2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 struct hci_cp_write_link_policy cp;
146 struct hci_conn *sco_conn;
149 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
154 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
160 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
162 conn->link_policy = get_unaligned_le16(sent + 2);
165 sco_conn = hci_conn_hash_lookup_sco(hdev);
166 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
167 conn->link_policy & HCI_LP_SNIFF) {
168 BT_ERR("SNIFF is not allowed during sco connection");
169 cp.handle = __cpu_to_le16(conn->handle);
170 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
171 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
175 hci_dev_unlock(hdev);
178 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
181 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
183 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
188 hdev->link_policy = __le16_to_cpu(rp->policy);
191 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
194 __u8 status = *((__u8 *) skb->data);
197 BT_DBG("%s status 0x%2.2x", hdev->name, status);
202 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
206 hdev->link_policy = get_unaligned_le16(sent);
209 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
211 __u8 status = *((__u8 *) skb->data);
213 BT_DBG("%s status 0x%2.2x", hdev->name, status);
215 clear_bit(HCI_RESET, &hdev->flags);
220 /* Reset all non-persistent flags */
221 hci_dev_clear_volatile_flags(hdev);
223 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
225 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
226 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
228 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
229 hdev->adv_data_len = 0;
231 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
232 hdev->scan_rsp_data_len = 0;
234 hdev->le_scan_type = LE_SCAN_PASSIVE;
236 hdev->ssp_debug_mode = 0;
238 hci_bdaddr_list_clear(&hdev->le_white_list);
239 hci_bdaddr_list_clear(&hdev->le_resolv_list);
242 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
245 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
246 struct hci_cp_read_stored_link_key *sent;
248 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
254 if (!rp->status && sent->read_all == 0x01) {
255 hdev->stored_max_keys = rp->max_keys;
256 hdev->stored_num_keys = rp->num_keys;
260 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
263 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
265 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
270 if (rp->num_keys <= hdev->stored_num_keys)
271 hdev->stored_num_keys -= rp->num_keys;
273 hdev->stored_num_keys = 0;
276 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 __u8 status = *((__u8 *) skb->data);
281 BT_DBG("%s status 0x%2.2x", hdev->name, status);
283 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
289 if (hci_dev_test_flag(hdev, HCI_MGMT))
290 mgmt_set_local_name_complete(hdev, sent, status);
292 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
294 hci_dev_unlock(hdev);
297 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
299 struct hci_rp_read_local_name *rp = (void *) skb->data;
301 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
306 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
307 hci_dev_test_flag(hdev, HCI_CONFIG))
308 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
311 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
313 __u8 status = *((__u8 *) skb->data);
316 BT_DBG("%s status 0x%2.2x", hdev->name, status);
318 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
325 __u8 param = *((__u8 *) sent);
327 if (param == AUTH_ENABLED)
328 set_bit(HCI_AUTH, &hdev->flags);
330 clear_bit(HCI_AUTH, &hdev->flags);
333 if (hci_dev_test_flag(hdev, HCI_MGMT))
334 mgmt_auth_enable_complete(hdev, status);
336 hci_dev_unlock(hdev);
339 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
341 __u8 status = *((__u8 *) skb->data);
345 BT_DBG("%s status 0x%2.2x", hdev->name, status);
350 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
354 param = *((__u8 *) sent);
357 set_bit(HCI_ENCRYPT, &hdev->flags);
359 clear_bit(HCI_ENCRYPT, &hdev->flags);
362 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
364 __u8 status = *((__u8 *) skb->data);
368 BT_DBG("%s status 0x%2.2x", hdev->name, status);
370 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
374 param = *((__u8 *) sent);
379 hdev->discov_timeout = 0;
383 if (param & SCAN_INQUIRY)
384 set_bit(HCI_ISCAN, &hdev->flags);
386 clear_bit(HCI_ISCAN, &hdev->flags);
388 if (param & SCAN_PAGE)
389 set_bit(HCI_PSCAN, &hdev->flags);
391 clear_bit(HCI_PSCAN, &hdev->flags);
394 hci_dev_unlock(hdev);
397 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
399 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
401 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
406 memcpy(hdev->dev_class, rp->dev_class, 3);
408 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
409 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
412 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
414 __u8 status = *((__u8 *) skb->data);
417 BT_DBG("%s status 0x%2.2x", hdev->name, status);
419 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
426 memcpy(hdev->dev_class, sent, 3);
428 if (hci_dev_test_flag(hdev, HCI_MGMT))
429 mgmt_set_class_of_dev_complete(hdev, sent, status);
431 hci_dev_unlock(hdev);
434 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
436 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
439 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
444 setting = __le16_to_cpu(rp->voice_setting);
446 if (hdev->voice_setting == setting)
449 hdev->voice_setting = setting;
451 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
454 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
457 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
460 __u8 status = *((__u8 *) skb->data);
464 BT_DBG("%s status 0x%2.2x", hdev->name, status);
469 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
473 setting = get_unaligned_le16(sent);
475 if (hdev->voice_setting == setting)
478 hdev->voice_setting = setting;
480 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
483 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
486 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
489 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
491 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
496 hdev->num_iac = rp->num_iac;
498 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
501 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
503 __u8 status = *((__u8 *) skb->data);
504 struct hci_cp_write_ssp_mode *sent;
506 BT_DBG("%s status 0x%2.2x", hdev->name, status);
508 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
516 hdev->features[1][0] |= LMP_HOST_SSP;
518 hdev->features[1][0] &= ~LMP_HOST_SSP;
521 if (hci_dev_test_flag(hdev, HCI_MGMT))
522 mgmt_ssp_enable_complete(hdev, sent->mode, status);
525 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
527 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
530 hci_dev_unlock(hdev);
533 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
535 u8 status = *((u8 *) skb->data);
536 struct hci_cp_write_sc_support *sent;
538 BT_DBG("%s status 0x%2.2x", hdev->name, status);
540 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
548 hdev->features[1][0] |= LMP_HOST_SC;
550 hdev->features[1][0] &= ~LMP_HOST_SC;
553 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
555 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
557 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
560 hci_dev_unlock(hdev);
563 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
565 struct hci_rp_read_local_version *rp = (void *) skb->data;
567 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
573 hci_dev_test_flag(hdev, HCI_CONFIG)) {
574 hdev->hci_ver = rp->hci_ver;
575 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
576 hdev->lmp_ver = rp->lmp_ver;
577 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
578 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
582 static void hci_cc_read_local_commands(struct hci_dev *hdev,
585 struct hci_rp_read_local_commands *rp = (void *) skb->data;
587 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
592 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
593 hci_dev_test_flag(hdev, HCI_CONFIG))
594 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
597 static void hci_cc_read_local_features(struct hci_dev *hdev,
600 struct hci_rp_read_local_features *rp = (void *) skb->data;
602 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
607 memcpy(hdev->features, rp->features, 8);
609 /* Adjust default settings according to features
610 * supported by device. */
612 if (hdev->features[0][0] & LMP_3SLOT)
613 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
615 if (hdev->features[0][0] & LMP_5SLOT)
616 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
618 if (hdev->features[0][1] & LMP_HV2) {
619 hdev->pkt_type |= (HCI_HV2);
620 hdev->esco_type |= (ESCO_HV2);
623 if (hdev->features[0][1] & LMP_HV3) {
624 hdev->pkt_type |= (HCI_HV3);
625 hdev->esco_type |= (ESCO_HV3);
628 if (lmp_esco_capable(hdev))
629 hdev->esco_type |= (ESCO_EV3);
631 if (hdev->features[0][4] & LMP_EV4)
632 hdev->esco_type |= (ESCO_EV4);
634 if (hdev->features[0][4] & LMP_EV5)
635 hdev->esco_type |= (ESCO_EV5);
637 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
638 hdev->esco_type |= (ESCO_2EV3);
640 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
641 hdev->esco_type |= (ESCO_3EV3);
643 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
644 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
647 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
650 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
652 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
657 if (hdev->max_page < rp->max_page)
658 hdev->max_page = rp->max_page;
660 if (rp->page < HCI_MAX_PAGES)
661 memcpy(hdev->features[rp->page], rp->features, 8);
664 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
667 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
669 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
674 hdev->flow_ctl_mode = rp->mode;
677 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
679 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
681 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
686 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
687 hdev->sco_mtu = rp->sco_mtu;
688 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
689 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
691 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
696 hdev->acl_cnt = hdev->acl_pkts;
697 hdev->sco_cnt = hdev->sco_pkts;
699 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
700 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
703 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
705 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
707 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
712 if (test_bit(HCI_INIT, &hdev->flags))
713 bacpy(&hdev->bdaddr, &rp->bdaddr);
715 if (hci_dev_test_flag(hdev, HCI_SETUP))
716 bacpy(&hdev->setup_addr, &rp->bdaddr);
719 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
722 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
724 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
729 if (test_bit(HCI_INIT, &hdev->flags)) {
730 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
731 hdev->page_scan_window = __le16_to_cpu(rp->window);
735 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
738 u8 status = *((u8 *) skb->data);
739 struct hci_cp_write_page_scan_activity *sent;
741 BT_DBG("%s status 0x%2.2x", hdev->name, status);
746 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
750 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
751 hdev->page_scan_window = __le16_to_cpu(sent->window);
754 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
757 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
759 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
764 if (test_bit(HCI_INIT, &hdev->flags))
765 hdev->page_scan_type = rp->type;
768 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
771 u8 status = *((u8 *) skb->data);
774 BT_DBG("%s status 0x%2.2x", hdev->name, status);
779 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
781 hdev->page_scan_type = *type;
784 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
787 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
789 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
794 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
795 hdev->block_len = __le16_to_cpu(rp->block_len);
796 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
798 hdev->block_cnt = hdev->num_blocks;
800 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
801 hdev->block_cnt, hdev->block_len);
804 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
806 struct hci_rp_read_clock *rp = (void *) skb->data;
807 struct hci_cp_read_clock *cp;
808 struct hci_conn *conn;
810 BT_DBG("%s", hdev->name);
812 if (skb->len < sizeof(*rp))
820 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
824 if (cp->which == 0x00) {
825 hdev->clock = le32_to_cpu(rp->clock);
829 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
831 conn->clock = le32_to_cpu(rp->clock);
832 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
836 hci_dev_unlock(hdev);
839 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
842 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
844 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
849 hdev->amp_status = rp->amp_status;
850 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
851 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
852 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
853 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
854 hdev->amp_type = rp->amp_type;
855 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
856 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
857 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
858 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
861 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
864 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
866 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
871 hdev->inq_tx_power = rp->tx_power;
874 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
876 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
877 struct hci_cp_pin_code_reply *cp;
878 struct hci_conn *conn;
880 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
884 if (hci_dev_test_flag(hdev, HCI_MGMT))
885 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
890 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
894 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
896 conn->pin_length = cp->pin_len;
899 hci_dev_unlock(hdev);
902 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
904 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
910 if (hci_dev_test_flag(hdev, HCI_MGMT))
911 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
914 hci_dev_unlock(hdev);
917 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
920 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
922 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
927 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
928 hdev->le_pkts = rp->le_max_pkt;
930 hdev->le_cnt = hdev->le_pkts;
932 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
935 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
938 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
940 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
945 memcpy(hdev->le_features, rp->features, 8);
948 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
951 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
953 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
958 hdev->adv_tx_power = rp->tx_power;
961 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
979 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
981 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
985 if (hci_dev_test_flag(hdev, HCI_MGMT))
986 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
987 ACL_LINK, 0, rp->status);
989 hci_dev_unlock(hdev);
992 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1016 if (hci_dev_test_flag(hdev, HCI_MGMT))
1017 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1018 ACL_LINK, 0, rp->status);
1020 hci_dev_unlock(hdev);
1023 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1024 struct sk_buff *skb)
1026 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1028 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1031 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1032 struct sk_buff *skb)
1034 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1036 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1039 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1041 __u8 status = *((__u8 *) skb->data);
1044 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1055 bacpy(&hdev->random_addr, sent);
1057 hci_dev_unlock(hdev);
1060 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1062 __u8 status = *((__u8 *) skb->data);
1063 struct hci_cp_le_set_default_phy *cp;
1065 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1070 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1076 hdev->le_tx_def_phys = cp->tx_phys;
1077 hdev->le_rx_def_phys = cp->rx_phys;
1079 hci_dev_unlock(hdev);
1082 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1083 struct sk_buff *skb)
1085 __u8 status = *((__u8 *) skb->data);
1086 struct hci_cp_le_set_adv_set_rand_addr *cp;
1087 struct adv_info *adv_instance;
1092 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1098 if (!hdev->cur_adv_instance) {
1099 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1100 bacpy(&hdev->random_addr, &cp->bdaddr);
1102 adv_instance = hci_find_adv_instance(hdev,
1103 hdev->cur_adv_instance);
1105 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1108 hci_dev_unlock(hdev);
1111 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1113 __u8 *sent, status = *((__u8 *) skb->data);
1115 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1120 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1126 /* If we're doing connection initiation as peripheral. Set a
1127 * timeout in case something goes wrong.
