2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
43 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
44 "\x00\x00\x00\x00\x00\x00\x00\x00"
46 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
48 /* Handle HCI Event packets */
50 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
55 data = skb_pull_data(skb, len);
57 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
62 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
67 data = skb_pull_data(skb, len);
69 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
74 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
79 data = skb_pull_data(skb, len);
81 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
86 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
89 struct hci_ev_status *rp = data;
91 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
93 /* It is possible that we receive Inquiry Complete event right
94 * before we receive Inquiry Cancel Command Complete event, in
95 * which case the latter event should have status of Command
96 * Disallowed (0x0c). This should not be treated as error, since
97 * we actually achieve what Inquiry Cancel wants to achieve,
98 * which is to end the last Inquiry session.
100 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
101 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
108 clear_bit(HCI_INQUIRY, &hdev->flags);
109 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
110 wake_up_bit(&hdev->flags, HCI_INQUIRY);
113 /* Set discovery state to stopped if we're not doing LE active
116 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
117 hdev->le_scan_type != LE_SCAN_ACTIVE)
118 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
119 hci_dev_unlock(hdev);
121 hci_conn_check_pending(hdev);
126 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
129 struct hci_ev_status *rp = data;
131 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
136 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
141 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
144 struct hci_ev_status *rp = data;
146 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
151 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
153 hci_conn_check_pending(hdev);
158 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
161 struct hci_ev_status *rp = data;
163 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
168 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
171 struct hci_rp_role_discovery *rp = data;
172 struct hci_conn *conn;
174 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
181 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
183 conn->role = rp->role;
185 hci_dev_unlock(hdev);
190 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
193 struct hci_rp_read_link_policy *rp = data;
194 struct hci_conn *conn;
196 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
203 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
205 conn->link_policy = __le16_to_cpu(rp->policy);
207 hci_dev_unlock(hdev);
212 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
215 struct hci_rp_write_link_policy *rp = data;
216 struct hci_conn *conn;
219 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
224 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
230 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
232 conn->link_policy = get_unaligned_le16(sent + 2);
234 hci_dev_unlock(hdev);
239 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
242 struct hci_rp_read_def_link_policy *rp = data;
244 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
249 hdev->link_policy = __le16_to_cpu(rp->policy);
254 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
257 struct hci_ev_status *rp = data;
260 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
265 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
269 hdev->link_policy = get_unaligned_le16(sent);
274 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
276 struct hci_ev_status *rp = data;
278 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
280 clear_bit(HCI_RESET, &hdev->flags);
285 /* Reset all non-persistent flags */
286 hci_dev_clear_volatile_flags(hdev);
288 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
290 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
291 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
293 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
294 hdev->adv_data_len = 0;
296 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
297 hdev->scan_rsp_data_len = 0;
299 hdev->le_scan_type = LE_SCAN_PASSIVE;
301 hdev->ssp_debug_mode = 0;
303 hci_bdaddr_list_clear(&hdev->le_accept_list);
304 hci_bdaddr_list_clear(&hdev->le_resolv_list);
309 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
312 struct hci_rp_read_stored_link_key *rp = data;
313 struct hci_cp_read_stored_link_key *sent;
315 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
317 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
321 if (!rp->status && sent->read_all == 0x01) {
322 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
323 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
329 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
332 struct hci_rp_delete_stored_link_key *rp = data;
335 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
340 num_keys = le16_to_cpu(rp->num_keys);
342 if (num_keys <= hdev->stored_num_keys)
343 hdev->stored_num_keys -= num_keys;
345 hdev->stored_num_keys = 0;
350 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
353 struct hci_ev_status *rp = data;
356 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
358 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
364 if (hci_dev_test_flag(hdev, HCI_MGMT))
365 mgmt_set_local_name_complete(hdev, sent, rp->status);
366 else if (!rp->status)
367 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
369 hci_dev_unlock(hdev);
374 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
377 struct hci_rp_read_local_name *rp = data;
379 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
384 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
385 hci_dev_test_flag(hdev, HCI_CONFIG))
386 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
391 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
394 struct hci_ev_status *rp = data;
397 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
399 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
406 __u8 param = *((__u8 *) sent);
408 if (param == AUTH_ENABLED)
409 set_bit(HCI_AUTH, &hdev->flags);
411 clear_bit(HCI_AUTH, &hdev->flags);
414 if (hci_dev_test_flag(hdev, HCI_MGMT))
415 mgmt_auth_enable_complete(hdev, rp->status);
417 hci_dev_unlock(hdev);
422 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
425 struct hci_ev_status *rp = data;
429 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
434 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
438 param = *((__u8 *) sent);
441 set_bit(HCI_ENCRYPT, &hdev->flags);
443 clear_bit(HCI_ENCRYPT, &hdev->flags);
448 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
451 struct hci_ev_status *rp = data;
455 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
457 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
461 param = *((__u8 *) sent);
466 hdev->discov_timeout = 0;
470 if (param & SCAN_INQUIRY)
471 set_bit(HCI_ISCAN, &hdev->flags);
473 clear_bit(HCI_ISCAN, &hdev->flags);
475 if (param & SCAN_PAGE)
476 set_bit(HCI_PSCAN, &hdev->flags);
478 clear_bit(HCI_PSCAN, &hdev->flags);
481 hci_dev_unlock(hdev);
486 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
489 struct hci_ev_status *rp = data;
490 struct hci_cp_set_event_filter *cp;
493 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
498 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
502 cp = (struct hci_cp_set_event_filter *)sent;
504 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
505 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
507 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
512 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
515 struct hci_rp_read_class_of_dev *rp = data;
518 return HCI_ERROR_UNSPECIFIED;
520 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
525 memcpy(hdev->dev_class, rp->dev_class, 3);
527 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
528 hdev->dev_class[1], hdev->dev_class[0]);
533 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
536 struct hci_ev_status *rp = data;
539 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
548 memcpy(hdev->dev_class, sent, 3);
550 if (hci_dev_test_flag(hdev, HCI_MGMT))
551 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
553 hci_dev_unlock(hdev);
558 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
561 struct hci_rp_read_voice_setting *rp = data;
564 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
569 setting = __le16_to_cpu(rp->voice_setting);
571 if (hdev->voice_setting == setting)
574 hdev->voice_setting = setting;
576 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
579 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
584 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
587 struct hci_ev_status *rp = data;
591 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
596 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
600 setting = get_unaligned_le16(sent);
602 if (hdev->voice_setting == setting)
605 hdev->voice_setting = setting;
607 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
610 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
615 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
618 struct hci_rp_read_num_supported_iac *rp = data;
620 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
625 hdev->num_iac = rp->num_iac;
627 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
632 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
635 struct hci_ev_status *rp = data;
636 struct hci_cp_write_ssp_mode *sent;
638 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
640 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
648 hdev->features[1][0] |= LMP_HOST_SSP;
650 hdev->features[1][0] &= ~LMP_HOST_SSP;
655 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
657 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
660 hci_dev_unlock(hdev);
665 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
668 struct hci_ev_status *rp = data;
669 struct hci_cp_write_sc_support *sent;
671 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
673 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
681 hdev->features[1][0] |= LMP_HOST_SC;
683 hdev->features[1][0] &= ~LMP_HOST_SC;
686 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
688 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
690 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
693 hci_dev_unlock(hdev);
698 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
701 struct hci_rp_read_local_version *rp = data;
703 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
708 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
709 hci_dev_test_flag(hdev, HCI_CONFIG)) {
710 hdev->hci_ver = rp->hci_ver;
711 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
712 hdev->lmp_ver = rp->lmp_ver;
713 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
714 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
720 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
723 struct hci_rp_read_enc_key_size *rp = data;
724 struct hci_conn *conn;
726 u8 status = rp->status;
728 bt_dev_dbg(hdev, "status 0x%2.2x", status);
730 handle = le16_to_cpu(rp->handle);
734 conn = hci_conn_hash_lookup_handle(hdev, handle);
740 /* While unexpected, the read_enc_key_size command may fail. The most
741 * secure approach is to then assume the key size is 0 to force a
745 bt_dev_err(hdev, "failed to read key size for handle %u",
747 conn->enc_key_size = 0;
749 conn->enc_key_size = rp->key_size;
752 if (conn->enc_key_size < hdev->min_enc_key_size) {
753 /* As slave role, the conn->state has been set to
754 * BT_CONNECTED and l2cap conn req might not be received
755 * yet, at this moment the l2cap layer almost does
756 * nothing with the non-zero status.
757 * So we also clear encrypt related bits, and then the
758 * handler of l2cap conn req will get the right secure
759 * state at a later time.
761 status = HCI_ERROR_AUTH_FAILURE;
762 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
763 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
767 hci_encrypt_cfm(conn, status);
770 hci_dev_unlock(hdev);
775 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
778 struct hci_rp_read_local_commands *rp = data;
780 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
785 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
786 hci_dev_test_flag(hdev, HCI_CONFIG))
787 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
792 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
795 struct hci_rp_read_auth_payload_to *rp = data;
796 struct hci_conn *conn;
798 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
805 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
807 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
809 hci_dev_unlock(hdev);
814 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
817 struct hci_rp_write_auth_payload_to *rp = data;
818 struct hci_conn *conn;
821 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
823 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
829 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
836 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
839 hci_dev_unlock(hdev);
844 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
847 struct hci_rp_read_local_features *rp = data;
849 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
854 memcpy(hdev->features, rp->features, 8);
856 /* Adjust default settings according to features
857 * supported by device. */
859 if (hdev->features[0][0] & LMP_3SLOT)
860 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
862 if (hdev->features[0][0] & LMP_5SLOT)
863 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
865 if (hdev->features[0][1] & LMP_HV2) {
866 hdev->pkt_type |= (HCI_HV2);
867 hdev->esco_type |= (ESCO_HV2);
870 if (hdev->features[0][1] & LMP_HV3) {
871 hdev->pkt_type |= (HCI_HV3);
872 hdev->esco_type |= (ESCO_HV3);
875 if (lmp_esco_capable(hdev))
876 hdev->esco_type |= (ESCO_EV3);
878 if (hdev->features[0][4] & LMP_EV4)
879 hdev->esco_type |= (ESCO_EV4);
881 if (hdev->features[0][4] & LMP_EV5)
882 hdev->esco_type |= (ESCO_EV5);
884 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
885 hdev->esco_type |= (ESCO_2EV3);
887 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
888 hdev->esco_type |= (ESCO_3EV3);
890 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
891 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
896 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
899 struct hci_rp_read_local_ext_features *rp = data;
901 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
906 if (hdev->max_page < rp->max_page) {
907 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
909 bt_dev_warn(hdev, "broken local ext features page 2");
911 hdev->max_page = rp->max_page;
914 if (rp->page < HCI_MAX_PAGES)
915 memcpy(hdev->features[rp->page], rp->features, 8);
920 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
923 struct hci_rp_read_flow_control_mode *rp = data;
925 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
930 hdev->flow_ctl_mode = rp->mode;
935 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
938 struct hci_rp_read_buffer_size *rp = data;
940 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
945 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
946 hdev->sco_mtu = rp->sco_mtu;
947 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
948 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
950 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
955 hdev->acl_cnt = hdev->acl_pkts;
956 hdev->sco_cnt = hdev->sco_pkts;
958 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
959 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
964 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
967 struct hci_rp_read_bd_addr *rp = data;
969 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
974 if (test_bit(HCI_INIT, &hdev->flags))
975 bacpy(&hdev->bdaddr, &rp->bdaddr);
977 if (hci_dev_test_flag(hdev, HCI_SETUP))
978 bacpy(&hdev->setup_addr, &rp->bdaddr);
983 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
986 struct hci_rp_read_local_pairing_opts *rp = data;
988 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
993 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
994 hci_dev_test_flag(hdev, HCI_CONFIG)) {
995 hdev->pairing_opts = rp->pairing_opts;
996 hdev->max_enc_key_size = rp->max_key_size;
1002 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1003 struct sk_buff *skb)
1005 struct hci_rp_read_page_scan_activity *rp = data;
1007 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1012 if (test_bit(HCI_INIT, &hdev->flags)) {
1013 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1014 hdev->page_scan_window = __le16_to_cpu(rp->window);
1020 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1021 struct sk_buff *skb)
1023 struct hci_ev_status *rp = data;
1024 struct hci_cp_write_page_scan_activity *sent;
1026 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1031 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1035 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1036 hdev->page_scan_window = __le16_to_cpu(sent->window);
1041 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1042 struct sk_buff *skb)
1044 struct hci_rp_read_page_scan_type *rp = data;
1046 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1051 if (test_bit(HCI_INIT, &hdev->flags))
1052 hdev->page_scan_type = rp->type;
1057 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1058 struct sk_buff *skb)
1060 struct hci_ev_status *rp = data;
1063 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1068 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1070 hdev->page_scan_type = *type;
1075 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1076 struct sk_buff *skb)
1078 struct hci_rp_read_data_block_size *rp = data;
1080 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1085 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1086 hdev->block_len = __le16_to_cpu(rp->block_len);
1087 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1089 hdev->block_cnt = hdev->num_blocks;
1091 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1092 hdev->block_cnt, hdev->block_len);
1097 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1098 struct sk_buff *skb)
1100 struct hci_rp_read_clock *rp = data;
1101 struct hci_cp_read_clock *cp;
1102 struct hci_conn *conn;
1104 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1111 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1115 if (cp->which == 0x00) {
1116 hdev->clock = le32_to_cpu(rp->clock);
1120 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1122 conn->clock = le32_to_cpu(rp->clock);
1123 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1127 hci_dev_unlock(hdev);
1131 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1132 struct sk_buff *skb)
1134 struct hci_rp_read_local_amp_info *rp = data;
1136 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1141 hdev->amp_status = rp->amp_status;
1142 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1143 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1144 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1145 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1146 hdev->amp_type = rp->amp_type;
1147 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1148 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1149 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1150 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1155 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1156 struct sk_buff *skb)
1158 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1160 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1165 hdev->inq_tx_power = rp->tx_power;
1170 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1171 struct sk_buff *skb)
1173 struct hci_rp_read_def_err_data_reporting *rp = data;
1175 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1180 hdev->err_data_reporting = rp->err_data_reporting;
1185 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1186 struct sk_buff *skb)
1188 struct hci_ev_status *rp = data;
1189 struct hci_cp_write_def_err_data_reporting *cp;
1191 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1196 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1200 hdev->err_data_reporting = cp->err_data_reporting;
1205 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1206 struct sk_buff *skb)
1208 struct hci_rp_pin_code_reply *rp = data;
1209 struct hci_cp_pin_code_reply *cp;
1210 struct hci_conn *conn;
1212 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1216 if (hci_dev_test_flag(hdev, HCI_MGMT))
1217 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1222 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1226 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1228 conn->pin_length = cp->pin_len;
1231 hci_dev_unlock(hdev);
1235 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1236 struct sk_buff *skb)
1238 struct hci_rp_pin_code_neg_reply *rp = data;
1240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1244 if (hci_dev_test_flag(hdev, HCI_MGMT))
1245 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1248 hci_dev_unlock(hdev);
1253 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1254 struct sk_buff *skb)
1256 struct hci_rp_le_read_buffer_size *rp = data;
1258 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1263 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1264 hdev->le_pkts = rp->le_max_pkt;
1266 hdev->le_cnt = hdev->le_pkts;
1268 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1273 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1274 struct sk_buff *skb)
1276 struct hci_rp_le_read_local_features *rp = data;
1278 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1283 memcpy(hdev->le_features, rp->features, 8);
1288 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1289 struct sk_buff *skb)
1291 struct hci_rp_le_read_adv_tx_power *rp = data;
1293 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1298 hdev->adv_tx_power = rp->tx_power;
1303 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1304 struct sk_buff *skb)
1306 struct hci_rp_user_confirm_reply *rp = data;
1308 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1312 if (hci_dev_test_flag(hdev, HCI_MGMT))
1313 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1316 hci_dev_unlock(hdev);
1321 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1322 struct sk_buff *skb)
1324 struct hci_rp_user_confirm_reply *rp = data;
1326 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1330 if (hci_dev_test_flag(hdev, HCI_MGMT))
1331 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1332 ACL_LINK, 0, rp->status);
1334 hci_dev_unlock(hdev);
1339 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1340 struct sk_buff *skb)
1342 struct hci_rp_user_confirm_reply *rp = data;
1344 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1348 if (hci_dev_test_flag(hdev, HCI_MGMT))
1349 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1352 hci_dev_unlock(hdev);
1357 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1358 struct sk_buff *skb)
1360 struct hci_rp_user_confirm_reply *rp = data;
1362 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1366 if (hci_dev_test_flag(hdev, HCI_MGMT))
1367 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1368 ACL_LINK, 0, rp->status);
1370 hci_dev_unlock(hdev);
1375 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1376 struct sk_buff *skb)
1378 struct hci_rp_read_local_oob_data *rp = data;
1380 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1385 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1386 struct sk_buff *skb)
1388 struct hci_rp_read_local_oob_ext_data *rp = data;
1390 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1395 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1396 struct sk_buff *skb)
1398 struct hci_ev_status *rp = data;
1401 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1406 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1412 bacpy(&hdev->random_addr, sent);
1414 if (!bacmp(&hdev->rpa, sent)) {
1415 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1416 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1417 secs_to_jiffies(hdev->rpa_timeout));
1420 hci_dev_unlock(hdev);
1425 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1426 struct sk_buff *skb)
1428 struct hci_ev_status *rp = data;
1429 struct hci_cp_le_set_default_phy *cp;
1431 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1436 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1442 hdev->le_tx_def_phys = cp->tx_phys;
1443 hdev->le_rx_def_phys = cp->rx_phys;
1445 hci_dev_unlock(hdev);
1450 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1451 struct sk_buff *skb)
1453 struct hci_ev_status *rp = data;
1454 struct hci_cp_le_set_adv_set_rand_addr *cp;
1455 struct adv_info *adv;
1457 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1462 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1463 /* Update only in case the adv instance since handle 0x00 shall be using
1464 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1465 * non-extended adverting.
