2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
41 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
42 "\x00\x00\x00\x00\x00\x00\x00\x00"
44 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
46 /* Handle HCI Event packets */
48 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
53 data = skb_pull_data(skb, len);
55 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
60 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
65 data = skb_pull_data(skb, len);
67 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
72 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
77 data = skb_pull_data(skb, len);
79 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
84 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
87 struct hci_ev_status *rp = data;
89 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
91 /* It is possible that we receive Inquiry Complete event right
92 * before we receive Inquiry Cancel Command Complete event, in
93 * which case the latter event should have status of Command
94 * Disallowed (0x0c). This should not be treated as error, since
95 * we actually achieve what Inquiry Cancel wants to achieve,
96 * which is to end the last Inquiry session.
98 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
99 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
106 clear_bit(HCI_INQUIRY, &hdev->flags);
107 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
108 wake_up_bit(&hdev->flags, HCI_INQUIRY);
111 /* Set discovery state to stopped if we're not doing LE active
114 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
115 hdev->le_scan_type != LE_SCAN_ACTIVE)
116 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
117 hci_dev_unlock(hdev);
119 hci_conn_check_pending(hdev);
124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
127 struct hci_ev_status *rp = data;
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
142 struct hci_ev_status *rp = data;
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
151 hci_conn_check_pending(hdev);
156 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
159 struct hci_ev_status *rp = data;
161 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
166 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
169 struct hci_rp_role_discovery *rp = data;
170 struct hci_conn *conn;
172 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
181 conn->role = rp->role;
183 hci_dev_unlock(hdev);
188 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
191 struct hci_rp_read_link_policy *rp = data;
192 struct hci_conn *conn;
194 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
201 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
203 conn->link_policy = __le16_to_cpu(rp->policy);
205 hci_dev_unlock(hdev);
210 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
213 struct hci_rp_write_link_policy *rp = data;
214 struct hci_conn *conn;
217 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
222 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
228 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
230 conn->link_policy = get_unaligned_le16(sent + 2);
232 hci_dev_unlock(hdev);
237 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
240 struct hci_rp_read_def_link_policy *rp = data;
242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
247 hdev->link_policy = __le16_to_cpu(rp->policy);
252 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
255 struct hci_ev_status *rp = data;
258 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
263 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
267 hdev->link_policy = get_unaligned_le16(sent);
272 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
274 struct hci_ev_status *rp = data;
276 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
278 clear_bit(HCI_RESET, &hdev->flags);
283 /* Reset all non-persistent flags */
284 hci_dev_clear_volatile_flags(hdev);
286 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
288 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
289 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
291 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
292 hdev->adv_data_len = 0;
294 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
295 hdev->scan_rsp_data_len = 0;
297 hdev->le_scan_type = LE_SCAN_PASSIVE;
299 hdev->ssp_debug_mode = 0;
301 hci_bdaddr_list_clear(&hdev->le_accept_list);
302 hci_bdaddr_list_clear(&hdev->le_resolv_list);
307 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
310 struct hci_rp_read_stored_link_key *rp = data;
311 struct hci_cp_read_stored_link_key *sent;
313 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
315 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
319 if (!rp->status && sent->read_all == 0x01) {
320 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
321 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
327 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
330 struct hci_rp_delete_stored_link_key *rp = data;
332 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
337 if (rp->num_keys <= hdev->stored_num_keys)
338 hdev->stored_num_keys -= le16_to_cpu(rp->num_keys);
340 hdev->stored_num_keys = 0;
345 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
348 struct hci_ev_status *rp = data;
351 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
353 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
359 if (hci_dev_test_flag(hdev, HCI_MGMT))
360 mgmt_set_local_name_complete(hdev, sent, rp->status);
361 else if (!rp->status)
362 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
364 hci_dev_unlock(hdev);
369 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
372 struct hci_rp_read_local_name *rp = data;
374 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
379 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
380 hci_dev_test_flag(hdev, HCI_CONFIG))
381 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
386 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
389 struct hci_ev_status *rp = data;
392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
394 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
401 __u8 param = *((__u8 *) sent);
403 if (param == AUTH_ENABLED)
404 set_bit(HCI_AUTH, &hdev->flags);
406 clear_bit(HCI_AUTH, &hdev->flags);
409 if (hci_dev_test_flag(hdev, HCI_MGMT))
410 mgmt_auth_enable_complete(hdev, rp->status);
412 hci_dev_unlock(hdev);
417 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
420 struct hci_ev_status *rp = data;
424 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
429 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
433 param = *((__u8 *) sent);
436 set_bit(HCI_ENCRYPT, &hdev->flags);
438 clear_bit(HCI_ENCRYPT, &hdev->flags);
443 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
446 struct hci_ev_status *rp = data;
450 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
452 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
456 param = *((__u8 *) sent);
461 hdev->discov_timeout = 0;
465 if (param & SCAN_INQUIRY)
466 set_bit(HCI_ISCAN, &hdev->flags);
468 clear_bit(HCI_ISCAN, &hdev->flags);
470 if (param & SCAN_PAGE)
471 set_bit(HCI_PSCAN, &hdev->flags);
473 clear_bit(HCI_PSCAN, &hdev->flags);
476 hci_dev_unlock(hdev);
481 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
484 struct hci_ev_status *rp = data;
485 struct hci_cp_set_event_filter *cp;
488 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
493 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
497 cp = (struct hci_cp_set_event_filter *)sent;
499 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
500 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
502 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
507 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
510 struct hci_rp_read_class_of_dev *rp = data;
512 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
517 memcpy(hdev->dev_class, rp->dev_class, 3);
519 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
520 hdev->dev_class[1], hdev->dev_class[0]);
525 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
528 struct hci_ev_status *rp = data;
531 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
533 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
540 memcpy(hdev->dev_class, sent, 3);
542 if (hci_dev_test_flag(hdev, HCI_MGMT))
543 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
545 hci_dev_unlock(hdev);
550 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
553 struct hci_rp_read_voice_setting *rp = data;
556 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
561 setting = __le16_to_cpu(rp->voice_setting);
563 if (hdev->voice_setting == setting)
566 hdev->voice_setting = setting;
568 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
571 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
576 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
579 struct hci_ev_status *rp = data;
583 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
588 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
592 setting = get_unaligned_le16(sent);
594 if (hdev->voice_setting == setting)
597 hdev->voice_setting = setting;
599 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
602 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
607 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
610 struct hci_rp_read_num_supported_iac *rp = data;
612 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
617 hdev->num_iac = rp->num_iac;
619 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
624 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
627 struct hci_ev_status *rp = data;
628 struct hci_cp_write_ssp_mode *sent;
630 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
632 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
640 hdev->features[1][0] |= LMP_HOST_SSP;
642 hdev->features[1][0] &= ~LMP_HOST_SSP;
647 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
649 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
652 hci_dev_unlock(hdev);
657 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
660 struct hci_ev_status *rp = data;
661 struct hci_cp_write_sc_support *sent;
663 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
665 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
673 hdev->features[1][0] |= LMP_HOST_SC;
675 hdev->features[1][0] &= ~LMP_HOST_SC;
678 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
680 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
682 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
685 hci_dev_unlock(hdev);
690 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
693 struct hci_rp_read_local_version *rp = data;
695 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
700 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
701 hci_dev_test_flag(hdev, HCI_CONFIG)) {
702 hdev->hci_ver = rp->hci_ver;
703 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
704 hdev->lmp_ver = rp->lmp_ver;
705 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
706 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
712 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
715 struct hci_rp_read_local_commands *rp = data;
717 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
722 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
723 hci_dev_test_flag(hdev, HCI_CONFIG))
724 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
729 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
732 struct hci_rp_read_auth_payload_to *rp = data;
733 struct hci_conn *conn;
735 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
742 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
744 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
746 hci_dev_unlock(hdev);
751 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
754 struct hci_rp_write_auth_payload_to *rp = data;
755 struct hci_conn *conn;
758 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
763 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
769 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
771 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
773 hci_dev_unlock(hdev);
778 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
781 struct hci_rp_read_local_features *rp = data;
783 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
788 memcpy(hdev->features, rp->features, 8);
790 /* Adjust default settings according to features
791 * supported by device. */
793 if (hdev->features[0][0] & LMP_3SLOT)
794 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
796 if (hdev->features[0][0] & LMP_5SLOT)
797 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
799 if (hdev->features[0][1] & LMP_HV2) {
800 hdev->pkt_type |= (HCI_HV2);
801 hdev->esco_type |= (ESCO_HV2);
804 if (hdev->features[0][1] & LMP_HV3) {
805 hdev->pkt_type |= (HCI_HV3);
806 hdev->esco_type |= (ESCO_HV3);
809 if (lmp_esco_capable(hdev))
810 hdev->esco_type |= (ESCO_EV3);
812 if (hdev->features[0][4] & LMP_EV4)
813 hdev->esco_type |= (ESCO_EV4);
815 if (hdev->features[0][4] & LMP_EV5)
816 hdev->esco_type |= (ESCO_EV5);
818 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
819 hdev->esco_type |= (ESCO_2EV3);
821 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
822 hdev->esco_type |= (ESCO_3EV3);
824 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
825 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
830 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
833 struct hci_rp_read_local_ext_features *rp = data;
835 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
840 if (hdev->max_page < rp->max_page)
841 hdev->max_page = rp->max_page;
843 if (rp->page < HCI_MAX_PAGES)
844 memcpy(hdev->features[rp->page], rp->features, 8);
849 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
852 struct hci_rp_read_flow_control_mode *rp = data;
854 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
859 hdev->flow_ctl_mode = rp->mode;
864 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
867 struct hci_rp_read_buffer_size *rp = data;
869 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
874 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
875 hdev->sco_mtu = rp->sco_mtu;
876 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
877 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
879 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
884 hdev->acl_cnt = hdev->acl_pkts;
885 hdev->sco_cnt = hdev->sco_pkts;
887 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
888 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
893 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
896 struct hci_rp_read_bd_addr *rp = data;
898 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
903 if (test_bit(HCI_INIT, &hdev->flags))
904 bacpy(&hdev->bdaddr, &rp->bdaddr);
906 if (hci_dev_test_flag(hdev, HCI_SETUP))
907 bacpy(&hdev->setup_addr, &rp->bdaddr);
912 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
915 struct hci_rp_read_local_pairing_opts *rp = data;
917 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
922 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
923 hci_dev_test_flag(hdev, HCI_CONFIG)) {
924 hdev->pairing_opts = rp->pairing_opts;
925 hdev->max_enc_key_size = rp->max_key_size;
931 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
934 struct hci_rp_read_page_scan_activity *rp = data;
936 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
941 if (test_bit(HCI_INIT, &hdev->flags)) {
942 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
943 hdev->page_scan_window = __le16_to_cpu(rp->window);
949 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
952 struct hci_ev_status *rp = data;
953 struct hci_cp_write_page_scan_activity *sent;
955 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
960 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
964 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
965 hdev->page_scan_window = __le16_to_cpu(sent->window);
970 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
973 struct hci_rp_read_page_scan_type *rp = data;
975 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
980 if (test_bit(HCI_INIT, &hdev->flags))
981 hdev->page_scan_type = rp->type;
986 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
989 struct hci_ev_status *rp = data;
992 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
997 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
999 hdev->page_scan_type = *type;
1004 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1005 struct sk_buff *skb)
1007 struct hci_rp_read_data_block_size *rp = data;
1009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1014 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1015 hdev->block_len = __le16_to_cpu(rp->block_len);
1016 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1018 hdev->block_cnt = hdev->num_blocks;
1020 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1021 hdev->block_cnt, hdev->block_len);
1026 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1027 struct sk_buff *skb)
1029 struct hci_rp_read_clock *rp = data;
1030 struct hci_cp_read_clock *cp;
1031 struct hci_conn *conn;
1033 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1040 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1044 if (cp->which == 0x00) {
1045 hdev->clock = le32_to_cpu(rp->clock);
1049 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1051 conn->clock = le32_to_cpu(rp->clock);
1052 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1056 hci_dev_unlock(hdev);
1060 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1061 struct sk_buff *skb)
1063 struct hci_rp_read_local_amp_info *rp = data;
1065 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1070 hdev->amp_status = rp->amp_status;
1071 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1072 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1073 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1074 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1075 hdev->amp_type = rp->amp_type;
1076 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1077 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1078 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1079 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1084 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1085 struct sk_buff *skb)
1087 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1089 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1094 hdev->inq_tx_power = rp->tx_power;
1099 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1100 struct sk_buff *skb)
1102 struct hci_rp_read_def_err_data_reporting *rp = data;
1104 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1109 hdev->err_data_reporting = rp->err_data_reporting;
1114 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1115 struct sk_buff *skb)
1117 struct hci_ev_status *rp = data;
1118 struct hci_cp_write_def_err_data_reporting *cp;
1120 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1125 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1129 hdev->err_data_reporting = cp->err_data_reporting;
1134 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1135 struct sk_buff *skb)
1137 struct hci_rp_pin_code_reply *rp = data;
1138 struct hci_cp_pin_code_reply *cp;
1139 struct hci_conn *conn;
1141 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1145 if (hci_dev_test_flag(hdev, HCI_MGMT))
1146 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1151 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1155 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1157 conn->pin_length = cp->pin_len;
1160 hci_dev_unlock(hdev);
1164 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1165 struct sk_buff *skb)
1167 struct hci_rp_pin_code_neg_reply *rp = data;
1169 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1173 if (hci_dev_test_flag(hdev, HCI_MGMT))
1174 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1177 hci_dev_unlock(hdev);
1182 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1183 struct sk_buff *skb)
1185 struct hci_rp_le_read_buffer_size *rp = data;
1187 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1192 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1193 hdev->le_pkts = rp->le_max_pkt;
1195 hdev->le_cnt = hdev->le_pkts;
1197 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1202 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1203 struct sk_buff *skb)
1205 struct hci_rp_le_read_local_features *rp = data;
1207 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1212 memcpy(hdev->le_features, rp->features, 8);
1217 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1218 struct sk_buff *skb)
1220 struct hci_rp_le_read_adv_tx_power *rp = data;
1222 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1227 hdev->adv_tx_power = rp->tx_power;
1232 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1233 struct sk_buff *skb)
1235 struct hci_rp_user_confirm_reply *rp = data;
1237 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1241 if (hci_dev_test_flag(hdev, HCI_MGMT))
1242 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1245 hci_dev_unlock(hdev);
1250 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1251 struct sk_buff *skb)
1253 struct hci_rp_user_confirm_reply *rp = data;
1255 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1259 if (hci_dev_test_flag(hdev, HCI_MGMT))
1260 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1261 ACL_LINK, 0, rp->status);
1263 hci_dev_unlock(hdev);
1268 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1269 struct sk_buff *skb)
1271 struct hci_rp_user_confirm_reply *rp = data;
1273 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1277 if (hci_dev_test_flag(hdev, HCI_MGMT))
1278 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1281 hci_dev_unlock(hdev);
1286 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1287 struct sk_buff *skb)
1289 struct hci_rp_user_confirm_reply *rp = data;
1291 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1295 if (hci_dev_test_flag(hdev, HCI_MGMT))
1296 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1297 ACL_LINK, 0, rp->status);
1299 hci_dev_unlock(hdev);
1304 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1305 struct sk_buff *skb)
1307 struct hci_rp_read_local_oob_data *rp = data;
1309 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1314 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1315 struct sk_buff *skb)
1317 struct hci_rp_read_local_oob_ext_data *rp = data;
1319 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1324 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1325 struct sk_buff *skb)
1327 struct hci_ev_status *rp = data;
1330 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1335 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1341 bacpy(&hdev->random_addr, sent);
1343 if (!bacmp(&hdev->rpa, sent)) {
1344 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1345 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1346 secs_to_jiffies(hdev->rpa_timeout));
1349 hci_dev_unlock(hdev);
1354 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1355 struct sk_buff *skb)
1357 struct hci_ev_status *rp = data;
1358 struct hci_cp_le_set_default_phy *cp;
1360 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1365 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1371 hdev->le_tx_def_phys = cp->tx_phys;
1372 hdev->le_rx_def_phys = cp->rx_phys;
1374 hci_dev_unlock(hdev);
1379 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1380 struct sk_buff *skb)
1382 struct hci_ev_status *rp = data;
1383 struct hci_cp_le_set_adv_set_rand_addr *cp;
1384 struct adv_info *adv;
1386 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1391 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1392 /* Update only in case the adv instance since handle 0x00 shall be using
1393 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1394 * non-extended adverting.
