/****************************************************************************** * * Copyright 2014 Google, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * ******************************************************************************/ #define LOG_TAG "bt_hci" #include "hci_layer.h" #include <base/bind.h> #include <base/logging.h> #include <base/run_loop.h> #include <base/sequenced_task_runner.h> #include <base/threading/thread.h> #include <frameworks/base/core/proto/android/bluetooth/hci/enums.pb.h> #include <signal.h> #include <string.h> #include <sys/types.h> #include <unistd.h> #include <chrono> #include <mutex> #include "btcore/include/module.h" #include "btsnoop.h" #include "buffer_allocator.h" #include "common/message_loop_thread.h" #include "common/metrics.h" #include "hci_inject.h" #include "hci_internals.h" #include "hcidefs.h" #include "hcimsgs.h" #include "osi/include/alarm.h" #include "osi/include/list.h" #include "osi/include/log.h" #include "osi/include/properties.h" #include "osi/include/reactor.h" #include "packet_fragmenter.h" #define BT_HCI_TIMEOUT_TAG_NUM 1010000 using bluetooth::common::MessageLoopThread; extern void hci_initialize(); extern void hci_transmit(BT_HDR* packet); extern void hci_close(); extern int hci_open_firmware_log_file(); extern void hci_close_firmware_log_file(int fd); extern void hci_log_firmware_debug_packet(int fd, BT_HDR* packet); static int hci_firmware_log_fd = INVALID_FD; typedef struct { uint16_t opcode; future_t* complete_future; command_complete_cb complete_callback; command_status_cb status_callback; void* context; BT_HDR* command; std::chrono::time_point<std::chrono::steady_clock> timestamp; } waiting_command_t; // Using a define here, because it can be stringified for the property lookup // Default timeout should be less than BLE_START_TIMEOUT and // having less than 3 sec would hold the wakelock for init #define DEFAULT_STARTUP_TIMEOUT_MS 2900 #define STRING_VALUE_OF(x) #x // Abort if there is no response to an HCI command. static const uint32_t COMMAND_PENDING_TIMEOUT_MS = 2000; static const uint32_t COMMAND_PENDING_MUTEX_ACQUIRE_TIMEOUT_MS = 500; static const uint32_t COMMAND_TIMEOUT_RESTART_MS = 5000; static const int HCI_UNKNOWN_COMMAND_TIMED_OUT = 0x00ffffff; static const int HCI_STARTUP_TIMED_OUT = 0x00eeeeee; // Our interface static bool interface_created; static hci_t interface; // Modules we import and callbacks we export static const allocator_t* buffer_allocator; static const btsnoop_t* btsnoop; static const packet_fragmenter_t* packet_fragmenter; static future_t* startup_future; static MessageLoopThread hci_thread("bt_hci_thread"); static alarm_t* startup_timer; // Outbound-related static int command_credits = 1; static std::mutex command_credits_mutex; static std::queue<base::Closure> command_queue; // Inbound-related static alarm_t* command_response_timer; static list_t* commands_pending_response; static std::recursive_timed_mutex commands_pending_response_mutex; static alarm_t* hci_timeout_abort_timer; // The hand-off point for data going to a higher layer, set by the higher layer static base::Callback<void(const base::Location&, BT_HDR*)> send_data_upwards; static bool filter_incoming_event(BT_HDR* packet); static waiting_command_t* get_waiting_command(command_opcode_t opcode); static int get_num_waiting_commands(); static void event_finish_startup(void* context); static void startup_timer_expired(void* context); static void enqueue_command(waiting_command_t* wait_entry); static void event_command_ready(waiting_command_t* wait_entry); static void enqueue_packet(void* packet); static void event_packet_ready(void* packet); static void command_timed_out(void* context); static void update_command_response_timer(void); static void transmit_fragment(BT_HDR* packet, bool send_transmit_finished); static void dispatch_reassembled(BT_HDR* packet); static void fragmenter_transmit_finished(BT_HDR* packet, bool all_fragments_sent); static const packet_fragmenter_callbacks_t packet_fragmenter_callbacks = { transmit_fragment, dispatch_reassembled, fragmenter_transmit_finished}; void initialization_complete() { hci_thread.DoInThread(FROM_HERE, base::Bind(&event_finish_startup, nullptr)); } void hci_event_received(const