2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 struct hci_cp_write_link_policy cp;
146 struct hci_conn *sco_conn;
149 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
154 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
160 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
162 conn->link_policy = get_unaligned_le16(sent + 2);
165 sco_conn = hci_conn_hash_lookup_sco(hdev);
166 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
167 conn->link_policy & HCI_LP_SNIFF) {
168 BT_ERR("SNIFF is not allowed during sco connection");
169 cp.handle = __cpu_to_le16(conn->handle);
170 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
171 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
175 hci_dev_unlock(hdev);
178 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
181 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
183 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
188 hdev->link_policy = __le16_to_cpu(rp->policy);
191 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
194 __u8 status = *((__u8 *) skb->data);
197 BT_DBG("%s status 0x%2.2x", hdev->name, status);
202 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
206 hdev->link_policy = get_unaligned_le16(sent);
209 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
211 __u8 status = *((__u8 *) skb->data);
213 BT_DBG("%s status 0x%2.2x", hdev->name, status);
215 clear_bit(HCI_RESET, &hdev->flags);
220 /* Reset all non-persistent flags */
221 hci_dev_clear_volatile_flags(hdev);
223 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
225 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
226 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
228 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
229 hdev->adv_data_len = 0;
231 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
232 hdev->scan_rsp_data_len = 0;
234 hdev->le_scan_type = LE_SCAN_PASSIVE;
236 hdev->ssp_debug_mode = 0;
238 hci_bdaddr_list_clear(&hdev->le_white_list);
239 hci_bdaddr_list_clear(&hdev->le_resolv_list);
242 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
245 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
246 struct hci_cp_read_stored_link_key *sent;
248 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
254 if (!rp->status && sent->read_all == 0x01) {
255 hdev->stored_max_keys = rp->max_keys;
256 hdev->stored_num_keys = rp->num_keys;
260 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
263 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
265 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
270 if (rp->num_keys <= hdev->stored_num_keys)
271 hdev->stored_num_keys -= rp->num_keys;
273 hdev->stored_num_keys = 0;
276 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 __u8 status = *((__u8 *) skb->data);
281 BT_DBG("%s status 0x%2.2x", hdev->name, status);
283 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
289 if (hci_dev_test_flag(hdev, HCI_MGMT))
290 mgmt_set_local_name_complete(hdev, sent, status);
292 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
294 hci_dev_unlock(hdev);
297 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
299 struct hci_rp_read_local_name *rp = (void *) skb->data;
301 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
306 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
307 hci_dev_test_flag(hdev, HCI_CONFIG))
308 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
311 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
313 __u8 status = *((__u8 *) skb->data);
316 BT_DBG("%s status 0x%2.2x", hdev->name, status);
318 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
325 __u8 param = *((__u8 *) sent);
327 if (param == AUTH_ENABLED)
328 set_bit(HCI_AUTH, &hdev->flags);
330 clear_bit(HCI_AUTH, &hdev->flags);
333 if (hci_dev_test_flag(hdev, HCI_MGMT))
334 mgmt_auth_enable_complete(hdev, status);
336 hci_dev_unlock(hdev);
339 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
341 __u8 status = *((__u8 *) skb->data);
345 BT_DBG("%s status 0x%2.2x", hdev->name, status);
350 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
354 param = *((__u8 *) sent);
357 set_bit(HCI_ENCRYPT, &hdev->flags);
359 clear_bit(HCI_ENCRYPT, &hdev->flags);
362 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
364 __u8 status = *((__u8 *) skb->data);
368 BT_DBG("%s status 0x%2.2x", hdev->name, status);
370 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
374 param = *((__u8 *) sent);
379 hdev->discov_timeout = 0;
383 if (param & SCAN_INQUIRY)
384 set_bit(HCI_ISCAN, &hdev->flags);
386 clear_bit(HCI_ISCAN, &hdev->flags);
388 if (param & SCAN_PAGE)
389 set_bit(HCI_PSCAN, &hdev->flags);
391 clear_bit(HCI_PSCAN, &hdev->flags);
394 hci_dev_unlock(hdev);
397 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
399 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
401 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
406 memcpy(hdev->dev_class, rp->dev_class, 3);
408 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
409 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
412 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
414 __u8 status = *((__u8 *) skb->data);
417 BT_DBG("%s status 0x%2.2x", hdev->name, status);
419 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
426 memcpy(hdev->dev_class, sent, 3);
428 if (hci_dev_test_flag(hdev, HCI_MGMT))
429 mgmt_set_class_of_dev_complete(hdev, sent, status);
431 hci_dev_unlock(hdev);
434 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
436 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
439 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
444 setting = __le16_to_cpu(rp->voice_setting);
446 if (hdev->voice_setting == setting)
449 hdev->voice_setting = setting;
451 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
454 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
457 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
460 __u8 status = *((__u8 *) skb->data);
464 BT_DBG("%s status 0x%2.2x", hdev->name, status);
469 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
473 setting = get_unaligned_le16(sent);
475 if (hdev->voice_setting == setting)
478 hdev->voice_setting = setting;
480 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
483 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
486 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
489 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
491 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
496 hdev->num_iac = rp->num_iac;
498 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
501 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
503 __u8 status = *((__u8 *) skb->data);
504 struct hci_cp_write_ssp_mode *sent;
506 BT_DBG("%s status 0x%2.2x", hdev->name, status);
508 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
516 hdev->features[1][0] |= LMP_HOST_SSP;
518 hdev->features[1][0] &= ~LMP_HOST_SSP;
521 if (hci_dev_test_flag(hdev, HCI_MGMT))
522 mgmt_ssp_enable_complete(hdev, sent->mode, status);
525 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
527 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
530 hci_dev_unlock(hdev);
533 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
535 u8 status = *((u8 *) skb->data);
536 struct hci_cp_write_sc_support *sent;
538 BT_DBG("%s status 0x%2.2x", hdev->name, status);
540 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
548 hdev->features[1][0] |= LMP_HOST_SC;
550 hdev->features[1][0] &= ~LMP_HOST_SC;
553 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
555 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
557 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
560 hci_dev_unlock(hdev);
563 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
565 struct hci_rp_read_local_version *rp = (void *) skb->data;
567 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
573 hci_dev_test_flag(hdev, HCI_CONFIG)) {
574 hdev->hci_ver = rp->hci_ver;
575 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
576 hdev->lmp_ver = rp->lmp_ver;
577 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
578 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
582 static void hci_cc_read_local_commands(struct hci_dev *hdev,
585 struct hci_rp_read_local_commands *rp = (void *) skb->data;
587 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
592 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
593 hci_dev_test_flag(hdev, HCI_CONFIG))
594 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
597 static void hci_cc_read_local_features(struct hci_dev *hdev,
600 struct hci_rp_read_local_features *rp = (void *) skb->data;
602 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
607 memcpy(hdev->features, rp->features, 8);
609 /* Adjust default settings according to features
610 * supported by device. */
612 if (hdev->features[0][0] & LMP_3SLOT)
613 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
615 if (hdev->features[0][0] & LMP_5SLOT)
616 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
618 if (hdev->features[0][1] & LMP_HV2) {
619 hdev->pkt_type |= (HCI_HV2);
620 hdev->esco_type |= (ESCO_HV2);
623 if (hdev->features[0][1] & LMP_HV3) {
624 hdev->pkt_type |= (HCI_HV3);
625 hdev->esco_type |= (ESCO_HV3);
628 if (lmp_esco_capable(hdev))
629 hdev->esco_type |= (ESCO_EV3);
631 if (hdev->features[0][4] & LMP_EV4)
632 hdev->esco_type |= (ESCO_EV4);
634 if (hdev->features[0][4] & LMP_EV5)
635 hdev->esco_type |= (ESCO_EV5);
637 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
638 hdev->esco_type |= (ESCO_2EV3);
640 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
641 hdev->esco_type |= (ESCO_3EV3);
643 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
644 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
647 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
650 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
652 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
657 if (hdev->max_page < rp->max_page)
658 hdev->max_page = rp->max_page;
660 if (rp->page < HCI_MAX_PAGES)
661 memcpy(hdev->features[rp->page], rp->features, 8);
664 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
667 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
669 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
674 hdev->flow_ctl_mode = rp->mode;
677 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
679 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
681 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
686 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
687 hdev->sco_mtu = rp->sco_mtu;
688 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
689 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
691 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
696 hdev->acl_cnt = hdev->acl_pkts;
697 hdev->sco_cnt = hdev->sco_pkts;
699 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
700 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
703 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
705 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
707 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
712 if (test_bit(HCI_INIT, &hdev->flags))
713 bacpy(&hdev->bdaddr, &rp->bdaddr);
715 if (hci_dev_test_flag(hdev, HCI_SETUP))
716 bacpy(&hdev->setup_addr, &rp->bdaddr);
719 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
722 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
724 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
729 if (test_bit(HCI_INIT, &hdev->flags)) {
730 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
731 hdev->page_scan_window = __le16_to_cpu(rp->window);
735 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
738 u8 status = *((u8 *) skb->data);
739 struct hci_cp_write_page_scan_activity *sent;
741 BT_DBG("%s status 0x%2.2x", hdev->name, status);
746 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
750 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
751 hdev->page_scan_window = __le16_to_cpu(sent->window);
754 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
757 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
759 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
764 if (test_bit(HCI_INIT, &hdev->flags))
765 hdev->page_scan_type = rp->type;
768 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
771 u8 status = *((u8 *) skb->data);
774 BT_DBG("%s status 0x%2.2x", hdev->name, status);
779 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
781 hdev->page_scan_type = *type;
784 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
787 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
789 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
794 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
795 hdev->block_len = __le16_to_cpu(rp->block_len);
796 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
798 hdev->block_cnt = hdev->num_blocks;
800 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
801 hdev->block_cnt, hdev->block_len);
804 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
806 struct hci_rp_read_clock *rp = (void *) skb->data;
807 struct hci_cp_read_clock *cp;
808 struct hci_conn *conn;
810 BT_DBG("%s", hdev->name);
812 if (skb->len < sizeof(*rp))
820 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
824 if (cp->which == 0x00) {
825 hdev->clock = le32_to_cpu(rp->clock);
829 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
831 conn->clock = le32_to_cpu(rp->clock);
832 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
836 hci_dev_unlock(hdev);
839 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
842 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
844 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
849 hdev->amp_status = rp->amp_status;
850 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
851 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
852 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
853 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
854 hdev->amp_type = rp->amp_type;
855 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
856 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
857 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
858 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
861 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
864 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
866 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
871 hdev->inq_tx_power = rp->tx_power;
874 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
876 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
877 struct hci_cp_pin_code_reply *cp;
878 struct hci_conn *conn;
880 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
884 if (hci_dev_test_flag(hdev, HCI_MGMT))
885 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
890 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
894 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
896 conn->pin_length = cp->pin_len;
899 hci_dev_unlock(hdev);
902 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
904 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
910 if (hci_dev_test_flag(hdev, HCI_MGMT))
911 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
914 hci_dev_unlock(hdev);
917 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
920 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
922 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
927 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
928 hdev->le_pkts = rp->le_max_pkt;
930 hdev->le_cnt = hdev->le_pkts;
932 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
935 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
938 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
940 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
945 memcpy(hdev->le_features, rp->features, 8);
948 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
951 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
953 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
958 hdev->adv_tx_power = rp->tx_power;
961 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
979 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
981 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
985 if (hci_dev_test_flag(hdev, HCI_MGMT))
986 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
987 ACL_LINK, 0, rp->status);
989 hci_dev_unlock(hdev);
992 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1016 if (hci_dev_test_flag(hdev, HCI_MGMT))
1017 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1018 ACL_LINK, 0, rp->status);
1020 hci_dev_unlock(hdev);
1023 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1024 struct sk_buff *skb)
1026 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1028 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1031 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1032 struct sk_buff *skb)
1034 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1036 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1039 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1041 __u8 status = *((__u8 *) skb->data);
1044 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1055 bacpy(&hdev->random_addr, sent);
1057 hci_dev_unlock(hdev);
1060 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1062 __u8 status = *((__u8 *) skb->data);
1063 struct hci_cp_le_set_default_phy *cp;
1065 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1070 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1076 hdev->le_tx_def_phys = cp->tx_phys;
1077 hdev->le_rx_def_phys = cp->rx_phys;
1079 hci_dev_unlock(hdev);
1082 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1083 struct sk_buff *skb)
1085 __u8 status = *((__u8 *) skb->data);
1086 struct hci_cp_le_set_adv_set_rand_addr *cp;
1087 struct adv_info *adv_instance;
1092 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1098 if (!hdev->cur_adv_instance) {
1099 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1100 bacpy(&hdev->random_addr, &cp->bdaddr);
1102 adv_instance = hci_find_adv_instance(hdev,
1103 hdev->cur_adv_instance);
1105 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1108 hci_dev_unlock(hdev);
1111 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1113 __u8 *sent, status = *((__u8 *) skb->data);
1115 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1120 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1126 /* If we're doing connection initiation as peripheral. Set a
1127 * timeout in case something goes wrong.
