2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 "\x00\x00\x00\x00\x00\x00\x00\x00"
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
50 /* Handle HCI Event packets */
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
57 data = skb_pull_data(skb, len);
59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
69 data = skb_pull_data(skb, len);
71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
81 data = skb_pull_data(skb, len);
83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
91 struct hci_ev_status *rp = data;
93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
95 /* It is possible that we receive Inquiry Complete event right
96 * before we receive Inquiry Cancel Command Complete event, in
97 * which case the latter event should have status of Command
98 * Disallowed (0x0c). This should not be treated as error, since
99 * we actually achieve what Inquiry Cancel wants to achieve,
100 * which is to end the last Inquiry session.
102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
110 clear_bit(HCI_INQUIRY, &hdev->flags);
111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 wake_up_bit(&hdev->flags, HCI_INQUIRY);
115 /* Set discovery state to stopped if we're not doing LE active
118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 hdev->le_scan_type != LE_SCAN_ACTIVE)
120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 hci_dev_unlock(hdev);
123 hci_conn_check_pending(hdev);
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
131 struct hci_ev_status *rp = data;
133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
146 struct hci_ev_status *rp = data;
148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
155 hci_conn_check_pending(hdev);
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
163 struct hci_ev_status *rp = data;
165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
173 struct hci_rp_role_discovery *rp = data;
174 struct hci_conn *conn;
176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
185 conn->role = rp->role;
187 hci_dev_unlock(hdev);
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
195 struct hci_rp_read_link_policy *rp = data;
196 struct hci_conn *conn;
198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
207 conn->link_policy = __le16_to_cpu(rp->policy);
209 hci_dev_unlock(hdev);
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
217 struct hci_rp_write_link_policy *rp = data;
218 struct hci_conn *conn;
221 struct hci_cp_write_link_policy cp;
222 struct hci_conn *sco_conn;
225 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
230 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
236 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
238 conn->link_policy = get_unaligned_le16(sent + 2);
241 sco_conn = hci_conn_hash_lookup_sco(hdev);
242 if (sco_conn && bacmp(&sco_conn->dst, &conn->dst) == 0 &&
243 conn->link_policy & HCI_LP_SNIFF) {
244 BT_ERR("SNIFF is not allowed during sco connection");
245 cp.handle = __cpu_to_le16(conn->handle);
246 cp.policy = __cpu_to_le16(conn->link_policy & ~HCI_LP_SNIFF);
247 hci_send_cmd(hdev, HCI_OP_WRITE_LINK_POLICY, sizeof(cp), &cp);
251 hci_dev_unlock(hdev);
256 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
259 struct hci_rp_read_def_link_policy *rp = data;
261 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
266 hdev->link_policy = __le16_to_cpu(rp->policy);
271 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
274 struct hci_ev_status *rp = data;
277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
282 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
286 hdev->link_policy = get_unaligned_le16(sent);
291 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
293 struct hci_ev_status *rp = data;
295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
297 clear_bit(HCI_RESET, &hdev->flags);
302 /* Reset all non-persistent flags */
303 hci_dev_clear_volatile_flags(hdev);
305 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
307 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
308 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
310 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
311 hdev->adv_data_len = 0;
313 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
314 hdev->scan_rsp_data_len = 0;
316 hdev->le_scan_type = LE_SCAN_PASSIVE;
318 hdev->ssp_debug_mode = 0;
320 hci_bdaddr_list_clear(&hdev->le_accept_list);
321 hci_bdaddr_list_clear(&hdev->le_resolv_list);
326 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
329 struct hci_rp_read_stored_link_key *rp = data;
330 struct hci_cp_read_stored_link_key *sent;
332 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
338 if (!rp->status && sent->read_all == 0x01) {
339 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
340 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
346 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
349 struct hci_rp_delete_stored_link_key *rp = data;
352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
357 num_keys = le16_to_cpu(rp->num_keys);
359 if (num_keys <= hdev->stored_num_keys)
360 hdev->stored_num_keys -= num_keys;
362 hdev->stored_num_keys = 0;
367 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
370 struct hci_ev_status *rp = data;
373 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
375 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
381 if (hci_dev_test_flag(hdev, HCI_MGMT))
382 mgmt_set_local_name_complete(hdev, sent, rp->status);
383 else if (!rp->status)
384 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
386 hci_dev_unlock(hdev);
391 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
394 struct hci_rp_read_local_name *rp = data;
396 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
401 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
402 hci_dev_test_flag(hdev, HCI_CONFIG))
403 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
408 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
411 struct hci_ev_status *rp = data;
414 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
416 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
423 __u8 param = *((__u8 *) sent);
425 if (param == AUTH_ENABLED)
426 set_bit(HCI_AUTH, &hdev->flags);
428 clear_bit(HCI_AUTH, &hdev->flags);
431 if (hci_dev_test_flag(hdev, HCI_MGMT))
432 mgmt_auth_enable_complete(hdev, rp->status);
434 hci_dev_unlock(hdev);
439 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
442 struct hci_ev_status *rp = data;
446 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
451 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
455 param = *((__u8 *) sent);
458 set_bit(HCI_ENCRYPT, &hdev->flags);
460 clear_bit(HCI_ENCRYPT, &hdev->flags);
465 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
468 struct hci_ev_status *rp = data;
472 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
474 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
478 param = *((__u8 *) sent);
483 hdev->discov_timeout = 0;
487 if (param & SCAN_INQUIRY)
488 set_bit(HCI_ISCAN, &hdev->flags);
490 clear_bit(HCI_ISCAN, &hdev->flags);
492 if (param & SCAN_PAGE)
493 set_bit(HCI_PSCAN, &hdev->flags);
495 clear_bit(HCI_PSCAN, &hdev->flags);
498 hci_dev_unlock(hdev);
503 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
506 struct hci_ev_status *rp = data;
507 struct hci_cp_set_event_filter *cp;
510 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
515 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
519 cp = (struct hci_cp_set_event_filter *)sent;
521 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
522 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
524 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
529 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
532 struct hci_rp_read_class_of_dev *rp = data;
535 return HCI_ERROR_UNSPECIFIED;
537 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
542 memcpy(hdev->dev_class, rp->dev_class, 3);
544 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
545 hdev->dev_class[1], hdev->dev_class[0]);
550 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
553 struct hci_ev_status *rp = data;
556 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
558 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
565 memcpy(hdev->dev_class, sent, 3);
567 if (hci_dev_test_flag(hdev, HCI_MGMT))
568 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
570 hci_dev_unlock(hdev);
575 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
578 struct hci_rp_read_voice_setting *rp = data;
581 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
586 setting = __le16_to_cpu(rp->voice_setting);
588 if (hdev->voice_setting == setting)
591 hdev->voice_setting = setting;
593 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
596 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
601 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
604 struct hci_ev_status *rp = data;
608 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
613 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
617 setting = get_unaligned_le16(sent);
619 if (hdev->voice_setting == setting)
622 hdev->voice_setting = setting;
624 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
627 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
632 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
635 struct hci_rp_read_num_supported_iac *rp = data;
637 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
642 hdev->num_iac = rp->num_iac;
644 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
649 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
652 struct hci_ev_status *rp = data;
653 struct hci_cp_write_ssp_mode *sent;
655 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
657 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
665 hdev->features[1][0] |= LMP_HOST_SSP;
667 hdev->features[1][0] &= ~LMP_HOST_SSP;
672 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
674 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
677 hci_dev_unlock(hdev);
682 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
685 struct hci_ev_status *rp = data;
686 struct hci_cp_write_sc_support *sent;
688 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
690 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
698 hdev->features[1][0] |= LMP_HOST_SC;
700 hdev->features[1][0] &= ~LMP_HOST_SC;
703 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
705 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
707 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
710 hci_dev_unlock(hdev);
715 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
718 struct hci_rp_read_local_version *rp = data;
720 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
725 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
726 hci_dev_test_flag(hdev, HCI_CONFIG)) {
727 hdev->hci_ver = rp->hci_ver;
728 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
729 hdev->lmp_ver = rp->lmp_ver;
730 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
731 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
737 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
740 struct hci_rp_read_enc_key_size *rp = data;
741 struct hci_conn *conn;
743 u8 status = rp->status;
745 bt_dev_dbg(hdev, "status 0x%2.2x", status);
747 handle = le16_to_cpu(rp->handle);
751 conn = hci_conn_hash_lookup_handle(hdev, handle);
757 /* While unexpected, the read_enc_key_size command may fail. The most
758 * secure approach is to then assume the key size is 0 to force a
762 bt_dev_err(hdev, "failed to read key size for handle %u",
764 conn->enc_key_size = 0;
766 conn->enc_key_size = rp->key_size;
769 if (conn->enc_key_size < hdev->min_enc_key_size) {
770 /* As slave role, the conn->state has been set to
771 * BT_CONNECTED and l2cap conn req might not be received
772 * yet, at this moment the l2cap layer almost does
773 * nothing with the non-zero status.
774 * So we also clear encrypt related bits, and then the
775 * handler of l2cap conn req will get the right secure
776 * state at a later time.
778 status = HCI_ERROR_AUTH_FAILURE;
779 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
780 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
784 hci_encrypt_cfm(conn, status);
787 hci_dev_unlock(hdev);
792 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
795 struct hci_rp_read_local_commands *rp = data;
797 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
802 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
803 hci_dev_test_flag(hdev, HCI_CONFIG))
804 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
809 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
812 struct hci_rp_read_auth_payload_to *rp = data;
813 struct hci_conn *conn;
815 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
822 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
824 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
826 hci_dev_unlock(hdev);
831 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
834 struct hci_rp_write_auth_payload_to *rp = data;
835 struct hci_conn *conn;
838 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
840 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
846 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
853 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
856 hci_dev_unlock(hdev);
861 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
864 struct hci_rp_read_local_features *rp = data;
866 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
871 memcpy(hdev->features, rp->features, 8);
873 /* Adjust default settings according to features
874 * supported by device. */
876 if (hdev->features[0][0] & LMP_3SLOT)
877 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
879 if (hdev->features[0][0] & LMP_5SLOT)
880 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
882 if (hdev->features[0][1] & LMP_HV2) {
883 hdev->pkt_type |= (HCI_HV2);
884 hdev->esco_type |= (ESCO_HV2);
887 if (hdev->features[0][1] & LMP_HV3) {
888 hdev->pkt_type |= (HCI_HV3);
889 hdev->esco_type |= (ESCO_HV3);
892 if (lmp_esco_capable(hdev))
893 hdev->esco_type |= (ESCO_EV3);
895 if (hdev->features[0][4] & LMP_EV4)
896 hdev->esco_type |= (ESCO_EV4);
898 if (hdev->features[0][4] & LMP_EV5)
899 hdev->esco_type |= (ESCO_EV5);
901 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
902 hdev->esco_type |= (ESCO_2EV3);
904 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
905 hdev->esco_type |= (ESCO_3EV3);
907 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
908 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
913 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
916 struct hci_rp_read_local_ext_features *rp = data;
918 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
923 if (hdev->max_page < rp->max_page) {
924 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
926 bt_dev_warn(hdev, "broken local ext features page 2");
928 hdev->max_page = rp->max_page;
931 if (rp->page < HCI_MAX_PAGES)
932 memcpy(hdev->features[rp->page], rp->features, 8);
937 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
940 struct hci_rp_read_flow_control_mode *rp = data;
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
947 hdev->flow_ctl_mode = rp->mode;
952 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
955 struct hci_rp_read_buffer_size *rp = data;
957 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
962 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
963 hdev->sco_mtu = rp->sco_mtu;
964 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
965 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
967 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
972 hdev->acl_cnt = hdev->acl_pkts;
973 hdev->sco_cnt = hdev->sco_pkts;
975 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
976 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
981 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
984 struct hci_rp_read_bd_addr *rp = data;
986 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
991 if (test_bit(HCI_INIT, &hdev->flags))
992 bacpy(&hdev->bdaddr, &rp->bdaddr);
994 if (hci_dev_test_flag(hdev, HCI_SETUP))
995 bacpy(&hdev->setup_addr, &rp->bdaddr);
1000 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
1001 struct sk_buff *skb)
1003 struct hci_rp_read_local_pairing_opts *rp = data;
1005 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1010 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1011 hci_dev_test_flag(hdev, HCI_CONFIG)) {
1012 hdev->pairing_opts = rp->pairing_opts;
1013 hdev->max_enc_key_size = rp->max_key_size;
1019 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1020 struct sk_buff *skb)
1022 struct hci_rp_read_page_scan_activity *rp = data;
1024 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1029 if (test_bit(HCI_INIT, &hdev->flags)) {
1030 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1031 hdev->page_scan_window = __le16_to_cpu(rp->window);
1037 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1038 struct sk_buff *skb)
1040 struct hci_ev_status *rp = data;
1041 struct hci_cp_write_page_scan_activity *sent;
1043 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1048 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1052 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1053 hdev->page_scan_window = __le16_to_cpu(sent->window);
1058 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1059 struct sk_buff *skb)
1061 struct hci_rp_read_page_scan_type *rp = data;
1063 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1068 if (test_bit(HCI_INIT, &hdev->flags))
1069 hdev->page_scan_type = rp->type;
1074 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1075 struct sk_buff *skb)
1077 struct hci_ev_status *rp = data;
1080 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1085 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1087 hdev->page_scan_type = *type;
1092 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1093 struct sk_buff *skb)
1095 struct hci_rp_read_data_block_size *rp = data;
1097 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1102 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1103 hdev->block_len = __le16_to_cpu(rp->block_len);
1104 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1106 hdev->block_cnt = hdev->num_blocks;
1108 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1109 hdev->block_cnt, hdev->block_len);
1114 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1115 struct sk_buff *skb)
1117 struct hci_rp_read_clock *rp = data;
1118 struct hci_cp_read_clock *cp;
1119 struct hci_conn *conn;
1121 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1128 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1132 if (cp->which == 0x00) {
1133 hdev->clock = le32_to_cpu(rp->clock);
1137 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1139 conn->clock = le32_to_cpu(rp->clock);
1140 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1144 hci_dev_unlock(hdev);
1148 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1149 struct sk_buff *skb)
1151 struct hci_rp_read_local_amp_info *rp = data;
1153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1158 hdev->amp_status = rp->amp_status;
1159 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1160 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1161 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1162 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1163 hdev->amp_type = rp->amp_type;
1164 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1165 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1166 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1167 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1172 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1173 struct sk_buff *skb)
1175 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1182 hdev->inq_tx_power = rp->tx_power;
1187 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 struct sk_buff *skb)
1190 struct hci_rp_read_def_err_data_reporting *rp = data;
1192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1197 hdev->err_data_reporting = rp->err_data_reporting;
1202 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1203 struct sk_buff *skb)
1205 struct hci_ev_status *rp = data;
1206 struct hci_cp_write_def_err_data_reporting *cp;
1208 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1213 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1217 hdev->err_data_reporting = cp->err_data_reporting;
1222 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1223 struct sk_buff *skb)
1225 struct hci_rp_pin_code_reply *rp = data;
1226 struct hci_cp_pin_code_reply *cp;
1227 struct hci_conn *conn;
1229 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1233 if (hci_dev_test_flag(hdev, HCI_MGMT))
1234 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1239 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1243 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1245 conn->pin_length = cp->pin_len;
1248 hci_dev_unlock(hdev);
1252 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1253 struct sk_buff *skb)
1255 struct hci_rp_pin_code_neg_reply *rp = data;
1257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1261 if (hci_dev_test_flag(hdev, HCI_MGMT))
1262 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1265 hci_dev_unlock(hdev);
1270 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1271 struct sk_buff *skb)
1273 struct hci_rp_le_read_buffer_size *rp = data;
1275 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1280 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1281 hdev->le_pkts = rp->le_max_pkt;
1283 hdev->le_cnt = hdev->le_pkts;
1285 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1290 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_local_features *rp = data;
1295 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1300 memcpy(hdev->le_features, rp->features, 8);
1305 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_le_read_adv_tx_power *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1315 hdev->adv_tx_power = rp->tx_power;
1320 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1321 struct sk_buff *skb)
1323 struct hci_rp_user_confirm_reply *rp = data;
1325 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1329 if (hci_dev_test_flag(hdev, HCI_MGMT))
1330 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1333 hci_dev_unlock(hdev);
1338 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1339 struct sk_buff *skb)
1341 struct hci_rp_user_confirm_reply *rp = data;
1343 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1347 if (hci_dev_test_flag(hdev, HCI_MGMT))
1348 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1349 ACL_LINK, 0, rp->status);
1351 hci_dev_unlock(hdev);
1356 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1357 struct sk_buff *skb)
1359 struct hci_rp_user_confirm_reply *rp = data;
1361 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1365 if (hci_dev_test_flag(hdev, HCI_MGMT))
1366 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1369 hci_dev_unlock(hdev);
1374 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1375 struct sk_buff *skb)
1377 struct hci_rp_user_confirm_reply *rp = data;
1379 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1383 if (hci_dev_test_flag(hdev, HCI_MGMT))
1384 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1385 ACL_LINK, 0, rp->status);
1387 hci_dev_unlock(hdev);
1392 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1393 struct sk_buff *skb)
1395 struct hci_rp_read_local_oob_data *rp = data;
1397 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1402 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1403 struct sk_buff *skb)
1405 struct hci_rp_read_local_oob_ext_data *rp = data;
1407 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1412 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1413 struct sk_buff *skb)
1415 struct hci_ev_status *rp = data;
1418 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1423 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1429 bacpy(&hdev->random_addr, sent);
1431 if (!bacmp(&hdev->rpa, sent)) {
1432 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1433 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1434 secs_to_jiffies(hdev->rpa_timeout));
1437 hci_dev_unlock(hdev);
1442 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1443 struct sk_buff *skb)
1445 struct hci_ev_status *rp = data;
1446 struct hci_cp_le_set_default_phy *cp;
1448 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1453 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1459 hdev->le_tx_def_phys = cp->tx_phys;
1460 hdev->le_rx_def_phys = cp->rx_phys;
1462 hci_dev_unlock(hdev);
1467 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1468 struct sk_buff *skb)
1470 struct hci_ev_status *rp = data;
1471 struct hci_cp_le_set_adv_set_rand_addr *cp;
1472 struct adv_info *adv;
1474 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1479 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1480 /* Update only in case the adv instance since handle 0x00 shall be using
1481 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1482 * non-extended adverting.
