2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
41 "\x00\x00\x00\x00\x00\x00\x00\x00"
43 /* Handle HCI Event packets */
45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
48 __u8 status = *((__u8 *) skb->data);
50 BT_DBG("%s status 0x%2.2x", hdev->name, status);
52 /* It is possible that we receive Inquiry Complete event right
53 * before we receive Inquiry Cancel Command Complete event, in
54 * which case the latter event should have status of Command
55 * Disallowed (0x0c). This should not be treated as error, since
56 * we actually achieve what Inquiry Cancel wants to achieve,
57 * which is to end the last Inquiry session.
59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
69 clear_bit(HCI_INQUIRY, &hdev->flags);
70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
71 wake_up_bit(&hdev->flags, HCI_INQUIRY);
74 /* Set discovery state to stopped if we're not doing LE active
77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
78 hdev->le_scan_type != LE_SCAN_ACTIVE)
79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
82 hci_conn_check_pending(hdev);
85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
87 __u8 status = *((__u8 *) skb->data);
89 BT_DBG("%s status 0x%2.2x", hdev->name, status);
94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
99 __u8 status = *((__u8 *) skb->data);
101 BT_DBG("%s status 0x%2.2x", hdev->name, status);
106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
108 hci_conn_check_pending(hdev);
111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
114 BT_DBG("%s", hdev->name);
117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
119 struct hci_rp_role_discovery *rp = (void *) skb->data;
120 struct hci_conn *conn;
122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
131 conn->role = rp->role;
133 hci_dev_unlock(hdev);
136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
138 struct hci_rp_read_link_policy *rp = (void *) skb->data;
139 struct hci_conn *conn;
141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
150 conn->link_policy = __le16_to_cpu(rp->policy);
152 hci_dev_unlock(hdev);
155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
157 struct hci_rp_write_link_policy *rp = (void *) skb->data;
158 struct hci_conn *conn;
161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
174 conn->link_policy = get_unaligned_le16(sent + 2);
176 hci_dev_unlock(hdev);
179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
189 hdev->link_policy = __le16_to_cpu(rp->policy);
192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
195 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
207 hdev->link_policy = get_unaligned_le16(sent);
210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
212 __u8 status = *((__u8 *) skb->data);
214 BT_DBG("%s status 0x%2.2x", hdev->name, status);
216 clear_bit(HCI_RESET, &hdev->flags);
221 /* Reset all non-persistent flags */
222 hci_dev_clear_volatile_flags(hdev);
224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
226 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
227 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
230 hdev->adv_data_len = 0;
232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
233 hdev->scan_rsp_data_len = 0;
235 hdev->le_scan_type = LE_SCAN_PASSIVE;
237 hdev->ssp_debug_mode = 0;
239 hci_bdaddr_list_clear(&hdev->le_white_list);
240 hci_bdaddr_list_clear(&hdev->le_resolv_list);
243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
247 struct hci_cp_read_stored_link_key *sent;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
255 if (!rp->status && sent->read_all == 0x01) {
256 hdev->stored_max_keys = rp->max_keys;
257 hdev->stored_num_keys = rp->num_keys;
261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
271 if (rp->num_keys <= hdev->stored_num_keys)
272 hdev->stored_num_keys -= rp->num_keys;
274 hdev->stored_num_keys = 0;
277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
279 __u8 status = *((__u8 *) skb->data);
282 BT_DBG("%s status 0x%2.2x", hdev->name, status);
284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
290 if (hci_dev_test_flag(hdev, HCI_MGMT))
291 mgmt_set_local_name_complete(hdev, sent, status);
293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
295 hci_dev_unlock(hdev);
298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
300 struct hci_rp_read_local_name *rp = (void *) skb->data;
302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
307 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
308 hci_dev_test_flag(hdev, HCI_CONFIG))
309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
314 __u8 status = *((__u8 *) skb->data);
317 BT_DBG("%s status 0x%2.2x", hdev->name, status);
319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
326 __u8 param = *((__u8 *) sent);
328 if (param == AUTH_ENABLED)
329 set_bit(HCI_AUTH, &hdev->flags);
331 clear_bit(HCI_AUTH, &hdev->flags);
334 if (hci_dev_test_flag(hdev, HCI_MGMT))
335 mgmt_auth_enable_complete(hdev, status);
337 hci_dev_unlock(hdev);
340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
342 __u8 status = *((__u8 *) skb->data);
346 BT_DBG("%s status 0x%2.2x", hdev->name, status);
351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
355 param = *((__u8 *) sent);
358 set_bit(HCI_ENCRYPT, &hdev->flags);
360 clear_bit(HCI_ENCRYPT, &hdev->flags);
363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
365 __u8 status = *((__u8 *) skb->data);
369 BT_DBG("%s status 0x%2.2x", hdev->name, status);
371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
375 param = *((__u8 *) sent);
380 hdev->discov_timeout = 0;
384 if (param & SCAN_INQUIRY)
385 set_bit(HCI_ISCAN, &hdev->flags);
387 clear_bit(HCI_ISCAN, &hdev->flags);
389 if (param & SCAN_PAGE)
390 set_bit(HCI_PSCAN, &hdev->flags);
392 clear_bit(HCI_PSCAN, &hdev->flags);
395 hci_dev_unlock(hdev);
398 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
400 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
407 memcpy(hdev->dev_class, rp->dev_class, 3);
409 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
410 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
413 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
415 __u8 status = *((__u8 *) skb->data);
418 BT_DBG("%s status 0x%2.2x", hdev->name, status);
420 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
427 memcpy(hdev->dev_class, sent, 3);
429 if (hci_dev_test_flag(hdev, HCI_MGMT))
430 mgmt_set_class_of_dev_complete(hdev, sent, status);
432 hci_dev_unlock(hdev);
435 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
437 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
445 setting = __le16_to_cpu(rp->voice_setting);
447 if (hdev->voice_setting == setting)
450 hdev->voice_setting = setting;
452 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
455 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
458 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
461 __u8 status = *((__u8 *) skb->data);
465 BT_DBG("%s status 0x%2.2x", hdev->name, status);
470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
474 setting = get_unaligned_le16(sent);
476 if (hdev->voice_setting == setting)
479 hdev->voice_setting = setting;
481 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
484 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
487 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
490 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
497 hdev->num_iac = rp->num_iac;
499 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
502 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
504 __u8 status = *((__u8 *) skb->data);
505 struct hci_cp_write_ssp_mode *sent;
507 BT_DBG("%s status 0x%2.2x", hdev->name, status);
509 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
517 hdev->features[1][0] |= LMP_HOST_SSP;
519 hdev->features[1][0] &= ~LMP_HOST_SSP;
522 if (hci_dev_test_flag(hdev, HCI_MGMT))
523 mgmt_ssp_enable_complete(hdev, sent->mode, status);
526 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
528 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
531 hci_dev_unlock(hdev);
534 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
536 u8 status = *((u8 *) skb->data);
537 struct hci_cp_write_sc_support *sent;
539 BT_DBG("%s status 0x%2.2x", hdev->name, status);
541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
549 hdev->features[1][0] |= LMP_HOST_SC;
551 hdev->features[1][0] &= ~LMP_HOST_SC;
554 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
556 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
558 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
561 hci_dev_unlock(hdev);
564 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
566 struct hci_rp_read_local_version *rp = (void *) skb->data;
568 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
573 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
574 hci_dev_test_flag(hdev, HCI_CONFIG)) {
575 hdev->hci_ver = rp->hci_ver;
576 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
577 hdev->lmp_ver = rp->lmp_ver;
578 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
579 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
583 static void hci_cc_read_local_commands(struct hci_dev *hdev,
586 struct hci_rp_read_local_commands *rp = (void *) skb->data;
588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
593 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
594 hci_dev_test_flag(hdev, HCI_CONFIG))
595 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
598 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
601 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
602 struct hci_conn *conn;
604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
613 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
615 hci_dev_unlock(hdev);
618 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
621 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
622 struct hci_conn *conn;
625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
630 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
638 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
640 hci_dev_unlock(hdev);
643 static void hci_cc_read_local_features(struct hci_dev *hdev,
646 struct hci_rp_read_local_features *rp = (void *) skb->data;
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
653 memcpy(hdev->features, rp->features, 8);
655 /* Adjust default settings according to features
656 * supported by device. */
658 if (hdev->features[0][0] & LMP_3SLOT)
659 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
661 if (hdev->features[0][0] & LMP_5SLOT)
662 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
664 if (hdev->features[0][1] & LMP_HV2) {
665 hdev->pkt_type |= (HCI_HV2);
666 hdev->esco_type |= (ESCO_HV2);
669 if (hdev->features[0][1] & LMP_HV3) {
670 hdev->pkt_type |= (HCI_HV3);
671 hdev->esco_type |= (ESCO_HV3);
674 if (lmp_esco_capable(hdev))
675 hdev->esco_type |= (ESCO_EV3);
677 if (hdev->features[0][4] & LMP_EV4)
678 hdev->esco_type |= (ESCO_EV4);
680 if (hdev->features[0][4] & LMP_EV5)
681 hdev->esco_type |= (ESCO_EV5);
683 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
684 hdev->esco_type |= (ESCO_2EV3);
686 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
687 hdev->esco_type |= (ESCO_3EV3);
689 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
690 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
693 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
696 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
698 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
703 if (hdev->max_page < rp->max_page)
704 hdev->max_page = rp->max_page;
706 if (rp->page < HCI_MAX_PAGES)
707 memcpy(hdev->features[rp->page], rp->features, 8);
710 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
713 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
715 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
720 hdev->flow_ctl_mode = rp->mode;
723 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
725 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
732 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
733 hdev->sco_mtu = rp->sco_mtu;
734 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
735 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
737 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
742 hdev->acl_cnt = hdev->acl_pkts;
743 hdev->sco_cnt = hdev->sco_pkts;
745 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
746 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
749 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
751 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
758 if (test_bit(HCI_INIT, &hdev->flags))
759 bacpy(&hdev->bdaddr, &rp->bdaddr);
761 if (hci_dev_test_flag(hdev, HCI_SETUP))
762 bacpy(&hdev->setup_addr, &rp->bdaddr);
765 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,
768 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;
770 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
775 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
776 hci_dev_test_flag(hdev, HCI_CONFIG)) {
777 hdev->pairing_opts = rp->pairing_opts;
778 hdev->max_enc_key_size = rp->max_key_size;
782 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
785 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
787 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
792 if (test_bit(HCI_INIT, &hdev->flags)) {
793 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
794 hdev->page_scan_window = __le16_to_cpu(rp->window);
798 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
801 u8 status = *((u8 *) skb->data);
802 struct hci_cp_write_page_scan_activity *sent;
804 BT_DBG("%s status 0x%2.2x", hdev->name, status);
809 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
813 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
814 hdev->page_scan_window = __le16_to_cpu(sent->window);
817 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
820 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
822 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
827 if (test_bit(HCI_INIT, &hdev->flags))
828 hdev->page_scan_type = rp->type;
831 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
834 u8 status = *((u8 *) skb->data);
837 BT_DBG("%s status 0x%2.2x", hdev->name, status);
842 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
844 hdev->page_scan_type = *type;
847 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
850 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
852 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
857 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
858 hdev->block_len = __le16_to_cpu(rp->block_len);
859 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
861 hdev->block_cnt = hdev->num_blocks;
863 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
864 hdev->block_cnt, hdev->block_len);
867 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
869 struct hci_rp_read_clock *rp = (void *) skb->data;
870 struct hci_cp_read_clock *cp;
871 struct hci_conn *conn;
873 BT_DBG("%s", hdev->name);
875 if (skb->len < sizeof(*rp))
883 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
887 if (cp->which == 0x00) {
888 hdev->clock = le32_to_cpu(rp->clock);
892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
894 conn->clock = le32_to_cpu(rp->clock);
895 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
899 hci_dev_unlock(hdev);
902 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
905 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
912 hdev->amp_status = rp->amp_status;
913 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
914 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
915 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
916 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
917 hdev->amp_type = rp->amp_type;
918 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
919 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
920 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
921 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
924 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
927 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
929 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
934 hdev->inq_tx_power = rp->tx_power;
937 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,
940 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;
942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
947 hdev->err_data_reporting = rp->err_data_reporting;
950 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,
953 __u8 status = *((__u8 *)skb->data);
954 struct hci_cp_write_def_err_data_reporting *cp;
956 BT_DBG("%s status 0x%2.2x", hdev->name, status);
961 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
965 hdev->err_data_reporting = cp->err_data_reporting;
968 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
970 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
971 struct hci_cp_pin_code_reply *cp;
972 struct hci_conn *conn;
974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
978 if (hci_dev_test_flag(hdev, HCI_MGMT))
979 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
984 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
988 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
990 conn->pin_length = cp->pin_len;
993 hci_dev_unlock(hdev);
996 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
998 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1004 if (hci_dev_test_flag(hdev, HCI_MGMT))
1005 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1008 hci_dev_unlock(hdev);
1011 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
1012 struct sk_buff *skb)
1014 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
1016 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1022 hdev->le_pkts = rp->le_max_pkt;
1024 hdev->le_cnt = hdev->le_pkts;
1026 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1029 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
1030 struct sk_buff *skb)
1032 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
1034 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1039 memcpy(hdev->le_features, rp->features, 8);
1042 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
1043 struct sk_buff *skb)
1045 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1052 hdev->adv_tx_power = rp->tx_power;
1055 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
1057 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1059 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1063 if (hci_dev_test_flag(hdev, HCI_MGMT))
1064 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1067 hci_dev_unlock(hdev);
1070 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
1071 struct sk_buff *skb)
1073 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1075 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1079 if (hci_dev_test_flag(hdev, HCI_MGMT))
1080 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1081 ACL_LINK, 0, rp->status);
1083 hci_dev_unlock(hdev);
1086 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1088 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1090 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1094 if (hci_dev_test_flag(hdev, HCI_MGMT))
1095 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1098 hci_dev_unlock(hdev);
1101 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1102 struct sk_buff *skb)
1104 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1110 if (hci_dev_test_flag(hdev, HCI_MGMT))
1111 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1112 ACL_LINK, 0, rp->status);
1114 hci_dev_unlock(hdev);
1117 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1118 struct sk_buff *skb)
1120 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1125 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1126 struct sk_buff *skb)
1128 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1130 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1133 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1135 __u8 status = *((__u8 *) skb->data);
1138 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1143 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1149 bacpy(&hdev->random_addr, sent);
1151 hci_dev_unlock(hdev);
1154 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1156 __u8 status = *((__u8 *) skb->data);
1157 struct hci_cp_le_set_default_phy *cp;
1159 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1164 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1170 hdev->le_tx_def_phys = cp->tx_phys;
1171 hdev->le_rx_def_phys = cp->rx_phys;
1173 hci_dev_unlock(hdev);
1176 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1177 struct sk_buff *skb)
1179 __u8 status = *((__u8 *) skb->data);
1180 struct hci_cp_le_set_adv_set_rand_addr *cp;
1181 struct adv_info *adv_instance;
1186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1192 if (!hdev->cur_adv_instance) {
1193 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1194 bacpy(&hdev->random_addr, &cp->bdaddr);
1196 adv_instance = hci_find_adv_instance(hdev,
1197 hdev->cur_adv_instance);
1199 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1202 hci_dev_unlock(hdev);
1205 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1207 __u8 *sent, status = *((__u8 *) skb->data);
1209 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1214 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1220 /* If we're doing connection initiation as peripheral. Set a
1221 * timeout in case something goes wrong.
