2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 "\x00\x00\x00\x00\x00\x00\x00\x00"
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
50 /* Handle HCI Event packets */
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
57 data = skb_pull_data(skb, len);
59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
69 data = skb_pull_data(skb, len);
71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
81 data = skb_pull_data(skb, len);
83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
91 struct hci_ev_status *rp = data;
93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
95 /* It is possible that we receive Inquiry Complete event right
96 * before we receive Inquiry Cancel Command Complete event, in
97 * which case the latter event should have status of Command
98 * Disallowed (0x0c). This should not be treated as error, since
99 * we actually achieve what Inquiry Cancel wants to achieve,
100 * which is to end the last Inquiry session.
102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
110 clear_bit(HCI_INQUIRY, &hdev->flags);
111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 wake_up_bit(&hdev->flags, HCI_INQUIRY);
115 /* Set discovery state to stopped if we're not doing LE active
118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 hdev->le_scan_type != LE_SCAN_ACTIVE)
120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 hci_dev_unlock(hdev);
123 hci_conn_check_pending(hdev);
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
131 struct hci_ev_status *rp = data;
133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
146 struct hci_ev_status *rp = data;
148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
155 hci_conn_check_pending(hdev);
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
163 struct hci_ev_status *rp = data;
165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
173 struct hci_rp_role_discovery *rp = data;
174 struct hci_conn *conn;
176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
185 conn->role = rp->role;
187 hci_dev_unlock(hdev);
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
195 struct hci_rp_read_link_policy *rp = data;
196 struct hci_conn *conn;
198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
207 conn->link_policy = __le16_to_cpu(rp->policy);
209 hci_dev_unlock(hdev);
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
217 struct hci_rp_write_link_policy *rp = data;
218 struct hci_conn *conn;
221 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
226 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
234 conn->link_policy = get_unaligned_le16(sent + 2);
236 hci_dev_unlock(hdev);
241 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
244 struct hci_rp_read_def_link_policy *rp = data;
246 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
251 hdev->link_policy = __le16_to_cpu(rp->policy);
256 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
259 struct hci_ev_status *rp = data;
262 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
271 hdev->link_policy = get_unaligned_le16(sent);
276 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
278 struct hci_ev_status *rp = data;
280 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
282 clear_bit(HCI_RESET, &hdev->flags);
287 /* Reset all non-persistent flags */
288 hci_dev_clear_volatile_flags(hdev);
290 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
292 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
293 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
295 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
296 hdev->adv_data_len = 0;
298 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
299 hdev->scan_rsp_data_len = 0;
301 hdev->le_scan_type = LE_SCAN_PASSIVE;
303 hdev->ssp_debug_mode = 0;
305 hci_bdaddr_list_clear(&hdev->le_accept_list);
306 hci_bdaddr_list_clear(&hdev->le_resolv_list);
311 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
314 struct hci_rp_read_stored_link_key *rp = data;
315 struct hci_cp_read_stored_link_key *sent;
317 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
319 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
323 if (!rp->status && sent->read_all == 0x01) {
324 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
325 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
331 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
334 struct hci_rp_delete_stored_link_key *rp = data;
337 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
342 num_keys = le16_to_cpu(rp->num_keys);
344 if (num_keys <= hdev->stored_num_keys)
345 hdev->stored_num_keys -= num_keys;
347 hdev->stored_num_keys = 0;
352 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
355 struct hci_ev_status *rp = data;
358 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
360 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
366 if (hci_dev_test_flag(hdev, HCI_MGMT))
367 mgmt_set_local_name_complete(hdev, sent, rp->status);
368 else if (!rp->status)
369 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
371 hci_dev_unlock(hdev);
376 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
379 struct hci_rp_read_local_name *rp = data;
381 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
386 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
387 hci_dev_test_flag(hdev, HCI_CONFIG))
388 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
393 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
396 struct hci_ev_status *rp = data;
399 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
401 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
408 __u8 param = *((__u8 *) sent);
410 if (param == AUTH_ENABLED)
411 set_bit(HCI_AUTH, &hdev->flags);
413 clear_bit(HCI_AUTH, &hdev->flags);
416 if (hci_dev_test_flag(hdev, HCI_MGMT))
417 mgmt_auth_enable_complete(hdev, rp->status);
419 hci_dev_unlock(hdev);
424 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
427 struct hci_ev_status *rp = data;
431 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
436 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
440 param = *((__u8 *) sent);
443 set_bit(HCI_ENCRYPT, &hdev->flags);
445 clear_bit(HCI_ENCRYPT, &hdev->flags);
450 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
453 struct hci_ev_status *rp = data;
457 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
459 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
463 param = *((__u8 *) sent);
468 hdev->discov_timeout = 0;
472 if (param & SCAN_INQUIRY)
473 set_bit(HCI_ISCAN, &hdev->flags);
475 clear_bit(HCI_ISCAN, &hdev->flags);
477 if (param & SCAN_PAGE)
478 set_bit(HCI_PSCAN, &hdev->flags);
480 clear_bit(HCI_PSCAN, &hdev->flags);
483 hci_dev_unlock(hdev);
488 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
491 struct hci_ev_status *rp = data;
492 struct hci_cp_set_event_filter *cp;
495 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
500 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
504 cp = (struct hci_cp_set_event_filter *)sent;
506 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
507 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
509 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
514 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
517 struct hci_rp_read_class_of_dev *rp = data;
520 return HCI_ERROR_UNSPECIFIED;
522 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
527 memcpy(hdev->dev_class, rp->dev_class, 3);
529 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
530 hdev->dev_class[1], hdev->dev_class[0]);
535 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
538 struct hci_ev_status *rp = data;
541 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
543 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
550 memcpy(hdev->dev_class, sent, 3);
552 if (hci_dev_test_flag(hdev, HCI_MGMT))
553 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
555 hci_dev_unlock(hdev);
560 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
563 struct hci_rp_read_voice_setting *rp = data;
566 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
571 setting = __le16_to_cpu(rp->voice_setting);
573 if (hdev->voice_setting == setting)
576 hdev->voice_setting = setting;
578 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
581 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
586 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
589 struct hci_ev_status *rp = data;
593 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
598 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
602 setting = get_unaligned_le16(sent);
604 if (hdev->voice_setting == setting)
607 hdev->voice_setting = setting;
609 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
612 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
617 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
620 struct hci_rp_read_num_supported_iac *rp = data;
622 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
627 hdev->num_iac = rp->num_iac;
629 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
634 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
637 struct hci_ev_status *rp = data;
638 struct hci_cp_write_ssp_mode *sent;
640 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
642 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
650 hdev->features[1][0] |= LMP_HOST_SSP;
652 hdev->features[1][0] &= ~LMP_HOST_SSP;
657 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
659 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
662 hci_dev_unlock(hdev);
667 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
670 struct hci_ev_status *rp = data;
671 struct hci_cp_write_sc_support *sent;
673 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
675 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
683 hdev->features[1][0] |= LMP_HOST_SC;
685 hdev->features[1][0] &= ~LMP_HOST_SC;
688 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
690 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
692 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
695 hci_dev_unlock(hdev);
700 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
703 struct hci_rp_read_local_version *rp = data;
705 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
710 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
711 hci_dev_test_flag(hdev, HCI_CONFIG)) {
712 hdev->hci_ver = rp->hci_ver;
713 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
714 hdev->lmp_ver = rp->lmp_ver;
715 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
716 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
722 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
725 struct hci_rp_read_enc_key_size *rp = data;
726 struct hci_conn *conn;
728 u8 status = rp->status;
730 bt_dev_dbg(hdev, "status 0x%2.2x", status);
732 handle = le16_to_cpu(rp->handle);
736 conn = hci_conn_hash_lookup_handle(hdev, handle);
742 /* While unexpected, the read_enc_key_size command may fail. The most
743 * secure approach is to then assume the key size is 0 to force a
747 bt_dev_err(hdev, "failed to read key size for handle %u",
749 conn->enc_key_size = 0;
751 conn->enc_key_size = rp->key_size;
754 if (conn->enc_key_size < hdev->min_enc_key_size) {
755 /* As slave role, the conn->state has been set to
756 * BT_CONNECTED and l2cap conn req might not be received
757 * yet, at this moment the l2cap layer almost does
758 * nothing with the non-zero status.
759 * So we also clear encrypt related bits, and then the
760 * handler of l2cap conn req will get the right secure
761 * state at a later time.
763 status = HCI_ERROR_AUTH_FAILURE;
764 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
765 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
769 hci_encrypt_cfm(conn, status);
772 hci_dev_unlock(hdev);
777 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
780 struct hci_rp_read_local_commands *rp = data;
782 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
787 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
788 hci_dev_test_flag(hdev, HCI_CONFIG))
789 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
794 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
797 struct hci_rp_read_auth_payload_to *rp = data;
798 struct hci_conn *conn;
800 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
807 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
809 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
811 hci_dev_unlock(hdev);
816 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
819 struct hci_rp_write_auth_payload_to *rp = data;
820 struct hci_conn *conn;
823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
825 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
831 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
838 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
841 hci_dev_unlock(hdev);
846 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
849 struct hci_rp_read_local_features *rp = data;
851 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
856 memcpy(hdev->features, rp->features, 8);
858 /* Adjust default settings according to features
859 * supported by device. */
861 if (hdev->features[0][0] & LMP_3SLOT)
862 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
864 if (hdev->features[0][0] & LMP_5SLOT)
865 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
867 if (hdev->features[0][1] & LMP_HV2) {
868 hdev->pkt_type |= (HCI_HV2);
869 hdev->esco_type |= (ESCO_HV2);
872 if (hdev->features[0][1] & LMP_HV3) {
873 hdev->pkt_type |= (HCI_HV3);
874 hdev->esco_type |= (ESCO_HV3);
877 if (lmp_esco_capable(hdev))
878 hdev->esco_type |= (ESCO_EV3);
880 if (hdev->features[0][4] & LMP_EV4)
881 hdev->esco_type |= (ESCO_EV4);
883 if (hdev->features[0][4] & LMP_EV5)
884 hdev->esco_type |= (ESCO_EV5);
886 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
887 hdev->esco_type |= (ESCO_2EV3);
889 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
890 hdev->esco_type |= (ESCO_3EV3);
892 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
893 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
898 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
901 struct hci_rp_read_local_ext_features *rp = data;
903 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
908 if (hdev->max_page < rp->max_page) {
909 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
911 bt_dev_warn(hdev, "broken local ext features page 2");
913 hdev->max_page = rp->max_page;
916 if (rp->page < HCI_MAX_PAGES)
917 memcpy(hdev->features[rp->page], rp->features, 8);
922 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
925 struct hci_rp_read_flow_control_mode *rp = data;
927 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
932 hdev->flow_ctl_mode = rp->mode;
937 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
940 struct hci_rp_read_buffer_size *rp = data;
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
947 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
948 hdev->sco_mtu = rp->sco_mtu;
949 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
950 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
952 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
957 hdev->acl_cnt = hdev->acl_pkts;
958 hdev->sco_cnt = hdev->sco_pkts;
960 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
961 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
966 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
969 struct hci_rp_read_bd_addr *rp = data;
971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
976 if (test_bit(HCI_INIT, &hdev->flags))
977 bacpy(&hdev->bdaddr, &rp->bdaddr);
979 if (hci_dev_test_flag(hdev, HCI_SETUP))
980 bacpy(&hdev->setup_addr, &rp->bdaddr);
985 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
988 struct hci_rp_read_local_pairing_opts *rp = data;
990 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
995 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
996 hci_dev_test_flag(hdev, HCI_CONFIG)) {
997 hdev->pairing_opts = rp->pairing_opts;
998 hdev->max_enc_key_size = rp->max_key_size;
1004 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1005 struct sk_buff *skb)
1007 struct hci_rp_read_page_scan_activity *rp = data;
1009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1014 if (test_bit(HCI_INIT, &hdev->flags)) {
1015 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1016 hdev->page_scan_window = __le16_to_cpu(rp->window);
1022 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1023 struct sk_buff *skb)
1025 struct hci_ev_status *rp = data;
1026 struct hci_cp_write_page_scan_activity *sent;
1028 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1037 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1038 hdev->page_scan_window = __le16_to_cpu(sent->window);
1043 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1044 struct sk_buff *skb)
1046 struct hci_rp_read_page_scan_type *rp = data;
1048 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1053 if (test_bit(HCI_INIT, &hdev->flags))
1054 hdev->page_scan_type = rp->type;
1059 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1060 struct sk_buff *skb)
1062 struct hci_ev_status *rp = data;
1065 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1070 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1072 hdev->page_scan_type = *type;
1077 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1078 struct sk_buff *skb)
1080 struct hci_rp_read_data_block_size *rp = data;
1082 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1087 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1088 hdev->block_len = __le16_to_cpu(rp->block_len);
1089 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1091 hdev->block_cnt = hdev->num_blocks;
1093 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1094 hdev->block_cnt, hdev->block_len);
1099 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1100 struct sk_buff *skb)
1102 struct hci_rp_read_clock *rp = data;
1103 struct hci_cp_read_clock *cp;
1104 struct hci_conn *conn;
1106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1113 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1117 if (cp->which == 0x00) {
1118 hdev->clock = le32_to_cpu(rp->clock);
1122 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1124 conn->clock = le32_to_cpu(rp->clock);
1125 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1129 hci_dev_unlock(hdev);
1133 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1134 struct sk_buff *skb)
1136 struct hci_rp_read_local_amp_info *rp = data;
1138 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1143 hdev->amp_status = rp->amp_status;
1144 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1145 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1146 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1147 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1148 hdev->amp_type = rp->amp_type;
1149 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1150 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1151 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1152 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1157 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1158 struct sk_buff *skb)
1160 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1167 hdev->inq_tx_power = rp->tx_power;
1172 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1173 struct sk_buff *skb)
1175 struct hci_rp_read_def_err_data_reporting *rp = data;
1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1182 hdev->err_data_reporting = rp->err_data_reporting;
1187 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 struct sk_buff *skb)
1190 struct hci_ev_status *rp = data;
1191 struct hci_cp_write_def_err_data_reporting *cp;
1193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1198 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1202 hdev->err_data_reporting = cp->err_data_reporting;
1207 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1208 struct sk_buff *skb)
1210 struct hci_rp_pin_code_reply *rp = data;
1211 struct hci_cp_pin_code_reply *cp;
1212 struct hci_conn *conn;
1214 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1218 if (hci_dev_test_flag(hdev, HCI_MGMT))
1219 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1224 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1228 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1230 conn->pin_length = cp->pin_len;
1233 hci_dev_unlock(hdev);
1237 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1238 struct sk_buff *skb)
1240 struct hci_rp_pin_code_neg_reply *rp = data;
1242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1246 if (hci_dev_test_flag(hdev, HCI_MGMT))
1247 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1250 hci_dev_unlock(hdev);
1255 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1256 struct sk_buff *skb)
1258 struct hci_rp_le_read_buffer_size *rp = data;
1260 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1265 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1266 hdev->le_pkts = rp->le_max_pkt;
1268 hdev->le_cnt = hdev->le_pkts;
1270 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1275 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_local_features *rp = data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 memcpy(hdev->le_features, rp->features, 8);
1290 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_adv_tx_power *rp = data;
1295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1300 hdev->adv_tx_power = rp->tx_power;
1305 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_user_confirm_reply *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1314 if (hci_dev_test_flag(hdev, HCI_MGMT))
1315 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1318 hci_dev_unlock(hdev);
1323 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1324 struct sk_buff *skb)
1326 struct hci_rp_user_confirm_reply *rp = data;
1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1332 if (hci_dev_test_flag(hdev, HCI_MGMT))
1333 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1334 ACL_LINK, 0, rp->status);
1336 hci_dev_unlock(hdev);
1341 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1342 struct sk_buff *skb)
1344 struct hci_rp_user_confirm_reply *rp = data;
1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1350 if (hci_dev_test_flag(hdev, HCI_MGMT))
1351 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1354 hci_dev_unlock(hdev);
1359 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1360 struct sk_buff *skb)
1362 struct hci_rp_user_confirm_reply *rp = data;
1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1368 if (hci_dev_test_flag(hdev, HCI_MGMT))
1369 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1370 ACL_LINK, 0, rp->status);
1372 hci_dev_unlock(hdev);
1377 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1378 struct sk_buff *skb)
1380 struct hci_rp_read_local_oob_data *rp = data;
1382 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1387 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1388 struct sk_buff *skb)
1390 struct hci_rp_read_local_oob_ext_data *rp = data;
1392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1397 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1398 struct sk_buff *skb)
1400 struct hci_ev_status *rp = data;
1403 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1408 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1414 bacpy(&hdev->random_addr, sent);
1416 if (!bacmp(&hdev->rpa, sent)) {
1417 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1418 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1419 secs_to_jiffies(hdev->rpa_timeout));
1422 hci_dev_unlock(hdev);
1427 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1428 struct sk_buff *skb)
1430 struct hci_ev_status *rp = data;
1431 struct hci_cp_le_set_default_phy *cp;
1433 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1444 hdev->le_tx_def_phys = cp->tx_phys;
1445 hdev->le_rx_def_phys = cp->rx_phys;
1447 hci_dev_unlock(hdev);
1452 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1453 struct sk_buff *skb)
1455 struct hci_ev_status *rp = data;
1456 struct hci_cp_le_set_adv_set_rand_addr *cp;
1457 struct adv_info *adv;
1459 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1465 /* Update only in case the adv instance since handle 0x00 shall be using
1466 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1467 * non-extended adverting.
