Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
[linux-2.6.git] / net / bluetooth / hci_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI core. */
26
27 #include <linux/jiffies.h>
28 #include <linux/module.h>
29 #include <linux/kmod.h>
30
31 #include <linux/types.h>
32 #include <linux/errno.h>
33 #include <linux/kernel.h>
34 #include <linux/sched.h>
35 #include <linux/slab.h>
36 #include <linux/poll.h>
37 #include <linux/fcntl.h>
38 #include <linux/init.h>
39 #include <linux/skbuff.h>
40 #include <linux/workqueue.h>
41 #include <linux/interrupt.h>
42 #include <linux/notifier.h>
43 #include <linux/rfkill.h>
44 #include <linux/timer.h>
45 #include <net/sock.h>
46
47 #include <asm/system.h>
48 #include <linux/uaccess.h>
49 #include <asm/unaligned.h>
50
51 #include <net/bluetooth/bluetooth.h>
52 #include <net/bluetooth/hci_core.h>
53
54 #define AUTO_OFF_TIMEOUT 2000
55
56 static void hci_cmd_task(unsigned long arg);
57 static void hci_rx_task(unsigned long arg);
58 static void hci_tx_task(unsigned long arg);
59
60 static DEFINE_RWLOCK(hci_task_lock);
61
62 /* HCI device list */
63 LIST_HEAD(hci_dev_list);
64 DEFINE_RWLOCK(hci_dev_list_lock);
65
66 /* HCI callback list */
67 LIST_HEAD(hci_cb_list);
68 DEFINE_RWLOCK(hci_cb_list_lock);
69
70 /* HCI protocols */
71 #define HCI_MAX_PROTO   2
72 struct hci_proto *hci_proto[HCI_MAX_PROTO];
73
74 /* HCI notifiers list */
75 static ATOMIC_NOTIFIER_HEAD(hci_notifier);
76
77 /* ---- HCI notifications ---- */
78
79 int hci_register_notifier(struct notifier_block *nb)
80 {
81         return atomic_notifier_chain_register(&hci_notifier, nb);
82 }
83
84 int hci_unregister_notifier(struct notifier_block *nb)
85 {
86         return atomic_notifier_chain_unregister(&hci_notifier, nb);
87 }
88
89 static void hci_notify(struct hci_dev *hdev, int event)
90 {
91         atomic_notifier_call_chain(&hci_notifier, event, hdev);
92 }
93
94 /* ---- HCI requests ---- */
95
96 void hci_req_complete(struct hci_dev *hdev, __u16 cmd, int result)
97 {
98         BT_DBG("%s command 0x%04x result 0x%2.2x", hdev->name, cmd, result);
99
100         /* If this is the init phase check if the completed command matches
101          * the last init command, and if not just return.
102          */
103         if (test_bit(HCI_INIT, &hdev->flags) && hdev->init_last_cmd != cmd)
104                 return;
105
106         if (hdev->req_status == HCI_REQ_PEND) {
107                 hdev->req_result = result;
108                 hdev->req_status = HCI_REQ_DONE;
109                 wake_up_interruptible(&hdev->req_wait_q);
110         }
111 }
112
113 static void hci_req_cancel(struct hci_dev *hdev, int err)
114 {
115         BT_DBG("%s err 0x%2.2x", hdev->name, err);
116
117         if (hdev->req_status == HCI_REQ_PEND) {
118                 hdev->req_result = err;
119                 hdev->req_status = HCI_REQ_CANCELED;
120                 wake_up_interruptible(&hdev->req_wait_q);
121         }
122 }
123
124 /* Execute request and wait for completion. */
125 static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev, unsigned long opt),
126                                         unsigned long opt, __u32 timeout)
127 {
128         DECLARE_WAITQUEUE(wait, current);
129         int err = 0;
130
131         BT_DBG("%s start", hdev->name);
132
133         hdev->req_status = HCI_REQ_PEND;
134
135         add_wait_queue(&hdev->req_wait_q, &wait);
136         set_current_state(TASK_INTERRUPTIBLE);
137
138         req(hdev, opt);
139         schedule_timeout(timeout);
140
141         remove_wait_queue(&hdev->req_wait_q, &wait);
142
143         if (signal_pending(current))
144                 return -EINTR;
145
146         switch (hdev->req_status) {
147         case HCI_REQ_DONE:
148                 err = -bt_err(hdev->req_result);
149                 break;
150
151         case HCI_REQ_CANCELED:
152                 err = -hdev->req_result;
153                 break;
154
155         default:
156                 err = -ETIMEDOUT;
157                 break;
158         }
159
160         hdev->req_status = hdev->req_result = 0;
161
162         BT_DBG("%s end: err %d", hdev->name, err);
163
164         return err;
165 }
166
167 static inline int hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev, unsigned long opt),
168                                         unsigned long opt, __u32 timeout)
169 {
170         int ret;
171
172         if (!test_bit(HCI_UP, &hdev->flags))
173                 return -ENETDOWN;
174
175         /* Serialize all requests */
176         hci_req_lock(hdev);
177         ret = __hci_request(hdev, req, opt, timeout);
178         hci_req_unlock(hdev);
179
180         return ret;
181 }
182
183 static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
184 {
185         BT_DBG("%s %ld", hdev->name, opt);
186
187         /* Reset device */
188         set_bit(HCI_RESET, &hdev->flags);
189         hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
190 }
191
192 static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
193 {
194         struct hci_cp_delete_stored_link_key cp;
195         struct sk_buff *skb;
196         __le16 param;
197         __u8 flt_type;
198
199         BT_DBG("%s %ld", hdev->name, opt);
200
201         /* Driver initialization */
202
203         /* Special commands */
204         while ((skb = skb_dequeue(&hdev->driver_init))) {
205                 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
206                 skb->dev = (void *) hdev;
207
208                 skb_queue_tail(&hdev->cmd_q, skb);
209                 tasklet_schedule(&hdev->cmd_task);
210         }
211         skb_queue_purge(&hdev->driver_init);
212
213         /* Mandatory initialization */
214
215         /* Reset */
216         if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
217                         set_bit(HCI_RESET, &hdev->flags);
218                         hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
219         }
220
221         /* Read Local Supported Features */
222         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
223
224         /* Read Local Version */
225         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
226
227         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
228         hci_send_cmd(hdev, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
229
230 #if 0
231         /* Host buffer size */
232         {
233                 struct hci_cp_host_buffer_size cp;
234                 cp.acl_mtu = cpu_to_le16(HCI_MAX_ACL_SIZE);
235                 cp.sco_mtu = HCI_MAX_SCO_SIZE;
236                 cp.acl_max_pkt = cpu_to_le16(0xffff);
237                 cp.sco_max_pkt = cpu_to_le16(0xffff);
238                 hci_send_cmd(hdev, HCI_OP_HOST_BUFFER_SIZE, sizeof(cp), &cp);
239         }
240 #endif
241
242         /* Read BD Address */
243         hci_send_cmd(hdev, HCI_OP_READ_BD_ADDR, 0, NULL);
244
245         /* Read Class of Device */
246         hci_send_cmd(hdev, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
247
248         /* Read Local Name */
249         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_NAME, 0, NULL);
250
251         /* Read Voice Setting */
252         hci_send_cmd(hdev, HCI_OP_READ_VOICE_SETTING, 0, NULL);
253
254         /* Optional initialization */
255
256         /* Clear Event Filters */
257         flt_type = HCI_FLT_CLEAR_ALL;
258         hci_send_cmd(hdev, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
259
260         /* Connection accept timeout ~20 secs */
261         param = cpu_to_le16(0x7d00);
262         hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
263
264         bacpy(&cp.bdaddr, BDADDR_ANY);
265         cp.delete_all = 1;
266         hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
267 }
268
269 static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt)
270 {
271         BT_DBG("%s", hdev->name);
272
273         /* Read LE buffer size */
274         hci_send_cmd(hdev, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
275 }
276
277 static void hci_scan_req(struct hci_dev *hdev, unsigned long opt)
278 {
279         __u8 scan = opt;
280
281         BT_DBG("%s %x", hdev->name, scan);
282
283         /* Inquiry and Page scans */
284         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
285 }
286
287 static void hci_auth_req(struct hci_dev *hdev, unsigned long opt)
288 {
289         __u8 auth = opt;
290
291         BT_DBG("%s %x", hdev->name, auth);
292
293         /* Authentication */
294         hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
295 }
296
297 static void hci_encrypt_req(struct hci_dev *hdev, unsigned long opt)
298 {
299         __u8 encrypt = opt;
300
301         BT_DBG("%s %x", hdev->name, encrypt);
302
303         /* Encryption */
304         hci_send_cmd(hdev, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
305 }
306
307 static void hci_linkpol_req(struct hci_dev *hdev, unsigned long opt)
308 {
309         __le16 policy = cpu_to_le16(opt);
310
311         BT_DBG("%s %x", hdev->name, policy);
312
313         /* Default link policy */
314         hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
315 }
316
317 /* Get HCI device by index.
