2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
41 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
42 "\x00\x00\x00\x00\x00\x00\x00\x00"
44 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
46 /* Handle HCI Event packets */
48 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
53 data = skb_pull_data(skb, len);
55 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
60 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
65 data = skb_pull_data(skb, len);
67 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
72 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
77 data = skb_pull_data(skb, len);
79 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
84 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
87 struct hci_ev_status *rp = data;
89 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
91 /* It is possible that we receive Inquiry Complete event right
92 * before we receive Inquiry Cancel Command Complete event, in
93 * which case the latter event should have status of Command
94 * Disallowed (0x0c). This should not be treated as error, since
95 * we actually achieve what Inquiry Cancel wants to achieve,
96 * which is to end the last Inquiry session.
98 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
99 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
106 clear_bit(HCI_INQUIRY, &hdev->flags);
107 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
108 wake_up_bit(&hdev->flags, HCI_INQUIRY);
111 /* Set discovery state to stopped if we're not doing LE active
114 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
115 hdev->le_scan_type != LE_SCAN_ACTIVE)
116 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
117 hci_dev_unlock(hdev);
119 hci_conn_check_pending(hdev);
124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
127 struct hci_ev_status *rp = data;
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
142 struct hci_ev_status *rp = data;
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
151 hci_conn_check_pending(hdev);
156 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
159 struct hci_ev_status *rp = data;
161 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
166 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
169 struct hci_rp_role_discovery *rp = data;
170 struct hci_conn *conn;
172 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
181 conn->role = rp->role;
183 hci_dev_unlock(hdev);
188 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
191 struct hci_rp_read_link_policy *rp = data;
192 struct hci_conn *conn;
194 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
201 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
203 conn->link_policy = __le16_to_cpu(rp->policy);
205 hci_dev_unlock(hdev);
210 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
213 struct hci_rp_write_link_policy *rp = data;
214 struct hci_conn *conn;
217 struct hci_cp_write_link_policy cp;
218 struct hci_conn *sco_conn;
221 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
226 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
234 conn->link_policy = get_unaligned_le16(sent + 2);
237 sco_conn = hci_conn_hash_lookup_sco(hdev);
238 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
239 conn->link_policy & HCI_LP_SNIFF) {
240 BT_ERR("SNIFF is not allowed during sco connection");
241 cp.handle = __cpu_to_le16(conn->handle);
242 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
243 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
247 hci_dev_unlock(hdev);
252 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
255 struct hci_rp_read_def_link_policy *rp = data;
257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
262 hdev->link_policy = __le16_to_cpu(rp->policy);
267 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
270 struct hci_ev_status *rp = data;
273 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
278 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
282 hdev->link_policy = get_unaligned_le16(sent);
287 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
289 struct hci_ev_status *rp = data;
291 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
293 clear_bit(HCI_RESET, &hdev->flags);
298 /* Reset all non-persistent flags */
299 hci_dev_clear_volatile_flags(hdev);
301 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
303 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
304 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
306 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
307 hdev->adv_data_len = 0;
309 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
310 hdev->scan_rsp_data_len = 0;
312 hdev->le_scan_type = LE_SCAN_PASSIVE;
314 hdev->ssp_debug_mode = 0;
316 hci_bdaddr_list_clear(&hdev->le_accept_list);
317 hci_bdaddr_list_clear(&hdev->le_resolv_list);
322 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
325 struct hci_rp_read_stored_link_key *rp = data;
326 struct hci_cp_read_stored_link_key *sent;
328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
330 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
334 if (!rp->status && sent->read_all == 0x01) {
335 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
336 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
342 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
345 struct hci_rp_delete_stored_link_key *rp = data;
348 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
353 num_keys = le16_to_cpu(rp->num_keys);
355 if (num_keys <= hdev->stored_num_keys)
356 hdev->stored_num_keys -= num_keys;
358 hdev->stored_num_keys = 0;
363 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
366 struct hci_ev_status *rp = data;
369 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
377 if (hci_dev_test_flag(hdev, HCI_MGMT))
378 mgmt_set_local_name_complete(hdev, sent, rp->status);
379 else if (!rp->status)
380 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
382 hci_dev_unlock(hdev);
387 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
390 struct hci_rp_read_local_name *rp = data;
392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
397 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
398 hci_dev_test_flag(hdev, HCI_CONFIG))
399 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
404 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
407 struct hci_ev_status *rp = data;
410 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
412 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
419 __u8 param = *((__u8 *) sent);
421 if (param == AUTH_ENABLED)
422 set_bit(HCI_AUTH, &hdev->flags);
424 clear_bit(HCI_AUTH, &hdev->flags);
427 if (hci_dev_test_flag(hdev, HCI_MGMT))
428 mgmt_auth_enable_complete(hdev, rp->status);
430 hci_dev_unlock(hdev);
435 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
438 struct hci_ev_status *rp = data;
442 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
447 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
451 param = *((__u8 *) sent);
454 set_bit(HCI_ENCRYPT, &hdev->flags);
456 clear_bit(HCI_ENCRYPT, &hdev->flags);
461 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
464 struct hci_ev_status *rp = data;
468 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
474 param = *((__u8 *) sent);
479 hdev->discov_timeout = 0;
483 if (param & SCAN_INQUIRY)
484 set_bit(HCI_ISCAN, &hdev->flags);
486 clear_bit(HCI_ISCAN, &hdev->flags);
488 if (param & SCAN_PAGE)
489 set_bit(HCI_PSCAN, &hdev->flags);
491 clear_bit(HCI_PSCAN, &hdev->flags);
494 hci_dev_unlock(hdev);
499 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
502 struct hci_ev_status *rp = data;
503 struct hci_cp_set_event_filter *cp;
506 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
511 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
515 cp = (struct hci_cp_set_event_filter *)sent;
517 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
518 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
520 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
525 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
528 struct hci_rp_read_class_of_dev *rp = data;
530 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
535 memcpy(hdev->dev_class, rp->dev_class, 3);
537 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
538 hdev->dev_class[1], hdev->dev_class[0]);
543 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
546 struct hci_ev_status *rp = data;
549 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
551 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
558 memcpy(hdev->dev_class, sent, 3);
560 if (hci_dev_test_flag(hdev, HCI_MGMT))
561 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
563 hci_dev_unlock(hdev);
568 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
571 struct hci_rp_read_voice_setting *rp = data;
574 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
579 setting = __le16_to_cpu(rp->voice_setting);
581 if (hdev->voice_setting == setting)
584 hdev->voice_setting = setting;
586 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
589 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
594 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
597 struct hci_ev_status *rp = data;
601 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
606 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
610 setting = get_unaligned_le16(sent);
612 if (hdev->voice_setting == setting)
615 hdev->voice_setting = setting;
617 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
620 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
625 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
628 struct hci_rp_read_num_supported_iac *rp = data;
630 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
635 hdev->num_iac = rp->num_iac;
637 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
642 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
645 struct hci_ev_status *rp = data;
646 struct hci_cp_write_ssp_mode *sent;
648 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
650 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
658 hdev->features[1][0] |= LMP_HOST_SSP;
660 hdev->features[1][0] &= ~LMP_HOST_SSP;
665 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
667 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
670 hci_dev_unlock(hdev);
675 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
678 struct hci_ev_status *rp = data;
679 struct hci_cp_write_sc_support *sent;
681 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
683 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
691 hdev->features[1][0] |= LMP_HOST_SC;
693 hdev->features[1][0] &= ~LMP_HOST_SC;
696 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
698 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
700 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
703 hci_dev_unlock(hdev);
708 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
711 struct hci_rp_read_local_version *rp = data;
713 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
718 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
719 hci_dev_test_flag(hdev, HCI_CONFIG)) {
720 hdev->hci_ver = rp->hci_ver;
721 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
722 hdev->lmp_ver = rp->lmp_ver;
723 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
724 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
730 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
733 struct hci_rp_read_enc_key_size *rp = data;
734 struct hci_conn *conn;
736 u8 status = rp->status;
738 bt_dev_dbg(hdev, "status 0x%2.2x", status);
740 handle = le16_to_cpu(rp->handle);
744 conn = hci_conn_hash_lookup_handle(hdev, handle);
750 /* While unexpected, the read_enc_key_size command may fail. The most
751 * secure approach is to then assume the key size is 0 to force a
755 bt_dev_err(hdev, "failed to read key size for handle %u",
757 conn->enc_key_size = 0;
759 conn->enc_key_size = rp->key_size;
763 hci_encrypt_cfm(conn, 0);
766 hci_dev_unlock(hdev);
771 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
774 struct hci_rp_read_local_commands *rp = data;
776 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
781 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
782 hci_dev_test_flag(hdev, HCI_CONFIG))
783 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
788 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
791 struct hci_rp_read_auth_payload_to *rp = data;
792 struct hci_conn *conn;
794 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
801 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
803 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
805 hci_dev_unlock(hdev);
810 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
813 struct hci_rp_write_auth_payload_to *rp = data;
814 struct hci_conn *conn;
817 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
822 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
828 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
830 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
832 hci_dev_unlock(hdev);
837 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
840 struct hci_rp_read_local_features *rp = data;
842 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
847 memcpy(hdev->features, rp->features, 8);
849 /* Adjust default settings according to features
850 * supported by device. */
852 if (hdev->features[0][0] & LMP_3SLOT)
853 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
855 if (hdev->features[0][0] & LMP_5SLOT)
856 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
858 if (hdev->features[0][1] & LMP_HV2) {
859 hdev->pkt_type |= (HCI_HV2);
860 hdev->esco_type |= (ESCO_HV2);
863 if (hdev->features[0][1] & LMP_HV3) {
864 hdev->pkt_type |= (HCI_HV3);
865 hdev->esco_type |= (ESCO_HV3);
868 if (lmp_esco_capable(hdev))
869 hdev->esco_type |= (ESCO_EV3);
871 if (hdev->features[0][4] & LMP_EV4)
872 hdev->esco_type |= (ESCO_EV4);
874 if (hdev->features[0][4] & LMP_EV5)
875 hdev->esco_type |= (ESCO_EV5);
877 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
878 hdev->esco_type |= (ESCO_2EV3);
880 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
881 hdev->esco_type |= (ESCO_3EV3);
883 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
884 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
889 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
892 struct hci_rp_read_local_ext_features *rp = data;
894 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
899 if (hdev->max_page < rp->max_page) {
900 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
902 bt_dev_warn(hdev, "broken local ext features page 2");
904 hdev->max_page = rp->max_page;
907 if (rp->page < HCI_MAX_PAGES)
908 memcpy(hdev->features[rp->page], rp->features, 8);
913 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
916 struct hci_rp_read_flow_control_mode *rp = data;
918 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
923 hdev->flow_ctl_mode = rp->mode;
928 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
931 struct hci_rp_read_buffer_size *rp = data;
933 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
938 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
939 hdev->sco_mtu = rp->sco_mtu;
940 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
941 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
943 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
948 hdev->acl_cnt = hdev->acl_pkts;
949 hdev->sco_cnt = hdev->sco_pkts;
951 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
952 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
957 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
960 struct hci_rp_read_bd_addr *rp = data;
962 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
967 if (test_bit(HCI_INIT, &hdev->flags))
968 bacpy(&hdev->bdaddr, &rp->bdaddr);
970 if (hci_dev_test_flag(hdev, HCI_SETUP))
971 bacpy(&hdev->setup_addr, &rp->bdaddr);
976 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
979 struct hci_rp_read_local_pairing_opts *rp = data;
981 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
986 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
987 hci_dev_test_flag(hdev, HCI_CONFIG)) {
988 hdev->pairing_opts = rp->pairing_opts;
989 hdev->max_enc_key_size = rp->max_key_size;
995 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
998 struct hci_rp_read_page_scan_activity *rp = data;
1000 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1005 if (test_bit(HCI_INIT, &hdev->flags)) {
1006 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1007 hdev->page_scan_window = __le16_to_cpu(rp->window);
1013 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1014 struct sk_buff *skb)
1016 struct hci_ev_status *rp = data;
1017 struct hci_cp_write_page_scan_activity *sent;
1019 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1024 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1028 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1029 hdev->page_scan_window = __le16_to_cpu(sent->window);
1034 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1035 struct sk_buff *skb)
1037 struct hci_rp_read_page_scan_type *rp = data;
1039 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1044 if (test_bit(HCI_INIT, &hdev->flags))
1045 hdev->page_scan_type = rp->type;
1050 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1051 struct sk_buff *skb)
1053 struct hci_ev_status *rp = data;
1056 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1061 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1063 hdev->page_scan_type = *type;
1068 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1069 struct sk_buff *skb)
1071 struct hci_rp_read_data_block_size *rp = data;
1073 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1078 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1079 hdev->block_len = __le16_to_cpu(rp->block_len);
1080 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1082 hdev->block_cnt = hdev->num_blocks;
1084 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1085 hdev->block_cnt, hdev->block_len);
1090 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1091 struct sk_buff *skb)
1093 struct hci_rp_read_clock *rp = data;
1094 struct hci_cp_read_clock *cp;
1095 struct hci_conn *conn;
1097 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1104 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1108 if (cp->which == 0x00) {
1109 hdev->clock = le32_to_cpu(rp->clock);
1113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1115 conn->clock = le32_to_cpu(rp->clock);
1116 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1120 hci_dev_unlock(hdev);
1124 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1125 struct sk_buff *skb)
1127 struct hci_rp_read_local_amp_info *rp = data;
1129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1134 hdev->amp_status = rp->amp_status;
1135 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1136 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1137 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1138 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1139 hdev->amp_type = rp->amp_type;
1140 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1141 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1142 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1143 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1148 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1149 struct sk_buff *skb)
1151 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1158 hdev->inq_tx_power = rp->tx_power;
1163 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1164 struct sk_buff *skb)
1166 struct hci_rp_read_def_err_data_reporting *rp = data;
1168 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1173 hdev->err_data_reporting = rp->err_data_reporting;
1178 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1179 struct sk_buff *skb)
1181 struct hci_ev_status *rp = data;
1182 struct hci_cp_write_def_err_data_reporting *cp;
1184 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1189 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1193 hdev->err_data_reporting = cp->err_data_reporting;
1198 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1199 struct sk_buff *skb)
1201 struct hci_rp_pin_code_reply *rp = data;
1202 struct hci_cp_pin_code_reply *cp;
1203 struct hci_conn *conn;
1205 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1209 if (hci_dev_test_flag(hdev, HCI_MGMT))
1210 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1215 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1219 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1221 conn->pin_length = cp->pin_len;
1224 hci_dev_unlock(hdev);
1228 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1229 struct sk_buff *skb)
1231 struct hci_rp_pin_code_neg_reply *rp = data;
1233 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1237 if (hci_dev_test_flag(hdev, HCI_MGMT))
1238 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1241 hci_dev_unlock(hdev);
1246 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1247 struct sk_buff *skb)
1249 struct hci_rp_le_read_buffer_size *rp = data;
1251 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1256 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1257 hdev->le_pkts = rp->le_max_pkt;
1259 hdev->le_cnt = hdev->le_pkts;
1261 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1266 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1267 struct sk_buff *skb)
1269 struct hci_rp_le_read_local_features *rp = data;
1271 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1276 memcpy(hdev->le_features, rp->features, 8);
1281 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1282 struct sk_buff *skb)
1284 struct hci_rp_le_read_adv_tx_power *rp = data;
1286 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1291 hdev->adv_tx_power = rp->tx_power;
1296 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1297 struct sk_buff *skb)
1299 struct hci_rp_user_confirm_reply *rp = data;
1301 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1305 if (hci_dev_test_flag(hdev, HCI_MGMT))
1306 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1309 hci_dev_unlock(hdev);
1314 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1315 struct sk_buff *skb)
1317 struct hci_rp_user_confirm_reply *rp = data;
1319 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1323 if (hci_dev_test_flag(hdev, HCI_MGMT))
1324 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1325 ACL_LINK, 0, rp->status);
1327 hci_dev_unlock(hdev);
1332 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1333 struct sk_buff *skb)
1335 struct hci_rp_user_confirm_reply *rp = data;
1337 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1341 if (hci_dev_test_flag(hdev, HCI_MGMT))
1342 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1345 hci_dev_unlock(hdev);
1350 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1351 struct sk_buff *skb)
1353 struct hci_rp_user_confirm_reply *rp = data;
1355 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1359 if (hci_dev_test_flag(hdev, HCI_MGMT))
1360 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1361 ACL_LINK, 0, rp->status);
1363 hci_dev_unlock(hdev);
1368 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1369 struct sk_buff *skb)
1371 struct hci_rp_read_local_oob_data *rp = data;
1373 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1378 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1379 struct sk_buff *skb)
1381 struct hci_rp_read_local_oob_ext_data *rp = data;
1383 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1388 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1389 struct sk_buff *skb)
1391 struct hci_ev_status *rp = data;
1394 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1399 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1405 bacpy(&hdev->random_addr, sent);
1407 if (!bacmp(&hdev->rpa, sent)) {
1408 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1409 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1410 secs_to_jiffies(hdev->rpa_timeout));
1413 hci_dev_unlock(hdev);
1418 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1419 struct sk_buff *skb)
1421 struct hci_ev_status *rp = data;
1422 struct hci_cp_le_set_default_phy *cp;
1424 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1429 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1435 hdev->le_tx_def_phys = cp->tx_phys;
1436 hdev->le_rx_def_phys = cp->rx_phys;
1438 hci_dev_unlock(hdev);
1443 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1444 struct sk_buff *skb)
1446 struct hci_ev_status *rp = data;
1447 struct hci_cp_le_set_adv_set_rand_addr *cp;
1448 struct adv_info *adv;
1450 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1455 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1456 /* Update only in case the adv instance since handle 0x00 shall be using
1457 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1458 * non-extended adverting.