1224 struct hci_conn *conn;
1226 hci_dev_set_flag(hdev, HCI_LE_ADV);
1228 conn = hci_lookup_le_connect(hdev);
1230 queue_delayed_work(hdev->workqueue,
1231 &conn->le_conn_timeout,
1232 conn->conn_timeout);
1234 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1237 hci_dev_unlock(hdev);
1240 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1241 struct sk_buff *skb)
1243 struct hci_cp_le_set_ext_adv_enable *cp;
1244 __u8 status = *((__u8 *) skb->data);
1246 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1251 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1258 struct hci_conn *conn;
1260 hci_dev_set_flag(hdev, HCI_LE_ADV);
1262 conn = hci_lookup_le_connect(hdev);
1264 queue_delayed_work(hdev->workqueue,
1265 &conn->le_conn_timeout,
1266 conn->conn_timeout);
1268 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1271 hci_dev_unlock(hdev);
1274 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1276 struct hci_cp_le_set_scan_param *cp;
1277 __u8 status = *((__u8 *) skb->data);
1279 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1284 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1290 hdev->le_scan_type = cp->type;
1292 hci_dev_unlock(hdev);
1295 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1296 struct sk_buff *skb)
1298 struct hci_cp_le_set_ext_scan_params *cp;
1299 __u8 status = *((__u8 *) skb->data);
1300 struct hci_cp_le_scan_phy_params *phy_param;
1302 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1307 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1311 phy_param = (void *)cp->data;
1315 hdev->le_scan_type = phy_param->type;
1317 hci_dev_unlock(hdev);
1320 static bool has_pending_adv_report(struct hci_dev *hdev)
1322 struct discovery_state *d = &hdev->discovery;
1324 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1327 static void clear_pending_adv_report(struct hci_dev *hdev)
1329 struct discovery_state *d = &hdev->discovery;
1331 bacpy(&d->last_adv_addr, BDADDR_ANY);
1332 d->last_adv_data_len = 0;
1335 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1336 u8 bdaddr_type, s8 rssi, u32 flags,
1339 struct discovery_state *d = &hdev->discovery;
1341 bacpy(&d->last_adv_addr, bdaddr);
1342 d->last_adv_addr_type = bdaddr_type;
1343 d->last_adv_rssi = rssi;
1344 d->last_adv_flags = flags;
1345 memcpy(d->last_adv_data, data, len);
1346 d->last_adv_data_len = len;
1349 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1354 case LE_SCAN_ENABLE:
1355 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1356 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1357 clear_pending_adv_report(hdev);
1360 case LE_SCAN_DISABLE:
1361 /* We do this here instead of when setting DISCOVERY_STOPPED
1362 * since the latter would potentially require waiting for
1363 * inquiry to stop too.
1365 if (has_pending_adv_report(hdev)) {
1366 struct discovery_state *d = &hdev->discovery;
1368 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1369 d->last_adv_addr_type, NULL,
1370 d->last_adv_rssi, d->last_adv_flags,
1372 d->last_adv_data_len, NULL, 0);
1375 /* Cancel this timer so that we don't try to disable scanning
1376 * when it's already disabled.
1378 cancel_delayed_work(&hdev->le_scan_disable);
1380 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1382 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1383 * interrupted scanning due to a connect request. Mark
1384 * therefore discovery as stopped. If this was not
1385 * because of a connect request advertising might have
1386 * been disabled because of active scanning, so
1387 * re-enable it again if necessary.
1389 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1390 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1391 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1392 hdev->discovery.state == DISCOVERY_FINDING)
1393 hci_req_reenable_advertising(hdev);
1398 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1403 hci_dev_unlock(hdev);
1406 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1407 struct sk_buff *skb)
1409 struct hci_cp_le_set_scan_enable *cp;
1410 __u8 status = *((__u8 *) skb->data);
1412 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1417 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1421 le_set_scan_enable_complete(hdev, cp->enable);
1424 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1425 struct sk_buff *skb)
1427 struct hci_cp_le_set_ext_scan_enable *cp;
1428 __u8 status = *((__u8 *) skb->data);
1430 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1435 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1439 le_set_scan_enable_complete(hdev, cp->enable);
1442 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1443 struct sk_buff *skb)
1445 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1447 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1453 hdev->le_num_of_adv_sets = rp->num_of_sets;
1456 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1457 struct sk_buff *skb)
1459 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1461 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1466 hdev->le_white_list_size = rp->size;
1469 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1470 struct sk_buff *skb)
1472 __u8 status = *((__u8 *) skb->data);
1474 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1479 hci_bdaddr_list_clear(&hdev->le_white_list);
1482 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1483 struct sk_buff *skb)
1485 struct hci_cp_le_add_to_white_list *sent;
1486 __u8 status = *((__u8 *) skb->data);
1488 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1493 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1497 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1501 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1502 struct sk_buff *skb)
1504 struct hci_cp_le_del_from_white_list *sent;
1505 __u8 status = *((__u8 *) skb->data);
1507 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1512 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1516 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1520 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1521 struct sk_buff *skb)
1523 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1525 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1530 memcpy(hdev->le_states, rp->le_states, 8);
1533 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1534 struct sk_buff *skb)
1536 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1538 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1543 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1544 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1547 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1548 struct sk_buff *skb)
1550 struct hci_cp_le_write_def_data_len *sent;
1551 __u8 status = *((__u8 *) skb->data);
1553 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1558 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1562 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1563 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1566 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1567 struct sk_buff *skb)
1569 struct hci_cp_le_add_to_resolv_list *sent;
1570 __u8 status = *((__u8 *) skb->data);
1572 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1577 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1581 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1582 sent->bdaddr_type, sent->peer_irk,
1586 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1587 struct sk_buff *skb)
1589 struct hci_cp_le_del_from_resolv_list *sent;
1590 __u8 status = *((__u8 *) skb->data);
1592 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1597 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1601 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1605 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1606 struct sk_buff *skb)
1608 __u8 status = *((__u8 *) skb->data);
1610 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1615 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1618 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1619 struct sk_buff *skb)
1621 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1623 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1628 hdev->le_resolv_list_size = rp->size;
1631 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1632 struct sk_buff *skb)
1634 __u8 *sent, status = *((__u8 *) skb->data);
1636 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1641 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1648 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1650 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1652 hci_dev_unlock(hdev);
1655 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1656 struct sk_buff *skb)
1658 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1660 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1665 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1666 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1667 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1668 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1671 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1672 struct sk_buff *skb)
1674 struct hci_cp_write_le_host_supported *sent;
1675 __u8 status = *((__u8 *) skb->data);
1677 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1682 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1689 hdev->features[1][0] |= LMP_HOST_LE;
1690 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1692 hdev->features[1][0] &= ~LMP_HOST_LE;
1693 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1694 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1698 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1700 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1702 hci_dev_unlock(hdev);
1705 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1707 struct hci_cp_le_set_adv_param *cp;
1708 u8 status = *((u8 *) skb->data);
1710 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1715 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1720 hdev->adv_addr_type = cp->own_address_type;
1721 hci_dev_unlock(hdev);
1724 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1726 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1727 struct hci_cp_le_set_ext_adv_params *cp;
1728 struct adv_info *adv_instance;
1730 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1735 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1740 hdev->adv_addr_type = cp->own_addr_type;
1741 if (!hdev->cur_adv_instance) {
1742 /* Store in hdev for instance 0 */
1743 hdev->adv_tx_power = rp->tx_power;
1745 adv_instance = hci_find_adv_instance(hdev,
1746 hdev->cur_adv_instance);
1748 adv_instance->tx_power = rp->tx_power;
1750 /* Update adv data as tx power is known now */
1751 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1752 hci_dev_unlock(hdev);
1755 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1757 struct hci_rp_read_rssi *rp = (void *) skb->data;
1758 struct hci_conn *conn;
1760 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1767 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1769 conn->rssi = rp->rssi;
1771 hci_dev_unlock(hdev);
1774 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1776 struct hci_cp_read_tx_power *sent;
1777 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1778 struct hci_conn *conn;
1780 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1785 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1791 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1795 switch (sent->type) {
1797 conn->tx_power = rp->tx_power;
1800 conn->max_tx_power = rp->tx_power;
1805 hci_dev_unlock(hdev);
1808 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1810 u8 status = *((u8 *) skb->data);
1813 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1818 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1820 hdev->ssp_debug_mode = *mode;
1823 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1825 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1828 hci_conn_check_pending(hdev);
1832 set_bit(HCI_INQUIRY, &hdev->flags);
1835 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1837 struct hci_cp_create_conn *cp;
1838 struct hci_conn *conn;
1840 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1842 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1848 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1850 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1853 if (conn && conn->state == BT_CONNECT) {
1854 if (status != 0x0c || conn->attempt > 2) {
1855 conn->state = BT_CLOSED;
1856 hci_connect_cfm(conn, status);
1859 conn->state = BT_CONNECT2;
1863 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1866 bt_dev_err(hdev, "no memory for new connection");
1870 hci_dev_unlock(hdev);
1873 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1875 struct hci_cp_add_sco *cp;
1876 struct hci_conn *acl, *sco;
1879 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1888 handle = __le16_to_cpu(cp->handle);
1890 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1894 acl = hci_conn_hash_lookup_handle(hdev, handle);
1898 sco->state = BT_CLOSED;
1900 hci_connect_cfm(sco, status);
1905 hci_dev_unlock(hdev);
1908 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1910 struct hci_cp_auth_requested *cp;
1911 struct hci_conn *conn;
1913 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1918 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1924 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1926 if (conn->state == BT_CONFIG) {
1927 hci_connect_cfm(conn, status);
1928 hci_conn_drop(conn);
1932 hci_dev_unlock(hdev);
1935 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1937 struct hci_cp_set_conn_encrypt *cp;
1938 struct hci_conn *conn;
1940 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1945 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1951 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1953 if (conn->state == BT_CONFIG) {
1954 hci_connect_cfm(conn, status);
1955 hci_conn_drop(conn);
1959 hci_dev_unlock(hdev);
1962 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1963 struct hci_conn *conn)
1965 if (conn->state != BT_CONFIG || !conn->out)
1968 if (conn->pending_sec_level == BT_SECURITY_SDP)
1971 /* Only request authentication for SSP connections or non-SSP
1972 * devices with sec_level MEDIUM or HIGH or if MITM protection
1975 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1976 conn->pending_sec_level != BT_SECURITY_FIPS &&
1977 conn->pending_sec_level != BT_SECURITY_HIGH &&
1978 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1984 static int hci_resolve_name(struct hci_dev *hdev,
1985 struct inquiry_entry *e)
1987 struct hci_cp_remote_name_req cp;
1989 memset(&cp, 0, sizeof(cp));
1991 bacpy(&cp.bdaddr, &e->data.bdaddr);
1992 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1993 cp.pscan_mode = e->data.pscan_mode;
1994 cp.clock_offset = e->data.clock_offset;
1996 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1999 static bool hci_resolve_next_name(struct hci_dev *hdev)
2001 struct discovery_state *discov = &hdev->discovery;
2002 struct inquiry_entry *e;
2004 if (list_empty(&discov->resolve))
2007 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2011 if (hci_resolve_name(hdev, e) == 0) {
2012 e->name_state = NAME_PENDING;
2019 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2020 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2022 struct discovery_state *discov = &hdev->discovery;
2023 struct inquiry_entry *e;
2025 /* Update the mgmt connected state if necessary. Be careful with
2026 * conn objects that exist but are not (yet) connected however.
2027 * Only those in BT_CONFIG or BT_CONNECTED states can be
2028 * considered connected.
