xref: /openbmc/linux/net/bluetooth/hci_core.c (revision da097dcc)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2011 ProFUSION Embedded Systems
5 
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11 
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25 
26 /* Bluetooth HCI core. */
27 
28 #include <linux/export.h>
29 #include <linux/rfkill.h>
30 #include <linux/debugfs.h>
31 #include <linux/crypto.h>
32 #include <linux/kcov.h>
33 #include <linux/property.h>
34 #include <linux/suspend.h>
35 #include <linux/wait.h>
36 #include <asm/unaligned.h>
37 
38 #include <net/bluetooth/bluetooth.h>
39 #include <net/bluetooth/hci_core.h>
40 #include <net/bluetooth/l2cap.h>
41 #include <net/bluetooth/mgmt.h>
42 
43 #include "hci_request.h"
44 #include "hci_debugfs.h"
45 #include "smp.h"
46 #include "leds.h"
47 #include "msft.h"
48 #include "aosp.h"
49 #include "hci_codec.h"
50 
51 static void hci_rx_work(struct work_struct *work);
52 static void hci_cmd_work(struct work_struct *work);
53 static void hci_tx_work(struct work_struct *work);
54 
55 /* HCI device list */
56 LIST_HEAD(hci_dev_list);
57 DEFINE_RWLOCK(hci_dev_list_lock);
58 
59 /* HCI callback list */
60 LIST_HEAD(hci_cb_list);
61 DEFINE_MUTEX(hci_cb_list_lock);
62 
63 /* HCI ID Numbering */
64 static DEFINE_IDA(hci_index_ida);
65 
66 static int hci_scan_req(struct hci_request *req, unsigned long opt)
67 {
68 	__u8 scan = opt;
69 
70 	BT_DBG("%s %x", req->hdev->name, scan);
71 
72 	/* Inquiry and Page scans */
73 	hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
74 	return 0;
75 }
76 
77 static int hci_auth_req(struct hci_request *req, unsigned long opt)
78 {
79 	__u8 auth = opt;
80 
81 	BT_DBG("%s %x", req->hdev->name, auth);
82 
83 	/* Authentication */
84 	hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
85 	return 0;
86 }
87 
88 static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
89 {
90 	__u8 encrypt = opt;
91 
92 	BT_DBG("%s %x", req->hdev->name, encrypt);
93 
94 	/* Encryption */
95 	hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
96 	return 0;
97 }
98 
99 static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
100 {
101 	__le16 policy = cpu_to_le16(opt);
102 
103 	BT_DBG("%s %x", req->hdev->name, policy);
104 
105 	/* Default link policy */
106 	hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
107 	return 0;
108 }
109 
110 /* Get HCI device by index.
111  * Device is held on return. */
112 struct hci_dev *hci_dev_get(int index)
113 {
114 	struct hci_dev *hdev = NULL, *d;
115 
116 	BT_DBG("%d", index);
117 
118 	if (index < 0)
119 		return NULL;
120 
121 	read_lock(&hci_dev_list_lock);
122 	list_for_each_entry(d, &hci_dev_list, list) {
123 		if (d->id == index) {
124 			hdev = hci_dev_hold(d);
125 			break;
126 		}
127 	}
128 	read_unlock(&hci_dev_list_lock);
129 	return hdev;
130 }
131 
132 /* ---- Inquiry support ---- */
133 
134 bool hci_discovery_active(struct hci_dev *hdev)
135 {
136 	struct discovery_state *discov = &hdev->discovery;
137 
138 	switch (discov->state) {
139 	case DISCOVERY_FINDING:
140 	case DISCOVERY_RESOLVING:
141 		return true;
142 
143 	default:
144 		return false;
145 	}
146 }
147 
148 void hci_discovery_set_state(struct hci_dev *hdev, int state)
149 {
150 	int old_state = hdev->discovery.state;
151 
152 	BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
153 
154 	if (old_state == state)
155 		return;
156 
157 	hdev->discovery.state = state;
158 
159 	switch (state) {
160 	case DISCOVERY_STOPPED:
161 		hci_update_passive_scan(hdev);
162 
163 		if (old_state != DISCOVERY_STARTING)
164 			mgmt_discovering(hdev, 0);
165 		break;
166 	case DISCOVERY_STARTING:
167 		break;
168 	case DISCOVERY_FINDING:
169 		mgmt_discovering(hdev, 1);
170 		break;
171 	case DISCOVERY_RESOLVING:
172 		break;
173 	case DISCOVERY_STOPPING:
174 		break;
175 	}
176 }
177 
178 void hci_inquiry_cache_flush(struct hci_dev *hdev)
179 {
180 	struct discovery_state *cache = &hdev->discovery;
181 	struct inquiry_entry *p, *n;
182 
183 	list_for_each_entry_safe(p, n, &cache->all, all) {
184 		list_del(&p->all);
185 		kfree(p);
186 	}
187 
188 	INIT_LIST_HEAD(&cache->unknown);
189 	INIT_LIST_HEAD(&cache->resolve);
190 }
191 
192 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
193 					       bdaddr_t *bdaddr)
194 {
195 	struct discovery_state *cache = &hdev->discovery;
196 	struct inquiry_entry *e;
197 
198 	BT_DBG("cache %p, %pMR", cache, bdaddr);
199 
200 	list_for_each_entry(e, &cache->all, all) {
201 		if (!bacmp(&e->data.bdaddr, bdaddr))
202 			return e;
203 	}
204 
205 	return NULL;
206 }
207 
208 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
209 						       bdaddr_t *bdaddr)
210 {
211 	struct discovery_state *cache = &hdev->discovery;
212 	struct inquiry_entry *e;
213 
214 	BT_DBG("cache %p, %pMR", cache, bdaddr);
215 
216 	list_for_each_entry(e, &cache->unknown, list) {
217 		if (!bacmp(&e->data.bdaddr, bdaddr))
218 			return e;
219 	}
220 
221 	return NULL;
222 }
223 
224 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
225 						       bdaddr_t *bdaddr,
226 						       int state)
227 {
228 	struct discovery_state *cache = &hdev->discovery;
229 	struct inquiry_entry *e;
230 
231 	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
232 
233 	list_for_each_entry(e, &cache->resolve, list) {
234 		if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
235 			return e;
236 		if (!bacmp(&e->data.bdaddr, bdaddr))
237 			return e;
238 	}
239 
240 	return NULL;
241 }
242 
243 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
244 				      struct inquiry_entry *ie)
245 {
246 	struct discovery_state *cache = &hdev->discovery;
247 	struct list_head *pos = &cache->resolve;
248 	struct inquiry_entry *p;
249 
250 	list_del(&ie->list);
251 
252 	list_for_each_entry(p, &cache->resolve, list) {
253 		if (p->name_state != NAME_PENDING &&
254 		    abs(p->data.rssi) >= abs(ie->data.rssi))
255 			break;
256 		pos = &p->list;
257 	}
258 
259 	list_add(&ie->list, pos);
260 }
261 
262 u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
263 			     bool name_known)
264 {
265 	struct discovery_state *cache = &hdev->discovery;
266 	struct inquiry_entry *ie;
267 	u32 flags = 0;
268 
269 	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
270 
271 	hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
272 
273 	if (!data->ssp_mode)
274 		flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
275 
276 	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
277 	if (ie) {
278 		if (!ie->data.ssp_mode)
279 			flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
280 
281 		if (ie->name_state == NAME_NEEDED &&
282 		    data->rssi != ie->data.rssi) {
283 			ie->data.rssi = data->rssi;
284 			hci_inquiry_cache_update_resolve(hdev, ie);
285 		}
286 
287 		goto update;
288 	}
289 
290 	/* Entry not in the cache. Add new one. */
291 	ie = kzalloc(sizeof(*ie), GFP_KERNEL);
292 	if (!ie) {
293 		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
294 		goto done;
295 	}
296 
297 	list_add(&ie->all, &cache->all);
298 
299 	if (name_known) {
300 		ie->name_state = NAME_KNOWN;
301 	} else {
302 		ie->name_state = NAME_NOT_KNOWN;
303 		list_add(&ie->list, &cache->unknown);
304 	}
305 
306 update:
307 	if (name_known && ie->name_state != NAME_KNOWN &&
308 	    ie->name_state != NAME_PENDING) {
309 		ie->name_state = NAME_KNOWN;
310 		list_del(&ie->list);
311 	}
312 
313 	memcpy(&ie->data, data, sizeof(*data));
314 	ie->timestamp = jiffies;
315 	cache->timestamp = jiffies;
316 
317 	if (ie->name_state == NAME_NOT_KNOWN)
318 		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
319 
320 done:
321 	return flags;
322 }
323 
324 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
325 {
326 	struct discovery_state *cache = &hdev->discovery;
327 	struct inquiry_info *info = (struct inquiry_info *) buf;
328 	struct inquiry_entry *e;
329 	int copied = 0;
330 
331 	list_for_each_entry(e, &cache->all, all) {
332 		struct inquiry_data *data = &e->data;
333 
334 		if (copied >= num)
335 			break;
336 
337 		bacpy(&info->bdaddr, &data->bdaddr);
338 		info->pscan_rep_mode	= data->pscan_rep_mode;
339 		info->pscan_period_mode	= data->pscan_period_mode;
340 		info->pscan_mode	= data->pscan_mode;
341 		memcpy(info->dev_class, data->dev_class, 3);
342 		info->clock_offset	= data->clock_offset;
343 
344 		info++;
345 		copied++;
346 	}
347 
348 	BT_DBG("cache %p, copied %d", cache, copied);
349 	return copied;
350 }
351 
352 static int hci_inq_req(struct hci_request *req, unsigned long opt)
353 {
354 	struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
355 	struct hci_dev *hdev = req->hdev;
356 	struct hci_cp_inquiry cp;
357 
358 	BT_DBG("%s", hdev->name);
359 
360 	if (test_bit(HCI_INQUIRY, &hdev->flags))
361 		return 0;
362 
363 	/* Start Inquiry */
364 	memcpy(&cp.lap, &ir->lap, 3);
365 	cp.length  = ir->length;
366 	cp.num_rsp = ir->num_rsp;
367 	hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
368 
369 	return 0;
370 }
371 
372 int hci_inquiry(void __user *arg)
373 {
374 	__u8 __user *ptr = arg;
375 	struct hci_inquiry_req ir;
376 	struct hci_dev *hdev;
377 	int err = 0, do_inquiry = 0, max_rsp;
378 	long timeo;
379 	__u8 *buf;
380 
381 	if (copy_from_user(&ir, ptr, sizeof(ir)))
382 		return -EFAULT;
383 
384 	hdev = hci_dev_get(ir.dev_id);
385 	if (!hdev)
386 		return -ENODEV;
387 
388 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
389 		err = -EBUSY;
390 		goto done;
391 	}
392 
393 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
394 		err = -EOPNOTSUPP;
395 		goto done;
396 	}
397 
398 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
399 		err = -EOPNOTSUPP;
400 		goto done;
401 	}
402 
403 	/* Restrict maximum inquiry length to 60 seconds */
404 	if (ir.length > 60) {
405 		err = -EINVAL;
406 		goto done;
407 	}
408 
409 	hci_dev_lock(hdev);
410 	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
411 	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
412 		hci_inquiry_cache_flush(hdev);
413 		do_inquiry = 1;
414 	}
415 	hci_dev_unlock(hdev);
416 
417 	timeo = ir.length * msecs_to_jiffies(2000);
418 
419 	if (do_inquiry) {
420 		err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
421 				   timeo, NULL);
422 		if (err < 0)
423 			goto done;
424 
425 		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
426 		 * cleared). If it is interrupted by a signal, return -EINTR.
427 		 */
428 		if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
429 				TASK_INTERRUPTIBLE)) {
430 			err = -EINTR;
431 			goto done;
432 		}
433 	}
434 
435 	/* for unlimited number of responses we will use buffer with
436 	 * 255 entries
437 	 */
438 	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
439 
440 	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
441 	 * copy it to the user space.
442 	 */
443 	buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
444 	if (!buf) {
445 		err = -ENOMEM;
446 		goto done;
447 	}
448 
449 	hci_dev_lock(hdev);
450 	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
451 	hci_dev_unlock(hdev);
452 
453 	BT_DBG("num_rsp %d", ir.num_rsp);
454 
455 	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
456 		ptr += sizeof(ir);
457 		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
458 				 ir.num_rsp))
459 			err = -EFAULT;
460 	} else
461 		err = -EFAULT;
462 
463 	kfree(buf);
464 
465 done:
466 	hci_dev_put(hdev);
467 	return err;
468 }
469 
470 static int hci_dev_do_open(struct hci_dev *hdev)
471 {
472 	int ret = 0;
473 
474 	BT_DBG("%s %p", hdev->name, hdev);
475 
476 	hci_req_sync_lock(hdev);
477 
478 	ret = hci_dev_open_sync(hdev);
479 
480 	hci_req_sync_unlock(hdev);
481 	return ret;
482 }
483 
484 /* ---- HCI ioctl helpers ---- */
485 
486 int hci_dev_open(__u16 dev)
487 {
488 	struct hci_dev *hdev;
489 	int err;
490 
491 	hdev = hci_dev_get(dev);
492 	if (!hdev)
493 		return -ENODEV;
494 
495 	/* Devices that are marked as unconfigured can only be powered
496 	 * up as user channel. Trying to bring them up as normal devices
497 	 * will result into a failure. Only user channel operation is
498 	 * possible.
499 	 *
500 	 * When this function is called for a user channel, the flag
501 	 * HCI_USER_CHANNEL will be set first before attempting to
502 	 * open the device.
503 	 */
504 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
505 	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
506 		err = -EOPNOTSUPP;
507 		goto done;
508 	}
509 
510 	/* We need to ensure that no other power on/off work is pending
511 	 * before proceeding to call hci_dev_do_open. This is
512 	 * particularly important if the setup procedure has not yet
513 	 * completed.
514 	 */
515 	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
516 		cancel_delayed_work(&hdev->power_off);
517 
518 	/* After this call it is guaranteed that the setup procedure
519 	 * has finished. This means that error conditions like RFKILL
520 	 * or no valid public or static random address apply.
521 	 */
522 	flush_workqueue(hdev->req_workqueue);
523 
524 	/* For controllers not using the management interface and that
525 	 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
526 	 * so that pairing works for them. Once the management interface
527 	 * is in use this bit will be cleared again and userspace has
528 	 * to explicitly enable it.
529 	 */
530 	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
531 	    !hci_dev_test_flag(hdev, HCI_MGMT))
532 		hci_dev_set_flag(hdev, HCI_BONDABLE);
533 
534 	err = hci_dev_do_open(hdev);
535 
536 done:
537 	hci_dev_put(hdev);
538 	return err;
539 }
540 
541 int hci_dev_do_close(struct hci_dev *hdev)
542 {
543 	int err;
544 
545 	BT_DBG("%s %p", hdev->name, hdev);
546 
547 	hci_req_sync_lock(hdev);
548 
549 	err = hci_dev_close_sync(hdev);
550 
551 	hci_req_sync_unlock(hdev);
552 
553 	return err;
554 }
555 
556 int hci_dev_close(__u16 dev)
557 {
558 	struct hci_dev *hdev;
559 	int err;
560 
561 	hdev = hci_dev_get(dev);
562 	if (!hdev)
563 		return -ENODEV;
564 
565 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
566 		err = -EBUSY;
567 		goto done;
568 	}
569 
570 	cancel_work_sync(&hdev->power_on);
571 	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
572 		cancel_delayed_work(&hdev->power_off);
573 
574 	err = hci_dev_do_close(hdev);
575 
576 done:
577 	hci_dev_put(hdev);
578 	return err;
579 }
580 
581 static int hci_dev_do_reset(struct hci_dev *hdev)
582 {
583 	int ret;
584 
585 	BT_DBG("%s %p", hdev->name, hdev);
586 
587 	hci_req_sync_lock(hdev);
588 
589 	/* Drop queues */
590 	skb_queue_purge(&hdev->rx_q);
591 	skb_queue_purge(&hdev->cmd_q);
592 
593 	/* Cancel these to avoid queueing non-chained pending work */
594 	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
595 	/* Wait for
596 	 *
597 	 *    if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
598 	 *        queue_delayed_work(&hdev->{cmd,ncmd}_timer)
599 	 *
600 	 * inside RCU section to see the flag or complete scheduling.
