2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 "\x00\x00\x00\x00\x00\x00\x00\x00"
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
50 /* Handle HCI Event packets */
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
57 data = skb_pull_data(skb, len);
59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
69 data = skb_pull_data(skb, len);
71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
81 data = skb_pull_data(skb, len);
83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
91 struct hci_ev_status *rp = data;
93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
95 /* It is possible that we receive Inquiry Complete event right
96 * before we receive Inquiry Cancel Command Complete event, in
97 * which case the latter event should have status of Command
98 * Disallowed (0x0c). This should not be treated as error, since
99 * we actually achieve what Inquiry Cancel wants to achieve,
100 * which is to end the last Inquiry session.
102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
110 clear_bit(HCI_INQUIRY, &hdev->flags);
111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 wake_up_bit(&hdev->flags, HCI_INQUIRY);
115 /* Set discovery state to stopped if we're not doing LE active
118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 hdev->le_scan_type != LE_SCAN_ACTIVE)
120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 hci_dev_unlock(hdev);
123 hci_conn_check_pending(hdev);
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
131 struct hci_ev_status *rp = data;
133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
146 struct hci_ev_status *rp = data;
148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
155 hci_conn_check_pending(hdev);
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
163 struct hci_ev_status *rp = data;
165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
173 struct hci_rp_role_discovery *rp = data;
174 struct hci_conn *conn;
176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
185 conn->role = rp->role;
187 hci_dev_unlock(hdev);
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
195 struct hci_rp_read_link_policy *rp = data;
196 struct hci_conn *conn;
198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
207 conn->link_policy = __le16_to_cpu(rp->policy);
209 hci_dev_unlock(hdev);
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
217 struct hci_rp_write_link_policy *rp = data;
218 struct hci_conn *conn;
221 struct hci_cp_write_link_policy cp;
222 struct hci_conn *sco_conn;
225 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
230 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
236 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
238 conn->link_policy = get_unaligned_le16(sent + 2);
241 sco_conn = hci_conn_hash_lookup_sco(hdev);
242 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
243 conn->link_policy & HCI_LP_SNIFF) {
244 BT_ERR("SNIFF is not allowed during sco connection");
245 cp.handle = __cpu_to_le16(conn->handle);
246 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
247 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
251 hci_dev_unlock(hdev);
256 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
259 struct hci_rp_read_def_link_policy *rp = data;
261 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
266 hdev->link_policy = __le16_to_cpu(rp->policy);
271 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
274 struct hci_ev_status *rp = data;
277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
282 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
286 hdev->link_policy = get_unaligned_le16(sent);
291 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
293 struct hci_ev_status *rp = data;
295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
297 clear_bit(HCI_RESET, &hdev->flags);
302 /* Reset all non-persistent flags */
303 hci_dev_clear_volatile_flags(hdev);
305 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
307 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
308 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
310 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
311 hdev->adv_data_len = 0;
313 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
314 hdev->scan_rsp_data_len = 0;
316 hdev->le_scan_type = LE_SCAN_PASSIVE;
318 hdev->ssp_debug_mode = 0;
320 hci_bdaddr_list_clear(&hdev->le_accept_list);
321 hci_bdaddr_list_clear(&hdev->le_resolv_list);
326 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
329 struct hci_rp_read_stored_link_key *rp = data;
330 struct hci_cp_read_stored_link_key *sent;
332 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
338 if (!rp->status && sent->read_all == 0x01) {
339 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
340 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
346 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
349 struct hci_rp_delete_stored_link_key *rp = data;
352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
357 num_keys = le16_to_cpu(rp->num_keys);
359 if (num_keys <= hdev->stored_num_keys)
360 hdev->stored_num_keys -= num_keys;
362 hdev->stored_num_keys = 0;
367 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
370 struct hci_ev_status *rp = data;
373 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
375 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
381 if (hci_dev_test_flag(hdev, HCI_MGMT))
382 mgmt_set_local_name_complete(hdev, sent, rp->status);
383 else if (!rp->status)
384 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
386 hci_dev_unlock(hdev);
391 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
394 struct hci_rp_read_local_name *rp = data;
396 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
401 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
402 hci_dev_test_flag(hdev, HCI_CONFIG))
403 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
408 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
411 struct hci_ev_status *rp = data;
414 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
416 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
423 __u8 param = *((__u8 *) sent);
425 if (param == AUTH_ENABLED)
426 set_bit(HCI_AUTH, &hdev->flags);
428 clear_bit(HCI_AUTH, &hdev->flags);
431 if (hci_dev_test_flag(hdev, HCI_MGMT))
432 mgmt_auth_enable_complete(hdev, rp->status);
434 hci_dev_unlock(hdev);
439 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
442 struct hci_ev_status *rp = data;
446 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
451 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
455 param = *((__u8 *) sent);
458 set_bit(HCI_ENCRYPT, &hdev->flags);
460 clear_bit(HCI_ENCRYPT, &hdev->flags);
465 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
468 struct hci_ev_status *rp = data;
472 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
474 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
478 param = *((__u8 *) sent);
483 hdev->discov_timeout = 0;
487 if (param & SCAN_INQUIRY)
488 set_bit(HCI_ISCAN, &hdev->flags);
490 clear_bit(HCI_ISCAN, &hdev->flags);
492 if (param & SCAN_PAGE)
493 set_bit(HCI_PSCAN, &hdev->flags);
495 clear_bit(HCI_PSCAN, &hdev->flags);
498 hci_dev_unlock(hdev);
503 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
506 struct hci_ev_status *rp = data;
507 struct hci_cp_set_event_filter *cp;
510 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
515 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
519 cp = (struct hci_cp_set_event_filter *)sent;
521 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
522 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
524 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
529 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
532 struct hci_rp_read_class_of_dev *rp = data;
535 return HCI_ERROR_UNSPECIFIED;
537 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
542 memcpy(hdev->dev_class, rp->dev_class, 3);
544 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
545 hdev->dev_class[1], hdev->dev_class[0]);
550 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
553 struct hci_ev_status *rp = data;
556 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
558 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
565 memcpy(hdev->dev_class, sent, 3);
567 if (hci_dev_test_flag(hdev, HCI_MGMT))
568 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
570 hci_dev_unlock(hdev);
575 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
578 struct hci_rp_read_voice_setting *rp = data;
581 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
586 setting = __le16_to_cpu(rp->voice_setting);
588 if (hdev->voice_setting == setting)
591 hdev->voice_setting = setting;
593 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
596 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
601 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
604 struct hci_ev_status *rp = data;
608 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
613 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
617 setting = get_unaligned_le16(sent);
619 if (hdev->voice_setting == setting)
622 hdev->voice_setting = setting;
624 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
627 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
632 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
635 struct hci_rp_read_num_supported_iac *rp = data;
637 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
642 hdev->num_iac = rp->num_iac;
644 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
649 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
652 struct hci_ev_status *rp = data;
653 struct hci_cp_write_ssp_mode *sent;
655 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
657 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
665 hdev->features[1][0] |= LMP_HOST_SSP;
667 hdev->features[1][0] &= ~LMP_HOST_SSP;
672 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
674 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
677 hci_dev_unlock(hdev);
682 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
685 struct hci_ev_status *rp = data;
686 struct hci_cp_write_sc_support *sent;
688 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
690 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
698 hdev->features[1][0] |= LMP_HOST_SC;
700 hdev->features[1][0] &= ~LMP_HOST_SC;
703 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
705 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
707 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
710 hci_dev_unlock(hdev);
715 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
718 struct hci_rp_read_local_version *rp = data;
720 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
725 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
726 hci_dev_test_flag(hdev, HCI_CONFIG)) {
727 hdev->hci_ver = rp->hci_ver;
728 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
729 hdev->lmp_ver = rp->lmp_ver;
730 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
731 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
737 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
740 struct hci_rp_read_enc_key_size *rp = data;
741 struct hci_conn *conn;
743 u8 status = rp->status;
745 bt_dev_dbg(hdev, "status 0x%2.2x", status);
747 handle = le16_to_cpu(rp->handle);
751 conn = hci_conn_hash_lookup_handle(hdev, handle);
757 /* While unexpected, the read_enc_key_size command may fail. The most
758 * secure approach is to then assume the key size is 0 to force a
762 bt_dev_err(hdev, "failed to read key size for handle %u",
764 conn->enc_key_size = 0;
766 conn->enc_key_size = rp->key_size;
769 if (conn->enc_key_size < hdev->min_enc_key_size) {
770 /* As slave role, the conn->state has been set to
771 * BT_CONNECTED and l2cap conn req might not be received
772 * yet, at this moment the l2cap layer almost does
773 * nothing with the non-zero status.
774 * So we also clear encrypt related bits, and then the
775 * handler of l2cap conn req will get the right secure
776 * state at a later time.
778 status = HCI_ERROR_AUTH_FAILURE;
779 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
780 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
784 hci_encrypt_cfm(conn, status);
787 hci_dev_unlock(hdev);
792 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
795 struct hci_rp_read_local_commands *rp = data;
797 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
802 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
803 hci_dev_test_flag(hdev, HCI_CONFIG))
804 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
809 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
812 struct hci_rp_read_auth_payload_to *rp = data;
813 struct hci_conn *conn;
815 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
822 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
824 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
826 hci_dev_unlock(hdev);
831 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
834 struct hci_rp_write_auth_payload_to *rp = data;
835 struct hci_conn *conn;
838 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
840 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
846 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
853 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
856 hci_dev_unlock(hdev);
861 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
864 struct hci_rp_read_local_features *rp = data;
866 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
871 memcpy(hdev->features, rp->features, 8);
873 /* Adjust default settings according to features
874 * supported by device. */
876 if (hdev->features[0][0] & LMP_3SLOT)
877 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
879 if (hdev->features[0][0] & LMP_5SLOT)
880 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
882 if (hdev->features[0][1] & LMP_HV2) {
883 hdev->pkt_type |= (HCI_HV2);
884 hdev->esco_type |= (ESCO_HV2);
887 if (hdev->features[0][1] & LMP_HV3) {
888 hdev->pkt_type |= (HCI_HV3);
889 hdev->esco_type |= (ESCO_HV3);
892 if (lmp_esco_capable(hdev))
893 hdev->esco_type |= (ESCO_EV3);
895 if (hdev->features[0][4] & LMP_EV4)
896 hdev->esco_type |= (ESCO_EV4);
898 if (hdev->features[0][4] & LMP_EV5)
899 hdev->esco_type |= (ESCO_EV5);
901 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
902 hdev->esco_type |= (ESCO_2EV3);
904 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
905 hdev->esco_type |= (ESCO_3EV3);
907 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
908 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
913 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
916 struct hci_rp_read_local_ext_features *rp = data;
918 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
923 if (hdev->max_page < rp->max_page) {
924 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
926 bt_dev_warn(hdev, "broken local ext features page 2");
928 hdev->max_page = rp->max_page;
931 if (rp->page < HCI_MAX_PAGES)
932 memcpy(hdev->features[rp->page], rp->features, 8);
937 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
940 struct hci_rp_read_flow_control_mode *rp = data;
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
947 hdev->flow_ctl_mode = rp->mode;
952 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
955 struct hci_rp_read_buffer_size *rp = data;
957 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
962 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
963 hdev->sco_mtu = rp->sco_mtu;
964 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
965 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
967 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
972 hdev->acl_cnt = hdev->acl_pkts;
973 hdev->sco_cnt = hdev->sco_pkts;
975 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
976 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
981 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
984 struct hci_rp_read_bd_addr *rp = data;
986 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
991 if (test_bit(HCI_INIT, &hdev->flags))
992 bacpy(&hdev->bdaddr, &rp->bdaddr);
994 if (hci_dev_test_flag(hdev, HCI_SETUP))
995 bacpy(&hdev->setup_addr, &rp->bdaddr);
1000 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
1001 struct sk_buff *skb)
1003 struct hci_rp_read_local_pairing_opts *rp = data;
1005 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1010 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1011 hci_dev_test_flag(hdev, HCI_CONFIG)) {
1012 hdev->pairing_opts = rp->pairing_opts;
1013 hdev->max_enc_key_size = rp->max_key_size;
1019 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1020 struct sk_buff *skb)
1022 struct hci_rp_read_page_scan_activity *rp = data;
1024 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1029 if (test_bit(HCI_INIT, &hdev->flags)) {
1030 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1031 hdev->page_scan_window = __le16_to_cpu(rp->window);
1037 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1038 struct sk_buff *skb)
1040 struct hci_ev_status *rp = data;
1041 struct hci_cp_write_page_scan_activity *sent;
1043 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1048 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1052 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1053 hdev->page_scan_window = __le16_to_cpu(sent->window);
1058 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1059 struct sk_buff *skb)
1061 struct hci_rp_read_page_scan_type *rp = data;
1063 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1068 if (test_bit(HCI_INIT, &hdev->flags))
1069 hdev->page_scan_type = rp->type;
1074 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1075 struct sk_buff *skb)
1077 struct hci_ev_status *rp = data;
1080 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1085 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1087 hdev->page_scan_type = *type;
1092 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1093 struct sk_buff *skb)
1095 struct hci_rp_read_data_block_size *rp = data;
1097 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1102 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1103 hdev->block_len = __le16_to_cpu(rp->block_len);
1104 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1106 hdev->block_cnt = hdev->num_blocks;
1108 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1109 hdev->block_cnt, hdev->block_len);
1114 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1115 struct sk_buff *skb)
1117 struct hci_rp_read_clock *rp = data;
1118 struct hci_cp_read_clock *cp;
1119 struct hci_conn *conn;
1121 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1128 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1132 if (cp->which == 0x00) {
1133 hdev->clock = le32_to_cpu(rp->clock);
1137 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1139 conn->clock = le32_to_cpu(rp->clock);
1140 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1144 hci_dev_unlock(hdev);
1148 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1149 struct sk_buff *skb)
1151 struct hci_rp_read_local_amp_info *rp = data;
1153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1158 hdev->amp_status = rp->amp_status;
1159 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1160 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1161 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1162 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1163 hdev->amp_type = rp->amp_type;
1164 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1165 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1166 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1167 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1172 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1173 struct sk_buff *skb)
1175 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1182 hdev->inq_tx_power = rp->tx_power;
1187 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 struct sk_buff *skb)
1190 struct hci_rp_read_def_err_data_reporting *rp = data;
1192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1197 hdev->err_data_reporting = rp->err_data_reporting;
1202 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1203 struct sk_buff *skb)
1205 struct hci_ev_status *rp = data;
1206 struct hci_cp_write_def_err_data_reporting *cp;
1208 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1213 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1217 hdev->err_data_reporting = cp->err_data_reporting;
1222 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1223 struct sk_buff *skb)
1225 struct hci_rp_pin_code_reply *rp = data;
1226 struct hci_cp_pin_code_reply *cp;
1227 struct hci_conn *conn;
1229 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1233 if (hci_dev_test_flag(hdev, HCI_MGMT))
1234 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1239 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1243 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1245 conn->pin_length = cp->pin_len;
1248 hci_dev_unlock(hdev);
1252 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1253 struct sk_buff *skb)
1255 struct hci_rp_pin_code_neg_reply *rp = data;
1257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1261 if (hci_dev_test_flag(hdev, HCI_MGMT))
1262 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1265 hci_dev_unlock(hdev);
1270 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1271 struct sk_buff *skb)
1273 struct hci_rp_le_read_buffer_size *rp = data;
1275 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1280 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1281 hdev->le_pkts = rp->le_max_pkt;
1283 hdev->le_cnt = hdev->le_pkts;
1285 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1290 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_local_features *rp = data;
1295 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1300 memcpy(hdev->le_features, rp->features, 8);
1305 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_le_read_adv_tx_power *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1315 hdev->adv_tx_power = rp->tx_power;
1320 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1321 struct sk_buff *skb)
1323 struct hci_rp_user_confirm_reply *rp = data;
1325 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1329 if (hci_dev_test_flag(hdev, HCI_MGMT))
1330 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1333 hci_dev_unlock(hdev);
1338 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1339 struct sk_buff *skb)
1341 struct hci_rp_user_confirm_reply *rp = data;
1343 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1347 if (hci_dev_test_flag(hdev, HCI_MGMT))
1348 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1349 ACL_LINK, 0, rp->status);
1351 hci_dev_unlock(hdev);
1356 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1357 struct sk_buff *skb)
1359 struct hci_rp_user_confirm_reply *rp = data;
1361 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1365 if (hci_dev_test_flag(hdev, HCI_MGMT))
1366 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1369 hci_dev_unlock(hdev);
1374 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1375 struct sk_buff *skb)
1377 struct hci_rp_user_confirm_reply *rp = data;
1379 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1383 if (hci_dev_test_flag(hdev, HCI_MGMT))
1384 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1385 ACL_LINK, 0, rp->status);
1387 hci_dev_unlock(hdev);
1392 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1393 struct sk_buff *skb)
1395 struct hci_rp_read_local_oob_data *rp = data;
1397 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1402 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1403 struct sk_buff *skb)
1405 struct hci_rp_read_local_oob_ext_data *rp = data;
1407 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1412 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1413 struct sk_buff *skb)
1415 struct hci_ev_status *rp = data;
1418 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1423 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1429 bacpy(&hdev->random_addr, sent);
1431 if (!bacmp(&hdev->rpa, sent)) {
1432 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1433 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1434 secs_to_jiffies(hdev->rpa_timeout));
1437 hci_dev_unlock(hdev);
1442 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1443 struct sk_buff *skb)
1445 struct hci_ev_status *rp = data;
1446 struct hci_cp_le_set_default_phy *cp;
1448 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1453 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1459 hdev->le_tx_def_phys = cp->tx_phys;
1460 hdev->le_rx_def_phys = cp->rx_phys;
1462 hci_dev_unlock(hdev);
1467 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1468 struct sk_buff *skb)
1470 struct hci_ev_status *rp = data;
1471 struct hci_cp_le_set_adv_set_rand_addr *cp;
1472 struct adv_info *adv;
1474 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1479 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1480 /* Update only in case the adv instance since handle 0x00 shall be using
1481 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1482 * non-extended adverting.