1130 struct hci_conn *conn;
1132 hci_dev_set_flag(hdev, HCI_LE_ADV);
1134 conn = hci_lookup_le_connect(hdev);
1136 queue_delayed_work(hdev->workqueue,
1137 &conn->le_conn_timeout,
1138 conn->conn_timeout);
1140 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1143 hci_dev_unlock(hdev);
1146 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1147 struct sk_buff *skb)
1149 struct hci_cp_le_set_ext_adv_enable *cp;
1150 __u8 status = *((__u8 *) skb->data);
1152 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1157 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1164 struct hci_conn *conn;
1166 hci_dev_set_flag(hdev, HCI_LE_ADV);
1168 conn = hci_lookup_le_connect(hdev);
1170 queue_delayed_work(hdev->workqueue,
1171 &conn->le_conn_timeout,
1172 conn->conn_timeout);
1174 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1177 hci_dev_unlock(hdev);
1180 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1182 struct hci_cp_le_set_scan_param *cp;
1183 __u8 status = *((__u8 *) skb->data);
1185 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1190 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1196 hdev->le_scan_type = cp->type;
1198 hci_dev_unlock(hdev);
1201 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1202 struct sk_buff *skb)
1204 struct hci_cp_le_set_ext_scan_params *cp;
1205 __u8 status = *((__u8 *) skb->data);
1206 struct hci_cp_le_scan_phy_params *phy_param;
1208 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1213 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1217 phy_param = (void *)cp->data;
1221 hdev->le_scan_type = phy_param->type;
1223 hci_dev_unlock(hdev);
1226 static bool has_pending_adv_report(struct hci_dev *hdev)
1228 struct discovery_state *d = &hdev->discovery;
1230 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1233 static void clear_pending_adv_report(struct hci_dev *hdev)
1235 struct discovery_state *d = &hdev->discovery;
1237 bacpy(&d->last_adv_addr, BDADDR_ANY);
1238 d->last_adv_data_len = 0;
1242 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1243 u8 bdaddr_type, s8 rssi, u32 flags,
1246 struct discovery_state *d = &hdev->discovery;
1248 bacpy(&d->last_adv_addr, bdaddr);
1249 d->last_adv_addr_type = bdaddr_type;
1250 d->last_adv_rssi = rssi;
1251 d->last_adv_flags = flags;
1252 memcpy(d->last_adv_data, data, len);
1253 d->last_adv_data_len = len;
1257 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1262 case LE_SCAN_ENABLE:
1263 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1264 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1265 clear_pending_adv_report(hdev);
1268 case LE_SCAN_DISABLE:
1269 /* We do this here instead of when setting DISCOVERY_STOPPED
1270 * since the latter would potentially require waiting for
1271 * inquiry to stop too.
1273 if (has_pending_adv_report(hdev)) {
1274 struct discovery_state *d = &hdev->discovery;
1276 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1277 d->last_adv_addr_type, NULL,
1278 d->last_adv_rssi, d->last_adv_flags,
1280 d->last_adv_data_len, NULL, 0);
1283 /* Cancel this timer so that we don't try to disable scanning
1284 * when it's already disabled.
1286 cancel_delayed_work(&hdev->le_scan_disable);
1288 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1290 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1291 * interrupted scanning due to a connect request. Mark
1292 * therefore discovery as stopped. If this was not
1293 * because of a connect request advertising might have
1294 * been disabled because of active scanning, so
1295 * re-enable it again if necessary.
1297 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1298 #ifndef TIZEN_BT /* The below line is kernel bug. */
1299 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1301 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1303 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1304 hdev->discovery.state == DISCOVERY_FINDING)
1305 hci_req_reenable_advertising(hdev);
1310 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1315 hci_dev_unlock(hdev);
1318 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1319 struct sk_buff *skb)
1321 struct hci_cp_le_set_scan_enable *cp;
1322 __u8 status = *((__u8 *) skb->data);
1324 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1329 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1333 le_set_scan_enable_complete(hdev, cp->enable);
1336 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1337 struct sk_buff *skb)
1339 struct hci_cp_le_set_ext_scan_enable *cp;
1340 __u8 status = *((__u8 *) skb->data);
1342 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1347 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1351 le_set_scan_enable_complete(hdev, cp->enable);
1354 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1355 struct sk_buff *skb)
1357 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1359 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1365 hdev->le_num_of_adv_sets = rp->num_of_sets;
1368 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1369 struct sk_buff *skb)
1371 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1373 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1378 hdev->le_white_list_size = rp->size;
1381 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1382 struct sk_buff *skb)
1384 __u8 status = *((__u8 *) skb->data);
1386 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1391 hci_bdaddr_list_clear(&hdev->le_white_list);
1394 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1395 struct sk_buff *skb)
1397 struct hci_cp_le_add_to_white_list *sent;
1398 __u8 status = *((__u8 *) skb->data);
1400 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1405 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1409 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1413 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1414 struct sk_buff *skb)
1416 struct hci_cp_le_del_from_white_list *sent;
1417 __u8 status = *((__u8 *) skb->data);
1419 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1424 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1428 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1432 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1433 struct sk_buff *skb)
1435 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1437 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1442 memcpy(hdev->le_states, rp->le_states, 8);
1445 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1446 struct sk_buff *skb)
1448 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1450 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1455 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1456 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1459 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1460 struct sk_buff *skb)
1462 struct hci_cp_le_write_def_data_len *sent;
1463 __u8 status = *((__u8 *) skb->data);
1465 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1474 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1482 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1483 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1487 mgmt_le_write_host_suggested_data_length_complete(hdev, status);
1491 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1492 struct sk_buff *skb)
1494 __u8 status = *((__u8 *) skb->data);
1496 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1501 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1504 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1505 struct sk_buff *skb)
1507 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1509 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1514 hdev->le_resolv_list_size = rp->size;
1517 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1518 struct sk_buff *skb)
1520 __u8 *sent, status = *((__u8 *) skb->data);
1522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1527 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1534 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1536 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1538 hci_dev_unlock(hdev);
1541 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1542 struct sk_buff *skb)
1544 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1546 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1555 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1556 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1557 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1558 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1561 mgmt_le_read_maximum_data_length_complete(hdev, rp->status);
1562 hci_dev_unlock(hdev);
1566 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1567 struct sk_buff *skb)
1569 struct hci_cp_write_le_host_supported *sent;
1570 __u8 status = *((__u8 *) skb->data);
1572 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1577 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1584 hdev->features[1][0] |= LMP_HOST_LE;
1585 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1587 hdev->features[1][0] &= ~LMP_HOST_LE;
1588 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1589 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1593 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1595 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1597 hci_dev_unlock(hdev);
1600 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1602 struct hci_cp_le_set_adv_param *cp;
1603 u8 status = *((u8 *) skb->data);
1605 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1610 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1615 hdev->adv_addr_type = cp->own_address_type;
1616 hci_dev_unlock(hdev);
1619 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1621 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1622 struct hci_cp_le_set_ext_adv_params *cp;
1623 struct adv_info *adv_instance;
1625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1630 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1635 hdev->adv_addr_type = cp->own_addr_type;
1636 if (!hdev->cur_adv_instance) {
1637 /* Store in hdev for instance 0 */
1638 hdev->adv_tx_power = rp->tx_power;
1640 adv_instance = hci_find_adv_instance(hdev,
1641 hdev->cur_adv_instance);
1643 adv_instance->tx_power = rp->tx_power;
1645 /* Update adv data as tx power is known now */
1646 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1647 hci_dev_unlock(hdev);
1651 static void hci_cc_enable_rssi(struct hci_dev *hdev,
1652 struct sk_buff *skb)
1654 struct hci_cc_rsp_enable_rssi *rp = (void *)skb->data;
1656 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
1657 hdev->name, rp->status, rp->le_ext_opcode);
1659 mgmt_enable_rssi_cc(hdev, rp, rp->status);
1662 static void hci_cc_get_raw_rssi(struct hci_dev *hdev,
1663 struct sk_buff *skb)
1665 struct hci_cc_rp_get_raw_rssi *rp = (void *)skb->data;
1667 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
1668 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
1670 mgmt_raw_rssi_response(hdev, rp, rp->status);
1673 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
1674 struct sk_buff *skb)
1676 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
1678 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
1680 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
1684 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
1685 struct sk_buff *skb)
1687 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
1688 __u8 event_le_ext_sub_code;
1690 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
1691 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
1693 skb_pull(skb, sizeof(*ev));
1694 event_le_ext_sub_code = ev->event_le_ext_sub_code;
1696 switch (event_le_ext_sub_code) {
1697 case LE_RSSI_LINK_ALERT:
1698 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
1706 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
1707 struct sk_buff *skb)
1709 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
1711 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
1713 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
1714 ev->state_change_reason,
1715 ev->connection_handle);
1718 static void hci_vendor_specific_evt(struct hci_dev *hdev, struct sk_buff *skb)
1720 struct hci_ev_vendor_specific *ev = (void *)skb->data;
1721 __u8 event_sub_code;
1723 BT_DBG("hci_vendor_specific_evt");
1725 skb_pull(skb, sizeof(*ev));
1726 event_sub_code = ev->event_sub_code;
1728 switch (event_sub_code) {
1729 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
1730 hci_vendor_specific_group_ext_evt(hdev, skb);
1733 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
1734 hci_vendor_multi_adv_state_change_evt(hdev, skb);
1743 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1745 struct hci_rp_read_rssi *rp = (void *) skb->data;
1746 struct hci_conn *conn;
1748 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1755 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1757 conn->rssi = rp->rssi;
1759 hci_dev_unlock(hdev);
1762 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1764 struct hci_cp_read_tx_power *sent;
1765 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1766 struct hci_conn *conn;
1768 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1773 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1779 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1783 switch (sent->type) {
1785 conn->tx_power = rp->tx_power;
1788 conn->max_tx_power = rp->tx_power;
1793 hci_dev_unlock(hdev);
1796 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1798 u8 status = *((u8 *) skb->data);
1801 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1806 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1808 hdev->ssp_debug_mode = *mode;
1811 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1813 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1816 hci_conn_check_pending(hdev);
1820 set_bit(HCI_INQUIRY, &hdev->flags);
1823 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1825 struct hci_cp_create_conn *cp;
1826 struct hci_conn *conn;
1828 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1830 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1836 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1838 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1841 if (conn && conn->state == BT_CONNECT) {
1842 if (status != 0x0c || conn->attempt > 2) {
1843 conn->state = BT_CLOSED;
1844 hci_connect_cfm(conn, status);
1847 conn->state = BT_CONNECT2;
1851 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1854 bt_dev_err(hdev, "no memory for new connection");
1858 hci_dev_unlock(hdev);
1861 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1863 struct hci_cp_add_sco *cp;
1864 struct hci_conn *acl, *sco;
1867 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1872 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1876 handle = __le16_to_cpu(cp->handle);
1878 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1882 acl = hci_conn_hash_lookup_handle(hdev, handle);
1886 sco->state = BT_CLOSED;
1888 hci_connect_cfm(sco, status);
1893 hci_dev_unlock(hdev);
1896 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1898 struct hci_cp_auth_requested *cp;
1899 struct hci_conn *conn;
1901 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1906 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1912 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1914 if (conn->state == BT_CONFIG) {
1915 hci_connect_cfm(conn, status);
1916 hci_conn_drop(conn);
1920 hci_dev_unlock(hdev);
1923 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1925 struct hci_cp_set_conn_encrypt *cp;
1926 struct hci_conn *conn;
1928 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1933 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1939 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1941 if (conn->state == BT_CONFIG) {
1942 hci_connect_cfm(conn, status);
1943 hci_conn_drop(conn);
1947 hci_dev_unlock(hdev);
1950 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1951 struct hci_conn *conn)
1953 if (conn->state != BT_CONFIG || !conn->out)
1956 if (conn->pending_sec_level == BT_SECURITY_SDP)
1959 /* Only request authentication for SSP connections or non-SSP
1960 * devices with sec_level MEDIUM or HIGH or if MITM protection
1963 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1964 conn->pending_sec_level != BT_SECURITY_FIPS &&
1965 conn->pending_sec_level != BT_SECURITY_HIGH &&
1966 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1972 static int hci_resolve_name(struct hci_dev *hdev,
1973 struct inquiry_entry *e)
1975 struct hci_cp_remote_name_req cp;
1977 memset(&cp, 0, sizeof(cp));
1979 bacpy(&cp.bdaddr, &e->data.bdaddr);
1980 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1981 cp.pscan_mode = e->data.pscan_mode;
1982 cp.clock_offset = e->data.clock_offset;
1984 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1987 static bool hci_resolve_next_name(struct hci_dev *hdev)
1989 struct discovery_state *discov = &hdev->discovery;
1990 struct inquiry_entry *e;
1992 if (list_empty(&discov->resolve))
1995 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1999 if (hci_resolve_name(hdev, e) == 0) {
2000 e->name_state = NAME_PENDING;
2007 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2008 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2010 struct discovery_state *discov = &hdev->discovery;
2011 struct inquiry_entry *e;
2014 /* Update the mgmt connected state if necessary. Be careful with
2015 * conn objects that exist but are not (yet) connected however.
2016 * Only those in BT_CONFIG or BT_CONNECTED states can be
2017 * considered connected.
