2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
41 "\x00\x00\x00\x00\x00\x00\x00\x00"
43 /* Handle HCI Event packets */
45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
48 __u8 status = *((__u8 *) skb->data);
50 BT_DBG("%s status 0x%2.2x", hdev->name, status);
52 /* It is possible that we receive Inquiry Complete event right
53 * before we receive Inquiry Cancel Command Complete event, in
54 * which case the latter event should have status of Command
55 * Disallowed (0x0c). This should not be treated as error, since
56 * we actually achieve what Inquiry Cancel wants to achieve,
57 * which is to end the last Inquiry session.
59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
69 clear_bit(HCI_INQUIRY, &hdev->flags);
70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
71 wake_up_bit(&hdev->flags, HCI_INQUIRY);
74 /* Set discovery state to stopped if we're not doing LE active
77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
78 hdev->le_scan_type != LE_SCAN_ACTIVE)
79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
82 hci_conn_check_pending(hdev);
85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
87 __u8 status = *((__u8 *) skb->data);
89 BT_DBG("%s status 0x%2.2x", hdev->name, status);
94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
99 __u8 status = *((__u8 *) skb->data);
101 BT_DBG("%s status 0x%2.2x", hdev->name, status);
106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
108 hci_conn_check_pending(hdev);
111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
114 BT_DBG("%s", hdev->name);
117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
119 struct hci_rp_role_discovery *rp = (void *) skb->data;
120 struct hci_conn *conn;
122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
131 conn->role = rp->role;
133 hci_dev_unlock(hdev);
136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
138 struct hci_rp_read_link_policy *rp = (void *) skb->data;
139 struct hci_conn *conn;
141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
150 conn->link_policy = __le16_to_cpu(rp->policy);
152 hci_dev_unlock(hdev);
155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
157 struct hci_rp_write_link_policy *rp = (void *) skb->data;
158 struct hci_conn *conn;
161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
174 conn->link_policy = get_unaligned_le16(sent + 2);
176 hci_dev_unlock(hdev);
179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
189 hdev->link_policy = __le16_to_cpu(rp->policy);
192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
195 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
207 hdev->link_policy = get_unaligned_le16(sent);
210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
212 __u8 status = *((__u8 *) skb->data);
214 BT_DBG("%s status 0x%2.2x", hdev->name, status);
216 clear_bit(HCI_RESET, &hdev->flags);
221 /* Reset all non-persistent flags */
222 hci_dev_clear_volatile_flags(hdev);
224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
226 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
227 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
230 hdev->adv_data_len = 0;
232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
233 hdev->scan_rsp_data_len = 0;
235 hdev->le_scan_type = LE_SCAN_PASSIVE;
237 hdev->ssp_debug_mode = 0;
239 hci_bdaddr_list_clear(&hdev->le_accept_list);
240 hci_bdaddr_list_clear(&hdev->le_resolv_list);
243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
247 struct hci_cp_read_stored_link_key *sent;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
255 if (!rp->status && sent->read_all == 0x01) {
256 hdev->stored_max_keys = rp->max_keys;
257 hdev->stored_num_keys = rp->num_keys;
261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
271 if (rp->num_keys <= hdev->stored_num_keys)
272 hdev->stored_num_keys -= rp->num_keys;
274 hdev->stored_num_keys = 0;
277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
279 __u8 status = *((__u8 *) skb->data);
282 BT_DBG("%s status 0x%2.2x", hdev->name, status);
284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
290 if (hci_dev_test_flag(hdev, HCI_MGMT))
291 mgmt_set_local_name_complete(hdev, sent, status);
293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
295 hci_dev_unlock(hdev);
298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
300 struct hci_rp_read_local_name *rp = (void *) skb->data;
302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
307 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
308 hci_dev_test_flag(hdev, HCI_CONFIG))
309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
314 __u8 status = *((__u8 *) skb->data);
317 BT_DBG("%s status 0x%2.2x", hdev->name, status);
319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
326 __u8 param = *((__u8 *) sent);
328 if (param == AUTH_ENABLED)
329 set_bit(HCI_AUTH, &hdev->flags);
331 clear_bit(HCI_AUTH, &hdev->flags);
334 if (hci_dev_test_flag(hdev, HCI_MGMT))
335 mgmt_auth_enable_complete(hdev, status);
337 hci_dev_unlock(hdev);
340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
342 __u8 status = *((__u8 *) skb->data);
346 BT_DBG("%s status 0x%2.2x", hdev->name, status);
351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
355 param = *((__u8 *) sent);
358 set_bit(HCI_ENCRYPT, &hdev->flags);
360 clear_bit(HCI_ENCRYPT, &hdev->flags);
363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
365 __u8 status = *((__u8 *) skb->data);
369 BT_DBG("%s status 0x%2.2x", hdev->name, status);
371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
375 param = *((__u8 *) sent);
380 hdev->discov_timeout = 0;
384 if (param & SCAN_INQUIRY)
385 set_bit(HCI_ISCAN, &hdev->flags);
387 clear_bit(HCI_ISCAN, &hdev->flags);
389 if (param & SCAN_PAGE)
390 set_bit(HCI_PSCAN, &hdev->flags);
392 clear_bit(HCI_PSCAN, &hdev->flags);
395 hci_dev_unlock(hdev);
398 static void hci_cc_set_event_filter(struct hci_dev *hdev, struct sk_buff *skb)
400 __u8 status = *((__u8 *)skb->data);
401 struct hci_cp_set_event_filter *cp;
404 BT_DBG("%s status 0x%2.2x", hdev->name, status);
409 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
413 cp = (struct hci_cp_set_event_filter *)sent;
415 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
416 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
418 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
421 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
423 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
425 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
430 memcpy(hdev->dev_class, rp->dev_class, 3);
432 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
433 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
436 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
438 __u8 status = *((__u8 *) skb->data);
441 BT_DBG("%s status 0x%2.2x", hdev->name, status);
443 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
450 memcpy(hdev->dev_class, sent, 3);
452 if (hci_dev_test_flag(hdev, HCI_MGMT))
453 mgmt_set_class_of_dev_complete(hdev, sent, status);
455 hci_dev_unlock(hdev);
458 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
460 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
463 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
468 setting = __le16_to_cpu(rp->voice_setting);
470 if (hdev->voice_setting == setting)
473 hdev->voice_setting = setting;
475 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
478 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
481 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
484 __u8 status = *((__u8 *) skb->data);
488 BT_DBG("%s status 0x%2.2x", hdev->name, status);
493 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
497 setting = get_unaligned_le16(sent);
499 if (hdev->voice_setting == setting)
502 hdev->voice_setting = setting;
504 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
507 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
510 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
513 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
515 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
520 hdev->num_iac = rp->num_iac;
522 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
525 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
527 __u8 status = *((__u8 *) skb->data);
528 struct hci_cp_write_ssp_mode *sent;
530 BT_DBG("%s status 0x%2.2x", hdev->name, status);
532 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
540 hdev->features[1][0] |= LMP_HOST_SSP;
542 hdev->features[1][0] &= ~LMP_HOST_SSP;
545 if (hci_dev_test_flag(hdev, HCI_MGMT))
546 mgmt_ssp_enable_complete(hdev, sent->mode, status);
549 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
551 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
554 hci_dev_unlock(hdev);
557 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
559 u8 status = *((u8 *) skb->data);
560 struct hci_cp_write_sc_support *sent;
562 BT_DBG("%s status 0x%2.2x", hdev->name, status);
564 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
572 hdev->features[1][0] |= LMP_HOST_SC;
574 hdev->features[1][0] &= ~LMP_HOST_SC;
577 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
579 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
581 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
584 hci_dev_unlock(hdev);
587 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
589 struct hci_rp_read_local_version *rp = (void *) skb->data;
591 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
596 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
597 hci_dev_test_flag(hdev, HCI_CONFIG)) {
598 hdev->hci_ver = rp->hci_ver;
599 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
600 hdev->lmp_ver = rp->lmp_ver;
601 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
602 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
606 static void hci_cc_read_local_commands(struct hci_dev *hdev,
609 struct hci_rp_read_local_commands *rp = (void *) skb->data;
611 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
616 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
617 hci_dev_test_flag(hdev, HCI_CONFIG))
618 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
621 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
624 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
625 struct hci_conn *conn;
627 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
634 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
636 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
638 hci_dev_unlock(hdev);
641 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
644 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
645 struct hci_conn *conn;
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
653 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
659 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
661 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
663 hci_dev_unlock(hdev);
666 static void hci_cc_read_local_features(struct hci_dev *hdev,
669 struct hci_rp_read_local_features *rp = (void *) skb->data;
671 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
676 memcpy(hdev->features, rp->features, 8);
678 /* Adjust default settings according to features
679 * supported by device. */
681 if (hdev->features[0][0] & LMP_3SLOT)
682 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
684 if (hdev->features[0][0] & LMP_5SLOT)
685 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
687 if (hdev->features[0][1] & LMP_HV2) {
688 hdev->pkt_type |= (HCI_HV2);
689 hdev->esco_type |= (ESCO_HV2);
692 if (hdev->features[0][1] & LMP_HV3) {
693 hdev->pkt_type |= (HCI_HV3);
694 hdev->esco_type |= (ESCO_HV3);
697 if (lmp_esco_capable(hdev))
698 hdev->esco_type |= (ESCO_EV3);
700 if (hdev->features[0][4] & LMP_EV4)
701 hdev->esco_type |= (ESCO_EV4);
703 if (hdev->features[0][4] & LMP_EV5)
704 hdev->esco_type |= (ESCO_EV5);
706 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
707 hdev->esco_type |= (ESCO_2EV3);
709 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
710 hdev->esco_type |= (ESCO_3EV3);
712 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
713 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
716 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
719 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
721 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
726 if (hdev->max_page < rp->max_page)
727 hdev->max_page = rp->max_page;
729 if (rp->page < HCI_MAX_PAGES)
730 memcpy(hdev->features[rp->page], rp->features, 8);
733 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
736 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
738 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
743 hdev->flow_ctl_mode = rp->mode;
746 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
748 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
750 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
755 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
756 hdev->sco_mtu = rp->sco_mtu;
757 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
758 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
760 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
765 hdev->acl_cnt = hdev->acl_pkts;
766 hdev->sco_cnt = hdev->sco_pkts;
768 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
769 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
772 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
774 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
776 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
781 if (test_bit(HCI_INIT, &hdev->flags))
782 bacpy(&hdev->bdaddr, &rp->bdaddr);
784 if (hci_dev_test_flag(hdev, HCI_SETUP))
785 bacpy(&hdev->setup_addr, &rp->bdaddr);
788 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,
791 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;
793 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
798 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
799 hci_dev_test_flag(hdev, HCI_CONFIG)) {
800 hdev->pairing_opts = rp->pairing_opts;
801 hdev->max_enc_key_size = rp->max_key_size;
805 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
808 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
810 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
815 if (test_bit(HCI_INIT, &hdev->flags)) {
816 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
817 hdev->page_scan_window = __le16_to_cpu(rp->window);
821 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
824 u8 status = *((u8 *) skb->data);
825 struct hci_cp_write_page_scan_activity *sent;
827 BT_DBG("%s status 0x%2.2x", hdev->name, status);
832 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
836 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
837 hdev->page_scan_window = __le16_to_cpu(sent->window);
840 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
843 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
845 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
850 if (test_bit(HCI_INIT, &hdev->flags))
851 hdev->page_scan_type = rp->type;
854 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
857 u8 status = *((u8 *) skb->data);
860 BT_DBG("%s status 0x%2.2x", hdev->name, status);
865 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
867 hdev->page_scan_type = *type;
870 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
873 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
875 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
880 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
881 hdev->block_len = __le16_to_cpu(rp->block_len);
882 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
884 hdev->block_cnt = hdev->num_blocks;
886 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
887 hdev->block_cnt, hdev->block_len);
890 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
892 struct hci_rp_read_clock *rp = (void *) skb->data;
893 struct hci_cp_read_clock *cp;
894 struct hci_conn *conn;
896 BT_DBG("%s", hdev->name);
898 if (skb->len < sizeof(*rp))
906 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
910 if (cp->which == 0x00) {
911 hdev->clock = le32_to_cpu(rp->clock);
915 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
917 conn->clock = le32_to_cpu(rp->clock);
918 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
922 hci_dev_unlock(hdev);
925 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
928 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
930 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
935 hdev->amp_status = rp->amp_status;
936 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
937 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
938 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
939 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
940 hdev->amp_type = rp->amp_type;
941 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
942 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
943 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
944 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
947 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
950 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
952 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
957 hdev->inq_tx_power = rp->tx_power;
960 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,
963 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
970 hdev->err_data_reporting = rp->err_data_reporting;
973 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,
976 __u8 status = *((__u8 *)skb->data);
977 struct hci_cp_write_def_err_data_reporting *cp;
979 BT_DBG("%s status 0x%2.2x", hdev->name, status);
984 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
988 hdev->err_data_reporting = cp->err_data_reporting;
991 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
993 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
994 struct hci_cp_pin_code_reply *cp;
995 struct hci_conn *conn;
997 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1001 if (hci_dev_test_flag(hdev, HCI_MGMT))
1002 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1007 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1011 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1013 conn->pin_length = cp->pin_len;
1016 hci_dev_unlock(hdev);
1019 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
1021 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
1023 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1027 if (hci_dev_test_flag(hdev, HCI_MGMT))
1028 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1031 hci_dev_unlock(hdev);
1034 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
1035 struct sk_buff *skb)
1037 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
1039 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1044 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1045 hdev->le_pkts = rp->le_max_pkt;
1047 hdev->le_cnt = hdev->le_pkts;
1049 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1052 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
1053 struct sk_buff *skb)
1055 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
1057 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1062 memcpy(hdev->le_features, rp->features, 8);
1065 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
1066 struct sk_buff *skb)
1068 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
1070 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1075 hdev->adv_tx_power = rp->tx_power;
1078 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
1080 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1082 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1086 if (hci_dev_test_flag(hdev, HCI_MGMT))
1087 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1090 hci_dev_unlock(hdev);
1093 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
1094 struct sk_buff *skb)
1096 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1098 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1102 if (hci_dev_test_flag(hdev, HCI_MGMT))
1103 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1104 ACL_LINK, 0, rp->status);
1106 hci_dev_unlock(hdev);
1109 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1111 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1113 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1117 if (hci_dev_test_flag(hdev, HCI_MGMT))
1118 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1121 hci_dev_unlock(hdev);
1124 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1125 struct sk_buff *skb)
1127 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1129 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1133 if (hci_dev_test_flag(hdev, HCI_MGMT))
1134 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1135 ACL_LINK, 0, rp->status);
1137 hci_dev_unlock(hdev);
1140 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1141 struct sk_buff *skb)
1143 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1148 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1149 struct sk_buff *skb)
1151 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1153 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1156 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1158 __u8 status = *((__u8 *) skb->data);
1161 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1166 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1172 bacpy(&hdev->random_addr, sent);
1174 hci_dev_unlock(hdev);
1177 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1179 __u8 status = *((__u8 *) skb->data);
1180 struct hci_cp_le_set_default_phy *cp;
1182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1187 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1193 hdev->le_tx_def_phys = cp->tx_phys;
1194 hdev->le_rx_def_phys = cp->rx_phys;
1196 hci_dev_unlock(hdev);
1199 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1200 struct sk_buff *skb)
1202 __u8 status = *((__u8 *) skb->data);
1203 struct hci_cp_le_set_adv_set_rand_addr *cp;
1204 struct adv_info *adv_instance;
1209 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1216 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1217 bacpy(&hdev->random_addr, &cp->bdaddr);
1219 adv_instance = hci_find_adv_instance(hdev, cp->handle);
1221 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1224 hci_dev_unlock(hdev);
1227 static void hci_cc_le_read_transmit_power(struct hci_dev *hdev,
1228 struct sk_buff *skb)
1230 struct hci_rp_le_read_transmit_power *rp = (void *)skb->data;
1232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1237 hdev->min_le_tx_power = rp->min_le_tx_power;
1238 hdev->max_le_tx_power = rp->max_le_tx_power;
1241 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1243 __u8 *sent, status = *((__u8 *) skb->data);
1245 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1250 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1256 /* If we're doing connection initiation as peripheral. Set a
1257 * timeout in case something goes wrong.