1484 if (!cp || !cp->handle)
1489 adv = hci_find_adv_instance(hdev, cp->handle);
1491 bacpy(&adv->random_addr, &cp->bdaddr);
1492 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1493 adv->rpa_expired = false;
1494 queue_delayed_work(hdev->workqueue,
1495 &adv->rpa_expired_cb,
1496 secs_to_jiffies(hdev->rpa_timeout));
1500 hci_dev_unlock(hdev);
1505 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1506 struct sk_buff *skb)
1508 struct hci_ev_status *rp = data;
1512 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1517 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1523 err = hci_remove_adv_instance(hdev, *instance);
1525 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1528 hci_dev_unlock(hdev);
1533 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1534 struct sk_buff *skb)
1536 struct hci_ev_status *rp = data;
1537 struct adv_info *adv, *n;
1540 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1545 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1550 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1551 u8 instance = adv->instance;
1553 err = hci_remove_adv_instance(hdev, instance);
1555 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1559 hci_dev_unlock(hdev);
1564 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1565 struct sk_buff *skb)
1567 struct hci_rp_le_read_transmit_power *rp = data;
1569 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1574 hdev->min_le_tx_power = rp->min_le_tx_power;
1575 hdev->max_le_tx_power = rp->max_le_tx_power;
1580 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1581 struct sk_buff *skb)
1583 struct hci_ev_status *rp = data;
1584 struct hci_cp_le_set_privacy_mode *cp;
1585 struct hci_conn_params *params;
1587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1592 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1598 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1600 WRITE_ONCE(params->privacy_mode, cp->mode);
1602 hci_dev_unlock(hdev);
1607 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1608 struct sk_buff *skb)
1610 struct hci_ev_status *rp = data;
1613 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1618 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1624 /* If we're doing connection initiation as peripheral. Set a
1625 * timeout in case something goes wrong.
1628 struct hci_conn *conn;
1630 hci_dev_set_flag(hdev, HCI_LE_ADV);
1632 conn = hci_lookup_le_connect(hdev);
1634 queue_delayed_work(hdev->workqueue,
1635 &conn->le_conn_timeout,
1636 conn->conn_timeout);
1638 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1641 hci_dev_unlock(hdev);
1646 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1647 struct sk_buff *skb)
1649 struct hci_cp_le_set_ext_adv_enable *cp;
1650 struct hci_cp_ext_adv_set *set;
1651 struct adv_info *adv = NULL, *n;
1652 struct hci_ev_status *rp = data;
1654 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1659 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1663 set = (void *)cp->data;
1667 if (cp->num_of_sets)
1668 adv = hci_find_adv_instance(hdev, set->handle);
1671 struct hci_conn *conn;
1673 hci_dev_set_flag(hdev, HCI_LE_ADV);
1675 if (adv && !adv->periodic)
1676 adv->enabled = true;
1678 conn = hci_lookup_le_connect(hdev);
1680 queue_delayed_work(hdev->workqueue,
1681 &conn->le_conn_timeout,
1682 conn->conn_timeout);
1684 if (cp->num_of_sets) {
1686 adv->enabled = false;
1688 /* If just one instance was disabled check if there are
1689 * any other instance enabled before clearing HCI_LE_ADV
1691 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1697 /* All instances shall be considered disabled */
1698 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1700 adv->enabled = false;
1703 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1707 hci_dev_unlock(hdev);
1711 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1712 struct sk_buff *skb)
1714 struct hci_cp_le_set_scan_param *cp;
1715 struct hci_ev_status *rp = data;
1717 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1722 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1728 hdev->le_scan_type = cp->type;
1730 hci_dev_unlock(hdev);
1735 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1736 struct sk_buff *skb)
1738 struct hci_cp_le_set_ext_scan_params *cp;
1739 struct hci_ev_status *rp = data;
1740 struct hci_cp_le_scan_phy_params *phy_param;
1742 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1747 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1751 phy_param = (void *)cp->data;
1755 hdev->le_scan_type = phy_param->type;
1757 hci_dev_unlock(hdev);
1762 static bool has_pending_adv_report(struct hci_dev *hdev)
1764 struct discovery_state *d = &hdev->discovery;
1766 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1769 static void clear_pending_adv_report(struct hci_dev *hdev)
1771 struct discovery_state *d = &hdev->discovery;
1773 bacpy(&d->last_adv_addr, BDADDR_ANY);
1774 d->last_adv_data_len = 0;
1778 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1779 u8 bdaddr_type, s8 rssi, u32 flags,
1782 struct discovery_state *d = &hdev->discovery;
1784 if (len > max_adv_len(hdev))
1787 bacpy(&d->last_adv_addr, bdaddr);
1788 d->last_adv_addr_type = bdaddr_type;
1789 d->last_adv_rssi = rssi;
1790 d->last_adv_flags = flags;
1791 memcpy(d->last_adv_data, data, len);
1792 d->last_adv_data_len = len;
1796 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1801 case LE_SCAN_ENABLE:
1802 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1803 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1804 clear_pending_adv_report(hdev);
1805 if (hci_dev_test_flag(hdev, HCI_MESH))
1806 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1809 case LE_SCAN_DISABLE:
1810 /* We do this here instead of when setting DISCOVERY_STOPPED
1811 * since the latter would potentially require waiting for
1812 * inquiry to stop too.
1814 if (has_pending_adv_report(hdev)) {
1815 struct discovery_state *d = &hdev->discovery;
1817 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1818 d->last_adv_addr_type, NULL,
1819 d->last_adv_rssi, d->last_adv_flags,
1821 d->last_adv_data_len, NULL, 0, 0);
1824 /* Cancel this timer so that we don't try to disable scanning
1825 * when it's already disabled.
1827 cancel_delayed_work(&hdev->le_scan_disable);
1829 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1831 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1832 * interrupted scanning due to a connect request. Mark
1833 * therefore discovery as stopped.
1835 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1836 #ifndef TIZEN_BT /* The below line is kernel bug. */
1837 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1839 hci_le_discovery_set_state(hdev, DISCOVERY_STOPPED);
1841 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1842 hdev->discovery.state == DISCOVERY_FINDING)
1843 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1848 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1853 hci_dev_unlock(hdev);
1856 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1857 struct sk_buff *skb)
1859 struct hci_cp_le_set_scan_enable *cp;
1860 struct hci_ev_status *rp = data;
1862 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1867 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1871 le_set_scan_enable_complete(hdev, cp->enable);
1876 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1877 struct sk_buff *skb)
1879 struct hci_cp_le_set_ext_scan_enable *cp;
1880 struct hci_ev_status *rp = data;
1882 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1887 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1891 le_set_scan_enable_complete(hdev, cp->enable);
1896 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1897 struct sk_buff *skb)
1899 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1901 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1907 hdev->le_num_of_adv_sets = rp->num_of_sets;
1912 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1913 struct sk_buff *skb)
1915 struct hci_rp_le_read_accept_list_size *rp = data;
1917 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1922 hdev->le_accept_list_size = rp->size;
1927 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1928 struct sk_buff *skb)
1930 struct hci_ev_status *rp = data;
1932 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1938 hci_bdaddr_list_clear(&hdev->le_accept_list);
1939 hci_dev_unlock(hdev);
1944 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1945 struct sk_buff *skb)
1947 struct hci_cp_le_add_to_accept_list *sent;
1948 struct hci_ev_status *rp = data;
1950 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1955 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1960 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1962 hci_dev_unlock(hdev);
1967 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1968 struct sk_buff *skb)
1970 struct hci_cp_le_del_from_accept_list *sent;
1971 struct hci_ev_status *rp = data;
1973 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1978 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1983 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1985 hci_dev_unlock(hdev);
1990 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1991 struct sk_buff *skb)
1993 struct hci_rp_le_read_supported_states *rp = data;
1995 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2000 memcpy(hdev->le_states, rp->le_states, 8);
2005 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
2006 struct sk_buff *skb)
2008 struct hci_rp_le_read_def_data_len *rp = data;
2010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2015 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
2016 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2021 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2022 struct sk_buff *skb)
2024 struct hci_cp_le_write_def_data_len *sent;
2025 struct hci_ev_status *rp = data;
2027 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2032 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2036 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2037 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2042 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2043 struct sk_buff *skb)
2045 struct hci_cp_le_add_to_resolv_list *sent;
2046 struct hci_ev_status *rp = data;
2048 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2058 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2059 sent->bdaddr_type, sent->peer_irk,
2061 hci_dev_unlock(hdev);
2066 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2067 struct sk_buff *skb)
2069 struct hci_cp_le_del_from_resolv_list *sent;
2070 struct hci_ev_status *rp = data;
2072 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2077 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2082 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2084 hci_dev_unlock(hdev);
2089 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2090 struct sk_buff *skb)
2092 struct hci_ev_status *rp = data;
2094 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2100 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2101 hci_dev_unlock(hdev);
2106 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2107 struct sk_buff *skb)
2109 struct hci_rp_le_read_resolv_list_size *rp = data;
2111 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2116 hdev->le_resolv_list_size = rp->size;
2121 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2122 struct sk_buff *skb)
2124 struct hci_ev_status *rp = data;
2127 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2132 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2139 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2141 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2143 hci_dev_unlock(hdev);
2148 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2149 struct sk_buff *skb)
2151 struct hci_rp_le_read_max_data_len *rp = data;
2153 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2162 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2163 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2164 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2165 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2168 mgmt_le_read_maximum_data_length_complete(hdev, rp->status);
2169 hci_dev_unlock(hdev);
2175 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2176 struct sk_buff *skb)
2178 struct hci_cp_write_le_host_supported *sent;
2179 struct hci_ev_status *rp = data;
2181 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2186 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2193 hdev->features[1][0] |= LMP_HOST_LE;
2194 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2196 hdev->features[1][0] &= ~LMP_HOST_LE;
2197 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2198 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2202 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2204 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2206 hci_dev_unlock(hdev);
2211 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2212 struct sk_buff *skb)
2214 struct hci_cp_le_set_adv_param *cp;
2215 struct hci_ev_status *rp = data;
2217 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2222 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2227 hdev->adv_addr_type = cp->own_address_type;
2228 hci_dev_unlock(hdev);
2233 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2234 struct sk_buff *skb)
2236 struct hci_rp_le_set_ext_adv_params *rp = data;
2237 struct hci_cp_le_set_ext_adv_params *cp;
2238 struct adv_info *adv_instance;
2240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2245 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2250 hdev->adv_addr_type = cp->own_addr_type;
2252 /* Store in hdev for instance 0 */
2253 hdev->adv_tx_power = rp->tx_power;
2255 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2257 adv_instance->tx_power = rp->tx_power;
2259 /* Update adv data as tx power is known now */
2260 hci_update_adv_data(hdev, cp->handle);
2262 hci_dev_unlock(hdev);
2268 static u8 hci_cc_enable_rssi(struct hci_dev *hdev, void *data,
2269 struct sk_buff *skb)
2271 struct hci_cc_rsp_enable_rssi *rp = data;
2273 BT_DBG("hci_cc_enable_rssi - %s status 0x%2.2x Event_LE_ext_Opcode 0x%2.2x",
2274 hdev->name, rp->status, rp->le_ext_opcode);
2276 mgmt_enable_rssi_cc(hdev, rp, rp->status);
2281 static u8 hci_cc_get_raw_rssi(struct hci_dev *hdev, void *data,
2282 struct sk_buff *skb)
2284 struct hci_cc_rp_get_raw_rssi *rp = data;
2286 BT_DBG("hci_cc_get_raw_rssi- %s Get Raw Rssi Response[%2.2x %4.4x %2.2X]",
2287 hdev->name, rp->status, rp->conn_handle, rp->rssi_dbm);
2289 mgmt_raw_rssi_response(hdev, rp, rp->status);
2294 static void hci_vendor_ext_rssi_link_alert_evt(struct hci_dev *hdev,
2295 struct sk_buff *skb)
2297 struct hci_ev_vendor_specific_rssi_alert *ev = (void *)skb->data;
2299 BT_DBG("RSSI event LE_RSSI_LINK_ALERT %X", LE_RSSI_LINK_ALERT);
2301 mgmt_rssi_alert_evt(hdev, ev->conn_handle, ev->alert_type,
2305 static void hci_vendor_specific_group_ext_evt(struct hci_dev *hdev,
2306 struct sk_buff *skb)
2308 struct hci_ev_ext_vendor_specific *ev = (void *)skb->data;
2309 __u8 event_le_ext_sub_code;
2311 BT_DBG("RSSI event LE_META_VENDOR_SPECIFIC_GROUP_EVENT: %X",
2312 LE_META_VENDOR_SPECIFIC_GROUP_EVENT);
2314 skb_pull(skb, sizeof(*ev));
2315 event_le_ext_sub_code = ev->event_le_ext_sub_code;
2317 switch (event_le_ext_sub_code) {
2318 case LE_RSSI_LINK_ALERT:
2319 hci_vendor_ext_rssi_link_alert_evt(hdev, skb);
2327 static void hci_vendor_multi_adv_state_change_evt(struct hci_dev *hdev,
2328 struct sk_buff *skb)
2330 struct hci_ev_vendor_specific_multi_adv_state *ev = (void *)skb->data;
2332 BT_DBG("LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT");
2334 mgmt_multi_adv_state_change_evt(hdev, ev->adv_instance,
2335 ev->state_change_reason,
2336 ev->connection_handle);
2339 static void hci_vendor_specific_evt(struct hci_dev *hdev, void *data,
2340 struct sk_buff *skb)
2342 struct hci_ev_vendor_specific *ev = (void *)skb->data;
2343 __u8 event_sub_code;
2345 BT_DBG("hci_vendor_specific_evt");
2347 skb_pull(skb, sizeof(*ev));
2348 event_sub_code = ev->event_sub_code;
2350 switch (event_sub_code) {
2351 case LE_META_VENDOR_SPECIFIC_GROUP_EVENT:
2352 hci_vendor_specific_group_ext_evt(hdev, skb);
2355 case LE_MULTI_ADV_STATE_CHANGE_SUB_EVENT:
2356 hci_vendor_multi_adv_state_change_evt(hdev, skb);
2365 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2366 struct sk_buff *skb)
2368 struct hci_rp_read_rssi *rp = data;
2369 struct hci_conn *conn;
2371 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2378 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2380 conn->rssi = rp->rssi;
2382 hci_dev_unlock(hdev);
2387 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2388 struct sk_buff *skb)
2390 struct hci_cp_read_tx_power *sent;
2391 struct hci_rp_read_tx_power *rp = data;
2392 struct hci_conn *conn;
2394 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2399 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2405 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2409 switch (sent->type) {
2411 conn->tx_power = rp->tx_power;
2414 conn->max_tx_power = rp->tx_power;
2419 hci_dev_unlock(hdev);
2423 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2424 struct sk_buff *skb)
2426 struct hci_ev_status *rp = data;
2429 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2434 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2436 hdev->ssp_debug_mode = *mode;
2441 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2443 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2446 hci_conn_check_pending(hdev);
2450 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2451 set_bit(HCI_INQUIRY, &hdev->flags);
2454 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2456 struct hci_cp_create_conn *cp;
2457 struct hci_conn *conn;
2459 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2461 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2467 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2469 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2472 if (conn && conn->state == BT_CONNECT) {
2473 if (status != 0x0c || conn->attempt > 2) {
2474 conn->state = BT_CLOSED;
2475 hci_connect_cfm(conn, status);
2478 conn->state = BT_CONNECT2;
2482 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2485 bt_dev_err(hdev, "no memory for new connection");
2489 hci_dev_unlock(hdev);
2492 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2494 struct hci_cp_add_sco *cp;
2495 struct hci_conn *acl;
2496 struct hci_link *link;
2499 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2504 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2508 handle = __le16_to_cpu(cp->handle);
2510 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2514 acl = hci_conn_hash_lookup_handle(hdev, handle);
2516 link = list_first_entry_or_null(&acl->link_list,
2517 struct hci_link, list);
2518 if (link && link->conn) {
2519 link->conn->state = BT_CLOSED;
2521 hci_connect_cfm(link->conn, status);
2522 hci_conn_del(link->conn);
2526 hci_dev_unlock(hdev);
2529 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2531 struct hci_cp_auth_requested *cp;
2532 struct hci_conn *conn;
2534 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2539 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2545 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2547 if (conn->state == BT_CONFIG) {
2548 hci_connect_cfm(conn, status);
2549 hci_conn_drop(conn);
2553 hci_dev_unlock(hdev);
2556 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2558 struct hci_cp_set_conn_encrypt *cp;
2559 struct hci_conn *conn;
2561 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2566 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2572 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2574 if (conn->state == BT_CONFIG) {
2575 hci_connect_cfm(conn, status);
2576 hci_conn_drop(conn);
2580 hci_dev_unlock(hdev);
2583 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2584 struct hci_conn *conn)
2586 if (conn->state != BT_CONFIG || !conn->out)
2589 if (conn->pending_sec_level == BT_SECURITY_SDP)
2592 /* Only request authentication for SSP connections or non-SSP
2593 * devices with sec_level MEDIUM or HIGH or if MITM protection
2596 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2597 conn->pending_sec_level != BT_SECURITY_FIPS &&
2598 conn->pending_sec_level != BT_SECURITY_HIGH &&
2599 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2605 static int hci_resolve_name(struct hci_dev *hdev,
2606 struct inquiry_entry *e)
2608 struct hci_cp_remote_name_req cp;
2610 memset(&cp, 0, sizeof(cp));
2612 bacpy(&cp.bdaddr, &e->data.bdaddr);
2613 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2614 cp.pscan_mode = e->data.pscan_mode;
2615 cp.clock_offset = e->data.clock_offset;
2617 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2620 static bool hci_resolve_next_name(struct hci_dev *hdev)
2622 struct discovery_state *discov = &hdev->discovery;
2623 struct inquiry_entry *e;
2625 if (list_empty(&discov->resolve))
2628 /* We should stop if we already spent too much time resolving names. */
2629 if (time_after(jiffies, discov->name_resolve_timeout)) {
2630 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2634 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2638 if (hci_resolve_name(hdev, e) == 0) {
2639 e->name_state = NAME_PENDING;
2646 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2647 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2649 struct discovery_state *discov = &hdev->discovery;
2650 struct inquiry_entry *e;
2653 /* Update the mgmt connected state if necessary. Be careful with
2654 * conn objects that exist but are not (yet) connected however.
