net/bluetooth/hci_core.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2000-2001 Qualcomm Incorporated
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI core. */
  26
  27 #include <linux/jiffies.h>
  28 #include <linux/module.h>
  29 #include <linux/kmod.h>
  30
  31 #include <linux/types.h>
  32 #include <linux/errno.h>
  33 #include <linux/kernel.h>
  34 #include <linux/sched.h>
  35 #include <linux/slab.h>
  36 #include <linux/poll.h>
  37 #include <linux/fcntl.h>
  38 #include <linux/init.h>
  39 #include <linux/skbuff.h>
  40 #include <linux/workqueue.h>
  41 #include <linux/interrupt.h>
  42 #include <linux/notifier.h>
  43 #include <linux/rfkill.h>
  44 #include <linux/timer.h>
  45 #include <linux/crypto.h>
  46 #include <net/sock.h>
  47
  48 #include <asm/system.h>
  49 #include <linux/uaccess.h>
  50 #include <asm/unaligned.h>
  51
  52 #include <net/bluetooth/bluetooth.h>
  53 #include <net/bluetooth/hci_core.h>
  54
  55 #define AUTO_OFF_TIMEOUT 2000
  56
  57 static void hci_cmd_task(unsigned long arg);
  58 static void hci_rx_task(unsigned long arg);
  59 static void hci_tx_task(unsigned long arg);
  60
  61 static DEFINE_RWLOCK(hci_task_lock);
  62
  63 /* HCI device list */
  64 LIST_HEAD(hci_dev_list);
  65 DEFINE_RWLOCK(hci_dev_list_lock);
  66
  67 /* HCI callback list */
  68 LIST_HEAD(hci_cb_list);
  69 DEFINE_RWLOCK(hci_cb_list_lock);
  70
  71 /* HCI protocols */
  72 #define HCI_MAX_PROTO   2
  73 struct hci_proto *hci_proto[HCI_MAX_PROTO];
  74
  75 /* HCI notifiers list */
  76 static ATOMIC_NOTIFIER_HEAD(hci_notifier);
  77
  78 /* ---- HCI notifications ---- */
  79
  80 int hci_register_notifier(struct notifier_block *nb)
  81 {
  82         return atomic_notifier_chain_register(&hci_notifier, nb);
  83 }
  84
  85 int hci_unregister_notifier(struct notifier_block *nb)
  86 {
  87         return atomic_notifier_chain_unregister(&hci_notifier, nb);
  88 }
  89
  90 static void hci_notify(struct hci_dev *hdev, int event)
  91 {
  92         atomic_notifier_call_chain(&hci_notifier, event, hdev);
  93 }
  94
  95 /* ---- HCI requests ---- */
  96
  97 void hci_req_complete(struct hci_dev *hdev, __u16 cmd, int result)
  98 {
  99         BT_DBG("%s command 0x%04x result 0x%2.2x", hdev->name, cmd, result);
 100
 101         /* If this is the init phase check if the completed command matches
 102          * the last init command, and if not just return.
 103          */
 104         if (test_bit(HCI_INIT, &hdev->flags) && hdev->init_last_cmd != cmd)
 105                 return;
 106
 107         if (hdev->req_status == HCI_REQ_PEND) {
 108                 hdev->req_result = result;
 109                 hdev->req_status = HCI_REQ_DONE;
 110                 wake_up_interruptible(&hdev->req_wait_q);
 111         }
 112 }
 113
 114 static void hci_req_cancel(struct hci_dev *hdev, int err)
 115 {
 116         BT_DBG("%s err 0x%2.2x", hdev->name, err);
 117
 118         if (hdev->req_status == HCI_REQ_PEND) {
 119                 hdev->req_result = err;
 120                 hdev->req_status = HCI_REQ_CANCELED;
 121                 wake_up_interruptible(&hdev->req_wait_q);
 122         }
 123 }
 124
 125 /* Execute request and wait for completion. */
 126 static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev, unsigned long opt),
 127                                         unsigned long opt, __u32 timeout)
 128 {
 129         DECLARE_WAITQUEUE(wait, current);
 130         int err = 0;
 131
 132         BT_DBG("%s start", hdev->name);
 133
 134         hdev->req_status = HCI_REQ_PEND;
 135
 136         add_wait_queue(&hdev->req_wait_q, &wait);
 137         set_current_state(TASK_INTERRUPTIBLE);
 138
 139         req(hdev, opt);
 140         schedule_timeout(timeout);
 141
 142         remove_wait_queue(&hdev->req_wait_q, &wait);
 143
 144         if (signal_pending(current))
 145                 return -EINTR;
 146
 147         switch (hdev->req_status) {
 148         case HCI_REQ_DONE:
 149                 err = -bt_to_errno(hdev->req_result);
 150                 break;
 151
 152         case HCI_REQ_CANCELED:
 153                 err = -hdev->req_result;
 154                 break;
 155
 156         default:
 157                 err = -ETIMEDOUT;
 158                 break;
 159         }
 160
 161         hdev->req_status = hdev->req_result = 0;
 162
 163         BT_DBG("%s end: err %d", hdev->name, err);
 164
 165         return err;
 166 }
 167
 168 static inline int hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev, unsigned long opt),
 169                                         unsigned long opt, __u32 timeout)
 170 {
 171         int ret;
 172
 173         if (!test_bit(HCI_UP, &hdev->flags))
 174                 return -ENETDOWN;
 175
 176         /* Serialize all requests */
 177         hci_req_lock(hdev);
 178         ret = __hci_request(hdev, req, opt, timeout);
 179         hci_req_unlock(hdev);
 180
 181         return ret;
 182 }
 183
 184 static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
 185 {
 186         BT_DBG("%s %ld", hdev->name, opt);
 187
 188         /* Reset device */
 189         set_bit(HCI_RESET, &hdev->flags);
 190         hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
 191 }
 192
 193 static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
 194 {
 195         struct hci_cp_delete_stored_link_key cp;
 196         struct sk_buff *skb;
 197         __le16 param;
 198         __u8 flt_type;
 199
 200         BT_DBG("%s %ld", hdev->name, opt);
 201
 202         /* Driver initialization */
 203
 204         /* Special commands */
 205         while ((skb = skb_dequeue(&hdev->driver_init))) {
 206                 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
 207                 skb->dev = (void *) hdev;
 208
 209                 skb_queue_tail(&hdev->cmd_q, skb);
 210                 tasklet_schedule(&hdev->cmd_task);
 211         }
 212         skb_queue_purge(&hdev->driver_init);
 213
 214         /* Mandatory initialization */
 215
 216         /* Reset */
 217         if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
 218                         set_bit(HCI_RESET, &hdev->flags);
 219                         hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
 220         }
 221
 222         /* Read Local Supported Features */
 223         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
 224
 225         /* Read Local Version */
 226         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
 227
 228         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
 229         hci_send_cmd(hdev, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
 230
 231 #if 0
 232         /* Host buffer size */
 233         {
 234                 struct hci_cp_host_buffer_size cp;
 235                 cp.acl_mtu = cpu_to_le16(HCI_MAX_ACL_SIZE);
 236                 cp.sco_mtu = HCI_MAX_SCO_SIZE;
 237                 cp.acl_max_pkt = cpu_to_le16(0xffff);
 238                 cp.sco_max_pkt = cpu_to_le16(0xffff);
 239                 hci_send_cmd(hdev, HCI_OP_HOST_BUFFER_SIZE, sizeof(cp), &cp);
 240         }
 241 #endif
 242
 243         /* Read BD Address */
 244         hci_send_cmd(hdev, HCI_OP_READ_BD_ADDR, 0, NULL);
 245
 246         /* Read Class of Device */
 247         hci_send_cmd(hdev, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
 248
 249         /* Read Local Name */
 250         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_NAME, 0, NULL);
 251
 252         /* Read Voice Setting */
 253         hci_send_cmd(hdev, HCI_OP_READ_VOICE_SETTING, 0, NULL);
 254
 255         /* Optional initialization */
 256
 257         /* Clear Event Filters */
 258         flt_type = HCI_FLT_CLEAR_ALL;
 259         hci_send_cmd(hdev, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
 260
 261         /* Connection accept timeout ~20 secs */
 262         param = cpu_to_le16(0x7d00);
 263         hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
 264
 265         bacpy(&cp.bdaddr, BDADDR_ANY);
 266         cp.delete_all = 1;
 267         hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
 268 }
 269
 270 static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt)
 271 {
 272         BT_DBG("%s", hdev->name);
 273
 274         /* Read LE buffer size */
 275         hci_send_cmd(hdev, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
 276 }
 277
 278 static void hci_scan_req(struct hci_dev *hdev, unsigned long opt)
 279 {
 280         __u8 scan = opt;
 281
 282         BT_DBG("%s %x", hdev->name, scan);
 283
 284         /* Inquiry and Page scans */
 285         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
 286 }
 287
 288 static void hci_auth_req(struct hci_dev *hdev, unsigned long opt)
 289 {
 290         __u8 auth = opt;
 291
 292         BT_DBG("%s %x", hdev->name, auth);
 293
 294         /* Authentication */
 295         hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
 296 }
 297
 298 static void hci_encrypt_req(struct hci_dev *hdev, unsigned long opt)
 299 {
 300         __u8 encrypt = opt;
 301
 302         BT_DBG("%s %x", hdev->name, encrypt);
 303
 304         /* Encryption */
 305         hci_send_cmd(hdev, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
 306 }
 307
 308 static void hci_linkpol_req(struct hci_dev *hdev, unsigned long opt)
 309 {
 310         __le16 policy = cpu_to_le16(opt);
 311
 312         BT_DBG("%s %x", hdev->name, policy);
 313
 314         /* Default link policy */
 315         hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
 316 }
 317
 318 /* Get HCI device by index.