1460 if (!cp || !cp->handle)
1465 adv = hci_find_adv_instance(hdev, cp->handle);
1467 bacpy(&adv->random_addr, &cp->bdaddr);
1468 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1469 adv->rpa_expired = false;
1470 queue_delayed_work(hdev->workqueue,
1471 &adv->rpa_expired_cb,
1472 secs_to_jiffies(hdev->rpa_timeout));
1476 hci_dev_unlock(hdev);
1481 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1482 struct sk_buff *skb)
1484 struct hci_ev_status *rp = data;
1488 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1493 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1499 err = hci_remove_adv_instance(hdev, *instance);
1501 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1504 hci_dev_unlock(hdev);
1509 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1510 struct sk_buff *skb)
1512 struct hci_ev_status *rp = data;
1513 struct adv_info *adv, *n;
1516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1521 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1526 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1527 u8 instance = adv->instance;
1529 err = hci_remove_adv_instance(hdev, instance);
1531 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1535 hci_dev_unlock(hdev);
1540 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1541 struct sk_buff *skb)
1543 struct hci_rp_le_read_transmit_power *rp = data;
1545 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1550 hdev->min_le_tx_power = rp->min_le_tx_power;
1551 hdev->max_le_tx_power = rp->max_le_tx_power;
1556 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1557 struct sk_buff *skb)
1559 struct hci_ev_status *rp = data;
1560 struct hci_cp_le_set_privacy_mode *cp;
1561 struct hci_conn_params *params;
1563 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1568 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1574 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1576 params->privacy_mode = cp->mode;
1578 hci_dev_unlock(hdev);
1583 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1584 struct sk_buff *skb)
1586 struct hci_ev_status *rp = data;
1589 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1594 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1600 /* If we're doing connection initiation as peripheral. Set a
1601 * timeout in case something goes wrong.
1604 struct hci_conn *conn;
1606 hci_dev_set_flag(hdev, HCI_LE_ADV);
1608 conn = hci_lookup_le_connect(hdev);
1610 queue_delayed_work(hdev->workqueue,
1611 &conn->le_conn_timeout,
1612 conn->conn_timeout);
1614 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1617 hci_dev_unlock(hdev);
1622 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1623 struct sk_buff *skb)
1625 struct hci_cp_le_set_ext_adv_enable *cp;
1626 struct hci_cp_ext_adv_set *set;
1627 struct adv_info *adv = NULL, *n;
1628 struct hci_ev_status *rp = data;
1630 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1635 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1639 set = (void *)cp->data;
1643 if (cp->num_of_sets)
1644 adv = hci_find_adv_instance(hdev, set->handle);
1647 struct hci_conn *conn;
1649 hci_dev_set_flag(hdev, HCI_LE_ADV);
1652 adv->enabled = true;
1654 conn = hci_lookup_le_connect(hdev);
1656 queue_delayed_work(hdev->workqueue,
1657 &conn->le_conn_timeout,
1658 conn->conn_timeout);
1660 if (cp->num_of_sets) {
1662 adv->enabled = false;
1664 /* If just one instance was disabled check if there are
1665 * any other instance enabled before clearing HCI_LE_ADV
1667 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1673 /* All instances shall be considered disabled */
1674 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1676 adv->enabled = false;
1679 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1683 hci_dev_unlock(hdev);
1687 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1688 struct sk_buff *skb)
1690 struct hci_cp_le_set_scan_param *cp;
1691 struct hci_ev_status *rp = data;
1693 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1698 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1704 hdev->le_scan_type = cp->type;
1706 hci_dev_unlock(hdev);
1711 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1712 struct sk_buff *skb)
1714 struct hci_cp_le_set_ext_scan_params *cp;
1715 struct hci_ev_status *rp = data;
1716 struct hci_cp_le_scan_phy_params *phy_param;
1718 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1723 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1727 phy_param = (void *)cp->data;
1731 hdev->le_scan_type = phy_param->type;
1733 hci_dev_unlock(hdev);
1738 static bool has_pending_adv_report(struct hci_dev *hdev)
1740 struct discovery_state *d = &hdev->discovery;
1742 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1745 static void clear_pending_adv_report(struct hci_dev *hdev)
1747 struct discovery_state *d = &hdev->discovery;
1749 bacpy(&d->last_adv_addr, BDADDR_ANY);
1750 d->last_adv_data_len = 0;
1754 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1755 u8 bdaddr_type, s8 rssi, u32 flags,
1758 struct discovery_state *d = &hdev->discovery;
1760 if (len > HCI_MAX_AD_LENGTH)
1763 bacpy(&d->last_adv_addr, bdaddr);
1764 d->last_adv_addr_type = bdaddr_type;
1765 d->last_adv_rssi = rssi;
1766 d->last_adv_flags = flags;
1767 memcpy(d->last_adv_data, data, len);
1768 d->last_adv_data_len = len;
1772 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1777 case LE_SCAN_ENABLE:
1778 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1779 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1780 clear_pending_adv_report(hdev);
1781 if (hci_dev_test_flag(hdev, HCI_MESH))
1782 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1785 case LE_SCAN_DISABLE:
1786 /* We do this here instead of when setting DISCOVERY_STOPPED
1787 * since the latter would potentially require waiting for
1788 * inquiry to stop too.
1790 if (has_pending_adv_report(hdev)) {
1791 struct discovery_state *d = &hdev->discovery;
1793 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1794 d->last_adv_addr_type, NULL,
1795 d->last_adv_rssi, d->last_adv_flags,
1797 d->last_adv_data_len, NULL, 0, 0);
1800 /* Cancel this timer so that we don't try to disable scanning
1801 * when it's already disabled.
1803 cancel_delayed_work(&hdev->le_scan_disable);
1805 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1807 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1808 * interrupted scanning due to a connect request. Mark
1809 * therefore discovery as stopped.
1811 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1812 #ifndef TIZEN_BT /* The below line is kernel bug. */
1813 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1815 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1817 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1818 hdev->discovery.state == DISCOVERY_FINDING)
1819 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1824 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1829 hci_dev_unlock(hdev);
1832 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1833 struct sk_buff *skb)
1835 struct hci_cp_le_set_scan_enable *cp;
1836 struct hci_ev_status *rp = data;
1838 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1843 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1847 le_set_scan_enable_complete(hdev, cp->enable);
1852 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1853 struct sk_buff *skb)
1855 struct hci_cp_le_set_ext_scan_enable *cp;
1856 struct hci_ev_status *rp = data;
1858 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1863 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1867 le_set_scan_enable_complete(hdev, cp->enable);
1872 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1873 struct sk_buff *skb)
1875 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1877 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1883 hdev->le_num_of_adv_sets = rp->num_of_sets;
1888 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1889 struct sk_buff *skb)
1891 struct hci_rp_le_read_accept_list_size *rp = data;
1893 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1898 hdev->le_accept_list_size = rp->size;
1903 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1904 struct sk_buff *skb)
1906 struct hci_ev_status *rp = data;
1908 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1914 hci_bdaddr_list_clear(&hdev->le_accept_list);
1915 hci_dev_unlock(hdev);
1920 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1921 struct sk_buff *skb)
1923 struct hci_cp_le_add_to_accept_list *sent;
1924 struct hci_ev_status *rp = data;
1926 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1931 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1936 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1938 hci_dev_unlock(hdev);
1943 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1944 struct sk_buff *skb)
1946 struct hci_cp_le_del_from_accept_list *sent;
1947 struct hci_ev_status *rp = data;
1949 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1954 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1959 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1961 hci_dev_unlock(hdev);
1966 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1967 struct sk_buff *skb)
1969 struct hci_rp_le_read_supported_states *rp = data;
1971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1976 memcpy(hdev->le_states, rp->le_states, 8);
1981 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1982 struct sk_buff *skb)
1984 struct hci_rp_le_read_def_data_len *rp = data;
1986 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1995 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1996 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1999 mgmt_le_read_host_suggested_data_length_complete(hdev, rp->status);
2001 hci_dev_unlock(hdev);
2007 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2008 struct sk_buff *skb)
2010 struct hci_cp_le_write_def_data_len *sent;
2011 struct hci_ev_status *rp = data;
2013 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2022 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2030 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2031 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2036 mgmt_le_write_host_suggested_data_length_complete(hdev, rp->status);
2041 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2042 struct sk_buff *skb)
2044 struct hci_cp_le_add_to_resolv_list *sent;
2045 struct hci_ev_status *rp = data;
2047 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2052 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2057 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2058 sent->bdaddr_type, sent->peer_irk,
2060 hci_dev_unlock(hdev);
2065 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2066 struct sk_buff *skb)
2068 struct hci_cp_le_del_from_resolv_list *sent;
2069 struct hci_ev_status *rp = data;
2071 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2076 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2081 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2083 hci_dev_unlock(hdev);
2088 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2089 struct sk_buff *skb)
2091 struct hci_ev_status *rp = data;
2093 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2099 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2100 hci_dev_unlock(hdev);
2105 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2106 struct sk_buff *skb)
2108 struct hci_rp_le_read_resolv_list_size *rp = data;
2110 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2115 hdev->le_resolv_list_size = rp->size;
2120 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2121 struct sk_buff *skb)
2123 struct hci_ev_status *rp = data;
2126 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2131 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2138 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2140 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2142 hci_dev_unlock(hdev);
2147 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2148 struct sk_buff *skb)
2150 struct hci_rp_le_read_max_data_len *rp = data;
2152 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2161 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2162 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2163 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2164 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2167 mgmt_le_read_maximum_data_length_complete(hdev, rp->status);
2168 hci_dev_unlock(hdev);
2174 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2175 struct sk_buff *skb)
2177 struct hci_cp_write_le_host_supported *sent;
2178 struct hci_ev_status *rp = data;
2180 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2185 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2192 hdev->features[1][0] |= LMP_HOST_LE;
2193 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2195 hdev->features[1][0] &= ~LMP_HOST_LE;
2196 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2197 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2201 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2203 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2205 hci_dev_unlock(hdev);
2210 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2211 struct sk_buff *skb)
2213 struct hci_cp_le_set_adv_param *cp;
2214 struct hci_ev_status *rp = data;
2216 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2221 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2226 hdev->adv_addr_type = cp->own_address_type;
2227 hci_dev_unlock(hdev);
2232 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2233 struct sk_buff *skb)
2235 struct hci_rp_le_set_ext_adv_params *rp = data;
2236 struct hci_cp_le_set_ext_adv_params *cp;
2237 struct adv_info *adv_instance;
2239 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2244 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2249 hdev->adv_addr_type = cp->own_addr_type;
2251 /* Store in hdev for instance 0 */
2252 hdev->adv_tx_power = rp->tx_power;
2254 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2256 adv_instance->tx_power = rp->tx_power;
2258 /* Update adv data as tx power is known now */
2259 hci_update_adv_data(hdev, cp->handle);
2261 hci_dev_unlock(hdev);
2267 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2268 struct sk_buff *skb)
2270 struct hci_cc_rsp_enable_rssi *rp = data;
2272 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2273 hdev->name, rp->status, rp->le_ext_opcode);
2275 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2280 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2281 struct sk_buff *skb)
2283 struct hci_cc_rp_get_raw_rssi *rp = data;
2285 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2286 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2288 mgmt_raw_rssi_response(hdev, rp, rp->status);
2293 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2294 struct sk_buff *skb)
2296 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2298 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2300 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2304 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2305 struct sk_buff *skb)
2307 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2308 __u8 event_le_ext_sub_code;
2310 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2311 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2313 skb_pull(skb, sizeof(*ev));
2314 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2316 switch (event_le_ext_sub_code) {
2317 case LE_RSSI_LINK_ALERT:
2318 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2326 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
2327 struct sk_buff *skb)
2329 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
2331 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
2333 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
2334 ev->state_change_reason,
2335 ev->connection_handle);
2338 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2339 struct sk_buff *skb)
2341 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2342 __u8 event_sub_code;
2344 BT_DBG("hci_vendor_specific_evt");
2346 skb_pull(skb, sizeof(*ev));
2347 event_sub_code = ev->event_sub_code;
2349 switch (event_sub_code) {
2350 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2351 hci_vendor_specific_group_ext_evt(hdev, skb);
2354 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
2355 hci_vendor_multi_adv_state_change_evt(hdev, skb);
2363 static void hci_le_data_length_changed_complete_evt(struct hci_dev *hdev,
2365 struct sk_buff *skb)
2367 struct hci_ev_le_data_len_change *ev = (void *)skb->data;
2368 struct hci_conn *conn;
2370 BT_DBG("%s status", hdev->name);
2374 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2376 conn->tx_len = le16_to_cpu(ev->tx_len);
2377 conn->tx_time = le16_to_cpu(ev->tx_time);
2378 conn->rx_len = le16_to_cpu(ev->rx_len);
2379 conn->rx_time = le16_to_cpu(ev->rx_time);
2382 mgmt_le_data_length_change_complete(hdev, &conn->dst,
2383 conn->tx_len, conn->tx_time,
2384 conn->rx_len, conn->rx_time);
2386 hci_dev_unlock(hdev);
2390 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2391 struct sk_buff *skb)
2393 struct hci_rp_read_rssi *rp = data;
2394 struct hci_conn *conn;
2396 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2403 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2405 conn->rssi = rp->rssi;
2407 hci_dev_unlock(hdev);
2412 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2413 struct sk_buff *skb)
2415 struct hci_cp_read_tx_power *sent;
2416 struct hci_rp_read_tx_power *rp = data;
2417 struct hci_conn *conn;
2419 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2424 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2430 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2434 switch (sent->type) {
2436 conn->tx_power = rp->tx_power;
2439 conn->max_tx_power = rp->tx_power;
2444 hci_dev_unlock(hdev);
2448 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2449 struct sk_buff *skb)
2451 struct hci_ev_status *rp = data;
2454 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2459 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2461 hdev->ssp_debug_mode = *mode;
2466 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2468 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2471 hci_conn_check_pending(hdev);
2475 set_bit(HCI_INQUIRY, &hdev->flags);
2478 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2480 struct hci_cp_create_conn *cp;
2481 struct hci_conn *conn;
2483 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2485 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2491 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2493 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2496 if (conn && conn->state == BT_CONNECT) {
2497 if (status != 0x0c || conn->attempt > 2) {
2498 conn->state = BT_CLOSED;
2499 hci_connect_cfm(conn, status);
2502 conn->state = BT_CONNECT2;
2506 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
2509 bt_dev_err(hdev, "no memory for new connection");
2513 hci_dev_unlock(hdev);
2516 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2518 struct hci_cp_add_sco *cp;
2519 struct hci_conn *acl, *sco;
2522 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2527 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2531 handle = __le16_to_cpu(cp->handle);
2533 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2537 acl = hci_conn_hash_lookup_handle(hdev, handle);
2541 sco->state = BT_CLOSED;
2543 hci_connect_cfm(sco, status);
2548 hci_dev_unlock(hdev);
2551 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2553 struct hci_cp_auth_requested *cp;
2554 struct hci_conn *conn;
2556 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2561 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2567 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2569 if (conn->state == BT_CONFIG) {
2570 hci_connect_cfm(conn, status);
2571 hci_conn_drop(conn);
2575 hci_dev_unlock(hdev);
2578 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2580 struct hci_cp_set_conn_encrypt *cp;
2581 struct hci_conn *conn;
2583 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2588 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2594 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2596 if (conn->state == BT_CONFIG) {
2597 hci_connect_cfm(conn, status);
2598 hci_conn_drop(conn);
2602 hci_dev_unlock(hdev);
2605 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2606 struct hci_conn *conn)
2608 if (conn->state != BT_CONFIG || !conn->out)
2611 if (conn->pending_sec_level == BT_SECURITY_SDP)
2614 /* Only request authentication for SSP connections or non-SSP
2615 * devices with sec_level MEDIUM or HIGH or if MITM protection
2618 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2619 conn->pending_sec_level != BT_SECURITY_FIPS &&
2620 conn->pending_sec_level != BT_SECURITY_HIGH &&
2621 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2627 static int hci_resolve_name(struct hci_dev *hdev,
2628 struct inquiry_entry *e)
2630 struct hci_cp_remote_name_req cp;
2632 memset(&cp, 0, sizeof(cp));
2634 bacpy(&cp.bdaddr, &e->data.bdaddr);
2635 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2636 cp.pscan_mode = e->data.pscan_mode;
2637 cp.clock_offset = e->data.clock_offset;
2639 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2642 static bool hci_resolve_next_name(struct hci_dev *hdev)
2644 struct discovery_state *discov = &hdev->discovery;
2645 struct inquiry_entry *e;
2647 if (list_empty(&discov->resolve))
2650 /* We should stop if we already spent too much time resolving names. */
2651 if (time_after(jiffies, discov->name_resolve_timeout)) {
2652 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2656 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2660 if (hci_resolve_name(hdev, e) == 0) {
2661 e->name_state = NAME_PENDING;
2668 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2669 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2671 struct discovery_state *discov = &hdev->discovery;
2672 struct inquiry_entry *e;
2675 /* Update the mgmt connected state if necessary. Be careful with
2676 * conn objects that exist but are not (yet) connected however.
2677 * Only those in BT_CONFIG or BT_CONNECTED states can be
2678 * considered connected.
