2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
43 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
44 "\x00\x00\x00\x00\x00\x00\x00\x00"
46 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
48 /* Handle HCI Event packets */
50 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
55 data = skb_pull_data(skb, len);
57 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
62 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
67 data = skb_pull_data(skb, len);
69 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
74 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
79 data = skb_pull_data(skb, len);
81 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
86 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
89 struct hci_ev_status *rp = data;
91 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
93 /* It is possible that we receive Inquiry Complete event right
94 * before we receive Inquiry Cancel Command Complete event, in
95 * which case the latter event should have status of Command
96 * Disallowed. This should not be treated as error, since
97 * we actually achieve what Inquiry Cancel wants to achieve,
98 * which is to end the last Inquiry session.
100 if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) {
101 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
108 clear_bit(HCI_INQUIRY, &hdev->flags);
109 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
110 wake_up_bit(&hdev->flags, HCI_INQUIRY);
113 /* Set discovery state to stopped if we're not doing LE active
116 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
117 hdev->le_scan_type != LE_SCAN_ACTIVE)
118 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
119 hci_dev_unlock(hdev);
124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
127 struct hci_ev_status *rp = data;
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
142 struct hci_ev_status *rp = data;
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
154 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
157 struct hci_ev_status *rp = data;
159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
164 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
167 struct hci_rp_role_discovery *rp = data;
168 struct hci_conn *conn;
170 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
177 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
179 conn->role = rp->role;
181 hci_dev_unlock(hdev);
186 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
189 struct hci_rp_read_link_policy *rp = data;
190 struct hci_conn *conn;
192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
199 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
201 conn->link_policy = __le16_to_cpu(rp->policy);
203 hci_dev_unlock(hdev);
208 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
211 struct hci_rp_write_link_policy *rp = data;
212 struct hci_conn *conn;
215 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
220 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
226 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
228 conn->link_policy = get_unaligned_le16(sent + 2);
230 hci_dev_unlock(hdev);
235 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
238 struct hci_rp_read_def_link_policy *rp = data;
240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
245 hdev->link_policy = __le16_to_cpu(rp->policy);
250 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
253 struct hci_ev_status *rp = data;
256 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
261 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
265 hdev->link_policy = get_unaligned_le16(sent);
270 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
272 struct hci_ev_status *rp = data;
274 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
276 clear_bit(HCI_RESET, &hdev->flags);
281 /* Reset all non-persistent flags */
282 hci_dev_clear_volatile_flags(hdev);
284 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
286 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
287 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
289 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
290 hdev->adv_data_len = 0;
292 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
293 hdev->scan_rsp_data_len = 0;
295 hdev->le_scan_type = LE_SCAN_PASSIVE;
297 hdev->ssp_debug_mode = 0;
299 hci_bdaddr_list_clear(&hdev->le_accept_list);
300 hci_bdaddr_list_clear(&hdev->le_resolv_list);
305 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
308 struct hci_rp_read_stored_link_key *rp = data;
309 struct hci_cp_read_stored_link_key *sent;
311 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
313 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
317 if (!rp->status && sent->read_all == 0x01) {
318 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
319 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
325 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
328 struct hci_rp_delete_stored_link_key *rp = data;
331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
336 num_keys = le16_to_cpu(rp->num_keys);
338 if (num_keys <= hdev->stored_num_keys)
339 hdev->stored_num_keys -= num_keys;
341 hdev->stored_num_keys = 0;
346 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
349 struct hci_ev_status *rp = data;
352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
360 if (hci_dev_test_flag(hdev, HCI_MGMT))
361 mgmt_set_local_name_complete(hdev, sent, rp->status);
362 else if (!rp->status)
363 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
365 hci_dev_unlock(hdev);
370 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
373 struct hci_rp_read_local_name *rp = data;
375 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
380 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
381 hci_dev_test_flag(hdev, HCI_CONFIG))
382 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
387 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
390 struct hci_ev_status *rp = data;
393 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
395 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
402 __u8 param = *((__u8 *) sent);
404 if (param == AUTH_ENABLED)
405 set_bit(HCI_AUTH, &hdev->flags);
407 clear_bit(HCI_AUTH, &hdev->flags);
410 if (hci_dev_test_flag(hdev, HCI_MGMT))
411 mgmt_auth_enable_complete(hdev, rp->status);
413 hci_dev_unlock(hdev);
418 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
421 struct hci_ev_status *rp = data;
425 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
430 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
434 param = *((__u8 *) sent);
437 set_bit(HCI_ENCRYPT, &hdev->flags);
439 clear_bit(HCI_ENCRYPT, &hdev->flags);
444 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
447 struct hci_ev_status *rp = data;
451 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
457 param = *((__u8 *) sent);
462 hdev->discov_timeout = 0;
466 if (param & SCAN_INQUIRY)
467 set_bit(HCI_ISCAN, &hdev->flags);
469 clear_bit(HCI_ISCAN, &hdev->flags);
471 if (param & SCAN_PAGE)
472 set_bit(HCI_PSCAN, &hdev->flags);
474 clear_bit(HCI_PSCAN, &hdev->flags);
477 hci_dev_unlock(hdev);
482 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
485 struct hci_ev_status *rp = data;
486 struct hci_cp_set_event_filter *cp;
489 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
494 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
498 cp = (struct hci_cp_set_event_filter *)sent;
500 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
501 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
503 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
508 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
511 struct hci_rp_read_class_of_dev *rp = data;
514 return HCI_ERROR_UNSPECIFIED;
516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
521 memcpy(hdev->dev_class, rp->dev_class, 3);
523 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
524 hdev->dev_class[1], hdev->dev_class[0]);
529 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
532 struct hci_ev_status *rp = data;
535 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
537 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
544 memcpy(hdev->dev_class, sent, 3);
546 if (hci_dev_test_flag(hdev, HCI_MGMT))
547 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
549 hci_dev_unlock(hdev);
554 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
557 struct hci_rp_read_voice_setting *rp = data;
560 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
565 setting = __le16_to_cpu(rp->voice_setting);
567 if (hdev->voice_setting == setting)
570 hdev->voice_setting = setting;
572 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
575 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
580 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
583 struct hci_ev_status *rp = data;
587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
592 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
596 setting = get_unaligned_le16(sent);
598 if (hdev->voice_setting == setting)
601 hdev->voice_setting = setting;
603 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
606 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
611 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
614 struct hci_rp_read_num_supported_iac *rp = data;
616 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
621 hdev->num_iac = rp->num_iac;
623 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
628 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
631 struct hci_ev_status *rp = data;
632 struct hci_cp_write_ssp_mode *sent;
634 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
636 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
644 hdev->features[1][0] |= LMP_HOST_SSP;
646 hdev->features[1][0] &= ~LMP_HOST_SSP;
651 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
653 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
656 hci_dev_unlock(hdev);
661 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
664 struct hci_ev_status *rp = data;
665 struct hci_cp_write_sc_support *sent;
667 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
669 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
677 hdev->features[1][0] |= LMP_HOST_SC;
679 hdev->features[1][0] &= ~LMP_HOST_SC;
682 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
684 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
686 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
689 hci_dev_unlock(hdev);
694 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
697 struct hci_rp_read_local_version *rp = data;
699 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
704 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
705 hci_dev_test_flag(hdev, HCI_CONFIG)) {
706 hdev->hci_ver = rp->hci_ver;
707 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
708 hdev->lmp_ver = rp->lmp_ver;
709 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
710 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
716 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
719 struct hci_rp_read_enc_key_size *rp = data;
720 struct hci_conn *conn;
722 u8 status = rp->status;
724 bt_dev_dbg(hdev, "status 0x%2.2x", status);
726 handle = le16_to_cpu(rp->handle);
730 conn = hci_conn_hash_lookup_handle(hdev, handle);
736 /* While unexpected, the read_enc_key_size command may fail. The most
737 * secure approach is to then assume the key size is 0 to force a
741 bt_dev_err(hdev, "failed to read key size for handle %u",
743 conn->enc_key_size = 0;
745 conn->enc_key_size = rp->key_size;
748 if (conn->enc_key_size < hdev->min_enc_key_size) {
749 /* As slave role, the conn->state has been set to
750 * BT_CONNECTED and l2cap conn req might not be received
751 * yet, at this moment the l2cap layer almost does
752 * nothing with the non-zero status.
753 * So we also clear encrypt related bits, and then the
754 * handler of l2cap conn req will get the right secure
755 * state at a later time.
757 status = HCI_ERROR_AUTH_FAILURE;
758 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
759 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
763 hci_encrypt_cfm(conn, status);
766 hci_dev_unlock(hdev);
771 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
774 struct hci_rp_read_local_commands *rp = data;
776 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
781 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
782 hci_dev_test_flag(hdev, HCI_CONFIG))
783 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
788 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
791 struct hci_rp_read_auth_payload_to *rp = data;
792 struct hci_conn *conn;
794 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
801 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
803 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
805 hci_dev_unlock(hdev);
810 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
813 struct hci_rp_write_auth_payload_to *rp = data;
814 struct hci_conn *conn;
817 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
819 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
825 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
832 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
835 hci_dev_unlock(hdev);
840 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
843 struct hci_rp_read_local_features *rp = data;
845 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
850 memcpy(hdev->features, rp->features, 8);
852 /* Adjust default settings according to features
853 * supported by device. */
855 if (hdev->features[0][0] & LMP_3SLOT)
856 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
858 if (hdev->features[0][0] & LMP_5SLOT)
859 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
861 if (hdev->features[0][1] & LMP_HV2) {
862 hdev->pkt_type |= (HCI_HV2);
863 hdev->esco_type |= (ESCO_HV2);
866 if (hdev->features[0][1] & LMP_HV3) {
867 hdev->pkt_type |= (HCI_HV3);
868 hdev->esco_type |= (ESCO_HV3);
871 if (lmp_esco_capable(hdev))
872 hdev->esco_type |= (ESCO_EV3);
874 if (hdev->features[0][4] & LMP_EV4)
875 hdev->esco_type |= (ESCO_EV4);
877 if (hdev->features[0][4] & LMP_EV5)
878 hdev->esco_type |= (ESCO_EV5);
880 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
881 hdev->esco_type |= (ESCO_2EV3);
883 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
884 hdev->esco_type |= (ESCO_3EV3);
886 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
887 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
892 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
895 struct hci_rp_read_local_ext_features *rp = data;
897 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
902 if (hdev->max_page < rp->max_page) {
903 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
905 bt_dev_warn(hdev, "broken local ext features page 2");
907 hdev->max_page = rp->max_page;
910 if (rp->page < HCI_MAX_PAGES)
911 memcpy(hdev->features[rp->page], rp->features, 8);
916 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
919 struct hci_rp_read_flow_control_mode *rp = data;
921 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
926 hdev->flow_ctl_mode = rp->mode;
931 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
934 struct hci_rp_read_buffer_size *rp = data;
936 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
941 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
942 hdev->sco_mtu = rp->sco_mtu;
943 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
944 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
946 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
951 hdev->acl_cnt = hdev->acl_pkts;
952 hdev->sco_cnt = hdev->sco_pkts;
954 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
955 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
960 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
963 struct hci_rp_read_bd_addr *rp = data;
965 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
970 if (test_bit(HCI_INIT, &hdev->flags))
971 bacpy(&hdev->bdaddr, &rp->bdaddr);
973 if (hci_dev_test_flag(hdev, HCI_SETUP))
974 bacpy(&hdev->setup_addr, &rp->bdaddr);
979 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
982 struct hci_rp_read_local_pairing_opts *rp = data;
984 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
989 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
990 hci_dev_test_flag(hdev, HCI_CONFIG)) {
991 hdev->pairing_opts = rp->pairing_opts;
992 hdev->max_enc_key_size = rp->max_key_size;
998 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1001 struct hci_rp_read_page_scan_activity *rp = data;
1003 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1008 if (test_bit(HCI_INIT, &hdev->flags)) {
1009 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1010 hdev->page_scan_window = __le16_to_cpu(rp->window);
1016 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1017 struct sk_buff *skb)
1019 struct hci_ev_status *rp = data;
1020 struct hci_cp_write_page_scan_activity *sent;
1022 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1027 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1031 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1032 hdev->page_scan_window = __le16_to_cpu(sent->window);
1037 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1038 struct sk_buff *skb)
1040 struct hci_rp_read_page_scan_type *rp = data;
1042 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1047 if (test_bit(HCI_INIT, &hdev->flags))
1048 hdev->page_scan_type = rp->type;
1053 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1054 struct sk_buff *skb)
1056 struct hci_ev_status *rp = data;
1059 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1064 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1066 hdev->page_scan_type = *type;
1071 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1072 struct sk_buff *skb)
1074 struct hci_rp_read_data_block_size *rp = data;
1076 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1081 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1082 hdev->block_len = __le16_to_cpu(rp->block_len);
1083 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1085 hdev->block_cnt = hdev->num_blocks;
1087 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1088 hdev->block_cnt, hdev->block_len);
1093 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1094 struct sk_buff *skb)
1096 struct hci_rp_read_clock *rp = data;
1097 struct hci_cp_read_clock *cp;
1098 struct hci_conn *conn;
1100 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1107 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1111 if (cp->which == 0x00) {
1112 hdev->clock = le32_to_cpu(rp->clock);
1116 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1118 conn->clock = le32_to_cpu(rp->clock);
1119 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1123 hci_dev_unlock(hdev);
1127 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1128 struct sk_buff *skb)
1130 struct hci_rp_read_local_amp_info *rp = data;
1132 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1137 hdev->amp_status = rp->amp_status;
1138 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1139 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1140 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1141 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1142 hdev->amp_type = rp->amp_type;
1143 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1144 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1145 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1146 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1151 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1152 struct sk_buff *skb)
1154 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1156 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1161 hdev->inq_tx_power = rp->tx_power;
1166 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1167 struct sk_buff *skb)
1169 struct hci_rp_read_def_err_data_reporting *rp = data;
1171 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1176 hdev->err_data_reporting = rp->err_data_reporting;
1181 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1182 struct sk_buff *skb)
1184 struct hci_ev_status *rp = data;
1185 struct hci_cp_write_def_err_data_reporting *cp;
1187 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1192 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1196 hdev->err_data_reporting = cp->err_data_reporting;
1201 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1202 struct sk_buff *skb)
1204 struct hci_rp_pin_code_reply *rp = data;
1205 struct hci_cp_pin_code_reply *cp;
1206 struct hci_conn *conn;
1208 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1212 if (hci_dev_test_flag(hdev, HCI_MGMT))
1213 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1218 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1222 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1224 conn->pin_length = cp->pin_len;
1227 hci_dev_unlock(hdev);
1231 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1232 struct sk_buff *skb)
1234 struct hci_rp_pin_code_neg_reply *rp = data;
1236 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1240 if (hci_dev_test_flag(hdev, HCI_MGMT))
1241 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1244 hci_dev_unlock(hdev);
1249 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1250 struct sk_buff *skb)
1252 struct hci_rp_le_read_buffer_size *rp = data;
1254 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1259 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1260 hdev->le_pkts = rp->le_max_pkt;
1262 hdev->le_cnt = hdev->le_pkts;
1264 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1269 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1270 struct sk_buff *skb)
1272 struct hci_rp_le_read_local_features *rp = data;
1274 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1279 memcpy(hdev->le_features, rp->features, 8);
1284 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1285 struct sk_buff *skb)
1287 struct hci_rp_le_read_adv_tx_power *rp = data;
1289 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1294 hdev->adv_tx_power = rp->tx_power;
1299 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1300 struct sk_buff *skb)
1302 struct hci_rp_user_confirm_reply *rp = data;
1304 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1308 if (hci_dev_test_flag(hdev, HCI_MGMT))
1309 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1312 hci_dev_unlock(hdev);
1317 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1318 struct sk_buff *skb)
1320 struct hci_rp_user_confirm_reply *rp = data;
1322 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1326 if (hci_dev_test_flag(hdev, HCI_MGMT))
1327 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1328 ACL_LINK, 0, rp->status);
1330 hci_dev_unlock(hdev);
1335 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1336 struct sk_buff *skb)
1338 struct hci_rp_user_confirm_reply *rp = data;
1340 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1344 if (hci_dev_test_flag(hdev, HCI_MGMT))
1345 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1348 hci_dev_unlock(hdev);
1353 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1354 struct sk_buff *skb)
1356 struct hci_rp_user_confirm_reply *rp = data;
1358 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1362 if (hci_dev_test_flag(hdev, HCI_MGMT))
1363 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1364 ACL_LINK, 0, rp->status);
1366 hci_dev_unlock(hdev);
1371 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1372 struct sk_buff *skb)
1374 struct hci_rp_read_local_oob_data *rp = data;
1376 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1381 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1382 struct sk_buff *skb)
1384 struct hci_rp_read_local_oob_ext_data *rp = data;
1386 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1391 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1392 struct sk_buff *skb)
1394 struct hci_ev_status *rp = data;
1397 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1402 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1408 bacpy(&hdev->random_addr, sent);
1410 if (!bacmp(&hdev->rpa, sent)) {
1411 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1412 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1413 secs_to_jiffies(hdev->rpa_timeout));
1416 hci_dev_unlock(hdev);
1421 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1422 struct sk_buff *skb)
1424 struct hci_ev_status *rp = data;
1425 struct hci_cp_le_set_default_phy *cp;
1427 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1432 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1438 hdev->le_tx_def_phys = cp->tx_phys;
1439 hdev->le_rx_def_phys = cp->rx_phys;
1441 hci_dev_unlock(hdev);
1446 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1447 struct sk_buff *skb)
1449 struct hci_ev_status *rp = data;
1450 struct hci_cp_le_set_adv_set_rand_addr *cp;
1451 struct adv_info *adv;
1453 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1458 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1459 /* Update only in case the adv instance since handle 0x00 shall be using
1460 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1461 * non-extended adverting.
