1/*
2   BlueZ - Bluetooth protocol stack for Linux
3   Copyright (C) 2000-2001 Qualcomm Incorporated
4   Copyright (C) 2011 ProFUSION Embedded Systems
5
6   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8   This program is free software; you can redistribute it and/or modify
9   it under the terms of the GNU General Public License version 2 as
10   published by the Free Software Foundation;
11
12   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23   SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI core. */
27
28#include <linux/export.h>
29#include <linux/idr.h>
30
31#include <linux/rfkill.h>
32
33#include <net/bluetooth/bluetooth.h>
34#include <net/bluetooth/hci_core.h>
35
36static void hci_rx_work(struct work_struct *work);
37static void hci_cmd_work(struct work_struct *work);
38static void hci_tx_work(struct work_struct *work);
39
40/* HCI device list */
41LIST_HEAD(hci_dev_list);
42DEFINE_RWLOCK(hci_dev_list_lock);
43
44/* HCI callback list */
45LIST_HEAD(hci_cb_list);
46DEFINE_RWLOCK(hci_cb_list_lock);
47
48/* HCI ID Numbering */
49static DEFINE_IDA(hci_index_ida);
50
51/* ---- HCI notifications ---- */
52
53static void hci_notify(struct hci_dev *hdev, int event)
54{
55	hci_sock_dev_event(hdev, event);
56}
57
58/* ---- HCI requests ---- */
59
60static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
61{
62	BT_DBG("%s result 0x%2.2x", hdev->name, result);
63
64	if (hdev->req_status == HCI_REQ_PEND) {
65		hdev->req_result = result;
66		hdev->req_status = HCI_REQ_DONE;
67		wake_up_interruptible(&hdev->req_wait_q);
68	}
69}
70
71static void hci_req_cancel(struct hci_dev *hdev, int err)
72{
73	BT_DBG("%s err 0x%2.2x", hdev->name, err);
74
75	if (hdev->req_status == HCI_REQ_PEND) {
76		hdev->req_result = err;
77		hdev->req_status = HCI_REQ_CANCELED;
78		wake_up_interruptible(&hdev->req_wait_q);
79	}
80}
81
82static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
83					    u8 event)
84{
85	struct hci_ev_cmd_complete *ev;
86	struct hci_event_hdr *hdr;
87	struct sk_buff *skb;
88
89	hci_dev_lock(hdev);
90
91	skb = hdev->recv_evt;
92	hdev->recv_evt = NULL;
93
94	hci_dev_unlock(hdev);
95
96	if (!skb)
97		return ERR_PTR(-ENODATA);
98
99	if (skb->len < sizeof(*hdr)) {
100		BT_ERR("Too short HCI event");
101		goto failed;
102	}
103
104	hdr = (void *) skb->data;
105	skb_pull(skb, HCI_EVENT_HDR_SIZE);
106
107	if (event) {
108		if (hdr->evt != event)
109			goto failed;
110		return skb;
111	}
112
113	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
114		BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
115		goto failed;
116	}
117
118	if (skb->len < sizeof(*ev)) {
119		BT_ERR("Too short cmd_complete event");
120		goto failed;
121	}
122
123	ev = (void *) skb->data;
124	skb_pull(skb, sizeof(*ev));
125
126	if (opcode == __le16_to_cpu(ev->opcode))
127		return skb;
128
129	BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
130	       __le16_to_cpu(ev->opcode));
131
132failed:
133	kfree_skb(skb);
134	return ERR_PTR(-ENODATA);
135}
136
137struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
138				  const void *param, u8 event, u32 timeout)
139{
140	DECLARE_WAITQUEUE(wait, current);
141	struct hci_request req;
142	int err = 0;
143
144	BT_DBG("%s", hdev->name);
145
146	hci_req_init(&req, hdev);
147
148	hci_req_add_ev(&req, opcode, plen, param, event);
149
150	hdev->req_status = HCI_REQ_PEND;
151
152	err = hci_req_run(&req, hci_req_sync_complete);
153	if (err < 0)
154		return ERR_PTR(err);
155
156	add_wait_queue(&hdev->req_wait_q, &wait);
157	set_current_state(TASK_INTERRUPTIBLE);
158
159	schedule_timeout(timeout);
160
161	remove_wait_queue(&hdev->req_wait_q, &wait);
162
163	if (signal_pending(current))
164		return ERR_PTR(-EINTR);
165
166	switch (hdev->req_status) {
167	case HCI_REQ_DONE:
168		err = -bt_to_errno(hdev->req_result);
169		break;
170
171	case HCI_REQ_CANCELED:
172		err = -hdev->req_result;
173		break;
174
175	default:
176		err = -ETIMEDOUT;
177		break;
178	}
179
180	hdev->req_status = hdev->req_result = 0;
181
182	BT_DBG("%s end: err %d", hdev->name, err);
183
184	if (err < 0)
185		return ERR_PTR(err);
186
187	return hci_get_cmd_complete(hdev, opcode, event);
188}
189EXPORT_SYMBOL(__hci_cmd_sync_ev);
190
191struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
192			       const void *param, u32 timeout)
193{
194	return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
195}
196EXPORT_SYMBOL(__hci_cmd_sync);
197
198/* Execute request and wait for completion. */
199static int __hci_req_sync(struct hci_dev *hdev,
200			  void (*func)(struct hci_request *req,
201				      unsigned long opt),
202			  unsigned long opt, __u32 timeout)
203{
204	struct hci_request req;
205	DECLARE_WAITQUEUE(wait, current);
206	int err = 0;
207
208	BT_DBG("%s start", hdev->name);
209
210	hci_req_init(&req, hdev);
211
212	hdev->req_status = HCI_REQ_PEND;
213
214	func(&req, opt);
215
216	err = hci_req_run(&req, hci_req_sync_complete);
217	if (err < 0) {
218		hdev->req_status = 0;
219
220		/* ENODATA means the HCI request command queue is empty.
221		 * This can happen when a request with conditionals doesn't
222		 * trigger any commands to be sent. This is normal behavior
223		 * and should not trigger an error return.
224		 */
225		if (err == -ENODATA)
226			return 0;
227
228		return err;
229	}
230
231	add_wait_queue(&hdev->req_wait_q, &wait);
232	set_current_state(TASK_INTERRUPTIBLE);
233
234	schedule_timeout(timeout);
235
236	remove_wait_queue(&hdev->req_wait_q, &wait);
237
238	if (signal_pending(current))
239		return -EINTR;
240
241	switch (hdev->req_status) {
242	case HCI_REQ_DONE:
243		err = -bt_to_errno(hdev->req_result);
244		break;
245
246	case HCI_REQ_CANCELED:
247		err = -hdev->req_result;
248		break;
249
250	default:
251		err = -ETIMEDOUT;
252		break;
253	}
254
255	hdev->req_status = hdev->req_result = 0;
256
257	BT_DBG("%s end: err %d", hdev->name, err);
258
259	return err;
260}
261
262static int hci_req_sync(struct hci_dev *hdev,
263			void (*req)(struct hci_request *req,
264				    unsigned long opt),
265			unsigned long opt, __u32 timeout)
266{
267	int ret;
268
269	if (!test_bit(HCI_UP, &hdev->flags))
270		return -ENETDOWN;
271
272	/* Serialize all requests */
273	hci_req_lock(hdev);
274	ret = __hci_req_sync(hdev, req, opt, timeout);
275	hci_req_unlock(hdev);
276
277	return ret;
278}
279
280static void hci_reset_req(struct hci_request *req, unsigned long opt)
281{
282	BT_DBG("%s %ld", req->hdev->name, opt);
283
284	/* Reset device */
285	set_bit(HCI_RESET, &req->hdev->flags);
286	hci_req_add(req, HCI_OP_RESET, 0, NULL);
287}
288
289static void bredr_init(struct hci_request *req)
290{
291	req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
292
293	/* Read Local Supported Features */
294	hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
295
296	/* Read Local Version */
297	hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
298
299	/* Read BD Address */
300	hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
301}
302
303static void amp_init(struct hci_request *req)
304{
305	req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
306
307	/* Read Local Version */
308	hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
309
310	/* Read Local AMP Info */
311	hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
312
313	/* Read Data Blk size */
314	hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
315}
316
317static void hci_init1_req(struct hci_request *req, unsigned long opt)
318{
319	struct hci_dev *hdev = req->hdev;
320
321	BT_DBG("%s %ld", hdev->name, opt);
322
323	/* Reset */
324	if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
325		hci_reset_req(req, 0);
326
327	switch (hdev->dev_type) {
328	case HCI_BREDR:
329		bredr_init(req);
330		break;
331
332	case HCI_AMP:
333		amp_init(req);
334		break;
335
336	default:
337		BT_ERR("Unknown device type %d", hdev->dev_type);
338		break;
339	}
340}
341
342static void bredr_setup(struct hci_request *req)
343{
344	__le16 param;
345	__u8 flt_type;
346
347	/* Read Buffer Size (ACL mtu, max pkt, etc.) */
348	hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
349
350	/* Read Class of Device */
351	hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
352
353	/* Read Local Name */
354	hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
355
356	/* Read Voice Setting */
357	hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
358
359	/* Clear Event Filters */
360	flt_type = HCI_FLT_CLEAR_ALL;
361	hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
362
363	/* Connection accept timeout ~20 secs */
364	param = __constant_cpu_to_le16(0x7d00);
365	hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
366
367	/* Read page scan parameters */
368	if (req->hdev->hci_ver > BLUETOOTH_VER_1_1) {
369		hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
370		hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
371	}
372}
373
374static void le_setup(struct hci_request *req)
375{
376	struct hci_dev *hdev = req->hdev;
377
378	/* Read LE Buffer Size */
379	hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
380
381	/* Read LE Local Supported Features */
382	hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
383
384	/* Read LE Advertising Channel TX Power */
385	hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
386
387	/* Read LE White List Size */
388	hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
389
390	/* Read LE Supported States */
391	hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
392
393	/* LE-only controllers have LE implicitly enabled */
394	if (!lmp_bredr_capable(hdev))
395		set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
396}
397
398static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
399{
400	if (lmp_ext_inq_capable(hdev))
401		return 0x02;
402
403	if (lmp_inq_rssi_capable(hdev))
404		return 0x01;
405
406	if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
407	    hdev->lmp_subver == 0x0757)
408		return 0x01;
409
410	if (hdev->manufacturer == 15) {
411		if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
412			return 0x01;
413		if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
414			return 0x01;
415		if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
416			return 0x01;
417	}
418
419	if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
420	    hdev->lmp_subver == 0x1805)
421		return 0x01;
422
423	return 0x00;
424}
425
426static void hci_setup_inquiry_mode(struct hci_request *req)
427{
428	u8 mode;
429
430	mode = hci_get_inquiry_mode(req->hdev);
431
432	hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
433}
434
435static void hci_setup_event_mask(struct hci_request *req)
436{
437	struct hci_dev *hdev = req->hdev;
438
439	/* The second byte is 0xff instead of 0x9f (two reserved bits
440	 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
441	 * command otherwise.
442	 */
443	u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
444
445	/* CSR 1.1 dongles does not accept any bitfield so don't try to set
446	 * any event mask for pre 1.2 devices.