2681 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2682 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2683 mgmt_device_connected(hdev, conn, 0, name, name_len);
2685 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2689 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2690 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2691 mgmt_device_connected(hdev, conn, name, name_len);
2694 if (discov->state == DISCOVERY_STOPPED)
2697 if (discov->state == DISCOVERY_STOPPING)
2698 goto discov_complete;
2700 if (discov->state != DISCOVERY_RESOLVING)
2703 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2704 /* If the device was not found in a list of found devices names of which
2705 * are pending. there is no need to continue resolving a next name as it
2706 * will be done upon receiving another Remote Name Request Complete
2713 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2714 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2717 if (hci_resolve_next_name(hdev))
2721 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2724 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2726 struct hci_cp_remote_name_req *cp;
2727 struct hci_conn *conn;
2729 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2731 /* If successful wait for the name req complete event before
2732 * checking for the need to do authentication */
2736 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2742 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2744 if (hci_dev_test_flag(hdev, HCI_MGMT))
2745 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2750 if (!hci_outgoing_auth_needed(hdev, conn))
2753 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2754 struct hci_cp_auth_requested auth_cp;
2756 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2758 auth_cp.handle = __cpu_to_le16(conn->handle);
2759 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2760 sizeof(auth_cp), &auth_cp);
2764 hci_dev_unlock(hdev);
2767 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2769 struct hci_cp_read_remote_features *cp;
2770 struct hci_conn *conn;
2772 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2777 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2783 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2785 if (conn->state == BT_CONFIG) {
2786 hci_connect_cfm(conn, status);
2787 hci_conn_drop(conn);
2791 hci_dev_unlock(hdev);
2794 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2796 struct hci_cp_read_remote_ext_features *cp;
2797 struct hci_conn *conn;
2799 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2810 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2812 if (conn->state == BT_CONFIG) {
2813 hci_connect_cfm(conn, status);
2814 hci_conn_drop(conn);
2818 hci_dev_unlock(hdev);
2821 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2823 struct hci_cp_setup_sync_conn *cp;
2824 struct hci_conn *acl, *sco;
2827 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2832 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2836 handle = __le16_to_cpu(cp->handle);
2838 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2842 acl = hci_conn_hash_lookup_handle(hdev, handle);
2846 sco->state = BT_CLOSED;
2848 hci_connect_cfm(sco, status);
2853 hci_dev_unlock(hdev);
2856 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2858 struct hci_cp_enhanced_setup_sync_conn *cp;
2859 struct hci_conn *acl, *sco;
2862 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2867 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2871 handle = __le16_to_cpu(cp->handle);
2873 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2877 acl = hci_conn_hash_lookup_handle(hdev, handle);
2881 sco->state = BT_CLOSED;
2883 hci_connect_cfm(sco, status);
2888 hci_dev_unlock(hdev);
2891 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2893 struct hci_cp_sniff_mode *cp;
2894 struct hci_conn *conn;
2896 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2901 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2907 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2909 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2911 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2912 hci_sco_setup(conn, status);
2915 hci_dev_unlock(hdev);
2918 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2920 struct hci_cp_exit_sniff_mode *cp;
2921 struct hci_conn *conn;
2923 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2928 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2934 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2936 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2938 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2939 hci_sco_setup(conn, status);
2942 hci_dev_unlock(hdev);
2945 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2947 struct hci_cp_disconnect *cp;
2948 struct hci_conn_params *params;
2949 struct hci_conn *conn;
2952 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2954 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2955 * otherwise cleanup the connection immediately.
2957 if (!status && !hdev->suspended)
2960 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2966 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2971 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2972 conn->dst_type, status);
2974 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2975 hdev->cur_adv_instance = conn->adv_instance;
2976 hci_enable_advertising(hdev);
2982 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2984 if (conn->type == ACL_LINK) {
2985 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2986 hci_remove_link_key(hdev, &conn->dst);
2989 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2991 switch (params->auto_connect) {
2992 case HCI_AUTO_CONN_LINK_LOSS:
2993 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2997 case HCI_AUTO_CONN_DIRECT:
2998 case HCI_AUTO_CONN_ALWAYS:
2999 list_del_init(¶ms->action);
3000 list_add(¶ms->action, &hdev->pend_le_conns);
3008 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3009 cp->reason, mgmt_conn);
3011 hci_disconn_cfm(conn, cp->reason);
3014 /* If the disconnection failed for any reason, the upper layer
3015 * does not retry to disconnect in current implementation.
3016 * Hence, we need to do some basic cleanup here and re-enable
3017 * advertising if necessary.
3021 hci_dev_unlock(hdev);
3024 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
3026 /* When using controller based address resolution, then the new
3027 * address types 0x02 and 0x03 are used. These types need to be
3028 * converted back into either public address or random address type
3031 case ADDR_LE_DEV_PUBLIC_RESOLVED:
3034 return ADDR_LE_DEV_PUBLIC;
3035 case ADDR_LE_DEV_RANDOM_RESOLVED:
3038 return ADDR_LE_DEV_RANDOM;
3046 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
3047 u8 peer_addr_type, u8 own_address_type,
3050 struct hci_conn *conn;
3052 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
3057 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
3059 /* Store the initiator and responder address information which
3060 * is needed for SMP. These values will not change during the
3061 * lifetime of the connection.
3063 conn->init_addr_type = own_address_type;
3064 if (own_address_type == ADDR_LE_DEV_RANDOM)
3065 bacpy(&conn->init_addr, &hdev->random_addr);
3067 bacpy(&conn->init_addr, &hdev->bdaddr);
3069 conn->resp_addr_type = peer_addr_type;
3070 bacpy(&conn->resp_addr, peer_addr);
3073 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3075 struct hci_cp_le_create_conn *cp;
3077 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3079 /* All connection failure handling is taken care of by the
3080 * hci_conn_failed function which is triggered by the HCI
3081 * request completion callbacks used for connecting.
3086 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3092 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3093 cp->own_address_type, cp->filter_policy);
3095 hci_dev_unlock(hdev);
3098 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3100 struct hci_cp_le_ext_create_conn *cp;
3102 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3104 /* All connection failure handling is taken care of by the
3105 * hci_conn_failed function which is triggered by the HCI
3106 * request completion callbacks used for connecting.
3111 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3117 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3118 cp->own_addr_type, cp->filter_policy);
3120 hci_dev_unlock(hdev);
3123 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3125 struct hci_cp_le_read_remote_features *cp;
3126 struct hci_conn *conn;
3128 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3133 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3139 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3141 if (conn->state == BT_CONFIG) {
3142 hci_connect_cfm(conn, status);
3143 hci_conn_drop(conn);
3147 hci_dev_unlock(hdev);
3150 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3152 struct hci_cp_le_start_enc *cp;
3153 struct hci_conn *conn;
3155 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3162 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3166 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3170 if (conn->state != BT_CONNECTED)
3173 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3174 hci_conn_drop(conn);
3177 hci_dev_unlock(hdev);
3180 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3182 struct hci_cp_switch_role *cp;
3183 struct hci_conn *conn;
3185 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3190 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3196 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3198 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3200 hci_dev_unlock(hdev);
3203 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3204 struct sk_buff *skb)
3206 struct hci_ev_status *ev = data;
3207 struct discovery_state *discov = &hdev->discovery;
3208 struct inquiry_entry *e;
3210 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3212 hci_conn_check_pending(hdev);
3214 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3217 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3218 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3220 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3225 if (discov->state != DISCOVERY_FINDING)
3228 if (list_empty(&discov->resolve)) {
3229 /* When BR/EDR inquiry is active and no LE scanning is in
3230 * progress, then change discovery state to indicate completion.
3232 * When running LE scanning and BR/EDR inquiry simultaneously
3233 * and the LE scan already finished, then change the discovery
3234 * state to indicate completion.
3236 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3237 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3238 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3242 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3243 if (e && hci_resolve_name(hdev, e) == 0) {
3244 e->name_state = NAME_PENDING;
3245 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3246 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3248 /* When BR/EDR inquiry is active and no LE scanning is in
3249 * progress, then change discovery state to indicate completion.
3251 * When running LE scanning and BR/EDR inquiry simultaneously
3252 * and the LE scan already finished, then change the discovery
3253 * state to indicate completion.
3255 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3256 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3257 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3261 hci_dev_unlock(hdev);
3264 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3265 struct sk_buff *skb)
3267 struct hci_ev_inquiry_result *ev = edata;
3268 struct inquiry_data data;
3271 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3272 flex_array_size(ev, info, ev->num)))
3275 bt_dev_dbg(hdev, "num %d", ev->num);
3280 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3285 for (i = 0; i < ev->num; i++) {
3286 struct inquiry_info *info = &ev->info[i];
3289 bacpy(&data.bdaddr, &info->bdaddr);
3290 data.pscan_rep_mode = info->pscan_rep_mode;
3291 data.pscan_period_mode = info->pscan_period_mode;
3292 data.pscan_mode = info->pscan_mode;
3293 memcpy(data.dev_class, info->dev_class, 3);
3294 data.clock_offset = info->clock_offset;
3295 data.rssi = HCI_RSSI_INVALID;
3296 data.ssp_mode = 0x00;
3298 flags = hci_inquiry_cache_update(hdev, &data, false);
3300 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3301 info->dev_class, HCI_RSSI_INVALID,
3302 flags, NULL, 0, NULL, 0, 0);
3305 hci_dev_unlock(hdev);
3308 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3309 struct sk_buff *skb)
3311 struct hci_ev_conn_complete *ev = data;
3312 struct hci_conn *conn;
3313 u8 status = ev->status;
3315 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3319 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3321 /* In case of error status and there is no connection pending
3322 * just unlock as there is nothing to cleanup.
3327 /* Connection may not exist if auto-connected. Check the bredr
3328 * allowlist to see if this device is allowed to auto connect.
3329 * If link is an ACL type, create a connection class
3332 * Auto-connect will only occur if the event filter is
3333 * programmed with a given address. Right now, event filter is
3334 * only used during suspend.
3336 if (ev->link_type == ACL_LINK &&
3337 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3340 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3343 bt_dev_err(hdev, "no memory for new conn");
3347 if (ev->link_type != SCO_LINK)
3350 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3355 conn->type = SCO_LINK;
3359 /* The HCI_Connection_Complete event is only sent once per connection.
3360 * Processing it more than once per connection can corrupt kernel memory.
3362 * As the connection handle is set here for the first time, it indicates
3363 * whether the connection is already set up.
3365 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
3366 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3371 conn->handle = __le16_to_cpu(ev->handle);
3372 if (conn->handle > HCI_CONN_HANDLE_MAX) {
3373 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
3374 conn->handle, HCI_CONN_HANDLE_MAX);
3375 status = HCI_ERROR_INVALID_PARAMETERS;
3379 if (conn->type == ACL_LINK) {
3380 conn->state = BT_CONFIG;
3381 hci_conn_hold(conn);
3383 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3384 !hci_find_link_key(hdev, &ev->bdaddr))
3385 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3387 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3389 conn->state = BT_CONNECTED;
3391 hci_debugfs_create_conn(conn);
3392 hci_conn_add_sysfs(conn);
3394 if (test_bit(HCI_AUTH, &hdev->flags))
3395 set_bit(HCI_CONN_AUTH, &conn->flags);
3397 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3398 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3400 /* Get remote features */
3401 if (conn->type == ACL_LINK) {
3402 struct hci_cp_read_remote_features cp;
3403 cp.handle = ev->handle;
3404 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3407 hci_update_scan(hdev);
3410 /* Set packet type for incoming connection */
3411 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3412 struct hci_cp_change_conn_ptype cp;
3413 cp.handle = ev->handle;
3414 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3415 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3420 if (get_link_mode(conn) & HCI_LM_MASTER)
3421 hci_conn_change_supervision_timeout(conn,
3422 LINK_SUPERVISION_TIMEOUT);
3426 if (conn->type == ACL_LINK)
3427 hci_sco_setup(conn, ev->status);
3431 hci_conn_failed(conn, status);
3432 } else if (ev->link_type == SCO_LINK) {
3433 switch (conn->setting & SCO_AIRMODE_MASK) {
3434 case SCO_AIRMODE_CVSD:
3436 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3440 hci_connect_cfm(conn, status);
3444 hci_dev_unlock(hdev);
3446 hci_conn_check_pending(hdev);
3449 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3451 struct hci_cp_reject_conn_req cp;
3453 bacpy(&cp.bdaddr, bdaddr);
3454 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3455 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3458 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3459 struct sk_buff *skb)
3461 struct hci_ev_conn_request *ev = data;
3462 int mask = hdev->link_mode;
3463 struct inquiry_entry *ie;
3464 struct hci_conn *conn;
3467 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3469 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3472 if (!(mask & HCI_LM_ACCEPT)) {
3473 hci_reject_conn(hdev, &ev->bdaddr);
3479 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3481 hci_reject_conn(hdev, &ev->bdaddr);
3485 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3486 * connection. These features are only touched through mgmt so
3487 * only do the checks if HCI_MGMT is set.
3489 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3490 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3491 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3493 hci_reject_conn(hdev, &ev->bdaddr);
3497 /* Connection accepted */
3499 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3501 memcpy(ie->data.dev_class, ev->dev_class, 3);
3504 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
3505 hci_conn_hash_lookup_sco(hdev)) {
3506 struct hci_cp_reject_conn_req cp;
3508 bacpy(&cp.bdaddr, &ev->bdaddr);
3509 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
3510 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
3512 hci_dev_unlock(hdev);
3517 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3520 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3523 bt_dev_err(hdev, "no memory for new connection");
3528 memcpy(conn->dev_class, ev->dev_class, 3);
3530 hci_dev_unlock(hdev);
3532 if (ev->link_type == ACL_LINK ||
3533 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3534 struct hci_cp_accept_conn_req cp;
3535 conn->state = BT_CONNECT;
3537 bacpy(&cp.bdaddr, &ev->bdaddr);
3539 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3540 cp.role = 0x00; /* Become central */
3542 cp.role = 0x01; /* Remain peripheral */
3544 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3545 } else if (!(flags & HCI_PROTO_DEFER)) {
3546 struct hci_cp_accept_sync_conn_req cp;
3547 conn->state = BT_CONNECT;
3549 bacpy(&cp.bdaddr, &ev->bdaddr);
3550 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3552 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3553 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3554 cp.max_latency = cpu_to_le16(0xffff);
3555 cp.content_format = cpu_to_le16(hdev->voice_setting);
3556 cp.retrans_effort = 0xff;
3558 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3561 conn->state = BT_CONNECT2;
3562 hci_connect_cfm(conn, 0);
3567 hci_dev_unlock(hdev);
3570 static u8 hci_to_mgmt_reason(u8 err)
3573 case HCI_ERROR_CONNECTION_TIMEOUT:
3574 return MGMT_DEV_DISCONN_TIMEOUT;
3575 case HCI_ERROR_REMOTE_USER_TERM:
3576 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3577 case HCI_ERROR_REMOTE_POWER_OFF:
3578 return MGMT_DEV_DISCONN_REMOTE;
3579 case HCI_ERROR_LOCAL_HOST_TERM:
3580 return MGMT_DEV_DISCONN_LOCAL_HOST;
3582 return MGMT_DEV_DISCONN_UNKNOWN;
3586 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3587 struct sk_buff *skb)
3589 struct hci_ev_disconn_complete *ev = data;
3591 struct hci_conn_params *params;
3592 struct hci_conn *conn;
3593 bool mgmt_connected;
3595 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3599 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3604 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3605 conn->dst_type, ev->status);
3609 conn->state = BT_CLOSED;
3611 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3613 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3614 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3616 reason = hci_to_mgmt_reason(ev->reason);
3618 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3619 reason, mgmt_connected);
3621 if (conn->type == ACL_LINK) {
3622 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3623 hci_remove_link_key(hdev, &conn->dst);
3625 hci_update_scan(hdev);
3628 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3630 switch (params->auto_connect) {
3631 case HCI_AUTO_CONN_LINK_LOSS:
3632 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3636 case HCI_AUTO_CONN_DIRECT:
3637 case HCI_AUTO_CONN_ALWAYS:
3638 list_del_init(¶ms->action);
3639 list_add(¶ms->action, &hdev->pend_le_conns);
3640 hci_update_passive_scan(hdev);
3648 hci_disconn_cfm(conn, ev->reason);
3650 /* Re-enable advertising if necessary, since it might
3651 * have been disabled by the connection. From the
3652 * HCI_LE_Set_Advertise_Enable command description in
3653 * the core specification (v4.0):
3654 * "The Controller shall continue advertising until the Host
3655 * issues an LE_Set_Advertise_Enable command with
3656 * Advertising_Enable set to 0x00 (Advertising is disabled)
3657 * or until a connection is created or until the Advertising
3658 * is timed out due to Directed Advertising."
