2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
158 conn->link_policy = get_unaligned_le16(sent + 2);
160 hci_dev_unlock(hdev);
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
173 hdev->link_policy = __le16_to_cpu(rp->policy);
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
179 __u8 status = *((__u8 *) skb->data);
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
191 hdev->link_policy = get_unaligned_le16(sent);
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
196 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
200 clear_bit(HCI_RESET, &hdev->flags);
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
221 hdev->ssp_debug_mode = 0;
223 hci_bdaddr_list_clear(&hdev->le_white_list);
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 struct hci_cp_read_stored_link_key *sent;
232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
238 if (!rp->status && sent->read_all == 0x01) {
239 hdev->stored_max_keys = rp->max_keys;
240 hdev->stored_num_keys = rp->num_keys;
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
254 if (rp->num_keys <= hdev->stored_num_keys)
255 hdev->stored_num_keys -= rp->num_keys;
257 hdev->stored_num_keys = 0;
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262 __u8 status = *((__u8 *) skb->data);
265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
273 if (hci_dev_test_flag(hdev, HCI_MGMT))
274 mgmt_set_local_name_complete(hdev, sent, status);
276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278 hci_dev_unlock(hdev);
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283 struct hci_rp_read_local_name *rp = (void *) skb->data;
285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
290 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 hci_dev_test_flag(hdev, HCI_CONFIG))
292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297 __u8 status = *((__u8 *) skb->data);
300 BT_DBG("%s status 0x%2.2x", hdev->name, status);
302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
309 __u8 param = *((__u8 *) sent);
311 if (param == AUTH_ENABLED)
312 set_bit(HCI_AUTH, &hdev->flags);
314 clear_bit(HCI_AUTH, &hdev->flags);
317 if (hci_dev_test_flag(hdev, HCI_MGMT))
318 mgmt_auth_enable_complete(hdev, status);
320 hci_dev_unlock(hdev);
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325 __u8 status = *((__u8 *) skb->data);
329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
338 param = *((__u8 *) sent);
341 set_bit(HCI_ENCRYPT, &hdev->flags);
343 clear_bit(HCI_ENCRYPT, &hdev->flags);
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348 __u8 status = *((__u8 *) skb->data);
352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
358 param = *((__u8 *) sent);
363 hdev->discov_timeout = 0;
367 if (param & SCAN_INQUIRY)
368 set_bit(HCI_ISCAN, &hdev->flags);
370 clear_bit(HCI_ISCAN, &hdev->flags);
372 if (param & SCAN_PAGE)
373 set_bit(HCI_PSCAN, &hdev->flags);
375 clear_bit(HCI_PSCAN, &hdev->flags);
378 hci_dev_unlock(hdev);
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
390 memcpy(hdev->dev_class, rp->dev_class, 3);
392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398 __u8 status = *((__u8 *) skb->data);
401 BT_DBG("%s status 0x%2.2x", hdev->name, status);
403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
410 memcpy(hdev->dev_class, sent, 3);
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_set_class_of_dev_complete(hdev, sent, status);
415 hci_dev_unlock(hdev);
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
428 setting = __le16_to_cpu(rp->voice_setting);
430 if (hdev->voice_setting == setting)
433 hdev->voice_setting = setting;
435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
444 __u8 status = *((__u8 *) skb->data);
448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
457 setting = get_unaligned_le16(sent);
459 if (hdev->voice_setting == setting)
462 hdev->voice_setting = setting;
464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
480 hdev->num_iac = rp->num_iac;
482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487 __u8 status = *((__u8 *) skb->data);
488 struct hci_cp_write_ssp_mode *sent;
490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
500 hdev->features[1][0] |= LMP_HOST_SSP;
502 hdev->features[1][0] &= ~LMP_HOST_SSP;
505 if (hci_dev_test_flag(hdev, HCI_MGMT))
506 mgmt_ssp_enable_complete(hdev, sent->mode, status);
509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
514 hci_dev_unlock(hdev);
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519 u8 status = *((u8 *) skb->data);
520 struct hci_cp_write_sc_support *sent;
522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
532 hdev->features[1][0] |= LMP_HOST_SC;
534 hdev->features[1][0] &= ~LMP_HOST_SC;
537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
544 hci_dev_unlock(hdev);
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549 struct hci_rp_read_local_version *rp = (void *) skb->data;
551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
556 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 hdev->hci_ver = rp->hci_ver;
559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 hdev->lmp_ver = rp->lmp_ver;
561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
569 struct hci_rp_read_local_commands *rp = (void *) skb->data;
571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
576 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 hci_dev_test_flag(hdev, HCI_CONFIG))
578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
584 struct hci_rp_read_local_features *rp = (void *) skb->data;
586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
591 memcpy(hdev->features, rp->features, 8);
593 /* Adjust default settings according to features
594 * supported by device. */
596 if (hdev->features[0][0] & LMP_3SLOT)
597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
599 if (hdev->features[0][0] & LMP_5SLOT)
600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
602 if (hdev->features[0][1] & LMP_HV2) {
603 hdev->pkt_type |= (HCI_HV2);
604 hdev->esco_type |= (ESCO_HV2);
607 if (hdev->features[0][1] & LMP_HV3) {
608 hdev->pkt_type |= (HCI_HV3);
609 hdev->esco_type |= (ESCO_HV3);
612 if (lmp_esco_capable(hdev))
613 hdev->esco_type |= (ESCO_EV3);
615 if (hdev->features[0][4] & LMP_EV4)
616 hdev->esco_type |= (ESCO_EV4);
618 if (hdev->features[0][4] & LMP_EV5)
619 hdev->esco_type |= (ESCO_EV5);
621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 hdev->esco_type |= (ESCO_2EV3);
624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 hdev->esco_type |= (ESCO_3EV3);
627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
641 if (hdev->max_page < rp->max_page)
642 hdev->max_page = rp->max_page;
644 if (rp->page < HCI_MAX_PAGES)
645 memcpy(hdev->features[rp->page], rp->features, 8);
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
658 hdev->flow_ctl_mode = rp->mode;
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
671 hdev->sco_mtu = rp->sco_mtu;
672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
680 hdev->acl_cnt = hdev->acl_pkts;
681 hdev->sco_cnt = hdev->sco_pkts;
683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
689 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
696 if (test_bit(HCI_INIT, &hdev->flags))
697 bacpy(&hdev->bdaddr, &rp->bdaddr);
699 if (hci_dev_test_flag(hdev, HCI_SETUP))
700 bacpy(&hdev->setup_addr, &rp->bdaddr);
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
713 if (test_bit(HCI_INIT, &hdev->flags)) {
714 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 hdev->page_scan_window = __le16_to_cpu(rp->window);
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
722 u8 status = *((u8 *) skb->data);
723 struct hci_cp_write_page_scan_activity *sent;
725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
734 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 hdev->page_scan_window = __le16_to_cpu(sent->window);
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
748 if (test_bit(HCI_INIT, &hdev->flags))
749 hdev->page_scan_type = rp->type;
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
755 u8 status = *((u8 *) skb->data);
758 BT_DBG("%s status 0x%2.2x", hdev->name, status);
763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
765 hdev->page_scan_type = *type;
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
771 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 hdev->block_len = __le16_to_cpu(rp->block_len);
780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
782 hdev->block_cnt = hdev->num_blocks;
784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 hdev->block_cnt, hdev->block_len);
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
790 struct hci_rp_read_clock *rp = (void *) skb->data;
791 struct hci_cp_read_clock *cp;
792 struct hci_conn *conn;
794 BT_DBG("%s", hdev->name);
796 if (skb->len < sizeof(*rp))
804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
808 if (cp->which == 0x00) {
809 hdev->clock = le32_to_cpu(rp->clock);
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
815 conn->clock = le32_to_cpu(rp->clock);
816 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
820 hci_dev_unlock(hdev);
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
833 hdev->amp_status = rp->amp_status;
834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 hdev->amp_type = rp->amp_type;
839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
855 hdev->inq_tx_power = rp->tx_power;
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
860 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 struct hci_cp_pin_code_reply *cp;
862 struct hci_conn *conn;
864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
868 if (hci_dev_test_flag(hdev, HCI_MGMT))
869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
880 conn->pin_length = cp->pin_len;
883 hci_dev_unlock(hdev);
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
894 if (hci_dev_test_flag(hdev, HCI_MGMT))
895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
898 hci_dev_unlock(hdev);
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 hdev->le_pkts = rp->le_max_pkt;
914 hdev->le_cnt = hdev->le_pkts;
916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
922 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
929 memcpy(hdev->le_features, rp->features, 8);
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
942 hdev->adv_tx_power = rp->tx_power;
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
953 if (hci_dev_test_flag(hdev, HCI_MGMT))
954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
957 hci_dev_unlock(hdev);
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 ACL_LINK, 0, rp->status);
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
984 if (hci_dev_test_flag(hdev, HCI_MGMT))
985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
988 hci_dev_unlock(hdev);
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 ACL_LINK, 0, rp->status);
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 struct sk_buff *skb)
1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1025 __u8 status = *((__u8 *) skb->data);
1028 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1039 bacpy(&hdev->random_addr, sent);
1041 hci_dev_unlock(hdev);
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1046 __u8 *sent, status = *((__u8 *) skb->data);
1048 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1059 /* If we're doing connection initiation as peripheral. Set a
1060 * timeout in case something goes wrong.
1063 struct hci_conn *conn;
1065 hci_dev_set_flag(hdev, HCI_LE_ADV);
1067 conn = hci_lookup_le_connect(hdev);
1069 queue_delayed_work(hdev->workqueue,
1070 &conn->le_conn_timeout,
1071 conn->conn_timeout);
1073 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1076 hci_dev_unlock(hdev);
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1081 struct hci_cp_le_set_scan_param *cp;
1082 __u8 status = *((__u8 *) skb->data);
1084 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1095 hdev->le_scan_type = cp->type;
1097 hci_dev_unlock(hdev);
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1102 struct discovery_state *d = &hdev->discovery;
1104 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1109 struct discovery_state *d = &hdev->discovery;
1111 bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 d->last_adv_data_len = 0;
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 u8 bdaddr_type, s8 rssi, u32 flags,
1119 struct discovery_state *d = &hdev->discovery;
1121 bacpy(&d->last_adv_addr, bdaddr);
1122 d->last_adv_addr_type = bdaddr_type;
1123 d->last_adv_rssi = rssi;
1124 d->last_adv_flags = flags;
1125 memcpy(d->last_adv_data, data, len);
1126 d->last_adv_data_len = len;
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 struct sk_buff *skb)
1132 struct hci_cp_le_set_scan_enable *cp;
1133 __u8 status = *((__u8 *) skb->data);
1135 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1146 switch (cp->enable) {
1147 case LE_SCAN_ENABLE:
1148 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 clear_pending_adv_report(hdev);
1153 case LE_SCAN_DISABLE:
1154 /* We do this here instead of when setting DISCOVERY_STOPPED
1155 * since the latter would potentially require waiting for
1156 * inquiry to stop too.
1158 if (has_pending_adv_report(hdev)) {
1159 struct discovery_state *d = &hdev->discovery;
1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 d->last_adv_addr_type, NULL,
1163 d->last_adv_rssi, d->last_adv_flags,
1165 d->last_adv_data_len, NULL, 0);
1168 /* Cancel this timer so that we don't try to disable scanning
1169 * when it's already disabled.
1171 cancel_delayed_work(&hdev->le_scan_disable);
1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 * interrupted scanning due to a connect request. Mark
1177 * therefore discovery as stopped. If this was not
1178 * because of a connect request advertising might have
1179 * been disabled because of active scanning, so
1180 * re-enable it again if necessary.
