2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI event handling. */
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
43 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
44 "\x00\x00\x00\x00\x00\x00\x00\x00"
46 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
48 /* Handle HCI Event packets */
50 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
55 data = skb_pull_data(skb, len);
57 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
62 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
67 data = skb_pull_data(skb, len);
69 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
74 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
79 data = skb_pull_data(skb, len);
81 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
86 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
89 struct hci_ev_status *rp = data;
91 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
93 /* It is possible that we receive Inquiry Complete event right
94 * before we receive Inquiry Cancel Command Complete event, in
95 * which case the latter event should have status of Command
96 * Disallowed. This should not be treated as error, since
97 * we actually achieve what Inquiry Cancel wants to achieve,
98 * which is to end the last Inquiry session.
100 if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) {
101 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
108 clear_bit(HCI_INQUIRY, &hdev->flags);
109 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
110 wake_up_bit(&hdev->flags, HCI_INQUIRY);
113 /* Set discovery state to stopped if we're not doing LE active
116 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
117 hdev->le_scan_type != LE_SCAN_ACTIVE)
118 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
119 hci_dev_unlock(hdev);
124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
127 struct hci_ev_status *rp = data;
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
142 struct hci_ev_status *rp = data;
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
154 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
157 struct hci_ev_status *rp = data;
159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
164 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
167 struct hci_rp_role_discovery *rp = data;
168 struct hci_conn *conn;
170 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
177 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
179 conn->role = rp->role;
181 hci_dev_unlock(hdev);
186 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
189 struct hci_rp_read_link_policy *rp = data;
190 struct hci_conn *conn;
192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
199 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
201 conn->link_policy = __le16_to_cpu(rp->policy);
203 hci_dev_unlock(hdev);
208 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
211 struct hci_rp_write_link_policy *rp = data;
212 struct hci_conn *conn;
215 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
220 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
226 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
228 conn->link_policy = get_unaligned_le16(sent + 2);
230 hci_dev_unlock(hdev);
235 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
238 struct hci_rp_read_def_link_policy *rp = data;
240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
245 hdev->link_policy = __le16_to_cpu(rp->policy);
250 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
253 struct hci_ev_status *rp = data;
256 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
261 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
265 hdev->link_policy = get_unaligned_le16(sent);
270 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
272 struct hci_ev_status *rp = data;
274 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
276 clear_bit(HCI_RESET, &hdev->flags);
281 /* Reset all non-persistent flags */
282 hci_dev_clear_volatile_flags(hdev);
284 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
286 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
287 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
289 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
290 hdev->adv_data_len = 0;
292 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
293 hdev->scan_rsp_data_len = 0;
295 hdev->le_scan_type = LE_SCAN_PASSIVE;
297 hdev->ssp_debug_mode = 0;
299 hci_bdaddr_list_clear(&hdev->le_accept_list);
300 hci_bdaddr_list_clear(&hdev->le_resolv_list);
305 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
308 struct hci_rp_read_stored_link_key *rp = data;
309 struct hci_cp_read_stored_link_key *sent;
311 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
313 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
317 if (!rp->status && sent->read_all == 0x01) {
318 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
319 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
325 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
328 struct hci_rp_delete_stored_link_key *rp = data;
331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
336 num_keys = le16_to_cpu(rp->num_keys);
338 if (num_keys <= hdev->stored_num_keys)
339 hdev->stored_num_keys -= num_keys;
341 hdev->stored_num_keys = 0;
346 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
349 struct hci_ev_status *rp = data;
352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
360 if (hci_dev_test_flag(hdev, HCI_MGMT))
361 mgmt_set_local_name_complete(hdev, sent, rp->status);
362 else if (!rp->status)
363 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
365 hci_dev_unlock(hdev);
370 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
373 struct hci_rp_read_local_name *rp = data;
375 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
380 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
381 hci_dev_test_flag(hdev, HCI_CONFIG))
382 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
387 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
390 struct hci_ev_status *rp = data;
393 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
395 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
402 __u8 param = *((__u8 *) sent);
404 if (param == AUTH_ENABLED)
405 set_bit(HCI_AUTH, &hdev->flags);
407 clear_bit(HCI_AUTH, &hdev->flags);
410 if (hci_dev_test_flag(hdev, HCI_MGMT))
411 mgmt_auth_enable_complete(hdev, rp->status);
413 hci_dev_unlock(hdev);
418 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
421 struct hci_ev_status *rp = data;
425 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
430 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
434 param = *((__u8 *) sent);
437 set_bit(HCI_ENCRYPT, &hdev->flags);
439 clear_bit(HCI_ENCRYPT, &hdev->flags);
444 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
447 struct hci_ev_status *rp = data;
451 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
457 param = *((__u8 *) sent);
462 hdev->discov_timeout = 0;
466 if (param & SCAN_INQUIRY)
467 set_bit(HCI_ISCAN, &hdev->flags);
469 clear_bit(HCI_ISCAN, &hdev->flags);
471 if (param & SCAN_PAGE)
472 set_bit(HCI_PSCAN, &hdev->flags);
474 clear_bit(HCI_PSCAN, &hdev->flags);
477 hci_dev_unlock(hdev);
482 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
485 struct hci_ev_status *rp = data;
486 struct hci_cp_set_event_filter *cp;
489 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
494 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
498 cp = (struct hci_cp_set_event_filter *)sent;
500 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
501 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
503 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
508 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
511 struct hci_rp_read_class_of_dev *rp = data;
514 return HCI_ERROR_UNSPECIFIED;
516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
521 memcpy(hdev->dev_class, rp->dev_class, 3);
523 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
524 hdev->dev_class[1], hdev->dev_class[0]);
529 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
532 struct hci_ev_status *rp = data;
535 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
537 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
544 memcpy(hdev->dev_class, sent, 3);
546 if (hci_dev_test_flag(hdev, HCI_MGMT))
547 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
549 hci_dev_unlock(hdev);
554 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
557 struct hci_rp_read_voice_setting *rp = data;
560 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
565 setting = __le16_to_cpu(rp->voice_setting);
567 if (hdev->voice_setting == setting)
570 hdev->voice_setting = setting;
572 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
575 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
580 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
583 struct hci_ev_status *rp = data;
587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
592 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
596 setting = get_unaligned_le16(sent);
598 if (hdev->voice_setting == setting)
601 hdev->voice_setting = setting;
603 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
606 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
611 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
614 struct hci_rp_read_num_supported_iac *rp = data;
616 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
621 hdev->num_iac = rp->num_iac;
623 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
628 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
631 struct hci_ev_status *rp = data;
632 struct hci_cp_write_ssp_mode *sent;
634 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
636 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
644 hdev->features[1][0] |= LMP_HOST_SSP;
646 hdev->features[1][0] &= ~LMP_HOST_SSP;
651 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
653 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
656 hci_dev_unlock(hdev);
661 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
664 struct hci_ev_status *rp = data;
665 struct hci_cp_write_sc_support *sent;
667 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
669 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
677 hdev->features[1][0] |= LMP_HOST_SC;
679 hdev->features[1][0] &= ~LMP_HOST_SC;
682 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
684 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
686 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
689 hci_dev_unlock(hdev);
694 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
697 struct hci_rp_read_local_version *rp = data;
699 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
704 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
705 hci_dev_test_flag(hdev, HCI_CONFIG)) {
706 hdev->hci_ver = rp->hci_ver;
707 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
708 hdev->lmp_ver = rp->lmp_ver;
709 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
710 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
716 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
719 struct hci_rp_read_enc_key_size *rp = data;
720 struct hci_conn *conn;
722 u8 status = rp->status;
724 bt_dev_dbg(hdev, "status 0x%2.2x", status);
726 handle = le16_to_cpu(rp->handle);
730 conn = hci_conn_hash_lookup_handle(hdev, handle);
736 /* While unexpected, the read_enc_key_size command may fail. The most
737 * secure approach is to then assume the key size is 0 to force a
741 bt_dev_err(hdev, "failed to read key size for handle %u",
743 conn->enc_key_size = 0;
745 conn->enc_key_size = rp->key_size;
748 if (conn->enc_key_size < hdev->min_enc_key_size) {
749 /* As slave role, the conn->state has been set to
750 * BT_CONNECTED and l2cap conn req might not be received
751 * yet, at this moment the l2cap layer almost does
752 * nothing with the non-zero status.
753 * So we also clear encrypt related bits, and then the
754 * handler of l2cap conn req will get the right secure
755 * state at a later time.