3660 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3661 hdev->cur_adv_instance = conn->adv_instance;
3662 hci_enable_advertising(hdev);
3668 if (type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
3672 iscan = test_bit(HCI_ISCAN, &hdev->flags);
3673 pscan = test_bit(HCI_PSCAN, &hdev->flags);
3674 if (!iscan && !pscan) {
3675 u8 scan_enable = SCAN_PAGE;
3677 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
3678 sizeof(scan_enable), &scan_enable);
3684 hci_dev_unlock(hdev);
3687 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3688 struct sk_buff *skb)
3690 struct hci_ev_auth_complete *ev = data;
3691 struct hci_conn *conn;
3693 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3697 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3702 /* PIN or Key Missing patch */
3703 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
3704 conn->remote_auth, conn->remote_cap,
3705 conn->auth_type, conn->io_capability);
3707 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
3708 struct hci_cp_auth_requested cp;
3710 BT_DBG("Pin or key missing");
3711 hci_remove_link_key(hdev, &conn->dst);
3712 cp.handle = cpu_to_le16(conn->handle);
3713 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3720 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3722 if (!hci_conn_ssp_enabled(conn) &&
3723 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
3724 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
3726 set_bit(HCI_CONN_AUTH, &conn->flags);
3727 conn->sec_level = conn->pending_sec_level;
3730 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3731 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3733 mgmt_auth_failed(conn, ev->status);
3736 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3737 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3739 if (conn->state == BT_CONFIG) {
3740 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3741 struct hci_cp_set_conn_encrypt cp;
3742 cp.handle = ev->handle;
3744 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3747 conn->state = BT_CONNECTED;
3748 hci_connect_cfm(conn, ev->status);
3749 hci_conn_drop(conn);
3752 hci_auth_cfm(conn, ev->status);
3754 hci_conn_hold(conn);
3755 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3756 hci_conn_drop(conn);
3759 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3761 struct hci_cp_set_conn_encrypt cp;
3762 cp.handle = ev->handle;
3764 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3767 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3768 hci_encrypt_cfm(conn, ev->status);
3773 hci_dev_unlock(hdev);
3776 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3777 struct sk_buff *skb)
3779 struct hci_ev_remote_name *ev = data;
3780 struct hci_conn *conn;
3782 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3784 hci_conn_check_pending(hdev);
3788 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3790 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3793 if (ev->status == 0)
3794 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3795 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3797 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3803 if (!hci_outgoing_auth_needed(hdev, conn))
3806 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3807 struct hci_cp_auth_requested cp;
3809 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3811 cp.handle = __cpu_to_le16(conn->handle);
3812 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3816 hci_dev_unlock(hdev);
3819 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3820 struct sk_buff *skb)
3822 struct hci_ev_encrypt_change *ev = data;
3823 struct hci_conn *conn;
3825 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3829 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3835 /* Encryption implies authentication */
3836 set_bit(HCI_CONN_AUTH, &conn->flags);
3837 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3838 conn->sec_level = conn->pending_sec_level;
3840 /* P-256 authentication key implies FIPS */
3841 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3842 set_bit(HCI_CONN_FIPS, &conn->flags);
3844 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3845 conn->type == LE_LINK)
3846 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3848 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3849 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3853 /* We should disregard the current RPA and generate a new one
3854 * whenever the encryption procedure fails.
3856 if (ev->status && conn->type == LE_LINK) {
3857 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3858 hci_adv_instances_set_rpa_expired(hdev, true);
3861 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3863 /* Check link security requirements are met */
3864 if (!hci_conn_check_link_mode(conn))
3865 ev->status = HCI_ERROR_AUTH_FAILURE;
3867 if (ev->status && conn->state == BT_CONNECTED) {
3868 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3869 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3871 /* Notify upper layers so they can cleanup before
3874 hci_encrypt_cfm(conn, ev->status);
3875 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3876 hci_conn_drop(conn);
3880 /* Try reading the encryption key size for encrypted ACL links */
3881 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3882 struct hci_cp_read_enc_key_size cp;
3884 /* Only send HCI_Read_Encryption_Key_Size if the
3885 * controller really supports it. If it doesn't, assume
3886 * the default size (16).
3888 if (!(hdev->commands[20] & 0x10)) {
3889 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3893 cp.handle = cpu_to_le16(conn->handle);
3894 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3896 bt_dev_err(hdev, "sending read key size failed");
3897 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3904 /* Set the default Authenticated Payload Timeout after
3905 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3906 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3907 * sent when the link is active and Encryption is enabled, the conn
3908 * type can be either LE or ACL and controller must support LMP Ping.
3909 * Ensure for AES-CCM encryption as well.
3911 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3912 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3913 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3914 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3915 struct hci_cp_write_auth_payload_to cp;
3917 cp.handle = cpu_to_le16(conn->handle);
3918 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3919 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3924 hci_encrypt_cfm(conn, ev->status);
3927 hci_dev_unlock(hdev);
3930 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3931 struct sk_buff *skb)
3933 struct hci_ev_change_link_key_complete *ev = data;
3934 struct hci_conn *conn;
3936 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3940 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3943 set_bit(HCI_CONN_SECURE, &conn->flags);
3945 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3947 hci_key_change_cfm(conn, ev->status);
3950 hci_dev_unlock(hdev);
3953 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3954 struct sk_buff *skb)
3956 struct hci_ev_remote_features *ev = data;
3957 struct hci_conn *conn;
3959 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3963 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3968 memcpy(conn->features[0], ev->features, 8);
3970 if (conn->state != BT_CONFIG)
3973 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3974 lmp_ext_feat_capable(conn)) {
3975 struct hci_cp_read_remote_ext_features cp;
3976 cp.handle = ev->handle;
3978 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3983 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3984 struct hci_cp_remote_name_req cp;
3985 memset(&cp, 0, sizeof(cp));
3986 bacpy(&cp.bdaddr, &conn->dst);
3987 cp.pscan_rep_mode = 0x02;
3988 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3989 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3990 mgmt_device_connected(hdev, conn, NULL, 0);
3992 if (!hci_outgoing_auth_needed(hdev, conn)) {
3993 conn->state = BT_CONNECTED;
3994 hci_connect_cfm(conn, ev->status);
3995 hci_conn_drop(conn);
3999 hci_dev_unlock(hdev);
4002 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
4004 cancel_delayed_work(&hdev->cmd_timer);
4007 if (!test_bit(HCI_RESET, &hdev->flags)) {
4009 cancel_delayed_work(&hdev->ncmd_timer);
4010 atomic_set(&hdev->cmd_cnt, 1);
4012 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4013 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
4020 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
4021 struct sk_buff *skb)
4023 struct hci_rp_le_read_buffer_size_v2 *rp = data;
4025 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4030 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
4031 hdev->le_pkts = rp->acl_max_pkt;
4032 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
4033 hdev->iso_pkts = rp->iso_max_pkt;
4035 hdev->le_cnt = hdev->le_pkts;
4036 hdev->iso_cnt = hdev->iso_pkts;
4038 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
4039 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
4044 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
4045 struct sk_buff *skb)
4047 struct hci_rp_le_set_cig_params *rp = data;
4048 struct hci_conn *conn;
4051 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4056 while ((conn = hci_conn_hash_lookup_cig(hdev, rp->cig_id))) {
4057 conn->state = BT_CLOSED;
4058 hci_connect_cfm(conn, rp->status);
4066 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
4067 if (conn->type != ISO_LINK || conn->iso_qos.cig != rp->cig_id ||
4068 conn->state == BT_CONNECTED)
4071 conn->handle = __le16_to_cpu(rp->handle[i++]);
4073 bt_dev_dbg(hdev, "%p handle 0x%4.4x link %p", conn,
4074 conn->handle, conn->link);
4076 /* Create CIS if LE is already connected */
4077 if (conn->link && conn->link->state == BT_CONNECTED) {
4079 hci_le_create_cis(conn->link);
4083 if (i == rp->num_handles)
4090 hci_dev_unlock(hdev);
4095 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
4096 struct sk_buff *skb)
4098 struct hci_rp_le_setup_iso_path *rp = data;
4099 struct hci_cp_le_setup_iso_path *cp;
4100 struct hci_conn *conn;
4102 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4104 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4110 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4115 hci_connect_cfm(conn, rp->status);
4120 switch (cp->direction) {
4121 /* Input (Host to Controller) */
4123 /* Only confirm connection if output only */
4124 if (conn->iso_qos.out.sdu && !conn->iso_qos.in.sdu)
4125 hci_connect_cfm(conn, rp->status);
4127 /* Output (Controller to Host) */
4129 /* Confirm connection since conn->iso_qos is always configured
4132 hci_connect_cfm(conn, rp->status);
4137 hci_dev_unlock(hdev);
4141 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4143 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4146 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4147 struct sk_buff *skb)
4149 struct hci_ev_status *rp = data;
4150 struct hci_cp_le_set_per_adv_params *cp;
4152 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4157 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4161 /* TODO: set the conn state */
4165 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4166 struct sk_buff *skb)
4168 struct hci_ev_status *rp = data;
4171 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4176 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4183 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4185 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4187 hci_dev_unlock(hdev);
4192 #define HCI_CC_VL(_op, _func, _min, _max) \
4200 #define HCI_CC(_op, _func, _len) \
4201 HCI_CC_VL(_op, _func, _len, _len)
4203 #define HCI_CC_STATUS(_op, _func) \
4204 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4206 static const struct hci_cc {
4208 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4211 } hci_cc_table[] = {
4212 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4213 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4214 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4215 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4216 hci_cc_remote_name_req_cancel),
4217 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4218 sizeof(struct hci_rp_role_discovery)),
4219 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4220 sizeof(struct hci_rp_read_link_policy)),
4221 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4222 sizeof(struct hci_rp_write_link_policy)),
4223 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4224 sizeof(struct hci_rp_read_def_link_policy)),
4225 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4226 hci_cc_write_def_link_policy),
4227 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4228 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4229 sizeof(struct hci_rp_read_stored_link_key)),
4230 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4231 sizeof(struct hci_rp_delete_stored_link_key)),
4232 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4233 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4234 sizeof(struct hci_rp_read_local_name)),
4235 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4236 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4237 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4238 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4239 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4240 sizeof(struct hci_rp_read_class_of_dev)),
4241 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4242 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4243 sizeof(struct hci_rp_read_voice_setting)),
4244 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4245 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4246 sizeof(struct hci_rp_read_num_supported_iac)),
4247 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4248 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4249 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4250 sizeof(struct hci_rp_read_auth_payload_to)),
4251 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4252 sizeof(struct hci_rp_write_auth_payload_to)),
4253 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4254 sizeof(struct hci_rp_read_local_version)),
4255 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4256 sizeof(struct hci_rp_read_local_commands)),
4257 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4258 sizeof(struct hci_rp_read_local_features)),
4259 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4260 sizeof(struct hci_rp_read_local_ext_features)),
4261 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4262 sizeof(struct hci_rp_read_buffer_size)),
4263 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4264 sizeof(struct hci_rp_read_bd_addr)),
4265 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4266 sizeof(struct hci_rp_read_local_pairing_opts)),
4267 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4268 sizeof(struct hci_rp_read_page_scan_activity)),
4269 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4270 hci_cc_write_page_scan_activity),
4271 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4272 sizeof(struct hci_rp_read_page_scan_type)),
4273 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4274 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4275 sizeof(struct hci_rp_read_data_block_size)),
4276 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4277 sizeof(struct hci_rp_read_flow_control_mode)),
4278 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4279 sizeof(struct hci_rp_read_local_amp_info)),
4280 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4281 sizeof(struct hci_rp_read_clock)),
4282 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4283 sizeof(struct hci_rp_read_enc_key_size)),
4284 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4285 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4286 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4287 hci_cc_read_def_err_data_reporting,
4288 sizeof(struct hci_rp_read_def_err_data_reporting)),
4289 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4290 hci_cc_write_def_err_data_reporting),
4291 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4292 sizeof(struct hci_rp_pin_code_reply)),
4293 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4294 sizeof(struct hci_rp_pin_code_neg_reply)),
4295 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4296 sizeof(struct hci_rp_read_local_oob_data)),
4297 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4298 sizeof(struct hci_rp_read_local_oob_ext_data)),
4299 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4300 sizeof(struct hci_rp_le_read_buffer_size)),
4301 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4302 sizeof(struct hci_rp_le_read_local_features)),
4303 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4304 sizeof(struct hci_rp_le_read_adv_tx_power)),
4305 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4306 sizeof(struct hci_rp_user_confirm_reply)),
4307 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4308 sizeof(struct hci_rp_user_confirm_reply)),
4309 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4310 sizeof(struct hci_rp_user_confirm_reply)),
4311 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4312 sizeof(struct hci_rp_user_confirm_reply)),
4313 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4314 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4315 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4316 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4317 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4318 hci_cc_le_read_accept_list_size,
4319 sizeof(struct hci_rp_le_read_accept_list_size)),
4320 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4321 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4322 hci_cc_le_add_to_accept_list),
4323 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4324 hci_cc_le_del_from_accept_list),
4325 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4326 sizeof(struct hci_rp_le_read_supported_states)),
4327 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4328 sizeof(struct hci_rp_le_read_def_data_len)),
4329 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4330 hci_cc_le_write_def_data_len),
4331 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4332 hci_cc_le_add_to_resolv_list),
4333 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4334 hci_cc_le_del_from_resolv_list),
4335 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4336 hci_cc_le_clear_resolv_list),
4337 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4338 sizeof(struct hci_rp_le_read_resolv_list_size)),
4339 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4340 hci_cc_le_set_addr_resolution_enable),
4341 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4342 sizeof(struct hci_rp_le_read_max_data_len)),
4343 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4344 hci_cc_write_le_host_supported),
4345 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4346 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4347 sizeof(struct hci_rp_read_rssi)),
4348 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4349 sizeof(struct hci_rp_read_tx_power)),
4350 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4351 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4352 hci_cc_le_set_ext_scan_param),
4353 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4354 hci_cc_le_set_ext_scan_enable),
4355 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4356 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4357 hci_cc_le_read_num_adv_sets,
4358 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4359 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4360 sizeof(struct hci_rp_le_set_ext_adv_params)),
4361 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4362 hci_cc_le_set_ext_adv_enable),
4363 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4364 hci_cc_le_set_adv_set_random_addr),
4365 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4366 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4367 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4368 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4369 hci_cc_le_set_per_adv_enable),
4370 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4371 sizeof(struct hci_rp_le_read_transmit_power)),
4373 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4374 sizeof(struct hci_cc_rsp_enable_rssi)),
4375 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4376 sizeof(struct hci_cc_rp_get_raw_rssi)),
4378 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4379 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4380 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4381 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4382 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4383 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4384 sizeof(struct hci_rp_le_setup_iso_path)),
4387 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4388 struct sk_buff *skb)
4392 if (skb->len < cc->min_len) {
4393 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4394 cc->op, skb->len, cc->min_len);
4395 return HCI_ERROR_UNSPECIFIED;
4398 /* Just warn if the length is over max_len size it still be possible to
4399 * partially parse the cc so leave to callback to decide if that is
4402 if (skb->len > cc->max_len)
4403 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4404 cc->op, skb->len, cc->max_len);
4406 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4408 return HCI_ERROR_UNSPECIFIED;
4410 return cc->func(hdev, data, skb);
4413 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4414 struct sk_buff *skb, u16 *opcode, u8 *status,
4415 hci_req_complete_t *req_complete,
4416 hci_req_complete_skb_t *req_complete_skb)
4418 struct hci_ev_cmd_complete *ev = data;
4421 *opcode = __le16_to_cpu(ev->opcode);
4423 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4425 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4426 if (hci_cc_table[i].op == *opcode) {
4427 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4432 if (i == ARRAY_SIZE(hci_cc_table)) {
4433 /* Unknown opcode, assume byte 0 contains the status, so
4434 * that e.g. __hci_cmd_sync() properly returns errors
4435 * for vendor specific commands send by HCI drivers.