2031 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2032 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2033 mgmt_device_connected(hdev, conn, 0, name, name_len);
2035 if (discov->state == DISCOVERY_STOPPED)
2038 if (discov->state == DISCOVERY_STOPPING)
2039 goto discov_complete;
2041 if (discov->state != DISCOVERY_RESOLVING)
2044 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2045 /* If the device was not found in a list of found devices names of which
2046 * are pending. there is no need to continue resolving a next name as it
2047 * will be done upon receiving another Remote Name Request Complete
2054 e->name_state = NAME_KNOWN;
2055 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2056 e->data.rssi, name, name_len);
2058 e->name_state = NAME_NOT_KNOWN;
2061 if (hci_resolve_next_name(hdev))
2065 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2068 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2070 struct hci_cp_remote_name_req *cp;
2071 struct hci_conn *conn;
2073 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2075 /* If successful wait for the name req complete event before
2076 * checking for the need to do authentication */
2080 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2086 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2088 if (hci_dev_test_flag(hdev, HCI_MGMT))
2089 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2094 if (!hci_outgoing_auth_needed(hdev, conn))
2097 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2098 struct hci_cp_auth_requested auth_cp;
2100 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2102 auth_cp.handle = __cpu_to_le16(conn->handle);
2103 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2104 sizeof(auth_cp), &auth_cp);
2108 hci_dev_unlock(hdev);
2111 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2113 struct hci_cp_read_remote_features *cp;
2114 struct hci_conn *conn;
2116 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2121 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2127 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2129 if (conn->state == BT_CONFIG) {
2130 hci_connect_cfm(conn, status);
2131 hci_conn_drop(conn);
2135 hci_dev_unlock(hdev);
2138 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2140 struct hci_cp_read_remote_ext_features *cp;
2141 struct hci_conn *conn;
2143 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2148 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2154 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2156 if (conn->state == BT_CONFIG) {
2157 hci_connect_cfm(conn, status);
2158 hci_conn_drop(conn);
2162 hci_dev_unlock(hdev);
2165 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2167 struct hci_cp_setup_sync_conn *cp;
2168 struct hci_conn *acl, *sco;
2171 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2176 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2180 handle = __le16_to_cpu(cp->handle);
2182 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2186 acl = hci_conn_hash_lookup_handle(hdev, handle);
2190 sco->state = BT_CLOSED;
2192 hci_connect_cfm(sco, status);
2197 hci_dev_unlock(hdev);
2200 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2202 struct hci_cp_sniff_mode *cp;
2203 struct hci_conn *conn;
2205 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2210 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2216 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2218 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2220 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2221 hci_sco_setup(conn, status);
2224 hci_dev_unlock(hdev);
2227 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2229 struct hci_cp_exit_sniff_mode *cp;
2230 struct hci_conn *conn;
2232 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2237 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2243 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2245 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2247 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2248 hci_sco_setup(conn, status);
2251 hci_dev_unlock(hdev);
2254 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2256 struct hci_cp_disconnect *cp;
2257 struct hci_conn *conn;
2262 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2268 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2270 u8 type = conn->type;
2272 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2273 conn->dst_type, status);
2275 /* If the disconnection failed for any reason, the upper layer
2276 * does not retry to disconnect in current implementation.
2277 * Hence, we need to do some basic cleanup here and re-enable
2278 * advertising if necessary.
2281 if (type == LE_LINK)
2282 hci_req_reenable_advertising(hdev);
2285 hci_dev_unlock(hdev);
2288 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2289 u8 peer_addr_type, u8 own_address_type,
2292 struct hci_conn *conn;
2294 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2299 /* Store the initiator and responder address information which
2300 * is needed for SMP. These values will not change during the
2301 * lifetime of the connection.
2303 conn->init_addr_type = own_address_type;
2304 if (own_address_type == ADDR_LE_DEV_RANDOM)
2305 bacpy(&conn->init_addr, &hdev->random_addr);
2307 bacpy(&conn->init_addr, &hdev->bdaddr);
2309 conn->resp_addr_type = peer_addr_type;
2310 bacpy(&conn->resp_addr, peer_addr);
2312 /* We don't want the connection attempt to stick around
2313 * indefinitely since LE doesn't have a page timeout concept
2314 * like BR/EDR. Set a timer for any connection that doesn't use
2315 * the white list for connecting.
2317 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2318 queue_delayed_work(conn->hdev->workqueue,
2319 &conn->le_conn_timeout,
2320 conn->conn_timeout);
2323 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2325 struct hci_cp_le_create_conn *cp;
2327 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2329 /* All connection failure handling is taken care of by the
2330 * hci_le_conn_failed function which is triggered by the HCI
2331 * request completion callbacks used for connecting.
2336 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2342 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2343 cp->own_address_type, cp->filter_policy);
2345 hci_dev_unlock(hdev);
2348 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2350 struct hci_cp_le_ext_create_conn *cp;
2352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2354 /* All connection failure handling is taken care of by the
2355 * hci_le_conn_failed function which is triggered by the HCI
2356 * request completion callbacks used for connecting.
2361 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2367 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2368 cp->own_addr_type, cp->filter_policy);
2370 hci_dev_unlock(hdev);
2373 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2375 struct hci_cp_le_read_remote_features *cp;
2376 struct hci_conn *conn;
2378 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2383 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2389 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2391 if (conn->state == BT_CONFIG) {
2392 hci_connect_cfm(conn, status);
2393 hci_conn_drop(conn);
2397 hci_dev_unlock(hdev);
2400 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2402 struct hci_cp_le_start_enc *cp;
2403 struct hci_conn *conn;
2405 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2412 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2416 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2420 if (conn->state != BT_CONNECTED)
2423 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2424 hci_conn_drop(conn);
2427 hci_dev_unlock(hdev);
2430 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2432 struct hci_cp_switch_role *cp;
2433 struct hci_conn *conn;
2435 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2440 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2446 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2448 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2450 hci_dev_unlock(hdev);
2453 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2455 __u8 status = *((__u8 *) skb->data);
2456 struct discovery_state *discov = &hdev->discovery;
2457 struct inquiry_entry *e;
2459 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2461 hci_conn_check_pending(hdev);
2463 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2466 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2467 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2469 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2474 if (discov->state != DISCOVERY_FINDING)
2477 if (list_empty(&discov->resolve)) {
2478 /* When BR/EDR inquiry is active and no LE scanning is in
2479 * progress, then change discovery state to indicate completion.
2481 * When running LE scanning and BR/EDR inquiry simultaneously
2482 * and the LE scan already finished, then change the discovery
2483 * state to indicate completion.
2485 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2486 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2487 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2491 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2492 if (e && hci_resolve_name(hdev, e) == 0) {
2493 e->name_state = NAME_PENDING;
2494 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2496 /* When BR/EDR inquiry is active and no LE scanning is in
2497 * progress, then change discovery state to indicate completion.
2499 * When running LE scanning and BR/EDR inquiry simultaneously
2500 * and the LE scan already finished, then change the discovery
2501 * state to indicate completion.
2503 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2504 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2505 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2509 hci_dev_unlock(hdev);
2512 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2514 struct inquiry_data data;
2515 struct inquiry_info *info = (void *) (skb->data + 1);
2516 int num_rsp = *((__u8 *) skb->data);
2518 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2523 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2528 for (; num_rsp; num_rsp--, info++) {
2531 bacpy(&data.bdaddr, &info->bdaddr);
2532 data.pscan_rep_mode = info->pscan_rep_mode;
2533 data.pscan_period_mode = info->pscan_period_mode;
2534 data.pscan_mode = info->pscan_mode;
2535 memcpy(data.dev_class, info->dev_class, 3);
2536 data.clock_offset = info->clock_offset;
2537 data.rssi = HCI_RSSI_INVALID;
2538 data.ssp_mode = 0x00;
2540 flags = hci_inquiry_cache_update(hdev, &data, false);
2542 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2543 info->dev_class, HCI_RSSI_INVALID,
2544 flags, NULL, 0, NULL, 0);
2547 hci_dev_unlock(hdev);
2550 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2552 struct hci_ev_conn_complete *ev = (void *) skb->data;
2553 struct inquiry_entry *ie;
2554 struct hci_conn *conn;
2556 BT_DBG("%s", hdev->name);
2560 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2562 /* Connection may not exist if auto-connected. Check the inquiry
2563 * cache to see if we've already discovered this bdaddr before.
2564 * If found and link is an ACL type, create a connection class
2567 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2568 if (ie && ev->link_type == ACL_LINK) {
2569 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2572 bt_dev_err(hdev, "no memory for new conn");
2576 if (ev->link_type != SCO_LINK)
2579 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
2584 conn->type = SCO_LINK;
2589 conn->handle = __le16_to_cpu(ev->handle);
2591 if (conn->type == ACL_LINK) {
2592 conn->state = BT_CONFIG;
2593 hci_conn_hold(conn);
2595 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2596 !hci_find_link_key(hdev, &ev->bdaddr))
2597 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2599 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2601 conn->state = BT_CONNECTED;
2603 hci_debugfs_create_conn(conn);
2604 hci_conn_add_sysfs(conn);
2606 if (test_bit(HCI_AUTH, &hdev->flags))
2607 set_bit(HCI_CONN_AUTH, &conn->flags);
2609 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2610 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2612 /* Get remote features */
2613 if (conn->type == ACL_LINK) {
2614 struct hci_cp_read_remote_features cp;
2615 cp.handle = ev->handle;
2616 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2619 hci_req_update_scan(hdev);
2622 /* Set packet type for incoming connection */
2623 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2624 struct hci_cp_change_conn_ptype cp;
2625 cp.handle = ev->handle;
2626 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2627 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2631 conn->state = BT_CLOSED;
2632 if (conn->type == ACL_LINK)
2633 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2634 conn->dst_type, ev->status);
2637 if (conn->type == ACL_LINK)
2638 hci_sco_setup(conn, ev->status);
2641 hci_connect_cfm(conn, ev->status);
2643 } else if (ev->link_type == SCO_LINK) {
2644 switch (conn->setting & SCO_AIRMODE_MASK) {
2645 case SCO_AIRMODE_CVSD:
2647 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
2651 hci_connect_cfm(conn, ev->status);
2655 hci_dev_unlock(hdev);
2657 hci_conn_check_pending(hdev);
2660 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2662 struct hci_cp_reject_conn_req cp;
2664 bacpy(&cp.bdaddr, bdaddr);
2665 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2666 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2669 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2671 struct hci_ev_conn_request *ev = (void *) skb->data;
2672 int mask = hdev->link_mode;
2673 struct inquiry_entry *ie;
2674 struct hci_conn *conn;
2677 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2680 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2683 if (!(mask & HCI_LM_ACCEPT)) {
2684 hci_reject_conn(hdev, &ev->bdaddr);
2688 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2690 hci_reject_conn(hdev, &ev->bdaddr);
2694 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2695 * connection. These features are only touched through mgmt so
2696 * only do the checks if HCI_MGMT is set.
2698 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2699 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2700 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2702 hci_reject_conn(hdev, &ev->bdaddr);
2706 /* Connection accepted */
2710 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2712 memcpy(ie->data.dev_class, ev->dev_class, 3);
2714 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2717 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2720 bt_dev_err(hdev, "no memory for new connection");
2721 hci_dev_unlock(hdev);
2726 memcpy(conn->dev_class, ev->dev_class, 3);
2728 hci_dev_unlock(hdev);
2730 if (ev->link_type == ACL_LINK ||
2731 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2732 struct hci_cp_accept_conn_req cp;
2733 conn->state = BT_CONNECT;
2735 bacpy(&cp.bdaddr, &ev->bdaddr);
2737 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2738 cp.role = 0x00; /* Become master */
2740 cp.role = 0x01; /* Remain slave */
2742 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2743 } else if (!(flags & HCI_PROTO_DEFER)) {
2744 struct hci_cp_accept_sync_conn_req cp;
2745 conn->state = BT_CONNECT;
2747 bacpy(&cp.bdaddr, &ev->bdaddr);
2748 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2750 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2751 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2752 cp.max_latency = cpu_to_le16(0xffff);
2753 cp.content_format = cpu_to_le16(hdev->voice_setting);
2754 cp.retrans_effort = 0xff;
2756 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2759 conn->state = BT_CONNECT2;
2760 hci_connect_cfm(conn, 0);
2764 static u8 hci_to_mgmt_reason(u8 err)
2767 case HCI_ERROR_CONNECTION_TIMEOUT:
2768 return MGMT_DEV_DISCONN_TIMEOUT;
2769 case HCI_ERROR_REMOTE_USER_TERM:
2770 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2771 case HCI_ERROR_REMOTE_POWER_OFF:
2772 return MGMT_DEV_DISCONN_REMOTE;
2773 case HCI_ERROR_LOCAL_HOST_TERM:
2774 return MGMT_DEV_DISCONN_LOCAL_HOST;
2776 return MGMT_DEV_DISCONN_UNKNOWN;
2780 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2782 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2784 struct hci_conn_params *params;
2785 struct hci_conn *conn;
2786 bool mgmt_connected;
2789 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2793 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2798 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2799 conn->dst_type, ev->status);
2803 conn->state = BT_CLOSED;
2805 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2807 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2808 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2810 reason = hci_to_mgmt_reason(ev->reason);
2812 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2813 reason, mgmt_connected);
2815 if (conn->type == ACL_LINK) {
2816 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2817 hci_remove_link_key(hdev, &conn->dst);
2819 hci_req_update_scan(hdev);
2822 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2824 switch (params->auto_connect) {
2825 case HCI_AUTO_CONN_LINK_LOSS:
2826 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2830 case HCI_AUTO_CONN_DIRECT:
2831 case HCI_AUTO_CONN_ALWAYS:
2832 list_del_init(¶ms->action);
2833 list_add(¶ms->action, &hdev->pend_le_conns);
2834 hci_update_background_scan(hdev);
2844 hci_disconn_cfm(conn, ev->reason);
2847 /* The suspend notifier is waiting for all devices to disconnect so
2848 * clear the bit from pending tasks and inform the wait queue.
2850 if (list_empty(&hdev->conn_hash.list) &&
2851 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
2852 wake_up(&hdev->suspend_wait_q);
2855 /* Re-enable advertising if necessary, since it might
2856 * have been disabled by the connection. From the
2857 * HCI_LE_Set_Advertise_Enable command description in
2858 * the core specification (v4.0):
2859 * "The Controller shall continue advertising until the Host
2860 * issues an LE_Set_Advertise_Enable command with
2861 * Advertising_Enable set to 0x00 (Advertising is disabled)
2862 * or until a connection is created or until the Advertising
2863 * is timed out due to Directed Advertising."