601 	 */
602 	synchronize_rcu();
603 	/* Explicitly cancel works in case scheduled after setting the flag. */
604 	cancel_delayed_work(&hdev->cmd_timer);
605 	cancel_delayed_work(&hdev->ncmd_timer);
606 
607 	/* Avoid potential lockdep warnings from the *_flush() calls by
608 	 * ensuring the workqueue is empty up front.
609 	 */
610 	drain_workqueue(hdev->workqueue);
611 
612 	hci_dev_lock(hdev);
613 	hci_inquiry_cache_flush(hdev);
614 	hci_conn_hash_flush(hdev);
615 	hci_dev_unlock(hdev);
616 
617 	if (hdev->flush)
618 		hdev->flush(hdev);
619 
620 	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
621 
622 	atomic_set(&hdev->cmd_cnt, 1);
623 	hdev->acl_cnt = 0;
624 	hdev->sco_cnt = 0;
625 	hdev->le_cnt = 0;
626 	hdev->iso_cnt = 0;
627 
628 	ret = hci_reset_sync(hdev);
629 
630 	hci_req_sync_unlock(hdev);
631 	return ret;
632 }
633 
634 int hci_dev_reset(__u16 dev)
635 {
636 	struct hci_dev *hdev;
637 	int err;
638 
639 	hdev = hci_dev_get(dev);
640 	if (!hdev)
641 		return -ENODEV;
642 
643 	if (!test_bit(HCI_UP, &hdev->flags)) {
644 		err = -ENETDOWN;
645 		goto done;
646 	}
647 
648 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
649 		err = -EBUSY;
650 		goto done;
651 	}
652 
653 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
654 		err = -EOPNOTSUPP;
655 		goto done;
656 	}
657 
658 	err = hci_dev_do_reset(hdev);
659 
660 done:
661 	hci_dev_put(hdev);
662 	return err;
663 }
664 
665 int hci_dev_reset_stat(__u16 dev)
666 {
667 	struct hci_dev *hdev;
668 	int ret = 0;
669 
670 	hdev = hci_dev_get(dev);
671 	if (!hdev)
672 		return -ENODEV;
673 
674 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
675 		ret = -EBUSY;
676 		goto done;
677 	}
678 
679 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
680 		ret = -EOPNOTSUPP;
681 		goto done;
682 	}
683 
684 	memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
685 
686 done:
687 	hci_dev_put(hdev);
688 	return ret;
689 }
690 
691 static void hci_update_passive_scan_state(struct hci_dev *hdev, u8 scan)
692 {
693 	bool conn_changed, discov_changed;
694 
695 	BT_DBG("%s scan 0x%02x", hdev->name, scan);
696 
697 	if ((scan & SCAN_PAGE))
698 		conn_changed = !hci_dev_test_and_set_flag(hdev,
699 							  HCI_CONNECTABLE);
700 	else
701 		conn_changed = hci_dev_test_and_clear_flag(hdev,
702 							   HCI_CONNECTABLE);
703 
704 	if ((scan & SCAN_INQUIRY)) {
705 		discov_changed = !hci_dev_test_and_set_flag(hdev,
706 							    HCI_DISCOVERABLE);
707 	} else {
708 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
709 		discov_changed = hci_dev_test_and_clear_flag(hdev,
710 							     HCI_DISCOVERABLE);
711 	}
712 
713 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
714 		return;
715 
716 	if (conn_changed || discov_changed) {
717 		/* In case this was disabled through mgmt */
718 		hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
719 
720 		if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
721 			hci_update_adv_data(hdev, hdev->cur_adv_instance);
722 
723 		mgmt_new_settings(hdev);
724 	}
725 }
726 
727 int hci_dev_cmd(unsigned int cmd, void __user *arg)
728 {
729 	struct hci_dev *hdev;
730 	struct hci_dev_req dr;
731 	int err = 0;
732 
733 	if (copy_from_user(&dr, arg, sizeof(dr)))
734 		return -EFAULT;
735 
736 	hdev = hci_dev_get(dr.dev_id);
737 	if (!hdev)
738 		return -ENODEV;
739 
740 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
741 		err = -EBUSY;
742 		goto done;
743 	}
744 
745 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
746 		err = -EOPNOTSUPP;
747 		goto done;
748 	}
749 
750 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
751 		err = -EOPNOTSUPP;
752 		goto done;
753 	}
754 
755 	switch (cmd) {
756 	case HCISETAUTH:
757 		err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
758 				   HCI_INIT_TIMEOUT, NULL);
759 		break;
760 
761 	case HCISETENCRYPT:
762 		if (!lmp_encrypt_capable(hdev)) {
763 			err = -EOPNOTSUPP;
764 			break;
765 		}
766 
767 		if (!test_bit(HCI_AUTH, &hdev->flags)) {
768 			/* Auth must be enabled first */
769 			err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
770 					   HCI_INIT_TIMEOUT, NULL);
771 			if (err)
772 				break;
773 		}
774 
775 		err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
776 				   HCI_INIT_TIMEOUT, NULL);
777 		break;
778 
779 	case HCISETSCAN:
780 		err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
781 				   HCI_INIT_TIMEOUT, NULL);
782 
783 		/* Ensure that the connectable and discoverable states
784 		 * get correctly modified as this was a non-mgmt change.
785 		 */
786 		if (!err)
787 			hci_update_passive_scan_state(hdev, dr.dev_opt);
788 		break;
789 
790 	case HCISETLINKPOL:
791 		err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
792 				   HCI_INIT_TIMEOUT, NULL);
793 		break;
794 
795 	case HCISETLINKMODE:
796 		hdev->link_mode = ((__u16) dr.dev_opt) &
797 					(HCI_LM_MASTER | HCI_LM_ACCEPT);
798 		break;
799 
800 	case HCISETPTYPE:
801 		if (hdev->pkt_type == (__u16) dr.dev_opt)
802 			break;
803 
804 		hdev->pkt_type = (__u16) dr.dev_opt;
805 		mgmt_phy_configuration_changed(hdev, NULL);
806 		break;
807 
808 	case HCISETACLMTU:
809 		hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
810 		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
811 		break;
812 
813 	case HCISETSCOMTU:
814 		hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
815 		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
816 		break;
817 
818 	default:
819 		err = -EINVAL;
820 		break;
821 	}
822 
823 done:
824 	hci_dev_put(hdev);
825 	return err;
826 }
827 
828 int hci_get_dev_list(void __user *arg)
829 {
830 	struct hci_dev *hdev;
831 	struct hci_dev_list_req *dl;
832 	struct hci_dev_req *dr;
833 	int n = 0, size, err;
834 	__u16 dev_num;
835 
836 	if (get_user(dev_num, (__u16 __user *) arg))
837 		return -EFAULT;
838 
839 	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
840 		return -EINVAL;
841 
842 	size = sizeof(*dl) + dev_num * sizeof(*dr);
843 
844 	dl = kzalloc(size, GFP_KERNEL);
845 	if (!dl)
846 		return -ENOMEM;
847 
848 	dr = dl->dev_req;
849 
850 	read_lock(&hci_dev_list_lock);
851 	list_for_each_entry(hdev, &hci_dev_list, list) {
852 		unsigned long flags = hdev->flags;
853 
854 		/* When the auto-off is configured it means the transport
855 		 * is running, but in that case still indicate that the
856 		 * device is actually down.
857 		 */
858 		if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
859 			flags &= ~BIT(HCI_UP);
860 
861 		(dr + n)->dev_id  = hdev->id;
862 		(dr + n)->dev_opt = flags;
863 
864 		if (++n >= dev_num)
865 			break;
866 	}
867 	read_unlock(&hci_dev_list_lock);
868 
869 	dl->dev_num = n;
870 	size = sizeof(*dl) + n * sizeof(*dr);
871 
872 	err = copy_to_user(arg, dl, size);
873 	kfree(dl);
874 
875 	return err ? -EFAULT : 0;
876 }
877 
878 int hci_get_dev_info(void __user *arg)
879 {
880 	struct hci_dev *hdev;
881 	struct hci_dev_info di;
882 	unsigned long flags;
883 	int err = 0;
884 
885 	if (copy_from_user(&di, arg, sizeof(di)))
886 		return -EFAULT;
887 
888 	hdev = hci_dev_get(di.dev_id);
889 	if (!hdev)
890 		return -ENODEV;
891 
892 	/* When the auto-off is configured it means the transport
893 	 * is running, but in that case still indicate that the
894 	 * device is actually down.
895 	 */
896 	if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
897 		flags = hdev->flags & ~BIT(HCI_UP);
898 	else
899 		flags = hdev->flags;
900 
901 	strscpy(di.name, hdev->name, sizeof(di.name));
902 	di.bdaddr   = hdev->bdaddr;
903 	di.type     = (hdev->bus & 0x0f);
904 	di.flags    = flags;
905 	di.pkt_type = hdev->pkt_type;
906 	if (lmp_bredr_capable(hdev)) {
907 		di.acl_mtu  = hdev->acl_mtu;
908 		di.acl_pkts = hdev->acl_pkts;
909 		di.sco_mtu  = hdev->sco_mtu;
910 		di.sco_pkts = hdev->sco_pkts;
911 	} else {
912 		di.acl_mtu  = hdev->le_mtu;
913 		di.acl_pkts = hdev->le_pkts;
914 		di.sco_mtu  = 0;
915 		di.sco_pkts = 0;
916 	}
917 	di.link_policy = hdev->link_policy;
918 	di.link_mode   = hdev->link_mode;
919 
920 	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
921 	memcpy(&di.features, &hdev->features, sizeof(di.features));
922 
923 	if (copy_to_user(arg, &di, sizeof(di)))
924 		err = -EFAULT;
925 
926 	hci_dev_put(hdev);
927 
928 	return err;
929 }
930 
931 /* ---- Interface to HCI drivers ---- */
932 
933 static int hci_rfkill_set_block(void *data, bool blocked)
934 {
935 	struct hci_dev *hdev = data;
936 
937 	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
938 
939 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
940 		return -EBUSY;
941 
942 	if (blocked) {
943 		hci_dev_set_flag(hdev, HCI_RFKILLED);
944 		if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
945 		    !hci_dev_test_flag(hdev, HCI_CONFIG))
946 			hci_dev_do_close(hdev);
947 	} else {
948 		hci_dev_clear_flag(hdev, HCI_RFKILLED);
949 	}
950 
951 	return 0;
952 }
953 
954 static const struct rfkill_ops hci_rfkill_ops = {
955 	.set_block = hci_rfkill_set_block,
956 };
957 
958 static void hci_power_on(struct work_struct *work)
959 {
960 	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
961 	int err;
962 
963 	BT_DBG("%s", hdev->name);
964 
965 	if (test_bit(HCI_UP, &hdev->flags) &&
966 	    hci_dev_test_flag(hdev, HCI_MGMT) &&
967 	    hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
968 		cancel_delayed_work(&hdev->power_off);
969 		err = hci_powered_update_sync(hdev);
970 		mgmt_power_on(hdev, err);
971 		return;
972 	}
973 
974 	err = hci_dev_do_open(hdev);
975 	if (err < 0) {
976 		hci_dev_lock(hdev);
977 		mgmt_set_powered_failed(hdev, err);
978 		hci_dev_unlock(hdev);
979 		return;
980 	}
981 
982 	/* During the HCI setup phase, a few error conditions are
983 	 * ignored and they need to be checked now. If they are still
984 	 * valid, it is important to turn the device back off.
985 	 */
986 	if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
987 	    hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
988 	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
989 	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
990 		hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
991 		hci_dev_do_close(hdev);
992 	} else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
993 		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
994 				   HCI_AUTO_OFF_TIMEOUT);
995 	}
996 
997 	if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
998 		/* For unconfigured devices, set the HCI_RAW flag
999 		 * so that userspace can easily identify them.
1000 		 */
1001 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1002 			set_bit(HCI_RAW, &hdev->flags);
1003 
1004 		/* For fully configured devices, this will send
1005 		 * the Index Added event. For unconfigured devices,
1006 		 * it will send Unconfigued Index Added event.
1007 		 *
1008 		 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
1009 		 * and no event will be send.
1010 		 */
1011 		mgmt_index_added(hdev);
1012 	} else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
1013 		/* When the controller is now configured, then it
1014 		 * is important to clear the HCI_RAW flag.
1015 		 */
1016 		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1017 			clear_bit(HCI_RAW, &hdev->flags);
1018 
1019 		/* Powering on the controller with HCI_CONFIG set only
1020 		 * happens with the transition from unconfigured to
1021 		 * configured. This will send the Index Added event.