4436 * If a vendor doesn't actually follow this convention we may
4437 * need to introduce a vendor CC table in order to properly set
4440 *status = skb->data[0];
4443 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4445 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4448 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4450 "unexpected event for opcode 0x%4.4x", *opcode);
4454 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4455 queue_work(hdev->workqueue, &hdev->cmd_work);
4458 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4460 struct hci_cp_le_create_cis *cp;
4463 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4468 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4474 /* Remove connection if command failed */
4475 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4476 struct hci_conn *conn;
4479 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4481 conn = hci_conn_hash_lookup_handle(hdev, handle);
4483 conn->state = BT_CLOSED;
4484 hci_connect_cfm(conn, status);
4489 hci_dev_unlock(hdev);
4492 #define HCI_CS(_op, _func) \
4498 static const struct hci_cs {
4500 void (*func)(struct hci_dev *hdev, __u8 status);
4501 } hci_cs_table[] = {
4502 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4503 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4504 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4505 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4506 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4507 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4508 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4509 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4510 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4511 hci_cs_read_remote_ext_features),
4512 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4513 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4514 hci_cs_enhanced_setup_sync_conn),
4515 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4516 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4517 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4518 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4519 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4520 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4521 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4522 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4523 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4526 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4527 struct sk_buff *skb, u16 *opcode, u8 *status,
4528 hci_req_complete_t *req_complete,
4529 hci_req_complete_skb_t *req_complete_skb)
4531 struct hci_ev_cmd_status *ev = data;
4534 *opcode = __le16_to_cpu(ev->opcode);
4535 *status = ev->status;
4537 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4539 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4540 if (hci_cs_table[i].op == *opcode) {
4541 hci_cs_table[i].func(hdev, ev->status);
4546 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4548 /* Indicate request completion if the command failed. Also, if
4549 * we're not waiting for a special event and we get a success
4550 * command status we should try to flag the request as completed
4551 * (since for this kind of commands there will not be a command
4554 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4555 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4557 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4558 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4564 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4565 queue_work(hdev->workqueue, &hdev->cmd_work);
4568 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4569 struct sk_buff *skb)
4571 struct hci_ev_hardware_error *ev = data;
4573 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4577 mgmt_hardware_error(hdev, ev->code);
4578 hci_dev_unlock(hdev);
4580 hdev->hw_error_code = ev->code;
4582 queue_work(hdev->req_workqueue, &hdev->error_reset);
4585 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4586 struct sk_buff *skb)
4588 struct hci_ev_role_change *ev = data;
4589 struct hci_conn *conn;
4591 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4595 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4598 conn->role = ev->role;
4600 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4602 hci_role_switch_cfm(conn, ev->status, ev->role);
4604 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
4605 hci_conn_change_supervision_timeout(conn,
4606 LINK_SUPERVISION_TIMEOUT);
4610 hci_dev_unlock(hdev);
4613 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4614 struct sk_buff *skb)
4616 struct hci_ev_num_comp_pkts *ev = data;
4619 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4620 flex_array_size(ev, handles, ev->num)))
4623 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4624 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4628 bt_dev_dbg(hdev, "num %d", ev->num);
4630 for (i = 0; i < ev->num; i++) {
4631 struct hci_comp_pkts_info *info = &ev->handles[i];
4632 struct hci_conn *conn;
4633 __u16 handle, count;
4635 handle = __le16_to_cpu(info->handle);
4636 count = __le16_to_cpu(info->count);
4638 conn = hci_conn_hash_lookup_handle(hdev, handle);
4642 conn->sent -= count;
4644 switch (conn->type) {
4646 hdev->acl_cnt += count;
4647 if (hdev->acl_cnt > hdev->acl_pkts)
4648 hdev->acl_cnt = hdev->acl_pkts;
4652 if (hdev->le_pkts) {
4653 hdev->le_cnt += count;
4654 if (hdev->le_cnt > hdev->le_pkts)
4655 hdev->le_cnt = hdev->le_pkts;
4657 hdev->acl_cnt += count;
4658 if (hdev->acl_cnt > hdev->acl_pkts)
4659 hdev->acl_cnt = hdev->acl_pkts;
4664 hdev->sco_cnt += count;
4665 if (hdev->sco_cnt > hdev->sco_pkts)
4666 hdev->sco_cnt = hdev->sco_pkts;
4670 if (hdev->iso_pkts) {
4671 hdev->iso_cnt += count;
4672 if (hdev->iso_cnt > hdev->iso_pkts)
4673 hdev->iso_cnt = hdev->iso_pkts;
4674 } else if (hdev->le_pkts) {
4675 hdev->le_cnt += count;
4676 if (hdev->le_cnt > hdev->le_pkts)
4677 hdev->le_cnt = hdev->le_pkts;
4679 hdev->acl_cnt += count;
4680 if (hdev->acl_cnt > hdev->acl_pkts)
4681 hdev->acl_cnt = hdev->acl_pkts;
4686 bt_dev_err(hdev, "unknown type %d conn %p",
4692 queue_work(hdev->workqueue, &hdev->tx_work);
4695 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4698 struct hci_chan *chan;
4700 switch (hdev->dev_type) {
4702 return hci_conn_hash_lookup_handle(hdev, handle);
4704 chan = hci_chan_lookup_handle(hdev, handle);
4709 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4716 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4717 struct sk_buff *skb)
4719 struct hci_ev_num_comp_blocks *ev = data;
4722 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4723 flex_array_size(ev, handles, ev->num_hndl)))
4726 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4727 bt_dev_err(hdev, "wrong event for mode %d",
4728 hdev->flow_ctl_mode);
4732 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4735 for (i = 0; i < ev->num_hndl; i++) {
4736 struct hci_comp_blocks_info *info = &ev->handles[i];
4737 struct hci_conn *conn = NULL;
4738 __u16 handle, block_count;
4740 handle = __le16_to_cpu(info->handle);
4741 block_count = __le16_to_cpu(info->blocks);
4743 conn = __hci_conn_lookup_handle(hdev, handle);
4747 conn->sent -= block_count;
4749 switch (conn->type) {
4752 hdev->block_cnt += block_count;
4753 if (hdev->block_cnt > hdev->num_blocks)
4754 hdev->block_cnt = hdev->num_blocks;
4758 bt_dev_err(hdev, "unknown type %d conn %p",
4764 queue_work(hdev->workqueue, &hdev->tx_work);
4767 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4768 struct sk_buff *skb)
4770 struct hci_ev_mode_change *ev = data;
4771 struct hci_conn *conn;
4773 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4777 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4779 conn->mode = ev->mode;
4781 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4783 if (conn->mode == HCI_CM_ACTIVE)
4784 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4786 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4789 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4790 hci_sco_setup(conn, ev->status);
4793 hci_dev_unlock(hdev);
4796 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4797 struct sk_buff *skb)
4799 struct hci_ev_pin_code_req *ev = data;
4800 struct hci_conn *conn;
4802 bt_dev_dbg(hdev, "");
4806 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4810 if (conn->state == BT_CONNECTED) {
4811 hci_conn_hold(conn);
4812 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4813 hci_conn_drop(conn);
4816 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4817 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4818 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4819 sizeof(ev->bdaddr), &ev->bdaddr);
4820 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4823 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4828 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4832 hci_dev_unlock(hdev);
4835 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4837 if (key_type == HCI_LK_CHANGED_COMBINATION)
4840 conn->pin_length = pin_len;
4841 conn->key_type = key_type;
4844 case HCI_LK_LOCAL_UNIT:
4845 case HCI_LK_REMOTE_UNIT:
4846 case HCI_LK_DEBUG_COMBINATION:
4848 case HCI_LK_COMBINATION:
4850 conn->pending_sec_level = BT_SECURITY_HIGH;
4852 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4854 case HCI_LK_UNAUTH_COMBINATION_P192:
4855 case HCI_LK_UNAUTH_COMBINATION_P256:
4856 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4858 case HCI_LK_AUTH_COMBINATION_P192:
4859 conn->pending_sec_level = BT_SECURITY_HIGH;
4861 case HCI_LK_AUTH_COMBINATION_P256:
4862 conn->pending_sec_level = BT_SECURITY_FIPS;
4867 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4868 struct sk_buff *skb)
4870 struct hci_ev_link_key_req *ev = data;
4871 struct hci_cp_link_key_reply cp;
4872 struct hci_conn *conn;
4873 struct link_key *key;
4875 bt_dev_dbg(hdev, "");
4877 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4882 key = hci_find_link_key(hdev, &ev->bdaddr);
4884 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4888 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4890 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4892 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4894 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4895 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4896 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4897 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4901 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4902 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4903 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4904 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4908 conn_set_key(conn, key->type, key->pin_len);
4911 bacpy(&cp.bdaddr, &ev->bdaddr);
4912 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4914 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4916 hci_dev_unlock(hdev);
4921 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4922 hci_dev_unlock(hdev);
4925 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4926 struct sk_buff *skb)
4928 struct hci_ev_link_key_notify *ev = data;
4929 struct hci_conn *conn;
4930 struct link_key *key;
4934 bt_dev_dbg(hdev, "");
4938 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4942 hci_conn_hold(conn);
4943 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4944 hci_conn_drop(conn);
4946 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4947 conn_set_key(conn, ev->key_type, conn->pin_length);
4949 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4952 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4953 ev->key_type, pin_len, &persistent);
4957 /* Update connection information since adding the key will have
4958 * fixed up the type in the case of changed combination keys.
4960 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4961 conn_set_key(conn, key->type, key->pin_len);
4963 mgmt_new_link_key(hdev, key, persistent);
4965 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4966 * is set. If it's not set simply remove the key from the kernel
4967 * list (we've still notified user space about it but with
4968 * store_hint being 0).
4970 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4971 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4972 list_del_rcu(&key->list);
4973 kfree_rcu(key, rcu);
4978 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4980 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4983 hci_dev_unlock(hdev);
4986 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4987 struct sk_buff *skb)
4989 struct hci_ev_clock_offset *ev = data;
4990 struct hci_conn *conn;
4992 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4996 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4997 if (conn && !ev->status) {
4998 struct inquiry_entry *ie;
5000 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5002 ie->data.clock_offset = ev->clock_offset;
5003 ie->timestamp = jiffies;
5007 hci_dev_unlock(hdev);
5010 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
5011 struct sk_buff *skb)
5013 struct hci_ev_pkt_type_change *ev = data;
5014 struct hci_conn *conn;
5016 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5020 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5021 if (conn && !ev->status)
5022 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
5024 hci_dev_unlock(hdev);
5027 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
5028 struct sk_buff *skb)
5030 struct hci_ev_pscan_rep_mode *ev = data;
5031 struct inquiry_entry *ie;
5033 bt_dev_dbg(hdev, "");
5037 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5039 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
5040 ie->timestamp = jiffies;
5043 hci_dev_unlock(hdev);
5046 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
5047 struct sk_buff *skb)
5049 struct hci_ev_inquiry_result_rssi *ev = edata;
5050 struct inquiry_data data;
5053 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
5058 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5063 if (skb->len == array_size(ev->num,
5064 sizeof(struct inquiry_info_rssi_pscan))) {
5065 struct inquiry_info_rssi_pscan *info;
5067 for (i = 0; i < ev->num; i++) {
5070 info = hci_ev_skb_pull(hdev, skb,
5071 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5074 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5075 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5079 bacpy(&data.bdaddr, &info->bdaddr);
5080 data.pscan_rep_mode = info->pscan_rep_mode;
5081 data.pscan_period_mode = info->pscan_period_mode;
5082 data.pscan_mode = info->pscan_mode;
5083 memcpy(data.dev_class, info->dev_class, 3);
5084 data.clock_offset = info->clock_offset;
5085 data.rssi = info->rssi;
5086 data.ssp_mode = 0x00;
5088 flags = hci_inquiry_cache_update(hdev, &data, false);
5090 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5091 info->dev_class, info->rssi,
5092 flags, NULL, 0, NULL, 0, 0);
5094 } else if (skb->len == array_size(ev->num,
5095 sizeof(struct inquiry_info_rssi))) {
5096 struct inquiry_info_rssi *info;
5098 for (i = 0; i < ev->num; i++) {
5101 info = hci_ev_skb_pull(hdev, skb,
5102 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5105 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5106 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5110 bacpy(&data.bdaddr, &info->bdaddr);
5111 data.pscan_rep_mode = info->pscan_rep_mode;
5112 data.pscan_period_mode = info->pscan_period_mode;
5113 data.pscan_mode = 0x00;
5114 memcpy(data.dev_class, info->dev_class, 3);
5115 data.clock_offset = info->clock_offset;
5116 data.rssi = info->rssi;
5117 data.ssp_mode = 0x00;
5119 flags = hci_inquiry_cache_update(hdev, &data, false);
5121 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5122 info->dev_class, info->rssi,
5123 flags, NULL, 0, NULL, 0, 0);
5126 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5127 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5130 hci_dev_unlock(hdev);
5133 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5134 struct sk_buff *skb)
5136 struct hci_ev_remote_ext_features *ev = data;
5137 struct hci_conn *conn;
5139 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5143 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5147 if (ev->page < HCI_MAX_PAGES)
5148 memcpy(conn->features[ev->page], ev->features, 8);
5150 if (!ev->status && ev->page == 0x01) {
5151 struct inquiry_entry *ie;
5153 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5155 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5157 if (ev->features[0] & LMP_HOST_SSP) {
5158 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5160 /* It is mandatory by the Bluetooth specification that
5161 * Extended Inquiry Results are only used when Secure
5162 * Simple Pairing is enabled, but some devices violate
5165 * To make these devices work, the internal SSP
5166 * enabled flag needs to be cleared if the remote host
5167 * features do not indicate SSP support */
5168 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5171 if (ev->features[0] & LMP_HOST_SC)
5172 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5175 if (conn->state != BT_CONFIG)
5178 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5179 struct hci_cp_remote_name_req cp;
5180 memset(&cp, 0, sizeof(cp));
5181 bacpy(&cp.bdaddr, &conn->dst);
5182 cp.pscan_rep_mode = 0x02;
5183 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5184 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5185 mgmt_device_connected(hdev, conn, NULL, 0);
5187 if (!hci_outgoing_auth_needed(hdev, conn)) {
5188 conn->state = BT_CONNECTED;
5189 hci_connect_cfm(conn, ev->status);
5190 hci_conn_drop(conn);
5194 hci_dev_unlock(hdev);
5197 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5198 struct sk_buff *skb)
5200 struct hci_ev_sync_conn_complete *ev = data;
5201 struct hci_conn *conn;
5202 u8 status = ev->status;
5204 switch (ev->link_type) {
5209 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5210 * for HCI_Synchronous_Connection_Complete is limited to
5211 * either SCO or eSCO
5213 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5217 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5221 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5223 if (ev->link_type == ESCO_LINK)
5226 /* When the link type in the event indicates SCO connection
5227 * and lookup of the connection object fails, then check
5228 * if an eSCO connection object exists.
5230 * The core limits the synchronous connections to either
5231 * SCO or eSCO. The eSCO connection is preferred and tried
5232 * to be setup first and until successfully established,
5233 * the link type will be hinted as eSCO.
5235 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5240 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5241 * Processing it more than once per connection can corrupt kernel memory.
5243 * As the connection handle is set here for the first time, it indicates
5244 * whether the connection is already set up.
5246 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
5247 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5253 conn->handle = __le16_to_cpu(ev->handle);
5254 if (conn->handle > HCI_CONN_HANDLE_MAX) {
5255 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
5256 conn->handle, HCI_CONN_HANDLE_MAX);
5257 status = HCI_ERROR_INVALID_PARAMETERS;
5258 conn->state = BT_CLOSED;
5262 conn->state = BT_CONNECTED;
5263 conn->type = ev->link_type;
5265 hci_debugfs_create_conn(conn);
5266 hci_conn_add_sysfs(conn);
5269 case 0x10: /* Connection Accept Timeout */
5270 case 0x0d: /* Connection Rejected due to Limited Resources */
5271 case 0x11: /* Unsupported Feature or Parameter Value */
5272 case 0x1c: /* SCO interval rejected */
5273 case 0x1a: /* Unsupported Remote Feature */
5274 case 0x1e: /* Invalid LMP Parameters */
5275 case 0x1f: /* Unspecified error */
5276 case 0x20: /* Unsupported LMP Parameter value */
5278 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5279 (hdev->esco_type & EDR_ESCO_MASK);
5280 if (hci_setup_sync(conn, conn->link->handle))
5286 conn->state = BT_CLOSED;
5290 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5291 /* Notify only in case of SCO over HCI transport data path which
5292 * is zero and non-zero value shall be non-HCI transport data path
5294 if (conn->codec.data_path == 0 && hdev->notify) {
5295 switch (ev->air_mode) {
5297 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5300 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5305 hci_connect_cfm(conn, status);
5310 hci_dev_unlock(hdev);
5313 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5317 while (parsed < eir_len) {
5318 u8 field_len = eir[0];
5323 parsed += field_len + 1;
5324 eir += field_len + 1;
5330 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5331 struct sk_buff *skb)
5333 struct hci_ev_ext_inquiry_result *ev = edata;
5334 struct inquiry_data data;
5338 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5339 flex_array_size(ev, info, ev->num)))
5342 bt_dev_dbg(hdev, "num %d", ev->num);
5347 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5352 for (i = 0; i < ev->num; i++) {
5353 struct extended_inquiry_info *info = &ev->info[i];
5357 bacpy(&data.bdaddr, &info->bdaddr);
5358 data.pscan_rep_mode = info->pscan_rep_mode;
5359 data.pscan_period_mode = info->pscan_period_mode;
5360 data.pscan_mode = 0x00;
5361 memcpy(data.dev_class, info->dev_class, 3);
5362 data.clock_offset = info->clock_offset;
5363 data.rssi = info->rssi;
5364 data.ssp_mode = 0x01;
5366 if (hci_dev_test_flag(hdev, HCI_MGMT))
5367 name_known = eir_get_data(info->data,
5369 EIR_NAME_COMPLETE, NULL);
5373 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5375 eir_len = eir_get_length(info->data, sizeof(info->data));
5377 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5378 info->dev_class, info->rssi,
5379 flags, info->data, eir_len, NULL, 0, 0);
5382 hci_dev_unlock(hdev);
5385 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5386 struct sk_buff *skb)
5388 struct hci_ev_key_refresh_complete *ev = data;
5389 struct hci_conn *conn;
5391 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5392 __le16_to_cpu(ev->handle));
5396 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5400 /* For BR/EDR the necessary steps are taken through the
5401 * auth_complete event.
5403 if (conn->type != LE_LINK)
5407 conn->sec_level = conn->pending_sec_level;
5409 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5411 if (ev->status && conn->state == BT_CONNECTED) {
5412 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5413 hci_conn_drop(conn);
5417 if (conn->state == BT_CONFIG) {
5419 conn->state = BT_CONNECTED;
5421 hci_connect_cfm(conn, ev->status);
5422 hci_conn_drop(conn);
5424 hci_auth_cfm(conn, ev->status);
5426 hci_conn_hold(conn);
5427 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5428 hci_conn_drop(conn);
5432 hci_dev_unlock(hdev);
5435 static u8 hci_get_auth_req(struct hci_conn *conn)
5438 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
5439 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5440 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5441 return HCI_AT_GENERAL_BONDING_MITM;
5445 /* If remote requests no-bonding follow that lead */
5446 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5447 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5448 return conn->remote_auth | (conn->auth_type & 0x01);
5450 /* If both remote and local have enough IO capabilities, require
5453 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5454 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5455 return conn->remote_auth | 0x01;
5457 /* No MITM protection possible so ignore remote requirement */
5458 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5461 static u8 bredr_oob_data_present(struct hci_conn *conn)
5463 struct hci_dev *hdev = conn->hdev;
5464 struct oob_data *data;
5466 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5470 if (bredr_sc_enabled(hdev)) {
5471 /* When Secure Connections is enabled, then just
5472 * return the present value stored with the OOB
5473 * data. The stored value contains the right present
5474 * information. However it can only be trusted when
5475 * not in Secure Connection Only mode.