447	 */
448	if (hdev->hci_ver < BLUETOOTH_VER_1_2)
449		return;
450
451	if (lmp_bredr_capable(hdev)) {
452		events[4] |= 0x01; /* Flow Specification Complete */
453		events[4] |= 0x02; /* Inquiry Result with RSSI */
454		events[4] |= 0x04; /* Read Remote Extended Features Complete */
455		events[5] |= 0x08; /* Synchronous Connection Complete */
456		events[5] |= 0x10; /* Synchronous Connection Changed */
457	}
458
459	if (lmp_inq_rssi_capable(hdev))
460		events[4] |= 0x02; /* Inquiry Result with RSSI */
461
462	if (lmp_sniffsubr_capable(hdev))
463		events[5] |= 0x20; /* Sniff Subrating */
464
465	if (lmp_pause_enc_capable(hdev))
466		events[5] |= 0x80; /* Encryption Key Refresh Complete */
467
468	if (lmp_ext_inq_capable(hdev))
469		events[5] |= 0x40; /* Extended Inquiry Result */
470
471	if (lmp_no_flush_capable(hdev))
472		events[7] |= 0x01; /* Enhanced Flush Complete */
473
474	if (lmp_lsto_capable(hdev))
475		events[6] |= 0x80; /* Link Supervision Timeout Changed */
476
477	if (lmp_ssp_capable(hdev)) {
478		events[6] |= 0x01;	/* IO Capability Request */
479		events[6] |= 0x02;	/* IO Capability Response */
480		events[6] |= 0x04;	/* User Confirmation Request */
481		events[6] |= 0x08;	/* User Passkey Request */
482		events[6] |= 0x10;	/* Remote OOB Data Request */
483		events[6] |= 0x20;	/* Simple Pairing Complete */
484		events[7] |= 0x04;	/* User Passkey Notification */
485		events[7] |= 0x08;	/* Keypress Notification */
486		events[7] |= 0x10;	/* Remote Host Supported
487					 * Features Notification
488					 */
489	}
490
491	if (lmp_le_capable(hdev))
492		events[7] |= 0x20;	/* LE Meta-Event */
493
494	hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
495
496	if (lmp_le_capable(hdev)) {
497		memset(events, 0, sizeof(events));
498		events[0] = 0x1f;
499		hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
500			    sizeof(events), events);
501	}
502}
503
504static void hci_init2_req(struct hci_request *req, unsigned long opt)
505{
506	struct hci_dev *hdev = req->hdev;
507
508	if (lmp_bredr_capable(hdev))
509		bredr_setup(req);
510
511	if (lmp_le_capable(hdev))
512		le_setup(req);
513
514	hci_setup_event_mask(req);
515
516	if (hdev->hci_ver > BLUETOOTH_VER_1_1)
517		hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
518
519	if (lmp_ssp_capable(hdev)) {
520		if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
521			u8 mode = 0x01;
522			hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
523				    sizeof(mode), &mode);
524		} else {
525			struct hci_cp_write_eir cp;
526
527			memset(hdev->eir, 0, sizeof(hdev->eir));
528			memset(&cp, 0, sizeof(cp));
529
530			hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
531		}
532	}
533
534	if (lmp_inq_rssi_capable(hdev))
535		hci_setup_inquiry_mode(req);
536
537	if (lmp_inq_tx_pwr_capable(hdev))
538		hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
539
540	if (lmp_ext_feat_capable(hdev)) {
541		struct hci_cp_read_local_ext_features cp;
542
543		cp.page = 0x01;
544		hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
545			    sizeof(cp), &cp);
546	}
547
548	if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
549		u8 enable = 1;
550		hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
551			    &enable);
552	}
553}
554
555static void hci_setup_link_policy(struct hci_request *req)
556{
557	struct hci_dev *hdev = req->hdev;
558	struct hci_cp_write_def_link_policy cp;
559	u16 link_policy = 0;
560
561	if (lmp_rswitch_capable(hdev))
562		link_policy |= HCI_LP_RSWITCH;
563	if (lmp_hold_capable(hdev))
564		link_policy |= HCI_LP_HOLD;
565	if (lmp_sniff_capable(hdev))
566		link_policy |= HCI_LP_SNIFF;
567	if (lmp_park_capable(hdev))
568		link_policy |= HCI_LP_PARK;
569
570	cp.policy = cpu_to_le16(link_policy);
571	hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
572}
573
574static void hci_set_le_support(struct hci_request *req)
575{
576	struct hci_dev *hdev = req->hdev;
577	struct hci_cp_write_le_host_supported cp;
578
579	/* LE-only devices do not support explicit enablement */
580	if (!lmp_bredr_capable(hdev))
581		return;
582
583	memset(&cp, 0, sizeof(cp));
584
585	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
586		cp.le = 0x01;
587		cp.simul = lmp_le_br_capable(hdev);
588	}
589
590	if (cp.le != lmp_host_le_capable(hdev))
591		hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
592			    &cp);
593}
594
595static void hci_init3_req(struct hci_request *req, unsigned long opt)
596{
597	struct hci_dev *hdev = req->hdev;
598	u8 p;
599
600	/* Only send HCI_Delete_Stored_Link_Key if it is supported */
601	if (hdev->commands[6] & 0x80) {
602		struct hci_cp_delete_stored_link_key cp;
603
604		bacpy(&cp.bdaddr, BDADDR_ANY);
605		cp.delete_all = 0x01;
606		hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
607			    sizeof(cp), &cp);
608	}
609
610	if (hdev->commands[5] & 0x10)
611		hci_setup_link_policy(req);
612
613	if (lmp_le_capable(hdev)) {
614		hci_set_le_support(req);
615		hci_update_ad(req);
616	}
617
618	/* Read features beyond page 1 if available */
619	for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
620		struct hci_cp_read_local_ext_features cp;
621
622		cp.page = p;
623		hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
624			    sizeof(cp), &cp);
625	}
626}
627
628static int __hci_init(struct hci_dev *hdev)
629{
630	int err;
631
632	err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
633	if (err < 0)
634		return err;
635
636	/* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
637	 * BR/EDR/LE type controllers. AMP controllers only need the
638	 * first stage init.
639	 */
640	if (hdev->dev_type != HCI_BREDR)
641		return 0;
642
643	err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
644	if (err < 0)
645		return err;
646
647	return __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
648}
649
650static void hci_scan_req(struct hci_request *req, unsigned long opt)
651{
652	__u8 scan = opt;
653
654	BT_DBG("%s %x", req->hdev->name, scan);
655
656	/* Inquiry and Page scans */
657	hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
658}
659
660static void hci_auth_req(struct hci_request *req, unsigned long opt)
661{
662	__u8 auth = opt;
663
664	BT_DBG("%s %x", req->hdev->name, auth);
665
666	/* Authentication */
667	hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
668}
669
670static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
671{
672	__u8 encrypt = opt;
673
674	BT_DBG("%s %x", req->hdev->name, encrypt);
675
676	/* Encryption */
677	hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
678}
679
680static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
681{
682	__le16 policy = cpu_to_le16(opt);
683
684	BT_DBG("%s %x", req->hdev->name, policy);
685
686	/* Default link policy */
687	hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
688}
689
690/* Get HCI device by index.
691 * Device is held on return. */
692struct hci_dev *hci_dev_get(int index)
693{
694	struct hci_dev *hdev = NULL, *d;
695
696	BT_DBG("%d", index);
697
698	if (index < 0)
699		return NULL;
700
701	read_lock(&hci_dev_list_lock);
702	list_for_each_entry(d, &hci_dev_list, list) {
703		if (d->id == index) {
704			hdev = hci_dev_hold(d);
705			break;
706		}
707	}
708	read_unlock(&hci_dev_list_lock);
709	return hdev;
710}
711
712/* ---- Inquiry support ---- */
713
714bool hci_discovery_active(struct hci_dev *hdev)
715{
716	struct discovery_state *discov = &hdev->discovery;
717
718	switch (discov->state) {
719	case DISCOVERY_FINDING:
720	case DISCOVERY_RESOLVING:
721		return true;
722
723	default:
724		return false;
725	}
726}
727
728void hci_discovery_set_state(struct hci_dev *hdev, int state)
729{
730	BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
731
732	if (hdev->discovery.state == state)
733		return;
734
735	switch (state) {
736	case DISCOVERY_STOPPED:
737		if (hdev->discovery.state != DISCOVERY_STARTING)
738			mgmt_discovering(hdev, 0);
739		break;
740	case DISCOVERY_STARTING:
741		break;
742	case DISCOVERY_FINDING:
743		mgmt_discovering(hdev, 1);
744		break;
745	case DISCOVERY_RESOLVING:
746		break;
747	case DISCOVERY_STOPPING:
748		break;
749	}
750
751	hdev->discovery.state = state;
752}
753
754static void inquiry_cache_flush(struct hci_dev *hdev)
755{
756	struct discovery_state *cache = &hdev->discovery;
757	struct inquiry_entry *p, *n;
758
759	list_for_each_entry_safe(p, n, &cache->all, all) {
760		list_del(&p->all);
761		kfree(p);
762	}
763
764	INIT_LIST_HEAD(&cache->unknown);
765	INIT_LIST_HEAD(&cache->resolve);
766}
767
768struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
769					       bdaddr_t *bdaddr)
770{
771	struct discovery_state *cache = &hdev->discovery;
772	struct inquiry_entry *e;
773
774	BT_DBG("cache %p, %pMR", cache, bdaddr);
775
776	list_for_each_entry(e, &cache->all, all) {
777		if (!bacmp(&e->data.bdaddr, bdaddr))
778			return e;
779	}
780
781	return NULL;
782}
783
784struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
785						       bdaddr_t *bdaddr)
786{
787	struct discovery_state *cache = &hdev->discovery;
788	struct inquiry_entry *e;
789
790	BT_DBG("cache %p, %pMR", cache, bdaddr);
791
792	list_for_each_entry(e, &cache->unknown, list) {
793		if (!bacmp(&e->data.bdaddr, bdaddr))
794			return e;
795	}
796
797	return NULL;
798}
799
800struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
801						       bdaddr_t *bdaddr,
802						       int state)
803{
804	struct discovery_state *cache = &hdev->discovery;
805	struct inquiry_entry *e;
806
807	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
808
809	list_for_each_entry(e, &cache->resolve, list) {
810		if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
811			return e;
812		if (!bacmp(&e->data.bdaddr, bdaddr))
813			return e;
814	}
815
816	return NULL;
817}
818
819void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
820				      struct inquiry_entry *ie)
821{
822	struct discovery_state *cache = &hdev->discovery;
823	struct list_head *pos = &cache->resolve;
824	struct inquiry_entry *p;
825
826	list_del(&ie->list);
827
828	list_for_each_entry(p, &cache->resolve, list) {
829		if (p->name_state != NAME_PENDING &&
830		    abs(p->data.rssi) >= abs(ie->data.rssi))
831			break;
832		pos = &p->list;
833	}
834
835	list_add(&ie->list, pos);
836}
837
838bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
839			      bool name_known, bool *ssp)
840{
841	struct discovery_state *cache = &hdev->discovery;
842	struct inquiry_entry *ie;
843
844	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
845
846	hci_remove_remote_oob_data(hdev, &data->bdaddr);
847
848	if (ssp)
849		*ssp = data->ssp_mode;
850
851	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
852	if (ie) {
853		if (ie->data.ssp_mode && ssp)
854			*ssp = true;
855
856		if (ie->name_state == NAME_NEEDED &&
857		    data->rssi != ie->data.rssi) {
858			ie->data.rssi = data->rssi;
859			hci_inquiry_cache_update_resolve(hdev, ie);
860		}
861
862		goto update;
863	}
864
865	/* Entry not in the cache. Add new one. */
866	ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
867	if (!ie)
868		return false;
869
870	list_add(&ie->all, &cache->all);
871
872	if (name_known) {
873		ie->name_state = NAME_KNOWN;
874	} else {
875		ie->name_state = NAME_NOT_KNOWN;
876		list_add(&ie->list, &cache->unknown);
877	}
878
879update:
880	if (name_known && ie->name_state != NAME_KNOWN &&
881	    ie->name_state != NAME_PENDING) {
882		ie->name_state = NAME_KNOWN;
883		list_del(&ie->list);
884	}
885
886	memcpy(&ie->data, data, sizeof(*data));
887	ie->timestamp = jiffies;
888	cache->timestamp = jiffies;
889
890	if (ie->name_state == NAME_NOT_KNOWN)
891		return false;
892
893	return true;
894}
895
896static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
897{
898	struct discovery_state *cache = &hdev->discovery;
899	struct inquiry_info *info = (struct inquiry_info *) buf;
900	struct inquiry_entry *e;
901	int copied = 0;
902
903	list_for_each_entry(e, &cache->all, all) {
904		struct inquiry_data *data = &e->data;
905
906		if (copied >= num)
907			break;
908
909		bacpy(&info->bdaddr, &data->bdaddr);
910		info->pscan_rep_mode	= data->pscan_rep_mode;
911		info->pscan_period_mode	= data->pscan_period_mode;
912		info->pscan_mode	= data->pscan_mode;
913		memcpy(info->dev_class, data->dev_class, 3);
914		info->clock_offset	= data->clock_offset;
915
916		info++;
917		copied++;
918	}
919
920	BT_DBG("cache %p, copied %d", cache, copied);
921	return copied;
922}
923
924static void hci_inq_req(struct hci_request *req, unsigned long opt)
925{
926	struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
927	struct hci_dev *hdev = req->hdev;
928	struct hci_cp_inquiry cp;
929
930	BT_DBG("%s", hdev->name);
931
932	if (test_bit(HCI_INQUIRY, &hdev->flags))
933		return;
934
935	/* Start Inquiry */
936	memcpy(&cp.lap, &ir->lap, 3);
937	cp.length  = ir->length;
938	cp.num_rsp = ir->num_rsp;
939	hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
940}
941
942static int wait_inquiry(void *word)
943{
944	schedule();
945	return signal_pending(current);
946}
947
948int hci_inquiry(void __user *arg)
949{
950	__u8 __user *ptr = arg;
951	struct hci_inquiry_req ir;
952	struct hci_dev *hdev;
953	int err = 0, do_inquiry = 0, max_rsp;
954	long timeo;
955	__u8 *buf;
956
957	if (copy_from_user(&ir, ptr, sizeof(ir)))
958		return -EFAULT;
959
960	hdev = hci_dev_get(ir.dev_id);
961	if (!hdev)
962		return -ENODEV;
963
964	hci_dev_lock(hdev);
965	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
966	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
967		inquiry_cache_flush(hdev);
968		do_inquiry = 1;
969	}
970	hci_dev_unlock(hdev);
971
972	timeo = ir.length * msecs_to_jiffies(2000);
973
974	if (do_inquiry) {
975		err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
976				   timeo);
977		if (err < 0)
978			goto done;
979
980		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
981		 * cleared). If it is interrupted by a signal, return -EINTR.