1463 if (!cp || !cp->handle)
1468 adv = hci_find_adv_instance(hdev, cp->handle);
1470 bacpy(&adv->random_addr, &cp->bdaddr);
1471 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1472 adv->rpa_expired = false;
1473 queue_delayed_work(hdev->workqueue,
1474 &adv->rpa_expired_cb,
1475 secs_to_jiffies(hdev->rpa_timeout));
1479 hci_dev_unlock(hdev);
1484 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1485 struct sk_buff *skb)
1487 struct hci_ev_status *rp = data;
1491 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1496 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1502 err = hci_remove_adv_instance(hdev, *instance);
1504 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1507 hci_dev_unlock(hdev);
1512 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1513 struct sk_buff *skb)
1515 struct hci_ev_status *rp = data;
1516 struct adv_info *adv, *n;
1519 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1524 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1529 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1530 u8 instance = adv->instance;
1532 err = hci_remove_adv_instance(hdev, instance);
1534 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1538 hci_dev_unlock(hdev);
1543 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1544 struct sk_buff *skb)
1546 struct hci_rp_le_read_transmit_power *rp = data;
1548 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1553 hdev->min_le_tx_power = rp->min_le_tx_power;
1554 hdev->max_le_tx_power = rp->max_le_tx_power;
1559 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1560 struct sk_buff *skb)
1562 struct hci_ev_status *rp = data;
1563 struct hci_cp_le_set_privacy_mode *cp;
1564 struct hci_conn_params *params;
1566 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1571 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1577 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1579 WRITE_ONCE(params->privacy_mode, cp->mode);
1581 hci_dev_unlock(hdev);
1586 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1587 struct sk_buff *skb)
1589 struct hci_ev_status *rp = data;
1592 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1597 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1603 /* If we're doing connection initiation as peripheral. Set a
1604 * timeout in case something goes wrong.
1607 struct hci_conn *conn;
1609 hci_dev_set_flag(hdev, HCI_LE_ADV);
1611 conn = hci_lookup_le_connect(hdev);
1613 queue_delayed_work(hdev->workqueue,
1614 &conn->le_conn_timeout,
1615 conn->conn_timeout);
1617 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1620 hci_dev_unlock(hdev);
1625 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1626 struct sk_buff *skb)
1628 struct hci_cp_le_set_ext_adv_enable *cp;
1629 struct hci_cp_ext_adv_set *set;
1630 struct adv_info *adv = NULL, *n;
1631 struct hci_ev_status *rp = data;
1633 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1638 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1642 set = (void *)cp->data;
1646 if (cp->num_of_sets)
1647 adv = hci_find_adv_instance(hdev, set->handle);
1650 struct hci_conn *conn;
1652 hci_dev_set_flag(hdev, HCI_LE_ADV);
1654 if (adv && !adv->periodic)
1655 adv->enabled = true;
1657 conn = hci_lookup_le_connect(hdev);
1659 queue_delayed_work(hdev->workqueue,
1660 &conn->le_conn_timeout,
1661 conn->conn_timeout);
1663 if (cp->num_of_sets) {
1665 adv->enabled = false;
1667 /* If just one instance was disabled check if there are
1668 * any other instance enabled before clearing HCI_LE_ADV
1670 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1676 /* All instances shall be considered disabled */
1677 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1679 adv->enabled = false;
1682 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1686 hci_dev_unlock(hdev);
1690 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1691 struct sk_buff *skb)
1693 struct hci_cp_le_set_scan_param *cp;
1694 struct hci_ev_status *rp = data;
1696 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1701 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1707 hdev->le_scan_type = cp->type;
1709 hci_dev_unlock(hdev);
1714 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1715 struct sk_buff *skb)
1717 struct hci_cp_le_set_ext_scan_params *cp;
1718 struct hci_ev_status *rp = data;
1719 struct hci_cp_le_scan_phy_params *phy_param;
1721 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1726 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1730 phy_param = (void *)cp->data;
1734 hdev->le_scan_type = phy_param->type;
1736 hci_dev_unlock(hdev);
1741 static bool has_pending_adv_report(struct hci_dev *hdev)
1743 struct discovery_state *d = &hdev->discovery;
1745 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1748 static void clear_pending_adv_report(struct hci_dev *hdev)
1750 struct discovery_state *d = &hdev->discovery;
1752 bacpy(&d->last_adv_addr, BDADDR_ANY);
1753 d->last_adv_data_len = 0;
1756 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1757 u8 bdaddr_type, s8 rssi, u32 flags,
1760 struct discovery_state *d = &hdev->discovery;
1762 if (len > max_adv_len(hdev))
1765 bacpy(&d->last_adv_addr, bdaddr);
1766 d->last_adv_addr_type = bdaddr_type;
1767 d->last_adv_rssi = rssi;
1768 d->last_adv_flags = flags;
1769 memcpy(d->last_adv_data, data, len);
1770 d->last_adv_data_len = len;
1773 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1778 case LE_SCAN_ENABLE:
1779 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1780 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1781 clear_pending_adv_report(hdev);
1782 if (hci_dev_test_flag(hdev, HCI_MESH))
1783 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1786 case LE_SCAN_DISABLE:
1787 /* We do this here instead of when setting DISCOVERY_STOPPED
1788 * since the latter would potentially require waiting for
1789 * inquiry to stop too.
1791 if (has_pending_adv_report(hdev)) {
1792 struct discovery_state *d = &hdev->discovery;
1794 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1795 d->last_adv_addr_type, NULL,
1796 d->last_adv_rssi, d->last_adv_flags,
1798 d->last_adv_data_len, NULL, 0, 0);
1801 /* Cancel this timer so that we don't try to disable scanning
1802 * when it's already disabled.
1804 cancel_delayed_work(&hdev->le_scan_disable);
1806 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1808 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1809 * interrupted scanning due to a connect request. Mark
1810 * therefore discovery as stopped.
1812 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1813 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1814 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1815 hdev->discovery.state == DISCOVERY_FINDING)
1816 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1821 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1826 hci_dev_unlock(hdev);
1829 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1830 struct sk_buff *skb)
1832 struct hci_cp_le_set_scan_enable *cp;
1833 struct hci_ev_status *rp = data;
1835 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1840 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1844 le_set_scan_enable_complete(hdev, cp->enable);
1849 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1850 struct sk_buff *skb)
1852 struct hci_cp_le_set_ext_scan_enable *cp;
1853 struct hci_ev_status *rp = data;
1855 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1860 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1864 le_set_scan_enable_complete(hdev, cp->enable);
1869 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1870 struct sk_buff *skb)
1872 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1874 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1880 hdev->le_num_of_adv_sets = rp->num_of_sets;
1885 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1886 struct sk_buff *skb)
1888 struct hci_rp_le_read_accept_list_size *rp = data;
1890 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1895 hdev->le_accept_list_size = rp->size;
1900 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1901 struct sk_buff *skb)
1903 struct hci_ev_status *rp = data;
1905 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1911 hci_bdaddr_list_clear(&hdev->le_accept_list);
1912 hci_dev_unlock(hdev);
1917 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1918 struct sk_buff *skb)
1920 struct hci_cp_le_add_to_accept_list *sent;
1921 struct hci_ev_status *rp = data;
1923 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1928 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1933 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1935 hci_dev_unlock(hdev);
1940 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1941 struct sk_buff *skb)
1943 struct hci_cp_le_del_from_accept_list *sent;
1944 struct hci_ev_status *rp = data;
1946 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1951 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1956 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1958 hci_dev_unlock(hdev);
1963 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1964 struct sk_buff *skb)
1966 struct hci_rp_le_read_supported_states *rp = data;
1968 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1973 memcpy(hdev->le_states, rp->le_states, 8);
1978 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1979 struct sk_buff *skb)
1981 struct hci_rp_le_read_def_data_len *rp = data;
1983 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1988 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1989 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1994 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1995 struct sk_buff *skb)
1997 struct hci_cp_le_write_def_data_len *sent;
1998 struct hci_ev_status *rp = data;
2000 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2005 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2009 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2010 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2015 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2016 struct sk_buff *skb)
2018 struct hci_cp_le_add_to_resolv_list *sent;
2019 struct hci_ev_status *rp = data;
2021 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2026 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2031 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2032 sent->bdaddr_type, sent->peer_irk,
2034 hci_dev_unlock(hdev);
2039 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2040 struct sk_buff *skb)
2042 struct hci_cp_le_del_from_resolv_list *sent;
2043 struct hci_ev_status *rp = data;
2045 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2050 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2055 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2057 hci_dev_unlock(hdev);
2062 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2063 struct sk_buff *skb)
2065 struct hci_ev_status *rp = data;
2067 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2073 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2074 hci_dev_unlock(hdev);
2079 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2080 struct sk_buff *skb)
2082 struct hci_rp_le_read_resolv_list_size *rp = data;
2084 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2089 hdev->le_resolv_list_size = rp->size;
2094 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2095 struct sk_buff *skb)
2097 struct hci_ev_status *rp = data;
2100 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2105 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2112 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2114 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2116 hci_dev_unlock(hdev);
2121 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2122 struct sk_buff *skb)
2124 struct hci_rp_le_read_max_data_len *rp = data;
2126 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2131 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2132 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2133 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2134 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2139 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2140 struct sk_buff *skb)
2142 struct hci_cp_write_le_host_supported *sent;
2143 struct hci_ev_status *rp = data;
2145 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2157 hdev->features[1][0] |= LMP_HOST_LE;
2158 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2160 hdev->features[1][0] &= ~LMP_HOST_LE;
2161 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2162 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2166 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2168 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2170 hci_dev_unlock(hdev);
2175 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2176 struct sk_buff *skb)
2178 struct hci_cp_le_set_adv_param *cp;
2179 struct hci_ev_status *rp = data;
2181 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2191 hdev->adv_addr_type = cp->own_address_type;
2192 hci_dev_unlock(hdev);
2197 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2198 struct sk_buff *skb)
2200 struct hci_rp_le_set_ext_adv_params *rp = data;
2201 struct hci_cp_le_set_ext_adv_params *cp;
2202 struct adv_info *adv_instance;
2204 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2209 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2214 hdev->adv_addr_type = cp->own_addr_type;
2216 /* Store in hdev for instance 0 */
2217 hdev->adv_tx_power = rp->tx_power;
2219 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2221 adv_instance->tx_power = rp->tx_power;
2223 /* Update adv data as tx power is known now */
2224 hci_update_adv_data(hdev, cp->handle);
2226 hci_dev_unlock(hdev);
2231 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2232 struct sk_buff *skb)
2234 struct hci_rp_read_rssi *rp = data;
2235 struct hci_conn *conn;
2237 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2244 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2246 conn->rssi = rp->rssi;
2248 hci_dev_unlock(hdev);
2253 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2254 struct sk_buff *skb)
2256 struct hci_cp_read_tx_power *sent;
2257 struct hci_rp_read_tx_power *rp = data;
2258 struct hci_conn *conn;
2260 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2265 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2271 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2275 switch (sent->type) {
2277 conn->tx_power = rp->tx_power;
2280 conn->max_tx_power = rp->tx_power;
2285 hci_dev_unlock(hdev);
2289 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2290 struct sk_buff *skb)
2292 struct hci_ev_status *rp = data;
2295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2300 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2302 hdev->ssp_debug_mode = *mode;
2307 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2309 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2314 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2315 set_bit(HCI_INQUIRY, &hdev->flags);
2318 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2320 struct hci_cp_create_conn *cp;
2321 struct hci_conn *conn;
2323 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2325 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2331 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2333 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2336 if (conn && conn->state == BT_CONNECT) {
2337 conn->state = BT_CLOSED;
2338 hci_connect_cfm(conn, status);
2343 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2346 bt_dev_err(hdev, "no memory for new connection");
2350 hci_dev_unlock(hdev);
2353 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2355 struct hci_cp_add_sco *cp;
2356 struct hci_conn *acl;
2357 struct hci_link *link;
2360 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2365 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2369 handle = __le16_to_cpu(cp->handle);
2371 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2375 acl = hci_conn_hash_lookup_handle(hdev, handle);
2377 link = list_first_entry_or_null(&acl->link_list,
2378 struct hci_link, list);
2379 if (link && link->conn) {
2380 link->conn->state = BT_CLOSED;
2382 hci_connect_cfm(link->conn, status);
2383 hci_conn_del(link->conn);
2387 hci_dev_unlock(hdev);
2390 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2392 struct hci_cp_auth_requested *cp;
2393 struct hci_conn *conn;
2395 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2400 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2406 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2408 if (conn->state == BT_CONFIG) {
2409 hci_connect_cfm(conn, status);
2410 hci_conn_drop(conn);
2414 hci_dev_unlock(hdev);
2417 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2419 struct hci_cp_set_conn_encrypt *cp;
2420 struct hci_conn *conn;
2422 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2427 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2433 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2435 if (conn->state == BT_CONFIG) {
2436 hci_connect_cfm(conn, status);
2437 hci_conn_drop(conn);
2441 hci_dev_unlock(hdev);
2444 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2445 struct hci_conn *conn)
2447 if (conn->state != BT_CONFIG || !conn->out)
2450 if (conn->pending_sec_level == BT_SECURITY_SDP)
2453 /* Only request authentication for SSP connections or non-SSP
2454 * devices with sec_level MEDIUM or HIGH or if MITM protection
2457 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2458 conn->pending_sec_level != BT_SECURITY_FIPS &&
2459 conn->pending_sec_level != BT_SECURITY_HIGH &&
2460 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2466 static int hci_resolve_name(struct hci_dev *hdev,
2467 struct inquiry_entry *e)
2469 struct hci_cp_remote_name_req cp;
2471 memset(&cp, 0, sizeof(cp));
2473 bacpy(&cp.bdaddr, &e->data.bdaddr);
2474 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2475 cp.pscan_mode = e->data.pscan_mode;
2476 cp.clock_offset = e->data.clock_offset;
2478 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2481 static bool hci_resolve_next_name(struct hci_dev *hdev)
2483 struct discovery_state *discov = &hdev->discovery;
2484 struct inquiry_entry *e;
2486 if (list_empty(&discov->resolve))
2489 /* We should stop if we already spent too much time resolving names. */
2490 if (time_after(jiffies, discov->name_resolve_timeout)) {
2491 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2495 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2499 if (hci_resolve_name(hdev, e) == 0) {
2500 e->name_state = NAME_PENDING;
2507 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2508 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2510 struct discovery_state *discov = &hdev->discovery;
2511 struct inquiry_entry *e;
2513 /* Update the mgmt connected state if necessary. Be careful with
2514 * conn objects that exist but are not (yet) connected however.
2515 * Only those in BT_CONFIG or BT_CONNECTED states can be
2516 * considered connected.