2020 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2021 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2022 mgmt_device_connected(hdev, conn, 0, name, name_len);
2024 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2028 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2029 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2030 mgmt_device_connected(hdev, conn, 0, name, name_len);
2033 if (discov->state == DISCOVERY_STOPPED)
2036 if (discov->state == DISCOVERY_STOPPING)
2037 goto discov_complete;
2039 if (discov->state != DISCOVERY_RESOLVING)
2042 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2043 /* If the device was not found in a list of found devices names of which
2044 * are pending. there is no need to continue resolving a next name as it
2045 * will be done upon receiving another Remote Name Request Complete
2052 e->name_state = NAME_KNOWN;
2053 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2054 e->data.rssi, name, name_len);
2056 e->name_state = NAME_NOT_KNOWN;
2059 if (hci_resolve_next_name(hdev))
2063 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2066 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2068 struct hci_cp_remote_name_req *cp;
2069 struct hci_conn *conn;
2071 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2073 /* If successful wait for the name req complete event before
2074 * checking for the need to do authentication */
2078 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2084 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2086 if (hci_dev_test_flag(hdev, HCI_MGMT))
2087 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2092 if (!hci_outgoing_auth_needed(hdev, conn))
2095 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2096 struct hci_cp_auth_requested auth_cp;
2098 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2100 auth_cp.handle = __cpu_to_le16(conn->handle);
2101 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2102 sizeof(auth_cp), &auth_cp);
2106 hci_dev_unlock(hdev);
2109 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2111 struct hci_cp_read_remote_features *cp;
2112 struct hci_conn *conn;
2114 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2119 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2125 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2127 if (conn->state == BT_CONFIG) {
2128 hci_connect_cfm(conn, status);
2129 hci_conn_drop(conn);
2133 hci_dev_unlock(hdev);
2136 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2138 struct hci_cp_read_remote_ext_features *cp;
2139 struct hci_conn *conn;
2141 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2146 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2152 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2154 if (conn->state == BT_CONFIG) {
2155 hci_connect_cfm(conn, status);
2156 hci_conn_drop(conn);
2160 hci_dev_unlock(hdev);
2163 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2165 struct hci_cp_setup_sync_conn *cp;
2166 struct hci_conn *acl, *sco;
2169 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2174 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2178 handle = __le16_to_cpu(cp->handle);
2180 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2184 acl = hci_conn_hash_lookup_handle(hdev, handle);
2188 sco->state = BT_CLOSED;
2190 hci_connect_cfm(sco, status);
2195 hci_dev_unlock(hdev);
2198 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2200 struct hci_cp_sniff_mode *cp;
2201 struct hci_conn *conn;
2203 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2208 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2214 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2216 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2218 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2219 hci_sco_setup(conn, status);
2222 hci_dev_unlock(hdev);
2225 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2227 struct hci_cp_exit_sniff_mode *cp;
2228 struct hci_conn *conn;
2230 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2235 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2241 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2243 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2245 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2246 hci_sco_setup(conn, status);
2249 hci_dev_unlock(hdev);
2252 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2254 struct hci_cp_disconnect *cp;
2255 struct hci_conn *conn;
2260 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2266 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2268 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2269 conn->dst_type, status);
2271 hci_dev_unlock(hdev);
2274 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2275 u8 peer_addr_type, u8 own_address_type,
2278 struct hci_conn *conn;
2280 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2285 /* Store the initiator and responder address information which
2286 * is needed for SMP. These values will not change during the
2287 * lifetime of the connection.
2289 conn->init_addr_type = own_address_type;
2290 if (own_address_type == ADDR_LE_DEV_RANDOM)
2291 bacpy(&conn->init_addr, &hdev->random_addr);
2293 bacpy(&conn->init_addr, &hdev->bdaddr);
2295 conn->resp_addr_type = peer_addr_type;
2296 bacpy(&conn->resp_addr, peer_addr);
2298 /* We don't want the connection attempt to stick around
2299 * indefinitely since LE doesn't have a page timeout concept
2300 * like BR/EDR. Set a timer for any connection that doesn't use
2301 * the white list for connecting.
2303 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2304 queue_delayed_work(conn->hdev->workqueue,
2305 &conn->le_conn_timeout,
2306 conn->conn_timeout);
2309 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2311 struct hci_cp_le_create_conn *cp;
2313 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2315 /* All connection failure handling is taken care of by the
2316 * hci_le_conn_failed function which is triggered by the HCI
2317 * request completion callbacks used for connecting.
2322 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2328 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2329 cp->own_address_type, cp->filter_policy);
2331 hci_dev_unlock(hdev);
2334 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2336 struct hci_cp_le_ext_create_conn *cp;
2338 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2340 /* All connection failure handling is taken care of by the
2341 * hci_le_conn_failed function which is triggered by the HCI
2342 * request completion callbacks used for connecting.
2347 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2353 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2354 cp->own_addr_type, cp->filter_policy);
2356 hci_dev_unlock(hdev);
2359 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2361 struct hci_cp_le_read_remote_features *cp;
2362 struct hci_conn *conn;
2364 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2369 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2375 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2377 if (conn->state == BT_CONFIG) {
2378 hci_connect_cfm(conn, status);
2379 hci_conn_drop(conn);
2383 hci_dev_unlock(hdev);
2386 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2388 struct hci_cp_le_start_enc *cp;
2389 struct hci_conn *conn;
2391 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2398 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2402 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2406 if (conn->state != BT_CONNECTED)
2409 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2410 hci_conn_drop(conn);
2413 hci_dev_unlock(hdev);
2416 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2418 struct hci_cp_switch_role *cp;
2419 struct hci_conn *conn;
2421 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2426 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2432 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2434 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2436 hci_dev_unlock(hdev);
2439 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2441 __u8 status = *((__u8 *) skb->data);
2442 struct discovery_state *discov = &hdev->discovery;
2443 struct inquiry_entry *e;
2445 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2447 hci_conn_check_pending(hdev);
2449 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2452 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2453 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2455 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2460 if (discov->state != DISCOVERY_FINDING)
2463 if (list_empty(&discov->resolve)) {
2464 /* When BR/EDR inquiry is active and no LE scanning is in
2465 * progress, then change discovery state to indicate completion.
2467 * When running LE scanning and BR/EDR inquiry simultaneously
2468 * and the LE scan already finished, then change the discovery
2469 * state to indicate completion.
2471 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2472 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2473 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2477 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2478 if (e && hci_resolve_name(hdev, e) == 0) {
2479 e->name_state = NAME_PENDING;
2480 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2482 /* When BR/EDR inquiry is active and no LE scanning is in
2483 * progress, then change discovery state to indicate completion.
2485 * When running LE scanning and BR/EDR inquiry simultaneously
2486 * and the LE scan already finished, then change the discovery
2487 * state to indicate completion.
2489 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2490 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2491 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2495 hci_dev_unlock(hdev);
2498 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2500 struct inquiry_data data;
2501 struct inquiry_info *info = (void *) (skb->data + 1);
2502 int num_rsp = *((__u8 *) skb->data);
2504 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2509 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2514 for (; num_rsp; num_rsp--, info++) {
2517 bacpy(&data.bdaddr, &info->bdaddr);
2518 data.pscan_rep_mode = info->pscan_rep_mode;
2519 data.pscan_period_mode = info->pscan_period_mode;
2520 data.pscan_mode = info->pscan_mode;
2521 memcpy(data.dev_class, info->dev_class, 3);
2522 data.clock_offset = info->clock_offset;
2523 data.rssi = HCI_RSSI_INVALID;
2524 data.ssp_mode = 0x00;
2526 flags = hci_inquiry_cache_update(hdev, &data, false);
2528 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2529 info->dev_class, HCI_RSSI_INVALID,
2530 flags, NULL, 0, NULL, 0);
2533 hci_dev_unlock(hdev);
2536 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2538 struct hci_ev_conn_complete *ev = (void *) skb->data;
2539 struct hci_conn *conn;
2541 BT_DBG("%s", hdev->name);
2545 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2547 if (ev->link_type != SCO_LINK)
2550 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2554 conn->type = SCO_LINK;
2558 conn->handle = __le16_to_cpu(ev->handle);
2560 if (conn->type == ACL_LINK) {
2561 conn->state = BT_CONFIG;
2562 hci_conn_hold(conn);
2564 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2565 !hci_find_link_key(hdev, &ev->bdaddr))
2566 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2568 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2570 conn->state = BT_CONNECTED;
2572 hci_debugfs_create_conn(conn);
2573 hci_conn_add_sysfs(conn);
2575 if (test_bit(HCI_AUTH, &hdev->flags))
2576 set_bit(HCI_CONN_AUTH, &conn->flags);
2578 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2579 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2581 /* Get remote features */
2582 if (conn->type == ACL_LINK) {
2583 struct hci_cp_read_remote_features cp;
2584 cp.handle = ev->handle;
2585 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2588 hci_req_update_scan(hdev);
2591 /* Set packet type for incoming connection */
2592 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2593 struct hci_cp_change_conn_ptype cp;
2594 cp.handle = ev->handle;
2595 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2596 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2600 if (get_link_mode(conn) & HCI_LM_MASTER)
2601 hci_conn_change_supervision_timeout(conn,
2602 LINK_SUPERVISION_TIMEOUT);
2605 conn->state = BT_CLOSED;
2606 if (conn->type == ACL_LINK)
2607 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2608 conn->dst_type, ev->status);
2611 if (conn->type == ACL_LINK)
2612 hci_sco_setup(conn, ev->status);
2615 hci_connect_cfm(conn, ev->status);
2617 } else if (ev->link_type != ACL_LINK)
2618 hci_connect_cfm(conn, ev->status);
2621 hci_dev_unlock(hdev);
2623 hci_conn_check_pending(hdev);
2626 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2628 struct hci_cp_reject_conn_req cp;
2630 bacpy(&cp.bdaddr, bdaddr);
2631 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2632 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2635 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2637 struct hci_ev_conn_request *ev = (void *) skb->data;
2638 int mask = hdev->link_mode;
2639 struct inquiry_entry *ie;
2640 struct hci_conn *conn;
2643 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2646 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2649 if (!(mask & HCI_LM_ACCEPT)) {
2650 hci_reject_conn(hdev, &ev->bdaddr);
2654 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2656 hci_reject_conn(hdev, &ev->bdaddr);
2660 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2661 * connection. These features are only touched through mgmt so
2662 * only do the checks if HCI_MGMT is set.
2664 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2665 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2666 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2668 hci_reject_conn(hdev, &ev->bdaddr);
2672 /* Connection accepted */
2676 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2678 memcpy(ie->data.dev_class, ev->dev_class, 3);
2681 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
2682 hci_conn_hash_lookup_sco(hdev)) {
2683 struct hci_cp_reject_conn_req cp;
2685 bacpy(&cp.bdaddr, &ev->bdaddr);
2686 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
2687 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
2689 hci_dev_unlock(hdev);
2694 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2697 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2700 bt_dev_err(hdev, "no memory for new connection");
2701 hci_dev_unlock(hdev);
2706 memcpy(conn->dev_class, ev->dev_class, 3);
2708 hci_dev_unlock(hdev);
2710 if (ev->link_type == ACL_LINK ||
2711 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2712 struct hci_cp_accept_conn_req cp;
2713 conn->state = BT_CONNECT;
2715 bacpy(&cp.bdaddr, &ev->bdaddr);
2717 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2718 cp.role = 0x00; /* Become master */
2720 cp.role = 0x01; /* Remain slave */
2722 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2723 } else if (!(flags & HCI_PROTO_DEFER)) {
2724 struct hci_cp_accept_sync_conn_req cp;
2725 conn->state = BT_CONNECT;
2727 bacpy(&cp.bdaddr, &ev->bdaddr);
2728 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2730 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2731 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2732 cp.max_latency = cpu_to_le16(0xffff);
2733 cp.content_format = cpu_to_le16(hdev->voice_setting);
2734 cp.retrans_effort = 0xff;
2736 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2739 conn->state = BT_CONNECT2;
2740 hci_connect_cfm(conn, 0);
2744 static u8 hci_to_mgmt_reason(u8 err)
2747 case HCI_ERROR_CONNECTION_TIMEOUT:
2748 return MGMT_DEV_DISCONN_TIMEOUT;
2749 case HCI_ERROR_REMOTE_USER_TERM:
2750 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2751 case HCI_ERROR_REMOTE_POWER_OFF:
2752 return MGMT_DEV_DISCONN_REMOTE;
2753 case HCI_ERROR_LOCAL_HOST_TERM:
2754 return MGMT_DEV_DISCONN_LOCAL_HOST;
2756 return MGMT_DEV_DISCONN_UNKNOWN;
2760 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2762 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2764 struct hci_conn_params *params;
2765 struct hci_conn *conn;
2766 bool mgmt_connected;
2769 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2773 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2778 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2779 conn->dst_type, ev->status);
2783 conn->state = BT_CLOSED;
2785 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2787 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2788 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2790 reason = hci_to_mgmt_reason(ev->reason);
2792 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2793 reason, mgmt_connected);
2795 if (conn->type == ACL_LINK) {
2796 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2797 hci_remove_link_key(hdev, &conn->dst);
2799 hci_req_update_scan(hdev);
2802 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2804 switch (params->auto_connect) {
2805 case HCI_AUTO_CONN_LINK_LOSS:
2806 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2810 case HCI_AUTO_CONN_DIRECT:
2811 case HCI_AUTO_CONN_ALWAYS:
2812 list_del_init(¶ms->action);
2813 list_add(¶ms->action, &hdev->pend_le_conns);
2814 hci_update_background_scan(hdev);
2824 hci_disconn_cfm(conn, ev->reason);
2827 /* Re-enable advertising if necessary, since it might
2828 * have been disabled by the connection. From the
2829 * HCI_LE_Set_Advertise_Enable command description in
2830 * the core specification (v4.0):
2831 * "The Controller shall continue advertising until the Host
2832 * issues an LE_Set_Advertise_Enable command with
2833 * Advertising_Enable set to 0x00 (Advertising is disabled)
2834 * or until a connection is created or until the Advertising
2835 * is timed out due to Directed Advertising."