982		 */
983		if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
984				TASK_INTERRUPTIBLE))
985			return -EINTR;
986	}
987
988	/* for unlimited number of responses we will use buffer with
989	 * 255 entries
990	 */
991	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
992
993	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
994	 * copy it to the user space.
995	 */
996	buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
997	if (!buf) {
998		err = -ENOMEM;
999		goto done;
1000	}
1001
1002	hci_dev_lock(hdev);
1003	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1004	hci_dev_unlock(hdev);
1005
1006	BT_DBG("num_rsp %d", ir.num_rsp);
1007
1008	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1009		ptr += sizeof(ir);
1010		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1011				 ir.num_rsp))
1012			err = -EFAULT;
1013	} else
1014		err = -EFAULT;
1015
1016	kfree(buf);
1017
1018done:
1019	hci_dev_put(hdev);
1020	return err;
1021}
1022
1023static u8 create_ad(struct hci_dev *hdev, u8 *ptr)
1024{
1025	u8 ad_len = 0, flags = 0;
1026	size_t name_len;
1027
1028	if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
1029		flags |= LE_AD_GENERAL;
1030
1031	if (!lmp_bredr_capable(hdev))
1032		flags |= LE_AD_NO_BREDR;
1033
1034	if (lmp_le_br_capable(hdev))
1035		flags |= LE_AD_SIM_LE_BREDR_CTRL;
1036
1037	if (lmp_host_le_br_capable(hdev))
1038		flags |= LE_AD_SIM_LE_BREDR_HOST;
1039
1040	if (flags) {
1041		BT_DBG("adv flags 0x%02x", flags);
1042
1043		ptr[0] = 2;
1044		ptr[1] = EIR_FLAGS;
1045		ptr[2] = flags;
1046
1047		ad_len += 3;
1048		ptr += 3;
1049	}
1050
1051	if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
1052		ptr[0] = 2;
1053		ptr[1] = EIR_TX_POWER;
1054		ptr[2] = (u8) hdev->adv_tx_power;
1055
1056		ad_len += 3;
1057		ptr += 3;
1058	}
1059
1060	name_len = strlen(hdev->dev_name);
1061	if (name_len > 0) {
1062		size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
1063
1064		if (name_len > max_len) {
1065			name_len = max_len;
1066			ptr[1] = EIR_NAME_SHORT;
1067		} else
1068			ptr[1] = EIR_NAME_COMPLETE;
1069
1070		ptr[0] = name_len + 1;
1071
1072		memcpy(ptr + 2, hdev->dev_name, name_len);
1073
1074		ad_len += (name_len + 2);
1075		ptr += (name_len + 2);
1076	}
1077
1078	return ad_len;
1079}
1080
1081void hci_update_ad(struct hci_request *req)
1082{
1083	struct hci_dev *hdev = req->hdev;
1084	struct hci_cp_le_set_adv_data cp;
1085	u8 len;
1086
1087	if (!lmp_le_capable(hdev))
1088		return;
1089
1090	memset(&cp, 0, sizeof(cp));
1091
1092	len = create_ad(hdev, cp.data);
1093
1094	if (hdev->adv_data_len == len &&
1095	    memcmp(cp.data, hdev->adv_data, len) == 0)
1096		return;
1097
1098	memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
1099	hdev->adv_data_len = len;
1100
1101	cp.length = len;
1102
1103	hci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
1104}
1105
1106/* ---- HCI ioctl helpers ---- */
1107
1108int hci_dev_open(__u16 dev)
1109{
1110	struct hci_dev *hdev;
1111	int ret = 0;
1112
1113	hdev = hci_dev_get(dev);
1114	if (!hdev)
1115		return -ENODEV;
1116
1117	BT_DBG("%s %p", hdev->name, hdev);
1118
1119	hci_req_lock(hdev);
1120
1121	if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1122		ret = -ENODEV;
1123		goto done;
1124	}
1125
1126	if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
1127		ret = -ERFKILL;
1128		goto done;
1129	}
1130
1131	if (test_bit(HCI_UP, &hdev->flags)) {
1132		ret = -EALREADY;
1133		goto done;
1134	}
1135
1136	if (hdev->open(hdev)) {
1137		ret = -EIO;
1138		goto done;
1139	}
1140
1141	atomic_set(&hdev->cmd_cnt, 1);
1142	set_bit(HCI_INIT, &hdev->flags);
1143
1144	if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1145		ret = hdev->setup(hdev);
1146
1147	if (!ret) {
1148		/* Treat all non BR/EDR controllers as raw devices if
1149		 * enable_hs is not set.
1150		 */
1151		if (hdev->dev_type != HCI_BREDR && !enable_hs)
1152			set_bit(HCI_RAW, &hdev->flags);
1153
1154		if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1155			set_bit(HCI_RAW, &hdev->flags);
1156
1157		if (!test_bit(HCI_RAW, &hdev->flags))
1158			ret = __hci_init(hdev);
1159	}
1160
1161	clear_bit(HCI_INIT, &hdev->flags);
1162
1163	if (!ret) {
1164		hci_dev_hold(hdev);
1165		set_bit(HCI_UP, &hdev->flags);
1166		hci_notify(hdev, HCI_DEV_UP);
1167		if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1168		    mgmt_valid_hdev(hdev)) {
1169			hci_dev_lock(hdev);
1170			mgmt_powered(hdev, 1);
1171			hci_dev_unlock(hdev);
1172		}
1173	} else {
1174		/* Init failed, cleanup */
1175		flush_work(&hdev->tx_work);
1176		flush_work(&hdev->cmd_work);
1177		flush_work(&hdev->rx_work);
1178
1179		skb_queue_purge(&hdev->cmd_q);
1180		skb_queue_purge(&hdev->rx_q);
1181
1182		if (hdev->flush)
1183			hdev->flush(hdev);
1184
1185		if (hdev->sent_cmd) {
1186			kfree_skb(hdev->sent_cmd);
1187			hdev->sent_cmd = NULL;
1188		}
1189
1190		hdev->close(hdev);
1191		hdev->flags = 0;
1192	}
1193
1194done:
1195	hci_req_unlock(hdev);
1196	hci_dev_put(hdev);
1197	return ret;
1198}
1199
1200static int hci_dev_do_close(struct hci_dev *hdev)
1201{
1202	BT_DBG("%s %p", hdev->name, hdev);
1203
1204	cancel_work_sync(&hdev->le_scan);
1205
1206	cancel_delayed_work(&hdev->power_off);
1207
1208	hci_req_cancel(hdev, ENODEV);
1209	hci_req_lock(hdev);
1210
1211	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1212		del_timer_sync(&hdev->cmd_timer);
1213		hci_req_unlock(hdev);
1214		return 0;
1215	}
1216
1217	/* Flush RX and TX works */
1218	flush_work(&hdev->tx_work);
1219	flush_work(&hdev->rx_work);
1220
1221	if (hdev->discov_timeout > 0) {
1222		cancel_delayed_work(&hdev->discov_off);
1223		hdev->discov_timeout = 0;
1224		clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1225	}
1226
1227	if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1228		cancel_delayed_work(&hdev->service_cache);
1229
1230	cancel_delayed_work_sync(&hdev->le_scan_disable);
1231
1232	hci_dev_lock(hdev);
1233	inquiry_cache_flush(hdev);
1234	hci_conn_hash_flush(hdev);
1235	hci_dev_unlock(hdev);
1236
1237	hci_notify(hdev, HCI_DEV_DOWN);
1238
1239	if (hdev->flush)
1240		hdev->flush(hdev);
1241
1242	/* Reset device */
1243	skb_queue_purge(&hdev->cmd_q);
1244	atomic_set(&hdev->cmd_cnt, 1);
1245	if (!test_bit(HCI_RAW, &hdev->flags) &&
1246	    test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1247		set_bit(HCI_INIT, &hdev->flags);
1248		__hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1249		clear_bit(HCI_INIT, &hdev->flags);
1250	}
1251
1252	/* flush cmd  work */
1253	flush_work(&hdev->cmd_work);
1254
1255	/* Drop queues */
1256	skb_queue_purge(&hdev->rx_q);
1257	skb_queue_purge(&hdev->cmd_q);
1258	skb_queue_purge(&hdev->raw_q);
1259
1260	/* Drop last sent command */
1261	if (hdev->sent_cmd) {
1262		del_timer_sync(&hdev->cmd_timer);
1263		kfree_skb(hdev->sent_cmd);
1264		hdev->sent_cmd = NULL;
1265	}
1266
1267	kfree_skb(hdev->recv_evt);
1268	hdev->recv_evt = NULL;
1269
1270	/* After this point our queues are empty
1271	 * and no tasks are scheduled. */
1272	hdev->close(hdev);
1273
1274	/* Clear flags */
1275	hdev->flags = 0;
1276	hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
1277
1278	if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1279	    mgmt_valid_hdev(hdev)) {
1280		hci_dev_lock(hdev);
1281		mgmt_powered(hdev, 0);
1282		hci_dev_unlock(hdev);
1283	}
1284
1285	/* Controller radio is available but is currently powered down */
1286	hdev->amp_status = 0;
1287
1288	memset(hdev->eir, 0, sizeof(hdev->eir));
1289	memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1290
1291	hci_req_unlock(hdev);
1292
1293	hci_dev_put(hdev);
1294	return 0;
1295}
1296
1297int hci_dev_close(__u16 dev)
1298{
1299	struct hci_dev *hdev;
1300	int err;
1301
1302	hdev = hci_dev_get(dev);
1303	if (!hdev)
1304		return -ENODEV;
1305
1306	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1307		cancel_delayed_work(&hdev->power_off);
1308
1309	err = hci_dev_do_close(hdev);
1310
1311	hci_dev_put(hdev);
1312	return err;
1313}
1314
1315int hci_dev_reset(__u16 dev)
1316{
1317	struct hci_dev *hdev;
1318	int ret = 0;
1319
1320	hdev = hci_dev_get(dev);
1321	if (!hdev)
1322		return -ENODEV;
1323
1324	hci_req_lock(hdev);
1325
1326	if (!test_bit(HCI_UP, &hdev->flags))
1327		goto done;
1328
1329	/* Drop queues */
1330	skb_queue_purge(&hdev->rx_q);
1331	skb_queue_purge(&hdev->cmd_q);
1332
1333	hci_dev_lock(hdev);
1334	inquiry_cache_flush(hdev);
1335	hci_conn_hash_flush(hdev);
1336	hci_dev_unlock(hdev);
1337
1338	if (hdev->flush)
1339		hdev->flush(hdev);
1340
1341	atomic_set(&hdev->cmd_cnt, 1);
1342	hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1343
1344	if (!test_bit(HCI_RAW, &hdev->flags))
1345		ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
1346
1347done:
1348	hci_req_unlock(hdev);
1349	hci_dev_put(hdev);
1350	return ret;
1351}
1352
1353int hci_dev_reset_stat(__u16 dev)
1354{
1355	struct hci_dev *hdev;
1356	int ret = 0;
1357
1358	hdev = hci_dev_get(dev);
1359	if (!hdev)
1360		return -ENODEV;
1361
1362	memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1363
1364	hci_dev_put(hdev);
1365
1366	return ret;
1367}
1368
1369int hci_dev_cmd(unsigned int cmd, void __user *arg)
1370{
1371	struct hci_dev *hdev;
1372	struct hci_dev_req dr;
1373	int err = 0;
1374
1375	if (copy_from_user(&dr, arg, sizeof(dr)))
1376		return -EFAULT;
1377
1378	hdev = hci_dev_get(dr.dev_id);
1379	if (!hdev)
1380		return -ENODEV;
1381
1382	switch (cmd) {
1383	case HCISETAUTH:
1384		err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1385				   HCI_INIT_TIMEOUT);
1386		break;
1387
1388	case HCISETENCRYPT:
1389		if (!lmp_encrypt_capable(hdev)) {
1390			err = -EOPNOTSUPP;
1391			break;
1392		}
1393
1394		if (!test_bit(HCI_AUTH, &hdev->flags)) {
1395			/* Auth must be enabled first */
1396			err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1397					   HCI_INIT_TIMEOUT);
1398			if (err)
1399				break;
1400		}
1401
1402		err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1403				   HCI_INIT_TIMEOUT);
