[PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[Jiajia Liu]

When hci_inquiry_complete_evt is called between le_scan_disable and
le_set_scan_enable_complete and no remote name needs to be resolved,
the interleaved discovery with SIMULTANEOUS quirk gets stuck in
DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
state. No one sets DISCOVERY_STOPPED in this process.

  < HCI Command: LE Set Extended Scan Enable  #1764 [hci0] 608.610392
          Extended scan: Disabled (0x00)
          Filter duplicates: Disabled (0x00)
          Duration: 0 msec (0x0000)
          Period: 0.00 sec (0x0000)
  > HCI Event: Inquiry Complete (0x01)        #1765 [hci0] 608.610548
          Status: Success (0x00)
  > HCI Event: Command Complete (0x0e)        #1766 [hci0] 608.611589
        LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
          Status: Success (0x00)

Add scan_disable_complete to check state and stop discovery if stuck.
Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.

  [4517.963204] hci0: state 0 -> 1
  [4518.096858] hci0: state 1 -> 2
  [4528.353765] hci0: state 2 -> 0
  [4528.353776] hci0: state finding to stopped
  [4533.966844] hci0: state 0 -> 1
  [4534.097702] hci0: state 1 -> 2
  [4544.478600] hci0: state 2 -> 0

Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
---
 net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index aff8562a8690..4cb1c82cc3f0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
 	return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
 }
 
+static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
+{
+	if (err)
+		return;
+
+	hci_dev_lock(hdev);
+
+	if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
+		goto unlock;
+
+	if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
+		if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
+		    hdev->discovery.state == DISCOVERY_FINDING) {
+			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+			bt_dev_dbg(hdev, "state finding to stopped");
+		}
+	}
+
+unlock:
+	hci_dev_unlock(hdev);
+}
+
 static void le_scan_disable(struct work_struct *work)
 {
 	struct hci_dev *hdev = container_of(work, struct hci_dev,
@@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
 		goto _return;
 
-	status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
+	status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
+				    scan_disable_complete);
 	if (status) {
 		bt_dev_err(hdev, "failed to disable LE scan: %d", status);
 		goto _return;
-- 
2.53.0

RE: Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2204 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103706

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
VerifyFixes                   PASS      0.13 seconds
VerifySignedoff               PASS      0.13 seconds
GitLint                       PASS      0.32 seconds
SubjectPrefix                 PASS      0.12 seconds
BuildKernel                   PASS      26.47 seconds
CheckAllWarning               PASS      28.43 seconds
CheckSparse                   PASS      28.92 seconds
BuildKernel32                 PASS      24.87 seconds
TestRunnerSetup               PASS      535.30 seconds
TestRunner_l2cap-tester       PASS      59.65 seconds
TestRunner_iso-tester         PASS      77.77 seconds
TestRunner_bnep-tester        PASS      19.01 seconds
TestRunner_mgmt-tester        FAIL      210.17 seconds
TestRunner_rfcomm-tester      PASS      25.71 seconds
TestRunner_sco-tester         PASS      32.80 seconds
TestRunner_ioctl-tester       PASS      26.19 seconds
TestRunner_mesh-tester        FAIL      25.96 seconds
TestRunner_smp-tester         PASS      23.25 seconds
TestRunner_userchan-tester    PASS      20.24 seconds
TestRunner_6lowpan-tester     PASS      22.78 seconds
IncrementalBuild              PASS      24.64 seconds

Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.247 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.344 seconds
Mesh - Send cancel - 2                               Timed out    1.992 seconds


https://github.com/bluez/bluetooth-next/pull/262

---
Regards,
Linux Bluetooth

Re: [PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[Luiz Augusto von Dentz]

Hi Jiajia,

On Sun, May 31, 2026 at 9:26 PM Jiajia Liu <liujiajia@kylinos.cn> wrote:
>
> When hci_inquiry_complete_evt is called between le_scan_disable and
> le_set_scan_enable_complete and no remote name needs to be resolved,
> the interleaved discovery with SIMULTANEOUS quirk gets stuck in
> DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
> state. No one sets DISCOVERY_STOPPED in this process.
>
>   < HCI Command: LE Set Extended Scan Enable  #1764 [hci0] 608.610392
>           Extended scan: Disabled (0x00)
>           Filter duplicates: Disabled (0x00)
>           Duration: 0 msec (0x0000)
>           Period: 0.00 sec (0x0000)
>   > HCI Event: Inquiry Complete (0x01)        #1765 [hci0] 608.610548
>           Status: Success (0x00)
>   > HCI Event: Command Complete (0x0e)        #1766 [hci0] 608.611589
>         LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
>           Status: Success (0x00)

This isn't enough, though, where are the MGMT commands?

> Add scan_disable_complete to check state and stop discovery if stuck.
> Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
>
>   [4517.963204] hci0: state 0 -> 1
>   [4518.096858] hci0: state 1 -> 2
>   [4528.353765] hci0: state 2 -> 0
>   [4528.353776] hci0: state finding to stopped
>   [4533.966844] hci0: state 0 -> 1
>   [4534.097702] hci0: state 1 -> 2
>   [4544.478600] hci0: state 2 -> 0
>
> Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
> Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
> ---
>  net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
>  1 file changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index aff8562a8690..4cb1c82cc3f0 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
>         return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
>  }
>
> +static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
> +{
> +       if (err)
> +               return;
> +
> +       hci_dev_lock(hdev);
> +
> +       if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
> +               goto unlock;
> +
> +       if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
> +               if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
> +                   hdev->discovery.state == DISCOVERY_FINDING) {
> +                       hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
> +                       bt_dev_dbg(hdev, "state finding to stopped");

hci_discovery_set_state already prints the state so printing it again
is probably unnecessary. Also, this probably needs to be handled via
hci_event.c since it is not necessarily le_scan_disable that would
cause scan to be disabled, hci_scan_disable_sync can cause it as well.

