2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 struct hci_cp_write_link_policy cp;
146 struct hci_conn *sco_conn;
149 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
154 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
160 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
162 conn->link_policy = get_unaligned_le16(sent + 2);
165 sco_conn = hci_conn_hash_lookup_sco(hdev);
166 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
167 conn->link_policy & HCI_LP_SNIFF) {
168 BT_ERR("SNIFF is not allowed during sco connection");
169 cp.handle = __cpu_to_le16(conn->handle);
170 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
171 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
175 hci_dev_unlock(hdev);
178 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
181 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
183 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
188 hdev->link_policy = __le16_to_cpu(rp->policy);
191 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
194 __u8 status = *((__u8 *) skb->data);
197 BT_DBG("%s status 0x%2.2x", hdev->name, status);
202 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
206 hdev->link_policy = get_unaligned_le16(sent);
209 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
211 __u8 status = *((__u8 *) skb->data);
213 BT_DBG("%s status 0x%2.2x", hdev->name, status);
215 clear_bit(HCI_RESET, &hdev->flags);
220 /* Reset all non-persistent flags */
221 hci_dev_clear_volatile_flags(hdev);
223 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
225 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
226 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
228 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
229 hdev->adv_data_len = 0;
231 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
232 hdev->scan_rsp_data_len = 0;
234 hdev->le_scan_type = LE_SCAN_PASSIVE;
236 hdev->ssp_debug_mode = 0;
238 hci_bdaddr_list_clear(&hdev->le_white_list);
239 hci_bdaddr_list_clear(&hdev->le_resolv_list);
242 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
245 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
246 struct hci_cp_read_stored_link_key *sent;
248 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
254 if (!rp->status && sent->read_all == 0x01) {
255 hdev->stored_max_keys = rp->max_keys;
256 hdev->stored_num_keys = rp->num_keys;
260 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
263 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
265 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
270 if (rp->num_keys <= hdev->stored_num_keys)
271 hdev->stored_num_keys -= rp->num_keys;
273 hdev->stored_num_keys = 0;
276 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 __u8 status = *((__u8 *) skb->data);
281 BT_DBG("%s status 0x%2.2x", hdev->name, status);
283 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
289 if (hci_dev_test_flag(hdev, HCI_MGMT))
290 mgmt_set_local_name_complete(hdev, sent, status);
292 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
294 hci_dev_unlock(hdev);
297 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
299 struct hci_rp_read_local_name *rp = (void *) skb->data;
301 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
306 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
307 hci_dev_test_flag(hdev, HCI_CONFIG))
308 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
311 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
313 __u8 status = *((__u8 *) skb->data);
316 BT_DBG("%s status 0x%2.2x", hdev->name, status);
318 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
325 __u8 param = *((__u8 *) sent);
327 if (param == AUTH_ENABLED)
328 set_bit(HCI_AUTH, &hdev->flags);
330 clear_bit(HCI_AUTH, &hdev->flags);
333 if (hci_dev_test_flag(hdev, HCI_MGMT))
334 mgmt_auth_enable_complete(hdev, status);
336 hci_dev_unlock(hdev);
339 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
341 __u8 status = *((__u8 *) skb->data);
345 BT_DBG("%s status 0x%2.2x", hdev->name, status);
350 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
354 param = *((__u8 *) sent);
357 set_bit(HCI_ENCRYPT, &hdev->flags);
359 clear_bit(HCI_ENCRYPT, &hdev->flags);
362 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
364 __u8 status = *((__u8 *) skb->data);
368 BT_DBG("%s status 0x%2.2x", hdev->name, status);
370 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
374 param = *((__u8 *) sent);
379 hdev->discov_timeout = 0;
383 if (param & SCAN_INQUIRY)
384 set_bit(HCI_ISCAN, &hdev->flags);
386 clear_bit(HCI_ISCAN, &hdev->flags);
388 if (param & SCAN_PAGE)
389 set_bit(HCI_PSCAN, &hdev->flags);
391 clear_bit(HCI_PSCAN, &hdev->flags);
394 hci_dev_unlock(hdev);
397 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
399 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
401 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
406 memcpy(hdev->dev_class, rp->dev_class, 3);
408 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
409 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
412 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
414 __u8 status = *((__u8 *) skb->data);
417 BT_DBG("%s status 0x%2.2x", hdev->name, status);
419 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
426 memcpy(hdev->dev_class, sent, 3);
428 if (hci_dev_test_flag(hdev, HCI_MGMT))
429 mgmt_set_class_of_dev_complete(hdev, sent, status);
431 hci_dev_unlock(hdev);
434 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
436 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
439 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
444 setting = __le16_to_cpu(rp->voice_setting);
446 if (hdev->voice_setting == setting)
449 hdev->voice_setting = setting;
451 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
454 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
457 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
460 __u8 status = *((__u8 *) skb->data);
464 BT_DBG("%s status 0x%2.2x", hdev->name, status);
469 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
473 setting = get_unaligned_le16(sent);
475 if (hdev->voice_setting == setting)
478 hdev->voice_setting = setting;
480 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
483 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
486 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
489 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
491 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
496 hdev->num_iac = rp->num_iac;
498 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
501 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
503 __u8 status = *((__u8 *) skb->data);
504 struct hci_cp_write_ssp_mode *sent;
506 BT_DBG("%s status 0x%2.2x", hdev->name, status);
508 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
516 hdev->features[1][0] |= LMP_HOST_SSP;
518 hdev->features[1][0] &= ~LMP_HOST_SSP;
521 if (hci_dev_test_flag(hdev, HCI_MGMT))
522 mgmt_ssp_enable_complete(hdev, sent->mode, status);
525 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
527 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
530 hci_dev_unlock(hdev);
533 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
535 u8 status = *((u8 *) skb->data);
536 struct hci_cp_write_sc_support *sent;
538 BT_DBG("%s status 0x%2.2x", hdev->name, status);
540 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
548 hdev->features[1][0] |= LMP_HOST_SC;
550 hdev->features[1][0] &= ~LMP_HOST_SC;
553 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
555 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
557 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
560 hci_dev_unlock(hdev);
563 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
565 struct hci_rp_read_local_version *rp = (void *) skb->data;
567 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
573 hci_dev_test_flag(hdev, HCI_CONFIG)) {
574 hdev->hci_ver = rp->hci_ver;
575 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
576 hdev->lmp_ver = rp->lmp_ver;
577 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
578 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
582 static void hci_cc_read_local_commands(struct hci_dev *hdev,
585 struct hci_rp_read_local_commands *rp = (void *) skb->data;
587 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
592 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
593 hci_dev_test_flag(hdev, HCI_CONFIG))
594 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
597 static void hci_cc_read_local_features(struct hci_dev *hdev,
600 struct hci_rp_read_local_features *rp = (void *) skb->data;
602 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
607 memcpy(hdev->features, rp->features, 8);
609 /* Adjust default settings according to features
610 * supported by device. */
612 if (hdev->features[0][0] & LMP_3SLOT)
613 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
615 if (hdev->features[0][0] & LMP_5SLOT)
616 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
618 if (hdev->features[0][1] & LMP_HV2) {
619 hdev->pkt_type |= (HCI_HV2);
620 hdev->esco_type |= (ESCO_HV2);
623 if (hdev->features[0][1] & LMP_HV3) {
624 hdev->pkt_type |= (HCI_HV3);
625 hdev->esco_type |= (ESCO_HV3);
628 if (lmp_esco_capable(hdev))
629 hdev->esco_type |= (ESCO_EV3);
631 if (hdev->features[0][4] & LMP_EV4)
632 hdev->esco_type |= (ESCO_EV4);
634 if (hdev->features[0][4] & LMP_EV5)
635 hdev->esco_type |= (ESCO_EV5);
637 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
638 hdev->esco_type |= (ESCO_2EV3);
640 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
641 hdev->esco_type |= (ESCO_3EV3);
643 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
644 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
647 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
650 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
652 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
657 if (hdev->max_page < rp->max_page)
658 hdev->max_page = rp->max_page;
660 if (rp->page < HCI_MAX_PAGES)
661 memcpy(hdev->features[rp->page], rp->features, 8);
664 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
667 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
669 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
674 hdev->flow_ctl_mode = rp->mode;
677 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
679 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
681 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
686 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
687 hdev->sco_mtu = rp->sco_mtu;
688 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
689 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
691 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
696 hdev->acl_cnt = hdev->acl_pkts;
697 hdev->sco_cnt = hdev->sco_pkts;
699 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
700 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
703 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
705 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
707 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
712 if (test_bit(HCI_INIT, &hdev->flags))
713 bacpy(&hdev->bdaddr, &rp->bdaddr);
715 if (hci_dev_test_flag(hdev, HCI_SETUP))
716 bacpy(&hdev->setup_addr, &rp->bdaddr);
719 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
722 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
724 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
729 if (test_bit(HCI_INIT, &hdev->flags)) {
730 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
731 hdev->page_scan_window = __le16_to_cpu(rp->window);
735 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
738 u8 status = *((u8 *) skb->data);
739 struct hci_cp_write_page_scan_activity *sent;
741 BT_DBG("%s status 0x%2.2x", hdev->name, status);
746 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
750 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
751 hdev->page_scan_window = __le16_to_cpu(sent->window);
754 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
757 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
759 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
764 if (test_bit(HCI_INIT, &hdev->flags))
765 hdev->page_scan_type = rp->type;
768 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
771 u8 status = *((u8 *) skb->data);
774 BT_DBG("%s status 0x%2.2x", hdev->name, status);
779 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
781 hdev->page_scan_type = *type;
784 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
787 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
789 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
794 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
795 hdev->block_len = __le16_to_cpu(rp->block_len);
796 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
798 hdev->block_cnt = hdev->num_blocks;
800 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
801 hdev->block_cnt, hdev->block_len);
804 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
806 struct hci_rp_read_clock *rp = (void *) skb->data;
807 struct hci_cp_read_clock *cp;
808 struct hci_conn *conn;
810 BT_DBG("%s", hdev->name);
812 if (skb->len < sizeof(*rp))
820 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
824 if (cp->which == 0x00) {
825 hdev->clock = le32_to_cpu(rp->clock);
829 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
831 conn->clock = le32_to_cpu(rp->clock);
832 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
836 hci_dev_unlock(hdev);
839 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
842 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
844 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
849 hdev->amp_status = rp->amp_status;
850 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
851 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
852 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
853 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
854 hdev->amp_type = rp->amp_type;
855 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
856 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
857 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
858 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
861 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
864 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
866 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
871 hdev->inq_tx_power = rp->tx_power;
874 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
876 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
877 struct hci_cp_pin_code_reply *cp;
878 struct hci_conn *conn;
880 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
884 if (hci_dev_test_flag(hdev, HCI_MGMT))
885 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
890 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
894 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
896 conn->pin_length = cp->pin_len;
899 hci_dev_unlock(hdev);
902 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
904 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
910 if (hci_dev_test_flag(hdev, HCI_MGMT))
911 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
914 hci_dev_unlock(hdev);
917 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
920 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
922 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
927 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
928 hdev->le_pkts = rp->le_max_pkt;
930 hdev->le_cnt = hdev->le_pkts;
932 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
935 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
938 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
940 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
945 memcpy(hdev->le_features, rp->features, 8);
948 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
951 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
953 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
958 hdev->adv_tx_power = rp->tx_power;
961 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
979 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
981 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
985 if (hci_dev_test_flag(hdev, HCI_MGMT))
986 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
987 ACL_LINK, 0, rp->status);
989 hci_dev_unlock(hdev);
992 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1016 if (hci_dev_test_flag(hdev, HCI_MGMT))
1017 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1018 ACL_LINK, 0, rp->status);
1020 hci_dev_unlock(hdev);
1023 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1024 struct sk_buff *skb)
1026 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1028 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1031 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1032 struct sk_buff *skb)
1034 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1036 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1039 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1041 __u8 status = *((__u8 *) skb->data);
1044 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1055 bacpy(&hdev->random_addr, sent);
1057 hci_dev_unlock(hdev);
1060 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1062 __u8 status = *((__u8 *) skb->data);
1063 struct hci_cp_le_set_default_phy *cp;
1065 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1070 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1076 hdev->le_tx_def_phys = cp->tx_phys;
1077 hdev->le_rx_def_phys = cp->rx_phys;
1079 hci_dev_unlock(hdev);
1082 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1083 struct sk_buff *skb)
1085 __u8 status = *((__u8 *) skb->data);
1086 struct hci_cp_le_set_adv_set_rand_addr *cp;
1087 struct adv_info *adv_instance;
1092 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1098 if (!hdev->cur_adv_instance) {
1099 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1100 bacpy(&hdev->random_addr, &cp->bdaddr);
1102 adv_instance = hci_find_adv_instance(hdev,
1103 hdev->cur_adv_instance);
1105 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1108 hci_dev_unlock(hdev);
1111 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1113 __u8 *sent, status = *((__u8 *) skb->data);
1115 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1120 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1126 /* If we're doing connection initiation as peripheral. Set a
1127 * timeout in case something goes wrong.