757 status = HCI_ERROR_AUTH_FAILURE;
758 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
759 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
763 hci_encrypt_cfm(conn, status);
766 hci_dev_unlock(hdev);
771 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
774 struct hci_rp_read_local_commands *rp = data;
776 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
781 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
782 hci_dev_test_flag(hdev, HCI_CONFIG))
783 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
788 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
791 struct hci_rp_read_auth_payload_to *rp = data;
792 struct hci_conn *conn;
794 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
801 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
803 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
805 hci_dev_unlock(hdev);
810 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
813 struct hci_rp_write_auth_payload_to *rp = data;
814 struct hci_conn *conn;
817 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
819 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
825 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
832 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
835 hci_dev_unlock(hdev);
840 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
843 struct hci_rp_read_local_features *rp = data;
845 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
850 memcpy(hdev->features, rp->features, 8);
852 /* Adjust default settings according to features
853 * supported by device. */
855 if (hdev->features[0][0] & LMP_3SLOT)
856 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
858 if (hdev->features[0][0] & LMP_5SLOT)
859 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
861 if (hdev->features[0][1] & LMP_HV2) {
862 hdev->pkt_type |= (HCI_HV2);
863 hdev->esco_type |= (ESCO_HV2);
866 if (hdev->features[0][1] & LMP_HV3) {
867 hdev->pkt_type |= (HCI_HV3);
868 hdev->esco_type |= (ESCO_HV3);
871 if (lmp_esco_capable(hdev))
872 hdev->esco_type |= (ESCO_EV3);
874 if (hdev->features[0][4] & LMP_EV4)
875 hdev->esco_type |= (ESCO_EV4);
877 if (hdev->features[0][4] & LMP_EV5)
878 hdev->esco_type |= (ESCO_EV5);
880 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
881 hdev->esco_type |= (ESCO_2EV3);
883 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
884 hdev->esco_type |= (ESCO_3EV3);
886 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
887 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
892 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
895 struct hci_rp_read_local_ext_features *rp = data;
897 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
902 if (hdev->max_page < rp->max_page) {
903 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
905 bt_dev_warn(hdev, "broken local ext features page 2");
907 hdev->max_page = rp->max_page;
910 if (rp->page < HCI_MAX_PAGES)
911 memcpy(hdev->features[rp->page], rp->features, 8);
916 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
919 struct hci_rp_read_flow_control_mode *rp = data;
921 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
926 hdev->flow_ctl_mode = rp->mode;
931 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
934 struct hci_rp_read_buffer_size *rp = data;
936 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
941 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
942 hdev->sco_mtu = rp->sco_mtu;
943 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
944 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
946 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
951 hdev->acl_cnt = hdev->acl_pkts;
952 hdev->sco_cnt = hdev->sco_pkts;
954 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
955 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
957 if (!hdev->acl_mtu || !hdev->acl_pkts)
958 return HCI_ERROR_INVALID_PARAMETERS;
963 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
966 struct hci_rp_read_bd_addr *rp = data;
968 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
973 if (test_bit(HCI_INIT, &hdev->flags))
974 bacpy(&hdev->bdaddr, &rp->bdaddr);
976 if (hci_dev_test_flag(hdev, HCI_SETUP))
977 bacpy(&hdev->setup_addr, &rp->bdaddr);
982 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
985 struct hci_rp_read_local_pairing_opts *rp = data;
987 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
992 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
993 hci_dev_test_flag(hdev, HCI_CONFIG)) {
994 hdev->pairing_opts = rp->pairing_opts;
995 hdev->max_enc_key_size = rp->max_key_size;
1001 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1002 struct sk_buff *skb)
1004 struct hci_rp_read_page_scan_activity *rp = data;
1006 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1011 if (test_bit(HCI_INIT, &hdev->flags)) {
1012 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1013 hdev->page_scan_window = __le16_to_cpu(rp->window);
1019 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1020 struct sk_buff *skb)
1022 struct hci_ev_status *rp = data;
1023 struct hci_cp_write_page_scan_activity *sent;
1025 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1030 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1034 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1035 hdev->page_scan_window = __le16_to_cpu(sent->window);
1040 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1041 struct sk_buff *skb)
1043 struct hci_rp_read_page_scan_type *rp = data;
1045 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1050 if (test_bit(HCI_INIT, &hdev->flags))
1051 hdev->page_scan_type = rp->type;
1056 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1057 struct sk_buff *skb)
1059 struct hci_ev_status *rp = data;
1062 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1067 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1069 hdev->page_scan_type = *type;
1074 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1075 struct sk_buff *skb)
1077 struct hci_rp_read_data_block_size *rp = data;
1079 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1084 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1085 hdev->block_len = __le16_to_cpu(rp->block_len);
1086 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1088 hdev->block_cnt = hdev->num_blocks;
1090 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1091 hdev->block_cnt, hdev->block_len);
1096 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1097 struct sk_buff *skb)
1099 struct hci_rp_read_clock *rp = data;
1100 struct hci_cp_read_clock *cp;
1101 struct hci_conn *conn;
1103 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1110 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1114 if (cp->which == 0x00) {
1115 hdev->clock = le32_to_cpu(rp->clock);
1119 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1121 conn->clock = le32_to_cpu(rp->clock);
1122 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1126 hci_dev_unlock(hdev);
1130 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1131 struct sk_buff *skb)
1133 struct hci_rp_read_local_amp_info *rp = data;
1135 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1140 hdev->amp_status = rp->amp_status;
1141 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1142 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1143 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1144 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1145 hdev->amp_type = rp->amp_type;
1146 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1147 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1148 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1149 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1154 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1155 struct sk_buff *skb)
1157 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1164 hdev->inq_tx_power = rp->tx_power;
1169 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1170 struct sk_buff *skb)
1172 struct hci_rp_read_def_err_data_reporting *rp = data;
1174 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1179 hdev->err_data_reporting = rp->err_data_reporting;
1184 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1185 struct sk_buff *skb)
1187 struct hci_ev_status *rp = data;
1188 struct hci_cp_write_def_err_data_reporting *cp;
1190 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1195 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1199 hdev->err_data_reporting = cp->err_data_reporting;
1204 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1205 struct sk_buff *skb)
1207 struct hci_rp_pin_code_reply *rp = data;
1208 struct hci_cp_pin_code_reply *cp;
1209 struct hci_conn *conn;
1211 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1215 if (hci_dev_test_flag(hdev, HCI_MGMT))
1216 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1221 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1225 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1227 conn->pin_length = cp->pin_len;
1230 hci_dev_unlock(hdev);
1234 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1235 struct sk_buff *skb)
1237 struct hci_rp_pin_code_neg_reply *rp = data;
1239 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1243 if (hci_dev_test_flag(hdev, HCI_MGMT))
1244 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1247 hci_dev_unlock(hdev);
1252 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1253 struct sk_buff *skb)
1255 struct hci_rp_le_read_buffer_size *rp = data;
1257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1262 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1263 hdev->le_pkts = rp->le_max_pkt;
1265 hdev->le_cnt = hdev->le_pkts;
1267 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1269 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
1270 return HCI_ERROR_INVALID_PARAMETERS;
1275 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_local_features *rp = data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 memcpy(hdev->le_features, rp->features, 8);
1290 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1291 struct sk_buff *skb)
1293 struct hci_rp_le_read_adv_tx_power *rp = data;
1295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1300 hdev->adv_tx_power = rp->tx_power;
1305 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1306 struct sk_buff *skb)
1308 struct hci_rp_user_confirm_reply *rp = data;
1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1314 if (hci_dev_test_flag(hdev, HCI_MGMT))
1315 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1318 hci_dev_unlock(hdev);
1323 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1324 struct sk_buff *skb)
1326 struct hci_rp_user_confirm_reply *rp = data;
1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1332 if (hci_dev_test_flag(hdev, HCI_MGMT))
1333 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1334 ACL_LINK, 0, rp->status);
1336 hci_dev_unlock(hdev);
1341 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1342 struct sk_buff *skb)
1344 struct hci_rp_user_confirm_reply *rp = data;
1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1350 if (hci_dev_test_flag(hdev, HCI_MGMT))
1351 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1354 hci_dev_unlock(hdev);
1359 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1360 struct sk_buff *skb)
1362 struct hci_rp_user_confirm_reply *rp = data;
1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1368 if (hci_dev_test_flag(hdev, HCI_MGMT))
1369 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1370 ACL_LINK, 0, rp->status);
1372 hci_dev_unlock(hdev);
1377 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1378 struct sk_buff *skb)
1380 struct hci_rp_read_local_oob_data *rp = data;
1382 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1387 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1388 struct sk_buff *skb)
1390 struct hci_rp_read_local_oob_ext_data *rp = data;
1392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1397 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1398 struct sk_buff *skb)
1400 struct hci_ev_status *rp = data;
1403 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1408 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1414 bacpy(&hdev->random_addr, sent);
1416 if (!bacmp(&hdev->rpa, sent)) {
1417 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1418 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1419 secs_to_jiffies(hdev->rpa_timeout));
1422 hci_dev_unlock(hdev);
1427 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1428 struct sk_buff *skb)
1430 struct hci_ev_status *rp = data;
1431 struct hci_cp_le_set_default_phy *cp;
1433 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1444 hdev->le_tx_def_phys = cp->tx_phys;
1445 hdev->le_rx_def_phys = cp->rx_phys;
1447 hci_dev_unlock(hdev);
1452 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1453 struct sk_buff *skb)
1455 struct hci_ev_status *rp = data;
1456 struct hci_cp_le_set_adv_set_rand_addr *cp;
1457 struct adv_info *adv;
1459 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1465 /* Update only in case the adv instance since handle 0x00 shall be using
1466 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1467 * non-extended adverting.
1469 if (!cp || !cp->handle)
1474 adv = hci_find_adv_instance(hdev, cp->handle);
1476 bacpy(&adv->random_addr, &cp->bdaddr);
1477 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1478 adv->rpa_expired = false;
1479 queue_delayed_work(hdev->workqueue,
1480 &adv->rpa_expired_cb,
1481 secs_to_jiffies(hdev->rpa_timeout));
1485 hci_dev_unlock(hdev);
1490 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1491 struct sk_buff *skb)
1493 struct hci_ev_status *rp = data;
1497 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1502 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1508 err = hci_remove_adv_instance(hdev, *instance);
1510 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1513 hci_dev_unlock(hdev);
1518 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1519 struct sk_buff *skb)
1521 struct hci_ev_status *rp = data;
1522 struct adv_info *adv, *n;
1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1530 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1535 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1536 u8 instance = adv->instance;
1538 err = hci_remove_adv_instance(hdev, instance);
1540 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1544 hci_dev_unlock(hdev);
1549 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1550 struct sk_buff *skb)
1552 struct hci_rp_le_read_transmit_power *rp = data;
1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1559 hdev->min_le_tx_power = rp->min_le_tx_power;
1560 hdev->max_le_tx_power = rp->max_le_tx_power;
1565 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1566 struct sk_buff *skb)
1568 struct hci_ev_status *rp = data;
1569 struct hci_cp_le_set_privacy_mode *cp;
1570 struct hci_conn_params *params;
1572 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1577 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1583 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1585 WRITE_ONCE(params->privacy_mode, cp->mode);
1587 hci_dev_unlock(hdev);
1592 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1593 struct sk_buff *skb)
1595 struct hci_ev_status *rp = data;
1598 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1603 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1609 /* If we're doing connection initiation as peripheral. Set a
1610 * timeout in case something goes wrong.
1613 struct hci_conn *conn;
1615 hci_dev_set_flag(hdev, HCI_LE_ADV);
1617 conn = hci_lookup_le_connect(hdev);
1619 queue_delayed_work(hdev->workqueue,
1620 &conn->le_conn_timeout,
1621 conn->conn_timeout);
1623 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1626 hci_dev_unlock(hdev);
1631 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1632 struct sk_buff *skb)
1634 struct hci_cp_le_set_ext_adv_enable *cp;
1635 struct hci_cp_ext_adv_set *set;
1636 struct adv_info *adv = NULL, *n;
1637 struct hci_ev_status *rp = data;
1639 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1644 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1648 set = (void *)cp->data;
1652 if (cp->num_of_sets)
1653 adv = hci_find_adv_instance(hdev, set->handle);
1656 struct hci_conn *conn;
1658 hci_dev_set_flag(hdev, HCI_LE_ADV);
1660 if (adv && !adv->periodic)
1661 adv->enabled = true;
1663 conn = hci_lookup_le_connect(hdev);
1665 queue_delayed_work(hdev->workqueue,
1666 &conn->le_conn_timeout,
1667 conn->conn_timeout);
1669 if (cp->num_of_sets) {
1671 adv->enabled = false;
1673 /* If just one instance was disabled check if there are
1674 * any other instance enabled before clearing HCI_LE_ADV
1676 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1682 /* All instances shall be considered disabled */
1683 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1685 adv->enabled = false;
1688 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1692 hci_dev_unlock(hdev);
1696 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1697 struct sk_buff *skb)
1699 struct hci_cp_le_set_scan_param *cp;
1700 struct hci_ev_status *rp = data;
1702 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1707 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1713 hdev->le_scan_type = cp->type;
1715 hci_dev_unlock(hdev);
1720 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1721 struct sk_buff *skb)
1723 struct hci_cp_le_set_ext_scan_params *cp;
1724 struct hci_ev_status *rp = data;
1725 struct hci_cp_le_scan_phy_params *phy_param;
1727 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1732 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1736 phy_param = (void *)cp->data;
1740 hdev->le_scan_type = phy_param->type;
1742 hci_dev_unlock(hdev);
1747 static bool has_pending_adv_report(struct hci_dev *hdev)
1749 struct discovery_state *d = &hdev->discovery;
1751 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1754 static void clear_pending_adv_report(struct hci_dev *hdev)
1756 struct discovery_state *d = &hdev->discovery;
1758 bacpy(&d->last_adv_addr, BDADDR_ANY);
1759 d->last_adv_data_len = 0;
1762 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1763 u8 bdaddr_type, s8 rssi, u32 flags,
1766 struct discovery_state *d = &hdev->discovery;
1768 if (len > max_adv_len(hdev))
1771 bacpy(&d->last_adv_addr, bdaddr);
1772 d->last_adv_addr_type = bdaddr_type;
1773 d->last_adv_rssi = rssi;
1774 d->last_adv_flags = flags;
1775 memcpy(d->last_adv_data, data, len);
1776 d->last_adv_data_len = len;
1779 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1784 case LE_SCAN_ENABLE:
1785 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1786 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1787 clear_pending_adv_report(hdev);
1788 if (hci_dev_test_flag(hdev, HCI_MESH))
1789 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1792 case LE_SCAN_DISABLE:
1793 /* We do this here instead of when setting DISCOVERY_STOPPED
1794 * since the latter would potentially require waiting for
1795 * inquiry to stop too.