1396 if (!cp || !cp->handle)
1401 adv = hci_find_adv_instance(hdev, cp->handle);
1403 bacpy(&adv->random_addr, &cp->bdaddr);
1404 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1405 adv->rpa_expired = false;
1406 queue_delayed_work(hdev->workqueue,
1407 &adv->rpa_expired_cb,
1408 secs_to_jiffies(hdev->rpa_timeout));
1412 hci_dev_unlock(hdev);
1417 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1418 struct sk_buff *skb)
1420 struct hci_ev_status *rp = data;
1424 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1429 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1435 err = hci_remove_adv_instance(hdev, *instance);
1437 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1440 hci_dev_unlock(hdev);
1445 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1446 struct sk_buff *skb)
1448 struct hci_ev_status *rp = data;
1449 struct adv_info *adv, *n;
1452 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1457 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1462 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1463 u8 instance = adv->instance;
1465 err = hci_remove_adv_instance(hdev, instance);
1467 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1471 hci_dev_unlock(hdev);
1476 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1477 struct sk_buff *skb)
1479 struct hci_rp_le_read_transmit_power *rp = data;
1481 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1486 hdev->min_le_tx_power = rp->min_le_tx_power;
1487 hdev->max_le_tx_power = rp->max_le_tx_power;
1492 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1493 struct sk_buff *skb)
1495 struct hci_ev_status *rp = data;
1496 struct hci_cp_le_set_privacy_mode *cp;
1497 struct hci_conn_params *params;
1499 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1504 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1510 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1512 params->privacy_mode = cp->mode;
1514 hci_dev_unlock(hdev);
1519 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1520 struct sk_buff *skb)
1522 struct hci_ev_status *rp = data;
1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1530 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1536 /* If we're doing connection initiation as peripheral. Set a
1537 * timeout in case something goes wrong.
1540 struct hci_conn *conn;
1542 hci_dev_set_flag(hdev, HCI_LE_ADV);
1544 conn = hci_lookup_le_connect(hdev);
1546 queue_delayed_work(hdev->workqueue,
1547 &conn->le_conn_timeout,
1548 conn->conn_timeout);
1550 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1553 hci_dev_unlock(hdev);
1558 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1559 struct sk_buff *skb)
1561 struct hci_cp_le_set_ext_adv_enable *cp;
1562 struct hci_cp_ext_adv_set *set;
1563 struct adv_info *adv = NULL, *n;
1564 struct hci_ev_status *rp = data;
1566 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1571 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1575 set = (void *)cp->data;
1579 if (cp->num_of_sets)
1580 adv = hci_find_adv_instance(hdev, set->handle);
1583 struct hci_conn *conn;
1585 hci_dev_set_flag(hdev, HCI_LE_ADV);
1588 adv->enabled = true;
1590 conn = hci_lookup_le_connect(hdev);
1592 queue_delayed_work(hdev->workqueue,
1593 &conn->le_conn_timeout,
1594 conn->conn_timeout);
1596 if (cp->num_of_sets) {
1598 adv->enabled = false;
1600 /* If just one instance was disabled check if there are
1601 * any other instance enabled before clearing HCI_LE_ADV
1603 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1609 /* All instances shall be considered disabled */
1610 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1612 adv->enabled = false;
1615 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1619 hci_dev_unlock(hdev);
1623 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1624 struct sk_buff *skb)
1626 struct hci_cp_le_set_scan_param *cp;
1627 struct hci_ev_status *rp = data;
1629 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1634 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1640 hdev->le_scan_type = cp->type;
1642 hci_dev_unlock(hdev);
1647 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1648 struct sk_buff *skb)
1650 struct hci_cp_le_set_ext_scan_params *cp;
1651 struct hci_ev_status *rp = data;
1652 struct hci_cp_le_scan_phy_params *phy_param;
1654 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1659 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1663 phy_param = (void *)cp->data;
1667 hdev->le_scan_type = phy_param->type;
1669 hci_dev_unlock(hdev);
1674 static bool has_pending_adv_report(struct hci_dev *hdev)
1676 struct discovery_state *d = &hdev->discovery;
1678 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1681 static void clear_pending_adv_report(struct hci_dev *hdev)
1683 struct discovery_state *d = &hdev->discovery;
1685 bacpy(&d->last_adv_addr, BDADDR_ANY);
1686 d->last_adv_data_len = 0;
1689 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1690 u8 bdaddr_type, s8 rssi, u32 flags,
1693 struct discovery_state *d = &hdev->discovery;
1695 if (len > HCI_MAX_AD_LENGTH)
1698 bacpy(&d->last_adv_addr, bdaddr);
1699 d->last_adv_addr_type = bdaddr_type;
1700 d->last_adv_rssi = rssi;
1701 d->last_adv_flags = flags;
1702 memcpy(d->last_adv_data, data, len);
1703 d->last_adv_data_len = len;
1706 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1711 case LE_SCAN_ENABLE:
1712 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1713 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1714 clear_pending_adv_report(hdev);
1717 case LE_SCAN_DISABLE:
1718 /* We do this here instead of when setting DISCOVERY_STOPPED
1719 * since the latter would potentially require waiting for
1720 * inquiry to stop too.
1722 if (has_pending_adv_report(hdev)) {
1723 struct discovery_state *d = &hdev->discovery;
1725 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1726 d->last_adv_addr_type, NULL,
1727 d->last_adv_rssi, d->last_adv_flags,
1729 d->last_adv_data_len, NULL, 0);
1732 /* Cancel this timer so that we don't try to disable scanning
1733 * when it's already disabled.
1735 cancel_delayed_work(&hdev->le_scan_disable);
1737 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1739 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1740 * interrupted scanning due to a connect request. Mark
1741 * therefore discovery as stopped.
1743 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1744 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1749 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1754 hci_dev_unlock(hdev);
1757 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1758 struct sk_buff *skb)
1760 struct hci_cp_le_set_scan_enable *cp;
1761 struct hci_ev_status *rp = data;
1763 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1768 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1772 le_set_scan_enable_complete(hdev, cp->enable);
1777 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1778 struct sk_buff *skb)
1780 struct hci_cp_le_set_ext_scan_enable *cp;
1781 struct hci_ev_status *rp = data;
1783 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1788 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1792 le_set_scan_enable_complete(hdev, cp->enable);
1797 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1798 struct sk_buff *skb)
1800 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1802 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1808 hdev->le_num_of_adv_sets = rp->num_of_sets;
1813 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1814 struct sk_buff *skb)
1816 struct hci_rp_le_read_accept_list_size *rp = data;
1818 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1823 hdev->le_accept_list_size = rp->size;
1828 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1829 struct sk_buff *skb)
1831 struct hci_ev_status *rp = data;
1833 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1839 hci_bdaddr_list_clear(&hdev->le_accept_list);
1840 hci_dev_unlock(hdev);
1845 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1846 struct sk_buff *skb)
1848 struct hci_cp_le_add_to_accept_list *sent;
1849 struct hci_ev_status *rp = data;
1851 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1856 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1861 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1863 hci_dev_unlock(hdev);
1868 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1869 struct sk_buff *skb)
1871 struct hci_cp_le_del_from_accept_list *sent;
1872 struct hci_ev_status *rp = data;
1874 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1879 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1884 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1886 hci_dev_unlock(hdev);
1891 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1892 struct sk_buff *skb)
1894 struct hci_rp_le_read_supported_states *rp = data;
1896 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1901 memcpy(hdev->le_states, rp->le_states, 8);
1906 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1907 struct sk_buff *skb)
1909 struct hci_rp_le_read_def_data_len *rp = data;
1911 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1916 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1917 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1922 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1923 struct sk_buff *skb)
1925 struct hci_cp_le_write_def_data_len *sent;
1926 struct hci_ev_status *rp = data;
1928 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1933 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1937 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1938 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1943 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
1944 struct sk_buff *skb)
1946 struct hci_cp_le_add_to_resolv_list *sent;
1947 struct hci_ev_status *rp = data;
1949 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1954 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1959 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1960 sent->bdaddr_type, sent->peer_irk,
1962 hci_dev_unlock(hdev);
1967 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
1968 struct sk_buff *skb)
1970 struct hci_cp_le_del_from_resolv_list *sent;
1971 struct hci_ev_status *rp = data;
1973 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1978 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1983 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1985 hci_dev_unlock(hdev);
1990 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
1991 struct sk_buff *skb)
1993 struct hci_ev_status *rp = data;
1995 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2001 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2002 hci_dev_unlock(hdev);
2007 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2008 struct sk_buff *skb)
2010 struct hci_rp_le_read_resolv_list_size *rp = data;
2012 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2017 hdev->le_resolv_list_size = rp->size;
2022 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2023 struct sk_buff *skb)
2025 struct hci_ev_status *rp = data;
2028 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2040 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2042 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2044 hci_dev_unlock(hdev);
2049 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2050 struct sk_buff *skb)
2052 struct hci_rp_le_read_max_data_len *rp = data;
2054 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2059 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2060 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2061 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2062 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2067 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2068 struct sk_buff *skb)
2070 struct hci_cp_write_le_host_supported *sent;
2071 struct hci_ev_status *rp = data;
2073 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2078 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2085 hdev->features[1][0] |= LMP_HOST_LE;
2086 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2088 hdev->features[1][0] &= ~LMP_HOST_LE;
2089 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2090 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2094 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2096 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2098 hci_dev_unlock(hdev);
2103 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2104 struct sk_buff *skb)
2106 struct hci_cp_le_set_adv_param *cp;
2107 struct hci_ev_status *rp = data;
2109 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2114 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2119 hdev->adv_addr_type = cp->own_address_type;
2120 hci_dev_unlock(hdev);
2125 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2126 struct sk_buff *skb)
2128 struct hci_rp_le_set_ext_adv_params *rp = data;
2129 struct hci_cp_le_set_ext_adv_params *cp;
2130 struct adv_info *adv_instance;
2132 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2137 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2142 hdev->adv_addr_type = cp->own_addr_type;
2144 /* Store in hdev for instance 0 */
2145 hdev->adv_tx_power = rp->tx_power;
2147 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2149 adv_instance->tx_power = rp->tx_power;
2151 /* Update adv data as tx power is known now */
2152 hci_req_update_adv_data(hdev, cp->handle);
2154 hci_dev_unlock(hdev);
2159 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2160 struct sk_buff *skb)
2162 struct hci_rp_read_rssi *rp = data;
2163 struct hci_conn *conn;
2165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2174 conn->rssi = rp->rssi;
2176 hci_dev_unlock(hdev);
2181 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2182 struct sk_buff *skb)
2184 struct hci_cp_read_tx_power *sent;
2185 struct hci_rp_read_tx_power *rp = data;
2186 struct hci_conn *conn;
2188 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2193 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2199 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2203 switch (sent->type) {
2205 conn->tx_power = rp->tx_power;
2208 conn->max_tx_power = rp->tx_power;
2213 hci_dev_unlock(hdev);
2217 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2218 struct sk_buff *skb)
2220 struct hci_ev_status *rp = data;
2223 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2228 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2230 hdev->ssp_debug_mode = *mode;
2235 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2237 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2240 hci_conn_check_pending(hdev);
2244 set_bit(HCI_INQUIRY, &hdev->flags);
2247 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2249 struct hci_cp_create_conn *cp;
2250 struct hci_conn *conn;
2252 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2254 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2260 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2262 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2265 if (conn && conn->state == BT_CONNECT) {
2266 if (status != 0x0c || conn->attempt > 2) {
2267 conn->state = BT_CLOSED;
2268 hci_connect_cfm(conn, status);
2271 conn->state = BT_CONNECT2;
2275 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
2278 bt_dev_err(hdev, "no memory for new connection");
2282 hci_dev_unlock(hdev);
2285 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2287 struct hci_cp_add_sco *cp;
2288 struct hci_conn *acl, *sco;
2291 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2296 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2300 handle = __le16_to_cpu(cp->handle);
2302 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2306 acl = hci_conn_hash_lookup_handle(hdev, handle);
2310 sco->state = BT_CLOSED;
2312 hci_connect_cfm(sco, status);
2317 hci_dev_unlock(hdev);
2320 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2322 struct hci_cp_auth_requested *cp;
2323 struct hci_conn *conn;
2325 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2330 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2336 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2338 if (conn->state == BT_CONFIG) {
2339 hci_connect_cfm(conn, status);
2340 hci_conn_drop(conn);
2344 hci_dev_unlock(hdev);
2347 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2349 struct hci_cp_set_conn_encrypt *cp;
2350 struct hci_conn *conn;
2352 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2357 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2363 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2365 if (conn->state == BT_CONFIG) {
2366 hci_connect_cfm(conn, status);
2367 hci_conn_drop(conn);
2371 hci_dev_unlock(hdev);
2374 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2375 struct hci_conn *conn)
2377 if (conn->state != BT_CONFIG || !conn->out)
2380 if (conn->pending_sec_level == BT_SECURITY_SDP)
2383 /* Only request authentication for SSP connections or non-SSP
2384 * devices with sec_level MEDIUM or HIGH or if MITM protection
2387 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2388 conn->pending_sec_level != BT_SECURITY_FIPS &&
2389 conn->pending_sec_level != BT_SECURITY_HIGH &&
2390 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2396 static int hci_resolve_name(struct hci_dev *hdev,
2397 struct inquiry_entry *e)
2399 struct hci_cp_remote_name_req cp;
2401 memset(&cp, 0, sizeof(cp));
2403 bacpy(&cp.bdaddr, &e->data.bdaddr);
2404 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2405 cp.pscan_mode = e->data.pscan_mode;
2406 cp.clock_offset = e->data.clock_offset;
2408 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2411 static bool hci_resolve_next_name(struct hci_dev *hdev)
2413 struct discovery_state *discov = &hdev->discovery;
2414 struct inquiry_entry *e;
2416 if (list_empty(&discov->resolve))
2419 /* We should stop if we already spent too much time resolving names. */
2420 if (time_after(jiffies, discov->name_resolve_timeout)) {
2421 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2425 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2429 if (hci_resolve_name(hdev, e) == 0) {
2430 e->name_state = NAME_PENDING;
2437 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2438 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2440 struct discovery_state *discov = &hdev->discovery;
2441 struct inquiry_entry *e;
2443 /* Update the mgmt connected state if necessary. Be careful with
2444 * conn objects that exist but are not (yet) connected however.
2445 * Only those in BT_CONFIG or BT_CONNECTED states can be
2446 * considered connected.