1484 if (!cp || !cp->handle)
1489 adv = hci_find_adv_instance(hdev, cp->handle);
1491 bacpy(&adv->random_addr, &cp->bdaddr);
1492 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1493 adv->rpa_expired = false;
1494 queue_delayed_work(hdev->workqueue,
1495 &adv->rpa_expired_cb,
1496 secs_to_jiffies(hdev->rpa_timeout));
1500 hci_dev_unlock(hdev);
1505 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1506 struct sk_buff *skb)
1508 struct hci_ev_status *rp = data;
1512 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1517 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1523 err = hci_remove_adv_instance(hdev, *instance);
1525 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1528 hci_dev_unlock(hdev);
1533 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1534 struct sk_buff *skb)
1536 struct hci_ev_status *rp = data;
1537 struct adv_info *adv, *n;
1540 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1545 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1550 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1551 u8 instance = adv->instance;
1553 err = hci_remove_adv_instance(hdev, instance);
1555 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1559 hci_dev_unlock(hdev);
1564 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1565 struct sk_buff *skb)
1567 struct hci_rp_le_read_transmit_power *rp = data;
1569 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1574 hdev->min_le_tx_power = rp->min_le_tx_power;
1575 hdev->max_le_tx_power = rp->max_le_tx_power;
1580 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1581 struct sk_buff *skb)
1583 struct hci_ev_status *rp = data;
1584 struct hci_cp_le_set_privacy_mode *cp;
1585 struct hci_conn_params *params;
1587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1592 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1598 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1600 WRITE_ONCE(params->privacy_mode, cp->mode);
1602 hci_dev_unlock(hdev);
1607 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1608 struct sk_buff *skb)
1610 struct hci_ev_status *rp = data;
1613 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1618 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1624 /* If we're doing connection initiation as peripheral. Set a
1625 * timeout in case something goes wrong.
1628 struct hci_conn *conn;
1630 hci_dev_set_flag(hdev, HCI_LE_ADV);
1632 conn = hci_lookup_le_connect(hdev);
1634 queue_delayed_work(hdev->workqueue,
1635 &conn->le_conn_timeout,
1636 conn->conn_timeout);
1638 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1641 hci_dev_unlock(hdev);
1646 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1647 struct sk_buff *skb)
1649 struct hci_cp_le_set_ext_adv_enable *cp;
1650 struct hci_cp_ext_adv_set *set;
1651 struct adv_info *adv = NULL, *n;
1652 struct hci_ev_status *rp = data;
1654 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1659 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1663 set = (void *)cp->data;
1667 if (cp->num_of_sets)
1668 adv = hci_find_adv_instance(hdev, set->handle);
1671 struct hci_conn *conn;
1673 hci_dev_set_flag(hdev, HCI_LE_ADV);
1675 if (adv && !adv->periodic)
1676 adv->enabled = true;
1678 conn = hci_lookup_le_connect(hdev);
1680 queue_delayed_work(hdev->workqueue,
1681 &conn->le_conn_timeout,
1682 conn->conn_timeout);
1684 if (cp->num_of_sets) {
1686 adv->enabled = false;
1688 /* If just one instance was disabled check if there are
1689 * any other instance enabled before clearing HCI_LE_ADV
1691 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1697 /* All instances shall be considered disabled */
1698 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1700 adv->enabled = false;
1703 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1707 hci_dev_unlock(hdev);
1711 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1712 struct sk_buff *skb)
1714 struct hci_cp_le_set_scan_param *cp;
1715 struct hci_ev_status *rp = data;
1717 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1722 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1728 hdev->le_scan_type = cp->type;
1730 hci_dev_unlock(hdev);
1735 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1736 struct sk_buff *skb)
1738 struct hci_cp_le_set_ext_scan_params *cp;
1739 struct hci_ev_status *rp = data;
1740 struct hci_cp_le_scan_phy_params *phy_param;
1742 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1747 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1751 phy_param = (void *)cp->data;
1755 hdev->le_scan_type = phy_param->type;
1757 hci_dev_unlock(hdev);
1762 static bool has_pending_adv_report(struct hci_dev *hdev)
1764 struct discovery_state *d = &hdev->discovery;
1766 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1769 static void clear_pending_adv_report(struct hci_dev *hdev)
1771 struct discovery_state *d = &hdev->discovery;
1773 bacpy(&d->last_adv_addr, BDADDR_ANY);
1774 d->last_adv_data_len = 0;
1778 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1779 u8 bdaddr_type, s8 rssi, u32 flags,
1782 struct discovery_state *d = &hdev->discovery;
1784 if (len > max_adv_len(hdev))
1787 bacpy(&d->last_adv_addr, bdaddr);
1788 d->last_adv_addr_type = bdaddr_type;
1789 d->last_adv_rssi = rssi;
1790 d->last_adv_flags = flags;
1791 memcpy(d->last_adv_data, data, len);
1792 d->last_adv_data_len = len;
1796 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1801 case LE_SCAN_ENABLE:
1802 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1803 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1804 clear_pending_adv_report(hdev);
1805 if (hci_dev_test_flag(hdev, HCI_MESH))
1806 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1809 case LE_SCAN_DISABLE:
1810 /* We do this here instead of when setting DISCOVERY_STOPPED
1811 * since the latter would potentially require waiting for
1812 * inquiry to stop too.
1814 if (has_pending_adv_report(hdev)) {
1815 struct discovery_state *d = &hdev->discovery;
1817 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1818 d->last_adv_addr_type, NULL,
1819 d->last_adv_rssi, d->last_adv_flags,
1821 d->last_adv_data_len, NULL, 0, 0);
1824 /* Cancel this timer so that we don't try to disable scanning
1825 * when it's already disabled.
1827 cancel_delayed_work(&hdev->le_scan_disable);
1829 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1831 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1832 * interrupted scanning due to a connect request. Mark
1833 * therefore discovery as stopped.
1835 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1836 #ifndef TIZEN_BT /* The below line is kernel bug. */
1837 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1839 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1841 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1842 hdev->discovery.state == DISCOVERY_FINDING)
1843 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1848 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1853 hci_dev_unlock(hdev);
1856 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1857 struct sk_buff *skb)
1859 struct hci_cp_le_set_scan_enable *cp;
1860 struct hci_ev_status *rp = data;
1862 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1867 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1871 le_set_scan_enable_complete(hdev, cp->enable);
1876 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1877 struct sk_buff *skb)
1879 struct hci_cp_le_set_ext_scan_enable *cp;
1880 struct hci_ev_status *rp = data;
1882 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1887 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1891 le_set_scan_enable_complete(hdev, cp->enable);
1896 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1897 struct sk_buff *skb)
1899 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1901 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1907 hdev->le_num_of_adv_sets = rp->num_of_sets;
1912 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1913 struct sk_buff *skb)
1915 struct hci_rp_le_read_accept_list_size *rp = data;
1917 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1922 hdev->le_accept_list_size = rp->size;
1927 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1928 struct sk_buff *skb)
1930 struct hci_ev_status *rp = data;
1932 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1938 hci_bdaddr_list_clear(&hdev->le_accept_list);
1939 hci_dev_unlock(hdev);
1944 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1945 struct sk_buff *skb)
1947 struct hci_cp_le_add_to_accept_list *sent;
1948 struct hci_ev_status *rp = data;
1950 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1955 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1960 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1962 hci_dev_unlock(hdev);
1967 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1968 struct sk_buff *skb)
1970 struct hci_cp_le_del_from_accept_list *sent;
1971 struct hci_ev_status *rp = data;
1973 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1978 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1983 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1985 hci_dev_unlock(hdev);
1990 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1991 struct sk_buff *skb)
1993 struct hci_rp_le_read_supported_states *rp = data;
1995 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2000 memcpy(hdev->le_states, rp->le_states, 8);
2005 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
2006 struct sk_buff *skb)
2008 struct hci_rp_le_read_def_data_len *rp = data;
2010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2019 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
2020 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2023 mgmt_le_read_host_suggested_data_length_complete(hdev, rp->status);
2025 hci_dev_unlock(hdev);
2031 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2032 struct sk_buff *skb)
2034 struct hci_cp_le_write_def_data_len *sent;
2035 struct hci_ev_status *rp = data;
2037 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2046 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2054 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2055 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2060 mgmt_le_write_host_suggested_data_length_complete(hdev, rp->status);
2065 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2066 struct sk_buff *skb)
2068 struct hci_cp_le_add_to_resolv_list *sent;
2069 struct hci_ev_status *rp = data;
2071 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2076 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2081 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2082 sent->bdaddr_type, sent->peer_irk,
2084 hci_dev_unlock(hdev);
2089 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2090 struct sk_buff *skb)
2092 struct hci_cp_le_del_from_resolv_list *sent;
2093 struct hci_ev_status *rp = data;
2095 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2100 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2105 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2107 hci_dev_unlock(hdev);
2112 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2113 struct sk_buff *skb)
2115 struct hci_ev_status *rp = data;
2117 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2123 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2124 hci_dev_unlock(hdev);
2129 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2130 struct sk_buff *skb)
2132 struct hci_rp_le_read_resolv_list_size *rp = data;
2134 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2139 hdev->le_resolv_list_size = rp->size;
2144 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2145 struct sk_buff *skb)
2147 struct hci_ev_status *rp = data;
2150 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2155 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2162 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2164 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2166 hci_dev_unlock(hdev);
2171 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2172 struct sk_buff *skb)
2174 struct hci_rp_le_read_max_data_len *rp = data;
2176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2185 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2186 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2187 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2188 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2191 mgmt_le_read_maximum_data_length_complete(hdev, rp->status);
2192 hci_dev_unlock(hdev);
2198 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2199 struct sk_buff *skb)
2201 struct hci_cp_write_le_host_supported *sent;
2202 struct hci_ev_status *rp = data;
2204 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2209 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2216 hdev->features[1][0] |= LMP_HOST_LE;
2217 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2219 hdev->features[1][0] &= ~LMP_HOST_LE;
2220 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2221 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2225 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2227 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2229 hci_dev_unlock(hdev);
2234 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2235 struct sk_buff *skb)
2237 struct hci_cp_le_set_adv_param *cp;
2238 struct hci_ev_status *rp = data;
2240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2245 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2250 hdev->adv_addr_type = cp->own_address_type;
2251 hci_dev_unlock(hdev);
2256 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2257 struct sk_buff *skb)
2259 struct hci_rp_le_set_ext_adv_params *rp = data;
2260 struct hci_cp_le_set_ext_adv_params *cp;
2261 struct adv_info *adv_instance;
2263 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2268 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2273 hdev->adv_addr_type = cp->own_addr_type;
2275 /* Store in hdev for instance 0 */
2276 hdev->adv_tx_power = rp->tx_power;
2278 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2280 adv_instance->tx_power = rp->tx_power;
2282 /* Update adv data as tx power is known now */
2283 hci_update_adv_data(hdev, cp->handle);
2285 hci_dev_unlock(hdev);
2291 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2292 struct sk_buff *skb)
2294 struct hci_cc_rsp_enable_rssi *rp = data;
2296 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2297 hdev->name, rp->status, rp->le_ext_opcode);
2299 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2304 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2305 struct sk_buff *skb)
2307 struct hci_cc_rp_get_raw_rssi *rp = data;
2309 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2310 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2312 mgmt_raw_rssi_response(hdev, rp, rp->status);
2317 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2318 struct sk_buff *skb)
2320 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2322 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2324 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2328 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2329 struct sk_buff *skb)
2331 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2332 __u8 event_le_ext_sub_code;
2334 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2335 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2337 skb_pull(skb, sizeof(*ev));
2338 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2340 switch (event_le_ext_sub_code) {
2341 case LE_RSSI_LINK_ALERT:
2342 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2350 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
2351 struct sk_buff *skb)
2353 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
2355 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
2357 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
2358 ev->state_change_reason,
2359 ev->connection_handle);
2362 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2363 struct sk_buff *skb)
2365 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2366 __u8 event_sub_code;
2368 BT_DBG("hci_vendor_specific_evt");
2370 skb_pull(skb, sizeof(*ev));
2371 event_sub_code = ev->event_sub_code;
2373 switch (event_sub_code) {
2374 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2375 hci_vendor_specific_group_ext_evt(hdev, skb);
2378 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
2379 hci_vendor_multi_adv_state_change_evt(hdev, skb);
2387 static void hci_le_data_length_changed_complete_evt(struct hci_dev *hdev,
2389 struct sk_buff *skb)
2391 struct hci_ev_le_data_len_change *ev = (void *)skb->data;
2392 struct hci_conn *conn;
2394 BT_DBG("%s status", hdev->name);
2398 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2400 conn->tx_len = le16_to_cpu(ev->tx_len);
2401 conn->tx_time = le16_to_cpu(ev->tx_time);
2402 conn->rx_len = le16_to_cpu(ev->rx_len);
2403 conn->rx_time = le16_to_cpu(ev->rx_time);
2405 mgmt_le_data_length_change_complete(hdev, &conn->dst,
2406 conn->tx_len, conn->tx_time,
2407 conn->rx_len, conn->rx_time);
2410 hci_dev_unlock(hdev);
2414 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2415 struct sk_buff *skb)
2417 struct hci_rp_read_rssi *rp = data;
2418 struct hci_conn *conn;
2420 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2427 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2429 conn->rssi = rp->rssi;
2431 hci_dev_unlock(hdev);
2436 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2437 struct sk_buff *skb)
2439 struct hci_cp_read_tx_power *sent;
2440 struct hci_rp_read_tx_power *rp = data;
2441 struct hci_conn *conn;
2443 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2448 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2454 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2458 switch (sent->type) {
2460 conn->tx_power = rp->tx_power;
2463 conn->max_tx_power = rp->tx_power;
2468 hci_dev_unlock(hdev);
2472 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2473 struct sk_buff *skb)
2475 struct hci_ev_status *rp = data;
2478 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2483 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2485 hdev->ssp_debug_mode = *mode;
2490 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2492 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2495 hci_conn_check_pending(hdev);
2499 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2500 set_bit(HCI_INQUIRY, &hdev->flags);
2503 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2505 struct hci_cp_create_conn *cp;
2506 struct hci_conn *conn;
2508 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2510 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2516 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2518 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2521 if (conn && conn->state == BT_CONNECT) {
2522 if (status != 0x0c || conn->attempt > 2) {
2523 conn->state = BT_CLOSED;
2524 hci_connect_cfm(conn, status);
2527 conn->state = BT_CONNECT2;
2531 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2534 bt_dev_err(hdev, "no memory for new connection");
2538 hci_dev_unlock(hdev);
2541 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2543 struct hci_cp_add_sco *cp;
2544 struct hci_conn *acl;
2545 struct hci_link *link;
2548 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2553 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2557 handle = __le16_to_cpu(cp->handle);
2559 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2563 acl = hci_conn_hash_lookup_handle(hdev, handle);
2565 link = list_first_entry_or_null(&acl->link_list,
2566 struct hci_link, list);
2567 if (link && link->conn) {
2568 link->conn->state = BT_CLOSED;
2570 hci_connect_cfm(link->conn, status);
2571 hci_conn_del(link->conn);
2575 hci_dev_unlock(hdev);
2578 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2580 struct hci_cp_auth_requested *cp;
2581 struct hci_conn *conn;
2583 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2588 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2594 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2596 if (conn->state == BT_CONFIG) {
2597 hci_connect_cfm(conn, status);
2598 hci_conn_drop(conn);
2602 hci_dev_unlock(hdev);
2605 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2607 struct hci_cp_set_conn_encrypt *cp;
2608 struct hci_conn *conn;
2610 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2615 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2621 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2623 if (conn->state == BT_CONFIG) {
2624 hci_connect_cfm(conn, status);
2625 hci_conn_drop(conn);
2629 hci_dev_unlock(hdev);
2632 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2633 struct hci_conn *conn)
2635 if (conn->state != BT_CONFIG || !conn->out)
2638 if (conn->pending_sec_level == BT_SECURITY_SDP)
2641 /* Only request authentication for SSP connections or non-SSP
2642 * devices with sec_level MEDIUM or HIGH or if MITM protection
2645 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2646 conn->pending_sec_level != BT_SECURITY_FIPS &&
2647 conn->pending_sec_level != BT_SECURITY_HIGH &&
2648 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2654 static int hci_resolve_name(struct hci_dev *hdev,
2655 struct inquiry_entry *e)
2657 struct hci_cp_remote_name_req cp;
2659 memset(&cp, 0, sizeof(cp));
2661 bacpy(&cp.bdaddr, &e->data.bdaddr);
2662 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2663 cp.pscan_mode = e->data.pscan_mode;
2664 cp.clock_offset = e->data.clock_offset;
2666 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2669 static bool hci_resolve_next_name(struct hci_dev *hdev)
2671 struct discovery_state *discov = &hdev->discovery;
2672 struct inquiry_entry *e;
2674 if (list_empty(&discov->resolve))
2677 /* We should stop if we already spent too much time resolving names. */
2678 if (time_after(jiffies, discov->name_resolve_timeout)) {
2679 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2683 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2687 if (hci_resolve_name(hdev, e) == 0) {
2688 e->name_state = NAME_PENDING;
2695 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2696 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2698 struct discovery_state *discov = &hdev->discovery;
2699 struct inquiry_entry *e;
2702 /* Update the mgmt connected state if necessary. Be careful with
2703 * conn objects that exist but are not (yet) connected however.
2704 * Only those in BT_CONFIG or BT_CONNECTED states can be
2705 * considered connected.
