2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 "\x00\x00\x00\x00\x00\x00\x00\x00"
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
50 /* Handle HCI Event packets */
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
57 data = skb_pull_data(skb, len);
59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
69 data = skb_pull_data(skb, len);
71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
81 data = skb_pull_data(skb, len);
83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
91 struct hci_ev_status *rp = data;
93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
95 /* It is possible that we receive Inquiry Complete event right
96 * before we receive Inquiry Cancel Command Complete event, in
97 * which case the latter event should have status of Command
98 * Disallowed (0x0c). This should not be treated as error, since
99 * we actually achieve what Inquiry Cancel wants to achieve,
100 * which is to end the last Inquiry session.
102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
110 clear_bit(HCI_INQUIRY, &hdev->flags);
111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 wake_up_bit(&hdev->flags, HCI_INQUIRY);
115 /* Set discovery state to stopped if we're not doing LE active
118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 hdev->le_scan_type != LE_SCAN_ACTIVE)
120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 hci_dev_unlock(hdev);
123 hci_conn_check_pending(hdev);
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
131 struct hci_ev_status *rp = data;
133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
146 struct hci_ev_status *rp = data;
148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
155 hci_conn_check_pending(hdev);
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
163 struct hci_ev_status *rp = data;
165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
173 struct hci_rp_role_discovery *rp = data;
174 struct hci_conn *conn;
176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
185 conn->role = rp->role;
187 hci_dev_unlock(hdev);
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
195 struct hci_rp_read_link_policy *rp = data;
196 struct hci_conn *conn;
198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
207 conn->link_policy = __le16_to_cpu(rp->policy);
209 hci_dev_unlock(hdev);
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
217 struct hci_rp_write_link_policy *rp = data;
218 struct hci_conn *conn;
221 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
226 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
234 conn->link_policy = get_unaligned_le16(sent + 2);
236 hci_dev_unlock(hdev);
241 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
244 struct hci_rp_read_def_link_policy *rp = data;
246 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
251 hdev->link_policy = __le16_to_cpu(rp->policy);
256 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
259 struct hci_ev_status *rp = data;
262 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
271 hdev->link_policy = get_unaligned_le16(sent);
276 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
278 struct hci_ev_status *rp = data;
280 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
282 clear_bit(HCI_RESET, &hdev->flags);
287 /* Reset all non-persistent flags */
288 hci_dev_clear_volatile_flags(hdev);
290 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
292 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
293 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
295 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
296 hdev->adv_data_len = 0;
298 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
299 hdev->scan_rsp_data_len = 0;
301 hdev->le_scan_type = LE_SCAN_PASSIVE;
303 hdev->ssp_debug_mode = 0;
305 hci_bdaddr_list_clear(&hdev->le_accept_list);
306 hci_bdaddr_list_clear(&hdev->le_resolv_list);
311 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
314 struct hci_rp_read_stored_link_key *rp = data;
315 struct hci_cp_read_stored_link_key *sent;
317 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
319 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
323 if (!rp->status && sent->read_all == 0x01) {
324 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
325 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
331 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
334 struct hci_rp_delete_stored_link_key *rp = data;
337 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
342 num_keys = le16_to_cpu(rp->num_keys);
344 if (num_keys <= hdev->stored_num_keys)
345 hdev->stored_num_keys -= num_keys;
347 hdev->stored_num_keys = 0;
352 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
355 struct hci_ev_status *rp = data;
358 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
360 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
366 if (hci_dev_test_flag(hdev, HCI_MGMT))
367 mgmt_set_local_name_complete(hdev, sent, rp->status);
368 else if (!rp->status)
369 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
371 hci_dev_unlock(hdev);
376 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
379 struct hci_rp_read_local_name *rp = data;
381 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
386 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
387 hci_dev_test_flag(hdev, HCI_CONFIG))
388 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
393 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
396 struct hci_ev_status *rp = data;
399 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
401 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
408 __u8 param = *((__u8 *) sent);
410 if (param == AUTH_ENABLED)
411 set_bit(HCI_AUTH, &hdev->flags);
413 clear_bit(HCI_AUTH, &hdev->flags);
416 if (hci_dev_test_flag(hdev, HCI_MGMT))
417 mgmt_auth_enable_complete(hdev, rp->status);
419 hci_dev_unlock(hdev);
424 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
427 struct hci_ev_status *rp = data;
431 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
436 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
440 param = *((__u8 *) sent);
443 set_bit(HCI_ENCRYPT, &hdev->flags);
445 clear_bit(HCI_ENCRYPT, &hdev->flags);
450 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
453 struct hci_ev_status *rp = data;
457 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
459 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
463 param = *((__u8 *) sent);
468 hdev->discov_timeout = 0;
472 if (param & SCAN_INQUIRY)
473 set_bit(HCI_ISCAN, &hdev->flags);
475 clear_bit(HCI_ISCAN, &hdev->flags);
477 if (param & SCAN_PAGE)
478 set_bit(HCI_PSCAN, &hdev->flags);
480 clear_bit(HCI_PSCAN, &hdev->flags);
483 hci_dev_unlock(hdev);
488 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
491 struct hci_ev_status *rp = data;
492 struct hci_cp_set_event_filter *cp;
495 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
500 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
504 cp = (struct hci_cp_set_event_filter *)sent;
506 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
507 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
509 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
514 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
517 struct hci_rp_read_class_of_dev *rp = data;
520 return HCI_ERROR_UNSPECIFIED;
522 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
527 memcpy(hdev->dev_class, rp->dev_class, 3);
529 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
530 hdev->dev_class[1], hdev->dev_class[0]);
535 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
538 struct hci_ev_status *rp = data;
541 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
543 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
550 memcpy(hdev->dev_class, sent, 3);
552 if (hci_dev_test_flag(hdev, HCI_MGMT))
553 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
555 hci_dev_unlock(hdev);
560 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
563 struct hci_rp_read_voice_setting *rp = data;
566 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
571 setting = __le16_to_cpu(rp->voice_setting);
573 if (hdev->voice_setting == setting)
576 hdev->voice_setting = setting;
578 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
581 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
586 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
589 struct hci_ev_status *rp = data;
593 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
598 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
602 setting = get_unaligned_le16(sent);
604 if (hdev->voice_setting == setting)
607 hdev->voice_setting = setting;
609 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
612 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
617 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
620 struct hci_rp_read_num_supported_iac *rp = data;
622 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
627 hdev->num_iac = rp->num_iac;
629 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
634 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
637 struct hci_ev_status *rp = data;
638 struct hci_cp_write_ssp_mode *sent;
640 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
642 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
650 hdev->features[1][0] |= LMP_HOST_SSP;
652 hdev->features[1][0] &= ~LMP_HOST_SSP;
657 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
659 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
662 hci_dev_unlock(hdev);
667 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
670 struct hci_ev_status *rp = data;
671 struct hci_cp_write_sc_support *sent;
673 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
675 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
683 hdev->features[1][0] |= LMP_HOST_SC;
685 hdev->features[1][0] &= ~LMP_HOST_SC;
688 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
690 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
692 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
695 hci_dev_unlock(hdev);
700 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
703 struct hci_rp_read_local_version *rp = data;
705 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
710 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
711 hci_dev_test_flag(hdev, HCI_CONFIG)) {
712 hdev->hci_ver = rp->hci_ver;
713 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
714 hdev->lmp_ver = rp->lmp_ver;
715 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
716 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
722 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
725 struct hci_rp_read_enc_key_size *rp = data;
726 struct hci_conn *conn;
728 u8 status = rp->status;
730 bt_dev_dbg(hdev, "status 0x%2.2x", status);
732 handle = le16_to_cpu(rp->handle);
736 conn = hci_conn_hash_lookup_handle(hdev, handle);
742 /* While unexpected, the read_enc_key_size command may fail. The most
743 * secure approach is to then assume the key size is 0 to force a
747 bt_dev_err(hdev, "failed to read key size for handle %u",
749 conn->enc_key_size = 0;
751 conn->enc_key_size = rp->key_size;
754 if (conn->enc_key_size < hdev->min_enc_key_size) {
755 /* As slave role, the conn->state has been set to
756 * BT_CONNECTED and l2cap conn req might not be received
757 * yet, at this moment the l2cap layer almost does
758 * nothing with the non-zero status.
759 * So we also clear encrypt related bits, and then the
760 * handler of l2cap conn req will get the right secure
761 * state at a later time.
763 status = HCI_ERROR_AUTH_FAILURE;
764 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
765 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
769 hci_encrypt_cfm(conn, status);
772 hci_dev_unlock(hdev);
777 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
780 struct hci_rp_read_local_commands *rp = data;
782 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
787 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
788 hci_dev_test_flag(hdev, HCI_CONFIG))
789 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
794 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
797 struct hci_rp_read_auth_payload_to *rp = data;
798 struct hci_conn *conn;
800 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
807 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
809 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
811 hci_dev_unlock(hdev);
816 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
819 struct hci_rp_write_auth_payload_to *rp = data;
820 struct hci_conn *conn;
823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
825 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
831 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
838 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
841 hci_dev_unlock(hdev);
846 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
849 struct hci_rp_read_local_features *rp = data;
851 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
856 memcpy(hdev->features, rp->features, 8);
858 /* Adjust default settings according to features
859 * supported by device. */
861 if (hdev->features[0][0] & LMP_3SLOT)
862 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
864 if (hdev->features[0][0] & LMP_5SLOT)
865 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
867 if (hdev->features[0][1] & LMP_HV2) {
868 hdev->pkt_type |= (HCI_HV2);
869 hdev->esco_type |= (ESCO_HV2);
872 if (hdev->features[0][1] & LMP_HV3) {
873 hdev->pkt_type |= (HCI_HV3);
874 hdev->esco_type |= (ESCO_HV3);
877 if (lmp_esco_capable(hdev))
878 hdev->esco_type |= (ESCO_EV3);
880 if (hdev->features[0][4] & LMP_EV4)
881 hdev->esco_type |= (ESCO_EV4);
883 if (hdev->features[0][4] & LMP_EV5)
884 hdev->esco_type |= (ESCO_EV5);
886 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
887 hdev->esco_type |= (ESCO_2EV3);
889 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
890 hdev->esco_type |= (ESCO_3EV3);
892 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
893 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
898 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
901 struct hci_rp_read_local_ext_features *rp = data;
903 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
908 if (hdev->max_page < rp->max_page) {
909 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
911 bt_dev_warn(hdev, "broken local ext features page 2");
913 hdev->max_page = rp->max_page;
916 if (rp->page < HCI_MAX_PAGES)
917 memcpy(hdev->features[rp->page], rp->features, 8);
922 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
925 struct hci_rp_read_flow_control_mode *rp = data;
927 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
932 hdev->flow_ctl_mode = rp->mode;
937 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
940 struct hci_rp_read_buffer_size *rp = data;
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
947 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
948 hdev->sco_mtu = rp->sco_mtu;
949 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
950 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
952 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
957 hdev->acl_cnt = hdev->acl_pkts;
958 hdev->sco_cnt = hdev->sco_pkts;
960 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
961 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
966 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
969 struct hci_rp_read_bd_addr *rp = data;
971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
976 if (test_bit(HCI_INIT, &hdev->flags))
977 bacpy(&hdev->bdaddr, &rp->bdaddr);
979 if (hci_dev_test_flag(hdev, HCI_SETUP))
980 bacpy(&hdev->setup_addr, &rp->bdaddr);
985 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
988 struct hci_rp_read_local_pairing_opts *rp = data;
990 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
995 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
996 hci_dev_test_flag(hdev, HCI_CONFIG)) {
997 hdev->pairing_opts = rp->pairing_opts;
998 hdev->max_enc_key_size = rp->max_key_size;
1004 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1005 struct sk_buff *skb)
1007 struct hci_rp_read_page_scan_activity *rp = data;
1009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1014 if (test_bit(HCI_INIT, &hdev->flags)) {
1015 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1016 hdev->page_scan_window = __le16_to_cpu(rp->window);
1022 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1023 struct sk_buff *skb)
1025 struct hci_ev_status *rp = data;
1026 struct hci_cp_write_page_scan_activity *sent;
1028 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1037 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1038 hdev->page_scan_window = __le16_to_cpu(sent->window);
1043 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1044 struct sk_buff *skb)
1046 struct hci_rp_read_page_scan_type *rp = data;
1048 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1053 if (test_bit(HCI_INIT, &hdev->flags))
1054 hdev->page_scan_type = rp->type;
1059 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1060 struct sk_buff *skb)
1062 struct hci_ev_status *rp = data;
1065 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1070 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1072 hdev->page_scan_type = *type;
1077 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1078 struct sk_buff *skb)
1080 struct hci_rp_read_data_block_size *rp = data;
1082 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1087 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1088 hdev->block_len = __le16_to_cpu(rp->block_len);
1089 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1091 hdev->block_cnt = hdev->num_blocks;
1093 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1094 hdev->block_cnt, hdev->block_len);
1099 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1100 struct sk_buff *skb)
1102 struct hci_rp_read_clock *rp = data;
1103 struct hci_cp_read_clock *cp;
1104 struct hci_conn *conn;
1106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1113 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1117 if (cp->which == 0x00) {
1118 hdev->clock = le32_to_cpu(rp->clock);
1122 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1124 conn->clock = le32_to_cpu(rp->clock);
1125 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1129 hci_dev_unlock(hdev);
1133 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1134 struct sk_buff *skb)
1136 struct hci_rp_read_local_amp_info *rp = data;
1138 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1143 hdev->amp_status = rp->amp_status;
1144 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1145 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1146 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1147 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1148 hdev->amp_type = rp->amp_type;
1149 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1150 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1151 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1152 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1157 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1158 struct sk_buff *skb)
1160 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1167 hdev->inq_tx_power = rp->tx_power;
1172 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1173 struct sk_buff *skb)
1175 struct hci_rp_read_def_err_data_reporting *rp = data;
1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1182 hdev->err_data_reporting = rp->err_data_reporting;
1187 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 struct sk_buff *skb)
1190 struct hci_ev_status *rp = data;
1191 struct hci_cp_write_def_err_data_reporting *cp;
1193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1198 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1202 hdev->err_data_reporting = cp->err_data_reporting;
1207 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1208 struct sk_buff *skb)
1210 struct hci_rp_pin_code_reply *rp = data;
1211 struct hci_cp_pin_code_reply *cp;
1212 struct hci_conn *conn;
1214 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1218 if (hci_dev_test_flag(hdev, HCI_MGMT))
1219 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1224 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1228 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1230 conn->pin_length = cp->pin_len;
1233 hci_dev_unlock(hdev);
1237 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1238 struct sk_buff *skb)
1240 struct hci_rp_pin_code_neg_reply *rp = data;
1242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1246 if (hci_dev_test_flag(hdev, HCI_MGMT))
1247 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1250 hci_dev_unlock(hdev);
1255 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1256 struct sk_buff *skb)
1258 struct hci_rp_le_read_buffer_size *rp = data;
1260 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1265 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1266 hdev->le_pkts = rp->le_max_pkt;
1268 hdev->le_cnt = hdev->le_pkts;
1270 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1275 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_local_features *rp = data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 memcpy(hdev->le_features, rp->features, 8);
1290 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_adv_tx_power *rp = data;
1295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1300 hdev->adv_tx_power = rp->tx_power;
1305 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_user_confirm_reply *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1314 if (hci_dev_test_flag(hdev, HCI_MGMT))
1315 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1318 hci_dev_unlock(hdev);
1323 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1324 struct sk_buff *skb)
1326 struct hci_rp_user_confirm_reply *rp = data;
1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1332 if (hci_dev_test_flag(hdev, HCI_MGMT))
1333 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1334 ACL_LINK, 0, rp->status);
1336 hci_dev_unlock(hdev);
1341 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1342 struct sk_buff *skb)
1344 struct hci_rp_user_confirm_reply *rp = data;
1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1350 if (hci_dev_test_flag(hdev, HCI_MGMT))
1351 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1354 hci_dev_unlock(hdev);
1359 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1360 struct sk_buff *skb)
1362 struct hci_rp_user_confirm_reply *rp = data;
1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1368 if (hci_dev_test_flag(hdev, HCI_MGMT))
1369 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1370 ACL_LINK, 0, rp->status);
1372 hci_dev_unlock(hdev);
1377 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1378 struct sk_buff *skb)
1380 struct hci_rp_read_local_oob_data *rp = data;
1382 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1387 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1388 struct sk_buff *skb)
1390 struct hci_rp_read_local_oob_ext_data *rp = data;
1392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1397 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1398 struct sk_buff *skb)
1400 struct hci_ev_status *rp = data;
1403 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1408 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1414 bacpy(&hdev->random_addr, sent);
1416 if (!bacmp(&hdev->rpa, sent)) {
1417 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1418 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1419 secs_to_jiffies(hdev->rpa_timeout));
1422 hci_dev_unlock(hdev);
1427 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1428 struct sk_buff *skb)
1430 struct hci_ev_status *rp = data;
1431 struct hci_cp_le_set_default_phy *cp;
1433 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1444 hdev->le_tx_def_phys = cp->tx_phys;
1445 hdev->le_rx_def_phys = cp->rx_phys;
1447 hci_dev_unlock(hdev);
1452 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1453 struct sk_buff *skb)
1455 struct hci_ev_status *rp = data;
1456 struct hci_cp_le_set_adv_set_rand_addr *cp;
1457 struct adv_info *adv;
1459 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1465 /* Update only in case the adv instance since handle 0x00 shall be using
1466 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1467 * non-extended adverting.