1130 struct hci_conn *conn;
1132 hci_dev_set_flag(hdev, HCI_LE_ADV);
1134 conn = hci_lookup_le_connect(hdev);
1136 queue_delayed_work(hdev->workqueue,
1137 &conn->le_conn_timeout,
1138 conn->conn_timeout);
1140 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1143 hci_dev_unlock(hdev);
1146 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1147 struct sk_buff *skb)
1149 struct hci_cp_le_set_ext_adv_enable *cp;
1150 __u8 status = *((__u8 *) skb->data);
1152 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1157 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1164 struct hci_conn *conn;
1166 hci_dev_set_flag(hdev, HCI_LE_ADV);
1168 conn = hci_lookup_le_connect(hdev);
1170 queue_delayed_work(hdev->workqueue,
1171 &conn->le_conn_timeout,
1172 conn->conn_timeout);
1174 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1177 hci_dev_unlock(hdev);
1180 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1182 struct hci_cp_le_set_scan_param *cp;
1183 __u8 status = *((__u8 *) skb->data);
1185 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1190 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1196 hdev->le_scan_type = cp->type;
1198 hci_dev_unlock(hdev);
1201 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1202 struct sk_buff *skb)
1204 struct hci_cp_le_set_ext_scan_params *cp;
1205 __u8 status = *((__u8 *) skb->data);
1206 struct hci_cp_le_scan_phy_params *phy_param;
1208 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1213 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1217 phy_param = (void *)cp->data;
1221 hdev->le_scan_type = phy_param->type;
1223 hci_dev_unlock(hdev);
1226 static bool has_pending_adv_report(struct hci_dev *hdev)
1228 struct discovery_state *d = &hdev->discovery;
1230 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1233 static void clear_pending_adv_report(struct hci_dev *hdev)
1235 struct discovery_state *d = &hdev->discovery;
1237 bacpy(&d->last_adv_addr, BDADDR_ANY);
1238 d->last_adv_data_len = 0;
1242 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1243 u8 bdaddr_type, s8 rssi, u32 flags,
1246 struct discovery_state *d = &hdev->discovery;
1248 bacpy(&d->last_adv_addr, bdaddr);
1249 d->last_adv_addr_type = bdaddr_type;
1250 d->last_adv_rssi = rssi;
1251 d->last_adv_flags = flags;
1252 memcpy(d->last_adv_data, data, len);
1253 d->last_adv_data_len = len;
1257 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1262 case LE_SCAN_ENABLE:
1263 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1264 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1265 clear_pending_adv_report(hdev);
1268 case LE_SCAN_DISABLE:
1269 /* We do this here instead of when setting DISCOVERY_STOPPED
1270 * since the latter would potentially require waiting for
1271 * inquiry to stop too.
1273 if (has_pending_adv_report(hdev)) {
1274 struct discovery_state *d = &hdev->discovery;
1276 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1277 d->last_adv_addr_type, NULL,
1278 d->last_adv_rssi, d->last_adv_flags,
1280 d->last_adv_data_len, NULL, 0);
1283 /* Cancel this timer so that we don't try to disable scanning
1284 * when it's already disabled.
1286 cancel_delayed_work(&hdev->le_scan_disable);
1288 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1290 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1291 * interrupted scanning due to a connect request. Mark
1292 * therefore discovery as stopped. If this was not
1293 * because of a connect request advertising might have
1294 * been disabled because of active scanning, so
1295 * re-enable it again if necessary.
1297 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1298 #ifndef TIZEN_BT /* The below line is kernel bug. */
1299 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1301 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1303 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1304 hdev->discovery.state == DISCOVERY_FINDING)
1305 hci_req_reenable_advertising(hdev);
1310 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1315 hci_dev_unlock(hdev);
1318 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1319 struct sk_buff *skb)
1321 struct hci_cp_le_set_scan_enable *cp;
1322 __u8 status = *((__u8 *) skb->data);
1324 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1329 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1333 le_set_scan_enable_complete(hdev, cp->enable);
1336 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1337 struct sk_buff *skb)
1339 struct hci_cp_le_set_ext_scan_enable *cp;
1340 __u8 status = *((__u8 *) skb->data);
1342 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1347 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1351 le_set_scan_enable_complete(hdev, cp->enable);
1354 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1355 struct sk_buff *skb)
1357 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1359 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1365 hdev->le_num_of_adv_sets = rp->num_of_sets;
1368 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1369 struct sk_buff *skb)
1371 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1373 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1378 hdev->le_white_list_size = rp->size;
1381 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1382 struct sk_buff *skb)
1384 __u8 status = *((__u8 *) skb->data);
1386 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1391 hci_bdaddr_list_clear(&hdev->le_white_list);
1394 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1395 struct sk_buff *skb)
1397 struct hci_cp_le_add_to_white_list *sent;
1398 __u8 status = *((__u8 *) skb->data);
1400 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1405 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1409 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1413 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1414 struct sk_buff *skb)
1416 struct hci_cp_le_del_from_white_list *sent;
1417 __u8 status = *((__u8 *) skb->data);
1419 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1424 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1428 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1432 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1433 struct sk_buff *skb)
1435 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1437 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1442 memcpy(hdev->le_states, rp->le_states, 8);
1445 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1446 struct sk_buff *skb)
1448 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1450 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1455 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1456 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1459 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1460 struct sk_buff *skb)
1462 struct hci_cp_le_write_def_data_len *sent;
1463 __u8 status = *((__u8 *) skb->data);
1465 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1470 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1474 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1475 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1478 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1479 struct sk_buff *skb)
1481 __u8 status = *((__u8 *) skb->data);
1483 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1488 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1491 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1492 struct sk_buff *skb)
1494 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1496 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1501 hdev->le_resolv_list_size = rp->size;
1504 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1505 struct sk_buff *skb)
1507 __u8 *sent, status = *((__u8 *) skb->data);
1509 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1514 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1521 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1523 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1525 hci_dev_unlock(hdev);
1528 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1529 struct sk_buff *skb)
1531 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1533 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1538 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1539 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1540 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1541 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1544 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1545 struct sk_buff *skb)
1547 struct hci_cp_write_le_host_supported *sent;
1548 __u8 status = *((__u8 *) skb->data);
1550 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1555 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1562 hdev->features[1][0] |= LMP_HOST_LE;
1563 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1565 hdev->features[1][0] &= ~LMP_HOST_LE;
1566 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1567 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1571 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1573 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1575 hci_dev_unlock(hdev);
1578 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1580 struct hci_cp_le_set_adv_param *cp;
1581 u8 status = *((u8 *) skb->data);
1583 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1588 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1593 hdev->adv_addr_type = cp->own_address_type;
1594 hci_dev_unlock(hdev);
1597 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1599 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1600 struct hci_cp_le_set_ext_adv_params *cp;
1601 struct adv_info *adv_instance;
1603 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1608 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1613 hdev->adv_addr_type = cp->own_addr_type;
1614 if (!hdev->cur_adv_instance) {
1615 /* Store in hdev for instance 0 */
1616 hdev->adv_tx_power = rp->tx_power;
1618 adv_instance = hci_find_adv_instance(hdev,
1619 hdev->cur_adv_instance);
1621 adv_instance->tx_power = rp->tx_power;
1623 /* Update adv data as tx power is known now */
1624 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1625 hci_dev_unlock(hdev);
1629 static void hci_cc_enable_rssi(struct hci_dev *hdev,
1630 struct sk_buff *skb)
1632 struct hci_cc_rsp_enable_rssi *rp = (void *)skb->data;
1634 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
1635 hdev->name, rp->status, rp->le_ext_opcode);
1637 mgmt_enable_rssi_cc(hdev, rp, rp->status);
1640 static void hci_cc_get_raw_rssi(struct hci_dev *hdev,
1641 struct sk_buff *skb)
1643 struct hci_cc_rp_get_raw_rssi *rp = (void *)skb->data;
1645 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
1646 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
1648 mgmt_raw_rssi_response(hdev, rp, rp->status);
1651 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
1652 struct sk_buff *skb)
1654 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
1656 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
1658 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
1662 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
1663 struct sk_buff *skb)
1665 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
1666 __u8 event_le_ext_sub_code;
1668 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
1669 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
1671 skb_pull(skb, sizeof(*ev));
1672 event_le_ext_sub_code = ev->event_le_ext_sub_code;
1674 switch (event_le_ext_sub_code) {
1675 case LE_RSSI_LINK_ALERT:
1676 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
1684 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
1685 struct sk_buff *skb)
1687 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
1689 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
1691 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
1692 ev->state_change_reason,
1693 ev->connection_handle);
1696 static void hci_vendor_specific_evt(struct hci_dev *hdev, struct sk_buff *skb)
1698 struct hci_ev_vendor_specific *ev = (void *)skb->data;
1699 __u8 event_sub_code;
1701 BT_DBG("hci_vendor_specific_evt");
1703 skb_pull(skb, sizeof(*ev));
1704 event_sub_code = ev->event_sub_code;
1706 switch (event_sub_code) {
1707 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
1708 hci_vendor_specific_group_ext_evt(hdev, skb);
1711 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
1712 hci_vendor_multi_adv_state_change_evt(hdev, skb);
1721 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1723 struct hci_rp_read_rssi *rp = (void *) skb->data;
1724 struct hci_conn *conn;
1726 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1733 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1735 conn->rssi = rp->rssi;
1737 hci_dev_unlock(hdev);
1740 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1742 struct hci_cp_read_tx_power *sent;
1743 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1744 struct hci_conn *conn;
1746 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1751 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1757 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1761 switch (sent->type) {
1763 conn->tx_power = rp->tx_power;
1766 conn->max_tx_power = rp->tx_power;
1771 hci_dev_unlock(hdev);
1774 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1776 u8 status = *((u8 *) skb->data);
1779 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1784 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1786 hdev->ssp_debug_mode = *mode;
1789 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1791 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1794 hci_conn_check_pending(hdev);
1798 set_bit(HCI_INQUIRY, &hdev->flags);
1801 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1803 struct hci_cp_create_conn *cp;
1804 struct hci_conn *conn;
1806 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1808 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1814 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1816 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1819 if (conn && conn->state == BT_CONNECT) {
1820 if (status != 0x0c || conn->attempt > 2) {
1821 conn->state = BT_CLOSED;
1822 hci_connect_cfm(conn, status);
1825 conn->state = BT_CONNECT2;
1829 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1832 bt_dev_err(hdev, "no memory for new connection");
1836 hci_dev_unlock(hdev);
1839 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1841 struct hci_cp_add_sco *cp;
1842 struct hci_conn *acl, *sco;
1845 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1850 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1854 handle = __le16_to_cpu(cp->handle);
1856 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1860 acl = hci_conn_hash_lookup_handle(hdev, handle);
1864 sco->state = BT_CLOSED;
1866 hci_connect_cfm(sco, status);
1871 hci_dev_unlock(hdev);
1874 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1876 struct hci_cp_auth_requested *cp;
1877 struct hci_conn *conn;
1879 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 if (conn->state == BT_CONFIG) {
1893 hci_connect_cfm(conn, status);
1894 hci_conn_drop(conn);
1898 hci_dev_unlock(hdev);
1901 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1903 struct hci_cp_set_conn_encrypt *cp;
1904 struct hci_conn *conn;
1906 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1911 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1917 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1919 if (conn->state == BT_CONFIG) {
1920 hci_connect_cfm(conn, status);
1921 hci_conn_drop(conn);
1925 hci_dev_unlock(hdev);
1928 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1929 struct hci_conn *conn)
1931 if (conn->state != BT_CONFIG || !conn->out)
1934 if (conn->pending_sec_level == BT_SECURITY_SDP)
1937 /* Only request authentication for SSP connections or non-SSP
1938 * devices with sec_level MEDIUM or HIGH or if MITM protection
1941 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1942 conn->pending_sec_level != BT_SECURITY_FIPS &&
1943 conn->pending_sec_level != BT_SECURITY_HIGH &&
1944 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1950 static int hci_resolve_name(struct hci_dev *hdev,
1951 struct inquiry_entry *e)
1953 struct hci_cp_remote_name_req cp;
1955 memset(&cp, 0, sizeof(cp));
1957 bacpy(&cp.bdaddr, &e->data.bdaddr);
1958 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1959 cp.pscan_mode = e->data.pscan_mode;
1960 cp.clock_offset = e->data.clock_offset;
1962 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1965 static bool hci_resolve_next_name(struct hci_dev *hdev)
1967 struct discovery_state *discov = &hdev->discovery;
1968 struct inquiry_entry *e;
1970 if (list_empty(&discov->resolve))
1973 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1977 if (hci_resolve_name(hdev, e) == 0) {
1978 e->name_state = NAME_PENDING;
1985 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1986 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1988 struct discovery_state *discov = &hdev->discovery;
1989 struct inquiry_entry *e;
1992 /* Update the mgmt connected state if necessary. Be careful with
1993 * conn objects that exist but are not (yet) connected however.
1994 * Only those in BT_CONFIG or BT_CONNECTED states can be
1995 * considered connected.