1022 		 */
1023 		mgmt_index_added(hdev);
1024 	}
1025 }
1026 
1027 static void hci_power_off(struct work_struct *work)
1028 {
1029 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1030 					    power_off.work);
1031 
1032 	BT_DBG("%s", hdev->name);
1033 
1034 	hci_dev_do_close(hdev);
1035 }
1036 
1037 static void hci_error_reset(struct work_struct *work)
1038 {
1039 	struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
1040 
1041 	hci_dev_hold(hdev);
1042 	BT_DBG("%s", hdev->name);
1043 
1044 	if (hdev->hw_error)
1045 		hdev->hw_error(hdev, hdev->hw_error_code);
1046 	else
1047 		bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);
1048 
1049 	if (!hci_dev_do_close(hdev))
1050 		hci_dev_do_open(hdev);
1051 
1052 	hci_dev_put(hdev);
1053 }
1054 
1055 void hci_uuids_clear(struct hci_dev *hdev)
1056 {
1057 	struct bt_uuid *uuid, *tmp;
1058 
1059 	list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1060 		list_del(&uuid->list);
1061 		kfree(uuid);
1062 	}
1063 }
1064 
1065 void hci_link_keys_clear(struct hci_dev *hdev)
1066 {
1067 	struct link_key *key, *tmp;
1068 
1069 	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
1070 		list_del_rcu(&key->list);
1071 		kfree_rcu(key, rcu);
1072 	}
1073 }
1074 
1075 void hci_smp_ltks_clear(struct hci_dev *hdev)
1076 {
1077 	struct smp_ltk *k, *tmp;
1078 
1079 	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1080 		list_del_rcu(&k->list);
1081 		kfree_rcu(k, rcu);
1082 	}
1083 }
1084 
1085 void hci_smp_irks_clear(struct hci_dev *hdev)
1086 {
1087 	struct smp_irk *k, *tmp;
1088 
1089 	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
1090 		list_del_rcu(&k->list);
1091 		kfree_rcu(k, rcu);
1092 	}
1093 }
1094 
1095 void hci_blocked_keys_clear(struct hci_dev *hdev)
1096 {
1097 	struct blocked_key *b, *tmp;
1098 
1099 	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
1100 		list_del_rcu(&b->list);
1101 		kfree_rcu(b, rcu);
1102 	}
1103 }
1104 
1105 bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16])
1106 {
1107 	bool blocked = false;
1108 	struct blocked_key *b;
1109 
1110 	rcu_read_lock();
1111 	list_for_each_entry_rcu(b, &hdev->blocked_keys, list) {
1112 		if (b->type == type && !memcmp(b->val, val, sizeof(b->val))) {
1113 			blocked = true;
1114 			break;
1115 		}
1116 	}
1117 
1118 	rcu_read_unlock();
1119 	return blocked;
1120 }
1121 
1122 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1123 {
1124 	struct link_key *k;
1125 
1126 	rcu_read_lock();
1127 	list_for_each_entry_rcu(k, &hdev->link_keys, list) {
1128 		if (bacmp(bdaddr, &k->bdaddr) == 0) {
1129 			rcu_read_unlock();
1130 
1131 			if (hci_is_blocked_key(hdev,
1132 					       HCI_BLOCKED_KEY_TYPE_LINKKEY,
1133 					       k->val)) {
1134 				bt_dev_warn_ratelimited(hdev,
1135 							"Link key blocked for %pMR",
1136 							&k->bdaddr);
1137 				return NULL;
1138 			}
1139 
1140 			return k;
1141 		}
1142 	}
1143 	rcu_read_unlock();
1144 
1145 	return NULL;
1146 }
1147 
1148 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1149 			       u8 key_type, u8 old_key_type)
1150 {
1151 	/* Legacy key */
1152 	if (key_type < 0x03)
1153 		return true;
1154 
1155 	/* Debug keys are insecure so don't store them persistently */
1156 	if (key_type == HCI_LK_DEBUG_COMBINATION)
1157 		return false;
1158 
1159 	/* Changed combination key and there's no previous one */
1160 	if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1161 		return false;
1162 
1163 	/* Security mode 3 case */
1164 	if (!conn)
1165 		return true;
1166 
1167 	/* BR/EDR key derived using SC from an LE link */
1168 	if (conn->type == LE_LINK)
1169 		return true;
1170 
1171 	/* Neither local nor remote side had no-bonding as requirement */
1172 	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1173 		return true;
1174 
1175 	/* Local side had dedicated bonding as requirement */
1176 	if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1177 		return true;
1178 
1179 	/* Remote side had dedicated bonding as requirement */
1180 	if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1181 		return true;
1182 
1183 	/* If none of the above criteria match, then don't store the key
1184 	 * persistently */
1185 	return false;
1186 }
1187 
1188 static u8 ltk_role(u8 type)
1189 {
1190 	if (type == SMP_LTK)
1191 		return HCI_ROLE_MASTER;
1192 
1193 	return HCI_ROLE_SLAVE;
1194 }
1195 
1196 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1197 			     u8 addr_type, u8 role)
1198 {
1199 	struct smp_ltk *k;
1200 
1201 	rcu_read_lock();
1202 	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
1203 		if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
1204 			continue;
1205 
1206 		if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
1207 			rcu_read_unlock();
1208 
1209 			if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK,
1210 					       k->val)) {
1211 				bt_dev_warn_ratelimited(hdev,
1212 							"LTK blocked for %pMR",
1213 							&k->bdaddr);
1214 				return NULL;
1215 			}
1216 
1217 			return k;
1218 		}
1219 	}
1220 	rcu_read_unlock();
1221 
1222 	return NULL;
1223 }
1224 
1225 struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
1226 {
1227 	struct smp_irk *irk_to_return = NULL;
1228 	struct smp_irk *irk;
1229 
1230 	rcu_read_lock();
1231 	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1232 		if (!bacmp(&irk->rpa, rpa)) {
1233 			irk_to_return = irk;
1234 			goto done;
1235 		}
1236 	}
1237 
1238 	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1239 		if (smp_irk_matches(hdev, irk->val, rpa)) {
1240 			bacpy(&irk->rpa, rpa);
1241 			irk_to_return = irk;
1242 			goto done;
1243 		}
1244 	}
1245 
1246 done:
1247 	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
1248 						irk_to_return->val)) {
1249 		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
1250 					&irk_to_return->bdaddr);
1251 		irk_to_return = NULL;
1252 	}
1253 
1254 	rcu_read_unlock();
1255 
1256 	return irk_to_return;
1257 }
1258 
1259 struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1260 				     u8 addr_type)
1261 {
1262 	struct smp_irk *irk_to_return = NULL;
1263 	struct smp_irk *irk;
1264 
1265 	/* Identity Address must be public or static random */
1266 	if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
1267 		return NULL;
1268 
1269 	rcu_read_lock();
1270 	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1271 		if (addr_type == irk->addr_type &&
1272 		    bacmp(bdaddr, &irk->bdaddr) == 0) {
1273 			irk_to_return = irk;
1274 			goto done;
1275 		}
1276 	}
1277 
1278 done:
1279 
1280 	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
1281 						irk_to_return->val)) {
1282 		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
1283 					&irk_to_return->bdaddr);
1284 		irk_to_return = NULL;
1285 	}
1286 
1287 	rcu_read_unlock();
1288 
1289 	return irk_to_return;
1290 }
1291 
1292 struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
1293 				  bdaddr_t *bdaddr, u8 *val, u8 type,
1294 				  u8 pin_len, bool *persistent)
1295 {
1296 	struct link_key *key, *old_key;
1297 	u8 old_key_type;
1298 
1299 	old_key = hci_find_link_key(hdev, bdaddr);
1300 	if (old_key) {
1301 		old_key_type = old_key->type;
1302 		key = old_key;
1303 	} else {
1304 		old_key_type = conn ? conn->key_type : 0xff;
1305 		key = kzalloc(sizeof(*key), GFP_KERNEL);
1306 		if (!key)
1307 			return NULL;
1308 		list_add_rcu(&key->list, &hdev->link_keys);
1309 	}
1310 
1311 	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1312 
1313 	/* Some buggy controller combinations generate a changed
1314 	 * combination key for legacy pairing even when there's no
1315 	 * previous key */
1316 	if (type == HCI_LK_CHANGED_COMBINATION &&
1317 	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1318 		type = HCI_LK_COMBINATION;
1319 		if (conn)
1320 			conn->key_type = type;
1321 	}
1322 
1323 	bacpy(&key->bdaddr, bdaddr);
1324 	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1325 	key->pin_len = pin_len;
1326 
1327 	if (type == HCI_LK_CHANGED_COMBINATION)
1328 		key->type = old_key_type;
1329 	else
1330 		key->type = type;
1331 
1332 	if (persistent)
1333 		*persistent = hci_persistent_key(hdev, conn, type,
1334 						 old_key_type);
1335 
1336 	return key;
1337 }
1338 
1339 struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1340 			    u8 addr_type, u8 type, u8 authenticated,
1341 			    u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
1342 {
1343 	struct smp_ltk *key, *old_key;
1344 	u8 role = ltk_role(type);
1345 
1346 	old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
1347 	if (old_key)
1348 		key = old_key;
1349 	else {
1350 		key = kzalloc(sizeof(*key), GFP_KERNEL);
1351 		if (!key)
1352 			return NULL;
1353 		list_add_rcu(&key->list, &hdev->long_term_keys);
1354 	}
1355 
1356 	bacpy(&key->bdaddr, bdaddr);
1357 	key->bdaddr_type = addr_type;
1358 	memcpy(key->val, tk, sizeof(key->val));
1359 	key->authenticated = authenticated;
1360 	key->ediv = ediv;
1361 	key->rand = rand;
1362 	key->enc_size = enc_size;
1363 	key->type = type;
1364 
1365 	return key;
1366 }
1367 
1368 struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1369 			    u8 addr_type, u8 val[16], bdaddr_t *rpa)
1370 {
1371 	struct smp_irk *irk;
1372 
1373 	irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
1374 	if (!irk) {
1375 		irk = kzalloc(sizeof(*irk), GFP_KERNEL);
1376 		if (!irk)
1377 			return NULL;
1378 
1379 		bacpy(&irk->bdaddr, bdaddr);
1380 		irk->addr_type = addr_type;
1381 
1382 		list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
1383 	}
1384 
1385 	memcpy(irk->val, val, 16);
1386 	bacpy(&irk->rpa, rpa);
1387 
1388 	return irk;
1389 }
1390 
1391 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1392 {
1393 	struct link_key *key;
1394 
1395 	key = hci_find_link_key(hdev, bdaddr);
1396 	if (!key)
1397 		return -ENOENT;
1398 
1399 	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1400 
1401 	list_del_rcu(&key->list);
1402 	kfree_rcu(key, rcu);
1403 
1404 	return 0;
1405 }
1406 
1407 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
1408 {
1409 	struct smp_ltk *k, *tmp;
1410 	int removed = 0;
1411 
1412 	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1413 		if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
1414 			continue;
1415 
1416 		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1417 
1418 		list_del_rcu(&k->list);
1419 		kfree_rcu(k, rcu);
1420 		removed++;
1421 	}
1422 
1423 	return removed ? 0 : -ENOENT;
1424 }
1425 
1426 void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
1427 {
1428 	struct smp_irk *k, *tmp;
1429 
1430 	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
1431 		if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
1432 			continue;
1433 
1434 		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1435 
1436 		list_del_rcu(&k->list);
1437 		kfree_rcu(k, rcu);
1438 	}
1439 }
1440 
1441 bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1442 {
1443 	struct smp_ltk *k;
1444 	struct smp_irk *irk;
1445 	u8 addr_type;
1446 
1447 	if (type == BDADDR_BREDR) {
1448 		if (hci_find_link_key(hdev, bdaddr))
1449 			return true;
1450 		return false;
1451 	}
1452 
1453 	/* Convert to HCI addr type which struct smp_ltk uses */
1454 	if (type == BDADDR_LE_PUBLIC)
1455 		addr_type = ADDR_LE_DEV_PUBLIC;
1456 	else
1457 		addr_type = ADDR_LE_DEV_RANDOM;
1458 
1459 	irk = hci_get_irk(hdev, bdaddr, addr_type);
1460 	if (irk) {
1461 		bdaddr = &irk->bdaddr;
1462 		addr_type = irk->addr_type;
1463 	}
1464 
1465 	rcu_read_lock();
1466 	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
1467 		if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
1468 			rcu_read_unlock();
1469 			return true;
1470 		}
1471 	}
1472 	rcu_read_unlock();
1473 
1474 	return false;
1475 }
1476 
1477 /* HCI command timer function */
1478 static void hci_cmd_timeout(struct work_struct *work)
1479 {
1480 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1481 					    cmd_timer.work);
1482 
1483 	if (hdev->req_skb) {
1484 		u16 opcode = hci_skb_opcode(hdev->req_skb);
1485 
1486 		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
1487 
1488 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
1489 	} else {
1490 		bt_dev_err(hdev, "command tx timeout");
1491 	}
1492 
1493 	if (hdev->cmd_timeout)
1494 		hdev->cmd_timeout(hdev);
1495 
1496 	atomic_set(&hdev->cmd_cnt, 1);
1497 	queue_work(hdev->workqueue, &hdev->cmd_work);
1498 }
1499 
1500 /* HCI ncmd timer function */
1501 static void hci_ncmd_timeout(struct work_struct *work)
1502 {
1503 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1504 					    ncmd_timer.work);
1505 
1506 	bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0");
1507 
1508 	/* During HCI_INIT phase no events can be injected if the ncmd timer
1509 	 * triggers since the procedure has its own timeout handling.
1510 	 */
1511 	if (test_bit(HCI_INIT, &hdev->flags))
1512 		return;
1513 
1514 	/* This is an irrecoverable state, inject hardware error event */
1515 	hci_reset_dev(hdev);
1516 }
1517 
1518 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1519 					  bdaddr_t *bdaddr, u8 bdaddr_type)
1520 {
1521 	struct oob_data *data;
1522 
1523 	list_for_each_entry(data, &hdev->remote_oob_data, list) {
1524 		if (bacmp(bdaddr, &data->bdaddr) != 0)
1525 			continue;
1526 		if (data->bdaddr_type != bdaddr_type)
1527 			continue;
1528 		return data;
1529 	}
1530 
1531 	return NULL;
1532 }
1533 
1534 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
1535 			       u8 bdaddr_type)
1536 {
1537 	struct oob_data *data;
1538 
1539 	data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
1540 	if (!data)
1541 		return -ENOENT;
1542 
1543 	BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
1544 
1545 	list_del(&data->list);
1546 	kfree(data);
1547 
1548 	return 0;
1549 }
1550 
1551 void hci_remote_oob_data_clear(struct hci_dev *hdev)
1552 {
1553 	struct oob_data *data, *n;
1554 
1555 	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1556 		list_del(&data->list);
1557 		kfree(data);
1558 	}
1559 }
1560 
1561 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
1562 			    u8 bdaddr_type, u8 *hash192, u8 *rand192,
1563 			    u8 *hash256, u8 *rand256)
1564 {
1565 	struct oob_data *data;
1566 
1567 	data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
1568 	if (!data) {
1569 		data = kmalloc(sizeof(*data), GFP_KERNEL);
1570 		if (!data)
1571 			return -ENOMEM;
1572 
1573 		bacpy(&data->bdaddr, bdaddr);
1574 		data->bdaddr_type = bdaddr_type;
1575 		list_add(&data->list, &hdev->remote_oob_data);
1576 	}
1577 
1578 	if (hash192 && rand192) {
1579 		memcpy(data->hash192, hash192, sizeof(data->hash192));
1580 		memcpy(data->rand192, rand192, sizeof(data->rand192));
1581 		if (hash256 && rand256)
1582 			data->present = 0x03;
1583 	} else {
1584 		memset(data->hash192, 0, sizeof(data->hash192));
1585 		memset(data->rand192, 0, sizeof(data->rand192));
1586 		if (hash256 && rand256)
1587 			data->present = 0x02;
1588 		else
1589 			data->present = 0x00;
1590 	}
1591 
1592 	if (hash256 && rand256) {
1593 		memcpy(data->hash256, hash256, sizeof(data->hash256));
1594 		memcpy(data->rand256, rand256, sizeof(data->rand256));
1595 	} else {
1596 		memset(data->hash256, 0, sizeof(data->hash256));
1597 		memset(data->rand256, 0, sizeof(data->rand256));
1598 		if (hash192 && rand192)
1599 			data->present = 0x01;
1600 	}
1601 
1602 	BT_DBG("%s for %pMR", hdev->name, bdaddr);
1603 
1604 	return 0;
1605 }
1606 
1607 /* This function requires the caller holds hdev->lock */
1608 struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
1609 {
1610 	struct adv_info *adv_instance;
1611 
1612 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
1613 		if (adv_instance->instance == instance)
1614 			return adv_instance;
1615 	}
1616 
1617 	return NULL;
1618 }
1619 
1620 /* This function requires the caller holds hdev->lock */
1621 struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
1622 {
1623 	struct adv_info *cur_instance;
1624 
1625 	cur_instance = hci_find_adv_instance(hdev, instance);
1626 	if (!cur_instance)
1627 		return NULL;
1628 
1629 	if (cur_instance == list_last_entry(&hdev->adv_instances,
1630 					    struct adv_info, list))
1631 		return list_first_entry(&hdev->adv_instances,
1632 						 struct adv_info, list);
1633 	else
1634 		return list_next_entry(cur_instance, list);
1635 }
1636 
1637 /* This function requires the caller holds hdev->lock */
1638 int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
1639 {
1640 	struct adv_info *adv_instance;
1641 
1642 	adv_instance = hci_find_adv_instance(hdev, instance);
1643 	if (!adv_instance)
1644 		return -ENOENT;
1645 
1646 	BT_DBG("%s removing %dMR", hdev->name, instance);
1647 
1648 	if (hdev->cur_adv_instance == instance) {
1649 		if (hdev->adv_instance_timeout) {
1650 			cancel_delayed_work(&hdev->adv_instance_expire);
1651 			hdev->adv_instance_timeout = 0;
1652 		}
1653 		hdev->cur_adv_instance = 0x00;
1654 	}
1655 
1656 	cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
1657 
1658 	list_del(&adv_instance->list);
1659 	kfree(adv_instance);
1660 
1661 	hdev->adv_instance_cnt--;
1662 
1663 	return 0;
1664 }
1665 
1666 void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired)
1667 {
1668 	struct adv_info *adv_instance, *n;
1669 
1670 	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list)
1671 		adv_instance->rpa_expired = rpa_expired;
1672 }
1673 
1674 /* This function requires the caller holds hdev->lock */
1675 void hci_adv_instances_clear(struct hci_dev *hdev)
1676 {
1677 	struct adv_info *adv_instance, *n;
1678 
1679 	if (hdev->adv_instance_timeout) {
1680 		cancel_delayed_work(&hdev->adv_instance_expire);
1681 		hdev->adv_instance_timeout = 0;
1682 	}
1683 
1684 	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
1685 		cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
1686 		list_del(&adv_instance->list);
1687 		kfree(adv_instance);
1688 	}
1689 
1690 	hdev->adv_instance_cnt = 0;
1691 	hdev->cur_adv_instance = 0x00;
1692 }
1693 
1694 static void adv_instance_rpa_expired(struct work_struct *work)
1695 {
1696 	struct adv_info *adv_instance = container_of(work, struct adv_info,
1697 						     rpa_expired_cb.work);
1698 
1699 	BT_DBG("");
1700 
1701 	adv_instance->rpa_expired = true;
1702 }
1703 
1704 /* This function requires the caller holds hdev->lock */
1705 struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance,
1706 				      u32 flags, u16 adv_data_len, u8 *adv_data,
1707 				      u16 scan_rsp_len, u8 *scan_rsp_data,
1708 				      u16 timeout, u16 duration, s8 tx_power,
1709 				      u32 min_interval, u32 max_interval,
1710 				      u8 mesh_handle)
1711 {
1712 	struct adv_info *adv;
1713 
1714 	adv = hci_find_adv_instance(hdev, instance);
1715 	if (adv) {
1716 		memset(adv->adv_data, 0, sizeof(adv->adv_data));
1717 		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
1718 		memset(adv->per_adv_data, 0, sizeof(adv->per_adv_data));
1719 	} else {
1720 		if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets ||
1721 		    instance < 1 || instance > hdev->le_num_of_adv_sets + 1)
1722 			return ERR_PTR(-EOVERFLOW);
1723 
1724 		adv = kzalloc(sizeof(*adv), GFP_KERNEL);
1725 		if (!adv)
1726 			return ERR_PTR(-ENOMEM);
1727 
1728 		adv->pending = true;
1729 		adv->instance = instance;
1730 		list_add(&adv->list, &hdev->adv_instances);
1731 		hdev->adv_instance_cnt++;
1732 	}
1733 
1734 	adv->flags = flags;
1735 	adv->min_interval = min_interval;
1736 	adv->max_interval = max_interval;
1737 	adv->tx_power = tx_power;
1738 	/* Defining a mesh_handle changes the timing units to ms,
1739 	 * rather than seconds, and ties the instance to the requested
1740 	 * mesh_tx queue.