1469 if (!cp || !cp->handle)
1474 adv = hci_find_adv_instance(hdev, cp->handle);
1476 bacpy(&adv->random_addr, &cp->bdaddr);
1477 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1478 adv->rpa_expired = false;
1479 queue_delayed_work(hdev->workqueue,
1480 &adv->rpa_expired_cb,
1481 secs_to_jiffies(hdev->rpa_timeout));
1485 hci_dev_unlock(hdev);
1490 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1491 struct sk_buff *skb)
1493 struct hci_ev_status *rp = data;
1497 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1502 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1508 err = hci_remove_adv_instance(hdev, *instance);
1510 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1513 hci_dev_unlock(hdev);
1518 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1519 struct sk_buff *skb)
1521 struct hci_ev_status *rp = data;
1522 struct adv_info *adv, *n;
1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1530 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1535 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1536 u8 instance = adv->instance;
1538 err = hci_remove_adv_instance(hdev, instance);
1540 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1544 hci_dev_unlock(hdev);
1549 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1550 struct sk_buff *skb)
1552 struct hci_rp_le_read_transmit_power *rp = data;
1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1559 hdev->min_le_tx_power = rp->min_le_tx_power;
1560 hdev->max_le_tx_power = rp->max_le_tx_power;
1565 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1566 struct sk_buff *skb)
1568 struct hci_ev_status *rp = data;
1569 struct hci_cp_le_set_privacy_mode *cp;
1570 struct hci_conn_params *params;
1572 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1577 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1583 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1585 WRITE_ONCE(params->privacy_mode, cp->mode);
1587 hci_dev_unlock(hdev);
1592 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1593 struct sk_buff *skb)
1595 struct hci_ev_status *rp = data;
1598 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1603 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1609 /* If we're doing connection initiation as peripheral. Set a
1610 * timeout in case something goes wrong.
1613 struct hci_conn *conn;
1615 hci_dev_set_flag(hdev, HCI_LE_ADV);
1617 conn = hci_lookup_le_connect(hdev);
1619 queue_delayed_work(hdev->workqueue,
1620 &conn->le_conn_timeout,
1621 conn->conn_timeout);
1623 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1626 hci_dev_unlock(hdev);
1631 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1632 struct sk_buff *skb)
1634 struct hci_cp_le_set_ext_adv_enable *cp;
1635 struct hci_cp_ext_adv_set *set;
1636 struct adv_info *adv = NULL, *n;
1637 struct hci_ev_status *rp = data;
1639 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1644 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1648 set = (void *)cp->data;
1652 if (cp->num_of_sets)
1653 adv = hci_find_adv_instance(hdev, set->handle);
1656 struct hci_conn *conn;
1658 hci_dev_set_flag(hdev, HCI_LE_ADV);
1660 if (adv && !adv->periodic)
1661 adv->enabled = true;
1663 conn = hci_lookup_le_connect(hdev);
1665 queue_delayed_work(hdev->workqueue,
1666 &conn->le_conn_timeout,
1667 conn->conn_timeout);
1669 if (cp->num_of_sets) {
1671 adv->enabled = false;
1673 /* If just one instance was disabled check if there are
1674 * any other instance enabled before clearing HCI_LE_ADV
1676 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1682 /* All instances shall be considered disabled */
1683 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1685 adv->enabled = false;
1688 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1692 hci_dev_unlock(hdev);
1696 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1697 struct sk_buff *skb)
1699 struct hci_cp_le_set_scan_param *cp;
1700 struct hci_ev_status *rp = data;
1702 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1707 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1713 hdev->le_scan_type = cp->type;
1715 hci_dev_unlock(hdev);
1720 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1721 struct sk_buff *skb)
1723 struct hci_cp_le_set_ext_scan_params *cp;
1724 struct hci_ev_status *rp = data;
1725 struct hci_cp_le_scan_phy_params *phy_param;
1727 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1732 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1736 phy_param = (void *)cp->data;
1740 hdev->le_scan_type = phy_param->type;
1742 hci_dev_unlock(hdev);
1747 static bool has_pending_adv_report(struct hci_dev *hdev)
1749 struct discovery_state *d = &hdev->discovery;
1751 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1754 static void clear_pending_adv_report(struct hci_dev *hdev)
1756 struct discovery_state *d = &hdev->discovery;
1758 bacpy(&d->last_adv_addr, BDADDR_ANY);
1759 d->last_adv_data_len = 0;
1762 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1763 u8 bdaddr_type, s8 rssi, u32 flags,
1766 struct discovery_state *d = &hdev->discovery;
1768 if (len > max_adv_len(hdev))
1771 bacpy(&d->last_adv_addr, bdaddr);
1772 d->last_adv_addr_type = bdaddr_type;
1773 d->last_adv_rssi = rssi;
1774 d->last_adv_flags = flags;
1775 memcpy(d->last_adv_data, data, len);
1776 d->last_adv_data_len = len;
1779 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1784 case LE_SCAN_ENABLE:
1785 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1786 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1787 clear_pending_adv_report(hdev);
1788 if (hci_dev_test_flag(hdev, HCI_MESH))
1789 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1792 case LE_SCAN_DISABLE:
1793 /* We do this here instead of when setting DISCOVERY_STOPPED
1794 * since the latter would potentially require waiting for
1795 * inquiry to stop too.
1797 if (has_pending_adv_report(hdev)) {
1798 struct discovery_state *d = &hdev->discovery;
1800 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1801 d->last_adv_addr_type, NULL,
1802 d->last_adv_rssi, d->last_adv_flags,
1804 d->last_adv_data_len, NULL, 0, 0);
1807 /* Cancel this timer so that we don't try to disable scanning
1808 * when it's already disabled.
1810 cancel_delayed_work(&hdev->le_scan_disable);
1812 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1814 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1815 * interrupted scanning due to a connect request. Mark
1816 * therefore discovery as stopped.
1818 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1819 #ifndef TIZEN_BT /* The below line is kernel bug. */
1820 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1822 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1824 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1825 hdev->discovery.state == DISCOVERY_FINDING)
1826 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1831 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1836 hci_dev_unlock(hdev);
1839 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1840 struct sk_buff *skb)
1842 struct hci_cp_le_set_scan_enable *cp;
1843 struct hci_ev_status *rp = data;
1845 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1850 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1854 le_set_scan_enable_complete(hdev, cp->enable);
1859 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1860 struct sk_buff *skb)
1862 struct hci_cp_le_set_ext_scan_enable *cp;
1863 struct hci_ev_status *rp = data;
1865 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1870 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1874 le_set_scan_enable_complete(hdev, cp->enable);
1879 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1880 struct sk_buff *skb)
1882 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1884 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1890 hdev->le_num_of_adv_sets = rp->num_of_sets;
1895 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1896 struct sk_buff *skb)
1898 struct hci_rp_le_read_accept_list_size *rp = data;
1900 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1905 hdev->le_accept_list_size = rp->size;
1910 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1911 struct sk_buff *skb)
1913 struct hci_ev_status *rp = data;
1915 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1921 hci_bdaddr_list_clear(&hdev->le_accept_list);
1922 hci_dev_unlock(hdev);
1927 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1928 struct sk_buff *skb)
1930 struct hci_cp_le_add_to_accept_list *sent;
1931 struct hci_ev_status *rp = data;
1933 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1938 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1943 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1945 hci_dev_unlock(hdev);
1950 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1951 struct sk_buff *skb)
1953 struct hci_cp_le_del_from_accept_list *sent;
1954 struct hci_ev_status *rp = data;
1956 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1961 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1966 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1968 hci_dev_unlock(hdev);
1973 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1974 struct sk_buff *skb)
1976 struct hci_rp_le_read_supported_states *rp = data;
1978 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1983 memcpy(hdev->le_states, rp->le_states, 8);
1988 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1989 struct sk_buff *skb)
1991 struct hci_rp_le_read_def_data_len *rp = data;
1993 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1998 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1999 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2004 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2005 struct sk_buff *skb)
2007 struct hci_cp_le_write_def_data_len *sent;
2008 struct hci_ev_status *rp = data;
2010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2015 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2019 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2020 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2025 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2026 struct sk_buff *skb)
2028 struct hci_cp_le_add_to_resolv_list *sent;
2029 struct hci_ev_status *rp = data;
2031 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2036 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2041 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2042 sent->bdaddr_type, sent->peer_irk,
2044 hci_dev_unlock(hdev);
2049 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2050 struct sk_buff *skb)
2052 struct hci_cp_le_del_from_resolv_list *sent;
2053 struct hci_ev_status *rp = data;
2055 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2060 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2065 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2067 hci_dev_unlock(hdev);
2072 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2073 struct sk_buff *skb)
2075 struct hci_ev_status *rp = data;
2077 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2083 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2084 hci_dev_unlock(hdev);
2089 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2090 struct sk_buff *skb)
2092 struct hci_rp_le_read_resolv_list_size *rp = data;
2094 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2099 hdev->le_resolv_list_size = rp->size;
2104 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2105 struct sk_buff *skb)
2107 struct hci_ev_status *rp = data;
2110 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2115 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2122 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2124 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2126 hci_dev_unlock(hdev);
2131 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2132 struct sk_buff *skb)
2134 struct hci_rp_le_read_max_data_len *rp = data;
2136 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2141 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2142 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2143 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2144 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2149 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2150 struct sk_buff *skb)
2152 struct hci_cp_write_le_host_supported *sent;
2153 struct hci_ev_status *rp = data;
2155 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2160 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2167 hdev->features[1][0] |= LMP_HOST_LE;
2168 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2170 hdev->features[1][0] &= ~LMP_HOST_LE;
2171 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2172 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2176 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2178 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2180 hci_dev_unlock(hdev);
2185 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2186 struct sk_buff *skb)
2188 struct hci_cp_le_set_adv_param *cp;
2189 struct hci_ev_status *rp = data;
2191 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2196 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2201 hdev->adv_addr_type = cp->own_address_type;
2202 hci_dev_unlock(hdev);
2207 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2208 struct sk_buff *skb)
2210 struct hci_rp_le_set_ext_adv_params *rp = data;
2211 struct hci_cp_le_set_ext_adv_params *cp;
2212 struct adv_info *adv_instance;
2214 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2219 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2224 hdev->adv_addr_type = cp->own_addr_type;
2226 /* Store in hdev for instance 0 */
2227 hdev->adv_tx_power = rp->tx_power;
2229 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2231 adv_instance->tx_power = rp->tx_power;
2233 /* Update adv data as tx power is known now */
2234 hci_update_adv_data(hdev, cp->handle);
2236 hci_dev_unlock(hdev);
2242 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2243 struct sk_buff *skb)
2245 struct hci_cc_rsp_enable_rssi *rp = data;
2247 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2248 hdev->name, rp->status, rp->le_ext_opcode);
2250 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2255 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2256 struct sk_buff *skb)
2258 struct hci_cc_rp_get_raw_rssi *rp = data;
2260 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2261 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2263 mgmt_raw_rssi_response(hdev, rp, rp->status);
2268 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2269 struct sk_buff *skb)
2271 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2273 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2275 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2279 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2280 struct sk_buff *skb)
2282 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2283 __u8 event_le_ext_sub_code;
2285 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2286 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2288 skb_pull(skb, sizeof(*ev));
2289 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2291 switch (event_le_ext_sub_code) {
2292 case LE_RSSI_LINK_ALERT:
2293 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2301 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2302 struct sk_buff *skb)
2304 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2305 __u8 event_sub_code;
2307 BT_DBG("hci_vendor_specific_evt");
2309 skb_pull(skb, sizeof(*ev));
2310 event_sub_code = ev->event_sub_code;
2312 switch (event_sub_code) {
2313 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2314 hci_vendor_specific_group_ext_evt(hdev, skb);
2323 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2324 struct sk_buff *skb)
2326 struct hci_rp_read_rssi *rp = data;
2327 struct hci_conn *conn;
2329 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2336 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2338 conn->rssi = rp->rssi;
2340 hci_dev_unlock(hdev);
2345 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2346 struct sk_buff *skb)
2348 struct hci_cp_read_tx_power *sent;
2349 struct hci_rp_read_tx_power *rp = data;
2350 struct hci_conn *conn;
2352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2357 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2363 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2367 switch (sent->type) {
2369 conn->tx_power = rp->tx_power;
2372 conn->max_tx_power = rp->tx_power;
2377 hci_dev_unlock(hdev);
2381 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2382 struct sk_buff *skb)
2384 struct hci_ev_status *rp = data;
2387 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2392 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2394 hdev->ssp_debug_mode = *mode;
2399 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2401 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2404 hci_conn_check_pending(hdev);
2408 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2409 set_bit(HCI_INQUIRY, &hdev->flags);
2412 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2414 struct hci_cp_create_conn *cp;
2415 struct hci_conn *conn;
2417 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2419 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2425 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2427 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2430 if (conn && conn->state == BT_CONNECT) {
2431 if (status != 0x0c || conn->attempt > 2) {
2432 conn->state = BT_CLOSED;
2433 hci_connect_cfm(conn, status);
2436 conn->state = BT_CONNECT2;
2440 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2443 bt_dev_err(hdev, "no memory for new connection");
2447 hci_dev_unlock(hdev);
2450 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2452 struct hci_cp_add_sco *cp;
2453 struct hci_conn *acl;
2454 struct hci_link *link;
2457 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2462 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2466 handle = __le16_to_cpu(cp->handle);
2468 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2472 acl = hci_conn_hash_lookup_handle(hdev, handle);
2474 link = list_first_entry_or_null(&acl->link_list,
2475 struct hci_link, list);
2476 if (link && link->conn) {
2477 link->conn->state = BT_CLOSED;
2479 hci_connect_cfm(link->conn, status);
2480 hci_conn_del(link->conn);
2484 hci_dev_unlock(hdev);
2487 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2489 struct hci_cp_auth_requested *cp;
2490 struct hci_conn *conn;
2492 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2497 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2503 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2505 if (conn->state == BT_CONFIG) {
2506 hci_connect_cfm(conn, status);
2507 hci_conn_drop(conn);
2511 hci_dev_unlock(hdev);
2514 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2516 struct hci_cp_set_conn_encrypt *cp;
2517 struct hci_conn *conn;
2519 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2524 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2530 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2532 if (conn->state == BT_CONFIG) {
2533 hci_connect_cfm(conn, status);
2534 hci_conn_drop(conn);
2538 hci_dev_unlock(hdev);
2541 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2542 struct hci_conn *conn)
2544 if (conn->state != BT_CONFIG || !conn->out)
2547 if (conn->pending_sec_level == BT_SECURITY_SDP)
2550 /* Only request authentication for SSP connections or non-SSP
2551 * devices with sec_level MEDIUM or HIGH or if MITM protection
2554 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2555 conn->pending_sec_level != BT_SECURITY_FIPS &&
2556 conn->pending_sec_level != BT_SECURITY_HIGH &&
2557 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2563 static int hci_resolve_name(struct hci_dev *hdev,
2564 struct inquiry_entry *e)
2566 struct hci_cp_remote_name_req cp;
2568 memset(&cp, 0, sizeof(cp));
2570 bacpy(&cp.bdaddr, &e->data.bdaddr);
2571 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2572 cp.pscan_mode = e->data.pscan_mode;
2573 cp.clock_offset = e->data.clock_offset;
2575 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2578 static bool hci_resolve_next_name(struct hci_dev *hdev)
2580 struct discovery_state *discov = &hdev->discovery;
2581 struct inquiry_entry *e;
2583 if (list_empty(&discov->resolve))
2586 /* We should stop if we already spent too much time resolving names. */
2587 if (time_after(jiffies, discov->name_resolve_timeout)) {
2588 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2592 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2596 if (hci_resolve_name(hdev, e) == 0) {
2597 e->name_state = NAME_PENDING;
2604 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2605 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2607 struct discovery_state *discov = &hdev->discovery;
2608 struct inquiry_entry *e;
2611 /* Update the mgmt connected state if necessary. Be careful with
2612 * conn objects that exist but are not (yet) connected however.
2613 * Only those in BT_CONFIG or BT_CONNECTED states can be
2614 * considered connected.