1998 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
1999 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2000 mgmt_device_connected(hdev, conn, 0, name, name_len);
2002 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2006 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2007 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2008 mgmt_device_connected(hdev, conn, 0, name, name_len);
2011 if (discov->state == DISCOVERY_STOPPED)
2014 if (discov->state == DISCOVERY_STOPPING)
2015 goto discov_complete;
2017 if (discov->state != DISCOVERY_RESOLVING)
2020 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2021 /* If the device was not found in a list of found devices names of which
2022 * are pending. there is no need to continue resolving a next name as it
2023 * will be done upon receiving another Remote Name Request Complete
2030 e->name_state = NAME_KNOWN;
2031 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2032 e->data.rssi, name, name_len);
2034 e->name_state = NAME_NOT_KNOWN;
2037 if (hci_resolve_next_name(hdev))
2041 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2044 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2046 struct hci_cp_remote_name_req *cp;
2047 struct hci_conn *conn;
2049 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2051 /* If successful wait for the name req complete event before
2052 * checking for the need to do authentication */
2056 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2062 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2064 if (hci_dev_test_flag(hdev, HCI_MGMT))
2065 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2070 if (!hci_outgoing_auth_needed(hdev, conn))
2073 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2074 struct hci_cp_auth_requested auth_cp;
2076 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2078 auth_cp.handle = __cpu_to_le16(conn->handle);
2079 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2080 sizeof(auth_cp), &auth_cp);
2084 hci_dev_unlock(hdev);
2087 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2089 struct hci_cp_read_remote_features *cp;
2090 struct hci_conn *conn;
2092 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2097 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2103 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2105 if (conn->state == BT_CONFIG) {
2106 hci_connect_cfm(conn, status);
2107 hci_conn_drop(conn);
2111 hci_dev_unlock(hdev);
2114 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2116 struct hci_cp_read_remote_ext_features *cp;
2117 struct hci_conn *conn;
2119 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2124 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2132 if (conn->state == BT_CONFIG) {
2133 hci_connect_cfm(conn, status);
2134 hci_conn_drop(conn);
2138 hci_dev_unlock(hdev);
2141 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2143 struct hci_cp_setup_sync_conn *cp;
2144 struct hci_conn *acl, *sco;
2147 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2152 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2156 handle = __le16_to_cpu(cp->handle);
2158 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2162 acl = hci_conn_hash_lookup_handle(hdev, handle);
2166 sco->state = BT_CLOSED;
2168 hci_connect_cfm(sco, status);
2173 hci_dev_unlock(hdev);
2176 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2178 struct hci_cp_sniff_mode *cp;
2179 struct hci_conn *conn;
2181 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2186 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2192 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2194 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2196 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2197 hci_sco_setup(conn, status);
2200 hci_dev_unlock(hdev);
2203 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2205 struct hci_cp_exit_sniff_mode *cp;
2206 struct hci_conn *conn;
2208 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2213 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2221 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2223 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2224 hci_sco_setup(conn, status);
2227 hci_dev_unlock(hdev);
2230 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2232 struct hci_cp_disconnect *cp;
2233 struct hci_conn *conn;
2238 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2244 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2246 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2247 conn->dst_type, status);
2249 hci_dev_unlock(hdev);
2252 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2253 u8 peer_addr_type, u8 own_address_type,
2256 struct hci_conn *conn;
2258 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2263 /* Store the initiator and responder address information which
2264 * is needed for SMP. These values will not change during the
2265 * lifetime of the connection.
2267 conn->init_addr_type = own_address_type;
2268 if (own_address_type == ADDR_LE_DEV_RANDOM)
2269 bacpy(&conn->init_addr, &hdev->random_addr);
2271 bacpy(&conn->init_addr, &hdev->bdaddr);
2273 conn->resp_addr_type = peer_addr_type;
2274 bacpy(&conn->resp_addr, peer_addr);
2276 /* We don't want the connection attempt to stick around
2277 * indefinitely since LE doesn't have a page timeout concept
2278 * like BR/EDR. Set a timer for any connection that doesn't use
2279 * the white list for connecting.
2281 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2282 queue_delayed_work(conn->hdev->workqueue,
2283 &conn->le_conn_timeout,
2284 conn->conn_timeout);
2287 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2289 struct hci_cp_le_create_conn *cp;
2291 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2293 /* All connection failure handling is taken care of by the
2294 * hci_le_conn_failed function which is triggered by the HCI
2295 * request completion callbacks used for connecting.
2300 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2306 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2307 cp->own_address_type, cp->filter_policy);
2309 hci_dev_unlock(hdev);
2312 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2314 struct hci_cp_le_ext_create_conn *cp;
2316 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2318 /* All connection failure handling is taken care of by the
2319 * hci_le_conn_failed function which is triggered by the HCI
2320 * request completion callbacks used for connecting.
2325 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2331 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2332 cp->own_addr_type, cp->filter_policy);
2334 hci_dev_unlock(hdev);
2337 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2339 struct hci_cp_le_read_remote_features *cp;
2340 struct hci_conn *conn;
2342 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2347 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2353 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2355 if (conn->state == BT_CONFIG) {
2356 hci_connect_cfm(conn, status);
2357 hci_conn_drop(conn);
2361 hci_dev_unlock(hdev);
2364 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2366 struct hci_cp_le_start_enc *cp;
2367 struct hci_conn *conn;
2369 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2376 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2380 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2384 if (conn->state != BT_CONNECTED)
2387 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2388 hci_conn_drop(conn);
2391 hci_dev_unlock(hdev);
2394 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2396 struct hci_cp_switch_role *cp;
2397 struct hci_conn *conn;
2399 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2404 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2410 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2412 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2414 hci_dev_unlock(hdev);
2417 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2419 __u8 status = *((__u8 *) skb->data);
2420 struct discovery_state *discov = &hdev->discovery;
2421 struct inquiry_entry *e;
2423 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2425 hci_conn_check_pending(hdev);
2427 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2430 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2431 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2433 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2438 if (discov->state != DISCOVERY_FINDING)
2441 if (list_empty(&discov->resolve)) {
2442 /* When BR/EDR inquiry is active and no LE scanning is in
2443 * progress, then change discovery state to indicate completion.
2445 * When running LE scanning and BR/EDR inquiry simultaneously
2446 * and the LE scan already finished, then change the discovery
2447 * state to indicate completion.
2449 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2450 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2451 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2455 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2456 if (e && hci_resolve_name(hdev, e) == 0) {
2457 e->name_state = NAME_PENDING;
2458 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2460 /* When BR/EDR inquiry is active and no LE scanning is in
2461 * progress, then change discovery state to indicate completion.
2463 * When running LE scanning and BR/EDR inquiry simultaneously
2464 * and the LE scan already finished, then change the discovery
2465 * state to indicate completion.
2467 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2468 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2469 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2473 hci_dev_unlock(hdev);
2476 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2478 struct inquiry_data data;
2479 struct inquiry_info *info = (void *) (skb->data + 1);
2480 int num_rsp = *((__u8 *) skb->data);
2482 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2487 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2492 for (; num_rsp; num_rsp--, info++) {
2495 bacpy(&data.bdaddr, &info->bdaddr);
2496 data.pscan_rep_mode = info->pscan_rep_mode;
2497 data.pscan_period_mode = info->pscan_period_mode;
2498 data.pscan_mode = info->pscan_mode;
2499 memcpy(data.dev_class, info->dev_class, 3);
2500 data.clock_offset = info->clock_offset;
2501 data.rssi = HCI_RSSI_INVALID;
2502 data.ssp_mode = 0x00;
2504 flags = hci_inquiry_cache_update(hdev, &data, false);
2506 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2507 info->dev_class, HCI_RSSI_INVALID,
2508 flags, NULL, 0, NULL, 0);
2511 hci_dev_unlock(hdev);
2514 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2516 struct hci_ev_conn_complete *ev = (void *) skb->data;
2517 struct hci_conn *conn;
2519 BT_DBG("%s", hdev->name);
2523 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2525 if (ev->link_type != SCO_LINK)
2528 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2532 conn->type = SCO_LINK;
2536 conn->handle = __le16_to_cpu(ev->handle);
2538 if (conn->type == ACL_LINK) {
2539 conn->state = BT_CONFIG;
2540 hci_conn_hold(conn);
2542 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2543 !hci_find_link_key(hdev, &ev->bdaddr))
2544 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2546 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2548 conn->state = BT_CONNECTED;
2550 hci_debugfs_create_conn(conn);
2551 hci_conn_add_sysfs(conn);
2553 if (test_bit(HCI_AUTH, &hdev->flags))
2554 set_bit(HCI_CONN_AUTH, &conn->flags);
2556 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2557 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2559 /* Get remote features */
2560 if (conn->type == ACL_LINK) {
2561 struct hci_cp_read_remote_features cp;
2562 cp.handle = ev->handle;
2563 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2566 hci_req_update_scan(hdev);
2569 /* Set packet type for incoming connection */
2570 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2571 struct hci_cp_change_conn_ptype cp;
2572 cp.handle = ev->handle;
2573 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2574 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2578 if (get_link_mode(conn) & HCI_LM_MASTER)
2579 hci_conn_change_supervision_timeout(conn,
2580 LINK_SUPERVISION_TIMEOUT);
2583 conn->state = BT_CLOSED;
2584 if (conn->type == ACL_LINK)
2585 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2586 conn->dst_type, ev->status);
2589 if (conn->type == ACL_LINK)
2590 hci_sco_setup(conn, ev->status);
2593 hci_connect_cfm(conn, ev->status);
2595 } else if (ev->link_type != ACL_LINK)
2596 hci_connect_cfm(conn, ev->status);
2599 hci_dev_unlock(hdev);
2601 hci_conn_check_pending(hdev);
2604 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2606 struct hci_cp_reject_conn_req cp;
2608 bacpy(&cp.bdaddr, bdaddr);
2609 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2610 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2613 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2615 struct hci_ev_conn_request *ev = (void *) skb->data;
2616 int mask = hdev->link_mode;
2617 struct inquiry_entry *ie;
2618 struct hci_conn *conn;
2621 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2624 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2627 if (!(mask & HCI_LM_ACCEPT)) {
2628 hci_reject_conn(hdev, &ev->bdaddr);
2632 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2634 hci_reject_conn(hdev, &ev->bdaddr);
2638 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2639 * connection. These features are only touched through mgmt so
2640 * only do the checks if HCI_MGMT is set.
2642 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2643 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2644 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2646 hci_reject_conn(hdev, &ev->bdaddr);
2650 /* Connection accepted */
2654 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2656 memcpy(ie->data.dev_class, ev->dev_class, 3);
2659 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
2660 hci_conn_hash_lookup_sco(hdev)) {
2661 struct hci_cp_reject_conn_req cp;
2663 bacpy(&cp.bdaddr, &ev->bdaddr);
2664 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
2665 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
2667 hci_dev_unlock(hdev);
2672 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2675 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2678 bt_dev_err(hdev, "no memory for new connection");
2679 hci_dev_unlock(hdev);
2684 memcpy(conn->dev_class, ev->dev_class, 3);
2686 hci_dev_unlock(hdev);
2688 if (ev->link_type == ACL_LINK ||
2689 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2690 struct hci_cp_accept_conn_req cp;
2691 conn->state = BT_CONNECT;
2693 bacpy(&cp.bdaddr, &ev->bdaddr);
2695 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2696 cp.role = 0x00; /* Become master */
2698 cp.role = 0x01; /* Remain slave */
2700 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2701 } else if (!(flags & HCI_PROTO_DEFER)) {
2702 struct hci_cp_accept_sync_conn_req cp;
2703 conn->state = BT_CONNECT;
2705 bacpy(&cp.bdaddr, &ev->bdaddr);
2706 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2708 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2709 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2710 cp.max_latency = cpu_to_le16(0xffff);
2711 cp.content_format = cpu_to_le16(hdev->voice_setting);
2712 cp.retrans_effort = 0xff;
2714 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2717 conn->state = BT_CONNECT2;
2718 hci_connect_cfm(conn, 0);
2722 static u8 hci_to_mgmt_reason(u8 err)
2725 case HCI_ERROR_CONNECTION_TIMEOUT:
2726 return MGMT_DEV_DISCONN_TIMEOUT;
2727 case HCI_ERROR_REMOTE_USER_TERM:
2728 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2729 case HCI_ERROR_REMOTE_POWER_OFF:
2730 return MGMT_DEV_DISCONN_REMOTE;
2731 case HCI_ERROR_LOCAL_HOST_TERM:
2732 return MGMT_DEV_DISCONN_LOCAL_HOST;
2734 return MGMT_DEV_DISCONN_UNKNOWN;
2738 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2740 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2742 struct hci_conn_params *params;
2743 struct hci_conn *conn;
2744 bool mgmt_connected;
2747 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2751 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2756 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2757 conn->dst_type, ev->status);
2761 conn->state = BT_CLOSED;
2763 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2765 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2766 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2768 reason = hci_to_mgmt_reason(ev->reason);
2770 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2771 reason, mgmt_connected);
2773 if (conn->type == ACL_LINK) {
2774 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2775 hci_remove_link_key(hdev, &conn->dst);
2777 hci_req_update_scan(hdev);
2780 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2782 switch (params->auto_connect) {
2783 case HCI_AUTO_CONN_LINK_LOSS:
2784 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2788 case HCI_AUTO_CONN_DIRECT:
2789 case HCI_AUTO_CONN_ALWAYS:
2790 list_del_init(¶ms->action);
2791 list_add(¶ms->action, &hdev->pend_le_conns);
2792 hci_update_background_scan(hdev);
2802 hci_disconn_cfm(conn, ev->reason);
2805 /* Re-enable advertising if necessary, since it might
2806 * have been disabled by the connection. From the
2807 * HCI_LE_Set_Advertise_Enable command description in
2808 * the core specification (v4.0):
2809 * "The Controller shall continue advertising until the Host
2810 * issues an LE_Set_Advertise_Enable command with
2811 * Advertising_Enable set to 0x00 (Advertising is disabled)
2812 * or until a connection is created or until the Advertising
2813 * is timed out due to Directed Advertising."