2837 if (type == LE_LINK)
2838 hci_req_reenable_advertising(hdev);
2841 if (type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
2845 iscan = test_bit(HCI_ISCAN, &hdev->flags);
2846 pscan = test_bit(HCI_PSCAN, &hdev->flags);
2847 if (!iscan && !pscan) {
2848 u8 scan_enable = SCAN_PAGE;
2850 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
2851 sizeof(scan_enable), &scan_enable);
2857 hci_dev_unlock(hdev);
2860 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2862 struct hci_ev_auth_complete *ev = (void *) skb->data;
2863 struct hci_conn *conn;
2865 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2869 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2874 /* PIN or Key Missing patch */
2875 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
2876 conn->remote_auth, conn->remote_cap,
2877 conn->auth_type, conn->io_capability);
2879 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
2880 struct hci_cp_auth_requested cp;
2882 BT_DBG("Pin or key missing");
2883 hci_remove_link_key(hdev, &conn->dst);
2884 cp.handle = cpu_to_le16(conn->handle);
2885 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2892 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2894 if (!hci_conn_ssp_enabled(conn) &&
2895 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2896 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2898 set_bit(HCI_CONN_AUTH, &conn->flags);
2899 conn->sec_level = conn->pending_sec_level;
2902 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2903 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2905 mgmt_auth_failed(conn, ev->status);
2908 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2909 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2911 if (conn->state == BT_CONFIG) {
2912 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2913 struct hci_cp_set_conn_encrypt cp;
2914 cp.handle = ev->handle;
2916 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2919 conn->state = BT_CONNECTED;
2920 hci_connect_cfm(conn, ev->status);
2921 hci_conn_drop(conn);
2924 hci_auth_cfm(conn, ev->status);
2926 hci_conn_hold(conn);
2927 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2928 hci_conn_drop(conn);
2931 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2933 struct hci_cp_set_conn_encrypt cp;
2934 cp.handle = ev->handle;
2936 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2939 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2940 hci_encrypt_cfm(conn, ev->status, 0x00);
2945 hci_dev_unlock(hdev);
2948 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2950 struct hci_ev_remote_name *ev = (void *) skb->data;
2951 struct hci_conn *conn;
2953 BT_DBG("%s", hdev->name);
2955 hci_conn_check_pending(hdev);
2959 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2961 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2964 if (ev->status == 0)
2965 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2966 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2968 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2974 if (!hci_outgoing_auth_needed(hdev, conn))
2977 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2978 struct hci_cp_auth_requested cp;
2980 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2982 cp.handle = __cpu_to_le16(conn->handle);
2983 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2987 hci_dev_unlock(hdev);
2990 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2991 u16 opcode, struct sk_buff *skb)
2993 const struct hci_rp_read_enc_key_size *rp;
2994 struct hci_conn *conn;
2997 BT_DBG("%s status 0x%02x", hdev->name, status);
2999 if (!skb || skb->len < sizeof(*rp)) {
3000 bt_dev_err(hdev, "invalid read key size response");
3004 rp = (void *)skb->data;
3005 handle = le16_to_cpu(rp->handle);
3009 conn = hci_conn_hash_lookup_handle(hdev, handle);
3013 /* If we fail to read the encryption key size, assume maximum
3014 * (which is the same we do also when this HCI command isn't
3018 bt_dev_err(hdev, "failed to read key size for handle %u",
3020 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3022 conn->enc_key_size = rp->key_size;
3025 if (conn->state == BT_CONFIG) {
3026 conn->state = BT_CONNECTED;
3027 hci_connect_cfm(conn, 0);
3028 hci_conn_drop(conn);
3032 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
3034 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
3039 hci_encrypt_cfm(conn, 0, encrypt);
3043 hci_dev_unlock(hdev);
3046 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3048 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3049 struct hci_conn *conn;
3051 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3055 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3061 /* Encryption implies authentication */
3062 set_bit(HCI_CONN_AUTH, &conn->flags);
3063 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3064 conn->sec_level = conn->pending_sec_level;
3066 /* P-256 authentication key implies FIPS */
3067 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3068 set_bit(HCI_CONN_FIPS, &conn->flags);
3070 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3071 conn->type == LE_LINK)
3072 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3074 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3075 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3079 /* We should disregard the current RPA and generate a new one
3080 * whenever the encryption procedure fails.
3082 if (ev->status && conn->type == LE_LINK) {
3083 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3084 hci_adv_instances_set_rpa_expired(hdev, true);
3087 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3089 if (ev->status && conn->state == BT_CONNECTED) {
3090 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3091 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3093 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3094 hci_conn_drop(conn);
3098 /* In Secure Connections Only mode, do not allow any connections
3099 * that are not encrypted with AES-CCM using a P-256 authenticated
3102 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
3103 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
3104 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
3105 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
3106 hci_conn_drop(conn);
3110 /* Try reading the encryption key size for encrypted ACL links */
3111 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3112 struct hci_cp_read_enc_key_size cp;
3113 struct hci_request req;
3115 /* Only send HCI_Read_Encryption_Key_Size if the
3116 * controller really supports it. If it doesn't, assume
3117 * the default size (16).
3119 if (!(hdev->commands[20] & 0x10)) {
3120 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3124 hci_req_init(&req, hdev);
3126 cp.handle = cpu_to_le16(conn->handle);
3127 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3129 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3130 bt_dev_err(hdev, "sending read key size failed");
3131 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3139 if (conn->state == BT_CONFIG) {
3141 conn->state = BT_CONNECTED;
3143 hci_connect_cfm(conn, ev->status);
3144 hci_conn_drop(conn);
3146 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
3149 hci_dev_unlock(hdev);
3152 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3153 struct sk_buff *skb)
3155 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3156 struct hci_conn *conn;
3158 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3162 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3165 set_bit(HCI_CONN_SECURE, &conn->flags);
3167 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3169 hci_key_change_cfm(conn, ev->status);
3172 hci_dev_unlock(hdev);
3175 static void hci_remote_features_evt(struct hci_dev *hdev,
3176 struct sk_buff *skb)
3178 struct hci_ev_remote_features *ev = (void *) skb->data;
3179 struct hci_conn *conn;
3181 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3185 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3190 memcpy(conn->features[0], ev->features, 8);
3192 if (conn->state != BT_CONFIG)
3195 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3196 lmp_ext_feat_capable(conn)) {
3197 struct hci_cp_read_remote_ext_features cp;
3198 cp.handle = ev->handle;
3200 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3205 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3206 struct hci_cp_remote_name_req cp;
3207 memset(&cp, 0, sizeof(cp));
3208 bacpy(&cp.bdaddr, &conn->dst);
3209 cp.pscan_rep_mode = 0x02;
3210 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3211 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3212 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3214 if (!hci_outgoing_auth_needed(hdev, conn)) {
3215 conn->state = BT_CONNECTED;
3216 hci_connect_cfm(conn, ev->status);
3217 hci_conn_drop(conn);
3221 hci_dev_unlock(hdev);
3224 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3225 u16 *opcode, u8 *status,
3226 hci_req_complete_t *req_complete,
3227 hci_req_complete_skb_t *req_complete_skb)
3229 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3231 *opcode = __le16_to_cpu(ev->opcode);
3232 *status = skb->data[sizeof(*ev)];
3234 skb_pull(skb, sizeof(*ev));
3237 case HCI_OP_INQUIRY_CANCEL:
3238 hci_cc_inquiry_cancel(hdev, skb);
3241 case HCI_OP_PERIODIC_INQ:
3242 hci_cc_periodic_inq(hdev, skb);
3245 case HCI_OP_EXIT_PERIODIC_INQ:
3246 hci_cc_exit_periodic_inq(hdev, skb);
3249 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3250 hci_cc_remote_name_req_cancel(hdev, skb);
3253 case HCI_OP_ROLE_DISCOVERY:
3254 hci_cc_role_discovery(hdev, skb);
3257 case HCI_OP_READ_LINK_POLICY:
3258 hci_cc_read_link_policy(hdev, skb);
3261 case HCI_OP_WRITE_LINK_POLICY:
3262 hci_cc_write_link_policy(hdev, skb);
3265 case HCI_OP_READ_DEF_LINK_POLICY:
3266 hci_cc_read_def_link_policy(hdev, skb);
3269 case HCI_OP_WRITE_DEF_LINK_POLICY:
3270 hci_cc_write_def_link_policy(hdev, skb);
3274 hci_cc_reset(hdev, skb);
3277 case HCI_OP_READ_STORED_LINK_KEY:
3278 hci_cc_read_stored_link_key(hdev, skb);
3281 case HCI_OP_DELETE_STORED_LINK_KEY:
3282 hci_cc_delete_stored_link_key(hdev, skb);
3285 case HCI_OP_WRITE_LOCAL_NAME:
3286 hci_cc_write_local_name(hdev, skb);
3289 case HCI_OP_READ_LOCAL_NAME:
3290 hci_cc_read_local_name(hdev, skb);
3293 case HCI_OP_WRITE_AUTH_ENABLE:
3294 hci_cc_write_auth_enable(hdev, skb);
3297 case HCI_OP_WRITE_ENCRYPT_MODE:
3298 hci_cc_write_encrypt_mode(hdev, skb);
3301 case HCI_OP_WRITE_SCAN_ENABLE:
3302 hci_cc_write_scan_enable(hdev, skb);
3305 case HCI_OP_READ_CLASS_OF_DEV:
3306 hci_cc_read_class_of_dev(hdev, skb);
3309 case HCI_OP_WRITE_CLASS_OF_DEV:
3310 hci_cc_write_class_of_dev(hdev, skb);
3313 case HCI_OP_READ_VOICE_SETTING:
3314 hci_cc_read_voice_setting(hdev, skb);
3317 case HCI_OP_WRITE_VOICE_SETTING:
3318 hci_cc_write_voice_setting(hdev, skb);
3321 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3322 hci_cc_read_num_supported_iac(hdev, skb);
3325 case HCI_OP_WRITE_SSP_MODE:
3326 hci_cc_write_ssp_mode(hdev, skb);
3329 case HCI_OP_WRITE_SC_SUPPORT:
3330 hci_cc_write_sc_support(hdev, skb);
3333 case HCI_OP_READ_LOCAL_VERSION:
3334 hci_cc_read_local_version(hdev, skb);
3337 case HCI_OP_READ_LOCAL_COMMANDS:
3338 hci_cc_read_local_commands(hdev, skb);
3341 case HCI_OP_READ_LOCAL_FEATURES:
3342 hci_cc_read_local_features(hdev, skb);
3345 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3346 hci_cc_read_local_ext_features(hdev, skb);
3349 case HCI_OP_READ_BUFFER_SIZE:
3350 hci_cc_read_buffer_size(hdev, skb);
3353 case HCI_OP_READ_BD_ADDR:
3354 hci_cc_read_bd_addr(hdev, skb);
3357 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3358 hci_cc_read_page_scan_activity(hdev, skb);
3361 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3362 hci_cc_write_page_scan_activity(hdev, skb);
3365 case HCI_OP_READ_PAGE_SCAN_TYPE:
3366 hci_cc_read_page_scan_type(hdev, skb);
3369 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3370 hci_cc_write_page_scan_type(hdev, skb);
3373 case HCI_OP_READ_DATA_BLOCK_SIZE:
3374 hci_cc_read_data_block_size(hdev, skb);
3377 case HCI_OP_READ_FLOW_CONTROL_MODE:
3378 hci_cc_read_flow_control_mode(hdev, skb);
3381 case HCI_OP_READ_LOCAL_AMP_INFO:
3382 hci_cc_read_local_amp_info(hdev, skb);
3385 case HCI_OP_READ_CLOCK:
3386 hci_cc_read_clock(hdev, skb);
3389 case HCI_OP_READ_INQ_RSP_TX_POWER:
3390 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3393 case HCI_OP_PIN_CODE_REPLY:
3394 hci_cc_pin_code_reply(hdev, skb);
3397 case HCI_OP_PIN_CODE_NEG_REPLY:
3398 hci_cc_pin_code_neg_reply(hdev, skb);
3401 case HCI_OP_READ_LOCAL_OOB_DATA:
3402 hci_cc_read_local_oob_data(hdev, skb);
3405 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3406 hci_cc_read_local_oob_ext_data(hdev, skb);
3409 case HCI_OP_LE_READ_BUFFER_SIZE:
3410 hci_cc_le_read_buffer_size(hdev, skb);
3413 case HCI_OP_LE_READ_LOCAL_FEATURES:
3414 hci_cc_le_read_local_features(hdev, skb);
3417 case HCI_OP_LE_READ_ADV_TX_POWER:
3418 hci_cc_le_read_adv_tx_power(hdev, skb);
3421 case HCI_OP_USER_CONFIRM_REPLY:
3422 hci_cc_user_confirm_reply(hdev, skb);
3425 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3426 hci_cc_user_confirm_neg_reply(hdev, skb);
3429 case HCI_OP_USER_PASSKEY_REPLY:
3430 hci_cc_user_passkey_reply(hdev, skb);
3433 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3434 hci_cc_user_passkey_neg_reply(hdev, skb);
3437 case HCI_OP_LE_SET_RANDOM_ADDR:
3438 hci_cc_le_set_random_addr(hdev, skb);
3441 case HCI_OP_LE_SET_ADV_ENABLE:
3442 hci_cc_le_set_adv_enable(hdev, skb);
3445 case HCI_OP_LE_SET_SCAN_PARAM:
3446 hci_cc_le_set_scan_param(hdev, skb);
3449 case HCI_OP_LE_SET_SCAN_ENABLE:
3450 hci_cc_le_set_scan_enable(hdev, skb);
3453 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3454 hci_cc_le_read_white_list_size(hdev, skb);
3457 case HCI_OP_LE_CLEAR_WHITE_LIST:
3458 hci_cc_le_clear_white_list(hdev, skb);
3461 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3462 hci_cc_le_add_to_white_list(hdev, skb);
3465 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3466 hci_cc_le_del_from_white_list(hdev, skb);
3469 case HCI_OP_LE_READ_SUPPORTED_STATES:
3470 hci_cc_le_read_supported_states(hdev, skb);
3473 case HCI_OP_LE_READ_DEF_DATA_LEN:
3474 hci_cc_le_read_def_data_len(hdev, skb);
3477 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3478 hci_cc_le_write_def_data_len(hdev, skb);
3481 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3482 hci_cc_le_clear_resolv_list(hdev, skb);
3485 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3486 hci_cc_le_read_resolv_list_size(hdev, skb);
3489 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3490 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3493 case HCI_OP_LE_READ_MAX_DATA_LEN:
3494 hci_cc_le_read_max_data_len(hdev, skb);
3497 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3498 hci_cc_write_le_host_supported(hdev, skb);
3501 case HCI_OP_LE_SET_ADV_PARAM:
3502 hci_cc_set_adv_param(hdev, skb);
3505 case HCI_OP_READ_RSSI:
3506 hci_cc_read_rssi(hdev, skb);
3509 case HCI_OP_READ_TX_POWER:
3510 hci_cc_read_tx_power(hdev, skb);
3513 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3514 hci_cc_write_ssp_debug_mode(hdev, skb);
3517 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3518 hci_cc_le_set_ext_scan_param(hdev, skb);
3521 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3522 hci_cc_le_set_ext_scan_enable(hdev, skb);
3525 case HCI_OP_LE_SET_DEFAULT_PHY:
3526 hci_cc_le_set_default_phy(hdev, skb);
3529 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3530 hci_cc_le_read_num_adv_sets(hdev, skb);
3533 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3534 hci_cc_set_ext_adv_param(hdev, skb);
3537 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3538 hci_cc_le_set_ext_adv_enable(hdev, skb);
3541 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3542 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3545 case HCI_OP_ENABLE_RSSI:
3546 hci_cc_enable_rssi(hdev, skb);
3549 case HCI_OP_GET_RAW_RSSI:
3550 hci_cc_get_raw_rssi(hdev, skb);
3554 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3558 if (*opcode != HCI_OP_NOP)
3559 cancel_delayed_work(&hdev->cmd_timer);
3561 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3562 atomic_set(&hdev->cmd_cnt, 1);