2708 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2709 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2710 mgmt_device_connected(hdev, conn, name, name_len);
2712 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2716 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2717 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2718 mgmt_device_connected(hdev, conn, name, name_len);
2721 if (discov->state == DISCOVERY_STOPPED)
2724 if (discov->state == DISCOVERY_STOPPING)
2725 goto discov_complete;
2727 if (discov->state != DISCOVERY_RESOLVING)
2730 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2731 /* If the device was not found in a list of found devices names of which
2732 * are pending. there is no need to continue resolving a next name as it
2733 * will be done upon receiving another Remote Name Request Complete
2740 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2741 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2744 if (hci_resolve_next_name(hdev))
2748 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2751 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2753 struct hci_cp_remote_name_req *cp;
2754 struct hci_conn *conn;
2756 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2758 /* If successful wait for the name req complete event before
2759 * checking for the need to do authentication */
2763 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2769 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2771 if (hci_dev_test_flag(hdev, HCI_MGMT))
2772 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2777 if (!hci_outgoing_auth_needed(hdev, conn))
2780 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2781 struct hci_cp_auth_requested auth_cp;
2783 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2785 auth_cp.handle = __cpu_to_le16(conn->handle);
2786 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2787 sizeof(auth_cp), &auth_cp);
2791 hci_dev_unlock(hdev);
2794 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2796 struct hci_cp_read_remote_features *cp;
2797 struct hci_conn *conn;
2799 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2810 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2812 if (conn->state == BT_CONFIG) {
2813 hci_connect_cfm(conn, status);
2814 hci_conn_drop(conn);
2818 hci_dev_unlock(hdev);
2821 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2823 struct hci_cp_read_remote_ext_features *cp;
2824 struct hci_conn *conn;
2826 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2831 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2837 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2839 if (conn->state == BT_CONFIG) {
2840 hci_connect_cfm(conn, status);
2841 hci_conn_drop(conn);
2845 hci_dev_unlock(hdev);
2848 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2851 struct hci_conn *acl;
2852 struct hci_link *link;
2854 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2858 acl = hci_conn_hash_lookup_handle(hdev, handle);
2860 link = list_first_entry_or_null(&acl->link_list,
2861 struct hci_link, list);
2862 if (link && link->conn) {
2863 link->conn->state = BT_CLOSED;
2865 hci_connect_cfm(link->conn, status);
2866 hci_conn_del(link->conn);
2870 hci_dev_unlock(hdev);
2873 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2875 struct hci_cp_setup_sync_conn *cp;
2877 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2882 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2886 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2889 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2891 struct hci_cp_enhanced_setup_sync_conn *cp;
2893 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2898 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2902 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2905 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2907 struct hci_cp_sniff_mode *cp;
2908 struct hci_conn *conn;
2910 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2915 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2921 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2923 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2925 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2926 hci_sco_setup(conn, status);
2929 hci_dev_unlock(hdev);
2932 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2934 struct hci_cp_exit_sniff_mode *cp;
2935 struct hci_conn *conn;
2937 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2942 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2948 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2950 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2952 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2953 hci_sco_setup(conn, status);
2956 hci_dev_unlock(hdev);
2959 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2961 struct hci_cp_disconnect *cp;
2962 struct hci_conn_params *params;
2963 struct hci_conn *conn;
2966 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2968 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2969 * otherwise cleanup the connection immediately.
2971 if (!status && !hdev->suspended)
2974 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2980 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2985 u8 type = conn->type;
2986 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2987 conn->dst_type, status);
2989 if (type == LE_LINK)
2990 hci_enable_advertising(hdev);
2992 /* Inform sockets conn is gone before we delete it */
2993 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2998 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3000 if (conn->type == ACL_LINK) {
3001 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3002 hci_remove_link_key(hdev, &conn->dst);
3005 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3007 switch (params->auto_connect) {
3008 case HCI_AUTO_CONN_LINK_LOSS:
3009 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3013 case HCI_AUTO_CONN_DIRECT:
3014 case HCI_AUTO_CONN_ALWAYS:
3015 hci_pend_le_list_del_init(params);
3016 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3024 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3025 cp->reason, mgmt_conn);
3027 hci_disconn_cfm(conn, cp->reason);
3030 /* If the disconnection failed for any reason, the upper layer
3031 * does not retry to disconnect in current implementation.
3032 * Hence, we need to do some basic cleanup here and re-enable
3033 * advertising if necessary.
3037 hci_dev_unlock(hdev);
3040 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
3042 /* When using controller based address resolution, then the new
3043 * address types 0x02 and 0x03 are used. These types need to be
3044 * converted back into either public address or random address type
3047 case ADDR_LE_DEV_PUBLIC_RESOLVED:
3050 return ADDR_LE_DEV_PUBLIC;
3051 case ADDR_LE_DEV_RANDOM_RESOLVED:
3054 return ADDR_LE_DEV_RANDOM;
3062 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
3063 u8 peer_addr_type, u8 own_address_type,
3066 struct hci_conn *conn;
3068 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
3073 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
3075 /* Store the initiator and responder address information which
3076 * is needed for SMP. These values will not change during the
3077 * lifetime of the connection.
3079 conn->init_addr_type = own_address_type;
3080 if (own_address_type == ADDR_LE_DEV_RANDOM)
3081 bacpy(&conn->init_addr, &hdev->random_addr);
3083 bacpy(&conn->init_addr, &hdev->bdaddr);
3085 conn->resp_addr_type = peer_addr_type;
3086 bacpy(&conn->resp_addr, peer_addr);
3089 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3091 struct hci_cp_le_create_conn *cp;
3093 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3095 /* All connection failure handling is taken care of by the
3096 * hci_conn_failed function which is triggered by the HCI
3097 * request completion callbacks used for connecting.
3102 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3108 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3109 cp->own_address_type, cp->filter_policy);
3111 hci_dev_unlock(hdev);
3114 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3116 struct hci_cp_le_ext_create_conn *cp;
3118 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3120 /* All connection failure handling is taken care of by the
3121 * hci_conn_failed function which is triggered by the HCI
3122 * request completion callbacks used for connecting.
3127 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3133 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3134 cp->own_addr_type, cp->filter_policy);
3136 hci_dev_unlock(hdev);
3139 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3141 struct hci_cp_le_read_remote_features *cp;
3142 struct hci_conn *conn;
3144 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3149 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3155 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3157 if (conn->state == BT_CONFIG) {
3158 hci_connect_cfm(conn, status);
3159 hci_conn_drop(conn);
3163 hci_dev_unlock(hdev);
3166 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3168 struct hci_cp_le_start_enc *cp;
3169 struct hci_conn *conn;
3171 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3178 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3182 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3186 if (conn->state != BT_CONNECTED)
3189 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3190 hci_conn_drop(conn);
3193 hci_dev_unlock(hdev);
3196 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3198 struct hci_cp_switch_role *cp;
3199 struct hci_conn *conn;
3201 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3206 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3212 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3214 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3216 hci_dev_unlock(hdev);
3219 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3220 struct sk_buff *skb)
3222 struct hci_ev_status *ev = data;
3223 struct discovery_state *discov = &hdev->discovery;
3224 struct inquiry_entry *e;
3226 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3228 hci_conn_check_pending(hdev);
3230 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3233 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3234 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3236 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3241 if (discov->state != DISCOVERY_FINDING)
3244 if (list_empty(&discov->resolve)) {
3245 /* When BR/EDR inquiry is active and no LE scanning is in
3246 * progress, then change discovery state to indicate completion.
3248 * When running LE scanning and BR/EDR inquiry simultaneously
3249 * and the LE scan already finished, then change the discovery
3250 * state to indicate completion.
3252 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3253 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3254 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3258 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3259 if (e && hci_resolve_name(hdev, e) == 0) {
3260 e->name_state = NAME_PENDING;
3261 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3262 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3264 /* When BR/EDR inquiry is active and no LE scanning is in
3265 * progress, then change discovery state to indicate completion.
3267 * When running LE scanning and BR/EDR inquiry simultaneously
3268 * and the LE scan already finished, then change the discovery
3269 * state to indicate completion.
3271 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3272 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3273 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3277 hci_dev_unlock(hdev);
3280 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3281 struct sk_buff *skb)
3283 struct hci_ev_inquiry_result *ev = edata;
3284 struct inquiry_data data;
3287 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3288 flex_array_size(ev, info, ev->num)))
3291 bt_dev_dbg(hdev, "num %d", ev->num);
3296 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3301 for (i = 0; i < ev->num; i++) {
3302 struct inquiry_info *info = &ev->info[i];
3305 bacpy(&data.bdaddr, &info->bdaddr);
3306 data.pscan_rep_mode = info->pscan_rep_mode;
3307 data.pscan_period_mode = info->pscan_period_mode;
3308 data.pscan_mode = info->pscan_mode;
3309 memcpy(data.dev_class, info->dev_class, 3);
3310 data.clock_offset = info->clock_offset;
3311 data.rssi = HCI_RSSI_INVALID;
3312 data.ssp_mode = 0x00;
3314 flags = hci_inquiry_cache_update(hdev, &data, false);
3316 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3317 info->dev_class, HCI_RSSI_INVALID,
3318 flags, NULL, 0, NULL, 0, 0);
3321 hci_dev_unlock(hdev);
3324 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3325 struct sk_buff *skb)
3327 struct hci_ev_conn_complete *ev = data;
3328 struct hci_conn *conn;
3329 u8 status = ev->status;
3331 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3335 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3337 /* In case of error status and there is no connection pending
3338 * just unlock as there is nothing to cleanup.
3343 /* Connection may not exist if auto-connected. Check the bredr
3344 * allowlist to see if this device is allowed to auto connect.
3345 * If link is an ACL type, create a connection class
3348 * Auto-connect will only occur if the event filter is
3349 * programmed with a given address. Right now, event filter is
3350 * only used during suspend.
3352 if (ev->link_type == ACL_LINK &&
3353 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3356 conn = hci_conn_add_unset(hdev, ev->link_type,
3357 &ev->bdaddr, HCI_ROLE_SLAVE);
3359 bt_dev_err(hdev, "no memory for new conn");
3363 if (ev->link_type != SCO_LINK)
3366 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3371 conn->type = SCO_LINK;
3375 /* The HCI_Connection_Complete event is only sent once per connection.
3376 * Processing it more than once per connection can corrupt kernel memory.
3378 * As the connection handle is set here for the first time, it indicates
3379 * whether the connection is already set up.
3381 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3382 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3387 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3391 if (conn->type == ACL_LINK) {
3392 conn->state = BT_CONFIG;
3393 hci_conn_hold(conn);
3395 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3396 !hci_find_link_key(hdev, &ev->bdaddr))
3397 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3399 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3401 conn->state = BT_CONNECTED;
3403 hci_debugfs_create_conn(conn);
3404 hci_conn_add_sysfs(conn);
3406 if (test_bit(HCI_AUTH, &hdev->flags))
3407 set_bit(HCI_CONN_AUTH, &conn->flags);
3409 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3410 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3412 /* Get remote features */
3413 if (conn->type == ACL_LINK) {
3414 struct hci_cp_read_remote_features cp;
3415 cp.handle = ev->handle;
3416 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3419 hci_update_scan(hdev);
3422 /* Set packet type for incoming connection */
3423 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3424 struct hci_cp_change_conn_ptype cp;
3425 cp.handle = ev->handle;
3426 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3427 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3432 if (get_link_mode(conn) & HCI_LM_MASTER)
3433 hci_conn_change_supervision_timeout(conn,
3434 LINK_SUPERVISION_TIMEOUT);
3438 if (conn->type == ACL_LINK)
3439 hci_sco_setup(conn, ev->status);
3443 hci_conn_failed(conn, status);
3444 } else if (ev->link_type == SCO_LINK) {
3445 switch (conn->setting & SCO_AIRMODE_MASK) {
3446 case SCO_AIRMODE_CVSD:
3448 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3452 hci_connect_cfm(conn, status);
3456 hci_dev_unlock(hdev);
3458 hci_conn_check_pending(hdev);
3461 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3463 struct hci_cp_reject_conn_req cp;
3465 bacpy(&cp.bdaddr, bdaddr);
3466 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3467 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3470 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3471 struct sk_buff *skb)
3473 struct hci_ev_conn_request *ev = data;
3474 int mask = hdev->link_mode;
3475 struct inquiry_entry *ie;
3476 struct hci_conn *conn;
3479 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3481 /* Reject incoming connection from device with same BD ADDR against
3484 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3485 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3487 hci_reject_conn(hdev, &ev->bdaddr);
3491 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3494 if (!(mask & HCI_LM_ACCEPT)) {
3495 hci_reject_conn(hdev, &ev->bdaddr);
3501 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3503 hci_reject_conn(hdev, &ev->bdaddr);
3507 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3508 * connection. These features are only touched through mgmt so
3509 * only do the checks if HCI_MGMT is set.
3511 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3512 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3513 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3515 hci_reject_conn(hdev, &ev->bdaddr);
3519 /* Connection accepted */
3521 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3523 memcpy(ie->data.dev_class, ev->dev_class, 3);
3526 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
3527 hci_conn_hash_lookup_sco(hdev)) {
3528 struct hci_cp_reject_conn_req cp;
3530 bacpy(&cp.bdaddr, &ev->bdaddr);
3531 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
3532 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
3534 hci_dev_unlock(hdev);
3539 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3542 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3545 bt_dev_err(hdev, "no memory for new connection");
3550 memcpy(conn->dev_class, ev->dev_class, 3);
3552 hci_dev_unlock(hdev);
3554 if (ev->link_type == ACL_LINK ||
3555 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3556 struct hci_cp_accept_conn_req cp;
3557 conn->state = BT_CONNECT;
3559 bacpy(&cp.bdaddr, &ev->bdaddr);
3561 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3562 cp.role = 0x00; /* Become central */
3564 cp.role = 0x01; /* Remain peripheral */
3566 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3567 } else if (!(flags & HCI_PROTO_DEFER)) {
3568 struct hci_cp_accept_sync_conn_req cp;
3569 conn->state = BT_CONNECT;
3571 bacpy(&cp.bdaddr, &ev->bdaddr);
3572 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3574 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3575 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3576 cp.max_latency = cpu_to_le16(0xffff);
3577 cp.content_format = cpu_to_le16(hdev->voice_setting);
3578 cp.retrans_effort = 0xff;
3580 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3583 conn->state = BT_CONNECT2;
3584 hci_connect_cfm(conn, 0);
3589 hci_dev_unlock(hdev);
3592 static u8 hci_to_mgmt_reason(u8 err)
3595 case HCI_ERROR_CONNECTION_TIMEOUT:
3596 return MGMT_DEV_DISCONN_TIMEOUT;
3597 case HCI_ERROR_REMOTE_USER_TERM:
3598 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3599 case HCI_ERROR_REMOTE_POWER_OFF:
3600 return MGMT_DEV_DISCONN_REMOTE;
3601 case HCI_ERROR_LOCAL_HOST_TERM:
3602 return MGMT_DEV_DISCONN_LOCAL_HOST;
3604 return MGMT_DEV_DISCONN_UNKNOWN;
3608 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3609 struct sk_buff *skb)
3611 struct hci_ev_disconn_complete *ev = data;
3613 struct hci_conn_params *params;
3614 struct hci_conn *conn;
3615 bool mgmt_connected;
3618 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3622 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3627 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3628 conn->dst_type, ev->status);
3632 conn->state = BT_CLOSED;
3634 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3636 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3637 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3639 reason = hci_to_mgmt_reason(ev->reason);
3641 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3642 reason, mgmt_connected);
3644 if (conn->type == ACL_LINK) {
3645 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3646 hci_remove_link_key(hdev, &conn->dst);
3648 hci_update_scan(hdev);
3651 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3653 switch (params->auto_connect) {
3654 case HCI_AUTO_CONN_LINK_LOSS:
3655 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3659 case HCI_AUTO_CONN_DIRECT:
3660 case HCI_AUTO_CONN_ALWAYS:
3661 hci_pend_le_list_del_init(params);
3662 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3663 hci_update_passive_scan(hdev);
3672 hci_disconn_cfm(conn, ev->reason);
3675 /* Re-enable advertising if necessary, since it might
3676 * have been disabled by the connection. From the
3677 * HCI_LE_Set_Advertise_Enable command description in
3678 * the core specification (v4.0):
3679 * "The Controller shall continue advertising until the Host
3680 * issues an LE_Set_Advertise_Enable command with
3681 * Advertising_Enable set to 0x00 (Advertising is disabled)
3682 * or until a connection is created or until the Advertising
3683 * is timed out due to Directed Advertising."
3686 if (type == LE_LINK)
3687 hci_enable_advertising(hdev);
3691 if (conn->type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
3695 iscan = test_bit(HCI_ISCAN, &hdev->flags);
3696 pscan = test_bit(HCI_PSCAN, &hdev->flags);
3697 if (!iscan && !pscan) {
3698 u8 scan_enable = SCAN_PAGE;
3700 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
3701 sizeof(scan_enable), &scan_enable);
3707 hci_dev_unlock(hdev);
3710 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3711 struct sk_buff *skb)
3713 struct hci_ev_auth_complete *ev = data;
3714 struct hci_conn *conn;
3716 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3720 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3725 /* PIN or Key Missing patch */
3726 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
3727 conn->remote_auth, conn->remote_cap,
3728 conn->auth_type, conn->io_capability);
3730 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
3731 struct hci_cp_auth_requested cp;
3733 BT_DBG("Pin or key missing");
3734 hci_remove_link_key(hdev, &conn->dst);
3735 cp.handle = cpu_to_le16(conn->handle);
3736 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3743 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3744 set_bit(HCI_CONN_AUTH, &conn->flags);
3745 conn->sec_level = conn->pending_sec_level;
3747 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3748 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3750 mgmt_auth_failed(conn, ev->status);
3753 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3755 if (conn->state == BT_CONFIG) {
3756 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3757 struct hci_cp_set_conn_encrypt cp;
3758 cp.handle = ev->handle;
3760 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3763 conn->state = BT_CONNECTED;
3764 hci_connect_cfm(conn, ev->status);
3765 hci_conn_drop(conn);
3768 hci_auth_cfm(conn, ev->status);
3770 hci_conn_hold(conn);
3771 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3772 hci_conn_drop(conn);
3775 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3777 struct hci_cp_set_conn_encrypt cp;
3778 cp.handle = ev->handle;
3780 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3783 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3784 hci_encrypt_cfm(conn, ev->status);
3789 hci_dev_unlock(hdev);
3792 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3793 struct sk_buff *skb)
3795 struct hci_ev_remote_name *ev = data;
3796 struct hci_conn *conn;
3798 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3800 hci_conn_check_pending(hdev);
3804 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3806 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3809 if (ev->status == 0)
3810 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3811 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3813 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3819 if (!hci_outgoing_auth_needed(hdev, conn))
3822 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3823 struct hci_cp_auth_requested cp;
3825 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3827 cp.handle = __cpu_to_le16(conn->handle);
3828 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3832 hci_dev_unlock(hdev);
3835 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3836 struct sk_buff *skb)
3838 struct hci_ev_encrypt_change *ev = data;
3839 struct hci_conn *conn;
3841 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3845 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3851 /* Encryption implies authentication */
3852 set_bit(HCI_CONN_AUTH, &conn->flags);
3853 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3854 conn->sec_level = conn->pending_sec_level;
3856 /* P-256 authentication key implies FIPS */
3857 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3858 set_bit(HCI_CONN_FIPS, &conn->flags);
3860 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3861 conn->type == LE_LINK)
3862 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3864 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3865 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3869 /* We should disregard the current RPA and generate a new one
3870 * whenever the encryption procedure fails.