1260 struct hci_conn *conn;
1262 hci_dev_set_flag(hdev, HCI_LE_ADV);
1264 conn = hci_lookup_le_connect(hdev);
1266 queue_delayed_work(hdev->workqueue,
1267 &conn->le_conn_timeout,
1268 conn->conn_timeout);
1270 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1273 hci_dev_unlock(hdev);
1276 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1277 struct sk_buff *skb)
1279 struct hci_cp_le_set_ext_adv_enable *cp;
1280 __u8 status = *((__u8 *) skb->data);
1282 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1287 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1294 struct hci_conn *conn;
1296 hci_dev_set_flag(hdev, HCI_LE_ADV);
1298 conn = hci_lookup_le_connect(hdev);
1300 queue_delayed_work(hdev->workqueue,
1301 &conn->le_conn_timeout,
1302 conn->conn_timeout);
1304 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1307 hci_dev_unlock(hdev);
1310 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1312 struct hci_cp_le_set_scan_param *cp;
1313 __u8 status = *((__u8 *) skb->data);
1315 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1320 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1326 hdev->le_scan_type = cp->type;
1328 hci_dev_unlock(hdev);
1331 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1332 struct sk_buff *skb)
1334 struct hci_cp_le_set_ext_scan_params *cp;
1335 __u8 status = *((__u8 *) skb->data);
1336 struct hci_cp_le_scan_phy_params *phy_param;
1338 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1343 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1347 phy_param = (void *)cp->data;
1351 hdev->le_scan_type = phy_param->type;
1353 hci_dev_unlock(hdev);
1356 static bool has_pending_adv_report(struct hci_dev *hdev)
1358 struct discovery_state *d = &hdev->discovery;
1360 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1363 static void clear_pending_adv_report(struct hci_dev *hdev)
1365 struct discovery_state *d = &hdev->discovery;
1367 bacpy(&d->last_adv_addr, BDADDR_ANY);
1368 d->last_adv_data_len = 0;
1371 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1372 u8 bdaddr_type, s8 rssi, u32 flags,
1375 struct discovery_state *d = &hdev->discovery;
1377 if (len > HCI_MAX_AD_LENGTH)
1380 bacpy(&d->last_adv_addr, bdaddr);
1381 d->last_adv_addr_type = bdaddr_type;
1382 d->last_adv_rssi = rssi;
1383 d->last_adv_flags = flags;
1384 memcpy(d->last_adv_data, data, len);
1385 d->last_adv_data_len = len;
1388 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1393 case LE_SCAN_ENABLE:
1394 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1395 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1396 clear_pending_adv_report(hdev);
1399 case LE_SCAN_DISABLE:
1400 /* We do this here instead of when setting DISCOVERY_STOPPED
1401 * since the latter would potentially require waiting for
1402 * inquiry to stop too.
1404 if (has_pending_adv_report(hdev)) {
1405 struct discovery_state *d = &hdev->discovery;
1407 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1408 d->last_adv_addr_type, NULL,
1409 d->last_adv_rssi, d->last_adv_flags,
1411 d->last_adv_data_len, NULL, 0);
1414 /* Cancel this timer so that we don't try to disable scanning
1415 * when it's already disabled.
1417 cancel_delayed_work(&hdev->le_scan_disable);
1419 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1421 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1422 * interrupted scanning due to a connect request. Mark
1423 * therefore discovery as stopped. If this was not
1424 * because of a connect request advertising might have
1425 * been disabled because of active scanning, so
1426 * re-enable it again if necessary.
1428 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1429 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1430 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1431 hdev->discovery.state == DISCOVERY_FINDING)
1432 hci_req_reenable_advertising(hdev);
1437 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1442 hci_dev_unlock(hdev);
1445 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1446 struct sk_buff *skb)
1448 struct hci_cp_le_set_scan_enable *cp;
1449 __u8 status = *((__u8 *) skb->data);
1451 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1456 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1460 le_set_scan_enable_complete(hdev, cp->enable);
1463 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1464 struct sk_buff *skb)
1466 struct hci_cp_le_set_ext_scan_enable *cp;
1467 __u8 status = *((__u8 *) skb->data);
1469 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1474 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1478 le_set_scan_enable_complete(hdev, cp->enable);
1481 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1482 struct sk_buff *skb)
1484 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1486 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1492 hdev->le_num_of_adv_sets = rp->num_of_sets;
1495 static void hci_cc_le_read_accept_list_size(struct hci_dev *hdev,
1496 struct sk_buff *skb)
1498 struct hci_rp_le_read_accept_list_size *rp = (void *)skb->data;
1500 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1505 hdev->le_accept_list_size = rp->size;
1508 static void hci_cc_le_clear_accept_list(struct hci_dev *hdev,
1509 struct sk_buff *skb)
1511 __u8 status = *((__u8 *) skb->data);
1513 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1518 hci_bdaddr_list_clear(&hdev->le_accept_list);
1521 static void hci_cc_le_add_to_accept_list(struct hci_dev *hdev,
1522 struct sk_buff *skb)
1524 struct hci_cp_le_add_to_accept_list *sent;
1525 __u8 status = *((__u8 *) skb->data);
1527 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1532 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1536 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1540 static void hci_cc_le_del_from_accept_list(struct hci_dev *hdev,
1541 struct sk_buff *skb)
1543 struct hci_cp_le_del_from_accept_list *sent;
1544 __u8 status = *((__u8 *) skb->data);
1546 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1551 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1555 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1559 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1560 struct sk_buff *skb)
1562 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1564 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1569 memcpy(hdev->le_states, rp->le_states, 8);
1572 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1573 struct sk_buff *skb)
1575 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1577 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1582 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1583 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1586 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1587 struct sk_buff *skb)
1589 struct hci_cp_le_write_def_data_len *sent;
1590 __u8 status = *((__u8 *) skb->data);
1592 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1597 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1601 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1602 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1605 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1606 struct sk_buff *skb)
1608 struct hci_cp_le_add_to_resolv_list *sent;
1609 __u8 status = *((__u8 *) skb->data);
1611 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1616 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1620 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1621 sent->bdaddr_type, sent->peer_irk,
1625 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1626 struct sk_buff *skb)
1628 struct hci_cp_le_del_from_resolv_list *sent;
1629 __u8 status = *((__u8 *) skb->data);
1631 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1636 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1640 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1644 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1645 struct sk_buff *skb)
1647 __u8 status = *((__u8 *) skb->data);
1649 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1654 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1657 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1658 struct sk_buff *skb)
1660 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1662 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1667 hdev->le_resolv_list_size = rp->size;
1670 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1671 struct sk_buff *skb)
1673 __u8 *sent, status = *((__u8 *) skb->data);
1675 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1680 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1687 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1689 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1691 hci_dev_unlock(hdev);
1694 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1695 struct sk_buff *skb)
1697 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1699 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1704 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1705 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1706 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1707 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1710 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1711 struct sk_buff *skb)
1713 struct hci_cp_write_le_host_supported *sent;
1714 __u8 status = *((__u8 *) skb->data);
1716 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1721 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1728 hdev->features[1][0] |= LMP_HOST_LE;
1729 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1731 hdev->features[1][0] &= ~LMP_HOST_LE;
1732 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1733 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1737 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1739 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1741 hci_dev_unlock(hdev);
1744 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1746 struct hci_cp_le_set_adv_param *cp;
1747 u8 status = *((u8 *) skb->data);
1749 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1754 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1759 hdev->adv_addr_type = cp->own_address_type;
1760 hci_dev_unlock(hdev);
1763 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1765 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1766 struct hci_cp_le_set_ext_adv_params *cp;
1767 struct adv_info *adv_instance;
1769 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1774 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1779 hdev->adv_addr_type = cp->own_addr_type;
1781 /* Store in hdev for instance 0 */
1782 hdev->adv_tx_power = rp->tx_power;
1784 adv_instance = hci_find_adv_instance(hdev, cp->handle);
1786 adv_instance->tx_power = rp->tx_power;
1788 /* Update adv data as tx power is known now */
1789 hci_req_update_adv_data(hdev, cp->handle);
1791 hci_dev_unlock(hdev);
1794 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1796 struct hci_rp_read_rssi *rp = (void *) skb->data;
1797 struct hci_conn *conn;
1799 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1806 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1808 conn->rssi = rp->rssi;
1810 hci_dev_unlock(hdev);
1813 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1815 struct hci_cp_read_tx_power *sent;
1816 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1817 struct hci_conn *conn;
1819 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1824 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1830 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1834 switch (sent->type) {
1836 conn->tx_power = rp->tx_power;
1839 conn->max_tx_power = rp->tx_power;
1844 hci_dev_unlock(hdev);
1847 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1849 u8 status = *((u8 *) skb->data);
1852 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1857 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1859 hdev->ssp_debug_mode = *mode;
1862 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1864 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1867 hci_conn_check_pending(hdev);
1871 set_bit(HCI_INQUIRY, &hdev->flags);
1874 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1876 struct hci_cp_create_conn *cp;
1877 struct hci_conn *conn;
1879 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1881 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1887 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1889 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1892 if (conn && conn->state == BT_CONNECT) {
1893 if (status != 0x0c || conn->attempt > 2) {
1894 conn->state = BT_CLOSED;
1895 hci_connect_cfm(conn, status);
1898 conn->state = BT_CONNECT2;
1902 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1905 bt_dev_err(hdev, "no memory for new connection");
1909 hci_dev_unlock(hdev);
1912 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1914 struct hci_cp_add_sco *cp;
1915 struct hci_conn *acl, *sco;
1918 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1923 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1927 handle = __le16_to_cpu(cp->handle);
1929 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1933 acl = hci_conn_hash_lookup_handle(hdev, handle);
1937 sco->state = BT_CLOSED;
1939 hci_connect_cfm(sco, status);
1944 hci_dev_unlock(hdev);
1947 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1949 struct hci_cp_auth_requested *cp;
1950 struct hci_conn *conn;
1952 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1957 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1963 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1965 if (conn->state == BT_CONFIG) {
1966 hci_connect_cfm(conn, status);
1967 hci_conn_drop(conn);
1971 hci_dev_unlock(hdev);
1974 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1976 struct hci_cp_set_conn_encrypt *cp;
1977 struct hci_conn *conn;
1979 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1984 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1990 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1992 if (conn->state == BT_CONFIG) {
1993 hci_connect_cfm(conn, status);
1994 hci_conn_drop(conn);
1998 hci_dev_unlock(hdev);
2001 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2002 struct hci_conn *conn)
2004 if (conn->state != BT_CONFIG || !conn->out)
2007 if (conn->pending_sec_level == BT_SECURITY_SDP)
2010 /* Only request authentication for SSP connections or non-SSP
2011 * devices with sec_level MEDIUM or HIGH or if MITM protection
2014 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2015 conn->pending_sec_level != BT_SECURITY_FIPS &&
2016 conn->pending_sec_level != BT_SECURITY_HIGH &&
2017 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2023 static int hci_resolve_name(struct hci_dev *hdev,
2024 struct inquiry_entry *e)
2026 struct hci_cp_remote_name_req cp;
2028 memset(&cp, 0, sizeof(cp));
2030 bacpy(&cp.bdaddr, &e->data.bdaddr);
2031 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2032 cp.pscan_mode = e->data.pscan_mode;
2033 cp.clock_offset = e->data.clock_offset;
2035 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2038 static bool hci_resolve_next_name(struct hci_dev *hdev)
2040 struct discovery_state *discov = &hdev->discovery;
2041 struct inquiry_entry *e;
2043 if (list_empty(&discov->resolve))
2046 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2050 if (hci_resolve_name(hdev, e) == 0) {
2051 e->name_state = NAME_PENDING;
2058 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2059 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2061 struct discovery_state *discov = &hdev->discovery;
2062 struct inquiry_entry *e;
2064 /* Update the mgmt connected state if necessary. Be careful with
2065 * conn objects that exist but are not (yet) connected however.
2066 * Only those in BT_CONFIG or BT_CONNECTED states can be
2067 * considered connected.