2617 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2618 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2619 mgmt_device_connected(hdev, conn, name, name_len);
2621 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2625 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2626 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2627 mgmt_device_connected(hdev, conn, name, name_len);
2630 if (discov->state == DISCOVERY_STOPPED)
2633 if (discov->state == DISCOVERY_STOPPING)
2634 goto discov_complete;
2636 if (discov->state != DISCOVERY_RESOLVING)
2639 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2640 /* If the device was not found in a list of found devices names of which
2641 * are pending. there is no need to continue resolving a next name as it
2642 * will be done upon receiving another Remote Name Request Complete
2649 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2650 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2653 if (hci_resolve_next_name(hdev))
2657 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2660 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2662 struct hci_cp_remote_name_req *cp;
2663 struct hci_conn *conn;
2665 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2667 /* If successful wait for the name req complete event before
2668 * checking for the need to do authentication */
2672 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2678 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2680 if (hci_dev_test_flag(hdev, HCI_MGMT))
2681 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2686 if (!hci_outgoing_auth_needed(hdev, conn))
2689 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2690 struct hci_cp_auth_requested auth_cp;
2692 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2694 auth_cp.handle = __cpu_to_le16(conn->handle);
2695 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2696 sizeof(auth_cp), &auth_cp);
2700 hci_dev_unlock(hdev);
2703 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2705 struct hci_cp_read_remote_features *cp;
2706 struct hci_conn *conn;
2708 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2713 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2719 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2721 if (conn->state == BT_CONFIG) {
2722 hci_connect_cfm(conn, status);
2723 hci_conn_drop(conn);
2727 hci_dev_unlock(hdev);
2730 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2732 struct hci_cp_read_remote_ext_features *cp;
2733 struct hci_conn *conn;
2735 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2740 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2746 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2748 if (conn->state == BT_CONFIG) {
2749 hci_connect_cfm(conn, status);
2750 hci_conn_drop(conn);
2754 hci_dev_unlock(hdev);
2757 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2760 struct hci_conn *acl;
2761 struct hci_link *link;
2763 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2767 acl = hci_conn_hash_lookup_handle(hdev, handle);
2769 link = list_first_entry_or_null(&acl->link_list,
2770 struct hci_link, list);
2771 if (link && link->conn) {
2772 link->conn->state = BT_CLOSED;
2774 hci_connect_cfm(link->conn, status);
2775 hci_conn_del(link->conn);
2779 hci_dev_unlock(hdev);
2782 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2784 struct hci_cp_setup_sync_conn *cp;
2786 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2791 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2795 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2798 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2800 struct hci_cp_enhanced_setup_sync_conn *cp;
2802 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2807 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2811 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2814 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2816 struct hci_cp_sniff_mode *cp;
2817 struct hci_conn *conn;
2819 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2824 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2830 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2832 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2834 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2835 hci_sco_setup(conn, status);
2838 hci_dev_unlock(hdev);
2841 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2843 struct hci_cp_exit_sniff_mode *cp;
2844 struct hci_conn *conn;
2846 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2851 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2857 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2859 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2861 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2862 hci_sco_setup(conn, status);
2865 hci_dev_unlock(hdev);
2868 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2870 struct hci_cp_disconnect *cp;
2871 struct hci_conn_params *params;
2872 struct hci_conn *conn;
2875 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2877 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2878 * otherwise cleanup the connection immediately.
2880 if (!status && !hdev->suspended)
2883 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2889 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2894 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2895 conn->dst_type, status);
2897 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2898 hdev->cur_adv_instance = conn->adv_instance;
2899 hci_enable_advertising(hdev);
2902 /* Inform sockets conn is gone before we delete it */
2903 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2908 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2910 if (conn->type == ACL_LINK) {
2911 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2912 hci_remove_link_key(hdev, &conn->dst);
2915 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2917 switch (params->auto_connect) {
2918 case HCI_AUTO_CONN_LINK_LOSS:
2919 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2923 case HCI_AUTO_CONN_DIRECT:
2924 case HCI_AUTO_CONN_ALWAYS:
2925 hci_pend_le_list_del_init(params);
2926 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2934 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2935 cp->reason, mgmt_conn);
2937 hci_disconn_cfm(conn, cp->reason);
2940 /* If the disconnection failed for any reason, the upper layer
2941 * does not retry to disconnect in current implementation.
2942 * Hence, we need to do some basic cleanup here and re-enable
2943 * advertising if necessary.
2947 hci_dev_unlock(hdev);
2950 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2952 /* When using controller based address resolution, then the new
2953 * address types 0x02 and 0x03 are used. These types need to be
2954 * converted back into either public address or random address type
2957 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2960 return ADDR_LE_DEV_PUBLIC;
2961 case ADDR_LE_DEV_RANDOM_RESOLVED:
2964 return ADDR_LE_DEV_RANDOM;
2972 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2973 u8 peer_addr_type, u8 own_address_type,
2976 struct hci_conn *conn;
2978 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2983 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2985 /* Store the initiator and responder address information which
2986 * is needed for SMP. These values will not change during the
2987 * lifetime of the connection.
2989 conn->init_addr_type = own_address_type;
2990 if (own_address_type == ADDR_LE_DEV_RANDOM)
2991 bacpy(&conn->init_addr, &hdev->random_addr);
2993 bacpy(&conn->init_addr, &hdev->bdaddr);
2995 conn->resp_addr_type = peer_addr_type;
2996 bacpy(&conn->resp_addr, peer_addr);
2999 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3001 struct hci_cp_le_create_conn *cp;
3003 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3005 /* All connection failure handling is taken care of by the
3006 * hci_conn_failed function which is triggered by the HCI
3007 * request completion callbacks used for connecting.
3012 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3018 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3019 cp->own_address_type, cp->filter_policy);
3021 hci_dev_unlock(hdev);
3024 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3026 struct hci_cp_le_ext_create_conn *cp;
3028 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3030 /* All connection failure handling is taken care of by the
3031 * hci_conn_failed function which is triggered by the HCI
3032 * request completion callbacks used for connecting.
3037 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3043 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3044 cp->own_addr_type, cp->filter_policy);
3046 hci_dev_unlock(hdev);
3049 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3051 struct hci_cp_le_read_remote_features *cp;
3052 struct hci_conn *conn;
3054 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3059 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3065 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3067 if (conn->state == BT_CONFIG) {
3068 hci_connect_cfm(conn, status);
3069 hci_conn_drop(conn);
3073 hci_dev_unlock(hdev);
3076 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3078 struct hci_cp_le_start_enc *cp;
3079 struct hci_conn *conn;
3081 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3088 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3092 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3096 if (conn->state != BT_CONNECTED)
3099 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3100 hci_conn_drop(conn);
3103 hci_dev_unlock(hdev);
3106 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3108 struct hci_cp_switch_role *cp;
3109 struct hci_conn *conn;
3111 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3116 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3122 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3124 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3126 hci_dev_unlock(hdev);
3129 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3130 struct sk_buff *skb)
3132 struct hci_ev_status *ev = data;
3133 struct discovery_state *discov = &hdev->discovery;
3134 struct inquiry_entry *e;
3136 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3138 hci_conn_check_pending(hdev);
3140 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3143 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3144 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3146 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3151 if (discov->state != DISCOVERY_FINDING)
3154 if (list_empty(&discov->resolve)) {
3155 /* When BR/EDR inquiry is active and no LE scanning is in
3156 * progress, then change discovery state to indicate completion.
3158 * When running LE scanning and BR/EDR inquiry simultaneously
3159 * and the LE scan already finished, then change the discovery
3160 * state to indicate completion.
3162 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3163 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3164 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3168 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3169 if (e && hci_resolve_name(hdev, e) == 0) {
3170 e->name_state = NAME_PENDING;
3171 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3172 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3174 /* When BR/EDR inquiry is active and no LE scanning is in
3175 * progress, then change discovery state to indicate completion.
3177 * When running LE scanning and BR/EDR inquiry simultaneously
3178 * and the LE scan already finished, then change the discovery
3179 * state to indicate completion.
3181 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3182 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3187 hci_dev_unlock(hdev);
3190 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3191 struct sk_buff *skb)
3193 struct hci_ev_inquiry_result *ev = edata;
3194 struct inquiry_data data;
3197 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3198 flex_array_size(ev, info, ev->num)))
3201 bt_dev_dbg(hdev, "num %d", ev->num);
3206 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3211 for (i = 0; i < ev->num; i++) {
3212 struct inquiry_info *info = &ev->info[i];
3215 bacpy(&data.bdaddr, &info->bdaddr);
3216 data.pscan_rep_mode = info->pscan_rep_mode;
3217 data.pscan_period_mode = info->pscan_period_mode;
3218 data.pscan_mode = info->pscan_mode;
3219 memcpy(data.dev_class, info->dev_class, 3);
3220 data.clock_offset = info->clock_offset;
3221 data.rssi = HCI_RSSI_INVALID;
3222 data.ssp_mode = 0x00;
3224 flags = hci_inquiry_cache_update(hdev, &data, false);
3226 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3227 info->dev_class, HCI_RSSI_INVALID,
3228 flags, NULL, 0, NULL, 0, 0);
3231 hci_dev_unlock(hdev);
3234 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3235 struct sk_buff *skb)
3237 struct hci_ev_conn_complete *ev = data;
3238 struct hci_conn *conn;
3239 u8 status = ev->status;
3241 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3245 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3247 /* In case of error status and there is no connection pending
3248 * just unlock as there is nothing to cleanup.
3253 /* Connection may not exist if auto-connected. Check the bredr
3254 * allowlist to see if this device is allowed to auto connect.
3255 * If link is an ACL type, create a connection class
3258 * Auto-connect will only occur if the event filter is
3259 * programmed with a given address. Right now, event filter is
3260 * only used during suspend.
3262 if (ev->link_type == ACL_LINK &&
3263 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3266 conn = hci_conn_add_unset(hdev, ev->link_type,
3267 &ev->bdaddr, HCI_ROLE_SLAVE);
3269 bt_dev_err(hdev, "no memory for new conn");
3273 if (ev->link_type != SCO_LINK)
3276 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3281 conn->type = SCO_LINK;
3285 /* The HCI_Connection_Complete event is only sent once per connection.
3286 * Processing it more than once per connection can corrupt kernel memory.
3288 * As the connection handle is set here for the first time, it indicates
3289 * whether the connection is already set up.
3291 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3292 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3297 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3301 if (conn->type == ACL_LINK) {
3302 conn->state = BT_CONFIG;
3303 hci_conn_hold(conn);
3305 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3306 !hci_find_link_key(hdev, &ev->bdaddr))
3307 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3309 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3311 conn->state = BT_CONNECTED;
3313 hci_debugfs_create_conn(conn);
3314 hci_conn_add_sysfs(conn);
3316 if (test_bit(HCI_AUTH, &hdev->flags))
3317 set_bit(HCI_CONN_AUTH, &conn->flags);
3319 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3320 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3322 /* Get remote features */
3323 if (conn->type == ACL_LINK) {
3324 struct hci_cp_read_remote_features cp;
3325 cp.handle = ev->handle;
3326 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3329 hci_update_scan(hdev);
3332 /* Set packet type for incoming connection */
3333 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3334 struct hci_cp_change_conn_ptype cp;
3335 cp.handle = ev->handle;
3336 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3337 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3342 if (conn->type == ACL_LINK)
3343 hci_sco_setup(conn, ev->status);
3347 hci_conn_failed(conn, status);
3348 } else if (ev->link_type == SCO_LINK) {
3349 switch (conn->setting & SCO_AIRMODE_MASK) {
3350 case SCO_AIRMODE_CVSD:
3352 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3356 hci_connect_cfm(conn, status);
3360 hci_dev_unlock(hdev);
3362 hci_conn_check_pending(hdev);
3365 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3367 struct hci_cp_reject_conn_req cp;
3369 bacpy(&cp.bdaddr, bdaddr);
3370 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3371 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3374 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3375 struct sk_buff *skb)
3377 struct hci_ev_conn_request *ev = data;
3378 int mask = hdev->link_mode;
3379 struct inquiry_entry *ie;
3380 struct hci_conn *conn;
3383 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3385 /* Reject incoming connection from device with same BD ADDR against
3388 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3389 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3391 hci_reject_conn(hdev, &ev->bdaddr);
3395 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3398 if (!(mask & HCI_LM_ACCEPT)) {
3399 hci_reject_conn(hdev, &ev->bdaddr);
3405 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3407 hci_reject_conn(hdev, &ev->bdaddr);
3411 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3412 * connection. These features are only touched through mgmt so
3413 * only do the checks if HCI_MGMT is set.
3415 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3416 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3417 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3419 hci_reject_conn(hdev, &ev->bdaddr);
3423 /* Connection accepted */
3425 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3427 memcpy(ie->data.dev_class, ev->dev_class, 3);
3429 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3432 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3435 bt_dev_err(hdev, "no memory for new connection");
3440 memcpy(conn->dev_class, ev->dev_class, 3);
3442 hci_dev_unlock(hdev);
3444 if (ev->link_type == ACL_LINK ||
3445 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3446 struct hci_cp_accept_conn_req cp;
3447 conn->state = BT_CONNECT;
3449 bacpy(&cp.bdaddr, &ev->bdaddr);
3451 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3452 cp.role = 0x00; /* Become central */
3454 cp.role = 0x01; /* Remain peripheral */
3456 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3457 } else if (!(flags & HCI_PROTO_DEFER)) {
3458 struct hci_cp_accept_sync_conn_req cp;
3459 conn->state = BT_CONNECT;
3461 bacpy(&cp.bdaddr, &ev->bdaddr);
3462 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3464 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3465 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3466 cp.max_latency = cpu_to_le16(0xffff);
3467 cp.content_format = cpu_to_le16(hdev->voice_setting);
3468 cp.retrans_effort = 0xff;
3470 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3473 conn->state = BT_CONNECT2;
3474 hci_connect_cfm(conn, 0);
3479 hci_dev_unlock(hdev);
3482 static u8 hci_to_mgmt_reason(u8 err)
3485 case HCI_ERROR_CONNECTION_TIMEOUT:
3486 return MGMT_DEV_DISCONN_TIMEOUT;
3487 case HCI_ERROR_REMOTE_USER_TERM:
3488 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3489 case HCI_ERROR_REMOTE_POWER_OFF:
3490 return MGMT_DEV_DISCONN_REMOTE;
3491 case HCI_ERROR_LOCAL_HOST_TERM:
3492 return MGMT_DEV_DISCONN_LOCAL_HOST;
3494 return MGMT_DEV_DISCONN_UNKNOWN;
3498 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3499 struct sk_buff *skb)
3501 struct hci_ev_disconn_complete *ev = data;
3503 struct hci_conn_params *params;
3504 struct hci_conn *conn;
3505 bool mgmt_connected;
3507 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3511 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3516 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3517 conn->dst_type, ev->status);
3521 conn->state = BT_CLOSED;
3523 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3525 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3526 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3528 reason = hci_to_mgmt_reason(ev->reason);
3530 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3531 reason, mgmt_connected);
3533 if (conn->type == ACL_LINK) {
3534 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3535 hci_remove_link_key(hdev, &conn->dst);
3537 hci_update_scan(hdev);
3540 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3542 switch (params->auto_connect) {
3543 case HCI_AUTO_CONN_LINK_LOSS:
3544 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3548 case HCI_AUTO_CONN_DIRECT:
3549 case HCI_AUTO_CONN_ALWAYS:
3550 hci_pend_le_list_del_init(params);
3551 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3552 hci_update_passive_scan(hdev);
3560 hci_disconn_cfm(conn, ev->reason);
3562 /* Re-enable advertising if necessary, since it might
3563 * have been disabled by the connection. From the
3564 * HCI_LE_Set_Advertise_Enable command description in
3565 * the core specification (v4.0):
3566 * "The Controller shall continue advertising until the Host
3567 * issues an LE_Set_Advertise_Enable command with
3568 * Advertising_Enable set to 0x00 (Advertising is disabled)
3569 * or until a connection is created or until the Advertising
3570 * is timed out due to Directed Advertising."
3572 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3573 hdev->cur_adv_instance = conn->adv_instance;
3574 hci_enable_advertising(hdev);
3580 hci_dev_unlock(hdev);
3583 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3584 struct sk_buff *skb)
3586 struct hci_ev_auth_complete *ev = data;
3587 struct hci_conn *conn;
3589 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3593 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3598 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3599 set_bit(HCI_CONN_AUTH, &conn->flags);
3600 conn->sec_level = conn->pending_sec_level;
3602 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3603 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3605 mgmt_auth_failed(conn, ev->status);
3608 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3610 if (conn->state == BT_CONFIG) {
3611 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3612 struct hci_cp_set_conn_encrypt cp;
3613 cp.handle = ev->handle;
3615 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3618 conn->state = BT_CONNECTED;
3619 hci_connect_cfm(conn, ev->status);
3620 hci_conn_drop(conn);
3623 hci_auth_cfm(conn, ev->status);
3625 hci_conn_hold(conn);
3626 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3627 hci_conn_drop(conn);
3630 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3632 struct hci_cp_set_conn_encrypt cp;
3633 cp.handle = ev->handle;
3635 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3638 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3639 hci_encrypt_cfm(conn, ev->status);
3644 hci_dev_unlock(hdev);
3647 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3648 struct sk_buff *skb)
3650 struct hci_ev_remote_name *ev = data;
3651 struct hci_conn *conn;
3653 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3655 hci_conn_check_pending(hdev);
3659 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3661 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3664 if (ev->status == 0)
3665 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3666 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3668 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3674 if (!hci_outgoing_auth_needed(hdev, conn))
3677 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3678 struct hci_cp_auth_requested cp;
3680 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3682 cp.handle = __cpu_to_le16(conn->handle);
3683 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3687 hci_dev_unlock(hdev);
3690 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3691 struct sk_buff *skb)
3693 struct hci_ev_encrypt_change *ev = data;
3694 struct hci_conn *conn;
3696 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3700 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3706 /* Encryption implies authentication */
3707 set_bit(HCI_CONN_AUTH, &conn->flags);
3708 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3709 conn->sec_level = conn->pending_sec_level;
3711 /* P-256 authentication key implies FIPS */
3712 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3713 set_bit(HCI_CONN_FIPS, &conn->flags);
3715 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3716 conn->type == LE_LINK)
3717 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3719 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3720 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3724 /* We should disregard the current RPA and generate a new one
3725 * whenever the encryption procedure fails.