 319  * Device is held on return. */
 320 struct hci_dev *hci_dev_get(int index)
 321 {
 322         struct hci_dev *hdev = NULL;
 323         struct list_head *p;
 324
 325         BT_DBG("%d", index);
 326
 327         if (index < 0)
 328                 return NULL;
 329
 330         read_lock(&hci_dev_list_lock);
 331         list_for_each(p, &hci_dev_list) {
 332                 struct hci_dev *d = list_entry(p, struct hci_dev, list);
 333                 if (d->id == index) {
 334                         hdev = hci_dev_hold(d);
 335                         break;
 336                 }
 337         }
 338         read_unlock(&hci_dev_list_lock);
 339         return hdev;
 340 }
 341
 342 /* ---- Inquiry support ---- */
 343 static void inquiry_cache_flush(struct hci_dev *hdev)
 344 {
 345         struct inquiry_cache *cache = &hdev->inq_cache;
 346         struct inquiry_entry *next  = cache->list, *e;
 347
 348         BT_DBG("cache %p", cache);
 349
 350         cache->list = NULL;
 351         while ((e = next)) {
 352                 next = e->next;
 353                 kfree(e);
 354         }
 355 }
 356
 357 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
 358 {
 359         struct inquiry_cache *cache = &hdev->inq_cache;
 360         struct inquiry_entry *e;
 361
 362         BT_DBG("cache %p, %s", cache, batostr(bdaddr));
 363
 364         for (e = cache->list; e; e = e->next)
 365                 if (!bacmp(&e->data.bdaddr, bdaddr))
 366                         break;
 367         return e;
 368 }
 369
 370 void hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data)
 371 {
 372         struct inquiry_cache *cache = &hdev->inq_cache;
 373         struct inquiry_entry *ie;
 374
 375         BT_DBG("cache %p, %s", cache, batostr(&data->bdaddr));
 376
 377         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
 378         if (!ie) {
 379                 /* Entry not in the cache. Add new one. */
 380                 ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
 381                 if (!ie)
 382                         return;
 383
 384                 ie->next = cache->list;
 385                 cache->list = ie;
 386         }
 387
 388         memcpy(&ie->data, data, sizeof(*data));
 389         ie->timestamp = jiffies;
 390         cache->timestamp = jiffies;
 391 }
 392
 393 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
 394 {
 395         struct inquiry_cache *cache = &hdev->inq_cache;
 396         struct inquiry_info *info = (struct inquiry_info *) buf;
 397         struct inquiry_entry *e;
 398         int copied = 0;
 399
 400         for (e = cache->list; e && copied < num; e = e->next, copied++) {
 401                 struct inquiry_data *data = &e->data;
 402                 bacpy(&info->bdaddr, &data->bdaddr);
 403                 info->pscan_rep_mode    = data->pscan_rep_mode;
 404                 info->pscan_period_mode = data->pscan_period_mode;
 405                 info->pscan_mode        = data->pscan_mode;
 406                 memcpy(info->dev_class, data->dev_class, 3);
 407                 info->clock_offset      = data->clock_offset;
 408                 info++;
 409         }
 410
 411         BT_DBG("cache %p, copied %d", cache, copied);
 412         return copied;
 413 }
 414
 415 static void hci_inq_req(struct hci_dev *hdev, unsigned long opt)
 416 {
 417         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
 418         struct hci_cp_inquiry cp;
 419
 420         BT_DBG("%s", hdev->name);
 421
 422         if (test_bit(HCI_INQUIRY, &hdev->flags))
 423                 return;
 424
 425         /* Start Inquiry */
 426         memcpy(&cp.lap, &ir->lap, 3);
 427         cp.length  = ir->length;
 428         cp.num_rsp = ir->num_rsp;
 429         hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
 430 }
 431
 432 int hci_inquiry(void __user *arg)
 433 {
 434         __u8 __user *ptr = arg;
 435         struct hci_inquiry_req ir;
 436         struct hci_dev *hdev;
 437         int err = 0, do_inquiry = 0, max_rsp;
 438         long timeo;
 439         __u8 *buf;
 440
 441         if (copy_from_user(&ir, ptr, sizeof(ir)))
 442                 return -EFAULT;
 443
 444         hdev = hci_dev_get(ir.dev_id);
 445         if (!hdev)
 446                 return -ENODEV;
 447
 448         hci_dev_lock_bh(hdev);
 449         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
 450                                 inquiry_cache_empty(hdev) ||
 451                                 ir.flags & IREQ_CACHE_FLUSH) {
 452                 inquiry_cache_flush(hdev);
 453                 do_inquiry = 1;
 454         }
 455         hci_dev_unlock_bh(hdev);
 456
 457         timeo = ir.length * msecs_to_jiffies(2000);
 458
 459         if (do_inquiry) {
 460                 err = hci_request(hdev, hci_inq_req, (unsigned long)&ir, timeo);
 461                 if (err < 0)
 462                         goto done;
 463         }
 464
 465         /* for unlimited number of responses we will use buffer with 255 entries */
 466         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
 467
 468         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
 469          * copy it to the user space.
 470          */
 471         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
 472         if (!buf) {
 473                 err = -ENOMEM;
 474                 goto done;
 475         }
 476
 477         hci_dev_lock_bh(hdev);
 478         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
 479         hci_dev_unlock_bh(hdev);
 480
 481         BT_DBG("num_rsp %d", ir.num_rsp);
 482
 483         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
 484                 ptr += sizeof(ir);
 485                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
 486                                         ir.num_rsp))
 487                         err = -EFAULT;
 488         } else
 489                 err = -EFAULT;
 490
 491         kfree(buf);
 492
 493 done:
 494         hci_dev_put(hdev);
 495         return err;
 496 }
 497
 498 /* ---- HCI ioctl helpers ---- */
 499
 500 int hci_dev_open(__u16 dev)
 501 {
 502         struct hci_dev *hdev;
 503         int ret = 0;
 504
 505         hdev = hci_dev_get(dev);
 506         if (!hdev)
 507                 return -ENODEV;
 508
 509         BT_DBG("%s %p", hdev->name, hdev);
 510
 511         hci_req_lock(hdev);
 512
 513         if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
 514                 ret = -ERFKILL;
 515                 goto done;
 516         }
 517
 518         if (test_bit(HCI_UP, &hdev->flags)) {
 519                 ret = -EALREADY;
 520                 goto done;
 521         }
 522
 523         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 524                 set_bit(HCI_RAW, &hdev->flags);
 525
 526         /* Treat all non BR/EDR controllers as raw devices for now */
 527         if (hdev->dev_type != HCI_BREDR)
 528                 set_bit(HCI_RAW, &hdev->flags);
 529
 530         if (hdev->open(hdev)) {
 531                 ret = -EIO;
 532                 goto done;
 533         }
 534
 535         if (!test_bit(HCI_RAW, &hdev->flags)) {
 536                 atomic_set(&hdev->cmd_cnt, 1);
 537                 set_bit(HCI_INIT, &hdev->flags);
 538                 hdev->init_last_cmd = 0;
 539
 540                 ret = __hci_request(hdev, hci_init_req, 0,
 541                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 542
 543                 if (lmp_host_le_capable(hdev))
 544                         ret = __hci_request(hdev, hci_le_init_req, 0,
 545                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 546
 547                 clear_bit(HCI_INIT, &hdev->flags);
 548         }
 549
 550         if (!ret) {
 551                 hci_dev_hold(hdev);
 552                 set_bit(HCI_UP, &hdev->flags);
 553                 hci_notify(hdev, HCI_DEV_UP);
 554                 if (!test_bit(HCI_SETUP, &hdev->flags))
 555                         mgmt_powered(hdev->id, 1);
 556         } else {
 557                 /* Init failed, cleanup */
 558                 tasklet_kill(&hdev->rx_task);
 559                 tasklet_kill(&hdev->tx_task);
 560                 tasklet_kill(&hdev->cmd_task);
 561
 562                 skb_queue_purge(&hdev->cmd_q);
 563                 skb_queue_purge(&hdev->rx_q);
 564
 565                 if (hdev->flush)
 566                         hdev->flush(hdev);
 567
 568                 if (hdev->sent_cmd) {
 569                         kfree_skb(hdev->sent_cmd);
 570                         hdev->sent_cmd = NULL;
 571                 }
 572
 573                 hdev->close(hdev);
 574                 hdev->flags = 0;
 575         }
 576
 577 done:
 578         hci_req_unlock(hdev);
 579         hci_dev_put(hdev);
 580         return ret;
 581 }
 582
 583 static int hci_dev_do_close(struct hci_dev *hdev)
 584 {
 585         BT_DBG("%s %p", hdev->name, hdev);
 586
 587         hci_req_cancel(hdev, ENODEV);
 588         hci_req_lock(hdev);
 589
 590         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
 591                 del_timer_sync(&hdev->cmd_timer);
 592                 hci_req_unlock(hdev);
 593                 return 0;
 594         }
 595
 596         /* Kill RX and TX tasks */
 597         tasklet_kill(&hdev->rx_task);
 598         tasklet_kill(&hdev->tx_task);
 599
 600         hci_dev_lock_bh(hdev);
 601         inquiry_cache_flush(hdev);