1797 if (has_pending_adv_report(hdev)) {
1798 struct discovery_state *d = &hdev->discovery;
1800 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1801 d->last_adv_addr_type, NULL,
1802 d->last_adv_rssi, d->last_adv_flags,
1804 d->last_adv_data_len, NULL, 0, 0);
1807 /* Cancel this timer so that we don't try to disable scanning
1808 * when it's already disabled.
1810 cancel_delayed_work(&hdev->le_scan_disable);
1812 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1814 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1815 * interrupted scanning due to a connect request. Mark
1816 * therefore discovery as stopped.
1818 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1819 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1820 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1821 hdev->discovery.state == DISCOVERY_FINDING)
1822 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1827 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1832 hci_dev_unlock(hdev);
1835 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1836 struct sk_buff *skb)
1838 struct hci_cp_le_set_scan_enable *cp;
1839 struct hci_ev_status *rp = data;
1841 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1846 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1850 le_set_scan_enable_complete(hdev, cp->enable);
1855 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1856 struct sk_buff *skb)
1858 struct hci_cp_le_set_ext_scan_enable *cp;
1859 struct hci_ev_status *rp = data;
1861 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1866 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1870 le_set_scan_enable_complete(hdev, cp->enable);
1875 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1876 struct sk_buff *skb)
1878 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1880 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1886 hdev->le_num_of_adv_sets = rp->num_of_sets;
1891 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1892 struct sk_buff *skb)
1894 struct hci_rp_le_read_accept_list_size *rp = data;
1896 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1901 hdev->le_accept_list_size = rp->size;
1906 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1907 struct sk_buff *skb)
1909 struct hci_ev_status *rp = data;
1911 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1917 hci_bdaddr_list_clear(&hdev->le_accept_list);
1918 hci_dev_unlock(hdev);
1923 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1924 struct sk_buff *skb)
1926 struct hci_cp_le_add_to_accept_list *sent;
1927 struct hci_ev_status *rp = data;
1929 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1934 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1939 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1941 hci_dev_unlock(hdev);
1946 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1947 struct sk_buff *skb)
1949 struct hci_cp_le_del_from_accept_list *sent;
1950 struct hci_ev_status *rp = data;
1952 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1957 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1962 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1964 hci_dev_unlock(hdev);
1969 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1970 struct sk_buff *skb)
1972 struct hci_rp_le_read_supported_states *rp = data;
1974 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1979 memcpy(hdev->le_states, rp->le_states, 8);
1984 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1985 struct sk_buff *skb)
1987 struct hci_rp_le_read_def_data_len *rp = data;
1989 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1994 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1995 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
2000 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2001 struct sk_buff *skb)
2003 struct hci_cp_le_write_def_data_len *sent;
2004 struct hci_ev_status *rp = data;
2006 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2011 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2015 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2016 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2021 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2022 struct sk_buff *skb)
2024 struct hci_cp_le_add_to_resolv_list *sent;
2025 struct hci_ev_status *rp = data;
2027 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2032 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2037 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2038 sent->bdaddr_type, sent->peer_irk,
2040 hci_dev_unlock(hdev);
2045 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2046 struct sk_buff *skb)
2048 struct hci_cp_le_del_from_resolv_list *sent;
2049 struct hci_ev_status *rp = data;
2051 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2056 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2061 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2063 hci_dev_unlock(hdev);
2068 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2069 struct sk_buff *skb)
2071 struct hci_ev_status *rp = data;
2073 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2079 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2080 hci_dev_unlock(hdev);
2085 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2086 struct sk_buff *skb)
2088 struct hci_rp_le_read_resolv_list_size *rp = data;
2090 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2095 hdev->le_resolv_list_size = rp->size;
2100 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2101 struct sk_buff *skb)
2103 struct hci_ev_status *rp = data;
2106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2111 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2118 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2120 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2122 hci_dev_unlock(hdev);
2127 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2128 struct sk_buff *skb)
2130 struct hci_rp_le_read_max_data_len *rp = data;
2132 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2137 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2138 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2139 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2140 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2145 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2146 struct sk_buff *skb)
2148 struct hci_cp_write_le_host_supported *sent;
2149 struct hci_ev_status *rp = data;
2151 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2156 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2163 hdev->features[1][0] |= LMP_HOST_LE;
2164 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2166 hdev->features[1][0] &= ~LMP_HOST_LE;
2167 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2168 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2172 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2174 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2176 hci_dev_unlock(hdev);
2181 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2182 struct sk_buff *skb)
2184 struct hci_cp_le_set_adv_param *cp;
2185 struct hci_ev_status *rp = data;
2187 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2192 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2197 hdev->adv_addr_type = cp->own_address_type;
2198 hci_dev_unlock(hdev);
2203 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2204 struct sk_buff *skb)
2206 struct hci_rp_le_set_ext_adv_params *rp = data;
2207 struct hci_cp_le_set_ext_adv_params *cp;
2208 struct adv_info *adv_instance;
2210 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2215 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2220 hdev->adv_addr_type = cp->own_addr_type;
2222 /* Store in hdev for instance 0 */
2223 hdev->adv_tx_power = rp->tx_power;
2225 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2227 adv_instance->tx_power = rp->tx_power;
2229 /* Update adv data as tx power is known now */
2230 hci_update_adv_data(hdev, cp->handle);
2232 hci_dev_unlock(hdev);
2237 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2238 struct sk_buff *skb)
2240 struct hci_rp_read_rssi *rp = data;
2241 struct hci_conn *conn;
2243 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2250 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2252 conn->rssi = rp->rssi;
2254 hci_dev_unlock(hdev);
2259 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2260 struct sk_buff *skb)
2262 struct hci_cp_read_tx_power *sent;
2263 struct hci_rp_read_tx_power *rp = data;
2264 struct hci_conn *conn;
2266 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2271 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2277 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2281 switch (sent->type) {
2283 conn->tx_power = rp->tx_power;
2286 conn->max_tx_power = rp->tx_power;
2291 hci_dev_unlock(hdev);
2295 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2296 struct sk_buff *skb)
2298 struct hci_ev_status *rp = data;
2301 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2306 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2308 hdev->ssp_debug_mode = *mode;
2313 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2315 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2320 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2321 set_bit(HCI_INQUIRY, &hdev->flags);
2324 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2326 struct hci_cp_create_conn *cp;
2327 struct hci_conn *conn;
2329 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2331 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2337 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2339 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2342 if (conn && conn->state == BT_CONNECT) {
2343 conn->state = BT_CLOSED;
2344 hci_connect_cfm(conn, status);
2349 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2352 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
2356 hci_dev_unlock(hdev);
2359 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2361 struct hci_cp_add_sco *cp;
2362 struct hci_conn *acl;
2363 struct hci_link *link;
2366 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2371 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2375 handle = __le16_to_cpu(cp->handle);
2377 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2381 acl = hci_conn_hash_lookup_handle(hdev, handle);
2383 link = list_first_entry_or_null(&acl->link_list,
2384 struct hci_link, list);
2385 if (link && link->conn) {
2386 link->conn->state = BT_CLOSED;
2388 hci_connect_cfm(link->conn, status);
2389 hci_conn_del(link->conn);
2393 hci_dev_unlock(hdev);
2396 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2398 struct hci_cp_auth_requested *cp;
2399 struct hci_conn *conn;
2401 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2406 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2412 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2414 if (conn->state == BT_CONFIG) {
2415 hci_connect_cfm(conn, status);
2416 hci_conn_drop(conn);
2420 hci_dev_unlock(hdev);
2423 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2425 struct hci_cp_set_conn_encrypt *cp;
2426 struct hci_conn *conn;
2428 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2433 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2439 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2441 if (conn->state == BT_CONFIG) {
2442 hci_connect_cfm(conn, status);
2443 hci_conn_drop(conn);
2447 hci_dev_unlock(hdev);
2450 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2451 struct hci_conn *conn)
2453 if (conn->state != BT_CONFIG || !conn->out)
2456 if (conn->pending_sec_level == BT_SECURITY_SDP)
2459 /* Only request authentication for SSP connections or non-SSP
2460 * devices with sec_level MEDIUM or HIGH or if MITM protection
2463 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2464 conn->pending_sec_level != BT_SECURITY_FIPS &&
2465 conn->pending_sec_level != BT_SECURITY_HIGH &&
2466 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2472 static int hci_resolve_name(struct hci_dev *hdev,
2473 struct inquiry_entry *e)
2475 struct hci_cp_remote_name_req cp;
2477 memset(&cp, 0, sizeof(cp));
2479 bacpy(&cp.bdaddr, &e->data.bdaddr);
2480 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2481 cp.pscan_mode = e->data.pscan_mode;
2482 cp.clock_offset = e->data.clock_offset;
2484 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2487 static bool hci_resolve_next_name(struct hci_dev *hdev)
2489 struct discovery_state *discov = &hdev->discovery;
2490 struct inquiry_entry *e;
2492 if (list_empty(&discov->resolve))
2495 /* We should stop if we already spent too much time resolving names. */
2496 if (time_after(jiffies, discov->name_resolve_timeout)) {
2497 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2501 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2505 if (hci_resolve_name(hdev, e) == 0) {
2506 e->name_state = NAME_PENDING;
2513 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2514 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2516 struct discovery_state *discov = &hdev->discovery;
2517 struct inquiry_entry *e;
2519 /* Update the mgmt connected state if necessary. Be careful with
2520 * conn objects that exist but are not (yet) connected however.
2521 * Only those in BT_CONFIG or BT_CONNECTED states can be
2522 * considered connected.
2524 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED))
2525 mgmt_device_connected(hdev, conn, name, name_len);
2527 if (discov->state == DISCOVERY_STOPPED)
2530 if (discov->state == DISCOVERY_STOPPING)
2531 goto discov_complete;
2533 if (discov->state != DISCOVERY_RESOLVING)
2536 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2537 /* If the device was not found in a list of found devices names of which
2538 * are pending. there is no need to continue resolving a next name as it
2539 * will be done upon receiving another Remote Name Request Complete
2546 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2547 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2550 if (hci_resolve_next_name(hdev))
2554 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2557 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2559 struct hci_cp_remote_name_req *cp;
2560 struct hci_conn *conn;
2562 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2564 /* If successful wait for the name req complete event before
2565 * checking for the need to do authentication */
2569 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2575 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2577 if (hci_dev_test_flag(hdev, HCI_MGMT))
2578 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2583 if (!hci_outgoing_auth_needed(hdev, conn))
2586 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2587 struct hci_cp_auth_requested auth_cp;
2589 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2591 auth_cp.handle = __cpu_to_le16(conn->handle);
2592 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2593 sizeof(auth_cp), &auth_cp);
2597 hci_dev_unlock(hdev);
2600 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2602 struct hci_cp_read_remote_features *cp;
2603 struct hci_conn *conn;
2605 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2610 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2616 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2618 if (conn->state == BT_CONFIG) {
2619 hci_connect_cfm(conn, status);
2620 hci_conn_drop(conn);
2624 hci_dev_unlock(hdev);
2627 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2629 struct hci_cp_read_remote_ext_features *cp;
2630 struct hci_conn *conn;
2632 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2637 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2643 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2645 if (conn->state == BT_CONFIG) {
2646 hci_connect_cfm(conn, status);
2647 hci_conn_drop(conn);
2651 hci_dev_unlock(hdev);
2654 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2657 struct hci_conn *acl;
2658 struct hci_link *link;
2660 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2664 acl = hci_conn_hash_lookup_handle(hdev, handle);
2666 link = list_first_entry_or_null(&acl->link_list,
2667 struct hci_link, list);
2668 if (link && link->conn) {
2669 link->conn->state = BT_CLOSED;
2671 hci_connect_cfm(link->conn, status);
2672 hci_conn_del(link->conn);
2676 hci_dev_unlock(hdev);
2679 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2681 struct hci_cp_setup_sync_conn *cp;
2683 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2688 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2692 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2695 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2697 struct hci_cp_enhanced_setup_sync_conn *cp;
2699 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2704 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2708 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2711 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2713 struct hci_cp_sniff_mode *cp;
2714 struct hci_conn *conn;
2716 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2721 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2727 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2729 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2731 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2732 hci_sco_setup(conn, status);
2735 hci_dev_unlock(hdev);
2738 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2740 struct hci_cp_exit_sniff_mode *cp;
2741 struct hci_conn *conn;
2743 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2748 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2754 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2756 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2758 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2759 hci_sco_setup(conn, status);
2762 hci_dev_unlock(hdev);
2765 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2767 struct hci_cp_disconnect *cp;
2768 struct hci_conn_params *params;
2769 struct hci_conn *conn;
2772 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2774 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2775 * otherwise cleanup the connection immediately.