2815 if (type == LE_LINK)
2816 hci_req_reenable_advertising(hdev);
2819 if (type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
2823 iscan = test_bit(HCI_ISCAN, &hdev->flags);
2824 pscan = test_bit(HCI_PSCAN, &hdev->flags);
2825 if (!iscan && !pscan) {
2826 u8 scan_enable = SCAN_PAGE;
2828 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
2829 sizeof(scan_enable), &scan_enable);
2835 hci_dev_unlock(hdev);
2838 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2840 struct hci_ev_auth_complete *ev = (void *) skb->data;
2841 struct hci_conn *conn;
2843 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2847 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2852 /* PIN or Key Missing patch */
2853 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
2854 conn->remote_auth, conn->remote_cap,
2855 conn->auth_type, conn->io_capability);
2857 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
2858 struct hci_cp_auth_requested cp;
2860 BT_DBG("Pin or key missing");
2861 hci_remove_link_key(hdev, &conn->dst);
2862 cp.handle = cpu_to_le16(conn->handle);
2863 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
2870 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2872 if (!hci_conn_ssp_enabled(conn) &&
2873 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2874 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2876 set_bit(HCI_CONN_AUTH, &conn->flags);
2877 conn->sec_level = conn->pending_sec_level;
2880 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2881 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2883 mgmt_auth_failed(conn, ev->status);
2886 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2887 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2889 if (conn->state == BT_CONFIG) {
2890 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2891 struct hci_cp_set_conn_encrypt cp;
2892 cp.handle = ev->handle;
2894 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2897 conn->state = BT_CONNECTED;
2898 hci_connect_cfm(conn, ev->status);
2899 hci_conn_drop(conn);
2902 hci_auth_cfm(conn, ev->status);
2904 hci_conn_hold(conn);
2905 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2906 hci_conn_drop(conn);
2909 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2911 struct hci_cp_set_conn_encrypt cp;
2912 cp.handle = ev->handle;
2914 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2917 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2918 hci_encrypt_cfm(conn, ev->status, 0x00);
2923 hci_dev_unlock(hdev);
2926 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2928 struct hci_ev_remote_name *ev = (void *) skb->data;
2929 struct hci_conn *conn;
2931 BT_DBG("%s", hdev->name);
2933 hci_conn_check_pending(hdev);
2937 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2939 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2942 if (ev->status == 0)
2943 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2944 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2946 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2952 if (!hci_outgoing_auth_needed(hdev, conn))
2955 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2956 struct hci_cp_auth_requested cp;
2958 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2960 cp.handle = __cpu_to_le16(conn->handle);
2961 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2965 hci_dev_unlock(hdev);
2968 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2969 u16 opcode, struct sk_buff *skb)
2971 const struct hci_rp_read_enc_key_size *rp;
2972 struct hci_conn *conn;
2975 BT_DBG("%s status 0x%02x", hdev->name, status);
2977 if (!skb || skb->len < sizeof(*rp)) {
2978 bt_dev_err(hdev, "invalid read key size response");
2982 rp = (void *)skb->data;
2983 handle = le16_to_cpu(rp->handle);
2987 conn = hci_conn_hash_lookup_handle(hdev, handle);
2991 /* If we fail to read the encryption key size, assume maximum
2992 * (which is the same we do also when this HCI command isn't
2996 bt_dev_err(hdev, "failed to read key size for handle %u",
2998 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3000 conn->enc_key_size = rp->key_size;
3003 if (conn->state == BT_CONFIG) {
3004 conn->state = BT_CONNECTED;
3005 hci_connect_cfm(conn, 0);
3006 hci_conn_drop(conn);
3010 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
3012 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
3017 hci_encrypt_cfm(conn, 0, encrypt);
3021 hci_dev_unlock(hdev);
3024 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3026 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3027 struct hci_conn *conn;
3029 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3033 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3039 /* Encryption implies authentication */
3040 set_bit(HCI_CONN_AUTH, &conn->flags);
3041 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3042 conn->sec_level = conn->pending_sec_level;
3044 /* P-256 authentication key implies FIPS */
3045 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3046 set_bit(HCI_CONN_FIPS, &conn->flags);
3048 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3049 conn->type == LE_LINK)
3050 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3052 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3053 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3057 /* We should disregard the current RPA and generate a new one
3058 * whenever the encryption procedure fails.
3060 if (ev->status && conn->type == LE_LINK) {
3061 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3062 hci_adv_instances_set_rpa_expired(hdev, true);
3065 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3067 if (ev->status && conn->state == BT_CONNECTED) {
3068 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3069 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3071 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3072 hci_conn_drop(conn);
3076 /* In Secure Connections Only mode, do not allow any connections
3077 * that are not encrypted with AES-CCM using a P-256 authenticated
3080 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
3081 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
3082 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
3083 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
3084 hci_conn_drop(conn);
3088 /* Try reading the encryption key size for encrypted ACL links */
3089 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3090 struct hci_cp_read_enc_key_size cp;
3091 struct hci_request req;
3093 /* Only send HCI_Read_Encryption_Key_Size if the
3094 * controller really supports it. If it doesn't, assume
3095 * the default size (16).
3097 if (!(hdev->commands[20] & 0x10)) {
3098 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3102 hci_req_init(&req, hdev);
3104 cp.handle = cpu_to_le16(conn->handle);
3105 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3107 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3108 bt_dev_err(hdev, "sending read key size failed");
3109 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3117 if (conn->state == BT_CONFIG) {
3119 conn->state = BT_CONNECTED;
3121 hci_connect_cfm(conn, ev->status);
3122 hci_conn_drop(conn);
3124 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
3127 hci_dev_unlock(hdev);
3130 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3131 struct sk_buff *skb)
3133 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3134 struct hci_conn *conn;
3136 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3140 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3143 set_bit(HCI_CONN_SECURE, &conn->flags);
3145 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3147 hci_key_change_cfm(conn, ev->status);
3150 hci_dev_unlock(hdev);
3153 static void hci_remote_features_evt(struct hci_dev *hdev,
3154 struct sk_buff *skb)
3156 struct hci_ev_remote_features *ev = (void *) skb->data;
3157 struct hci_conn *conn;
3159 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3163 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3168 memcpy(conn->features[0], ev->features, 8);
3170 if (conn->state != BT_CONFIG)
3173 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3174 lmp_ext_feat_capable(conn)) {
3175 struct hci_cp_read_remote_ext_features cp;
3176 cp.handle = ev->handle;
3178 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3183 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3184 struct hci_cp_remote_name_req cp;
3185 memset(&cp, 0, sizeof(cp));
3186 bacpy(&cp.bdaddr, &conn->dst);
3187 cp.pscan_rep_mode = 0x02;
3188 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3189 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3190 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3192 if (!hci_outgoing_auth_needed(hdev, conn)) {
3193 conn->state = BT_CONNECTED;
3194 hci_connect_cfm(conn, ev->status);
3195 hci_conn_drop(conn);
3199 hci_dev_unlock(hdev);
3202 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3203 u16 *opcode, u8 *status,
3204 hci_req_complete_t *req_complete,
3205 hci_req_complete_skb_t *req_complete_skb)
3207 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3209 *opcode = __le16_to_cpu(ev->opcode);
3210 *status = skb->data[sizeof(*ev)];
3212 skb_pull(skb, sizeof(*ev));
3215 case HCI_OP_INQUIRY_CANCEL:
3216 hci_cc_inquiry_cancel(hdev, skb);
3219 case HCI_OP_PERIODIC_INQ:
3220 hci_cc_periodic_inq(hdev, skb);
3223 case HCI_OP_EXIT_PERIODIC_INQ:
3224 hci_cc_exit_periodic_inq(hdev, skb);
3227 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3228 hci_cc_remote_name_req_cancel(hdev, skb);
3231 case HCI_OP_ROLE_DISCOVERY:
3232 hci_cc_role_discovery(hdev, skb);
3235 case HCI_OP_READ_LINK_POLICY:
3236 hci_cc_read_link_policy(hdev, skb);
3239 case HCI_OP_WRITE_LINK_POLICY:
3240 hci_cc_write_link_policy(hdev, skb);
3243 case HCI_OP_READ_DEF_LINK_POLICY:
3244 hci_cc_read_def_link_policy(hdev, skb);
3247 case HCI_OP_WRITE_DEF_LINK_POLICY:
3248 hci_cc_write_def_link_policy(hdev, skb);
3252 hci_cc_reset(hdev, skb);
3255 case HCI_OP_READ_STORED_LINK_KEY:
3256 hci_cc_read_stored_link_key(hdev, skb);
3259 case HCI_OP_DELETE_STORED_LINK_KEY:
3260 hci_cc_delete_stored_link_key(hdev, skb);
3263 case HCI_OP_WRITE_LOCAL_NAME:
3264 hci_cc_write_local_name(hdev, skb);
3267 case HCI_OP_READ_LOCAL_NAME:
3268 hci_cc_read_local_name(hdev, skb);
3271 case HCI_OP_WRITE_AUTH_ENABLE:
3272 hci_cc_write_auth_enable(hdev, skb);
3275 case HCI_OP_WRITE_ENCRYPT_MODE:
3276 hci_cc_write_encrypt_mode(hdev, skb);
3279 case HCI_OP_WRITE_SCAN_ENABLE:
3280 hci_cc_write_scan_enable(hdev, skb);
3283 case HCI_OP_READ_CLASS_OF_DEV:
3284 hci_cc_read_class_of_dev(hdev, skb);
3287 case HCI_OP_WRITE_CLASS_OF_DEV:
3288 hci_cc_write_class_of_dev(hdev, skb);
3291 case HCI_OP_READ_VOICE_SETTING:
3292 hci_cc_read_voice_setting(hdev, skb);
3295 case HCI_OP_WRITE_VOICE_SETTING:
3296 hci_cc_write_voice_setting(hdev, skb);
3299 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3300 hci_cc_read_num_supported_iac(hdev, skb);
3303 case HCI_OP_WRITE_SSP_MODE:
3304 hci_cc_write_ssp_mode(hdev, skb);
3307 case HCI_OP_WRITE_SC_SUPPORT:
3308 hci_cc_write_sc_support(hdev, skb);
3311 case HCI_OP_READ_LOCAL_VERSION:
3312 hci_cc_read_local_version(hdev, skb);
3315 case HCI_OP_READ_LOCAL_COMMANDS:
3316 hci_cc_read_local_commands(hdev, skb);
3319 case HCI_OP_READ_LOCAL_FEATURES:
3320 hci_cc_read_local_features(hdev, skb);
3323 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3324 hci_cc_read_local_ext_features(hdev, skb);
3327 case HCI_OP_READ_BUFFER_SIZE:
3328 hci_cc_read_buffer_size(hdev, skb);
3331 case HCI_OP_READ_BD_ADDR:
3332 hci_cc_read_bd_addr(hdev, skb);
3335 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3336 hci_cc_read_page_scan_activity(hdev, skb);
3339 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3340 hci_cc_write_page_scan_activity(hdev, skb);
3343 case HCI_OP_READ_PAGE_SCAN_TYPE:
3344 hci_cc_read_page_scan_type(hdev, skb);
3347 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3348 hci_cc_write_page_scan_type(hdev, skb);
3351 case HCI_OP_READ_DATA_BLOCK_SIZE:
3352 hci_cc_read_data_block_size(hdev, skb);
3355 case HCI_OP_READ_FLOW_CONTROL_MODE:
3356 hci_cc_read_flow_control_mode(hdev, skb);
3359 case HCI_OP_READ_LOCAL_AMP_INFO:
3360 hci_cc_read_local_amp_info(hdev, skb);
3363 case HCI_OP_READ_CLOCK:
3364 hci_cc_read_clock(hdev, skb);
3367 case HCI_OP_READ_INQ_RSP_TX_POWER:
3368 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3371 case HCI_OP_PIN_CODE_REPLY:
3372 hci_cc_pin_code_reply(hdev, skb);
3375 case HCI_OP_PIN_CODE_NEG_REPLY:
3376 hci_cc_pin_code_neg_reply(hdev, skb);
3379 case HCI_OP_READ_LOCAL_OOB_DATA:
3380 hci_cc_read_local_oob_data(hdev, skb);
3383 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3384 hci_cc_read_local_oob_ext_data(hdev, skb);
3387 case HCI_OP_LE_READ_BUFFER_SIZE:
3388 hci_cc_le_read_buffer_size(hdev, skb);
3391 case HCI_OP_LE_READ_LOCAL_FEATURES:
3392 hci_cc_le_read_local_features(hdev, skb);
3395 case HCI_OP_LE_READ_ADV_TX_POWER:
3396 hci_cc_le_read_adv_tx_power(hdev, skb);
3399 case HCI_OP_USER_CONFIRM_REPLY:
3400 hci_cc_user_confirm_reply(hdev, skb);
3403 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3404 hci_cc_user_confirm_neg_reply(hdev, skb);
3407 case HCI_OP_USER_PASSKEY_REPLY:
3408 hci_cc_user_passkey_reply(hdev, skb);
3411 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3412 hci_cc_user_passkey_neg_reply(hdev, skb);
3415 case HCI_OP_LE_SET_RANDOM_ADDR:
3416 hci_cc_le_set_random_addr(hdev, skb);
3419 case HCI_OP_LE_SET_ADV_ENABLE:
3420 hci_cc_le_set_adv_enable(hdev, skb);
3423 case HCI_OP_LE_SET_SCAN_PARAM:
3424 hci_cc_le_set_scan_param(hdev, skb);
3427 case HCI_OP_LE_SET_SCAN_ENABLE:
3428 hci_cc_le_set_scan_enable(hdev, skb);
3431 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3432 hci_cc_le_read_white_list_size(hdev, skb);
3435 case HCI_OP_LE_CLEAR_WHITE_LIST:
3436 hci_cc_le_clear_white_list(hdev, skb);
3439 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3440 hci_cc_le_add_to_white_list(hdev, skb);
3443 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3444 hci_cc_le_del_from_white_list(hdev, skb);
3447 case HCI_OP_LE_READ_SUPPORTED_STATES:
3448 hci_cc_le_read_supported_states(hdev, skb);
3451 case HCI_OP_LE_READ_DEF_DATA_LEN:
3452 hci_cc_le_read_def_data_len(hdev, skb);
3455 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3456 hci_cc_le_write_def_data_len(hdev, skb);
3459 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3460 hci_cc_le_clear_resolv_list(hdev, skb);
3463 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3464 hci_cc_le_read_resolv_list_size(hdev, skb);
3467 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3468 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3471 case HCI_OP_LE_READ_MAX_DATA_LEN:
3472 hci_cc_le_read_max_data_len(hdev, skb);
3475 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3476 hci_cc_write_le_host_supported(hdev, skb);
3479 case HCI_OP_LE_SET_ADV_PARAM:
3480 hci_cc_set_adv_param(hdev, skb);
3483 case HCI_OP_READ_RSSI:
3484 hci_cc_read_rssi(hdev, skb);
3487 case HCI_OP_READ_TX_POWER:
3488 hci_cc_read_tx_power(hdev, skb);
3491 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3492 hci_cc_write_ssp_debug_mode(hdev, skb);
3495 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3496 hci_cc_le_set_ext_scan_param(hdev, skb);
3499 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3500 hci_cc_le_set_ext_scan_enable(hdev, skb);
3503 case HCI_OP_LE_SET_DEFAULT_PHY:
3504 hci_cc_le_set_default_phy(hdev, skb);
3507 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3508 hci_cc_le_read_num_adv_sets(hdev, skb);
3511 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3512 hci_cc_set_ext_adv_param(hdev, skb);
3515 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3516 hci_cc_le_set_ext_adv_enable(hdev, skb);
3519 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3520 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3523 case HCI_OP_ENABLE_RSSI:
3524 hci_cc_enable_rssi(hdev, skb);
3527 case HCI_OP_GET_RAW_RSSI:
3528 hci_cc_get_raw_rssi(hdev, skb);
3532 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3536 if (*opcode != HCI_OP_NOP)
3537 cancel_delayed_work(&hdev->cmd_timer);
3539 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3540 atomic_set(&hdev->cmd_cnt, 1);
