2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
41 "\x00\x00\x00\x00\x00\x00\x00\x00"
43 /* Handle HCI Event packets */
45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
48 __u8 status = *((__u8 *) skb->data);
50 BT_DBG("%s status 0x%2.2x", hdev->name, status);
52 /* It is possible that we receive Inquiry Complete event right
53 * before we receive Inquiry Cancel Command Complete event, in
54 * which case the latter event should have status of Command
55 * Disallowed (0x0c). This should not be treated as error, since
56 * we actually achieve what Inquiry Cancel wants to achieve,
57 * which is to end the last Inquiry session.
59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
69 clear_bit(HCI_INQUIRY, &hdev->flags);
70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
71 wake_up_bit(&hdev->flags, HCI_INQUIRY);
74 /* Set discovery state to stopped if we're not doing LE active
77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
78 hdev->le_scan_type != LE_SCAN_ACTIVE)
79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
82 hci_conn_check_pending(hdev);
85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
87 __u8 status = *((__u8 *) skb->data);
89 BT_DBG("%s status 0x%2.2x", hdev->name, status);
94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
99 __u8 status = *((__u8 *) skb->data);
101 BT_DBG("%s status 0x%2.2x", hdev->name, status);
106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
108 hci_conn_check_pending(hdev);
111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
114 BT_DBG("%s", hdev->name);
117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
119 struct hci_rp_role_discovery *rp = (void *) skb->data;
120 struct hci_conn *conn;
122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
131 conn->role = rp->role;
133 hci_dev_unlock(hdev);
136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
138 struct hci_rp_read_link_policy *rp = (void *) skb->data;
139 struct hci_conn *conn;
141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
150 conn->link_policy = __le16_to_cpu(rp->policy);
152 hci_dev_unlock(hdev);
155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
157 struct hci_rp_write_link_policy *rp = (void *) skb->data;
158 struct hci_conn *conn;
161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
174 conn->link_policy = get_unaligned_le16(sent + 2);
176 hci_dev_unlock(hdev);
179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
189 hdev->link_policy = __le16_to_cpu(rp->policy);
192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
195 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
207 hdev->link_policy = get_unaligned_le16(sent);
210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
212 __u8 status = *((__u8 *) skb->data);
214 BT_DBG("%s status 0x%2.2x", hdev->name, status);
216 clear_bit(HCI_RESET, &hdev->flags);
221 /* Reset all non-persistent flags */
222 hci_dev_clear_volatile_flags(hdev);
224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
226 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
227 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
230 hdev->adv_data_len = 0;
232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
233 hdev->scan_rsp_data_len = 0;
235 hdev->le_scan_type = LE_SCAN_PASSIVE;
237 hdev->ssp_debug_mode = 0;
239 hci_bdaddr_list_clear(&hdev->le_white_list);
240 hci_bdaddr_list_clear(&hdev->le_resolv_list);
243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
247 struct hci_cp_read_stored_link_key *sent;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
255 if (!rp->status && sent->read_all == 0x01) {
256 hdev->stored_max_keys = rp->max_keys;
257 hdev->stored_num_keys = rp->num_keys;
261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
271 if (rp->num_keys <= hdev->stored_num_keys)
272 hdev->stored_num_keys -= rp->num_keys;
274 hdev->stored_num_keys = 0;
277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
279 __u8 status = *((__u8 *) skb->data);
282 BT_DBG("%s status 0x%2.2x", hdev->name, status);
284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
290 if (hci_dev_test_flag(hdev, HCI_MGMT))
291 mgmt_set_local_name_complete(hdev, sent, status);
293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
295 hci_dev_unlock(hdev);
298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
300 struct hci_rp_read_local_name *rp = (void *) skb->data;
302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
307 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
308 hci_dev_test_flag(hdev, HCI_CONFIG))
309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
314 __u8 status = *((__u8 *) skb->data);
317 BT_DBG("%s status 0x%2.2x", hdev->name, status);
319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
326 __u8 param = *((__u8 *) sent);
328 if (param == AUTH_ENABLED)
329 set_bit(HCI_AUTH, &hdev->flags);
331 clear_bit(HCI_AUTH, &hdev->flags);
334 if (hci_dev_test_flag(hdev, HCI_MGMT))
335 mgmt_auth_enable_complete(hdev, status);
337 hci_dev_unlock(hdev);
340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
342 __u8 status = *((__u8 *) skb->data);
346 BT_DBG("%s status 0x%2.2x", hdev->name, status);
351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
355 param = *((__u8 *) sent);
358 set_bit(HCI_ENCRYPT, &hdev->flags);
360 clear_bit(HCI_ENCRYPT, &hdev->flags);
363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
365 __u8 status = *((__u8 *) skb->data);
369 BT_DBG("%s status 0x%2.2x", hdev->name, status);
371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
375 param = *((__u8 *) sent);
380 hdev->discov_timeout = 0;
384 if (param & SCAN_INQUIRY)
385 set_bit(HCI_ISCAN, &hdev->flags);
387 clear_bit(HCI_ISCAN, &hdev->flags);
389 if (param & SCAN_PAGE)
390 set_bit(HCI_PSCAN, &hdev->flags);
392 clear_bit(HCI_PSCAN, &hdev->flags);
395 hci_dev_unlock(hdev);
398 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
400 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
407 memcpy(hdev->dev_class, rp->dev_class, 3);
409 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
410 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
413 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
415 __u8 status = *((__u8 *) skb->data);
418 BT_DBG("%s status 0x%2.2x", hdev->name, status);
420 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
427 memcpy(hdev->dev_class, sent, 3);
429 if (hci_dev_test_flag(hdev, HCI_MGMT))
430 mgmt_set_class_of_dev_complete(hdev, sent, status);
432 hci_dev_unlock(hdev);
435 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
437 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
445 setting = __le16_to_cpu(rp->voice_setting);
447 if (hdev->voice_setting == setting)
450 hdev->voice_setting = setting;
452 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
455 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
458 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
461 __u8 status = *((__u8 *) skb->data);
465 BT_DBG("%s status 0x%2.2x", hdev->name, status);
470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
474 setting = get_unaligned_le16(sent);
476 if (hdev->voice_setting == setting)
479 hdev->voice_setting = setting;
481 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
484 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
487 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
490 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
497 hdev->num_iac = rp->num_iac;
499 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
502 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
504 __u8 status = *((__u8 *) skb->data);
505 struct hci_cp_write_ssp_mode *sent;
507 BT_DBG("%s status 0x%2.2x", hdev->name, status);
509 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
517 hdev->features[1][0] |= LMP_HOST_SSP;
519 hdev->features[1][0] &= ~LMP_HOST_SSP;
522 if (hci_dev_test_flag(hdev, HCI_MGMT))
523 mgmt_ssp_enable_complete(hdev, sent->mode, status);
526 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
528 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
531 hci_dev_unlock(hdev);
534 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
536 u8 status = *((u8 *) skb->data);
537 struct hci_cp_write_sc_support *sent;
539 BT_DBG("%s status 0x%2.2x", hdev->name, status);
541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
549 hdev->features[1][0] |= LMP_HOST_SC;
551 hdev->features[1][0] &= ~LMP_HOST_SC;
554 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
556 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
558 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
561 hci_dev_unlock(hdev);
564 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
566 struct hci_rp_read_local_version *rp = (void *) skb->data;
568 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
573 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
574 hci_dev_test_flag(hdev, HCI_CONFIG)) {
575 hdev->hci_ver = rp->hci_ver;
576 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
577 hdev->lmp_ver = rp->lmp_ver;
578 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
579 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
583 static void hci_cc_read_local_commands(struct hci_dev *hdev,
586 struct hci_rp_read_local_commands *rp = (void *) skb->data;
588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
593 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
594 hci_dev_test_flag(hdev, HCI_CONFIG))
595 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
598 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
601 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
602 struct hci_conn *conn;
604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
613 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
615 hci_dev_unlock(hdev);
618 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
621 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
622 struct hci_conn *conn;
625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
630 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
638 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
640 hci_dev_unlock(hdev);
643 static void hci_cc_read_local_features(struct hci_dev *hdev,
646 struct hci_rp_read_local_features *rp = (void *) skb->data;
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
653 memcpy(hdev->features, rp->features, 8);
655 /* Adjust default settings according to features
656 * supported by device. */
658 if (hdev->features[0][0] & LMP_3SLOT)
659 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
661 if (hdev->features[0][0] & LMP_5SLOT)
662 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
664 if (hdev->features[0][1] & LMP_HV2) {
665 hdev->pkt_type |= (HCI_HV2);
666 hdev->esco_type |= (ESCO_HV2);
669 if (hdev->features[0][1] & LMP_HV3) {
670 hdev->pkt_type |= (HCI_HV3);
671 hdev->esco_type |= (ESCO_HV3);
674 if (lmp_esco_capable(hdev))
675 hdev->esco_type |= (ESCO_EV3);
677 if (hdev->features[0][4] & LMP_EV4)
678 hdev->esco_type |= (ESCO_EV4);
680 if (hdev->features[0][4] & LMP_EV5)
681 hdev->esco_type |= (ESCO_EV5);
683 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
684 hdev->esco_type |= (ESCO_2EV3);
686 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
687 hdev->esco_type |= (ESCO_3EV3);
689 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
690 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
693 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
696 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
698 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
703 if (hdev->max_page < rp->max_page)
704 hdev->max_page = rp->max_page;
706 if (rp->page < HCI_MAX_PAGES)
707 memcpy(hdev->features[rp->page], rp->features, 8);
710 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
713 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
715 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
720 hdev->flow_ctl_mode = rp->mode;
723 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
725 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
732 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
733 hdev->sco_mtu = rp->sco_mtu;
734 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
735 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
737 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
742 hdev->acl_cnt = hdev->acl_pkts;
743 hdev->sco_cnt = hdev->sco_pkts;
745 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
746 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
749 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
751 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
758 if (test_bit(HCI_INIT, &hdev->flags))
759 bacpy(&hdev->bdaddr, &rp->bdaddr);
761 if (hci_dev_test_flag(hdev, HCI_SETUP))
762 bacpy(&hdev->setup_addr, &rp->bdaddr);
765 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,
768 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;
770 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
775 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
776 hci_dev_test_flag(hdev, HCI_CONFIG)) {
777 hdev->pairing_opts = rp->pairing_opts;
778 hdev->max_enc_key_size = rp->max_key_size;
782 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
785 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
787 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
792 if (test_bit(HCI_INIT, &hdev->flags)) {
793 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
794 hdev->page_scan_window = __le16_to_cpu(rp->window);
798 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
801 u8 status = *((u8 *) skb->data);
802 struct hci_cp_write_page_scan_activity *sent;
804 BT_DBG("%s status 0x%2.2x", hdev->name, status);
809 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
813 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
814 hdev->page_scan_window = __le16_to_cpu(sent->window);
817 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
820 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
822 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
827 if (test_bit(HCI_INIT, &hdev->flags))
828 hdev->page_scan_type = rp->type;
831 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
834 u8 status = *((u8 *) skb->data);
837 BT_DBG("%s status 0x%2.2x", hdev->name, status);
842 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
844 hdev->page_scan_type = *type;
847 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
850 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
852 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
857 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
858 hdev->block_len = __le16_to_cpu(rp->block_len);
859 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
861 hdev->block_cnt = hdev->num_blocks;
863 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
864 hdev->block_cnt, hdev->block_len);
867 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
869 struct hci_rp_read_clock *rp = (void *) skb->data;
870 struct hci_cp_read_clock *cp;
871 struct hci_conn *conn;
873 BT_DBG("%s", hdev->name);
875 if (skb->len < sizeof(*rp))
883 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
887 if (cp->which == 0x00) {
888 hdev->clock = le32_to_cpu(rp->clock);
892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
894 conn->clock = le32_to_cpu(rp->clock);
895 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
899 hci_dev_unlock(hdev);
902 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
905 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
912 hdev->amp_status = rp->amp_status;
913 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
914 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
915 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
916 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
917 hdev->amp_type = rp->amp_type;
918 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
919 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
920 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
921 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
924 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
927 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
929 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
934 hdev->inq_tx_power = rp->tx_power;
937 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,
940 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;
942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
947 hdev->err_data_reporting = rp->err_data_reporting;
950 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,
953 __u8 status = *((__u8 *)skb->data);
954 struct hci_cp_write_def_err_data_reporting *cp;
956 BT_DBG("%s status 0x%2.2x", hdev->name, status);
961 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
965 hdev->err_data_reporting = cp->err_data_reporting;
968 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
970 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
971 struct hci_cp_pin_code_reply *cp;
972 struct hci_conn *conn;
974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
978 if (hci_dev_test_flag(hdev, HCI_MGMT))
979 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
984 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
988 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
990 conn->pin_length = cp->pin_len;
993 hci_dev_unlock(hdev);
996 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
998 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1004 if (hci_dev_test_flag(hdev, HCI_MGMT))
1005 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1008 hci_dev_unlock(hdev);
1011 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
1012 struct sk_buff *skb)
1014 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
1016 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1022 hdev->le_pkts = rp->le_max_pkt;
1024 hdev->le_cnt = hdev->le_pkts;
1026 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1029 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
1030 struct sk_buff *skb)
1032 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
1034 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1039 memcpy(hdev->le_features, rp->features, 8);
1042 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
1043 struct sk_buff *skb)
1045 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1052 hdev->adv_tx_power = rp->tx_power;
1055 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
1057 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1059 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1063 if (hci_dev_test_flag(hdev, HCI_MGMT))
1064 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1067 hci_dev_unlock(hdev);
1070 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
1071 struct sk_buff *skb)
1073 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1075 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1079 if (hci_dev_test_flag(hdev, HCI_MGMT))
1080 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1081 ACL_LINK, 0, rp->status);
1083 hci_dev_unlock(hdev);
1086 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1088 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1090 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1094 if (hci_dev_test_flag(hdev, HCI_MGMT))
1095 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1098 hci_dev_unlock(hdev);
1101 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1102 struct sk_buff *skb)
1104 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1110 if (hci_dev_test_flag(hdev, HCI_MGMT))
1111 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1112 ACL_LINK, 0, rp->status);
1114 hci_dev_unlock(hdev);
1117 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1118 struct sk_buff *skb)
1120 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1125 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1126 struct sk_buff *skb)
1128 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1130 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1133 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1135 __u8 status = *((__u8 *) skb->data);
1138 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1143 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1149 bacpy(&hdev->random_addr, sent);
1151 hci_dev_unlock(hdev);
1154 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1156 __u8 status = *((__u8 *) skb->data);
1157 struct hci_cp_le_set_default_phy *cp;
1159 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1164 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1170 hdev->le_tx_def_phys = cp->tx_phys;
1171 hdev->le_rx_def_phys = cp->rx_phys;
1173 hci_dev_unlock(hdev);
1176 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1177 struct sk_buff *skb)
1179 __u8 status = *((__u8 *) skb->data);
1180 struct hci_cp_le_set_adv_set_rand_addr *cp;
1181 struct adv_info *adv_instance;
1186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1192 if (!hdev->cur_adv_instance) {
1193 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1194 bacpy(&hdev->random_addr, &cp->bdaddr);
1196 adv_instance = hci_find_adv_instance(hdev,
1197 hdev->cur_adv_instance);
1199 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1202 hci_dev_unlock(hdev);
1205 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1207 __u8 *sent, status = *((__u8 *) skb->data);
1209 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1214 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1220 /* If we're doing connection initiation as peripheral. Set a
1221 * timeout in case something goes wrong.