2777 if (!status && !hdev->suspended)
2780 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2786 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2791 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2792 conn->dst_type, status);
2794 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2795 hdev->cur_adv_instance = conn->adv_instance;
2796 hci_enable_advertising(hdev);
2799 /* Inform sockets conn is gone before we delete it */
2800 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2805 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2807 if (conn->type == ACL_LINK) {
2808 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2809 hci_remove_link_key(hdev, &conn->dst);
2812 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2814 switch (params->auto_connect) {
2815 case HCI_AUTO_CONN_LINK_LOSS:
2816 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2820 case HCI_AUTO_CONN_DIRECT:
2821 case HCI_AUTO_CONN_ALWAYS:
2822 hci_pend_le_list_del_init(params);
2823 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2831 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2832 cp->reason, mgmt_conn);
2834 hci_disconn_cfm(conn, cp->reason);
2837 /* If the disconnection failed for any reason, the upper layer
2838 * does not retry to disconnect in current implementation.
2839 * Hence, we need to do some basic cleanup here and re-enable
2840 * advertising if necessary.
2844 hci_dev_unlock(hdev);
2847 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2849 /* When using controller based address resolution, then the new
2850 * address types 0x02 and 0x03 are used. These types need to be
2851 * converted back into either public address or random address type
2854 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2857 return ADDR_LE_DEV_PUBLIC;
2858 case ADDR_LE_DEV_RANDOM_RESOLVED:
2861 return ADDR_LE_DEV_RANDOM;
2869 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2870 u8 peer_addr_type, u8 own_address_type,
2873 struct hci_conn *conn;
2875 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2880 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2882 /* Store the initiator and responder address information which
2883 * is needed for SMP. These values will not change during the
2884 * lifetime of the connection.
2886 conn->init_addr_type = own_address_type;
2887 if (own_address_type == ADDR_LE_DEV_RANDOM)
2888 bacpy(&conn->init_addr, &hdev->random_addr);
2890 bacpy(&conn->init_addr, &hdev->bdaddr);
2892 conn->resp_addr_type = peer_addr_type;
2893 bacpy(&conn->resp_addr, peer_addr);
2896 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2898 struct hci_cp_le_create_conn *cp;
2900 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2902 /* All connection failure handling is taken care of by the
2903 * hci_conn_failed function which is triggered by the HCI
2904 * request completion callbacks used for connecting.
2909 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2915 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2916 cp->own_address_type, cp->filter_policy);
2918 hci_dev_unlock(hdev);
2921 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2923 struct hci_cp_le_ext_create_conn *cp;
2925 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2927 /* All connection failure handling is taken care of by the
2928 * hci_conn_failed function which is triggered by the HCI
2929 * request completion callbacks used for connecting.
2934 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2940 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2941 cp->own_addr_type, cp->filter_policy);
2943 hci_dev_unlock(hdev);
2946 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2948 struct hci_cp_le_read_remote_features *cp;
2949 struct hci_conn *conn;
2951 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2956 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2962 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2964 if (conn->state == BT_CONFIG) {
2965 hci_connect_cfm(conn, status);
2966 hci_conn_drop(conn);
2970 hci_dev_unlock(hdev);
2973 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2975 struct hci_cp_le_start_enc *cp;
2976 struct hci_conn *conn;
2978 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2985 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2989 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2993 if (conn->state != BT_CONNECTED)
2996 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2997 hci_conn_drop(conn);
3000 hci_dev_unlock(hdev);
3003 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3005 struct hci_cp_switch_role *cp;
3006 struct hci_conn *conn;
3008 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3013 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3019 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3021 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3023 hci_dev_unlock(hdev);
3026 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3027 struct sk_buff *skb)
3029 struct hci_ev_status *ev = data;
3030 struct discovery_state *discov = &hdev->discovery;
3031 struct inquiry_entry *e;
3033 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3035 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3038 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3039 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3041 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3046 if (discov->state != DISCOVERY_FINDING)
3049 if (list_empty(&discov->resolve)) {
3050 /* When BR/EDR inquiry is active and no LE scanning is in
3051 * progress, then change discovery state to indicate completion.
3053 * When running LE scanning and BR/EDR inquiry simultaneously
3054 * and the LE scan already finished, then change the discovery
3055 * state to indicate completion.
3057 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3058 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3059 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3063 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3064 if (e && hci_resolve_name(hdev, e) == 0) {
3065 e->name_state = NAME_PENDING;
3066 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3067 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3069 /* When BR/EDR inquiry is active and no LE scanning is in
3070 * progress, then change discovery state to indicate completion.
3072 * When running LE scanning and BR/EDR inquiry simultaneously
3073 * and the LE scan already finished, then change the discovery
3074 * state to indicate completion.
3076 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3077 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3078 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3082 hci_dev_unlock(hdev);
3085 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3086 struct sk_buff *skb)
3088 struct hci_ev_inquiry_result *ev = edata;
3089 struct inquiry_data data;
3092 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3093 flex_array_size(ev, info, ev->num)))
3096 bt_dev_dbg(hdev, "num %d", ev->num);
3101 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3106 for (i = 0; i < ev->num; i++) {
3107 struct inquiry_info *info = &ev->info[i];
3110 bacpy(&data.bdaddr, &info->bdaddr);
3111 data.pscan_rep_mode = info->pscan_rep_mode;
3112 data.pscan_period_mode = info->pscan_period_mode;
3113 data.pscan_mode = info->pscan_mode;
3114 memcpy(data.dev_class, info->dev_class, 3);
3115 data.clock_offset = info->clock_offset;
3116 data.rssi = HCI_RSSI_INVALID;
3117 data.ssp_mode = 0x00;
3119 flags = hci_inquiry_cache_update(hdev, &data, false);
3121 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3122 info->dev_class, HCI_RSSI_INVALID,
3123 flags, NULL, 0, NULL, 0, 0);
3126 hci_dev_unlock(hdev);
3129 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3130 struct sk_buff *skb)
3132 struct hci_ev_conn_complete *ev = data;
3133 struct hci_conn *conn;
3134 u8 status = ev->status;
3136 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3140 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3142 /* In case of error status and there is no connection pending
3143 * just unlock as there is nothing to cleanup.
3148 /* Connection may not exist if auto-connected. Check the bredr
3149 * allowlist to see if this device is allowed to auto connect.
3150 * If link is an ACL type, create a connection class
3153 * Auto-connect will only occur if the event filter is
3154 * programmed with a given address. Right now, event filter is
3155 * only used during suspend.
3157 if (ev->link_type == ACL_LINK &&
3158 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3161 conn = hci_conn_add_unset(hdev, ev->link_type,
3162 &ev->bdaddr, HCI_ROLE_SLAVE);
3164 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3168 if (ev->link_type != SCO_LINK)
3171 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3176 conn->type = SCO_LINK;
3180 /* The HCI_Connection_Complete event is only sent once per connection.
3181 * Processing it more than once per connection can corrupt kernel memory.
3183 * As the connection handle is set here for the first time, it indicates
3184 * whether the connection is already set up.
3186 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3187 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3192 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3196 if (conn->type == ACL_LINK) {
3197 conn->state = BT_CONFIG;
3198 hci_conn_hold(conn);
3200 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3201 !hci_find_link_key(hdev, &ev->bdaddr))
3202 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3204 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3206 conn->state = BT_CONNECTED;
3208 hci_debugfs_create_conn(conn);
3209 hci_conn_add_sysfs(conn);
3211 if (test_bit(HCI_AUTH, &hdev->flags))
3212 set_bit(HCI_CONN_AUTH, &conn->flags);
3214 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3215 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3217 /* "Link key request" completed ahead of "connect request" completes */
3218 if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3219 ev->link_type == ACL_LINK) {
3220 struct link_key *key;
3221 struct hci_cp_read_enc_key_size cp;
3223 key = hci_find_link_key(hdev, &ev->bdaddr);
3225 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3227 if (!read_key_size_capable(hdev)) {
3228 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3230 cp.handle = cpu_to_le16(conn->handle);
3231 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3233 bt_dev_err(hdev, "sending read key size failed");
3234 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3238 hci_encrypt_cfm(conn, ev->status);
3242 /* Get remote features */
3243 if (conn->type == ACL_LINK) {
3244 struct hci_cp_read_remote_features cp;
3245 cp.handle = ev->handle;
3246 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3249 hci_update_scan(hdev);
3252 /* Set packet type for incoming connection */
3253 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3254 struct hci_cp_change_conn_ptype cp;
3255 cp.handle = ev->handle;
3256 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3257 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3262 if (conn->type == ACL_LINK)
3263 hci_sco_setup(conn, ev->status);
3267 hci_conn_failed(conn, status);
3268 } else if (ev->link_type == SCO_LINK) {
3269 switch (conn->setting & SCO_AIRMODE_MASK) {
3270 case SCO_AIRMODE_CVSD:
3272 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3276 hci_connect_cfm(conn, status);
3280 hci_dev_unlock(hdev);
3283 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3285 struct hci_cp_reject_conn_req cp;
3287 bacpy(&cp.bdaddr, bdaddr);
3288 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3289 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3292 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3293 struct sk_buff *skb)
3295 struct hci_ev_conn_request *ev = data;
3296 int mask = hdev->link_mode;
3297 struct inquiry_entry *ie;
3298 struct hci_conn *conn;
3301 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3303 /* Reject incoming connection from device with same BD ADDR against
3306 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3307 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3309 hci_reject_conn(hdev, &ev->bdaddr);
3313 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3316 if (!(mask & HCI_LM_ACCEPT)) {
3317 hci_reject_conn(hdev, &ev->bdaddr);
3323 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3325 hci_reject_conn(hdev, &ev->bdaddr);
3329 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3330 * connection. These features are only touched through mgmt so
3331 * only do the checks if HCI_MGMT is set.