3542 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3545 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3547 "unexpected event for opcode 0x%4.4x", *opcode);
3551 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3552 queue_work(hdev->workqueue, &hdev->cmd_work);
3555 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3556 u16 *opcode, u8 *status,
3557 hci_req_complete_t *req_complete,
3558 hci_req_complete_skb_t *req_complete_skb)
3560 struct hci_ev_cmd_status *ev = (void *) skb->data;
3562 skb_pull(skb, sizeof(*ev));
3564 *opcode = __le16_to_cpu(ev->opcode);
3565 *status = ev->status;
3568 case HCI_OP_INQUIRY:
3569 hci_cs_inquiry(hdev, ev->status);
3572 case HCI_OP_CREATE_CONN:
3573 hci_cs_create_conn(hdev, ev->status);
3576 case HCI_OP_DISCONNECT:
3577 hci_cs_disconnect(hdev, ev->status);
3580 case HCI_OP_ADD_SCO:
3581 hci_cs_add_sco(hdev, ev->status);
3584 case HCI_OP_AUTH_REQUESTED:
3585 hci_cs_auth_requested(hdev, ev->status);
3588 case HCI_OP_SET_CONN_ENCRYPT:
3589 hci_cs_set_conn_encrypt(hdev, ev->status);
3592 case HCI_OP_REMOTE_NAME_REQ:
3593 hci_cs_remote_name_req(hdev, ev->status);
3596 case HCI_OP_READ_REMOTE_FEATURES:
3597 hci_cs_read_remote_features(hdev, ev->status);
3600 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3601 hci_cs_read_remote_ext_features(hdev, ev->status);
3604 case HCI_OP_SETUP_SYNC_CONN:
3605 hci_cs_setup_sync_conn(hdev, ev->status);
3608 case HCI_OP_SNIFF_MODE:
3609 hci_cs_sniff_mode(hdev, ev->status);
3612 case HCI_OP_EXIT_SNIFF_MODE:
3613 hci_cs_exit_sniff_mode(hdev, ev->status);
3616 case HCI_OP_SWITCH_ROLE:
3617 hci_cs_switch_role(hdev, ev->status);
3620 case HCI_OP_LE_CREATE_CONN:
3621 hci_cs_le_create_conn(hdev, ev->status);
3624 case HCI_OP_LE_READ_REMOTE_FEATURES:
3625 hci_cs_le_read_remote_features(hdev, ev->status);
3628 case HCI_OP_LE_START_ENC:
3629 hci_cs_le_start_enc(hdev, ev->status);
3632 case HCI_OP_LE_EXT_CREATE_CONN:
3633 hci_cs_le_ext_create_conn(hdev, ev->status);
3637 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3641 if (*opcode != HCI_OP_NOP)
3642 cancel_delayed_work(&hdev->cmd_timer);
3644 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3645 atomic_set(&hdev->cmd_cnt, 1);
3647 /* Indicate request completion if the command failed. Also, if
3648 * we're not waiting for a special event and we get a success
3649 * command status we should try to flag the request as completed
3650 * (since for this kind of commands there will not be a command
3654 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3655 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3658 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3660 "unexpected event for opcode 0x%4.4x", *opcode);
3664 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3665 queue_work(hdev->workqueue, &hdev->cmd_work);
3668 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3670 struct hci_ev_hardware_error *ev = (void *) skb->data;
3674 mgmt_hardware_error(hdev, ev->code);
3675 hci_dev_unlock(hdev);
3677 hdev->hw_error_code = ev->code;
3679 queue_work(hdev->req_workqueue, &hdev->error_reset);
3682 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3684 struct hci_ev_role_change *ev = (void *) skb->data;
3685 struct hci_conn *conn;
3687 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3691 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3694 conn->role = ev->role;
3696 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3698 hci_role_switch_cfm(conn, ev->status, ev->role);
3700 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
3701 hci_conn_change_supervision_timeout(conn,
3702 LINK_SUPERVISION_TIMEOUT);
3706 hci_dev_unlock(hdev);
3709 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3711 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3714 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3715 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3719 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3720 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3721 BT_DBG("%s bad parameters", hdev->name);
3725 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3727 for (i = 0; i < ev->num_hndl; i++) {
3728 struct hci_comp_pkts_info *info = &ev->handles[i];
3729 struct hci_conn *conn;
3730 __u16 handle, count;
3732 handle = __le16_to_cpu(info->handle);
3733 count = __le16_to_cpu(info->count);
3735 conn = hci_conn_hash_lookup_handle(hdev, handle);
3739 conn->sent -= count;
3741 switch (conn->type) {
3743 hdev->acl_cnt += count;
3744 if (hdev->acl_cnt > hdev->acl_pkts)
3745 hdev->acl_cnt = hdev->acl_pkts;
3749 if (hdev->le_pkts) {
3750 hdev->le_cnt += count;
3751 if (hdev->le_cnt > hdev->le_pkts)
3752 hdev->le_cnt = hdev->le_pkts;
3754 hdev->acl_cnt += count;
3755 if (hdev->acl_cnt > hdev->acl_pkts)
3756 hdev->acl_cnt = hdev->acl_pkts;
3761 hdev->sco_cnt += count;
3762 if (hdev->sco_cnt > hdev->sco_pkts)
3763 hdev->sco_cnt = hdev->sco_pkts;
3767 bt_dev_err(hdev, "unknown type %d conn %p",
3773 queue_work(hdev->workqueue, &hdev->tx_work);
3776 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3779 struct hci_chan *chan;
3781 switch (hdev->dev_type) {
3783 return hci_conn_hash_lookup_handle(hdev, handle);
3785 chan = hci_chan_lookup_handle(hdev, handle);
3790 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3797 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3799 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3802 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3803 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3807 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3808 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3809 BT_DBG("%s bad parameters", hdev->name);
3813 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3816 for (i = 0; i < ev->num_hndl; i++) {
3817 struct hci_comp_blocks_info *info = &ev->handles[i];
3818 struct hci_conn *conn = NULL;
3819 __u16 handle, block_count;
3821 handle = __le16_to_cpu(info->handle);
3822 block_count = __le16_to_cpu(info->blocks);
3824 conn = __hci_conn_lookup_handle(hdev, handle);
3828 conn->sent -= block_count;
3830 switch (conn->type) {
3833 hdev->block_cnt += block_count;
3834 if (hdev->block_cnt > hdev->num_blocks)
3835 hdev->block_cnt = hdev->num_blocks;
3839 bt_dev_err(hdev, "unknown type %d conn %p",
3845 queue_work(hdev->workqueue, &hdev->tx_work);
3848 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3850 struct hci_ev_mode_change *ev = (void *) skb->data;
3851 struct hci_conn *conn;
3853 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3857 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3859 conn->mode = ev->mode;
3861 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3863 if (conn->mode == HCI_CM_ACTIVE)
3864 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3866 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3870 hci_sco_setup(conn, ev->status);
3873 hci_dev_unlock(hdev);
3876 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3878 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3879 struct hci_conn *conn;
3881 BT_DBG("%s", hdev->name);
3885 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3889 if (conn->state == BT_CONNECTED) {
3890 hci_conn_hold(conn);
3891 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3892 hci_conn_drop(conn);
3895 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3896 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3897 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3898 sizeof(ev->bdaddr), &ev->bdaddr);
3899 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3902 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3907 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3911 hci_dev_unlock(hdev);
3914 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3916 if (key_type == HCI_LK_CHANGED_COMBINATION)
3919 conn->pin_length = pin_len;
3920 conn->key_type = key_type;
3923 case HCI_LK_LOCAL_UNIT:
3924 case HCI_LK_REMOTE_UNIT:
3925 case HCI_LK_DEBUG_COMBINATION:
3927 case HCI_LK_COMBINATION:
3929 conn->pending_sec_level = BT_SECURITY_HIGH;
3931 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3933 case HCI_LK_UNAUTH_COMBINATION_P192:
3934 case HCI_LK_UNAUTH_COMBINATION_P256:
3935 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3937 case HCI_LK_AUTH_COMBINATION_P192:
3938 conn->pending_sec_level = BT_SECURITY_HIGH;
3940 case HCI_LK_AUTH_COMBINATION_P256:
3941 conn->pending_sec_level = BT_SECURITY_FIPS;
3946 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3948 struct hci_ev_link_key_req *ev = (void *) skb->data;
3949 struct hci_cp_link_key_reply cp;
3950 struct hci_conn *conn;
3951 struct link_key *key;
3953 BT_DBG("%s", hdev->name);
3955 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3960 key = hci_find_link_key(hdev, &ev->bdaddr);
3962 BT_DBG("%s link key not found for %pMR", hdev->name,
3967 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3970 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3972 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3974 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3975 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3976 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3977 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3981 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3982 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3983 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3984 BT_DBG("%s ignoring key unauthenticated for high security",
3989 conn_set_key(conn, key->type, key->pin_len);
3992 bacpy(&cp.bdaddr, &ev->bdaddr);
3993 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3995 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3997 hci_dev_unlock(hdev);
4002 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4003 hci_dev_unlock(hdev);
4006 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4008 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4009 struct hci_conn *conn;
4010 struct link_key *key;
4014 BT_DBG("%s", hdev->name);
4018 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4022 hci_conn_hold(conn);
4023 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4024 hci_conn_drop(conn);
4026 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4027 conn_set_key(conn, ev->key_type, conn->pin_length);
4029 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4032 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4033 ev->key_type, pin_len, &persistent);
4037 /* Update connection information since adding the key will have
4038 * fixed up the type in the case of changed combination keys.
4040 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4041 conn_set_key(conn, key->type, key->pin_len);
4043 mgmt_new_link_key(hdev, key, persistent);
4045 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4046 * is set. If it's not set simply remove the key from the kernel
4047 * list (we've still notified user space about it but with
4048 * store_hint being 0).
4050 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4051 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4052 list_del_rcu(&key->list);
4053 kfree_rcu(key, rcu);
4058 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4060 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4063 hci_dev_unlock(hdev);
4066 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4068 struct hci_ev_clock_offset *ev = (void *) skb->data;
4069 struct hci_conn *conn;
4071 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4075 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4076 if (conn && !ev->status) {
4077 struct inquiry_entry *ie;
4079 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4081 ie->data.clock_offset = ev->clock_offset;
4082 ie->timestamp = jiffies;
4086 hci_dev_unlock(hdev);
4089 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4091 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4092 struct hci_conn *conn;
4094 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4098 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4099 if (conn && !ev->status)
4100 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4102 hci_dev_unlock(hdev);
4105 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4107 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4108 struct inquiry_entry *ie;
4110 BT_DBG("%s", hdev->name);
4114 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4116 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4117 ie->timestamp = jiffies;
4120 hci_dev_unlock(hdev);
4123 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4124 struct sk_buff *skb)
4126 struct inquiry_data data;
4127 int num_rsp = *((__u8 *) skb->data);
4129 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4134 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4139 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4140 struct inquiry_info_with_rssi_and_pscan_mode *info;
4141 info = (void *) (skb->data + 1);
4143 for (; num_rsp; num_rsp--, info++) {
4146 bacpy(&data.bdaddr, &info->bdaddr);
4147 data.pscan_rep_mode = info->pscan_rep_mode;
4148 data.pscan_period_mode = info->pscan_period_mode;
4149 data.pscan_mode = info->pscan_mode;
4150 memcpy(data.dev_class, info->dev_class, 3);
4151 data.clock_offset = info->clock_offset;
4152 data.rssi = info->rssi;
4153 data.ssp_mode = 0x00;
4155 flags = hci_inquiry_cache_update(hdev, &data, false);
4157 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4158 info->dev_class, info->rssi,
4159 flags, NULL, 0, NULL, 0);
4162 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4164 for (; num_rsp; num_rsp--, info++) {
4167 bacpy(&data.bdaddr, &info->bdaddr);
4168 data.pscan_rep_mode = info->pscan_rep_mode;
4169 data.pscan_period_mode = info->pscan_period_mode;
4170 data.pscan_mode = 0x00;
4171 memcpy(data.dev_class, info->dev_class, 3);
4172 data.clock_offset = info->clock_offset;
4173 data.rssi = info->rssi;
4174 data.ssp_mode = 0x00;
4176 flags = hci_inquiry_cache_update(hdev, &data, false);
4178 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4179 info->dev_class, info->rssi,
4180 flags, NULL, 0, NULL, 0);
4184 hci_dev_unlock(hdev);
4187 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4188 struct sk_buff *skb)
4190 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4191 struct hci_conn *conn;
4193 BT_DBG("%s", hdev->name);
4197 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4201 if (ev->page < HCI_MAX_PAGES)
4202 memcpy(conn->features[ev->page], ev->features, 8);
4204 if (!ev->status && ev->page == 0x01) {
4205 struct inquiry_entry *ie;
4207 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4209 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4211 if (ev->features[0] & LMP_HOST_SSP) {
4212 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4214 /* It is mandatory by the Bluetooth specification that
4215 * Extended Inquiry Results are only used when Secure
4216 * Simple Pairing is enabled, but some devices violate
4219 * To make these devices work, the internal SSP
4220 * enabled flag needs to be cleared if the remote host
4221 * features do not indicate SSP support */
4222 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4225 if (ev->features[0] & LMP_HOST_SC)
4226 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4229 if (conn->state != BT_CONFIG)
4232 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4233 struct hci_cp_remote_name_req cp;
4234 memset(&cp, 0, sizeof(cp));
4235 bacpy(&cp.bdaddr, &conn->dst);
4236 cp.pscan_rep_mode = 0x02;
4237 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4238 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4239 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4241 if (!hci_outgoing_auth_needed(hdev, conn)) {
4242 conn->state = BT_CONNECTED;
4243 hci_connect_cfm(conn, ev->status);
4244 hci_conn_drop(conn);
4248 hci_dev_unlock(hdev);
4251 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4252 struct sk_buff *skb)
4254 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4255 struct hci_conn *conn;
4257 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4261 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4263 if (ev->link_type == ESCO_LINK)
4266 /* When the link type in the event indicates SCO connection
4267 * and lookup of the connection object fails, then check
4268 * if an eSCO connection object exists.