1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 hdev->discovery.state == DISCOVERY_FINDING)
1186 hci_req_reenable_advertising(hdev);
1191 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1196 hci_dev_unlock(hdev);
1199 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1200 struct sk_buff *skb)
1202 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1204 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1209 hdev->le_white_list_size = rp->size;
1212 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1213 struct sk_buff *skb)
1215 __u8 status = *((__u8 *) skb->data);
1217 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1222 hci_bdaddr_list_clear(&hdev->le_white_list);
1225 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1226 struct sk_buff *skb)
1228 struct hci_cp_le_add_to_white_list *sent;
1229 __u8 status = *((__u8 *) skb->data);
1231 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1236 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1240 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1244 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1245 struct sk_buff *skb)
1247 struct hci_cp_le_del_from_white_list *sent;
1248 __u8 status = *((__u8 *) skb->data);
1250 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1255 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1259 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1263 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1264 struct sk_buff *skb)
1266 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1268 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1273 memcpy(hdev->le_states, rp->le_states, 8);
1276 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1277 struct sk_buff *skb)
1279 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1281 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1286 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1287 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1290 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1291 struct sk_buff *skb)
1293 struct hci_cp_le_write_def_data_len *sent;
1294 __u8 status = *((__u8 *) skb->data);
1296 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1301 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1305 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1306 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1309 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1310 struct sk_buff *skb)
1312 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1314 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1319 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1320 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1321 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1322 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1325 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1326 struct sk_buff *skb)
1328 struct hci_cp_write_le_host_supported *sent;
1329 __u8 status = *((__u8 *) skb->data);
1331 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1336 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1343 hdev->features[1][0] |= LMP_HOST_LE;
1344 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1346 hdev->features[1][0] &= ~LMP_HOST_LE;
1347 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1348 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1352 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1354 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1356 hci_dev_unlock(hdev);
1359 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1361 struct hci_cp_le_set_adv_param *cp;
1362 u8 status = *((u8 *) skb->data);
1364 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1369 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1374 hdev->adv_addr_type = cp->own_address_type;
1375 hci_dev_unlock(hdev);
1378 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1380 struct hci_rp_read_rssi *rp = (void *) skb->data;
1381 struct hci_conn *conn;
1383 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1390 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1392 conn->rssi = rp->rssi;
1394 hci_dev_unlock(hdev);
1397 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1399 struct hci_cp_read_tx_power *sent;
1400 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1401 struct hci_conn *conn;
1403 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1408 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1414 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1418 switch (sent->type) {
1420 conn->tx_power = rp->tx_power;
1423 conn->max_tx_power = rp->tx_power;
1428 hci_dev_unlock(hdev);
1431 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1433 u8 status = *((u8 *) skb->data);
1436 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1441 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1443 hdev->ssp_debug_mode = *mode;
1446 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1451 hci_conn_check_pending(hdev);
1455 set_bit(HCI_INQUIRY, &hdev->flags);
1458 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1460 struct hci_cp_create_conn *cp;
1461 struct hci_conn *conn;
1463 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1465 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1471 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1473 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1476 if (conn && conn->state == BT_CONNECT) {
1477 if (status != 0x0c || conn->attempt > 2) {
1478 conn->state = BT_CLOSED;
1479 hci_connect_cfm(conn, status);
1482 conn->state = BT_CONNECT2;
1486 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1489 bt_dev_err(hdev, "no memory for new connection");
1493 hci_dev_unlock(hdev);
1496 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1498 struct hci_cp_add_sco *cp;
1499 struct hci_conn *acl, *sco;
1502 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1507 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1511 handle = __le16_to_cpu(cp->handle);
1513 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1517 acl = hci_conn_hash_lookup_handle(hdev, handle);
1521 sco->state = BT_CLOSED;
1523 hci_connect_cfm(sco, status);
1528 hci_dev_unlock(hdev);
1531 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1533 struct hci_cp_auth_requested *cp;
1534 struct hci_conn *conn;
1536 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1541 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1547 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1549 if (conn->state == BT_CONFIG) {
1550 hci_connect_cfm(conn, status);
1551 hci_conn_drop(conn);
1555 hci_dev_unlock(hdev);
1558 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1560 struct hci_cp_set_conn_encrypt *cp;
1561 struct hci_conn *conn;
1563 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1568 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1574 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1576 if (conn->state == BT_CONFIG) {
1577 hci_connect_cfm(conn, status);
1578 hci_conn_drop(conn);
1582 hci_dev_unlock(hdev);
1585 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1586 struct hci_conn *conn)
1588 if (conn->state != BT_CONFIG || !conn->out)
1591 if (conn->pending_sec_level == BT_SECURITY_SDP)
1594 /* Only request authentication for SSP connections or non-SSP
1595 * devices with sec_level MEDIUM or HIGH or if MITM protection
1598 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1599 conn->pending_sec_level != BT_SECURITY_FIPS &&
1600 conn->pending_sec_level != BT_SECURITY_HIGH &&
1601 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1607 static int hci_resolve_name(struct hci_dev *hdev,
1608 struct inquiry_entry *e)
1610 struct hci_cp_remote_name_req cp;
1612 memset(&cp, 0, sizeof(cp));
1614 bacpy(&cp.bdaddr, &e->data.bdaddr);
1615 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1616 cp.pscan_mode = e->data.pscan_mode;
1617 cp.clock_offset = e->data.clock_offset;
1619 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1622 static bool hci_resolve_next_name(struct hci_dev *hdev)
1624 struct discovery_state *discov = &hdev->discovery;
1625 struct inquiry_entry *e;
1627 if (list_empty(&discov->resolve))
1630 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1634 if (hci_resolve_name(hdev, e) == 0) {
1635 e->name_state = NAME_PENDING;
1642 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1643 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1645 struct discovery_state *discov = &hdev->discovery;
1646 struct inquiry_entry *e;
1648 /* Update the mgmt connected state if necessary. Be careful with
1649 * conn objects that exist but are not (yet) connected however.
1650 * Only those in BT_CONFIG or BT_CONNECTED states can be
1651 * considered connected.
1654 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1655 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1656 mgmt_device_connected(hdev, conn, 0, name, name_len);
1658 if (discov->state == DISCOVERY_STOPPED)
1661 if (discov->state == DISCOVERY_STOPPING)
1662 goto discov_complete;
1664 if (discov->state != DISCOVERY_RESOLVING)
1667 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1668 /* If the device was not found in a list of found devices names of which
1669 * are pending. there is no need to continue resolving a next name as it
1670 * will be done upon receiving another Remote Name Request Complete
1677 e->name_state = NAME_KNOWN;
1678 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1679 e->data.rssi, name, name_len);
1681 e->name_state = NAME_NOT_KNOWN;
1684 if (hci_resolve_next_name(hdev))
1688 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1691 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1693 struct hci_cp_remote_name_req *cp;
1694 struct hci_conn *conn;
1696 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1698 /* If successful wait for the name req complete event before
1699 * checking for the need to do authentication */
1703 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1709 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1711 if (hci_dev_test_flag(hdev, HCI_MGMT))
1712 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1717 if (!hci_outgoing_auth_needed(hdev, conn))
1720 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1721 struct hci_cp_auth_requested auth_cp;
1723 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1725 auth_cp.handle = __cpu_to_le16(conn->handle);
1726 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1727 sizeof(auth_cp), &auth_cp);
1731 hci_dev_unlock(hdev);
1734 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1736 struct hci_cp_read_remote_features *cp;
1737 struct hci_conn *conn;
1739 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1744 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1750 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1752 if (conn->state == BT_CONFIG) {
1753 hci_connect_cfm(conn, status);
1754 hci_conn_drop(conn);
1758 hci_dev_unlock(hdev);
1761 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1763 struct hci_cp_read_remote_ext_features *cp;
1764 struct hci_conn *conn;
1766 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1771 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1777 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1779 if (conn->state == BT_CONFIG) {
1780 hci_connect_cfm(conn, status);
1781 hci_conn_drop(conn);
1785 hci_dev_unlock(hdev);
1788 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1790 struct hci_cp_setup_sync_conn *cp;
1791 struct hci_conn *acl, *sco;
1794 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1799 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1803 handle = __le16_to_cpu(cp->handle);
1805 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1809 acl = hci_conn_hash_lookup_handle(hdev, handle);
1813 sco->state = BT_CLOSED;
1815 hci_connect_cfm(sco, status);
1820 hci_dev_unlock(hdev);
1823 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1825 struct hci_cp_sniff_mode *cp;
1826 struct hci_conn *conn;
1828 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1833 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1839 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1841 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1843 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1844 hci_sco_setup(conn, status);
1847 hci_dev_unlock(hdev);
1850 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1852 struct hci_cp_exit_sniff_mode *cp;
1853 struct hci_conn *conn;
1855 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1860 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1866 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1868 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1870 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1871 hci_sco_setup(conn, status);
1874 hci_dev_unlock(hdev);
1877 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1879 struct hci_cp_disconnect *cp;
1880 struct hci_conn *conn;
1885 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1891 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1893 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1894 conn->dst_type, status);
1896 hci_dev_unlock(hdev);
1899 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1901 struct hci_cp_le_create_conn *cp;
1902 struct hci_conn *conn;
1904 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1906 /* All connection failure handling is taken care of by the
1907 * hci_le_conn_failed function which is triggered by the HCI
1908 * request completion callbacks used for connecting.
1913 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1919 conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1920 cp->peer_addr_type);
1924 /* Store the initiator and responder address information which
1925 * is needed for SMP. These values will not change during the
1926 * lifetime of the connection.
1928 conn->init_addr_type = cp->own_address_type;
1929 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1930 bacpy(&conn->init_addr, &hdev->random_addr);
1932 bacpy(&conn->init_addr, &hdev->bdaddr);
1934 conn->resp_addr_type = cp->peer_addr_type;
1935 bacpy(&conn->resp_addr, &cp->peer_addr);
1937 /* We don't want the connection attempt to stick around
1938 * indefinitely since LE doesn't have a page timeout concept
1939 * like BR/EDR. Set a timer for any connection that doesn't use
1940 * the white list for connecting.
1942 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1943 queue_delayed_work(conn->hdev->workqueue,
1944 &conn->le_conn_timeout,
1945 conn->conn_timeout);
1948 hci_dev_unlock(hdev);
1951 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1953 struct hci_cp_le_read_remote_features *cp;
1954 struct hci_conn *conn;
1956 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1961 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1967 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1969 if (conn->state == BT_CONFIG) {
1970 hci_connect_cfm(conn, status);
1971 hci_conn_drop(conn);
1975 hci_dev_unlock(hdev);
1978 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1980 struct hci_cp_le_start_enc *cp;
1981 struct hci_conn *conn;
1983 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1990 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1994 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1998 if (conn->state != BT_CONNECTED)
2001 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2002 hci_conn_drop(conn);
2005 hci_dev_unlock(hdev);
2008 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2010 struct hci_cp_switch_role *cp;
2011 struct hci_conn *conn;
2013 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2018 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2024 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2026 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2028 hci_dev_unlock(hdev);
2031 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2033 __u8 status = *((__u8 *) skb->data);
2034 struct discovery_state *discov = &hdev->discovery;
2035 struct inquiry_entry *e;
2037 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2039 hci_conn_check_pending(hdev);
2041 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2044 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2045 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2047 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2052 if (discov->state != DISCOVERY_FINDING)
2055 if (list_empty(&discov->resolve)) {
2056 /* When BR/EDR inquiry is active and no LE scanning is in
2057 * progress, then change discovery state to indicate completion.
2059 * When running LE scanning and BR/EDR inquiry simultaneously
2060 * and the LE scan already finished, then change the discovery
2061 * state to indicate completion.
2063 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2064 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2065 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2069 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2070 if (e && hci_resolve_name(hdev, e) == 0) {
2071 e->name_state = NAME_PENDING;
2072 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2074 /* When BR/EDR inquiry is active and no LE scanning is in
2075 * progress, then change discovery state to indicate completion.
2077 * When running LE scanning and BR/EDR inquiry simultaneously
2078 * and the LE scan already finished, then change the discovery
2079 * state to indicate completion.
