2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 "\x00\x00\x00\x00\x00\x00\x00\x00"
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
50 /* Handle HCI Event packets */
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
57 data = skb_pull_data(skb, len);
59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
69 data = skb_pull_data(skb, len);
71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
81 data = skb_pull_data(skb, len);
83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
91 struct hci_ev_status *rp = data;
93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
95 /* It is possible that we receive Inquiry Complete event right
96 * before we receive Inquiry Cancel Command Complete event, in
97 * which case the latter event should have status of Command
98 * Disallowed (0x0c). This should not be treated as error, since
99 * we actually achieve what Inquiry Cancel wants to achieve,
100 * which is to end the last Inquiry session.
102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
110 clear_bit(HCI_INQUIRY, &hdev->flags);
111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 wake_up_bit(&hdev->flags, HCI_INQUIRY);
115 /* Set discovery state to stopped if we're not doing LE active
118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 hdev->le_scan_type != LE_SCAN_ACTIVE)
120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 hci_dev_unlock(hdev);
123 hci_conn_check_pending(hdev);
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
131 struct hci_ev_status *rp = data;
133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
146 struct hci_ev_status *rp = data;
148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
155 hci_conn_check_pending(hdev);
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
163 struct hci_ev_status *rp = data;
165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
173 struct hci_rp_role_discovery *rp = data;
174 struct hci_conn *conn;
176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
185 conn->role = rp->role;
187 hci_dev_unlock(hdev);
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
195 struct hci_rp_read_link_policy *rp = data;
196 struct hci_conn *conn;
198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
207 conn->link_policy = __le16_to_cpu(rp->policy);
209 hci_dev_unlock(hdev);
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
217 struct hci_rp_write_link_policy *rp = data;
218 struct hci_conn *conn;
221 struct hci_cp_write_link_policy cp;
222 struct hci_conn *sco_conn;
225 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
230 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
236 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
238 conn->link_policy = get_unaligned_le16(sent + 2);
241 sco_conn = hci_conn_hash_lookup_sco(hdev);
242 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
243 conn->link_policy & HCI_LP_SNIFF) {
244 BT_ERR("SNIFF is not allowed during sco connection");
245 cp.handle = __cpu_to_le16(conn->handle);
246 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
247 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
251 hci_dev_unlock(hdev);
256 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
259 struct hci_rp_read_def_link_policy *rp = data;
261 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
266 hdev->link_policy = __le16_to_cpu(rp->policy);
271 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
274 struct hci_ev_status *rp = data;
277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
282 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
286 hdev->link_policy = get_unaligned_le16(sent);
291 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
293 struct hci_ev_status *rp = data;
295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
297 clear_bit(HCI_RESET, &hdev->flags);
302 /* Reset all non-persistent flags */
303 hci_dev_clear_volatile_flags(hdev);
305 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
307 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
308 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
310 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
311 hdev->adv_data_len = 0;
313 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
314 hdev->scan_rsp_data_len = 0;
316 hdev->le_scan_type = LE_SCAN_PASSIVE;
318 hdev->ssp_debug_mode = 0;
320 hci_bdaddr_list_clear(&hdev->le_accept_list);
321 hci_bdaddr_list_clear(&hdev->le_resolv_list);
326 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
329 struct hci_rp_read_stored_link_key *rp = data;
330 struct hci_cp_read_stored_link_key *sent;
332 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
338 if (!rp->status && sent->read_all == 0x01) {
339 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
340 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
346 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
349 struct hci_rp_delete_stored_link_key *rp = data;
352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
357 num_keys = le16_to_cpu(rp->num_keys);
359 if (num_keys <= hdev->stored_num_keys)
360 hdev->stored_num_keys -= num_keys;
362 hdev->stored_num_keys = 0;
367 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
370 struct hci_ev_status *rp = data;
373 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
375 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
381 if (hci_dev_test_flag(hdev, HCI_MGMT))
382 mgmt_set_local_name_complete(hdev, sent, rp->status);
383 else if (!rp->status)
384 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
386 hci_dev_unlock(hdev);
391 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
394 struct hci_rp_read_local_name *rp = data;
396 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
401 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
402 hci_dev_test_flag(hdev, HCI_CONFIG))
403 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
408 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
411 struct hci_ev_status *rp = data;
414 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
416 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
423 __u8 param = *((__u8 *) sent);
425 if (param == AUTH_ENABLED)
426 set_bit(HCI_AUTH, &hdev->flags);
428 clear_bit(HCI_AUTH, &hdev->flags);
431 if (hci_dev_test_flag(hdev, HCI_MGMT))
432 mgmt_auth_enable_complete(hdev, rp->status);
434 hci_dev_unlock(hdev);
439 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
442 struct hci_ev_status *rp = data;
446 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
451 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
455 param = *((__u8 *) sent);
458 set_bit(HCI_ENCRYPT, &hdev->flags);
460 clear_bit(HCI_ENCRYPT, &hdev->flags);
465 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
468 struct hci_ev_status *rp = data;
472 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
474 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
478 param = *((__u8 *) sent);
483 hdev->discov_timeout = 0;
487 if (param & SCAN_INQUIRY)
488 set_bit(HCI_ISCAN, &hdev->flags);
490 clear_bit(HCI_ISCAN, &hdev->flags);
492 if (param & SCAN_PAGE)
493 set_bit(HCI_PSCAN, &hdev->flags);
495 clear_bit(HCI_PSCAN, &hdev->flags);
498 hci_dev_unlock(hdev);
503 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
506 struct hci_ev_status *rp = data;
507 struct hci_cp_set_event_filter *cp;
510 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
515 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
519 cp = (struct hci_cp_set_event_filter *)sent;
521 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
522 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
524 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
529 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
532 struct hci_rp_read_class_of_dev *rp = data;
535 return HCI_ERROR_UNSPECIFIED;
537 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
542 memcpy(hdev->dev_class, rp->dev_class, 3);
544 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
545 hdev->dev_class[1], hdev->dev_class[0]);
550 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
553 struct hci_ev_status *rp = data;
556 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
558 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
565 memcpy(hdev->dev_class, sent, 3);
567 if (hci_dev_test_flag(hdev, HCI_MGMT))
568 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
570 hci_dev_unlock(hdev);
575 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
578 struct hci_rp_read_voice_setting *rp = data;
581 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
586 setting = __le16_to_cpu(rp->voice_setting);
588 if (hdev->voice_setting == setting)
591 hdev->voice_setting = setting;
593 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
596 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
601 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
604 struct hci_ev_status *rp = data;
608 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
613 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
617 setting = get_unaligned_le16(sent);
619 if (hdev->voice_setting == setting)
622 hdev->voice_setting = setting;
624 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
627 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
632 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
635 struct hci_rp_read_num_supported_iac *rp = data;
637 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
642 hdev->num_iac = rp->num_iac;
644 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
649 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
652 struct hci_ev_status *rp = data;
653 struct hci_cp_write_ssp_mode *sent;
655 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
657 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
665 hdev->features[1][0] |= LMP_HOST_SSP;
667 hdev->features[1][0] &= ~LMP_HOST_SSP;
672 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
674 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
677 hci_dev_unlock(hdev);
682 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
685 struct hci_ev_status *rp = data;
686 struct hci_cp_write_sc_support *sent;
688 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
690 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
698 hdev->features[1][0] |= LMP_HOST_SC;
700 hdev->features[1][0] &= ~LMP_HOST_SC;
703 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
705 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
707 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
710 hci_dev_unlock(hdev);
715 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
718 struct hci_rp_read_local_version *rp = data;
720 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
725 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
726 hci_dev_test_flag(hdev, HCI_CONFIG)) {
727 hdev->hci_ver = rp->hci_ver;
728 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
729 hdev->lmp_ver = rp->lmp_ver;
730 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
731 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
737 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
740 struct hci_rp_read_enc_key_size *rp = data;
741 struct hci_conn *conn;
743 u8 status = rp->status;
745 bt_dev_dbg(hdev, "status 0x%2.2x", status);
747 handle = le16_to_cpu(rp->handle);
751 conn = hci_conn_hash_lookup_handle(hdev, handle);
757 /* While unexpected, the read_enc_key_size command may fail. The most
758 * secure approach is to then assume the key size is 0 to force a
762 bt_dev_err(hdev, "failed to read key size for handle %u",
764 conn->enc_key_size = 0;
766 conn->enc_key_size = rp->key_size;
769 if (conn->enc_key_size < hdev->min_enc_key_size) {
770 /* As slave role, the conn->state has been set to
771 * BT_CONNECTED and l2cap conn req might not be received
772 * yet, at this moment the l2cap layer almost does
773 * nothing with the non-zero status.
774 * So we also clear encrypt related bits, and then the
775 * handler of l2cap conn req will get the right secure
776 * state at a later time.
778 status = HCI_ERROR_AUTH_FAILURE;
779 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
780 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
784 hci_encrypt_cfm(conn, status);
787 hci_dev_unlock(hdev);
792 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
795 struct hci_rp_read_local_commands *rp = data;
797 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
802 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
803 hci_dev_test_flag(hdev, HCI_CONFIG))
804 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
809 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
812 struct hci_rp_read_auth_payload_to *rp = data;
813 struct hci_conn *conn;
815 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
822 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
824 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
826 hci_dev_unlock(hdev);
831 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
834 struct hci_rp_write_auth_payload_to *rp = data;
835 struct hci_conn *conn;
838 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
840 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
846 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
853 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
856 hci_dev_unlock(hdev);
861 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
864 struct hci_rp_read_local_features *rp = data;
866 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
871 memcpy(hdev->features, rp->features, 8);
873 /* Adjust default settings according to features
874 * supported by device. */
876 if (hdev->features[0][0] & LMP_3SLOT)
877 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
879 if (hdev->features[0][0] & LMP_5SLOT)
880 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
882 if (hdev->features[0][1] & LMP_HV2) {
883 hdev->pkt_type |= (HCI_HV2);
884 hdev->esco_type |= (ESCO_HV2);
887 if (hdev->features[0][1] & LMP_HV3) {
888 hdev->pkt_type |= (HCI_HV3);
889 hdev->esco_type |= (ESCO_HV3);
892 if (lmp_esco_capable(hdev))
893 hdev->esco_type |= (ESCO_EV3);
895 if (hdev->features[0][4] & LMP_EV4)
896 hdev->esco_type |= (ESCO_EV4);
898 if (hdev->features[0][4] & LMP_EV5)
899 hdev->esco_type |= (ESCO_EV5);
901 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
902 hdev->esco_type |= (ESCO_2EV3);
904 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
905 hdev->esco_type |= (ESCO_3EV3);
907 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
908 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
913 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
916 struct hci_rp_read_local_ext_features *rp = data;
918 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
923 if (hdev->max_page < rp->max_page) {
924 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
926 bt_dev_warn(hdev, "broken local ext features page 2");
928 hdev->max_page = rp->max_page;
931 if (rp->page < HCI_MAX_PAGES)
932 memcpy(hdev->features[rp->page], rp->features, 8);
937 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
940 struct hci_rp_read_flow_control_mode *rp = data;
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
947 hdev->flow_ctl_mode = rp->mode;
952 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
955 struct hci_rp_read_buffer_size *rp = data;
957 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
962 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
963 hdev->sco_mtu = rp->sco_mtu;
964 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
965 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
967 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
972 hdev->acl_cnt = hdev->acl_pkts;
973 hdev->sco_cnt = hdev->sco_pkts;
975 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
976 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
981 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
984 struct hci_rp_read_bd_addr *rp = data;
986 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
991 if (test_bit(HCI_INIT, &hdev->flags))
992 bacpy(&hdev->bdaddr, &rp->bdaddr);
994 if (hci_dev_test_flag(hdev, HCI_SETUP))
995 bacpy(&hdev->setup_addr, &rp->bdaddr);
1000 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
1001 struct sk_buff *skb)
1003 struct hci_rp_read_local_pairing_opts *rp = data;
1005 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1010 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1011 hci_dev_test_flag(hdev, HCI_CONFIG)) {
1012 hdev->pairing_opts = rp->pairing_opts;
1013 hdev->max_enc_key_size = rp->max_key_size;
1019 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1020 struct sk_buff *skb)
1022 struct hci_rp_read_page_scan_activity *rp = data;
1024 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1029 if (test_bit(HCI_INIT, &hdev->flags)) {
1030 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1031 hdev->page_scan_window = __le16_to_cpu(rp->window);
1037 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1038 struct sk_buff *skb)
1040 struct hci_ev_status *rp = data;
1041 struct hci_cp_write_page_scan_activity *sent;
1043 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1048 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1052 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1053 hdev->page_scan_window = __le16_to_cpu(sent->window);
1058 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1059 struct sk_buff *skb)
1061 struct hci_rp_read_page_scan_type *rp = data;
1063 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1068 if (test_bit(HCI_INIT, &hdev->flags))
1069 hdev->page_scan_type = rp->type;
1074 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1075 struct sk_buff *skb)
1077 struct hci_ev_status *rp = data;
1080 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1085 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1087 hdev->page_scan_type = *type;
1092 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1093 struct sk_buff *skb)
1095 struct hci_rp_read_data_block_size *rp = data;
1097 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1102 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1103 hdev->block_len = __le16_to_cpu(rp->block_len);
1104 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1106 hdev->block_cnt = hdev->num_blocks;
1108 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1109 hdev->block_cnt, hdev->block_len);
1114 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1115 struct sk_buff *skb)
1117 struct hci_rp_read_clock *rp = data;
1118 struct hci_cp_read_clock *cp;
1119 struct hci_conn *conn;
1121 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1128 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1132 if (cp->which == 0x00) {
1133 hdev->clock = le32_to_cpu(rp->clock);
1137 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1139 conn->clock = le32_to_cpu(rp->clock);
1140 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1144 hci_dev_unlock(hdev);
1148 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1149 struct sk_buff *skb)
1151 struct hci_rp_read_local_amp_info *rp = data;
1153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1158 hdev->amp_status = rp->amp_status;
1159 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1160 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1161 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1162 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1163 hdev->amp_type = rp->amp_type;
1164 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1165 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1166 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1167 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1172 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1173 struct sk_buff *skb)
1175 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1182 hdev->inq_tx_power = rp->tx_power;
1187 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 struct sk_buff *skb)
1190 struct hci_rp_read_def_err_data_reporting *rp = data;
1192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1197 hdev->err_data_reporting = rp->err_data_reporting;
1202 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1203 struct sk_buff *skb)
1205 struct hci_ev_status *rp = data;
1206 struct hci_cp_write_def_err_data_reporting *cp;
1208 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1213 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1217 hdev->err_data_reporting = cp->err_data_reporting;
1222 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1223 struct sk_buff *skb)
1225 struct hci_rp_pin_code_reply *rp = data;
1226 struct hci_cp_pin_code_reply *cp;
1227 struct hci_conn *conn;
1229 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1233 if (hci_dev_test_flag(hdev, HCI_MGMT))
1234 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1239 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1243 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1245 conn->pin_length = cp->pin_len;
1248 hci_dev_unlock(hdev);
1252 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1253 struct sk_buff *skb)
1255 struct hci_rp_pin_code_neg_reply *rp = data;
1257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1261 if (hci_dev_test_flag(hdev, HCI_MGMT))
1262 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1265 hci_dev_unlock(hdev);
1270 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1271 struct sk_buff *skb)
1273 struct hci_rp_le_read_buffer_size *rp = data;
1275 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1280 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1281 hdev->le_pkts = rp->le_max_pkt;
1283 hdev->le_cnt = hdev->le_pkts;
1285 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1290 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_local_features *rp = data;
1295 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1300 memcpy(hdev->le_features, rp->features, 8);
1305 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_le_read_adv_tx_power *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1315 hdev->adv_tx_power = rp->tx_power;
1320 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1321 struct sk_buff *skb)
1323 struct hci_rp_user_confirm_reply *rp = data;
1325 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1329 if (hci_dev_test_flag(hdev, HCI_MGMT))
1330 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1333 hci_dev_unlock(hdev);
1338 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1339 struct sk_buff *skb)
1341 struct hci_rp_user_confirm_reply *rp = data;
1343 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1347 if (hci_dev_test_flag(hdev, HCI_MGMT))
1348 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1349 ACL_LINK, 0, rp->status);
1351 hci_dev_unlock(hdev);
1356 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1357 struct sk_buff *skb)
1359 struct hci_rp_user_confirm_reply *rp = data;
1361 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1365 if (hci_dev_test_flag(hdev, HCI_MGMT))
1366 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1369 hci_dev_unlock(hdev);
1374 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1375 struct sk_buff *skb)
1377 struct hci_rp_user_confirm_reply *rp = data;
1379 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1383 if (hci_dev_test_flag(hdev, HCI_MGMT))
1384 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1385 ACL_LINK, 0, rp->status);
1387 hci_dev_unlock(hdev);
1392 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1393 struct sk_buff *skb)
1395 struct hci_rp_read_local_oob_data *rp = data;
1397 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1402 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1403 struct sk_buff *skb)
1405 struct hci_rp_read_local_oob_ext_data *rp = data;
1407 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1412 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1413 struct sk_buff *skb)
1415 struct hci_ev_status *rp = data;
1418 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1423 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1429 bacpy(&hdev->random_addr, sent);
1431 if (!bacmp(&hdev->rpa, sent)) {
1432 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1433 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1434 secs_to_jiffies(hdev->rpa_timeout));
1437 hci_dev_unlock(hdev);
1442 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1443 struct sk_buff *skb)
1445 struct hci_ev_status *rp = data;
1446 struct hci_cp_le_set_default_phy *cp;
1448 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1453 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1459 hdev->le_tx_def_phys = cp->tx_phys;
1460 hdev->le_rx_def_phys = cp->rx_phys;
1462 hci_dev_unlock(hdev);
1467 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1468 struct sk_buff *skb)
1470 struct hci_ev_status *rp = data;
1471 struct hci_cp_le_set_adv_set_rand_addr *cp;
1472 struct adv_info *adv;
1474 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1479 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1480 /* Update only in case the adv instance since handle 0x00 shall be using
1481 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1482 * non-extended adverting.