2518 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED))
2519 mgmt_device_connected(hdev, conn, name, name_len);
2521 if (discov->state == DISCOVERY_STOPPED)
2524 if (discov->state == DISCOVERY_STOPPING)
2525 goto discov_complete;
2527 if (discov->state != DISCOVERY_RESOLVING)
2530 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2531 /* If the device was not found in a list of found devices names of which
2532 * are pending. there is no need to continue resolving a next name as it
2533 * will be done upon receiving another Remote Name Request Complete
2540 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2541 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2544 if (hci_resolve_next_name(hdev))
2548 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2551 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2553 struct hci_cp_remote_name_req *cp;
2554 struct hci_conn *conn;
2556 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2558 /* If successful wait for the name req complete event before
2559 * checking for the need to do authentication */
2563 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2569 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2571 if (hci_dev_test_flag(hdev, HCI_MGMT))
2572 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2577 if (!hci_outgoing_auth_needed(hdev, conn))
2580 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2581 struct hci_cp_auth_requested auth_cp;
2583 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2585 auth_cp.handle = __cpu_to_le16(conn->handle);
2586 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2587 sizeof(auth_cp), &auth_cp);
2591 hci_dev_unlock(hdev);
2594 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2596 struct hci_cp_read_remote_features *cp;
2597 struct hci_conn *conn;
2599 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2604 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2610 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2612 if (conn->state == BT_CONFIG) {
2613 hci_connect_cfm(conn, status);
2614 hci_conn_drop(conn);
2618 hci_dev_unlock(hdev);
2621 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2623 struct hci_cp_read_remote_ext_features *cp;
2624 struct hci_conn *conn;
2626 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2631 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2637 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2639 if (conn->state == BT_CONFIG) {
2640 hci_connect_cfm(conn, status);
2641 hci_conn_drop(conn);
2645 hci_dev_unlock(hdev);
2648 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2651 struct hci_conn *acl;
2652 struct hci_link *link;
2654 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2658 acl = hci_conn_hash_lookup_handle(hdev, handle);
2660 link = list_first_entry_or_null(&acl->link_list,
2661 struct hci_link, list);
2662 if (link && link->conn) {
2663 link->conn->state = BT_CLOSED;
2665 hci_connect_cfm(link->conn, status);
2666 hci_conn_del(link->conn);
2670 hci_dev_unlock(hdev);
2673 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2675 struct hci_cp_setup_sync_conn *cp;
2677 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2682 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2686 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2689 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2691 struct hci_cp_enhanced_setup_sync_conn *cp;
2693 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2698 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2702 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2705 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2707 struct hci_cp_sniff_mode *cp;
2708 struct hci_conn *conn;
2710 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2715 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2721 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2723 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2725 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2726 hci_sco_setup(conn, status);
2729 hci_dev_unlock(hdev);
2732 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2734 struct hci_cp_exit_sniff_mode *cp;
2735 struct hci_conn *conn;
2737 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2742 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2748 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2750 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2752 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2753 hci_sco_setup(conn, status);
2756 hci_dev_unlock(hdev);
2759 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2761 struct hci_cp_disconnect *cp;
2762 struct hci_conn_params *params;
2763 struct hci_conn *conn;
2766 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2768 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2769 * otherwise cleanup the connection immediately.
2771 if (!status && !hdev->suspended)
2774 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2780 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2785 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2786 conn->dst_type, status);
2788 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2789 hdev->cur_adv_instance = conn->adv_instance;
2790 hci_enable_advertising(hdev);
2793 /* Inform sockets conn is gone before we delete it */
2794 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2799 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2801 if (conn->type == ACL_LINK) {
2802 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2803 hci_remove_link_key(hdev, &conn->dst);
2806 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2808 switch (params->auto_connect) {
2809 case HCI_AUTO_CONN_LINK_LOSS:
2810 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2814 case HCI_AUTO_CONN_DIRECT:
2815 case HCI_AUTO_CONN_ALWAYS:
2816 hci_pend_le_list_del_init(params);
2817 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2825 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2826 cp->reason, mgmt_conn);
2828 hci_disconn_cfm(conn, cp->reason);
2831 /* If the disconnection failed for any reason, the upper layer
2832 * does not retry to disconnect in current implementation.
2833 * Hence, we need to do some basic cleanup here and re-enable
2834 * advertising if necessary.
2838 hci_dev_unlock(hdev);
2841 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2843 /* When using controller based address resolution, then the new
2844 * address types 0x02 and 0x03 are used. These types need to be
2845 * converted back into either public address or random address type
2848 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2851 return ADDR_LE_DEV_PUBLIC;
2852 case ADDR_LE_DEV_RANDOM_RESOLVED:
2855 return ADDR_LE_DEV_RANDOM;
2863 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2864 u8 peer_addr_type, u8 own_address_type,
2867 struct hci_conn *conn;
2869 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2874 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2876 /* Store the initiator and responder address information which
2877 * is needed for SMP. These values will not change during the
2878 * lifetime of the connection.
2880 conn->init_addr_type = own_address_type;
2881 if (own_address_type == ADDR_LE_DEV_RANDOM)
2882 bacpy(&conn->init_addr, &hdev->random_addr);
2884 bacpy(&conn->init_addr, &hdev->bdaddr);
2886 conn->resp_addr_type = peer_addr_type;
2887 bacpy(&conn->resp_addr, peer_addr);
2890 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2892 struct hci_cp_le_create_conn *cp;
2894 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2896 /* All connection failure handling is taken care of by the
2897 * hci_conn_failed function which is triggered by the HCI
2898 * request completion callbacks used for connecting.
2903 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2909 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2910 cp->own_address_type, cp->filter_policy);
2912 hci_dev_unlock(hdev);
2915 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2917 struct hci_cp_le_ext_create_conn *cp;
2919 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2921 /* All connection failure handling is taken care of by the
2922 * hci_conn_failed function which is triggered by the HCI
2923 * request completion callbacks used for connecting.
2928 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2934 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2935 cp->own_addr_type, cp->filter_policy);
2937 hci_dev_unlock(hdev);
2940 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2942 struct hci_cp_le_read_remote_features *cp;
2943 struct hci_conn *conn;
2945 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2950 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2956 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2958 if (conn->state == BT_CONFIG) {
2959 hci_connect_cfm(conn, status);
2960 hci_conn_drop(conn);
2964 hci_dev_unlock(hdev);
2967 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2969 struct hci_cp_le_start_enc *cp;
2970 struct hci_conn *conn;
2972 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2979 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2983 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2987 if (conn->state != BT_CONNECTED)
2990 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2991 hci_conn_drop(conn);
2994 hci_dev_unlock(hdev);
2997 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2999 struct hci_cp_switch_role *cp;
3000 struct hci_conn *conn;
3002 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3007 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3013 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3015 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3017 hci_dev_unlock(hdev);
3020 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3021 struct sk_buff *skb)
3023 struct hci_ev_status *ev = data;
3024 struct discovery_state *discov = &hdev->discovery;
3025 struct inquiry_entry *e;
3027 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3029 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3032 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3033 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3035 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3040 if (discov->state != DISCOVERY_FINDING)
3043 if (list_empty(&discov->resolve)) {
3044 /* When BR/EDR inquiry is active and no LE scanning is in
3045 * progress, then change discovery state to indicate completion.
3047 * When running LE scanning and BR/EDR inquiry simultaneously
3048 * and the LE scan already finished, then change the discovery
3049 * state to indicate completion.
3051 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3052 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3053 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3057 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3058 if (e && hci_resolve_name(hdev, e) == 0) {
3059 e->name_state = NAME_PENDING;
3060 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3061 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3063 /* When BR/EDR inquiry is active and no LE scanning is in
3064 * progress, then change discovery state to indicate completion.
3066 * When running LE scanning and BR/EDR inquiry simultaneously
3067 * and the LE scan already finished, then change the discovery
3068 * state to indicate completion.
3070 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3071 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3072 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3076 hci_dev_unlock(hdev);
3079 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3080 struct sk_buff *skb)
3082 struct hci_ev_inquiry_result *ev = edata;
3083 struct inquiry_data data;
3086 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3087 flex_array_size(ev, info, ev->num)))
3090 bt_dev_dbg(hdev, "num %d", ev->num);
3095 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3100 for (i = 0; i < ev->num; i++) {
3101 struct inquiry_info *info = &ev->info[i];
3104 bacpy(&data.bdaddr, &info->bdaddr);
3105 data.pscan_rep_mode = info->pscan_rep_mode;
3106 data.pscan_period_mode = info->pscan_period_mode;
3107 data.pscan_mode = info->pscan_mode;
3108 memcpy(data.dev_class, info->dev_class, 3);
3109 data.clock_offset = info->clock_offset;
3110 data.rssi = HCI_RSSI_INVALID;
3111 data.ssp_mode = 0x00;
3113 flags = hci_inquiry_cache_update(hdev, &data, false);
3115 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3116 info->dev_class, HCI_RSSI_INVALID,
3117 flags, NULL, 0, NULL, 0, 0);
3120 hci_dev_unlock(hdev);
3123 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3124 struct sk_buff *skb)
3126 struct hci_ev_conn_complete *ev = data;
3127 struct hci_conn *conn;
3128 u8 status = ev->status;
3130 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3134 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3136 /* In case of error status and there is no connection pending
3137 * just unlock as there is nothing to cleanup.
3142 /* Connection may not exist if auto-connected. Check the bredr
3143 * allowlist to see if this device is allowed to auto connect.
3144 * If link is an ACL type, create a connection class
3147 * Auto-connect will only occur if the event filter is
3148 * programmed with a given address. Right now, event filter is
3149 * only used during suspend.
3151 if (ev->link_type == ACL_LINK &&
3152 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3155 conn = hci_conn_add_unset(hdev, ev->link_type,
3156 &ev->bdaddr, HCI_ROLE_SLAVE);
3158 bt_dev_err(hdev, "no memory for new conn");
3162 if (ev->link_type != SCO_LINK)
3165 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3170 conn->type = SCO_LINK;
3174 /* The HCI_Connection_Complete event is only sent once per connection.
3175 * Processing it more than once per connection can corrupt kernel memory.
3177 * As the connection handle is set here for the first time, it indicates
3178 * whether the connection is already set up.
3180 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3181 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3186 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3190 if (conn->type == ACL_LINK) {
3191 conn->state = BT_CONFIG;
3192 hci_conn_hold(conn);
3194 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3195 !hci_find_link_key(hdev, &ev->bdaddr))
3196 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3198 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3200 conn->state = BT_CONNECTED;
3202 hci_debugfs_create_conn(conn);
3203 hci_conn_add_sysfs(conn);
3205 if (test_bit(HCI_AUTH, &hdev->flags))
3206 set_bit(HCI_CONN_AUTH, &conn->flags);
3208 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3209 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3211 /* Get remote features */
3212 if (conn->type == ACL_LINK) {
3213 struct hci_cp_read_remote_features cp;
3214 cp.handle = ev->handle;
3215 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3218 hci_update_scan(hdev);
3221 /* Set packet type for incoming connection */
3222 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3223 struct hci_cp_change_conn_ptype cp;
3224 cp.handle = ev->handle;
3225 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3226 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3231 if (conn->type == ACL_LINK)
3232 hci_sco_setup(conn, ev->status);
3236 hci_conn_failed(conn, status);
3237 } else if (ev->link_type == SCO_LINK) {
3238 switch (conn->setting & SCO_AIRMODE_MASK) {
3239 case SCO_AIRMODE_CVSD:
3241 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3245 hci_connect_cfm(conn, status);
3249 hci_dev_unlock(hdev);
3252 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3254 struct hci_cp_reject_conn_req cp;
3256 bacpy(&cp.bdaddr, bdaddr);
3257 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3258 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3261 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3262 struct sk_buff *skb)
3264 struct hci_ev_conn_request *ev = data;
3265 int mask = hdev->link_mode;
3266 struct inquiry_entry *ie;
3267 struct hci_conn *conn;
3270 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3272 /* Reject incoming connection from device with same BD ADDR against
3275 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3276 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3278 hci_reject_conn(hdev, &ev->bdaddr);
3282 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3285 if (!(mask & HCI_LM_ACCEPT)) {
3286 hci_reject_conn(hdev, &ev->bdaddr);
3292 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3294 hci_reject_conn(hdev, &ev->bdaddr);
3298 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3299 * connection. These features are only touched through mgmt so
3300 * only do the checks if HCI_MGMT is set.
3302 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3303 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3304 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3306 hci_reject_conn(hdev, &ev->bdaddr);
3310 /* Connection accepted */
3312 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3314 memcpy(ie->data.dev_class, ev->dev_class, 3);
3316 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3319 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3322 bt_dev_err(hdev, "no memory for new connection");
3327 memcpy(conn->dev_class, ev->dev_class, 3);
3329 hci_dev_unlock(hdev);
3331 if (ev->link_type == ACL_LINK ||
3332 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3333 struct hci_cp_accept_conn_req cp;
3334 conn->state = BT_CONNECT;
3336 bacpy(&cp.bdaddr, &ev->bdaddr);
3338 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3339 cp.role = 0x00; /* Become central */
3341 cp.role = 0x01; /* Remain peripheral */
3343 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3344 } else if (!(flags & HCI_PROTO_DEFER)) {
3345 struct hci_cp_accept_sync_conn_req cp;
3346 conn->state = BT_CONNECT;
3348 bacpy(&cp.bdaddr, &ev->bdaddr);
3349 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3351 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3352 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3353 cp.max_latency = cpu_to_le16(0xffff);
3354 cp.content_format = cpu_to_le16(hdev->voice_setting);
3355 cp.retrans_effort = 0xff;
3357 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3360 conn->state = BT_CONNECT2;
3361 hci_connect_cfm(conn, 0);
3366 hci_dev_unlock(hdev);
3369 static u8 hci_to_mgmt_reason(u8 err)
3372 case HCI_ERROR_CONNECTION_TIMEOUT:
3373 return MGMT_DEV_DISCONN_TIMEOUT;
3374 case HCI_ERROR_REMOTE_USER_TERM:
3375 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3376 case HCI_ERROR_REMOTE_POWER_OFF:
3377 return MGMT_DEV_DISCONN_REMOTE;
3378 case HCI_ERROR_LOCAL_HOST_TERM:
3379 return MGMT_DEV_DISCONN_LOCAL_HOST;
3381 return MGMT_DEV_DISCONN_UNKNOWN;
3385 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3386 struct sk_buff *skb)
3388 struct hci_ev_disconn_complete *ev = data;
3390 struct hci_conn_params *params;
3391 struct hci_conn *conn;
3392 bool mgmt_connected;
3394 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3398 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3403 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3404 conn->dst_type, ev->status);
3408 conn->state = BT_CLOSED;
3410 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3412 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3413 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3415 reason = hci_to_mgmt_reason(ev->reason);
3417 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3418 reason, mgmt_connected);
3420 if (conn->type == ACL_LINK) {
3421 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3422 hci_remove_link_key(hdev, &conn->dst);
3424 hci_update_scan(hdev);
3427 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3429 switch (params->auto_connect) {
3430 case HCI_AUTO_CONN_LINK_LOSS:
3431 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3435 case HCI_AUTO_CONN_DIRECT:
3436 case HCI_AUTO_CONN_ALWAYS:
3437 hci_pend_le_list_del_init(params);
3438 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3439 hci_update_passive_scan(hdev);
3447 hci_disconn_cfm(conn, ev->reason);
3449 /* Re-enable advertising if necessary, since it might
3450 * have been disabled by the connection. From the
3451 * HCI_LE_Set_Advertise_Enable command description in
3452 * the core specification (v4.0):
3453 * "The Controller shall continue advertising until the Host
3454 * issues an LE_Set_Advertise_Enable command with
3455 * Advertising_Enable set to 0x00 (Advertising is disabled)
3456 * or until a connection is created or until the Advertising
3457 * is timed out due to Directed Advertising."
3459 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3460 hdev->cur_adv_instance = conn->adv_instance;
3461 hci_enable_advertising(hdev);
3467 hci_dev_unlock(hdev);
3470 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3471 struct sk_buff *skb)
3473 struct hci_ev_auth_complete *ev = data;
3474 struct hci_conn *conn;
3476 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3480 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3485 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3486 set_bit(HCI_CONN_AUTH, &conn->flags);
3487 conn->sec_level = conn->pending_sec_level;
3489 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3490 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3492 mgmt_auth_failed(conn, ev->status);
3495 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3497 if (conn->state == BT_CONFIG) {
3498 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3499 struct hci_cp_set_conn_encrypt cp;
3500 cp.handle = ev->handle;
3502 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3505 conn->state = BT_CONNECTED;
3506 hci_connect_cfm(conn, ev->status);
3507 hci_conn_drop(conn);
3510 hci_auth_cfm(conn, ev->status);
3512 hci_conn_hold(conn);
3513 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3514 hci_conn_drop(conn);
3517 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3519 struct hci_cp_set_conn_encrypt cp;
3520 cp.handle = ev->handle;
3522 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3525 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3526 hci_encrypt_cfm(conn, ev->status);
3531 hci_dev_unlock(hdev);
3534 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3535 struct sk_buff *skb)
3537 struct hci_ev_remote_name *ev = data;
3538 struct hci_conn *conn;
3540 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3544 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3546 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3549 if (ev->status == 0)
3550 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3551 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3553 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3559 if (!hci_outgoing_auth_needed(hdev, conn))
3562 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3563 struct hci_cp_auth_requested cp;
3565 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3567 cp.handle = __cpu_to_le16(conn->handle);
3568 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3572 hci_dev_unlock(hdev);
3575 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3576 struct sk_buff *skb)
3578 struct hci_ev_encrypt_change *ev = data;
3579 struct hci_conn *conn;
3581 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3585 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3591 /* Encryption implies authentication */
3592 set_bit(HCI_CONN_AUTH, &conn->flags);
3593 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3594 conn->sec_level = conn->pending_sec_level;
3596 /* P-256 authentication key implies FIPS */
3597 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3598 set_bit(HCI_CONN_FIPS, &conn->flags);
3600 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3601 conn->type == LE_LINK)
3602 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3604 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3605 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3609 /* We should disregard the current RPA and generate a new one
3610 * whenever the encryption procedure fails.