1467 if (!cp || !cp->handle)
1472 adv = hci_find_adv_instance(hdev, cp->handle);
1474 bacpy(&adv->random_addr, &cp->bdaddr);
1475 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1476 adv->rpa_expired = false;
1477 queue_delayed_work(hdev->workqueue,
1478 &adv->rpa_expired_cb,
1479 secs_to_jiffies(hdev->rpa_timeout));
1483 hci_dev_unlock(hdev);
1488 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1489 struct sk_buff *skb)
1491 struct hci_ev_status *rp = data;
1495 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1500 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1506 err = hci_remove_adv_instance(hdev, *instance);
1508 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1511 hci_dev_unlock(hdev);
1516 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1517 struct sk_buff *skb)
1519 struct hci_ev_status *rp = data;
1520 struct adv_info *adv, *n;
1523 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1528 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1533 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1534 u8 instance = adv->instance;
1536 err = hci_remove_adv_instance(hdev, instance);
1538 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1542 hci_dev_unlock(hdev);
1547 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1548 struct sk_buff *skb)
1550 struct hci_rp_le_read_transmit_power *rp = data;
1552 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1557 hdev->min_le_tx_power = rp->min_le_tx_power;
1558 hdev->max_le_tx_power = rp->max_le_tx_power;
1563 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1564 struct sk_buff *skb)
1566 struct hci_ev_status *rp = data;
1567 struct hci_cp_le_set_privacy_mode *cp;
1568 struct hci_conn_params *params;
1570 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1575 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1581 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1583 WRITE_ONCE(params->privacy_mode, cp->mode);
1585 hci_dev_unlock(hdev);
1590 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1591 struct sk_buff *skb)
1593 struct hci_ev_status *rp = data;
1596 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1601 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1607 /* If we're doing connection initiation as peripheral. Set a
1608 * timeout in case something goes wrong.
1611 struct hci_conn *conn;
1613 hci_dev_set_flag(hdev, HCI_LE_ADV);
1615 conn = hci_lookup_le_connect(hdev);
1617 queue_delayed_work(hdev->workqueue,
1618 &conn->le_conn_timeout,
1619 conn->conn_timeout);
1621 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1624 hci_dev_unlock(hdev);
1629 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1630 struct sk_buff *skb)
1632 struct hci_cp_le_set_ext_adv_enable *cp;
1633 struct hci_cp_ext_adv_set *set;
1634 struct adv_info *adv = NULL, *n;
1635 struct hci_ev_status *rp = data;
1637 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1642 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1646 set = (void *)cp->data;
1650 if (cp->num_of_sets)
1651 adv = hci_find_adv_instance(hdev, set->handle);
1654 struct hci_conn *conn;
1656 hci_dev_set_flag(hdev, HCI_LE_ADV);
1658 if (adv && !adv->periodic)
1659 adv->enabled = true;
1661 conn = hci_lookup_le_connect(hdev);
1663 queue_delayed_work(hdev->workqueue,
1664 &conn->le_conn_timeout,
1665 conn->conn_timeout);
1667 if (cp->num_of_sets) {
1669 adv->enabled = false;
1671 /* If just one instance was disabled check if there are
1672 * any other instance enabled before clearing HCI_LE_ADV
1674 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1680 /* All instances shall be considered disabled */
1681 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1683 adv->enabled = false;
1686 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1690 hci_dev_unlock(hdev);
1694 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1695 struct sk_buff *skb)
1697 struct hci_cp_le_set_scan_param *cp;
1698 struct hci_ev_status *rp = data;
1700 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1705 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1711 hdev->le_scan_type = cp->type;
1713 hci_dev_unlock(hdev);
1718 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1719 struct sk_buff *skb)
1721 struct hci_cp_le_set_ext_scan_params *cp;
1722 struct hci_ev_status *rp = data;
1723 struct hci_cp_le_scan_phy_params *phy_param;
1725 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1730 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1734 phy_param = (void *)cp->data;
1738 hdev->le_scan_type = phy_param->type;
1740 hci_dev_unlock(hdev);
1745 static bool has_pending_adv_report(struct hci_dev *hdev)
1747 struct discovery_state *d = &hdev->discovery;
1749 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1752 static void clear_pending_adv_report(struct hci_dev *hdev)
1754 struct discovery_state *d = &hdev->discovery;
1756 bacpy(&d->last_adv_addr, BDADDR_ANY);
1757 d->last_adv_data_len = 0;
1760 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1761 u8 bdaddr_type, s8 rssi, u32 flags,
1764 struct discovery_state *d = &hdev->discovery;
1766 if (len > max_adv_len(hdev))
1769 bacpy(&d->last_adv_addr, bdaddr);
1770 d->last_adv_addr_type = bdaddr_type;
1771 d->last_adv_rssi = rssi;
1772 d->last_adv_flags = flags;
1773 memcpy(d->last_adv_data, data, len);
1774 d->last_adv_data_len = len;
1777 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1782 case LE_SCAN_ENABLE:
1783 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1784 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1785 clear_pending_adv_report(hdev);
1786 if (hci_dev_test_flag(hdev, HCI_MESH))
1787 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1790 case LE_SCAN_DISABLE:
1791 /* We do this here instead of when setting DISCOVERY_STOPPED
1792 * since the latter would potentially require waiting for
1793 * inquiry to stop too.
1795 if (has_pending_adv_report(hdev)) {
1796 struct discovery_state *d = &hdev->discovery;
1798 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1799 d->last_adv_addr_type, NULL,
1800 d->last_adv_rssi, d->last_adv_flags,
1802 d->last_adv_data_len, NULL, 0, 0);
1805 /* Cancel this timer so that we don't try to disable scanning
1806 * when it's already disabled.
1808 cancel_delayed_work(&hdev->le_scan_disable);
1810 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1812 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1813 * interrupted scanning due to a connect request. Mark
1814 * therefore discovery as stopped.
1816 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1817 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1818 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1819 hdev->discovery.state == DISCOVERY_FINDING)
1820 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1825 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1830 hci_dev_unlock(hdev);
1833 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1834 struct sk_buff *skb)
1836 struct hci_cp_le_set_scan_enable *cp;
1837 struct hci_ev_status *rp = data;
1839 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1844 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1848 le_set_scan_enable_complete(hdev, cp->enable);
1853 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1854 struct sk_buff *skb)
1856 struct hci_cp_le_set_ext_scan_enable *cp;
1857 struct hci_ev_status *rp = data;
1859 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1864 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1868 le_set_scan_enable_complete(hdev, cp->enable);
1873 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1874 struct sk_buff *skb)
1876 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1878 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1884 hdev->le_num_of_adv_sets = rp->num_of_sets;
1889 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1890 struct sk_buff *skb)
1892 struct hci_rp_le_read_accept_list_size *rp = data;
1894 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1899 hdev->le_accept_list_size = rp->size;
1904 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1905 struct sk_buff *skb)
1907 struct hci_ev_status *rp = data;
1909 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1915 hci_bdaddr_list_clear(&hdev->le_accept_list);
1916 hci_dev_unlock(hdev);
1921 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1922 struct sk_buff *skb)
1924 struct hci_cp_le_add_to_accept_list *sent;
1925 struct hci_ev_status *rp = data;
1927 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1932 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1937 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1939 hci_dev_unlock(hdev);
1944 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1945 struct sk_buff *skb)
1947 struct hci_cp_le_del_from_accept_list *sent;
1948 struct hci_ev_status *rp = data;
1950 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1955 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1960 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1962 hci_dev_unlock(hdev);
1967 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1968 struct sk_buff *skb)
1970 struct hci_rp_le_read_supported_states *rp = data;
1972 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1977 memcpy(hdev->le_states, rp->le_states, 8);
1982 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1983 struct sk_buff *skb)
1985 struct hci_rp_le_read_def_data_len *rp = data;
1987 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1992 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1993 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1998 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1999 struct sk_buff *skb)
2001 struct hci_cp_le_write_def_data_len *sent;
2002 struct hci_ev_status *rp = data;
2004 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2009 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2013 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2014 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2019 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2020 struct sk_buff *skb)
2022 struct hci_cp_le_add_to_resolv_list *sent;
2023 struct hci_ev_status *rp = data;
2025 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2030 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2035 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2036 sent->bdaddr_type, sent->peer_irk,
2038 hci_dev_unlock(hdev);
2043 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2044 struct sk_buff *skb)
2046 struct hci_cp_le_del_from_resolv_list *sent;
2047 struct hci_ev_status *rp = data;
2049 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2054 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2059 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2061 hci_dev_unlock(hdev);
2066 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2067 struct sk_buff *skb)
2069 struct hci_ev_status *rp = data;
2071 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2077 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2078 hci_dev_unlock(hdev);
2083 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2084 struct sk_buff *skb)
2086 struct hci_rp_le_read_resolv_list_size *rp = data;
2088 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2093 hdev->le_resolv_list_size = rp->size;
2098 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2099 struct sk_buff *skb)
2101 struct hci_ev_status *rp = data;
2104 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2109 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2116 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2118 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2120 hci_dev_unlock(hdev);
2125 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2126 struct sk_buff *skb)
2128 struct hci_rp_le_read_max_data_len *rp = data;
2130 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2135 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2136 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2137 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2138 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2143 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2144 struct sk_buff *skb)
2146 struct hci_cp_write_le_host_supported *sent;
2147 struct hci_ev_status *rp = data;
2149 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2154 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2161 hdev->features[1][0] |= LMP_HOST_LE;
2162 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2164 hdev->features[1][0] &= ~LMP_HOST_LE;
2165 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2166 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2170 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2172 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2174 hci_dev_unlock(hdev);
2179 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2180 struct sk_buff *skb)
2182 struct hci_cp_le_set_adv_param *cp;
2183 struct hci_ev_status *rp = data;
2185 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2190 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2195 hdev->adv_addr_type = cp->own_address_type;
2196 hci_dev_unlock(hdev);
2201 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2202 struct sk_buff *skb)
2204 struct hci_rp_le_set_ext_adv_params *rp = data;
2205 struct hci_cp_le_set_ext_adv_params *cp;
2206 struct adv_info *adv_instance;
2208 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2213 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2218 hdev->adv_addr_type = cp->own_addr_type;
2220 /* Store in hdev for instance 0 */
2221 hdev->adv_tx_power = rp->tx_power;
2223 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2225 adv_instance->tx_power = rp->tx_power;
2227 /* Update adv data as tx power is known now */
2228 hci_update_adv_data(hdev, cp->handle);
2230 hci_dev_unlock(hdev);
2235 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2236 struct sk_buff *skb)
2238 struct hci_rp_read_rssi *rp = data;
2239 struct hci_conn *conn;
2241 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2248 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2250 conn->rssi = rp->rssi;
2252 hci_dev_unlock(hdev);
2257 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2258 struct sk_buff *skb)
2260 struct hci_cp_read_tx_power *sent;
2261 struct hci_rp_read_tx_power *rp = data;
2262 struct hci_conn *conn;
2264 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2269 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2275 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2279 switch (sent->type) {
2281 conn->tx_power = rp->tx_power;
2284 conn->max_tx_power = rp->tx_power;
2289 hci_dev_unlock(hdev);
2293 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2294 struct sk_buff *skb)
2296 struct hci_ev_status *rp = data;
2299 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2304 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2306 hdev->ssp_debug_mode = *mode;
2311 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2313 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2316 hci_conn_check_pending(hdev);
2320 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2321 set_bit(HCI_INQUIRY, &hdev->flags);
2324 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2326 struct hci_cp_create_conn *cp;
2327 struct hci_conn *conn;
2329 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2331 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2337 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2339 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2342 if (conn && conn->state == BT_CONNECT) {
2343 if (status != 0x0c || conn->attempt > 2) {
2344 conn->state = BT_CLOSED;
2345 hci_connect_cfm(conn, status);
2348 conn->state = BT_CONNECT2;
2352 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2355 bt_dev_err(hdev, "no memory for new connection");
2359 hci_dev_unlock(hdev);
2362 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2364 struct hci_cp_add_sco *cp;
2365 struct hci_conn *acl;
2366 struct hci_link *link;
2369 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2374 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2378 handle = __le16_to_cpu(cp->handle);
2380 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2384 acl = hci_conn_hash_lookup_handle(hdev, handle);
2386 link = list_first_entry_or_null(&acl->link_list,
2387 struct hci_link, list);
2388 if (link && link->conn) {
2389 link->conn->state = BT_CLOSED;
2391 hci_connect_cfm(link->conn, status);
2392 hci_conn_del(link->conn);
2396 hci_dev_unlock(hdev);
2399 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2401 struct hci_cp_auth_requested *cp;
2402 struct hci_conn *conn;
2404 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2409 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2415 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2417 if (conn->state == BT_CONFIG) {
2418 hci_connect_cfm(conn, status);
2419 hci_conn_drop(conn);
2423 hci_dev_unlock(hdev);
2426 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2428 struct hci_cp_set_conn_encrypt *cp;
2429 struct hci_conn *conn;
2431 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2436 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2442 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2444 if (conn->state == BT_CONFIG) {
2445 hci_connect_cfm(conn, status);
2446 hci_conn_drop(conn);
2450 hci_dev_unlock(hdev);
2453 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2454 struct hci_conn *conn)
2456 if (conn->state != BT_CONFIG || !conn->out)
2459 if (conn->pending_sec_level == BT_SECURITY_SDP)
2462 /* Only request authentication for SSP connections or non-SSP
2463 * devices with sec_level MEDIUM or HIGH or if MITM protection
2466 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2467 conn->pending_sec_level != BT_SECURITY_FIPS &&
2468 conn->pending_sec_level != BT_SECURITY_HIGH &&
2469 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2475 static int hci_resolve_name(struct hci_dev *hdev,
2476 struct inquiry_entry *e)
2478 struct hci_cp_remote_name_req cp;
2480 memset(&cp, 0, sizeof(cp));
2482 bacpy(&cp.bdaddr, &e->data.bdaddr);
2483 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2484 cp.pscan_mode = e->data.pscan_mode;
2485 cp.clock_offset = e->data.clock_offset;
2487 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2490 static bool hci_resolve_next_name(struct hci_dev *hdev)
2492 struct discovery_state *discov = &hdev->discovery;
2493 struct inquiry_entry *e;
2495 if (list_empty(&discov->resolve))
2498 /* We should stop if we already spent too much time resolving names. */
2499 if (time_after(jiffies, discov->name_resolve_timeout)) {
2500 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2504 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2508 if (hci_resolve_name(hdev, e) == 0) {
2509 e->name_state = NAME_PENDING;
2516 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2517 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2519 struct discovery_state *discov = &hdev->discovery;
2520 struct inquiry_entry *e;
2522 /* Update the mgmt connected state if necessary. Be careful with
2523 * conn objects that exist but are not (yet) connected however.
2524 * Only those in BT_CONFIG or BT_CONNECTED states can be
2525 * considered connected.
2527 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED))
2528 mgmt_device_connected(hdev, conn, name, name_len);
2530 if (discov->state == DISCOVERY_STOPPED)
2533 if (discov->state == DISCOVERY_STOPPING)
2534 goto discov_complete;
2536 if (discov->state != DISCOVERY_RESOLVING)
2539 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2540 /* If the device was not found in a list of found devices names of which
2541 * are pending. there is no need to continue resolving a next name as it
2542 * will be done upon receiving another Remote Name Request Complete
2549 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2550 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2553 if (hci_resolve_next_name(hdev))
2557 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2560 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2562 struct hci_cp_remote_name_req *cp;
2563 struct hci_conn *conn;
2565 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2567 /* If successful wait for the name req complete event before
2568 * checking for the need to do authentication */
2572 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2578 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2580 if (hci_dev_test_flag(hdev, HCI_MGMT))
2581 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2586 if (!hci_outgoing_auth_needed(hdev, conn))
2589 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2590 struct hci_cp_auth_requested auth_cp;
2592 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2594 auth_cp.handle = __cpu_to_le16(conn->handle);
2595 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2596 sizeof(auth_cp), &auth_cp);
2600 hci_dev_unlock(hdev);
2603 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2605 struct hci_cp_read_remote_features *cp;
2606 struct hci_conn *conn;
2608 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2613 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2619 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2621 if (conn->state == BT_CONFIG) {
2622 hci_connect_cfm(conn, status);
2623 hci_conn_drop(conn);
2627 hci_dev_unlock(hdev);
2630 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2632 struct hci_cp_read_remote_ext_features *cp;
2633 struct hci_conn *conn;
2635 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2640 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2646 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2648 if (conn->state == BT_CONFIG) {
2649 hci_connect_cfm(conn, status);
2650 hci_conn_drop(conn);
2654 hci_dev_unlock(hdev);
2657 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2660 struct hci_conn *acl;
2661 struct hci_link *link;
2663 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2667 acl = hci_conn_hash_lookup_handle(hdev, handle);
2669 link = list_first_entry_or_null(&acl->link_list,
2670 struct hci_link, list);
2671 if (link && link->conn) {
2672 link->conn->state = BT_CLOSED;
2674 hci_connect_cfm(link->conn, status);
2675 hci_conn_del(link->conn);
2679 hci_dev_unlock(hdev);
2682 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2684 struct hci_cp_setup_sync_conn *cp;
2686 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2691 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2695 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2698 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2700 struct hci_cp_enhanced_setup_sync_conn *cp;
2702 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2707 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2711 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2714 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2716 struct hci_cp_sniff_mode *cp;
2717 struct hci_conn *conn;
2719 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2724 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2730 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2732 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2734 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2735 hci_sco_setup(conn, status);
2738 hci_dev_unlock(hdev);
2741 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2743 struct hci_cp_exit_sniff_mode *cp;
2744 struct hci_conn *conn;
2746 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2751 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2757 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2759 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2761 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2762 hci_sco_setup(conn, status);
2765 hci_dev_unlock(hdev);
2768 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2770 struct hci_cp_disconnect *cp;
2771 struct hci_conn_params *params;
2772 struct hci_conn *conn;
2775 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2777 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2778 * otherwise cleanup the connection immediately.