2081 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2082 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2083 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2087 hci_dev_unlock(hdev);
2090 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2092 struct inquiry_data data;
2093 struct inquiry_info *info = (void *) (skb->data + 1);
2094 int num_rsp = *((__u8 *) skb->data);
2096 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2101 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2106 for (; num_rsp; num_rsp--, info++) {
2109 bacpy(&data.bdaddr, &info->bdaddr);
2110 data.pscan_rep_mode = info->pscan_rep_mode;
2111 data.pscan_period_mode = info->pscan_period_mode;
2112 data.pscan_mode = info->pscan_mode;
2113 memcpy(data.dev_class, info->dev_class, 3);
2114 data.clock_offset = info->clock_offset;
2115 data.rssi = HCI_RSSI_INVALID;
2116 data.ssp_mode = 0x00;
2118 flags = hci_inquiry_cache_update(hdev, &data, false);
2120 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2121 info->dev_class, HCI_RSSI_INVALID,
2122 flags, NULL, 0, NULL, 0);
2125 hci_dev_unlock(hdev);
2128 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2130 struct hci_ev_conn_complete *ev = (void *) skb->data;
2131 struct hci_conn *conn;
2133 BT_DBG("%s", hdev->name);
2137 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2139 if (ev->link_type != SCO_LINK)
2142 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2146 conn->type = SCO_LINK;
2150 conn->handle = __le16_to_cpu(ev->handle);
2152 if (conn->type == ACL_LINK) {
2153 conn->state = BT_CONFIG;
2154 hci_conn_hold(conn);
2156 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2157 !hci_find_link_key(hdev, &ev->bdaddr))
2158 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2160 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2162 conn->state = BT_CONNECTED;
2164 hci_debugfs_create_conn(conn);
2165 hci_conn_add_sysfs(conn);
2167 if (test_bit(HCI_AUTH, &hdev->flags))
2168 set_bit(HCI_CONN_AUTH, &conn->flags);
2170 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2171 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2173 /* Get remote features */
2174 if (conn->type == ACL_LINK) {
2175 struct hci_cp_read_remote_features cp;
2176 cp.handle = ev->handle;
2177 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2180 hci_req_update_scan(hdev);
2183 /* Set packet type for incoming connection */
2184 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2185 struct hci_cp_change_conn_ptype cp;
2186 cp.handle = ev->handle;
2187 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2188 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2192 conn->state = BT_CLOSED;
2193 if (conn->type == ACL_LINK)
2194 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2195 conn->dst_type, ev->status);
2198 if (conn->type == ACL_LINK)
2199 hci_sco_setup(conn, ev->status);
2202 hci_connect_cfm(conn, ev->status);
2204 } else if (ev->link_type != ACL_LINK)
2205 hci_connect_cfm(conn, ev->status);
2208 hci_dev_unlock(hdev);
2210 hci_conn_check_pending(hdev);
2213 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2215 struct hci_cp_reject_conn_req cp;
2217 bacpy(&cp.bdaddr, bdaddr);
2218 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2219 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2222 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2224 struct hci_ev_conn_request *ev = (void *) skb->data;
2225 int mask = hdev->link_mode;
2226 struct inquiry_entry *ie;
2227 struct hci_conn *conn;
2230 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2233 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2236 if (!(mask & HCI_LM_ACCEPT)) {
2237 hci_reject_conn(hdev, &ev->bdaddr);
2241 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2243 hci_reject_conn(hdev, &ev->bdaddr);
2247 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2248 * connection. These features are only touched through mgmt so
2249 * only do the checks if HCI_MGMT is set.
2251 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2252 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2253 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2255 hci_reject_conn(hdev, &ev->bdaddr);
2259 /* Connection accepted */
2263 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2265 memcpy(ie->data.dev_class, ev->dev_class, 3);
2267 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2270 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2273 bt_dev_err(hdev, "no memory for new connection");
2274 hci_dev_unlock(hdev);
2279 memcpy(conn->dev_class, ev->dev_class, 3);
2281 hci_dev_unlock(hdev);
2283 if (ev->link_type == ACL_LINK ||
2284 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2285 struct hci_cp_accept_conn_req cp;
2286 conn->state = BT_CONNECT;
2288 bacpy(&cp.bdaddr, &ev->bdaddr);
2290 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2291 cp.role = 0x00; /* Become master */
2293 cp.role = 0x01; /* Remain slave */
2295 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2296 } else if (!(flags & HCI_PROTO_DEFER)) {
2297 struct hci_cp_accept_sync_conn_req cp;
2298 conn->state = BT_CONNECT;
2300 bacpy(&cp.bdaddr, &ev->bdaddr);
2301 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2303 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2304 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2305 cp.max_latency = cpu_to_le16(0xffff);
2306 cp.content_format = cpu_to_le16(hdev->voice_setting);
2307 cp.retrans_effort = 0xff;
2309 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2312 conn->state = BT_CONNECT2;
2313 hci_connect_cfm(conn, 0);
2317 static u8 hci_to_mgmt_reason(u8 err)
2320 case HCI_ERROR_CONNECTION_TIMEOUT:
2321 return MGMT_DEV_DISCONN_TIMEOUT;
2322 case HCI_ERROR_REMOTE_USER_TERM:
2323 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2324 case HCI_ERROR_REMOTE_POWER_OFF:
2325 return MGMT_DEV_DISCONN_REMOTE;
2326 case HCI_ERROR_LOCAL_HOST_TERM:
2327 return MGMT_DEV_DISCONN_LOCAL_HOST;
2329 return MGMT_DEV_DISCONN_UNKNOWN;
2333 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2335 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2337 struct hci_conn_params *params;
2338 struct hci_conn *conn;
2339 bool mgmt_connected;
2342 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2346 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2351 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2352 conn->dst_type, ev->status);
2356 conn->state = BT_CLOSED;
2358 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2360 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2361 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2363 reason = hci_to_mgmt_reason(ev->reason);
2365 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2366 reason, mgmt_connected);
2368 if (conn->type == ACL_LINK) {
2369 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2370 hci_remove_link_key(hdev, &conn->dst);
2372 hci_req_update_scan(hdev);
2375 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2377 switch (params->auto_connect) {
2378 case HCI_AUTO_CONN_LINK_LOSS:
2379 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2383 case HCI_AUTO_CONN_DIRECT:
2384 case HCI_AUTO_CONN_ALWAYS:
2385 list_del_init(¶ms->action);
2386 list_add(¶ms->action, &hdev->pend_le_conns);
2387 hci_update_background_scan(hdev);
2397 hci_disconn_cfm(conn, ev->reason);
2400 /* Re-enable advertising if necessary, since it might
2401 * have been disabled by the connection. From the
2402 * HCI_LE_Set_Advertise_Enable command description in
2403 * the core specification (v4.0):
2404 * "The Controller shall continue advertising until the Host
2405 * issues an LE_Set_Advertise_Enable command with
2406 * Advertising_Enable set to 0x00 (Advertising is disabled)
2407 * or until a connection is created or until the Advertising
2408 * is timed out due to Directed Advertising."
2410 if (type == LE_LINK)
2411 hci_req_reenable_advertising(hdev);
2414 hci_dev_unlock(hdev);
2417 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2419 struct hci_ev_auth_complete *ev = (void *) skb->data;
2420 struct hci_conn *conn;
2422 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2426 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2431 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2433 if (!hci_conn_ssp_enabled(conn) &&
2434 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2435 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2437 set_bit(HCI_CONN_AUTH, &conn->flags);
2438 conn->sec_level = conn->pending_sec_level;
2441 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2442 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2444 mgmt_auth_failed(conn, ev->status);
2447 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2448 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2450 if (conn->state == BT_CONFIG) {
2451 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2452 struct hci_cp_set_conn_encrypt cp;
2453 cp.handle = ev->handle;
2455 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2458 conn->state = BT_CONNECTED;
2459 hci_connect_cfm(conn, ev->status);
2460 hci_conn_drop(conn);
2463 hci_auth_cfm(conn, ev->status);
2465 hci_conn_hold(conn);
2466 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2467 hci_conn_drop(conn);
2470 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2472 struct hci_cp_set_conn_encrypt cp;
2473 cp.handle = ev->handle;
2475 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2478 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2479 hci_encrypt_cfm(conn, ev->status, 0x00);
2484 hci_dev_unlock(hdev);
2487 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2489 struct hci_ev_remote_name *ev = (void *) skb->data;
2490 struct hci_conn *conn;
2492 BT_DBG("%s", hdev->name);
2494 hci_conn_check_pending(hdev);
2498 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2500 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2503 if (ev->status == 0)
2504 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2505 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2507 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2513 if (!hci_outgoing_auth_needed(hdev, conn))
2516 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2517 struct hci_cp_auth_requested cp;
2519 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2521 cp.handle = __cpu_to_le16(conn->handle);
2522 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2526 hci_dev_unlock(hdev);
2529 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2530 u16 opcode, struct sk_buff *skb)
2532 const struct hci_rp_read_enc_key_size *rp;
2533 struct hci_conn *conn;
2536 BT_DBG("%s status 0x%02x", hdev->name, status);
2538 if (!skb || skb->len < sizeof(*rp)) {
2539 bt_dev_err(hdev, "invalid read key size response");
2543 rp = (void *)skb->data;
2544 handle = le16_to_cpu(rp->handle);
2548 conn = hci_conn_hash_lookup_handle(hdev, handle);
2552 /* If we fail to read the encryption key size, assume maximum
2553 * (which is the same we do also when this HCI command isn't
2557 bt_dev_err(hdev, "failed to read key size for handle %u",
2559 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2561 conn->enc_key_size = rp->key_size;
2564 if (conn->state == BT_CONFIG) {
2565 conn->state = BT_CONNECTED;
2566 hci_connect_cfm(conn, 0);
2567 hci_conn_drop(conn);
2571 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2573 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2578 hci_encrypt_cfm(conn, 0, encrypt);
2582 hci_dev_unlock(hdev);
2585 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2587 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2588 struct hci_conn *conn;
2590 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2594 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2600 /* Encryption implies authentication */
2601 set_bit(HCI_CONN_AUTH, &conn->flags);
2602 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 conn->sec_level = conn->pending_sec_level;
2605 /* P-256 authentication key implies FIPS */
2606 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2607 set_bit(HCI_CONN_FIPS, &conn->flags);
2609 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2610 conn->type == LE_LINK)
2611 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2613 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2614 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2618 /* We should disregard the current RPA and generate a new one
2619 * whenever the encryption procedure fails.
2621 if (ev->status && conn->type == LE_LINK)
2622 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2624 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2626 if (ev->status && conn->state == BT_CONNECTED) {
2627 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2628 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2630 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2631 hci_conn_drop(conn);
2635 /* In Secure Connections Only mode, do not allow any connections
2636 * that are not encrypted with AES-CCM using a P-256 authenticated
2639 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2640 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2641 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2642 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2643 hci_conn_drop(conn);
2647 /* Try reading the encryption key size for encrypted ACL links */
2648 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2649 struct hci_cp_read_enc_key_size cp;
2650 struct hci_request req;
2652 /* Only send HCI_Read_Encryption_Key_Size if the
2653 * controller really supports it. If it doesn't, assume
2654 * the default size (16).