1130 struct hci_conn *conn;
1132 hci_dev_set_flag(hdev, HCI_LE_ADV);
1134 conn = hci_lookup_le_connect(hdev);
1136 queue_delayed_work(hdev->workqueue,
1137 &conn->le_conn_timeout,
1138 conn->conn_timeout);
1140 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1143 hci_dev_unlock(hdev);
1146 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1147 struct sk_buff *skb)
1149 struct hci_cp_le_set_ext_adv_enable *cp;
1150 __u8 status = *((__u8 *) skb->data);
1152 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1157 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1164 struct hci_conn *conn;
1166 hci_dev_set_flag(hdev, HCI_LE_ADV);
1168 conn = hci_lookup_le_connect(hdev);
1170 queue_delayed_work(hdev->workqueue,
1171 &conn->le_conn_timeout,
1172 conn->conn_timeout);
1174 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1177 hci_dev_unlock(hdev);
1180 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1182 struct hci_cp_le_set_scan_param *cp;
1183 __u8 status = *((__u8 *) skb->data);
1185 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1190 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1196 hdev->le_scan_type = cp->type;
1198 hci_dev_unlock(hdev);
1201 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1202 struct sk_buff *skb)
1204 struct hci_cp_le_set_ext_scan_params *cp;
1205 __u8 status = *((__u8 *) skb->data);
1206 struct hci_cp_le_scan_phy_params *phy_param;
1208 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1213 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1217 phy_param = (void *)cp->data;
1221 hdev->le_scan_type = phy_param->type;
1223 hci_dev_unlock(hdev);
1226 static bool has_pending_adv_report(struct hci_dev *hdev)
1228 struct discovery_state *d = &hdev->discovery;
1230 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1233 static void clear_pending_adv_report(struct hci_dev *hdev)
1235 struct discovery_state *d = &hdev->discovery;
1237 bacpy(&d->last_adv_addr, BDADDR_ANY);
1238 d->last_adv_data_len = 0;
1242 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1243 u8 bdaddr_type, s8 rssi, u32 flags,
1246 struct discovery_state *d = &hdev->discovery;
1248 bacpy(&d->last_adv_addr, bdaddr);
1249 d->last_adv_addr_type = bdaddr_type;
1250 d->last_adv_rssi = rssi;
1251 d->last_adv_flags = flags;
1252 memcpy(d->last_adv_data, data, len);
1253 d->last_adv_data_len = len;
1257 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1262 case LE_SCAN_ENABLE:
1263 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1264 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1265 clear_pending_adv_report(hdev);
1268 case LE_SCAN_DISABLE:
1269 /* We do this here instead of when setting DISCOVERY_STOPPED
1270 * since the latter would potentially require waiting for
1271 * inquiry to stop too.
1273 if (has_pending_adv_report(hdev)) {
1274 struct discovery_state *d = &hdev->discovery;
1276 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1277 d->last_adv_addr_type, NULL,
1278 d->last_adv_rssi, d->last_adv_flags,
1280 d->last_adv_data_len, NULL, 0);
1283 /* Cancel this timer so that we don't try to disable scanning
1284 * when it's already disabled.
1286 cancel_delayed_work(&hdev->le_scan_disable);
1288 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1290 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1291 * interrupted scanning due to a connect request. Mark
1292 * therefore discovery as stopped. If this was not
1293 * because of a connect request advertising might have
1294 * been disabled because of active scanning, so
1295 * re-enable it again if necessary.
1297 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1298 #ifndef TIZEN_BT /* The below line is kernel bug. */
1299 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1301 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1303 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1304 hdev->discovery.state == DISCOVERY_FINDING)
1305 hci_req_reenable_advertising(hdev);
1310 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1315 hci_dev_unlock(hdev);
1318 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1319 struct sk_buff *skb)
1321 struct hci_cp_le_set_scan_enable *cp;
1322 __u8 status = *((__u8 *) skb->data);
1324 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1329 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1333 le_set_scan_enable_complete(hdev, cp->enable);
1336 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1337 struct sk_buff *skb)
1339 struct hci_cp_le_set_ext_scan_enable *cp;
1340 __u8 status = *((__u8 *) skb->data);
1342 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1347 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1351 le_set_scan_enable_complete(hdev, cp->enable);
1354 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1355 struct sk_buff *skb)
1357 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1359 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1365 hdev->le_num_of_adv_sets = rp->num_of_sets;
1368 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1369 struct sk_buff *skb)
1371 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1373 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1378 hdev->le_white_list_size = rp->size;
1381 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1382 struct sk_buff *skb)
1384 __u8 status = *((__u8 *) skb->data);
1386 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1391 hci_bdaddr_list_clear(&hdev->le_white_list);
1394 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1395 struct sk_buff *skb)
1397 struct hci_cp_le_add_to_white_list *sent;
1398 __u8 status = *((__u8 *) skb->data);
1400 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1405 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1409 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1413 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1414 struct sk_buff *skb)
1416 struct hci_cp_le_del_from_white_list *sent;
1417 __u8 status = *((__u8 *) skb->data);
1419 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1424 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1428 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1432 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1433 struct sk_buff *skb)
1435 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1437 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1442 memcpy(hdev->le_states, rp->le_states, 8);
1445 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1446 struct sk_buff *skb)
1448 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1450 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1455 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1456 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1459 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1460 struct sk_buff *skb)
1462 struct hci_cp_le_write_def_data_len *sent;
1463 __u8 status = *((__u8 *) skb->data);
1465 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1470 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1474 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1475 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1478 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1479 struct sk_buff *skb)
1481 __u8 status = *((__u8 *) skb->data);
1483 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1488 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1491 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1492 struct sk_buff *skb)
1494 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1496 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1501 hdev->le_resolv_list_size = rp->size;
1504 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1505 struct sk_buff *skb)
1507 __u8 *sent, status = *((__u8 *) skb->data);
1509 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1514 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1521 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1523 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1525 hci_dev_unlock(hdev);
1528 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1529 struct sk_buff *skb)
1531 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1533 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1538 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1539 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1540 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1541 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1544 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1545 struct sk_buff *skb)
1547 struct hci_cp_write_le_host_supported *sent;
1548 __u8 status = *((__u8 *) skb->data);
1550 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1555 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1562 hdev->features[1][0] |= LMP_HOST_LE;
1563 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1565 hdev->features[1][0] &= ~LMP_HOST_LE;
1566 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1567 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1571 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1573 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1575 hci_dev_unlock(hdev);
1578 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1580 struct hci_cp_le_set_adv_param *cp;
1581 u8 status = *((u8 *) skb->data);
1583 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1588 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1593 hdev->adv_addr_type = cp->own_address_type;
1594 hci_dev_unlock(hdev);
1597 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1599 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1600 struct hci_cp_le_set_ext_adv_params *cp;
1601 struct adv_info *adv_instance;
1603 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1608 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1613 hdev->adv_addr_type = cp->own_addr_type;
1614 if (!hdev->cur_adv_instance) {
1615 /* Store in hdev for instance 0 */
1616 hdev->adv_tx_power = rp->tx_power;
1618 adv_instance = hci_find_adv_instance(hdev,
1619 hdev->cur_adv_instance);
1621 adv_instance->tx_power = rp->tx_power;
1623 /* Update adv data as tx power is known now */
1624 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1625 hci_dev_unlock(hdev);
1629 static void hci_cc_enable_rssi(struct hci_dev *hdev,
1630 struct sk_buff *skb)
1632 struct hci_cc_rsp_enable_rssi *rp = (void *)skb->data;
1634 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
1635 hdev->name, rp->status, rp->le_ext_opcode);
1637 mgmt_enable_rssi_cc(hdev, rp, rp->status);
1640 static void hci_cc_get_raw_rssi(struct hci_dev *hdev,
1641 struct sk_buff *skb)
1643 struct hci_cc_rp_get_raw_rssi *rp = (void *)skb->data;
1645 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
1646 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
1648 mgmt_raw_rssi_response(hdev, rp, rp->status);
1651 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
1652 struct sk_buff *skb)
1654 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
1656 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
1658 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
1662 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
1663 struct sk_buff *skb)
1665 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
1666 __u8 event_le_ext_sub_code;
1668 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
1669 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
1671 skb_pull(skb, sizeof(*ev));
1672 event_le_ext_sub_code = ev->event_le_ext_sub_code;
1674 switch (event_le_ext_sub_code) {
1675 case LE_RSSI_LINK_ALERT:
1676 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
1684 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
1685 struct sk_buff *skb)
1687 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
1689 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
1691 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
1692 ev->state_change_reason,
1693 ev->connection_handle);
1696 static void hci_vendor_specific_evt(struct hci_dev *hdev, struct sk_buff *skb)
1698 struct hci_ev_vendor_specific *ev = (void *)skb->data;
1699 __u8 event_sub_code;
1701 BT_DBG("hci_vendor_specific_evt");
1703 skb_pull(skb, sizeof(*ev));
1704 event_sub_code = ev->event_sub_code;
1706 switch (event_sub_code) {
1707 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
1708 hci_vendor_specific_group_ext_evt(hdev, skb);
1711 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
1712 hci_vendor_multi_adv_state_change_evt(hdev, skb);
1721 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1723 struct hci_rp_read_rssi *rp = (void *) skb->data;
1724 struct hci_conn *conn;
1726 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1733 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1735 conn->rssi = rp->rssi;
1737 hci_dev_unlock(hdev);
1740 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1742 struct hci_cp_read_tx_power *sent;
1743 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1744 struct hci_conn *conn;
1746 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1751 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1757 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1761 switch (sent->type) {
1763 conn->tx_power = rp->tx_power;
1766 conn->max_tx_power = rp->tx_power;
1771 hci_dev_unlock(hdev);
1774 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1776 u8 status = *((u8 *) skb->data);
1779 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1784 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1786 hdev->ssp_debug_mode = *mode;
1789 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1791 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1794 hci_conn_check_pending(hdev);
1798 set_bit(HCI_INQUIRY, &hdev->flags);
1801 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1803 struct hci_cp_create_conn *cp;
1804 struct hci_conn *conn;
1806 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1808 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1814 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1816 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1819 if (conn && conn->state == BT_CONNECT) {
1820 if (status != 0x0c || conn->attempt > 2) {
1821 conn->state = BT_CLOSED;
1822 hci_connect_cfm(conn, status);
1825 conn->state = BT_CONNECT2;
1829 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1832 bt_dev_err(hdev, "no memory for new connection");
1836 hci_dev_unlock(hdev);
1839 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1841 struct hci_cp_add_sco *cp;
1842 struct hci_conn *acl, *sco;
1845 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1850 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1854 handle = __le16_to_cpu(cp->handle);
1856 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1860 acl = hci_conn_hash_lookup_handle(hdev, handle);
1864 sco->state = BT_CLOSED;
1866 hci_connect_cfm(sco, status);
1871 hci_dev_unlock(hdev);
1874 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1876 struct hci_cp_auth_requested *cp;
1877 struct hci_conn *conn;
1879 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 if (conn->state == BT_CONFIG) {
1893 hci_connect_cfm(conn, status);
1894 hci_conn_drop(conn);
1898 hci_dev_unlock(hdev);
1901 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1903 struct hci_cp_set_conn_encrypt *cp;
1904 struct hci_conn *conn;
1906 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1911 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1917 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1919 if (conn->state == BT_CONFIG) {
1920 hci_connect_cfm(conn, status);
1921 hci_conn_drop(conn);
1925 hci_dev_unlock(hdev);
1928 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1929 struct hci_conn *conn)
1931 if (conn->state != BT_CONFIG || !conn->out)
1934 if (conn->pending_sec_level == BT_SECURITY_SDP)
1937 /* Only request authentication for SSP connections or non-SSP
1938 * devices with sec_level MEDIUM or HIGH or if MITM protection
1941 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1942 conn->pending_sec_level != BT_SECURITY_FIPS &&
1943 conn->pending_sec_level != BT_SECURITY_HIGH &&
1944 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1950 static int hci_resolve_name(struct hci_dev *hdev,
1951 struct inquiry_entry *e)
1953 struct hci_cp_remote_name_req cp;
1955 memset(&cp, 0, sizeof(cp));
1957 bacpy(&cp.bdaddr, &e->data.bdaddr);
1958 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1959 cp.pscan_mode = e->data.pscan_mode;
1960 cp.clock_offset = e->data.clock_offset;
1962 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1965 static bool hci_resolve_next_name(struct hci_dev *hdev)
1967 struct discovery_state *discov = &hdev->discovery;
1968 struct inquiry_entry *e;
1970 if (list_empty(&discov->resolve))
1973 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1977 if (hci_resolve_name(hdev, e) == 0) {
1978 e->name_state = NAME_PENDING;
1985 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1986 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1988 struct discovery_state *discov = &hdev->discovery;
1989 struct inquiry_entry *e;
1992 /* Update the mgmt connected state if necessary. Be careful with
1993 * conn objects that exist but are not (yet) connected however.
1994 * Only those in BT_CONFIG or BT_CONNECTED states can be
1995 * considered connected.