1741 	 */
1742 	adv->mesh = mesh_handle;
1743 
1744 	hci_set_adv_instance_data(hdev, instance, adv_data_len, adv_data,
1745 				  scan_rsp_len, scan_rsp_data);
1746 
1747 	adv->timeout = timeout;
1748 	adv->remaining_time = timeout;
1749 
1750 	if (duration == 0)
1751 		adv->duration = hdev->def_multi_adv_rotation_duration;
1752 	else
1753 		adv->duration = duration;
1754 
1755 	INIT_DELAYED_WORK(&adv->rpa_expired_cb, adv_instance_rpa_expired);
1756 
1757 	BT_DBG("%s for %dMR", hdev->name, instance);
1758 
1759 	return adv;
1760 }
1761 
1762 /* This function requires the caller holds hdev->lock */
1763 struct adv_info *hci_add_per_instance(struct hci_dev *hdev, u8 instance,
1764 				      u32 flags, u8 data_len, u8 *data,
1765 				      u32 min_interval, u32 max_interval)
1766 {
1767 	struct adv_info *adv;
1768 
1769 	adv = hci_add_adv_instance(hdev, instance, flags, 0, NULL, 0, NULL,
1770 				   0, 0, HCI_ADV_TX_POWER_NO_PREFERENCE,
1771 				   min_interval, max_interval, 0);
1772 	if (IS_ERR(adv))
1773 		return adv;
1774 
1775 	adv->periodic = true;
1776 	adv->per_adv_data_len = data_len;
1777 
1778 	if (data)
1779 		memcpy(adv->per_adv_data, data, data_len);
1780 
1781 	return adv;
1782 }
1783 
1784 /* This function requires the caller holds hdev->lock */
1785 int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance,
1786 			      u16 adv_data_len, u8 *adv_data,
1787 			      u16 scan_rsp_len, u8 *scan_rsp_data)
1788 {
1789 	struct adv_info *adv;
1790 
1791 	adv = hci_find_adv_instance(hdev, instance);
1792 
1793 	/* If advertisement doesn't exist, we can't modify its data */
1794 	if (!adv)
1795 		return -ENOENT;
1796 
1797 	if (adv_data_len && ADV_DATA_CMP(adv, adv_data, adv_data_len)) {
1798 		memset(adv->adv_data, 0, sizeof(adv->adv_data));
1799 		memcpy(adv->adv_data, adv_data, adv_data_len);
1800 		adv->adv_data_len = adv_data_len;
1801 		adv->adv_data_changed = true;
1802 	}
1803 
1804 	if (scan_rsp_len && SCAN_RSP_CMP(adv, scan_rsp_data, scan_rsp_len)) {
1805 		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
1806 		memcpy(adv->scan_rsp_data, scan_rsp_data, scan_rsp_len);
1807 		adv->scan_rsp_len = scan_rsp_len;
1808 		adv->scan_rsp_changed = true;
1809 	}
1810 
1811 	/* Mark as changed if there are flags which would affect it */
1812 	if (((adv->flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) ||
1813 	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
1814 		adv->scan_rsp_changed = true;
1815 
1816 	return 0;
1817 }
1818 
1819 /* This function requires the caller holds hdev->lock */
1820 u32 hci_adv_instance_flags(struct hci_dev *hdev, u8 instance)
1821 {
1822 	u32 flags;
1823 	struct adv_info *adv;
1824 
1825 	if (instance == 0x00) {
1826 		/* Instance 0 always manages the "Tx Power" and "Flags"
1827 		 * fields
1828 		 */
1829 		flags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS;
1830 
1831 		/* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting
1832 		 * corresponds to the "connectable" instance flag.
1833 		 */
1834 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE))
1835 			flags |= MGMT_ADV_FLAG_CONNECTABLE;
1836 
1837 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
1838 			flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
1839 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
1840 			flags |= MGMT_ADV_FLAG_DISCOV;
1841 
1842 		return flags;
1843 	}
1844 
1845 	adv = hci_find_adv_instance(hdev, instance);
1846 
1847 	/* Return 0 when we got an invalid instance identifier. */
1848 	if (!adv)
1849 		return 0;
1850 
1851 	return adv->flags;
1852 }
1853 
1854 bool hci_adv_instance_is_scannable(struct hci_dev *hdev, u8 instance)
1855 {
1856 	struct adv_info *adv;
1857 
1858 	/* Instance 0x00 always set local name */
1859 	if (instance == 0x00)
1860 		return true;
1861 
1862 	adv = hci_find_adv_instance(hdev, instance);
1863 	if (!adv)
1864 		return false;
1865 
1866 	if (adv->flags & MGMT_ADV_FLAG_APPEARANCE ||
1867 	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
1868 		return true;
1869 
1870 	return adv->scan_rsp_len ? true : false;
1871 }
1872 
1873 /* This function requires the caller holds hdev->lock */
1874 void hci_adv_monitors_clear(struct hci_dev *hdev)
1875 {
1876 	struct adv_monitor *monitor;
1877 	int handle;
1878 
1879 	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
1880 		hci_free_adv_monitor(hdev, monitor);
1881 
1882 	idr_destroy(&hdev->adv_monitors_idr);
1883 }
1884 
1885 /* Frees the monitor structure and do some bookkeepings.
1886  * This function requires the caller holds hdev->lock.
1887  */
1888 void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1889 {
1890 	struct adv_pattern *pattern;
1891 	struct adv_pattern *tmp;
1892 
1893 	if (!monitor)
1894 		return;
1895 
1896 	list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) {
1897 		list_del(&pattern->list);
1898 		kfree(pattern);
1899 	}
1900 
1901 	if (monitor->handle)
1902 		idr_remove(&hdev->adv_monitors_idr, monitor->handle);
1903 
1904 	if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) {
1905 		hdev->adv_monitors_cnt--;
1906 		mgmt_adv_monitor_removed(hdev, monitor->handle);
1907 	}
1908 
1909 	kfree(monitor);
1910 }
1911 
1912 /* Assigns handle to a monitor, and if offloading is supported and power is on,
1913  * also attempts to forward the request to the controller.
1914  * This function requires the caller holds hci_req_sync_lock.
1915  */
1916 int hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1917 {
1918 	int min, max, handle;
1919 	int status = 0;
1920 
1921 	if (!monitor)
1922 		return -EINVAL;
1923 
1924 	hci_dev_lock(hdev);
1925 
1926 	min = HCI_MIN_ADV_MONITOR_HANDLE;
1927 	max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES;
1928 	handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max,
1929 			   GFP_KERNEL);
1930 
1931 	hci_dev_unlock(hdev);
1932 
1933 	if (handle < 0)
1934 		return handle;
1935 
1936 	monitor->handle = handle;
1937 
1938 	if (!hdev_is_powered(hdev))
1939 		return status;
1940 
1941 	switch (hci_get_adv_monitor_offload_ext(hdev)) {
1942 	case HCI_ADV_MONITOR_EXT_NONE:
1943 		bt_dev_dbg(hdev, "add monitor %d status %d",
1944 			   monitor->handle, status);
1945 		/* Message was not forwarded to controller - not an error */
1946 		break;
1947 
1948 	case HCI_ADV_MONITOR_EXT_MSFT:
1949 		status = msft_add_monitor_pattern(hdev, monitor);
1950 		bt_dev_dbg(hdev, "add monitor %d msft status %d",
1951 			   handle, status);
1952 		break;
1953 	}
1954 
1955 	return status;
1956 }
1957 
1958 /* Attempts to tell the controller and free the monitor. If somehow the
1959  * controller doesn't have a corresponding handle, remove anyway.
1960  * This function requires the caller holds hci_req_sync_lock.
1961  */
1962 static int hci_remove_adv_monitor(struct hci_dev *hdev,
1963 				  struct adv_monitor *monitor)
1964 {
1965 	int status = 0;
1966 	int handle;
1967 
1968 	switch (hci_get_adv_monitor_offload_ext(hdev)) {
1969 	case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
1970 		bt_dev_dbg(hdev, "remove monitor %d status %d",
1971 			   monitor->handle, status);
1972 		goto free_monitor;
1973 
1974 	case HCI_ADV_MONITOR_EXT_MSFT:
1975 		handle = monitor->handle;
1976 		status = msft_remove_monitor(hdev, monitor);
1977 		bt_dev_dbg(hdev, "remove monitor %d msft status %d",
1978 			   handle, status);
1979 		break;
1980 	}
1981 
1982 	/* In case no matching handle registered, just free the monitor */
1983 	if (status == -ENOENT)
1984 		goto free_monitor;
1985 
1986 	return status;
1987 
1988 free_monitor:
1989 	if (status == -ENOENT)
1990 		bt_dev_warn(hdev, "Removing monitor with no matching handle %d",
1991 			    monitor->handle);
1992 	hci_free_adv_monitor(hdev, monitor);
1993 
1994 	return status;
1995 }
1996 
1997 /* This function requires the caller holds hci_req_sync_lock */
1998 int hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle)
1999 {
2000 	struct adv_monitor *monitor = idr_find(&hdev->adv_monitors_idr, handle);
2001 
2002 	if (!monitor)
2003 		return -EINVAL;
2004 
2005 	return hci_remove_adv_monitor(hdev, monitor);
2006 }
2007 
2008 /* This function requires the caller holds hci_req_sync_lock */
2009 int hci_remove_all_adv_monitor(struct hci_dev *hdev)
2010 {
2011 	struct adv_monitor *monitor;
2012 	int idr_next_id = 0;
2013 	int status = 0;
2014 
2015 	while (1) {
2016 		monitor = idr_get_next(&hdev->adv_monitors_idr, &idr_next_id);
2017 		if (!monitor)
2018 			break;
2019 
2020 		status = hci_remove_adv_monitor(hdev, monitor);
2021 		if (status)
2022 			return status;
2023 
2024 		idr_next_id++;
2025 	}
2026 
2027 	return status;
2028 }
2029 
2030 /* This function requires the caller holds hdev->lock */
2031 bool hci_is_adv_monitoring(struct hci_dev *hdev)
2032 {
2033 	return !idr_is_empty(&hdev->adv_monitors_idr);
2034 }
2035 
2036 int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev)
2037 {
2038 	if (msft_monitor_supported(hdev))
2039 		return HCI_ADV_MONITOR_EXT_MSFT;
2040 
2041 	return HCI_ADV_MONITOR_EXT_NONE;
2042 }
2043 
2044 struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2045 					 bdaddr_t *bdaddr, u8 type)
2046 {
2047 	struct bdaddr_list *b;
2048 
2049 	list_for_each_entry(b, bdaddr_list, list) {
2050 		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2051 			return b;
2052 	}
2053 
2054 	return NULL;
2055 }
2056 
2057 struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
2058 				struct list_head *bdaddr_list, bdaddr_t *bdaddr,
2059 				u8 type)
2060 {
2061 	struct bdaddr_list_with_irk *b;
2062 
2063 	list_for_each_entry(b, bdaddr_list, list) {
2064 		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2065 			return b;
2066 	}
2067 
2068 	return NULL;
2069 }
2070 
2071 struct bdaddr_list_with_flags *
2072 hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list,
2073 				  bdaddr_t *bdaddr, u8 type)
2074 {
2075 	struct bdaddr_list_with_flags *b;
2076 
2077 	list_for_each_entry(b, bdaddr_list, list) {
2078 		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2079 			return b;
2080 	}
2081 
2082 	return NULL;
2083 }
2084 
2085 void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2086 {
2087 	struct bdaddr_list *b, *n;
2088 
2089 	list_for_each_entry_safe(b, n, bdaddr_list, list) {
2090 		list_del(&b->list);
2091 		kfree(b);
2092 	}
2093 }
2094 
2095 int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2096 {
2097 	struct bdaddr_list *entry;
2098 
2099 	if (!bacmp(bdaddr, BDADDR_ANY))
2100 		return -EBADF;
2101 
2102 	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2103 		return -EEXIST;
2104 
2105 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2106 	if (!entry)
2107 		return -ENOMEM;
2108 
2109 	bacpy(&entry->bdaddr, bdaddr);
2110 	entry->bdaddr_type = type;
2111 
2112 	list_add(&entry->list, list);
2113 
2114 	return 0;
2115 }
2116 
2117 int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2118 					u8 type, u8 *peer_irk, u8 *local_irk)
2119 {
2120 	struct bdaddr_list_with_irk *entry;
2121 
2122 	if (!bacmp(bdaddr, BDADDR_ANY))
2123 		return -EBADF;
2124 
2125 	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2126 		return -EEXIST;
2127 
2128 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2129 	if (!entry)
2130 		return -ENOMEM;
2131 
2132 	bacpy(&entry->bdaddr, bdaddr);
2133 	entry->bdaddr_type = type;
2134 
2135 	if (peer_irk)
2136 		memcpy(entry->peer_irk, peer_irk, 16);
2137 
2138 	if (local_irk)
2139 		memcpy(entry->local_irk, local_irk, 16);
2140 
2141 	list_add(&entry->list, list);
2142 
2143 	return 0;
2144 }
2145 
2146 int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr,
2147 				   u8 type, u32 flags)
2148 {
2149 	struct bdaddr_list_with_flags *entry;
2150 
2151 	if (!bacmp(bdaddr, BDADDR_ANY))
2152 		return -EBADF;
2153 
2154 	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2155 		return -EEXIST;
2156 
2157 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2158 	if (!entry)
2159 		return -ENOMEM;
2160 
2161 	bacpy(&entry->bdaddr, bdaddr);
2162 	entry->bdaddr_type = type;
2163 	entry->flags = flags;
2164 
2165 	list_add(&entry->list, list);
2166 
2167 	return 0;
2168 }
2169 
2170 int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2171 {
2172 	struct bdaddr_list *entry;
2173 
2174 	if (!bacmp(bdaddr, BDADDR_ANY)) {
2175 		hci_bdaddr_list_clear(list);
2176 		return 0;
2177 	}
2178 
2179 	entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2180 	if (!entry)
2181 		return -ENOENT;
2182 
2183 	list_del(&entry->list);
2184 	kfree(entry);
2185 
2186 	return 0;
2187 }
2188 
2189 int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2190 							u8 type)
2191 {
2192 	struct bdaddr_list_with_irk *entry;
2193 
2194 	if (!bacmp(bdaddr, BDADDR_ANY)) {
2195 		hci_bdaddr_list_clear(list);
2196 		return 0;
2197 	}
2198 
2199 	entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
2200 	if (!entry)
2201 		return -ENOENT;
2202 
2203 	list_del(&entry->list);
2204 	kfree(entry);
2205 
2206 	return 0;
2207 }
2208 
2209 int hci_bdaddr_list_del_with_flags(struct list_head *list, bdaddr_t *bdaddr,
2210 				   u8 type)
2211 {
2212 	struct bdaddr_list_with_flags *entry;
2213 
2214 	if (!bacmp(bdaddr, BDADDR_ANY)) {
2215 		hci_bdaddr_list_clear(list);
2216 		return 0;
2217 	}
2218 
2219 	entry = hci_bdaddr_list_lookup_with_flags(list, bdaddr, type);
2220 	if (!entry)
2221 		return -ENOENT;
2222 
2223 	list_del(&entry->list);
2224 	kfree(entry);
2225 
2226 	return 0;
2227 }
2228 
2229 /* This function requires the caller holds hdev->lock */