2449 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2450 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2451 mgmt_device_connected(hdev, conn, name, name_len);
2453 if (discov->state == DISCOVERY_STOPPED)
2456 if (discov->state == DISCOVERY_STOPPING)
2457 goto discov_complete;
2459 if (discov->state != DISCOVERY_RESOLVING)
2462 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2463 /* If the device was not found in a list of found devices names of which
2464 * are pending. there is no need to continue resolving a next name as it
2465 * will be done upon receiving another Remote Name Request Complete
2472 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2473 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2476 if (hci_resolve_next_name(hdev))
2480 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2483 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2485 struct hci_cp_remote_name_req *cp;
2486 struct hci_conn *conn;
2488 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2490 /* If successful wait for the name req complete event before
2491 * checking for the need to do authentication */
2495 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2501 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2503 if (hci_dev_test_flag(hdev, HCI_MGMT))
2504 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2509 if (!hci_outgoing_auth_needed(hdev, conn))
2512 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2513 struct hci_cp_auth_requested auth_cp;
2515 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2517 auth_cp.handle = __cpu_to_le16(conn->handle);
2518 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2519 sizeof(auth_cp), &auth_cp);
2523 hci_dev_unlock(hdev);
2526 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2528 struct hci_cp_read_remote_features *cp;
2529 struct hci_conn *conn;
2531 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2536 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2542 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2544 if (conn->state == BT_CONFIG) {
2545 hci_connect_cfm(conn, status);
2546 hci_conn_drop(conn);
2550 hci_dev_unlock(hdev);
2553 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2555 struct hci_cp_read_remote_ext_features *cp;
2556 struct hci_conn *conn;
2558 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2563 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2569 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2571 if (conn->state == BT_CONFIG) {
2572 hci_connect_cfm(conn, status);
2573 hci_conn_drop(conn);
2577 hci_dev_unlock(hdev);
2580 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2582 struct hci_cp_setup_sync_conn *cp;
2583 struct hci_conn *acl, *sco;
2586 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2591 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2595 handle = __le16_to_cpu(cp->handle);
2597 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2601 acl = hci_conn_hash_lookup_handle(hdev, handle);
2605 sco->state = BT_CLOSED;
2607 hci_connect_cfm(sco, status);
2612 hci_dev_unlock(hdev);
2615 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2617 struct hci_cp_enhanced_setup_sync_conn *cp;
2618 struct hci_conn *acl, *sco;
2621 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2626 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2630 handle = __le16_to_cpu(cp->handle);
2632 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2636 acl = hci_conn_hash_lookup_handle(hdev, handle);
2640 sco->state = BT_CLOSED;
2642 hci_connect_cfm(sco, status);
2647 hci_dev_unlock(hdev);
2650 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2652 struct hci_cp_sniff_mode *cp;
2653 struct hci_conn *conn;
2655 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2660 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2666 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2668 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2670 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2671 hci_sco_setup(conn, status);
2674 hci_dev_unlock(hdev);
2677 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2679 struct hci_cp_exit_sniff_mode *cp;
2680 struct hci_conn *conn;
2682 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2687 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2693 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2695 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2697 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2698 hci_sco_setup(conn, status);
2701 hci_dev_unlock(hdev);
2704 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2706 struct hci_cp_disconnect *cp;
2707 struct hci_conn_params *params;
2708 struct hci_conn *conn;
2711 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2713 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2714 * otherwise cleanup the connection immediately.
2716 if (!status && !hdev->suspended)
2719 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2725 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2730 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2731 conn->dst_type, status);
2733 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2734 hdev->cur_adv_instance = conn->adv_instance;
2735 hci_enable_advertising(hdev);
2741 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2743 if (conn->type == ACL_LINK) {
2744 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2745 hci_remove_link_key(hdev, &conn->dst);
2748 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2750 switch (params->auto_connect) {
2751 case HCI_AUTO_CONN_LINK_LOSS:
2752 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2756 case HCI_AUTO_CONN_DIRECT:
2757 case HCI_AUTO_CONN_ALWAYS:
2758 list_del_init(¶ms->action);
2759 list_add(¶ms->action, &hdev->pend_le_conns);
2767 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2768 cp->reason, mgmt_conn);
2770 hci_disconn_cfm(conn, cp->reason);
2773 /* If the disconnection failed for any reason, the upper layer
2774 * does not retry to disconnect in current implementation.
2775 * Hence, we need to do some basic cleanup here and re-enable
2776 * advertising if necessary.
2780 hci_dev_unlock(hdev);
2783 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2785 /* When using controller based address resolution, then the new
2786 * address types 0x02 and 0x03 are used. These types need to be
2787 * converted back into either public address or random address type
2790 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2793 return ADDR_LE_DEV_PUBLIC;
2794 case ADDR_LE_DEV_RANDOM_RESOLVED:
2797 return ADDR_LE_DEV_RANDOM;
2805 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2806 u8 peer_addr_type, u8 own_address_type,
2809 struct hci_conn *conn;
2811 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2816 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2818 /* Store the initiator and responder address information which
2819 * is needed for SMP. These values will not change during the
2820 * lifetime of the connection.
2822 conn->init_addr_type = own_address_type;
2823 if (own_address_type == ADDR_LE_DEV_RANDOM)
2824 bacpy(&conn->init_addr, &hdev->random_addr);
2826 bacpy(&conn->init_addr, &hdev->bdaddr);
2828 conn->resp_addr_type = peer_addr_type;
2829 bacpy(&conn->resp_addr, peer_addr);
2831 /* We don't want the connection attempt to stick around
2832 * indefinitely since LE doesn't have a page timeout concept
2833 * like BR/EDR. Set a timer for any connection that doesn't use
2834 * the accept list for connecting.
2836 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2837 queue_delayed_work(conn->hdev->workqueue,
2838 &conn->le_conn_timeout,
2839 conn->conn_timeout);
2842 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2844 struct hci_cp_le_create_conn *cp;
2846 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2848 /* All connection failure handling is taken care of by the
2849 * hci_conn_failed function which is triggered by the HCI
2850 * request completion callbacks used for connecting.
2855 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2861 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2862 cp->own_address_type, cp->filter_policy);
2864 hci_dev_unlock(hdev);
2867 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2869 struct hci_cp_le_ext_create_conn *cp;
2871 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2873 /* All connection failure handling is taken care of by the
2874 * hci_conn_failed function which is triggered by the HCI
2875 * request completion callbacks used for connecting.
2880 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2886 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2887 cp->own_addr_type, cp->filter_policy);
2889 hci_dev_unlock(hdev);
2892 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2894 struct hci_cp_le_read_remote_features *cp;
2895 struct hci_conn *conn;
2897 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2902 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2908 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2910 if (conn->state == BT_CONFIG) {
2911 hci_connect_cfm(conn, status);
2912 hci_conn_drop(conn);
2916 hci_dev_unlock(hdev);
2919 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2921 struct hci_cp_le_start_enc *cp;
2922 struct hci_conn *conn;
2924 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2931 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2935 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2939 if (conn->state != BT_CONNECTED)
2942 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2943 hci_conn_drop(conn);
2946 hci_dev_unlock(hdev);
2949 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2951 struct hci_cp_switch_role *cp;
2952 struct hci_conn *conn;
2954 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2959 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2965 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2967 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2969 hci_dev_unlock(hdev);
2972 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
2973 struct sk_buff *skb)
2975 struct hci_ev_status *ev = data;
2976 struct discovery_state *discov = &hdev->discovery;
2977 struct inquiry_entry *e;
2979 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
2981 hci_conn_check_pending(hdev);
2983 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2986 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2987 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2989 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2994 if (discov->state != DISCOVERY_FINDING)
2997 if (list_empty(&discov->resolve)) {
2998 /* When BR/EDR inquiry is active and no LE scanning is in
2999 * progress, then change discovery state to indicate completion.
3001 * When running LE scanning and BR/EDR inquiry simultaneously
3002 * and the LE scan already finished, then change the discovery
3003 * state to indicate completion.
3005 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3006 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3007 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3011 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3012 if (e && hci_resolve_name(hdev, e) == 0) {
3013 e->name_state = NAME_PENDING;
3014 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3015 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3017 /* When BR/EDR inquiry is active and no LE scanning is in
3018 * progress, then change discovery state to indicate completion.
3020 * When running LE scanning and BR/EDR inquiry simultaneously
3021 * and the LE scan already finished, then change the discovery
3022 * state to indicate completion.
3024 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3025 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3026 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3030 hci_dev_unlock(hdev);
3033 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3034 struct sk_buff *skb)
3036 struct hci_ev_inquiry_result *ev = edata;
3037 struct inquiry_data data;
3040 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3041 flex_array_size(ev, info, ev->num)))
3044 bt_dev_dbg(hdev, "num %d", ev->num);
3049 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3054 for (i = 0; i < ev->num; i++) {
3055 struct inquiry_info *info = &ev->info[i];
3058 bacpy(&data.bdaddr, &info->bdaddr);
3059 data.pscan_rep_mode = info->pscan_rep_mode;
3060 data.pscan_period_mode = info->pscan_period_mode;
3061 data.pscan_mode = info->pscan_mode;
3062 memcpy(data.dev_class, info->dev_class, 3);
3063 data.clock_offset = info->clock_offset;
3064 data.rssi = HCI_RSSI_INVALID;
3065 data.ssp_mode = 0x00;
3067 flags = hci_inquiry_cache_update(hdev, &data, false);
3069 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3070 info->dev_class, HCI_RSSI_INVALID,
3071 flags, NULL, 0, NULL, 0);
3074 hci_dev_unlock(hdev);
3077 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3078 struct sk_buff *skb)
3080 struct hci_ev_conn_complete *ev = data;
3081 struct hci_conn *conn;
3082 u8 status = ev->status;
3084 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3088 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3090 /* In case of error status and there is no connection pending
3091 * just unlock as there is nothing to cleanup.
3096 /* Connection may not exist if auto-connected. Check the bredr
3097 * allowlist to see if this device is allowed to auto connect.
3098 * If link is an ACL type, create a connection class
3101 * Auto-connect will only occur if the event filter is
3102 * programmed with a given address. Right now, event filter is
3103 * only used during suspend.
3105 if (ev->link_type == ACL_LINK &&
3106 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3109 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3112 bt_dev_err(hdev, "no memory for new conn");
3116 if (ev->link_type != SCO_LINK)
3119 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3124 conn->type = SCO_LINK;
3128 /* The HCI_Connection_Complete event is only sent once per connection.
3129 * Processing it more than once per connection can corrupt kernel memory.
3131 * As the connection handle is set here for the first time, it indicates
3132 * whether the connection is already set up.
3134 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
3135 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3140 conn->handle = __le16_to_cpu(ev->handle);
3141 if (conn->handle > HCI_CONN_HANDLE_MAX) {
3142 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
3143 conn->handle, HCI_CONN_HANDLE_MAX);
3144 status = HCI_ERROR_INVALID_PARAMETERS;
3148 if (conn->type == ACL_LINK) {
3149 conn->state = BT_CONFIG;
3150 hci_conn_hold(conn);
3152 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3153 !hci_find_link_key(hdev, &ev->bdaddr))
3154 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3156 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3158 conn->state = BT_CONNECTED;
3160 hci_debugfs_create_conn(conn);
3161 hci_conn_add_sysfs(conn);
3163 if (test_bit(HCI_AUTH, &hdev->flags))
3164 set_bit(HCI_CONN_AUTH, &conn->flags);
3166 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3167 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3169 /* Get remote features */
3170 if (conn->type == ACL_LINK) {
3171 struct hci_cp_read_remote_features cp;
3172 cp.handle = ev->handle;
3173 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3176 hci_update_scan(hdev);
3179 /* Set packet type for incoming connection */
3180 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3181 struct hci_cp_change_conn_ptype cp;
3182 cp.handle = ev->handle;
3183 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3184 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3189 if (conn->type == ACL_LINK)
3190 hci_sco_setup(conn, ev->status);
3194 hci_conn_failed(conn, status);
3195 } else if (ev->link_type == SCO_LINK) {
3196 switch (conn->setting & SCO_AIRMODE_MASK) {
3197 case SCO_AIRMODE_CVSD:
3199 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3203 hci_connect_cfm(conn, status);
3207 hci_dev_unlock(hdev);
3209 hci_conn_check_pending(hdev);
3212 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3214 struct hci_cp_reject_conn_req cp;
3216 bacpy(&cp.bdaddr, bdaddr);
3217 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3218 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3221 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3222 struct sk_buff *skb)
3224 struct hci_ev_conn_request *ev = data;
3225 int mask = hdev->link_mode;
3226 struct inquiry_entry *ie;
3227 struct hci_conn *conn;
3230 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3232 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3235 if (!(mask & HCI_LM_ACCEPT)) {
3236 hci_reject_conn(hdev, &ev->bdaddr);
3242 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3244 hci_reject_conn(hdev, &ev->bdaddr);
3248 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3249 * connection. These features are only touched through mgmt so
3250 * only do the checks if HCI_MGMT is set.
3252 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3253 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3254 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3256 hci_reject_conn(hdev, &ev->bdaddr);
3260 /* Connection accepted */
3262 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3264 memcpy(ie->data.dev_class, ev->dev_class, 3);
3266 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3269 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3272 bt_dev_err(hdev, "no memory for new connection");
3277 memcpy(conn->dev_class, ev->dev_class, 3);
3279 hci_dev_unlock(hdev);
3281 if (ev->link_type == ACL_LINK ||
3282 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3283 struct hci_cp_accept_conn_req cp;
3284 conn->state = BT_CONNECT;
3286 bacpy(&cp.bdaddr, &ev->bdaddr);
3288 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3289 cp.role = 0x00; /* Become central */
3291 cp.role = 0x01; /* Remain peripheral */
3293 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3294 } else if (!(flags & HCI_PROTO_DEFER)) {
3295 struct hci_cp_accept_sync_conn_req cp;
3296 conn->state = BT_CONNECT;
3298 bacpy(&cp.bdaddr, &ev->bdaddr);
3299 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3301 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3302 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3303 cp.max_latency = cpu_to_le16(0xffff);
3304 cp.content_format = cpu_to_le16(hdev->voice_setting);
3305 cp.retrans_effort = 0xff;
3307 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3310 conn->state = BT_CONNECT2;
3311 hci_connect_cfm(conn, 0);
3316 hci_dev_unlock(hdev);
3319 static u8 hci_to_mgmt_reason(u8 err)
3322 case HCI_ERROR_CONNECTION_TIMEOUT:
3323 return MGMT_DEV_DISCONN_TIMEOUT;
3324 case HCI_ERROR_REMOTE_USER_TERM:
3325 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3326 case HCI_ERROR_REMOTE_POWER_OFF:
3327 return MGMT_DEV_DISCONN_REMOTE;
3328 case HCI_ERROR_LOCAL_HOST_TERM:
3329 return MGMT_DEV_DISCONN_LOCAL_HOST;
3331 return MGMT_DEV_DISCONN_UNKNOWN;
3335 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3336 struct sk_buff *skb)
3338 struct hci_ev_disconn_complete *ev = data;
3340 struct hci_conn_params *params;
3341 struct hci_conn *conn;
3342 bool mgmt_connected;
3344 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3348 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3353 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3354 conn->dst_type, ev->status);
3358 conn->state = BT_CLOSED;
3360 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3362 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3363 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3365 reason = hci_to_mgmt_reason(ev->reason);
3367 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3368 reason, mgmt_connected);
3370 if (conn->type == ACL_LINK) {
3371 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3372 hci_remove_link_key(hdev, &conn->dst);
3374 hci_update_scan(hdev);
3377 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3379 switch (params->auto_connect) {
3380 case HCI_AUTO_CONN_LINK_LOSS:
3381 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3385 case HCI_AUTO_CONN_DIRECT:
3386 case HCI_AUTO_CONN_ALWAYS:
3387 list_del_init(¶ms->action);
3388 list_add(¶ms->action, &hdev->pend_le_conns);
3389 hci_update_passive_scan(hdev);
3397 hci_disconn_cfm(conn, ev->reason);
3399 /* Re-enable advertising if necessary, since it might
3400 * have been disabled by the connection. From the
3401 * HCI_LE_Set_Advertise_Enable command description in
3402 * the core specification (v4.0):
3403 * "The Controller shall continue advertising until the Host
3404 * issues an LE_Set_Advertise_Enable command with
3405 * Advertising_Enable set to 0x00 (Advertising is disabled)
3406 * or until a connection is created or until the Advertising
3407 * is timed out due to Directed Advertising."