3872 if (ev->status && conn->type == LE_LINK) {
3873 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3874 hci_adv_instances_set_rpa_expired(hdev, true);
3877 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3879 /* Check link security requirements are met */
3880 if (!hci_conn_check_link_mode(conn))
3881 ev->status = HCI_ERROR_AUTH_FAILURE;
3883 if (ev->status && conn->state == BT_CONNECTED) {
3884 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3885 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3887 /* Notify upper layers so they can cleanup before
3890 hci_encrypt_cfm(conn, ev->status);
3891 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3892 hci_conn_drop(conn);
3896 /* Try reading the encryption key size for encrypted ACL links */
3897 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3898 struct hci_cp_read_enc_key_size cp;
3900 /* Only send HCI_Read_Encryption_Key_Size if the
3901 * controller really supports it. If it doesn't, assume
3902 * the default size (16).
3904 if (!(hdev->commands[20] & 0x10)) {
3905 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3909 cp.handle = cpu_to_le16(conn->handle);
3910 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3912 bt_dev_err(hdev, "sending read key size failed");
3913 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3920 /* Set the default Authenticated Payload Timeout after
3921 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3922 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3923 * sent when the link is active and Encryption is enabled, the conn
3924 * type can be either LE or ACL and controller must support LMP Ping.
3925 * Ensure for AES-CCM encryption as well.
3927 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3928 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3929 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3930 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3931 struct hci_cp_write_auth_payload_to cp;
3933 cp.handle = cpu_to_le16(conn->handle);
3934 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3935 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3937 bt_dev_err(hdev, "write auth payload timeout failed");
3941 hci_encrypt_cfm(conn, ev->status);
3944 hci_dev_unlock(hdev);
3947 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3948 struct sk_buff *skb)
3950 struct hci_ev_change_link_key_complete *ev = data;
3951 struct hci_conn *conn;
3953 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3957 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3960 set_bit(HCI_CONN_SECURE, &conn->flags);
3962 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3964 hci_key_change_cfm(conn, ev->status);
3967 hci_dev_unlock(hdev);
3970 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3971 struct sk_buff *skb)
3973 struct hci_ev_remote_features *ev = data;
3974 struct hci_conn *conn;
3976 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3980 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3985 memcpy(conn->features[0], ev->features, 8);
3987 if (conn->state != BT_CONFIG)
3990 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3991 lmp_ext_feat_capable(conn)) {
3992 struct hci_cp_read_remote_ext_features cp;
3993 cp.handle = ev->handle;
3995 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
4000 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4001 struct hci_cp_remote_name_req cp;
4002 memset(&cp, 0, sizeof(cp));
4003 bacpy(&cp.bdaddr, &conn->dst);
4004 cp.pscan_rep_mode = 0x02;
4005 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4006 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4007 mgmt_device_connected(hdev, conn, NULL, 0);
4009 if (!hci_outgoing_auth_needed(hdev, conn)) {
4010 conn->state = BT_CONNECTED;
4011 hci_connect_cfm(conn, ev->status);
4012 hci_conn_drop(conn);
4016 hci_dev_unlock(hdev);
4019 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
4021 cancel_delayed_work(&hdev->cmd_timer);
4024 if (!test_bit(HCI_RESET, &hdev->flags)) {
4026 cancel_delayed_work(&hdev->ncmd_timer);
4027 atomic_set(&hdev->cmd_cnt, 1);
4029 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4030 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
4037 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
4038 struct sk_buff *skb)
4040 struct hci_rp_le_read_buffer_size_v2 *rp = data;
4042 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4047 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
4048 hdev->le_pkts = rp->acl_max_pkt;
4049 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
4050 hdev->iso_pkts = rp->iso_max_pkt;
4052 hdev->le_cnt = hdev->le_pkts;
4053 hdev->iso_cnt = hdev->iso_pkts;
4055 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
4056 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
4061 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
4063 struct hci_conn *conn, *tmp;
4065 lockdep_assert_held(&hdev->lock);
4067 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
4068 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
4069 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
4072 if (HCI_CONN_HANDLE_UNSET(conn->handle))
4073 hci_conn_failed(conn, status);
4077 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
4078 struct sk_buff *skb)
4080 struct hci_rp_le_set_cig_params *rp = data;
4081 struct hci_cp_le_set_cig_params *cp;
4082 struct hci_conn *conn;
4083 u8 status = rp->status;
4084 bool pending = false;
4087 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
4090 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
4091 rp->cig_id != cp->cig_id)) {
4092 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
4093 status = HCI_ERROR_UNSPECIFIED;
4098 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
4100 * If the Status return parameter is non-zero, then the state of the CIG
4101 * and its CIS configurations shall not be changed by the command. If
4102 * the CIG did not already exist, it shall not be created.
4105 /* Keep current configuration, fail only the unbound CIS */
4106 hci_unbound_cis_failed(hdev, rp->cig_id, status);
4110 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
4112 * If the Status return parameter is zero, then the Controller shall
4113 * set the Connection_Handle arrayed return parameter to the connection
4114 * handle(s) corresponding to the CIS configurations specified in
4115 * the CIS_IDs command parameter, in the same order.
4117 for (i = 0; i < rp->num_handles; ++i) {
4118 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
4120 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
4123 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
4126 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
4129 if (conn->state == BT_CONNECT)
4135 hci_le_create_cis_pending(hdev);
4137 hci_dev_unlock(hdev);
4142 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
4143 struct sk_buff *skb)
4145 struct hci_rp_le_setup_iso_path *rp = data;
4146 struct hci_cp_le_setup_iso_path *cp;
4147 struct hci_conn *conn;
4149 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4151 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4157 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4162 hci_connect_cfm(conn, rp->status);
4167 switch (cp->direction) {
4168 /* Input (Host to Controller) */
4170 /* Only confirm connection if output only */
4171 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
4172 hci_connect_cfm(conn, rp->status);
4174 /* Output (Controller to Host) */
4176 /* Confirm connection since conn->iso_qos is always configured
4179 hci_connect_cfm(conn, rp->status);
4184 hci_dev_unlock(hdev);
4188 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4190 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4193 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4194 struct sk_buff *skb)
4196 struct hci_ev_status *rp = data;
4197 struct hci_cp_le_set_per_adv_params *cp;
4199 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4204 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4208 /* TODO: set the conn state */
4212 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4213 struct sk_buff *skb)
4215 struct hci_ev_status *rp = data;
4216 struct hci_cp_le_set_per_adv_enable *cp;
4217 struct adv_info *adv = NULL, *n;
4220 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4225 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4231 adv = hci_find_adv_instance(hdev, cp->handle);
4234 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4237 adv->enabled = true;
4239 /* If just one instance was disabled check if there are
4240 * any other instance enabled before clearing HCI_LE_PER_ADV.
4241 * The current periodic adv instance will be marked as
4242 * disabled once extended advertising is also disabled.
4244 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4246 if (adv->periodic && adv->enabled)
4250 if (per_adv_cnt > 1)
4253 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4257 hci_dev_unlock(hdev);
4262 #define HCI_CC_VL(_op, _func, _min, _max) \
4270 #define HCI_CC(_op, _func, _len) \
4271 HCI_CC_VL(_op, _func, _len, _len)
4273 #define HCI_CC_STATUS(_op, _func) \
4274 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4276 static const struct hci_cc {
4278 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4281 } hci_cc_table[] = {
4282 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4283 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4284 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4285 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4286 hci_cc_remote_name_req_cancel),
4287 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4288 sizeof(struct hci_rp_role_discovery)),
4289 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4290 sizeof(struct hci_rp_read_link_policy)),
4291 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4292 sizeof(struct hci_rp_write_link_policy)),
4293 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4294 sizeof(struct hci_rp_read_def_link_policy)),
4295 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4296 hci_cc_write_def_link_policy),
4297 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4298 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4299 sizeof(struct hci_rp_read_stored_link_key)),
4300 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4301 sizeof(struct hci_rp_delete_stored_link_key)),
4302 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4303 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4304 sizeof(struct hci_rp_read_local_name)),
4305 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4306 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4307 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4308 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4309 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4310 sizeof(struct hci_rp_read_class_of_dev)),
4311 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4312 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4313 sizeof(struct hci_rp_read_voice_setting)),
4314 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4315 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4316 sizeof(struct hci_rp_read_num_supported_iac)),
4317 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4318 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4319 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4320 sizeof(struct hci_rp_read_auth_payload_to)),
4321 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4322 sizeof(struct hci_rp_write_auth_payload_to)),
4323 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4324 sizeof(struct hci_rp_read_local_version)),
4325 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4326 sizeof(struct hci_rp_read_local_commands)),
4327 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4328 sizeof(struct hci_rp_read_local_features)),
4329 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4330 sizeof(struct hci_rp_read_local_ext_features)),
4331 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4332 sizeof(struct hci_rp_read_buffer_size)),
4333 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4334 sizeof(struct hci_rp_read_bd_addr)),
4335 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4336 sizeof(struct hci_rp_read_local_pairing_opts)),
4337 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4338 sizeof(struct hci_rp_read_page_scan_activity)),
4339 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4340 hci_cc_write_page_scan_activity),
4341 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4342 sizeof(struct hci_rp_read_page_scan_type)),
4343 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4344 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4345 sizeof(struct hci_rp_read_data_block_size)),
4346 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4347 sizeof(struct hci_rp_read_flow_control_mode)),
4348 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4349 sizeof(struct hci_rp_read_local_amp_info)),
4350 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4351 sizeof(struct hci_rp_read_clock)),
4352 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4353 sizeof(struct hci_rp_read_enc_key_size)),
4354 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4355 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4356 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4357 hci_cc_read_def_err_data_reporting,
4358 sizeof(struct hci_rp_read_def_err_data_reporting)),
4359 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4360 hci_cc_write_def_err_data_reporting),
4361 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4362 sizeof(struct hci_rp_pin_code_reply)),
4363 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4364 sizeof(struct hci_rp_pin_code_neg_reply)),
4365 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4366 sizeof(struct hci_rp_read_local_oob_data)),
4367 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4368 sizeof(struct hci_rp_read_local_oob_ext_data)),
4369 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4370 sizeof(struct hci_rp_le_read_buffer_size)),
4371 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4372 sizeof(struct hci_rp_le_read_local_features)),
4373 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4374 sizeof(struct hci_rp_le_read_adv_tx_power)),
4375 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4376 sizeof(struct hci_rp_user_confirm_reply)),
4377 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4378 sizeof(struct hci_rp_user_confirm_reply)),
4379 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4380 sizeof(struct hci_rp_user_confirm_reply)),
4381 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4382 sizeof(struct hci_rp_user_confirm_reply)),
4383 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4384 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4385 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4386 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4387 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4388 hci_cc_le_read_accept_list_size,
4389 sizeof(struct hci_rp_le_read_accept_list_size)),
4390 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4391 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4392 hci_cc_le_add_to_accept_list),
4393 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4394 hci_cc_le_del_from_accept_list),
4395 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4396 sizeof(struct hci_rp_le_read_supported_states)),
4397 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4398 sizeof(struct hci_rp_le_read_def_data_len)),
4399 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4400 hci_cc_le_write_def_data_len),
4401 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4402 hci_cc_le_add_to_resolv_list),
4403 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4404 hci_cc_le_del_from_resolv_list),
4405 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4406 hci_cc_le_clear_resolv_list),
4407 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4408 sizeof(struct hci_rp_le_read_resolv_list_size)),
4409 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4410 hci_cc_le_set_addr_resolution_enable),
4411 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4412 sizeof(struct hci_rp_le_read_max_data_len)),
4413 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4414 hci_cc_write_le_host_supported),
4415 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4416 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4417 sizeof(struct hci_rp_read_rssi)),
4418 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4419 sizeof(struct hci_rp_read_tx_power)),
4420 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4421 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4422 hci_cc_le_set_ext_scan_param),
4423 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4424 hci_cc_le_set_ext_scan_enable),
4425 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4426 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4427 hci_cc_le_read_num_adv_sets,
4428 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4429 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4430 sizeof(struct hci_rp_le_set_ext_adv_params)),
4431 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4432 hci_cc_le_set_ext_adv_enable),
4433 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4434 hci_cc_le_set_adv_set_random_addr),
4435 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4436 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4437 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4438 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4439 hci_cc_le_set_per_adv_enable),
4440 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4441 sizeof(struct hci_rp_le_read_transmit_power)),
4443 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4444 sizeof(struct hci_cc_rsp_enable_rssi)),
4445 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4446 sizeof(struct hci_cc_rp_get_raw_rssi)),
4448 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4449 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4450 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4451 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4452 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4453 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4454 sizeof(struct hci_rp_le_setup_iso_path)),
4457 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4458 struct sk_buff *skb)
4462 if (skb->len < cc->min_len) {
4463 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4464 cc->op, skb->len, cc->min_len);
4465 return HCI_ERROR_UNSPECIFIED;
4468 /* Just warn if the length is over max_len size it still be possible to
4469 * partially parse the cc so leave to callback to decide if that is
4472 if (skb->len > cc->max_len)
4473 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4474 cc->op, skb->len, cc->max_len);
4476 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4478 return HCI_ERROR_UNSPECIFIED;
4480 return cc->func(hdev, data, skb);
4483 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4484 struct sk_buff *skb, u16 *opcode, u8 *status,
4485 hci_req_complete_t *req_complete,
4486 hci_req_complete_skb_t *req_complete_skb)
4488 struct hci_ev_cmd_complete *ev = data;
4491 *opcode = __le16_to_cpu(ev->opcode);
4493 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4495 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4496 if (hci_cc_table[i].op == *opcode) {
4497 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4502 if (i == ARRAY_SIZE(hci_cc_table)) {
4503 /* Unknown opcode, assume byte 0 contains the status, so
4504 * that e.g. __hci_cmd_sync() properly returns errors
4505 * for vendor specific commands send by HCI drivers.