base::Location& from_here, BT_HDR* packet) { btsnoop->capture(packet, true); if (!filter_incoming_event(packet)) { send_data_upwards.Run(from_here, packet); } } void acl_event_received(BT_HDR* packet) { btsnoop->capture(packet, true); packet_fragmenter->reassemble_and_dispatch(packet); } void sco_data_received(BT_HDR* packet) { btsnoop->capture(packet, true); packet_fragmenter->reassemble_and_dispatch(packet); } // Module lifecycle functions static future_t* hci_module_shut_down(); static future_t* hci_module_start_up(void) { LOG_INFO(LOG_TAG, "%s", __func__); // The host is only allowed to send at most one command initially, // as per the Bluetooth spec, Volume 2, Part E, 4.4 (Command Flow Control) // This value can change when you get a command complete or command status // event. command_credits = 1; // For now, always use the default timeout on non-Android builds. uint64_t startup_timeout_ms = DEFAULT_STARTUP_TIMEOUT_MS; // Grab the override startup timeout ms, if present. char timeout_prop[PROPERTY_VALUE_MAX]; if (!osi_property_get("bluetooth.enable_timeout_ms", timeout_prop, STRING_VALUE_OF(DEFAULT_STARTUP_TIMEOUT_MS)) || (startup_timeout_ms = atoi(timeout_prop)) < 100) startup_timeout_ms = DEFAULT_STARTUP_TIMEOUT_MS; startup_timer = alarm_new("hci.startup_timer"); if (!startup_timer) { LOG_ERROR(LOG_TAG, "%s unable to create startup timer.", __func__); goto error; } command_response_timer = alarm_new("hci.command_response_timer"); if (!command_response_timer) { LOG_ERROR(LOG_TAG, "%s unable to create command response timer.", __func__); goto error; } hci_thread.StartUp(); if (!hci_thread.IsRunning()) { LOG_ERROR(LOG_TAG, "%s unable to start thread.", __func__); goto error; } if (!hci_thread.EnableRealTimeScheduling()) { LOG_ERROR(LOG_TAG, "%s unable to make thread RT.", __func__); goto error; } commands_pending_response = list_new(NULL); if (!commands_pending_response) { LOG_ERROR(LOG_TAG, "%s unable to create list for commands pending response.", __func__); goto error; } // Make sure we run in a bounded amount of time future_t* local_startup_future; local_startup_future = future_new(); startup_future = local_startup_future; alarm_set(startup_timer, startup_timeout_ms, startup_timer_expired, NULL); packet_fragmenter->init(&packet_fragmenter_callbacks); hci_thread.DoInThread(FROM_HERE, base::Bind(&hci_initialize)); LOG_DEBUG(LOG_TAG, "%s starting async portion", __func__); return local_startup_future; error: hci_module_shut_down(); // returns NULL so no need to wait for it return future_new_immediate(FUTURE_FAIL); } static future_t* hci_module_shut_down() { LOG_INFO(LOG_TAG, "%s", __func__); // Free the timers { std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); alarm_free(command_response_timer); command_response_timer = NULL; alarm_free(startup_timer); startup_timer = NULL; } hci_thread.ShutDown(); // Close HCI to prevent callbacks. hci_close(); { std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); list_free(commands_pending_response); commands_pending_response = NULL; } packet_fragmenter->cleanup(); // Clean up abort timer, if it exists. if (hci_timeout_abort_timer != NULL) { alarm_free(hci_timeout_abort_timer); hci_timeout_abort_timer = NULL; } if (hci_firmware_log_fd != INVALID_FD) { hci_close_firmware_log_file(hci_firmware_log_fd); hci_firmware_log_fd = INVALID_FD; } return NULL; } EXPORT_SYMBOL extern const module_t hci_module = { .name = HCI_MODULE, .init = NULL, .start_up = hci_module_start_up, .shut_down = hci_module_shut_down, .clean_up = NULL, .dependencies = {BTSNOOP_MODULE, NULL}}; // Interface functions static void set_data_cb( base::Callback<void(const base::Location&, BT_HDR*)> send_data_cb) { send_data_upwards = std::move(send_data_cb); } static void transmit_command(BT_HDR* command, command_complete_cb complete_callback, command_status_cb status_callback, void* context) { waiting_command_t* wait_entry = reinterpret_cast<waiting_command_t*>( osi_calloc(sizeof(waiting_command_t))); uint8_t* stream = command->data + command->offset; STREAM_TO_UINT16(wait_entry->opcode, stream); wait_entry->complete_callback = complete_callback; wait_entry->status_callback = status_callback; wait_entry->command = command; wait_entry->context = context; // Store the command message type in the event field // in case the upper layer