git.openpandora.org / pandora-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Bluetooth: Add support for custom event terminated commands
[pandora-kernel.git] / net / bluetooth / hci_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2011 ProFUSION Embedded Systems
5
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI core. */
27
28 #include <linux/export.h>
29 #include <linux/idr.h>
30
31 #include <linux/rfkill.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35
36 static void hci_rx_work(struct work_struct *work);
37 static void hci_cmd_work(struct work_struct *work);
38 static void hci_tx_work(struct work_struct *work);
39
40 /* HCI device list */
41 LIST_HEAD(hci_dev_list);
42 DEFINE_RWLOCK(hci_dev_list_lock);
43
44 /* HCI callback list */
45 LIST_HEAD(hci_cb_list);
46 DEFINE_RWLOCK(hci_cb_list_lock);
47
48 /* HCI ID Numbering */
49 static DEFINE_IDA(hci_index_ida);
50
51 /* ---- HCI notifications ---- */
52
53 static void hci_notify(struct hci_dev *hdev, int event)
54 {
55         hci_sock_dev_event(hdev, event);
56 }
57
58 /* ---- HCI requests ---- */
59
60 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
61 {
62         BT_DBG("%s result 0x%2.2x", hdev->name, result);
63
64         if (hdev->req_status == HCI_REQ_PEND) {
65                 hdev->req_result = result;
66                 hdev->req_status = HCI_REQ_DONE;
67                 wake_up_interruptible(&hdev->req_wait_q);
68         }
69 }
70
71 static void hci_req_cancel(struct hci_dev *hdev, int err)
72 {
73         BT_DBG("%s err 0x%2.2x", hdev->name, err);
74
75         if (hdev->req_status == HCI_REQ_PEND) {
76                 hdev->req_result = err;
77                 hdev->req_status = HCI_REQ_CANCELED;
78                 wake_up_interruptible(&hdev->req_wait_q);
79         }
80 }
81
82 struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode)
83 {
84         struct hci_ev_cmd_complete *ev;
85         struct hci_event_hdr *hdr;
86         struct sk_buff *skb;
87
88         hci_dev_lock(hdev);
89
90         skb = hdev->recv_evt;
91         hdev->recv_evt = NULL;
92
93         hci_dev_unlock(hdev);
94
95         if (!skb)
96                 return ERR_PTR(-ENODATA);
97
98         if (skb->len < sizeof(*hdr)) {
99                 BT_ERR("Too short HCI event");
100                 goto failed;
101         }
102
103         hdr = (void *) skb->data;
104         skb_pull(skb, HCI_EVENT_HDR_SIZE);
105
106         if (hdr->evt != HCI_EV_CMD_COMPLETE) {
107                 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
108                 goto failed;
109         }
110
111         if (skb->len < sizeof(*ev)) {
112                 BT_ERR("Too short cmd_complete event");
113                 goto failed;
114         }
115
116         ev = (void *) skb->data;
117         skb_pull(skb, sizeof(*ev));
118
119         if (opcode == __le16_to_cpu(ev->opcode))
120                 return skb;
121
122         BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
123                __le16_to_cpu(ev->opcode));
124
125 failed:
126         kfree_skb(skb);
127         return ERR_PTR(-ENODATA);
128 }
129
130 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
131                                void *param, u32 timeout)
132 {
133         DECLARE_WAITQUEUE(wait, current);
134         struct hci_request req;
135         int err = 0;
136
137         BT_DBG("%s", hdev->name);
138
139         hci_req_init(&req, hdev);
140
141         hci_req_add(&req, opcode, plen, param);
142
143         hdev->req_status = HCI_REQ_PEND;
144
145         err = hci_req_run(&req, hci_req_sync_complete);
146         if (err < 0)
147                 return ERR_PTR(err);
148
149         add_wait_queue(&hdev->req_wait_q, &wait);
150         set_current_state(TASK_INTERRUPTIBLE);
151
152         schedule_timeout(timeout);
153
154         remove_wait_queue(&hdev->req_wait_q, &wait);
155
156         if (signal_pending(current))
157                 return ERR_PTR(-EINTR);
158
159         switch (hdev->req_status) {
160         case HCI_REQ_DONE:
161                 err = -bt_to_errno(hdev->req_result);
162                 break;
163
164         case HCI_REQ_CANCELED:
165                 err = -hdev->req_result;
166                 break;
167
168         default:
169                 err = -ETIMEDOUT;
170                 break;
171         }
172
173         hdev->req_status = hdev->req_result = 0;
174
175         BT_DBG("%s end: err %d", hdev->name, err);
176
177         if (err < 0)
178                 return ERR_PTR(err);
179
180         return hci_get_cmd_complete(hdev, opcode);
181 }
182 EXPORT_SYMBOL(__hci_cmd_sync);
183
184 /* Execute request and wait for completion. */
185 static int __hci_req_sync(struct hci_dev *hdev,
186                           void (*func)(struct hci_request *req,
187                                       unsigned long opt),
188                           unsigned long opt, __u32 timeout)
189 {
190         struct hci_request req;
191         DECLARE_WAITQUEUE(wait, current);
192         int err = 0;
193
194         BT_DBG("%s start", hdev->name);
195
196         hci_req_init(&req, hdev);
197
198         hdev->req_status = HCI_REQ_PEND;
199
200         func(&req, opt);
201
202         err = hci_req_run(&req, hci_req_sync_complete);
203         if (err < 0) {
204                 hdev->req_status = 0;
205
206                 /* ENODATA means the HCI request command queue is empty.
207                  * This can happen when a request with conditionals doesn't
208                  * trigger any commands to be sent. This is normal behavior
209                  * and should not trigger an error return.
210                  */
211                 if (err == -ENODATA)
212                         return 0;
213
214                 return err;
215         }
216
217         add_wait_queue(&hdev->req_wait_q, &wait);
218         set_current_state(TASK_INTERRUPTIBLE);
219
220         schedule_timeout(timeout);
221
222         remove_wait_queue(&hdev->req_wait_q, &wait);
223
224         if (signal_pending(current))
225                 return -EINTR;
226
227         switch (hdev->req_status) {
228         case HCI_REQ_DONE:
229                 err = -bt_to_errno(hdev->req_result);
230                 break;
231
232         case HCI_REQ_CANCELED:
233                 err = -hdev->req_result;
234                 break;
235
236         default:
237                 err = -ETIMEDOUT;
238                 break;
239         }
240
241         hdev->req_status = hdev->req_result = 0;
242
243         BT_DBG("%s end: err %d", hdev->name, err);
244
245         return err;
246 }
247
248 static int hci_req_sync(struct hci_dev *hdev,
249                         void (*req)(struct hci_request *req,
250                                     unsigned long opt),
251                         unsigned long opt, __u32 timeout)
252 {
253         int ret;
254
255         if (!test_bit(HCI_UP, &hdev->flags))
256                 return -ENETDOWN;
257
258         /* Serialize all requests */
259         hci_req_lock(hdev);
260         ret = __hci_req_sync(hdev, req, opt, timeout);
261         hci_req_unlock(hdev);
262
263         return ret;
264 }
265
266 static void hci_reset_req(struct hci_request *req, unsigned long opt)
267 {
268         BT_DBG("%s %ld", req->hdev->name, opt);
269
270         /* Reset device */
271         set_bit(HCI_RESET, &req->hdev->flags);
272         hci_req_add(req, HCI_OP_RESET, 0, NULL);
273 }
274
275 static void bredr_init(struct hci_request *req)
276 {
277         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
278
279         /* Read Local Supported Features */
280         hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
281
282         /* Read Local Version */
283         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
284
285         /* Read BD Address */
286         hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
287 }
288
289 static void amp_init(struct hci_request *req)
290 {
291         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
292
293         /* Read Local Version */
294         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
295
296         /* Read Local AMP Info */
297         hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
298
299         /* Read Data Blk size */
300         hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
301 }
302
303 static void hci_init1_req(struct hci_request *req, unsigned long opt)
304 {
305         struct hci_dev *hdev = req->hdev;
306         struct hci_request init_req;
307         struct sk_buff *skb;
308
309         BT_DBG("%s %ld", hdev->name, opt);
310
311         /* Driver initialization */
312
313         hci_req_init(&init_req, hdev);
314
315         /* Special commands */
316         while ((skb = skb_dequeue(&hdev->driver_init))) {
317                 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
318                 skb->dev = (void *) hdev;
319
320                 if (skb_queue_empty(&init_req.cmd_q))
321                         bt_cb(skb)->req.start = true;
322
323                 skb_queue_tail(&init_req.cmd_q, skb);
324         }
325         skb_queue_purge(&hdev->driver_init);
326
327         hci_req_run(&init_req, NULL);
328
329         /* Reset */
330         if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
331                 hci_reset_req(req, 0);
332
333         switch (hdev->dev_type) {
334         case HCI_BREDR:
335                 bredr_init(req);
336                 break;
337
338         case HCI_AMP:
339                 amp_init(req);
340                 break;
341
342         default:
343                 BT_ERR("Unknown device type %d", hdev->dev_type);
344                 break;
345         }
346 }
347
348 static void bredr_setup(struct hci_request *req)
349 {
350         struct hci_cp_delete_stored_link_key cp;
351         __le16 param;
352         __u8 flt_type;
353
354         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
355         hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
356
357         /* Read Class of Device */
358         hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
359
360         /* Read Local Name */
361         hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
362
363         /* Read Voice Setting */
364         hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
365
366         /* Clear Event Filters */
367         flt_type = HCI_FLT_CLEAR_ALL;
368         hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
369
370         /* Connection accept timeout ~20 secs */
371         param = __constant_cpu_to_le16(0x7d00);
372         hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
373
374         bacpy(&cp.bdaddr, BDADDR_ANY);
375         cp.delete_all = 0x01;
376         hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
377
378         /* Read page scan parameters */
379         if (req->hdev->hci_ver > BLUETOOTH_VER_1_1) {
380                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
381                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
382         }
383 }
384
385 static void le_setup(struct hci_request *req)
386 {
387         /* Read LE Buffer Size */
388         hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
389
390         /* Read LE Local Supported Features */
391         hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
392
393         /* Read LE Advertising Channel TX Power */
394         hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
395
396         /* Read LE White List Size */
397         hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
398
399         /* Read LE Supported States */
400         hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
401 }
402
403 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
404 {
405         if (lmp_ext_inq_capable(hdev))
406                 return 0x02;
407
408         if (lmp_inq_rssi_capable(hdev))
409                 return 0x01;
410
411         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
412             hdev->lmp_subver == 0x0757)
413                 return 0x01;
414
415         if (hdev->manufacturer == 15) {
416                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
417                         return 0x01;
418                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
419                         return 0x01;
420                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
421                         return 0x01;
422         }
423
424         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
425             hdev->lmp_subver == 0x1805)
426                 return 0x01;
427
428         return 0x00;
429 }
430
431 static void hci_setup_inquiry_mode(struct hci_request *req)
432 {
433         u8 mode;
434
435         mode = hci_get_inquiry_mode(req->hdev);
436
437         hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
438 }
439
440 static void hci_setup_event_mask(struct hci_request *req)
441 {
442         struct hci_dev *hdev = req->hdev;
443
444         /* The second byte is 0xff instead of 0x9f (two reserved bits
445          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
446          * command otherwise.
447          */
448         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
449
450         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
451          * any event mask for pre 1.2 devices.