2230 struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2231 					       bdaddr_t *addr, u8 addr_type)
2232 {
2233 	struct hci_conn_params *params;
2234 
2235 	list_for_each_entry(params, &hdev->le_conn_params, list) {
2236 		if (bacmp(&params->addr, addr) == 0 &&
2237 		    params->addr_type == addr_type) {
2238 			return params;
2239 		}
2240 	}
2241 
2242 	return NULL;
2243 }
2244 
2245 /* This function requires the caller holds hdev->lock or rcu_read_lock */
2246 struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2247 						  bdaddr_t *addr, u8 addr_type)
2248 {
2249 	struct hci_conn_params *param;
2250 
2251 	rcu_read_lock();
2252 
2253 	list_for_each_entry_rcu(param, list, action) {
2254 		if (bacmp(&param->addr, addr) == 0 &&
2255 		    param->addr_type == addr_type) {
2256 			rcu_read_unlock();
2257 			return param;
2258 		}
2259 	}
2260 
2261 	rcu_read_unlock();
2262 
2263 	return NULL;
2264 }
2265 
2266 /* This function requires the caller holds hdev->lock */
2267 void hci_pend_le_list_del_init(struct hci_conn_params *param)
2268 {
2269 	if (list_empty(&param->action))
2270 		return;
2271 
2272 	list_del_rcu(&param->action);
2273 	synchronize_rcu();
2274 	INIT_LIST_HEAD(&param->action);
2275 }
2276 
2277 /* This function requires the caller holds hdev->lock */
2278 void hci_pend_le_list_add(struct hci_conn_params *param,
2279 			  struct list_head *list)
2280 {
2281 	list_add_rcu(&param->action, list);
2282 }
2283 
2284 /* This function requires the caller holds hdev->lock */
2285 struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2286 					    bdaddr_t *addr, u8 addr_type)
2287 {
2288 	struct hci_conn_params *params;
2289 
2290 	params = hci_conn_params_lookup(hdev, addr, addr_type);
2291 	if (params)
2292 		return params;
2293 
2294 	params = kzalloc(sizeof(*params), GFP_KERNEL);
2295 	if (!params) {
2296 		bt_dev_err(hdev, "out of memory");
2297 		return NULL;
2298 	}
2299 
2300 	bacpy(&params->addr, addr);
2301 	params->addr_type = addr_type;
2302 
2303 	list_add(&params->list, &hdev->le_conn_params);
2304 	INIT_LIST_HEAD(&params->action);
2305 
2306 	params->conn_min_interval = hdev->le_conn_min_interval;
2307 	params->conn_max_interval = hdev->le_conn_max_interval;
2308 	params->conn_latency = hdev->le_conn_latency;
2309 	params->supervision_timeout = hdev->le_supv_timeout;
2310 	params->auto_connect = HCI_AUTO_CONN_DISABLED;
2311 
2312 	BT_DBG("addr %pMR (type %u)", addr, addr_type);
2313 
2314 	return params;
2315 }
2316 
2317 void hci_conn_params_free(struct hci_conn_params *params)
2318 {
2319 	hci_pend_le_list_del_init(params);
2320 
2321 	if (params->conn) {
2322 		hci_conn_drop(params->conn);
2323 		hci_conn_put(params->conn);
2324 	}
2325 
2326 	list_del(&params->list);
2327 	kfree(params);
2328 }
2329 
2330 /* This function requires the caller holds hdev->lock */
2331 void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2332 {
2333 	struct hci_conn_params *params;
2334 
2335 	params = hci_conn_params_lookup(hdev, addr, addr_type);
2336 	if (!params)
2337 		return;
2338 
2339 	hci_conn_params_free(params);
2340 
2341 	hci_update_passive_scan(hdev);
2342 
2343 	BT_DBG("addr %pMR (type %u)", addr, addr_type);
2344 }
2345 
2346 /* This function requires the caller holds hdev->lock */
2347 void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2348 {
2349 	struct hci_conn_params *params, *tmp;
2350 
2351 	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2352 		if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2353 			continue;
2354 
2355 		/* If trying to establish one time connection to disabled
2356 		 * device, leave the params, but mark them as just once.
2357 		 */
2358 		if (params->explicit_connect) {
2359 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2360 			continue;
2361 		}
2362 
2363 		hci_conn_params_free(params);
2364 	}
2365 
2366 	BT_DBG("All LE disabled connection parameters were removed");
2367 }
2368 
2369 /* This function requires the caller holds hdev->lock */
2370 static void hci_conn_params_clear_all(struct hci_dev *hdev)
2371 {
2372 	struct hci_conn_params *params, *tmp;
2373 
2374 	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2375 		hci_conn_params_free(params);
2376 
2377 	BT_DBG("All LE connection parameters were removed");
2378 }
2379 
2380 /* Copy the Identity Address of the controller.
2381  *
2382  * If the controller has a public BD_ADDR, then by default use that one.
2383  * If this is a LE only controller without a public address, default to
2384  * the static random address.
2385  *
2386  * For debugging purposes it is possible to force controllers with a
2387  * public address to use the static random address instead.
2388  *
2389  * In case BR/EDR has been disabled on a dual-mode controller and
2390  * userspace has configured a static address, then that address
2391  * becomes the identity address instead of the public BR/EDR address.
2392  */
2393 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2394 			       u8 *bdaddr_type)
2395 {
2396 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2397 	    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2398 	    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2399 	     bacmp(&hdev->static_addr, BDADDR_ANY))) {
2400 		bacpy(bdaddr, &hdev->static_addr);
2401 		*bdaddr_type = ADDR_LE_DEV_RANDOM;
2402 	} else {
2403 		bacpy(bdaddr, &hdev->bdaddr);
2404 		*bdaddr_type = ADDR_LE_DEV_PUBLIC;
2405 	}
2406 }
2407 
2408 static void hci_clear_wake_reason(struct hci_dev *hdev)
2409 {
2410 	hci_dev_lock(hdev);
2411 
2412 	hdev->wake_reason = 0;
2413 	bacpy(&hdev->wake_addr, BDADDR_ANY);
2414 	hdev->wake_addr_type = 0;
2415 
2416 	hci_dev_unlock(hdev);
2417 }
2418 
2419 static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
2420 				void *data)
2421 {
2422 	struct hci_dev *hdev =
2423 		container_of(nb, struct hci_dev, suspend_notifier);
2424 	int ret = 0;
2425 
2426 	/* Userspace has full control of this device. Do nothing. */
2427 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
2428 		return NOTIFY_DONE;
2429 
2430 	/* To avoid a potential race with hci_unregister_dev. */
2431 	hci_dev_hold(hdev);
2432 
2433 	if (action == PM_SUSPEND_PREPARE)
2434 		ret = hci_suspend_dev(hdev);
2435 	else if (action == PM_POST_SUSPEND)
2436 		ret = hci_resume_dev(hdev);
2437 
2438 	if (ret)
2439 		bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d",
2440 			   action, ret);
2441 
2442 	hci_dev_put(hdev);
2443 	return NOTIFY_DONE;
2444 }
2445 
2446 /* Alloc HCI device */
2447 struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
2448 {
2449 	struct hci_dev *hdev;
2450 	unsigned int alloc_size;
2451 
2452 	alloc_size = sizeof(*hdev);
2453 	if (sizeof_priv) {
2454 		/* Fixme: May need ALIGN-ment? */
2455 		alloc_size += sizeof_priv;
2456 	}
2457 
2458 	hdev = kzalloc(alloc_size, GFP_KERNEL);
2459 	if (!hdev)
2460 		return NULL;
2461 
2462 	hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2463 	hdev->esco_type = (ESCO_HV1);
2464 	hdev->link_mode = (HCI_LM_ACCEPT);
2465 	hdev->num_iac = 0x01;		/* One IAC support is mandatory */
2466 	hdev->io_capability = 0x03;	/* No Input No Output */
2467 	hdev->manufacturer = 0xffff;	/* Default to internal use */
2468 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2469 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2470 	hdev->adv_instance_cnt = 0;
2471 	hdev->cur_adv_instance = 0x00;
2472 	hdev->adv_instance_timeout = 0;
2473 
2474 	hdev->advmon_allowlist_duration = 300;
2475 	hdev->advmon_no_filter_duration = 500;
2476 	hdev->enable_advmon_interleave_scan = 0x00;	/* Default to disable */
2477 
2478 	hdev->sniff_max_interval = 800;
2479 	hdev->sniff_min_interval = 80;
2480 
2481 	hdev->le_adv_channel_map = 0x07;
2482 	hdev->le_adv_min_interval = 0x0800;
2483 	hdev->le_adv_max_interval = 0x0800;
2484 	hdev->le_scan_interval = 0x0060;
2485 	hdev->le_scan_window = 0x0030;
2486 	hdev->le_scan_int_suspend = 0x0400;
2487 	hdev->le_scan_window_suspend = 0x0012;
2488 	hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT;
2489 	hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN;
2490 	hdev->le_scan_int_adv_monitor = 0x0060;
2491 	hdev->le_scan_window_adv_monitor = 0x0030;
2492 	hdev->le_scan_int_connect = 0x0060;
2493 	hdev->le_scan_window_connect = 0x0060;
2494 	hdev->le_conn_min_interval = 0x0018;
2495 	hdev->le_conn_max_interval = 0x0028;
2496 	hdev->le_conn_latency = 0x0000;
2497 	hdev->le_supv_timeout = 0x002a;
2498 	hdev->le_def_tx_len = 0x001b;
2499 	hdev->le_def_tx_time = 0x0148;
2500 	hdev->le_max_tx_len = 0x001b;
2501 	hdev->le_max_tx_time = 0x0148;
2502 	hdev->le_max_rx_len = 0x001b;
2503 	hdev->le_max_rx_time = 0x0148;
2504 	hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
2505 	hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
2506 	hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
2507 	hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
2508 	hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
2509 	hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION;
2510 	hdev->def_le_autoconnect_timeout = HCI_LE_AUTOCONN_TIMEOUT;
2511 	hdev->min_le_tx_power = HCI_TX_POWER_INVALID;
2512 	hdev->max_le_tx_power = HCI_TX_POWER_INVALID;
2513 
2514 	hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2515 	hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2516 	hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2517 	hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2518 	hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
2519 	hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;
2520 
2521 	/* default 1.28 sec page scan */
2522 	hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD;
2523 	hdev->def_page_scan_int = 0x0800;
2524 	hdev->def_page_scan_window = 0x0012;
2525 
2526 	mutex_init(&hdev->lock);
2527 	mutex_init(&hdev->req_lock);
2528 
2529 	ida_init(&hdev->unset_handle_ida);
2530 
2531 	INIT_LIST_HEAD(&hdev->mesh_pending);
2532 	INIT_LIST_HEAD(&hdev->mgmt_pending);
2533 	INIT_LIST_HEAD(&hdev->reject_list);
2534 	INIT_LIST_HEAD(&hdev->accept_list);
2535 	INIT_LIST_HEAD(&hdev->uuids);
2536 	INIT_LIST_HEAD(&hdev->link_keys);
2537 	INIT_LIST_HEAD(&hdev->long_term_keys);
2538 	INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2539 	INIT_LIST_HEAD(&hdev->remote_oob_data);
2540 	INIT_LIST_HEAD(&hdev->le_accept_list);
2541 	INIT_LIST_HEAD(&hdev->le_resolv_list);
2542 	INIT_LIST_HEAD(&hdev->le_conn_params);
2543 	INIT_LIST_HEAD(&hdev->pend_le_conns);
2544 	INIT_LIST_HEAD(&hdev->pend_le_reports);
2545 	INIT_LIST_HEAD(&hdev->conn_hash.list);
2546 	INIT_LIST_HEAD(&hdev->adv_instances);
2547 	INIT_LIST_HEAD(&hdev->blocked_keys);
2548 	INIT_LIST_HEAD(&hdev->monitored_devices);
2549 
2550 	INIT_LIST_HEAD(&hdev->local_codecs);
2551 	INIT_WORK(&hdev->rx_work, hci_rx_work);
2552 	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2553 	INIT_WORK(&hdev->tx_work, hci_tx_work);
2554 	INIT_WORK(&hdev->power_on, hci_power_on);
2555 	INIT_WORK(&hdev->error_reset, hci_error_reset);
2556 
2557 	hci_cmd_sync_init(hdev);
2558 
2559 	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2560 
2561 	skb_queue_head_init(&hdev->rx_q);
2562 	skb_queue_head_init(&hdev->cmd_q);
2563 	skb_queue_head_init(&hdev->raw_q);
2564 
2565 	init_waitqueue_head(&hdev->req_wait_q);
2566 
2567 	INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
2568 	INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);
2569 
2570 	hci_devcd_setup(hdev);
2571 	hci_request_setup(hdev);
2572 
2573 	hci_init_sysfs(hdev);
2574 	discovery_init(hdev);
2575 
2576 	return hdev;
2577 }
2578 EXPORT_SYMBOL(hci_alloc_dev_priv);
2579 
2580 /* Free HCI device */
2581 void hci_free_dev(struct hci_dev *hdev)
2582 {
2583 	/* will free via device release */
2584 	put_device(&hdev->dev);
2585 }
2586 EXPORT_SYMBOL(hci_free_dev);
2587 
2588 /* Register HCI device */
2589 int hci_register_dev(struct hci_dev *hdev)
2590 {
2591 	int id, error;
2592 
2593 	if (!hdev->open || !hdev->close || !hdev->send)
2594 		return -EINVAL;
2595 
2596 	id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL);
2597 	if (id < 0)
2598 		return id;
2599 
2600 	error = dev_set_name(&hdev->dev, "hci%u", id);
2601 	if (error)
2602 		return error;
2603 
2604 	hdev->name = dev_name(&hdev->dev);
2605 	hdev->id = id;
2606 
2607 	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2608 
2609 	hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
2610 	if (!hdev->workqueue) {
2611 		error = -ENOMEM;
2612 		goto err;
2613 	}
2614 
2615 	hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
2616 						      hdev->name);
2617 	if (!hdev->req_workqueue) {
2618 		destroy_workqueue(hdev->workqueue);
2619 		error = -ENOMEM;
2620 		goto err;
2621 	}
2622 
2623 	if (!IS_ERR_OR_NULL(bt_debugfs))
2624 		hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
2625 
2626 	error = device_add(&hdev->dev);
2627 	if (error < 0)
2628 		goto err_wqueue;
2629 
2630 	hci_leds_init(hdev);
2631 
2632 	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2633 				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2634 				    hdev);
2635 	if (hdev->rfkill) {
2636 		if (rfkill_register(hdev->rfkill) < 0) {
2637 			rfkill_destroy(hdev->rfkill);
2638 			hdev->rfkill = NULL;
2639 		}
2640 	}
2641 
2642 	if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
2643 		hci_dev_set_flag(hdev, HCI_RFKILLED);
2644 
2645 	hci_dev_set_flag(hdev, HCI_SETUP);
2646 	hci_dev_set_flag(hdev, HCI_AUTO_OFF);
2647 
2648 	/* Assume BR/EDR support until proven otherwise (such as
2649 	 * through reading supported features during init.