318  * Device is held on return. */
319 struct hci_dev *hci_dev_get(int index)
320 {
321         struct hci_dev *hdev = NULL;
322         struct list_head *p;
323
324         BT_DBG("%d", index);
325
326         if (index < 0)
327                 return NULL;
328
329         read_lock(&hci_dev_list_lock);
330         list_for_each(p, &hci_dev_list) {
331                 struct hci_dev *d = list_entry(p, struct hci_dev, list);
332                 if (d->id == index) {
333                         hdev = hci_dev_hold(d);
334                         break;
335                 }
336         }
337         read_unlock(&hci_dev_list_lock);
338         return hdev;
339 }
340
341 /* ---- Inquiry support ---- */
342 static void inquiry_cache_flush(struct hci_dev *hdev)
343 {
344         struct inquiry_cache *cache = &hdev->inq_cache;
345         struct inquiry_entry *next  = cache->list, *e;
346
347         BT_DBG("cache %p", cache);
348
349         cache->list = NULL;
350         while ((e = next)) {
351                 next = e->next;
352                 kfree(e);
353         }
354 }
355
356 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
357 {
358         struct inquiry_cache *cache = &hdev->inq_cache;
359         struct inquiry_entry *e;
360
361         BT_DBG("cache %p, %s", cache, batostr(bdaddr));
362
363         for (e = cache->list; e; e = e->next)
364                 if (!bacmp(&e->data.bdaddr, bdaddr))
365                         break;
366         return e;
367 }
368
369 void hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data)
370 {
371         struct inquiry_cache *cache = &hdev->inq_cache;
372         struct inquiry_entry *ie;
373
374         BT_DBG("cache %p, %s", cache, batostr(&data->bdaddr));
375
376         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
377         if (!ie) {
378                 /* Entry not in the cache. Add new one. */
379                 ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
380                 if (!ie)
381                         return;
382
383                 ie->next = cache->list;
384                 cache->list = ie;
385         }
386
387         memcpy(&ie->data, data, sizeof(*data));
388         ie->timestamp = jiffies;
389         cache->timestamp = jiffies;
390 }
391
392 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
393 {
394         struct inquiry_cache *cache = &hdev->inq_cache;
395         struct inquiry_info *info = (struct inquiry_info *) buf;
396         struct inquiry_entry *e;
397         int copied = 0;
398
399         for (e = cache->list; e && copied < num; e = e->next, copied++) {
400                 struct inquiry_data *data = &e->data;
401                 bacpy(&info->bdaddr, &data->bdaddr);
402                 info->pscan_rep_mode    = data->pscan_rep_mode;
403                 info->pscan_period_mode = data->pscan_period_mode;
404                 info->pscan_mode        = data->pscan_mode;
405                 memcpy(info->dev_class, data->dev_class, 3);
406                 info->clock_offset      = data->clock_offset;
407                 info++;
408         }
409
410         BT_DBG("cache %p, copied %d", cache, copied);
411         return copied;
412 }
413
414 static void hci_inq_req(struct hci_dev *hdev, unsigned long opt)
415 {
416         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
417         struct hci_cp_inquiry cp;
418
419         BT_DBG("%s", hdev->name);
420
421         if (test_bit(HCI_INQUIRY, &hdev->flags))
422                 return;
423
424         /* Start Inquiry */
425         memcpy(&cp.lap, &ir->lap, 3);
426         cp.length  = ir->length;
427         cp.num_rsp = ir->num_rsp;
428         hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
429 }
430
431 int hci_inquiry(void __user *arg)
432 {
433         __u8 __user *ptr = arg;
434         struct hci_inquiry_req ir;
435         struct hci_dev *hdev;
436         int err = 0, do_inquiry = 0, max_rsp;
437         long timeo;
438         __u8 *buf;
439
440         if (copy_from_user(&ir, ptr, sizeof(ir)))
441                 return -EFAULT;
442
443         hdev = hci_dev_get(ir.dev_id);
444         if (!hdev)
445                 return -ENODEV;
446
447         hci_dev_lock_bh(hdev);
448         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
449                                 inquiry_cache_empty(hdev) ||
450                                 ir.flags & IREQ_CACHE_FLUSH) {
451                 inquiry_cache_flush(hdev);
452                 do_inquiry = 1;
453         }
454         hci_dev_unlock_bh(hdev);
455
456         timeo = ir.length * msecs_to_jiffies(2000);
457
458         if (do_inquiry) {
459                 err = hci_request(hdev, hci_inq_req, (unsigned long)&ir, timeo);
460                 if (err < 0)
461                         goto done;
462         }
463
464         /* for unlimited number of responses we will use buffer with 255 entries */
465         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
466
467         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
468          * copy it to the user space.
469          */
470         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
471         if (!buf) {
472                 err = -ENOMEM;
473                 goto done;
474         }
475
476         hci_dev_lock_bh(hdev);
477         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
478         hci_dev_unlock_bh(hdev);
479
480         BT_DBG("num_rsp %d", ir.num_rsp);
481
482         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
483                 ptr += sizeof(ir);
484                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
485                                         ir.num_rsp))
486                         err = -EFAULT;
487         } else
488                 err = -EFAULT;
489
490         kfree(buf);
491
492 done:
493         hci_dev_put(hdev);
494         return err;
495 }
496
497 /* ---- HCI ioctl helpers ---- */
498
499 int hci_dev_open(__u16 dev)
500 {
501         struct hci_dev *hdev;
502         int ret = 0;
503
504         hdev = hci_dev_get(dev);
505         if (!hdev)
506                 return -ENODEV;
507
508         BT_DBG("%s %p", hdev->name, hdev);
509
510         hci_req_lock(hdev);
511
512         if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
513                 ret = -ERFKILL;
514                 goto done;
515         }
516
517         if (test_bit(HCI_UP, &hdev->flags)) {
518                 ret = -EALREADY;
519                 goto done;
520         }
521
522         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
523                 set_bit(HCI_RAW, &hdev->flags);
524
525         /* Treat all non BR/EDR controllers as raw devices for now */
526         if (hdev->dev_type != HCI_BREDR)
527                 set_bit(HCI_RAW, &hdev->flags);
528
529         if (hdev->open(hdev)) {
530                 ret = -EIO;
531                 goto done;
532         }
533
534         if (!test_bit(HCI_RAW, &hdev->flags)) {
535                 atomic_set(&hdev->cmd_cnt, 1);
536                 set_bit(HCI_INIT, &hdev->flags);
537                 hdev->init_last_cmd = 0;
538
539                 ret = __hci_request(hdev, hci_init_req, 0,
540                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
541
542                 if (lmp_le_capable(hdev))
543                         ret = __hci_request(hdev, hci_le_init_req, 0,
544                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
545
546                 clear_bit(HCI_INIT, &hdev->flags);
547         }
548
549         if (!ret) {
550                 hci_dev_hold(hdev);
551                 set_bit(HCI_UP, &hdev->flags);
552                 hci_notify(hdev, HCI_DEV_UP);
553                 if (!test_bit(HCI_SETUP, &hdev->flags))
554                         mgmt_powered(hdev->id, 1);
555         } else {
556                 /* Init failed, cleanup */
557                 tasklet_kill(&hdev->rx_task);
558                 tasklet_kill(&hdev->tx_task);
559                 tasklet_kill(&hdev->cmd_task);
560
561                 skb_queue_purge(&hdev->cmd_q);
562                 skb_queue_purge(&hdev->rx_q);
563
564                 if (hdev->flush)
565                         hdev->flush(hdev);
566
567                 if (hdev->sent_cmd) {
568                         kfree_skb(hdev->sent_cmd);
569                         hdev->sent_cmd = NULL;
570                 }
571
572                 hdev->close(hdev);
573                 hdev->flags = 0;
574         }
575
576 done:
577         hci_req_unlock(hdev);