3333 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3334 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3335 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3337 hci_reject_conn(hdev, &ev->bdaddr);
3341 /* Connection accepted */
3343 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3345 memcpy(ie->data.dev_class, ev->dev_class, 3);
3347 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3350 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3353 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3358 memcpy(conn->dev_class, ev->dev_class, 3);
3360 hci_dev_unlock(hdev);
3362 if (ev->link_type == ACL_LINK ||
3363 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3364 struct hci_cp_accept_conn_req cp;
3365 conn->state = BT_CONNECT;
3367 bacpy(&cp.bdaddr, &ev->bdaddr);
3369 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3370 cp.role = 0x00; /* Become central */
3372 cp.role = 0x01; /* Remain peripheral */
3374 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3375 } else if (!(flags & HCI_PROTO_DEFER)) {
3376 struct hci_cp_accept_sync_conn_req cp;
3377 conn->state = BT_CONNECT;
3379 bacpy(&cp.bdaddr, &ev->bdaddr);
3380 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3382 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3383 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3384 cp.max_latency = cpu_to_le16(0xffff);
3385 cp.content_format = cpu_to_le16(hdev->voice_setting);
3386 cp.retrans_effort = 0xff;
3388 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3391 conn->state = BT_CONNECT2;
3392 hci_connect_cfm(conn, 0);
3397 hci_dev_unlock(hdev);
3400 static u8 hci_to_mgmt_reason(u8 err)
3403 case HCI_ERROR_CONNECTION_TIMEOUT:
3404 return MGMT_DEV_DISCONN_TIMEOUT;
3405 case HCI_ERROR_REMOTE_USER_TERM:
3406 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3407 case HCI_ERROR_REMOTE_POWER_OFF:
3408 return MGMT_DEV_DISCONN_REMOTE;
3409 case HCI_ERROR_LOCAL_HOST_TERM:
3410 return MGMT_DEV_DISCONN_LOCAL_HOST;
3412 return MGMT_DEV_DISCONN_UNKNOWN;
3416 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3417 struct sk_buff *skb)
3419 struct hci_ev_disconn_complete *ev = data;
3421 struct hci_conn_params *params;
3422 struct hci_conn *conn;
3423 bool mgmt_connected;
3425 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3429 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3434 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3435 conn->dst_type, ev->status);
3439 conn->state = BT_CLOSED;
3441 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3443 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3444 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3446 reason = hci_to_mgmt_reason(ev->reason);
3448 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3449 reason, mgmt_connected);
3451 if (conn->type == ACL_LINK) {
3452 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3453 hci_remove_link_key(hdev, &conn->dst);
3455 hci_update_scan(hdev);
3458 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3460 switch (params->auto_connect) {
3461 case HCI_AUTO_CONN_LINK_LOSS:
3462 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3466 case HCI_AUTO_CONN_DIRECT:
3467 case HCI_AUTO_CONN_ALWAYS:
3468 hci_pend_le_list_del_init(params);
3469 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3470 hci_update_passive_scan(hdev);
3478 hci_disconn_cfm(conn, ev->reason);
3480 /* Re-enable advertising if necessary, since it might
3481 * have been disabled by the connection. From the
3482 * HCI_LE_Set_Advertise_Enable command description in
3483 * the core specification (v4.0):
3484 * "The Controller shall continue advertising until the Host
3485 * issues an LE_Set_Advertise_Enable command with
3486 * Advertising_Enable set to 0x00 (Advertising is disabled)
3487 * or until a connection is created or until the Advertising
3488 * is timed out due to Directed Advertising."
3490 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3491 hdev->cur_adv_instance = conn->adv_instance;
3492 hci_enable_advertising(hdev);
3498 hci_dev_unlock(hdev);
3501 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3502 struct sk_buff *skb)
3504 struct hci_ev_auth_complete *ev = data;
3505 struct hci_conn *conn;
3507 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3511 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3516 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3517 set_bit(HCI_CONN_AUTH, &conn->flags);
3518 conn->sec_level = conn->pending_sec_level;
3520 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3521 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3523 mgmt_auth_failed(conn, ev->status);
3526 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3528 if (conn->state == BT_CONFIG) {
3529 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3530 struct hci_cp_set_conn_encrypt cp;
3531 cp.handle = ev->handle;
3533 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3536 conn->state = BT_CONNECTED;
3537 hci_connect_cfm(conn, ev->status);
3538 hci_conn_drop(conn);
3541 hci_auth_cfm(conn, ev->status);
3543 hci_conn_hold(conn);
3544 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3545 hci_conn_drop(conn);
3548 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3550 struct hci_cp_set_conn_encrypt cp;
3551 cp.handle = ev->handle;
3553 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3556 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3557 hci_encrypt_cfm(conn, ev->status);
3562 hci_dev_unlock(hdev);
3565 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3566 struct sk_buff *skb)
3568 struct hci_ev_remote_name *ev = data;
3569 struct hci_conn *conn;
3571 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3575 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3577 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3580 if (ev->status == 0)
3581 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3582 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3584 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3590 if (!hci_outgoing_auth_needed(hdev, conn))
3593 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3594 struct hci_cp_auth_requested cp;
3596 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3598 cp.handle = __cpu_to_le16(conn->handle);
3599 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3603 hci_dev_unlock(hdev);
3606 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3607 struct sk_buff *skb)
3609 struct hci_ev_encrypt_change *ev = data;
3610 struct hci_conn *conn;
3612 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3616 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3622 /* Encryption implies authentication */
3623 set_bit(HCI_CONN_AUTH, &conn->flags);
3624 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3625 conn->sec_level = conn->pending_sec_level;
3627 /* P-256 authentication key implies FIPS */
3628 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3629 set_bit(HCI_CONN_FIPS, &conn->flags);
3631 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3632 conn->type == LE_LINK)
3633 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3635 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3636 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3640 /* We should disregard the current RPA and generate a new one
3641 * whenever the encryption procedure fails.
3643 if (ev->status && conn->type == LE_LINK) {
3644 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3645 hci_adv_instances_set_rpa_expired(hdev, true);
3648 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3650 /* Check link security requirements are met */
3651 if (!hci_conn_check_link_mode(conn))
3652 ev->status = HCI_ERROR_AUTH_FAILURE;
3654 if (ev->status && conn->state == BT_CONNECTED) {
3655 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3656 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3658 /* Notify upper layers so they can cleanup before
3661 hci_encrypt_cfm(conn, ev->status);
3662 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3663 hci_conn_drop(conn);
3667 /* Try reading the encryption key size for encrypted ACL links */
3668 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3669 struct hci_cp_read_enc_key_size cp;
3671 /* Only send HCI_Read_Encryption_Key_Size if the
3672 * controller really supports it. If it doesn't, assume
3673 * the default size (16).
3675 if (!read_key_size_capable(hdev)) {
3676 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3680 cp.handle = cpu_to_le16(conn->handle);
3681 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3683 bt_dev_err(hdev, "sending read key size failed");
3684 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3691 /* Set the default Authenticated Payload Timeout after
3692 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3693 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3694 * sent when the link is active and Encryption is enabled, the conn
3695 * type can be either LE or ACL and controller must support LMP Ping.
3696 * Ensure for AES-CCM encryption as well.
3698 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3699 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3700 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3701 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3702 struct hci_cp_write_auth_payload_to cp;
3704 cp.handle = cpu_to_le16(conn->handle);
3705 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3706 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3708 bt_dev_err(hdev, "write auth payload timeout failed");
3712 hci_encrypt_cfm(conn, ev->status);
3715 hci_dev_unlock(hdev);
3718 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3719 struct sk_buff *skb)
3721 struct hci_ev_change_link_key_complete *ev = data;
3722 struct hci_conn *conn;
3724 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3728 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3731 set_bit(HCI_CONN_SECURE, &conn->flags);
3733 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3735 hci_key_change_cfm(conn, ev->status);
3738 hci_dev_unlock(hdev);
3741 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3742 struct sk_buff *skb)
3744 struct hci_ev_remote_features *ev = data;
3745 struct hci_conn *conn;
3747 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3751 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3756 memcpy(conn->features[0], ev->features, 8);
3758 if (conn->state != BT_CONFIG)
3761 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3762 lmp_ext_feat_capable(conn)) {
3763 struct hci_cp_read_remote_ext_features cp;
3764 cp.handle = ev->handle;
3766 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3771 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3772 struct hci_cp_remote_name_req cp;
3773 memset(&cp, 0, sizeof(cp));
3774 bacpy(&cp.bdaddr, &conn->dst);
3775 cp.pscan_rep_mode = 0x02;
3776 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3778 mgmt_device_connected(hdev, conn, NULL, 0);
3781 if (!hci_outgoing_auth_needed(hdev, conn)) {
3782 conn->state = BT_CONNECTED;
3783 hci_connect_cfm(conn, ev->status);
3784 hci_conn_drop(conn);
3788 hci_dev_unlock(hdev);
3791 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3793 cancel_delayed_work(&hdev->cmd_timer);
3796 if (!test_bit(HCI_RESET, &hdev->flags)) {
3798 cancel_delayed_work(&hdev->ncmd_timer);
3799 atomic_set(&hdev->cmd_cnt, 1);
3801 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3802 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3809 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3810 struct sk_buff *skb)
3812 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3814 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3819 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3820 hdev->le_pkts = rp->acl_max_pkt;
3821 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3822 hdev->iso_pkts = rp->iso_max_pkt;
3824 hdev->le_cnt = hdev->le_pkts;
3825 hdev->iso_cnt = hdev->iso_pkts;
3827 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3828 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3830 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
3831 return HCI_ERROR_INVALID_PARAMETERS;
3836 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3838 struct hci_conn *conn, *tmp;
3840 lockdep_assert_held(&hdev->lock);
3842 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3843 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3844 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3847 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3848 hci_conn_failed(conn, status);
3852 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3853 struct sk_buff *skb)
3855 struct hci_rp_le_set_cig_params *rp = data;
3856 struct hci_cp_le_set_cig_params *cp;
3857 struct hci_conn *conn;
3858 u8 status = rp->status;
3859 bool pending = false;
3862 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3864 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3865 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3866 rp->cig_id != cp->cig_id)) {
3867 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3868 status = HCI_ERROR_UNSPECIFIED;
3873 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3875 * If the Status return parameter is non-zero, then the state of the CIG
3876 * and its CIS configurations shall not be changed by the command. If
3877 * the CIG did not already exist, it shall not be created.
3880 /* Keep current configuration, fail only the unbound CIS */
3881 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3885 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3887 * If the Status return parameter is zero, then the Controller shall
3888 * set the Connection_Handle arrayed return parameter to the connection
3889 * handle(s) corresponding to the CIS configurations specified in
3890 * the CIS_IDs command parameter, in the same order.
3892 for (i = 0; i < rp->num_handles; ++i) {
3893 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3895 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3898 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3901 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3904 if (conn->state == BT_CONNECT)
3910 hci_le_create_cis_pending(hdev);
3912 hci_dev_unlock(hdev);
3917 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3918 struct sk_buff *skb)
3920 struct hci_rp_le_setup_iso_path *rp = data;
3921 struct hci_cp_le_setup_iso_path *cp;
3922 struct hci_conn *conn;
3924 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3926 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3932 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3937 hci_connect_cfm(conn, rp->status);
3942 switch (cp->direction) {
3943 /* Input (Host to Controller) */
3945 /* Only confirm connection if output only */
3946 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3947 hci_connect_cfm(conn, rp->status);
3949 /* Output (Controller to Host) */
3951 /* Confirm connection since conn->iso_qos is always configured
3954 hci_connect_cfm(conn, rp->status);
3956 /* Notify device connected in case it is a BIG Sync */
3957 if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
3958 mgmt_device_connected(hdev, conn, NULL, 0);
3964 hci_dev_unlock(hdev);
3968 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3970 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3973 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3974 struct sk_buff *skb)
3976 struct hci_ev_status *rp = data;
3977 struct hci_cp_le_set_per_adv_params *cp;
3979 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3984 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3988 /* TODO: set the conn state */
3992 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3993 struct sk_buff *skb)
3995 struct hci_ev_status *rp = data;
3996 struct hci_cp_le_set_per_adv_enable *cp;
3997 struct adv_info *adv = NULL, *n;
4000 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
4005 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
4011 adv = hci_find_adv_instance(hdev, cp->handle);
4014 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
4017 adv->enabled = true;
4019 /* If just one instance was disabled check if there are
4020 * any other instance enabled before clearing HCI_LE_PER_ADV.