2780 if (!status && !hdev->suspended)
2783 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2789 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2794 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2795 conn->dst_type, status);
2797 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2798 hdev->cur_adv_instance = conn->adv_instance;
2799 hci_enable_advertising(hdev);
2802 /* Inform sockets conn is gone before we delete it */
2803 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2808 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2810 if (conn->type == ACL_LINK) {
2811 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2812 hci_remove_link_key(hdev, &conn->dst);
2815 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2817 switch (params->auto_connect) {
2818 case HCI_AUTO_CONN_LINK_LOSS:
2819 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2823 case HCI_AUTO_CONN_DIRECT:
2824 case HCI_AUTO_CONN_ALWAYS:
2825 hci_pend_le_list_del_init(params);
2826 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2834 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2835 cp->reason, mgmt_conn);
2837 hci_disconn_cfm(conn, cp->reason);
2840 /* If the disconnection failed for any reason, the upper layer
2841 * does not retry to disconnect in current implementation.
2842 * Hence, we need to do some basic cleanup here and re-enable
2843 * advertising if necessary.
2847 hci_dev_unlock(hdev);
2850 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2852 /* When using controller based address resolution, then the new
2853 * address types 0x02 and 0x03 are used. These types need to be
2854 * converted back into either public address or random address type
2857 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2860 return ADDR_LE_DEV_PUBLIC;
2861 case ADDR_LE_DEV_RANDOM_RESOLVED:
2864 return ADDR_LE_DEV_RANDOM;
2872 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2873 u8 peer_addr_type, u8 own_address_type,
2876 struct hci_conn *conn;
2878 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2883 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2885 /* Store the initiator and responder address information which
2886 * is needed for SMP. These values will not change during the
2887 * lifetime of the connection.
2889 conn->init_addr_type = own_address_type;
2890 if (own_address_type == ADDR_LE_DEV_RANDOM)
2891 bacpy(&conn->init_addr, &hdev->random_addr);
2893 bacpy(&conn->init_addr, &hdev->bdaddr);
2895 conn->resp_addr_type = peer_addr_type;
2896 bacpy(&conn->resp_addr, peer_addr);
2899 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2901 struct hci_cp_le_create_conn *cp;
2903 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2905 /* All connection failure handling is taken care of by the
2906 * hci_conn_failed function which is triggered by the HCI
2907 * request completion callbacks used for connecting.
2912 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2918 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2919 cp->own_address_type, cp->filter_policy);
2921 hci_dev_unlock(hdev);
2924 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2926 struct hci_cp_le_ext_create_conn *cp;
2928 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2930 /* All connection failure handling is taken care of by the
2931 * hci_conn_failed function which is triggered by the HCI
2932 * request completion callbacks used for connecting.
2937 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2943 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2944 cp->own_addr_type, cp->filter_policy);
2946 hci_dev_unlock(hdev);
2949 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2951 struct hci_cp_le_read_remote_features *cp;
2952 struct hci_conn *conn;
2954 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2959 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2965 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2967 if (conn->state == BT_CONFIG) {
2968 hci_connect_cfm(conn, status);
2969 hci_conn_drop(conn);
2973 hci_dev_unlock(hdev);
2976 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2978 struct hci_cp_le_start_enc *cp;
2979 struct hci_conn *conn;
2981 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2988 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2992 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2996 if (conn->state != BT_CONNECTED)
2999 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3000 hci_conn_drop(conn);
3003 hci_dev_unlock(hdev);
3006 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3008 struct hci_cp_switch_role *cp;
3009 struct hci_conn *conn;
3011 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3016 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3022 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3024 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3026 hci_dev_unlock(hdev);
3029 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3030 struct sk_buff *skb)
3032 struct hci_ev_status *ev = data;
3033 struct discovery_state *discov = &hdev->discovery;
3034 struct inquiry_entry *e;
3036 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3038 hci_conn_check_pending(hdev);
3040 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3043 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3044 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3046 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3051 if (discov->state != DISCOVERY_FINDING)
3054 if (list_empty(&discov->resolve)) {
3055 /* When BR/EDR inquiry is active and no LE scanning is in
3056 * progress, then change discovery state to indicate completion.
3058 * When running LE scanning and BR/EDR inquiry simultaneously
3059 * and the LE scan already finished, then change the discovery
3060 * state to indicate completion.
3062 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3063 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3064 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3068 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3069 if (e && hci_resolve_name(hdev, e) == 0) {
3070 e->name_state = NAME_PENDING;
3071 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3072 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3074 /* When BR/EDR inquiry is active and no LE scanning is in
3075 * progress, then change discovery state to indicate completion.
3077 * When running LE scanning and BR/EDR inquiry simultaneously
3078 * and the LE scan already finished, then change the discovery
3079 * state to indicate completion.
3081 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3082 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3083 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3087 hci_dev_unlock(hdev);
3090 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3091 struct sk_buff *skb)
3093 struct hci_ev_inquiry_result *ev = edata;
3094 struct inquiry_data data;
3097 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3098 flex_array_size(ev, info, ev->num)))
3101 bt_dev_dbg(hdev, "num %d", ev->num);
3106 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3111 for (i = 0; i < ev->num; i++) {
3112 struct inquiry_info *info = &ev->info[i];
3115 bacpy(&data.bdaddr, &info->bdaddr);
3116 data.pscan_rep_mode = info->pscan_rep_mode;
3117 data.pscan_period_mode = info->pscan_period_mode;
3118 data.pscan_mode = info->pscan_mode;
3119 memcpy(data.dev_class, info->dev_class, 3);
3120 data.clock_offset = info->clock_offset;
3121 data.rssi = HCI_RSSI_INVALID;
3122 data.ssp_mode = 0x00;
3124 flags = hci_inquiry_cache_update(hdev, &data, false);
3126 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3127 info->dev_class, HCI_RSSI_INVALID,
3128 flags, NULL, 0, NULL, 0, 0);
3131 hci_dev_unlock(hdev);
3134 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3135 struct sk_buff *skb)
3137 struct hci_ev_conn_complete *ev = data;
3138 struct hci_conn *conn;
3139 u8 status = ev->status;
3141 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3145 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3147 /* In case of error status and there is no connection pending
3148 * just unlock as there is nothing to cleanup.
3153 /* Connection may not exist if auto-connected. Check the bredr
3154 * allowlist to see if this device is allowed to auto connect.
3155 * If link is an ACL type, create a connection class
3158 * Auto-connect will only occur if the event filter is
3159 * programmed with a given address. Right now, event filter is
3160 * only used during suspend.
3162 if (ev->link_type == ACL_LINK &&
3163 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3166 conn = hci_conn_add_unset(hdev, ev->link_type,
3167 &ev->bdaddr, HCI_ROLE_SLAVE);
3169 bt_dev_err(hdev, "no memory for new conn");
3173 if (ev->link_type != SCO_LINK)
3176 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3181 conn->type = SCO_LINK;
3185 /* The HCI_Connection_Complete event is only sent once per connection.
3186 * Processing it more than once per connection can corrupt kernel memory.
3188 * As the connection handle is set here for the first time, it indicates
3189 * whether the connection is already set up.
3191 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3192 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3197 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3201 if (conn->type == ACL_LINK) {
3202 conn->state = BT_CONFIG;
3203 hci_conn_hold(conn);
3205 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3206 !hci_find_link_key(hdev, &ev->bdaddr))
3207 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3209 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3211 conn->state = BT_CONNECTED;
3213 hci_debugfs_create_conn(conn);
3214 hci_conn_add_sysfs(conn);
3216 if (test_bit(HCI_AUTH, &hdev->flags))
3217 set_bit(HCI_CONN_AUTH, &conn->flags);
3219 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3220 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3222 /* "Link key request" completed ahead of "connect request" completes */
3223 if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3224 ev->link_type == ACL_LINK) {
3225 struct link_key *key;
3226 struct hci_cp_read_enc_key_size cp;
3228 key = hci_find_link_key(hdev, &ev->bdaddr);
3230 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3232 if (!(hdev->commands[20] & 0x10)) {
3233 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3235 cp.handle = cpu_to_le16(conn->handle);
3236 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3238 bt_dev_err(hdev, "sending read key size failed");
3239 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3243 hci_encrypt_cfm(conn, ev->status);
3247 /* Get remote features */
3248 if (conn->type == ACL_LINK) {
3249 struct hci_cp_read_remote_features cp;
3250 cp.handle = ev->handle;
3251 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3254 hci_update_scan(hdev);
3257 /* Set packet type for incoming connection */
3258 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3259 struct hci_cp_change_conn_ptype cp;
3260 cp.handle = ev->handle;
3261 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3262 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3267 if (conn->type == ACL_LINK)
3268 hci_sco_setup(conn, ev->status);
3272 hci_conn_failed(conn, status);
3273 } else if (ev->link_type == SCO_LINK) {
3274 switch (conn->setting & SCO_AIRMODE_MASK) {
3275 case SCO_AIRMODE_CVSD:
3277 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3281 hci_connect_cfm(conn, status);
3285 hci_dev_unlock(hdev);
3287 hci_conn_check_pending(hdev);
3290 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3292 struct hci_cp_reject_conn_req cp;
3294 bacpy(&cp.bdaddr, bdaddr);
3295 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3296 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3299 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3300 struct sk_buff *skb)
3302 struct hci_ev_conn_request *ev = data;
3303 int mask = hdev->link_mode;
3304 struct inquiry_entry *ie;
3305 struct hci_conn *conn;
3308 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3310 /* Reject incoming connection from device with same BD ADDR against
3313 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3314 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3316 hci_reject_conn(hdev, &ev->bdaddr);
3320 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3323 if (!(mask & HCI_LM_ACCEPT)) {
3324 hci_reject_conn(hdev, &ev->bdaddr);
3330 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3332 hci_reject_conn(hdev, &ev->bdaddr);
3336 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3337 * connection. These features are only touched through mgmt so
3338 * only do the checks if HCI_MGMT is set.
3340 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3341 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3342 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3344 hci_reject_conn(hdev, &ev->bdaddr);
3348 /* Connection accepted */
3350 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3352 memcpy(ie->data.dev_class, ev->dev_class, 3);
3354 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3357 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3360 bt_dev_err(hdev, "no memory for new connection");
3365 memcpy(conn->dev_class, ev->dev_class, 3);
3367 hci_dev_unlock(hdev);
3369 if (ev->link_type == ACL_LINK ||
3370 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3371 struct hci_cp_accept_conn_req cp;
3372 conn->state = BT_CONNECT;
3374 bacpy(&cp.bdaddr, &ev->bdaddr);
3376 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3377 cp.role = 0x00; /* Become central */
3379 cp.role = 0x01; /* Remain peripheral */
3381 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3382 } else if (!(flags & HCI_PROTO_DEFER)) {
3383 struct hci_cp_accept_sync_conn_req cp;
3384 conn->state = BT_CONNECT;
3386 bacpy(&cp.bdaddr, &ev->bdaddr);
3387 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3389 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3390 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3391 cp.max_latency = cpu_to_le16(0xffff);
3392 cp.content_format = cpu_to_le16(hdev->voice_setting);
3393 cp.retrans_effort = 0xff;
3395 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3398 conn->state = BT_CONNECT2;
3399 hci_connect_cfm(conn, 0);
3404 hci_dev_unlock(hdev);
3407 static u8 hci_to_mgmt_reason(u8 err)
3410 case HCI_ERROR_CONNECTION_TIMEOUT:
3411 return MGMT_DEV_DISCONN_TIMEOUT;
3412 case HCI_ERROR_REMOTE_USER_TERM:
3413 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3414 case HCI_ERROR_REMOTE_POWER_OFF:
3415 return MGMT_DEV_DISCONN_REMOTE;
3416 case HCI_ERROR_LOCAL_HOST_TERM:
3417 return MGMT_DEV_DISCONN_LOCAL_HOST;
3419 return MGMT_DEV_DISCONN_UNKNOWN;
3423 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3424 struct sk_buff *skb)
3426 struct hci_ev_disconn_complete *ev = data;
3428 struct hci_conn_params *params;
3429 struct hci_conn *conn;
3430 bool mgmt_connected;
3432 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3436 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3441 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3442 conn->dst_type, ev->status);
3446 conn->state = BT_CLOSED;
3448 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3450 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3451 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3453 reason = hci_to_mgmt_reason(ev->reason);
3455 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3456 reason, mgmt_connected);
3458 if (conn->type == ACL_LINK) {
3459 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3460 hci_remove_link_key(hdev, &conn->dst);
3462 hci_update_scan(hdev);
3465 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3467 switch (params->auto_connect) {
3468 case HCI_AUTO_CONN_LINK_LOSS:
3469 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3473 case HCI_AUTO_CONN_DIRECT:
3474 case HCI_AUTO_CONN_ALWAYS:
3475 hci_pend_le_list_del_init(params);
3476 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3477 hci_update_passive_scan(hdev);
3485 hci_disconn_cfm(conn, ev->reason);
3487 /* Re-enable advertising if necessary, since it might
3488 * have been disabled by the connection. From the
3489 * HCI_LE_Set_Advertise_Enable command description in
3490 * the core specification (v4.0):
3491 * "The Controller shall continue advertising until the Host
3492 * issues an LE_Set_Advertise_Enable command with
3493 * Advertising_Enable set to 0x00 (Advertising is disabled)
3494 * or until a connection is created or until the Advertising
3495 * is timed out due to Directed Advertising."
3497 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3498 hdev->cur_adv_instance = conn->adv_instance;
3499 hci_enable_advertising(hdev);
3505 hci_dev_unlock(hdev);
3508 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3509 struct sk_buff *skb)
3511 struct hci_ev_auth_complete *ev = data;
3512 struct hci_conn *conn;
3514 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3518 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3523 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3524 set_bit(HCI_CONN_AUTH, &conn->flags);
3525 conn->sec_level = conn->pending_sec_level;
3527 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3528 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3530 mgmt_auth_failed(conn, ev->status);
3533 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3535 if (conn->state == BT_CONFIG) {
3536 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3537 struct hci_cp_set_conn_encrypt cp;
3538 cp.handle = ev->handle;
3540 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3543 conn->state = BT_CONNECTED;
3544 hci_connect_cfm(conn, ev->status);
3545 hci_conn_drop(conn);
3548 hci_auth_cfm(conn, ev->status);
3550 hci_conn_hold(conn);
3551 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3552 hci_conn_drop(conn);
3555 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3557 struct hci_cp_set_conn_encrypt cp;
3558 cp.handle = ev->handle;
3560 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3563 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3564 hci_encrypt_cfm(conn, ev->status);
3569 hci_dev_unlock(hdev);
3572 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3573 struct sk_buff *skb)
3575 struct hci_ev_remote_name *ev = data;
3576 struct hci_conn *conn;
3578 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3582 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3584 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3587 if (ev->status == 0)
3588 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3589 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3591 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3597 if (!hci_outgoing_auth_needed(hdev, conn))
3600 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3601 struct hci_cp_auth_requested cp;
3603 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3605 cp.handle = __cpu_to_le16(conn->handle);
3606 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3610 hci_dev_unlock(hdev);
3613 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3614 struct sk_buff *skb)
3616 struct hci_ev_encrypt_change *ev = data;
3617 struct hci_conn *conn;
3619 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3623 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3629 /* Encryption implies authentication */
3630 set_bit(HCI_CONN_AUTH, &conn->flags);
3631 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3632 conn->sec_level = conn->pending_sec_level;
3634 /* P-256 authentication key implies FIPS */
3635 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3636 set_bit(HCI_CONN_FIPS, &conn->flags);
3638 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3639 conn->type == LE_LINK)
3640 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3642 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3643 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3647 /* We should disregard the current RPA and generate a new one
3648 * whenever the encryption procedure fails.