3612 if (ev->status && conn->type == LE_LINK) {
3613 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3614 hci_adv_instances_set_rpa_expired(hdev, true);
3617 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3619 /* Check link security requirements are met */
3620 if (!hci_conn_check_link_mode(conn))
3621 ev->status = HCI_ERROR_AUTH_FAILURE;
3623 if (ev->status && conn->state == BT_CONNECTED) {
3624 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3625 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3627 /* Notify upper layers so they can cleanup before
3630 hci_encrypt_cfm(conn, ev->status);
3631 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3632 hci_conn_drop(conn);
3636 /* Try reading the encryption key size for encrypted ACL links */
3637 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3638 struct hci_cp_read_enc_key_size cp;
3640 /* Only send HCI_Read_Encryption_Key_Size if the
3641 * controller really supports it. If it doesn't, assume
3642 * the default size (16).
3644 if (!(hdev->commands[20] & 0x10) ||
3645 test_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &hdev->quirks)) {
3646 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3650 cp.handle = cpu_to_le16(conn->handle);
3651 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3653 bt_dev_err(hdev, "sending read key size failed");
3654 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3661 /* Set the default Authenticated Payload Timeout after
3662 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3663 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3664 * sent when the link is active and Encryption is enabled, the conn
3665 * type can be either LE or ACL and controller must support LMP Ping.
3666 * Ensure for AES-CCM encryption as well.
3668 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3669 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3670 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3671 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3672 struct hci_cp_write_auth_payload_to cp;
3674 cp.handle = cpu_to_le16(conn->handle);
3675 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3676 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3678 bt_dev_err(hdev, "write auth payload timeout failed");
3682 hci_encrypt_cfm(conn, ev->status);
3685 hci_dev_unlock(hdev);
3688 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3689 struct sk_buff *skb)
3691 struct hci_ev_change_link_key_complete *ev = data;
3692 struct hci_conn *conn;
3694 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3698 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3701 set_bit(HCI_CONN_SECURE, &conn->flags);
3703 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3705 hci_key_change_cfm(conn, ev->status);
3708 hci_dev_unlock(hdev);
3711 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3712 struct sk_buff *skb)
3714 struct hci_ev_remote_features *ev = data;
3715 struct hci_conn *conn;
3717 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3721 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3726 memcpy(conn->features[0], ev->features, 8);
3728 if (conn->state != BT_CONFIG)
3731 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3732 lmp_ext_feat_capable(conn)) {
3733 struct hci_cp_read_remote_ext_features cp;
3734 cp.handle = ev->handle;
3736 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3741 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3742 struct hci_cp_remote_name_req cp;
3743 memset(&cp, 0, sizeof(cp));
3744 bacpy(&cp.bdaddr, &conn->dst);
3745 cp.pscan_rep_mode = 0x02;
3746 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3748 mgmt_device_connected(hdev, conn, NULL, 0);
3751 if (!hci_outgoing_auth_needed(hdev, conn)) {
3752 conn->state = BT_CONNECTED;
3753 hci_connect_cfm(conn, ev->status);
3754 hci_conn_drop(conn);
3758 hci_dev_unlock(hdev);
3761 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3763 cancel_delayed_work(&hdev->cmd_timer);
3766 if (!test_bit(HCI_RESET, &hdev->flags)) {
3768 cancel_delayed_work(&hdev->ncmd_timer);
3769 atomic_set(&hdev->cmd_cnt, 1);
3771 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3772 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3779 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3780 struct sk_buff *skb)
3782 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3784 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3789 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3790 hdev->le_pkts = rp->acl_max_pkt;
3791 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3792 hdev->iso_pkts = rp->iso_max_pkt;
3794 hdev->le_cnt = hdev->le_pkts;
3795 hdev->iso_cnt = hdev->iso_pkts;
3797 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3798 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3803 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3805 struct hci_conn *conn, *tmp;
3807 lockdep_assert_held(&hdev->lock);
3809 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3810 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3811 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3814 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3815 hci_conn_failed(conn, status);
3819 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3820 struct sk_buff *skb)
3822 struct hci_rp_le_set_cig_params *rp = data;
3823 struct hci_cp_le_set_cig_params *cp;
3824 struct hci_conn *conn;
3825 u8 status = rp->status;
3826 bool pending = false;
3829 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3831 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3832 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3833 rp->cig_id != cp->cig_id)) {
3834 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3835 status = HCI_ERROR_UNSPECIFIED;
3840 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3842 * If the Status return parameter is non-zero, then the state of the CIG
3843 * and its CIS configurations shall not be changed by the command. If
3844 * the CIG did not already exist, it shall not be created.
3847 /* Keep current configuration, fail only the unbound CIS */
3848 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3852 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3854 * If the Status return parameter is zero, then the Controller shall
3855 * set the Connection_Handle arrayed return parameter to the connection
3856 * handle(s) corresponding to the CIS configurations specified in
3857 * the CIS_IDs command parameter, in the same order.
3859 for (i = 0; i < rp->num_handles; ++i) {
3860 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3862 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3865 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3868 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3871 if (conn->state == BT_CONNECT)
3877 hci_le_create_cis_pending(hdev);
3879 hci_dev_unlock(hdev);
3884 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3885 struct sk_buff *skb)
3887 struct hci_rp_le_setup_iso_path *rp = data;
3888 struct hci_cp_le_setup_iso_path *cp;
3889 struct hci_conn *conn;
3891 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3893 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3899 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3904 hci_connect_cfm(conn, rp->status);
3909 switch (cp->direction) {
3910 /* Input (Host to Controller) */
3912 /* Only confirm connection if output only */
3913 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3914 hci_connect_cfm(conn, rp->status);
3916 /* Output (Controller to Host) */
3918 /* Confirm connection since conn->iso_qos is always configured
3921 hci_connect_cfm(conn, rp->status);
3923 /* Notify device connected in case it is a BIG Sync */
3924 if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
3925 mgmt_device_connected(hdev, conn, NULL, 0);
3931 hci_dev_unlock(hdev);
3935 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3937 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3940 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3941 struct sk_buff *skb)
3943 struct hci_ev_status *rp = data;
3944 struct hci_cp_le_set_per_adv_params *cp;
3946 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3951 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3955 /* TODO: set the conn state */
3959 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3960 struct sk_buff *skb)
3962 struct hci_ev_status *rp = data;
3963 struct hci_cp_le_set_per_adv_enable *cp;
3964 struct adv_info *adv = NULL, *n;
3967 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3972 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3978 adv = hci_find_adv_instance(hdev, cp->handle);
3981 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
3984 adv->enabled = true;
3986 /* If just one instance was disabled check if there are
3987 * any other instance enabled before clearing HCI_LE_PER_ADV.
3988 * The current periodic adv instance will be marked as
3989 * disabled once extended advertising is also disabled.
3991 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
3993 if (adv->periodic && adv->enabled)
3997 if (per_adv_cnt > 1)
4000 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4004 hci_dev_unlock(hdev);
4009 #define HCI_CC_VL(_op, _func, _min, _max) \
4017 #define HCI_CC(_op, _func, _len) \
4018 HCI_CC_VL(_op, _func, _len, _len)
4020 #define HCI_CC_STATUS(_op, _func) \
4021 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4023 static const struct hci_cc {
4025 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4028 } hci_cc_table[] = {
4029 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4030 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4031 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4032 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4033 hci_cc_remote_name_req_cancel),
4034 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4035 sizeof(struct hci_rp_role_discovery)),
4036 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4037 sizeof(struct hci_rp_read_link_policy)),
4038 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4039 sizeof(struct hci_rp_write_link_policy)),
4040 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4041 sizeof(struct hci_rp_read_def_link_policy)),
4042 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4043 hci_cc_write_def_link_policy),
4044 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4045 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4046 sizeof(struct hci_rp_read_stored_link_key)),
4047 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4048 sizeof(struct hci_rp_delete_stored_link_key)),
4049 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4050 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4051 sizeof(struct hci_rp_read_local_name)),
4052 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4053 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4054 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4055 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4056 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4057 sizeof(struct hci_rp_read_class_of_dev)),
4058 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4059 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4060 sizeof(struct hci_rp_read_voice_setting)),
4061 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4062 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4063 sizeof(struct hci_rp_read_num_supported_iac)),
4064 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4065 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4066 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4067 sizeof(struct hci_rp_read_auth_payload_to)),
4068 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4069 sizeof(struct hci_rp_write_auth_payload_to)),
4070 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4071 sizeof(struct hci_rp_read_local_version)),
4072 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4073 sizeof(struct hci_rp_read_local_commands)),
4074 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4075 sizeof(struct hci_rp_read_local_features)),
4076 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4077 sizeof(struct hci_rp_read_local_ext_features)),
4078 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4079 sizeof(struct hci_rp_read_buffer_size)),
4080 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4081 sizeof(struct hci_rp_read_bd_addr)),
4082 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4083 sizeof(struct hci_rp_read_local_pairing_opts)),
4084 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4085 sizeof(struct hci_rp_read_page_scan_activity)),
4086 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4087 hci_cc_write_page_scan_activity),
4088 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4089 sizeof(struct hci_rp_read_page_scan_type)),
4090 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4091 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4092 sizeof(struct hci_rp_read_data_block_size)),
4093 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4094 sizeof(struct hci_rp_read_flow_control_mode)),
4095 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4096 sizeof(struct hci_rp_read_local_amp_info)),
4097 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4098 sizeof(struct hci_rp_read_clock)),
4099 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4100 sizeof(struct hci_rp_read_enc_key_size)),
4101 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4102 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4103 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4104 hci_cc_read_def_err_data_reporting,
4105 sizeof(struct hci_rp_read_def_err_data_reporting)),
4106 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4107 hci_cc_write_def_err_data_reporting),
4108 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4109 sizeof(struct hci_rp_pin_code_reply)),
4110 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4111 sizeof(struct hci_rp_pin_code_neg_reply)),
4112 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4113 sizeof(struct hci_rp_read_local_oob_data)),
4114 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4115 sizeof(struct hci_rp_read_local_oob_ext_data)),
4116 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4117 sizeof(struct hci_rp_le_read_buffer_size)),
4118 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4119 sizeof(struct hci_rp_le_read_local_features)),
4120 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4121 sizeof(struct hci_rp_le_read_adv_tx_power)),
4122 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4123 sizeof(struct hci_rp_user_confirm_reply)),
4124 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4125 sizeof(struct hci_rp_user_confirm_reply)),
4126 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4127 sizeof(struct hci_rp_user_confirm_reply)),
4128 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4129 sizeof(struct hci_rp_user_confirm_reply)),
4130 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4131 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4132 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4133 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4134 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4135 hci_cc_le_read_accept_list_size,
4136 sizeof(struct hci_rp_le_read_accept_list_size)),
4137 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4138 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4139 hci_cc_le_add_to_accept_list),
4140 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4141 hci_cc_le_del_from_accept_list),
4142 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4143 sizeof(struct hci_rp_le_read_supported_states)),
4144 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4145 sizeof(struct hci_rp_le_read_def_data_len)),
4146 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4147 hci_cc_le_write_def_data_len),
4148 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4149 hci_cc_le_add_to_resolv_list),
4150 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4151 hci_cc_le_del_from_resolv_list),
4152 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4153 hci_cc_le_clear_resolv_list),
4154 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4155 sizeof(struct hci_rp_le_read_resolv_list_size)),
4156 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4157 hci_cc_le_set_addr_resolution_enable),
4158 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4159 sizeof(struct hci_rp_le_read_max_data_len)),
4160 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4161 hci_cc_write_le_host_supported),
4162 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4163 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4164 sizeof(struct hci_rp_read_rssi)),
4165 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4166 sizeof(struct hci_rp_read_tx_power)),
4167 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4168 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4169 hci_cc_le_set_ext_scan_param),
4170 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4171 hci_cc_le_set_ext_scan_enable),
4172 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4173 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4174 hci_cc_le_read_num_adv_sets,
4175 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4176 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4177 sizeof(struct hci_rp_le_set_ext_adv_params)),
4178 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4179 hci_cc_le_set_ext_adv_enable),
4180 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4181 hci_cc_le_set_adv_set_random_addr),
4182 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4183 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4184 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4185 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4186 hci_cc_le_set_per_adv_enable),
4187 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4188 sizeof(struct hci_rp_le_read_transmit_power)),
4189 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4190 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4191 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4192 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4193 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4194 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4195 sizeof(struct hci_rp_le_setup_iso_path)),
4198 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4199 struct sk_buff *skb)
4203 if (skb->len < cc->min_len) {
4204 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4205 cc->op, skb->len, cc->min_len);
4206 return HCI_ERROR_UNSPECIFIED;
4209 /* Just warn if the length is over max_len size it still be possible to
4210 * partially parse the cc so leave to callback to decide if that is
4213 if (skb->len > cc->max_len)
4214 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4215 cc->op, skb->len, cc->max_len);
4217 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4219 return HCI_ERROR_UNSPECIFIED;
4221 return cc->func(hdev, data, skb);
4224 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4225 struct sk_buff *skb, u16 *opcode, u8 *status,
4226 hci_req_complete_t *req_complete,
4227 hci_req_complete_skb_t *req_complete_skb)
4229 struct hci_ev_cmd_complete *ev = data;
4232 *opcode = __le16_to_cpu(ev->opcode);
4234 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4236 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4237 if (hci_cc_table[i].op == *opcode) {
4238 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4243 if (i == ARRAY_SIZE(hci_cc_table)) {
4244 /* Unknown opcode, assume byte 0 contains the status, so
4245 * that e.g. __hci_cmd_sync() properly returns errors
4246 * for vendor specific commands send by HCI drivers.
