Re: [PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[Jiajia Liu <liujiajia@kylinos.cn>]

On Mon, Jun 01, 2026 at 09:32:38AM -0400, Luiz Augusto von Dentz wrote:
> Hi Jiajia,
> 
> On Sun, May 31, 2026 at 9:26 PM Jiajia Liu <liujiajia@kylinos.cn> wrote:
> >
> > When hci_inquiry_complete_evt is called between le_scan_disable and
> > le_set_scan_enable_complete and no remote name needs to be resolved,
> > the interleaved discovery with SIMULTANEOUS quirk gets stuck in
> > DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
> > state. No one sets DISCOVERY_STOPPED in this process.
> >
> >   < HCI Command: LE Set Extended Scan Enable  #1764 [hci0] 608.610392
> >           Extended scan: Disabled (0x00)
> >           Filter duplicates: Disabled (0x00)
> >           Duration: 0 msec (0x0000)
> >           Period: 0.00 sec (0x0000)
> >   > HCI Event: Inquiry Complete (0x01)        #1765 [hci0] 608.610548
> >           Status: Success (0x00)
> >   > HCI Event: Command Complete (0x0e)        #1766 [hci0] 608.611589
> >         LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
> >           Status: Success (0x00)
> 
> This isn't enough, though, where are the MGMT commands?

It was the last output where the scan was stuck in finding state during
scan test. No Discovering: Disabled MGMT Event report.

complete reproduction log is at
https://drive.google.com/file/d/1dsCtntVdh0zFK6QsbxW26UWjJQE_1xMS/view?usp=sharing

The summary of this last scan including Start Discovery.

@ MGMT Command: Start Discovery (0x0023) plen 1                                  {0x0001} [hci0] 598.347552
        Address type: 0x07
          BR/EDR
          LE Public
          LE Random
...
< HCI Command: LE Set Extended Scan Enable (0x08|0x0042) plen 6                     #1741 [hci0] 598.357554
        Extended scan: Enabled (0x01)
        Filter duplicates: Enabled (0x01)
        Duration: 0 msec (0x0000)
        Period: 0.00 sec (0x0000)
> HCI Event: Command Complete (0x0e) plen 4                                         #1742 [hci0] 598.359436
      LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
        Status: Success (0x00)
@ MGMT Event: Discovering (0x0013) plen 2                                        {0x0001} [hci0] 598.359535
        Address type: 0x07
          BR/EDR
          LE Public
          LE Random
        Discovery: Enabled (0x01)
< HCI Command: Inquiry (0x01|0x0001) plen 5                                         #1743 [hci0] 598.359568
        Access code: 0x9e8b33 (General Inquiry)
        Length: 10.24s (0x08)
        Num responses: 0
> HCI Event: Command Status (0x0f) plen 4                                           #1744 [hci0] 598.361410
      Inquiry (0x01|0x0001) ncmd 2
        Status: Success (0x00)
...

> 
> > Add scan_disable_complete to check state and stop discovery if stuck.
> > Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
> >
> >   [4517.963204] hci0: state 0 -> 1
> >   [4518.096858] hci0: state 1 -> 2
> >   [4528.353765] hci0: state 2 -> 0
> >   [4528.353776] hci0: state finding to stopped
> >   [4533.966844] hci0: state 0 -> 1
> >   [4534.097702] hci0: state 1 -> 2
> >   [4544.478600] hci0: state 2 -> 0
> >
> > Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
> > Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
> > ---
> >  net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
> >  1 file changed, 24 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index aff8562a8690..4cb1c82cc3f0 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
> >         return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
> >  }
> >
> > +static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
> > +{
> > +       if (err)
> > +               return;
> > +
> > +       hci_dev_lock(hdev);
> > +
> > +       if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
> > +               goto unlock;
> > +
> > +       if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
> > +               if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
> > +                   hdev->discovery.state == DISCOVERY_FINDING) {
> > +                       hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
> > +                       bt_dev_dbg(hdev, "state finding to stopped");
> 
> hci_discovery_set_state already prints the state so printing it again
> is probably unnecessary. Also, this probably needs to be handled via
> hci_event.c since it is not necessarily le_scan_disable that would
> cause scan to be disabled, hci_scan_disable_sync can cause it as well.

will move to le_set_scan_enable_complete

> 
> > +               }
> > +       }
> > +
> > +unlock:
> > +       hci_dev_unlock(hdev);
> > +}
> > +
> >  static void le_scan_disable(struct work_struct *work)
> >  {
> >         struct hci_dev *hdev = container_of(work, struct hci_dev,
> > @@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
> >         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
> >                 goto _return;
> >
> > -       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
> > +       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
> > +                                   scan_disable_complete);
> >         if (status) {
> >                 bt_dev_err(hdev, "failed to disable LE scan: %d", status);
> >                 goto _return;
> > --
> > 2.53.0
> >
> 
> 
> -- 
> Luiz Augusto von Dentz