578         hci_dev_put(hdev);
579         return ret;
580 }
581
582 static int hci_dev_do_close(struct hci_dev *hdev)
583 {
584         BT_DBG("%s %p", hdev->name, hdev);
585
586         hci_req_cancel(hdev, ENODEV);
587         hci_req_lock(hdev);
588
589         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
590                 del_timer_sync(&hdev->cmd_timer);
591                 hci_req_unlock(hdev);
592                 return 0;
593         }
594
595         /* Kill RX and TX tasks */
596         tasklet_kill(&hdev->rx_task);
597         tasklet_kill(&hdev->tx_task);
598
599         hci_dev_lock_bh(hdev);
600         inquiry_cache_flush(hdev);
601         hci_conn_hash_flush(hdev);
602         hci_dev_unlock_bh(hdev);
603
604         hci_notify(hdev, HCI_DEV_DOWN);
605
606         if (hdev->flush)
607                 hdev->flush(hdev);
608
609         /* Reset device */
610         skb_queue_purge(&hdev->cmd_q);
611         atomic_set(&hdev->cmd_cnt, 1);
612         if (!test_bit(HCI_RAW, &hdev->flags)) {
613                 set_bit(HCI_INIT, &hdev->flags);
614                 __hci_request(hdev, hci_reset_req, 0,
615                                         msecs_to_jiffies(250));
616                 clear_bit(HCI_INIT, &hdev->flags);
617         }
618
619         /* Kill cmd task */
620         tasklet_kill(&hdev->cmd_task);
621
622         /* Drop queues */
623         skb_queue_purge(&hdev->rx_q);
624         skb_queue_purge(&hdev->cmd_q);
625         skb_queue_purge(&hdev->raw_q);
626
627         /* Drop last sent command */
628         if (hdev->sent_cmd) {
629                 del_timer_sync(&hdev->cmd_timer);
630                 kfree_skb(hdev->sent_cmd);
631                 hdev->sent_cmd = NULL;
632         }
633
634         /* After this point our queues are empty
635          * and no tasks are scheduled. */
636         hdev->close(hdev);
637
638         mgmt_powered(hdev->id, 0);
639
640         /* Clear flags */
641         hdev->flags = 0;
642
643         hci_req_unlock(hdev);
644
645         hci_dev_put(hdev);
646         return 0;
647 }
648
649 int hci_dev_close(__u16 dev)
650 {
651         struct hci_dev *hdev;
652         int err;
653
654         hdev = hci_dev_get(dev);
655         if (!hdev)
656                 return -ENODEV;
657         err = hci_dev_do_close(hdev);
658         hci_dev_put(hdev);
659         return err;
660 }
661
662 int hci_dev_reset(__u16 dev)
663 {
664         struct hci_dev *hdev;
665         int ret = 0;
666
667         hdev = hci_dev_get(dev);
668         if (!hdev)
669                 return -ENODEV;
670
671         hci_req_lock(hdev);
672         tasklet_disable(&hdev->tx_task);
673
674         if (!test_bit(HCI_UP, &hdev->flags))
675                 goto done;
676
677         /* Drop queues */
678         skb_queue_purge(&hdev->rx_q);
679         skb_queue_purge(&hdev->cmd_q);
680
681         hci_dev_lock_bh(hdev);
682         inquiry_cache_flush(hdev);
683         hci_conn_hash_flush(hdev);
684         hci_dev_unlock_bh(hdev);
685
686         if (hdev->flush)
687                 hdev->flush(hdev);
688
689         atomic_set(&hdev->cmd_cnt, 1);
690         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
691
692         if (!test_bit(HCI_RAW, &hdev->flags))
693                 ret = __hci_request(hdev, hci_reset_req, 0,
694                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
695
696 done:
697         tasklet_enable(&hdev->tx_task);
698         hci_req_unlock(hdev);
699         hci_dev_put(hdev);
700         return ret;
701 }
702
703 int hci_dev_reset_stat(__u16 dev)
704 {
705         struct hci_dev *hdev;
706         int ret = 0;
707
708         hdev = hci_dev_get(dev);
709         if (!hdev)
710                 return -ENODEV;
711
712         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
713
714         hci_dev_put(hdev);
715
716         return ret;
717 }
718
719 int hci_dev_cmd(unsigned int cmd, void __user *arg)
720 {
721         struct hci_dev *hdev;
722         struct hci_dev_req dr;
723         int err = 0;
724
725         if (copy_from_user(&dr, arg, sizeof(dr)))
726                 return -EFAULT;
727
728         hdev = hci_dev_get(dr.dev_id);
729         if (!hdev)
730                 return -ENODEV;
731
732         switch (cmd) {
733         case HCISETAUTH:
734                 err = hci_request(hdev, hci_auth_req, dr.dev_opt,
735                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
736                 break;
737
738         case HCISETENCRYPT:
739                 if (!lmp_encrypt_capable(hdev)) {
740                         err = -EOPNOTSUPP;
741                         break;
742                 }
743
744                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
745                         /* Auth must be enabled first */
746                         err = hci_request(hdev, hci_auth_req, dr.dev_opt,
747                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
748                         if (err)
749                                 break;
750                 }
751
752                 err = hci_request(hdev, hci_encrypt_req, dr.dev_opt,
753                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
754                 break;
755
756         case HCISETSCAN:
757                 err = hci_request(hdev, hci_scan_req, dr.dev_opt,
758                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
759                 break;
760
761         case HCISETLINKPOL:
762                 err = hci_request(hdev, hci_linkpol_req, dr.dev_opt,
763                                         msecs_to_jiffies(HCI_INIT_TIMEOUT));
764                 break;
765
766         case HCISETLINKMODE:
767                 hdev->link_mode = ((__u16) dr.dev_opt) &
768                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
769                 break;
770
771         case HCISETPTYPE:
772                 hdev->pkt_type = (__u16) dr.dev_opt;
773                 break;
774
775         case HCISETACLMTU:
776                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
777                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
778                 break;
779
780         case HCISETSCOMTU:
781                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
782                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
783                 break;
784
785         default:
786                 err = -EINVAL;
787                 break;
788         }
789
790         hci_dev_put(hdev);
791         return err;
792 }
793
794 int hci_get_dev_list(void __user *arg)
795 {
796         struct hci_dev_list_req *dl;
797         struct hci_dev_req *dr;
798         struct list_head *p;
799         int n = 0, size, err;
800         __u16 dev_num;
801
802         if (get_user(dev_num, (__u16 __user *) arg))
803                 return -EFAULT;
804
805         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
806                 return -EINVAL;
807
808         size = sizeof(*dl) + dev_num * sizeof(*dr);
809
810         dl = kzalloc(size, GFP_KERNEL);
811         if (!dl)
812                 return -ENOMEM;
813
814         dr = dl->dev_req;
815
816         read_lock_bh(&hci_dev_list_lock);
817         list_for_each(p, &hci_dev_list) {
818                 struct hci_dev *hdev;
819
820                 hdev = list_entry(p, struct hci_dev, list);
821
822                 hci_del_off_timer(hdev);
823
824                 if (!test_bit(HCI_MGMT, &hdev->flags))
825                         set_bit(HCI_PAIRABLE, &hdev->flags);
826
827                 (dr + n)->dev_id  = hdev->id;
828                 (dr + n)->dev_opt = hdev->flags;
829
830                 if (++n >= dev_num)
831                         break;
832         }
833         read_unlock_bh(&hci_dev_list_lock);
834
835         dl->dev_num = n;
836         size = sizeof(*dl) + n * sizeof(*dr);
837
838         err = copy_to_user(arg, dl, size);
839         kfree(dl);
840
841         return err ? -EFAULT : 0;
842 }
843
844 int hci_get_dev_info(void __user *arg)
845 {
846         struct hci_dev *hdev;
847         struct hci_dev_info di;
848         int err = 0;
849
850         if (copy_from_user(&di, arg, sizeof(di)))
851                 return -EFAULT;
852
853         hdev = hci_dev_get(di.dev_id);
854         if (!hdev)
855                 return -ENODEV;
856
857         hci_del_off_timer(hdev);
858
859         if (!test_bit(HCI_MGMT, &hdev->flags))
860                 set_bit(HCI_PAIRABLE, &hdev->flags);
861