1224 struct hci_conn *conn;
1226 hci_dev_set_flag(hdev, HCI_LE_ADV);
1228 conn = hci_lookup_le_connect(hdev);
1230 queue_delayed_work(hdev->workqueue,
1231 &conn->le_conn_timeout,
1232 conn->conn_timeout);
1234 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1237 hci_dev_unlock(hdev);
1240 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1241 struct sk_buff *skb)
1243 struct hci_cp_le_set_ext_adv_enable *cp;
1244 __u8 status = *((__u8 *) skb->data);
1246 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1251 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1258 struct hci_conn *conn;
1260 hci_dev_set_flag(hdev, HCI_LE_ADV);
1262 conn = hci_lookup_le_connect(hdev);
1264 queue_delayed_work(hdev->workqueue,
1265 &conn->le_conn_timeout,
1266 conn->conn_timeout);
1268 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1271 hci_dev_unlock(hdev);
1274 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1276 struct hci_cp_le_set_scan_param *cp;
1277 __u8 status = *((__u8 *) skb->data);
1279 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1284 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1290 hdev->le_scan_type = cp->type;
1292 hci_dev_unlock(hdev);
1295 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1296 struct sk_buff *skb)
1298 struct hci_cp_le_set_ext_scan_params *cp;
1299 __u8 status = *((__u8 *) skb->data);
1300 struct hci_cp_le_scan_phy_params *phy_param;
1302 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1307 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1311 phy_param = (void *)cp->data;
1315 hdev->le_scan_type = phy_param->type;
1317 hci_dev_unlock(hdev);
1320 static bool has_pending_adv_report(struct hci_dev *hdev)
1322 struct discovery_state *d = &hdev->discovery;
1324 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1327 static void clear_pending_adv_report(struct hci_dev *hdev)
1329 struct discovery_state *d = &hdev->discovery;
1331 bacpy(&d->last_adv_addr, BDADDR_ANY);
1332 d->last_adv_data_len = 0;
1335 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1336 u8 bdaddr_type, s8 rssi, u32 flags,
1339 struct discovery_state *d = &hdev->discovery;
1341 if (len > HCI_MAX_AD_LENGTH)
1344 bacpy(&d->last_adv_addr, bdaddr);
1345 d->last_adv_addr_type = bdaddr_type;
1346 d->last_adv_rssi = rssi;
1347 d->last_adv_flags = flags;
1348 memcpy(d->last_adv_data, data, len);
1349 d->last_adv_data_len = len;
1352 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1357 case LE_SCAN_ENABLE:
1358 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1359 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1360 clear_pending_adv_report(hdev);
1363 case LE_SCAN_DISABLE:
1364 /* We do this here instead of when setting DISCOVERY_STOPPED
1365 * since the latter would potentially require waiting for
1366 * inquiry to stop too.
1368 if (has_pending_adv_report(hdev)) {
1369 struct discovery_state *d = &hdev->discovery;
1371 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1372 d->last_adv_addr_type, NULL,
1373 d->last_adv_rssi, d->last_adv_flags,
1375 d->last_adv_data_len, NULL, 0);
1378 /* Cancel this timer so that we don't try to disable scanning
1379 * when it's already disabled.
1381 cancel_delayed_work(&hdev->le_scan_disable);
1383 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1385 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1386 * interrupted scanning due to a connect request. Mark
1387 * therefore discovery as stopped. If this was not
1388 * because of a connect request advertising might have
1389 * been disabled because of active scanning, so
1390 * re-enable it again if necessary.
1392 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1393 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1394 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1395 hdev->discovery.state == DISCOVERY_FINDING)
1396 hci_req_reenable_advertising(hdev);
1401 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1406 hci_dev_unlock(hdev);
1409 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1410 struct sk_buff *skb)
1412 struct hci_cp_le_set_scan_enable *cp;
1413 __u8 status = *((__u8 *) skb->data);
1415 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1420 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1424 le_set_scan_enable_complete(hdev, cp->enable);
1427 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1428 struct sk_buff *skb)
1430 struct hci_cp_le_set_ext_scan_enable *cp;
1431 __u8 status = *((__u8 *) skb->data);
1433 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1442 le_set_scan_enable_complete(hdev, cp->enable);
1445 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1446 struct sk_buff *skb)
1448 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1450 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1456 hdev->le_num_of_adv_sets = rp->num_of_sets;
1459 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1460 struct sk_buff *skb)
1462 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1464 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1469 hdev->le_white_list_size = rp->size;
1472 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1473 struct sk_buff *skb)
1475 __u8 status = *((__u8 *) skb->data);
1477 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1482 hci_bdaddr_list_clear(&hdev->le_white_list);
1485 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1486 struct sk_buff *skb)
1488 struct hci_cp_le_add_to_white_list *sent;
1489 __u8 status = *((__u8 *) skb->data);
1491 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1496 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1500 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1504 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1505 struct sk_buff *skb)
1507 struct hci_cp_le_del_from_white_list *sent;
1508 __u8 status = *((__u8 *) skb->data);
1510 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1515 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1519 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1523 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1524 struct sk_buff *skb)
1526 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1528 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1533 memcpy(hdev->le_states, rp->le_states, 8);
1536 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1537 struct sk_buff *skb)
1539 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1541 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1546 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1547 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1550 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1551 struct sk_buff *skb)
1553 struct hci_cp_le_write_def_data_len *sent;
1554 __u8 status = *((__u8 *) skb->data);
1556 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1561 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1565 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1566 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1569 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1570 struct sk_buff *skb)
1572 struct hci_cp_le_add_to_resolv_list *sent;
1573 __u8 status = *((__u8 *) skb->data);
1575 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1580 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1584 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1585 sent->bdaddr_type, sent->peer_irk,
1589 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1590 struct sk_buff *skb)
1592 struct hci_cp_le_del_from_resolv_list *sent;
1593 __u8 status = *((__u8 *) skb->data);
1595 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1600 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1604 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1608 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1609 struct sk_buff *skb)
1611 __u8 status = *((__u8 *) skb->data);
1613 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1618 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1621 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1622 struct sk_buff *skb)
1624 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1626 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1631 hdev->le_resolv_list_size = rp->size;
1634 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1635 struct sk_buff *skb)
1637 __u8 *sent, status = *((__u8 *) skb->data);
1639 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1644 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1651 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1653 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1655 hci_dev_unlock(hdev);
1658 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1659 struct sk_buff *skb)
1661 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1663 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1668 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1669 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1670 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1671 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1674 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1675 struct sk_buff *skb)
1677 struct hci_cp_write_le_host_supported *sent;
1678 __u8 status = *((__u8 *) skb->data);
1680 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1685 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1692 hdev->features[1][0] |= LMP_HOST_LE;
1693 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1695 hdev->features[1][0] &= ~LMP_HOST_LE;
1696 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1697 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1701 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1703 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1705 hci_dev_unlock(hdev);
1708 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1710 struct hci_cp_le_set_adv_param *cp;
1711 u8 status = *((u8 *) skb->data);
1713 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1718 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1723 hdev->adv_addr_type = cp->own_address_type;
1724 hci_dev_unlock(hdev);
1727 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1729 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1730 struct hci_cp_le_set_ext_adv_params *cp;
1731 struct adv_info *adv_instance;
1733 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1738 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1743 hdev->adv_addr_type = cp->own_addr_type;
1744 if (!hdev->cur_adv_instance) {
1745 /* Store in hdev for instance 0 */
1746 hdev->adv_tx_power = rp->tx_power;
1748 adv_instance = hci_find_adv_instance(hdev,
1749 hdev->cur_adv_instance);
1751 adv_instance->tx_power = rp->tx_power;
1753 /* Update adv data as tx power is known now */
1754 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1755 hci_dev_unlock(hdev);
1758 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1760 struct hci_rp_read_rssi *rp = (void *) skb->data;
1761 struct hci_conn *conn;
1763 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1770 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1772 conn->rssi = rp->rssi;
1774 hci_dev_unlock(hdev);
1777 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1779 struct hci_cp_read_tx_power *sent;
1780 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1781 struct hci_conn *conn;
1783 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1788 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1794 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1798 switch (sent->type) {
1800 conn->tx_power = rp->tx_power;
1803 conn->max_tx_power = rp->tx_power;
1808 hci_dev_unlock(hdev);
1811 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1813 u8 status = *((u8 *) skb->data);
1816 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1821 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1823 hdev->ssp_debug_mode = *mode;
1826 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1828 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1831 hci_conn_check_pending(hdev);
1835 set_bit(HCI_INQUIRY, &hdev->flags);
1838 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1840 struct hci_cp_create_conn *cp;
1841 struct hci_conn *conn;
1843 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1845 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1851 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1853 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1856 if (conn && conn->state == BT_CONNECT) {
1857 if (status != 0x0c || conn->attempt > 2) {
1858 conn->state = BT_CLOSED;
1859 hci_connect_cfm(conn, status);
1862 conn->state = BT_CONNECT2;
1866 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1869 bt_dev_err(hdev, "no memory for new connection");
1873 hci_dev_unlock(hdev);
1876 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1878 struct hci_cp_add_sco *cp;
1879 struct hci_conn *acl, *sco;
1882 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1887 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1891 handle = __le16_to_cpu(cp->handle);
1893 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1897 acl = hci_conn_hash_lookup_handle(hdev, handle);
1901 sco->state = BT_CLOSED;
1903 hci_connect_cfm(sco, status);
1908 hci_dev_unlock(hdev);
1911 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1913 struct hci_cp_auth_requested *cp;
1914 struct hci_conn *conn;
1916 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1921 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1927 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1929 if (conn->state == BT_CONFIG) {
1930 hci_connect_cfm(conn, status);
1931 hci_conn_drop(conn);
1935 hci_dev_unlock(hdev);
1938 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1940 struct hci_cp_set_conn_encrypt *cp;
1941 struct hci_conn *conn;
1943 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1948 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1954 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1956 if (conn->state == BT_CONFIG) {
1957 hci_connect_cfm(conn, status);
1958 hci_conn_drop(conn);
1962 hci_dev_unlock(hdev);
1965 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1966 struct hci_conn *conn)
1968 if (conn->state != BT_CONFIG || !conn->out)
1971 if (conn->pending_sec_level == BT_SECURITY_SDP)
1974 /* Only request authentication for SSP connections or non-SSP
1975 * devices with sec_level MEDIUM or HIGH or if MITM protection
1978 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1979 conn->pending_sec_level != BT_SECURITY_FIPS &&
1980 conn->pending_sec_level != BT_SECURITY_HIGH &&
1981 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1987 static int hci_resolve_name(struct hci_dev *hdev,
1988 struct inquiry_entry *e)
1990 struct hci_cp_remote_name_req cp;
1992 memset(&cp, 0, sizeof(cp));
1994 bacpy(&cp.bdaddr, &e->data.bdaddr);
1995 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1996 cp.pscan_mode = e->data.pscan_mode;
1997 cp.clock_offset = e->data.clock_offset;
1999 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2002 static bool hci_resolve_next_name(struct hci_dev *hdev)
2004 struct discovery_state *discov = &hdev->discovery;
2005 struct inquiry_entry *e;
2007 if (list_empty(&discov->resolve))
2010 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2014 if (hci_resolve_name(hdev, e) == 0) {
2015 e->name_state = NAME_PENDING;
2022 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2023 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2025 struct discovery_state *discov = &hdev->discovery;
2026 struct inquiry_entry *e;
2028 /* Update the mgmt connected state if necessary. Be careful with
2029 * conn objects that exist but are not (yet) connected however.
2030 * Only those in BT_CONFIG or BT_CONNECTED states can be
2031 * considered connected.
2034 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2035 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2036 mgmt_device_connected(hdev, conn, 0, name, name_len);
2038 if (discov->state == DISCOVERY_STOPPED)
2041 if (discov->state == DISCOVERY_STOPPING)
2042 goto discov_complete;
2044 if (discov->state != DISCOVERY_RESOLVING)
2047 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2048 /* If the device was not found in a list of found devices names of which
2049 * are pending. there is no need to continue resolving a next name as it
2050 * will be done upon receiving another Remote Name Request Complete
2057 e->name_state = NAME_KNOWN;
2058 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2059 e->data.rssi, name, name_len);
2061 e->name_state = NAME_NOT_KNOWN;
2064 if (hci_resolve_next_name(hdev))
2068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2071 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2073 struct hci_cp_remote_name_req *cp;
2074 struct hci_conn *conn;
2076 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2078 /* If successful wait for the name req complete event before
2079 * checking for the need to do authentication */
2083 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2089 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2091 if (hci_dev_test_flag(hdev, HCI_MGMT))
2092 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2097 if (!hci_outgoing_auth_needed(hdev, conn))
2100 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2101 struct hci_cp_auth_requested auth_cp;
2103 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2105 auth_cp.handle = __cpu_to_le16(conn->handle);
2106 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2107 sizeof(auth_cp), &auth_cp);
2111 hci_dev_unlock(hdev);
2114 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2116 struct hci_cp_read_remote_features *cp;
2117 struct hci_conn *conn;
2119 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2124 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2132 if (conn->state == BT_CONFIG) {
2133 hci_connect_cfm(conn, status);
2134 hci_conn_drop(conn);
2138 hci_dev_unlock(hdev);
2141 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2143 struct hci_cp_read_remote_ext_features *cp;
2144 struct hci_conn *conn;
2146 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2151 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2157 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2159 if (conn->state == BT_CONFIG) {
2160 hci_connect_cfm(conn, status);
2161 hci_conn_drop(conn);
2165 hci_dev_unlock(hdev);
2168 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2170 struct hci_cp_setup_sync_conn *cp;
2171 struct hci_conn *acl, *sco;
2174 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2179 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2183 handle = __le16_to_cpu(cp->handle);
2185 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2189 acl = hci_conn_hash_lookup_handle(hdev, handle);
2193 sco->state = BT_CLOSED;
2195 hci_connect_cfm(sco, status);
2200 hci_dev_unlock(hdev);
2203 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2205 struct hci_cp_sniff_mode *cp;
2206 struct hci_conn *conn;
2208 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2213 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2221 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2223 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2224 hci_sco_setup(conn, status);
2227 hci_dev_unlock(hdev);
2230 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2232 struct hci_cp_exit_sniff_mode *cp;
2233 struct hci_conn *conn;
2235 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2240 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2246 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2248 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2250 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2251 hci_sco_setup(conn, status);
2254 hci_dev_unlock(hdev);
2257 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2259 struct hci_cp_disconnect *cp;
2260 struct hci_conn *conn;
2265 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2271 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2273 u8 type = conn->type;
2275 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2276 conn->dst_type, status);
2278 /* If the disconnection failed for any reason, the upper layer
2279 * does not retry to disconnect in current implementation.