4506 * If a vendor doesn't actually follow this convention we may
4507 * need to introduce a vendor CC table in order to properly set
4510 *status = skb->data[0];
4513 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4515 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4518 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4520 "unexpected event for opcode 0x%4.4x", *opcode);
4524 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4525 queue_work(hdev->workqueue, &hdev->cmd_work);
4528 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4530 struct hci_cp_le_create_cis *cp;
4531 bool pending = false;
4534 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4539 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4545 /* Remove connection if command failed */
4546 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4547 struct hci_conn *conn;
4550 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4552 conn = hci_conn_hash_lookup_handle(hdev, handle);
4554 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4557 conn->state = BT_CLOSED;
4558 hci_connect_cfm(conn, status);
4564 hci_le_create_cis_pending(hdev);
4566 hci_dev_unlock(hdev);
4569 #define HCI_CS(_op, _func) \
4575 static const struct hci_cs {
4577 void (*func)(struct hci_dev *hdev, __u8 status);
4578 } hci_cs_table[] = {
4579 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4580 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4581 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4582 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4583 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4584 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4585 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4586 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4587 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4588 hci_cs_read_remote_ext_features),
4589 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4590 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4591 hci_cs_enhanced_setup_sync_conn),
4592 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4593 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4594 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4595 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4596 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4597 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4598 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4599 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4600 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4603 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4604 struct sk_buff *skb, u16 *opcode, u8 *status,
4605 hci_req_complete_t *req_complete,
4606 hci_req_complete_skb_t *req_complete_skb)
4608 struct hci_ev_cmd_status *ev = data;
4611 *opcode = __le16_to_cpu(ev->opcode);
4612 *status = ev->status;
4614 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4616 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4617 if (hci_cs_table[i].op == *opcode) {
4618 hci_cs_table[i].func(hdev, ev->status);
4623 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4625 /* Indicate request completion if the command failed. Also, if
4626 * we're not waiting for a special event and we get a success
4627 * command status we should try to flag the request as completed
4628 * (since for this kind of commands there will not be a command
4631 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4632 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4634 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4635 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4641 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4642 queue_work(hdev->workqueue, &hdev->cmd_work);
4645 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4646 struct sk_buff *skb)
4648 struct hci_ev_hardware_error *ev = data;
4650 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4654 mgmt_hardware_error(hdev, ev->code);
4655 hci_dev_unlock(hdev);
4657 hdev->hw_error_code = ev->code;
4659 queue_work(hdev->req_workqueue, &hdev->error_reset);
4662 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4663 struct sk_buff *skb)
4665 struct hci_ev_role_change *ev = data;
4666 struct hci_conn *conn;
4668 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4672 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4675 conn->role = ev->role;
4677 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4679 hci_role_switch_cfm(conn, ev->status, ev->role);
4681 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
4682 hci_conn_change_supervision_timeout(conn,
4683 LINK_SUPERVISION_TIMEOUT);
4687 hci_dev_unlock(hdev);
4690 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4691 struct sk_buff *skb)
4693 struct hci_ev_num_comp_pkts *ev = data;
4696 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4697 flex_array_size(ev, handles, ev->num)))
4700 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4701 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4705 bt_dev_dbg(hdev, "num %d", ev->num);
4707 for (i = 0; i < ev->num; i++) {
4708 struct hci_comp_pkts_info *info = &ev->handles[i];
4709 struct hci_conn *conn;
4710 __u16 handle, count;
4712 handle = __le16_to_cpu(info->handle);
4713 count = __le16_to_cpu(info->count);
4715 conn = hci_conn_hash_lookup_handle(hdev, handle);
4719 conn->sent -= count;
4721 switch (conn->type) {
4723 hdev->acl_cnt += count;
4724 if (hdev->acl_cnt > hdev->acl_pkts)
4725 hdev->acl_cnt = hdev->acl_pkts;
4729 if (hdev->le_pkts) {
4730 hdev->le_cnt += count;
4731 if (hdev->le_cnt > hdev->le_pkts)
4732 hdev->le_cnt = hdev->le_pkts;
4734 hdev->acl_cnt += count;
4735 if (hdev->acl_cnt > hdev->acl_pkts)
4736 hdev->acl_cnt = hdev->acl_pkts;
4741 hdev->sco_cnt += count;
4742 if (hdev->sco_cnt > hdev->sco_pkts)
4743 hdev->sco_cnt = hdev->sco_pkts;
4747 if (hdev->iso_pkts) {
4748 hdev->iso_cnt += count;
4749 if (hdev->iso_cnt > hdev->iso_pkts)
4750 hdev->iso_cnt = hdev->iso_pkts;
4751 } else if (hdev->le_pkts) {
4752 hdev->le_cnt += count;
4753 if (hdev->le_cnt > hdev->le_pkts)
4754 hdev->le_cnt = hdev->le_pkts;
4756 hdev->acl_cnt += count;
4757 if (hdev->acl_cnt > hdev->acl_pkts)
4758 hdev->acl_cnt = hdev->acl_pkts;
4763 bt_dev_err(hdev, "unknown type %d conn %p",
4769 queue_work(hdev->workqueue, &hdev->tx_work);
4772 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4775 struct hci_chan *chan;
4777 switch (hdev->dev_type) {
4779 return hci_conn_hash_lookup_handle(hdev, handle);
4781 chan = hci_chan_lookup_handle(hdev, handle);
4786 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4793 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4794 struct sk_buff *skb)
4796 struct hci_ev_num_comp_blocks *ev = data;
4799 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4800 flex_array_size(ev, handles, ev->num_hndl)))
4803 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4804 bt_dev_err(hdev, "wrong event for mode %d",
4805 hdev->flow_ctl_mode);
4809 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4812 for (i = 0; i < ev->num_hndl; i++) {
4813 struct hci_comp_blocks_info *info = &ev->handles[i];
4814 struct hci_conn *conn = NULL;
4815 __u16 handle, block_count;
4817 handle = __le16_to_cpu(info->handle);
4818 block_count = __le16_to_cpu(info->blocks);
4820 conn = __hci_conn_lookup_handle(hdev, handle);
4824 conn->sent -= block_count;
4826 switch (conn->type) {
4829 hdev->block_cnt += block_count;
4830 if (hdev->block_cnt > hdev->num_blocks)
4831 hdev->block_cnt = hdev->num_blocks;
4835 bt_dev_err(hdev, "unknown type %d conn %p",
4841 queue_work(hdev->workqueue, &hdev->tx_work);
4844 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4845 struct sk_buff *skb)
4847 struct hci_ev_mode_change *ev = data;
4848 struct hci_conn *conn;
4850 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4854 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4856 conn->mode = ev->mode;
4858 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4860 if (conn->mode == HCI_CM_ACTIVE)
4861 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4863 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4866 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4867 hci_sco_setup(conn, ev->status);
4870 hci_dev_unlock(hdev);
4873 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4874 struct sk_buff *skb)
4876 struct hci_ev_pin_code_req *ev = data;
4877 struct hci_conn *conn;
4879 bt_dev_dbg(hdev, "");
4883 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4887 if (conn->state == BT_CONNECTED) {
4888 hci_conn_hold(conn);
4889 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4890 hci_conn_drop(conn);
4893 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4894 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4895 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4896 sizeof(ev->bdaddr), &ev->bdaddr);
4897 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4900 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4905 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4909 hci_dev_unlock(hdev);
4912 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4914 if (key_type == HCI_LK_CHANGED_COMBINATION)
4917 conn->pin_length = pin_len;
4918 conn->key_type = key_type;
4921 case HCI_LK_LOCAL_UNIT:
4922 case HCI_LK_REMOTE_UNIT:
4923 case HCI_LK_DEBUG_COMBINATION:
4925 case HCI_LK_COMBINATION:
4927 conn->pending_sec_level = BT_SECURITY_HIGH;
4929 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4931 case HCI_LK_UNAUTH_COMBINATION_P192:
4932 case HCI_LK_UNAUTH_COMBINATION_P256:
4933 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4935 case HCI_LK_AUTH_COMBINATION_P192:
4936 conn->pending_sec_level = BT_SECURITY_HIGH;
4938 case HCI_LK_AUTH_COMBINATION_P256:
4939 conn->pending_sec_level = BT_SECURITY_FIPS;
4944 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4945 struct sk_buff *skb)
4947 struct hci_ev_link_key_req *ev = data;
4948 struct hci_cp_link_key_reply cp;
4949 struct hci_conn *conn;
4950 struct link_key *key;
4952 bt_dev_dbg(hdev, "");
4954 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4959 key = hci_find_link_key(hdev, &ev->bdaddr);
4961 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4965 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4967 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4969 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4971 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4972 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4973 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4974 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4978 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4979 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4980 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4981 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4985 conn_set_key(conn, key->type, key->pin_len);
4988 bacpy(&cp.bdaddr, &ev->bdaddr);
4989 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4991 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4993 hci_dev_unlock(hdev);
4998 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4999 hci_dev_unlock(hdev);
5002 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
5003 struct sk_buff *skb)
5005 struct hci_ev_link_key_notify *ev = data;
5006 struct hci_conn *conn;
5007 struct link_key *key;
5011 bt_dev_dbg(hdev, "");
5015 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5019 /* Ignore NULL link key against CVE-2020-26555 */
5020 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
5021 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
5023 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5024 hci_conn_drop(conn);
5028 hci_conn_hold(conn);
5029 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5030 hci_conn_drop(conn);
5032 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
5033 conn_set_key(conn, ev->key_type, conn->pin_length);
5035 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5038 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
5039 ev->key_type, pin_len, &persistent);
5043 /* Update connection information since adding the key will have
5044 * fixed up the type in the case of changed combination keys.
5046 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
5047 conn_set_key(conn, key->type, key->pin_len);
5049 mgmt_new_link_key(hdev, key, persistent);
5051 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
5052 * is set. If it's not set simply remove the key from the kernel
5053 * list (we've still notified user space about it but with
5054 * store_hint being 0).
5056 if (key->type == HCI_LK_DEBUG_COMBINATION &&
5057 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
5058 list_del_rcu(&key->list);
5059 kfree_rcu(key, rcu);
5064 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
5066 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
5069 hci_dev_unlock(hdev);
5072 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
5073 struct sk_buff *skb)
5075 struct hci_ev_clock_offset *ev = data;
5076 struct hci_conn *conn;
5078 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5082 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5083 if (conn && !ev->status) {
5084 struct inquiry_entry *ie;
5086 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5088 ie->data.clock_offset = ev->clock_offset;
5089 ie->timestamp = jiffies;
5093 hci_dev_unlock(hdev);
5096 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
5097 struct sk_buff *skb)
5099 struct hci_ev_pkt_type_change *ev = data;
5100 struct hci_conn *conn;
5102 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5106 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5107 if (conn && !ev->status)
5108 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
5110 hci_dev_unlock(hdev);
5113 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
5114 struct sk_buff *skb)
5116 struct hci_ev_pscan_rep_mode *ev = data;
5117 struct inquiry_entry *ie;
5119 bt_dev_dbg(hdev, "");
5123 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5125 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
5126 ie->timestamp = jiffies;
5129 hci_dev_unlock(hdev);
5132 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
5133 struct sk_buff *skb)
5135 struct hci_ev_inquiry_result_rssi *ev = edata;
5136 struct inquiry_data data;
5139 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
5144 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5149 if (skb->len == array_size(ev->num,
5150 sizeof(struct inquiry_info_rssi_pscan))) {
5151 struct inquiry_info_rssi_pscan *info;
5153 for (i = 0; i < ev->num; i++) {
5156 info = hci_ev_skb_pull(hdev, skb,
5157 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5160 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5161 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5165 bacpy(&data.bdaddr, &info->bdaddr);
5166 data.pscan_rep_mode = info->pscan_rep_mode;
5167 data.pscan_period_mode = info->pscan_period_mode;
5168 data.pscan_mode = info->pscan_mode;
5169 memcpy(data.dev_class, info->dev_class, 3);
5170 data.clock_offset = info->clock_offset;
5171 data.rssi = info->rssi;
5172 data.ssp_mode = 0x00;
5174 flags = hci_inquiry_cache_update(hdev, &data, false);
5176 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5177 info->dev_class, info->rssi,
5178 flags, NULL, 0, NULL, 0, 0);
5180 } else if (skb->len == array_size(ev->num,
5181 sizeof(struct inquiry_info_rssi))) {
5182 struct inquiry_info_rssi *info;
5184 for (i = 0; i < ev->num; i++) {
5187 info = hci_ev_skb_pull(hdev, skb,
5188 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5191 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5192 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5196 bacpy(&data.bdaddr, &info->bdaddr);
5197 data.pscan_rep_mode = info->pscan_rep_mode;
5198 data.pscan_period_mode = info->pscan_period_mode;
5199 data.pscan_mode = 0x00;
5200 memcpy(data.dev_class, info->dev_class, 3);
5201 data.clock_offset = info->clock_offset;
5202 data.rssi = info->rssi;
5203 data.ssp_mode = 0x00;
5205 flags = hci_inquiry_cache_update(hdev, &data, false);
5207 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5208 info->dev_class, info->rssi,
5209 flags, NULL, 0, NULL, 0, 0);
5212 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5213 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5216 hci_dev_unlock(hdev);
5219 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5220 struct sk_buff *skb)
5222 struct hci_ev_remote_ext_features *ev = data;
5223 struct hci_conn *conn;
5225 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5229 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5233 if (ev->page < HCI_MAX_PAGES)
5234 memcpy(conn->features[ev->page], ev->features, 8);
5236 if (!ev->status && ev->page == 0x01) {
5237 struct inquiry_entry *ie;
5239 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5241 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5243 if (ev->features[0] & LMP_HOST_SSP) {
5244 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5246 /* It is mandatory by the Bluetooth specification that
5247 * Extended Inquiry Results are only used when Secure
5248 * Simple Pairing is enabled, but some devices violate
5251 * To make these devices work, the internal SSP
5252 * enabled flag needs to be cleared if the remote host
5253 * features do not indicate SSP support */
5254 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5257 if (ev->features[0] & LMP_HOST_SC)
5258 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5261 if (conn->state != BT_CONFIG)
5264 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5265 struct hci_cp_remote_name_req cp;
5266 memset(&cp, 0, sizeof(cp));
5267 bacpy(&cp.bdaddr, &conn->dst);
5268 cp.pscan_rep_mode = 0x02;
5269 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5270 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5271 mgmt_device_connected(hdev, conn, NULL, 0);
5273 if (!hci_outgoing_auth_needed(hdev, conn)) {
5274 conn->state = BT_CONNECTED;
5275 hci_connect_cfm(conn, ev->status);
5276 hci_conn_drop(conn);
5280 hci_dev_unlock(hdev);
5283 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5284 struct sk_buff *skb)
5286 struct hci_ev_sync_conn_complete *ev = data;
5287 struct hci_conn *conn;
5288 u8 status = ev->status;
5290 switch (ev->link_type) {
5295 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5296 * for HCI_Synchronous_Connection_Complete is limited to
5297 * either SCO or eSCO
5299 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5303 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5307 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5309 if (ev->link_type == ESCO_LINK)
5312 /* When the link type in the event indicates SCO connection
5313 * and lookup of the connection object fails, then check
5314 * if an eSCO connection object exists.
5316 * The core limits the synchronous connections to either
5317 * SCO or eSCO. The eSCO connection is preferred and tried
5318 * to be setup first and until successfully established,
5319 * the link type will be hinted as eSCO.
5321 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5326 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5327 * Processing it more than once per connection can corrupt kernel memory.
5329 * As the connection handle is set here for the first time, it indicates
5330 * whether the connection is already set up.
5332 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5333 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5339 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5341 conn->state = BT_CLOSED;
5345 conn->state = BT_CONNECTED;
5346 conn->type = ev->link_type;
5348 hci_debugfs_create_conn(conn);
5349 hci_conn_add_sysfs(conn);
5352 case 0x10: /* Connection Accept Timeout */
5353 case 0x0d: /* Connection Rejected due to Limited Resources */
5354 case 0x11: /* Unsupported Feature or Parameter Value */
5355 case 0x1c: /* SCO interval rejected */
5356 case 0x1a: /* Unsupported Remote Feature */
5357 case 0x1e: /* Invalid LMP Parameters */
5358 case 0x1f: /* Unspecified error */
5359 case 0x20: /* Unsupported LMP Parameter value */
5361 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5362 (hdev->esco_type & EDR_ESCO_MASK);
5363 if (hci_setup_sync(conn, conn->parent->handle))
5369 conn->state = BT_CLOSED;
5373 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5374 /* Notify only in case of SCO over HCI transport data path which
5375 * is zero and non-zero value shall be non-HCI transport data path
5377 if (conn->codec.data_path == 0 && hdev->notify) {
5378 switch (ev->air_mode) {
5380 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5383 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5388 hci_connect_cfm(conn, status);
5393 hci_dev_unlock(hdev);
5396 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5400 while (parsed < eir_len) {
5401 u8 field_len = eir[0];
5406 parsed += field_len + 1;
5407 eir += field_len + 1;
5413 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5414 struct sk_buff *skb)
5416 struct hci_ev_ext_inquiry_result *ev = edata;
5417 struct inquiry_data data;
5421 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5422 flex_array_size(ev, info, ev->num)))
5425 bt_dev_dbg(hdev, "num %d", ev->num);
5430 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5435 for (i = 0; i < ev->num; i++) {
5436 struct extended_inquiry_info *info = &ev->info[i];
5440 bacpy(&data.bdaddr, &info->bdaddr);
5441 data.pscan_rep_mode = info->pscan_rep_mode;
5442 data.pscan_period_mode = info->pscan_period_mode;
5443 data.pscan_mode = 0x00;
5444 memcpy(data.dev_class, info->dev_class, 3);
5445 data.clock_offset = info->clock_offset;
5446 data.rssi = info->rssi;
5447 data.ssp_mode = 0x01;
5449 if (hci_dev_test_flag(hdev, HCI_MGMT))
5450 name_known = eir_get_data(info->data,
5452 EIR_NAME_COMPLETE, NULL);
5456 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5458 eir_len = eir_get_length(info->data, sizeof(info->data));
5460 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5461 info->dev_class, info->rssi,
5462 flags, info->data, eir_len, NULL, 0, 0);
5465 hci_dev_unlock(hdev);
5468 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5469 struct sk_buff *skb)
5471 struct hci_ev_key_refresh_complete *ev = data;
5472 struct hci_conn *conn;
5474 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5475 __le16_to_cpu(ev->handle));
5479 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5483 /* For BR/EDR the necessary steps are taken through the
5484 * auth_complete event.
5486 if (conn->type != LE_LINK)
5490 conn->sec_level = conn->pending_sec_level;
5492 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5494 if (ev->status && conn->state == BT_CONNECTED) {
5495 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5496 hci_conn_drop(conn);
5500 if (conn->state == BT_CONFIG) {
5502 conn->state = BT_CONNECTED;
5504 hci_connect_cfm(conn, ev->status);
5505 hci_conn_drop(conn);
5507 hci_auth_cfm(conn, ev->status);
5509 hci_conn_hold(conn);
5510 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5511 hci_conn_drop(conn);
5515 hci_dev_unlock(hdev);
5518 static u8 hci_get_auth_req(struct hci_conn *conn)
5521 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
5522 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5523 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5524 return HCI_AT_GENERAL_BONDING_MITM;
5528 /* If remote requests no-bonding follow that lead */
5529 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5530 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5531 return conn->remote_auth | (conn->auth_type & 0x01);
5533 /* If both remote and local have enough IO capabilities, require
5536 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5537 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5538 return conn->remote_auth | 0x01;
5540 /* No MITM protection possible so ignore remote requirement */
5541 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5544 static u8 bredr_oob_data_present(struct hci_conn *conn)
5546 struct hci_dev *hdev = conn->hdev;
5547 struct oob_data *data;
5549 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5553 if (bredr_sc_enabled(hdev)) {
5554 /* When Secure Connections is enabled, then just
5555 * return the present value stored with the OOB
5556 * data. The stored value contains the right present
5557 * information. However it can only be trusted when
5558 * not in Secure Connection Only mode.
5560 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5561 return data->present;
5563 /* When Secure Connections Only mode is enabled, then
5564 * the P-256 values are required. If they are not
5565 * available, then do not declare that OOB data is
5568 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5569 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5575 /* When Secure Connections is not enabled or actually
5576 * not supported by the hardware, then check that if
5577 * P-192 data values are present.
5579 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5580 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5586 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5587 struct sk_buff *skb)
5589 struct hci_ev_io_capa_request *ev = data;
5590 struct hci_conn *conn;
5592 bt_dev_dbg(hdev, "");
5596 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5597 if (!conn || !hci_conn_ssp_enabled(conn))
5600 hci_conn_hold(conn);
5602 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5605 /* Allow pairing if we're pairable, the initiators of the
5606 * pairing or if the remote is not requesting bonding.
