2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 "\x00\x00\x00\x00\x00\x00\x00\x00"
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
50 /* Handle HCI Event packets */
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
57 data = skb_pull_data(skb, len);
59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
69 data = skb_pull_data(skb, len);
71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
81 data = skb_pull_data(skb, len);
83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
91 struct hci_ev_status *rp = data;
93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
95 /* It is possible that we receive Inquiry Complete event right
96 * before we receive Inquiry Cancel Command Complete event, in
97 * which case the latter event should have status of Command
98 * Disallowed (0x0c). This should not be treated as error, since
99 * we actually achieve what Inquiry Cancel wants to achieve,
100 * which is to end the last Inquiry session.
102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
110 clear_bit(HCI_INQUIRY, &hdev->flags);
111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 wake_up_bit(&hdev->flags, HCI_INQUIRY);
115 /* Set discovery state to stopped if we're not doing LE active
118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 hdev->le_scan_type != LE_SCAN_ACTIVE)
120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 hci_dev_unlock(hdev);
123 hci_conn_check_pending(hdev);
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
131 struct hci_ev_status *rp = data;
133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
146 struct hci_ev_status *rp = data;
148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
155 hci_conn_check_pending(hdev);
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
163 struct hci_ev_status *rp = data;
165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
173 struct hci_rp_role_discovery *rp = data;
174 struct hci_conn *conn;
176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
185 conn->role = rp->role;
187 hci_dev_unlock(hdev);
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
195 struct hci_rp_read_link_policy *rp = data;
196 struct hci_conn *conn;
198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
207 conn->link_policy = __le16_to_cpu(rp->policy);
209 hci_dev_unlock(hdev);
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
217 struct hci_rp_write_link_policy *rp = data;
218 struct hci_conn *conn;
221 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
226 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
234 conn->link_policy = get_unaligned_le16(sent + 2);
236 hci_dev_unlock(hdev);
241 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
244 struct hci_rp_read_def_link_policy *rp = data;
246 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
251 hdev->link_policy = __le16_to_cpu(rp->policy);
256 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
259 struct hci_ev_status *rp = data;
262 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
271 hdev->link_policy = get_unaligned_le16(sent);
276 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
278 struct hci_ev_status *rp = data;
280 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
282 clear_bit(HCI_RESET, &hdev->flags);
287 /* Reset all non-persistent flags */
288 hci_dev_clear_volatile_flags(hdev);
290 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
292 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
293 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
295 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
296 hdev->adv_data_len = 0;
298 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
299 hdev->scan_rsp_data_len = 0;
301 hdev->le_scan_type = LE_SCAN_PASSIVE;
303 hdev->ssp_debug_mode = 0;
305 hci_bdaddr_list_clear(&hdev->le_accept_list);
306 hci_bdaddr_list_clear(&hdev->le_resolv_list);
311 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
314 struct hci_rp_read_stored_link_key *rp = data;
315 struct hci_cp_read_stored_link_key *sent;
317 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
319 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
323 if (!rp->status && sent->read_all == 0x01) {
324 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
325 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
331 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
334 struct hci_rp_delete_stored_link_key *rp = data;
337 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
342 num_keys = le16_to_cpu(rp->num_keys);
344 if (num_keys <= hdev->stored_num_keys)
345 hdev->stored_num_keys -= num_keys;
347 hdev->stored_num_keys = 0;
352 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
355 struct hci_ev_status *rp = data;
358 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
360 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
366 if (hci_dev_test_flag(hdev, HCI_MGMT))
367 mgmt_set_local_name_complete(hdev, sent, rp->status);
368 else if (!rp->status)
369 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
371 hci_dev_unlock(hdev);
376 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
379 struct hci_rp_read_local_name *rp = data;
381 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
386 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
387 hci_dev_test_flag(hdev, HCI_CONFIG))
388 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
393 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
396 struct hci_ev_status *rp = data;
399 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
401 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
408 __u8 param = *((__u8 *) sent);
410 if (param == AUTH_ENABLED)
411 set_bit(HCI_AUTH, &hdev->flags);
413 clear_bit(HCI_AUTH, &hdev->flags);
416 if (hci_dev_test_flag(hdev, HCI_MGMT))
417 mgmt_auth_enable_complete(hdev, rp->status);
419 hci_dev_unlock(hdev);
424 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
427 struct hci_ev_status *rp = data;
431 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
436 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
440 param = *((__u8 *) sent);
443 set_bit(HCI_ENCRYPT, &hdev->flags);
445 clear_bit(HCI_ENCRYPT, &hdev->flags);
450 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
453 struct hci_ev_status *rp = data;
457 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
459 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
463 param = *((__u8 *) sent);
468 hdev->discov_timeout = 0;
472 if (param & SCAN_INQUIRY)
473 set_bit(HCI_ISCAN, &hdev->flags);
475 clear_bit(HCI_ISCAN, &hdev->flags);
477 if (param & SCAN_PAGE)
478 set_bit(HCI_PSCAN, &hdev->flags);
480 clear_bit(HCI_PSCAN, &hdev->flags);
483 hci_dev_unlock(hdev);
488 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
491 struct hci_ev_status *rp = data;
492 struct hci_cp_set_event_filter *cp;
495 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
500 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
504 cp = (struct hci_cp_set_event_filter *)sent;
506 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
507 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
509 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
514 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
517 struct hci_rp_read_class_of_dev *rp = data;
520 return HCI_ERROR_UNSPECIFIED;
522 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
527 memcpy(hdev->dev_class, rp->dev_class, 3);
529 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
530 hdev->dev_class[1], hdev->dev_class[0]);
535 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
538 struct hci_ev_status *rp = data;
541 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
543 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
550 memcpy(hdev->dev_class, sent, 3);
552 if (hci_dev_test_flag(hdev, HCI_MGMT))
553 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
555 hci_dev_unlock(hdev);
560 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
563 struct hci_rp_read_voice_setting *rp = data;
566 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
571 setting = __le16_to_cpu(rp->voice_setting);
573 if (hdev->voice_setting == setting)
576 hdev->voice_setting = setting;
578 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
581 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
586 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
589 struct hci_ev_status *rp = data;
593 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
598 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
602 setting = get_unaligned_le16(sent);
604 if (hdev->voice_setting == setting)
607 hdev->voice_setting = setting;
609 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
612 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
617 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
620 struct hci_rp_read_num_supported_iac *rp = data;
622 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
627 hdev->num_iac = rp->num_iac;
629 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
634 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
637 struct hci_ev_status *rp = data;
638 struct hci_cp_write_ssp_mode *sent;
640 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
642 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
650 hdev->features[1][0] |= LMP_HOST_SSP;
652 hdev->features[1][0] &= ~LMP_HOST_SSP;
657 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
659 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
662 hci_dev_unlock(hdev);
667 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
670 struct hci_ev_status *rp = data;
671 struct hci_cp_write_sc_support *sent;
673 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
675 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
683 hdev->features[1][0] |= LMP_HOST_SC;
685 hdev->features[1][0] &= ~LMP_HOST_SC;
688 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
690 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
692 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
695 hci_dev_unlock(hdev);
700 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
703 struct hci_rp_read_local_version *rp = data;
705 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
710 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
711 hci_dev_test_flag(hdev, HCI_CONFIG)) {
712 hdev->hci_ver = rp->hci_ver;
713 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
714 hdev->lmp_ver = rp->lmp_ver;
715 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
716 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
722 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
725 struct hci_rp_read_enc_key_size *rp = data;
726 struct hci_conn *conn;
728 u8 status = rp->status;
730 bt_dev_dbg(hdev, "status 0x%2.2x", status);
732 handle = le16_to_cpu(rp->handle);
736 conn = hci_conn_hash_lookup_handle(hdev, handle);
742 /* While unexpected, the read_enc_key_size command may fail. The most
743 * secure approach is to then assume the key size is 0 to force a
747 bt_dev_err(hdev, "failed to read key size for handle %u",
749 conn->enc_key_size = 0;
751 conn->enc_key_size = rp->key_size;
754 if (conn->enc_key_size < hdev->min_enc_key_size) {
755 /* As slave role, the conn->state has been set to
756 * BT_CONNECTED and l2cap conn req might not be received
757 * yet, at this moment the l2cap layer almost does
758 * nothing with the non-zero status.
759 * So we also clear encrypt related bits, and then the
760 * handler of l2cap conn req will get the right secure
761 * state at a later time.
763 status = HCI_ERROR_AUTH_FAILURE;
764 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
765 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
769 hci_encrypt_cfm(conn, status);
772 hci_dev_unlock(hdev);
777 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
780 struct hci_rp_read_local_commands *rp = data;
782 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
787 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
788 hci_dev_test_flag(hdev, HCI_CONFIG))
789 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
794 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
797 struct hci_rp_read_auth_payload_to *rp = data;
798 struct hci_conn *conn;
800 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
807 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
809 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
811 hci_dev_unlock(hdev);
816 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
819 struct hci_rp_write_auth_payload_to *rp = data;
820 struct hci_conn *conn;
823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
825 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
831 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
838 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
841 hci_dev_unlock(hdev);
846 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
849 struct hci_rp_read_local_features *rp = data;
851 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
856 memcpy(hdev->features, rp->features, 8);
858 /* Adjust default settings according to features
859 * supported by device. */
861 if (hdev->features[0][0] & LMP_3SLOT)
862 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
864 if (hdev->features[0][0] & LMP_5SLOT)
865 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
867 if (hdev->features[0][1] & LMP_HV2) {
868 hdev->pkt_type |= (HCI_HV2);
869 hdev->esco_type |= (ESCO_HV2);
872 if (hdev->features[0][1] & LMP_HV3) {
873 hdev->pkt_type |= (HCI_HV3);
874 hdev->esco_type |= (ESCO_HV3);
877 if (lmp_esco_capable(hdev))
878 hdev->esco_type |= (ESCO_EV3);
880 if (hdev->features[0][4] & LMP_EV4)
881 hdev->esco_type |= (ESCO_EV4);
883 if (hdev->features[0][4] & LMP_EV5)
884 hdev->esco_type |= (ESCO_EV5);
886 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
887 hdev->esco_type |= (ESCO_2EV3);
889 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
890 hdev->esco_type |= (ESCO_3EV3);
892 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
893 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
898 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
901 struct hci_rp_read_local_ext_features *rp = data;
903 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
908 if (hdev->max_page < rp->max_page) {
909 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
911 bt_dev_warn(hdev, "broken local ext features page 2");
913 hdev->max_page = rp->max_page;
916 if (rp->page < HCI_MAX_PAGES)
917 memcpy(hdev->features[rp->page], rp->features, 8);
922 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
925 struct hci_rp_read_flow_control_mode *rp = data;
927 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
932 hdev->flow_ctl_mode = rp->mode;
937 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
940 struct hci_rp_read_buffer_size *rp = data;
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
947 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
948 hdev->sco_mtu = rp->sco_mtu;
949 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
950 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
952 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
957 hdev->acl_cnt = hdev->acl_pkts;
958 hdev->sco_cnt = hdev->sco_pkts;
960 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
961 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
966 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
969 struct hci_rp_read_bd_addr *rp = data;
971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
976 if (test_bit(HCI_INIT, &hdev->flags))
977 bacpy(&hdev->bdaddr, &rp->bdaddr);
979 if (hci_dev_test_flag(hdev, HCI_SETUP))
980 bacpy(&hdev->setup_addr, &rp->bdaddr);
985 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
988 struct hci_rp_read_local_pairing_opts *rp = data;
990 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
995 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
996 hci_dev_test_flag(hdev, HCI_CONFIG)) {
997 hdev->pairing_opts = rp->pairing_opts;
998 hdev->max_enc_key_size = rp->max_key_size;
1004 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1005 struct sk_buff *skb)
1007 struct hci_rp_read_page_scan_activity *rp = data;
1009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1014 if (test_bit(HCI_INIT, &hdev->flags)) {
1015 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1016 hdev->page_scan_window = __le16_to_cpu(rp->window);
1022 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1023 struct sk_buff *skb)
1025 struct hci_ev_status *rp = data;
1026 struct hci_cp_write_page_scan_activity *sent;
1028 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1037 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1038 hdev->page_scan_window = __le16_to_cpu(sent->window);
1043 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1044 struct sk_buff *skb)
1046 struct hci_rp_read_page_scan_type *rp = data;
1048 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1053 if (test_bit(HCI_INIT, &hdev->flags))
1054 hdev->page_scan_type = rp->type;
1059 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1060 struct sk_buff *skb)
1062 struct hci_ev_status *rp = data;
1065 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1070 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1072 hdev->page_scan_type = *type;
1077 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1078 struct sk_buff *skb)
1080 struct hci_rp_read_data_block_size *rp = data;
1082 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1087 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1088 hdev->block_len = __le16_to_cpu(rp->block_len);
1089 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1091 hdev->block_cnt = hdev->num_blocks;
1093 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1094 hdev->block_cnt, hdev->block_len);
1099 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1100 struct sk_buff *skb)
1102 struct hci_rp_read_clock *rp = data;
1103 struct hci_cp_read_clock *cp;
1104 struct hci_conn *conn;
1106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1113 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1117 if (cp->which == 0x00) {
1118 hdev->clock = le32_to_cpu(rp->clock);
1122 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1124 conn->clock = le32_to_cpu(rp->clock);
1125 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1129 hci_dev_unlock(hdev);
1133 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1134 struct sk_buff *skb)
1136 struct hci_rp_read_local_amp_info *rp = data;
1138 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1143 hdev->amp_status = rp->amp_status;
1144 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1145 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1146 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1147 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1148 hdev->amp_type = rp->amp_type;
1149 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1150 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1151 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1152 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1157 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1158 struct sk_buff *skb)
1160 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1167 hdev->inq_tx_power = rp->tx_power;
1172 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1173 struct sk_buff *skb)
1175 struct hci_rp_read_def_err_data_reporting *rp = data;
1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1182 hdev->err_data_reporting = rp->err_data_reporting;
1187 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 struct sk_buff *skb)
1190 struct hci_ev_status *rp = data;
1191 struct hci_cp_write_def_err_data_reporting *cp;
1193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1198 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1202 hdev->err_data_reporting = cp->err_data_reporting;
1207 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1208 struct sk_buff *skb)
1210 struct hci_rp_pin_code_reply *rp = data;
1211 struct hci_cp_pin_code_reply *cp;
1212 struct hci_conn *conn;
1214 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1218 if (hci_dev_test_flag(hdev, HCI_MGMT))
1219 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1224 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1228 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1230 conn->pin_length = cp->pin_len;
1233 hci_dev_unlock(hdev);
1237 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1238 struct sk_buff *skb)
1240 struct hci_rp_pin_code_neg_reply *rp = data;
1242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1246 if (hci_dev_test_flag(hdev, HCI_MGMT))
1247 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1250 hci_dev_unlock(hdev);
1255 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1256 struct sk_buff *skb)
1258 struct hci_rp_le_read_buffer_size *rp = data;
1260 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1265 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1266 hdev->le_pkts = rp->le_max_pkt;
1268 hdev->le_cnt = hdev->le_pkts;
1270 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1275 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_local_features *rp = data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 memcpy(hdev->le_features, rp->features, 8);
1290 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_adv_tx_power *rp = data;
1295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1300 hdev->adv_tx_power = rp->tx_power;
1305 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_user_confirm_reply *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1314 if (hci_dev_test_flag(hdev, HCI_MGMT))
1315 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1318 hci_dev_unlock(hdev);
1323 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1324 struct sk_buff *skb)
1326 struct hci_rp_user_confirm_reply *rp = data;
1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1332 if (hci_dev_test_flag(hdev, HCI_MGMT))
1333 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1334 ACL_LINK, 0, rp->status);
1336 hci_dev_unlock(hdev);
1341 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1342 struct sk_buff *skb)
1344 struct hci_rp_user_confirm_reply *rp = data;
1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1350 if (hci_dev_test_flag(hdev, HCI_MGMT))
1351 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1354 hci_dev_unlock(hdev);
1359 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1360 struct sk_buff *skb)
1362 struct hci_rp_user_confirm_reply *rp = data;
1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1368 if (hci_dev_test_flag(hdev, HCI_MGMT))
1369 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1370 ACL_LINK, 0, rp->status);
1372 hci_dev_unlock(hdev);
1377 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1378 struct sk_buff *skb)
1380 struct hci_rp_read_local_oob_data *rp = data;
1382 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1387 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1388 struct sk_buff *skb)
1390 struct hci_rp_read_local_oob_ext_data *rp = data;
1392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1397 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1398 struct sk_buff *skb)
1400 struct hci_ev_status *rp = data;
1403 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1408 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1414 bacpy(&hdev->random_addr, sent);
1416 if (!bacmp(&hdev->rpa, sent)) {
1417 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1418 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1419 secs_to_jiffies(hdev->rpa_timeout));
1422 hci_dev_unlock(hdev);
1427 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1428 struct sk_buff *skb)
1430 struct hci_ev_status *rp = data;
1431 struct hci_cp_le_set_default_phy *cp;
1433 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1444 hdev->le_tx_def_phys = cp->tx_phys;
1445 hdev->le_rx_def_phys = cp->rx_phys;
1447 hci_dev_unlock(hdev);
1452 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1453 struct sk_buff *skb)
1455 struct hci_ev_status *rp = data;
1456 struct hci_cp_le_set_adv_set_rand_addr *cp;
1457 struct adv_info *adv;
1459 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1465 /* Update only in case the adv instance since handle 0x00 shall be using
1466 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1467 * non-extended adverting.