3727 if (ev->status && conn->type == LE_LINK) {
3728 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3729 hci_adv_instances_set_rpa_expired(hdev, true);
3732 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3734 /* Check link security requirements are met */
3735 if (!hci_conn_check_link_mode(conn))
3736 ev->status = HCI_ERROR_AUTH_FAILURE;
3738 if (ev->status && conn->state == BT_CONNECTED) {
3739 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3740 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3742 /* Notify upper layers so they can cleanup before
3745 hci_encrypt_cfm(conn, ev->status);
3746 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3747 hci_conn_drop(conn);
3751 /* Try reading the encryption key size for encrypted ACL links */
3752 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3753 struct hci_cp_read_enc_key_size cp;
3755 /* Only send HCI_Read_Encryption_Key_Size if the
3756 * controller really supports it. If it doesn't, assume
3757 * the default size (16).
3759 if (!(hdev->commands[20] & 0x10)) {
3760 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3764 cp.handle = cpu_to_le16(conn->handle);
3765 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3767 bt_dev_err(hdev, "sending read key size failed");
3768 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3775 /* Set the default Authenticated Payload Timeout after
3776 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3777 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3778 * sent when the link is active and Encryption is enabled, the conn
3779 * type can be either LE or ACL and controller must support LMP Ping.
3780 * Ensure for AES-CCM encryption as well.
3782 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3783 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3784 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3785 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3786 struct hci_cp_write_auth_payload_to cp;
3788 cp.handle = cpu_to_le16(conn->handle);
3789 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3790 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3792 bt_dev_err(hdev, "write auth payload timeout failed");
3796 hci_encrypt_cfm(conn, ev->status);
3799 hci_dev_unlock(hdev);
3802 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3803 struct sk_buff *skb)
3805 struct hci_ev_change_link_key_complete *ev = data;
3806 struct hci_conn *conn;
3808 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3812 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3815 set_bit(HCI_CONN_SECURE, &conn->flags);
3817 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3819 hci_key_change_cfm(conn, ev->status);
3822 hci_dev_unlock(hdev);
3825 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3826 struct sk_buff *skb)
3828 struct hci_ev_remote_features *ev = data;
3829 struct hci_conn *conn;
3831 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3835 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3840 memcpy(conn->features[0], ev->features, 8);
3842 if (conn->state != BT_CONFIG)
3845 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3846 lmp_ext_feat_capable(conn)) {
3847 struct hci_cp_read_remote_ext_features cp;
3848 cp.handle = ev->handle;
3850 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3855 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3856 struct hci_cp_remote_name_req cp;
3857 memset(&cp, 0, sizeof(cp));
3858 bacpy(&cp.bdaddr, &conn->dst);
3859 cp.pscan_rep_mode = 0x02;
3860 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3861 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3862 mgmt_device_connected(hdev, conn, NULL, 0);
3864 if (!hci_outgoing_auth_needed(hdev, conn)) {
3865 conn->state = BT_CONNECTED;
3866 hci_connect_cfm(conn, ev->status);
3867 hci_conn_drop(conn);
3871 hci_dev_unlock(hdev);
3874 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3876 cancel_delayed_work(&hdev->cmd_timer);
3879 if (!test_bit(HCI_RESET, &hdev->flags)) {
3881 cancel_delayed_work(&hdev->ncmd_timer);
3882 atomic_set(&hdev->cmd_cnt, 1);
3884 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3885 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3892 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3893 struct sk_buff *skb)
3895 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3897 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3902 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3903 hdev->le_pkts = rp->acl_max_pkt;
3904 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3905 hdev->iso_pkts = rp->iso_max_pkt;
3907 hdev->le_cnt = hdev->le_pkts;
3908 hdev->iso_cnt = hdev->iso_pkts;
3910 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3911 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3916 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3918 struct hci_conn *conn, *tmp;
3920 lockdep_assert_held(&hdev->lock);
3922 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3923 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3924 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3927 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3928 hci_conn_failed(conn, status);
3932 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3933 struct sk_buff *skb)
3935 struct hci_rp_le_set_cig_params *rp = data;
3936 struct hci_cp_le_set_cig_params *cp;
3937 struct hci_conn *conn;
3938 u8 status = rp->status;
3939 bool pending = false;
3942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3944 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3945 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3946 rp->cig_id != cp->cig_id)) {
3947 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3948 status = HCI_ERROR_UNSPECIFIED;
3953 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3955 * If the Status return parameter is non-zero, then the state of the CIG
3956 * and its CIS configurations shall not be changed by the command. If
3957 * the CIG did not already exist, it shall not be created.
3960 /* Keep current configuration, fail only the unbound CIS */
3961 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3965 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3967 * If the Status return parameter is zero, then the Controller shall
3968 * set the Connection_Handle arrayed return parameter to the connection
3969 * handle(s) corresponding to the CIS configurations specified in
3970 * the CIS_IDs command parameter, in the same order.
3972 for (i = 0; i < rp->num_handles; ++i) {
3973 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3975 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3978 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3981 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3984 if (conn->state == BT_CONNECT)
3990 hci_le_create_cis_pending(hdev);
3992 hci_dev_unlock(hdev);
3997 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3998 struct sk_buff *skb)
4000 struct hci_rp_le_setup_iso_path *rp = data;
4001 struct hci_cp_le_setup_iso_path *cp;
4002 struct hci_conn *conn;
4004 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4006 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4012 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4017 hci_connect_cfm(conn, rp->status);
4022 switch (cp->direction) {
4023 /* Input (Host to Controller) */
4025 /* Only confirm connection if output only */
4026 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
4027 hci_connect_cfm(conn, rp->status);
4029 /* Output (Controller to Host) */
4031 /* Confirm connection since conn->iso_qos is always configured
4034 hci_connect_cfm(conn, rp->status);
4039 hci_dev_unlock(hdev);
4043 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4045 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4048 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4049 struct sk_buff *skb)
4051 struct hci_ev_status *rp = data;
4052 struct hci_cp_le_set_per_adv_params *cp;
4054 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4059 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4063 /* TODO: set the conn state */
4067 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4068 struct sk_buff *skb)
4070 struct hci_ev_status *rp = data;
4071 struct hci_cp_le_set_per_adv_enable *cp;
4072 struct adv_info *adv = NULL, *n;
4075 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4080 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4086 adv = hci_find_adv_instance(hdev, cp->handle);
4089 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4092 adv->enabled = true;
4094 /* If just one instance was disabled check if there are
4095 * any other instance enabled before clearing HCI_LE_PER_ADV.
4096 * The current periodic adv instance will be marked as
4097 * disabled once extended advertising is also disabled.
4099 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4101 if (adv->periodic && adv->enabled)
4105 if (per_adv_cnt > 1)
4108 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4112 hci_dev_unlock(hdev);
4117 #define HCI_CC_VL(_op, _func, _min, _max) \
4125 #define HCI_CC(_op, _func, _len) \
4126 HCI_CC_VL(_op, _func, _len, _len)
4128 #define HCI_CC_STATUS(_op, _func) \
4129 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4131 static const struct hci_cc {
4133 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4136 } hci_cc_table[] = {
4137 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4138 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4139 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4140 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4141 hci_cc_remote_name_req_cancel),
4142 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4143 sizeof(struct hci_rp_role_discovery)),
4144 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4145 sizeof(struct hci_rp_read_link_policy)),
4146 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4147 sizeof(struct hci_rp_write_link_policy)),
4148 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4149 sizeof(struct hci_rp_read_def_link_policy)),
4150 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4151 hci_cc_write_def_link_policy),
4152 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4153 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4154 sizeof(struct hci_rp_read_stored_link_key)),
4155 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4156 sizeof(struct hci_rp_delete_stored_link_key)),
4157 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4158 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4159 sizeof(struct hci_rp_read_local_name)),
4160 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4161 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4162 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4163 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4164 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4165 sizeof(struct hci_rp_read_class_of_dev)),
4166 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4167 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4168 sizeof(struct hci_rp_read_voice_setting)),
4169 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4170 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4171 sizeof(struct hci_rp_read_num_supported_iac)),
4172 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4173 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4174 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4175 sizeof(struct hci_rp_read_auth_payload_to)),
4176 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4177 sizeof(struct hci_rp_write_auth_payload_to)),
4178 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4179 sizeof(struct hci_rp_read_local_version)),
4180 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4181 sizeof(struct hci_rp_read_local_commands)),
4182 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4183 sizeof(struct hci_rp_read_local_features)),
4184 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4185 sizeof(struct hci_rp_read_local_ext_features)),
4186 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4187 sizeof(struct hci_rp_read_buffer_size)),
4188 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4189 sizeof(struct hci_rp_read_bd_addr)),
4190 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4191 sizeof(struct hci_rp_read_local_pairing_opts)),
4192 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4193 sizeof(struct hci_rp_read_page_scan_activity)),
4194 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4195 hci_cc_write_page_scan_activity),
4196 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4197 sizeof(struct hci_rp_read_page_scan_type)),
4198 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4199 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4200 sizeof(struct hci_rp_read_data_block_size)),
4201 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4202 sizeof(struct hci_rp_read_flow_control_mode)),
4203 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4204 sizeof(struct hci_rp_read_local_amp_info)),
4205 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4206 sizeof(struct hci_rp_read_clock)),
4207 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4208 sizeof(struct hci_rp_read_enc_key_size)),
4209 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4210 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4211 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4212 hci_cc_read_def_err_data_reporting,
4213 sizeof(struct hci_rp_read_def_err_data_reporting)),
4214 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4215 hci_cc_write_def_err_data_reporting),
4216 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4217 sizeof(struct hci_rp_pin_code_reply)),
4218 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4219 sizeof(struct hci_rp_pin_code_neg_reply)),
4220 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4221 sizeof(struct hci_rp_read_local_oob_data)),
4222 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4223 sizeof(struct hci_rp_read_local_oob_ext_data)),
4224 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4225 sizeof(struct hci_rp_le_read_buffer_size)),
4226 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4227 sizeof(struct hci_rp_le_read_local_features)),
4228 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4229 sizeof(struct hci_rp_le_read_adv_tx_power)),
4230 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4231 sizeof(struct hci_rp_user_confirm_reply)),
4232 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4233 sizeof(struct hci_rp_user_confirm_reply)),
4234 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4235 sizeof(struct hci_rp_user_confirm_reply)),
4236 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4237 sizeof(struct hci_rp_user_confirm_reply)),
4238 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4239 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4240 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4241 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4242 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4243 hci_cc_le_read_accept_list_size,
4244 sizeof(struct hci_rp_le_read_accept_list_size)),
4245 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4246 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4247 hci_cc_le_add_to_accept_list),
4248 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4249 hci_cc_le_del_from_accept_list),
4250 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4251 sizeof(struct hci_rp_le_read_supported_states)),
4252 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4253 sizeof(struct hci_rp_le_read_def_data_len)),
4254 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4255 hci_cc_le_write_def_data_len),
4256 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4257 hci_cc_le_add_to_resolv_list),
4258 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4259 hci_cc_le_del_from_resolv_list),
4260 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4261 hci_cc_le_clear_resolv_list),
4262 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4263 sizeof(struct hci_rp_le_read_resolv_list_size)),
4264 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4265 hci_cc_le_set_addr_resolution_enable),
4266 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4267 sizeof(struct hci_rp_le_read_max_data_len)),
4268 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4269 hci_cc_write_le_host_supported),
4270 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4271 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4272 sizeof(struct hci_rp_read_rssi)),
4273 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4274 sizeof(struct hci_rp_read_tx_power)),
4275 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4276 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4277 hci_cc_le_set_ext_scan_param),
4278 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4279 hci_cc_le_set_ext_scan_enable),
4280 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4281 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4282 hci_cc_le_read_num_adv_sets,
4283 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4284 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4285 sizeof(struct hci_rp_le_set_ext_adv_params)),
4286 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4287 hci_cc_le_set_ext_adv_enable),
4288 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4289 hci_cc_le_set_adv_set_random_addr),
4290 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4291 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4292 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4293 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4294 hci_cc_le_set_per_adv_enable),
4295 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4296 sizeof(struct hci_rp_le_read_transmit_power)),
4298 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4299 sizeof(struct hci_cc_rsp_enable_rssi)),
4300 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4301 sizeof(struct hci_cc_rp_get_raw_rssi)),
4303 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4304 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4305 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4306 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4307 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4308 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4309 sizeof(struct hci_rp_le_setup_iso_path)),
4312 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4313 struct sk_buff *skb)
4317 if (skb->len < cc->min_len) {
4318 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4319 cc->op, skb->len, cc->min_len);
4320 return HCI_ERROR_UNSPECIFIED;
4323 /* Just warn if the length is over max_len size it still be possible to
4324 * partially parse the cc so leave to callback to decide if that is
4327 if (skb->len > cc->max_len)
4328 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4329 cc->op, skb->len, cc->max_len);
4331 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4333 return HCI_ERROR_UNSPECIFIED;
4335 return cc->func(hdev, data, skb);
4338 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4339 struct sk_buff *skb, u16 *opcode, u8 *status,
4340 hci_req_complete_t *req_complete,
4341 hci_req_complete_skb_t *req_complete_skb)
4343 struct hci_ev_cmd_complete *ev = data;
4346 *opcode = __le16_to_cpu(ev->opcode);
4348 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4350 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4351 if (hci_cc_table[i].op == *opcode) {
4352 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4357 if (i == ARRAY_SIZE(hci_cc_table)) {
4358 /* Unknown opcode, assume byte 0 contains the status, so
4359 * that e.g. __hci_cmd_sync() properly returns errors
4360 * for vendor specific commands send by HCI drivers.