1469 if (!cp || !cp->handle)
1474 adv = hci_find_adv_instance(hdev, cp->handle);
1476 bacpy(&adv->random_addr, &cp->bdaddr);
1477 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1478 adv->rpa_expired = false;
1479 queue_delayed_work(hdev->workqueue,
1480 &adv->rpa_expired_cb,
1481 secs_to_jiffies(hdev->rpa_timeout));
1485 hci_dev_unlock(hdev);
1490 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1491 struct sk_buff *skb)
1493 struct hci_ev_status *rp = data;
1497 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1502 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1508 err = hci_remove_adv_instance(hdev, *instance);
1510 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1513 hci_dev_unlock(hdev);
1518 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1519 struct sk_buff *skb)
1521 struct hci_ev_status *rp = data;
1522 struct adv_info *adv, *n;
1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1530 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1535 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1536 u8 instance = adv->instance;
1538 err = hci_remove_adv_instance(hdev, instance);
1540 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1544 hci_dev_unlock(hdev);
1549 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1550 struct sk_buff *skb)
1552 struct hci_rp_le_read_transmit_power *rp = data;
1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1559 hdev->min_le_tx_power = rp->min_le_tx_power;
1560 hdev->max_le_tx_power = rp->max_le_tx_power;
1565 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1566 struct sk_buff *skb)
1568 struct hci_ev_status *rp = data;
1569 struct hci_cp_le_set_privacy_mode *cp;
1570 struct hci_conn_params *params;
1572 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1577 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1583 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1585 WRITE_ONCE(params->privacy_mode, cp->mode);
1587 hci_dev_unlock(hdev);
1592 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1593 struct sk_buff *skb)
1595 struct hci_ev_status *rp = data;
1598 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1603 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1609 /* If we're doing connection initiation as peripheral. Set a
1610 * timeout in case something goes wrong.
1613 struct hci_conn *conn;
1615 hci_dev_set_flag(hdev, HCI_LE_ADV);
1617 conn = hci_lookup_le_connect(hdev);
1619 queue_delayed_work(hdev->workqueue,
1620 &conn->le_conn_timeout,
1621 conn->conn_timeout);
1623 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1626 hci_dev_unlock(hdev);
1631 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1632 struct sk_buff *skb)
1634 struct hci_cp_le_set_ext_adv_enable *cp;
1635 struct hci_cp_ext_adv_set *set;
1636 struct adv_info *adv = NULL, *n;
1637 struct hci_ev_status *rp = data;
1639 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1644 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1648 set = (void *)cp->data;
1652 if (cp->num_of_sets)
1653 adv = hci_find_adv_instance(hdev, set->handle);
1656 struct hci_conn *conn;
1658 hci_dev_set_flag(hdev, HCI_LE_ADV);
1660 if (adv && !adv->periodic)
1661 adv->enabled = true;
1663 conn = hci_lookup_le_connect(hdev);
1665 queue_delayed_work(hdev->workqueue,
1666 &conn->le_conn_timeout,
1667 conn->conn_timeout);
1669 if (cp->num_of_sets) {
1671 adv->enabled = false;
1673 /* If just one instance was disabled check if there are
1674 * any other instance enabled before clearing HCI_LE_ADV
1676 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1682 /* All instances shall be considered disabled */
1683 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1685 adv->enabled = false;
1688 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1692 hci_dev_unlock(hdev);
1696 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1697 struct sk_buff *skb)
1699 struct hci_cp_le_set_scan_param *cp;
1700 struct hci_ev_status *rp = data;
1702 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1707 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1713 hdev->le_scan_type = cp->type;
1715 hci_dev_unlock(hdev);
1720 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1721 struct sk_buff *skb)
1723 struct hci_cp_le_set_ext_scan_params *cp;
1724 struct hci_ev_status *rp = data;
1725 struct hci_cp_le_scan_phy_params *phy_param;
1727 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1732 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1736 phy_param = (void *)cp->data;
1740 hdev->le_scan_type = phy_param->type;
1742 hci_dev_unlock(hdev);
1747 static bool has_pending_adv_report(struct hci_dev *hdev)
1749 struct discovery_state *d = &hdev->discovery;
1751 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1754 static void clear_pending_adv_report(struct hci_dev *hdev)
1756 struct discovery_state *d = &hdev->discovery;
1758 bacpy(&d->last_adv_addr, BDADDR_ANY);
1759 d->last_adv_data_len = 0;
1762 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1763 u8 bdaddr_type, s8 rssi, u32 flags,
1766 struct discovery_state *d = &hdev->discovery;
1768 if (len > max_adv_len(hdev))
1771 bacpy(&d->last_adv_addr, bdaddr);
1772 d->last_adv_addr_type = bdaddr_type;
1773 d->last_adv_rssi = rssi;
1774 d->last_adv_flags = flags;
1775 memcpy(d->last_adv_data, data, len);
1776 d->last_adv_data_len = len;
1779 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1784 case LE_SCAN_ENABLE:
1785 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1786 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1787 clear_pending_adv_report(hdev);
1788 if (hci_dev_test_flag(hdev, HCI_MESH))
1789 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1792 case LE_SCAN_DISABLE:
1793 /* We do this here instead of when setting DISCOVERY_STOPPED
1794 * since the latter would potentially require waiting for
1795 * inquiry to stop too.
1797 if (has_pending_adv_report(hdev)) {
1798 struct discovery_state *d = &hdev->discovery;
1800 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1801 d->last_adv_addr_type, NULL,
1802 d->last_adv_rssi, d->last_adv_flags,
1804 d->last_adv_data_len, NULL, 0, 0);
1807 /* Cancel this timer so that we don't try to disable scanning
1808 * when it's already disabled.
1810 cancel_delayed_work(&hdev->le_scan_disable);
1812 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1814 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1815 * interrupted scanning due to a connect request. Mark
1816 * therefore discovery as stopped.
1818 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1819 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1820 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1821 hdev->discovery.state == DISCOVERY_FINDING)
1822 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1827 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1832 hci_dev_unlock(hdev);
1835 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1836 struct sk_buff *skb)
1838 struct hci_cp_le_set_scan_enable *cp;
1839 struct hci_ev_status *rp = data;
1841 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1846 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1850 le_set_scan_enable_complete(hdev, cp->enable);
1855 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1856 struct sk_buff *skb)
1858 struct hci_cp_le_set_ext_scan_enable *cp;
1859 struct hci_ev_status *rp = data;
1861 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1866 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1870 le_set_scan_enable_complete(hdev, cp->enable);
1875 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1876 struct sk_buff *skb)
1878 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1880 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1886 hdev->le_num_of_adv_sets = rp->num_of_sets;
1891 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1892 struct sk_buff *skb)
1894 struct hci_rp_le_read_accept_list_size *rp = data;
1896 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1901 hdev->le_accept_list_size = rp->size;
1906 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1907 struct sk_buff *skb)
1909 struct hci_ev_status *rp = data;
1911 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1917 hci_bdaddr_list_clear(&hdev->le_accept_list);
1918 hci_dev_unlock(hdev);
1923 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1924 struct sk_buff *skb)
1926 struct hci_cp_le_add_to_accept_list *sent;
1927 struct hci_ev_status *rp = data;
1929 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1934 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1939 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1941 hci_dev_unlock(hdev);
1946 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1947 struct sk_buff *skb)
1949 struct hci_cp_le_del_from_accept_list *sent;
1950 struct hci_ev_status *rp = data;
1952 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1957 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1962 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1964 hci_dev_unlock(hdev);
1969 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1970 struct sk_buff *skb)
1972 struct hci_rp_le_read_supported_states *rp = data;
1974 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1979 memcpy(hdev->le_states, rp->le_states, 8);
1984 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1985 struct sk_buff *skb)
1987 struct hci_rp_le_read_def_data_len *rp = data;
1989 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1994 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1995 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2000 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2001 struct sk_buff *skb)
2003 struct hci_cp_le_write_def_data_len *sent;
2004 struct hci_ev_status *rp = data;
2006 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2011 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2015 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2016 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2021 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2022 struct sk_buff *skb)
2024 struct hci_cp_le_add_to_resolv_list *sent;
2025 struct hci_ev_status *rp = data;
2027 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2032 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2037 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2038 sent->bdaddr_type, sent->peer_irk,
2040 hci_dev_unlock(hdev);
2045 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2046 struct sk_buff *skb)
2048 struct hci_cp_le_del_from_resolv_list *sent;
2049 struct hci_ev_status *rp = data;
2051 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2056 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2061 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2063 hci_dev_unlock(hdev);
2068 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2069 struct sk_buff *skb)
2071 struct hci_ev_status *rp = data;
2073 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2079 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2080 hci_dev_unlock(hdev);
2085 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2086 struct sk_buff *skb)
2088 struct hci_rp_le_read_resolv_list_size *rp = data;
2090 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2095 hdev->le_resolv_list_size = rp->size;
2100 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2101 struct sk_buff *skb)
2103 struct hci_ev_status *rp = data;
2106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2111 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2118 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2120 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2122 hci_dev_unlock(hdev);
2127 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2128 struct sk_buff *skb)
2130 struct hci_rp_le_read_max_data_len *rp = data;
2132 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2137 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2138 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2139 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2140 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2145 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2146 struct sk_buff *skb)
2148 struct hci_cp_write_le_host_supported *sent;
2149 struct hci_ev_status *rp = data;
2151 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2156 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2163 hdev->features[1][0] |= LMP_HOST_LE;
2164 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2166 hdev->features[1][0] &= ~LMP_HOST_LE;
2167 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2168 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2172 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2174 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2176 hci_dev_unlock(hdev);
2181 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2182 struct sk_buff *skb)
2184 struct hci_cp_le_set_adv_param *cp;
2185 struct hci_ev_status *rp = data;
2187 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2192 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2197 hdev->adv_addr_type = cp->own_address_type;
2198 hci_dev_unlock(hdev);
2203 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2204 struct sk_buff *skb)
2206 struct hci_rp_le_set_ext_adv_params *rp = data;
2207 struct hci_cp_le_set_ext_adv_params *cp;
2208 struct adv_info *adv_instance;
2210 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2215 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2220 hdev->adv_addr_type = cp->own_addr_type;
2222 /* Store in hdev for instance 0 */
2223 hdev->adv_tx_power = rp->tx_power;
2225 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2227 adv_instance->tx_power = rp->tx_power;
2229 /* Update adv data as tx power is known now */
2230 hci_update_adv_data(hdev, cp->handle);
2232 hci_dev_unlock(hdev);
2237 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2238 struct sk_buff *skb)
2240 struct hci_rp_read_rssi *rp = data;
2241 struct hci_conn *conn;
2243 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2250 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2252 conn->rssi = rp->rssi;
2254 hci_dev_unlock(hdev);
2259 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2260 struct sk_buff *skb)
2262 struct hci_cp_read_tx_power *sent;
2263 struct hci_rp_read_tx_power *rp = data;
2264 struct hci_conn *conn;
2266 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2271 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2277 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2281 switch (sent->type) {
2283 conn->tx_power = rp->tx_power;
2286 conn->max_tx_power = rp->tx_power;
2291 hci_dev_unlock(hdev);
2295 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2296 struct sk_buff *skb)
2298 struct hci_ev_status *rp = data;
2301 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2306 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2308 hdev->ssp_debug_mode = *mode;
2313 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2315 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2318 hci_conn_check_pending(hdev);
2322 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2323 set_bit(HCI_INQUIRY, &hdev->flags);
2326 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2328 struct hci_cp_create_conn *cp;
2329 struct hci_conn *conn;
2331 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2333 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2339 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2341 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2344 if (conn && conn->state == BT_CONNECT) {
2345 if (status != 0x0c || conn->attempt > 2) {
2346 conn->state = BT_CLOSED;
2347 hci_connect_cfm(conn, status);
2350 conn->state = BT_CONNECT2;
2354 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2357 bt_dev_err(hdev, "no memory for new connection");
2361 hci_dev_unlock(hdev);
2364 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2366 struct hci_cp_add_sco *cp;
2367 struct hci_conn *acl;
2368 struct hci_link *link;
2371 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2376 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2380 handle = __le16_to_cpu(cp->handle);
2382 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2386 acl = hci_conn_hash_lookup_handle(hdev, handle);
2388 link = list_first_entry_or_null(&acl->link_list,
2389 struct hci_link, list);
2390 if (link && link->conn) {
2391 link->conn->state = BT_CLOSED;
2393 hci_connect_cfm(link->conn, status);
2394 hci_conn_del(link->conn);
2398 hci_dev_unlock(hdev);
2401 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2403 struct hci_cp_auth_requested *cp;
2404 struct hci_conn *conn;
2406 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2411 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2417 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2419 if (conn->state == BT_CONFIG) {
2420 hci_connect_cfm(conn, status);
2421 hci_conn_drop(conn);
2425 hci_dev_unlock(hdev);
2428 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2430 struct hci_cp_set_conn_encrypt *cp;
2431 struct hci_conn *conn;
2433 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2438 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2444 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2446 if (conn->state == BT_CONFIG) {
2447 hci_connect_cfm(conn, status);
2448 hci_conn_drop(conn);
2452 hci_dev_unlock(hdev);
2455 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2456 struct hci_conn *conn)
2458 if (conn->state != BT_CONFIG || !conn->out)
2461 if (conn->pending_sec_level == BT_SECURITY_SDP)
2464 /* Only request authentication for SSP connections or non-SSP
2465 * devices with sec_level MEDIUM or HIGH or if MITM protection
2468 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2469 conn->pending_sec_level != BT_SECURITY_FIPS &&
2470 conn->pending_sec_level != BT_SECURITY_HIGH &&
2471 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2477 static int hci_resolve_name(struct hci_dev *hdev,
2478 struct inquiry_entry *e)
2480 struct hci_cp_remote_name_req cp;
2482 memset(&cp, 0, sizeof(cp));
2484 bacpy(&cp.bdaddr, &e->data.bdaddr);
2485 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2486 cp.pscan_mode = e->data.pscan_mode;
2487 cp.clock_offset = e->data.clock_offset;
2489 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2492 static bool hci_resolve_next_name(struct hci_dev *hdev)
2494 struct discovery_state *discov = &hdev->discovery;
2495 struct inquiry_entry *e;
2497 if (list_empty(&discov->resolve))
2500 /* We should stop if we already spent too much time resolving names. */
2501 if (time_after(jiffies, discov->name_resolve_timeout)) {
2502 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2506 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2510 if (hci_resolve_name(hdev, e) == 0) {
2511 e->name_state = NAME_PENDING;
2518 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2519 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2521 struct discovery_state *discov = &hdev->discovery;
2522 struct inquiry_entry *e;
2524 /* Update the mgmt connected state if necessary. Be careful with
2525 * conn objects that exist but are not (yet) connected however.
2526 * Only those in BT_CONFIG or BT_CONNECTED states can be
2527 * considered connected.
2530 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2531 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2532 mgmt_device_connected(hdev, conn, name, name_len);
2534 if (discov->state == DISCOVERY_STOPPED)
2537 if (discov->state == DISCOVERY_STOPPING)
2538 goto discov_complete;
2540 if (discov->state != DISCOVERY_RESOLVING)
2543 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2544 /* If the device was not found in a list of found devices names of which
2545 * are pending. there is no need to continue resolving a next name as it
2546 * will be done upon receiving another Remote Name Request Complete
2553 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2554 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2557 if (hci_resolve_next_name(hdev))
2561 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2564 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2566 struct hci_cp_remote_name_req *cp;
2567 struct hci_conn *conn;
2569 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2571 /* If successful wait for the name req complete event before
2572 * checking for the need to do authentication */
2576 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2582 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2584 if (hci_dev_test_flag(hdev, HCI_MGMT))
2585 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2590 if (!hci_outgoing_auth_needed(hdev, conn))
2593 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2594 struct hci_cp_auth_requested auth_cp;
2596 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2598 auth_cp.handle = __cpu_to_le16(conn->handle);
2599 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2600 sizeof(auth_cp), &auth_cp);
2604 hci_dev_unlock(hdev);
2607 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2609 struct hci_cp_read_remote_features *cp;
2610 struct hci_conn *conn;
2612 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2617 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2623 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2625 if (conn->state == BT_CONFIG) {
2626 hci_connect_cfm(conn, status);
2627 hci_conn_drop(conn);
2631 hci_dev_unlock(hdev);
2634 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2636 struct hci_cp_read_remote_ext_features *cp;
2637 struct hci_conn *conn;
2639 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2644 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2650 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2652 if (conn->state == BT_CONFIG) {
2653 hci_connect_cfm(conn, status);
2654 hci_conn_drop(conn);
2658 hci_dev_unlock(hdev);
2661 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2664 struct hci_conn *acl;
2665 struct hci_link *link;
2667 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2671 acl = hci_conn_hash_lookup_handle(hdev, handle);
2673 link = list_first_entry_or_null(&acl->link_list,
2674 struct hci_link, list);
2675 if (link && link->conn) {
2676 link->conn->state = BT_CLOSED;
2678 hci_connect_cfm(link->conn, status);
2679 hci_conn_del(link->conn);
2683 hci_dev_unlock(hdev);
2686 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2688 struct hci_cp_setup_sync_conn *cp;
2690 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2695 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2699 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2702 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2704 struct hci_cp_enhanced_setup_sync_conn *cp;
2706 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2711 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2715 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2718 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2720 struct hci_cp_sniff_mode *cp;
2721 struct hci_conn *conn;
2723 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2728 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2734 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2736 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2738 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2739 hci_sco_setup(conn, status);
2742 hci_dev_unlock(hdev);
2745 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2747 struct hci_cp_exit_sniff_mode *cp;
2748 struct hci_conn *conn;
2750 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2755 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2761 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2763 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2765 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2766 hci_sco_setup(conn, status);
2769 hci_dev_unlock(hdev);
2772 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2774 struct hci_cp_disconnect *cp;
2775 struct hci_conn_params *params;
2776 struct hci_conn *conn;
2779 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2781 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2782 * otherwise cleanup the connection immediately.