1998 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
1999 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2000 mgmt_device_connected(hdev, conn, 0, name, name_len);
2002 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2006 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2007 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2008 mgmt_device_connected(hdev, conn, 0, name, name_len);
2011 if (discov->state == DISCOVERY_STOPPED)
2014 if (discov->state == DISCOVERY_STOPPING)
2015 goto discov_complete;
2017 if (discov->state != DISCOVERY_RESOLVING)
2020 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2021 /* If the device was not found in a list of found devices names of which
2022 * are pending. there is no need to continue resolving a next name as it
2023 * will be done upon receiving another Remote Name Request Complete
2030 e->name_state = NAME_KNOWN;
2031 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2032 e->data.rssi, name, name_len);
2034 e->name_state = NAME_NOT_KNOWN;
2037 if (hci_resolve_next_name(hdev))
2041 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2044 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2046 struct hci_cp_remote_name_req *cp;
2047 struct hci_conn *conn;
2049 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2051 /* If successful wait for the name req complete event before
2052 * checking for the need to do authentication */
2056 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2062 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2064 if (hci_dev_test_flag(hdev, HCI_MGMT))
2065 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2070 if (!hci_outgoing_auth_needed(hdev, conn))
2073 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2074 struct hci_cp_auth_requested auth_cp;
2076 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2078 auth_cp.handle = __cpu_to_le16(conn->handle);
2079 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2080 sizeof(auth_cp), &auth_cp);
2084 hci_dev_unlock(hdev);
2087 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2089 struct hci_cp_read_remote_features *cp;
2090 struct hci_conn *conn;
2092 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2097 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2103 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2105 if (conn->state == BT_CONFIG) {
2106 hci_connect_cfm(conn, status);
2107 hci_conn_drop(conn);
2111 hci_dev_unlock(hdev);
2114 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2116 struct hci_cp_read_remote_ext_features *cp;
2117 struct hci_conn *conn;
2119 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2124 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2132 if (conn->state == BT_CONFIG) {
2133 hci_connect_cfm(conn, status);
2134 hci_conn_drop(conn);
2138 hci_dev_unlock(hdev);
2141 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2143 struct hci_cp_setup_sync_conn *cp;
2144 struct hci_conn *acl, *sco;
2147 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2152 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2156 handle = __le16_to_cpu(cp->handle);
2158 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2162 acl = hci_conn_hash_lookup_handle(hdev, handle);
2166 sco->state = BT_CLOSED;
2168 hci_connect_cfm(sco, status);
2173 hci_dev_unlock(hdev);
2176 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2178 struct hci_cp_sniff_mode *cp;
2179 struct hci_conn *conn;
2181 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2186 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2192 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2194 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2196 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2197 hci_sco_setup(conn, status);
2200 hci_dev_unlock(hdev);
2203 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2205 struct hci_cp_exit_sniff_mode *cp;
2206 struct hci_conn *conn;
2208 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2213 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2221 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2223 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2224 hci_sco_setup(conn, status);
2227 hci_dev_unlock(hdev);
2230 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2232 struct hci_cp_disconnect *cp;
2233 struct hci_conn *conn;
2238 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2244 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2246 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2247 conn->dst_type, status);
2249 hci_dev_unlock(hdev);
2252 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2253 u8 peer_addr_type, u8 own_address_type,
2256 struct hci_conn *conn;
2258 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2263 /* Store the initiator and responder address information which
2264 * is needed for SMP. These values will not change during the
2265 * lifetime of the connection.
2267 conn->init_addr_type = own_address_type;
2268 if (own_address_type == ADDR_LE_DEV_RANDOM)
2269 bacpy(&conn->init_addr, &hdev->random_addr);
2271 bacpy(&conn->init_addr, &hdev->bdaddr);
2273 conn->resp_addr_type = peer_addr_type;
2274 bacpy(&conn->resp_addr, peer_addr);
2276 /* We don't want the connection attempt to stick around
2277 * indefinitely since LE doesn't have a page timeout concept
2278 * like BR/EDR. Set a timer for any connection that doesn't use
2279 * the white list for connecting.
2281 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2282 queue_delayed_work(conn->hdev->workqueue,
2283 &conn->le_conn_timeout,
2284 conn->conn_timeout);
2287 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2289 struct hci_cp_le_create_conn *cp;
2291 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2293 /* All connection failure handling is taken care of by the
2294 * hci_le_conn_failed function which is triggered by the HCI
2295 * request completion callbacks used for connecting.
2300 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2306 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2307 cp->own_address_type, cp->filter_policy);
2309 hci_dev_unlock(hdev);
2312 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2314 struct hci_cp_le_ext_create_conn *cp;
2316 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2318 /* All connection failure handling is taken care of by the
2319 * hci_le_conn_failed function which is triggered by the HCI
2320 * request completion callbacks used for connecting.
2325 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2331 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2332 cp->own_addr_type, cp->filter_policy);
2334 hci_dev_unlock(hdev);
2337 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2339 struct hci_cp_le_read_remote_features *cp;
2340 struct hci_conn *conn;
2342 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2347 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2353 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2355 if (conn->state == BT_CONFIG) {
2356 hci_connect_cfm(conn, status);
2357 hci_conn_drop(conn);
2361 hci_dev_unlock(hdev);
2364 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2366 struct hci_cp_le_start_enc *cp;
2367 struct hci_conn *conn;
2369 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2376 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2380 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2384 if (conn->state != BT_CONNECTED)
2387 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2388 hci_conn_drop(conn);
2391 hci_dev_unlock(hdev);
2394 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2396 struct hci_cp_switch_role *cp;
2397 struct hci_conn *conn;
2399 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2404 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2410 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2412 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2414 hci_dev_unlock(hdev);
2417 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2419 __u8 status = *((__u8 *) skb->data);
2420 struct discovery_state *discov = &hdev->discovery;
2421 struct inquiry_entry *e;
2423 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2425 hci_conn_check_pending(hdev);
2427 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2430 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2431 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2433 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2438 if (discov->state != DISCOVERY_FINDING)
2441 if (list_empty(&discov->resolve)) {
2442 /* When BR/EDR inquiry is active and no LE scanning is in
2443 * progress, then change discovery state to indicate completion.
2445 * When running LE scanning and BR/EDR inquiry simultaneously
2446 * and the LE scan already finished, then change the discovery
2447 * state to indicate completion.
2449 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2450 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2451 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2455 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2456 if (e && hci_resolve_name(hdev, e) == 0) {
2457 e->name_state = NAME_PENDING;
2458 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2460 /* When BR/EDR inquiry is active and no LE scanning is in
2461 * progress, then change discovery state to indicate completion.
2463 * When running LE scanning and BR/EDR inquiry simultaneously
2464 * and the LE scan already finished, then change the discovery
2465 * state to indicate completion.
2467 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2468 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2469 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2473 hci_dev_unlock(hdev);
2476 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2478 struct inquiry_data data;
2479 struct inquiry_info *info = (void *) (skb->data + 1);
2480 int num_rsp = *((__u8 *) skb->data);
2482 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2487 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2492 for (; num_rsp; num_rsp--, info++) {
2495 bacpy(&data.bdaddr, &info->bdaddr);
2496 data.pscan_rep_mode = info->pscan_rep_mode;
2497 data.pscan_period_mode = info->pscan_period_mode;
2498 data.pscan_mode = info->pscan_mode;
2499 memcpy(data.dev_class, info->dev_class, 3);
2500 data.clock_offset = info->clock_offset;
2501 data.rssi = HCI_RSSI_INVALID;
2502 data.ssp_mode = 0x00;
2504 flags = hci_inquiry_cache_update(hdev, &data, false);
2506 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2507 info->dev_class, HCI_RSSI_INVALID,
2508 flags, NULL, 0, NULL, 0);
2511 hci_dev_unlock(hdev);
2514 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2516 struct hci_ev_conn_complete *ev = (void *) skb->data;
2517 struct hci_conn *conn;
2519 BT_DBG("%s", hdev->name);
2523 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2525 if (ev->link_type != SCO_LINK)
2528 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2532 conn->type = SCO_LINK;
2536 conn->handle = __le16_to_cpu(ev->handle);
2538 if (conn->type == ACL_LINK) {
2539 conn->state = BT_CONFIG;
2540 hci_conn_hold(conn);
2542 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2543 !hci_find_link_key(hdev, &ev->bdaddr))
2544 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2546 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2548 conn->state = BT_CONNECTED;
2550 hci_debugfs_create_conn(conn);
2551 hci_conn_add_sysfs(conn);
2553 if (test_bit(HCI_AUTH, &hdev->flags))
2554 set_bit(HCI_CONN_AUTH, &conn->flags);
2556 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2557 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2559 /* Get remote features */
2560 if (conn->type == ACL_LINK) {
2561 struct hci_cp_read_remote_features cp;
2562 cp.handle = ev->handle;
2563 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2566 hci_req_update_scan(hdev);
2569 /* Set packet type for incoming connection */
2570 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2571 struct hci_cp_change_conn_ptype cp;
2572 cp.handle = ev->handle;
2573 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2574 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2578 if (get_link_mode(conn) & HCI_LM_MASTER)
2579 hci_conn_change_supervision_timeout(conn,
2580 LINK_SUPERVISION_TIMEOUT);
2583 conn->state = BT_CLOSED;
2584 if (conn->type == ACL_LINK)
2585 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2586 conn->dst_type, ev->status);
2589 if (conn->type == ACL_LINK)
2590 hci_sco_setup(conn, ev->status);
2593 hci_connect_cfm(conn, ev->status);
2595 } else if (ev->link_type != ACL_LINK)
2596 hci_connect_cfm(conn, ev->status);
2599 hci_dev_unlock(hdev);
2601 hci_conn_check_pending(hdev);
2604 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2606 struct hci_cp_reject_conn_req cp;
2608 bacpy(&cp.bdaddr, bdaddr);
2609 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2610 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2613 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2615 struct hci_ev_conn_request *ev = (void *) skb->data;
2616 int mask = hdev->link_mode;
2617 struct inquiry_entry *ie;
2618 struct hci_conn *conn;
2621 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2624 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2627 if (!(mask & HCI_LM_ACCEPT)) {
2628 hci_reject_conn(hdev, &ev->bdaddr);
2632 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2634 hci_reject_conn(hdev, &ev->bdaddr);
2638 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2639 * connection. These features are only touched through mgmt so
2640 * only do the checks if HCI_MGMT is set.
2642 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2643 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2644 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2646 hci_reject_conn(hdev, &ev->bdaddr);
2650 /* Connection accepted */
2654 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2656 memcpy(ie->data.dev_class, ev->dev_class, 3);
2659 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
2660 hci_conn_hash_lookup_sco(hdev)) {
2661 struct hci_cp_reject_conn_req cp;
2663 bacpy(&cp.bdaddr, &ev->bdaddr);
2664 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
2665 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
2667 hci_dev_unlock(hdev);
2672 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2675 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2678 bt_dev_err(hdev, "no memory for new connection");
2679 hci_dev_unlock(hdev);
2684 memcpy(conn->dev_class, ev->dev_class, 3);
2686 hci_dev_unlock(hdev);
2688 if (ev->link_type == ACL_LINK ||
2689 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2690 struct hci_cp_accept_conn_req cp;
2691 conn->state = BT_CONNECT;
2693 bacpy(&cp.bdaddr, &ev->bdaddr);
2695 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2696 cp.role = 0x00; /* Become master */
2698 cp.role = 0x01; /* Remain slave */
2700 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2701 } else if (!(flags & HCI_PROTO_DEFER)) {
2702 struct hci_cp_accept_sync_conn_req cp;
2703 conn->state = BT_CONNECT;
2705 bacpy(&cp.bdaddr, &ev->bdaddr);
2706 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2708 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2709 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2710 cp.max_latency = cpu_to_le16(0xffff);
2711 cp.content_format = cpu_to_le16(hdev->voice_setting);
2712 cp.retrans_effort = 0xff;
2714 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2717 conn->state = BT_CONNECT2;
2718 hci_connect_cfm(conn, 0);
2722 static u8 hci_to_mgmt_reason(u8 err)
2725 case HCI_ERROR_CONNECTION_TIMEOUT:
2726 return MGMT_DEV_DISCONN_TIMEOUT;
2727 case HCI_ERROR_REMOTE_USER_TERM:
2728 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2729 case HCI_ERROR_REMOTE_POWER_OFF:
2730 return MGMT_DEV_DISCONN_REMOTE;
2731 case HCI_ERROR_LOCAL_HOST_TERM:
2732 return MGMT_DEV_DISCONN_LOCAL_HOST;
2734 return MGMT_DEV_DISCONN_UNKNOWN;
2738 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2740 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2742 struct hci_conn_params *params;
2743 struct hci_conn *conn;
2744 bool mgmt_connected;
2747 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2751 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2756 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2757 conn->dst_type, ev->status);
2761 conn->state = BT_CLOSED;
2763 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2765 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2766 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2768 reason = hci_to_mgmt_reason(ev->reason);
2770 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2771 reason, mgmt_connected);
2773 if (conn->type == ACL_LINK) {
2774 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2775 hci_remove_link_key(hdev, &conn->dst);
2777 hci_req_update_scan(hdev);
2780 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2782 switch (params->auto_connect) {
2783 case HCI_AUTO_CONN_LINK_LOSS:
2784 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2788 case HCI_AUTO_CONN_DIRECT:
2789 case HCI_AUTO_CONN_ALWAYS:
2790 list_del_init(¶ms->action);
2791 list_add(¶ms->action, &hdev->pend_le_conns);
2792 hci_update_background_scan(hdev);
2802 hci_disconn_cfm(conn, ev->reason);
2805 /* Re-enable advertising if necessary, since it might
2806 * have been disabled by the connection. From the
2807 * HCI_LE_Set_Advertise_Enable command description in
2808 * the core specification (v4.0):
2809 * "The Controller shall continue advertising until the Host
2810 * issues an LE_Set_Advertise_Enable command with
2811 * Advertising_Enable set to 0x00 (Advertising is disabled)
2812 * or until a connection is created or until the Advertising
2813 * is timed out due to Directed Advertising."