452          */
453         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
454                 return;
455
456         if (lmp_bredr_capable(hdev)) {
457                 events[4] |= 0x01; /* Flow Specification Complete */
458                 events[4] |= 0x02; /* Inquiry Result with RSSI */
459                 events[4] |= 0x04; /* Read Remote Extended Features Complete */
460                 events[5] |= 0x08; /* Synchronous Connection Complete */
461                 events[5] |= 0x10; /* Synchronous Connection Changed */
462         }
463
464         if (lmp_inq_rssi_capable(hdev))
465                 events[4] |= 0x02; /* Inquiry Result with RSSI */
466
467         if (lmp_sniffsubr_capable(hdev))
468                 events[5] |= 0x20; /* Sniff Subrating */
469
470         if (lmp_pause_enc_capable(hdev))
471                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
472
473         if (lmp_ext_inq_capable(hdev))
474                 events[5] |= 0x40; /* Extended Inquiry Result */
475
476         if (lmp_no_flush_capable(hdev))
477                 events[7] |= 0x01; /* Enhanced Flush Complete */
478
479         if (lmp_lsto_capable(hdev))
480                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
481
482         if (lmp_ssp_capable(hdev)) {
483                 events[6] |= 0x01;      /* IO Capability Request */
484                 events[6] |= 0x02;      /* IO Capability Response */
485                 events[6] |= 0x04;      /* User Confirmation Request */
486                 events[6] |= 0x08;      /* User Passkey Request */
487                 events[6] |= 0x10;      /* Remote OOB Data Request */
488                 events[6] |= 0x20;      /* Simple Pairing Complete */
489                 events[7] |= 0x04;      /* User Passkey Notification */
490                 events[7] |= 0x08;      /* Keypress Notification */
491                 events[7] |= 0x10;      /* Remote Host Supported
492                                          * Features Notification
493                                          */
494         }
495
496         if (lmp_le_capable(hdev))
497                 events[7] |= 0x20;      /* LE Meta-Event */
498
499         hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
500
501         if (lmp_le_capable(hdev)) {
502                 memset(events, 0, sizeof(events));
503                 events[0] = 0x1f;
504                 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
505                             sizeof(events), events);
506         }
507 }
508
509 static void hci_init2_req(struct hci_request *req, unsigned long opt)
510 {
511         struct hci_dev *hdev = req->hdev;
512
513         if (lmp_bredr_capable(hdev))
514                 bredr_setup(req);
515
516         if (lmp_le_capable(hdev))
517                 le_setup(req);
518
519         hci_setup_event_mask(req);
520
521         if (hdev->hci_ver > BLUETOOTH_VER_1_1)
522                 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
523
524         if (lmp_ssp_capable(hdev)) {
525                 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
526                         u8 mode = 0x01;
527                         hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
528                                     sizeof(mode), &mode);
529                 } else {
530                         struct hci_cp_write_eir cp;
531
532                         memset(hdev->eir, 0, sizeof(hdev->eir));
533                         memset(&cp, 0, sizeof(cp));
534
535                         hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
536                 }
537         }
538
539         if (lmp_inq_rssi_capable(hdev))
540                 hci_setup_inquiry_mode(req);
541
542         if (lmp_inq_tx_pwr_capable(hdev))
543                 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
544
545         if (lmp_ext_feat_capable(hdev)) {
546                 struct hci_cp_read_local_ext_features cp;
547
548                 cp.page = 0x01;
549                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
550                             sizeof(cp), &cp);
551         }
552
553         if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
554                 u8 enable = 1;
555                 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
556                             &enable);
557         }
558 }
559
560 static void hci_setup_link_policy(struct hci_request *req)
561 {
562         struct hci_dev *hdev = req->hdev;
563         struct hci_cp_write_def_link_policy cp;
564         u16 link_policy = 0;
565
566         if (lmp_rswitch_capable(hdev))
567                 link_policy |= HCI_LP_RSWITCH;
568         if (lmp_hold_capable(hdev))
569                 link_policy |= HCI_LP_HOLD;
570         if (lmp_sniff_capable(hdev))
571                 link_policy |= HCI_LP_SNIFF;
572         if (lmp_park_capable(hdev))
573                 link_policy |= HCI_LP_PARK;
574
575         cp.policy = cpu_to_le16(link_policy);
576         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
577 }
578
579 static void hci_set_le_support(struct hci_request *req)
580 {
581         struct hci_dev *hdev = req->hdev;
582         struct hci_cp_write_le_host_supported cp;
583
584         memset(&cp, 0, sizeof(cp));
585
586         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
587                 cp.le = 0x01;
588                 cp.simul = lmp_le_br_capable(hdev);
589         }
590
591         if (cp.le != lmp_host_le_capable(hdev))
592                 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
593                             &cp);
594 }
595
596 static void hci_init3_req(struct hci_request *req, unsigned long opt)
597 {
598         struct hci_dev *hdev = req->hdev;
599
600         if (hdev->commands[5] & 0x10)
601                 hci_setup_link_policy(req);
602
603         if (lmp_le_capable(hdev)) {
604                 hci_set_le_support(req);
605                 hci_update_ad(req);
606         }
607 }
608
609 static int __hci_init(struct hci_dev *hdev)
610 {
611         int err;
612
613         err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
614         if (err < 0)
615                 return err;
616
617         /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
618          * BR/EDR/LE type controllers. AMP controllers only need the
619          * first stage init.
620          */
621         if (hdev->dev_type != HCI_BREDR)
622                 return 0;
623
624         err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
625         if (err < 0)
626                 return err;
627
628         return __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
629 }
630
631 static void hci_scan_req(struct hci_request *req, unsigned long opt)
632 {
633         __u8 scan = opt;
634
635         BT_DBG("%s %x", req->hdev->name, scan);
636
637         /* Inquiry and Page scans */
638         hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
639 }
640
641 static void hci_auth_req(struct hci_request *req, unsigned long opt)
642 {
643         __u8 auth = opt;
644
645         BT_DBG("%s %x", req->hdev->name, auth);
646
647         /* Authentication */
648         hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
649 }
650
651 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
652 {
653         __u8 encrypt = opt;
654
655         BT_DBG("%s %x", req->hdev->name, encrypt);
656
657         /* Encryption */
658         hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
659 }
660
661 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
662 {
663         __le16 policy = cpu_to_le16(opt);
664
665         BT_DBG("%s %x", req->hdev->name, policy);
666
667         /* Default link policy */
668         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
669 }
670
671 /* Get HCI device by index.
672  * Device is held on return. */
673 struct hci_dev *hci_dev_get(int index)
674 {
675         struct hci_dev *hdev = NULL, *d;
676
677         BT_DBG("%d", index);
678
679         if (index < 0)
680                 return NULL;
681
682         read_lock(&hci_dev_list_lock);
683         list_for_each_entry(d, &hci_dev_list, list) {
684                 if (d->id == index) {
685                         hdev = hci_dev_hold(d);
686                         break;
687                 }
688         }
689         read_unlock(&hci_dev_list_lock);
690         return hdev;
691 }
692
693 /* ---- Inquiry support ---- */
694
695 bool hci_discovery_active(struct hci_dev *hdev)
696 {
697         struct discovery_state *discov = &hdev->discovery;
698
699         switch (discov->state) {
700         case DISCOVERY_FINDING:
701         case DISCOVERY_RESOLVING:
702                 return true;
703
704         default:
705                 return false;
706         }
707 }
708
709 void hci_discovery_set_state(struct hci_dev *hdev, int state)
710 {
711         BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
712
713         if (hdev->discovery.state == state)
714                 return;
715
716         switch (state) {
717         case DISCOVERY_STOPPED:
718                 if (hdev->discovery.state != DISCOVERY_STARTING)
719                         mgmt_discovering(hdev, 0);
720                 break;
721         case DISCOVERY_STARTING:
722                 break;
723         case DISCOVERY_FINDING:
724                 mgmt_discovering(hdev, 1);
725                 break;
726         case DISCOVERY_RESOLVING:
727                 break;
728         case DISCOVERY_STOPPING:
729                 break;
730         }
731
732         hdev->discovery.state = state;
733 }
734
735 static void inquiry_cache_flush(struct hci_dev *hdev)
736 {
737         struct discovery_state *cache = &hdev->discovery;
738         struct inquiry_entry *p, *n;
739
740         list_for_each_entry_safe(p, n, &cache->all, all) {
741                 list_del(&p->all);
742                 kfree(p);
743         }
744
745         INIT_LIST_HEAD(&cache->unknown);
746         INIT_LIST_HEAD(&cache->resolve);
747 }
748
749 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
750                                                bdaddr_t *bdaddr)
751 {
752         struct discovery_state *cache = &hdev->discovery;
753         struct inquiry_entry *e;
754
755         BT_DBG("cache %p, %pMR", cache, bdaddr);
756
757         list_for_each_entry(e, &cache->all, all) {
758                 if (!bacmp(&e->data.bdaddr, bdaddr))
759                         return e;
760         }
761
762         return NULL;
763 }
764
765 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
766                                                        bdaddr_t *bdaddr)
767 {
768         struct discovery_state *cache = &hdev->discovery;
769         struct inquiry_entry *e;
770
771         BT_DBG("cache %p, %pMR", cache, bdaddr);
772
773         list_for_each_entry(e, &cache->unknown, list) {
774                 if (!bacmp(&e->data.bdaddr, bdaddr))
775                         return e;
776         }
777
778         return NULL;
779 }
780
781 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
782                                                        bdaddr_t *bdaddr,
783                                                        int state)
784 {
785         struct discovery_state *cache = &hdev->discovery;
786         struct inquiry_entry *e;
787
788         BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
789
790         list_for_each_entry(e, &cache->resolve, list) {
791                 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
792                         return e;
793                 if (!bacmp(&e->data.bdaddr, bdaddr))
794                         return e;
795         }
796
797         return NULL;
798 }
799
800 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
801                                       struct inquiry_entry *ie)
802 {
803         struct discovery_state *cache = &hdev->discovery;
804         struct list_head *pos = &cache->resolve;
805         struct inquiry_entry *p;
806
807         list_del(&ie->list);
808
809         list_for_each_entry(p, &cache->resolve, list) {
810                 if (p->name_state != NAME_PENDING &&
811                     abs(p->data.rssi) >= abs(ie->data.rssi))
812                         break;
813                 pos = &p->list;
814         }
815
816         list_add(&ie->list, pos);
817 }
818
819 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
820                               bool name_known, bool *ssp)
821 {
822         struct discovery_state *cache = &hdev->discovery;
823         struct inquiry_entry *ie;
824
825         BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
826
827         hci_remove_remote_oob_data(hdev, &data->bdaddr);
828
829         if (ssp)
830                 *ssp = data->ssp_mode;
831
832         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
833         if (ie) {
834                 if (ie->data.ssp_mode && ssp)
835                         *ssp = true;
836
837                 if (ie->name_state == NAME_NEEDED &&
838                     data->rssi != ie->data.rssi) {
839                         ie->data.rssi = data->rssi;
840                         hci_inquiry_cache_update_resolve(hdev, ie);
841                 }
842
843                 goto update;
844         }
845
846         /* Entry not in the cache. Add new one. */
847         ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
848         if (!ie)
849                 return false;
850
851         list_add(&ie->all, &cache->all);
852
853         if (name_known) {
854                 ie->name_state = NAME_KNOWN;
855         } else {
856                 ie->name_state = NAME_NOT_KNOWN;
857                 list_add(&ie->list, &cache->unknown);
858         }
859
860 update:
861         if (name_known && ie->name_state != NAME_KNOWN &&
862             ie->name_state != NAME_PENDING) {
863                 ie->name_state = NAME_KNOWN;
864                 list_del(&ie->list);
865         }
866
867         memcpy(&ie->data, data, sizeof(*data));
868         ie->timestamp = jiffies;
869         cache->timestamp = jiffies;
870
871         if (ie->name_state == NAME_NOT_KNOWN)
872                 return false;
873
874         return true;
875 }
876
877 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
878 {
879         struct discovery_state *cache = &hdev->discovery;
880         struct inquiry_info *info = (struct inquiry_info *) buf;
881         struct inquiry_entry *e;
882         int copied = 0;
883
884         list_for_each_entry(e, &cache->all, all) {
885                 struct inquiry_data *data = &e->data;
886
887                 if (copied >= num)
888                         break;
889
890                 bacpy(&info->bdaddr, &data->bdaddr);
891                 info->pscan_rep_mode    = data->pscan_rep_mode;
892                 info->pscan_period_mode = data->pscan_period_mode;
893                 info->pscan_mode        = data->pscan_mode;
894                 memcpy(info->dev_class, data->dev_class, 3);
895                 info->clock_offset      = data->clock_offset;
896
897                 info++;
898                 copied++;
899         }
900
901         BT_DBG("cache %p, copied %d", cache, copied);
902         return copied;
903 }
904
905 static void hci_inq_req(struct hci_request *req, unsigned long opt)
906 {
907         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
908         struct hci_dev *hdev = req->hdev;
909         struct hci_cp_inquiry cp;
910
911         BT_DBG("%s", hdev->name);
912
913         if (test_bit(HCI_INQUIRY, &hdev->flags))
914                 return;
915
916         /* Start Inquiry */
917         memcpy(&cp.lap, &ir->lap, 3);
918         cp.length  = ir->length;
919         cp.num_rsp = ir->num_rsp;
920         hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
921 }
922
923 static int wait_inquiry(void *word)
924 {
925         schedule();
926         return signal_pending(current);
927 }
928
929 int hci_inquiry(void __user *arg)
930 {
931         __u8 __user *ptr = arg;
932         struct hci_inquiry_req ir;
933         struct hci_dev *hdev;
934         int err = 0, do_inquiry = 0, max_rsp;
935         long timeo;
936         __u8 *buf;
937
938         if (copy_from_user(&ir, ptr, sizeof(ir)))
939                 return -EFAULT;
940
941         hdev = hci_dev_get(ir.dev_id);
942         if (!hdev)
943                 return -ENODEV;
944
945         hci_dev_lock(hdev);
946         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
947             inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
948                 inquiry_cache_flush(hdev);
949                 do_inquiry = 1;
950         }
951         hci_dev_unlock(hdev);
952
953         timeo = ir.length * msecs_to_jiffies(2000);
954
955         if (do_inquiry) {
956                 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
957                                    timeo);
958                 if (err < 0)
959                         goto done;
960
961                 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
962                  * cleared). If it is interrupted by a signal, return -EINTR.