2070 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2071 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2072 mgmt_device_connected(hdev, conn, name, name_len);
2074 if (discov->state == DISCOVERY_STOPPED)
2077 if (discov->state == DISCOVERY_STOPPING)
2078 goto discov_complete;
2080 if (discov->state != DISCOVERY_RESOLVING)
2083 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2084 /* If the device was not found in a list of found devices names of which
2085 * are pending. there is no need to continue resolving a next name as it
2086 * will be done upon receiving another Remote Name Request Complete
2093 e->name_state = NAME_KNOWN;
2094 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2095 e->data.rssi, name, name_len);
2097 e->name_state = NAME_NOT_KNOWN;
2100 if (hci_resolve_next_name(hdev))
2104 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2107 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2109 struct hci_cp_remote_name_req *cp;
2110 struct hci_conn *conn;
2112 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2114 /* If successful wait for the name req complete event before
2115 * checking for the need to do authentication */
2119 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2125 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2127 if (hci_dev_test_flag(hdev, HCI_MGMT))
2128 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2133 if (!hci_outgoing_auth_needed(hdev, conn))
2136 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2137 struct hci_cp_auth_requested auth_cp;
2139 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2141 auth_cp.handle = __cpu_to_le16(conn->handle);
2142 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2143 sizeof(auth_cp), &auth_cp);
2147 hci_dev_unlock(hdev);
2150 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2152 struct hci_cp_read_remote_features *cp;
2153 struct hci_conn *conn;
2155 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2160 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2166 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2168 if (conn->state == BT_CONFIG) {
2169 hci_connect_cfm(conn, status);
2170 hci_conn_drop(conn);
2174 hci_dev_unlock(hdev);
2177 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2179 struct hci_cp_read_remote_ext_features *cp;
2180 struct hci_conn *conn;
2182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2187 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2193 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2195 if (conn->state == BT_CONFIG) {
2196 hci_connect_cfm(conn, status);
2197 hci_conn_drop(conn);
2201 hci_dev_unlock(hdev);
2204 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2206 struct hci_cp_setup_sync_conn *cp;
2207 struct hci_conn *acl, *sco;
2210 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2215 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2219 handle = __le16_to_cpu(cp->handle);
2221 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2225 acl = hci_conn_hash_lookup_handle(hdev, handle);
2229 sco->state = BT_CLOSED;
2231 hci_connect_cfm(sco, status);
2236 hci_dev_unlock(hdev);
2239 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2241 struct hci_cp_sniff_mode *cp;
2242 struct hci_conn *conn;
2244 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2249 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2255 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2257 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2259 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2260 hci_sco_setup(conn, status);
2263 hci_dev_unlock(hdev);
2266 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2268 struct hci_cp_exit_sniff_mode *cp;
2269 struct hci_conn *conn;
2271 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2276 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2282 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2284 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2286 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2287 hci_sco_setup(conn, status);
2290 hci_dev_unlock(hdev);
2293 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2295 struct hci_cp_disconnect *cp;
2296 struct hci_conn *conn;
2301 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2307 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2309 u8 type = conn->type;
2311 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2312 conn->dst_type, status);
2314 /* If the disconnection failed for any reason, the upper layer
2315 * does not retry to disconnect in current implementation.
2316 * Hence, we need to do some basic cleanup here and re-enable
2317 * advertising if necessary.
2320 if (type == LE_LINK)
2321 hci_req_reenable_advertising(hdev);
2324 hci_dev_unlock(hdev);
2327 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2328 u8 peer_addr_type, u8 own_address_type,
2331 struct hci_conn *conn;
2333 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2338 /* When using controller based address resolution, then the new
2339 * address types 0x02 and 0x03 are used. These types need to be
2340 * converted back into either public address or random address type
2342 if (use_ll_privacy(hdev) &&
2343 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) {
2344 switch (own_address_type) {
2345 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2346 own_address_type = ADDR_LE_DEV_PUBLIC;
2348 case ADDR_LE_DEV_RANDOM_RESOLVED:
2349 own_address_type = ADDR_LE_DEV_RANDOM;
2354 /* Store the initiator and responder address information which
2355 * is needed for SMP. These values will not change during the
2356 * lifetime of the connection.
2358 conn->init_addr_type = own_address_type;
2359 if (own_address_type == ADDR_LE_DEV_RANDOM)
2360 bacpy(&conn->init_addr, &hdev->random_addr);
2362 bacpy(&conn->init_addr, &hdev->bdaddr);
2364 conn->resp_addr_type = peer_addr_type;
2365 bacpy(&conn->resp_addr, peer_addr);
2367 /* We don't want the connection attempt to stick around
2368 * indefinitely since LE doesn't have a page timeout concept
2369 * like BR/EDR. Set a timer for any connection that doesn't use
2370 * the accept list for connecting.
2372 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2373 queue_delayed_work(conn->hdev->workqueue,
2374 &conn->le_conn_timeout,
2375 conn->conn_timeout);
2378 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2380 struct hci_cp_le_create_conn *cp;
2382 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2384 /* All connection failure handling is taken care of by the
2385 * hci_le_conn_failed function which is triggered by the HCI
2386 * request completion callbacks used for connecting.
2391 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2397 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2398 cp->own_address_type, cp->filter_policy);
2400 hci_dev_unlock(hdev);
2403 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2405 struct hci_cp_le_ext_create_conn *cp;
2407 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2409 /* All connection failure handling is taken care of by the
2410 * hci_le_conn_failed function which is triggered by the HCI
2411 * request completion callbacks used for connecting.
2416 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2422 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2423 cp->own_addr_type, cp->filter_policy);
2425 hci_dev_unlock(hdev);
2428 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2430 struct hci_cp_le_read_remote_features *cp;
2431 struct hci_conn *conn;
2433 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2444 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2446 if (conn->state == BT_CONFIG) {
2447 hci_connect_cfm(conn, status);
2448 hci_conn_drop(conn);
2452 hci_dev_unlock(hdev);
2455 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2457 struct hci_cp_le_start_enc *cp;
2458 struct hci_conn *conn;
2460 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2467 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2471 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2475 if (conn->state != BT_CONNECTED)
2478 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2479 hci_conn_drop(conn);
2482 hci_dev_unlock(hdev);
2485 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2487 struct hci_cp_switch_role *cp;
2488 struct hci_conn *conn;
2490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2495 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2501 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2503 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2505 hci_dev_unlock(hdev);
2508 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2510 __u8 status = *((__u8 *) skb->data);
2511 struct discovery_state *discov = &hdev->discovery;
2512 struct inquiry_entry *e;
2514 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2516 hci_conn_check_pending(hdev);
2518 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2521 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2522 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2524 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2529 if (discov->state != DISCOVERY_FINDING)
2532 if (list_empty(&discov->resolve)) {
2533 /* When BR/EDR inquiry is active and no LE scanning is in
2534 * progress, then change discovery state to indicate completion.
2536 * When running LE scanning and BR/EDR inquiry simultaneously
2537 * and the LE scan already finished, then change the discovery
2538 * state to indicate completion.
2540 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2541 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2542 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2546 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2547 if (e && hci_resolve_name(hdev, e) == 0) {
2548 e->name_state = NAME_PENDING;
2549 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2551 /* When BR/EDR inquiry is active and no LE scanning is in
2552 * progress, then change discovery state to indicate completion.
2554 * When running LE scanning and BR/EDR inquiry simultaneously
2555 * and the LE scan already finished, then change the discovery
2556 * state to indicate completion.
2558 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2559 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2560 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2564 hci_dev_unlock(hdev);
2567 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2569 struct inquiry_data data;
2570 struct inquiry_info *info = (void *) (skb->data + 1);
2571 int num_rsp = *((__u8 *) skb->data);
2573 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2575 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
2578 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2583 for (; num_rsp; num_rsp--, info++) {
2586 bacpy(&data.bdaddr, &info->bdaddr);
2587 data.pscan_rep_mode = info->pscan_rep_mode;
2588 data.pscan_period_mode = info->pscan_period_mode;
2589 data.pscan_mode = info->pscan_mode;
2590 memcpy(data.dev_class, info->dev_class, 3);
2591 data.clock_offset = info->clock_offset;
2592 data.rssi = HCI_RSSI_INVALID;
2593 data.ssp_mode = 0x00;
2595 flags = hci_inquiry_cache_update(hdev, &data, false);
2597 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2598 info->dev_class, HCI_RSSI_INVALID,
2599 flags, NULL, 0, NULL, 0);
2602 hci_dev_unlock(hdev);
2605 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2607 struct hci_ev_conn_complete *ev = (void *) skb->data;
2608 struct hci_conn *conn;
2610 BT_DBG("%s", hdev->name);
2614 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2616 /* Connection may not exist if auto-connected. Check the bredr
2617 * allowlist to see if this device is allowed to auto connect.
2618 * If link is an ACL type, create a connection class
2621 * Auto-connect will only occur if the event filter is
2622 * programmed with a given address. Right now, event filter is
2623 * only used during suspend.
2625 if (ev->link_type == ACL_LINK &&
2626 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
2629 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2632 bt_dev_err(hdev, "no memory for new conn");
2636 if (ev->link_type != SCO_LINK)
2639 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
2644 conn->type = SCO_LINK;
2649 conn->handle = __le16_to_cpu(ev->handle);
2651 if (conn->type == ACL_LINK) {
2652 conn->state = BT_CONFIG;
2653 hci_conn_hold(conn);
2655 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2656 !hci_find_link_key(hdev, &ev->bdaddr))
2657 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2659 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2661 conn->state = BT_CONNECTED;
2663 hci_debugfs_create_conn(conn);
2664 hci_conn_add_sysfs(conn);
2666 if (test_bit(HCI_AUTH, &hdev->flags))
2667 set_bit(HCI_CONN_AUTH, &conn->flags);
2669 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2670 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2672 /* Get remote features */
2673 if (conn->type == ACL_LINK) {
2674 struct hci_cp_read_remote_features cp;
2675 cp.handle = ev->handle;
2676 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2679 hci_req_update_scan(hdev);
2682 /* Set packet type for incoming connection */
2683 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2684 struct hci_cp_change_conn_ptype cp;
2685 cp.handle = ev->handle;
2686 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2687 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2691 conn->state = BT_CLOSED;
2692 if (conn->type == ACL_LINK)
2693 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2694 conn->dst_type, ev->status);
2697 if (conn->type == ACL_LINK)
2698 hci_sco_setup(conn, ev->status);
2701 hci_connect_cfm(conn, ev->status);
2703 } else if (ev->link_type == SCO_LINK) {
2704 switch (conn->setting & SCO_AIRMODE_MASK) {
2705 case SCO_AIRMODE_CVSD:
2707 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
2711 hci_connect_cfm(conn, ev->status);
2715 hci_dev_unlock(hdev);
2717 hci_conn_check_pending(hdev);
2720 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2722 struct hci_cp_reject_conn_req cp;
2724 bacpy(&cp.bdaddr, bdaddr);
2725 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2726 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2729 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2731 struct hci_ev_conn_request *ev = (void *) skb->data;
2732 int mask = hdev->link_mode;
2733 struct inquiry_entry *ie;
2734 struct hci_conn *conn;
2737 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2740 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2743 if (!(mask & HCI_LM_ACCEPT)) {
2744 hci_reject_conn(hdev, &ev->bdaddr);
2748 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
2750 hci_reject_conn(hdev, &ev->bdaddr);
2754 /* Require HCI_CONNECTABLE or an accept list entry to accept the
2755 * connection. These features are only touched through mgmt so
2756 * only do the checks if HCI_MGMT is set.
2758 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2759 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2760 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
2762 hci_reject_conn(hdev, &ev->bdaddr);
2766 /* Connection accepted */
2770 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2772 memcpy(ie->data.dev_class, ev->dev_class, 3);
2774 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2777 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2780 bt_dev_err(hdev, "no memory for new connection");
2781 hci_dev_unlock(hdev);
2786 memcpy(conn->dev_class, ev->dev_class, 3);
2788 hci_dev_unlock(hdev);
2790 if (ev->link_type == ACL_LINK ||
2791 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2792 struct hci_cp_accept_conn_req cp;
2793 conn->state = BT_CONNECT;
2795 bacpy(&cp.bdaddr, &ev->bdaddr);
2797 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2798 cp.role = 0x00; /* Become central */
2800 cp.role = 0x01; /* Remain peripheral */
2802 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2803 } else if (!(flags & HCI_PROTO_DEFER)) {
2804 struct hci_cp_accept_sync_conn_req cp;
2805 conn->state = BT_CONNECT;
2807 bacpy(&cp.bdaddr, &ev->bdaddr);
2808 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2810 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2811 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2812 cp.max_latency = cpu_to_le16(0xffff);
2813 cp.content_format = cpu_to_le16(hdev->voice_setting);
2814 cp.retrans_effort = 0xff;
2816 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2819 conn->state = BT_CONNECT2;
2820 hci_connect_cfm(conn, 0);
2824 static u8 hci_to_mgmt_reason(u8 err)
2827 case HCI_ERROR_CONNECTION_TIMEOUT:
2828 return MGMT_DEV_DISCONN_TIMEOUT;
2829 case HCI_ERROR_REMOTE_USER_TERM:
2830 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2831 case HCI_ERROR_REMOTE_POWER_OFF:
2832 return MGMT_DEV_DISCONN_REMOTE;
2833 case HCI_ERROR_LOCAL_HOST_TERM:
2834 return MGMT_DEV_DISCONN_LOCAL_HOST;
2836 return MGMT_DEV_DISCONN_UNKNOWN;
2840 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2842 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2844 struct hci_conn_params *params;
2845 struct hci_conn *conn;
2846 bool mgmt_connected;
2849 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2853 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2858 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2859 conn->dst_type, ev->status);
2863 conn->state = BT_CLOSED;
2865 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2867 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2868 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2870 reason = hci_to_mgmt_reason(ev->reason);
2872 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2873 reason, mgmt_connected);
2875 if (conn->type == ACL_LINK) {
2876 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2877 hci_remove_link_key(hdev, &conn->dst);
2879 hci_req_update_scan(hdev);
2882 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2884 switch (params->auto_connect) {
2885 case HCI_AUTO_CONN_LINK_LOSS:
2886 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2890 case HCI_AUTO_CONN_DIRECT:
2891 case HCI_AUTO_CONN_ALWAYS:
2892 list_del_init(¶ms->action);
2893 list_add(¶ms->action, &hdev->pend_le_conns);
2894 hci_update_background_scan(hdev);
2904 hci_disconn_cfm(conn, ev->reason);
2907 /* The suspend notifier is waiting for all devices to disconnect so
2908 * clear the bit from pending tasks and inform the wait queue.
2910 if (list_empty(&hdev->conn_hash.list) &&
2911 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
2912 wake_up(&hdev->suspend_wait_q);
2915 /* Re-enable advertising if necessary, since it might
2916 * have been disabled by the connection. From the
2917 * HCI_LE_Set_Advertise_Enable command description in
2918 * the core specification (v4.0):
2919 * "The Controller shall continue advertising until the Host
2920 * issues an LE_Set_Advertise_Enable command with
2921 * Advertising_Enable set to 0x00 (Advertising is disabled)
2922 * or until a connection is created or until the Advertising
2923 * is timed out due to Directed Advertising."