2656 if (!(hdev->commands[20] & 0x10)) {
2657 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2661 hci_req_init(&req, hdev);
2663 cp.handle = cpu_to_le16(conn->handle);
2664 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2666 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2667 bt_dev_err(hdev, "sending read key size failed");
2668 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2676 if (conn->state == BT_CONFIG) {
2678 conn->state = BT_CONNECTED;
2680 hci_connect_cfm(conn, ev->status);
2681 hci_conn_drop(conn);
2683 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2686 hci_dev_unlock(hdev);
2689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2690 struct sk_buff *skb)
2692 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2693 struct hci_conn *conn;
2695 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2699 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2702 set_bit(HCI_CONN_SECURE, &conn->flags);
2704 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2706 hci_key_change_cfm(conn, ev->status);
2709 hci_dev_unlock(hdev);
2712 static void hci_remote_features_evt(struct hci_dev *hdev,
2713 struct sk_buff *skb)
2715 struct hci_ev_remote_features *ev = (void *) skb->data;
2716 struct hci_conn *conn;
2718 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2722 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2727 memcpy(conn->features[0], ev->features, 8);
2729 if (conn->state != BT_CONFIG)
2732 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2733 lmp_ext_feat_capable(conn)) {
2734 struct hci_cp_read_remote_ext_features cp;
2735 cp.handle = ev->handle;
2737 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2742 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2743 struct hci_cp_remote_name_req cp;
2744 memset(&cp, 0, sizeof(cp));
2745 bacpy(&cp.bdaddr, &conn->dst);
2746 cp.pscan_rep_mode = 0x02;
2747 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2748 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2749 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2751 if (!hci_outgoing_auth_needed(hdev, conn)) {
2752 conn->state = BT_CONNECTED;
2753 hci_connect_cfm(conn, ev->status);
2754 hci_conn_drop(conn);
2758 hci_dev_unlock(hdev);
2761 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2762 u16 *opcode, u8 *status,
2763 hci_req_complete_t *req_complete,
2764 hci_req_complete_skb_t *req_complete_skb)
2766 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2768 *opcode = __le16_to_cpu(ev->opcode);
2769 *status = skb->data[sizeof(*ev)];
2771 skb_pull(skb, sizeof(*ev));
2774 case HCI_OP_INQUIRY_CANCEL:
2775 hci_cc_inquiry_cancel(hdev, skb);
2778 case HCI_OP_PERIODIC_INQ:
2779 hci_cc_periodic_inq(hdev, skb);
2782 case HCI_OP_EXIT_PERIODIC_INQ:
2783 hci_cc_exit_periodic_inq(hdev, skb);
2786 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2787 hci_cc_remote_name_req_cancel(hdev, skb);
2790 case HCI_OP_ROLE_DISCOVERY:
2791 hci_cc_role_discovery(hdev, skb);
2794 case HCI_OP_READ_LINK_POLICY:
2795 hci_cc_read_link_policy(hdev, skb);
2798 case HCI_OP_WRITE_LINK_POLICY:
2799 hci_cc_write_link_policy(hdev, skb);
2802 case HCI_OP_READ_DEF_LINK_POLICY:
2803 hci_cc_read_def_link_policy(hdev, skb);
2806 case HCI_OP_WRITE_DEF_LINK_POLICY:
2807 hci_cc_write_def_link_policy(hdev, skb);
2811 hci_cc_reset(hdev, skb);
2814 case HCI_OP_READ_STORED_LINK_KEY:
2815 hci_cc_read_stored_link_key(hdev, skb);
2818 case HCI_OP_DELETE_STORED_LINK_KEY:
2819 hci_cc_delete_stored_link_key(hdev, skb);
2822 case HCI_OP_WRITE_LOCAL_NAME:
2823 hci_cc_write_local_name(hdev, skb);
2826 case HCI_OP_READ_LOCAL_NAME:
2827 hci_cc_read_local_name(hdev, skb);
2830 case HCI_OP_WRITE_AUTH_ENABLE:
2831 hci_cc_write_auth_enable(hdev, skb);
2834 case HCI_OP_WRITE_ENCRYPT_MODE:
2835 hci_cc_write_encrypt_mode(hdev, skb);
2838 case HCI_OP_WRITE_SCAN_ENABLE:
2839 hci_cc_write_scan_enable(hdev, skb);
2842 case HCI_OP_READ_CLASS_OF_DEV:
2843 hci_cc_read_class_of_dev(hdev, skb);
2846 case HCI_OP_WRITE_CLASS_OF_DEV:
2847 hci_cc_write_class_of_dev(hdev, skb);
2850 case HCI_OP_READ_VOICE_SETTING:
2851 hci_cc_read_voice_setting(hdev, skb);
2854 case HCI_OP_WRITE_VOICE_SETTING:
2855 hci_cc_write_voice_setting(hdev, skb);
2858 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2859 hci_cc_read_num_supported_iac(hdev, skb);
2862 case HCI_OP_WRITE_SSP_MODE:
2863 hci_cc_write_ssp_mode(hdev, skb);
2866 case HCI_OP_WRITE_SC_SUPPORT:
2867 hci_cc_write_sc_support(hdev, skb);
2870 case HCI_OP_READ_LOCAL_VERSION:
2871 hci_cc_read_local_version(hdev, skb);
2874 case HCI_OP_READ_LOCAL_COMMANDS:
2875 hci_cc_read_local_commands(hdev, skb);
2878 case HCI_OP_READ_LOCAL_FEATURES:
2879 hci_cc_read_local_features(hdev, skb);
2882 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2883 hci_cc_read_local_ext_features(hdev, skb);
2886 case HCI_OP_READ_BUFFER_SIZE:
2887 hci_cc_read_buffer_size(hdev, skb);
2890 case HCI_OP_READ_BD_ADDR:
2891 hci_cc_read_bd_addr(hdev, skb);
2894 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2895 hci_cc_read_page_scan_activity(hdev, skb);
2898 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2899 hci_cc_write_page_scan_activity(hdev, skb);
2902 case HCI_OP_READ_PAGE_SCAN_TYPE:
2903 hci_cc_read_page_scan_type(hdev, skb);
2906 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2907 hci_cc_write_page_scan_type(hdev, skb);
2910 case HCI_OP_READ_DATA_BLOCK_SIZE:
2911 hci_cc_read_data_block_size(hdev, skb);
2914 case HCI_OP_READ_FLOW_CONTROL_MODE:
2915 hci_cc_read_flow_control_mode(hdev, skb);
2918 case HCI_OP_READ_LOCAL_AMP_INFO:
2919 hci_cc_read_local_amp_info(hdev, skb);
2922 case HCI_OP_READ_CLOCK:
2923 hci_cc_read_clock(hdev, skb);
2926 case HCI_OP_READ_INQ_RSP_TX_POWER:
2927 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2930 case HCI_OP_PIN_CODE_REPLY:
2931 hci_cc_pin_code_reply(hdev, skb);
2934 case HCI_OP_PIN_CODE_NEG_REPLY:
2935 hci_cc_pin_code_neg_reply(hdev, skb);
2938 case HCI_OP_READ_LOCAL_OOB_DATA:
2939 hci_cc_read_local_oob_data(hdev, skb);
2942 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2943 hci_cc_read_local_oob_ext_data(hdev, skb);
2946 case HCI_OP_LE_READ_BUFFER_SIZE:
2947 hci_cc_le_read_buffer_size(hdev, skb);
2950 case HCI_OP_LE_READ_LOCAL_FEATURES:
2951 hci_cc_le_read_local_features(hdev, skb);
2954 case HCI_OP_LE_READ_ADV_TX_POWER:
2955 hci_cc_le_read_adv_tx_power(hdev, skb);
2958 case HCI_OP_USER_CONFIRM_REPLY:
2959 hci_cc_user_confirm_reply(hdev, skb);
2962 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2963 hci_cc_user_confirm_neg_reply(hdev, skb);
2966 case HCI_OP_USER_PASSKEY_REPLY:
2967 hci_cc_user_passkey_reply(hdev, skb);
2970 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2971 hci_cc_user_passkey_neg_reply(hdev, skb);
2974 case HCI_OP_LE_SET_RANDOM_ADDR:
2975 hci_cc_le_set_random_addr(hdev, skb);
2978 case HCI_OP_LE_SET_ADV_ENABLE:
2979 hci_cc_le_set_adv_enable(hdev, skb);
2982 case HCI_OP_LE_SET_SCAN_PARAM:
2983 hci_cc_le_set_scan_param(hdev, skb);
2986 case HCI_OP_LE_SET_SCAN_ENABLE:
2987 hci_cc_le_set_scan_enable(hdev, skb);
2990 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2991 hci_cc_le_read_white_list_size(hdev, skb);
2994 case HCI_OP_LE_CLEAR_WHITE_LIST:
2995 hci_cc_le_clear_white_list(hdev, skb);
2998 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2999 hci_cc_le_add_to_white_list(hdev, skb);
3002 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3003 hci_cc_le_del_from_white_list(hdev, skb);
3006 case HCI_OP_LE_READ_SUPPORTED_STATES:
3007 hci_cc_le_read_supported_states(hdev, skb);
3010 case HCI_OP_LE_READ_DEF_DATA_LEN:
3011 hci_cc_le_read_def_data_len(hdev, skb);
3014 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3015 hci_cc_le_write_def_data_len(hdev, skb);
3018 case HCI_OP_LE_READ_MAX_DATA_LEN:
3019 hci_cc_le_read_max_data_len(hdev, skb);
3022 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3023 hci_cc_write_le_host_supported(hdev, skb);
3026 case HCI_OP_LE_SET_ADV_PARAM:
3027 hci_cc_set_adv_param(hdev, skb);
3030 case HCI_OP_READ_RSSI:
3031 hci_cc_read_rssi(hdev, skb);
3034 case HCI_OP_READ_TX_POWER:
3035 hci_cc_read_tx_power(hdev, skb);
3038 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3039 hci_cc_write_ssp_debug_mode(hdev, skb);
3043 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3047 if (*opcode != HCI_OP_NOP)
3048 cancel_delayed_work(&hdev->cmd_timer);
3050 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3051 atomic_set(&hdev->cmd_cnt, 1);
3053 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3056 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3057 queue_work(hdev->workqueue, &hdev->cmd_work);
3060 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3061 u16 *opcode, u8 *status,
3062 hci_req_complete_t *req_complete,
3063 hci_req_complete_skb_t *req_complete_skb)
3065 struct hci_ev_cmd_status *ev = (void *) skb->data;
3067 skb_pull(skb, sizeof(*ev));
3069 *opcode = __le16_to_cpu(ev->opcode);
3070 *status = ev->status;
3073 case HCI_OP_INQUIRY:
3074 hci_cs_inquiry(hdev, ev->status);
3077 case HCI_OP_CREATE_CONN:
3078 hci_cs_create_conn(hdev, ev->status);
3081 case HCI_OP_DISCONNECT:
3082 hci_cs_disconnect(hdev, ev->status);
3085 case HCI_OP_ADD_SCO:
3086 hci_cs_add_sco(hdev, ev->status);
3089 case HCI_OP_AUTH_REQUESTED:
3090 hci_cs_auth_requested(hdev, ev->status);
3093 case HCI_OP_SET_CONN_ENCRYPT:
3094 hci_cs_set_conn_encrypt(hdev, ev->status);
3097 case HCI_OP_REMOTE_NAME_REQ:
3098 hci_cs_remote_name_req(hdev, ev->status);
3101 case HCI_OP_READ_REMOTE_FEATURES:
3102 hci_cs_read_remote_features(hdev, ev->status);
3105 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3106 hci_cs_read_remote_ext_features(hdev, ev->status);
3109 case HCI_OP_SETUP_SYNC_CONN:
3110 hci_cs_setup_sync_conn(hdev, ev->status);
3113 case HCI_OP_SNIFF_MODE:
3114 hci_cs_sniff_mode(hdev, ev->status);
3117 case HCI_OP_EXIT_SNIFF_MODE:
3118 hci_cs_exit_sniff_mode(hdev, ev->status);
3121 case HCI_OP_SWITCH_ROLE:
3122 hci_cs_switch_role(hdev, ev->status);
3125 case HCI_OP_LE_CREATE_CONN:
3126 hci_cs_le_create_conn(hdev, ev->status);
3129 case HCI_OP_LE_READ_REMOTE_FEATURES:
3130 hci_cs_le_read_remote_features(hdev, ev->status);
3133 case HCI_OP_LE_START_ENC:
3134 hci_cs_le_start_enc(hdev, ev->status);
3138 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3142 if (*opcode != HCI_OP_NOP)
3143 cancel_delayed_work(&hdev->cmd_timer);
3145 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3146 atomic_set(&hdev->cmd_cnt, 1);
3148 /* Indicate request completion if the command failed. Also, if
3149 * we're not waiting for a special event and we get a success
3150 * command status we should try to flag the request as completed
3151 * (since for this kind of commands there will not be a command
3155 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3156 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3159 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3160 queue_work(hdev->workqueue, &hdev->cmd_work);
3163 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3165 struct hci_ev_hardware_error *ev = (void *) skb->data;
3167 hdev->hw_error_code = ev->code;
3169 queue_work(hdev->req_workqueue, &hdev->error_reset);
3172 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3174 struct hci_ev_role_change *ev = (void *) skb->data;
3175 struct hci_conn *conn;
3177 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3181 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3184 conn->role = ev->role;
3186 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3188 hci_role_switch_cfm(conn, ev->status, ev->role);
3191 hci_dev_unlock(hdev);
3194 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3196 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3199 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3200 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3204 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3205 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3206 BT_DBG("%s bad parameters", hdev->name);
3210 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3212 for (i = 0; i < ev->num_hndl; i++) {
3213 struct hci_comp_pkts_info *info = &ev->handles[i];
3214 struct hci_conn *conn;
3215 __u16 handle, count;
3217 handle = __le16_to_cpu(info->handle);