1469 if (!cp || !cp->handle)
1474 adv = hci_find_adv_instance(hdev, cp->handle);
1476 bacpy(&adv->random_addr, &cp->bdaddr);
1477 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1478 adv->rpa_expired = false;
1479 queue_delayed_work(hdev->workqueue,
1480 &adv->rpa_expired_cb,
1481 secs_to_jiffies(hdev->rpa_timeout));
1485 hci_dev_unlock(hdev);
1490 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1491 struct sk_buff *skb)
1493 struct hci_ev_status *rp = data;
1497 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1502 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1508 err = hci_remove_adv_instance(hdev, *instance);
1510 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1513 hci_dev_unlock(hdev);
1518 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1519 struct sk_buff *skb)
1521 struct hci_ev_status *rp = data;
1522 struct adv_info *adv, *n;
1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1530 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1535 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1536 u8 instance = adv->instance;
1538 err = hci_remove_adv_instance(hdev, instance);
1540 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1544 hci_dev_unlock(hdev);
1549 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1550 struct sk_buff *skb)
1552 struct hci_rp_le_read_transmit_power *rp = data;
1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1559 hdev->min_le_tx_power = rp->min_le_tx_power;
1560 hdev->max_le_tx_power = rp->max_le_tx_power;
1565 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1566 struct sk_buff *skb)
1568 struct hci_ev_status *rp = data;
1569 struct hci_cp_le_set_privacy_mode *cp;
1570 struct hci_conn_params *params;
1572 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1577 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1583 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1585 WRITE_ONCE(params->privacy_mode, cp->mode);
1587 hci_dev_unlock(hdev);
1592 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1593 struct sk_buff *skb)
1595 struct hci_ev_status *rp = data;
1598 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1603 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1609 /* If we're doing connection initiation as peripheral. Set a
1610 * timeout in case something goes wrong.
1613 struct hci_conn *conn;
1615 hci_dev_set_flag(hdev, HCI_LE_ADV);
1617 conn = hci_lookup_le_connect(hdev);
1619 queue_delayed_work(hdev->workqueue,
1620 &conn->le_conn_timeout,
1621 conn->conn_timeout);
1623 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1626 hci_dev_unlock(hdev);
1631 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1632 struct sk_buff *skb)
1634 struct hci_cp_le_set_ext_adv_enable *cp;
1635 struct hci_cp_ext_adv_set *set;
1636 struct adv_info *adv = NULL, *n;
1637 struct hci_ev_status *rp = data;
1639 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1644 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1648 set = (void *)cp->data;
1652 if (cp->num_of_sets)
1653 adv = hci_find_adv_instance(hdev, set->handle);
1656 struct hci_conn *conn;
1658 hci_dev_set_flag(hdev, HCI_LE_ADV);
1660 if (adv && !adv->periodic)
1661 adv->enabled = true;
1663 conn = hci_lookup_le_connect(hdev);
1665 queue_delayed_work(hdev->workqueue,
1666 &conn->le_conn_timeout,
1667 conn->conn_timeout);
1669 if (cp->num_of_sets) {
1671 adv->enabled = false;
1673 /* If just one instance was disabled check if there are
1674 * any other instance enabled before clearing HCI_LE_ADV
1676 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1682 /* All instances shall be considered disabled */
1683 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1685 adv->enabled = false;
1688 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1692 hci_dev_unlock(hdev);
1696 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1697 struct sk_buff *skb)
1699 struct hci_cp_le_set_scan_param *cp;
1700 struct hci_ev_status *rp = data;
1702 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1707 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1713 hdev->le_scan_type = cp->type;
1715 hci_dev_unlock(hdev);
1720 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1721 struct sk_buff *skb)
1723 struct hci_cp_le_set_ext_scan_params *cp;
1724 struct hci_ev_status *rp = data;
1725 struct hci_cp_le_scan_phy_params *phy_param;
1727 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1732 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1736 phy_param = (void *)cp->data;
1740 hdev->le_scan_type = phy_param->type;
1742 hci_dev_unlock(hdev);
1747 static bool has_pending_adv_report(struct hci_dev *hdev)
1749 struct discovery_state *d = &hdev->discovery;
1751 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1754 static void clear_pending_adv_report(struct hci_dev *hdev)
1756 struct discovery_state *d = &hdev->discovery;
1758 bacpy(&d->last_adv_addr, BDADDR_ANY);
1759 d->last_adv_data_len = 0;
1763 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1764 u8 bdaddr_type, s8 rssi, u32 flags,
1767 struct discovery_state *d = &hdev->discovery;
1769 if (len > max_adv_len(hdev))
1772 bacpy(&d->last_adv_addr, bdaddr);
1773 d->last_adv_addr_type = bdaddr_type;
1774 d->last_adv_rssi = rssi;
1775 d->last_adv_flags = flags;
1776 memcpy(d->last_adv_data, data, len);
1777 d->last_adv_data_len = len;
1781 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1786 case LE_SCAN_ENABLE:
1787 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1788 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1789 clear_pending_adv_report(hdev);
1790 if (hci_dev_test_flag(hdev, HCI_MESH))
1791 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1794 case LE_SCAN_DISABLE:
1795 /* We do this here instead of when setting DISCOVERY_STOPPED
1796 * since the latter would potentially require waiting for
1797 * inquiry to stop too.
1799 if (has_pending_adv_report(hdev)) {
1800 struct discovery_state *d = &hdev->discovery;
1802 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1803 d->last_adv_addr_type, NULL,
1804 d->last_adv_rssi, d->last_adv_flags,
1806 d->last_adv_data_len, NULL, 0, 0);
1809 /* Cancel this timer so that we don't try to disable scanning
1810 * when it's already disabled.
1812 cancel_delayed_work(&hdev->le_scan_disable);
1814 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1816 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1817 * interrupted scanning due to a connect request. Mark
1818 * therefore discovery as stopped.
1820 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1821 #ifndef TIZEN_BT /* The below line is kernel bug. */
1822 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1824 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1826 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1827 hdev->discovery.state == DISCOVERY_FINDING)
1828 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1833 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1838 hci_dev_unlock(hdev);
1841 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1842 struct sk_buff *skb)
1844 struct hci_cp_le_set_scan_enable *cp;
1845 struct hci_ev_status *rp = data;
1847 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1852 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1856 le_set_scan_enable_complete(hdev, cp->enable);
1861 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1862 struct sk_buff *skb)
1864 struct hci_cp_le_set_ext_scan_enable *cp;
1865 struct hci_ev_status *rp = data;
1867 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1872 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1876 le_set_scan_enable_complete(hdev, cp->enable);
1881 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1882 struct sk_buff *skb)
1884 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1886 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1892 hdev->le_num_of_adv_sets = rp->num_of_sets;
1897 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1898 struct sk_buff *skb)
1900 struct hci_rp_le_read_accept_list_size *rp = data;
1902 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1907 hdev->le_accept_list_size = rp->size;
1912 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1913 struct sk_buff *skb)
1915 struct hci_ev_status *rp = data;
1917 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1923 hci_bdaddr_list_clear(&hdev->le_accept_list);
1924 hci_dev_unlock(hdev);
1929 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1930 struct sk_buff *skb)
1932 struct hci_cp_le_add_to_accept_list *sent;
1933 struct hci_ev_status *rp = data;
1935 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1940 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1945 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1947 hci_dev_unlock(hdev);
1952 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1953 struct sk_buff *skb)
1955 struct hci_cp_le_del_from_accept_list *sent;
1956 struct hci_ev_status *rp = data;
1958 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1963 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1968 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1970 hci_dev_unlock(hdev);
1975 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1976 struct sk_buff *skb)
1978 struct hci_rp_le_read_supported_states *rp = data;
1980 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1985 memcpy(hdev->le_states, rp->le_states, 8);
1990 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1991 struct sk_buff *skb)
1993 struct hci_rp_le_read_def_data_len *rp = data;
1995 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2000 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
2001 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2006 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2007 struct sk_buff *skb)
2009 struct hci_cp_le_write_def_data_len *sent;
2010 struct hci_ev_status *rp = data;
2012 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2017 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2021 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2022 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2027 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2028 struct sk_buff *skb)
2030 struct hci_cp_le_add_to_resolv_list *sent;
2031 struct hci_ev_status *rp = data;
2033 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2038 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2043 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2044 sent->bdaddr_type, sent->peer_irk,
2046 hci_dev_unlock(hdev);
2051 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2052 struct sk_buff *skb)
2054 struct hci_cp_le_del_from_resolv_list *sent;
2055 struct hci_ev_status *rp = data;
2057 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2062 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2067 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2069 hci_dev_unlock(hdev);
2074 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2075 struct sk_buff *skb)
2077 struct hci_ev_status *rp = data;
2079 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2085 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2086 hci_dev_unlock(hdev);
2091 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2092 struct sk_buff *skb)
2094 struct hci_rp_le_read_resolv_list_size *rp = data;
2096 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2101 hdev->le_resolv_list_size = rp->size;
2106 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2107 struct sk_buff *skb)
2109 struct hci_ev_status *rp = data;
2112 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2117 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2124 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2126 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2128 hci_dev_unlock(hdev);
2133 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2134 struct sk_buff *skb)
2136 struct hci_rp_le_read_max_data_len *rp = data;
2138 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2143 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2144 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2145 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2146 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2151 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2152 struct sk_buff *skb)
2154 struct hci_cp_write_le_host_supported *sent;
2155 struct hci_ev_status *rp = data;
2157 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2162 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2169 hdev->features[1][0] |= LMP_HOST_LE;
2170 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2172 hdev->features[1][0] &= ~LMP_HOST_LE;
2173 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2174 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2178 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2180 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2182 hci_dev_unlock(hdev);
2187 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2188 struct sk_buff *skb)
2190 struct hci_cp_le_set_adv_param *cp;
2191 struct hci_ev_status *rp = data;
2193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2198 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2203 hdev->adv_addr_type = cp->own_address_type;
2204 hci_dev_unlock(hdev);
2209 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2210 struct sk_buff *skb)
2212 struct hci_rp_le_set_ext_adv_params *rp = data;
2213 struct hci_cp_le_set_ext_adv_params *cp;
2214 struct adv_info *adv_instance;
2216 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2221 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2226 hdev->adv_addr_type = cp->own_addr_type;
2228 /* Store in hdev for instance 0 */
2229 hdev->adv_tx_power = rp->tx_power;
2231 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2233 adv_instance->tx_power = rp->tx_power;
2235 /* Update adv data as tx power is known now */
2236 hci_update_adv_data(hdev, cp->handle);
2238 hci_dev_unlock(hdev);
2244 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2245 struct sk_buff *skb)
2247 struct hci_cc_rsp_enable_rssi *rp = data;
2249 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2250 hdev->name, rp->status, rp->le_ext_opcode);
2252 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2257 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2258 struct sk_buff *skb)
2260 struct hci_cc_rp_get_raw_rssi *rp = data;
2262 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2263 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2265 mgmt_raw_rssi_response(hdev, rp, rp->status);
2270 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2271 struct sk_buff *skb)
2273 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2275 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2277 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2281 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2282 struct sk_buff *skb)
2284 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2285 __u8 event_le_ext_sub_code;
2287 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2288 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2290 skb_pull(skb, sizeof(*ev));
2291 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2293 switch (event_le_ext_sub_code) {
2294 case LE_RSSI_LINK_ALERT:
2295 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2303 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2304 struct sk_buff *skb)
2306 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2307 __u8 event_sub_code;
2309 BT_DBG("hci_vendor_specific_evt");
2311 skb_pull(skb, sizeof(*ev));
2312 event_sub_code = ev->event_sub_code;
2314 switch (event_sub_code) {
2315 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2316 hci_vendor_specific_group_ext_evt(hdev, skb);
2325 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2326 struct sk_buff *skb)
2328 struct hci_rp_read_rssi *rp = data;
2329 struct hci_conn *conn;
2331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2338 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2340 conn->rssi = rp->rssi;
2342 hci_dev_unlock(hdev);
2347 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2348 struct sk_buff *skb)
2350 struct hci_cp_read_tx_power *sent;
2351 struct hci_rp_read_tx_power *rp = data;
2352 struct hci_conn *conn;
2354 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2359 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2365 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2369 switch (sent->type) {
2371 conn->tx_power = rp->tx_power;
2374 conn->max_tx_power = rp->tx_power;
2379 hci_dev_unlock(hdev);
2383 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2384 struct sk_buff *skb)
2386 struct hci_ev_status *rp = data;
2389 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2394 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2396 hdev->ssp_debug_mode = *mode;
2401 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2403 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2406 hci_conn_check_pending(hdev);
2410 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2411 set_bit(HCI_INQUIRY, &hdev->flags);
2414 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2416 struct hci_cp_create_conn *cp;
2417 struct hci_conn *conn;
2419 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2421 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2427 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2429 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2432 if (conn && conn->state == BT_CONNECT) {
2433 if (status != 0x0c || conn->attempt > 2) {
2434 conn->state = BT_CLOSED;
2435 hci_connect_cfm(conn, status);
2438 conn->state = BT_CONNECT2;
2442 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2445 bt_dev_err(hdev, "no memory for new connection");
2449 hci_dev_unlock(hdev);
2452 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2454 struct hci_cp_add_sco *cp;
2455 struct hci_conn *acl;
2456 struct hci_link *link;
2459 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2464 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2468 handle = __le16_to_cpu(cp->handle);
2470 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2474 acl = hci_conn_hash_lookup_handle(hdev, handle);
2476 link = list_first_entry_or_null(&acl->link_list,
2477 struct hci_link, list);
2478 if (link && link->conn) {
2479 link->conn->state = BT_CLOSED;
2481 hci_connect_cfm(link->conn, status);
2482 hci_conn_del(link->conn);
2486 hci_dev_unlock(hdev);
2489 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2491 struct hci_cp_auth_requested *cp;
2492 struct hci_conn *conn;
2494 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2499 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2505 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2507 if (conn->state == BT_CONFIG) {
2508 hci_connect_cfm(conn, status);
2509 hci_conn_drop(conn);
2513 hci_dev_unlock(hdev);
2516 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2518 struct hci_cp_set_conn_encrypt *cp;
2519 struct hci_conn *conn;
2521 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2526 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2532 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2534 if (conn->state == BT_CONFIG) {
2535 hci_connect_cfm(conn, status);
2536 hci_conn_drop(conn);
2540 hci_dev_unlock(hdev);
2543 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2544 struct hci_conn *conn)
2546 if (conn->state != BT_CONFIG || !conn->out)
2549 if (conn->pending_sec_level == BT_SECURITY_SDP)
2552 /* Only request authentication for SSP connections or non-SSP
2553 * devices with sec_level MEDIUM or HIGH or if MITM protection
2556 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2557 conn->pending_sec_level != BT_SECURITY_FIPS &&
2558 conn->pending_sec_level != BT_SECURITY_HIGH &&
2559 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2565 static int hci_resolve_name(struct hci_dev *hdev,
2566 struct inquiry_entry *e)
2568 struct hci_cp_remote_name_req cp;
2570 memset(&cp, 0, sizeof(cp));
2572 bacpy(&cp.bdaddr, &e->data.bdaddr);
2573 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2574 cp.pscan_mode = e->data.pscan_mode;
2575 cp.clock_offset = e->data.clock_offset;
2577 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2580 static bool hci_resolve_next_name(struct hci_dev *hdev)
2582 struct discovery_state *discov = &hdev->discovery;
2583 struct inquiry_entry *e;
2585 if (list_empty(&discov->resolve))
2588 /* We should stop if we already spent too much time resolving names. */
2589 if (time_after(jiffies, discov->name_resolve_timeout)) {
2590 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2594 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2598 if (hci_resolve_name(hdev, e) == 0) {
2599 e->name_state = NAME_PENDING;
2606 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2607 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2609 struct discovery_state *discov = &hdev->discovery;
2610 struct inquiry_entry *e;
2613 /* Update the mgmt connected state if necessary. Be careful with
2614 * conn objects that exist but are not (yet) connected however.
2615 * Only those in BT_CONFIG or BT_CONNECTED states can be
2616 * considered connected.