2925 if (type == LE_LINK)
2926 hci_req_reenable_advertising(hdev);
2929 hci_dev_unlock(hdev);
2932 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2934 struct hci_ev_auth_complete *ev = (void *) skb->data;
2935 struct hci_conn *conn;
2937 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2941 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2946 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2948 if (!hci_conn_ssp_enabled(conn) &&
2949 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2950 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2952 set_bit(HCI_CONN_AUTH, &conn->flags);
2953 conn->sec_level = conn->pending_sec_level;
2956 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2957 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2959 mgmt_auth_failed(conn, ev->status);
2962 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2963 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2965 if (conn->state == BT_CONFIG) {
2966 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2967 struct hci_cp_set_conn_encrypt cp;
2968 cp.handle = ev->handle;
2970 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2973 conn->state = BT_CONNECTED;
2974 hci_connect_cfm(conn, ev->status);
2975 hci_conn_drop(conn);
2978 hci_auth_cfm(conn, ev->status);
2980 hci_conn_hold(conn);
2981 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2982 hci_conn_drop(conn);
2985 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2987 struct hci_cp_set_conn_encrypt cp;
2988 cp.handle = ev->handle;
2990 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2993 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2994 hci_encrypt_cfm(conn, ev->status);
2999 hci_dev_unlock(hdev);
3002 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
3004 struct hci_ev_remote_name *ev = (void *) skb->data;
3005 struct hci_conn *conn;
3007 BT_DBG("%s", hdev->name);
3009 hci_conn_check_pending(hdev);
3013 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3015 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3018 if (ev->status == 0)
3019 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3020 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3022 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3028 if (!hci_outgoing_auth_needed(hdev, conn))
3031 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3032 struct hci_cp_auth_requested cp;
3034 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3036 cp.handle = __cpu_to_le16(conn->handle);
3037 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3041 hci_dev_unlock(hdev);
3044 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
3045 u16 opcode, struct sk_buff *skb)
3047 const struct hci_rp_read_enc_key_size *rp;
3048 struct hci_conn *conn;
3051 BT_DBG("%s status 0x%02x", hdev->name, status);
3053 if (!skb || skb->len < sizeof(*rp)) {
3054 bt_dev_err(hdev, "invalid read key size response");
3058 rp = (void *)skb->data;
3059 handle = le16_to_cpu(rp->handle);
3063 conn = hci_conn_hash_lookup_handle(hdev, handle);
3067 /* While unexpected, the read_enc_key_size command may fail. The most
3068 * secure approach is to then assume the key size is 0 to force a
3072 bt_dev_err(hdev, "failed to read key size for handle %u",
3074 conn->enc_key_size = 0;
3076 conn->enc_key_size = rp->key_size;
3079 hci_encrypt_cfm(conn, 0);
3082 hci_dev_unlock(hdev);
3085 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3087 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3088 struct hci_conn *conn;
3090 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3094 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3100 /* Encryption implies authentication */
3101 set_bit(HCI_CONN_AUTH, &conn->flags);
3102 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3103 conn->sec_level = conn->pending_sec_level;
3105 /* P-256 authentication key implies FIPS */
3106 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3107 set_bit(HCI_CONN_FIPS, &conn->flags);
3109 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3110 conn->type == LE_LINK)
3111 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3113 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3114 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3118 /* We should disregard the current RPA and generate a new one
3119 * whenever the encryption procedure fails.
3121 if (ev->status && conn->type == LE_LINK) {
3122 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3123 hci_adv_instances_set_rpa_expired(hdev, true);
3126 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3128 /* Check link security requirements are met */
3129 if (!hci_conn_check_link_mode(conn))
3130 ev->status = HCI_ERROR_AUTH_FAILURE;
3132 if (ev->status && conn->state == BT_CONNECTED) {
3133 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3134 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3136 /* Notify upper layers so they can cleanup before
3139 hci_encrypt_cfm(conn, ev->status);
3140 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3141 hci_conn_drop(conn);
3145 /* Try reading the encryption key size for encrypted ACL links */
3146 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3147 struct hci_cp_read_enc_key_size cp;
3148 struct hci_request req;
3150 /* Only send HCI_Read_Encryption_Key_Size if the
3151 * controller really supports it. If it doesn't, assume
3152 * the default size (16).
3154 if (!(hdev->commands[20] & 0x10)) {
3155 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3159 hci_req_init(&req, hdev);
3161 cp.handle = cpu_to_le16(conn->handle);
3162 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3164 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3165 bt_dev_err(hdev, "sending read key size failed");
3166 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3173 /* Set the default Authenticated Payload Timeout after
3174 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3175 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3176 * sent when the link is active and Encryption is enabled, the conn
3177 * type can be either LE or ACL and controller must support LMP Ping.
3178 * Ensure for AES-CCM encryption as well.
3180 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3181 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3182 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3183 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3184 struct hci_cp_write_auth_payload_to cp;
3186 cp.handle = cpu_to_le16(conn->handle);
3187 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3188 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3193 hci_encrypt_cfm(conn, ev->status);
3196 hci_dev_unlock(hdev);
3199 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3200 struct sk_buff *skb)
3202 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3203 struct hci_conn *conn;
3205 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3209 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3212 set_bit(HCI_CONN_SECURE, &conn->flags);
3214 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3216 hci_key_change_cfm(conn, ev->status);
3219 hci_dev_unlock(hdev);
3222 static void hci_remote_features_evt(struct hci_dev *hdev,
3223 struct sk_buff *skb)
3225 struct hci_ev_remote_features *ev = (void *) skb->data;
3226 struct hci_conn *conn;
3228 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3237 memcpy(conn->features[0], ev->features, 8);
3239 if (conn->state != BT_CONFIG)
3242 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3243 lmp_ext_feat_capable(conn)) {
3244 struct hci_cp_read_remote_ext_features cp;
3245 cp.handle = ev->handle;
3247 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3252 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3253 struct hci_cp_remote_name_req cp;
3254 memset(&cp, 0, sizeof(cp));
3255 bacpy(&cp.bdaddr, &conn->dst);
3256 cp.pscan_rep_mode = 0x02;
3257 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3258 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3259 mgmt_device_connected(hdev, conn, NULL, 0);
3261 if (!hci_outgoing_auth_needed(hdev, conn)) {
3262 conn->state = BT_CONNECTED;
3263 hci_connect_cfm(conn, ev->status);
3264 hci_conn_drop(conn);
3268 hci_dev_unlock(hdev);
3271 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev,
3272 u16 opcode, u8 ncmd)
3274 if (opcode != HCI_OP_NOP)
3275 cancel_delayed_work(&hdev->cmd_timer);
3277 if (!test_bit(HCI_RESET, &hdev->flags)) {
3279 cancel_delayed_work(&hdev->ncmd_timer);
3280 atomic_set(&hdev->cmd_cnt, 1);
3282 schedule_delayed_work(&hdev->ncmd_timer,
3288 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3289 u16 *opcode, u8 *status,
3290 hci_req_complete_t *req_complete,
3291 hci_req_complete_skb_t *req_complete_skb)
3293 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3295 *opcode = __le16_to_cpu(ev->opcode);
3296 *status = skb->data[sizeof(*ev)];
3298 skb_pull(skb, sizeof(*ev));
3301 case HCI_OP_INQUIRY_CANCEL:
3302 hci_cc_inquiry_cancel(hdev, skb, status);
3305 case HCI_OP_PERIODIC_INQ:
3306 hci_cc_periodic_inq(hdev, skb);
3309 case HCI_OP_EXIT_PERIODIC_INQ:
3310 hci_cc_exit_periodic_inq(hdev, skb);
3313 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3314 hci_cc_remote_name_req_cancel(hdev, skb);
3317 case HCI_OP_ROLE_DISCOVERY:
3318 hci_cc_role_discovery(hdev, skb);
3321 case HCI_OP_READ_LINK_POLICY:
3322 hci_cc_read_link_policy(hdev, skb);
3325 case HCI_OP_WRITE_LINK_POLICY:
3326 hci_cc_write_link_policy(hdev, skb);
3329 case HCI_OP_READ_DEF_LINK_POLICY:
3330 hci_cc_read_def_link_policy(hdev, skb);
3333 case HCI_OP_WRITE_DEF_LINK_POLICY:
3334 hci_cc_write_def_link_policy(hdev, skb);
3338 hci_cc_reset(hdev, skb);
3341 case HCI_OP_READ_STORED_LINK_KEY:
3342 hci_cc_read_stored_link_key(hdev, skb);
3345 case HCI_OP_DELETE_STORED_LINK_KEY:
3346 hci_cc_delete_stored_link_key(hdev, skb);
3349 case HCI_OP_WRITE_LOCAL_NAME:
3350 hci_cc_write_local_name(hdev, skb);
3353 case HCI_OP_READ_LOCAL_NAME:
3354 hci_cc_read_local_name(hdev, skb);
3357 case HCI_OP_WRITE_AUTH_ENABLE:
3358 hci_cc_write_auth_enable(hdev, skb);
3361 case HCI_OP_WRITE_ENCRYPT_MODE:
3362 hci_cc_write_encrypt_mode(hdev, skb);
3365 case HCI_OP_WRITE_SCAN_ENABLE:
3366 hci_cc_write_scan_enable(hdev, skb);
3369 case HCI_OP_SET_EVENT_FLT:
3370 hci_cc_set_event_filter(hdev, skb);
3373 case HCI_OP_READ_CLASS_OF_DEV:
3374 hci_cc_read_class_of_dev(hdev, skb);
3377 case HCI_OP_WRITE_CLASS_OF_DEV:
3378 hci_cc_write_class_of_dev(hdev, skb);
3381 case HCI_OP_READ_VOICE_SETTING:
3382 hci_cc_read_voice_setting(hdev, skb);
3385 case HCI_OP_WRITE_VOICE_SETTING:
3386 hci_cc_write_voice_setting(hdev, skb);
3389 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3390 hci_cc_read_num_supported_iac(hdev, skb);
3393 case HCI_OP_WRITE_SSP_MODE:
3394 hci_cc_write_ssp_mode(hdev, skb);
3397 case HCI_OP_WRITE_SC_SUPPORT:
3398 hci_cc_write_sc_support(hdev, skb);
3401 case HCI_OP_READ_AUTH_PAYLOAD_TO:
3402 hci_cc_read_auth_payload_timeout(hdev, skb);
3405 case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3406 hci_cc_write_auth_payload_timeout(hdev, skb);
3409 case HCI_OP_READ_LOCAL_VERSION:
3410 hci_cc_read_local_version(hdev, skb);
3413 case HCI_OP_READ_LOCAL_COMMANDS:
3414 hci_cc_read_local_commands(hdev, skb);
3417 case HCI_OP_READ_LOCAL_FEATURES:
3418 hci_cc_read_local_features(hdev, skb);
3421 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3422 hci_cc_read_local_ext_features(hdev, skb);
3425 case HCI_OP_READ_BUFFER_SIZE:
3426 hci_cc_read_buffer_size(hdev, skb);
3429 case HCI_OP_READ_BD_ADDR:
3430 hci_cc_read_bd_addr(hdev, skb);
3433 case HCI_OP_READ_LOCAL_PAIRING_OPTS:
3434 hci_cc_read_local_pairing_opts(hdev, skb);
3437 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3438 hci_cc_read_page_scan_activity(hdev, skb);
3441 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3442 hci_cc_write_page_scan_activity(hdev, skb);
3445 case HCI_OP_READ_PAGE_SCAN_TYPE:
3446 hci_cc_read_page_scan_type(hdev, skb);
3449 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3450 hci_cc_write_page_scan_type(hdev, skb);
3453 case HCI_OP_READ_DATA_BLOCK_SIZE:
3454 hci_cc_read_data_block_size(hdev, skb);
3457 case HCI_OP_READ_FLOW_CONTROL_MODE:
3458 hci_cc_read_flow_control_mode(hdev, skb);
3461 case HCI_OP_READ_LOCAL_AMP_INFO:
3462 hci_cc_read_local_amp_info(hdev, skb);
3465 case HCI_OP_READ_CLOCK:
3466 hci_cc_read_clock(hdev, skb);
3469 case HCI_OP_READ_INQ_RSP_TX_POWER:
3470 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3473 case HCI_OP_READ_DEF_ERR_DATA_REPORTING:
3474 hci_cc_read_def_err_data_reporting(hdev, skb);
3477 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:
3478 hci_cc_write_def_err_data_reporting(hdev, skb);
3481 case HCI_OP_PIN_CODE_REPLY:
3482 hci_cc_pin_code_reply(hdev, skb);
3485 case HCI_OP_PIN_CODE_NEG_REPLY:
3486 hci_cc_pin_code_neg_reply(hdev, skb);
3489 case HCI_OP_READ_LOCAL_OOB_DATA:
3490 hci_cc_read_local_oob_data(hdev, skb);
3493 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3494 hci_cc_read_local_oob_ext_data(hdev, skb);
3497 case HCI_OP_LE_READ_BUFFER_SIZE:
3498 hci_cc_le_read_buffer_size(hdev, skb);
3501 case HCI_OP_LE_READ_LOCAL_FEATURES:
3502 hci_cc_le_read_local_features(hdev, skb);
3505 case HCI_OP_LE_READ_ADV_TX_POWER:
3506 hci_cc_le_read_adv_tx_power(hdev, skb);
3509 case HCI_OP_USER_CONFIRM_REPLY:
3510 hci_cc_user_confirm_reply(hdev, skb);
3513 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3514 hci_cc_user_confirm_neg_reply(hdev, skb);
3517 case HCI_OP_USER_PASSKEY_REPLY:
3518 hci_cc_user_passkey_reply(hdev, skb);
3521 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3522 hci_cc_user_passkey_neg_reply(hdev, skb);
3525 case HCI_OP_LE_SET_RANDOM_ADDR:
3526 hci_cc_le_set_random_addr(hdev, skb);
3529 case HCI_OP_LE_SET_ADV_ENABLE:
3530 hci_cc_le_set_adv_enable(hdev, skb);
3533 case HCI_OP_LE_SET_SCAN_PARAM:
3534 hci_cc_le_set_scan_param(hdev, skb);
3537 case HCI_OP_LE_SET_SCAN_ENABLE:
3538 hci_cc_le_set_scan_enable(hdev, skb);
3541 case HCI_OP_LE_READ_ACCEPT_LIST_SIZE:
3542 hci_cc_le_read_accept_list_size(hdev, skb);
3545 case HCI_OP_LE_CLEAR_ACCEPT_LIST:
3546 hci_cc_le_clear_accept_list(hdev, skb);
3549 case HCI_OP_LE_ADD_TO_ACCEPT_LIST:
3550 hci_cc_le_add_to_accept_list(hdev, skb);
3553 case HCI_OP_LE_DEL_FROM_ACCEPT_LIST:
3554 hci_cc_le_del_from_accept_list(hdev, skb);
3557 case HCI_OP_LE_READ_SUPPORTED_STATES:
3558 hci_cc_le_read_supported_states(hdev, skb);
3561 case HCI_OP_LE_READ_DEF_DATA_LEN:
3562 hci_cc_le_read_def_data_len(hdev, skb);
3565 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3566 hci_cc_le_write_def_data_len(hdev, skb);
3569 case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3570 hci_cc_le_add_to_resolv_list(hdev, skb);
3573 case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3574 hci_cc_le_del_from_resolv_list(hdev, skb);
3577 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3578 hci_cc_le_clear_resolv_list(hdev, skb);
3581 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3582 hci_cc_le_read_resolv_list_size(hdev, skb);
3585 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3586 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3589 case HCI_OP_LE_READ_MAX_DATA_LEN:
3590 hci_cc_le_read_max_data_len(hdev, skb);
3593 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3594 hci_cc_write_le_host_supported(hdev, skb);
3597 case HCI_OP_LE_SET_ADV_PARAM:
3598 hci_cc_set_adv_param(hdev, skb);
3601 case HCI_OP_READ_RSSI:
3602 hci_cc_read_rssi(hdev, skb);
3605 case HCI_OP_READ_TX_POWER:
3606 hci_cc_read_tx_power(hdev, skb);
3609 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3610 hci_cc_write_ssp_debug_mode(hdev, skb);
3613 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3614 hci_cc_le_set_ext_scan_param(hdev, skb);
3617 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3618 hci_cc_le_set_ext_scan_enable(hdev, skb);
3621 case HCI_OP_LE_SET_DEFAULT_PHY:
3622 hci_cc_le_set_default_phy(hdev, skb);
3625 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3626 hci_cc_le_read_num_adv_sets(hdev, skb);
3629 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3630 hci_cc_set_ext_adv_param(hdev, skb);
3633 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3634 hci_cc_le_set_ext_adv_enable(hdev, skb);
3637 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3638 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3641 case HCI_OP_LE_READ_TRANSMIT_POWER:
3642 hci_cc_le_read_transmit_power(hdev, skb);
3646 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3650 handle_cmd_cnt_and_timer(hdev, *opcode, ev->ncmd);
3652 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3655 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3657 "unexpected event for opcode 0x%4.4x", *opcode);
3661 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3662 queue_work(hdev->workqueue, &hdev->cmd_work);
3665 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3666 u16 *opcode, u8 *status,
3667 hci_req_complete_t *req_complete,
3668 hci_req_complete_skb_t *req_complete_skb)
3670 struct hci_ev_cmd_status *ev = (void *) skb->data;
3672 skb_pull(skb, sizeof(*ev));
3674 *opcode = __le16_to_cpu(ev->opcode);
3675 *status = ev->status;
3678 case HCI_OP_INQUIRY:
3679 hci_cs_inquiry(hdev, ev->status);
3682 case HCI_OP_CREATE_CONN:
3683 hci_cs_create_conn(hdev, ev->status);
3686 case HCI_OP_DISCONNECT:
3687 hci_cs_disconnect(hdev, ev->status);
3690 case HCI_OP_ADD_SCO:
3691 hci_cs_add_sco(hdev, ev->status);
3694 case HCI_OP_AUTH_REQUESTED:
3695 hci_cs_auth_requested(hdev, ev->status);
3698 case HCI_OP_SET_CONN_ENCRYPT:
3699 hci_cs_set_conn_encrypt(hdev, ev->status);
3702 case HCI_OP_REMOTE_NAME_REQ:
3703 hci_cs_remote_name_req(hdev, ev->status);
3706 case HCI_OP_READ_REMOTE_FEATURES:
3707 hci_cs_read_remote_features(hdev, ev->status);
3710 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3711 hci_cs_read_remote_ext_features(hdev, ev->status);
3714 case HCI_OP_SETUP_SYNC_CONN:
3715 hci_cs_setup_sync_conn(hdev, ev->status);
3718 case HCI_OP_SNIFF_MODE:
3719 hci_cs_sniff_mode(hdev, ev->status);
3722 case HCI_OP_EXIT_SNIFF_MODE:
3723 hci_cs_exit_sniff_mode(hdev, ev->status);
3726 case HCI_OP_SWITCH_ROLE:
3727 hci_cs_switch_role(hdev, ev->status);
3730 case HCI_OP_LE_CREATE_CONN:
3731 hci_cs_le_create_conn(hdev, ev->status);
3734 case HCI_OP_LE_READ_REMOTE_FEATURES:
3735 hci_cs_le_read_remote_features(hdev, ev->status);
3738 case HCI_OP_LE_START_ENC:
3739 hci_cs_le_start_enc(hdev, ev->status);
3742 case HCI_OP_LE_EXT_CREATE_CONN:
3743 hci_cs_le_ext_create_conn(hdev, ev->status);
3747 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3751 handle_cmd_cnt_and_timer(hdev, *opcode, ev->ncmd);
3753 /* Indicate request completion if the command failed. Also, if
3754 * we're not waiting for a special event and we get a success
3755 * command status we should try to flag the request as completed
3756 * (since for this kind of commands there will not be a command
3760 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3761 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3764 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3766 "unexpected event for opcode 0x%4.4x", *opcode);
3770 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3771 queue_work(hdev->workqueue, &hdev->cmd_work);
3774 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3776 struct hci_ev_hardware_error *ev = (void *) skb->data;
3778 hdev->hw_error_code = ev->code;
3780 queue_work(hdev->req_workqueue, &hdev->error_reset);
3783 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3785 struct hci_ev_role_change *ev = (void *) skb->data;
3786 struct hci_conn *conn;
3788 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3792 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3795 conn->role = ev->role;
3797 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3799 hci_role_switch_cfm(conn, ev->status, ev->role);
3802 hci_dev_unlock(hdev);
3805 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3807 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3810 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3811 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3815 if (skb->len < sizeof(*ev) ||
3816 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3817 BT_DBG("%s bad parameters", hdev->name);
3821 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3823 for (i = 0; i < ev->num_hndl; i++) {
3824 struct hci_comp_pkts_info *info = &ev->handles[i];
3825 struct hci_conn *conn;
3826 __u16 handle, count;
3828 handle = __le16_to_cpu(info->handle);
3829 count = __le16_to_cpu(info->count);
3831 conn = hci_conn_hash_lookup_handle(hdev, handle);
3835 conn->sent -= count;
3837 switch (conn->type) {
3839 hdev->acl_cnt += count;
3840 if (hdev->acl_cnt > hdev->acl_pkts)
3841 hdev->acl_cnt = hdev->acl_pkts;
3845 if (hdev->le_pkts) {
3846 hdev->le_cnt += count;
3847 if (hdev->le_cnt > hdev->le_pkts)
3848 hdev->le_cnt = hdev->le_pkts;
3850 hdev->acl_cnt += count;
3851 if (hdev->acl_cnt > hdev->acl_pkts)
3852 hdev->acl_cnt = hdev->acl_pkts;
3857 hdev->sco_cnt += count;
3858 if (hdev->sco_cnt > hdev->sco_pkts)
3859 hdev->sco_cnt = hdev->sco_pkts;
3863 bt_dev_err(hdev, "unknown type %d conn %p",
3869 queue_work(hdev->workqueue, &hdev->tx_work);
3872 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3875 struct hci_chan *chan;
3877 switch (hdev->dev_type) {
3879 return hci_conn_hash_lookup_handle(hdev, handle);
3881 chan = hci_chan_lookup_handle(hdev, handle);
3886 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3893 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3895 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3898 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3899 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3903 if (skb->len < sizeof(*ev) ||
3904 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3905 BT_DBG("%s bad parameters", hdev->name);
3909 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3912 for (i = 0; i < ev->num_hndl; i++) {
3913 struct hci_comp_blocks_info *info = &ev->handles[i];
3914 struct hci_conn *conn = NULL;
3915 __u16 handle, block_count;
3917 handle = __le16_to_cpu(info->handle);
3918 block_count = __le16_to_cpu(info->blocks);
3920 conn = __hci_conn_lookup_handle(hdev, handle);
3924 conn->sent -= block_count;
3926 switch (conn->type) {
3929 hdev->block_cnt += block_count;
3930 if (hdev->block_cnt > hdev->num_blocks)
3931 hdev->block_cnt = hdev->num_blocks;
3935 bt_dev_err(hdev, "unknown type %d conn %p",
3941 queue_work(hdev->workqueue, &hdev->tx_work);
3944 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3946 struct hci_ev_mode_change *ev = (void *) skb->data;
3947 struct hci_conn *conn;
3949 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3953 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3955 conn->mode = ev->mode;
3957 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3959 if (conn->mode == HCI_CM_ACTIVE)
3960 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3962 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3965 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3966 hci_sco_setup(conn, ev->status);
3969 hci_dev_unlock(hdev);
3972 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3974 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3975 struct hci_conn *conn;
3977 BT_DBG("%s", hdev->name);
3981 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3985 if (conn->state == BT_CONNECTED) {
3986 hci_conn_hold(conn);
3987 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3988 hci_conn_drop(conn);
3991 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3992 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3993 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3994 sizeof(ev->bdaddr), &ev->bdaddr);
3995 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3998 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4003 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4007 hci_dev_unlock(hdev);
4010 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4012 if (key_type == HCI_LK_CHANGED_COMBINATION)
4015 conn->pin_length = pin_len;
4016 conn->key_type = key_type;
4019 case HCI_LK_LOCAL_UNIT:
4020 case HCI_LK_REMOTE_UNIT:
4021 case HCI_LK_DEBUG_COMBINATION:
4023 case HCI_LK_COMBINATION:
4025 conn->pending_sec_level = BT_SECURITY_HIGH;
4027 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4029 case HCI_LK_UNAUTH_COMBINATION_P192:
4030 case HCI_LK_UNAUTH_COMBINATION_P256:
4031 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4033 case HCI_LK_AUTH_COMBINATION_P192:
4034 conn->pending_sec_level = BT_SECURITY_HIGH;
4036 case HCI_LK_AUTH_COMBINATION_P256:
4037 conn->pending_sec_level = BT_SECURITY_FIPS;
4042 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4044 struct hci_ev_link_key_req *ev = (void *) skb->data;
4045 struct hci_cp_link_key_reply cp;
4046 struct hci_conn *conn;
4047 struct link_key *key;
4049 BT_DBG("%s", hdev->name);
4051 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4056 key = hci_find_link_key(hdev, &ev->bdaddr);
4058 BT_DBG("%s link key not found for %pMR", hdev->name,
4063 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
4066 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4068 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4070 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4071 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4072 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4073 BT_DBG("%s ignoring unauthenticated key", hdev->name);
4077 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4078 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4079 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4080 BT_DBG("%s ignoring key unauthenticated for high security",
4085 conn_set_key(conn, key->type, key->pin_len);
4088 bacpy(&cp.bdaddr, &ev->bdaddr);
4089 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4091 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4093 hci_dev_unlock(hdev);
4098 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4099 hci_dev_unlock(hdev);
4102 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4104 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4105 struct hci_conn *conn;
4106 struct link_key *key;
4110 BT_DBG("%s", hdev->name);
4114 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4118 hci_conn_hold(conn);
4119 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4120 hci_conn_drop(conn);
4122 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4123 conn_set_key(conn, ev->key_type, conn->pin_length);
4125 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4128 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4129 ev->key_type, pin_len, &persistent);
4133 /* Update connection information since adding the key will have
4134 * fixed up the type in the case of changed combination keys.
4136 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4137 conn_set_key(conn, key->type, key->pin_len);
4139 mgmt_new_link_key(hdev, key, persistent);
4141 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4142 * is set. If it's not set simply remove the key from the kernel
4143 * list (we've still notified user space about it but with
4144 * store_hint being 0).
4146 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4147 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4148 list_del_rcu(&key->list);
4149 kfree_rcu(key, rcu);
4154 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4156 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4159 hci_dev_unlock(hdev);
4162 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4164 struct hci_ev_clock_offset *ev = (void *) skb->data;
4165 struct hci_conn *conn;
4167 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4171 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4172 if (conn && !ev->status) {
4173 struct inquiry_entry *ie;
4175 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4177 ie->data.clock_offset = ev->clock_offset;
4178 ie->timestamp = jiffies;
4182 hci_dev_unlock(hdev);
4185 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4187 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4188 struct hci_conn *conn;
4190 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4194 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4195 if (conn && !ev->status)
4196 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4198 hci_dev_unlock(hdev);
4201 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4203 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4204 struct inquiry_entry *ie;
4206 BT_DBG("%s", hdev->name);
4210 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4212 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4213 ie->timestamp = jiffies;
4216 hci_dev_unlock(hdev);
4219 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4220 struct sk_buff *skb)
4222 struct inquiry_data data;
4223 int num_rsp = *((__u8 *) skb->data);
4225 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4230 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4235 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4236 struct inquiry_info_with_rssi_and_pscan_mode *info;
4237 info = (void *) (skb->data + 1);
4239 if (skb->len < num_rsp * sizeof(*info) + 1)
4242 for (; num_rsp; num_rsp--, info++) {
4245 bacpy(&data.bdaddr, &info->bdaddr);
4246 data.pscan_rep_mode = info->pscan_rep_mode;
4247 data.pscan_period_mode = info->pscan_period_mode;
4248 data.pscan_mode = info->pscan_mode;
4249 memcpy(data.dev_class, info->dev_class, 3);
4250 data.clock_offset = info->clock_offset;
4251 data.rssi = info->rssi;
4252 data.ssp_mode = 0x00;
4254 flags = hci_inquiry_cache_update(hdev, &data, false);
4256 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4257 info->dev_class, info->rssi,
4258 flags, NULL, 0, NULL, 0);
4261 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4263 if (skb->len < num_rsp * sizeof(*info) + 1)
4266 for (; num_rsp; num_rsp--, info++) {
4269 bacpy(&data.bdaddr, &info->bdaddr);
4270 data.pscan_rep_mode = info->pscan_rep_mode;
4271 data.pscan_period_mode = info->pscan_period_mode;
4272 data.pscan_mode = 0x00;
4273 memcpy(data.dev_class, info->dev_class, 3);
4274 data.clock_offset = info->clock_offset;
4275 data.rssi = info->rssi;
4276 data.ssp_mode = 0x00;
4278 flags = hci_inquiry_cache_update(hdev, &data, false);
4280 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4281 info->dev_class, info->rssi,
4282 flags, NULL, 0, NULL, 0);
4287 hci_dev_unlock(hdev);
4290 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4291 struct sk_buff *skb)
4293 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4294 struct hci_conn *conn;
4296 BT_DBG("%s", hdev->name);
4300 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4304 if (ev->page < HCI_MAX_PAGES)
4305 memcpy(conn->features[ev->page], ev->features, 8);
4307 if (!ev->status && ev->page == 0x01) {
4308 struct inquiry_entry *ie;
4310 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4312 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4314 if (ev->features[0] & LMP_HOST_SSP) {
4315 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4317 /* It is mandatory by the Bluetooth specification that
4318 * Extended Inquiry Results are only used when Secure
4319 * Simple Pairing is enabled, but some devices violate
4322 * To make these devices work, the internal SSP
4323 * enabled flag needs to be cleared if the remote host
4324 * features do not indicate SSP support */
4325 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4328 if (ev->features[0] & LMP_HOST_SC)
4329 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4332 if (conn->state != BT_CONFIG)
4335 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4336 struct hci_cp_remote_name_req cp;
4337 memset(&cp, 0, sizeof(cp));
4338 bacpy(&cp.bdaddr, &conn->dst);
4339 cp.pscan_rep_mode = 0x02;
4340 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4341 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4342 mgmt_device_connected(hdev, conn, NULL, 0);
4344 if (!hci_outgoing_auth_needed(hdev, conn)) {
4345 conn->state = BT_CONNECTED;
4346 hci_connect_cfm(conn, ev->status);
4347 hci_conn_drop(conn);
4351 hci_dev_unlock(hdev);
4354 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4355 struct sk_buff *skb)
4357 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4358 struct hci_conn *conn;
4360 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4364 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4366 if (ev->link_type == ESCO_LINK)
4369 /* When the link type in the event indicates SCO connection
4370 * and lookup of the connection object fails, then check
4371 * if an eSCO connection object exists.