963                  */
964                 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
965                                 TASK_INTERRUPTIBLE))
966                         return -EINTR;
967         }
968
969         /* for unlimited number of responses we will use buffer with
970          * 255 entries
971          */
972         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
973
974         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
975          * copy it to the user space.
976          */
977         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
978         if (!buf) {
979                 err = -ENOMEM;
980                 goto done;
981         }
982
983         hci_dev_lock(hdev);
984         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
985         hci_dev_unlock(hdev);
986
987         BT_DBG("num_rsp %d", ir.num_rsp);
988
989         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
990                 ptr += sizeof(ir);
991                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
992                                  ir.num_rsp))
993                         err = -EFAULT;
994         } else
995                 err = -EFAULT;
996
997         kfree(buf);
998
999 done:
1000         hci_dev_put(hdev);
1001         return err;
1002 }
1003
1004 static u8 create_ad(struct hci_dev *hdev, u8 *ptr)
1005 {
1006         u8 ad_len = 0, flags = 0;
1007         size_t name_len;
1008
1009         if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
1010                 flags |= LE_AD_GENERAL;
1011
1012         if (!lmp_bredr_capable(hdev))
1013                 flags |= LE_AD_NO_BREDR;
1014
1015         if (lmp_le_br_capable(hdev))
1016                 flags |= LE_AD_SIM_LE_BREDR_CTRL;
1017
1018         if (lmp_host_le_br_capable(hdev))
1019                 flags |= LE_AD_SIM_LE_BREDR_HOST;
1020
1021         if (flags) {
1022                 BT_DBG("adv flags 0x%02x", flags);
1023
1024                 ptr[0] = 2;
1025                 ptr[1] = EIR_FLAGS;
1026                 ptr[2] = flags;
1027
1028                 ad_len += 3;
1029                 ptr += 3;
1030         }
1031
1032         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
1033                 ptr[0] = 2;
1034                 ptr[1] = EIR_TX_POWER;
1035                 ptr[2] = (u8) hdev->adv_tx_power;
1036
1037                 ad_len += 3;
1038                 ptr += 3;
1039         }
1040
1041         name_len = strlen(hdev->dev_name);
1042         if (name_len > 0) {
1043                 size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
1044
1045                 if (name_len > max_len) {
1046                         name_len = max_len;
1047                         ptr[1] = EIR_NAME_SHORT;
1048                 } else
1049                         ptr[1] = EIR_NAME_COMPLETE;
1050
1051                 ptr[0] = name_len + 1;
1052
1053                 memcpy(ptr + 2, hdev->dev_name, name_len);
1054
1055                 ad_len += (name_len + 2);
1056                 ptr += (name_len + 2);
1057         }
1058
1059         return ad_len;
1060 }
1061
1062 void hci_update_ad(struct hci_request *req)
1063 {
1064         struct hci_dev *hdev = req->hdev;
1065         struct hci_cp_le_set_adv_data cp;
1066         u8 len;
1067
1068         if (!lmp_le_capable(hdev))
1069                 return;
1070
1071         memset(&cp, 0, sizeof(cp));
1072
1073         len = create_ad(hdev, cp.data);
1074
1075         if (hdev->adv_data_len == len &&
1076             memcmp(cp.data, hdev->adv_data, len) == 0)
1077                 return;
1078
1079         memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
1080         hdev->adv_data_len = len;
1081
1082         cp.length = len;
1083
1084         hci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
1085 }
1086
1087 /* ---- HCI ioctl helpers ---- */
1088
1089 int hci_dev_open(__u16 dev)
1090 {
1091         struct hci_dev *hdev;
1092         int ret = 0;
1093
1094         hdev = hci_dev_get(dev);
1095         if (!hdev)
1096                 return -ENODEV;
1097
1098         BT_DBG("%s %p", hdev->name, hdev);
1099
1100         hci_req_lock(hdev);
1101
1102         if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1103                 ret = -ENODEV;
1104                 goto done;
1105         }
1106
1107         if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
1108                 ret = -ERFKILL;
1109                 goto done;
1110         }
1111
1112         if (test_bit(HCI_UP, &hdev->flags)) {
1113                 ret = -EALREADY;
1114                 goto done;
1115         }
1116
1117         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1118                 set_bit(HCI_RAW, &hdev->flags);
1119
1120         /* Treat all non BR/EDR controllers as raw devices if
1121            enable_hs is not set */
1122         if (hdev->dev_type != HCI_BREDR && !enable_hs)
1123                 set_bit(HCI_RAW, &hdev->flags);
1124
1125         if (hdev->open(hdev)) {
1126                 ret = -EIO;
1127                 goto done;
1128         }
1129
1130         if (!test_bit(HCI_RAW, &hdev->flags)) {
1131                 atomic_set(&hdev->cmd_cnt, 1);
1132                 set_bit(HCI_INIT, &hdev->flags);
1133                 ret = __hci_init(hdev);
1134                 clear_bit(HCI_INIT, &hdev->flags);
1135         }
1136
1137         if (!ret) {
1138                 hci_dev_hold(hdev);
1139                 set_bit(HCI_UP, &hdev->flags);
1140                 hci_notify(hdev, HCI_DEV_UP);
1141                 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1142                     mgmt_valid_hdev(hdev)) {
1143                         hci_dev_lock(hdev);
1144                         mgmt_powered(hdev, 1);
1145                         hci_dev_unlock(hdev);
1146                 }
1147         } else {
1148                 /* Init failed, cleanup */
1149                 flush_work(&hdev->tx_work);
1150                 flush_work(&hdev->cmd_work);
1151                 flush_work(&hdev->rx_work);
1152
1153                 skb_queue_purge(&hdev->cmd_q);
1154                 skb_queue_purge(&hdev->rx_q);
1155
1156                 if (hdev->flush)
1157                         hdev->flush(hdev);
1158
1159                 if (hdev->sent_cmd) {
1160                         kfree_skb(hdev->sent_cmd);
1161                         hdev->sent_cmd = NULL;
1162                 }
1163
1164                 hdev->close(hdev);
1165                 hdev->flags = 0;
1166         }
1167
1168 done:
1169         hci_req_unlock(hdev);
1170         hci_dev_put(hdev);
1171         return ret;
1172 }
1173
1174 static int hci_dev_do_close(struct hci_dev *hdev)
1175 {
1176         BT_DBG("%s %p", hdev->name, hdev);
1177
1178         cancel_work_sync(&hdev->le_scan);
1179
1180         cancel_delayed_work(&hdev->power_off);
1181
1182         hci_req_cancel(hdev, ENODEV);
1183         hci_req_lock(hdev);
1184
1185         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1186                 del_timer_sync(&hdev->cmd_timer);
1187                 hci_req_unlock(hdev);
1188                 return 0;
1189         }
1190
1191         /* Flush RX and TX works */
1192         flush_work(&hdev->tx_work);
1193         flush_work(&hdev->rx_work);
1194
1195         if (hdev->discov_timeout > 0) {
1196                 cancel_delayed_work(&hdev->discov_off);
1197                 hdev->discov_timeout = 0;
1198                 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1199         }
1200
1201         if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1202                 cancel_delayed_work(&hdev->service_cache);
1203
1204         cancel_delayed_work_sync(&hdev->le_scan_disable);
1205
1206         hci_dev_lock(hdev);
1207         inquiry_cache_flush(hdev);
1208         hci_conn_hash_flush(hdev);
1209         hci_dev_unlock(hdev);
1210
1211         hci_notify(hdev, HCI_DEV_DOWN);
1212
1213         if (hdev->flush)
1214                 hdev->flush(hdev);
1215
1216         /* Reset device */
1217         skb_queue_purge(&hdev->cmd_q);
1218         atomic_set(&hdev->cmd_cnt, 1);
1219         if (!test_bit(HCI_RAW, &hdev->flags) &&
1220             test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1221                 set_bit(HCI_INIT, &hdev->flags);
1222                 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1223                 clear_bit(HCI_INIT, &hdev->flags);
1224         }
1225
1226         /* flush cmd  work */
1227         flush_work(&hdev->cmd_work);
1228
1229         /* Drop queues */
1230         skb_queue_purge(&hdev->rx_q);
1231         skb_queue_purge(&hdev->cmd_q);
1232         skb_queue_purge(&hdev->raw_q);
1233
1234         /* Drop last sent command */
1235         if (hdev->sent_cmd) {
1236                 del_timer_sync(&hdev->cmd_timer);
1237                 kfree_skb(hdev->sent_cmd);
1238                 hdev->sent_cmd = NULL;
1239         }
1240
1241         kfree_skb(hdev->recv_evt);
1242         hdev->recv_evt = NULL;
1243
1244         /* After this point our queues are empty
1245          * and no tasks are scheduled. */
1246         hdev->close(hdev);
1247
1248         /* Clear flags */
1249         hdev->flags = 0;
1250         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
1251
1252         if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1253             mgmt_valid_hdev(hdev)) {
1254                 hci_dev_lock(hdev);
1255                 mgmt_powered(hdev, 0);
1256                 hci_dev_unlock(hdev);
1257         }
1258
1259         /* Controller radio is available but is currently powered down */
1260         hdev->amp_status = 0;
1261
1262         memset(hdev->eir, 0, sizeof(hdev->eir));
1263         memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1264
1265         hci_req_unlock(hdev);
1266
1267         hci_dev_put(hdev);
1268         return 0;
1269 }
1270
1271 int hci_dev_close(__u16 dev)
1272 {
1273         struct hci_dev *hdev;
1274         int err;
1275
1276         hdev = hci_dev_get(dev);
1277         if (!hdev)
1278                 return -ENODEV;
1279
1280         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1281                 cancel_delayed_work(&hdev->power_off);
1282
1283         err = hci_dev_do_close(hdev);
1284
1285         hci_dev_put(hdev);
1286         return err;
1287 }
1288
1289 int hci_dev_reset(__u16 dev)
1290 {
1291         struct hci_dev *hdev;
1292         int ret = 0;
1293
1294         hdev = hci_dev_get(dev);
1295         if (!hdev)
1296                 return -ENODEV;
1297
1298         hci_req_lock(hdev);
1299
1300         if (!test_bit(HCI_UP, &hdev->flags))
1301                 goto done;
1302
1303         /* Drop queues */
1304         skb_queue_purge(&hdev->rx_q);
1305         skb_queue_purge(&hdev->cmd_q);
1306
1307         hci_dev_lock(hdev);
1308         inquiry_cache_flush(hdev);
1309         hci_conn_hash_flush(hdev);
1310         hci_dev_unlock(hdev);
1311
1312         if (hdev->flush)
1313                 hdev->flush(hdev);
1314
1315         atomic_set(&hdev->cmd_cnt, 1);
1316         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1317
1318         if (!test_bit(HCI_RAW, &hdev->flags))
1319                 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
1320
1321 done:
1322         hci_req_unlock(hdev);
1323         hci_dev_put(hdev);
1324         return ret;
1325 }
1326
1327 int hci_dev_reset_stat(__u16 dev)
1328 {
1329         struct hci_dev *hdev;
1330         int ret = 0;
1331
1332         hdev = hci_dev_get(dev);
1333         if (!hdev)
1334                 return -ENODEV;
1335
1336         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1337
1338         hci_dev_put(hdev);
1339
1340         return ret;
1341 }
1342
1343 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1344 {
1345         struct hci_dev *hdev;
1346         struct hci_dev_req dr;
1347         int err = 0;
1348
1349         if (copy_from_user(&dr, arg, sizeof(dr)))
1350                 return -EFAULT;
1351
1352         hdev = hci_dev_get(dr.dev_id);
1353         if (!hdev)
1354                 return -ENODEV;
1355
1356         switch (cmd) {
1357         case HCISETAUTH:
1358                 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1359                                    HCI_INIT_TIMEOUT);
1360                 break;
1361
1362         case HCISETENCRYPT:
1363                 if (!lmp_encrypt_capable(hdev)) {
1364                         err = -EOPNOTSUPP;
1365                         break;
1366                 }
1367
1368                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1369                         /* Auth must be enabled first */