2815 if (type == LE_LINK)
2816 hci_req_reenable_advertising(hdev);
2819 hci_dev_unlock(hdev);
2822 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2824 struct hci_ev_auth_complete *ev = (void *) skb->data;
2825 struct hci_conn *conn;
2827 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2831 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2836 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2838 if (!hci_conn_ssp_enabled(conn) &&
2839 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2840 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2842 set_bit(HCI_CONN_AUTH, &conn->flags);
2843 conn->sec_level = conn->pending_sec_level;
2846 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2847 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2849 mgmt_auth_failed(conn, ev->status);
2852 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2853 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2855 if (conn->state == BT_CONFIG) {
2856 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2857 struct hci_cp_set_conn_encrypt cp;
2858 cp.handle = ev->handle;
2860 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2863 conn->state = BT_CONNECTED;
2864 hci_connect_cfm(conn, ev->status);
2865 hci_conn_drop(conn);
2868 hci_auth_cfm(conn, ev->status);
2870 hci_conn_hold(conn);
2871 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2872 hci_conn_drop(conn);
2875 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2877 struct hci_cp_set_conn_encrypt cp;
2878 cp.handle = ev->handle;
2880 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2883 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2884 hci_encrypt_cfm(conn, ev->status, 0x00);
2889 hci_dev_unlock(hdev);
2892 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2894 struct hci_ev_remote_name *ev = (void *) skb->data;
2895 struct hci_conn *conn;
2897 BT_DBG("%s", hdev->name);
2899 hci_conn_check_pending(hdev);
2903 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2905 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2908 if (ev->status == 0)
2909 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2910 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2912 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2918 if (!hci_outgoing_auth_needed(hdev, conn))
2921 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2922 struct hci_cp_auth_requested cp;
2924 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2926 cp.handle = __cpu_to_le16(conn->handle);
2927 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2931 hci_dev_unlock(hdev);
2934 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2935 u16 opcode, struct sk_buff *skb)
2937 const struct hci_rp_read_enc_key_size *rp;
2938 struct hci_conn *conn;
2941 BT_DBG("%s status 0x%02x", hdev->name, status);
2943 if (!skb || skb->len < sizeof(*rp)) {
2944 bt_dev_err(hdev, "invalid read key size response");
2948 rp = (void *)skb->data;
2949 handle = le16_to_cpu(rp->handle);
2953 conn = hci_conn_hash_lookup_handle(hdev, handle);
2957 /* If we fail to read the encryption key size, assume maximum
2958 * (which is the same we do also when this HCI command isn't
2962 bt_dev_err(hdev, "failed to read key size for handle %u",
2964 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2966 conn->enc_key_size = rp->key_size;
2969 if (conn->state == BT_CONFIG) {
2970 conn->state = BT_CONNECTED;
2971 hci_connect_cfm(conn, 0);
2972 hci_conn_drop(conn);
2976 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2978 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2983 hci_encrypt_cfm(conn, 0, encrypt);
2987 hci_dev_unlock(hdev);
2990 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2992 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2993 struct hci_conn *conn;
2995 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2999 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3005 /* Encryption implies authentication */
3006 set_bit(HCI_CONN_AUTH, &conn->flags);
3007 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3008 conn->sec_level = conn->pending_sec_level;
3010 /* P-256 authentication key implies FIPS */
3011 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3012 set_bit(HCI_CONN_FIPS, &conn->flags);
3014 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3015 conn->type == LE_LINK)
3016 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3018 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3019 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3023 /* We should disregard the current RPA and generate a new one
3024 * whenever the encryption procedure fails.
3026 if (ev->status && conn->type == LE_LINK) {
3027 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3028 hci_adv_instances_set_rpa_expired(hdev, true);
3031 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3033 if (ev->status && conn->state == BT_CONNECTED) {
3034 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3035 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3037 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3038 hci_conn_drop(conn);
3042 /* In Secure Connections Only mode, do not allow any connections
3043 * that are not encrypted with AES-CCM using a P-256 authenticated
3046 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
3047 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
3048 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
3049 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
3050 hci_conn_drop(conn);
3054 /* Try reading the encryption key size for encrypted ACL links */
3055 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3056 struct hci_cp_read_enc_key_size cp;
3057 struct hci_request req;
3059 /* Only send HCI_Read_Encryption_Key_Size if the
3060 * controller really supports it. If it doesn't, assume
3061 * the default size (16).
3063 if (!(hdev->commands[20] & 0x10)) {
3064 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3068 hci_req_init(&req, hdev);
3070 cp.handle = cpu_to_le16(conn->handle);
3071 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3073 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3074 bt_dev_err(hdev, "sending read key size failed");
3075 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3083 if (conn->state == BT_CONFIG) {
3085 conn->state = BT_CONNECTED;
3087 hci_connect_cfm(conn, ev->status);
3088 hci_conn_drop(conn);
3090 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
3093 hci_dev_unlock(hdev);
3096 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3097 struct sk_buff *skb)
3099 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3100 struct hci_conn *conn;
3102 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3106 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3109 set_bit(HCI_CONN_SECURE, &conn->flags);
3111 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3113 hci_key_change_cfm(conn, ev->status);
3116 hci_dev_unlock(hdev);
3119 static void hci_remote_features_evt(struct hci_dev *hdev,
3120 struct sk_buff *skb)
3122 struct hci_ev_remote_features *ev = (void *) skb->data;
3123 struct hci_conn *conn;
3125 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3134 memcpy(conn->features[0], ev->features, 8);
3136 if (conn->state != BT_CONFIG)
3139 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3140 lmp_ext_feat_capable(conn)) {
3141 struct hci_cp_read_remote_ext_features cp;
3142 cp.handle = ev->handle;
3144 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3149 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3150 struct hci_cp_remote_name_req cp;
3151 memset(&cp, 0, sizeof(cp));
3152 bacpy(&cp.bdaddr, &conn->dst);
3153 cp.pscan_rep_mode = 0x02;
3154 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3155 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3156 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3158 if (!hci_outgoing_auth_needed(hdev, conn)) {
3159 conn->state = BT_CONNECTED;
3160 hci_connect_cfm(conn, ev->status);
3161 hci_conn_drop(conn);
3165 hci_dev_unlock(hdev);
3168 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3169 u16 *opcode, u8 *status,
3170 hci_req_complete_t *req_complete,
3171 hci_req_complete_skb_t *req_complete_skb)
3173 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3175 *opcode = __le16_to_cpu(ev->opcode);
3176 *status = skb->data[sizeof(*ev)];
3178 skb_pull(skb, sizeof(*ev));
3181 case HCI_OP_INQUIRY_CANCEL:
3182 hci_cc_inquiry_cancel(hdev, skb);
3185 case HCI_OP_PERIODIC_INQ:
3186 hci_cc_periodic_inq(hdev, skb);
3189 case HCI_OP_EXIT_PERIODIC_INQ:
3190 hci_cc_exit_periodic_inq(hdev, skb);
3193 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3194 hci_cc_remote_name_req_cancel(hdev, skb);
3197 case HCI_OP_ROLE_DISCOVERY:
3198 hci_cc_role_discovery(hdev, skb);
3201 case HCI_OP_READ_LINK_POLICY:
3202 hci_cc_read_link_policy(hdev, skb);
3205 case HCI_OP_WRITE_LINK_POLICY:
3206 hci_cc_write_link_policy(hdev, skb);
3209 case HCI_OP_READ_DEF_LINK_POLICY:
3210 hci_cc_read_def_link_policy(hdev, skb);
3213 case HCI_OP_WRITE_DEF_LINK_POLICY:
3214 hci_cc_write_def_link_policy(hdev, skb);
3218 hci_cc_reset(hdev, skb);
3221 case HCI_OP_READ_STORED_LINK_KEY:
3222 hci_cc_read_stored_link_key(hdev, skb);
3225 case HCI_OP_DELETE_STORED_LINK_KEY:
3226 hci_cc_delete_stored_link_key(hdev, skb);
3229 case HCI_OP_WRITE_LOCAL_NAME:
3230 hci_cc_write_local_name(hdev, skb);
3233 case HCI_OP_READ_LOCAL_NAME:
3234 hci_cc_read_local_name(hdev, skb);
3237 case HCI_OP_WRITE_AUTH_ENABLE:
3238 hci_cc_write_auth_enable(hdev, skb);
3241 case HCI_OP_WRITE_ENCRYPT_MODE:
3242 hci_cc_write_encrypt_mode(hdev, skb);
3245 case HCI_OP_WRITE_SCAN_ENABLE:
3246 hci_cc_write_scan_enable(hdev, skb);
3249 case HCI_OP_READ_CLASS_OF_DEV:
3250 hci_cc_read_class_of_dev(hdev, skb);
3253 case HCI_OP_WRITE_CLASS_OF_DEV:
3254 hci_cc_write_class_of_dev(hdev, skb);
3257 case HCI_OP_READ_VOICE_SETTING:
3258 hci_cc_read_voice_setting(hdev, skb);
3261 case HCI_OP_WRITE_VOICE_SETTING:
3262 hci_cc_write_voice_setting(hdev, skb);
3265 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3266 hci_cc_read_num_supported_iac(hdev, skb);
3269 case HCI_OP_WRITE_SSP_MODE:
3270 hci_cc_write_ssp_mode(hdev, skb);
3273 case HCI_OP_WRITE_SC_SUPPORT:
3274 hci_cc_write_sc_support(hdev, skb);
3277 case HCI_OP_READ_LOCAL_VERSION:
3278 hci_cc_read_local_version(hdev, skb);
3281 case HCI_OP_READ_LOCAL_COMMANDS:
3282 hci_cc_read_local_commands(hdev, skb);
3285 case HCI_OP_READ_LOCAL_FEATURES:
3286 hci_cc_read_local_features(hdev, skb);
3289 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3290 hci_cc_read_local_ext_features(hdev, skb);
3293 case HCI_OP_READ_BUFFER_SIZE:
3294 hci_cc_read_buffer_size(hdev, skb);
3297 case HCI_OP_READ_BD_ADDR:
3298 hci_cc_read_bd_addr(hdev, skb);
3301 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3302 hci_cc_read_page_scan_activity(hdev, skb);
3305 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3306 hci_cc_write_page_scan_activity(hdev, skb);
3309 case HCI_OP_READ_PAGE_SCAN_TYPE:
3310 hci_cc_read_page_scan_type(hdev, skb);
3313 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3314 hci_cc_write_page_scan_type(hdev, skb);
3317 case HCI_OP_READ_DATA_BLOCK_SIZE:
3318 hci_cc_read_data_block_size(hdev, skb);
3321 case HCI_OP_READ_FLOW_CONTROL_MODE:
3322 hci_cc_read_flow_control_mode(hdev, skb);
3325 case HCI_OP_READ_LOCAL_AMP_INFO:
3326 hci_cc_read_local_amp_info(hdev, skb);
3329 case HCI_OP_READ_CLOCK:
3330 hci_cc_read_clock(hdev, skb);
3333 case HCI_OP_READ_INQ_RSP_TX_POWER:
3334 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3337 case HCI_OP_PIN_CODE_REPLY:
3338 hci_cc_pin_code_reply(hdev, skb);
3341 case HCI_OP_PIN_CODE_NEG_REPLY:
3342 hci_cc_pin_code_neg_reply(hdev, skb);
3345 case HCI_OP_READ_LOCAL_OOB_DATA:
3346 hci_cc_read_local_oob_data(hdev, skb);
3349 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3350 hci_cc_read_local_oob_ext_data(hdev, skb);
3353 case HCI_OP_LE_READ_BUFFER_SIZE:
3354 hci_cc_le_read_buffer_size(hdev, skb);
3357 case HCI_OP_LE_READ_LOCAL_FEATURES:
3358 hci_cc_le_read_local_features(hdev, skb);
3361 case HCI_OP_LE_READ_ADV_TX_POWER:
3362 hci_cc_le_read_adv_tx_power(hdev, skb);
3365 case HCI_OP_USER_CONFIRM_REPLY:
3366 hci_cc_user_confirm_reply(hdev, skb);
3369 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3370 hci_cc_user_confirm_neg_reply(hdev, skb);
3373 case HCI_OP_USER_PASSKEY_REPLY:
3374 hci_cc_user_passkey_reply(hdev, skb);
3377 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3378 hci_cc_user_passkey_neg_reply(hdev, skb);
3381 case HCI_OP_LE_SET_RANDOM_ADDR:
3382 hci_cc_le_set_random_addr(hdev, skb);
3385 case HCI_OP_LE_SET_ADV_ENABLE:
3386 hci_cc_le_set_adv_enable(hdev, skb);
3389 case HCI_OP_LE_SET_SCAN_PARAM:
3390 hci_cc_le_set_scan_param(hdev, skb);
3393 case HCI_OP_LE_SET_SCAN_ENABLE:
3394 hci_cc_le_set_scan_enable(hdev, skb);
3397 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3398 hci_cc_le_read_white_list_size(hdev, skb);
3401 case HCI_OP_LE_CLEAR_WHITE_LIST:
3402 hci_cc_le_clear_white_list(hdev, skb);
3405 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3406 hci_cc_le_add_to_white_list(hdev, skb);
3409 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3410 hci_cc_le_del_from_white_list(hdev, skb);
3413 case HCI_OP_LE_READ_SUPPORTED_STATES:
3414 hci_cc_le_read_supported_states(hdev, skb);
3417 case HCI_OP_LE_READ_DEF_DATA_LEN:
3418 hci_cc_le_read_def_data_len(hdev, skb);
3421 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3422 hci_cc_le_write_def_data_len(hdev, skb);
3425 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3426 hci_cc_le_clear_resolv_list(hdev, skb);
3429 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3430 hci_cc_le_read_resolv_list_size(hdev, skb);
3433 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3434 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3437 case HCI_OP_LE_READ_MAX_DATA_LEN:
3438 hci_cc_le_read_max_data_len(hdev, skb);
3441 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3442 hci_cc_write_le_host_supported(hdev, skb);
3445 case HCI_OP_LE_SET_ADV_PARAM:
3446 hci_cc_set_adv_param(hdev, skb);
3449 case HCI_OP_READ_RSSI:
3450 hci_cc_read_rssi(hdev, skb);
3453 case HCI_OP_READ_TX_POWER:
3454 hci_cc_read_tx_power(hdev, skb);
3457 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3458 hci_cc_write_ssp_debug_mode(hdev, skb);
3461 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3462 hci_cc_le_set_ext_scan_param(hdev, skb);
3465 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3466 hci_cc_le_set_ext_scan_enable(hdev, skb);
3469 case HCI_OP_LE_SET_DEFAULT_PHY:
3470 hci_cc_le_set_default_phy(hdev, skb);
3473 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3474 hci_cc_le_read_num_adv_sets(hdev, skb);
3477 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3478 hci_cc_set_ext_adv_param(hdev, skb);
3481 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3482 hci_cc_le_set_ext_adv_enable(hdev, skb);
3485 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3486 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3489 case HCI_OP_ENABLE_RSSI:
3490 hci_cc_enable_rssi(hdev, skb);
3493 case HCI_OP_GET_RAW_RSSI:
3494 hci_cc_get_raw_rssi(hdev, skb);
3498 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3502 if (*opcode != HCI_OP_NOP)
3503 cancel_delayed_work(&hdev->cmd_timer);
3505 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3506 atomic_set(&hdev->cmd_cnt, 1);
3508 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3511 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3513 "unexpected event for opcode 0x%4.4x", *opcode);
3517 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3518 queue_work(hdev->workqueue, &hdev->cmd_work);
3521 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3522 u16 *opcode, u8 *status,
3523 hci_req_complete_t *req_complete,
3524 hci_req_complete_skb_t *req_complete_skb)