 602         hci_conn_hash_flush(hdev);
 603         hci_dev_unlock_bh(hdev);
 604
 605         hci_notify(hdev, HCI_DEV_DOWN);
 606
 607         if (hdev->flush)
 608                 hdev->flush(hdev);
 609
 610         /* Reset device */
 611         skb_queue_purge(&hdev->cmd_q);
 612         atomic_set(&hdev->cmd_cnt, 1);
 613         if (!test_bit(HCI_RAW, &hdev->flags)) {
 614                 set_bit(HCI_INIT, &hdev->flags);
 615                 __hci_request(hdev, hci_reset_req, 0,
 616                                         msecs_to_jiffies(250));
 617                 clear_bit(HCI_INIT, &hdev->flags);
 618         }
 619
 620         /* Kill cmd task */
 621         tasklet_kill(&hdev->cmd_task);
 622
 623         /* Drop queues */
 624         skb_queue_purge(&hdev->rx_q);
 625         skb_queue_purge(&hdev->cmd_q);
 626         skb_queue_purge(&hdev->raw_q);
 627
 628         /* Drop last sent command */
 629         if (hdev->sent_cmd) {
 630                 del_timer_sync(&hdev->cmd_timer);
 631                 kfree_skb(hdev->sent_cmd);
 632                 hdev->sent_cmd = NULL;
 633         }
 634
 635         /* After this point our queues are empty
 636          * and no tasks are scheduled. */
 637         hdev->close(hdev);
 638
 639         mgmt_powered(hdev->id, 0);
 640
 641         /* Clear flags */
 642         hdev->flags = 0;
 643
 644         hci_req_unlock(hdev);
 645
 646         hci_dev_put(hdev);
 647         return 0;
 648 }
 649
 650 int hci_dev_close(__u16 dev)
 651 {
 652         struct hci_dev *hdev;
 653         int err;
 654
 655         hdev = hci_dev_get(dev);
 656         if (!hdev)
 657                 return -ENODEV;
 658         err = hci_dev_do_close(hdev);
 659         hci_dev_put(hdev);
 660         return err;
 661 }
 662
 663 int hci_dev_reset(__u16 dev)
 664 {
 665         struct hci_dev *hdev;
 666         int ret = 0;
 667
 668         hdev = hci_dev_get(dev);
 669         if (!hdev)
 670                 return -ENODEV;
 671
 672         hci_req_lock(hdev);
 673         tasklet_disable(&hdev->tx_task);
 674
 675         if (!test_bit(HCI_UP, &hdev->flags))
 676                 goto done;
 677
 678         /* Drop queues */
 679         skb_queue_purge(&hdev->rx_q);
 680         skb_queue_purge(&hdev->cmd_q);
 681
 682         hci_dev_lock_bh(hdev);
 683         inquiry_cache_flush(hdev);
 684         hci_conn_hash_flush(hdev);
 685         hci_dev_unlock_bh(hdev);
 686
 687         if (hdev->flush)
 688                 hdev->flush(hdev);
 689
 690         atomic_set(&hdev->cmd_cnt, 1);
 691         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
 692
 693         if (!test_bit(HCI_RAW, &hdev->flags))
 694                 ret = __hci_request(hdev, hci_reset_req, 0,
 695                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 696
 697 done:
 698         tasklet_enable(&hdev->tx_task);
 699         hci_req_unlock(hdev);
 700         hci_dev_put(hdev);
 701         return ret;
 702 }
 703
 704 int hci_dev_reset_stat(__u16 dev)
 705 {
 706         struct hci_dev *hdev;
 707         int ret = 0;
 708
 709         hdev = hci_dev_get(dev);
 710         if (!hdev)
 711                 return -ENODEV;
 712
 713         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
 714
 715         hci_dev_put(hdev);
 716
 717         return ret;
 718 }
 719
 720 int hci_dev_cmd(unsigned int cmd, void __user *arg)
 721 {
 722         struct hci_dev *hdev;
 723         struct hci_dev_req dr;
 724         int err = 0;
 725
 726         if (copy_from_user(&dr, arg, sizeof(dr)))
 727                 return -EFAULT;
 728
 729         hdev = hci_dev_get(dr.dev_id);
 730         if (!hdev)
 731                 return -ENODEV;
 732
 733         switch (cmd) {
 734         case HCISETAUTH:
 735                 err = hci_request(hdev, hci_auth_req, dr.dev_opt,
 736                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 737                 break;
 738
 739         case HCISETENCRYPT:
 740                 if (!lmp_encrypt_capable(hdev)) {
 741                         err = -EOPNOTSUPP;
 742                         break;
 743                 }
 744
 745                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
 746                         /* Auth must be enabled first */
 747                         err = hci_request(hdev, hci_auth_req, dr.dev_opt,
 748                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 749                         if (err)
 750                                 break;
 751                 }
 752
 753                 err = hci_request(hdev, hci_encrypt_req, dr.dev_opt,
 754                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 755                 break;
 756
 757         case HCISETSCAN:
 758                 err = hci_request(hdev, hci_scan_req, dr.dev_opt,
 759                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 760                 break;
 761
 762         case HCISETLINKPOL:
 763                 err = hci_request(hdev, hci_linkpol_req, dr.dev_opt,
 764                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
 765                 break;
 766
 767         case HCISETLINKMODE:
 768                 hdev->link_mode = ((__u16) dr.dev_opt) &
 769                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
 770                 break;
 771
 772         case HCISETPTYPE:
 773                 hdev->pkt_type = (__u16) dr.dev_opt;
 774                 break;
 775
 776         case HCISETACLMTU:
 777                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
 778                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
 779                 break;
 780
 781         case HCISETSCOMTU:
 782                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
 783                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
 784                 break;
 785
 786         default:
 787                 err = -EINVAL;
 788                 break;
 789         }
 790
 791         hci_dev_put(hdev);
 792         return err;
 793 }
 794
 795 int hci_get_dev_list(void __user *arg)
 796 {
 797         struct hci_dev_list_req *dl;
 798         struct hci_dev_req *dr;
 799         struct list_head *p;
 800         int n = 0, size, err;
 801         __u16 dev_num;
 802
 803         if (get_user(dev_num, (__u16 __user *) arg))
 804                 return -EFAULT;
 805
 806         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
 807                 return -EINVAL;
 808
 809         size = sizeof(*dl) + dev_num * sizeof(*dr);
 810
 811         dl = kzalloc(size, GFP_KERNEL);
 812         if (!dl)
 813                 return -ENOMEM;
 814
 815         dr = dl->dev_req;
 816
 817         read_lock_bh(&hci_dev_list_lock);
 818         list_for_each(p, &hci_dev_list) {
 819                 struct hci_dev *hdev;
 820
 821                 hdev = list_entry(p, struct hci_dev, list);
 822
 823                 hci_del_off_timer(hdev);
 824
 825                 if (!test_bit(HCI_MGMT, &hdev->flags))
 826                         set_bit(HCI_PAIRABLE, &hdev->flags);
 827
 828                 (dr + n)->dev_id  = hdev->id;
 829                 (dr + n)->dev_opt = hdev->flags;
 830
 831                 if (++n >= dev_num)
 832                         break;
 833         }
 834         read_unlock_bh(&hci_dev_list_lock);
 835
 836         dl->dev_num = n;
 837         size = sizeof(*dl) + n * sizeof(*dr);
 838
 839         err = copy_to_user(arg, dl, size);
 840         kfree(dl);
 841
 842         return err ? -EFAULT : 0;
 843 }
 844
 845 int hci_get_dev_info(void __user *arg)
 846 {
 847         struct hci_dev *hdev;
 848         struct hci_dev_info di;
 849         int err = 0;
 850
 851         if (copy_from_user(&di, arg, sizeof(di)))
 852                 return -EFAULT;
 853
 854         hdev = hci_dev_get(di.dev_id);
 855         if (!hdev)
 856                 return -ENODEV;
 857
 858         hci_del_off_timer(hdev);
 859
 860         if (!test_bit(HCI_MGMT, &hdev->flags))
 861                 set_bit(HCI_PAIRABLE, &hdev->flags);
 862
 863         strcpy(di.name, hdev->name);
 864         di.bdaddr   = hdev->bdaddr;
 865         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
 866         di.flags    = hdev->flags;
 867         di.pkt_type = hdev->pkt_type;
 868         di.acl_mtu  = hdev->acl_mtu;
 869         di.acl_pkts = hdev->acl_pkts;
 870         di.sco_mtu  = hdev->sco_mtu;
 871         di.sco_pkts = hdev->sco_pkts;
 872         di.link_policy = hdev->link_policy;
 873         di.link_mode   = hdev->link_mode;
 874
 875         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
 876         memcpy(&di.features, &hdev->features, sizeof(di.features));
 877
 878         if (copy_to_user(arg, &di, sizeof(di)))
 879                 err = -EFAULT;
 880
 881         hci_dev_put(hdev);
 882
 883         return err;
 884 }
 885
 886 /* ---- Interface to HCI drivers ---- */
 887
 888 static int hci_rfkill_set_block(void *data, bool blocked)
 889 {
 890         struct hci_dev *hdev = data;
 891
 892         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
 893
 894         if (!blocked)
 895                 return 0;
 896
 897         hci_dev_do_close(hdev);
 898
 899         return 0;
 900 }
 901
 902 static const struct rfkill_ops hci_rfkill_ops = {
 903         .set_block = hci_rfkill_set_block,
 904 };
 905
 906 /* Alloc HCI device */
 907 struct hci_dev *hci_alloc_dev(void)
 908 {