2784 if (!status && !hdev->suspended)
2787 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2793 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2798 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2799 conn->dst_type, status);
2801 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2802 hdev->cur_adv_instance = conn->adv_instance;
2803 hci_enable_advertising(hdev);
2806 /* Inform sockets conn is gone before we delete it */
2807 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2812 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2814 if (conn->type == ACL_LINK) {
2815 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2816 hci_remove_link_key(hdev, &conn->dst);
2819 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2821 switch (params->auto_connect) {
2822 case HCI_AUTO_CONN_LINK_LOSS:
2823 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2827 case HCI_AUTO_CONN_DIRECT:
2828 case HCI_AUTO_CONN_ALWAYS:
2829 hci_pend_le_list_del_init(params);
2830 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2838 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2839 cp->reason, mgmt_conn);
2841 hci_disconn_cfm(conn, cp->reason);
2844 /* If the disconnection failed for any reason, the upper layer
2845 * does not retry to disconnect in current implementation.
2846 * Hence, we need to do some basic cleanup here and re-enable
2847 * advertising if necessary.
2851 hci_dev_unlock(hdev);
2854 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2856 /* When using controller based address resolution, then the new
2857 * address types 0x02 and 0x03 are used. These types need to be
2858 * converted back into either public address or random address type
2861 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2864 return ADDR_LE_DEV_PUBLIC;
2865 case ADDR_LE_DEV_RANDOM_RESOLVED:
2868 return ADDR_LE_DEV_RANDOM;
2876 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2877 u8 peer_addr_type, u8 own_address_type,
2880 struct hci_conn *conn;
2882 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2887 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2889 /* Store the initiator and responder address information which
2890 * is needed for SMP. These values will not change during the
2891 * lifetime of the connection.
2893 conn->init_addr_type = own_address_type;
2894 if (own_address_type == ADDR_LE_DEV_RANDOM)
2895 bacpy(&conn->init_addr, &hdev->random_addr);
2897 bacpy(&conn->init_addr, &hdev->bdaddr);
2899 conn->resp_addr_type = peer_addr_type;
2900 bacpy(&conn->resp_addr, peer_addr);
2903 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2905 struct hci_cp_le_create_conn *cp;
2907 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2909 /* All connection failure handling is taken care of by the
2910 * hci_conn_failed function which is triggered by the HCI
2911 * request completion callbacks used for connecting.
2916 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2922 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2923 cp->own_address_type, cp->filter_policy);
2925 hci_dev_unlock(hdev);
2928 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2930 struct hci_cp_le_ext_create_conn *cp;
2932 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2934 /* All connection failure handling is taken care of by the
2935 * hci_conn_failed function which is triggered by the HCI
2936 * request completion callbacks used for connecting.
2941 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2947 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2948 cp->own_addr_type, cp->filter_policy);
2950 hci_dev_unlock(hdev);
2953 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2955 struct hci_cp_le_read_remote_features *cp;
2956 struct hci_conn *conn;
2958 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2963 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2969 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2971 if (conn->state == BT_CONFIG) {
2972 hci_connect_cfm(conn, status);
2973 hci_conn_drop(conn);
2977 hci_dev_unlock(hdev);
2980 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2982 struct hci_cp_le_start_enc *cp;
2983 struct hci_conn *conn;
2985 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2992 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2996 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3000 if (conn->state != BT_CONNECTED)
3003 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3004 hci_conn_drop(conn);
3007 hci_dev_unlock(hdev);
3010 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3012 struct hci_cp_switch_role *cp;
3013 struct hci_conn *conn;
3015 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3020 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3026 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3028 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3030 hci_dev_unlock(hdev);
3033 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3034 struct sk_buff *skb)
3036 struct hci_ev_status *ev = data;
3037 struct discovery_state *discov = &hdev->discovery;
3038 struct inquiry_entry *e;
3040 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3042 hci_conn_check_pending(hdev);
3044 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3047 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3048 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3050 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3055 if (discov->state != DISCOVERY_FINDING)
3058 if (list_empty(&discov->resolve)) {
3059 /* When BR/EDR inquiry is active and no LE scanning is in
3060 * progress, then change discovery state to indicate completion.
3062 * When running LE scanning and BR/EDR inquiry simultaneously
3063 * and the LE scan already finished, then change the discovery
3064 * state to indicate completion.
3066 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3067 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3072 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3073 if (e && hci_resolve_name(hdev, e) == 0) {
3074 e->name_state = NAME_PENDING;
3075 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3076 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3078 /* When BR/EDR inquiry is active and no LE scanning is in
3079 * progress, then change discovery state to indicate completion.
3081 * When running LE scanning and BR/EDR inquiry simultaneously
3082 * and the LE scan already finished, then change the discovery
3083 * state to indicate completion.
3085 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3086 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3087 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3091 hci_dev_unlock(hdev);
3094 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3095 struct sk_buff *skb)
3097 struct hci_ev_inquiry_result *ev = edata;
3098 struct inquiry_data data;
3101 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3102 flex_array_size(ev, info, ev->num)))
3105 bt_dev_dbg(hdev, "num %d", ev->num);
3110 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3115 for (i = 0; i < ev->num; i++) {
3116 struct inquiry_info *info = &ev->info[i];
3119 bacpy(&data.bdaddr, &info->bdaddr);
3120 data.pscan_rep_mode = info->pscan_rep_mode;
3121 data.pscan_period_mode = info->pscan_period_mode;
3122 data.pscan_mode = info->pscan_mode;
3123 memcpy(data.dev_class, info->dev_class, 3);
3124 data.clock_offset = info->clock_offset;
3125 data.rssi = HCI_RSSI_INVALID;
3126 data.ssp_mode = 0x00;
3128 flags = hci_inquiry_cache_update(hdev, &data, false);
3130 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3131 info->dev_class, HCI_RSSI_INVALID,
3132 flags, NULL, 0, NULL, 0, 0);
3135 hci_dev_unlock(hdev);
3138 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3139 struct sk_buff *skb)
3141 struct hci_ev_conn_complete *ev = data;
3142 struct hci_conn *conn;
3143 u8 status = ev->status;
3145 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3149 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3151 /* In case of error status and there is no connection pending
3152 * just unlock as there is nothing to cleanup.
3157 /* Connection may not exist if auto-connected. Check the bredr
3158 * allowlist to see if this device is allowed to auto connect.
3159 * If link is an ACL type, create a connection class
3162 * Auto-connect will only occur if the event filter is
3163 * programmed with a given address. Right now, event filter is
3164 * only used during suspend.
3166 if (ev->link_type == ACL_LINK &&
3167 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3170 conn = hci_conn_add_unset(hdev, ev->link_type,
3171 &ev->bdaddr, HCI_ROLE_SLAVE);
3173 bt_dev_err(hdev, "no memory for new conn");
3177 if (ev->link_type != SCO_LINK)
3180 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3185 conn->type = SCO_LINK;
3189 /* The HCI_Connection_Complete event is only sent once per connection.
3190 * Processing it more than once per connection can corrupt kernel memory.
3192 * As the connection handle is set here for the first time, it indicates
3193 * whether the connection is already set up.
3195 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3196 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3201 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3205 if (conn->type == ACL_LINK) {
3206 conn->state = BT_CONFIG;
3207 hci_conn_hold(conn);
3209 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3210 !hci_find_link_key(hdev, &ev->bdaddr))
3211 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3213 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3215 conn->state = BT_CONNECTED;
3217 hci_debugfs_create_conn(conn);
3218 hci_conn_add_sysfs(conn);
3220 if (test_bit(HCI_AUTH, &hdev->flags))
3221 set_bit(HCI_CONN_AUTH, &conn->flags);
3223 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3224 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3226 /* Get remote features */
3227 if (conn->type == ACL_LINK) {
3228 struct hci_cp_read_remote_features cp;
3229 cp.handle = ev->handle;
3230 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3233 hci_update_scan(hdev);
3236 /* Set packet type for incoming connection */
3237 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3238 struct hci_cp_change_conn_ptype cp;
3239 cp.handle = ev->handle;
3240 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3241 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3246 if (conn->type == ACL_LINK)
3247 hci_sco_setup(conn, ev->status);
3251 hci_conn_failed(conn, status);
3252 } else if (ev->link_type == SCO_LINK) {
3253 switch (conn->setting & SCO_AIRMODE_MASK) {
3254 case SCO_AIRMODE_CVSD:
3256 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3260 hci_connect_cfm(conn, status);
3264 hci_dev_unlock(hdev);
3266 hci_conn_check_pending(hdev);
3269 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3271 struct hci_cp_reject_conn_req cp;
3273 bacpy(&cp.bdaddr, bdaddr);
3274 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3275 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3278 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3279 struct sk_buff *skb)
3281 struct hci_ev_conn_request *ev = data;
3282 int mask = hdev->link_mode;
3283 struct inquiry_entry *ie;
3284 struct hci_conn *conn;
3287 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3289 /* Reject incoming connection from device with same BD ADDR against
3292 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3293 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3295 hci_reject_conn(hdev, &ev->bdaddr);
3299 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3302 if (!(mask & HCI_LM_ACCEPT)) {
3303 hci_reject_conn(hdev, &ev->bdaddr);
3309 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3311 hci_reject_conn(hdev, &ev->bdaddr);
3315 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3316 * connection. These features are only touched through mgmt so
3317 * only do the checks if HCI_MGMT is set.
3319 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3320 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3321 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3323 hci_reject_conn(hdev, &ev->bdaddr);
3327 /* Connection accepted */
3329 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3331 memcpy(ie->data.dev_class, ev->dev_class, 3);
3333 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3336 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3339 bt_dev_err(hdev, "no memory for new connection");
3344 memcpy(conn->dev_class, ev->dev_class, 3);
3346 hci_dev_unlock(hdev);
3348 if (ev->link_type == ACL_LINK ||
3349 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3350 struct hci_cp_accept_conn_req cp;
3351 conn->state = BT_CONNECT;
3353 bacpy(&cp.bdaddr, &ev->bdaddr);
3355 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3356 cp.role = 0x00; /* Become central */
3358 cp.role = 0x01; /* Remain peripheral */
3360 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3361 } else if (!(flags & HCI_PROTO_DEFER)) {
3362 struct hci_cp_accept_sync_conn_req cp;
3363 conn->state = BT_CONNECT;
3365 bacpy(&cp.bdaddr, &ev->bdaddr);
3366 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3368 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3369 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3370 cp.max_latency = cpu_to_le16(0xffff);
3371 cp.content_format = cpu_to_le16(hdev->voice_setting);
3372 cp.retrans_effort = 0xff;
3374 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3377 conn->state = BT_CONNECT2;
3378 hci_connect_cfm(conn, 0);
3383 hci_dev_unlock(hdev);
3386 static u8 hci_to_mgmt_reason(u8 err)
3389 case HCI_ERROR_CONNECTION_TIMEOUT:
3390 return MGMT_DEV_DISCONN_TIMEOUT;
3391 case HCI_ERROR_REMOTE_USER_TERM:
3392 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3393 case HCI_ERROR_REMOTE_POWER_OFF:
3394 return MGMT_DEV_DISCONN_REMOTE;
3395 case HCI_ERROR_LOCAL_HOST_TERM:
3396 return MGMT_DEV_DISCONN_LOCAL_HOST;
3398 return MGMT_DEV_DISCONN_UNKNOWN;
3402 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3403 struct sk_buff *skb)
3405 struct hci_ev_disconn_complete *ev = data;
3407 struct hci_conn_params *params;
3408 struct hci_conn *conn;
3409 bool mgmt_connected;
3411 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3415 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3420 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3421 conn->dst_type, ev->status);
3425 conn->state = BT_CLOSED;
3427 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3429 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3430 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3432 reason = hci_to_mgmt_reason(ev->reason);
3434 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3435 reason, mgmt_connected);
3437 if (conn->type == ACL_LINK) {
3438 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3439 hci_remove_link_key(hdev, &conn->dst);
3441 hci_update_scan(hdev);
3444 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3446 switch (params->auto_connect) {
3447 case HCI_AUTO_CONN_LINK_LOSS:
3448 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3452 case HCI_AUTO_CONN_DIRECT:
3453 case HCI_AUTO_CONN_ALWAYS:
3454 hci_pend_le_list_del_init(params);
3455 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3456 hci_update_passive_scan(hdev);
3464 hci_disconn_cfm(conn, ev->reason);
3466 /* Re-enable advertising if necessary, since it might
3467 * have been disabled by the connection. From the
3468 * HCI_LE_Set_Advertise_Enable command description in
3469 * the core specification (v4.0):
3470 * "The Controller shall continue advertising until the Host
3471 * issues an LE_Set_Advertise_Enable command with
3472 * Advertising_Enable set to 0x00 (Advertising is disabled)
3473 * or until a connection is created or until the Advertising
3474 * is timed out due to Directed Advertising."
3476 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3477 hdev->cur_adv_instance = conn->adv_instance;
3478 hci_enable_advertising(hdev);
3484 hci_dev_unlock(hdev);
3487 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3488 struct sk_buff *skb)
3490 struct hci_ev_auth_complete *ev = data;
3491 struct hci_conn *conn;
3493 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3497 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3502 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3504 if (!hci_conn_ssp_enabled(conn) &&
3505 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
3506 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
3508 set_bit(HCI_CONN_AUTH, &conn->flags);
3509 conn->sec_level = conn->pending_sec_level;
3512 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3513 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3515 mgmt_auth_failed(conn, ev->status);
3518 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3519 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3521 if (conn->state == BT_CONFIG) {
3522 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3523 struct hci_cp_set_conn_encrypt cp;
3524 cp.handle = ev->handle;
3526 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3529 conn->state = BT_CONNECTED;
3530 hci_connect_cfm(conn, ev->status);
3531 hci_conn_drop(conn);
3534 hci_auth_cfm(conn, ev->status);
3536 hci_conn_hold(conn);
3537 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3538 hci_conn_drop(conn);
3541 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3543 struct hci_cp_set_conn_encrypt cp;
3544 cp.handle = ev->handle;
3546 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3549 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3550 hci_encrypt_cfm(conn, ev->status);
3555 hci_dev_unlock(hdev);
3558 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3559 struct sk_buff *skb)
3561 struct hci_ev_remote_name *ev = data;
3562 struct hci_conn *conn;
3564 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3566 hci_conn_check_pending(hdev);
3570 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3572 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3575 if (ev->status == 0)
3576 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3577 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3579 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3585 if (!hci_outgoing_auth_needed(hdev, conn))
3588 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3589 struct hci_cp_auth_requested cp;
3591 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3593 cp.handle = __cpu_to_le16(conn->handle);
3594 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3598 hci_dev_unlock(hdev);
3601 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3602 struct sk_buff *skb)
3604 struct hci_ev_encrypt_change *ev = data;
3605 struct hci_conn *conn;
3607 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3617 /* Encryption implies authentication */
3618 set_bit(HCI_CONN_AUTH, &conn->flags);
3619 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3620 conn->sec_level = conn->pending_sec_level;
3622 /* P-256 authentication key implies FIPS */
3623 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3624 set_bit(HCI_CONN_FIPS, &conn->flags);
3626 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3627 conn->type == LE_LINK)
3628 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3630 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3631 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3635 /* We should disregard the current RPA and generate a new one
3636 * whenever the encryption procedure fails.
3638 if (ev->status && conn->type == LE_LINK) {
3639 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3640 hci_adv_instances_set_rpa_expired(hdev, true);
3643 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3645 /* Check link security requirements are met */
3646 if (!hci_conn_check_link_mode(conn))
3647 ev->status = HCI_ERROR_AUTH_FAILURE;
3649 if (ev->status && conn->state == BT_CONNECTED) {
3650 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3651 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3653 /* Notify upper layers so they can cleanup before
3656 hci_encrypt_cfm(conn, ev->status);
3657 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3658 hci_conn_drop(conn);
3662 /* Try reading the encryption key size for encrypted ACL links */
3663 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3664 struct hci_cp_read_enc_key_size cp;
3666 /* Only send HCI_Read_Encryption_Key_Size if the
3667 * controller really supports it. If it doesn't, assume
3668 * the default size (16).