2280 * Hence, we need to do some basic cleanup here and re-enable
2281 * advertising if necessary.
2284 if (type == LE_LINK)
2285 hci_req_reenable_advertising(hdev);
2288 hci_dev_unlock(hdev);
2291 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2292 u8 peer_addr_type, u8 own_address_type,
2295 struct hci_conn *conn;
2297 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2302 /* When using controller based address resolution, then the new
2303 * address types 0x02 and 0x03 are used. These types need to be
2304 * converted back into either public address or random address type
2306 if (use_ll_privacy(hdev) &&
2307 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) {
2308 switch (own_address_type) {
2309 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2310 own_address_type = ADDR_LE_DEV_PUBLIC;
2312 case ADDR_LE_DEV_RANDOM_RESOLVED:
2313 own_address_type = ADDR_LE_DEV_RANDOM;
2318 /* Store the initiator and responder address information which
2319 * is needed for SMP. These values will not change during the
2320 * lifetime of the connection.
2322 conn->init_addr_type = own_address_type;
2323 if (own_address_type == ADDR_LE_DEV_RANDOM)
2324 bacpy(&conn->init_addr, &hdev->random_addr);
2326 bacpy(&conn->init_addr, &hdev->bdaddr);
2328 conn->resp_addr_type = peer_addr_type;
2329 bacpy(&conn->resp_addr, peer_addr);
2331 /* We don't want the connection attempt to stick around
2332 * indefinitely since LE doesn't have a page timeout concept
2333 * like BR/EDR. Set a timer for any connection that doesn't use
2334 * the white list for connecting.
2336 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2337 queue_delayed_work(conn->hdev->workqueue,
2338 &conn->le_conn_timeout,
2339 conn->conn_timeout);
2342 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2344 struct hci_cp_le_create_conn *cp;
2346 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2348 /* All connection failure handling is taken care of by the
2349 * hci_le_conn_failed function which is triggered by the HCI
2350 * request completion callbacks used for connecting.
2355 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2361 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2362 cp->own_address_type, cp->filter_policy);
2364 hci_dev_unlock(hdev);
2367 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2369 struct hci_cp_le_ext_create_conn *cp;
2371 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2373 /* All connection failure handling is taken care of by the
2374 * hci_le_conn_failed function which is triggered by the HCI
2375 * request completion callbacks used for connecting.
2380 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2386 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2387 cp->own_addr_type, cp->filter_policy);
2389 hci_dev_unlock(hdev);
2392 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2394 struct hci_cp_le_read_remote_features *cp;
2395 struct hci_conn *conn;
2397 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2402 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2408 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2410 if (conn->state == BT_CONFIG) {
2411 hci_connect_cfm(conn, status);
2412 hci_conn_drop(conn);
2416 hci_dev_unlock(hdev);
2419 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2421 struct hci_cp_le_start_enc *cp;
2422 struct hci_conn *conn;
2424 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2431 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2435 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2439 if (conn->state != BT_CONNECTED)
2442 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2443 hci_conn_drop(conn);
2446 hci_dev_unlock(hdev);
2449 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2451 struct hci_cp_switch_role *cp;
2452 struct hci_conn *conn;
2454 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2459 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2465 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2467 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2469 hci_dev_unlock(hdev);
2472 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2474 __u8 status = *((__u8 *) skb->data);
2475 struct discovery_state *discov = &hdev->discovery;
2476 struct inquiry_entry *e;
2478 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2480 hci_conn_check_pending(hdev);
2482 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2485 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2486 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2488 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2493 if (discov->state != DISCOVERY_FINDING)
2496 if (list_empty(&discov->resolve)) {
2497 /* When BR/EDR inquiry is active and no LE scanning is in
2498 * progress, then change discovery state to indicate completion.
2500 * When running LE scanning and BR/EDR inquiry simultaneously
2501 * and the LE scan already finished, then change the discovery
2502 * state to indicate completion.
2504 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2505 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2506 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2510 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2511 if (e && hci_resolve_name(hdev, e) == 0) {
2512 e->name_state = NAME_PENDING;
2513 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2515 /* When BR/EDR inquiry is active and no LE scanning is in
2516 * progress, then change discovery state to indicate completion.
2518 * When running LE scanning and BR/EDR inquiry simultaneously
2519 * and the LE scan already finished, then change the discovery
2520 * state to indicate completion.
2522 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2523 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2524 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2528 hci_dev_unlock(hdev);
2531 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2533 struct inquiry_data data;
2534 struct inquiry_info *info = (void *) (skb->data + 1);
2535 int num_rsp = *((__u8 *) skb->data);
2537 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2539 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
2542 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2547 for (; num_rsp; num_rsp--, info++) {
2550 bacpy(&data.bdaddr, &info->bdaddr);
2551 data.pscan_rep_mode = info->pscan_rep_mode;
2552 data.pscan_period_mode = info->pscan_period_mode;
2553 data.pscan_mode = info->pscan_mode;
2554 memcpy(data.dev_class, info->dev_class, 3);
2555 data.clock_offset = info->clock_offset;
2556 data.rssi = HCI_RSSI_INVALID;
2557 data.ssp_mode = 0x00;
2559 flags = hci_inquiry_cache_update(hdev, &data, false);
2561 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2562 info->dev_class, HCI_RSSI_INVALID,
2563 flags, NULL, 0, NULL, 0);
2566 hci_dev_unlock(hdev);
2569 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2571 struct hci_ev_conn_complete *ev = (void *) skb->data;
2572 struct hci_conn *conn;
2574 BT_DBG("%s", hdev->name);
2578 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2580 /* Connection may not exist if auto-connected. Check the bredr
2581 * allowlist to see if this device is allowed to auto connect.
2582 * If link is an ACL type, create a connection class
2585 * Auto-connect will only occur if the event filter is
2586 * programmed with a given address. Right now, event filter is
2587 * only used during suspend.
2589 if (ev->link_type == ACL_LINK &&
2590 hci_bdaddr_list_lookup_with_flags(&hdev->whitelist,
2593 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2596 bt_dev_err(hdev, "no memory for new conn");
2600 if (ev->link_type != SCO_LINK)
2603 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
2608 conn->type = SCO_LINK;
2613 conn->handle = __le16_to_cpu(ev->handle);
2615 if (conn->type == ACL_LINK) {
2616 conn->state = BT_CONFIG;
2617 hci_conn_hold(conn);
2619 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2620 !hci_find_link_key(hdev, &ev->bdaddr))
2621 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2623 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2625 conn->state = BT_CONNECTED;
2627 hci_debugfs_create_conn(conn);
2628 hci_conn_add_sysfs(conn);
2630 if (test_bit(HCI_AUTH, &hdev->flags))
2631 set_bit(HCI_CONN_AUTH, &conn->flags);
2633 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2634 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2636 /* Get remote features */
2637 if (conn->type == ACL_LINK) {
2638 struct hci_cp_read_remote_features cp;
2639 cp.handle = ev->handle;
2640 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2643 hci_req_update_scan(hdev);
2646 /* Set packet type for incoming connection */
2647 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2648 struct hci_cp_change_conn_ptype cp;
2649 cp.handle = ev->handle;
2650 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2651 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2655 conn->state = BT_CLOSED;
2656 if (conn->type == ACL_LINK)
2657 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2658 conn->dst_type, ev->status);
2661 if (conn->type == ACL_LINK)
2662 hci_sco_setup(conn, ev->status);
2665 hci_connect_cfm(conn, ev->status);
2667 } else if (ev->link_type == SCO_LINK) {
2668 switch (conn->setting & SCO_AIRMODE_MASK) {
2669 case SCO_AIRMODE_CVSD:
2671 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
2675 hci_connect_cfm(conn, ev->status);
2679 hci_dev_unlock(hdev);
2681 hci_conn_check_pending(hdev);
2684 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2686 struct hci_cp_reject_conn_req cp;
2688 bacpy(&cp.bdaddr, bdaddr);
2689 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2690 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2693 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2695 struct hci_ev_conn_request *ev = (void *) skb->data;
2696 int mask = hdev->link_mode;
2697 struct inquiry_entry *ie;
2698 struct hci_conn *conn;
2701 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2704 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2707 if (!(mask & HCI_LM_ACCEPT)) {
2708 hci_reject_conn(hdev, &ev->bdaddr);
2712 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2714 hci_reject_conn(hdev, &ev->bdaddr);
2718 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2719 * connection. These features are only touched through mgmt so
2720 * only do the checks if HCI_MGMT is set.
2722 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2723 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2724 !hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, &ev->bdaddr,
2726 hci_reject_conn(hdev, &ev->bdaddr);
2730 /* Connection accepted */
2734 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2736 memcpy(ie->data.dev_class, ev->dev_class, 3);
2738 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2741 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2744 bt_dev_err(hdev, "no memory for new connection");
2745 hci_dev_unlock(hdev);
2750 memcpy(conn->dev_class, ev->dev_class, 3);
2752 hci_dev_unlock(hdev);
2754 if (ev->link_type == ACL_LINK ||
2755 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2756 struct hci_cp_accept_conn_req cp;
2757 conn->state = BT_CONNECT;
2759 bacpy(&cp.bdaddr, &ev->bdaddr);
2761 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2762 cp.role = 0x00; /* Become master */
2764 cp.role = 0x01; /* Remain slave */
2766 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2767 } else if (!(flags & HCI_PROTO_DEFER)) {
2768 struct hci_cp_accept_sync_conn_req cp;
2769 conn->state = BT_CONNECT;
2771 bacpy(&cp.bdaddr, &ev->bdaddr);
2772 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2774 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2775 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2776 cp.max_latency = cpu_to_le16(0xffff);
2777 cp.content_format = cpu_to_le16(hdev->voice_setting);
2778 cp.retrans_effort = 0xff;
2780 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2783 conn->state = BT_CONNECT2;
2784 hci_connect_cfm(conn, 0);
2788 static u8 hci_to_mgmt_reason(u8 err)
2791 case HCI_ERROR_CONNECTION_TIMEOUT:
2792 return MGMT_DEV_DISCONN_TIMEOUT;
2793 case HCI_ERROR_REMOTE_USER_TERM:
2794 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2795 case HCI_ERROR_REMOTE_POWER_OFF:
2796 return MGMT_DEV_DISCONN_REMOTE;
2797 case HCI_ERROR_LOCAL_HOST_TERM:
2798 return MGMT_DEV_DISCONN_LOCAL_HOST;
2800 return MGMT_DEV_DISCONN_UNKNOWN;
2804 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2806 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2808 struct hci_conn_params *params;
2809 struct hci_conn *conn;
2810 bool mgmt_connected;
2813 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2817 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2822 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2823 conn->dst_type, ev->status);
2827 conn->state = BT_CLOSED;
2829 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2831 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2832 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2834 reason = hci_to_mgmt_reason(ev->reason);
2836 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2837 reason, mgmt_connected);
2839 if (conn->type == ACL_LINK) {
2840 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2841 hci_remove_link_key(hdev, &conn->dst);
2843 hci_req_update_scan(hdev);
2846 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2848 switch (params->auto_connect) {
2849 case HCI_AUTO_CONN_LINK_LOSS:
2850 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2854 case HCI_AUTO_CONN_DIRECT:
2855 case HCI_AUTO_CONN_ALWAYS:
2856 list_del_init(¶ms->action);
2857 list_add(¶ms->action, &hdev->pend_le_conns);
2858 hci_update_background_scan(hdev);
2868 hci_disconn_cfm(conn, ev->reason);
2871 /* The suspend notifier is waiting for all devices to disconnect so
2872 * clear the bit from pending tasks and inform the wait queue.
2874 if (list_empty(&hdev->conn_hash.list) &&
2875 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
2876 wake_up(&hdev->suspend_wait_q);
2879 /* Re-enable advertising if necessary, since it might
2880 * have been disabled by the connection. From the
2881 * HCI_LE_Set_Advertise_Enable command description in
2882 * the core specification (v4.0):
2883 * "The Controller shall continue advertising until the Host
2884 * issues an LE_Set_Advertise_Enable command with
2885 * Advertising_Enable set to 0x00 (Advertising is disabled)
2886 * or until a connection is created or until the Advertising
2887 * is timed out due to Directed Advertising."