3218 count = __le16_to_cpu(info->count);
3220 conn = hci_conn_hash_lookup_handle(hdev, handle);
3224 conn->sent -= count;
3226 switch (conn->type) {
3228 hdev->acl_cnt += count;
3229 if (hdev->acl_cnt > hdev->acl_pkts)
3230 hdev->acl_cnt = hdev->acl_pkts;
3234 if (hdev->le_pkts) {
3235 hdev->le_cnt += count;
3236 if (hdev->le_cnt > hdev->le_pkts)
3237 hdev->le_cnt = hdev->le_pkts;
3239 hdev->acl_cnt += count;
3240 if (hdev->acl_cnt > hdev->acl_pkts)
3241 hdev->acl_cnt = hdev->acl_pkts;
3246 hdev->sco_cnt += count;
3247 if (hdev->sco_cnt > hdev->sco_pkts)
3248 hdev->sco_cnt = hdev->sco_pkts;
3252 bt_dev_err(hdev, "unknown type %d conn %p",
3258 queue_work(hdev->workqueue, &hdev->tx_work);
3261 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3264 struct hci_chan *chan;
3266 switch (hdev->dev_type) {
3268 return hci_conn_hash_lookup_handle(hdev, handle);
3270 chan = hci_chan_lookup_handle(hdev, handle);
3275 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3282 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3284 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3287 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3288 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3292 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3293 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3294 BT_DBG("%s bad parameters", hdev->name);
3298 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3301 for (i = 0; i < ev->num_hndl; i++) {
3302 struct hci_comp_blocks_info *info = &ev->handles[i];
3303 struct hci_conn *conn = NULL;
3304 __u16 handle, block_count;
3306 handle = __le16_to_cpu(info->handle);
3307 block_count = __le16_to_cpu(info->blocks);
3309 conn = __hci_conn_lookup_handle(hdev, handle);
3313 conn->sent -= block_count;
3315 switch (conn->type) {
3318 hdev->block_cnt += block_count;
3319 if (hdev->block_cnt > hdev->num_blocks)
3320 hdev->block_cnt = hdev->num_blocks;
3324 bt_dev_err(hdev, "unknown type %d conn %p",
3330 queue_work(hdev->workqueue, &hdev->tx_work);
3333 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3335 struct hci_ev_mode_change *ev = (void *) skb->data;
3336 struct hci_conn *conn;
3338 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3342 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3344 conn->mode = ev->mode;
3346 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3348 if (conn->mode == HCI_CM_ACTIVE)
3349 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3351 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3354 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3355 hci_sco_setup(conn, ev->status);
3358 hci_dev_unlock(hdev);
3361 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3363 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3364 struct hci_conn *conn;
3366 BT_DBG("%s", hdev->name);
3370 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3374 if (conn->state == BT_CONNECTED) {
3375 hci_conn_hold(conn);
3376 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3377 hci_conn_drop(conn);
3380 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3381 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3382 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3383 sizeof(ev->bdaddr), &ev->bdaddr);
3384 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3387 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3392 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3396 hci_dev_unlock(hdev);
3399 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3401 if (key_type == HCI_LK_CHANGED_COMBINATION)
3404 conn->pin_length = pin_len;
3405 conn->key_type = key_type;
3408 case HCI_LK_LOCAL_UNIT:
3409 case HCI_LK_REMOTE_UNIT:
3410 case HCI_LK_DEBUG_COMBINATION:
3412 case HCI_LK_COMBINATION:
3414 conn->pending_sec_level = BT_SECURITY_HIGH;
3416 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3418 case HCI_LK_UNAUTH_COMBINATION_P192:
3419 case HCI_LK_UNAUTH_COMBINATION_P256:
3420 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3422 case HCI_LK_AUTH_COMBINATION_P192:
3423 conn->pending_sec_level = BT_SECURITY_HIGH;
3425 case HCI_LK_AUTH_COMBINATION_P256:
3426 conn->pending_sec_level = BT_SECURITY_FIPS;
3431 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3433 struct hci_ev_link_key_req *ev = (void *) skb->data;
3434 struct hci_cp_link_key_reply cp;
3435 struct hci_conn *conn;
3436 struct link_key *key;
3438 BT_DBG("%s", hdev->name);
3440 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3445 key = hci_find_link_key(hdev, &ev->bdaddr);
3447 BT_DBG("%s link key not found for %pMR", hdev->name,
3452 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3455 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3457 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3459 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3460 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3461 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3462 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3466 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3467 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3468 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3469 BT_DBG("%s ignoring key unauthenticated for high security",
3474 conn_set_key(conn, key->type, key->pin_len);
3477 bacpy(&cp.bdaddr, &ev->bdaddr);
3478 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3480 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3482 hci_dev_unlock(hdev);
3487 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3488 hci_dev_unlock(hdev);
3491 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3493 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3494 struct hci_conn *conn;
3495 struct link_key *key;
3499 BT_DBG("%s", hdev->name);
3503 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3507 hci_conn_hold(conn);
3508 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3509 hci_conn_drop(conn);
3511 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3512 conn_set_key(conn, ev->key_type, conn->pin_length);
3514 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3517 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3518 ev->key_type, pin_len, &persistent);
3522 /* Update connection information since adding the key will have
3523 * fixed up the type in the case of changed combination keys.
3525 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3526 conn_set_key(conn, key->type, key->pin_len);
3528 mgmt_new_link_key(hdev, key, persistent);
3530 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3531 * is set. If it's not set simply remove the key from the kernel
3532 * list (we've still notified user space about it but with
3533 * store_hint being 0).
3535 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3536 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3537 list_del_rcu(&key->list);
3538 kfree_rcu(key, rcu);
3543 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3545 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3548 hci_dev_unlock(hdev);
3551 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3553 struct hci_ev_clock_offset *ev = (void *) skb->data;
3554 struct hci_conn *conn;
3556 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3560 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3561 if (conn && !ev->status) {
3562 struct inquiry_entry *ie;
3564 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3566 ie->data.clock_offset = ev->clock_offset;
3567 ie->timestamp = jiffies;
3571 hci_dev_unlock(hdev);
3574 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3576 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3577 struct hci_conn *conn;
3579 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3583 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3584 if (conn && !ev->status)
3585 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3587 hci_dev_unlock(hdev);
3590 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3592 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3593 struct inquiry_entry *ie;
3595 BT_DBG("%s", hdev->name);
3599 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3601 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3602 ie->timestamp = jiffies;
3605 hci_dev_unlock(hdev);
3608 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3609 struct sk_buff *skb)
3611 struct inquiry_data data;
3612 int num_rsp = *((__u8 *) skb->data);
3614 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3619 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3624 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3625 struct inquiry_info_with_rssi_and_pscan_mode *info;
3626 info = (void *) (skb->data + 1);
3628 for (; num_rsp; num_rsp--, info++) {
3631 bacpy(&data.bdaddr, &info->bdaddr);
3632 data.pscan_rep_mode = info->pscan_rep_mode;
3633 data.pscan_period_mode = info->pscan_period_mode;
3634 data.pscan_mode = info->pscan_mode;
3635 memcpy(data.dev_class, info->dev_class, 3);
3636 data.clock_offset = info->clock_offset;
3637 data.rssi = info->rssi;
3638 data.ssp_mode = 0x00;
3640 flags = hci_inquiry_cache_update(hdev, &data, false);
3642 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3643 info->dev_class, info->rssi,
3644 flags, NULL, 0, NULL, 0);
3647 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3649 for (; num_rsp; num_rsp--, info++) {
3652 bacpy(&data.bdaddr, &info->bdaddr);
3653 data.pscan_rep_mode = info->pscan_rep_mode;
3654 data.pscan_period_mode = info->pscan_period_mode;
3655 data.pscan_mode = 0x00;
3656 memcpy(data.dev_class, info->dev_class, 3);
3657 data.clock_offset = info->clock_offset;
3658 data.rssi = info->rssi;
3659 data.ssp_mode = 0x00;
3661 flags = hci_inquiry_cache_update(hdev, &data, false);
3663 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3664 info->dev_class, info->rssi,
3665 flags, NULL, 0, NULL, 0);
3669 hci_dev_unlock(hdev);
3672 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3673 struct sk_buff *skb)
3675 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3676 struct hci_conn *conn;
3678 BT_DBG("%s", hdev->name);
3682 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3686 if (ev->page < HCI_MAX_PAGES)
3687 memcpy(conn->features[ev->page], ev->features, 8);
3689 if (!ev->status && ev->page == 0x01) {
3690 struct inquiry_entry *ie;
3692 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3694 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3696 if (ev->features[0] & LMP_HOST_SSP) {
3697 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3699 /* It is mandatory by the Bluetooth specification that
3700 * Extended Inquiry Results are only used when Secure
3701 * Simple Pairing is enabled, but some devices violate
3704 * To make these devices work, the internal SSP
3705 * enabled flag needs to be cleared if the remote host
3706 * features do not indicate SSP support */
3707 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3710 if (ev->features[0] & LMP_HOST_SC)
3711 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3714 if (conn->state != BT_CONFIG)
3717 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3718 struct hci_cp_remote_name_req cp;
3719 memset(&cp, 0, sizeof(cp));
3720 bacpy(&cp.bdaddr, &conn->dst);
3721 cp.pscan_rep_mode = 0x02;
3722 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3723 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3724 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3726 if (!hci_outgoing_auth_needed(hdev, conn)) {
3727 conn->state = BT_CONNECTED;
3728 hci_connect_cfm(conn, ev->status);
3729 hci_conn_drop(conn);
3733 hci_dev_unlock(hdev);
3736 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3737 struct sk_buff *skb)
3739 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3740 struct hci_conn *conn;
3742 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3746 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3748 if (ev->link_type == ESCO_LINK)
3751 /* When the link type in the event indicates SCO connection
3752 * and lookup of the connection object fails, then check
3753 * if an eSCO connection object exists.
3755 * The core limits the synchronous connections to either
3756 * SCO or eSCO. The eSCO connection is preferred and tried
3757 * to be setup first and until successfully established,
3758 * the link type will be hinted as eSCO.