2865 if (type == LE_LINK)
2866 hci_req_reenable_advertising(hdev);
2869 hci_dev_unlock(hdev);
2872 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2874 struct hci_ev_auth_complete *ev = (void *) skb->data;
2875 struct hci_conn *conn;
2877 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2881 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2886 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2888 if (!hci_conn_ssp_enabled(conn) &&
2889 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2890 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2892 set_bit(HCI_CONN_AUTH, &conn->flags);
2893 conn->sec_level = conn->pending_sec_level;
2896 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2897 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2899 mgmt_auth_failed(conn, ev->status);
2902 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2903 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2905 if (conn->state == BT_CONFIG) {
2906 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2907 struct hci_cp_set_conn_encrypt cp;
2908 cp.handle = ev->handle;
2910 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2913 conn->state = BT_CONNECTED;
2914 hci_connect_cfm(conn, ev->status);
2915 hci_conn_drop(conn);
2918 hci_auth_cfm(conn, ev->status);
2920 hci_conn_hold(conn);
2921 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2922 hci_conn_drop(conn);
2925 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2927 struct hci_cp_set_conn_encrypt cp;
2928 cp.handle = ev->handle;
2930 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2933 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2934 hci_encrypt_cfm(conn, ev->status);
2939 hci_dev_unlock(hdev);
2942 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2944 struct hci_ev_remote_name *ev = (void *) skb->data;
2945 struct hci_conn *conn;
2947 BT_DBG("%s", hdev->name);
2949 hci_conn_check_pending(hdev);
2953 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2955 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2958 if (ev->status == 0)
2959 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2960 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2962 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2968 if (!hci_outgoing_auth_needed(hdev, conn))
2971 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2972 struct hci_cp_auth_requested cp;
2974 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2976 cp.handle = __cpu_to_le16(conn->handle);
2977 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2981 hci_dev_unlock(hdev);
2984 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2985 u16 opcode, struct sk_buff *skb)
2987 const struct hci_rp_read_enc_key_size *rp;
2988 struct hci_conn *conn;
2991 BT_DBG("%s status 0x%02x", hdev->name, status);
2993 if (!skb || skb->len < sizeof(*rp)) {
2994 bt_dev_err(hdev, "invalid read key size response");
2998 rp = (void *)skb->data;
2999 handle = le16_to_cpu(rp->handle);
3003 conn = hci_conn_hash_lookup_handle(hdev, handle);
3007 /* While unexpected, the read_enc_key_size command may fail. The most
3008 * secure approach is to then assume the key size is 0 to force a
3012 bt_dev_err(hdev, "failed to read key size for handle %u",
3014 conn->enc_key_size = 0;
3016 conn->enc_key_size = rp->key_size;
3019 hci_encrypt_cfm(conn, 0);
3022 hci_dev_unlock(hdev);
3025 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3027 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3028 struct hci_conn *conn;
3030 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3034 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3040 /* Encryption implies authentication */
3041 set_bit(HCI_CONN_AUTH, &conn->flags);
3042 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3043 conn->sec_level = conn->pending_sec_level;
3045 /* P-256 authentication key implies FIPS */
3046 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3047 set_bit(HCI_CONN_FIPS, &conn->flags);
3049 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3050 conn->type == LE_LINK)
3051 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3053 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3054 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3058 /* We should disregard the current RPA and generate a new one
3059 * whenever the encryption procedure fails.
3061 if (ev->status && conn->type == LE_LINK) {
3062 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3063 hci_adv_instances_set_rpa_expired(hdev, true);
3066 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3068 if (ev->status && conn->state == BT_CONNECTED) {
3069 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3070 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3072 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3073 hci_conn_drop(conn);
3077 /* In Secure Connections Only mode, do not allow any connections
3078 * that are not encrypted with AES-CCM using a P-256 authenticated
3081 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
3082 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
3083 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
3084 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
3085 hci_conn_drop(conn);
3089 /* Try reading the encryption key size for encrypted ACL links */
3090 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3091 struct hci_cp_read_enc_key_size cp;
3092 struct hci_request req;
3094 /* Only send HCI_Read_Encryption_Key_Size if the
3095 * controller really supports it. If it doesn't, assume
3096 * the default size (16).
3098 if (!(hdev->commands[20] & 0x10)) {
3099 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3103 hci_req_init(&req, hdev);
3105 cp.handle = cpu_to_le16(conn->handle);
3106 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3108 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3109 bt_dev_err(hdev, "sending read key size failed");
3110 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3117 /* Set the default Authenticated Payload Timeout after
3118 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3119 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3120 * sent when the link is active and Encryption is enabled, the conn
3121 * type can be either LE or ACL and controller must support LMP Ping.
3122 * Ensure for AES-CCM encryption as well.
3124 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3125 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3126 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3127 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3128 struct hci_cp_write_auth_payload_to cp;
3130 cp.handle = cpu_to_le16(conn->handle);
3131 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3132 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3137 hci_encrypt_cfm(conn, ev->status);
3140 hci_dev_unlock(hdev);
3143 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3144 struct sk_buff *skb)
3146 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3147 struct hci_conn *conn;
3149 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3153 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3156 set_bit(HCI_CONN_SECURE, &conn->flags);
3158 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3160 hci_key_change_cfm(conn, ev->status);
3163 hci_dev_unlock(hdev);
3166 static void hci_remote_features_evt(struct hci_dev *hdev,
3167 struct sk_buff *skb)
3169 struct hci_ev_remote_features *ev = (void *) skb->data;
3170 struct hci_conn *conn;
3172 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3176 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3181 memcpy(conn->features[0], ev->features, 8);
3183 if (conn->state != BT_CONFIG)
3186 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3187 lmp_ext_feat_capable(conn)) {
3188 struct hci_cp_read_remote_ext_features cp;
3189 cp.handle = ev->handle;
3191 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3196 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3197 struct hci_cp_remote_name_req cp;
3198 memset(&cp, 0, sizeof(cp));
3199 bacpy(&cp.bdaddr, &conn->dst);
3200 cp.pscan_rep_mode = 0x02;
3201 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3202 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3203 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3205 if (!hci_outgoing_auth_needed(hdev, conn)) {
3206 conn->state = BT_CONNECTED;
3207 hci_connect_cfm(conn, ev->status);
3208 hci_conn_drop(conn);
3212 hci_dev_unlock(hdev);
3215 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3216 u16 *opcode, u8 *status,
3217 hci_req_complete_t *req_complete,
3218 hci_req_complete_skb_t *req_complete_skb)
3220 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3222 *opcode = __le16_to_cpu(ev->opcode);
3223 *status = skb->data[sizeof(*ev)];
3225 skb_pull(skb, sizeof(*ev));
3228 case HCI_OP_INQUIRY_CANCEL:
3229 hci_cc_inquiry_cancel(hdev, skb, status);
3232 case HCI_OP_PERIODIC_INQ:
3233 hci_cc_periodic_inq(hdev, skb);
3236 case HCI_OP_EXIT_PERIODIC_INQ:
3237 hci_cc_exit_periodic_inq(hdev, skb);
3240 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3241 hci_cc_remote_name_req_cancel(hdev, skb);
3244 case HCI_OP_ROLE_DISCOVERY:
3245 hci_cc_role_discovery(hdev, skb);
3248 case HCI_OP_READ_LINK_POLICY:
3249 hci_cc_read_link_policy(hdev, skb);
3252 case HCI_OP_WRITE_LINK_POLICY:
3253 hci_cc_write_link_policy(hdev, skb);
3256 case HCI_OP_READ_DEF_LINK_POLICY:
3257 hci_cc_read_def_link_policy(hdev, skb);
3260 case HCI_OP_WRITE_DEF_LINK_POLICY:
3261 hci_cc_write_def_link_policy(hdev, skb);
3265 hci_cc_reset(hdev, skb);
3268 case HCI_OP_READ_STORED_LINK_KEY:
3269 hci_cc_read_stored_link_key(hdev, skb);
3272 case HCI_OP_DELETE_STORED_LINK_KEY:
3273 hci_cc_delete_stored_link_key(hdev, skb);
3276 case HCI_OP_WRITE_LOCAL_NAME:
3277 hci_cc_write_local_name(hdev, skb);
3280 case HCI_OP_READ_LOCAL_NAME:
3281 hci_cc_read_local_name(hdev, skb);
3284 case HCI_OP_WRITE_AUTH_ENABLE:
3285 hci_cc_write_auth_enable(hdev, skb);
3288 case HCI_OP_WRITE_ENCRYPT_MODE:
3289 hci_cc_write_encrypt_mode(hdev, skb);
3292 case HCI_OP_WRITE_SCAN_ENABLE:
3293 hci_cc_write_scan_enable(hdev, skb);
3296 case HCI_OP_READ_CLASS_OF_DEV:
3297 hci_cc_read_class_of_dev(hdev, skb);
3300 case HCI_OP_WRITE_CLASS_OF_DEV:
3301 hci_cc_write_class_of_dev(hdev, skb);
3304 case HCI_OP_READ_VOICE_SETTING:
3305 hci_cc_read_voice_setting(hdev, skb);
3308 case HCI_OP_WRITE_VOICE_SETTING:
3309 hci_cc_write_voice_setting(hdev, skb);
3312 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3313 hci_cc_read_num_supported_iac(hdev, skb);
3316 case HCI_OP_WRITE_SSP_MODE:
3317 hci_cc_write_ssp_mode(hdev, skb);
3320 case HCI_OP_WRITE_SC_SUPPORT:
3321 hci_cc_write_sc_support(hdev, skb);
3324 case HCI_OP_READ_AUTH_PAYLOAD_TO:
3325 hci_cc_read_auth_payload_timeout(hdev, skb);
3328 case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3329 hci_cc_write_auth_payload_timeout(hdev, skb);
3332 case HCI_OP_READ_LOCAL_VERSION:
3333 hci_cc_read_local_version(hdev, skb);
3336 case HCI_OP_READ_LOCAL_COMMANDS:
3337 hci_cc_read_local_commands(hdev, skb);
3340 case HCI_OP_READ_LOCAL_FEATURES:
3341 hci_cc_read_local_features(hdev, skb);
3344 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3345 hci_cc_read_local_ext_features(hdev, skb);
3348 case HCI_OP_READ_BUFFER_SIZE:
3349 hci_cc_read_buffer_size(hdev, skb);
3352 case HCI_OP_READ_BD_ADDR:
3353 hci_cc_read_bd_addr(hdev, skb);
3356 case HCI_OP_READ_LOCAL_PAIRING_OPTS:
3357 hci_cc_read_local_pairing_opts(hdev, skb);
3360 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3361 hci_cc_read_page_scan_activity(hdev, skb);
3364 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3365 hci_cc_write_page_scan_activity(hdev, skb);
3368 case HCI_OP_READ_PAGE_SCAN_TYPE:
3369 hci_cc_read_page_scan_type(hdev, skb);
3372 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3373 hci_cc_write_page_scan_type(hdev, skb);
3376 case HCI_OP_READ_DATA_BLOCK_SIZE:
3377 hci_cc_read_data_block_size(hdev, skb);
3380 case HCI_OP_READ_FLOW_CONTROL_MODE:
3381 hci_cc_read_flow_control_mode(hdev, skb);
3384 case HCI_OP_READ_LOCAL_AMP_INFO:
3385 hci_cc_read_local_amp_info(hdev, skb);
3388 case HCI_OP_READ_CLOCK:
3389 hci_cc_read_clock(hdev, skb);
3392 case HCI_OP_READ_INQ_RSP_TX_POWER:
3393 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3396 case HCI_OP_READ_DEF_ERR_DATA_REPORTING:
3397 hci_cc_read_def_err_data_reporting(hdev, skb);
3400 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:
3401 hci_cc_write_def_err_data_reporting(hdev, skb);
3404 case HCI_OP_PIN_CODE_REPLY:
3405 hci_cc_pin_code_reply(hdev, skb);
3408 case HCI_OP_PIN_CODE_NEG_REPLY:
3409 hci_cc_pin_code_neg_reply(hdev, skb);
3412 case HCI_OP_READ_LOCAL_OOB_DATA:
3413 hci_cc_read_local_oob_data(hdev, skb);
3416 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3417 hci_cc_read_local_oob_ext_data(hdev, skb);
3420 case HCI_OP_LE_READ_BUFFER_SIZE:
3421 hci_cc_le_read_buffer_size(hdev, skb);
3424 case HCI_OP_LE_READ_LOCAL_FEATURES:
3425 hci_cc_le_read_local_features(hdev, skb);
3428 case HCI_OP_LE_READ_ADV_TX_POWER:
3429 hci_cc_le_read_adv_tx_power(hdev, skb);
3432 case HCI_OP_USER_CONFIRM_REPLY:
3433 hci_cc_user_confirm_reply(hdev, skb);
3436 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3437 hci_cc_user_confirm_neg_reply(hdev, skb);
3440 case HCI_OP_USER_PASSKEY_REPLY:
3441 hci_cc_user_passkey_reply(hdev, skb);
3444 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3445 hci_cc_user_passkey_neg_reply(hdev, skb);
3448 case HCI_OP_LE_SET_RANDOM_ADDR:
3449 hci_cc_le_set_random_addr(hdev, skb);
3452 case HCI_OP_LE_SET_ADV_ENABLE:
3453 hci_cc_le_set_adv_enable(hdev, skb);
3456 case HCI_OP_LE_SET_SCAN_PARAM:
3457 hci_cc_le_set_scan_param(hdev, skb);
3460 case HCI_OP_LE_SET_SCAN_ENABLE:
3461 hci_cc_le_set_scan_enable(hdev, skb);
3464 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3465 hci_cc_le_read_white_list_size(hdev, skb);
3468 case HCI_OP_LE_CLEAR_WHITE_LIST:
3469 hci_cc_le_clear_white_list(hdev, skb);
3472 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3473 hci_cc_le_add_to_white_list(hdev, skb);
3476 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3477 hci_cc_le_del_from_white_list(hdev, skb);
3480 case HCI_OP_LE_READ_SUPPORTED_STATES:
3481 hci_cc_le_read_supported_states(hdev, skb);
3484 case HCI_OP_LE_READ_DEF_DATA_LEN:
3485 hci_cc_le_read_def_data_len(hdev, skb);
3488 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3489 hci_cc_le_write_def_data_len(hdev, skb);
3492 case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3493 hci_cc_le_add_to_resolv_list(hdev, skb);
3496 case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3497 hci_cc_le_del_from_resolv_list(hdev, skb);
3500 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3501 hci_cc_le_clear_resolv_list(hdev, skb);
3504 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3505 hci_cc_le_read_resolv_list_size(hdev, skb);
3508 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3509 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3512 case HCI_OP_LE_READ_MAX_DATA_LEN:
3513 hci_cc_le_read_max_data_len(hdev, skb);
3516 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3517 hci_cc_write_le_host_supported(hdev, skb);
3520 case HCI_OP_LE_SET_ADV_PARAM:
3521 hci_cc_set_adv_param(hdev, skb);
3524 case HCI_OP_READ_RSSI:
3525 hci_cc_read_rssi(hdev, skb);
3528 case HCI_OP_READ_TX_POWER:
3529 hci_cc_read_tx_power(hdev, skb);
3532 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3533 hci_cc_write_ssp_debug_mode(hdev, skb);
3536 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3537 hci_cc_le_set_ext_scan_param(hdev, skb);
3540 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3541 hci_cc_le_set_ext_scan_enable(hdev, skb);
3544 case HCI_OP_LE_SET_DEFAULT_PHY:
3545 hci_cc_le_set_default_phy(hdev, skb);
3548 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3549 hci_cc_le_read_num_adv_sets(hdev, skb);
3552 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3553 hci_cc_set_ext_adv_param(hdev, skb);
3556 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3557 hci_cc_le_set_ext_adv_enable(hdev, skb);
3560 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3561 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3565 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3569 if (*opcode != HCI_OP_NOP)