2619 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2620 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2621 mgmt_device_connected(hdev, conn, name, name_len);
2623 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2627 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2628 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2629 mgmt_device_connected(hdev, conn, name, name_len);
2632 if (discov->state == DISCOVERY_STOPPED)
2635 if (discov->state == DISCOVERY_STOPPING)
2636 goto discov_complete;
2638 if (discov->state != DISCOVERY_RESOLVING)
2641 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2642 /* If the device was not found in a list of found devices names of which
2643 * are pending. there is no need to continue resolving a next name as it
2644 * will be done upon receiving another Remote Name Request Complete
2651 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2652 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2655 if (hci_resolve_next_name(hdev))
2659 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2662 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2664 struct hci_cp_remote_name_req *cp;
2665 struct hci_conn *conn;
2667 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2669 /* If successful wait for the name req complete event before
2670 * checking for the need to do authentication */
2674 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2680 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2682 if (hci_dev_test_flag(hdev, HCI_MGMT))
2683 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2688 if (!hci_outgoing_auth_needed(hdev, conn))
2691 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2692 struct hci_cp_auth_requested auth_cp;
2694 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2696 auth_cp.handle = __cpu_to_le16(conn->handle);
2697 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2698 sizeof(auth_cp), &auth_cp);
2702 hci_dev_unlock(hdev);
2705 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2707 struct hci_cp_read_remote_features *cp;
2708 struct hci_conn *conn;
2710 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2715 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2721 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2723 if (conn->state == BT_CONFIG) {
2724 hci_connect_cfm(conn, status);
2725 hci_conn_drop(conn);
2729 hci_dev_unlock(hdev);
2732 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2734 struct hci_cp_read_remote_ext_features *cp;
2735 struct hci_conn *conn;
2737 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2742 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2748 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2750 if (conn->state == BT_CONFIG) {
2751 hci_connect_cfm(conn, status);
2752 hci_conn_drop(conn);
2756 hci_dev_unlock(hdev);
2759 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2762 struct hci_conn *acl;
2763 struct hci_link *link;
2765 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2769 acl = hci_conn_hash_lookup_handle(hdev, handle);
2771 link = list_first_entry_or_null(&acl->link_list,
2772 struct hci_link, list);
2773 if (link && link->conn) {
2774 link->conn->state = BT_CLOSED;
2776 hci_connect_cfm(link->conn, status);
2777 hci_conn_del(link->conn);
2781 hci_dev_unlock(hdev);
2784 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2786 struct hci_cp_setup_sync_conn *cp;
2788 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2793 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2797 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2800 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2802 struct hci_cp_enhanced_setup_sync_conn *cp;
2804 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2809 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2813 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2816 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2818 struct hci_cp_sniff_mode *cp;
2819 struct hci_conn *conn;
2821 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2826 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2832 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2834 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2836 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2837 hci_sco_setup(conn, status);
2840 hci_dev_unlock(hdev);
2843 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2845 struct hci_cp_exit_sniff_mode *cp;
2846 struct hci_conn *conn;
2848 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2853 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2859 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2861 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2863 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2864 hci_sco_setup(conn, status);
2867 hci_dev_unlock(hdev);
2870 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2872 struct hci_cp_disconnect *cp;
2873 struct hci_conn_params *params;
2874 struct hci_conn *conn;
2877 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2879 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2880 * otherwise cleanup the connection immediately.
2882 if (!status && !hdev->suspended)
2885 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2891 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2896 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2897 conn->dst_type, status);
2899 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2900 hdev->cur_adv_instance = conn->adv_instance;
2901 hci_enable_advertising(hdev);
2904 /* Inform sockets conn is gone before we delete it */
2905 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2910 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2912 if (conn->type == ACL_LINK) {
2913 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2914 hci_remove_link_key(hdev, &conn->dst);
2917 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2919 switch (params->auto_connect) {
2920 case HCI_AUTO_CONN_LINK_LOSS:
2921 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2925 case HCI_AUTO_CONN_DIRECT:
2926 case HCI_AUTO_CONN_ALWAYS:
2927 hci_pend_le_list_del_init(params);
2928 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2936 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2937 cp->reason, mgmt_conn);
2939 hci_disconn_cfm(conn, cp->reason);
2942 /* If the disconnection failed for any reason, the upper layer
2943 * does not retry to disconnect in current implementation.
2944 * Hence, we need to do some basic cleanup here and re-enable
2945 * advertising if necessary.
2949 hci_dev_unlock(hdev);
2952 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2954 /* When using controller based address resolution, then the new
2955 * address types 0x02 and 0x03 are used. These types need to be
2956 * converted back into either public address or random address type
2959 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2962 return ADDR_LE_DEV_PUBLIC;
2963 case ADDR_LE_DEV_RANDOM_RESOLVED:
2966 return ADDR_LE_DEV_RANDOM;
2974 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2975 u8 peer_addr_type, u8 own_address_type,
2978 struct hci_conn *conn;
2980 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2985 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2987 /* Store the initiator and responder address information which
2988 * is needed for SMP. These values will not change during the
2989 * lifetime of the connection.
2991 conn->init_addr_type = own_address_type;
2992 if (own_address_type == ADDR_LE_DEV_RANDOM)
2993 bacpy(&conn->init_addr, &hdev->random_addr);
2995 bacpy(&conn->init_addr, &hdev->bdaddr);
2997 conn->resp_addr_type = peer_addr_type;
2998 bacpy(&conn->resp_addr, peer_addr);
3001 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3003 struct hci_cp_le_create_conn *cp;
3005 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3007 /* All connection failure handling is taken care of by the
3008 * hci_conn_failed function which is triggered by the HCI
3009 * request completion callbacks used for connecting.
3014 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3020 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3021 cp->own_address_type, cp->filter_policy);
3023 hci_dev_unlock(hdev);
3026 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3028 struct hci_cp_le_ext_create_conn *cp;
3030 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3032 /* All connection failure handling is taken care of by the
3033 * hci_conn_failed function which is triggered by the HCI
3034 * request completion callbacks used for connecting.
3039 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3045 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3046 cp->own_addr_type, cp->filter_policy);
3048 hci_dev_unlock(hdev);
3051 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3053 struct hci_cp_le_read_remote_features *cp;
3054 struct hci_conn *conn;
3056 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3061 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3067 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3069 if (conn->state == BT_CONFIG) {
3070 hci_connect_cfm(conn, status);
3071 hci_conn_drop(conn);
3075 hci_dev_unlock(hdev);
3078 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3080 struct hci_cp_le_start_enc *cp;
3081 struct hci_conn *conn;
3083 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3090 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3094 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3098 if (conn->state != BT_CONNECTED)
3101 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3102 hci_conn_drop(conn);
3105 hci_dev_unlock(hdev);
3108 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3110 struct hci_cp_switch_role *cp;
3111 struct hci_conn *conn;
3113 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3118 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3124 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3126 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3128 hci_dev_unlock(hdev);
3131 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3132 struct sk_buff *skb)
3134 struct hci_ev_status *ev = data;
3135 struct discovery_state *discov = &hdev->discovery;
3136 struct inquiry_entry *e;
3138 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3140 hci_conn_check_pending(hdev);
3142 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3145 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3146 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3148 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3153 if (discov->state != DISCOVERY_FINDING)
3156 if (list_empty(&discov->resolve)) {
3157 /* When BR/EDR inquiry is active and no LE scanning is in
3158 * progress, then change discovery state to indicate completion.
3160 * When running LE scanning and BR/EDR inquiry simultaneously
3161 * and the LE scan already finished, then change the discovery
3162 * state to indicate completion.
3164 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3165 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3166 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3170 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3171 if (e && hci_resolve_name(hdev, e) == 0) {
3172 e->name_state = NAME_PENDING;
3173 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3174 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3176 /* When BR/EDR inquiry is active and no LE scanning is in
3177 * progress, then change discovery state to indicate completion.
3179 * When running LE scanning and BR/EDR inquiry simultaneously
3180 * and the LE scan already finished, then change the discovery
3181 * state to indicate completion.
3183 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3184 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3185 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3189 hci_dev_unlock(hdev);
3192 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3193 struct sk_buff *skb)
3195 struct hci_ev_inquiry_result *ev = edata;
3196 struct inquiry_data data;
3199 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3200 flex_array_size(ev, info, ev->num)))
3203 bt_dev_dbg(hdev, "num %d", ev->num);
3208 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3213 for (i = 0; i < ev->num; i++) {
3214 struct inquiry_info *info = &ev->info[i];
3217 bacpy(&data.bdaddr, &info->bdaddr);
3218 data.pscan_rep_mode = info->pscan_rep_mode;
3219 data.pscan_period_mode = info->pscan_period_mode;
3220 data.pscan_mode = info->pscan_mode;
3221 memcpy(data.dev_class, info->dev_class, 3);
3222 data.clock_offset = info->clock_offset;
3223 data.rssi = HCI_RSSI_INVALID;
3224 data.ssp_mode = 0x00;
3226 flags = hci_inquiry_cache_update(hdev, &data, false);
3228 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3229 info->dev_class, HCI_RSSI_INVALID,
3230 flags, NULL, 0, NULL, 0, 0);
3233 hci_dev_unlock(hdev);
3236 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3237 struct sk_buff *skb)
3239 struct hci_ev_conn_complete *ev = data;
3240 struct hci_conn *conn;
3241 u8 status = ev->status;
3243 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3247 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3249 /* In case of error status and there is no connection pending
3250 * just unlock as there is nothing to cleanup.
3255 /* Connection may not exist if auto-connected. Check the bredr
3256 * allowlist to see if this device is allowed to auto connect.
3257 * If link is an ACL type, create a connection class
3260 * Auto-connect will only occur if the event filter is
3261 * programmed with a given address. Right now, event filter is
3262 * only used during suspend.
3264 if (ev->link_type == ACL_LINK &&
3265 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3268 conn = hci_conn_add_unset(hdev, ev->link_type,
3269 &ev->bdaddr, HCI_ROLE_SLAVE);
3271 bt_dev_err(hdev, "no memory for new conn");
3275 if (ev->link_type != SCO_LINK)
3278 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3283 conn->type = SCO_LINK;
3287 /* The HCI_Connection_Complete event is only sent once per connection.
3288 * Processing it more than once per connection can corrupt kernel memory.
3290 * As the connection handle is set here for the first time, it indicates
3291 * whether the connection is already set up.
3293 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3294 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3299 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3303 if (conn->type == ACL_LINK) {
3304 conn->state = BT_CONFIG;
3305 hci_conn_hold(conn);
3307 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3308 !hci_find_link_key(hdev, &ev->bdaddr))
3309 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3311 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3313 conn->state = BT_CONNECTED;
3315 hci_debugfs_create_conn(conn);
3316 hci_conn_add_sysfs(conn);
3318 if (test_bit(HCI_AUTH, &hdev->flags))
3319 set_bit(HCI_CONN_AUTH, &conn->flags);
3321 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3322 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3324 /* Get remote features */
3325 if (conn->type == ACL_LINK) {
3326 struct hci_cp_read_remote_features cp;
3327 cp.handle = ev->handle;
3328 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3331 hci_update_scan(hdev);
3334 /* Set packet type for incoming connection */
3335 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3336 struct hci_cp_change_conn_ptype cp;
3337 cp.handle = ev->handle;
3338 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3339 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3344 if (conn->type == ACL_LINK)
3345 hci_sco_setup(conn, ev->status);
3349 hci_conn_failed(conn, status);
3350 } else if (ev->link_type == SCO_LINK) {
3351 switch (conn->setting & SCO_AIRMODE_MASK) {
3352 case SCO_AIRMODE_CVSD:
3354 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3358 hci_connect_cfm(conn, status);
3362 hci_dev_unlock(hdev);
3364 hci_conn_check_pending(hdev);
3367 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3369 struct hci_cp_reject_conn_req cp;
3371 bacpy(&cp.bdaddr, bdaddr);
3372 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3373 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3376 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3377 struct sk_buff *skb)
3379 struct hci_ev_conn_request *ev = data;
3380 int mask = hdev->link_mode;
3381 struct inquiry_entry *ie;
3382 struct hci_conn *conn;
3385 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3387 /* Reject incoming connection from device with same BD ADDR against
3390 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3391 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3393 hci_reject_conn(hdev, &ev->bdaddr);
3397 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3400 if (!(mask & HCI_LM_ACCEPT)) {
3401 hci_reject_conn(hdev, &ev->bdaddr);
3407 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3409 hci_reject_conn(hdev, &ev->bdaddr);
3413 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3414 * connection. These features are only touched through mgmt so
3415 * only do the checks if HCI_MGMT is set.
3417 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3418 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3419 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3421 hci_reject_conn(hdev, &ev->bdaddr);
3425 /* Connection accepted */
3427 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3429 memcpy(ie->data.dev_class, ev->dev_class, 3);
3431 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3434 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3437 bt_dev_err(hdev, "no memory for new connection");
3442 memcpy(conn->dev_class, ev->dev_class, 3);
3444 hci_dev_unlock(hdev);
3446 if (ev->link_type == ACL_LINK ||
3447 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3448 struct hci_cp_accept_conn_req cp;
3449 conn->state = BT_CONNECT;
3451 bacpy(&cp.bdaddr, &ev->bdaddr);
3453 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3454 cp.role = 0x00; /* Become central */
3456 cp.role = 0x01; /* Remain peripheral */
3458 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3459 } else if (!(flags & HCI_PROTO_DEFER)) {
3460 struct hci_cp_accept_sync_conn_req cp;
3461 conn->state = BT_CONNECT;
3463 bacpy(&cp.bdaddr, &ev->bdaddr);
3464 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3466 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3467 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3468 cp.max_latency = cpu_to_le16(0xffff);
3469 cp.content_format = cpu_to_le16(hdev->voice_setting);
3470 cp.retrans_effort = 0xff;
3472 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3475 conn->state = BT_CONNECT2;
3476 hci_connect_cfm(conn, 0);
3481 hci_dev_unlock(hdev);
3484 static u8 hci_to_mgmt_reason(u8 err)
3487 case HCI_ERROR_CONNECTION_TIMEOUT:
3488 return MGMT_DEV_DISCONN_TIMEOUT;
3489 case HCI_ERROR_REMOTE_USER_TERM:
3490 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3491 case HCI_ERROR_REMOTE_POWER_OFF:
3492 return MGMT_DEV_DISCONN_REMOTE;
3493 case HCI_ERROR_LOCAL_HOST_TERM:
3494 return MGMT_DEV_DISCONN_LOCAL_HOST;
3496 return MGMT_DEV_DISCONN_UNKNOWN;
3500 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3501 struct sk_buff *skb)
3503 struct hci_ev_disconn_complete *ev = data;
3505 struct hci_conn_params *params;
3506 struct hci_conn *conn;
3507 bool mgmt_connected;
3509 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3513 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3518 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3519 conn->dst_type, ev->status);
3523 conn->state = BT_CLOSED;
3525 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3527 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3528 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3530 reason = hci_to_mgmt_reason(ev->reason);
3532 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3533 reason, mgmt_connected);
3535 if (conn->type == ACL_LINK) {
3536 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3537 hci_remove_link_key(hdev, &conn->dst);
3539 hci_update_scan(hdev);
3542 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3544 switch (params->auto_connect) {
3545 case HCI_AUTO_CONN_LINK_LOSS:
3546 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3550 case HCI_AUTO_CONN_DIRECT:
3551 case HCI_AUTO_CONN_ALWAYS:
3552 hci_pend_le_list_del_init(params);
3553 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3554 hci_update_passive_scan(hdev);
3562 hci_disconn_cfm(conn, ev->reason);
3564 /* Re-enable advertising if necessary, since it might
3565 * have been disabled by the connection. From the
3566 * HCI_LE_Set_Advertise_Enable command description in
3567 * the core specification (v4.0):
3568 * "The Controller shall continue advertising until the Host
3569 * issues an LE_Set_Advertise_Enable command with
3570 * Advertising_Enable set to 0x00 (Advertising is disabled)
3571 * or until a connection is created or until the Advertising
3572 * is timed out due to Directed Advertising."
3574 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3575 hdev->cur_adv_instance = conn->adv_instance;
3576 hci_enable_advertising(hdev);
3582 hci_dev_unlock(hdev);
3585 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3586 struct sk_buff *skb)
3588 struct hci_ev_auth_complete *ev = data;
3589 struct hci_conn *conn;
3591 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3595 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3600 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3601 set_bit(HCI_CONN_AUTH, &conn->flags);
3602 conn->sec_level = conn->pending_sec_level;
3604 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3605 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3607 mgmt_auth_failed(conn, ev->status);
3610 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3612 if (conn->state == BT_CONFIG) {
3613 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3614 struct hci_cp_set_conn_encrypt cp;
3615 cp.handle = ev->handle;
3617 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3620 conn->state = BT_CONNECTED;
3621 hci_connect_cfm(conn, ev->status);
3622 hci_conn_drop(conn);
3625 hci_auth_cfm(conn, ev->status);
3627 hci_conn_hold(conn);
3628 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3629 hci_conn_drop(conn);
3632 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3634 struct hci_cp_set_conn_encrypt cp;
3635 cp.handle = ev->handle;
3637 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3640 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3641 hci_encrypt_cfm(conn, ev->status);
3646 hci_dev_unlock(hdev);
3649 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3650 struct sk_buff *skb)
3652 struct hci_ev_remote_name *ev = data;
3653 struct hci_conn *conn;
3655 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3657 hci_conn_check_pending(hdev);
3661 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3663 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3666 if (ev->status == 0)
3667 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3668 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3670 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3676 if (!hci_outgoing_auth_needed(hdev, conn))
3679 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3680 struct hci_cp_auth_requested cp;
3682 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3684 cp.handle = __cpu_to_le16(conn->handle);
3685 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3689 hci_dev_unlock(hdev);
3692 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3693 struct sk_buff *skb)
3695 struct hci_ev_encrypt_change *ev = data;
3696 struct hci_conn *conn;
3698 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3702 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3708 /* Encryption implies authentication */
3709 set_bit(HCI_CONN_AUTH, &conn->flags);
3710 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3711 conn->sec_level = conn->pending_sec_level;
3713 /* P-256 authentication key implies FIPS */
3714 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3715 set_bit(HCI_CONN_FIPS, &conn->flags);
3717 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3718 conn->type == LE_LINK)
3719 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3721 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3722 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3726 /* We should disregard the current RPA and generate a new one
3727 * whenever the encryption procedure fails.