1404		break;
1405
1406	case HCISETSCAN:
1407		err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1408				   HCI_INIT_TIMEOUT);
1409		break;
1410
1411	case HCISETLINKPOL:
1412		err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1413				   HCI_INIT_TIMEOUT);
1414		break;
1415
1416	case HCISETLINKMODE:
1417		hdev->link_mode = ((__u16) dr.dev_opt) &
1418					(HCI_LM_MASTER | HCI_LM_ACCEPT);
1419		break;
1420
1421	case HCISETPTYPE:
1422		hdev->pkt_type = (__u16) dr.dev_opt;
1423		break;
1424
1425	case HCISETACLMTU:
1426		hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
1427		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1428		break;
1429
1430	case HCISETSCOMTU:
1431		hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
1432		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1433		break;
1434
1435	default:
1436		err = -EINVAL;
1437		break;
1438	}
1439
1440	hci_dev_put(hdev);
1441	return err;
1442}
1443
1444int hci_get_dev_list(void __user *arg)
1445{
1446	struct hci_dev *hdev;
1447	struct hci_dev_list_req *dl;
1448	struct hci_dev_req *dr;
1449	int n = 0, size, err;
1450	__u16 dev_num;
1451
1452	if (get_user(dev_num, (__u16 __user *) arg))
1453		return -EFAULT;
1454
1455	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1456		return -EINVAL;
1457
1458	size = sizeof(*dl) + dev_num * sizeof(*dr);
1459
1460	dl = kzalloc(size, GFP_KERNEL);
1461	if (!dl)
1462		return -ENOMEM;
1463
1464	dr = dl->dev_req;
1465
1466	read_lock(&hci_dev_list_lock);
1467	list_for_each_entry(hdev, &hci_dev_list, list) {
1468		if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1469			cancel_delayed_work(&hdev->power_off);
1470
1471		if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1472			set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1473
1474		(dr + n)->dev_id  = hdev->id;
1475		(dr + n)->dev_opt = hdev->flags;
1476
1477		if (++n >= dev_num)
1478			break;
1479	}
1480	read_unlock(&hci_dev_list_lock);
1481
1482	dl->dev_num = n;
1483	size = sizeof(*dl) + n * sizeof(*dr);
1484
1485	err = copy_to_user(arg, dl, size);
1486	kfree(dl);
1487
1488	return err ? -EFAULT : 0;
1489}
1490
1491int hci_get_dev_info(void __user *arg)
1492{
1493	struct hci_dev *hdev;
1494	struct hci_dev_info di;
1495	int err = 0;
1496
1497	if (copy_from_user(&di, arg, sizeof(di)))
1498		return -EFAULT;
1499
1500	hdev = hci_dev_get(di.dev_id);
1501	if (!hdev)
1502		return -ENODEV;
1503
1504	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1505		cancel_delayed_work_sync(&hdev->power_off);
1506
1507	if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1508		set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1509
1510	strcpy(di.name, hdev->name);
1511	di.bdaddr   = hdev->bdaddr;
1512	di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
1513	di.flags    = hdev->flags;
1514	di.pkt_type = hdev->pkt_type;
1515	if (lmp_bredr_capable(hdev)) {
1516		di.acl_mtu  = hdev->acl_mtu;
1517		di.acl_pkts = hdev->acl_pkts;
1518		di.sco_mtu  = hdev->sco_mtu;
1519		di.sco_pkts = hdev->sco_pkts;
1520	} else {
1521		di.acl_mtu  = hdev->le_mtu;
1522		di.acl_pkts = hdev->le_pkts;
1523		di.sco_mtu  = 0;
1524		di.sco_pkts = 0;
1525	}
1526	di.link_policy = hdev->link_policy;
1527	di.link_mode   = hdev->link_mode;
1528
1529	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1530	memcpy(&di.features, &hdev->features, sizeof(di.features));
1531
1532	if (copy_to_user(arg, &di, sizeof(di)))
1533		err = -EFAULT;
1534
1535	hci_dev_put(hdev);
1536
1537	return err;
1538}
1539
1540/* ---- Interface to HCI drivers ---- */
1541
1542static int hci_rfkill_set_block(void *data, bool blocked)
1543{
1544	struct hci_dev *hdev = data;
1545
1546	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1547
1548	if (!blocked)
1549		return 0;
1550
1551	hci_dev_do_close(hdev);
1552
1553	return 0;
1554}
1555
1556static const struct rfkill_ops hci_rfkill_ops = {
1557	.set_block = hci_rfkill_set_block,
1558};
1559
1560static void hci_power_on(struct work_struct *work)
1561{
1562	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
1563	int err;
1564
1565	BT_DBG("%s", hdev->name);
1566
1567	err = hci_dev_open(hdev->id);
1568	if (err < 0) {
1569		mgmt_set_powered_failed(hdev, err);
1570		return;
1571	}
1572
1573	if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1574		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1575				   HCI_AUTO_OFF_TIMEOUT);
1576
1577	if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
1578		mgmt_index_added(hdev);
1579}
1580
1581static void hci_power_off(struct work_struct *work)
1582{
1583	struct hci_dev *hdev = container_of(work, struct hci_dev,
1584					    power_off.work);
1585
1586	BT_DBG("%s", hdev->name);
1587
1588	hci_dev_do_close(hdev);
1589}
1590
1591static void hci_discov_off(struct work_struct *work)
1592{
1593	struct hci_dev *hdev;
1594	u8 scan = SCAN_PAGE;
1595
1596	hdev = container_of(work, struct hci_dev, discov_off.work);
1597
1598	BT_DBG("%s", hdev->name);
1599
1600	hci_dev_lock(hdev);
1601
1602	hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1603
1604	hdev->discov_timeout = 0;
1605
1606	hci_dev_unlock(hdev);
1607}
1608
1609int hci_uuids_clear(struct hci_dev *hdev)
1610{
1611	struct bt_uuid *uuid, *tmp;
1612
1613	list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1614		list_del(&uuid->list);
1615		kfree(uuid);
1616	}
1617
1618	return 0;
1619}
1620
1621int hci_link_keys_clear(struct hci_dev *hdev)
1622{
1623	struct list_head *p, *n;
1624
1625	list_for_each_safe(p, n, &hdev->link_keys) {
1626		struct link_key *key;
1627
1628		key = list_entry(p, struct link_key, list);
1629
1630		list_del(p);
1631		kfree(key);
1632	}
1633
1634	return 0;
1635}
1636
1637int hci_smp_ltks_clear(struct hci_dev *hdev)
1638{
1639	struct smp_ltk *k, *tmp;
1640
1641	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1642		list_del(&k->list);
1643		kfree(k);
1644	}
1645
1646	return 0;
1647}
1648
1649struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1650{
1651	struct link_key *k;
1652
1653	list_for_each_entry(k, &hdev->link_keys, list)
1654		if (bacmp(bdaddr, &k->bdaddr) == 0)
1655			return k;
1656
1657	return NULL;
1658}
1659
1660static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1661			       u8 key_type, u8 old_key_type)
1662{
1663	/* Legacy key */
1664	if (key_type < 0x03)
1665		return true;
1666
1667	/* Debug keys are insecure so don't store them persistently */
1668	if (key_type == HCI_LK_DEBUG_COMBINATION)
1669		return false;
1670
1671	/* Changed combination key and there's no previous one */
1672	if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1673		return false;
1674
1675	/* Security mode 3 case */
1676	if (!conn)
1677		return true;
1678
1679	/* Neither local nor remote side had no-bonding as requirement */
1680	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1681		return true;
1682
1683	/* Local side had dedicated bonding as requirement */
1684	if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1685		return true;
1686
1687	/* Remote side had dedicated bonding as requirement */
1688	if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1689		return true;
1690
1691	/* If none of the above criteria match, then don't store the key
1692	 * persistently */
1693	return false;
1694}
1695
1696struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1697{
1698	struct smp_ltk *k;
1699
1700	list_for_each_entry(k, &hdev->long_term_keys, list) {
1701		if (k->ediv != ediv ||
1702		    memcmp(rand, k->rand, sizeof(k->rand)))
1703			continue;
1704
1705		return k;
1706	}
1707
1708	return NULL;
1709}
1710
1711struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1712				     u8 addr_type)
1713{
1714	struct smp_ltk *k;
1715
1716	list_for_each_entry(k, &hdev->long_term_keys, list)
1717		if (addr_type == k->bdaddr_type &&
1718		    bacmp(bdaddr, &k->bdaddr) == 0)
1719			return k;
1720
1721	return NULL;
1722}
1723
1724int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1725		     bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1726{
1727	struct link_key *key, *old_key;
1728	u8 old_key_type;
1729	bool persistent;
1730
1731	old_key = hci_find_link_key(hdev, bdaddr);
1732	if (old_key) {
1733		old_key_type = old_key->type;
1734		key = old_key;
1735	} else {
1736		old_key_type = conn ? conn->key_type : 0xff;
1737		key = kzalloc(sizeof(*key), GFP_ATOMIC);
1738		if (!key)
1739			return -ENOMEM;
1740		list_add(&key->list, &hdev->link_keys);
1741	}
1742
1743	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1744
1745	/* Some buggy controller combinations generate a changed
1746	 * combination key for legacy pairing even when there's no
1747	 * previous key */
1748	if (type == HCI_LK_CHANGED_COMBINATION &&
1749	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1750		type = HCI_LK_COMBINATION;
1751		if (conn)
1752			conn->key_type = type;
1753	}
1754
1755	bacpy(&key->bdaddr, bdaddr);
1756	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1757	key->pin_len = pin_len;
1758
1759	if (type == HCI_LK_CHANGED_COMBINATION)
1760		key->type = old_key_type;
1761	else
1762		key->type = type;
1763
1764	if (!new_key)
1765		return 0;
1766
1767	persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1768
1769	mgmt_new_link_key(hdev, key, persistent);
1770
1771	if (conn)
1772		conn->flush_key = !persistent;
1773
1774	return 0;
1775}
1776
1777int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
1778		int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
1779		ediv, u8 rand[8])
1780{
1781	struct smp_ltk *key, *old_key;
1782
1783	if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
1784		return 0;
1785
1786	old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
1787	if (old_key)
1788		key = old_key;
1789	else {
1790		key = kzalloc(sizeof(*key), GFP_ATOMIC);
1791		if (!key)
1792			return -ENOMEM;
1793		list_add(&key->list, &hdev->long_term_keys);
1794	}
1795
1796	bacpy(&key->bdaddr, bdaddr);
1797	key->bdaddr_type = addr_type;
1798	memcpy(key->val, tk, sizeof(key->val));