4361 * If a vendor doesn't actually follow this convention we may
4362 * need to introduce a vendor CC table in order to properly set
4365 *status = skb->data[0];
4368 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4370 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4373 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4375 "unexpected event for opcode 0x%4.4x", *opcode);
4379 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4380 queue_work(hdev->workqueue, &hdev->cmd_work);
4383 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4385 struct hci_cp_le_create_cis *cp;
4386 bool pending = false;
4389 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4394 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4400 /* Remove connection if command failed */
4401 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4402 struct hci_conn *conn;
4405 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4407 conn = hci_conn_hash_lookup_handle(hdev, handle);
4409 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4412 conn->state = BT_CLOSED;
4413 hci_connect_cfm(conn, status);
4419 hci_le_create_cis_pending(hdev);
4421 hci_dev_unlock(hdev);
4424 #define HCI_CS(_op, _func) \
4430 static const struct hci_cs {
4432 void (*func)(struct hci_dev *hdev, __u8 status);
4433 } hci_cs_table[] = {
4434 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4435 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4436 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4437 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4438 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4439 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4440 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4441 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4442 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4443 hci_cs_read_remote_ext_features),
4444 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4445 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4446 hci_cs_enhanced_setup_sync_conn),
4447 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4448 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4449 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4450 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4451 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4452 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4453 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4454 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4455 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4458 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4459 struct sk_buff *skb, u16 *opcode, u8 *status,
4460 hci_req_complete_t *req_complete,
4461 hci_req_complete_skb_t *req_complete_skb)
4463 struct hci_ev_cmd_status *ev = data;
4466 *opcode = __le16_to_cpu(ev->opcode);
4467 *status = ev->status;
4469 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4471 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4472 if (hci_cs_table[i].op == *opcode) {
4473 hci_cs_table[i].func(hdev, ev->status);
4478 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4480 /* Indicate request completion if the command failed. Also, if
4481 * we're not waiting for a special event and we get a success
4482 * command status we should try to flag the request as completed
4483 * (since for this kind of commands there will not be a command
4486 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4487 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4489 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4490 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4496 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4497 queue_work(hdev->workqueue, &hdev->cmd_work);
4500 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4501 struct sk_buff *skb)
4503 struct hci_ev_hardware_error *ev = data;
4505 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4509 mgmt_hardware_error(hdev, ev->code);
4510 hci_dev_unlock(hdev);
4512 hdev->hw_error_code = ev->code;
4514 queue_work(hdev->req_workqueue, &hdev->error_reset);
4517 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4518 struct sk_buff *skb)
4520 struct hci_ev_role_change *ev = data;
4521 struct hci_conn *conn;
4523 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4527 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4530 conn->role = ev->role;
4532 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4534 hci_role_switch_cfm(conn, ev->status, ev->role);
4537 hci_dev_unlock(hdev);
4540 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4541 struct sk_buff *skb)
4543 struct hci_ev_num_comp_pkts *ev = data;
4546 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4547 flex_array_size(ev, handles, ev->num)))
4550 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4551 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4555 bt_dev_dbg(hdev, "num %d", ev->num);
4557 for (i = 0; i < ev->num; i++) {
4558 struct hci_comp_pkts_info *info = &ev->handles[i];
4559 struct hci_conn *conn;
4560 __u16 handle, count;
4562 handle = __le16_to_cpu(info->handle);
4563 count = __le16_to_cpu(info->count);
4565 conn = hci_conn_hash_lookup_handle(hdev, handle);
4569 conn->sent -= count;
4571 switch (conn->type) {
4573 hdev->acl_cnt += count;
4574 if (hdev->acl_cnt > hdev->acl_pkts)
4575 hdev->acl_cnt = hdev->acl_pkts;
4579 if (hdev->le_pkts) {
4580 hdev->le_cnt += count;
4581 if (hdev->le_cnt > hdev->le_pkts)
4582 hdev->le_cnt = hdev->le_pkts;
4584 hdev->acl_cnt += count;
4585 if (hdev->acl_cnt > hdev->acl_pkts)
4586 hdev->acl_cnt = hdev->acl_pkts;
4591 hdev->sco_cnt += count;
4592 if (hdev->sco_cnt > hdev->sco_pkts)
4593 hdev->sco_cnt = hdev->sco_pkts;
4597 if (hdev->iso_pkts) {
4598 hdev->iso_cnt += count;
4599 if (hdev->iso_cnt > hdev->iso_pkts)
4600 hdev->iso_cnt = hdev->iso_pkts;
4601 } else if (hdev->le_pkts) {
4602 hdev->le_cnt += count;
4603 if (hdev->le_cnt > hdev->le_pkts)
4604 hdev->le_cnt = hdev->le_pkts;
4606 hdev->acl_cnt += count;
4607 if (hdev->acl_cnt > hdev->acl_pkts)
4608 hdev->acl_cnt = hdev->acl_pkts;
4613 bt_dev_err(hdev, "unknown type %d conn %p",
4619 queue_work(hdev->workqueue, &hdev->tx_work);
4622 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4625 struct hci_chan *chan;
4627 switch (hdev->dev_type) {
4629 return hci_conn_hash_lookup_handle(hdev, handle);
4631 chan = hci_chan_lookup_handle(hdev, handle);
4636 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4643 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4644 struct sk_buff *skb)
4646 struct hci_ev_num_comp_blocks *ev = data;
4649 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4650 flex_array_size(ev, handles, ev->num_hndl)))
4653 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4654 bt_dev_err(hdev, "wrong event for mode %d",
4655 hdev->flow_ctl_mode);
4659 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4662 for (i = 0; i < ev->num_hndl; i++) {
4663 struct hci_comp_blocks_info *info = &ev->handles[i];
4664 struct hci_conn *conn = NULL;
4665 __u16 handle, block_count;
4667 handle = __le16_to_cpu(info->handle);
4668 block_count = __le16_to_cpu(info->blocks);
4670 conn = __hci_conn_lookup_handle(hdev, handle);
4674 conn->sent -= block_count;
4676 switch (conn->type) {
4679 hdev->block_cnt += block_count;
4680 if (hdev->block_cnt > hdev->num_blocks)
4681 hdev->block_cnt = hdev->num_blocks;
4685 bt_dev_err(hdev, "unknown type %d conn %p",
4691 queue_work(hdev->workqueue, &hdev->tx_work);
4694 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4695 struct sk_buff *skb)
4697 struct hci_ev_mode_change *ev = data;
4698 struct hci_conn *conn;
4700 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4704 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4706 conn->mode = ev->mode;
4708 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4710 if (conn->mode == HCI_CM_ACTIVE)
4711 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4713 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4716 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4717 hci_sco_setup(conn, ev->status);
4720 hci_dev_unlock(hdev);
4723 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4724 struct sk_buff *skb)
4726 struct hci_ev_pin_code_req *ev = data;
4727 struct hci_conn *conn;
4729 bt_dev_dbg(hdev, "");
4733 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4737 if (conn->state == BT_CONNECTED) {
4738 hci_conn_hold(conn);
4739 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4740 hci_conn_drop(conn);
4743 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4744 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4745 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4746 sizeof(ev->bdaddr), &ev->bdaddr);
4747 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4750 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4755 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4759 hci_dev_unlock(hdev);
4762 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4764 if (key_type == HCI_LK_CHANGED_COMBINATION)
4767 conn->pin_length = pin_len;
4768 conn->key_type = key_type;
4771 case HCI_LK_LOCAL_UNIT:
4772 case HCI_LK_REMOTE_UNIT:
4773 case HCI_LK_DEBUG_COMBINATION:
4775 case HCI_LK_COMBINATION:
4777 conn->pending_sec_level = BT_SECURITY_HIGH;
4779 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4781 case HCI_LK_UNAUTH_COMBINATION_P192:
4782 case HCI_LK_UNAUTH_COMBINATION_P256:
4783 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4785 case HCI_LK_AUTH_COMBINATION_P192:
4786 conn->pending_sec_level = BT_SECURITY_HIGH;
4788 case HCI_LK_AUTH_COMBINATION_P256:
4789 conn->pending_sec_level = BT_SECURITY_FIPS;
4794 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4795 struct sk_buff *skb)
4797 struct hci_ev_link_key_req *ev = data;
4798 struct hci_cp_link_key_reply cp;
4799 struct hci_conn *conn;
4800 struct link_key *key;
4802 bt_dev_dbg(hdev, "");
4804 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4809 key = hci_find_link_key(hdev, &ev->bdaddr);
4811 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4815 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4817 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4819 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4821 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4822 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4823 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4824 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4828 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4829 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4830 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4831 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4835 conn_set_key(conn, key->type, key->pin_len);
4838 bacpy(&cp.bdaddr, &ev->bdaddr);
4839 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4841 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4843 hci_dev_unlock(hdev);
4848 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4849 hci_dev_unlock(hdev);
4852 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4853 struct sk_buff *skb)
4855 struct hci_ev_link_key_notify *ev = data;
4856 struct hci_conn *conn;
4857 struct link_key *key;
4861 bt_dev_dbg(hdev, "");
4865 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4869 /* Ignore NULL link key against CVE-2020-26555 */
4870 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4871 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4873 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4874 hci_conn_drop(conn);
4878 hci_conn_hold(conn);
4879 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4880 hci_conn_drop(conn);
4882 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4883 conn_set_key(conn, ev->key_type, conn->pin_length);
4885 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4888 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4889 ev->key_type, pin_len, &persistent);
4893 /* Update connection information since adding the key will have
4894 * fixed up the type in the case of changed combination keys.
4896 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4897 conn_set_key(conn, key->type, key->pin_len);
4899 mgmt_new_link_key(hdev, key, persistent);
4901 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4902 * is set. If it's not set simply remove the key from the kernel
4903 * list (we've still notified user space about it but with
4904 * store_hint being 0).
4906 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4907 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4908 list_del_rcu(&key->list);
4909 kfree_rcu(key, rcu);
4914 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4916 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4919 hci_dev_unlock(hdev);
4922 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4923 struct sk_buff *skb)
4925 struct hci_ev_clock_offset *ev = data;
4926 struct hci_conn *conn;
4928 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4932 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4933 if (conn && !ev->status) {
4934 struct inquiry_entry *ie;
4936 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4938 ie->data.clock_offset = ev->clock_offset;
4939 ie->timestamp = jiffies;
4943 hci_dev_unlock(hdev);
4946 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4947 struct sk_buff *skb)
4949 struct hci_ev_pkt_type_change *ev = data;
4950 struct hci_conn *conn;
4952 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4956 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4957 if (conn && !ev->status)
4958 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4960 hci_dev_unlock(hdev);
4963 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4964 struct sk_buff *skb)
4966 struct hci_ev_pscan_rep_mode *ev = data;
4967 struct inquiry_entry *ie;
4969 bt_dev_dbg(hdev, "");
4973 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4975 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4976 ie->timestamp = jiffies;
4979 hci_dev_unlock(hdev);
4982 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4983 struct sk_buff *skb)
4985 struct hci_ev_inquiry_result_rssi *ev = edata;
4986 struct inquiry_data data;
4989 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4994 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4999 if (skb->len == array_size(ev->num,
5000 sizeof(struct inquiry_info_rssi_pscan))) {
5001 struct inquiry_info_rssi_pscan *info;
5003 for (i = 0; i < ev->num; i++) {
5006 info = hci_ev_skb_pull(hdev, skb,
5007 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5010 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5011 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5015 bacpy(&data.bdaddr, &info->bdaddr);
5016 data.pscan_rep_mode = info->pscan_rep_mode;
5017 data.pscan_period_mode = info->pscan_period_mode;
5018 data.pscan_mode = info->pscan_mode;
5019 memcpy(data.dev_class, info->dev_class, 3);
5020 data.clock_offset = info->clock_offset;
5021 data.rssi = info->rssi;
5022 data.ssp_mode = 0x00;
5024 flags = hci_inquiry_cache_update(hdev, &data, false);
5026 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5027 info->dev_class, info->rssi,
5028 flags, NULL, 0, NULL, 0, 0);
5030 } else if (skb->len == array_size(ev->num,
5031 sizeof(struct inquiry_info_rssi))) {
5032 struct inquiry_info_rssi *info;
5034 for (i = 0; i < ev->num; i++) {
5037 info = hci_ev_skb_pull(hdev, skb,
5038 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5041 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5042 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5046 bacpy(&data.bdaddr, &info->bdaddr);
5047 data.pscan_rep_mode = info->pscan_rep_mode;
5048 data.pscan_period_mode = info->pscan_period_mode;
5049 data.pscan_mode = 0x00;
5050 memcpy(data.dev_class, info->dev_class, 3);
5051 data.clock_offset = info->clock_offset;
5052 data.rssi = info->rssi;
5053 data.ssp_mode = 0x00;
5055 flags = hci_inquiry_cache_update(hdev, &data, false);
5057 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5058 info->dev_class, info->rssi,
5059 flags, NULL, 0, NULL, 0, 0);
5062 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5063 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5066 hci_dev_unlock(hdev);
5069 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5070 struct sk_buff *skb)
5072 struct hci_ev_remote_ext_features *ev = data;
5073 struct hci_conn *conn;
5075 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5079 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5083 if (ev->page < HCI_MAX_PAGES)
5084 memcpy(conn->features[ev->page], ev->features, 8);
5086 if (!ev->status && ev->page == 0x01) {
5087 struct inquiry_entry *ie;
5089 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5091 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5093 if (ev->features[0] & LMP_HOST_SSP) {
5094 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5096 /* It is mandatory by the Bluetooth specification that
5097 * Extended Inquiry Results are only used when Secure
5098 * Simple Pairing is enabled, but some devices violate
5101 * To make these devices work, the internal SSP
5102 * enabled flag needs to be cleared if the remote host
5103 * features do not indicate SSP support */
5104 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5107 if (ev->features[0] & LMP_HOST_SC)
5108 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5111 if (conn->state != BT_CONFIG)
5114 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5115 struct hci_cp_remote_name_req cp;
5116 memset(&cp, 0, sizeof(cp));
5117 bacpy(&cp.bdaddr, &conn->dst);
5118 cp.pscan_rep_mode = 0x02;
5119 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5120 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5121 mgmt_device_connected(hdev, conn, NULL, 0);
5123 if (!hci_outgoing_auth_needed(hdev, conn)) {
5124 conn->state = BT_CONNECTED;
5125 hci_connect_cfm(conn, ev->status);
5126 hci_conn_drop(conn);
5130 hci_dev_unlock(hdev);
5133 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5134 struct sk_buff *skb)
5136 struct hci_ev_sync_conn_complete *ev = data;
5137 struct hci_conn *conn;
5138 u8 status = ev->status;
5140 switch (ev->link_type) {
5145 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5146 * for HCI_Synchronous_Connection_Complete is limited to
5147 * either SCO or eSCO
5149 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5153 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5157 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5159 if (ev->link_type == ESCO_LINK)
5162 /* When the link type in the event indicates SCO connection
5163 * and lookup of the connection object fails, then check
5164 * if an eSCO connection object exists.
5166 * The core limits the synchronous connections to either
5167 * SCO or eSCO. The eSCO connection is preferred and tried
5168 * to be setup first and until successfully established,
5169 * the link type will be hinted as eSCO.
5171 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5176 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5177 * Processing it more than once per connection can corrupt kernel memory.
5179 * As the connection handle is set here for the first time, it indicates
5180 * whether the connection is already set up.
5182 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5183 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5189 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5191 conn->state = BT_CLOSED;
5195 conn->state = BT_CONNECTED;
5196 conn->type = ev->link_type;
5198 hci_debugfs_create_conn(conn);
5199 hci_conn_add_sysfs(conn);
5202 case 0x10: /* Connection Accept Timeout */
5203 case 0x0d: /* Connection Rejected due to Limited Resources */
5204 case 0x11: /* Unsupported Feature or Parameter Value */
5205 case 0x1c: /* SCO interval rejected */
5206 case 0x1a: /* Unsupported Remote Feature */
5207 case 0x1e: /* Invalid LMP Parameters */
5208 case 0x1f: /* Unspecified error */
5209 case 0x20: /* Unsupported LMP Parameter value */
5211 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5212 (hdev->esco_type & EDR_ESCO_MASK);
5213 if (hci_setup_sync(conn, conn->parent->handle))
5219 conn->state = BT_CLOSED;
5223 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5224 /* Notify only in case of SCO over HCI transport data path which
5225 * is zero and non-zero value shall be non-HCI transport data path
5227 if (conn->codec.data_path == 0 && hdev->notify) {
5228 switch (ev->air_mode) {
5230 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5233 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5238 hci_connect_cfm(conn, status);
5243 hci_dev_unlock(hdev);
5246 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5250 while (parsed < eir_len) {
5251 u8 field_len = eir[0];
5256 parsed += field_len + 1;
5257 eir += field_len + 1;
5263 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5264 struct sk_buff *skb)
5266 struct hci_ev_ext_inquiry_result *ev = edata;
5267 struct inquiry_data data;
5271 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5272 flex_array_size(ev, info, ev->num)))
5275 bt_dev_dbg(hdev, "num %d", ev->num);
5280 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5285 for (i = 0; i < ev->num; i++) {
5286 struct extended_inquiry_info *info = &ev->info[i];
5290 bacpy(&data.bdaddr, &info->bdaddr);
5291 data.pscan_rep_mode = info->pscan_rep_mode;
5292 data.pscan_period_mode = info->pscan_period_mode;
5293 data.pscan_mode = 0x00;
5294 memcpy(data.dev_class, info->dev_class, 3);
5295 data.clock_offset = info->clock_offset;
5296 data.rssi = info->rssi;
5297 data.ssp_mode = 0x01;
5299 if (hci_dev_test_flag(hdev, HCI_MGMT))
5300 name_known = eir_get_data(info->data,
5302 EIR_NAME_COMPLETE, NULL);
5306 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5308 eir_len = eir_get_length(info->data, sizeof(info->data));
5310 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5311 info->dev_class, info->rssi,
5312 flags, info->data, eir_len, NULL, 0, 0);
5315 hci_dev_unlock(hdev);
5318 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5319 struct sk_buff *skb)
5321 struct hci_ev_key_refresh_complete *ev = data;
5322 struct hci_conn *conn;
5324 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5325 __le16_to_cpu(ev->handle));
5329 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5333 /* For BR/EDR the necessary steps are taken through the
5334 * auth_complete event.
5336 if (conn->type != LE_LINK)
5340 conn->sec_level = conn->pending_sec_level;
5342 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5344 if (ev->status && conn->state == BT_CONNECTED) {
5345 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5346 hci_conn_drop(conn);
5350 if (conn->state == BT_CONFIG) {
5352 conn->state = BT_CONNECTED;
5354 hci_connect_cfm(conn, ev->status);
5355 hci_conn_drop(conn);
5357 hci_auth_cfm(conn, ev->status);
5359 hci_conn_hold(conn);
5360 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5361 hci_conn_drop(conn);
5365 hci_dev_unlock(hdev);
5368 static u8 hci_get_auth_req(struct hci_conn *conn)
5370 /* If remote requests no-bonding follow that lead */
5371 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5372 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5373 return conn->remote_auth | (conn->auth_type & 0x01);
5375 /* If both remote and local have enough IO capabilities, require
5378 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5379 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5380 return conn->remote_auth | 0x01;
5382 /* No MITM protection possible so ignore remote requirement */
5383 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5386 static u8 bredr_oob_data_present(struct hci_conn *conn)
5388 struct hci_dev *hdev = conn->hdev;
5389 struct oob_data *data;
5391 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5395 if (bredr_sc_enabled(hdev)) {
5396 /* When Secure Connections is enabled, then just
5397 * return the present value stored with the OOB
5398 * data. The stored value contains the right present
5399 * information. However it can only be trusted when
5400 * not in Secure Connection Only mode.
5402 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5403 return data->present;
5405 /* When Secure Connections Only mode is enabled, then
5406 * the P-256 values are required. If they are not
5407 * available, then do not declare that OOB data is
5410 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5411 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5417 /* When Secure Connections is not enabled or actually
5418 * not supported by the hardware, then check that if
5419 * P-192 data values are present.
5421 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5422 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5428 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5429 struct sk_buff *skb)
5431 struct hci_ev_io_capa_request *ev = data;
5432 struct hci_conn *conn;
5434 bt_dev_dbg(hdev, "");
5438 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5439 if (!conn || !hci_conn_ssp_enabled(conn))
5442 hci_conn_hold(conn);
5444 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5447 /* Allow pairing if we're pairable, the initiators of the
5448 * pairing or if the remote is not requesting bonding.
5450 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5451 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5452 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5453 struct hci_cp_io_capability_reply cp;
5455 bacpy(&cp.bdaddr, &ev->bdaddr);
5456 /* Change the IO capability from KeyboardDisplay
5457 * to DisplayYesNo as it is not supported by BT spec. */
5458 cp.capability = (conn->io_capability == 0x04) ?
5459 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5461 /* If we are initiators, there is no remote information yet */
5462 if (conn->remote_auth == 0xff) {
5463 /* Request MITM protection if our IO caps allow it
5464 * except for the no-bonding case.
5466 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5467 conn->auth_type != HCI_AT_NO_BONDING)
5468 conn->auth_type |= 0x01;
5470 conn->auth_type = hci_get_auth_req(conn);
5473 /* If we're not bondable, force one of the non-bondable
5474 * authentication requirement values.