5608 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5609 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5610 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5611 struct hci_cp_io_capability_reply cp;
5613 bacpy(&cp.bdaddr, &ev->bdaddr);
5614 /* Change the IO capability from KeyboardDisplay
5615 * to DisplayYesNo as it is not supported by BT spec. */
5616 cp.capability = (conn->io_capability == 0x04) ?
5617 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5619 /* If we are initiators, there is no remote information yet */
5620 if (conn->remote_auth == 0xff) {
5621 /* Request MITM protection if our IO caps allow it
5622 * except for the no-bonding case.
5624 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5625 conn->auth_type != HCI_AT_NO_BONDING)
5626 conn->auth_type |= 0x01;
5628 conn->auth_type = hci_get_auth_req(conn);
5631 /* If we're not bondable, force one of the non-bondable
5632 * authentication requirement values.
5634 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5635 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5637 cp.authentication = conn->auth_type;
5638 cp.oob_data = bredr_oob_data_present(conn);
5640 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5643 struct hci_cp_io_capability_neg_reply cp;
5645 bacpy(&cp.bdaddr, &ev->bdaddr);
5646 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5648 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5653 hci_dev_unlock(hdev);
5656 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5657 struct sk_buff *skb)
5659 struct hci_ev_io_capa_reply *ev = data;
5660 struct hci_conn *conn;
5662 bt_dev_dbg(hdev, "");
5666 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5670 conn->remote_cap = ev->capability;
5671 conn->remote_auth = ev->authentication;
5674 hci_dev_unlock(hdev);
5677 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5678 struct sk_buff *skb)
5680 struct hci_ev_user_confirm_req *ev = data;
5681 int loc_mitm, rem_mitm, confirm_hint = 0;
5682 struct hci_conn *conn;
5684 bt_dev_dbg(hdev, "");
5688 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5691 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5695 loc_mitm = (conn->auth_type & 0x01);
5696 rem_mitm = (conn->remote_auth & 0x01);
5698 /* If we require MITM but the remote device can't provide that
5699 * (it has NoInputNoOutput) then reject the confirmation
5700 * request. We check the security level here since it doesn't
5701 * necessarily match conn->auth_type.
5703 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5704 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5705 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5706 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5707 sizeof(ev->bdaddr), &ev->bdaddr);
5711 /* If no side requires MITM protection; auto-accept */
5712 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5713 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5715 /* If we're not the initiators request authorization to
5716 * proceed from user space (mgmt_user_confirm with
5717 * confirm_hint set to 1). The exception is if neither
5718 * side had MITM or if the local IO capability is
5719 * NoInputNoOutput, in which case we do auto-accept
5721 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5722 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5723 (loc_mitm || rem_mitm)) {
5724 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5729 /* If there already exists link key in local host, leave the
5730 * decision to user space since the remote device could be
5731 * legitimate or malicious.
5733 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5734 bt_dev_dbg(hdev, "Local host already has link key");
5739 BT_DBG("Auto-accept of user confirmation with %ums delay",
5740 hdev->auto_accept_delay);
5742 if (hdev->auto_accept_delay > 0) {
5743 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5744 queue_delayed_work(conn->hdev->workqueue,
5745 &conn->auto_accept_work, delay);
5749 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5750 sizeof(ev->bdaddr), &ev->bdaddr);
5755 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5756 le32_to_cpu(ev->passkey), confirm_hint);
5759 hci_dev_unlock(hdev);
5762 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5763 struct sk_buff *skb)
5765 struct hci_ev_user_passkey_req *ev = data;
5767 bt_dev_dbg(hdev, "");
5769 if (hci_dev_test_flag(hdev, HCI_MGMT))
5770 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5773 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5774 struct sk_buff *skb)
5776 struct hci_ev_user_passkey_notify *ev = data;
5777 struct hci_conn *conn;
5779 bt_dev_dbg(hdev, "");
5781 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5785 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5786 conn->passkey_entered = 0;
5788 if (hci_dev_test_flag(hdev, HCI_MGMT))
5789 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5790 conn->dst_type, conn->passkey_notify,
5791 conn->passkey_entered);
5794 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5795 struct sk_buff *skb)
5797 struct hci_ev_keypress_notify *ev = data;
5798 struct hci_conn *conn;
5800 bt_dev_dbg(hdev, "");
5802 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5807 case HCI_KEYPRESS_STARTED:
5808 conn->passkey_entered = 0;
5811 case HCI_KEYPRESS_ENTERED:
5812 conn->passkey_entered++;
5815 case HCI_KEYPRESS_ERASED:
5816 conn->passkey_entered--;
5819 case HCI_KEYPRESS_CLEARED:
5820 conn->passkey_entered = 0;
5823 case HCI_KEYPRESS_COMPLETED:
5827 if (hci_dev_test_flag(hdev, HCI_MGMT))
5828 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5829 conn->dst_type, conn->passkey_notify,
5830 conn->passkey_entered);
5833 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5834 struct sk_buff *skb)
5836 struct hci_ev_simple_pair_complete *ev = data;
5837 struct hci_conn *conn;
5839 bt_dev_dbg(hdev, "");
5843 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5844 if (!conn || !hci_conn_ssp_enabled(conn))
5847 /* Reset the authentication requirement to unknown */
5848 conn->remote_auth = 0xff;
5850 /* To avoid duplicate auth_failed events to user space we check
5851 * the HCI_CONN_AUTH_PEND flag which will be set if we
5852 * initiated the authentication. A traditional auth_complete
5853 * event gets always produced as initiator and is also mapped to
5854 * the mgmt_auth_failed event */
5855 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5856 mgmt_auth_failed(conn, ev->status);
5858 hci_conn_drop(conn);
5861 hci_dev_unlock(hdev);
5864 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5865 struct sk_buff *skb)
5867 struct hci_ev_remote_host_features *ev = data;
5868 struct inquiry_entry *ie;
5869 struct hci_conn *conn;
5871 bt_dev_dbg(hdev, "");
5875 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5877 memcpy(conn->features[1], ev->features, 8);
5879 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5881 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5883 hci_dev_unlock(hdev);
5886 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5887 struct sk_buff *skb)
5889 struct hci_ev_remote_oob_data_request *ev = edata;
5890 struct oob_data *data;
5892 bt_dev_dbg(hdev, "");
5896 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5899 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5901 struct hci_cp_remote_oob_data_neg_reply cp;
5903 bacpy(&cp.bdaddr, &ev->bdaddr);
5904 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5909 if (bredr_sc_enabled(hdev)) {
5910 struct hci_cp_remote_oob_ext_data_reply cp;
5912 bacpy(&cp.bdaddr, &ev->bdaddr);
5913 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5914 memset(cp.hash192, 0, sizeof(cp.hash192));
5915 memset(cp.rand192, 0, sizeof(cp.rand192));
5917 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5918 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5920 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5921 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5923 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5926 struct hci_cp_remote_oob_data_reply cp;
5928 bacpy(&cp.bdaddr, &ev->bdaddr);
5929 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5930 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5932 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5937 hci_dev_unlock(hdev);
5940 #if IS_ENABLED(CONFIG_BT_HS)
5941 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5942 struct sk_buff *skb)
5944 struct hci_ev_channel_selected *ev = data;
5945 struct hci_conn *hcon;
5947 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5949 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5953 amp_read_loc_assoc_final_data(hdev, hcon);
5956 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5957 struct sk_buff *skb)
5959 struct hci_ev_phy_link_complete *ev = data;
5960 struct hci_conn *hcon, *bredr_hcon;
5962 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5967 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5979 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5981 hcon->state = BT_CONNECTED;
5982 bacpy(&hcon->dst, &bredr_hcon->dst);
5984 hci_conn_hold(hcon);
5985 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5986 hci_conn_drop(hcon);
5988 hci_debugfs_create_conn(hcon);
5989 hci_conn_add_sysfs(hcon);
5991 amp_physical_cfm(bredr_hcon, hcon);
5994 hci_dev_unlock(hdev);
5997 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5998 struct sk_buff *skb)
6000 struct hci_ev_logical_link_complete *ev = data;
6001 struct hci_conn *hcon;
6002 struct hci_chan *hchan;
6003 struct amp_mgr *mgr;
6005 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
6006 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
6008 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
6012 /* Create AMP hchan */
6013 hchan = hci_chan_create(hcon);
6017 hchan->handle = le16_to_cpu(ev->handle);
6020 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
6022 mgr = hcon->amp_mgr;
6023 if (mgr && mgr->bredr_chan) {
6024 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
6026 l2cap_chan_lock(bredr_chan);
6028 bredr_chan->conn->mtu = hdev->block_mtu;
6029 l2cap_logical_cfm(bredr_chan, hchan, 0);
6030 hci_conn_hold(hcon);
6032 l2cap_chan_unlock(bredr_chan);
6036 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
6037 struct sk_buff *skb)
6039 struct hci_ev_disconn_logical_link_complete *ev = data;
6040 struct hci_chan *hchan;
6042 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
6043 le16_to_cpu(ev->handle), ev->status);
6050 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
6051 if (!hchan || !hchan->amp)
6054 amp_destroy_logical_link(hchan, ev->reason);
6057 hci_dev_unlock(hdev);
6060 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
6061 struct sk_buff *skb)
6063 struct hci_ev_disconn_phy_link_complete *ev = data;
6064 struct hci_conn *hcon;
6066 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6073 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
6074 if (hcon && hcon->type == AMP_LINK) {
6075 hcon->state = BT_CLOSED;
6076 hci_disconn_cfm(hcon, ev->reason);
6080 hci_dev_unlock(hdev);
6084 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
6085 u8 bdaddr_type, bdaddr_t *local_rpa)
6088 conn->dst_type = bdaddr_type;
6089 conn->resp_addr_type = bdaddr_type;
6090 bacpy(&conn->resp_addr, bdaddr);
6092 /* Check if the controller has set a Local RPA then it must be
6093 * used instead or hdev->rpa.
6095 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6096 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6097 bacpy(&conn->init_addr, local_rpa);
6098 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
6099 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6100 bacpy(&conn->init_addr, &conn->hdev->rpa);
6102 hci_copy_identity_address(conn->hdev, &conn->init_addr,
6103 &conn->init_addr_type);
6106 conn->resp_addr_type = conn->hdev->adv_addr_type;
6107 /* Check if the controller has set a Local RPA then it must be
6108 * used instead or hdev->rpa.
6110 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6111 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
6112 bacpy(&conn->resp_addr, local_rpa);
6113 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
6114 /* In case of ext adv, resp_addr will be updated in
6115 * Adv Terminated event.
6117 if (!ext_adv_capable(conn->hdev))
6118 bacpy(&conn->resp_addr,
6119 &conn->hdev->random_addr);
6121 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
6124 conn->init_addr_type = bdaddr_type;
6125 bacpy(&conn->init_addr, bdaddr);
6127 /* For incoming connections, set the default minimum
6128 * and maximum connection interval. They will be used
6129 * to check if the parameters are in range and if not
6130 * trigger the connection update procedure.
6132 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
6133 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
6137 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
6138 bdaddr_t *bdaddr, u8 bdaddr_type,
6139 bdaddr_t *local_rpa, u8 role, u16 handle,
6140 u16 interval, u16 latency,
6141 u16 supervision_timeout)
6143 struct hci_conn_params *params;
6144 struct hci_conn *conn;
6145 struct smp_irk *irk;
6150 /* All controllers implicitly stop advertising in the event of a
6151 * connection, so ensure that the state bit is cleared.
6153 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6155 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
6157 /* In case of error status and there is no connection pending
6158 * just unlock as there is nothing to cleanup.
6163 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
6165 bt_dev_err(hdev, "no memory for new connection");
6169 conn->dst_type = bdaddr_type;
6171 /* If we didn't have a hci_conn object previously
6172 * but we're in central role this must be something
6173 * initiated using an accept list. Since accept list based
6174 * connections are not "first class citizens" we don't
6175 * have full tracking of them. Therefore, we go ahead
6176 * with a "best effort" approach of determining the
6177 * initiator address based on the HCI_PRIVACY flag.
6180 conn->resp_addr_type = bdaddr_type;
6181 bacpy(&conn->resp_addr, bdaddr);
6182 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6183 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6184 bacpy(&conn->init_addr, &hdev->rpa);
6186 hci_copy_identity_address(hdev,
6188 &conn->init_addr_type);
6193 /* LE auto connect */
6194 bacpy(&conn->dst, bdaddr);
6196 cancel_delayed_work(&conn->le_conn_timeout);
6199 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6200 * Processing it more than once per connection can corrupt kernel memory.
6202 * As the connection handle is set here for the first time, it indicates
6203 * whether the connection is already set up.
6205 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
6206 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6210 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6212 /* Lookup the identity address from the stored connection
6213 * address and address type.
6215 * When establishing connections to an identity address, the
6216 * connection procedure will store the resolvable random
6217 * address first. Now if it can be converted back into the
6218 * identity address, start using the identity address from
6221 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6223 bacpy(&conn->dst, &irk->bdaddr);
6224 conn->dst_type = irk->addr_type;
6227 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6229 /* All connection failure handling is taken care of by the
6230 * hci_conn_failed function which is triggered by the HCI
6231 * request completion callbacks used for connecting.
6233 if (status || hci_conn_set_handle(conn, handle))
6236 /* Drop the connection if it has been aborted */
6237 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6238 hci_conn_drop(conn);
6242 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6243 addr_type = BDADDR_LE_PUBLIC;
6245 addr_type = BDADDR_LE_RANDOM;
6247 /* Drop the connection if the device is blocked */
6248 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6249 hci_conn_drop(conn);
6253 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6254 mgmt_device_connected(hdev, conn, NULL, 0);
6256 conn->sec_level = BT_SECURITY_LOW;
6257 conn->state = BT_CONFIG;
6259 conn->le_conn_interval = interval;
6260 conn->le_conn_latency = latency;
6261 conn->le_supv_timeout = supervision_timeout;
6263 hci_debugfs_create_conn(conn);
6264 hci_conn_add_sysfs(conn);
6266 /* The remote features procedure is defined for central
6267 * role only. So only in case of an initiated connection
6268 * request the remote features.
6270 * If the local controller supports peripheral-initiated features
6271 * exchange, then requesting the remote features in peripheral
6272 * role is possible. Otherwise just transition into the
6273 * connected state without requesting the remote features.
6276 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6277 struct hci_cp_le_read_remote_features cp;
6279 cp.handle = __cpu_to_le16(conn->handle);
6281 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6284 hci_conn_hold(conn);
6286 conn->state = BT_CONNECTED;
6287 hci_connect_cfm(conn, status);
6290 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6293 hci_pend_le_list_del_init(params);
6295 hci_conn_drop(params->conn);
6296 hci_conn_put(params->conn);
6297 params->conn = NULL;
6302 hci_update_passive_scan(hdev);
6303 hci_dev_unlock(hdev);
6306 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6307 struct sk_buff *skb)
6309 struct hci_ev_le_conn_complete *ev = data;
6311 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6313 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6314 NULL, ev->role, le16_to_cpu(ev->handle),
6315 le16_to_cpu(ev->interval),
6316 le16_to_cpu(ev->latency),
6317 le16_to_cpu(ev->supervision_timeout));
6320 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6321 struct sk_buff *skb)
6323 struct hci_ev_le_enh_conn_complete *ev = data;
6325 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6327 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6328 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6329 le16_to_cpu(ev->interval),
6330 le16_to_cpu(ev->latency),
6331 le16_to_cpu(ev->supervision_timeout));
6334 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6335 struct sk_buff *skb)
6337 struct hci_evt_le_ext_adv_set_term *ev = data;
6338 struct hci_conn *conn;
6341 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6343 /* The Bluetooth Core 5.3 specification clearly states that this event
6344 * shall not be sent when the Host disables the advertising set. So in
6345 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6347 * When the Host disables an advertising set, all cleanup is done via
6348 * its command callback and not needed to be duplicated here.
6350 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6351 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6359 struct adv_info *adv;
6360 adv = hci_find_adv_instance(hdev, ev->handle);
6364 /* Remove advertising as it has been terminated */
6365 hci_remove_adv_instance(hdev, ev->handle);
6366 mgmt_advertising_removed(NULL, hdev, ev->handle);
6368 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6373 /* We are no longer advertising, clear HCI_LE_ADV */
6374 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6378 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6380 struct adv_info *adv_instance;
6382 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6383 bacmp(&conn->resp_addr, BDADDR_ANY))
6387 bacpy(&conn->resp_addr, &hdev->random_addr);
6391 adv_instance = hci_find_adv_instance(hdev, ev->handle);
6393 bacpy(&conn->resp_addr, &adv_instance->random_addr);
6397 hci_dev_unlock(hdev);
6400 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6401 struct sk_buff *skb)
6403 struct hci_ev_le_conn_update_complete *ev = data;
6404 struct hci_conn *conn;
6406 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6417 hci_dev_unlock(hdev);
6418 mgmt_le_conn_update_failed(hdev, &conn->dst,
6419 conn->type, conn->dst_type, ev->status);
6423 conn->le_conn_interval = le16_to_cpu(ev->interval);
6424 conn->le_conn_latency = le16_to_cpu(ev->latency);
6425 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6428 hci_dev_unlock(hdev);
6431 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6432 conn->dst_type, conn->le_conn_interval,
6433 conn->le_conn_latency, conn->le_supv_timeout);
6437 /* This function requires the caller holds hdev->lock */
6438 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6440 u8 addr_type, bool addr_resolved,
6443 struct hci_conn *conn;
6444 struct hci_conn_params *params;
6446 /* If the event is not connectable don't proceed further */
6447 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6450 /* Ignore if the device is blocked or hdev is suspended */
6451 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6455 /* Most controller will fail if we try to create new connections
6456 * while we have an existing one in peripheral role.
6458 if (hdev->conn_hash.le_num_peripheral > 0 &&
6459 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6460 !(hdev->le_states[3] & 0x10)))
6463 /* If we're not connectable only connect devices that we have in
6464 * our pend_le_conns list.