1799	key->authenticated = authenticated;
1800	key->ediv = ediv;
1801	key->enc_size = enc_size;
1802	key->type = type;
1803	memcpy(key->rand, rand, sizeof(key->rand));
1804
1805	if (!new_key)
1806		return 0;
1807
1808	if (type & HCI_SMP_LTK)
1809		mgmt_new_ltk(hdev, key, 1);
1810
1811	return 0;
1812}
1813
1814int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1815{
1816	struct link_key *key;
1817
1818	key = hci_find_link_key(hdev, bdaddr);
1819	if (!key)
1820		return -ENOENT;
1821
1822	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1823
1824	list_del(&key->list);
1825	kfree(key);
1826
1827	return 0;
1828}
1829
1830int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
1831{
1832	struct smp_ltk *k, *tmp;
1833
1834	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1835		if (bacmp(bdaddr, &k->bdaddr))
1836			continue;
1837
1838		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1839
1840		list_del(&k->list);
1841		kfree(k);
1842	}
1843
1844	return 0;
1845}
1846
1847/* HCI command timer function */
1848static void hci_cmd_timeout(unsigned long arg)
1849{
1850	struct hci_dev *hdev = (void *) arg;
1851
1852	if (hdev->sent_cmd) {
1853		struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
1854		u16 opcode = __le16_to_cpu(sent->opcode);
1855
1856		BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
1857	} else {
1858		BT_ERR("%s command tx timeout", hdev->name);
1859	}
1860
1861	atomic_set(&hdev->cmd_cnt, 1);
1862	queue_work(hdev->workqueue, &hdev->cmd_work);
1863}
1864
1865struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1866					  bdaddr_t *bdaddr)
1867{
1868	struct oob_data *data;
1869
1870	list_for_each_entry(data, &hdev->remote_oob_data, list)
1871		if (bacmp(bdaddr, &data->bdaddr) == 0)
1872			return data;
1873
1874	return NULL;
1875}
1876
1877int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1878{
1879	struct oob_data *data;
1880
1881	data = hci_find_remote_oob_data(hdev, bdaddr);
1882	if (!data)
1883		return -ENOENT;
1884
1885	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1886
1887	list_del(&data->list);
1888	kfree(data);
1889
1890	return 0;
1891}
1892
1893int hci_remote_oob_data_clear(struct hci_dev *hdev)
1894{
1895	struct oob_data *data, *n;
1896
1897	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1898		list_del(&data->list);
1899		kfree(data);
1900	}
1901
1902	return 0;
1903}
1904
1905int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1906			    u8 *randomizer)
1907{
1908	struct oob_data *data;
1909
1910	data = hci_find_remote_oob_data(hdev, bdaddr);
1911
1912	if (!data) {
1913		data = kmalloc(sizeof(*data), GFP_ATOMIC);
1914		if (!data)
1915			return -ENOMEM;
1916
1917		bacpy(&data->bdaddr, bdaddr);
1918		list_add(&data->list, &hdev->remote_oob_data);
1919	}
1920
1921	memcpy(data->hash, hash, sizeof(data->hash));
1922	memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1923
1924	BT_DBG("%s for %pMR", hdev->name, bdaddr);
1925
1926	return 0;
1927}
1928
1929struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
1930{
1931	struct bdaddr_list *b;
1932
1933	list_for_each_entry(b, &hdev->blacklist, list)
1934		if (bacmp(bdaddr, &b->bdaddr) == 0)
1935			return b;
1936
1937	return NULL;
1938}
1939
1940int hci_blacklist_clear(struct hci_dev *hdev)
1941{
1942	struct list_head *p, *n;
1943
1944	list_for_each_safe(p, n, &hdev->blacklist) {
1945		struct bdaddr_list *b;
1946
1947		b = list_entry(p, struct bdaddr_list, list);
1948
1949		list_del(p);
1950		kfree(b);
1951	}
1952
1953	return 0;
1954}
1955
1956int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1957{
1958	struct bdaddr_list *entry;
1959
1960	if (bacmp(bdaddr, BDADDR_ANY) == 0)
1961		return -EBADF;
1962
1963	if (hci_blacklist_lookup(hdev, bdaddr))
1964		return -EEXIST;
1965
1966	entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1967	if (!entry)
1968		return -ENOMEM;
1969
1970	bacpy(&entry->bdaddr, bdaddr);
1971
1972	list_add(&entry->list, &hdev->blacklist);
1973
1974	return mgmt_device_blocked(hdev, bdaddr, type);
1975}
1976
1977int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1978{
1979	struct bdaddr_list *entry;
1980
1981	if (bacmp(bdaddr, BDADDR_ANY) == 0)
1982		return hci_blacklist_clear(hdev);
1983
1984	entry = hci_blacklist_lookup(hdev, bdaddr);
1985	if (!entry)
1986		return -ENOENT;
1987
1988	list_del(&entry->list);
1989	kfree(entry);
1990
1991	return mgmt_device_unblocked(hdev, bdaddr, type);
1992}
1993
1994static void le_scan_param_req(struct hci_request *req, unsigned long opt)
1995{
1996	struct le_scan_params *param =  (struct le_scan_params *) opt;
1997	struct hci_cp_le_set_scan_param cp;
1998
1999	memset(&cp, 0, sizeof(cp));
2000	cp.type = param->type;
2001	cp.interval = cpu_to_le16(param->interval);
2002	cp.window = cpu_to_le16(param->window);
2003
2004	hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(cp), &cp);
2005}
2006
2007static void le_scan_enable_req(struct hci_request *req, unsigned long opt)
2008{
2009	struct hci_cp_le_set_scan_enable cp;
2010
2011	memset(&cp, 0, sizeof(cp));
2012	cp.enable = LE_SCAN_ENABLE;
2013	cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
2014
2015	hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2016}
2017
2018static int hci_do_le_scan(struct hci_dev *hdev, u8 type, u16 interval,
2019			  u16 window, int timeout)
2020{
2021	long timeo = msecs_to_jiffies(3000);
2022	struct le_scan_params param;
2023	int err;
2024
2025	BT_DBG("%s", hdev->name);
2026
2027	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
2028		return -EINPROGRESS;
2029
2030	param.type = type;
2031	param.interval = interval;
2032	param.window = window;
2033
2034	hci_req_lock(hdev);
2035
2036	err = __hci_req_sync(hdev, le_scan_param_req, (unsigned long) &param,
2037			     timeo);
2038	if (!err)
2039		err = __hci_req_sync(hdev, le_scan_enable_req, 0, timeo);
2040
2041	hci_req_unlock(hdev);
2042
2043	if (err < 0)
2044		return err;
2045
2046	queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable,
2047			   timeout);
2048
2049	return 0;
2050}
2051
2052int hci_cancel_le_scan(struct hci_dev *hdev)
2053{
2054	BT_DBG("%s", hdev->name);
2055
2056	if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
2057		return -EALREADY;
2058
2059	if (cancel_delayed_work(&hdev->le_scan_disable)) {
2060		struct hci_cp_le_set_scan_enable cp;
2061
2062		/* Send HCI command to disable LE Scan */
2063		memset(&cp, 0, sizeof(cp));
2064		hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2065	}
2066
2067	return 0;
2068}
2069
2070static void le_scan_disable_work(struct work_struct *work)
2071{
2072	struct hci_dev *hdev = container_of(work, struct hci_dev,
2073					    le_scan_disable.work);
2074	struct hci_cp_le_set_scan_enable cp;
2075
2076	BT_DBG("%s", hdev->name);
2077
2078	memset(&cp, 0, sizeof(cp));
2079
2080	hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2081}
2082
2083static void le_scan_work(struct work_struct *work)
2084{
2085	struct hci_dev *hdev = container_of(work, struct hci_dev, le_scan);
2086	struct le_scan_params *param = &hdev->le_scan_params;
2087
2088	BT_DBG("%s", hdev->name);
2089
2090	hci_do_le_scan(hdev, param->type, param->interval, param->window,
2091		       param->timeout);
2092}
2093
2094int hci_le_scan(struct hci_dev *hdev, u8 type, u16 interval, u16 window,
2095		int timeout)
2096{
2097	struct le_scan_params *param = &hdev->le_scan_params;
2098
2099	BT_DBG("%s", hdev->name);
2100
2101	if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
2102		return -ENOTSUPP;
2103
2104	if (work_busy(&hdev->le_scan))
2105		return -EINPROGRESS;
2106
2107	param->type = type;
2108	param->interval = interval;
2109	param->window = window;
2110	param->timeout = timeout;
2111
2112	queue_work(system_long_wq, &hdev->le_scan);
2113
2114	return 0;
2115}
2116
2117/* Alloc HCI device */
2118struct hci_dev *hci_alloc_dev(void)
2119{
2120	struct hci_dev *hdev;
2121
2122	hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
2123	if (!hdev)
2124		return NULL;
2125
2126	hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2127	hdev->esco_type = (ESCO_HV1);
2128	hdev->link_mode = (HCI_LM_ACCEPT);
2129	hdev->io_capability = 0x03; /* No Input No Output */
2130	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2131	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2132
2133	hdev->sniff_max_interval = 800;
2134	hdev->sniff_min_interval = 80;
2135
2136	mutex_init(&hdev->lock);
2137	mutex_init(&hdev->req_lock);
2138
2139	INIT_LIST_HEAD(&hdev->mgmt_pending);
2140	INIT_LIST_HEAD(&hdev->blacklist);
2141	INIT_LIST_HEAD(&hdev->uuids);
2142	INIT_LIST_HEAD(&hdev->link_keys);
2143	INIT_LIST_HEAD(&hdev->long_term_keys);
2144	INIT_LIST_HEAD(&hdev->remote_oob_data);
2145	INIT_LIST_HEAD(&hdev->conn_hash.list);
2146
2147	INIT_WORK(&hdev->rx_work, hci_rx_work);
2148	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2149	INIT_WORK(&hdev->tx_work, hci_tx_work);
2150	INIT_WORK(&hdev->power_on, hci_power_on);
2151	INIT_WORK(&hdev->le_scan, le_scan_work);
2152
2153	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2154	INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2155	INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2156
2157	skb_queue_head_init(&hdev->rx_q);
2158	skb_queue_head_init(&hdev->cmd_q);
2159	skb_queue_head_init(&hdev->raw_q);
2160
2161	init_waitqueue_head(&hdev->req_wait_q);
2162
2163	setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2164
2165	hci_init_sysfs(hdev);
2166	discovery_init(hdev);
2167
2168	return hdev;
2169}
2170EXPORT_SYMBOL(hci_alloc_dev);
2171
2172/* Free HCI device */
2173void hci_free_dev(struct hci_dev *hdev)
2174{
2175	/* will free via device release */
2176	put_device(&hdev->dev);
2177}
2178EXPORT_SYMBOL(hci_free_dev);
2179
2180/* Register HCI device */
2181int hci_register_dev(struct hci_dev *hdev)
2182{
2183	int id, error;
2184
2185	if (!hdev->open || !hdev->close)
2186		return -EINVAL;
2187
2188	/* Do not allow HCI_AMP devices to register at index 0,
2189	 * so the index can be used as the AMP controller ID.