3526 struct hci_ev_cmd_status *ev = (void *) skb->data;
3528 skb_pull(skb, sizeof(*ev));
3530 *opcode = __le16_to_cpu(ev->opcode);
3531 *status = ev->status;
3534 case HCI_OP_INQUIRY:
3535 hci_cs_inquiry(hdev, ev->status);
3538 case HCI_OP_CREATE_CONN:
3539 hci_cs_create_conn(hdev, ev->status);
3542 case HCI_OP_DISCONNECT:
3543 hci_cs_disconnect(hdev, ev->status);
3546 case HCI_OP_ADD_SCO:
3547 hci_cs_add_sco(hdev, ev->status);
3550 case HCI_OP_AUTH_REQUESTED:
3551 hci_cs_auth_requested(hdev, ev->status);
3554 case HCI_OP_SET_CONN_ENCRYPT:
3555 hci_cs_set_conn_encrypt(hdev, ev->status);
3558 case HCI_OP_REMOTE_NAME_REQ:
3559 hci_cs_remote_name_req(hdev, ev->status);
3562 case HCI_OP_READ_REMOTE_FEATURES:
3563 hci_cs_read_remote_features(hdev, ev->status);
3566 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3567 hci_cs_read_remote_ext_features(hdev, ev->status);
3570 case HCI_OP_SETUP_SYNC_CONN:
3571 hci_cs_setup_sync_conn(hdev, ev->status);
3574 case HCI_OP_SNIFF_MODE:
3575 hci_cs_sniff_mode(hdev, ev->status);
3578 case HCI_OP_EXIT_SNIFF_MODE:
3579 hci_cs_exit_sniff_mode(hdev, ev->status);
3582 case HCI_OP_SWITCH_ROLE:
3583 hci_cs_switch_role(hdev, ev->status);
3586 case HCI_OP_LE_CREATE_CONN:
3587 hci_cs_le_create_conn(hdev, ev->status);
3590 case HCI_OP_LE_READ_REMOTE_FEATURES:
3591 hci_cs_le_read_remote_features(hdev, ev->status);
3594 case HCI_OP_LE_START_ENC:
3595 hci_cs_le_start_enc(hdev, ev->status);
3598 case HCI_OP_LE_EXT_CREATE_CONN:
3599 hci_cs_le_ext_create_conn(hdev, ev->status);
3603 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3607 if (*opcode != HCI_OP_NOP)
3608 cancel_delayed_work(&hdev->cmd_timer);
3610 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3611 atomic_set(&hdev->cmd_cnt, 1);
3613 /* Indicate request completion if the command failed. Also, if
3614 * we're not waiting for a special event and we get a success
3615 * command status we should try to flag the request as completed
3616 * (since for this kind of commands there will not be a command
3620 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3621 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3624 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3626 "unexpected event for opcode 0x%4.4x", *opcode);
3630 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3631 queue_work(hdev->workqueue, &hdev->cmd_work);
3634 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3636 struct hci_ev_hardware_error *ev = (void *) skb->data;
3640 mgmt_hardware_error(hdev, ev->code);
3641 hci_dev_unlock(hdev);
3643 hdev->hw_error_code = ev->code;
3645 queue_work(hdev->req_workqueue, &hdev->error_reset);
3648 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3650 struct hci_ev_role_change *ev = (void *) skb->data;
3651 struct hci_conn *conn;
3653 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3657 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3660 conn->role = ev->role;
3662 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3664 hci_role_switch_cfm(conn, ev->status, ev->role);
3666 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
3667 hci_conn_change_supervision_timeout(conn,
3668 LINK_SUPERVISION_TIMEOUT);
3672 hci_dev_unlock(hdev);
3675 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3677 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3680 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3681 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3685 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3686 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3687 BT_DBG("%s bad parameters", hdev->name);
3691 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3693 for (i = 0; i < ev->num_hndl; i++) {
3694 struct hci_comp_pkts_info *info = &ev->handles[i];
3695 struct hci_conn *conn;
3696 __u16 handle, count;
3698 handle = __le16_to_cpu(info->handle);
3699 count = __le16_to_cpu(info->count);
3701 conn = hci_conn_hash_lookup_handle(hdev, handle);
3705 conn->sent -= count;
3707 switch (conn->type) {
3709 hdev->acl_cnt += count;
3710 if (hdev->acl_cnt > hdev->acl_pkts)
3711 hdev->acl_cnt = hdev->acl_pkts;
3715 if (hdev->le_pkts) {
3716 hdev->le_cnt += count;
3717 if (hdev->le_cnt > hdev->le_pkts)
3718 hdev->le_cnt = hdev->le_pkts;
3720 hdev->acl_cnt += count;
3721 if (hdev->acl_cnt > hdev->acl_pkts)
3722 hdev->acl_cnt = hdev->acl_pkts;
3727 hdev->sco_cnt += count;
3728 if (hdev->sco_cnt > hdev->sco_pkts)
3729 hdev->sco_cnt = hdev->sco_pkts;
3733 bt_dev_err(hdev, "unknown type %d conn %p",
3739 queue_work(hdev->workqueue, &hdev->tx_work);
3742 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3745 struct hci_chan *chan;
3747 switch (hdev->dev_type) {
3749 return hci_conn_hash_lookup_handle(hdev, handle);
3751 chan = hci_chan_lookup_handle(hdev, handle);
3756 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3763 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3765 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3768 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3769 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3773 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3774 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3775 BT_DBG("%s bad parameters", hdev->name);
3779 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3782 for (i = 0; i < ev->num_hndl; i++) {
3783 struct hci_comp_blocks_info *info = &ev->handles[i];
3784 struct hci_conn *conn = NULL;
3785 __u16 handle, block_count;
3787 handle = __le16_to_cpu(info->handle);
3788 block_count = __le16_to_cpu(info->blocks);
3790 conn = __hci_conn_lookup_handle(hdev, handle);
3794 conn->sent -= block_count;
3796 switch (conn->type) {
3799 hdev->block_cnt += block_count;
3800 if (hdev->block_cnt > hdev->num_blocks)
3801 hdev->block_cnt = hdev->num_blocks;
3805 bt_dev_err(hdev, "unknown type %d conn %p",
3811 queue_work(hdev->workqueue, &hdev->tx_work);
3814 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3816 struct hci_ev_mode_change *ev = (void *) skb->data;
3817 struct hci_conn *conn;
3819 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3823 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3825 conn->mode = ev->mode;
3827 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3829 if (conn->mode == HCI_CM_ACTIVE)
3830 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3832 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3835 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3836 hci_sco_setup(conn, ev->status);
3839 hci_dev_unlock(hdev);
3842 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3844 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3845 struct hci_conn *conn;
3847 BT_DBG("%s", hdev->name);
3851 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3855 if (conn->state == BT_CONNECTED) {
3856 hci_conn_hold(conn);
3857 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3858 hci_conn_drop(conn);
3861 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3862 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3863 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3864 sizeof(ev->bdaddr), &ev->bdaddr);
3865 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3868 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3873 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3877 hci_dev_unlock(hdev);
3880 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3882 if (key_type == HCI_LK_CHANGED_COMBINATION)
3885 conn->pin_length = pin_len;
3886 conn->key_type = key_type;
3889 case HCI_LK_LOCAL_UNIT:
3890 case HCI_LK_REMOTE_UNIT:
3891 case HCI_LK_DEBUG_COMBINATION:
3893 case HCI_LK_COMBINATION:
3895 conn->pending_sec_level = BT_SECURITY_HIGH;
3897 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3899 case HCI_LK_UNAUTH_COMBINATION_P192:
3900 case HCI_LK_UNAUTH_COMBINATION_P256:
3901 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3903 case HCI_LK_AUTH_COMBINATION_P192:
3904 conn->pending_sec_level = BT_SECURITY_HIGH;
3906 case HCI_LK_AUTH_COMBINATION_P256:
3907 conn->pending_sec_level = BT_SECURITY_FIPS;
3912 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3914 struct hci_ev_link_key_req *ev = (void *) skb->data;
3915 struct hci_cp_link_key_reply cp;
3916 struct hci_conn *conn;
3917 struct link_key *key;
3919 BT_DBG("%s", hdev->name);
3921 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3926 key = hci_find_link_key(hdev, &ev->bdaddr);
3928 BT_DBG("%s link key not found for %pMR", hdev->name,
3933 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3936 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3938 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3940 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3941 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3942 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3943 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3947 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3948 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3949 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3950 BT_DBG("%s ignoring key unauthenticated for high security",
3955 conn_set_key(conn, key->type, key->pin_len);
3958 bacpy(&cp.bdaddr, &ev->bdaddr);
3959 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3961 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3963 hci_dev_unlock(hdev);
3968 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3969 hci_dev_unlock(hdev);
3972 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3974 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3975 struct hci_conn *conn;
3976 struct link_key *key;
3980 BT_DBG("%s", hdev->name);
3984 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3988 hci_conn_hold(conn);
3989 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3990 hci_conn_drop(conn);
3992 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3993 conn_set_key(conn, ev->key_type, conn->pin_length);
3995 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3998 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3999 ev->key_type, pin_len, &persistent);
4003 /* Update connection information since adding the key will have
4004 * fixed up the type in the case of changed combination keys.
4006 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4007 conn_set_key(conn, key->type, key->pin_len);
4009 mgmt_new_link_key(hdev, key, persistent);
4011 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4012 * is set. If it's not set simply remove the key from the kernel
4013 * list (we've still notified user space about it but with
4014 * store_hint being 0).
4016 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4017 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4018 list_del_rcu(&key->list);
4019 kfree_rcu(key, rcu);
4024 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4026 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4029 hci_dev_unlock(hdev);
4032 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4034 struct hci_ev_clock_offset *ev = (void *) skb->data;
4035 struct hci_conn *conn;
4037 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4041 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4042 if (conn && !ev->status) {
4043 struct inquiry_entry *ie;
4045 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4047 ie->data.clock_offset = ev->clock_offset;
4048 ie->timestamp = jiffies;
4052 hci_dev_unlock(hdev);
4055 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4057 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4058 struct hci_conn *conn;
4060 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4064 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4065 if (conn && !ev->status)
4066 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4068 hci_dev_unlock(hdev);
4071 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4073 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4074 struct inquiry_entry *ie;
4076 BT_DBG("%s", hdev->name);
4080 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4082 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4083 ie->timestamp = jiffies;
4086 hci_dev_unlock(hdev);
4089 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4090 struct sk_buff *skb)
4092 struct inquiry_data data;
4093 int num_rsp = *((__u8 *) skb->data);
4095 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4100 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4105 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4106 struct inquiry_info_with_rssi_and_pscan_mode *info;
4107 info = (void *) (skb->data + 1);
4109 for (; num_rsp; num_rsp--, info++) {
4112 bacpy(&data.bdaddr, &info->bdaddr);
4113 data.pscan_rep_mode = info->pscan_rep_mode;
4114 data.pscan_period_mode = info->pscan_period_mode;
4115 data.pscan_mode = info->pscan_mode;
4116 memcpy(data.dev_class, info->dev_class, 3);
4117 data.clock_offset = info->clock_offset;
4118 data.rssi = info->rssi;
4119 data.ssp_mode = 0x00;
4121 flags = hci_inquiry_cache_update(hdev, &data, false);
4123 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4124 info->dev_class, info->rssi,
4125 flags, NULL, 0, NULL, 0);
4128 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4130 for (; num_rsp; num_rsp--, info++) {
4133 bacpy(&data.bdaddr, &info->bdaddr);
4134 data.pscan_rep_mode = info->pscan_rep_mode;
4135 data.pscan_period_mode = info->pscan_period_mode;
4136 data.pscan_mode = 0x00;
4137 memcpy(data.dev_class, info->dev_class, 3);
4138 data.clock_offset = info->clock_offset;
4139 data.rssi = info->rssi;
4140 data.ssp_mode = 0x00;
4142 flags = hci_inquiry_cache_update(hdev, &data, false);
4144 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4145 info->dev_class, info->rssi,
4146 flags, NULL, 0, NULL, 0);
4150 hci_dev_unlock(hdev);
4153 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4154 struct sk_buff *skb)
4156 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4157 struct hci_conn *conn;
4159 BT_DBG("%s", hdev->name);
4163 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4167 if (ev->page < HCI_MAX_PAGES)
4168 memcpy(conn->features[ev->page], ev->features, 8);
4170 if (!ev->status && ev->page == 0x01) {
4171 struct inquiry_entry *ie;
4173 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4175 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4177 if (ev->features[0] & LMP_HOST_SSP) {
4178 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4180 /* It is mandatory by the Bluetooth specification that
4181 * Extended Inquiry Results are only used when Secure
4182 * Simple Pairing is enabled, but some devices violate
4185 * To make these devices work, the internal SSP
4186 * enabled flag needs to be cleared if the remote host
4187 * features do not indicate SSP support */
4188 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4191 if (ev->features[0] & LMP_HOST_SC)
4192 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4195 if (conn->state != BT_CONFIG)
4198 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4199 struct hci_cp_remote_name_req cp;
4200 memset(&cp, 0, sizeof(cp));
4201 bacpy(&cp.bdaddr, &conn->dst);
4202 cp.pscan_rep_mode = 0x02;
4203 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4204 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4205 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4207 if (!hci_outgoing_auth_needed(hdev, conn)) {
4208 conn->state = BT_CONNECTED;
4209 hci_connect_cfm(conn, ev->status);
4210 hci_conn_drop(conn);
4214 hci_dev_unlock(hdev);
4217 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4218 struct sk_buff *skb)
4220 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4221 struct hci_conn *conn;
4223 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4227 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4229 if (ev->link_type == ESCO_LINK)
4232 /* When the link type in the event indicates SCO connection
4233 * and lookup of the connection object fails, then check
4234 * if an eSCO connection object exists.