6466 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6471 if (!params->explicit_connect) {
6472 switch (params->auto_connect) {
6473 case HCI_AUTO_CONN_DIRECT:
6474 /* Only devices advertising with ADV_DIRECT_IND are
6475 * triggering a connection attempt. This is allowing
6476 * incoming connections from peripheral devices.
6478 if (adv_type != LE_ADV_DIRECT_IND)
6481 case HCI_AUTO_CONN_ALWAYS:
6482 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6483 * are triggering a connection attempt. This means
6484 * that incoming connections from peripheral device are
6485 * accepted and also outgoing connections to peripheral
6486 * devices are established when found.
6494 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6495 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6497 if (!IS_ERR(conn)) {
6498 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6499 * by higher layer that tried to connect, if no then
6500 * store the pointer since we don't really have any
6501 * other owner of the object besides the params that
6502 * triggered it. This way we can abort the connection if
6503 * the parameters get removed and keep the reference
6504 * count consistent once the connection is established.
6507 if (!params->explicit_connect)
6508 params->conn = hci_conn_get(conn);
6513 switch (PTR_ERR(conn)) {
6515 /* If hci_connect() returns -EBUSY it means there is already
6516 * an LE connection attempt going on. Since controllers don't
6517 * support more than one connection attempt at the time, we
6518 * don't consider this an error case.
6522 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6529 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6530 u8 bdaddr_type, bdaddr_t *direct_addr,
6531 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6532 bool ext_adv, bool ctl_time, u64 instant)
6535 struct discovery_state *d = &hdev->discovery;
6538 struct smp_irk *irk;
6539 struct hci_conn *conn;
6540 bool bdaddr_resolved;
6546 case LE_ADV_DIRECT_IND:
6547 case LE_ADV_SCAN_IND:
6548 case LE_ADV_NONCONN_IND:
6549 case LE_ADV_SCAN_RSP:
6552 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6553 "type: 0x%02x", type);
6557 if (len > max_adv_len(hdev)) {
6558 bt_dev_err_ratelimited(hdev,
6559 "adv larger than maximum supported");
6563 /* Find the end of the data in case the report contains padded zero
6564 * bytes at the end causing an invalid length value.
6566 * When data is NULL, len is 0 so there is no need for extra ptr
6567 * check as 'ptr < data + 0' is already false in such case.
6569 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6570 if (ptr + 1 + *ptr > data + len)
6574 /* Adjust for actual length. This handles the case when remote
6575 * device is advertising with incorrect data length.
6579 /* If the direct address is present, then this report is from
6580 * a LE Direct Advertising Report event. In that case it is
6581 * important to see if the address is matching the local
6582 * controller address.
6584 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6585 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6588 /* Only resolvable random addresses are valid for these
6589 * kind of reports and others can be ignored.
6591 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6594 /* If the controller is not using resolvable random
6595 * addresses, then this report can be ignored.
6597 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6600 /* If the local IRK of the controller does not match
6601 * with the resolvable random address provided, then
6602 * this report can be ignored.
6604 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6608 /* Check if we need to convert to identity address */
6609 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6611 bdaddr = &irk->bdaddr;
6612 bdaddr_type = irk->addr_type;
6615 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6617 /* Check if we have been requested to connect to this device.
6619 * direct_addr is set only for directed advertising reports (it is NULL
6620 * for advertising reports) and is already verified to be RPA above.
6622 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6624 if (!ext_adv && conn && type == LE_ADV_IND &&
6625 len <= max_adv_len(hdev)) {
6626 /* Store report for later inclusion by
6627 * mgmt_device_connected
6629 memcpy(conn->le_adv_data, data, len);
6630 conn->le_adv_data_len = len;
6633 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6634 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6638 /* All scan results should be sent up for Mesh systems */
6639 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6640 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6641 rssi, flags, data, len, NULL, 0, instant);
6645 /* Passive scanning shouldn't trigger any device found events,
6646 * except for devices marked as CONN_REPORT for which we do send
6647 * device found events, or advertisement monitoring requested.
6649 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6650 if (type == LE_ADV_DIRECT_IND)
6654 /* Handle all adv packet in platform */
6655 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6656 bdaddr, bdaddr_type) &&
6657 idr_is_empty(&hdev->adv_monitors_idr))
6662 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6663 rssi, flags, data, len, NULL, 0, type);
6665 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6666 rssi, flags, data, len, NULL, 0, 0);
6671 /* When receiving a scan response, then there is no way to
6672 * know if the remote device is connectable or not. However
6673 * since scan responses are merged with a previously seen
6674 * advertising report, the flags field from that report
6677 * In the unlikely case that a controller just sends a scan
6678 * response event that doesn't match the pending report, then
6679 * it is marked as a standalone SCAN_RSP.
6681 if (type == LE_ADV_SCAN_RSP)
6682 flags = MGMT_DEV_FOUND_SCAN_RSP;
6685 /* Disable adv ind and scan rsp merging */
6686 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6687 rssi, flags, data, len, NULL, 0, type);
6689 /* If there's nothing pending either store the data from this
6690 * event or send an immediate device found event if the data
6691 * should not be stored for later.
6693 if (!ext_adv && !has_pending_adv_report(hdev)) {
6694 /* If the report will trigger a SCAN_REQ store it for
6697 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6698 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6699 rssi, flags, data, len);
6703 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6704 rssi, flags, data, len, NULL, 0, 0);
6708 /* Check if the pending report is for the same device as the new one */
6709 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6710 bdaddr_type == d->last_adv_addr_type);
6712 /* If the pending data doesn't match this report or this isn't a
6713 * scan response (e.g. we got a duplicate ADV_IND) then force
6714 * sending of the pending data.
6716 if (type != LE_ADV_SCAN_RSP || !match) {
6717 /* Send out whatever is in the cache, but skip duplicates */
6719 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6720 d->last_adv_addr_type, NULL,
6721 d->last_adv_rssi, d->last_adv_flags,
6723 d->last_adv_data_len, NULL, 0, 0);
6725 /* If the new report will trigger a SCAN_REQ store it for
6728 if (!ext_adv && (type == LE_ADV_IND ||
6729 type == LE_ADV_SCAN_IND)) {
6730 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6731 rssi, flags, data, len);
6735 /* The advertising reports cannot be merged, so clear
6736 * the pending report and send out a device found event.
6738 clear_pending_adv_report(hdev);
6739 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6740 rssi, flags, data, len, NULL, 0, 0);
6744 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6745 * the new event is a SCAN_RSP. We can therefore proceed with
6746 * sending a merged device found event.
6748 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6749 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6750 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6751 clear_pending_adv_report(hdev);
6755 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6756 struct sk_buff *skb)
6758 struct hci_ev_le_advertising_report *ev = data;
6759 u64 instant = jiffies;
6767 struct hci_ev_le_advertising_info *info;
6770 info = hci_le_ev_skb_pull(hdev, skb,
6771 HCI_EV_LE_ADVERTISING_REPORT,
6776 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6780 if (info->length <= max_adv_len(hdev)) {
6781 rssi = info->data[info->length];
6782 process_adv_report(hdev, info->type, &info->bdaddr,
6783 info->bdaddr_type, NULL, 0, rssi,
6784 info->data, info->length, false,
6787 bt_dev_err(hdev, "Dropping invalid advertising data");
6791 hci_dev_unlock(hdev);
6794 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6796 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6798 case LE_LEGACY_ADV_IND:
6800 case LE_LEGACY_ADV_DIRECT_IND:
6801 return LE_ADV_DIRECT_IND;
6802 case LE_LEGACY_ADV_SCAN_IND:
6803 return LE_ADV_SCAN_IND;
6804 case LE_LEGACY_NONCONN_IND:
6805 return LE_ADV_NONCONN_IND;
6806 case LE_LEGACY_SCAN_RSP_ADV:
6807 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6808 return LE_ADV_SCAN_RSP;
6814 if (evt_type & LE_EXT_ADV_CONN_IND) {
6815 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6816 return LE_ADV_DIRECT_IND;
6821 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6822 return LE_ADV_SCAN_RSP;
6824 if (evt_type & LE_EXT_ADV_SCAN_IND)
6825 return LE_ADV_SCAN_IND;
6827 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6828 evt_type & LE_EXT_ADV_DIRECT_IND)
6829 return LE_ADV_NONCONN_IND;
6832 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6835 return LE_ADV_INVALID;
6838 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6839 struct sk_buff *skb)
6841 struct hci_ev_le_ext_adv_report *ev = data;
6842 u64 instant = jiffies;
6850 struct hci_ev_le_ext_adv_info *info;
6854 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6859 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6863 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6864 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6865 if (legacy_evt_type != LE_ADV_INVALID) {
6866 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6867 info->bdaddr_type, NULL, 0,
6868 info->rssi, info->data, info->length,
6869 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6874 hci_dev_unlock(hdev);
6877 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6879 struct hci_cp_le_pa_term_sync cp;
6881 memset(&cp, 0, sizeof(cp));
6884 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6887 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6888 struct sk_buff *skb)
6890 struct hci_ev_le_pa_sync_established *ev = data;
6891 int mask = hdev->link_mode;
6893 struct hci_conn *pa_sync;
6895 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6899 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6901 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6902 if (!(mask & HCI_LM_ACCEPT)) {
6903 hci_le_pa_term_sync(hdev, ev->handle);
6907 if (!(flags & HCI_PROTO_DEFER))
6911 /* Add connection to indicate the failed PA sync event */
6912 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6918 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6920 /* Notify iso layer */
6921 hci_connect_cfm(pa_sync, ev->status);
6925 hci_dev_unlock(hdev);
6928 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6929 struct sk_buff *skb)
6931 struct hci_ev_le_per_adv_report *ev = data;
6932 int mask = hdev->link_mode;
6935 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6939 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6940 if (!(mask & HCI_LM_ACCEPT))
6941 hci_le_pa_term_sync(hdev, ev->sync_handle);
6943 hci_dev_unlock(hdev);
6946 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6947 struct sk_buff *skb)
6949 struct hci_ev_le_remote_feat_complete *ev = data;
6950 struct hci_conn *conn;
6952 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6956 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6959 memcpy(conn->features[0], ev->features, 8);
6961 if (conn->state == BT_CONFIG) {
6964 /* If the local controller supports peripheral-initiated
6965 * features exchange, but the remote controller does
6966 * not, then it is possible that the error code 0x1a
6967 * for unsupported remote feature gets returned.
6969 * In this specific case, allow the connection to
6970 * transition into connected state and mark it as
6973 if (!conn->out && ev->status == 0x1a &&
6974 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6977 status = ev->status;
6979 conn->state = BT_CONNECTED;
6980 hci_connect_cfm(conn, status);
6981 hci_conn_drop(conn);
6985 hci_dev_unlock(hdev);
6988 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6989 struct sk_buff *skb)
6991 struct hci_ev_le_ltk_req *ev = data;
6992 struct hci_cp_le_ltk_reply cp;
6993 struct hci_cp_le_ltk_neg_reply neg;
6994 struct hci_conn *conn;
6995 struct smp_ltk *ltk;
6997 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
7001 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7005 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
7009 if (smp_ltk_is_sc(ltk)) {
7010 /* With SC both EDiv and Rand are set to zero */
7011 if (ev->ediv || ev->rand)
7014 /* For non-SC keys check that EDiv and Rand match */
7015 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
7019 memcpy(cp.ltk, ltk->val, ltk->enc_size);
7020 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
7021 cp.handle = cpu_to_le16(conn->handle);
7023 conn->pending_sec_level = smp_ltk_sec_level(ltk);
7025 conn->enc_key_size = ltk->enc_size;
7027 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
7029 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
7030 * temporary key used to encrypt a connection following
7031 * pairing. It is used during the Encrypted Session Setup to
7032 * distribute the keys. Later, security can be re-established
7033 * using a distributed LTK.
7035 if (ltk->type == SMP_STK) {
7036 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
7037 list_del_rcu(<k->list);
7038 kfree_rcu(ltk, rcu);
7040 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
7043 hci_dev_unlock(hdev);
7048 neg.handle = ev->handle;
7049 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
7050 hci_dev_unlock(hdev);
7053 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
7056 struct hci_cp_le_conn_param_req_neg_reply cp;
7058 cp.handle = cpu_to_le16(handle);
7061 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
7065 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
7066 struct sk_buff *skb)
7068 struct hci_ev_le_remote_conn_param_req *ev = data;
7069 struct hci_cp_le_conn_param_req_reply cp;
7070 struct hci_conn *hcon;
7071 u16 handle, min, max, latency, timeout;
7073 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
7075 handle = le16_to_cpu(ev->handle);
7076 min = le16_to_cpu(ev->interval_min);
7077 max = le16_to_cpu(ev->interval_max);
7078 latency = le16_to_cpu(ev->latency);
7079 timeout = le16_to_cpu(ev->timeout);
7081 hcon = hci_conn_hash_lookup_handle(hdev, handle);
7082 if (!hcon || hcon->state != BT_CONNECTED)
7083 return send_conn_param_neg_reply(hdev, handle,
7084 HCI_ERROR_UNKNOWN_CONN_ID);
7086 if (hci_check_conn_params(min, max, latency, timeout))
7087 return send_conn_param_neg_reply(hdev, handle,
7088 HCI_ERROR_INVALID_LL_PARAMS);
7090 if (hcon->role == HCI_ROLE_MASTER) {
7091 struct hci_conn_params *params;
7096 params = hci_conn_params_lookup(hdev, &hcon->dst,
7099 params->conn_min_interval = min;
7100 params->conn_max_interval = max;
7101 params->conn_latency = latency;
7102 params->supervision_timeout = timeout;
7108 hci_dev_unlock(hdev);
7110 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
7111 store_hint, min, max, latency, timeout);
7114 cp.handle = ev->handle;
7115 cp.interval_min = ev->interval_min;
7116 cp.interval_max = ev->interval_max;
7117 cp.latency = ev->latency;
7118 cp.timeout = ev->timeout;
7122 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
7125 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
7126 struct sk_buff *skb)
7128 struct hci_ev_le_direct_adv_report *ev = data;
7129 u64 instant = jiffies;
7132 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
7133 flex_array_size(ev, info, ev->num)))
7141 for (i = 0; i < ev->num; i++) {
7142 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
7144 process_adv_report(hdev, info->type, &info->bdaddr,
7145 info->bdaddr_type, &info->direct_addr,
7146 info->direct_addr_type, info->rssi, NULL, 0,
7147 false, false, instant);
7150 hci_dev_unlock(hdev);
7153 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
7154 struct sk_buff *skb)
7156 struct hci_ev_le_phy_update_complete *ev = data;
7157 struct hci_conn *conn;
7159 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7166 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7170 conn->le_tx_phy = ev->tx_phy;
7171 conn->le_rx_phy = ev->rx_phy;
7174 hci_dev_unlock(hdev);
7177 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7178 struct sk_buff *skb)
7180 struct hci_evt_le_cis_established *ev = data;
7181 struct hci_conn *conn;
7182 struct bt_iso_qos *qos;
7183 bool pending = false;
7184 u16 handle = __le16_to_cpu(ev->handle);
7186 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7190 conn = hci_conn_hash_lookup_handle(hdev, handle);
7193 "Unable to find connection with handle 0x%4.4x",
7198 if (conn->type != ISO_LINK) {
7200 "Invalid connection link type handle 0x%4.4x",
7205 qos = &conn->iso_qos;
7207 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
7209 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
7210 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
7211 qos->ucast.out.interval = qos->ucast.in.interval;
7213 switch (conn->role) {
7214 case HCI_ROLE_SLAVE:
7215 /* Convert Transport Latency (us) to Latency (msec) */
7216 qos->ucast.in.latency =
7217 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7219 qos->ucast.out.latency =
7220 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7222 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
7223 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
7224 qos->ucast.in.phy = ev->c_phy;
7225 qos->ucast.out.phy = ev->p_phy;
7227 case HCI_ROLE_MASTER:
7228 /* Convert Transport Latency (us) to Latency (msec) */
7229 qos->ucast.out.latency =
7230 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7232 qos->ucast.in.latency =
7233 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7235 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
7236 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
7237 qos->ucast.out.phy = ev->c_phy;
7238 qos->ucast.in.phy = ev->p_phy;
7243 conn->state = BT_CONNECTED;
7244 hci_debugfs_create_conn(conn);
7245 hci_conn_add_sysfs(conn);
7246 hci_iso_setup_path(conn);
7250 conn->state = BT_CLOSED;
7251 hci_connect_cfm(conn, ev->status);
7256 hci_le_create_cis_pending(hdev);
7258 hci_dev_unlock(hdev);
7261 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7263 struct hci_cp_le_reject_cis cp;
7265 memset(&cp, 0, sizeof(cp));
7267 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7268 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7271 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7273 struct hci_cp_le_accept_cis cp;
7275 memset(&cp, 0, sizeof(cp));
7277 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7280 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7281 struct sk_buff *skb)
7283 struct hci_evt_le_cis_req *ev = data;
7284 u16 acl_handle, cis_handle;
7285 struct hci_conn *acl, *cis;
7289 acl_handle = __le16_to_cpu(ev->acl_handle);
7290 cis_handle = __le16_to_cpu(ev->cis_handle);
7292 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7293 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7297 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7301 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7302 if (!(mask & HCI_LM_ACCEPT)) {
7303 hci_le_reject_cis(hdev, ev->cis_handle);
7307 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7309 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7312 hci_le_reject_cis(hdev, ev->cis_handle);
7317 cis->iso_qos.ucast.cig = ev->cig_id;
7318 cis->iso_qos.ucast.cis = ev->cis_id;
7320 if (!(flags & HCI_PROTO_DEFER)) {
7321 hci_le_accept_cis(hdev, ev->cis_handle);
7323 cis->state = BT_CONNECT2;
7324 hci_connect_cfm(cis, 0);
7328 hci_dev_unlock(hdev);
7331 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7333 u8 handle = PTR_UINT(data);
7335 return hci_le_terminate_big_sync(hdev, handle,
7336 HCI_ERROR_LOCAL_HOST_TERM);
7339 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7340 struct sk_buff *skb)
7342 struct hci_evt_le_create_big_complete *ev = data;
7343 struct hci_conn *conn;
7346 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7348 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7349 flex_array_size(ev, bis_handle, ev->num_bis)))
7355 /* Connect all BISes that are bound to the BIG */
7356 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7357 if (bacmp(&conn->dst, BDADDR_ANY) ||
7358 conn->type != ISO_LINK ||
7359 conn->iso_qos.bcast.big != ev->handle)
7362 if (hci_conn_set_handle(conn,
7363 __le16_to_cpu(ev->bis_handle[i++])))
7367 conn->state = BT_CONNECTED;
7368 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7370 hci_debugfs_create_conn(conn);
7371 hci_conn_add_sysfs(conn);
7372 hci_iso_setup_path(conn);
7377 hci_connect_cfm(conn, ev->status);
7385 if (!ev->status && !i)
7386 /* If no BISes have been connected for the BIG,
7387 * terminate. This is in case all bound connections
7388 * have been closed before the BIG creation
7391 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7392 UINT_PTR(ev->handle), NULL);
7394 hci_dev_unlock(hdev);
7397 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7398 struct sk_buff *skb)
7400 struct hci_evt_le_big_sync_estabilished *ev = data;
7401 struct hci_conn *bis;
7402 struct hci_conn *pa_sync;
7405 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7407 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7408 flex_array_size(ev, bis, ev->num_bis)))
7414 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7416 /* Also mark the BIG sync established event on the
7417 * associated PA sync hcon
7419 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7422 for (i = 0; i < ev->num_bis; i++) {
7423 u16 handle = le16_to_cpu(ev->bis[i]);
7426 bis = hci_conn_hash_lookup_handle(hdev, handle);
7428 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7429 HCI_ROLE_SLAVE, handle);
7434 if (ev->status != 0x42)
7435 /* Mark PA sync as established */
7436 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7438 bis->iso_qos.bcast.big = ev->handle;
7439 memset(&interval, 0, sizeof(interval));
7440 memcpy(&interval, ev->latency, sizeof(ev->latency));
7441 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7442 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7443 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7444 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7447 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7448 hci_iso_setup_path(bis);
7452 /* In case BIG sync failed, notify each failed connection to
7453 * the user after all hci connections have been added
7456 for (i = 0; i < ev->num_bis; i++) {
7457 u16 handle = le16_to_cpu(ev->bis[i]);
7459 bis = hci_conn_hash_lookup_handle(hdev, handle);
7461 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7462 hci_connect_cfm(bis, ev->status);
7465 hci_dev_unlock(hdev);
7468 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7469 struct sk_buff *skb)
7471 struct hci_evt_le_big_info_adv_report *ev = data;
7472 int mask = hdev->link_mode;
7474 struct hci_conn *pa_sync;
7476 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7480 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7481 if (!(mask & HCI_LM_ACCEPT)) {
7482 hci_le_pa_term_sync(hdev, ev->sync_handle);
7486 if (!(flags & HCI_PROTO_DEFER))
7489 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7491 le16_to_cpu(ev->sync_handle));
7496 /* Add connection to indicate the PA sync event */
7497 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7503 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7504 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7506 /* Notify iso layer */
7507 hci_connect_cfm(pa_sync, 0x00);
7510 hci_dev_unlock(hdev);
7513 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7516 .min_len = _min_len, \
7517 .max_len = _max_len, \
7520 #define HCI_LE_EV(_op, _func, _len) \
7521 HCI_LE_EV_VL(_op, _func, _len, _len)
7523 #define HCI_LE_EV_STATUS(_op, _func) \
7524 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7526 /* Entries in this table shall have their position according to the subevent
7527 * opcode they handle so the use of the macros above is recommend since it does
7528 * attempt to initialize at its proper index using Designated Initializers that
7529 * way events without a callback function can be ommited.