3729 if (ev->status && conn->type == LE_LINK) {
3730 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3731 hci_adv_instances_set_rpa_expired(hdev, true);
3734 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3736 /* Check link security requirements are met */
3737 if (!hci_conn_check_link_mode(conn))
3738 ev->status = HCI_ERROR_AUTH_FAILURE;
3740 if (ev->status && conn->state == BT_CONNECTED) {
3741 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3742 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3744 /* Notify upper layers so they can cleanup before
3747 hci_encrypt_cfm(conn, ev->status);
3748 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3749 hci_conn_drop(conn);
3753 /* Try reading the encryption key size for encrypted ACL links */
3754 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3755 struct hci_cp_read_enc_key_size cp;
3757 /* Only send HCI_Read_Encryption_Key_Size if the
3758 * controller really supports it. If it doesn't, assume
3759 * the default size (16).
3761 if (!(hdev->commands[20] & 0x10)) {
3762 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3766 cp.handle = cpu_to_le16(conn->handle);
3767 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3769 bt_dev_err(hdev, "sending read key size failed");
3770 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3777 /* Set the default Authenticated Payload Timeout after
3778 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3779 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3780 * sent when the link is active and Encryption is enabled, the conn
3781 * type can be either LE or ACL and controller must support LMP Ping.
3782 * Ensure for AES-CCM encryption as well.
3784 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3785 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3786 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3787 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3788 struct hci_cp_write_auth_payload_to cp;
3790 cp.handle = cpu_to_le16(conn->handle);
3791 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3792 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3794 bt_dev_err(hdev, "write auth payload timeout failed");
3798 hci_encrypt_cfm(conn, ev->status);
3801 hci_dev_unlock(hdev);
3804 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3805 struct sk_buff *skb)
3807 struct hci_ev_change_link_key_complete *ev = data;
3808 struct hci_conn *conn;
3810 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3814 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3817 set_bit(HCI_CONN_SECURE, &conn->flags);
3819 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3821 hci_key_change_cfm(conn, ev->status);
3824 hci_dev_unlock(hdev);
3827 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3828 struct sk_buff *skb)
3830 struct hci_ev_remote_features *ev = data;
3831 struct hci_conn *conn;
3833 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3837 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3842 memcpy(conn->features[0], ev->features, 8);
3844 if (conn->state != BT_CONFIG)
3847 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3848 lmp_ext_feat_capable(conn)) {
3849 struct hci_cp_read_remote_ext_features cp;
3850 cp.handle = ev->handle;
3852 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3857 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3858 struct hci_cp_remote_name_req cp;
3859 memset(&cp, 0, sizeof(cp));
3860 bacpy(&cp.bdaddr, &conn->dst);
3861 cp.pscan_rep_mode = 0x02;
3862 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3863 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3864 mgmt_device_connected(hdev, conn, NULL, 0);
3866 if (!hci_outgoing_auth_needed(hdev, conn)) {
3867 conn->state = BT_CONNECTED;
3868 hci_connect_cfm(conn, ev->status);
3869 hci_conn_drop(conn);
3873 hci_dev_unlock(hdev);
3876 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3878 cancel_delayed_work(&hdev->cmd_timer);
3881 if (!test_bit(HCI_RESET, &hdev->flags)) {
3883 cancel_delayed_work(&hdev->ncmd_timer);
3884 atomic_set(&hdev->cmd_cnt, 1);
3886 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3887 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3894 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3895 struct sk_buff *skb)
3897 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3899 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3904 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3905 hdev->le_pkts = rp->acl_max_pkt;
3906 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3907 hdev->iso_pkts = rp->iso_max_pkt;
3909 hdev->le_cnt = hdev->le_pkts;
3910 hdev->iso_cnt = hdev->iso_pkts;
3912 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3913 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3918 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3920 struct hci_conn *conn, *tmp;
3922 lockdep_assert_held(&hdev->lock);
3924 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3925 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3926 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3929 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3930 hci_conn_failed(conn, status);
3934 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3935 struct sk_buff *skb)
3937 struct hci_rp_le_set_cig_params *rp = data;
3938 struct hci_cp_le_set_cig_params *cp;
3939 struct hci_conn *conn;
3940 u8 status = rp->status;
3941 bool pending = false;
3944 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3946 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3947 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3948 rp->cig_id != cp->cig_id)) {
3949 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3950 status = HCI_ERROR_UNSPECIFIED;
3955 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3957 * If the Status return parameter is non-zero, then the state of the CIG
3958 * and its CIS configurations shall not be changed by the command. If
3959 * the CIG did not already exist, it shall not be created.
3962 /* Keep current configuration, fail only the unbound CIS */
3963 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3967 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3969 * If the Status return parameter is zero, then the Controller shall
3970 * set the Connection_Handle arrayed return parameter to the connection
3971 * handle(s) corresponding to the CIS configurations specified in
3972 * the CIS_IDs command parameter, in the same order.
3974 for (i = 0; i < rp->num_handles; ++i) {
3975 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3977 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3980 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3983 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3986 if (conn->state == BT_CONNECT)
3992 hci_le_create_cis_pending(hdev);
3994 hci_dev_unlock(hdev);
3999 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
4000 struct sk_buff *skb)
4002 struct hci_rp_le_setup_iso_path *rp = data;
4003 struct hci_cp_le_setup_iso_path *cp;
4004 struct hci_conn *conn;
4006 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4008 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4014 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4019 hci_connect_cfm(conn, rp->status);
4024 switch (cp->direction) {
4025 /* Input (Host to Controller) */
4027 /* Only confirm connection if output only */
4028 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
4029 hci_connect_cfm(conn, rp->status);
4031 /* Output (Controller to Host) */
4033 /* Confirm connection since conn->iso_qos is always configured
4036 hci_connect_cfm(conn, rp->status);
4041 hci_dev_unlock(hdev);
4045 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4047 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4050 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4051 struct sk_buff *skb)
4053 struct hci_ev_status *rp = data;
4054 struct hci_cp_le_set_per_adv_params *cp;
4056 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4061 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4065 /* TODO: set the conn state */
4069 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4070 struct sk_buff *skb)
4072 struct hci_ev_status *rp = data;
4073 struct hci_cp_le_set_per_adv_enable *cp;
4074 struct adv_info *adv = NULL, *n;
4077 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4082 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4088 adv = hci_find_adv_instance(hdev, cp->handle);
4091 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4094 adv->enabled = true;
4096 /* If just one instance was disabled check if there are
4097 * any other instance enabled before clearing HCI_LE_PER_ADV.
4098 * The current periodic adv instance will be marked as
4099 * disabled once extended advertising is also disabled.
4101 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4103 if (adv->periodic && adv->enabled)
4107 if (per_adv_cnt > 1)
4110 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4114 hci_dev_unlock(hdev);
4119 #define HCI_CC_VL(_op, _func, _min, _max) \
4127 #define HCI_CC(_op, _func, _len) \
4128 HCI_CC_VL(_op, _func, _len, _len)
4130 #define HCI_CC_STATUS(_op, _func) \
4131 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4133 static const struct hci_cc {
4135 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4138 } hci_cc_table[] = {
4139 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4140 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4141 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4142 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4143 hci_cc_remote_name_req_cancel),
4144 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4145 sizeof(struct hci_rp_role_discovery)),
4146 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4147 sizeof(struct hci_rp_read_link_policy)),
4148 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4149 sizeof(struct hci_rp_write_link_policy)),
4150 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4151 sizeof(struct hci_rp_read_def_link_policy)),
4152 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4153 hci_cc_write_def_link_policy),
4154 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4155 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4156 sizeof(struct hci_rp_read_stored_link_key)),
4157 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4158 sizeof(struct hci_rp_delete_stored_link_key)),
4159 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4160 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4161 sizeof(struct hci_rp_read_local_name)),
4162 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4163 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4164 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4165 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4166 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4167 sizeof(struct hci_rp_read_class_of_dev)),
4168 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4169 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4170 sizeof(struct hci_rp_read_voice_setting)),
4171 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4172 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4173 sizeof(struct hci_rp_read_num_supported_iac)),
4174 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4175 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4176 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4177 sizeof(struct hci_rp_read_auth_payload_to)),
4178 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4179 sizeof(struct hci_rp_write_auth_payload_to)),
4180 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4181 sizeof(struct hci_rp_read_local_version)),
4182 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4183 sizeof(struct hci_rp_read_local_commands)),
4184 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4185 sizeof(struct hci_rp_read_local_features)),
4186 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4187 sizeof(struct hci_rp_read_local_ext_features)),
4188 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4189 sizeof(struct hci_rp_read_buffer_size)),
4190 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4191 sizeof(struct hci_rp_read_bd_addr)),
4192 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4193 sizeof(struct hci_rp_read_local_pairing_opts)),
4194 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4195 sizeof(struct hci_rp_read_page_scan_activity)),
4196 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4197 hci_cc_write_page_scan_activity),
4198 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4199 sizeof(struct hci_rp_read_page_scan_type)),
4200 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4201 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4202 sizeof(struct hci_rp_read_data_block_size)),
4203 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4204 sizeof(struct hci_rp_read_flow_control_mode)),
4205 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4206 sizeof(struct hci_rp_read_local_amp_info)),
4207 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4208 sizeof(struct hci_rp_read_clock)),
4209 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4210 sizeof(struct hci_rp_read_enc_key_size)),
4211 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4212 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4213 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4214 hci_cc_read_def_err_data_reporting,
4215 sizeof(struct hci_rp_read_def_err_data_reporting)),
4216 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4217 hci_cc_write_def_err_data_reporting),
4218 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4219 sizeof(struct hci_rp_pin_code_reply)),
4220 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4221 sizeof(struct hci_rp_pin_code_neg_reply)),
4222 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4223 sizeof(struct hci_rp_read_local_oob_data)),
4224 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4225 sizeof(struct hci_rp_read_local_oob_ext_data)),
4226 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4227 sizeof(struct hci_rp_le_read_buffer_size)),
4228 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4229 sizeof(struct hci_rp_le_read_local_features)),
4230 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4231 sizeof(struct hci_rp_le_read_adv_tx_power)),
4232 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4233 sizeof(struct hci_rp_user_confirm_reply)),
4234 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4235 sizeof(struct hci_rp_user_confirm_reply)),
4236 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4237 sizeof(struct hci_rp_user_confirm_reply)),
4238 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4239 sizeof(struct hci_rp_user_confirm_reply)),
4240 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4241 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4242 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4243 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4244 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4245 hci_cc_le_read_accept_list_size,
4246 sizeof(struct hci_rp_le_read_accept_list_size)),
4247 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4248 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4249 hci_cc_le_add_to_accept_list),
4250 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4251 hci_cc_le_del_from_accept_list),
4252 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4253 sizeof(struct hci_rp_le_read_supported_states)),
4254 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4255 sizeof(struct hci_rp_le_read_def_data_len)),
4256 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4257 hci_cc_le_write_def_data_len),
4258 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4259 hci_cc_le_add_to_resolv_list),
4260 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4261 hci_cc_le_del_from_resolv_list),
4262 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4263 hci_cc_le_clear_resolv_list),
4264 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4265 sizeof(struct hci_rp_le_read_resolv_list_size)),
4266 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4267 hci_cc_le_set_addr_resolution_enable),
4268 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4269 sizeof(struct hci_rp_le_read_max_data_len)),
4270 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4271 hci_cc_write_le_host_supported),
4272 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4273 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4274 sizeof(struct hci_rp_read_rssi)),
4275 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4276 sizeof(struct hci_rp_read_tx_power)),
4277 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4278 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4279 hci_cc_le_set_ext_scan_param),
4280 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4281 hci_cc_le_set_ext_scan_enable),
4282 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4283 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4284 hci_cc_le_read_num_adv_sets,
4285 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4286 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4287 sizeof(struct hci_rp_le_set_ext_adv_params)),
4288 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4289 hci_cc_le_set_ext_adv_enable),
4290 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4291 hci_cc_le_set_adv_set_random_addr),
4292 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4293 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4294 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4295 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4296 hci_cc_le_set_per_adv_enable),
4297 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4298 sizeof(struct hci_rp_le_read_transmit_power)),
4300 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4301 sizeof(struct hci_cc_rsp_enable_rssi)),
4302 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4303 sizeof(struct hci_cc_rp_get_raw_rssi)),
4305 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4306 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4307 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4308 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4309 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4310 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4311 sizeof(struct hci_rp_le_setup_iso_path)),
4314 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4315 struct sk_buff *skb)
4319 if (skb->len < cc->min_len) {
4320 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4321 cc->op, skb->len, cc->min_len);
4322 return HCI_ERROR_UNSPECIFIED;
4325 /* Just warn if the length is over max_len size it still be possible to
4326 * partially parse the cc so leave to callback to decide if that is
4329 if (skb->len > cc->max_len)
4330 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4331 cc->op, skb->len, cc->max_len);
4333 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4335 return HCI_ERROR_UNSPECIFIED;
4337 return cc->func(hdev, data, skb);
4340 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4341 struct sk_buff *skb, u16 *opcode, u8 *status,
4342 hci_req_complete_t *req_complete,
4343 hci_req_complete_skb_t *req_complete_skb)
4345 struct hci_ev_cmd_complete *ev = data;
4348 *opcode = __le16_to_cpu(ev->opcode);
4350 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4352 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4353 if (hci_cc_table[i].op == *opcode) {
4354 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4359 if (i == ARRAY_SIZE(hci_cc_table)) {
4360 /* Unknown opcode, assume byte 0 contains the status, so
4361 * that e.g. __hci_cmd_sync() properly returns errors
4362 * for vendor specific commands send by HCI drivers.