3650 if (ev->status && conn->type == LE_LINK) {
3651 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3652 hci_adv_instances_set_rpa_expired(hdev, true);
3655 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3657 /* Check link security requirements are met */
3658 if (!hci_conn_check_link_mode(conn))
3659 ev->status = HCI_ERROR_AUTH_FAILURE;
3661 if (ev->status && conn->state == BT_CONNECTED) {
3662 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3663 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3665 /* Notify upper layers so they can cleanup before
3668 hci_encrypt_cfm(conn, ev->status);
3669 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3670 hci_conn_drop(conn);
3674 /* Try reading the encryption key size for encrypted ACL links */
3675 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3676 struct hci_cp_read_enc_key_size cp;
3678 /* Only send HCI_Read_Encryption_Key_Size if the
3679 * controller really supports it. If it doesn't, assume
3680 * the default size (16).
3682 if (!(hdev->commands[20] & 0x10) ||
3683 test_bit(HCI_QUIRK_BROKEN_READ_ENC_KEY_SIZE, &hdev->quirks)) {
3684 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3688 cp.handle = cpu_to_le16(conn->handle);
3689 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3691 bt_dev_err(hdev, "sending read key size failed");
3692 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3699 /* Set the default Authenticated Payload Timeout after
3700 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3701 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3702 * sent when the link is active and Encryption is enabled, the conn
3703 * type can be either LE or ACL and controller must support LMP Ping.
3704 * Ensure for AES-CCM encryption as well.
3706 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3707 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3708 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3709 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3710 struct hci_cp_write_auth_payload_to cp;
3712 cp.handle = cpu_to_le16(conn->handle);
3713 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3714 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3716 bt_dev_err(hdev, "write auth payload timeout failed");
3720 hci_encrypt_cfm(conn, ev->status);
3723 hci_dev_unlock(hdev);
3726 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3727 struct sk_buff *skb)
3729 struct hci_ev_change_link_key_complete *ev = data;
3730 struct hci_conn *conn;
3732 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3736 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3739 set_bit(HCI_CONN_SECURE, &conn->flags);
3741 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3743 hci_key_change_cfm(conn, ev->status);
3746 hci_dev_unlock(hdev);
3749 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3750 struct sk_buff *skb)
3752 struct hci_ev_remote_features *ev = data;
3753 struct hci_conn *conn;
3755 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3759 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3764 memcpy(conn->features[0], ev->features, 8);
3766 if (conn->state != BT_CONFIG)
3769 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3770 lmp_ext_feat_capable(conn)) {
3771 struct hci_cp_read_remote_ext_features cp;
3772 cp.handle = ev->handle;
3774 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3779 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3780 struct hci_cp_remote_name_req cp;
3781 memset(&cp, 0, sizeof(cp));
3782 bacpy(&cp.bdaddr, &conn->dst);
3783 cp.pscan_rep_mode = 0x02;
3784 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3786 mgmt_device_connected(hdev, conn, NULL, 0);
3789 if (!hci_outgoing_auth_needed(hdev, conn)) {
3790 conn->state = BT_CONNECTED;
3791 hci_connect_cfm(conn, ev->status);
3792 hci_conn_drop(conn);
3796 hci_dev_unlock(hdev);
3799 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3801 cancel_delayed_work(&hdev->cmd_timer);
3804 if (!test_bit(HCI_RESET, &hdev->flags)) {
3806 cancel_delayed_work(&hdev->ncmd_timer);
3807 atomic_set(&hdev->cmd_cnt, 1);
3809 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3810 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3817 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3818 struct sk_buff *skb)
3820 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3822 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3827 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3828 hdev->le_pkts = rp->acl_max_pkt;
3829 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3830 hdev->iso_pkts = rp->iso_max_pkt;
3832 hdev->le_cnt = hdev->le_pkts;
3833 hdev->iso_cnt = hdev->iso_pkts;
3835 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3836 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3841 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3843 struct hci_conn *conn, *tmp;
3845 lockdep_assert_held(&hdev->lock);
3847 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3848 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3849 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3852 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3853 hci_conn_failed(conn, status);
3857 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3858 struct sk_buff *skb)
3860 struct hci_rp_le_set_cig_params *rp = data;
3861 struct hci_cp_le_set_cig_params *cp;
3862 struct hci_conn *conn;
3863 u8 status = rp->status;
3864 bool pending = false;
3867 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3869 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3870 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3871 rp->cig_id != cp->cig_id)) {
3872 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3873 status = HCI_ERROR_UNSPECIFIED;
3878 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3880 * If the Status return parameter is non-zero, then the state of the CIG
3881 * and its CIS configurations shall not be changed by the command. If
3882 * the CIG did not already exist, it shall not be created.
3885 /* Keep current configuration, fail only the unbound CIS */
3886 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3890 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3892 * If the Status return parameter is zero, then the Controller shall
3893 * set the Connection_Handle arrayed return parameter to the connection
3894 * handle(s) corresponding to the CIS configurations specified in
3895 * the CIS_IDs command parameter, in the same order.
3897 for (i = 0; i < rp->num_handles; ++i) {
3898 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3900 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3903 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3906 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3909 if (conn->state == BT_CONNECT)
3915 hci_le_create_cis_pending(hdev);
3917 hci_dev_unlock(hdev);
3922 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3923 struct sk_buff *skb)
3925 struct hci_rp_le_setup_iso_path *rp = data;
3926 struct hci_cp_le_setup_iso_path *cp;
3927 struct hci_conn *conn;
3929 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3931 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3937 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3942 hci_connect_cfm(conn, rp->status);
3947 switch (cp->direction) {
3948 /* Input (Host to Controller) */
3950 /* Only confirm connection if output only */
3951 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3952 hci_connect_cfm(conn, rp->status);
3954 /* Output (Controller to Host) */
3956 /* Confirm connection since conn->iso_qos is always configured
3959 hci_connect_cfm(conn, rp->status);
3961 /* Notify device connected in case it is a BIG Sync */
3962 if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
3963 mgmt_device_connected(hdev, conn, NULL, 0);
3969 hci_dev_unlock(hdev);
3973 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3975 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3978 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3979 struct sk_buff *skb)
3981 struct hci_ev_status *rp = data;
3982 struct hci_cp_le_set_per_adv_params *cp;
3984 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3989 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3993 /* TODO: set the conn state */
3997 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3998 struct sk_buff *skb)
4000 struct hci_ev_status *rp = data;
4001 struct hci_cp_le_set_per_adv_enable *cp;
4002 struct adv_info *adv = NULL, *n;
4005 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4010 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4016 adv = hci_find_adv_instance(hdev, cp->handle);
4019 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4022 adv->enabled = true;
4024 /* If just one instance was disabled check if there are
4025 * any other instance enabled before clearing HCI_LE_PER_ADV.
4026 * The current periodic adv instance will be marked as
4027 * disabled once extended advertising is also disabled.
4029 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4031 if (adv->periodic && adv->enabled)
4035 if (per_adv_cnt > 1)
4038 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4042 hci_dev_unlock(hdev);
4047 #define HCI_CC_VL(_op, _func, _min, _max) \
4055 #define HCI_CC(_op, _func, _len) \
4056 HCI_CC_VL(_op, _func, _len, _len)
4058 #define HCI_CC_STATUS(_op, _func) \
4059 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4061 static const struct hci_cc {
4063 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4066 } hci_cc_table[] = {
4067 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4068 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4069 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4070 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4071 hci_cc_remote_name_req_cancel),
4072 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4073 sizeof(struct hci_rp_role_discovery)),
4074 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4075 sizeof(struct hci_rp_read_link_policy)),
4076 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4077 sizeof(struct hci_rp_write_link_policy)),
4078 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4079 sizeof(struct hci_rp_read_def_link_policy)),
4080 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4081 hci_cc_write_def_link_policy),
4082 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4083 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4084 sizeof(struct hci_rp_read_stored_link_key)),
4085 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4086 sizeof(struct hci_rp_delete_stored_link_key)),
4087 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4088 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4089 sizeof(struct hci_rp_read_local_name)),
4090 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4091 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4092 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4093 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4094 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4095 sizeof(struct hci_rp_read_class_of_dev)),
4096 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4097 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4098 sizeof(struct hci_rp_read_voice_setting)),
4099 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4100 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4101 sizeof(struct hci_rp_read_num_supported_iac)),
4102 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4103 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4104 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4105 sizeof(struct hci_rp_read_auth_payload_to)),
4106 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4107 sizeof(struct hci_rp_write_auth_payload_to)),
4108 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4109 sizeof(struct hci_rp_read_local_version)),
4110 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4111 sizeof(struct hci_rp_read_local_commands)),
4112 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4113 sizeof(struct hci_rp_read_local_features)),
4114 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4115 sizeof(struct hci_rp_read_local_ext_features)),
4116 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4117 sizeof(struct hci_rp_read_buffer_size)),
4118 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4119 sizeof(struct hci_rp_read_bd_addr)),
4120 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4121 sizeof(struct hci_rp_read_local_pairing_opts)),
4122 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4123 sizeof(struct hci_rp_read_page_scan_activity)),
4124 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4125 hci_cc_write_page_scan_activity),
4126 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4127 sizeof(struct hci_rp_read_page_scan_type)),
4128 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4129 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4130 sizeof(struct hci_rp_read_data_block_size)),
4131 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4132 sizeof(struct hci_rp_read_flow_control_mode)),
4133 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4134 sizeof(struct hci_rp_read_local_amp_info)),
4135 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4136 sizeof(struct hci_rp_read_clock)),
4137 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4138 sizeof(struct hci_rp_read_enc_key_size)),
4139 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4140 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4141 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4142 hci_cc_read_def_err_data_reporting,
4143 sizeof(struct hci_rp_read_def_err_data_reporting)),
4144 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4145 hci_cc_write_def_err_data_reporting),
4146 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4147 sizeof(struct hci_rp_pin_code_reply)),
4148 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4149 sizeof(struct hci_rp_pin_code_neg_reply)),
4150 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4151 sizeof(struct hci_rp_read_local_oob_data)),
4152 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4153 sizeof(struct hci_rp_read_local_oob_ext_data)),
4154 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4155 sizeof(struct hci_rp_le_read_buffer_size)),
4156 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4157 sizeof(struct hci_rp_le_read_local_features)),
4158 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4159 sizeof(struct hci_rp_le_read_adv_tx_power)),
4160 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4161 sizeof(struct hci_rp_user_confirm_reply)),
4162 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4163 sizeof(struct hci_rp_user_confirm_reply)),
4164 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4165 sizeof(struct hci_rp_user_confirm_reply)),
4166 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4167 sizeof(struct hci_rp_user_confirm_reply)),
4168 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4169 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4170 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4171 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4172 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4173 hci_cc_le_read_accept_list_size,
4174 sizeof(struct hci_rp_le_read_accept_list_size)),
4175 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4176 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4177 hci_cc_le_add_to_accept_list),
4178 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4179 hci_cc_le_del_from_accept_list),
4180 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4181 sizeof(struct hci_rp_le_read_supported_states)),
4182 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4183 sizeof(struct hci_rp_le_read_def_data_len)),
4184 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4185 hci_cc_le_write_def_data_len),
4186 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4187 hci_cc_le_add_to_resolv_list),
4188 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4189 hci_cc_le_del_from_resolv_list),
4190 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4191 hci_cc_le_clear_resolv_list),
4192 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4193 sizeof(struct hci_rp_le_read_resolv_list_size)),
4194 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4195 hci_cc_le_set_addr_resolution_enable),
4196 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4197 sizeof(struct hci_rp_le_read_max_data_len)),
4198 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4199 hci_cc_write_le_host_supported),
4200 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4201 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4202 sizeof(struct hci_rp_read_rssi)),
4203 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4204 sizeof(struct hci_rp_read_tx_power)),
4205 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4206 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4207 hci_cc_le_set_ext_scan_param),
4208 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4209 hci_cc_le_set_ext_scan_enable),
4210 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4211 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4212 hci_cc_le_read_num_adv_sets,
4213 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4214 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4215 sizeof(struct hci_rp_le_set_ext_adv_params)),
4216 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4217 hci_cc_le_set_ext_adv_enable),
4218 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4219 hci_cc_le_set_adv_set_random_addr),
4220 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4221 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4222 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4223 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4224 hci_cc_le_set_per_adv_enable),
4225 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4226 sizeof(struct hci_rp_le_read_transmit_power)),
4227 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4228 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4229 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4230 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4231 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4232 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4233 sizeof(struct hci_rp_le_setup_iso_path)),
4236 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4237 struct sk_buff *skb)
4241 if (skb->len < cc->min_len) {
4242 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4243 cc->op, skb->len, cc->min_len);
4244 return HCI_ERROR_UNSPECIFIED;
4247 /* Just warn if the length is over max_len size it still be possible to
4248 * partially parse the cc so leave to callback to decide if that is
4251 if (skb->len > cc->max_len)
4252 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4253 cc->op, skb->len, cc->max_len);
4255 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4257 return HCI_ERROR_UNSPECIFIED;
4259 return cc->func(hdev, data, skb);
4262 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4263 struct sk_buff *skb, u16 *opcode, u8 *status,
4264 hci_req_complete_t *req_complete,
4265 hci_req_complete_skb_t *req_complete_skb)
4267 struct hci_ev_cmd_complete *ev = data;
4270 *opcode = __le16_to_cpu(ev->opcode);
4272 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4274 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4275 if (hci_cc_table[i].op == *opcode) {
4276 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4281 if (i == ARRAY_SIZE(hci_cc_table)) {
4282 /* Unknown opcode, assume byte 0 contains the status, so
4283 * that e.g. __hci_cmd_sync() properly returns errors
4284 * for vendor specific commands send by HCI drivers.