3570 cancel_delayed_work(&hdev->cmd_timer);
3572 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3573 atomic_set(&hdev->cmd_cnt, 1);
3575 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3578 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3580 "unexpected event for opcode 0x%4.4x", *opcode);
3584 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3585 queue_work(hdev->workqueue, &hdev->cmd_work);
3588 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3589 u16 *opcode, u8 *status,
3590 hci_req_complete_t *req_complete,
3591 hci_req_complete_skb_t *req_complete_skb)
3593 struct hci_ev_cmd_status *ev = (void *) skb->data;
3595 skb_pull(skb, sizeof(*ev));
3597 *opcode = __le16_to_cpu(ev->opcode);
3598 *status = ev->status;
3601 case HCI_OP_INQUIRY:
3602 hci_cs_inquiry(hdev, ev->status);
3605 case HCI_OP_CREATE_CONN:
3606 hci_cs_create_conn(hdev, ev->status);
3609 case HCI_OP_DISCONNECT:
3610 hci_cs_disconnect(hdev, ev->status);
3613 case HCI_OP_ADD_SCO:
3614 hci_cs_add_sco(hdev, ev->status);
3617 case HCI_OP_AUTH_REQUESTED:
3618 hci_cs_auth_requested(hdev, ev->status);
3621 case HCI_OP_SET_CONN_ENCRYPT:
3622 hci_cs_set_conn_encrypt(hdev, ev->status);
3625 case HCI_OP_REMOTE_NAME_REQ:
3626 hci_cs_remote_name_req(hdev, ev->status);
3629 case HCI_OP_READ_REMOTE_FEATURES:
3630 hci_cs_read_remote_features(hdev, ev->status);
3633 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3634 hci_cs_read_remote_ext_features(hdev, ev->status);
3637 case HCI_OP_SETUP_SYNC_CONN:
3638 hci_cs_setup_sync_conn(hdev, ev->status);
3641 case HCI_OP_SNIFF_MODE:
3642 hci_cs_sniff_mode(hdev, ev->status);
3645 case HCI_OP_EXIT_SNIFF_MODE:
3646 hci_cs_exit_sniff_mode(hdev, ev->status);
3649 case HCI_OP_SWITCH_ROLE:
3650 hci_cs_switch_role(hdev, ev->status);
3653 case HCI_OP_LE_CREATE_CONN:
3654 hci_cs_le_create_conn(hdev, ev->status);
3657 case HCI_OP_LE_READ_REMOTE_FEATURES:
3658 hci_cs_le_read_remote_features(hdev, ev->status);
3661 case HCI_OP_LE_START_ENC:
3662 hci_cs_le_start_enc(hdev, ev->status);
3665 case HCI_OP_LE_EXT_CREATE_CONN:
3666 hci_cs_le_ext_create_conn(hdev, ev->status);
3670 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3674 if (*opcode != HCI_OP_NOP)
3675 cancel_delayed_work(&hdev->cmd_timer);
3677 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3678 atomic_set(&hdev->cmd_cnt, 1);
3680 /* Indicate request completion if the command failed. Also, if
3681 * we're not waiting for a special event and we get a success
3682 * command status we should try to flag the request as completed
3683 * (since for this kind of commands there will not be a command
3687 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3688 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3691 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3693 "unexpected event for opcode 0x%4.4x", *opcode);
3697 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3698 queue_work(hdev->workqueue, &hdev->cmd_work);
3701 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3703 struct hci_ev_hardware_error *ev = (void *) skb->data;
3705 hdev->hw_error_code = ev->code;
3707 queue_work(hdev->req_workqueue, &hdev->error_reset);
3710 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3712 struct hci_ev_role_change *ev = (void *) skb->data;
3713 struct hci_conn *conn;
3715 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3719 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3722 conn->role = ev->role;
3724 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3726 hci_role_switch_cfm(conn, ev->status, ev->role);
3729 hci_dev_unlock(hdev);
3732 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3734 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3737 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3738 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3742 if (skb->len < sizeof(*ev) ||
3743 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3744 BT_DBG("%s bad parameters", hdev->name);
3748 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3750 for (i = 0; i < ev->num_hndl; i++) {
3751 struct hci_comp_pkts_info *info = &ev->handles[i];
3752 struct hci_conn *conn;
3753 __u16 handle, count;
3755 handle = __le16_to_cpu(info->handle);
3756 count = __le16_to_cpu(info->count);
3758 conn = hci_conn_hash_lookup_handle(hdev, handle);
3762 conn->sent -= count;
3764 switch (conn->type) {
3766 hdev->acl_cnt += count;
3767 if (hdev->acl_cnt > hdev->acl_pkts)
3768 hdev->acl_cnt = hdev->acl_pkts;
3772 if (hdev->le_pkts) {
3773 hdev->le_cnt += count;
3774 if (hdev->le_cnt > hdev->le_pkts)
3775 hdev->le_cnt = hdev->le_pkts;
3777 hdev->acl_cnt += count;
3778 if (hdev->acl_cnt > hdev->acl_pkts)
3779 hdev->acl_cnt = hdev->acl_pkts;
3784 hdev->sco_cnt += count;
3785 if (hdev->sco_cnt > hdev->sco_pkts)
3786 hdev->sco_cnt = hdev->sco_pkts;
3790 bt_dev_err(hdev, "unknown type %d conn %p",
3796 queue_work(hdev->workqueue, &hdev->tx_work);
3799 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3802 struct hci_chan *chan;
3804 switch (hdev->dev_type) {
3806 return hci_conn_hash_lookup_handle(hdev, handle);
3808 chan = hci_chan_lookup_handle(hdev, handle);
3813 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3820 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3822 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3825 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3826 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3830 if (skb->len < sizeof(*ev) ||
3831 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3832 BT_DBG("%s bad parameters", hdev->name);
3836 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3839 for (i = 0; i < ev->num_hndl; i++) {
3840 struct hci_comp_blocks_info *info = &ev->handles[i];
3841 struct hci_conn *conn = NULL;
3842 __u16 handle, block_count;
3844 handle = __le16_to_cpu(info->handle);
3845 block_count = __le16_to_cpu(info->blocks);
3847 conn = __hci_conn_lookup_handle(hdev, handle);
3851 conn->sent -= block_count;
3853 switch (conn->type) {
3856 hdev->block_cnt += block_count;
3857 if (hdev->block_cnt > hdev->num_blocks)
3858 hdev->block_cnt = hdev->num_blocks;
3862 bt_dev_err(hdev, "unknown type %d conn %p",
3868 queue_work(hdev->workqueue, &hdev->tx_work);
3871 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3873 struct hci_ev_mode_change *ev = (void *) skb->data;
3874 struct hci_conn *conn;
3876 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3880 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3882 conn->mode = ev->mode;
3884 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3886 if (conn->mode == HCI_CM_ACTIVE)
3887 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3889 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3892 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3893 hci_sco_setup(conn, ev->status);
3896 hci_dev_unlock(hdev);
3899 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3901 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3902 struct hci_conn *conn;
3904 BT_DBG("%s", hdev->name);
3908 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3912 if (conn->state == BT_CONNECTED) {
3913 hci_conn_hold(conn);
3914 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3915 hci_conn_drop(conn);
3918 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3919 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3920 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3921 sizeof(ev->bdaddr), &ev->bdaddr);
3922 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3925 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3930 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3934 hci_dev_unlock(hdev);
3937 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3939 if (key_type == HCI_LK_CHANGED_COMBINATION)
3942 conn->pin_length = pin_len;
3943 conn->key_type = key_type;
3946 case HCI_LK_LOCAL_UNIT:
3947 case HCI_LK_REMOTE_UNIT:
3948 case HCI_LK_DEBUG_COMBINATION:
3950 case HCI_LK_COMBINATION:
3952 conn->pending_sec_level = BT_SECURITY_HIGH;
3954 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3956 case HCI_LK_UNAUTH_COMBINATION_P192:
3957 case HCI_LK_UNAUTH_COMBINATION_P256:
3958 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3960 case HCI_LK_AUTH_COMBINATION_P192:
3961 conn->pending_sec_level = BT_SECURITY_HIGH;
3963 case HCI_LK_AUTH_COMBINATION_P256:
3964 conn->pending_sec_level = BT_SECURITY_FIPS;
3969 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3971 struct hci_ev_link_key_req *ev = (void *) skb->data;
3972 struct hci_cp_link_key_reply cp;
3973 struct hci_conn *conn;
3974 struct link_key *key;
3976 BT_DBG("%s", hdev->name);
3978 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3983 key = hci_find_link_key(hdev, &ev->bdaddr);
3985 BT_DBG("%s link key not found for %pMR", hdev->name,
3990 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3993 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3995 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3997 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3998 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3999 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4000 BT_DBG("%s ignoring unauthenticated key", hdev->name);
4004 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4005 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4006 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4007 BT_DBG("%s ignoring key unauthenticated for high security",
4012 conn_set_key(conn, key->type, key->pin_len);
4015 bacpy(&cp.bdaddr, &ev->bdaddr);
4016 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4018 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4020 hci_dev_unlock(hdev);
4025 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4026 hci_dev_unlock(hdev);
4029 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4031 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4032 struct hci_conn *conn;
4033 struct link_key *key;
4037 BT_DBG("%s", hdev->name);
4041 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4045 hci_conn_hold(conn);
4046 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4047 hci_conn_drop(conn);
4049 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4050 conn_set_key(conn, ev->key_type, conn->pin_length);
4052 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4055 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4056 ev->key_type, pin_len, &persistent);
4060 /* Update connection information since adding the key will have
4061 * fixed up the type in the case of changed combination keys.
4063 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4064 conn_set_key(conn, key->type, key->pin_len);
4066 mgmt_new_link_key(hdev, key, persistent);
4068 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4069 * is set. If it's not set simply remove the key from the kernel
4070 * list (we've still notified user space about it but with
4071 * store_hint being 0).
4073 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4074 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4075 list_del_rcu(&key->list);
4076 kfree_rcu(key, rcu);
4081 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4083 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4086 hci_dev_unlock(hdev);
4089 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4091 struct hci_ev_clock_offset *ev = (void *) skb->data;
4092 struct hci_conn *conn;
4094 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4098 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4099 if (conn && !ev->status) {
4100 struct inquiry_entry *ie;
4102 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4104 ie->data.clock_offset = ev->clock_offset;
4105 ie->timestamp = jiffies;
4109 hci_dev_unlock(hdev);
4112 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4114 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4115 struct hci_conn *conn;
4117 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4121 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4122 if (conn && !ev->status)
4123 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4125 hci_dev_unlock(hdev);
4128 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4130 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4131 struct inquiry_entry *ie;
4133 BT_DBG("%s", hdev->name);
4137 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4139 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4140 ie->timestamp = jiffies;
4143 hci_dev_unlock(hdev);
4146 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4147 struct sk_buff *skb)
4149 struct inquiry_data data;
4150 int num_rsp = *((__u8 *) skb->data);
4152 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4157 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4162 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4163 struct inquiry_info_with_rssi_and_pscan_mode *info;
4164 info = (void *) (skb->data + 1);
4166 for (; num_rsp; num_rsp--, info++) {
4169 bacpy(&data.bdaddr, &info->bdaddr);
4170 data.pscan_rep_mode = info->pscan_rep_mode;
4171 data.pscan_period_mode = info->pscan_period_mode;
4172 data.pscan_mode = info->pscan_mode;
4173 memcpy(data.dev_class, info->dev_class, 3);
4174 data.clock_offset = info->clock_offset;
4175 data.rssi = info->rssi;
4176 data.ssp_mode = 0x00;
4178 flags = hci_inquiry_cache_update(hdev, &data, false);
4180 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4181 info->dev_class, info->rssi,
4182 flags, NULL, 0, NULL, 0);
4185 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4187 for (; num_rsp; num_rsp--, info++) {
4190 bacpy(&data.bdaddr, &info->bdaddr);
4191 data.pscan_rep_mode = info->pscan_rep_mode;
4192 data.pscan_period_mode = info->pscan_period_mode;
4193 data.pscan_mode = 0x00;
4194 memcpy(data.dev_class, info->dev_class, 3);
4195 data.clock_offset = info->clock_offset;
4196 data.rssi = info->rssi;
4197 data.ssp_mode = 0x00;
4199 flags = hci_inquiry_cache_update(hdev, &data, false);
4201 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4202 info->dev_class, info->rssi,
4203 flags, NULL, 0, NULL, 0);
4207 hci_dev_unlock(hdev);
4210 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4211 struct sk_buff *skb)
4213 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4214 struct hci_conn *conn;
4216 BT_DBG("%s", hdev->name);
4220 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4224 if (ev->page < HCI_MAX_PAGES)
4225 memcpy(conn->features[ev->page], ev->features, 8);
4227 if (!ev->status && ev->page == 0x01) {
4228 struct inquiry_entry *ie;
4230 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4232 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4234 if (ev->features[0] & LMP_HOST_SSP) {
4235 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4237 /* It is mandatory by the Bluetooth specification that
4238 * Extended Inquiry Results are only used when Secure
4239 * Simple Pairing is enabled, but some devices violate
4242 * To make these devices work, the internal SSP
4243 * enabled flag needs to be cleared if the remote host
4244 * features do not indicate SSP support */
4245 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4248 if (ev->features[0] & LMP_HOST_SC)
4249 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4252 if (conn->state != BT_CONFIG)
4255 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4256 struct hci_cp_remote_name_req cp;
4257 memset(&cp, 0, sizeof(cp));
4258 bacpy(&cp.bdaddr, &conn->dst);
4259 cp.pscan_rep_mode = 0x02;
4260 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4261 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4262 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4264 if (!hci_outgoing_auth_needed(hdev, conn)) {
4265 conn->state = BT_CONNECTED;
4266 hci_connect_cfm(conn, ev->status);
4267 hci_conn_drop(conn);
4271 hci_dev_unlock(hdev);
4274 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4275 struct sk_buff *skb)
4277 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4278 struct hci_conn *conn;
4280 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4284 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4286 if (ev->link_type == ESCO_LINK)
4289 /* When the link type in the event indicates SCO connection
4290 * and lookup of the connection object fails, then check
4291 * if an eSCO connection object exists.