2655 * Only those in BT_CONFIG or BT_CONNECTED states can be
2656 * considered connected.
2659 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) {
2660 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2661 mgmt_device_connected(hdev, conn, name, name_len);
2663 mgmt_device_name_update(hdev, bdaddr, name, name_len);
2667 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2668 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2669 mgmt_device_connected(hdev, conn, name, name_len);
2672 if (discov->state == DISCOVERY_STOPPED)
2675 if (discov->state == DISCOVERY_STOPPING)
2676 goto discov_complete;
2678 if (discov->state != DISCOVERY_RESOLVING)
2681 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2682 /* If the device was not found in a list of found devices names of which
2683 * are pending. there is no need to continue resolving a next name as it
2684 * will be done upon receiving another Remote Name Request Complete
2691 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2692 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2695 if (hci_resolve_next_name(hdev))
2699 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2702 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2704 struct hci_cp_remote_name_req *cp;
2705 struct hci_conn *conn;
2707 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2709 /* If successful wait for the name req complete event before
2710 * checking for the need to do authentication */
2714 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2720 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2722 if (hci_dev_test_flag(hdev, HCI_MGMT))
2723 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2728 if (!hci_outgoing_auth_needed(hdev, conn))
2731 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2732 struct hci_cp_auth_requested auth_cp;
2734 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2736 auth_cp.handle = __cpu_to_le16(conn->handle);
2737 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2738 sizeof(auth_cp), &auth_cp);
2742 hci_dev_unlock(hdev);
2745 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2747 struct hci_cp_read_remote_features *cp;
2748 struct hci_conn *conn;
2750 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2755 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2761 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2763 if (conn->state == BT_CONFIG) {
2764 hci_connect_cfm(conn, status);
2765 hci_conn_drop(conn);
2769 hci_dev_unlock(hdev);
2772 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2774 struct hci_cp_read_remote_ext_features *cp;
2775 struct hci_conn *conn;
2777 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2782 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2788 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2790 if (conn->state == BT_CONFIG) {
2791 hci_connect_cfm(conn, status);
2792 hci_conn_drop(conn);
2796 hci_dev_unlock(hdev);
2799 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2802 struct hci_conn *acl;
2803 struct hci_link *link;
2805 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2809 acl = hci_conn_hash_lookup_handle(hdev, handle);
2811 link = list_first_entry_or_null(&acl->link_list,
2812 struct hci_link, list);
2813 if (link && link->conn) {
2814 link->conn->state = BT_CLOSED;
2816 hci_connect_cfm(link->conn, status);
2817 hci_conn_del(link->conn);
2821 hci_dev_unlock(hdev);
2824 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2826 struct hci_cp_setup_sync_conn *cp;
2828 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2833 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2837 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2840 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2842 struct hci_cp_enhanced_setup_sync_conn *cp;
2844 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2849 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2853 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2856 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2858 struct hci_cp_sniff_mode *cp;
2859 struct hci_conn *conn;
2861 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2866 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2872 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2874 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2876 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2877 hci_sco_setup(conn, status);
2880 hci_dev_unlock(hdev);
2883 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2885 struct hci_cp_exit_sniff_mode *cp;
2886 struct hci_conn *conn;
2888 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2893 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2899 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2901 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2903 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2904 hci_sco_setup(conn, status);
2907 hci_dev_unlock(hdev);
2910 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2912 struct hci_cp_disconnect *cp;
2913 struct hci_conn_params *params;
2914 struct hci_conn *conn;
2917 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2919 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2920 * otherwise cleanup the connection immediately.
2922 if (!status && !hdev->suspended)
2925 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2931 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2936 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2937 conn->dst_type, status);
2939 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2940 hdev->cur_adv_instance = conn->adv_instance;
2941 hci_enable_advertising(hdev);
2944 /* Inform sockets conn is gone before we delete it */
2945 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2950 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2952 if (conn->type == ACL_LINK) {
2953 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2954 hci_remove_link_key(hdev, &conn->dst);
2957 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2959 switch (params->auto_connect) {
2960 case HCI_AUTO_CONN_LINK_LOSS:
2961 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2965 case HCI_AUTO_CONN_DIRECT:
2966 case HCI_AUTO_CONN_ALWAYS:
2967 hci_pend_le_list_del_init(params);
2968 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2976 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2977 cp->reason, mgmt_conn);
2979 hci_disconn_cfm(conn, cp->reason);
2982 /* If the disconnection failed for any reason, the upper layer
2983 * does not retry to disconnect in current implementation.
2984 * Hence, we need to do some basic cleanup here and re-enable
2985 * advertising if necessary.
2989 hci_dev_unlock(hdev);
2992 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2994 /* When using controller based address resolution, then the new
2995 * address types 0x02 and 0x03 are used. These types need to be
2996 * converted back into either public address or random address type
2999 case ADDR_LE_DEV_PUBLIC_RESOLVED:
3002 return ADDR_LE_DEV_PUBLIC;
3003 case ADDR_LE_DEV_RANDOM_RESOLVED:
3006 return ADDR_LE_DEV_RANDOM;
3014 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
3015 u8 peer_addr_type, u8 own_address_type,
3018 struct hci_conn *conn;
3020 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
3025 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
3027 /* Store the initiator and responder address information which
3028 * is needed for SMP. These values will not change during the
3029 * lifetime of the connection.
3031 conn->init_addr_type = own_address_type;
3032 if (own_address_type == ADDR_LE_DEV_RANDOM)
3033 bacpy(&conn->init_addr, &hdev->random_addr);
3035 bacpy(&conn->init_addr, &hdev->bdaddr);
3037 conn->resp_addr_type = peer_addr_type;
3038 bacpy(&conn->resp_addr, peer_addr);
3041 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
3043 struct hci_cp_le_create_conn *cp;
3045 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3047 /* All connection failure handling is taken care of by the
3048 * hci_conn_failed function which is triggered by the HCI
3049 * request completion callbacks used for connecting.
3054 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
3060 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3061 cp->own_address_type, cp->filter_policy);
3063 hci_dev_unlock(hdev);
3066 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
3068 struct hci_cp_le_ext_create_conn *cp;
3070 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3072 /* All connection failure handling is taken care of by the
3073 * hci_conn_failed function which is triggered by the HCI
3074 * request completion callbacks used for connecting.
3079 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
3085 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
3086 cp->own_addr_type, cp->filter_policy);
3088 hci_dev_unlock(hdev);
3091 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
3093 struct hci_cp_le_read_remote_features *cp;
3094 struct hci_conn *conn;
3096 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3101 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
3107 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3109 if (conn->state == BT_CONFIG) {
3110 hci_connect_cfm(conn, status);
3111 hci_conn_drop(conn);
3115 hci_dev_unlock(hdev);
3118 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
3120 struct hci_cp_le_start_enc *cp;
3121 struct hci_conn *conn;
3123 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3130 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
3134 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3138 if (conn->state != BT_CONNECTED)
3141 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3142 hci_conn_drop(conn);
3145 hci_dev_unlock(hdev);
3148 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3150 struct hci_cp_switch_role *cp;
3151 struct hci_conn *conn;
3153 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3158 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3164 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3166 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3168 hci_dev_unlock(hdev);
3171 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3172 struct sk_buff *skb)
3174 struct hci_ev_status *ev = data;
3175 struct discovery_state *discov = &hdev->discovery;
3176 struct inquiry_entry *e;
3178 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3180 hci_conn_check_pending(hdev);
3182 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3185 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3186 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3188 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3193 if (discov->state != DISCOVERY_FINDING)
3196 if (list_empty(&discov->resolve)) {
3197 /* When BR/EDR inquiry is active and no LE scanning is in
3198 * progress, then change discovery state to indicate completion.
3200 * When running LE scanning and BR/EDR inquiry simultaneously
3201 * and the LE scan already finished, then change the discovery
3202 * state to indicate completion.
3204 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3205 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3206 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3210 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3211 if (e && hci_resolve_name(hdev, e) == 0) {
3212 e->name_state = NAME_PENDING;
3213 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3214 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3216 /* When BR/EDR inquiry is active and no LE scanning is in
3217 * progress, then change discovery state to indicate completion.
3219 * When running LE scanning and BR/EDR inquiry simultaneously
3220 * and the LE scan already finished, then change the discovery
3221 * state to indicate completion.
3223 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3224 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3225 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3229 hci_dev_unlock(hdev);
3232 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3233 struct sk_buff *skb)
3235 struct hci_ev_inquiry_result *ev = edata;
3236 struct inquiry_data data;
3239 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3240 flex_array_size(ev, info, ev->num)))
3243 bt_dev_dbg(hdev, "num %d", ev->num);
3248 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3253 for (i = 0; i < ev->num; i++) {
3254 struct inquiry_info *info = &ev->info[i];
3257 bacpy(&data.bdaddr, &info->bdaddr);
3258 data.pscan_rep_mode = info->pscan_rep_mode;
3259 data.pscan_period_mode = info->pscan_period_mode;
3260 data.pscan_mode = info->pscan_mode;
3261 memcpy(data.dev_class, info->dev_class, 3);
3262 data.clock_offset = info->clock_offset;
3263 data.rssi = HCI_RSSI_INVALID;
3264 data.ssp_mode = 0x00;
3266 flags = hci_inquiry_cache_update(hdev, &data, false);
3268 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3269 info->dev_class, HCI_RSSI_INVALID,
3270 flags, NULL, 0, NULL, 0, 0);
3273 hci_dev_unlock(hdev);
3276 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3277 struct sk_buff *skb)
3279 struct hci_ev_conn_complete *ev = data;
3280 struct hci_conn *conn;
3281 u8 status = ev->status;
3283 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3287 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3289 /* In case of error status and there is no connection pending
3290 * just unlock as there is nothing to cleanup.
3295 /* Connection may not exist if auto-connected. Check the bredr
3296 * allowlist to see if this device is allowed to auto connect.
3297 * If link is an ACL type, create a connection class
3300 * Auto-connect will only occur if the event filter is
3301 * programmed with a given address. Right now, event filter is
3302 * only used during suspend.
3304 if (ev->link_type == ACL_LINK &&
3305 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3308 conn = hci_conn_add_unset(hdev, ev->link_type,
3309 &ev->bdaddr, HCI_ROLE_SLAVE);
3311 bt_dev_err(hdev, "no memory for new conn");
3315 if (ev->link_type != SCO_LINK)
3318 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3323 conn->type = SCO_LINK;
3327 /* The HCI_Connection_Complete event is only sent once per connection.
3328 * Processing it more than once per connection can corrupt kernel memory.
3330 * As the connection handle is set here for the first time, it indicates
3331 * whether the connection is already set up.
3333 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3334 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3339 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3343 if (conn->type == ACL_LINK) {
3344 conn->state = BT_CONFIG;
3345 hci_conn_hold(conn);
3347 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3348 !hci_find_link_key(hdev, &ev->bdaddr))
3349 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3351 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3353 conn->state = BT_CONNECTED;
3355 hci_debugfs_create_conn(conn);
3356 hci_conn_add_sysfs(conn);
3358 if (test_bit(HCI_AUTH, &hdev->flags))
3359 set_bit(HCI_CONN_AUTH, &conn->flags);
3361 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3362 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3364 /* Get remote features */
3365 if (conn->type == ACL_LINK) {
3366 struct hci_cp_read_remote_features cp;
3367 cp.handle = ev->handle;
3368 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3371 hci_update_scan(hdev);
3374 /* Set packet type for incoming connection */
3375 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3376 struct hci_cp_change_conn_ptype cp;
3377 cp.handle = ev->handle;
3378 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3379 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3384 if (get_link_mode(conn) & HCI_LM_MASTER)
3385 hci_conn_change_supervision_timeout(conn,
3386 LINK_SUPERVISION_TIMEOUT);
3390 if (conn->type == ACL_LINK)
3391 hci_sco_setup(conn, ev->status);
3395 hci_conn_failed(conn, status);
3396 } else if (ev->link_type == SCO_LINK) {
3397 switch (conn->setting & SCO_AIRMODE_MASK) {
3398 case SCO_AIRMODE_CVSD:
3400 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3404 hci_connect_cfm(conn, status);
3408 hci_dev_unlock(hdev);
3410 hci_conn_check_pending(hdev);
3413 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3415 struct hci_cp_reject_conn_req cp;
3417 bacpy(&cp.bdaddr, bdaddr);
3418 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3419 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3422 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3423 struct sk_buff *skb)
3425 struct hci_ev_conn_request *ev = data;
3426 int mask = hdev->link_mode;
3427 struct inquiry_entry *ie;
3428 struct hci_conn *conn;
3431 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3433 /* Reject incoming connection from device with same BD ADDR against
3436 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3437 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3439 hci_reject_conn(hdev, &ev->bdaddr);
3443 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3446 if (!(mask & HCI_LM_ACCEPT)) {
3447 hci_reject_conn(hdev, &ev->bdaddr);
3453 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3455 hci_reject_conn(hdev, &ev->bdaddr);
3459 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3460 * connection. These features are only touched through mgmt so
3461 * only do the checks if HCI_MGMT is set.
3463 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3464 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3465 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3467 hci_reject_conn(hdev, &ev->bdaddr);
3471 /* Connection accepted */
3473 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3475 memcpy(ie->data.dev_class, ev->dev_class, 3);
3478 if ((ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK) &&
3479 hci_conn_hash_lookup_sco(hdev)) {
3480 struct hci_cp_reject_conn_req cp;
3482 bacpy(&cp.bdaddr, &ev->bdaddr);
3483 cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
3484 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ,
3486 hci_dev_unlock(hdev);
3491 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3494 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3497 bt_dev_err(hdev, "no memory for new connection");
3502 memcpy(conn->dev_class, ev->dev_class, 3);
3504 hci_dev_unlock(hdev);
3506 if (ev->link_type == ACL_LINK ||
3507 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3508 struct hci_cp_accept_conn_req cp;
3509 conn->state = BT_CONNECT;
3511 bacpy(&cp.bdaddr, &ev->bdaddr);
3513 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3514 cp.role = 0x00; /* Become central */
3516 cp.role = 0x01; /* Remain peripheral */
3518 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3519 } else if (!(flags & HCI_PROTO_DEFER)) {
3520 struct hci_cp_accept_sync_conn_req cp;
3521 conn->state = BT_CONNECT;
3523 bacpy(&cp.bdaddr, &ev->bdaddr);
3524 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3526 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3527 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3528 cp.max_latency = cpu_to_le16(0xffff);
3529 cp.content_format = cpu_to_le16(hdev->voice_setting);
3530 cp.retrans_effort = 0xff;
3532 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3535 conn->state = BT_CONNECT2;
3536 hci_connect_cfm(conn, 0);
3541 hci_dev_unlock(hdev);
3544 static u8 hci_to_mgmt_reason(u8 err)
3547 case HCI_ERROR_CONNECTION_TIMEOUT:
3548 return MGMT_DEV_DISCONN_TIMEOUT;
3549 case HCI_ERROR_REMOTE_USER_TERM:
3550 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3551 case HCI_ERROR_REMOTE_POWER_OFF:
3552 return MGMT_DEV_DISCONN_REMOTE;
3553 case HCI_ERROR_LOCAL_HOST_TERM:
3554 return MGMT_DEV_DISCONN_LOCAL_HOST;
3556 return MGMT_DEV_DISCONN_UNKNOWN;
3560 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3561 struct sk_buff *skb)
3563 struct hci_ev_disconn_complete *ev = data;
3565 struct hci_conn_params *params;
3566 struct hci_conn *conn;
3567 bool mgmt_connected;
3569 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3573 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3578 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3579 conn->dst_type, ev->status);
3583 conn->state = BT_CLOSED;
3585 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3587 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3588 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3590 reason = hci_to_mgmt_reason(ev->reason);
3592 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3593 reason, mgmt_connected);
3595 if (conn->type == ACL_LINK) {
3596 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3597 hci_remove_link_key(hdev, &conn->dst);
3599 hci_update_scan(hdev);
3602 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3604 switch (params->auto_connect) {
3605 case HCI_AUTO_CONN_LINK_LOSS:
3606 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3610 case HCI_AUTO_CONN_DIRECT:
3611 case HCI_AUTO_CONN_ALWAYS:
3612 hci_pend_le_list_del_init(params);
3613 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3614 hci_update_passive_scan(hdev);
3622 hci_disconn_cfm(conn, ev->reason);
3624 /* Re-enable advertising if necessary, since it might
3625 * have been disabled by the connection. From the
3626 * HCI_LE_Set_Advertise_Enable command description in
3627 * the core specification (v4.0):
3628 * "The Controller shall continue advertising until the Host
3629 * issues an LE_Set_Advertise_Enable command with
3630 * Advertising_Enable set to 0x00 (Advertising is disabled)
3631 * or until a connection is created or until the Advertising
3632 * is timed out due to Directed Advertising."
