2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
41 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
42 "\x00\x00\x00\x00\x00\x00\x00\x00"
44 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
46 /* Handle HCI Event packets */
48 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
53 data = skb_pull_data(skb, len);
55 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
60 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
65 data = skb_pull_data(skb, len);
67 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
72 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
77 data = skb_pull_data(skb, len);
79 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
84 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
87 struct hci_ev_status *rp = data;
89 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
91 /* It is possible that we receive Inquiry Complete event right
92 * before we receive Inquiry Cancel Command Complete event, in
93 * which case the latter event should have status of Command
94 * Disallowed (0x0c). This should not be treated as error, since
95 * we actually achieve what Inquiry Cancel wants to achieve,
96 * which is to end the last Inquiry session.
98 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
99 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
106 clear_bit(HCI_INQUIRY, &hdev->flags);
107 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
108 wake_up_bit(&hdev->flags, HCI_INQUIRY);
111 /* Set discovery state to stopped if we're not doing LE active
114 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
115 hdev->le_scan_type != LE_SCAN_ACTIVE)
116 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
117 hci_dev_unlock(hdev);
119 hci_conn_check_pending(hdev);
124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
127 struct hci_ev_status *rp = data;
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
142 struct hci_ev_status *rp = data;
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
151 hci_conn_check_pending(hdev);
156 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
159 struct hci_ev_status *rp = data;
161 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
166 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
169 struct hci_rp_role_discovery *rp = data;
170 struct hci_conn *conn;
172 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
181 conn->role = rp->role;
183 hci_dev_unlock(hdev);
188 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
191 struct hci_rp_read_link_policy *rp = data;
192 struct hci_conn *conn;
194 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
201 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
203 conn->link_policy = __le16_to_cpu(rp->policy);
205 hci_dev_unlock(hdev);
210 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
213 struct hci_rp_write_link_policy *rp = data;
214 struct hci_conn *conn;
217 struct hci_cp_write_link_policy cp;
218 struct hci_conn *sco_conn;
221 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
226 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
234 conn->link_policy = get_unaligned_le16(sent + 2);
237 sco_conn = hci_conn_hash_lookup_sco(hdev);
238 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
239 conn->link_policy & HCI_LP_SNIFF) {
240 BT_ERR("SNIFF is not allowed during sco connection");
241 cp.handle = __cpu_to_le16(conn->handle);
242 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
243 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
247 hci_dev_unlock(hdev);
252 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
255 struct hci_rp_read_def_link_policy *rp = data;
257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
262 hdev->link_policy = __le16_to_cpu(rp->policy);
267 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
270 struct hci_ev_status *rp = data;
273 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
278 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
282 hdev->link_policy = get_unaligned_le16(sent);
287 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
289 struct hci_ev_status *rp = data;
291 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
293 clear_bit(HCI_RESET, &hdev->flags);
298 /* Reset all non-persistent flags */
299 hci_dev_clear_volatile_flags(hdev);
301 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
303 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
304 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
306 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
307 hdev->adv_data_len = 0;
309 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
310 hdev->scan_rsp_data_len = 0;
312 hdev->le_scan_type = LE_SCAN_PASSIVE;
314 hdev->ssp_debug_mode = 0;
316 hci_bdaddr_list_clear(&hdev->le_accept_list);
317 hci_bdaddr_list_clear(&hdev->le_resolv_list);
322 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
325 struct hci_rp_read_stored_link_key *rp = data;
326 struct hci_cp_read_stored_link_key *sent;
328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
330 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
334 if (!rp->status && sent->read_all == 0x01) {
335 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
336 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
342 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
345 struct hci_rp_delete_stored_link_key *rp = data;
348 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
353 num_keys = le16_to_cpu(rp->num_keys);
355 if (num_keys <= hdev->stored_num_keys)
356 hdev->stored_num_keys -= num_keys;
358 hdev->stored_num_keys = 0;
363 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
366 struct hci_ev_status *rp = data;
369 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
377 if (hci_dev_test_flag(hdev, HCI_MGMT))
378 mgmt_set_local_name_complete(hdev, sent, rp->status);
379 else if (!rp->status)
380 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
382 hci_dev_unlock(hdev);
387 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
390 struct hci_rp_read_local_name *rp = data;
392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
397 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
398 hci_dev_test_flag(hdev, HCI_CONFIG))
399 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
404 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
407 struct hci_ev_status *rp = data;
410 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
412 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
419 __u8 param = *((__u8 *) sent);
421 if (param == AUTH_ENABLED)
422 set_bit(HCI_AUTH, &hdev->flags);
424 clear_bit(HCI_AUTH, &hdev->flags);
427 if (hci_dev_test_flag(hdev, HCI_MGMT))
428 mgmt_auth_enable_complete(hdev, rp->status);
430 hci_dev_unlock(hdev);
435 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
438 struct hci_ev_status *rp = data;
442 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
447 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
451 param = *((__u8 *) sent);
454 set_bit(HCI_ENCRYPT, &hdev->flags);
456 clear_bit(HCI_ENCRYPT, &hdev->flags);
461 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
464 struct hci_ev_status *rp = data;
468 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
474 param = *((__u8 *) sent);
479 hdev->discov_timeout = 0;
483 if (param & SCAN_INQUIRY)
484 set_bit(HCI_ISCAN, &hdev->flags);
486 clear_bit(HCI_ISCAN, &hdev->flags);
488 if (param & SCAN_PAGE)
489 set_bit(HCI_PSCAN, &hdev->flags);
491 clear_bit(HCI_PSCAN, &hdev->flags);
494 hci_dev_unlock(hdev);
499 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
502 struct hci_ev_status *rp = data;
503 struct hci_cp_set_event_filter *cp;
506 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
511 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
515 cp = (struct hci_cp_set_event_filter *)sent;
517 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
518 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
520 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
525 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
528 struct hci_rp_read_class_of_dev *rp = data;
530 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
535 memcpy(hdev->dev_class, rp->dev_class, 3);
537 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
538 hdev->dev_class[1], hdev->dev_class[0]);
543 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
546 struct hci_ev_status *rp = data;
549 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
551 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
558 memcpy(hdev->dev_class, sent, 3);
560 if (hci_dev_test_flag(hdev, HCI_MGMT))
561 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
563 hci_dev_unlock(hdev);
568 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
571 struct hci_rp_read_voice_setting *rp = data;
574 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
579 setting = __le16_to_cpu(rp->voice_setting);
581 if (hdev->voice_setting == setting)
584 hdev->voice_setting = setting;
586 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
589 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
594 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
597 struct hci_ev_status *rp = data;
601 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
606 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
610 setting = get_unaligned_le16(sent);
612 if (hdev->voice_setting == setting)
615 hdev->voice_setting = setting;
617 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
620 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
625 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
628 struct hci_rp_read_num_supported_iac *rp = data;
630 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
635 hdev->num_iac = rp->num_iac;
637 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
642 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
645 struct hci_ev_status *rp = data;
646 struct hci_cp_write_ssp_mode *sent;
648 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
650 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
658 hdev->features[1][0] |= LMP_HOST_SSP;
660 hdev->features[1][0] &= ~LMP_HOST_SSP;
665 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
667 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
670 hci_dev_unlock(hdev);
675 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
678 struct hci_ev_status *rp = data;
679 struct hci_cp_write_sc_support *sent;
681 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
683 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
691 hdev->features[1][0] |= LMP_HOST_SC;
693 hdev->features[1][0] &= ~LMP_HOST_SC;
696 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
698 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
700 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
703 hci_dev_unlock(hdev);
708 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
711 struct hci_rp_read_local_version *rp = data;
713 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
718 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
719 hci_dev_test_flag(hdev, HCI_CONFIG)) {
720 hdev->hci_ver = rp->hci_ver;
721 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
722 hdev->lmp_ver = rp->lmp_ver;
723 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
724 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
730 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
733 struct hci_rp_read_enc_key_size *rp = data;
734 struct hci_conn *conn;
736 u8 status = rp->status;
738 bt_dev_dbg(hdev, "status 0x%2.2x", status);
740 handle = le16_to_cpu(rp->handle);
744 conn = hci_conn_hash_lookup_handle(hdev, handle);
750 /* While unexpected, the read_enc_key_size command may fail. The most
751 * secure approach is to then assume the key size is 0 to force a
755 bt_dev_err(hdev, "failed to read key size for handle %u",
757 conn->enc_key_size = 0;
759 conn->enc_key_size = rp->key_size;
763 hci_encrypt_cfm(conn, 0);
766 hci_dev_unlock(hdev);
771 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
774 struct hci_rp_read_local_commands *rp = data;
776 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
781 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
782 hci_dev_test_flag(hdev, HCI_CONFIG))
783 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
788 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
791 struct hci_rp_read_auth_payload_to *rp = data;
792 struct hci_conn *conn;
794 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
801 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
803 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
805 hci_dev_unlock(hdev);
810 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
813 struct hci_rp_write_auth_payload_to *rp = data;
814 struct hci_conn *conn;
817 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
822 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
828 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
830 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
832 hci_dev_unlock(hdev);
837 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
840 struct hci_rp_read_local_features *rp = data;
842 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
847 memcpy(hdev->features, rp->features, 8);
849 /* Adjust default settings according to features
850 * supported by device. */
852 if (hdev->features[0][0] & LMP_3SLOT)
853 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
855 if (hdev->features[0][0] & LMP_5SLOT)
856 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
858 if (hdev->features[0][1] & LMP_HV2) {
859 hdev->pkt_type |= (HCI_HV2);
860 hdev->esco_type |= (ESCO_HV2);
863 if (hdev->features[0][1] & LMP_HV3) {
864 hdev->pkt_type |= (HCI_HV3);
865 hdev->esco_type |= (ESCO_HV3);
868 if (lmp_esco_capable(hdev))
869 hdev->esco_type |= (ESCO_EV3);
871 if (hdev->features[0][4] & LMP_EV4)
872 hdev->esco_type |= (ESCO_EV4);
874 if (hdev->features[0][4] & LMP_EV5)
875 hdev->esco_type |= (ESCO_EV5);
877 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
878 hdev->esco_type |= (ESCO_2EV3);
880 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
881 hdev->esco_type |= (ESCO_3EV3);
883 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
884 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
889 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
892 struct hci_rp_read_local_ext_features *rp = data;
894 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
899 if (hdev->max_page < rp->max_page) {
900 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
902 bt_dev_warn(hdev, "broken local ext features page 2");
904 hdev->max_page = rp->max_page;
907 if (rp->page < HCI_MAX_PAGES)
908 memcpy(hdev->features[rp->page], rp->features, 8);
913 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
916 struct hci_rp_read_flow_control_mode *rp = data;
918 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
923 hdev->flow_ctl_mode = rp->mode;
928 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
931 struct hci_rp_read_buffer_size *rp = data;
933 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
938 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
939 hdev->sco_mtu = rp->sco_mtu;
940 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
941 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
943 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
948 hdev->acl_cnt = hdev->acl_pkts;
949 hdev->sco_cnt = hdev->sco_pkts;
951 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
952 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
957 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
960 struct hci_rp_read_bd_addr *rp = data;
962 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
967 if (test_bit(HCI_INIT, &hdev->flags))
968 bacpy(&hdev->bdaddr, &rp->bdaddr);
970 if (hci_dev_test_flag(hdev, HCI_SETUP))
971 bacpy(&hdev->setup_addr, &rp->bdaddr);
976 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
979 struct hci_rp_read_local_pairing_opts *rp = data;
981 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
986 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
987 hci_dev_test_flag(hdev, HCI_CONFIG)) {
988 hdev->pairing_opts = rp->pairing_opts;
989 hdev->max_enc_key_size = rp->max_key_size;
995 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
998 struct hci_rp_read_page_scan_activity *rp = data;
1000 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1005 if (test_bit(HCI_INIT, &hdev->flags)) {
1006 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1007 hdev->page_scan_window = __le16_to_cpu(rp->window);
1013 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1014 struct sk_buff *skb)
1016 struct hci_ev_status *rp = data;
1017 struct hci_cp_write_page_scan_activity *sent;
1019 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1024 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1028 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1029 hdev->page_scan_window = __le16_to_cpu(sent->window);
1034 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1035 struct sk_buff *skb)
1037 struct hci_rp_read_page_scan_type *rp = data;
1039 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1044 if (test_bit(HCI_INIT, &hdev->flags))
1045 hdev->page_scan_type = rp->type;
1050 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1051 struct sk_buff *skb)
1053 struct hci_ev_status *rp = data;
1056 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1061 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1063 hdev->page_scan_type = *type;
1068 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1069 struct sk_buff *skb)
1071 struct hci_rp_read_data_block_size *rp = data;
1073 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1078 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1079 hdev->block_len = __le16_to_cpu(rp->block_len);
1080 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1082 hdev->block_cnt = hdev->num_blocks;
1084 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1085 hdev->block_cnt, hdev->block_len);
1090 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1091 struct sk_buff *skb)
1093 struct hci_rp_read_clock *rp = data;
1094 struct hci_cp_read_clock *cp;
1095 struct hci_conn *conn;
1097 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1104 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1108 if (cp->which == 0x00) {
1109 hdev->clock = le32_to_cpu(rp->clock);
1113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1115 conn->clock = le32_to_cpu(rp->clock);
1116 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1120 hci_dev_unlock(hdev);
1124 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1125 struct sk_buff *skb)
1127 struct hci_rp_read_local_amp_info *rp = data;
1129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1134 hdev->amp_status = rp->amp_status;
1135 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1136 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1137 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1138 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1139 hdev->amp_type = rp->amp_type;
1140 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1141 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1142 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1143 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1148 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1149 struct sk_buff *skb)
1151 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1158 hdev->inq_tx_power = rp->tx_power;
1163 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1164 struct sk_buff *skb)
1166 struct hci_rp_read_def_err_data_reporting *rp = data;
1168 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1173 hdev->err_data_reporting = rp->err_data_reporting;
1178 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1179 struct sk_buff *skb)
1181 struct hci_ev_status *rp = data;
1182 struct hci_cp_write_def_err_data_reporting *cp;
1184 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1189 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1193 hdev->err_data_reporting = cp->err_data_reporting;
1198 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1199 struct sk_buff *skb)
1201 struct hci_rp_pin_code_reply *rp = data;
1202 struct hci_cp_pin_code_reply *cp;
1203 struct hci_conn *conn;
1205 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1209 if (hci_dev_test_flag(hdev, HCI_MGMT))
1210 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1215 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1219 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1221 conn->pin_length = cp->pin_len;
1224 hci_dev_unlock(hdev);
1228 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1229 struct sk_buff *skb)
1231 struct hci_rp_pin_code_neg_reply *rp = data;
1233 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1237 if (hci_dev_test_flag(hdev, HCI_MGMT))
1238 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1241 hci_dev_unlock(hdev);
1246 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1247 struct sk_buff *skb)
1249 struct hci_rp_le_read_buffer_size *rp = data;
1251 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1256 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1257 hdev->le_pkts = rp->le_max_pkt;
1259 hdev->le_cnt = hdev->le_pkts;
1261 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1266 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1267 struct sk_buff *skb)
1269 struct hci_rp_le_read_local_features *rp = data;
1271 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1276 memcpy(hdev->le_features, rp->features, 8);
1281 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1282 struct sk_buff *skb)
1284 struct hci_rp_le_read_adv_tx_power *rp = data;
1286 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1291 hdev->adv_tx_power = rp->tx_power;
1296 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1297 struct sk_buff *skb)
1299 struct hci_rp_user_confirm_reply *rp = data;
1301 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1305 if (hci_dev_test_flag(hdev, HCI_MGMT))
1306 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1309 hci_dev_unlock(hdev);
1314 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1315 struct sk_buff *skb)
1317 struct hci_rp_user_confirm_reply *rp = data;
1319 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1323 if (hci_dev_test_flag(hdev, HCI_MGMT))
1324 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1325 ACL_LINK, 0, rp->status);
1327 hci_dev_unlock(hdev);
1332 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1333 struct sk_buff *skb)
1335 struct hci_rp_user_confirm_reply *rp = data;
1337 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1341 if (hci_dev_test_flag(hdev, HCI_MGMT))
1342 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1345 hci_dev_unlock(hdev);
1350 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1351 struct sk_buff *skb)
1353 struct hci_rp_user_confirm_reply *rp = data;
1355 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1359 if (hci_dev_test_flag(hdev, HCI_MGMT))
1360 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1361 ACL_LINK, 0, rp->status);
1363 hci_dev_unlock(hdev);
1368 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1369 struct sk_buff *skb)
1371 struct hci_rp_read_local_oob_data *rp = data;
1373 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1378 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1379 struct sk_buff *skb)
1381 struct hci_rp_read_local_oob_ext_data *rp = data;
1383 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1388 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1389 struct sk_buff *skb)
1391 struct hci_ev_status *rp = data;
1394 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1399 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1405 bacpy(&hdev->random_addr, sent);
1407 if (!bacmp(&hdev->rpa, sent)) {
1408 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1409 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1410 secs_to_jiffies(hdev->rpa_timeout));
1413 hci_dev_unlock(hdev);
1418 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1419 struct sk_buff *skb)
1421 struct hci_ev_status *rp = data;
1422 struct hci_cp_le_set_default_phy *cp;
1424 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1429 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1435 hdev->le_tx_def_phys = cp->tx_phys;
1436 hdev->le_rx_def_phys = cp->rx_phys;
1438 hci_dev_unlock(hdev);
1443 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1444 struct sk_buff *skb)
1446 struct hci_ev_status *rp = data;
1447 struct hci_cp_le_set_adv_set_rand_addr *cp;
1448 struct adv_info *adv;
1450 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1455 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1456 /* Update only in case the adv instance since handle 0x00 shall be using
1457 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1458 * non-extended adverting.