2190	 */
2191	switch (hdev->dev_type) {
2192	case HCI_BREDR:
2193		id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2194		break;
2195	case HCI_AMP:
2196		id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2197		break;
2198	default:
2199		return -EINVAL;
2200	}
2201
2202	if (id < 0)
2203		return id;
2204
2205	sprintf(hdev->name, "hci%d", id);
2206	hdev->id = id;
2207
2208	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2209
2210	write_lock(&hci_dev_list_lock);
2211	list_add(&hdev->list, &hci_dev_list);
2212	write_unlock(&hci_dev_list_lock);
2213
2214	hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND |
2215					  WQ_MEM_RECLAIM, 1);
2216	if (!hdev->workqueue) {
2217		error = -ENOMEM;
2218		goto err;
2219	}
2220
2221	hdev->req_workqueue = alloc_workqueue(hdev->name,
2222					      WQ_HIGHPRI | WQ_UNBOUND |
2223					      WQ_MEM_RECLAIM, 1);
2224	if (!hdev->req_workqueue) {
2225		destroy_workqueue(hdev->workqueue);
2226		error = -ENOMEM;
2227		goto err;
2228	}
2229
2230	error = hci_add_sysfs(hdev);
2231	if (error < 0)
2232		goto err_wqueue;
2233
2234	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2235				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2236				    hdev);
2237	if (hdev->rfkill) {
2238		if (rfkill_register(hdev->rfkill) < 0) {
2239			rfkill_destroy(hdev->rfkill);
2240			hdev->rfkill = NULL;
2241		}
2242	}
2243
2244	set_bit(HCI_SETUP, &hdev->dev_flags);
2245
2246	if (hdev->dev_type != HCI_AMP)
2247		set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2248
2249	hci_notify(hdev, HCI_DEV_REG);
2250	hci_dev_hold(hdev);
2251
2252	queue_work(hdev->req_workqueue, &hdev->power_on);
2253
2254	return id;
2255
2256err_wqueue:
2257	destroy_workqueue(hdev->workqueue);
2258	destroy_workqueue(hdev->req_workqueue);
2259err:
2260	ida_simple_remove(&hci_index_ida, hdev->id);
2261	write_lock(&hci_dev_list_lock);
2262	list_del(&hdev->list);
2263	write_unlock(&hci_dev_list_lock);
2264
2265	return error;
2266}
2267EXPORT_SYMBOL(hci_register_dev);
2268
2269/* Unregister HCI device */
2270void hci_unregister_dev(struct hci_dev *hdev)
2271{
2272	int i, id;
2273
2274	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2275
2276	set_bit(HCI_UNREGISTER, &hdev->dev_flags);
2277
2278	id = hdev->id;
2279
2280	write_lock(&hci_dev_list_lock);
2281	list_del(&hdev->list);
2282	write_unlock(&hci_dev_list_lock);
2283
2284	hci_dev_do_close(hdev);
2285
2286	for (i = 0; i < NUM_REASSEMBLY; i++)
2287		kfree_skb(hdev->reassembly[i]);
2288
2289	cancel_work_sync(&hdev->power_on);
2290
2291	if (!test_bit(HCI_INIT, &hdev->flags) &&
2292	    !test_bit(HCI_SETUP, &hdev->dev_flags)) {
2293		hci_dev_lock(hdev);
2294		mgmt_index_removed(hdev);
2295		hci_dev_unlock(hdev);
2296	}
2297
2298	/* mgmt_index_removed should take care of emptying the
2299	 * pending list */
2300	BUG_ON(!list_empty(&hdev->mgmt_pending));
2301
2302	hci_notify(hdev, HCI_DEV_UNREG);
2303
2304	if (hdev->rfkill) {
2305		rfkill_unregister(hdev->rfkill);
2306		rfkill_destroy(hdev->rfkill);
2307	}
2308
2309	hci_del_sysfs(hdev);
2310
2311	destroy_workqueue(hdev->workqueue);
2312	destroy_workqueue(hdev->req_workqueue);
2313
2314	hci_dev_lock(hdev);
2315	hci_blacklist_clear(hdev);
2316	hci_uuids_clear(hdev);
2317	hci_link_keys_clear(hdev);
2318	hci_smp_ltks_clear(hdev);
2319	hci_remote_oob_data_clear(hdev);
2320	hci_dev_unlock(hdev);
2321
2322	hci_dev_put(hdev);
2323
2324	ida_simple_remove(&hci_index_ida, id);
2325}
2326EXPORT_SYMBOL(hci_unregister_dev);
2327
2328/* Suspend HCI device */
2329int hci_suspend_dev(struct hci_dev *hdev)
2330{
2331	hci_notify(hdev, HCI_DEV_SUSPEND);
2332	return 0;
2333}
2334EXPORT_SYMBOL(hci_suspend_dev);
2335
2336/* Resume HCI device */
2337int hci_resume_dev(struct hci_dev *hdev)
2338{
2339	hci_notify(hdev, HCI_DEV_RESUME);
2340	return 0;
2341}
2342EXPORT_SYMBOL(hci_resume_dev);
2343
2344/* Receive frame from HCI drivers */
2345int hci_recv_frame(struct sk_buff *skb)
2346{
2347	struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2348	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2349		      && !test_bit(HCI_INIT, &hdev->flags))) {
2350		kfree_skb(skb);
2351		return -ENXIO;
2352	}
2353
2354	/* Incoming skb */
2355	bt_cb(skb)->incoming = 1;
2356
2357	/* Time stamp */
2358	__net_timestamp(skb);
2359
2360	skb_queue_tail(&hdev->rx_q, skb);
2361	queue_work(hdev->workqueue, &hdev->rx_work);
2362
2363	return 0;
2364}
2365EXPORT_SYMBOL(hci_recv_frame);
2366
2367static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
2368			  int count, __u8 index)
2369{
2370	int len = 0;
2371	int hlen = 0;
2372	int remain = count;
2373	struct sk_buff *skb;
2374	struct bt_skb_cb *scb;
2375
2376	if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
2377	    index >= NUM_REASSEMBLY)
2378		return -EILSEQ;
2379
2380	skb = hdev->reassembly[index];
2381
2382	if (!skb) {
2383		switch (type) {
2384		case HCI_ACLDATA_PKT:
2385			len = HCI_MAX_FRAME_SIZE;
2386			hlen = HCI_ACL_HDR_SIZE;
2387			break;
2388		case HCI_EVENT_PKT:
2389			len = HCI_MAX_EVENT_SIZE;
2390			hlen = HCI_EVENT_HDR_SIZE;
2391			break;
2392		case HCI_SCODATA_PKT:
2393			len = HCI_MAX_SCO_SIZE;
2394			hlen = HCI_SCO_HDR_SIZE;
2395			break;
2396		}
2397
2398		skb = bt_skb_alloc(len, GFP_ATOMIC);
2399		if (!skb)
2400			return -ENOMEM;
2401
2402		scb = (void *) skb->cb;
2403		scb->expect = hlen;
2404		scb->pkt_type = type;
2405
2406		skb->dev = (void *) hdev;
2407		hdev->reassembly[index] = skb;
2408	}
2409
2410	while (count) {
2411		scb = (void *) skb->cb;
2412		len = min_t(uint, scb->expect, count);
2413
2414		memcpy(skb_put(skb, len), data, len);
2415
2416		count -= len;
2417		data += len;
2418		scb->expect -= len;
2419		remain = count;
2420
2421		switch (type) {
2422		case HCI_EVENT_PKT:
2423			if (skb->len == HCI_EVENT_HDR_SIZE) {
2424				struct hci_event_hdr *h = hci_event_hdr(skb);
2425				scb->expect = h->plen;
2426
2427				if (skb_tailroom(skb) < scb->expect) {
2428					kfree_skb(skb);
2429					hdev->reassembly[index] = NULL;
2430					return -ENOMEM;
2431				}
2432			}
2433			break;
2434
2435		case HCI_ACLDATA_PKT:
2436			if (skb->len  == HCI_ACL_HDR_SIZE) {
2437				struct hci_acl_hdr *h = hci_acl_hdr(skb);
2438				scb->expect = __le16_to_cpu(h->dlen);
2439
2440				if (skb_tailroom(skb) < scb->expect) {
2441					kfree_skb(skb);
2442					hdev->reassembly[index] = NULL;
2443					return -ENOMEM;
2444				}
2445			}
2446			break;
2447
2448		case HCI_SCODATA_PKT:
2449			if (skb->len == HCI_SCO_HDR_SIZE) {
2450				struct hci_sco_hdr *h = hci_sco_hdr(skb);
2451				scb->expect = h->dlen;
2452
2453				if (skb_tailroom(skb) < scb->expect) {
2454					kfree_skb(skb);
2455					hdev->reassembly[index] = NULL;
2456					return -ENOMEM;
2457				}
2458			}
2459			break;
2460		}
2461
2462		if (scb->expect == 0) {
2463			/* Complete frame */
2464
2465			bt_cb(skb)->pkt_type = type;
2466			hci_recv_frame(skb);
2467
2468			hdev->reassembly[index] = NULL;
2469			return remain;
2470		}
2471	}
2472
2473	return remain;
2474}
2475
2476int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
2477{
2478	int rem = 0;
2479
2480	if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
2481		return -EILSEQ;
2482
2483	while (count) {
2484		rem = hci_reassembly(hdev, type, data, count, type - 1);
2485		if (rem < 0)
2486			return rem;
2487
2488		data += (count - rem);
2489		count = rem;
2490	}
2491
2492	return rem;
2493}
2494EXPORT_SYMBOL(hci_recv_fragment);
2495
2496#define STREAM_REASSEMBLY 0
2497
2498int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
2499{
2500	int type;
2501	int rem = 0;
2502
2503	while (count) {
2504		struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
2505
2506		if (!skb) {
2507			struct { char type; } *pkt;
2508
2509			/* Start of the frame */
2510			pkt = data;
2511			type = pkt->type;
2512
2513			data++;
2514			count--;
2515		} else
2516			type = bt_cb(skb)->pkt_type;
2517
2518		rem = hci_reassembly(hdev, type, data, count,
2519				     STREAM_REASSEMBLY);
2520		if (rem < 0)
2521			return rem;
2522
2523		data += (count - rem);
2524		count = rem;
2525	}
2526
2527	return rem;
2528}
2529EXPORT_SYMBOL(hci_recv_stream_fragment);
2530
2531/* ---- Interface to upper protocols ---- */
2532
2533int hci_register_cb(struct hci_cb *cb)
2534{
2535	BT_DBG("%p name %s", cb, cb->name);
2536
2537	write_lock(&hci_cb_list_lock);
2538	list_add(&cb->list, &hci_cb_list);
2539	write_unlock(&hci_cb_list_lock);
2540
2541	return 0;
2542}
2543EXPORT_SYMBOL(hci_register_cb);
2544
2545int hci_unregister_cb(struct hci_cb *cb)
2546{
2547	BT_DBG("%p name %s", cb, cb->name);
2548
2549	write_lock(&hci_cb_list_lock);
2550	list_del(&cb->list);
2551	write_unlock(&hci_cb_list_lock);
2552
2553	return 0;
2554}
2555EXPORT_SYMBOL(hci_unregister_cb);
2556
2557static int hci_send_frame(struct sk_buff *skb)
2558{
2559	struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2560
2561	if (!hdev) {
2562		kfree_skb(skb);
2563		return -ENODEV;
2564	}
2565
2566	BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
2567
2568	/* Time stamp */
2569	__net_timestamp(skb);
2570
2571	/* Send copy to monitor */
2572	hci_send_to_monitor(hdev, skb);
2573
2574	if (atomic_read(&hdev->promisc)) {
2575		/* Send copy to the sockets */
2576		hci_send_to_sock(hdev, skb);
2577	}
2578
2579	/* Get rid of skb owner, prior to sending to the driver. */
2580	skb_orphan(skb);
2581
2582	return hdev->send(skb);
2583}
2584
2585void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
2586{
2587	skb_queue_head_init(&req->cmd_q);
2588	req->hdev = hdev;
2589	req->err = 0;
2590}
2591
2592int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
2593{
2594	struct hci_dev *hdev = req->hdev;
2595	struct sk_buff *skb;
2596	unsigned long flags;
2597
2598	BT_DBG("length %u", skb_queue_len(&req->cmd_q));
2599
2600	/* If an error occured during request building, remove all HCI
2601	 * commands queued on the HCI request queue.
2602	 */
2603	if (req->err) {
2604		skb_queue_purge(&req->cmd_q);
2605		return req->err;
2606	}
2607
2608	/* Do not allow empty requests */
2609	if (skb_queue_empty(&req->cmd_q))
2610		return -ENODATA;
2611
2612	skb = skb_peek_tail(&req->cmd_q);
2613	bt_cb(skb)->req.complete = complete;
2614
2615	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
2616	skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
2617	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
2618
2619	queue_work(hdev->workqueue, &hdev->cmd_work);
2620
2621	return 0;
2622}
2623
2624static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
2625				       u32 plen, const void *param)
2626{
2627	int len = HCI_COMMAND_HDR_SIZE + plen;
2628	struct hci_command_hdr *hdr;
2629	struct sk_buff *skb;
2630
2631	skb = bt_skb_alloc(len, GFP_ATOMIC);
2632	if (!skb)
2633		return NULL;
2634
2635	hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
2636	hdr->opcode = cpu_to_le16(opcode);
2637	hdr->plen   = plen;
2638
2639	if (plen)
2640		memcpy(skb_put(skb, plen), param, plen);
2641
2642	BT_DBG("skb len %d", skb->len);
2643
2644	bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
2645	skb->dev = (void *) hdev;
2646
2647	return skb;
2648}
2649
2650/* Send HCI command */
2651int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
2652		 const void *param)
2653{
2654	struct sk_buff *skb;
2655
2656	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2657
2658	skb = hci_prepare_cmd(hdev, opcode, plen, param);
2659	if (!skb) {
2660		BT_ERR("%s no memory for command", hdev->name);
2661		return -ENOMEM;
2662	}
2663
2664	/* Stand-alone HCI commands must be flaged as
2665	 * single-command requests.
2666	 */
2667	bt_cb(skb)->req.start = true;
2668
2669	skb_queue_tail(&hdev->cmd_q, skb);
2670	queue_work(hdev->workqueue, &hdev->cmd_work);
2671
2672	return 0;
2673}
2674
2675/* Queue a command to an asynchronous HCI request */
2676void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
2677		    const void *param, u8 event)
2678{
2679	struct hci_dev *hdev = req->hdev;
2680	struct sk_buff *skb;
2681
2682	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2683
2684	/* If an error occured during request building, there is no point in
2685	 * queueing the HCI command. We can simply return.