 909         struct hci_dev *hdev;
 910
 911         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
 912         if (!hdev)
 913                 return NULL;
 914
 915         hci_init_sysfs(hdev);
 916         skb_queue_head_init(&hdev->driver_init);
 917
 918         return hdev;
 919 }
 920 EXPORT_SYMBOL(hci_alloc_dev);
 921
 922 /* Free HCI device */
 923 void hci_free_dev(struct hci_dev *hdev)
 924 {
 925         skb_queue_purge(&hdev->driver_init);
 926
 927         /* will free via device release */
 928         put_device(&hdev->dev);
 929 }
 930 EXPORT_SYMBOL(hci_free_dev);
 931
 932 static void hci_power_on(struct work_struct *work)
 933 {
 934         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
 935
 936         BT_DBG("%s", hdev->name);
 937
 938         if (hci_dev_open(hdev->id) < 0)
 939                 return;
 940
 941         if (test_bit(HCI_AUTO_OFF, &hdev->flags))
 942                 mod_timer(&hdev->off_timer,
 943                                 jiffies + msecs_to_jiffies(AUTO_OFF_TIMEOUT));
 944
 945         if (test_and_clear_bit(HCI_SETUP, &hdev->flags))
 946                 mgmt_index_added(hdev->id);
 947 }
 948
 949 static void hci_power_off(struct work_struct *work)
 950 {
 951         struct hci_dev *hdev = container_of(work, struct hci_dev, power_off);
 952
 953         BT_DBG("%s", hdev->name);
 954
 955         hci_dev_close(hdev->id);
 956 }
 957
 958 static void hci_auto_off(unsigned long data)
 959 {
 960         struct hci_dev *hdev = (struct hci_dev *) data;
 961
 962         BT_DBG("%s", hdev->name);
 963
 964         clear_bit(HCI_AUTO_OFF, &hdev->flags);
 965
 966         queue_work(hdev->workqueue, &hdev->power_off);
 967 }
 968
 969 void hci_del_off_timer(struct hci_dev *hdev)
 970 {
 971         BT_DBG("%s", hdev->name);
 972
 973         clear_bit(HCI_AUTO_OFF, &hdev->flags);
 974         del_timer(&hdev->off_timer);
 975 }
 976
 977 int hci_uuids_clear(struct hci_dev *hdev)
 978 {
 979         struct list_head *p, *n;
 980
 981         list_for_each_safe(p, n, &hdev->uuids) {
 982                 struct bt_uuid *uuid;
 983
 984                 uuid = list_entry(p, struct bt_uuid, list);
 985
 986                 list_del(p);
 987                 kfree(uuid);
 988         }
 989
 990         return 0;
 991 }
 992
 993 int hci_link_keys_clear(struct hci_dev *hdev)
 994 {
 995         struct list_head *p, *n;
 996
 997         list_for_each_safe(p, n, &hdev->link_keys) {
 998                 struct link_key *key;
 999
1000                 key = list_entry(p, struct link_key, list);
1001
1002                 list_del(p);
1003                 kfree(key);
1004         }
1005
1006         return 0;
1007 }
1008
1009 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1010 {
1011         struct list_head *p;
1012
1013         list_for_each(p, &hdev->link_keys) {
1014                 struct link_key *k;
1015
1016                 k = list_entry(p, struct link_key, list);
1017
1018                 if (bacmp(bdaddr, &k->bdaddr) == 0)
1019                         return k;
1020         }
1021
1022         return NULL;
1023 }
1024
1025 static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1026                                                 u8 key_type, u8 old_key_type)
1027 {
1028         /* Legacy key */
1029         if (key_type < 0x03)
1030                 return 1;
1031
1032         /* Debug keys are insecure so don't store them persistently */
1033         if (key_type == HCI_LK_DEBUG_COMBINATION)
1034                 return 0;
1035
1036         /* Changed combination key and there's no previous one */
1037         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1038                 return 0;
1039
1040         /* Security mode 3 case */
1041         if (!conn)
1042                 return 1;
1043
1044         /* Neither local nor remote side had no-bonding as requirement */
1045         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1046                 return 1;
1047
1048         /* Local side had dedicated bonding as requirement */
1049         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1050                 return 1;
1051
1052         /* Remote side had dedicated bonding as requirement */
1053         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1054                 return 1;
1055
1056         /* If none of the above criteria match, then don't store the key
1057          * persistently */
1058         return 0;
1059 }
1060
1061 struct link_key *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1062 {
1063         struct link_key *k;
1064
1065         list_for_each_entry(k, &hdev->link_keys, list) {
1066                 struct key_master_id *id;
1067
1068                 if (k->type != HCI_LK_SMP_LTK)
1069                         continue;
1070
1071                 if (k->dlen != sizeof(*id))
1072                         continue;
1073
1074                 id = (void *) &k->data;
1075                 if (id->ediv == ediv &&
1076                                 (memcmp(rand, id->rand, sizeof(id->rand)) == 0))
1077                         return k;
1078         }
1079
1080         return NULL;
1081 }
1082 EXPORT_SYMBOL(hci_find_ltk);
1083
1084 struct link_key *hci_find_link_key_type(struct hci_dev *hdev,
1085                                         bdaddr_t *bdaddr, u8 type)
1086 {
1087         struct link_key *k;
1088
1089         list_for_each_entry(k, &hdev->link_keys, list)
1090                 if (k->type == type && bacmp(bdaddr, &k->bdaddr) == 0)
1091                         return k;
1092
1093         return NULL;
1094 }
1095 EXPORT_SYMBOL(hci_find_link_key_type);
1096
1097 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1098                                 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1099 {
1100         struct link_key *key, *old_key;
1101         u8 old_key_type, persistent;
1102
1103         old_key = hci_find_link_key(hdev, bdaddr);
1104         if (old_key) {
1105                 old_key_type = old_key->type;
1106                 key = old_key;
1107         } else {
1108                 old_key_type = conn ? conn->key_type : 0xff;
1109                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1110                 if (!key)
1111                         return -ENOMEM;
1112                 list_add(&key->list, &hdev->link_keys);
1113         }
1114
1115         BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type);
1116
1117         /* Some buggy controller combinations generate a changed
1118          * combination key for legacy pairing even when there's no
1119          * previous key */
1120         if (type == HCI_LK_CHANGED_COMBINATION &&
1121                                         (!conn || conn->remote_auth == 0xff) &&
1122                                         old_key_type == 0xff) {
1123                 type = HCI_LK_COMBINATION;
1124                 if (conn)
1125                         conn->key_type = type;
1126         }
1127
1128         bacpy(&key->bdaddr, bdaddr);
1129         memcpy(key->val, val, 16);
1130         key->pin_len = pin_len;
1131
1132         if (type == HCI_LK_CHANGED_COMBINATION)
1133                 key->type = old_key_type;
1134         else
1135                 key->type = type;
1136
1137         if (!new_key)
1138                 return 0;
1139
1140         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1141
1142         mgmt_new_key(hdev->id, key, persistent);
1143
1144         if (!persistent) {
1145                 list_del(&key->list);
1146                 kfree(key);
1147         }
1148
1149         return 0;
1150 }
1151
1152 int hci_add_ltk(struct hci_dev *hdev, int new_key, bdaddr_t *bdaddr,
1153                         u8 key_size, __le16 ediv, u8 rand[8], u8 ltk[16])
1154 {
1155         struct link_key *key, *old_key;
1156         struct key_master_id *id;
1157         u8 old_key_type;
1158
1159         BT_DBG("%s addr %s", hdev->name, batostr(bdaddr));
1160
1161         old_key = hci_find_link_key_type(hdev, bdaddr, HCI_LK_SMP_LTK);
1162         if (old_key) {
1163                 key = old_key;
1164                 old_key_type = old_key->type;
1165         } else {
1166                 key = kzalloc(sizeof(*key) + sizeof(*id), GFP_ATOMIC);
1167                 if (!key)
1168                         return -ENOMEM;
1169                 list_add(&key->list, &hdev->link_keys);
1170                 old_key_type = 0xff;
1171         }
1172
1173         key->dlen = sizeof(*id);
1174
1175         bacpy(&key->bdaddr, bdaddr);
1176         memcpy(key->val, ltk, sizeof(key->val));
1177         key->type = HCI_LK_SMP_LTK;
1178         key->pin_len = key_size;
1179
1180         id = (void *) &key->data;
1181         id->ediv = ediv;
1182         memcpy(id->rand, rand, sizeof(id->rand));
1183
1184         if (new_key)
1185                 mgmt_new_key(hdev->id, key, old_key_type);
1186
1187         return 0;
1188 }
1189
1190 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1191 {
1192         struct link_key *key;
1193
1194         key = hci_find_link_key(hdev, bdaddr);
1195         if (!key)
1196                 return -ENOENT;
1197
1198         BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
1199
1200         list_del(&key->list);
1201         kfree(key);
1202
1203         return 0;
1204 }
1205
1206 /* HCI command timer function */
1207 static void hci_cmd_timer(unsigned long arg)
1208 {
1209         struct hci_dev *hdev = (void *) arg;
1210