4363 * If a vendor doesn't actually follow this convention we may
4364 * need to introduce a vendor CC table in order to properly set
4367 *status = skb->data[0];
4370 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4372 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4375 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4377 "unexpected event for opcode 0x%4.4x", *opcode);
4381 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4382 queue_work(hdev->workqueue, &hdev->cmd_work);
4385 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4387 struct hci_cp_le_create_cis *cp;
4388 bool pending = false;
4391 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4396 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4402 /* Remove connection if command failed */
4403 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4404 struct hci_conn *conn;
4407 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4409 conn = hci_conn_hash_lookup_handle(hdev, handle);
4411 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4414 conn->state = BT_CLOSED;
4415 hci_connect_cfm(conn, status);
4421 hci_le_create_cis_pending(hdev);
4423 hci_dev_unlock(hdev);
4426 #define HCI_CS(_op, _func) \
4432 static const struct hci_cs {
4434 void (*func)(struct hci_dev *hdev, __u8 status);
4435 } hci_cs_table[] = {
4436 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4437 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4438 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4439 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4440 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4441 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4442 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4443 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4444 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4445 hci_cs_read_remote_ext_features),
4446 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4447 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4448 hci_cs_enhanced_setup_sync_conn),
4449 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4450 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4451 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4452 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4453 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4454 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4455 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4456 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4457 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4460 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4461 struct sk_buff *skb, u16 *opcode, u8 *status,
4462 hci_req_complete_t *req_complete,
4463 hci_req_complete_skb_t *req_complete_skb)
4465 struct hci_ev_cmd_status *ev = data;
4468 *opcode = __le16_to_cpu(ev->opcode);
4469 *status = ev->status;
4471 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4473 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4474 if (hci_cs_table[i].op == *opcode) {
4475 hci_cs_table[i].func(hdev, ev->status);
4480 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4482 /* Indicate request completion if the command failed. Also, if
4483 * we're not waiting for a special event and we get a success
4484 * command status we should try to flag the request as completed
4485 * (since for this kind of commands there will not be a command
4488 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4489 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4491 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4492 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4498 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4499 queue_work(hdev->workqueue, &hdev->cmd_work);
4502 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4503 struct sk_buff *skb)
4505 struct hci_ev_hardware_error *ev = data;
4507 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4511 mgmt_hardware_error(hdev, ev->code);
4512 hci_dev_unlock(hdev);
4514 hdev->hw_error_code = ev->code;
4516 queue_work(hdev->req_workqueue, &hdev->error_reset);
4519 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4520 struct sk_buff *skb)
4522 struct hci_ev_role_change *ev = data;
4523 struct hci_conn *conn;
4525 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4529 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4532 conn->role = ev->role;
4534 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4536 hci_role_switch_cfm(conn, ev->status, ev->role);
4539 hci_dev_unlock(hdev);
4542 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4543 struct sk_buff *skb)
4545 struct hci_ev_num_comp_pkts *ev = data;
4548 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4549 flex_array_size(ev, handles, ev->num)))
4552 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4553 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4557 bt_dev_dbg(hdev, "num %d", ev->num);
4559 for (i = 0; i < ev->num; i++) {
4560 struct hci_comp_pkts_info *info = &ev->handles[i];
4561 struct hci_conn *conn;
4562 __u16 handle, count;
4564 handle = __le16_to_cpu(info->handle);
4565 count = __le16_to_cpu(info->count);
4567 conn = hci_conn_hash_lookup_handle(hdev, handle);
4571 conn->sent -= count;
4573 switch (conn->type) {
4575 hdev->acl_cnt += count;
4576 if (hdev->acl_cnt > hdev->acl_pkts)
4577 hdev->acl_cnt = hdev->acl_pkts;
4581 if (hdev->le_pkts) {
4582 hdev->le_cnt += count;
4583 if (hdev->le_cnt > hdev->le_pkts)
4584 hdev->le_cnt = hdev->le_pkts;
4586 hdev->acl_cnt += count;
4587 if (hdev->acl_cnt > hdev->acl_pkts)
4588 hdev->acl_cnt = hdev->acl_pkts;
4593 hdev->sco_cnt += count;
4594 if (hdev->sco_cnt > hdev->sco_pkts)
4595 hdev->sco_cnt = hdev->sco_pkts;
4599 if (hdev->iso_pkts) {
4600 hdev->iso_cnt += count;
4601 if (hdev->iso_cnt > hdev->iso_pkts)
4602 hdev->iso_cnt = hdev->iso_pkts;
4603 } else if (hdev->le_pkts) {
4604 hdev->le_cnt += count;
4605 if (hdev->le_cnt > hdev->le_pkts)
4606 hdev->le_cnt = hdev->le_pkts;
4608 hdev->acl_cnt += count;
4609 if (hdev->acl_cnt > hdev->acl_pkts)
4610 hdev->acl_cnt = hdev->acl_pkts;
4615 bt_dev_err(hdev, "unknown type %d conn %p",
4621 queue_work(hdev->workqueue, &hdev->tx_work);
4624 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4627 struct hci_chan *chan;
4629 switch (hdev->dev_type) {
4631 return hci_conn_hash_lookup_handle(hdev, handle);
4633 chan = hci_chan_lookup_handle(hdev, handle);
4638 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4645 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4646 struct sk_buff *skb)
4648 struct hci_ev_num_comp_blocks *ev = data;
4651 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4652 flex_array_size(ev, handles, ev->num_hndl)))
4655 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4656 bt_dev_err(hdev, "wrong event for mode %d",
4657 hdev->flow_ctl_mode);
4661 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4664 for (i = 0; i < ev->num_hndl; i++) {
4665 struct hci_comp_blocks_info *info = &ev->handles[i];
4666 struct hci_conn *conn = NULL;
4667 __u16 handle, block_count;
4669 handle = __le16_to_cpu(info->handle);
4670 block_count = __le16_to_cpu(info->blocks);
4672 conn = __hci_conn_lookup_handle(hdev, handle);
4676 conn->sent -= block_count;
4678 switch (conn->type) {
4681 hdev->block_cnt += block_count;
4682 if (hdev->block_cnt > hdev->num_blocks)
4683 hdev->block_cnt = hdev->num_blocks;
4687 bt_dev_err(hdev, "unknown type %d conn %p",
4693 queue_work(hdev->workqueue, &hdev->tx_work);
4696 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4697 struct sk_buff *skb)
4699 struct hci_ev_mode_change *ev = data;
4700 struct hci_conn *conn;
4702 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4706 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4708 conn->mode = ev->mode;
4710 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4712 if (conn->mode == HCI_CM_ACTIVE)
4713 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4715 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4718 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4719 hci_sco_setup(conn, ev->status);
4722 hci_dev_unlock(hdev);
4725 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4726 struct sk_buff *skb)
4728 struct hci_ev_pin_code_req *ev = data;
4729 struct hci_conn *conn;
4731 bt_dev_dbg(hdev, "");
4735 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4739 if (conn->state == BT_CONNECTED) {
4740 hci_conn_hold(conn);
4741 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4742 hci_conn_drop(conn);
4745 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4746 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4747 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4748 sizeof(ev->bdaddr), &ev->bdaddr);
4749 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4752 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4757 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4761 hci_dev_unlock(hdev);
4764 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4766 if (key_type == HCI_LK_CHANGED_COMBINATION)
4769 conn->pin_length = pin_len;
4770 conn->key_type = key_type;
4773 case HCI_LK_LOCAL_UNIT:
4774 case HCI_LK_REMOTE_UNIT:
4775 case HCI_LK_DEBUG_COMBINATION:
4777 case HCI_LK_COMBINATION:
4779 conn->pending_sec_level = BT_SECURITY_HIGH;
4781 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4783 case HCI_LK_UNAUTH_COMBINATION_P192:
4784 case HCI_LK_UNAUTH_COMBINATION_P256:
4785 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4787 case HCI_LK_AUTH_COMBINATION_P192:
4788 conn->pending_sec_level = BT_SECURITY_HIGH;
4790 case HCI_LK_AUTH_COMBINATION_P256:
4791 conn->pending_sec_level = BT_SECURITY_FIPS;
4796 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4797 struct sk_buff *skb)
4799 struct hci_ev_link_key_req *ev = data;
4800 struct hci_cp_link_key_reply cp;
4801 struct hci_conn *conn;
4802 struct link_key *key;
4804 bt_dev_dbg(hdev, "");
4806 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4811 key = hci_find_link_key(hdev, &ev->bdaddr);
4813 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4817 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4819 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4821 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4823 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4824 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4825 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4826 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4830 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4831 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4832 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4833 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4837 conn_set_key(conn, key->type, key->pin_len);
4840 bacpy(&cp.bdaddr, &ev->bdaddr);
4841 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4843 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4845 hci_dev_unlock(hdev);
4850 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4851 hci_dev_unlock(hdev);
4854 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4855 struct sk_buff *skb)
4857 struct hci_ev_link_key_notify *ev = data;
4858 struct hci_conn *conn;
4859 struct link_key *key;
4863 bt_dev_dbg(hdev, "");
4867 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4871 /* Ignore NULL link key against CVE-2020-26555 */
4872 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4873 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4875 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4876 hci_conn_drop(conn);
4880 hci_conn_hold(conn);
4881 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4882 hci_conn_drop(conn);
4884 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4885 conn_set_key(conn, ev->key_type, conn->pin_length);
4887 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4890 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4891 ev->key_type, pin_len, &persistent);
4895 /* Update connection information since adding the key will have
4896 * fixed up the type in the case of changed combination keys.
4898 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4899 conn_set_key(conn, key->type, key->pin_len);
4901 mgmt_new_link_key(hdev, key, persistent);
4903 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4904 * is set. If it's not set simply remove the key from the kernel
4905 * list (we've still notified user space about it but with
4906 * store_hint being 0).
4908 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4909 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4910 list_del_rcu(&key->list);
4911 kfree_rcu(key, rcu);
4916 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4918 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4921 hci_dev_unlock(hdev);
4924 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4925 struct sk_buff *skb)
4927 struct hci_ev_clock_offset *ev = data;
4928 struct hci_conn *conn;
4930 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4934 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4935 if (conn && !ev->status) {
4936 struct inquiry_entry *ie;
4938 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4940 ie->data.clock_offset = ev->clock_offset;
4941 ie->timestamp = jiffies;
4945 hci_dev_unlock(hdev);
4948 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4949 struct sk_buff *skb)
4951 struct hci_ev_pkt_type_change *ev = data;
4952 struct hci_conn *conn;
4954 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4958 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4959 if (conn && !ev->status)
4960 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4962 hci_dev_unlock(hdev);
4965 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4966 struct sk_buff *skb)
4968 struct hci_ev_pscan_rep_mode *ev = data;
4969 struct inquiry_entry *ie;
4971 bt_dev_dbg(hdev, "");
4975 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4977 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4978 ie->timestamp = jiffies;
4981 hci_dev_unlock(hdev);
4984 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4985 struct sk_buff *skb)
4987 struct hci_ev_inquiry_result_rssi *ev = edata;
4988 struct inquiry_data data;
4991 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4996 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5001 if (skb->len == array_size(ev->num,
5002 sizeof(struct inquiry_info_rssi_pscan))) {
5003 struct inquiry_info_rssi_pscan *info;
5005 for (i = 0; i < ev->num; i++) {
5008 info = hci_ev_skb_pull(hdev, skb,
5009 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5012 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5013 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5017 bacpy(&data.bdaddr, &info->bdaddr);
5018 data.pscan_rep_mode = info->pscan_rep_mode;
5019 data.pscan_period_mode = info->pscan_period_mode;
5020 data.pscan_mode = info->pscan_mode;
5021 memcpy(data.dev_class, info->dev_class, 3);
5022 data.clock_offset = info->clock_offset;
5023 data.rssi = info->rssi;
5024 data.ssp_mode = 0x00;
5026 flags = hci_inquiry_cache_update(hdev, &data, false);
5028 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5029 info->dev_class, info->rssi,
5030 flags, NULL, 0, NULL, 0, 0);
5032 } else if (skb->len == array_size(ev->num,
5033 sizeof(struct inquiry_info_rssi))) {
5034 struct inquiry_info_rssi *info;
5036 for (i = 0; i < ev->num; i++) {
5039 info = hci_ev_skb_pull(hdev, skb,
5040 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5043 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5044 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5048 bacpy(&data.bdaddr, &info->bdaddr);
5049 data.pscan_rep_mode = info->pscan_rep_mode;
5050 data.pscan_period_mode = info->pscan_period_mode;
5051 data.pscan_mode = 0x00;
5052 memcpy(data.dev_class, info->dev_class, 3);
5053 data.clock_offset = info->clock_offset;
5054 data.rssi = info->rssi;
5055 data.ssp_mode = 0x00;
5057 flags = hci_inquiry_cache_update(hdev, &data, false);
5059 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5060 info->dev_class, info->rssi,
5061 flags, NULL, 0, NULL, 0, 0);
5064 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5065 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5068 hci_dev_unlock(hdev);
5071 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5072 struct sk_buff *skb)
5074 struct hci_ev_remote_ext_features *ev = data;
5075 struct hci_conn *conn;
5077 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5081 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5085 if (ev->page < HCI_MAX_PAGES)
5086 memcpy(conn->features[ev->page], ev->features, 8);
5088 if (!ev->status && ev->page == 0x01) {
5089 struct inquiry_entry *ie;
5091 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5093 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5095 if (ev->features[0] & LMP_HOST_SSP) {
5096 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5098 /* It is mandatory by the Bluetooth specification that
5099 * Extended Inquiry Results are only used when Secure
5100 * Simple Pairing is enabled, but some devices violate
5103 * To make these devices work, the internal SSP
5104 * enabled flag needs to be cleared if the remote host
5105 * features do not indicate SSP support */
5106 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5109 if (ev->features[0] & LMP_HOST_SC)
5110 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5113 if (conn->state != BT_CONFIG)
5116 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5117 struct hci_cp_remote_name_req cp;
5118 memset(&cp, 0, sizeof(cp));
5119 bacpy(&cp.bdaddr, &conn->dst);
5120 cp.pscan_rep_mode = 0x02;
5121 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5122 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5123 mgmt_device_connected(hdev, conn, NULL, 0);
5125 if (!hci_outgoing_auth_needed(hdev, conn)) {
5126 conn->state = BT_CONNECTED;
5127 hci_connect_cfm(conn, ev->status);
5128 hci_conn_drop(conn);
5132 hci_dev_unlock(hdev);
5135 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5136 struct sk_buff *skb)
5138 struct hci_ev_sync_conn_complete *ev = data;
5139 struct hci_conn *conn;
5140 u8 status = ev->status;
5142 switch (ev->link_type) {
5147 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5148 * for HCI_Synchronous_Connection_Complete is limited to
5149 * either SCO or eSCO
5151 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5155 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5159 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5161 if (ev->link_type == ESCO_LINK)
5164 /* When the link type in the event indicates SCO connection
5165 * and lookup of the connection object fails, then check
5166 * if an eSCO connection object exists.
5168 * The core limits the synchronous connections to either
5169 * SCO or eSCO. The eSCO connection is preferred and tried
5170 * to be setup first and until successfully established,
5171 * the link type will be hinted as eSCO.
5173 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5178 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5179 * Processing it more than once per connection can corrupt kernel memory.
5181 * As the connection handle is set here for the first time, it indicates
5182 * whether the connection is already set up.
5184 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5185 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5191 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5193 conn->state = BT_CLOSED;
5197 conn->state = BT_CONNECTED;
5198 conn->type = ev->link_type;
5200 hci_debugfs_create_conn(conn);
5201 hci_conn_add_sysfs(conn);
5204 case 0x10: /* Connection Accept Timeout */
5205 case 0x0d: /* Connection Rejected due to Limited Resources */
5206 case 0x11: /* Unsupported Feature or Parameter Value */
5207 case 0x1c: /* SCO interval rejected */
5208 case 0x1a: /* Unsupported Remote Feature */
5209 case 0x1e: /* Invalid LMP Parameters */
5210 case 0x1f: /* Unspecified error */
5211 case 0x20: /* Unsupported LMP Parameter value */
5213 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5214 (hdev->esco_type & EDR_ESCO_MASK);
5215 if (hci_setup_sync(conn, conn->parent->handle))
5221 conn->state = BT_CLOSED;
5225 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5226 /* Notify only in case of SCO over HCI transport data path which
5227 * is zero and non-zero value shall be non-HCI transport data path
5229 if (conn->codec.data_path == 0 && hdev->notify) {
5230 switch (ev->air_mode) {
5232 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5235 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5240 hci_connect_cfm(conn, status);
5245 hci_dev_unlock(hdev);
5248 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5252 while (parsed < eir_len) {
5253 u8 field_len = eir[0];
5258 parsed += field_len + 1;
5259 eir += field_len + 1;
5265 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5266 struct sk_buff *skb)
5268 struct hci_ev_ext_inquiry_result *ev = edata;
5269 struct inquiry_data data;
5273 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5274 flex_array_size(ev, info, ev->num)))
5277 bt_dev_dbg(hdev, "num %d", ev->num);
5282 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5287 for (i = 0; i < ev->num; i++) {
5288 struct extended_inquiry_info *info = &ev->info[i];
5292 bacpy(&data.bdaddr, &info->bdaddr);
5293 data.pscan_rep_mode = info->pscan_rep_mode;
5294 data.pscan_period_mode = info->pscan_period_mode;
5295 data.pscan_mode = 0x00;
5296 memcpy(data.dev_class, info->dev_class, 3);
5297 data.clock_offset = info->clock_offset;
5298 data.rssi = info->rssi;
5299 data.ssp_mode = 0x01;
5301 if (hci_dev_test_flag(hdev, HCI_MGMT))
5302 name_known = eir_get_data(info->data,
5304 EIR_NAME_COMPLETE, NULL);
5308 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5310 eir_len = eir_get_length(info->data, sizeof(info->data));
5312 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5313 info->dev_class, info->rssi,
5314 flags, info->data, eir_len, NULL, 0, 0);
5317 hci_dev_unlock(hdev);
5320 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5321 struct sk_buff *skb)
5323 struct hci_ev_key_refresh_complete *ev = data;
5324 struct hci_conn *conn;
5326 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5327 __le16_to_cpu(ev->handle));
5331 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5335 /* For BR/EDR the necessary steps are taken through the
5336 * auth_complete event.
5338 if (conn->type != LE_LINK)
5342 conn->sec_level = conn->pending_sec_level;
5344 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5346 if (ev->status && conn->state == BT_CONNECTED) {
5347 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5348 hci_conn_drop(conn);
5352 if (conn->state == BT_CONFIG) {
5354 conn->state = BT_CONNECTED;
5356 hci_connect_cfm(conn, ev->status);
5357 hci_conn_drop(conn);
5359 hci_auth_cfm(conn, ev->status);
5361 hci_conn_hold(conn);
5362 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5363 hci_conn_drop(conn);
5367 hci_dev_unlock(hdev);
5370 static u8 hci_get_auth_req(struct hci_conn *conn)
5372 /* If remote requests no-bonding follow that lead */
5373 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5374 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5375 return conn->remote_auth | (conn->auth_type & 0x01);
5377 /* If both remote and local have enough IO capabilities, require
5380 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5381 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5382 return conn->remote_auth | 0x01;
5384 /* No MITM protection possible so ignore remote requirement */
5385 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5388 static u8 bredr_oob_data_present(struct hci_conn *conn)
5390 struct hci_dev *hdev = conn->hdev;
5391 struct oob_data *data;
5393 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5397 if (bredr_sc_enabled(hdev)) {
5398 /* When Secure Connections is enabled, then just
5399 * return the present value stored with the OOB
5400 * data. The stored value contains the right present
5401 * information. However it can only be trusted when
5402 * not in Secure Connection Only mode.
5404 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5405 return data->present;
5407 /* When Secure Connections Only mode is enabled, then
5408 * the P-256 values are required. If they are not
5409 * available, then do not declare that OOB data is
5412 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5413 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5419 /* When Secure Connections is not enabled or actually
5420 * not supported by the hardware, then check that if
5421 * P-192 data values are present.
5423 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5424 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5430 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5431 struct sk_buff *skb)
5433 struct hci_ev_io_capa_request *ev = data;
5434 struct hci_conn *conn;
5436 bt_dev_dbg(hdev, "");
5440 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5441 if (!conn || !hci_conn_ssp_enabled(conn))
5444 hci_conn_hold(conn);
5446 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5449 /* Allow pairing if we're pairable, the initiators of the
5450 * pairing or if the remote is not requesting bonding.
5452 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5453 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5454 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5455 struct hci_cp_io_capability_reply cp;
5457 bacpy(&cp.bdaddr, &ev->bdaddr);
5458 /* Change the IO capability from KeyboardDisplay
5459 * to DisplayYesNo as it is not supported by BT spec. */
5460 cp.capability = (conn->io_capability == 0x04) ?
5461 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5463 /* If we are initiators, there is no remote information yet */
5464 if (conn->remote_auth == 0xff) {
5465 /* Request MITM protection if our IO caps allow it
5466 * except for the no-bonding case.
5468 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5469 conn->auth_type != HCI_AT_NO_BONDING)
5470 conn->auth_type |= 0x01;
5472 conn->auth_type = hci_get_auth_req(conn);
5475 /* If we're not bondable, force one of the non-bondable
5476 * authentication requirement values.