4285 * If a vendor doesn't actually follow this convention we may
4286 * need to introduce a vendor CC table in order to properly set
4289 *status = skb->data[0];
4292 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4294 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4297 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4299 "unexpected event for opcode 0x%4.4x", *opcode);
4303 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4304 queue_work(hdev->workqueue, &hdev->cmd_work);
4307 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4309 struct hci_cp_le_create_cis *cp;
4310 bool pending = false;
4313 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4318 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4324 /* Remove connection if command failed */
4325 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4326 struct hci_conn *conn;
4329 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4331 conn = hci_conn_hash_lookup_handle(hdev, handle);
4333 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4336 conn->state = BT_CLOSED;
4337 hci_connect_cfm(conn, status);
4343 hci_le_create_cis_pending(hdev);
4345 hci_dev_unlock(hdev);
4348 #define HCI_CS(_op, _func) \
4354 static const struct hci_cs {
4356 void (*func)(struct hci_dev *hdev, __u8 status);
4357 } hci_cs_table[] = {
4358 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4359 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4360 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4361 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4362 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4363 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4364 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4365 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4366 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4367 hci_cs_read_remote_ext_features),
4368 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4369 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4370 hci_cs_enhanced_setup_sync_conn),
4371 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4372 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4373 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4374 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4375 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4376 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4377 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4378 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4379 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4382 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4383 struct sk_buff *skb, u16 *opcode, u8 *status,
4384 hci_req_complete_t *req_complete,
4385 hci_req_complete_skb_t *req_complete_skb)
4387 struct hci_ev_cmd_status *ev = data;
4390 *opcode = __le16_to_cpu(ev->opcode);
4391 *status = ev->status;
4393 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4395 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4396 if (hci_cs_table[i].op == *opcode) {
4397 hci_cs_table[i].func(hdev, ev->status);
4402 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4404 /* Indicate request completion if the command failed. Also, if
4405 * we're not waiting for a special event and we get a success
4406 * command status we should try to flag the request as completed
4407 * (since for this kind of commands there will not be a command
4410 if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
4411 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4413 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4414 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4420 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4421 queue_work(hdev->workqueue, &hdev->cmd_work);
4424 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4425 struct sk_buff *skb)
4427 struct hci_ev_hardware_error *ev = data;
4429 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4431 hdev->hw_error_code = ev->code;
4433 queue_work(hdev->req_workqueue, &hdev->error_reset);
4436 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4437 struct sk_buff *skb)
4439 struct hci_ev_role_change *ev = data;
4440 struct hci_conn *conn;
4442 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4446 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4449 conn->role = ev->role;
4451 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4453 hci_role_switch_cfm(conn, ev->status, ev->role);
4456 hci_dev_unlock(hdev);
4459 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4460 struct sk_buff *skb)
4462 struct hci_ev_num_comp_pkts *ev = data;
4465 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4466 flex_array_size(ev, handles, ev->num)))
4469 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4470 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4474 bt_dev_dbg(hdev, "num %d", ev->num);
4476 for (i = 0; i < ev->num; i++) {
4477 struct hci_comp_pkts_info *info = &ev->handles[i];
4478 struct hci_conn *conn;
4479 __u16 handle, count;
4481 handle = __le16_to_cpu(info->handle);
4482 count = __le16_to_cpu(info->count);
4484 conn = hci_conn_hash_lookup_handle(hdev, handle);
4488 conn->sent -= count;
4490 switch (conn->type) {
4492 hdev->acl_cnt += count;
4493 if (hdev->acl_cnt > hdev->acl_pkts)
4494 hdev->acl_cnt = hdev->acl_pkts;
4498 if (hdev->le_pkts) {
4499 hdev->le_cnt += count;
4500 if (hdev->le_cnt > hdev->le_pkts)
4501 hdev->le_cnt = hdev->le_pkts;
4503 hdev->acl_cnt += count;
4504 if (hdev->acl_cnt > hdev->acl_pkts)
4505 hdev->acl_cnt = hdev->acl_pkts;
4510 hdev->sco_cnt += count;
4511 if (hdev->sco_cnt > hdev->sco_pkts)
4512 hdev->sco_cnt = hdev->sco_pkts;
4516 if (hdev->iso_pkts) {
4517 hdev->iso_cnt += count;
4518 if (hdev->iso_cnt > hdev->iso_pkts)
4519 hdev->iso_cnt = hdev->iso_pkts;
4520 } else if (hdev->le_pkts) {
4521 hdev->le_cnt += count;
4522 if (hdev->le_cnt > hdev->le_pkts)
4523 hdev->le_cnt = hdev->le_pkts;
4525 hdev->acl_cnt += count;
4526 if (hdev->acl_cnt > hdev->acl_pkts)
4527 hdev->acl_cnt = hdev->acl_pkts;
4532 bt_dev_err(hdev, "unknown type %d conn %p",
4538 queue_work(hdev->workqueue, &hdev->tx_work);
4541 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4544 struct hci_chan *chan;
4546 switch (hdev->dev_type) {
4548 return hci_conn_hash_lookup_handle(hdev, handle);
4550 chan = hci_chan_lookup_handle(hdev, handle);
4555 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4562 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4563 struct sk_buff *skb)
4565 struct hci_ev_num_comp_blocks *ev = data;
4568 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4569 flex_array_size(ev, handles, ev->num_hndl)))
4572 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4573 bt_dev_err(hdev, "wrong event for mode %d",
4574 hdev->flow_ctl_mode);
4578 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4581 for (i = 0; i < ev->num_hndl; i++) {
4582 struct hci_comp_blocks_info *info = &ev->handles[i];
4583 struct hci_conn *conn = NULL;
4584 __u16 handle, block_count;
4586 handle = __le16_to_cpu(info->handle);
4587 block_count = __le16_to_cpu(info->blocks);
4589 conn = __hci_conn_lookup_handle(hdev, handle);
4593 conn->sent -= block_count;
4595 switch (conn->type) {
4598 hdev->block_cnt += block_count;
4599 if (hdev->block_cnt > hdev->num_blocks)
4600 hdev->block_cnt = hdev->num_blocks;
4604 bt_dev_err(hdev, "unknown type %d conn %p",
4610 queue_work(hdev->workqueue, &hdev->tx_work);
4613 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4614 struct sk_buff *skb)
4616 struct hci_ev_mode_change *ev = data;
4617 struct hci_conn *conn;
4619 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4623 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4625 conn->mode = ev->mode;
4627 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4629 if (conn->mode == HCI_CM_ACTIVE)
4630 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4632 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4635 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4636 hci_sco_setup(conn, ev->status);
4639 hci_dev_unlock(hdev);
4642 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4643 struct sk_buff *skb)
4645 struct hci_ev_pin_code_req *ev = data;
4646 struct hci_conn *conn;
4648 bt_dev_dbg(hdev, "");
4652 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4656 if (conn->state == BT_CONNECTED) {
4657 hci_conn_hold(conn);
4658 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4659 hci_conn_drop(conn);
4662 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4663 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4664 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4665 sizeof(ev->bdaddr), &ev->bdaddr);
4666 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4669 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4674 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4678 hci_dev_unlock(hdev);
4681 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4683 if (key_type == HCI_LK_CHANGED_COMBINATION)
4686 conn->pin_length = pin_len;
4687 conn->key_type = key_type;
4690 case HCI_LK_LOCAL_UNIT:
4691 case HCI_LK_REMOTE_UNIT:
4692 case HCI_LK_DEBUG_COMBINATION:
4694 case HCI_LK_COMBINATION:
4696 conn->pending_sec_level = BT_SECURITY_HIGH;
4698 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4700 case HCI_LK_UNAUTH_COMBINATION_P192:
4701 case HCI_LK_UNAUTH_COMBINATION_P256:
4702 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4704 case HCI_LK_AUTH_COMBINATION_P192:
4705 conn->pending_sec_level = BT_SECURITY_HIGH;
4707 case HCI_LK_AUTH_COMBINATION_P256:
4708 conn->pending_sec_level = BT_SECURITY_FIPS;
4713 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4714 struct sk_buff *skb)
4716 struct hci_ev_link_key_req *ev = data;
4717 struct hci_cp_link_key_reply cp;
4718 struct hci_conn *conn;
4719 struct link_key *key;
4721 bt_dev_dbg(hdev, "");
4723 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4728 key = hci_find_link_key(hdev, &ev->bdaddr);
4730 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4734 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4736 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4738 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4740 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4741 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4742 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4743 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4747 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4748 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4749 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4750 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4754 conn_set_key(conn, key->type, key->pin_len);
4757 bacpy(&cp.bdaddr, &ev->bdaddr);
4758 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4760 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4762 hci_dev_unlock(hdev);
4767 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4768 hci_dev_unlock(hdev);
4771 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4772 struct sk_buff *skb)
4774 struct hci_ev_link_key_notify *ev = data;
4775 struct hci_conn *conn;
4776 struct link_key *key;
4780 bt_dev_dbg(hdev, "");
4784 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4788 /* Ignore NULL link key against CVE-2020-26555 */
4789 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4790 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4792 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4793 hci_conn_drop(conn);
4797 hci_conn_hold(conn);
4798 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4799 hci_conn_drop(conn);
4801 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4802 conn_set_key(conn, ev->key_type, conn->pin_length);
4804 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4807 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4808 ev->key_type, pin_len, &persistent);
4812 /* Update connection information since adding the key will have
4813 * fixed up the type in the case of changed combination keys.
4815 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4816 conn_set_key(conn, key->type, key->pin_len);
4818 mgmt_new_link_key(hdev, key, persistent);
4820 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4821 * is set. If it's not set simply remove the key from the kernel
4822 * list (we've still notified user space about it but with
4823 * store_hint being 0).
4825 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4826 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4827 list_del_rcu(&key->list);
4828 kfree_rcu(key, rcu);
4833 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4835 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4838 hci_dev_unlock(hdev);
4841 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4842 struct sk_buff *skb)
4844 struct hci_ev_clock_offset *ev = data;
4845 struct hci_conn *conn;
4847 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4851 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4852 if (conn && !ev->status) {
4853 struct inquiry_entry *ie;
4855 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4857 ie->data.clock_offset = ev->clock_offset;
4858 ie->timestamp = jiffies;
4862 hci_dev_unlock(hdev);
4865 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4866 struct sk_buff *skb)
4868 struct hci_ev_pkt_type_change *ev = data;
4869 struct hci_conn *conn;
4871 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4875 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4876 if (conn && !ev->status)
4877 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4879 hci_dev_unlock(hdev);
4882 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4883 struct sk_buff *skb)
4885 struct hci_ev_pscan_rep_mode *ev = data;
4886 struct inquiry_entry *ie;
4888 bt_dev_dbg(hdev, "");
4892 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4894 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4895 ie->timestamp = jiffies;
4898 hci_dev_unlock(hdev);
4901 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4902 struct sk_buff *skb)
4904 struct hci_ev_inquiry_result_rssi *ev = edata;
4905 struct inquiry_data data;
4908 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4913 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4918 if (skb->len == array_size(ev->num,
4919 sizeof(struct inquiry_info_rssi_pscan))) {
4920 struct inquiry_info_rssi_pscan *info;
4922 for (i = 0; i < ev->num; i++) {
4925 info = hci_ev_skb_pull(hdev, skb,
4926 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4929 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4930 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4934 bacpy(&data.bdaddr, &info->bdaddr);
4935 data.pscan_rep_mode = info->pscan_rep_mode;
4936 data.pscan_period_mode = info->pscan_period_mode;
4937 data.pscan_mode = info->pscan_mode;
4938 memcpy(data.dev_class, info->dev_class, 3);
4939 data.clock_offset = info->clock_offset;
4940 data.rssi = info->rssi;
4941 data.ssp_mode = 0x00;
4943 flags = hci_inquiry_cache_update(hdev, &data, false);
4945 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4946 info->dev_class, info->rssi,
4947 flags, NULL, 0, NULL, 0, 0);
4949 } else if (skb->len == array_size(ev->num,
4950 sizeof(struct inquiry_info_rssi))) {
4951 struct inquiry_info_rssi *info;
4953 for (i = 0; i < ev->num; i++) {
4956 info = hci_ev_skb_pull(hdev, skb,
4957 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4960 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4961 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4965 bacpy(&data.bdaddr, &info->bdaddr);
4966 data.pscan_rep_mode = info->pscan_rep_mode;
4967 data.pscan_period_mode = info->pscan_period_mode;
4968 data.pscan_mode = 0x00;
4969 memcpy(data.dev_class, info->dev_class, 3);
4970 data.clock_offset = info->clock_offset;
4971 data.rssi = info->rssi;
4972 data.ssp_mode = 0x00;
4974 flags = hci_inquiry_cache_update(hdev, &data, false);
4976 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4977 info->dev_class, info->rssi,
4978 flags, NULL, 0, NULL, 0, 0);
4981 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4982 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4985 hci_dev_unlock(hdev);
4988 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4989 struct sk_buff *skb)
4991 struct hci_ev_remote_ext_features *ev = data;
4992 struct hci_conn *conn;
4994 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4998 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5002 if (ev->page < HCI_MAX_PAGES)
5003 memcpy(conn->features[ev->page], ev->features, 8);
5005 if (!ev->status && ev->page == 0x01) {
5006 struct inquiry_entry *ie;
5008 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5010 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5012 if (ev->features[0] & LMP_HOST_SSP) {
5013 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5015 /* It is mandatory by the Bluetooth specification that
5016 * Extended Inquiry Results are only used when Secure
5017 * Simple Pairing is enabled, but some devices violate
5020 * To make these devices work, the internal SSP
5021 * enabled flag needs to be cleared if the remote host
5022 * features do not indicate SSP support */
5023 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5026 if (ev->features[0] & LMP_HOST_SC)
5027 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5030 if (conn->state != BT_CONFIG)
5033 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5034 struct hci_cp_remote_name_req cp;
5035 memset(&cp, 0, sizeof(cp));
5036 bacpy(&cp.bdaddr, &conn->dst);
5037 cp.pscan_rep_mode = 0x02;
5038 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5040 mgmt_device_connected(hdev, conn, NULL, 0);
5043 if (!hci_outgoing_auth_needed(hdev, conn)) {
5044 conn->state = BT_CONNECTED;
5045 hci_connect_cfm(conn, ev->status);
5046 hci_conn_drop(conn);
5050 hci_dev_unlock(hdev);
5053 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5054 struct sk_buff *skb)
5056 struct hci_ev_sync_conn_complete *ev = data;
5057 struct hci_conn *conn;
5058 u8 status = ev->status;
5060 switch (ev->link_type) {
5065 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5066 * for HCI_Synchronous_Connection_Complete is limited to
5067 * either SCO or eSCO
5069 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5073 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5077 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5079 if (ev->link_type == ESCO_LINK)
5082 /* When the link type in the event indicates SCO connection
5083 * and lookup of the connection object fails, then check
5084 * if an eSCO connection object exists.
5086 * The core limits the synchronous connections to either
5087 * SCO or eSCO. The eSCO connection is preferred and tried
5088 * to be setup first and until successfully established,
5089 * the link type will be hinted as eSCO.
5091 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5096 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5097 * Processing it more than once per connection can corrupt kernel memory.
5099 * As the connection handle is set here for the first time, it indicates
5100 * whether the connection is already set up.
5102 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5103 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5109 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5111 conn->state = BT_CLOSED;
5115 conn->state = BT_CONNECTED;
5116 conn->type = ev->link_type;
5118 hci_debugfs_create_conn(conn);
5119 hci_conn_add_sysfs(conn);
5122 case 0x10: /* Connection Accept Timeout */
5123 case 0x0d: /* Connection Rejected due to Limited Resources */
5124 case 0x11: /* Unsupported Feature or Parameter Value */
5125 case 0x1c: /* SCO interval rejected */
5126 case 0x1a: /* Unsupported Remote Feature */
5127 case 0x1e: /* Invalid LMP Parameters */
5128 case 0x1f: /* Unspecified error */
5129 case 0x20: /* Unsupported LMP Parameter value */
5131 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5132 (hdev->esco_type & EDR_ESCO_MASK);
5133 if (hci_setup_sync(conn, conn->parent->handle))
5139 conn->state = BT_CLOSED;
5143 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5144 /* Notify only in case of SCO over HCI transport data path which
5145 * is zero and non-zero value shall be non-HCI transport data path
5147 if (conn->codec.data_path == 0 && hdev->notify) {
5148 switch (ev->air_mode) {
5150 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5153 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5158 hci_connect_cfm(conn, status);
5163 hci_dev_unlock(hdev);
5166 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5170 while (parsed < eir_len) {
5171 u8 field_len = eir[0];
5176 parsed += field_len + 1;
5177 eir += field_len + 1;
5183 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5184 struct sk_buff *skb)
5186 struct hci_ev_ext_inquiry_result *ev = edata;
5187 struct inquiry_data data;
5191 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5192 flex_array_size(ev, info, ev->num)))
5195 bt_dev_dbg(hdev, "num %d", ev->num);
5200 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5205 for (i = 0; i < ev->num; i++) {
5206 struct extended_inquiry_info *info = &ev->info[i];
5210 bacpy(&data.bdaddr, &info->bdaddr);
5211 data.pscan_rep_mode = info->pscan_rep_mode;
5212 data.pscan_period_mode = info->pscan_period_mode;
5213 data.pscan_mode = 0x00;
5214 memcpy(data.dev_class, info->dev_class, 3);
5215 data.clock_offset = info->clock_offset;
5216 data.rssi = info->rssi;
5217 data.ssp_mode = 0x01;
5219 if (hci_dev_test_flag(hdev, HCI_MGMT))
5220 name_known = eir_get_data(info->data,
5222 EIR_NAME_COMPLETE, NULL);
5226 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5228 eir_len = eir_get_length(info->data, sizeof(info->data));
5230 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5231 info->dev_class, info->rssi,
5232 flags, info->data, eir_len, NULL, 0, 0);
5235 hci_dev_unlock(hdev);
5238 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5239 struct sk_buff *skb)
5241 struct hci_ev_key_refresh_complete *ev = data;
5242 struct hci_conn *conn;
5244 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5245 __le16_to_cpu(ev->handle));
5249 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5253 /* For BR/EDR the necessary steps are taken through the
5254 * auth_complete event.
5256 if (conn->type != LE_LINK)
5260 conn->sec_level = conn->pending_sec_level;
5262 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5264 if (ev->status && conn->state == BT_CONNECTED) {
5265 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5266 hci_conn_drop(conn);
5270 if (conn->state == BT_CONFIG) {
5272 conn->state = BT_CONNECTED;
5274 hci_connect_cfm(conn, ev->status);
5275 hci_conn_drop(conn);
5277 hci_auth_cfm(conn, ev->status);
5279 hci_conn_hold(conn);
5280 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5281 hci_conn_drop(conn);
5285 hci_dev_unlock(hdev);
5288 static u8 hci_get_auth_req(struct hci_conn *conn)
5290 /* If remote requests no-bonding follow that lead */
5291 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5292 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5293 return conn->remote_auth | (conn->auth_type & 0x01);
5295 /* If both remote and local have enough IO capabilities, require
5298 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5299 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5300 return conn->remote_auth | 0x01;
5302 /* No MITM protection possible so ignore remote requirement */
5303 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5306 static u8 bredr_oob_data_present(struct hci_conn *conn)
5308 struct hci_dev *hdev = conn->hdev;
5309 struct oob_data *data;
5311 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5315 if (bredr_sc_enabled(hdev)) {
5316 /* When Secure Connections is enabled, then just
5317 * return the present value stored with the OOB
5318 * data. The stored value contains the right present
5319 * information. However it can only be trusted when
5320 * not in Secure Connection Only mode.
5322 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5323 return data->present;
5325 /* When Secure Connections Only mode is enabled, then
5326 * the P-256 values are required. If they are not
5327 * available, then do not declare that OOB data is
5330 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5331 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5337 /* When Secure Connections is not enabled or actually
5338 * not supported by the hardware, then check that if
5339 * P-192 data values are present.
5341 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5342 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5348 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5349 struct sk_buff *skb)
5351 struct hci_ev_io_capa_request *ev = data;
5352 struct hci_conn *conn;
5354 bt_dev_dbg(hdev, "");
5358 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5359 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5362 /* Assume remote supports SSP since it has triggered this event */
5363 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5365 hci_conn_hold(conn);
5367 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5370 /* Allow pairing if we're pairable, the initiators of the
5371 * pairing or if the remote is not requesting bonding.
5373 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5374 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5375 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5376 struct hci_cp_io_capability_reply cp;
5378 bacpy(&cp.bdaddr, &ev->bdaddr);
5379 /* Change the IO capability from KeyboardDisplay
5380 * to DisplayYesNo as it is not supported by BT spec. */
5381 cp.capability = (conn->io_capability == 0x04) ?
5382 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5384 /* If we are initiators, there is no remote information yet */
5385 if (conn->remote_auth == 0xff) {
5386 /* Request MITM protection if our IO caps allow it
5387 * except for the no-bonding case.
5389 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5390 conn->auth_type != HCI_AT_NO_BONDING)
5391 conn->auth_type |= 0x01;
5393 conn->auth_type = hci_get_auth_req(conn);
5396 /* If we're not bondable, force one of the non-bondable
5397 * authentication requirement values.