3760 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3765 switch (ev->status) {
3767 conn->handle = __le16_to_cpu(ev->handle);
3768 conn->state = BT_CONNECTED;
3769 conn->type = ev->link_type;
3771 hci_debugfs_create_conn(conn);
3772 hci_conn_add_sysfs(conn);
3775 case 0x10: /* Connection Accept Timeout */
3776 case 0x0d: /* Connection Rejected due to Limited Resources */
3777 case 0x11: /* Unsupported Feature or Parameter Value */
3778 case 0x1c: /* SCO interval rejected */
3779 case 0x1a: /* Unsupported Remote Feature */
3780 case 0x1f: /* Unspecified error */
3781 case 0x20: /* Unsupported LMP Parameter value */
3783 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3784 (hdev->esco_type & EDR_ESCO_MASK);
3785 if (hci_setup_sync(conn, conn->link->handle))
3791 conn->state = BT_CLOSED;
3795 hci_connect_cfm(conn, ev->status);
3800 hci_dev_unlock(hdev);
3803 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3807 while (parsed < eir_len) {
3808 u8 field_len = eir[0];
3813 parsed += field_len + 1;
3814 eir += field_len + 1;
3820 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3821 struct sk_buff *skb)
3823 struct inquiry_data data;
3824 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3825 int num_rsp = *((__u8 *) skb->data);
3828 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3833 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3838 for (; num_rsp; num_rsp--, info++) {
3842 bacpy(&data.bdaddr, &info->bdaddr);
3843 data.pscan_rep_mode = info->pscan_rep_mode;
3844 data.pscan_period_mode = info->pscan_period_mode;
3845 data.pscan_mode = 0x00;
3846 memcpy(data.dev_class, info->dev_class, 3);
3847 data.clock_offset = info->clock_offset;
3848 data.rssi = info->rssi;
3849 data.ssp_mode = 0x01;
3851 if (hci_dev_test_flag(hdev, HCI_MGMT))
3852 name_known = eir_get_data(info->data,
3854 EIR_NAME_COMPLETE, NULL);
3858 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3860 eir_len = eir_get_length(info->data, sizeof(info->data));
3862 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3863 info->dev_class, info->rssi,
3864 flags, info->data, eir_len, NULL, 0);
3867 hci_dev_unlock(hdev);
3870 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3871 struct sk_buff *skb)
3873 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3874 struct hci_conn *conn;
3876 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3877 __le16_to_cpu(ev->handle));
3881 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3885 /* For BR/EDR the necessary steps are taken through the
3886 * auth_complete event.
3888 if (conn->type != LE_LINK)
3892 conn->sec_level = conn->pending_sec_level;
3894 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3896 if (ev->status && conn->state == BT_CONNECTED) {
3897 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3898 hci_conn_drop(conn);
3902 if (conn->state == BT_CONFIG) {
3904 conn->state = BT_CONNECTED;
3906 hci_connect_cfm(conn, ev->status);
3907 hci_conn_drop(conn);
3909 hci_auth_cfm(conn, ev->status);
3911 hci_conn_hold(conn);
3912 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3913 hci_conn_drop(conn);
3917 hci_dev_unlock(hdev);
3920 static u8 hci_get_auth_req(struct hci_conn *conn)
3922 /* If remote requests no-bonding follow that lead */
3923 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3924 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3925 return conn->remote_auth | (conn->auth_type & 0x01);
3927 /* If both remote and local have enough IO capabilities, require
3930 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3931 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3932 return conn->remote_auth | 0x01;
3934 /* No MITM protection possible so ignore remote requirement */
3935 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3938 static u8 bredr_oob_data_present(struct hci_conn *conn)
3940 struct hci_dev *hdev = conn->hdev;
3941 struct oob_data *data;
3943 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3947 if (bredr_sc_enabled(hdev)) {
3948 /* When Secure Connections is enabled, then just
3949 * return the present value stored with the OOB
3950 * data. The stored value contains the right present
3951 * information. However it can only be trusted when
3952 * not in Secure Connection Only mode.
3954 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3955 return data->present;
3957 /* When Secure Connections Only mode is enabled, then
3958 * the P-256 values are required. If they are not
3959 * available, then do not declare that OOB data is
3962 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3963 !memcmp(data->hash256, ZERO_KEY, 16))
3969 /* When Secure Connections is not enabled or actually
3970 * not supported by the hardware, then check that if
3971 * P-192 data values are present.
3973 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3974 !memcmp(data->hash192, ZERO_KEY, 16))
3980 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3982 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3983 struct hci_conn *conn;
3985 BT_DBG("%s", hdev->name);
3989 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3993 hci_conn_hold(conn);
3995 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3998 /* Allow pairing if we're pairable, the initiators of the
3999 * pairing or if the remote is not requesting bonding.
4001 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4002 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4003 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4004 struct hci_cp_io_capability_reply cp;
4006 bacpy(&cp.bdaddr, &ev->bdaddr);
4007 /* Change the IO capability from KeyboardDisplay
4008 * to DisplayYesNo as it is not supported by BT spec. */
4009 cp.capability = (conn->io_capability == 0x04) ?
4010 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4012 /* If we are initiators, there is no remote information yet */
4013 if (conn->remote_auth == 0xff) {
4014 /* Request MITM protection if our IO caps allow it
4015 * except for the no-bonding case.
4017 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4018 conn->auth_type != HCI_AT_NO_BONDING)
4019 conn->auth_type |= 0x01;
4021 conn->auth_type = hci_get_auth_req(conn);
4024 /* If we're not bondable, force one of the non-bondable
4025 * authentication requirement values.
4027 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4028 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4030 cp.authentication = conn->auth_type;
4031 cp.oob_data = bredr_oob_data_present(conn);
4033 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4036 struct hci_cp_io_capability_neg_reply cp;
4038 bacpy(&cp.bdaddr, &ev->bdaddr);
4039 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4041 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4046 hci_dev_unlock(hdev);
4049 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4051 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4052 struct hci_conn *conn;
4054 BT_DBG("%s", hdev->name);
4058 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4062 conn->remote_cap = ev->capability;
4063 conn->remote_auth = ev->authentication;
4066 hci_dev_unlock(hdev);
4069 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4070 struct sk_buff *skb)
4072 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4073 int loc_mitm, rem_mitm, confirm_hint = 0;
4074 struct hci_conn *conn;
4076 BT_DBG("%s", hdev->name);
4080 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4083 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4087 loc_mitm = (conn->auth_type & 0x01);
4088 rem_mitm = (conn->remote_auth & 0x01);
4090 /* If we require MITM but the remote device can't provide that
4091 * (it has NoInputNoOutput) then reject the confirmation
4092 * request. We check the security level here since it doesn't
4093 * necessarily match conn->auth_type.
4095 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4096 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4097 BT_DBG("Rejecting request: remote device can't provide MITM");
4098 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4099 sizeof(ev->bdaddr), &ev->bdaddr);
4103 /* If no side requires MITM protection; auto-accept */
4104 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4105 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4107 /* If we're not the initiators request authorization to
4108 * proceed from user space (mgmt_user_confirm with
4109 * confirm_hint set to 1). The exception is if neither
4110 * side had MITM or if the local IO capability is
4111 * NoInputNoOutput, in which case we do auto-accept
4113 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4114 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4115 (loc_mitm || rem_mitm)) {
4116 BT_DBG("Confirming auto-accept as acceptor");
4121 BT_DBG("Auto-accept of user confirmation with %ums delay",
4122 hdev->auto_accept_delay);
4124 if (hdev->auto_accept_delay > 0) {
4125 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4126 queue_delayed_work(conn->hdev->workqueue,
4127 &conn->auto_accept_work, delay);
4131 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4132 sizeof(ev->bdaddr), &ev->bdaddr);
4137 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4138 le32_to_cpu(ev->passkey), confirm_hint);
4141 hci_dev_unlock(hdev);
4144 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4145 struct sk_buff *skb)
4147 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4149 BT_DBG("%s", hdev->name);
4151 if (hci_dev_test_flag(hdev, HCI_MGMT))
4152 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4155 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4156 struct sk_buff *skb)
4158 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4159 struct hci_conn *conn;
4161 BT_DBG("%s", hdev->name);
4163 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4167 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4168 conn->passkey_entered = 0;
4170 if (hci_dev_test_flag(hdev, HCI_MGMT))
4171 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4172 conn->dst_type, conn->passkey_notify,
4173 conn->passkey_entered);
4176 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4178 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4179 struct hci_conn *conn;
4181 BT_DBG("%s", hdev->name);
4183 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4188 case HCI_KEYPRESS_STARTED:
4189 conn->passkey_entered = 0;
4192 case HCI_KEYPRESS_ENTERED:
4193 conn->passkey_entered++;
4196 case HCI_KEYPRESS_ERASED:
4197 conn->passkey_entered--;
4200 case HCI_KEYPRESS_CLEARED:
4201 conn->passkey_entered = 0;
4204 case HCI_KEYPRESS_COMPLETED:
4208 if (hci_dev_test_flag(hdev, HCI_MGMT))
4209 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4210 conn->dst_type, conn->passkey_notify,
4211 conn->passkey_entered);
4214 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4215 struct sk_buff *skb)
4217 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4218 struct hci_conn *conn;
4220 BT_DBG("%s", hdev->name);
4224 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4228 /* Reset the authentication requirement to unknown */
4229 conn->remote_auth = 0xff;
4231 /* To avoid duplicate auth_failed events to user space we check
4232 * the HCI_CONN_AUTH_PEND flag which will be set if we
4233 * initiated the authentication. A traditional auth_complete
4234 * event gets always produced as initiator and is also mapped to
4235 * the mgmt_auth_failed event */
4236 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4237 mgmt_auth_failed(conn, ev->status);
4239 hci_conn_drop(conn);
4242 hci_dev_unlock(hdev);
4245 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4246 struct sk_buff *skb)
4248 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4249 struct inquiry_entry *ie;
4250 struct hci_conn *conn;
4252 BT_DBG("%s", hdev->name);
4256 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4258 memcpy(conn->features[1], ev->features, 8);
4260 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4262 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4264 hci_dev_unlock(hdev);
4267 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4268 struct sk_buff *skb)
4270 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4271 struct oob_data *data;
4273 BT_DBG("%s", hdev->name);
4277 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4280 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4282 struct hci_cp_remote_oob_data_neg_reply cp;
4284 bacpy(&cp.bdaddr, &ev->bdaddr);
4285 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4290 if (bredr_sc_enabled(hdev)) {
4291 struct hci_cp_remote_oob_ext_data_reply cp;
4293 bacpy(&cp.bdaddr, &ev->bdaddr);
4294 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4295 memset(cp.hash192, 0, sizeof(cp.hash192));
4296 memset(cp.rand192, 0, sizeof(cp.rand192));
4298 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4299 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4301 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4302 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4304 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4307 struct hci_cp_remote_oob_data_reply cp;
4309 bacpy(&cp.bdaddr, &ev->bdaddr);
4310 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4311 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4313 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4318 hci_dev_unlock(hdev);
4321 #if IS_ENABLED(CONFIG_BT_HS)
4322 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4324 struct hci_ev_channel_selected *ev = (void *)skb->data;
4325 struct hci_conn *hcon;
4327 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4329 skb_pull(skb, sizeof(*ev));
4331 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4335 amp_read_loc_assoc_final_data(hdev, hcon);
4338 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4339 struct sk_buff *skb)
4341 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4342 struct hci_conn *hcon, *bredr_hcon;
4344 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4349 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4351 hci_dev_unlock(hdev);
4357 hci_dev_unlock(hdev);
4361 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4363 hcon->state = BT_CONNECTED;
4364 bacpy(&hcon->dst, &bredr_hcon->dst);
4366 hci_conn_hold(hcon);
4367 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4368 hci_conn_drop(hcon);
4370 hci_debugfs_create_conn(hcon);
4371 hci_conn_add_sysfs(hcon);
4373 amp_physical_cfm(bredr_hcon, hcon);
4375 hci_dev_unlock(hdev);
4378 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4380 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4381 struct hci_conn *hcon;
4382 struct hci_chan *hchan;
4383 struct amp_mgr *mgr;
4385 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4386 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4389 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4393 /* Create AMP hchan */
4394 hchan = hci_chan_create(hcon);
4398 hchan->handle = le16_to_cpu(ev->handle);
4400 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4402 mgr = hcon->amp_mgr;
4403 if (mgr && mgr->bredr_chan) {
4404 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4406 l2cap_chan_lock(bredr_chan);
4408 bredr_chan->conn->mtu = hdev->block_mtu;
4409 l2cap_logical_cfm(bredr_chan, hchan, 0);
4410 hci_conn_hold(hcon);
4412 l2cap_chan_unlock(bredr_chan);
4416 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4417 struct sk_buff *skb)
4419 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4420 struct hci_chan *hchan;
4422 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4423 le16_to_cpu(ev->handle), ev->status);
4430 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4434 amp_destroy_logical_link(hchan, ev->reason);
4437 hci_dev_unlock(hdev);
4440 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4441 struct sk_buff *skb)
4443 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4444 struct hci_conn *hcon;
4446 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4453 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4455 hcon->state = BT_CLOSED;
4459 hci_dev_unlock(hdev);
4463 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4465 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4466 struct hci_conn_params *params;
4467 struct hci_conn *conn;
4468 struct smp_irk *irk;
4471 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4475 /* All controllers implicitly stop advertising in the event of a
4476 * connection, so ensure that the state bit is cleared.