862         strcpy(di.name, hdev->name);
863         di.bdaddr   = hdev->bdaddr;
864         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
865         di.flags    = hdev->flags;
866         di.pkt_type = hdev->pkt_type;
867         di.acl_mtu  = hdev->acl_mtu;
868         di.acl_pkts = hdev->acl_pkts;
869         di.sco_mtu  = hdev->sco_mtu;
870         di.sco_pkts = hdev->sco_pkts;
871         di.link_policy = hdev->link_policy;
872         di.link_mode   = hdev->link_mode;
873
874         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
875         memcpy(&di.features, &hdev->features, sizeof(di.features));
876
877         if (copy_to_user(arg, &di, sizeof(di)))
878                 err = -EFAULT;
879
880         hci_dev_put(hdev);
881
882         return err;
883 }
884
885 /* ---- Interface to HCI drivers ---- */
886
887 static int hci_rfkill_set_block(void *data, bool blocked)
888 {
889         struct hci_dev *hdev = data;
890
891         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
892
893         if (!blocked)
894                 return 0;
895
896         hci_dev_do_close(hdev);
897
898         return 0;
899 }
900
901 static const struct rfkill_ops hci_rfkill_ops = {
902         .set_block = hci_rfkill_set_block,
903 };
904
905 /* Alloc HCI device */
906 struct hci_dev *hci_alloc_dev(void)
907 {
908         struct hci_dev *hdev;
909
910         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
911         if (!hdev)
912                 return NULL;
913
914         skb_queue_head_init(&hdev->driver_init);
915
916         return hdev;
917 }
918 EXPORT_SYMBOL(hci_alloc_dev);
919
920 /* Free HCI device */
921 void hci_free_dev(struct hci_dev *hdev)
922 {
923         skb_queue_purge(&hdev->driver_init);
924
925         /* will free via device release */
926         put_device(&hdev->dev);
927 }
928 EXPORT_SYMBOL(hci_free_dev);
929
930 static void hci_power_on(struct work_struct *work)
931 {
932         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
933
934         BT_DBG("%s", hdev->name);
935
936         if (hci_dev_open(hdev->id) < 0)
937                 return;
938
939         if (test_bit(HCI_AUTO_OFF, &hdev->flags))
940                 mod_timer(&hdev->off_timer,
941                                 jiffies + msecs_to_jiffies(AUTO_OFF_TIMEOUT));
942
943         if (test_and_clear_bit(HCI_SETUP, &hdev->flags))
944                 mgmt_index_added(hdev->id);
945 }
946
947 static void hci_power_off(struct work_struct *work)
948 {
949         struct hci_dev *hdev = container_of(work, struct hci_dev, power_off);
950
951         BT_DBG("%s", hdev->name);
952
953         hci_dev_close(hdev->id);
954 }
955
956 static void hci_auto_off(unsigned long data)
957 {
958         struct hci_dev *hdev = (struct hci_dev *) data;
959
960         BT_DBG("%s", hdev->name);
961
962         clear_bit(HCI_AUTO_OFF, &hdev->flags);
963
964         queue_work(hdev->workqueue, &hdev->power_off);
965 }
966
967 void hci_del_off_timer(struct hci_dev *hdev)
968 {
969         BT_DBG("%s", hdev->name);
970
971         clear_bit(HCI_AUTO_OFF, &hdev->flags);
972         del_timer(&hdev->off_timer);
973 }
974
975 int hci_uuids_clear(struct hci_dev *hdev)
976 {
977         struct list_head *p, *n;
978
979         list_for_each_safe(p, n, &hdev->uuids) {
980                 struct bt_uuid *uuid;
981
982                 uuid = list_entry(p, struct bt_uuid, list);
983
984                 list_del(p);
985                 kfree(uuid);
986         }
987
988         return 0;
989 }
990
991 int hci_link_keys_clear(struct hci_dev *hdev)
992 {
993         struct list_head *p, *n;
994
995         list_for_each_safe(p, n, &hdev->link_keys) {
996                 struct link_key *key;
997
998                 key = list_entry(p, struct link_key, list);
999
1000                 list_del(p);
1001                 kfree(key);
1002         }
1003
1004         return 0;
1005 }
1006
1007 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1008 {
1009         struct list_head *p;
1010
1011         list_for_each(p, &hdev->link_keys) {
1012                 struct link_key *k;
1013
1014                 k = list_entry(p, struct link_key, list);
1015
1016                 if (bacmp(bdaddr, &k->bdaddr) == 0)
1017                         return k;
1018         }
1019
1020         return NULL;
1021 }
1022
1023 static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1024                                                 u8 key_type, u8 old_key_type)
1025 {
1026         /* Legacy key */
1027         if (key_type < 0x03)
1028                 return 1;
1029
1030         /* Debug keys are insecure so don't store them persistently */
1031         if (key_type == HCI_LK_DEBUG_COMBINATION)
1032                 return 0;
1033
1034         /* Changed combination key and there's no previous one */
1035         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1036                 return 0;
1037
1038         /* Security mode 3 case */
1039         if (!conn)
1040                 return 1;
1041
1042         /* Neither local nor remote side had no-bonding as requirement */
1043         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1044                 return 1;
1045
1046         /* Local side had dedicated bonding as requirement */
1047         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1048                 return 1;
1049
1050         /* Remote side had dedicated bonding as requirement */
1051         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1052                 return 1;
1053
1054         /* If none of the above criteria match, then don't store the key
1055          * persistently */
1056         return 0;
1057 }
1058
1059 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1060                                 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1061 {
1062         struct link_key *key, *old_key;
1063         u8 old_key_type, persistent;
1064
1065         old_key = hci_find_link_key(hdev, bdaddr);
1066         if (old_key) {
1067                 old_key_type = old_key->type;
1068                 key = old_key;
1069         } else {
1070                 old_key_type = conn ? conn->key_type : 0xff;
1071                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1072                 if (!key)
1073                         return -ENOMEM;
1074                 list_add(&key->list, &hdev->link_keys);
1075         }
1076
1077         BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type);
1078
1079         /* Some buggy controller combinations generate a changed
1080          * combination key for legacy pairing even when there's no
1081          * previous key */
1082         if (type == HCI_LK_CHANGED_COMBINATION &&
1083                                         (!conn || conn->remote_auth == 0xff) &&
1084                                         old_key_type == 0xff) {
1085                 type = HCI_LK_COMBINATION;
1086                 if (conn)
1087                         conn->key_type = type;
1088         }
1089
1090         bacpy(&key->bdaddr, bdaddr);
1091         memcpy(key->val, val, 16);
1092         key->pin_len = pin_len;
1093
1094         if (type == HCI_LK_CHANGED_COMBINATION)
1095                 key->type = old_key_type;
1096         else
1097                 key->type = type;
1098
1099         if (!new_key)
1100                 return 0;
1101
1102         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1103
1104         mgmt_new_key(hdev->id, key, persistent);
1105
1106         if (!persistent) {
1107                 list_del(&key->list);
1108                 kfree(key);
1109         }
1110
1111         return 0;
1112 }
1113
1114 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1115 {
1116         struct link_key *key;
1117
1118         key = hci_find_link_key(hdev, bdaddr);
1119         if (!key)
1120                 return -ENOENT;
1121
1122         BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
1123
1124         list_del(&key->list);
1125         kfree(key);
1126
1127         return 0;
1128 }
1129
1130 /* HCI command timer function */
1131 static void hci_cmd_timer(unsigned long arg)
1132 {
1133         struct hci_dev *hdev = (void *) arg;
1134
1135         BT_ERR("%s command tx timeout", hdev->name);
1136         atomic_set(&hdev->cmd_cnt, 1);
1137         clear_bit(HCI_RESET, &hdev->flags);
1138         tasklet_schedule(&hdev->cmd_task);
1139 }
1140
1141 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1142                                                         bdaddr_t *bdaddr)