3670 if (!(hdev->commands[20] & 0x10)) {
3671 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3675 cp.handle = cpu_to_le16(conn->handle);
3676 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3678 bt_dev_err(hdev, "sending read key size failed");
3679 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3686 /* Set the default Authenticated Payload Timeout after
3687 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3688 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3689 * sent when the link is active and Encryption is enabled, the conn
3690 * type can be either LE or ACL and controller must support LMP Ping.
3691 * Ensure for AES-CCM encryption as well.
3693 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3694 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3695 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3696 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3697 struct hci_cp_write_auth_payload_to cp;
3699 cp.handle = cpu_to_le16(conn->handle);
3700 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3701 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3703 bt_dev_err(hdev, "write auth payload timeout failed");
3707 hci_encrypt_cfm(conn, ev->status);
3710 hci_dev_unlock(hdev);
3713 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3714 struct sk_buff *skb)
3716 struct hci_ev_change_link_key_complete *ev = data;
3717 struct hci_conn *conn;
3719 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3723 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3726 set_bit(HCI_CONN_SECURE, &conn->flags);
3728 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3730 hci_key_change_cfm(conn, ev->status);
3733 hci_dev_unlock(hdev);
3736 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3737 struct sk_buff *skb)
3739 struct hci_ev_remote_features *ev = data;
3740 struct hci_conn *conn;
3742 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3746 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3751 memcpy(conn->features[0], ev->features, 8);
3753 if (conn->state != BT_CONFIG)
3756 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3757 lmp_ext_feat_capable(conn)) {
3758 struct hci_cp_read_remote_ext_features cp;
3759 cp.handle = ev->handle;
3761 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3766 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3767 struct hci_cp_remote_name_req cp;
3768 memset(&cp, 0, sizeof(cp));
3769 bacpy(&cp.bdaddr, &conn->dst);
3770 cp.pscan_rep_mode = 0x02;
3771 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3772 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3773 mgmt_device_connected(hdev, conn, NULL, 0);
3775 if (!hci_outgoing_auth_needed(hdev, conn)) {
3776 conn->state = BT_CONNECTED;
3777 hci_connect_cfm(conn, ev->status);
3778 hci_conn_drop(conn);
3782 hci_dev_unlock(hdev);
3785 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3787 cancel_delayed_work(&hdev->cmd_timer);
3790 if (!test_bit(HCI_RESET, &hdev->flags)) {
3792 cancel_delayed_work(&hdev->ncmd_timer);
3793 atomic_set(&hdev->cmd_cnt, 1);
3795 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3796 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3803 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3804 struct sk_buff *skb)
3806 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3808 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3813 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3814 hdev->le_pkts = rp->acl_max_pkt;
3815 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3816 hdev->iso_pkts = rp->iso_max_pkt;
3818 hdev->le_cnt = hdev->le_pkts;
3819 hdev->iso_cnt = hdev->iso_pkts;
3821 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3822 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3827 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3829 struct hci_conn *conn, *tmp;
3831 lockdep_assert_held(&hdev->lock);
3833 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3834 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3835 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3838 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3839 hci_conn_failed(conn, status);
3843 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3844 struct sk_buff *skb)
3846 struct hci_rp_le_set_cig_params *rp = data;
3847 struct hci_cp_le_set_cig_params *cp;
3848 struct hci_conn *conn;
3849 u8 status = rp->status;
3850 bool pending = false;
3853 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3855 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3856 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3857 rp->cig_id != cp->cig_id)) {
3858 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3859 status = HCI_ERROR_UNSPECIFIED;
3864 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3866 * If the Status return parameter is non-zero, then the state of the CIG
3867 * and its CIS configurations shall not be changed by the command. If
3868 * the CIG did not already exist, it shall not be created.
3871 /* Keep current configuration, fail only the unbound CIS */
3872 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3876 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3878 * If the Status return parameter is zero, then the Controller shall
3879 * set the Connection_Handle arrayed return parameter to the connection
3880 * handle(s) corresponding to the CIS configurations specified in
3881 * the CIS_IDs command parameter, in the same order.
3883 for (i = 0; i < rp->num_handles; ++i) {
3884 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3886 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3889 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3892 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3895 if (conn->state == BT_CONNECT)
3901 hci_le_create_cis_pending(hdev);
3903 hci_dev_unlock(hdev);
3908 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3909 struct sk_buff *skb)
3911 struct hci_rp_le_setup_iso_path *rp = data;
3912 struct hci_cp_le_setup_iso_path *cp;
3913 struct hci_conn *conn;
3915 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3917 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3923 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3928 hci_connect_cfm(conn, rp->status);
3933 switch (cp->direction) {
3934 /* Input (Host to Controller) */
3936 /* Only confirm connection if output only */
3937 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3938 hci_connect_cfm(conn, rp->status);
3940 /* Output (Controller to Host) */
3942 /* Confirm connection since conn->iso_qos is always configured
3945 hci_connect_cfm(conn, rp->status);
3950 hci_dev_unlock(hdev);
3954 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3956 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3959 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3960 struct sk_buff *skb)
3962 struct hci_ev_status *rp = data;
3963 struct hci_cp_le_set_per_adv_params *cp;
3965 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3970 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3974 /* TODO: set the conn state */
3978 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3979 struct sk_buff *skb)
3981 struct hci_ev_status *rp = data;
3982 struct hci_cp_le_set_per_adv_enable *cp;
3983 struct adv_info *adv = NULL, *n;
3986 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3991 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3997 adv = hci_find_adv_instance(hdev, cp->handle);
4000 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4003 adv->enabled = true;
4005 /* If just one instance was disabled check if there are
4006 * any other instance enabled before clearing HCI_LE_PER_ADV.
4007 * The current periodic adv instance will be marked as
4008 * disabled once extended advertising is also disabled.
4010 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4012 if (adv->periodic && adv->enabled)
4016 if (per_adv_cnt > 1)
4019 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4023 hci_dev_unlock(hdev);
4028 #define HCI_CC_VL(_op, _func, _min, _max) \
4036 #define HCI_CC(_op, _func, _len) \
4037 HCI_CC_VL(_op, _func, _len, _len)
4039 #define HCI_CC_STATUS(_op, _func) \
4040 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4042 static const struct hci_cc {
4044 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4047 } hci_cc_table[] = {
4048 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4049 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4050 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4051 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4052 hci_cc_remote_name_req_cancel),
4053 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4054 sizeof(struct hci_rp_role_discovery)),
4055 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4056 sizeof(struct hci_rp_read_link_policy)),
4057 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4058 sizeof(struct hci_rp_write_link_policy)),
4059 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4060 sizeof(struct hci_rp_read_def_link_policy)),
4061 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4062 hci_cc_write_def_link_policy),
4063 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4064 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4065 sizeof(struct hci_rp_read_stored_link_key)),
4066 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4067 sizeof(struct hci_rp_delete_stored_link_key)),
4068 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4069 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4070 sizeof(struct hci_rp_read_local_name)),
4071 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4072 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4073 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4074 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4075 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4076 sizeof(struct hci_rp_read_class_of_dev)),
4077 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4078 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4079 sizeof(struct hci_rp_read_voice_setting)),
4080 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4081 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4082 sizeof(struct hci_rp_read_num_supported_iac)),
4083 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4084 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4085 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4086 sizeof(struct hci_rp_read_auth_payload_to)),
4087 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4088 sizeof(struct hci_rp_write_auth_payload_to)),
4089 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4090 sizeof(struct hci_rp_read_local_version)),
4091 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4092 sizeof(struct hci_rp_read_local_commands)),
4093 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4094 sizeof(struct hci_rp_read_local_features)),
4095 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4096 sizeof(struct hci_rp_read_local_ext_features)),
4097 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4098 sizeof(struct hci_rp_read_buffer_size)),
4099 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4100 sizeof(struct hci_rp_read_bd_addr)),
4101 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4102 sizeof(struct hci_rp_read_local_pairing_opts)),
4103 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4104 sizeof(struct hci_rp_read_page_scan_activity)),
4105 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4106 hci_cc_write_page_scan_activity),
4107 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4108 sizeof(struct hci_rp_read_page_scan_type)),
4109 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4110 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4111 sizeof(struct hci_rp_read_data_block_size)),
4112 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4113 sizeof(struct hci_rp_read_flow_control_mode)),
4114 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4115 sizeof(struct hci_rp_read_local_amp_info)),
4116 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4117 sizeof(struct hci_rp_read_clock)),
4118 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4119 sizeof(struct hci_rp_read_enc_key_size)),
4120 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4121 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4122 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4123 hci_cc_read_def_err_data_reporting,
4124 sizeof(struct hci_rp_read_def_err_data_reporting)),
4125 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4126 hci_cc_write_def_err_data_reporting),
4127 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4128 sizeof(struct hci_rp_pin_code_reply)),
4129 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4130 sizeof(struct hci_rp_pin_code_neg_reply)),
4131 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4132 sizeof(struct hci_rp_read_local_oob_data)),
4133 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4134 sizeof(struct hci_rp_read_local_oob_ext_data)),
4135 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4136 sizeof(struct hci_rp_le_read_buffer_size)),
4137 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4138 sizeof(struct hci_rp_le_read_local_features)),
4139 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4140 sizeof(struct hci_rp_le_read_adv_tx_power)),
4141 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4142 sizeof(struct hci_rp_user_confirm_reply)),
4143 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4144 sizeof(struct hci_rp_user_confirm_reply)),
4145 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4146 sizeof(struct hci_rp_user_confirm_reply)),
4147 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4148 sizeof(struct hci_rp_user_confirm_reply)),
4149 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4150 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4151 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4152 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4153 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4154 hci_cc_le_read_accept_list_size,
4155 sizeof(struct hci_rp_le_read_accept_list_size)),
4156 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4157 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4158 hci_cc_le_add_to_accept_list),
4159 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4160 hci_cc_le_del_from_accept_list),
4161 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4162 sizeof(struct hci_rp_le_read_supported_states)),
4163 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4164 sizeof(struct hci_rp_le_read_def_data_len)),
4165 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4166 hci_cc_le_write_def_data_len),
4167 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4168 hci_cc_le_add_to_resolv_list),
4169 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4170 hci_cc_le_del_from_resolv_list),
4171 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4172 hci_cc_le_clear_resolv_list),
4173 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4174 sizeof(struct hci_rp_le_read_resolv_list_size)),
4175 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4176 hci_cc_le_set_addr_resolution_enable),
4177 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4178 sizeof(struct hci_rp_le_read_max_data_len)),
4179 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4180 hci_cc_write_le_host_supported),
4181 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4182 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4183 sizeof(struct hci_rp_read_rssi)),
4184 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4185 sizeof(struct hci_rp_read_tx_power)),
4186 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4187 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4188 hci_cc_le_set_ext_scan_param),
4189 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4190 hci_cc_le_set_ext_scan_enable),
4191 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4192 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4193 hci_cc_le_read_num_adv_sets,
4194 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4195 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4196 sizeof(struct hci_rp_le_set_ext_adv_params)),
4197 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4198 hci_cc_le_set_ext_adv_enable),
4199 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4200 hci_cc_le_set_adv_set_random_addr),
4201 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4202 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4203 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4204 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4205 hci_cc_le_set_per_adv_enable),
4206 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4207 sizeof(struct hci_rp_le_read_transmit_power)),
4208 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4209 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4210 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4211 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4212 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4213 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4214 sizeof(struct hci_rp_le_setup_iso_path)),
4217 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4218 struct sk_buff *skb)
4222 if (skb->len < cc->min_len) {
4223 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4224 cc->op, skb->len, cc->min_len);
4225 return HCI_ERROR_UNSPECIFIED;
4228 /* Just warn if the length is over max_len size it still be possible to
4229 * partially parse the cc so leave to callback to decide if that is
4232 if (skb->len > cc->max_len)
4233 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4234 cc->op, skb->len, cc->max_len);
4236 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4238 return HCI_ERROR_UNSPECIFIED;
4240 return cc->func(hdev, data, skb);
4243 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4244 struct sk_buff *skb, u16 *opcode, u8 *status,
4245 hci_req_complete_t *req_complete,
4246 hci_req_complete_skb_t *req_complete_skb)
4248 struct hci_ev_cmd_complete *ev = data;
4251 *opcode = __le16_to_cpu(ev->opcode);
4253 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4255 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4256 if (hci_cc_table[i].op == *opcode) {
4257 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4262 if (i == ARRAY_SIZE(hci_cc_table)) {
4263 /* Unknown opcode, assume byte 0 contains the status, so
4264 * that e.g. __hci_cmd_sync() properly returns errors
4265 * for vendor specific commands send by HCI drivers.