1370                         err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1371                                            HCI_INIT_TIMEOUT);
1372                         if (err)
1373                                 break;
1374                 }
1375
1376                 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1377                                    HCI_INIT_TIMEOUT);
1378                 break;
1379
1380         case HCISETSCAN:
1381                 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1382                                    HCI_INIT_TIMEOUT);
1383                 break;
1384
1385         case HCISETLINKPOL:
1386                 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1387                                    HCI_INIT_TIMEOUT);
1388                 break;
1389
1390         case HCISETLINKMODE:
1391                 hdev->link_mode = ((__u16) dr.dev_opt) &
1392                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
1393                 break;
1394
1395         case HCISETPTYPE:
1396                 hdev->pkt_type = (__u16) dr.dev_opt;
1397                 break;
1398
1399         case HCISETACLMTU:
1400                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
1401                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1402                 break;
1403
1404         case HCISETSCOMTU:
1405                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
1406                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1407                 break;
1408
1409         default:
1410                 err = -EINVAL;
1411                 break;
1412         }
1413
1414         hci_dev_put(hdev);
1415         return err;
1416 }
1417
1418 int hci_get_dev_list(void __user *arg)
1419 {
1420         struct hci_dev *hdev;
1421         struct hci_dev_list_req *dl;
1422         struct hci_dev_req *dr;
1423         int n = 0, size, err;
1424         __u16 dev_num;
1425
1426         if (get_user(dev_num, (__u16 __user *) arg))
1427                 return -EFAULT;
1428
1429         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1430                 return -EINVAL;
1431
1432         size = sizeof(*dl) + dev_num * sizeof(*dr);
1433
1434         dl = kzalloc(size, GFP_KERNEL);
1435         if (!dl)
1436                 return -ENOMEM;
1437
1438         dr = dl->dev_req;
1439
1440         read_lock(&hci_dev_list_lock);
1441         list_for_each_entry(hdev, &hci_dev_list, list) {
1442                 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1443                         cancel_delayed_work(&hdev->power_off);
1444
1445                 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1446                         set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1447
1448                 (dr + n)->dev_id  = hdev->id;
1449                 (dr + n)->dev_opt = hdev->flags;
1450
1451                 if (++n >= dev_num)
1452                         break;
1453         }
1454         read_unlock(&hci_dev_list_lock);
1455
1456         dl->dev_num = n;
1457         size = sizeof(*dl) + n * sizeof(*dr);
1458
1459         err = copy_to_user(arg, dl, size);
1460         kfree(dl);
1461
1462         return err ? -EFAULT : 0;
1463 }
1464
1465 int hci_get_dev_info(void __user *arg)
1466 {
1467         struct hci_dev *hdev;
1468         struct hci_dev_info di;
1469         int err = 0;
1470
1471         if (copy_from_user(&di, arg, sizeof(di)))
1472                 return -EFAULT;
1473
1474         hdev = hci_dev_get(di.dev_id);
1475         if (!hdev)
1476                 return -ENODEV;
1477
1478         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1479                 cancel_delayed_work_sync(&hdev->power_off);
1480
1481         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1482                 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1483
1484         strcpy(di.name, hdev->name);
1485         di.bdaddr   = hdev->bdaddr;
1486         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
1487         di.flags    = hdev->flags;
1488         di.pkt_type = hdev->pkt_type;
1489         if (lmp_bredr_capable(hdev)) {
1490                 di.acl_mtu  = hdev->acl_mtu;
1491                 di.acl_pkts = hdev->acl_pkts;
1492                 di.sco_mtu  = hdev->sco_mtu;
1493                 di.sco_pkts = hdev->sco_pkts;
1494         } else {
1495                 di.acl_mtu  = hdev->le_mtu;
1496                 di.acl_pkts = hdev->le_pkts;
1497                 di.sco_mtu  = 0;
1498                 di.sco_pkts = 0;
1499         }
1500         di.link_policy = hdev->link_policy;
1501         di.link_mode   = hdev->link_mode;
1502
1503         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1504         memcpy(&di.features, &hdev->features, sizeof(di.features));
1505
1506         if (copy_to_user(arg, &di, sizeof(di)))
1507                 err = -EFAULT;
1508
1509         hci_dev_put(hdev);
1510
1511         return err;
1512 }
1513
1514 /* ---- Interface to HCI drivers ---- */
1515
1516 static int hci_rfkill_set_block(void *data, bool blocked)
1517 {
1518         struct hci_dev *hdev = data;
1519
1520         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1521
1522         if (!blocked)
1523                 return 0;
1524
1525         hci_dev_do_close(hdev);
1526
1527         return 0;
1528 }
1529
1530 static const struct rfkill_ops hci_rfkill_ops = {
1531         .set_block = hci_rfkill_set_block,
1532 };
1533
1534 static void hci_power_on(struct work_struct *work)
1535 {
1536         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
1537
1538         BT_DBG("%s", hdev->name);
1539
1540         if (hci_dev_open(hdev->id) < 0)
1541                 return;
1542
1543         if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1544                 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1545                                    HCI_AUTO_OFF_TIMEOUT);
1546
1547         if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
1548                 mgmt_index_added(hdev);
1549 }
1550
1551 static void hci_power_off(struct work_struct *work)
1552 {
1553         struct hci_dev *hdev = container_of(work, struct hci_dev,
1554                                             power_off.work);
1555
1556         BT_DBG("%s", hdev->name);
1557
1558         hci_dev_do_close(hdev);
1559 }
1560
1561 static void hci_discov_off(struct work_struct *work)
1562 {
1563         struct hci_dev *hdev;
1564         u8 scan = SCAN_PAGE;
1565
1566         hdev = container_of(work, struct hci_dev, discov_off.work);
1567
1568         BT_DBG("%s", hdev->name);
1569
1570         hci_dev_lock(hdev);
1571
1572         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1573
1574         hdev->discov_timeout = 0;
1575
1576         hci_dev_unlock(hdev);
1577 }
1578
1579 int hci_uuids_clear(struct hci_dev *hdev)
1580 {
1581         struct bt_uuid *uuid, *tmp;
1582
1583         list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1584                 list_del(&uuid->list);
1585                 kfree(uuid);
1586         }
1587
1588         return 0;
1589 }
1590
1591 int hci_link_keys_clear(struct hci_dev *hdev)
1592 {
1593         struct list_head *p, *n;
1594
1595         list_for_each_safe(p, n, &hdev->link_keys) {
1596                 struct link_key *key;
1597
1598                 key = list_entry(p, struct link_key, list);
1599
1600                 list_del(p);
1601                 kfree(key);
1602         }
1603
1604         return 0;
1605 }
1606
1607 int hci_smp_ltks_clear(struct hci_dev *hdev)
1608 {
1609         struct smp_ltk *k, *tmp;
1610
1611         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1612                 list_del(&k->list);
1613                 kfree(k);
1614         }
1615
1616         return 0;
1617 }
1618
1619 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1620 {
1621         struct link_key *k;
1622
1623         list_for_each_entry(k, &hdev->link_keys, list)
1624                 if (bacmp(bdaddr, &k->bdaddr) == 0)
1625                         return k;
1626
1627         return NULL;
1628 }
1629
1630 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1631                                u8 key_type, u8 old_key_type)
1632 {
1633         /* Legacy key */
1634         if (key_type < 0x03)
1635                 return true;
1636
1637         /* Debug keys are insecure so don't store them persistently */
1638         if (key_type == HCI_LK_DEBUG_COMBINATION)
1639                 return false;
1640
1641         /* Changed combination key and there's no previous one */
1642         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1643                 return false;
1644
1645         /* Security mode 3 case */
1646         if (!conn)
1647                 return true;
1648
1649         /* Neither local nor remote side had no-bonding as requirement */
1650         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1651                 return true;
1652
1653         /* Local side had dedicated bonding as requirement */
1654         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1655                 return true;
1656
1657         /* Remote side had dedicated bonding as requirement */
1658         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1659                 return true;
1660
1661         /* If none of the above criteria match, then don't store the key
1662          * persistently */
1663         return false;
1664 }
1665
1666 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1667 {
1668         struct smp_ltk *k;
1669
1670         list_for_each_entry(k, &hdev->long_term_keys, list) {
1671                 if (k->ediv != ediv ||
1672                     memcmp(rand, k->rand, sizeof(k->rand)))
1673                         continue;
1674
1675                 return k;
1676         }
1677
1678         return NULL;
1679 }
1680
1681 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1682                                      u8 addr_type)
1683 {
1684         struct smp_ltk *k;
1685
1686         list_for_each_entry(k, &hdev->long_term_keys, list)
1687                 if (addr_type == k->bdaddr_type &&
1688                     bacmp(bdaddr, &k->bdaddr) == 0)
1689                         return k;
1690
1691         return NULL;
1692 }
1693
1694 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1695                      bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1696 {
1697         struct link_key *key, *old_key;
1698         u8 old_key_type;
1699         bool persistent;
1700
1701         old_key = hci_find_link_key(hdev, bdaddr);
1702         if (old_key) {
1703                 old_key_type = old_key->type;
1704                 key = old_key;
1705         } else {
1706                 old_key_type = conn ? conn->key_type : 0xff;
1707                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1708                 if (!key)
1709                         return -ENOMEM;
1710                 list_add(&key->list, &hdev->link_keys);
1711         }
1712
1713         BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1714
1715         /* Some buggy controller combinations generate a changed
1716          * combination key for legacy pairing even when there's no
1717          * previous key */
1718         if (type == HCI_LK_CHANGED_COMBINATION &&
1719             (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1720                 type = HCI_LK_COMBINATION;
1721                 if (conn)
1722                         conn->key_type = type;
1723         }
1724
1725         bacpy(&key->bdaddr, bdaddr);
1726         memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1727         key->pin_len = pin_len;
1728
1729         if (type == HCI_LK_CHANGED_COMBINATION)
1730                 key->type = old_key_type;
1731         else
1732                 key->type = type;
1733
1734         if (!new_key)
1735                 return 0;
1736
1737         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1738
1739         mgmt_new_link_key(hdev, key, persistent);
1740
1741         if (conn)
1742                 conn->flush_key = !persistent;
1743
1744         return 0;
1745 }
1746
1747 int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
1748                 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
1749                 ediv, u8 rand[8])
1750 {
1751         struct smp_ltk *key, *old_key;
1752
1753         if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
1754                 return 0;
1755
1756         old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
1757         if (old_key)
1758                 key = old_key;