4293 * The core limits the synchronous connections to either
4294 * SCO or eSCO. The eSCO connection is preferred and tried
4295 * to be setup first and until successfully established,
4296 * the link type will be hinted as eSCO.
4298 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4303 switch (ev->status) {
4305 conn->handle = __le16_to_cpu(ev->handle);
4306 conn->state = BT_CONNECTED;
4307 conn->type = ev->link_type;
4309 hci_debugfs_create_conn(conn);
4310 hci_conn_add_sysfs(conn);
4313 case 0x10: /* Connection Accept Timeout */
4314 case 0x0d: /* Connection Rejected due to Limited Resources */
4315 case 0x11: /* Unsupported Feature or Parameter Value */
4316 case 0x1c: /* SCO interval rejected */
4317 case 0x1a: /* Unsupported Remote Feature */
4318 case 0x1e: /* Invalid LMP Parameters */
4319 case 0x1f: /* Unspecified error */
4320 case 0x20: /* Unsupported LMP Parameter value */
4322 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4323 (hdev->esco_type & EDR_ESCO_MASK);
4324 if (hci_setup_sync(conn, conn->link->handle))
4330 conn->state = BT_CLOSED;
4334 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4336 switch (conn->setting & SCO_AIRMODE_MASK) {
4337 case SCO_AIRMODE_CVSD:
4339 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
4341 case SCO_AIRMODE_TRANSP:
4343 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
4347 hci_connect_cfm(conn, ev->status);
4352 hci_dev_unlock(hdev);
4355 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4359 while (parsed < eir_len) {
4360 u8 field_len = eir[0];
4365 parsed += field_len + 1;
4366 eir += field_len + 1;
4372 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4373 struct sk_buff *skb)
4375 struct inquiry_data data;
4376 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4377 int num_rsp = *((__u8 *) skb->data);
4380 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4385 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4390 for (; num_rsp; num_rsp--, info++) {
4394 bacpy(&data.bdaddr, &info->bdaddr);
4395 data.pscan_rep_mode = info->pscan_rep_mode;
4396 data.pscan_period_mode = info->pscan_period_mode;
4397 data.pscan_mode = 0x00;
4398 memcpy(data.dev_class, info->dev_class, 3);
4399 data.clock_offset = info->clock_offset;
4400 data.rssi = info->rssi;
4401 data.ssp_mode = 0x01;
4403 if (hci_dev_test_flag(hdev, HCI_MGMT))
4404 name_known = eir_get_data(info->data,
4406 EIR_NAME_COMPLETE, NULL);
4410 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4412 eir_len = eir_get_length(info->data, sizeof(info->data));
4414 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4415 info->dev_class, info->rssi,
4416 flags, info->data, eir_len, NULL, 0);
4419 hci_dev_unlock(hdev);
4422 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4423 struct sk_buff *skb)
4425 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4426 struct hci_conn *conn;
4428 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4429 __le16_to_cpu(ev->handle));
4433 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4437 /* For BR/EDR the necessary steps are taken through the
4438 * auth_complete event.
4440 if (conn->type != LE_LINK)
4444 conn->sec_level = conn->pending_sec_level;
4446 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4448 if (ev->status && conn->state == BT_CONNECTED) {
4449 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4450 hci_conn_drop(conn);
4454 if (conn->state == BT_CONFIG) {
4456 conn->state = BT_CONNECTED;
4458 hci_connect_cfm(conn, ev->status);
4459 hci_conn_drop(conn);
4461 hci_auth_cfm(conn, ev->status);
4463 hci_conn_hold(conn);
4464 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4465 hci_conn_drop(conn);
4469 hci_dev_unlock(hdev);
4472 static u8 hci_get_auth_req(struct hci_conn *conn)
4474 /* If remote requests no-bonding follow that lead */
4475 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4476 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4477 return conn->remote_auth | (conn->auth_type & 0x01);
4479 /* If both remote and local have enough IO capabilities, require
4482 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4483 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4484 return conn->remote_auth | 0x01;
4486 /* No MITM protection possible so ignore remote requirement */
4487 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4490 static u8 bredr_oob_data_present(struct hci_conn *conn)
4492 struct hci_dev *hdev = conn->hdev;
4493 struct oob_data *data;
4495 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4499 if (bredr_sc_enabled(hdev)) {
4500 /* When Secure Connections is enabled, then just
4501 * return the present value stored with the OOB
4502 * data. The stored value contains the right present
4503 * information. However it can only be trusted when
4504 * not in Secure Connection Only mode.
4506 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4507 return data->present;
4509 /* When Secure Connections Only mode is enabled, then
4510 * the P-256 values are required. If they are not
4511 * available, then do not declare that OOB data is
4514 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4515 !memcmp(data->hash256, ZERO_KEY, 16))
4521 /* When Secure Connections is not enabled or actually
4522 * not supported by the hardware, then check that if
4523 * P-192 data values are present.
4525 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4526 !memcmp(data->hash192, ZERO_KEY, 16))
4532 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4534 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4535 struct hci_conn *conn;
4537 BT_DBG("%s", hdev->name);
4541 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4545 hci_conn_hold(conn);
4547 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4550 /* Allow pairing if we're pairable, the initiators of the
4551 * pairing or if the remote is not requesting bonding.
4553 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4554 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4555 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4556 struct hci_cp_io_capability_reply cp;
4558 bacpy(&cp.bdaddr, &ev->bdaddr);
4559 /* Change the IO capability from KeyboardDisplay
4560 * to DisplayYesNo as it is not supported by BT spec. */
4561 cp.capability = (conn->io_capability == 0x04) ?
4562 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4564 /* If we are initiators, there is no remote information yet */
4565 if (conn->remote_auth == 0xff) {
4566 /* Request MITM protection if our IO caps allow it
4567 * except for the no-bonding case.
4569 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4570 conn->auth_type != HCI_AT_NO_BONDING)
4571 conn->auth_type |= 0x01;
4573 conn->auth_type = hci_get_auth_req(conn);
4576 /* If we're not bondable, force one of the non-bondable
4577 * authentication requirement values.
4579 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4580 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4582 cp.authentication = conn->auth_type;
4583 cp.oob_data = bredr_oob_data_present(conn);
4585 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4588 struct hci_cp_io_capability_neg_reply cp;
4590 bacpy(&cp.bdaddr, &ev->bdaddr);
4591 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4593 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4598 hci_dev_unlock(hdev);
4601 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4603 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4604 struct hci_conn *conn;
4606 BT_DBG("%s", hdev->name);
4610 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4614 conn->remote_cap = ev->capability;
4615 conn->remote_auth = ev->authentication;
4618 hci_dev_unlock(hdev);
4621 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4622 struct sk_buff *skb)
4624 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4625 int loc_mitm, rem_mitm, confirm_hint = 0;
4626 struct hci_conn *conn;
4628 BT_DBG("%s", hdev->name);
4632 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4635 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4639 loc_mitm = (conn->auth_type & 0x01);
4640 rem_mitm = (conn->remote_auth & 0x01);
4642 /* If we require MITM but the remote device can't provide that
4643 * (it has NoInputNoOutput) then reject the confirmation
4644 * request. We check the security level here since it doesn't
4645 * necessarily match conn->auth_type.
4647 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4648 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4649 BT_DBG("Rejecting request: remote device can't provide MITM");
4650 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4651 sizeof(ev->bdaddr), &ev->bdaddr);
4655 /* If no side requires MITM protection; auto-accept */
4656 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4657 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4659 /* If we're not the initiators request authorization to
4660 * proceed from user space (mgmt_user_confirm with
4661 * confirm_hint set to 1). The exception is if neither
4662 * side had MITM or if the local IO capability is
4663 * NoInputNoOutput, in which case we do auto-accept
4665 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4666 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4667 (loc_mitm || rem_mitm)) {
4668 BT_DBG("Confirming auto-accept as acceptor");
4673 /* If there already exists link key in local host, leave the
4674 * decision to user space since the remote device could be
4675 * legitimate or malicious.
4677 if (hci_find_link_key(hdev, &ev->bdaddr)) {
4678 bt_dev_dbg(hdev, "Local host already has link key");
4683 BT_DBG("Auto-accept of user confirmation with %ums delay",
4684 hdev->auto_accept_delay);
4686 if (hdev->auto_accept_delay > 0) {
4687 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4688 queue_delayed_work(conn->hdev->workqueue,
4689 &conn->auto_accept_work, delay);
4693 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4694 sizeof(ev->bdaddr), &ev->bdaddr);
4699 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4700 le32_to_cpu(ev->passkey), confirm_hint);
4703 hci_dev_unlock(hdev);
4706 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4707 struct sk_buff *skb)
4709 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4711 BT_DBG("%s", hdev->name);
4713 if (hci_dev_test_flag(hdev, HCI_MGMT))
4714 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4717 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4718 struct sk_buff *skb)
4720 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4721 struct hci_conn *conn;
4723 BT_DBG("%s", hdev->name);
4725 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4729 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4730 conn->passkey_entered = 0;
4732 if (hci_dev_test_flag(hdev, HCI_MGMT))
4733 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4734 conn->dst_type, conn->passkey_notify,
4735 conn->passkey_entered);
4738 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4740 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4741 struct hci_conn *conn;
4743 BT_DBG("%s", hdev->name);
4745 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4750 case HCI_KEYPRESS_STARTED:
4751 conn->passkey_entered = 0;
4754 case HCI_KEYPRESS_ENTERED:
4755 conn->passkey_entered++;
4758 case HCI_KEYPRESS_ERASED:
4759 conn->passkey_entered--;
4762 case HCI_KEYPRESS_CLEARED:
4763 conn->passkey_entered = 0;
4766 case HCI_KEYPRESS_COMPLETED:
4770 if (hci_dev_test_flag(hdev, HCI_MGMT))
4771 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4772 conn->dst_type, conn->passkey_notify,
4773 conn->passkey_entered);
4776 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4777 struct sk_buff *skb)
4779 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4780 struct hci_conn *conn;
4782 BT_DBG("%s", hdev->name);
4786 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4790 /* Reset the authentication requirement to unknown */
4791 conn->remote_auth = 0xff;
4793 /* To avoid duplicate auth_failed events to user space we check
4794 * the HCI_CONN_AUTH_PEND flag which will be set if we
4795 * initiated the authentication. A traditional auth_complete
4796 * event gets always produced as initiator and is also mapped to
4797 * the mgmt_auth_failed event */
4798 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4799 mgmt_auth_failed(conn, ev->status);
4801 hci_conn_drop(conn);
4804 hci_dev_unlock(hdev);
4807 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4808 struct sk_buff *skb)
4810 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4811 struct inquiry_entry *ie;
4812 struct hci_conn *conn;
4814 BT_DBG("%s", hdev->name);
4818 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4820 memcpy(conn->features[1], ev->features, 8);
4822 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4824 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4826 hci_dev_unlock(hdev);
4829 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4830 struct sk_buff *skb)
4832 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4833 struct oob_data *data;
4835 BT_DBG("%s", hdev->name);
4839 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4842 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4844 struct hci_cp_remote_oob_data_neg_reply cp;
4846 bacpy(&cp.bdaddr, &ev->bdaddr);
4847 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4852 if (bredr_sc_enabled(hdev)) {
4853 struct hci_cp_remote_oob_ext_data_reply cp;
4855 bacpy(&cp.bdaddr, &ev->bdaddr);
4856 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4857 memset(cp.hash192, 0, sizeof(cp.hash192));
4858 memset(cp.rand192, 0, sizeof(cp.rand192));
4860 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4861 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4863 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4864 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4866 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4869 struct hci_cp_remote_oob_data_reply cp;
4871 bacpy(&cp.bdaddr, &ev->bdaddr);
4872 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4873 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4875 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4880 hci_dev_unlock(hdev);
4883 #if IS_ENABLED(CONFIG_BT_HS)
4884 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4886 struct hci_ev_channel_selected *ev = (void *)skb->data;
4887 struct hci_conn *hcon;
4889 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4891 skb_pull(skb, sizeof(*ev));
4893 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4897 amp_read_loc_assoc_final_data(hdev, hcon);
4900 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4901 struct sk_buff *skb)
4903 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4904 struct hci_conn *hcon, *bredr_hcon;
4906 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4911 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4913 hci_dev_unlock(hdev);
4919 hci_dev_unlock(hdev);
4923 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4925 hcon->state = BT_CONNECTED;
4926 bacpy(&hcon->dst, &bredr_hcon->dst);
4928 hci_conn_hold(hcon);
4929 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4930 hci_conn_drop(hcon);
4932 hci_debugfs_create_conn(hcon);
4933 hci_conn_add_sysfs(hcon);
4935 amp_physical_cfm(bredr_hcon, hcon);
4937 hci_dev_unlock(hdev);
4940 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4942 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4943 struct hci_conn *hcon;
4944 struct hci_chan *hchan;
4945 struct amp_mgr *mgr;
4947 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4948 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4951 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4955 /* Create AMP hchan */
4956 hchan = hci_chan_create(hcon);
4960 hchan->handle = le16_to_cpu(ev->handle);
4962 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4964 mgr = hcon->amp_mgr;
4965 if (mgr && mgr->bredr_chan) {
4966 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4968 l2cap_chan_lock(bredr_chan);
4970 bredr_chan->conn->mtu = hdev->block_mtu;
4971 l2cap_logical_cfm(bredr_chan, hchan, 0);
4972 hci_conn_hold(hcon);
4974 l2cap_chan_unlock(bredr_chan);
4978 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4979 struct sk_buff *skb)
4981 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4982 struct hci_chan *hchan;
4984 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4985 le16_to_cpu(ev->handle), ev->status);
4992 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4996 amp_destroy_logical_link(hchan, ev->reason);
4999 hci_dev_unlock(hdev);
5002 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
5003 struct sk_buff *skb)
5005 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
5006 struct hci_conn *hcon;
5008 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5015 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5017 hcon->state = BT_CLOSED;
5021 hci_dev_unlock(hdev);
5025 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5026 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
5027 u16 interval, u16 latency, u16 supervision_timeout)
5029 struct hci_conn_params *params;
5030 struct hci_conn *conn;
5031 struct smp_irk *irk;
5036 /* All controllers implicitly stop advertising in the event of a
5037 * connection, so ensure that the state bit is cleared.