4373 * The core limits the synchronous connections to either
4374 * SCO or eSCO. The eSCO connection is preferred and tried
4375 * to be setup first and until successfully established,
4376 * the link type will be hinted as eSCO.
4378 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4383 switch (ev->status) {
4385 conn->handle = __le16_to_cpu(ev->handle);
4386 conn->state = BT_CONNECTED;
4387 conn->type = ev->link_type;
4389 hci_debugfs_create_conn(conn);
4390 hci_conn_add_sysfs(conn);
4393 case 0x10: /* Connection Accept Timeout */
4394 case 0x0d: /* Connection Rejected due to Limited Resources */
4395 case 0x11: /* Unsupported Feature or Parameter Value */
4396 case 0x1c: /* SCO interval rejected */
4397 case 0x1a: /* Unsupported Remote Feature */
4398 case 0x1e: /* Invalid LMP Parameters */
4399 case 0x1f: /* Unspecified error */
4400 case 0x20: /* Unsupported LMP Parameter value */
4402 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4403 (hdev->esco_type & EDR_ESCO_MASK);
4404 if (hci_setup_sync(conn, conn->link->handle))
4410 conn->state = BT_CLOSED;
4414 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4416 switch (ev->air_mode) {
4419 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
4423 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
4427 hci_connect_cfm(conn, ev->status);
4432 hci_dev_unlock(hdev);
4435 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4439 while (parsed < eir_len) {
4440 u8 field_len = eir[0];
4445 parsed += field_len + 1;
4446 eir += field_len + 1;
4452 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4453 struct sk_buff *skb)
4455 struct inquiry_data data;
4456 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4457 int num_rsp = *((__u8 *) skb->data);
4460 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4462 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
4465 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4470 for (; num_rsp; num_rsp--, info++) {
4474 bacpy(&data.bdaddr, &info->bdaddr);
4475 data.pscan_rep_mode = info->pscan_rep_mode;
4476 data.pscan_period_mode = info->pscan_period_mode;
4477 data.pscan_mode = 0x00;
4478 memcpy(data.dev_class, info->dev_class, 3);
4479 data.clock_offset = info->clock_offset;
4480 data.rssi = info->rssi;
4481 data.ssp_mode = 0x01;
4483 if (hci_dev_test_flag(hdev, HCI_MGMT))
4484 name_known = eir_get_data(info->data,
4486 EIR_NAME_COMPLETE, NULL);
4490 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4492 eir_len = eir_get_length(info->data, sizeof(info->data));
4494 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4495 info->dev_class, info->rssi,
4496 flags, info->data, eir_len, NULL, 0);
4499 hci_dev_unlock(hdev);
4502 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4503 struct sk_buff *skb)
4505 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4506 struct hci_conn *conn;
4508 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4509 __le16_to_cpu(ev->handle));
4513 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4517 /* For BR/EDR the necessary steps are taken through the
4518 * auth_complete event.
4520 if (conn->type != LE_LINK)
4524 conn->sec_level = conn->pending_sec_level;
4526 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4528 if (ev->status && conn->state == BT_CONNECTED) {
4529 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4530 hci_conn_drop(conn);
4534 if (conn->state == BT_CONFIG) {
4536 conn->state = BT_CONNECTED;
4538 hci_connect_cfm(conn, ev->status);
4539 hci_conn_drop(conn);
4541 hci_auth_cfm(conn, ev->status);
4543 hci_conn_hold(conn);
4544 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4545 hci_conn_drop(conn);
4549 hci_dev_unlock(hdev);
4552 static u8 hci_get_auth_req(struct hci_conn *conn)
4554 /* If remote requests no-bonding follow that lead */
4555 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4556 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4557 return conn->remote_auth | (conn->auth_type & 0x01);
4559 /* If both remote and local have enough IO capabilities, require
4562 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4563 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4564 return conn->remote_auth | 0x01;
4566 /* No MITM protection possible so ignore remote requirement */
4567 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4570 static u8 bredr_oob_data_present(struct hci_conn *conn)
4572 struct hci_dev *hdev = conn->hdev;
4573 struct oob_data *data;
4575 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4579 if (bredr_sc_enabled(hdev)) {
4580 /* When Secure Connections is enabled, then just
4581 * return the present value stored with the OOB
4582 * data. The stored value contains the right present
4583 * information. However it can only be trusted when
4584 * not in Secure Connection Only mode.
4586 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4587 return data->present;
4589 /* When Secure Connections Only mode is enabled, then
4590 * the P-256 values are required. If they are not
4591 * available, then do not declare that OOB data is
4594 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4595 !memcmp(data->hash256, ZERO_KEY, 16))
4601 /* When Secure Connections is not enabled or actually
4602 * not supported by the hardware, then check that if
4603 * P-192 data values are present.
4605 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4606 !memcmp(data->hash192, ZERO_KEY, 16))
4612 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4614 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4615 struct hci_conn *conn;
4617 BT_DBG("%s", hdev->name);
4621 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4625 hci_conn_hold(conn);
4627 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4630 /* Allow pairing if we're pairable, the initiators of the
4631 * pairing or if the remote is not requesting bonding.
4633 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4634 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4635 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4636 struct hci_cp_io_capability_reply cp;
4638 bacpy(&cp.bdaddr, &ev->bdaddr);
4639 /* Change the IO capability from KeyboardDisplay
4640 * to DisplayYesNo as it is not supported by BT spec. */
4641 cp.capability = (conn->io_capability == 0x04) ?
4642 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4644 /* If we are initiators, there is no remote information yet */
4645 if (conn->remote_auth == 0xff) {
4646 /* Request MITM protection if our IO caps allow it
4647 * except for the no-bonding case.
4649 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4650 conn->auth_type != HCI_AT_NO_BONDING)
4651 conn->auth_type |= 0x01;
4653 conn->auth_type = hci_get_auth_req(conn);
4656 /* If we're not bondable, force one of the non-bondable
4657 * authentication requirement values.
4659 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4660 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4662 cp.authentication = conn->auth_type;
4663 cp.oob_data = bredr_oob_data_present(conn);
4665 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4668 struct hci_cp_io_capability_neg_reply cp;
4670 bacpy(&cp.bdaddr, &ev->bdaddr);
4671 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4673 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4678 hci_dev_unlock(hdev);
4681 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4683 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4684 struct hci_conn *conn;
4686 BT_DBG("%s", hdev->name);
4690 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4694 conn->remote_cap = ev->capability;
4695 conn->remote_auth = ev->authentication;
4698 hci_dev_unlock(hdev);
4701 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4702 struct sk_buff *skb)
4704 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4705 int loc_mitm, rem_mitm, confirm_hint = 0;
4706 struct hci_conn *conn;
4708 BT_DBG("%s", hdev->name);
4712 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4715 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4719 loc_mitm = (conn->auth_type & 0x01);
4720 rem_mitm = (conn->remote_auth & 0x01);
4722 /* If we require MITM but the remote device can't provide that
4723 * (it has NoInputNoOutput) then reject the confirmation
4724 * request. We check the security level here since it doesn't
4725 * necessarily match conn->auth_type.
4727 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4728 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4729 BT_DBG("Rejecting request: remote device can't provide MITM");
4730 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4731 sizeof(ev->bdaddr), &ev->bdaddr);
4735 /* If no side requires MITM protection; auto-accept */
4736 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4737 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4739 /* If we're not the initiators request authorization to
4740 * proceed from user space (mgmt_user_confirm with
4741 * confirm_hint set to 1). The exception is if neither
4742 * side had MITM or if the local IO capability is
4743 * NoInputNoOutput, in which case we do auto-accept
4745 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4746 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4747 (loc_mitm || rem_mitm)) {
4748 BT_DBG("Confirming auto-accept as acceptor");
4753 /* If there already exists link key in local host, leave the
4754 * decision to user space since the remote device could be
4755 * legitimate or malicious.
4757 if (hci_find_link_key(hdev, &ev->bdaddr)) {
4758 bt_dev_dbg(hdev, "Local host already has link key");
4763 BT_DBG("Auto-accept of user confirmation with %ums delay",
4764 hdev->auto_accept_delay);
4766 if (hdev->auto_accept_delay > 0) {
4767 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4768 queue_delayed_work(conn->hdev->workqueue,
4769 &conn->auto_accept_work, delay);
4773 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4774 sizeof(ev->bdaddr), &ev->bdaddr);
4779 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4780 le32_to_cpu(ev->passkey), confirm_hint);
4783 hci_dev_unlock(hdev);
4786 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4787 struct sk_buff *skb)
4789 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4791 BT_DBG("%s", hdev->name);
4793 if (hci_dev_test_flag(hdev, HCI_MGMT))
4794 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4797 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4798 struct sk_buff *skb)
4800 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4801 struct hci_conn *conn;
4803 BT_DBG("%s", hdev->name);
4805 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4809 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4810 conn->passkey_entered = 0;
4812 if (hci_dev_test_flag(hdev, HCI_MGMT))
4813 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4814 conn->dst_type, conn->passkey_notify,
4815 conn->passkey_entered);
4818 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4820 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4821 struct hci_conn *conn;
4823 BT_DBG("%s", hdev->name);
4825 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4830 case HCI_KEYPRESS_STARTED:
4831 conn->passkey_entered = 0;
4834 case HCI_KEYPRESS_ENTERED:
4835 conn->passkey_entered++;
4838 case HCI_KEYPRESS_ERASED:
4839 conn->passkey_entered--;
4842 case HCI_KEYPRESS_CLEARED:
4843 conn->passkey_entered = 0;
4846 case HCI_KEYPRESS_COMPLETED:
4850 if (hci_dev_test_flag(hdev, HCI_MGMT))
4851 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4852 conn->dst_type, conn->passkey_notify,
4853 conn->passkey_entered);
4856 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4857 struct sk_buff *skb)
4859 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4860 struct hci_conn *conn;
4862 BT_DBG("%s", hdev->name);
4866 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4870 /* Reset the authentication requirement to unknown */
4871 conn->remote_auth = 0xff;
4873 /* To avoid duplicate auth_failed events to user space we check
4874 * the HCI_CONN_AUTH_PEND flag which will be set if we
4875 * initiated the authentication. A traditional auth_complete
4876 * event gets always produced as initiator and is also mapped to
4877 * the mgmt_auth_failed event */
4878 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4879 mgmt_auth_failed(conn, ev->status);
4881 hci_conn_drop(conn);
4884 hci_dev_unlock(hdev);
4887 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4888 struct sk_buff *skb)
4890 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4891 struct inquiry_entry *ie;
4892 struct hci_conn *conn;
4894 BT_DBG("%s", hdev->name);
4898 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4900 memcpy(conn->features[1], ev->features, 8);
4902 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4904 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4906 hci_dev_unlock(hdev);
4909 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4910 struct sk_buff *skb)
4912 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4913 struct oob_data *data;
4915 BT_DBG("%s", hdev->name);
4919 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4922 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4924 struct hci_cp_remote_oob_data_neg_reply cp;
4926 bacpy(&cp.bdaddr, &ev->bdaddr);
4927 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4932 if (bredr_sc_enabled(hdev)) {
4933 struct hci_cp_remote_oob_ext_data_reply cp;
4935 bacpy(&cp.bdaddr, &ev->bdaddr);
4936 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4937 memset(cp.hash192, 0, sizeof(cp.hash192));
4938 memset(cp.rand192, 0, sizeof(cp.rand192));
4940 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4941 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4943 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4944 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4946 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4949 struct hci_cp_remote_oob_data_reply cp;
4951 bacpy(&cp.bdaddr, &ev->bdaddr);
4952 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4953 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4955 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4960 hci_dev_unlock(hdev);
4963 #if IS_ENABLED(CONFIG_BT_HS)
4964 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4966 struct hci_ev_channel_selected *ev = (void *)skb->data;
4967 struct hci_conn *hcon;
4969 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4971 skb_pull(skb, sizeof(*ev));
4973 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4977 amp_read_loc_assoc_final_data(hdev, hcon);
4980 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4981 struct sk_buff *skb)
4983 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4984 struct hci_conn *hcon, *bredr_hcon;
4986 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4991 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5003 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5005 hcon->state = BT_CONNECTED;
5006 bacpy(&hcon->dst, &bredr_hcon->dst);
5008 hci_conn_hold(hcon);
5009 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5010 hci_conn_drop(hcon);
5012 hci_debugfs_create_conn(hcon);
5013 hci_conn_add_sysfs(hcon);
5015 amp_physical_cfm(bredr_hcon, hcon);
5018 hci_dev_unlock(hdev);
5021 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5023 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
5024 struct hci_conn *hcon;
5025 struct hci_chan *hchan;
5026 struct amp_mgr *mgr;
5028 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5029 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
5032 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5036 /* Create AMP hchan */
5037 hchan = hci_chan_create(hcon);
5041 hchan->handle = le16_to_cpu(ev->handle);
5044 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5046 mgr = hcon->amp_mgr;
5047 if (mgr && mgr->bredr_chan) {
5048 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5050 l2cap_chan_lock(bredr_chan);
5052 bredr_chan->conn->mtu = hdev->block_mtu;
5053 l2cap_logical_cfm(bredr_chan, hchan, 0);
5054 hci_conn_hold(hcon);
5056 l2cap_chan_unlock(bredr_chan);
5060 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
5061 struct sk_buff *skb)
5063 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
5064 struct hci_chan *hchan;
5066 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
5067 le16_to_cpu(ev->handle), ev->status);
5074 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5075 if (!hchan || !hchan->amp)
5078 amp_destroy_logical_link(hchan, ev->reason);
5081 hci_dev_unlock(hdev);
5084 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
5085 struct sk_buff *skb)
5087 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
5088 struct hci_conn *hcon;
5090 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5097 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5099 hcon->state = BT_CLOSED;
5103 hci_dev_unlock(hdev);
5107 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5108 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
5109 u16 interval, u16 latency, u16 supervision_timeout)
5111 struct hci_conn_params *params;
5112 struct hci_conn *conn;
5113 struct smp_irk *irk;
5118 /* All controllers implicitly stop advertising in the event of a
5119 * connection, so ensure that the state bit is cleared.