2650 	 */
2651 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
2652 
2653 	write_lock(&hci_dev_list_lock);
2654 	list_add(&hdev->list, &hci_dev_list);
2655 	write_unlock(&hci_dev_list_lock);
2656 
2657 	/* Devices that are marked for raw-only usage are unconfigured
2658 	 * and should not be included in normal operation.
2659 	 */
2660 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
2661 		hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
2662 
2663 	/* Mark Remote Wakeup connection flag as supported if driver has wakeup
2664 	 * callback.
2665 	 */
2666 	if (hdev->wakeup)
2667 		hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP;
2668 
2669 	hci_sock_dev_event(hdev, HCI_DEV_REG);
2670 	hci_dev_hold(hdev);
2671 
2672 	error = hci_register_suspend_notifier(hdev);
2673 	if (error)
2674 		BT_WARN("register suspend notifier failed error:%d\n", error);
2675 
2676 	queue_work(hdev->req_workqueue, &hdev->power_on);
2677 
2678 	idr_init(&hdev->adv_monitors_idr);
2679 	msft_register(hdev);
2680 
2681 	return id;
2682 
2683 err_wqueue:
2684 	debugfs_remove_recursive(hdev->debugfs);
2685 	destroy_workqueue(hdev->workqueue);
2686 	destroy_workqueue(hdev->req_workqueue);
2687 err:
2688 	ida_free(&hci_index_ida, hdev->id);
2689 
2690 	return error;
2691 }
2692 EXPORT_SYMBOL(hci_register_dev);
2693 
2694 /* Unregister HCI device */
2695 void hci_unregister_dev(struct hci_dev *hdev)
2696 {
2697 	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2698 
2699 	mutex_lock(&hdev->unregister_lock);
2700 	hci_dev_set_flag(hdev, HCI_UNREGISTER);
2701 	mutex_unlock(&hdev->unregister_lock);
2702 
2703 	write_lock(&hci_dev_list_lock);
2704 	list_del(&hdev->list);
2705 	write_unlock(&hci_dev_list_lock);
2706 
2707 	cancel_work_sync(&hdev->power_on);
2708 
2709 	hci_cmd_sync_clear(hdev);
2710 
2711 	hci_unregister_suspend_notifier(hdev);
2712 
2713 	hci_dev_do_close(hdev);
2714 
2715 	if (!test_bit(HCI_INIT, &hdev->flags) &&
2716 	    !hci_dev_test_flag(hdev, HCI_SETUP) &&
2717 	    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
2718 		hci_dev_lock(hdev);
2719 		mgmt_index_removed(hdev);
2720 		hci_dev_unlock(hdev);
2721 	}
2722 
2723 	/* mgmt_index_removed should take care of emptying the
2724 	 * pending list */
2725 	BUG_ON(!list_empty(&hdev->mgmt_pending));
2726 
2727 	hci_sock_dev_event(hdev, HCI_DEV_UNREG);
2728 
2729 	if (hdev->rfkill) {
2730 		rfkill_unregister(hdev->rfkill);
2731 		rfkill_destroy(hdev->rfkill);
2732 	}
2733 
2734 	device_del(&hdev->dev);
2735 	/* Actual cleanup is deferred until hci_release_dev(). */
2736 	hci_dev_put(hdev);
2737 }
2738 EXPORT_SYMBOL(hci_unregister_dev);
2739 
2740 /* Release HCI device */
2741 void hci_release_dev(struct hci_dev *hdev)
2742 {
2743 	debugfs_remove_recursive(hdev->debugfs);
2744 	kfree_const(hdev->hw_info);
2745 	kfree_const(hdev->fw_info);
2746 
2747 	destroy_workqueue(hdev->workqueue);
2748 	destroy_workqueue(hdev->req_workqueue);
2749 
2750 	hci_dev_lock(hdev);
2751 	hci_bdaddr_list_clear(&hdev->reject_list);
2752 	hci_bdaddr_list_clear(&hdev->accept_list);
2753 	hci_uuids_clear(hdev);
2754 	hci_link_keys_clear(hdev);
2755 	hci_smp_ltks_clear(hdev);
2756 	hci_smp_irks_clear(hdev);
2757 	hci_remote_oob_data_clear(hdev);
2758 	hci_adv_instances_clear(hdev);
2759 	hci_adv_monitors_clear(hdev);
2760 	hci_bdaddr_list_clear(&hdev->le_accept_list);
2761 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
2762 	hci_conn_params_clear_all(hdev);
2763 	hci_discovery_filter_clear(hdev);
2764 	hci_blocked_keys_clear(hdev);
2765 	hci_codec_list_clear(&hdev->local_codecs);
2766 	msft_release(hdev);
2767 	hci_dev_unlock(hdev);
2768 
2769 	ida_destroy(&hdev->unset_handle_ida);
2770 	ida_free(&hci_index_ida, hdev->id);
2771 	kfree_skb(hdev->sent_cmd);
2772 	kfree_skb(hdev->req_skb);
2773 	kfree_skb(hdev->recv_event);
2774 	kfree(hdev);
2775 }
2776 EXPORT_SYMBOL(hci_release_dev);
2777 
2778 int hci_register_suspend_notifier(struct hci_dev *hdev)
2779 {
2780 	int ret = 0;
2781 
2782 	if (!hdev->suspend_notifier.notifier_call &&
2783 	    !test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) {
2784 		hdev->suspend_notifier.notifier_call = hci_suspend_notifier;
2785 		ret = register_pm_notifier(&hdev->suspend_notifier);
2786 	}
2787 
2788 	return ret;
2789 }
2790 
2791 int hci_unregister_suspend_notifier(struct hci_dev *hdev)
2792 {
2793 	int ret = 0;
2794 
2795 	if (hdev->suspend_notifier.notifier_call) {
2796 		ret = unregister_pm_notifier(&hdev->suspend_notifier);
2797 		if (!ret)
2798 			hdev->suspend_notifier.notifier_call = NULL;
2799 	}
2800 
2801 	return ret;
2802 }
2803 
2804 /* Cancel ongoing command synchronously:
2805  *
2806  * - Cancel command timer
2807  * - Reset command counter
2808  * - Cancel command request
2809  */
2810 static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err)
2811 {
2812 	bt_dev_dbg(hdev, "err 0x%2.2x", err);
2813 
2814 	cancel_delayed_work_sync(&hdev->cmd_timer);
2815 	cancel_delayed_work_sync(&hdev->ncmd_timer);
2816 	atomic_set(&hdev->cmd_cnt, 1);
2817 
2818 	hci_cmd_sync_cancel_sync(hdev, err);
2819 }
2820 
2821 /* Suspend HCI device */
2822 int hci_suspend_dev(struct hci_dev *hdev)
2823 {
2824 	int ret;
2825 
2826 	bt_dev_dbg(hdev, "");
2827 
2828 	/* Suspend should only act on when powered. */
2829 	if (!hdev_is_powered(hdev) ||
2830 	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
2831 		return 0;
2832 
2833 	/* If powering down don't attempt to suspend */
2834 	if (mgmt_powering_down(hdev))
2835 		return 0;
2836 
2837 	/* Cancel potentially blocking sync operation before suspend */
2838 	hci_cancel_cmd_sync(hdev, EHOSTDOWN);
2839 
2840 	hci_req_sync_lock(hdev);
2841 	ret = hci_suspend_sync(hdev);
2842 	hci_req_sync_unlock(hdev);
2843 
2844 	hci_clear_wake_reason(hdev);
2845 	mgmt_suspending(hdev, hdev->suspend_state);
2846 
2847 	hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
2848 	return ret;
2849 }
2850 EXPORT_SYMBOL(hci_suspend_dev);
2851 
2852 /* Resume HCI device */
2853 int hci_resume_dev(struct hci_dev *hdev)
2854 {
2855 	int ret;
2856 
2857 	bt_dev_dbg(hdev, "");
2858 
2859 	/* Resume should only act on when powered. */
2860 	if (!hdev_is_powered(hdev) ||
2861 	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
2862 		return 0;
2863 
2864 	/* If powering down don't attempt to resume */
2865 	if (mgmt_powering_down(hdev))
2866 		return 0;
2867 
2868 	hci_req_sync_lock(hdev);
2869 	ret = hci_resume_sync(hdev);
2870 	hci_req_sync_unlock(hdev);
2871 
2872 	mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr,
2873 		      hdev->wake_addr_type);
2874 
2875 	hci_sock_dev_event(hdev, HCI_DEV_RESUME);
2876 	return ret;
2877 }
2878 EXPORT_SYMBOL(hci_resume_dev);
2879 
2880 /* Reset HCI device */
2881 int hci_reset_dev(struct hci_dev *hdev)
2882 {
2883 	static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
2884 	struct sk_buff *skb;
2885 
2886 	skb = bt_skb_alloc(3, GFP_ATOMIC);
2887 	if (!skb)
2888 		return -ENOMEM;
2889 
2890 	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
2891 	skb_put_data(skb, hw_err, 3);
2892 
2893 	bt_dev_err(hdev, "Injecting HCI hardware error event");
2894 
2895 	/* Send Hardware Error to upper stack */
2896 	return hci_recv_frame(hdev, skb);
2897 }
2898 EXPORT_SYMBOL(hci_reset_dev);
2899 
2900 /* Receive frame from HCI drivers */
2901 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
2902 {
2903 	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2904 		      && !test_bit(HCI_INIT, &hdev->flags))) {
2905 		kfree_skb(skb);
2906 		return -ENXIO;
2907 	}
2908 
2909 	switch (hci_skb_pkt_type(skb)) {
2910 	case HCI_EVENT_PKT:
2911 		break;
2912 	case HCI_ACLDATA_PKT:
2913 		/* Detect if ISO packet has been sent as ACL */
2914 		if (hci_conn_num(hdev, ISO_LINK)) {
2915 			__u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
2916 			__u8 type;
2917 
2918 			type = hci_conn_lookup_type(hdev, hci_handle(handle));
2919 			if (type == ISO_LINK)
2920 				hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
2921 		}
2922 		break;
2923 	case HCI_SCODATA_PKT:
2924 		break;
2925 	case HCI_ISODATA_PKT:
2926 		break;
2927 	default:
2928 		kfree_skb(skb);
2929 		return -EINVAL;
2930 	}
2931 
2932 	/* Incoming skb */
2933 	bt_cb(skb)->incoming = 1;
2934 
2935 	/* Time stamp */
2936 	__net_timestamp(skb);
2937 
2938 	skb_queue_tail(&hdev->rx_q, skb);
2939 	queue_work(hdev->workqueue, &hdev->rx_work);
2940 
2941 	return 0;
2942 }
2943 EXPORT_SYMBOL(hci_recv_frame);
2944 
2945 /* Receive diagnostic message from HCI drivers */
2946 int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
2947 {
2948 	/* Mark as diagnostic packet */
2949 	hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
2950 
2951 	/* Time stamp */
2952 	__net_timestamp(skb);
2953 
2954 	skb_queue_tail(&hdev->rx_q, skb);
2955 	queue_work(hdev->workqueue, &hdev->rx_work);
2956 
2957 	return 0;
2958 }
2959 EXPORT_SYMBOL(hci_recv_diag);
2960 
2961 void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
2962 {
2963 	va_list vargs;
2964 
2965 	va_start(vargs, fmt);
2966 	kfree_const(hdev->hw_info);
2967 	hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
2968 	va_end(vargs);
2969 }
2970 EXPORT_SYMBOL(hci_set_hw_info);
2971 
2972 void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
2973 {
2974 	va_list vargs;
2975 
2976 	va_start(vargs, fmt);
2977 	kfree_const(hdev->fw_info);
2978 	hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
2979 	va_end(vargs);
2980 }
2981 EXPORT_SYMBOL(hci_set_fw_info);
2982 
2983 /* ---- Interface to upper protocols ---- */
2984 
2985 int hci_register_cb(struct hci_cb *cb)
2986 {
2987 	BT_DBG("%p name %s", cb, cb->name);
2988 
2989 	mutex_lock(&hci_cb_list_lock);
2990 	list_add_tail(&cb->list, &hci_cb_list);
2991 	mutex_unlock(&hci_cb_list_lock);
2992 
2993 	return 0;
2994 }
2995 EXPORT_SYMBOL(hci_register_cb);
2996 
2997 int hci_unregister_cb(struct hci_cb *cb)
2998 {
2999 	BT_DBG("%p name %s", cb, cb->name);
3000 
3001 	mutex_lock(&hci_cb_list_lock);
3002 	list_del(&cb->list);
3003 	mutex_unlock(&hci_cb_list_lock);
3004 
3005 	return 0;
3006 }
3007 EXPORT_SYMBOL(hci_unregister_cb);
3008 
3009 static int hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3010 {
3011 	int err;
3012 
3013 	BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3014 	       skb->len);
3015 
3016 	/* Time stamp */
3017 	__net_timestamp(skb);
3018 
3019 	/* Send copy to monitor */
3020 	hci_send_to_monitor(hdev, skb);
3021 
3022 	if (atomic_read(&hdev->promisc)) {
3023 		/* Send copy to the sockets */
3024 		hci_send_to_sock(hdev, skb);
3025 	}
3026 
3027 	/* Get rid of skb owner, prior to sending to the driver. */
3028 	skb_orphan(skb);
3029 
3030 	if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3031 		kfree_skb(skb);
3032 		return -EINVAL;
3033 	}
3034 
3035 	err = hdev->send(hdev, skb);
3036 	if (err < 0) {
3037 		bt_dev_err(hdev, "sending frame failed (%d)", err);
3038 		kfree_skb(skb);
3039 		return err;
3040 	}
3041 
3042 	return 0;
3043 }
3044 
3045 /* Send HCI command */
3046 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3047 		 const void *param)
3048 {
3049 	struct sk_buff *skb;
3050 
3051 	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3052 
3053 	skb = hci_prepare_cmd(hdev, opcode, plen, param);
3054 	if (!skb) {
3055 		bt_dev_err(hdev, "no memory for command");
3056 		return -ENOMEM;
3057 	}
3058 
3059 	/* Stand-alone HCI commands must be flagged as
3060 	 * single-command requests.
3061 	 */
3062 	bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3063 
3064 	skb_queue_tail(&hdev->cmd_q, skb);
3065 	queue_work(hdev->workqueue, &hdev->cmd_work);
3066 
3067 	return 0;
3068 }
3069 
3070 int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
3071 		   const void *param)
3072 {
3073 	struct sk_buff *skb;
3074 
3075 	if (hci_opcode_ogf(opcode) != 0x3f) {
3076 		/* A controller receiving a command shall respond with either
3077 		 * a Command Status Event or a Command Complete Event.