5039 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5041 conn = hci_lookup_le_connect(hdev);
5043 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5045 bt_dev_err(hdev, "no memory for new connection");
5049 conn->dst_type = bdaddr_type;
5051 /* If we didn't have a hci_conn object previously
5052 * but we're in master role this must be something
5053 * initiated using a white list. Since white list based
5054 * connections are not "first class citizens" we don't
5055 * have full tracking of them. Therefore, we go ahead
5056 * with a "best effort" approach of determining the
5057 * initiator address based on the HCI_PRIVACY flag.
5060 conn->resp_addr_type = bdaddr_type;
5061 bacpy(&conn->resp_addr, bdaddr);
5062 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5063 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5064 bacpy(&conn->init_addr, &hdev->rpa);
5066 hci_copy_identity_address(hdev,
5068 &conn->init_addr_type);
5072 cancel_delayed_work(&conn->le_conn_timeout);
5076 /* Set the responder (our side) address type based on
5077 * the advertising address type.
5079 conn->resp_addr_type = hdev->adv_addr_type;
5080 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5081 /* In case of ext adv, resp_addr will be updated in
5082 * Adv Terminated event.
5084 if (!ext_adv_capable(hdev))
5085 bacpy(&conn->resp_addr, &hdev->random_addr);
5087 bacpy(&conn->resp_addr, &hdev->bdaddr);
5090 conn->init_addr_type = bdaddr_type;
5091 bacpy(&conn->init_addr, bdaddr);
5093 /* For incoming connections, set the default minimum
5094 * and maximum connection interval. They will be used
5095 * to check if the parameters are in range and if not
5096 * trigger the connection update procedure.
5098 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5099 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5102 /* Lookup the identity address from the stored connection
5103 * address and address type.
5105 * When establishing connections to an identity address, the
5106 * connection procedure will store the resolvable random
5107 * address first. Now if it can be converted back into the
5108 * identity address, start using the identity address from
5111 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5113 bacpy(&conn->dst, &irk->bdaddr);
5114 conn->dst_type = irk->addr_type;
5118 hci_le_conn_failed(conn, status);
5122 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5123 addr_type = BDADDR_LE_PUBLIC;
5125 addr_type = BDADDR_LE_RANDOM;
5127 /* Drop the connection if the device is blocked */
5128 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5129 hci_conn_drop(conn);
5133 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5134 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5136 conn->sec_level = BT_SECURITY_LOW;
5137 conn->handle = handle;
5138 conn->state = BT_CONFIG;
5140 conn->le_conn_interval = interval;
5141 conn->le_conn_latency = latency;
5142 conn->le_supv_timeout = supervision_timeout;
5144 hci_debugfs_create_conn(conn);
5145 hci_conn_add_sysfs(conn);
5147 /* The remote features procedure is defined for master
5148 * role only. So only in case of an initiated connection
5149 * request the remote features.
5151 * If the local controller supports slave-initiated features
5152 * exchange, then requesting the remote features in slave
5153 * role is possible. Otherwise just transition into the
5154 * connected state without requesting the remote features.
5157 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5158 struct hci_cp_le_read_remote_features cp;
5160 cp.handle = __cpu_to_le16(conn->handle);
5162 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5165 hci_conn_hold(conn);
5167 conn->state = BT_CONNECTED;
5168 hci_connect_cfm(conn, status);
5171 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5174 list_del_init(¶ms->action);
5176 hci_conn_drop(params->conn);
5177 hci_conn_put(params->conn);
5178 params->conn = NULL;
5183 hci_update_background_scan(hdev);
5184 hci_dev_unlock(hdev);
5187 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5189 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5191 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5193 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5194 ev->role, le16_to_cpu(ev->handle),
5195 le16_to_cpu(ev->interval),
5196 le16_to_cpu(ev->latency),
5197 le16_to_cpu(ev->supervision_timeout));
5200 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5201 struct sk_buff *skb)
5203 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5205 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5207 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5208 ev->role, le16_to_cpu(ev->handle),
5209 le16_to_cpu(ev->interval),
5210 le16_to_cpu(ev->latency),
5211 le16_to_cpu(ev->supervision_timeout));
5214 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5216 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5217 struct hci_conn *conn;
5219 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5224 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5226 struct adv_info *adv_instance;
5228 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5231 if (!hdev->cur_adv_instance) {
5232 bacpy(&conn->resp_addr, &hdev->random_addr);
5236 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5238 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5242 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5243 struct sk_buff *skb)
5245 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5246 struct hci_conn *conn;
5248 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5255 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5257 conn->le_conn_interval = le16_to_cpu(ev->interval);
5258 conn->le_conn_latency = le16_to_cpu(ev->latency);
5259 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5262 hci_dev_unlock(hdev);
5265 /* This function requires the caller holds hdev->lock */
5266 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5268 u8 addr_type, u8 adv_type,
5269 bdaddr_t *direct_rpa)
5271 struct hci_conn *conn;
5272 struct hci_conn_params *params;
5274 /* If the event is not connectable don't proceed further */
5275 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5278 /* Ignore if the device is blocked */
5279 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5282 /* Most controller will fail if we try to create new connections
5283 * while we have an existing one in slave role.
5285 if (hdev->conn_hash.le_num_slave > 0 &&
5286 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5287 !(hdev->le_states[3] & 0x10)))
5290 /* If we're not connectable only connect devices that we have in
5291 * our pend_le_conns list.
5293 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5298 if (!params->explicit_connect) {
5299 switch (params->auto_connect) {
5300 case HCI_AUTO_CONN_DIRECT:
5301 /* Only devices advertising with ADV_DIRECT_IND are
5302 * triggering a connection attempt. This is allowing
5303 * incoming connections from slave devices.
5305 if (adv_type != LE_ADV_DIRECT_IND)
5308 case HCI_AUTO_CONN_ALWAYS:
5309 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5310 * are triggering a connection attempt. This means
5311 * that incoming connections from slave device are
5312 * accepted and also outgoing connections to slave
5313 * devices are established when found.
5321 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5322 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5324 if (!IS_ERR(conn)) {
5325 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5326 * by higher layer that tried to connect, if no then
5327 * store the pointer since we don't really have any
5328 * other owner of the object besides the params that
5329 * triggered it. This way we can abort the connection if
5330 * the parameters get removed and keep the reference
5331 * count consistent once the connection is established.
5334 if (!params->explicit_connect)
5335 params->conn = hci_conn_get(conn);
5340 switch (PTR_ERR(conn)) {
5342 /* If hci_connect() returns -EBUSY it means there is already
5343 * an LE connection attempt going on. Since controllers don't
5344 * support more than one connection attempt at the time, we
5345 * don't consider this an error case.
5349 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5356 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5357 u8 bdaddr_type, bdaddr_t *direct_addr,
5358 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5360 struct discovery_state *d = &hdev->discovery;
5361 struct smp_irk *irk;
5362 struct hci_conn *conn;
5369 case LE_ADV_DIRECT_IND:
5370 case LE_ADV_SCAN_IND:
5371 case LE_ADV_NONCONN_IND:
5372 case LE_ADV_SCAN_RSP:
5375 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5376 "type: 0x%02x", type);
5380 /* Find the end of the data in case the report contains padded zero
5381 * bytes at the end causing an invalid length value.
5383 * When data is NULL, len is 0 so there is no need for extra ptr
5384 * check as 'ptr < data + 0' is already false in such case.
5386 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5387 if (ptr + 1 + *ptr > data + len)
5391 real_len = ptr - data;
5393 /* Adjust for actual length */
5394 if (len != real_len) {
5395 bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u",
5400 /* If the direct address is present, then this report is from
5401 * a LE Direct Advertising Report event. In that case it is
5402 * important to see if the address is matching the local
5403 * controller address.
5406 /* Only resolvable random addresses are valid for these
5407 * kind of reports and others can be ignored.
5409 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5412 /* If the controller is not using resolvable random
5413 * addresses, then this report can be ignored.
5415 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5418 /* If the local IRK of the controller does not match
5419 * with the resolvable random address provided, then
5420 * this report can be ignored.
5422 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5426 /* Check if we need to convert to identity address */
5427 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5429 bdaddr = &irk->bdaddr;
5430 bdaddr_type = irk->addr_type;
5433 /* Check if we have been requested to connect to this device.
5435 * direct_addr is set only for directed advertising reports (it is NULL
5436 * for advertising reports) and is already verified to be RPA above.
5438 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5440 if (conn && type == LE_ADV_IND) {
5441 /* Store report for later inclusion by
5442 * mgmt_device_connected
5444 memcpy(conn->le_adv_data, data, len);
5445 conn->le_adv_data_len = len;
5448 /* Passive scanning shouldn't trigger any device found events,
5449 * except for devices marked as CONN_REPORT for which we do send
5450 * device found events.
5452 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5453 if (type == LE_ADV_DIRECT_IND)
5456 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5457 bdaddr, bdaddr_type))
5460 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5461 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5464 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5465 rssi, flags, data, len, NULL, 0);
5469 /* When receiving non-connectable or scannable undirected
5470 * advertising reports, this means that the remote device is
5471 * not connectable and then clearly indicate this in the
5472 * device found event.
5474 * When receiving a scan response, then there is no way to
5475 * know if the remote device is connectable or not. However
5476 * since scan responses are merged with a previously seen
5477 * advertising report, the flags field from that report
5480 * In the really unlikely case that a controller get confused
5481 * and just sends a scan response event, then it is marked as
5482 * not connectable as well.
5484 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5485 type == LE_ADV_SCAN_RSP)
5486 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5490 /* If there's nothing pending either store the data from this
5491 * event or send an immediate device found event if the data
5492 * should not be stored for later.
5494 if (!has_pending_adv_report(hdev)) {
5495 /* If the report will trigger a SCAN_REQ store it for
5498 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5499 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5500 rssi, flags, data, len);
5504 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5505 rssi, flags, data, len, NULL, 0);
5509 /* Check if the pending report is for the same device as the new one */
5510 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5511 bdaddr_type == d->last_adv_addr_type);
5513 /* If the pending data doesn't match this report or this isn't a
5514 * scan response (e.g. we got a duplicate ADV_IND) then force
5515 * sending of the pending data.
5517 if (type != LE_ADV_SCAN_RSP || !match) {
5518 /* Send out whatever is in the cache, but skip duplicates */
5520 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5521 d->last_adv_addr_type, NULL,
5522 d->last_adv_rssi, d->last_adv_flags,
5524 d->last_adv_data_len, NULL, 0);
5526 /* If the new report will trigger a SCAN_REQ store it for
5529 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5530 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5531 rssi, flags, data, len);
5535 /* The advertising reports cannot be merged, so clear
5536 * the pending report and send out a device found event.
5538 clear_pending_adv_report(hdev);
5539 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5540 rssi, flags, data, len, NULL, 0);
5544 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5545 * the new event is a SCAN_RSP. We can therefore proceed with
5546 * sending a merged device found event.