4247 * If a vendor doesn't actually follow this convention we may
4248 * need to introduce a vendor CC table in order to properly set
4251 *status = skb->data[0];
4254 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4256 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4259 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4261 "unexpected event for opcode 0x%4.4x", *opcode);
4265 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4266 queue_work(hdev->workqueue, &hdev->cmd_work);
4269 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4271 struct hci_cp_le_create_cis *cp;
4272 bool pending = false;
4275 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4280 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4286 /* Remove connection if command failed */
4287 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4288 struct hci_conn *conn;
4291 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4293 conn = hci_conn_hash_lookup_handle(hdev, handle);
4295 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4298 conn->state = BT_CLOSED;
4299 hci_connect_cfm(conn, status);
4305 hci_le_create_cis_pending(hdev);
4307 hci_dev_unlock(hdev);
4310 #define HCI_CS(_op, _func) \
4316 static const struct hci_cs {
4318 void (*func)(struct hci_dev *hdev, __u8 status);
4319 } hci_cs_table[] = {
4320 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4321 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4322 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4323 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4324 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4325 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4326 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4327 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4328 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4329 hci_cs_read_remote_ext_features),
4330 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4331 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4332 hci_cs_enhanced_setup_sync_conn),
4333 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4334 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4335 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4336 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4337 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4338 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4339 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4340 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4341 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4344 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4345 struct sk_buff *skb, u16 *opcode, u8 *status,
4346 hci_req_complete_t *req_complete,
4347 hci_req_complete_skb_t *req_complete_skb)
4349 struct hci_ev_cmd_status *ev = data;
4352 *opcode = __le16_to_cpu(ev->opcode);
4353 *status = ev->status;
4355 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4357 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4358 if (hci_cs_table[i].op == *opcode) {
4359 hci_cs_table[i].func(hdev, ev->status);
4364 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4366 /* Indicate request completion if the command failed. Also, if
4367 * we're not waiting for a special event and we get a success
4368 * command status we should try to flag the request as completed
4369 * (since for this kind of commands there will not be a command
4372 if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
4373 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4375 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4376 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4382 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4383 queue_work(hdev->workqueue, &hdev->cmd_work);
4386 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4387 struct sk_buff *skb)
4389 struct hci_ev_hardware_error *ev = data;
4391 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4393 hdev->hw_error_code = ev->code;
4395 queue_work(hdev->req_workqueue, &hdev->error_reset);
4398 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4399 struct sk_buff *skb)
4401 struct hci_ev_role_change *ev = data;
4402 struct hci_conn *conn;
4404 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4408 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4411 conn->role = ev->role;
4413 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4415 hci_role_switch_cfm(conn, ev->status, ev->role);
4418 hci_dev_unlock(hdev);
4421 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4422 struct sk_buff *skb)
4424 struct hci_ev_num_comp_pkts *ev = data;
4427 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4428 flex_array_size(ev, handles, ev->num)))
4431 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4432 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4436 bt_dev_dbg(hdev, "num %d", ev->num);
4438 for (i = 0; i < ev->num; i++) {
4439 struct hci_comp_pkts_info *info = &ev->handles[i];
4440 struct hci_conn *conn;
4441 __u16 handle, count;
4443 handle = __le16_to_cpu(info->handle);
4444 count = __le16_to_cpu(info->count);
4446 conn = hci_conn_hash_lookup_handle(hdev, handle);
4450 conn->sent -= count;
4452 switch (conn->type) {
4454 hdev->acl_cnt += count;
4455 if (hdev->acl_cnt > hdev->acl_pkts)
4456 hdev->acl_cnt = hdev->acl_pkts;
4460 if (hdev->le_pkts) {
4461 hdev->le_cnt += count;
4462 if (hdev->le_cnt > hdev->le_pkts)
4463 hdev->le_cnt = hdev->le_pkts;
4465 hdev->acl_cnt += count;
4466 if (hdev->acl_cnt > hdev->acl_pkts)
4467 hdev->acl_cnt = hdev->acl_pkts;
4472 hdev->sco_cnt += count;
4473 if (hdev->sco_cnt > hdev->sco_pkts)
4474 hdev->sco_cnt = hdev->sco_pkts;
4478 if (hdev->iso_pkts) {
4479 hdev->iso_cnt += count;
4480 if (hdev->iso_cnt > hdev->iso_pkts)
4481 hdev->iso_cnt = hdev->iso_pkts;
4482 } else if (hdev->le_pkts) {
4483 hdev->le_cnt += count;
4484 if (hdev->le_cnt > hdev->le_pkts)
4485 hdev->le_cnt = hdev->le_pkts;
4487 hdev->acl_cnt += count;
4488 if (hdev->acl_cnt > hdev->acl_pkts)
4489 hdev->acl_cnt = hdev->acl_pkts;
4494 bt_dev_err(hdev, "unknown type %d conn %p",
4500 queue_work(hdev->workqueue, &hdev->tx_work);
4503 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4506 struct hci_chan *chan;
4508 switch (hdev->dev_type) {
4510 return hci_conn_hash_lookup_handle(hdev, handle);
4512 chan = hci_chan_lookup_handle(hdev, handle);
4517 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4524 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4525 struct sk_buff *skb)
4527 struct hci_ev_num_comp_blocks *ev = data;
4530 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4531 flex_array_size(ev, handles, ev->num_hndl)))
4534 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4535 bt_dev_err(hdev, "wrong event for mode %d",
4536 hdev->flow_ctl_mode);
4540 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4543 for (i = 0; i < ev->num_hndl; i++) {
4544 struct hci_comp_blocks_info *info = &ev->handles[i];
4545 struct hci_conn *conn = NULL;
4546 __u16 handle, block_count;
4548 handle = __le16_to_cpu(info->handle);
4549 block_count = __le16_to_cpu(info->blocks);
4551 conn = __hci_conn_lookup_handle(hdev, handle);
4555 conn->sent -= block_count;
4557 switch (conn->type) {
4560 hdev->block_cnt += block_count;
4561 if (hdev->block_cnt > hdev->num_blocks)
4562 hdev->block_cnt = hdev->num_blocks;
4566 bt_dev_err(hdev, "unknown type %d conn %p",
4572 queue_work(hdev->workqueue, &hdev->tx_work);
4575 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4576 struct sk_buff *skb)
4578 struct hci_ev_mode_change *ev = data;
4579 struct hci_conn *conn;
4581 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4585 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4587 conn->mode = ev->mode;
4589 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4591 if (conn->mode == HCI_CM_ACTIVE)
4592 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4594 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4597 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4598 hci_sco_setup(conn, ev->status);
4601 hci_dev_unlock(hdev);
4604 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4605 struct sk_buff *skb)
4607 struct hci_ev_pin_code_req *ev = data;
4608 struct hci_conn *conn;
4610 bt_dev_dbg(hdev, "");
4614 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4618 if (conn->state == BT_CONNECTED) {
4619 hci_conn_hold(conn);
4620 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4621 hci_conn_drop(conn);
4624 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4625 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4626 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4627 sizeof(ev->bdaddr), &ev->bdaddr);
4628 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4631 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4636 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4640 hci_dev_unlock(hdev);
4643 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4645 if (key_type == HCI_LK_CHANGED_COMBINATION)
4648 conn->pin_length = pin_len;
4649 conn->key_type = key_type;
4652 case HCI_LK_LOCAL_UNIT:
4653 case HCI_LK_REMOTE_UNIT:
4654 case HCI_LK_DEBUG_COMBINATION:
4656 case HCI_LK_COMBINATION:
4658 conn->pending_sec_level = BT_SECURITY_HIGH;
4660 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4662 case HCI_LK_UNAUTH_COMBINATION_P192:
4663 case HCI_LK_UNAUTH_COMBINATION_P256:
4664 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4666 case HCI_LK_AUTH_COMBINATION_P192:
4667 conn->pending_sec_level = BT_SECURITY_HIGH;
4669 case HCI_LK_AUTH_COMBINATION_P256:
4670 conn->pending_sec_level = BT_SECURITY_FIPS;
4675 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4676 struct sk_buff *skb)
4678 struct hci_ev_link_key_req *ev = data;
4679 struct hci_cp_link_key_reply cp;
4680 struct hci_conn *conn;
4681 struct link_key *key;
4683 bt_dev_dbg(hdev, "");
4685 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4690 key = hci_find_link_key(hdev, &ev->bdaddr);
4692 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4696 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4698 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4700 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4702 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4703 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4704 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4705 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4709 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4710 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4711 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4712 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4716 conn_set_key(conn, key->type, key->pin_len);
4719 bacpy(&cp.bdaddr, &ev->bdaddr);
4720 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4722 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4724 hci_dev_unlock(hdev);
4729 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4730 hci_dev_unlock(hdev);
4733 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4734 struct sk_buff *skb)
4736 struct hci_ev_link_key_notify *ev = data;
4737 struct hci_conn *conn;
4738 struct link_key *key;
4742 bt_dev_dbg(hdev, "");
4746 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4750 /* Ignore NULL link key against CVE-2020-26555 */
4751 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4752 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4754 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4755 hci_conn_drop(conn);
4759 hci_conn_hold(conn);
4760 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4761 hci_conn_drop(conn);
4763 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4764 conn_set_key(conn, ev->key_type, conn->pin_length);
4766 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4769 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4770 ev->key_type, pin_len, &persistent);
4774 /* Update connection information since adding the key will have
4775 * fixed up the type in the case of changed combination keys.
4777 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4778 conn_set_key(conn, key->type, key->pin_len);
4780 mgmt_new_link_key(hdev, key, persistent);
4782 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4783 * is set. If it's not set simply remove the key from the kernel
4784 * list (we've still notified user space about it but with
4785 * store_hint being 0).
4787 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4788 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4789 list_del_rcu(&key->list);
4790 kfree_rcu(key, rcu);
4795 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4797 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4800 hci_dev_unlock(hdev);
4803 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4804 struct sk_buff *skb)
4806 struct hci_ev_clock_offset *ev = data;
4807 struct hci_conn *conn;
4809 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4814 if (conn && !ev->status) {
4815 struct inquiry_entry *ie;
4817 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4819 ie->data.clock_offset = ev->clock_offset;
4820 ie->timestamp = jiffies;
4824 hci_dev_unlock(hdev);
4827 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4828 struct sk_buff *skb)
4830 struct hci_ev_pkt_type_change *ev = data;
4831 struct hci_conn *conn;
4833 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4837 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4838 if (conn && !ev->status)
4839 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4841 hci_dev_unlock(hdev);
4844 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4845 struct sk_buff *skb)
4847 struct hci_ev_pscan_rep_mode *ev = data;
4848 struct inquiry_entry *ie;
4850 bt_dev_dbg(hdev, "");
4854 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4856 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4857 ie->timestamp = jiffies;
4860 hci_dev_unlock(hdev);
4863 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4864 struct sk_buff *skb)
4866 struct hci_ev_inquiry_result_rssi *ev = edata;
4867 struct inquiry_data data;
4870 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4875 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4880 if (skb->len == array_size(ev->num,
4881 sizeof(struct inquiry_info_rssi_pscan))) {
4882 struct inquiry_info_rssi_pscan *info;
4884 for (i = 0; i < ev->num; i++) {
4887 info = hci_ev_skb_pull(hdev, skb,
4888 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4891 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4892 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4896 bacpy(&data.bdaddr, &info->bdaddr);
4897 data.pscan_rep_mode = info->pscan_rep_mode;
4898 data.pscan_period_mode = info->pscan_period_mode;
4899 data.pscan_mode = info->pscan_mode;
4900 memcpy(data.dev_class, info->dev_class, 3);
4901 data.clock_offset = info->clock_offset;
4902 data.rssi = info->rssi;
4903 data.ssp_mode = 0x00;
4905 flags = hci_inquiry_cache_update(hdev, &data, false);
4907 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4908 info->dev_class, info->rssi,
4909 flags, NULL, 0, NULL, 0, 0);
4911 } else if (skb->len == array_size(ev->num,
4912 sizeof(struct inquiry_info_rssi))) {
4913 struct inquiry_info_rssi *info;
4915 for (i = 0; i < ev->num; i++) {
4918 info = hci_ev_skb_pull(hdev, skb,
4919 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4922 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4923 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4927 bacpy(&data.bdaddr, &info->bdaddr);
4928 data.pscan_rep_mode = info->pscan_rep_mode;
4929 data.pscan_period_mode = info->pscan_period_mode;
4930 data.pscan_mode = 0x00;
4931 memcpy(data.dev_class, info->dev_class, 3);
4932 data.clock_offset = info->clock_offset;
4933 data.rssi = info->rssi;
4934 data.ssp_mode = 0x00;
4936 flags = hci_inquiry_cache_update(hdev, &data, false);
4938 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4939 info->dev_class, info->rssi,
4940 flags, NULL, 0, NULL, 0, 0);
4943 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4944 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4947 hci_dev_unlock(hdev);
4950 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4951 struct sk_buff *skb)
4953 struct hci_ev_remote_ext_features *ev = data;
4954 struct hci_conn *conn;
4956 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4960 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4964 if (ev->page < HCI_MAX_PAGES)
4965 memcpy(conn->features[ev->page], ev->features, 8);
4967 if (!ev->status && ev->page == 0x01) {
4968 struct inquiry_entry *ie;
4970 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4972 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4974 if (ev->features[0] & LMP_HOST_SSP) {
4975 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4977 /* It is mandatory by the Bluetooth specification that
4978 * Extended Inquiry Results are only used when Secure
4979 * Simple Pairing is enabled, but some devices violate
4982 * To make these devices work, the internal SSP
4983 * enabled flag needs to be cleared if the remote host
4984 * features do not indicate SSP support */
4985 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4988 if (ev->features[0] & LMP_HOST_SC)
4989 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4992 if (conn->state != BT_CONFIG)
4995 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4996 struct hci_cp_remote_name_req cp;
4997 memset(&cp, 0, sizeof(cp));
4998 bacpy(&cp.bdaddr, &conn->dst);
4999 cp.pscan_rep_mode = 0x02;
5000 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5002 mgmt_device_connected(hdev, conn, NULL, 0);
5005 if (!hci_outgoing_auth_needed(hdev, conn)) {
5006 conn->state = BT_CONNECTED;
5007 hci_connect_cfm(conn, ev->status);
5008 hci_conn_drop(conn);
5012 hci_dev_unlock(hdev);
5015 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5016 struct sk_buff *skb)
5018 struct hci_ev_sync_conn_complete *ev = data;
5019 struct hci_conn *conn;
5020 u8 status = ev->status;
5022 switch (ev->link_type) {
5027 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5028 * for HCI_Synchronous_Connection_Complete is limited to
5029 * either SCO or eSCO
5031 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5035 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5039 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5041 if (ev->link_type == ESCO_LINK)
5044 /* When the link type in the event indicates SCO connection
5045 * and lookup of the connection object fails, then check
5046 * if an eSCO connection object exists.
5048 * The core limits the synchronous connections to either
5049 * SCO or eSCO. The eSCO connection is preferred and tried
5050 * to be setup first and until successfully established,
5051 * the link type will be hinted as eSCO.
5053 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5058 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5059 * Processing it more than once per connection can corrupt kernel memory.
5061 * As the connection handle is set here for the first time, it indicates
5062 * whether the connection is already set up.
5064 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5065 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5071 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5073 conn->state = BT_CLOSED;
5077 conn->state = BT_CONNECTED;
5078 conn->type = ev->link_type;
5080 hci_debugfs_create_conn(conn);
5081 hci_conn_add_sysfs(conn);
5084 case 0x10: /* Connection Accept Timeout */
5085 case 0x0d: /* Connection Rejected due to Limited Resources */
5086 case 0x11: /* Unsupported Feature or Parameter Value */
5087 case 0x1c: /* SCO interval rejected */
5088 case 0x1a: /* Unsupported Remote Feature */
5089 case 0x1e: /* Invalid LMP Parameters */
5090 case 0x1f: /* Unspecified error */
5091 case 0x20: /* Unsupported LMP Parameter value */
5093 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5094 (hdev->esco_type & EDR_ESCO_MASK);
5095 if (hci_setup_sync(conn, conn->parent->handle))
5101 conn->state = BT_CLOSED;
5105 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5106 /* Notify only in case of SCO over HCI transport data path which
5107 * is zero and non-zero value shall be non-HCI transport data path
5109 if (conn->codec.data_path == 0 && hdev->notify) {
5110 switch (ev->air_mode) {
5112 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5115 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5120 hci_connect_cfm(conn, status);
5125 hci_dev_unlock(hdev);
5128 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5132 while (parsed < eir_len) {
5133 u8 field_len = eir[0];
5138 parsed += field_len + 1;
5139 eir += field_len + 1;
5145 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5146 struct sk_buff *skb)
5148 struct hci_ev_ext_inquiry_result *ev = edata;
5149 struct inquiry_data data;
5153 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5154 flex_array_size(ev, info, ev->num)))
5157 bt_dev_dbg(hdev, "num %d", ev->num);
5162 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5167 for (i = 0; i < ev->num; i++) {
5168 struct extended_inquiry_info *info = &ev->info[i];
5172 bacpy(&data.bdaddr, &info->bdaddr);
5173 data.pscan_rep_mode = info->pscan_rep_mode;
5174 data.pscan_period_mode = info->pscan_period_mode;
5175 data.pscan_mode = 0x00;
5176 memcpy(data.dev_class, info->dev_class, 3);
5177 data.clock_offset = info->clock_offset;
5178 data.rssi = info->rssi;
5179 data.ssp_mode = 0x01;
5181 if (hci_dev_test_flag(hdev, HCI_MGMT))
5182 name_known = eir_get_data(info->data,
5184 EIR_NAME_COMPLETE, NULL);
5188 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5190 eir_len = eir_get_length(info->data, sizeof(info->data));
5192 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5193 info->dev_class, info->rssi,
5194 flags, info->data, eir_len, NULL, 0, 0);
5197 hci_dev_unlock(hdev);
5200 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5201 struct sk_buff *skb)
5203 struct hci_ev_key_refresh_complete *ev = data;
5204 struct hci_conn *conn;
5206 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5207 __le16_to_cpu(ev->handle));
5211 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5215 /* For BR/EDR the necessary steps are taken through the
5216 * auth_complete event.
5218 if (conn->type != LE_LINK)
5222 conn->sec_level = conn->pending_sec_level;
5224 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5226 if (ev->status && conn->state == BT_CONNECTED) {
5227 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5228 hci_conn_drop(conn);
5232 if (conn->state == BT_CONFIG) {
5234 conn->state = BT_CONNECTED;
5236 hci_connect_cfm(conn, ev->status);
5237 hci_conn_drop(conn);
5239 hci_auth_cfm(conn, ev->status);
5241 hci_conn_hold(conn);
5242 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5243 hci_conn_drop(conn);
5247 hci_dev_unlock(hdev);
5250 static u8 hci_get_auth_req(struct hci_conn *conn)
5252 /* If remote requests no-bonding follow that lead */
5253 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5254 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5255 return conn->remote_auth | (conn->auth_type & 0x01);
5257 /* If both remote and local have enough IO capabilities, require
5260 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5261 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5262 return conn->remote_auth | 0x01;
5264 /* No MITM protection possible so ignore remote requirement */
5265 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5268 static u8 bredr_oob_data_present(struct hci_conn *conn)
5270 struct hci_dev *hdev = conn->hdev;
5271 struct oob_data *data;
5273 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5277 if (bredr_sc_enabled(hdev)) {
5278 /* When Secure Connections is enabled, then just
5279 * return the present value stored with the OOB
5280 * data. The stored value contains the right present
5281 * information. However it can only be trusted when
5282 * not in Secure Connection Only mode.
