net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-)
When hci_inquiry_complete_evt is called between le_scan_disable and
le_set_scan_enable_complete and no remote name needs to be resolved,
the interleaved discovery with SIMULTANEOUS quirk gets stuck in
DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
state. No one sets DISCOVERY_STOPPED in this process.
< HCI Command: LE Set Extended Scan Enable #1764 [hci0] 608.610392
Extended scan: Disabled (0x00)
Filter duplicates: Disabled (0x00)
Duration: 0 msec (0x0000)
Period: 0.00 sec (0x0000)
> HCI Event: Inquiry Complete (0x01) #1765 [hci0] 608.610548
Status: Success (0x00)
> HCI Event: Command Complete (0x0e) #1766 [hci0] 608.611589
LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
Status: Success (0x00)
Add scan_disable_complete to check state and stop discovery if stuck.
Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
[4517.963204] hci0: state 0 -> 1
[4518.096858] hci0: state 1 -> 2
[4528.353765] hci0: state 2 -> 0
[4528.353776] hci0: state finding to stopped
[4533.966844] hci0: state 0 -> 1
[4534.097702] hci0: state 1 -> 2
[4544.478600] hci0: state 2 -> 0
Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
---
net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index aff8562a8690..4cb1c82cc3f0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
}
+static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
+{
+ if (err)
+ return;
+
+ hci_dev_lock(hdev);
+
+ if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
+ goto unlock;
+
+ if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
+ if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
+ hdev->discovery.state == DISCOVERY_FINDING) {
+ hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
+ bt_dev_dbg(hdev, "state finding to stopped");
+ }
+ }
+
+unlock:
+ hci_dev_unlock(hdev);
+}
+
static void le_scan_disable(struct work_struct *work)
{
struct hci_dev *hdev = container_of(work, struct hci_dev,
@@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
goto _return;
- status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
+ status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
+ scan_disable_complete);
if (status) {
bt_dev_err(hdev, "failed to disable LE scan: %d", status);
goto _return;
--
2.53.0Hi Jiajia,
On Sun, May 31, 2026 at 9:26 PM Jiajia Liu <liujiajia@kylinos.cn> wrote:
>
> When hci_inquiry_complete_evt is called between le_scan_disable and
> le_set_scan_enable_complete and no remote name needs to be resolved,
> the interleaved discovery with SIMULTANEOUS quirk gets stuck in
> DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
> state. No one sets DISCOVERY_STOPPED in this process.
>
> < HCI Command: LE Set Extended Scan Enable #1764 [hci0] 608.610392
> Extended scan: Disabled (0x00)
> Filter duplicates: Disabled (0x00)
> Duration: 0 msec (0x0000)
> Period: 0.00 sec (0x0000)
> > HCI Event: Inquiry Complete (0x01) #1765 [hci0] 608.610548
> Status: Success (0x00)
> > HCI Event: Command Complete (0x0e) #1766 [hci0] 608.611589
> LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
> Status: Success (0x00)
This isn't enough, though, where are the MGMT commands?
> Add scan_disable_complete to check state and stop discovery if stuck.
> Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
>
> [4517.963204] hci0: state 0 -> 1
> [4518.096858] hci0: state 1 -> 2
> [4528.353765] hci0: state 2 -> 0
> [4528.353776] hci0: state finding to stopped
> [4533.966844] hci0: state 0 -> 1
> [4534.097702] hci0: state 1 -> 2
> [4544.478600] hci0: state 2 -> 0
>
> Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
> Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
> ---
> net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
> 1 file changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> index aff8562a8690..4cb1c82cc3f0 100644
> --- a/net/bluetooth/hci_sync.c
> +++ b/net/bluetooth/hci_sync.c
> @@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
> return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
> }
>
> +static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
> +{
> + if (err)
> + return;
> +
> + hci_dev_lock(hdev);
> +
> + if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
> + goto unlock;
> +
> + if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
> + if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
> + hdev->discovery.state == DISCOVERY_FINDING) {
> + hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
> + bt_dev_dbg(hdev, "state finding to stopped");
hci_discovery_set_state already prints the state so printing it again
is probably unnecessary. Also, this probably needs to be handled via
hci_event.c since it is not necessarily le_scan_disable that would
cause scan to be disabled, hci_scan_disable_sync can cause it as well.
> + }
> + }
> +
> +unlock:
> + hci_dev_unlock(hdev);
> +}
> +
> static void le_scan_disable(struct work_struct *work)
> {
> struct hci_dev *hdev = container_of(work, struct hci_dev,
> @@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
> if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
> goto _return;
>
> - status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
> + status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
> + scan_disable_complete);
> if (status) {
> bt_dev_err(hdev, "failed to disable LE scan: %d", status);
> goto _return;
> --
> 2.53.0
>
--
Luiz Augusto von Dentz
On Mon, Jun 01, 2026 at 09:32:38AM -0400, Luiz Augusto von Dentz wrote:
> Hi Jiajia,
>
> On Sun, May 31, 2026 at 9:26 PM Jiajia Liu <liujiajia@kylinos.cn> wrote:
> >
> > When hci_inquiry_complete_evt is called between le_scan_disable and
> > le_set_scan_enable_complete and no remote name needs to be resolved,
> > the interleaved discovery with SIMULTANEOUS quirk gets stuck in
> > DISCOVERY_FINDING. le_set_scan_enable_complete does not check inquiry
> > state. No one sets DISCOVERY_STOPPED in this process.