5121 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5123 conn = hci_lookup_le_connect(hdev);
5125 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5127 bt_dev_err(hdev, "no memory for new connection");
5131 conn->dst_type = bdaddr_type;
5133 /* If we didn't have a hci_conn object previously
5134 * but we're in central role this must be something
5135 * initiated using an accept list. Since accept list based
5136 * connections are not "first class citizens" we don't
5137 * have full tracking of them. Therefore, we go ahead
5138 * with a "best effort" approach of determining the
5139 * initiator address based on the HCI_PRIVACY flag.
5142 conn->resp_addr_type = bdaddr_type;
5143 bacpy(&conn->resp_addr, bdaddr);
5144 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5145 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5146 bacpy(&conn->init_addr, &hdev->rpa);
5148 hci_copy_identity_address(hdev,
5150 &conn->init_addr_type);
5154 cancel_delayed_work(&conn->le_conn_timeout);
5158 /* Set the responder (our side) address type based on
5159 * the advertising address type.
5161 conn->resp_addr_type = hdev->adv_addr_type;
5162 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5163 /* In case of ext adv, resp_addr will be updated in
5164 * Adv Terminated event.
5166 if (!ext_adv_capable(hdev))
5167 bacpy(&conn->resp_addr, &hdev->random_addr);
5169 bacpy(&conn->resp_addr, &hdev->bdaddr);
5172 conn->init_addr_type = bdaddr_type;
5173 bacpy(&conn->init_addr, bdaddr);
5175 /* For incoming connections, set the default minimum
5176 * and maximum connection interval. They will be used
5177 * to check if the parameters are in range and if not
5178 * trigger the connection update procedure.
5180 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5181 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5184 /* Lookup the identity address from the stored connection
5185 * address and address type.
5187 * When establishing connections to an identity address, the
5188 * connection procedure will store the resolvable random
5189 * address first. Now if it can be converted back into the
5190 * identity address, start using the identity address from
5193 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5195 bacpy(&conn->dst, &irk->bdaddr);
5196 conn->dst_type = irk->addr_type;
5199 /* When using controller based address resolution, then the new
5200 * address types 0x02 and 0x03 are used. These types need to be
5201 * converted back into either public address or random address type
5203 if (use_ll_privacy(hdev) &&
5204 hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&
5205 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) {
5206 switch (conn->dst_type) {
5207 case ADDR_LE_DEV_PUBLIC_RESOLVED:
5208 conn->dst_type = ADDR_LE_DEV_PUBLIC;
5210 case ADDR_LE_DEV_RANDOM_RESOLVED:
5211 conn->dst_type = ADDR_LE_DEV_RANDOM;
5217 hci_le_conn_failed(conn, status);
5221 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5222 addr_type = BDADDR_LE_PUBLIC;
5224 addr_type = BDADDR_LE_RANDOM;
5226 /* Drop the connection if the device is blocked */
5227 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5228 hci_conn_drop(conn);
5232 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5233 mgmt_device_connected(hdev, conn, NULL, 0);
5235 conn->sec_level = BT_SECURITY_LOW;
5236 conn->handle = handle;
5237 conn->state = BT_CONFIG;
5239 conn->le_conn_interval = interval;
5240 conn->le_conn_latency = latency;
5241 conn->le_supv_timeout = supervision_timeout;
5243 hci_debugfs_create_conn(conn);
5244 hci_conn_add_sysfs(conn);
5246 /* The remote features procedure is defined for central
5247 * role only. So only in case of an initiated connection
5248 * request the remote features.
5250 * If the local controller supports peripheral-initiated features
5251 * exchange, then requesting the remote features in peripheral
5252 * role is possible. Otherwise just transition into the
5253 * connected state without requesting the remote features.
5256 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5257 struct hci_cp_le_read_remote_features cp;
5259 cp.handle = __cpu_to_le16(conn->handle);
5261 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5264 hci_conn_hold(conn);
5266 conn->state = BT_CONNECTED;
5267 hci_connect_cfm(conn, status);
5270 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5273 list_del_init(¶ms->action);
5275 hci_conn_drop(params->conn);
5276 hci_conn_put(params->conn);
5277 params->conn = NULL;
5282 hci_update_background_scan(hdev);
5283 hci_dev_unlock(hdev);
5286 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5288 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5290 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5292 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5293 ev->role, le16_to_cpu(ev->handle),
5294 le16_to_cpu(ev->interval),
5295 le16_to_cpu(ev->latency),
5296 le16_to_cpu(ev->supervision_timeout));
5299 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5300 struct sk_buff *skb)
5302 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5304 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5306 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5307 ev->role, le16_to_cpu(ev->handle),
5308 le16_to_cpu(ev->interval),
5309 le16_to_cpu(ev->latency),
5310 le16_to_cpu(ev->supervision_timeout));
5312 if (use_ll_privacy(hdev) &&
5313 hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&
5314 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
5315 hci_req_disable_address_resolution(hdev);
5318 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5320 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5321 struct hci_conn *conn;
5323 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5326 struct adv_info *adv;
5328 adv = hci_find_adv_instance(hdev, ev->handle);
5332 /* Remove advertising as it has been terminated */
5333 hci_remove_adv_instance(hdev, ev->handle);
5334 mgmt_advertising_removed(NULL, hdev, ev->handle);
5339 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5341 struct adv_info *adv_instance;
5343 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5347 bacpy(&conn->resp_addr, &hdev->random_addr);
5351 adv_instance = hci_find_adv_instance(hdev, ev->handle);
5353 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5357 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5358 struct sk_buff *skb)
5360 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5361 struct hci_conn *conn;
5363 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5370 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5372 conn->le_conn_interval = le16_to_cpu(ev->interval);
5373 conn->le_conn_latency = le16_to_cpu(ev->latency);
5374 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5377 hci_dev_unlock(hdev);
5380 /* This function requires the caller holds hdev->lock */
5381 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5383 u8 addr_type, u8 adv_type,
5384 bdaddr_t *direct_rpa)
5386 struct hci_conn *conn;
5387 struct hci_conn_params *params;
5389 /* If the event is not connectable don't proceed further */
5390 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5393 /* Ignore if the device is blocked */
5394 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type))
5397 /* Most controller will fail if we try to create new connections
5398 * while we have an existing one in peripheral role.
5400 if (hdev->conn_hash.le_num_peripheral > 0 &&
5401 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5402 !(hdev->le_states[3] & 0x10)))
5405 /* If we're not connectable only connect devices that we have in
5406 * our pend_le_conns list.
5408 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5413 if (!params->explicit_connect) {
5414 switch (params->auto_connect) {
5415 case HCI_AUTO_CONN_DIRECT:
5416 /* Only devices advertising with ADV_DIRECT_IND are
5417 * triggering a connection attempt. This is allowing
5418 * incoming connections from peripheral devices.
5420 if (adv_type != LE_ADV_DIRECT_IND)
5423 case HCI_AUTO_CONN_ALWAYS:
5424 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5425 * are triggering a connection attempt. This means
5426 * that incoming connections from peripheral device are
5427 * accepted and also outgoing connections to peripheral
5428 * devices are established when found.
5436 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5437 hdev->def_le_autoconnect_timeout, HCI_ROLE_MASTER,
5439 if (!IS_ERR(conn)) {
5440 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5441 * by higher layer that tried to connect, if no then
5442 * store the pointer since we don't really have any
5443 * other owner of the object besides the params that
5444 * triggered it. This way we can abort the connection if
5445 * the parameters get removed and keep the reference
5446 * count consistent once the connection is established.
5449 if (!params->explicit_connect)
5450 params->conn = hci_conn_get(conn);
5455 switch (PTR_ERR(conn)) {
5457 /* If hci_connect() returns -EBUSY it means there is already
5458 * an LE connection attempt going on. Since controllers don't
5459 * support more than one connection attempt at the time, we
5460 * don't consider this an error case.
5464 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5471 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5472 u8 bdaddr_type, bdaddr_t *direct_addr,
5473 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
5476 struct discovery_state *d = &hdev->discovery;
5477 struct smp_irk *irk;
5478 struct hci_conn *conn;
5485 case LE_ADV_DIRECT_IND:
5486 case LE_ADV_SCAN_IND:
5487 case LE_ADV_NONCONN_IND:
5488 case LE_ADV_SCAN_RSP:
5491 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5492 "type: 0x%02x", type);
5496 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
5497 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
5501 /* Find the end of the data in case the report contains padded zero
5502 * bytes at the end causing an invalid length value.
5504 * When data is NULL, len is 0 so there is no need for extra ptr
5505 * check as 'ptr < data + 0' is already false in such case.
5507 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5508 if (ptr + 1 + *ptr > data + len)
5512 /* Adjust for actual length. This handles the case when remote
5513 * device is advertising with incorrect data length.
5517 /* If the direct address is present, then this report is from
5518 * a LE Direct Advertising Report event. In that case it is
5519 * important to see if the address is matching the local
5520 * controller address.
5523 /* Only resolvable random addresses are valid for these
5524 * kind of reports and others can be ignored.
5526 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5529 /* If the controller is not using resolvable random
5530 * addresses, then this report can be ignored.
5532 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5535 /* If the local IRK of the controller does not match
5536 * with the resolvable random address provided, then
5537 * this report can be ignored.
5539 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5543 /* Check if we need to convert to identity address */
5544 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5546 bdaddr = &irk->bdaddr;
5547 bdaddr_type = irk->addr_type;
5550 /* Check if we have been requested to connect to this device.
5552 * direct_addr is set only for directed advertising reports (it is NULL
5553 * for advertising reports) and is already verified to be RPA above.
5555 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5557 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
5558 /* Store report for later inclusion by
5559 * mgmt_device_connected
5561 memcpy(conn->le_adv_data, data, len);
5562 conn->le_adv_data_len = len;
5565 /* Passive scanning shouldn't trigger any device found events,
5566 * except for devices marked as CONN_REPORT for which we do send
5567 * device found events, or advertisement monitoring requested.
5569 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5570 if (type == LE_ADV_DIRECT_IND)
5573 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5574 bdaddr, bdaddr_type) &&
5575 idr_is_empty(&hdev->adv_monitors_idr))
5578 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5579 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5582 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5583 rssi, flags, data, len, NULL, 0);
5587 /* When receiving non-connectable or scannable undirected
5588 * advertising reports, this means that the remote device is
5589 * not connectable and then clearly indicate this in the
5590 * device found event.
5592 * When receiving a scan response, then there is no way to
5593 * know if the remote device is connectable or not. However
5594 * since scan responses are merged with a previously seen
5595 * advertising report, the flags field from that report
5598 * In the really unlikely case that a controller get confused
5599 * and just sends a scan response event, then it is marked as
5600 * not connectable as well.
5602 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5603 type == LE_ADV_SCAN_RSP)
5604 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5608 /* If there's nothing pending either store the data from this
5609 * event or send an immediate device found event if the data
5610 * should not be stored for later.
5612 if (!ext_adv && !has_pending_adv_report(hdev)) {
5613 /* If the report will trigger a SCAN_REQ store it for
5616 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5617 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5618 rssi, flags, data, len);
5622 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5623 rssi, flags, data, len, NULL, 0);
5627 /* Check if the pending report is for the same device as the new one */
5628 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5629 bdaddr_type == d->last_adv_addr_type);
5631 /* If the pending data doesn't match this report or this isn't a
5632 * scan response (e.g. we got a duplicate ADV_IND) then force
5633 * sending of the pending data.
5635 if (type != LE_ADV_SCAN_RSP || !match) {
5636 /* Send out whatever is in the cache, but skip duplicates */
5638 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5639 d->last_adv_addr_type, NULL,
5640 d->last_adv_rssi, d->last_adv_flags,
5642 d->last_adv_data_len, NULL, 0);
5644 /* If the new report will trigger a SCAN_REQ store it for
5647 if (!ext_adv && (type == LE_ADV_IND ||
5648 type == LE_ADV_SCAN_IND)) {
5649 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5650 rssi, flags, data, len);
5654 /* The advertising reports cannot be merged, so clear
5655 * the pending report and send out a device found event.
5657 clear_pending_adv_report(hdev);
5658 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5659 rssi, flags, data, len, NULL, 0);
5663 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5664 * the new event is a SCAN_RSP. We can therefore proceed with
5665 * sending a merged device found event.
5667 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5668 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5669 d->last_adv_data, d->last_adv_data_len, data, len);
5670 clear_pending_adv_report(hdev);
5673 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5675 u8 num_reports = skb->data[0];
5676 void *ptr = &skb->data[1];
5680 while (num_reports--) {
5681 struct hci_ev_le_advertising_info *ev = ptr;
5684 if (ev->length <= HCI_MAX_AD_LENGTH) {
5685 rssi = ev->data[ev->length];
5686 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5687 ev->bdaddr_type, NULL, 0, rssi,
5688 ev->data, ev->length, false);
5690 bt_dev_err(hdev, "Dropping invalid advertising data");
5693 ptr += sizeof(*ev) + ev->length + 1;
5696 hci_dev_unlock(hdev);
5699 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
5701 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5703 case LE_LEGACY_ADV_IND:
5705 case LE_LEGACY_ADV_DIRECT_IND:
5706 return LE_ADV_DIRECT_IND;
5707 case LE_LEGACY_ADV_SCAN_IND:
5708 return LE_ADV_SCAN_IND;
5709 case LE_LEGACY_NONCONN_IND:
5710 return LE_ADV_NONCONN_IND;
5711 case LE_LEGACY_SCAN_RSP_ADV:
5712 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5713 return LE_ADV_SCAN_RSP;
5719 if (evt_type & LE_EXT_ADV_CONN_IND) {
5720 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5721 return LE_ADV_DIRECT_IND;
5726 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5727 return LE_ADV_SCAN_RSP;
5729 if (evt_type & LE_EXT_ADV_SCAN_IND)
5730 return LE_ADV_SCAN_IND;
5732 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5733 evt_type & LE_EXT_ADV_DIRECT_IND)
5734 return LE_ADV_NONCONN_IND;
5737 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
5740 return LE_ADV_INVALID;
5743 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5745 u8 num_reports = skb->data[0];
5746 void *ptr = &skb->data[1];
5750 while (num_reports--) {
5751 struct hci_ev_le_ext_adv_report *ev = ptr;
5755 evt_type = __le16_to_cpu(ev->evt_type);
5756 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
5757 if (legacy_evt_type != LE_ADV_INVALID) {
5758 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5759 ev->bdaddr_type, NULL, 0, ev->rssi,
5760 ev->data, ev->length,
5761 !(evt_type & LE_EXT_ADV_LEGACY_PDU));
5764 ptr += sizeof(*ev) + ev->length;
5767 hci_dev_unlock(hdev);
5770 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5771 struct sk_buff *skb)
5773 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5774 struct hci_conn *conn;
5776 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5780 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5783 memcpy(conn->features[0], ev->features, 8);
5785 if (conn->state == BT_CONFIG) {
5788 /* If the local controller supports peripheral-initiated
5789 * features exchange, but the remote controller does
5790 * not, then it is possible that the error code 0x1a
5791 * for unsupported remote feature gets returned.