1484 if (!cp || !cp->handle)
1489 adv = hci_find_adv_instance(hdev, cp->handle);
1491 bacpy(&adv->random_addr, &cp->bdaddr);
1492 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1493 adv->rpa_expired = false;
1494 queue_delayed_work(hdev->workqueue,
1495 &adv->rpa_expired_cb,
1496 secs_to_jiffies(hdev->rpa_timeout));
1500 hci_dev_unlock(hdev);
1505 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1506 struct sk_buff *skb)
1508 struct hci_ev_status *rp = data;
1512 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1517 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1523 err = hci_remove_adv_instance(hdev, *instance);
1525 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1528 hci_dev_unlock(hdev);
1533 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1534 struct sk_buff *skb)
1536 struct hci_ev_status *rp = data;
1537 struct adv_info *adv, *n;
1540 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1545 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1550 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1551 u8 instance = adv->instance;
1553 err = hci_remove_adv_instance(hdev, instance);
1555 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1559 hci_dev_unlock(hdev);
1564 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1565 struct sk_buff *skb)
1567 struct hci_rp_le_read_transmit_power *rp = data;
1569 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1574 hdev->min_le_tx_power = rp->min_le_tx_power;
1575 hdev->max_le_tx_power = rp->max_le_tx_power;
1580 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1581 struct sk_buff *skb)
1583 struct hci_ev_status *rp = data;
1584 struct hci_cp_le_set_privacy_mode *cp;
1585 struct hci_conn_params *params;
1587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1592 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1598 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1600 WRITE_ONCE(params->privacy_mode, cp->mode);
1602 hci_dev_unlock(hdev);
1607 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1608 struct sk_buff *skb)
1610 struct hci_ev_status *rp = data;
1613 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1618 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1624 /* If we're doing connection initiation as peripheral. Set a
1625 * timeout in case something goes wrong.
1628 struct hci_conn *conn;
1630 hci_dev_set_flag(hdev, HCI_LE_ADV);
1632 conn = hci_lookup_le_connect(hdev);
1634 queue_delayed_work(hdev->workqueue,
1635 &conn->le_conn_timeout,
1636 conn->conn_timeout);
1638 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1641 hci_dev_unlock(hdev);
1646 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1647 struct sk_buff *skb)
1649 struct hci_cp_le_set_ext_adv_enable *cp;
1650 struct hci_cp_ext_adv_set *set;
1651 struct adv_info *adv = NULL, *n;
1652 struct hci_ev_status *rp = data;
1654 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1659 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1663 set = (void *)cp->data;
1667 if (cp->num_of_sets)
1668 adv = hci_find_adv_instance(hdev, set->handle);
1671 struct hci_conn *conn;
1673 hci_dev_set_flag(hdev, HCI_LE_ADV);
1675 if (adv && !adv->periodic)
1676 adv->enabled = true;
1678 conn = hci_lookup_le_connect(hdev);
1680 queue_delayed_work(hdev->workqueue,
1681 &conn->le_conn_timeout,
1682 conn->conn_timeout);
1684 if (cp->num_of_sets) {
1686 adv->enabled = false;
1688 /* If just one instance was disabled check if there are
1689 * any other instance enabled before clearing HCI_LE_ADV
1691 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1697 /* All instances shall be considered disabled */
1698 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1700 adv->enabled = false;
1703 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1707 hci_dev_unlock(hdev);
1711 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1712 struct sk_buff *skb)
1714 struct hci_cp_le_set_scan_param *cp;
1715 struct hci_ev_status *rp = data;
1717 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1722 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1728 hdev->le_scan_type = cp->type;
1730 hci_dev_unlock(hdev);
1735 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1736 struct sk_buff *skb)
1738 struct hci_cp_le_set_ext_scan_params *cp;
1739 struct hci_ev_status *rp = data;
1740 struct hci_cp_le_scan_phy_params *phy_param;
1742 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1747 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1751 phy_param = (void *)cp->data;
1755 hdev->le_scan_type = phy_param->type;
1757 hci_dev_unlock(hdev);
1762 static bool has_pending_adv_report(struct hci_dev *hdev)
1764 struct discovery_state *d = &hdev->discovery;
1766 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1769 static void clear_pending_adv_report(struct hci_dev *hdev)
1771 struct discovery_state *d = &hdev->discovery;
1773 bacpy(&d->last_adv_addr, BDADDR_ANY);
1774 d->last_adv_data_len = 0;
1778 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1779 u8 bdaddr_type, s8 rssi, u32 flags,
1782 struct discovery_state *d = &hdev->discovery;
1784 if (len > max_adv_len(hdev))
1787 bacpy(&d->last_adv_addr, bdaddr);
1788 d->last_adv_addr_type = bdaddr_type;
1789 d->last_adv_rssi = rssi;
1790 d->last_adv_flags = flags;
1791 memcpy(d->last_adv_data, data, len);
1792 d->last_adv_data_len = len;
1796 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1801 case LE_SCAN_ENABLE:
1802 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1803 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1804 clear_pending_adv_report(hdev);
1805 if (hci_dev_test_flag(hdev, HCI_MESH))
1806 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1809 case LE_SCAN_DISABLE:
1810 /* We do this here instead of when setting DISCOVERY_STOPPED
1811 * since the latter would potentially require waiting for
1812 * inquiry to stop too.
1814 if (has_pending_adv_report(hdev)) {
1815 struct discovery_state *d = &hdev->discovery;
1817 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1818 d->last_adv_addr_type, NULL,
1819 d->last_adv_rssi, d->last_adv_flags,
1821 d->last_adv_data_len, NULL, 0, 0);
1824 /* Cancel this timer so that we don't try to disable scanning
1825 * when it's already disabled.
1827 cancel_delayed_work(&hdev->le_scan_disable);
1829 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1831 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1832 * interrupted scanning due to a connect request. Mark
1833 * therefore discovery as stopped.
1835 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1836 #ifndef TIZEN_BT /* The below line is kernel bug. */
1837 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1839 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1841 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1842 hdev->discovery.state == DISCOVERY_FINDING)
1843 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1848 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1853 hci_dev_unlock(hdev);
1856 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1857 struct sk_buff *skb)
1859 struct hci_cp_le_set_scan_enable *cp;
1860 struct hci_ev_status *rp = data;
1862 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1867 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1871 le_set_scan_enable_complete(hdev, cp->enable);
1876 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1877 struct sk_buff *skb)
1879 struct hci_cp_le_set_ext_scan_enable *cp;
1880 struct hci_ev_status *rp = data;
1882 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1887 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1891 le_set_scan_enable_complete(hdev, cp->enable);
1896 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1897 struct sk_buff *skb)
1899 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1901 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1907 hdev->le_num_of_adv_sets = rp->num_of_sets;
1912 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1913 struct sk_buff *skb)
1915 struct hci_rp_le_read_accept_list_size *rp = data;
1917 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1922 hdev->le_accept_list_size = rp->size;
1927 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1928 struct sk_buff *skb)
1930 struct hci_ev_status *rp = data;
1932 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1938 hci_bdaddr_list_clear(&hdev->le_accept_list);
1939 hci_dev_unlock(hdev);
1944 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1945 struct sk_buff *skb)
1947 struct hci_cp_le_add_to_accept_list *sent;
1948 struct hci_ev_status *rp = data;
1950 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1955 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1960 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1962 hci_dev_unlock(hdev);
1967 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1968 struct sk_buff *skb)
1970 struct hci_cp_le_del_from_accept_list *sent;
1971 struct hci_ev_status *rp = data;
1973 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1978 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1983 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1985 hci_dev_unlock(hdev);
1990 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1991 struct sk_buff *skb)
1993 struct hci_rp_le_read_supported_states *rp = data;
1995 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2000 memcpy(hdev->le_states, rp->le_states, 8);
2005 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
2006 struct sk_buff *skb)
2008 struct hci_rp_le_read_def_data_len *rp = data;
2010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2015 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
2016 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2021 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2022 struct sk_buff *skb)
2024 struct hci_cp_le_write_def_data_len *sent;
2025 struct hci_ev_status *rp = data;
2027 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2032 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2036 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2037 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2042 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2043 struct sk_buff *skb)
2045 struct hci_cp_le_add_to_resolv_list *sent;
2046 struct hci_ev_status *rp = data;
2048 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2058 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2059 sent->bdaddr_type, sent->peer_irk,
2061 hci_dev_unlock(hdev);
2066 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2067 struct sk_buff *skb)
2069 struct hci_cp_le_del_from_resolv_list *sent;
2070 struct hci_ev_status *rp = data;
2072 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2077 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2082 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2084 hci_dev_unlock(hdev);
2089 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2090 struct sk_buff *skb)
2092 struct hci_ev_status *rp = data;
2094 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2100 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2101 hci_dev_unlock(hdev);
2106 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2107 struct sk_buff *skb)
2109 struct hci_rp_le_read_resolv_list_size *rp = data;
2111 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2116 hdev->le_resolv_list_size = rp->size;
2121 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2122 struct sk_buff *skb)
2124 struct hci_ev_status *rp = data;
2127 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2132 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2139 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2141 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2143 hci_dev_unlock(hdev);
2148 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2149 struct sk_buff *skb)
2151 struct hci_rp_le_read_max_data_len *rp = data;
2153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2158 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2159 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2160 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2161 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2166 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2167 struct sk_buff *skb)
2169 struct hci_cp_write_le_host_supported *sent;
2170 struct hci_ev_status *rp = data;
2172 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2177 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2184 hdev->features[1][0] |= LMP_HOST_LE;
2185 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2187 hdev->features[1][0] &= ~LMP_HOST_LE;
2188 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2189 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2193 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2195 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2197 hci_dev_unlock(hdev);
2202 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2203 struct sk_buff *skb)
2205 struct hci_cp_le_set_adv_param *cp;
2206 struct hci_ev_status *rp = data;
2208 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2213 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2218 hdev->adv_addr_type = cp->own_address_type;
2219 hci_dev_unlock(hdev);
2224 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2225 struct sk_buff *skb)
2227 struct hci_rp_le_set_ext_adv_params *rp = data;
2228 struct hci_cp_le_set_ext_adv_params *cp;
2229 struct adv_info *adv_instance;
2231 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2236 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2241 hdev->adv_addr_type = cp->own_addr_type;
2243 /* Store in hdev for instance 0 */
2244 hdev->adv_tx_power = rp->tx_power;
2246 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2248 adv_instance->tx_power = rp->tx_power;
2250 /* Update adv data as tx power is known now */
2251 hci_update_adv_data(hdev, cp->handle);
2253 hci_dev_unlock(hdev);
2259 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2260 struct sk_buff *skb)
2262 struct hci_cc_rsp_enable_rssi *rp = data;
2264 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2265 hdev->name, rp->status, rp->le_ext_opcode);
2267 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2272 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2273 struct sk_buff *skb)
2275 struct hci_cc_rp_get_raw_rssi *rp = data;
2277 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2278 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2280 mgmt_raw_rssi_response(hdev, rp, rp->status);
2285 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2286 struct sk_buff *skb)
2288 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2290 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2292 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2296 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2297 struct sk_buff *skb)
2299 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2300 __u8 event_le_ext_sub_code;
2302 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2303 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2305 skb_pull(skb, sizeof(*ev));
2306 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2308 switch (event_le_ext_sub_code) {
2309 case LE_RSSI_LINK_ALERT:
2310 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2318 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
2319 struct sk_buff *skb)
2321 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
2323 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
2325 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
2326 ev->state_change_reason,
2327 ev->connection_handle);
2330 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2331 struct sk_buff *skb)
2333 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2334 __u8 event_sub_code;
2336 BT_DBG("hci_vendor_specific_evt");
2338 skb_pull(skb, sizeof(*ev));
2339 event_sub_code = ev->event_sub_code;
2341 switch (event_sub_code) {
2342 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2343 hci_vendor_specific_group_ext_evt(hdev, skb);
2346 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
2347 hci_vendor_multi_adv_state_change_evt(hdev, skb);
2356 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2357 struct sk_buff *skb)
2359 struct hci_rp_read_rssi *rp = data;
2360 struct hci_conn *conn;
2362 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2369 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2371 conn->rssi = rp->rssi;
2373 hci_dev_unlock(hdev);
2378 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2379 struct sk_buff *skb)
2381 struct hci_cp_read_tx_power *sent;
2382 struct hci_rp_read_tx_power *rp = data;
2383 struct hci_conn *conn;
2385 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2390 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2396 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2400 switch (sent->type) {
2402 conn->tx_power = rp->tx_power;
2405 conn->max_tx_power = rp->tx_power;
2410 hci_dev_unlock(hdev);
2414 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2415 struct sk_buff *skb)
2417 struct hci_ev_status *rp = data;
2420 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2425 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2427 hdev->ssp_debug_mode = *mode;
2432 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2434 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2437 hci_conn_check_pending(hdev);
2441 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2442 set_bit(HCI_INQUIRY, &hdev->flags);
2445 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2447 struct hci_cp_create_conn *cp;
2448 struct hci_conn *conn;
2450 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2452 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2458 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2460 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2463 if (conn && conn->state == BT_CONNECT) {
2464 if (status != 0x0c || conn->attempt > 2) {
2465 conn->state = BT_CLOSED;
2466 hci_connect_cfm(conn, status);
2469 conn->state = BT_CONNECT2;
2473 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2476 bt_dev_err(hdev, "no memory for new connection");
2480 hci_dev_unlock(hdev);
2483 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2485 struct hci_cp_add_sco *cp;
2486 struct hci_conn *acl;
2487 struct hci_link *link;
2490 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2495 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2499 handle = __le16_to_cpu(cp->handle);
2501 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2505 acl = hci_conn_hash_lookup_handle(hdev, handle);
2507 link = list_first_entry_or_null(&acl->link_list,
2508 struct hci_link, list);
2509 if (link && link->conn) {
2510 link->conn->state = BT_CLOSED;
2512 hci_connect_cfm(link->conn, status);
2513 hci_conn_del(link->conn);
2517 hci_dev_unlock(hdev);
2520 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2522 struct hci_cp_auth_requested *cp;
2523 struct hci_conn *conn;
2525 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2530 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2536 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2538 if (conn->state == BT_CONFIG) {
2539 hci_connect_cfm(conn, status);
2540 hci_conn_drop(conn);
2544 hci_dev_unlock(hdev);
2547 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2549 struct hci_cp_set_conn_encrypt *cp;
2550 struct hci_conn *conn;
2552 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2557 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2563 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2565 if (conn->state == BT_CONFIG) {
2566 hci_connect_cfm(conn, status);
2567 hci_conn_drop(conn);
2571 hci_dev_unlock(hdev);
2574 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2575 struct hci_conn *conn)
2577 if (conn->state != BT_CONFIG || !conn->out)
2580 if (conn->pending_sec_level == BT_SECURITY_SDP)
2583 /* Only request authentication for SSP connections or non-SSP
2584 * devices with sec_level MEDIUM or HIGH or if MITM protection
2587 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2588 conn->pending_sec_level != BT_SECURITY_FIPS &&
2589 conn->pending_sec_level != BT_SECURITY_HIGH &&
2590 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2596 static int hci_resolve_name(struct hci_dev *hdev,
2597 struct inquiry_entry *e)
2599 struct hci_cp_remote_name_req cp;
2601 memset(&cp, 0, sizeof(cp));
2603 bacpy(&cp.bdaddr, &e->data.bdaddr);
2604 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2605 cp.pscan_mode = e->data.pscan_mode;
2606 cp.clock_offset = e->data.clock_offset;
2608 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2611 static bool hci_resolve_next_name(struct hci_dev *hdev)
2613 struct discovery_state *discov = &hdev->discovery;
2614 struct inquiry_entry *e;
2616 if (list_empty(&discov->resolve))
2619 /* We should stop if we already spent too much time resolving names. */
2620 if (time_after(jiffies, discov->name_resolve_timeout)) {
2621 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2625 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2629 if (hci_resolve_name(hdev, e) == 0) {
2630 e->name_state = NAME_PENDING;
2637 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2638 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2640 struct discovery_state *discov = &hdev->discovery;
2641 struct inquiry_entry *e;
2644 /* Update the mgmt connected state if necessary. Be careful with
2645 * conn objects that exist but are not (yet) connected however.
2646 * Only those in BT_CONFIG or BT_CONNECTED states can be
2647 * considered connected.