1759         else {
1760                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1761                 if (!key)
1762                         return -ENOMEM;
1763                 list_add(&key->list, &hdev->long_term_keys);
1764         }
1765
1766         bacpy(&key->bdaddr, bdaddr);
1767         key->bdaddr_type = addr_type;
1768         memcpy(key->val, tk, sizeof(key->val));
1769         key->authenticated = authenticated;
1770         key->ediv = ediv;
1771         key->enc_size = enc_size;
1772         key->type = type;
1773         memcpy(key->rand, rand, sizeof(key->rand));
1774
1775         if (!new_key)
1776                 return 0;
1777
1778         if (type & HCI_SMP_LTK)
1779                 mgmt_new_ltk(hdev, key, 1);
1780
1781         return 0;
1782 }
1783
1784 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1785 {
1786         struct link_key *key;
1787
1788         key = hci_find_link_key(hdev, bdaddr);
1789         if (!key)
1790                 return -ENOENT;
1791
1792         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1793
1794         list_del(&key->list);
1795         kfree(key);
1796
1797         return 0;
1798 }
1799
1800 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
1801 {
1802         struct smp_ltk *k, *tmp;
1803
1804         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1805                 if (bacmp(bdaddr, &k->bdaddr))
1806                         continue;
1807
1808                 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1809
1810                 list_del(&k->list);
1811                 kfree(k);
1812         }
1813
1814         return 0;
1815 }
1816
1817 /* HCI command timer function */
1818 static void hci_cmd_timeout(unsigned long arg)
1819 {
1820         struct hci_dev *hdev = (void *) arg;
1821
1822         if (hdev->sent_cmd) {
1823                 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
1824                 u16 opcode = __le16_to_cpu(sent->opcode);
1825
1826                 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
1827         } else {
1828                 BT_ERR("%s command tx timeout", hdev->name);
1829         }
1830
1831         atomic_set(&hdev->cmd_cnt, 1);
1832         queue_work(hdev->workqueue, &hdev->cmd_work);
1833 }
1834
1835 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1836                                           bdaddr_t *bdaddr)
1837 {
1838         struct oob_data *data;
1839
1840         list_for_each_entry(data, &hdev->remote_oob_data, list)
1841                 if (bacmp(bdaddr, &data->bdaddr) == 0)
1842                         return data;
1843
1844         return NULL;
1845 }
1846
1847 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1848 {
1849         struct oob_data *data;
1850
1851         data = hci_find_remote_oob_data(hdev, bdaddr);
1852         if (!data)
1853                 return -ENOENT;
1854
1855         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1856
1857         list_del(&data->list);
1858         kfree(data);
1859
1860         return 0;
1861 }
1862
1863 int hci_remote_oob_data_clear(struct hci_dev *hdev)
1864 {
1865         struct oob_data *data, *n;
1866
1867         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1868                 list_del(&data->list);
1869                 kfree(data);
1870         }
1871
1872         return 0;
1873 }
1874
1875 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1876                             u8 *randomizer)
1877 {
1878         struct oob_data *data;
1879
1880         data = hci_find_remote_oob_data(hdev, bdaddr);
1881
1882         if (!data) {
1883                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1884                 if (!data)
1885                         return -ENOMEM;
1886
1887                 bacpy(&data->bdaddr, bdaddr);
1888                 list_add(&data->list, &hdev->remote_oob_data);
1889         }
1890
1891         memcpy(data->hash, hash, sizeof(data->hash));
1892         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1893
1894         BT_DBG("%s for %pMR", hdev->name, bdaddr);
1895
1896         return 0;
1897 }
1898
1899 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
1900 {
1901         struct bdaddr_list *b;
1902
1903         list_for_each_entry(b, &hdev->blacklist, list)
1904                 if (bacmp(bdaddr, &b->bdaddr) == 0)
1905                         return b;
1906
1907         return NULL;
1908 }
1909
1910 int hci_blacklist_clear(struct hci_dev *hdev)
1911 {
1912         struct list_head *p, *n;
1913
1914         list_for_each_safe(p, n, &hdev->blacklist) {
1915                 struct bdaddr_list *b;
1916
1917                 b = list_entry(p, struct bdaddr_list, list);
1918
1919                 list_del(p);
1920                 kfree(b);
1921         }
1922
1923         return 0;
1924 }
1925
1926 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1927 {
1928         struct bdaddr_list *entry;
1929
1930         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1931                 return -EBADF;
1932
1933         if (hci_blacklist_lookup(hdev, bdaddr))
1934                 return -EEXIST;
1935
1936         entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1937         if (!entry)
1938                 return -ENOMEM;
1939
1940         bacpy(&entry->bdaddr, bdaddr);
1941
1942         list_add(&entry->list, &hdev->blacklist);
1943
1944         return mgmt_device_blocked(hdev, bdaddr, type);
1945 }
1946
1947 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1948 {
1949         struct bdaddr_list *entry;
1950
1951         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1952                 return hci_blacklist_clear(hdev);
1953
1954         entry = hci_blacklist_lookup(hdev, bdaddr);
1955         if (!entry)
1956                 return -ENOENT;
1957
1958         list_del(&entry->list);
1959         kfree(entry);
1960
1961         return mgmt_device_unblocked(hdev, bdaddr, type);
1962 }
1963
1964 static void le_scan_param_req(struct hci_request *req, unsigned long opt)
1965 {
1966         struct le_scan_params *param =  (struct le_scan_params *) opt;
1967         struct hci_cp_le_set_scan_param cp;
1968
1969         memset(&cp, 0, sizeof(cp));
1970         cp.type = param->type;
1971         cp.interval = cpu_to_le16(param->interval);
1972         cp.window = cpu_to_le16(param->window);
1973
1974         hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(cp), &cp);
1975 }
1976
1977 static void le_scan_enable_req(struct hci_request *req, unsigned long opt)
1978 {
1979         struct hci_cp_le_set_scan_enable cp;
1980
1981         memset(&cp, 0, sizeof(cp));
1982         cp.enable = 1;
1983         cp.filter_dup = 1;
1984
1985         hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
1986 }
1987
1988 static int hci_do_le_scan(struct hci_dev *hdev, u8 type, u16 interval,
1989                           u16 window, int timeout)
1990 {
1991         long timeo = msecs_to_jiffies(3000);
1992         struct le_scan_params param;
1993         int err;
1994
1995         BT_DBG("%s", hdev->name);
1996
1997         if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
1998                 return -EINPROGRESS;
1999
2000         param.type = type;
2001         param.interval = interval;
2002         param.window = window;
2003
2004         hci_req_lock(hdev);
2005
2006         err = __hci_req_sync(hdev, le_scan_param_req, (unsigned long) &param,
2007                              timeo);
2008         if (!err)
2009                 err = __hci_req_sync(hdev, le_scan_enable_req, 0, timeo);
2010
2011         hci_req_unlock(hdev);
2012
2013         if (err < 0)
2014                 return err;
2015
2016         queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable,
2017                            msecs_to_jiffies(timeout));
2018
2019         return 0;
2020 }
2021
2022 int hci_cancel_le_scan(struct hci_dev *hdev)
2023 {
2024         BT_DBG("%s", hdev->name);
2025
2026         if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
2027                 return -EALREADY;
2028
2029         if (cancel_delayed_work(&hdev->le_scan_disable)) {
2030                 struct hci_cp_le_set_scan_enable cp;
2031
2032                 /* Send HCI command to disable LE Scan */
2033                 memset(&cp, 0, sizeof(cp));
2034                 hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2035         }
2036
2037         return 0;
2038 }
2039
2040 static void le_scan_disable_work(struct work_struct *work)
2041 {
2042         struct hci_dev *hdev = container_of(work, struct hci_dev,
2043                                             le_scan_disable.work);
2044         struct hci_cp_le_set_scan_enable cp;
2045
2046         BT_DBG("%s", hdev->name);
2047
2048         memset(&cp, 0, sizeof(cp));
2049
2050         hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2051 }
2052
2053 static void le_scan_work(struct work_struct *work)
2054 {
2055         struct hci_dev *hdev = container_of(work, struct hci_dev, le_scan);
2056         struct le_scan_params *param = &hdev->le_scan_params;
2057
2058         BT_DBG("%s", hdev->name);
2059
2060         hci_do_le_scan(hdev, param->type, param->interval, param->window,
2061                        param->timeout);
2062 }
2063
2064 int hci_le_scan(struct hci_dev *hdev, u8 type, u16 interval, u16 window,
2065                 int timeout)
2066 {
2067         struct le_scan_params *param = &hdev->le_scan_params;
2068
2069         BT_DBG("%s", hdev->name);
2070
2071         if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
2072                 return -ENOTSUPP;
2073
2074         if (work_busy(&hdev->le_scan))
2075                 return -EINPROGRESS;
2076
2077         param->type = type;
2078         param->interval = interval;
2079         param->window = window;
2080         param->timeout = timeout;
2081
2082         queue_work(system_long_wq, &hdev->le_scan);
2083
2084         return 0;
2085 }
2086
2087 /* Alloc HCI device */
2088 struct hci_dev *hci_alloc_dev(void)
2089 {
2090         struct hci_dev *hdev;
2091
2092         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
2093         if (!hdev)
2094                 return NULL;
2095
2096         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2097         hdev->esco_type = (ESCO_HV1);
2098         hdev->link_mode = (HCI_LM_ACCEPT);
2099         hdev->io_capability = 0x03; /* No Input No Output */
2100         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2101         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2102
2103         hdev->sniff_max_interval = 800;
2104         hdev->sniff_min_interval = 80;
2105
2106         mutex_init(&hdev->lock);
2107         mutex_init(&hdev->req_lock);
2108
2109         INIT_LIST_HEAD(&hdev->mgmt_pending);
2110         INIT_LIST_HEAD(&hdev->blacklist);
2111         INIT_LIST_HEAD(&hdev->uuids);
2112         INIT_LIST_HEAD(&hdev->link_keys);
2113         INIT_LIST_HEAD(&hdev->long_term_keys);
2114         INIT_LIST_HEAD(&hdev->remote_oob_data);
2115         INIT_LIST_HEAD(&hdev->conn_hash.list);
2116
2117         INIT_WORK(&hdev->rx_work, hci_rx_work);
2118         INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2119         INIT_WORK(&hdev->tx_work, hci_tx_work);
2120         INIT_WORK(&hdev->power_on, hci_power_on);
2121         INIT_WORK(&hdev->le_scan, le_scan_work);
2122
2123         INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2124         INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2125         INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2126
2127         skb_queue_head_init(&hdev->driver_init);
2128         skb_queue_head_init(&hdev->rx_q);
2129         skb_queue_head_init(&hdev->cmd_q);
2130         skb_queue_head_init(&hdev->raw_q);
2131
2132         init_waitqueue_head(&hdev->req_wait_q);
2133
2134         setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2135
2136         hci_init_sysfs(hdev);
2137         discovery_init(hdev);
2138
2139         return hdev;
2140 }
2141 EXPORT_SYMBOL(hci_alloc_dev);
2142
2143 /* Free HCI device */
2144 void hci_free_dev(struct hci_dev *hdev)
2145 {
2146         skb_queue_purge(&hdev->driver_init);
2147
2148         /* will free via device release */
2149         put_device(&hdev->dev);
2150 }
2151 EXPORT_SYMBOL(hci_free_dev);
2152
2153 /* Register HCI device */
2154 int hci_register_dev(struct hci_dev *hdev)
2155 {
2156         int id, error;
2157
2158         if (!hdev->open || !hdev->close)
2159                 return -EINVAL;
2160
2161         /* Do not allow HCI_AMP devices to register at index 0,
2162          * so the index can be used as the AMP controller ID.