3078 		 * Therefore, all standard HCI commands must be sent via the
3079 		 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
3080 		 * Some vendors do not comply with this rule for vendor-specific
3081 		 * commands and do not return any event. We want to support
3082 		 * unresponded commands for such cases only.
3083 		 */
3084 		bt_dev_err(hdev, "unresponded command not supported");
3085 		return -EINVAL;
3086 	}
3087 
3088 	skb = hci_prepare_cmd(hdev, opcode, plen, param);
3089 	if (!skb) {
3090 		bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
3091 			   opcode);
3092 		return -ENOMEM;
3093 	}
3094 
3095 	hci_send_frame(hdev, skb);
3096 
3097 	return 0;
3098 }
3099 EXPORT_SYMBOL(__hci_cmd_send);
3100 
3101 /* Get data from the previously sent command */
3102 static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode)
3103 {
3104 	struct hci_command_hdr *hdr;
3105 
3106 	if (!skb || skb->len < HCI_COMMAND_HDR_SIZE)
3107 		return NULL;
3108 
3109 	hdr = (void *)skb->data;
3110 
3111 	if (hdr->opcode != cpu_to_le16(opcode))
3112 		return NULL;
3113 
3114 	return skb->data + HCI_COMMAND_HDR_SIZE;
3115 }
3116 
3117 /* Get data from the previously sent command */
3118 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3119 {
3120 	void *data;
3121 
3122 	/* Check if opcode matches last sent command */
3123 	data = hci_cmd_data(hdev->sent_cmd, opcode);
3124 	if (!data)
3125 		/* Check if opcode matches last request */
3126 		data = hci_cmd_data(hdev->req_skb, opcode);
3127 
3128 	return data;
3129 }
3130 
3131 /* Get data from last received event */
3132 void *hci_recv_event_data(struct hci_dev *hdev, __u8 event)
3133 {
3134 	struct hci_event_hdr *hdr;
3135 	int offset;
3136 
3137 	if (!hdev->recv_event)
3138 		return NULL;
3139 
3140 	hdr = (void *)hdev->recv_event->data;
3141 	offset = sizeof(*hdr);
3142 
3143 	if (hdr->evt != event) {
3144 		/* In case of LE metaevent check the subevent match */
3145 		if (hdr->evt == HCI_EV_LE_META) {
3146 			struct hci_ev_le_meta *ev;
3147 
3148 			ev = (void *)hdev->recv_event->data + offset;
3149 			offset += sizeof(*ev);
3150 			if (ev->subevent == event)
3151 				goto found;
3152 		}
3153 		return NULL;
3154 	}
3155 
3156 found:
3157 	bt_dev_dbg(hdev, "event 0x%2.2x", event);
3158 
3159 	return hdev->recv_event->data + offset;
3160 }
3161 
3162 /* Send ACL data */
3163 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3164 {
3165 	struct hci_acl_hdr *hdr;
3166 	int len = skb->len;
3167 
3168 	skb_push(skb, HCI_ACL_HDR_SIZE);
3169 	skb_reset_transport_header(skb);
3170 	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3171 	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3172 	hdr->dlen   = cpu_to_le16(len);
3173 }
3174 
3175 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3176 			  struct sk_buff *skb, __u16 flags)
3177 {
3178 	struct hci_conn *conn = chan->conn;
3179 	struct hci_dev *hdev = conn->hdev;
3180 	struct sk_buff *list;
3181 
3182 	skb->len = skb_headlen(skb);
3183 	skb->data_len = 0;
3184 
3185 	hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3186 
3187 	hci_add_acl_hdr(skb, conn->handle, flags);
3188 
3189 	list = skb_shinfo(skb)->frag_list;
3190 	if (!list) {
3191 		/* Non fragmented */
3192 		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3193 
3194 		skb_queue_tail(queue, skb);
3195 	} else {
3196 		/* Fragmented */
3197 		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3198 
3199 		skb_shinfo(skb)->frag_list = NULL;
3200 
3201 		/* Queue all fragments atomically. We need to use spin_lock_bh
3202 		 * here because of 6LoWPAN links, as there this function is
3203 		 * called from softirq and using normal spin lock could cause
3204 		 * deadlocks.
3205 		 */
3206 		spin_lock_bh(&queue->lock);
3207 
3208 		__skb_queue_tail(queue, skb);
3209 
3210 		flags &= ~ACL_START;
3211 		flags |= ACL_CONT;
3212 		do {
3213 			skb = list; list = list->next;
3214 
3215 			hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3216 			hci_add_acl_hdr(skb, conn->handle, flags);
3217 
3218 			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3219 
3220 			__skb_queue_tail(queue, skb);
3221 		} while (list);
3222 
3223 		spin_unlock_bh(&queue->lock);
3224 	}
3225 }
3226 
3227 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3228 {
3229 	struct hci_dev *hdev = chan->conn->hdev;
3230 
3231 	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3232 
3233 	hci_queue_acl(chan, &chan->data_q, skb, flags);
3234 
3235 	queue_work(hdev->workqueue, &hdev->tx_work);
3236 }
3237 
3238 /* Send SCO data */
3239 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3240 {
3241 	struct hci_dev *hdev = conn->hdev;
3242 	struct hci_sco_hdr hdr;
3243 
3244 	BT_DBG("%s len %d", hdev->name, skb->len);
3245 
3246 	hdr.handle = cpu_to_le16(conn->handle);
3247 	hdr.dlen   = skb->len;
3248 
3249 	skb_push(skb, HCI_SCO_HDR_SIZE);
3250 	skb_reset_transport_header(skb);
3251 	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3252 
3253 	hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3254 
3255 	skb_queue_tail(&conn->data_q, skb);
3256 	queue_work(hdev->workqueue, &hdev->tx_work);
3257 }
3258 
3259 /* Send ISO data */
3260 static void hci_add_iso_hdr(struct sk_buff *skb, __u16 handle, __u8 flags)
3261 {
3262 	struct hci_iso_hdr *hdr;
3263 	int len = skb->len;
3264 
3265 	skb_push(skb, HCI_ISO_HDR_SIZE);
3266 	skb_reset_transport_header(skb);
3267 	hdr = (struct hci_iso_hdr *)skb_transport_header(skb);
3268 	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3269 	hdr->dlen   = cpu_to_le16(len);
3270 }
3271 
3272 static void hci_queue_iso(struct hci_conn *conn, struct sk_buff_head *queue,
3273 			  struct sk_buff *skb)
3274 {
3275 	struct hci_dev *hdev = conn->hdev;
3276 	struct sk_buff *list;
3277 	__u16 flags;
3278 
3279 	skb->len = skb_headlen(skb);
3280 	skb->data_len = 0;
3281 
3282 	hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
3283 
3284 	list = skb_shinfo(skb)->frag_list;
3285 
3286 	flags = hci_iso_flags_pack(list ? ISO_START : ISO_SINGLE, 0x00);
3287 	hci_add_iso_hdr(skb, conn->handle, flags);
3288 
3289 	if (!list) {
3290 		/* Non fragmented */
3291 		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3292 
3293 		skb_queue_tail(queue, skb);
3294 	} else {
3295 		/* Fragmented */
3296 		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3297 
3298 		skb_shinfo(skb)->frag_list = NULL;
3299 
3300 		__skb_queue_tail(queue, skb);
3301 
3302 		do {
3303 			skb = list; list = list->next;
3304 
3305 			hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
3306 			flags = hci_iso_flags_pack(list ? ISO_CONT : ISO_END,
3307 						   0x00);
3308 			hci_add_iso_hdr(skb, conn->handle, flags);
3309 
3310 			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3311 
3312 			__skb_queue_tail(queue, skb);
3313 		} while (list);
3314 	}
3315 }
3316 
3317 void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb)
3318 {
3319 	struct hci_dev *hdev = conn->hdev;
3320 
3321 	BT_DBG("%s len %d", hdev->name, skb->len);
3322 
3323 	hci_queue_iso(conn, &conn->data_q, skb);
3324 
3325 	queue_work(hdev->workqueue, &hdev->tx_work);
3326 }
3327 
3328 /* ---- HCI TX task (outgoing data) ---- */
3329 
3330 /* HCI Connection scheduler */
3331 static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote)
3332 {
3333 	struct hci_dev *hdev;
3334 	int cnt, q;
3335 
3336 	if (!conn) {
3337 		*quote = 0;
3338 		return;
3339 	}
3340 
3341 	hdev = conn->hdev;
3342 
3343 	switch (conn->type) {
3344 	case ACL_LINK:
3345 		cnt = hdev->acl_cnt;
3346 		break;
3347 	case SCO_LINK:
3348 	case ESCO_LINK:
3349 		cnt = hdev->sco_cnt;
3350 		break;
3351 	case LE_LINK:
3352 		cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3353 		break;
3354 	case ISO_LINK:
3355 		cnt = hdev->iso_mtu ? hdev->iso_cnt :
3356 			hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3357 		break;
3358 	default:
3359 		cnt = 0;
3360 		bt_dev_err(hdev, "unknown link type %d", conn->type);
3361 	}
3362 
3363 	q = cnt / num;
3364 	*quote = q ? q : 1;
3365 }
3366 
3367 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3368 				     int *quote)
3369 {
3370 	struct hci_conn_hash *h = &hdev->conn_hash;
3371 	struct hci_conn *conn = NULL, *c;
3372 	unsigned int num = 0, min = ~0;
3373 
3374 	/* We don't have to lock device here. Connections are always
3375 	 * added and removed with TX task disabled. */
3376 
3377 	rcu_read_lock();
3378 
3379 	list_for_each_entry_rcu(c, &h->list, list) {
3380 		if (c->type != type || skb_queue_empty(&c->data_q))
3381 			continue;
3382 
3383 		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3384 			continue;
3385 
3386 		num++;
3387 
3388 		if (c->sent < min) {
3389 			min  = c->sent;
3390 			conn = c;
3391 		}
3392 
3393 		if (hci_conn_num(hdev, type) == num)
3394 			break;
3395 	}
3396 
3397 	rcu_read_unlock();
3398 
3399 	hci_quote_sent(conn, num, quote);
3400 
3401 	BT_DBG("conn %p quote %d", conn, *quote);
3402 	return conn;
3403 }
3404 
3405 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3406 {
3407 	struct hci_conn_hash *h = &hdev->conn_hash;
3408 	struct hci_conn *c;
3409 
3410 	bt_dev_err(hdev, "link tx timeout");
3411 
3412 	rcu_read_lock();
3413 
3414 	/* Kill stalled connections */
3415 	list_for_each_entry_rcu(c, &h->list, list) {
3416 		if (c->type == type && c->sent) {
3417 			bt_dev_err(hdev, "killing stalled connection %pMR",
3418 				   &c->dst);
3419 			/* hci_disconnect might sleep, so, we have to release
3420 			 * the RCU read lock before calling it.
3421 			 */
3422 			rcu_read_unlock();
3423 			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3424 			rcu_read_lock();
3425 		}
3426 	}
3427 
3428 	rcu_read_unlock();
3429 }
3430 
3431 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3432 				      int *quote)
3433 {
3434 	struct hci_conn_hash *h = &hdev->conn_hash;
3435 	struct hci_chan *chan = NULL;
3436 	unsigned int num = 0, min = ~0, cur_prio = 0;
3437 	struct hci_conn *conn;
3438 	int conn_num = 0;
3439 
3440 	BT_DBG("%s", hdev->name);
3441 
3442 	rcu_read_lock();
3443 
3444 	list_for_each_entry_rcu(conn, &h->list, list) {
3445 		struct hci_chan *tmp;
3446 
3447 		if (conn->type != type)
3448 			continue;
3449 
3450 		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3451 			continue;
3452 
3453 		conn_num++;
3454 
3455 		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3456 			struct sk_buff *skb;
3457 
3458 			if (skb_queue_empty(&tmp->data_q))
3459 				continue;
3460 
3461 			skb = skb_peek(&tmp->data_q);
3462 			if (skb->priority < cur_prio)
3463 				continue;
3464 
3465 			if (skb->priority > cur_prio) {
3466 				num = 0;
3467 				min = ~0;
3468 				cur_prio = skb->priority;
3469 			}
3470 
3471 			num++;
3472 
3473 			if (conn->sent < min) {
3474 				min  = conn->sent;
3475 				chan = tmp;
3476 			}
3477 		}
3478 
3479 		if (hci_conn_num(hdev, type) == conn_num)
3480 			break;
3481 	}
3482 
3483 	rcu_read_unlock();
3484 
3485 	if (!chan)
3486 		return NULL;
3487 
3488 	hci_quote_sent(chan->conn, num, quote);
3489 
3490 	BT_DBG("chan %p quote %d", chan, *quote);
3491 	return chan;
3492 }
3493 
3494 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3495 {
3496 	struct hci_conn_hash *h = &hdev->conn_hash;
3497 	struct hci_conn *conn;
3498 	int num = 0;
3499 
3500 	BT_DBG("%s", hdev->name);
3501 
3502 	rcu_read_lock();
3503 
3504 	list_for_each_entry_rcu(conn, &h->list, list) {
3505 		struct hci_chan *chan;
3506 
3507 		if (conn->type != type)
3508 			continue;
3509 
3510 		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3511 			continue;
3512 
3513 		num++;
3514 
3515 		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3516 			struct sk_buff *skb;
3517 
3518 			if (chan->sent) {
3519 				chan->sent = 0;
3520 				continue;
3521 			}
3522 
3523 			if (skb_queue_empty(&chan->data_q))
3524 				continue;
3525 
3526 			skb = skb_peek(&chan->data_q);
3527 			if (skb->priority >= HCI_PRIO_MAX - 1)
3528 				continue;
3529 
3530 			skb->priority = HCI_PRIO_MAX - 1;
3531 
3532 			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3533 			       skb->priority);
3534 		}
3535 
3536 		if (hci_conn_num(hdev, type) == num)
3537 			break;
3538 	}
3539 
3540 	rcu_read_unlock();
3541 
3542 }
3543 
3544 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type)
3545 {
3546 	unsigned long last_tx;
3547 
3548 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
3549 		return;
3550 
3551 	switch (type) {
3552 	case LE_LINK:
3553 		last_tx = hdev->le_last_tx;
3554 		break;
3555 	default:
3556 		last_tx = hdev->acl_last_tx;
3557 		break;
3558 	}
3559 
3560 	/* tx timeout must be longer than maximum link supervision timeout
3561 	 * (40.9 seconds)
3562 	 */
3563 	if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT))
3564 		hci_link_tx_to(hdev, type);
3565 }
3566 
3567 /* Schedule SCO */
3568 static void hci_sched_sco(struct hci_dev *hdev)
3569 {
3570 	struct hci_conn *conn;
3571 	struct sk_buff *skb;
3572 	int quote;
3573 
3574 	BT_DBG("%s", hdev->name);
3575 
3576 	if (!hci_conn_num(hdev, SCO_LINK))
3577 		return;
3578 
3579 	while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3580 		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3581 			BT_DBG("skb %p len %d", skb, skb->len);
3582 			hci_send_frame(hdev, skb);
3583 
3584 			conn->sent++;
3585 			if (conn->sent == ~0)
3586 				conn->sent = 0;
3587 		}
3588 	}
3589 }
3590 
3591 static void hci_sched_esco(struct hci_dev *hdev)
3592 {
3593 	struct hci_conn *conn;
3594 	struct sk_buff *skb;
3595 	int quote;
3596 
3597 	BT_DBG("%s", hdev->name);
3598 
3599 	if (!hci_conn_num(hdev, ESCO_LINK))
3600 		return;
3601 
3602 	while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3603 						     &quote))) {
3604 		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3605 			BT_DBG("skb %p len %d", skb, skb->len);
3606 			hci_send_frame(hdev, skb);
3607 
3608 			conn->sent++;
3609 			if (conn->sent == ~0)
3610 				conn->sent = 0;