5477 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5478 return data->present;
5480 /* When Secure Connections Only mode is enabled, then
5481 * the P-256 values are required. If they are not
5482 * available, then do not declare that OOB data is
5485 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
5486 !memcmp(data->hash256, ZERO_KEY, 16))
5492 /* When Secure Connections is not enabled or actually
5493 * not supported by the hardware, then check that if
5494 * P-192 data values are present.
5496 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
5497 !memcmp(data->hash192, ZERO_KEY, 16))
5503 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5504 struct sk_buff *skb)
5506 struct hci_ev_io_capa_request *ev = data;
5507 struct hci_conn *conn;
5509 bt_dev_dbg(hdev, "");
5513 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5517 hci_conn_hold(conn);
5519 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5522 /* Allow pairing if we're pairable, the initiators of the
5523 * pairing or if the remote is not requesting bonding.
5525 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5526 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5527 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5528 struct hci_cp_io_capability_reply cp;
5530 bacpy(&cp.bdaddr, &ev->bdaddr);
5531 /* Change the IO capability from KeyboardDisplay
5532 * to DisplayYesNo as it is not supported by BT spec. */
5533 cp.capability = (conn->io_capability == 0x04) ?
5534 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5536 /* If we are initiators, there is no remote information yet */
5537 if (conn->remote_auth == 0xff) {
5538 /* Request MITM protection if our IO caps allow it
5539 * except for the no-bonding case.
5541 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5542 conn->auth_type != HCI_AT_NO_BONDING)
5543 conn->auth_type |= 0x01;
5545 conn->auth_type = hci_get_auth_req(conn);
5548 /* If we're not bondable, force one of the non-bondable
5549 * authentication requirement values.
5551 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5552 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5554 cp.authentication = conn->auth_type;
5555 cp.oob_data = bredr_oob_data_present(conn);
5557 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5560 struct hci_cp_io_capability_neg_reply cp;
5562 bacpy(&cp.bdaddr, &ev->bdaddr);
5563 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5565 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5570 hci_dev_unlock(hdev);
5573 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5574 struct sk_buff *skb)
5576 struct hci_ev_io_capa_reply *ev = data;
5577 struct hci_conn *conn;
5579 bt_dev_dbg(hdev, "");
5583 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5587 conn->remote_cap = ev->capability;
5588 conn->remote_auth = ev->authentication;
5591 hci_dev_unlock(hdev);
5594 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5595 struct sk_buff *skb)
5597 struct hci_ev_user_confirm_req *ev = data;
5598 int loc_mitm, rem_mitm, confirm_hint = 0;
5599 struct hci_conn *conn;
5601 bt_dev_dbg(hdev, "");
5605 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5608 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5612 loc_mitm = (conn->auth_type & 0x01);
5613 rem_mitm = (conn->remote_auth & 0x01);
5615 /* If we require MITM but the remote device can't provide that
5616 * (it has NoInputNoOutput) then reject the confirmation
5617 * request. We check the security level here since it doesn't
5618 * necessarily match conn->auth_type.
5620 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5621 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5622 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5623 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5624 sizeof(ev->bdaddr), &ev->bdaddr);
5628 /* If no side requires MITM protection; auto-accept */
5629 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5630 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5632 /* If we're not the initiators request authorization to
5633 * proceed from user space (mgmt_user_confirm with
5634 * confirm_hint set to 1). The exception is if neither
5635 * side had MITM or if the local IO capability is
5636 * NoInputNoOutput, in which case we do auto-accept
5638 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5639 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5640 (loc_mitm || rem_mitm)) {
5641 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5646 /* If there already exists link key in local host, leave the
5647 * decision to user space since the remote device could be
5648 * legitimate or malicious.
5650 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5651 bt_dev_dbg(hdev, "Local host already has link key");
5656 BT_DBG("Auto-accept of user confirmation with %ums delay",
5657 hdev->auto_accept_delay);
5659 if (hdev->auto_accept_delay > 0) {
5660 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5661 queue_delayed_work(conn->hdev->workqueue,
5662 &conn->auto_accept_work, delay);
5666 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5667 sizeof(ev->bdaddr), &ev->bdaddr);
5672 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5673 le32_to_cpu(ev->passkey), confirm_hint);
5676 hci_dev_unlock(hdev);
5679 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5680 struct sk_buff *skb)
5682 struct hci_ev_user_passkey_req *ev = data;
5684 bt_dev_dbg(hdev, "");
5686 if (hci_dev_test_flag(hdev, HCI_MGMT))
5687 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5690 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5691 struct sk_buff *skb)
5693 struct hci_ev_user_passkey_notify *ev = data;
5694 struct hci_conn *conn;
5696 bt_dev_dbg(hdev, "");
5698 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5702 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5703 conn->passkey_entered = 0;
5705 if (hci_dev_test_flag(hdev, HCI_MGMT))
5706 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5707 conn->dst_type, conn->passkey_notify,
5708 conn->passkey_entered);
5711 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5712 struct sk_buff *skb)
5714 struct hci_ev_keypress_notify *ev = data;
5715 struct hci_conn *conn;
5717 bt_dev_dbg(hdev, "");
5719 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5724 case HCI_KEYPRESS_STARTED:
5725 conn->passkey_entered = 0;
5728 case HCI_KEYPRESS_ENTERED:
5729 conn->passkey_entered++;
5732 case HCI_KEYPRESS_ERASED:
5733 conn->passkey_entered--;
5736 case HCI_KEYPRESS_CLEARED:
5737 conn->passkey_entered = 0;
5740 case HCI_KEYPRESS_COMPLETED:
5744 if (hci_dev_test_flag(hdev, HCI_MGMT))
5745 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5746 conn->dst_type, conn->passkey_notify,
5747 conn->passkey_entered);
5750 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5751 struct sk_buff *skb)
5753 struct hci_ev_simple_pair_complete *ev = data;
5754 struct hci_conn *conn;
5756 bt_dev_dbg(hdev, "");
5760 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5764 /* Reset the authentication requirement to unknown */
5765 conn->remote_auth = 0xff;
5767 /* To avoid duplicate auth_failed events to user space we check
5768 * the HCI_CONN_AUTH_PEND flag which will be set if we
5769 * initiated the authentication. A traditional auth_complete
5770 * event gets always produced as initiator and is also mapped to
5771 * the mgmt_auth_failed event */
5772 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5773 mgmt_auth_failed(conn, ev->status);
5775 hci_conn_drop(conn);
5778 hci_dev_unlock(hdev);
5781 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5782 struct sk_buff *skb)
5784 struct hci_ev_remote_host_features *ev = data;
5785 struct inquiry_entry *ie;
5786 struct hci_conn *conn;
5788 bt_dev_dbg(hdev, "");
5792 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5794 memcpy(conn->features[1], ev->features, 8);
5796 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5798 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5800 hci_dev_unlock(hdev);
5803 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5804 struct sk_buff *skb)
5806 struct hci_ev_remote_oob_data_request *ev = edata;
5807 struct oob_data *data;
5809 bt_dev_dbg(hdev, "");
5813 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5816 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5818 struct hci_cp_remote_oob_data_neg_reply cp;
5820 bacpy(&cp.bdaddr, &ev->bdaddr);
5821 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5826 if (bredr_sc_enabled(hdev)) {
5827 struct hci_cp_remote_oob_ext_data_reply cp;
5829 bacpy(&cp.bdaddr, &ev->bdaddr);
5830 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5831 memset(cp.hash192, 0, sizeof(cp.hash192));
5832 memset(cp.rand192, 0, sizeof(cp.rand192));
5834 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5835 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5837 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5838 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5840 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5843 struct hci_cp_remote_oob_data_reply cp;
5845 bacpy(&cp.bdaddr, &ev->bdaddr);
5846 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5847 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5849 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5854 hci_dev_unlock(hdev);
5857 #if IS_ENABLED(CONFIG_BT_HS)
5858 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5859 struct sk_buff *skb)
5861 struct hci_ev_channel_selected *ev = data;
5862 struct hci_conn *hcon;
5864 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5866 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5870 amp_read_loc_assoc_final_data(hdev, hcon);
5873 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5874 struct sk_buff *skb)
5876 struct hci_ev_phy_link_complete *ev = data;
5877 struct hci_conn *hcon, *bredr_hcon;
5879 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5884 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5896 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5898 hcon->state = BT_CONNECTED;
5899 bacpy(&hcon->dst, &bredr_hcon->dst);
5901 hci_conn_hold(hcon);
5902 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5903 hci_conn_drop(hcon);
5905 hci_debugfs_create_conn(hcon);
5906 hci_conn_add_sysfs(hcon);
5908 amp_physical_cfm(bredr_hcon, hcon);
5911 hci_dev_unlock(hdev);
5914 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5915 struct sk_buff *skb)
5917 struct hci_ev_logical_link_complete *ev = data;
5918 struct hci_conn *hcon;
5919 struct hci_chan *hchan;
5920 struct amp_mgr *mgr;
5922 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5923 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5925 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5929 /* Create AMP hchan */
5930 hchan = hci_chan_create(hcon);
5934 hchan->handle = le16_to_cpu(ev->handle);
5937 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5939 mgr = hcon->amp_mgr;
5940 if (mgr && mgr->bredr_chan) {
5941 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5943 l2cap_chan_lock(bredr_chan);
5945 bredr_chan->conn->mtu = hdev->block_mtu;
5946 l2cap_logical_cfm(bredr_chan, hchan, 0);
5947 hci_conn_hold(hcon);
5949 l2cap_chan_unlock(bredr_chan);
5953 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5954 struct sk_buff *skb)
5956 struct hci_ev_disconn_logical_link_complete *ev = data;
5957 struct hci_chan *hchan;
5959 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5960 le16_to_cpu(ev->handle), ev->status);
5967 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5968 if (!hchan || !hchan->amp)
5971 amp_destroy_logical_link(hchan, ev->reason);
5974 hci_dev_unlock(hdev);
5977 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5978 struct sk_buff *skb)
5980 struct hci_ev_disconn_phy_link_complete *ev = data;
5981 struct hci_conn *hcon;
5983 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5990 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5991 if (hcon && hcon->type == AMP_LINK) {
5992 hcon->state = BT_CLOSED;
5993 hci_disconn_cfm(hcon, ev->reason);
5997 hci_dev_unlock(hdev);
6001 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
6002 u8 bdaddr_type, bdaddr_t *local_rpa)
6005 conn->dst_type = bdaddr_type;
6006 conn->resp_addr_type = bdaddr_type;
6007 bacpy(&conn->resp_addr, bdaddr);
6009 /* Check if the controller has set a Local RPA then it must be
6010 * used instead or hdev->rpa.
6012 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6013 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6014 bacpy(&conn->init_addr, local_rpa);
6015 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
6016 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6017 bacpy(&conn->init_addr, &conn->hdev->rpa);
6019 hci_copy_identity_address(conn->hdev, &conn->init_addr,
6020 &conn->init_addr_type);
6023 conn->resp_addr_type = conn->hdev->adv_addr_type;
6024 /* Check if the controller has set a Local RPA then it must be
6025 * used instead or hdev->rpa.
6027 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6028 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
6029 bacpy(&conn->resp_addr, local_rpa);
6030 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
6031 /* In case of ext adv, resp_addr will be updated in
6032 * Adv Terminated event.
6034 if (!ext_adv_capable(conn->hdev))
6035 bacpy(&conn->resp_addr,
6036 &conn->hdev->random_addr);
6038 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
6041 conn->init_addr_type = bdaddr_type;
6042 bacpy(&conn->init_addr, bdaddr);
6044 /* For incoming connections, set the default minimum
6045 * and maximum connection interval. They will be used
6046 * to check if the parameters are in range and if not
6047 * trigger the connection update procedure.
6049 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
6050 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
6054 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
6055 bdaddr_t *bdaddr, u8 bdaddr_type,
6056 bdaddr_t *local_rpa, u8 role, u16 handle,
6057 u16 interval, u16 latency,
6058 u16 supervision_timeout)
6060 struct hci_conn_params *params;
6061 struct hci_conn *conn;
6062 struct smp_irk *irk;
6067 /* All controllers implicitly stop advertising in the event of a
6068 * connection, so ensure that the state bit is cleared.
6070 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6072 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
6074 /* In case of error status and there is no connection pending
6075 * just unlock as there is nothing to cleanup.
6080 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
6082 bt_dev_err(hdev, "no memory for new connection");
6086 conn->dst_type = bdaddr_type;
6088 /* If we didn't have a hci_conn object previously
6089 * but we're in central role this must be something
6090 * initiated using an accept list. Since accept list based
6091 * connections are not "first class citizens" we don't
6092 * have full tracking of them. Therefore, we go ahead
6093 * with a "best effort" approach of determining the
6094 * initiator address based on the HCI_PRIVACY flag.
6097 conn->resp_addr_type = bdaddr_type;
6098 bacpy(&conn->resp_addr, bdaddr);
6099 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6100 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6101 bacpy(&conn->init_addr, &hdev->rpa);
6103 hci_copy_identity_address(hdev,
6105 &conn->init_addr_type);
6110 /* LE auto connect */
6111 bacpy(&conn->dst, bdaddr);
6113 cancel_delayed_work(&conn->le_conn_timeout);
6116 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6117 * Processing it more than once per connection can corrupt kernel memory.
6119 * As the connection handle is set here for the first time, it indicates
6120 * whether the connection is already set up.
6122 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
6123 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6127 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6129 /* Lookup the identity address from the stored connection
6130 * address and address type.
6132 * When establishing connections to an identity address, the
6133 * connection procedure will store the resolvable random
6134 * address first. Now if it can be converted back into the
6135 * identity address, start using the identity address from
6138 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6140 bacpy(&conn->dst, &irk->bdaddr);
6141 conn->dst_type = irk->addr_type;
6144 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6146 if (handle > HCI_CONN_HANDLE_MAX) {
6147 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", handle,
6148 HCI_CONN_HANDLE_MAX);
6149 status = HCI_ERROR_INVALID_PARAMETERS;
6152 /* All connection failure handling is taken care of by the
6153 * hci_conn_failed function which is triggered by the HCI
6154 * request completion callbacks used for connecting.
6159 /* Drop the connection if it has been aborted */
6160 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6161 hci_conn_drop(conn);
6165 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6166 addr_type = BDADDR_LE_PUBLIC;
6168 addr_type = BDADDR_LE_RANDOM;
6170 /* Drop the connection if the device is blocked */
6171 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6172 hci_conn_drop(conn);
6176 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6177 mgmt_device_connected(hdev, conn, NULL, 0);
6179 conn->sec_level = BT_SECURITY_LOW;
6180 conn->handle = handle;
6181 conn->state = BT_CONFIG;
6183 /* Store current advertising instance as connection advertising instance
6184 * when sotfware rotation is in use so it can be re-enabled when
6187 if (!ext_adv_capable(hdev))
6188 conn->adv_instance = hdev->cur_adv_instance;
6190 conn->le_conn_interval = interval;
6191 conn->le_conn_latency = latency;
6192 conn->le_supv_timeout = supervision_timeout;
6194 hci_debugfs_create_conn(conn);
6195 hci_conn_add_sysfs(conn);
6197 /* The remote features procedure is defined for central
6198 * role only. So only in case of an initiated connection
6199 * request the remote features.
6201 * If the local controller supports peripheral-initiated features
6202 * exchange, then requesting the remote features in peripheral
6203 * role is possible. Otherwise just transition into the
6204 * connected state without requesting the remote features.
6207 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6208 struct hci_cp_le_read_remote_features cp;
6210 cp.handle = __cpu_to_le16(conn->handle);
6212 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6215 hci_conn_hold(conn);
6217 conn->state = BT_CONNECTED;
6218 hci_connect_cfm(conn, status);
6221 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6224 list_del_init(¶ms->action);
6226 hci_conn_drop(params->conn);
6227 hci_conn_put(params->conn);
6228 params->conn = NULL;
6233 hci_update_passive_scan(hdev);
6234 hci_dev_unlock(hdev);
6237 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6238 struct sk_buff *skb)
6240 struct hci_ev_le_conn_complete *ev = data;
6242 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6244 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6245 NULL, ev->role, le16_to_cpu(ev->handle),
6246 le16_to_cpu(ev->interval),
6247 le16_to_cpu(ev->latency),
6248 le16_to_cpu(ev->supervision_timeout));
6251 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6252 struct sk_buff *skb)
6254 struct hci_ev_le_enh_conn_complete *ev = data;
6256 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6258 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6259 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6260 le16_to_cpu(ev->interval),
6261 le16_to_cpu(ev->latency),
6262 le16_to_cpu(ev->supervision_timeout));
6265 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6266 struct sk_buff *skb)
6268 struct hci_evt_le_ext_adv_set_term *ev = data;
6269 struct hci_conn *conn;
6270 struct adv_info *adv, *n;
6272 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6274 /* The Bluetooth Core 5.3 specification clearly states that this event
6275 * shall not be sent when the Host disables the advertising set. So in
6276 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6278 * When the Host disables an advertising set, all cleanup is done via
6279 * its command callback and not needed to be duplicated here.