2650 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2651 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2652 mgmt_device_connected(hdev, conn, name, name_len);
2654 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2658 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2659 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2660 mgmt_device_connected(hdev, conn, name, name_len);
2663 if (discov->state == DISCOVERY_STOPPED)
2666 if (discov->state == DISCOVERY_STOPPING)
2667 goto discov_complete;
2669 if (discov->state != DISCOVERY_RESOLVING)
2672 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2673 /* If the device was not found in a list of found devices names of which
2674 * are pending. there is no need to continue resolving a next name as it
2675 * will be done upon receiving another Remote Name Request Complete
2682 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2683 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2686 if (hci_resolve_next_name(hdev))
2690 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2693 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2695 struct hci_cp_remote_name_req *cp;
2696 struct hci_conn *conn;
2698 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2700 /* If successful wait for the name req complete event before
2701 * checking for the need to do authentication */
2705 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2711 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2713 if (hci_dev_test_flag(hdev, HCI_MGMT))
2714 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2719 if (!hci_outgoing_auth_needed(hdev, conn))
2722 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2723 struct hci_cp_auth_requested auth_cp;
2725 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2727 auth_cp.handle = __cpu_to_le16(conn->handle);
2728 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2729 sizeof(auth_cp), &auth_cp);
2733 hci_dev_unlock(hdev);
2736 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2738 struct hci_cp_read_remote_features *cp;
2739 struct hci_conn *conn;
2741 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2746 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2752 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2754 if (conn->state == BT_CONFIG) {
2755 hci_connect_cfm(conn, status);
2756 hci_conn_drop(conn);
2760 hci_dev_unlock(hdev);
2763 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2765 struct hci_cp_read_remote_ext_features *cp;
2766 struct hci_conn *conn;
2768 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2773 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2779 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2781 if (conn->state == BT_CONFIG) {
2782 hci_connect_cfm(conn, status);
2783 hci_conn_drop(conn);
2787 hci_dev_unlock(hdev);
2790 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2793 struct hci_conn *acl;
2794 struct hci_link *link;
2796 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2800 acl = hci_conn_hash_lookup_handle(hdev, handle);
2802 link = list_first_entry_or_null(&acl->link_list,
2803 struct hci_link, list);
2804 if (link && link->conn) {
2805 link->conn->state = BT_CLOSED;
2807 hci_connect_cfm(link->conn, status);
2808 hci_conn_del(link->conn);
2812 hci_dev_unlock(hdev);
2815 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2817 struct hci_cp_setup_sync_conn *cp;
2819 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2824 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2828 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2831 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2833 struct hci_cp_enhanced_setup_sync_conn *cp;
2835 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2840 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2844 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2847 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2849 struct hci_cp_sniff_mode *cp;
2850 struct hci_conn *conn;
2852 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2857 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2863 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2865 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2867 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2868 hci_sco_setup(conn, status);
2871 hci_dev_unlock(hdev);
2874 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2876 struct hci_cp_exit_sniff_mode *cp;
2877 struct hci_conn *conn;
2879 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2884 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2892 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2894 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2895 hci_sco_setup(conn, status);
2898 hci_dev_unlock(hdev);
2901 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2903 struct hci_cp_disconnect *cp;
2904 struct hci_conn_params *params;
2905 struct hci_conn *conn;
2908 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2910 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2911 * otherwise cleanup the connection immediately.
2913 if (!status && !hdev->suspended)
2916 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2922 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2927 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2928 conn->dst_type, status);
2930 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2931 hdev->cur_adv_instance = conn->adv_instance;
2932 hci_enable_advertising(hdev);
2935 /* Inform sockets conn is gone before we delete it */
2936 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2941 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2943 if (conn->type == ACL_LINK) {
2944 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2945 hci_remove_link_key(hdev, &conn->dst);
2948 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2950 switch (params->auto_connect) {
2951 case HCI_AUTO_CONN_LINK_LOSS:
2952 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2956 case HCI_AUTO_CONN_DIRECT:
2957 case HCI_AUTO_CONN_ALWAYS:
2958 hci_pend_le_list_del_init(params);
2959 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2967 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2968 cp->reason, mgmt_conn);
2970 hci_disconn_cfm(conn, cp->reason);
2973 /* If the disconnection failed for any reason, the upper layer
2974 * does not retry to disconnect in current implementation.
2975 * Hence, we need to do some basic cleanup here and re-enable
2976 * advertising if necessary.
2980 hci_dev_unlock(hdev);
2983 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2985 /* When using controller based address resolution, then the new
2986 * address types 0x02 and 0x03 are used. These types need to be
2987 * converted back into either public address or random address type
2990 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2993 return ADDR_LE_DEV_PUBLIC;
2994 case ADDR_LE_DEV_RANDOM_RESOLVED:
2997 return ADDR_LE_DEV_RANDOM;
3005 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
3006 u8 peer_addr_type, u8 own_address_type,
3009 struct hci_conn *conn;
3011 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
3016 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
3018 /* Store the initiator and responder address information which
3019 * is needed for SMP. These values will not change during the
3020 * lifetime of the connection.
3022 conn->init_addr_type = own_address_type;
3023 if (own_address_type == ADDR_LE_DEV_RANDOM)
3024 bacpy(&conn->init_addr, &hdev->random_addr);
3026 bacpy(&conn->init_addr, &hdev->bdaddr);
3028 conn->resp_addr_type = peer_addr_type;
3029 bacpy(&conn->resp_addr, peer_addr);
3032 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3034 struct hci_cp_le_create_conn *cp;
3036 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3038 /* All connection failure handling is taken care of by the
3039 * hci_conn_failed function which is triggered by the HCI
3040 * request completion callbacks used for connecting.
3045 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3051 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3052 cp->own_address_type, cp->filter_policy);
3054 hci_dev_unlock(hdev);
3057 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3059 struct hci_cp_le_ext_create_conn *cp;
3061 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3063 /* All connection failure handling is taken care of by the
3064 * hci_conn_failed function which is triggered by the HCI
3065 * request completion callbacks used for connecting.
3070 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3076 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3077 cp->own_addr_type, cp->filter_policy);
3079 hci_dev_unlock(hdev);
3082 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3084 struct hci_cp_le_read_remote_features *cp;
3085 struct hci_conn *conn;
3087 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3092 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3098 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3100 if (conn->state == BT_CONFIG) {
3101 hci_connect_cfm(conn, status);
3102 hci_conn_drop(conn);
3106 hci_dev_unlock(hdev);
3109 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3111 struct hci_cp_le_start_enc *cp;
3112 struct hci_conn *conn;
3114 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3121 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3125 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3129 if (conn->state != BT_CONNECTED)
3132 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3133 hci_conn_drop(conn);
3136 hci_dev_unlock(hdev);
3139 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3141 struct hci_cp_switch_role *cp;
3142 struct hci_conn *conn;
3144 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3149 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3155 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3157 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3159 hci_dev_unlock(hdev);
3162 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3163 struct sk_buff *skb)
3165 struct hci_ev_status *ev = data;
3166 struct discovery_state *discov = &hdev->discovery;
3167 struct inquiry_entry *e;
3169 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3171 hci_conn_check_pending(hdev);
3173 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3176 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3177 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3179 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3184 if (discov->state != DISCOVERY_FINDING)
3187 if (list_empty(&discov->resolve)) {
3188 /* When BR/EDR inquiry is active and no LE scanning is in
3189 * progress, then change discovery state to indicate completion.
3191 * When running LE scanning and BR/EDR inquiry simultaneously
3192 * and the LE scan already finished, then change the discovery
3193 * state to indicate completion.
3195 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3196 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3197 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3201 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3202 if (e && hci_resolve_name(hdev, e) == 0) {
3203 e->name_state = NAME_PENDING;
3204 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3205 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3207 /* When BR/EDR inquiry is active and no LE scanning is in
3208 * progress, then change discovery state to indicate completion.
3210 * When running LE scanning and BR/EDR inquiry simultaneously
3211 * and the LE scan already finished, then change the discovery
3212 * state to indicate completion.
3214 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3215 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3216 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3220 hci_dev_unlock(hdev);
3223 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3224 struct sk_buff *skb)
3226 struct hci_ev_inquiry_result *ev = edata;
3227 struct inquiry_data data;
3230 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3231 flex_array_size(ev, info, ev->num)))
3234 bt_dev_dbg(hdev, "num %d", ev->num);
3239 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3244 for (i = 0; i < ev->num; i++) {
3245 struct inquiry_info *info = &ev->info[i];
3248 bacpy(&data.bdaddr, &info->bdaddr);
3249 data.pscan_rep_mode = info->pscan_rep_mode;
3250 data.pscan_period_mode = info->pscan_period_mode;
3251 data.pscan_mode = info->pscan_mode;
3252 memcpy(data.dev_class, info->dev_class, 3);
3253 data.clock_offset = info->clock_offset;
3254 data.rssi = HCI_RSSI_INVALID;
3255 data.ssp_mode = 0x00;
3257 flags = hci_inquiry_cache_update(hdev, &data, false);
3259 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3260 info->dev_class, HCI_RSSI_INVALID,
3261 flags, NULL, 0, NULL, 0, 0);
3264 hci_dev_unlock(hdev);
3267 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3268 struct sk_buff *skb)
3270 struct hci_ev_conn_complete *ev = data;
3271 struct hci_conn *conn;
3272 u8 status = ev->status;
3274 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3278 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3280 /* In case of error status and there is no connection pending
3281 * just unlock as there is nothing to cleanup.
3286 /* Connection may not exist if auto-connected. Check the bredr
3287 * allowlist to see if this device is allowed to auto connect.
3288 * If link is an ACL type, create a connection class
3291 * Auto-connect will only occur if the event filter is
3292 * programmed with a given address. Right now, event filter is
3293 * only used during suspend.
3295 if (ev->link_type == ACL_LINK &&
3296 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3299 conn = hci_conn_add_unset(hdev, ev->link_type,
3300 &ev->bdaddr, HCI_ROLE_SLAVE);
3302 bt_dev_err(hdev, "no memory for new conn");
3306 if (ev->link_type != SCO_LINK)
3309 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3314 conn->type = SCO_LINK;
3318 /* The HCI_Connection_Complete event is only sent once per connection.
3319 * Processing it more than once per connection can corrupt kernel memory.
3321 * As the connection handle is set here for the first time, it indicates
3322 * whether the connection is already set up.
3324 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3325 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3330 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3334 if (conn->type == ACL_LINK) {
3335 conn->state = BT_CONFIG;
3336 hci_conn_hold(conn);
3338 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3339 !hci_find_link_key(hdev, &ev->bdaddr))
3340 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3342 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3344 conn->state = BT_CONNECTED;
3346 hci_debugfs_create_conn(conn);
3347 hci_conn_add_sysfs(conn);
3349 if (test_bit(HCI_AUTH, &hdev->flags))
3350 set_bit(HCI_CONN_AUTH, &conn->flags);
3352 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3353 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3355 /* Get remote features */
3356 if (conn->type == ACL_LINK) {
3357 struct hci_cp_read_remote_features cp;
3358 cp.handle = ev->handle;
3359 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3362 hci_update_scan(hdev);
3365 /* Set packet type for incoming connection */
3366 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3367 struct hci_cp_change_conn_ptype cp;
3368 cp.handle = ev->handle;
3369 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3370 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3375 if (get_link_mode(conn) & HCI_LM_MASTER)
3376 hci_conn_change_supervision_timeout(conn,
3377 LINK_SUPERVISION_TIMEOUT);
3381 if (conn->type == ACL_LINK)
3382 hci_sco_setup(conn, ev->status);
3386 hci_conn_failed(conn, status);
3387 } else if (ev->link_type == SCO_LINK) {
3388 switch (conn->setting & SCO_AIRMODE_MASK) {
3389 case SCO_AIRMODE_CVSD:
3391 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3395 hci_connect_cfm(conn, status);
3399 hci_dev_unlock(hdev);
3401 hci_conn_check_pending(hdev);
3404 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3406 struct hci_cp_reject_conn_req cp;
3408 bacpy(&cp.bdaddr, bdaddr);
3409 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3410 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3413 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3414 struct sk_buff *skb)
3416 struct hci_ev_conn_request *ev = data;
3417 int mask = hdev->link_mode;
3418 struct inquiry_entry *ie;
3419 struct hci_conn *conn;
3422 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3424 /* Reject incoming connection from device with same BD ADDR against
3427 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3428 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3430 hci_reject_conn(hdev, &ev->bdaddr);
3434 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3437 if (!(mask & HCI_LM_ACCEPT)) {
3438 hci_reject_conn(hdev, &ev->bdaddr);
3444 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3446 hci_reject_conn(hdev, &ev->bdaddr);
3450 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3451 * connection. These features are only touched through mgmt so
3452 * only do the checks if HCI_MGMT is set.
3454 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3455 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3456 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3458 hci_reject_conn(hdev, &ev->bdaddr);
3462 /* Connection accepted */
3464 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3466 memcpy(ie->data.dev_class, ev->dev_class, 3);
3469 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
3470 hci_conn_hash_lookup_sco(hdev)) {
3471 struct hci_cp_reject_conn_req cp;
3473 bacpy(&cp.bdaddr, &ev->bdaddr);
3474 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
3475 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
3477 hci_dev_unlock(hdev);
3482 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3485 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3488 bt_dev_err(hdev, "no memory for new connection");
3493 memcpy(conn->dev_class, ev->dev_class, 3);
3495 hci_dev_unlock(hdev);
3497 if (ev->link_type == ACL_LINK ||
3498 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3499 struct hci_cp_accept_conn_req cp;
3500 conn->state = BT_CONNECT;
3502 bacpy(&cp.bdaddr, &ev->bdaddr);
3504 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3505 cp.role = 0x00; /* Become central */
3507 cp.role = 0x01; /* Remain peripheral */
3509 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3510 } else if (!(flags & HCI_PROTO_DEFER)) {
3511 struct hci_cp_accept_sync_conn_req cp;
3512 conn->state = BT_CONNECT;
3514 bacpy(&cp.bdaddr, &ev->bdaddr);
3515 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3517 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3518 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3519 cp.max_latency = cpu_to_le16(0xffff);
3520 cp.content_format = cpu_to_le16(hdev->voice_setting);
3521 cp.retrans_effort = 0xff;
3523 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3526 conn->state = BT_CONNECT2;
3527 hci_connect_cfm(conn, 0);
3532 hci_dev_unlock(hdev);
3535 static u8 hci_to_mgmt_reason(u8 err)
3538 case HCI_ERROR_CONNECTION_TIMEOUT:
3539 return MGMT_DEV_DISCONN_TIMEOUT;
3540 case HCI_ERROR_REMOTE_USER_TERM:
3541 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3542 case HCI_ERROR_REMOTE_POWER_OFF:
3543 return MGMT_DEV_DISCONN_REMOTE;
3544 case HCI_ERROR_LOCAL_HOST_TERM:
3545 return MGMT_DEV_DISCONN_LOCAL_HOST;
3547 return MGMT_DEV_DISCONN_UNKNOWN;
3551 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3552 struct sk_buff *skb)
3554 struct hci_ev_disconn_complete *ev = data;
3556 struct hci_conn_params *params;
3557 struct hci_conn *conn;
3558 bool mgmt_connected;
3560 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3564 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3569 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3570 conn->dst_type, ev->status);
3574 conn->state = BT_CLOSED;
3576 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3578 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3579 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3581 reason = hci_to_mgmt_reason(ev->reason);
3583 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3584 reason, mgmt_connected);
3586 if (conn->type == ACL_LINK) {
3587 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3588 hci_remove_link_key(hdev, &conn->dst);
3590 hci_update_scan(hdev);
3593 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3595 switch (params->auto_connect) {
3596 case HCI_AUTO_CONN_LINK_LOSS:
3597 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3601 case HCI_AUTO_CONN_DIRECT:
3602 case HCI_AUTO_CONN_ALWAYS:
3603 hci_pend_le_list_del_init(params);
3604 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3605 hci_update_passive_scan(hdev);
3613 hci_disconn_cfm(conn, ev->reason);
3615 /* Re-enable advertising if necessary, since it might
3616 * have been disabled by the connection. From the
3617 * HCI_LE_Set_Advertise_Enable command description in
3618 * the core specification (v4.0):
3619 * "The Controller shall continue advertising until the Host
3620 * issues an LE_Set_Advertise_Enable command with
3621 * Advertising_Enable set to 0x00 (Advertising is disabled)
3622 * or until a connection is created or until the Advertising
3623 * is timed out due to Directed Advertising."
3625 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3626 hdev->cur_adv_instance = conn->adv_instance;
3627 hci_enable_advertising(hdev);
3633 if (conn->type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
3637 iscan = test_bit(HCI_ISCAN, &hdev->flags);
3638 pscan = test_bit(HCI_PSCAN, &hdev->flags);
3639 if (!iscan && !pscan) {
3640 u8 scan_enable = SCAN_PAGE;
3642 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
3643 sizeof(scan_enable), &scan_enable);
3649 hci_dev_unlock(hdev);
3652 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3653 struct sk_buff *skb)
3655 struct hci_ev_auth_complete *ev = data;
3656 struct hci_conn *conn;
3658 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3662 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3667 /* PIN or Key Missing patch */
3668 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
3669 conn->remote_auth, conn->remote_cap,
3670 conn->auth_type, conn->io_capability);
3672 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
3673 struct hci_cp_auth_requested cp;
3675 BT_DBG("Pin or key missing");
3676 hci_remove_link_key(hdev, &conn->dst);
3677 cp.handle = cpu_to_le16(conn->handle);
3678 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3685 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3686 set_bit(HCI_CONN_AUTH, &conn->flags);
3687 conn->sec_level = conn->pending_sec_level;
3689 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3690 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3692 mgmt_auth_failed(conn, ev->status);
3695 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3697 if (conn->state == BT_CONFIG) {
3698 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3699 struct hci_cp_set_conn_encrypt cp;
3700 cp.handle = ev->handle;
3702 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3705 conn->state = BT_CONNECTED;
3706 hci_connect_cfm(conn, ev->status);
3707 hci_conn_drop(conn);
3710 hci_auth_cfm(conn, ev->status);
3712 hci_conn_hold(conn);
3713 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3714 hci_conn_drop(conn);
3717 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3719 struct hci_cp_set_conn_encrypt cp;
3720 cp.handle = ev->handle;
3722 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3725 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3726 hci_encrypt_cfm(conn, ev->status);
3731 hci_dev_unlock(hdev);
3734 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3735 struct sk_buff *skb)
3737 struct hci_ev_remote_name *ev = data;
3738 struct hci_conn *conn;
3740 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3742 hci_conn_check_pending(hdev);
3746 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3748 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3751 if (ev->status == 0)
3752 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3753 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3755 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3761 if (!hci_outgoing_auth_needed(hdev, conn))
3764 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3765 struct hci_cp_auth_requested cp;
3767 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3769 cp.handle = __cpu_to_le16(conn->handle);
3770 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3774 hci_dev_unlock(hdev);
3777 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3778 struct sk_buff *skb)
3780 struct hci_ev_encrypt_change *ev = data;
3781 struct hci_conn *conn;
3783 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3787 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3793 /* Encryption implies authentication */
3794 set_bit(HCI_CONN_AUTH, &conn->flags);
3795 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3796 conn->sec_level = conn->pending_sec_level;
3798 /* P-256 authentication key implies FIPS */
3799 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3800 set_bit(HCI_CONN_FIPS, &conn->flags);
3802 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3803 conn->type == LE_LINK)
3804 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3806 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3807 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3811 /* We should disregard the current RPA and generate a new one
3812 * whenever the encryption procedure fails.