2889 if (type == LE_LINK)
2890 hci_req_reenable_advertising(hdev);
2893 hci_dev_unlock(hdev);
2896 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2898 struct hci_ev_auth_complete *ev = (void *) skb->data;
2899 struct hci_conn *conn;
2901 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2905 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2910 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2912 if (!hci_conn_ssp_enabled(conn) &&
2913 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2914 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2916 set_bit(HCI_CONN_AUTH, &conn->flags);
2917 conn->sec_level = conn->pending_sec_level;
2920 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2921 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2923 mgmt_auth_failed(conn, ev->status);
2926 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2927 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2929 if (conn->state == BT_CONFIG) {
2930 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2931 struct hci_cp_set_conn_encrypt cp;
2932 cp.handle = ev->handle;
2934 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2937 conn->state = BT_CONNECTED;
2938 hci_connect_cfm(conn, ev->status);
2939 hci_conn_drop(conn);
2942 hci_auth_cfm(conn, ev->status);
2944 hci_conn_hold(conn);
2945 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2946 hci_conn_drop(conn);
2949 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2951 struct hci_cp_set_conn_encrypt cp;
2952 cp.handle = ev->handle;
2954 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2957 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2958 hci_encrypt_cfm(conn, ev->status);
2963 hci_dev_unlock(hdev);
2966 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2968 struct hci_ev_remote_name *ev = (void *) skb->data;
2969 struct hci_conn *conn;
2971 BT_DBG("%s", hdev->name);
2973 hci_conn_check_pending(hdev);
2977 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2979 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2982 if (ev->status == 0)
2983 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2984 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2986 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2992 if (!hci_outgoing_auth_needed(hdev, conn))
2995 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2996 struct hci_cp_auth_requested cp;
2998 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3000 cp.handle = __cpu_to_le16(conn->handle);
3001 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3005 hci_dev_unlock(hdev);
3008 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
3009 u16 opcode, struct sk_buff *skb)
3011 const struct hci_rp_read_enc_key_size *rp;
3012 struct hci_conn *conn;
3015 BT_DBG("%s status 0x%02x", hdev->name, status);
3017 if (!skb || skb->len < sizeof(*rp)) {
3018 bt_dev_err(hdev, "invalid read key size response");
3022 rp = (void *)skb->data;
3023 handle = le16_to_cpu(rp->handle);
3027 conn = hci_conn_hash_lookup_handle(hdev, handle);
3031 /* While unexpected, the read_enc_key_size command may fail. The most
3032 * secure approach is to then assume the key size is 0 to force a
3036 bt_dev_err(hdev, "failed to read key size for handle %u",
3038 conn->enc_key_size = 0;
3040 conn->enc_key_size = rp->key_size;
3043 hci_encrypt_cfm(conn, 0);
3046 hci_dev_unlock(hdev);
3049 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3051 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3052 struct hci_conn *conn;
3054 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3058 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3064 /* Encryption implies authentication */
3065 set_bit(HCI_CONN_AUTH, &conn->flags);
3066 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3067 conn->sec_level = conn->pending_sec_level;
3069 /* P-256 authentication key implies FIPS */
3070 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3071 set_bit(HCI_CONN_FIPS, &conn->flags);
3073 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3074 conn->type == LE_LINK)
3075 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3077 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3078 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3082 /* We should disregard the current RPA and generate a new one
3083 * whenever the encryption procedure fails.
3085 if (ev->status && conn->type == LE_LINK) {
3086 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3087 hci_adv_instances_set_rpa_expired(hdev, true);
3090 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3092 /* Check link security requirements are met */
3093 if (!hci_conn_check_link_mode(conn))
3094 ev->status = HCI_ERROR_AUTH_FAILURE;
3096 if (ev->status && conn->state == BT_CONNECTED) {
3097 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3098 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3100 /* Notify upper layers so they can cleanup before
3103 hci_encrypt_cfm(conn, ev->status);
3104 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3105 hci_conn_drop(conn);
3109 /* Try reading the encryption key size for encrypted ACL links */
3110 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3111 struct hci_cp_read_enc_key_size cp;
3112 struct hci_request req;
3114 /* Only send HCI_Read_Encryption_Key_Size if the
3115 * controller really supports it. If it doesn't, assume
3116 * the default size (16).
3118 if (!(hdev->commands[20] & 0x10)) {
3119 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3123 hci_req_init(&req, hdev);
3125 cp.handle = cpu_to_le16(conn->handle);
3126 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3128 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3129 bt_dev_err(hdev, "sending read key size failed");
3130 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3137 /* Set the default Authenticated Payload Timeout after
3138 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3139 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3140 * sent when the link is active and Encryption is enabled, the conn
3141 * type can be either LE or ACL and controller must support LMP Ping.
3142 * Ensure for AES-CCM encryption as well.
3144 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3145 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3146 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3147 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3148 struct hci_cp_write_auth_payload_to cp;
3150 cp.handle = cpu_to_le16(conn->handle);
3151 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3152 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3157 hci_encrypt_cfm(conn, ev->status);
3160 hci_dev_unlock(hdev);
3163 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3164 struct sk_buff *skb)
3166 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3167 struct hci_conn *conn;
3169 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3173 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3176 set_bit(HCI_CONN_SECURE, &conn->flags);
3178 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3180 hci_key_change_cfm(conn, ev->status);
3183 hci_dev_unlock(hdev);
3186 static void hci_remote_features_evt(struct hci_dev *hdev,
3187 struct sk_buff *skb)
3189 struct hci_ev_remote_features *ev = (void *) skb->data;
3190 struct hci_conn *conn;
3192 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3196 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3201 memcpy(conn->features[0], ev->features, 8);
3203 if (conn->state != BT_CONFIG)
3206 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3207 lmp_ext_feat_capable(conn)) {
3208 struct hci_cp_read_remote_ext_features cp;
3209 cp.handle = ev->handle;
3211 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3216 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3217 struct hci_cp_remote_name_req cp;
3218 memset(&cp, 0, sizeof(cp));
3219 bacpy(&cp.bdaddr, &conn->dst);
3220 cp.pscan_rep_mode = 0x02;
3221 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3222 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3223 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3225 if (!hci_outgoing_auth_needed(hdev, conn)) {
3226 conn->state = BT_CONNECTED;
3227 hci_connect_cfm(conn, ev->status);
3228 hci_conn_drop(conn);
3232 hci_dev_unlock(hdev);
3235 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3236 u16 *opcode, u8 *status,
3237 hci_req_complete_t *req_complete,
3238 hci_req_complete_skb_t *req_complete_skb)
3240 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3242 *opcode = __le16_to_cpu(ev->opcode);
3243 *status = skb->data[sizeof(*ev)];
3245 skb_pull(skb, sizeof(*ev));
3248 case HCI_OP_INQUIRY_CANCEL:
3249 hci_cc_inquiry_cancel(hdev, skb, status);
3252 case HCI_OP_PERIODIC_INQ:
3253 hci_cc_periodic_inq(hdev, skb);
3256 case HCI_OP_EXIT_PERIODIC_INQ:
3257 hci_cc_exit_periodic_inq(hdev, skb);
3260 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3261 hci_cc_remote_name_req_cancel(hdev, skb);
3264 case HCI_OP_ROLE_DISCOVERY:
3265 hci_cc_role_discovery(hdev, skb);
3268 case HCI_OP_READ_LINK_POLICY:
3269 hci_cc_read_link_policy(hdev, skb);
3272 case HCI_OP_WRITE_LINK_POLICY:
3273 hci_cc_write_link_policy(hdev, skb);
3276 case HCI_OP_READ_DEF_LINK_POLICY:
3277 hci_cc_read_def_link_policy(hdev, skb);
3280 case HCI_OP_WRITE_DEF_LINK_POLICY:
3281 hci_cc_write_def_link_policy(hdev, skb);
3285 hci_cc_reset(hdev, skb);
3288 case HCI_OP_READ_STORED_LINK_KEY:
3289 hci_cc_read_stored_link_key(hdev, skb);
3292 case HCI_OP_DELETE_STORED_LINK_KEY:
3293 hci_cc_delete_stored_link_key(hdev, skb);
3296 case HCI_OP_WRITE_LOCAL_NAME:
3297 hci_cc_write_local_name(hdev, skb);
3300 case HCI_OP_READ_LOCAL_NAME:
3301 hci_cc_read_local_name(hdev, skb);
3304 case HCI_OP_WRITE_AUTH_ENABLE:
3305 hci_cc_write_auth_enable(hdev, skb);
3308 case HCI_OP_WRITE_ENCRYPT_MODE:
3309 hci_cc_write_encrypt_mode(hdev, skb);
3312 case HCI_OP_WRITE_SCAN_ENABLE:
3313 hci_cc_write_scan_enable(hdev, skb);
3316 case HCI_OP_READ_CLASS_OF_DEV:
3317 hci_cc_read_class_of_dev(hdev, skb);
3320 case HCI_OP_WRITE_CLASS_OF_DEV:
3321 hci_cc_write_class_of_dev(hdev, skb);
3324 case HCI_OP_READ_VOICE_SETTING:
3325 hci_cc_read_voice_setting(hdev, skb);
3328 case HCI_OP_WRITE_VOICE_SETTING:
3329 hci_cc_write_voice_setting(hdev, skb);
3332 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3333 hci_cc_read_num_supported_iac(hdev, skb);
3336 case HCI_OP_WRITE_SSP_MODE:
3337 hci_cc_write_ssp_mode(hdev, skb);
3340 case HCI_OP_WRITE_SC_SUPPORT:
3341 hci_cc_write_sc_support(hdev, skb);
3344 case HCI_OP_READ_AUTH_PAYLOAD_TO:
3345 hci_cc_read_auth_payload_timeout(hdev, skb);
3348 case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3349 hci_cc_write_auth_payload_timeout(hdev, skb);
3352 case HCI_OP_READ_LOCAL_VERSION:
3353 hci_cc_read_local_version(hdev, skb);
3356 case HCI_OP_READ_LOCAL_COMMANDS:
3357 hci_cc_read_local_commands(hdev, skb);
3360 case HCI_OP_READ_LOCAL_FEATURES:
3361 hci_cc_read_local_features(hdev, skb);
3364 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3365 hci_cc_read_local_ext_features(hdev, skb);
3368 case HCI_OP_READ_BUFFER_SIZE:
3369 hci_cc_read_buffer_size(hdev, skb);
3372 case HCI_OP_READ_BD_ADDR:
3373 hci_cc_read_bd_addr(hdev, skb);
3376 case HCI_OP_READ_LOCAL_PAIRING_OPTS:
3377 hci_cc_read_local_pairing_opts(hdev, skb);
3380 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3381 hci_cc_read_page_scan_activity(hdev, skb);
3384 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3385 hci_cc_write_page_scan_activity(hdev, skb);
3388 case HCI_OP_READ_PAGE_SCAN_TYPE:
3389 hci_cc_read_page_scan_type(hdev, skb);
3392 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3393 hci_cc_write_page_scan_type(hdev, skb);
3396 case HCI_OP_READ_DATA_BLOCK_SIZE:
3397 hci_cc_read_data_block_size(hdev, skb);
3400 case HCI_OP_READ_FLOW_CONTROL_MODE:
3401 hci_cc_read_flow_control_mode(hdev, skb);
3404 case HCI_OP_READ_LOCAL_AMP_INFO:
3405 hci_cc_read_local_amp_info(hdev, skb);
3408 case HCI_OP_READ_CLOCK:
3409 hci_cc_read_clock(hdev, skb);
3412 case HCI_OP_READ_INQ_RSP_TX_POWER:
3413 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3416 case HCI_OP_READ_DEF_ERR_DATA_REPORTING:
3417 hci_cc_read_def_err_data_reporting(hdev, skb);
3420 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:
3421 hci_cc_write_def_err_data_reporting(hdev, skb);
3424 case HCI_OP_PIN_CODE_REPLY:
3425 hci_cc_pin_code_reply(hdev, skb);
3428 case HCI_OP_PIN_CODE_NEG_REPLY:
3429 hci_cc_pin_code_neg_reply(hdev, skb);
3432 case HCI_OP_READ_LOCAL_OOB_DATA:
3433 hci_cc_read_local_oob_data(hdev, skb);
3436 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3437 hci_cc_read_local_oob_ext_data(hdev, skb);
3440 case HCI_OP_LE_READ_BUFFER_SIZE:
3441 hci_cc_le_read_buffer_size(hdev, skb);
3444 case HCI_OP_LE_READ_LOCAL_FEATURES:
3445 hci_cc_le_read_local_features(hdev, skb);
3448 case HCI_OP_LE_READ_ADV_TX_POWER:
3449 hci_cc_le_read_adv_tx_power(hdev, skb);
3452 case HCI_OP_USER_CONFIRM_REPLY:
3453 hci_cc_user_confirm_reply(hdev, skb);
3456 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3457 hci_cc_user_confirm_neg_reply(hdev, skb);
3460 case HCI_OP_USER_PASSKEY_REPLY:
3461 hci_cc_user_passkey_reply(hdev, skb);
3464 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3465 hci_cc_user_passkey_neg_reply(hdev, skb);
3468 case HCI_OP_LE_SET_RANDOM_ADDR:
3469 hci_cc_le_set_random_addr(hdev, skb);
3472 case HCI_OP_LE_SET_ADV_ENABLE:
3473 hci_cc_le_set_adv_enable(hdev, skb);
3476 case HCI_OP_LE_SET_SCAN_PARAM:
3477 hci_cc_le_set_scan_param(hdev, skb);
3480 case HCI_OP_LE_SET_SCAN_ENABLE:
3481 hci_cc_le_set_scan_enable(hdev, skb);
3484 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3485 hci_cc_le_read_white_list_size(hdev, skb);
3488 case HCI_OP_LE_CLEAR_WHITE_LIST:
3489 hci_cc_le_clear_white_list(hdev, skb);
3492 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3493 hci_cc_le_add_to_white_list(hdev, skb);
3496 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3497 hci_cc_le_del_from_white_list(hdev, skb);
3500 case HCI_OP_LE_READ_SUPPORTED_STATES:
3501 hci_cc_le_read_supported_states(hdev, skb);
3504 case HCI_OP_LE_READ_DEF_DATA_LEN:
3505 hci_cc_le_read_def_data_len(hdev, skb);
3508 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3509 hci_cc_le_write_def_data_len(hdev, skb);
3512 case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3513 hci_cc_le_add_to_resolv_list(hdev, skb);
3516 case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3517 hci_cc_le_del_from_resolv_list(hdev, skb);
3520 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3521 hci_cc_le_clear_resolv_list(hdev, skb);
3524 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3525 hci_cc_le_read_resolv_list_size(hdev, skb);
3528 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3529 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3532 case HCI_OP_LE_READ_MAX_DATA_LEN:
3533 hci_cc_le_read_max_data_len(hdev, skb);
3536 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3537 hci_cc_write_le_host_supported(hdev, skb);
3540 case HCI_OP_LE_SET_ADV_PARAM:
3541 hci_cc_set_adv_param(hdev, skb);
3544 case HCI_OP_READ_RSSI:
3545 hci_cc_read_rssi(hdev, skb);
3548 case HCI_OP_READ_TX_POWER:
3549 hci_cc_read_tx_power(hdev, skb);
3552 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3553 hci_cc_write_ssp_debug_mode(hdev, skb);
3556 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3557 hci_cc_le_set_ext_scan_param(hdev, skb);
3560 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3561 hci_cc_le_set_ext_scan_enable(hdev, skb);
3564 case HCI_OP_LE_SET_DEFAULT_PHY:
3565 hci_cc_le_set_default_phy(hdev, skb);
3568 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3569 hci_cc_le_read_num_adv_sets(hdev, skb);
3572 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3573 hci_cc_set_ext_adv_param(hdev, skb);
3576 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3577 hci_cc_le_set_ext_adv_enable(hdev, skb);
3580 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3581 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3585 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3589 if (*opcode != HCI_OP_NOP)
3590 cancel_delayed_work(&hdev->cmd_timer);
3592 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3593 atomic_set(&hdev->cmd_cnt, 1);