1460 if (!cp || !cp->handle)
1465 adv = hci_find_adv_instance(hdev, cp->handle);
1467 bacpy(&adv->random_addr, &cp->bdaddr);
1468 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1469 adv->rpa_expired = false;
1470 queue_delayed_work(hdev->workqueue,
1471 &adv->rpa_expired_cb,
1472 secs_to_jiffies(hdev->rpa_timeout));
1476 hci_dev_unlock(hdev);
1481 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1482 struct sk_buff *skb)
1484 struct hci_ev_status *rp = data;
1488 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1493 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1499 err = hci_remove_adv_instance(hdev, *instance);
1501 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1504 hci_dev_unlock(hdev);
1509 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1510 struct sk_buff *skb)
1512 struct hci_ev_status *rp = data;
1513 struct adv_info *adv, *n;
1516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1521 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1526 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1527 u8 instance = adv->instance;
1529 err = hci_remove_adv_instance(hdev, instance);
1531 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1535 hci_dev_unlock(hdev);
1540 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1541 struct sk_buff *skb)
1543 struct hci_rp_le_read_transmit_power *rp = data;
1545 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1550 hdev->min_le_tx_power = rp->min_le_tx_power;
1551 hdev->max_le_tx_power = rp->max_le_tx_power;
1556 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1557 struct sk_buff *skb)
1559 struct hci_ev_status *rp = data;
1560 struct hci_cp_le_set_privacy_mode *cp;
1561 struct hci_conn_params *params;
1563 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1568 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1574 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1576 params->privacy_mode = cp->mode;
1578 hci_dev_unlock(hdev);
1583 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1584 struct sk_buff *skb)
1586 struct hci_ev_status *rp = data;
1589 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1594 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1600 /* If we're doing connection initiation as peripheral. Set a
1601 * timeout in case something goes wrong.
1604 struct hci_conn *conn;
1606 hci_dev_set_flag(hdev, HCI_LE_ADV);
1608 conn = hci_lookup_le_connect(hdev);
1610 queue_delayed_work(hdev->workqueue,
1611 &conn->le_conn_timeout,
1612 conn->conn_timeout);
1614 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1617 hci_dev_unlock(hdev);
1622 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1623 struct sk_buff *skb)
1625 struct hci_cp_le_set_ext_adv_enable *cp;
1626 struct hci_cp_ext_adv_set *set;
1627 struct adv_info *adv = NULL, *n;
1628 struct hci_ev_status *rp = data;
1630 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1635 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1639 set = (void *)cp->data;
1643 if (cp->num_of_sets)
1644 adv = hci_find_adv_instance(hdev, set->handle);
1647 struct hci_conn *conn;
1649 hci_dev_set_flag(hdev, HCI_LE_ADV);
1652 adv->enabled = true;
1654 conn = hci_lookup_le_connect(hdev);
1656 queue_delayed_work(hdev->workqueue,
1657 &conn->le_conn_timeout,
1658 conn->conn_timeout);
1660 if (cp->num_of_sets) {
1662 adv->enabled = false;
1664 /* If just one instance was disabled check if there are
1665 * any other instance enabled before clearing HCI_LE_ADV
1667 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1673 /* All instances shall be considered disabled */
1674 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1676 adv->enabled = false;
1679 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1683 hci_dev_unlock(hdev);
1687 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1688 struct sk_buff *skb)
1690 struct hci_cp_le_set_scan_param *cp;
1691 struct hci_ev_status *rp = data;
1693 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1698 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1704 hdev->le_scan_type = cp->type;
1706 hci_dev_unlock(hdev);
1711 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1712 struct sk_buff *skb)
1714 struct hci_cp_le_set_ext_scan_params *cp;
1715 struct hci_ev_status *rp = data;
1716 struct hci_cp_le_scan_phy_params *phy_param;
1718 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1723 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1727 phy_param = (void *)cp->data;
1731 hdev->le_scan_type = phy_param->type;
1733 hci_dev_unlock(hdev);
1738 static bool has_pending_adv_report(struct hci_dev *hdev)
1740 struct discovery_state *d = &hdev->discovery;
1742 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1745 static void clear_pending_adv_report(struct hci_dev *hdev)
1747 struct discovery_state *d = &hdev->discovery;
1749 bacpy(&d->last_adv_addr, BDADDR_ANY);
1750 d->last_adv_data_len = 0;
1754 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1755 u8 bdaddr_type, s8 rssi, u32 flags,
1758 struct discovery_state *d = &hdev->discovery;
1760 if (len > HCI_MAX_AD_LENGTH)
1763 bacpy(&d->last_adv_addr, bdaddr);
1764 d->last_adv_addr_type = bdaddr_type;
1765 d->last_adv_rssi = rssi;
1766 d->last_adv_flags = flags;
1767 memcpy(d->last_adv_data, data, len);
1768 d->last_adv_data_len = len;
1772 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1777 case LE_SCAN_ENABLE:
1778 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1779 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1780 clear_pending_adv_report(hdev);
1781 if (hci_dev_test_flag(hdev, HCI_MESH))
1782 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1785 case LE_SCAN_DISABLE:
1786 /* We do this here instead of when setting DISCOVERY_STOPPED
1787 * since the latter would potentially require waiting for
1788 * inquiry to stop too.
1790 if (has_pending_adv_report(hdev)) {
1791 struct discovery_state *d = &hdev->discovery;
1793 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1794 d->last_adv_addr_type, NULL,
1795 d->last_adv_rssi, d->last_adv_flags,
1797 d->last_adv_data_len, NULL, 0, 0);
1800 /* Cancel this timer so that we don't try to disable scanning
1801 * when it's already disabled.
1803 cancel_delayed_work(&hdev->le_scan_disable);
1805 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1807 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1808 * interrupted scanning due to a connect request. Mark
1809 * therefore discovery as stopped.
1811 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1812 #ifndef TIZEN_BT /* The below line is kernel bug. */
1813 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1815 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1817 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1818 hdev->discovery.state == DISCOVERY_FINDING)
1819 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1824 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1829 hci_dev_unlock(hdev);
1832 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1833 struct sk_buff *skb)
1835 struct hci_cp_le_set_scan_enable *cp;
1836 struct hci_ev_status *rp = data;
1838 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1843 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1847 le_set_scan_enable_complete(hdev, cp->enable);
1852 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1853 struct sk_buff *skb)
1855 struct hci_cp_le_set_ext_scan_enable *cp;
1856 struct hci_ev_status *rp = data;
1858 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1863 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1867 le_set_scan_enable_complete(hdev, cp->enable);
1872 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1873 struct sk_buff *skb)
1875 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1877 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1883 hdev->le_num_of_adv_sets = rp->num_of_sets;
1888 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1889 struct sk_buff *skb)
1891 struct hci_rp_le_read_accept_list_size *rp = data;
1893 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1898 hdev->le_accept_list_size = rp->size;
1903 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1904 struct sk_buff *skb)
1906 struct hci_ev_status *rp = data;
1908 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1914 hci_bdaddr_list_clear(&hdev->le_accept_list);
1915 hci_dev_unlock(hdev);
1920 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1921 struct sk_buff *skb)
1923 struct hci_cp_le_add_to_accept_list *sent;
1924 struct hci_ev_status *rp = data;
1926 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1931 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1936 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1938 hci_dev_unlock(hdev);
1943 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1944 struct sk_buff *skb)
1946 struct hci_cp_le_del_from_accept_list *sent;
1947 struct hci_ev_status *rp = data;
1949 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1954 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1959 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1961 hci_dev_unlock(hdev);
1966 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1967 struct sk_buff *skb)
1969 struct hci_rp_le_read_supported_states *rp = data;
1971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1976 memcpy(hdev->le_states, rp->le_states, 8);
1981 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1982 struct sk_buff *skb)
1984 struct hci_rp_le_read_def_data_len *rp = data;
1986 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1991 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1992 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1997 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1998 struct sk_buff *skb)
2000 struct hci_cp_le_write_def_data_len *sent;
2001 struct hci_ev_status *rp = data;
2003 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2012 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2020 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2021 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2026 mgmt_le_write_host_suggested_data_length_complete(hdev, rp->status);
2031 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2032 struct sk_buff *skb)
2034 struct hci_cp_le_add_to_resolv_list *sent;
2035 struct hci_ev_status *rp = data;
2037 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2042 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2047 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2048 sent->bdaddr_type, sent->peer_irk,
2050 hci_dev_unlock(hdev);
2055 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2056 struct sk_buff *skb)
2058 struct hci_cp_le_del_from_resolv_list *sent;
2059 struct hci_ev_status *rp = data;
2061 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2066 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2071 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2073 hci_dev_unlock(hdev);
2078 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2079 struct sk_buff *skb)
2081 struct hci_ev_status *rp = data;
2083 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2089 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2090 hci_dev_unlock(hdev);
2095 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2096 struct sk_buff *skb)
2098 struct hci_rp_le_read_resolv_list_size *rp = data;
2100 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2105 hdev->le_resolv_list_size = rp->size;
2110 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2111 struct sk_buff *skb)
2113 struct hci_ev_status *rp = data;
2116 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2121 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2128 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2130 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2132 hci_dev_unlock(hdev);
2137 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2138 struct sk_buff *skb)
2140 struct hci_rp_le_read_max_data_len *rp = data;
2142 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2151 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2152 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2153 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2154 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2157 mgmt_le_read_maximum_data_length_complete(hdev, rp->status);
2158 hci_dev_unlock(hdev);
2164 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2165 struct sk_buff *skb)
2167 struct hci_cp_write_le_host_supported *sent;
2168 struct hci_ev_status *rp = data;
2170 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2175 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2182 hdev->features[1][0] |= LMP_HOST_LE;
2183 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2185 hdev->features[1][0] &= ~LMP_HOST_LE;
2186 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2187 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2191 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2193 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2195 hci_dev_unlock(hdev);
2200 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2201 struct sk_buff *skb)
2203 struct hci_cp_le_set_adv_param *cp;
2204 struct hci_ev_status *rp = data;
2206 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2211 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2216 hdev->adv_addr_type = cp->own_address_type;
2217 hci_dev_unlock(hdev);
2222 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2223 struct sk_buff *skb)
2225 struct hci_rp_le_set_ext_adv_params *rp = data;
2226 struct hci_cp_le_set_ext_adv_params *cp;
2227 struct adv_info *adv_instance;
2229 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2234 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2239 hdev->adv_addr_type = cp->own_addr_type;
2241 /* Store in hdev for instance 0 */
2242 hdev->adv_tx_power = rp->tx_power;
2244 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2246 adv_instance->tx_power = rp->tx_power;
2248 /* Update adv data as tx power is known now */
2249 hci_update_adv_data(hdev, cp->handle);
2251 hci_dev_unlock(hdev);
2257 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2258 struct sk_buff *skb)
2260 struct hci_cc_rsp_enable_rssi *rp = data;
2262 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2263 hdev->name, rp->status, rp->le_ext_opcode);
2265 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2270 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2271 struct sk_buff *skb)
2273 struct hci_cc_rp_get_raw_rssi *rp = data;
2275 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2276 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2278 mgmt_raw_rssi_response(hdev, rp, rp->status);
2283 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2284 struct sk_buff *skb)
2286 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2288 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2290 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2294 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2295 struct sk_buff *skb)
2297 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2298 __u8 event_le_ext_sub_code;
2300 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2301 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2303 skb_pull(skb, sizeof(*ev));
2304 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2306 switch (event_le_ext_sub_code) {
2307 case LE_RSSI_LINK_ALERT:
2308 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2316 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
2317 struct sk_buff *skb)
2319 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
2321 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
2323 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
2324 ev->state_change_reason,
2325 ev->connection_handle);
2328 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2329 struct sk_buff *skb)
2331 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2332 __u8 event_sub_code;
2334 BT_DBG("hci_vendor_specific_evt");
2336 skb_pull(skb, sizeof(*ev));
2337 event_sub_code = ev->event_sub_code;
2339 switch (event_sub_code) {
2340 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2341 hci_vendor_specific_group_ext_evt(hdev, skb);
2344 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
2345 hci_vendor_multi_adv_state_change_evt(hdev, skb);
2354 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2355 struct sk_buff *skb)
2357 struct hci_rp_read_rssi *rp = data;
2358 struct hci_conn *conn;
2360 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2367 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2369 conn->rssi = rp->rssi;
2371 hci_dev_unlock(hdev);
2376 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2377 struct sk_buff *skb)
2379 struct hci_cp_read_tx_power *sent;
2380 struct hci_rp_read_tx_power *rp = data;
2381 struct hci_conn *conn;
2383 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2388 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2394 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2398 switch (sent->type) {
2400 conn->tx_power = rp->tx_power;
2403 conn->max_tx_power = rp->tx_power;
2408 hci_dev_unlock(hdev);
2412 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2413 struct sk_buff *skb)
2415 struct hci_ev_status *rp = data;
2418 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2423 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2425 hdev->ssp_debug_mode = *mode;
2430 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2432 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2435 hci_conn_check_pending(hdev);
2439 set_bit(HCI_INQUIRY, &hdev->flags);
2442 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2444 struct hci_cp_create_conn *cp;
2445 struct hci_conn *conn;
2447 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2449 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2455 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2457 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2460 if (conn && conn->state == BT_CONNECT) {
2461 if (status != 0x0c || conn->attempt > 2) {
2462 conn->state = BT_CLOSED;
2463 hci_connect_cfm(conn, status);
2466 conn->state = BT_CONNECT2;
2470 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
2473 bt_dev_err(hdev, "no memory for new connection");
2477 hci_dev_unlock(hdev);
2480 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2482 struct hci_cp_add_sco *cp;
2483 struct hci_conn *acl, *sco;
2486 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2491 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2495 handle = __le16_to_cpu(cp->handle);
2497 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2501 acl = hci_conn_hash_lookup_handle(hdev, handle);
2505 sco->state = BT_CLOSED;
2507 hci_connect_cfm(sco, status);
2512 hci_dev_unlock(hdev);
2515 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2517 struct hci_cp_auth_requested *cp;
2518 struct hci_conn *conn;
2520 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2525 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2531 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2533 if (conn->state == BT_CONFIG) {
2534 hci_connect_cfm(conn, status);
2535 hci_conn_drop(conn);
2539 hci_dev_unlock(hdev);
2542 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2544 struct hci_cp_set_conn_encrypt *cp;
2545 struct hci_conn *conn;
2547 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2552 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2558 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2560 if (conn->state == BT_CONFIG) {
2561 hci_connect_cfm(conn, status);
2562 hci_conn_drop(conn);
2566 hci_dev_unlock(hdev);
2569 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2570 struct hci_conn *conn)
2572 if (conn->state != BT_CONFIG || !conn->out)
2575 if (conn->pending_sec_level == BT_SECURITY_SDP)
2578 /* Only request authentication for SSP connections or non-SSP
2579 * devices with sec_level MEDIUM or HIGH or if MITM protection
2582 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2583 conn->pending_sec_level != BT_SECURITY_FIPS &&
2584 conn->pending_sec_level != BT_SECURITY_HIGH &&
2585 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2591 static int hci_resolve_name(struct hci_dev *hdev,
2592 struct inquiry_entry *e)
2594 struct hci_cp_remote_name_req cp;
2596 memset(&cp, 0, sizeof(cp));
2598 bacpy(&cp.bdaddr, &e->data.bdaddr);
2599 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2600 cp.pscan_mode = e->data.pscan_mode;
2601 cp.clock_offset = e->data.clock_offset;
2603 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2606 static bool hci_resolve_next_name(struct hci_dev *hdev)
2608 struct discovery_state *discov = &hdev->discovery;
2609 struct inquiry_entry *e;
2611 if (list_empty(&discov->resolve))
2614 /* We should stop if we already spent too much time resolving names. */
2615 if (time_after(jiffies, discov->name_resolve_timeout)) {
2616 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2620 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2624 if (hci_resolve_name(hdev, e) == 0) {
2625 e->name_state = NAME_PENDING;
2632 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2633 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2635 struct discovery_state *discov = &hdev->discovery;
2636 struct inquiry_entry *e;
2639 /* Update the mgmt connected state if necessary. Be careful with
2640 * conn objects that exist but are not (yet) connected however.
2641 * Only those in BT_CONFIG or BT_CONNECTED states can be
2642 * considered connected.