5793 * In this specific case, allow the connection to
5794 * transition into connected state and mark it as
5797 if (!conn->out && ev->status == 0x1a &&
5798 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
5801 status = ev->status;
5803 conn->state = BT_CONNECTED;
5804 hci_connect_cfm(conn, status);
5805 hci_conn_drop(conn);
5809 hci_dev_unlock(hdev);
5812 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5814 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5815 struct hci_cp_le_ltk_reply cp;
5816 struct hci_cp_le_ltk_neg_reply neg;
5817 struct hci_conn *conn;
5818 struct smp_ltk *ltk;
5820 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5824 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5828 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5832 if (smp_ltk_is_sc(ltk)) {
5833 /* With SC both EDiv and Rand are set to zero */
5834 if (ev->ediv || ev->rand)
5837 /* For non-SC keys check that EDiv and Rand match */
5838 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5842 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5843 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5844 cp.handle = cpu_to_le16(conn->handle);
5846 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5848 conn->enc_key_size = ltk->enc_size;
5850 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5852 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5853 * temporary key used to encrypt a connection following
5854 * pairing. It is used during the Encrypted Session Setup to
5855 * distribute the keys. Later, security can be re-established
5856 * using a distributed LTK.
5858 if (ltk->type == SMP_STK) {
5859 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5860 list_del_rcu(<k->list);
5861 kfree_rcu(ltk, rcu);
5863 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5866 hci_dev_unlock(hdev);
5871 neg.handle = ev->handle;
5872 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5873 hci_dev_unlock(hdev);
5876 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5879 struct hci_cp_le_conn_param_req_neg_reply cp;
5881 cp.handle = cpu_to_le16(handle);
5884 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5888 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5889 struct sk_buff *skb)
5891 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5892 struct hci_cp_le_conn_param_req_reply cp;
5893 struct hci_conn *hcon;
5894 u16 handle, min, max, latency, timeout;
5896 handle = le16_to_cpu(ev->handle);
5897 min = le16_to_cpu(ev->interval_min);
5898 max = le16_to_cpu(ev->interval_max);
5899 latency = le16_to_cpu(ev->latency);
5900 timeout = le16_to_cpu(ev->timeout);
5902 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5903 if (!hcon || hcon->state != BT_CONNECTED)
5904 return send_conn_param_neg_reply(hdev, handle,
5905 HCI_ERROR_UNKNOWN_CONN_ID);
5907 if (hci_check_conn_params(min, max, latency, timeout))
5908 return send_conn_param_neg_reply(hdev, handle,
5909 HCI_ERROR_INVALID_LL_PARAMS);
5911 if (hcon->role == HCI_ROLE_MASTER) {
5912 struct hci_conn_params *params;
5917 params = hci_conn_params_lookup(hdev, &hcon->dst,
5920 params->conn_min_interval = min;
5921 params->conn_max_interval = max;
5922 params->conn_latency = latency;
5923 params->supervision_timeout = timeout;
5929 hci_dev_unlock(hdev);
5931 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5932 store_hint, min, max, latency, timeout);
5935 cp.handle = ev->handle;
5936 cp.interval_min = ev->interval_min;
5937 cp.interval_max = ev->interval_max;
5938 cp.latency = ev->latency;
5939 cp.timeout = ev->timeout;
5943 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5946 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5947 struct sk_buff *skb)
5949 u8 num_reports = skb->data[0];
5950 struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
5952 if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
5957 for (; num_reports; num_reports--, ev++)
5958 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5959 ev->bdaddr_type, &ev->direct_addr,
5960 ev->direct_addr_type, ev->rssi, NULL, 0,
5963 hci_dev_unlock(hdev);
5966 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
5968 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
5969 struct hci_conn *conn;
5971 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5978 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5982 conn->le_tx_phy = ev->tx_phy;
5983 conn->le_rx_phy = ev->rx_phy;
5986 hci_dev_unlock(hdev);
5989 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5991 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5993 skb_pull(skb, sizeof(*le_ev));
5995 switch (le_ev->subevent) {
5996 case HCI_EV_LE_CONN_COMPLETE:
5997 hci_le_conn_complete_evt(hdev, skb);
6000 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
6001 hci_le_conn_update_complete_evt(hdev, skb);
6004 case HCI_EV_LE_ADVERTISING_REPORT:
6005 hci_le_adv_report_evt(hdev, skb);
6008 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
6009 hci_le_remote_feat_complete_evt(hdev, skb);
6012 case HCI_EV_LE_LTK_REQ:
6013 hci_le_ltk_request_evt(hdev, skb);
6016 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
6017 hci_le_remote_conn_param_req_evt(hdev, skb);
6020 case HCI_EV_LE_DIRECT_ADV_REPORT:
6021 hci_le_direct_adv_report_evt(hdev, skb);
6024 case HCI_EV_LE_PHY_UPDATE_COMPLETE:
6025 hci_le_phy_update_evt(hdev, skb);
6028 case HCI_EV_LE_EXT_ADV_REPORT:
6029 hci_le_ext_adv_report_evt(hdev, skb);
6032 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
6033 hci_le_enh_conn_complete_evt(hdev, skb);
6036 case HCI_EV_LE_EXT_ADV_SET_TERM:
6037 hci_le_ext_adv_term_evt(hdev, skb);
6045 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
6046 u8 event, struct sk_buff *skb)
6048 struct hci_ev_cmd_complete *ev;
6049 struct hci_event_hdr *hdr;
6054 if (skb->len < sizeof(*hdr)) {
6055 bt_dev_err(hdev, "too short HCI event");
6059 hdr = (void *) skb->data;
6060 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6063 if (hdr->evt != event)
6068 /* Check if request ended in Command Status - no way to retrieve
6069 * any extra parameters in this case.
6071 if (hdr->evt == HCI_EV_CMD_STATUS)
6074 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
6075 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
6080 if (skb->len < sizeof(*ev)) {
6081 bt_dev_err(hdev, "too short cmd_complete event");
6085 ev = (void *) skb->data;
6086 skb_pull(skb, sizeof(*ev));
6088 if (opcode != __le16_to_cpu(ev->opcode)) {
6089 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
6090 __le16_to_cpu(ev->opcode));
6097 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
6098 struct sk_buff *skb)
6100 struct hci_ev_le_advertising_info *adv;
6101 struct hci_ev_le_direct_adv_info *direct_adv;
6102 struct hci_ev_le_ext_adv_report *ext_adv;
6103 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
6104 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
6108 /* If we are currently suspended and this is the first BT event seen,
6109 * save the wake reason associated with the event.
6111 if (!hdev->suspended || hdev->wake_reason)
6114 /* Default to remote wake. Values for wake_reason are documented in the
6115 * Bluez mgmt api docs.
6117 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
6119 /* Once configured for remote wakeup, we should only wake up for
6120 * reconnections. It's useful to see which device is waking us up so
6121 * keep track of the bdaddr of the connection event that woke us up.
6123 if (event == HCI_EV_CONN_REQUEST) {
6124 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
6125 hdev->wake_addr_type = BDADDR_BREDR;
6126 } else if (event == HCI_EV_CONN_COMPLETE) {
6127 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
6128 hdev->wake_addr_type = BDADDR_BREDR;
6129 } else if (event == HCI_EV_LE_META) {
6130 struct hci_ev_le_meta *le_ev = (void *)skb->data;
6131 u8 subevent = le_ev->subevent;
6132 u8 *ptr = &skb->data[sizeof(*le_ev)];
6133 u8 num_reports = *ptr;
6135 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
6136 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
6137 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
6139 adv = (void *)(ptr + 1);
6140 direct_adv = (void *)(ptr + 1);
6141 ext_adv = (void *)(ptr + 1);
6144 case HCI_EV_LE_ADVERTISING_REPORT:
6145 bacpy(&hdev->wake_addr, &adv->bdaddr);
6146 hdev->wake_addr_type = adv->bdaddr_type;
6148 case HCI_EV_LE_DIRECT_ADV_REPORT:
6149 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
6150 hdev->wake_addr_type = direct_adv->bdaddr_type;
6152 case HCI_EV_LE_EXT_ADV_REPORT:
6153 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
6154 hdev->wake_addr_type = ext_adv->bdaddr_type;
6159 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
6163 hci_dev_unlock(hdev);
6166 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
6168 struct hci_event_hdr *hdr = (void *) skb->data;
6169 hci_req_complete_t req_complete = NULL;
6170 hci_req_complete_skb_t req_complete_skb = NULL;
6171 struct sk_buff *orig_skb = NULL;
6172 u8 status = 0, event = hdr->evt, req_evt = 0;
6173 u16 opcode = HCI_OP_NOP;
6176 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
6180 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
6181 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
6182 opcode = __le16_to_cpu(cmd_hdr->opcode);
6183 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
6188 /* If it looks like we might end up having to call
6189 * req_complete_skb, store a pristine copy of the skb since the
6190 * various handlers may modify the original one through
6191 * skb_pull() calls, etc.
6193 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
6194 event == HCI_EV_CMD_COMPLETE)
6195 orig_skb = skb_clone(skb, GFP_KERNEL);
6197 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6199 /* Store wake reason if we're suspended */
6200 hci_store_wake_reason(hdev, event, skb);
6203 case HCI_EV_INQUIRY_COMPLETE:
6204 hci_inquiry_complete_evt(hdev, skb);
6207 case HCI_EV_INQUIRY_RESULT:
6208 hci_inquiry_result_evt(hdev, skb);
6211 case HCI_EV_CONN_COMPLETE:
6212 hci_conn_complete_evt(hdev, skb);
6215 case HCI_EV_CONN_REQUEST:
6216 hci_conn_request_evt(hdev, skb);
6219 case HCI_EV_DISCONN_COMPLETE:
6220 hci_disconn_complete_evt(hdev, skb);
6223 case HCI_EV_AUTH_COMPLETE:
6224 hci_auth_complete_evt(hdev, skb);
6227 case HCI_EV_REMOTE_NAME:
6228 hci_remote_name_evt(hdev, skb);
6231 case HCI_EV_ENCRYPT_CHANGE:
6232 hci_encrypt_change_evt(hdev, skb);
6235 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6236 hci_change_link_key_complete_evt(hdev, skb);
6239 case HCI_EV_REMOTE_FEATURES:
6240 hci_remote_features_evt(hdev, skb);
6243 case HCI_EV_CMD_COMPLETE:
6244 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6245 &req_complete, &req_complete_skb);
6248 case HCI_EV_CMD_STATUS:
6249 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6253 case HCI_EV_HARDWARE_ERROR:
6254 hci_hardware_error_evt(hdev, skb);
6257 case HCI_EV_ROLE_CHANGE:
6258 hci_role_change_evt(hdev, skb);
6261 case HCI_EV_NUM_COMP_PKTS:
6262 hci_num_comp_pkts_evt(hdev, skb);
6265 case HCI_EV_MODE_CHANGE:
6266 hci_mode_change_evt(hdev, skb);
6269 case HCI_EV_PIN_CODE_REQ:
6270 hci_pin_code_request_evt(hdev, skb);
6273 case HCI_EV_LINK_KEY_REQ:
6274 hci_link_key_request_evt(hdev, skb);
6277 case HCI_EV_LINK_KEY_NOTIFY:
6278 hci_link_key_notify_evt(hdev, skb);
6281 case HCI_EV_CLOCK_OFFSET:
6282 hci_clock_offset_evt(hdev, skb);
6285 case HCI_EV_PKT_TYPE_CHANGE:
6286 hci_pkt_type_change_evt(hdev, skb);
6289 case HCI_EV_PSCAN_REP_MODE:
6290 hci_pscan_rep_mode_evt(hdev, skb);
6293 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6294 hci_inquiry_result_with_rssi_evt(hdev, skb);
6297 case HCI_EV_REMOTE_EXT_FEATURES:
6298 hci_remote_ext_features_evt(hdev, skb);
6301 case HCI_EV_SYNC_CONN_COMPLETE:
6302 hci_sync_conn_complete_evt(hdev, skb);
6305 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6306 hci_extended_inquiry_result_evt(hdev, skb);
6309 case HCI_EV_KEY_REFRESH_COMPLETE:
6310 hci_key_refresh_complete_evt(hdev, skb);
6313 case HCI_EV_IO_CAPA_REQUEST:
6314 hci_io_capa_request_evt(hdev, skb);
6317 case HCI_EV_IO_CAPA_REPLY:
6318 hci_io_capa_reply_evt(hdev, skb);
6321 case HCI_EV_USER_CONFIRM_REQUEST:
6322 hci_user_confirm_request_evt(hdev, skb);
6325 case HCI_EV_USER_PASSKEY_REQUEST:
6326 hci_user_passkey_request_evt(hdev, skb);
6329 case HCI_EV_USER_PASSKEY_NOTIFY:
6330 hci_user_passkey_notify_evt(hdev, skb);
6333 case HCI_EV_KEYPRESS_NOTIFY:
6334 hci_keypress_notify_evt(hdev, skb);
6337 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6338 hci_simple_pair_complete_evt(hdev, skb);
6341 case HCI_EV_REMOTE_HOST_FEATURES:
6342 hci_remote_host_features_evt(hdev, skb);
6345 case HCI_EV_LE_META:
6346 hci_le_meta_evt(hdev, skb);
6349 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6350 hci_remote_oob_data_request_evt(hdev, skb);
6353 #if IS_ENABLED(CONFIG_BT_HS)
6354 case HCI_EV_CHANNEL_SELECTED:
6355 hci_chan_selected_evt(hdev, skb);
6358 case HCI_EV_PHY_LINK_COMPLETE:
6359 hci_phy_link_complete_evt(hdev, skb);
6362 case HCI_EV_LOGICAL_LINK_COMPLETE:
6363 hci_loglink_complete_evt(hdev, skb);
6366 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6367 hci_disconn_loglink_complete_evt(hdev, skb);
6370 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6371 hci_disconn_phylink_complete_evt(hdev, skb);
6375 case HCI_EV_NUM_COMP_BLOCKS:
6376 hci_num_comp_blocks_evt(hdev, skb);
6380 msft_vendor_evt(hdev, skb);
6384 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6389 req_complete(hdev, status, opcode);
6390 } else if (req_complete_skb) {
6391 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6392 kfree_skb(orig_skb);
6395 req_complete_skb(hdev, status, opcode, orig_skb);
6399 kfree_skb(orig_skb);
6401 hdev->stat.evt_rx++;
projects / linux-2.6-microblaze.git / blob