> +               }
> +       }
> +
> +unlock:
> +       hci_dev_unlock(hdev);
> +}
> +
>  static void le_scan_disable(struct work_struct *work)
>  {
>         struct hci_dev *hdev = container_of(work, struct hci_dev,
> @@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
>         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
>                 goto _return;
>
> -       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
> +       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
> +                                   scan_disable_complete);
>         if (status) {
>                 bt_dev_err(hdev, "failed to disable LE scan: %d", status);
>                 goto _return;
> --
> 2.53.0
>


-- 
Luiz Augusto von Dentz

Re: [PATCH] Bluetooth: hci_sync: fix simultaneous discovery stuck in FINDING

[Jiajia Liu]

On Mon, Jun 01, 2026 at 09:32:38AM -0400, Luiz Augusto von Dentz wrote:
> Hi Jiajia,
> 
> On Sun, May 31, 2026 at 9:26 PM Jiajia Liu <liujiajia@kylinos.cn> wrote:
> >
> > When hci_inquiry_complete_evt is called between le_scan_disable and
> > le_set_scan_enable_complete and no remote name needs to be resolved,
> > the interleaved discovery with SIMULTANEOUS quirk gets stuck in
> > DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
> > state. No one sets DISCOVERY_STOPPED in this process.
> >
> >   < HCI Command: LE Set Extended Scan Enable  #1764 [hci0] 608.610392
> >           Extended scan: Disabled (0x00)
> >           Filter duplicates: Disabled (0x00)
> >           Duration: 0 msec (0x0000)
> >           Period: 0.00 sec (0x0000)
> >   > HCI Event: Inquiry Complete (0x01)        #1765 [hci0] 608.610548
> >           Status: Success (0x00)
> >   > HCI Event: Command Complete (0x0e)        #1766 [hci0] 608.611589
> >         LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
> >           Status: Success (0x00)
> 
> This isn't enough, though, where are the MGMT commands?

It was the last output where the scan was stuck in finding state during
scan test. No Discovering: Disabled MGMT Event report.

complete reproduction log is at
https://drive.google.com/file/d/1dsCtntVdh0zFK6QsbxW26UWjJQE_1xMS/view?usp=sharing

The summary of this last scan including Start Discovery.

@ MGMT Command: Start Discovery (0x0023) plen 1                                  {0x0001} [hci0] 598.347552
        Address type: 0x07
          BR/EDR
          LE Public
          LE Random
...
< HCI Command: LE Set Extended Scan Enable (0x08|0x0042) plen 6                     #1741 [hci0] 598.357554
        Extended scan: Enabled (0x01)
        Filter duplicates: Enabled (0x01)
        Duration: 0 msec (0x0000)
        Period: 0.00 sec (0x0000)
> HCI Event: Command Complete (0x0e) plen 4                                         #1742 [hci0] 598.359436
      LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
        Status: Success (0x00)
@ MGMT Event: Discovering (0x0013) plen 2                                        {0x0001} [hci0] 598.359535
        Address type: 0x07
          BR/EDR
          LE Public
          LE Random
        Discovery: Enabled (0x01)
< HCI Command: Inquiry (0x01|0x0001) plen 5                                         #1743 [hci0] 598.359568
        Access code: 0x9e8b33 (General Inquiry)
        Length: 10.24s (0x08)
        Num responses: 0
> HCI Event: Command Status (0x0f) plen 4                                           #1744 [hci0] 598.361410
      Inquiry (0x01|0x0001) ncmd 2
        Status: Success (0x00)
...

> 
> > Add scan_disable_complete to check state and stop discovery if stuck.
> > Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
> >
> >   [4517.963204] hci0: state 0 -> 1
> >   [4518.096858] hci0: state 1 -> 2
> >   [4528.353765] hci0: state 2 -> 0
> >   [4528.353776] hci0: state finding to stopped
> >   [4533.966844] hci0: state 0 -> 1
> >   [4534.097702] hci0: state 1 -> 2
> >   [4544.478600] hci0: state 2 -> 0
> >
> > Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
> > Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
> > ---
> >  net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
> >  1 file changed, 24 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index aff8562a8690..4cb1c82cc3f0 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
> >         return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
> >  }
> >
> > +static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
> > +{
> > +       if (err)
> > +               return;
> > +
> > +       hci_dev_lock(hdev);
> > +
> > +       if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
> > +               goto unlock;
> > +
> > +       if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
> > +               if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
> > +                   hdev->discovery.state == DISCOVERY_FINDING) {
> > +                       hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
> > +                       bt_dev_dbg(hdev, "state finding to stopped");
> 
> hci_discovery_set_state already prints the state so printing it again
> is probably unnecessary. Also, this probably needs to be handled via
> hci_event.c since it is not necessarily le_scan_disable that would
> cause scan to be disabled, hci_scan_disable_sync can cause it as well.

will move to le_set_scan_enable_complete

> 
> > +               }
> > +       }
> > +
> > +unlock:
> > +       hci_dev_unlock(hdev);
> > +}
> > +
> >  static void le_scan_disable(struct work_struct *work)
> >  {
> >         struct hci_dev *hdev = container_of(work, struct hci_dev,
> > @@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
> >         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
> >                 goto _return;
> >
> > -       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
> > +       status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
> > +                                   scan_disable_complete);
> >         if (status) {
> >                 bt_dev_err(hdev, "failed to disable LE scan: %d", status);
> >                 goto _return;
> > --
> > 2.53.0
> >
> 
> 
> -- 
> Luiz Augusto von Dentz