3409 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3410 hdev->cur_adv_instance = conn->adv_instance;
3411 hci_enable_advertising(hdev);
3417 hci_dev_unlock(hdev);
3420 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3421 struct sk_buff *skb)
3423 struct hci_ev_auth_complete *ev = data;
3424 struct hci_conn *conn;
3426 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3430 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3435 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3437 if (!hci_conn_ssp_enabled(conn) &&
3438 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
3439 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
3441 set_bit(HCI_CONN_AUTH, &conn->flags);
3442 conn->sec_level = conn->pending_sec_level;
3445 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3446 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3448 mgmt_auth_failed(conn, ev->status);
3451 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3452 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3454 if (conn->state == BT_CONFIG) {
3455 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3456 struct hci_cp_set_conn_encrypt cp;
3457 cp.handle = ev->handle;
3459 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3462 conn->state = BT_CONNECTED;
3463 hci_connect_cfm(conn, ev->status);
3464 hci_conn_drop(conn);
3467 hci_auth_cfm(conn, ev->status);
3469 hci_conn_hold(conn);
3470 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3471 hci_conn_drop(conn);
3474 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3476 struct hci_cp_set_conn_encrypt cp;
3477 cp.handle = ev->handle;
3479 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3482 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3483 hci_encrypt_cfm(conn, ev->status);
3488 hci_dev_unlock(hdev);
3491 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3492 struct sk_buff *skb)
3494 struct hci_ev_remote_name *ev = data;
3495 struct hci_conn *conn;
3497 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3499 hci_conn_check_pending(hdev);
3503 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3505 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3508 if (ev->status == 0)
3509 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3510 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3512 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3518 if (!hci_outgoing_auth_needed(hdev, conn))
3521 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3522 struct hci_cp_auth_requested cp;
3524 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3526 cp.handle = __cpu_to_le16(conn->handle);
3527 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3531 hci_dev_unlock(hdev);
3534 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
3535 u16 opcode, struct sk_buff *skb)
3537 const struct hci_rp_read_enc_key_size *rp;
3538 struct hci_conn *conn;
3541 BT_DBG("%s status 0x%02x", hdev->name, status);
3543 if (!skb || skb->len < sizeof(*rp)) {
3544 bt_dev_err(hdev, "invalid read key size response");
3548 rp = (void *)skb->data;
3549 handle = le16_to_cpu(rp->handle);
3553 conn = hci_conn_hash_lookup_handle(hdev, handle);
3557 /* While unexpected, the read_enc_key_size command may fail. The most
3558 * secure approach is to then assume the key size is 0 to force a
3562 bt_dev_err(hdev, "failed to read key size for handle %u",
3564 conn->enc_key_size = 0;
3566 conn->enc_key_size = rp->key_size;
3569 hci_encrypt_cfm(conn, 0);
3572 hci_dev_unlock(hdev);
3575 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3576 struct sk_buff *skb)
3578 struct hci_ev_encrypt_change *ev = data;
3579 struct hci_conn *conn;
3581 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3585 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3591 /* Encryption implies authentication */
3592 set_bit(HCI_CONN_AUTH, &conn->flags);
3593 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3594 conn->sec_level = conn->pending_sec_level;
3596 /* P-256 authentication key implies FIPS */
3597 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3598 set_bit(HCI_CONN_FIPS, &conn->flags);
3600 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3601 conn->type == LE_LINK)
3602 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3604 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3605 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3609 /* We should disregard the current RPA and generate a new one
3610 * whenever the encryption procedure fails.
3612 if (ev->status && conn->type == LE_LINK) {
3613 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3614 hci_adv_instances_set_rpa_expired(hdev, true);
3617 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3619 /* Check link security requirements are met */
3620 if (!hci_conn_check_link_mode(conn))
3621 ev->status = HCI_ERROR_AUTH_FAILURE;
3623 if (ev->status && conn->state == BT_CONNECTED) {
3624 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3625 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3627 /* Notify upper layers so they can cleanup before
3630 hci_encrypt_cfm(conn, ev->status);
3631 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3632 hci_conn_drop(conn);
3636 /* Try reading the encryption key size for encrypted ACL links */
3637 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3638 struct hci_cp_read_enc_key_size cp;
3639 struct hci_request req;
3641 /* Only send HCI_Read_Encryption_Key_Size if the
3642 * controller really supports it. If it doesn't, assume
3643 * the default size (16).
3645 if (!(hdev->commands[20] & 0x10)) {
3646 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3650 hci_req_init(&req, hdev);
3652 cp.handle = cpu_to_le16(conn->handle);
3653 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3655 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3656 bt_dev_err(hdev, "sending read key size failed");
3657 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3664 /* Set the default Authenticated Payload Timeout after
3665 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3666 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3667 * sent when the link is active and Encryption is enabled, the conn
3668 * type can be either LE or ACL and controller must support LMP Ping.
3669 * Ensure for AES-CCM encryption as well.
3671 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3672 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3673 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3674 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3675 struct hci_cp_write_auth_payload_to cp;
3677 cp.handle = cpu_to_le16(conn->handle);
3678 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3679 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3684 hci_encrypt_cfm(conn, ev->status);
3687 hci_dev_unlock(hdev);
3690 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3691 struct sk_buff *skb)
3693 struct hci_ev_change_link_key_complete *ev = data;
3694 struct hci_conn *conn;
3696 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3700 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3703 set_bit(HCI_CONN_SECURE, &conn->flags);
3705 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3707 hci_key_change_cfm(conn, ev->status);
3710 hci_dev_unlock(hdev);
3713 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3714 struct sk_buff *skb)
3716 struct hci_ev_remote_features *ev = data;
3717 struct hci_conn *conn;
3719 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3723 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3728 memcpy(conn->features[0], ev->features, 8);
3730 if (conn->state != BT_CONFIG)
3733 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3734 lmp_ext_feat_capable(conn)) {
3735 struct hci_cp_read_remote_ext_features cp;
3736 cp.handle = ev->handle;
3738 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3743 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3744 struct hci_cp_remote_name_req cp;
3745 memset(&cp, 0, sizeof(cp));
3746 bacpy(&cp.bdaddr, &conn->dst);
3747 cp.pscan_rep_mode = 0x02;
3748 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3749 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3750 mgmt_device_connected(hdev, conn, NULL, 0);
3752 if (!hci_outgoing_auth_needed(hdev, conn)) {
3753 conn->state = BT_CONNECTED;
3754 hci_connect_cfm(conn, ev->status);
3755 hci_conn_drop(conn);
3759 hci_dev_unlock(hdev);
3762 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3764 cancel_delayed_work(&hdev->cmd_timer);
3766 if (!test_bit(HCI_RESET, &hdev->flags)) {
3768 cancel_delayed_work(&hdev->ncmd_timer);
3769 atomic_set(&hdev->cmd_cnt, 1);
3771 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3772 schedule_delayed_work(&hdev->ncmd_timer,
3778 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3779 struct sk_buff *skb)
3781 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3783 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3788 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3789 hdev->le_pkts = rp->acl_max_pkt;
3790 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3791 hdev->iso_pkts = rp->iso_max_pkt;
3793 hdev->le_cnt = hdev->le_pkts;
3794 hdev->iso_cnt = hdev->iso_pkts;
3796 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3797 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3802 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3803 struct sk_buff *skb)
3805 struct hci_rp_le_set_cig_params *rp = data;
3806 struct hci_conn *conn;
3809 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3814 while ((conn = hci_conn_hash_lookup_cig(hdev, rp->cig_id))) {
3815 conn->state = BT_CLOSED;
3816 hci_connect_cfm(conn, rp->status);
3824 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
3825 if (conn->type != ISO_LINK || conn->iso_qos.cig != rp->cig_id ||
3826 conn->state == BT_CONNECTED)
3829 conn->handle = __le16_to_cpu(rp->handle[i++]);
3831 bt_dev_dbg(hdev, "%p handle 0x%4.4x link %p", conn,
3832 conn->handle, conn->link);
3834 /* Create CIS if LE is already connected */
3835 if (conn->link && conn->link->state == BT_CONNECTED)
3836 hci_le_create_cis(conn->link);
3838 if (i == rp->num_handles)
3845 hci_dev_unlock(hdev);
3850 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3851 struct sk_buff *skb)
3853 struct hci_rp_le_setup_iso_path *rp = data;
3854 struct hci_cp_le_setup_iso_path *cp;
3855 struct hci_conn *conn;
3857 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3859 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3870 hci_connect_cfm(conn, rp->status);
3875 switch (cp->direction) {
3876 /* Input (Host to Controller) */
3878 /* Only confirm connection if output only */
3879 if (conn->iso_qos.out.sdu && !conn->iso_qos.in.sdu)
3880 hci_connect_cfm(conn, rp->status);
3882 /* Output (Controller to Host) */
3884 /* Confirm connection since conn->iso_qos is always configured
3887 hci_connect_cfm(conn, rp->status);
3892 hci_dev_unlock(hdev);
3896 #define HCI_CC_VL(_op, _func, _min, _max) \
3904 #define HCI_CC(_op, _func, _len) \
3905 HCI_CC_VL(_op, _func, _len, _len)
3907 #define HCI_CC_STATUS(_op, _func) \
3908 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
3910 static const struct hci_cc {
3912 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
3915 } hci_cc_table[] = {
3916 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
3917 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
3918 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
3919 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
3920 hci_cc_remote_name_req_cancel),
3921 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
3922 sizeof(struct hci_rp_role_discovery)),
3923 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
3924 sizeof(struct hci_rp_read_link_policy)),
3925 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
3926 sizeof(struct hci_rp_write_link_policy)),
3927 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
3928 sizeof(struct hci_rp_read_def_link_policy)),
3929 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
3930 hci_cc_write_def_link_policy),
3931 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
3932 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
3933 sizeof(struct hci_rp_read_stored_link_key)),
3934 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
3935 sizeof(struct hci_rp_delete_stored_link_key)),
3936 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
3937 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
3938 sizeof(struct hci_rp_read_local_name)),
3939 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
3940 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
3941 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
3942 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
3943 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
3944 sizeof(struct hci_rp_read_class_of_dev)),
3945 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
3946 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
3947 sizeof(struct hci_rp_read_voice_setting)),
3948 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
3949 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
3950 sizeof(struct hci_rp_read_num_supported_iac)),
3951 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
3952 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
3953 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
3954 sizeof(struct hci_rp_read_auth_payload_to)),
3955 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
3956 sizeof(struct hci_rp_write_auth_payload_to)),
3957 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
3958 sizeof(struct hci_rp_read_local_version)),
3959 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
3960 sizeof(struct hci_rp_read_local_commands)),
3961 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
3962 sizeof(struct hci_rp_read_local_features)),
3963 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
3964 sizeof(struct hci_rp_read_local_ext_features)),
3965 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
3966 sizeof(struct hci_rp_read_buffer_size)),
3967 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
3968 sizeof(struct hci_rp_read_bd_addr)),
3969 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
3970 sizeof(struct hci_rp_read_local_pairing_opts)),
3971 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
3972 sizeof(struct hci_rp_read_page_scan_activity)),
3973 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
3974 hci_cc_write_page_scan_activity),
3975 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
3976 sizeof(struct hci_rp_read_page_scan_type)),
3977 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
3978 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
3979 sizeof(struct hci_rp_read_data_block_size)),
3980 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
3981 sizeof(struct hci_rp_read_flow_control_mode)),
3982 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
3983 sizeof(struct hci_rp_read_local_amp_info)),
3984 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
3985 sizeof(struct hci_rp_read_clock)),
3986 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
3987 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
3988 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
3989 hci_cc_read_def_err_data_reporting,
3990 sizeof(struct hci_rp_read_def_err_data_reporting)),
3991 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
3992 hci_cc_write_def_err_data_reporting),
3993 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
3994 sizeof(struct hci_rp_pin_code_reply)),
3995 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
3996 sizeof(struct hci_rp_pin_code_neg_reply)),
3997 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
3998 sizeof(struct hci_rp_read_local_oob_data)),
3999 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4000 sizeof(struct hci_rp_read_local_oob_ext_data)),
4001 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4002 sizeof(struct hci_rp_le_read_buffer_size)),
4003 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4004 sizeof(struct hci_rp_le_read_local_features)),
4005 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4006 sizeof(struct hci_rp_le_read_adv_tx_power)),
4007 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4008 sizeof(struct hci_rp_user_confirm_reply)),
4009 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4010 sizeof(struct hci_rp_user_confirm_reply)),
4011 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4012 sizeof(struct hci_rp_user_confirm_reply)),
4013 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4014 sizeof(struct hci_rp_user_confirm_reply)),
4015 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4016 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4017 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4018 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4019 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4020 hci_cc_le_read_accept_list_size,
4021 sizeof(struct hci_rp_le_read_accept_list_size)),
4022 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4023 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4024 hci_cc_le_add_to_accept_list),
4025 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4026 hci_cc_le_del_from_accept_list),
4027 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4028 sizeof(struct hci_rp_le_read_supported_states)),
4029 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4030 sizeof(struct hci_rp_le_read_def_data_len)),
4031 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4032 hci_cc_le_write_def_data_len),
4033 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4034 hci_cc_le_add_to_resolv_list),
4035 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4036 hci_cc_le_del_from_resolv_list),
4037 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4038 hci_cc_le_clear_resolv_list),
4039 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4040 sizeof(struct hci_rp_le_read_resolv_list_size)),
4041 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4042 hci_cc_le_set_addr_resolution_enable),
4043 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4044 sizeof(struct hci_rp_le_read_max_data_len)),
4045 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4046 hci_cc_write_le_host_supported),
4047 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4048 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4049 sizeof(struct hci_rp_read_rssi)),
4050 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4051 sizeof(struct hci_rp_read_tx_power)),
4052 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4053 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4054 hci_cc_le_set_ext_scan_param),
4055 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4056 hci_cc_le_set_ext_scan_enable),
4057 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4058 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4059 hci_cc_le_read_num_adv_sets,
4060 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4061 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4062 sizeof(struct hci_rp_le_set_ext_adv_params)),
4063 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4064 hci_cc_le_set_ext_adv_enable),
4065 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4066 hci_cc_le_set_adv_set_random_addr),
4067 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4068 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4069 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4070 sizeof(struct hci_rp_le_read_transmit_power)),
4071 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4072 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4073 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4074 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4075 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4076 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4077 sizeof(struct hci_rp_le_setup_iso_path)),
4080 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4081 struct sk_buff *skb)
4085 if (skb->len < cc->min_len) {
4086 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4087 cc->op, skb->len, cc->min_len);
4088 return HCI_ERROR_UNSPECIFIED;
4091 /* Just warn if the length is over max_len size it still be possible to
4092 * partially parse the cc so leave to callback to decide if that is
4095 if (skb->len > cc->max_len)
4096 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4097 cc->op, skb->len, cc->max_len);
4099 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4101 return HCI_ERROR_UNSPECIFIED;
4103 return cc->func(hdev, data, skb);
4106 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4107 struct sk_buff *skb, u16 *opcode, u8 *status,
4108 hci_req_complete_t *req_complete,
4109 hci_req_complete_skb_t *req_complete_skb)
4111 struct hci_ev_cmd_complete *ev = data;
4114 *opcode = __le16_to_cpu(ev->opcode);
4116 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4118 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4119 if (hci_cc_table[i].op == *opcode) {
4120 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4125 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4127 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4130 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4132 "unexpected event for opcode 0x%4.4x", *opcode);
4136 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4137 queue_work(hdev->workqueue, &hdev->cmd_work);
4140 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4142 struct hci_cp_le_create_cis *cp;