3595 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3598 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3600 "unexpected event for opcode 0x%4.4x", *opcode);
3604 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3605 queue_work(hdev->workqueue, &hdev->cmd_work);
3608 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3609 u16 *opcode, u8 *status,
3610 hci_req_complete_t *req_complete,
3611 hci_req_complete_skb_t *req_complete_skb)
3613 struct hci_ev_cmd_status *ev = (void *) skb->data;
3615 skb_pull(skb, sizeof(*ev));
3617 *opcode = __le16_to_cpu(ev->opcode);
3618 *status = ev->status;
3621 case HCI_OP_INQUIRY:
3622 hci_cs_inquiry(hdev, ev->status);
3625 case HCI_OP_CREATE_CONN:
3626 hci_cs_create_conn(hdev, ev->status);
3629 case HCI_OP_DISCONNECT:
3630 hci_cs_disconnect(hdev, ev->status);
3633 case HCI_OP_ADD_SCO:
3634 hci_cs_add_sco(hdev, ev->status);
3637 case HCI_OP_AUTH_REQUESTED:
3638 hci_cs_auth_requested(hdev, ev->status);
3641 case HCI_OP_SET_CONN_ENCRYPT:
3642 hci_cs_set_conn_encrypt(hdev, ev->status);
3645 case HCI_OP_REMOTE_NAME_REQ:
3646 hci_cs_remote_name_req(hdev, ev->status);
3649 case HCI_OP_READ_REMOTE_FEATURES:
3650 hci_cs_read_remote_features(hdev, ev->status);
3653 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3654 hci_cs_read_remote_ext_features(hdev, ev->status);
3657 case HCI_OP_SETUP_SYNC_CONN:
3658 hci_cs_setup_sync_conn(hdev, ev->status);
3661 case HCI_OP_SNIFF_MODE:
3662 hci_cs_sniff_mode(hdev, ev->status);
3665 case HCI_OP_EXIT_SNIFF_MODE:
3666 hci_cs_exit_sniff_mode(hdev, ev->status);
3669 case HCI_OP_SWITCH_ROLE:
3670 hci_cs_switch_role(hdev, ev->status);
3673 case HCI_OP_LE_CREATE_CONN:
3674 hci_cs_le_create_conn(hdev, ev->status);
3677 case HCI_OP_LE_READ_REMOTE_FEATURES:
3678 hci_cs_le_read_remote_features(hdev, ev->status);
3681 case HCI_OP_LE_START_ENC:
3682 hci_cs_le_start_enc(hdev, ev->status);
3685 case HCI_OP_LE_EXT_CREATE_CONN:
3686 hci_cs_le_ext_create_conn(hdev, ev->status);
3690 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3694 if (*opcode != HCI_OP_NOP)
3695 cancel_delayed_work(&hdev->cmd_timer);
3697 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3698 atomic_set(&hdev->cmd_cnt, 1);
3700 /* Indicate request completion if the command failed. Also, if
3701 * we're not waiting for a special event and we get a success
3702 * command status we should try to flag the request as completed
3703 * (since for this kind of commands there will not be a command
3707 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3708 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3711 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3713 "unexpected event for opcode 0x%4.4x", *opcode);
3717 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3718 queue_work(hdev->workqueue, &hdev->cmd_work);
3721 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3723 struct hci_ev_hardware_error *ev = (void *) skb->data;
3725 hdev->hw_error_code = ev->code;
3727 queue_work(hdev->req_workqueue, &hdev->error_reset);
3730 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3732 struct hci_ev_role_change *ev = (void *) skb->data;
3733 struct hci_conn *conn;
3735 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3739 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3742 conn->role = ev->role;
3744 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3746 hci_role_switch_cfm(conn, ev->status, ev->role);
3749 hci_dev_unlock(hdev);
3752 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3754 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3757 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3758 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3762 if (skb->len < sizeof(*ev) ||
3763 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3764 BT_DBG("%s bad parameters", hdev->name);
3768 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3770 for (i = 0; i < ev->num_hndl; i++) {
3771 struct hci_comp_pkts_info *info = &ev->handles[i];
3772 struct hci_conn *conn;
3773 __u16 handle, count;
3775 handle = __le16_to_cpu(info->handle);
3776 count = __le16_to_cpu(info->count);
3778 conn = hci_conn_hash_lookup_handle(hdev, handle);
3782 conn->sent -= count;
3784 switch (conn->type) {
3786 hdev->acl_cnt += count;
3787 if (hdev->acl_cnt > hdev->acl_pkts)
3788 hdev->acl_cnt = hdev->acl_pkts;
3792 if (hdev->le_pkts) {
3793 hdev->le_cnt += count;
3794 if (hdev->le_cnt > hdev->le_pkts)
3795 hdev->le_cnt = hdev->le_pkts;
3797 hdev->acl_cnt += count;
3798 if (hdev->acl_cnt > hdev->acl_pkts)
3799 hdev->acl_cnt = hdev->acl_pkts;
3804 hdev->sco_cnt += count;
3805 if (hdev->sco_cnt > hdev->sco_pkts)
3806 hdev->sco_cnt = hdev->sco_pkts;
3810 bt_dev_err(hdev, "unknown type %d conn %p",
3816 queue_work(hdev->workqueue, &hdev->tx_work);
3819 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3822 struct hci_chan *chan;
3824 switch (hdev->dev_type) {
3826 return hci_conn_hash_lookup_handle(hdev, handle);
3828 chan = hci_chan_lookup_handle(hdev, handle);
3833 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3840 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3842 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3845 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3846 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3850 if (skb->len < sizeof(*ev) ||
3851 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3852 BT_DBG("%s bad parameters", hdev->name);
3856 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3859 for (i = 0; i < ev->num_hndl; i++) {
3860 struct hci_comp_blocks_info *info = &ev->handles[i];
3861 struct hci_conn *conn = NULL;
3862 __u16 handle, block_count;
3864 handle = __le16_to_cpu(info->handle);
3865 block_count = __le16_to_cpu(info->blocks);
3867 conn = __hci_conn_lookup_handle(hdev, handle);
3871 conn->sent -= block_count;
3873 switch (conn->type) {
3876 hdev->block_cnt += block_count;
3877 if (hdev->block_cnt > hdev->num_blocks)
3878 hdev->block_cnt = hdev->num_blocks;
3882 bt_dev_err(hdev, "unknown type %d conn %p",
3888 queue_work(hdev->workqueue, &hdev->tx_work);
3891 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3893 struct hci_ev_mode_change *ev = (void *) skb->data;
3894 struct hci_conn *conn;
3896 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3900 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3902 conn->mode = ev->mode;
3904 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3906 if (conn->mode == HCI_CM_ACTIVE)
3907 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3909 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3912 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3913 hci_sco_setup(conn, ev->status);
3916 hci_dev_unlock(hdev);
3919 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3921 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3922 struct hci_conn *conn;
3924 BT_DBG("%s", hdev->name);
3928 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3932 if (conn->state == BT_CONNECTED) {
3933 hci_conn_hold(conn);
3934 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3935 hci_conn_drop(conn);
3938 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3939 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3940 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3941 sizeof(ev->bdaddr), &ev->bdaddr);
3942 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3945 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3950 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3954 hci_dev_unlock(hdev);
3957 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3959 if (key_type == HCI_LK_CHANGED_COMBINATION)
3962 conn->pin_length = pin_len;
3963 conn->key_type = key_type;
3966 case HCI_LK_LOCAL_UNIT:
3967 case HCI_LK_REMOTE_UNIT:
3968 case HCI_LK_DEBUG_COMBINATION:
3970 case HCI_LK_COMBINATION:
3972 conn->pending_sec_level = BT_SECURITY_HIGH;
3974 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3976 case HCI_LK_UNAUTH_COMBINATION_P192:
3977 case HCI_LK_UNAUTH_COMBINATION_P256:
3978 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3980 case HCI_LK_AUTH_COMBINATION_P192:
3981 conn->pending_sec_level = BT_SECURITY_HIGH;
3983 case HCI_LK_AUTH_COMBINATION_P256:
3984 conn->pending_sec_level = BT_SECURITY_FIPS;
3989 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3991 struct hci_ev_link_key_req *ev = (void *) skb->data;
3992 struct hci_cp_link_key_reply cp;
3993 struct hci_conn *conn;
3994 struct link_key *key;
3996 BT_DBG("%s", hdev->name);
3998 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4003 key = hci_find_link_key(hdev, &ev->bdaddr);
4005 BT_DBG("%s link key not found for %pMR", hdev->name,
4010 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
4013 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4015 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4017 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4018 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4019 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4020 BT_DBG("%s ignoring unauthenticated key", hdev->name);
4024 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4025 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4026 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4027 BT_DBG("%s ignoring key unauthenticated for high security",
4032 conn_set_key(conn, key->type, key->pin_len);
4035 bacpy(&cp.bdaddr, &ev->bdaddr);
4036 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4038 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4040 hci_dev_unlock(hdev);
4045 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4046 hci_dev_unlock(hdev);
4049 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4051 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4052 struct hci_conn *conn;
4053 struct link_key *key;
4057 BT_DBG("%s", hdev->name);
4061 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4065 hci_conn_hold(conn);
4066 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4067 hci_conn_drop(conn);
4069 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4070 conn_set_key(conn, ev->key_type, conn->pin_length);
4072 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4075 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4076 ev->key_type, pin_len, &persistent);
4080 /* Update connection information since adding the key will have
4081 * fixed up the type in the case of changed combination keys.
4083 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4084 conn_set_key(conn, key->type, key->pin_len);
4086 mgmt_new_link_key(hdev, key, persistent);
4088 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4089 * is set. If it's not set simply remove the key from the kernel
4090 * list (we've still notified user space about it but with
4091 * store_hint being 0).
4093 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4094 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4095 list_del_rcu(&key->list);
4096 kfree_rcu(key, rcu);
4101 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4103 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4106 hci_dev_unlock(hdev);
4109 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4111 struct hci_ev_clock_offset *ev = (void *) skb->data;
4112 struct hci_conn *conn;
4114 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4118 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4119 if (conn && !ev->status) {
4120 struct inquiry_entry *ie;
4122 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4124 ie->data.clock_offset = ev->clock_offset;
4125 ie->timestamp = jiffies;
4129 hci_dev_unlock(hdev);
4132 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4134 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4135 struct hci_conn *conn;
4137 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4141 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4142 if (conn && !ev->status)
4143 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4145 hci_dev_unlock(hdev);
4148 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4150 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4151 struct inquiry_entry *ie;
4153 BT_DBG("%s", hdev->name);
4157 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4159 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4160 ie->timestamp = jiffies;
4163 hci_dev_unlock(hdev);
4166 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4167 struct sk_buff *skb)
4169 struct inquiry_data data;
4170 int num_rsp = *((__u8 *) skb->data);
4172 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4177 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4182 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4183 struct inquiry_info_with_rssi_and_pscan_mode *info;
4184 info = (void *) (skb->data + 1);
4186 if (skb->len < num_rsp * sizeof(*info) + 1)
4189 for (; num_rsp; num_rsp--, info++) {
4192 bacpy(&data.bdaddr, &info->bdaddr);
4193 data.pscan_rep_mode = info->pscan_rep_mode;
4194 data.pscan_period_mode = info->pscan_period_mode;
4195 data.pscan_mode = info->pscan_mode;
4196 memcpy(data.dev_class, info->dev_class, 3);
4197 data.clock_offset = info->clock_offset;
4198 data.rssi = info->rssi;
4199 data.ssp_mode = 0x00;
4201 flags = hci_inquiry_cache_update(hdev, &data, false);
4203 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4204 info->dev_class, info->rssi,
4205 flags, NULL, 0, NULL, 0);
4208 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4210 if (skb->len < num_rsp * sizeof(*info) + 1)
4213 for (; num_rsp; num_rsp--, info++) {
4216 bacpy(&data.bdaddr, &info->bdaddr);
4217 data.pscan_rep_mode = info->pscan_rep_mode;
4218 data.pscan_period_mode = info->pscan_period_mode;
4219 data.pscan_mode = 0x00;
4220 memcpy(data.dev_class, info->dev_class, 3);
4221 data.clock_offset = info->clock_offset;
4222 data.rssi = info->rssi;
4223 data.ssp_mode = 0x00;
4225 flags = hci_inquiry_cache_update(hdev, &data, false);
4227 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4228 info->dev_class, info->rssi,
4229 flags, NULL, 0, NULL, 0);
4234 hci_dev_unlock(hdev);
4237 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4238 struct sk_buff *skb)
4240 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4241 struct hci_conn *conn;
4243 BT_DBG("%s", hdev->name);
4247 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4251 if (ev->page < HCI_MAX_PAGES)
4252 memcpy(conn->features[ev->page], ev->features, 8);
4254 if (!ev->status && ev->page == 0x01) {
4255 struct inquiry_entry *ie;
4257 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4259 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4261 if (ev->features[0] & LMP_HOST_SSP) {
4262 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4264 /* It is mandatory by the Bluetooth specification that
4265 * Extended Inquiry Results are only used when Secure
4266 * Simple Pairing is enabled, but some devices violate
4269 * To make these devices work, the internal SSP
4270 * enabled flag needs to be cleared if the remote host
4271 * features do not indicate SSP support */
4272 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4275 if (ev->features[0] & LMP_HOST_SC)
4276 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4279 if (conn->state != BT_CONFIG)
4282 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4283 struct hci_cp_remote_name_req cp;
4284 memset(&cp, 0, sizeof(cp));
4285 bacpy(&cp.bdaddr, &conn->dst);
4286 cp.pscan_rep_mode = 0x02;
4287 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4288 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4289 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4291 if (!hci_outgoing_auth_needed(hdev, conn)) {
4292 conn->state = BT_CONNECTED;
4293 hci_connect_cfm(conn, ev->status);
4294 hci_conn_drop(conn);
4298 hci_dev_unlock(hdev);
4301 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4302 struct sk_buff *skb)
4304 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4305 struct hci_conn *conn;
4307 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4311 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4313 if (ev->link_type == ESCO_LINK)
4316 /* When the link type in the event indicates SCO connection
4317 * and lookup of the connection object fails, then check
4318 * if an eSCO connection object exists.