5399 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5400 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5402 cp.authentication = conn->auth_type;
5403 cp.oob_data = bredr_oob_data_present(conn);
5405 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5408 struct hci_cp_io_capability_neg_reply cp;
5410 bacpy(&cp.bdaddr, &ev->bdaddr);
5411 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5413 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5418 hci_dev_unlock(hdev);
5421 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5422 struct sk_buff *skb)
5424 struct hci_ev_io_capa_reply *ev = data;
5425 struct hci_conn *conn;
5427 bt_dev_dbg(hdev, "");
5431 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5435 conn->remote_cap = ev->capability;
5436 conn->remote_auth = ev->authentication;
5439 hci_dev_unlock(hdev);
5442 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5443 struct sk_buff *skb)
5445 struct hci_ev_user_confirm_req *ev = data;
5446 int loc_mitm, rem_mitm, confirm_hint = 0;
5447 struct hci_conn *conn;
5449 bt_dev_dbg(hdev, "");
5453 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5456 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5460 loc_mitm = (conn->auth_type & 0x01);
5461 rem_mitm = (conn->remote_auth & 0x01);
5463 /* If we require MITM but the remote device can't provide that
5464 * (it has NoInputNoOutput) then reject the confirmation
5465 * request. We check the security level here since it doesn't
5466 * necessarily match conn->auth_type.
5468 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5469 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5470 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5471 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5472 sizeof(ev->bdaddr), &ev->bdaddr);
5476 /* If no side requires MITM protection; auto-accept */
5477 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5478 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5480 /* If we're not the initiators request authorization to
5481 * proceed from user space (mgmt_user_confirm with
5482 * confirm_hint set to 1). The exception is if neither
5483 * side had MITM or if the local IO capability is
5484 * NoInputNoOutput, in which case we do auto-accept
5486 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5487 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5488 (loc_mitm || rem_mitm)) {
5489 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5494 /* If there already exists link key in local host, leave the
5495 * decision to user space since the remote device could be
5496 * legitimate or malicious.
5498 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5499 bt_dev_dbg(hdev, "Local host already has link key");
5504 BT_DBG("Auto-accept of user confirmation with %ums delay",
5505 hdev->auto_accept_delay);
5507 if (hdev->auto_accept_delay > 0) {
5508 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5509 queue_delayed_work(conn->hdev->workqueue,
5510 &conn->auto_accept_work, delay);
5514 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5515 sizeof(ev->bdaddr), &ev->bdaddr);
5520 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5521 le32_to_cpu(ev->passkey), confirm_hint);
5524 hci_dev_unlock(hdev);
5527 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5528 struct sk_buff *skb)
5530 struct hci_ev_user_passkey_req *ev = data;
5532 bt_dev_dbg(hdev, "");
5534 if (hci_dev_test_flag(hdev, HCI_MGMT))
5535 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5538 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5539 struct sk_buff *skb)
5541 struct hci_ev_user_passkey_notify *ev = data;
5542 struct hci_conn *conn;
5544 bt_dev_dbg(hdev, "");
5546 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5550 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5551 conn->passkey_entered = 0;
5553 if (hci_dev_test_flag(hdev, HCI_MGMT))
5554 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5555 conn->dst_type, conn->passkey_notify,
5556 conn->passkey_entered);
5559 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5560 struct sk_buff *skb)
5562 struct hci_ev_keypress_notify *ev = data;
5563 struct hci_conn *conn;
5565 bt_dev_dbg(hdev, "");
5567 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5572 case HCI_KEYPRESS_STARTED:
5573 conn->passkey_entered = 0;
5576 case HCI_KEYPRESS_ENTERED:
5577 conn->passkey_entered++;
5580 case HCI_KEYPRESS_ERASED:
5581 conn->passkey_entered--;
5584 case HCI_KEYPRESS_CLEARED:
5585 conn->passkey_entered = 0;
5588 case HCI_KEYPRESS_COMPLETED:
5592 if (hci_dev_test_flag(hdev, HCI_MGMT))
5593 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5594 conn->dst_type, conn->passkey_notify,
5595 conn->passkey_entered);
5598 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5599 struct sk_buff *skb)
5601 struct hci_ev_simple_pair_complete *ev = data;
5602 struct hci_conn *conn;
5604 bt_dev_dbg(hdev, "");
5608 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5609 if (!conn || !hci_conn_ssp_enabled(conn))
5612 /* Reset the authentication requirement to unknown */
5613 conn->remote_auth = 0xff;
5615 /* To avoid duplicate auth_failed events to user space we check
5616 * the HCI_CONN_AUTH_PEND flag which will be set if we
5617 * initiated the authentication. A traditional auth_complete
5618 * event gets always produced as initiator and is also mapped to
5619 * the mgmt_auth_failed event */
5620 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5621 mgmt_auth_failed(conn, ev->status);
5623 hci_conn_drop(conn);
5626 hci_dev_unlock(hdev);
5629 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5630 struct sk_buff *skb)
5632 struct hci_ev_remote_host_features *ev = data;
5633 struct inquiry_entry *ie;
5634 struct hci_conn *conn;
5636 bt_dev_dbg(hdev, "");
5640 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5642 memcpy(conn->features[1], ev->features, 8);
5644 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5646 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5648 hci_dev_unlock(hdev);
5651 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5652 struct sk_buff *skb)
5654 struct hci_ev_remote_oob_data_request *ev = edata;
5655 struct oob_data *data;
5657 bt_dev_dbg(hdev, "");
5661 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5664 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5666 struct hci_cp_remote_oob_data_neg_reply cp;
5668 bacpy(&cp.bdaddr, &ev->bdaddr);
5669 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5674 if (bredr_sc_enabled(hdev)) {
5675 struct hci_cp_remote_oob_ext_data_reply cp;
5677 bacpy(&cp.bdaddr, &ev->bdaddr);
5678 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5679 memset(cp.hash192, 0, sizeof(cp.hash192));
5680 memset(cp.rand192, 0, sizeof(cp.rand192));
5682 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5683 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5685 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5686 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5688 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5691 struct hci_cp_remote_oob_data_reply cp;
5693 bacpy(&cp.bdaddr, &ev->bdaddr);
5694 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5695 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5697 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5702 hci_dev_unlock(hdev);
5705 #if IS_ENABLED(CONFIG_BT_HS)
5706 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5707 struct sk_buff *skb)
5709 struct hci_ev_channel_selected *ev = data;
5710 struct hci_conn *hcon;
5712 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5714 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5718 amp_read_loc_assoc_final_data(hdev, hcon);
5721 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5722 struct sk_buff *skb)
5724 struct hci_ev_phy_link_complete *ev = data;
5725 struct hci_conn *hcon, *bredr_hcon;
5727 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5732 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5744 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5746 hcon->state = BT_CONNECTED;
5747 bacpy(&hcon->dst, &bredr_hcon->dst);
5749 hci_conn_hold(hcon);
5750 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5751 hci_conn_drop(hcon);
5753 hci_debugfs_create_conn(hcon);
5754 hci_conn_add_sysfs(hcon);
5756 amp_physical_cfm(bredr_hcon, hcon);
5759 hci_dev_unlock(hdev);
5762 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5763 struct sk_buff *skb)
5765 struct hci_ev_logical_link_complete *ev = data;
5766 struct hci_conn *hcon;
5767 struct hci_chan *hchan;
5768 struct amp_mgr *mgr;
5770 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5771 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5773 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5777 /* Create AMP hchan */
5778 hchan = hci_chan_create(hcon);
5782 hchan->handle = le16_to_cpu(ev->handle);
5785 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5787 mgr = hcon->amp_mgr;
5788 if (mgr && mgr->bredr_chan) {
5789 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5791 l2cap_chan_lock(bredr_chan);
5793 bredr_chan->conn->mtu = hdev->block_mtu;
5794 l2cap_logical_cfm(bredr_chan, hchan, 0);
5795 hci_conn_hold(hcon);
5797 l2cap_chan_unlock(bredr_chan);
5801 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5802 struct sk_buff *skb)
5804 struct hci_ev_disconn_logical_link_complete *ev = data;
5805 struct hci_chan *hchan;
5807 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5808 le16_to_cpu(ev->handle), ev->status);
5815 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5816 if (!hchan || !hchan->amp)
5819 amp_destroy_logical_link(hchan, ev->reason);
5822 hci_dev_unlock(hdev);
5825 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5826 struct sk_buff *skb)
5828 struct hci_ev_disconn_phy_link_complete *ev = data;
5829 struct hci_conn *hcon;
5831 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5838 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5839 if (hcon && hcon->type == AMP_LINK) {
5840 hcon->state = BT_CLOSED;
5841 hci_disconn_cfm(hcon, ev->reason);
5845 hci_dev_unlock(hdev);
5849 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5850 u8 bdaddr_type, bdaddr_t *local_rpa)
5853 conn->dst_type = bdaddr_type;
5854 conn->resp_addr_type = bdaddr_type;
5855 bacpy(&conn->resp_addr, bdaddr);
5857 /* Check if the controller has set a Local RPA then it must be
5858 * used instead or hdev->rpa.
5860 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5861 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5862 bacpy(&conn->init_addr, local_rpa);
5863 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5864 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5865 bacpy(&conn->init_addr, &conn->hdev->rpa);
5867 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5868 &conn->init_addr_type);
5871 conn->resp_addr_type = conn->hdev->adv_addr_type;
5872 /* Check if the controller has set a Local RPA then it must be
5873 * used instead or hdev->rpa.
5875 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5876 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5877 bacpy(&conn->resp_addr, local_rpa);
5878 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5879 /* In case of ext adv, resp_addr will be updated in
5880 * Adv Terminated event.
5882 if (!ext_adv_capable(conn->hdev))
5883 bacpy(&conn->resp_addr,
5884 &conn->hdev->random_addr);
5886 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5889 conn->init_addr_type = bdaddr_type;
5890 bacpy(&conn->init_addr, bdaddr);
5892 /* For incoming connections, set the default minimum
5893 * and maximum connection interval. They will be used
5894 * to check if the parameters are in range and if not
5895 * trigger the connection update procedure.
5897 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5898 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5902 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5903 bdaddr_t *bdaddr, u8 bdaddr_type,
5904 bdaddr_t *local_rpa, u8 role, u16 handle,
5905 u16 interval, u16 latency,
5906 u16 supervision_timeout)
5908 struct hci_conn_params *params;
5909 struct hci_conn *conn;
5910 struct smp_irk *irk;
5915 /* All controllers implicitly stop advertising in the event of a
5916 * connection, so ensure that the state bit is cleared.
5918 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5920 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5922 /* In case of error status and there is no connection pending
5923 * just unlock as there is nothing to cleanup.
5928 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5930 bt_dev_err(hdev, "no memory for new connection");
5934 conn->dst_type = bdaddr_type;
5936 /* If we didn't have a hci_conn object previously
5937 * but we're in central role this must be something
5938 * initiated using an accept list. Since accept list based
5939 * connections are not "first class citizens" we don't
5940 * have full tracking of them. Therefore, we go ahead
5941 * with a "best effort" approach of determining the
5942 * initiator address based on the HCI_PRIVACY flag.
5945 conn->resp_addr_type = bdaddr_type;
5946 bacpy(&conn->resp_addr, bdaddr);
5947 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5948 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5949 bacpy(&conn->init_addr, &hdev->rpa);
5951 hci_copy_identity_address(hdev,
5953 &conn->init_addr_type);
5957 cancel_delayed_work(&conn->le_conn_timeout);
5960 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5961 * Processing it more than once per connection can corrupt kernel memory.
5963 * As the connection handle is set here for the first time, it indicates
5964 * whether the connection is already set up.
5966 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5967 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5971 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5973 /* Lookup the identity address from the stored connection
5974 * address and address type.
5976 * When establishing connections to an identity address, the
5977 * connection procedure will store the resolvable random
5978 * address first. Now if it can be converted back into the
5979 * identity address, start using the identity address from
5982 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5984 bacpy(&conn->dst, &irk->bdaddr);
5985 conn->dst_type = irk->addr_type;
5988 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5990 /* All connection failure handling is taken care of by the
5991 * hci_conn_failed function which is triggered by the HCI
5992 * request completion callbacks used for connecting.
5994 if (status || hci_conn_set_handle(conn, handle))
5997 /* Drop the connection if it has been aborted */
5998 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5999 hci_conn_drop(conn);
6003 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
6004 addr_type = BDADDR_LE_PUBLIC;
6006 addr_type = BDADDR_LE_RANDOM;
6008 /* Drop the connection if the device is blocked */
6009 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
6010 hci_conn_drop(conn);
6014 mgmt_device_connected(hdev, conn, NULL, 0);
6016 conn->sec_level = BT_SECURITY_LOW;
6017 conn->state = BT_CONFIG;
6019 /* Store current advertising instance as connection advertising instance
6020 * when sotfware rotation is in use so it can be re-enabled when
6023 if (!ext_adv_capable(hdev))
6024 conn->adv_instance = hdev->cur_adv_instance;
6026 conn->le_conn_interval = interval;
6027 conn->le_conn_latency = latency;
6028 conn->le_supv_timeout = supervision_timeout;
6030 hci_debugfs_create_conn(conn);
6031 hci_conn_add_sysfs(conn);
6033 /* The remote features procedure is defined for central
6034 * role only. So only in case of an initiated connection
6035 * request the remote features.
6037 * If the local controller supports peripheral-initiated features
6038 * exchange, then requesting the remote features in peripheral
6039 * role is possible. Otherwise just transition into the
6040 * connected state without requesting the remote features.
6043 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6044 struct hci_cp_le_read_remote_features cp;
6046 cp.handle = __cpu_to_le16(conn->handle);
6048 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6051 hci_conn_hold(conn);
6053 conn->state = BT_CONNECTED;
6054 hci_connect_cfm(conn, status);
6057 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6060 hci_pend_le_list_del_init(params);
6062 hci_conn_drop(params->conn);
6063 hci_conn_put(params->conn);
6064 params->conn = NULL;
6069 hci_update_passive_scan(hdev);
6070 hci_dev_unlock(hdev);
6073 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6074 struct sk_buff *skb)
6076 struct hci_ev_le_conn_complete *ev = data;
6078 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6080 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6081 NULL, ev->role, le16_to_cpu(ev->handle),
6082 le16_to_cpu(ev->interval),
6083 le16_to_cpu(ev->latency),
6084 le16_to_cpu(ev->supervision_timeout));
6087 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6088 struct sk_buff *skb)
6090 struct hci_ev_le_enh_conn_complete *ev = data;
6092 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6094 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6095 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6096 le16_to_cpu(ev->interval),
6097 le16_to_cpu(ev->latency),
6098 le16_to_cpu(ev->supervision_timeout));
6101 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6102 struct sk_buff *skb)
6104 struct hci_evt_le_ext_adv_set_term *ev = data;
6105 struct hci_conn *conn;
6106 struct adv_info *adv, *n;
6108 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6110 /* The Bluetooth Core 5.3 specification clearly states that this event
6111 * shall not be sent when the Host disables the advertising set. So in
6112 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6114 * When the Host disables an advertising set, all cleanup is done via
6115 * its command callback and not needed to be duplicated here.
6117 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6118 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6124 adv = hci_find_adv_instance(hdev, ev->handle);
6130 /* Remove advertising as it has been terminated */
6131 hci_remove_adv_instance(hdev, ev->handle);
6132 mgmt_advertising_removed(NULL, hdev, ev->handle);
6134 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6139 /* We are no longer advertising, clear HCI_LE_ADV */
6140 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6145 adv->enabled = false;
6147 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6149 /* Store handle in the connection so the correct advertising
6150 * instance can be re-enabled when disconnected.
6152 conn->adv_instance = ev->handle;
6154 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6155 bacmp(&conn->resp_addr, BDADDR_ANY))
6159 bacpy(&conn->resp_addr, &hdev->random_addr);
6164 bacpy(&conn->resp_addr, &adv->random_addr);
6168 hci_dev_unlock(hdev);
6171 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6172 struct sk_buff *skb)
6174 struct hci_ev_le_conn_update_complete *ev = data;
6175 struct hci_conn *conn;
6177 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6184 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6186 conn->le_conn_interval = le16_to_cpu(ev->interval);
6187 conn->le_conn_latency = le16_to_cpu(ev->latency);
6188 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6191 hci_dev_unlock(hdev);
6194 /* This function requires the caller holds hdev->lock */
6195 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6197 u8 addr_type, bool addr_resolved,
6200 struct hci_conn *conn;
6201 struct hci_conn_params *params;
6203 /* If the event is not connectable don't proceed further */
6204 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6207 /* Ignore if the device is blocked or hdev is suspended */
6208 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6212 /* Most controller will fail if we try to create new connections
6213 * while we have an existing one in peripheral role.
6215 if (hdev->conn_hash.le_num_peripheral > 0 &&
6216 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6217 !(hdev->le_states[3] & 0x10)))
6220 /* If we're not connectable only connect devices that we have in
6221 * our pend_le_conns list.
6223 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6228 if (!params->explicit_connect) {
6229 switch (params->auto_connect) {
6230 case HCI_AUTO_CONN_DIRECT:
6231 /* Only devices advertising with ADV_DIRECT_IND are
6232 * triggering a connection attempt. This is allowing
6233 * incoming connections from peripheral devices.