1143 {
1144         struct oob_data *data;
1145
1146         list_for_each_entry(data, &hdev->remote_oob_data, list)
1147                 if (bacmp(bdaddr, &data->bdaddr) == 0)
1148                         return data;
1149
1150         return NULL;
1151 }
1152
1153 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1154 {
1155         struct oob_data *data;
1156
1157         data = hci_find_remote_oob_data(hdev, bdaddr);
1158         if (!data)
1159                 return -ENOENT;
1160
1161         BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
1162
1163         list_del(&data->list);
1164         kfree(data);
1165
1166         return 0;
1167 }
1168
1169 int hci_remote_oob_data_clear(struct hci_dev *hdev)
1170 {
1171         struct oob_data *data, *n;
1172
1173         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1174                 list_del(&data->list);
1175                 kfree(data);
1176         }
1177
1178         return 0;
1179 }
1180
1181 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1182                                                                 u8 *randomizer)
1183 {
1184         struct oob_data *data;
1185
1186         data = hci_find_remote_oob_data(hdev, bdaddr);
1187
1188         if (!data) {
1189                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1190                 if (!data)
1191                         return -ENOMEM;
1192
1193                 bacpy(&data->bdaddr, bdaddr);
1194                 list_add(&data->list, &hdev->remote_oob_data);
1195         }
1196
1197         memcpy(data->hash, hash, sizeof(data->hash));
1198         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1199
1200         BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
1201
1202         return 0;
1203 }
1204
1205 /* Register HCI device */
1206 int hci_register_dev(struct hci_dev *hdev)
1207 {
1208         struct list_head *head = &hci_dev_list, *p;
1209         int i, id = 0;
1210
1211         BT_DBG("%p name %s bus %d owner %p", hdev, hdev->name,
1212                                                 hdev->bus, hdev->owner);
1213
1214         if (!hdev->open || !hdev->close || !hdev->destruct)
1215                 return -EINVAL;
1216
1217         write_lock_bh(&hci_dev_list_lock);
1218
1219         /* Find first available device id */
1220         list_for_each(p, &hci_dev_list) {
1221                 if (list_entry(p, struct hci_dev, list)->id != id)
1222                         break;
1223                 head = p; id++;
1224         }
1225
1226         sprintf(hdev->name, "hci%d", id);
1227         hdev->id = id;
1228         list_add(&hdev->list, head);
1229
1230         atomic_set(&hdev->refcnt, 1);
1231         spin_lock_init(&hdev->lock);
1232
1233         hdev->flags = 0;
1234         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
1235         hdev->esco_type = (ESCO_HV1);
1236         hdev->link_mode = (HCI_LM_ACCEPT);
1237         hdev->io_capability = 0x03; /* No Input No Output */
1238
1239         hdev->idle_timeout = 0;
1240         hdev->sniff_max_interval = 800;
1241         hdev->sniff_min_interval = 80;
1242
1243         tasklet_init(&hdev->cmd_task, hci_cmd_task, (unsigned long) hdev);
1244         tasklet_init(&hdev->rx_task, hci_rx_task, (unsigned long) hdev);
1245         tasklet_init(&hdev->tx_task, hci_tx_task, (unsigned long) hdev);
1246
1247         skb_queue_head_init(&hdev->rx_q);
1248         skb_queue_head_init(&hdev->cmd_q);
1249         skb_queue_head_init(&hdev->raw_q);
1250
1251         setup_timer(&hdev->cmd_timer, hci_cmd_timer, (unsigned long) hdev);
1252
1253         for (i = 0; i < NUM_REASSEMBLY; i++)
1254                 hdev->reassembly[i] = NULL;
1255
1256         init_waitqueue_head(&hdev->req_wait_q);
1257         mutex_init(&hdev->req_lock);
1258
1259         inquiry_cache_init(hdev);
1260
1261         hci_conn_hash_init(hdev);
1262
1263         INIT_LIST_HEAD(&hdev->blacklist);
1264
1265         INIT_LIST_HEAD(&hdev->uuids);
1266
1267         INIT_LIST_HEAD(&hdev->link_keys);
1268
1269         INIT_LIST_HEAD(&hdev->remote_oob_data);
1270
1271         INIT_WORK(&hdev->power_on, hci_power_on);
1272         INIT_WORK(&hdev->power_off, hci_power_off);
1273         setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
1274
1275         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1276
1277         atomic_set(&hdev->promisc, 0);
1278
1279         write_unlock_bh(&hci_dev_list_lock);
1280
1281         hdev->workqueue = create_singlethread_workqueue(hdev->name);
1282         if (!hdev->workqueue)
1283                 goto nomem;
1284
1285         hci_register_sysfs(hdev);
1286
1287         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
1288                                 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, hdev);
1289         if (hdev->rfkill) {
1290                 if (rfkill_register(hdev->rfkill) < 0) {
1291                         rfkill_destroy(hdev->rfkill);
1292                         hdev->rfkill = NULL;
1293                 }
1294         }
1295
1296         set_bit(HCI_AUTO_OFF, &hdev->flags);
1297         set_bit(HCI_SETUP, &hdev->flags);
1298         queue_work(hdev->workqueue, &hdev->power_on);
1299
1300         hci_notify(hdev, HCI_DEV_REG);
1301
1302         return id;
1303
1304 nomem:
1305         write_lock_bh(&hci_dev_list_lock);
1306         list_del(&hdev->list);
1307         write_unlock_bh(&hci_dev_list_lock);
1308
1309         return -ENOMEM;
1310 }
1311 EXPORT_SYMBOL(hci_register_dev);
1312
1313 /* Unregister HCI device */
1314 int hci_unregister_dev(struct hci_dev *hdev)
1315 {
1316         int i;
1317
1318         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
1319
1320         write_lock_bh(&hci_dev_list_lock);
1321         list_del(&hdev->list);
1322         write_unlock_bh(&hci_dev_list_lock);
1323
1324         hci_dev_do_close(hdev);
1325
1326         for (i = 0; i < NUM_REASSEMBLY; i++)
1327                 kfree_skb(hdev->reassembly[i]);
1328
1329         if (!test_bit(HCI_INIT, &hdev->flags) &&
1330                                         !test_bit(HCI_SETUP, &hdev->flags))
1331                 mgmt_index_removed(hdev->id);
1332
1333         hci_notify(hdev, HCI_DEV_UNREG);
1334
1335         if (hdev->rfkill) {
1336                 rfkill_unregister(hdev->rfkill);
1337                 rfkill_destroy(hdev->rfkill);
1338         }
1339
1340         hci_unregister_sysfs(hdev);
1341
1342         hci_del_off_timer(hdev);
1343
1344         destroy_workqueue(hdev->workqueue);
1345
1346         hci_dev_lock_bh(hdev);
1347         hci_blacklist_clear(hdev);
1348         hci_uuids_clear(hdev);
1349         hci_link_keys_clear(hdev);
1350         hci_remote_oob_data_clear(hdev);
1351         hci_dev_unlock_bh(hdev);
1352
1353         __hci_dev_put(hdev);
1354
1355         return 0;
1356 }
1357 EXPORT_SYMBOL(hci_unregister_dev);
1358
1359 /* Suspend HCI device */
1360 int hci_suspend_dev(struct hci_dev *hdev)
1361 {
1362         hci_notify(hdev, HCI_DEV_SUSPEND);
1363         return 0;
1364 }
1365 EXPORT_SYMBOL(hci_suspend_dev);
1366
1367 /* Resume HCI device */
1368 int hci_resume_dev(struct hci_dev *hdev)
1369 {
1370         hci_notify(hdev, HCI_DEV_RESUME);
1371         return 0;
1372 }
1373 EXPORT_SYMBOL(hci_resume_dev);
1374
1375 /* Receive frame from HCI drivers */
1376 int hci_recv_frame(struct sk_buff *skb)
1377 {
1378         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
1379         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
1380                                 && !test_bit(HCI_INIT, &hdev->flags))) {
1381                 kfree_skb(skb);
1382                 return -ENXIO;
1383         }
1384
1385         /* Incomming skb */
1386         bt_cb(skb)->incoming = 1;
1387
1388         /* Time stamp */
1389         __net_timestamp(skb);
1390
1391         /* Queue frame for rx task */
1392         skb_queue_tail(&hdev->rx_q, skb);
1393         tasklet_schedule(&hdev->rx_task);
1394
1395         return 0;
1396 }
1397 EXPORT_SYMBOL(hci_recv_frame);
1398
1399 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
1400                                                   int count, __u8 index)
1401 {
1402         int len = 0;
1403         int hlen = 0;
1404         int remain = count;
1405         struct sk_buff *skb;
1406         struct bt_skb_cb *scb;
1407
1408         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
1409                                 index >= NUM_REASSEMBLY)
1410                 return -EILSEQ;