4145 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4150 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4156 /* Remove connection if command failed */
4157 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4158 struct hci_conn *conn;
4161 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4163 conn = hci_conn_hash_lookup_handle(hdev, handle);
4165 conn->state = BT_CLOSED;
4166 hci_connect_cfm(conn, status);
4171 hci_dev_unlock(hdev);
4174 #define HCI_CS(_op, _func) \
4180 static const struct hci_cs {
4182 void (*func)(struct hci_dev *hdev, __u8 status);
4183 } hci_cs_table[] = {
4184 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4185 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4186 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4187 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4188 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4189 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4190 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4191 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4192 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4193 hci_cs_read_remote_ext_features),
4194 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4195 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4196 hci_cs_enhanced_setup_sync_conn),
4197 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4198 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4199 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4200 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4201 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4202 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4203 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4204 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4207 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4208 struct sk_buff *skb, u16 *opcode, u8 *status,
4209 hci_req_complete_t *req_complete,
4210 hci_req_complete_skb_t *req_complete_skb)
4212 struct hci_ev_cmd_status *ev = data;
4215 *opcode = __le16_to_cpu(ev->opcode);
4216 *status = ev->status;
4218 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4220 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4221 if (hci_cs_table[i].op == *opcode) {
4222 hci_cs_table[i].func(hdev, ev->status);
4227 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4229 /* Indicate request completion if the command failed. Also, if
4230 * we're not waiting for a special event and we get a success
4231 * command status we should try to flag the request as completed
4232 * (since for this kind of commands there will not be a command
4235 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4236 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4238 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4239 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4245 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4246 queue_work(hdev->workqueue, &hdev->cmd_work);
4249 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4250 struct sk_buff *skb)
4252 struct hci_ev_hardware_error *ev = data;
4254 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4256 hdev->hw_error_code = ev->code;
4258 queue_work(hdev->req_workqueue, &hdev->error_reset);
4261 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4262 struct sk_buff *skb)
4264 struct hci_ev_role_change *ev = data;
4265 struct hci_conn *conn;
4267 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4271 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4274 conn->role = ev->role;
4276 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4278 hci_role_switch_cfm(conn, ev->status, ev->role);
4281 hci_dev_unlock(hdev);
4284 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4285 struct sk_buff *skb)
4287 struct hci_ev_num_comp_pkts *ev = data;
4290 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4291 flex_array_size(ev, handles, ev->num)))
4294 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4295 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4299 bt_dev_dbg(hdev, "num %d", ev->num);
4301 for (i = 0; i < ev->num; i++) {
4302 struct hci_comp_pkts_info *info = &ev->handles[i];
4303 struct hci_conn *conn;
4304 __u16 handle, count;
4306 handle = __le16_to_cpu(info->handle);
4307 count = __le16_to_cpu(info->count);
4309 conn = hci_conn_hash_lookup_handle(hdev, handle);
4313 conn->sent -= count;
4315 switch (conn->type) {
4317 hdev->acl_cnt += count;
4318 if (hdev->acl_cnt > hdev->acl_pkts)
4319 hdev->acl_cnt = hdev->acl_pkts;
4323 if (hdev->le_pkts) {
4324 hdev->le_cnt += count;
4325 if (hdev->le_cnt > hdev->le_pkts)
4326 hdev->le_cnt = hdev->le_pkts;
4328 hdev->acl_cnt += count;
4329 if (hdev->acl_cnt > hdev->acl_pkts)
4330 hdev->acl_cnt = hdev->acl_pkts;
4335 hdev->sco_cnt += count;
4336 if (hdev->sco_cnt > hdev->sco_pkts)
4337 hdev->sco_cnt = hdev->sco_pkts;
4341 if (hdev->iso_pkts) {
4342 hdev->iso_cnt += count;
4343 if (hdev->iso_cnt > hdev->iso_pkts)
4344 hdev->iso_cnt = hdev->iso_pkts;
4345 } else if (hdev->le_pkts) {
4346 hdev->le_cnt += count;
4347 if (hdev->le_cnt > hdev->le_pkts)
4348 hdev->le_cnt = hdev->le_pkts;
4350 hdev->acl_cnt += count;
4351 if (hdev->acl_cnt > hdev->acl_pkts)
4352 hdev->acl_cnt = hdev->acl_pkts;
4357 bt_dev_err(hdev, "unknown type %d conn %p",
4363 queue_work(hdev->workqueue, &hdev->tx_work);
4366 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4369 struct hci_chan *chan;
4371 switch (hdev->dev_type) {
4373 return hci_conn_hash_lookup_handle(hdev, handle);
4375 chan = hci_chan_lookup_handle(hdev, handle);
4380 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4387 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4388 struct sk_buff *skb)
4390 struct hci_ev_num_comp_blocks *ev = data;
4393 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4394 flex_array_size(ev, handles, ev->num_hndl)))
4397 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4398 bt_dev_err(hdev, "wrong event for mode %d",
4399 hdev->flow_ctl_mode);
4403 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4406 for (i = 0; i < ev->num_hndl; i++) {
4407 struct hci_comp_blocks_info *info = &ev->handles[i];
4408 struct hci_conn *conn = NULL;
4409 __u16 handle, block_count;
4411 handle = __le16_to_cpu(info->handle);
4412 block_count = __le16_to_cpu(info->blocks);
4414 conn = __hci_conn_lookup_handle(hdev, handle);
4418 conn->sent -= block_count;
4420 switch (conn->type) {
4423 hdev->block_cnt += block_count;
4424 if (hdev->block_cnt > hdev->num_blocks)
4425 hdev->block_cnt = hdev->num_blocks;
4429 bt_dev_err(hdev, "unknown type %d conn %p",
4435 queue_work(hdev->workqueue, &hdev->tx_work);
4438 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4439 struct sk_buff *skb)
4441 struct hci_ev_mode_change *ev = data;
4442 struct hci_conn *conn;
4444 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4448 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4450 conn->mode = ev->mode;
4452 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4454 if (conn->mode == HCI_CM_ACTIVE)
4455 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4457 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4460 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4461 hci_sco_setup(conn, ev->status);
4464 hci_dev_unlock(hdev);
4467 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4468 struct sk_buff *skb)
4470 struct hci_ev_pin_code_req *ev = data;
4471 struct hci_conn *conn;
4473 bt_dev_dbg(hdev, "");
4477 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4481 if (conn->state == BT_CONNECTED) {
4482 hci_conn_hold(conn);
4483 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4484 hci_conn_drop(conn);
4487 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4488 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4489 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4490 sizeof(ev->bdaddr), &ev->bdaddr);
4491 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4494 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4499 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4503 hci_dev_unlock(hdev);
4506 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4508 if (key_type == HCI_LK_CHANGED_COMBINATION)
4511 conn->pin_length = pin_len;
4512 conn->key_type = key_type;
4515 case HCI_LK_LOCAL_UNIT:
4516 case HCI_LK_REMOTE_UNIT:
4517 case HCI_LK_DEBUG_COMBINATION:
4519 case HCI_LK_COMBINATION:
4521 conn->pending_sec_level = BT_SECURITY_HIGH;
4523 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4525 case HCI_LK_UNAUTH_COMBINATION_P192:
4526 case HCI_LK_UNAUTH_COMBINATION_P256:
4527 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4529 case HCI_LK_AUTH_COMBINATION_P192:
4530 conn->pending_sec_level = BT_SECURITY_HIGH;
4532 case HCI_LK_AUTH_COMBINATION_P256:
4533 conn->pending_sec_level = BT_SECURITY_FIPS;
4538 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4539 struct sk_buff *skb)
4541 struct hci_ev_link_key_req *ev = data;
4542 struct hci_cp_link_key_reply cp;
4543 struct hci_conn *conn;
4544 struct link_key *key;
4546 bt_dev_dbg(hdev, "");
4548 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4553 key = hci_find_link_key(hdev, &ev->bdaddr);
4555 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4559 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4561 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4563 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4565 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4566 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4567 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4568 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4572 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4573 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4574 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4575 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4579 conn_set_key(conn, key->type, key->pin_len);
4582 bacpy(&cp.bdaddr, &ev->bdaddr);
4583 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4585 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4587 hci_dev_unlock(hdev);
4592 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4593 hci_dev_unlock(hdev);
4596 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4597 struct sk_buff *skb)
4599 struct hci_ev_link_key_notify *ev = data;
4600 struct hci_conn *conn;
4601 struct link_key *key;
4605 bt_dev_dbg(hdev, "");
4609 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4613 hci_conn_hold(conn);
4614 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4615 hci_conn_drop(conn);
4617 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4618 conn_set_key(conn, ev->key_type, conn->pin_length);
4620 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4623 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4624 ev->key_type, pin_len, &persistent);
4628 /* Update connection information since adding the key will have
4629 * fixed up the type in the case of changed combination keys.
4631 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4632 conn_set_key(conn, key->type, key->pin_len);
4634 mgmt_new_link_key(hdev, key, persistent);
4636 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4637 * is set. If it's not set simply remove the key from the kernel
4638 * list (we've still notified user space about it but with
4639 * store_hint being 0).
4641 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4642 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4643 list_del_rcu(&key->list);
4644 kfree_rcu(key, rcu);
4649 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4651 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4654 hci_dev_unlock(hdev);
4657 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4658 struct sk_buff *skb)
4660 struct hci_ev_clock_offset *ev = data;
4661 struct hci_conn *conn;
4663 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4667 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4668 if (conn && !ev->status) {
4669 struct inquiry_entry *ie;
4671 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4673 ie->data.clock_offset = ev->clock_offset;
4674 ie->timestamp = jiffies;
4678 hci_dev_unlock(hdev);
4681 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4682 struct sk_buff *skb)
4684 struct hci_ev_pkt_type_change *ev = data;
4685 struct hci_conn *conn;
4687 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4691 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4692 if (conn && !ev->status)
4693 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4695 hci_dev_unlock(hdev);
4698 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4699 struct sk_buff *skb)
4701 struct hci_ev_pscan_rep_mode *ev = data;
4702 struct inquiry_entry *ie;
4704 bt_dev_dbg(hdev, "");
4708 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4710 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4711 ie->timestamp = jiffies;
4714 hci_dev_unlock(hdev);
4717 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4718 struct sk_buff *skb)
4720 struct hci_ev_inquiry_result_rssi *ev = edata;
4721 struct inquiry_data data;
4724 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4729 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4734 if (skb->len == array_size(ev->num,
4735 sizeof(struct inquiry_info_rssi_pscan))) {
4736 struct inquiry_info_rssi_pscan *info;
4738 for (i = 0; i < ev->num; i++) {
4741 info = hci_ev_skb_pull(hdev, skb,
4742 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4745 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4746 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4750 bacpy(&data.bdaddr, &info->bdaddr);
4751 data.pscan_rep_mode = info->pscan_rep_mode;
4752 data.pscan_period_mode = info->pscan_period_mode;
4753 data.pscan_mode = info->pscan_mode;
4754 memcpy(data.dev_class, info->dev_class, 3);
4755 data.clock_offset = info->clock_offset;
4756 data.rssi = info->rssi;
4757 data.ssp_mode = 0x00;
4759 flags = hci_inquiry_cache_update(hdev, &data, false);
4761 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4762 info->dev_class, info->rssi,
4763 flags, NULL, 0, NULL, 0);
4765 } else if (skb->len == array_size(ev->num,
4766 sizeof(struct inquiry_info_rssi))) {
4767 struct inquiry_info_rssi *info;
4769 for (i = 0; i < ev->num; i++) {
4772 info = hci_ev_skb_pull(hdev, skb,
4773 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4776 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4777 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4781 bacpy(&data.bdaddr, &info->bdaddr);
4782 data.pscan_rep_mode = info->pscan_rep_mode;
4783 data.pscan_period_mode = info->pscan_period_mode;
4784 data.pscan_mode = 0x00;
4785 memcpy(data.dev_class, info->dev_class, 3);
4786 data.clock_offset = info->clock_offset;
4787 data.rssi = info->rssi;
4788 data.ssp_mode = 0x00;
4790 flags = hci_inquiry_cache_update(hdev, &data, false);
4792 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4793 info->dev_class, info->rssi,
4794 flags, NULL, 0, NULL, 0);
4797 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4798 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4801 hci_dev_unlock(hdev);
4804 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4805 struct sk_buff *skb)
4807 struct hci_ev_remote_ext_features *ev = data;
4808 struct hci_conn *conn;
4810 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4814 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4818 if (ev->page < HCI_MAX_PAGES)
4819 memcpy(conn->features[ev->page], ev->features, 8);
4821 if (!ev->status && ev->page == 0x01) {
4822 struct inquiry_entry *ie;
4824 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4826 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4828 if (ev->features[0] & LMP_HOST_SSP) {
4829 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4831 /* It is mandatory by the Bluetooth specification that
4832 * Extended Inquiry Results are only used when Secure
4833 * Simple Pairing is enabled, but some devices violate
4836 * To make these devices work, the internal SSP
4837 * enabled flag needs to be cleared if the remote host
4838 * features do not indicate SSP support */
4839 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4842 if (ev->features[0] & LMP_HOST_SC)
4843 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4846 if (conn->state != BT_CONFIG)
4849 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4850 struct hci_cp_remote_name_req cp;
4851 memset(&cp, 0, sizeof(cp));
4852 bacpy(&cp.bdaddr, &conn->dst);
4853 cp.pscan_rep_mode = 0x02;
4854 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4855 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4856 mgmt_device_connected(hdev, conn, NULL, 0);
4858 if (!hci_outgoing_auth_needed(hdev, conn)) {
4859 conn->state = BT_CONNECTED;
4860 hci_connect_cfm(conn, ev->status);
4861 hci_conn_drop(conn);
4865 hci_dev_unlock(hdev);
4868 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
4869 struct sk_buff *skb)
4871 struct hci_ev_sync_conn_complete *ev = data;
4872 struct hci_conn *conn;
4873 u8 status = ev->status;
4875 switch (ev->link_type) {
4880 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
4881 * for HCI_Synchronous_Connection_Complete is limited to
4882 * either SCO or eSCO
4884 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
4888 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4892 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4894 if (ev->link_type == ESCO_LINK)
4897 /* When the link type in the event indicates SCO connection
4898 * and lookup of the connection object fails, then check
4899 * if an eSCO connection object exists.
4901 * The core limits the synchronous connections to either
4902 * SCO or eSCO. The eSCO connection is preferred and tried
4903 * to be setup first and until successfully established,
4904 * the link type will be hinted as eSCO.
4906 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4911 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
4912 * Processing it more than once per connection can corrupt kernel memory.
4914 * As the connection handle is set here for the first time, it indicates
4915 * whether the connection is already set up.
4917 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
4918 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
4924 conn->handle = __le16_to_cpu(ev->handle);
4925 if (conn->handle > HCI_CONN_HANDLE_MAX) {
4926 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
4927 conn->handle, HCI_CONN_HANDLE_MAX);
4928 status = HCI_ERROR_INVALID_PARAMETERS;
4929 conn->state = BT_CLOSED;
4933 conn->state = BT_CONNECTED;
4934 conn->type = ev->link_type;
4936 hci_debugfs_create_conn(conn);
4937 hci_conn_add_sysfs(conn);
4940 case 0x10: /* Connection Accept Timeout */
4941 case 0x0d: /* Connection Rejected due to Limited Resources */
4942 case 0x11: /* Unsupported Feature or Parameter Value */
4943 case 0x1c: /* SCO interval rejected */
4944 case 0x1a: /* Unsupported Remote Feature */
4945 case 0x1e: /* Invalid LMP Parameters */
4946 case 0x1f: /* Unspecified error */
4947 case 0x20: /* Unsupported LMP Parameter value */
4949 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4950 (hdev->esco_type & EDR_ESCO_MASK);
4951 if (hci_setup_sync(conn, conn->link->handle))
4957 conn->state = BT_CLOSED;
4961 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4962 /* Notify only in case of SCO over HCI transport data path which
4963 * is zero and non-zero value shall be non-HCI transport data path
4965 if (conn->codec.data_path == 0 && hdev->notify) {
4966 switch (ev->air_mode) {
4968 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
4971 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
4976 hci_connect_cfm(conn, status);
4981 hci_dev_unlock(hdev);
4984 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4988 while (parsed < eir_len) {
4989 u8 field_len = eir[0];
4994 parsed += field_len + 1;
4995 eir += field_len + 1;
5001 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5002 struct sk_buff *skb)
5004 struct hci_ev_ext_inquiry_result *ev = edata;
5005 struct inquiry_data data;
5009 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5010 flex_array_size(ev, info, ev->num)))
5013 bt_dev_dbg(hdev, "num %d", ev->num);
5018 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5023 for (i = 0; i < ev->num; i++) {
5024 struct extended_inquiry_info *info = &ev->info[i];
5028 bacpy(&data.bdaddr, &info->bdaddr);
5029 data.pscan_rep_mode = info->pscan_rep_mode;
5030 data.pscan_period_mode = info->pscan_period_mode;
5031 data.pscan_mode = 0x00;
5032 memcpy(data.dev_class, info->dev_class, 3);
5033 data.clock_offset = info->clock_offset;
5034 data.rssi = info->rssi;
5035 data.ssp_mode = 0x01;
5037 if (hci_dev_test_flag(hdev, HCI_MGMT))
5038 name_known = eir_get_data(info->data,
5040 EIR_NAME_COMPLETE, NULL);
5044 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5046 eir_len = eir_get_length(info->data, sizeof(info->data));
5048 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5049 info->dev_class, info->rssi,
5050 flags, info->data, eir_len, NULL, 0);
5053 hci_dev_unlock(hdev);
5056 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5057 struct sk_buff *skb)
5059 struct hci_ev_key_refresh_complete *ev = data;
5060 struct hci_conn *conn;
5062 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5063 __le16_to_cpu(ev->handle));
5067 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5071 /* For BR/EDR the necessary steps are taken through the
5072 * auth_complete event.