3634 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3635 hdev->cur_adv_instance = conn->adv_instance;
3636 hci_enable_advertising(hdev);
3642 if (conn->type == ACL_LINK && !hci_conn_num(hdev, ACL_LINK)) {
3646 iscan = test_bit(HCI_ISCAN, &hdev->flags);
3647 pscan = test_bit(HCI_PSCAN, &hdev->flags);
3648 if (!iscan && !pscan) {
3649 u8 scan_enable = SCAN_PAGE;
3651 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE,
3652 sizeof(scan_enable), &scan_enable);
3658 hci_dev_unlock(hdev);
3661 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3662 struct sk_buff *skb)
3664 struct hci_ev_auth_complete *ev = data;
3665 struct hci_conn *conn;
3667 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3671 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3676 /* PIN or Key Missing patch */
3677 BT_DBG("remote_auth %x, remote_cap %x, auth_type %x, io_capability %x",
3678 conn->remote_auth, conn->remote_cap,
3679 conn->auth_type, conn->io_capability);
3681 if (ev->status == 0x06 && hci_conn_ssp_enabled(conn)) {
3682 struct hci_cp_auth_requested cp;
3684 BT_DBG("Pin or key missing");
3685 hci_remove_link_key(hdev, &conn->dst);
3686 cp.handle = cpu_to_le16(conn->handle);
3687 hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3694 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3695 set_bit(HCI_CONN_AUTH, &conn->flags);
3696 conn->sec_level = conn->pending_sec_level;
3698 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3699 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3701 mgmt_auth_failed(conn, ev->status);
3704 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3706 if (conn->state == BT_CONFIG) {
3707 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3708 struct hci_cp_set_conn_encrypt cp;
3709 cp.handle = ev->handle;
3711 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3714 conn->state = BT_CONNECTED;
3715 hci_connect_cfm(conn, ev->status);
3716 hci_conn_drop(conn);
3719 hci_auth_cfm(conn, ev->status);
3721 hci_conn_hold(conn);
3722 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3723 hci_conn_drop(conn);
3726 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3728 struct hci_cp_set_conn_encrypt cp;
3729 cp.handle = ev->handle;
3731 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3734 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3735 hci_encrypt_cfm(conn, ev->status);
3740 hci_dev_unlock(hdev);
3743 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3744 struct sk_buff *skb)
3746 struct hci_ev_remote_name *ev = data;
3747 struct hci_conn *conn;
3749 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3751 hci_conn_check_pending(hdev);
3755 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3757 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3760 if (ev->status == 0)
3761 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3762 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3764 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3770 if (!hci_outgoing_auth_needed(hdev, conn))
3773 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3774 struct hci_cp_auth_requested cp;
3776 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3778 cp.handle = __cpu_to_le16(conn->handle);
3779 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3783 hci_dev_unlock(hdev);
3786 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3787 struct sk_buff *skb)
3789 struct hci_ev_encrypt_change *ev = data;
3790 struct hci_conn *conn;
3792 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3796 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3802 /* Encryption implies authentication */
3803 set_bit(HCI_CONN_AUTH, &conn->flags);
3804 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3805 conn->sec_level = conn->pending_sec_level;
3807 /* P-256 authentication key implies FIPS */
3808 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3809 set_bit(HCI_CONN_FIPS, &conn->flags);
3811 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3812 conn->type == LE_LINK)
3813 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3815 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3816 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3820 /* We should disregard the current RPA and generate a new one
3821 * whenever the encryption procedure fails.
3823 if (ev->status && conn->type == LE_LINK) {
3824 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3825 hci_adv_instances_set_rpa_expired(hdev, true);
3828 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3830 /* Check link security requirements are met */
3831 if (!hci_conn_check_link_mode(conn))
3832 ev->status = HCI_ERROR_AUTH_FAILURE;
3834 if (ev->status && conn->state == BT_CONNECTED) {
3835 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3836 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3838 /* Notify upper layers so they can cleanup before
3841 hci_encrypt_cfm(conn, ev->status);
3842 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3843 hci_conn_drop(conn);
3847 /* Try reading the encryption key size for encrypted ACL links */
3848 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3849 struct hci_cp_read_enc_key_size cp;
3851 /* Only send HCI_Read_Encryption_Key_Size if the
3852 * controller really supports it. If it doesn't, assume
3853 * the default size (16).
3855 if (!(hdev->commands[20] & 0x10)) {
3856 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3860 cp.handle = cpu_to_le16(conn->handle);
3861 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3863 bt_dev_err(hdev, "sending read key size failed");
3864 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3871 /* Set the default Authenticated Payload Timeout after
3872 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3873 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3874 * sent when the link is active and Encryption is enabled, the conn
3875 * type can be either LE or ACL and controller must support LMP Ping.
3876 * Ensure for AES-CCM encryption as well.
3878 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3879 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3880 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3881 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3882 struct hci_cp_write_auth_payload_to cp;
3884 cp.handle = cpu_to_le16(conn->handle);
3885 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3886 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3888 bt_dev_err(hdev, "write auth payload timeout failed");
3892 hci_encrypt_cfm(conn, ev->status);
3895 hci_dev_unlock(hdev);
3898 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3899 struct sk_buff *skb)
3901 struct hci_ev_change_link_key_complete *ev = data;
3902 struct hci_conn *conn;
3904 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3908 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3911 set_bit(HCI_CONN_SECURE, &conn->flags);
3913 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3915 hci_key_change_cfm(conn, ev->status);
3918 hci_dev_unlock(hdev);
3921 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3922 struct sk_buff *skb)
3924 struct hci_ev_remote_features *ev = data;
3925 struct hci_conn *conn;
3927 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3931 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3936 memcpy(conn->features[0], ev->features, 8);
3938 if (conn->state != BT_CONFIG)
3941 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3942 lmp_ext_feat_capable(conn)) {
3943 struct hci_cp_read_remote_ext_features cp;
3944 cp.handle = ev->handle;
3946 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3951 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3952 struct hci_cp_remote_name_req cp;
3953 memset(&cp, 0, sizeof(cp));
3954 bacpy(&cp.bdaddr, &conn->dst);
3955 cp.pscan_rep_mode = 0x02;
3956 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3957 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3958 mgmt_device_connected(hdev, conn, NULL, 0);
3960 if (!hci_outgoing_auth_needed(hdev, conn)) {
3961 conn->state = BT_CONNECTED;
3962 hci_connect_cfm(conn, ev->status);
3963 hci_conn_drop(conn);
3967 hci_dev_unlock(hdev);
3970 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3972 cancel_delayed_work(&hdev->cmd_timer);
3975 if (!test_bit(HCI_RESET, &hdev->flags)) {
3977 cancel_delayed_work(&hdev->ncmd_timer);
3978 atomic_set(&hdev->cmd_cnt, 1);
3980 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3981 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3988 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3989 struct sk_buff *skb)
3991 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3993 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3998 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3999 hdev->le_pkts = rp->acl_max_pkt;
4000 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
4001 hdev->iso_pkts = rp->iso_max_pkt;
4003 hdev->le_cnt = hdev->le_pkts;
4004 hdev->iso_cnt = hdev->iso_pkts;
4006 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
4007 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
4012 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
4014 struct hci_conn *conn, *tmp;
4016 lockdep_assert_held(&hdev->lock);
4018 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
4019 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
4020 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
4023 if (HCI_CONN_HANDLE_UNSET(conn->handle))
4024 hci_conn_failed(conn, status);
4028 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
4029 struct sk_buff *skb)
4031 struct hci_rp_le_set_cig_params *rp = data;
4032 struct hci_cp_le_set_cig_params *cp;
4033 struct hci_conn *conn;
4034 u8 status = rp->status;
4035 bool pending = false;
4038 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4040 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
4041 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
4042 rp->cig_id != cp->cig_id)) {
4043 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
4044 status = HCI_ERROR_UNSPECIFIED;
4049 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
4051 * If the Status return parameter is non-zero, then the state of the CIG
4052 * and its CIS configurations shall not be changed by the command. If
4053 * the CIG did not already exist, it shall not be created.
4056 /* Keep current configuration, fail only the unbound CIS */
4057 hci_unbound_cis_failed(hdev, rp->cig_id, status);
4061 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
4063 * If the Status return parameter is zero, then the Controller shall
4064 * set the Connection_Handle arrayed return parameter to the connection
4065 * handle(s) corresponding to the CIS configurations specified in
4066 * the CIS_IDs command parameter, in the same order.
4068 for (i = 0; i < rp->num_handles; ++i) {
4069 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
4071 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
4074 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
4077 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
4080 if (conn->state == BT_CONNECT)
4086 hci_le_create_cis_pending(hdev);
4088 hci_dev_unlock(hdev);
4093 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
4094 struct sk_buff *skb)
4096 struct hci_rp_le_setup_iso_path *rp = data;
4097 struct hci_cp_le_setup_iso_path *cp;
4098 struct hci_conn *conn;
4100 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4102 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
4108 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
4113 hci_connect_cfm(conn, rp->status);
4118 switch (cp->direction) {
4119 /* Input (Host to Controller) */
4121 /* Only confirm connection if output only */
4122 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
4123 hci_connect_cfm(conn, rp->status);
4125 /* Output (Controller to Host) */
4127 /* Confirm connection since conn->iso_qos is always configured
4130 hci_connect_cfm(conn, rp->status);
4135 hci_dev_unlock(hdev);
4139 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
4141 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4144 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
4145 struct sk_buff *skb)
4147 struct hci_ev_status *rp = data;
4148 struct hci_cp_le_set_per_adv_params *cp;
4150 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4155 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
4159 /* TODO: set the conn state */
4163 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
4164 struct sk_buff *skb)
4166 struct hci_ev_status *rp = data;
4167 struct hci_cp_le_set_per_adv_enable *cp;
4168 struct adv_info *adv = NULL, *n;
4171 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4176 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4182 adv = hci_find_adv_instance(hdev, cp->handle);
4185 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4188 adv->enabled = true;
4190 /* If just one instance was disabled check if there are
4191 * any other instance enabled before clearing HCI_LE_PER_ADV.
4192 * The current periodic adv instance will be marked as
4193 * disabled once extended advertising is also disabled.
4195 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4197 if (adv->periodic && adv->enabled)
4201 if (per_adv_cnt > 1)
4204 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4208 hci_dev_unlock(hdev);
4213 #define HCI_CC_VL(_op, _func, _min, _max) \
4221 #define HCI_CC(_op, _func, _len) \
4222 HCI_CC_VL(_op, _func, _len, _len)
4224 #define HCI_CC_STATUS(_op, _func) \
4225 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4227 static const struct hci_cc {
4229 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4232 } hci_cc_table[] = {
4233 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4234 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4235 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4236 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4237 hci_cc_remote_name_req_cancel),
4238 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4239 sizeof(struct hci_rp_role_discovery)),
4240 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4241 sizeof(struct hci_rp_read_link_policy)),
4242 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4243 sizeof(struct hci_rp_write_link_policy)),
4244 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4245 sizeof(struct hci_rp_read_def_link_policy)),
4246 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4247 hci_cc_write_def_link_policy),
4248 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4249 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4250 sizeof(struct hci_rp_read_stored_link_key)),
4251 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4252 sizeof(struct hci_rp_delete_stored_link_key)),
4253 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4254 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4255 sizeof(struct hci_rp_read_local_name)),
4256 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4257 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4258 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4259 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4260 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4261 sizeof(struct hci_rp_read_class_of_dev)),
4262 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4263 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4264 sizeof(struct hci_rp_read_voice_setting)),
4265 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4266 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4267 sizeof(struct hci_rp_read_num_supported_iac)),
4268 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4269 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4270 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4271 sizeof(struct hci_rp_read_auth_payload_to)),
4272 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4273 sizeof(struct hci_rp_write_auth_payload_to)),
4274 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4275 sizeof(struct hci_rp_read_local_version)),
4276 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4277 sizeof(struct hci_rp_read_local_commands)),
4278 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4279 sizeof(struct hci_rp_read_local_features)),
4280 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4281 sizeof(struct hci_rp_read_local_ext_features)),
4282 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4283 sizeof(struct hci_rp_read_buffer_size)),
4284 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4285 sizeof(struct hci_rp_read_bd_addr)),
4286 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4287 sizeof(struct hci_rp_read_local_pairing_opts)),
4288 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4289 sizeof(struct hci_rp_read_page_scan_activity)),
4290 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4291 hci_cc_write_page_scan_activity),
4292 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4293 sizeof(struct hci_rp_read_page_scan_type)),
4294 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4295 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4296 sizeof(struct hci_rp_read_data_block_size)),
4297 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4298 sizeof(struct hci_rp_read_flow_control_mode)),
4299 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4300 sizeof(struct hci_rp_read_local_amp_info)),
4301 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4302 sizeof(struct hci_rp_read_clock)),
4303 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4304 sizeof(struct hci_rp_read_enc_key_size)),
4305 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4306 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4307 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4308 hci_cc_read_def_err_data_reporting,
4309 sizeof(struct hci_rp_read_def_err_data_reporting)),
4310 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4311 hci_cc_write_def_err_data_reporting),
4312 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4313 sizeof(struct hci_rp_pin_code_reply)),
4314 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4315 sizeof(struct hci_rp_pin_code_neg_reply)),
4316 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4317 sizeof(struct hci_rp_read_local_oob_data)),
4318 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4319 sizeof(struct hci_rp_read_local_oob_ext_data)),
4320 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4321 sizeof(struct hci_rp_le_read_buffer_size)),
4322 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4323 sizeof(struct hci_rp_le_read_local_features)),
4324 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4325 sizeof(struct hci_rp_le_read_adv_tx_power)),
4326 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4327 sizeof(struct hci_rp_user_confirm_reply)),
4328 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4329 sizeof(struct hci_rp_user_confirm_reply)),
4330 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4331 sizeof(struct hci_rp_user_confirm_reply)),
4332 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4333 sizeof(struct hci_rp_user_confirm_reply)),
4334 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4335 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4336 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4337 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4338 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4339 hci_cc_le_read_accept_list_size,
4340 sizeof(struct hci_rp_le_read_accept_list_size)),
4341 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4342 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4343 hci_cc_le_add_to_accept_list),
4344 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4345 hci_cc_le_del_from_accept_list),
4346 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4347 sizeof(struct hci_rp_le_read_supported_states)),
4348 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4349 sizeof(struct hci_rp_le_read_def_data_len)),
4350 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4351 hci_cc_le_write_def_data_len),
4352 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4353 hci_cc_le_add_to_resolv_list),
4354 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4355 hci_cc_le_del_from_resolv_list),
4356 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4357 hci_cc_le_clear_resolv_list),
4358 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4359 sizeof(struct hci_rp_le_read_resolv_list_size)),
4360 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4361 hci_cc_le_set_addr_resolution_enable),
4362 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4363 sizeof(struct hci_rp_le_read_max_data_len)),
4364 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4365 hci_cc_write_le_host_supported),
4366 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4367 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4368 sizeof(struct hci_rp_read_rssi)),
4369 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4370 sizeof(struct hci_rp_read_tx_power)),
4371 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4372 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4373 hci_cc_le_set_ext_scan_param),
4374 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4375 hci_cc_le_set_ext_scan_enable),
4376 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4377 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4378 hci_cc_le_read_num_adv_sets,
4379 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4380 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4381 sizeof(struct hci_rp_le_set_ext_adv_params)),
4382 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4383 hci_cc_le_set_ext_adv_enable),
4384 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4385 hci_cc_le_set_adv_set_random_addr),
4386 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4387 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4388 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4389 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4390 hci_cc_le_set_per_adv_enable),
4391 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4392 sizeof(struct hci_rp_le_read_transmit_power)),
4394 HCI_CC(HCI_OP_ENABLE_RSSI, hci_cc_enable_rssi,
4395 sizeof(struct hci_cc_rsp_enable_rssi)),
4396 HCI_CC(HCI_OP_GET_RAW_RSSI, hci_cc_get_raw_rssi,
4397 sizeof(struct hci_cc_rp_get_raw_rssi)),
4399 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4400 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4401 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4402 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4403 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4404 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4405 sizeof(struct hci_rp_le_setup_iso_path)),
4408 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4409 struct sk_buff *skb)
4413 if (skb->len < cc->min_len) {
4414 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4415 cc->op, skb->len, cc->min_len);
4416 return HCI_ERROR_UNSPECIFIED;
4419 /* Just warn if the length is over max_len size it still be possible to
4420 * partially parse the cc so leave to callback to decide if that is
4423 if (skb->len > cc->max_len)
4424 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4425 cc->op, skb->len, cc->max_len);
4427 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4429 return HCI_ERROR_UNSPECIFIED;
4431 return cc->func(hdev, data, skb);
4434 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4435 struct sk_buff *skb, u16 *opcode, u8 *status,
4436 hci_req_complete_t *req_complete,
4437 hci_req_complete_skb_t *req_complete_skb)
4439 struct hci_ev_cmd_complete *ev = data;
4442 *opcode = __le16_to_cpu(ev->opcode);
4444 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4446 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4447 if (hci_cc_table[i].op == *opcode) {
4448 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4453 if (i == ARRAY_SIZE(hci_cc_table)) {
4454 /* Unknown opcode, assume byte 0 contains the status, so
4455 * that e.g. __hci_cmd_sync() properly returns errors
4456 * for vendor specific commands send by HCI drivers.
