Re: [PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[Luiz Augusto von Dentz]

Hi Jiajia,

On Sun, May 31, 2026 at 9:26 PM Jiajia Liu <liujiajia@xxxxxxxxxx> wrote:
>
> When hci_inquiry_complete_evt is called between le_scan_disable and
> le_set_scan_enable_complete and no remote name needs to be resolved,
> the interleaved discovery with SIMULTANEOUS quirk gets stuck in
> DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
> state. No one sets DISCOVERY_STOPPED in this process.
>
>   < HCI Command: LE Set Extended Scan Enable  #1764 [hci0] 608.610392
>           Extended scan: Disabled (0x00)
>           Filter duplicates: Disabled (0x00)
>           Duration: 0 msec (0x0000)
>           Period: 0.00 sec (0x0000)
>   > HCI Event: Inquiry Complete (0x01)        #1765 [hci0] 608.610548
>           Status: Success (0x00)
>   > HCI Event: Command Complete (0x0e)        #1766 [hci0] 608.611589
>         LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
>           Status: Success (0x00)

This isn't enough, though, where are the MGMT commands?

> Add scan_disable_complete to check state and stop discovery if stuck.
> Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
>
>   [4517.963204] hci0: state 0 -> 1
>   [4518.096858] hci0: state 1 -> 2
>   [4528.353765] hci0: state 2 -> 0
>   [4528.353776] hci0: state finding to stopped
>   [4533.966844] hci0: state 0 -> 1
>   [4534.097702] hci0: state 1 -> 2
>   [4544.478600] hci0: state 2 -> 0
>
> Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
> Signed-off-by: Jiajia Liu <liujiajia@xxxxxxxxxx>
> ---
>  net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
>  1 file changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index aff8562a8690..4cb1c82cc3f0 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
>         return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
>  }
>
> +static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
> +{
> +       if (err)
> +               return;
> +
> +       hci_dev_lock(hdev);
> +
> +       if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
> +               goto unlock;
> +
> +       if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
> +               if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
> +                   hdev->discovery.state == DISCOVERY_FINDING) {
> +                       hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
> +                       bt_dev_dbg(hdev, "state finding to stopped");

hci_discovery_set_state already prints the state so printing it again
is probably unnecessary. Also, this probably needs to be handled via
hci_event.c since it is not necessarily le_scan_disable that would
cause scan to be disabled, hci_scan_disable_sync can cause it as well.

> +               }
> +       }
> +
> +unlock:
> +       hci_dev_unlock(hdev);
> +}
> +
>  static void le_scan_disable(struct work_struct *work)
>  {
>         struct hci_dev *hdev = container_of(work, struct hci_dev,
> @@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
>         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
>                 goto _return;
>
> -       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
> +       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
> +                                   scan_disable_complete);
>         if (status) {
>                 bt_dev_err(hdev, "failed to disable LE scan: %d", status);
>                 goto _return;
> --
> 2.53.0
>


-- 
Luiz Augusto von Dentz