5548 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5549 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5550 d->last_adv_data, d->last_adv_data_len, data, len);
5551 clear_pending_adv_report(hdev);
5554 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5556 u8 num_reports = skb->data[0];
5557 void *ptr = &skb->data[1];
5561 while (num_reports--) {
5562 struct hci_ev_le_advertising_info *ev = ptr;
5565 if (ev->length <= HCI_MAX_AD_LENGTH) {
5566 rssi = ev->data[ev->length];
5567 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5568 ev->bdaddr_type, NULL, 0, rssi,
5569 ev->data, ev->length);
5571 bt_dev_err(hdev, "Dropping invalid advertising data");
5574 ptr += sizeof(*ev) + ev->length + 1;
5577 hci_dev_unlock(hdev);
5580 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
5582 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5584 case LE_LEGACY_ADV_IND:
5586 case LE_LEGACY_ADV_DIRECT_IND:
5587 return LE_ADV_DIRECT_IND;
5588 case LE_LEGACY_ADV_SCAN_IND:
5589 return LE_ADV_SCAN_IND;
5590 case LE_LEGACY_NONCONN_IND:
5591 return LE_ADV_NONCONN_IND;
5592 case LE_LEGACY_SCAN_RSP_ADV:
5593 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5594 return LE_ADV_SCAN_RSP;
5600 if (evt_type & LE_EXT_ADV_CONN_IND) {
5601 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5602 return LE_ADV_DIRECT_IND;
5607 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5608 return LE_ADV_SCAN_RSP;
5610 if (evt_type & LE_EXT_ADV_SCAN_IND)
5611 return LE_ADV_SCAN_IND;
5613 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5614 evt_type & LE_EXT_ADV_DIRECT_IND)
5615 return LE_ADV_NONCONN_IND;
5618 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
5621 return LE_ADV_INVALID;
5624 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5626 u8 num_reports = skb->data[0];
5627 void *ptr = &skb->data[1];
5631 while (num_reports--) {
5632 struct hci_ev_le_ext_adv_report *ev = ptr;
5636 evt_type = __le16_to_cpu(ev->evt_type);
5637 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
5638 if (legacy_evt_type != LE_ADV_INVALID) {
5639 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5640 ev->bdaddr_type, NULL, 0, ev->rssi,
5641 ev->data, ev->length);
5644 ptr += sizeof(*ev) + ev->length;
5647 hci_dev_unlock(hdev);
5650 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5651 struct sk_buff *skb)
5653 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5654 struct hci_conn *conn;
5656 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5660 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5663 memcpy(conn->features[0], ev->features, 8);
5665 if (conn->state == BT_CONFIG) {
5668 /* If the local controller supports slave-initiated
5669 * features exchange, but the remote controller does
5670 * not, then it is possible that the error code 0x1a
5671 * for unsupported remote feature gets returned.
5673 * In this specific case, allow the connection to
5674 * transition into connected state and mark it as
5677 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5678 !conn->out && ev->status == 0x1a)
5681 status = ev->status;
5683 conn->state = BT_CONNECTED;
5684 hci_connect_cfm(conn, status);
5685 hci_conn_drop(conn);
5689 hci_dev_unlock(hdev);
5692 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5694 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5695 struct hci_cp_le_ltk_reply cp;
5696 struct hci_cp_le_ltk_neg_reply neg;
5697 struct hci_conn *conn;
5698 struct smp_ltk *ltk;
5700 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5704 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5708 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5712 if (smp_ltk_is_sc(ltk)) {
5713 /* With SC both EDiv and Rand are set to zero */
5714 if (ev->ediv || ev->rand)
5717 /* For non-SC keys check that EDiv and Rand match */
5718 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5722 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5723 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5724 cp.handle = cpu_to_le16(conn->handle);
5726 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5728 conn->enc_key_size = ltk->enc_size;
5730 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5732 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5733 * temporary key used to encrypt a connection following
5734 * pairing. It is used during the Encrypted Session Setup to
5735 * distribute the keys. Later, security can be re-established
5736 * using a distributed LTK.
5738 if (ltk->type == SMP_STK) {
5739 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5740 list_del_rcu(<k->list);
5741 kfree_rcu(ltk, rcu);
5743 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5746 hci_dev_unlock(hdev);
5751 neg.handle = ev->handle;
5752 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5753 hci_dev_unlock(hdev);
5756 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5759 struct hci_cp_le_conn_param_req_neg_reply cp;
5761 cp.handle = cpu_to_le16(handle);
5764 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5768 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5769 struct sk_buff *skb)
5771 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5772 struct hci_cp_le_conn_param_req_reply cp;
5773 struct hci_conn *hcon;
5774 u16 handle, min, max, latency, timeout;
5776 handle = le16_to_cpu(ev->handle);
5777 min = le16_to_cpu(ev->interval_min);
5778 max = le16_to_cpu(ev->interval_max);
5779 latency = le16_to_cpu(ev->latency);
5780 timeout = le16_to_cpu(ev->timeout);
5782 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5783 if (!hcon || hcon->state != BT_CONNECTED)
5784 return send_conn_param_neg_reply(hdev, handle,
5785 HCI_ERROR_UNKNOWN_CONN_ID);
5787 if (hci_check_conn_params(min, max, latency, timeout))
5788 return send_conn_param_neg_reply(hdev, handle,
5789 HCI_ERROR_INVALID_LL_PARAMS);
5791 if (hcon->role == HCI_ROLE_MASTER) {
5792 struct hci_conn_params *params;
5797 params = hci_conn_params_lookup(hdev, &hcon->dst,
5800 params->conn_min_interval = min;
5801 params->conn_max_interval = max;
5802 params->conn_latency = latency;
5803 params->supervision_timeout = timeout;
5809 hci_dev_unlock(hdev);
5811 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5812 store_hint, min, max, latency, timeout);
5815 cp.handle = ev->handle;
5816 cp.interval_min = ev->interval_min;
5817 cp.interval_max = ev->interval_max;
5818 cp.latency = ev->latency;
5819 cp.timeout = ev->timeout;
5823 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5826 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5827 struct sk_buff *skb)
5829 u8 num_reports = skb->data[0];
5830 void *ptr = &skb->data[1];
5834 while (num_reports--) {
5835 struct hci_ev_le_direct_adv_info *ev = ptr;
5837 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5838 ev->bdaddr_type, &ev->direct_addr,
5839 ev->direct_addr_type, ev->rssi, NULL, 0);
5844 hci_dev_unlock(hdev);
5847 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
5849 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
5850 struct hci_conn *conn;
5852 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5859 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5863 conn->le_tx_phy = ev->tx_phy;
5864 conn->le_rx_phy = ev->rx_phy;
5867 hci_dev_unlock(hdev);
5870 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5872 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5874 skb_pull(skb, sizeof(*le_ev));
5876 switch (le_ev->subevent) {
5877 case HCI_EV_LE_CONN_COMPLETE:
5878 hci_le_conn_complete_evt(hdev, skb);
5881 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5882 hci_le_conn_update_complete_evt(hdev, skb);
5885 case HCI_EV_LE_ADVERTISING_REPORT:
5886 hci_le_adv_report_evt(hdev, skb);
5889 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5890 hci_le_remote_feat_complete_evt(hdev, skb);
5893 case HCI_EV_LE_LTK_REQ:
5894 hci_le_ltk_request_evt(hdev, skb);
5897 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5898 hci_le_remote_conn_param_req_evt(hdev, skb);
5901 case HCI_EV_LE_DIRECT_ADV_REPORT:
5902 hci_le_direct_adv_report_evt(hdev, skb);
5905 case HCI_EV_LE_PHY_UPDATE_COMPLETE:
5906 hci_le_phy_update_evt(hdev, skb);
5909 case HCI_EV_LE_EXT_ADV_REPORT:
5910 hci_le_ext_adv_report_evt(hdev, skb);
5913 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5914 hci_le_enh_conn_complete_evt(hdev, skb);
5917 case HCI_EV_LE_EXT_ADV_SET_TERM:
5918 hci_le_ext_adv_term_evt(hdev, skb);
5926 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5927 u8 event, struct sk_buff *skb)
5929 struct hci_ev_cmd_complete *ev;
5930 struct hci_event_hdr *hdr;
5935 if (skb->len < sizeof(*hdr)) {
5936 bt_dev_err(hdev, "too short HCI event");
5940 hdr = (void *) skb->data;
5941 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5944 if (hdr->evt != event)
5949 /* Check if request ended in Command Status - no way to retreive
5950 * any extra parameters in this case.
5952 if (hdr->evt == HCI_EV_CMD_STATUS)
5955 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5956 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5961 if (skb->len < sizeof(*ev)) {
5962 bt_dev_err(hdev, "too short cmd_complete event");
5966 ev = (void *) skb->data;
5967 skb_pull(skb, sizeof(*ev));
5969 if (opcode != __le16_to_cpu(ev->opcode)) {
5970 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5971 __le16_to_cpu(ev->opcode));
5978 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5980 struct hci_event_hdr *hdr = (void *) skb->data;
5981 hci_req_complete_t req_complete = NULL;
5982 hci_req_complete_skb_t req_complete_skb = NULL;
5983 struct sk_buff *orig_skb = NULL;
5984 u8 status = 0, event = hdr->evt, req_evt = 0;
5985 u16 opcode = HCI_OP_NOP;
5988 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
5992 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5993 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5994 opcode = __le16_to_cpu(cmd_hdr->opcode);
5995 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
6000 /* If it looks like we might end up having to call
6001 * req_complete_skb, store a pristine copy of the skb since the
6002 * various handlers may modify the original one through
6003 * skb_pull() calls, etc.
6005 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
6006 event == HCI_EV_CMD_COMPLETE)
6007 orig_skb = skb_clone(skb, GFP_KERNEL);
6009 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6012 case HCI_EV_INQUIRY_COMPLETE:
6013 hci_inquiry_complete_evt(hdev, skb);
6016 case HCI_EV_INQUIRY_RESULT:
6017 hci_inquiry_result_evt(hdev, skb);
6020 case HCI_EV_CONN_COMPLETE:
6021 hci_conn_complete_evt(hdev, skb);
6024 case HCI_EV_CONN_REQUEST:
6025 hci_conn_request_evt(hdev, skb);
6028 case HCI_EV_DISCONN_COMPLETE:
6029 hci_disconn_complete_evt(hdev, skb);
6032 case HCI_EV_AUTH_COMPLETE:
6033 hci_auth_complete_evt(hdev, skb);
6036 case HCI_EV_REMOTE_NAME:
6037 hci_remote_name_evt(hdev, skb);
6040 case HCI_EV_ENCRYPT_CHANGE:
6041 hci_encrypt_change_evt(hdev, skb);
6044 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6045 hci_change_link_key_complete_evt(hdev, skb);
6048 case HCI_EV_REMOTE_FEATURES:
6049 hci_remote_features_evt(hdev, skb);
6052 case HCI_EV_CMD_COMPLETE:
6053 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6054 &req_complete, &req_complete_skb);
6057 case HCI_EV_CMD_STATUS:
6058 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6062 case HCI_EV_HARDWARE_ERROR:
6063 hci_hardware_error_evt(hdev, skb);
6066 case HCI_EV_ROLE_CHANGE:
6067 hci_role_change_evt(hdev, skb);
6070 case HCI_EV_NUM_COMP_PKTS:
6071 hci_num_comp_pkts_evt(hdev, skb);
6074 case HCI_EV_MODE_CHANGE:
6075 hci_mode_change_evt(hdev, skb);
6078 case HCI_EV_PIN_CODE_REQ:
6079 hci_pin_code_request_evt(hdev, skb);
6082 case HCI_EV_LINK_KEY_REQ:
6083 hci_link_key_request_evt(hdev, skb);
6086 case HCI_EV_LINK_KEY_NOTIFY:
6087 hci_link_key_notify_evt(hdev, skb);
6090 case HCI_EV_CLOCK_OFFSET:
6091 hci_clock_offset_evt(hdev, skb);
6094 case HCI_EV_PKT_TYPE_CHANGE:
6095 hci_pkt_type_change_evt(hdev, skb);
6098 case HCI_EV_PSCAN_REP_MODE:
6099 hci_pscan_rep_mode_evt(hdev, skb);
6102 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6103 hci_inquiry_result_with_rssi_evt(hdev, skb);
6106 case HCI_EV_REMOTE_EXT_FEATURES:
6107 hci_remote_ext_features_evt(hdev, skb);
6110 case HCI_EV_SYNC_CONN_COMPLETE:
6111 hci_sync_conn_complete_evt(hdev, skb);
6114 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6115 hci_extended_inquiry_result_evt(hdev, skb);
6118 case HCI_EV_KEY_REFRESH_COMPLETE:
6119 hci_key_refresh_complete_evt(hdev, skb);
6122 case HCI_EV_IO_CAPA_REQUEST:
6123 hci_io_capa_request_evt(hdev, skb);
6126 case HCI_EV_IO_CAPA_REPLY:
6127 hci_io_capa_reply_evt(hdev, skb);
6130 case HCI_EV_USER_CONFIRM_REQUEST:
6131 hci_user_confirm_request_evt(hdev, skb);
6134 case HCI_EV_USER_PASSKEY_REQUEST:
6135 hci_user_passkey_request_evt(hdev, skb);
6138 case HCI_EV_USER_PASSKEY_NOTIFY:
6139 hci_user_passkey_notify_evt(hdev, skb);
6142 case HCI_EV_KEYPRESS_NOTIFY:
6143 hci_keypress_notify_evt(hdev, skb);
6146 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6147 hci_simple_pair_complete_evt(hdev, skb);
6150 case HCI_EV_REMOTE_HOST_FEATURES:
6151 hci_remote_host_features_evt(hdev, skb);
6154 case HCI_EV_LE_META:
6155 hci_le_meta_evt(hdev, skb);
6158 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6159 hci_remote_oob_data_request_evt(hdev, skb);
6162 #if IS_ENABLED(CONFIG_BT_HS)
6163 case HCI_EV_CHANNEL_SELECTED:
6164 hci_chan_selected_evt(hdev, skb);
6167 case HCI_EV_PHY_LINK_COMPLETE:
6168 hci_phy_link_complete_evt(hdev, skb);
6171 case HCI_EV_LOGICAL_LINK_COMPLETE:
6172 hci_loglink_complete_evt(hdev, skb);
6175 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6176 hci_disconn_loglink_complete_evt(hdev, skb);
6179 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6180 hci_disconn_phylink_complete_evt(hdev, skb);
6184 case HCI_EV_NUM_COMP_BLOCKS:
6185 hci_num_comp_blocks_evt(hdev, skb);
6189 msft_vendor_evt(hdev, skb);
6193 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6198 req_complete(hdev, status, opcode);
6199 } else if (req_complete_skb) {
6200 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6201 kfree_skb(orig_skb);
6204 req_complete_skb(hdev, status, opcode, orig_skb);
6208 kfree_skb(orig_skb);
6210 hdev->stat.evt_rx++;