3814 if (ev->status && conn->type == LE_LINK) {
3815 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3816 hci_adv_instances_set_rpa_expired(hdev, true);
3819 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3821 /* Check link security requirements are met */
3822 if (!hci_conn_check_link_mode(conn))
3823 ev->status = HCI_ERROR_AUTH_FAILURE;
3825 if (ev->status && conn->state == BT_CONNECTED) {
3826 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3827 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3829 /* Notify upper layers so they can cleanup before
3832 hci_encrypt_cfm(conn, ev->status);
3833 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3834 hci_conn_drop(conn);
3838 /* Try reading the encryption key size for encrypted ACL links */
3839 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3840 struct hci_cp_read_enc_key_size cp;
3842 /* Only send HCI_Read_Encryption_Key_Size if the
3843 * controller really supports it. If it doesn't, assume
3844 * the default size (16).
3846 if (!(hdev->commands[20] & 0x10)) {
3847 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3851 cp.handle = cpu_to_le16(conn->handle);
3852 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3854 bt_dev_err(hdev, "sending read key size failed");
3855 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3862 /* Set the default Authenticated Payload Timeout after
3863 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3864 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3865 * sent when the link is active and Encryption is enabled, the conn
3866 * type can be either LE or ACL and controller must support LMP Ping.
3867 * Ensure for AES-CCM encryption as well.
3869 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3870 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3871 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3872 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3873 struct hci_cp_write_auth_payload_to cp;
3875 cp.handle = cpu_to_le16(conn->handle);
3876 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3877 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3879 bt_dev_err(hdev, "write auth payload timeout failed");
3883 hci_encrypt_cfm(conn, ev->status);
3886 hci_dev_unlock(hdev);
3889 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3890 struct sk_buff *skb)
3892 struct hci_ev_change_link_key_complete *ev = data;
3893 struct hci_conn *conn;
3895 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3899 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3902 set_bit(HCI_CONN_SECURE, &conn->flags);
3904 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3906 hci_key_change_cfm(conn, ev->status);
3909 hci_dev_unlock(hdev);
3912 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3913 struct sk_buff *skb)
3915 struct hci_ev_remote_features *ev = data;
3916 struct hci_conn *conn;
3918 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3922 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3927 memcpy(conn->features[0], ev->features, 8);
3929 if (conn->state != BT_CONFIG)
3932 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3933 lmp_ext_feat_capable(conn)) {
3934 struct hci_cp_read_remote_ext_features cp;
3935 cp.handle = ev->handle;
3937 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3942 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3943 struct hci_cp_remote_name_req cp;
3944 memset(&cp, 0, sizeof(cp));
3945 bacpy(&cp.bdaddr, &conn->dst);
3946 cp.pscan_rep_mode = 0x02;
3947 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3948 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3949 mgmt_device_connected(hdev, conn, NULL, 0);
3951 if (!hci_outgoing_auth_needed(hdev, conn)) {
3952 conn->state = BT_CONNECTED;
3953 hci_connect_cfm(conn, ev->status);
3954 hci_conn_drop(conn);
3958 hci_dev_unlock(hdev);
3961 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3963 cancel_delayed_work(&hdev->cmd_timer);
3966 if (!test_bit(HCI_RESET, &hdev->flags)) {
3968 cancel_delayed_work(&hdev->ncmd_timer);
3969 atomic_set(&hdev->cmd_cnt, 1);
3971 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3972 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3979 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3980 struct sk_buff *skb)
3982 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3984 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3989 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3990 hdev->le_pkts = rp->acl_max_pkt;
3991 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3992 hdev->iso_pkts = rp->iso_max_pkt;
3994 hdev->le_cnt = hdev->le_pkts;
3995 hdev->iso_cnt = hdev->iso_pkts;
3997 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3998 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
4003 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
4005 struct hci_conn *conn, *tmp;
4007 lockdep_assert_held(&hdev->lock);
4009 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
4010 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
4011 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
4014 if (HCI_CONN_HANDLE_UNSET(conn->handle))
4015 hci_conn_failed(conn, status);
4019 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
4020 struct sk_buff *skb)
4022 struct hci_rp_le_set_cig_params *rp = data;
4023 struct hci_cp_le_set_cig_params *cp;
4024 struct hci_conn *conn;
4025 u8 status = rp->status;
4026 bool pending = false;
4029 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4031 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
4032 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
4033 rp->cig_id != cp->cig_id)) {
4034 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
4035 status = HCI_ERROR_UNSPECIFIED;
4040 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
4042 * If the Status return parameter is non-zero, then the state of the CIG
4043 * and its CIS configurations shall not be changed by the command. If
4044 * the CIG did not already exist, it shall not be created.
4047 /* Keep current configuration, fail only the unbound CIS */
4048 hci_unbound_cis_failed(hdev, rp->cig_id, status);
4052 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
4054 * If the Status return parameter is zero, then the Controller shall
4055 * set the Connection_Handle arrayed return parameter to the connection
4056 * handle(s) corresponding to the CIS configurations specified in
4057 * the CIS_IDs command parameter, in the same order.
4059 for (i = 0; i < rp->num_handles; ++i) {
4060 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
4062 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
4065 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
4068 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
4071 if (conn->state == BT_CONNECT)
4077 hci_le_create_cis_pending(hdev);
4079 hci_dev_unlock(hdev);
4084 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
4085 struct sk_buff *skb)
4087 struct hci_rp_le_setup_iso_path *rp = data;
4088 struct hci_cp_le_setup_iso_path *cp;
4089 struct hci_conn *conn;
4091 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4093 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4099 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4104 hci_connect_cfm(conn, rp->status);
4109 switch (cp->direction) {
4110 /* Input (Host to Controller) */
4112 /* Only confirm connection if output only */
4113 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
4114 hci_connect_cfm(conn, rp->status);
4116 /* Output (Controller to Host) */
4118 /* Confirm connection since conn->iso_qos is always configured
4121 hci_connect_cfm(conn, rp->status);
4126 hci_dev_unlock(hdev);
4130 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4132 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4135 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4136 struct sk_buff *skb)
4138 struct hci_ev_status *rp = data;
4139 struct hci_cp_le_set_per_adv_params *cp;
4141 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4146 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4150 /* TODO: set the conn state */
4154 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4155 struct sk_buff *skb)
4157 struct hci_ev_status *rp = data;
4158 struct hci_cp_le_set_per_adv_enable *cp;
4159 struct adv_info *adv = NULL, *n;
4162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4167 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4173 adv = hci_find_adv_instance(hdev, cp->handle);
4176 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4179 adv->enabled = true;
4181 /* If just one instance was disabled check if there are
4182 * any other instance enabled before clearing HCI_LE_PER_ADV.
4183 * The current periodic adv instance will be marked as
4184 * disabled once extended advertising is also disabled.
4186 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4188 if (adv->periodic && adv->enabled)
4192 if (per_adv_cnt > 1)
4195 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4199 hci_dev_unlock(hdev);
4204 #define HCI_CC_VL(_op, _func, _min, _max) \
4212 #define HCI_CC(_op, _func, _len) \
4213 HCI_CC_VL(_op, _func, _len, _len)
4215 #define HCI_CC_STATUS(_op, _func) \
4216 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4218 static const struct hci_cc {
4220 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4223 } hci_cc_table[] = {
4224 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4225 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4226 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4227 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4228 hci_cc_remote_name_req_cancel),
4229 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4230 sizeof(struct hci_rp_role_discovery)),
4231 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4232 sizeof(struct hci_rp_read_link_policy)),
4233 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4234 sizeof(struct hci_rp_write_link_policy)),
4235 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4236 sizeof(struct hci_rp_read_def_link_policy)),
4237 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4238 hci_cc_write_def_link_policy),
4239 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4240 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4241 sizeof(struct hci_rp_read_stored_link_key)),
4242 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4243 sizeof(struct hci_rp_delete_stored_link_key)),
4244 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4245 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4246 sizeof(struct hci_rp_read_local_name)),
4247 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4248 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4249 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4250 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4251 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4252 sizeof(struct hci_rp_read_class_of_dev)),
4253 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4254 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4255 sizeof(struct hci_rp_read_voice_setting)),
4256 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4257 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4258 sizeof(struct hci_rp_read_num_supported_iac)),
4259 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4260 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4261 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4262 sizeof(struct hci_rp_read_auth_payload_to)),
4263 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4264 sizeof(struct hci_rp_write_auth_payload_to)),
4265 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4266 sizeof(struct hci_rp_read_local_version)),
4267 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4268 sizeof(struct hci_rp_read_local_commands)),
4269 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4270 sizeof(struct hci_rp_read_local_features)),
4271 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4272 sizeof(struct hci_rp_read_local_ext_features)),
4273 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4274 sizeof(struct hci_rp_read_buffer_size)),
4275 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4276 sizeof(struct hci_rp_read_bd_addr)),
4277 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4278 sizeof(struct hci_rp_read_local_pairing_opts)),
4279 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4280 sizeof(struct hci_rp_read_page_scan_activity)),
4281 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4282 hci_cc_write_page_scan_activity),
4283 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4284 sizeof(struct hci_rp_read_page_scan_type)),
4285 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4286 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4287 sizeof(struct hci_rp_read_data_block_size)),
4288 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4289 sizeof(struct hci_rp_read_flow_control_mode)),
4290 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4291 sizeof(struct hci_rp_read_local_amp_info)),
4292 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4293 sizeof(struct hci_rp_read_clock)),
4294 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4295 sizeof(struct hci_rp_read_enc_key_size)),
4296 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4297 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4298 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4299 hci_cc_read_def_err_data_reporting,
4300 sizeof(struct hci_rp_read_def_err_data_reporting)),
4301 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4302 hci_cc_write_def_err_data_reporting),
4303 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4304 sizeof(struct hci_rp_pin_code_reply)),
4305 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4306 sizeof(struct hci_rp_pin_code_neg_reply)),
4307 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4308 sizeof(struct hci_rp_read_local_oob_data)),
4309 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4310 sizeof(struct hci_rp_read_local_oob_ext_data)),
4311 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4312 sizeof(struct hci_rp_le_read_buffer_size)),
4313 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4314 sizeof(struct hci_rp_le_read_local_features)),
4315 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4316 sizeof(struct hci_rp_le_read_adv_tx_power)),
4317 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4318 sizeof(struct hci_rp_user_confirm_reply)),
4319 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4320 sizeof(struct hci_rp_user_confirm_reply)),
4321 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4322 sizeof(struct hci_rp_user_confirm_reply)),
4323 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4324 sizeof(struct hci_rp_user_confirm_reply)),
4325 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4326 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4327 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4328 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4329 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4330 hci_cc_le_read_accept_list_size,
4331 sizeof(struct hci_rp_le_read_accept_list_size)),
4332 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4333 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4334 hci_cc_le_add_to_accept_list),
4335 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4336 hci_cc_le_del_from_accept_list),
4337 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4338 sizeof(struct hci_rp_le_read_supported_states)),
4339 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4340 sizeof(struct hci_rp_le_read_def_data_len)),
4341 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4342 hci_cc_le_write_def_data_len),
4343 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4344 hci_cc_le_add_to_resolv_list),
4345 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4346 hci_cc_le_del_from_resolv_list),
4347 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4348 hci_cc_le_clear_resolv_list),
4349 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4350 sizeof(struct hci_rp_le_read_resolv_list_size)),
4351 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4352 hci_cc_le_set_addr_resolution_enable),
4353 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4354 sizeof(struct hci_rp_le_read_max_data_len)),
4355 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4356 hci_cc_write_le_host_supported),
4357 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4358 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4359 sizeof(struct hci_rp_read_rssi)),
4360 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4361 sizeof(struct hci_rp_read_tx_power)),
4362 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4363 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4364 hci_cc_le_set_ext_scan_param),
4365 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4366 hci_cc_le_set_ext_scan_enable),
4367 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4368 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4369 hci_cc_le_read_num_adv_sets,
4370 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4371 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4372 sizeof(struct hci_rp_le_set_ext_adv_params)),
4373 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4374 hci_cc_le_set_ext_adv_enable),
4375 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4376 hci_cc_le_set_adv_set_random_addr),
4377 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4378 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4379 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4380 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4381 hci_cc_le_set_per_adv_enable),
4382 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4383 sizeof(struct hci_rp_le_read_transmit_power)),
4385 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4386 sizeof(struct hci_cc_rsp_enable_rssi)),
4387 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4388 sizeof(struct hci_cc_rp_get_raw_rssi)),
4390 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4391 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4392 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4393 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4394 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4395 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4396 sizeof(struct hci_rp_le_setup_iso_path)),
4399 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4400 struct sk_buff *skb)
4404 if (skb->len < cc->min_len) {
4405 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4406 cc->op, skb->len, cc->min_len);
4407 return HCI_ERROR_UNSPECIFIED;
4410 /* Just warn if the length is over max_len size it still be possible to
4411 * partially parse the cc so leave to callback to decide if that is
4414 if (skb->len > cc->max_len)
4415 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4416 cc->op, skb->len, cc->max_len);
4418 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4420 return HCI_ERROR_UNSPECIFIED;
4422 return cc->func(hdev, data, skb);
4425 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4426 struct sk_buff *skb, u16 *opcode, u8 *status,
4427 hci_req_complete_t *req_complete,
4428 hci_req_complete_skb_t *req_complete_skb)
4430 struct hci_ev_cmd_complete *ev = data;
4433 *opcode = __le16_to_cpu(ev->opcode);
4435 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4437 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4438 if (hci_cc_table[i].op == *opcode) {
4439 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4444 if (i == ARRAY_SIZE(hci_cc_table)) {
4445 /* Unknown opcode, assume byte 0 contains the status, so
4446 * that e.g. __hci_cmd_sync() properly returns errors
4447 * for vendor specific commands send by HCI drivers.