5476 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5477 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5479 cp.authentication = conn->auth_type;
5480 cp.oob_data = bredr_oob_data_present(conn);
5482 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5485 struct hci_cp_io_capability_neg_reply cp;
5487 bacpy(&cp.bdaddr, &ev->bdaddr);
5488 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5490 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5495 hci_dev_unlock(hdev);
5498 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5499 struct sk_buff *skb)
5501 struct hci_ev_io_capa_reply *ev = data;
5502 struct hci_conn *conn;
5504 bt_dev_dbg(hdev, "");
5508 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5512 conn->remote_cap = ev->capability;
5513 conn->remote_auth = ev->authentication;
5516 hci_dev_unlock(hdev);
5519 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5520 struct sk_buff *skb)
5522 struct hci_ev_user_confirm_req *ev = data;
5523 int loc_mitm, rem_mitm, confirm_hint = 0;
5524 struct hci_conn *conn;
5526 bt_dev_dbg(hdev, "");
5530 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5533 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5537 loc_mitm = (conn->auth_type & 0x01);
5538 rem_mitm = (conn->remote_auth & 0x01);
5540 /* If we require MITM but the remote device can't provide that
5541 * (it has NoInputNoOutput) then reject the confirmation
5542 * request. We check the security level here since it doesn't
5543 * necessarily match conn->auth_type.
5545 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5546 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5547 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5548 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5549 sizeof(ev->bdaddr), &ev->bdaddr);
5553 /* If no side requires MITM protection; auto-accept */
5554 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5555 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5557 /* If we're not the initiators request authorization to
5558 * proceed from user space (mgmt_user_confirm with
5559 * confirm_hint set to 1). The exception is if neither
5560 * side had MITM or if the local IO capability is
5561 * NoInputNoOutput, in which case we do auto-accept
5563 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5564 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5565 (loc_mitm || rem_mitm)) {
5566 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5571 /* If there already exists link key in local host, leave the
5572 * decision to user space since the remote device could be
5573 * legitimate or malicious.
5575 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5576 bt_dev_dbg(hdev, "Local host already has link key");
5581 BT_DBG("Auto-accept of user confirmation with %ums delay",
5582 hdev->auto_accept_delay);
5584 if (hdev->auto_accept_delay > 0) {
5585 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5586 queue_delayed_work(conn->hdev->workqueue,
5587 &conn->auto_accept_work, delay);
5591 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5592 sizeof(ev->bdaddr), &ev->bdaddr);
5597 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5598 le32_to_cpu(ev->passkey), confirm_hint);
5601 hci_dev_unlock(hdev);
5604 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5605 struct sk_buff *skb)
5607 struct hci_ev_user_passkey_req *ev = data;
5609 bt_dev_dbg(hdev, "");
5611 if (hci_dev_test_flag(hdev, HCI_MGMT))
5612 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5615 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5616 struct sk_buff *skb)
5618 struct hci_ev_user_passkey_notify *ev = data;
5619 struct hci_conn *conn;
5621 bt_dev_dbg(hdev, "");
5623 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5627 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5628 conn->passkey_entered = 0;
5630 if (hci_dev_test_flag(hdev, HCI_MGMT))
5631 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5632 conn->dst_type, conn->passkey_notify,
5633 conn->passkey_entered);
5636 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5637 struct sk_buff *skb)
5639 struct hci_ev_keypress_notify *ev = data;
5640 struct hci_conn *conn;
5642 bt_dev_dbg(hdev, "");
5644 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5649 case HCI_KEYPRESS_STARTED:
5650 conn->passkey_entered = 0;
5653 case HCI_KEYPRESS_ENTERED:
5654 conn->passkey_entered++;
5657 case HCI_KEYPRESS_ERASED:
5658 conn->passkey_entered--;
5661 case HCI_KEYPRESS_CLEARED:
5662 conn->passkey_entered = 0;
5665 case HCI_KEYPRESS_COMPLETED:
5669 if (hci_dev_test_flag(hdev, HCI_MGMT))
5670 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5671 conn->dst_type, conn->passkey_notify,
5672 conn->passkey_entered);
5675 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5676 struct sk_buff *skb)
5678 struct hci_ev_simple_pair_complete *ev = data;
5679 struct hci_conn *conn;
5681 bt_dev_dbg(hdev, "");
5685 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5686 if (!conn || !hci_conn_ssp_enabled(conn))
5689 /* Reset the authentication requirement to unknown */
5690 conn->remote_auth = 0xff;
5692 /* To avoid duplicate auth_failed events to user space we check
5693 * the HCI_CONN_AUTH_PEND flag which will be set if we
5694 * initiated the authentication. A traditional auth_complete
5695 * event gets always produced as initiator and is also mapped to
5696 * the mgmt_auth_failed event */
5697 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5698 mgmt_auth_failed(conn, ev->status);
5700 hci_conn_drop(conn);
5703 hci_dev_unlock(hdev);
5706 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5707 struct sk_buff *skb)
5709 struct hci_ev_remote_host_features *ev = data;
5710 struct inquiry_entry *ie;
5711 struct hci_conn *conn;
5713 bt_dev_dbg(hdev, "");
5717 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5719 memcpy(conn->features[1], ev->features, 8);
5721 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5723 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5725 hci_dev_unlock(hdev);
5728 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5729 struct sk_buff *skb)
5731 struct hci_ev_remote_oob_data_request *ev = edata;
5732 struct oob_data *data;
5734 bt_dev_dbg(hdev, "");
5738 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5741 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5743 struct hci_cp_remote_oob_data_neg_reply cp;
5745 bacpy(&cp.bdaddr, &ev->bdaddr);
5746 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5751 if (bredr_sc_enabled(hdev)) {
5752 struct hci_cp_remote_oob_ext_data_reply cp;
5754 bacpy(&cp.bdaddr, &ev->bdaddr);
5755 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5756 memset(cp.hash192, 0, sizeof(cp.hash192));
5757 memset(cp.rand192, 0, sizeof(cp.rand192));
5759 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5760 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5762 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5763 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5765 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5768 struct hci_cp_remote_oob_data_reply cp;
5770 bacpy(&cp.bdaddr, &ev->bdaddr);
5771 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5772 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5774 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5779 hci_dev_unlock(hdev);
5782 #if IS_ENABLED(CONFIG_BT_HS)
5783 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5784 struct sk_buff *skb)
5786 struct hci_ev_channel_selected *ev = data;
5787 struct hci_conn *hcon;
5789 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5791 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5795 amp_read_loc_assoc_final_data(hdev, hcon);
5798 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5799 struct sk_buff *skb)
5801 struct hci_ev_phy_link_complete *ev = data;
5802 struct hci_conn *hcon, *bredr_hcon;
5804 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5809 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5821 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5823 hcon->state = BT_CONNECTED;
5824 bacpy(&hcon->dst, &bredr_hcon->dst);
5826 hci_conn_hold(hcon);
5827 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5828 hci_conn_drop(hcon);
5830 hci_debugfs_create_conn(hcon);
5831 hci_conn_add_sysfs(hcon);
5833 amp_physical_cfm(bredr_hcon, hcon);
5836 hci_dev_unlock(hdev);
5839 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5840 struct sk_buff *skb)
5842 struct hci_ev_logical_link_complete *ev = data;
5843 struct hci_conn *hcon;
5844 struct hci_chan *hchan;
5845 struct amp_mgr *mgr;
5847 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5848 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5850 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5854 /* Create AMP hchan */
5855 hchan = hci_chan_create(hcon);
5859 hchan->handle = le16_to_cpu(ev->handle);
5862 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5864 mgr = hcon->amp_mgr;
5865 if (mgr && mgr->bredr_chan) {
5866 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5868 l2cap_chan_lock(bredr_chan);
5870 bredr_chan->conn->mtu = hdev->block_mtu;
5871 l2cap_logical_cfm(bredr_chan, hchan, 0);
5872 hci_conn_hold(hcon);
5874 l2cap_chan_unlock(bredr_chan);
5878 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5879 struct sk_buff *skb)
5881 struct hci_ev_disconn_logical_link_complete *ev = data;
5882 struct hci_chan *hchan;
5884 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5885 le16_to_cpu(ev->handle), ev->status);
5892 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5893 if (!hchan || !hchan->amp)
5896 amp_destroy_logical_link(hchan, ev->reason);
5899 hci_dev_unlock(hdev);
5902 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5903 struct sk_buff *skb)
5905 struct hci_ev_disconn_phy_link_complete *ev = data;
5906 struct hci_conn *hcon;
5908 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5915 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5916 if (hcon && hcon->type == AMP_LINK) {
5917 hcon->state = BT_CLOSED;
5918 hci_disconn_cfm(hcon, ev->reason);
5922 hci_dev_unlock(hdev);
5926 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5927 u8 bdaddr_type, bdaddr_t *local_rpa)
5930 conn->dst_type = bdaddr_type;
5931 conn->resp_addr_type = bdaddr_type;
5932 bacpy(&conn->resp_addr, bdaddr);
5934 /* Check if the controller has set a Local RPA then it must be
5935 * used instead or hdev->rpa.
5937 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5938 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5939 bacpy(&conn->init_addr, local_rpa);
5940 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5941 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5942 bacpy(&conn->init_addr, &conn->hdev->rpa);
5944 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5945 &conn->init_addr_type);
5948 conn->resp_addr_type = conn->hdev->adv_addr_type;
5949 /* Check if the controller has set a Local RPA then it must be
5950 * used instead or hdev->rpa.
5952 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5953 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5954 bacpy(&conn->resp_addr, local_rpa);
5955 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5956 /* In case of ext adv, resp_addr will be updated in
5957 * Adv Terminated event.
5959 if (!ext_adv_capable(conn->hdev))
5960 bacpy(&conn->resp_addr,
5961 &conn->hdev->random_addr);
5963 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5966 conn->init_addr_type = bdaddr_type;
5967 bacpy(&conn->init_addr, bdaddr);
5969 /* For incoming connections, set the default minimum
5970 * and maximum connection interval. They will be used
5971 * to check if the parameters are in range and if not
5972 * trigger the connection update procedure.
5974 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5975 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5979 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5980 bdaddr_t *bdaddr, u8 bdaddr_type,
5981 bdaddr_t *local_rpa, u8 role, u16 handle,
5982 u16 interval, u16 latency,
5983 u16 supervision_timeout)
5985 struct hci_conn_params *params;
5986 struct hci_conn *conn;
5987 struct smp_irk *irk;
5992 /* All controllers implicitly stop advertising in the event of a
5993 * connection, so ensure that the state bit is cleared.
5995 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5997 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5999 /* In case of error status and there is no connection pending
6000 * just unlock as there is nothing to cleanup.
6005 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
6007 bt_dev_err(hdev, "no memory for new connection");
6011 conn->dst_type = bdaddr_type;
6013 /* If we didn't have a hci_conn object previously
6014 * but we're in central role this must be something
6015 * initiated using an accept list. Since accept list based
6016 * connections are not "first class citizens" we don't
6017 * have full tracking of them. Therefore, we go ahead
6018 * with a "best effort" approach of determining the
6019 * initiator address based on the HCI_PRIVACY flag.
6022 conn->resp_addr_type = bdaddr_type;
6023 bacpy(&conn->resp_addr, bdaddr);
6024 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6025 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6026 bacpy(&conn->init_addr, &hdev->rpa);
6028 hci_copy_identity_address(hdev,
6030 &conn->init_addr_type);
6034 cancel_delayed_work(&conn->le_conn_timeout);
6037 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6038 * Processing it more than once per connection can corrupt kernel memory.
6040 * As the connection handle is set here for the first time, it indicates
6041 * whether the connection is already set up.
6043 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
6044 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6048 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6050 /* Lookup the identity address from the stored connection
6051 * address and address type.
6053 * When establishing connections to an identity address, the
6054 * connection procedure will store the resolvable random
6055 * address first. Now if it can be converted back into the
6056 * identity address, start using the identity address from
6059 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6061 bacpy(&conn->dst, &irk->bdaddr);
6062 conn->dst_type = irk->addr_type;
6065 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6067 /* All connection failure handling is taken care of by the
6068 * hci_conn_failed function which is triggered by the HCI
6069 * request completion callbacks used for connecting.
6071 if (status || hci_conn_set_handle(conn, handle))
6074 /* Drop the connection if it has been aborted */
6075 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6076 hci_conn_drop(conn);
6080 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6081 addr_type = BDADDR_LE_PUBLIC;
6083 addr_type = BDADDR_LE_RANDOM;
6085 /* Drop the connection if the device is blocked */
6086 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6087 hci_conn_drop(conn);
6091 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6092 mgmt_device_connected(hdev, conn, NULL, 0);
6094 conn->sec_level = BT_SECURITY_LOW;
6095 conn->state = BT_CONFIG;
6097 /* Store current advertising instance as connection advertising instance
6098 * when sotfware rotation is in use so it can be re-enabled when
6101 if (!ext_adv_capable(hdev))
6102 conn->adv_instance = hdev->cur_adv_instance;
6104 conn->le_conn_interval = interval;
6105 conn->le_conn_latency = latency;
6106 conn->le_supv_timeout = supervision_timeout;
6108 hci_debugfs_create_conn(conn);
6109 hci_conn_add_sysfs(conn);
6111 /* The remote features procedure is defined for central
6112 * role only. So only in case of an initiated connection
6113 * request the remote features.
6115 * If the local controller supports peripheral-initiated features
6116 * exchange, then requesting the remote features in peripheral
6117 * role is possible. Otherwise just transition into the
6118 * connected state without requesting the remote features.
6121 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6122 struct hci_cp_le_read_remote_features cp;
6124 cp.handle = __cpu_to_le16(conn->handle);
6126 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6129 hci_conn_hold(conn);
6131 conn->state = BT_CONNECTED;
6132 hci_connect_cfm(conn, status);
6135 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6138 hci_pend_le_list_del_init(params);
6140 hci_conn_drop(params->conn);
6141 hci_conn_put(params->conn);
6142 params->conn = NULL;
6147 hci_update_passive_scan(hdev);
6148 hci_dev_unlock(hdev);
6151 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6152 struct sk_buff *skb)
6154 struct hci_ev_le_conn_complete *ev = data;
6156 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6158 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6159 NULL, ev->role, le16_to_cpu(ev->handle),
6160 le16_to_cpu(ev->interval),
6161 le16_to_cpu(ev->latency),
6162 le16_to_cpu(ev->supervision_timeout));
6165 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6166 struct sk_buff *skb)
6168 struct hci_ev_le_enh_conn_complete *ev = data;
6170 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6172 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6173 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6174 le16_to_cpu(ev->interval),
6175 le16_to_cpu(ev->latency),
6176 le16_to_cpu(ev->supervision_timeout));
6179 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6180 struct sk_buff *skb)
6182 struct hci_evt_le_ext_adv_set_term *ev = data;
6183 struct hci_conn *conn;
6184 struct adv_info *adv, *n;
6186 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6188 /* The Bluetooth Core 5.3 specification clearly states that this event
6189 * shall not be sent when the Host disables the advertising set. So in
6190 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6192 * When the Host disables an advertising set, all cleanup is done via
6193 * its command callback and not needed to be duplicated here.
6195 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6196 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6202 adv = hci_find_adv_instance(hdev, ev->handle);
6208 /* Remove advertising as it has been terminated */
6209 hci_remove_adv_instance(hdev, ev->handle);
6210 mgmt_advertising_removed(NULL, hdev, ev->handle);
6212 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6217 /* We are no longer advertising, clear HCI_LE_ADV */
6218 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6223 adv->enabled = false;
6225 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6227 /* Store handle in the connection so the correct advertising
6228 * instance can be re-enabled when disconnected.
6230 conn->adv_instance = ev->handle;
6232 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6233 bacmp(&conn->resp_addr, BDADDR_ANY))
6237 bacpy(&conn->resp_addr, &hdev->random_addr);
6242 bacpy(&conn->resp_addr, &adv->random_addr);
6246 hci_dev_unlock(hdev);
6249 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6250 struct sk_buff *skb)
6252 struct hci_ev_le_conn_update_complete *ev = data;
6253 struct hci_conn *conn;
6255 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6262 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6266 hci_dev_unlock(hdev);
6267 mgmt_le_conn_update_failed(hdev, &conn->dst,
6268 conn->type, conn->dst_type, ev->status);
6272 conn->le_conn_interval = le16_to_cpu(ev->interval);
6273 conn->le_conn_latency = le16_to_cpu(ev->latency);
6274 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6277 hci_dev_unlock(hdev);
6280 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6281 conn->dst_type, conn->le_conn_interval,
6282 conn->le_conn_latency, conn->le_supv_timeout);
6286 /* This function requires the caller holds hdev->lock */
6287 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6289 u8 addr_type, bool addr_resolved,
6292 struct hci_conn *conn;
6293 struct hci_conn_params *params;
6295 /* If the event is not connectable don't proceed further */
6296 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6299 /* Ignore if the device is blocked or hdev is suspended */
6300 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6304 /* Most controller will fail if we try to create new connections
6305 * while we have an existing one in peripheral role.
6307 if (hdev->conn_hash.le_num_peripheral > 0 &&
6308 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6309 !(hdev->le_states[3] & 0x10)))
6312 /* If we're not connectable only connect devices that we have in
6313 * our pend_le_conns list.
6315 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6320 if (!params->explicit_connect) {
6321 switch (params->auto_connect) {
6322 case HCI_AUTO_CONN_DIRECT:
6323 /* Only devices advertising with ADV_DIRECT_IND are
6324 * triggering a connection attempt. This is allowing
6325 * incoming connections from peripheral devices.