4270 * The core limits the synchronous connections to either
4271 * SCO or eSCO. The eSCO connection is preferred and tried
4272 * to be setup first and until successfully established,
4273 * the link type will be hinted as eSCO.
4275 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4280 switch (ev->status) {
4282 conn->handle = __le16_to_cpu(ev->handle);
4283 conn->state = BT_CONNECTED;
4284 conn->type = ev->link_type;
4286 hci_debugfs_create_conn(conn);
4287 hci_conn_add_sysfs(conn);
4290 case 0x10: /* Connection Accept Timeout */
4291 case 0x0d: /* Connection Rejected due to Limited Resources */
4292 case 0x11: /* Unsupported Feature or Parameter Value */
4293 case 0x1c: /* SCO interval rejected */
4294 case 0x1a: /* Unsupported Remote Feature */
4295 case 0x1f: /* Unspecified error */
4296 case 0x20: /* Unsupported LMP Parameter value */
4298 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4299 (hdev->esco_type & EDR_ESCO_MASK);
4300 if (hci_setup_sync(conn, conn->link->handle))
4306 conn->state = BT_CLOSED;
4310 hci_connect_cfm(conn, ev->status);
4315 hci_dev_unlock(hdev);
4318 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4322 while (parsed < eir_len) {
4323 u8 field_len = eir[0];
4328 parsed += field_len + 1;
4329 eir += field_len + 1;
4335 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4336 struct sk_buff *skb)
4338 struct inquiry_data data;
4339 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4340 int num_rsp = *((__u8 *) skb->data);
4343 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4348 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4353 for (; num_rsp; num_rsp--, info++) {
4357 bacpy(&data.bdaddr, &info->bdaddr);
4358 data.pscan_rep_mode = info->pscan_rep_mode;
4359 data.pscan_period_mode = info->pscan_period_mode;
4360 data.pscan_mode = 0x00;
4361 memcpy(data.dev_class, info->dev_class, 3);
4362 data.clock_offset = info->clock_offset;
4363 data.rssi = info->rssi;
4364 data.ssp_mode = 0x01;
4366 if (hci_dev_test_flag(hdev, HCI_MGMT))
4367 name_known = eir_get_data(info->data,
4369 EIR_NAME_COMPLETE, NULL);
4373 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4375 eir_len = eir_get_length(info->data, sizeof(info->data));
4377 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4378 info->dev_class, info->rssi,
4379 flags, info->data, eir_len, NULL, 0);
4382 hci_dev_unlock(hdev);
4385 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4386 struct sk_buff *skb)
4388 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4389 struct hci_conn *conn;
4391 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4392 __le16_to_cpu(ev->handle));
4396 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4400 /* For BR/EDR the necessary steps are taken through the
4401 * auth_complete event.
4403 if (conn->type != LE_LINK)
4407 conn->sec_level = conn->pending_sec_level;
4409 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4411 if (ev->status && conn->state == BT_CONNECTED) {
4412 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4413 hci_conn_drop(conn);
4417 if (conn->state == BT_CONFIG) {
4419 conn->state = BT_CONNECTED;
4421 hci_connect_cfm(conn, ev->status);
4422 hci_conn_drop(conn);
4424 hci_auth_cfm(conn, ev->status);
4426 hci_conn_hold(conn);
4427 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4428 hci_conn_drop(conn);
4432 hci_dev_unlock(hdev);
4435 static u8 hci_get_auth_req(struct hci_conn *conn)
4438 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
4439 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4440 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4441 return HCI_AT_GENERAL_BONDING_MITM;
4445 /* If remote requests no-bonding follow that lead */
4446 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4447 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4448 return conn->remote_auth | (conn->auth_type & 0x01);
4450 /* If both remote and local have enough IO capabilities, require
4453 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4454 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4455 return conn->remote_auth | 0x01;
4457 /* No MITM protection possible so ignore remote requirement */
4458 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4461 static u8 bredr_oob_data_present(struct hci_conn *conn)
4463 struct hci_dev *hdev = conn->hdev;
4464 struct oob_data *data;
4466 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4470 if (bredr_sc_enabled(hdev)) {
4471 /* When Secure Connections is enabled, then just
4472 * return the present value stored with the OOB
4473 * data. The stored value contains the right present
4474 * information. However it can only be trusted when
4475 * not in Secure Connection Only mode.
4477 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4478 return data->present;
4480 /* When Secure Connections Only mode is enabled, then
4481 * the P-256 values are required. If they are not
4482 * available, then do not declare that OOB data is
4485 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4486 !memcmp(data->hash256, ZERO_KEY, 16))
4492 /* When Secure Connections is not enabled or actually
4493 * not supported by the hardware, then check that if
4494 * P-192 data values are present.
4496 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4497 !memcmp(data->hash192, ZERO_KEY, 16))
4503 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4505 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4506 struct hci_conn *conn;
4508 BT_DBG("%s", hdev->name);
4512 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4516 hci_conn_hold(conn);
4518 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4521 /* Allow pairing if we're pairable, the initiators of the
4522 * pairing or if the remote is not requesting bonding.
4524 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4525 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4526 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4527 struct hci_cp_io_capability_reply cp;
4529 bacpy(&cp.bdaddr, &ev->bdaddr);
4530 /* Change the IO capability from KeyboardDisplay
4531 * to DisplayYesNo as it is not supported by BT spec. */
4532 cp.capability = (conn->io_capability == 0x04) ?
4533 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4535 /* If we are initiators, there is no remote information yet */
4536 if (conn->remote_auth == 0xff) {
4537 /* Request MITM protection if our IO caps allow it
4538 * except for the no-bonding case.
4540 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4541 conn->auth_type != HCI_AT_NO_BONDING)
4542 conn->auth_type |= 0x01;
4544 conn->auth_type = hci_get_auth_req(conn);
4547 /* If we're not bondable, force one of the non-bondable
4548 * authentication requirement values.
4550 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4551 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4553 cp.authentication = conn->auth_type;
4554 cp.oob_data = bredr_oob_data_present(conn);
4556 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4559 struct hci_cp_io_capability_neg_reply cp;
4561 bacpy(&cp.bdaddr, &ev->bdaddr);
4562 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4564 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4569 hci_dev_unlock(hdev);
4572 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4574 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4575 struct hci_conn *conn;
4577 BT_DBG("%s", hdev->name);
4581 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4585 conn->remote_cap = ev->capability;
4586 conn->remote_auth = ev->authentication;
4589 hci_dev_unlock(hdev);
4592 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4593 struct sk_buff *skb)
4595 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4596 int loc_mitm, rem_mitm, confirm_hint = 0;
4597 struct hci_conn *conn;
4599 BT_DBG("%s", hdev->name);
4603 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4606 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4610 loc_mitm = (conn->auth_type & 0x01);
4611 rem_mitm = (conn->remote_auth & 0x01);
4613 /* If we require MITM but the remote device can't provide that
4614 * (it has NoInputNoOutput) then reject the confirmation
4615 * request. We check the security level here since it doesn't
4616 * necessarily match conn->auth_type.
4618 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4619 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4620 BT_DBG("Rejecting request: remote device can't provide MITM");
4621 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4622 sizeof(ev->bdaddr), &ev->bdaddr);
4626 /* If no side requires MITM protection; auto-accept */
4627 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4628 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4630 /* If we're not the initiators request authorization to
4631 * proceed from user space (mgmt_user_confirm with
4632 * confirm_hint set to 1). The exception is if neither
4633 * side had MITM or if the local IO capability is
4634 * NoInputNoOutput, in which case we do auto-accept
4636 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4637 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4638 (loc_mitm || rem_mitm)) {
4639 BT_DBG("Confirming auto-accept as acceptor");
4644 BT_DBG("Auto-accept of user confirmation with %ums delay",
4645 hdev->auto_accept_delay);
4647 if (hdev->auto_accept_delay > 0) {
4648 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4649 queue_delayed_work(conn->hdev->workqueue,
4650 &conn->auto_accept_work, delay);
4654 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4655 sizeof(ev->bdaddr), &ev->bdaddr);
4660 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4661 le32_to_cpu(ev->passkey), confirm_hint);
4664 hci_dev_unlock(hdev);
4667 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4668 struct sk_buff *skb)
4670 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4672 BT_DBG("%s", hdev->name);
4674 if (hci_dev_test_flag(hdev, HCI_MGMT))
4675 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4678 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4679 struct sk_buff *skb)
4681 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4682 struct hci_conn *conn;
4684 BT_DBG("%s", hdev->name);
4686 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4690 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4691 conn->passkey_entered = 0;
4693 if (hci_dev_test_flag(hdev, HCI_MGMT))
4694 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4695 conn->dst_type, conn->passkey_notify,
4696 conn->passkey_entered);
4699 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4701 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4702 struct hci_conn *conn;
4704 BT_DBG("%s", hdev->name);
4706 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4711 case HCI_KEYPRESS_STARTED:
4712 conn->passkey_entered = 0;
4715 case HCI_KEYPRESS_ENTERED:
4716 conn->passkey_entered++;
4719 case HCI_KEYPRESS_ERASED:
4720 conn->passkey_entered--;
4723 case HCI_KEYPRESS_CLEARED:
4724 conn->passkey_entered = 0;
4727 case HCI_KEYPRESS_COMPLETED:
4731 if (hci_dev_test_flag(hdev, HCI_MGMT))
4732 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4733 conn->dst_type, conn->passkey_notify,
4734 conn->passkey_entered);
4737 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4738 struct sk_buff *skb)
4740 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4741 struct hci_conn *conn;
4743 BT_DBG("%s", hdev->name);
4747 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4751 /* Reset the authentication requirement to unknown */
4752 conn->remote_auth = 0xff;
4754 /* To avoid duplicate auth_failed events to user space we check
4755 * the HCI_CONN_AUTH_PEND flag which will be set if we
4756 * initiated the authentication. A traditional auth_complete
4757 * event gets always produced as initiator and is also mapped to
4758 * the mgmt_auth_failed event */
4759 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4760 mgmt_auth_failed(conn, ev->status);
4762 hci_conn_drop(conn);
4765 hci_dev_unlock(hdev);
4768 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4769 struct sk_buff *skb)
4771 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4772 struct inquiry_entry *ie;
4773 struct hci_conn *conn;
4775 BT_DBG("%s", hdev->name);
4779 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4781 memcpy(conn->features[1], ev->features, 8);
4783 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4785 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4787 hci_dev_unlock(hdev);
4790 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4791 struct sk_buff *skb)
4793 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4794 struct oob_data *data;
4796 BT_DBG("%s", hdev->name);
4800 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4803 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4805 struct hci_cp_remote_oob_data_neg_reply cp;
4807 bacpy(&cp.bdaddr, &ev->bdaddr);
4808 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4813 if (bredr_sc_enabled(hdev)) {
4814 struct hci_cp_remote_oob_ext_data_reply cp;
4816 bacpy(&cp.bdaddr, &ev->bdaddr);
4817 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4818 memset(cp.hash192, 0, sizeof(cp.hash192));
4819 memset(cp.rand192, 0, sizeof(cp.rand192));
4821 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4822 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4824 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4825 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4827 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4830 struct hci_cp_remote_oob_data_reply cp;
4832 bacpy(&cp.bdaddr, &ev->bdaddr);
4833 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4834 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4836 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4841 hci_dev_unlock(hdev);
4844 #if IS_ENABLED(CONFIG_BT_HS)
4845 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4847 struct hci_ev_channel_selected *ev = (void *)skb->data;
4848 struct hci_conn *hcon;
4850 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4852 skb_pull(skb, sizeof(*ev));
4854 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4858 amp_read_loc_assoc_final_data(hdev, hcon);
4861 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4862 struct sk_buff *skb)
4864 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4865 struct hci_conn *hcon, *bredr_hcon;
4867 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4872 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4874 hci_dev_unlock(hdev);
4880 hci_dev_unlock(hdev);
4884 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4886 hcon->state = BT_CONNECTED;
4887 bacpy(&hcon->dst, &bredr_hcon->dst);
4889 hci_conn_hold(hcon);
4890 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4891 hci_conn_drop(hcon);
4893 hci_debugfs_create_conn(hcon);
4894 hci_conn_add_sysfs(hcon);
4896 amp_physical_cfm(bredr_hcon, hcon);
4898 hci_dev_unlock(hdev);
4901 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4903 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4904 struct hci_conn *hcon;
4905 struct hci_chan *hchan;
4906 struct amp_mgr *mgr;
4908 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4909 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4912 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4916 /* Create AMP hchan */
4917 hchan = hci_chan_create(hcon);
4921 hchan->handle = le16_to_cpu(ev->handle);
4923 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4925 mgr = hcon->amp_mgr;
4926 if (mgr && mgr->bredr_chan) {
4927 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4929 l2cap_chan_lock(bredr_chan);
4931 bredr_chan->conn->mtu = hdev->block_mtu;
4932 l2cap_logical_cfm(bredr_chan, hchan, 0);
4933 hci_conn_hold(hcon);
4935 l2cap_chan_unlock(bredr_chan);
4939 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4940 struct sk_buff *skb)
4942 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4943 struct hci_chan *hchan;
4945 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4946 le16_to_cpu(ev->handle), ev->status);
4953 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4957 amp_destroy_logical_link(hchan, ev->reason);
4960 hci_dev_unlock(hdev);
4963 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4964 struct sk_buff *skb)
4966 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4967 struct hci_conn *hcon;
4969 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4976 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4978 hcon->state = BT_CLOSED;
4982 hci_dev_unlock(hdev);
4986 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
4987 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
4988 u16 interval, u16 latency, u16 supervision_timeout)
4990 struct hci_conn_params *params;
4991 struct hci_conn *conn;
4992 struct smp_irk *irk;
4997 /* All controllers implicitly stop advertising in the event of a
4998 * connection, so ensure that the state bit is cleared.