6235 if (adv_type != LE_ADV_DIRECT_IND)
6238 case HCI_AUTO_CONN_ALWAYS:
6239 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6240 * are triggering a connection attempt. This means
6241 * that incoming connections from peripheral device are
6242 * accepted and also outgoing connections to peripheral
6243 * devices are established when found.
6251 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6252 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6254 if (!IS_ERR(conn)) {
6255 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6256 * by higher layer that tried to connect, if no then
6257 * store the pointer since we don't really have any
6258 * other owner of the object besides the params that
6259 * triggered it. This way we can abort the connection if
6260 * the parameters get removed and keep the reference
6261 * count consistent once the connection is established.
6264 if (!params->explicit_connect)
6265 params->conn = hci_conn_get(conn);
6270 switch (PTR_ERR(conn)) {
6272 /* If hci_connect() returns -EBUSY it means there is already
6273 * an LE connection attempt going on. Since controllers don't
6274 * support more than one connection attempt at the time, we
6275 * don't consider this an error case.
6279 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6286 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6287 u8 bdaddr_type, bdaddr_t *direct_addr,
6288 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6289 bool ext_adv, bool ctl_time, u64 instant)
6291 struct discovery_state *d = &hdev->discovery;
6292 struct smp_irk *irk;
6293 struct hci_conn *conn;
6294 bool match, bdaddr_resolved;
6300 case LE_ADV_DIRECT_IND:
6301 case LE_ADV_SCAN_IND:
6302 case LE_ADV_NONCONN_IND:
6303 case LE_ADV_SCAN_RSP:
6306 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6307 "type: 0x%02x", type);
6311 if (len > max_adv_len(hdev)) {
6312 bt_dev_err_ratelimited(hdev,
6313 "adv larger than maximum supported");
6317 /* Find the end of the data in case the report contains padded zero
6318 * bytes at the end causing an invalid length value.
6320 * When data is NULL, len is 0 so there is no need for extra ptr
6321 * check as 'ptr < data + 0' is already false in such case.
6323 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6324 if (ptr + 1 + *ptr > data + len)
6328 /* Adjust for actual length. This handles the case when remote
6329 * device is advertising with incorrect data length.
6333 /* If the direct address is present, then this report is from
6334 * a LE Direct Advertising Report event. In that case it is
6335 * important to see if the address is matching the local
6336 * controller address.
6338 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6339 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6342 /* Only resolvable random addresses are valid for these
6343 * kind of reports and others can be ignored.
6345 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6348 /* If the controller is not using resolvable random
6349 * addresses, then this report can be ignored.
6351 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6354 /* If the local IRK of the controller does not match
6355 * with the resolvable random address provided, then
6356 * this report can be ignored.
6358 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6362 /* Check if we need to convert to identity address */
6363 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6365 bdaddr = &irk->bdaddr;
6366 bdaddr_type = irk->addr_type;
6369 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6371 /* Check if we have been requested to connect to this device.
6373 * direct_addr is set only for directed advertising reports (it is NULL
6374 * for advertising reports) and is already verified to be RPA above.
6376 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6378 if (!ext_adv && conn && type == LE_ADV_IND &&
6379 len <= max_adv_len(hdev)) {
6380 /* Store report for later inclusion by
6381 * mgmt_device_connected
6383 memcpy(conn->le_adv_data, data, len);
6384 conn->le_adv_data_len = len;
6387 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6388 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6392 /* All scan results should be sent up for Mesh systems */
6393 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6394 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6395 rssi, flags, data, len, NULL, 0, instant);
6399 /* Passive scanning shouldn't trigger any device found events,
6400 * except for devices marked as CONN_REPORT for which we do send
6401 * device found events, or advertisement monitoring requested.
6403 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6404 if (type == LE_ADV_DIRECT_IND)
6407 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6408 bdaddr, bdaddr_type) &&
6409 idr_is_empty(&hdev->adv_monitors_idr))
6412 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6413 rssi, flags, data, len, NULL, 0, 0);
6417 /* When receiving a scan response, then there is no way to
6418 * know if the remote device is connectable or not. However
6419 * since scan responses are merged with a previously seen
6420 * advertising report, the flags field from that report
6423 * In the unlikely case that a controller just sends a scan
6424 * response event that doesn't match the pending report, then
6425 * it is marked as a standalone SCAN_RSP.
6427 if (type == LE_ADV_SCAN_RSP)
6428 flags = MGMT_DEV_FOUND_SCAN_RSP;
6430 /* If there's nothing pending either store the data from this
6431 * event or send an immediate device found event if the data
6432 * should not be stored for later.
6434 if (!ext_adv && !has_pending_adv_report(hdev)) {
6435 /* If the report will trigger a SCAN_REQ store it for
6438 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6439 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6440 rssi, flags, data, len);
6444 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6445 rssi, flags, data, len, NULL, 0, 0);
6449 /* Check if the pending report is for the same device as the new one */
6450 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6451 bdaddr_type == d->last_adv_addr_type);
6453 /* If the pending data doesn't match this report or this isn't a
6454 * scan response (e.g. we got a duplicate ADV_IND) then force
6455 * sending of the pending data.
6457 if (type != LE_ADV_SCAN_RSP || !match) {
6458 /* Send out whatever is in the cache, but skip duplicates */
6460 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6461 d->last_adv_addr_type, NULL,
6462 d->last_adv_rssi, d->last_adv_flags,
6464 d->last_adv_data_len, NULL, 0, 0);
6466 /* If the new report will trigger a SCAN_REQ store it for
6469 if (!ext_adv && (type == LE_ADV_IND ||
6470 type == LE_ADV_SCAN_IND)) {
6471 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6472 rssi, flags, data, len);
6476 /* The advertising reports cannot be merged, so clear
6477 * the pending report and send out a device found event.
6479 clear_pending_adv_report(hdev);
6480 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6481 rssi, flags, data, len, NULL, 0, 0);
6485 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6486 * the new event is a SCAN_RSP. We can therefore proceed with
6487 * sending a merged device found event.
6489 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6490 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6491 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6492 clear_pending_adv_report(hdev);
6495 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6496 struct sk_buff *skb)
6498 struct hci_ev_le_advertising_report *ev = data;
6499 u64 instant = jiffies;
6507 struct hci_ev_le_advertising_info *info;
6510 info = hci_le_ev_skb_pull(hdev, skb,
6511 HCI_EV_LE_ADVERTISING_REPORT,
6516 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6520 if (info->length <= max_adv_len(hdev)) {
6521 rssi = info->data[info->length];
6522 process_adv_report(hdev, info->type, &info->bdaddr,
6523 info->bdaddr_type, NULL, 0, rssi,
6524 info->data, info->length, false,
6527 bt_dev_err(hdev, "Dropping invalid advertising data");
6531 hci_dev_unlock(hdev);
6534 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6536 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6538 case LE_LEGACY_ADV_IND:
6540 case LE_LEGACY_ADV_DIRECT_IND:
6541 return LE_ADV_DIRECT_IND;
6542 case LE_LEGACY_ADV_SCAN_IND:
6543 return LE_ADV_SCAN_IND;
6544 case LE_LEGACY_NONCONN_IND:
6545 return LE_ADV_NONCONN_IND;
6546 case LE_LEGACY_SCAN_RSP_ADV:
6547 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6548 return LE_ADV_SCAN_RSP;
6554 if (evt_type & LE_EXT_ADV_CONN_IND) {
6555 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6556 return LE_ADV_DIRECT_IND;
6561 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6562 return LE_ADV_SCAN_RSP;
6564 if (evt_type & LE_EXT_ADV_SCAN_IND)
6565 return LE_ADV_SCAN_IND;
6567 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6568 evt_type & LE_EXT_ADV_DIRECT_IND)
6569 return LE_ADV_NONCONN_IND;
6572 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6575 return LE_ADV_INVALID;
6578 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6579 struct sk_buff *skb)
6581 struct hci_ev_le_ext_adv_report *ev = data;
6582 u64 instant = jiffies;
6590 struct hci_ev_le_ext_adv_info *info;
6594 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6599 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6603 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6604 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6605 if (legacy_evt_type != LE_ADV_INVALID) {
6606 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6607 info->bdaddr_type, NULL, 0,
6608 info->rssi, info->data, info->length,
6609 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6614 hci_dev_unlock(hdev);
6617 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6619 struct hci_cp_le_pa_term_sync cp;
6621 memset(&cp, 0, sizeof(cp));
6624 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6627 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6628 struct sk_buff *skb)
6630 struct hci_ev_le_pa_sync_established *ev = data;
6631 int mask = hdev->link_mode;
6633 struct hci_conn *pa_sync;
6635 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6639 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6641 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6642 if (!(mask & HCI_LM_ACCEPT)) {
6643 hci_le_pa_term_sync(hdev, ev->handle);
6647 if (!(flags & HCI_PROTO_DEFER))
6651 /* Add connection to indicate the failed PA sync event */
6652 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6658 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6660 /* Notify iso layer */
6661 hci_connect_cfm(pa_sync, ev->status);
6665 hci_dev_unlock(hdev);
6668 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6669 struct sk_buff *skb)
6671 struct hci_ev_le_per_adv_report *ev = data;
6672 int mask = hdev->link_mode;
6675 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6679 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6680 if (!(mask & HCI_LM_ACCEPT))
6681 hci_le_pa_term_sync(hdev, ev->sync_handle);
6683 hci_dev_unlock(hdev);
6686 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6687 struct sk_buff *skb)
6689 struct hci_ev_le_remote_feat_complete *ev = data;
6690 struct hci_conn *conn;
6692 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6696 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6699 memcpy(conn->features[0], ev->features, 8);
6701 if (conn->state == BT_CONFIG) {
6704 /* If the local controller supports peripheral-initiated
6705 * features exchange, but the remote controller does
6706 * not, then it is possible that the error code 0x1a
6707 * for unsupported remote feature gets returned.
6709 * In this specific case, allow the connection to
6710 * transition into connected state and mark it as
6713 if (!conn->out && ev->status == 0x1a &&
6714 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6717 status = ev->status;
6719 conn->state = BT_CONNECTED;
6720 hci_connect_cfm(conn, status);
6721 hci_conn_drop(conn);
6725 hci_dev_unlock(hdev);
6728 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6729 struct sk_buff *skb)
6731 struct hci_ev_le_ltk_req *ev = data;
6732 struct hci_cp_le_ltk_reply cp;
6733 struct hci_cp_le_ltk_neg_reply neg;
6734 struct hci_conn *conn;
6735 struct smp_ltk *ltk;
6737 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6741 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6745 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6749 if (smp_ltk_is_sc(ltk)) {
6750 /* With SC both EDiv and Rand are set to zero */
6751 if (ev->ediv || ev->rand)
6754 /* For non-SC keys check that EDiv and Rand match */
6755 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6759 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6760 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6761 cp.handle = cpu_to_le16(conn->handle);
6763 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6765 conn->enc_key_size = ltk->enc_size;
6767 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6769 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6770 * temporary key used to encrypt a connection following
6771 * pairing. It is used during the Encrypted Session Setup to
6772 * distribute the keys. Later, security can be re-established
6773 * using a distributed LTK.
6775 if (ltk->type == SMP_STK) {
6776 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6777 list_del_rcu(<k->list);
6778 kfree_rcu(ltk, rcu);
6780 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6783 hci_dev_unlock(hdev);
6788 neg.handle = ev->handle;
6789 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6790 hci_dev_unlock(hdev);
6793 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6796 struct hci_cp_le_conn_param_req_neg_reply cp;
6798 cp.handle = cpu_to_le16(handle);
6801 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6805 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6806 struct sk_buff *skb)
6808 struct hci_ev_le_remote_conn_param_req *ev = data;
6809 struct hci_cp_le_conn_param_req_reply cp;
6810 struct hci_conn *hcon;
6811 u16 handle, min, max, latency, timeout;
6813 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6815 handle = le16_to_cpu(ev->handle);
6816 min = le16_to_cpu(ev->interval_min);
6817 max = le16_to_cpu(ev->interval_max);
6818 latency = le16_to_cpu(ev->latency);
6819 timeout = le16_to_cpu(ev->timeout);
6821 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6822 if (!hcon || hcon->state != BT_CONNECTED)
6823 return send_conn_param_neg_reply(hdev, handle,
6824 HCI_ERROR_UNKNOWN_CONN_ID);
6826 if (max > hcon->le_conn_max_interval)
6827 return send_conn_param_neg_reply(hdev, handle,
6828 HCI_ERROR_INVALID_LL_PARAMS);
6830 if (hci_check_conn_params(min, max, latency, timeout))
6831 return send_conn_param_neg_reply(hdev, handle,
6832 HCI_ERROR_INVALID_LL_PARAMS);
6834 if (hcon->role == HCI_ROLE_MASTER) {
6835 struct hci_conn_params *params;
6840 params = hci_conn_params_lookup(hdev, &hcon->dst,
6843 params->conn_min_interval = min;
6844 params->conn_max_interval = max;
6845 params->conn_latency = latency;
6846 params->supervision_timeout = timeout;
6852 hci_dev_unlock(hdev);
6854 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6855 store_hint, min, max, latency, timeout);
6858 cp.handle = ev->handle;
6859 cp.interval_min = ev->interval_min;
6860 cp.interval_max = ev->interval_max;
6861 cp.latency = ev->latency;
6862 cp.timeout = ev->timeout;
6866 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6869 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6870 struct sk_buff *skb)
6872 struct hci_ev_le_direct_adv_report *ev = data;
6873 u64 instant = jiffies;
6876 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6877 flex_array_size(ev, info, ev->num)))
6885 for (i = 0; i < ev->num; i++) {
6886 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6888 process_adv_report(hdev, info->type, &info->bdaddr,
6889 info->bdaddr_type, &info->direct_addr,
6890 info->direct_addr_type, info->rssi, NULL, 0,
6891 false, false, instant);
6894 hci_dev_unlock(hdev);
6897 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6898 struct sk_buff *skb)
6900 struct hci_ev_le_phy_update_complete *ev = data;
6901 struct hci_conn *conn;
6903 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6910 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6914 conn->le_tx_phy = ev->tx_phy;
6915 conn->le_rx_phy = ev->rx_phy;
6918 hci_dev_unlock(hdev);
6921 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6922 struct sk_buff *skb)
6924 struct hci_evt_le_cis_established *ev = data;
6925 struct hci_conn *conn;
6926 struct bt_iso_qos *qos;
6927 bool pending = false;
6928 u16 handle = __le16_to_cpu(ev->handle);
6930 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6934 conn = hci_conn_hash_lookup_handle(hdev, handle);
6937 "Unable to find connection with handle 0x%4.4x",
6942 if (conn->type != ISO_LINK) {
6944 "Invalid connection link type handle 0x%4.4x",
6949 qos = &conn->iso_qos;
6951 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6953 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
6954 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
6955 qos->ucast.out.interval = qos->ucast.in.interval;
6957 switch (conn->role) {
6958 case HCI_ROLE_SLAVE:
6959 /* Convert Transport Latency (us) to Latency (msec) */
6960 qos->ucast.in.latency =
6961 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6963 qos->ucast.out.latency =
6964 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6966 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6967 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6968 qos->ucast.in.phy = ev->c_phy;
6969 qos->ucast.out.phy = ev->p_phy;
6971 case HCI_ROLE_MASTER:
6972 /* Convert Transport Latency (us) to Latency (msec) */
6973 qos->ucast.out.latency =
6974 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6976 qos->ucast.in.latency =
6977 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6979 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6980 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6981 qos->ucast.out.phy = ev->c_phy;
6982 qos->ucast.in.phy = ev->p_phy;
6987 conn->state = BT_CONNECTED;
6988 hci_debugfs_create_conn(conn);
6989 hci_conn_add_sysfs(conn);
6990 hci_iso_setup_path(conn);
6994 conn->state = BT_CLOSED;
6995 hci_connect_cfm(conn, ev->status);
7000 hci_le_create_cis_pending(hdev);
7002 hci_dev_unlock(hdev);
7005 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
7007 struct hci_cp_le_reject_cis cp;
7009 memset(&cp, 0, sizeof(cp));
7011 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
7012 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
7015 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
7017 struct hci_cp_le_accept_cis cp;
7019 memset(&cp, 0, sizeof(cp));
7021 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
7024 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
7025 struct sk_buff *skb)
7027 struct hci_evt_le_cis_req *ev = data;
7028 u16 acl_handle, cis_handle;
7029 struct hci_conn *acl, *cis;
7033 acl_handle = __le16_to_cpu(ev->acl_handle);
7034 cis_handle = __le16_to_cpu(ev->cis_handle);
7036 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7037 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7041 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7045 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7046 if (!(mask & HCI_LM_ACCEPT)) {
7047 hci_le_reject_cis(hdev, ev->cis_handle);
7051 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7053 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7056 hci_le_reject_cis(hdev, ev->cis_handle);
7061 cis->iso_qos.ucast.cig = ev->cig_id;
7062 cis->iso_qos.ucast.cis = ev->cis_id;
7064 if (!(flags & HCI_PROTO_DEFER)) {
7065 hci_le_accept_cis(hdev, ev->cis_handle);
7067 cis->state = BT_CONNECT2;
7068 hci_connect_cfm(cis, 0);
7072 hci_dev_unlock(hdev);
7075 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7077 u8 handle = PTR_UINT(data);
7079 return hci_le_terminate_big_sync(hdev, handle,
7080 HCI_ERROR_LOCAL_HOST_TERM);
7083 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7084 struct sk_buff *skb)
7086 struct hci_evt_le_create_big_complete *ev = data;
7087 struct hci_conn *conn;
7090 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7092 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7093 flex_array_size(ev, bis_handle, ev->num_bis)))
7099 /* Connect all BISes that are bound to the BIG */
7100 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7101 if (bacmp(&conn->dst, BDADDR_ANY) ||
7102 conn->type != ISO_LINK ||
7103 conn->iso_qos.bcast.big != ev->handle)
7106 if (hci_conn_set_handle(conn,
7107 __le16_to_cpu(ev->bis_handle[i++])))
7111 conn->state = BT_CONNECTED;
7112 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7114 hci_debugfs_create_conn(conn);
7115 hci_conn_add_sysfs(conn);
7116 hci_iso_setup_path(conn);
7121 hci_connect_cfm(conn, ev->status);
7129 if (!ev->status && !i)
7130 /* If no BISes have been connected for the BIG,
7131 * terminate. This is in case all bound connections
7132 * have been closed before the BIG creation
7135 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7136 UINT_PTR(ev->handle), NULL);
7138 hci_dev_unlock(hdev);
7141 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7142 struct sk_buff *skb)
7144 struct hci_evt_le_big_sync_estabilished *ev = data;
7145 struct hci_conn *bis;
7148 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7150 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7151 flex_array_size(ev, bis, ev->num_bis)))
7156 for (i = 0; i < ev->num_bis; i++) {
7157 u16 handle = le16_to_cpu(ev->bis[i]);
7160 bis = hci_conn_hash_lookup_handle(hdev, handle);
7162 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7163 HCI_ROLE_SLAVE, handle);
7168 if (ev->status != 0x42)
7169 /* Mark PA sync as established */
7170 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7172 bis->iso_qos.bcast.big = ev->handle;
7173 memset(&interval, 0, sizeof(interval));
7174 memcpy(&interval, ev->latency, sizeof(ev->latency));
7175 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7176 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7177 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7178 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7181 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7182 hci_iso_setup_path(bis);
7186 /* In case BIG sync failed, notify each failed connection to
7187 * the user after all hci connections have been added
7190 for (i = 0; i < ev->num_bis; i++) {
7191 u16 handle = le16_to_cpu(ev->bis[i]);
7193 bis = hci_conn_hash_lookup_handle(hdev, handle);
7195 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7196 hci_connect_cfm(bis, ev->status);
7199 hci_dev_unlock(hdev);
7202 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7203 struct sk_buff *skb)
7205 struct hci_evt_le_big_info_adv_report *ev = data;
7206 int mask = hdev->link_mode;
7208 struct hci_conn *pa_sync;
7210 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7214 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7215 if (!(mask & HCI_LM_ACCEPT)) {
7216 hci_le_pa_term_sync(hdev, ev->sync_handle);
7220 if (!(flags & HCI_PROTO_DEFER))
7223 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7225 le16_to_cpu(ev->sync_handle));
7230 /* Add connection to indicate the PA sync event */
7231 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7237 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7238 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7240 /* Notify iso layer */
7241 hci_connect_cfm(pa_sync, 0x00);
7243 /* Notify MGMT layer */
7244 mgmt_device_connected(hdev, pa_sync, NULL, 0);
7247 hci_dev_unlock(hdev);
7250 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7253 .min_len = _min_len, \
7254 .max_len = _max_len, \
7257 #define HCI_LE_EV(_op, _func, _len) \
7258 HCI_LE_EV_VL(_op, _func, _len, _len)
7260 #define HCI_LE_EV_STATUS(_op, _func) \
7261 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7263 /* Entries in this table shall have their position according to the subevent
7264 * opcode they handle so the use of the macros above is recommend since it does
7265 * attempt to initialize at its proper index using Designated Initializers that
7266 * way events without a callback function can be ommited.