6327 if (adv_type != LE_ADV_DIRECT_IND)
6330 case HCI_AUTO_CONN_ALWAYS:
6331 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6332 * are triggering a connection attempt. This means
6333 * that incoming connections from peripheral device are
6334 * accepted and also outgoing connections to peripheral
6335 * devices are established when found.
6343 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6344 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6346 if (!IS_ERR(conn)) {
6347 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6348 * by higher layer that tried to connect, if no then
6349 * store the pointer since we don't really have any
6350 * other owner of the object besides the params that
6351 * triggered it. This way we can abort the connection if
6352 * the parameters get removed and keep the reference
6353 * count consistent once the connection is established.
6356 if (!params->explicit_connect)
6357 params->conn = hci_conn_get(conn);
6362 switch (PTR_ERR(conn)) {
6364 /* If hci_connect() returns -EBUSY it means there is already
6365 * an LE connection attempt going on. Since controllers don't
6366 * support more than one connection attempt at the time, we
6367 * don't consider this an error case.
6371 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6378 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6379 u8 bdaddr_type, bdaddr_t *direct_addr,
6380 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6381 bool ext_adv, bool ctl_time, u64 instant)
6383 struct discovery_state *d = &hdev->discovery;
6384 struct smp_irk *irk;
6385 struct hci_conn *conn;
6386 bool match, bdaddr_resolved;
6392 case LE_ADV_DIRECT_IND:
6393 case LE_ADV_SCAN_IND:
6394 case LE_ADV_NONCONN_IND:
6395 case LE_ADV_SCAN_RSP:
6398 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6399 "type: 0x%02x", type);
6403 if (len > max_adv_len(hdev)) {
6404 bt_dev_err_ratelimited(hdev,
6405 "adv larger than maximum supported");
6409 /* Find the end of the data in case the report contains padded zero
6410 * bytes at the end causing an invalid length value.
6412 * When data is NULL, len is 0 so there is no need for extra ptr
6413 * check as 'ptr < data + 0' is already false in such case.
6415 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6416 if (ptr + 1 + *ptr > data + len)
6420 /* Adjust for actual length. This handles the case when remote
6421 * device is advertising with incorrect data length.
6425 /* If the direct address is present, then this report is from
6426 * a LE Direct Advertising Report event. In that case it is
6427 * important to see if the address is matching the local
6428 * controller address.
6430 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6431 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6434 /* Only resolvable random addresses are valid for these
6435 * kind of reports and others can be ignored.
6437 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6440 /* If the controller is not using resolvable random
6441 * addresses, then this report can be ignored.
6443 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6446 /* If the local IRK of the controller does not match
6447 * with the resolvable random address provided, then
6448 * this report can be ignored.
6450 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6454 /* Check if we need to convert to identity address */
6455 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6457 bdaddr = &irk->bdaddr;
6458 bdaddr_type = irk->addr_type;
6461 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6463 /* Check if we have been requested to connect to this device.
6465 * direct_addr is set only for directed advertising reports (it is NULL
6466 * for advertising reports) and is already verified to be RPA above.
6468 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6470 if (!ext_adv && conn && type == LE_ADV_IND &&
6471 len <= max_adv_len(hdev)) {
6472 /* Store report for later inclusion by
6473 * mgmt_device_connected
6475 memcpy(conn->le_adv_data, data, len);
6476 conn->le_adv_data_len = len;
6479 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6480 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6484 /* All scan results should be sent up for Mesh systems */
6485 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6486 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6487 rssi, flags, data, len, NULL, 0, instant);
6491 /* Passive scanning shouldn't trigger any device found events,
6492 * except for devices marked as CONN_REPORT for which we do send
6493 * device found events, or advertisement monitoring requested.
6495 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6496 if (type == LE_ADV_DIRECT_IND)
6499 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6500 bdaddr, bdaddr_type) &&
6501 idr_is_empty(&hdev->adv_monitors_idr))
6504 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6505 rssi, flags, data, len, NULL, 0, 0);
6509 /* When receiving a scan response, then there is no way to
6510 * know if the remote device is connectable or not. However
6511 * since scan responses are merged with a previously seen
6512 * advertising report, the flags field from that report
6515 * In the unlikely case that a controller just sends a scan
6516 * response event that doesn't match the pending report, then
6517 * it is marked as a standalone SCAN_RSP.
6519 if (type == LE_ADV_SCAN_RSP)
6520 flags = MGMT_DEV_FOUND_SCAN_RSP;
6522 /* If there's nothing pending either store the data from this
6523 * event or send an immediate device found event if the data
6524 * should not be stored for later.
6526 if (!ext_adv && !has_pending_adv_report(hdev)) {
6527 /* If the report will trigger a SCAN_REQ store it for
6530 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6531 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6532 rssi, flags, data, len);
6536 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6537 rssi, flags, data, len, NULL, 0, 0);
6541 /* Check if the pending report is for the same device as the new one */
6542 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6543 bdaddr_type == d->last_adv_addr_type);
6545 /* If the pending data doesn't match this report or this isn't a
6546 * scan response (e.g. we got a duplicate ADV_IND) then force
6547 * sending of the pending data.
6549 if (type != LE_ADV_SCAN_RSP || !match) {
6550 /* Send out whatever is in the cache, but skip duplicates */
6552 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6553 d->last_adv_addr_type, NULL,
6554 d->last_adv_rssi, d->last_adv_flags,
6556 d->last_adv_data_len, NULL, 0, 0);
6558 /* If the new report will trigger a SCAN_REQ store it for
6561 if (!ext_adv && (type == LE_ADV_IND ||
6562 type == LE_ADV_SCAN_IND)) {
6563 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6564 rssi, flags, data, len);
6568 /* The advertising reports cannot be merged, so clear
6569 * the pending report and send out a device found event.
6571 clear_pending_adv_report(hdev);
6572 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6573 rssi, flags, data, len, NULL, 0, 0);
6577 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6578 * the new event is a SCAN_RSP. We can therefore proceed with
6579 * sending a merged device found event.
6581 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6582 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6583 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6584 clear_pending_adv_report(hdev);
6587 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6588 struct sk_buff *skb)
6590 struct hci_ev_le_advertising_report *ev = data;
6591 u64 instant = jiffies;
6599 struct hci_ev_le_advertising_info *info;
6602 info = hci_le_ev_skb_pull(hdev, skb,
6603 HCI_EV_LE_ADVERTISING_REPORT,
6608 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6612 if (info->length <= max_adv_len(hdev)) {
6613 rssi = info->data[info->length];
6614 process_adv_report(hdev, info->type, &info->bdaddr,
6615 info->bdaddr_type, NULL, 0, rssi,
6616 info->data, info->length, false,
6619 bt_dev_err(hdev, "Dropping invalid advertising data");
6623 hci_dev_unlock(hdev);
6626 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6628 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6630 case LE_LEGACY_ADV_IND:
6632 case LE_LEGACY_ADV_DIRECT_IND:
6633 return LE_ADV_DIRECT_IND;
6634 case LE_LEGACY_ADV_SCAN_IND:
6635 return LE_ADV_SCAN_IND;
6636 case LE_LEGACY_NONCONN_IND:
6637 return LE_ADV_NONCONN_IND;
6638 case LE_LEGACY_SCAN_RSP_ADV:
6639 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6640 return LE_ADV_SCAN_RSP;
6646 if (evt_type & LE_EXT_ADV_CONN_IND) {
6647 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6648 return LE_ADV_DIRECT_IND;
6653 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6654 return LE_ADV_SCAN_RSP;
6656 if (evt_type & LE_EXT_ADV_SCAN_IND)
6657 return LE_ADV_SCAN_IND;
6659 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6660 evt_type & LE_EXT_ADV_DIRECT_IND)
6661 return LE_ADV_NONCONN_IND;
6664 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6667 return LE_ADV_INVALID;
6670 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6671 struct sk_buff *skb)
6673 struct hci_ev_le_ext_adv_report *ev = data;
6674 u64 instant = jiffies;
6682 struct hci_ev_le_ext_adv_info *info;
6686 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6691 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6695 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6696 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6697 if (legacy_evt_type != LE_ADV_INVALID) {
6698 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6699 info->bdaddr_type, NULL, 0,
6700 info->rssi, info->data, info->length,
6701 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6706 hci_dev_unlock(hdev);
6709 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6711 struct hci_cp_le_pa_term_sync cp;
6713 memset(&cp, 0, sizeof(cp));
6716 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6719 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6720 struct sk_buff *skb)
6722 struct hci_ev_le_pa_sync_established *ev = data;
6723 int mask = hdev->link_mode;
6725 struct hci_conn *pa_sync;
6727 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6731 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6733 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6734 if (!(mask & HCI_LM_ACCEPT)) {
6735 hci_le_pa_term_sync(hdev, ev->handle);
6739 if (!(flags & HCI_PROTO_DEFER))
6743 /* Add connection to indicate the failed PA sync event */
6744 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6750 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6752 /* Notify iso layer */
6753 hci_connect_cfm(pa_sync, ev->status);
6757 hci_dev_unlock(hdev);
6760 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6761 struct sk_buff *skb)
6763 struct hci_ev_le_per_adv_report *ev = data;
6764 int mask = hdev->link_mode;
6767 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6771 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6772 if (!(mask & HCI_LM_ACCEPT))
6773 hci_le_pa_term_sync(hdev, ev->sync_handle);
6775 hci_dev_unlock(hdev);
6778 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6779 struct sk_buff *skb)
6781 struct hci_ev_le_remote_feat_complete *ev = data;
6782 struct hci_conn *conn;
6784 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6788 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6791 memcpy(conn->features[0], ev->features, 8);
6793 if (conn->state == BT_CONFIG) {
6796 /* If the local controller supports peripheral-initiated
6797 * features exchange, but the remote controller does
6798 * not, then it is possible that the error code 0x1a
6799 * for unsupported remote feature gets returned.
6801 * In this specific case, allow the connection to
6802 * transition into connected state and mark it as
6805 if (!conn->out && ev->status == 0x1a &&
6806 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6809 status = ev->status;
6811 conn->state = BT_CONNECTED;
6812 hci_connect_cfm(conn, status);
6813 hci_conn_drop(conn);
6817 hci_dev_unlock(hdev);
6820 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6821 struct sk_buff *skb)
6823 struct hci_ev_le_ltk_req *ev = data;
6824 struct hci_cp_le_ltk_reply cp;
6825 struct hci_cp_le_ltk_neg_reply neg;
6826 struct hci_conn *conn;
6827 struct smp_ltk *ltk;
6829 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6833 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6837 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6841 if (smp_ltk_is_sc(ltk)) {
6842 /* With SC both EDiv and Rand are set to zero */
6843 if (ev->ediv || ev->rand)
6846 /* For non-SC keys check that EDiv and Rand match */
6847 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6851 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6852 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6853 cp.handle = cpu_to_le16(conn->handle);
6855 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6857 conn->enc_key_size = ltk->enc_size;
6859 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6861 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6862 * temporary key used to encrypt a connection following
6863 * pairing. It is used during the Encrypted Session Setup to
6864 * distribute the keys. Later, security can be re-established
6865 * using a distributed LTK.
6867 if (ltk->type == SMP_STK) {
6868 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6869 list_del_rcu(<k->list);
6870 kfree_rcu(ltk, rcu);
6872 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6875 hci_dev_unlock(hdev);
6880 neg.handle = ev->handle;
6881 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6882 hci_dev_unlock(hdev);
6885 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6888 struct hci_cp_le_conn_param_req_neg_reply cp;
6890 cp.handle = cpu_to_le16(handle);
6893 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6897 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6898 struct sk_buff *skb)
6900 struct hci_ev_le_remote_conn_param_req *ev = data;
6901 struct hci_cp_le_conn_param_req_reply cp;
6902 struct hci_conn *hcon;
6903 u16 handle, min, max, latency, timeout;
6905 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6907 handle = le16_to_cpu(ev->handle);
6908 min = le16_to_cpu(ev->interval_min);
6909 max = le16_to_cpu(ev->interval_max);
6910 latency = le16_to_cpu(ev->latency);
6911 timeout = le16_to_cpu(ev->timeout);
6913 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6914 if (!hcon || hcon->state != BT_CONNECTED)
6915 return send_conn_param_neg_reply(hdev, handle,
6916 HCI_ERROR_UNKNOWN_CONN_ID);
6918 if (hci_check_conn_params(min, max, latency, timeout))
6919 return send_conn_param_neg_reply(hdev, handle,
6920 HCI_ERROR_INVALID_LL_PARAMS);
6922 if (hcon->role == HCI_ROLE_MASTER) {
6923 struct hci_conn_params *params;
6928 params = hci_conn_params_lookup(hdev, &hcon->dst,
6931 params->conn_min_interval = min;
6932 params->conn_max_interval = max;
6933 params->conn_latency = latency;
6934 params->supervision_timeout = timeout;
6940 hci_dev_unlock(hdev);
6942 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6943 store_hint, min, max, latency, timeout);
6946 cp.handle = ev->handle;
6947 cp.interval_min = ev->interval_min;
6948 cp.interval_max = ev->interval_max;
6949 cp.latency = ev->latency;
6950 cp.timeout = ev->timeout;
6954 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6957 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6958 struct sk_buff *skb)
6960 struct hci_ev_le_direct_adv_report *ev = data;
6961 u64 instant = jiffies;
6964 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6965 flex_array_size(ev, info, ev->num)))
6973 for (i = 0; i < ev->num; i++) {
6974 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6976 process_adv_report(hdev, info->type, &info->bdaddr,
6977 info->bdaddr_type, &info->direct_addr,
6978 info->direct_addr_type, info->rssi, NULL, 0,
6979 false, false, instant);
6982 hci_dev_unlock(hdev);
6985 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6986 struct sk_buff *skb)
6988 struct hci_ev_le_phy_update_complete *ev = data;
6989 struct hci_conn *conn;
6991 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6998 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7002 conn->le_tx_phy = ev->tx_phy;
7003 conn->le_rx_phy = ev->rx_phy;
7006 hci_dev_unlock(hdev);
7009 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7010 struct sk_buff *skb)
7012 struct hci_evt_le_cis_established *ev = data;
7013 struct hci_conn *conn;
7014 struct bt_iso_qos *qos;
7015 bool pending = false;
7016 u16 handle = __le16_to_cpu(ev->handle);
7018 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7022 conn = hci_conn_hash_lookup_handle(hdev, handle);
7025 "Unable to find connection with handle 0x%4.4x",
7030 if (conn->type != ISO_LINK) {
7032 "Invalid connection link type handle 0x%4.4x",
7037 qos = &conn->iso_qos;
7039 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
7041 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
7042 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
7043 qos->ucast.out.interval = qos->ucast.in.interval;
7045 switch (conn->role) {
7046 case HCI_ROLE_SLAVE:
7047 /* Convert Transport Latency (us) to Latency (msec) */
7048 qos->ucast.in.latency =
7049 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7051 qos->ucast.out.latency =
7052 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7054 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
7055 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
7056 qos->ucast.in.phy = ev->c_phy;
7057 qos->ucast.out.phy = ev->p_phy;
7059 case HCI_ROLE_MASTER:
7060 /* Convert Transport Latency (us) to Latency (msec) */
7061 qos->ucast.out.latency =
7062 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7064 qos->ucast.in.latency =
7065 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7067 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
7068 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
7069 qos->ucast.out.phy = ev->c_phy;
7070 qos->ucast.in.phy = ev->p_phy;
7075 conn->state = BT_CONNECTED;
7076 hci_debugfs_create_conn(conn);
7077 hci_conn_add_sysfs(conn);
7078 hci_iso_setup_path(conn);
7082 conn->state = BT_CLOSED;
7083 hci_connect_cfm(conn, ev->status);
7088 hci_le_create_cis_pending(hdev);
7090 hci_dev_unlock(hdev);
7093 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7095 struct hci_cp_le_reject_cis cp;
7097 memset(&cp, 0, sizeof(cp));
7099 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7100 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7103 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7105 struct hci_cp_le_accept_cis cp;
7107 memset(&cp, 0, sizeof(cp));
7109 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7112 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7113 struct sk_buff *skb)
7115 struct hci_evt_le_cis_req *ev = data;
7116 u16 acl_handle, cis_handle;
7117 struct hci_conn *acl, *cis;
7121 acl_handle = __le16_to_cpu(ev->acl_handle);
7122 cis_handle = __le16_to_cpu(ev->cis_handle);
7124 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7125 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7129 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7133 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7134 if (!(mask & HCI_LM_ACCEPT)) {
7135 hci_le_reject_cis(hdev, ev->cis_handle);
7139 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7141 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7144 hci_le_reject_cis(hdev, ev->cis_handle);
7149 cis->iso_qos.ucast.cig = ev->cig_id;
7150 cis->iso_qos.ucast.cis = ev->cis_id;
7152 if (!(flags & HCI_PROTO_DEFER)) {
7153 hci_le_accept_cis(hdev, ev->cis_handle);
7155 cis->state = BT_CONNECT2;
7156 hci_connect_cfm(cis, 0);
7160 hci_dev_unlock(hdev);
7163 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7165 u8 handle = PTR_UINT(data);
7167 return hci_le_terminate_big_sync(hdev, handle,
7168 HCI_ERROR_LOCAL_HOST_TERM);
7171 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7172 struct sk_buff *skb)
7174 struct hci_evt_le_create_big_complete *ev = data;
7175 struct hci_conn *conn;
7178 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7180 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7181 flex_array_size(ev, bis_handle, ev->num_bis)))
7187 /* Connect all BISes that are bound to the BIG */
7188 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7189 if (bacmp(&conn->dst, BDADDR_ANY) ||
7190 conn->type != ISO_LINK ||
7191 conn->iso_qos.bcast.big != ev->handle)
7194 if (hci_conn_set_handle(conn,
7195 __le16_to_cpu(ev->bis_handle[i++])))
7199 conn->state = BT_CONNECTED;
7200 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7202 hci_debugfs_create_conn(conn);
7203 hci_conn_add_sysfs(conn);
7204 hci_iso_setup_path(conn);
7209 hci_connect_cfm(conn, ev->status);
7217 if (!ev->status && !i)
7218 /* If no BISes have been connected for the BIG,
7219 * terminate. This is in case all bound connections
7220 * have been closed before the BIG creation
7223 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7224 UINT_PTR(ev->handle), NULL);
7226 hci_dev_unlock(hdev);
7229 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7230 struct sk_buff *skb)
7232 struct hci_evt_le_big_sync_estabilished *ev = data;
7233 struct hci_conn *bis;
7234 struct hci_conn *pa_sync;
7237 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7239 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7240 flex_array_size(ev, bis, ev->num_bis)))
7246 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7248 /* Also mark the BIG sync established event on the
7249 * associated PA sync hcon
7251 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7254 for (i = 0; i < ev->num_bis; i++) {
7255 u16 handle = le16_to_cpu(ev->bis[i]);
7258 bis = hci_conn_hash_lookup_handle(hdev, handle);
7260 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7261 HCI_ROLE_SLAVE, handle);
7266 if (ev->status != 0x42)
7267 /* Mark PA sync as established */
7268 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7270 bis->iso_qos.bcast.big = ev->handle;
7271 memset(&interval, 0, sizeof(interval));
7272 memcpy(&interval, ev->latency, sizeof(ev->latency));
7273 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7274 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7275 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7276 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7279 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7280 hci_iso_setup_path(bis);
7284 /* In case BIG sync failed, notify each failed connection to
7285 * the user after all hci connections have been added
7288 for (i = 0; i < ev->num_bis; i++) {
7289 u16 handle = le16_to_cpu(ev->bis[i]);
7291 bis = hci_conn_hash_lookup_handle(hdev, handle);
7293 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7294 hci_connect_cfm(bis, ev->status);
7297 hci_dev_unlock(hdev);
7300 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7301 struct sk_buff *skb)
7303 struct hci_evt_le_big_info_adv_report *ev = data;
7304 int mask = hdev->link_mode;
7306 struct hci_conn *pa_sync;
7308 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7312 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7313 if (!(mask & HCI_LM_ACCEPT)) {
7314 hci_le_pa_term_sync(hdev, ev->sync_handle);
7318 if (!(flags & HCI_PROTO_DEFER))
7321 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7323 le16_to_cpu(ev->sync_handle));
7328 /* Add connection to indicate the PA sync event */
7329 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7335 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7336 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7338 /* Notify iso layer */
7339 hci_connect_cfm(pa_sync, 0x00);
7342 hci_dev_unlock(hdev);
7345 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7348 .min_len = _min_len, \
7349 .max_len = _max_len, \
7352 #define HCI_LE_EV(_op, _func, _len) \
7353 HCI_LE_EV_VL(_op, _func, _len, _len)
7355 #define HCI_LE_EV_STATUS(_op, _func) \
7356 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7358 /* Entries in this table shall have their position according to the subevent
7359 * opcode they handle so the use of the macros above is recommend since it does
7360 * attempt to initialize at its proper index using Designated Initializers that
7361 * way events without a callback function can be ommited.