7531 static const struct hci_le_ev {
7532 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7535 } hci_le_ev_table[U8_MAX + 1] = {
7536 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7537 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7538 sizeof(struct hci_ev_le_conn_complete)),
7539 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7540 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7541 sizeof(struct hci_ev_le_advertising_report),
7542 HCI_MAX_EVENT_SIZE),
7543 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7544 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7545 hci_le_conn_update_complete_evt,
7546 sizeof(struct hci_ev_le_conn_update_complete)),
7547 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7548 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7549 hci_le_remote_feat_complete_evt,
7550 sizeof(struct hci_ev_le_remote_feat_complete)),
7551 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7552 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7553 sizeof(struct hci_ev_le_ltk_req)),
7554 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7555 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7556 hci_le_remote_conn_param_req_evt,
7557 sizeof(struct hci_ev_le_remote_conn_param_req)),
7559 /* [0x07 = HCI_EV_LE_DATA_LEN_CHANGE] */
7560 HCI_LE_EV(HCI_EV_LE_DATA_LEN_CHANGE,
7561 hci_le_data_length_changed_complete_evt,
7562 sizeof(struct hci_ev_le_data_len_change)),
7564 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7565 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7566 hci_le_enh_conn_complete_evt,
7567 sizeof(struct hci_ev_le_enh_conn_complete)),
7568 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7569 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7570 sizeof(struct hci_ev_le_direct_adv_report),
7571 HCI_MAX_EVENT_SIZE),
7572 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7573 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7574 sizeof(struct hci_ev_le_phy_update_complete)),
7575 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7576 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7577 sizeof(struct hci_ev_le_ext_adv_report),
7578 HCI_MAX_EVENT_SIZE),
7579 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7580 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7581 hci_le_pa_sync_estabilished_evt,
7582 sizeof(struct hci_ev_le_pa_sync_established)),
7583 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7584 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7585 hci_le_per_adv_report_evt,
7586 sizeof(struct hci_ev_le_per_adv_report),
7587 HCI_MAX_EVENT_SIZE),
7588 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7589 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7590 sizeof(struct hci_evt_le_ext_adv_set_term)),
7591 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7592 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7593 sizeof(struct hci_evt_le_cis_established)),
7594 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7595 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7596 sizeof(struct hci_evt_le_cis_req)),
7597 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7598 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7599 hci_le_create_big_complete_evt,
7600 sizeof(struct hci_evt_le_create_big_complete),
7601 HCI_MAX_EVENT_SIZE),
7602 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7603 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7604 hci_le_big_sync_established_evt,
7605 sizeof(struct hci_evt_le_big_sync_estabilished),
7606 HCI_MAX_EVENT_SIZE),
7607 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7608 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7609 hci_le_big_info_adv_report_evt,
7610 sizeof(struct hci_evt_le_big_info_adv_report),
7611 HCI_MAX_EVENT_SIZE),
7614 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7615 struct sk_buff *skb, u16 *opcode, u8 *status,
7616 hci_req_complete_t *req_complete,
7617 hci_req_complete_skb_t *req_complete_skb)
7619 struct hci_ev_le_meta *ev = data;
7620 const struct hci_le_ev *subev;
7622 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7624 /* Only match event if command OGF is for LE */
7625 if (hdev->sent_cmd &&
7626 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7627 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7628 *opcode = hci_skb_opcode(hdev->sent_cmd);
7629 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7633 subev = &hci_le_ev_table[ev->subevent];
7637 if (skb->len < subev->min_len) {
7638 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7639 ev->subevent, skb->len, subev->min_len);
7643 /* Just warn if the length is over max_len size it still be
7644 * possible to partially parse the event so leave to callback to
7645 * decide if that is acceptable.
7647 if (skb->len > subev->max_len)
7648 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7649 ev->subevent, skb->len, subev->max_len);
7650 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7654 subev->func(hdev, data, skb);
7657 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7658 u8 event, struct sk_buff *skb)
7660 struct hci_ev_cmd_complete *ev;
7661 struct hci_event_hdr *hdr;
7666 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7671 if (hdr->evt != event)
7676 /* Check if request ended in Command Status - no way to retrieve
7677 * any extra parameters in this case.
7679 if (hdr->evt == HCI_EV_CMD_STATUS)
7682 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7683 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7688 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7692 if (opcode != __le16_to_cpu(ev->opcode)) {
7693 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7694 __le16_to_cpu(ev->opcode));
7701 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7702 struct sk_buff *skb)
7704 struct hci_ev_le_advertising_info *adv;
7705 struct hci_ev_le_direct_adv_info *direct_adv;
7706 struct hci_ev_le_ext_adv_info *ext_adv;
7707 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7708 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7712 /* If we are currently suspended and this is the first BT event seen,
7713 * save the wake reason associated with the event.
7715 if (!hdev->suspended || hdev->wake_reason)
7718 /* Default to remote wake. Values for wake_reason are documented in the
7719 * Bluez mgmt api docs.
7721 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7723 /* Once configured for remote wakeup, we should only wake up for
7724 * reconnections. It's useful to see which device is waking us up so
7725 * keep track of the bdaddr of the connection event that woke us up.
7727 if (event == HCI_EV_CONN_REQUEST) {
7728 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7729 hdev->wake_addr_type = BDADDR_BREDR;
7730 } else if (event == HCI_EV_CONN_COMPLETE) {
7731 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7732 hdev->wake_addr_type = BDADDR_BREDR;
7733 } else if (event == HCI_EV_LE_META) {
7734 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7735 u8 subevent = le_ev->subevent;
7736 u8 *ptr = &skb->data[sizeof(*le_ev)];
7737 u8 num_reports = *ptr;
7739 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7740 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7741 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7743 adv = (void *)(ptr + 1);
7744 direct_adv = (void *)(ptr + 1);
7745 ext_adv = (void *)(ptr + 1);
7748 case HCI_EV_LE_ADVERTISING_REPORT:
7749 bacpy(&hdev->wake_addr, &adv->bdaddr);
7750 hdev->wake_addr_type = adv->bdaddr_type;
7752 case HCI_EV_LE_DIRECT_ADV_REPORT:
7753 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7754 hdev->wake_addr_type = direct_adv->bdaddr_type;
7756 case HCI_EV_LE_EXT_ADV_REPORT:
7757 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7758 hdev->wake_addr_type = ext_adv->bdaddr_type;
7763 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7767 hci_dev_unlock(hdev);
7770 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7774 .min_len = _min_len, \
7775 .max_len = _max_len, \
7778 #define HCI_EV(_op, _func, _len) \
7779 HCI_EV_VL(_op, _func, _len, _len)
7781 #define HCI_EV_STATUS(_op, _func) \
7782 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7784 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7787 .func_req = _func, \
7788 .min_len = _min_len, \
7789 .max_len = _max_len, \
7792 #define HCI_EV_REQ(_op, _func, _len) \
7793 HCI_EV_REQ_VL(_op, _func, _len, _len)
7795 /* Entries in this table shall have their position according to the event opcode
7796 * they handle so the use of the macros above is recommend since it does attempt
7797 * to initialize at its proper index using Designated Initializers that way
7798 * events without a callback function don't have entered.
7800 static const struct hci_ev {
7803 void (*func)(struct hci_dev *hdev, void *data,
7804 struct sk_buff *skb);
7805 void (*func_req)(struct hci_dev *hdev, void *data,
7806 struct sk_buff *skb, u16 *opcode, u8 *status,
7807 hci_req_complete_t *req_complete,
7808 hci_req_complete_skb_t *req_complete_skb);
7812 } hci_ev_table[U8_MAX + 1] = {
7813 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7814 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7815 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7816 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7817 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7818 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7819 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7820 sizeof(struct hci_ev_conn_complete)),
7821 /* [0x04 = HCI_EV_CONN_REQUEST] */
7822 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7823 sizeof(struct hci_ev_conn_request)),
7824 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7825 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7826 sizeof(struct hci_ev_disconn_complete)),
7827 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7828 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7829 sizeof(struct hci_ev_auth_complete)),
7830 /* [0x07 = HCI_EV_REMOTE_NAME] */
7831 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7832 sizeof(struct hci_ev_remote_name)),
7833 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7834 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7835 sizeof(struct hci_ev_encrypt_change)),
7836 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7837 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7838 hci_change_link_key_complete_evt,
7839 sizeof(struct hci_ev_change_link_key_complete)),
7840 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7841 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7842 sizeof(struct hci_ev_remote_features)),
7843 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7844 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7845 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7846 /* [0x0f = HCI_EV_CMD_STATUS] */
7847 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7848 sizeof(struct hci_ev_cmd_status)),
7849 /* [0x10 = HCI_EV_CMD_STATUS] */
7850 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7851 sizeof(struct hci_ev_hardware_error)),
7852 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7853 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7854 sizeof(struct hci_ev_role_change)),
7855 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7856 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7857 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7858 /* [0x14 = HCI_EV_MODE_CHANGE] */
7859 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7860 sizeof(struct hci_ev_mode_change)),
7861 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7862 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7863 sizeof(struct hci_ev_pin_code_req)),
7864 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7865 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7866 sizeof(struct hci_ev_link_key_req)),
7867 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7868 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7869 sizeof(struct hci_ev_link_key_notify)),
7870 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7871 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7872 sizeof(struct hci_ev_clock_offset)),
7873 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7874 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7875 sizeof(struct hci_ev_pkt_type_change)),
7876 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7877 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7878 sizeof(struct hci_ev_pscan_rep_mode)),
7879 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7880 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7881 hci_inquiry_result_with_rssi_evt,
7882 sizeof(struct hci_ev_inquiry_result_rssi),
7883 HCI_MAX_EVENT_SIZE),
7884 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7885 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7886 sizeof(struct hci_ev_remote_ext_features)),
7887 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7888 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7889 sizeof(struct hci_ev_sync_conn_complete)),
7890 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7891 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7892 hci_extended_inquiry_result_evt,
7893 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7894 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7895 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7896 sizeof(struct hci_ev_key_refresh_complete)),
7897 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7898 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7899 sizeof(struct hci_ev_io_capa_request)),
7900 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7901 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7902 sizeof(struct hci_ev_io_capa_reply)),
7903 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7904 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7905 sizeof(struct hci_ev_user_confirm_req)),
7906 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7907 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7908 sizeof(struct hci_ev_user_passkey_req)),
7909 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7910 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7911 sizeof(struct hci_ev_remote_oob_data_request)),
7912 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7913 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7914 sizeof(struct hci_ev_simple_pair_complete)),
7915 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7916 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7917 sizeof(struct hci_ev_user_passkey_notify)),
7918 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7919 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7920 sizeof(struct hci_ev_keypress_notify)),
7921 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7922 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7923 sizeof(struct hci_ev_remote_host_features)),
7924 /* [0x3e = HCI_EV_LE_META] */
7925 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7926 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7927 #if IS_ENABLED(CONFIG_BT_HS)
7928 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7929 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7930 sizeof(struct hci_ev_phy_link_complete)),
7931 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7932 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7933 sizeof(struct hci_ev_channel_selected)),
7934 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7935 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7936 hci_disconn_loglink_complete_evt,
7937 sizeof(struct hci_ev_disconn_logical_link_complete)),
7938 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7939 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7940 sizeof(struct hci_ev_logical_link_complete)),
7941 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7942 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7943 hci_disconn_phylink_complete_evt,
7944 sizeof(struct hci_ev_disconn_phy_link_complete)),
7946 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7947 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7948 sizeof(struct hci_ev_num_comp_blocks)),
7950 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7951 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7952 sizeof(struct hci_ev_vendor_specific)),
7954 /* [0xff = HCI_EV_VENDOR] */
7955 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7959 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7960 u16 *opcode, u8 *status,
7961 hci_req_complete_t *req_complete,
7962 hci_req_complete_skb_t *req_complete_skb)
7964 const struct hci_ev *ev = &hci_ev_table[event];
7970 if (skb->len < ev->min_len) {
7971 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7972 event, skb->len, ev->min_len);
7976 /* Just warn if the length is over max_len size it still be
7977 * possible to partially parse the event so leave to callback to
7978 * decide if that is acceptable.
7980 if (skb->len > ev->max_len)
7981 bt_dev_warn_ratelimited(hdev,
7982 "unexpected event 0x%2.2x length: %u > %u",
7983 event, skb->len, ev->max_len);
7985 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7990 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7993 ev->func(hdev, data, skb);
7996 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7998 struct hci_event_hdr *hdr = (void *) skb->data;
7999 hci_req_complete_t req_complete = NULL;
8000 hci_req_complete_skb_t req_complete_skb = NULL;
8001 struct sk_buff *orig_skb = NULL;
8002 u8 status = 0, event, req_evt = 0;
8003 u16 opcode = HCI_OP_NOP;
8005 if (skb->len < sizeof(*hdr)) {
8006 bt_dev_err(hdev, "Malformed HCI Event");
8010 kfree_skb(hdev->recv_event);
8011 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
8015 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
8020 /* Only match event if command OGF is not for LE */
8021 if (hdev->sent_cmd &&
8022 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
8023 hci_skb_event(hdev->sent_cmd) == event) {
8024 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
8025 status, &req_complete, &req_complete_skb);
8029 /* If it looks like we might end up having to call
8030 * req_complete_skb, store a pristine copy of the skb since the
8031 * various handlers may modify the original one through
8032 * skb_pull() calls, etc.
8034 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
8035 event == HCI_EV_CMD_COMPLETE)
8036 orig_skb = skb_clone(skb, GFP_KERNEL);
8038 skb_pull(skb, HCI_EVENT_HDR_SIZE);
8040 /* Store wake reason if we're suspended */
8041 hci_store_wake_reason(hdev, event, skb);
8043 bt_dev_dbg(hdev, "event 0x%2.2x", event);
8045 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
8049 req_complete(hdev, status, opcode);
8050 } else if (req_complete_skb) {
8051 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
8052 kfree_skb(orig_skb);
8055 req_complete_skb(hdev, status, opcode, orig_skb);
8059 kfree_skb(orig_skb);
8061 hdev->stat.evt_rx++;