7268 static const struct hci_le_ev {
7269 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7272 } hci_le_ev_table[U8_MAX + 1] = {
7273 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7274 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7275 sizeof(struct hci_ev_le_conn_complete)),
7276 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7277 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7278 sizeof(struct hci_ev_le_advertising_report),
7279 HCI_MAX_EVENT_SIZE),
7280 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7281 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7282 hci_le_conn_update_complete_evt,
7283 sizeof(struct hci_ev_le_conn_update_complete)),
7284 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7285 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7286 hci_le_remote_feat_complete_evt,
7287 sizeof(struct hci_ev_le_remote_feat_complete)),
7288 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7289 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7290 sizeof(struct hci_ev_le_ltk_req)),
7291 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7292 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7293 hci_le_remote_conn_param_req_evt,
7294 sizeof(struct hci_ev_le_remote_conn_param_req)),
7295 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7296 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7297 hci_le_enh_conn_complete_evt,
7298 sizeof(struct hci_ev_le_enh_conn_complete)),
7299 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7300 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7301 sizeof(struct hci_ev_le_direct_adv_report),
7302 HCI_MAX_EVENT_SIZE),
7303 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7304 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7305 sizeof(struct hci_ev_le_phy_update_complete)),
7306 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7307 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7308 sizeof(struct hci_ev_le_ext_adv_report),
7309 HCI_MAX_EVENT_SIZE),
7310 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7311 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7312 hci_le_pa_sync_estabilished_evt,
7313 sizeof(struct hci_ev_le_pa_sync_established)),
7314 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7315 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7316 hci_le_per_adv_report_evt,
7317 sizeof(struct hci_ev_le_per_adv_report),
7318 HCI_MAX_EVENT_SIZE),
7319 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7320 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7321 sizeof(struct hci_evt_le_ext_adv_set_term)),
7322 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7323 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7324 sizeof(struct hci_evt_le_cis_established)),
7325 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7326 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7327 sizeof(struct hci_evt_le_cis_req)),
7328 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7329 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7330 hci_le_create_big_complete_evt,
7331 sizeof(struct hci_evt_le_create_big_complete),
7332 HCI_MAX_EVENT_SIZE),
7333 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7334 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7335 hci_le_big_sync_established_evt,
7336 sizeof(struct hci_evt_le_big_sync_estabilished),
7337 HCI_MAX_EVENT_SIZE),
7338 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7339 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7340 hci_le_big_info_adv_report_evt,
7341 sizeof(struct hci_evt_le_big_info_adv_report),
7342 HCI_MAX_EVENT_SIZE),
7345 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7346 struct sk_buff *skb, u16 *opcode, u8 *status,
7347 hci_req_complete_t *req_complete,
7348 hci_req_complete_skb_t *req_complete_skb)
7350 struct hci_ev_le_meta *ev = data;
7351 const struct hci_le_ev *subev;
7353 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7355 /* Only match event if command OGF is for LE */
7356 if (hdev->req_skb &&
7357 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 &&
7358 hci_skb_event(hdev->req_skb) == ev->subevent) {
7359 *opcode = hci_skb_opcode(hdev->req_skb);
7360 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7364 subev = &hci_le_ev_table[ev->subevent];
7368 if (skb->len < subev->min_len) {
7369 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7370 ev->subevent, skb->len, subev->min_len);
7374 /* Just warn if the length is over max_len size it still be
7375 * possible to partially parse the event so leave to callback to
7376 * decide if that is acceptable.
7378 if (skb->len > subev->max_len)
7379 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7380 ev->subevent, skb->len, subev->max_len);
7381 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7385 subev->func(hdev, data, skb);
7388 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7389 u8 event, struct sk_buff *skb)
7391 struct hci_ev_cmd_complete *ev;
7392 struct hci_event_hdr *hdr;
7397 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7402 if (hdr->evt != event)
7407 /* Check if request ended in Command Status - no way to retrieve
7408 * any extra parameters in this case.
7410 if (hdr->evt == HCI_EV_CMD_STATUS)
7413 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7414 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7419 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7423 if (opcode != __le16_to_cpu(ev->opcode)) {
7424 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7425 __le16_to_cpu(ev->opcode));
7432 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7433 struct sk_buff *skb)
7435 struct hci_ev_le_advertising_info *adv;
7436 struct hci_ev_le_direct_adv_info *direct_adv;
7437 struct hci_ev_le_ext_adv_info *ext_adv;
7438 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7439 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7443 /* If we are currently suspended and this is the first BT event seen,
7444 * save the wake reason associated with the event.
7446 if (!hdev->suspended || hdev->wake_reason)
7449 /* Default to remote wake. Values for wake_reason are documented in the
7450 * Bluez mgmt api docs.
7452 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7454 /* Once configured for remote wakeup, we should only wake up for
7455 * reconnections. It's useful to see which device is waking us up so
7456 * keep track of the bdaddr of the connection event that woke us up.
7458 if (event == HCI_EV_CONN_REQUEST) {
7459 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7460 hdev->wake_addr_type = BDADDR_BREDR;
7461 } else if (event == HCI_EV_CONN_COMPLETE) {
7462 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7463 hdev->wake_addr_type = BDADDR_BREDR;
7464 } else if (event == HCI_EV_LE_META) {
7465 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7466 u8 subevent = le_ev->subevent;
7467 u8 *ptr = &skb->data[sizeof(*le_ev)];
7468 u8 num_reports = *ptr;
7470 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7471 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7472 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7474 adv = (void *)(ptr + 1);
7475 direct_adv = (void *)(ptr + 1);
7476 ext_adv = (void *)(ptr + 1);
7479 case HCI_EV_LE_ADVERTISING_REPORT:
7480 bacpy(&hdev->wake_addr, &adv->bdaddr);
7481 hdev->wake_addr_type = adv->bdaddr_type;
7483 case HCI_EV_LE_DIRECT_ADV_REPORT:
7484 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7485 hdev->wake_addr_type = direct_adv->bdaddr_type;
7487 case HCI_EV_LE_EXT_ADV_REPORT:
7488 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7489 hdev->wake_addr_type = ext_adv->bdaddr_type;
7494 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7498 hci_dev_unlock(hdev);
7501 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7505 .min_len = _min_len, \
7506 .max_len = _max_len, \
7509 #define HCI_EV(_op, _func, _len) \
7510 HCI_EV_VL(_op, _func, _len, _len)
7512 #define HCI_EV_STATUS(_op, _func) \
7513 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7515 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7518 .func_req = _func, \
7519 .min_len = _min_len, \
7520 .max_len = _max_len, \
7523 #define HCI_EV_REQ(_op, _func, _len) \
7524 HCI_EV_REQ_VL(_op, _func, _len, _len)
7526 /* Entries in this table shall have their position according to the event opcode
7527 * they handle so the use of the macros above is recommend since it does attempt
7528 * to initialize at its proper index using Designated Initializers that way
7529 * events without a callback function don't have entered.
7531 static const struct hci_ev {
7534 void (*func)(struct hci_dev *hdev, void *data,
7535 struct sk_buff *skb);
7536 void (*func_req)(struct hci_dev *hdev, void *data,
7537 struct sk_buff *skb, u16 *opcode, u8 *status,
7538 hci_req_complete_t *req_complete,
7539 hci_req_complete_skb_t *req_complete_skb);
7543 } hci_ev_table[U8_MAX + 1] = {
7544 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7545 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7546 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7547 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7548 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7549 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7550 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7551 sizeof(struct hci_ev_conn_complete)),
7552 /* [0x04 = HCI_EV_CONN_REQUEST] */
7553 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7554 sizeof(struct hci_ev_conn_request)),
7555 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7556 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7557 sizeof(struct hci_ev_disconn_complete)),
7558 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7559 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7560 sizeof(struct hci_ev_auth_complete)),
7561 /* [0x07 = HCI_EV_REMOTE_NAME] */
7562 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7563 sizeof(struct hci_ev_remote_name)),
7564 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7565 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7566 sizeof(struct hci_ev_encrypt_change)),
7567 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7568 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7569 hci_change_link_key_complete_evt,
7570 sizeof(struct hci_ev_change_link_key_complete)),
7571 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7572 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7573 sizeof(struct hci_ev_remote_features)),
7574 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7575 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7576 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7577 /* [0x0f = HCI_EV_CMD_STATUS] */
7578 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7579 sizeof(struct hci_ev_cmd_status)),
7580 /* [0x10 = HCI_EV_CMD_STATUS] */
7581 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7582 sizeof(struct hci_ev_hardware_error)),
7583 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7584 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7585 sizeof(struct hci_ev_role_change)),
7586 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7587 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7588 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7589 /* [0x14 = HCI_EV_MODE_CHANGE] */
7590 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7591 sizeof(struct hci_ev_mode_change)),
7592 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7593 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7594 sizeof(struct hci_ev_pin_code_req)),
7595 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7596 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7597 sizeof(struct hci_ev_link_key_req)),
7598 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7599 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7600 sizeof(struct hci_ev_link_key_notify)),
7601 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7602 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7603 sizeof(struct hci_ev_clock_offset)),
7604 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7605 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7606 sizeof(struct hci_ev_pkt_type_change)),
7607 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7608 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7609 sizeof(struct hci_ev_pscan_rep_mode)),
7610 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7611 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7612 hci_inquiry_result_with_rssi_evt,
7613 sizeof(struct hci_ev_inquiry_result_rssi),
7614 HCI_MAX_EVENT_SIZE),
7615 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7616 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7617 sizeof(struct hci_ev_remote_ext_features)),
7618 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7619 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7620 sizeof(struct hci_ev_sync_conn_complete)),
7621 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7622 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7623 hci_extended_inquiry_result_evt,
7624 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7625 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7626 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7627 sizeof(struct hci_ev_key_refresh_complete)),
7628 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7629 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7630 sizeof(struct hci_ev_io_capa_request)),
7631 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7632 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7633 sizeof(struct hci_ev_io_capa_reply)),
7634 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7635 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7636 sizeof(struct hci_ev_user_confirm_req)),
7637 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7638 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7639 sizeof(struct hci_ev_user_passkey_req)),
7640 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7641 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7642 sizeof(struct hci_ev_remote_oob_data_request)),
7643 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7644 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7645 sizeof(struct hci_ev_simple_pair_complete)),
7646 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7647 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7648 sizeof(struct hci_ev_user_passkey_notify)),
7649 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7650 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7651 sizeof(struct hci_ev_keypress_notify)),
7652 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7653 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7654 sizeof(struct hci_ev_remote_host_features)),
7655 /* [0x3e = HCI_EV_LE_META] */
7656 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7657 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7658 #if IS_ENABLED(CONFIG_BT_HS)
7659 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7660 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7661 sizeof(struct hci_ev_phy_link_complete)),
7662 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7663 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7664 sizeof(struct hci_ev_channel_selected)),
7665 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7666 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7667 hci_disconn_loglink_complete_evt,
7668 sizeof(struct hci_ev_disconn_logical_link_complete)),
7669 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7670 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7671 sizeof(struct hci_ev_logical_link_complete)),
7672 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7673 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7674 hci_disconn_phylink_complete_evt,
7675 sizeof(struct hci_ev_disconn_phy_link_complete)),
7677 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7678 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7679 sizeof(struct hci_ev_num_comp_blocks)),
7680 /* [0xff = HCI_EV_VENDOR] */
7681 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7684 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7685 u16 *opcode, u8 *status,
7686 hci_req_complete_t *req_complete,
7687 hci_req_complete_skb_t *req_complete_skb)
7689 const struct hci_ev *ev = &hci_ev_table[event];
7695 if (skb->len < ev->min_len) {
7696 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7697 event, skb->len, ev->min_len);
7701 /* Just warn if the length is over max_len size it still be
7702 * possible to partially parse the event so leave to callback to
7703 * decide if that is acceptable.
7705 if (skb->len > ev->max_len)
7706 bt_dev_warn_ratelimited(hdev,
7707 "unexpected event 0x%2.2x length: %u > %u",
7708 event, skb->len, ev->max_len);
7710 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7715 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7718 ev->func(hdev, data, skb);
7721 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7723 struct hci_event_hdr *hdr = (void *) skb->data;
7724 hci_req_complete_t req_complete = NULL;
7725 hci_req_complete_skb_t req_complete_skb = NULL;
7726 struct sk_buff *orig_skb = NULL;
7727 u8 status = 0, event, req_evt = 0;
7728 u16 opcode = HCI_OP_NOP;
7730 if (skb->len < sizeof(*hdr)) {
7731 bt_dev_err(hdev, "Malformed HCI Event");
7735 kfree_skb(hdev->recv_event);
7736 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7740 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7745 /* Only match event if command OGF is not for LE */
7746 if (hdev->req_skb &&
7747 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
7748 hci_skb_event(hdev->req_skb) == event) {
7749 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
7750 status, &req_complete, &req_complete_skb);
7754 /* If it looks like we might end up having to call
7755 * req_complete_skb, store a pristine copy of the skb since the
7756 * various handlers may modify the original one through
7757 * skb_pull() calls, etc.
7759 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7760 event == HCI_EV_CMD_COMPLETE)
7761 orig_skb = skb_clone(skb, GFP_KERNEL);
7763 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7765 /* Store wake reason if we're suspended */
7766 hci_store_wake_reason(hdev, event, skb);
7768 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7770 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7774 req_complete(hdev, status, opcode);
7775 } else if (req_complete_skb) {
7776 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7777 kfree_skb(orig_skb);
7780 req_complete_skb(hdev, status, opcode, orig_skb);
7784 kfree_skb(orig_skb);
7786 hdev->stat.evt_rx++;
projects / releases.git / blob