5074 if (conn->type != LE_LINK)
5078 conn->sec_level = conn->pending_sec_level;
5080 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5082 if (ev->status && conn->state == BT_CONNECTED) {
5083 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5084 hci_conn_drop(conn);
5088 if (conn->state == BT_CONFIG) {
5090 conn->state = BT_CONNECTED;
5092 hci_connect_cfm(conn, ev->status);
5093 hci_conn_drop(conn);
5095 hci_auth_cfm(conn, ev->status);
5097 hci_conn_hold(conn);
5098 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5099 hci_conn_drop(conn);
5103 hci_dev_unlock(hdev);
5106 static u8 hci_get_auth_req(struct hci_conn *conn)
5108 /* If remote requests no-bonding follow that lead */
5109 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5110 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5111 return conn->remote_auth | (conn->auth_type & 0x01);
5113 /* If both remote and local have enough IO capabilities, require
5116 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5117 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5118 return conn->remote_auth | 0x01;
5120 /* No MITM protection possible so ignore remote requirement */
5121 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5124 static u8 bredr_oob_data_present(struct hci_conn *conn)
5126 struct hci_dev *hdev = conn->hdev;
5127 struct oob_data *data;
5129 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5133 if (bredr_sc_enabled(hdev)) {
5134 /* When Secure Connections is enabled, then just
5135 * return the present value stored with the OOB
5136 * data. The stored value contains the right present
5137 * information. However it can only be trusted when
5138 * not in Secure Connection Only mode.
5140 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5141 return data->present;
5143 /* When Secure Connections Only mode is enabled, then
5144 * the P-256 values are required. If they are not
5145 * available, then do not declare that OOB data is
5148 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
5149 !memcmp(data->hash256, ZERO_KEY, 16))
5155 /* When Secure Connections is not enabled or actually
5156 * not supported by the hardware, then check that if
5157 * P-192 data values are present.
5159 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
5160 !memcmp(data->hash192, ZERO_KEY, 16))
5166 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5167 struct sk_buff *skb)
5169 struct hci_ev_io_capa_request *ev = data;
5170 struct hci_conn *conn;
5172 bt_dev_dbg(hdev, "");
5176 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5180 hci_conn_hold(conn);
5182 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5185 /* Allow pairing if we're pairable, the initiators of the
5186 * pairing or if the remote is not requesting bonding.
5188 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5189 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5190 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5191 struct hci_cp_io_capability_reply cp;
5193 bacpy(&cp.bdaddr, &ev->bdaddr);
5194 /* Change the IO capability from KeyboardDisplay
5195 * to DisplayYesNo as it is not supported by BT spec. */
5196 cp.capability = (conn->io_capability == 0x04) ?
5197 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5199 /* If we are initiators, there is no remote information yet */
5200 if (conn->remote_auth == 0xff) {
5201 /* Request MITM protection if our IO caps allow it
5202 * except for the no-bonding case.
5204 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5205 conn->auth_type != HCI_AT_NO_BONDING)
5206 conn->auth_type |= 0x01;
5208 conn->auth_type = hci_get_auth_req(conn);
5211 /* If we're not bondable, force one of the non-bondable
5212 * authentication requirement values.
5214 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5215 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5217 cp.authentication = conn->auth_type;
5218 cp.oob_data = bredr_oob_data_present(conn);
5220 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5223 struct hci_cp_io_capability_neg_reply cp;
5225 bacpy(&cp.bdaddr, &ev->bdaddr);
5226 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5228 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5233 hci_dev_unlock(hdev);
5236 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5237 struct sk_buff *skb)
5239 struct hci_ev_io_capa_reply *ev = data;
5240 struct hci_conn *conn;
5242 bt_dev_dbg(hdev, "");
5246 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5250 conn->remote_cap = ev->capability;
5251 conn->remote_auth = ev->authentication;
5254 hci_dev_unlock(hdev);
5257 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5258 struct sk_buff *skb)
5260 struct hci_ev_user_confirm_req *ev = data;
5261 int loc_mitm, rem_mitm, confirm_hint = 0;
5262 struct hci_conn *conn;
5264 bt_dev_dbg(hdev, "");
5268 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5271 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5275 loc_mitm = (conn->auth_type & 0x01);
5276 rem_mitm = (conn->remote_auth & 0x01);
5278 /* If we require MITM but the remote device can't provide that
5279 * (it has NoInputNoOutput) then reject the confirmation
5280 * request. We check the security level here since it doesn't
5281 * necessarily match conn->auth_type.
5283 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5284 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5285 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5286 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5287 sizeof(ev->bdaddr), &ev->bdaddr);
5291 /* If no side requires MITM protection; auto-accept */
5292 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5293 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5295 /* If we're not the initiators request authorization to
5296 * proceed from user space (mgmt_user_confirm with
5297 * confirm_hint set to 1). The exception is if neither
5298 * side had MITM or if the local IO capability is
5299 * NoInputNoOutput, in which case we do auto-accept
5301 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5302 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5303 (loc_mitm || rem_mitm)) {
5304 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5309 /* If there already exists link key in local host, leave the
5310 * decision to user space since the remote device could be
5311 * legitimate or malicious.
5313 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5314 bt_dev_dbg(hdev, "Local host already has link key");
5319 BT_DBG("Auto-accept of user confirmation with %ums delay",
5320 hdev->auto_accept_delay);
5322 if (hdev->auto_accept_delay > 0) {
5323 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5324 queue_delayed_work(conn->hdev->workqueue,
5325 &conn->auto_accept_work, delay);
5329 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5330 sizeof(ev->bdaddr), &ev->bdaddr);
5335 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5336 le32_to_cpu(ev->passkey), confirm_hint);
5339 hci_dev_unlock(hdev);
5342 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5343 struct sk_buff *skb)
5345 struct hci_ev_user_passkey_req *ev = data;
5347 bt_dev_dbg(hdev, "");
5349 if (hci_dev_test_flag(hdev, HCI_MGMT))
5350 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5353 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5354 struct sk_buff *skb)
5356 struct hci_ev_user_passkey_notify *ev = data;
5357 struct hci_conn *conn;
5359 bt_dev_dbg(hdev, "");
5361 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5365 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5366 conn->passkey_entered = 0;
5368 if (hci_dev_test_flag(hdev, HCI_MGMT))
5369 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5370 conn->dst_type, conn->passkey_notify,
5371 conn->passkey_entered);
5374 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5375 struct sk_buff *skb)
5377 struct hci_ev_keypress_notify *ev = data;
5378 struct hci_conn *conn;
5380 bt_dev_dbg(hdev, "");
5382 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5387 case HCI_KEYPRESS_STARTED:
5388 conn->passkey_entered = 0;
5391 case HCI_KEYPRESS_ENTERED:
5392 conn->passkey_entered++;
5395 case HCI_KEYPRESS_ERASED:
5396 conn->passkey_entered--;
5399 case HCI_KEYPRESS_CLEARED:
5400 conn->passkey_entered = 0;
5403 case HCI_KEYPRESS_COMPLETED:
5407 if (hci_dev_test_flag(hdev, HCI_MGMT))
5408 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5409 conn->dst_type, conn->passkey_notify,
5410 conn->passkey_entered);
5413 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5414 struct sk_buff *skb)
5416 struct hci_ev_simple_pair_complete *ev = data;
5417 struct hci_conn *conn;
5419 bt_dev_dbg(hdev, "");
5423 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5427 /* Reset the authentication requirement to unknown */
5428 conn->remote_auth = 0xff;
5430 /* To avoid duplicate auth_failed events to user space we check
5431 * the HCI_CONN_AUTH_PEND flag which will be set if we
5432 * initiated the authentication. A traditional auth_complete
5433 * event gets always produced as initiator and is also mapped to
5434 * the mgmt_auth_failed event */
5435 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5436 mgmt_auth_failed(conn, ev->status);
5438 hci_conn_drop(conn);
5441 hci_dev_unlock(hdev);
5444 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5445 struct sk_buff *skb)
5447 struct hci_ev_remote_host_features *ev = data;
5448 struct inquiry_entry *ie;
5449 struct hci_conn *conn;
5451 bt_dev_dbg(hdev, "");
5455 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5457 memcpy(conn->features[1], ev->features, 8);
5459 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5461 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5463 hci_dev_unlock(hdev);
5466 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5467 struct sk_buff *skb)
5469 struct hci_ev_remote_oob_data_request *ev = edata;
5470 struct oob_data *data;
5472 bt_dev_dbg(hdev, "");
5476 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5479 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5481 struct hci_cp_remote_oob_data_neg_reply cp;
5483 bacpy(&cp.bdaddr, &ev->bdaddr);
5484 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5489 if (bredr_sc_enabled(hdev)) {
5490 struct hci_cp_remote_oob_ext_data_reply cp;
5492 bacpy(&cp.bdaddr, &ev->bdaddr);
5493 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5494 memset(cp.hash192, 0, sizeof(cp.hash192));
5495 memset(cp.rand192, 0, sizeof(cp.rand192));
5497 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5498 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5500 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5501 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5503 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5506 struct hci_cp_remote_oob_data_reply cp;
5508 bacpy(&cp.bdaddr, &ev->bdaddr);
5509 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5510 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5512 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5517 hci_dev_unlock(hdev);
5520 #if IS_ENABLED(CONFIG_BT_HS)
5521 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5522 struct sk_buff *skb)
5524 struct hci_ev_channel_selected *ev = data;
5525 struct hci_conn *hcon;
5527 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5529 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5533 amp_read_loc_assoc_final_data(hdev, hcon);
5536 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5537 struct sk_buff *skb)
5539 struct hci_ev_phy_link_complete *ev = data;
5540 struct hci_conn *hcon, *bredr_hcon;
5542 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5547 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5559 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5561 hcon->state = BT_CONNECTED;
5562 bacpy(&hcon->dst, &bredr_hcon->dst);
5564 hci_conn_hold(hcon);
5565 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5566 hci_conn_drop(hcon);
5568 hci_debugfs_create_conn(hcon);
5569 hci_conn_add_sysfs(hcon);
5571 amp_physical_cfm(bredr_hcon, hcon);
5574 hci_dev_unlock(hdev);
5577 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5578 struct sk_buff *skb)
5580 struct hci_ev_logical_link_complete *ev = data;
5581 struct hci_conn *hcon;
5582 struct hci_chan *hchan;
5583 struct amp_mgr *mgr;
5585 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5586 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5588 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5592 /* Create AMP hchan */
5593 hchan = hci_chan_create(hcon);
5597 hchan->handle = le16_to_cpu(ev->handle);
5600 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5602 mgr = hcon->amp_mgr;
5603 if (mgr && mgr->bredr_chan) {
5604 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5606 l2cap_chan_lock(bredr_chan);
5608 bredr_chan->conn->mtu = hdev->block_mtu;
5609 l2cap_logical_cfm(bredr_chan, hchan, 0);
5610 hci_conn_hold(hcon);
5612 l2cap_chan_unlock(bredr_chan);
5616 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5617 struct sk_buff *skb)
5619 struct hci_ev_disconn_logical_link_complete *ev = data;
5620 struct hci_chan *hchan;
5622 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5623 le16_to_cpu(ev->handle), ev->status);
5630 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5631 if (!hchan || !hchan->amp)
5634 amp_destroy_logical_link(hchan, ev->reason);
5637 hci_dev_unlock(hdev);
5640 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5641 struct sk_buff *skb)
5643 struct hci_ev_disconn_phy_link_complete *ev = data;
5644 struct hci_conn *hcon;
5646 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5653 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5654 if (hcon && hcon->type == AMP_LINK) {
5655 hcon->state = BT_CLOSED;
5656 hci_disconn_cfm(hcon, ev->reason);
5660 hci_dev_unlock(hdev);
5664 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5665 u8 bdaddr_type, bdaddr_t *local_rpa)
5668 conn->dst_type = bdaddr_type;
5669 conn->resp_addr_type = bdaddr_type;
5670 bacpy(&conn->resp_addr, bdaddr);
5672 /* Check if the controller has set a Local RPA then it must be
5673 * used instead or hdev->rpa.
5675 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5676 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5677 bacpy(&conn->init_addr, local_rpa);
5678 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5679 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5680 bacpy(&conn->init_addr, &conn->hdev->rpa);
5682 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5683 &conn->init_addr_type);
5686 conn->resp_addr_type = conn->hdev->adv_addr_type;
5687 /* Check if the controller has set a Local RPA then it must be
5688 * used instead or hdev->rpa.
5690 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5691 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5692 bacpy(&conn->resp_addr, local_rpa);
5693 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5694 /* In case of ext adv, resp_addr will be updated in
5695 * Adv Terminated event.
5697 if (!ext_adv_capable(conn->hdev))
5698 bacpy(&conn->resp_addr,
5699 &conn->hdev->random_addr);
5701 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5704 conn->init_addr_type = bdaddr_type;
5705 bacpy(&conn->init_addr, bdaddr);
5707 /* For incoming connections, set the default minimum
5708 * and maximum connection interval. They will be used
5709 * to check if the parameters are in range and if not
5710 * trigger the connection update procedure.
5712 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5713 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5717 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5718 bdaddr_t *bdaddr, u8 bdaddr_type,
5719 bdaddr_t *local_rpa, u8 role, u16 handle,
5720 u16 interval, u16 latency,
5721 u16 supervision_timeout)
5723 struct hci_conn_params *params;
5724 struct hci_conn *conn;
5725 struct smp_irk *irk;
5730 /* All controllers implicitly stop advertising in the event of a
5731 * connection, so ensure that the state bit is cleared.
5733 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5735 conn = hci_lookup_le_connect(hdev);
5737 /* In case of error status and there is no connection pending
5738 * just unlock as there is nothing to cleanup.
5743 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5745 bt_dev_err(hdev, "no memory for new connection");
5749 conn->dst_type = bdaddr_type;
5751 /* If we didn't have a hci_conn object previously
5752 * but we're in central role this must be something
5753 * initiated using an accept list. Since accept list based
5754 * connections are not "first class citizens" we don't
5755 * have full tracking of them. Therefore, we go ahead
5756 * with a "best effort" approach of determining the
5757 * initiator address based on the HCI_PRIVACY flag.
5760 conn->resp_addr_type = bdaddr_type;
5761 bacpy(&conn->resp_addr, bdaddr);
5762 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5763 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5764 bacpy(&conn->init_addr, &hdev->rpa);
5766 hci_copy_identity_address(hdev,
5768 &conn->init_addr_type);
5772 cancel_delayed_work(&conn->le_conn_timeout);
5775 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5776 * Processing it more than once per connection can corrupt kernel memory.
5778 * As the connection handle is set here for the first time, it indicates
5779 * whether the connection is already set up.
5781 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
5782 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5786 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5788 /* Lookup the identity address from the stored connection
5789 * address and address type.
5791 * When establishing connections to an identity address, the
5792 * connection procedure will store the resolvable random
5793 * address first. Now if it can be converted back into the
5794 * identity address, start using the identity address from
5797 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5799 bacpy(&conn->dst, &irk->bdaddr);
5800 conn->dst_type = irk->addr_type;
5803 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5805 if (handle > HCI_CONN_HANDLE_MAX) {
5806 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", handle,
5807 HCI_CONN_HANDLE_MAX);
5808 status = HCI_ERROR_INVALID_PARAMETERS;
5811 /* All connection failure handling is taken care of by the
5812 * hci_conn_failed function which is triggered by the HCI
5813 * request completion callbacks used for connecting.
5818 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5819 addr_type = BDADDR_LE_PUBLIC;
5821 addr_type = BDADDR_LE_RANDOM;
5823 /* Drop the connection if the device is blocked */
5824 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5825 hci_conn_drop(conn);
5829 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5830 mgmt_device_connected(hdev, conn, NULL, 0);
5832 conn->sec_level = BT_SECURITY_LOW;
5833 conn->handle = handle;
5834 conn->state = BT_CONFIG;
5836 /* Store current advertising instance as connection advertising instance
5837 * when sotfware rotation is in use so it can be re-enabled when
5840 if (!ext_adv_capable(hdev))
5841 conn->adv_instance = hdev->cur_adv_instance;
5843 conn->le_conn_interval = interval;
5844 conn->le_conn_latency = latency;
5845 conn->le_supv_timeout = supervision_timeout;
5847 hci_debugfs_create_conn(conn);
5848 hci_conn_add_sysfs(conn);
5850 /* The remote features procedure is defined for central
5851 * role only. So only in case of an initiated connection
5852 * request the remote features.
5854 * If the local controller supports peripheral-initiated features
5855 * exchange, then requesting the remote features in peripheral
5856 * role is possible. Otherwise just transition into the
5857 * connected state without requesting the remote features.