didn't already command->event = MSG_STACK_TO_HC_HCI_CMD; enqueue_command(wait_entry); } static future_t* transmit_command_futured(BT_HDR* command) { waiting_command_t* wait_entry = reinterpret_cast<waiting_command_t*>( osi_calloc(sizeof(waiting_command_t))); future_t* future = future_new(); uint8_t* stream = command->data + command->offset; STREAM_TO_UINT16(wait_entry->opcode, stream); wait_entry->complete_future = future; wait_entry->command = command; // Store the command message type in the event field // in case the upper layer didn't already command->event = MSG_STACK_TO_HC_HCI_CMD; enqueue_command(wait_entry); return future; } static void transmit_downward(uint16_t type, void* data) { if (type == MSG_STACK_TO_HC_HCI_CMD) { // TODO(zachoverflow): eliminate this call transmit_command((BT_HDR*)data, NULL, NULL, NULL); LOG_WARN(LOG_TAG, "%s legacy transmit of command. Use transmit_command instead.", __func__); } else { enqueue_packet(data); } } // Start up functions static void event_finish_startup(UNUSED_ATTR void* context) { LOG_INFO(LOG_TAG, "%s", __func__); std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); alarm_cancel(startup_timer); if (!startup_future) { return; } future_ready(startup_future, FUTURE_SUCCESS); startup_future = NULL; } static void startup_timer_expired(UNUSED_ATTR void* context) { LOG_ERROR(LOG_TAG, "%s", __func__); LOG_EVENT_INT(BT_HCI_TIMEOUT_TAG_NUM, HCI_STARTUP_TIMED_OUT); abort(); } // Command/packet transmitting functions static void enqueue_command(waiting_command_t* wait_entry) { base::Closure callback = base::Bind(&event_command_ready, wait_entry); std::lock_guard<std::mutex> command_credits_lock(command_credits_mutex); if (command_credits > 0) { if (!hci_thread.DoInThread(FROM_HERE, std::move(callback))) { // HCI Layer was shut down or not running buffer_allocator->free(wait_entry->command); osi_free(wait_entry); return; } command_credits--; } else { command_queue.push(std::move(callback)); } } static void event_command_ready(waiting_command_t* wait_entry) { { /// Move it to the list of commands awaiting response std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); wait_entry->timestamp = std::chrono::steady_clock::now(); list_append(commands_pending_response, wait_entry); } // Send it off packet_fragmenter->fragment_and_dispatch(wait_entry->command); update_command_response_timer(); } static void enqueue_packet(void* packet) { if (!hci_thread.DoInThread(FROM_HERE, base::Bind(&event_packet_ready, packet))) { // HCI Layer was shut down or not running buffer_allocator->free(packet); return; } } static void event_packet_ready(void* pkt) { // The queue may be the command queue or the packet queue, we don't care BT_HDR* packet = (BT_HDR*)pkt; packet_fragmenter->fragment_and_dispatch(packet); } // Callback for the fragmenter to send a fragment static void transmit_fragment(BT_HDR* packet, bool send_transmit_finished) { btsnoop->capture(packet, false); // HCI command packets are freed on a different thread when the matching // event is received. Check packet->event before sending to avoid a race. bool free_after_transmit = (packet->event & MSG_EVT_MASK) != MSG_STACK_TO_HC_HCI_CMD && send_transmit_finished; hci_transmit(packet); if (free_after_transmit) { buffer_allocator->free(packet); } } static void fragmenter_transmit_finished(BT_HDR* packet, bool all_fragments_sent) { if (all_fragments_sent) { buffer_allocator->free(packet); } else { // This is kind of a weird case, since we're dispatching a partially sent // packet up to a higher layer. // TODO(zachoverflow): rework upper layer so this isn't necessary. send_data_upwards.Run(FROM_HERE, packet); } } // Abort. The chip has had time to write any debugging information. static void hci_timeout_abort(void* unused_data) { LOG_ERROR(LOG_TAG, "%s restarting the Bluetooth process.", __func__); hci_close_firmware_log_file(hci_firmware_log_fd); // We shouldn't try to recover the stack from this command timeout. // If it's caused by a software bug, fix it. If it's a hardware bug, fix it. abort(); } static void command_timed_out_log_info(void* original_wait_entry) { LOG_ERROR(LOG_TAG, "%s: %d commands pending response", __func__, get_num_waiting_commands()); for (const list_node_t* node = list_begin(commands_pending_response); node != list_end(commands_pending_response); node = list_next(node)) { waiting_command_t* wait_entry = reinterpret_cast<waiting_command_t*>(list_node(node)); int wait_time_ms = std::chrono::duration_cast<std::chrono::milliseconds>( std::chrono::steady_clock::now() - wait_entry->timestamp) .count(); LOG_ERROR(LOG_TAG, "%s: Waited %d ms for a response to opcode: 0x%x %s", __func__, wait_time_ms, wait_entry->opcode, (wait_entry == original_wait_entry) ? "*matches timer*" : ""); // Dump the length field and the first byte of the payload, if present. uint8_t* command = wait_entry->command->data + wait_entry->command->offset; if (wait_entry->command->len > 3) { LOG_ERROR(LOG_TAG, "%s: Size %d Hex %02x %02x %02x %02x", __func__, wait_entry->command->len, command[0], command[1], command[2], command[3]); } else { LOG_ERROR(LOG_TAG, "%s: Size %d Hex %02x %02x %02x", __func__, wait_entry->command->len, command[0], command[1], command[2]); } LOG_EVENT_INT(BT_HCI_TIMEOUT_TAG_NUM, wait_entry->opcode); bluetooth::common::LogHciTimeoutEvent(wait_entry->opcode); } } // Print debugging information and quit. Don't dereference original_wait_entry. static void command_timed_out(void* original_wait_entry) { LOG_ERROR(LOG_TAG, "%s", __func__); std::unique_lock<std::recursive_timed_mutex> lock( commands_pending_response_mutex, std::defer_lock); if (!lock.try_lock_for(std::chrono::milliseconds( COMMAND_PENDING_MUTEX_ACQUIRE_TIMEOUT_MS))) { LOG_ERROR(LOG_TAG, "%s: Cannot obtain the mutex", __func__); LOG_EVENT_INT(BT_HCI_TIMEOUT_TAG_NUM, HCI_UNKNOWN_COMMAND_TIMED_OUT); bluetooth::common::LogHciTimeoutEvent(android::bluetooth::hci::CMD_UNKNOWN); } else { command_timed_out_log_info(original_wait_entry); lock.unlock(); } // Don't request a firmware dump for multiple hci timeouts if (hci_timeout_abort_timer != NULL || hci_firmware_log_fd != INVALID_FD) { return; } LOG_ERROR(LOG_TAG, "%s: requesting a firmware dump.", __func__); /* Allocate a buffer to hold the HCI command. */ BT_HDR* bt_hdr = static_cast<BT_HDR*>(osi_malloc(sizeof(BT_HDR) + HCIC_PREAMBLE_SIZE)); bt_hdr->len = HCIC_PREAMBLE_SIZE; bt_hdr->event = MSG_STACK_TO_HC_HCI_CMD; bt_hdr->offset = 0; uint8_t* hci_packet = reinterpret_cast<uint8_t*>(bt_hdr + 1); UINT16_TO_STREAM(hci_packet, HCI_GRP_VENDOR_SPECIFIC | HCI_CONTROLLER_DEBUG_INFO_OCF); UINT8_TO_STREAM(hci_packet, 0); // No parameters hci_firmware_log_fd = hci_open_firmware_log_file(); transmit_fragment(bt_hdr, true); osi_free(bt_hdr); LOG_ERROR(LOG_TAG, "%s: Setting a timer to restart.", __func__); hci_timeout_abort_timer = alarm_new("hci.hci_timeout_aborter"); if (!hci_timeout_abort_timer) { LOG_ERROR(LOG_TAG, "%s unable to create an abort timer.", __func__); abort(); } alarm_set(hci_timeout_abort_timer, COMMAND_TIMEOUT_RESTART_MS, hci_timeout_abort, nullptr); } // Event/packet receiving functions void process_command_credits(int credits) { std::lock_guard<std::mutex> command_credits_lock(command_credits_mutex); if (!hci_thread.IsRunning()) { // HCI Layer was shut down or not running return; } // Subtract commands in flight. command_credits = credits - get_num_waiting_commands(); while (command_credits > 0 && !command_queue.empty()) { if (!hci_thread.DoInThread(FROM_HERE, std::move(command_queue.front()))) { LOG(ERROR) << __func__ << ": failed to enqueue command"; } command_queue.pop(); command_credits--; } } // Returns true if the event was intercepted and should not proceed to // higher layers. Also inspects an incoming event for interesting // information, like how many commands are now able to be sent. static bool filter_incoming_event(BT_HDR* packet) { waiting_command_t* wait_entry = NULL; uint8_t* stream = packet->data; uint8_t event_code; int credits = 0; command_opcode_t opcode; STREAM_TO_UINT8(event_code, stream); STREAM_SKIP_UINT8(stream); // Skip the parameter total length field if (event_code == HCI_COMMAND_COMPLETE_EVT) { STREAM_TO_UINT8(credits, stream); STREAM_TO_UINT16(opcode, stream); wait_entry = get_waiting_command(opcode); process_command_credits(credits); if (!wait_entry) { if (opcode != HCI_COMMAND_NONE) { LOG_WARN(LOG_TAG, "%s command complete event with no matching command (opcode: " "0x%04x).", __func__, opcode); } } else { update_command_response_timer(); if (wait_entry->complete_callback) { wait_entry->complete_callback(packet, wait_entry->context); } else if (wait_entry->complete_future) { future_ready(wait_entry->complete_future, packet); } } goto intercepted; } else if (event_code == HCI_COMMAND_STATUS_EVT) { uint8_t status; STREAM_TO_UINT8(status, stream); STREAM_TO_UINT8(credits, stream); STREAM_TO_UINT16(opcode, stream); // If a command generates a command status event, it won't be getting a // command complete event wait_entry = get_waiting_command(opcode); process_command_credits(credits); if (!wait_entry) { LOG_WARN( LOG_TAG, "%s command status event with no matching command. opcode: 0x%04x", __func__, opcode); } else { update_command_response_timer(); if (wait_entry->status_callback) wait_entry->status_callback(status, wait_entry->command, wait_entry->context); } goto intercepted; } else if (event_code == HCI_VSE_SUBCODE_DEBUG_INFO_SUB_EVT) { if (hci_firmware_log_fd == INVALID_FD) hci_firmware_log_fd = hci_open_firmware_log_file(); if (hci_firmware_log_fd != INVALID_FD) hci_log_firmware_debug_packet(hci_firmware_log_fd, packet); buffer_allocator->free(packet); return true; } return false; intercepted: if (wait_entry) { // If it has a callback, it's responsible for freeing the packet if (event_code == HCI_COMMAND_STATUS_EVT || (!wait_entry->complete_callback && !wait_entry->complete_future)) buffer_allocator->free(packet); // If it has a callback, it's responsible for freeing the command if (event_code == HCI_COMMAND_COMPLETE_EVT || !wait_entry->status_callback) buffer_allocator->free(wait_entry->command); osi_free(wait_entry); } else { buffer_allocator->free(packet); } return true; } // Callback for the fragmenter to dispatch up a completely reassembled packet static void dispatch_reassembled(BT_HDR* packet) { // Events should already have been dispatched before this point CHECK((packet->event & MSG_EVT_MASK) != MSG_HC_TO_STACK_HCI_EVT); CHECK(!send_data_upwards.is_null()); send_data_upwards.Run(FROM_HERE, packet); } // Misc internal functions static waiting_command_t* get_waiting_command(command_opcode_t opcode) { std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); for (const list_node_t* node = list_begin(commands_pending_response); node != list_end(commands_pending_response); node = list_next(node)) { waiting_command_t* wait_entry = reinterpret_cast<waiting_command_t*>(list_node(node)); if (!wait_entry || wait_entry->opcode != opcode) continue; list_remove(commands_pending_response, wait_entry); return wait_entry; } return NULL; } static int get_num_waiting_commands() { std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); return list_length(commands_pending_response); } static void update_command_response_timer(void) { std::lock_guard<std::recursive_timed_mutex> lock( commands_pending_response_mutex); if (command_response_timer == NULL) return; if (list_is_empty(commands_pending_response)) { alarm_cancel(command_response_timer); } else { alarm_set(command_response_timer, COMMAND_PENDING_TIMEOUT_MS, command_timed_out, list_front(commands_pending_response)); } } static void init_layer_interface() { if (!interface_created) { // It's probably ok for this to live forever. It's small and // there's only one instance of the hci interface. interface.set_data_cb = set_data_cb; interface.transmit_command = transmit_command; interface.transmit_command_futured = transmit_command_futured; interface.transmit_downward = transmit_downward; interface_created = true; } } void hci_layer_cleanup_interface() { if (interface_created) { send_data_upwards.Reset(); interface.set_data_cb = NULL; interface.transmit_command = NULL; interface.transmit_command_futured = NULL; interface.transmit_downward = NULL; interface_created = false; } } const hci_t* hci_layer_get_interface() { buffer_allocator = buffer_allocator_get_interface(); btsnoop = btsnoop_get_interface(); packet_fragmenter = packet_fragmenter_get_interface(); init_layer_interface(); return &interface; } const hci_t* hci_layer_get_test_interface( const allocator_t* buffer_allocator_interface, const btsnoop_t* btsnoop_interface, const packet_fragmenter_t* packet_fragmenter_interface) { buffer_allocator = buffer_allocator_interface; btsnoop = btsnoop_interface; packet_fragmenter = packet_fragmenter_interface; init_layer_interface(); return &interface; }