4448 * If a vendor doesn't actually follow this convention we may
4449 * need to introduce a vendor CC table in order to properly set
4452 *status = skb->data[0];
4455 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4457 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4460 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4462 "unexpected event for opcode 0x%4.4x", *opcode);
4466 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4467 queue_work(hdev->workqueue, &hdev->cmd_work);
4470 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4472 struct hci_cp_le_create_cis *cp;
4473 bool pending = false;
4476 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4481 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4487 /* Remove connection if command failed */
4488 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4489 struct hci_conn *conn;
4492 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4494 conn = hci_conn_hash_lookup_handle(hdev, handle);
4496 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4499 conn->state = BT_CLOSED;
4500 hci_connect_cfm(conn, status);
4506 hci_le_create_cis_pending(hdev);
4508 hci_dev_unlock(hdev);
4511 #define HCI_CS(_op, _func) \
4517 static const struct hci_cs {
4519 void (*func)(struct hci_dev *hdev, __u8 status);
4520 } hci_cs_table[] = {
4521 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4522 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4523 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4524 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4525 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4526 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4527 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4528 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4529 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4530 hci_cs_read_remote_ext_features),
4531 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4532 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4533 hci_cs_enhanced_setup_sync_conn),
4534 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4535 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4536 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4537 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4538 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4539 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4540 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4541 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4542 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4545 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4546 struct sk_buff *skb, u16 *opcode, u8 *status,
4547 hci_req_complete_t *req_complete,
4548 hci_req_complete_skb_t *req_complete_skb)
4550 struct hci_ev_cmd_status *ev = data;
4553 *opcode = __le16_to_cpu(ev->opcode);
4554 *status = ev->status;
4556 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4558 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4559 if (hci_cs_table[i].op == *opcode) {
4560 hci_cs_table[i].func(hdev, ev->status);
4565 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4567 /* Indicate request completion if the command failed. Also, if
4568 * we're not waiting for a special event and we get a success
4569 * command status we should try to flag the request as completed
4570 * (since for this kind of commands there will not be a command
4573 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4574 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4576 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4577 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4583 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4584 queue_work(hdev->workqueue, &hdev->cmd_work);
4587 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4588 struct sk_buff *skb)
4590 struct hci_ev_hardware_error *ev = data;
4592 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4596 mgmt_hardware_error(hdev, ev->code);
4597 hci_dev_unlock(hdev);
4599 hdev->hw_error_code = ev->code;
4601 queue_work(hdev->req_workqueue, &hdev->error_reset);
4604 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4605 struct sk_buff *skb)
4607 struct hci_ev_role_change *ev = data;
4608 struct hci_conn *conn;
4610 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4614 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4617 conn->role = ev->role;
4619 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4621 hci_role_switch_cfm(conn, ev->status, ev->role);
4623 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
4624 hci_conn_change_supervision_timeout(conn,
4625 LINK_SUPERVISION_TIMEOUT);
4629 hci_dev_unlock(hdev);
4632 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4633 struct sk_buff *skb)
4635 struct hci_ev_num_comp_pkts *ev = data;
4638 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4639 flex_array_size(ev, handles, ev->num)))
4642 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4643 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4647 bt_dev_dbg(hdev, "num %d", ev->num);
4649 for (i = 0; i < ev->num; i++) {
4650 struct hci_comp_pkts_info *info = &ev->handles[i];
4651 struct hci_conn *conn;
4652 __u16 handle, count;
4654 handle = __le16_to_cpu(info->handle);
4655 count = __le16_to_cpu(info->count);
4657 conn = hci_conn_hash_lookup_handle(hdev, handle);
4661 conn->sent -= count;
4663 switch (conn->type) {
4665 hdev->acl_cnt += count;
4666 if (hdev->acl_cnt > hdev->acl_pkts)
4667 hdev->acl_cnt = hdev->acl_pkts;
4671 if (hdev->le_pkts) {
4672 hdev->le_cnt += count;
4673 if (hdev->le_cnt > hdev->le_pkts)
4674 hdev->le_cnt = hdev->le_pkts;
4676 hdev->acl_cnt += count;
4677 if (hdev->acl_cnt > hdev->acl_pkts)
4678 hdev->acl_cnt = hdev->acl_pkts;
4683 hdev->sco_cnt += count;
4684 if (hdev->sco_cnt > hdev->sco_pkts)
4685 hdev->sco_cnt = hdev->sco_pkts;
4689 if (hdev->iso_pkts) {
4690 hdev->iso_cnt += count;
4691 if (hdev->iso_cnt > hdev->iso_pkts)
4692 hdev->iso_cnt = hdev->iso_pkts;
4693 } else if (hdev->le_pkts) {
4694 hdev->le_cnt += count;
4695 if (hdev->le_cnt > hdev->le_pkts)
4696 hdev->le_cnt = hdev->le_pkts;
4698 hdev->acl_cnt += count;
4699 if (hdev->acl_cnt > hdev->acl_pkts)
4700 hdev->acl_cnt = hdev->acl_pkts;
4705 bt_dev_err(hdev, "unknown type %d conn %p",
4711 queue_work(hdev->workqueue, &hdev->tx_work);
4714 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4717 struct hci_chan *chan;
4719 switch (hdev->dev_type) {
4721 return hci_conn_hash_lookup_handle(hdev, handle);
4723 chan = hci_chan_lookup_handle(hdev, handle);
4728 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4735 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4736 struct sk_buff *skb)
4738 struct hci_ev_num_comp_blocks *ev = data;
4741 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4742 flex_array_size(ev, handles, ev->num_hndl)))
4745 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4746 bt_dev_err(hdev, "wrong event for mode %d",
4747 hdev->flow_ctl_mode);
4751 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4754 for (i = 0; i < ev->num_hndl; i++) {
4755 struct hci_comp_blocks_info *info = &ev->handles[i];
4756 struct hci_conn *conn = NULL;
4757 __u16 handle, block_count;
4759 handle = __le16_to_cpu(info->handle);
4760 block_count = __le16_to_cpu(info->blocks);
4762 conn = __hci_conn_lookup_handle(hdev, handle);
4766 conn->sent -= block_count;
4768 switch (conn->type) {
4771 hdev->block_cnt += block_count;
4772 if (hdev->block_cnt > hdev->num_blocks)
4773 hdev->block_cnt = hdev->num_blocks;
4777 bt_dev_err(hdev, "unknown type %d conn %p",
4783 queue_work(hdev->workqueue, &hdev->tx_work);
4786 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4787 struct sk_buff *skb)
4789 struct hci_ev_mode_change *ev = data;
4790 struct hci_conn *conn;
4792 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4796 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4798 conn->mode = ev->mode;
4800 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4802 if (conn->mode == HCI_CM_ACTIVE)
4803 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4805 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4808 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4809 hci_sco_setup(conn, ev->status);
4812 hci_dev_unlock(hdev);
4815 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4816 struct sk_buff *skb)
4818 struct hci_ev_pin_code_req *ev = data;
4819 struct hci_conn *conn;
4821 bt_dev_dbg(hdev, "");
4825 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4829 if (conn->state == BT_CONNECTED) {
4830 hci_conn_hold(conn);
4831 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4832 hci_conn_drop(conn);
4835 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4836 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4837 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4838 sizeof(ev->bdaddr), &ev->bdaddr);
4839 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4842 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4847 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4851 hci_dev_unlock(hdev);
4854 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4856 if (key_type == HCI_LK_CHANGED_COMBINATION)
4859 conn->pin_length = pin_len;
4860 conn->key_type = key_type;
4863 case HCI_LK_LOCAL_UNIT:
4864 case HCI_LK_REMOTE_UNIT:
4865 case HCI_LK_DEBUG_COMBINATION:
4867 case HCI_LK_COMBINATION:
4869 conn->pending_sec_level = BT_SECURITY_HIGH;
4871 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4873 case HCI_LK_UNAUTH_COMBINATION_P192:
4874 case HCI_LK_UNAUTH_COMBINATION_P256:
4875 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4877 case HCI_LK_AUTH_COMBINATION_P192:
4878 conn->pending_sec_level = BT_SECURITY_HIGH;
4880 case HCI_LK_AUTH_COMBINATION_P256:
4881 conn->pending_sec_level = BT_SECURITY_FIPS;
4886 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4887 struct sk_buff *skb)
4889 struct hci_ev_link_key_req *ev = data;
4890 struct hci_cp_link_key_reply cp;
4891 struct hci_conn *conn;
4892 struct link_key *key;
4894 bt_dev_dbg(hdev, "");
4896 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4901 key = hci_find_link_key(hdev, &ev->bdaddr);
4903 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4907 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4909 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4911 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4913 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4914 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4915 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4916 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4920 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4921 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4922 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4923 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4927 conn_set_key(conn, key->type, key->pin_len);
4930 bacpy(&cp.bdaddr, &ev->bdaddr);
4931 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4933 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4935 hci_dev_unlock(hdev);
4940 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4941 hci_dev_unlock(hdev);
4944 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4945 struct sk_buff *skb)
4947 struct hci_ev_link_key_notify *ev = data;
4948 struct hci_conn *conn;
4949 struct link_key *key;
4953 bt_dev_dbg(hdev, "");
4957 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4961 /* Ignore NULL link key against CVE-2020-26555 */
4962 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4963 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4965 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4966 hci_conn_drop(conn);
4970 hci_conn_hold(conn);
4971 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4972 hci_conn_drop(conn);
4974 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4975 conn_set_key(conn, ev->key_type, conn->pin_length);
4977 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4980 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4981 ev->key_type, pin_len, &persistent);
4985 /* Update connection information since adding the key will have
4986 * fixed up the type in the case of changed combination keys.
4988 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4989 conn_set_key(conn, key->type, key->pin_len);
4991 mgmt_new_link_key(hdev, key, persistent);
4993 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4994 * is set. If it's not set simply remove the key from the kernel
4995 * list (we've still notified user space about it but with
4996 * store_hint being 0).
4998 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4999 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
5000 list_del_rcu(&key->list);
5001 kfree_rcu(key, rcu);
5006 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
5008 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
5011 hci_dev_unlock(hdev);
5014 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
5015 struct sk_buff *skb)
5017 struct hci_ev_clock_offset *ev = data;
5018 struct hci_conn *conn;
5020 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5024 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5025 if (conn && !ev->status) {
5026 struct inquiry_entry *ie;
5028 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5030 ie->data.clock_offset = ev->clock_offset;
5031 ie->timestamp = jiffies;
5035 hci_dev_unlock(hdev);
5038 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
5039 struct sk_buff *skb)
5041 struct hci_ev_pkt_type_change *ev = data;
5042 struct hci_conn *conn;
5044 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5048 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5049 if (conn && !ev->status)
5050 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
5052 hci_dev_unlock(hdev);
5055 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
5056 struct sk_buff *skb)
5058 struct hci_ev_pscan_rep_mode *ev = data;
5059 struct inquiry_entry *ie;
5061 bt_dev_dbg(hdev, "");
5065 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5067 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
5068 ie->timestamp = jiffies;
5071 hci_dev_unlock(hdev);
5074 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
5075 struct sk_buff *skb)
5077 struct hci_ev_inquiry_result_rssi *ev = edata;
5078 struct inquiry_data data;
5081 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
5086 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5091 if (skb->len == array_size(ev->num,
5092 sizeof(struct inquiry_info_rssi_pscan))) {
5093 struct inquiry_info_rssi_pscan *info;
5095 for (i = 0; i < ev->num; i++) {
5098 info = hci_ev_skb_pull(hdev, skb,
5099 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5102 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5103 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5107 bacpy(&data.bdaddr, &info->bdaddr);
5108 data.pscan_rep_mode = info->pscan_rep_mode;
5109 data.pscan_period_mode = info->pscan_period_mode;
5110 data.pscan_mode = info->pscan_mode;
5111 memcpy(data.dev_class, info->dev_class, 3);
5112 data.clock_offset = info->clock_offset;
5113 data.rssi = info->rssi;
5114 data.ssp_mode = 0x00;
5116 flags = hci_inquiry_cache_update(hdev, &data, false);
5118 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5119 info->dev_class, info->rssi,
5120 flags, NULL, 0, NULL, 0, 0);
5122 } else if (skb->len == array_size(ev->num,
5123 sizeof(struct inquiry_info_rssi))) {
5124 struct inquiry_info_rssi *info;
5126 for (i = 0; i < ev->num; i++) {
5129 info = hci_ev_skb_pull(hdev, skb,
5130 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5133 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5134 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5138 bacpy(&data.bdaddr, &info->bdaddr);
5139 data.pscan_rep_mode = info->pscan_rep_mode;
5140 data.pscan_period_mode = info->pscan_period_mode;
5141 data.pscan_mode = 0x00;
5142 memcpy(data.dev_class, info->dev_class, 3);
5143 data.clock_offset = info->clock_offset;
5144 data.rssi = info->rssi;
5145 data.ssp_mode = 0x00;
5147 flags = hci_inquiry_cache_update(hdev, &data, false);
5149 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5150 info->dev_class, info->rssi,
5151 flags, NULL, 0, NULL, 0, 0);
5154 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5155 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5158 hci_dev_unlock(hdev);
5161 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5162 struct sk_buff *skb)
5164 struct hci_ev_remote_ext_features *ev = data;
5165 struct hci_conn *conn;
5167 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5171 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5175 if (ev->page < HCI_MAX_PAGES)
5176 memcpy(conn->features[ev->page], ev->features, 8);
5178 if (!ev->status && ev->page == 0x01) {
5179 struct inquiry_entry *ie;
5181 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5183 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5185 if (ev->features[0] & LMP_HOST_SSP) {
5186 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5188 /* It is mandatory by the Bluetooth specification that
5189 * Extended Inquiry Results are only used when Secure
5190 * Simple Pairing is enabled, but some devices violate
5193 * To make these devices work, the internal SSP
5194 * enabled flag needs to be cleared if the remote host
5195 * features do not indicate SSP support */
5196 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5199 if (ev->features[0] & LMP_HOST_SC)
5200 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5203 if (conn->state != BT_CONFIG)
5206 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5207 struct hci_cp_remote_name_req cp;
5208 memset(&cp, 0, sizeof(cp));
5209 bacpy(&cp.bdaddr, &conn->dst);
5210 cp.pscan_rep_mode = 0x02;
5211 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5212 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5213 mgmt_device_connected(hdev, conn, NULL, 0);
5215 if (!hci_outgoing_auth_needed(hdev, conn)) {
5216 conn->state = BT_CONNECTED;
5217 hci_connect_cfm(conn, ev->status);
5218 hci_conn_drop(conn);
5222 hci_dev_unlock(hdev);
5225 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5226 struct sk_buff *skb)
5228 struct hci_ev_sync_conn_complete *ev = data;
5229 struct hci_conn *conn;
5230 u8 status = ev->status;
5232 switch (ev->link_type) {
5237 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5238 * for HCI_Synchronous_Connection_Complete is limited to
5239 * either SCO or eSCO
5241 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5245 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5249 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5251 if (ev->link_type == ESCO_LINK)
5254 /* When the link type in the event indicates SCO connection
5255 * and lookup of the connection object fails, then check
5256 * if an eSCO connection object exists.
5258 * The core limits the synchronous connections to either
5259 * SCO or eSCO. The eSCO connection is preferred and tried
5260 * to be setup first and until successfully established,
5261 * the link type will be hinted as eSCO.
5263 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5268 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5269 * Processing it more than once per connection can corrupt kernel memory.
5271 * As the connection handle is set here for the first time, it indicates
5272 * whether the connection is already set up.
5274 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5275 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5281 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5283 conn->state = BT_CLOSED;
5287 conn->state = BT_CONNECTED;
5288 conn->type = ev->link_type;
5290 hci_debugfs_create_conn(conn);
5291 hci_conn_add_sysfs(conn);
5294 case 0x10: /* Connection Accept Timeout */
5295 case 0x0d: /* Connection Rejected due to Limited Resources */
5296 case 0x11: /* Unsupported Feature or Parameter Value */
5297 case 0x1c: /* SCO interval rejected */
5298 case 0x1a: /* Unsupported Remote Feature */
5299 case 0x1e: /* Invalid LMP Parameters */
5300 case 0x1f: /* Unspecified error */
5301 case 0x20: /* Unsupported LMP Parameter value */
5303 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5304 (hdev->esco_type & EDR_ESCO_MASK);
5305 if (hci_setup_sync(conn, conn->parent->handle))
5311 conn->state = BT_CLOSED;
5315 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5316 /* Notify only in case of SCO over HCI transport data path which
5317 * is zero and non-zero value shall be non-HCI transport data path
5319 if (conn->codec.data_path == 0 && hdev->notify) {
5320 switch (ev->air_mode) {
5322 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5325 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5330 hci_connect_cfm(conn, status);
5335 hci_dev_unlock(hdev);
5338 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5342 while (parsed < eir_len) {
5343 u8 field_len = eir[0];
5348 parsed += field_len + 1;
5349 eir += field_len + 1;
5355 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5356 struct sk_buff *skb)
5358 struct hci_ev_ext_inquiry_result *ev = edata;
5359 struct inquiry_data data;
5363 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5364 flex_array_size(ev, info, ev->num)))
5367 bt_dev_dbg(hdev, "num %d", ev->num);
5372 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5377 for (i = 0; i < ev->num; i++) {
5378 struct extended_inquiry_info *info = &ev->info[i];
5382 bacpy(&data.bdaddr, &info->bdaddr);
5383 data.pscan_rep_mode = info->pscan_rep_mode;
5384 data.pscan_period_mode = info->pscan_period_mode;
5385 data.pscan_mode = 0x00;
5386 memcpy(data.dev_class, info->dev_class, 3);
5387 data.clock_offset = info->clock_offset;
5388 data.rssi = info->rssi;
5389 data.ssp_mode = 0x01;
5391 if (hci_dev_test_flag(hdev, HCI_MGMT))
5392 name_known = eir_get_data(info->data,
5394 EIR_NAME_COMPLETE, NULL);
5398 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5400 eir_len = eir_get_length(info->data, sizeof(info->data));
5402 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5403 info->dev_class, info->rssi,
5404 flags, info->data, eir_len, NULL, 0, 0);
5407 hci_dev_unlock(hdev);
5410 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5411 struct sk_buff *skb)
5413 struct hci_ev_key_refresh_complete *ev = data;
5414 struct hci_conn *conn;
5416 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5417 __le16_to_cpu(ev->handle));
5421 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5425 /* For BR/EDR the necessary steps are taken through the
5426 * auth_complete event.
5428 if (conn->type != LE_LINK)
5432 conn->sec_level = conn->pending_sec_level;
5434 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5436 if (ev->status && conn->state == BT_CONNECTED) {
5437 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5438 hci_conn_drop(conn);
5442 if (conn->state == BT_CONFIG) {
5444 conn->state = BT_CONNECTED;
5446 hci_connect_cfm(conn, ev->status);
5447 hci_conn_drop(conn);
5449 hci_auth_cfm(conn, ev->status);
5451 hci_conn_hold(conn);
5452 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5453 hci_conn_drop(conn);
5457 hci_dev_unlock(hdev);
5460 static u8 hci_get_auth_req(struct hci_conn *conn)
5463 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
5464 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5465 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5466 return HCI_AT_GENERAL_BONDING_MITM;
5470 /* If remote requests no-bonding follow that lead */
5471 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5472 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5473 return conn->remote_auth | (conn->auth_type & 0x01);
5475 /* If both remote and local have enough IO capabilities, require
5478 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5479 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5480 return conn->remote_auth | 0x01;
5482 /* No MITM protection possible so ignore remote requirement */
5483 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5486 static u8 bredr_oob_data_present(struct hci_conn *conn)
5488 struct hci_dev *hdev = conn->hdev;
5489 struct oob_data *data;
5491 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5495 if (bredr_sc_enabled(hdev)) {
5496 /* When Secure Connections is enabled, then just
5497 * return the present value stored with the OOB
5498 * data. The stored value contains the right present
5499 * information. However it can only be trusted when
5500 * not in Secure Connection Only mode.
5502 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5503 return data->present;
5505 /* When Secure Connections Only mode is enabled, then
5506 * the P-256 values are required. If they are not
5507 * available, then do not declare that OOB data is
5510 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5511 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5517 /* When Secure Connections is not enabled or actually
5518 * not supported by the hardware, then check that if
5519 * P-192 data values are present.
5521 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5522 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5528 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5529 struct sk_buff *skb)
5531 struct hci_ev_io_capa_request *ev = data;
5532 struct hci_conn *conn;
5534 bt_dev_dbg(hdev, "");
5538 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5539 if (!conn || !hci_conn_ssp_enabled(conn))
5542 hci_conn_hold(conn);
5544 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5547 /* Allow pairing if we're pairable, the initiators of the
5548 * pairing or if the remote is not requesting bonding.
5550 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5551 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5552 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5553 struct hci_cp_io_capability_reply cp;
5555 bacpy(&cp.bdaddr, &ev->bdaddr);
5556 /* Change the IO capability from KeyboardDisplay
5557 * to DisplayYesNo as it is not supported by BT spec. */
5558 cp.capability = (conn->io_capability == 0x04) ?