6281 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6282 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6288 adv = hci_find_adv_instance(hdev, ev->handle);
6294 /* Remove advertising as it has been terminated */
6295 hci_remove_adv_instance(hdev, ev->handle);
6296 mgmt_advertising_removed(NULL, hdev, ev->handle);
6298 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6303 /* We are no longer advertising, clear HCI_LE_ADV */
6304 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6309 adv->enabled = false;
6311 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6313 /* Store handle in the connection so the correct advertising
6314 * instance can be re-enabled when disconnected.
6316 conn->adv_instance = ev->handle;
6318 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6319 bacmp(&conn->resp_addr, BDADDR_ANY))
6323 bacpy(&conn->resp_addr, &hdev->random_addr);
6328 bacpy(&conn->resp_addr, &adv->random_addr);
6332 hci_dev_unlock(hdev);
6335 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6336 struct sk_buff *skb)
6338 struct hci_ev_le_conn_update_complete *ev = data;
6339 struct hci_conn *conn;
6341 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6348 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6352 hci_dev_unlock(hdev);
6353 mgmt_le_conn_update_failed(hdev, &conn->dst,
6354 conn->type, conn->dst_type, ev->status);
6358 conn->le_conn_interval = le16_to_cpu(ev->interval);
6359 conn->le_conn_latency = le16_to_cpu(ev->latency);
6360 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6363 hci_dev_unlock(hdev);
6366 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6367 conn->dst_type, conn->le_conn_interval,
6368 conn->le_conn_latency, conn->le_supv_timeout);
6372 /* This function requires the caller holds hdev->lock */
6373 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6375 u8 addr_type, bool addr_resolved,
6378 struct hci_conn *conn;
6379 struct hci_conn_params *params;
6381 /* If the event is not connectable don't proceed further */
6382 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6385 /* Ignore if the device is blocked or hdev is suspended */
6386 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6390 /* Most controller will fail if we try to create new connections
6391 * while we have an existing one in peripheral role.
6393 if (hdev->conn_hash.le_num_peripheral > 0 &&
6394 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6395 !(hdev->le_states[3] & 0x10)))
6398 /* If we're not connectable only connect devices that we have in
6399 * our pend_le_conns list.
6401 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6406 if (!params->explicit_connect) {
6407 switch (params->auto_connect) {
6408 case HCI_AUTO_CONN_DIRECT:
6409 /* Only devices advertising with ADV_DIRECT_IND are
6410 * triggering a connection attempt. This is allowing
6411 * incoming connections from peripheral devices.
6413 if (adv_type != LE_ADV_DIRECT_IND)
6416 case HCI_AUTO_CONN_ALWAYS:
6417 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6418 * are triggering a connection attempt. This means
6419 * that incoming connections from peripheral device are
6420 * accepted and also outgoing connections to peripheral
6421 * devices are established when found.
6429 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6430 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6432 if (!IS_ERR(conn)) {
6433 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6434 * by higher layer that tried to connect, if no then
6435 * store the pointer since we don't really have any
6436 * other owner of the object besides the params that
6437 * triggered it. This way we can abort the connection if
6438 * the parameters get removed and keep the reference
6439 * count consistent once the connection is established.
6442 if (!params->explicit_connect)
6443 params->conn = hci_conn_get(conn);
6448 switch (PTR_ERR(conn)) {
6450 /* If hci_connect() returns -EBUSY it means there is already
6451 * an LE connection attempt going on. Since controllers don't
6452 * support more than one connection attempt at the time, we
6453 * don't consider this an error case.
6457 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6464 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6465 u8 bdaddr_type, bdaddr_t *direct_addr,
6466 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6467 bool ext_adv, bool ctl_time, u64 instant)
6469 struct discovery_state *d = &hdev->discovery;
6470 struct smp_irk *irk;
6471 struct hci_conn *conn;
6472 bool match, bdaddr_resolved;
6478 case LE_ADV_DIRECT_IND:
6479 case LE_ADV_SCAN_IND:
6480 case LE_ADV_NONCONN_IND:
6481 case LE_ADV_SCAN_RSP:
6484 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6485 "type: 0x%02x", type);
6489 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
6490 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
6494 /* Find the end of the data in case the report contains padded zero
6495 * bytes at the end causing an invalid length value.
6497 * When data is NULL, len is 0 so there is no need for extra ptr
6498 * check as 'ptr < data + 0' is already false in such case.
6500 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6501 if (ptr + 1 + *ptr > data + len)
6505 /* Adjust for actual length. This handles the case when remote
6506 * device is advertising with incorrect data length.
6510 /* If the direct address is present, then this report is from
6511 * a LE Direct Advertising Report event. In that case it is
6512 * important to see if the address is matching the local
6513 * controller address.
6515 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6516 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6519 /* Only resolvable random addresses are valid for these
6520 * kind of reports and others can be ignored.
6522 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6525 /* If the controller is not using resolvable random
6526 * addresses, then this report can be ignored.
6528 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6531 /* If the local IRK of the controller does not match
6532 * with the resolvable random address provided, then
6533 * this report can be ignored.
6535 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6539 /* Check if we need to convert to identity address */
6540 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6542 bdaddr = &irk->bdaddr;
6543 bdaddr_type = irk->addr_type;
6546 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6548 /* Check if we have been requested to connect to this device.
6550 * direct_addr is set only for directed advertising reports (it is NULL
6551 * for advertising reports) and is already verified to be RPA above.
6553 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6555 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
6556 /* Store report for later inclusion by
6557 * mgmt_device_connected
6559 memcpy(conn->le_adv_data, data, len);
6560 conn->le_adv_data_len = len;
6563 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6564 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6568 /* All scan results should be sent up for Mesh systems */
6569 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6570 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6571 rssi, flags, data, len, NULL, 0, instant);
6575 /* Passive scanning shouldn't trigger any device found events,
6576 * except for devices marked as CONN_REPORT for which we do send
6577 * device found events, or advertisement monitoring requested.
6579 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6580 if (type == LE_ADV_DIRECT_IND)
6584 /* Handle all adv packet in platform */
6585 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6586 bdaddr, bdaddr_type) &&
6587 idr_is_empty(&hdev->adv_monitors_idr))
6592 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6593 rssi, flags, data, len, NULL, 0, type);
6595 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6596 rssi, flags, data, len, NULL, 0, 0);
6601 /* When receiving a scan response, then there is no way to
6602 * know if the remote device is connectable or not. However
6603 * since scan responses are merged with a previously seen
6604 * advertising report, the flags field from that report
6607 * In the unlikely case that a controller just sends a scan
6608 * response event that doesn't match the pending report, then
6609 * it is marked as a standalone SCAN_RSP.
6611 if (type == LE_ADV_SCAN_RSP)
6612 flags = MGMT_DEV_FOUND_SCAN_RSP;
6615 /* Disable adv ind and scan rsp merging */
6616 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6617 rssi, flags, data, len, NULL, 0, type);
6619 /* If there's nothing pending either store the data from this
6620 * event or send an immediate device found event if the data
6621 * should not be stored for later.
6623 if (!ext_adv && !has_pending_adv_report(hdev)) {
6624 /* If the report will trigger a SCAN_REQ store it for
6627 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6628 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6629 rssi, flags, data, len);
6633 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6634 rssi, flags, data, len, NULL, 0, 0);
6638 /* Check if the pending report is for the same device as the new one */
6639 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6640 bdaddr_type == d->last_adv_addr_type);
6642 /* If the pending data doesn't match this report or this isn't a
6643 * scan response (e.g. we got a duplicate ADV_IND) then force
6644 * sending of the pending data.
6646 if (type != LE_ADV_SCAN_RSP || !match) {
6647 /* Send out whatever is in the cache, but skip duplicates */
6649 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6650 d->last_adv_addr_type, NULL,
6651 d->last_adv_rssi, d->last_adv_flags,
6653 d->last_adv_data_len, NULL, 0, 0);
6655 /* If the new report will trigger a SCAN_REQ store it for
6658 if (!ext_adv && (type == LE_ADV_IND ||
6659 type == LE_ADV_SCAN_IND)) {
6660 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6661 rssi, flags, data, len);
6665 /* The advertising reports cannot be merged, so clear
6666 * the pending report and send out a device found event.
6668 clear_pending_adv_report(hdev);
6669 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6670 rssi, flags, data, len, NULL, 0, 0);
6674 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6675 * the new event is a SCAN_RSP. We can therefore proceed with
6676 * sending a merged device found event.
6678 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6679 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6680 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6681 clear_pending_adv_report(hdev);
6685 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6686 struct sk_buff *skb)
6688 struct hci_ev_le_advertising_report *ev = data;
6689 u64 instant = jiffies;
6697 struct hci_ev_le_advertising_info *info;
6700 info = hci_le_ev_skb_pull(hdev, skb,
6701 HCI_EV_LE_ADVERTISING_REPORT,
6706 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6710 if (info->length <= HCI_MAX_AD_LENGTH) {
6711 rssi = info->data[info->length];
6712 process_adv_report(hdev, info->type, &info->bdaddr,
6713 info->bdaddr_type, NULL, 0, rssi,
6714 info->data, info->length, false,
6717 bt_dev_err(hdev, "Dropping invalid advertising data");
6721 hci_dev_unlock(hdev);
6724 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6726 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6728 case LE_LEGACY_ADV_IND:
6730 case LE_LEGACY_ADV_DIRECT_IND:
6731 return LE_ADV_DIRECT_IND;
6732 case LE_LEGACY_ADV_SCAN_IND:
6733 return LE_ADV_SCAN_IND;
6734 case LE_LEGACY_NONCONN_IND:
6735 return LE_ADV_NONCONN_IND;
6736 case LE_LEGACY_SCAN_RSP_ADV:
6737 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6738 return LE_ADV_SCAN_RSP;
6744 if (evt_type & LE_EXT_ADV_CONN_IND) {
6745 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6746 return LE_ADV_DIRECT_IND;
6751 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6752 return LE_ADV_SCAN_RSP;
6754 if (evt_type & LE_EXT_ADV_SCAN_IND)
6755 return LE_ADV_SCAN_IND;
6757 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6758 evt_type & LE_EXT_ADV_DIRECT_IND)
6759 return LE_ADV_NONCONN_IND;
6762 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6765 return LE_ADV_INVALID;
6768 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6769 struct sk_buff *skb)
6771 struct hci_ev_le_ext_adv_report *ev = data;
6772 u64 instant = jiffies;
6780 struct hci_ev_le_ext_adv_info *info;
6784 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6789 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6793 evt_type = __le16_to_cpu(info->type);
6794 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6795 if (legacy_evt_type != LE_ADV_INVALID) {
6796 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6797 info->bdaddr_type, NULL, 0,
6798 info->rssi, info->data, info->length,
6799 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6804 hci_dev_unlock(hdev);
6807 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6809 struct hci_cp_le_pa_term_sync cp;
6811 memset(&cp, 0, sizeof(cp));
6814 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6817 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6818 struct sk_buff *skb)
6820 struct hci_ev_le_pa_sync_established *ev = data;
6821 int mask = hdev->link_mode;
6824 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6831 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6833 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6834 if (!(mask & HCI_LM_ACCEPT))
6835 hci_le_pa_term_sync(hdev, ev->handle);
6837 hci_dev_unlock(hdev);
6840 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6841 struct sk_buff *skb)
6843 struct hci_ev_le_remote_feat_complete *ev = data;
6844 struct hci_conn *conn;
6846 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6850 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6853 memcpy(conn->features[0], ev->features, 8);
6855 if (conn->state == BT_CONFIG) {
6858 /* If the local controller supports peripheral-initiated
6859 * features exchange, but the remote controller does
6860 * not, then it is possible that the error code 0x1a
6861 * for unsupported remote feature gets returned.
6863 * In this specific case, allow the connection to
6864 * transition into connected state and mark it as
6867 if (!conn->out && ev->status == 0x1a &&
6868 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6871 status = ev->status;
6873 conn->state = BT_CONNECTED;
6874 hci_connect_cfm(conn, status);
6875 hci_conn_drop(conn);
6879 hci_dev_unlock(hdev);
6882 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6883 struct sk_buff *skb)
6885 struct hci_ev_le_ltk_req *ev = data;
6886 struct hci_cp_le_ltk_reply cp;
6887 struct hci_cp_le_ltk_neg_reply neg;
6888 struct hci_conn *conn;
6889 struct smp_ltk *ltk;
6891 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6895 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6899 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6903 if (smp_ltk_is_sc(ltk)) {
6904 /* With SC both EDiv and Rand are set to zero */
6905 if (ev->ediv || ev->rand)
6908 /* For non-SC keys check that EDiv and Rand match */
6909 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6913 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6914 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6915 cp.handle = cpu_to_le16(conn->handle);
6917 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6919 conn->enc_key_size = ltk->enc_size;
6921 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6923 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6924 * temporary key used to encrypt a connection following
6925 * pairing. It is used during the Encrypted Session Setup to
6926 * distribute the keys. Later, security can be re-established
6927 * using a distributed LTK.
6929 if (ltk->type == SMP_STK) {
6930 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6931 list_del_rcu(<k->list);
6932 kfree_rcu(ltk, rcu);
6934 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6937 hci_dev_unlock(hdev);
6942 neg.handle = ev->handle;
6943 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6944 hci_dev_unlock(hdev);
6947 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6950 struct hci_cp_le_conn_param_req_neg_reply cp;
6952 cp.handle = cpu_to_le16(handle);
6955 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6959 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6960 struct sk_buff *skb)
6962 struct hci_ev_le_remote_conn_param_req *ev = data;
6963 struct hci_cp_le_conn_param_req_reply cp;
6964 struct hci_conn *hcon;
6965 u16 handle, min, max, latency, timeout;
6967 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6969 handle = le16_to_cpu(ev->handle);
6970 min = le16_to_cpu(ev->interval_min);
6971 max = le16_to_cpu(ev->interval_max);
6972 latency = le16_to_cpu(ev->latency);
6973 timeout = le16_to_cpu(ev->timeout);
6975 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6976 if (!hcon || hcon->state != BT_CONNECTED)
6977 return send_conn_param_neg_reply(hdev, handle,
6978 HCI_ERROR_UNKNOWN_CONN_ID);
6980 if (hci_check_conn_params(min, max, latency, timeout))
6981 return send_conn_param_neg_reply(hdev, handle,
6982 HCI_ERROR_INVALID_LL_PARAMS);
6984 if (hcon->role == HCI_ROLE_MASTER) {
6985 struct hci_conn_params *params;
6990 params = hci_conn_params_lookup(hdev, &hcon->dst,
6993 params->conn_min_interval = min;
6994 params->conn_max_interval = max;
6995 params->conn_latency = latency;
6996 params->supervision_timeout = timeout;
7002 hci_dev_unlock(hdev);
7004 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
7005 store_hint, min, max, latency, timeout);
7008 cp.handle = ev->handle;
7009 cp.interval_min = ev->interval_min;
7010 cp.interval_max = ev->interval_max;
7011 cp.latency = ev->latency;
7012 cp.timeout = ev->timeout;
7016 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
7019 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
7020 struct sk_buff *skb)
7022 struct hci_ev_le_direct_adv_report *ev = data;
7023 u64 instant = jiffies;
7026 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
7027 flex_array_size(ev, info, ev->num)))
7035 for (i = 0; i < ev->num; i++) {
7036 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
7038 process_adv_report(hdev, info->type, &info->bdaddr,
7039 info->bdaddr_type, &info->direct_addr,
7040 info->direct_addr_type, info->rssi, NULL, 0,
7041 false, false, instant);
7044 hci_dev_unlock(hdev);
7047 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
7048 struct sk_buff *skb)
7050 struct hci_ev_le_phy_update_complete *ev = data;
7051 struct hci_conn *conn;
7053 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7060 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7064 conn->le_tx_phy = ev->tx_phy;
7065 conn->le_rx_phy = ev->rx_phy;
7068 hci_dev_unlock(hdev);
7071 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7072 struct sk_buff *skb)
7074 struct hci_evt_le_cis_established *ev = data;
7075 struct hci_conn *conn;
7076 u16 handle = __le16_to_cpu(ev->handle);
7078 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7082 conn = hci_conn_hash_lookup_handle(hdev, handle);
7085 "Unable to find connection with handle 0x%4.4x",
7090 if (conn->type != ISO_LINK) {
7092 "Invalid connection link type handle 0x%4.4x",
7097 if (conn->role == HCI_ROLE_SLAVE) {
7100 memset(&interval, 0, sizeof(interval));
7102 memcpy(&interval, ev->c_latency, sizeof(ev->c_latency));
7103 conn->iso_qos.in.interval = le32_to_cpu(interval);
7104 memcpy(&interval, ev->p_latency, sizeof(ev->p_latency));
7105 conn->iso_qos.out.interval = le32_to_cpu(interval);
7106 conn->iso_qos.in.latency = le16_to_cpu(ev->interval);
7107 conn->iso_qos.out.latency = le16_to_cpu(ev->interval);
7108 conn->iso_qos.in.sdu = le16_to_cpu(ev->c_mtu);
7109 conn->iso_qos.out.sdu = le16_to_cpu(ev->p_mtu);
7110 conn->iso_qos.in.phy = ev->c_phy;
7111 conn->iso_qos.out.phy = ev->p_phy;
7115 conn->state = BT_CONNECTED;
7116 hci_debugfs_create_conn(conn);
7117 hci_conn_add_sysfs(conn);
7118 hci_iso_setup_path(conn);
7122 hci_connect_cfm(conn, ev->status);
7126 hci_dev_unlock(hdev);
7129 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7131 struct hci_cp_le_reject_cis cp;
7133 memset(&cp, 0, sizeof(cp));
7135 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7136 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7139 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7141 struct hci_cp_le_accept_cis cp;
7143 memset(&cp, 0, sizeof(cp));
7145 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7148 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7149 struct sk_buff *skb)
7151 struct hci_evt_le_cis_req *ev = data;
7152 u16 acl_handle, cis_handle;
7153 struct hci_conn *acl, *cis;
7157 acl_handle = __le16_to_cpu(ev->acl_handle);
7158 cis_handle = __le16_to_cpu(ev->cis_handle);
7160 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7161 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7165 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7169 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7170 if (!(mask & HCI_LM_ACCEPT)) {
7171 hci_le_reject_cis(hdev, ev->cis_handle);
7175 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7177 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE);
7179 hci_le_reject_cis(hdev, ev->cis_handle);
7182 cis->handle = cis_handle;
7185 cis->iso_qos.cig = ev->cig_id;
7186 cis->iso_qos.cis = ev->cis_id;
7188 if (!(flags & HCI_PROTO_DEFER)) {
7189 hci_le_accept_cis(hdev, ev->cis_handle);
7191 cis->state = BT_CONNECT2;
7192 hci_connect_cfm(cis, 0);
7196 hci_dev_unlock(hdev);
7199 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7200 struct sk_buff *skb)
7202 struct hci_evt_le_create_big_complete *ev = data;
7203 struct hci_conn *conn;
7205 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7207 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7208 flex_array_size(ev, bis_handle, ev->num_bis)))
7213 conn = hci_conn_hash_lookup_big(hdev, ev->handle);
7217 if (conn->type != ISO_LINK) {
7219 "Invalid connection link type handle 0x%2.2x",
7225 conn->handle = __le16_to_cpu(ev->bis_handle[0]);
7228 conn->state = BT_CONNECTED;
7229 hci_debugfs_create_conn(conn);
7230 hci_conn_add_sysfs(conn);
7231 hci_iso_setup_path(conn);
7235 hci_connect_cfm(conn, ev->status);
7239 hci_dev_unlock(hdev);
7242 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7243 struct sk_buff *skb)
7245 struct hci_evt_le_big_sync_estabilished *ev = data;
7246 struct hci_conn *bis;
7249 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7251 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7252 flex_array_size(ev, bis, ev->num_bis)))
7260 for (i = 0; i < ev->num_bis; i++) {
7261 u16 handle = le16_to_cpu(ev->bis[i]);
7264 bis = hci_conn_hash_lookup_handle(hdev, handle);
7266 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7270 bis->handle = handle;
7273 bis->iso_qos.big = ev->handle;
7274 memset(&interval, 0, sizeof(interval));
7275 memcpy(&interval, ev->latency, sizeof(ev->latency));
7276 bis->iso_qos.in.interval = le32_to_cpu(interval);
7277 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7278 bis->iso_qos.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7279 bis->iso_qos.in.sdu = le16_to_cpu(ev->max_pdu);
7281 hci_iso_setup_path(bis);
7284 hci_dev_unlock(hdev);
7287 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7288 struct sk_buff *skb)
7290 struct hci_evt_le_big_info_adv_report *ev = data;
7291 int mask = hdev->link_mode;
7294 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7298 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7299 if (!(mask & HCI_LM_ACCEPT))
7300 hci_le_pa_term_sync(hdev, ev->sync_handle);
7302 hci_dev_unlock(hdev);
7305 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7308 .min_len = _min_len, \
7309 .max_len = _max_len, \
7312 #define HCI_LE_EV(_op, _func, _len) \
7313 HCI_LE_EV_VL(_op, _func, _len, _len)
7315 #define HCI_LE_EV_STATUS(_op, _func) \
7316 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7318 /* Entries in this table shall have their position according to the subevent
7319 * opcode they handle so the use of the macros above is recommend since it does
7320 * attempt to initialize at its proper index using Designated Initializers that
7321 * way events without a callback function can be ommited.