4266 * If a vendor doesn't actually follow this convention we may
4267 * need to introduce a vendor CC table in order to properly set
4270 *status = skb->data[0];
4273 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4275 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4278 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4280 "unexpected event for opcode 0x%4.4x", *opcode);
4284 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4285 queue_work(hdev->workqueue, &hdev->cmd_work);
4288 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4290 struct hci_cp_le_create_cis *cp;
4291 bool pending = false;
4294 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4299 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4305 /* Remove connection if command failed */
4306 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4307 struct hci_conn *conn;
4310 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4312 conn = hci_conn_hash_lookup_handle(hdev, handle);
4314 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4317 conn->state = BT_CLOSED;
4318 hci_connect_cfm(conn, status);
4324 hci_le_create_cis_pending(hdev);
4326 hci_dev_unlock(hdev);
4329 #define HCI_CS(_op, _func) \
4335 static const struct hci_cs {
4337 void (*func)(struct hci_dev *hdev, __u8 status);
4338 } hci_cs_table[] = {
4339 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4340 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4341 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4342 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4343 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4344 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4345 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4346 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4347 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4348 hci_cs_read_remote_ext_features),
4349 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4350 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4351 hci_cs_enhanced_setup_sync_conn),
4352 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4353 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4354 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4355 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4356 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4357 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4358 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4359 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4360 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4363 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4364 struct sk_buff *skb, u16 *opcode, u8 *status,
4365 hci_req_complete_t *req_complete,
4366 hci_req_complete_skb_t *req_complete_skb)
4368 struct hci_ev_cmd_status *ev = data;
4371 *opcode = __le16_to_cpu(ev->opcode);
4372 *status = ev->status;
4374 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4376 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4377 if (hci_cs_table[i].op == *opcode) {
4378 hci_cs_table[i].func(hdev, ev->status);
4383 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4385 /* Indicate request completion if the command failed. Also, if
4386 * we're not waiting for a special event and we get a success
4387 * command status we should try to flag the request as completed
4388 * (since for this kind of commands there will not be a command
4391 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4392 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4394 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4395 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4401 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4402 queue_work(hdev->workqueue, &hdev->cmd_work);
4405 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4406 struct sk_buff *skb)
4408 struct hci_ev_hardware_error *ev = data;
4410 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4412 hdev->hw_error_code = ev->code;
4414 queue_work(hdev->req_workqueue, &hdev->error_reset);
4417 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4418 struct sk_buff *skb)
4420 struct hci_ev_role_change *ev = data;
4421 struct hci_conn *conn;
4423 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4427 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4430 conn->role = ev->role;
4432 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4434 hci_role_switch_cfm(conn, ev->status, ev->role);
4437 hci_dev_unlock(hdev);
4440 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4441 struct sk_buff *skb)
4443 struct hci_ev_num_comp_pkts *ev = data;
4446 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4447 flex_array_size(ev, handles, ev->num)))
4450 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4451 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4455 bt_dev_dbg(hdev, "num %d", ev->num);
4457 for (i = 0; i < ev->num; i++) {
4458 struct hci_comp_pkts_info *info = &ev->handles[i];
4459 struct hci_conn *conn;
4460 __u16 handle, count;
4462 handle = __le16_to_cpu(info->handle);
4463 count = __le16_to_cpu(info->count);
4465 conn = hci_conn_hash_lookup_handle(hdev, handle);
4469 conn->sent -= count;
4471 switch (conn->type) {
4473 hdev->acl_cnt += count;
4474 if (hdev->acl_cnt > hdev->acl_pkts)
4475 hdev->acl_cnt = hdev->acl_pkts;
4479 if (hdev->le_pkts) {
4480 hdev->le_cnt += count;
4481 if (hdev->le_cnt > hdev->le_pkts)
4482 hdev->le_cnt = hdev->le_pkts;
4484 hdev->acl_cnt += count;
4485 if (hdev->acl_cnt > hdev->acl_pkts)
4486 hdev->acl_cnt = hdev->acl_pkts;
4491 hdev->sco_cnt += count;
4492 if (hdev->sco_cnt > hdev->sco_pkts)
4493 hdev->sco_cnt = hdev->sco_pkts;
4497 if (hdev->iso_pkts) {
4498 hdev->iso_cnt += count;
4499 if (hdev->iso_cnt > hdev->iso_pkts)
4500 hdev->iso_cnt = hdev->iso_pkts;
4501 } else if (hdev->le_pkts) {
4502 hdev->le_cnt += count;
4503 if (hdev->le_cnt > hdev->le_pkts)
4504 hdev->le_cnt = hdev->le_pkts;
4506 hdev->acl_cnt += count;
4507 if (hdev->acl_cnt > hdev->acl_pkts)
4508 hdev->acl_cnt = hdev->acl_pkts;
4513 bt_dev_err(hdev, "unknown type %d conn %p",
4519 queue_work(hdev->workqueue, &hdev->tx_work);
4522 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4525 struct hci_chan *chan;
4527 switch (hdev->dev_type) {
4529 return hci_conn_hash_lookup_handle(hdev, handle);
4531 chan = hci_chan_lookup_handle(hdev, handle);
4536 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4543 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4544 struct sk_buff *skb)
4546 struct hci_ev_num_comp_blocks *ev = data;
4549 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4550 flex_array_size(ev, handles, ev->num_hndl)))
4553 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4554 bt_dev_err(hdev, "wrong event for mode %d",
4555 hdev->flow_ctl_mode);
4559 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4562 for (i = 0; i < ev->num_hndl; i++) {
4563 struct hci_comp_blocks_info *info = &ev->handles[i];
4564 struct hci_conn *conn = NULL;
4565 __u16 handle, block_count;
4567 handle = __le16_to_cpu(info->handle);
4568 block_count = __le16_to_cpu(info->blocks);
4570 conn = __hci_conn_lookup_handle(hdev, handle);
4574 conn->sent -= block_count;
4576 switch (conn->type) {
4579 hdev->block_cnt += block_count;
4580 if (hdev->block_cnt > hdev->num_blocks)
4581 hdev->block_cnt = hdev->num_blocks;
4585 bt_dev_err(hdev, "unknown type %d conn %p",
4591 queue_work(hdev->workqueue, &hdev->tx_work);
4594 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4595 struct sk_buff *skb)
4597 struct hci_ev_mode_change *ev = data;
4598 struct hci_conn *conn;
4600 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4604 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4606 conn->mode = ev->mode;
4608 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4610 if (conn->mode == HCI_CM_ACTIVE)
4611 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4613 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4616 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4617 hci_sco_setup(conn, ev->status);
4620 hci_dev_unlock(hdev);
4623 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4624 struct sk_buff *skb)
4626 struct hci_ev_pin_code_req *ev = data;
4627 struct hci_conn *conn;
4629 bt_dev_dbg(hdev, "");
4633 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4637 if (conn->state == BT_CONNECTED) {
4638 hci_conn_hold(conn);
4639 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4640 hci_conn_drop(conn);
4643 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4644 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4645 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4646 sizeof(ev->bdaddr), &ev->bdaddr);
4647 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4650 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4655 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4659 hci_dev_unlock(hdev);
4662 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4664 if (key_type == HCI_LK_CHANGED_COMBINATION)
4667 conn->pin_length = pin_len;
4668 conn->key_type = key_type;
4671 case HCI_LK_LOCAL_UNIT:
4672 case HCI_LK_REMOTE_UNIT:
4673 case HCI_LK_DEBUG_COMBINATION:
4675 case HCI_LK_COMBINATION:
4677 conn->pending_sec_level = BT_SECURITY_HIGH;
4679 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4681 case HCI_LK_UNAUTH_COMBINATION_P192:
4682 case HCI_LK_UNAUTH_COMBINATION_P256:
4683 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4685 case HCI_LK_AUTH_COMBINATION_P192:
4686 conn->pending_sec_level = BT_SECURITY_HIGH;
4688 case HCI_LK_AUTH_COMBINATION_P256:
4689 conn->pending_sec_level = BT_SECURITY_FIPS;
4694 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4695 struct sk_buff *skb)
4697 struct hci_ev_link_key_req *ev = data;
4698 struct hci_cp_link_key_reply cp;
4699 struct hci_conn *conn;
4700 struct link_key *key;
4702 bt_dev_dbg(hdev, "");
4704 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4709 key = hci_find_link_key(hdev, &ev->bdaddr);
4711 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4715 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4717 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4719 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4721 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4722 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4723 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4724 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4728 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4729 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4730 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4731 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4735 conn_set_key(conn, key->type, key->pin_len);
4738 bacpy(&cp.bdaddr, &ev->bdaddr);
4739 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4741 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4743 hci_dev_unlock(hdev);
4748 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4749 hci_dev_unlock(hdev);
4752 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4753 struct sk_buff *skb)
4755 struct hci_ev_link_key_notify *ev = data;
4756 struct hci_conn *conn;
4757 struct link_key *key;
4761 bt_dev_dbg(hdev, "");
4765 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4769 /* Ignore NULL link key against CVE-2020-26555 */
4770 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4771 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4773 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4774 hci_conn_drop(conn);
4778 hci_conn_hold(conn);
4779 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4780 hci_conn_drop(conn);
4782 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4783 conn_set_key(conn, ev->key_type, conn->pin_length);
4785 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4788 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4789 ev->key_type, pin_len, &persistent);
4793 /* Update connection information since adding the key will have
4794 * fixed up the type in the case of changed combination keys.
4796 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4797 conn_set_key(conn, key->type, key->pin_len);
4799 mgmt_new_link_key(hdev, key, persistent);
4801 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4802 * is set. If it's not set simply remove the key from the kernel
4803 * list (we've still notified user space about it but with
4804 * store_hint being 0).
4806 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4807 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4808 list_del_rcu(&key->list);
4809 kfree_rcu(key, rcu);
4814 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4816 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4819 hci_dev_unlock(hdev);
4822 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4823 struct sk_buff *skb)
4825 struct hci_ev_clock_offset *ev = data;
4826 struct hci_conn *conn;
4828 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4832 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4833 if (conn && !ev->status) {
4834 struct inquiry_entry *ie;
4836 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4838 ie->data.clock_offset = ev->clock_offset;
4839 ie->timestamp = jiffies;
4843 hci_dev_unlock(hdev);
4846 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4847 struct sk_buff *skb)
4849 struct hci_ev_pkt_type_change *ev = data;
4850 struct hci_conn *conn;
4852 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4856 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4857 if (conn && !ev->status)
4858 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4860 hci_dev_unlock(hdev);
4863 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4864 struct sk_buff *skb)
4866 struct hci_ev_pscan_rep_mode *ev = data;
4867 struct inquiry_entry *ie;
4869 bt_dev_dbg(hdev, "");
4873 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4875 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4876 ie->timestamp = jiffies;
4879 hci_dev_unlock(hdev);
4882 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4883 struct sk_buff *skb)
4885 struct hci_ev_inquiry_result_rssi *ev = edata;
4886 struct inquiry_data data;
4889 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4894 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4899 if (skb->len == array_size(ev->num,
4900 sizeof(struct inquiry_info_rssi_pscan))) {
4901 struct inquiry_info_rssi_pscan *info;
4903 for (i = 0; i < ev->num; i++) {
4906 info = hci_ev_skb_pull(hdev, skb,
4907 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4910 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4911 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4915 bacpy(&data.bdaddr, &info->bdaddr);
4916 data.pscan_rep_mode = info->pscan_rep_mode;
4917 data.pscan_period_mode = info->pscan_period_mode;
4918 data.pscan_mode = info->pscan_mode;
4919 memcpy(data.dev_class, info->dev_class, 3);
4920 data.clock_offset = info->clock_offset;
4921 data.rssi = info->rssi;
4922 data.ssp_mode = 0x00;
4924 flags = hci_inquiry_cache_update(hdev, &data, false);
4926 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4927 info->dev_class, info->rssi,
4928 flags, NULL, 0, NULL, 0, 0);
4930 } else if (skb->len == array_size(ev->num,
4931 sizeof(struct inquiry_info_rssi))) {
4932 struct inquiry_info_rssi *info;
4934 for (i = 0; i < ev->num; i++) {
4937 info = hci_ev_skb_pull(hdev, skb,
4938 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4941 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4942 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4946 bacpy(&data.bdaddr, &info->bdaddr);
4947 data.pscan_rep_mode = info->pscan_rep_mode;
4948 data.pscan_period_mode = info->pscan_period_mode;
4949 data.pscan_mode = 0x00;
4950 memcpy(data.dev_class, info->dev_class, 3);
4951 data.clock_offset = info->clock_offset;
4952 data.rssi = info->rssi;
4953 data.ssp_mode = 0x00;
4955 flags = hci_inquiry_cache_update(hdev, &data, false);
4957 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4958 info->dev_class, info->rssi,
4959 flags, NULL, 0, NULL, 0, 0);
4962 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4963 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4966 hci_dev_unlock(hdev);
4969 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4970 struct sk_buff *skb)
4972 struct hci_ev_remote_ext_features *ev = data;
4973 struct hci_conn *conn;
4975 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4979 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4983 if (ev->page < HCI_MAX_PAGES)
4984 memcpy(conn->features[ev->page], ev->features, 8);
4986 if (!ev->status && ev->page == 0x01) {
4987 struct inquiry_entry *ie;
4989 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4991 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4993 if (ev->features[0] & LMP_HOST_SSP) {
4994 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4996 /* It is mandatory by the Bluetooth specification that
4997 * Extended Inquiry Results are only used when Secure
4998 * Simple Pairing is enabled, but some devices violate
5001 * To make these devices work, the internal SSP
5002 * enabled flag needs to be cleared if the remote host
5003 * features do not indicate SSP support */
5004 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5007 if (ev->features[0] & LMP_HOST_SC)
5008 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5011 if (conn->state != BT_CONFIG)
5014 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5015 struct hci_cp_remote_name_req cp;
5016 memset(&cp, 0, sizeof(cp));
5017 bacpy(&cp.bdaddr, &conn->dst);
5018 cp.pscan_rep_mode = 0x02;
5019 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5020 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5021 mgmt_device_connected(hdev, conn, NULL, 0);
5023 if (!hci_outgoing_auth_needed(hdev, conn)) {
5024 conn->state = BT_CONNECTED;
5025 hci_connect_cfm(conn, ev->status);
5026 hci_conn_drop(conn);
5030 hci_dev_unlock(hdev);
5033 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5034 struct sk_buff *skb)
5036 struct hci_ev_sync_conn_complete *ev = data;
5037 struct hci_conn *conn;
5038 u8 status = ev->status;
5040 switch (ev->link_type) {
5045 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5046 * for HCI_Synchronous_Connection_Complete is limited to
5047 * either SCO or eSCO
5049 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5053 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5057 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5059 if (ev->link_type == ESCO_LINK)
5062 /* When the link type in the event indicates SCO connection
5063 * and lookup of the connection object fails, then check
5064 * if an eSCO connection object exists.
5066 * The core limits the synchronous connections to either
5067 * SCO or eSCO. The eSCO connection is preferred and tried
5068 * to be setup first and until successfully established,
5069 * the link type will be hinted as eSCO.
5071 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5076 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5077 * Processing it more than once per connection can corrupt kernel memory.
5079 * As the connection handle is set here for the first time, it indicates
5080 * whether the connection is already set up.
5082 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5083 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5089 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5091 conn->state = BT_CLOSED;
5095 conn->state = BT_CONNECTED;
5096 conn->type = ev->link_type;
5098 hci_debugfs_create_conn(conn);
5099 hci_conn_add_sysfs(conn);
5102 case 0x10: /* Connection Accept Timeout */
5103 case 0x0d: /* Connection Rejected due to Limited Resources */
5104 case 0x11: /* Unsupported Feature or Parameter Value */
5105 case 0x1c: /* SCO interval rejected */
5106 case 0x1a: /* Unsupported Remote Feature */
5107 case 0x1e: /* Invalid LMP Parameters */
5108 case 0x1f: /* Unspecified error */
5109 case 0x20: /* Unsupported LMP Parameter value */
5111 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5112 (hdev->esco_type & EDR_ESCO_MASK);
5113 if (hci_setup_sync(conn, conn->parent->handle))
5119 conn->state = BT_CLOSED;
5123 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5124 /* Notify only in case of SCO over HCI transport data path which
5125 * is zero and non-zero value shall be non-HCI transport data path
5127 if (conn->codec.data_path == 0 && hdev->notify) {
5128 switch (ev->air_mode) {
5130 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5133 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5138 hci_connect_cfm(conn, status);
5143 hci_dev_unlock(hdev);
5146 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5150 while (parsed < eir_len) {
5151 u8 field_len = eir[0];
5156 parsed += field_len + 1;
5157 eir += field_len + 1;
5163 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5164 struct sk_buff *skb)
5166 struct hci_ev_ext_inquiry_result *ev = edata;
5167 struct inquiry_data data;
5171 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5172 flex_array_size(ev, info, ev->num)))
5175 bt_dev_dbg(hdev, "num %d", ev->num);
5180 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5185 for (i = 0; i < ev->num; i++) {
5186 struct extended_inquiry_info *info = &ev->info[i];
5190 bacpy(&data.bdaddr, &info->bdaddr);
5191 data.pscan_rep_mode = info->pscan_rep_mode;
5192 data.pscan_period_mode = info->pscan_period_mode;
5193 data.pscan_mode = 0x00;
5194 memcpy(data.dev_class, info->dev_class, 3);
5195 data.clock_offset = info->clock_offset;
5196 data.rssi = info->rssi;
5197 data.ssp_mode = 0x01;
5199 if (hci_dev_test_flag(hdev, HCI_MGMT))
5200 name_known = eir_get_data(info->data,
5202 EIR_NAME_COMPLETE, NULL);
5206 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5208 eir_len = eir_get_length(info->data, sizeof(info->data));
5210 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5211 info->dev_class, info->rssi,
5212 flags, info->data, eir_len, NULL, 0, 0);
5215 hci_dev_unlock(hdev);
5218 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5219 struct sk_buff *skb)
5221 struct hci_ev_key_refresh_complete *ev = data;
5222 struct hci_conn *conn;
5224 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5225 __le16_to_cpu(ev->handle));
5229 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5233 /* For BR/EDR the necessary steps are taken through the
5234 * auth_complete event.
5236 if (conn->type != LE_LINK)
5240 conn->sec_level = conn->pending_sec_level;
5242 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5244 if (ev->status && conn->state == BT_CONNECTED) {
5245 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5246 hci_conn_drop(conn);
5250 if (conn->state == BT_CONFIG) {
5252 conn->state = BT_CONNECTED;
5254 hci_connect_cfm(conn, ev->status);
5255 hci_conn_drop(conn);
5257 hci_auth_cfm(conn, ev->status);
5259 hci_conn_hold(conn);
5260 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5261 hci_conn_drop(conn);
5265 hci_dev_unlock(hdev);
5268 static u8 hci_get_auth_req(struct hci_conn *conn)
5270 /* If remote requests no-bonding follow that lead */
5271 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5272 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5273 return conn->remote_auth | (conn->auth_type & 0x01);
5275 /* If both remote and local have enough IO capabilities, require
5278 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5279 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5280 return conn->remote_auth | 0x01;
5282 /* No MITM protection possible so ignore remote requirement */
5283 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5286 static u8 bredr_oob_data_present(struct hci_conn *conn)
5288 struct hci_dev *hdev = conn->hdev;
5289 struct oob_data *data;
5291 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5295 if (bredr_sc_enabled(hdev)) {
5296 /* When Secure Connections is enabled, then just
5297 * return the present value stored with the OOB
5298 * data. The stored value contains the right present
5299 * information. However it can only be trusted when
5300 * not in Secure Connection Only mode.
5302 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5303 return data->present;
5305 /* When Secure Connections Only mode is enabled, then
5306 * the P-256 values are required. If they are not
5307 * available, then do not declare that OOB data is
5310 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5311 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5317 /* When Secure Connections is not enabled or actually
5318 * not supported by the hardware, then check that if
5319 * P-192 data values are present.
5321 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5322 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5328 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5329 struct sk_buff *skb)
5331 struct hci_ev_io_capa_request *ev = data;
5332 struct hci_conn *conn;
5334 bt_dev_dbg(hdev, "");
5338 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5339 if (!conn || !hci_conn_ssp_enabled(conn))
5342 hci_conn_hold(conn);
5344 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5347 /* Allow pairing if we're pairable, the initiators of the
5348 * pairing or if the remote is not requesting bonding.
5350 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5351 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5352 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5353 struct hci_cp_io_capability_reply cp;
5355 bacpy(&cp.bdaddr, &ev->bdaddr);
5356 /* Change the IO capability from KeyboardDisplay
5357 * to DisplayYesNo as it is not supported by BT spec. */
5358 cp.capability = (conn->io_capability == 0x04) ?
5359 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5361 /* If we are initiators, there is no remote information yet */
5362 if (conn->remote_auth == 0xff) {
5363 /* Request MITM protection if our IO caps allow it
5364 * except for the no-bonding case.
5366 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5367 conn->auth_type != HCI_AT_NO_BONDING)
5368 conn->auth_type |= 0x01;
5370 conn->auth_type = hci_get_auth_req(conn);
5373 /* If we're not bondable, force one of the non-bondable
5374 * authentication requirement values.