4478 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4480 conn = hci_lookup_le_connect(hdev);
4482 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4484 bt_dev_err(hdev, "no memory for new connection");
4488 conn->dst_type = ev->bdaddr_type;
4490 /* If we didn't have a hci_conn object previously
4491 * but we're in master role this must be something
4492 * initiated using a white list. Since white list based
4493 * connections are not "first class citizens" we don't
4494 * have full tracking of them. Therefore, we go ahead
4495 * with a "best effort" approach of determining the
4496 * initiator address based on the HCI_PRIVACY flag.
4499 conn->resp_addr_type = ev->bdaddr_type;
4500 bacpy(&conn->resp_addr, &ev->bdaddr);
4501 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4502 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4503 bacpy(&conn->init_addr, &hdev->rpa);
4505 hci_copy_identity_address(hdev,
4507 &conn->init_addr_type);
4511 cancel_delayed_work(&conn->le_conn_timeout);
4515 /* Set the responder (our side) address type based on
4516 * the advertising address type.
4518 conn->resp_addr_type = hdev->adv_addr_type;
4519 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4520 bacpy(&conn->resp_addr, &hdev->random_addr);
4522 bacpy(&conn->resp_addr, &hdev->bdaddr);
4524 conn->init_addr_type = ev->bdaddr_type;
4525 bacpy(&conn->init_addr, &ev->bdaddr);
4527 /* For incoming connections, set the default minimum
4528 * and maximum connection interval. They will be used
4529 * to check if the parameters are in range and if not
4530 * trigger the connection update procedure.
4532 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4533 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4536 /* Lookup the identity address from the stored connection
4537 * address and address type.
4539 * When establishing connections to an identity address, the
4540 * connection procedure will store the resolvable random
4541 * address first. Now if it can be converted back into the
4542 * identity address, start using the identity address from
4545 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4547 bacpy(&conn->dst, &irk->bdaddr);
4548 conn->dst_type = irk->addr_type;
4552 hci_le_conn_failed(conn, ev->status);
4556 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4557 addr_type = BDADDR_LE_PUBLIC;
4559 addr_type = BDADDR_LE_RANDOM;
4561 /* Drop the connection if the device is blocked */
4562 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4563 hci_conn_drop(conn);
4567 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4568 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4570 conn->sec_level = BT_SECURITY_LOW;
4571 conn->handle = __le16_to_cpu(ev->handle);
4572 conn->state = BT_CONFIG;
4574 conn->le_conn_interval = le16_to_cpu(ev->interval);
4575 conn->le_conn_latency = le16_to_cpu(ev->latency);
4576 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4578 hci_debugfs_create_conn(conn);
4579 hci_conn_add_sysfs(conn);
4582 /* The remote features procedure is defined for master
4583 * role only. So only in case of an initiated connection
4584 * request the remote features.
4586 * If the local controller supports slave-initiated features
4587 * exchange, then requesting the remote features in slave
4588 * role is possible. Otherwise just transition into the
4589 * connected state without requesting the remote features.
4592 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4593 struct hci_cp_le_read_remote_features cp;
4595 cp.handle = __cpu_to_le16(conn->handle);
4597 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4600 hci_conn_hold(conn);
4602 conn->state = BT_CONNECTED;
4603 hci_connect_cfm(conn, ev->status);
4606 hci_connect_cfm(conn, ev->status);
4609 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4612 list_del_init(¶ms->action);
4614 hci_conn_drop(params->conn);
4615 hci_conn_put(params->conn);
4616 params->conn = NULL;
4621 hci_update_background_scan(hdev);
4622 hci_dev_unlock(hdev);
4625 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4626 struct sk_buff *skb)
4628 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4629 struct hci_conn *conn;
4631 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4638 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4640 conn->le_conn_interval = le16_to_cpu(ev->interval);
4641 conn->le_conn_latency = le16_to_cpu(ev->latency);
4642 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4645 hci_dev_unlock(hdev);
4648 /* This function requires the caller holds hdev->lock */
4649 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4651 u8 addr_type, u8 adv_type,
4652 bdaddr_t *direct_rpa)
4654 struct hci_conn *conn;
4655 struct hci_conn_params *params;
4657 /* If the event is not connectable don't proceed further */
4658 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4661 /* Ignore if the device is blocked */
4662 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4665 /* Most controller will fail if we try to create new connections
4666 * while we have an existing one in slave role.
4668 if (hdev->conn_hash.le_num_slave > 0)
4671 /* If we're not connectable only connect devices that we have in
4672 * our pend_le_conns list.
4674 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4679 if (!params->explicit_connect) {
4680 switch (params->auto_connect) {
4681 case HCI_AUTO_CONN_DIRECT:
4682 /* Only devices advertising with ADV_DIRECT_IND are
4683 * triggering a connection attempt. This is allowing
4684 * incoming connections from slave devices.
4686 if (adv_type != LE_ADV_DIRECT_IND)
4689 case HCI_AUTO_CONN_ALWAYS:
4690 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4691 * are triggering a connection attempt. This means
4692 * that incoming connectioms from slave device are
4693 * accepted and also outgoing connections to slave
4694 * devices are established when found.
4702 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4703 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
4705 if (!IS_ERR(conn)) {
4706 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4707 * by higher layer that tried to connect, if no then
4708 * store the pointer since we don't really have any
4709 * other owner of the object besides the params that
4710 * triggered it. This way we can abort the connection if
4711 * the parameters get removed and keep the reference
4712 * count consistent once the connection is established.
4715 if (!params->explicit_connect)
4716 params->conn = hci_conn_get(conn);
4721 switch (PTR_ERR(conn)) {
4723 /* If hci_connect() returns -EBUSY it means there is already
4724 * an LE connection attempt going on. Since controllers don't
4725 * support more than one connection attempt at the time, we
4726 * don't consider this an error case.
4730 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4737 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4738 u8 bdaddr_type, bdaddr_t *direct_addr,
4739 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4741 struct discovery_state *d = &hdev->discovery;
4742 struct smp_irk *irk;
4743 struct hci_conn *conn;
4750 case LE_ADV_DIRECT_IND:
4751 case LE_ADV_SCAN_IND:
4752 case LE_ADV_NONCONN_IND:
4753 case LE_ADV_SCAN_RSP:
4756 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
4757 "type: 0x%02x", type);
4761 /* Find the end of the data in case the report contains padded zero
4762 * bytes at the end causing an invalid length value.
4764 * When data is NULL, len is 0 so there is no need for extra ptr
4765 * check as 'ptr < data + 0' is already false in such case.
4767 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4768 if (ptr + 1 + *ptr > data + len)
4772 real_len = ptr - data;
4774 /* Adjust for actual length */
4775 if (len != real_len) {
4776 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
4780 /* If the direct address is present, then this report is from
4781 * a LE Direct Advertising Report event. In that case it is
4782 * important to see if the address is matching the local
4783 * controller address.
4786 /* Only resolvable random addresses are valid for these
4787 * kind of reports and others can be ignored.
4789 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4792 /* If the controller is not using resolvable random
4793 * addresses, then this report can be ignored.
4795 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4798 /* If the local IRK of the controller does not match
4799 * with the resolvable random address provided, then
4800 * this report can be ignored.
4802 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4806 /* Check if we need to convert to identity address */
4807 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4809 bdaddr = &irk->bdaddr;
4810 bdaddr_type = irk->addr_type;
4813 /* Check if we have been requested to connect to this device.
4815 * direct_addr is set only for directed advertising reports (it is NULL
4816 * for advertising reports) and is already verified to be RPA above.
4818 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
4820 if (conn && type == LE_ADV_IND) {
4821 /* Store report for later inclusion by
4822 * mgmt_device_connected
4824 memcpy(conn->le_adv_data, data, len);
4825 conn->le_adv_data_len = len;
4828 /* Passive scanning shouldn't trigger any device found events,
4829 * except for devices marked as CONN_REPORT for which we do send
4830 * device found events.
4832 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4833 if (type == LE_ADV_DIRECT_IND)
4836 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4837 bdaddr, bdaddr_type))
4840 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4841 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4844 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4845 rssi, flags, data, len, NULL, 0);
4849 /* When receiving non-connectable or scannable undirected
4850 * advertising reports, this means that the remote device is
4851 * not connectable and then clearly indicate this in the
4852 * device found event.
4854 * When receiving a scan response, then there is no way to
4855 * know if the remote device is connectable or not. However
4856 * since scan responses are merged with a previously seen
4857 * advertising report, the flags field from that report
4860 * In the really unlikely case that a controller get confused
4861 * and just sends a scan response event, then it is marked as
4862 * not connectable as well.
4864 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4865 type == LE_ADV_SCAN_RSP)
4866 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4870 /* If there's nothing pending either store the data from this
4871 * event or send an immediate device found event if the data
4872 * should not be stored for later.
4874 if (!has_pending_adv_report(hdev)) {
4875 /* If the report will trigger a SCAN_REQ store it for
4878 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4879 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4880 rssi, flags, data, len);
4884 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885 rssi, flags, data, len, NULL, 0);
4889 /* Check if the pending report is for the same device as the new one */
4890 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4891 bdaddr_type == d->last_adv_addr_type);
4893 /* If the pending data doesn't match this report or this isn't a
4894 * scan response (e.g. we got a duplicate ADV_IND) then force
4895 * sending of the pending data.
4897 if (type != LE_ADV_SCAN_RSP || !match) {
4898 /* Send out whatever is in the cache, but skip duplicates */
4900 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4901 d->last_adv_addr_type, NULL,
4902 d->last_adv_rssi, d->last_adv_flags,
4904 d->last_adv_data_len, NULL, 0);
4906 /* If the new report will trigger a SCAN_REQ store it for
4909 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4910 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4911 rssi, flags, data, len);
4915 /* The advertising reports cannot be merged, so clear
4916 * the pending report and send out a device found event.
4918 clear_pending_adv_report(hdev);
4919 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4920 rssi, flags, data, len, NULL, 0);
4924 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4925 * the new event is a SCAN_RSP. We can therefore proceed with
4926 * sending a merged device found event.
4928 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4929 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4930 d->last_adv_data, d->last_adv_data_len, data, len);
4931 clear_pending_adv_report(hdev);
4934 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4936 u8 num_reports = skb->data[0];
4937 void *ptr = &skb->data[1];
4941 while (num_reports--) {
4942 struct hci_ev_le_advertising_info *ev = ptr;
4945 if (ev->length <= HCI_MAX_AD_LENGTH) {
4946 rssi = ev->data[ev->length];
4947 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4948 ev->bdaddr_type, NULL, 0, rssi,
4949 ev->data, ev->length);
4951 bt_dev_err(hdev, "Dropping invalid advertising data");
4954 ptr += sizeof(*ev) + ev->length + 1;
4957 hci_dev_unlock(hdev);
4960 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4961 struct sk_buff *skb)
4963 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4964 struct hci_conn *conn;
4966 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4970 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4973 memcpy(conn->features[0], ev->features, 8);
4975 if (conn->state == BT_CONFIG) {
4978 /* If the local controller supports slave-initiated
4979 * features exchange, but the remote controller does
4980 * not, then it is possible that the error code 0x1a
4981 * for unsupported remote feature gets returned.