5284 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5285 return data->present;
5287 /* When Secure Connections Only mode is enabled, then
5288 * the P-256 values are required. If they are not
5289 * available, then do not declare that OOB data is
5292 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5293 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5299 /* When Secure Connections is not enabled or actually
5300 * not supported by the hardware, then check that if
5301 * P-192 data values are present.
5303 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5304 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5310 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5311 struct sk_buff *skb)
5313 struct hci_ev_io_capa_request *ev = data;
5314 struct hci_conn *conn;
5316 bt_dev_dbg(hdev, "");
5320 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5321 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5324 /* Assume remote supports SSP since it has triggered this event */
5325 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5327 hci_conn_hold(conn);
5329 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5332 /* Allow pairing if we're pairable, the initiators of the
5333 * pairing or if the remote is not requesting bonding.
5335 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5336 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5337 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5338 struct hci_cp_io_capability_reply cp;
5340 bacpy(&cp.bdaddr, &ev->bdaddr);
5341 /* Change the IO capability from KeyboardDisplay
5342 * to DisplayYesNo as it is not supported by BT spec. */
5343 cp.capability = (conn->io_capability == 0x04) ?
5344 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5346 /* If we are initiators, there is no remote information yet */
5347 if (conn->remote_auth == 0xff) {
5348 /* Request MITM protection if our IO caps allow it
5349 * except for the no-bonding case.
5351 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5352 conn->auth_type != HCI_AT_NO_BONDING)
5353 conn->auth_type |= 0x01;
5355 conn->auth_type = hci_get_auth_req(conn);
5358 /* If we're not bondable, force one of the non-bondable
5359 * authentication requirement values.
5361 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5362 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5364 cp.authentication = conn->auth_type;
5365 cp.oob_data = bredr_oob_data_present(conn);
5367 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5370 struct hci_cp_io_capability_neg_reply cp;
5372 bacpy(&cp.bdaddr, &ev->bdaddr);
5373 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5375 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5380 hci_dev_unlock(hdev);
5383 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5384 struct sk_buff *skb)
5386 struct hci_ev_io_capa_reply *ev = data;
5387 struct hci_conn *conn;
5389 bt_dev_dbg(hdev, "");
5393 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5397 conn->remote_cap = ev->capability;
5398 conn->remote_auth = ev->authentication;
5401 hci_dev_unlock(hdev);
5404 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5405 struct sk_buff *skb)
5407 struct hci_ev_user_confirm_req *ev = data;
5408 int loc_mitm, rem_mitm, confirm_hint = 0;
5409 struct hci_conn *conn;
5411 bt_dev_dbg(hdev, "");
5415 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5418 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5422 loc_mitm = (conn->auth_type & 0x01);
5423 rem_mitm = (conn->remote_auth & 0x01);
5425 /* If we require MITM but the remote device can't provide that
5426 * (it has NoInputNoOutput) then reject the confirmation
5427 * request. We check the security level here since it doesn't
5428 * necessarily match conn->auth_type.
5430 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5431 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5432 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5433 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5434 sizeof(ev->bdaddr), &ev->bdaddr);
5438 /* If no side requires MITM protection; auto-accept */
5439 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5440 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5442 /* If we're not the initiators request authorization to
5443 * proceed from user space (mgmt_user_confirm with
5444 * confirm_hint set to 1). The exception is if neither
5445 * side had MITM or if the local IO capability is
5446 * NoInputNoOutput, in which case we do auto-accept
5448 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5449 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5450 (loc_mitm || rem_mitm)) {
5451 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5456 /* If there already exists link key in local host, leave the
5457 * decision to user space since the remote device could be
5458 * legitimate or malicious.
5460 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5461 bt_dev_dbg(hdev, "Local host already has link key");
5466 BT_DBG("Auto-accept of user confirmation with %ums delay",
5467 hdev->auto_accept_delay);
5469 if (hdev->auto_accept_delay > 0) {
5470 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5471 queue_delayed_work(conn->hdev->workqueue,
5472 &conn->auto_accept_work, delay);
5476 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5477 sizeof(ev->bdaddr), &ev->bdaddr);
5482 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5483 le32_to_cpu(ev->passkey), confirm_hint);
5486 hci_dev_unlock(hdev);
5489 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5490 struct sk_buff *skb)
5492 struct hci_ev_user_passkey_req *ev = data;
5494 bt_dev_dbg(hdev, "");
5496 if (hci_dev_test_flag(hdev, HCI_MGMT))
5497 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5500 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5501 struct sk_buff *skb)
5503 struct hci_ev_user_passkey_notify *ev = data;
5504 struct hci_conn *conn;
5506 bt_dev_dbg(hdev, "");
5508 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5512 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5513 conn->passkey_entered = 0;
5515 if (hci_dev_test_flag(hdev, HCI_MGMT))
5516 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5517 conn->dst_type, conn->passkey_notify,
5518 conn->passkey_entered);
5521 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5522 struct sk_buff *skb)
5524 struct hci_ev_keypress_notify *ev = data;
5525 struct hci_conn *conn;
5527 bt_dev_dbg(hdev, "");
5529 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5534 case HCI_KEYPRESS_STARTED:
5535 conn->passkey_entered = 0;
5538 case HCI_KEYPRESS_ENTERED:
5539 conn->passkey_entered++;
5542 case HCI_KEYPRESS_ERASED:
5543 conn->passkey_entered--;
5546 case HCI_KEYPRESS_CLEARED:
5547 conn->passkey_entered = 0;
5550 case HCI_KEYPRESS_COMPLETED:
5554 if (hci_dev_test_flag(hdev, HCI_MGMT))
5555 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5556 conn->dst_type, conn->passkey_notify,
5557 conn->passkey_entered);
5560 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5561 struct sk_buff *skb)
5563 struct hci_ev_simple_pair_complete *ev = data;
5564 struct hci_conn *conn;
5566 bt_dev_dbg(hdev, "");
5570 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5571 if (!conn || !hci_conn_ssp_enabled(conn))
5574 /* Reset the authentication requirement to unknown */
5575 conn->remote_auth = 0xff;
5577 /* To avoid duplicate auth_failed events to user space we check
5578 * the HCI_CONN_AUTH_PEND flag which will be set if we
5579 * initiated the authentication. A traditional auth_complete
5580 * event gets always produced as initiator and is also mapped to
5581 * the mgmt_auth_failed event */
5582 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5583 mgmt_auth_failed(conn, ev->status);
5585 hci_conn_drop(conn);
5588 hci_dev_unlock(hdev);
5591 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5592 struct sk_buff *skb)
5594 struct hci_ev_remote_host_features *ev = data;
5595 struct inquiry_entry *ie;
5596 struct hci_conn *conn;
5598 bt_dev_dbg(hdev, "");
5602 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5604 memcpy(conn->features[1], ev->features, 8);
5606 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5608 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5610 hci_dev_unlock(hdev);
5613 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5614 struct sk_buff *skb)
5616 struct hci_ev_remote_oob_data_request *ev = edata;
5617 struct oob_data *data;
5619 bt_dev_dbg(hdev, "");
5623 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5626 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5628 struct hci_cp_remote_oob_data_neg_reply cp;
5630 bacpy(&cp.bdaddr, &ev->bdaddr);
5631 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5636 if (bredr_sc_enabled(hdev)) {
5637 struct hci_cp_remote_oob_ext_data_reply cp;
5639 bacpy(&cp.bdaddr, &ev->bdaddr);
5640 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5641 memset(cp.hash192, 0, sizeof(cp.hash192));
5642 memset(cp.rand192, 0, sizeof(cp.rand192));
5644 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5645 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5647 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5648 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5650 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5653 struct hci_cp_remote_oob_data_reply cp;
5655 bacpy(&cp.bdaddr, &ev->bdaddr);
5656 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5657 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5659 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5664 hci_dev_unlock(hdev);
5667 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5668 u8 bdaddr_type, bdaddr_t *local_rpa)
5671 conn->dst_type = bdaddr_type;
5672 conn->resp_addr_type = bdaddr_type;
5673 bacpy(&conn->resp_addr, bdaddr);
5675 /* Check if the controller has set a Local RPA then it must be
5676 * used instead or hdev->rpa.
5678 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5679 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5680 bacpy(&conn->init_addr, local_rpa);
5681 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5682 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5683 bacpy(&conn->init_addr, &conn->hdev->rpa);
5685 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5686 &conn->init_addr_type);
5689 conn->resp_addr_type = conn->hdev->adv_addr_type;
5690 /* Check if the controller has set a Local RPA then it must be
5691 * used instead or hdev->rpa.
5693 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5694 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5695 bacpy(&conn->resp_addr, local_rpa);
5696 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5697 /* In case of ext adv, resp_addr will be updated in
5698 * Adv Terminated event.
5700 if (!ext_adv_capable(conn->hdev))
5701 bacpy(&conn->resp_addr,
5702 &conn->hdev->random_addr);
5704 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5707 conn->init_addr_type = bdaddr_type;
5708 bacpy(&conn->init_addr, bdaddr);
5710 /* For incoming connections, set the default minimum
5711 * and maximum connection interval. They will be used
5712 * to check if the parameters are in range and if not
5713 * trigger the connection update procedure.
5715 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5716 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5720 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5721 bdaddr_t *bdaddr, u8 bdaddr_type,
5722 bdaddr_t *local_rpa, u8 role, u16 handle,
5723 u16 interval, u16 latency,
5724 u16 supervision_timeout)
5726 struct hci_conn_params *params;
5727 struct hci_conn *conn;
5728 struct smp_irk *irk;
5733 /* All controllers implicitly stop advertising in the event of a
5734 * connection, so ensure that the state bit is cleared.
5736 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5738 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5740 /* In case of error status and there is no connection pending
5741 * just unlock as there is nothing to cleanup.
5746 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5748 bt_dev_err(hdev, "no memory for new connection");
5752 conn->dst_type = bdaddr_type;
5754 /* If we didn't have a hci_conn object previously
5755 * but we're in central role this must be something
5756 * initiated using an accept list. Since accept list based
5757 * connections are not "first class citizens" we don't
5758 * have full tracking of them. Therefore, we go ahead
5759 * with a "best effort" approach of determining the
5760 * initiator address based on the HCI_PRIVACY flag.
5763 conn->resp_addr_type = bdaddr_type;
5764 bacpy(&conn->resp_addr, bdaddr);
5765 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5766 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5767 bacpy(&conn->init_addr, &hdev->rpa);
5769 hci_copy_identity_address(hdev,
5771 &conn->init_addr_type);
5775 cancel_delayed_work(&conn->le_conn_timeout);
5778 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5779 * Processing it more than once per connection can corrupt kernel memory.
5781 * As the connection handle is set here for the first time, it indicates
5782 * whether the connection is already set up.
5784 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5785 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5789 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5791 /* Lookup the identity address from the stored connection
5792 * address and address type.
5794 * When establishing connections to an identity address, the
5795 * connection procedure will store the resolvable random
5796 * address first. Now if it can be converted back into the
5797 * identity address, start using the identity address from
5800 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5802 bacpy(&conn->dst, &irk->bdaddr);
5803 conn->dst_type = irk->addr_type;
5806 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5808 /* All connection failure handling is taken care of by the
5809 * hci_conn_failed function which is triggered by the HCI
5810 * request completion callbacks used for connecting.
5812 if (status || hci_conn_set_handle(conn, handle))
5815 /* Drop the connection if it has been aborted */
5816 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5817 hci_conn_drop(conn);
5821 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5822 addr_type = BDADDR_LE_PUBLIC;
5824 addr_type = BDADDR_LE_RANDOM;
5826 /* Drop the connection if the device is blocked */
5827 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5828 hci_conn_drop(conn);
5832 mgmt_device_connected(hdev, conn, NULL, 0);
5834 conn->sec_level = BT_SECURITY_LOW;
5835 conn->state = BT_CONFIG;
5837 /* Store current advertising instance as connection advertising instance
5838 * when sotfware rotation is in use so it can be re-enabled when
5841 if (!ext_adv_capable(hdev))
5842 conn->adv_instance = hdev->cur_adv_instance;
5844 conn->le_conn_interval = interval;
5845 conn->le_conn_latency = latency;
5846 conn->le_supv_timeout = supervision_timeout;
5848 hci_debugfs_create_conn(conn);
5849 hci_conn_add_sysfs(conn);
5851 /* The remote features procedure is defined for central
5852 * role only. So only in case of an initiated connection
5853 * request the remote features.
5855 * If the local controller supports peripheral-initiated features
5856 * exchange, then requesting the remote features in peripheral
5857 * role is possible. Otherwise just transition into the
5858 * connected state without requesting the remote features.
5861 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5862 struct hci_cp_le_read_remote_features cp;
5864 cp.handle = __cpu_to_le16(conn->handle);
5866 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5869 hci_conn_hold(conn);
5871 conn->state = BT_CONNECTED;
5872 hci_connect_cfm(conn, status);
5875 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5878 hci_pend_le_list_del_init(params);
5880 hci_conn_drop(params->conn);
5881 hci_conn_put(params->conn);
5882 params->conn = NULL;
5887 hci_update_passive_scan(hdev);
5888 hci_dev_unlock(hdev);
5891 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5892 struct sk_buff *skb)
5894 struct hci_ev_le_conn_complete *ev = data;
5896 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5898 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5899 NULL, ev->role, le16_to_cpu(ev->handle),
5900 le16_to_cpu(ev->interval),
5901 le16_to_cpu(ev->latency),
5902 le16_to_cpu(ev->supervision_timeout));
5905 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5906 struct sk_buff *skb)
5908 struct hci_ev_le_enh_conn_complete *ev = data;
5910 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5912 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5913 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5914 le16_to_cpu(ev->interval),
5915 le16_to_cpu(ev->latency),
5916 le16_to_cpu(ev->supervision_timeout));
5919 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5920 struct sk_buff *skb)
5922 struct hci_evt_le_ext_adv_set_term *ev = data;
5923 struct hci_conn *conn;
5924 struct adv_info *adv, *n;
5926 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5928 /* The Bluetooth Core 5.3 specification clearly states that this event
5929 * shall not be sent when the Host disables the advertising set. So in
5930 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
5932 * When the Host disables an advertising set, all cleanup is done via
5933 * its command callback and not needed to be duplicated here.
5935 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
5936 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
5942 adv = hci_find_adv_instance(hdev, ev->handle);
5948 /* Remove advertising as it has been terminated */
5949 hci_remove_adv_instance(hdev, ev->handle);
5950 mgmt_advertising_removed(NULL, hdev, ev->handle);
5952 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
5957 /* We are no longer advertising, clear HCI_LE_ADV */
5958 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5963 adv->enabled = false;
5965 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5967 /* Store handle in the connection so the correct advertising
5968 * instance can be re-enabled when disconnected.
5970 conn->adv_instance = ev->handle;
5972 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5973 bacmp(&conn->resp_addr, BDADDR_ANY))
5977 bacpy(&conn->resp_addr, &hdev->random_addr);
5982 bacpy(&conn->resp_addr, &adv->random_addr);
5986 hci_dev_unlock(hdev);
5989 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
5990 struct sk_buff *skb)
5992 struct hci_ev_le_conn_update_complete *ev = data;
5993 struct hci_conn *conn;
5995 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6002 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6004 conn->le_conn_interval = le16_to_cpu(ev->interval);
6005 conn->le_conn_latency = le16_to_cpu(ev->latency);
6006 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6009 hci_dev_unlock(hdev);
6012 /* This function requires the caller holds hdev->lock */
6013 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6015 u8 addr_type, bool addr_resolved,
6018 struct hci_conn *conn;
6019 struct hci_conn_params *params;
6021 /* If the event is not connectable don't proceed further */
6022 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6025 /* Ignore if the device is blocked or hdev is suspended */
6026 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6030 /* Most controller will fail if we try to create new connections
6031 * while we have an existing one in peripheral role.
6033 if (hdev->conn_hash.le_num_peripheral > 0 &&
6034 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6035 !(hdev->le_states[3] & 0x10)))
6038 /* If we're not connectable only connect devices that we have in
6039 * our pend_le_conns list.
6041 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6046 if (!params->explicit_connect) {
6047 switch (params->auto_connect) {
6048 case HCI_AUTO_CONN_DIRECT:
6049 /* Only devices advertising with ADV_DIRECT_IND are
6050 * triggering a connection attempt. This is allowing
6051 * incoming connections from peripheral devices.
6053 if (adv_type != LE_ADV_DIRECT_IND)
6056 case HCI_AUTO_CONN_ALWAYS:
6057 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6058 * are triggering a connection attempt. This means
6059 * that incoming connections from peripheral device are
6060 * accepted and also outgoing connections to peripheral
6061 * devices are established when found.
6069 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6070 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6072 if (!IS_ERR(conn)) {
6073 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6074 * by higher layer that tried to connect, if no then
6075 * store the pointer since we don't really have any
6076 * other owner of the object besides the params that
6077 * triggered it. This way we can abort the connection if
6078 * the parameters get removed and keep the reference
6079 * count consistent once the connection is established.