2163          */
2164         switch (hdev->dev_type) {
2165         case HCI_BREDR:
2166                 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2167                 break;
2168         case HCI_AMP:
2169                 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2170                 break;
2171         default:
2172                 return -EINVAL;
2173         }
2174
2175         if (id < 0)
2176                 return id;
2177
2178         sprintf(hdev->name, "hci%d", id);
2179         hdev->id = id;
2180
2181         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2182
2183         write_lock(&hci_dev_list_lock);
2184         list_add(&hdev->list, &hci_dev_list);
2185         write_unlock(&hci_dev_list_lock);
2186
2187         hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND |
2188                                           WQ_MEM_RECLAIM, 1);
2189         if (!hdev->workqueue) {
2190                 error = -ENOMEM;
2191                 goto err;
2192         }
2193
2194         hdev->req_workqueue = alloc_workqueue(hdev->name,
2195                                               WQ_HIGHPRI | WQ_UNBOUND |
2196                                               WQ_MEM_RECLAIM, 1);
2197         if (!hdev->req_workqueue) {
2198                 destroy_workqueue(hdev->workqueue);
2199                 error = -ENOMEM;
2200                 goto err;
2201         }
2202
2203         error = hci_add_sysfs(hdev);
2204         if (error < 0)
2205                 goto err_wqueue;
2206
2207         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2208                                     RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2209                                     hdev);
2210         if (hdev->rfkill) {
2211                 if (rfkill_register(hdev->rfkill) < 0) {
2212                         rfkill_destroy(hdev->rfkill);
2213                         hdev->rfkill = NULL;
2214                 }
2215         }
2216
2217         set_bit(HCI_SETUP, &hdev->dev_flags);
2218
2219         if (hdev->dev_type != HCI_AMP)
2220                 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2221
2222         hci_notify(hdev, HCI_DEV_REG);
2223         hci_dev_hold(hdev);
2224
2225         queue_work(hdev->req_workqueue, &hdev->power_on);
2226
2227         return id;
2228
2229 err_wqueue:
2230         destroy_workqueue(hdev->workqueue);
2231         destroy_workqueue(hdev->req_workqueue);
2232 err:
2233         ida_simple_remove(&hci_index_ida, hdev->id);
2234         write_lock(&hci_dev_list_lock);
2235         list_del(&hdev->list);
2236         write_unlock(&hci_dev_list_lock);
2237
2238         return error;
2239 }
2240 EXPORT_SYMBOL(hci_register_dev);
2241
2242 /* Unregister HCI device */
2243 void hci_unregister_dev(struct hci_dev *hdev)
2244 {
2245         int i, id;
2246
2247         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2248
2249         set_bit(HCI_UNREGISTER, &hdev->dev_flags);
2250
2251         id = hdev->id;
2252
2253         write_lock(&hci_dev_list_lock);
2254         list_del(&hdev->list);
2255         write_unlock(&hci_dev_list_lock);
2256
2257         hci_dev_do_close(hdev);
2258
2259         for (i = 0; i < NUM_REASSEMBLY; i++)
2260                 kfree_skb(hdev->reassembly[i]);
2261
2262         cancel_work_sync(&hdev->power_on);
2263
2264         if (!test_bit(HCI_INIT, &hdev->flags) &&
2265             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
2266                 hci_dev_lock(hdev);
2267                 mgmt_index_removed(hdev);
2268                 hci_dev_unlock(hdev);
2269         }
2270
2271         /* mgmt_index_removed should take care of emptying the
2272          * pending list */
2273         BUG_ON(!list_empty(&hdev->mgmt_pending));
2274
2275         hci_notify(hdev, HCI_DEV_UNREG);
2276
2277         if (hdev->rfkill) {
2278                 rfkill_unregister(hdev->rfkill);
2279                 rfkill_destroy(hdev->rfkill);
2280         }
2281
2282         hci_del_sysfs(hdev);
2283
2284         destroy_workqueue(hdev->workqueue);
2285         destroy_workqueue(hdev->req_workqueue);
2286
2287         hci_dev_lock(hdev);
2288         hci_blacklist_clear(hdev);
2289         hci_uuids_clear(hdev);
2290         hci_link_keys_clear(hdev);
2291         hci_smp_ltks_clear(hdev);
2292         hci_remote_oob_data_clear(hdev);
2293         hci_dev_unlock(hdev);
2294
2295         hci_dev_put(hdev);
2296
2297         ida_simple_remove(&hci_index_ida, id);
2298 }
2299 EXPORT_SYMBOL(hci_unregister_dev);
2300
2301 /* Suspend HCI device */
2302 int hci_suspend_dev(struct hci_dev *hdev)
2303 {
2304         hci_notify(hdev, HCI_DEV_SUSPEND);
2305         return 0;
2306 }
2307 EXPORT_SYMBOL(hci_suspend_dev);
2308
2309 /* Resume HCI device */
2310 int hci_resume_dev(struct hci_dev *hdev)
2311 {
2312         hci_notify(hdev, HCI_DEV_RESUME);
2313         return 0;
2314 }
2315 EXPORT_SYMBOL(hci_resume_dev);
2316
2317 /* Receive frame from HCI drivers */
2318 int hci_recv_frame(struct sk_buff *skb)
2319 {
2320         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2321         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2322                       && !test_bit(HCI_INIT, &hdev->flags))) {
2323                 kfree_skb(skb);
2324                 return -ENXIO;
2325         }
2326
2327         /* Incoming skb */
2328         bt_cb(skb)->incoming = 1;
2329
2330         /* Time stamp */
2331         __net_timestamp(skb);
2332
2333         skb_queue_tail(&hdev->rx_q, skb);
2334         queue_work(hdev->workqueue, &hdev->rx_work);
2335
2336         return 0;
2337 }
2338 EXPORT_SYMBOL(hci_recv_frame);
2339
2340 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
2341                           int count, __u8 index)
2342 {
2343         int len = 0;
2344         int hlen = 0;
2345         int remain = count;
2346         struct sk_buff *skb;
2347         struct bt_skb_cb *scb;
2348
2349         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
2350             index >= NUM_REASSEMBLY)
2351                 return -EILSEQ;
2352
2353         skb = hdev->reassembly[index];
2354
2355         if (!skb) {
2356                 switch (type) {
2357                 case HCI_ACLDATA_PKT:
2358                         len = HCI_MAX_FRAME_SIZE;
2359                         hlen = HCI_ACL_HDR_SIZE;
2360                         break;
2361                 case HCI_EVENT_PKT:
2362                         len = HCI_MAX_EVENT_SIZE;
2363                         hlen = HCI_EVENT_HDR_SIZE;
2364                         break;
2365                 case HCI_SCODATA_PKT:
2366                         len = HCI_MAX_SCO_SIZE;
2367                         hlen = HCI_SCO_HDR_SIZE;
2368                         break;
2369                 }
2370
2371                 skb = bt_skb_alloc(len, GFP_ATOMIC);
2372                 if (!skb)
2373                         return -ENOMEM;
2374
2375                 scb = (void *) skb->cb;
2376                 scb->expect = hlen;
2377                 scb->pkt_type = type;
2378
2379                 skb->dev = (void *) hdev;
2380                 hdev->reassembly[index] = skb;
2381         }
2382
2383         while (count) {
2384                 scb = (void *) skb->cb;
2385                 len = min_t(uint, scb->expect, count);
2386
2387                 memcpy(skb_put(skb, len), data, len);
2388
2389                 count -= len;
2390                 data += len;
2391                 scb->expect -= len;
2392                 remain = count;
2393
2394                 switch (type) {
2395                 case HCI_EVENT_PKT:
2396                         if (skb->len == HCI_EVENT_HDR_SIZE) {
2397                                 struct hci_event_hdr *h = hci_event_hdr(skb);
2398                                 scb->expect = h->plen;
2399
2400                                 if (skb_tailroom(skb) < scb->expect) {
2401                                         kfree_skb(skb);
2402                                         hdev->reassembly[index] = NULL;
2403                                         return -ENOMEM;
2404                                 }
2405                         }
2406                         break;
2407
2408                 case HCI_ACLDATA_PKT:
2409                         if (skb->len  == HCI_ACL_HDR_SIZE) {
2410                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
2411                                 scb->expect = __le16_to_cpu(h->dlen);
2412
2413                                 if (skb_tailroom(skb) < scb->expect) {
2414                                         kfree_skb(skb);
2415                                         hdev->reassembly[index] = NULL;
2416                                         return -ENOMEM;
2417                                 }
2418                         }
2419                         break;
2420
2421                 case HCI_SCODATA_PKT:
2422                         if (skb->len == HCI_SCO_HDR_SIZE) {
2423                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
2424                                 scb->expect = h->dlen;
2425
2426                                 if (skb_tailroom(skb) < scb->expect) {
2427                                         kfree_skb(skb);
2428                                         hdev->reassembly[index] = NULL;
2429                                         return -ENOMEM;
2430                                 }
2431                         }
2432                         break;
2433                 }
2434
2435                 if (scb->expect == 0) {
2436                         /* Complete frame */
2437
2438                         bt_cb(skb)->pkt_type = type;
2439                         hci_recv_frame(skb);
2440
2441                         hdev->reassembly[index] = NULL;
2442                         return remain;
2443                 }
2444         }
2445
2446         return remain;
2447 }
2448
2449 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
2450 {
2451         int rem = 0;
2452
2453         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
2454                 return -EILSEQ;
2455
2456         while (count) {
2457                 rem = hci_reassembly(hdev, type, data, count, type - 1);
2458                 if (rem < 0)
2459                         return rem;
2460
2461                 data += (count - rem);
2462                 count = rem;
2463         }
2464
2465         return rem;
2466 }
2467 EXPORT_SYMBOL(hci_recv_fragment);
2468
2469 #define STREAM_REASSEMBLY 0
2470
2471 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
2472 {
2473         int type;
2474         int rem = 0;
2475
2476         while (count) {
2477                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
2478
2479                 if (!skb) {
2480                         struct { char type; } *pkt;
2481
2482                         /* Start of the frame */
2483                         pkt = data;
2484                         type = pkt->type;
2485
2486                         data++;
2487                         count--;
2488                 } else
2489                         type = bt_cb(skb)->pkt_type;
2490
2491                 rem = hci_reassembly(hdev, type, data, count,
2492                                      STREAM_REASSEMBLY);
2493                 if (rem < 0)
2494                         return rem;
2495
2496                 data += (count - rem);
2497                 count = rem;
2498         }
2499
2500         return rem;
2501 }
2502 EXPORT_SYMBOL(hci_recv_stream_fragment);
2503
2504 /* ---- Interface to upper protocols ---- */
2505
2506 int hci_register_cb(struct hci_cb *cb)
2507 {
2508         BT_DBG("%p name %s", cb, cb->name);
2509
2510         write_lock(&hci_cb_list_lock);
2511         list_add(&cb->list, &hci_cb_list);
2512         write_unlock(&hci_cb_list_lock);
2513
2514         return 0;
2515 }
2516 EXPORT_SYMBOL(hci_register_cb);
2517
2518 int hci_unregister_cb(struct hci_cb *cb)
2519 {
2520         BT_DBG("%p name %s", cb, cb->name);
2521
2522         write_lock(&hci_cb_list_lock);
2523         list_del(&cb->list);
2524         write_unlock(&hci_cb_list_lock);
2525
2526         return 0;
2527 }
2528 EXPORT_SYMBOL(hci_unregister_cb);
2529
2530 static int hci_send_frame(struct sk_buff *skb)
2531 {
2532         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2533
2534         if (!hdev) {
2535                 kfree_skb(skb);
2536                 return -ENODEV;
2537         }
2538
2539         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
2540
2541         /* Time stamp */
2542         __net_timestamp(skb);
2543
2544         /* Send copy to monitor */
2545         hci_send_to_monitor(hdev, skb);
2546
2547         if (atomic_read(&hdev->promisc)) {
2548                 /* Send copy to the sockets */
2549                 hci_send_to_sock(hdev, skb);
2550         }
2551
2552         /* Get rid of skb owner, prior to sending to the driver. */
2553         skb_orphan(skb);
2554
2555         return hdev->send(skb);
2556 }
2557
2558 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
2559 {
2560         skb_queue_head_init(&req->cmd_q);
2561         req->hdev = hdev;
2562         req->err = 0;
2563 }
2564
2565 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
2566 {
2567         struct hci_dev *hdev = req->hdev;
2568         struct sk_buff *skb;
2569         unsigned long flags;
2570
2571         BT_DBG("length %u", skb_queue_len(&req->cmd_q));
2572
2573         /* If an error occured during request building, remove all HCI
2574          * commands queued on the HCI request queue.
2575          */
2576         if (req->err) {
2577                 skb_queue_purge(&req->cmd_q);
2578                 return req->err;
2579         }
2580
2581         /* Do not allow empty requests */
2582         if (skb_queue_empty(&req->cmd_q))
2583                 return -ENODATA;
2584
2585         skb = skb_peek_tail(&req->cmd_q);
2586         bt_cb(skb)->req.complete = complete;
2587
2588         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
2589         skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
2590         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
2591
2592         queue_work(hdev->workqueue, &hdev->cmd_work);
2593
2594         return 0;
2595 }
2596
2597 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
2598                                        u32 plen, void *param)
2599 {
2600         int len = HCI_COMMAND_HDR_SIZE + plen;
2601         struct hci_command_hdr *hdr;
2602         struct sk_buff *skb;
2603
2604         skb = bt_skb_alloc(len, GFP_ATOMIC);
2605         if (!skb)
2606                 return NULL;
2607
2608         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
2609         hdr->opcode = cpu_to_le16(opcode);
2610         hdr->plen   = plen;
2611
2612         if (plen)
2613                 memcpy(skb_put(skb, plen), param, plen);
2614
2615         BT_DBG("skb len %d", skb->len);
2616
2617         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
2618         skb->dev = (void *) hdev;
2619
2620         return skb;
2621 }
2622
2623 /* Send HCI command */
2624 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
2625 {
2626         struct sk_buff *skb;
2627
2628         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2629
2630         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2631         if (!skb) {
2632                 BT_ERR("%s no memory for command", hdev->name);
2633                 return -ENOMEM;
2634         }
2635
2636         /* Stand-alone HCI commands must be flaged as
2637          * single-command requests.
2638          */
2639         bt_cb(skb)->req.start = true;
2640
2641         skb_queue_tail(&hdev->cmd_q, skb);
2642         queue_work(hdev->workqueue, &hdev->cmd_work);
2643
2644         return 0;
2645 }
2646
2647 /* Queue a command to an asynchronous HCI request */
2648 void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen, void *param,
2649                     u8 event)
2650 {
2651         struct hci_dev *hdev = req->hdev;
2652         struct sk_buff *skb;
2653
2654         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2655
2656         /* If an error occured during request building, there is no point in
2657          * queueing the HCI command. We can simply return.