2645 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2646 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2647 mgmt_device_connected(hdev, conn, 0, name, name_len);
2649 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2653 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2654 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2655 mgmt_device_connected(hdev, conn, name, name_len);
2658 if (discov->state == DISCOVERY_STOPPED)
2661 if (discov->state == DISCOVERY_STOPPING)
2662 goto discov_complete;
2664 if (discov->state != DISCOVERY_RESOLVING)
2667 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2668 /* If the device was not found in a list of found devices names of which
2669 * are pending. there is no need to continue resolving a next name as it
2670 * will be done upon receiving another Remote Name Request Complete
2677 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2678 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2681 if (hci_resolve_next_name(hdev))
2685 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2688 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2690 struct hci_cp_remote_name_req *cp;
2691 struct hci_conn *conn;
2693 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2695 /* If successful wait for the name req complete event before
2696 * checking for the need to do authentication */
2700 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2706 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2708 if (hci_dev_test_flag(hdev, HCI_MGMT))
2709 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2714 if (!hci_outgoing_auth_needed(hdev, conn))
2717 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2718 struct hci_cp_auth_requested auth_cp;
2720 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2722 auth_cp.handle = __cpu_to_le16(conn->handle);
2723 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2724 sizeof(auth_cp), &auth_cp);
2728 hci_dev_unlock(hdev);
2731 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2733 struct hci_cp_read_remote_features *cp;
2734 struct hci_conn *conn;
2736 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2741 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2747 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2749 if (conn->state == BT_CONFIG) {
2750 hci_connect_cfm(conn, status);
2751 hci_conn_drop(conn);
2755 hci_dev_unlock(hdev);
2758 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2760 struct hci_cp_read_remote_ext_features *cp;
2761 struct hci_conn *conn;
2763 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2768 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2774 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2776 if (conn->state == BT_CONFIG) {
2777 hci_connect_cfm(conn, status);
2778 hci_conn_drop(conn);
2782 hci_dev_unlock(hdev);
2785 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2787 struct hci_cp_setup_sync_conn *cp;
2788 struct hci_conn *acl, *sco;
2791 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2796 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2800 handle = __le16_to_cpu(cp->handle);
2802 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2806 acl = hci_conn_hash_lookup_handle(hdev, handle);
2810 sco->state = BT_CLOSED;
2812 hci_connect_cfm(sco, status);
2817 hci_dev_unlock(hdev);
2820 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2822 struct hci_cp_enhanced_setup_sync_conn *cp;
2823 struct hci_conn *acl, *sco;
2826 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2831 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2835 handle = __le16_to_cpu(cp->handle);
2837 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2841 acl = hci_conn_hash_lookup_handle(hdev, handle);
2845 sco->state = BT_CLOSED;
2847 hci_connect_cfm(sco, status);
2852 hci_dev_unlock(hdev);
2855 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2857 struct hci_cp_sniff_mode *cp;
2858 struct hci_conn *conn;
2860 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2865 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2871 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2873 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2875 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2876 hci_sco_setup(conn, status);
2879 hci_dev_unlock(hdev);
2882 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2884 struct hci_cp_exit_sniff_mode *cp;
2885 struct hci_conn *conn;
2887 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2892 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2898 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2900 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2902 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2903 hci_sco_setup(conn, status);
2906 hci_dev_unlock(hdev);
2909 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2911 struct hci_cp_disconnect *cp;
2912 struct hci_conn_params *params;
2913 struct hci_conn *conn;
2916 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2918 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2919 * otherwise cleanup the connection immediately.
2921 if (!status && !hdev->suspended)
2924 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2930 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2935 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2936 conn->dst_type, status);
2938 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2939 hdev->cur_adv_instance = conn->adv_instance;
2940 hci_enable_advertising(hdev);
2946 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2948 if (conn->type == ACL_LINK) {
2949 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2950 hci_remove_link_key(hdev, &conn->dst);
2953 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2955 switch (params->auto_connect) {
2956 case HCI_AUTO_CONN_LINK_LOSS:
2957 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2961 case HCI_AUTO_CONN_DIRECT:
2962 case HCI_AUTO_CONN_ALWAYS:
2963 list_del_init(¶ms->action);
2964 list_add(¶ms->action, &hdev->pend_le_conns);
2972 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2973 cp->reason, mgmt_conn);
2975 hci_disconn_cfm(conn, cp->reason);
2978 /* If the disconnection failed for any reason, the upper layer
2979 * does not retry to disconnect in current implementation.
2980 * Hence, we need to do some basic cleanup here and re-enable
2981 * advertising if necessary.
2985 hci_dev_unlock(hdev);
2988 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2990 /* When using controller based address resolution, then the new
2991 * address types 0x02 and 0x03 are used. These types need to be
2992 * converted back into either public address or random address type
2995 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2998 return ADDR_LE_DEV_PUBLIC;
2999 case ADDR_LE_DEV_RANDOM_RESOLVED:
3002 return ADDR_LE_DEV_RANDOM;
3010 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
3011 u8 peer_addr_type, u8 own_address_type,
3014 struct hci_conn *conn;
3016 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
3021 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
3023 /* Store the initiator and responder address information which
3024 * is needed for SMP. These values will not change during the
3025 * lifetime of the connection.
3027 conn->init_addr_type = own_address_type;
3028 if (own_address_type == ADDR_LE_DEV_RANDOM)
3029 bacpy(&conn->init_addr, &hdev->random_addr);
3031 bacpy(&conn->init_addr, &hdev->bdaddr);
3033 conn->resp_addr_type = peer_addr_type;
3034 bacpy(&conn->resp_addr, peer_addr);
3037 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3039 struct hci_cp_le_create_conn *cp;
3041 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3043 /* All connection failure handling is taken care of by the
3044 * hci_conn_failed function which is triggered by the HCI
3045 * request completion callbacks used for connecting.
3050 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3056 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3057 cp->own_address_type, cp->filter_policy);
3059 hci_dev_unlock(hdev);
3062 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3064 struct hci_cp_le_ext_create_conn *cp;
3066 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3068 /* All connection failure handling is taken care of by the
3069 * hci_conn_failed function which is triggered by the HCI
3070 * request completion callbacks used for connecting.
3075 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3081 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3082 cp->own_addr_type, cp->filter_policy);
3084 hci_dev_unlock(hdev);
3087 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3089 struct hci_cp_le_read_remote_features *cp;
3090 struct hci_conn *conn;
3092 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3097 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3103 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3105 if (conn->state == BT_CONFIG) {
3106 hci_connect_cfm(conn, status);
3107 hci_conn_drop(conn);
3111 hci_dev_unlock(hdev);
3114 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3116 struct hci_cp_le_start_enc *cp;
3117 struct hci_conn *conn;
3119 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3126 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3134 if (conn->state != BT_CONNECTED)
3137 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3138 hci_conn_drop(conn);
3141 hci_dev_unlock(hdev);
3144 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3146 struct hci_cp_switch_role *cp;
3147 struct hci_conn *conn;
3149 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3154 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3160 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3162 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3164 hci_dev_unlock(hdev);
3167 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3168 struct sk_buff *skb)
3170 struct hci_ev_status *ev = data;
3171 struct discovery_state *discov = &hdev->discovery;
3172 struct inquiry_entry *e;
3174 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3176 hci_conn_check_pending(hdev);
3178 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3181 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3182 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3184 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3189 if (discov->state != DISCOVERY_FINDING)
3192 if (list_empty(&discov->resolve)) {
3193 /* When BR/EDR inquiry is active and no LE scanning is in
3194 * progress, then change discovery state to indicate completion.
3196 * When running LE scanning and BR/EDR inquiry simultaneously
3197 * and the LE scan already finished, then change the discovery
3198 * state to indicate completion.
3200 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3201 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3202 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3206 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3207 if (e && hci_resolve_name(hdev, e) == 0) {
3208 e->name_state = NAME_PENDING;
3209 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3210 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3212 /* When BR/EDR inquiry is active and no LE scanning is in
3213 * progress, then change discovery state to indicate completion.
3215 * When running LE scanning and BR/EDR inquiry simultaneously
3216 * and the LE scan already finished, then change the discovery
3217 * state to indicate completion.
3219 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3220 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3221 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3225 hci_dev_unlock(hdev);
3228 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3229 struct sk_buff *skb)
3231 struct hci_ev_inquiry_result *ev = edata;
3232 struct inquiry_data data;
3235 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3236 flex_array_size(ev, info, ev->num)))
3239 bt_dev_dbg(hdev, "num %d", ev->num);
3244 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3249 for (i = 0; i < ev->num; i++) {
3250 struct inquiry_info *info = &ev->info[i];
3253 bacpy(&data.bdaddr, &info->bdaddr);
3254 data.pscan_rep_mode = info->pscan_rep_mode;
3255 data.pscan_period_mode = info->pscan_period_mode;
3256 data.pscan_mode = info->pscan_mode;
3257 memcpy(data.dev_class, info->dev_class, 3);
3258 data.clock_offset = info->clock_offset;
3259 data.rssi = HCI_RSSI_INVALID;
3260 data.ssp_mode = 0x00;
3262 flags = hci_inquiry_cache_update(hdev, &data, false);
3264 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3265 info->dev_class, HCI_RSSI_INVALID,
3266 flags, NULL, 0, NULL, 0, 0);
3269 hci_dev_unlock(hdev);
3272 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3273 struct sk_buff *skb)
3275 struct hci_ev_conn_complete *ev = data;
3276 struct hci_conn *conn;
3277 u8 status = ev->status;
3279 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3283 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3285 /* In case of error status and there is no connection pending
3286 * just unlock as there is nothing to cleanup.
3291 /* Connection may not exist if auto-connected. Check the bredr
3292 * allowlist to see if this device is allowed to auto connect.
3293 * If link is an ACL type, create a connection class
3296 * Auto-connect will only occur if the event filter is
3297 * programmed with a given address. Right now, event filter is
3298 * only used during suspend.
3300 if (ev->link_type == ACL_LINK &&
3301 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3304 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3307 bt_dev_err(hdev, "no memory for new conn");
3311 if (ev->link_type != SCO_LINK)
3314 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3319 conn->type = SCO_LINK;
3323 /* The HCI_Connection_Complete event is only sent once per connection.
3324 * Processing it more than once per connection can corrupt kernel memory.
3326 * As the connection handle is set here for the first time, it indicates
3327 * whether the connection is already set up.
3329 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
3330 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3335 conn->handle = __le16_to_cpu(ev->handle);
3336 if (conn->handle > HCI_CONN_HANDLE_MAX) {
3337 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
3338 conn->handle, HCI_CONN_HANDLE_MAX);
3339 status = HCI_ERROR_INVALID_PARAMETERS;
3343 if (conn->type == ACL_LINK) {
3344 conn->state = BT_CONFIG;
3345 hci_conn_hold(conn);
3347 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3348 !hci_find_link_key(hdev, &ev->bdaddr))
3349 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3351 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3353 conn->state = BT_CONNECTED;
3355 hci_debugfs_create_conn(conn);
3356 hci_conn_add_sysfs(conn);
3358 if (test_bit(HCI_AUTH, &hdev->flags))
3359 set_bit(HCI_CONN_AUTH, &conn->flags);
3361 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3362 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3364 /* Get remote features */
3365 if (conn->type == ACL_LINK) {
3366 struct hci_cp_read_remote_features cp;
3367 cp.handle = ev->handle;
3368 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3371 hci_update_scan(hdev);
3374 /* Set packet type for incoming connection */
3375 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3376 struct hci_cp_change_conn_ptype cp;
3377 cp.handle = ev->handle;
3378 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3379 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3384 if (get_link_mode(conn) & HCI_LM_MASTER)
3385 hci_conn_change_supervision_timeout(conn,
3386 LINK_SUPERVISION_TIMEOUT);
3390 if (conn->type == ACL_LINK)
3391 hci_sco_setup(conn, ev->status);
3395 hci_conn_failed(conn, status);
3396 } else if (ev->link_type == SCO_LINK) {
3397 switch (conn->setting & SCO_AIRMODE_MASK) {
3398 case SCO_AIRMODE_CVSD:
3400 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3404 hci_connect_cfm(conn, status);
3408 hci_dev_unlock(hdev);
3410 hci_conn_check_pending(hdev);
3413 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3415 struct hci_cp_reject_conn_req cp;
3417 bacpy(&cp.bdaddr, bdaddr);
3418 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3419 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3422 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3423 struct sk_buff *skb)
3425 struct hci_ev_conn_request *ev = data;
3426 int mask = hdev->link_mode;
3427 struct inquiry_entry *ie;
3428 struct hci_conn *conn;
3431 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3433 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3436 if (!(mask & HCI_LM_ACCEPT)) {
3437 hci_reject_conn(hdev, &ev->bdaddr);
3443 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3445 hci_reject_conn(hdev, &ev->bdaddr);
3449 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3450 * connection. These features are only touched through mgmt so
3451 * only do the checks if HCI_MGMT is set.
3453 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3454 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3455 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3457 hci_reject_conn(hdev, &ev->bdaddr);
3461 /* Connection accepted */
3463 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3465 memcpy(ie->data.dev_class, ev->dev_class, 3);
3468 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
3469 hci_conn_hash_lookup_sco(hdev)) {
3470 struct hci_cp_reject_conn_req cp;
3472 bacpy(&cp.bdaddr, &ev->bdaddr);
3473 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
3474 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
3476 hci_dev_unlock(hdev);
3481 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3484 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3487 bt_dev_err(hdev, "no memory for new connection");
3492 memcpy(conn->dev_class, ev->dev_class, 3);
3494 hci_dev_unlock(hdev);
3496 if (ev->link_type == ACL_LINK ||
3497 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3498 struct hci_cp_accept_conn_req cp;
3499 conn->state = BT_CONNECT;
3501 bacpy(&cp.bdaddr, &ev->bdaddr);
3503 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3504 cp.role = 0x00; /* Become central */
3506 cp.role = 0x01; /* Remain peripheral */
3508 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3509 } else if (!(flags & HCI_PROTO_DEFER)) {
3510 struct hci_cp_accept_sync_conn_req cp;
3511 conn->state = BT_CONNECT;
3513 bacpy(&cp.bdaddr, &ev->bdaddr);
3514 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3516 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3517 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3518 cp.max_latency = cpu_to_le16(0xffff);
3519 cp.content_format = cpu_to_le16(hdev->voice_setting);
3520 cp.retrans_effort = 0xff;
3522 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3525 conn->state = BT_CONNECT2;
3526 hci_connect_cfm(conn, 0);
3531 hci_dev_unlock(hdev);
3534 static u8 hci_to_mgmt_reason(u8 err)
3537 case HCI_ERROR_CONNECTION_TIMEOUT:
3538 return MGMT_DEV_DISCONN_TIMEOUT;
3539 case HCI_ERROR_REMOTE_USER_TERM:
3540 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3541 case HCI_ERROR_REMOTE_POWER_OFF:
3542 return MGMT_DEV_DISCONN_REMOTE;
3543 case HCI_ERROR_LOCAL_HOST_TERM:
3544 return MGMT_DEV_DISCONN_LOCAL_HOST;
3546 return MGMT_DEV_DISCONN_UNKNOWN;
3550 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3551 struct sk_buff *skb)
3553 struct hci_ev_disconn_complete *ev = data;
3555 struct hci_conn_params *params;
3556 struct hci_conn *conn;
3557 bool mgmt_connected;
3559 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3563 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3568 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3569 conn->dst_type, ev->status);
3573 conn->state = BT_CLOSED;
3575 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3577 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3578 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3580 reason = hci_to_mgmt_reason(ev->reason);
3582 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3583 reason, mgmt_connected);
3585 if (conn->type == ACL_LINK) {
3586 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3587 hci_remove_link_key(hdev, &conn->dst);
3589 hci_update_scan(hdev);
3592 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3594 switch (params->auto_connect) {
3595 case HCI_AUTO_CONN_LINK_LOSS:
3596 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3600 case HCI_AUTO_CONN_DIRECT:
3601 case HCI_AUTO_CONN_ALWAYS:
3602 list_del_init(¶ms->action);
3603 list_add(¶ms->action, &hdev->pend_le_conns);
3604 hci_update_passive_scan(hdev);
3612 hci_disconn_cfm(conn, ev->reason);
3614 /* Re-enable advertising if necessary, since it might
3615 * have been disabled by the connection. From the
3616 * HCI_LE_Set_Advertise_Enable command description in
3617 * the core specification (v4.0):
3618 * "The Controller shall continue advertising until the Host
3619 * issues an LE_Set_Advertise_Enable command with
3620 * Advertising_Enable set to 0x00 (Advertising is disabled)
3621 * or until a connection is created or until the Advertising
3622 * is timed out due to Directed Advertising."