4236 * The core limits the synchronous connections to either
4237 * SCO or eSCO. The eSCO connection is preferred and tried
4238 * to be setup first and until successfully established,
4239 * the link type will be hinted as eSCO.
4241 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4246 switch (ev->status) {
4248 conn->handle = __le16_to_cpu(ev->handle);
4249 conn->state = BT_CONNECTED;
4250 conn->type = ev->link_type;
4252 hci_debugfs_create_conn(conn);
4253 hci_conn_add_sysfs(conn);
4256 case 0x10: /* Connection Accept Timeout */
4257 case 0x0d: /* Connection Rejected due to Limited Resources */
4258 case 0x11: /* Unsupported Feature or Parameter Value */
4259 case 0x1c: /* SCO interval rejected */
4260 case 0x1a: /* Unsupported Remote Feature */
4261 case 0x1f: /* Unspecified error */
4262 case 0x20: /* Unsupported LMP Parameter value */
4264 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4265 (hdev->esco_type & EDR_ESCO_MASK);
4266 if (hci_setup_sync(conn, conn->link->handle))
4272 conn->state = BT_CLOSED;
4276 hci_connect_cfm(conn, ev->status);
4281 hci_dev_unlock(hdev);
4284 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4288 while (parsed < eir_len) {
4289 u8 field_len = eir[0];
4294 parsed += field_len + 1;
4295 eir += field_len + 1;
4301 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4302 struct sk_buff *skb)
4304 struct inquiry_data data;
4305 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4306 int num_rsp = *((__u8 *) skb->data);
4309 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4314 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4319 for (; num_rsp; num_rsp--, info++) {
4323 bacpy(&data.bdaddr, &info->bdaddr);
4324 data.pscan_rep_mode = info->pscan_rep_mode;
4325 data.pscan_period_mode = info->pscan_period_mode;
4326 data.pscan_mode = 0x00;
4327 memcpy(data.dev_class, info->dev_class, 3);
4328 data.clock_offset = info->clock_offset;
4329 data.rssi = info->rssi;
4330 data.ssp_mode = 0x01;
4332 if (hci_dev_test_flag(hdev, HCI_MGMT))
4333 name_known = eir_get_data(info->data,
4335 EIR_NAME_COMPLETE, NULL);
4339 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4341 eir_len = eir_get_length(info->data, sizeof(info->data));
4343 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4344 info->dev_class, info->rssi,
4345 flags, info->data, eir_len, NULL, 0);
4348 hci_dev_unlock(hdev);
4351 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4352 struct sk_buff *skb)
4354 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4355 struct hci_conn *conn;
4357 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4358 __le16_to_cpu(ev->handle));
4362 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4366 /* For BR/EDR the necessary steps are taken through the
4367 * auth_complete event.
4369 if (conn->type != LE_LINK)
4373 conn->sec_level = conn->pending_sec_level;
4375 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4377 if (ev->status && conn->state == BT_CONNECTED) {
4378 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4379 hci_conn_drop(conn);
4383 if (conn->state == BT_CONFIG) {
4385 conn->state = BT_CONNECTED;
4387 hci_connect_cfm(conn, ev->status);
4388 hci_conn_drop(conn);
4390 hci_auth_cfm(conn, ev->status);
4392 hci_conn_hold(conn);
4393 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4394 hci_conn_drop(conn);
4398 hci_dev_unlock(hdev);
4401 static u8 hci_get_auth_req(struct hci_conn *conn)
4404 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
4405 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4406 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4407 return HCI_AT_GENERAL_BONDING_MITM;
4411 /* If remote requests no-bonding follow that lead */
4412 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4413 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4414 return conn->remote_auth | (conn->auth_type & 0x01);
4416 /* If both remote and local have enough IO capabilities, require
4419 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4420 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4421 return conn->remote_auth | 0x01;
4423 /* No MITM protection possible so ignore remote requirement */
4424 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4427 static u8 bredr_oob_data_present(struct hci_conn *conn)
4429 struct hci_dev *hdev = conn->hdev;
4430 struct oob_data *data;
4432 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4436 if (bredr_sc_enabled(hdev)) {
4437 /* When Secure Connections is enabled, then just
4438 * return the present value stored with the OOB
4439 * data. The stored value contains the right present
4440 * information. However it can only be trusted when
4441 * not in Secure Connection Only mode.
4443 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4444 return data->present;
4446 /* When Secure Connections Only mode is enabled, then
4447 * the P-256 values are required. If they are not
4448 * available, then do not declare that OOB data is
4451 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4452 !memcmp(data->hash256, ZERO_KEY, 16))
4458 /* When Secure Connections is not enabled or actually
4459 * not supported by the hardware, then check that if
4460 * P-192 data values are present.
4462 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4463 !memcmp(data->hash192, ZERO_KEY, 16))
4469 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4471 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4472 struct hci_conn *conn;
4474 BT_DBG("%s", hdev->name);
4478 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4482 hci_conn_hold(conn);
4484 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4487 /* Allow pairing if we're pairable, the initiators of the
4488 * pairing or if the remote is not requesting bonding.
4490 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4491 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4492 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4493 struct hci_cp_io_capability_reply cp;
4495 bacpy(&cp.bdaddr, &ev->bdaddr);
4496 /* Change the IO capability from KeyboardDisplay
4497 * to DisplayYesNo as it is not supported by BT spec. */
4498 cp.capability = (conn->io_capability == 0x04) ?
4499 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4501 /* If we are initiators, there is no remote information yet */
4502 if (conn->remote_auth == 0xff) {
4503 /* Request MITM protection if our IO caps allow it
4504 * except for the no-bonding case.
4506 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4507 conn->auth_type != HCI_AT_NO_BONDING)
4508 conn->auth_type |= 0x01;
4510 conn->auth_type = hci_get_auth_req(conn);
4513 /* If we're not bondable, force one of the non-bondable
4514 * authentication requirement values.
4516 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4517 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4519 cp.authentication = conn->auth_type;
4520 cp.oob_data = bredr_oob_data_present(conn);
4522 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4525 struct hci_cp_io_capability_neg_reply cp;
4527 bacpy(&cp.bdaddr, &ev->bdaddr);
4528 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4530 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4535 hci_dev_unlock(hdev);
4538 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4540 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4541 struct hci_conn *conn;
4543 BT_DBG("%s", hdev->name);
4547 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4551 conn->remote_cap = ev->capability;
4552 conn->remote_auth = ev->authentication;
4555 hci_dev_unlock(hdev);
4558 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4559 struct sk_buff *skb)
4561 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4562 int loc_mitm, rem_mitm, confirm_hint = 0;
4563 struct hci_conn *conn;
4565 BT_DBG("%s", hdev->name);
4569 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4572 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4576 loc_mitm = (conn->auth_type & 0x01);
4577 rem_mitm = (conn->remote_auth & 0x01);
4579 /* If we require MITM but the remote device can't provide that
4580 * (it has NoInputNoOutput) then reject the confirmation
4581 * request. We check the security level here since it doesn't
4582 * necessarily match conn->auth_type.
4584 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4585 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4586 BT_DBG("Rejecting request: remote device can't provide MITM");
4587 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4588 sizeof(ev->bdaddr), &ev->bdaddr);
4592 /* If no side requires MITM protection; auto-accept */
4593 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4594 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4596 /* If we're not the initiators request authorization to
4597 * proceed from user space (mgmt_user_confirm with
4598 * confirm_hint set to 1). The exception is if neither
4599 * side had MITM or if the local IO capability is
4600 * NoInputNoOutput, in which case we do auto-accept
4602 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4603 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4604 (loc_mitm || rem_mitm)) {
4605 BT_DBG("Confirming auto-accept as acceptor");
4610 BT_DBG("Auto-accept of user confirmation with %ums delay",
4611 hdev->auto_accept_delay);
4613 if (hdev->auto_accept_delay > 0) {
4614 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4615 queue_delayed_work(conn->hdev->workqueue,
4616 &conn->auto_accept_work, delay);
4620 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4621 sizeof(ev->bdaddr), &ev->bdaddr);
4626 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4627 le32_to_cpu(ev->passkey), confirm_hint);
4630 hci_dev_unlock(hdev);
4633 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4634 struct sk_buff *skb)
4636 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4638 BT_DBG("%s", hdev->name);
4640 if (hci_dev_test_flag(hdev, HCI_MGMT))
4641 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4644 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4645 struct sk_buff *skb)
4647 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4648 struct hci_conn *conn;
4650 BT_DBG("%s", hdev->name);
4652 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4656 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4657 conn->passkey_entered = 0;
4659 if (hci_dev_test_flag(hdev, HCI_MGMT))
4660 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4661 conn->dst_type, conn->passkey_notify,
4662 conn->passkey_entered);
4665 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4667 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4668 struct hci_conn *conn;
4670 BT_DBG("%s", hdev->name);
4672 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4677 case HCI_KEYPRESS_STARTED:
4678 conn->passkey_entered = 0;
4681 case HCI_KEYPRESS_ENTERED:
4682 conn->passkey_entered++;
4685 case HCI_KEYPRESS_ERASED:
4686 conn->passkey_entered--;
4689 case HCI_KEYPRESS_CLEARED:
4690 conn->passkey_entered = 0;
4693 case HCI_KEYPRESS_COMPLETED:
4697 if (hci_dev_test_flag(hdev, HCI_MGMT))
4698 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4699 conn->dst_type, conn->passkey_notify,
4700 conn->passkey_entered);
4703 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4704 struct sk_buff *skb)
4706 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4707 struct hci_conn *conn;
4709 BT_DBG("%s", hdev->name);
4713 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4717 /* Reset the authentication requirement to unknown */
4718 conn->remote_auth = 0xff;
4720 /* To avoid duplicate auth_failed events to user space we check
4721 * the HCI_CONN_AUTH_PEND flag which will be set if we
4722 * initiated the authentication. A traditional auth_complete
4723 * event gets always produced as initiator and is also mapped to
4724 * the mgmt_auth_failed event */
4725 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4726 mgmt_auth_failed(conn, ev->status);
4728 hci_conn_drop(conn);
4731 hci_dev_unlock(hdev);
4734 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4735 struct sk_buff *skb)
4737 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4738 struct inquiry_entry *ie;
4739 struct hci_conn *conn;
4741 BT_DBG("%s", hdev->name);
4745 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4747 memcpy(conn->features[1], ev->features, 8);
4749 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4751 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4753 hci_dev_unlock(hdev);
4756 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4757 struct sk_buff *skb)
4759 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4760 struct oob_data *data;
4762 BT_DBG("%s", hdev->name);
4766 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4769 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4771 struct hci_cp_remote_oob_data_neg_reply cp;
4773 bacpy(&cp.bdaddr, &ev->bdaddr);
4774 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4779 if (bredr_sc_enabled(hdev)) {
4780 struct hci_cp_remote_oob_ext_data_reply cp;
4782 bacpy(&cp.bdaddr, &ev->bdaddr);
4783 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4784 memset(cp.hash192, 0, sizeof(cp.hash192));
4785 memset(cp.rand192, 0, sizeof(cp.rand192));
4787 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4788 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4790 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4791 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4793 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4796 struct hci_cp_remote_oob_data_reply cp;
4798 bacpy(&cp.bdaddr, &ev->bdaddr);
4799 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4800 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4802 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4807 hci_dev_unlock(hdev);
4810 #if IS_ENABLED(CONFIG_BT_HS)
4811 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4813 struct hci_ev_channel_selected *ev = (void *)skb->data;
4814 struct hci_conn *hcon;
4816 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4818 skb_pull(skb, sizeof(*ev));
4820 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4824 amp_read_loc_assoc_final_data(hdev, hcon);
4827 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4828 struct sk_buff *skb)
4830 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4831 struct hci_conn *hcon, *bredr_hcon;
4833 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4838 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4840 hci_dev_unlock(hdev);
4846 hci_dev_unlock(hdev);
4850 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4852 hcon->state = BT_CONNECTED;
4853 bacpy(&hcon->dst, &bredr_hcon->dst);
4855 hci_conn_hold(hcon);
4856 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4857 hci_conn_drop(hcon);
4859 hci_debugfs_create_conn(hcon);
4860 hci_conn_add_sysfs(hcon);
4862 amp_physical_cfm(bredr_hcon, hcon);
4864 hci_dev_unlock(hdev);
4867 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4869 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4870 struct hci_conn *hcon;
4871 struct hci_chan *hchan;
4872 struct amp_mgr *mgr;
4874 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4875 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4878 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4882 /* Create AMP hchan */
4883 hchan = hci_chan_create(hcon);
4887 hchan->handle = le16_to_cpu(ev->handle);
4889 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4891 mgr = hcon->amp_mgr;
4892 if (mgr && mgr->bredr_chan) {
4893 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4895 l2cap_chan_lock(bredr_chan);
4897 bredr_chan->conn->mtu = hdev->block_mtu;
4898 l2cap_logical_cfm(bredr_chan, hchan, 0);
4899 hci_conn_hold(hcon);
4901 l2cap_chan_unlock(bredr_chan);
4905 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4906 struct sk_buff *skb)
4908 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4909 struct hci_chan *hchan;
4911 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4912 le16_to_cpu(ev->handle), ev->status);
4919 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4923 amp_destroy_logical_link(hchan, ev->reason);
4926 hci_dev_unlock(hdev);
4929 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4930 struct sk_buff *skb)
4932 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4933 struct hci_conn *hcon;
4935 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4942 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4944 hcon->state = BT_CLOSED;
4948 hci_dev_unlock(hdev);
4952 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
4953 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
4954 u16 interval, u16 latency, u16 supervision_timeout)
4956 struct hci_conn_params *params;
4957 struct hci_conn *conn;
4958 struct smp_irk *irk;
4963 /* All controllers implicitly stop advertising in the event of a
4964 * connection, so ensure that the state bit is cleared.