3564 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3567 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3569 "unexpected event for opcode 0x%4.4x", *opcode);
3573 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3574 queue_work(hdev->workqueue, &hdev->cmd_work);
3577 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3578 u16 *opcode, u8 *status,
3579 hci_req_complete_t *req_complete,
3580 hci_req_complete_skb_t *req_complete_skb)
3582 struct hci_ev_cmd_status *ev = (void *) skb->data;
3584 skb_pull(skb, sizeof(*ev));
3586 *opcode = __le16_to_cpu(ev->opcode);
3587 *status = ev->status;
3590 case HCI_OP_INQUIRY:
3591 hci_cs_inquiry(hdev, ev->status);
3594 case HCI_OP_CREATE_CONN:
3595 hci_cs_create_conn(hdev, ev->status);
3598 case HCI_OP_DISCONNECT:
3599 hci_cs_disconnect(hdev, ev->status);
3602 case HCI_OP_ADD_SCO:
3603 hci_cs_add_sco(hdev, ev->status);
3606 case HCI_OP_AUTH_REQUESTED:
3607 hci_cs_auth_requested(hdev, ev->status);
3610 case HCI_OP_SET_CONN_ENCRYPT:
3611 hci_cs_set_conn_encrypt(hdev, ev->status);
3614 case HCI_OP_REMOTE_NAME_REQ:
3615 hci_cs_remote_name_req(hdev, ev->status);
3618 case HCI_OP_READ_REMOTE_FEATURES:
3619 hci_cs_read_remote_features(hdev, ev->status);
3622 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3623 hci_cs_read_remote_ext_features(hdev, ev->status);
3626 case HCI_OP_SETUP_SYNC_CONN:
3627 hci_cs_setup_sync_conn(hdev, ev->status);
3630 case HCI_OP_SNIFF_MODE:
3631 hci_cs_sniff_mode(hdev, ev->status);
3634 case HCI_OP_EXIT_SNIFF_MODE:
3635 hci_cs_exit_sniff_mode(hdev, ev->status);
3638 case HCI_OP_SWITCH_ROLE:
3639 hci_cs_switch_role(hdev, ev->status);
3642 case HCI_OP_LE_CREATE_CONN:
3643 hci_cs_le_create_conn(hdev, ev->status);
3646 case HCI_OP_LE_READ_REMOTE_FEATURES:
3647 hci_cs_le_read_remote_features(hdev, ev->status);
3650 case HCI_OP_LE_START_ENC:
3651 hci_cs_le_start_enc(hdev, ev->status);
3654 case HCI_OP_LE_EXT_CREATE_CONN:
3655 hci_cs_le_ext_create_conn(hdev, ev->status);
3659 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3663 if (*opcode != HCI_OP_NOP)
3664 cancel_delayed_work(&hdev->cmd_timer);
3666 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3667 atomic_set(&hdev->cmd_cnt, 1);
3669 /* Indicate request completion if the command failed. Also, if
3670 * we're not waiting for a special event and we get a success
3671 * command status we should try to flag the request as completed
3672 * (since for this kind of commands there will not be a command
3676 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3677 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3680 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3682 "unexpected event for opcode 0x%4.4x", *opcode);
3686 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3687 queue_work(hdev->workqueue, &hdev->cmd_work);
3690 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3692 struct hci_ev_hardware_error *ev = (void *) skb->data;
3696 mgmt_hardware_error(hdev, ev->code);
3697 hci_dev_unlock(hdev);
3699 hdev->hw_error_code = ev->code;
3701 queue_work(hdev->req_workqueue, &hdev->error_reset);
3704 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3706 struct hci_ev_role_change *ev = (void *) skb->data;
3707 struct hci_conn *conn;
3709 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3713 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3716 conn->role = ev->role;
3718 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3720 hci_role_switch_cfm(conn, ev->status, ev->role);
3722 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
3723 hci_conn_change_supervision_timeout(conn,
3724 LINK_SUPERVISION_TIMEOUT);
3728 hci_dev_unlock(hdev);
3731 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3733 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3736 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3737 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3741 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3742 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3743 BT_DBG("%s bad parameters", hdev->name);
3747 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3749 for (i = 0; i < ev->num_hndl; i++) {
3750 struct hci_comp_pkts_info *info = &ev->handles[i];
3751 struct hci_conn *conn;
3752 __u16 handle, count;
3754 handle = __le16_to_cpu(info->handle);
3755 count = __le16_to_cpu(info->count);
3757 conn = hci_conn_hash_lookup_handle(hdev, handle);
3761 conn->sent -= count;
3763 switch (conn->type) {
3765 hdev->acl_cnt += count;
3766 if (hdev->acl_cnt > hdev->acl_pkts)
3767 hdev->acl_cnt = hdev->acl_pkts;
3771 if (hdev->le_pkts) {
3772 hdev->le_cnt += count;
3773 if (hdev->le_cnt > hdev->le_pkts)
3774 hdev->le_cnt = hdev->le_pkts;
3776 hdev->acl_cnt += count;
3777 if (hdev->acl_cnt > hdev->acl_pkts)
3778 hdev->acl_cnt = hdev->acl_pkts;
3783 hdev->sco_cnt += count;
3784 if (hdev->sco_cnt > hdev->sco_pkts)
3785 hdev->sco_cnt = hdev->sco_pkts;
3789 bt_dev_err(hdev, "unknown type %d conn %p",
3795 queue_work(hdev->workqueue, &hdev->tx_work);
3798 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3801 struct hci_chan *chan;
3803 switch (hdev->dev_type) {
3805 return hci_conn_hash_lookup_handle(hdev, handle);
3807 chan = hci_chan_lookup_handle(hdev, handle);
3812 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3819 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3821 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3824 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3825 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3829 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3830 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3831 BT_DBG("%s bad parameters", hdev->name);
3835 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3838 for (i = 0; i < ev->num_hndl; i++) {
3839 struct hci_comp_blocks_info *info = &ev->handles[i];
3840 struct hci_conn *conn = NULL;
3841 __u16 handle, block_count;
3843 handle = __le16_to_cpu(info->handle);
3844 block_count = __le16_to_cpu(info->blocks);
3846 conn = __hci_conn_lookup_handle(hdev, handle);
3850 conn->sent -= block_count;
3852 switch (conn->type) {
3855 hdev->block_cnt += block_count;
3856 if (hdev->block_cnt > hdev->num_blocks)
3857 hdev->block_cnt = hdev->num_blocks;
3861 bt_dev_err(hdev, "unknown type %d conn %p",
3867 queue_work(hdev->workqueue, &hdev->tx_work);
3870 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3872 struct hci_ev_mode_change *ev = (void *) skb->data;
3873 struct hci_conn *conn;
3875 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3879 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3881 conn->mode = ev->mode;
3883 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3885 if (conn->mode == HCI_CM_ACTIVE)
3886 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3888 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3891 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3892 hci_sco_setup(conn, ev->status);
3895 hci_dev_unlock(hdev);
3898 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3900 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3901 struct hci_conn *conn;
3903 BT_DBG("%s", hdev->name);
3907 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3911 if (conn->state == BT_CONNECTED) {
3912 hci_conn_hold(conn);
3913 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3914 hci_conn_drop(conn);
3917 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3918 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3919 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3920 sizeof(ev->bdaddr), &ev->bdaddr);
3921 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3924 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3929 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3933 hci_dev_unlock(hdev);
3936 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3938 if (key_type == HCI_LK_CHANGED_COMBINATION)
3941 conn->pin_length = pin_len;
3942 conn->key_type = key_type;
3945 case HCI_LK_LOCAL_UNIT:
3946 case HCI_LK_REMOTE_UNIT:
3947 case HCI_LK_DEBUG_COMBINATION:
3949 case HCI_LK_COMBINATION:
3951 conn->pending_sec_level = BT_SECURITY_HIGH;
3953 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3955 case HCI_LK_UNAUTH_COMBINATION_P192:
3956 case HCI_LK_UNAUTH_COMBINATION_P256:
3957 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3959 case HCI_LK_AUTH_COMBINATION_P192:
3960 conn->pending_sec_level = BT_SECURITY_HIGH;
3962 case HCI_LK_AUTH_COMBINATION_P256:
3963 conn->pending_sec_level = BT_SECURITY_FIPS;
3968 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3970 struct hci_ev_link_key_req *ev = (void *) skb->data;
3971 struct hci_cp_link_key_reply cp;
3972 struct hci_conn *conn;
3973 struct link_key *key;
3975 BT_DBG("%s", hdev->name);
3977 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3982 key = hci_find_link_key(hdev, &ev->bdaddr);
3984 BT_DBG("%s link key not found for %pMR", hdev->name,
3989 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3992 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3994 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3996 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3997 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3998 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3999 BT_DBG("%s ignoring unauthenticated key", hdev->name);
4003 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4004 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4005 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4006 BT_DBG("%s ignoring key unauthenticated for high security",
4011 conn_set_key(conn, key->type, key->pin_len);
4014 bacpy(&cp.bdaddr, &ev->bdaddr);
4015 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4017 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4019 hci_dev_unlock(hdev);
4024 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4025 hci_dev_unlock(hdev);
4028 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4030 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4031 struct hci_conn *conn;
4032 struct link_key *key;
4036 BT_DBG("%s", hdev->name);
4040 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4044 hci_conn_hold(conn);
4045 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4046 hci_conn_drop(conn);
4048 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4049 conn_set_key(conn, ev->key_type, conn->pin_length);
4051 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4054 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4055 ev->key_type, pin_len, &persistent);
4059 /* Update connection information since adding the key will have
4060 * fixed up the type in the case of changed combination keys.
4062 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4063 conn_set_key(conn, key->type, key->pin_len);
4065 mgmt_new_link_key(hdev, key, persistent);
4067 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4068 * is set. If it's not set simply remove the key from the kernel
4069 * list (we've still notified user space about it but with
4070 * store_hint being 0).
4072 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4073 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4074 list_del_rcu(&key->list);
4075 kfree_rcu(key, rcu);
4080 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4082 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4085 hci_dev_unlock(hdev);
4088 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4090 struct hci_ev_clock_offset *ev = (void *) skb->data;
4091 struct hci_conn *conn;
4093 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4097 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4098 if (conn && !ev->status) {
4099 struct inquiry_entry *ie;
4101 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4103 ie->data.clock_offset = ev->clock_offset;
4104 ie->timestamp = jiffies;
4108 hci_dev_unlock(hdev);
4111 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4113 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4114 struct hci_conn *conn;
4116 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4120 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4121 if (conn && !ev->status)
4122 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4124 hci_dev_unlock(hdev);
4127 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4129 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4130 struct inquiry_entry *ie;
4132 BT_DBG("%s", hdev->name);
4136 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4138 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4139 ie->timestamp = jiffies;
4142 hci_dev_unlock(hdev);
4145 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4146 struct sk_buff *skb)
4148 struct inquiry_data data;
4149 int num_rsp = *((__u8 *) skb->data);
4151 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4156 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4161 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4162 struct inquiry_info_with_rssi_and_pscan_mode *info;
4163 info = (void *) (skb->data + 1);
4165 for (; num_rsp; num_rsp--, info++) {
4168 bacpy(&data.bdaddr, &info->bdaddr);
4169 data.pscan_rep_mode = info->pscan_rep_mode;
4170 data.pscan_period_mode = info->pscan_period_mode;
4171 data.pscan_mode = info->pscan_mode;
4172 memcpy(data.dev_class, info->dev_class, 3);
4173 data.clock_offset = info->clock_offset;
4174 data.rssi = info->rssi;
4175 data.ssp_mode = 0x00;
4177 flags = hci_inquiry_cache_update(hdev, &data, false);
4179 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4180 info->dev_class, info->rssi,
4181 flags, NULL, 0, NULL, 0);
4184 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4186 for (; num_rsp; num_rsp--, info++) {
4189 bacpy(&data.bdaddr, &info->bdaddr);
4190 data.pscan_rep_mode = info->pscan_rep_mode;
4191 data.pscan_period_mode = info->pscan_period_mode;
4192 data.pscan_mode = 0x00;
4193 memcpy(data.dev_class, info->dev_class, 3);
4194 data.clock_offset = info->clock_offset;
4195 data.rssi = info->rssi;
4196 data.ssp_mode = 0x00;
4198 flags = hci_inquiry_cache_update(hdev, &data, false);
4200 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4201 info->dev_class, info->rssi,
4202 flags, NULL, 0, NULL, 0);
4206 hci_dev_unlock(hdev);
4209 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4210 struct sk_buff *skb)
4212 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4213 struct hci_conn *conn;
4215 BT_DBG("%s", hdev->name);
4219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4223 if (ev->page < HCI_MAX_PAGES)
4224 memcpy(conn->features[ev->page], ev->features, 8);
4226 if (!ev->status && ev->page == 0x01) {
4227 struct inquiry_entry *ie;
4229 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4231 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4233 if (ev->features[0] & LMP_HOST_SSP) {
4234 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4236 /* It is mandatory by the Bluetooth specification that
4237 * Extended Inquiry Results are only used when Secure
4238 * Simple Pairing is enabled, but some devices violate
4241 * To make these devices work, the internal SSP
4242 * enabled flag needs to be cleared if the remote host
4243 * features do not indicate SSP support */
4244 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4247 if (ev->features[0] & LMP_HOST_SC)
4248 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4251 if (conn->state != BT_CONFIG)
4254 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4255 struct hci_cp_remote_name_req cp;
4256 memset(&cp, 0, sizeof(cp));
4257 bacpy(&cp.bdaddr, &conn->dst);
4258 cp.pscan_rep_mode = 0x02;
4259 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4260 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4261 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4263 if (!hci_outgoing_auth_needed(hdev, conn)) {
4264 conn->state = BT_CONNECTED;
4265 hci_connect_cfm(conn, ev->status);
4266 hci_conn_drop(conn);
4270 hci_dev_unlock(hdev);
4273 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4274 struct sk_buff *skb)
4276 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4277 struct hci_conn *conn;
4279 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4283 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4285 if (ev->link_type == ESCO_LINK)
4288 /* When the link type in the event indicates SCO connection
4289 * and lookup of the connection object fails, then check
4290 * if an eSCO connection object exists.