3624 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3625 hdev->cur_adv_instance = conn->adv_instance;
3626 hci_enable_advertising(hdev);
3632 if (type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
3636 iscan = test_bit(HCI_ISCAN, &hdev->flags);
3637 pscan = test_bit(HCI_PSCAN, &hdev->flags);
3638 if (!iscan && !pscan) {
3639 u8 scan_enable = SCAN_PAGE;
3641 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
3642 sizeof(scan_enable), &scan_enable);
3648 hci_dev_unlock(hdev);
3651 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3652 struct sk_buff *skb)
3654 struct hci_ev_auth_complete *ev = data;
3655 struct hci_conn *conn;
3657 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3661 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3666 /* PIN or Key Missing patch */
3667 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
3668 conn->remote_auth, conn->remote_cap,
3669 conn->auth_type, conn->io_capability);
3671 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
3672 struct hci_cp_auth_requested cp;
3674 BT_DBG("Pin or key missing");
3675 hci_remove_link_key(hdev, &conn->dst);
3676 cp.handle = cpu_to_le16(conn->handle);
3677 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3684 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3686 if (!hci_conn_ssp_enabled(conn) &&
3687 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
3688 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
3690 set_bit(HCI_CONN_AUTH, &conn->flags);
3691 conn->sec_level = conn->pending_sec_level;
3694 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3695 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3697 mgmt_auth_failed(conn, ev->status);
3700 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3701 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3703 if (conn->state == BT_CONFIG) {
3704 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3705 struct hci_cp_set_conn_encrypt cp;
3706 cp.handle = ev->handle;
3708 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3711 conn->state = BT_CONNECTED;
3712 hci_connect_cfm(conn, ev->status);
3713 hci_conn_drop(conn);
3716 hci_auth_cfm(conn, ev->status);
3718 hci_conn_hold(conn);
3719 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3720 hci_conn_drop(conn);
3723 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3725 struct hci_cp_set_conn_encrypt cp;
3726 cp.handle = ev->handle;
3728 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3731 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3732 hci_encrypt_cfm(conn, ev->status);
3737 hci_dev_unlock(hdev);
3740 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3741 struct sk_buff *skb)
3743 struct hci_ev_remote_name *ev = data;
3744 struct hci_conn *conn;
3746 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3748 hci_conn_check_pending(hdev);
3752 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3754 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3757 if (ev->status == 0)
3758 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3759 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3761 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3767 if (!hci_outgoing_auth_needed(hdev, conn))
3770 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3771 struct hci_cp_auth_requested cp;
3773 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3775 cp.handle = __cpu_to_le16(conn->handle);
3776 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3780 hci_dev_unlock(hdev);
3783 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3784 struct sk_buff *skb)
3786 struct hci_ev_encrypt_change *ev = data;
3787 struct hci_conn *conn;
3789 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3793 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3799 /* Encryption implies authentication */
3800 set_bit(HCI_CONN_AUTH, &conn->flags);
3801 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3802 conn->sec_level = conn->pending_sec_level;
3804 /* P-256 authentication key implies FIPS */
3805 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3806 set_bit(HCI_CONN_FIPS, &conn->flags);
3808 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3809 conn->type == LE_LINK)
3810 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3812 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3813 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3817 /* We should disregard the current RPA and generate a new one
3818 * whenever the encryption procedure fails.
3820 if (ev->status && conn->type == LE_LINK) {
3821 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3822 hci_adv_instances_set_rpa_expired(hdev, true);
3825 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3827 /* Check link security requirements are met */
3828 if (!hci_conn_check_link_mode(conn))
3829 ev->status = HCI_ERROR_AUTH_FAILURE;
3831 if (ev->status && conn->state == BT_CONNECTED) {
3832 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3833 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3835 /* Notify upper layers so they can cleanup before
3838 hci_encrypt_cfm(conn, ev->status);
3839 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3840 hci_conn_drop(conn);
3844 /* Try reading the encryption key size for encrypted ACL links */
3845 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3846 struct hci_cp_read_enc_key_size cp;
3848 /* Only send HCI_Read_Encryption_Key_Size if the
3849 * controller really supports it. If it doesn't, assume
3850 * the default size (16).
3852 if (!(hdev->commands[20] & 0x10)) {
3853 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3857 cp.handle = cpu_to_le16(conn->handle);
3858 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3860 bt_dev_err(hdev, "sending read key size failed");
3861 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3868 /* Set the default Authenticated Payload Timeout after
3869 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3870 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3871 * sent when the link is active and Encryption is enabled, the conn
3872 * type can be either LE or ACL and controller must support LMP Ping.
3873 * Ensure for AES-CCM encryption as well.
3875 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3876 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3877 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3878 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3879 struct hci_cp_write_auth_payload_to cp;
3881 cp.handle = cpu_to_le16(conn->handle);
3882 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3883 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3888 hci_encrypt_cfm(conn, ev->status);
3891 hci_dev_unlock(hdev);
3894 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3895 struct sk_buff *skb)
3897 struct hci_ev_change_link_key_complete *ev = data;
3898 struct hci_conn *conn;
3900 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3904 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3907 set_bit(HCI_CONN_SECURE, &conn->flags);
3909 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3911 hci_key_change_cfm(conn, ev->status);
3914 hci_dev_unlock(hdev);
3917 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3918 struct sk_buff *skb)
3920 struct hci_ev_remote_features *ev = data;
3921 struct hci_conn *conn;
3923 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3927 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3932 memcpy(conn->features[0], ev->features, 8);
3934 if (conn->state != BT_CONFIG)
3937 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3938 lmp_ext_feat_capable(conn)) {
3939 struct hci_cp_read_remote_ext_features cp;
3940 cp.handle = ev->handle;
3942 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3947 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3948 struct hci_cp_remote_name_req cp;
3949 memset(&cp, 0, sizeof(cp));
3950 bacpy(&cp.bdaddr, &conn->dst);
3951 cp.pscan_rep_mode = 0x02;
3952 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3953 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3954 mgmt_device_connected(hdev, conn, NULL, 0);
3956 if (!hci_outgoing_auth_needed(hdev, conn)) {
3957 conn->state = BT_CONNECTED;
3958 hci_connect_cfm(conn, ev->status);
3959 hci_conn_drop(conn);
3963 hci_dev_unlock(hdev);
3966 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3968 cancel_delayed_work(&hdev->cmd_timer);
3971 if (!test_bit(HCI_RESET, &hdev->flags)) {
3973 cancel_delayed_work(&hdev->ncmd_timer);
3974 atomic_set(&hdev->cmd_cnt, 1);
3976 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3977 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3984 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3985 struct sk_buff *skb)
3987 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3989 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3994 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3995 hdev->le_pkts = rp->acl_max_pkt;
3996 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3997 hdev->iso_pkts = rp->iso_max_pkt;
3999 hdev->le_cnt = hdev->le_pkts;
4000 hdev->iso_cnt = hdev->iso_pkts;
4002 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
4003 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
4008 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
4009 struct sk_buff *skb)
4011 struct hci_rp_le_set_cig_params *rp = data;
4012 struct hci_conn *conn;
4015 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4020 while ((conn = hci_conn_hash_lookup_cig(hdev, rp->cig_id))) {
4021 conn->state = BT_CLOSED;
4022 hci_connect_cfm(conn, rp->status);
4030 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
4031 if (conn->type != ISO_LINK || conn->iso_qos.cig != rp->cig_id ||
4032 conn->state == BT_CONNECTED)
4035 conn->handle = __le16_to_cpu(rp->handle[i++]);
4037 bt_dev_dbg(hdev, "%p handle 0x%4.4x link %p", conn,
4038 conn->handle, conn->link);
4040 /* Create CIS if LE is already connected */
4041 if (conn->link && conn->link->state == BT_CONNECTED) {
4043 hci_le_create_cis(conn->link);
4047 if (i == rp->num_handles)
4054 hci_dev_unlock(hdev);
4059 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
4060 struct sk_buff *skb)
4062 struct hci_rp_le_setup_iso_path *rp = data;
4063 struct hci_cp_le_setup_iso_path *cp;
4064 struct hci_conn *conn;
4066 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4068 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4074 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4079 hci_connect_cfm(conn, rp->status);
4084 switch (cp->direction) {
4085 /* Input (Host to Controller) */
4087 /* Only confirm connection if output only */
4088 if (conn->iso_qos.out.sdu && !conn->iso_qos.in.sdu)
4089 hci_connect_cfm(conn, rp->status);
4091 /* Output (Controller to Host) */
4093 /* Confirm connection since conn->iso_qos is always configured
4096 hci_connect_cfm(conn, rp->status);
4101 hci_dev_unlock(hdev);
4105 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4107 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4110 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4111 struct sk_buff *skb)
4113 struct hci_ev_status *rp = data;
4114 struct hci_cp_le_set_per_adv_params *cp;
4116 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4121 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4125 /* TODO: set the conn state */
4129 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4130 struct sk_buff *skb)
4132 struct hci_ev_status *rp = data;
4135 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4140 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4147 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4149 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4151 hci_dev_unlock(hdev);
4156 #define HCI_CC_VL(_op, _func, _min, _max) \
4164 #define HCI_CC(_op, _func, _len) \
4165 HCI_CC_VL(_op, _func, _len, _len)
4167 #define HCI_CC_STATUS(_op, _func) \
4168 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4170 static const struct hci_cc {
4172 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4175 } hci_cc_table[] = {
4176 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4177 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4178 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4179 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4180 hci_cc_remote_name_req_cancel),
4181 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4182 sizeof(struct hci_rp_role_discovery)),
4183 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4184 sizeof(struct hci_rp_read_link_policy)),
4185 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4186 sizeof(struct hci_rp_write_link_policy)),
4187 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4188 sizeof(struct hci_rp_read_def_link_policy)),
4189 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4190 hci_cc_write_def_link_policy),
4191 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4192 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4193 sizeof(struct hci_rp_read_stored_link_key)),
4194 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4195 sizeof(struct hci_rp_delete_stored_link_key)),
4196 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4197 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4198 sizeof(struct hci_rp_read_local_name)),
4199 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4200 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4201 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4202 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4203 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4204 sizeof(struct hci_rp_read_class_of_dev)),
4205 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4206 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4207 sizeof(struct hci_rp_read_voice_setting)),
4208 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4209 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4210 sizeof(struct hci_rp_read_num_supported_iac)),
4211 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4212 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4213 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4214 sizeof(struct hci_rp_read_auth_payload_to)),
4215 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4216 sizeof(struct hci_rp_write_auth_payload_to)),
4217 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4218 sizeof(struct hci_rp_read_local_version)),
4219 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4220 sizeof(struct hci_rp_read_local_commands)),
4221 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4222 sizeof(struct hci_rp_read_local_features)),
4223 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4224 sizeof(struct hci_rp_read_local_ext_features)),
4225 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4226 sizeof(struct hci_rp_read_buffer_size)),
4227 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4228 sizeof(struct hci_rp_read_bd_addr)),
4229 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4230 sizeof(struct hci_rp_read_local_pairing_opts)),
4231 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4232 sizeof(struct hci_rp_read_page_scan_activity)),
4233 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4234 hci_cc_write_page_scan_activity),
4235 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4236 sizeof(struct hci_rp_read_page_scan_type)),
4237 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4238 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4239 sizeof(struct hci_rp_read_data_block_size)),
4240 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4241 sizeof(struct hci_rp_read_flow_control_mode)),
4242 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4243 sizeof(struct hci_rp_read_local_amp_info)),
4244 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4245 sizeof(struct hci_rp_read_clock)),
4246 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4247 sizeof(struct hci_rp_read_enc_key_size)),
4248 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4249 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4250 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4251 hci_cc_read_def_err_data_reporting,
4252 sizeof(struct hci_rp_read_def_err_data_reporting)),
4253 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4254 hci_cc_write_def_err_data_reporting),
4255 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4256 sizeof(struct hci_rp_pin_code_reply)),
4257 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4258 sizeof(struct hci_rp_pin_code_neg_reply)),
4259 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4260 sizeof(struct hci_rp_read_local_oob_data)),
4261 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4262 sizeof(struct hci_rp_read_local_oob_ext_data)),
4263 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4264 sizeof(struct hci_rp_le_read_buffer_size)),
4265 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4266 sizeof(struct hci_rp_le_read_local_features)),
4267 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4268 sizeof(struct hci_rp_le_read_adv_tx_power)),
4269 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4270 sizeof(struct hci_rp_user_confirm_reply)),
4271 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4272 sizeof(struct hci_rp_user_confirm_reply)),
4273 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4274 sizeof(struct hci_rp_user_confirm_reply)),
4275 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4276 sizeof(struct hci_rp_user_confirm_reply)),
4277 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4278 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4279 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4280 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4281 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4282 hci_cc_le_read_accept_list_size,
4283 sizeof(struct hci_rp_le_read_accept_list_size)),
4284 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4285 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4286 hci_cc_le_add_to_accept_list),
4287 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4288 hci_cc_le_del_from_accept_list),
4289 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4290 sizeof(struct hci_rp_le_read_supported_states)),
4291 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4292 sizeof(struct hci_rp_le_read_def_data_len)),
4293 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4294 hci_cc_le_write_def_data_len),
4295 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4296 hci_cc_le_add_to_resolv_list),
4297 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4298 hci_cc_le_del_from_resolv_list),
4299 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4300 hci_cc_le_clear_resolv_list),
4301 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4302 sizeof(struct hci_rp_le_read_resolv_list_size)),
4303 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4304 hci_cc_le_set_addr_resolution_enable),
4305 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4306 sizeof(struct hci_rp_le_read_max_data_len)),
4307 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4308 hci_cc_write_le_host_supported),
4309 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4310 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4311 sizeof(struct hci_rp_read_rssi)),
4312 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4313 sizeof(struct hci_rp_read_tx_power)),
4314 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4315 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4316 hci_cc_le_set_ext_scan_param),
4317 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4318 hci_cc_le_set_ext_scan_enable),
4319 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4320 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4321 hci_cc_le_read_num_adv_sets,
4322 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4323 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4324 sizeof(struct hci_rp_le_set_ext_adv_params)),
4325 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4326 hci_cc_le_set_ext_adv_enable),
4327 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4328 hci_cc_le_set_adv_set_random_addr),
4329 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4330 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4331 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4332 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4333 hci_cc_le_set_per_adv_enable),
4334 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4335 sizeof(struct hci_rp_le_read_transmit_power)),
4337 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4338 sizeof(struct hci_cc_rsp_enable_rssi)),
4339 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4340 sizeof(struct hci_cc_rp_get_raw_rssi)),
4342 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4343 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4344 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4345 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4346 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4347 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4348 sizeof(struct hci_rp_le_setup_iso_path)),
4351 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4352 struct sk_buff *skb)
4356 if (skb->len < cc->min_len) {
4357 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4358 cc->op, skb->len, cc->min_len);
4359 return HCI_ERROR_UNSPECIFIED;
4362 /* Just warn if the length is over max_len size it still be possible to
4363 * partially parse the cc so leave to callback to decide if that is
4366 if (skb->len > cc->max_len)
4367 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4368 cc->op, skb->len, cc->max_len);
4370 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4372 return HCI_ERROR_UNSPECIFIED;
4374 return cc->func(hdev, data, skb);
4377 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4378 struct sk_buff *skb, u16 *opcode, u8 *status,
4379 hci_req_complete_t *req_complete,
4380 hci_req_complete_skb_t *req_complete_skb)
4382 struct hci_ev_cmd_complete *ev = data;
4385 *opcode = __le16_to_cpu(ev->opcode);
4387 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4389 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4390 if (hci_cc_table[i].op == *opcode) {
4391 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4396 if (i == ARRAY_SIZE(hci_cc_table)) {
4397 /* Unknown opcode, assume byte 0 contains the status, so
4398 * that e.g. __hci_cmd_sync() properly returns errors
4399 * for vendor specific commands send by HCI drivers.