7323 static const struct hci_le_ev {
7324 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7327 } hci_le_ev_table[U8_MAX + 1] = {
7328 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7329 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7330 sizeof(struct hci_ev_le_conn_complete)),
7331 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7332 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7333 sizeof(struct hci_ev_le_advertising_report),
7334 HCI_MAX_EVENT_SIZE),
7335 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7336 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7337 hci_le_conn_update_complete_evt,
7338 sizeof(struct hci_ev_le_conn_update_complete)),
7339 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7340 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7341 hci_le_remote_feat_complete_evt,
7342 sizeof(struct hci_ev_le_remote_feat_complete)),
7343 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7344 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7345 sizeof(struct hci_ev_le_ltk_req)),
7346 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7347 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7348 hci_le_remote_conn_param_req_evt,
7349 sizeof(struct hci_ev_le_remote_conn_param_req)),
7351 /* [0x07 = HCI_EV_LE_DATA_LEN_CHANGE] */
7352 HCI_LE_EV(HCI_EV_LE_DATA_LEN_CHANGE,
7353 hci_le_data_length_changed_complete_evt,
7354 sizeof(struct hci_ev_le_data_len_change)),
7356 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7357 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7358 hci_le_enh_conn_complete_evt,
7359 sizeof(struct hci_ev_le_enh_conn_complete)),
7360 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7361 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7362 sizeof(struct hci_ev_le_direct_adv_report),
7363 HCI_MAX_EVENT_SIZE),
7364 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7365 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7366 sizeof(struct hci_ev_le_phy_update_complete)),
7367 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7368 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7369 sizeof(struct hci_ev_le_ext_adv_report),
7370 HCI_MAX_EVENT_SIZE),
7371 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7372 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7373 hci_le_pa_sync_estabilished_evt,
7374 sizeof(struct hci_ev_le_pa_sync_established)),
7375 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7376 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7377 sizeof(struct hci_evt_le_ext_adv_set_term)),
7378 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7379 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7380 sizeof(struct hci_evt_le_cis_established)),
7381 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7382 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7383 sizeof(struct hci_evt_le_cis_req)),
7384 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7385 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7386 hci_le_create_big_complete_evt,
7387 sizeof(struct hci_evt_le_create_big_complete),
7388 HCI_MAX_EVENT_SIZE),
7389 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7390 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7391 hci_le_big_sync_established_evt,
7392 sizeof(struct hci_evt_le_big_sync_estabilished),
7393 HCI_MAX_EVENT_SIZE),
7394 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7395 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7396 hci_le_big_info_adv_report_evt,
7397 sizeof(struct hci_evt_le_big_info_adv_report),
7398 HCI_MAX_EVENT_SIZE),
7401 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7402 struct sk_buff *skb, u16 *opcode, u8 *status,
7403 hci_req_complete_t *req_complete,
7404 hci_req_complete_skb_t *req_complete_skb)
7406 struct hci_ev_le_meta *ev = data;
7407 const struct hci_le_ev *subev;
7409 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7411 /* Only match event if command OGF is for LE */
7412 if (hdev->sent_cmd &&
7413 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7414 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7415 *opcode = hci_skb_opcode(hdev->sent_cmd);
7416 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7420 subev = &hci_le_ev_table[ev->subevent];
7424 if (skb->len < subev->min_len) {
7425 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7426 ev->subevent, skb->len, subev->min_len);
7430 /* Just warn if the length is over max_len size it still be
7431 * possible to partially parse the event so leave to callback to
7432 * decide if that is acceptable.
7434 if (skb->len > subev->max_len)
7435 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7436 ev->subevent, skb->len, subev->max_len);
7437 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7441 subev->func(hdev, data, skb);
7444 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7445 u8 event, struct sk_buff *skb)
7447 struct hci_ev_cmd_complete *ev;
7448 struct hci_event_hdr *hdr;
7453 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7458 if (hdr->evt != event)
7463 /* Check if request ended in Command Status - no way to retrieve
7464 * any extra parameters in this case.
7466 if (hdr->evt == HCI_EV_CMD_STATUS)
7469 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7470 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7475 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7479 if (opcode != __le16_to_cpu(ev->opcode)) {
7480 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7481 __le16_to_cpu(ev->opcode));
7488 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7489 struct sk_buff *skb)
7491 struct hci_ev_le_advertising_info *adv;
7492 struct hci_ev_le_direct_adv_info *direct_adv;
7493 struct hci_ev_le_ext_adv_info *ext_adv;
7494 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7495 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7499 /* If we are currently suspended and this is the first BT event seen,
7500 * save the wake reason associated with the event.
7502 if (!hdev->suspended || hdev->wake_reason)
7505 /* Default to remote wake. Values for wake_reason are documented in the
7506 * Bluez mgmt api docs.
7508 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7510 /* Once configured for remote wakeup, we should only wake up for
7511 * reconnections. It's useful to see which device is waking us up so
7512 * keep track of the bdaddr of the connection event that woke us up.
7514 if (event == HCI_EV_CONN_REQUEST) {
7515 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7516 hdev->wake_addr_type = BDADDR_BREDR;
7517 } else if (event == HCI_EV_CONN_COMPLETE) {
7518 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7519 hdev->wake_addr_type = BDADDR_BREDR;
7520 } else if (event == HCI_EV_LE_META) {
7521 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7522 u8 subevent = le_ev->subevent;
7523 u8 *ptr = &skb->data[sizeof(*le_ev)];
7524 u8 num_reports = *ptr;
7526 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7527 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7528 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7530 adv = (void *)(ptr + 1);
7531 direct_adv = (void *)(ptr + 1);
7532 ext_adv = (void *)(ptr + 1);
7535 case HCI_EV_LE_ADVERTISING_REPORT:
7536 bacpy(&hdev->wake_addr, &adv->bdaddr);
7537 hdev->wake_addr_type = adv->bdaddr_type;
7539 case HCI_EV_LE_DIRECT_ADV_REPORT:
7540 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7541 hdev->wake_addr_type = direct_adv->bdaddr_type;
7543 case HCI_EV_LE_EXT_ADV_REPORT:
7544 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7545 hdev->wake_addr_type = ext_adv->bdaddr_type;
7550 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7554 hci_dev_unlock(hdev);
7557 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7561 .min_len = _min_len, \
7562 .max_len = _max_len, \
7565 #define HCI_EV(_op, _func, _len) \
7566 HCI_EV_VL(_op, _func, _len, _len)
7568 #define HCI_EV_STATUS(_op, _func) \
7569 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7571 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7574 .func_req = _func, \
7575 .min_len = _min_len, \
7576 .max_len = _max_len, \
7579 #define HCI_EV_REQ(_op, _func, _len) \
7580 HCI_EV_REQ_VL(_op, _func, _len, _len)
7582 /* Entries in this table shall have their position according to the event opcode
7583 * they handle so the use of the macros above is recommend since it does attempt
7584 * to initialize at its proper index using Designated Initializers that way
7585 * events without a callback function don't have entered.
7587 static const struct hci_ev {
7590 void (*func)(struct hci_dev *hdev, void *data,
7591 struct sk_buff *skb);
7592 void (*func_req)(struct hci_dev *hdev, void *data,
7593 struct sk_buff *skb, u16 *opcode, u8 *status,
7594 hci_req_complete_t *req_complete,
7595 hci_req_complete_skb_t *req_complete_skb);
7599 } hci_ev_table[U8_MAX + 1] = {
7600 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7601 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7602 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7603 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7604 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7605 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7606 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7607 sizeof(struct hci_ev_conn_complete)),
7608 /* [0x04 = HCI_EV_CONN_REQUEST] */
7609 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7610 sizeof(struct hci_ev_conn_request)),
7611 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7612 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7613 sizeof(struct hci_ev_disconn_complete)),
7614 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7615 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7616 sizeof(struct hci_ev_auth_complete)),
7617 /* [0x07 = HCI_EV_REMOTE_NAME] */
7618 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7619 sizeof(struct hci_ev_remote_name)),
7620 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7621 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7622 sizeof(struct hci_ev_encrypt_change)),
7623 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7624 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7625 hci_change_link_key_complete_evt,
7626 sizeof(struct hci_ev_change_link_key_complete)),
7627 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7628 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7629 sizeof(struct hci_ev_remote_features)),
7630 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7631 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7632 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7633 /* [0x0f = HCI_EV_CMD_STATUS] */
7634 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7635 sizeof(struct hci_ev_cmd_status)),
7636 /* [0x10 = HCI_EV_CMD_STATUS] */
7637 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7638 sizeof(struct hci_ev_hardware_error)),
7639 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7640 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7641 sizeof(struct hci_ev_role_change)),
7642 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7643 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7644 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7645 /* [0x14 = HCI_EV_MODE_CHANGE] */
7646 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7647 sizeof(struct hci_ev_mode_change)),
7648 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7649 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7650 sizeof(struct hci_ev_pin_code_req)),
7651 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7652 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7653 sizeof(struct hci_ev_link_key_req)),
7654 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7655 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7656 sizeof(struct hci_ev_link_key_notify)),
7657 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7658 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7659 sizeof(struct hci_ev_clock_offset)),
7660 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7661 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7662 sizeof(struct hci_ev_pkt_type_change)),
7663 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7664 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7665 sizeof(struct hci_ev_pscan_rep_mode)),
7666 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7667 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7668 hci_inquiry_result_with_rssi_evt,
7669 sizeof(struct hci_ev_inquiry_result_rssi),
7670 HCI_MAX_EVENT_SIZE),
7671 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7672 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7673 sizeof(struct hci_ev_remote_ext_features)),
7674 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7675 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7676 sizeof(struct hci_ev_sync_conn_complete)),
7677 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7678 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7679 hci_extended_inquiry_result_evt,
7680 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7681 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7682 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7683 sizeof(struct hci_ev_key_refresh_complete)),
7684 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7685 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7686 sizeof(struct hci_ev_io_capa_request)),
7687 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7688 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7689 sizeof(struct hci_ev_io_capa_reply)),
7690 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7691 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7692 sizeof(struct hci_ev_user_confirm_req)),
7693 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7694 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7695 sizeof(struct hci_ev_user_passkey_req)),
7696 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7697 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7698 sizeof(struct hci_ev_remote_oob_data_request)),
7699 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7700 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7701 sizeof(struct hci_ev_simple_pair_complete)),
7702 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7703 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7704 sizeof(struct hci_ev_user_passkey_notify)),
7705 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7706 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7707 sizeof(struct hci_ev_keypress_notify)),
7708 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7709 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7710 sizeof(struct hci_ev_remote_host_features)),
7711 /* [0x3e = HCI_EV_LE_META] */
7712 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7713 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7714 #if IS_ENABLED(CONFIG_BT_HS)
7715 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7716 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7717 sizeof(struct hci_ev_phy_link_complete)),
7718 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7719 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7720 sizeof(struct hci_ev_channel_selected)),
7721 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7722 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7723 hci_disconn_loglink_complete_evt,
7724 sizeof(struct hci_ev_disconn_logical_link_complete)),
7725 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7726 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7727 sizeof(struct hci_ev_logical_link_complete)),
7728 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7729 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7730 hci_disconn_phylink_complete_evt,
7731 sizeof(struct hci_ev_disconn_phy_link_complete)),
7733 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7734 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7735 sizeof(struct hci_ev_num_comp_blocks)),
7737 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7738 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7739 sizeof(struct hci_ev_vendor_specific)),
7741 /* [0xff = HCI_EV_VENDOR] */
7742 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7746 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7747 u16 *opcode, u8 *status,
7748 hci_req_complete_t *req_complete,
7749 hci_req_complete_skb_t *req_complete_skb)
7751 const struct hci_ev *ev = &hci_ev_table[event];
7757 if (skb->len < ev->min_len) {
7758 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7759 event, skb->len, ev->min_len);
7763 /* Just warn if the length is over max_len size it still be
7764 * possible to partially parse the event so leave to callback to
7765 * decide if that is acceptable.
7767 if (skb->len > ev->max_len)
7768 bt_dev_warn_ratelimited(hdev,
7769 "unexpected event 0x%2.2x length: %u > %u",
7770 event, skb->len, ev->max_len);
7772 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7777 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7780 ev->func(hdev, data, skb);
7783 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7785 struct hci_event_hdr *hdr = (void *) skb->data;
7786 hci_req_complete_t req_complete = NULL;
7787 hci_req_complete_skb_t req_complete_skb = NULL;
7788 struct sk_buff *orig_skb = NULL;
7789 u8 status = 0, event, req_evt = 0;
7790 u16 opcode = HCI_OP_NOP;
7792 if (skb->len < sizeof(*hdr)) {
7793 bt_dev_err(hdev, "Malformed HCI Event");
7797 kfree_skb(hdev->recv_event);
7798 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7802 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7807 /* Only match event if command OGF is not for LE */
7808 if (hdev->sent_cmd &&
7809 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7810 hci_skb_event(hdev->sent_cmd) == event) {
7811 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7812 status, &req_complete, &req_complete_skb);
7816 /* If it looks like we might end up having to call
7817 * req_complete_skb, store a pristine copy of the skb since the
7818 * various handlers may modify the original one through
7819 * skb_pull() calls, etc.
7821 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7822 event == HCI_EV_CMD_COMPLETE)
7823 orig_skb = skb_clone(skb, GFP_KERNEL);
7825 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7827 /* Store wake reason if we're suspended */
7828 hci_store_wake_reason(hdev, event, skb);
7830 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7832 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7836 req_complete(hdev, status, opcode);
7837 } else if (req_complete_skb) {
7838 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7839 kfree_skb(orig_skb);
7842 req_complete_skb(hdev, status, opcode, orig_skb);
7846 kfree_skb(orig_skb);
7848 hdev->stat.evt_rx++;