4320 * The core limits the synchronous connections to either
4321 * SCO or eSCO. The eSCO connection is preferred and tried
4322 * to be setup first and until successfully established,
4323 * the link type will be hinted as eSCO.
4325 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4330 switch (ev->status) {
4332 conn->handle = __le16_to_cpu(ev->handle);
4333 conn->state = BT_CONNECTED;
4334 conn->type = ev->link_type;
4336 hci_debugfs_create_conn(conn);
4337 hci_conn_add_sysfs(conn);
4340 case 0x10: /* Connection Accept Timeout */
4341 case 0x0d: /* Connection Rejected due to Limited Resources */
4342 case 0x11: /* Unsupported Feature or Parameter Value */
4343 case 0x1c: /* SCO interval rejected */
4344 case 0x1a: /* Unsupported Remote Feature */
4345 case 0x1e: /* Invalid LMP Parameters */
4346 case 0x1f: /* Unspecified error */
4347 case 0x20: /* Unsupported LMP Parameter value */
4349 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4350 (hdev->esco_type & EDR_ESCO_MASK);
4351 if (hci_setup_sync(conn, conn->link->handle))
4357 conn->state = BT_CLOSED;
4361 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4363 switch (conn->setting & SCO_AIRMODE_MASK) {
4364 case SCO_AIRMODE_CVSD:
4366 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
4368 case SCO_AIRMODE_TRANSP:
4370 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
4374 hci_connect_cfm(conn, ev->status);
4379 hci_dev_unlock(hdev);
4382 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4386 while (parsed < eir_len) {
4387 u8 field_len = eir[0];
4392 parsed += field_len + 1;
4393 eir += field_len + 1;
4399 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4400 struct sk_buff *skb)
4402 struct inquiry_data data;
4403 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4404 int num_rsp = *((__u8 *) skb->data);
4407 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4409 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
4412 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4417 for (; num_rsp; num_rsp--, info++) {
4421 bacpy(&data.bdaddr, &info->bdaddr);
4422 data.pscan_rep_mode = info->pscan_rep_mode;
4423 data.pscan_period_mode = info->pscan_period_mode;
4424 data.pscan_mode = 0x00;
4425 memcpy(data.dev_class, info->dev_class, 3);
4426 data.clock_offset = info->clock_offset;
4427 data.rssi = info->rssi;
4428 data.ssp_mode = 0x01;
4430 if (hci_dev_test_flag(hdev, HCI_MGMT))
4431 name_known = eir_get_data(info->data,
4433 EIR_NAME_COMPLETE, NULL);
4437 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4439 eir_len = eir_get_length(info->data, sizeof(info->data));
4441 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4442 info->dev_class, info->rssi,
4443 flags, info->data, eir_len, NULL, 0);
4446 hci_dev_unlock(hdev);
4449 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4450 struct sk_buff *skb)
4452 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4453 struct hci_conn *conn;
4455 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4456 __le16_to_cpu(ev->handle));
4460 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4464 /* For BR/EDR the necessary steps are taken through the
4465 * auth_complete event.
4467 if (conn->type != LE_LINK)
4471 conn->sec_level = conn->pending_sec_level;
4473 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4475 if (ev->status && conn->state == BT_CONNECTED) {
4476 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4477 hci_conn_drop(conn);
4481 if (conn->state == BT_CONFIG) {
4483 conn->state = BT_CONNECTED;
4485 hci_connect_cfm(conn, ev->status);
4486 hci_conn_drop(conn);
4488 hci_auth_cfm(conn, ev->status);
4490 hci_conn_hold(conn);
4491 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4492 hci_conn_drop(conn);
4496 hci_dev_unlock(hdev);
4499 static u8 hci_get_auth_req(struct hci_conn *conn)
4501 /* If remote requests no-bonding follow that lead */
4502 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4503 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4504 return conn->remote_auth | (conn->auth_type & 0x01);
4506 /* If both remote and local have enough IO capabilities, require
4509 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4510 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4511 return conn->remote_auth | 0x01;
4513 /* No MITM protection possible so ignore remote requirement */
4514 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4517 static u8 bredr_oob_data_present(struct hci_conn *conn)
4519 struct hci_dev *hdev = conn->hdev;
4520 struct oob_data *data;
4522 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4526 if (bredr_sc_enabled(hdev)) {
4527 /* When Secure Connections is enabled, then just
4528 * return the present value stored with the OOB
4529 * data. The stored value contains the right present
4530 * information. However it can only be trusted when
4531 * not in Secure Connection Only mode.
4533 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4534 return data->present;
4536 /* When Secure Connections Only mode is enabled, then
4537 * the P-256 values are required. If they are not
4538 * available, then do not declare that OOB data is
4541 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4542 !memcmp(data->hash256, ZERO_KEY, 16))
4548 /* When Secure Connections is not enabled or actually
4549 * not supported by the hardware, then check that if
4550 * P-192 data values are present.
4552 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4553 !memcmp(data->hash192, ZERO_KEY, 16))
4559 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4561 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4562 struct hci_conn *conn;
4564 BT_DBG("%s", hdev->name);
4568 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4572 hci_conn_hold(conn);
4574 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4577 /* Allow pairing if we're pairable, the initiators of the
4578 * pairing or if the remote is not requesting bonding.
4580 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4581 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4582 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4583 struct hci_cp_io_capability_reply cp;
4585 bacpy(&cp.bdaddr, &ev->bdaddr);
4586 /* Change the IO capability from KeyboardDisplay
4587 * to DisplayYesNo as it is not supported by BT spec. */
4588 cp.capability = (conn->io_capability == 0x04) ?
4589 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4591 /* If we are initiators, there is no remote information yet */
4592 if (conn->remote_auth == 0xff) {
4593 /* Request MITM protection if our IO caps allow it
4594 * except for the no-bonding case.
4596 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4597 conn->auth_type != HCI_AT_NO_BONDING)
4598 conn->auth_type |= 0x01;
4600 conn->auth_type = hci_get_auth_req(conn);
4603 /* If we're not bondable, force one of the non-bondable
4604 * authentication requirement values.
4606 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4607 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4609 cp.authentication = conn->auth_type;
4610 cp.oob_data = bredr_oob_data_present(conn);
4612 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4615 struct hci_cp_io_capability_neg_reply cp;
4617 bacpy(&cp.bdaddr, &ev->bdaddr);
4618 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4620 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4625 hci_dev_unlock(hdev);
4628 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4630 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4631 struct hci_conn *conn;
4633 BT_DBG("%s", hdev->name);
4637 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4641 conn->remote_cap = ev->capability;
4642 conn->remote_auth = ev->authentication;
4645 hci_dev_unlock(hdev);
4648 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4649 struct sk_buff *skb)
4651 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4652 int loc_mitm, rem_mitm, confirm_hint = 0;
4653 struct hci_conn *conn;
4655 BT_DBG("%s", hdev->name);
4659 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4662 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4666 loc_mitm = (conn->auth_type & 0x01);
4667 rem_mitm = (conn->remote_auth & 0x01);
4669 /* If we require MITM but the remote device can't provide that
4670 * (it has NoInputNoOutput) then reject the confirmation
4671 * request. We check the security level here since it doesn't
4672 * necessarily match conn->auth_type.
4674 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4675 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4676 BT_DBG("Rejecting request: remote device can't provide MITM");
4677 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4678 sizeof(ev->bdaddr), &ev->bdaddr);
4682 /* If no side requires MITM protection; auto-accept */
4683 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4684 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4686 /* If we're not the initiators request authorization to
4687 * proceed from user space (mgmt_user_confirm with
4688 * confirm_hint set to 1). The exception is if neither
4689 * side had MITM or if the local IO capability is
4690 * NoInputNoOutput, in which case we do auto-accept
4692 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4693 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4694 (loc_mitm || rem_mitm)) {
4695 BT_DBG("Confirming auto-accept as acceptor");
4700 /* If there already exists link key in local host, leave the
4701 * decision to user space since the remote device could be
4702 * legitimate or malicious.
4704 if (hci_find_link_key(hdev, &ev->bdaddr)) {
4705 bt_dev_dbg(hdev, "Local host already has link key");
4710 BT_DBG("Auto-accept of user confirmation with %ums delay",
4711 hdev->auto_accept_delay);
4713 if (hdev->auto_accept_delay > 0) {
4714 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4715 queue_delayed_work(conn->hdev->workqueue,
4716 &conn->auto_accept_work, delay);
4720 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4721 sizeof(ev->bdaddr), &ev->bdaddr);
4726 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4727 le32_to_cpu(ev->passkey), confirm_hint);
4730 hci_dev_unlock(hdev);
4733 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4734 struct sk_buff *skb)
4736 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4738 BT_DBG("%s", hdev->name);
4740 if (hci_dev_test_flag(hdev, HCI_MGMT))
4741 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4744 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4745 struct sk_buff *skb)
4747 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4748 struct hci_conn *conn;
4750 BT_DBG("%s", hdev->name);
4752 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4756 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4757 conn->passkey_entered = 0;
4759 if (hci_dev_test_flag(hdev, HCI_MGMT))
4760 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4761 conn->dst_type, conn->passkey_notify,
4762 conn->passkey_entered);
4765 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4767 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4768 struct hci_conn *conn;
4770 BT_DBG("%s", hdev->name);
4772 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4777 case HCI_KEYPRESS_STARTED:
4778 conn->passkey_entered = 0;
4781 case HCI_KEYPRESS_ENTERED:
4782 conn->passkey_entered++;
4785 case HCI_KEYPRESS_ERASED:
4786 conn->passkey_entered--;
4789 case HCI_KEYPRESS_CLEARED:
4790 conn->passkey_entered = 0;
4793 case HCI_KEYPRESS_COMPLETED:
4797 if (hci_dev_test_flag(hdev, HCI_MGMT))
4798 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4799 conn->dst_type, conn->passkey_notify,
4800 conn->passkey_entered);
4803 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4804 struct sk_buff *skb)
4806 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4807 struct hci_conn *conn;
4809 BT_DBG("%s", hdev->name);
4813 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4817 /* Reset the authentication requirement to unknown */
4818 conn->remote_auth = 0xff;
4820 /* To avoid duplicate auth_failed events to user space we check
4821 * the HCI_CONN_AUTH_PEND flag which will be set if we
4822 * initiated the authentication. A traditional auth_complete
4823 * event gets always produced as initiator and is also mapped to
4824 * the mgmt_auth_failed event */
4825 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4826 mgmt_auth_failed(conn, ev->status);
4828 hci_conn_drop(conn);
4831 hci_dev_unlock(hdev);
4834 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4835 struct sk_buff *skb)
4837 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4838 struct inquiry_entry *ie;
4839 struct hci_conn *conn;
4841 BT_DBG("%s", hdev->name);
4845 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4847 memcpy(conn->features[1], ev->features, 8);
4849 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4851 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4853 hci_dev_unlock(hdev);
4856 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4857 struct sk_buff *skb)
4859 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4860 struct oob_data *data;
4862 BT_DBG("%s", hdev->name);
4866 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4869 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4871 struct hci_cp_remote_oob_data_neg_reply cp;
4873 bacpy(&cp.bdaddr, &ev->bdaddr);
4874 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4879 if (bredr_sc_enabled(hdev)) {
4880 struct hci_cp_remote_oob_ext_data_reply cp;
4882 bacpy(&cp.bdaddr, &ev->bdaddr);
4883 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4884 memset(cp.hash192, 0, sizeof(cp.hash192));
4885 memset(cp.rand192, 0, sizeof(cp.rand192));
4887 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4888 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4890 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4891 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4893 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4896 struct hci_cp_remote_oob_data_reply cp;
4898 bacpy(&cp.bdaddr, &ev->bdaddr);
4899 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4900 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4902 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4907 hci_dev_unlock(hdev);
4910 #if IS_ENABLED(CONFIG_BT_HS)
4911 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4913 struct hci_ev_channel_selected *ev = (void *)skb->data;
4914 struct hci_conn *hcon;
4916 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4918 skb_pull(skb, sizeof(*ev));
4920 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4924 amp_read_loc_assoc_final_data(hdev, hcon);
4927 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4928 struct sk_buff *skb)
4930 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4931 struct hci_conn *hcon, *bredr_hcon;
4933 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4938 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4940 hci_dev_unlock(hdev);
4946 hci_dev_unlock(hdev);
4950 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4952 hcon->state = BT_CONNECTED;
4953 bacpy(&hcon->dst, &bredr_hcon->dst);
4955 hci_conn_hold(hcon);
4956 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4957 hci_conn_drop(hcon);
4959 hci_debugfs_create_conn(hcon);
4960 hci_conn_add_sysfs(hcon);
4962 amp_physical_cfm(bredr_hcon, hcon);
4964 hci_dev_unlock(hdev);
4967 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4969 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4970 struct hci_conn *hcon;
4971 struct hci_chan *hchan;
4972 struct amp_mgr *mgr;
4974 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4975 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4978 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4982 /* Create AMP hchan */
4983 hchan = hci_chan_create(hcon);
4987 hchan->handle = le16_to_cpu(ev->handle);
4989 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4991 mgr = hcon->amp_mgr;
4992 if (mgr && mgr->bredr_chan) {
4993 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4995 l2cap_chan_lock(bredr_chan);
4997 bredr_chan->conn->mtu = hdev->block_mtu;
4998 l2cap_logical_cfm(bredr_chan, hchan, 0);
4999 hci_conn_hold(hcon);
5001 l2cap_chan_unlock(bredr_chan);
5005 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
5006 struct sk_buff *skb)
5008 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
5009 struct hci_chan *hchan;
5011 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
5012 le16_to_cpu(ev->handle), ev->status);
5019 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5023 amp_destroy_logical_link(hchan, ev->reason);
5026 hci_dev_unlock(hdev);
5029 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
5030 struct sk_buff *skb)
5032 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
5033 struct hci_conn *hcon;
5035 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5042 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5044 hcon->state = BT_CLOSED;
5048 hci_dev_unlock(hdev);
5052 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5053 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
5054 u16 interval, u16 latency, u16 supervision_timeout)
5056 struct hci_conn_params *params;
5057 struct hci_conn *conn;
5058 struct smp_irk *irk;
5063 /* All controllers implicitly stop advertising in the event of a
5064 * connection, so ensure that the state bit is cleared.