2686	 */
2687	if (req->err)
2688		return;
2689
2690	skb = hci_prepare_cmd(hdev, opcode, plen, param);
2691	if (!skb) {
2692		BT_ERR("%s no memory for command (opcode 0x%4.4x)",
2693		       hdev->name, opcode);
2694		req->err = -ENOMEM;
2695		return;
2696	}
2697
2698	if (skb_queue_empty(&req->cmd_q))
2699		bt_cb(skb)->req.start = true;
2700
2701	bt_cb(skb)->req.event = event;
2702
2703	skb_queue_tail(&req->cmd_q, skb);
2704}
2705
2706void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
2707		 const void *param)
2708{
2709	hci_req_add_ev(req, opcode, plen, param, 0);
2710}
2711
2712/* Get data from the previously sent command */
2713void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2714{
2715	struct hci_command_hdr *hdr;
2716
2717	if (!hdev->sent_cmd)
2718		return NULL;
2719
2720	hdr = (void *) hdev->sent_cmd->data;
2721
2722	if (hdr->opcode != cpu_to_le16(opcode))
2723		return NULL;
2724
2725	BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2726
2727	return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
2728}
2729
2730/* Send ACL data */
2731static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
2732{
2733	struct hci_acl_hdr *hdr;
2734	int len = skb->len;
2735
2736	skb_push(skb, HCI_ACL_HDR_SIZE);
2737	skb_reset_transport_header(skb);
2738	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
2739	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
2740	hdr->dlen   = cpu_to_le16(len);
2741}
2742
2743static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
2744			  struct sk_buff *skb, __u16 flags)
2745{
2746	struct hci_conn *conn = chan->conn;
2747	struct hci_dev *hdev = conn->hdev;
2748	struct sk_buff *list;
2749
2750	skb->len = skb_headlen(skb);
2751	skb->data_len = 0;
2752
2753	bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2754
2755	switch (hdev->dev_type) {
2756	case HCI_BREDR:
2757		hci_add_acl_hdr(skb, conn->handle, flags);
2758		break;
2759	case HCI_AMP:
2760		hci_add_acl_hdr(skb, chan->handle, flags);
2761		break;
2762	default:
2763		BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2764		return;
2765	}
2766
2767	list = skb_shinfo(skb)->frag_list;
2768	if (!list) {
2769		/* Non fragmented */
2770		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
2771
2772		skb_queue_tail(queue, skb);
2773	} else {
2774		/* Fragmented */
2775		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2776
2777		skb_shinfo(skb)->frag_list = NULL;
2778
2779		/* Queue all fragments atomically */
2780		spin_lock(&queue->lock);
2781
2782		__skb_queue_tail(queue, skb);
2783
2784		flags &= ~ACL_START;
2785		flags |= ACL_CONT;
2786		do {
2787			skb = list; list = list->next;
2788
2789			skb->dev = (void *) hdev;
2790			bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2791			hci_add_acl_hdr(skb, conn->handle, flags);
2792
2793			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2794
2795			__skb_queue_tail(queue, skb);
2796		} while (list);
2797
2798		spin_unlock(&queue->lock);
2799	}
2800}
2801
2802void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
2803{
2804	struct hci_dev *hdev = chan->conn->hdev;
2805
2806	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
2807
2808	skb->dev = (void *) hdev;
2809
2810	hci_queue_acl(chan, &chan->data_q, skb, flags);
2811
2812	queue_work(hdev->workqueue, &hdev->tx_work);
2813}
2814
2815/* Send SCO data */
2816void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2817{
2818	struct hci_dev *hdev = conn->hdev;
2819	struct hci_sco_hdr hdr;
2820
2821	BT_DBG("%s len %d", hdev->name, skb->len);
2822
2823	hdr.handle = cpu_to_le16(conn->handle);
2824	hdr.dlen   = skb->len;
2825
2826	skb_push(skb, HCI_SCO_HDR_SIZE);
2827	skb_reset_transport_header(skb);
2828	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
2829
2830	skb->dev = (void *) hdev;
2831	bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2832
2833	skb_queue_tail(&conn->data_q, skb);
2834	queue_work(hdev->workqueue, &hdev->tx_work);
2835}
2836
2837/* ---- HCI TX task (outgoing data) ---- */
2838
2839/* HCI Connection scheduler */
2840static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
2841				     int *quote)
2842{
2843	struct hci_conn_hash *h = &hdev->conn_hash;
2844	struct hci_conn *conn = NULL, *c;
2845	unsigned int num = 0, min = ~0;
2846
2847	/* We don't have to lock device here. Connections are always
2848	 * added and removed with TX task disabled. */
2849
2850	rcu_read_lock();
2851
2852	list_for_each_entry_rcu(c, &h->list, list) {
2853		if (c->type != type || skb_queue_empty(&c->data_q))
2854			continue;
2855
2856		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
2857			continue;
2858
2859		num++;
2860
2861		if (c->sent < min) {
2862			min  = c->sent;
2863			conn = c;
2864		}
2865
2866		if (hci_conn_num(hdev, type) == num)
2867			break;
2868	}
2869
2870	rcu_read_unlock();
2871
2872	if (conn) {
2873		int cnt, q;
2874
2875		switch (conn->type) {
2876		case ACL_LINK:
2877			cnt = hdev->acl_cnt;
2878			break;
2879		case SCO_LINK:
2880		case ESCO_LINK:
2881			cnt = hdev->sco_cnt;
2882			break;
2883		case LE_LINK:
2884			cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2885			break;
2886		default:
2887			cnt = 0;
2888			BT_ERR("Unknown link type");
2889		}
2890
2891		q = cnt / num;
2892		*quote = q ? q : 1;
2893	} else
2894		*quote = 0;
2895
2896	BT_DBG("conn %p quote %d", conn, *quote);
2897	return conn;
2898}
2899
2900static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2901{
2902	struct hci_conn_hash *h = &hdev->conn_hash;
2903	struct hci_conn *c;
2904
2905	BT_ERR("%s link tx timeout", hdev->name);
2906
2907	rcu_read_lock();
2908
2909	/* Kill stalled connections */
2910	list_for_each_entry_rcu(c, &h->list, list) {
2911		if (c->type == type && c->sent) {
2912			BT_ERR("%s killing stalled connection %pMR",
2913			       hdev->name, &c->dst);
2914			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
2915		}
2916	}
2917
2918	rcu_read_unlock();
2919}
2920
2921static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2922				      int *quote)
2923{
2924	struct hci_conn_hash *h = &hdev->conn_hash;
2925	struct hci_chan *chan = NULL;
2926	unsigned int num = 0, min = ~0, cur_prio = 0;
2927	struct hci_conn *conn;
2928	int cnt, q, conn_num = 0;
2929
2930	BT_DBG("%s", hdev->name);
2931
2932	rcu_read_lock();
2933
2934	list_for_each_entry_rcu(conn, &h->list, list) {
2935		struct hci_chan *tmp;
2936
2937		if (conn->type != type)
2938			continue;
2939
2940		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2941			continue;
2942
2943		conn_num++;
2944
2945		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
2946			struct sk_buff *skb;
2947
2948			if (skb_queue_empty(&tmp->data_q))
2949				continue;
2950
2951			skb = skb_peek(&tmp->data_q);
2952			if (skb->priority < cur_prio)
2953				continue;
2954
2955			if (skb->priority > cur_prio) {
2956				num = 0;
2957				min = ~0;
2958				cur_prio = skb->priority;
2959			}
2960
2961			num++;
2962
2963			if (conn->sent < min) {
2964				min  = conn->sent;
2965				chan = tmp;
2966			}
2967		}
2968
2969		if (hci_conn_num(hdev, type) == conn_num)
2970			break;
2971	}
2972
2973	rcu_read_unlock();
2974
2975	if (!chan)
2976		return NULL;
2977
2978	switch (chan->conn->type) {
2979	case ACL_LINK:
2980		cnt = hdev->acl_cnt;
2981		break;
2982	case AMP_LINK:
2983		cnt = hdev->block_cnt;
2984		break;
2985	case SCO_LINK:
2986	case ESCO_LINK:
2987		cnt = hdev->sco_cnt;
2988		break;
2989	case LE_LINK:
2990		cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2991		break;
2992	default:
2993		cnt = 0;
2994		BT_ERR("Unknown link type");
2995	}
2996
2997	q = cnt / num;
2998	*quote = q ? q : 1;
2999	BT_DBG("chan %p quote %d", chan, *quote);
3000	return chan;
3001}
3002
3003static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3004{
3005	struct hci_conn_hash *h = &hdev->conn_hash;
3006	struct hci_conn *conn;
3007	int num = 0;
3008
3009	BT_DBG("%s", hdev->name);
3010
3011	rcu_read_lock();
3012
3013	list_for_each_entry_rcu(conn, &h->list, list) {
3014		struct hci_chan *chan;
3015
3016		if (conn->type != type)
3017			continue;
3018
3019		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3020			continue;
3021
3022		num++;
3023
3024		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3025			struct sk_buff *skb;
3026
3027			if (chan->sent) {
3028				chan->sent = 0;
3029				continue;
3030			}
3031
3032			if (skb_queue_empty(&chan->data_q))
3033				continue;
3034
3035			skb = skb_peek(&chan->data_q);
3036			if (skb->priority >= HCI_PRIO_MAX - 1)
3037				continue;
3038
3039			skb->priority = HCI_PRIO_MAX - 1;
3040
3041			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3042			       skb->priority);
3043		}
3044
3045		if (hci_conn_num(hdev, type) == num)
3046			break;
3047	}
3048
3049	rcu_read_unlock();
3050
3051}
3052
3053static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3054{
3055	/* Calculate count of blocks used by this packet */
3056	return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3057}
3058
3059static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3060{
3061	if (!test_bit(HCI_RAW, &hdev->flags)) {
3062		/* ACL tx timeout must be longer than maximum
3063		 * link supervision timeout (40.9 seconds) */
3064		if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3065				       HCI_ACL_TX_TIMEOUT))
3066			hci_link_tx_to(hdev, ACL_LINK);
3067	}
3068}
3069
3070static void hci_sched_acl_pkt(struct hci_dev *hdev)
3071{
3072	unsigned int cnt = hdev->acl_cnt;
3073	struct hci_chan *chan;
3074	struct sk_buff *skb;
3075	int quote;
3076
3077	__check_timeout(hdev, cnt);
3078
3079	while (hdev->acl_cnt &&
3080	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3081		u32 priority = (skb_peek(&chan->data_q))->priority;
3082		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3083			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3084			       skb->len, skb->priority);
3085
3086			/* Stop if priority has changed */
3087			if (skb->priority < priority)
3088				break;
3089
3090			skb = skb_dequeue(&chan->data_q);
3091
3092			hci_conn_enter_active_mode(chan->conn,
3093						   bt_cb(skb)->force_active);
3094
3095			hci_send_frame(skb);
3096			hdev->acl_last_tx = jiffies;
3097
3098			hdev->acl_cnt--;
3099			chan->sent++;
3100			chan->conn->sent++;
3101		}
3102	}
3103
3104	if (cnt != hdev->acl_cnt)
3105		hci_prio_recalculate(hdev, ACL_LINK);
3106}
3107
3108static void hci_sched_acl_blk(struct hci_dev *hdev)
3109{
3110	unsigned int cnt = hdev->block_cnt;
3111	struct hci_chan *chan;
3112	struct sk_buff *skb;
3113	int quote;
3114	u8 type;
3115
3116	__check_timeout(hdev, cnt);
3117
3118	BT_DBG("%s", hdev->name);
3119
3120	if (hdev->dev_type == HCI_AMP)
3121		type = AMP_LINK;
3122	else
3123		type = ACL_LINK;
3124
3125	while (hdev->block_cnt > 0 &&
3126	       (chan = hci_chan_sent(hdev, type, &quote))) {
3127		u32 priority = (skb_peek(&chan->data_q))->priority;
3128		while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3129			int blocks;
3130
3131			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3132			       skb->len, skb->priority);
3133
3134			/* Stop if priority has changed */
3135			if (skb->priority < priority)
3136				break;
3137
3138			skb = skb_dequeue(&chan->data_q);
3139
3140			blocks = __get_blocks(hdev, skb);
3141			if (blocks > hdev->block_cnt)
3142				return;
3143
3144			hci_conn_enter_active_mode(chan->conn,
3145						   bt_cb(skb)->force_active);
3146
3147			hci_send_frame(skb);
3148			hdev->acl_last_tx = jiffies;