4292 * The core limits the synchronous connections to either
4293 * SCO or eSCO. The eSCO connection is preferred and tried
4294 * to be setup first and until successfully established,
4295 * the link type will be hinted as eSCO.
4297 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4302 switch (ev->status) {
4304 conn->handle = __le16_to_cpu(ev->handle);
4305 conn->state = BT_CONNECTED;
4306 conn->type = ev->link_type;
4308 hci_debugfs_create_conn(conn);
4309 hci_conn_add_sysfs(conn);
4312 case 0x10: /* Connection Accept Timeout */
4313 case 0x0d: /* Connection Rejected due to Limited Resources */
4314 case 0x11: /* Unsupported Feature or Parameter Value */
4315 case 0x1c: /* SCO interval rejected */
4316 case 0x1a: /* Unsupported Remote Feature */
4317 case 0x1f: /* Unspecified error */
4318 case 0x20: /* Unsupported LMP Parameter value */
4320 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4321 (hdev->esco_type & EDR_ESCO_MASK);
4322 if (hci_setup_sync(conn, conn->link->handle))
4328 conn->state = BT_CLOSED;
4332 hci_connect_cfm(conn, ev->status);
4337 hci_dev_unlock(hdev);
4340 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4344 while (parsed < eir_len) {
4345 u8 field_len = eir[0];
4350 parsed += field_len + 1;
4351 eir += field_len + 1;
4357 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4358 struct sk_buff *skb)
4360 struct inquiry_data data;
4361 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4362 int num_rsp = *((__u8 *) skb->data);
4365 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4370 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4375 for (; num_rsp; num_rsp--, info++) {
4379 bacpy(&data.bdaddr, &info->bdaddr);
4380 data.pscan_rep_mode = info->pscan_rep_mode;
4381 data.pscan_period_mode = info->pscan_period_mode;
4382 data.pscan_mode = 0x00;
4383 memcpy(data.dev_class, info->dev_class, 3);
4384 data.clock_offset = info->clock_offset;
4385 data.rssi = info->rssi;
4386 data.ssp_mode = 0x01;
4388 if (hci_dev_test_flag(hdev, HCI_MGMT))
4389 name_known = eir_get_data(info->data,
4391 EIR_NAME_COMPLETE, NULL);
4395 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4397 eir_len = eir_get_length(info->data, sizeof(info->data));
4399 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4400 info->dev_class, info->rssi,
4401 flags, info->data, eir_len, NULL, 0);
4404 hci_dev_unlock(hdev);
4407 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4408 struct sk_buff *skb)
4410 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4411 struct hci_conn *conn;
4413 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4414 __le16_to_cpu(ev->handle));
4418 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4422 /* For BR/EDR the necessary steps are taken through the
4423 * auth_complete event.
4425 if (conn->type != LE_LINK)
4429 conn->sec_level = conn->pending_sec_level;
4431 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4433 if (ev->status && conn->state == BT_CONNECTED) {
4434 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4435 hci_conn_drop(conn);
4439 if (conn->state == BT_CONFIG) {
4441 conn->state = BT_CONNECTED;
4443 hci_connect_cfm(conn, ev->status);
4444 hci_conn_drop(conn);
4446 hci_auth_cfm(conn, ev->status);
4448 hci_conn_hold(conn);
4449 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4450 hci_conn_drop(conn);
4454 hci_dev_unlock(hdev);
4457 static u8 hci_get_auth_req(struct hci_conn *conn)
4460 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
4461 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4462 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4463 return HCI_AT_GENERAL_BONDING_MITM;
4467 /* If remote requests no-bonding follow that lead */
4468 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4469 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4470 return conn->remote_auth | (conn->auth_type & 0x01);
4472 /* If both remote and local have enough IO capabilities, require
4475 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4476 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4477 return conn->remote_auth | 0x01;
4479 /* No MITM protection possible so ignore remote requirement */
4480 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4483 static u8 bredr_oob_data_present(struct hci_conn *conn)
4485 struct hci_dev *hdev = conn->hdev;
4486 struct oob_data *data;
4488 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4492 if (bredr_sc_enabled(hdev)) {
4493 /* When Secure Connections is enabled, then just
4494 * return the present value stored with the OOB
4495 * data. The stored value contains the right present
4496 * information. However it can only be trusted when
4497 * not in Secure Connection Only mode.
4499 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4500 return data->present;
4502 /* When Secure Connections Only mode is enabled, then
4503 * the P-256 values are required. If they are not
4504 * available, then do not declare that OOB data is
4507 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4508 !memcmp(data->hash256, ZERO_KEY, 16))
4514 /* When Secure Connections is not enabled or actually
4515 * not supported by the hardware, then check that if
4516 * P-192 data values are present.
4518 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4519 !memcmp(data->hash192, ZERO_KEY, 16))
4525 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4527 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4528 struct hci_conn *conn;
4530 BT_DBG("%s", hdev->name);
4534 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4538 hci_conn_hold(conn);
4540 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4543 /* Allow pairing if we're pairable, the initiators of the
4544 * pairing or if the remote is not requesting bonding.
4546 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4547 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4548 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4549 struct hci_cp_io_capability_reply cp;
4551 bacpy(&cp.bdaddr, &ev->bdaddr);
4552 /* Change the IO capability from KeyboardDisplay
4553 * to DisplayYesNo as it is not supported by BT spec. */
4554 cp.capability = (conn->io_capability == 0x04) ?
4555 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4557 /* If we are initiators, there is no remote information yet */
4558 if (conn->remote_auth == 0xff) {
4559 /* Request MITM protection if our IO caps allow it
4560 * except for the no-bonding case.
4562 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4563 conn->auth_type != HCI_AT_NO_BONDING)
4564 conn->auth_type |= 0x01;
4566 conn->auth_type = hci_get_auth_req(conn);
4569 /* If we're not bondable, force one of the non-bondable
4570 * authentication requirement values.
4572 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4573 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4575 cp.authentication = conn->auth_type;
4576 cp.oob_data = bredr_oob_data_present(conn);
4578 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4581 struct hci_cp_io_capability_neg_reply cp;
4583 bacpy(&cp.bdaddr, &ev->bdaddr);
4584 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4586 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4591 hci_dev_unlock(hdev);
4594 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4596 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4597 struct hci_conn *conn;
4599 BT_DBG("%s", hdev->name);
4603 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4607 conn->remote_cap = ev->capability;
4608 conn->remote_auth = ev->authentication;
4611 hci_dev_unlock(hdev);
4614 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4615 struct sk_buff *skb)
4617 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4618 int loc_mitm, rem_mitm, confirm_hint = 0;
4619 struct hci_conn *conn;
4621 BT_DBG("%s", hdev->name);
4625 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4628 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4632 loc_mitm = (conn->auth_type & 0x01);
4633 rem_mitm = (conn->remote_auth & 0x01);
4635 /* If we require MITM but the remote device can't provide that
4636 * (it has NoInputNoOutput) then reject the confirmation
4637 * request. We check the security level here since it doesn't
4638 * necessarily match conn->auth_type.
4640 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4641 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4642 BT_DBG("Rejecting request: remote device can't provide MITM");
4643 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4644 sizeof(ev->bdaddr), &ev->bdaddr);
4648 /* If no side requires MITM protection; auto-accept */
4649 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4650 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4652 /* If we're not the initiators request authorization to
4653 * proceed from user space (mgmt_user_confirm with
4654 * confirm_hint set to 1). The exception is if neither
4655 * side had MITM or if the local IO capability is
4656 * NoInputNoOutput, in which case we do auto-accept
4658 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4659 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4660 (loc_mitm || rem_mitm)) {
4661 BT_DBG("Confirming auto-accept as acceptor");
4666 BT_DBG("Auto-accept of user confirmation with %ums delay",
4667 hdev->auto_accept_delay);
4669 if (hdev->auto_accept_delay > 0) {
4670 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4671 queue_delayed_work(conn->hdev->workqueue,
4672 &conn->auto_accept_work, delay);
4676 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4677 sizeof(ev->bdaddr), &ev->bdaddr);
4682 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4683 le32_to_cpu(ev->passkey), confirm_hint);
4686 hci_dev_unlock(hdev);
4689 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4690 struct sk_buff *skb)
4692 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4694 BT_DBG("%s", hdev->name);
4696 if (hci_dev_test_flag(hdev, HCI_MGMT))
4697 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4700 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4701 struct sk_buff *skb)
4703 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4704 struct hci_conn *conn;
4706 BT_DBG("%s", hdev->name);
4708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4712 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4713 conn->passkey_entered = 0;
4715 if (hci_dev_test_flag(hdev, HCI_MGMT))
4716 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4717 conn->dst_type, conn->passkey_notify,
4718 conn->passkey_entered);
4721 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4723 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4724 struct hci_conn *conn;
4726 BT_DBG("%s", hdev->name);
4728 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4733 case HCI_KEYPRESS_STARTED:
4734 conn->passkey_entered = 0;
4737 case HCI_KEYPRESS_ENTERED:
4738 conn->passkey_entered++;
4741 case HCI_KEYPRESS_ERASED:
4742 conn->passkey_entered--;
4745 case HCI_KEYPRESS_CLEARED:
4746 conn->passkey_entered = 0;
4749 case HCI_KEYPRESS_COMPLETED:
4753 if (hci_dev_test_flag(hdev, HCI_MGMT))
4754 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4755 conn->dst_type, conn->passkey_notify,
4756 conn->passkey_entered);
4759 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4760 struct sk_buff *skb)
4762 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4763 struct hci_conn *conn;
4765 BT_DBG("%s", hdev->name);
4769 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4773 /* Reset the authentication requirement to unknown */
4774 conn->remote_auth = 0xff;
4776 /* To avoid duplicate auth_failed events to user space we check
4777 * the HCI_CONN_AUTH_PEND flag which will be set if we
4778 * initiated the authentication. A traditional auth_complete
4779 * event gets always produced as initiator and is also mapped to
4780 * the mgmt_auth_failed event */
4781 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4782 mgmt_auth_failed(conn, ev->status);
4784 hci_conn_drop(conn);
4787 hci_dev_unlock(hdev);
4790 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4791 struct sk_buff *skb)
4793 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4794 struct inquiry_entry *ie;
4795 struct hci_conn *conn;
4797 BT_DBG("%s", hdev->name);
4801 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4803 memcpy(conn->features[1], ev->features, 8);
4805 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4807 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4809 hci_dev_unlock(hdev);
4812 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4813 struct sk_buff *skb)
4815 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4816 struct oob_data *data;
4818 BT_DBG("%s", hdev->name);
4822 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4825 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4827 struct hci_cp_remote_oob_data_neg_reply cp;
4829 bacpy(&cp.bdaddr, &ev->bdaddr);
4830 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4835 if (bredr_sc_enabled(hdev)) {
4836 struct hci_cp_remote_oob_ext_data_reply cp;
4838 bacpy(&cp.bdaddr, &ev->bdaddr);
4839 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4840 memset(cp.hash192, 0, sizeof(cp.hash192));
4841 memset(cp.rand192, 0, sizeof(cp.rand192));
4843 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4844 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4846 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4847 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4849 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4852 struct hci_cp_remote_oob_data_reply cp;
4854 bacpy(&cp.bdaddr, &ev->bdaddr);
4855 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4856 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4858 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4863 hci_dev_unlock(hdev);
4866 #if IS_ENABLED(CONFIG_BT_HS)
4867 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4869 struct hci_ev_channel_selected *ev = (void *)skb->data;
4870 struct hci_conn *hcon;
4872 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4874 skb_pull(skb, sizeof(*ev));
4876 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4880 amp_read_loc_assoc_final_data(hdev, hcon);
4883 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4884 struct sk_buff *skb)
4886 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4887 struct hci_conn *hcon, *bredr_hcon;
4889 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4894 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4896 hci_dev_unlock(hdev);
4902 hci_dev_unlock(hdev);
4906 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4908 hcon->state = BT_CONNECTED;
4909 bacpy(&hcon->dst, &bredr_hcon->dst);
4911 hci_conn_hold(hcon);
4912 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4913 hci_conn_drop(hcon);
4915 hci_debugfs_create_conn(hcon);
4916 hci_conn_add_sysfs(hcon);
4918 amp_physical_cfm(bredr_hcon, hcon);
4920 hci_dev_unlock(hdev);
4923 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4925 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4926 struct hci_conn *hcon;
4927 struct hci_chan *hchan;
4928 struct amp_mgr *mgr;
4930 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4931 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4934 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4938 /* Create AMP hchan */
4939 hchan = hci_chan_create(hcon);
4943 hchan->handle = le16_to_cpu(ev->handle);
4945 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4947 mgr = hcon->amp_mgr;
4948 if (mgr && mgr->bredr_chan) {
4949 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4951 l2cap_chan_lock(bredr_chan);
4953 bredr_chan->conn->mtu = hdev->block_mtu;
4954 l2cap_logical_cfm(bredr_chan, hchan, 0);
4955 hci_conn_hold(hcon);
4957 l2cap_chan_unlock(bredr_chan);
4961 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4962 struct sk_buff *skb)
4964 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4965 struct hci_chan *hchan;
4967 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4968 le16_to_cpu(ev->handle), ev->status);
4975 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4979 amp_destroy_logical_link(hchan, ev->reason);
4982 hci_dev_unlock(hdev);
4985 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4986 struct sk_buff *skb)
4988 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4989 struct hci_conn *hcon;
4991 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4998 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5000 hcon->state = BT_CLOSED;
5004 hci_dev_unlock(hdev);
5008 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5009 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
5010 u16 interval, u16 latency, u16 supervision_timeout)
5012 struct hci_conn_params *params;
5013 struct hci_conn *conn;
5014 struct smp_irk *irk;
5019 /* All controllers implicitly stop advertising in the event of a
5020 * connection, so ensure that the state bit is cleared.