1211         BT_ERR("%s command tx timeout", hdev->name);
1212         atomic_set(&hdev->cmd_cnt, 1);
1213         tasklet_schedule(&hdev->cmd_task);
1214 }
1215
1216 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1217                                                         bdaddr_t *bdaddr)
1218 {
1219         struct oob_data *data;
1220
1221         list_for_each_entry(data, &hdev->remote_oob_data, list)
1222                 if (bacmp(bdaddr, &data->bdaddr) == 0)
1223                         return data;
1224
1225         return NULL;
1226 }
1227
1228 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1229 {
1230         struct oob_data *data;
1231
1232         data = hci_find_remote_oob_data(hdev, bdaddr);
1233         if (!data)
1234                 return -ENOENT;
1235
1236         BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
1237
1238         list_del(&data->list);
1239         kfree(data);
1240
1241         return 0;
1242 }
1243
1244 int hci_remote_oob_data_clear(struct hci_dev *hdev)
1245 {
1246         struct oob_data *data, *n;
1247
1248         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1249                 list_del(&data->list);
1250                 kfree(data);
1251         }
1252
1253         return 0;
1254 }
1255
1256 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1257                                                                 u8 *randomizer)
1258 {
1259         struct oob_data *data;
1260
1261         data = hci_find_remote_oob_data(hdev, bdaddr);
1262
1263         if (!data) {
1264                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1265                 if (!data)
1266                         return -ENOMEM;
1267
1268                 bacpy(&data->bdaddr, bdaddr);
1269                 list_add(&data->list, &hdev->remote_oob_data);
1270         }
1271
1272         memcpy(data->hash, hash, sizeof(data->hash));
1273         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1274
1275         BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
1276
1277         return 0;
1278 }
1279
1280 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
1281                                                 bdaddr_t *bdaddr)
1282 {
1283         struct list_head *p;
1284
1285         list_for_each(p, &hdev->blacklist) {
1286                 struct bdaddr_list *b;
1287
1288                 b = list_entry(p, struct bdaddr_list, list);
1289
1290                 if (bacmp(bdaddr, &b->bdaddr) == 0)
1291                         return b;
1292         }
1293
1294         return NULL;
1295 }
1296
1297 int hci_blacklist_clear(struct hci_dev *hdev)
1298 {
1299         struct list_head *p, *n;
1300
1301         list_for_each_safe(p, n, &hdev->blacklist) {
1302                 struct bdaddr_list *b;
1303
1304                 b = list_entry(p, struct bdaddr_list, list);
1305
1306                 list_del(p);
1307                 kfree(b);
1308         }
1309
1310         return 0;
1311 }
1312
1313 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr)
1314 {
1315         struct bdaddr_list *entry;
1316
1317         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1318                 return -EBADF;
1319
1320         if (hci_blacklist_lookup(hdev, bdaddr))
1321                 return -EEXIST;
1322
1323         entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1324         if (!entry)
1325                 return -ENOMEM;
1326
1327         bacpy(&entry->bdaddr, bdaddr);
1328
1329         list_add(&entry->list, &hdev->blacklist);
1330
1331         return mgmt_device_blocked(hdev->id, bdaddr);
1332 }
1333
1334 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
1335 {
1336         struct bdaddr_list *entry;
1337
1338         if (bacmp(bdaddr, BDADDR_ANY) == 0) {
1339                 return hci_blacklist_clear(hdev);
1340         }
1341
1342         entry = hci_blacklist_lookup(hdev, bdaddr);
1343         if (!entry) {
1344                 return -ENOENT;
1345         }
1346
1347         list_del(&entry->list);
1348         kfree(entry);
1349
1350         return mgmt_device_unblocked(hdev->id, bdaddr);
1351 }
1352
1353 static void hci_clear_adv_cache(unsigned long arg)
1354 {
1355         struct hci_dev *hdev = (void *) arg;
1356
1357         hci_dev_lock(hdev);
1358
1359         hci_adv_entries_clear(hdev);
1360
1361         hci_dev_unlock(hdev);
1362 }
1363
1364 int hci_adv_entries_clear(struct hci_dev *hdev)
1365 {
1366         struct adv_entry *entry, *tmp;
1367
1368         list_for_each_entry_safe(entry, tmp, &hdev->adv_entries, list) {
1369                 list_del(&entry->list);
1370                 kfree(entry);
1371         }
1372
1373         BT_DBG("%s adv cache cleared", hdev->name);
1374
1375         return 0;
1376 }
1377
1378 struct adv_entry *hci_find_adv_entry(struct hci_dev *hdev, bdaddr_t *bdaddr)
1379 {
1380         struct adv_entry *entry;
1381
1382         list_for_each_entry(entry, &hdev->adv_entries, list)
1383                 if (bacmp(bdaddr, &entry->bdaddr) == 0)
1384                         return entry;
1385
1386         return NULL;
1387 }
1388
1389 static inline int is_connectable_adv(u8 evt_type)
1390 {
1391         if (evt_type == ADV_IND || evt_type == ADV_DIRECT_IND)
1392                 return 1;
1393
1394         return 0;
1395 }
1396
1397 int hci_add_adv_entry(struct hci_dev *hdev,
1398                                         struct hci_ev_le_advertising_info *ev)
1399 {
1400         struct adv_entry *entry;
1401
1402         if (!is_connectable_adv(ev->evt_type))
1403                 return -EINVAL;
1404
1405         /* Only new entries should be added to adv_entries. So, if
1406          * bdaddr was found, don't add it. */
1407         if (hci_find_adv_entry(hdev, &ev->bdaddr))
1408                 return 0;
1409
1410         entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
1411         if (!entry)
1412                 return -ENOMEM;
1413
1414         bacpy(&entry->bdaddr, &ev->bdaddr);
1415         entry->bdaddr_type = ev->bdaddr_type;
1416
1417         list_add(&entry->list, &hdev->adv_entries);
1418
1419         BT_DBG("%s adv entry added: address %s type %u", hdev->name,
1420                                 batostr(&entry->bdaddr), entry->bdaddr_type);
1421
1422         return 0;
1423 }
1424
1425 /* Register HCI device */
1426 int hci_register_dev(struct hci_dev *hdev)
1427 {
1428         struct list_head *head = &hci_dev_list, *p;
1429         int i, id = 0, error;
1430
1431         BT_DBG("%p name %s bus %d owner %p", hdev, hdev->name,
1432                                                 hdev->bus, hdev->owner);
1433
1434         if (!hdev->open || !hdev->close || !hdev->destruct)
1435                 return -EINVAL;
1436
1437         write_lock_bh(&hci_dev_list_lock);
1438
1439         /* Find first available device id */
1440         list_for_each(p, &hci_dev_list) {
1441                 if (list_entry(p, struct hci_dev, list)->id != id)
1442                         break;
1443                 head = p; id++;
1444         }
1445
1446         sprintf(hdev->name, "hci%d", id);
1447         hdev->id = id;
1448         list_add(&hdev->list, head);
1449
1450         atomic_set(&hdev->refcnt, 1);
1451         spin_lock_init(&hdev->lock);
1452
1453         hdev->flags = 0;
1454         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
1455         hdev->esco_type = (ESCO_HV1);
1456         hdev->link_mode = (HCI_LM_ACCEPT);
1457         hdev->io_capability = 0x03; /* No Input No Output */
1458
1459         hdev->idle_timeout = 0;
1460         hdev->sniff_max_interval = 800;
1461         hdev->sniff_min_interval = 80;
1462
1463         tasklet_init(&hdev->cmd_task, hci_cmd_task, (unsigned long) hdev);
1464         tasklet_init(&hdev->rx_task, hci_rx_task, (unsigned long) hdev);
1465         tasklet_init(&hdev->tx_task, hci_tx_task, (unsigned long) hdev);
1466
1467         skb_queue_head_init(&hdev->rx_q);
1468         skb_queue_head_init(&hdev->cmd_q);
1469         skb_queue_head_init(&hdev->raw_q);
1470
1471         setup_timer(&hdev->cmd_timer, hci_cmd_timer, (unsigned long) hdev);
1472
1473         for (i = 0; i < NUM_REASSEMBLY; i++)
1474                 hdev->reassembly[i] = NULL;
1475
1476         init_waitqueue_head(&hdev->req_wait_q);
1477         mutex_init(&hdev->req_lock);
1478
1479         inquiry_cache_init(hdev);
1480
1481         hci_conn_hash_init(hdev);
1482
1483         INIT_LIST_HEAD(&hdev->blacklist);
1484
1485         INIT_LIST_HEAD(&hdev->uuids);
1486
1487         INIT_LIST_HEAD(&hdev->link_keys);
1488
1489         INIT_LIST_HEAD(&hdev->remote_oob_data);
1490
1491         INIT_LIST_HEAD(&hdev->adv_entries);
1492         setup_timer(&hdev->adv_timer, hci_clear_adv_cache,
1493                                                 (unsigned long) hdev);
1494
1495         INIT_WORK(&hdev->power_on, hci_power_on);
1496         INIT_WORK(&hdev->power_off, hci_power_off);
1497         setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
1498
1499         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1500
1501         atomic_set(&hdev->promisc, 0);
1502
1503         write_unlock_bh(&hci_dev_list_lock);
1504
1505         hdev->workqueue = create_singlethread_workqueue(hdev->name);
1506         if (!hdev->workqueue) {
1507                 error = -ENOMEM;
1508                 goto err;
1509         }
1510
1511         error = hci_add_sysfs(hdev);
1512         if (error < 0)
1513                 goto err_wqueue;
1514
1515         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