4021 * The current periodic adv instance will be marked as
4022 * disabled once extended advertising is also disabled.
4024 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4026 if (adv->periodic && adv->enabled)
4030 if (per_adv_cnt > 1)
4033 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4037 hci_dev_unlock(hdev);
4042 #define HCI_CC_VL(_op, _func, _min, _max) \
4050 #define HCI_CC(_op, _func, _len) \
4051 HCI_CC_VL(_op, _func, _len, _len)
4053 #define HCI_CC_STATUS(_op, _func) \
4054 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4056 static const struct hci_cc {
4058 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4061 } hci_cc_table[] = {
4062 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4063 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4064 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4065 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4066 hci_cc_remote_name_req_cancel),
4067 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4068 sizeof(struct hci_rp_role_discovery)),
4069 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4070 sizeof(struct hci_rp_read_link_policy)),
4071 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4072 sizeof(struct hci_rp_write_link_policy)),
4073 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4074 sizeof(struct hci_rp_read_def_link_policy)),
4075 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4076 hci_cc_write_def_link_policy),
4077 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4078 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4079 sizeof(struct hci_rp_read_stored_link_key)),
4080 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4081 sizeof(struct hci_rp_delete_stored_link_key)),
4082 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4083 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4084 sizeof(struct hci_rp_read_local_name)),
4085 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4086 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4087 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4088 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4089 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4090 sizeof(struct hci_rp_read_class_of_dev)),
4091 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4092 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4093 sizeof(struct hci_rp_read_voice_setting)),
4094 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4095 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4096 sizeof(struct hci_rp_read_num_supported_iac)),
4097 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4098 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4099 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4100 sizeof(struct hci_rp_read_auth_payload_to)),
4101 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4102 sizeof(struct hci_rp_write_auth_payload_to)),
4103 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4104 sizeof(struct hci_rp_read_local_version)),
4105 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4106 sizeof(struct hci_rp_read_local_commands)),
4107 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4108 sizeof(struct hci_rp_read_local_features)),
4109 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4110 sizeof(struct hci_rp_read_local_ext_features)),
4111 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4112 sizeof(struct hci_rp_read_buffer_size)),
4113 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4114 sizeof(struct hci_rp_read_bd_addr)),
4115 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4116 sizeof(struct hci_rp_read_local_pairing_opts)),
4117 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4118 sizeof(struct hci_rp_read_page_scan_activity)),
4119 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4120 hci_cc_write_page_scan_activity),
4121 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4122 sizeof(struct hci_rp_read_page_scan_type)),
4123 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4124 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4125 sizeof(struct hci_rp_read_data_block_size)),
4126 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4127 sizeof(struct hci_rp_read_flow_control_mode)),
4128 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4129 sizeof(struct hci_rp_read_local_amp_info)),
4130 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4131 sizeof(struct hci_rp_read_clock)),
4132 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4133 sizeof(struct hci_rp_read_enc_key_size)),
4134 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4135 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4136 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4137 hci_cc_read_def_err_data_reporting,
4138 sizeof(struct hci_rp_read_def_err_data_reporting)),
4139 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4140 hci_cc_write_def_err_data_reporting),
4141 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4142 sizeof(struct hci_rp_pin_code_reply)),
4143 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4144 sizeof(struct hci_rp_pin_code_neg_reply)),
4145 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4146 sizeof(struct hci_rp_read_local_oob_data)),
4147 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4148 sizeof(struct hci_rp_read_local_oob_ext_data)),
4149 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4150 sizeof(struct hci_rp_le_read_buffer_size)),
4151 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4152 sizeof(struct hci_rp_le_read_local_features)),
4153 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4154 sizeof(struct hci_rp_le_read_adv_tx_power)),
4155 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4156 sizeof(struct hci_rp_user_confirm_reply)),
4157 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4158 sizeof(struct hci_rp_user_confirm_reply)),
4159 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4160 sizeof(struct hci_rp_user_confirm_reply)),
4161 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4162 sizeof(struct hci_rp_user_confirm_reply)),
4163 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4164 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4165 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4166 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4167 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4168 hci_cc_le_read_accept_list_size,
4169 sizeof(struct hci_rp_le_read_accept_list_size)),
4170 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4171 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4172 hci_cc_le_add_to_accept_list),
4173 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4174 hci_cc_le_del_from_accept_list),
4175 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4176 sizeof(struct hci_rp_le_read_supported_states)),
4177 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4178 sizeof(struct hci_rp_le_read_def_data_len)),
4179 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4180 hci_cc_le_write_def_data_len),
4181 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4182 hci_cc_le_add_to_resolv_list),
4183 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4184 hci_cc_le_del_from_resolv_list),
4185 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4186 hci_cc_le_clear_resolv_list),
4187 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4188 sizeof(struct hci_rp_le_read_resolv_list_size)),
4189 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4190 hci_cc_le_set_addr_resolution_enable),
4191 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4192 sizeof(struct hci_rp_le_read_max_data_len)),
4193 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4194 hci_cc_write_le_host_supported),
4195 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4196 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4197 sizeof(struct hci_rp_read_rssi)),
4198 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4199 sizeof(struct hci_rp_read_tx_power)),
4200 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4201 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4202 hci_cc_le_set_ext_scan_param),
4203 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4204 hci_cc_le_set_ext_scan_enable),
4205 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4206 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4207 hci_cc_le_read_num_adv_sets,
4208 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4209 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4210 sizeof(struct hci_rp_le_set_ext_adv_params)),
4211 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4212 hci_cc_le_set_ext_adv_enable),
4213 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4214 hci_cc_le_set_adv_set_random_addr),
4215 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4216 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4217 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4218 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4219 hci_cc_le_set_per_adv_enable),
4220 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4221 sizeof(struct hci_rp_le_read_transmit_power)),
4222 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4223 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4224 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4225 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4226 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4227 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4228 sizeof(struct hci_rp_le_setup_iso_path)),
4231 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4232 struct sk_buff *skb)
4236 if (skb->len < cc->min_len) {
4237 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4238 cc->op, skb->len, cc->min_len);
4239 return HCI_ERROR_UNSPECIFIED;
4242 /* Just warn if the length is over max_len size it still be possible to
4243 * partially parse the cc so leave to callback to decide if that is
4246 if (skb->len > cc->max_len)
4247 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4248 cc->op, skb->len, cc->max_len);
4250 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4252 return HCI_ERROR_UNSPECIFIED;
4254 return cc->func(hdev, data, skb);
4257 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4258 struct sk_buff *skb, u16 *opcode, u8 *status,
4259 hci_req_complete_t *req_complete,
4260 hci_req_complete_skb_t *req_complete_skb)
4262 struct hci_ev_cmd_complete *ev = data;
4265 *opcode = __le16_to_cpu(ev->opcode);
4267 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4269 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4270 if (hci_cc_table[i].op == *opcode) {
4271 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4276 if (i == ARRAY_SIZE(hci_cc_table)) {
4277 /* Unknown opcode, assume byte 0 contains the status, so
4278 * that e.g. __hci_cmd_sync() properly returns errors
4279 * for vendor specific commands send by HCI drivers.
4280 * If a vendor doesn't actually follow this convention we may
4281 * need to introduce a vendor CC table in order to properly set
4284 *status = skb->data[0];
4287 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4289 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4292 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4294 "unexpected event for opcode 0x%4.4x", *opcode);
4298 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4299 queue_work(hdev->workqueue, &hdev->cmd_work);
4302 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4304 struct hci_cp_le_create_cis *cp;
4305 bool pending = false;
4308 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4313 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4319 /* Remove connection if command failed */
4320 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4321 struct hci_conn *conn;
4324 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4326 conn = hci_conn_hash_lookup_handle(hdev, handle);
4328 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4331 conn->state = BT_CLOSED;
4332 hci_connect_cfm(conn, status);
4338 hci_le_create_cis_pending(hdev);
4340 hci_dev_unlock(hdev);
4343 #define HCI_CS(_op, _func) \
4349 static const struct hci_cs {
4351 void (*func)(struct hci_dev *hdev, __u8 status);
4352 } hci_cs_table[] = {
4353 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4354 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4355 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4356 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4357 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4358 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4359 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4360 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4361 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4362 hci_cs_read_remote_ext_features),
4363 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4364 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4365 hci_cs_enhanced_setup_sync_conn),
4366 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4367 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4368 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4369 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4370 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4371 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4372 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4373 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4374 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4377 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4378 struct sk_buff *skb, u16 *opcode, u8 *status,
4379 hci_req_complete_t *req_complete,
4380 hci_req_complete_skb_t *req_complete_skb)
4382 struct hci_ev_cmd_status *ev = data;
4385 *opcode = __le16_to_cpu(ev->opcode);
4386 *status = ev->status;
4388 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4390 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4391 if (hci_cs_table[i].op == *opcode) {
4392 hci_cs_table[i].func(hdev, ev->status);
4397 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4399 /* Indicate request completion if the command failed. Also, if
4400 * we're not waiting for a special event and we get a success
4401 * command status we should try to flag the request as completed
4402 * (since for this kind of commands there will not be a command
4405 if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
4406 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4408 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4409 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4415 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4416 queue_work(hdev->workqueue, &hdev->cmd_work);
4419 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4420 struct sk_buff *skb)
4422 struct hci_ev_hardware_error *ev = data;
4424 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4426 hdev->hw_error_code = ev->code;
4428 queue_work(hdev->req_workqueue, &hdev->error_reset);
4431 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4432 struct sk_buff *skb)