5022 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5024 conn = hci_lookup_le_connect(hdev);
5026 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5028 bt_dev_err(hdev, "no memory for new connection");
5032 conn->dst_type = bdaddr_type;
5034 /* If we didn't have a hci_conn object previously
5035 * but we're in master role this must be something
5036 * initiated using a white list. Since white list based
5037 * connections are not "first class citizens" we don't
5038 * have full tracking of them. Therefore, we go ahead
5039 * with a "best effort" approach of determining the
5040 * initiator address based on the HCI_PRIVACY flag.
5043 conn->resp_addr_type = bdaddr_type;
5044 bacpy(&conn->resp_addr, bdaddr);
5045 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5046 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5047 bacpy(&conn->init_addr, &hdev->rpa);
5049 hci_copy_identity_address(hdev,
5051 &conn->init_addr_type);
5056 /* LE auto connect */
5057 bacpy(&conn->dst, bdaddr);
5059 cancel_delayed_work(&conn->le_conn_timeout);
5063 /* Set the responder (our side) address type based on
5064 * the advertising address type.
5066 conn->resp_addr_type = hdev->adv_addr_type;
5067 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5068 /* In case of ext adv, resp_addr will be updated in
5069 * Adv Terminated event.
5071 if (!ext_adv_capable(hdev))
5072 bacpy(&conn->resp_addr, &hdev->random_addr);
5074 bacpy(&conn->resp_addr, &hdev->bdaddr);
5077 conn->init_addr_type = bdaddr_type;
5078 bacpy(&conn->init_addr, bdaddr);
5080 /* For incoming connections, set the default minimum
5081 * and maximum connection interval. They will be used
5082 * to check if the parameters are in range and if not
5083 * trigger the connection update procedure.
5085 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5086 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5089 /* Lookup the identity address from the stored connection
5090 * address and address type.
5092 * When establishing connections to an identity address, the
5093 * connection procedure will store the resolvable random
5094 * address first. Now if it can be converted back into the
5095 * identity address, start using the identity address from
5098 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5100 bacpy(&conn->dst, &irk->bdaddr);
5101 conn->dst_type = irk->addr_type;
5105 hci_le_conn_failed(conn, status);
5109 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5110 addr_type = BDADDR_LE_PUBLIC;
5112 addr_type = BDADDR_LE_RANDOM;
5114 /* Drop the connection if the device is blocked */
5115 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5116 hci_conn_drop(conn);
5120 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5121 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5123 conn->sec_level = BT_SECURITY_LOW;
5124 conn->handle = handle;
5125 conn->state = BT_CONFIG;
5127 conn->le_conn_interval = interval;
5128 conn->le_conn_latency = latency;
5129 conn->le_supv_timeout = supervision_timeout;
5131 hci_debugfs_create_conn(conn);
5132 hci_conn_add_sysfs(conn);
5135 /* The remote features procedure is defined for master
5136 * role only. So only in case of an initiated connection
5137 * request the remote features.
5139 * If the local controller supports slave-initiated features
5140 * exchange, then requesting the remote features in slave
5141 * role is possible. Otherwise just transition into the
5142 * connected state without requesting the remote features.
5145 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5146 struct hci_cp_le_read_remote_features cp;
5148 cp.handle = __cpu_to_le16(conn->handle);
5150 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5153 hci_conn_hold(conn);
5155 conn->state = BT_CONNECTED;
5156 hci_connect_cfm(conn, status);
5159 hci_connect_cfm(conn, status);
5162 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5165 list_del_init(¶ms->action);
5167 hci_conn_drop(params->conn);
5168 hci_conn_put(params->conn);
5169 params->conn = NULL;
5174 hci_update_background_scan(hdev);
5175 hci_dev_unlock(hdev);
5178 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5180 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5182 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5184 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5185 ev->role, le16_to_cpu(ev->handle),
5186 le16_to_cpu(ev->interval),
5187 le16_to_cpu(ev->latency),
5188 le16_to_cpu(ev->supervision_timeout));
5191 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5192 struct sk_buff *skb)
5194 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5196 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5198 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5199 ev->role, le16_to_cpu(ev->handle),
5200 le16_to_cpu(ev->interval),
5201 le16_to_cpu(ev->latency),
5202 le16_to_cpu(ev->supervision_timeout));
5205 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5207 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5208 struct hci_conn *conn;
5210 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5215 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5217 struct adv_info *adv_instance;
5219 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5222 if (!hdev->cur_adv_instance) {
5223 bacpy(&conn->resp_addr, &hdev->random_addr);
5227 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5229 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5233 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5234 struct sk_buff *skb)
5236 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5237 struct hci_conn *conn;
5239 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5246 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5250 hci_dev_unlock(hdev);
5251 mgmt_le_conn_update_failed(hdev, &conn->dst,
5252 conn->type, conn->dst_type, ev->status);
5256 conn->le_conn_interval = le16_to_cpu(ev->interval);
5257 conn->le_conn_latency = le16_to_cpu(ev->latency);
5258 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5261 hci_dev_unlock(hdev);
5264 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
5265 conn->dst_type, conn->le_conn_interval,
5266 conn->le_conn_latency, conn->le_supv_timeout);
5270 /* This function requires the caller holds hdev->lock */
5271 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5273 u8 addr_type, u8 adv_type,
5274 bdaddr_t *direct_rpa)
5276 struct hci_conn *conn;
5277 struct hci_conn_params *params;
5279 /* If the event is not connectable don't proceed further */
5280 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5283 /* Ignore if the device is blocked */
5284 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5287 /* Most controller will fail if we try to create new connections
5288 * while we have an existing one in slave role.
5290 if (hdev->conn_hash.le_num_slave > 0)
5293 /* If we're not connectable only connect devices that we have in
5294 * our pend_le_conns list.
5296 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5301 if (!params->explicit_connect) {
5302 switch (params->auto_connect) {
5303 case HCI_AUTO_CONN_DIRECT:
5304 /* Only devices advertising with ADV_DIRECT_IND are
5305 * triggering a connection attempt. This is allowing
5306 * incoming connections from slave devices.
5308 if (adv_type != LE_ADV_DIRECT_IND)
5311 case HCI_AUTO_CONN_ALWAYS:
5312 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5313 * are triggering a connection attempt. This means
5314 * that incoming connectioms from slave device are
5315 * accepted and also outgoing connections to slave
5316 * devices are established when found.
5324 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5325 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5327 if (!IS_ERR(conn)) {
5328 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5329 * by higher layer that tried to connect, if no then
5330 * store the pointer since we don't really have any
5331 * other owner of the object besides the params that
5332 * triggered it. This way we can abort the connection if
5333 * the parameters get removed and keep the reference
5334 * count consistent once the connection is established.
5337 if (!params->explicit_connect)
5338 params->conn = hci_conn_get(conn);
5343 switch (PTR_ERR(conn)) {
5345 /* If hci_connect() returns -EBUSY it means there is already
5346 * an LE connection attempt going on. Since controllers don't
5347 * support more than one connection attempt at the time, we
5348 * don't consider this an error case.
5352 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5359 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5360 u8 bdaddr_type, bdaddr_t *direct_addr,
5361 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5364 struct discovery_state *d = &hdev->discovery;
5366 struct smp_irk *irk;
5367 struct hci_conn *conn;
5376 case LE_ADV_DIRECT_IND:
5377 case LE_ADV_SCAN_IND:
5378 case LE_ADV_NONCONN_IND:
5379 case LE_ADV_SCAN_RSP:
5382 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5383 "type: 0x%02x", type);
5387 /* Find the end of the data in case the report contains padded zero
5388 * bytes at the end causing an invalid length value.
5390 * When data is NULL, len is 0 so there is no need for extra ptr
5391 * check as 'ptr < data + 0' is already false in such case.
5393 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5394 if (ptr + 1 + *ptr > data + len)
5398 real_len = ptr - data;
5400 /* Adjust for actual length */
5401 if (len != real_len) {
5402 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
5406 /* If the direct address is present, then this report is from
5407 * a LE Direct Advertising Report event. In that case it is
5408 * important to see if the address is matching the local
5409 * controller address.
5412 /* Only resolvable random addresses are valid for these
5413 * kind of reports and others can be ignored.
5415 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5418 /* If the controller is not using resolvable random
5419 * addresses, then this report can be ignored.
5421 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5424 /* If the local IRK of the controller does not match
5425 * with the resolvable random address provided, then
5426 * this report can be ignored.
5428 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5432 /* Check if we need to convert to identity address */
5433 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5435 bdaddr = &irk->bdaddr;
5436 bdaddr_type = irk->addr_type;
5439 /* Check if we have been requested to connect to this device.
5441 * direct_addr is set only for directed advertising reports (it is NULL
5442 * for advertising reports) and is already verified to be RPA above.
5444 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5446 if (conn && type == LE_ADV_IND) {
5447 /* Store report for later inclusion by
5448 * mgmt_device_connected
5450 memcpy(conn->le_adv_data, data, len);
5451 conn->le_adv_data_len = len;
5454 /* Passive scanning shouldn't trigger any device found events,
5455 * except for devices marked as CONN_REPORT for which we do send
5456 * device found events.
5458 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5459 if (type == LE_ADV_DIRECT_IND)
5463 /* Handle all adv packet in platform */
5464 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5465 bdaddr, bdaddr_type))
5469 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5470 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5474 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5475 rssi, flags, data, len, NULL, 0, type);
5477 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5478 rssi, flags, data, len, NULL, 0);
5483 /* When receiving non-connectable or scannable undirected
5484 * advertising reports, this means that the remote device is
5485 * not connectable and then clearly indicate this in the
5486 * device found event.
5488 * When receiving a scan response, then there is no way to
5489 * know if the remote device is connectable or not. However
5490 * since scan responses are merged with a previously seen
5491 * advertising report, the flags field from that report
5494 * In the really unlikely case that a controller get confused
5495 * and just sends a scan response event, then it is marked as
5496 * not connectable as well.
5498 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5499 type == LE_ADV_SCAN_RSP)
5500 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5505 /* Disable adv ind and scan rsp merging */
5506 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5507 rssi, flags, data, len, NULL, 0, type);
5509 /* If there's nothing pending either store the data from this
5510 * event or send an immediate device found event if the data
5511 * should not be stored for later.
5513 if (!has_pending_adv_report(hdev)) {
5514 /* If the report will trigger a SCAN_REQ store it for
5517 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5518 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5519 rssi, flags, data, len);
5523 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5524 rssi, flags, data, len, NULL, 0);
5528 /* Check if the pending report is for the same device as the new one */
5529 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5530 bdaddr_type == d->last_adv_addr_type);
5532 /* If the pending data doesn't match this report or this isn't a
5533 * scan response (e.g. we got a duplicate ADV_IND) then force
5534 * sending of the pending data.
5536 if (type != LE_ADV_SCAN_RSP || !match) {
5537 /* Send out whatever is in the cache, but skip duplicates */
5539 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5540 d->last_adv_addr_type, NULL,
5541 d->last_adv_rssi, d->last_adv_flags,
5543 d->last_adv_data_len, NULL, 0);
5545 /* If the new report will trigger a SCAN_REQ store it for
5548 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5549 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5550 rssi, flags, data, len);
5554 /* The advertising reports cannot be merged, so clear
5555 * the pending report and send out a device found event.
5557 clear_pending_adv_report(hdev);
5558 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5559 rssi, flags, data, len, NULL, 0);
5563 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5564 * the new event is a SCAN_RSP. We can therefore proceed with
5565 * sending a merged device found event.