5376 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5377 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5379 cp.authentication = conn->auth_type;
5380 cp.oob_data = bredr_oob_data_present(conn);
5382 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5385 struct hci_cp_io_capability_neg_reply cp;
5387 bacpy(&cp.bdaddr, &ev->bdaddr);
5388 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5390 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5395 hci_dev_unlock(hdev);
5398 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5399 struct sk_buff *skb)
5401 struct hci_ev_io_capa_reply *ev = data;
5402 struct hci_conn *conn;
5404 bt_dev_dbg(hdev, "");
5408 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5412 conn->remote_cap = ev->capability;
5413 conn->remote_auth = ev->authentication;
5416 hci_dev_unlock(hdev);
5419 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5420 struct sk_buff *skb)
5422 struct hci_ev_user_confirm_req *ev = data;
5423 int loc_mitm, rem_mitm, confirm_hint = 0;
5424 struct hci_conn *conn;
5426 bt_dev_dbg(hdev, "");
5430 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5433 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5437 loc_mitm = (conn->auth_type & 0x01);
5438 rem_mitm = (conn->remote_auth & 0x01);
5440 /* If we require MITM but the remote device can't provide that
5441 * (it has NoInputNoOutput) then reject the confirmation
5442 * request. We check the security level here since it doesn't
5443 * necessarily match conn->auth_type.
5445 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5446 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5447 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5448 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5449 sizeof(ev->bdaddr), &ev->bdaddr);
5453 /* If no side requires MITM protection; auto-accept */
5454 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5455 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5457 /* If we're not the initiators request authorization to
5458 * proceed from user space (mgmt_user_confirm with
5459 * confirm_hint set to 1). The exception is if neither
5460 * side had MITM or if the local IO capability is
5461 * NoInputNoOutput, in which case we do auto-accept
5463 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5464 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5465 (loc_mitm || rem_mitm)) {
5466 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5471 /* If there already exists link key in local host, leave the
5472 * decision to user space since the remote device could be
5473 * legitimate or malicious.
5475 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5476 bt_dev_dbg(hdev, "Local host already has link key");
5481 BT_DBG("Auto-accept of user confirmation with %ums delay",
5482 hdev->auto_accept_delay);
5484 if (hdev->auto_accept_delay > 0) {
5485 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5486 queue_delayed_work(conn->hdev->workqueue,
5487 &conn->auto_accept_work, delay);
5491 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5492 sizeof(ev->bdaddr), &ev->bdaddr);
5497 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5498 le32_to_cpu(ev->passkey), confirm_hint);
5501 hci_dev_unlock(hdev);
5504 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5505 struct sk_buff *skb)
5507 struct hci_ev_user_passkey_req *ev = data;
5509 bt_dev_dbg(hdev, "");
5511 if (hci_dev_test_flag(hdev, HCI_MGMT))
5512 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5515 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5516 struct sk_buff *skb)
5518 struct hci_ev_user_passkey_notify *ev = data;
5519 struct hci_conn *conn;
5521 bt_dev_dbg(hdev, "");
5523 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5527 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5528 conn->passkey_entered = 0;
5530 if (hci_dev_test_flag(hdev, HCI_MGMT))
5531 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5532 conn->dst_type, conn->passkey_notify,
5533 conn->passkey_entered);
5536 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5537 struct sk_buff *skb)
5539 struct hci_ev_keypress_notify *ev = data;
5540 struct hci_conn *conn;
5542 bt_dev_dbg(hdev, "");
5544 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5549 case HCI_KEYPRESS_STARTED:
5550 conn->passkey_entered = 0;
5553 case HCI_KEYPRESS_ENTERED:
5554 conn->passkey_entered++;
5557 case HCI_KEYPRESS_ERASED:
5558 conn->passkey_entered--;
5561 case HCI_KEYPRESS_CLEARED:
5562 conn->passkey_entered = 0;
5565 case HCI_KEYPRESS_COMPLETED:
5569 if (hci_dev_test_flag(hdev, HCI_MGMT))
5570 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5571 conn->dst_type, conn->passkey_notify,
5572 conn->passkey_entered);
5575 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5576 struct sk_buff *skb)
5578 struct hci_ev_simple_pair_complete *ev = data;
5579 struct hci_conn *conn;
5581 bt_dev_dbg(hdev, "");
5585 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5586 if (!conn || !hci_conn_ssp_enabled(conn))
5589 /* Reset the authentication requirement to unknown */
5590 conn->remote_auth = 0xff;
5592 /* To avoid duplicate auth_failed events to user space we check
5593 * the HCI_CONN_AUTH_PEND flag which will be set if we
5594 * initiated the authentication. A traditional auth_complete
5595 * event gets always produced as initiator and is also mapped to
5596 * the mgmt_auth_failed event */
5597 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5598 mgmt_auth_failed(conn, ev->status);
5600 hci_conn_drop(conn);
5603 hci_dev_unlock(hdev);
5606 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5607 struct sk_buff *skb)
5609 struct hci_ev_remote_host_features *ev = data;
5610 struct inquiry_entry *ie;
5611 struct hci_conn *conn;
5613 bt_dev_dbg(hdev, "");
5617 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5619 memcpy(conn->features[1], ev->features, 8);
5621 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5623 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5625 hci_dev_unlock(hdev);
5628 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5629 struct sk_buff *skb)
5631 struct hci_ev_remote_oob_data_request *ev = edata;
5632 struct oob_data *data;
5634 bt_dev_dbg(hdev, "");
5638 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5641 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5643 struct hci_cp_remote_oob_data_neg_reply cp;
5645 bacpy(&cp.bdaddr, &ev->bdaddr);
5646 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5651 if (bredr_sc_enabled(hdev)) {
5652 struct hci_cp_remote_oob_ext_data_reply cp;
5654 bacpy(&cp.bdaddr, &ev->bdaddr);
5655 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5656 memset(cp.hash192, 0, sizeof(cp.hash192));
5657 memset(cp.rand192, 0, sizeof(cp.rand192));
5659 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5660 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5662 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5663 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5665 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5668 struct hci_cp_remote_oob_data_reply cp;
5670 bacpy(&cp.bdaddr, &ev->bdaddr);
5671 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5672 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5674 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5679 hci_dev_unlock(hdev);
5682 #if IS_ENABLED(CONFIG_BT_HS)
5683 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5684 struct sk_buff *skb)
5686 struct hci_ev_channel_selected *ev = data;
5687 struct hci_conn *hcon;
5689 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5691 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5695 amp_read_loc_assoc_final_data(hdev, hcon);
5698 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5699 struct sk_buff *skb)
5701 struct hci_ev_phy_link_complete *ev = data;
5702 struct hci_conn *hcon, *bredr_hcon;
5704 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5709 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5721 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5723 hcon->state = BT_CONNECTED;
5724 bacpy(&hcon->dst, &bredr_hcon->dst);
5726 hci_conn_hold(hcon);
5727 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5728 hci_conn_drop(hcon);
5730 hci_debugfs_create_conn(hcon);
5731 hci_conn_add_sysfs(hcon);
5733 amp_physical_cfm(bredr_hcon, hcon);
5736 hci_dev_unlock(hdev);
5739 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5740 struct sk_buff *skb)
5742 struct hci_ev_logical_link_complete *ev = data;
5743 struct hci_conn *hcon;
5744 struct hci_chan *hchan;
5745 struct amp_mgr *mgr;
5747 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5748 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5750 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5754 /* Create AMP hchan */
5755 hchan = hci_chan_create(hcon);
5759 hchan->handle = le16_to_cpu(ev->handle);
5762 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5764 mgr = hcon->amp_mgr;
5765 if (mgr && mgr->bredr_chan) {
5766 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5768 l2cap_chan_lock(bredr_chan);
5770 bredr_chan->conn->mtu = hdev->block_mtu;
5771 l2cap_logical_cfm(bredr_chan, hchan, 0);
5772 hci_conn_hold(hcon);
5774 l2cap_chan_unlock(bredr_chan);
5778 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5779 struct sk_buff *skb)
5781 struct hci_ev_disconn_logical_link_complete *ev = data;
5782 struct hci_chan *hchan;
5784 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5785 le16_to_cpu(ev->handle), ev->status);
5792 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5793 if (!hchan || !hchan->amp)
5796 amp_destroy_logical_link(hchan, ev->reason);
5799 hci_dev_unlock(hdev);
5802 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5803 struct sk_buff *skb)
5805 struct hci_ev_disconn_phy_link_complete *ev = data;
5806 struct hci_conn *hcon;
5808 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5815 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5816 if (hcon && hcon->type == AMP_LINK) {
5817 hcon->state = BT_CLOSED;
5818 hci_disconn_cfm(hcon, ev->reason);
5822 hci_dev_unlock(hdev);
5826 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5827 u8 bdaddr_type, bdaddr_t *local_rpa)
5830 conn->dst_type = bdaddr_type;
5831 conn->resp_addr_type = bdaddr_type;
5832 bacpy(&conn->resp_addr, bdaddr);
5834 /* Check if the controller has set a Local RPA then it must be
5835 * used instead or hdev->rpa.
5837 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5838 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5839 bacpy(&conn->init_addr, local_rpa);
5840 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5841 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5842 bacpy(&conn->init_addr, &conn->hdev->rpa);
5844 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5845 &conn->init_addr_type);
5848 conn->resp_addr_type = conn->hdev->adv_addr_type;
5849 /* Check if the controller has set a Local RPA then it must be
5850 * used instead or hdev->rpa.
5852 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5853 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5854 bacpy(&conn->resp_addr, local_rpa);
5855 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5856 /* In case of ext adv, resp_addr will be updated in
5857 * Adv Terminated event.
5859 if (!ext_adv_capable(conn->hdev))
5860 bacpy(&conn->resp_addr,
5861 &conn->hdev->random_addr);
5863 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5866 conn->init_addr_type = bdaddr_type;
5867 bacpy(&conn->init_addr, bdaddr);
5869 /* For incoming connections, set the default minimum
5870 * and maximum connection interval. They will be used
5871 * to check if the parameters are in range and if not
5872 * trigger the connection update procedure.
5874 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5875 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5879 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5880 bdaddr_t *bdaddr, u8 bdaddr_type,
5881 bdaddr_t *local_rpa, u8 role, u16 handle,
5882 u16 interval, u16 latency,
5883 u16 supervision_timeout)
5885 struct hci_conn_params *params;
5886 struct hci_conn *conn;
5887 struct smp_irk *irk;
5892 /* All controllers implicitly stop advertising in the event of a
5893 * connection, so ensure that the state bit is cleared.
5895 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5897 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5899 /* In case of error status and there is no connection pending
5900 * just unlock as there is nothing to cleanup.
5905 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5907 bt_dev_err(hdev, "no memory for new connection");
5911 conn->dst_type = bdaddr_type;
5913 /* If we didn't have a hci_conn object previously
5914 * but we're in central role this must be something
5915 * initiated using an accept list. Since accept list based
5916 * connections are not "first class citizens" we don't
5917 * have full tracking of them. Therefore, we go ahead
5918 * with a "best effort" approach of determining the
5919 * initiator address based on the HCI_PRIVACY flag.
5922 conn->resp_addr_type = bdaddr_type;
5923 bacpy(&conn->resp_addr, bdaddr);
5924 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5925 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5926 bacpy(&conn->init_addr, &hdev->rpa);
5928 hci_copy_identity_address(hdev,
5930 &conn->init_addr_type);
5934 cancel_delayed_work(&conn->le_conn_timeout);
5937 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5938 * Processing it more than once per connection can corrupt kernel memory.
5940 * As the connection handle is set here for the first time, it indicates
5941 * whether the connection is already set up.
5943 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5944 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5948 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5950 /* Lookup the identity address from the stored connection
5951 * address and address type.
5953 * When establishing connections to an identity address, the
5954 * connection procedure will store the resolvable random
5955 * address first. Now if it can be converted back into the
5956 * identity address, start using the identity address from
5959 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5961 bacpy(&conn->dst, &irk->bdaddr);
5962 conn->dst_type = irk->addr_type;
5965 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5967 /* All connection failure handling is taken care of by the
5968 * hci_conn_failed function which is triggered by the HCI
5969 * request completion callbacks used for connecting.
5971 if (status || hci_conn_set_handle(conn, handle))
5974 /* Drop the connection if it has been aborted */
5975 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5976 hci_conn_drop(conn);
5980 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5981 addr_type = BDADDR_LE_PUBLIC;
5983 addr_type = BDADDR_LE_RANDOM;
5985 /* Drop the connection if the device is blocked */
5986 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5987 hci_conn_drop(conn);
5991 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5992 mgmt_device_connected(hdev, conn, NULL, 0);
5994 conn->sec_level = BT_SECURITY_LOW;
5995 conn->state = BT_CONFIG;
5997 /* Store current advertising instance as connection advertising instance
5998 * when sotfware rotation is in use so it can be re-enabled when
6001 if (!ext_adv_capable(hdev))
6002 conn->adv_instance = hdev->cur_adv_instance;
6004 conn->le_conn_interval = interval;
6005 conn->le_conn_latency = latency;
6006 conn->le_supv_timeout = supervision_timeout;
6008 hci_debugfs_create_conn(conn);
6009 hci_conn_add_sysfs(conn);
6011 /* The remote features procedure is defined for central
6012 * role only. So only in case of an initiated connection
6013 * request the remote features.
6015 * If the local controller supports peripheral-initiated features
6016 * exchange, then requesting the remote features in peripheral
6017 * role is possible. Otherwise just transition into the
6018 * connected state without requesting the remote features.
6021 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6022 struct hci_cp_le_read_remote_features cp;
6024 cp.handle = __cpu_to_le16(conn->handle);
6026 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6029 hci_conn_hold(conn);
6031 conn->state = BT_CONNECTED;
6032 hci_connect_cfm(conn, status);
6035 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6038 hci_pend_le_list_del_init(params);
6040 hci_conn_drop(params->conn);
6041 hci_conn_put(params->conn);
6042 params->conn = NULL;
6047 hci_update_passive_scan(hdev);
6048 hci_dev_unlock(hdev);
6051 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6052 struct sk_buff *skb)
6054 struct hci_ev_le_conn_complete *ev = data;
6056 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6058 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6059 NULL, ev->role, le16_to_cpu(ev->handle),
6060 le16_to_cpu(ev->interval),
6061 le16_to_cpu(ev->latency),
6062 le16_to_cpu(ev->supervision_timeout));
6065 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6066 struct sk_buff *skb)
6068 struct hci_ev_le_enh_conn_complete *ev = data;
6070 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6072 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6073 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6074 le16_to_cpu(ev->interval),
6075 le16_to_cpu(ev->latency),
6076 le16_to_cpu(ev->supervision_timeout));
6079 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6080 struct sk_buff *skb)
6082 struct hci_evt_le_ext_adv_set_term *ev = data;
6083 struct hci_conn *conn;
6084 struct adv_info *adv, *n;
6086 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6088 /* The Bluetooth Core 5.3 specification clearly states that this event
6089 * shall not be sent when the Host disables the advertising set. So in
6090 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6092 * When the Host disables an advertising set, all cleanup is done via
6093 * its command callback and not needed to be duplicated here.
6095 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6096 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6102 adv = hci_find_adv_instance(hdev, ev->handle);
6108 /* Remove advertising as it has been terminated */
6109 hci_remove_adv_instance(hdev, ev->handle);
6110 mgmt_advertising_removed(NULL, hdev, ev->handle);
6112 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6117 /* We are no longer advertising, clear HCI_LE_ADV */
6118 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6123 adv->enabled = false;
6125 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6127 /* Store handle in the connection so the correct advertising
6128 * instance can be re-enabled when disconnected.
6130 conn->adv_instance = ev->handle;
6132 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6133 bacmp(&conn->resp_addr, BDADDR_ANY))
6137 bacpy(&conn->resp_addr, &hdev->random_addr);
6142 bacpy(&conn->resp_addr, &adv->random_addr);
6146 hci_dev_unlock(hdev);
6149 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6150 struct sk_buff *skb)
6152 struct hci_ev_le_conn_update_complete *ev = data;
6153 struct hci_conn *conn;
6155 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6162 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6164 conn->le_conn_interval = le16_to_cpu(ev->interval);
6165 conn->le_conn_latency = le16_to_cpu(ev->latency);
6166 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6169 hci_dev_unlock(hdev);
6172 /* This function requires the caller holds hdev->lock */
6173 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6175 u8 addr_type, bool addr_resolved,
6178 struct hci_conn *conn;
6179 struct hci_conn_params *params;
6181 /* If the event is not connectable don't proceed further */
6182 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6185 /* Ignore if the device is blocked or hdev is suspended */
6186 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6190 /* Most controller will fail if we try to create new connections
6191 * while we have an existing one in peripheral role.
6193 if (hdev->conn_hash.le_num_peripheral > 0 &&
6194 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6195 !(hdev->le_states[3] & 0x10)))
6198 /* If we're not connectable only connect devices that we have in
6199 * our pend_le_conns list.
6201 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6206 if (!params->explicit_connect) {
6207 switch (params->auto_connect) {
6208 case HCI_AUTO_CONN_DIRECT:
6209 /* Only devices advertising with ADV_DIRECT_IND are
6210 * triggering a connection attempt. This is allowing
6211 * incoming connections from peripheral devices.
6213 if (adv_type != LE_ADV_DIRECT_IND)
6216 case HCI_AUTO_CONN_ALWAYS:
6217 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6218 * are triggering a connection attempt. This means
6219 * that incoming connections from peripheral device are
6220 * accepted and also outgoing connections to peripheral
6221 * devices are established when found.