4400 * If a vendor doesn't actually follow this convention we may
4401 * need to introduce a vendor CC table in order to properly set
4404 *status = skb->data[0];
4407 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4409 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4412 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4414 "unexpected event for opcode 0x%4.4x", *opcode);
4418 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4419 queue_work(hdev->workqueue, &hdev->cmd_work);
4422 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4424 struct hci_cp_le_create_cis *cp;
4427 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4432 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4438 /* Remove connection if command failed */
4439 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4440 struct hci_conn *conn;
4443 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4445 conn = hci_conn_hash_lookup_handle(hdev, handle);
4447 conn->state = BT_CLOSED;
4448 hci_connect_cfm(conn, status);
4453 hci_dev_unlock(hdev);
4456 #define HCI_CS(_op, _func) \
4462 static const struct hci_cs {
4464 void (*func)(struct hci_dev *hdev, __u8 status);
4465 } hci_cs_table[] = {
4466 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4467 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4468 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4469 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4470 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4471 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4472 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4473 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4474 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4475 hci_cs_read_remote_ext_features),
4476 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4477 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4478 hci_cs_enhanced_setup_sync_conn),
4479 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4480 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4481 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4482 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4483 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4484 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4485 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4486 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4487 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4490 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4491 struct sk_buff *skb, u16 *opcode, u8 *status,
4492 hci_req_complete_t *req_complete,
4493 hci_req_complete_skb_t *req_complete_skb)
4495 struct hci_ev_cmd_status *ev = data;
4498 *opcode = __le16_to_cpu(ev->opcode);
4499 *status = ev->status;
4501 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4503 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4504 if (hci_cs_table[i].op == *opcode) {
4505 hci_cs_table[i].func(hdev, ev->status);
4510 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4512 /* Indicate request completion if the command failed. Also, if
4513 * we're not waiting for a special event and we get a success
4514 * command status we should try to flag the request as completed
4515 * (since for this kind of commands there will not be a command
4518 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4519 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4521 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4522 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4528 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4529 queue_work(hdev->workqueue, &hdev->cmd_work);
4532 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4533 struct sk_buff *skb)
4535 struct hci_ev_hardware_error *ev = data;
4537 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4541 mgmt_hardware_error(hdev, ev->code);
4542 hci_dev_unlock(hdev);
4544 hdev->hw_error_code = ev->code;
4546 queue_work(hdev->req_workqueue, &hdev->error_reset);
4549 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4550 struct sk_buff *skb)
4552 struct hci_ev_role_change *ev = data;
4553 struct hci_conn *conn;
4555 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4559 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4562 conn->role = ev->role;
4564 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4566 hci_role_switch_cfm(conn, ev->status, ev->role);
4568 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
4569 hci_conn_change_supervision_timeout(conn,
4570 LINK_SUPERVISION_TIMEOUT);
4574 hci_dev_unlock(hdev);
4577 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4578 struct sk_buff *skb)
4580 struct hci_ev_num_comp_pkts *ev = data;
4583 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4584 flex_array_size(ev, handles, ev->num)))
4587 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4588 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4592 bt_dev_dbg(hdev, "num %d", ev->num);
4594 for (i = 0; i < ev->num; i++) {
4595 struct hci_comp_pkts_info *info = &ev->handles[i];
4596 struct hci_conn *conn;
4597 __u16 handle, count;
4599 handle = __le16_to_cpu(info->handle);
4600 count = __le16_to_cpu(info->count);
4602 conn = hci_conn_hash_lookup_handle(hdev, handle);
4606 conn->sent -= count;
4608 switch (conn->type) {
4610 hdev->acl_cnt += count;
4611 if (hdev->acl_cnt > hdev->acl_pkts)
4612 hdev->acl_cnt = hdev->acl_pkts;
4616 if (hdev->le_pkts) {
4617 hdev->le_cnt += count;
4618 if (hdev->le_cnt > hdev->le_pkts)
4619 hdev->le_cnt = hdev->le_pkts;
4621 hdev->acl_cnt += count;
4622 if (hdev->acl_cnt > hdev->acl_pkts)
4623 hdev->acl_cnt = hdev->acl_pkts;
4628 hdev->sco_cnt += count;
4629 if (hdev->sco_cnt > hdev->sco_pkts)
4630 hdev->sco_cnt = hdev->sco_pkts;
4634 if (hdev->iso_pkts) {
4635 hdev->iso_cnt += count;
4636 if (hdev->iso_cnt > hdev->iso_pkts)
4637 hdev->iso_cnt = hdev->iso_pkts;
4638 } else if (hdev->le_pkts) {
4639 hdev->le_cnt += count;
4640 if (hdev->le_cnt > hdev->le_pkts)
4641 hdev->le_cnt = hdev->le_pkts;
4643 hdev->acl_cnt += count;
4644 if (hdev->acl_cnt > hdev->acl_pkts)
4645 hdev->acl_cnt = hdev->acl_pkts;
4650 bt_dev_err(hdev, "unknown type %d conn %p",
4656 queue_work(hdev->workqueue, &hdev->tx_work);
4659 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4662 struct hci_chan *chan;
4664 switch (hdev->dev_type) {
4666 return hci_conn_hash_lookup_handle(hdev, handle);
4668 chan = hci_chan_lookup_handle(hdev, handle);
4673 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4680 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4681 struct sk_buff *skb)
4683 struct hci_ev_num_comp_blocks *ev = data;
4686 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4687 flex_array_size(ev, handles, ev->num_hndl)))
4690 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4691 bt_dev_err(hdev, "wrong event for mode %d",
4692 hdev->flow_ctl_mode);
4696 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4699 for (i = 0; i < ev->num_hndl; i++) {
4700 struct hci_comp_blocks_info *info = &ev->handles[i];
4701 struct hci_conn *conn = NULL;
4702 __u16 handle, block_count;
4704 handle = __le16_to_cpu(info->handle);
4705 block_count = __le16_to_cpu(info->blocks);
4707 conn = __hci_conn_lookup_handle(hdev, handle);
4711 conn->sent -= block_count;
4713 switch (conn->type) {
4716 hdev->block_cnt += block_count;
4717 if (hdev->block_cnt > hdev->num_blocks)
4718 hdev->block_cnt = hdev->num_blocks;
4722 bt_dev_err(hdev, "unknown type %d conn %p",
4728 queue_work(hdev->workqueue, &hdev->tx_work);
4731 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4732 struct sk_buff *skb)
4734 struct hci_ev_mode_change *ev = data;
4735 struct hci_conn *conn;
4737 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4741 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4743 conn->mode = ev->mode;
4745 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4747 if (conn->mode == HCI_CM_ACTIVE)
4748 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4750 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4753 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4754 hci_sco_setup(conn, ev->status);
4757 hci_dev_unlock(hdev);
4760 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4761 struct sk_buff *skb)
4763 struct hci_ev_pin_code_req *ev = data;
4764 struct hci_conn *conn;
4766 bt_dev_dbg(hdev, "");
4770 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4774 if (conn->state == BT_CONNECTED) {
4775 hci_conn_hold(conn);
4776 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4777 hci_conn_drop(conn);
4780 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4781 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4782 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4783 sizeof(ev->bdaddr), &ev->bdaddr);
4784 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4787 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4792 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4796 hci_dev_unlock(hdev);
4799 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4801 if (key_type == HCI_LK_CHANGED_COMBINATION)
4804 conn->pin_length = pin_len;
4805 conn->key_type = key_type;
4808 case HCI_LK_LOCAL_UNIT:
4809 case HCI_LK_REMOTE_UNIT:
4810 case HCI_LK_DEBUG_COMBINATION:
4812 case HCI_LK_COMBINATION:
4814 conn->pending_sec_level = BT_SECURITY_HIGH;
4816 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4818 case HCI_LK_UNAUTH_COMBINATION_P192:
4819 case HCI_LK_UNAUTH_COMBINATION_P256:
4820 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4822 case HCI_LK_AUTH_COMBINATION_P192:
4823 conn->pending_sec_level = BT_SECURITY_HIGH;
4825 case HCI_LK_AUTH_COMBINATION_P256:
4826 conn->pending_sec_level = BT_SECURITY_FIPS;
4831 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4832 struct sk_buff *skb)
4834 struct hci_ev_link_key_req *ev = data;
4835 struct hci_cp_link_key_reply cp;
4836 struct hci_conn *conn;
4837 struct link_key *key;
4839 bt_dev_dbg(hdev, "");
4841 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4846 key = hci_find_link_key(hdev, &ev->bdaddr);
4848 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4852 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4854 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4856 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4858 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4859 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4860 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4861 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4865 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4866 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4867 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4868 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4872 conn_set_key(conn, key->type, key->pin_len);
4875 bacpy(&cp.bdaddr, &ev->bdaddr);
4876 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4878 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4880 hci_dev_unlock(hdev);
4885 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4886 hci_dev_unlock(hdev);
4889 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4890 struct sk_buff *skb)
4892 struct hci_ev_link_key_notify *ev = data;
4893 struct hci_conn *conn;
4894 struct link_key *key;
4898 bt_dev_dbg(hdev, "");
4902 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4906 hci_conn_hold(conn);
4907 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4908 hci_conn_drop(conn);
4910 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4911 conn_set_key(conn, ev->key_type, conn->pin_length);
4913 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4916 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4917 ev->key_type, pin_len, &persistent);
4921 /* Update connection information since adding the key will have
4922 * fixed up the type in the case of changed combination keys.
4924 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4925 conn_set_key(conn, key->type, key->pin_len);
4927 mgmt_new_link_key(hdev, key, persistent);
4929 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4930 * is set. If it's not set simply remove the key from the kernel
4931 * list (we've still notified user space about it but with
4932 * store_hint being 0).
4934 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4935 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4936 list_del_rcu(&key->list);
4937 kfree_rcu(key, rcu);
4942 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4944 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4947 hci_dev_unlock(hdev);
4950 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4951 struct sk_buff *skb)
4953 struct hci_ev_clock_offset *ev = data;
4954 struct hci_conn *conn;
4956 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4960 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4961 if (conn && !ev->status) {
4962 struct inquiry_entry *ie;
4964 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4966 ie->data.clock_offset = ev->clock_offset;
4967 ie->timestamp = jiffies;
4971 hci_dev_unlock(hdev);
4974 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4975 struct sk_buff *skb)
4977 struct hci_ev_pkt_type_change *ev = data;
4978 struct hci_conn *conn;
4980 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4984 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4985 if (conn && !ev->status)
4986 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4988 hci_dev_unlock(hdev);
4991 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4992 struct sk_buff *skb)
4994 struct hci_ev_pscan_rep_mode *ev = data;
4995 struct inquiry_entry *ie;
4997 bt_dev_dbg(hdev, "");
5001 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5003 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
5004 ie->timestamp = jiffies;
5007 hci_dev_unlock(hdev);
5010 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
5011 struct sk_buff *skb)
5013 struct hci_ev_inquiry_result_rssi *ev = edata;
5014 struct inquiry_data data;
5017 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
5022 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5027 if (skb->len == array_size(ev->num,
5028 sizeof(struct inquiry_info_rssi_pscan))) {
5029 struct inquiry_info_rssi_pscan *info;
5031 for (i = 0; i < ev->num; i++) {
5034 info = hci_ev_skb_pull(hdev, skb,
5035 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5038 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5039 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5043 bacpy(&data.bdaddr, &info->bdaddr);
5044 data.pscan_rep_mode = info->pscan_rep_mode;
5045 data.pscan_period_mode = info->pscan_period_mode;
5046 data.pscan_mode = info->pscan_mode;
5047 memcpy(data.dev_class, info->dev_class, 3);
5048 data.clock_offset = info->clock_offset;
5049 data.rssi = info->rssi;
5050 data.ssp_mode = 0x00;
5052 flags = hci_inquiry_cache_update(hdev, &data, false);
5054 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5055 info->dev_class, info->rssi,
5056 flags, NULL, 0, NULL, 0, 0);
5058 } else if (skb->len == array_size(ev->num,
5059 sizeof(struct inquiry_info_rssi))) {
5060 struct inquiry_info_rssi *info;
5062 for (i = 0; i < ev->num; i++) {
5065 info = hci_ev_skb_pull(hdev, skb,
5066 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5069 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5070 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5074 bacpy(&data.bdaddr, &info->bdaddr);
5075 data.pscan_rep_mode = info->pscan_rep_mode;
5076 data.pscan_period_mode = info->pscan_period_mode;
5077 data.pscan_mode = 0x00;
5078 memcpy(data.dev_class, info->dev_class, 3);
5079 data.clock_offset = info->clock_offset;
5080 data.rssi = info->rssi;
5081 data.ssp_mode = 0x00;
5083 flags = hci_inquiry_cache_update(hdev, &data, false);
5085 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5086 info->dev_class, info->rssi,
5087 flags, NULL, 0, NULL, 0, 0);
5090 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5091 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5094 hci_dev_unlock(hdev);
5097 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5098 struct sk_buff *skb)
5100 struct hci_ev_remote_ext_features *ev = data;
5101 struct hci_conn *conn;
5103 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5107 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5111 if (ev->page < HCI_MAX_PAGES)
5112 memcpy(conn->features[ev->page], ev->features, 8);
5114 if (!ev->status && ev->page == 0x01) {
5115 struct inquiry_entry *ie;
5117 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5119 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5121 if (ev->features[0] & LMP_HOST_SSP) {
5122 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5124 /* It is mandatory by the Bluetooth specification that
5125 * Extended Inquiry Results are only used when Secure
5126 * Simple Pairing is enabled, but some devices violate
5129 * To make these devices work, the internal SSP
5130 * enabled flag needs to be cleared if the remote host
5131 * features do not indicate SSP support */
5132 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5135 if (ev->features[0] & LMP_HOST_SC)
5136 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5139 if (conn->state != BT_CONFIG)
5142 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5143 struct hci_cp_remote_name_req cp;
5144 memset(&cp, 0, sizeof(cp));
5145 bacpy(&cp.bdaddr, &conn->dst);
5146 cp.pscan_rep_mode = 0x02;
5147 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5148 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5149 mgmt_device_connected(hdev, conn, NULL, 0);
5151 if (!hci_outgoing_auth_needed(hdev, conn)) {
5152 conn->state = BT_CONNECTED;
5153 hci_connect_cfm(conn, ev->status);
5154 hci_conn_drop(conn);
5158 hci_dev_unlock(hdev);
5161 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5162 struct sk_buff *skb)
5164 struct hci_ev_sync_conn_complete *ev = data;
5165 struct hci_conn *conn;
5166 u8 status = ev->status;
5168 switch (ev->link_type) {
5173 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5174 * for HCI_Synchronous_Connection_Complete is limited to
5175 * either SCO or eSCO
5177 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5181 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5185 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5187 if (ev->link_type == ESCO_LINK)
5190 /* When the link type in the event indicates SCO connection
5191 * and lookup of the connection object fails, then check
5192 * if an eSCO connection object exists.
5194 * The core limits the synchronous connections to either
5195 * SCO or eSCO. The eSCO connection is preferred and tried
5196 * to be setup first and until successfully established,
5197 * the link type will be hinted as eSCO.
5199 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5204 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5205 * Processing it more than once per connection can corrupt kernel memory.
5207 * As the connection handle is set here for the first time, it indicates
5208 * whether the connection is already set up.
5210 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
5211 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5217 conn->handle = __le16_to_cpu(ev->handle);
5218 if (conn->handle > HCI_CONN_HANDLE_MAX) {
5219 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
5220 conn->handle, HCI_CONN_HANDLE_MAX);
5221 status = HCI_ERROR_INVALID_PARAMETERS;
5222 conn->state = BT_CLOSED;
5226 conn->state = BT_CONNECTED;
5227 conn->type = ev->link_type;
5229 hci_debugfs_create_conn(conn);
5230 hci_conn_add_sysfs(conn);
5233 case 0x10: /* Connection Accept Timeout */
5234 case 0x0d: /* Connection Rejected due to Limited Resources */
5235 case 0x11: /* Unsupported Feature or Parameter Value */
5236 case 0x1c: /* SCO interval rejected */
5237 case 0x1a: /* Unsupported Remote Feature */
5238 case 0x1e: /* Invalid LMP Parameters */
5239 case 0x1f: /* Unspecified error */
5240 case 0x20: /* Unsupported LMP Parameter value */
5242 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5243 (hdev->esco_type & EDR_ESCO_MASK);
5244 if (hci_setup_sync(conn, conn->link->handle))
5250 conn->state = BT_CLOSED;
5254 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5255 /* Notify only in case of SCO over HCI transport data path which
5256 * is zero and non-zero value shall be non-HCI transport data path
5258 if (conn->codec.data_path == 0 && hdev->notify) {
5259 switch (ev->air_mode) {
5261 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5264 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5269 hci_connect_cfm(conn, status);
5274 hci_dev_unlock(hdev);
5277 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5281 while (parsed < eir_len) {
5282 u8 field_len = eir[0];
5287 parsed += field_len + 1;
5288 eir += field_len + 1;
5294 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5295 struct sk_buff *skb)
5297 struct hci_ev_ext_inquiry_result *ev = edata;
5298 struct inquiry_data data;
5302 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5303 flex_array_size(ev, info, ev->num)))
5306 bt_dev_dbg(hdev, "num %d", ev->num);
5311 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5316 for (i = 0; i < ev->num; i++) {
5317 struct extended_inquiry_info *info = &ev->info[i];
5321 bacpy(&data.bdaddr, &info->bdaddr);
5322 data.pscan_rep_mode = info->pscan_rep_mode;
5323 data.pscan_period_mode = info->pscan_period_mode;
5324 data.pscan_mode = 0x00;
5325 memcpy(data.dev_class, info->dev_class, 3);
5326 data.clock_offset = info->clock_offset;
5327 data.rssi = info->rssi;
5328 data.ssp_mode = 0x01;
5330 if (hci_dev_test_flag(hdev, HCI_MGMT))
5331 name_known = eir_get_data(info->data,
5333 EIR_NAME_COMPLETE, NULL);
5337 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5339 eir_len = eir_get_length(info->data, sizeof(info->data));
5341 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5342 info->dev_class, info->rssi,
5343 flags, info->data, eir_len, NULL, 0, 0);
5346 hci_dev_unlock(hdev);
5349 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5350 struct sk_buff *skb)
5352 struct hci_ev_key_refresh_complete *ev = data;
5353 struct hci_conn *conn;
5355 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5356 __le16_to_cpu(ev->handle));
5360 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5364 /* For BR/EDR the necessary steps are taken through the
5365 * auth_complete event.
5367 if (conn->type != LE_LINK)
5371 conn->sec_level = conn->pending_sec_level;
5373 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5375 if (ev->status && conn->state == BT_CONNECTED) {
5376 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5377 hci_conn_drop(conn);
5381 if (conn->state == BT_CONFIG) {
5383 conn->state = BT_CONNECTED;
5385 hci_connect_cfm(conn, ev->status);
5386 hci_conn_drop(conn);
5388 hci_auth_cfm(conn, ev->status);
5390 hci_conn_hold(conn);
5391 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5392 hci_conn_drop(conn);
5396 hci_dev_unlock(hdev);
5399 static u8 hci_get_auth_req(struct hci_conn *conn)
5402 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
5403 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5404 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5405 return HCI_AT_GENERAL_BONDING_MITM;
5409 /* If remote requests no-bonding follow that lead */
5410 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5411 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5412 return conn->remote_auth | (conn->auth_type & 0x01);
5414 /* If both remote and local have enough IO capabilities, require
5417 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5418 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5419 return conn->remote_auth | 0x01;
5421 /* No MITM protection possible so ignore remote requirement */
5422 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5425 static u8 bredr_oob_data_present(struct hci_conn *conn)
5427 struct hci_dev *hdev = conn->hdev;
5428 struct oob_data *data;
5430 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5434 if (bredr_sc_enabled(hdev)) {
5435 /* When Secure Connections is enabled, then just
5436 * return the present value stored with the OOB
5437 * data. The stored value contains the right present
5438 * information. However it can only be trusted when
5439 * not in Secure Connection Only mode.