4457 * If a vendor doesn't actually follow this convention we may
4458 * need to introduce a vendor CC table in order to properly set
4461 *status = skb->data[0];
4464 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4466 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4469 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4471 "unexpected event for opcode 0x%4.4x", *opcode);
4475 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4476 queue_work(hdev->workqueue, &hdev->cmd_work);
4479 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4481 struct hci_cp_le_create_cis *cp;
4482 bool pending = false;
4485 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4490 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4496 /* Remove connection if command failed */
4497 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4498 struct hci_conn *conn;
4501 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4503 conn = hci_conn_hash_lookup_handle(hdev, handle);
4505 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4508 conn->state = BT_CLOSED;
4509 hci_connect_cfm(conn, status);
4515 hci_le_create_cis_pending(hdev);
4517 hci_dev_unlock(hdev);
4520 #define HCI_CS(_op, _func) \
4526 static const struct hci_cs {
4528 void (*func)(struct hci_dev *hdev, __u8 status);
4529 } hci_cs_table[] = {
4530 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4531 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4532 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4533 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4534 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4535 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4536 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4537 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4538 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4539 hci_cs_read_remote_ext_features),
4540 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4541 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4542 hci_cs_enhanced_setup_sync_conn),
4543 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4544 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4545 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4546 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4547 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4548 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4549 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4550 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4551 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4554 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4555 struct sk_buff *skb, u16 *opcode, u8 *status,
4556 hci_req_complete_t *req_complete,
4557 hci_req_complete_skb_t *req_complete_skb)
4559 struct hci_ev_cmd_status *ev = data;
4562 *opcode = __le16_to_cpu(ev->opcode);
4563 *status = ev->status;
4565 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4567 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4568 if (hci_cs_table[i].op == *opcode) {
4569 hci_cs_table[i].func(hdev, ev->status);
4574 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4576 /* Indicate request completion if the command failed. Also, if
4577 * we're not waiting for a special event and we get a success
4578 * command status we should try to flag the request as completed
4579 * (since for this kind of commands there will not be a command
4582 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4583 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4585 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4586 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4592 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4593 queue_work(hdev->workqueue, &hdev->cmd_work);
4596 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4597 struct sk_buff *skb)
4599 struct hci_ev_hardware_error *ev = data;
4601 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4605 mgmt_hardware_error(hdev, ev->code);
4606 hci_dev_unlock(hdev);
4608 hdev->hw_error_code = ev->code;
4610 queue_work(hdev->req_workqueue, &hdev->error_reset);
4613 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4614 struct sk_buff *skb)
4616 struct hci_ev_role_change *ev = data;
4617 struct hci_conn *conn;
4619 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4623 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4626 conn->role = ev->role;
4628 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4630 hci_role_switch_cfm(conn, ev->status, ev->role);
4632 if (!ev->status && (get_link_mode(conn) & HCI_LM_MASTER))
4633 hci_conn_change_supervision_timeout(conn,
4634 LINK_SUPERVISION_TIMEOUT);
4638 hci_dev_unlock(hdev);
4641 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4642 struct sk_buff *skb)
4644 struct hci_ev_num_comp_pkts *ev = data;
4647 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4648 flex_array_size(ev, handles, ev->num)))
4651 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4652 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4656 bt_dev_dbg(hdev, "num %d", ev->num);
4658 for (i = 0; i < ev->num; i++) {
4659 struct hci_comp_pkts_info *info = &ev->handles[i];
4660 struct hci_conn *conn;
4661 __u16 handle, count;
4663 handle = __le16_to_cpu(info->handle);
4664 count = __le16_to_cpu(info->count);
4666 conn = hci_conn_hash_lookup_handle(hdev, handle);
4670 conn->sent -= count;
4672 switch (conn->type) {
4674 hdev->acl_cnt += count;
4675 if (hdev->acl_cnt > hdev->acl_pkts)
4676 hdev->acl_cnt = hdev->acl_pkts;
4680 if (hdev->le_pkts) {
4681 hdev->le_cnt += count;
4682 if (hdev->le_cnt > hdev->le_pkts)
4683 hdev->le_cnt = hdev->le_pkts;
4685 hdev->acl_cnt += count;
4686 if (hdev->acl_cnt > hdev->acl_pkts)
4687 hdev->acl_cnt = hdev->acl_pkts;
4692 hdev->sco_cnt += count;
4693 if (hdev->sco_cnt > hdev->sco_pkts)
4694 hdev->sco_cnt = hdev->sco_pkts;
4698 if (hdev->iso_pkts) {
4699 hdev->iso_cnt += count;
4700 if (hdev->iso_cnt > hdev->iso_pkts)
4701 hdev->iso_cnt = hdev->iso_pkts;
4702 } else if (hdev->le_pkts) {
4703 hdev->le_cnt += count;
4704 if (hdev->le_cnt > hdev->le_pkts)
4705 hdev->le_cnt = hdev->le_pkts;
4707 hdev->acl_cnt += count;
4708 if (hdev->acl_cnt > hdev->acl_pkts)
4709 hdev->acl_cnt = hdev->acl_pkts;
4714 bt_dev_err(hdev, "unknown type %d conn %p",
4720 queue_work(hdev->workqueue, &hdev->tx_work);
4723 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4726 struct hci_chan *chan;
4728 switch (hdev->dev_type) {
4730 return hci_conn_hash_lookup_handle(hdev, handle);
4732 chan = hci_chan_lookup_handle(hdev, handle);
4737 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4744 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4745 struct sk_buff *skb)
4747 struct hci_ev_num_comp_blocks *ev = data;
4750 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4751 flex_array_size(ev, handles, ev->num_hndl)))
4754 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4755 bt_dev_err(hdev, "wrong event for mode %d",
4756 hdev->flow_ctl_mode);
4760 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4763 for (i = 0; i < ev->num_hndl; i++) {
4764 struct hci_comp_blocks_info *info = &ev->handles[i];
4765 struct hci_conn *conn = NULL;
4766 __u16 handle, block_count;
4768 handle = __le16_to_cpu(info->handle);
4769 block_count = __le16_to_cpu(info->blocks);
4771 conn = __hci_conn_lookup_handle(hdev, handle);
4775 conn->sent -= block_count;
4777 switch (conn->type) {
4780 hdev->block_cnt += block_count;
4781 if (hdev->block_cnt > hdev->num_blocks)
4782 hdev->block_cnt = hdev->num_blocks;
4786 bt_dev_err(hdev, "unknown type %d conn %p",
4792 queue_work(hdev->workqueue, &hdev->tx_work);
4795 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4796 struct sk_buff *skb)
4798 struct hci_ev_mode_change *ev = data;
4799 struct hci_conn *conn;
4801 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4805 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4807 conn->mode = ev->mode;
4809 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4811 if (conn->mode == HCI_CM_ACTIVE)
4812 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4814 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4817 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4818 hci_sco_setup(conn, ev->status);
4821 hci_dev_unlock(hdev);
4824 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4825 struct sk_buff *skb)
4827 struct hci_ev_pin_code_req *ev = data;
4828 struct hci_conn *conn;
4830 bt_dev_dbg(hdev, "");
4834 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4838 if (conn->state == BT_CONNECTED) {
4839 hci_conn_hold(conn);
4840 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4841 hci_conn_drop(conn);
4844 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4845 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4846 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4847 sizeof(ev->bdaddr), &ev->bdaddr);
4848 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4851 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4856 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4860 hci_dev_unlock(hdev);
4863 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4865 if (key_type == HCI_LK_CHANGED_COMBINATION)
4868 conn->pin_length = pin_len;
4869 conn->key_type = key_type;
4872 case HCI_LK_LOCAL_UNIT:
4873 case HCI_LK_REMOTE_UNIT:
4874 case HCI_LK_DEBUG_COMBINATION:
4876 case HCI_LK_COMBINATION:
4878 conn->pending_sec_level = BT_SECURITY_HIGH;
4880 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4882 case HCI_LK_UNAUTH_COMBINATION_P192:
4883 case HCI_LK_UNAUTH_COMBINATION_P256:
4884 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4886 case HCI_LK_AUTH_COMBINATION_P192:
4887 conn->pending_sec_level = BT_SECURITY_HIGH;
4889 case HCI_LK_AUTH_COMBINATION_P256:
4890 conn->pending_sec_level = BT_SECURITY_FIPS;
4895 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4896 struct sk_buff *skb)
4898 struct hci_ev_link_key_req *ev = data;
4899 struct hci_cp_link_key_reply cp;
4900 struct hci_conn *conn;
4901 struct link_key *key;
4903 bt_dev_dbg(hdev, "");
4905 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4910 key = hci_find_link_key(hdev, &ev->bdaddr);
4912 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4916 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4918 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4920 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4922 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4923 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4924 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4925 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4929 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4930 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4931 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4932 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4936 conn_set_key(conn, key->type, key->pin_len);
4939 bacpy(&cp.bdaddr, &ev->bdaddr);
4940 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4942 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4944 hci_dev_unlock(hdev);
4949 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4950 hci_dev_unlock(hdev);
4953 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4954 struct sk_buff *skb)
4956 struct hci_ev_link_key_notify *ev = data;
4957 struct hci_conn *conn;
4958 struct link_key *key;
4962 bt_dev_dbg(hdev, "");
4966 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4970 /* Ignore NULL link key against CVE-2020-26555 */
4971 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4972 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4974 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4975 hci_conn_drop(conn);
4979 hci_conn_hold(conn);
4980 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4981 hci_conn_drop(conn);
4983 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4984 conn_set_key(conn, ev->key_type, conn->pin_length);
4986 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4989 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4990 ev->key_type, pin_len, &persistent);
4994 /* Update connection information since adding the key will have
4995 * fixed up the type in the case of changed combination keys.
4997 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4998 conn_set_key(conn, key->type, key->pin_len);
5000 mgmt_new_link_key(hdev, key, persistent);
5002 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
5003 * is set. If it's not set simply remove the key from the kernel
5004 * list (we've still notified user space about it but with
5005 * store_hint being 0).
5007 if (key->type == HCI_LK_DEBUG_COMBINATION &&
5008 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
5009 list_del_rcu(&key->list);
5010 kfree_rcu(key, rcu);
5015 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
5017 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
5020 hci_dev_unlock(hdev);
5023 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
5024 struct sk_buff *skb)
5026 struct hci_ev_clock_offset *ev = data;
5027 struct hci_conn *conn;
5029 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5033 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5034 if (conn && !ev->status) {
5035 struct inquiry_entry *ie;
5037 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5039 ie->data.clock_offset = ev->clock_offset;
5040 ie->timestamp = jiffies;
5044 hci_dev_unlock(hdev);
5047 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
5048 struct sk_buff *skb)
5050 struct hci_ev_pkt_type_change *ev = data;
5051 struct hci_conn *conn;
5053 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5057 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5058 if (conn && !ev->status)
5059 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
5061 hci_dev_unlock(hdev);
5064 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
5065 struct sk_buff *skb)
5067 struct hci_ev_pscan_rep_mode *ev = data;
5068 struct inquiry_entry *ie;
5070 bt_dev_dbg(hdev, "");
5074 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5076 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
5077 ie->timestamp = jiffies;
5080 hci_dev_unlock(hdev);
5083 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
5084 struct sk_buff *skb)
5086 struct hci_ev_inquiry_result_rssi *ev = edata;
5087 struct inquiry_data data;
5090 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
5095 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5100 if (skb->len == array_size(ev->num,
5101 sizeof(struct inquiry_info_rssi_pscan))) {
5102 struct inquiry_info_rssi_pscan *info;
5104 for (i = 0; i < ev->num; i++) {
5107 info = hci_ev_skb_pull(hdev, skb,
5108 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5111 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5112 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5116 bacpy(&data.bdaddr, &info->bdaddr);
5117 data.pscan_rep_mode = info->pscan_rep_mode;
5118 data.pscan_period_mode = info->pscan_period_mode;
5119 data.pscan_mode = info->pscan_mode;
5120 memcpy(data.dev_class, info->dev_class, 3);
5121 data.clock_offset = info->clock_offset;
5122 data.rssi = info->rssi;
5123 data.ssp_mode = 0x00;
5125 flags = hci_inquiry_cache_update(hdev, &data, false);
5127 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5128 info->dev_class, info->rssi,
5129 flags, NULL, 0, NULL, 0, 0);
5131 } else if (skb->len == array_size(ev->num,
5132 sizeof(struct inquiry_info_rssi))) {
5133 struct inquiry_info_rssi *info;
5135 for (i = 0; i < ev->num; i++) {
5138 info = hci_ev_skb_pull(hdev, skb,
5139 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
5142 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5143 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5147 bacpy(&data.bdaddr, &info->bdaddr);
5148 data.pscan_rep_mode = info->pscan_rep_mode;
5149 data.pscan_period_mode = info->pscan_period_mode;
5150 data.pscan_mode = 0x00;
5151 memcpy(data.dev_class, info->dev_class, 3);
5152 data.clock_offset = info->clock_offset;
5153 data.rssi = info->rssi;
5154 data.ssp_mode = 0x00;
5156 flags = hci_inquiry_cache_update(hdev, &data, false);
5158 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5159 info->dev_class, info->rssi,
5160 flags, NULL, 0, NULL, 0, 0);
5163 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
5164 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
5167 hci_dev_unlock(hdev);
5170 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
5171 struct sk_buff *skb)
5173 struct hci_ev_remote_ext_features *ev = data;
5174 struct hci_conn *conn;
5176 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5180 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5184 if (ev->page < HCI_MAX_PAGES)
5185 memcpy(conn->features[ev->page], ev->features, 8);
5187 if (!ev->status && ev->page == 0x01) {
5188 struct inquiry_entry *ie;
5190 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5192 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5194 if (ev->features[0] & LMP_HOST_SSP) {
5195 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5197 /* It is mandatory by the Bluetooth specification that
5198 * Extended Inquiry Results are only used when Secure
5199 * Simple Pairing is enabled, but some devices violate
5202 * To make these devices work, the internal SSP
5203 * enabled flag needs to be cleared if the remote host
5204 * features do not indicate SSP support */
5205 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5208 if (ev->features[0] & LMP_HOST_SC)
5209 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5212 if (conn->state != BT_CONFIG)
5215 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5216 struct hci_cp_remote_name_req cp;
5217 memset(&cp, 0, sizeof(cp));
5218 bacpy(&cp.bdaddr, &conn->dst);
5219 cp.pscan_rep_mode = 0x02;
5220 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5221 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5222 mgmt_device_connected(hdev, conn, NULL, 0);
5224 if (!hci_outgoing_auth_needed(hdev, conn)) {
5225 conn->state = BT_CONNECTED;
5226 hci_connect_cfm(conn, ev->status);
5227 hci_conn_drop(conn);
5231 hci_dev_unlock(hdev);
5234 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5235 struct sk_buff *skb)
5237 struct hci_ev_sync_conn_complete *ev = data;
5238 struct hci_conn *conn;
5239 u8 status = ev->status;
5241 switch (ev->link_type) {
5246 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5247 * for HCI_Synchronous_Connection_Complete is limited to
5248 * either SCO or eSCO
5250 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5254 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5258 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5260 if (ev->link_type == ESCO_LINK)
5263 /* When the link type in the event indicates SCO connection
5264 * and lookup of the connection object fails, then check
5265 * if an eSCO connection object exists.
5267 * The core limits the synchronous connections to either
5268 * SCO or eSCO. The eSCO connection is preferred and tried
5269 * to be setup first and until successfully established,
5270 * the link type will be hinted as eSCO.
5272 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5277 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5278 * Processing it more than once per connection can corrupt kernel memory.
5280 * As the connection handle is set here for the first time, it indicates
5281 * whether the connection is already set up.
5283 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5284 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5290 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5292 conn->state = BT_CLOSED;
5296 conn->state = BT_CONNECTED;
5297 conn->type = ev->link_type;
5299 hci_debugfs_create_conn(conn);
5300 hci_conn_add_sysfs(conn);
5303 case 0x10: /* Connection Accept Timeout */
5304 case 0x0d: /* Connection Rejected due to Limited Resources */
5305 case 0x11: /* Unsupported Feature or Parameter Value */
5306 case 0x1c: /* SCO interval rejected */
5307 case 0x1a: /* Unsupported Remote Feature */
5308 case 0x1e: /* Invalid LMP Parameters */
5309 case 0x1f: /* Unspecified error */
5310 case 0x20: /* Unsupported LMP Parameter value */
5312 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5313 (hdev->esco_type & EDR_ESCO_MASK);
5314 if (hci_setup_sync(conn, conn->parent->handle))
5320 conn->state = BT_CLOSED;
5324 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5325 /* Notify only in case of SCO over HCI transport data path which
5326 * is zero and non-zero value shall be non-HCI transport data path
5328 if (conn->codec.data_path == 0 && hdev->notify) {
5329 switch (ev->air_mode) {
5331 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5334 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5339 hci_connect_cfm(conn, status);
5344 hci_dev_unlock(hdev);
5347 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5351 while (parsed < eir_len) {
5352 u8 field_len = eir[0];
5357 parsed += field_len + 1;
5358 eir += field_len + 1;
5364 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5365 struct sk_buff *skb)
5367 struct hci_ev_ext_inquiry_result *ev = edata;
5368 struct inquiry_data data;
5372 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5373 flex_array_size(ev, info, ev->num)))
5376 bt_dev_dbg(hdev, "num %d", ev->num);
5381 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5386 for (i = 0; i < ev->num; i++) {
5387 struct extended_inquiry_info *info = &ev->info[i];
5391 bacpy(&data.bdaddr, &info->bdaddr);
5392 data.pscan_rep_mode = info->pscan_rep_mode;
5393 data.pscan_period_mode = info->pscan_period_mode;
5394 data.pscan_mode = 0x00;
5395 memcpy(data.dev_class, info->dev_class, 3);
5396 data.clock_offset = info->clock_offset;
5397 data.rssi = info->rssi;
5398 data.ssp_mode = 0x01;
5400 if (hci_dev_test_flag(hdev, HCI_MGMT))
5401 name_known = eir_get_data(info->data,
5403 EIR_NAME_COMPLETE, NULL);
5407 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5409 eir_len = eir_get_length(info->data, sizeof(info->data));
5411 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5412 info->dev_class, info->rssi,
5413 flags, info->data, eir_len, NULL, 0, 0);
5416 hci_dev_unlock(hdev);
5419 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5420 struct sk_buff *skb)
5422 struct hci_ev_key_refresh_complete *ev = data;
5423 struct hci_conn *conn;
5425 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5426 __le16_to_cpu(ev->handle));
5430 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5434 /* For BR/EDR the necessary steps are taken through the
5435 * auth_complete event.
5437 if (conn->type != LE_LINK)
5441 conn->sec_level = conn->pending_sec_level;
5443 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5445 if (ev->status && conn->state == BT_CONNECTED) {
5446 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5447 hci_conn_drop(conn);
5451 if (conn->state == BT_CONFIG) {
5453 conn->state = BT_CONNECTED;
5455 hci_connect_cfm(conn, ev->status);
5456 hci_conn_drop(conn);
5458 hci_auth_cfm(conn, ev->status);
5460 hci_conn_hold(conn);
5461 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5462 hci_conn_drop(conn);
5466 hci_dev_unlock(hdev);
5469 static u8 hci_get_auth_req(struct hci_conn *conn)
5472 if (conn->remote_auth == HCI_AT_GENERAL_BONDING_MITM) {
5473 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5474 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5475 return HCI_AT_GENERAL_BONDING_MITM;
5479 /* If remote requests no-bonding follow that lead */
5480 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5481 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5482 return conn->remote_auth | (conn->auth_type & 0x01);
5484 /* If both remote and local have enough IO capabilities, require
5487 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5488 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5489 return conn->remote_auth | 0x01;
5491 /* No MITM protection possible so ignore remote requirement */
5492 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5495 static u8 bredr_oob_data_present(struct hci_conn *conn)
5497 struct hci_dev *hdev = conn->hdev;
5498 struct oob_data *data;
5500 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5504 if (bredr_sc_enabled(hdev)) {
5505 /* When Secure Connections is enabled, then just
5506 * return the present value stored with the OOB
5507 * data. The stored value contains the right present
5508 * information. However it can only be trusted when
5509 * not in Secure Connection Only mode.