4966 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4968 conn = hci_lookup_le_connect(hdev);
4970 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
4972 bt_dev_err(hdev, "no memory for new connection");
4976 conn->dst_type = bdaddr_type;
4978 /* If we didn't have a hci_conn object previously
4979 * but we're in master role this must be something
4980 * initiated using a white list. Since white list based
4981 * connections are not "first class citizens" we don't
4982 * have full tracking of them. Therefore, we go ahead
4983 * with a "best effort" approach of determining the
4984 * initiator address based on the HCI_PRIVACY flag.
4987 conn->resp_addr_type = bdaddr_type;
4988 bacpy(&conn->resp_addr, bdaddr);
4989 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4990 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4991 bacpy(&conn->init_addr, &hdev->rpa);
4993 hci_copy_identity_address(hdev,
4995 &conn->init_addr_type);
5000 /* LE auto connect */
5001 bacpy(&conn->dst, bdaddr);
5003 cancel_delayed_work(&conn->le_conn_timeout);
5007 /* Set the responder (our side) address type based on
5008 * the advertising address type.
5010 conn->resp_addr_type = hdev->adv_addr_type;
5011 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5012 /* In case of ext adv, resp_addr will be updated in
5013 * Adv Terminated event.
5015 if (!ext_adv_capable(hdev))
5016 bacpy(&conn->resp_addr, &hdev->random_addr);
5018 bacpy(&conn->resp_addr, &hdev->bdaddr);
5021 conn->init_addr_type = bdaddr_type;
5022 bacpy(&conn->init_addr, bdaddr);
5024 /* For incoming connections, set the default minimum
5025 * and maximum connection interval. They will be used
5026 * to check if the parameters are in range and if not
5027 * trigger the connection update procedure.
5029 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5030 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5033 /* Lookup the identity address from the stored connection
5034 * address and address type.
5036 * When establishing connections to an identity address, the
5037 * connection procedure will store the resolvable random
5038 * address first. Now if it can be converted back into the
5039 * identity address, start using the identity address from
5042 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5044 bacpy(&conn->dst, &irk->bdaddr);
5045 conn->dst_type = irk->addr_type;
5049 hci_le_conn_failed(conn, status);
5053 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5054 addr_type = BDADDR_LE_PUBLIC;
5056 addr_type = BDADDR_LE_RANDOM;
5058 /* Drop the connection if the device is blocked */
5059 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5060 hci_conn_drop(conn);
5064 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5065 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5067 conn->sec_level = BT_SECURITY_LOW;
5068 conn->handle = handle;
5069 conn->state = BT_CONFIG;
5071 conn->le_conn_interval = interval;
5072 conn->le_conn_latency = latency;
5073 conn->le_supv_timeout = supervision_timeout;
5075 hci_debugfs_create_conn(conn);
5076 hci_conn_add_sysfs(conn);
5079 /* The remote features procedure is defined for master
5080 * role only. So only in case of an initiated connection
5081 * request the remote features.
5083 * If the local controller supports slave-initiated features
5084 * exchange, then requesting the remote features in slave
5085 * role is possible. Otherwise just transition into the
5086 * connected state without requesting the remote features.
5089 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5090 struct hci_cp_le_read_remote_features cp;
5092 cp.handle = __cpu_to_le16(conn->handle);
5094 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5097 hci_conn_hold(conn);
5099 conn->state = BT_CONNECTED;
5100 hci_connect_cfm(conn, status);
5103 hci_connect_cfm(conn, status);
5106 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5109 list_del_init(¶ms->action);
5111 hci_conn_drop(params->conn);
5112 hci_conn_put(params->conn);
5113 params->conn = NULL;
5118 hci_update_background_scan(hdev);
5119 hci_dev_unlock(hdev);
5122 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5124 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5126 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5128 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5129 ev->role, le16_to_cpu(ev->handle),
5130 le16_to_cpu(ev->interval),
5131 le16_to_cpu(ev->latency),
5132 le16_to_cpu(ev->supervision_timeout));
5135 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5136 struct sk_buff *skb)
5138 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5140 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5142 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5143 ev->role, le16_to_cpu(ev->handle),
5144 le16_to_cpu(ev->interval),
5145 le16_to_cpu(ev->latency),
5146 le16_to_cpu(ev->supervision_timeout));
5149 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5151 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5152 struct hci_conn *conn;
5154 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5159 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5161 struct adv_info *adv_instance;
5163 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5166 if (!hdev->cur_adv_instance) {
5167 bacpy(&conn->resp_addr, &hdev->random_addr);
5171 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5173 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5177 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5178 struct sk_buff *skb)
5180 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5181 struct hci_conn *conn;
5183 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5190 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5194 hci_dev_unlock(hdev);
5195 mgmt_le_conn_update_failed(hdev, &conn->dst,
5196 conn->type, conn->dst_type, ev->status);
5200 conn->le_conn_interval = le16_to_cpu(ev->interval);
5201 conn->le_conn_latency = le16_to_cpu(ev->latency);
5202 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5205 hci_dev_unlock(hdev);
5208 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
5209 conn->dst_type, conn->le_conn_interval,
5210 conn->le_conn_latency, conn->le_supv_timeout);
5214 /* This function requires the caller holds hdev->lock */
5215 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5217 u8 addr_type, u8 adv_type,
5218 bdaddr_t *direct_rpa)
5220 struct hci_conn *conn;
5221 struct hci_conn_params *params;
5223 /* If the event is not connectable don't proceed further */
5224 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5227 /* Ignore if the device is blocked */
5228 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5231 /* Most controller will fail if we try to create new connections
5232 * while we have an existing one in slave role.
5234 if (hdev->conn_hash.le_num_slave > 0)
5237 /* If we're not connectable only connect devices that we have in
5238 * our pend_le_conns list.
5240 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5245 if (!params->explicit_connect) {
5246 switch (params->auto_connect) {
5247 case HCI_AUTO_CONN_DIRECT:
5248 /* Only devices advertising with ADV_DIRECT_IND are
5249 * triggering a connection attempt. This is allowing
5250 * incoming connections from slave devices.
5252 if (adv_type != LE_ADV_DIRECT_IND)
5255 case HCI_AUTO_CONN_ALWAYS:
5256 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5257 * are triggering a connection attempt. This means
5258 * that incoming connectioms from slave device are
5259 * accepted and also outgoing connections to slave
5260 * devices are established when found.
5268 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5269 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5271 if (!IS_ERR(conn)) {
5272 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5273 * by higher layer that tried to connect, if no then
5274 * store the pointer since we don't really have any
5275 * other owner of the object besides the params that
5276 * triggered it. This way we can abort the connection if
5277 * the parameters get removed and keep the reference
5278 * count consistent once the connection is established.
5281 if (!params->explicit_connect)
5282 params->conn = hci_conn_get(conn);
5287 switch (PTR_ERR(conn)) {
5289 /* If hci_connect() returns -EBUSY it means there is already
5290 * an LE connection attempt going on. Since controllers don't
5291 * support more than one connection attempt at the time, we
5292 * don't consider this an error case.
5296 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5303 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5304 u8 bdaddr_type, bdaddr_t *direct_addr,
5305 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5308 struct discovery_state *d = &hdev->discovery;
5310 struct smp_irk *irk;
5311 struct hci_conn *conn;
5320 case LE_ADV_DIRECT_IND:
5321 case LE_ADV_SCAN_IND:
5322 case LE_ADV_NONCONN_IND:
5323 case LE_ADV_SCAN_RSP:
5326 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5327 "type: 0x%02x", type);
5331 /* Find the end of the data in case the report contains padded zero
5332 * bytes at the end causing an invalid length value.
5334 * When data is NULL, len is 0 so there is no need for extra ptr
5335 * check as 'ptr < data + 0' is already false in such case.
5337 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5338 if (ptr + 1 + *ptr > data + len)
5342 real_len = ptr - data;
5344 /* Adjust for actual length */
5345 if (len != real_len) {
5346 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
5350 /* If the direct address is present, then this report is from
5351 * a LE Direct Advertising Report event. In that case it is
5352 * important to see if the address is matching the local
5353 * controller address.
5356 /* Only resolvable random addresses are valid for these
5357 * kind of reports and others can be ignored.
5359 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5362 /* If the controller is not using resolvable random
5363 * addresses, then this report can be ignored.
5365 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5368 /* If the local IRK of the controller does not match
5369 * with the resolvable random address provided, then
5370 * this report can be ignored.
5372 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5376 /* Check if we need to convert to identity address */
5377 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5379 bdaddr = &irk->bdaddr;
5380 bdaddr_type = irk->addr_type;
5383 /* Check if we have been requested to connect to this device.
5385 * direct_addr is set only for directed advertising reports (it is NULL
5386 * for advertising reports) and is already verified to be RPA above.
5388 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5390 if (conn && type == LE_ADV_IND) {
5391 /* Store report for later inclusion by
5392 * mgmt_device_connected
5394 memcpy(conn->le_adv_data, data, len);
5395 conn->le_adv_data_len = len;
5398 /* Passive scanning shouldn't trigger any device found events,
5399 * except for devices marked as CONN_REPORT for which we do send
5400 * device found events.
5402 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5403 if (type == LE_ADV_DIRECT_IND)
5407 /* Handle all adv packet in platform */
5408 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5409 bdaddr, bdaddr_type))
5413 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5414 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5418 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5419 rssi, flags, data, len, NULL, 0, type);
5421 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5422 rssi, flags, data, len, NULL, 0);
5427 /* When receiving non-connectable or scannable undirected
5428 * advertising reports, this means that the remote device is
5429 * not connectable and then clearly indicate this in the
5430 * device found event.
5432 * When receiving a scan response, then there is no way to
5433 * know if the remote device is connectable or not. However
5434 * since scan responses are merged with a previously seen
5435 * advertising report, the flags field from that report
5438 * In the really unlikely case that a controller get confused
5439 * and just sends a scan response event, then it is marked as
5440 * not connectable as well.
5442 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5443 type == LE_ADV_SCAN_RSP)
5444 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5449 /* Disable adv ind and scan rsp merging */
5450 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5451 rssi, flags, data, len, NULL, 0, type);
5453 /* If there's nothing pending either store the data from this
5454 * event or send an immediate device found event if the data
5455 * should not be stored for later.
5457 if (!has_pending_adv_report(hdev)) {
5458 /* If the report will trigger a SCAN_REQ store it for
5461 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5462 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5463 rssi, flags, data, len);
5467 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5468 rssi, flags, data, len, NULL, 0);
5472 /* Check if the pending report is for the same device as the new one */
5473 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5474 bdaddr_type == d->last_adv_addr_type);
5476 /* If the pending data doesn't match this report or this isn't a
5477 * scan response (e.g. we got a duplicate ADV_IND) then force
5478 * sending of the pending data.
5480 if (type != LE_ADV_SCAN_RSP || !match) {
5481 /* Send out whatever is in the cache, but skip duplicates */
5483 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5484 d->last_adv_addr_type, NULL,
5485 d->last_adv_rssi, d->last_adv_flags,
5487 d->last_adv_data_len, NULL, 0);
5489 /* If the new report will trigger a SCAN_REQ store it for
5492 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5493 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5494 rssi, flags, data, len);
5498 /* The advertising reports cannot be merged, so clear
5499 * the pending report and send out a device found event.
5501 clear_pending_adv_report(hdev);
5502 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5503 rssi, flags, data, len, NULL, 0);
5507 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5508 * the new event is a SCAN_RSP. We can therefore proceed with
5509 * sending a merged device found event.