6082 if (!params->explicit_connect)
6083 params->conn = hci_conn_get(conn);
6088 switch (PTR_ERR(conn)) {
6090 /* If hci_connect() returns -EBUSY it means there is already
6091 * an LE connection attempt going on. Since controllers don't
6092 * support more than one connection attempt at the time, we
6093 * don't consider this an error case.
6097 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6104 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6105 u8 bdaddr_type, bdaddr_t *direct_addr,
6106 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6107 bool ext_adv, bool ctl_time, u64 instant)
6109 struct discovery_state *d = &hdev->discovery;
6110 struct smp_irk *irk;
6111 struct hci_conn *conn;
6112 bool match, bdaddr_resolved;
6118 case LE_ADV_DIRECT_IND:
6119 case LE_ADV_SCAN_IND:
6120 case LE_ADV_NONCONN_IND:
6121 case LE_ADV_SCAN_RSP:
6124 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6125 "type: 0x%02x", type);
6129 if (len > max_adv_len(hdev)) {
6130 bt_dev_err_ratelimited(hdev,
6131 "adv larger than maximum supported");
6135 /* Find the end of the data in case the report contains padded zero
6136 * bytes at the end causing an invalid length value.
6138 * When data is NULL, len is 0 so there is no need for extra ptr
6139 * check as 'ptr < data + 0' is already false in such case.
6141 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6142 if (ptr + 1 + *ptr > data + len)
6146 /* Adjust for actual length. This handles the case when remote
6147 * device is advertising with incorrect data length.
6151 /* If the direct address is present, then this report is from
6152 * a LE Direct Advertising Report event. In that case it is
6153 * important to see if the address is matching the local
6154 * controller address.
6156 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6157 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6160 /* Only resolvable random addresses are valid for these
6161 * kind of reports and others can be ignored.
6163 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6166 /* If the controller is not using resolvable random
6167 * addresses, then this report can be ignored.
6169 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6172 /* If the local IRK of the controller does not match
6173 * with the resolvable random address provided, then
6174 * this report can be ignored.
6176 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6180 /* Check if we need to convert to identity address */
6181 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6183 bdaddr = &irk->bdaddr;
6184 bdaddr_type = irk->addr_type;
6187 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6189 /* Check if we have been requested to connect to this device.
6191 * direct_addr is set only for directed advertising reports (it is NULL
6192 * for advertising reports) and is already verified to be RPA above.
6194 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6196 if (!ext_adv && conn && type == LE_ADV_IND &&
6197 len <= max_adv_len(hdev)) {
6198 /* Store report for later inclusion by
6199 * mgmt_device_connected
6201 memcpy(conn->le_adv_data, data, len);
6202 conn->le_adv_data_len = len;
6205 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6206 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6210 /* All scan results should be sent up for Mesh systems */
6211 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6212 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6213 rssi, flags, data, len, NULL, 0, instant);
6217 /* Passive scanning shouldn't trigger any device found events,
6218 * except for devices marked as CONN_REPORT for which we do send
6219 * device found events, or advertisement monitoring requested.
6221 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6222 if (type == LE_ADV_DIRECT_IND)
6225 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6226 bdaddr, bdaddr_type) &&
6227 idr_is_empty(&hdev->adv_monitors_idr))
6230 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6231 rssi, flags, data, len, NULL, 0, 0);
6235 /* When receiving a scan response, then there is no way to
6236 * know if the remote device is connectable or not. However
6237 * since scan responses are merged with a previously seen
6238 * advertising report, the flags field from that report
6241 * In the unlikely case that a controller just sends a scan
6242 * response event that doesn't match the pending report, then
6243 * it is marked as a standalone SCAN_RSP.
6245 if (type == LE_ADV_SCAN_RSP)
6246 flags = MGMT_DEV_FOUND_SCAN_RSP;
6248 /* If there's nothing pending either store the data from this
6249 * event or send an immediate device found event if the data
6250 * should not be stored for later.
6252 if (!ext_adv && !has_pending_adv_report(hdev)) {
6253 /* If the report will trigger a SCAN_REQ store it for
6256 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6257 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6258 rssi, flags, data, len);
6262 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6263 rssi, flags, data, len, NULL, 0, 0);
6267 /* Check if the pending report is for the same device as the new one */
6268 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6269 bdaddr_type == d->last_adv_addr_type);
6271 /* If the pending data doesn't match this report or this isn't a
6272 * scan response (e.g. we got a duplicate ADV_IND) then force
6273 * sending of the pending data.
6275 if (type != LE_ADV_SCAN_RSP || !match) {
6276 /* Send out whatever is in the cache, but skip duplicates */
6278 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6279 d->last_adv_addr_type, NULL,
6280 d->last_adv_rssi, d->last_adv_flags,
6282 d->last_adv_data_len, NULL, 0, 0);
6284 /* If the new report will trigger a SCAN_REQ store it for
6287 if (!ext_adv && (type == LE_ADV_IND ||
6288 type == LE_ADV_SCAN_IND)) {
6289 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6290 rssi, flags, data, len);
6294 /* The advertising reports cannot be merged, so clear
6295 * the pending report and send out a device found event.
6297 clear_pending_adv_report(hdev);
6298 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6299 rssi, flags, data, len, NULL, 0, 0);
6303 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6304 * the new event is a SCAN_RSP. We can therefore proceed with
6305 * sending a merged device found event.
6307 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6308 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6309 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6310 clear_pending_adv_report(hdev);
6313 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6314 struct sk_buff *skb)
6316 struct hci_ev_le_advertising_report *ev = data;
6317 u64 instant = jiffies;
6325 struct hci_ev_le_advertising_info *info;
6328 info = hci_le_ev_skb_pull(hdev, skb,
6329 HCI_EV_LE_ADVERTISING_REPORT,
6334 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6338 if (info->length <= max_adv_len(hdev)) {
6339 rssi = info->data[info->length];
6340 process_adv_report(hdev, info->type, &info->bdaddr,
6341 info->bdaddr_type, NULL, 0, rssi,
6342 info->data, info->length, false,
6345 bt_dev_err(hdev, "Dropping invalid advertising data");
6349 hci_dev_unlock(hdev);
6352 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6354 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6356 case LE_LEGACY_ADV_IND:
6358 case LE_LEGACY_ADV_DIRECT_IND:
6359 return LE_ADV_DIRECT_IND;
6360 case LE_LEGACY_ADV_SCAN_IND:
6361 return LE_ADV_SCAN_IND;
6362 case LE_LEGACY_NONCONN_IND:
6363 return LE_ADV_NONCONN_IND;
6364 case LE_LEGACY_SCAN_RSP_ADV:
6365 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6366 return LE_ADV_SCAN_RSP;
6372 if (evt_type & LE_EXT_ADV_CONN_IND) {
6373 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6374 return LE_ADV_DIRECT_IND;
6379 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6380 return LE_ADV_SCAN_RSP;
6382 if (evt_type & LE_EXT_ADV_SCAN_IND)
6383 return LE_ADV_SCAN_IND;
6385 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6386 evt_type & LE_EXT_ADV_DIRECT_IND)
6387 return LE_ADV_NONCONN_IND;
6390 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6393 return LE_ADV_INVALID;
6396 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6397 struct sk_buff *skb)
6399 struct hci_ev_le_ext_adv_report *ev = data;
6400 u64 instant = jiffies;
6408 struct hci_ev_le_ext_adv_info *info;
6412 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6417 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6421 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6422 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6423 if (legacy_evt_type != LE_ADV_INVALID) {
6424 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6425 info->bdaddr_type, NULL, 0,
6426 info->rssi, info->data, info->length,
6427 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6432 hci_dev_unlock(hdev);
6435 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6437 struct hci_cp_le_pa_term_sync cp;
6439 memset(&cp, 0, sizeof(cp));
6442 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6445 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6446 struct sk_buff *skb)
6448 struct hci_ev_le_pa_sync_established *ev = data;
6449 int mask = hdev->link_mode;
6451 struct hci_conn *pa_sync;
6453 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6457 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6459 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6460 if (!(mask & HCI_LM_ACCEPT)) {
6461 hci_le_pa_term_sync(hdev, ev->handle);
6465 if (!(flags & HCI_PROTO_DEFER))
6469 /* Add connection to indicate the failed PA sync event */
6470 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6476 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6478 /* Notify iso layer */
6479 hci_connect_cfm(pa_sync, ev->status);
6483 hci_dev_unlock(hdev);
6486 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6487 struct sk_buff *skb)
6489 struct hci_ev_le_per_adv_report *ev = data;
6490 int mask = hdev->link_mode;
6493 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6497 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6498 if (!(mask & HCI_LM_ACCEPT))
6499 hci_le_pa_term_sync(hdev, ev->sync_handle);
6501 hci_dev_unlock(hdev);
6504 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6505 struct sk_buff *skb)
6507 struct hci_ev_le_remote_feat_complete *ev = data;
6508 struct hci_conn *conn;
6510 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6514 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6517 memcpy(conn->features[0], ev->features, 8);
6519 if (conn->state == BT_CONFIG) {
6522 /* If the local controller supports peripheral-initiated
6523 * features exchange, but the remote controller does
6524 * not, then it is possible that the error code 0x1a
6525 * for unsupported remote feature gets returned.
6527 * In this specific case, allow the connection to
6528 * transition into connected state and mark it as
6531 if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE &&
6532 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6535 status = ev->status;
6537 conn->state = BT_CONNECTED;
6538 hci_connect_cfm(conn, status);
6539 hci_conn_drop(conn);
6543 hci_dev_unlock(hdev);
6546 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6547 struct sk_buff *skb)
6549 struct hci_ev_le_ltk_req *ev = data;
6550 struct hci_cp_le_ltk_reply cp;
6551 struct hci_cp_le_ltk_neg_reply neg;
6552 struct hci_conn *conn;
6553 struct smp_ltk *ltk;
6555 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6559 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6563 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6567 if (smp_ltk_is_sc(ltk)) {
6568 /* With SC both EDiv and Rand are set to zero */
6569 if (ev->ediv || ev->rand)
6572 /* For non-SC keys check that EDiv and Rand match */
6573 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6577 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6578 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6579 cp.handle = cpu_to_le16(conn->handle);
6581 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6583 conn->enc_key_size = ltk->enc_size;
6585 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6587 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6588 * temporary key used to encrypt a connection following
6589 * pairing. It is used during the Encrypted Session Setup to
6590 * distribute the keys. Later, security can be re-established
6591 * using a distributed LTK.
6593 if (ltk->type == SMP_STK) {
6594 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6595 list_del_rcu(<k->list);
6596 kfree_rcu(ltk, rcu);
6598 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6601 hci_dev_unlock(hdev);
6606 neg.handle = ev->handle;
6607 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6608 hci_dev_unlock(hdev);
6611 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6614 struct hci_cp_le_conn_param_req_neg_reply cp;
6616 cp.handle = cpu_to_le16(handle);
6619 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6623 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6624 struct sk_buff *skb)
6626 struct hci_ev_le_remote_conn_param_req *ev = data;
6627 struct hci_cp_le_conn_param_req_reply cp;
6628 struct hci_conn *hcon;
6629 u16 handle, min, max, latency, timeout;
6631 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6633 handle = le16_to_cpu(ev->handle);
6634 min = le16_to_cpu(ev->interval_min);
6635 max = le16_to_cpu(ev->interval_max);
6636 latency = le16_to_cpu(ev->latency);
6637 timeout = le16_to_cpu(ev->timeout);
6639 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6640 if (!hcon || hcon->state != BT_CONNECTED)
6641 return send_conn_param_neg_reply(hdev, handle,
6642 HCI_ERROR_UNKNOWN_CONN_ID);
6644 if (max > hcon->le_conn_max_interval)
6645 return send_conn_param_neg_reply(hdev, handle,
6646 HCI_ERROR_INVALID_LL_PARAMS);
6648 if (hci_check_conn_params(min, max, latency, timeout))
6649 return send_conn_param_neg_reply(hdev, handle,
6650 HCI_ERROR_INVALID_LL_PARAMS);
6652 if (hcon->role == HCI_ROLE_MASTER) {
6653 struct hci_conn_params *params;
6658 params = hci_conn_params_lookup(hdev, &hcon->dst,
6661 params->conn_min_interval = min;
6662 params->conn_max_interval = max;
6663 params->conn_latency = latency;
6664 params->supervision_timeout = timeout;
6670 hci_dev_unlock(hdev);
6672 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6673 store_hint, min, max, latency, timeout);
6676 cp.handle = ev->handle;
6677 cp.interval_min = ev->interval_min;
6678 cp.interval_max = ev->interval_max;
6679 cp.latency = ev->latency;
6680 cp.timeout = ev->timeout;
6684 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6687 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6688 struct sk_buff *skb)
6690 struct hci_ev_le_direct_adv_report *ev = data;
6691 u64 instant = jiffies;
6694 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6695 flex_array_size(ev, info, ev->num)))
6703 for (i = 0; i < ev->num; i++) {
6704 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6706 process_adv_report(hdev, info->type, &info->bdaddr,
6707 info->bdaddr_type, &info->direct_addr,
6708 info->direct_addr_type, info->rssi, NULL, 0,
6709 false, false, instant);
6712 hci_dev_unlock(hdev);
6715 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6716 struct sk_buff *skb)
6718 struct hci_ev_le_phy_update_complete *ev = data;
6719 struct hci_conn *conn;
6721 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6728 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6732 conn->le_tx_phy = ev->tx_phy;
6733 conn->le_rx_phy = ev->rx_phy;
6736 hci_dev_unlock(hdev);
6739 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6740 struct sk_buff *skb)
6742 struct hci_evt_le_cis_established *ev = data;
6743 struct hci_conn *conn;
6744 struct bt_iso_qos *qos;
6745 bool pending = false;
6746 u16 handle = __le16_to_cpu(ev->handle);
6748 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6752 conn = hci_conn_hash_lookup_handle(hdev, handle);
6755 "Unable to find connection with handle 0x%4.4x",
6760 if (conn->type != ISO_LINK) {
6762 "Invalid connection link type handle 0x%4.4x",
6767 qos = &conn->iso_qos;
6769 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6771 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
6772 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
6773 qos->ucast.out.interval = qos->ucast.in.interval;
6775 switch (conn->role) {
6776 case HCI_ROLE_SLAVE:
6777 /* Convert Transport Latency (us) to Latency (msec) */
6778 qos->ucast.in.latency =
6779 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6781 qos->ucast.out.latency =
6782 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6784 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6785 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6786 qos->ucast.in.phy = ev->c_phy;
6787 qos->ucast.out.phy = ev->p_phy;
6789 case HCI_ROLE_MASTER:
6790 /* Convert Transport Latency (us) to Latency (msec) */
6791 qos->ucast.out.latency =
6792 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6794 qos->ucast.in.latency =
6795 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6797 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6798 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6799 qos->ucast.out.phy = ev->c_phy;
6800 qos->ucast.in.phy = ev->p_phy;
6805 conn->state = BT_CONNECTED;
6806 hci_debugfs_create_conn(conn);
6807 hci_conn_add_sysfs(conn);
6808 hci_iso_setup_path(conn);
6812 conn->state = BT_CLOSED;
6813 hci_connect_cfm(conn, ev->status);
6818 hci_le_create_cis_pending(hdev);
6820 hci_dev_unlock(hdev);
6823 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6825 struct hci_cp_le_reject_cis cp;
6827 memset(&cp, 0, sizeof(cp));
6829 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6830 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6833 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6835 struct hci_cp_le_accept_cis cp;
6837 memset(&cp, 0, sizeof(cp));
6839 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6842 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6843 struct sk_buff *skb)
6845 struct hci_evt_le_cis_req *ev = data;
6846 u16 acl_handle, cis_handle;
6847 struct hci_conn *acl, *cis;
6851 acl_handle = __le16_to_cpu(ev->acl_handle);
6852 cis_handle = __le16_to_cpu(ev->cis_handle);
6854 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6855 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6859 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6863 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
6864 if (!(mask & HCI_LM_ACCEPT)) {
6865 hci_le_reject_cis(hdev, ev->cis_handle);
6869 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6871 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
6874 hci_le_reject_cis(hdev, ev->cis_handle);
6879 cis->iso_qos.ucast.cig = ev->cig_id;
6880 cis->iso_qos.ucast.cis = ev->cis_id;
6882 if (!(flags & HCI_PROTO_DEFER)) {
6883 hci_le_accept_cis(hdev, ev->cis_handle);
6885 cis->state = BT_CONNECT2;
6886 hci_connect_cfm(cis, 0);
6890 hci_dev_unlock(hdev);
6893 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
6895 u8 handle = PTR_UINT(data);
6897 return hci_le_terminate_big_sync(hdev, handle,
6898 HCI_ERROR_LOCAL_HOST_TERM);
6901 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
6902 struct sk_buff *skb)
6904 struct hci_evt_le_create_big_complete *ev = data;
6905 struct hci_conn *conn;
6908 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6910 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
6911 flex_array_size(ev, bis_handle, ev->num_bis)))
6917 /* Connect all BISes that are bound to the BIG */
6918 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6919 if (bacmp(&conn->dst, BDADDR_ANY) ||
6920 conn->type != ISO_LINK ||
6921 conn->iso_qos.bcast.big != ev->handle)
6924 if (hci_conn_set_handle(conn,
6925 __le16_to_cpu(ev->bis_handle[i++])))
6929 conn->state = BT_CONNECTED;
6930 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
6932 hci_debugfs_create_conn(conn);
6933 hci_conn_add_sysfs(conn);
6934 hci_iso_setup_path(conn);
6939 hci_connect_cfm(conn, ev->status);
6947 if (!ev->status && !i)
6948 /* If no BISes have been connected for the BIG,
6949 * terminate. This is in case all bound connections
6950 * have been closed before the BIG creation
6953 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
6954 UINT_PTR(ev->handle), NULL);
6956 hci_dev_unlock(hdev);
6959 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
6960 struct sk_buff *skb)
6962 struct hci_evt_le_big_sync_estabilished *ev = data;
6963 struct hci_conn *bis;
6966 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6968 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
6969 flex_array_size(ev, bis, ev->num_bis)))
6974 for (i = 0; i < ev->num_bis; i++) {
6975 u16 handle = le16_to_cpu(ev->bis[i]);
6978 bis = hci_conn_hash_lookup_handle(hdev, handle);
6980 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
6981 HCI_ROLE_SLAVE, handle);
6986 if (ev->status != 0x42)
6987 /* Mark PA sync as established */
6988 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
6990 bis->iso_qos.bcast.big = ev->handle;
6991 memset(&interval, 0, sizeof(interval));
6992 memcpy(&interval, ev->latency, sizeof(ev->latency));
6993 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
6994 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
6995 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
6996 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
6999 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7000 hci_iso_setup_path(bis);
7004 /* In case BIG sync failed, notify each failed connection to
7005 * the user after all hci connections have been added
7008 for (i = 0; i < ev->num_bis; i++) {
7009 u16 handle = le16_to_cpu(ev->bis[i]);
7011 bis = hci_conn_hash_lookup_handle(hdev, handle);
7013 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7014 hci_connect_cfm(bis, ev->status);
7017 hci_dev_unlock(hdev);
7020 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7021 struct sk_buff *skb)
7023 struct hci_evt_le_big_info_adv_report *ev = data;
7024 int mask = hdev->link_mode;
7026 struct hci_conn *pa_sync;
7028 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7032 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7033 if (!(mask & HCI_LM_ACCEPT)) {
7034 hci_le_pa_term_sync(hdev, ev->sync_handle);
7038 if (!(flags & HCI_PROTO_DEFER))
7041 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7043 le16_to_cpu(ev->sync_handle));
7048 /* Add connection to indicate the PA sync event */
7049 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7055 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7056 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7058 /* Notify iso layer */
7059 hci_connect_cfm(pa_sync, 0x00);
7061 /* Notify MGMT layer */
7062 mgmt_device_connected(hdev, pa_sync, NULL, 0);
7065 hci_dev_unlock(hdev);
7068 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7071 .min_len = _min_len, \
7072 .max_len = _max_len, \
7075 #define HCI_LE_EV(_op, _func, _len) \
7076 HCI_LE_EV_VL(_op, _func, _len, _len)
7078 #define HCI_LE_EV_STATUS(_op, _func) \
7079 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7081 /* Entries in this table shall have their position according to the subevent
7082 * opcode they handle so the use of the macros above is recommend since it does
7083 * attempt to initialize at its proper index using Designated Initializers that
7084 * way events without a callback function can be ommited.