5478 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5479 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5481 cp.authentication = conn->auth_type;
5482 cp.oob_data = bredr_oob_data_present(conn);
5484 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5487 struct hci_cp_io_capability_neg_reply cp;
5489 bacpy(&cp.bdaddr, &ev->bdaddr);
5490 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5492 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5497 hci_dev_unlock(hdev);
5500 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5501 struct sk_buff *skb)
5503 struct hci_ev_io_capa_reply *ev = data;
5504 struct hci_conn *conn;
5506 bt_dev_dbg(hdev, "");
5510 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5514 conn->remote_cap = ev->capability;
5515 conn->remote_auth = ev->authentication;
5518 hci_dev_unlock(hdev);
5521 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5522 struct sk_buff *skb)
5524 struct hci_ev_user_confirm_req *ev = data;
5525 int loc_mitm, rem_mitm, confirm_hint = 0;
5526 struct hci_conn *conn;
5528 bt_dev_dbg(hdev, "");
5532 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5535 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5539 loc_mitm = (conn->auth_type & 0x01);
5540 rem_mitm = (conn->remote_auth & 0x01);
5542 /* If we require MITM but the remote device can't provide that
5543 * (it has NoInputNoOutput) then reject the confirmation
5544 * request. We check the security level here since it doesn't
5545 * necessarily match conn->auth_type.
5547 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5548 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5549 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5550 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5551 sizeof(ev->bdaddr), &ev->bdaddr);
5555 /* If no side requires MITM protection; auto-accept */
5556 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5557 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5559 /* If we're not the initiators request authorization to
5560 * proceed from user space (mgmt_user_confirm with
5561 * confirm_hint set to 1). The exception is if neither
5562 * side had MITM or if the local IO capability is
5563 * NoInputNoOutput, in which case we do auto-accept
5565 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5566 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5567 (loc_mitm || rem_mitm)) {
5568 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5573 /* If there already exists link key in local host, leave the
5574 * decision to user space since the remote device could be
5575 * legitimate or malicious.
5577 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5578 bt_dev_dbg(hdev, "Local host already has link key");
5583 BT_DBG("Auto-accept of user confirmation with %ums delay",
5584 hdev->auto_accept_delay);
5586 if (hdev->auto_accept_delay > 0) {
5587 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5588 queue_delayed_work(conn->hdev->workqueue,
5589 &conn->auto_accept_work, delay);
5593 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5594 sizeof(ev->bdaddr), &ev->bdaddr);
5599 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5600 le32_to_cpu(ev->passkey), confirm_hint);
5603 hci_dev_unlock(hdev);
5606 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5607 struct sk_buff *skb)
5609 struct hci_ev_user_passkey_req *ev = data;
5611 bt_dev_dbg(hdev, "");
5613 if (hci_dev_test_flag(hdev, HCI_MGMT))
5614 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5617 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5618 struct sk_buff *skb)
5620 struct hci_ev_user_passkey_notify *ev = data;
5621 struct hci_conn *conn;
5623 bt_dev_dbg(hdev, "");
5625 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5629 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5630 conn->passkey_entered = 0;
5632 if (hci_dev_test_flag(hdev, HCI_MGMT))
5633 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5634 conn->dst_type, conn->passkey_notify,
5635 conn->passkey_entered);
5638 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5639 struct sk_buff *skb)
5641 struct hci_ev_keypress_notify *ev = data;
5642 struct hci_conn *conn;
5644 bt_dev_dbg(hdev, "");
5646 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5651 case HCI_KEYPRESS_STARTED:
5652 conn->passkey_entered = 0;
5655 case HCI_KEYPRESS_ENTERED:
5656 conn->passkey_entered++;
5659 case HCI_KEYPRESS_ERASED:
5660 conn->passkey_entered--;
5663 case HCI_KEYPRESS_CLEARED:
5664 conn->passkey_entered = 0;
5667 case HCI_KEYPRESS_COMPLETED:
5671 if (hci_dev_test_flag(hdev, HCI_MGMT))
5672 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5673 conn->dst_type, conn->passkey_notify,
5674 conn->passkey_entered);
5677 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5678 struct sk_buff *skb)
5680 struct hci_ev_simple_pair_complete *ev = data;
5681 struct hci_conn *conn;
5683 bt_dev_dbg(hdev, "");
5687 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5688 if (!conn || !hci_conn_ssp_enabled(conn))
5691 /* Reset the authentication requirement to unknown */
5692 conn->remote_auth = 0xff;
5694 /* To avoid duplicate auth_failed events to user space we check
5695 * the HCI_CONN_AUTH_PEND flag which will be set if we
5696 * initiated the authentication. A traditional auth_complete
5697 * event gets always produced as initiator and is also mapped to
5698 * the mgmt_auth_failed event */
5699 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5700 mgmt_auth_failed(conn, ev->status);
5702 hci_conn_drop(conn);
5705 hci_dev_unlock(hdev);
5708 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5709 struct sk_buff *skb)
5711 struct hci_ev_remote_host_features *ev = data;
5712 struct inquiry_entry *ie;
5713 struct hci_conn *conn;
5715 bt_dev_dbg(hdev, "");
5719 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5721 memcpy(conn->features[1], ev->features, 8);
5723 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5725 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5727 hci_dev_unlock(hdev);
5730 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5731 struct sk_buff *skb)
5733 struct hci_ev_remote_oob_data_request *ev = edata;
5734 struct oob_data *data;
5736 bt_dev_dbg(hdev, "");
5740 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5743 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5745 struct hci_cp_remote_oob_data_neg_reply cp;
5747 bacpy(&cp.bdaddr, &ev->bdaddr);
5748 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5753 if (bredr_sc_enabled(hdev)) {
5754 struct hci_cp_remote_oob_ext_data_reply cp;
5756 bacpy(&cp.bdaddr, &ev->bdaddr);
5757 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5758 memset(cp.hash192, 0, sizeof(cp.hash192));
5759 memset(cp.rand192, 0, sizeof(cp.rand192));
5761 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5762 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5764 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5765 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5767 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5770 struct hci_cp_remote_oob_data_reply cp;
5772 bacpy(&cp.bdaddr, &ev->bdaddr);
5773 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5774 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5776 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5781 hci_dev_unlock(hdev);
5784 #if IS_ENABLED(CONFIG_BT_HS)
5785 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5786 struct sk_buff *skb)
5788 struct hci_ev_channel_selected *ev = data;
5789 struct hci_conn *hcon;
5791 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5793 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5797 amp_read_loc_assoc_final_data(hdev, hcon);
5800 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5801 struct sk_buff *skb)
5803 struct hci_ev_phy_link_complete *ev = data;
5804 struct hci_conn *hcon, *bredr_hcon;
5806 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5811 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5823 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5825 hcon->state = BT_CONNECTED;
5826 bacpy(&hcon->dst, &bredr_hcon->dst);
5828 hci_conn_hold(hcon);
5829 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5830 hci_conn_drop(hcon);
5832 hci_debugfs_create_conn(hcon);
5833 hci_conn_add_sysfs(hcon);
5835 amp_physical_cfm(bredr_hcon, hcon);
5838 hci_dev_unlock(hdev);
5841 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5842 struct sk_buff *skb)
5844 struct hci_ev_logical_link_complete *ev = data;
5845 struct hci_conn *hcon;
5846 struct hci_chan *hchan;
5847 struct amp_mgr *mgr;
5849 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5850 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5852 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5856 /* Create AMP hchan */
5857 hchan = hci_chan_create(hcon);
5861 hchan->handle = le16_to_cpu(ev->handle);
5864 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5866 mgr = hcon->amp_mgr;
5867 if (mgr && mgr->bredr_chan) {
5868 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5870 l2cap_chan_lock(bredr_chan);
5872 bredr_chan->conn->mtu = hdev->block_mtu;
5873 l2cap_logical_cfm(bredr_chan, hchan, 0);
5874 hci_conn_hold(hcon);
5876 l2cap_chan_unlock(bredr_chan);
5880 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5881 struct sk_buff *skb)
5883 struct hci_ev_disconn_logical_link_complete *ev = data;
5884 struct hci_chan *hchan;
5886 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5887 le16_to_cpu(ev->handle), ev->status);
5894 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5895 if (!hchan || !hchan->amp)
5898 amp_destroy_logical_link(hchan, ev->reason);
5901 hci_dev_unlock(hdev);
5904 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5905 struct sk_buff *skb)
5907 struct hci_ev_disconn_phy_link_complete *ev = data;
5908 struct hci_conn *hcon;
5910 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5917 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5918 if (hcon && hcon->type == AMP_LINK) {
5919 hcon->state = BT_CLOSED;
5920 hci_disconn_cfm(hcon, ev->reason);
5924 hci_dev_unlock(hdev);
5928 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5929 u8 bdaddr_type, bdaddr_t *local_rpa)
5932 conn->dst_type = bdaddr_type;
5933 conn->resp_addr_type = bdaddr_type;
5934 bacpy(&conn->resp_addr, bdaddr);
5936 /* Check if the controller has set a Local RPA then it must be
5937 * used instead or hdev->rpa.
5939 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5940 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5941 bacpy(&conn->init_addr, local_rpa);
5942 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5943 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5944 bacpy(&conn->init_addr, &conn->hdev->rpa);
5946 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5947 &conn->init_addr_type);
5950 conn->resp_addr_type = conn->hdev->adv_addr_type;
5951 /* Check if the controller has set a Local RPA then it must be
5952 * used instead or hdev->rpa.
5954 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5955 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5956 bacpy(&conn->resp_addr, local_rpa);
5957 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5958 /* In case of ext adv, resp_addr will be updated in
5959 * Adv Terminated event.
5961 if (!ext_adv_capable(conn->hdev))
5962 bacpy(&conn->resp_addr,
5963 &conn->hdev->random_addr);
5965 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5968 conn->init_addr_type = bdaddr_type;
5969 bacpy(&conn->init_addr, bdaddr);
5971 /* For incoming connections, set the default minimum
5972 * and maximum connection interval. They will be used
5973 * to check if the parameters are in range and if not
5974 * trigger the connection update procedure.
5976 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5977 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5981 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5982 bdaddr_t *bdaddr, u8 bdaddr_type,
5983 bdaddr_t *local_rpa, u8 role, u16 handle,
5984 u16 interval, u16 latency,
5985 u16 supervision_timeout)
5987 struct hci_conn_params *params;
5988 struct hci_conn *conn;
5989 struct smp_irk *irk;
5994 /* All controllers implicitly stop advertising in the event of a
5995 * connection, so ensure that the state bit is cleared.
5997 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5999 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
6001 /* In case of error status and there is no connection pending
6002 * just unlock as there is nothing to cleanup.
6007 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
6009 bt_dev_err(hdev, "no memory for new connection");
6013 conn->dst_type = bdaddr_type;
6015 /* If we didn't have a hci_conn object previously
6016 * but we're in central role this must be something
6017 * initiated using an accept list. Since accept list based
6018 * connections are not "first class citizens" we don't
6019 * have full tracking of them. Therefore, we go ahead
6020 * with a "best effort" approach of determining the
6021 * initiator address based on the HCI_PRIVACY flag.
6024 conn->resp_addr_type = bdaddr_type;
6025 bacpy(&conn->resp_addr, bdaddr);
6026 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6027 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6028 bacpy(&conn->init_addr, &hdev->rpa);
6030 hci_copy_identity_address(hdev,
6032 &conn->init_addr_type);
6036 cancel_delayed_work(&conn->le_conn_timeout);
6039 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6040 * Processing it more than once per connection can corrupt kernel memory.
6042 * As the connection handle is set here for the first time, it indicates
6043 * whether the connection is already set up.
6045 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
6046 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6050 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6052 /* Lookup the identity address from the stored connection
6053 * address and address type.
6055 * When establishing connections to an identity address, the
6056 * connection procedure will store the resolvable random
6057 * address first. Now if it can be converted back into the
6058 * identity address, start using the identity address from
6061 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6063 bacpy(&conn->dst, &irk->bdaddr);
6064 conn->dst_type = irk->addr_type;
6067 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6069 /* All connection failure handling is taken care of by the
6070 * hci_conn_failed function which is triggered by the HCI
6071 * request completion callbacks used for connecting.
6073 if (status || hci_conn_set_handle(conn, handle))
6076 /* Drop the connection if it has been aborted */
6077 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6078 hci_conn_drop(conn);
6082 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6083 addr_type = BDADDR_LE_PUBLIC;
6085 addr_type = BDADDR_LE_RANDOM;
6087 /* Drop the connection if the device is blocked */
6088 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6089 hci_conn_drop(conn);
6093 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6094 mgmt_device_connected(hdev, conn, NULL, 0);
6096 conn->sec_level = BT_SECURITY_LOW;
6097 conn->state = BT_CONFIG;
6099 /* Store current advertising instance as connection advertising instance
6100 * when sotfware rotation is in use so it can be re-enabled when
6103 if (!ext_adv_capable(hdev))
6104 conn->adv_instance = hdev->cur_adv_instance;
6106 conn->le_conn_interval = interval;
6107 conn->le_conn_latency = latency;
6108 conn->le_supv_timeout = supervision_timeout;
6110 hci_debugfs_create_conn(conn);
6111 hci_conn_add_sysfs(conn);
6113 /* The remote features procedure is defined for central
6114 * role only. So only in case of an initiated connection
6115 * request the remote features.
6117 * If the local controller supports peripheral-initiated features
6118 * exchange, then requesting the remote features in peripheral
6119 * role is possible. Otherwise just transition into the
6120 * connected state without requesting the remote features.
6123 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6124 struct hci_cp_le_read_remote_features cp;
6126 cp.handle = __cpu_to_le16(conn->handle);
6128 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6131 hci_conn_hold(conn);
6133 conn->state = BT_CONNECTED;
6134 hci_connect_cfm(conn, status);
6137 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6140 hci_pend_le_list_del_init(params);
6142 hci_conn_drop(params->conn);
6143 hci_conn_put(params->conn);
6144 params->conn = NULL;
6149 hci_update_passive_scan(hdev);
6150 hci_dev_unlock(hdev);
6153 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6154 struct sk_buff *skb)
6156 struct hci_ev_le_conn_complete *ev = data;
6158 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6160 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6161 NULL, ev->role, le16_to_cpu(ev->handle),
6162 le16_to_cpu(ev->interval),
6163 le16_to_cpu(ev->latency),
6164 le16_to_cpu(ev->supervision_timeout));
6167 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6168 struct sk_buff *skb)
6170 struct hci_ev_le_enh_conn_complete *ev = data;
6172 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6174 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6175 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6176 le16_to_cpu(ev->interval),
6177 le16_to_cpu(ev->latency),
6178 le16_to_cpu(ev->supervision_timeout));
6181 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6182 struct sk_buff *skb)
6184 struct hci_evt_le_ext_adv_set_term *ev = data;
6185 struct hci_conn *conn;
6186 struct adv_info *adv, *n;
6188 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6190 /* The Bluetooth Core 5.3 specification clearly states that this event
6191 * shall not be sent when the Host disables the advertising set. So in
6192 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6194 * When the Host disables an advertising set, all cleanup is done via
6195 * its command callback and not needed to be duplicated here.
6197 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6198 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6204 adv = hci_find_adv_instance(hdev, ev->handle);
6210 /* Remove advertising as it has been terminated */
6211 hci_remove_adv_instance(hdev, ev->handle);
6212 mgmt_advertising_removed(NULL, hdev, ev->handle);
6214 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6219 /* We are no longer advertising, clear HCI_LE_ADV */
6220 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6225 adv->enabled = false;
6227 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6229 /* Store handle in the connection so the correct advertising
6230 * instance can be re-enabled when disconnected.
6232 conn->adv_instance = ev->handle;
6234 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6235 bacmp(&conn->resp_addr, BDADDR_ANY))
6239 bacpy(&conn->resp_addr, &hdev->random_addr);
6244 bacpy(&conn->resp_addr, &adv->random_addr);
6248 hci_dev_unlock(hdev);
6251 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6252 struct sk_buff *skb)
6254 struct hci_ev_le_conn_update_complete *ev = data;
6255 struct hci_conn *conn;
6257 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6264 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6268 hci_dev_unlock(hdev);
6269 mgmt_le_conn_update_failed(hdev, &conn->dst,
6270 conn->type, conn->dst_type, ev->status);
6274 conn->le_conn_interval = le16_to_cpu(ev->interval);
6275 conn->le_conn_latency = le16_to_cpu(ev->latency);
6276 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6279 hci_dev_unlock(hdev);
6282 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6283 conn->dst_type, conn->le_conn_interval,
6284 conn->le_conn_latency, conn->le_supv_timeout);
6288 /* This function requires the caller holds hdev->lock */
6289 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6291 u8 addr_type, bool addr_resolved,
6294 struct hci_conn *conn;
6295 struct hci_conn_params *params;
6297 /* If the event is not connectable don't proceed further */
6298 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6301 /* Ignore if the device is blocked or hdev is suspended */
6302 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6306 /* Most controller will fail if we try to create new connections
6307 * while we have an existing one in peripheral role.
6309 if (hdev->conn_hash.le_num_peripheral > 0 &&
6310 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6311 !(hdev->le_states[3] & 0x10)))
6314 /* If we're not connectable only connect devices that we have in
6315 * our pend_le_conns list.
6317 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6322 if (!params->explicit_connect) {
6323 switch (params->auto_connect) {
6324 case HCI_AUTO_CONN_DIRECT:
6325 /* Only devices advertising with ADV_DIRECT_IND are
6326 * triggering a connection attempt. This is allowing
6327 * incoming connections from peripheral devices.