5511 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5512 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5513 d->last_adv_data, d->last_adv_data_len, data, len);
5514 clear_pending_adv_report(hdev);
5518 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5520 u8 num_reports = skb->data[0];
5521 void *ptr = &skb->data[1];
5525 while (num_reports--) {
5526 struct hci_ev_le_advertising_info *ev = ptr;
5529 if (ev->length <= HCI_MAX_AD_LENGTH) {
5530 rssi = ev->data[ev->length];
5531 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5532 ev->bdaddr_type, NULL, 0, rssi,
5533 ev->data, ev->length);
5535 bt_dev_err(hdev, "Dropping invalid advertising data");
5538 ptr += sizeof(*ev) + ev->length + 1;
5541 hci_dev_unlock(hdev);
5544 static u8 ext_evt_type_to_legacy(u16 evt_type)
5546 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5548 case LE_LEGACY_ADV_IND:
5550 case LE_LEGACY_ADV_DIRECT_IND:
5551 return LE_ADV_DIRECT_IND;
5552 case LE_LEGACY_ADV_SCAN_IND:
5553 return LE_ADV_SCAN_IND;
5554 case LE_LEGACY_NONCONN_IND:
5555 return LE_ADV_NONCONN_IND;
5556 case LE_LEGACY_SCAN_RSP_ADV:
5557 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5558 return LE_ADV_SCAN_RSP;
5561 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5564 return LE_ADV_INVALID;
5567 if (evt_type & LE_EXT_ADV_CONN_IND) {
5568 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5569 return LE_ADV_DIRECT_IND;
5574 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5575 return LE_ADV_SCAN_RSP;
5577 if (evt_type & LE_EXT_ADV_SCAN_IND)
5578 return LE_ADV_SCAN_IND;
5580 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5581 evt_type & LE_EXT_ADV_DIRECT_IND)
5582 return LE_ADV_NONCONN_IND;
5584 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5587 return LE_ADV_INVALID;
5590 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5592 u8 num_reports = skb->data[0];
5593 void *ptr = &skb->data[1];
5597 while (num_reports--) {
5598 struct hci_ev_le_ext_adv_report *ev = ptr;
5602 evt_type = __le16_to_cpu(ev->evt_type);
5603 legacy_evt_type = ext_evt_type_to_legacy(evt_type);
5604 if (legacy_evt_type != LE_ADV_INVALID) {
5605 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5606 ev->bdaddr_type, NULL, 0, ev->rssi,
5607 ev->data, ev->length);
5610 ptr += sizeof(*ev) + ev->length + 1;
5613 hci_dev_unlock(hdev);
5616 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5617 struct sk_buff *skb)
5619 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5620 struct hci_conn *conn;
5622 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5626 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5629 memcpy(conn->features[0], ev->features, 8);
5631 if (conn->state == BT_CONFIG) {
5634 /* If the local controller supports slave-initiated
5635 * features exchange, but the remote controller does
5636 * not, then it is possible that the error code 0x1a
5637 * for unsupported remote feature gets returned.
5639 * In this specific case, allow the connection to
5640 * transition into connected state and mark it as
5643 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5644 !conn->out && ev->status == 0x1a)
5647 status = ev->status;
5649 conn->state = BT_CONNECTED;
5650 hci_connect_cfm(conn, status);
5651 hci_conn_drop(conn);
5655 hci_dev_unlock(hdev);
5658 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5660 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5661 struct hci_cp_le_ltk_reply cp;
5662 struct hci_cp_le_ltk_neg_reply neg;
5663 struct hci_conn *conn;
5664 struct smp_ltk *ltk;
5666 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5670 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5674 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5678 if (smp_ltk_is_sc(ltk)) {
5679 /* With SC both EDiv and Rand are set to zero */
5680 if (ev->ediv || ev->rand)
5683 /* For non-SC keys check that EDiv and Rand match */
5684 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5688 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5689 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5690 cp.handle = cpu_to_le16(conn->handle);
5692 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5694 conn->enc_key_size = ltk->enc_size;
5696 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5698 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5699 * temporary key used to encrypt a connection following
5700 * pairing. It is used during the Encrypted Session Setup to
5701 * distribute the keys. Later, security can be re-established
5702 * using a distributed LTK.
5704 if (ltk->type == SMP_STK) {
5705 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5706 list_del_rcu(<k->list);
5707 kfree_rcu(ltk, rcu);
5709 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5712 hci_dev_unlock(hdev);
5717 neg.handle = ev->handle;
5718 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5719 hci_dev_unlock(hdev);
5722 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5725 struct hci_cp_le_conn_param_req_neg_reply cp;
5727 cp.handle = cpu_to_le16(handle);
5730 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5734 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5735 struct sk_buff *skb)
5737 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5738 struct hci_cp_le_conn_param_req_reply cp;
5739 struct hci_conn *hcon;
5740 u16 handle, min, max, latency, timeout;
5742 handle = le16_to_cpu(ev->handle);
5743 min = le16_to_cpu(ev->interval_min);
5744 max = le16_to_cpu(ev->interval_max);
5745 latency = le16_to_cpu(ev->latency);
5746 timeout = le16_to_cpu(ev->timeout);
5748 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5749 if (!hcon || hcon->state != BT_CONNECTED)
5750 return send_conn_param_neg_reply(hdev, handle,
5751 HCI_ERROR_UNKNOWN_CONN_ID);
5753 if (hci_check_conn_params(min, max, latency, timeout))
5754 return send_conn_param_neg_reply(hdev, handle,
5755 HCI_ERROR_INVALID_LL_PARAMS);
5757 if (hcon->role == HCI_ROLE_MASTER) {
5758 struct hci_conn_params *params;
5763 params = hci_conn_params_lookup(hdev, &hcon->dst,
5766 params->conn_min_interval = min;
5767 params->conn_max_interval = max;
5768 params->conn_latency = latency;
5769 params->supervision_timeout = timeout;
5775 hci_dev_unlock(hdev);
5777 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5778 store_hint, min, max, latency, timeout);
5781 cp.handle = ev->handle;
5782 cp.interval_min = ev->interval_min;
5783 cp.interval_max = ev->interval_max;
5784 cp.latency = ev->latency;
5785 cp.timeout = ev->timeout;
5789 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5792 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5793 struct sk_buff *skb)
5795 u8 num_reports = skb->data[0];
5796 void *ptr = &skb->data[1];
5800 while (num_reports--) {
5801 struct hci_ev_le_direct_adv_info *ev = ptr;
5803 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5804 ev->bdaddr_type, &ev->direct_addr,
5805 ev->direct_addr_type, ev->rssi, NULL, 0);
5810 hci_dev_unlock(hdev);
5813 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5815 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5817 skb_pull(skb, sizeof(*le_ev));
5819 switch (le_ev->subevent) {
5820 case HCI_EV_LE_CONN_COMPLETE:
5821 hci_le_conn_complete_evt(hdev, skb);
5824 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5825 hci_le_conn_update_complete_evt(hdev, skb);
5828 case HCI_EV_LE_ADVERTISING_REPORT:
5829 hci_le_adv_report_evt(hdev, skb);
5832 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5833 hci_le_remote_feat_complete_evt(hdev, skb);
5836 case HCI_EV_LE_LTK_REQ:
5837 hci_le_ltk_request_evt(hdev, skb);
5840 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5841 hci_le_remote_conn_param_req_evt(hdev, skb);
5844 case HCI_EV_LE_DIRECT_ADV_REPORT:
5845 hci_le_direct_adv_report_evt(hdev, skb);
5848 case HCI_EV_LE_EXT_ADV_REPORT:
5849 hci_le_ext_adv_report_evt(hdev, skb);
5852 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5853 hci_le_enh_conn_complete_evt(hdev, skb);
5856 case HCI_EV_LE_EXT_ADV_SET_TERM:
5857 hci_le_ext_adv_term_evt(hdev, skb);
5865 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5866 u8 event, struct sk_buff *skb)
5868 struct hci_ev_cmd_complete *ev;
5869 struct hci_event_hdr *hdr;
5874 if (skb->len < sizeof(*hdr)) {
5875 bt_dev_err(hdev, "too short HCI event");
5879 hdr = (void *) skb->data;
5880 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5883 if (hdr->evt != event)
5888 /* Check if request ended in Command Status - no way to retreive
5889 * any extra parameters in this case.
5891 if (hdr->evt == HCI_EV_CMD_STATUS)
5894 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5895 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5900 if (skb->len < sizeof(*ev)) {
5901 bt_dev_err(hdev, "too short cmd_complete event");
5905 ev = (void *) skb->data;
5906 skb_pull(skb, sizeof(*ev));
5908 if (opcode != __le16_to_cpu(ev->opcode)) {
5909 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5910 __le16_to_cpu(ev->opcode));
5917 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5919 struct hci_event_hdr *hdr = (void *) skb->data;
5920 hci_req_complete_t req_complete = NULL;
5921 hci_req_complete_skb_t req_complete_skb = NULL;
5922 struct sk_buff *orig_skb = NULL;
5923 u8 status = 0, event = hdr->evt, req_evt = 0;
5924 u16 opcode = HCI_OP_NOP;
5926 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5927 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5928 opcode = __le16_to_cpu(cmd_hdr->opcode);
5929 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5934 /* If it looks like we might end up having to call
5935 * req_complete_skb, store a pristine copy of the skb since the
5936 * various handlers may modify the original one through
5937 * skb_pull() calls, etc.
5939 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5940 event == HCI_EV_CMD_COMPLETE)
5941 orig_skb = skb_clone(skb, GFP_KERNEL);
5943 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5946 case HCI_EV_INQUIRY_COMPLETE:
5947 hci_inquiry_complete_evt(hdev, skb);
5950 case HCI_EV_INQUIRY_RESULT:
5951 hci_inquiry_result_evt(hdev, skb);
5954 case HCI_EV_CONN_COMPLETE:
5955 hci_conn_complete_evt(hdev, skb);
5958 case HCI_EV_CONN_REQUEST:
5959 hci_conn_request_evt(hdev, skb);
5962 case HCI_EV_DISCONN_COMPLETE:
5963 hci_disconn_complete_evt(hdev, skb);
5966 case HCI_EV_AUTH_COMPLETE:
5967 hci_auth_complete_evt(hdev, skb);
5970 case HCI_EV_REMOTE_NAME:
5971 hci_remote_name_evt(hdev, skb);
5974 case HCI_EV_ENCRYPT_CHANGE:
5975 hci_encrypt_change_evt(hdev, skb);
5978 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5979 hci_change_link_key_complete_evt(hdev, skb);
5982 case HCI_EV_REMOTE_FEATURES:
5983 hci_remote_features_evt(hdev, skb);
5986 case HCI_EV_CMD_COMPLETE:
5987 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5988 &req_complete, &req_complete_skb);
5991 case HCI_EV_CMD_STATUS:
5992 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5996 case HCI_EV_HARDWARE_ERROR:
5997 hci_hardware_error_evt(hdev, skb);
6000 case HCI_EV_ROLE_CHANGE:
6001 hci_role_change_evt(hdev, skb);
6004 case HCI_EV_NUM_COMP_PKTS:
6005 hci_num_comp_pkts_evt(hdev, skb);
6008 case HCI_EV_MODE_CHANGE:
6009 hci_mode_change_evt(hdev, skb);
6012 case HCI_EV_PIN_CODE_REQ:
6013 hci_pin_code_request_evt(hdev, skb);
6016 case HCI_EV_LINK_KEY_REQ:
6017 hci_link_key_request_evt(hdev, skb);
6020 case HCI_EV_LINK_KEY_NOTIFY:
6021 hci_link_key_notify_evt(hdev, skb);
6024 case HCI_EV_CLOCK_OFFSET:
6025 hci_clock_offset_evt(hdev, skb);
6028 case HCI_EV_PKT_TYPE_CHANGE:
6029 hci_pkt_type_change_evt(hdev, skb);
6032 case HCI_EV_PSCAN_REP_MODE:
6033 hci_pscan_rep_mode_evt(hdev, skb);
6036 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6037 hci_inquiry_result_with_rssi_evt(hdev, skb);
6040 case HCI_EV_REMOTE_EXT_FEATURES:
6041 hci_remote_ext_features_evt(hdev, skb);
6044 case HCI_EV_SYNC_CONN_COMPLETE:
6045 hci_sync_conn_complete_evt(hdev, skb);
6048 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6049 hci_extended_inquiry_result_evt(hdev, skb);
6052 case HCI_EV_KEY_REFRESH_COMPLETE:
6053 hci_key_refresh_complete_evt(hdev, skb);
6056 case HCI_EV_IO_CAPA_REQUEST:
6057 hci_io_capa_request_evt(hdev, skb);
6060 case HCI_EV_IO_CAPA_REPLY:
6061 hci_io_capa_reply_evt(hdev, skb);
6064 case HCI_EV_USER_CONFIRM_REQUEST:
6065 hci_user_confirm_request_evt(hdev, skb);
6068 case HCI_EV_USER_PASSKEY_REQUEST:
6069 hci_user_passkey_request_evt(hdev, skb);
6072 case HCI_EV_USER_PASSKEY_NOTIFY:
6073 hci_user_passkey_notify_evt(hdev, skb);
6076 case HCI_EV_KEYPRESS_NOTIFY:
6077 hci_keypress_notify_evt(hdev, skb);
6080 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6081 hci_simple_pair_complete_evt(hdev, skb);
6084 case HCI_EV_REMOTE_HOST_FEATURES:
6085 hci_remote_host_features_evt(hdev, skb);
6088 case HCI_EV_LE_META:
6089 hci_le_meta_evt(hdev, skb);
6092 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6093 hci_remote_oob_data_request_evt(hdev, skb);
6096 #if IS_ENABLED(CONFIG_BT_HS)
6097 case HCI_EV_CHANNEL_SELECTED:
6098 hci_chan_selected_evt(hdev, skb);
6101 case HCI_EV_PHY_LINK_COMPLETE:
6102 hci_phy_link_complete_evt(hdev, skb);
6105 case HCI_EV_LOGICAL_LINK_COMPLETE:
6106 hci_loglink_complete_evt(hdev, skb);
6109 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6110 hci_disconn_loglink_complete_evt(hdev, skb);
6113 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6114 hci_disconn_phylink_complete_evt(hdev, skb);
6118 case HCI_EV_NUM_COMP_BLOCKS:
6119 hci_num_comp_blocks_evt(hdev, skb);
6123 case HCI_EV_VENDOR_SPECIFIC:
6124 hci_vendor_specific_evt(hdev, skb);
6129 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6134 req_complete(hdev, status, opcode);
6135 } else if (req_complete_skb) {
6136 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6137 kfree_skb(orig_skb);
6140 req_complete_skb(hdev, status, opcode, orig_skb);
6143 kfree_skb(orig_skb);
6145 hdev->stat.evt_rx++;