5559 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5561 /* If we are initiators, there is no remote information yet */
5562 if (conn->remote_auth == 0xff) {
5563 /* Request MITM protection if our IO caps allow it
5564 * except for the no-bonding case.
5566 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5567 conn->auth_type != HCI_AT_NO_BONDING)
5568 conn->auth_type |= 0x01;
5570 conn->auth_type = hci_get_auth_req(conn);
5573 /* If we're not bondable, force one of the non-bondable
5574 * authentication requirement values.
5576 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5577 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5579 cp.authentication = conn->auth_type;
5580 cp.oob_data = bredr_oob_data_present(conn);
5582 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5585 struct hci_cp_io_capability_neg_reply cp;
5587 bacpy(&cp.bdaddr, &ev->bdaddr);
5588 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5590 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5595 hci_dev_unlock(hdev);
5598 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5599 struct sk_buff *skb)
5601 struct hci_ev_io_capa_reply *ev = data;
5602 struct hci_conn *conn;
5604 bt_dev_dbg(hdev, "");
5608 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5612 conn->remote_cap = ev->capability;
5613 conn->remote_auth = ev->authentication;
5616 hci_dev_unlock(hdev);
5619 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5620 struct sk_buff *skb)
5622 struct hci_ev_user_confirm_req *ev = data;
5623 int loc_mitm, rem_mitm, confirm_hint = 0;
5624 struct hci_conn *conn;
5626 bt_dev_dbg(hdev, "");
5630 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5633 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5637 loc_mitm = (conn->auth_type & 0x01);
5638 rem_mitm = (conn->remote_auth & 0x01);
5640 /* If we require MITM but the remote device can't provide that
5641 * (it has NoInputNoOutput) then reject the confirmation
5642 * request. We check the security level here since it doesn't
5643 * necessarily match conn->auth_type.
5645 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5646 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5647 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5648 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5649 sizeof(ev->bdaddr), &ev->bdaddr);
5653 /* If no side requires MITM protection; auto-accept */
5654 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5655 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5657 /* If we're not the initiators request authorization to
5658 * proceed from user space (mgmt_user_confirm with
5659 * confirm_hint set to 1). The exception is if neither
5660 * side had MITM or if the local IO capability is
5661 * NoInputNoOutput, in which case we do auto-accept
5663 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5664 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5665 (loc_mitm || rem_mitm)) {
5666 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5671 /* If there already exists link key in local host, leave the
5672 * decision to user space since the remote device could be
5673 * legitimate or malicious.
5675 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5676 bt_dev_dbg(hdev, "Local host already has link key");
5681 BT_DBG("Auto-accept of user confirmation with %ums delay",
5682 hdev->auto_accept_delay);
5684 if (hdev->auto_accept_delay > 0) {
5685 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5686 queue_delayed_work(conn->hdev->workqueue,
5687 &conn->auto_accept_work, delay);
5691 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5692 sizeof(ev->bdaddr), &ev->bdaddr);
5697 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5698 le32_to_cpu(ev->passkey), confirm_hint);
5701 hci_dev_unlock(hdev);
5704 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5705 struct sk_buff *skb)
5707 struct hci_ev_user_passkey_req *ev = data;
5709 bt_dev_dbg(hdev, "");
5711 if (hci_dev_test_flag(hdev, HCI_MGMT))
5712 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5715 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5716 struct sk_buff *skb)
5718 struct hci_ev_user_passkey_notify *ev = data;
5719 struct hci_conn *conn;
5721 bt_dev_dbg(hdev, "");
5723 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5727 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5728 conn->passkey_entered = 0;
5730 if (hci_dev_test_flag(hdev, HCI_MGMT))
5731 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5732 conn->dst_type, conn->passkey_notify,
5733 conn->passkey_entered);
5736 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5737 struct sk_buff *skb)
5739 struct hci_ev_keypress_notify *ev = data;
5740 struct hci_conn *conn;
5742 bt_dev_dbg(hdev, "");
5744 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5749 case HCI_KEYPRESS_STARTED:
5750 conn->passkey_entered = 0;
5753 case HCI_KEYPRESS_ENTERED:
5754 conn->passkey_entered++;
5757 case HCI_KEYPRESS_ERASED:
5758 conn->passkey_entered--;
5761 case HCI_KEYPRESS_CLEARED:
5762 conn->passkey_entered = 0;
5765 case HCI_KEYPRESS_COMPLETED:
5769 if (hci_dev_test_flag(hdev, HCI_MGMT))
5770 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5771 conn->dst_type, conn->passkey_notify,
5772 conn->passkey_entered);
5775 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5776 struct sk_buff *skb)
5778 struct hci_ev_simple_pair_complete *ev = data;
5779 struct hci_conn *conn;
5781 bt_dev_dbg(hdev, "");
5785 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5786 if (!conn || !hci_conn_ssp_enabled(conn))
5789 /* Reset the authentication requirement to unknown */
5790 conn->remote_auth = 0xff;
5792 /* To avoid duplicate auth_failed events to user space we check
5793 * the HCI_CONN_AUTH_PEND flag which will be set if we
5794 * initiated the authentication. A traditional auth_complete
5795 * event gets always produced as initiator and is also mapped to
5796 * the mgmt_auth_failed event */
5797 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5798 mgmt_auth_failed(conn, ev->status);
5800 hci_conn_drop(conn);
5803 hci_dev_unlock(hdev);
5806 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5807 struct sk_buff *skb)
5809 struct hci_ev_remote_host_features *ev = data;
5810 struct inquiry_entry *ie;
5811 struct hci_conn *conn;
5813 bt_dev_dbg(hdev, "");
5817 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5819 memcpy(conn->features[1], ev->features, 8);
5821 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5823 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5825 hci_dev_unlock(hdev);
5828 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5829 struct sk_buff *skb)
5831 struct hci_ev_remote_oob_data_request *ev = edata;
5832 struct oob_data *data;
5834 bt_dev_dbg(hdev, "");
5838 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5841 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5843 struct hci_cp_remote_oob_data_neg_reply cp;
5845 bacpy(&cp.bdaddr, &ev->bdaddr);
5846 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5851 if (bredr_sc_enabled(hdev)) {
5852 struct hci_cp_remote_oob_ext_data_reply cp;
5854 bacpy(&cp.bdaddr, &ev->bdaddr);
5855 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5856 memset(cp.hash192, 0, sizeof(cp.hash192));
5857 memset(cp.rand192, 0, sizeof(cp.rand192));
5859 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5860 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5862 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5863 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5865 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5868 struct hci_cp_remote_oob_data_reply cp;
5870 bacpy(&cp.bdaddr, &ev->bdaddr);
5871 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5872 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5874 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5879 hci_dev_unlock(hdev);
5882 #if IS_ENABLED(CONFIG_BT_HS)
5883 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5884 struct sk_buff *skb)
5886 struct hci_ev_channel_selected *ev = data;
5887 struct hci_conn *hcon;
5889 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5891 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5895 amp_read_loc_assoc_final_data(hdev, hcon);
5898 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5899 struct sk_buff *skb)
5901 struct hci_ev_phy_link_complete *ev = data;
5902 struct hci_conn *hcon, *bredr_hcon;
5904 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5909 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5921 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5923 hcon->state = BT_CONNECTED;
5924 bacpy(&hcon->dst, &bredr_hcon->dst);
5926 hci_conn_hold(hcon);
5927 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5928 hci_conn_drop(hcon);
5930 hci_debugfs_create_conn(hcon);
5931 hci_conn_add_sysfs(hcon);
5933 amp_physical_cfm(bredr_hcon, hcon);
5936 hci_dev_unlock(hdev);
5939 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5940 struct sk_buff *skb)
5942 struct hci_ev_logical_link_complete *ev = data;
5943 struct hci_conn *hcon;
5944 struct hci_chan *hchan;
5945 struct amp_mgr *mgr;
5947 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5948 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5950 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5954 /* Create AMP hchan */
5955 hchan = hci_chan_create(hcon);
5959 hchan->handle = le16_to_cpu(ev->handle);
5962 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5964 mgr = hcon->amp_mgr;
5965 if (mgr && mgr->bredr_chan) {
5966 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5968 l2cap_chan_lock(bredr_chan);
5970 bredr_chan->conn->mtu = hdev->block_mtu;
5971 l2cap_logical_cfm(bredr_chan, hchan, 0);
5972 hci_conn_hold(hcon);
5974 l2cap_chan_unlock(bredr_chan);
5978 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5979 struct sk_buff *skb)
5981 struct hci_ev_disconn_logical_link_complete *ev = data;
5982 struct hci_chan *hchan;
5984 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5985 le16_to_cpu(ev->handle), ev->status);
5992 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5993 if (!hchan || !hchan->amp)
5996 amp_destroy_logical_link(hchan, ev->reason);
5999 hci_dev_unlock(hdev);
6002 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
6003 struct sk_buff *skb)
6005 struct hci_ev_disconn_phy_link_complete *ev = data;
6006 struct hci_conn *hcon;
6008 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6015 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
6016 if (hcon && hcon->type == AMP_LINK) {
6017 hcon->state = BT_CLOSED;
6018 hci_disconn_cfm(hcon, ev->reason);
6022 hci_dev_unlock(hdev);
6026 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
6027 u8 bdaddr_type, bdaddr_t *local_rpa)
6030 conn->dst_type = bdaddr_type;
6031 conn->resp_addr_type = bdaddr_type;
6032 bacpy(&conn->resp_addr, bdaddr);
6034 /* Check if the controller has set a Local RPA then it must be
6035 * used instead or hdev->rpa.
6037 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6038 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6039 bacpy(&conn->init_addr, local_rpa);
6040 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
6041 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6042 bacpy(&conn->init_addr, &conn->hdev->rpa);
6044 hci_copy_identity_address(conn->hdev, &conn->init_addr,
6045 &conn->init_addr_type);
6048 conn->resp_addr_type = conn->hdev->adv_addr_type;
6049 /* Check if the controller has set a Local RPA then it must be
6050 * used instead or hdev->rpa.
6052 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6053 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
6054 bacpy(&conn->resp_addr, local_rpa);
6055 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
6056 /* In case of ext adv, resp_addr will be updated in
6057 * Adv Terminated event.
6059 if (!ext_adv_capable(conn->hdev))
6060 bacpy(&conn->resp_addr,
6061 &conn->hdev->random_addr);
6063 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
6066 conn->init_addr_type = bdaddr_type;
6067 bacpy(&conn->init_addr, bdaddr);
6069 /* For incoming connections, set the default minimum
6070 * and maximum connection interval. They will be used
6071 * to check if the parameters are in range and if not
6072 * trigger the connection update procedure.
6074 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
6075 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
6079 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
6080 bdaddr_t *bdaddr, u8 bdaddr_type,
6081 bdaddr_t *local_rpa, u8 role, u16 handle,
6082 u16 interval, u16 latency,
6083 u16 supervision_timeout)
6085 struct hci_conn_params *params;
6086 struct hci_conn *conn;
6087 struct smp_irk *irk;
6092 /* All controllers implicitly stop advertising in the event of a
6093 * connection, so ensure that the state bit is cleared.
6095 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6097 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
6099 /* In case of error status and there is no connection pending
6100 * just unlock as there is nothing to cleanup.
6105 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
6107 bt_dev_err(hdev, "no memory for new connection");
6111 conn->dst_type = bdaddr_type;
6113 /* If we didn't have a hci_conn object previously
6114 * but we're in central role this must be something
6115 * initiated using an accept list. Since accept list based
6116 * connections are not "first class citizens" we don't
6117 * have full tracking of them. Therefore, we go ahead
6118 * with a "best effort" approach of determining the
6119 * initiator address based on the HCI_PRIVACY flag.
6122 conn->resp_addr_type = bdaddr_type;
6123 bacpy(&conn->resp_addr, bdaddr);
6124 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6125 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6126 bacpy(&conn->init_addr, &hdev->rpa);
6128 hci_copy_identity_address(hdev,
6130 &conn->init_addr_type);
6135 /* LE auto connect */
6136 bacpy(&conn->dst, bdaddr);
6138 cancel_delayed_work(&conn->le_conn_timeout);
6141 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6142 * Processing it more than once per connection can corrupt kernel memory.
6144 * As the connection handle is set here for the first time, it indicates
6145 * whether the connection is already set up.
6147 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
6148 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6152 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6154 /* Lookup the identity address from the stored connection
6155 * address and address type.
6157 * When establishing connections to an identity address, the
6158 * connection procedure will store the resolvable random
6159 * address first. Now if it can be converted back into the
6160 * identity address, start using the identity address from
6163 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6165 bacpy(&conn->dst, &irk->bdaddr);
6166 conn->dst_type = irk->addr_type;
6169 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6171 /* All connection failure handling is taken care of by the
6172 * hci_conn_failed function which is triggered by the HCI
6173 * request completion callbacks used for connecting.
6175 if (status || hci_conn_set_handle(conn, handle))
6178 /* Drop the connection if it has been aborted */
6179 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6180 hci_conn_drop(conn);
6184 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6185 addr_type = BDADDR_LE_PUBLIC;
6187 addr_type = BDADDR_LE_RANDOM;
6189 /* Drop the connection if the device is blocked */
6190 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6191 hci_conn_drop(conn);
6195 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6196 mgmt_device_connected(hdev, conn, NULL, 0);
6198 conn->sec_level = BT_SECURITY_LOW;
6199 conn->state = BT_CONFIG;
6201 /* Store current advertising instance as connection advertising instance
6202 * when sotfware rotation is in use so it can be re-enabled when
6205 if (!ext_adv_capable(hdev))
6206 conn->adv_instance = hdev->cur_adv_instance;
6208 conn->le_conn_interval = interval;
6209 conn->le_conn_latency = latency;
6210 conn->le_supv_timeout = supervision_timeout;
6212 hci_debugfs_create_conn(conn);
6213 hci_conn_add_sysfs(conn);
6215 /* The remote features procedure is defined for central
6216 * role only. So only in case of an initiated connection
6217 * request the remote features.
6219 * If the local controller supports peripheral-initiated features
6220 * exchange, then requesting the remote features in peripheral
6221 * role is possible. Otherwise just transition into the
6222 * connected state without requesting the remote features.
6225 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6226 struct hci_cp_le_read_remote_features cp;
6228 cp.handle = __cpu_to_le16(conn->handle);
6230 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6233 hci_conn_hold(conn);
6235 conn->state = BT_CONNECTED;
6236 hci_connect_cfm(conn, status);
6239 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6242 hci_pend_le_list_del_init(params);
6244 hci_conn_drop(params->conn);
6245 hci_conn_put(params->conn);
6246 params->conn = NULL;
6251 hci_update_passive_scan(hdev);
6252 hci_dev_unlock(hdev);
6255 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6256 struct sk_buff *skb)
6258 struct hci_ev_le_conn_complete *ev = data;
6260 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6262 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6263 NULL, ev->role, le16_to_cpu(ev->handle),
6264 le16_to_cpu(ev->interval),
6265 le16_to_cpu(ev->latency),
6266 le16_to_cpu(ev->supervision_timeout));
6269 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6270 struct sk_buff *skb)
6272 struct hci_ev_le_enh_conn_complete *ev = data;
6274 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6276 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6277 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6278 le16_to_cpu(ev->interval),
6279 le16_to_cpu(ev->latency),
6280 le16_to_cpu(ev->supervision_timeout));
6283 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6284 struct sk_buff *skb)
6286 struct hci_evt_le_ext_adv_set_term *ev = data;
6287 struct hci_conn *conn;
6288 struct adv_info *adv, *n;
6290 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6292 /* The Bluetooth Core 5.3 specification clearly states that this event
6293 * shall not be sent when the Host disables the advertising set. So in
6294 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6296 * When the Host disables an advertising set, all cleanup is done via
6297 * its command callback and not needed to be duplicated here.
6299 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6300 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6306 adv = hci_find_adv_instance(hdev, ev->handle);
6312 /* Remove advertising as it has been terminated */
6313 hci_remove_adv_instance(hdev, ev->handle);
6314 mgmt_advertising_removed(NULL, hdev, ev->handle);
6316 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6321 /* We are no longer advertising, clear HCI_LE_ADV */
6322 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6327 adv->enabled = false;
6329 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6331 /* Store handle in the connection so the correct advertising
6332 * instance can be re-enabled when disconnected.
6334 conn->adv_instance = ev->handle;
6336 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6337 bacmp(&conn->resp_addr, BDADDR_ANY))
6341 bacpy(&conn->resp_addr, &hdev->random_addr);
6346 bacpy(&conn->resp_addr, &adv->random_addr);
6350 hci_dev_unlock(hdev);
6353 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6354 struct sk_buff *skb)
6356 struct hci_ev_le_conn_update_complete *ev = data;
6357 struct hci_conn *conn;
6359 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6366 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6370 hci_dev_unlock(hdev);
6371 mgmt_le_conn_update_failed(hdev, &conn->dst,
6372 conn->type, conn->dst_type, ev->status);
6376 conn->le_conn_interval = le16_to_cpu(ev->interval);
6377 conn->le_conn_latency = le16_to_cpu(ev->latency);
6378 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6381 hci_dev_unlock(hdev);
6384 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6385 conn->dst_type, conn->le_conn_interval,
6386 conn->le_conn_latency, conn->le_supv_timeout);
6390 /* This function requires the caller holds hdev->lock */
6391 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6393 u8 addr_type, bool addr_resolved,
6396 struct hci_conn *conn;
6397 struct hci_conn_params *params;
6399 /* If the event is not connectable don't proceed further */
6400 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6403 /* Ignore if the device is blocked or hdev is suspended */
6404 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6408 /* Most controller will fail if we try to create new connections
6409 * while we have an existing one in peripheral role.