5511 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5512 return data->present;
5514 /* When Secure Connections Only mode is enabled, then
5515 * the P-256 values are required. If they are not
5516 * available, then do not declare that OOB data is
5519 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5520 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5526 /* When Secure Connections is not enabled or actually
5527 * not supported by the hardware, then check that if
5528 * P-192 data values are present.
5530 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5531 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5537 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5538 struct sk_buff *skb)
5540 struct hci_ev_io_capa_request *ev = data;
5541 struct hci_conn *conn;
5543 bt_dev_dbg(hdev, "");
5547 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5548 if (!conn || !hci_conn_ssp_enabled(conn))
5551 hci_conn_hold(conn);
5553 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5556 /* Allow pairing if we're pairable, the initiators of the
5557 * pairing or if the remote is not requesting bonding.
5559 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5560 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5561 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5562 struct hci_cp_io_capability_reply cp;
5564 bacpy(&cp.bdaddr, &ev->bdaddr);
5565 /* Change the IO capability from KeyboardDisplay
5566 * to DisplayYesNo as it is not supported by BT spec. */
5567 cp.capability = (conn->io_capability == 0x04) ?
5568 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5570 /* If we are initiators, there is no remote information yet */
5571 if (conn->remote_auth == 0xff) {
5572 /* Request MITM protection if our IO caps allow it
5573 * except for the no-bonding case.
5575 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5576 conn->auth_type != HCI_AT_NO_BONDING)
5577 conn->auth_type |= 0x01;
5579 conn->auth_type = hci_get_auth_req(conn);
5582 /* If we're not bondable, force one of the non-bondable
5583 * authentication requirement values.
5585 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5586 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5588 cp.authentication = conn->auth_type;
5589 cp.oob_data = bredr_oob_data_present(conn);
5591 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5594 struct hci_cp_io_capability_neg_reply cp;
5596 bacpy(&cp.bdaddr, &ev->bdaddr);
5597 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5599 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5604 hci_dev_unlock(hdev);
5607 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5608 struct sk_buff *skb)
5610 struct hci_ev_io_capa_reply *ev = data;
5611 struct hci_conn *conn;
5613 bt_dev_dbg(hdev, "");
5617 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5621 conn->remote_cap = ev->capability;
5622 conn->remote_auth = ev->authentication;
5625 hci_dev_unlock(hdev);
5628 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5629 struct sk_buff *skb)
5631 struct hci_ev_user_confirm_req *ev = data;
5632 int loc_mitm, rem_mitm, confirm_hint = 0;
5633 struct hci_conn *conn;
5635 bt_dev_dbg(hdev, "");
5639 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5642 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5646 loc_mitm = (conn->auth_type & 0x01);
5647 rem_mitm = (conn->remote_auth & 0x01);
5649 /* If we require MITM but the remote device can't provide that
5650 * (it has NoInputNoOutput) then reject the confirmation
5651 * request. We check the security level here since it doesn't
5652 * necessarily match conn->auth_type.
5654 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5655 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5656 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5657 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5658 sizeof(ev->bdaddr), &ev->bdaddr);
5662 /* If no side requires MITM protection; auto-accept */
5663 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5664 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5666 /* If we're not the initiators request authorization to
5667 * proceed from user space (mgmt_user_confirm with
5668 * confirm_hint set to 1). The exception is if neither
5669 * side had MITM or if the local IO capability is
5670 * NoInputNoOutput, in which case we do auto-accept
5672 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5673 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5674 (loc_mitm || rem_mitm)) {
5675 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5680 /* If there already exists link key in local host, leave the
5681 * decision to user space since the remote device could be
5682 * legitimate or malicious.
5684 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5685 bt_dev_dbg(hdev, "Local host already has link key");
5690 BT_DBG("Auto-accept of user confirmation with %ums delay",
5691 hdev->auto_accept_delay);
5693 if (hdev->auto_accept_delay > 0) {
5694 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5695 queue_delayed_work(conn->hdev->workqueue,
5696 &conn->auto_accept_work, delay);
5700 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5701 sizeof(ev->bdaddr), &ev->bdaddr);
5706 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5707 le32_to_cpu(ev->passkey), confirm_hint);
5710 hci_dev_unlock(hdev);
5713 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5714 struct sk_buff *skb)
5716 struct hci_ev_user_passkey_req *ev = data;
5718 bt_dev_dbg(hdev, "");
5720 if (hci_dev_test_flag(hdev, HCI_MGMT))
5721 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5724 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5725 struct sk_buff *skb)
5727 struct hci_ev_user_passkey_notify *ev = data;
5728 struct hci_conn *conn;
5730 bt_dev_dbg(hdev, "");
5732 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5736 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5737 conn->passkey_entered = 0;
5739 if (hci_dev_test_flag(hdev, HCI_MGMT))
5740 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5741 conn->dst_type, conn->passkey_notify,
5742 conn->passkey_entered);
5745 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5746 struct sk_buff *skb)
5748 struct hci_ev_keypress_notify *ev = data;
5749 struct hci_conn *conn;
5751 bt_dev_dbg(hdev, "");
5753 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5758 case HCI_KEYPRESS_STARTED:
5759 conn->passkey_entered = 0;
5762 case HCI_KEYPRESS_ENTERED:
5763 conn->passkey_entered++;
5766 case HCI_KEYPRESS_ERASED:
5767 conn->passkey_entered--;
5770 case HCI_KEYPRESS_CLEARED:
5771 conn->passkey_entered = 0;
5774 case HCI_KEYPRESS_COMPLETED:
5778 if (hci_dev_test_flag(hdev, HCI_MGMT))
5779 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5780 conn->dst_type, conn->passkey_notify,
5781 conn->passkey_entered);
5784 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5785 struct sk_buff *skb)
5787 struct hci_ev_simple_pair_complete *ev = data;
5788 struct hci_conn *conn;
5790 bt_dev_dbg(hdev, "");
5794 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5795 if (!conn || !hci_conn_ssp_enabled(conn))
5798 /* Reset the authentication requirement to unknown */
5799 conn->remote_auth = 0xff;
5801 /* To avoid duplicate auth_failed events to user space we check
5802 * the HCI_CONN_AUTH_PEND flag which will be set if we
5803 * initiated the authentication. A traditional auth_complete
5804 * event gets always produced as initiator and is also mapped to
5805 * the mgmt_auth_failed event */
5806 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5807 mgmt_auth_failed(conn, ev->status);
5809 hci_conn_drop(conn);
5812 hci_dev_unlock(hdev);
5815 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5816 struct sk_buff *skb)
5818 struct hci_ev_remote_host_features *ev = data;
5819 struct inquiry_entry *ie;
5820 struct hci_conn *conn;
5822 bt_dev_dbg(hdev, "");
5826 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5828 memcpy(conn->features[1], ev->features, 8);
5830 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5832 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5834 hci_dev_unlock(hdev);
5837 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5838 struct sk_buff *skb)
5840 struct hci_ev_remote_oob_data_request *ev = edata;
5841 struct oob_data *data;
5843 bt_dev_dbg(hdev, "");
5847 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5850 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5852 struct hci_cp_remote_oob_data_neg_reply cp;
5854 bacpy(&cp.bdaddr, &ev->bdaddr);
5855 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5860 if (bredr_sc_enabled(hdev)) {
5861 struct hci_cp_remote_oob_ext_data_reply cp;
5863 bacpy(&cp.bdaddr, &ev->bdaddr);
5864 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5865 memset(cp.hash192, 0, sizeof(cp.hash192));
5866 memset(cp.rand192, 0, sizeof(cp.rand192));
5868 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5869 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5871 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5872 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5874 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5877 struct hci_cp_remote_oob_data_reply cp;
5879 bacpy(&cp.bdaddr, &ev->bdaddr);
5880 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5881 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5883 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5888 hci_dev_unlock(hdev);
5891 #if IS_ENABLED(CONFIG_BT_HS)
5892 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5893 struct sk_buff *skb)
5895 struct hci_ev_channel_selected *ev = data;
5896 struct hci_conn *hcon;
5898 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5900 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5904 amp_read_loc_assoc_final_data(hdev, hcon);
5907 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5908 struct sk_buff *skb)
5910 struct hci_ev_phy_link_complete *ev = data;
5911 struct hci_conn *hcon, *bredr_hcon;
5913 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5918 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5930 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5932 hcon->state = BT_CONNECTED;
5933 bacpy(&hcon->dst, &bredr_hcon->dst);
5935 hci_conn_hold(hcon);
5936 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5937 hci_conn_drop(hcon);
5939 hci_debugfs_create_conn(hcon);
5940 hci_conn_add_sysfs(hcon);
5942 amp_physical_cfm(bredr_hcon, hcon);
5945 hci_dev_unlock(hdev);
5948 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5949 struct sk_buff *skb)
5951 struct hci_ev_logical_link_complete *ev = data;
5952 struct hci_conn *hcon;
5953 struct hci_chan *hchan;
5954 struct amp_mgr *mgr;
5956 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5957 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5959 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5963 /* Create AMP hchan */
5964 hchan = hci_chan_create(hcon);
5968 hchan->handle = le16_to_cpu(ev->handle);
5971 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5973 mgr = hcon->amp_mgr;
5974 if (mgr && mgr->bredr_chan) {
5975 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5977 l2cap_chan_lock(bredr_chan);
5979 bredr_chan->conn->mtu = hdev->block_mtu;
5980 l2cap_logical_cfm(bredr_chan, hchan, 0);
5981 hci_conn_hold(hcon);
5983 l2cap_chan_unlock(bredr_chan);
5987 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5988 struct sk_buff *skb)
5990 struct hci_ev_disconn_logical_link_complete *ev = data;
5991 struct hci_chan *hchan;
5993 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5994 le16_to_cpu(ev->handle), ev->status);
6001 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
6002 if (!hchan || !hchan->amp)
6005 amp_destroy_logical_link(hchan, ev->reason);
6008 hci_dev_unlock(hdev);
6011 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
6012 struct sk_buff *skb)
6014 struct hci_ev_disconn_phy_link_complete *ev = data;
6015 struct hci_conn *hcon;
6017 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6024 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
6025 if (hcon && hcon->type == AMP_LINK) {
6026 hcon->state = BT_CLOSED;
6027 hci_disconn_cfm(hcon, ev->reason);
6031 hci_dev_unlock(hdev);
6035 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
6036 u8 bdaddr_type, bdaddr_t *local_rpa)
6039 conn->dst_type = bdaddr_type;
6040 conn->resp_addr_type = bdaddr_type;
6041 bacpy(&conn->resp_addr, bdaddr);
6043 /* Check if the controller has set a Local RPA then it must be
6044 * used instead or hdev->rpa.
6046 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6047 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6048 bacpy(&conn->init_addr, local_rpa);
6049 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
6050 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6051 bacpy(&conn->init_addr, &conn->hdev->rpa);
6053 hci_copy_identity_address(conn->hdev, &conn->init_addr,
6054 &conn->init_addr_type);
6057 conn->resp_addr_type = conn->hdev->adv_addr_type;
6058 /* Check if the controller has set a Local RPA then it must be
6059 * used instead or hdev->rpa.
6061 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
6062 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
6063 bacpy(&conn->resp_addr, local_rpa);
6064 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
6065 /* In case of ext adv, resp_addr will be updated in
6066 * Adv Terminated event.
6068 if (!ext_adv_capable(conn->hdev))
6069 bacpy(&conn->resp_addr,
6070 &conn->hdev->random_addr);
6072 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
6075 conn->init_addr_type = bdaddr_type;
6076 bacpy(&conn->init_addr, bdaddr);
6078 /* For incoming connections, set the default minimum
6079 * and maximum connection interval. They will be used
6080 * to check if the parameters are in range and if not
6081 * trigger the connection update procedure.
6083 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
6084 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
6088 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
6089 bdaddr_t *bdaddr, u8 bdaddr_type,
6090 bdaddr_t *local_rpa, u8 role, u16 handle,
6091 u16 interval, u16 latency,
6092 u16 supervision_timeout)
6094 struct hci_conn_params *params;
6095 struct hci_conn *conn;
6096 struct smp_irk *irk;
6101 /* All controllers implicitly stop advertising in the event of a
6102 * connection, so ensure that the state bit is cleared.
6104 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6106 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
6108 /* In case of error status and there is no connection pending
6109 * just unlock as there is nothing to cleanup.
6114 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
6116 bt_dev_err(hdev, "no memory for new connection");
6120 conn->dst_type = bdaddr_type;
6122 /* If we didn't have a hci_conn object previously
6123 * but we're in central role this must be something
6124 * initiated using an accept list. Since accept list based
6125 * connections are not "first class citizens" we don't
6126 * have full tracking of them. Therefore, we go ahead
6127 * with a "best effort" approach of determining the
6128 * initiator address based on the HCI_PRIVACY flag.
6131 conn->resp_addr_type = bdaddr_type;
6132 bacpy(&conn->resp_addr, bdaddr);
6133 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6134 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
6135 bacpy(&conn->init_addr, &hdev->rpa);
6137 hci_copy_identity_address(hdev,
6139 &conn->init_addr_type);
6144 /* LE auto connect */
6145 bacpy(&conn->dst, bdaddr);
6147 cancel_delayed_work(&conn->le_conn_timeout);
6150 /* The HCI_LE_Connection_Complete event is only sent once per connection.
6151 * Processing it more than once per connection can corrupt kernel memory.
6153 * As the connection handle is set here for the first time, it indicates
6154 * whether the connection is already set up.
6156 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
6157 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
6161 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
6163 /* Lookup the identity address from the stored connection
6164 * address and address type.
6166 * When establishing connections to an identity address, the
6167 * connection procedure will store the resolvable random
6168 * address first. Now if it can be converted back into the
6169 * identity address, start using the identity address from
6172 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
6174 bacpy(&conn->dst, &irk->bdaddr);
6175 conn->dst_type = irk->addr_type;
6178 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
6180 /* All connection failure handling is taken care of by the
6181 * hci_conn_failed function which is triggered by the HCI
6182 * request completion callbacks used for connecting.
6184 if (status || hci_conn_set_handle(conn, handle))
6187 /* Drop the connection if it has been aborted */
6188 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
6189 hci_conn_drop(conn);
6193 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6194 addr_type = BDADDR_LE_PUBLIC;
6196 addr_type = BDADDR_LE_RANDOM;
6198 /* Drop the connection if the device is blocked */
6199 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6200 hci_conn_drop(conn);
6204 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
6205 mgmt_device_connected(hdev, conn, NULL, 0);
6207 conn->sec_level = BT_SECURITY_LOW;
6208 conn->state = BT_CONFIG;
6210 /* Store current advertising instance as connection advertising instance
6211 * when sotfware rotation is in use so it can be re-enabled when
6214 if (!ext_adv_capable(hdev))
6215 conn->adv_instance = hdev->cur_adv_instance;
6217 conn->le_conn_interval = interval;
6218 conn->le_conn_latency = latency;
6219 conn->le_supv_timeout = supervision_timeout;
6221 hci_debugfs_create_conn(conn);
6222 hci_conn_add_sysfs(conn);
6224 /* The remote features procedure is defined for central
6225 * role only. So only in case of an initiated connection
6226 * request the remote features.
6228 * If the local controller supports peripheral-initiated features
6229 * exchange, then requesting the remote features in peripheral
6230 * role is possible. Otherwise just transition into the
6231 * connected state without requesting the remote features.
6234 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6235 struct hci_cp_le_read_remote_features cp;
6237 cp.handle = __cpu_to_le16(conn->handle);
6239 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6242 hci_conn_hold(conn);
6244 conn->state = BT_CONNECTED;
6245 hci_connect_cfm(conn, status);
6248 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6251 hci_pend_le_list_del_init(params);
6253 hci_conn_drop(params->conn);
6254 hci_conn_put(params->conn);
6255 params->conn = NULL;
6260 hci_update_passive_scan(hdev);
6261 hci_dev_unlock(hdev);
6264 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6265 struct sk_buff *skb)
6267 struct hci_ev_le_conn_complete *ev = data;
6269 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6271 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6272 NULL, ev->role, le16_to_cpu(ev->handle),
6273 le16_to_cpu(ev->interval),
6274 le16_to_cpu(ev->latency),
6275 le16_to_cpu(ev->supervision_timeout));
6278 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6279 struct sk_buff *skb)
6281 struct hci_ev_le_enh_conn_complete *ev = data;
6283 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6285 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6286 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6287 le16_to_cpu(ev->interval),
6288 le16_to_cpu(ev->latency),
6289 le16_to_cpu(ev->supervision_timeout));
6292 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6293 struct sk_buff *skb)
6295 struct hci_evt_le_ext_adv_set_term *ev = data;
6296 struct hci_conn *conn;
6297 struct adv_info *adv, *n;
6299 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6301 /* The Bluetooth Core 5.3 specification clearly states that this event
6302 * shall not be sent when the Host disables the advertising set. So in
6303 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6305 * When the Host disables an advertising set, all cleanup is done via
6306 * its command callback and not needed to be duplicated here.
6308 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6309 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6315 adv = hci_find_adv_instance(hdev, ev->handle);
6321 /* Remove advertising as it has been terminated */
6322 hci_remove_adv_instance(hdev, ev->handle);
6323 mgmt_advertising_removed(NULL, hdev, ev->handle);
6325 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6330 /* We are no longer advertising, clear HCI_LE_ADV */
6331 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6336 adv->enabled = false;
6338 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6340 /* Store handle in the connection so the correct advertising
6341 * instance can be re-enabled when disconnected.
6343 conn->adv_instance = ev->handle;
6345 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6346 bacmp(&conn->resp_addr, BDADDR_ANY))
6350 bacpy(&conn->resp_addr, &hdev->random_addr);
6355 bacpy(&conn->resp_addr, &adv->random_addr);
6359 hci_dev_unlock(hdev);
6362 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6363 struct sk_buff *skb)
6365 struct hci_ev_le_conn_update_complete *ev = data;
6366 struct hci_conn *conn;
6368 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6375 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6379 hci_dev_unlock(hdev);
6380 mgmt_le_conn_update_failed(hdev, &conn->dst,
6381 conn->type, conn->dst_type, ev->status);
6385 conn->le_conn_interval = le16_to_cpu(ev->interval);
6386 conn->le_conn_latency = le16_to_cpu(ev->latency);
6387 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6390 hci_dev_unlock(hdev);
6393 mgmt_le_conn_updated(hdev, &conn->dst, conn->type,
6394 conn->dst_type, conn->le_conn_interval,
6395 conn->le_conn_latency, conn->le_supv_timeout);
6399 /* This function requires the caller holds hdev->lock */
6400 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6402 u8 addr_type, bool addr_resolved,
6405 struct hci_conn *conn;
6406 struct hci_conn_params *params;
6408 /* If the event is not connectable don't proceed further */
6409 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6412 /* Ignore if the device is blocked or hdev is suspended */
6413 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6417 /* Most controller will fail if we try to create new connections
6418 * while we have an existing one in peripheral role.