1411
1412         skb = hdev->reassembly[index];
1413
1414         if (!skb) {
1415                 switch (type) {
1416                 case HCI_ACLDATA_PKT:
1417                         len = HCI_MAX_FRAME_SIZE;
1418                         hlen = HCI_ACL_HDR_SIZE;
1419                         break;
1420                 case HCI_EVENT_PKT:
1421                         len = HCI_MAX_EVENT_SIZE;
1422                         hlen = HCI_EVENT_HDR_SIZE;
1423                         break;
1424                 case HCI_SCODATA_PKT:
1425                         len = HCI_MAX_SCO_SIZE;
1426                         hlen = HCI_SCO_HDR_SIZE;
1427                         break;
1428                 }
1429
1430                 skb = bt_skb_alloc(len, GFP_ATOMIC);
1431                 if (!skb)
1432                         return -ENOMEM;
1433
1434                 scb = (void *) skb->cb;
1435                 scb->expect = hlen;
1436                 scb->pkt_type = type;
1437
1438                 skb->dev = (void *) hdev;
1439                 hdev->reassembly[index] = skb;
1440         }
1441
1442         while (count) {
1443                 scb = (void *) skb->cb;
1444                 len = min(scb->expect, (__u16)count);
1445
1446                 memcpy(skb_put(skb, len), data, len);
1447
1448                 count -= len;
1449                 data += len;
1450                 scb->expect -= len;
1451                 remain = count;
1452
1453                 switch (type) {
1454                 case HCI_EVENT_PKT:
1455                         if (skb->len == HCI_EVENT_HDR_SIZE) {
1456                                 struct hci_event_hdr *h = hci_event_hdr(skb);
1457                                 scb->expect = h->plen;
1458
1459                                 if (skb_tailroom(skb) < scb->expect) {
1460                                         kfree_skb(skb);
1461                                         hdev->reassembly[index] = NULL;
1462                                         return -ENOMEM;
1463                                 }
1464                         }
1465                         break;
1466
1467                 case HCI_ACLDATA_PKT:
1468                         if (skb->len  == HCI_ACL_HDR_SIZE) {
1469                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
1470                                 scb->expect = __le16_to_cpu(h->dlen);
1471
1472                                 if (skb_tailroom(skb) < scb->expect) {
1473                                         kfree_skb(skb);
1474                                         hdev->reassembly[index] = NULL;
1475                                         return -ENOMEM;
1476                                 }
1477                         }
1478                         break;
1479
1480                 case HCI_SCODATA_PKT:
1481                         if (skb->len == HCI_SCO_HDR_SIZE) {
1482                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
1483                                 scb->expect = h->dlen;
1484
1485                                 if (skb_tailroom(skb) < scb->expect) {
1486                                         kfree_skb(skb);
1487                                         hdev->reassembly[index] = NULL;
1488                                         return -ENOMEM;
1489                                 }
1490                         }
1491                         break;
1492                 }
1493
1494                 if (scb->expect == 0) {
1495                         /* Complete frame */
1496
1497                         bt_cb(skb)->pkt_type = type;
1498                         hci_recv_frame(skb);
1499
1500                         hdev->reassembly[index] = NULL;
1501                         return remain;
1502                 }
1503         }
1504
1505         return remain;
1506 }
1507
1508 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
1509 {
1510         int rem = 0;
1511
1512         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
1513                 return -EILSEQ;
1514
1515         while (count) {
1516                 rem = hci_reassembly(hdev, type, data, count, type - 1);
1517                 if (rem < 0)
1518                         return rem;
1519
1520                 data += (count - rem);
1521                 count = rem;
1522         };
1523
1524         return rem;
1525 }
1526 EXPORT_SYMBOL(hci_recv_fragment);
1527
1528 #define STREAM_REASSEMBLY 0
1529
1530 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
1531 {
1532         int type;
1533         int rem = 0;
1534
1535         while (count) {
1536                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
1537
1538                 if (!skb) {
1539                         struct { char type; } *pkt;
1540
1541                         /* Start of the frame */
1542                         pkt = data;
1543                         type = pkt->type;
1544
1545                         data++;
1546                         count--;
1547                 } else
1548                         type = bt_cb(skb)->pkt_type;
1549
1550                 rem = hci_reassembly(hdev, type, data, count,
1551                                                         STREAM_REASSEMBLY);
1552                 if (rem < 0)
1553                         return rem;
1554
1555                 data += (count - rem);
1556                 count = rem;
1557         };
1558
1559         return rem;
1560 }
1561 EXPORT_SYMBOL(hci_recv_stream_fragment);
1562
1563 /* ---- Interface to upper protocols ---- */
1564
1565 /* Register/Unregister protocols.
1566  * hci_task_lock is used to ensure that no tasks are running. */
1567 int hci_register_proto(struct hci_proto *hp)
1568 {
1569         int err = 0;
1570
1571         BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1572
1573         if (hp->id >= HCI_MAX_PROTO)
1574                 return -EINVAL;
1575
1576         write_lock_bh(&hci_task_lock);
1577
1578         if (!hci_proto[hp->id])
1579                 hci_proto[hp->id] = hp;
1580         else
1581                 err = -EEXIST;
1582
1583         write_unlock_bh(&hci_task_lock);
1584
1585         return err;
1586 }
1587 EXPORT_SYMBOL(hci_register_proto);
1588
1589 int hci_unregister_proto(struct hci_proto *hp)
1590 {
1591         int err = 0;
1592
1593         BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1594
1595         if (hp->id >= HCI_MAX_PROTO)
1596                 return -EINVAL;
1597
1598         write_lock_bh(&hci_task_lock);
1599
1600         if (hci_proto[hp->id])
1601                 hci_proto[hp->id] = NULL;
1602         else
1603                 err = -ENOENT;
1604
1605         write_unlock_bh(&hci_task_lock);
1606
1607         return err;
1608 }
1609 EXPORT_SYMBOL(hci_unregister_proto);
1610
1611 int hci_register_cb(struct hci_cb *cb)
1612 {
1613         BT_DBG("%p name %s", cb, cb->name);
1614
1615         write_lock_bh(&hci_cb_list_lock);
1616         list_add(&cb->list, &hci_cb_list);
1617         write_unlock_bh(&hci_cb_list_lock);
1618
1619         return 0;
1620 }
1621 EXPORT_SYMBOL(hci_register_cb);
1622
1623 int hci_unregister_cb(struct hci_cb *cb)
1624 {
1625         BT_DBG("%p name %s", cb, cb->name);
1626
1627         write_lock_bh(&hci_cb_list_lock);
1628         list_del(&cb->list);
1629         write_unlock_bh(&hci_cb_list_lock);
1630
1631         return 0;
1632 }
1633 EXPORT_SYMBOL(hci_unregister_cb);
1634
1635 static int hci_send_frame(struct sk_buff *skb)
1636 {
1637         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
1638
1639         if (!hdev) {
1640                 kfree_skb(skb);
1641                 return -ENODEV;
1642         }
1643
1644         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
1645
1646         if (atomic_read(&hdev->promisc)) {
1647                 /* Time stamp */
1648                 __net_timestamp(skb);
1649
1650                 hci_send_to_sock(hdev, skb, NULL);
1651         }
1652
1653         /* Get rid of skb owner, prior to sending to the driver. */
1654         skb_orphan(skb);
1655
1656         return hdev->send(skb);
1657 }
1658
1659 /* Send HCI command */
1660 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
1661 {
1662         int len = HCI_COMMAND_HDR_SIZE + plen;
1663         struct hci_command_hdr *hdr;
1664         struct sk_buff *skb;
1665
1666         BT_DBG("%s opcode 0x%x plen %d", hdev->name, opcode, plen);
1667
1668         skb = bt_skb_alloc(len, GFP_ATOMIC);
1669         if (!skb) {
1670                 BT_ERR("%s no memory for command", hdev->name);