1516                                 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, hdev);
1517         if (hdev->rfkill) {
1518                 if (rfkill_register(hdev->rfkill) < 0) {
1519                         rfkill_destroy(hdev->rfkill);
1520                         hdev->rfkill = NULL;
1521                 }
1522         }
1523
1524         set_bit(HCI_AUTO_OFF, &hdev->flags);
1525         set_bit(HCI_SETUP, &hdev->flags);
1526         queue_work(hdev->workqueue, &hdev->power_on);
1527
1528         hci_notify(hdev, HCI_DEV_REG);
1529
1530         return id;
1531
1532 err_wqueue:
1533         destroy_workqueue(hdev->workqueue);
1534 err:
1535         write_lock_bh(&hci_dev_list_lock);
1536         list_del(&hdev->list);
1537         write_unlock_bh(&hci_dev_list_lock);
1538
1539         return error;
1540 }
1541 EXPORT_SYMBOL(hci_register_dev);
1542
1543 /* Unregister HCI device */
1544 void hci_unregister_dev(struct hci_dev *hdev)
1545 {
1546         int i;
1547
1548         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
1549
1550         write_lock_bh(&hci_dev_list_lock);
1551         list_del(&hdev->list);
1552         write_unlock_bh(&hci_dev_list_lock);
1553
1554         hci_dev_do_close(hdev);
1555
1556         for (i = 0; i < NUM_REASSEMBLY; i++)
1557                 kfree_skb(hdev->reassembly[i]);
1558
1559         if (!test_bit(HCI_INIT, &hdev->flags) &&
1560                                         !test_bit(HCI_SETUP, &hdev->flags))
1561                 mgmt_index_removed(hdev->id);
1562
1563         hci_notify(hdev, HCI_DEV_UNREG);
1564
1565         if (hdev->rfkill) {
1566                 rfkill_unregister(hdev->rfkill);
1567                 rfkill_destroy(hdev->rfkill);
1568         }
1569
1570         hci_del_sysfs(hdev);
1571
1572         hci_del_off_timer(hdev);
1573         del_timer(&hdev->adv_timer);
1574
1575         destroy_workqueue(hdev->workqueue);
1576
1577         hci_dev_lock_bh(hdev);
1578         hci_blacklist_clear(hdev);
1579         hci_uuids_clear(hdev);
1580         hci_link_keys_clear(hdev);
1581         hci_remote_oob_data_clear(hdev);
1582         hci_adv_entries_clear(hdev);
1583         hci_dev_unlock_bh(hdev);
1584
1585         __hci_dev_put(hdev);
1586 }
1587 EXPORT_SYMBOL(hci_unregister_dev);
1588
1589 /* Suspend HCI device */
1590 int hci_suspend_dev(struct hci_dev *hdev)
1591 {
1592         hci_notify(hdev, HCI_DEV_SUSPEND);
1593         return 0;
1594 }
1595 EXPORT_SYMBOL(hci_suspend_dev);
1596
1597 /* Resume HCI device */
1598 int hci_resume_dev(struct hci_dev *hdev)
1599 {
1600         hci_notify(hdev, HCI_DEV_RESUME);
1601         return 0;
1602 }
1603 EXPORT_SYMBOL(hci_resume_dev);
1604
1605 /* Receive frame from HCI drivers */
1606 int hci_recv_frame(struct sk_buff *skb)
1607 {
1608         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
1609         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
1610                                 && !test_bit(HCI_INIT, &hdev->flags))) {
1611                 kfree_skb(skb);
1612                 return -ENXIO;
1613         }
1614
1615         /* Incomming skb */
1616         bt_cb(skb)->incoming = 1;
1617
1618         /* Time stamp */
1619         __net_timestamp(skb);
1620
1621         /* Queue frame for rx task */
1622         skb_queue_tail(&hdev->rx_q, skb);
1623         tasklet_schedule(&hdev->rx_task);
1624
1625         return 0;
1626 }
1627 EXPORT_SYMBOL(hci_recv_frame);
1628
1629 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1630                                                   int count, __u8 index)
1631 {
1632         int len = 0;
1633         int hlen = 0;
1634         int remain = count;
1635         struct sk_buff *skb;
1636         struct bt_skb_cb *scb;
1637
1638         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
1639                                 index >= NUM_REASSEMBLY)
1640                 return -EILSEQ;
1641
1642         skb = hdev->reassembly[index];
1643
1644         if (!skb) {
1645                 switch (type) {
1646                 case HCI_ACLDATA_PKT:
1647                         len = HCI_MAX_FRAME_SIZE;
1648                         hlen = HCI_ACL_HDR_SIZE;
1649                         break;
1650                 case HCI_EVENT_PKT:
1651                         len = HCI_MAX_EVENT_SIZE;
1652                         hlen = HCI_EVENT_HDR_SIZE;
1653                         break;
1654                 case HCI_SCODATA_PKT:
1655                         len = HCI_MAX_SCO_SIZE;
1656                         hlen = HCI_SCO_HDR_SIZE;
1657                         break;
1658                 }
1659
1660                 skb = bt_skb_alloc(len, GFP_ATOMIC);
1661                 if (!skb)
1662                         return -ENOMEM;
1663
1664                 scb = (void *) skb->cb;
1665                 scb->expect = hlen;
1666                 scb->pkt_type = type;
1667
1668                 skb->dev = (void *) hdev;
1669                 hdev->reassembly[index] = skb;
1670         }
1671
1672         while (count) {
1673                 scb = (void *) skb->cb;
1674                 len = min(scb->expect, (__u16)count);
1675
1676                 memcpy(skb_put(skb, len), data, len);
1677
1678                 count -= len;
1679                 data += len;
1680                 scb->expect -= len;
1681                 remain = count;
1682
1683                 switch (type) {
1684                 case HCI_EVENT_PKT:
1685                         if (skb->len == HCI_EVENT_HDR_SIZE) {
1686                                 struct hci_event_hdr *h = hci_event_hdr(skb);
1687                                 scb->expect = h->plen;
1688
1689                                 if (skb_tailroom(skb) < scb->expect) {
1690                                         kfree_skb(skb);
1691                                         hdev->reassembly[index] = NULL;
1692                                         return -ENOMEM;
1693                                 }
1694                         }
1695                         break;
1696
1697                 case HCI_ACLDATA_PKT:
1698                         if (skb->len  == HCI_ACL_HDR_SIZE) {
1699                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
1700                                 scb->expect = __le16_to_cpu(h->dlen);
1701
1702                                 if (skb_tailroom(skb) < scb->expect) {
1703                                         kfree_skb(skb);
1704                                         hdev->reassembly[index] = NULL;
1705                                         return -ENOMEM;
1706                                 }
1707                         }
1708                         break;
1709
1710                 case HCI_SCODATA_PKT:
1711                         if (skb->len == HCI_SCO_HDR_SIZE) {
1712                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
1713                                 scb->expect = h->dlen;
1714
1715                                 if (skb_tailroom(skb) < scb->expect) {
1716                                         kfree_skb(skb);
1717                                         hdev->reassembly[index] = NULL;
1718                                         return -ENOMEM;
1719                                 }
1720                         }
1721                         break;
1722                 }
1723
1724                 if (scb->expect == 0) {
1725                         /* Complete frame */
1726
1727                         bt_cb(skb)->pkt_type = type;
1728                         hci_recv_frame(skb);
1729
1730                         hdev->reassembly[index] = NULL;
1731                         return remain;
1732                 }
1733         }
1734
1735         return remain;
1736 }
1737
1738 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1739 {
1740         int rem = 0;
1741
1742         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
1743                 return -EILSEQ;
1744
1745         while (count) {
1746                 rem = hci_reassembly(hdev, type, data, count, type - 1);
1747                 if (rem < 0)
1748                         return rem;
1749
1750                 data += (count - rem);
1751                 count = rem;
1752         }
1753
1754         return rem;
1755 }
1756 EXPORT_SYMBOL(hci_recv_fragment);
1757
1758 #define STREAM_REASSEMBLY 0
1759
1760 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1761 {
1762         int type;
1763         int rem = 0;
1764
1765         while (count) {
1766                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
1767
1768                 if (!skb) {
1769                         struct { char type; } *pkt;
1770
1771                         /* Start of the frame */
1772                         pkt = data;
1773                         type = pkt->type;
1774
1775                         data++;
1776                         count--;
1777                 } else
1778                         type = bt_cb(skb)->pkt_type;
1779
1780                 rem = hci_reassembly(hdev, type, data, count,
1781                                                         STREAM_REASSEMBLY);
1782                 if (rem < 0)
1783                         return rem;
1784
1785                 data += (count - rem);
1786                 count = rem;
1787         }
1788
1789         return rem;
1790 }
1791 EXPORT_SYMBOL(hci_recv_stream_fragment);
1792
1793 /* ---- Interface to upper protocols ---- */
1794
1795 /* Register/Unregister protocols.