6420 if (hdev->conn_hash.le_num_peripheral > 0 &&
6421 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6422 !(hdev->le_states[3] & 0x10)))
6425 /* If we're not connectable only connect devices that we have in
6426 * our pend_le_conns list.
6428 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6433 if (!params->explicit_connect) {
6434 switch (params->auto_connect) {
6435 case HCI_AUTO_CONN_DIRECT:
6436 /* Only devices advertising with ADV_DIRECT_IND are
6437 * triggering a connection attempt. This is allowing
6438 * incoming connections from peripheral devices.
6440 if (adv_type != LE_ADV_DIRECT_IND)
6443 case HCI_AUTO_CONN_ALWAYS:
6444 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6445 * are triggering a connection attempt. This means
6446 * that incoming connections from peripheral device are
6447 * accepted and also outgoing connections to peripheral
6448 * devices are established when found.
6456 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6457 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6459 if (!IS_ERR(conn)) {
6460 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6461 * by higher layer that tried to connect, if no then
6462 * store the pointer since we don't really have any
6463 * other owner of the object besides the params that
6464 * triggered it. This way we can abort the connection if
6465 * the parameters get removed and keep the reference
6466 * count consistent once the connection is established.
6469 if (!params->explicit_connect)
6470 params->conn = hci_conn_get(conn);
6475 switch (PTR_ERR(conn)) {
6477 /* If hci_connect() returns -EBUSY it means there is already
6478 * an LE connection attempt going on. Since controllers don't
6479 * support more than one connection attempt at the time, we
6480 * don't consider this an error case.
6484 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6491 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6492 u8 bdaddr_type, bdaddr_t *direct_addr,
6493 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6494 bool ext_adv, bool ctl_time, u64 instant)
6497 struct discovery_state *d = &hdev->discovery;
6500 struct smp_irk *irk;
6501 struct hci_conn *conn;
6502 bool bdaddr_resolved;
6508 case LE_ADV_DIRECT_IND:
6509 case LE_ADV_SCAN_IND:
6510 case LE_ADV_NONCONN_IND:
6511 case LE_ADV_SCAN_RSP:
6514 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6515 "type: 0x%02x", type);
6519 if (len > max_adv_len(hdev)) {
6520 bt_dev_err_ratelimited(hdev,
6521 "adv larger than maximum supported");
6525 /* Find the end of the data in case the report contains padded zero
6526 * bytes at the end causing an invalid length value.
6528 * When data is NULL, len is 0 so there is no need for extra ptr
6529 * check as 'ptr < data + 0' is already false in such case.
6531 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6532 if (ptr + 1 + *ptr > data + len)
6536 /* Adjust for actual length. This handles the case when remote
6537 * device is advertising with incorrect data length.
6541 /* If the direct address is present, then this report is from
6542 * a LE Direct Advertising Report event. In that case it is
6543 * important to see if the address is matching the local
6544 * controller address.
6546 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6547 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6550 /* Only resolvable random addresses are valid for these
6551 * kind of reports and others can be ignored.
6553 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6556 /* If the controller is not using resolvable random
6557 * addresses, then this report can be ignored.
6559 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6562 /* If the local IRK of the controller does not match
6563 * with the resolvable random address provided, then
6564 * this report can be ignored.
6566 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6570 /* Check if we need to convert to identity address */
6571 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6573 bdaddr = &irk->bdaddr;
6574 bdaddr_type = irk->addr_type;
6577 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6579 /* Check if we have been requested to connect to this device.
6581 * direct_addr is set only for directed advertising reports (it is NULL
6582 * for advertising reports) and is already verified to be RPA above.
6584 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6586 if (!ext_adv && conn && type == LE_ADV_IND &&
6587 len <= max_adv_len(hdev)) {
6588 /* Store report for later inclusion by
6589 * mgmt_device_connected
6591 memcpy(conn->le_adv_data, data, len);
6592 conn->le_adv_data_len = len;
6595 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6596 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6600 /* All scan results should be sent up for Mesh systems */
6601 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6602 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6603 rssi, flags, data, len, NULL, 0, instant);
6607 /* Passive scanning shouldn't trigger any device found events,
6608 * except for devices marked as CONN_REPORT for which we do send
6609 * device found events, or advertisement monitoring requested.
6611 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6612 if (type == LE_ADV_DIRECT_IND)
6616 /* Handle all adv packet in platform */
6617 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6618 bdaddr, bdaddr_type) &&
6619 idr_is_empty(&hdev->adv_monitors_idr))
6624 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6625 rssi, flags, data, len, NULL, 0, type);
6627 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6628 rssi, flags, data, len, NULL, 0, 0);
6633 /* When receiving a scan response, then there is no way to
6634 * know if the remote device is connectable or not. However
6635 * since scan responses are merged with a previously seen
6636 * advertising report, the flags field from that report
6639 * In the unlikely case that a controller just sends a scan
6640 * response event that doesn't match the pending report, then
6641 * it is marked as a standalone SCAN_RSP.
6643 if (type == LE_ADV_SCAN_RSP)
6644 flags = MGMT_DEV_FOUND_SCAN_RSP;
6647 /* Disable adv ind and scan rsp merging */
6648 mgmt_le_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6649 rssi, flags, data, len, NULL, 0, type);
6651 /* If there's nothing pending either store the data from this
6652 * event or send an immediate device found event if the data
6653 * should not be stored for later.
6655 if (!ext_adv && !has_pending_adv_report(hdev)) {
6656 /* If the report will trigger a SCAN_REQ store it for
6659 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6660 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6661 rssi, flags, data, len);
6665 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6666 rssi, flags, data, len, NULL, 0, 0);
6670 /* Check if the pending report is for the same device as the new one */
6671 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6672 bdaddr_type == d->last_adv_addr_type);
6674 /* If the pending data doesn't match this report or this isn't a
6675 * scan response (e.g. we got a duplicate ADV_IND) then force
6676 * sending of the pending data.
6678 if (type != LE_ADV_SCAN_RSP || !match) {
6679 /* Send out whatever is in the cache, but skip duplicates */
6681 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6682 d->last_adv_addr_type, NULL,
6683 d->last_adv_rssi, d->last_adv_flags,
6685 d->last_adv_data_len, NULL, 0, 0);
6687 /* If the new report will trigger a SCAN_REQ store it for
6690 if (!ext_adv && (type == LE_ADV_IND ||
6691 type == LE_ADV_SCAN_IND)) {
6692 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6693 rssi, flags, data, len);
6697 /* The advertising reports cannot be merged, so clear
6698 * the pending report and send out a device found event.
6700 clear_pending_adv_report(hdev);
6701 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6702 rssi, flags, data, len, NULL, 0, 0);
6706 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6707 * the new event is a SCAN_RSP. We can therefore proceed with
6708 * sending a merged device found event.
6710 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6711 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6712 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6713 clear_pending_adv_report(hdev);
6717 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6718 struct sk_buff *skb)
6720 struct hci_ev_le_advertising_report *ev = data;
6721 u64 instant = jiffies;
6729 struct hci_ev_le_advertising_info *info;
6732 info = hci_le_ev_skb_pull(hdev, skb,
6733 HCI_EV_LE_ADVERTISING_REPORT,
6738 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6742 if (info->length <= max_adv_len(hdev)) {
6743 rssi = info->data[info->length];
6744 process_adv_report(hdev, info->type, &info->bdaddr,
6745 info->bdaddr_type, NULL, 0, rssi,
6746 info->data, info->length, false,
6749 bt_dev_err(hdev, "Dropping invalid advertising data");
6753 hci_dev_unlock(hdev);
6756 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6758 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6760 case LE_LEGACY_ADV_IND:
6762 case LE_LEGACY_ADV_DIRECT_IND:
6763 return LE_ADV_DIRECT_IND;
6764 case LE_LEGACY_ADV_SCAN_IND:
6765 return LE_ADV_SCAN_IND;
6766 case LE_LEGACY_NONCONN_IND:
6767 return LE_ADV_NONCONN_IND;
6768 case LE_LEGACY_SCAN_RSP_ADV:
6769 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6770 return LE_ADV_SCAN_RSP;
6776 if (evt_type & LE_EXT_ADV_CONN_IND) {
6777 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6778 return LE_ADV_DIRECT_IND;
6783 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6784 return LE_ADV_SCAN_RSP;
6786 if (evt_type & LE_EXT_ADV_SCAN_IND)
6787 return LE_ADV_SCAN_IND;
6789 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6790 evt_type & LE_EXT_ADV_DIRECT_IND)
6791 return LE_ADV_NONCONN_IND;
6794 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6797 return LE_ADV_INVALID;
6800 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6801 struct sk_buff *skb)
6803 struct hci_ev_le_ext_adv_report *ev = data;
6804 u64 instant = jiffies;
6812 struct hci_ev_le_ext_adv_info *info;
6816 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6821 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6825 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6826 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6827 if (legacy_evt_type != LE_ADV_INVALID) {
6828 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6829 info->bdaddr_type, NULL, 0,
6830 info->rssi, info->data, info->length,
6831 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6836 hci_dev_unlock(hdev);
6839 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6841 struct hci_cp_le_pa_term_sync cp;
6843 memset(&cp, 0, sizeof(cp));
6846 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6849 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6850 struct sk_buff *skb)
6852 struct hci_ev_le_pa_sync_established *ev = data;
6853 int mask = hdev->link_mode;
6855 struct hci_conn *pa_sync;
6857 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6861 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6863 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6864 if (!(mask & HCI_LM_ACCEPT)) {
6865 hci_le_pa_term_sync(hdev, ev->handle);
6869 if (!(flags & HCI_PROTO_DEFER))
6873 /* Add connection to indicate the failed PA sync event */
6874 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6880 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6882 /* Notify iso layer */
6883 hci_connect_cfm(pa_sync, ev->status);
6887 hci_dev_unlock(hdev);
6890 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6891 struct sk_buff *skb)
6893 struct hci_ev_le_per_adv_report *ev = data;
6894 int mask = hdev->link_mode;
6897 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6901 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6902 if (!(mask & HCI_LM_ACCEPT))
6903 hci_le_pa_term_sync(hdev, ev->sync_handle);
6905 hci_dev_unlock(hdev);
6908 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6909 struct sk_buff *skb)
6911 struct hci_ev_le_remote_feat_complete *ev = data;
6912 struct hci_conn *conn;
6914 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6918 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6921 memcpy(conn->features[0], ev->features, 8);
6923 if (conn->state == BT_CONFIG) {
6926 /* If the local controller supports peripheral-initiated
6927 * features exchange, but the remote controller does
6928 * not, then it is possible that the error code 0x1a
6929 * for unsupported remote feature gets returned.
6931 * In this specific case, allow the connection to
6932 * transition into connected state and mark it as
6935 if (!conn->out && ev->status == 0x1a &&
6936 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6939 status = ev->status;
6941 conn->state = BT_CONNECTED;
6942 hci_connect_cfm(conn, status);
6943 hci_conn_drop(conn);
6947 hci_dev_unlock(hdev);
6950 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6951 struct sk_buff *skb)
6953 struct hci_ev_le_ltk_req *ev = data;
6954 struct hci_cp_le_ltk_reply cp;
6955 struct hci_cp_le_ltk_neg_reply neg;
6956 struct hci_conn *conn;
6957 struct smp_ltk *ltk;
6959 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6963 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6967 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6971 if (smp_ltk_is_sc(ltk)) {
6972 /* With SC both EDiv and Rand are set to zero */
6973 if (ev->ediv || ev->rand)
6976 /* For non-SC keys check that EDiv and Rand match */
6977 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6981 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6982 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6983 cp.handle = cpu_to_le16(conn->handle);
6985 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6987 conn->enc_key_size = ltk->enc_size;
6989 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6991 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6992 * temporary key used to encrypt a connection following
6993 * pairing. It is used during the Encrypted Session Setup to
6994 * distribute the keys. Later, security can be re-established
6995 * using a distributed LTK.
6997 if (ltk->type == SMP_STK) {
6998 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6999 list_del_rcu(<k->list);
7000 kfree_rcu(ltk, rcu);
7002 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
7005 hci_dev_unlock(hdev);
7010 neg.handle = ev->handle;
7011 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
7012 hci_dev_unlock(hdev);
7015 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
7018 struct hci_cp_le_conn_param_req_neg_reply cp;
7020 cp.handle = cpu_to_le16(handle);
7023 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
7027 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
7028 struct sk_buff *skb)
7030 struct hci_ev_le_remote_conn_param_req *ev = data;
7031 struct hci_cp_le_conn_param_req_reply cp;
7032 struct hci_conn *hcon;
7033 u16 handle, min, max, latency, timeout;
7035 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
7037 handle = le16_to_cpu(ev->handle);
7038 min = le16_to_cpu(ev->interval_min);
7039 max = le16_to_cpu(ev->interval_max);
7040 latency = le16_to_cpu(ev->latency);
7041 timeout = le16_to_cpu(ev->timeout);
7043 hcon = hci_conn_hash_lookup_handle(hdev, handle);
7044 if (!hcon || hcon->state != BT_CONNECTED)
7045 return send_conn_param_neg_reply(hdev, handle,
7046 HCI_ERROR_UNKNOWN_CONN_ID);
7048 if (hci_check_conn_params(min, max, latency, timeout))
7049 return send_conn_param_neg_reply(hdev, handle,
7050 HCI_ERROR_INVALID_LL_PARAMS);
7052 if (hcon->role == HCI_ROLE_MASTER) {
7053 struct hci_conn_params *params;
7058 params = hci_conn_params_lookup(hdev, &hcon->dst,
7061 params->conn_min_interval = min;
7062 params->conn_max_interval = max;
7063 params->conn_latency = latency;
7064 params->supervision_timeout = timeout;
7070 hci_dev_unlock(hdev);
7072 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
7073 store_hint, min, max, latency, timeout);
7076 cp.handle = ev->handle;
7077 cp.interval_min = ev->interval_min;
7078 cp.interval_max = ev->interval_max;
7079 cp.latency = ev->latency;
7080 cp.timeout = ev->timeout;
7084 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
7087 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
7088 struct sk_buff *skb)
7090 struct hci_ev_le_direct_adv_report *ev = data;
7091 u64 instant = jiffies;
7094 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
7095 flex_array_size(ev, info, ev->num)))
7103 for (i = 0; i < ev->num; i++) {
7104 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
7106 process_adv_report(hdev, info->type, &info->bdaddr,
7107 info->bdaddr_type, &info->direct_addr,
7108 info->direct_addr_type, info->rssi, NULL, 0,
7109 false, false, instant);
7112 hci_dev_unlock(hdev);
7115 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
7116 struct sk_buff *skb)
7118 struct hci_ev_le_phy_update_complete *ev = data;
7119 struct hci_conn *conn;
7121 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7128 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
7132 conn->le_tx_phy = ev->tx_phy;
7133 conn->le_rx_phy = ev->rx_phy;
7136 hci_dev_unlock(hdev);
7139 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
7140 struct sk_buff *skb)
7142 struct hci_evt_le_cis_established *ev = data;
7143 struct hci_conn *conn;
7144 struct bt_iso_qos *qos;
7145 bool pending = false;
7146 u16 handle = __le16_to_cpu(ev->handle);
7148 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7152 conn = hci_conn_hash_lookup_handle(hdev, handle);
7155 "Unable to find connection with handle 0x%4.4x",
7160 if (conn->type != ISO_LINK) {
7162 "Invalid connection link type handle 0x%4.4x",
7167 qos = &conn->iso_qos;
7169 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
7171 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
7172 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
7173 qos->ucast.out.interval = qos->ucast.in.interval;
7175 switch (conn->role) {
7176 case HCI_ROLE_SLAVE:
7177 /* Convert Transport Latency (us) to Latency (msec) */
7178 qos->ucast.in.latency =
7179 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7181 qos->ucast.out.latency =
7182 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7184 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
7185 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
7186 qos->ucast.in.phy = ev->c_phy;
7187 qos->ucast.out.phy = ev->p_phy;
7189 case HCI_ROLE_MASTER:
7190 /* Convert Transport Latency (us) to Latency (msec) */
7191 qos->ucast.out.latency =
7192 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
7194 qos->ucast.in.latency =
7195 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
7197 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
7198 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
7199 qos->ucast.out.phy = ev->c_phy;
7200 qos->ucast.in.phy = ev->p_phy;
7205 conn->state = BT_CONNECTED;
7206 hci_debugfs_create_conn(conn);
7207 hci_conn_add_sysfs(conn);
7208 hci_iso_setup_path(conn);
7212 conn->state = BT_CLOSED;
7213 hci_connect_cfm(conn, ev->status);
7218 hci_le_create_cis_pending(hdev);
7220 hci_dev_unlock(hdev);
7223 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7225 struct hci_cp_le_reject_cis cp;
7227 memset(&cp, 0, sizeof(cp));
7229 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7230 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7233 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7235 struct hci_cp_le_accept_cis cp;
7237 memset(&cp, 0, sizeof(cp));
7239 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7242 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7243 struct sk_buff *skb)
7245 struct hci_evt_le_cis_req *ev = data;
7246 u16 acl_handle, cis_handle;
7247 struct hci_conn *acl, *cis;
7251 acl_handle = __le16_to_cpu(ev->acl_handle);
7252 cis_handle = __le16_to_cpu(ev->cis_handle);
7254 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7255 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7259 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7263 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7264 if (!(mask & HCI_LM_ACCEPT)) {
7265 hci_le_reject_cis(hdev, ev->cis_handle);
7269 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7271 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7274 hci_le_reject_cis(hdev, ev->cis_handle);
7279 cis->iso_qos.ucast.cig = ev->cig_id;
7280 cis->iso_qos.ucast.cis = ev->cis_id;
7282 if (!(flags & HCI_PROTO_DEFER)) {
7283 hci_le_accept_cis(hdev, ev->cis_handle);
7285 cis->state = BT_CONNECT2;
7286 hci_connect_cfm(cis, 0);
7290 hci_dev_unlock(hdev);
7293 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7295 u8 handle = PTR_UINT(data);
7297 return hci_le_terminate_big_sync(hdev, handle,
7298 HCI_ERROR_LOCAL_HOST_TERM);
7301 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7302 struct sk_buff *skb)
7304 struct hci_evt_le_create_big_complete *ev = data;
7305 struct hci_conn *conn;
7308 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7310 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7311 flex_array_size(ev, bis_handle, ev->num_bis)))
7317 /* Connect all BISes that are bound to the BIG */
7318 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7319 if (bacmp(&conn->dst, BDADDR_ANY) ||
7320 conn->type != ISO_LINK ||
7321 conn->iso_qos.bcast.big != ev->handle)
7324 if (hci_conn_set_handle(conn,
7325 __le16_to_cpu(ev->bis_handle[i++])))
7329 conn->state = BT_CONNECTED;
7330 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7332 hci_debugfs_create_conn(conn);
7333 hci_conn_add_sysfs(conn);
7334 hci_iso_setup_path(conn);
7339 hci_connect_cfm(conn, ev->status);
7347 if (!ev->status && !i)
7348 /* If no BISes have been connected for the BIG,
7349 * terminate. This is in case all bound connections
7350 * have been closed before the BIG creation
7353 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7354 UINT_PTR(ev->handle), NULL);
7356 hci_dev_unlock(hdev);
7359 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7360 struct sk_buff *skb)
7362 struct hci_evt_le_big_sync_estabilished *ev = data;
7363 struct hci_conn *bis;
7364 struct hci_conn *pa_sync;
7367 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7369 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7370 flex_array_size(ev, bis, ev->num_bis)))
7376 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7378 /* Also mark the BIG sync established event on the
7379 * associated PA sync hcon
7381 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7384 for (i = 0; i < ev->num_bis; i++) {
7385 u16 handle = le16_to_cpu(ev->bis[i]);
7388 bis = hci_conn_hash_lookup_handle(hdev, handle);
7390 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7391 HCI_ROLE_SLAVE, handle);
7396 if (ev->status != 0x42)
7397 /* Mark PA sync as established */
7398 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7400 bis->iso_qos.bcast.big = ev->handle;
7401 memset(&interval, 0, sizeof(interval));
7402 memcpy(&interval, ev->latency, sizeof(ev->latency));
7403 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7404 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7405 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7406 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7409 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7410 hci_iso_setup_path(bis);
7414 /* In case BIG sync failed, notify each failed connection to
7415 * the user after all hci connections have been added
7418 for (i = 0; i < ev->num_bis; i++) {
7419 u16 handle = le16_to_cpu(ev->bis[i]);
7421 bis = hci_conn_hash_lookup_handle(hdev, handle);
7423 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7424 hci_connect_cfm(bis, ev->status);
7427 hci_dev_unlock(hdev);
7430 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7431 struct sk_buff *skb)
7433 struct hci_evt_le_big_info_adv_report *ev = data;
7434 int mask = hdev->link_mode;
7436 struct hci_conn *pa_sync;
7438 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7442 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7443 if (!(mask & HCI_LM_ACCEPT)) {
7444 hci_le_pa_term_sync(hdev, ev->sync_handle);
7448 if (!(flags & HCI_PROTO_DEFER))
7451 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7453 le16_to_cpu(ev->sync_handle));
7458 /* Add connection to indicate the PA sync event */
7459 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7465 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7466 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7468 /* Notify iso layer */
7469 hci_connect_cfm(pa_sync, 0x00);
7472 hci_dev_unlock(hdev);
7475 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7478 .min_len = _min_len, \
7479 .max_len = _max_len, \
7482 #define HCI_LE_EV(_op, _func, _len) \
7483 HCI_LE_EV_VL(_op, _func, _len, _len)
7485 #define HCI_LE_EV_STATUS(_op, _func) \
7486 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7488 /* Entries in this table shall have their position according to the subevent
7489 * opcode they handle so the use of the macros above is recommend since it does
7490 * attempt to initialize at its proper index using Designated Initializers that
7491 * way events without a callback function can be ommited.