5066 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5068 conn = hci_lookup_le_connect(hdev);
5070 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5072 bt_dev_err(hdev, "no memory for new connection");
5076 conn->dst_type = bdaddr_type;
5078 /* If we didn't have a hci_conn object previously
5079 * but we're in master role this must be something
5080 * initiated using a white list. Since white list based
5081 * connections are not "first class citizens" we don't
5082 * have full tracking of them. Therefore, we go ahead
5083 * with a "best effort" approach of determining the
5084 * initiator address based on the HCI_PRIVACY flag.
5087 conn->resp_addr_type = bdaddr_type;
5088 bacpy(&conn->resp_addr, bdaddr);
5089 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5090 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5091 bacpy(&conn->init_addr, &hdev->rpa);
5093 hci_copy_identity_address(hdev,
5095 &conn->init_addr_type);
5099 cancel_delayed_work(&conn->le_conn_timeout);
5103 /* Set the responder (our side) address type based on
5104 * the advertising address type.
5106 conn->resp_addr_type = hdev->adv_addr_type;
5107 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5108 /* In case of ext adv, resp_addr will be updated in
5109 * Adv Terminated event.
5111 if (!ext_adv_capable(hdev))
5112 bacpy(&conn->resp_addr, &hdev->random_addr);
5114 bacpy(&conn->resp_addr, &hdev->bdaddr);
5117 conn->init_addr_type = bdaddr_type;
5118 bacpy(&conn->init_addr, bdaddr);
5120 /* For incoming connections, set the default minimum
5121 * and maximum connection interval. They will be used
5122 * to check if the parameters are in range and if not
5123 * trigger the connection update procedure.
5125 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5126 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5129 /* Lookup the identity address from the stored connection
5130 * address and address type.
5132 * When establishing connections to an identity address, the
5133 * connection procedure will store the resolvable random
5134 * address first. Now if it can be converted back into the
5135 * identity address, start using the identity address from
5138 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5140 bacpy(&conn->dst, &irk->bdaddr);
5141 conn->dst_type = irk->addr_type;
5145 hci_le_conn_failed(conn, status);
5149 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5150 addr_type = BDADDR_LE_PUBLIC;
5152 addr_type = BDADDR_LE_RANDOM;
5154 /* Drop the connection if the device is blocked */
5155 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5156 hci_conn_drop(conn);
5160 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5161 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5163 conn->sec_level = BT_SECURITY_LOW;
5164 conn->handle = handle;
5165 conn->state = BT_CONFIG;
5167 conn->le_conn_interval = interval;
5168 conn->le_conn_latency = latency;
5169 conn->le_supv_timeout = supervision_timeout;
5171 hci_debugfs_create_conn(conn);
5172 hci_conn_add_sysfs(conn);
5174 /* The remote features procedure is defined for master
5175 * role only. So only in case of an initiated connection
5176 * request the remote features.
5178 * If the local controller supports slave-initiated features
5179 * exchange, then requesting the remote features in slave
5180 * role is possible. Otherwise just transition into the
5181 * connected state without requesting the remote features.
5184 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5185 struct hci_cp_le_read_remote_features cp;
5187 cp.handle = __cpu_to_le16(conn->handle);
5189 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5192 hci_conn_hold(conn);
5194 conn->state = BT_CONNECTED;
5195 hci_connect_cfm(conn, status);
5198 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5201 list_del_init(¶ms->action);
5203 hci_conn_drop(params->conn);
5204 hci_conn_put(params->conn);
5205 params->conn = NULL;
5210 hci_update_background_scan(hdev);
5211 hci_dev_unlock(hdev);
5214 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5216 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5218 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5220 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5221 ev->role, le16_to_cpu(ev->handle),
5222 le16_to_cpu(ev->interval),
5223 le16_to_cpu(ev->latency),
5224 le16_to_cpu(ev->supervision_timeout));
5227 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5228 struct sk_buff *skb)
5230 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5232 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5234 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5235 ev->role, le16_to_cpu(ev->handle),
5236 le16_to_cpu(ev->interval),
5237 le16_to_cpu(ev->latency),
5238 le16_to_cpu(ev->supervision_timeout));
5240 if (use_ll_privacy(hdev) &&
5241 hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&
5242 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
5243 hci_req_disable_address_resolution(hdev);
5246 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5248 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5249 struct hci_conn *conn;
5251 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5256 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5258 struct adv_info *adv_instance;
5260 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5263 if (!hdev->cur_adv_instance) {
5264 bacpy(&conn->resp_addr, &hdev->random_addr);
5268 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5270 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5274 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5275 struct sk_buff *skb)
5277 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5278 struct hci_conn *conn;
5280 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5287 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5289 conn->le_conn_interval = le16_to_cpu(ev->interval);
5290 conn->le_conn_latency = le16_to_cpu(ev->latency);
5291 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5294 hci_dev_unlock(hdev);
5297 /* This function requires the caller holds hdev->lock */
5298 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5300 u8 addr_type, u8 adv_type,
5301 bdaddr_t *direct_rpa)
5303 struct hci_conn *conn;
5304 struct hci_conn_params *params;
5306 /* If the event is not connectable don't proceed further */
5307 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5310 /* Ignore if the device is blocked */
5311 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5314 /* Most controller will fail if we try to create new connections
5315 * while we have an existing one in slave role.
5317 if (hdev->conn_hash.le_num_slave > 0 &&
5318 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5319 !(hdev->le_states[3] & 0x10)))
5322 /* If we're not connectable only connect devices that we have in
5323 * our pend_le_conns list.
5325 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5330 if (!params->explicit_connect) {
5331 switch (params->auto_connect) {
5332 case HCI_AUTO_CONN_DIRECT:
5333 /* Only devices advertising with ADV_DIRECT_IND are
5334 * triggering a connection attempt. This is allowing
5335 * incoming connections from slave devices.
5337 if (adv_type != LE_ADV_DIRECT_IND)
5340 case HCI_AUTO_CONN_ALWAYS:
5341 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5342 * are triggering a connection attempt. This means
5343 * that incoming connections from slave device are
5344 * accepted and also outgoing connections to slave
5345 * devices are established when found.
5353 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5354 hdev->def_le_autoconnect_timeout, HCI_ROLE_MASTER,
5356 if (!IS_ERR(conn)) {
5357 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5358 * by higher layer that tried to connect, if no then
5359 * store the pointer since we don't really have any
5360 * other owner of the object besides the params that
5361 * triggered it. This way we can abort the connection if
5362 * the parameters get removed and keep the reference
5363 * count consistent once the connection is established.
5366 if (!params->explicit_connect)
5367 params->conn = hci_conn_get(conn);
5372 switch (PTR_ERR(conn)) {
5374 /* If hci_connect() returns -EBUSY it means there is already
5375 * an LE connection attempt going on. Since controllers don't
5376 * support more than one connection attempt at the time, we
5377 * don't consider this an error case.
5381 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5388 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5389 u8 bdaddr_type, bdaddr_t *direct_addr,
5390 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
5393 struct discovery_state *d = &hdev->discovery;
5394 struct smp_irk *irk;
5395 struct hci_conn *conn;
5402 case LE_ADV_DIRECT_IND:
5403 case LE_ADV_SCAN_IND:
5404 case LE_ADV_NONCONN_IND:
5405 case LE_ADV_SCAN_RSP:
5408 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5409 "type: 0x%02x", type);
5413 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
5414 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
5418 /* Find the end of the data in case the report contains padded zero
5419 * bytes at the end causing an invalid length value.
5421 * When data is NULL, len is 0 so there is no need for extra ptr
5422 * check as 'ptr < data + 0' is already false in such case.
5424 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5425 if (ptr + 1 + *ptr > data + len)
5429 real_len = ptr - data;
5431 /* Adjust for actual length */
5432 if (len != real_len) {
5433 bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u",
5438 /* If the direct address is present, then this report is from
5439 * a LE Direct Advertising Report event. In that case it is
5440 * important to see if the address is matching the local
5441 * controller address.
5444 /* Only resolvable random addresses are valid for these
5445 * kind of reports and others can be ignored.
5447 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5450 /* If the controller is not using resolvable random
5451 * addresses, then this report can be ignored.
5453 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5456 /* If the local IRK of the controller does not match
5457 * with the resolvable random address provided, then
5458 * this report can be ignored.
5460 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5464 /* Check if we need to convert to identity address */
5465 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5467 bdaddr = &irk->bdaddr;
5468 bdaddr_type = irk->addr_type;
5471 /* Check if we have been requested to connect to this device.
5473 * direct_addr is set only for directed advertising reports (it is NULL
5474 * for advertising reports) and is already verified to be RPA above.
5476 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5478 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
5479 /* Store report for later inclusion by
5480 * mgmt_device_connected
5482 memcpy(conn->le_adv_data, data, len);
5483 conn->le_adv_data_len = len;
5486 /* Passive scanning shouldn't trigger any device found events,
5487 * except for devices marked as CONN_REPORT for which we do send
5488 * device found events, or advertisement monitoring requested.
5490 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5491 if (type == LE_ADV_DIRECT_IND)
5494 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5495 bdaddr, bdaddr_type) &&
5496 idr_is_empty(&hdev->adv_monitors_idr))
5499 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5500 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5503 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5504 rssi, flags, data, len, NULL, 0);
5508 /* When receiving non-connectable or scannable undirected
5509 * advertising reports, this means that the remote device is
5510 * not connectable and then clearly indicate this in the
5511 * device found event.
5513 * When receiving a scan response, then there is no way to
5514 * know if the remote device is connectable or not. However
5515 * since scan responses are merged with a previously seen
5516 * advertising report, the flags field from that report
5519 * In the really unlikely case that a controller get confused
5520 * and just sends a scan response event, then it is marked as
5521 * not connectable as well.
5523 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5524 type == LE_ADV_SCAN_RSP)
5525 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5529 /* If there's nothing pending either store the data from this
5530 * event or send an immediate device found event if the data
5531 * should not be stored for later.
5533 if (!ext_adv && !has_pending_adv_report(hdev)) {
5534 /* If the report will trigger a SCAN_REQ store it for
5537 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5538 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5539 rssi, flags, data, len);
5543 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5544 rssi, flags, data, len, NULL, 0);
5548 /* Check if the pending report is for the same device as the new one */
5549 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5550 bdaddr_type == d->last_adv_addr_type);
5552 /* If the pending data doesn't match this report or this isn't a
5553 * scan response (e.g. we got a duplicate ADV_IND) then force
5554 * sending of the pending data.
5556 if (type != LE_ADV_SCAN_RSP || !match) {
5557 /* Send out whatever is in the cache, but skip duplicates */
5559 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5560 d->last_adv_addr_type, NULL,
5561 d->last_adv_rssi, d->last_adv_flags,
5563 d->last_adv_data_len, NULL, 0);
5565 /* If the new report will trigger a SCAN_REQ store it for
5568 if (!ext_adv && (type == LE_ADV_IND ||
5569 type == LE_ADV_SCAN_IND)) {
5570 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5571 rssi, flags, data, len);
5575 /* The advertising reports cannot be merged, so clear
5576 * the pending report and send out a device found event.
5578 clear_pending_adv_report(hdev);
5579 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5580 rssi, flags, data, len, NULL, 0);
5584 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5585 * the new event is a SCAN_RSP. We can therefore proceed with
5586 * sending a merged device found event.
5588 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5589 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5590 d->last_adv_data, d->last_adv_data_len, data, len);
5591 clear_pending_adv_report(hdev);
5594 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5596 u8 num_reports = skb->data[0];
5597 void *ptr = &skb->data[1];
5601 while (num_reports--) {
5602 struct hci_ev_le_advertising_info *ev = ptr;
5605 if (ev->length <= HCI_MAX_AD_LENGTH) {
5606 rssi = ev->data[ev->length];
5607 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5608 ev->bdaddr_type, NULL, 0, rssi,
5609 ev->data, ev->length, false);
5611 bt_dev_err(hdev, "Dropping invalid advertising data");
5614 ptr += sizeof(*ev) + ev->length + 1;
5617 hci_dev_unlock(hdev);
5620 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
5622 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5624 case LE_LEGACY_ADV_IND:
5626 case LE_LEGACY_ADV_DIRECT_IND:
5627 return LE_ADV_DIRECT_IND;
5628 case LE_LEGACY_ADV_SCAN_IND:
5629 return LE_ADV_SCAN_IND;
5630 case LE_LEGACY_NONCONN_IND:
5631 return LE_ADV_NONCONN_IND;
5632 case LE_LEGACY_SCAN_RSP_ADV:
5633 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5634 return LE_ADV_SCAN_RSP;
5640 if (evt_type & LE_EXT_ADV_CONN_IND) {
5641 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5642 return LE_ADV_DIRECT_IND;
5647 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5648 return LE_ADV_SCAN_RSP;
5650 if (evt_type & LE_EXT_ADV_SCAN_IND)
5651 return LE_ADV_SCAN_IND;
5653 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5654 evt_type & LE_EXT_ADV_DIRECT_IND)
5655 return LE_ADV_NONCONN_IND;
5658 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
5661 return LE_ADV_INVALID;
5664 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5666 u8 num_reports = skb->data[0];
5667 void *ptr = &skb->data[1];
5671 while (num_reports--) {
5672 struct hci_ev_le_ext_adv_report *ev = ptr;
5676 evt_type = __le16_to_cpu(ev->evt_type);
5677 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
5678 if (legacy_evt_type != LE_ADV_INVALID) {
5679 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5680 ev->bdaddr_type, NULL, 0, ev->rssi,
5681 ev->data, ev->length,
5682 !(evt_type & LE_EXT_ADV_LEGACY_PDU));
5685 ptr += sizeof(*ev) + ev->length;
5688 hci_dev_unlock(hdev);
5691 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5692 struct sk_buff *skb)
5694 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5695 struct hci_conn *conn;
5697 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5701 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5704 memcpy(conn->features[0], ev->features, 8);
5706 if (conn->state == BT_CONFIG) {
5709 /* If the local controller supports slave-initiated
5710 * features exchange, but the remote controller does
5711 * not, then it is possible that the error code 0x1a
5712 * for unsupported remote feature gets returned.