3149
3150			hdev->block_cnt -= blocks;
3151			quote -= blocks;
3152
3153			chan->sent += blocks;
3154			chan->conn->sent += blocks;
3155		}
3156	}
3157
3158	if (cnt != hdev->block_cnt)
3159		hci_prio_recalculate(hdev, type);
3160}
3161
3162static void hci_sched_acl(struct hci_dev *hdev)
3163{
3164	BT_DBG("%s", hdev->name);
3165
3166	/* No ACL link over BR/EDR controller */
3167	if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3168		return;
3169
3170	/* No AMP link over AMP controller */
3171	if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3172		return;
3173
3174	switch (hdev->flow_ctl_mode) {
3175	case HCI_FLOW_CTL_MODE_PACKET_BASED:
3176		hci_sched_acl_pkt(hdev);
3177		break;
3178
3179	case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3180		hci_sched_acl_blk(hdev);
3181		break;
3182	}
3183}
3184
3185/* Schedule SCO */
3186static void hci_sched_sco(struct hci_dev *hdev)
3187{
3188	struct hci_conn *conn;
3189	struct sk_buff *skb;
3190	int quote;
3191
3192	BT_DBG("%s", hdev->name);
3193
3194	if (!hci_conn_num(hdev, SCO_LINK))
3195		return;
3196
3197	while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3198		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3199			BT_DBG("skb %p len %d", skb, skb->len);
3200			hci_send_frame(skb);
3201
3202			conn->sent++;
3203			if (conn->sent == ~0)
3204				conn->sent = 0;
3205		}
3206	}
3207}
3208
3209static void hci_sched_esco(struct hci_dev *hdev)
3210{
3211	struct hci_conn *conn;
3212	struct sk_buff *skb;
3213	int quote;
3214
3215	BT_DBG("%s", hdev->name);
3216
3217	if (!hci_conn_num(hdev, ESCO_LINK))
3218		return;
3219
3220	while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3221						     &quote))) {
3222		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3223			BT_DBG("skb %p len %d", skb, skb->len);
3224			hci_send_frame(skb);
3225
3226			conn->sent++;
3227			if (conn->sent == ~0)
3228				conn->sent = 0;
3229		}
3230	}
3231}
3232
3233static void hci_sched_le(struct hci_dev *hdev)
3234{
3235	struct hci_chan *chan;
3236	struct sk_buff *skb;
3237	int quote, cnt, tmp;
3238
3239	BT_DBG("%s", hdev->name);
3240
3241	if (!hci_conn_num(hdev, LE_LINK))
3242		return;
3243
3244	if (!test_bit(HCI_RAW, &hdev->flags)) {
3245		/* LE tx timeout must be longer than maximum
3246		 * link supervision timeout (40.9 seconds) */
3247		if (!hdev->le_cnt && hdev->le_pkts &&
3248		    time_after(jiffies, hdev->le_last_tx + HZ * 45))
3249			hci_link_tx_to(hdev, LE_LINK);
3250	}
3251
3252	cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3253	tmp = cnt;
3254	while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3255		u32 priority = (skb_peek(&chan->data_q))->priority;
3256		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3257			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3258			       skb->len, skb->priority);
3259
3260			/* Stop if priority has changed */
3261			if (skb->priority < priority)
3262				break;
3263
3264			skb = skb_dequeue(&chan->data_q);
3265
3266			hci_send_frame(skb);
3267			hdev->le_last_tx = jiffies;
3268
3269			cnt--;
3270			chan->sent++;
3271			chan->conn->sent++;
3272		}
3273	}
3274
3275	if (hdev->le_pkts)
3276		hdev->le_cnt = cnt;
3277	else
3278		hdev->acl_cnt = cnt;
3279
3280	if (cnt != tmp)
3281		hci_prio_recalculate(hdev, LE_LINK);
3282}
3283
3284static void hci_tx_work(struct work_struct *work)
3285{
3286	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3287	struct sk_buff *skb;
3288
3289	BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3290	       hdev->sco_cnt, hdev->le_cnt);
3291
3292	/* Schedule queues and send stuff to HCI driver */
3293
3294	hci_sched_acl(hdev);
3295
3296	hci_sched_sco(hdev);
3297
3298	hci_sched_esco(hdev);
3299
3300	hci_sched_le(hdev);
3301
3302	/* Send next queued raw (unknown type) packet */
3303	while ((skb = skb_dequeue(&hdev->raw_q)))
3304		hci_send_frame(skb);
3305}
3306
3307/* ----- HCI RX task (incoming data processing) ----- */
3308
3309/* ACL data packet */
3310static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3311{
3312	struct hci_acl_hdr *hdr = (void *) skb->data;
3313	struct hci_conn *conn;
3314	__u16 handle, flags;
3315
3316	skb_pull(skb, HCI_ACL_HDR_SIZE);
3317
3318	handle = __le16_to_cpu(hdr->handle);
3319	flags  = hci_flags(handle);
3320	handle = hci_handle(handle);
3321
3322	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3323	       handle, flags);
3324
3325	hdev->stat.acl_rx++;
3326
3327	hci_dev_lock(hdev);
3328	conn = hci_conn_hash_lookup_handle(hdev, handle);
3329	hci_dev_unlock(hdev);
3330
3331	if (conn) {
3332		hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3333
3334		/* Send to upper protocol */
3335		l2cap_recv_acldata(conn, skb, flags);
3336		return;
3337	} else {
3338		BT_ERR("%s ACL packet for unknown connection handle %d",
3339		       hdev->name, handle);
3340	}
3341
3342	kfree_skb(skb);
3343}
3344
3345/* SCO data packet */
3346static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3347{
3348	struct hci_sco_hdr *hdr = (void *) skb->data;
3349	struct hci_conn *conn;
3350	__u16 handle;
3351
3352	skb_pull(skb, HCI_SCO_HDR_SIZE);
3353
3354	handle = __le16_to_cpu(hdr->handle);
3355
3356	BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
3357
3358	hdev->stat.sco_rx++;
3359
3360	hci_dev_lock(hdev);
3361	conn = hci_conn_hash_lookup_handle(hdev, handle);
3362	hci_dev_unlock(hdev);
3363
3364	if (conn) {
3365		/* Send to upper protocol */
3366		sco_recv_scodata(conn, skb);
3367		return;
3368	} else {
3369		BT_ERR("%s SCO packet for unknown connection handle %d",
3370		       hdev->name, handle);
3371	}
3372
3373	kfree_skb(skb);
3374}
3375
3376static bool hci_req_is_complete(struct hci_dev *hdev)
3377{
3378	struct sk_buff *skb;
3379
3380	skb = skb_peek(&hdev->cmd_q);
3381	if (!skb)
3382		return true;
3383
3384	return bt_cb(skb)->req.start;
3385}
3386
3387static void hci_resend_last(struct hci_dev *hdev)
3388{
3389	struct hci_command_hdr *sent;
3390	struct sk_buff *skb;
3391	u16 opcode;
3392
3393	if (!hdev->sent_cmd)
3394		return;
3395
3396	sent = (void *) hdev->sent_cmd->data;
3397	opcode = __le16_to_cpu(sent->opcode);
3398	if (opcode == HCI_OP_RESET)
3399		return;
3400
3401	skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3402	if (!skb)
3403		return;
3404
3405	skb_queue_head(&hdev->cmd_q, skb);
3406	queue_work(hdev->workqueue, &hdev->cmd_work);
3407}
3408
3409void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
3410{
3411	hci_req_complete_t req_complete = NULL;
3412	struct sk_buff *skb;
3413	unsigned long flags;
3414
3415	BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3416
3417	/* If the completed command doesn't match the last one that was
3418	 * sent we need to do special handling of it.
3419	 */
3420	if (!hci_sent_cmd_data(hdev, opcode)) {
3421		/* Some CSR based controllers generate a spontaneous
3422		 * reset complete event during init and any pending
3423		 * command will never be completed. In such a case we
3424		 * need to resend whatever was the last sent
3425		 * command.
3426		 */
3427		if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
3428			hci_resend_last(hdev);
3429
3430		return;
3431	}
3432
3433	/* If the command succeeded and there's still more commands in
3434	 * this request the request is not yet complete.
3435	 */
3436	if (!status && !hci_req_is_complete(hdev))
3437		return;
3438
3439	/* If this was the last command in a request the complete
3440	 * callback would be found in hdev->sent_cmd instead of the
3441	 * command queue (hdev->cmd_q).
3442	 */
3443	if (hdev->sent_cmd) {
3444		req_complete = bt_cb(hdev->sent_cmd)->req.complete;
3445		if (req_complete)
3446			goto call_complete;
3447	}
3448
3449	/* Remove all pending commands belonging to this request */
3450	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3451	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
3452		if (bt_cb(skb)->req.start) {
3453			__skb_queue_head(&hdev->cmd_q, skb);
3454			break;
3455		}
3456
3457		req_complete = bt_cb(skb)->req.complete;
3458		kfree_skb(skb);
3459	}
3460	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3461
3462call_complete:
3463	if (req_complete)
3464		req_complete(hdev, status);
3465}
3466
3467static void hci_rx_work(struct work_struct *work)
3468{
3469	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
3470	struct sk_buff *skb;
3471
3472	BT_DBG("%s", hdev->name);
3473
3474	while ((skb = skb_dequeue(&hdev->rx_q))) {
3475		/* Send copy to monitor */
3476		hci_send_to_monitor(hdev, skb);
3477
3478		if (atomic_read(&hdev->promisc)) {
3479			/* Send copy to the sockets */
3480			hci_send_to_sock(hdev, skb);
3481		}
3482
3483		if (test_bit(HCI_RAW, &hdev->flags)) {
3484			kfree_skb(skb);
3485			continue;
3486		}
3487
3488		if (test_bit(HCI_INIT, &hdev->flags)) {
3489			/* Don't process data packets in this states. */
3490			switch (bt_cb(skb)->pkt_type) {
3491			case HCI_ACLDATA_PKT:
3492			case HCI_SCODATA_PKT:
3493				kfree_skb(skb);
3494				continue;
3495			}
3496		}
3497
3498		/* Process frame */
3499		switch (bt_cb(skb)->pkt_type) {
3500		case HCI_EVENT_PKT:
3501			BT_DBG("%s Event packet", hdev->name);
3502			hci_event_packet(hdev, skb);
3503			break;
3504
3505		case HCI_ACLDATA_PKT:
3506			BT_DBG("%s ACL data packet", hdev->name);
3507			hci_acldata_packet(hdev, skb);
3508			break;
3509
3510		case HCI_SCODATA_PKT:
3511			BT_DBG("%s SCO data packet", hdev->name);
3512			hci_scodata_packet(hdev, skb);
3513			break;
3514
3515		default:
3516			kfree_skb(skb);
3517			break;
3518		}
3519	}
3520}
3521
3522static void hci_cmd_work(struct work_struct *work)
3523{
3524	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
3525	struct sk_buff *skb;
3526
3527	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
3528	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
3529
3530	/* Send queued commands */
3531	if (atomic_read(&hdev->cmd_cnt)) {
3532		skb = skb_dequeue(&hdev->cmd_q);
3533		if (!skb)
3534			return;
3535
3536		kfree_skb(hdev->sent_cmd);
3537
3538		hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
3539		if (hdev->sent_cmd) {
3540			atomic_dec(&hdev->cmd_cnt);
3541			hci_send_frame(skb);
3542			if (test_bit(HCI_RESET, &hdev->flags))
3543				del_timer(&hdev->cmd_timer);
3544			else
3545				mod_timer(&hdev->cmd_timer,
3546					  jiffies + HCI_CMD_TIMEOUT);
3547		} else {
3548			skb_queue_head(&hdev->cmd_q, skb);
3549			queue_work(hdev->workqueue, &hdev->cmd_work);
3550		}
3551	}
3552}
3553
3554int hci_do_inquiry(struct hci_dev *hdev, u8 length)
3555{
3556	/* General inquiry access code (GIAC) */
3557	u8 lap[3] = { 0x33, 0x8b, 0x9e };
3558	struct hci_cp_inquiry cp;
3559
3560	BT_DBG("%s", hdev->name);
3561
3562	if (test_bit(HCI_INQUIRY, &hdev->flags))
3563		return -EINPROGRESS;
3564
3565	inquiry_cache_flush(hdev);
3566
3567	memset(&cp, 0, sizeof(cp));
3568	memcpy(&cp.lap, lap, sizeof(cp.lap));
3569	cp.length  = length;
3570
3571	return hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
3572}
3573
3574int hci_cancel_inquiry(struct hci_dev *hdev)
3575{
3576	BT_DBG("%s", hdev->name);
3577
3578	if (!test_bit(HCI_INQUIRY, &hdev->flags))
3579		return -EALREADY;
3580
3581	return hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
3582}
3583
3584u8 bdaddr_to_le(u8 bdaddr_type)
3585{
3586	switch (bdaddr_type) {
3587	case BDADDR_LE_PUBLIC:
3588		return ADDR_LE_DEV_PUBLIC;
3589
3590	default:
3591		/* Fallback to LE Random address type */
3592		return ADDR_LE_DEV_RANDOM;
3593	}
3594}
3595