3611 		}
3612 	}
3613 }
3614 
3615 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3616 {
3617 	unsigned int cnt = hdev->acl_cnt;
3618 	struct hci_chan *chan;
3619 	struct sk_buff *skb;
3620 	int quote;
3621 
3622 	__check_timeout(hdev, cnt, ACL_LINK);
3623 
3624 	while (hdev->acl_cnt &&
3625 	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3626 		u32 priority = (skb_peek(&chan->data_q))->priority;
3627 		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3628 			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3629 			       skb->len, skb->priority);
3630 
3631 			/* Stop if priority has changed */
3632 			if (skb->priority < priority)
3633 				break;
3634 
3635 			skb = skb_dequeue(&chan->data_q);
3636 
3637 			hci_conn_enter_active_mode(chan->conn,
3638 						   bt_cb(skb)->force_active);
3639 
3640 			hci_send_frame(hdev, skb);
3641 			hdev->acl_last_tx = jiffies;
3642 
3643 			hdev->acl_cnt--;
3644 			chan->sent++;
3645 			chan->conn->sent++;
3646 
3647 			/* Send pending SCO packets right away */
3648 			hci_sched_sco(hdev);
3649 			hci_sched_esco(hdev);
3650 		}
3651 	}
3652 
3653 	if (cnt != hdev->acl_cnt)
3654 		hci_prio_recalculate(hdev, ACL_LINK);
3655 }
3656 
3657 static void hci_sched_acl(struct hci_dev *hdev)
3658 {
3659 	BT_DBG("%s", hdev->name);
3660 
3661 	/* No ACL link over BR/EDR controller */
3662 	if (!hci_conn_num(hdev, ACL_LINK))
3663 		return;
3664 
3665 	hci_sched_acl_pkt(hdev);
3666 }
3667 
3668 static void hci_sched_le(struct hci_dev *hdev)
3669 {
3670 	struct hci_chan *chan;
3671 	struct sk_buff *skb;
3672 	int quote, cnt, tmp;
3673 
3674 	BT_DBG("%s", hdev->name);
3675 
3676 	if (!hci_conn_num(hdev, LE_LINK))
3677 		return;
3678 
3679 	cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3680 
3681 	__check_timeout(hdev, cnt, LE_LINK);
3682 
3683 	tmp = cnt;
3684 	while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3685 		u32 priority = (skb_peek(&chan->data_q))->priority;
3686 		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3687 			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3688 			       skb->len, skb->priority);
3689 
3690 			/* Stop if priority has changed */
3691 			if (skb->priority < priority)
3692 				break;
3693 
3694 			skb = skb_dequeue(&chan->data_q);
3695 
3696 			hci_send_frame(hdev, skb);
3697 			hdev->le_last_tx = jiffies;
3698 
3699 			cnt--;
3700 			chan->sent++;
3701 			chan->conn->sent++;
3702 
3703 			/* Send pending SCO packets right away */
3704 			hci_sched_sco(hdev);
3705 			hci_sched_esco(hdev);
3706 		}
3707 	}
3708 
3709 	if (hdev->le_pkts)
3710 		hdev->le_cnt = cnt;
3711 	else
3712 		hdev->acl_cnt = cnt;
3713 
3714 	if (cnt != tmp)
3715 		hci_prio_recalculate(hdev, LE_LINK);
3716 }
3717 
3718 /* Schedule CIS */
3719 static void hci_sched_iso(struct hci_dev *hdev)
3720 {
3721 	struct hci_conn *conn;
3722 	struct sk_buff *skb;
3723 	int quote, *cnt;
3724 
3725 	BT_DBG("%s", hdev->name);
3726 
3727 	if (!hci_conn_num(hdev, ISO_LINK))
3728 		return;
3729 
3730 	cnt = hdev->iso_pkts ? &hdev->iso_cnt :
3731 		hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;
3732 	while (*cnt && (conn = hci_low_sent(hdev, ISO_LINK, &quote))) {
3733 		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3734 			BT_DBG("skb %p len %d", skb, skb->len);
3735 			hci_send_frame(hdev, skb);
3736 
3737 			conn->sent++;
3738 			if (conn->sent == ~0)
3739 				conn->sent = 0;
3740 			(*cnt)--;
3741 		}
3742 	}
3743 }
3744 
3745 static void hci_tx_work(struct work_struct *work)
3746 {
3747 	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3748 	struct sk_buff *skb;
3749 
3750 	BT_DBG("%s acl %d sco %d le %d iso %d", hdev->name, hdev->acl_cnt,
3751 	       hdev->sco_cnt, hdev->le_cnt, hdev->iso_cnt);
3752 
3753 	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3754 		/* Schedule queues and send stuff to HCI driver */
3755 		hci_sched_sco(hdev);
3756 		hci_sched_esco(hdev);
3757 		hci_sched_iso(hdev);
3758 		hci_sched_acl(hdev);
3759 		hci_sched_le(hdev);
3760 	}
3761 
3762 	/* Send next queued raw (unknown type) packet */
3763 	while ((skb = skb_dequeue(&hdev->raw_q)))
3764 		hci_send_frame(hdev, skb);
3765 }
3766 
3767 /* ----- HCI RX task (incoming data processing) ----- */
3768 
3769 /* ACL data packet */
3770 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3771 {
3772 	struct hci_acl_hdr *hdr = (void *) skb->data;
3773 	struct hci_conn *conn;
3774 	__u16 handle, flags;
3775 
3776 	skb_pull(skb, HCI_ACL_HDR_SIZE);
3777 
3778 	handle = __le16_to_cpu(hdr->handle);
3779 	flags  = hci_flags(handle);
3780 	handle = hci_handle(handle);
3781 
3782 	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3783 	       handle, flags);
3784 
3785 	hdev->stat.acl_rx++;
3786 
3787 	hci_dev_lock(hdev);
3788 	conn = hci_conn_hash_lookup_handle(hdev, handle);
3789 	hci_dev_unlock(hdev);
3790 
3791 	if (conn) {
3792 		hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3793 
3794 		/* Send to upper protocol */
3795 		l2cap_recv_acldata(conn, skb, flags);
3796 		return;
3797 	} else {
3798 		bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
3799 			   handle);
3800 	}
3801 
3802 	kfree_skb(skb);
3803 }
3804 
3805 /* SCO data packet */
3806 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3807 {
3808 	struct hci_sco_hdr *hdr = (void *) skb->data;
3809 	struct hci_conn *conn;
3810 	__u16 handle, flags;
3811 
3812 	skb_pull(skb, HCI_SCO_HDR_SIZE);
3813 
3814 	handle = __le16_to_cpu(hdr->handle);
3815 	flags  = hci_flags(handle);
3816 	handle = hci_handle(handle);
3817 
3818 	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3819 	       handle, flags);
3820 
3821 	hdev->stat.sco_rx++;
3822 
3823 	hci_dev_lock(hdev);
3824 	conn = hci_conn_hash_lookup_handle(hdev, handle);
3825 	hci_dev_unlock(hdev);
3826 
3827 	if (conn) {
3828 		/* Send to upper protocol */
3829 		hci_skb_pkt_status(skb) = flags & 0x03;
3830 		sco_recv_scodata(conn, skb);
3831 		return;
3832 	} else {
3833 		bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d",
3834 				       handle);
3835 	}
3836 
3837 	kfree_skb(skb);
3838 }
3839 
3840 static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3841 {
3842 	struct hci_iso_hdr *hdr;
3843 	struct hci_conn *conn;
3844 	__u16 handle, flags;
3845 
3846 	hdr = skb_pull_data(skb, sizeof(*hdr));
3847 	if (!hdr) {
3848 		bt_dev_err(hdev, "ISO packet too small");
3849 		goto drop;
3850 	}
3851 
3852 	handle = __le16_to_cpu(hdr->handle);
3853 	flags  = hci_flags(handle);
3854 	handle = hci_handle(handle);
3855 
3856 	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3857 		   handle, flags);
3858 
3859 	hci_dev_lock(hdev);
3860 	conn = hci_conn_hash_lookup_handle(hdev, handle);
3861 	hci_dev_unlock(hdev);
3862 
3863 	if (!conn) {
3864 		bt_dev_err(hdev, "ISO packet for unknown connection handle %d",
3865 			   handle);
3866 		goto drop;
3867 	}
3868 
3869 	/* Send to upper protocol */
3870 	iso_recv(conn, skb, flags);
3871 	return;
3872 
3873 drop:
3874 	kfree_skb(skb);
3875 }
3876 
3877 static bool hci_req_is_complete(struct hci_dev *hdev)
3878 {
3879 	struct sk_buff *skb;
3880 
3881 	skb = skb_peek(&hdev->cmd_q);
3882 	if (!skb)
3883 		return true;
3884 
3885 	return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
3886 }
3887 
3888 static void hci_resend_last(struct hci_dev *hdev)
3889 {
3890 	struct hci_command_hdr *sent;
3891 	struct sk_buff *skb;
3892 	u16 opcode;
3893 
3894 	if (!hdev->sent_cmd)
3895 		return;
3896 
3897 	sent = (void *) hdev->sent_cmd->data;
3898 	opcode = __le16_to_cpu(sent->opcode);
3899 	if (opcode == HCI_OP_RESET)
3900 		return;
3901 
3902 	skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3903 	if (!skb)
3904 		return;
3905 
3906 	skb_queue_head(&hdev->cmd_q, skb);
3907 	queue_work(hdev->workqueue, &hdev->cmd_work);
3908 }
3909 
3910 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
3911 			  hci_req_complete_t *req_complete,
3912 			  hci_req_complete_skb_t *req_complete_skb)
3913 {
3914 	struct sk_buff *skb;
3915 	unsigned long flags;
3916 
3917 	BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3918 
3919 	/* If the completed command doesn't match the last one that was
3920 	 * sent we need to do special handling of it.
3921 	 */
3922 	if (!hci_sent_cmd_data(hdev, opcode)) {
3923 		/* Some CSR based controllers generate a spontaneous
3924 		 * reset complete event during init and any pending
3925 		 * command will never be completed. In such a case we
3926 		 * need to resend whatever was the last sent
3927 		 * command.
3928 		 */
3929 		if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
3930 			hci_resend_last(hdev);
3931 
3932 		return;
3933 	}
3934 
3935 	/* If we reach this point this event matches the last command sent */
3936 	hci_dev_clear_flag(hdev, HCI_CMD_PENDING);
3937 
3938 	/* If the command succeeded and there's still more commands in
3939 	 * this request the request is not yet complete.
3940 	 */
3941 	if (!status && !hci_req_is_complete(hdev))
3942 		return;
3943 
3944 	skb = hdev->req_skb;
3945 
3946 	/* If this was the last command in a request the complete
3947 	 * callback would be found in hdev->req_skb instead of the
3948 	 * command queue (hdev->cmd_q).
3949 	 */
3950 	if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) {
3951 		*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
3952 		return;
3953 	}
3954 
3955 	if (skb && bt_cb(skb)->hci.req_complete) {
3956 		*req_complete = bt_cb(skb)->hci.req_complete;
3957 		return;
3958 	}
3959 
3960 	/* Remove all pending commands belonging to this request */
3961 	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3962 	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
3963 		if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
3964 			__skb_queue_head(&hdev->cmd_q, skb);
3965 			break;
3966 		}
3967 
3968 		if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
3969 			*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
3970 		else
3971 			*req_complete = bt_cb(skb)->hci.req_complete;
3972 		dev_kfree_skb_irq(skb);
3973 	}
3974 	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3975 }
3976 
3977 static void hci_rx_work(struct work_struct *work)
3978 {
3979 	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
3980 	struct sk_buff *skb;
3981 
3982 	BT_DBG("%s", hdev->name);
3983 
3984 	/* The kcov_remote functions used for collecting packet parsing
3985 	 * coverage information from this background thread and associate
3986 	 * the coverage with the syscall's thread which originally injected
3987 	 * the packet. This helps fuzzing the kernel.
3988 	 */
3989 	for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
3990 		kcov_remote_start_common(skb_get_kcov_handle(skb));
3991 
3992 		/* Send copy to monitor */
3993 		hci_send_to_monitor(hdev, skb);
3994 
3995 		if (atomic_read(&hdev->promisc)) {
3996 			/* Send copy to the sockets */
3997 			hci_send_to_sock(hdev, skb);
3998 		}
3999 
4000 		/* If the device has been opened in HCI_USER_CHANNEL,
4001 		 * the userspace has exclusive access to device.
4002 		 * When device is HCI_INIT, we still need to process
4003 		 * the data packets to the driver in order
4004 		 * to complete its setup().
4005 		 */
4006 		if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
4007 		    !test_bit(HCI_INIT, &hdev->flags)) {
4008 			kfree_skb(skb);
4009 			continue;
4010 		}
4011 
4012 		if (test_bit(HCI_INIT, &hdev->flags)) {
4013 			/* Don't process data packets in this states. */
4014 			switch (hci_skb_pkt_type(skb)) {
4015 			case HCI_ACLDATA_PKT:
4016 			case HCI_SCODATA_PKT:
4017 			case HCI_ISODATA_PKT:
4018 				kfree_skb(skb);
4019 				continue;
4020 			}
4021 		}
4022 
4023 		/* Process frame */
4024 		switch (hci_skb_pkt_type(skb)) {
4025 		case HCI_EVENT_PKT:
4026 			BT_DBG("%s Event packet", hdev->name);
4027 			hci_event_packet(hdev, skb);
4028 			break;
4029 
4030 		case HCI_ACLDATA_PKT:
4031 			BT_DBG("%s ACL data packet", hdev->name);
4032 			hci_acldata_packet(hdev, skb);
4033 			break;
4034 
4035 		case HCI_SCODATA_PKT:
4036 			BT_DBG("%s SCO data packet", hdev->name);
4037 			hci_scodata_packet(hdev, skb);
4038 			break;
4039 
4040 		case HCI_ISODATA_PKT:
4041 			BT_DBG("%s ISO data packet", hdev->name);
4042 			hci_isodata_packet(hdev, skb);
4043 			break;
4044 
4045 		default:
4046 			kfree_skb(skb);
4047 			break;
4048 		}
4049 	}
4050 }
4051 
4052 static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
4053 {
4054 	int err;
4055 
4056 	bt_dev_dbg(hdev, "skb %p", skb);
4057 
4058 	kfree_skb(hdev->sent_cmd);
4059 
4060 	hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4061 	if (!hdev->sent_cmd) {
4062 		skb_queue_head(&hdev->cmd_q, skb);
4063 		queue_work(hdev->workqueue, &hdev->cmd_work);
4064 		return;
4065 	}
4066 
4067 	err = hci_send_frame(hdev, skb);
4068 	if (err < 0) {
4069 		hci_cmd_sync_cancel_sync(hdev, -err);
4070 		return;
4071 	}
4072 
4073 	if (hci_req_status_pend(hdev) &&
4074 	    !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
4075 		kfree_skb(hdev->req_skb);
4076 		hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4077 	}
4078 
4079 	atomic_dec(&hdev->cmd_cnt);
4080 }
4081 
4082 static void hci_cmd_work(struct work_struct *work)
4083 {
4084 	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4085 	struct sk_buff *skb;
4086 
4087 	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4088 	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4089 
4090 	/* Send queued commands */
4091 	if (atomic_read(&hdev->cmd_cnt)) {
4092 		skb = skb_dequeue(&hdev->cmd_q);
4093 		if (!skb)
4094 			return;
4095 
4096 		hci_send_cmd_sync(hdev, skb);
4097 
4098 		rcu_read_lock();
4099 		if (test_bit(HCI_RESET, &hdev->flags) ||
4100 		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4101 			cancel_delayed_work(&hdev->cmd_timer);
4102 		else
4103 			queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
4104 					   HCI_CMD_TIMEOUT);
4105 		rcu_read_unlock();
4106 	}
4107 }
4108