> >
> > < HCI Command: LE Set Extended Scan Enable #1764 [hci0] 608.610392
> > Extended scan: Disabled (0x00)
> > Filter duplicates: Disabled (0x00)
> > Duration: 0 msec (0x0000)
> > Period: 0.00 sec (0x0000)
> > > HCI Event: Inquiry Complete (0x01) #1765 [hci0] 608.610548
> > Status: Success (0x00)
> > > HCI Event: Command Complete (0x0e) #1766 [hci0] 608.611589
> > LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
> > Status: Success (0x00)
>
> This isn't enough, though, where are the MGMT commands?
It was the last output where the scan was stuck in finding state during
scan test. No Discovering: Disabled MGMT Event report.
complete reproduction log is at
https://drive.google.com/file/d/1dsCtntVdh0zFK6QsbxW26UWjJQE_1xMS/view?usp=sharing
The summary of this last scan including Start Discovery.
@ MGMT Command: Start Discovery (0x0023) plen 1 {0x0001} [hci0] 598.347552
Address type: 0x07
BR/EDR
LE Public
LE Random
...
< HCI Command: LE Set Extended Scan Enable (0x08|0x0042) plen 6 #1741 [hci0] 598.357554
Extended scan: Enabled (0x01)
Filter duplicates: Enabled (0x01)
Duration: 0 msec (0x0000)
Period: 0.00 sec (0x0000)
> HCI Event: Command Complete (0x0e) plen 4 #1742 [hci0] 598.359436
LE Set Extended Scan Enable (0x08|0x0042) ncmd 2
Status: Success (0x00)
@ MGMT Event: Discovering (0x0013) plen 2 {0x0001} [hci0] 598.359535
Address type: 0x07
BR/EDR
LE Public
LE Random
Discovery: Enabled (0x01)
< HCI Command: Inquiry (0x01|0x0001) plen 5 #1743 [hci0] 598.359568
Access code: 0x9e8b33 (General Inquiry)
Length: 10.24s (0x08)
Num responses: 0
> HCI Event: Command Status (0x0f) plen 4 #1744 [hci0] 598.361410
Inquiry (0x01|0x0001) ncmd 2
Status: Success (0x00)
...
>
> > Add scan_disable_complete to check state and stop discovery if stuck.
> > Tested with bluetooth AX201 (8087:0026) in Dell Vostro 13 laptop.
> >
> > [4517.963204] hci0: state 0 -> 1
> > [4518.096858] hci0: state 1 -> 2
> > [4528.353765] hci0: state 2 -> 0
> > [4528.353776] hci0: state finding to stopped
> > [4533.966844] hci0: state 0 -> 1
> > [4534.097702] hci0: state 1 -> 2
> > [4544.478600] hci0: state 2 -> 0
> >
> > Fixes: 8ffde2a73f2c ("Bluetooth: Convert le_scan_disable timeout to hci_sync")
> > Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
> > ---
> > net/bluetooth/hci_sync.c | 25 ++++++++++++++++++++++++-
> > 1 file changed, 24 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
> > index aff8562a8690..4cb1c82cc3f0 100644
> > --- a/net/bluetooth/hci_sync.c
> > +++ b/net/bluetooth/hci_sync.c
> > @@ -361,6 +361,28 @@ static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
> > return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
> > }
> >
> > +static void scan_disable_complete(struct hci_dev *hdev, void *data, int err)
> > +{
> > + if (err)
> > + return;
> > +
> > + hci_dev_lock(hdev);
> > +
> > + if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
> > + goto unlock;
> > +
> > + if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
> > + if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
> > + hdev->discovery.state == DISCOVERY_FINDING) {
> > + hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
> > + bt_dev_dbg(hdev, "state finding to stopped");
>
> hci_discovery_set_state already prints the state so printing it again
> is probably unnecessary. Also, this probably needs to be handled via
> hci_event.c since it is not necessarily le_scan_disable that would
> cause scan to be disabled, hci_scan_disable_sync can cause it as well.
will move to le_set_scan_enable_complete
>
> > + }
> > + }
> > +
> > +unlock:
> > + hci_dev_unlock(hdev);
> > +}
> > +
> > static void le_scan_disable(struct work_struct *work)
> > {
> > struct hci_dev *hdev = container_of(work, struct hci_dev,
> > @@ -373,7 +395,8 @@ static void le_scan_disable(struct work_struct *work)
> > if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
> > goto _return;
> >
> > - status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
> > + status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL,
> > + scan_disable_complete);
> > if (status) {
> > bt_dev_err(hdev, "failed to disable LE scan: %d", status);
> > goto _return;
> > --
> > 2.53.0
> >
>
>
> --
> Luiz Augusto von Dentz
© 2016 - 2026 Red Hat, Inc.