1796  * hci_task_lock is used to ensure that no tasks are running. */
1797 int hci_register_proto(struct hci_proto *hp)
1798 {
1799         int err = 0;
1800
1801         BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1802
1803         if (hp->id >= HCI_MAX_PROTO)
1804                 return -EINVAL;
1805
1806         write_lock_bh(&hci_task_lock);
1807
1808         if (!hci_proto[hp->id])
1809                 hci_proto[hp->id] = hp;
1810         else
1811                 err = -EEXIST;
1812
1813         write_unlock_bh(&hci_task_lock);
1814
1815         return err;
1816 }
1817 EXPORT_SYMBOL(hci_register_proto);
1818
1819 int hci_unregister_proto(struct hci_proto *hp)
1820 {
1821         int err = 0;
1822
1823         BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1824
1825         if (hp->id >= HCI_MAX_PROTO)
1826                 return -EINVAL;
1827
1828         write_lock_bh(&hci_task_lock);
1829
1830         if (hci_proto[hp->id])
1831                 hci_proto[hp->id] = NULL;
1832         else
1833                 err = -ENOENT;
1834
1835         write_unlock_bh(&hci_task_lock);
1836
1837         return err;
1838 }
1839 EXPORT_SYMBOL(hci_unregister_proto);
1840
1841 int hci_register_cb(struct hci_cb *cb)
1842 {
1843         BT_DBG("%p name %s", cb, cb->name);
1844
1845         write_lock_bh(&hci_cb_list_lock);
1846         list_add(&cb->list, &hci_cb_list);
1847         write_unlock_bh(&hci_cb_list_lock);
1848
1849         return 0;
1850 }
1851 EXPORT_SYMBOL(hci_register_cb);
1852
1853 int hci_unregister_cb(struct hci_cb *cb)
1854 {
1855         BT_DBG("%p name %s", cb, cb->name);
1856
1857         write_lock_bh(&hci_cb_list_lock);
1858         list_del(&cb->list);
1859         write_unlock_bh(&hci_cb_list_lock);
1860
1861         return 0;
1862 }
1863 EXPORT_SYMBOL(hci_unregister_cb);
1864
1865 static int hci_send_frame(struct sk_buff *skb)
1866 {
1867         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
1868
1869         if (!hdev) {
1870                 kfree_skb(skb);
1871                 return -ENODEV;
1872         }
1873
1874         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
1875
1876         if (atomic_read(&hdev->promisc)) {
1877                 /* Time stamp */
1878                 __net_timestamp(skb);
1879
1880                 hci_send_to_sock(hdev, skb, NULL);
1881         }
1882
1883         /* Get rid of skb owner, prior to sending to the driver. */
1884         skb_orphan(skb);
1885
1886         return hdev->send(skb);
1887 }
1888
1889 /* Send HCI command */
1890 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
1891 {
1892         int len = HCI_COMMAND_HDR_SIZE + plen;
1893         struct hci_command_hdr *hdr;
1894         struct sk_buff *skb;
1895
1896         BT_DBG("%s opcode 0x%x plen %d", hdev->name, opcode, plen);
1897
1898         skb = bt_skb_alloc(len, GFP_ATOMIC);
1899         if (!skb) {
1900                 BT_ERR("%s no memory for command", hdev->name);
1901                 return -ENOMEM;
1902         }
1903
1904         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
1905         hdr->opcode = cpu_to_le16(opcode);
1906         hdr->plen   = plen;
1907
1908         if (plen)
1909                 memcpy(skb_put(skb, plen), param, plen);
1910
1911         BT_DBG("skb len %d", skb->len);
1912
1913         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
1914         skb->dev = (void *) hdev;
1915
1916         if (test_bit(HCI_INIT, &hdev->flags))
1917                 hdev->init_last_cmd = opcode;
1918
1919         skb_queue_tail(&hdev->cmd_q, skb);
1920         tasklet_schedule(&hdev->cmd_task);
1921
1922         return 0;
1923 }
1924
1925 /* Get data from the previously sent command */
1926 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
1927 {
1928         struct hci_command_hdr *hdr;
1929
1930         if (!hdev->sent_cmd)
1931                 return NULL;
1932
1933         hdr = (void *) hdev->sent_cmd->data;
1934
1935         if (hdr->opcode != cpu_to_le16(opcode))
1936                 return NULL;
1937
1938         BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1939
1940         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
1941 }
1942
1943 /* Send ACL data */
1944 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
1945 {
1946         struct hci_acl_hdr *hdr;
1947         int len = skb->len;
1948
1949         skb_push(skb, HCI_ACL_HDR_SIZE);
1950         skb_reset_transport_header(skb);
1951         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
1952         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
1953         hdr->dlen   = cpu_to_le16(len);
1954 }
1955
1956 void hci_send_acl(struct hci_conn *conn, struct sk_buff *skb, __u16 flags)
1957 {
1958         struct hci_dev *hdev = conn->hdev;
1959         struct sk_buff *list;
1960
1961         BT_DBG("%s conn %p flags 0x%x", hdev->name, conn, flags);
1962
1963         skb->dev = (void *) hdev;
1964         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
1965         hci_add_acl_hdr(skb, conn->handle, flags);
1966
1967         list = skb_shinfo(skb)->frag_list;
1968         if (!list) {
1969                 /* Non fragmented */
1970                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
1971
1972                 skb_queue_tail(&conn->data_q, skb);
1973         } else {
1974                 /* Fragmented */
1975                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
1976
1977                 skb_shinfo(skb)->frag_list = NULL;
1978
1979                 /* Queue all fragments atomically */
1980                 spin_lock_bh(&conn->data_q.lock);
1981
1982                 __skb_queue_tail(&conn->data_q, skb);
1983
1984                 flags &= ~ACL_START;
1985                 flags |= ACL_CONT;
1986                 do {
1987                         skb = list; list = list->next;
1988
1989                         skb->dev = (void *) hdev;
1990                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
1991                         hci_add_acl_hdr(skb, conn->handle, flags);
1992
1993                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
1994
1995                         __skb_queue_tail(&conn->data_q, skb);
1996                 } while (list);
1997
1998                 spin_unlock_bh(&conn->data_q.lock);
1999         }
2000
2001         tasklet_schedule(&hdev->tx_task);
2002 }
2003 EXPORT_SYMBOL(hci_send_acl);
2004
2005 /* Send SCO data */
2006 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2007 {
2008         struct hci_dev *hdev = conn->hdev;
2009         struct hci_sco_hdr hdr;
2010
2011         BT_DBG("%s len %d", hdev->name, skb->len);
2012
2013         hdr.handle = cpu_to_le16(conn->handle);
2014         hdr.dlen   = skb->len;
2015
2016         skb_push(skb, HCI_SCO_HDR_SIZE);
2017         skb_reset_transport_header(skb);
2018         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
2019
2020         skb->dev = (void *) hdev;
2021         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2022
2023         skb_queue_tail(&conn->data_q, skb);
2024         tasklet_schedule(&hdev->tx_task);
2025 }
2026 EXPORT_SYMBOL(hci_send_sco);
2027
2028 /* ---- HCI TX task (outgoing data) ---- */
2029
2030 /* HCI Connection scheduler */
2031 static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int *quote)
2032 {
2033         struct hci_conn_hash *h = &hdev->conn_hash;
2034         struct hci_conn *conn = NULL;
2035         int num = 0, min = ~0;
2036         struct list_head *p;
2037
2038         /* We don't have to lock device here. Connections are always
2039          * added and removed with TX task disabled. */
2040         list_for_each(p, &h->list) {
2041                 struct hci_conn *c;
2042                 c = list_entry(p, struct hci_conn, list);
2043
2044                 if (c->type != type || skb_queue_empty(&c->data_q))
2045                         continue;
2046
2047                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
2048                         continue;
2049
2050                 num++;
2051
2052                 if (c->sent < min) {
2053                         min  = c->sent;
2054                         conn = c;
2055                 }
2056
2057                 if (hci_conn_num(hdev, type) == num)
2058                         break;
2059         }
2060
2061         if (conn) {
2062                 int cnt, q;
2063
2064                 switch (conn->type) {
2065                 case ACL_LINK:
2066                         cnt = hdev->acl_cnt;
2067                         break;
2068                 case SCO_LINK:
2069                 case ESCO_LINK:
2070                         cnt = hdev->sco_cnt;
2071                         break;
2072                 case LE_LINK:
2073                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2074                         break;
2075                 default:
2076                         cnt = 0;
2077                         BT_ERR("Unknown link type");
2078                 }
2079
2080                 q = cnt / num;
2081                 *quote = q ? q : 1;
2082         } else
2083                 *quote = 0;
2084
2085         BT_DBG("conn %p quote %d", conn, *quote);
2086         return conn;
2087 }
2088
2089 static inline void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2090 {
2091         struct hci_conn_hash *h = &hdev->conn_hash;
2092         struct list_head *p;
2093         struct hci_conn  *c;
2094
2095         BT_ERR("%s link tx timeout", hdev->name);
2096
2097         /* Kill stalled connections */
2098         list_for_each(p, &h->list) {
2099                 c = list_entry(p, struct hci_conn, list);
2100                 if (c->type == type && c->sent) {
2101                         BT_ERR("%s killing stalled connection %s",
2102                                 hdev->name, batostr(&c->dst));
2103                         hci_acl_disconn(c, 0x13);
2104                 }
2105         }
2106 }
2107
2108 static inline void hci_sched_acl(struct hci_dev *hdev)
2109 {
2110         struct hci_conn *conn;
2111         struct sk_buff *skb;
2112         int quote;
2113
2114         BT_DBG("%s", hdev->name);
2115
2116         if (!hci_conn_num(hdev, ACL_LINK))
2117                 return;
2118
2119         if (!test_bit(HCI_RAW, &hdev->flags)) {