6229 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6230 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6232 if (!IS_ERR(conn)) {
6233 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6234 * by higher layer that tried to connect, if no then
6235 * store the pointer since we don't really have any
6236 * other owner of the object besides the params that
6237 * triggered it. This way we can abort the connection if
6238 * the parameters get removed and keep the reference
6239 * count consistent once the connection is established.
6242 if (!params->explicit_connect)
6243 params->conn = hci_conn_get(conn);
6248 switch (PTR_ERR(conn)) {
6250 /* If hci_connect() returns -EBUSY it means there is already
6251 * an LE connection attempt going on. Since controllers don't
6252 * support more than one connection attempt at the time, we
6253 * don't consider this an error case.
6257 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6264 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6265 u8 bdaddr_type, bdaddr_t *direct_addr,
6266 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6267 bool ext_adv, bool ctl_time, u64 instant)
6269 struct discovery_state *d = &hdev->discovery;
6270 struct smp_irk *irk;
6271 struct hci_conn *conn;
6272 bool match, bdaddr_resolved;
6278 case LE_ADV_DIRECT_IND:
6279 case LE_ADV_SCAN_IND:
6280 case LE_ADV_NONCONN_IND:
6281 case LE_ADV_SCAN_RSP:
6284 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6285 "type: 0x%02x", type);
6289 if (len > max_adv_len(hdev)) {
6290 bt_dev_err_ratelimited(hdev,
6291 "adv larger than maximum supported");
6295 /* Find the end of the data in case the report contains padded zero
6296 * bytes at the end causing an invalid length value.
6298 * When data is NULL, len is 0 so there is no need for extra ptr
6299 * check as 'ptr < data + 0' is already false in such case.
6301 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6302 if (ptr + 1 + *ptr > data + len)
6306 /* Adjust for actual length. This handles the case when remote
6307 * device is advertising with incorrect data length.
6311 /* If the direct address is present, then this report is from
6312 * a LE Direct Advertising Report event. In that case it is
6313 * important to see if the address is matching the local
6314 * controller address.
6316 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6317 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6320 /* Only resolvable random addresses are valid for these
6321 * kind of reports and others can be ignored.
6323 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6326 /* If the controller is not using resolvable random
6327 * addresses, then this report can be ignored.
6329 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6332 /* If the local IRK of the controller does not match
6333 * with the resolvable random address provided, then
6334 * this report can be ignored.
6336 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6340 /* Check if we need to convert to identity address */
6341 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6343 bdaddr = &irk->bdaddr;
6344 bdaddr_type = irk->addr_type;
6347 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6349 /* Check if we have been requested to connect to this device.
6351 * direct_addr is set only for directed advertising reports (it is NULL
6352 * for advertising reports) and is already verified to be RPA above.
6354 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6356 if (!ext_adv && conn && type == LE_ADV_IND &&
6357 len <= max_adv_len(hdev)) {
6358 /* Store report for later inclusion by
6359 * mgmt_device_connected
6361 memcpy(conn->le_adv_data, data, len);
6362 conn->le_adv_data_len = len;
6365 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6366 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6370 /* All scan results should be sent up for Mesh systems */
6371 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6372 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6373 rssi, flags, data, len, NULL, 0, instant);
6377 /* Passive scanning shouldn't trigger any device found events,
6378 * except for devices marked as CONN_REPORT for which we do send
6379 * device found events, or advertisement monitoring requested.
6381 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6382 if (type == LE_ADV_DIRECT_IND)
6385 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6386 bdaddr, bdaddr_type) &&
6387 idr_is_empty(&hdev->adv_monitors_idr))
6390 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6391 rssi, flags, data, len, NULL, 0, 0);
6395 /* When receiving a scan response, then there is no way to
6396 * know if the remote device is connectable or not. However
6397 * since scan responses are merged with a previously seen
6398 * advertising report, the flags field from that report
6401 * In the unlikely case that a controller just sends a scan
6402 * response event that doesn't match the pending report, then
6403 * it is marked as a standalone SCAN_RSP.
6405 if (type == LE_ADV_SCAN_RSP)
6406 flags = MGMT_DEV_FOUND_SCAN_RSP;
6408 /* If there's nothing pending either store the data from this
6409 * event or send an immediate device found event if the data
6410 * should not be stored for later.
6412 if (!ext_adv && !has_pending_adv_report(hdev)) {
6413 /* If the report will trigger a SCAN_REQ store it for
6416 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6417 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6418 rssi, flags, data, len);
6422 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6423 rssi, flags, data, len, NULL, 0, 0);
6427 /* Check if the pending report is for the same device as the new one */
6428 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6429 bdaddr_type == d->last_adv_addr_type);
6431 /* If the pending data doesn't match this report or this isn't a
6432 * scan response (e.g. we got a duplicate ADV_IND) then force
6433 * sending of the pending data.
6435 if (type != LE_ADV_SCAN_RSP || !match) {
6436 /* Send out whatever is in the cache, but skip duplicates */
6438 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6439 d->last_adv_addr_type, NULL,
6440 d->last_adv_rssi, d->last_adv_flags,
6442 d->last_adv_data_len, NULL, 0, 0);
6444 /* If the new report will trigger a SCAN_REQ store it for
6447 if (!ext_adv && (type == LE_ADV_IND ||
6448 type == LE_ADV_SCAN_IND)) {
6449 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6450 rssi, flags, data, len);
6454 /* The advertising reports cannot be merged, so clear
6455 * the pending report and send out a device found event.
6457 clear_pending_adv_report(hdev);
6458 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6459 rssi, flags, data, len, NULL, 0, 0);
6463 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6464 * the new event is a SCAN_RSP. We can therefore proceed with
6465 * sending a merged device found event.
6467 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6468 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6469 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6470 clear_pending_adv_report(hdev);
6473 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6474 struct sk_buff *skb)
6476 struct hci_ev_le_advertising_report *ev = data;
6477 u64 instant = jiffies;
6485 struct hci_ev_le_advertising_info *info;
6488 info = hci_le_ev_skb_pull(hdev, skb,
6489 HCI_EV_LE_ADVERTISING_REPORT,
6494 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6498 if (info->length <= max_adv_len(hdev)) {
6499 rssi = info->data[info->length];
6500 process_adv_report(hdev, info->type, &info->bdaddr,
6501 info->bdaddr_type, NULL, 0, rssi,
6502 info->data, info->length, false,
6505 bt_dev_err(hdev, "Dropping invalid advertising data");
6509 hci_dev_unlock(hdev);
6512 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6514 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6516 case LE_LEGACY_ADV_IND:
6518 case LE_LEGACY_ADV_DIRECT_IND:
6519 return LE_ADV_DIRECT_IND;
6520 case LE_LEGACY_ADV_SCAN_IND:
6521 return LE_ADV_SCAN_IND;
6522 case LE_LEGACY_NONCONN_IND:
6523 return LE_ADV_NONCONN_IND;
6524 case LE_LEGACY_SCAN_RSP_ADV:
6525 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6526 return LE_ADV_SCAN_RSP;
6532 if (evt_type & LE_EXT_ADV_CONN_IND) {
6533 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6534 return LE_ADV_DIRECT_IND;
6539 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6540 return LE_ADV_SCAN_RSP;
6542 if (evt_type & LE_EXT_ADV_SCAN_IND)
6543 return LE_ADV_SCAN_IND;
6545 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6546 evt_type & LE_EXT_ADV_DIRECT_IND)
6547 return LE_ADV_NONCONN_IND;
6550 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6553 return LE_ADV_INVALID;
6556 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6557 struct sk_buff *skb)
6559 struct hci_ev_le_ext_adv_report *ev = data;
6560 u64 instant = jiffies;
6568 struct hci_ev_le_ext_adv_info *info;
6572 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6577 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6581 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6582 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6583 if (legacy_evt_type != LE_ADV_INVALID) {
6584 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6585 info->bdaddr_type, NULL, 0,
6586 info->rssi, info->data, info->length,
6587 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6592 hci_dev_unlock(hdev);
6595 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6597 struct hci_cp_le_pa_term_sync cp;
6599 memset(&cp, 0, sizeof(cp));
6602 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6605 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6606 struct sk_buff *skb)
6608 struct hci_ev_le_pa_sync_established *ev = data;
6609 int mask = hdev->link_mode;
6611 struct hci_conn *pa_sync;
6613 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6617 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6619 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6620 if (!(mask & HCI_LM_ACCEPT)) {
6621 hci_le_pa_term_sync(hdev, ev->handle);
6625 if (!(flags & HCI_PROTO_DEFER))
6629 /* Add connection to indicate the failed PA sync event */
6630 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6636 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6638 /* Notify iso layer */
6639 hci_connect_cfm(pa_sync, ev->status);
6643 hci_dev_unlock(hdev);
6646 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6647 struct sk_buff *skb)
6649 struct hci_ev_le_per_adv_report *ev = data;
6650 int mask = hdev->link_mode;
6653 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6657 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6658 if (!(mask & HCI_LM_ACCEPT))
6659 hci_le_pa_term_sync(hdev, ev->sync_handle);
6661 hci_dev_unlock(hdev);
6664 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6665 struct sk_buff *skb)
6667 struct hci_ev_le_remote_feat_complete *ev = data;
6668 struct hci_conn *conn;
6670 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6674 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6677 memcpy(conn->features[0], ev->features, 8);
6679 if (conn->state == BT_CONFIG) {
6682 /* If the local controller supports peripheral-initiated
6683 * features exchange, but the remote controller does
6684 * not, then it is possible that the error code 0x1a
6685 * for unsupported remote feature gets returned.
6687 * In this specific case, allow the connection to
6688 * transition into connected state and mark it as
6691 if (!conn->out && ev->status == 0x1a &&
6692 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6695 status = ev->status;
6697 conn->state = BT_CONNECTED;
6698 hci_connect_cfm(conn, status);
6699 hci_conn_drop(conn);
6703 hci_dev_unlock(hdev);
6706 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6707 struct sk_buff *skb)
6709 struct hci_ev_le_ltk_req *ev = data;
6710 struct hci_cp_le_ltk_reply cp;
6711 struct hci_cp_le_ltk_neg_reply neg;
6712 struct hci_conn *conn;
6713 struct smp_ltk *ltk;
6715 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6719 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6723 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6727 if (smp_ltk_is_sc(ltk)) {
6728 /* With SC both EDiv and Rand are set to zero */
6729 if (ev->ediv || ev->rand)
6732 /* For non-SC keys check that EDiv and Rand match */
6733 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6737 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6738 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6739 cp.handle = cpu_to_le16(conn->handle);
6741 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6743 conn->enc_key_size = ltk->enc_size;
6745 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6747 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6748 * temporary key used to encrypt a connection following
6749 * pairing. It is used during the Encrypted Session Setup to
6750 * distribute the keys. Later, security can be re-established
6751 * using a distributed LTK.
6753 if (ltk->type == SMP_STK) {
6754 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6755 list_del_rcu(<k->list);
6756 kfree_rcu(ltk, rcu);
6758 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6761 hci_dev_unlock(hdev);
6766 neg.handle = ev->handle;
6767 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6768 hci_dev_unlock(hdev);
6771 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6774 struct hci_cp_le_conn_param_req_neg_reply cp;
6776 cp.handle = cpu_to_le16(handle);
6779 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6783 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6784 struct sk_buff *skb)
6786 struct hci_ev_le_remote_conn_param_req *ev = data;
6787 struct hci_cp_le_conn_param_req_reply cp;
6788 struct hci_conn *hcon;
6789 u16 handle, min, max, latency, timeout;
6791 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6793 handle = le16_to_cpu(ev->handle);
6794 min = le16_to_cpu(ev->interval_min);
6795 max = le16_to_cpu(ev->interval_max);
6796 latency = le16_to_cpu(ev->latency);
6797 timeout = le16_to_cpu(ev->timeout);
6799 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6800 if (!hcon || hcon->state != BT_CONNECTED)
6801 return send_conn_param_neg_reply(hdev, handle,
6802 HCI_ERROR_UNKNOWN_CONN_ID);
6804 if (hci_check_conn_params(min, max, latency, timeout))
6805 return send_conn_param_neg_reply(hdev, handle,
6806 HCI_ERROR_INVALID_LL_PARAMS);
6808 if (hcon->role == HCI_ROLE_MASTER) {
6809 struct hci_conn_params *params;
6814 params = hci_conn_params_lookup(hdev, &hcon->dst,
6817 params->conn_min_interval = min;
6818 params->conn_max_interval = max;
6819 params->conn_latency = latency;
6820 params->supervision_timeout = timeout;
6826 hci_dev_unlock(hdev);
6828 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6829 store_hint, min, max, latency, timeout);
6832 cp.handle = ev->handle;
6833 cp.interval_min = ev->interval_min;
6834 cp.interval_max = ev->interval_max;
6835 cp.latency = ev->latency;
6836 cp.timeout = ev->timeout;
6840 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6843 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6844 struct sk_buff *skb)
6846 struct hci_ev_le_direct_adv_report *ev = data;
6847 u64 instant = jiffies;
6850 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6851 flex_array_size(ev, info, ev->num)))
6859 for (i = 0; i < ev->num; i++) {
6860 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6862 process_adv_report(hdev, info->type, &info->bdaddr,
6863 info->bdaddr_type, &info->direct_addr,
6864 info->direct_addr_type, info->rssi, NULL, 0,
6865 false, false, instant);
6868 hci_dev_unlock(hdev);
6871 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6872 struct sk_buff *skb)
6874 struct hci_ev_le_phy_update_complete *ev = data;
6875 struct hci_conn *conn;
6877 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6884 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6888 conn->le_tx_phy = ev->tx_phy;
6889 conn->le_rx_phy = ev->rx_phy;
6892 hci_dev_unlock(hdev);
6895 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6896 struct sk_buff *skb)
6898 struct hci_evt_le_cis_established *ev = data;
6899 struct hci_conn *conn;
6900 struct bt_iso_qos *qos;
6901 bool pending = false;
6902 u16 handle = __le16_to_cpu(ev->handle);
6904 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6908 conn = hci_conn_hash_lookup_handle(hdev, handle);
6911 "Unable to find connection with handle 0x%4.4x",
6916 if (conn->type != ISO_LINK) {
6918 "Invalid connection link type handle 0x%4.4x",
6923 qos = &conn->iso_qos;
6925 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6927 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
6928 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
6929 qos->ucast.out.interval = qos->ucast.in.interval;
6931 switch (conn->role) {
6932 case HCI_ROLE_SLAVE:
6933 /* Convert Transport Latency (us) to Latency (msec) */
6934 qos->ucast.in.latency =
6935 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6937 qos->ucast.out.latency =
6938 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6940 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6941 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6942 qos->ucast.in.phy = ev->c_phy;
6943 qos->ucast.out.phy = ev->p_phy;
6945 case HCI_ROLE_MASTER:
6946 /* Convert Transport Latency (us) to Latency (msec) */
6947 qos->ucast.out.latency =
6948 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6950 qos->ucast.in.latency =
6951 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6953 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6954 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6955 qos->ucast.out.phy = ev->c_phy;
6956 qos->ucast.in.phy = ev->p_phy;
6961 conn->state = BT_CONNECTED;
6962 hci_debugfs_create_conn(conn);
6963 hci_conn_add_sysfs(conn);
6964 hci_iso_setup_path(conn);
6968 conn->state = BT_CLOSED;
6969 hci_connect_cfm(conn, ev->status);
6974 hci_le_create_cis_pending(hdev);
6976 hci_dev_unlock(hdev);
6979 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6981 struct hci_cp_le_reject_cis cp;
6983 memset(&cp, 0, sizeof(cp));
6985 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6986 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6989 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6991 struct hci_cp_le_accept_cis cp;
6993 memset(&cp, 0, sizeof(cp));
6995 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6998 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6999 struct sk_buff *skb)
7001 struct hci_evt_le_cis_req *ev = data;
7002 u16 acl_handle, cis_handle;
7003 struct hci_conn *acl, *cis;
7007 acl_handle = __le16_to_cpu(ev->acl_handle);
7008 cis_handle = __le16_to_cpu(ev->cis_handle);
7010 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7011 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7015 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7019 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7020 if (!(mask & HCI_LM_ACCEPT)) {
7021 hci_le_reject_cis(hdev, ev->cis_handle);
7025 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7027 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7030 hci_le_reject_cis(hdev, ev->cis_handle);
7035 cis->iso_qos.ucast.cig = ev->cig_id;
7036 cis->iso_qos.ucast.cis = ev->cis_id;
7038 if (!(flags & HCI_PROTO_DEFER)) {
7039 hci_le_accept_cis(hdev, ev->cis_handle);
7041 cis->state = BT_CONNECT2;
7042 hci_connect_cfm(cis, 0);
7046 hci_dev_unlock(hdev);
7049 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7051 u8 handle = PTR_UINT(data);
7053 return hci_le_terminate_big_sync(hdev, handle,
7054 HCI_ERROR_LOCAL_HOST_TERM);
7057 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7058 struct sk_buff *skb)
7060 struct hci_evt_le_create_big_complete *ev = data;
7061 struct hci_conn *conn;
7064 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7066 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7067 flex_array_size(ev, bis_handle, ev->num_bis)))
7073 /* Connect all BISes that are bound to the BIG */
7074 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7075 if (bacmp(&conn->dst, BDADDR_ANY) ||
7076 conn->type != ISO_LINK ||
7077 conn->iso_qos.bcast.big != ev->handle)
7080 if (hci_conn_set_handle(conn,
7081 __le16_to_cpu(ev->bis_handle[i++])))
7085 conn->state = BT_CONNECTED;
7086 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7088 hci_debugfs_create_conn(conn);
7089 hci_conn_add_sysfs(conn);
7090 hci_iso_setup_path(conn);
7095 hci_connect_cfm(conn, ev->status);
7103 if (!ev->status && !i)
7104 /* If no BISes have been connected for the BIG,
7105 * terminate. This is in case all bound connections
7106 * have been closed before the BIG creation
7109 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7110 UINT_PTR(ev->handle), NULL);
7112 hci_dev_unlock(hdev);
7115 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7116 struct sk_buff *skb)
7118 struct hci_evt_le_big_sync_estabilished *ev = data;
7119 struct hci_conn *bis;
7120 struct hci_conn *pa_sync;
7123 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7125 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7126 flex_array_size(ev, bis, ev->num_bis)))
7132 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7134 /* Also mark the BIG sync established event on the
7135 * associated PA sync hcon
7137 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7140 for (i = 0; i < ev->num_bis; i++) {
7141 u16 handle = le16_to_cpu(ev->bis[i]);
7144 bis = hci_conn_hash_lookup_handle(hdev, handle);
7146 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7147 HCI_ROLE_SLAVE, handle);
7152 if (ev->status != 0x42)
7153 /* Mark PA sync as established */
7154 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7156 bis->iso_qos.bcast.big = ev->handle;
7157 memset(&interval, 0, sizeof(interval));
7158 memcpy(&interval, ev->latency, sizeof(ev->latency));
7159 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7160 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7161 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7162 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7165 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7166 hci_iso_setup_path(bis);
7170 /* In case BIG sync failed, notify each failed connection to
7171 * the user after all hci connections have been added
7174 for (i = 0; i < ev->num_bis; i++) {
7175 u16 handle = le16_to_cpu(ev->bis[i]);
7177 bis = hci_conn_hash_lookup_handle(hdev, handle);
7179 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7180 hci_connect_cfm(bis, ev->status);
7183 hci_dev_unlock(hdev);
7186 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7187 struct sk_buff *skb)
7189 struct hci_evt_le_big_info_adv_report *ev = data;
7190 int mask = hdev->link_mode;
7192 struct hci_conn *pa_sync;
7194 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7198 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7199 if (!(mask & HCI_LM_ACCEPT)) {
7200 hci_le_pa_term_sync(hdev, ev->sync_handle);
7204 if (!(flags & HCI_PROTO_DEFER))
7207 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7209 le16_to_cpu(ev->sync_handle));
7214 /* Add connection to indicate the PA sync event */
7215 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7221 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7222 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7224 /* Notify iso layer */
7225 hci_connect_cfm(pa_sync, 0x00);
7228 hci_dev_unlock(hdev);
7231 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7234 .min_len = _min_len, \
7235 .max_len = _max_len, \
7238 #define HCI_LE_EV(_op, _func, _len) \
7239 HCI_LE_EV_VL(_op, _func, _len, _len)
7241 #define HCI_LE_EV_STATUS(_op, _func) \
7242 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7244 /* Entries in this table shall have their position according to the subevent
7245 * opcode they handle so the use of the macros above is recommend since it does
7246 * attempt to initialize at its proper index using Designated Initializers that
7247 * way events without a callback function can be ommited.