5567 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5568 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5569 d->last_adv_data, d->last_adv_data_len, data, len);
5570 clear_pending_adv_report(hdev);
5574 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5576 u8 num_reports = skb->data[0];
5577 void *ptr = &skb->data[1];
5581 while (num_reports--) {
5582 struct hci_ev_le_advertising_info *ev = ptr;
5585 if (ev->length <= HCI_MAX_AD_LENGTH) {
5586 rssi = ev->data[ev->length];
5587 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5588 ev->bdaddr_type, NULL, 0, rssi,
5589 ev->data, ev->length);
5591 bt_dev_err(hdev, "Dropping invalid advertising data");
5594 ptr += sizeof(*ev) + ev->length + 1;
5597 hci_dev_unlock(hdev);
5600 static u8 ext_evt_type_to_legacy(u16 evt_type)
5602 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5604 case LE_LEGACY_ADV_IND:
5606 case LE_LEGACY_ADV_DIRECT_IND:
5607 return LE_ADV_DIRECT_IND;
5608 case LE_LEGACY_ADV_SCAN_IND:
5609 return LE_ADV_SCAN_IND;
5610 case LE_LEGACY_NONCONN_IND:
5611 return LE_ADV_NONCONN_IND;
5612 case LE_LEGACY_SCAN_RSP_ADV:
5613 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5614 return LE_ADV_SCAN_RSP;
5617 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5620 return LE_ADV_INVALID;
5623 if (evt_type & LE_EXT_ADV_CONN_IND) {
5624 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5625 return LE_ADV_DIRECT_IND;
5630 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5631 return LE_ADV_SCAN_RSP;
5633 if (evt_type & LE_EXT_ADV_SCAN_IND)
5634 return LE_ADV_SCAN_IND;
5636 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5637 evt_type & LE_EXT_ADV_DIRECT_IND)
5638 return LE_ADV_NONCONN_IND;
5640 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5643 return LE_ADV_INVALID;
5646 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5648 u8 num_reports = skb->data[0];
5649 void *ptr = &skb->data[1];
5653 while (num_reports--) {
5654 struct hci_ev_le_ext_adv_report *ev = ptr;
5658 evt_type = __le16_to_cpu(ev->evt_type);
5659 legacy_evt_type = ext_evt_type_to_legacy(evt_type);
5660 if (legacy_evt_type != LE_ADV_INVALID) {
5661 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5662 ev->bdaddr_type, NULL, 0, ev->rssi,
5663 ev->data, ev->length);
5666 ptr += sizeof(*ev) + ev->length + 1;
5669 hci_dev_unlock(hdev);
5672 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5673 struct sk_buff *skb)
5675 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5676 struct hci_conn *conn;
5678 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5682 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5685 memcpy(conn->features[0], ev->features, 8);
5687 if (conn->state == BT_CONFIG) {
5690 /* If the local controller supports slave-initiated
5691 * features exchange, but the remote controller does
5692 * not, then it is possible that the error code 0x1a
5693 * for unsupported remote feature gets returned.
5695 * In this specific case, allow the connection to
5696 * transition into connected state and mark it as
5699 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5700 !conn->out && ev->status == 0x1a)
5703 status = ev->status;
5705 conn->state = BT_CONNECTED;
5706 hci_connect_cfm(conn, status);
5707 hci_conn_drop(conn);
5711 hci_dev_unlock(hdev);
5714 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5716 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5717 struct hci_cp_le_ltk_reply cp;
5718 struct hci_cp_le_ltk_neg_reply neg;
5719 struct hci_conn *conn;
5720 struct smp_ltk *ltk;
5722 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5726 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5730 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5734 if (smp_ltk_is_sc(ltk)) {
5735 /* With SC both EDiv and Rand are set to zero */
5736 if (ev->ediv || ev->rand)
5739 /* For non-SC keys check that EDiv and Rand match */
5740 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5744 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5745 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5746 cp.handle = cpu_to_le16(conn->handle);
5748 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5750 conn->enc_key_size = ltk->enc_size;
5752 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5754 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5755 * temporary key used to encrypt a connection following
5756 * pairing. It is used during the Encrypted Session Setup to
5757 * distribute the keys. Later, security can be re-established
5758 * using a distributed LTK.
5760 if (ltk->type == SMP_STK) {
5761 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5762 list_del_rcu(<k->list);
5763 kfree_rcu(ltk, rcu);
5765 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5768 hci_dev_unlock(hdev);
5773 neg.handle = ev->handle;
5774 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5775 hci_dev_unlock(hdev);
5778 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5781 struct hci_cp_le_conn_param_req_neg_reply cp;
5783 cp.handle = cpu_to_le16(handle);
5786 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5790 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5791 struct sk_buff *skb)
5793 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5794 struct hci_cp_le_conn_param_req_reply cp;
5795 struct hci_conn *hcon;
5796 u16 handle, min, max, latency, timeout;
5798 handle = le16_to_cpu(ev->handle);
5799 min = le16_to_cpu(ev->interval_min);
5800 max = le16_to_cpu(ev->interval_max);
5801 latency = le16_to_cpu(ev->latency);
5802 timeout = le16_to_cpu(ev->timeout);
5804 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5805 if (!hcon || hcon->state != BT_CONNECTED)
5806 return send_conn_param_neg_reply(hdev, handle,
5807 HCI_ERROR_UNKNOWN_CONN_ID);
5809 if (hci_check_conn_params(min, max, latency, timeout))
5810 return send_conn_param_neg_reply(hdev, handle,
5811 HCI_ERROR_INVALID_LL_PARAMS);
5813 if (hcon->role == HCI_ROLE_MASTER) {
5814 struct hci_conn_params *params;
5819 params = hci_conn_params_lookup(hdev, &hcon->dst,
5822 params->conn_min_interval = min;
5823 params->conn_max_interval = max;
5824 params->conn_latency = latency;
5825 params->supervision_timeout = timeout;
5831 hci_dev_unlock(hdev);
5833 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5834 store_hint, min, max, latency, timeout);
5837 cp.handle = ev->handle;
5838 cp.interval_min = ev->interval_min;
5839 cp.interval_max = ev->interval_max;
5840 cp.latency = ev->latency;
5841 cp.timeout = ev->timeout;
5845 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5848 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5849 struct sk_buff *skb)
5851 u8 num_reports = skb->data[0];
5852 void *ptr = &skb->data[1];
5856 while (num_reports--) {
5857 struct hci_ev_le_direct_adv_info *ev = ptr;
5859 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5860 ev->bdaddr_type, &ev->direct_addr,
5861 ev->direct_addr_type, ev->rssi, NULL, 0);
5866 hci_dev_unlock(hdev);
5869 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5871 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5873 skb_pull(skb, sizeof(*le_ev));
5875 switch (le_ev->subevent) {
5876 case HCI_EV_LE_CONN_COMPLETE:
5877 hci_le_conn_complete_evt(hdev, skb);
5880 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5881 hci_le_conn_update_complete_evt(hdev, skb);
5884 case HCI_EV_LE_ADVERTISING_REPORT:
5885 hci_le_adv_report_evt(hdev, skb);
5888 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5889 hci_le_remote_feat_complete_evt(hdev, skb);
5892 case HCI_EV_LE_LTK_REQ:
5893 hci_le_ltk_request_evt(hdev, skb);
5896 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5897 hci_le_remote_conn_param_req_evt(hdev, skb);
5900 case HCI_EV_LE_DIRECT_ADV_REPORT:
5901 hci_le_direct_adv_report_evt(hdev, skb);
5904 case HCI_EV_LE_EXT_ADV_REPORT:
5905 hci_le_ext_adv_report_evt(hdev, skb);
5908 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5909 hci_le_enh_conn_complete_evt(hdev, skb);
5912 case HCI_EV_LE_EXT_ADV_SET_TERM:
5913 hci_le_ext_adv_term_evt(hdev, skb);
5921 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5922 u8 event, struct sk_buff *skb)
5924 struct hci_ev_cmd_complete *ev;
5925 struct hci_event_hdr *hdr;
5930 if (skb->len < sizeof(*hdr)) {
5931 bt_dev_err(hdev, "too short HCI event");
5935 hdr = (void *) skb->data;
5936 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5939 if (hdr->evt != event)
5944 /* Check if request ended in Command Status - no way to retreive
5945 * any extra parameters in this case.
5947 if (hdr->evt == HCI_EV_CMD_STATUS)
5950 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5951 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5956 if (skb->len < sizeof(*ev)) {
5957 bt_dev_err(hdev, "too short cmd_complete event");
5961 ev = (void *) skb->data;
5962 skb_pull(skb, sizeof(*ev));
5964 if (opcode != __le16_to_cpu(ev->opcode)) {
5965 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5966 __le16_to_cpu(ev->opcode));
5973 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5975 struct hci_event_hdr *hdr = (void *) skb->data;
5976 hci_req_complete_t req_complete = NULL;
5977 hci_req_complete_skb_t req_complete_skb = NULL;
5978 struct sk_buff *orig_skb = NULL;
5979 u8 status = 0, event = hdr->evt, req_evt = 0;
5980 u16 opcode = HCI_OP_NOP;
5982 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5983 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5984 opcode = __le16_to_cpu(cmd_hdr->opcode);
5985 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5990 /* If it looks like we might end up having to call
5991 * req_complete_skb, store a pristine copy of the skb since the
5992 * various handlers may modify the original one through
5993 * skb_pull() calls, etc.
5995 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5996 event == HCI_EV_CMD_COMPLETE)
5997 orig_skb = skb_clone(skb, GFP_KERNEL);
5999 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6002 case HCI_EV_INQUIRY_COMPLETE:
6003 hci_inquiry_complete_evt(hdev, skb);
6006 case HCI_EV_INQUIRY_RESULT:
6007 hci_inquiry_result_evt(hdev, skb);
6010 case HCI_EV_CONN_COMPLETE:
6011 hci_conn_complete_evt(hdev, skb);
6014 case HCI_EV_CONN_REQUEST:
6015 hci_conn_request_evt(hdev, skb);
6018 case HCI_EV_DISCONN_COMPLETE:
6019 hci_disconn_complete_evt(hdev, skb);
6022 case HCI_EV_AUTH_COMPLETE:
6023 hci_auth_complete_evt(hdev, skb);
6026 case HCI_EV_REMOTE_NAME:
6027 hci_remote_name_evt(hdev, skb);
6030 case HCI_EV_ENCRYPT_CHANGE:
6031 hci_encrypt_change_evt(hdev, skb);
6034 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6035 hci_change_link_key_complete_evt(hdev, skb);
6038 case HCI_EV_REMOTE_FEATURES:
6039 hci_remote_features_evt(hdev, skb);
6042 case HCI_EV_CMD_COMPLETE:
6043 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6044 &req_complete, &req_complete_skb);
6047 case HCI_EV_CMD_STATUS:
6048 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6052 case HCI_EV_HARDWARE_ERROR:
6053 hci_hardware_error_evt(hdev, skb);
6056 case HCI_EV_ROLE_CHANGE:
6057 hci_role_change_evt(hdev, skb);
6060 case HCI_EV_NUM_COMP_PKTS:
6061 hci_num_comp_pkts_evt(hdev, skb);
6064 case HCI_EV_MODE_CHANGE:
6065 hci_mode_change_evt(hdev, skb);
6068 case HCI_EV_PIN_CODE_REQ:
6069 hci_pin_code_request_evt(hdev, skb);
6072 case HCI_EV_LINK_KEY_REQ:
6073 hci_link_key_request_evt(hdev, skb);
6076 case HCI_EV_LINK_KEY_NOTIFY:
6077 hci_link_key_notify_evt(hdev, skb);
6080 case HCI_EV_CLOCK_OFFSET:
6081 hci_clock_offset_evt(hdev, skb);
6084 case HCI_EV_PKT_TYPE_CHANGE:
6085 hci_pkt_type_change_evt(hdev, skb);
6088 case HCI_EV_PSCAN_REP_MODE:
6089 hci_pscan_rep_mode_evt(hdev, skb);
6092 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6093 hci_inquiry_result_with_rssi_evt(hdev, skb);
6096 case HCI_EV_REMOTE_EXT_FEATURES:
6097 hci_remote_ext_features_evt(hdev, skb);
6100 case HCI_EV_SYNC_CONN_COMPLETE:
6101 hci_sync_conn_complete_evt(hdev, skb);
6104 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6105 hci_extended_inquiry_result_evt(hdev, skb);
6108 case HCI_EV_KEY_REFRESH_COMPLETE:
6109 hci_key_refresh_complete_evt(hdev, skb);
6112 case HCI_EV_IO_CAPA_REQUEST:
6113 hci_io_capa_request_evt(hdev, skb);
6116 case HCI_EV_IO_CAPA_REPLY:
6117 hci_io_capa_reply_evt(hdev, skb);
6120 case HCI_EV_USER_CONFIRM_REQUEST:
6121 hci_user_confirm_request_evt(hdev, skb);
6124 case HCI_EV_USER_PASSKEY_REQUEST:
6125 hci_user_passkey_request_evt(hdev, skb);
6128 case HCI_EV_USER_PASSKEY_NOTIFY:
6129 hci_user_passkey_notify_evt(hdev, skb);
6132 case HCI_EV_KEYPRESS_NOTIFY:
6133 hci_keypress_notify_evt(hdev, skb);
6136 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6137 hci_simple_pair_complete_evt(hdev, skb);
6140 case HCI_EV_REMOTE_HOST_FEATURES:
6141 hci_remote_host_features_evt(hdev, skb);
6144 case HCI_EV_LE_META:
6145 hci_le_meta_evt(hdev, skb);
6148 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6149 hci_remote_oob_data_request_evt(hdev, skb);
6152 #if IS_ENABLED(CONFIG_BT_HS)
6153 case HCI_EV_CHANNEL_SELECTED:
6154 hci_chan_selected_evt(hdev, skb);
6157 case HCI_EV_PHY_LINK_COMPLETE:
6158 hci_phy_link_complete_evt(hdev, skb);
6161 case HCI_EV_LOGICAL_LINK_COMPLETE:
6162 hci_loglink_complete_evt(hdev, skb);
6165 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6166 hci_disconn_loglink_complete_evt(hdev, skb);
6169 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6170 hci_disconn_phylink_complete_evt(hdev, skb);
6174 case HCI_EV_NUM_COMP_BLOCKS:
6175 hci_num_comp_blocks_evt(hdev, skb);
6179 case HCI_EV_VENDOR_SPECIFIC:
6180 hci_vendor_specific_evt(hdev, skb);
6185 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6190 req_complete(hdev, status, opcode);
6191 } else if (req_complete_skb) {
6192 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6193 kfree_skb(orig_skb);
6196 req_complete_skb(hdev, status, opcode, orig_skb);
6199 kfree_skb(orig_skb);
6201 hdev->stat.evt_rx++;