2120                 /* ACL tx timeout must be longer than maximum
2121                  * link supervision timeout (40.9 seconds) */
2122                 if (!hdev->acl_cnt && time_after(jiffies, hdev->acl_last_tx + HZ * 45))
2123                         hci_link_tx_to(hdev, ACL_LINK);
2124         }
2125
2126         while (hdev->acl_cnt && (conn = hci_low_sent(hdev, ACL_LINK, &quote))) {
2127                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
2128                         BT_DBG("skb %p len %d", skb, skb->len);
2129
2130                         hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
2131
2132                         hci_send_frame(skb);
2133                         hdev->acl_last_tx = jiffies;
2134
2135                         hdev->acl_cnt--;
2136                         conn->sent++;
2137                 }
2138         }
2139 }
2140
2141 /* Schedule SCO */
2142 static inline void hci_sched_sco(struct hci_dev *hdev)
2143 {
2144         struct hci_conn *conn;
2145         struct sk_buff *skb;
2146         int quote;
2147
2148         BT_DBG("%s", hdev->name);
2149
2150         if (!hci_conn_num(hdev, SCO_LINK))
2151                 return;
2152
2153         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
2154                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
2155                         BT_DBG("skb %p len %d", skb, skb->len);
2156                         hci_send_frame(skb);
2157
2158                         conn->sent++;
2159                         if (conn->sent == ~0)
2160                                 conn->sent = 0;
2161                 }
2162         }
2163 }
2164
2165 static inline void hci_sched_esco(struct hci_dev *hdev)
2166 {
2167         struct hci_conn *conn;
2168         struct sk_buff *skb;
2169         int quote;
2170
2171         BT_DBG("%s", hdev->name);
2172
2173         if (!hci_conn_num(hdev, ESCO_LINK))
2174                 return;
2175
2176         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK, &quote))) {
2177                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
2178                         BT_DBG("skb %p len %d", skb, skb->len);
2179                         hci_send_frame(skb);
2180
2181                         conn->sent++;
2182                         if (conn->sent == ~0)
2183                                 conn->sent = 0;
2184                 }
2185         }
2186 }
2187
2188 static inline void hci_sched_le(struct hci_dev *hdev)
2189 {
2190         struct hci_conn *conn;
2191         struct sk_buff *skb;
2192         int quote, cnt;
2193
2194         BT_DBG("%s", hdev->name);
2195
2196         if (!hci_conn_num(hdev, LE_LINK))
2197                 return;
2198
2199         if (!test_bit(HCI_RAW, &hdev->flags)) {
2200                 /* LE tx timeout must be longer than maximum
2201                  * link supervision timeout (40.9 seconds) */
2202                 if (!hdev->le_cnt && hdev->le_pkts &&
2203                                 time_after(jiffies, hdev->le_last_tx + HZ * 45))
2204                         hci_link_tx_to(hdev, LE_LINK);
2205         }
2206
2207         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
2208         while (cnt && (conn = hci_low_sent(hdev, LE_LINK, &quote))) {
2209                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
2210                         BT_DBG("skb %p len %d", skb, skb->len);
2211
2212                         hci_send_frame(skb);
2213                         hdev->le_last_tx = jiffies;
2214
2215                         cnt--;
2216                         conn->sent++;
2217                 }
2218         }
2219         if (hdev->le_pkts)
2220                 hdev->le_cnt = cnt;
2221         else
2222                 hdev->acl_cnt = cnt;
2223 }
2224
2225 static void hci_tx_task(unsigned long arg)
2226 {
2227         struct hci_dev *hdev = (struct hci_dev *) arg;
2228         struct sk_buff *skb;
2229
2230         read_lock(&hci_task_lock);
2231
2232         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
2233                 hdev->sco_cnt, hdev->le_cnt);
2234
2235         /* Schedule queues and send stuff to HCI driver */
2236
2237         hci_sched_acl(hdev);
2238
2239         hci_sched_sco(hdev);
2240
2241         hci_sched_esco(hdev);
2242
2243         hci_sched_le(hdev);
2244
2245         /* Send next queued raw (unknown type) packet */
2246         while ((skb = skb_dequeue(&hdev->raw_q)))
2247                 hci_send_frame(skb);
2248
2249         read_unlock(&hci_task_lock);
2250 }
2251
2252 /* ----- HCI RX task (incoming data processing) ----- */
2253
2254 /* ACL data packet */
2255 static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2256 {
2257         struct hci_acl_hdr *hdr = (void *) skb->data;
2258         struct hci_conn *conn;
2259         __u16 handle, flags;
2260
2261         skb_pull(skb, HCI_ACL_HDR_SIZE);
2262
2263         handle = __le16_to_cpu(hdr->handle);
2264         flags  = hci_flags(handle);
2265         handle = hci_handle(handle);
2266
2267         BT_DBG("%s len %d handle 0x%x flags 0x%x", hdev->name, skb->len, handle, flags);
2268
2269         hdev->stat.acl_rx++;
2270
2271         hci_dev_lock(hdev);
2272         conn = hci_conn_hash_lookup_handle(hdev, handle);
2273         hci_dev_unlock(hdev);
2274
2275         if (conn) {
2276                 register struct hci_proto *hp;
2277
2278                 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
2279
2280                 /* Send to upper protocol */
2281                 hp = hci_proto[HCI_PROTO_L2CAP];
2282                 if (hp && hp->recv_acldata) {
2283                         hp->recv_acldata(conn, skb, flags);
2284                         return;
2285                 }
2286         } else {
2287                 BT_ERR("%s ACL packet for unknown connection handle %d",
2288                         hdev->name, handle);
2289         }
2290
2291         kfree_skb(skb);
2292 }
2293
2294 /* SCO data packet */
2295 static inline void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2296 {
2297         struct hci_sco_hdr *hdr = (void *) skb->data;
2298         struct hci_conn *conn;
2299         __u16 handle;
2300
2301         skb_pull(skb, HCI_SCO_HDR_SIZE);
2302
2303         handle = __le16_to_cpu(hdr->handle);
2304
2305         BT_DBG("%s len %d handle 0x%x", hdev->name, skb->len, handle);
2306
2307         hdev->stat.sco_rx++;
2308
2309         hci_dev_lock(hdev);
2310         conn = hci_conn_hash_lookup_handle(hdev, handle);
2311         hci_dev_unlock(hdev);
2312
2313         if (conn) {
2314                 register struct hci_proto *hp;
2315
2316                 /* Send to upper protocol */
2317                 hp = hci_proto[HCI_PROTO_SCO];
2318                 if (hp && hp->recv_scodata) {
2319                         hp->recv_scodata(conn, skb);
2320                         return;
2321                 }
2322         } else {
2323                 BT_ERR("%s SCO packet for unknown connection handle %d",
2324                         hdev->name, handle);
2325         }
2326
2327         kfree_skb(skb);
2328 }
2329
2330 static void hci_rx_task(unsigned long arg)
2331 {
2332         struct hci_dev *hdev = (struct hci_dev *) arg;
2333         struct sk_buff *skb;
2334
2335         BT_DBG("%s", hdev->name);
2336
2337         read_lock(&hci_task_lock);
2338
2339         while ((skb = skb_dequeue(&hdev->rx_q))) {
2340                 if (atomic_read(&hdev->promisc)) {
2341                         /* Send copy to the sockets */
2342                         hci_send_to_sock(hdev, skb, NULL);
2343                 }
2344
2345                 if (test_bit(HCI_RAW, &hdev->flags)) {
2346                         kfree_skb(skb);
2347                         continue;
2348                 }
2349
2350                 if (test_bit(HCI_INIT, &hdev->flags)) {
2351                         /* Don't process data packets in this states. */
2352                         switch (bt_cb(skb)->pkt_type) {
2353                         case HCI_ACLDATA_PKT:
2354                         case HCI_SCODATA_PKT:
2355                                 kfree_skb(skb);
2356                                 continue;
2357                         }
2358                 }
2359
2360                 /* Process frame */
2361                 switch (bt_cb(skb)->pkt_type) {
2362                 case HCI_EVENT_PKT:
2363                         hci_event_packet(hdev, skb);
2364                         break;
2365
2366                 case HCI_ACLDATA_PKT:
2367                         BT_DBG("%s ACL data packet", hdev->name);
2368                         hci_acldata_packet(hdev, skb);
2369                         break;
2370
2371                 case HCI_SCODATA_PKT:
2372                         BT_DBG("%s SCO data packet", hdev->name);
2373                         hci_scodata_packet(hdev, skb);
2374                         break;
2375
2376                 default:
2377                         kfree_skb(skb);
2378                         break;
2379                 }
2380         }
2381
2382         read_unlock(&hci_task_lock);
2383 }
2384
2385 static void hci_cmd_task(unsigned long arg)
2386 {
2387         struct hci_dev *hdev = (struct hci_dev *) arg;
2388         struct sk_buff *skb;
2389
2390         BT_DBG("%s cmd %d", hdev->name, atomic_read(&hdev->cmd_cnt));
2391
2392         /* Send queued commands */
2393         if (atomic_read(&hdev->cmd_cnt)) {
2394                 skb = skb_dequeue(&hdev->cmd_q);
2395                 if (!skb)
2396                         return;
2397
2398                 kfree_skb(hdev->sent_cmd);
2399
2400                 hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
2401                 if (hdev->sent_cmd) {
2402                         atomic_dec(&hdev->cmd_cnt);
2403                         hci_send_frame(skb);
2404                         if (test_bit(HCI_RESET, &hdev->flags))
2405                                 del_timer(&hdev->cmd_timer);
2406                         else
2407                                 mod_timer(&hdev->cmd_timer,
2408                                   jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT));
2409                 } else {
2410                         skb_queue_head(&hdev->cmd_q, skb);
2411                         tasklet_schedule(&hdev->cmd_task);
2412                 }
2413         }
2414 }