7249 static const struct hci_le_ev {
7250 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7253 } hci_le_ev_table[U8_MAX + 1] = {
7254 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7255 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7256 sizeof(struct hci_ev_le_conn_complete)),
7257 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7258 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7259 sizeof(struct hci_ev_le_advertising_report),
7260 HCI_MAX_EVENT_SIZE),
7261 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7262 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7263 hci_le_conn_update_complete_evt,
7264 sizeof(struct hci_ev_le_conn_update_complete)),
7265 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7266 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7267 hci_le_remote_feat_complete_evt,
7268 sizeof(struct hci_ev_le_remote_feat_complete)),
7269 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7270 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7271 sizeof(struct hci_ev_le_ltk_req)),
7272 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7273 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7274 hci_le_remote_conn_param_req_evt,
7275 sizeof(struct hci_ev_le_remote_conn_param_req)),
7276 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7277 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7278 hci_le_enh_conn_complete_evt,
7279 sizeof(struct hci_ev_le_enh_conn_complete)),
7280 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7281 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7282 sizeof(struct hci_ev_le_direct_adv_report),
7283 HCI_MAX_EVENT_SIZE),
7284 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7285 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7286 sizeof(struct hci_ev_le_phy_update_complete)),
7287 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7288 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7289 sizeof(struct hci_ev_le_ext_adv_report),
7290 HCI_MAX_EVENT_SIZE),
7291 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7292 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7293 hci_le_pa_sync_estabilished_evt,
7294 sizeof(struct hci_ev_le_pa_sync_established)),
7295 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7296 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7297 hci_le_per_adv_report_evt,
7298 sizeof(struct hci_ev_le_per_adv_report),
7299 HCI_MAX_EVENT_SIZE),
7300 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7301 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7302 sizeof(struct hci_evt_le_ext_adv_set_term)),
7303 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7304 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7305 sizeof(struct hci_evt_le_cis_established)),
7306 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7307 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7308 sizeof(struct hci_evt_le_cis_req)),
7309 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7310 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7311 hci_le_create_big_complete_evt,
7312 sizeof(struct hci_evt_le_create_big_complete),
7313 HCI_MAX_EVENT_SIZE),
7314 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7315 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7316 hci_le_big_sync_established_evt,
7317 sizeof(struct hci_evt_le_big_sync_estabilished),
7318 HCI_MAX_EVENT_SIZE),
7319 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7320 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7321 hci_le_big_info_adv_report_evt,
7322 sizeof(struct hci_evt_le_big_info_adv_report),
7323 HCI_MAX_EVENT_SIZE),
7326 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7327 struct sk_buff *skb, u16 *opcode, u8 *status,
7328 hci_req_complete_t *req_complete,
7329 hci_req_complete_skb_t *req_complete_skb)
7331 struct hci_ev_le_meta *ev = data;
7332 const struct hci_le_ev *subev;
7334 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7336 /* Only match event if command OGF is for LE */
7337 if (hdev->sent_cmd &&
7338 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7339 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7340 *opcode = hci_skb_opcode(hdev->sent_cmd);
7341 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7345 subev = &hci_le_ev_table[ev->subevent];
7349 if (skb->len < subev->min_len) {
7350 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7351 ev->subevent, skb->len, subev->min_len);
7355 /* Just warn if the length is over max_len size it still be
7356 * possible to partially parse the event so leave to callback to
7357 * decide if that is acceptable.
7359 if (skb->len > subev->max_len)
7360 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7361 ev->subevent, skb->len, subev->max_len);
7362 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7366 subev->func(hdev, data, skb);
7369 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7370 u8 event, struct sk_buff *skb)
7372 struct hci_ev_cmd_complete *ev;
7373 struct hci_event_hdr *hdr;
7378 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7383 if (hdr->evt != event)
7388 /* Check if request ended in Command Status - no way to retrieve
7389 * any extra parameters in this case.
7391 if (hdr->evt == HCI_EV_CMD_STATUS)
7394 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7395 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7400 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7404 if (opcode != __le16_to_cpu(ev->opcode)) {
7405 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7406 __le16_to_cpu(ev->opcode));
7413 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7414 struct sk_buff *skb)
7416 struct hci_ev_le_advertising_info *adv;
7417 struct hci_ev_le_direct_adv_info *direct_adv;
7418 struct hci_ev_le_ext_adv_info *ext_adv;
7419 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7420 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7424 /* If we are currently suspended and this is the first BT event seen,
7425 * save the wake reason associated with the event.
7427 if (!hdev->suspended || hdev->wake_reason)
7430 /* Default to remote wake. Values for wake_reason are documented in the
7431 * Bluez mgmt api docs.
7433 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7435 /* Once configured for remote wakeup, we should only wake up for
7436 * reconnections. It's useful to see which device is waking us up so
7437 * keep track of the bdaddr of the connection event that woke us up.
7439 if (event == HCI_EV_CONN_REQUEST) {
7440 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7441 hdev->wake_addr_type = BDADDR_BREDR;
7442 } else if (event == HCI_EV_CONN_COMPLETE) {
7443 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7444 hdev->wake_addr_type = BDADDR_BREDR;
7445 } else if (event == HCI_EV_LE_META) {
7446 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7447 u8 subevent = le_ev->subevent;
7448 u8 *ptr = &skb->data[sizeof(*le_ev)];
7449 u8 num_reports = *ptr;
7451 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7452 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7453 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7455 adv = (void *)(ptr + 1);
7456 direct_adv = (void *)(ptr + 1);
7457 ext_adv = (void *)(ptr + 1);
7460 case HCI_EV_LE_ADVERTISING_REPORT:
7461 bacpy(&hdev->wake_addr, &adv->bdaddr);
7462 hdev->wake_addr_type = adv->bdaddr_type;
7464 case HCI_EV_LE_DIRECT_ADV_REPORT:
7465 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7466 hdev->wake_addr_type = direct_adv->bdaddr_type;
7468 case HCI_EV_LE_EXT_ADV_REPORT:
7469 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7470 hdev->wake_addr_type = ext_adv->bdaddr_type;
7475 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7479 hci_dev_unlock(hdev);
7482 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7486 .min_len = _min_len, \
7487 .max_len = _max_len, \
7490 #define HCI_EV(_op, _func, _len) \
7491 HCI_EV_VL(_op, _func, _len, _len)
7493 #define HCI_EV_STATUS(_op, _func) \
7494 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7496 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7499 .func_req = _func, \
7500 .min_len = _min_len, \
7501 .max_len = _max_len, \
7504 #define HCI_EV_REQ(_op, _func, _len) \
7505 HCI_EV_REQ_VL(_op, _func, _len, _len)
7507 /* Entries in this table shall have their position according to the event opcode
7508 * they handle so the use of the macros above is recommend since it does attempt
7509 * to initialize at its proper index using Designated Initializers that way
7510 * events without a callback function don't have entered.
7512 static const struct hci_ev {
7515 void (*func)(struct hci_dev *hdev, void *data,
7516 struct sk_buff *skb);
7517 void (*func_req)(struct hci_dev *hdev, void *data,
7518 struct sk_buff *skb, u16 *opcode, u8 *status,
7519 hci_req_complete_t *req_complete,
7520 hci_req_complete_skb_t *req_complete_skb);
7524 } hci_ev_table[U8_MAX + 1] = {
7525 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7526 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7527 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7528 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7529 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7530 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7531 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7532 sizeof(struct hci_ev_conn_complete)),
7533 /* [0x04 = HCI_EV_CONN_REQUEST] */
7534 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7535 sizeof(struct hci_ev_conn_request)),
7536 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7537 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7538 sizeof(struct hci_ev_disconn_complete)),
7539 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7540 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7541 sizeof(struct hci_ev_auth_complete)),
7542 /* [0x07 = HCI_EV_REMOTE_NAME] */
7543 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7544 sizeof(struct hci_ev_remote_name)),
7545 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7546 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7547 sizeof(struct hci_ev_encrypt_change)),
7548 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7549 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7550 hci_change_link_key_complete_evt,
7551 sizeof(struct hci_ev_change_link_key_complete)),
7552 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7553 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7554 sizeof(struct hci_ev_remote_features)),
7555 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7556 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7557 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7558 /* [0x0f = HCI_EV_CMD_STATUS] */
7559 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7560 sizeof(struct hci_ev_cmd_status)),
7561 /* [0x10 = HCI_EV_CMD_STATUS] */
7562 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7563 sizeof(struct hci_ev_hardware_error)),
7564 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7565 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7566 sizeof(struct hci_ev_role_change)),
7567 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7568 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7569 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7570 /* [0x14 = HCI_EV_MODE_CHANGE] */
7571 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7572 sizeof(struct hci_ev_mode_change)),
7573 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7574 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7575 sizeof(struct hci_ev_pin_code_req)),
7576 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7577 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7578 sizeof(struct hci_ev_link_key_req)),
7579 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7580 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7581 sizeof(struct hci_ev_link_key_notify)),
7582 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7583 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7584 sizeof(struct hci_ev_clock_offset)),
7585 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7586 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7587 sizeof(struct hci_ev_pkt_type_change)),
7588 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7589 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7590 sizeof(struct hci_ev_pscan_rep_mode)),
7591 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7592 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7593 hci_inquiry_result_with_rssi_evt,
7594 sizeof(struct hci_ev_inquiry_result_rssi),
7595 HCI_MAX_EVENT_SIZE),
7596 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7597 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7598 sizeof(struct hci_ev_remote_ext_features)),
7599 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7600 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7601 sizeof(struct hci_ev_sync_conn_complete)),
7602 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7603 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7604 hci_extended_inquiry_result_evt,
7605 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7606 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7607 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7608 sizeof(struct hci_ev_key_refresh_complete)),
7609 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7610 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7611 sizeof(struct hci_ev_io_capa_request)),
7612 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7613 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7614 sizeof(struct hci_ev_io_capa_reply)),
7615 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7616 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7617 sizeof(struct hci_ev_user_confirm_req)),
7618 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7619 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7620 sizeof(struct hci_ev_user_passkey_req)),
7621 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7622 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7623 sizeof(struct hci_ev_remote_oob_data_request)),
7624 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7625 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7626 sizeof(struct hci_ev_simple_pair_complete)),
7627 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7628 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7629 sizeof(struct hci_ev_user_passkey_notify)),
7630 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7631 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7632 sizeof(struct hci_ev_keypress_notify)),
7633 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7634 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7635 sizeof(struct hci_ev_remote_host_features)),
7636 /* [0x3e = HCI_EV_LE_META] */
7637 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7638 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7639 #if IS_ENABLED(CONFIG_BT_HS)
7640 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7641 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7642 sizeof(struct hci_ev_phy_link_complete)),
7643 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7644 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7645 sizeof(struct hci_ev_channel_selected)),
7646 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7647 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7648 hci_disconn_loglink_complete_evt,
7649 sizeof(struct hci_ev_disconn_logical_link_complete)),
7650 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7651 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7652 sizeof(struct hci_ev_logical_link_complete)),
7653 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7654 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7655 hci_disconn_phylink_complete_evt,
7656 sizeof(struct hci_ev_disconn_phy_link_complete)),
7658 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7659 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7660 sizeof(struct hci_ev_num_comp_blocks)),
7661 /* [0xff = HCI_EV_VENDOR] */
7662 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7665 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7666 u16 *opcode, u8 *status,
7667 hci_req_complete_t *req_complete,
7668 hci_req_complete_skb_t *req_complete_skb)
7670 const struct hci_ev *ev = &hci_ev_table[event];
7676 if (skb->len < ev->min_len) {
7677 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7678 event, skb->len, ev->min_len);
7682 /* Just warn if the length is over max_len size it still be
7683 * possible to partially parse the event so leave to callback to
7684 * decide if that is acceptable.
7686 if (skb->len > ev->max_len)
7687 bt_dev_warn_ratelimited(hdev,
7688 "unexpected event 0x%2.2x length: %u > %u",
7689 event, skb->len, ev->max_len);
7691 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7696 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7699 ev->func(hdev, data, skb);
7702 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7704 struct hci_event_hdr *hdr = (void *) skb->data;
7705 hci_req_complete_t req_complete = NULL;
7706 hci_req_complete_skb_t req_complete_skb = NULL;
7707 struct sk_buff *orig_skb = NULL;
7708 u8 status = 0, event, req_evt = 0;
7709 u16 opcode = HCI_OP_NOP;
7711 if (skb->len < sizeof(*hdr)) {
7712 bt_dev_err(hdev, "Malformed HCI Event");
7716 kfree_skb(hdev->recv_event);
7717 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7721 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7726 /* Only match event if command OGF is not for LE */
7727 if (hdev->sent_cmd &&
7728 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7729 hci_skb_event(hdev->sent_cmd) == event) {
7730 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7731 status, &req_complete, &req_complete_skb);
7735 /* If it looks like we might end up having to call
7736 * req_complete_skb, store a pristine copy of the skb since the
7737 * various handlers may modify the original one through
7738 * skb_pull() calls, etc.
7740 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7741 event == HCI_EV_CMD_COMPLETE)
7742 orig_skb = skb_clone(skb, GFP_KERNEL);
7744 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7746 /* Store wake reason if we're suspended */
7747 hci_store_wake_reason(hdev, event, skb);
7749 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7751 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7755 req_complete(hdev, status, opcode);
7756 } else if (req_complete_skb) {
7757 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7758 kfree_skb(orig_skb);
7761 req_complete_skb(hdev, status, opcode, orig_skb);
7765 kfree_skb(orig_skb);
7767 hdev->stat.evt_rx++;
projects / platform / kernel / linux-starfive.git / blob