5714 * In this specific case, allow the connection to
5715 * transition into connected state and mark it as
5718 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5719 !conn->out && ev->status == 0x1a)
5722 status = ev->status;
5724 conn->state = BT_CONNECTED;
5725 hci_connect_cfm(conn, status);
5726 hci_conn_drop(conn);
5730 hci_dev_unlock(hdev);
5733 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5735 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5736 struct hci_cp_le_ltk_reply cp;
5737 struct hci_cp_le_ltk_neg_reply neg;
5738 struct hci_conn *conn;
5739 struct smp_ltk *ltk;
5741 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5745 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5749 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5753 if (smp_ltk_is_sc(ltk)) {
5754 /* With SC both EDiv and Rand are set to zero */
5755 if (ev->ediv || ev->rand)
5758 /* For non-SC keys check that EDiv and Rand match */
5759 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5763 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5764 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5765 cp.handle = cpu_to_le16(conn->handle);
5767 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5769 conn->enc_key_size = ltk->enc_size;
5771 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5773 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5774 * temporary key used to encrypt a connection following
5775 * pairing. It is used during the Encrypted Session Setup to
5776 * distribute the keys. Later, security can be re-established
5777 * using a distributed LTK.
5779 if (ltk->type == SMP_STK) {
5780 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5781 list_del_rcu(<k->list);
5782 kfree_rcu(ltk, rcu);
5784 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5787 hci_dev_unlock(hdev);
5792 neg.handle = ev->handle;
5793 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5794 hci_dev_unlock(hdev);
5797 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5800 struct hci_cp_le_conn_param_req_neg_reply cp;
5802 cp.handle = cpu_to_le16(handle);
5805 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5809 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5810 struct sk_buff *skb)
5812 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5813 struct hci_cp_le_conn_param_req_reply cp;
5814 struct hci_conn *hcon;
5815 u16 handle, min, max, latency, timeout;
5817 handle = le16_to_cpu(ev->handle);
5818 min = le16_to_cpu(ev->interval_min);
5819 max = le16_to_cpu(ev->interval_max);
5820 latency = le16_to_cpu(ev->latency);
5821 timeout = le16_to_cpu(ev->timeout);
5823 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5824 if (!hcon || hcon->state != BT_CONNECTED)
5825 return send_conn_param_neg_reply(hdev, handle,
5826 HCI_ERROR_UNKNOWN_CONN_ID);
5828 if (hci_check_conn_params(min, max, latency, timeout))
5829 return send_conn_param_neg_reply(hdev, handle,
5830 HCI_ERROR_INVALID_LL_PARAMS);
5832 if (hcon->role == HCI_ROLE_MASTER) {
5833 struct hci_conn_params *params;
5838 params = hci_conn_params_lookup(hdev, &hcon->dst,
5841 params->conn_min_interval = min;
5842 params->conn_max_interval = max;
5843 params->conn_latency = latency;
5844 params->supervision_timeout = timeout;
5850 hci_dev_unlock(hdev);
5852 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5853 store_hint, min, max, latency, timeout);
5856 cp.handle = ev->handle;
5857 cp.interval_min = ev->interval_min;
5858 cp.interval_max = ev->interval_max;
5859 cp.latency = ev->latency;
5860 cp.timeout = ev->timeout;
5864 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5867 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5868 struct sk_buff *skb)
5870 u8 num_reports = skb->data[0];
5871 void *ptr = &skb->data[1];
5875 while (num_reports--) {
5876 struct hci_ev_le_direct_adv_info *ev = ptr;
5878 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5879 ev->bdaddr_type, &ev->direct_addr,
5880 ev->direct_addr_type, ev->rssi, NULL, 0,
5886 hci_dev_unlock(hdev);
5889 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
5891 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
5892 struct hci_conn *conn;
5894 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5901 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5905 conn->le_tx_phy = ev->tx_phy;
5906 conn->le_rx_phy = ev->rx_phy;
5909 hci_dev_unlock(hdev);
5912 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5914 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5916 skb_pull(skb, sizeof(*le_ev));
5918 switch (le_ev->subevent) {
5919 case HCI_EV_LE_CONN_COMPLETE:
5920 hci_le_conn_complete_evt(hdev, skb);
5923 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5924 hci_le_conn_update_complete_evt(hdev, skb);
5927 case HCI_EV_LE_ADVERTISING_REPORT:
5928 hci_le_adv_report_evt(hdev, skb);
5931 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5932 hci_le_remote_feat_complete_evt(hdev, skb);
5935 case HCI_EV_LE_LTK_REQ:
5936 hci_le_ltk_request_evt(hdev, skb);
5939 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5940 hci_le_remote_conn_param_req_evt(hdev, skb);
5943 case HCI_EV_LE_DIRECT_ADV_REPORT:
5944 hci_le_direct_adv_report_evt(hdev, skb);
5947 case HCI_EV_LE_PHY_UPDATE_COMPLETE:
5948 hci_le_phy_update_evt(hdev, skb);
5951 case HCI_EV_LE_EXT_ADV_REPORT:
5952 hci_le_ext_adv_report_evt(hdev, skb);
5955 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5956 hci_le_enh_conn_complete_evt(hdev, skb);
5959 case HCI_EV_LE_EXT_ADV_SET_TERM:
5960 hci_le_ext_adv_term_evt(hdev, skb);
5968 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5969 u8 event, struct sk_buff *skb)
5971 struct hci_ev_cmd_complete *ev;
5972 struct hci_event_hdr *hdr;
5977 if (skb->len < sizeof(*hdr)) {
5978 bt_dev_err(hdev, "too short HCI event");
5982 hdr = (void *) skb->data;
5983 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5986 if (hdr->evt != event)
5991 /* Check if request ended in Command Status - no way to retreive
5992 * any extra parameters in this case.
5994 if (hdr->evt == HCI_EV_CMD_STATUS)
5997 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5998 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
6003 if (skb->len < sizeof(*ev)) {
6004 bt_dev_err(hdev, "too short cmd_complete event");
6008 ev = (void *) skb->data;
6009 skb_pull(skb, sizeof(*ev));
6011 if (opcode != __le16_to_cpu(ev->opcode)) {
6012 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
6013 __le16_to_cpu(ev->opcode));
6020 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
6021 struct sk_buff *skb)
6023 struct hci_ev_le_advertising_info *adv;
6024 struct hci_ev_le_direct_adv_info *direct_adv;
6025 struct hci_ev_le_ext_adv_report *ext_adv;
6026 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
6027 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
6031 /* If we are currently suspended and this is the first BT event seen,
6032 * save the wake reason associated with the event.
6034 if (!hdev->suspended || hdev->wake_reason)
6037 /* Default to remote wake. Values for wake_reason are documented in the
6038 * Bluez mgmt api docs.
6040 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
6042 /* Once configured for remote wakeup, we should only wake up for
6043 * reconnections. It's useful to see which device is waking us up so
6044 * keep track of the bdaddr of the connection event that woke us up.
6046 if (event == HCI_EV_CONN_REQUEST) {
6047 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
6048 hdev->wake_addr_type = BDADDR_BREDR;
6049 } else if (event == HCI_EV_CONN_COMPLETE) {
6050 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
6051 hdev->wake_addr_type = BDADDR_BREDR;
6052 } else if (event == HCI_EV_LE_META) {
6053 struct hci_ev_le_meta *le_ev = (void *)skb->data;
6054 u8 subevent = le_ev->subevent;
6055 u8 *ptr = &skb->data[sizeof(*le_ev)];
6056 u8 num_reports = *ptr;
6058 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
6059 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
6060 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
6062 adv = (void *)(ptr + 1);
6063 direct_adv = (void *)(ptr + 1);
6064 ext_adv = (void *)(ptr + 1);
6067 case HCI_EV_LE_ADVERTISING_REPORT:
6068 bacpy(&hdev->wake_addr, &adv->bdaddr);
6069 hdev->wake_addr_type = adv->bdaddr_type;
6071 case HCI_EV_LE_DIRECT_ADV_REPORT:
6072 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
6073 hdev->wake_addr_type = direct_adv->bdaddr_type;
6075 case HCI_EV_LE_EXT_ADV_REPORT:
6076 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
6077 hdev->wake_addr_type = ext_adv->bdaddr_type;
6082 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
6086 hci_dev_unlock(hdev);
6089 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
6091 struct hci_event_hdr *hdr = (void *) skb->data;
6092 hci_req_complete_t req_complete = NULL;
6093 hci_req_complete_skb_t req_complete_skb = NULL;
6094 struct sk_buff *orig_skb = NULL;
6095 u8 status = 0, event = hdr->evt, req_evt = 0;
6096 u16 opcode = HCI_OP_NOP;
6099 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
6103 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
6104 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
6105 opcode = __le16_to_cpu(cmd_hdr->opcode);
6106 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
6111 /* If it looks like we might end up having to call
6112 * req_complete_skb, store a pristine copy of the skb since the
6113 * various handlers may modify the original one through
6114 * skb_pull() calls, etc.
6116 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
6117 event == HCI_EV_CMD_COMPLETE)
6118 orig_skb = skb_clone(skb, GFP_KERNEL);
6120 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6122 /* Store wake reason if we're suspended */
6123 hci_store_wake_reason(hdev, event, skb);
6126 case HCI_EV_INQUIRY_COMPLETE:
6127 hci_inquiry_complete_evt(hdev, skb);
6130 case HCI_EV_INQUIRY_RESULT:
6131 hci_inquiry_result_evt(hdev, skb);
6134 case HCI_EV_CONN_COMPLETE:
6135 hci_conn_complete_evt(hdev, skb);
6138 case HCI_EV_CONN_REQUEST:
6139 hci_conn_request_evt(hdev, skb);
6142 case HCI_EV_DISCONN_COMPLETE:
6143 hci_disconn_complete_evt(hdev, skb);
6146 case HCI_EV_AUTH_COMPLETE:
6147 hci_auth_complete_evt(hdev, skb);
6150 case HCI_EV_REMOTE_NAME:
6151 hci_remote_name_evt(hdev, skb);
6154 case HCI_EV_ENCRYPT_CHANGE:
6155 hci_encrypt_change_evt(hdev, skb);
6158 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6159 hci_change_link_key_complete_evt(hdev, skb);
6162 case HCI_EV_REMOTE_FEATURES:
6163 hci_remote_features_evt(hdev, skb);
6166 case HCI_EV_CMD_COMPLETE:
6167 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6168 &req_complete, &req_complete_skb);
6171 case HCI_EV_CMD_STATUS:
6172 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6176 case HCI_EV_HARDWARE_ERROR:
6177 hci_hardware_error_evt(hdev, skb);
6180 case HCI_EV_ROLE_CHANGE:
6181 hci_role_change_evt(hdev, skb);
6184 case HCI_EV_NUM_COMP_PKTS:
6185 hci_num_comp_pkts_evt(hdev, skb);
6188 case HCI_EV_MODE_CHANGE:
6189 hci_mode_change_evt(hdev, skb);
6192 case HCI_EV_PIN_CODE_REQ:
6193 hci_pin_code_request_evt(hdev, skb);
6196 case HCI_EV_LINK_KEY_REQ:
6197 hci_link_key_request_evt(hdev, skb);
6200 case HCI_EV_LINK_KEY_NOTIFY:
6201 hci_link_key_notify_evt(hdev, skb);
6204 case HCI_EV_CLOCK_OFFSET:
6205 hci_clock_offset_evt(hdev, skb);
6208 case HCI_EV_PKT_TYPE_CHANGE:
6209 hci_pkt_type_change_evt(hdev, skb);
6212 case HCI_EV_PSCAN_REP_MODE:
6213 hci_pscan_rep_mode_evt(hdev, skb);
6216 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6217 hci_inquiry_result_with_rssi_evt(hdev, skb);
6220 case HCI_EV_REMOTE_EXT_FEATURES:
6221 hci_remote_ext_features_evt(hdev, skb);
6224 case HCI_EV_SYNC_CONN_COMPLETE:
6225 hci_sync_conn_complete_evt(hdev, skb);
6228 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6229 hci_extended_inquiry_result_evt(hdev, skb);
6232 case HCI_EV_KEY_REFRESH_COMPLETE:
6233 hci_key_refresh_complete_evt(hdev, skb);
6236 case HCI_EV_IO_CAPA_REQUEST:
6237 hci_io_capa_request_evt(hdev, skb);
6240 case HCI_EV_IO_CAPA_REPLY:
6241 hci_io_capa_reply_evt(hdev, skb);
6244 case HCI_EV_USER_CONFIRM_REQUEST:
6245 hci_user_confirm_request_evt(hdev, skb);
6248 case HCI_EV_USER_PASSKEY_REQUEST:
6249 hci_user_passkey_request_evt(hdev, skb);
6252 case HCI_EV_USER_PASSKEY_NOTIFY:
6253 hci_user_passkey_notify_evt(hdev, skb);
6256 case HCI_EV_KEYPRESS_NOTIFY:
6257 hci_keypress_notify_evt(hdev, skb);
6260 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6261 hci_simple_pair_complete_evt(hdev, skb);
6264 case HCI_EV_REMOTE_HOST_FEATURES:
6265 hci_remote_host_features_evt(hdev, skb);
6268 case HCI_EV_LE_META:
6269 hci_le_meta_evt(hdev, skb);
6272 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6273 hci_remote_oob_data_request_evt(hdev, skb);
6276 #if IS_ENABLED(CONFIG_BT_HS)
6277 case HCI_EV_CHANNEL_SELECTED:
6278 hci_chan_selected_evt(hdev, skb);
6281 case HCI_EV_PHY_LINK_COMPLETE:
6282 hci_phy_link_complete_evt(hdev, skb);
6285 case HCI_EV_LOGICAL_LINK_COMPLETE:
6286 hci_loglink_complete_evt(hdev, skb);
6289 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6290 hci_disconn_loglink_complete_evt(hdev, skb);
6293 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6294 hci_disconn_phylink_complete_evt(hdev, skb);
6298 case HCI_EV_NUM_COMP_BLOCKS:
6299 hci_num_comp_blocks_evt(hdev, skb);
6303 msft_vendor_evt(hdev, skb);
6307 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6312 req_complete(hdev, status, opcode);
6313 } else if (req_complete_skb) {
6314 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6315 kfree_skb(orig_skb);
6318 req_complete_skb(hdev, status, opcode, orig_skb);
6322 kfree_skb(orig_skb);
6324 hdev->stat.evt_rx++;
projects / linux-2.6-microblaze.git / blob