1671                 return -ENOMEM;
1672         }
1673
1674         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
1675         hdr->opcode = cpu_to_le16(opcode);
1676         hdr->plen   = plen;
1677
1678         if (plen)
1679                 memcpy(skb_put(skb, plen), param, plen);
1680
1681         BT_DBG("skb len %d", skb->len);
1682
1683         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
1684         skb->dev = (void *) hdev;
1685
1686         if (test_bit(HCI_INIT, &hdev->flags))
1687                 hdev->init_last_cmd = opcode;
1688
1689         skb_queue_tail(&hdev->cmd_q, skb);
1690         tasklet_schedule(&hdev->cmd_task);
1691
1692         return 0;
1693 }
1694
1695 /* Get data from the previously sent command */
1696 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
1697 {
1698         struct hci_command_hdr *hdr;
1699
1700         if (!hdev->sent_cmd)
1701                 return NULL;
1702
1703         hdr = (void *) hdev->sent_cmd->data;
1704
1705         if (hdr->opcode != cpu_to_le16(opcode))
1706                 return NULL;
1707
1708         BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1709
1710         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
1711 }
1712
1713 /* Send ACL data */
1714 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
1715 {
1716         struct hci_acl_hdr *hdr;
1717         int len = skb->len;
1718
1719         skb_push(skb, HCI_ACL_HDR_SIZE);
1720         skb_reset_transport_header(skb);
1721         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
1722         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
1723         hdr->dlen   = cpu_to_le16(len);
1724 }
1725
1726 void hci_send_acl(struct hci_conn *conn, struct sk_buff *skb, __u16 flags)
1727 {
1728         struct hci_dev *hdev = conn->hdev;
1729         struct sk_buff *list;
1730
1731         BT_DBG("%s conn %p flags 0x%x", hdev->name, conn, flags);
1732
1733         skb->dev = (void *) hdev;
1734         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
1735         hci_add_acl_hdr(skb, conn->handle, flags);
1736
1737         list = skb_shinfo(skb)->frag_list;
1738         if (!list) {
1739                 /* Non fragmented */
1740                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
1741
1742                 skb_queue_tail(&conn->data_q, skb);
1743         } else {
1744                 /* Fragmented */
1745                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
1746
1747                 skb_shinfo(skb)->frag_list = NULL;
1748
1749                 /* Queue all fragments atomically */
1750                 spin_lock_bh(&conn->data_q.lock);
1751
1752                 __skb_queue_tail(&conn->data_q, skb);
1753
1754                 flags &= ~ACL_START;
1755                 flags |= ACL_CONT;
1756                 do {
1757                         skb = list; list = list->next;
1758
1759                         skb->dev = (void *) hdev;
1760                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
1761                         hci_add_acl_hdr(skb, conn->handle, flags);
1762
1763                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
1764
1765                         __skb_queue_tail(&conn->data_q, skb);
1766                 } while (list);
1767
1768                 spin_unlock_bh(&conn->data_q.lock);
1769         }
1770
1771         tasklet_schedule(&hdev->tx_task);
1772 }
1773 EXPORT_SYMBOL(hci_send_acl);
1774
1775 /* Send SCO data */
1776 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
1777 {
1778         struct hci_dev *hdev = conn->hdev;
1779         struct hci_sco_hdr hdr;
1780
1781         BT_DBG("%s len %d", hdev->name, skb->len);
1782
1783         hdr.handle = cpu_to_le16(conn->handle);
1784         hdr.dlen   = skb->len;
1785
1786         skb_push(skb, HCI_SCO_HDR_SIZE);
1787         skb_reset_transport_header(skb);
1788         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
1789
1790         skb->dev = (void *) hdev;
1791         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
1792
1793         skb_queue_tail(&conn->data_q, skb);
1794         tasklet_schedule(&hdev->tx_task);
1795 }
1796 EXPORT_SYMBOL(hci_send_sco);
1797
1798 /* ---- HCI TX task (outgoing data) ---- */
1799
1800 /* HCI Connection scheduler */
1801 static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int *quote)
1802 {
1803         struct hci_conn_hash *h = &hdev->conn_hash;
1804         struct hci_conn *conn = NULL;
1805         int num = 0, min = ~0;
1806         struct list_head *p;
1807
1808         /* We don't have to lock device here. Connections are always
1809          * added and removed with TX task disabled. */
1810         list_for_each(p, &h->list) {
1811                 struct hci_conn *c;
1812                 c = list_entry(p, struct hci_conn, list);
1813
1814                 if (c->type != type || skb_queue_empty(&c->data_q))
1815                         continue;
1816
1817                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
1818                         continue;
1819
1820                 num++;
1821
1822                 if (c->sent < min) {
1823                         min  = c->sent;
1824                         conn = c;
1825                 }
1826         }
1827
1828         if (conn) {
1829                 int cnt, q;
1830
1831                 switch (conn->type) {
1832                 case ACL_LINK:
1833                         cnt = hdev->acl_cnt;
1834                         break;
1835                 case SCO_LINK:
1836                 case ESCO_LINK:
1837                         cnt = hdev->sco_cnt;
1838                         break;
1839                 case LE_LINK:
1840                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
1841                         break;
1842                 default:
1843                         cnt = 0;
1844                         BT_ERR("Unknown link type");
1845                 }
1846
1847                 q = cnt / num;
1848                 *quote = q ? q : 1;
1849         } else
1850                 *quote = 0;
1851
1852         BT_DBG("conn %p quote %d", conn, *quote);
1853         return conn;
1854 }
1855
1856 static inline void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
1857 {
1858         struct hci_conn_hash *h = &hdev->conn_hash;
1859         struct list_head *p;
1860         struct hci_conn  *c;
1861
1862         BT_ERR("%s link tx timeout", hdev->name);
1863
1864         /* Kill stalled connections */
1865         list_for_each(p, &h->list) {
1866                 c = list_entry(p, struct hci_conn, list);
1867                 if (c->type == type && c->sent) {
1868                         BT_ERR("%s killing stalled connection %s",
1869                                 hdev->name, batostr(&c->dst));
1870                         hci_acl_disconn(c, 0x13);
1871                 }
1872         }
1873 }
1874
1875 static inline void hci_sched_acl(struct hci_dev *hdev)
1876 {
1877         struct hci_conn *conn;
1878         struct sk_buff *skb;
1879         int quote;
1880
1881         BT_DBG("%s", hdev->name);
1882
1883         if (!test_bit(HCI_RAW, &hdev->flags)) {
1884                 /* ACL tx timeout must be longer than maximum
1885                  * link supervision timeout (40.9 seconds) */
1886                 if (!hdev->acl_cnt && time_after(jiffies, hdev->acl_last_tx + HZ * 45))
1887                         hci_link_tx_to(hdev, ACL_LINK);
1888         }
1889
1890         while (hdev->acl_cnt && (conn = hci_low_sent(hdev, ACL_LINK, &quote))) {
1891                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1892                         BT_DBG("skb %p len %d", skb, skb->len);
1893
1894                         hci_conn_enter_active_mode(conn);
1895
1896                         hci_send_frame(skb);
1897                         hdev->acl_last_tx = jiffies;
1898
1899                         hdev->acl_cnt--;
1900                         conn->sent++;
1901                 }
1902         }
1903 }
1904
1905 /* Schedule SCO */
1906 static inline void hci_sched_sco(struct hci_dev *hdev)
1907 {
1908         struct hci_conn *conn;
1909         struct sk_buff *skb;
1910         int quote;
1911
1912         BT_DBG("%s", hdev->name);
1913
1914         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
1915                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1916                         BT_DBG("skb %p len %d", skb, skb->len);
1917                         hci_send_frame(skb);
1918