5860 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5861 struct hci_cp_le_read_remote_features cp;
5863 cp.handle = __cpu_to_le16(conn->handle);
5865 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5868 hci_conn_hold(conn);
5870 conn->state = BT_CONNECTED;
5871 hci_connect_cfm(conn, status);
5874 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5877 list_del_init(¶ms->action);
5879 hci_conn_drop(params->conn);
5880 hci_conn_put(params->conn);
5881 params->conn = NULL;
5886 hci_update_passive_scan(hdev);
5887 hci_dev_unlock(hdev);
5890 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5891 struct sk_buff *skb)
5893 struct hci_ev_le_conn_complete *ev = data;
5895 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5897 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5898 NULL, ev->role, le16_to_cpu(ev->handle),
5899 le16_to_cpu(ev->interval),
5900 le16_to_cpu(ev->latency),
5901 le16_to_cpu(ev->supervision_timeout));
5904 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5905 struct sk_buff *skb)
5907 struct hci_ev_le_enh_conn_complete *ev = data;
5909 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5911 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5912 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5913 le16_to_cpu(ev->interval),
5914 le16_to_cpu(ev->latency),
5915 le16_to_cpu(ev->supervision_timeout));
5918 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5919 struct sk_buff *skb)
5921 struct hci_evt_le_ext_adv_set_term *ev = data;
5922 struct hci_conn *conn;
5923 struct adv_info *adv, *n;
5925 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5927 /* The Bluetooth Core 5.3 specification clearly states that this event
5928 * shall not be sent when the Host disables the advertising set. So in
5929 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
5931 * When the Host disables an advertising set, all cleanup is done via
5932 * its command callback and not needed to be duplicated here.
5934 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
5935 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
5941 adv = hci_find_adv_instance(hdev, ev->handle);
5947 /* Remove advertising as it has been terminated */
5948 hci_remove_adv_instance(hdev, ev->handle);
5949 mgmt_advertising_removed(NULL, hdev, ev->handle);
5951 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
5956 /* We are no longer advertising, clear HCI_LE_ADV */
5957 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5962 adv->enabled = false;
5964 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5966 /* Store handle in the connection so the correct advertising
5967 * instance can be re-enabled when disconnected.
5969 conn->adv_instance = ev->handle;
5971 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5972 bacmp(&conn->resp_addr, BDADDR_ANY))
5976 bacpy(&conn->resp_addr, &hdev->random_addr);
5981 bacpy(&conn->resp_addr, &adv->random_addr);
5985 hci_dev_unlock(hdev);
5988 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
5989 struct sk_buff *skb)
5991 struct hci_ev_le_conn_update_complete *ev = data;
5992 struct hci_conn *conn;
5994 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6001 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6003 conn->le_conn_interval = le16_to_cpu(ev->interval);
6004 conn->le_conn_latency = le16_to_cpu(ev->latency);
6005 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6008 hci_dev_unlock(hdev);
6011 /* This function requires the caller holds hdev->lock */
6012 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6014 u8 addr_type, bool addr_resolved,
6017 struct hci_conn *conn;
6018 struct hci_conn_params *params;
6020 /* If the event is not connectable don't proceed further */
6021 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6024 /* Ignore if the device is blocked or hdev is suspended */
6025 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6029 /* Most controller will fail if we try to create new connections
6030 * while we have an existing one in peripheral role.
6032 if (hdev->conn_hash.le_num_peripheral > 0 &&
6033 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6034 !(hdev->le_states[3] & 0x10)))
6037 /* If we're not connectable only connect devices that we have in
6038 * our pend_le_conns list.
6040 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6045 if (!params->explicit_connect) {
6046 switch (params->auto_connect) {
6047 case HCI_AUTO_CONN_DIRECT:
6048 /* Only devices advertising with ADV_DIRECT_IND are
6049 * triggering a connection attempt. This is allowing
6050 * incoming connections from peripheral devices.
6052 if (adv_type != LE_ADV_DIRECT_IND)
6055 case HCI_AUTO_CONN_ALWAYS:
6056 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6057 * are triggering a connection attempt. This means
6058 * that incoming connections from peripheral device are
6059 * accepted and also outgoing connections to peripheral
6060 * devices are established when found.
6068 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6069 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6071 if (!IS_ERR(conn)) {
6072 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6073 * by higher layer that tried to connect, if no then
6074 * store the pointer since we don't really have any
6075 * other owner of the object besides the params that
6076 * triggered it. This way we can abort the connection if
6077 * the parameters get removed and keep the reference
6078 * count consistent once the connection is established.
6081 if (!params->explicit_connect)
6082 params->conn = hci_conn_get(conn);
6087 switch (PTR_ERR(conn)) {
6089 /* If hci_connect() returns -EBUSY it means there is already
6090 * an LE connection attempt going on. Since controllers don't
6091 * support more than one connection attempt at the time, we
6092 * don't consider this an error case.
6096 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6103 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6104 u8 bdaddr_type, bdaddr_t *direct_addr,
6105 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6108 struct discovery_state *d = &hdev->discovery;
6109 struct smp_irk *irk;
6110 struct hci_conn *conn;
6111 bool match, bdaddr_resolved;
6117 case LE_ADV_DIRECT_IND:
6118 case LE_ADV_SCAN_IND:
6119 case LE_ADV_NONCONN_IND:
6120 case LE_ADV_SCAN_RSP:
6123 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6124 "type: 0x%02x", type);
6128 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
6129 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
6133 /* Find the end of the data in case the report contains padded zero
6134 * bytes at the end causing an invalid length value.
6136 * When data is NULL, len is 0 so there is no need for extra ptr
6137 * check as 'ptr < data + 0' is already false in such case.
6139 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6140 if (ptr + 1 + *ptr > data + len)
6144 /* Adjust for actual length. This handles the case when remote
6145 * device is advertising with incorrect data length.
6149 /* If the direct address is present, then this report is from
6150 * a LE Direct Advertising Report event. In that case it is
6151 * important to see if the address is matching the local
6152 * controller address.
6155 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6158 /* Only resolvable random addresses are valid for these
6159 * kind of reports and others can be ignored.
6161 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6164 /* If the controller is not using resolvable random
6165 * addresses, then this report can be ignored.
6167 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6170 /* If the local IRK of the controller does not match
6171 * with the resolvable random address provided, then
6172 * this report can be ignored.
6174 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6178 /* Check if we need to convert to identity address */
6179 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6181 bdaddr = &irk->bdaddr;
6182 bdaddr_type = irk->addr_type;
6185 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6187 /* Check if we have been requested to connect to this device.
6189 * direct_addr is set only for directed advertising reports (it is NULL
6190 * for advertising reports) and is already verified to be RPA above.
6192 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6194 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
6195 /* Store report for later inclusion by
6196 * mgmt_device_connected
6198 memcpy(conn->le_adv_data, data, len);
6199 conn->le_adv_data_len = len;
6202 /* Passive scanning shouldn't trigger any device found events,
6203 * except for devices marked as CONN_REPORT for which we do send
6204 * device found events, or advertisement monitoring requested.
6206 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6207 if (type == LE_ADV_DIRECT_IND)
6210 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6211 bdaddr, bdaddr_type) &&
6212 idr_is_empty(&hdev->adv_monitors_idr))
6215 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6216 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6219 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6220 rssi, flags, data, len, NULL, 0);
6224 /* When receiving non-connectable or scannable undirected
6225 * advertising reports, this means that the remote device is
6226 * not connectable and then clearly indicate this in the
6227 * device found event.
6229 * When receiving a scan response, then there is no way to
6230 * know if the remote device is connectable or not. However
6231 * since scan responses are merged with a previously seen
6232 * advertising report, the flags field from that report
6235 * In the really unlikely case that a controller get confused
6236 * and just sends a scan response event, then it is marked as
6237 * not connectable as well.
6239 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
6240 type == LE_ADV_SCAN_RSP)
6241 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6245 /* If there's nothing pending either store the data from this
6246 * event or send an immediate device found event if the data
6247 * should not be stored for later.
6249 if (!ext_adv && !has_pending_adv_report(hdev)) {
6250 /* If the report will trigger a SCAN_REQ store it for
6253 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6254 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6255 rssi, flags, data, len);
6259 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6260 rssi, flags, data, len, NULL, 0);
6264 /* Check if the pending report is for the same device as the new one */
6265 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6266 bdaddr_type == d->last_adv_addr_type);
6268 /* If the pending data doesn't match this report or this isn't a
6269 * scan response (e.g. we got a duplicate ADV_IND) then force
6270 * sending of the pending data.
6272 if (type != LE_ADV_SCAN_RSP || !match) {
6273 /* Send out whatever is in the cache, but skip duplicates */
6275 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6276 d->last_adv_addr_type, NULL,
6277 d->last_adv_rssi, d->last_adv_flags,
6279 d->last_adv_data_len, NULL, 0);
6281 /* If the new report will trigger a SCAN_REQ store it for
6284 if (!ext_adv && (type == LE_ADV_IND ||
6285 type == LE_ADV_SCAN_IND)) {
6286 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6287 rssi, flags, data, len);
6291 /* The advertising reports cannot be merged, so clear
6292 * the pending report and send out a device found event.
6294 clear_pending_adv_report(hdev);
6295 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6296 rssi, flags, data, len, NULL, 0);
6300 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6301 * the new event is a SCAN_RSP. We can therefore proceed with
6302 * sending a merged device found event.
6304 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6305 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6306 d->last_adv_data, d->last_adv_data_len, data, len);
6307 clear_pending_adv_report(hdev);
6310 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6311 struct sk_buff *skb)
6313 struct hci_ev_le_advertising_report *ev = data;
6321 struct hci_ev_le_advertising_info *info;
6324 info = hci_le_ev_skb_pull(hdev, skb,
6325 HCI_EV_LE_ADVERTISING_REPORT,
6330 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6334 if (info->length <= HCI_MAX_AD_LENGTH) {
6335 rssi = info->data[info->length];
6336 process_adv_report(hdev, info->type, &info->bdaddr,
6337 info->bdaddr_type, NULL, 0, rssi,
6338 info->data, info->length, false);
6340 bt_dev_err(hdev, "Dropping invalid advertising data");
6344 hci_dev_unlock(hdev);
6347 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6349 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6351 case LE_LEGACY_ADV_IND:
6353 case LE_LEGACY_ADV_DIRECT_IND:
6354 return LE_ADV_DIRECT_IND;
6355 case LE_LEGACY_ADV_SCAN_IND:
6356 return LE_ADV_SCAN_IND;
6357 case LE_LEGACY_NONCONN_IND:
6358 return LE_ADV_NONCONN_IND;
6359 case LE_LEGACY_SCAN_RSP_ADV:
6360 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6361 return LE_ADV_SCAN_RSP;
6367 if (evt_type & LE_EXT_ADV_CONN_IND) {
6368 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6369 return LE_ADV_DIRECT_IND;
6374 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6375 return LE_ADV_SCAN_RSP;
6377 if (evt_type & LE_EXT_ADV_SCAN_IND)
6378 return LE_ADV_SCAN_IND;
6380 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6381 evt_type & LE_EXT_ADV_DIRECT_IND)
6382 return LE_ADV_NONCONN_IND;
6385 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6388 return LE_ADV_INVALID;
6391 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6392 struct sk_buff *skb)
6394 struct hci_ev_le_ext_adv_report *ev = data;
6402 struct hci_ev_le_ext_adv_info *info;
6406 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6411 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6415 evt_type = __le16_to_cpu(info->type);
6416 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6417 if (legacy_evt_type != LE_ADV_INVALID) {
6418 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6419 info->bdaddr_type, NULL, 0,
6420 info->rssi, info->data, info->length,
6421 !(evt_type & LE_EXT_ADV_LEGACY_PDU));
6425 hci_dev_unlock(hdev);
6428 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6429 struct sk_buff *skb)
6431 struct hci_ev_le_remote_feat_complete *ev = data;
6432 struct hci_conn *conn;
6434 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6438 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6441 memcpy(conn->features[0], ev->features, 8);
6443 if (conn->state == BT_CONFIG) {
6446 /* If the local controller supports peripheral-initiated
6447 * features exchange, but the remote controller does
6448 * not, then it is possible that the error code 0x1a
6449 * for unsupported remote feature gets returned.
6451 * In this specific case, allow the connection to
6452 * transition into connected state and mark it as
6455 if (!conn->out && ev->status == 0x1a &&
6456 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6459 status = ev->status;
6461 conn->state = BT_CONNECTED;
6462 hci_connect_cfm(conn, status);
6463 hci_conn_drop(conn);
6467 hci_dev_unlock(hdev);
6470 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6471 struct sk_buff *skb)
6473 struct hci_ev_le_ltk_req *ev = data;
6474 struct hci_cp_le_ltk_reply cp;
6475 struct hci_cp_le_ltk_neg_reply neg;
6476 struct hci_conn *conn;
6477 struct smp_ltk *ltk;
6479 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6483 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6487 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6491 if (smp_ltk_is_sc(ltk)) {
6492 /* With SC both EDiv and Rand are set to zero */
6493 if (ev->ediv || ev->rand)
6496 /* For non-SC keys check that EDiv and Rand match */
6497 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6501 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6502 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6503 cp.handle = cpu_to_le16(conn->handle);
6505 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6507 conn->enc_key_size = ltk->enc_size;
6509 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6511 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6512 * temporary key used to encrypt a connection following
6513 * pairing. It is used during the Encrypted Session Setup to
6514 * distribute the keys. Later, security can be re-established
6515 * using a distributed LTK.