2658          */
2659         if (req->err)
2660                 return;
2661
2662         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2663         if (!skb) {
2664                 BT_ERR("%s no memory for command (opcode 0x%4.4x)",
2665                        hdev->name, opcode);
2666                 req->err = -ENOMEM;
2667                 return;
2668         }
2669
2670         if (skb_queue_empty(&req->cmd_q))
2671                 bt_cb(skb)->req.start = true;
2672
2673         bt_cb(skb)->req.event = event;
2674
2675         skb_queue_tail(&req->cmd_q, skb);
2676 }
2677
2678 void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param)
2679 {
2680         hci_req_add_ev(req, opcode, plen, param, 0);
2681 }
2682
2683 /* Get data from the previously sent command */
2684 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2685 {
2686         struct hci_command_hdr *hdr;
2687
2688         if (!hdev->sent_cmd)
2689                 return NULL;
2690
2691         hdr = (void *) hdev->sent_cmd->data;
2692
2693         if (hdr->opcode != cpu_to_le16(opcode))
2694                 return NULL;
2695
2696         BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2697
2698         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
2699 }
2700
2701 /* Send ACL data */
2702 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
2703 {
2704         struct hci_acl_hdr *hdr;
2705         int len = skb->len;
2706
2707         skb_push(skb, HCI_ACL_HDR_SIZE);
2708         skb_reset_transport_header(skb);
2709         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
2710         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
2711         hdr->dlen   = cpu_to_le16(len);
2712 }
2713
2714 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
2715                           struct sk_buff *skb, __u16 flags)
2716 {
2717         struct hci_conn *conn = chan->conn;
2718         struct hci_dev *hdev = conn->hdev;
2719         struct sk_buff *list;
2720
2721         skb->len = skb_headlen(skb);
2722         skb->data_len = 0;
2723
2724         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2725
2726         switch (hdev->dev_type) {
2727         case HCI_BREDR:
2728                 hci_add_acl_hdr(skb, conn->handle, flags);
2729                 break;
2730         case HCI_AMP:
2731                 hci_add_acl_hdr(skb, chan->handle, flags);
2732                 break;
2733         default:
2734                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2735                 return;
2736         }
2737
2738         list = skb_shinfo(skb)->frag_list;
2739         if (!list) {
2740                 /* Non fragmented */
2741                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
2742
2743                 skb_queue_tail(queue, skb);
2744         } else {
2745                 /* Fragmented */
2746                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2747
2748                 skb_shinfo(skb)->frag_list = NULL;
2749
2750                 /* Queue all fragments atomically */
2751                 spin_lock(&queue->lock);
2752
2753                 __skb_queue_tail(queue, skb);
2754
2755                 flags &= ~ACL_START;
2756                 flags |= ACL_CONT;
2757                 do {
2758                         skb = list; list = list->next;
2759
2760                         skb->dev = (void *) hdev;
2761                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2762                         hci_add_acl_hdr(skb, conn->handle, flags);
2763
2764                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2765
2766                         __skb_queue_tail(queue, skb);
2767                 } while (list);
2768
2769                 spin_unlock(&queue->lock);
2770         }
2771 }
2772
2773 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
2774 {
2775         struct hci_dev *hdev = chan->conn->hdev;
2776
2777         BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
2778
2779         skb->dev = (void *) hdev;
2780
2781         hci_queue_acl(chan, &chan->data_q, skb, flags);
2782
2783         queue_work(hdev->workqueue, &hdev->tx_work);
2784 }
2785
2786 /* Send SCO data */
2787 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2788 {
2789         struct hci_dev *hdev = conn->hdev;
2790         struct hci_sco_hdr hdr;
2791
2792         BT_DBG("%s len %d", hdev->name, skb->len);
2793
2794         hdr.handle = cpu_to_le16(conn->handle);
2795         hdr.dlen   = skb->len;
2796
2797         skb_push(skb, HCI_SCO_HDR_SIZE);
2798         skb_reset_transport_header(skb);
2799         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
2800
2801         skb->dev = (void *) hdev;
2802         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2803
2804         skb_queue_tail(&conn->data_q, skb);
2805         queue_work(hdev->workqueue, &hdev->tx_work);
2806 }
2807
2808 /* ---- HCI TX task (outgoing data) ---- */
2809
2810 /* HCI Connection scheduler */
2811 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
2812                                      int *quote)
2813 {
2814         struct hci_conn_hash *h = &hdev->conn_hash;
2815         struct hci_conn *conn = NULL, *c;
2816         unsigned int num = 0, min = ~0;
2817
2818         /* We don't have to lock device here. Connections are always
2819          * added and removed with TX task disabled. */
2820
2821         rcu_read_lock();
2822
2823         list_for_each_entry_rcu(c, &h->list, list) {
2824                 if (c->type != type || skb_queue_empty(&c->data_q))
2825                         continue;
2826
2827                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
2828                         continue;
2829
2830                 num++;
2831
2832                 if (c->sent < min) {
2833                         min  = c->sent;
2834                         conn = c;
2835                 }
2836
2837                 if (hci_conn_num(hdev, type) == num)
2838                         break;
2839         }
2840
2841         rcu_read_unlock();
2842
2843         if (conn) {
2844                 int cnt, q;
2845
2846                 switch (conn->type) {
2847                 case ACL_LINK:
2848                         cnt = hdev->acl_cnt;
2849                         break;
2850                 case SCO_LINK:
2851                 case ESCO_LINK:
2852                         cnt = hdev->sco_cnt;
2853                         break;
2854                 case LE_LINK:
2855                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2856                         break;
2857                 default:
2858                         cnt = 0;
2859                         BT_ERR("Unknown link type");
2860                 }
2861
2862                 q = cnt / num;
2863                 *quote = q ? q : 1;
2864         } else
2865                 *quote = 0;
2866
2867         BT_DBG("conn %p quote %d", conn, *quote);
2868         return conn;
2869 }
2870
2871 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2872 {
2873         struct hci_conn_hash *h = &hdev->conn_hash;
2874         struct hci_conn *c;
2875
2876         BT_ERR("%s link tx timeout", hdev->name);
2877
2878         rcu_read_lock();
2879
2880         /* Kill stalled connections */
2881         list_for_each_entry_rcu(c, &h->list, list) {
2882                 if (c->type == type && c->sent) {
2883                         BT_ERR("%s killing stalled connection %pMR",
2884                                hdev->name, &c->dst);
2885                         hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
2886                 }
2887         }
2888
2889         rcu_read_unlock();
2890 }
2891
2892 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2893                                       int *quote)
2894 {
2895         struct hci_conn_hash *h = &hdev->conn_hash;
2896         struct hci_chan *chan = NULL;
2897         unsigned int num = 0, min = ~0, cur_prio = 0;
2898         struct hci_conn *conn;
2899         int cnt, q, conn_num = 0;
2900
2901         BT_DBG("%s", hdev->name);
2902
2903         rcu_read_lock();
2904
2905         list_for_each_entry_rcu(conn, &h->list, list) {
2906                 struct hci_chan *tmp;
2907
2908                 if (conn->type != type)
2909                         continue;
2910
2911                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2912                         continue;
2913
2914                 conn_num++;
2915
2916                 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
2917                         struct sk_buff *skb;
2918
2919                         if (skb_queue_empty(&tmp->data_q))
2920                                 continue;
2921
2922                         skb = skb_peek(&tmp->data_q);
2923                         if (skb->priority < cur_prio)
2924                                 continue;
2925
2926                         if (skb->priority > cur_prio) {
2927                                 num = 0;
2928                                 min = ~0;
2929                                 cur_prio = skb->priority;
2930                         }
2931
2932                         num++;
2933
2934                         if (conn->sent < min) {
2935                                 min  = conn->sent;
2936                                 chan = tmp;
2937                         }
2938                 }
2939
2940                 if (hci_conn_num(hdev, type) == conn_num)
2941                         break;
2942         }
2943
2944         rcu_read_unlock();
2945
2946         if (!chan)
2947                 return NULL;
2948
2949         switch (chan->conn->type) {
2950         case ACL_LINK:
2951                 cnt = hdev->acl_cnt;
2952                 break;
2953         case AMP_LINK:
2954                 cnt = hdev->block_cnt;
2955                 break;
2956         case SCO_LINK:
2957         case ESCO_LINK:
2958                 cnt = hdev->sco_cnt;
2959                 break;
2960         case LE_LINK:
2961                 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2962                 break;
2963         default:
2964                 cnt = 0;
2965                 BT_ERR("Unknown link type");
2966         }
2967
2968         q = cnt / num;
2969         *quote = q ? q : 1;
2970         BT_DBG("chan %p quote %d", chan, *quote);
2971         return chan;
2972 }
2973
2974 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2975 {
2976         struct hci_conn_hash *h = &hdev->conn_hash;
2977         struct hci_conn *conn;
2978         int num = 0;
2979
2980         BT_DBG("%s", hdev->name);
2981
2982         rcu_read_lock();
2983
2984         list_for_each_entry_rcu(conn, &h->list, list) {
2985                 struct hci_chan *chan;
2986
2987                 if (conn->type != type)
2988                         continue;
2989
2990                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2991                         continue;
2992
2993                 num++;
2994
2995                 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
2996                         struct sk_buff *skb;
2997
2998                         if (chan->sent) {
2999                                 chan->sent = 0;
3000                                 continue;
3001                         }
3002
3003                         if (skb_queue_empty(&chan->data_q))
3004                                 continue;
3005
3006                         skb = skb_peek(&chan->data_q);
3007                         if (skb->priority >= HCI_PRIO_MAX - 1)
3008                                 continue;
3009
3010                         skb->priority = HCI_PRIO_MAX - 1;
3011
3012                         BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3013                                skb->priority);
3014                 }
3015
3016                 if (hci_conn_num(hdev, type) == num)
3017                         break;
3018         }
3019
3020         rcu_read_unlock();
3021
3022 }
3023
3024 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3025 {
3026         /* Calculate count of blocks used by this packet */
3027         return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3028 }
3029
3030 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3031 {
3032         if (!test_bit(HCI_RAW, &hdev->flags)) {
3033                 /* ACL tx timeout must be longer than maximum
3034                  * link supervision timeout (40.9 seconds) */
3035                 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3036                                        HCI_ACL_TX_TIMEOUT))
3037                         hci_link_tx_to(hdev, ACL_LINK);
3038         }
3039 }
3040
3041 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3042 {
3043         unsigned int cnt = hdev->acl_cnt;
3044         struct hci_chan *chan;
3045         struct sk_buff *skb;
3046         int quote;
3047
3048         __check_timeout(hdev, cnt);
3049
3050         while (hdev->acl_cnt &&
3051                (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3052                 u32 priority = (skb_peek(&chan->data_q))->priority;
3053                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3054                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3055                                skb->len, skb->priority);
3056
3057                         /* Stop if priority has changed */
3058                         if (skb->priority < priority)
3059                                 break;
3060
3061                         skb = skb_dequeue(&chan->data_q);
3062
3063                         hci_conn_enter_active_mode(chan->conn,
3064                                                    bt_cb(skb)->force_active);
3065
3066                         hci_send_frame(skb);
3067                         hdev->acl_last_tx = jiffies;
3068
3069                         hdev->acl_cnt--;
3070                         chan->sent++;
3071                         chan->conn->sent++;
3072                 }
3073         }
3074
3075         if (cnt != hdev->acl_cnt)
3076                 hci_prio_recalculate(hdev, ACL_LINK);
3077 }
3078
3079 static void hci_sched_acl_blk(struct hci_dev *hdev)
3080 {
3081         unsigned int cnt = hdev->block_cnt;
3082         struct hci_chan *chan;
3083         struct sk_buff *skb;
3084         int quote;
3085         u8 type;
3086
3087         __check_timeout(hdev, cnt);
3088
3089         BT_DBG("%s", hdev->name);
3090
3091         if (hdev->dev_type == HCI_AMP)
3092                 type = AMP_LINK;
3093         else
3094                 type = ACL_LINK;
3095
3096         while (hdev->block_cnt > 0 &&
3097                (chan = hci_chan_sent(hdev, type, &quote))) {
3098                 u32 priority = (skb_peek(&chan->data_q))->priority;
3099                 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3100                         int blocks;
3101
3102                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3103                                skb->len, skb->priority);
3104
3105                         /* Stop if priority has changed */
3106                         if (skb->priority < priority)
3107                                 break;
3108
3109                         skb = skb_dequeue(&chan->data_q);
3110
3111                         blocks = __get_blocks(hdev, skb);
3112                         if (blocks > hdev->block_cnt)
3113                                 return;
3114
3115                         hci_conn_enter_active_mode(chan->conn,