4434 struct hci_ev_role_change *ev = data;
4435 struct hci_conn *conn;
4437 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4441 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4444 conn->role = ev->role;
4446 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4448 hci_role_switch_cfm(conn, ev->status, ev->role);
4451 hci_dev_unlock(hdev);
4454 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4455 struct sk_buff *skb)
4457 struct hci_ev_num_comp_pkts *ev = data;
4460 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4461 flex_array_size(ev, handles, ev->num)))
4464 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4465 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4469 bt_dev_dbg(hdev, "num %d", ev->num);
4471 for (i = 0; i < ev->num; i++) {
4472 struct hci_comp_pkts_info *info = &ev->handles[i];
4473 struct hci_conn *conn;
4474 __u16 handle, count;
4476 handle = __le16_to_cpu(info->handle);
4477 count = __le16_to_cpu(info->count);
4479 conn = hci_conn_hash_lookup_handle(hdev, handle);
4483 conn->sent -= count;
4485 switch (conn->type) {
4487 hdev->acl_cnt += count;
4488 if (hdev->acl_cnt > hdev->acl_pkts)
4489 hdev->acl_cnt = hdev->acl_pkts;
4493 if (hdev->le_pkts) {
4494 hdev->le_cnt += count;
4495 if (hdev->le_cnt > hdev->le_pkts)
4496 hdev->le_cnt = hdev->le_pkts;
4498 hdev->acl_cnt += count;
4499 if (hdev->acl_cnt > hdev->acl_pkts)
4500 hdev->acl_cnt = hdev->acl_pkts;
4505 hdev->sco_cnt += count;
4506 if (hdev->sco_cnt > hdev->sco_pkts)
4507 hdev->sco_cnt = hdev->sco_pkts;
4511 if (hdev->iso_pkts) {
4512 hdev->iso_cnt += count;
4513 if (hdev->iso_cnt > hdev->iso_pkts)
4514 hdev->iso_cnt = hdev->iso_pkts;
4515 } else if (hdev->le_pkts) {
4516 hdev->le_cnt += count;
4517 if (hdev->le_cnt > hdev->le_pkts)
4518 hdev->le_cnt = hdev->le_pkts;
4520 hdev->acl_cnt += count;
4521 if (hdev->acl_cnt > hdev->acl_pkts)
4522 hdev->acl_cnt = hdev->acl_pkts;
4527 bt_dev_err(hdev, "unknown type %d conn %p",
4533 queue_work(hdev->workqueue, &hdev->tx_work);
4536 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4539 struct hci_chan *chan;
4541 switch (hdev->dev_type) {
4543 return hci_conn_hash_lookup_handle(hdev, handle);
4545 chan = hci_chan_lookup_handle(hdev, handle);
4550 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4557 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4558 struct sk_buff *skb)
4560 struct hci_ev_num_comp_blocks *ev = data;
4563 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4564 flex_array_size(ev, handles, ev->num_hndl)))
4567 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4568 bt_dev_err(hdev, "wrong event for mode %d",
4569 hdev->flow_ctl_mode);
4573 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4576 for (i = 0; i < ev->num_hndl; i++) {
4577 struct hci_comp_blocks_info *info = &ev->handles[i];
4578 struct hci_conn *conn = NULL;
4579 __u16 handle, block_count;
4581 handle = __le16_to_cpu(info->handle);
4582 block_count = __le16_to_cpu(info->blocks);
4584 conn = __hci_conn_lookup_handle(hdev, handle);
4588 conn->sent -= block_count;
4590 switch (conn->type) {
4593 hdev->block_cnt += block_count;
4594 if (hdev->block_cnt > hdev->num_blocks)
4595 hdev->block_cnt = hdev->num_blocks;
4599 bt_dev_err(hdev, "unknown type %d conn %p",
4605 queue_work(hdev->workqueue, &hdev->tx_work);
4608 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4609 struct sk_buff *skb)
4611 struct hci_ev_mode_change *ev = data;
4612 struct hci_conn *conn;
4614 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4618 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4620 conn->mode = ev->mode;
4622 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4624 if (conn->mode == HCI_CM_ACTIVE)
4625 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4627 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4630 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4631 hci_sco_setup(conn, ev->status);
4634 hci_dev_unlock(hdev);
4637 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4638 struct sk_buff *skb)
4640 struct hci_ev_pin_code_req *ev = data;
4641 struct hci_conn *conn;
4643 bt_dev_dbg(hdev, "");
4647 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4651 if (conn->state == BT_CONNECTED) {
4652 hci_conn_hold(conn);
4653 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4654 hci_conn_drop(conn);
4657 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4658 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4659 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4660 sizeof(ev->bdaddr), &ev->bdaddr);
4661 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4664 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4669 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4673 hci_dev_unlock(hdev);
4676 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4678 if (key_type == HCI_LK_CHANGED_COMBINATION)
4681 conn->pin_length = pin_len;
4682 conn->key_type = key_type;
4685 case HCI_LK_LOCAL_UNIT:
4686 case HCI_LK_REMOTE_UNIT:
4687 case HCI_LK_DEBUG_COMBINATION:
4689 case HCI_LK_COMBINATION:
4691 conn->pending_sec_level = BT_SECURITY_HIGH;
4693 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4695 case HCI_LK_UNAUTH_COMBINATION_P192:
4696 case HCI_LK_UNAUTH_COMBINATION_P256:
4697 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4699 case HCI_LK_AUTH_COMBINATION_P192:
4700 conn->pending_sec_level = BT_SECURITY_HIGH;
4702 case HCI_LK_AUTH_COMBINATION_P256:
4703 conn->pending_sec_level = BT_SECURITY_FIPS;
4708 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4709 struct sk_buff *skb)
4711 struct hci_ev_link_key_req *ev = data;
4712 struct hci_cp_link_key_reply cp;
4713 struct hci_conn *conn;
4714 struct link_key *key;
4716 bt_dev_dbg(hdev, "");
4718 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4723 key = hci_find_link_key(hdev, &ev->bdaddr);
4725 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4729 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4731 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4733 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4735 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4736 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4737 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4738 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4742 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4743 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4744 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4745 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4749 conn_set_key(conn, key->type, key->pin_len);
4752 bacpy(&cp.bdaddr, &ev->bdaddr);
4753 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4755 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4757 hci_dev_unlock(hdev);
4762 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4763 hci_dev_unlock(hdev);
4766 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4767 struct sk_buff *skb)
4769 struct hci_ev_link_key_notify *ev = data;
4770 struct hci_conn *conn;
4771 struct link_key *key;
4775 bt_dev_dbg(hdev, "");
4779 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4783 /* Ignore NULL link key against CVE-2020-26555 */
4784 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4785 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4787 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4788 hci_conn_drop(conn);
4792 hci_conn_hold(conn);
4793 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4794 hci_conn_drop(conn);
4796 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4797 conn_set_key(conn, ev->key_type, conn->pin_length);
4799 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4802 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4803 ev->key_type, pin_len, &persistent);
4807 /* Update connection information since adding the key will have
4808 * fixed up the type in the case of changed combination keys.
4810 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4811 conn_set_key(conn, key->type, key->pin_len);
4813 mgmt_new_link_key(hdev, key, persistent);
4815 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4816 * is set. If it's not set simply remove the key from the kernel
4817 * list (we've still notified user space about it but with
4818 * store_hint being 0).
4820 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4821 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4822 list_del_rcu(&key->list);
4823 kfree_rcu(key, rcu);
4828 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4830 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4833 hci_dev_unlock(hdev);
4836 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4837 struct sk_buff *skb)
4839 struct hci_ev_clock_offset *ev = data;
4840 struct hci_conn *conn;
4842 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4846 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4847 if (conn && !ev->status) {
4848 struct inquiry_entry *ie;
4850 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4852 ie->data.clock_offset = ev->clock_offset;
4853 ie->timestamp = jiffies;
4857 hci_dev_unlock(hdev);
4860 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4861 struct sk_buff *skb)
4863 struct hci_ev_pkt_type_change *ev = data;
4864 struct hci_conn *conn;
4866 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4870 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4871 if (conn && !ev->status)
4872 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4874 hci_dev_unlock(hdev);
4877 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4878 struct sk_buff *skb)
4880 struct hci_ev_pscan_rep_mode *ev = data;
4881 struct inquiry_entry *ie;
4883 bt_dev_dbg(hdev, "");
4887 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4889 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4890 ie->timestamp = jiffies;
4893 hci_dev_unlock(hdev);
4896 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4897 struct sk_buff *skb)
4899 struct hci_ev_inquiry_result_rssi *ev = edata;
4900 struct inquiry_data data;
4903 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4908 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4913 if (skb->len == array_size(ev->num,
4914 sizeof(struct inquiry_info_rssi_pscan))) {
4915 struct inquiry_info_rssi_pscan *info;
4917 for (i = 0; i < ev->num; i++) {
4920 info = hci_ev_skb_pull(hdev, skb,
4921 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4924 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4925 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4929 bacpy(&data.bdaddr, &info->bdaddr);
4930 data.pscan_rep_mode = info->pscan_rep_mode;
4931 data.pscan_period_mode = info->pscan_period_mode;
4932 data.pscan_mode = info->pscan_mode;
4933 memcpy(data.dev_class, info->dev_class, 3);
4934 data.clock_offset = info->clock_offset;
4935 data.rssi = info->rssi;
4936 data.ssp_mode = 0x00;
4938 flags = hci_inquiry_cache_update(hdev, &data, false);
4940 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4941 info->dev_class, info->rssi,
4942 flags, NULL, 0, NULL, 0, 0);
4944 } else if (skb->len == array_size(ev->num,
4945 sizeof(struct inquiry_info_rssi))) {
4946 struct inquiry_info_rssi *info;
4948 for (i = 0; i < ev->num; i++) {
4951 info = hci_ev_skb_pull(hdev, skb,
4952 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4955 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4956 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4960 bacpy(&data.bdaddr, &info->bdaddr);
4961 data.pscan_rep_mode = info->pscan_rep_mode;
4962 data.pscan_period_mode = info->pscan_period_mode;
4963 data.pscan_mode = 0x00;
4964 memcpy(data.dev_class, info->dev_class, 3);
4965 data.clock_offset = info->clock_offset;
4966 data.rssi = info->rssi;
4967 data.ssp_mode = 0x00;
4969 flags = hci_inquiry_cache_update(hdev, &data, false);
4971 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4972 info->dev_class, info->rssi,
4973 flags, NULL, 0, NULL, 0, 0);
4976 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4977 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4980 hci_dev_unlock(hdev);
4983 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4984 struct sk_buff *skb)
4986 struct hci_ev_remote_ext_features *ev = data;
4987 struct hci_conn *conn;
4989 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4993 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4997 if (ev->page < HCI_MAX_PAGES)
4998 memcpy(conn->features[ev->page], ev->features, 8);
5000 if (!ev->status && ev->page == 0x01) {
5001 struct inquiry_entry *ie;
5003 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
5005 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5007 if (ev->features[0] & LMP_HOST_SSP) {
5008 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5010 /* It is mandatory by the Bluetooth specification that
5011 * Extended Inquiry Results are only used when Secure
5012 * Simple Pairing is enabled, but some devices violate
5015 * To make these devices work, the internal SSP
5016 * enabled flag needs to be cleared if the remote host
5017 * features do not indicate SSP support */
5018 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5021 if (ev->features[0] & LMP_HOST_SC)
5022 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5025 if (conn->state != BT_CONFIG)
5028 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5029 struct hci_cp_remote_name_req cp;
5030 memset(&cp, 0, sizeof(cp));
5031 bacpy(&cp.bdaddr, &conn->dst);
5032 cp.pscan_rep_mode = 0x02;
5033 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5035 mgmt_device_connected(hdev, conn, NULL, 0);
5038 if (!hci_outgoing_auth_needed(hdev, conn)) {
5039 conn->state = BT_CONNECTED;
5040 hci_connect_cfm(conn, ev->status);
5041 hci_conn_drop(conn);
5045 hci_dev_unlock(hdev);
5048 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5049 struct sk_buff *skb)
5051 struct hci_ev_sync_conn_complete *ev = data;
5052 struct hci_conn *conn;
5053 u8 status = ev->status;
5055 switch (ev->link_type) {
5060 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5061 * for HCI_Synchronous_Connection_Complete is limited to
5062 * either SCO or eSCO
5064 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5068 bt_dev_dbg(hdev, "status 0x%2.2x", status);
5072 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5074 if (ev->link_type == ESCO_LINK)
5077 /* When the link type in the event indicates SCO connection
5078 * and lookup of the connection object fails, then check
5079 * if an eSCO connection object exists.
5081 * The core limits the synchronous connections to either
5082 * SCO or eSCO. The eSCO connection is preferred and tried
5083 * to be setup first and until successfully established,
5084 * the link type will be hinted as eSCO.
5086 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5091 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5092 * Processing it more than once per connection can corrupt kernel memory.
5094 * As the connection handle is set here for the first time, it indicates
5095 * whether the connection is already set up.