5000 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5002 conn = hci_lookup_le_connect(hdev);
5004 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5006 bt_dev_err(hdev, "no memory for new connection");
5010 conn->dst_type = bdaddr_type;
5012 /* If we didn't have a hci_conn object previously
5013 * but we're in master role this must be something
5014 * initiated using a white list. Since white list based
5015 * connections are not "first class citizens" we don't
5016 * have full tracking of them. Therefore, we go ahead
5017 * with a "best effort" approach of determining the
5018 * initiator address based on the HCI_PRIVACY flag.
5021 conn->resp_addr_type = bdaddr_type;
5022 bacpy(&conn->resp_addr, bdaddr);
5023 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5024 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5025 bacpy(&conn->init_addr, &hdev->rpa);
5027 hci_copy_identity_address(hdev,
5029 &conn->init_addr_type);
5034 /* LE auto connect */
5035 bacpy(&conn->dst, bdaddr);
5037 cancel_delayed_work(&conn->le_conn_timeout);
5041 /* Set the responder (our side) address type based on
5042 * the advertising address type.
5044 conn->resp_addr_type = hdev->adv_addr_type;
5045 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5046 /* In case of ext adv, resp_addr will be updated in
5047 * Adv Terminated event.
5049 if (!ext_adv_capable(hdev))
5050 bacpy(&conn->resp_addr, &hdev->random_addr);
5052 bacpy(&conn->resp_addr, &hdev->bdaddr);
5055 conn->init_addr_type = bdaddr_type;
5056 bacpy(&conn->init_addr, bdaddr);
5058 /* For incoming connections, set the default minimum
5059 * and maximum connection interval. They will be used
5060 * to check if the parameters are in range and if not
5061 * trigger the connection update procedure.
5063 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5064 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5067 /* Lookup the identity address from the stored connection
5068 * address and address type.
5070 * When establishing connections to an identity address, the
5071 * connection procedure will store the resolvable random
5072 * address first. Now if it can be converted back into the
5073 * identity address, start using the identity address from
5076 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5078 bacpy(&conn->dst, &irk->bdaddr);
5079 conn->dst_type = irk->addr_type;
5083 hci_le_conn_failed(conn, status);
5087 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5088 addr_type = BDADDR_LE_PUBLIC;
5090 addr_type = BDADDR_LE_RANDOM;
5092 /* Drop the connection if the device is blocked */
5093 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5094 hci_conn_drop(conn);
5098 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5099 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5101 conn->sec_level = BT_SECURITY_LOW;
5102 conn->handle = handle;
5103 conn->state = BT_CONFIG;
5105 conn->le_conn_interval = interval;
5106 conn->le_conn_latency = latency;
5107 conn->le_supv_timeout = supervision_timeout;
5109 hci_debugfs_create_conn(conn);
5110 hci_conn_add_sysfs(conn);
5113 /* The remote features procedure is defined for master
5114 * role only. So only in case of an initiated connection
5115 * request the remote features.
5117 * If the local controller supports slave-initiated features
5118 * exchange, then requesting the remote features in slave
5119 * role is possible. Otherwise just transition into the
5120 * connected state without requesting the remote features.
5123 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5124 struct hci_cp_le_read_remote_features cp;
5126 cp.handle = __cpu_to_le16(conn->handle);
5128 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5131 hci_conn_hold(conn);
5133 conn->state = BT_CONNECTED;
5134 hci_connect_cfm(conn, status);
5137 hci_connect_cfm(conn, status);
5140 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5143 list_del_init(¶ms->action);
5145 hci_conn_drop(params->conn);
5146 hci_conn_put(params->conn);
5147 params->conn = NULL;
5152 hci_update_background_scan(hdev);
5153 hci_dev_unlock(hdev);
5156 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5158 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5160 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5162 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5163 ev->role, le16_to_cpu(ev->handle),
5164 le16_to_cpu(ev->interval),
5165 le16_to_cpu(ev->latency),
5166 le16_to_cpu(ev->supervision_timeout));
5169 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5170 struct sk_buff *skb)
5172 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5174 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5176 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5177 ev->role, le16_to_cpu(ev->handle),
5178 le16_to_cpu(ev->interval),
5179 le16_to_cpu(ev->latency),
5180 le16_to_cpu(ev->supervision_timeout));
5183 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5185 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5186 struct hci_conn *conn;
5188 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5193 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5195 struct adv_info *adv_instance;
5197 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5200 if (!hdev->cur_adv_instance) {
5201 bacpy(&conn->resp_addr, &hdev->random_addr);
5205 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5207 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5211 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5212 struct sk_buff *skb)
5214 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5215 struct hci_conn *conn;
5217 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5224 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5228 hci_dev_unlock(hdev);
5229 mgmt_le_conn_update_failed(hdev, &conn->dst,
5230 conn->type, conn->dst_type, ev->status);
5234 conn->le_conn_interval = le16_to_cpu(ev->interval);
5235 conn->le_conn_latency = le16_to_cpu(ev->latency);
5236 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5239 hci_dev_unlock(hdev);
5242 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
5243 conn->dst_type, conn->le_conn_interval,
5244 conn->le_conn_latency, conn->le_supv_timeout);
5248 /* This function requires the caller holds hdev->lock */
5249 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5251 u8 addr_type, u8 adv_type,
5252 bdaddr_t *direct_rpa)
5254 struct hci_conn *conn;
5255 struct hci_conn_params *params;
5257 /* If the event is not connectable don't proceed further */
5258 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5261 /* Ignore if the device is blocked */
5262 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5265 /* Most controller will fail if we try to create new connections
5266 * while we have an existing one in slave role.
5268 if (hdev->conn_hash.le_num_slave > 0)
5271 /* If we're not connectable only connect devices that we have in
5272 * our pend_le_conns list.
5274 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5279 if (!params->explicit_connect) {
5280 switch (params->auto_connect) {
5281 case HCI_AUTO_CONN_DIRECT:
5282 /* Only devices advertising with ADV_DIRECT_IND are
5283 * triggering a connection attempt. This is allowing
5284 * incoming connections from slave devices.
5286 if (adv_type != LE_ADV_DIRECT_IND)
5289 case HCI_AUTO_CONN_ALWAYS:
5290 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5291 * are triggering a connection attempt. This means
5292 * that incoming connectioms from slave device are
5293 * accepted and also outgoing connections to slave
5294 * devices are established when found.
5302 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5303 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5305 if (!IS_ERR(conn)) {
5306 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5307 * by higher layer that tried to connect, if no then
5308 * store the pointer since we don't really have any
5309 * other owner of the object besides the params that
5310 * triggered it. This way we can abort the connection if
5311 * the parameters get removed and keep the reference
5312 * count consistent once the connection is established.
5315 if (!params->explicit_connect)
5316 params->conn = hci_conn_get(conn);
5321 switch (PTR_ERR(conn)) {
5323 /* If hci_connect() returns -EBUSY it means there is already
5324 * an LE connection attempt going on. Since controllers don't
5325 * support more than one connection attempt at the time, we
5326 * don't consider this an error case.
5330 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5337 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5338 u8 bdaddr_type, bdaddr_t *direct_addr,
5339 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5342 struct discovery_state *d = &hdev->discovery;
5344 struct smp_irk *irk;
5345 struct hci_conn *conn;
5354 case LE_ADV_DIRECT_IND:
5355 case LE_ADV_SCAN_IND:
5356 case LE_ADV_NONCONN_IND:
5357 case LE_ADV_SCAN_RSP:
5360 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5361 "type: 0x%02x", type);
5365 /* Find the end of the data in case the report contains padded zero
5366 * bytes at the end causing an invalid length value.
5368 * When data is NULL, len is 0 so there is no need for extra ptr
5369 * check as 'ptr < data + 0' is already false in such case.
5371 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5372 if (ptr + 1 + *ptr > data + len)
5376 real_len = ptr - data;
5378 /* Adjust for actual length */
5379 if (len != real_len) {
5380 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
5384 /* If the direct address is present, then this report is from
5385 * a LE Direct Advertising Report event. In that case it is
5386 * important to see if the address is matching the local
5387 * controller address.
5390 /* Only resolvable random addresses are valid for these
5391 * kind of reports and others can be ignored.
5393 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5396 /* If the controller is not using resolvable random
5397 * addresses, then this report can be ignored.
5399 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5402 /* If the local IRK of the controller does not match
5403 * with the resolvable random address provided, then
5404 * this report can be ignored.
5406 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5410 /* Check if we need to convert to identity address */
5411 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5413 bdaddr = &irk->bdaddr;
5414 bdaddr_type = irk->addr_type;
5417 /* Check if we have been requested to connect to this device.
5419 * direct_addr is set only for directed advertising reports (it is NULL
5420 * for advertising reports) and is already verified to be RPA above.
5422 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5424 if (conn && type == LE_ADV_IND) {
5425 /* Store report for later inclusion by
5426 * mgmt_device_connected
5428 memcpy(conn->le_adv_data, data, len);
5429 conn->le_adv_data_len = len;
5432 /* Passive scanning shouldn't trigger any device found events,
5433 * except for devices marked as CONN_REPORT for which we do send
5434 * device found events.
5436 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5437 if (type == LE_ADV_DIRECT_IND)
5441 /* Handle all adv packet in platform */
5442 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5443 bdaddr, bdaddr_type))
5447 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5448 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5452 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5453 rssi, flags, data, len, NULL, 0, type);
5455 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5456 rssi, flags, data, len, NULL, 0);
5461 /* When receiving non-connectable or scannable undirected
5462 * advertising reports, this means that the remote device is
5463 * not connectable and then clearly indicate this in the
5464 * device found event.
5466 * When receiving a scan response, then there is no way to
5467 * know if the remote device is connectable or not. However
5468 * since scan responses are merged with a previously seen
5469 * advertising report, the flags field from that report
5472 * In the really unlikely case that a controller get confused
5473 * and just sends a scan response event, then it is marked as
5474 * not connectable as well.
5476 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5477 type == LE_ADV_SCAN_RSP)
5478 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5483 /* Disable adv ind and scan rsp merging */
5484 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5485 rssi, flags, data, len, NULL, 0, type);
5487 /* If there's nothing pending either store the data from this
5488 * event or send an immediate device found event if the data
5489 * should not be stored for later.
5491 if (!has_pending_adv_report(hdev)) {
5492 /* If the report will trigger a SCAN_REQ store it for
5495 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5496 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5497 rssi, flags, data, len);
5501 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5502 rssi, flags, data, len, NULL, 0);
5506 /* Check if the pending report is for the same device as the new one */
5507 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5508 bdaddr_type == d->last_adv_addr_type);
5510 /* If the pending data doesn't match this report or this isn't a
5511 * scan response (e.g. we got a duplicate ADV_IND) then force
5512 * sending of the pending data.
5514 if (type != LE_ADV_SCAN_RSP || !match) {
5515 /* Send out whatever is in the cache, but skip duplicates */
5517 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5518 d->last_adv_addr_type, NULL,
5519 d->last_adv_rssi, d->last_adv_flags,
5521 d->last_adv_data_len, NULL, 0);
5523 /* If the new report will trigger a SCAN_REQ store it for
5526 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5527 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5528 rssi, flags, data, len);
5532 /* The advertising reports cannot be merged, so clear
5533 * the pending report and send out a device found event.
5535 clear_pending_adv_report(hdev);
5536 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5537 rssi, flags, data, len, NULL, 0);
5541 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5542 * the new event is a SCAN_RSP. We can therefore proceed with
5543 * sending a merged device found event.