6517 if (ltk->type == SMP_STK) {
6518 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6519 list_del_rcu(<k->list);
6520 kfree_rcu(ltk, rcu);
6522 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6525 hci_dev_unlock(hdev);
6530 neg.handle = ev->handle;
6531 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6532 hci_dev_unlock(hdev);
6535 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6538 struct hci_cp_le_conn_param_req_neg_reply cp;
6540 cp.handle = cpu_to_le16(handle);
6543 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6547 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6548 struct sk_buff *skb)
6550 struct hci_ev_le_remote_conn_param_req *ev = data;
6551 struct hci_cp_le_conn_param_req_reply cp;
6552 struct hci_conn *hcon;
6553 u16 handle, min, max, latency, timeout;
6555 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6557 handle = le16_to_cpu(ev->handle);
6558 min = le16_to_cpu(ev->interval_min);
6559 max = le16_to_cpu(ev->interval_max);
6560 latency = le16_to_cpu(ev->latency);
6561 timeout = le16_to_cpu(ev->timeout);
6563 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6564 if (!hcon || hcon->state != BT_CONNECTED)
6565 return send_conn_param_neg_reply(hdev, handle,
6566 HCI_ERROR_UNKNOWN_CONN_ID);
6568 if (hci_check_conn_params(min, max, latency, timeout))
6569 return send_conn_param_neg_reply(hdev, handle,
6570 HCI_ERROR_INVALID_LL_PARAMS);
6572 if (hcon->role == HCI_ROLE_MASTER) {
6573 struct hci_conn_params *params;
6578 params = hci_conn_params_lookup(hdev, &hcon->dst,
6581 params->conn_min_interval = min;
6582 params->conn_max_interval = max;
6583 params->conn_latency = latency;
6584 params->supervision_timeout = timeout;
6590 hci_dev_unlock(hdev);
6592 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6593 store_hint, min, max, latency, timeout);
6596 cp.handle = ev->handle;
6597 cp.interval_min = ev->interval_min;
6598 cp.interval_max = ev->interval_max;
6599 cp.latency = ev->latency;
6600 cp.timeout = ev->timeout;
6604 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6607 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6608 struct sk_buff *skb)
6610 struct hci_ev_le_direct_adv_report *ev = data;
6613 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6614 flex_array_size(ev, info, ev->num)))
6622 for (i = 0; i < ev->num; i++) {
6623 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6625 process_adv_report(hdev, info->type, &info->bdaddr,
6626 info->bdaddr_type, &info->direct_addr,
6627 info->direct_addr_type, info->rssi, NULL, 0,
6631 hci_dev_unlock(hdev);
6634 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6635 struct sk_buff *skb)
6637 struct hci_ev_le_phy_update_complete *ev = data;
6638 struct hci_conn *conn;
6640 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6647 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6651 conn->le_tx_phy = ev->tx_phy;
6652 conn->le_rx_phy = ev->rx_phy;
6655 hci_dev_unlock(hdev);
6658 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6659 struct sk_buff *skb)
6661 struct hci_evt_le_cis_established *ev = data;
6662 struct hci_conn *conn;
6663 u16 handle = __le16_to_cpu(ev->handle);
6665 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6669 conn = hci_conn_hash_lookup_handle(hdev, handle);
6672 "Unable to find connection with handle 0x%4.4x",
6677 if (conn->role == HCI_ROLE_SLAVE) {
6680 memset(&interval, 0, sizeof(interval));
6682 memcpy(&interval, ev->c_latency, sizeof(ev->c_latency));
6683 conn->iso_qos.in.interval = le32_to_cpu(interval);
6684 memcpy(&interval, ev->p_latency, sizeof(ev->p_latency));
6685 conn->iso_qos.out.interval = le32_to_cpu(interval);
6686 conn->iso_qos.in.latency = le16_to_cpu(ev->interval);
6687 conn->iso_qos.out.latency = le16_to_cpu(ev->interval);
6688 conn->iso_qos.in.sdu = le16_to_cpu(ev->c_mtu);
6689 conn->iso_qos.out.sdu = le16_to_cpu(ev->p_mtu);
6690 conn->iso_qos.in.phy = ev->c_phy;
6691 conn->iso_qos.out.phy = ev->p_phy;
6695 conn->state = BT_CONNECTED;
6696 hci_debugfs_create_conn(conn);
6697 hci_conn_add_sysfs(conn);
6698 hci_iso_setup_path(conn);
6702 hci_connect_cfm(conn, ev->status);
6706 hci_dev_unlock(hdev);
6709 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6711 struct hci_cp_le_reject_cis cp;
6713 memset(&cp, 0, sizeof(cp));
6715 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6716 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6719 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6721 struct hci_cp_le_accept_cis cp;
6723 memset(&cp, 0, sizeof(cp));
6725 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6728 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6729 struct sk_buff *skb)
6731 struct hci_evt_le_cis_req *ev = data;
6732 u16 acl_handle, cis_handle;
6733 struct hci_conn *acl, *cis;
6737 acl_handle = __le16_to_cpu(ev->acl_handle);
6738 cis_handle = __le16_to_cpu(ev->cis_handle);
6740 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6741 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6745 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6749 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
6750 if (!(mask & HCI_LM_ACCEPT)) {
6751 hci_le_reject_cis(hdev, ev->cis_handle);
6755 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6757 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE);
6759 hci_le_reject_cis(hdev, ev->cis_handle);
6762 cis->handle = cis_handle;
6765 cis->iso_qos.cig = ev->cig_id;
6766 cis->iso_qos.cis = ev->cis_id;
6768 if (!(flags & HCI_PROTO_DEFER)) {
6769 hci_le_accept_cis(hdev, ev->cis_handle);
6771 cis->state = BT_CONNECT2;
6772 hci_connect_cfm(cis, 0);
6776 hci_dev_unlock(hdev);
6779 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
6782 .min_len = _min_len, \
6783 .max_len = _max_len, \
6786 #define HCI_LE_EV(_op, _func, _len) \
6787 HCI_LE_EV_VL(_op, _func, _len, _len)
6789 #define HCI_LE_EV_STATUS(_op, _func) \
6790 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
6792 /* Entries in this table shall have their position according to the subevent
6793 * opcode they handle so the use of the macros above is recommend since it does
6794 * attempt to initialize at its proper index using Designated Initializers that
6795 * way events without a callback function can be ommited.
6797 static const struct hci_le_ev {
6798 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
6801 } hci_le_ev_table[U8_MAX + 1] = {
6802 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
6803 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
6804 sizeof(struct hci_ev_le_conn_complete)),
6805 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
6806 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
6807 sizeof(struct hci_ev_le_advertising_report),
6808 HCI_MAX_EVENT_SIZE),
6809 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
6810 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
6811 hci_le_conn_update_complete_evt,
6812 sizeof(struct hci_ev_le_conn_update_complete)),
6813 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
6814 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
6815 hci_le_remote_feat_complete_evt,
6816 sizeof(struct hci_ev_le_remote_feat_complete)),
6817 /* [0x05 = HCI_EV_LE_LTK_REQ] */
6818 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
6819 sizeof(struct hci_ev_le_ltk_req)),
6820 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
6821 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
6822 hci_le_remote_conn_param_req_evt,
6823 sizeof(struct hci_ev_le_remote_conn_param_req)),
6824 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
6825 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
6826 hci_le_enh_conn_complete_evt,
6827 sizeof(struct hci_ev_le_enh_conn_complete)),
6828 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
6829 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
6830 sizeof(struct hci_ev_le_direct_adv_report),
6831 HCI_MAX_EVENT_SIZE),
6832 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
6833 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
6834 sizeof(struct hci_ev_le_phy_update_complete)),
6835 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
6836 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
6837 sizeof(struct hci_ev_le_ext_adv_report),
6838 HCI_MAX_EVENT_SIZE),
6839 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
6840 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
6841 sizeof(struct hci_evt_le_ext_adv_set_term)),
6842 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
6843 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
6844 sizeof(struct hci_evt_le_cis_established)),
6845 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
6846 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
6847 sizeof(struct hci_evt_le_cis_req)),
6850 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
6851 struct sk_buff *skb, u16 *opcode, u8 *status,
6852 hci_req_complete_t *req_complete,
6853 hci_req_complete_skb_t *req_complete_skb)
6855 struct hci_ev_le_meta *ev = data;
6856 const struct hci_le_ev *subev;
6858 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
6860 /* Only match event if command OGF is for LE */
6861 if (hdev->sent_cmd &&
6862 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
6863 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
6864 *opcode = hci_skb_opcode(hdev->sent_cmd);
6865 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
6869 subev = &hci_le_ev_table[ev->subevent];
6873 if (skb->len < subev->min_len) {
6874 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
6875 ev->subevent, skb->len, subev->min_len);
6879 /* Just warn if the length is over max_len size it still be
6880 * possible to partially parse the event so leave to callback to
6881 * decide if that is acceptable.
6883 if (skb->len > subev->max_len)
6884 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
6885 ev->subevent, skb->len, subev->max_len);
6886 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
6890 subev->func(hdev, data, skb);
6893 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
6894 u8 event, struct sk_buff *skb)
6896 struct hci_ev_cmd_complete *ev;
6897 struct hci_event_hdr *hdr;
6902 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
6907 if (hdr->evt != event)
6912 /* Check if request ended in Command Status - no way to retrieve
6913 * any extra parameters in this case.
6915 if (hdr->evt == HCI_EV_CMD_STATUS)
6918 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
6919 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
6924 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
6928 if (opcode != __le16_to_cpu(ev->opcode)) {
6929 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
6930 __le16_to_cpu(ev->opcode));
6937 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
6938 struct sk_buff *skb)
6940 struct hci_ev_le_advertising_info *adv;
6941 struct hci_ev_le_direct_adv_info *direct_adv;
6942 struct hci_ev_le_ext_adv_info *ext_adv;
6943 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
6944 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
6948 /* If we are currently suspended and this is the first BT event seen,
6949 * save the wake reason associated with the event.
6951 if (!hdev->suspended || hdev->wake_reason)
6954 /* Default to remote wake. Values for wake_reason are documented in the
6955 * Bluez mgmt api docs.
6957 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
6959 /* Once configured for remote wakeup, we should only wake up for
6960 * reconnections. It's useful to see which device is waking us up so
6961 * keep track of the bdaddr of the connection event that woke us up.
6963 if (event == HCI_EV_CONN_REQUEST) {
6964 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
6965 hdev->wake_addr_type = BDADDR_BREDR;
6966 } else if (event == HCI_EV_CONN_COMPLETE) {
6967 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
6968 hdev->wake_addr_type = BDADDR_BREDR;
6969 } else if (event == HCI_EV_LE_META) {
6970 struct hci_ev_le_meta *le_ev = (void *)skb->data;
6971 u8 subevent = le_ev->subevent;
6972 u8 *ptr = &skb->data[sizeof(*le_ev)];
6973 u8 num_reports = *ptr;
6975 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
6976 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
6977 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
6979 adv = (void *)(ptr + 1);
6980 direct_adv = (void *)(ptr + 1);
6981 ext_adv = (void *)(ptr + 1);
6984 case HCI_EV_LE_ADVERTISING_REPORT:
6985 bacpy(&hdev->wake_addr, &adv->bdaddr);
6986 hdev->wake_addr_type = adv->bdaddr_type;
6988 case HCI_EV_LE_DIRECT_ADV_REPORT:
6989 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
6990 hdev->wake_addr_type = direct_adv->bdaddr_type;
6992 case HCI_EV_LE_EXT_ADV_REPORT:
6993 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
6994 hdev->wake_addr_type = ext_adv->bdaddr_type;
6999 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7003 hci_dev_unlock(hdev);
7006 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7010 .min_len = _min_len, \
7011 .max_len = _max_len, \
7014 #define HCI_EV(_op, _func, _len) \
7015 HCI_EV_VL(_op, _func, _len, _len)
7017 #define HCI_EV_STATUS(_op, _func) \
7018 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7020 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7023 .func_req = _func, \
7024 .min_len = _min_len, \
7025 .max_len = _max_len, \
7028 #define HCI_EV_REQ(_op, _func, _len) \
7029 HCI_EV_REQ_VL(_op, _func, _len, _len)
7031 /* Entries in this table shall have their position according to the event opcode
7032 * they handle so the use of the macros above is recommend since it does attempt
7033 * to initialize at its proper index using Designated Initializers that way
7034 * events without a callback function don't have entered.
7036 static const struct hci_ev {
7039 void (*func)(struct hci_dev *hdev, void *data,
7040 struct sk_buff *skb);
7041 void (*func_req)(struct hci_dev *hdev, void *data,
7042 struct sk_buff *skb, u16 *opcode, u8 *status,
7043 hci_req_complete_t *req_complete,
7044 hci_req_complete_skb_t *req_complete_skb);
7048 } hci_ev_table[U8_MAX + 1] = {
7049 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7050 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7051 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7052 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7053 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7054 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7055 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7056 sizeof(struct hci_ev_conn_complete)),
7057 /* [0x04 = HCI_EV_CONN_REQUEST] */
7058 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7059 sizeof(struct hci_ev_conn_request)),
7060 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7061 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7062 sizeof(struct hci_ev_disconn_complete)),
7063 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7064 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7065 sizeof(struct hci_ev_auth_complete)),
7066 /* [0x07 = HCI_EV_REMOTE_NAME] */
7067 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7068 sizeof(struct hci_ev_remote_name)),
7069 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7070 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7071 sizeof(struct hci_ev_encrypt_change)),
7072 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7073 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7074 hci_change_link_key_complete_evt,
7075 sizeof(struct hci_ev_change_link_key_complete)),
7076 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7077 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7078 sizeof(struct hci_ev_remote_features)),
7079 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7080 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7081 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7082 /* [0x0f = HCI_EV_CMD_STATUS] */
7083 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7084 sizeof(struct hci_ev_cmd_status)),
7085 /* [0x10 = HCI_EV_CMD_STATUS] */
7086 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7087 sizeof(struct hci_ev_hardware_error)),
7088 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7089 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7090 sizeof(struct hci_ev_role_change)),
7091 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7092 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7093 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7094 /* [0x14 = HCI_EV_MODE_CHANGE] */
7095 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7096 sizeof(struct hci_ev_mode_change)),
7097 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7098 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7099 sizeof(struct hci_ev_pin_code_req)),
7100 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7101 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7102 sizeof(struct hci_ev_link_key_req)),
7103 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7104 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7105 sizeof(struct hci_ev_link_key_notify)),
7106 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7107 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7108 sizeof(struct hci_ev_clock_offset)),
7109 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7110 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7111 sizeof(struct hci_ev_pkt_type_change)),
7112 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7113 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7114 sizeof(struct hci_ev_pscan_rep_mode)),
7115 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7116 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7117 hci_inquiry_result_with_rssi_evt,
7118 sizeof(struct hci_ev_inquiry_result_rssi),
7119 HCI_MAX_EVENT_SIZE),
7120 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7121 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7122 sizeof(struct hci_ev_remote_ext_features)),
7123 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7124 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7125 sizeof(struct hci_ev_sync_conn_complete)),
7126 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7127 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7128 hci_extended_inquiry_result_evt,
7129 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7130 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7131 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7132 sizeof(struct hci_ev_key_refresh_complete)),
7133 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7134 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7135 sizeof(struct hci_ev_io_capa_request)),
7136 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7137 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7138 sizeof(struct hci_ev_io_capa_reply)),
7139 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7140 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7141 sizeof(struct hci_ev_user_confirm_req)),
7142 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7143 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7144 sizeof(struct hci_ev_user_passkey_req)),
7145 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7146 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7147 sizeof(struct hci_ev_remote_oob_data_request)),
7148 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7149 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7150 sizeof(struct hci_ev_simple_pair_complete)),
7151 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7152 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7153 sizeof(struct hci_ev_user_passkey_notify)),
7154 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7155 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7156 sizeof(struct hci_ev_keypress_notify)),
7157 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7158 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7159 sizeof(struct hci_ev_remote_host_features)),
7160 /* [0x3e = HCI_EV_LE_META] */
7161 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7162 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7163 #if IS_ENABLED(CONFIG_BT_HS)
7164 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7165 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7166 sizeof(struct hci_ev_phy_link_complete)),
7167 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7168 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7169 sizeof(struct hci_ev_channel_selected)),
7170 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7171 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7172 hci_disconn_loglink_complete_evt,
7173 sizeof(struct hci_ev_disconn_logical_link_complete)),
7174 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7175 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7176 sizeof(struct hci_ev_logical_link_complete)),
7177 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7178 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7179 hci_disconn_phylink_complete_evt,
7180 sizeof(struct hci_ev_disconn_phy_link_complete)),
7182 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7183 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7184 sizeof(struct hci_ev_num_comp_blocks)),
7185 /* [0xff = HCI_EV_VENDOR] */
7186 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7189 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7190 u16 *opcode, u8 *status,
7191 hci_req_complete_t *req_complete,
7192 hci_req_complete_skb_t *req_complete_skb)
7194 const struct hci_ev *ev = &hci_ev_table[event];
7200 if (skb->len < ev->min_len) {
7201 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7202 event, skb->len, ev->min_len);
7206 /* Just warn if the length is over max_len size it still be
7207 * possible to partially parse the event so leave to callback to
7208 * decide if that is acceptable.
7210 if (skb->len > ev->max_len)
7211 bt_dev_warn_ratelimited(hdev,
7212 "unexpected event 0x%2.2x length: %u > %u",
7213 event, skb->len, ev->max_len);
7215 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7220 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7223 ev->func(hdev, data, skb);
7226 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7228 struct hci_event_hdr *hdr = (void *) skb->data;
7229 hci_req_complete_t req_complete = NULL;
7230 hci_req_complete_skb_t req_complete_skb = NULL;
7231 struct sk_buff *orig_skb = NULL;
7232 u8 status = 0, event, req_evt = 0;
7233 u16 opcode = HCI_OP_NOP;
7235 if (skb->len < sizeof(*hdr)) {
7236 bt_dev_err(hdev, "Malformed HCI Event");
7240 kfree_skb(hdev->recv_event);
7241 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7245 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7250 /* Only match event if command OGF is not for LE */
7251 if (hdev->sent_cmd &&
7252 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7253 hci_skb_event(hdev->sent_cmd) == event) {
7254 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7255 status, &req_complete, &req_complete_skb);
7259 /* If it looks like we might end up having to call
7260 * req_complete_skb, store a pristine copy of the skb since the
7261 * various handlers may modify the original one through
7262 * skb_pull() calls, etc.
7264 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7265 event == HCI_EV_CMD_COMPLETE)
7266 orig_skb = skb_clone(skb, GFP_KERNEL);
7268 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7270 /* Store wake reason if we're suspended */
7271 hci_store_wake_reason(hdev, event, skb);
7273 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7275 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7279 req_complete(hdev, status, opcode);
7280 } else if (req_complete_skb) {
7281 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7282 kfree_skb(orig_skb);
7285 req_complete_skb(hdev, status, opcode, orig_skb);
7289 kfree_skb(orig_skb);
7291 hdev->stat.evt_rx++;