3116                                                    bt_cb(skb)->force_active);
3117
3118                         hci_send_frame(skb);
3119                         hdev->acl_last_tx = jiffies;
3120
3121                         hdev->block_cnt -= blocks;
3122                         quote -= blocks;
3123
3124                         chan->sent += blocks;
3125                         chan->conn->sent += blocks;
3126                 }
3127         }
3128
3129         if (cnt != hdev->block_cnt)
3130                 hci_prio_recalculate(hdev, type);
3131 }
3132
3133 static void hci_sched_acl(struct hci_dev *hdev)
3134 {
3135         BT_DBG("%s", hdev->name);
3136
3137         /* No ACL link over BR/EDR controller */
3138         if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3139                 return;
3140
3141         /* No AMP link over AMP controller */
3142         if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3143                 return;
3144
3145         switch (hdev->flow_ctl_mode) {
3146         case HCI_FLOW_CTL_MODE_PACKET_BASED:
3147                 hci_sched_acl_pkt(hdev);
3148                 break;
3149
3150         case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3151                 hci_sched_acl_blk(hdev);
3152                 break;
3153         }
3154 }
3155
3156 /* Schedule SCO */
3157 static void hci_sched_sco(struct hci_dev *hdev)
3158 {
3159         struct hci_conn *conn;
3160         struct sk_buff *skb;
3161         int quote;
3162
3163         BT_DBG("%s", hdev->name);
3164
3165         if (!hci_conn_num(hdev, SCO_LINK))
3166                 return;
3167
3168         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3169                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3170                         BT_DBG("skb %p len %d", skb, skb->len);
3171                         hci_send_frame(skb);
3172
3173                         conn->sent++;
3174                         if (conn->sent == ~0)
3175                                 conn->sent = 0;
3176                 }
3177         }
3178 }
3179
3180 static void hci_sched_esco(struct hci_dev *hdev)
3181 {
3182         struct hci_conn *conn;
3183         struct sk_buff *skb;
3184         int quote;
3185
3186         BT_DBG("%s", hdev->name);
3187
3188         if (!hci_conn_num(hdev, ESCO_LINK))
3189                 return;
3190
3191         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3192                                                      &quote))) {
3193                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3194                         BT_DBG("skb %p len %d", skb, skb->len);
3195                         hci_send_frame(skb);
3196
3197                         conn->sent++;
3198                         if (conn->sent == ~0)
3199                                 conn->sent = 0;
3200                 }
3201         }
3202 }
3203
3204 static void hci_sched_le(struct hci_dev *hdev)
3205 {
3206         struct hci_chan *chan;
3207         struct sk_buff *skb;
3208         int quote, cnt, tmp;
3209
3210         BT_DBG("%s", hdev->name);
3211
3212         if (!hci_conn_num(hdev, LE_LINK))
3213                 return;
3214
3215         if (!test_bit(HCI_RAW, &hdev->flags)) {
3216                 /* LE tx timeout must be longer than maximum
3217                  * link supervision timeout (40.9 seconds) */
3218                 if (!hdev->le_cnt && hdev->le_pkts &&
3219                     time_after(jiffies, hdev->le_last_tx + HZ * 45))
3220                         hci_link_tx_to(hdev, LE_LINK);
3221         }
3222
3223         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3224         tmp = cnt;
3225         while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3226                 u32 priority = (skb_peek(&chan->data_q))->priority;
3227                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3228                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3229                                skb->len, skb->priority);
3230
3231                         /* Stop if priority has changed */
3232                         if (skb->priority < priority)
3233                                 break;
3234
3235                         skb = skb_dequeue(&chan->data_q);
3236
3237                         hci_send_frame(skb);
3238                         hdev->le_last_tx = jiffies;
3239
3240                         cnt--;
3241                         chan->sent++;
3242                         chan->conn->sent++;
3243                 }
3244         }
3245
3246         if (hdev->le_pkts)
3247                 hdev->le_cnt = cnt;
3248         else
3249                 hdev->acl_cnt = cnt;
3250
3251         if (cnt != tmp)
3252                 hci_prio_recalculate(hdev, LE_LINK);
3253 }
3254
3255 static void hci_tx_work(struct work_struct *work)
3256 {
3257         struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3258         struct sk_buff *skb;
3259
3260         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3261                hdev->sco_cnt, hdev->le_cnt);
3262
3263         /* Schedule queues and send stuff to HCI driver */
3264
3265         hci_sched_acl(hdev);
3266
3267         hci_sched_sco(hdev);
3268
3269         hci_sched_esco(hdev);
3270
3271         hci_sched_le(hdev);
3272
3273         /* Send next queued raw (unknown type) packet */
3274         while ((skb = skb_dequeue(&hdev->raw_q)))
3275                 hci_send_frame(skb);
3276 }
3277
3278 /* ----- HCI RX task (incoming data processing) ----- */
3279
3280 /* ACL data packet */
3281 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3282 {
3283         struct hci_acl_hdr *hdr = (void *) skb->data;
3284         struct hci_conn *conn;
3285         __u16 handle, flags;
3286
3287         skb_pull(skb, HCI_ACL_HDR_SIZE);
3288
3289         handle = __le16_to_cpu(hdr->handle);
3290         flags  = hci_flags(handle);
3291         handle = hci_handle(handle);
3292
3293         BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3294                handle, flags);
3295
3296         hdev->stat.acl_rx++;
3297
3298         hci_dev_lock(hdev);
3299         conn = hci_conn_hash_lookup_handle(hdev, handle);
3300         hci_dev_unlock(hdev);
3301
3302         if (conn) {
3303                 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3304
3305                 /* Send to upper protocol */
3306                 l2cap_recv_acldata(conn, skb, flags);
3307                 return;
3308         } else {
3309                 BT_ERR("%s ACL packet for unknown connection handle %d",
3310                        hdev->name, handle);
3311         }
3312
3313         kfree_skb(skb);
3314 }
3315
3316 /* SCO data packet */
3317 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3318 {
3319         struct hci_sco_hdr *hdr = (void *) skb->data;
3320         struct hci_conn *conn;
3321         __u16 handle;
3322
3323         skb_pull(skb, HCI_SCO_HDR_SIZE);
3324
3325         handle = __le16_to_cpu(hdr->handle);
3326
3327         BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
3328
3329         hdev->stat.sco_rx++;
3330
3331         hci_dev_lock(hdev);
3332         conn = hci_conn_hash_lookup_handle(hdev, handle);
3333         hci_dev_unlock(hdev);
3334
3335         if (conn) {
3336                 /* Send to upper protocol */
3337                 sco_recv_scodata(conn, skb);
3338                 return;
3339         } else {
3340                 BT_ERR("%s SCO packet for unknown connection handle %d",
3341                        hdev->name, handle);
3342         }
3343
3344         kfree_skb(skb);
3345 }
3346
3347 static bool hci_req_is_complete(struct hci_dev *hdev)
3348 {
3349         struct sk_buff *skb;
3350
3351         skb = skb_peek(&hdev->cmd_q);
3352         if (!skb)
3353                 return true;
3354
3355         return bt_cb(skb)->req.start;
3356 }
3357
3358 static void hci_resend_last(struct hci_dev *hdev)
3359 {
3360         struct hci_command_hdr *sent;
3361         struct sk_buff *skb;
3362         u16 opcode;
3363
3364         if (!hdev->sent_cmd)
3365                 return;
3366
3367         sent = (void *) hdev->sent_cmd->data;
3368         opcode = __le16_to_cpu(sent->opcode);
3369         if (opcode == HCI_OP_RESET)
3370                 return;
3371
3372         skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3373         if (!skb)
3374                 return;
3375
3376         skb_queue_head(&hdev->cmd_q, skb);
3377         queue_work(hdev->workqueue, &hdev->cmd_work);
3378 }
3379
3380 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
3381 {
3382         hci_req_complete_t req_complete = NULL;
3383         struct sk_buff *skb;
3384         unsigned long flags;
3385
3386         BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3387
3388         /* If the completed command doesn't match the last one that was
3389          * sent we need to do special handling of it.
3390          */
3391         if (!hci_sent_cmd_data(hdev, opcode)) {
3392                 /* Some CSR based controllers generate a spontaneous
3393                  * reset complete event during init and any pending
3394                  * command will never be completed. In such a case we
3395                  * need to resend whatever was the last sent
3396                  * command.
3397                  */
3398                 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
3399                         hci_resend_last(hdev);
3400
3401                 return;
3402         }
3403
3404         /* If the command succeeded and there's still more commands in
3405          * this request the request is not yet complete.
3406          */
3407         if (!status && !hci_req_is_complete(hdev))
3408                 return;
3409
3410         /* If this was the last command in a request the complete
3411          * callback would be found in hdev->sent_cmd instead of the
3412          * command queue (hdev->cmd_q).
3413          */
3414         if (hdev->sent_cmd) {
3415                 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
3416                 if (req_complete)
3417                         goto call_complete;
3418         }
3419
3420         /* Remove all pending commands belonging to this request */
3421         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3422         while ((skb = __skb_dequeue(&hdev->cmd_q))) {
3423                 if (bt_cb(skb)->req.start) {
3424                         __skb_queue_head(&hdev->cmd_q, skb);
3425                         break;
3426                 }
3427
3428                 req_complete = bt_cb(skb)->req.complete;
3429                 kfree_skb(skb);
3430         }
3431         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3432
3433 call_complete:
3434         if (req_complete)
3435                 req_complete(hdev, status);
3436 }
3437
3438 static void hci_rx_work(struct work_struct *work)
3439 {
3440         struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
3441         struct sk_buff *skb;
3442
3443         BT_DBG("%s", hdev->name);
3444
3445         while ((skb = skb_dequeue(&hdev->rx_q))) {
3446                 /* Send copy to monitor */
3447                 hci_send_to_monitor(hdev, skb);
3448
3449                 if (atomic_read(&hdev->promisc)) {
3450                         /* Send copy to the sockets */
3451                         hci_send_to_sock(hdev, skb);
3452                 }
3453
3454                 if (test_bit(HCI_RAW, &hdev->flags)) {
3455                         kfree_skb(skb);
3456                         continue;
3457                 }
3458
3459                 if (test_bit(HCI_INIT, &hdev->flags)) {
3460                         /* Don't process data packets in this states. */
3461                         switch (bt_cb(skb)->pkt_type) {
3462                         case HCI_ACLDATA_PKT:
3463                         case HCI_SCODATA_PKT:
3464                                 kfree_skb(skb);
3465                                 continue;
3466                         }
3467                 }
3468
3469                 /* Process frame */
3470                 switch (bt_cb(skb)->pkt_type) {
3471                 case HCI_EVENT_PKT:
3472                         BT_DBG("%s Event packet", hdev->name);
3473                         hci_event_packet(hdev, skb);
3474                         break;
3475
3476                 case HCI_ACLDATA_PKT:
3477                         BT_DBG("%s ACL data packet", hdev->name);
3478                         hci_acldata_packet(hdev, skb);
3479                         break;
3480
3481                 case HCI_SCODATA_PKT:
3482                         BT_DBG("%s SCO data packet", hdev->name);
3483                         hci_scodata_packet(hdev, skb);
3484                         break;
3485
3486                 default:
3487                         kfree_skb(skb);
3488                         break;
3489                 }
3490         }
3491 }
3492
3493 static void hci_cmd_work(struct work_struct *work)
3494 {
3495         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
3496         struct sk_buff *skb;
3497
3498         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
3499                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
3500
3501         /* Send queued commands */
3502         if (atomic_read(&hdev->cmd_cnt)) {
3503                 skb = skb_dequeue(&hdev->cmd_q);
3504                 if (!skb)
3505                         return;
3506
3507                 kfree_skb(hdev->sent_cmd);
3508
3509                 hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
3510                 if (hdev->sent_cmd) {
3511                         atomic_dec(&hdev->cmd_cnt);
3512                         hci_send_frame(skb);
3513                         if (test_bit(HCI_RESET, &hdev->flags))
3514                                 del_timer(&hdev->cmd_timer);
3515                         else
3516                                 mod_timer(&hdev->cmd_timer,
3517                                           jiffies + HCI_CMD_TIMEOUT);
3518                 } else {
3519                         skb_queue_head(&hdev->cmd_q, skb);
3520                         queue_work(hdev->workqueue, &hdev->cmd_work);
3521                 }
3522         }
3523 }
3524
3525 int hci_do_inquiry(struct hci_dev *hdev, u8 length)
3526 {
3527         /* General inquiry access code (GIAC) */
3528         u8 lap[3] = { 0x33, 0x8b, 0x9e };
3529         struct hci_cp_inquiry cp;
3530
3531         BT_DBG("%s", hdev->name);
3532
3533         if (test_bit(HCI_INQUIRY, &hdev->flags))
3534                 return -EINPROGRESS;
3535
3536         inquiry_cache_flush(hdev);
3537
3538         memset(&cp, 0, sizeof(cp));
3539         memcpy(&cp.lap, lap, sizeof(cp.lap));
3540         cp.length  = length;
3541
3542         return hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
3543 }
3544
3545 int hci_cancel_inquiry(struct hci_dev *hdev)
3546 {
3547         BT_DBG("%s", hdev->name);
3548
3549         if (!test_bit(HCI_INQUIRY, &hdev->flags))
3550                 return -EALREADY;
3551
3552         return hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
3553 }
3554
3555 u8 bdaddr_to_le(u8 bdaddr_type)
3556 {
3557         switch (bdaddr_type) {
3558         case BDADDR_LE_PUBLIC:
3559                 return ADDR_LE_DEV_PUBLIC;
3560
3561         default:
3562                 /* Fallback to LE Random address type */
3563                 return ADDR_LE_DEV_RANDOM;
3564         }
3565 }
Pandora Kernel Repository