5545 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5546 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5547 d->last_adv_data, d->last_adv_data_len, data, len);
5548 clear_pending_adv_report(hdev);
5552 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5554 u8 num_reports = skb->data[0];
5555 void *ptr = &skb->data[1];
5559 while (num_reports--) {
5560 struct hci_ev_le_advertising_info *ev = ptr;
5563 if (ev->length <= HCI_MAX_AD_LENGTH) {
5564 rssi = ev->data[ev->length];
5565 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5566 ev->bdaddr_type, NULL, 0, rssi,
5567 ev->data, ev->length);
5569 bt_dev_err(hdev, "Dropping invalid advertising data");
5572 ptr += sizeof(*ev) + ev->length + 1;
5575 hci_dev_unlock(hdev);
5578 static u8 ext_evt_type_to_legacy(u16 evt_type)
5580 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5582 case LE_LEGACY_ADV_IND:
5584 case LE_LEGACY_ADV_DIRECT_IND:
5585 return LE_ADV_DIRECT_IND;
5586 case LE_LEGACY_ADV_SCAN_IND:
5587 return LE_ADV_SCAN_IND;
5588 case LE_LEGACY_NONCONN_IND:
5589 return LE_ADV_NONCONN_IND;
5590 case LE_LEGACY_SCAN_RSP_ADV:
5591 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5592 return LE_ADV_SCAN_RSP;
5595 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5598 return LE_ADV_INVALID;
5601 if (evt_type & LE_EXT_ADV_CONN_IND) {
5602 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5603 return LE_ADV_DIRECT_IND;
5608 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5609 return LE_ADV_SCAN_RSP;
5611 if (evt_type & LE_EXT_ADV_SCAN_IND)
5612 return LE_ADV_SCAN_IND;
5614 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5615 evt_type & LE_EXT_ADV_DIRECT_IND)
5616 return LE_ADV_NONCONN_IND;
5618 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5621 return LE_ADV_INVALID;
5624 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5626 u8 num_reports = skb->data[0];
5627 void *ptr = &skb->data[1];
5631 while (num_reports--) {
5632 struct hci_ev_le_ext_adv_report *ev = ptr;
5636 evt_type = __le16_to_cpu(ev->evt_type);
5637 legacy_evt_type = ext_evt_type_to_legacy(evt_type);
5638 if (legacy_evt_type != LE_ADV_INVALID) {
5639 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5640 ev->bdaddr_type, NULL, 0, ev->rssi,
5641 ev->data, ev->length);
5644 ptr += sizeof(*ev) + ev->length + 1;
5647 hci_dev_unlock(hdev);
5650 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5651 struct sk_buff *skb)
5653 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5654 struct hci_conn *conn;
5656 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5660 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5663 memcpy(conn->features[0], ev->features, 8);
5665 if (conn->state == BT_CONFIG) {
5668 /* If the local controller supports slave-initiated
5669 * features exchange, but the remote controller does
5670 * not, then it is possible that the error code 0x1a
5671 * for unsupported remote feature gets returned.
5673 * In this specific case, allow the connection to
5674 * transition into connected state and mark it as
5677 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5678 !conn->out && ev->status == 0x1a)
5681 status = ev->status;
5683 conn->state = BT_CONNECTED;
5684 hci_connect_cfm(conn, status);
5685 hci_conn_drop(conn);
5689 hci_dev_unlock(hdev);
5692 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5694 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5695 struct hci_cp_le_ltk_reply cp;
5696 struct hci_cp_le_ltk_neg_reply neg;
5697 struct hci_conn *conn;
5698 struct smp_ltk *ltk;
5700 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5704 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5708 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5712 if (smp_ltk_is_sc(ltk)) {
5713 /* With SC both EDiv and Rand are set to zero */
5714 if (ev->ediv || ev->rand)
5717 /* For non-SC keys check that EDiv and Rand match */
5718 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5722 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5723 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5724 cp.handle = cpu_to_le16(conn->handle);
5726 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5728 conn->enc_key_size = ltk->enc_size;
5730 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5732 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5733 * temporary key used to encrypt a connection following
5734 * pairing. It is used during the Encrypted Session Setup to
5735 * distribute the keys. Later, security can be re-established
5736 * using a distributed LTK.
5738 if (ltk->type == SMP_STK) {
5739 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5740 list_del_rcu(<k->list);
5741 kfree_rcu(ltk, rcu);
5743 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5746 hci_dev_unlock(hdev);
5751 neg.handle = ev->handle;
5752 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5753 hci_dev_unlock(hdev);
5756 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5759 struct hci_cp_le_conn_param_req_neg_reply cp;
5761 cp.handle = cpu_to_le16(handle);
5764 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5768 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5769 struct sk_buff *skb)
5771 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5772 struct hci_cp_le_conn_param_req_reply cp;
5773 struct hci_conn *hcon;
5774 u16 handle, min, max, latency, timeout;
5776 handle = le16_to_cpu(ev->handle);
5777 min = le16_to_cpu(ev->interval_min);
5778 max = le16_to_cpu(ev->interval_max);
5779 latency = le16_to_cpu(ev->latency);
5780 timeout = le16_to_cpu(ev->timeout);
5782 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5783 if (!hcon || hcon->state != BT_CONNECTED)
5784 return send_conn_param_neg_reply(hdev, handle,
5785 HCI_ERROR_UNKNOWN_CONN_ID);
5787 if (hci_check_conn_params(min, max, latency, timeout))
5788 return send_conn_param_neg_reply(hdev, handle,
5789 HCI_ERROR_INVALID_LL_PARAMS);
5791 if (hcon->role == HCI_ROLE_MASTER) {
5792 struct hci_conn_params *params;
5797 params = hci_conn_params_lookup(hdev, &hcon->dst,
5800 params->conn_min_interval = min;
5801 params->conn_max_interval = max;
5802 params->conn_latency = latency;
5803 params->supervision_timeout = timeout;
5809 hci_dev_unlock(hdev);
5811 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5812 store_hint, min, max, latency, timeout);
5815 cp.handle = ev->handle;
5816 cp.interval_min = ev->interval_min;
5817 cp.interval_max = ev->interval_max;
5818 cp.latency = ev->latency;
5819 cp.timeout = ev->timeout;
5823 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5826 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5827 struct sk_buff *skb)
5829 u8 num_reports = skb->data[0];
5830 void *ptr = &skb->data[1];
5834 while (num_reports--) {
5835 struct hci_ev_le_direct_adv_info *ev = ptr;
5837 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5838 ev->bdaddr_type, &ev->direct_addr,
5839 ev->direct_addr_type, ev->rssi, NULL, 0);
5844 hci_dev_unlock(hdev);
5847 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5849 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5851 skb_pull(skb, sizeof(*le_ev));
5853 switch (le_ev->subevent) {
5854 case HCI_EV_LE_CONN_COMPLETE:
5855 hci_le_conn_complete_evt(hdev, skb);
5858 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5859 hci_le_conn_update_complete_evt(hdev, skb);
5862 case HCI_EV_LE_ADVERTISING_REPORT:
5863 hci_le_adv_report_evt(hdev, skb);
5866 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5867 hci_le_remote_feat_complete_evt(hdev, skb);
5870 case HCI_EV_LE_LTK_REQ:
5871 hci_le_ltk_request_evt(hdev, skb);
5874 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5875 hci_le_remote_conn_param_req_evt(hdev, skb);
5878 case HCI_EV_LE_DIRECT_ADV_REPORT:
5879 hci_le_direct_adv_report_evt(hdev, skb);
5882 case HCI_EV_LE_EXT_ADV_REPORT:
5883 hci_le_ext_adv_report_evt(hdev, skb);
5886 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5887 hci_le_enh_conn_complete_evt(hdev, skb);
5890 case HCI_EV_LE_EXT_ADV_SET_TERM:
5891 hci_le_ext_adv_term_evt(hdev, skb);
5899 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5900 u8 event, struct sk_buff *skb)
5902 struct hci_ev_cmd_complete *ev;
5903 struct hci_event_hdr *hdr;
5908 if (skb->len < sizeof(*hdr)) {
5909 bt_dev_err(hdev, "too short HCI event");
5913 hdr = (void *) skb->data;
5914 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5917 if (hdr->evt != event)
5922 /* Check if request ended in Command Status - no way to retreive
5923 * any extra parameters in this case.
5925 if (hdr->evt == HCI_EV_CMD_STATUS)
5928 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5929 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5934 if (skb->len < sizeof(*ev)) {
5935 bt_dev_err(hdev, "too short cmd_complete event");
5939 ev = (void *) skb->data;
5940 skb_pull(skb, sizeof(*ev));
5942 if (opcode != __le16_to_cpu(ev->opcode)) {
5943 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5944 __le16_to_cpu(ev->opcode));
5951 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5953 struct hci_event_hdr *hdr = (void *) skb->data;
5954 hci_req_complete_t req_complete = NULL;
5955 hci_req_complete_skb_t req_complete_skb = NULL;
5956 struct sk_buff *orig_skb = NULL;
5957 u8 status = 0, event = hdr->evt, req_evt = 0;
5958 u16 opcode = HCI_OP_NOP;
5960 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5961 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5962 opcode = __le16_to_cpu(cmd_hdr->opcode);
5963 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5968 /* If it looks like we might end up having to call
5969 * req_complete_skb, store a pristine copy of the skb since the
5970 * various handlers may modify the original one through
5971 * skb_pull() calls, etc.
5973 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5974 event == HCI_EV_CMD_COMPLETE)
5975 orig_skb = skb_clone(skb, GFP_KERNEL);
5977 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5980 case HCI_EV_INQUIRY_COMPLETE:
5981 hci_inquiry_complete_evt(hdev, skb);
5984 case HCI_EV_INQUIRY_RESULT:
5985 hci_inquiry_result_evt(hdev, skb);
5988 case HCI_EV_CONN_COMPLETE:
5989 hci_conn_complete_evt(hdev, skb);
5992 case HCI_EV_CONN_REQUEST:
5993 hci_conn_request_evt(hdev, skb);
5996 case HCI_EV_DISCONN_COMPLETE:
5997 hci_disconn_complete_evt(hdev, skb);
6000 case HCI_EV_AUTH_COMPLETE:
6001 hci_auth_complete_evt(hdev, skb);
6004 case HCI_EV_REMOTE_NAME:
6005 hci_remote_name_evt(hdev, skb);
6008 case HCI_EV_ENCRYPT_CHANGE:
6009 hci_encrypt_change_evt(hdev, skb);
6012 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6013 hci_change_link_key_complete_evt(hdev, skb);
6016 case HCI_EV_REMOTE_FEATURES:
6017 hci_remote_features_evt(hdev, skb);
6020 case HCI_EV_CMD_COMPLETE:
6021 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6022 &req_complete, &req_complete_skb);
6025 case HCI_EV_CMD_STATUS:
6026 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6030 case HCI_EV_HARDWARE_ERROR:
6031 hci_hardware_error_evt(hdev, skb);
6034 case HCI_EV_ROLE_CHANGE:
6035 hci_role_change_evt(hdev, skb);
6038 case HCI_EV_NUM_COMP_PKTS:
6039 hci_num_comp_pkts_evt(hdev, skb);
6042 case HCI_EV_MODE_CHANGE:
6043 hci_mode_change_evt(hdev, skb);
6046 case HCI_EV_PIN_CODE_REQ:
6047 hci_pin_code_request_evt(hdev, skb);
6050 case HCI_EV_LINK_KEY_REQ:
6051 hci_link_key_request_evt(hdev, skb);
6054 case HCI_EV_LINK_KEY_NOTIFY:
6055 hci_link_key_notify_evt(hdev, skb);
6058 case HCI_EV_CLOCK_OFFSET:
6059 hci_clock_offset_evt(hdev, skb);
6062 case HCI_EV_PKT_TYPE_CHANGE:
6063 hci_pkt_type_change_evt(hdev, skb);
6066 case HCI_EV_PSCAN_REP_MODE:
6067 hci_pscan_rep_mode_evt(hdev, skb);
6070 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6071 hci_inquiry_result_with_rssi_evt(hdev, skb);
6074 case HCI_EV_REMOTE_EXT_FEATURES:
6075 hci_remote_ext_features_evt(hdev, skb);
6078 case HCI_EV_SYNC_CONN_COMPLETE:
6079 hci_sync_conn_complete_evt(hdev, skb);
6082 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6083 hci_extended_inquiry_result_evt(hdev, skb);
6086 case HCI_EV_KEY_REFRESH_COMPLETE:
6087 hci_key_refresh_complete_evt(hdev, skb);
6090 case HCI_EV_IO_CAPA_REQUEST:
6091 hci_io_capa_request_evt(hdev, skb);
6094 case HCI_EV_IO_CAPA_REPLY:
6095 hci_io_capa_reply_evt(hdev, skb);
6098 case HCI_EV_USER_CONFIRM_REQUEST:
6099 hci_user_confirm_request_evt(hdev, skb);
6102 case HCI_EV_USER_PASSKEY_REQUEST:
6103 hci_user_passkey_request_evt(hdev, skb);
6106 case HCI_EV_USER_PASSKEY_NOTIFY:
6107 hci_user_passkey_notify_evt(hdev, skb);
6110 case HCI_EV_KEYPRESS_NOTIFY:
6111 hci_keypress_notify_evt(hdev, skb);
6114 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6115 hci_simple_pair_complete_evt(hdev, skb);
6118 case HCI_EV_REMOTE_HOST_FEATURES:
6119 hci_remote_host_features_evt(hdev, skb);
6122 case HCI_EV_LE_META:
6123 hci_le_meta_evt(hdev, skb);
6126 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6127 hci_remote_oob_data_request_evt(hdev, skb);
6130 #if IS_ENABLED(CONFIG_BT_HS)
6131 case HCI_EV_CHANNEL_SELECTED:
6132 hci_chan_selected_evt(hdev, skb);
6135 case HCI_EV_PHY_LINK_COMPLETE:
6136 hci_phy_link_complete_evt(hdev, skb);
6139 case HCI_EV_LOGICAL_LINK_COMPLETE:
6140 hci_loglink_complete_evt(hdev, skb);
6143 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6144 hci_disconn_loglink_complete_evt(hdev, skb);
6147 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6148 hci_disconn_phylink_complete_evt(hdev, skb);
6152 case HCI_EV_NUM_COMP_BLOCKS:
6153 hci_num_comp_blocks_evt(hdev, skb);
6157 case HCI_EV_VENDOR_SPECIFIC:
6158 hci_vendor_specific_evt(hdev, skb);
6163 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6168 req_complete(hdev, status, opcode);
6169 } else if (req_complete_skb) {
6170 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6171 kfree_skb(orig_skb);
6174 req_complete_skb(hdev, status, opcode, orig_skb);
6177 kfree_skb(orig_skb);
6179 hdev->stat.evt_rx++;