7493 static const struct hci_le_ev {
7494 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7497 } hci_le_ev_table[U8_MAX + 1] = {
7498 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7499 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7500 sizeof(struct hci_ev_le_conn_complete)),
7501 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7502 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7503 sizeof(struct hci_ev_le_advertising_report),
7504 HCI_MAX_EVENT_SIZE),
7505 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7506 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7507 hci_le_conn_update_complete_evt,
7508 sizeof(struct hci_ev_le_conn_update_complete)),
7509 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7510 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7511 hci_le_remote_feat_complete_evt,
7512 sizeof(struct hci_ev_le_remote_feat_complete)),
7513 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7514 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7515 sizeof(struct hci_ev_le_ltk_req)),
7516 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7517 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7518 hci_le_remote_conn_param_req_evt,
7519 sizeof(struct hci_ev_le_remote_conn_param_req)),
7520 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7521 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7522 hci_le_enh_conn_complete_evt,
7523 sizeof(struct hci_ev_le_enh_conn_complete)),
7524 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7525 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7526 sizeof(struct hci_ev_le_direct_adv_report),
7527 HCI_MAX_EVENT_SIZE),
7528 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7529 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7530 sizeof(struct hci_ev_le_phy_update_complete)),
7531 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7532 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7533 sizeof(struct hci_ev_le_ext_adv_report),
7534 HCI_MAX_EVENT_SIZE),
7535 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7536 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7537 hci_le_pa_sync_estabilished_evt,
7538 sizeof(struct hci_ev_le_pa_sync_established)),
7539 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7540 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7541 hci_le_per_adv_report_evt,
7542 sizeof(struct hci_ev_le_per_adv_report),
7543 HCI_MAX_EVENT_SIZE),
7544 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7545 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7546 sizeof(struct hci_evt_le_ext_adv_set_term)),
7547 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7548 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7549 sizeof(struct hci_evt_le_cis_established)),
7550 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7551 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7552 sizeof(struct hci_evt_le_cis_req)),
7553 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7554 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7555 hci_le_create_big_complete_evt,
7556 sizeof(struct hci_evt_le_create_big_complete),
7557 HCI_MAX_EVENT_SIZE),
7558 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7559 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7560 hci_le_big_sync_established_evt,
7561 sizeof(struct hci_evt_le_big_sync_estabilished),
7562 HCI_MAX_EVENT_SIZE),
7563 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7564 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7565 hci_le_big_info_adv_report_evt,
7566 sizeof(struct hci_evt_le_big_info_adv_report),
7567 HCI_MAX_EVENT_SIZE),
7570 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7571 struct sk_buff *skb, u16 *opcode, u8 *status,
7572 hci_req_complete_t *req_complete,
7573 hci_req_complete_skb_t *req_complete_skb)
7575 struct hci_ev_le_meta *ev = data;
7576 const struct hci_le_ev *subev;
7578 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7580 /* Only match event if command OGF is for LE */
7581 if (hdev->sent_cmd &&
7582 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7583 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7584 *opcode = hci_skb_opcode(hdev->sent_cmd);
7585 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7589 subev = &hci_le_ev_table[ev->subevent];
7593 if (skb->len < subev->min_len) {
7594 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7595 ev->subevent, skb->len, subev->min_len);
7599 /* Just warn if the length is over max_len size it still be
7600 * possible to partially parse the event so leave to callback to
7601 * decide if that is acceptable.
7603 if (skb->len > subev->max_len)
7604 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7605 ev->subevent, skb->len, subev->max_len);
7606 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7610 subev->func(hdev, data, skb);
7613 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7614 u8 event, struct sk_buff *skb)
7616 struct hci_ev_cmd_complete *ev;
7617 struct hci_event_hdr *hdr;
7622 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7627 if (hdr->evt != event)
7632 /* Check if request ended in Command Status - no way to retrieve
7633 * any extra parameters in this case.
7635 if (hdr->evt == HCI_EV_CMD_STATUS)
7638 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7639 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7644 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7648 if (opcode != __le16_to_cpu(ev->opcode)) {
7649 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7650 __le16_to_cpu(ev->opcode));
7657 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7658 struct sk_buff *skb)
7660 struct hci_ev_le_advertising_info *adv;
7661 struct hci_ev_le_direct_adv_info *direct_adv;
7662 struct hci_ev_le_ext_adv_info *ext_adv;
7663 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7664 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7668 /* If we are currently suspended and this is the first BT event seen,
7669 * save the wake reason associated with the event.
7671 if (!hdev->suspended || hdev->wake_reason)
7674 /* Default to remote wake. Values for wake_reason are documented in the
7675 * Bluez mgmt api docs.
7677 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7679 /* Once configured for remote wakeup, we should only wake up for
7680 * reconnections. It's useful to see which device is waking us up so
7681 * keep track of the bdaddr of the connection event that woke us up.
7683 if (event == HCI_EV_CONN_REQUEST) {
7684 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7685 hdev->wake_addr_type = BDADDR_BREDR;
7686 } else if (event == HCI_EV_CONN_COMPLETE) {
7687 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7688 hdev->wake_addr_type = BDADDR_BREDR;
7689 } else if (event == HCI_EV_LE_META) {
7690 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7691 u8 subevent = le_ev->subevent;
7692 u8 *ptr = &skb->data[sizeof(*le_ev)];
7693 u8 num_reports = *ptr;
7695 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7696 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7697 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7699 adv = (void *)(ptr + 1);
7700 direct_adv = (void *)(ptr + 1);
7701 ext_adv = (void *)(ptr + 1);
7704 case HCI_EV_LE_ADVERTISING_REPORT:
7705 bacpy(&hdev->wake_addr, &adv->bdaddr);
7706 hdev->wake_addr_type = adv->bdaddr_type;
7708 case HCI_EV_LE_DIRECT_ADV_REPORT:
7709 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7710 hdev->wake_addr_type = direct_adv->bdaddr_type;
7712 case HCI_EV_LE_EXT_ADV_REPORT:
7713 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7714 hdev->wake_addr_type = ext_adv->bdaddr_type;
7719 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7723 hci_dev_unlock(hdev);
7726 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7730 .min_len = _min_len, \
7731 .max_len = _max_len, \
7734 #define HCI_EV(_op, _func, _len) \
7735 HCI_EV_VL(_op, _func, _len, _len)
7737 #define HCI_EV_STATUS(_op, _func) \
7738 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7740 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7743 .func_req = _func, \
7744 .min_len = _min_len, \
7745 .max_len = _max_len, \
7748 #define HCI_EV_REQ(_op, _func, _len) \
7749 HCI_EV_REQ_VL(_op, _func, _len, _len)
7751 /* Entries in this table shall have their position according to the event opcode
7752 * they handle so the use of the macros above is recommend since it does attempt
7753 * to initialize at its proper index using Designated Initializers that way
7754 * events without a callback function don't have entered.
7756 static const struct hci_ev {
7759 void (*func)(struct hci_dev *hdev, void *data,
7760 struct sk_buff *skb);
7761 void (*func_req)(struct hci_dev *hdev, void *data,
7762 struct sk_buff *skb, u16 *opcode, u8 *status,
7763 hci_req_complete_t *req_complete,
7764 hci_req_complete_skb_t *req_complete_skb);
7768 } hci_ev_table[U8_MAX + 1] = {
7769 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7770 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7771 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7772 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7773 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7774 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7775 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7776 sizeof(struct hci_ev_conn_complete)),
7777 /* [0x04 = HCI_EV_CONN_REQUEST] */
7778 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7779 sizeof(struct hci_ev_conn_request)),
7780 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7781 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7782 sizeof(struct hci_ev_disconn_complete)),
7783 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7784 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7785 sizeof(struct hci_ev_auth_complete)),
7786 /* [0x07 = HCI_EV_REMOTE_NAME] */
7787 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7788 sizeof(struct hci_ev_remote_name)),
7789 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7790 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7791 sizeof(struct hci_ev_encrypt_change)),
7792 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7793 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7794 hci_change_link_key_complete_evt,
7795 sizeof(struct hci_ev_change_link_key_complete)),
7796 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7797 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7798 sizeof(struct hci_ev_remote_features)),
7799 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7800 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7801 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7802 /* [0x0f = HCI_EV_CMD_STATUS] */
7803 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7804 sizeof(struct hci_ev_cmd_status)),
7805 /* [0x10 = HCI_EV_CMD_STATUS] */
7806 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7807 sizeof(struct hci_ev_hardware_error)),
7808 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7809 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7810 sizeof(struct hci_ev_role_change)),
7811 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7812 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7813 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7814 /* [0x14 = HCI_EV_MODE_CHANGE] */
7815 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7816 sizeof(struct hci_ev_mode_change)),
7817 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7818 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7819 sizeof(struct hci_ev_pin_code_req)),
7820 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7821 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7822 sizeof(struct hci_ev_link_key_req)),
7823 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7824 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7825 sizeof(struct hci_ev_link_key_notify)),
7826 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7827 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7828 sizeof(struct hci_ev_clock_offset)),
7829 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7830 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7831 sizeof(struct hci_ev_pkt_type_change)),
7832 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7833 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7834 sizeof(struct hci_ev_pscan_rep_mode)),
7835 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7836 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7837 hci_inquiry_result_with_rssi_evt,
7838 sizeof(struct hci_ev_inquiry_result_rssi),
7839 HCI_MAX_EVENT_SIZE),
7840 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7841 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7842 sizeof(struct hci_ev_remote_ext_features)),
7843 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7844 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7845 sizeof(struct hci_ev_sync_conn_complete)),
7846 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7847 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7848 hci_extended_inquiry_result_evt,
7849 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7850 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7851 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7852 sizeof(struct hci_ev_key_refresh_complete)),
7853 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7854 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7855 sizeof(struct hci_ev_io_capa_request)),
7856 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7857 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7858 sizeof(struct hci_ev_io_capa_reply)),
7859 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7860 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7861 sizeof(struct hci_ev_user_confirm_req)),
7862 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7863 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7864 sizeof(struct hci_ev_user_passkey_req)),
7865 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7866 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7867 sizeof(struct hci_ev_remote_oob_data_request)),
7868 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7869 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7870 sizeof(struct hci_ev_simple_pair_complete)),
7871 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7872 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7873 sizeof(struct hci_ev_user_passkey_notify)),
7874 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7875 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7876 sizeof(struct hci_ev_keypress_notify)),
7877 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7878 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7879 sizeof(struct hci_ev_remote_host_features)),
7880 /* [0x3e = HCI_EV_LE_META] */
7881 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7882 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7883 #if IS_ENABLED(CONFIG_BT_HS)
7884 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7885 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7886 sizeof(struct hci_ev_phy_link_complete)),
7887 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7888 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7889 sizeof(struct hci_ev_channel_selected)),
7890 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7891 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7892 hci_disconn_loglink_complete_evt,
7893 sizeof(struct hci_ev_disconn_logical_link_complete)),
7894 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7895 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7896 sizeof(struct hci_ev_logical_link_complete)),
7897 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7898 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7899 hci_disconn_phylink_complete_evt,
7900 sizeof(struct hci_ev_disconn_phy_link_complete)),
7902 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7903 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7904 sizeof(struct hci_ev_num_comp_blocks)),
7906 /* [0xFF = HCI_EV_VENDOR_SPECIFIC] */
7907 HCI_EV(HCI_EV_VENDOR_SPECIFIC, hci_vendor_specific_evt,
7908 sizeof(struct hci_ev_vendor_specific)),
7910 /* [0xff = HCI_EV_VENDOR] */
7911 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7915 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7916 u16 *opcode, u8 *status,
7917 hci_req_complete_t *req_complete,
7918 hci_req_complete_skb_t *req_complete_skb)
7920 const struct hci_ev *ev = &hci_ev_table[event];
7926 if (skb->len < ev->min_len) {
7927 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7928 event, skb->len, ev->min_len);
7932 /* Just warn if the length is over max_len size it still be
7933 * possible to partially parse the event so leave to callback to
7934 * decide if that is acceptable.
7936 if (skb->len > ev->max_len)
7937 bt_dev_warn_ratelimited(hdev,
7938 "unexpected event 0x%2.2x length: %u > %u",
7939 event, skb->len, ev->max_len);
7941 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7946 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7949 ev->func(hdev, data, skb);
7952 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7954 struct hci_event_hdr *hdr = (void *) skb->data;
7955 hci_req_complete_t req_complete = NULL;
7956 hci_req_complete_skb_t req_complete_skb = NULL;
7957 struct sk_buff *orig_skb = NULL;
7958 u8 status = 0, event, req_evt = 0;
7959 u16 opcode = HCI_OP_NOP;
7961 if (skb->len < sizeof(*hdr)) {
7962 bt_dev_err(hdev, "Malformed HCI Event");
7966 kfree_skb(hdev->recv_event);
7967 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7971 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7976 /* Only match event if command OGF is not for LE */
7977 if (hdev->sent_cmd &&
7978 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7979 hci_skb_event(hdev->sent_cmd) == event) {
7980 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7981 status, &req_complete, &req_complete_skb);
7985 /* If it looks like we might end up having to call
7986 * req_complete_skb, store a pristine copy of the skb since the
7987 * various handlers may modify the original one through
7988 * skb_pull() calls, etc.
7990 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7991 event == HCI_EV_CMD_COMPLETE)
7992 orig_skb = skb_clone(skb, GFP_KERNEL);
7994 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7996 /* Store wake reason if we're suspended */
7997 hci_store_wake_reason(hdev, event, skb);
7999 bt_dev_dbg(hdev, "event 0x%2.2x", event);
8001 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
8005 req_complete(hdev, status, opcode);
8006 } else if (req_complete_skb) {
8007 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
8008 kfree_skb(orig_skb);
8011 req_complete_skb(hdev, status, opcode, orig_skb);
8015 kfree_skb(orig_skb);
8017 hdev->stat.evt_rx++;