7363 static const struct hci_le_ev {
7364 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7367 } hci_le_ev_table[U8_MAX + 1] = {
7368 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7369 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7370 sizeof(struct hci_ev_le_conn_complete)),
7371 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7372 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7373 sizeof(struct hci_ev_le_advertising_report),
7374 HCI_MAX_EVENT_SIZE),
7375 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7376 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7377 hci_le_conn_update_complete_evt,
7378 sizeof(struct hci_ev_le_conn_update_complete)),
7379 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7380 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7381 hci_le_remote_feat_complete_evt,
7382 sizeof(struct hci_ev_le_remote_feat_complete)),
7383 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7384 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7385 sizeof(struct hci_ev_le_ltk_req)),
7386 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7387 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7388 hci_le_remote_conn_param_req_evt,
7389 sizeof(struct hci_ev_le_remote_conn_param_req)),
7390 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7391 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7392 hci_le_enh_conn_complete_evt,
7393 sizeof(struct hci_ev_le_enh_conn_complete)),
7394 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7395 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7396 sizeof(struct hci_ev_le_direct_adv_report),
7397 HCI_MAX_EVENT_SIZE),
7398 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7399 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7400 sizeof(struct hci_ev_le_phy_update_complete)),
7401 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7402 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7403 sizeof(struct hci_ev_le_ext_adv_report),
7404 HCI_MAX_EVENT_SIZE),
7405 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7406 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7407 hci_le_pa_sync_estabilished_evt,
7408 sizeof(struct hci_ev_le_pa_sync_established)),
7409 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7410 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7411 hci_le_per_adv_report_evt,
7412 sizeof(struct hci_ev_le_per_adv_report),
7413 HCI_MAX_EVENT_SIZE),
7414 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7415 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7416 sizeof(struct hci_evt_le_ext_adv_set_term)),
7417 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7418 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7419 sizeof(struct hci_evt_le_cis_established)),
7420 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7421 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7422 sizeof(struct hci_evt_le_cis_req)),
7423 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7424 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7425 hci_le_create_big_complete_evt,
7426 sizeof(struct hci_evt_le_create_big_complete),
7427 HCI_MAX_EVENT_SIZE),
7428 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7429 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7430 hci_le_big_sync_established_evt,
7431 sizeof(struct hci_evt_le_big_sync_estabilished),
7432 HCI_MAX_EVENT_SIZE),
7433 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7434 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7435 hci_le_big_info_adv_report_evt,
7436 sizeof(struct hci_evt_le_big_info_adv_report),
7437 HCI_MAX_EVENT_SIZE),
7440 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7441 struct sk_buff *skb, u16 *opcode, u8 *status,
7442 hci_req_complete_t *req_complete,
7443 hci_req_complete_skb_t *req_complete_skb)
7445 struct hci_ev_le_meta *ev = data;
7446 const struct hci_le_ev *subev;
7448 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7450 /* Only match event if command OGF is for LE */
7451 if (hdev->sent_cmd &&
7452 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7453 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7454 *opcode = hci_skb_opcode(hdev->sent_cmd);
7455 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7459 subev = &hci_le_ev_table[ev->subevent];
7463 if (skb->len < subev->min_len) {
7464 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7465 ev->subevent, skb->len, subev->min_len);
7469 /* Just warn if the length is over max_len size it still be
7470 * possible to partially parse the event so leave to callback to
7471 * decide if that is acceptable.
7473 if (skb->len > subev->max_len)
7474 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7475 ev->subevent, skb->len, subev->max_len);
7476 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7480 subev->func(hdev, data, skb);
7483 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7484 u8 event, struct sk_buff *skb)
7486 struct hci_ev_cmd_complete *ev;
7487 struct hci_event_hdr *hdr;
7492 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7497 if (hdr->evt != event)
7502 /* Check if request ended in Command Status - no way to retrieve
7503 * any extra parameters in this case.
7505 if (hdr->evt == HCI_EV_CMD_STATUS)
7508 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7509 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7514 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7518 if (opcode != __le16_to_cpu(ev->opcode)) {
7519 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7520 __le16_to_cpu(ev->opcode));
7527 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7528 struct sk_buff *skb)
7530 struct hci_ev_le_advertising_info *adv;
7531 struct hci_ev_le_direct_adv_info *direct_adv;
7532 struct hci_ev_le_ext_adv_info *ext_adv;
7533 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7534 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7538 /* If we are currently suspended and this is the first BT event seen,
7539 * save the wake reason associated with the event.
7541 if (!hdev->suspended || hdev->wake_reason)
7544 /* Default to remote wake. Values for wake_reason are documented in the
7545 * Bluez mgmt api docs.
7547 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7549 /* Once configured for remote wakeup, we should only wake up for
7550 * reconnections. It's useful to see which device is waking us up so
7551 * keep track of the bdaddr of the connection event that woke us up.
7553 if (event == HCI_EV_CONN_REQUEST) {
7554 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7555 hdev->wake_addr_type = BDADDR_BREDR;
7556 } else if (event == HCI_EV_CONN_COMPLETE) {
7557 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7558 hdev->wake_addr_type = BDADDR_BREDR;
7559 } else if (event == HCI_EV_LE_META) {
7560 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7561 u8 subevent = le_ev->subevent;
7562 u8 *ptr = &skb->data[sizeof(*le_ev)];
7563 u8 num_reports = *ptr;
7565 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7566 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7567 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7569 adv = (void *)(ptr + 1);
7570 direct_adv = (void *)(ptr + 1);
7571 ext_adv = (void *)(ptr + 1);
7574 case HCI_EV_LE_ADVERTISING_REPORT:
7575 bacpy(&hdev->wake_addr, &adv->bdaddr);
7576 hdev->wake_addr_type = adv->bdaddr_type;
7578 case HCI_EV_LE_DIRECT_ADV_REPORT:
7579 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7580 hdev->wake_addr_type = direct_adv->bdaddr_type;
7582 case HCI_EV_LE_EXT_ADV_REPORT:
7583 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7584 hdev->wake_addr_type = ext_adv->bdaddr_type;
7589 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7593 hci_dev_unlock(hdev);
7596 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7600 .min_len = _min_len, \
7601 .max_len = _max_len, \
7604 #define HCI_EV(_op, _func, _len) \
7605 HCI_EV_VL(_op, _func, _len, _len)
7607 #define HCI_EV_STATUS(_op, _func) \
7608 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7610 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7613 .func_req = _func, \
7614 .min_len = _min_len, \
7615 .max_len = _max_len, \
7618 #define HCI_EV_REQ(_op, _func, _len) \
7619 HCI_EV_REQ_VL(_op, _func, _len, _len)
7621 /* Entries in this table shall have their position according to the event opcode
7622 * they handle so the use of the macros above is recommend since it does attempt
7623 * to initialize at its proper index using Designated Initializers that way
7624 * events without a callback function don't have entered.
7626 static const struct hci_ev {
7629 void (*func)(struct hci_dev *hdev, void *data,
7630 struct sk_buff *skb);
7631 void (*func_req)(struct hci_dev *hdev, void *data,
7632 struct sk_buff *skb, u16 *opcode, u8 *status,
7633 hci_req_complete_t *req_complete,
7634 hci_req_complete_skb_t *req_complete_skb);
7638 } hci_ev_table[U8_MAX + 1] = {
7639 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7640 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7641 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7642 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7643 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7644 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7645 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7646 sizeof(struct hci_ev_conn_complete)),
7647 /* [0x04 = HCI_EV_CONN_REQUEST] */
7648 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7649 sizeof(struct hci_ev_conn_request)),
7650 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7651 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7652 sizeof(struct hci_ev_disconn_complete)),
7653 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7654 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7655 sizeof(struct hci_ev_auth_complete)),
7656 /* [0x07 = HCI_EV_REMOTE_NAME] */
7657 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7658 sizeof(struct hci_ev_remote_name)),
7659 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7660 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7661 sizeof(struct hci_ev_encrypt_change)),
7662 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7663 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7664 hci_change_link_key_complete_evt,
7665 sizeof(struct hci_ev_change_link_key_complete)),
7666 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7667 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7668 sizeof(struct hci_ev_remote_features)),
7669 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7670 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7671 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7672 /* [0x0f = HCI_EV_CMD_STATUS] */
7673 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7674 sizeof(struct hci_ev_cmd_status)),
7675 /* [0x10 = HCI_EV_CMD_STATUS] */
7676 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7677 sizeof(struct hci_ev_hardware_error)),
7678 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7679 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7680 sizeof(struct hci_ev_role_change)),
7681 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7682 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7683 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7684 /* [0x14 = HCI_EV_MODE_CHANGE] */
7685 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7686 sizeof(struct hci_ev_mode_change)),
7687 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7688 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7689 sizeof(struct hci_ev_pin_code_req)),
7690 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7691 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7692 sizeof(struct hci_ev_link_key_req)),
7693 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7694 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7695 sizeof(struct hci_ev_link_key_notify)),
7696 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7697 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7698 sizeof(struct hci_ev_clock_offset)),
7699 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7700 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7701 sizeof(struct hci_ev_pkt_type_change)),
7702 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7703 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7704 sizeof(struct hci_ev_pscan_rep_mode)),
7705 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7706 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7707 hci_inquiry_result_with_rssi_evt,
7708 sizeof(struct hci_ev_inquiry_result_rssi),
7709 HCI_MAX_EVENT_SIZE),
7710 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7711 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7712 sizeof(struct hci_ev_remote_ext_features)),
7713 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7714 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7715 sizeof(struct hci_ev_sync_conn_complete)),
7716 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7717 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7718 hci_extended_inquiry_result_evt,
7719 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7720 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7721 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7722 sizeof(struct hci_ev_key_refresh_complete)),
7723 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7724 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7725 sizeof(struct hci_ev_io_capa_request)),
7726 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7727 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7728 sizeof(struct hci_ev_io_capa_reply)),
7729 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7730 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7731 sizeof(struct hci_ev_user_confirm_req)),
7732 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7733 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7734 sizeof(struct hci_ev_user_passkey_req)),
7735 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7736 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7737 sizeof(struct hci_ev_remote_oob_data_request)),
7738 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7739 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7740 sizeof(struct hci_ev_simple_pair_complete)),
7741 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7742 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7743 sizeof(struct hci_ev_user_passkey_notify)),
7744 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7745 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7746 sizeof(struct hci_ev_keypress_notify)),
7747 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7748 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7749 sizeof(struct hci_ev_remote_host_features)),
7750 /* [0x3e = HCI_EV_LE_META] */
7751 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7752 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7753 #if IS_ENABLED(CONFIG_BT_HS)
7754 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7755 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7756 sizeof(struct hci_ev_phy_link_complete)),
7757 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7758 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7759 sizeof(struct hci_ev_channel_selected)),
7760 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7761 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7762 hci_disconn_loglink_complete_evt,
7763 sizeof(struct hci_ev_disconn_logical_link_complete)),
7764 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7765 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7766 sizeof(struct hci_ev_logical_link_complete)),
7767 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7768 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7769 hci_disconn_phylink_complete_evt,
7770 sizeof(struct hci_ev_disconn_phy_link_complete)),
7772 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7773 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7774 sizeof(struct hci_ev_num_comp_blocks)),
7776 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7777 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7778 sizeof(struct hci_ev_vendor_specific)),
7780 /* [0xff = HCI_EV_VENDOR] */
7781 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7785 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7786 u16 *opcode, u8 *status,
7787 hci_req_complete_t *req_complete,
7788 hci_req_complete_skb_t *req_complete_skb)
7790 const struct hci_ev *ev = &hci_ev_table[event];
7796 if (skb->len < ev->min_len) {
7797 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7798 event, skb->len, ev->min_len);
7802 /* Just warn if the length is over max_len size it still be
7803 * possible to partially parse the event so leave to callback to
7804 * decide if that is acceptable.
7806 if (skb->len > ev->max_len)
7807 bt_dev_warn_ratelimited(hdev,
7808 "unexpected event 0x%2.2x length: %u > %u",
7809 event, skb->len, ev->max_len);
7811 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7816 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7819 ev->func(hdev, data, skb);
7822 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7824 struct hci_event_hdr *hdr = (void *) skb->data;
7825 hci_req_complete_t req_complete = NULL;
7826 hci_req_complete_skb_t req_complete_skb = NULL;
7827 struct sk_buff *orig_skb = NULL;
7828 u8 status = 0, event, req_evt = 0;
7829 u16 opcode = HCI_OP_NOP;
7831 if (skb->len < sizeof(*hdr)) {
7832 bt_dev_err(hdev, "Malformed HCI Event");
7836 kfree_skb(hdev->recv_event);
7837 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7841 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7846 /* Only match event if command OGF is not for LE */
7847 if (hdev->sent_cmd &&
7848 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7849 hci_skb_event(hdev->sent_cmd) == event) {
7850 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7851 status, &req_complete, &req_complete_skb);
7855 /* If it looks like we might end up having to call
7856 * req_complete_skb, store a pristine copy of the skb since the
7857 * various handlers may modify the original one through
7858 * skb_pull() calls, etc.
7860 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7861 event == HCI_EV_CMD_COMPLETE)
7862 orig_skb = skb_clone(skb, GFP_KERNEL);
7864 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7866 /* Store wake reason if we're suspended */
7867 hci_store_wake_reason(hdev, event, skb);
7869 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7871 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7875 req_complete(hdev, status, opcode);
7876 } else if (req_complete_skb) {
7877 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7878 kfree_skb(orig_skb);
7881 req_complete_skb(hdev, status, opcode, orig_skb);
7885 kfree_skb(orig_skb);
7887 hdev->stat.evt_rx++;
projects / platform / kernel / linux-starfive.git / blob