4983 * In this specific case, allow the connection to
4984 * transition into connected state and mark it as
4987 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4988 !conn->out && ev->status == 0x1a)
4991 status = ev->status;
4993 conn->state = BT_CONNECTED;
4994 hci_connect_cfm(conn, status);
4995 hci_conn_drop(conn);
4999 hci_dev_unlock(hdev);
5002 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5004 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5005 struct hci_cp_le_ltk_reply cp;
5006 struct hci_cp_le_ltk_neg_reply neg;
5007 struct hci_conn *conn;
5008 struct smp_ltk *ltk;
5010 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5014 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5018 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5022 if (smp_ltk_is_sc(ltk)) {
5023 /* With SC both EDiv and Rand are set to zero */
5024 if (ev->ediv || ev->rand)
5027 /* For non-SC keys check that EDiv and Rand match */
5028 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5032 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5033 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5034 cp.handle = cpu_to_le16(conn->handle);
5036 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5038 conn->enc_key_size = ltk->enc_size;
5040 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5042 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5043 * temporary key used to encrypt a connection following
5044 * pairing. It is used during the Encrypted Session Setup to
5045 * distribute the keys. Later, security can be re-established
5046 * using a distributed LTK.
5048 if (ltk->type == SMP_STK) {
5049 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5050 list_del_rcu(<k->list);
5051 kfree_rcu(ltk, rcu);
5053 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5056 hci_dev_unlock(hdev);
5061 neg.handle = ev->handle;
5062 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5063 hci_dev_unlock(hdev);
5066 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5069 struct hci_cp_le_conn_param_req_neg_reply cp;
5071 cp.handle = cpu_to_le16(handle);
5074 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5078 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5079 struct sk_buff *skb)
5081 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5082 struct hci_cp_le_conn_param_req_reply cp;
5083 struct hci_conn *hcon;
5084 u16 handle, min, max, latency, timeout;
5086 handle = le16_to_cpu(ev->handle);
5087 min = le16_to_cpu(ev->interval_min);
5088 max = le16_to_cpu(ev->interval_max);
5089 latency = le16_to_cpu(ev->latency);
5090 timeout = le16_to_cpu(ev->timeout);
5092 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5093 if (!hcon || hcon->state != BT_CONNECTED)
5094 return send_conn_param_neg_reply(hdev, handle,
5095 HCI_ERROR_UNKNOWN_CONN_ID);
5097 if (hci_check_conn_params(min, max, latency, timeout))
5098 return send_conn_param_neg_reply(hdev, handle,
5099 HCI_ERROR_INVALID_LL_PARAMS);
5101 if (hcon->role == HCI_ROLE_MASTER) {
5102 struct hci_conn_params *params;
5107 params = hci_conn_params_lookup(hdev, &hcon->dst,
5110 params->conn_min_interval = min;
5111 params->conn_max_interval = max;
5112 params->conn_latency = latency;
5113 params->supervision_timeout = timeout;
5119 hci_dev_unlock(hdev);
5121 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5122 store_hint, min, max, latency, timeout);
5125 cp.handle = ev->handle;
5126 cp.interval_min = ev->interval_min;
5127 cp.interval_max = ev->interval_max;
5128 cp.latency = ev->latency;
5129 cp.timeout = ev->timeout;
5133 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5136 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5137 struct sk_buff *skb)
5139 u8 num_reports = skb->data[0];
5140 void *ptr = &skb->data[1];
5144 while (num_reports--) {
5145 struct hci_ev_le_direct_adv_info *ev = ptr;
5147 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5148 ev->bdaddr_type, &ev->direct_addr,
5149 ev->direct_addr_type, ev->rssi, NULL, 0);
5154 hci_dev_unlock(hdev);
5157 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5159 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5161 skb_pull(skb, sizeof(*le_ev));
5163 switch (le_ev->subevent) {
5164 case HCI_EV_LE_CONN_COMPLETE:
5165 hci_le_conn_complete_evt(hdev, skb);
5168 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5169 hci_le_conn_update_complete_evt(hdev, skb);
5172 case HCI_EV_LE_ADVERTISING_REPORT:
5173 hci_le_adv_report_evt(hdev, skb);
5176 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5177 hci_le_remote_feat_complete_evt(hdev, skb);
5180 case HCI_EV_LE_LTK_REQ:
5181 hci_le_ltk_request_evt(hdev, skb);
5184 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5185 hci_le_remote_conn_param_req_evt(hdev, skb);
5188 case HCI_EV_LE_DIRECT_ADV_REPORT:
5189 hci_le_direct_adv_report_evt(hdev, skb);
5197 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5198 u8 event, struct sk_buff *skb)
5200 struct hci_ev_cmd_complete *ev;
5201 struct hci_event_hdr *hdr;
5206 if (skb->len < sizeof(*hdr)) {
5207 bt_dev_err(hdev, "too short HCI event");
5211 hdr = (void *) skb->data;
5212 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5215 if (hdr->evt != event)
5220 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5221 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5226 if (skb->len < sizeof(*ev)) {
5227 bt_dev_err(hdev, "too short cmd_complete event");
5231 ev = (void *) skb->data;
5232 skb_pull(skb, sizeof(*ev));
5234 if (opcode != __le16_to_cpu(ev->opcode)) {
5235 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5236 __le16_to_cpu(ev->opcode));
5243 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5245 struct hci_event_hdr *hdr = (void *) skb->data;
5246 hci_req_complete_t req_complete = NULL;
5247 hci_req_complete_skb_t req_complete_skb = NULL;
5248 struct sk_buff *orig_skb = NULL;
5249 u8 status = 0, event = hdr->evt, req_evt = 0;
5250 u16 opcode = HCI_OP_NOP;
5252 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5253 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5254 opcode = __le16_to_cpu(cmd_hdr->opcode);
5255 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5260 /* If it looks like we might end up having to call
5261 * req_complete_skb, store a pristine copy of the skb since the
5262 * various handlers may modify the original one through
5263 * skb_pull() calls, etc.
5265 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5266 event == HCI_EV_CMD_COMPLETE)
5267 orig_skb = skb_clone(skb, GFP_KERNEL);
5269 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5272 case HCI_EV_INQUIRY_COMPLETE:
5273 hci_inquiry_complete_evt(hdev, skb);
5276 case HCI_EV_INQUIRY_RESULT:
5277 hci_inquiry_result_evt(hdev, skb);
5280 case HCI_EV_CONN_COMPLETE:
5281 hci_conn_complete_evt(hdev, skb);
5284 case HCI_EV_CONN_REQUEST:
5285 hci_conn_request_evt(hdev, skb);
5288 case HCI_EV_DISCONN_COMPLETE:
5289 hci_disconn_complete_evt(hdev, skb);
5292 case HCI_EV_AUTH_COMPLETE:
5293 hci_auth_complete_evt(hdev, skb);
5296 case HCI_EV_REMOTE_NAME:
5297 hci_remote_name_evt(hdev, skb);
5300 case HCI_EV_ENCRYPT_CHANGE:
5301 hci_encrypt_change_evt(hdev, skb);
5304 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5305 hci_change_link_key_complete_evt(hdev, skb);
5308 case HCI_EV_REMOTE_FEATURES:
5309 hci_remote_features_evt(hdev, skb);
5312 case HCI_EV_CMD_COMPLETE:
5313 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5314 &req_complete, &req_complete_skb);
5317 case HCI_EV_CMD_STATUS:
5318 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5322 case HCI_EV_HARDWARE_ERROR:
5323 hci_hardware_error_evt(hdev, skb);
5326 case HCI_EV_ROLE_CHANGE:
5327 hci_role_change_evt(hdev, skb);
5330 case HCI_EV_NUM_COMP_PKTS:
5331 hci_num_comp_pkts_evt(hdev, skb);
5334 case HCI_EV_MODE_CHANGE:
5335 hci_mode_change_evt(hdev, skb);
5338 case HCI_EV_PIN_CODE_REQ:
5339 hci_pin_code_request_evt(hdev, skb);
5342 case HCI_EV_LINK_KEY_REQ:
5343 hci_link_key_request_evt(hdev, skb);
5346 case HCI_EV_LINK_KEY_NOTIFY:
5347 hci_link_key_notify_evt(hdev, skb);
5350 case HCI_EV_CLOCK_OFFSET:
5351 hci_clock_offset_evt(hdev, skb);
5354 case HCI_EV_PKT_TYPE_CHANGE:
5355 hci_pkt_type_change_evt(hdev, skb);
5358 case HCI_EV_PSCAN_REP_MODE:
5359 hci_pscan_rep_mode_evt(hdev, skb);
5362 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5363 hci_inquiry_result_with_rssi_evt(hdev, skb);
5366 case HCI_EV_REMOTE_EXT_FEATURES:
5367 hci_remote_ext_features_evt(hdev, skb);
5370 case HCI_EV_SYNC_CONN_COMPLETE:
5371 hci_sync_conn_complete_evt(hdev, skb);
5374 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5375 hci_extended_inquiry_result_evt(hdev, skb);
5378 case HCI_EV_KEY_REFRESH_COMPLETE:
5379 hci_key_refresh_complete_evt(hdev, skb);
5382 case HCI_EV_IO_CAPA_REQUEST:
5383 hci_io_capa_request_evt(hdev, skb);
5386 case HCI_EV_IO_CAPA_REPLY:
5387 hci_io_capa_reply_evt(hdev, skb);
5390 case HCI_EV_USER_CONFIRM_REQUEST:
5391 hci_user_confirm_request_evt(hdev, skb);
5394 case HCI_EV_USER_PASSKEY_REQUEST:
5395 hci_user_passkey_request_evt(hdev, skb);
5398 case HCI_EV_USER_PASSKEY_NOTIFY:
5399 hci_user_passkey_notify_evt(hdev, skb);
5402 case HCI_EV_KEYPRESS_NOTIFY:
5403 hci_keypress_notify_evt(hdev, skb);
5406 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5407 hci_simple_pair_complete_evt(hdev, skb);
5410 case HCI_EV_REMOTE_HOST_FEATURES:
5411 hci_remote_host_features_evt(hdev, skb);
5414 case HCI_EV_LE_META:
5415 hci_le_meta_evt(hdev, skb);
5418 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5419 hci_remote_oob_data_request_evt(hdev, skb);
5422 #if IS_ENABLED(CONFIG_BT_HS)
5423 case HCI_EV_CHANNEL_SELECTED:
5424 hci_chan_selected_evt(hdev, skb);
5427 case HCI_EV_PHY_LINK_COMPLETE:
5428 hci_phy_link_complete_evt(hdev, skb);
5431 case HCI_EV_LOGICAL_LINK_COMPLETE:
5432 hci_loglink_complete_evt(hdev, skb);
5435 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5436 hci_disconn_loglink_complete_evt(hdev, skb);
5439 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5440 hci_disconn_phylink_complete_evt(hdev, skb);
5444 case HCI_EV_NUM_COMP_BLOCKS:
5445 hci_num_comp_blocks_evt(hdev, skb);
5449 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5454 req_complete(hdev, status, opcode);
5455 } else if (req_complete_skb) {
5456 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5457 kfree_skb(orig_skb);
5460 req_complete_skb(hdev, status, opcode, orig_skb);
5463 kfree_skb(orig_skb);
5465 hdev->stat.evt_rx++;
projects / linux-2.6-microblaze.git / blob