7086 static const struct hci_le_ev {
7087 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7090 } hci_le_ev_table[U8_MAX + 1] = {
7091 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7092 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7093 sizeof(struct hci_ev_le_conn_complete)),
7094 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7095 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7096 sizeof(struct hci_ev_le_advertising_report),
7097 HCI_MAX_EVENT_SIZE),
7098 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7099 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7100 hci_le_conn_update_complete_evt,
7101 sizeof(struct hci_ev_le_conn_update_complete)),
7102 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7103 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7104 hci_le_remote_feat_complete_evt,
7105 sizeof(struct hci_ev_le_remote_feat_complete)),
7106 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7107 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7108 sizeof(struct hci_ev_le_ltk_req)),
7109 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7110 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7111 hci_le_remote_conn_param_req_evt,
7112 sizeof(struct hci_ev_le_remote_conn_param_req)),
7113 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7114 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7115 hci_le_enh_conn_complete_evt,
7116 sizeof(struct hci_ev_le_enh_conn_complete)),
7117 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7118 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7119 sizeof(struct hci_ev_le_direct_adv_report),
7120 HCI_MAX_EVENT_SIZE),
7121 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7122 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7123 sizeof(struct hci_ev_le_phy_update_complete)),
7124 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7125 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7126 sizeof(struct hci_ev_le_ext_adv_report),
7127 HCI_MAX_EVENT_SIZE),
7128 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7129 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7130 hci_le_pa_sync_estabilished_evt,
7131 sizeof(struct hci_ev_le_pa_sync_established)),
7132 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7133 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7134 hci_le_per_adv_report_evt,
7135 sizeof(struct hci_ev_le_per_adv_report),
7136 HCI_MAX_EVENT_SIZE),
7137 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7138 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7139 sizeof(struct hci_evt_le_ext_adv_set_term)),
7140 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7141 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7142 sizeof(struct hci_evt_le_cis_established)),
7143 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7144 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7145 sizeof(struct hci_evt_le_cis_req)),
7146 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7147 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7148 hci_le_create_big_complete_evt,
7149 sizeof(struct hci_evt_le_create_big_complete),
7150 HCI_MAX_EVENT_SIZE),
7151 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7152 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7153 hci_le_big_sync_established_evt,
7154 sizeof(struct hci_evt_le_big_sync_estabilished),
7155 HCI_MAX_EVENT_SIZE),
7156 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7157 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7158 hci_le_big_info_adv_report_evt,
7159 sizeof(struct hci_evt_le_big_info_adv_report),
7160 HCI_MAX_EVENT_SIZE),
7163 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7164 struct sk_buff *skb, u16 *opcode, u8 *status,
7165 hci_req_complete_t *req_complete,
7166 hci_req_complete_skb_t *req_complete_skb)
7168 struct hci_ev_le_meta *ev = data;
7169 const struct hci_le_ev *subev;
7171 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7173 /* Only match event if command OGF is for LE */
7174 if (hdev->req_skb &&
7175 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 &&
7176 hci_skb_event(hdev->req_skb) == ev->subevent) {
7177 *opcode = hci_skb_opcode(hdev->req_skb);
7178 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7182 subev = &hci_le_ev_table[ev->subevent];
7186 if (skb->len < subev->min_len) {
7187 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7188 ev->subevent, skb->len, subev->min_len);
7192 /* Just warn if the length is over max_len size it still be
7193 * possible to partially parse the event so leave to callback to
7194 * decide if that is acceptable.
7196 if (skb->len > subev->max_len)
7197 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7198 ev->subevent, skb->len, subev->max_len);
7199 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7203 subev->func(hdev, data, skb);
7206 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7207 u8 event, struct sk_buff *skb)
7209 struct hci_ev_cmd_complete *ev;
7210 struct hci_event_hdr *hdr;
7215 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7220 if (hdr->evt != event)
7225 /* Check if request ended in Command Status - no way to retrieve
7226 * any extra parameters in this case.
7228 if (hdr->evt == HCI_EV_CMD_STATUS)
7231 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7232 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7237 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7241 if (opcode != __le16_to_cpu(ev->opcode)) {
7242 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7243 __le16_to_cpu(ev->opcode));
7250 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7251 struct sk_buff *skb)
7253 struct hci_ev_le_advertising_info *adv;
7254 struct hci_ev_le_direct_adv_info *direct_adv;
7255 struct hci_ev_le_ext_adv_info *ext_adv;
7256 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7257 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7261 /* If we are currently suspended and this is the first BT event seen,
7262 * save the wake reason associated with the event.
7264 if (!hdev->suspended || hdev->wake_reason)
7267 /* Default to remote wake. Values for wake_reason are documented in the
7268 * Bluez mgmt api docs.
7270 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7272 /* Once configured for remote wakeup, we should only wake up for
7273 * reconnections. It's useful to see which device is waking us up so
7274 * keep track of the bdaddr of the connection event that woke us up.
7276 if (event == HCI_EV_CONN_REQUEST) {
7277 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7278 hdev->wake_addr_type = BDADDR_BREDR;
7279 } else if (event == HCI_EV_CONN_COMPLETE) {
7280 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7281 hdev->wake_addr_type = BDADDR_BREDR;
7282 } else if (event == HCI_EV_LE_META) {
7283 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7284 u8 subevent = le_ev->subevent;
7285 u8 *ptr = &skb->data[sizeof(*le_ev)];
7286 u8 num_reports = *ptr;
7288 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7289 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7290 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7292 adv = (void *)(ptr + 1);
7293 direct_adv = (void *)(ptr + 1);
7294 ext_adv = (void *)(ptr + 1);
7297 case HCI_EV_LE_ADVERTISING_REPORT:
7298 bacpy(&hdev->wake_addr, &adv->bdaddr);
7299 hdev->wake_addr_type = adv->bdaddr_type;
7301 case HCI_EV_LE_DIRECT_ADV_REPORT:
7302 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7303 hdev->wake_addr_type = direct_adv->bdaddr_type;
7305 case HCI_EV_LE_EXT_ADV_REPORT:
7306 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7307 hdev->wake_addr_type = ext_adv->bdaddr_type;
7312 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7316 hci_dev_unlock(hdev);
7319 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7323 .min_len = _min_len, \
7324 .max_len = _max_len, \
7327 #define HCI_EV(_op, _func, _len) \
7328 HCI_EV_VL(_op, _func, _len, _len)
7330 #define HCI_EV_STATUS(_op, _func) \
7331 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7333 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7336 .func_req = _func, \
7337 .min_len = _min_len, \
7338 .max_len = _max_len, \
7341 #define HCI_EV_REQ(_op, _func, _len) \
7342 HCI_EV_REQ_VL(_op, _func, _len, _len)
7344 /* Entries in this table shall have their position according to the event opcode
7345 * they handle so the use of the macros above is recommend since it does attempt
7346 * to initialize at its proper index using Designated Initializers that way
7347 * events without a callback function don't have entered.
7349 static const struct hci_ev {
7352 void (*func)(struct hci_dev *hdev, void *data,
7353 struct sk_buff *skb);
7354 void (*func_req)(struct hci_dev *hdev, void *data,
7355 struct sk_buff *skb, u16 *opcode, u8 *status,
7356 hci_req_complete_t *req_complete,
7357 hci_req_complete_skb_t *req_complete_skb);
7361 } hci_ev_table[U8_MAX + 1] = {
7362 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7363 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7364 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7365 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7366 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7367 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7368 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7369 sizeof(struct hci_ev_conn_complete)),
7370 /* [0x04 = HCI_EV_CONN_REQUEST] */
7371 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7372 sizeof(struct hci_ev_conn_request)),
7373 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7374 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7375 sizeof(struct hci_ev_disconn_complete)),
7376 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7377 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7378 sizeof(struct hci_ev_auth_complete)),
7379 /* [0x07 = HCI_EV_REMOTE_NAME] */
7380 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7381 sizeof(struct hci_ev_remote_name)),
7382 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7383 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7384 sizeof(struct hci_ev_encrypt_change)),
7385 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7386 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7387 hci_change_link_key_complete_evt,
7388 sizeof(struct hci_ev_change_link_key_complete)),
7389 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7390 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7391 sizeof(struct hci_ev_remote_features)),
7392 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7393 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7394 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7395 /* [0x0f = HCI_EV_CMD_STATUS] */
7396 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7397 sizeof(struct hci_ev_cmd_status)),
7398 /* [0x10 = HCI_EV_CMD_STATUS] */
7399 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7400 sizeof(struct hci_ev_hardware_error)),
7401 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7402 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7403 sizeof(struct hci_ev_role_change)),
7404 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7405 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7406 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7407 /* [0x14 = HCI_EV_MODE_CHANGE] */
7408 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7409 sizeof(struct hci_ev_mode_change)),
7410 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7411 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7412 sizeof(struct hci_ev_pin_code_req)),
7413 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7414 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7415 sizeof(struct hci_ev_link_key_req)),
7416 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7417 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7418 sizeof(struct hci_ev_link_key_notify)),
7419 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7420 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7421 sizeof(struct hci_ev_clock_offset)),
7422 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7423 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7424 sizeof(struct hci_ev_pkt_type_change)),
7425 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7426 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7427 sizeof(struct hci_ev_pscan_rep_mode)),
7428 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7429 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7430 hci_inquiry_result_with_rssi_evt,
7431 sizeof(struct hci_ev_inquiry_result_rssi),
7432 HCI_MAX_EVENT_SIZE),
7433 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7434 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7435 sizeof(struct hci_ev_remote_ext_features)),
7436 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7437 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7438 sizeof(struct hci_ev_sync_conn_complete)),
7439 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7440 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7441 hci_extended_inquiry_result_evt,
7442 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7443 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7444 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7445 sizeof(struct hci_ev_key_refresh_complete)),
7446 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7447 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7448 sizeof(struct hci_ev_io_capa_request)),
7449 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7450 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7451 sizeof(struct hci_ev_io_capa_reply)),
7452 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7453 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7454 sizeof(struct hci_ev_user_confirm_req)),
7455 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7456 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7457 sizeof(struct hci_ev_user_passkey_req)),
7458 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7459 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7460 sizeof(struct hci_ev_remote_oob_data_request)),
7461 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7462 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7463 sizeof(struct hci_ev_simple_pair_complete)),
7464 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7465 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7466 sizeof(struct hci_ev_user_passkey_notify)),
7467 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7468 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7469 sizeof(struct hci_ev_keypress_notify)),
7470 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7471 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7472 sizeof(struct hci_ev_remote_host_features)),
7473 /* [0x3e = HCI_EV_LE_META] */
7474 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7475 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7476 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7477 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7478 sizeof(struct hci_ev_num_comp_blocks)),
7479 /* [0xff = HCI_EV_VENDOR] */
7480 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7483 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7484 u16 *opcode, u8 *status,
7485 hci_req_complete_t *req_complete,
7486 hci_req_complete_skb_t *req_complete_skb)
7488 const struct hci_ev *ev = &hci_ev_table[event];
7494 if (skb->len < ev->min_len) {
7495 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7496 event, skb->len, ev->min_len);
7500 /* Just warn if the length is over max_len size it still be
7501 * possible to partially parse the event so leave to callback to
7502 * decide if that is acceptable.
7504 if (skb->len > ev->max_len)
7505 bt_dev_warn_ratelimited(hdev,
7506 "unexpected event 0x%2.2x length: %u > %u",
7507 event, skb->len, ev->max_len);
7509 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7514 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7517 ev->func(hdev, data, skb);
7520 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7522 struct hci_event_hdr *hdr = (void *) skb->data;
7523 hci_req_complete_t req_complete = NULL;
7524 hci_req_complete_skb_t req_complete_skb = NULL;
7525 struct sk_buff *orig_skb = NULL;
7526 u8 status = 0, event, req_evt = 0;
7527 u16 opcode = HCI_OP_NOP;
7529 if (skb->len < sizeof(*hdr)) {
7530 bt_dev_err(hdev, "Malformed HCI Event");
7534 kfree_skb(hdev->recv_event);
7535 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7539 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7544 /* Only match event if command OGF is not for LE */
7545 if (hdev->req_skb &&
7546 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
7547 hci_skb_event(hdev->req_skb) == event) {
7548 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
7549 status, &req_complete, &req_complete_skb);
7553 /* If it looks like we might end up having to call
7554 * req_complete_skb, store a pristine copy of the skb since the
7555 * various handlers may modify the original one through
7556 * skb_pull() calls, etc.
7558 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7559 event == HCI_EV_CMD_COMPLETE)
7560 orig_skb = skb_clone(skb, GFP_KERNEL);
7562 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7564 /* Store wake reason if we're suspended */
7565 hci_store_wake_reason(hdev, event, skb);
7567 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7569 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7573 req_complete(hdev, status, opcode);
7574 } else if (req_complete_skb) {
7575 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7576 kfree_skb(orig_skb);
7579 req_complete_skb(hdev, status, opcode, orig_skb);
7583 kfree_skb(orig_skb);
7585 hdev->stat.evt_rx++;
projects / linux.git / blob