6329 if (adv_type != LE_ADV_DIRECT_IND)
6332 case HCI_AUTO_CONN_ALWAYS:
6333 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6334 * are triggering a connection attempt. This means
6335 * that incoming connections from peripheral device are
6336 * accepted and also outgoing connections to peripheral
6337 * devices are established when found.
6345 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6346 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6348 if (!IS_ERR(conn)) {
6349 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6350 * by higher layer that tried to connect, if no then
6351 * store the pointer since we don't really have any
6352 * other owner of the object besides the params that
6353 * triggered it. This way we can abort the connection if
6354 * the parameters get removed and keep the reference
6355 * count consistent once the connection is established.
6358 if (!params->explicit_connect)
6359 params->conn = hci_conn_get(conn);
6364 switch (PTR_ERR(conn)) {
6366 /* If hci_connect() returns -EBUSY it means there is already
6367 * an LE connection attempt going on. Since controllers don't
6368 * support more than one connection attempt at the time, we
6369 * don't consider this an error case.
6373 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6380 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6381 u8 bdaddr_type, bdaddr_t *direct_addr,
6382 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6383 bool ext_adv, bool ctl_time, u64 instant)
6386 struct discovery_state *d = &hdev->discovery;
6389 struct smp_irk *irk;
6390 struct hci_conn *conn;
6391 bool bdaddr_resolved;
6397 case LE_ADV_DIRECT_IND:
6398 case LE_ADV_SCAN_IND:
6399 case LE_ADV_NONCONN_IND:
6400 case LE_ADV_SCAN_RSP:
6403 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6404 "type: 0x%02x", type);
6408 if (len > max_adv_len(hdev)) {
6409 bt_dev_err_ratelimited(hdev,
6410 "adv larger than maximum supported");
6414 /* Find the end of the data in case the report contains padded zero
6415 * bytes at the end causing an invalid length value.
6417 * When data is NULL, len is 0 so there is no need for extra ptr
6418 * check as 'ptr < data + 0' is already false in such case.
6420 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6421 if (ptr + 1 + *ptr > data + len)
6425 /* Adjust for actual length. This handles the case when remote
6426 * device is advertising with incorrect data length.
6430 /* If the direct address is present, then this report is from
6431 * a LE Direct Advertising Report event. In that case it is
6432 * important to see if the address is matching the local
6433 * controller address.
6435 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6436 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6439 /* Only resolvable random addresses are valid for these
6440 * kind of reports and others can be ignored.
6442 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6445 /* If the controller is not using resolvable random
6446 * addresses, then this report can be ignored.
6448 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6451 /* If the local IRK of the controller does not match
6452 * with the resolvable random address provided, then
6453 * this report can be ignored.
6455 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6459 /* Check if we need to convert to identity address */
6460 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6462 bdaddr = &irk->bdaddr;
6463 bdaddr_type = irk->addr_type;
6466 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6468 /* Check if we have been requested to connect to this device.
6470 * direct_addr is set only for directed advertising reports (it is NULL
6471 * for advertising reports) and is already verified to be RPA above.
6473 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6475 if (!ext_adv && conn && type == LE_ADV_IND &&
6476 len <= max_adv_len(hdev)) {
6477 /* Store report for later inclusion by
6478 * mgmt_device_connected
6480 memcpy(conn->le_adv_data, data, len);
6481 conn->le_adv_data_len = len;
6484 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6485 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6489 /* All scan results should be sent up for Mesh systems */
6490 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6491 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6492 rssi, flags, data, len, NULL, 0, instant);
6496 /* Passive scanning shouldn't trigger any device found events,
6497 * except for devices marked as CONN_REPORT for which we do send
6498 * device found events, or advertisement monitoring requested.
6500 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6501 if (type == LE_ADV_DIRECT_IND)
6505 /* Handle all adv packet in platform */
6506 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6507 bdaddr, bdaddr_type) &&
6508 idr_is_empty(&hdev->adv_monitors_idr))
6513 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6514 rssi, flags, data, len, NULL, 0, type);
6516 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6517 rssi, flags, data, len, NULL, 0, 0);
6522 /* When receiving a scan response, then there is no way to
6523 * know if the remote device is connectable or not. However
6524 * since scan responses are merged with a previously seen
6525 * advertising report, the flags field from that report
6528 * In the unlikely case that a controller just sends a scan
6529 * response event that doesn't match the pending report, then
6530 * it is marked as a standalone SCAN_RSP.
6532 if (type == LE_ADV_SCAN_RSP)
6533 flags = MGMT_DEV_FOUND_SCAN_RSP;
6536 /* Disable adv ind and scan rsp merging */
6537 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6538 rssi, flags, data, len, NULL, 0, type);
6540 /* If there's nothing pending either store the data from this
6541 * event or send an immediate device found event if the data
6542 * should not be stored for later.
6544 if (!ext_adv && !has_pending_adv_report(hdev)) {
6545 /* If the report will trigger a SCAN_REQ store it for
6548 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6549 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6550 rssi, flags, data, len);
6554 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6555 rssi, flags, data, len, NULL, 0, 0);
6559 /* Check if the pending report is for the same device as the new one */
6560 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6561 bdaddr_type == d->last_adv_addr_type);
6563 /* If the pending data doesn't match this report or this isn't a
6564 * scan response (e.g. we got a duplicate ADV_IND) then force
6565 * sending of the pending data.
6567 if (type != LE_ADV_SCAN_RSP || !match) {
6568 /* Send out whatever is in the cache, but skip duplicates */
6570 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6571 d->last_adv_addr_type, NULL,
6572 d->last_adv_rssi, d->last_adv_flags,
6574 d->last_adv_data_len, NULL, 0, 0);
6576 /* If the new report will trigger a SCAN_REQ store it for
6579 if (!ext_adv && (type == LE_ADV_IND ||
6580 type == LE_ADV_SCAN_IND)) {
6581 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6582 rssi, flags, data, len);
6586 /* The advertising reports cannot be merged, so clear
6587 * the pending report and send out a device found event.
6589 clear_pending_adv_report(hdev);
6590 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6591 rssi, flags, data, len, NULL, 0, 0);
6595 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6596 * the new event is a SCAN_RSP. We can therefore proceed with
6597 * sending a merged device found event.
6599 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6600 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6601 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6602 clear_pending_adv_report(hdev);
6606 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6607 struct sk_buff *skb)
6609 struct hci_ev_le_advertising_report *ev = data;
6610 u64 instant = jiffies;
6618 struct hci_ev_le_advertising_info *info;
6621 info = hci_le_ev_skb_pull(hdev, skb,
6622 HCI_EV_LE_ADVERTISING_REPORT,
6627 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6631 if (info->length <= max_adv_len(hdev)) {
6632 rssi = info->data[info->length];
6633 process_adv_report(hdev, info->type, &info->bdaddr,
6634 info->bdaddr_type, NULL, 0, rssi,
6635 info->data, info->length, false,
6638 bt_dev_err(hdev, "Dropping invalid advertising data");
6642 hci_dev_unlock(hdev);
6645 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6647 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6649 case LE_LEGACY_ADV_IND:
6651 case LE_LEGACY_ADV_DIRECT_IND:
6652 return LE_ADV_DIRECT_IND;
6653 case LE_LEGACY_ADV_SCAN_IND:
6654 return LE_ADV_SCAN_IND;
6655 case LE_LEGACY_NONCONN_IND:
6656 return LE_ADV_NONCONN_IND;
6657 case LE_LEGACY_SCAN_RSP_ADV:
6658 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6659 return LE_ADV_SCAN_RSP;
6665 if (evt_type & LE_EXT_ADV_CONN_IND) {
6666 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6667 return LE_ADV_DIRECT_IND;
6672 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6673 return LE_ADV_SCAN_RSP;
6675 if (evt_type & LE_EXT_ADV_SCAN_IND)
6676 return LE_ADV_SCAN_IND;
6678 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6679 evt_type & LE_EXT_ADV_DIRECT_IND)
6680 return LE_ADV_NONCONN_IND;
6683 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6686 return LE_ADV_INVALID;
6689 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6690 struct sk_buff *skb)
6692 struct hci_ev_le_ext_adv_report *ev = data;
6693 u64 instant = jiffies;
6701 struct hci_ev_le_ext_adv_info *info;
6705 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6710 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6714 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6715 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6716 if (legacy_evt_type != LE_ADV_INVALID) {
6717 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6718 info->bdaddr_type, NULL, 0,
6719 info->rssi, info->data, info->length,
6720 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6725 hci_dev_unlock(hdev);
6728 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6730 struct hci_cp_le_pa_term_sync cp;
6732 memset(&cp, 0, sizeof(cp));
6735 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6738 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6739 struct sk_buff *skb)
6741 struct hci_ev_le_pa_sync_established *ev = data;
6742 int mask = hdev->link_mode;
6744 struct hci_conn *pa_sync;
6746 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6750 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6752 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6753 if (!(mask & HCI_LM_ACCEPT)) {
6754 hci_le_pa_term_sync(hdev, ev->handle);
6758 if (!(flags & HCI_PROTO_DEFER))
6762 /* Add connection to indicate the failed PA sync event */
6763 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6769 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6771 /* Notify iso layer */
6772 hci_connect_cfm(pa_sync, ev->status);
6776 hci_dev_unlock(hdev);
6779 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6780 struct sk_buff *skb)
6782 struct hci_ev_le_per_adv_report *ev = data;
6783 int mask = hdev->link_mode;
6786 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6790 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6791 if (!(mask & HCI_LM_ACCEPT))
6792 hci_le_pa_term_sync(hdev, ev->sync_handle);
6794 hci_dev_unlock(hdev);
6797 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6798 struct sk_buff *skb)
6800 struct hci_ev_le_remote_feat_complete *ev = data;
6801 struct hci_conn *conn;
6803 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6807 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6810 memcpy(conn->features[0], ev->features, 8);
6812 if (conn->state == BT_CONFIG) {
6815 /* If the local controller supports peripheral-initiated
6816 * features exchange, but the remote controller does
6817 * not, then it is possible that the error code 0x1a
6818 * for unsupported remote feature gets returned.
6820 * In this specific case, allow the connection to
6821 * transition into connected state and mark it as
6824 if (!conn->out && ev->status == 0x1a &&
6825 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6828 status = ev->status;
6830 conn->state = BT_CONNECTED;
6831 hci_connect_cfm(conn, status);
6832 hci_conn_drop(conn);
6836 hci_dev_unlock(hdev);
6839 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6840 struct sk_buff *skb)
6842 struct hci_ev_le_ltk_req *ev = data;
6843 struct hci_cp_le_ltk_reply cp;
6844 struct hci_cp_le_ltk_neg_reply neg;
6845 struct hci_conn *conn;
6846 struct smp_ltk *ltk;
6848 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6852 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6856 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6860 if (smp_ltk_is_sc(ltk)) {
6861 /* With SC both EDiv and Rand are set to zero */
6862 if (ev->ediv || ev->rand)
6865 /* For non-SC keys check that EDiv and Rand match */
6866 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6870 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6871 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6872 cp.handle = cpu_to_le16(conn->handle);
6874 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6876 conn->enc_key_size = ltk->enc_size;
6878 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6880 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6881 * temporary key used to encrypt a connection following
6882 * pairing. It is used during the Encrypted Session Setup to
6883 * distribute the keys. Later, security can be re-established
6884 * using a distributed LTK.
6886 if (ltk->type == SMP_STK) {
6887 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6888 list_del_rcu(<k->list);
6889 kfree_rcu(ltk, rcu);
6891 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6894 hci_dev_unlock(hdev);
6899 neg.handle = ev->handle;
6900 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6901 hci_dev_unlock(hdev);
6904 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6907 struct hci_cp_le_conn_param_req_neg_reply cp;
6909 cp.handle = cpu_to_le16(handle);
6912 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6916 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6917 struct sk_buff *skb)
6919 struct hci_ev_le_remote_conn_param_req *ev = data;
6920 struct hci_cp_le_conn_param_req_reply cp;
6921 struct hci_conn *hcon;
6922 u16 handle, min, max, latency, timeout;
6924 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6926 handle = le16_to_cpu(ev->handle);
6927 min = le16_to_cpu(ev->interval_min);
6928 max = le16_to_cpu(ev->interval_max);
6929 latency = le16_to_cpu(ev->latency);
6930 timeout = le16_to_cpu(ev->timeout);
6932 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6933 if (!hcon || hcon->state != BT_CONNECTED)
6934 return send_conn_param_neg_reply(hdev, handle,
6935 HCI_ERROR_UNKNOWN_CONN_ID);
6937 if (hci_check_conn_params(min, max, latency, timeout))
6938 return send_conn_param_neg_reply(hdev, handle,
6939 HCI_ERROR_INVALID_LL_PARAMS);
6941 if (hcon->role == HCI_ROLE_MASTER) {
6942 struct hci_conn_params *params;
6947 params = hci_conn_params_lookup(hdev, &hcon->dst,
6950 params->conn_min_interval = min;
6951 params->conn_max_interval = max;
6952 params->conn_latency = latency;
6953 params->supervision_timeout = timeout;
6959 hci_dev_unlock(hdev);
6961 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6962 store_hint, min, max, latency, timeout);
6965 cp.handle = ev->handle;
6966 cp.interval_min = ev->interval_min;
6967 cp.interval_max = ev->interval_max;
6968 cp.latency = ev->latency;
6969 cp.timeout = ev->timeout;
6973 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6976 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6977 struct sk_buff *skb)
6979 struct hci_ev_le_direct_adv_report *ev = data;
6980 u64 instant = jiffies;
6983 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6984 flex_array_size(ev, info, ev->num)))
6992 for (i = 0; i < ev->num; i++) {
6993 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6995 process_adv_report(hdev, info->type, &info->bdaddr,
6996 info->bdaddr_type, &info->direct_addr,
6997 info->direct_addr_type, info->rssi, NULL, 0,
6998 false, false, instant);
7001 hci_dev_unlock(hdev);
7004 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
7005 struct sk_buff *skb)
7007 struct hci_ev_le_phy_update_complete *ev = data;
7008 struct hci_conn *conn;
7010 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7017 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7021 conn->le_tx_phy = ev->tx_phy;
7022 conn->le_rx_phy = ev->rx_phy;
7025 hci_dev_unlock(hdev);
7028 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7029 struct sk_buff *skb)
7031 struct hci_evt_le_cis_established *ev = data;
7032 struct hci_conn *conn;
7033 struct bt_iso_qos *qos;
7034 bool pending = false;
7035 u16 handle = __le16_to_cpu(ev->handle);
7037 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7041 conn = hci_conn_hash_lookup_handle(hdev, handle);
7044 "Unable to find connection with handle 0x%4.4x",
7049 if (conn->type != ISO_LINK) {
7051 "Invalid connection link type handle 0x%4.4x",
7056 qos = &conn->iso_qos;
7058 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
7060 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
7061 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
7062 qos->ucast.out.interval = qos->ucast.in.interval;
7064 switch (conn->role) {
7065 case HCI_ROLE_SLAVE:
7066 /* Convert Transport Latency (us) to Latency (msec) */
7067 qos->ucast.in.latency =
7068 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7070 qos->ucast.out.latency =
7071 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7073 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
7074 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
7075 qos->ucast.in.phy = ev->c_phy;
7076 qos->ucast.out.phy = ev->p_phy;
7078 case HCI_ROLE_MASTER:
7079 /* Convert Transport Latency (us) to Latency (msec) */
7080 qos->ucast.out.latency =
7081 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7083 qos->ucast.in.latency =
7084 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7086 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
7087 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
7088 qos->ucast.out.phy = ev->c_phy;
7089 qos->ucast.in.phy = ev->p_phy;
7094 conn->state = BT_CONNECTED;
7095 hci_debugfs_create_conn(conn);
7096 hci_conn_add_sysfs(conn);
7097 hci_iso_setup_path(conn);
7101 conn->state = BT_CLOSED;
7102 hci_connect_cfm(conn, ev->status);
7107 hci_le_create_cis_pending(hdev);
7109 hci_dev_unlock(hdev);
7112 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7114 struct hci_cp_le_reject_cis cp;
7116 memset(&cp, 0, sizeof(cp));
7118 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7119 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7122 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7124 struct hci_cp_le_accept_cis cp;
7126 memset(&cp, 0, sizeof(cp));
7128 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7131 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7132 struct sk_buff *skb)
7134 struct hci_evt_le_cis_req *ev = data;
7135 u16 acl_handle, cis_handle;
7136 struct hci_conn *acl, *cis;
7140 acl_handle = __le16_to_cpu(ev->acl_handle);
7141 cis_handle = __le16_to_cpu(ev->cis_handle);
7143 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7144 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7148 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7152 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7153 if (!(mask & HCI_LM_ACCEPT)) {
7154 hci_le_reject_cis(hdev, ev->cis_handle);
7158 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7160 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7163 hci_le_reject_cis(hdev, ev->cis_handle);
7168 cis->iso_qos.ucast.cig = ev->cig_id;
7169 cis->iso_qos.ucast.cis = ev->cis_id;
7171 if (!(flags & HCI_PROTO_DEFER)) {
7172 hci_le_accept_cis(hdev, ev->cis_handle);
7174 cis->state = BT_CONNECT2;
7175 hci_connect_cfm(cis, 0);
7179 hci_dev_unlock(hdev);
7182 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7184 u8 handle = PTR_UINT(data);
7186 return hci_le_terminate_big_sync(hdev, handle,
7187 HCI_ERROR_LOCAL_HOST_TERM);
7190 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7191 struct sk_buff *skb)
7193 struct hci_evt_le_create_big_complete *ev = data;
7194 struct hci_conn *conn;
7197 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7199 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7200 flex_array_size(ev, bis_handle, ev->num_bis)))
7206 /* Connect all BISes that are bound to the BIG */
7207 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7208 if (bacmp(&conn->dst, BDADDR_ANY) ||
7209 conn->type != ISO_LINK ||
7210 conn->iso_qos.bcast.big != ev->handle)
7213 if (hci_conn_set_handle(conn,
7214 __le16_to_cpu(ev->bis_handle[i++])))
7218 conn->state = BT_CONNECTED;
7219 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7221 hci_debugfs_create_conn(conn);
7222 hci_conn_add_sysfs(conn);
7223 hci_iso_setup_path(conn);
7228 hci_connect_cfm(conn, ev->status);
7236 if (!ev->status && !i)
7237 /* If no BISes have been connected for the BIG,
7238 * terminate. This is in case all bound connections
7239 * have been closed before the BIG creation
7242 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7243 UINT_PTR(ev->handle), NULL);
7245 hci_dev_unlock(hdev);
7248 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7249 struct sk_buff *skb)
7251 struct hci_evt_le_big_sync_estabilished *ev = data;
7252 struct hci_conn *bis;
7253 struct hci_conn *pa_sync;
7256 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7258 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7259 flex_array_size(ev, bis, ev->num_bis)))
7265 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7267 /* Also mark the BIG sync established event on the
7268 * associated PA sync hcon
7270 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7273 for (i = 0; i < ev->num_bis; i++) {
7274 u16 handle = le16_to_cpu(ev->bis[i]);
7277 bis = hci_conn_hash_lookup_handle(hdev, handle);
7279 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7280 HCI_ROLE_SLAVE, handle);
7285 if (ev->status != 0x42)
7286 /* Mark PA sync as established */
7287 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7289 bis->iso_qos.bcast.big = ev->handle;
7290 memset(&interval, 0, sizeof(interval));
7291 memcpy(&interval, ev->latency, sizeof(ev->latency));
7292 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7293 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7294 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7295 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7298 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7299 hci_iso_setup_path(bis);
7303 /* In case BIG sync failed, notify each failed connection to
7304 * the user after all hci connections have been added
7307 for (i = 0; i < ev->num_bis; i++) {
7308 u16 handle = le16_to_cpu(ev->bis[i]);
7310 bis = hci_conn_hash_lookup_handle(hdev, handle);
7312 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7313 hci_connect_cfm(bis, ev->status);
7316 hci_dev_unlock(hdev);
7319 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7320 struct sk_buff *skb)
7322 struct hci_evt_le_big_info_adv_report *ev = data;
7323 int mask = hdev->link_mode;
7325 struct hci_conn *pa_sync;
7327 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7331 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7332 if (!(mask & HCI_LM_ACCEPT)) {
7333 hci_le_pa_term_sync(hdev, ev->sync_handle);
7337 if (!(flags & HCI_PROTO_DEFER))
7340 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7342 le16_to_cpu(ev->sync_handle));
7347 /* Add connection to indicate the PA sync event */
7348 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7354 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7355 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7357 /* Notify iso layer */
7358 hci_connect_cfm(pa_sync, 0x00);
7361 hci_dev_unlock(hdev);
7364 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7367 .min_len = _min_len, \
7368 .max_len = _max_len, \
7371 #define HCI_LE_EV(_op, _func, _len) \
7372 HCI_LE_EV_VL(_op, _func, _len, _len)
7374 #define HCI_LE_EV_STATUS(_op, _func) \
7375 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7377 /* Entries in this table shall have their position according to the subevent
7378 * opcode they handle so the use of the macros above is recommend since it does
7379 * attempt to initialize at its proper index using Designated Initializers that
7380 * way events without a callback function can be ommited.