6411 if (hdev->conn_hash.le_num_peripheral > 0 &&
6412 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6413 !(hdev->le_states[3] & 0x10)))
6416 /* If we're not connectable only connect devices that we have in
6417 * our pend_le_conns list.
6419 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6424 if (!params->explicit_connect) {
6425 switch (params->auto_connect) {
6426 case HCI_AUTO_CONN_DIRECT:
6427 /* Only devices advertising with ADV_DIRECT_IND are
6428 * triggering a connection attempt. This is allowing
6429 * incoming connections from peripheral devices.
6431 if (adv_type != LE_ADV_DIRECT_IND)
6434 case HCI_AUTO_CONN_ALWAYS:
6435 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6436 * are triggering a connection attempt. This means
6437 * that incoming connections from peripheral device are
6438 * accepted and also outgoing connections to peripheral
6439 * devices are established when found.
6447 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6448 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6450 if (!IS_ERR(conn)) {
6451 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6452 * by higher layer that tried to connect, if no then
6453 * store the pointer since we don't really have any
6454 * other owner of the object besides the params that
6455 * triggered it. This way we can abort the connection if
6456 * the parameters get removed and keep the reference
6457 * count consistent once the connection is established.
6460 if (!params->explicit_connect)
6461 params->conn = hci_conn_get(conn);
6466 switch (PTR_ERR(conn)) {
6468 /* If hci_connect() returns -EBUSY it means there is already
6469 * an LE connection attempt going on. Since controllers don't
6470 * support more than one connection attempt at the time, we
6471 * don't consider this an error case.
6475 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6482 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6483 u8 bdaddr_type, bdaddr_t *direct_addr,
6484 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6485 bool ext_adv, bool ctl_time, u64 instant)
6488 struct discovery_state *d = &hdev->discovery;
6491 struct smp_irk *irk;
6492 struct hci_conn *conn;
6493 bool bdaddr_resolved;
6499 case LE_ADV_DIRECT_IND:
6500 case LE_ADV_SCAN_IND:
6501 case LE_ADV_NONCONN_IND:
6502 case LE_ADV_SCAN_RSP:
6505 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6506 "type: 0x%02x", type);
6510 if (len > max_adv_len(hdev)) {
6511 bt_dev_err_ratelimited(hdev,
6512 "adv larger than maximum supported");
6516 /* Find the end of the data in case the report contains padded zero
6517 * bytes at the end causing an invalid length value.
6519 * When data is NULL, len is 0 so there is no need for extra ptr
6520 * check as 'ptr < data + 0' is already false in such case.
6522 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6523 if (ptr + 1 + *ptr > data + len)
6527 /* Adjust for actual length. This handles the case when remote
6528 * device is advertising with incorrect data length.
6532 /* If the direct address is present, then this report is from
6533 * a LE Direct Advertising Report event. In that case it is
6534 * important to see if the address is matching the local
6535 * controller address.
6537 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6538 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6541 /* Only resolvable random addresses are valid for these
6542 * kind of reports and others can be ignored.
6544 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6547 /* If the controller is not using resolvable random
6548 * addresses, then this report can be ignored.
6550 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6553 /* If the local IRK of the controller does not match
6554 * with the resolvable random address provided, then
6555 * this report can be ignored.
6557 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6561 /* Check if we need to convert to identity address */
6562 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6564 bdaddr = &irk->bdaddr;
6565 bdaddr_type = irk->addr_type;
6568 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6570 /* Check if we have been requested to connect to this device.
6572 * direct_addr is set only for directed advertising reports (it is NULL
6573 * for advertising reports) and is already verified to be RPA above.
6575 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6577 if (!ext_adv && conn && type == LE_ADV_IND &&
6578 len <= max_adv_len(hdev)) {
6579 /* Store report for later inclusion by
6580 * mgmt_device_connected
6582 memcpy(conn->le_adv_data, data, len);
6583 conn->le_adv_data_len = len;
6586 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6587 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6591 /* All scan results should be sent up for Mesh systems */
6592 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6593 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6594 rssi, flags, data, len, NULL, 0, instant);
6598 /* Passive scanning shouldn't trigger any device found events,
6599 * except for devices marked as CONN_REPORT for which we do send
6600 * device found events, or advertisement monitoring requested.
6602 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6603 if (type == LE_ADV_DIRECT_IND)
6607 /* Handle all adv packet in platform */
6608 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6609 bdaddr, bdaddr_type) &&
6610 idr_is_empty(&hdev->adv_monitors_idr))
6615 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6616 rssi, flags, data, len, NULL, 0, type);
6618 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6619 rssi, flags, data, len, NULL, 0, 0);
6624 /* When receiving a scan response, then there is no way to
6625 * know if the remote device is connectable or not. However
6626 * since scan responses are merged with a previously seen
6627 * advertising report, the flags field from that report
6630 * In the unlikely case that a controller just sends a scan
6631 * response event that doesn't match the pending report, then
6632 * it is marked as a standalone SCAN_RSP.
6634 if (type == LE_ADV_SCAN_RSP)
6635 flags = MGMT_DEV_FOUND_SCAN_RSP;
6638 /* Disable adv ind and scan rsp merging */
6639 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6640 rssi, flags, data, len, NULL, 0, type);
6642 /* If there's nothing pending either store the data from this
6643 * event or send an immediate device found event if the data
6644 * should not be stored for later.
6646 if (!ext_adv && !has_pending_adv_report(hdev)) {
6647 /* If the report will trigger a SCAN_REQ store it for
6650 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6651 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6652 rssi, flags, data, len);
6656 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6657 rssi, flags, data, len, NULL, 0, 0);
6661 /* Check if the pending report is for the same device as the new one */
6662 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6663 bdaddr_type == d->last_adv_addr_type);
6665 /* If the pending data doesn't match this report or this isn't a
6666 * scan response (e.g. we got a duplicate ADV_IND) then force
6667 * sending of the pending data.
6669 if (type != LE_ADV_SCAN_RSP || !match) {
6670 /* Send out whatever is in the cache, but skip duplicates */
6672 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6673 d->last_adv_addr_type, NULL,
6674 d->last_adv_rssi, d->last_adv_flags,
6676 d->last_adv_data_len, NULL, 0, 0);
6678 /* If the new report will trigger a SCAN_REQ store it for
6681 if (!ext_adv && (type == LE_ADV_IND ||
6682 type == LE_ADV_SCAN_IND)) {
6683 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6684 rssi, flags, data, len);
6688 /* The advertising reports cannot be merged, so clear
6689 * the pending report and send out a device found event.
6691 clear_pending_adv_report(hdev);
6692 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6693 rssi, flags, data, len, NULL, 0, 0);
6697 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6698 * the new event is a SCAN_RSP. We can therefore proceed with
6699 * sending a merged device found event.
6701 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6702 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6703 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6704 clear_pending_adv_report(hdev);
6708 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6709 struct sk_buff *skb)
6711 struct hci_ev_le_advertising_report *ev = data;
6712 u64 instant = jiffies;
6720 struct hci_ev_le_advertising_info *info;
6723 info = hci_le_ev_skb_pull(hdev, skb,
6724 HCI_EV_LE_ADVERTISING_REPORT,
6729 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6733 if (info->length <= max_adv_len(hdev)) {
6734 rssi = info->data[info->length];
6735 process_adv_report(hdev, info->type, &info->bdaddr,
6736 info->bdaddr_type, NULL, 0, rssi,
6737 info->data, info->length, false,
6740 bt_dev_err(hdev, "Dropping invalid advertising data");
6744 hci_dev_unlock(hdev);
6747 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6749 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6751 case LE_LEGACY_ADV_IND:
6753 case LE_LEGACY_ADV_DIRECT_IND:
6754 return LE_ADV_DIRECT_IND;
6755 case LE_LEGACY_ADV_SCAN_IND:
6756 return LE_ADV_SCAN_IND;
6757 case LE_LEGACY_NONCONN_IND:
6758 return LE_ADV_NONCONN_IND;
6759 case LE_LEGACY_SCAN_RSP_ADV:
6760 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6761 return LE_ADV_SCAN_RSP;
6767 if (evt_type & LE_EXT_ADV_CONN_IND) {
6768 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6769 return LE_ADV_DIRECT_IND;
6774 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6775 return LE_ADV_SCAN_RSP;
6777 if (evt_type & LE_EXT_ADV_SCAN_IND)
6778 return LE_ADV_SCAN_IND;
6780 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6781 evt_type & LE_EXT_ADV_DIRECT_IND)
6782 return LE_ADV_NONCONN_IND;
6785 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6788 return LE_ADV_INVALID;
6791 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6792 struct sk_buff *skb)
6794 struct hci_ev_le_ext_adv_report *ev = data;
6795 u64 instant = jiffies;
6803 struct hci_ev_le_ext_adv_info *info;
6807 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6812 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6816 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6817 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6818 if (legacy_evt_type != LE_ADV_INVALID) {
6819 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6820 info->bdaddr_type, NULL, 0,
6821 info->rssi, info->data, info->length,
6822 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6827 hci_dev_unlock(hdev);
6830 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6832 struct hci_cp_le_pa_term_sync cp;
6834 memset(&cp, 0, sizeof(cp));
6837 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6840 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6841 struct sk_buff *skb)
6843 struct hci_ev_le_pa_sync_established *ev = data;
6844 int mask = hdev->link_mode;
6846 struct hci_conn *pa_sync;
6848 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6852 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6854 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6855 if (!(mask & HCI_LM_ACCEPT)) {
6856 hci_le_pa_term_sync(hdev, ev->handle);
6860 if (!(flags & HCI_PROTO_DEFER))
6864 /* Add connection to indicate the failed PA sync event */
6865 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6871 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6873 /* Notify iso layer */
6874 hci_connect_cfm(pa_sync, ev->status);
6878 hci_dev_unlock(hdev);
6881 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6882 struct sk_buff *skb)
6884 struct hci_ev_le_per_adv_report *ev = data;
6885 int mask = hdev->link_mode;
6888 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6892 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6893 if (!(mask & HCI_LM_ACCEPT))
6894 hci_le_pa_term_sync(hdev, ev->sync_handle);
6896 hci_dev_unlock(hdev);
6899 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6900 struct sk_buff *skb)
6902 struct hci_ev_le_remote_feat_complete *ev = data;
6903 struct hci_conn *conn;
6905 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6909 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6912 memcpy(conn->features[0], ev->features, 8);
6914 if (conn->state == BT_CONFIG) {
6917 /* If the local controller supports peripheral-initiated
6918 * features exchange, but the remote controller does
6919 * not, then it is possible that the error code 0x1a
6920 * for unsupported remote feature gets returned.
6922 * In this specific case, allow the connection to
6923 * transition into connected state and mark it as
6926 if (!conn->out && ev->status == 0x1a &&
6927 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6930 status = ev->status;
6932 conn->state = BT_CONNECTED;
6933 hci_connect_cfm(conn, status);
6934 hci_conn_drop(conn);
6938 hci_dev_unlock(hdev);
6941 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6942 struct sk_buff *skb)
6944 struct hci_ev_le_ltk_req *ev = data;
6945 struct hci_cp_le_ltk_reply cp;
6946 struct hci_cp_le_ltk_neg_reply neg;
6947 struct hci_conn *conn;
6948 struct smp_ltk *ltk;
6950 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6954 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6958 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6962 if (smp_ltk_is_sc(ltk)) {
6963 /* With SC both EDiv and Rand are set to zero */
6964 if (ev->ediv || ev->rand)
6967 /* For non-SC keys check that EDiv and Rand match */
6968 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6972 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6973 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6974 cp.handle = cpu_to_le16(conn->handle);
6976 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6978 conn->enc_key_size = ltk->enc_size;
6980 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6982 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6983 * temporary key used to encrypt a connection following
6984 * pairing. It is used during the Encrypted Session Setup to
6985 * distribute the keys. Later, security can be re-established
6986 * using a distributed LTK.
6988 if (ltk->type == SMP_STK) {
6989 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6990 list_del_rcu(<k->list);
6991 kfree_rcu(ltk, rcu);
6993 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6996 hci_dev_unlock(hdev);
7001 neg.handle = ev->handle;
7002 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
7003 hci_dev_unlock(hdev);
7006 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
7009 struct hci_cp_le_conn_param_req_neg_reply cp;
7011 cp.handle = cpu_to_le16(handle);
7014 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
7018 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
7019 struct sk_buff *skb)
7021 struct hci_ev_le_remote_conn_param_req *ev = data;
7022 struct hci_cp_le_conn_param_req_reply cp;
7023 struct hci_conn *hcon;
7024 u16 handle, min, max, latency, timeout;
7026 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
7028 handle = le16_to_cpu(ev->handle);
7029 min = le16_to_cpu(ev->interval_min);
7030 max = le16_to_cpu(ev->interval_max);
7031 latency = le16_to_cpu(ev->latency);
7032 timeout = le16_to_cpu(ev->timeout);
7034 hcon = hci_conn_hash_lookup_handle(hdev, handle);
7035 if (!hcon || hcon->state != BT_CONNECTED)
7036 return send_conn_param_neg_reply(hdev, handle,
7037 HCI_ERROR_UNKNOWN_CONN_ID);
7039 if (hci_check_conn_params(min, max, latency, timeout))
7040 return send_conn_param_neg_reply(hdev, handle,
7041 HCI_ERROR_INVALID_LL_PARAMS);
7043 if (hcon->role == HCI_ROLE_MASTER) {
7044 struct hci_conn_params *params;
7049 params = hci_conn_params_lookup(hdev, &hcon->dst,
7052 params->conn_min_interval = min;
7053 params->conn_max_interval = max;
7054 params->conn_latency = latency;
7055 params->supervision_timeout = timeout;
7061 hci_dev_unlock(hdev);
7063 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
7064 store_hint, min, max, latency, timeout);
7067 cp.handle = ev->handle;
7068 cp.interval_min = ev->interval_min;
7069 cp.interval_max = ev->interval_max;
7070 cp.latency = ev->latency;
7071 cp.timeout = ev->timeout;
7075 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
7078 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
7079 struct sk_buff *skb)
7081 struct hci_ev_le_direct_adv_report *ev = data;
7082 u64 instant = jiffies;
7085 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
7086 flex_array_size(ev, info, ev->num)))
7094 for (i = 0; i < ev->num; i++) {
7095 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
7097 process_adv_report(hdev, info->type, &info->bdaddr,
7098 info->bdaddr_type, &info->direct_addr,
7099 info->direct_addr_type, info->rssi, NULL, 0,
7100 false, false, instant);
7103 hci_dev_unlock(hdev);
7106 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
7107 struct sk_buff *skb)
7109 struct hci_ev_le_phy_update_complete *ev = data;
7110 struct hci_conn *conn;
7112 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7119 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7123 conn->le_tx_phy = ev->tx_phy;
7124 conn->le_rx_phy = ev->rx_phy;
7127 hci_dev_unlock(hdev);
7130 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7131 struct sk_buff *skb)
7133 struct hci_evt_le_cis_established *ev = data;
7134 struct hci_conn *conn;
7135 struct bt_iso_qos *qos;
7136 bool pending = false;
7137 u16 handle = __le16_to_cpu(ev->handle);
7139 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7143 conn = hci_conn_hash_lookup_handle(hdev, handle);
7146 "Unable to find connection with handle 0x%4.4x",
7151 if (conn->type != ISO_LINK) {
7153 "Invalid connection link type handle 0x%4.4x",
7158 qos = &conn->iso_qos;
7160 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
7162 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
7163 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
7164 qos->ucast.out.interval = qos->ucast.in.interval;
7166 switch (conn->role) {
7167 case HCI_ROLE_SLAVE:
7168 /* Convert Transport Latency (us) to Latency (msec) */
7169 qos->ucast.in.latency =
7170 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7172 qos->ucast.out.latency =
7173 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7175 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
7176 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
7177 qos->ucast.in.phy = ev->c_phy;
7178 qos->ucast.out.phy = ev->p_phy;
7180 case HCI_ROLE_MASTER:
7181 /* Convert Transport Latency (us) to Latency (msec) */
7182 qos->ucast.out.latency =
7183 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7185 qos->ucast.in.latency =
7186 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7188 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
7189 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
7190 qos->ucast.out.phy = ev->c_phy;
7191 qos->ucast.in.phy = ev->p_phy;
7196 conn->state = BT_CONNECTED;
7197 hci_debugfs_create_conn(conn);
7198 hci_conn_add_sysfs(conn);
7199 hci_iso_setup_path(conn);
7203 conn->state = BT_CLOSED;
7204 hci_connect_cfm(conn, ev->status);
7209 hci_le_create_cis_pending(hdev);
7211 hci_dev_unlock(hdev);
7214 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7216 struct hci_cp_le_reject_cis cp;
7218 memset(&cp, 0, sizeof(cp));
7220 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7221 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7224 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7226 struct hci_cp_le_accept_cis cp;
7228 memset(&cp, 0, sizeof(cp));
7230 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7233 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7234 struct sk_buff *skb)
7236 struct hci_evt_le_cis_req *ev = data;
7237 u16 acl_handle, cis_handle;
7238 struct hci_conn *acl, *cis;
7242 acl_handle = __le16_to_cpu(ev->acl_handle);
7243 cis_handle = __le16_to_cpu(ev->cis_handle);
7245 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7246 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7250 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7254 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7255 if (!(mask & HCI_LM_ACCEPT)) {
7256 hci_le_reject_cis(hdev, ev->cis_handle);
7260 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7262 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7265 hci_le_reject_cis(hdev, ev->cis_handle);
7270 cis->iso_qos.ucast.cig = ev->cig_id;
7271 cis->iso_qos.ucast.cis = ev->cis_id;
7273 if (!(flags & HCI_PROTO_DEFER)) {
7274 hci_le_accept_cis(hdev, ev->cis_handle);
7276 cis->state = BT_CONNECT2;
7277 hci_connect_cfm(cis, 0);
7281 hci_dev_unlock(hdev);
7284 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7286 u8 handle = PTR_UINT(data);
7288 return hci_le_terminate_big_sync(hdev, handle,
7289 HCI_ERROR_LOCAL_HOST_TERM);
7292 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7293 struct sk_buff *skb)
7295 struct hci_evt_le_create_big_complete *ev = data;
7296 struct hci_conn *conn;
7299 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7301 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7302 flex_array_size(ev, bis_handle, ev->num_bis)))
7308 /* Connect all BISes that are bound to the BIG */
7309 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7310 if (bacmp(&conn->dst, BDADDR_ANY) ||
7311 conn->type != ISO_LINK ||
7312 conn->iso_qos.bcast.big != ev->handle)
7315 if (hci_conn_set_handle(conn,
7316 __le16_to_cpu(ev->bis_handle[i++])))
7320 conn->state = BT_CONNECTED;
7321 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7323 hci_debugfs_create_conn(conn);
7324 hci_conn_add_sysfs(conn);
7325 hci_iso_setup_path(conn);
7330 hci_connect_cfm(conn, ev->status);
7338 if (!ev->status && !i)
7339 /* If no BISes have been connected for the BIG,
7340 * terminate. This is in case all bound connections
7341 * have been closed before the BIG creation
7344 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7345 UINT_PTR(ev->handle), NULL);
7347 hci_dev_unlock(hdev);
7350 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7351 struct sk_buff *skb)
7353 struct hci_evt_le_big_sync_estabilished *ev = data;
7354 struct hci_conn *bis;
7355 struct hci_conn *pa_sync;
7358 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7360 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7361 flex_array_size(ev, bis, ev->num_bis)))
7367 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7369 /* Also mark the BIG sync established event on the
7370 * associated PA sync hcon
7372 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7375 for (i = 0; i < ev->num_bis; i++) {
7376 u16 handle = le16_to_cpu(ev->bis[i]);
7379 bis = hci_conn_hash_lookup_handle(hdev, handle);
7381 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7382 HCI_ROLE_SLAVE, handle);
7387 if (ev->status != 0x42)
7388 /* Mark PA sync as established */
7389 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7391 bis->iso_qos.bcast.big = ev->handle;
7392 memset(&interval, 0, sizeof(interval));
7393 memcpy(&interval, ev->latency, sizeof(ev->latency));
7394 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7395 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7396 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7397 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7400 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7401 hci_iso_setup_path(bis);
7405 /* In case BIG sync failed, notify each failed connection to
7406 * the user after all hci connections have been added
7409 for (i = 0; i < ev->num_bis; i++) {
7410 u16 handle = le16_to_cpu(ev->bis[i]);
7412 bis = hci_conn_hash_lookup_handle(hdev, handle);
7414 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7415 hci_connect_cfm(bis, ev->status);
7418 hci_dev_unlock(hdev);
7421 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7422 struct sk_buff *skb)
7424 struct hci_evt_le_big_info_adv_report *ev = data;
7425 int mask = hdev->link_mode;
7427 struct hci_conn *pa_sync;
7429 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7433 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7434 if (!(mask & HCI_LM_ACCEPT)) {
7435 hci_le_pa_term_sync(hdev, ev->sync_handle);
7439 if (!(flags & HCI_PROTO_DEFER))
7442 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7444 le16_to_cpu(ev->sync_handle));
7449 /* Add connection to indicate the PA sync event */
7450 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7456 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7457 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7459 /* Notify iso layer */
7460 hci_connect_cfm(pa_sync, 0x00);
7463 hci_dev_unlock(hdev);
7466 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7469 .min_len = _min_len, \
7470 .max_len = _max_len, \
7473 #define HCI_LE_EV(_op, _func, _len) \
7474 HCI_LE_EV_VL(_op, _func, _len, _len)
7476 #define HCI_LE_EV_STATUS(_op, _func) \
7477 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7479 /* Entries in this table shall have their position according to the subevent
7480 * opcode they handle so the use of the macros above is recommend since it does
7481 * attempt to initialize at its proper index using Designated Initializers that
7482 * way events without a callback function can be ommited.