5441 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5442 return data->present;
5444 /* When Secure Connections Only mode is enabled, then
5445 * the P-256 values are required. If they are not
5446 * available, then do not declare that OOB data is
5449 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
5450 !memcmp(data->hash256, ZERO_KEY, 16))
5456 /* When Secure Connections is not enabled or actually
5457 * not supported by the hardware, then check that if
5458 * P-192 data values are present.
5460 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
5461 !memcmp(data->hash192, ZERO_KEY, 16))
5467 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5468 struct sk_buff *skb)
5470 struct hci_ev_io_capa_request *ev = data;
5471 struct hci_conn *conn;
5473 bt_dev_dbg(hdev, "");
5477 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5481 hci_conn_hold(conn);
5483 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5486 /* Allow pairing if we're pairable, the initiators of the
5487 * pairing or if the remote is not requesting bonding.
5489 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5490 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5491 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5492 struct hci_cp_io_capability_reply cp;
5494 bacpy(&cp.bdaddr, &ev->bdaddr);
5495 /* Change the IO capability from KeyboardDisplay
5496 * to DisplayYesNo as it is not supported by BT spec. */
5497 cp.capability = (conn->io_capability == 0x04) ?
5498 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5500 /* If we are initiators, there is no remote information yet */
5501 if (conn->remote_auth == 0xff) {
5502 /* Request MITM protection if our IO caps allow it
5503 * except for the no-bonding case.
5505 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5506 conn->auth_type != HCI_AT_NO_BONDING)
5507 conn->auth_type |= 0x01;
5509 conn->auth_type = hci_get_auth_req(conn);
5512 /* If we're not bondable, force one of the non-bondable
5513 * authentication requirement values.
5515 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5516 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5518 cp.authentication = conn->auth_type;
5519 cp.oob_data = bredr_oob_data_present(conn);
5521 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5524 struct hci_cp_io_capability_neg_reply cp;
5526 bacpy(&cp.bdaddr, &ev->bdaddr);
5527 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5529 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5534 hci_dev_unlock(hdev);
5537 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5538 struct sk_buff *skb)
5540 struct hci_ev_io_capa_reply *ev = data;
5541 struct hci_conn *conn;
5543 bt_dev_dbg(hdev, "");
5547 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5551 conn->remote_cap = ev->capability;
5552 conn->remote_auth = ev->authentication;
5555 hci_dev_unlock(hdev);
5558 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5559 struct sk_buff *skb)
5561 struct hci_ev_user_confirm_req *ev = data;
5562 int loc_mitm, rem_mitm, confirm_hint = 0;
5563 struct hci_conn *conn;
5565 bt_dev_dbg(hdev, "");
5569 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5572 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5576 loc_mitm = (conn->auth_type & 0x01);
5577 rem_mitm = (conn->remote_auth & 0x01);
5579 /* If we require MITM but the remote device can't provide that
5580 * (it has NoInputNoOutput) then reject the confirmation
5581 * request. We check the security level here since it doesn't
5582 * necessarily match conn->auth_type.
5584 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5585 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5586 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5587 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5588 sizeof(ev->bdaddr), &ev->bdaddr);
5592 /* If no side requires MITM protection; auto-accept */
5593 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5594 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5596 /* If we're not the initiators request authorization to
5597 * proceed from user space (mgmt_user_confirm with
5598 * confirm_hint set to 1). The exception is if neither
5599 * side had MITM or if the local IO capability is
5600 * NoInputNoOutput, in which case we do auto-accept
5602 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5603 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5604 (loc_mitm || rem_mitm)) {
5605 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5610 /* If there already exists link key in local host, leave the
5611 * decision to user space since the remote device could be
5612 * legitimate or malicious.
5614 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5615 bt_dev_dbg(hdev, "Local host already has link key");
5620 BT_DBG("Auto-accept of user confirmation with %ums delay",
5621 hdev->auto_accept_delay);
5623 if (hdev->auto_accept_delay > 0) {
5624 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5625 queue_delayed_work(conn->hdev->workqueue,
5626 &conn->auto_accept_work, delay);
5630 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5631 sizeof(ev->bdaddr), &ev->bdaddr);
5636 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5637 le32_to_cpu(ev->passkey), confirm_hint);
5640 hci_dev_unlock(hdev);
5643 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5644 struct sk_buff *skb)
5646 struct hci_ev_user_passkey_req *ev = data;
5648 bt_dev_dbg(hdev, "");
5650 if (hci_dev_test_flag(hdev, HCI_MGMT))
5651 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5654 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5655 struct sk_buff *skb)
5657 struct hci_ev_user_passkey_notify *ev = data;
5658 struct hci_conn *conn;
5660 bt_dev_dbg(hdev, "");
5662 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5666 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5667 conn->passkey_entered = 0;
5669 if (hci_dev_test_flag(hdev, HCI_MGMT))
5670 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5671 conn->dst_type, conn->passkey_notify,
5672 conn->passkey_entered);
5675 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5676 struct sk_buff *skb)
5678 struct hci_ev_keypress_notify *ev = data;
5679 struct hci_conn *conn;
5681 bt_dev_dbg(hdev, "");
5683 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5688 case HCI_KEYPRESS_STARTED:
5689 conn->passkey_entered = 0;
5692 case HCI_KEYPRESS_ENTERED:
5693 conn->passkey_entered++;
5696 case HCI_KEYPRESS_ERASED:
5697 conn->passkey_entered--;
5700 case HCI_KEYPRESS_CLEARED:
5701 conn->passkey_entered = 0;
5704 case HCI_KEYPRESS_COMPLETED:
5708 if (hci_dev_test_flag(hdev, HCI_MGMT))
5709 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5710 conn->dst_type, conn->passkey_notify,
5711 conn->passkey_entered);
5714 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5715 struct sk_buff *skb)
5717 struct hci_ev_simple_pair_complete *ev = data;
5718 struct hci_conn *conn;
5720 bt_dev_dbg(hdev, "");
5724 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5728 /* Reset the authentication requirement to unknown */
5729 conn->remote_auth = 0xff;
5731 /* To avoid duplicate auth_failed events to user space we check
5732 * the HCI_CONN_AUTH_PEND flag which will be set if we
5733 * initiated the authentication. A traditional auth_complete
5734 * event gets always produced as initiator and is also mapped to
5735 * the mgmt_auth_failed event */
5736 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5737 mgmt_auth_failed(conn, ev->status);
5739 hci_conn_drop(conn);
5742 hci_dev_unlock(hdev);
5745 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5746 struct sk_buff *skb)
5748 struct hci_ev_remote_host_features *ev = data;
5749 struct inquiry_entry *ie;
5750 struct hci_conn *conn;
5752 bt_dev_dbg(hdev, "");
5756 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5758 memcpy(conn->features[1], ev->features, 8);
5760 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5762 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5764 hci_dev_unlock(hdev);
5767 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5768 struct sk_buff *skb)
5770 struct hci_ev_remote_oob_data_request *ev = edata;
5771 struct oob_data *data;
5773 bt_dev_dbg(hdev, "");
5777 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5780 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5782 struct hci_cp_remote_oob_data_neg_reply cp;
5784 bacpy(&cp.bdaddr, &ev->bdaddr);
5785 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5790 if (bredr_sc_enabled(hdev)) {
5791 struct hci_cp_remote_oob_ext_data_reply cp;
5793 bacpy(&cp.bdaddr, &ev->bdaddr);
5794 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5795 memset(cp.hash192, 0, sizeof(cp.hash192));
5796 memset(cp.rand192, 0, sizeof(cp.rand192));
5798 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5799 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5801 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5802 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5804 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5807 struct hci_cp_remote_oob_data_reply cp;
5809 bacpy(&cp.bdaddr, &ev->bdaddr);
5810 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5811 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5813 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5818 hci_dev_unlock(hdev);
5821 #if IS_ENABLED(CONFIG_BT_HS)
5822 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5823 struct sk_buff *skb)
5825 struct hci_ev_channel_selected *ev = data;
5826 struct hci_conn *hcon;
5828 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5830 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5834 amp_read_loc_assoc_final_data(hdev, hcon);
5837 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5838 struct sk_buff *skb)
5840 struct hci_ev_phy_link_complete *ev = data;
5841 struct hci_conn *hcon, *bredr_hcon;
5843 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5848 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5860 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5862 hcon->state = BT_CONNECTED;
5863 bacpy(&hcon->dst, &bredr_hcon->dst);
5865 hci_conn_hold(hcon);
5866 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5867 hci_conn_drop(hcon);
5869 hci_debugfs_create_conn(hcon);
5870 hci_conn_add_sysfs(hcon);
5872 amp_physical_cfm(bredr_hcon, hcon);
5875 hci_dev_unlock(hdev);
5878 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5879 struct sk_buff *skb)
5881 struct hci_ev_logical_link_complete *ev = data;
5882 struct hci_conn *hcon;
5883 struct hci_chan *hchan;
5884 struct amp_mgr *mgr;
5886 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5887 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5889 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5893 /* Create AMP hchan */
5894 hchan = hci_chan_create(hcon);
5898 hchan->handle = le16_to_cpu(ev->handle);
5901 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5903 mgr = hcon->amp_mgr;
5904 if (mgr && mgr->bredr_chan) {
5905 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5907 l2cap_chan_lock(bredr_chan);
5909 bredr_chan->conn->mtu = hdev->block_mtu;
5910 l2cap_logical_cfm(bredr_chan, hchan, 0);
5911 hci_conn_hold(hcon);
5913 l2cap_chan_unlock(bredr_chan);
5917 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5918 struct sk_buff *skb)
5920 struct hci_ev_disconn_logical_link_complete *ev = data;
5921 struct hci_chan *hchan;
5923 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5924 le16_to_cpu(ev->handle), ev->status);
5931 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5932 if (!hchan || !hchan->amp)
5935 amp_destroy_logical_link(hchan, ev->reason);
5938 hci_dev_unlock(hdev);
5941 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5942 struct sk_buff *skb)
5944 struct hci_ev_disconn_phy_link_complete *ev = data;
5945 struct hci_conn *hcon;
5947 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5954 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5955 if (hcon && hcon->type == AMP_LINK) {
5956 hcon->state = BT_CLOSED;
5957 hci_disconn_cfm(hcon, ev->reason);
5961 hci_dev_unlock(hdev);
5965 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5966 u8 bdaddr_type, bdaddr_t *local_rpa)
5969 conn->dst_type = bdaddr_type;
5970 conn->resp_addr_type = bdaddr_type;
5971 bacpy(&conn->resp_addr, bdaddr);
5973 /* Check if the controller has set a Local RPA then it must be
5974 * used instead or hdev->rpa.
5976 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5977 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5978 bacpy(&conn->init_addr, local_rpa);
5979 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5980 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5981 bacpy(&conn->init_addr, &conn->hdev->rpa);
5983 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5984 &conn->init_addr_type);
5987 conn->resp_addr_type = conn->hdev->adv_addr_type;
5988 /* Check if the controller has set a Local RPA then it must be
5989 * used instead or hdev->rpa.
5991 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5992 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5993 bacpy(&conn->resp_addr, local_rpa);
5994 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5995 /* In case of ext adv, resp_addr will be updated in
5996 * Adv Terminated event.
5998 if (!ext_adv_capable(conn->hdev))
5999 bacpy(&conn->resp_addr,
6000 &conn->hdev->random_addr);
6002 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
6005 conn->init_addr_type = bdaddr_type;
6006 bacpy(&conn->init_addr, bdaddr);
6008 /* For incoming connections, set the default minimum
6009 * and maximum connection interval. They will be used
6010 * to check if the parameters are in range and if not
6011 * trigger the connection update procedure.
6013 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
6014 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
6018 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
6019 bdaddr_t *bdaddr, u8 bdaddr_type,
6020 bdaddr_t *local_rpa, u8 role, u16 handle,
6021 u16 interval, u16 latency,
6022 u16 supervision_timeout)
6024 struct hci_conn_params *params;
6025 struct hci_conn *conn;
6026 struct smp_irk *irk;
6031 /* All controllers implicitly stop advertising in the event of a
6032 * connection, so ensure that the state bit is cleared.
6034 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6036 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
6038 /* In case of error status and there is no connection pending
6039 * just unlock as there is nothing to cleanup.
6044 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
6046 bt_dev_err(hdev, "no memory for new connection");
6050 conn->dst_type = bdaddr_type;
6052 /* If we didn't have a hci_conn object previously
6053 * but we're in central role this must be something
6054 * initiated using an accept list. Since accept list based
6055 * connections are not "first class citizens" we don't
6056 * have full tracking of them. Therefore, we go ahead
6057 * with a "best effort" approach of determining the
6058 * initiator address based on the HCI_PRIVACY flag.
6061 conn->resp_addr_type = bdaddr_type;
6062 bacpy(&conn->resp_addr, bdaddr);
6063 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6064 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6065 bacpy(&conn->init_addr, &hdev->rpa);
6067 hci_copy_identity_address(hdev,
6069 &conn->init_addr_type);
6074 /* LE auto connect */
6075 bacpy(&conn->dst, bdaddr);
6077 cancel_delayed_work(&conn->le_conn_timeout);
6080 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6081 * Processing it more than once per connection can corrupt kernel memory.
6083 * As the connection handle is set here for the first time, it indicates
6084 * whether the connection is already set up.
6086 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
6087 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6091 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6093 /* Lookup the identity address from the stored connection
6094 * address and address type.
6096 * When establishing connections to an identity address, the
6097 * connection procedure will store the resolvable random
6098 * address first. Now if it can be converted back into the
6099 * identity address, start using the identity address from
6102 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6104 bacpy(&conn->dst, &irk->bdaddr);
6105 conn->dst_type = irk->addr_type;
6108 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6110 if (handle > HCI_CONN_HANDLE_MAX) {
6111 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", handle,
6112 HCI_CONN_HANDLE_MAX);
6113 status = HCI_ERROR_INVALID_PARAMETERS;
6116 /* All connection failure handling is taken care of by the
6117 * hci_conn_failed function which is triggered by the HCI
6118 * request completion callbacks used for connecting.
6123 /* Drop the connection if it has been aborted */
6124 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6125 hci_conn_drop(conn);
6129 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6130 addr_type = BDADDR_LE_PUBLIC;
6132 addr_type = BDADDR_LE_RANDOM;
6134 /* Drop the connection if the device is blocked */
6135 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6136 hci_conn_drop(conn);
6140 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6141 mgmt_device_connected(hdev, conn, NULL, 0);
6143 conn->sec_level = BT_SECURITY_LOW;
6144 conn->handle = handle;
6145 conn->state = BT_CONFIG;
6147 /* Store current advertising instance as connection advertising instance
6148 * when sotfware rotation is in use so it can be re-enabled when
6151 if (!ext_adv_capable(hdev))
6152 conn->adv_instance = hdev->cur_adv_instance;
6154 conn->le_conn_interval = interval;
6155 conn->le_conn_latency = latency;
6156 conn->le_supv_timeout = supervision_timeout;
6158 hci_debugfs_create_conn(conn);
6159 hci_conn_add_sysfs(conn);
6161 /* The remote features procedure is defined for central
6162 * role only. So only in case of an initiated connection
6163 * request the remote features.
6165 * If the local controller supports peripheral-initiated features
6166 * exchange, then requesting the remote features in peripheral
6167 * role is possible. Otherwise just transition into the
6168 * connected state without requesting the remote features.
6171 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6172 struct hci_cp_le_read_remote_features cp;
6174 cp.handle = __cpu_to_le16(conn->handle);
6176 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6179 hci_conn_hold(conn);
6181 conn->state = BT_CONNECTED;
6182 hci_connect_cfm(conn, status);
6185 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6188 list_del_init(¶ms->action);
6190 hci_conn_drop(params->conn);
6191 hci_conn_put(params->conn);
6192 params->conn = NULL;
6197 hci_update_passive_scan(hdev);
6198 hci_dev_unlock(hdev);
6201 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6202 struct sk_buff *skb)
6204 struct hci_ev_le_conn_complete *ev = data;
6206 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6208 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6209 NULL, ev->role, le16_to_cpu(ev->handle),
6210 le16_to_cpu(ev->interval),
6211 le16_to_cpu(ev->latency),
6212 le16_to_cpu(ev->supervision_timeout));
6215 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6216 struct sk_buff *skb)
6218 struct hci_ev_le_enh_conn_complete *ev = data;
6220 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6222 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6223 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6224 le16_to_cpu(ev->interval),
6225 le16_to_cpu(ev->latency),
6226 le16_to_cpu(ev->supervision_timeout));
6229 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6230 struct sk_buff *skb)
6232 struct hci_evt_le_ext_adv_set_term *ev = data;
6233 struct hci_conn *conn;
6234 struct adv_info *adv, *n;
6236 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6238 /* The Bluetooth Core 5.3 specification clearly states that this event
6239 * shall not be sent when the Host disables the advertising set. So in
6240 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6242 * When the Host disables an advertising set, all cleanup is done via
6243 * its command callback and not needed to be duplicated here.