1919                         conn->sent++;
1920                         if (conn->sent == ~0)
1921                                 conn->sent = 0;
1922                 }
1923         }
1924 }
1925
1926 static inline void hci_sched_esco(struct hci_dev *hdev)
1927 {
1928         struct hci_conn *conn;
1929         struct sk_buff *skb;
1930         int quote;
1931
1932         BT_DBG("%s", hdev->name);
1933
1934         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK, &quote))) {
1935                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1936                         BT_DBG("skb %p len %d", skb, skb->len);
1937                         hci_send_frame(skb);
1938
1939                         conn->sent++;
1940                         if (conn->sent == ~0)
1941                                 conn->sent = 0;
1942                 }
1943         }
1944 }
1945
1946 static inline void hci_sched_le(struct hci_dev *hdev)
1947 {
1948         struct hci_conn *conn;
1949         struct sk_buff *skb;
1950         int quote, cnt;
1951
1952         BT_DBG("%s", hdev->name);
1953
1954         if (!test_bit(HCI_RAW, &hdev->flags)) {
1955                 /* LE tx timeout must be longer than maximum
1956                  * link supervision timeout (40.9 seconds) */
1957                 if (!hdev->le_cnt && hdev->le_pkts &&
1958                                 time_after(jiffies, hdev->le_last_tx + HZ * 45))
1959                         hci_link_tx_to(hdev, LE_LINK);
1960         }
1961
1962         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
1963         while (cnt && (conn = hci_low_sent(hdev, LE_LINK, &quote))) {
1964                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
1965                         BT_DBG("skb %p len %d", skb, skb->len);
1966
1967                         hci_send_frame(skb);
1968                         hdev->le_last_tx = jiffies;
1969
1970                         cnt--;
1971                         conn->sent++;
1972                 }
1973         }
1974         if (hdev->le_pkts)
1975                 hdev->le_cnt = cnt;
1976         else
1977                 hdev->acl_cnt = cnt;
1978 }
1979
1980 static void hci_tx_task(unsigned long arg)
1981 {
1982         struct hci_dev *hdev = (struct hci_dev *) arg;
1983         struct sk_buff *skb;
1984
1985         read_lock(&hci_task_lock);
1986
1987         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
1988                 hdev->sco_cnt, hdev->le_cnt);
1989
1990         /* Schedule queues and send stuff to HCI driver */
1991
1992         hci_sched_acl(hdev);
1993
1994         hci_sched_sco(hdev);
1995
1996         hci_sched_esco(hdev);
1997
1998         hci_sched_le(hdev);
1999
2000         /* Send next queued raw (unknown type) packet */
2001         while ((skb = skb_dequeue(&hdev->raw_q)))
2002                 hci_send_frame(skb);
2003
2004         read_unlock(&hci_task_lock);
2005 }
2006
2007 /* ----- HCI RX task (incoming data processing) ----- */
2008
2009 /* ACL data packet */
2010 static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2011 {
2012         struct hci_acl_hdr *hdr = (void *) skb->data;
2013         struct hci_conn *conn;
2014         __u16 handle, flags;
2015
2016         skb_pull(skb, HCI_ACL_HDR_SIZE);
2017
2018         handle = __le16_to_cpu(hdr->handle);
2019         flags  = hci_flags(handle);
2020         handle = hci_handle(handle);
2021
2022         BT_DBG("%s len %d handle 0x%x flags 0x%x", hdev->name, skb->len, handle, flags);
2023
2024         hdev->stat.acl_rx++;
2025
2026         hci_dev_lock(hdev);
2027         conn = hci_conn_hash_lookup_handle(hdev, handle);
2028         hci_dev_unlock(hdev);
2029
2030         if (conn) {
2031                 register struct hci_proto *hp;
2032
2033                 hci_conn_enter_active_mode(conn);
2034
2035                 /* Send to upper protocol */
2036                 hp = hci_proto[HCI_PROTO_L2CAP];
2037                 if (hp && hp->recv_acldata) {
2038                         hp->recv_acldata(conn, skb, flags);
2039                         return;
2040                 }
2041         } else {
2042                 BT_ERR("%s ACL packet for unknown connection handle %d",
2043                         hdev->name, handle);
2044         }
2045
2046         kfree_skb(skb);
2047 }
2048
2049 /* SCO data packet */
2050 static inline void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2051 {
2052         struct hci_sco_hdr *hdr = (void *) skb->data;
2053         struct hci_conn *conn;
2054         __u16 handle;
2055
2056         skb_pull(skb, HCI_SCO_HDR_SIZE);
2057
2058         handle = __le16_to_cpu(hdr->handle);
2059
2060         BT_DBG("%s len %d handle 0x%x", hdev->name, skb->len, handle);
2061
2062         hdev->stat.sco_rx++;
2063
2064         hci_dev_lock(hdev);
2065         conn = hci_conn_hash_lookup_handle(hdev, handle);
2066         hci_dev_unlock(hdev);
2067
2068         if (conn) {
2069                 register struct hci_proto *hp;
2070
2071                 /* Send to upper protocol */
2072                 hp = hci_proto[HCI_PROTO_SCO];
2073                 if (hp && hp->recv_scodata) {
2074                         hp->recv_scodata(conn, skb);
2075                         return;
2076                 }
2077         } else {
2078                 BT_ERR("%s SCO packet for unknown connection handle %d",
2079                         hdev->name, handle);
2080         }
2081
2082         kfree_skb(skb);
2083 }
2084
2085 static void hci_rx_task(unsigned long arg)
2086 {
2087         struct hci_dev *hdev = (struct hci_dev *) arg;
2088         struct sk_buff *skb;
2089
2090         BT_DBG("%s", hdev->name);
2091
2092         read_lock(&hci_task_lock);
2093
2094         while ((skb = skb_dequeue(&hdev->rx_q))) {
2095                 if (atomic_read(&hdev->promisc)) {
2096                         /* Send copy to the sockets */
2097                         hci_send_to_sock(hdev, skb, NULL);
2098                 }
2099
2100                 if (test_bit(HCI_RAW, &hdev->flags)) {
2101                         kfree_skb(skb);
2102                         continue;
2103                 }
2104
2105                 if (test_bit(HCI_INIT, &hdev->flags)) {
2106                         /* Don't process data packets in this states. */
2107                         switch (bt_cb(skb)->pkt_type) {
2108                         case HCI_ACLDATA_PKT:
2109                         case HCI_SCODATA_PKT:
2110                                 kfree_skb(skb);
2111                                 continue;
2112                         }
2113                 }
2114
2115                 /* Process frame */
2116                 switch (bt_cb(skb)->pkt_type) {
2117                 case HCI_EVENT_PKT:
2118                         hci_event_packet(hdev, skb);
2119                         break;
2120
2121                 case HCI_ACLDATA_PKT:
2122                         BT_DBG("%s ACL data packet", hdev->name);
2123                         hci_acldata_packet(hdev, skb);
2124                         break;
2125
2126                 case HCI_SCODATA_PKT:
2127                         BT_DBG("%s SCO data packet", hdev->name);
2128                         hci_scodata_packet(hdev, skb);
2129                         break;
2130
2131                 default:
2132                         kfree_skb(skb);
2133                         break;
2134                 }
2135         }
2136
2137         read_unlock(&hci_task_lock);
2138 }
2139
2140 static void hci_cmd_task(unsigned long arg)
2141 {
2142         struct hci_dev *hdev = (struct hci_dev *) arg;
2143         struct sk_buff *skb;
2144
2145         BT_DBG("%s cmd %d", hdev->name, atomic_read(&hdev->cmd_cnt));
2146
2147         /* Send queued commands */
2148         if (atomic_read(&hdev->cmd_cnt)) {
2149                 skb = skb_dequeue(&hdev->cmd_q);
2150                 if (!skb)
2151                         return;
2152
2153                 kfree_skb(hdev->sent_cmd);
2154
2155                 hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
2156                 if (hdev->sent_cmd) {
2157                         atomic_dec(&hdev->cmd_cnt);
2158                         hci_send_frame(skb);
2159                         mod_timer(&hdev->cmd_timer,
2160                                   jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT));
2161                 } else {
2162                         skb_queue_head(&hdev->cmd_q, skb);
2163                         tasklet_schedule(&hdev->cmd_task);
2164                 }
2165         }
2166 }