7484 static const struct hci_le_ev {
7485 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7488 } hci_le_ev_table[U8_MAX + 1] = {
7489 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7490 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7491 sizeof(struct hci_ev_le_conn_complete)),
7492 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7493 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7494 sizeof(struct hci_ev_le_advertising_report),
7495 HCI_MAX_EVENT_SIZE),
7496 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7497 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7498 hci_le_conn_update_complete_evt,
7499 sizeof(struct hci_ev_le_conn_update_complete)),
7500 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7501 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7502 hci_le_remote_feat_complete_evt,
7503 sizeof(struct hci_ev_le_remote_feat_complete)),
7504 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7505 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7506 sizeof(struct hci_ev_le_ltk_req)),
7507 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7508 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7509 hci_le_remote_conn_param_req_evt,
7510 sizeof(struct hci_ev_le_remote_conn_param_req)),
7511 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7512 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7513 hci_le_enh_conn_complete_evt,
7514 sizeof(struct hci_ev_le_enh_conn_complete)),
7515 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7516 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7517 sizeof(struct hci_ev_le_direct_adv_report),
7518 HCI_MAX_EVENT_SIZE),
7519 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7520 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7521 sizeof(struct hci_ev_le_phy_update_complete)),
7522 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7523 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7524 sizeof(struct hci_ev_le_ext_adv_report),
7525 HCI_MAX_EVENT_SIZE),
7526 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7527 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7528 hci_le_pa_sync_estabilished_evt,
7529 sizeof(struct hci_ev_le_pa_sync_established)),
7530 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7531 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7532 hci_le_per_adv_report_evt,
7533 sizeof(struct hci_ev_le_per_adv_report),
7534 HCI_MAX_EVENT_SIZE),
7535 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7536 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7537 sizeof(struct hci_evt_le_ext_adv_set_term)),
7538 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7539 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7540 sizeof(struct hci_evt_le_cis_established)),
7541 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7542 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7543 sizeof(struct hci_evt_le_cis_req)),
7544 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7545 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7546 hci_le_create_big_complete_evt,
7547 sizeof(struct hci_evt_le_create_big_complete),
7548 HCI_MAX_EVENT_SIZE),
7549 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7550 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7551 hci_le_big_sync_established_evt,
7552 sizeof(struct hci_evt_le_big_sync_estabilished),
7553 HCI_MAX_EVENT_SIZE),
7554 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7555 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7556 hci_le_big_info_adv_report_evt,
7557 sizeof(struct hci_evt_le_big_info_adv_report),
7558 HCI_MAX_EVENT_SIZE),
7561 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7562 struct sk_buff *skb, u16 *opcode, u8 *status,
7563 hci_req_complete_t *req_complete,
7564 hci_req_complete_skb_t *req_complete_skb)
7566 struct hci_ev_le_meta *ev = data;
7567 const struct hci_le_ev *subev;
7569 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7571 /* Only match event if command OGF is for LE */
7572 if (hdev->sent_cmd &&
7573 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7574 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7575 *opcode = hci_skb_opcode(hdev->sent_cmd);
7576 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7580 subev = &hci_le_ev_table[ev->subevent];
7584 if (skb->len < subev->min_len) {
7585 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7586 ev->subevent, skb->len, subev->min_len);
7590 /* Just warn if the length is over max_len size it still be
7591 * possible to partially parse the event so leave to callback to
7592 * decide if that is acceptable.
7594 if (skb->len > subev->max_len)
7595 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7596 ev->subevent, skb->len, subev->max_len);
7597 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7601 subev->func(hdev, data, skb);
7604 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7605 u8 event, struct sk_buff *skb)
7607 struct hci_ev_cmd_complete *ev;
7608 struct hci_event_hdr *hdr;
7613 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7618 if (hdr->evt != event)
7623 /* Check if request ended in Command Status - no way to retrieve
7624 * any extra parameters in this case.
7626 if (hdr->evt == HCI_EV_CMD_STATUS)
7629 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7630 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7635 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7639 if (opcode != __le16_to_cpu(ev->opcode)) {
7640 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7641 __le16_to_cpu(ev->opcode));
7648 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7649 struct sk_buff *skb)
7651 struct hci_ev_le_advertising_info *adv;
7652 struct hci_ev_le_direct_adv_info *direct_adv;
7653 struct hci_ev_le_ext_adv_info *ext_adv;
7654 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7655 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7659 /* If we are currently suspended and this is the first BT event seen,
7660 * save the wake reason associated with the event.
7662 if (!hdev->suspended || hdev->wake_reason)
7665 /* Default to remote wake. Values for wake_reason are documented in the
7666 * Bluez mgmt api docs.
7668 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7670 /* Once configured for remote wakeup, we should only wake up for
7671 * reconnections. It's useful to see which device is waking us up so
7672 * keep track of the bdaddr of the connection event that woke us up.
7674 if (event == HCI_EV_CONN_REQUEST) {
7675 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7676 hdev->wake_addr_type = BDADDR_BREDR;
7677 } else if (event == HCI_EV_CONN_COMPLETE) {
7678 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7679 hdev->wake_addr_type = BDADDR_BREDR;
7680 } else if (event == HCI_EV_LE_META) {
7681 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7682 u8 subevent = le_ev->subevent;
7683 u8 *ptr = &skb->data[sizeof(*le_ev)];
7684 u8 num_reports = *ptr;
7686 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7687 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7688 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7690 adv = (void *)(ptr + 1);
7691 direct_adv = (void *)(ptr + 1);
7692 ext_adv = (void *)(ptr + 1);
7695 case HCI_EV_LE_ADVERTISING_REPORT:
7696 bacpy(&hdev->wake_addr, &adv->bdaddr);
7697 hdev->wake_addr_type = adv->bdaddr_type;
7699 case HCI_EV_LE_DIRECT_ADV_REPORT:
7700 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7701 hdev->wake_addr_type = direct_adv->bdaddr_type;
7703 case HCI_EV_LE_EXT_ADV_REPORT:
7704 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7705 hdev->wake_addr_type = ext_adv->bdaddr_type;
7710 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7714 hci_dev_unlock(hdev);
7717 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7721 .min_len = _min_len, \
7722 .max_len = _max_len, \
7725 #define HCI_EV(_op, _func, _len) \
7726 HCI_EV_VL(_op, _func, _len, _len)
7728 #define HCI_EV_STATUS(_op, _func) \
7729 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7731 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7734 .func_req = _func, \
7735 .min_len = _min_len, \
7736 .max_len = _max_len, \
7739 #define HCI_EV_REQ(_op, _func, _len) \
7740 HCI_EV_REQ_VL(_op, _func, _len, _len)
7742 /* Entries in this table shall have their position according to the event opcode
7743 * they handle so the use of the macros above is recommend since it does attempt
7744 * to initialize at its proper index using Designated Initializers that way
7745 * events without a callback function don't have entered.
7747 static const struct hci_ev {
7750 void (*func)(struct hci_dev *hdev, void *data,
7751 struct sk_buff *skb);
7752 void (*func_req)(struct hci_dev *hdev, void *data,
7753 struct sk_buff *skb, u16 *opcode, u8 *status,
7754 hci_req_complete_t *req_complete,
7755 hci_req_complete_skb_t *req_complete_skb);
7759 } hci_ev_table[U8_MAX + 1] = {
7760 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7761 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7762 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7763 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7764 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7765 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7766 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7767 sizeof(struct hci_ev_conn_complete)),
7768 /* [0x04 = HCI_EV_CONN_REQUEST] */
7769 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7770 sizeof(struct hci_ev_conn_request)),
7771 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7772 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7773 sizeof(struct hci_ev_disconn_complete)),
7774 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7775 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7776 sizeof(struct hci_ev_auth_complete)),
7777 /* [0x07 = HCI_EV_REMOTE_NAME] */
7778 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7779 sizeof(struct hci_ev_remote_name)),
7780 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7781 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7782 sizeof(struct hci_ev_encrypt_change)),
7783 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7784 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7785 hci_change_link_key_complete_evt,
7786 sizeof(struct hci_ev_change_link_key_complete)),
7787 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7788 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7789 sizeof(struct hci_ev_remote_features)),
7790 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7791 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7792 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7793 /* [0x0f = HCI_EV_CMD_STATUS] */
7794 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7795 sizeof(struct hci_ev_cmd_status)),
7796 /* [0x10 = HCI_EV_CMD_STATUS] */
7797 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7798 sizeof(struct hci_ev_hardware_error)),
7799 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7800 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7801 sizeof(struct hci_ev_role_change)),
7802 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7803 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7804 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7805 /* [0x14 = HCI_EV_MODE_CHANGE] */
7806 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7807 sizeof(struct hci_ev_mode_change)),
7808 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7809 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7810 sizeof(struct hci_ev_pin_code_req)),
7811 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7812 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7813 sizeof(struct hci_ev_link_key_req)),
7814 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7815 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7816 sizeof(struct hci_ev_link_key_notify)),
7817 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7818 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7819 sizeof(struct hci_ev_clock_offset)),
7820 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7821 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7822 sizeof(struct hci_ev_pkt_type_change)),
7823 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7824 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7825 sizeof(struct hci_ev_pscan_rep_mode)),
7826 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7827 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7828 hci_inquiry_result_with_rssi_evt,
7829 sizeof(struct hci_ev_inquiry_result_rssi),
7830 HCI_MAX_EVENT_SIZE),
7831 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7832 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7833 sizeof(struct hci_ev_remote_ext_features)),
7834 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7835 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7836 sizeof(struct hci_ev_sync_conn_complete)),
7837 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7838 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7839 hci_extended_inquiry_result_evt,
7840 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7841 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7842 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7843 sizeof(struct hci_ev_key_refresh_complete)),
7844 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7845 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7846 sizeof(struct hci_ev_io_capa_request)),
7847 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7848 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7849 sizeof(struct hci_ev_io_capa_reply)),
7850 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7851 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7852 sizeof(struct hci_ev_user_confirm_req)),
7853 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7854 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7855 sizeof(struct hci_ev_user_passkey_req)),
7856 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7857 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7858 sizeof(struct hci_ev_remote_oob_data_request)),
7859 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7860 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7861 sizeof(struct hci_ev_simple_pair_complete)),
7862 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7863 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7864 sizeof(struct hci_ev_user_passkey_notify)),
7865 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7866 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7867 sizeof(struct hci_ev_keypress_notify)),
7868 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7869 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7870 sizeof(struct hci_ev_remote_host_features)),
7871 /* [0x3e = HCI_EV_LE_META] */
7872 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7873 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7874 #if IS_ENABLED(CONFIG_BT_HS)
7875 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7876 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7877 sizeof(struct hci_ev_phy_link_complete)),
7878 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7879 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7880 sizeof(struct hci_ev_channel_selected)),
7881 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7882 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7883 hci_disconn_loglink_complete_evt,
7884 sizeof(struct hci_ev_disconn_logical_link_complete)),
7885 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7886 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7887 sizeof(struct hci_ev_logical_link_complete)),
7888 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7889 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7890 hci_disconn_phylink_complete_evt,
7891 sizeof(struct hci_ev_disconn_phy_link_complete)),
7893 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7894 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7895 sizeof(struct hci_ev_num_comp_blocks)),
7897 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7898 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7899 sizeof(struct hci_ev_vendor_specific)),
7901 /* [0xff = HCI_EV_VENDOR] */
7902 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7906 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7907 u16 *opcode, u8 *status,
7908 hci_req_complete_t *req_complete,
7909 hci_req_complete_skb_t *req_complete_skb)
7911 const struct hci_ev *ev = &hci_ev_table[event];
7917 if (skb->len < ev->min_len) {
7918 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7919 event, skb->len, ev->min_len);
7923 /* Just warn if the length is over max_len size it still be
7924 * possible to partially parse the event so leave to callback to
7925 * decide if that is acceptable.
7927 if (skb->len > ev->max_len)
7928 bt_dev_warn_ratelimited(hdev,
7929 "unexpected event 0x%2.2x length: %u > %u",
7930 event, skb->len, ev->max_len);
7932 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7937 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7940 ev->func(hdev, data, skb);
7943 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7945 struct hci_event_hdr *hdr = (void *) skb->data;
7946 hci_req_complete_t req_complete = NULL;
7947 hci_req_complete_skb_t req_complete_skb = NULL;
7948 struct sk_buff *orig_skb = NULL;
7949 u8 status = 0, event, req_evt = 0;
7950 u16 opcode = HCI_OP_NOP;
7952 if (skb->len < sizeof(*hdr)) {
7953 bt_dev_err(hdev, "Malformed HCI Event");
7957 kfree_skb(hdev->recv_event);
7958 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7962 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7967 /* Only match event if command OGF is not for LE */
7968 if (hdev->sent_cmd &&
7969 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7970 hci_skb_event(hdev->sent_cmd) == event) {
7971 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7972 status, &req_complete, &req_complete_skb);
7976 /* If it looks like we might end up having to call
7977 * req_complete_skb, store a pristine copy of the skb since the
7978 * various handlers may modify the original one through
7979 * skb_pull() calls, etc.
7981 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7982 event == HCI_EV_CMD_COMPLETE)
7983 orig_skb = skb_clone(skb, GFP_KERNEL);
7985 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7987 /* Store wake reason if we're suspended */
7988 hci_store_wake_reason(hdev, event, skb);
7990 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7992 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7996 req_complete(hdev, status, opcode);
7997 } else if (req_complete_skb) {
7998 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7999 kfree_skb(orig_skb);
8002 req_complete_skb(hdev, status, opcode, orig_skb);
8006 kfree_skb(orig_skb);
8008 hdev->stat.evt_rx++;