6245 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6246 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6252 adv = hci_find_adv_instance(hdev, ev->handle);
6258 /* Remove advertising as it has been terminated */
6259 hci_remove_adv_instance(hdev, ev->handle);
6260 mgmt_advertising_removed(NULL, hdev, ev->handle);
6262 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6267 /* We are no longer advertising, clear HCI_LE_ADV */
6268 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6273 adv->enabled = false;
6275 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6277 /* Store handle in the connection so the correct advertising
6278 * instance can be re-enabled when disconnected.
6280 conn->adv_instance = ev->handle;
6282 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6283 bacmp(&conn->resp_addr, BDADDR_ANY))
6287 bacpy(&conn->resp_addr, &hdev->random_addr);
6292 bacpy(&conn->resp_addr, &adv->random_addr);
6296 hci_dev_unlock(hdev);
6299 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6300 struct sk_buff *skb)
6302 struct hci_ev_le_conn_update_complete *ev = data;
6303 struct hci_conn *conn;
6305 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6312 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6316 hci_dev_unlock(hdev);
6317 mgmt_le_conn_update_failed(hdev, &conn->dst,
6318 conn->type, conn->dst_type, ev->status);
6322 conn->le_conn_interval = le16_to_cpu(ev->interval);
6323 conn->le_conn_latency = le16_to_cpu(ev->latency);
6324 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6327 hci_dev_unlock(hdev);
6330 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6331 conn->dst_type, conn->le_conn_interval,
6332 conn->le_conn_latency, conn->le_supv_timeout);
6336 /* This function requires the caller holds hdev->lock */
6337 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6339 u8 addr_type, bool addr_resolved,
6342 struct hci_conn *conn;
6343 struct hci_conn_params *params;
6345 /* If the event is not connectable don't proceed further */
6346 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6349 /* Ignore if the device is blocked or hdev is suspended */
6350 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6354 /* Most controller will fail if we try to create new connections
6355 * while we have an existing one in peripheral role.
6357 if (hdev->conn_hash.le_num_peripheral > 0 &&
6358 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6359 !(hdev->le_states[3] & 0x10)))
6362 /* If we're not connectable only connect devices that we have in
6363 * our pend_le_conns list.
6365 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6370 if (!params->explicit_connect) {
6371 switch (params->auto_connect) {
6372 case HCI_AUTO_CONN_DIRECT:
6373 /* Only devices advertising with ADV_DIRECT_IND are
6374 * triggering a connection attempt. This is allowing
6375 * incoming connections from peripheral devices.
6377 if (adv_type != LE_ADV_DIRECT_IND)
6380 case HCI_AUTO_CONN_ALWAYS:
6381 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6382 * are triggering a connection attempt. This means
6383 * that incoming connections from peripheral device are
6384 * accepted and also outgoing connections to peripheral
6385 * devices are established when found.
6393 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6394 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6396 if (!IS_ERR(conn)) {
6397 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6398 * by higher layer that tried to connect, if no then
6399 * store the pointer since we don't really have any
6400 * other owner of the object besides the params that
6401 * triggered it. This way we can abort the connection if
6402 * the parameters get removed and keep the reference
6403 * count consistent once the connection is established.
6406 if (!params->explicit_connect)
6407 params->conn = hci_conn_get(conn);
6412 switch (PTR_ERR(conn)) {
6414 /* If hci_connect() returns -EBUSY it means there is already
6415 * an LE connection attempt going on. Since controllers don't
6416 * support more than one connection attempt at the time, we
6417 * don't consider this an error case.
6421 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6428 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6429 u8 bdaddr_type, bdaddr_t *direct_addr,
6430 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6431 bool ext_adv, bool ctl_time, u64 instant)
6433 struct discovery_state *d = &hdev->discovery;
6434 struct smp_irk *irk;
6435 struct hci_conn *conn;
6436 bool match, bdaddr_resolved;
6442 case LE_ADV_DIRECT_IND:
6443 case LE_ADV_SCAN_IND:
6444 case LE_ADV_NONCONN_IND:
6445 case LE_ADV_SCAN_RSP:
6448 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6449 "type: 0x%02x", type);
6453 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
6454 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
6458 /* Find the end of the data in case the report contains padded zero
6459 * bytes at the end causing an invalid length value.
6461 * When data is NULL, len is 0 so there is no need for extra ptr
6462 * check as 'ptr < data + 0' is already false in such case.
6464 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6465 if (ptr + 1 + *ptr > data + len)
6469 /* Adjust for actual length. This handles the case when remote
6470 * device is advertising with incorrect data length.
6474 /* If the direct address is present, then this report is from
6475 * a LE Direct Advertising Report event. In that case it is
6476 * important to see if the address is matching the local
6477 * controller address.
6479 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6480 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6483 /* Only resolvable random addresses are valid for these
6484 * kind of reports and others can be ignored.
6486 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6489 /* If the controller is not using resolvable random
6490 * addresses, then this report can be ignored.
6492 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6495 /* If the local IRK of the controller does not match
6496 * with the resolvable random address provided, then
6497 * this report can be ignored.
6499 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6503 /* Check if we need to convert to identity address */
6504 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6506 bdaddr = &irk->bdaddr;
6507 bdaddr_type = irk->addr_type;
6510 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6512 /* Check if we have been requested to connect to this device.
6514 * direct_addr is set only for directed advertising reports (it is NULL
6515 * for advertising reports) and is already verified to be RPA above.
6517 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6519 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
6520 /* Store report for later inclusion by
6521 * mgmt_device_connected
6523 memcpy(conn->le_adv_data, data, len);
6524 conn->le_adv_data_len = len;
6527 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6528 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6532 /* All scan results should be sent up for Mesh systems */
6533 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6534 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6535 rssi, flags, data, len, NULL, 0, instant);
6539 /* Passive scanning shouldn't trigger any device found events,
6540 * except for devices marked as CONN_REPORT for which we do send
6541 * device found events, or advertisement monitoring requested.
6543 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6544 if (type == LE_ADV_DIRECT_IND)
6548 /* Handle all adv packet in platform */
6549 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6550 bdaddr, bdaddr_type) &&
6551 idr_is_empty(&hdev->adv_monitors_idr))
6556 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6557 rssi, flags, data, len, NULL, 0, type);
6559 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6560 rssi, flags, data, len, NULL, 0, 0);
6565 /* When receiving a scan response, then there is no way to
6566 * know if the remote device is connectable or not. However
6567 * since scan responses are merged with a previously seen
6568 * advertising report, the flags field from that report
6571 * In the unlikely case that a controller just sends a scan
6572 * response event that doesn't match the pending report, then
6573 * it is marked as a standalone SCAN_RSP.
6575 if (type == LE_ADV_SCAN_RSP)
6576 flags = MGMT_DEV_FOUND_SCAN_RSP;
6579 /* Disable adv ind and scan rsp merging */
6580 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6581 rssi, flags, data, len, NULL, 0, type);
6583 /* If there's nothing pending either store the data from this
6584 * event or send an immediate device found event if the data
6585 * should not be stored for later.
6587 if (!ext_adv && !has_pending_adv_report(hdev)) {
6588 /* If the report will trigger a SCAN_REQ store it for
6591 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6592 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6593 rssi, flags, data, len);
6597 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6598 rssi, flags, data, len, NULL, 0, 0);
6602 /* Check if the pending report is for the same device as the new one */
6603 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6604 bdaddr_type == d->last_adv_addr_type);
6606 /* If the pending data doesn't match this report or this isn't a
6607 * scan response (e.g. we got a duplicate ADV_IND) then force
6608 * sending of the pending data.
6610 if (type != LE_ADV_SCAN_RSP || !match) {
6611 /* Send out whatever is in the cache, but skip duplicates */
6613 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6614 d->last_adv_addr_type, NULL,
6615 d->last_adv_rssi, d->last_adv_flags,
6617 d->last_adv_data_len, NULL, 0, 0);
6619 /* If the new report will trigger a SCAN_REQ store it for
6622 if (!ext_adv && (type == LE_ADV_IND ||
6623 type == LE_ADV_SCAN_IND)) {
6624 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6625 rssi, flags, data, len);
6629 /* The advertising reports cannot be merged, so clear
6630 * the pending report and send out a device found event.
6632 clear_pending_adv_report(hdev);
6633 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6634 rssi, flags, data, len, NULL, 0, 0);
6638 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6639 * the new event is a SCAN_RSP. We can therefore proceed with
6640 * sending a merged device found event.
6642 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6643 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6644 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6645 clear_pending_adv_report(hdev);
6649 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6650 struct sk_buff *skb)
6652 struct hci_ev_le_advertising_report *ev = data;
6653 u64 instant = jiffies;
6661 struct hci_ev_le_advertising_info *info;
6664 info = hci_le_ev_skb_pull(hdev, skb,
6665 HCI_EV_LE_ADVERTISING_REPORT,
6670 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6674 if (info->length <= HCI_MAX_AD_LENGTH) {
6675 rssi = info->data[info->length];
6676 process_adv_report(hdev, info->type, &info->bdaddr,
6677 info->bdaddr_type, NULL, 0, rssi,
6678 info->data, info->length, false,
6681 bt_dev_err(hdev, "Dropping invalid advertising data");
6685 hci_dev_unlock(hdev);
6688 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6690 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6692 case LE_LEGACY_ADV_IND:
6694 case LE_LEGACY_ADV_DIRECT_IND:
6695 return LE_ADV_DIRECT_IND;
6696 case LE_LEGACY_ADV_SCAN_IND:
6697 return LE_ADV_SCAN_IND;
6698 case LE_LEGACY_NONCONN_IND:
6699 return LE_ADV_NONCONN_IND;
6700 case LE_LEGACY_SCAN_RSP_ADV:
6701 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6702 return LE_ADV_SCAN_RSP;
6708 if (evt_type & LE_EXT_ADV_CONN_IND) {
6709 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6710 return LE_ADV_DIRECT_IND;
6715 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6716 return LE_ADV_SCAN_RSP;
6718 if (evt_type & LE_EXT_ADV_SCAN_IND)
6719 return LE_ADV_SCAN_IND;
6721 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6722 evt_type & LE_EXT_ADV_DIRECT_IND)
6723 return LE_ADV_NONCONN_IND;
6726 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6729 return LE_ADV_INVALID;
6732 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6733 struct sk_buff *skb)
6735 struct hci_ev_le_ext_adv_report *ev = data;
6736 u64 instant = jiffies;
6744 struct hci_ev_le_ext_adv_info *info;
6748 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6753 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6757 evt_type = __le16_to_cpu(info->type);
6758 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6759 if (legacy_evt_type != LE_ADV_INVALID) {
6760 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6761 info->bdaddr_type, NULL, 0,
6762 info->rssi, info->data, info->length,
6763 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6768 hci_dev_unlock(hdev);
6771 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6773 struct hci_cp_le_pa_term_sync cp;
6775 memset(&cp, 0, sizeof(cp));
6778 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6781 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6782 struct sk_buff *skb)
6784 struct hci_ev_le_pa_sync_established *ev = data;
6785 int mask = hdev->link_mode;
6788 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6795 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6797 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6798 if (!(mask & HCI_LM_ACCEPT))
6799 hci_le_pa_term_sync(hdev, ev->handle);
6801 hci_dev_unlock(hdev);
6804 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6805 struct sk_buff *skb)
6807 struct hci_ev_le_remote_feat_complete *ev = data;
6808 struct hci_conn *conn;
6810 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6814 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6817 memcpy(conn->features[0], ev->features, 8);
6819 if (conn->state == BT_CONFIG) {
6822 /* If the local controller supports peripheral-initiated
6823 * features exchange, but the remote controller does
6824 * not, then it is possible that the error code 0x1a
6825 * for unsupported remote feature gets returned.
6827 * In this specific case, allow the connection to
6828 * transition into connected state and mark it as
6831 if (!conn->out && ev->status == 0x1a &&
6832 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6835 status = ev->status;
6837 conn->state = BT_CONNECTED;
6838 hci_connect_cfm(conn, status);
6839 hci_conn_drop(conn);
6843 hci_dev_unlock(hdev);
6846 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6847 struct sk_buff *skb)
6849 struct hci_ev_le_ltk_req *ev = data;
6850 struct hci_cp_le_ltk_reply cp;
6851 struct hci_cp_le_ltk_neg_reply neg;
6852 struct hci_conn *conn;
6853 struct smp_ltk *ltk;
6855 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6859 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6863 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6867 if (smp_ltk_is_sc(ltk)) {
6868 /* With SC both EDiv and Rand are set to zero */
6869 if (ev->ediv || ev->rand)
6872 /* For non-SC keys check that EDiv and Rand match */
6873 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6877 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6878 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6879 cp.handle = cpu_to_le16(conn->handle);
6881 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6883 conn->enc_key_size = ltk->enc_size;
6885 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6887 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6888 * temporary key used to encrypt a connection following
6889 * pairing. It is used during the Encrypted Session Setup to
6890 * distribute the keys. Later, security can be re-established
6891 * using a distributed LTK.
6893 if (ltk->type == SMP_STK) {
6894 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6895 list_del_rcu(<k->list);
6896 kfree_rcu(ltk, rcu);
6898 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6901 hci_dev_unlock(hdev);
6906 neg.handle = ev->handle;
6907 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6908 hci_dev_unlock(hdev);
6911 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6914 struct hci_cp_le_conn_param_req_neg_reply cp;
6916 cp.handle = cpu_to_le16(handle);
6919 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6923 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6924 struct sk_buff *skb)
6926 struct hci_ev_le_remote_conn_param_req *ev = data;
6927 struct hci_cp_le_conn_param_req_reply cp;
6928 struct hci_conn *hcon;
6929 u16 handle, min, max, latency, timeout;
6931 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6933 handle = le16_to_cpu(ev->handle);
6934 min = le16_to_cpu(ev->interval_min);
6935 max = le16_to_cpu(ev->interval_max);
6936 latency = le16_to_cpu(ev->latency);
6937 timeout = le16_to_cpu(ev->timeout);
6939 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6940 if (!hcon || hcon->state != BT_CONNECTED)
6941 return send_conn_param_neg_reply(hdev, handle,
6942 HCI_ERROR_UNKNOWN_CONN_ID);
6944 if (hci_check_conn_params(min, max, latency, timeout))
6945 return send_conn_param_neg_reply(hdev, handle,
6946 HCI_ERROR_INVALID_LL_PARAMS);
6948 if (hcon->role == HCI_ROLE_MASTER) {
6949 struct hci_conn_params *params;
6954 params = hci_conn_params_lookup(hdev, &hcon->dst,
6957 params->conn_min_interval = min;
6958 params->conn_max_interval = max;
6959 params->conn_latency = latency;
6960 params->supervision_timeout = timeout;
6966 hci_dev_unlock(hdev);
6968 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6969 store_hint, min, max, latency, timeout);
6972 cp.handle = ev->handle;
6973 cp.interval_min = ev->interval_min;
6974 cp.interval_max = ev->interval_max;
6975 cp.latency = ev->latency;
6976 cp.timeout = ev->timeout;
6980 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6983 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6984 struct sk_buff *skb)
6986 struct hci_ev_le_direct_adv_report *ev = data;
6987 u64 instant = jiffies;
6990 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6991 flex_array_size(ev, info, ev->num)))
6999 for (i = 0; i < ev->num; i++) {
7000 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
7002 process_adv_report(hdev, info->type, &info->bdaddr,
7003 info->bdaddr_type, &info->direct_addr,
7004 info->direct_addr_type, info->rssi, NULL, 0,
7005 false, false, instant);
7008 hci_dev_unlock(hdev);
7011 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
7012 struct sk_buff *skb)
7014 struct hci_ev_le_phy_update_complete *ev = data;
7015 struct hci_conn *conn;
7017 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7024 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7028 conn->le_tx_phy = ev->tx_phy;
7029 conn->le_rx_phy = ev->rx_phy;
7032 hci_dev_unlock(hdev);
7035 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7036 struct sk_buff *skb)
7038 struct hci_evt_le_cis_established *ev = data;
7039 struct hci_conn *conn;
7040 u16 handle = __le16_to_cpu(ev->handle);
7042 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7046 conn = hci_conn_hash_lookup_handle(hdev, handle);
7049 "Unable to find connection with handle 0x%4.4x",
7054 if (conn->type != ISO_LINK) {
7056 "Invalid connection link type handle 0x%4.4x",
7061 if (conn->role == HCI_ROLE_SLAVE) {
7064 memset(&interval, 0, sizeof(interval));
7066 memcpy(&interval, ev->c_latency, sizeof(ev->c_latency));
7067 conn->iso_qos.in.interval = le32_to_cpu(interval);
7068 memcpy(&interval, ev->p_latency, sizeof(ev->p_latency));
7069 conn->iso_qos.out.interval = le32_to_cpu(interval);
7070 conn->iso_qos.in.latency = le16_to_cpu(ev->interval);
7071 conn->iso_qos.out.latency = le16_to_cpu(ev->interval);
7072 conn->iso_qos.in.sdu = le16_to_cpu(ev->c_mtu);
7073 conn->iso_qos.out.sdu = le16_to_cpu(ev->p_mtu);
7074 conn->iso_qos.in.phy = ev->c_phy;
7075 conn->iso_qos.out.phy = ev->p_phy;
7079 conn->state = BT_CONNECTED;
7080 hci_debugfs_create_conn(conn);
7081 hci_conn_add_sysfs(conn);
7082 hci_iso_setup_path(conn);
7086 hci_connect_cfm(conn, ev->status);
7090 hci_dev_unlock(hdev);
7093 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7095 struct hci_cp_le_reject_cis cp;
7097 memset(&cp, 0, sizeof(cp));
7099 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7100 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7103 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7105 struct hci_cp_le_accept_cis cp;
7107 memset(&cp, 0, sizeof(cp));
7109 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7112 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7113 struct sk_buff *skb)
7115 struct hci_evt_le_cis_req *ev = data;
7116 u16 acl_handle, cis_handle;
7117 struct hci_conn *acl, *cis;
7121 acl_handle = __le16_to_cpu(ev->acl_handle);
7122 cis_handle = __le16_to_cpu(ev->cis_handle);
7124 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7125 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7129 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7133 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7134 if (!(mask & HCI_LM_ACCEPT)) {
7135 hci_le_reject_cis(hdev, ev->cis_handle);
7139 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7141 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE);
7143 hci_le_reject_cis(hdev, ev->cis_handle);
7146 cis->handle = cis_handle;
7149 cis->iso_qos.cig = ev->cig_id;
7150 cis->iso_qos.cis = ev->cis_id;
7152 if (!(flags & HCI_PROTO_DEFER)) {
7153 hci_le_accept_cis(hdev, ev->cis_handle);
7155 cis->state = BT_CONNECT2;
7156 hci_connect_cfm(cis, 0);
7160 hci_dev_unlock(hdev);
7163 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7164 struct sk_buff *skb)
7166 struct hci_evt_le_create_big_complete *ev = data;
7167 struct hci_conn *conn;
7169 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7171 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7172 flex_array_size(ev, bis_handle, ev->num_bis)))
7177 conn = hci_conn_hash_lookup_big(hdev, ev->handle);
7181 if (conn->type != ISO_LINK) {
7183 "Invalid connection link type handle 0x%2.2x",
7189 conn->handle = __le16_to_cpu(ev->bis_handle[0]);
7192 conn->state = BT_CONNECTED;
7193 hci_debugfs_create_conn(conn);
7194 hci_conn_add_sysfs(conn);
7195 hci_iso_setup_path(conn);
7199 hci_connect_cfm(conn, ev->status);
7203 hci_dev_unlock(hdev);
7206 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7207 struct sk_buff *skb)
7209 struct hci_evt_le_big_sync_estabilished *ev = data;
7210 struct hci_conn *bis;
7213 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7215 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7216 flex_array_size(ev, bis, ev->num_bis)))
7224 for (i = 0; i < ev->num_bis; i++) {
7225 u16 handle = le16_to_cpu(ev->bis[i]);
7228 bis = hci_conn_hash_lookup_handle(hdev, handle);
7230 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7234 bis->handle = handle;
7237 bis->iso_qos.big = ev->handle;
7238 memset(&interval, 0, sizeof(interval));
7239 memcpy(&interval, ev->latency, sizeof(ev->latency));
7240 bis->iso_qos.in.interval = le32_to_cpu(interval);
7241 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7242 bis->iso_qos.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7243 bis->iso_qos.in.sdu = le16_to_cpu(ev->max_pdu);
7245 hci_iso_setup_path(bis);
7248 hci_dev_unlock(hdev);
7251 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7252 struct sk_buff *skb)
7254 struct hci_evt_le_big_info_adv_report *ev = data;
7255 int mask = hdev->link_mode;
7258 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7262 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7263 if (!(mask & HCI_LM_ACCEPT))
7264 hci_le_pa_term_sync(hdev, ev->sync_handle);
7266 hci_dev_unlock(hdev);
7269 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7272 .min_len = _min_len, \
7273 .max_len = _max_len, \
7276 #define HCI_LE_EV(_op, _func, _len) \
7277 HCI_LE_EV_VL(_op, _func, _len, _len)
7279 #define HCI_LE_EV_STATUS(_op, _func) \
7280 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7282 /* Entries in this table shall have their position according to the subevent
7283 * opcode they handle so the use of the macros above is recommend since it does
7284 * attempt to initialize at its proper index using Designated Initializers that
7285 * way events without a callback function can be ommited.