7382 static const struct hci_le_ev {
7383 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7386 } hci_le_ev_table[U8_MAX + 1] = {
7387 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7388 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7389 sizeof(struct hci_ev_le_conn_complete)),
7390 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7391 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7392 sizeof(struct hci_ev_le_advertising_report),
7393 HCI_MAX_EVENT_SIZE),
7394 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7395 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7396 hci_le_conn_update_complete_evt,
7397 sizeof(struct hci_ev_le_conn_update_complete)),
7398 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7399 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7400 hci_le_remote_feat_complete_evt,
7401 sizeof(struct hci_ev_le_remote_feat_complete)),
7402 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7403 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7404 sizeof(struct hci_ev_le_ltk_req)),
7405 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7406 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7407 hci_le_remote_conn_param_req_evt,
7408 sizeof(struct hci_ev_le_remote_conn_param_req)),
7409 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7410 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7411 hci_le_enh_conn_complete_evt,
7412 sizeof(struct hci_ev_le_enh_conn_complete)),
7413 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7414 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7415 sizeof(struct hci_ev_le_direct_adv_report),
7416 HCI_MAX_EVENT_SIZE),
7417 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7418 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7419 sizeof(struct hci_ev_le_phy_update_complete)),
7420 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7421 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7422 sizeof(struct hci_ev_le_ext_adv_report),
7423 HCI_MAX_EVENT_SIZE),
7424 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7425 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7426 hci_le_pa_sync_estabilished_evt,
7427 sizeof(struct hci_ev_le_pa_sync_established)),
7428 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7429 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7430 hci_le_per_adv_report_evt,
7431 sizeof(struct hci_ev_le_per_adv_report),
7432 HCI_MAX_EVENT_SIZE),
7433 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7434 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7435 sizeof(struct hci_evt_le_ext_adv_set_term)),
7436 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7437 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7438 sizeof(struct hci_evt_le_cis_established)),
7439 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7440 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7441 sizeof(struct hci_evt_le_cis_req)),
7442 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7443 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7444 hci_le_create_big_complete_evt,
7445 sizeof(struct hci_evt_le_create_big_complete),
7446 HCI_MAX_EVENT_SIZE),
7447 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7448 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7449 hci_le_big_sync_established_evt,
7450 sizeof(struct hci_evt_le_big_sync_estabilished),
7451 HCI_MAX_EVENT_SIZE),
7452 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7453 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7454 hci_le_big_info_adv_report_evt,
7455 sizeof(struct hci_evt_le_big_info_adv_report),
7456 HCI_MAX_EVENT_SIZE),
7459 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7460 struct sk_buff *skb, u16 *opcode, u8 *status,
7461 hci_req_complete_t *req_complete,
7462 hci_req_complete_skb_t *req_complete_skb)
7464 struct hci_ev_le_meta *ev = data;
7465 const struct hci_le_ev *subev;
7467 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7469 /* Only match event if command OGF is for LE */
7470 if (hdev->sent_cmd &&
7471 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7472 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7473 *opcode = hci_skb_opcode(hdev->sent_cmd);
7474 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7478 subev = &hci_le_ev_table[ev->subevent];
7482 if (skb->len < subev->min_len) {
7483 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7484 ev->subevent, skb->len, subev->min_len);
7488 /* Just warn if the length is over max_len size it still be
7489 * possible to partially parse the event so leave to callback to
7490 * decide if that is acceptable.
7492 if (skb->len > subev->max_len)
7493 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7494 ev->subevent, skb->len, subev->max_len);
7495 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7499 subev->func(hdev, data, skb);
7502 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7503 u8 event, struct sk_buff *skb)
7505 struct hci_ev_cmd_complete *ev;
7506 struct hci_event_hdr *hdr;
7511 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7516 if (hdr->evt != event)
7521 /* Check if request ended in Command Status - no way to retrieve
7522 * any extra parameters in this case.
7524 if (hdr->evt == HCI_EV_CMD_STATUS)
7527 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7528 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7533 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7537 if (opcode != __le16_to_cpu(ev->opcode)) {
7538 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7539 __le16_to_cpu(ev->opcode));
7546 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7547 struct sk_buff *skb)
7549 struct hci_ev_le_advertising_info *adv;
7550 struct hci_ev_le_direct_adv_info *direct_adv;
7551 struct hci_ev_le_ext_adv_info *ext_adv;
7552 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7553 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7557 /* If we are currently suspended and this is the first BT event seen,
7558 * save the wake reason associated with the event.
7560 if (!hdev->suspended || hdev->wake_reason)
7563 /* Default to remote wake. Values for wake_reason are documented in the
7564 * Bluez mgmt api docs.
7566 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7568 /* Once configured for remote wakeup, we should only wake up for
7569 * reconnections. It's useful to see which device is waking us up so
7570 * keep track of the bdaddr of the connection event that woke us up.
7572 if (event == HCI_EV_CONN_REQUEST) {
7573 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7574 hdev->wake_addr_type = BDADDR_BREDR;
7575 } else if (event == HCI_EV_CONN_COMPLETE) {
7576 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7577 hdev->wake_addr_type = BDADDR_BREDR;
7578 } else if (event == HCI_EV_LE_META) {
7579 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7580 u8 subevent = le_ev->subevent;
7581 u8 *ptr = &skb->data[sizeof(*le_ev)];
7582 u8 num_reports = *ptr;
7584 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7585 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7586 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7588 adv = (void *)(ptr + 1);
7589 direct_adv = (void *)(ptr + 1);
7590 ext_adv = (void *)(ptr + 1);
7593 case HCI_EV_LE_ADVERTISING_REPORT:
7594 bacpy(&hdev->wake_addr, &adv->bdaddr);
7595 hdev->wake_addr_type = adv->bdaddr_type;
7597 case HCI_EV_LE_DIRECT_ADV_REPORT:
7598 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7599 hdev->wake_addr_type = direct_adv->bdaddr_type;
7601 case HCI_EV_LE_EXT_ADV_REPORT:
7602 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7603 hdev->wake_addr_type = ext_adv->bdaddr_type;
7608 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7612 hci_dev_unlock(hdev);
7615 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7619 .min_len = _min_len, \
7620 .max_len = _max_len, \
7623 #define HCI_EV(_op, _func, _len) \
7624 HCI_EV_VL(_op, _func, _len, _len)
7626 #define HCI_EV_STATUS(_op, _func) \
7627 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7629 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7632 .func_req = _func, \
7633 .min_len = _min_len, \
7634 .max_len = _max_len, \
7637 #define HCI_EV_REQ(_op, _func, _len) \
7638 HCI_EV_REQ_VL(_op, _func, _len, _len)
7640 /* Entries in this table shall have their position according to the event opcode
7641 * they handle so the use of the macros above is recommend since it does attempt
7642 * to initialize at its proper index using Designated Initializers that way
7643 * events without a callback function don't have entered.
7645 static const struct hci_ev {
7648 void (*func)(struct hci_dev *hdev, void *data,
7649 struct sk_buff *skb);
7650 void (*func_req)(struct hci_dev *hdev, void *data,
7651 struct sk_buff *skb, u16 *opcode, u8 *status,
7652 hci_req_complete_t *req_complete,
7653 hci_req_complete_skb_t *req_complete_skb);
7657 } hci_ev_table[U8_MAX + 1] = {
7658 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7659 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7660 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7661 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7662 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7663 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7664 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7665 sizeof(struct hci_ev_conn_complete)),
7666 /* [0x04 = HCI_EV_CONN_REQUEST] */
7667 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7668 sizeof(struct hci_ev_conn_request)),
7669 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7670 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7671 sizeof(struct hci_ev_disconn_complete)),
7672 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7673 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7674 sizeof(struct hci_ev_auth_complete)),
7675 /* [0x07 = HCI_EV_REMOTE_NAME] */
7676 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7677 sizeof(struct hci_ev_remote_name)),
7678 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7679 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7680 sizeof(struct hci_ev_encrypt_change)),
7681 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7682 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7683 hci_change_link_key_complete_evt,
7684 sizeof(struct hci_ev_change_link_key_complete)),
7685 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7686 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7687 sizeof(struct hci_ev_remote_features)),
7688 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7689 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7690 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7691 /* [0x0f = HCI_EV_CMD_STATUS] */
7692 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7693 sizeof(struct hci_ev_cmd_status)),
7694 /* [0x10 = HCI_EV_CMD_STATUS] */
7695 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7696 sizeof(struct hci_ev_hardware_error)),
7697 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7698 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7699 sizeof(struct hci_ev_role_change)),
7700 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7701 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7702 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7703 /* [0x14 = HCI_EV_MODE_CHANGE] */
7704 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7705 sizeof(struct hci_ev_mode_change)),
7706 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7707 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7708 sizeof(struct hci_ev_pin_code_req)),
7709 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7710 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7711 sizeof(struct hci_ev_link_key_req)),
7712 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7713 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7714 sizeof(struct hci_ev_link_key_notify)),
7715 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7716 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7717 sizeof(struct hci_ev_clock_offset)),
7718 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7719 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7720 sizeof(struct hci_ev_pkt_type_change)),
7721 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7722 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7723 sizeof(struct hci_ev_pscan_rep_mode)),
7724 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7725 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7726 hci_inquiry_result_with_rssi_evt,
7727 sizeof(struct hci_ev_inquiry_result_rssi),
7728 HCI_MAX_EVENT_SIZE),
7729 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7730 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7731 sizeof(struct hci_ev_remote_ext_features)),
7732 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7733 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7734 sizeof(struct hci_ev_sync_conn_complete)),
7735 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7736 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7737 hci_extended_inquiry_result_evt,
7738 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7739 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7740 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7741 sizeof(struct hci_ev_key_refresh_complete)),
7742 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7743 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7744 sizeof(struct hci_ev_io_capa_request)),
7745 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7746 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7747 sizeof(struct hci_ev_io_capa_reply)),
7748 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7749 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7750 sizeof(struct hci_ev_user_confirm_req)),
7751 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7752 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7753 sizeof(struct hci_ev_user_passkey_req)),
7754 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7755 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7756 sizeof(struct hci_ev_remote_oob_data_request)),
7757 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7758 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7759 sizeof(struct hci_ev_simple_pair_complete)),
7760 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7761 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7762 sizeof(struct hci_ev_user_passkey_notify)),
7763 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7764 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7765 sizeof(struct hci_ev_keypress_notify)),
7766 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7767 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7768 sizeof(struct hci_ev_remote_host_features)),
7769 /* [0x3e = HCI_EV_LE_META] */
7770 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7771 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7772 #if IS_ENABLED(CONFIG_BT_HS)
7773 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7774 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7775 sizeof(struct hci_ev_phy_link_complete)),
7776 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7777 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7778 sizeof(struct hci_ev_channel_selected)),
7779 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7780 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7781 hci_disconn_loglink_complete_evt,
7782 sizeof(struct hci_ev_disconn_logical_link_complete)),
7783 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7784 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7785 sizeof(struct hci_ev_logical_link_complete)),
7786 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7787 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7788 hci_disconn_phylink_complete_evt,
7789 sizeof(struct hci_ev_disconn_phy_link_complete)),
7791 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7792 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7793 sizeof(struct hci_ev_num_comp_blocks)),
7795 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7796 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7797 sizeof(struct hci_ev_vendor_specific)),
7799 /* [0xff = HCI_EV_VENDOR] */
7800 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7804 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7805 u16 *opcode, u8 *status,
7806 hci_req_complete_t *req_complete,
7807 hci_req_complete_skb_t *req_complete_skb)
7809 const struct hci_ev *ev = &hci_ev_table[event];
7815 if (skb->len < ev->min_len) {
7816 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7817 event, skb->len, ev->min_len);
7821 /* Just warn if the length is over max_len size it still be
7822 * possible to partially parse the event so leave to callback to
7823 * decide if that is acceptable.
7825 if (skb->len > ev->max_len)
7826 bt_dev_warn_ratelimited(hdev,
7827 "unexpected event 0x%2.2x length: %u > %u",
7828 event, skb->len, ev->max_len);
7830 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7835 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7838 ev->func(hdev, data, skb);
7841 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7843 struct hci_event_hdr *hdr = (void *) skb->data;
7844 hci_req_complete_t req_complete = NULL;
7845 hci_req_complete_skb_t req_complete_skb = NULL;
7846 struct sk_buff *orig_skb = NULL;
7847 u8 status = 0, event, req_evt = 0;
7848 u16 opcode = HCI_OP_NOP;
7850 if (skb->len < sizeof(*hdr)) {
7851 bt_dev_err(hdev, "Malformed HCI Event");
7855 kfree_skb(hdev->recv_event);
7856 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7860 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7865 /* Only match event if command OGF is not for LE */
7866 if (hdev->sent_cmd &&
7867 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7868 hci_skb_event(hdev->sent_cmd) == event) {
7869 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7870 status, &req_complete, &req_complete_skb);
7874 /* If it looks like we might end up having to call
7875 * req_complete_skb, store a pristine copy of the skb since the
7876 * various handlers may modify the original one through
7877 * skb_pull() calls, etc.
7879 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7880 event == HCI_EV_CMD_COMPLETE)
7881 orig_skb = skb_clone(skb, GFP_KERNEL);
7883 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7885 /* Store wake reason if we're suspended */
7886 hci_store_wake_reason(hdev, event, skb);
7888 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7890 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7894 req_complete(hdev, status, opcode);
7895 } else if (req_complete_skb) {
7896 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7897 kfree_skb(orig_skb);
7900 req_complete_skb(hdev, status, opcode, orig_skb);
7904 kfree_skb(orig_skb);
7906 hdev->stat.evt_rx++;