7287 static const struct hci_le_ev {
7288 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7291 } hci_le_ev_table[U8_MAX + 1] = {
7292 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7293 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7294 sizeof(struct hci_ev_le_conn_complete)),
7295 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7296 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7297 sizeof(struct hci_ev_le_advertising_report),
7298 HCI_MAX_EVENT_SIZE),
7299 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7300 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7301 hci_le_conn_update_complete_evt,
7302 sizeof(struct hci_ev_le_conn_update_complete)),
7303 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7304 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7305 hci_le_remote_feat_complete_evt,
7306 sizeof(struct hci_ev_le_remote_feat_complete)),
7307 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7308 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7309 sizeof(struct hci_ev_le_ltk_req)),
7310 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7311 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7312 hci_le_remote_conn_param_req_evt,
7313 sizeof(struct hci_ev_le_remote_conn_param_req)),
7314 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7315 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7316 hci_le_enh_conn_complete_evt,
7317 sizeof(struct hci_ev_le_enh_conn_complete)),
7318 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7319 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7320 sizeof(struct hci_ev_le_direct_adv_report),
7321 HCI_MAX_EVENT_SIZE),
7322 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7323 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7324 sizeof(struct hci_ev_le_phy_update_complete)),
7325 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7326 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7327 sizeof(struct hci_ev_le_ext_adv_report),
7328 HCI_MAX_EVENT_SIZE),
7329 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7330 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7331 hci_le_pa_sync_estabilished_evt,
7332 sizeof(struct hci_ev_le_pa_sync_established)),
7333 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7334 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7335 sizeof(struct hci_evt_le_ext_adv_set_term)),
7336 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7337 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7338 sizeof(struct hci_evt_le_cis_established)),
7339 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7340 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7341 sizeof(struct hci_evt_le_cis_req)),
7342 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7343 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7344 hci_le_create_big_complete_evt,
7345 sizeof(struct hci_evt_le_create_big_complete),
7346 HCI_MAX_EVENT_SIZE),
7347 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7348 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7349 hci_le_big_sync_established_evt,
7350 sizeof(struct hci_evt_le_big_sync_estabilished),
7351 HCI_MAX_EVENT_SIZE),
7352 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7353 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7354 hci_le_big_info_adv_report_evt,
7355 sizeof(struct hci_evt_le_big_info_adv_report),
7356 HCI_MAX_EVENT_SIZE),
7359 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7360 struct sk_buff *skb, u16 *opcode, u8 *status,
7361 hci_req_complete_t *req_complete,
7362 hci_req_complete_skb_t *req_complete_skb)
7364 struct hci_ev_le_meta *ev = data;
7365 const struct hci_le_ev *subev;
7367 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7369 /* Only match event if command OGF is for LE */
7370 if (hdev->sent_cmd &&
7371 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7372 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7373 *opcode = hci_skb_opcode(hdev->sent_cmd);
7374 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7378 subev = &hci_le_ev_table[ev->subevent];
7382 if (skb->len < subev->min_len) {
7383 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7384 ev->subevent, skb->len, subev->min_len);
7388 /* Just warn if the length is over max_len size it still be
7389 * possible to partially parse the event so leave to callback to
7390 * decide if that is acceptable.
7392 if (skb->len > subev->max_len)
7393 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7394 ev->subevent, skb->len, subev->max_len);
7395 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7399 subev->func(hdev, data, skb);
7402 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7403 u8 event, struct sk_buff *skb)
7405 struct hci_ev_cmd_complete *ev;
7406 struct hci_event_hdr *hdr;
7411 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7416 if (hdr->evt != event)
7421 /* Check if request ended in Command Status - no way to retrieve
7422 * any extra parameters in this case.
7424 if (hdr->evt == HCI_EV_CMD_STATUS)
7427 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7428 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7433 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7437 if (opcode != __le16_to_cpu(ev->opcode)) {
7438 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7439 __le16_to_cpu(ev->opcode));
7446 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7447 struct sk_buff *skb)
7449 struct hci_ev_le_advertising_info *adv;
7450 struct hci_ev_le_direct_adv_info *direct_adv;
7451 struct hci_ev_le_ext_adv_info *ext_adv;
7452 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7453 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7457 /* If we are currently suspended and this is the first BT event seen,
7458 * save the wake reason associated with the event.
7460 if (!hdev->suspended || hdev->wake_reason)
7463 /* Default to remote wake. Values for wake_reason are documented in the
7464 * Bluez mgmt api docs.
7466 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7468 /* Once configured for remote wakeup, we should only wake up for
7469 * reconnections. It's useful to see which device is waking us up so
7470 * keep track of the bdaddr of the connection event that woke us up.
7472 if (event == HCI_EV_CONN_REQUEST) {
7473 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7474 hdev->wake_addr_type = BDADDR_BREDR;
7475 } else if (event == HCI_EV_CONN_COMPLETE) {
7476 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7477 hdev->wake_addr_type = BDADDR_BREDR;
7478 } else if (event == HCI_EV_LE_META) {
7479 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7480 u8 subevent = le_ev->subevent;
7481 u8 *ptr = &skb->data[sizeof(*le_ev)];
7482 u8 num_reports = *ptr;
7484 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7485 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7486 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7488 adv = (void *)(ptr + 1);
7489 direct_adv = (void *)(ptr + 1);
7490 ext_adv = (void *)(ptr + 1);
7493 case HCI_EV_LE_ADVERTISING_REPORT:
7494 bacpy(&hdev->wake_addr, &adv->bdaddr);
7495 hdev->wake_addr_type = adv->bdaddr_type;
7497 case HCI_EV_LE_DIRECT_ADV_REPORT:
7498 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7499 hdev->wake_addr_type = direct_adv->bdaddr_type;
7501 case HCI_EV_LE_EXT_ADV_REPORT:
7502 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7503 hdev->wake_addr_type = ext_adv->bdaddr_type;
7508 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7512 hci_dev_unlock(hdev);
7515 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7519 .min_len = _min_len, \
7520 .max_len = _max_len, \
7523 #define HCI_EV(_op, _func, _len) \
7524 HCI_EV_VL(_op, _func, _len, _len)
7526 #define HCI_EV_STATUS(_op, _func) \
7527 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7529 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7532 .func_req = _func, \
7533 .min_len = _min_len, \
7534 .max_len = _max_len, \
7537 #define HCI_EV_REQ(_op, _func, _len) \
7538 HCI_EV_REQ_VL(_op, _func, _len, _len)
7540 /* Entries in this table shall have their position according to the event opcode
7541 * they handle so the use of the macros above is recommend since it does attempt
7542 * to initialize at its proper index using Designated Initializers that way
7543 * events without a callback function don't have entered.
7545 static const struct hci_ev {
7548 void (*func)(struct hci_dev *hdev, void *data,
7549 struct sk_buff *skb);
7550 void (*func_req)(struct hci_dev *hdev, void *data,
7551 struct sk_buff *skb, u16 *opcode, u8 *status,
7552 hci_req_complete_t *req_complete,
7553 hci_req_complete_skb_t *req_complete_skb);
7557 } hci_ev_table[U8_MAX + 1] = {
7558 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7559 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7560 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7561 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7562 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7563 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7564 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7565 sizeof(struct hci_ev_conn_complete)),
7566 /* [0x04 = HCI_EV_CONN_REQUEST] */
7567 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7568 sizeof(struct hci_ev_conn_request)),
7569 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7570 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7571 sizeof(struct hci_ev_disconn_complete)),
7572 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7573 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7574 sizeof(struct hci_ev_auth_complete)),
7575 /* [0x07 = HCI_EV_REMOTE_NAME] */
7576 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7577 sizeof(struct hci_ev_remote_name)),
7578 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7579 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7580 sizeof(struct hci_ev_encrypt_change)),
7581 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7582 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7583 hci_change_link_key_complete_evt,
7584 sizeof(struct hci_ev_change_link_key_complete)),
7585 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7586 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7587 sizeof(struct hci_ev_remote_features)),
7588 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7589 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7590 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7591 /* [0x0f = HCI_EV_CMD_STATUS] */
7592 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7593 sizeof(struct hci_ev_cmd_status)),
7594 /* [0x10 = HCI_EV_CMD_STATUS] */
7595 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7596 sizeof(struct hci_ev_hardware_error)),
7597 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7598 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7599 sizeof(struct hci_ev_role_change)),
7600 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7601 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7602 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7603 /* [0x14 = HCI_EV_MODE_CHANGE] */
7604 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7605 sizeof(struct hci_ev_mode_change)),
7606 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7607 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7608 sizeof(struct hci_ev_pin_code_req)),
7609 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7610 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7611 sizeof(struct hci_ev_link_key_req)),
7612 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7613 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7614 sizeof(struct hci_ev_link_key_notify)),
7615 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7616 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7617 sizeof(struct hci_ev_clock_offset)),
7618 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7619 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7620 sizeof(struct hci_ev_pkt_type_change)),
7621 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7622 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7623 sizeof(struct hci_ev_pscan_rep_mode)),
7624 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7625 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7626 hci_inquiry_result_with_rssi_evt,
7627 sizeof(struct hci_ev_inquiry_result_rssi),
7628 HCI_MAX_EVENT_SIZE),
7629 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7630 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7631 sizeof(struct hci_ev_remote_ext_features)),
7632 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7633 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7634 sizeof(struct hci_ev_sync_conn_complete)),
7635 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7636 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7637 hci_extended_inquiry_result_evt,
7638 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7639 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7640 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7641 sizeof(struct hci_ev_key_refresh_complete)),
7642 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7643 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7644 sizeof(struct hci_ev_io_capa_request)),
7645 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7646 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7647 sizeof(struct hci_ev_io_capa_reply)),
7648 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7649 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7650 sizeof(struct hci_ev_user_confirm_req)),
7651 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7652 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7653 sizeof(struct hci_ev_user_passkey_req)),
7654 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7655 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7656 sizeof(struct hci_ev_remote_oob_data_request)),
7657 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7658 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7659 sizeof(struct hci_ev_simple_pair_complete)),
7660 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7661 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7662 sizeof(struct hci_ev_user_passkey_notify)),
7663 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7664 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7665 sizeof(struct hci_ev_keypress_notify)),
7666 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7667 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7668 sizeof(struct hci_ev_remote_host_features)),
7669 /* [0x3e = HCI_EV_LE_META] */
7670 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7671 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7672 #if IS_ENABLED(CONFIG_BT_HS)
7673 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7674 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7675 sizeof(struct hci_ev_phy_link_complete)),
7676 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7677 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7678 sizeof(struct hci_ev_channel_selected)),
7679 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7680 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7681 hci_disconn_loglink_complete_evt,
7682 sizeof(struct hci_ev_disconn_logical_link_complete)),
7683 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7684 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7685 sizeof(struct hci_ev_logical_link_complete)),
7686 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7687 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7688 hci_disconn_phylink_complete_evt,
7689 sizeof(struct hci_ev_disconn_phy_link_complete)),
7691 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7692 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7693 sizeof(struct hci_ev_num_comp_blocks)),
7695 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7696 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7697 sizeof(struct hci_ev_vendor_specific)),
7699 /* [0xff = HCI_EV_VENDOR] */
7700 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7704 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7705 u16 *opcode, u8 *status,
7706 hci_req_complete_t *req_complete,
7707 hci_req_complete_skb_t *req_complete_skb)
7709 const struct hci_ev *ev = &hci_ev_table[event];
7715 if (skb->len < ev->min_len) {
7716 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7717 event, skb->len, ev->min_len);
7721 /* Just warn if the length is over max_len size it still be
7722 * possible to partially parse the event so leave to callback to
7723 * decide if that is acceptable.
7725 if (skb->len > ev->max_len)
7726 bt_dev_warn_ratelimited(hdev,
7727 "unexpected event 0x%2.2x length: %u > %u",
7728 event, skb->len, ev->max_len);
7730 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7735 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7738 ev->func(hdev, data, skb);
7741 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7743 struct hci_event_hdr *hdr = (void *) skb->data;
7744 hci_req_complete_t req_complete = NULL;
7745 hci_req_complete_skb_t req_complete_skb = NULL;
7746 struct sk_buff *orig_skb = NULL;
7747 u8 status = 0, event, req_evt = 0;
7748 u16 opcode = HCI_OP_NOP;
7750 if (skb->len < sizeof(*hdr)) {
7751 bt_dev_err(hdev, "Malformed HCI Event");
7755 kfree_skb(hdev->recv_event);
7756 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7760 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7765 /* Only match event if command OGF is not for LE */
7766 if (hdev->sent_cmd &&
7767 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7768 hci_skb_event(hdev->sent_cmd) == event) {
7769 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7770 status, &req_complete, &req_complete_skb);
7774 /* If it looks like we might end up having to call
7775 * req_complete_skb, store a pristine copy of the skb since the
7776 * various handlers may modify the original one through
7777 * skb_pull() calls, etc.
7779 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7780 event == HCI_EV_CMD_COMPLETE)
7781 orig_skb = skb_clone(skb, GFP_KERNEL);
7783 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7785 /* Store wake reason if we're suspended */
7786 hci_store_wake_reason(hdev, event, skb);
7788 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7790 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7794 req_complete(hdev, status, opcode);
7795 } else if (req_complete_skb) {
7796 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7797 kfree_skb(orig_skb);
7800 req_complete_skb(hdev, status, opcode, orig_skb);
7804 kfree_skb(orig_skb);
7806 hdev->stat.evt_rx++;