5097 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5098 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5104 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5106 conn->state = BT_CLOSED;
5110 conn->state = BT_CONNECTED;
5111 conn->type = ev->link_type;
5113 hci_debugfs_create_conn(conn);
5114 hci_conn_add_sysfs(conn);
5117 case 0x10: /* Connection Accept Timeout */
5118 case 0x0d: /* Connection Rejected due to Limited Resources */
5119 case 0x11: /* Unsupported Feature or Parameter Value */
5120 case 0x1c: /* SCO interval rejected */
5121 case 0x1a: /* Unsupported Remote Feature */
5122 case 0x1e: /* Invalid LMP Parameters */
5123 case 0x1f: /* Unspecified error */
5124 case 0x20: /* Unsupported LMP Parameter value */
5126 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5127 (hdev->esco_type & EDR_ESCO_MASK);
5128 if (hci_setup_sync(conn, conn->parent->handle))
5134 conn->state = BT_CLOSED;
5138 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5139 /* Notify only in case of SCO over HCI transport data path which
5140 * is zero and non-zero value shall be non-HCI transport data path
5142 if (conn->codec.data_path == 0 && hdev->notify) {
5143 switch (ev->air_mode) {
5145 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5148 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5153 hci_connect_cfm(conn, status);
5158 hci_dev_unlock(hdev);
5161 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5165 while (parsed < eir_len) {
5166 u8 field_len = eir[0];
5171 parsed += field_len + 1;
5172 eir += field_len + 1;
5178 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5179 struct sk_buff *skb)
5181 struct hci_ev_ext_inquiry_result *ev = edata;
5182 struct inquiry_data data;
5186 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5187 flex_array_size(ev, info, ev->num)))
5190 bt_dev_dbg(hdev, "num %d", ev->num);
5195 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5200 for (i = 0; i < ev->num; i++) {
5201 struct extended_inquiry_info *info = &ev->info[i];
5205 bacpy(&data.bdaddr, &info->bdaddr);
5206 data.pscan_rep_mode = info->pscan_rep_mode;
5207 data.pscan_period_mode = info->pscan_period_mode;
5208 data.pscan_mode = 0x00;
5209 memcpy(data.dev_class, info->dev_class, 3);
5210 data.clock_offset = info->clock_offset;
5211 data.rssi = info->rssi;
5212 data.ssp_mode = 0x01;
5214 if (hci_dev_test_flag(hdev, HCI_MGMT))
5215 name_known = eir_get_data(info->data,
5217 EIR_NAME_COMPLETE, NULL);
5221 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5223 eir_len = eir_get_length(info->data, sizeof(info->data));
5225 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5226 info->dev_class, info->rssi,
5227 flags, info->data, eir_len, NULL, 0, 0);
5230 hci_dev_unlock(hdev);
5233 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5234 struct sk_buff *skb)
5236 struct hci_ev_key_refresh_complete *ev = data;
5237 struct hci_conn *conn;
5239 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5240 __le16_to_cpu(ev->handle));
5244 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5248 /* For BR/EDR the necessary steps are taken through the
5249 * auth_complete event.
5251 if (conn->type != LE_LINK)
5255 conn->sec_level = conn->pending_sec_level;
5257 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5259 if (ev->status && conn->state == BT_CONNECTED) {
5260 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5261 hci_conn_drop(conn);
5265 if (conn->state == BT_CONFIG) {
5267 conn->state = BT_CONNECTED;
5269 hci_connect_cfm(conn, ev->status);
5270 hci_conn_drop(conn);
5272 hci_auth_cfm(conn, ev->status);
5274 hci_conn_hold(conn);
5275 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5276 hci_conn_drop(conn);
5280 hci_dev_unlock(hdev);
5283 static u8 hci_get_auth_req(struct hci_conn *conn)
5285 /* If remote requests no-bonding follow that lead */
5286 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5287 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5288 return conn->remote_auth | (conn->auth_type & 0x01);
5290 /* If both remote and local have enough IO capabilities, require
5293 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5294 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5295 return conn->remote_auth | 0x01;
5297 /* No MITM protection possible so ignore remote requirement */
5298 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5301 static u8 bredr_oob_data_present(struct hci_conn *conn)
5303 struct hci_dev *hdev = conn->hdev;
5304 struct oob_data *data;
5306 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5310 if (bredr_sc_enabled(hdev)) {
5311 /* When Secure Connections is enabled, then just
5312 * return the present value stored with the OOB
5313 * data. The stored value contains the right present
5314 * information. However it can only be trusted when
5315 * not in Secure Connection Only mode.
5317 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5318 return data->present;
5320 /* When Secure Connections Only mode is enabled, then
5321 * the P-256 values are required. If they are not
5322 * available, then do not declare that OOB data is
5325 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5326 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5332 /* When Secure Connections is not enabled or actually
5333 * not supported by the hardware, then check that if
5334 * P-192 data values are present.
5336 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5337 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5343 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5344 struct sk_buff *skb)
5346 struct hci_ev_io_capa_request *ev = data;
5347 struct hci_conn *conn;
5349 bt_dev_dbg(hdev, "");
5353 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5354 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5357 /* Assume remote supports SSP since it has triggered this event */
5358 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5360 hci_conn_hold(conn);
5362 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5365 /* Allow pairing if we're pairable, the initiators of the
5366 * pairing or if the remote is not requesting bonding.
5368 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5369 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5370 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5371 struct hci_cp_io_capability_reply cp;
5373 bacpy(&cp.bdaddr, &ev->bdaddr);
5374 /* Change the IO capability from KeyboardDisplay
5375 * to DisplayYesNo as it is not supported by BT spec. */
5376 cp.capability = (conn->io_capability == 0x04) ?
5377 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5379 /* If we are initiators, there is no remote information yet */
5380 if (conn->remote_auth == 0xff) {
5381 /* Request MITM protection if our IO caps allow it
5382 * except for the no-bonding case.
5384 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5385 conn->auth_type != HCI_AT_NO_BONDING)
5386 conn->auth_type |= 0x01;
5388 conn->auth_type = hci_get_auth_req(conn);
5391 /* If we're not bondable, force one of the non-bondable
5392 * authentication requirement values.
5394 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5395 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5397 cp.authentication = conn->auth_type;
5398 cp.oob_data = bredr_oob_data_present(conn);
5400 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5403 struct hci_cp_io_capability_neg_reply cp;
5405 bacpy(&cp.bdaddr, &ev->bdaddr);
5406 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5408 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5413 hci_dev_unlock(hdev);
5416 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5417 struct sk_buff *skb)
5419 struct hci_ev_io_capa_reply *ev = data;
5420 struct hci_conn *conn;
5422 bt_dev_dbg(hdev, "");
5426 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5430 conn->remote_cap = ev->capability;
5431 conn->remote_auth = ev->authentication;
5434 hci_dev_unlock(hdev);
5437 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5438 struct sk_buff *skb)
5440 struct hci_ev_user_confirm_req *ev = data;
5441 int loc_mitm, rem_mitm, confirm_hint = 0;
5442 struct hci_conn *conn;
5444 bt_dev_dbg(hdev, "");
5448 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5451 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5455 loc_mitm = (conn->auth_type & 0x01);
5456 rem_mitm = (conn->remote_auth & 0x01);
5458 /* If we require MITM but the remote device can't provide that
5459 * (it has NoInputNoOutput) then reject the confirmation
5460 * request. We check the security level here since it doesn't
5461 * necessarily match conn->auth_type.
5463 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5464 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5465 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5466 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5467 sizeof(ev->bdaddr), &ev->bdaddr);
5471 /* If no side requires MITM protection; auto-accept */
5472 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5473 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5475 /* If we're not the initiators request authorization to
5476 * proceed from user space (mgmt_user_confirm with
5477 * confirm_hint set to 1). The exception is if neither
5478 * side had MITM or if the local IO capability is
5479 * NoInputNoOutput, in which case we do auto-accept
5481 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5482 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5483 (loc_mitm || rem_mitm)) {
5484 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5489 /* If there already exists link key in local host, leave the
5490 * decision to user space since the remote device could be
5491 * legitimate or malicious.
5493 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5494 bt_dev_dbg(hdev, "Local host already has link key");
5499 BT_DBG("Auto-accept of user confirmation with %ums delay",
5500 hdev->auto_accept_delay);
5502 if (hdev->auto_accept_delay > 0) {
5503 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5504 queue_delayed_work(conn->hdev->workqueue,
5505 &conn->auto_accept_work, delay);
5509 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5510 sizeof(ev->bdaddr), &ev->bdaddr);
5515 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5516 le32_to_cpu(ev->passkey), confirm_hint);
5519 hci_dev_unlock(hdev);
5522 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5523 struct sk_buff *skb)
5525 struct hci_ev_user_passkey_req *ev = data;
5527 bt_dev_dbg(hdev, "");
5529 if (hci_dev_test_flag(hdev, HCI_MGMT))
5530 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5533 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5534 struct sk_buff *skb)
5536 struct hci_ev_user_passkey_notify *ev = data;
5537 struct hci_conn *conn;
5539 bt_dev_dbg(hdev, "");
5541 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5545 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5546 conn->passkey_entered = 0;
5548 if (hci_dev_test_flag(hdev, HCI_MGMT))
5549 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5550 conn->dst_type, conn->passkey_notify,
5551 conn->passkey_entered);
5554 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5555 struct sk_buff *skb)
5557 struct hci_ev_keypress_notify *ev = data;
5558 struct hci_conn *conn;
5560 bt_dev_dbg(hdev, "");
5562 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5567 case HCI_KEYPRESS_STARTED:
5568 conn->passkey_entered = 0;
5571 case HCI_KEYPRESS_ENTERED:
5572 conn->passkey_entered++;
5575 case HCI_KEYPRESS_ERASED:
5576 conn->passkey_entered--;
5579 case HCI_KEYPRESS_CLEARED:
5580 conn->passkey_entered = 0;
5583 case HCI_KEYPRESS_COMPLETED:
5587 if (hci_dev_test_flag(hdev, HCI_MGMT))
5588 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5589 conn->dst_type, conn->passkey_notify,
5590 conn->passkey_entered);
5593 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5594 struct sk_buff *skb)
5596 struct hci_ev_simple_pair_complete *ev = data;
5597 struct hci_conn *conn;
5599 bt_dev_dbg(hdev, "");
5603 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5604 if (!conn || !hci_conn_ssp_enabled(conn))
5607 /* Reset the authentication requirement to unknown */
5608 conn->remote_auth = 0xff;
5610 /* To avoid duplicate auth_failed events to user space we check
5611 * the HCI_CONN_AUTH_PEND flag which will be set if we
5612 * initiated the authentication. A traditional auth_complete
5613 * event gets always produced as initiator and is also mapped to
5614 * the mgmt_auth_failed event */
5615 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5616 mgmt_auth_failed(conn, ev->status);
5618 hci_conn_drop(conn);
5621 hci_dev_unlock(hdev);
5624 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5625 struct sk_buff *skb)
5627 struct hci_ev_remote_host_features *ev = data;
5628 struct inquiry_entry *ie;
5629 struct hci_conn *conn;
5631 bt_dev_dbg(hdev, "");
5635 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5637 memcpy(conn->features[1], ev->features, 8);
5639 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5641 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5643 hci_dev_unlock(hdev);
5646 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5647 struct sk_buff *skb)
5649 struct hci_ev_remote_oob_data_request *ev = edata;
5650 struct oob_data *data;
5652 bt_dev_dbg(hdev, "");
5656 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5659 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5661 struct hci_cp_remote_oob_data_neg_reply cp;
5663 bacpy(&cp.bdaddr, &ev->bdaddr);
5664 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5669 if (bredr_sc_enabled(hdev)) {
5670 struct hci_cp_remote_oob_ext_data_reply cp;
5672 bacpy(&cp.bdaddr, &ev->bdaddr);
5673 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5674 memset(cp.hash192, 0, sizeof(cp.hash192));
5675 memset(cp.rand192, 0, sizeof(cp.rand192));
5677 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5678 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5680 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5681 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5683 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5686 struct hci_cp_remote_oob_data_reply cp;
5688 bacpy(&cp.bdaddr, &ev->bdaddr);
5689 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5690 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5692 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5697 hci_dev_unlock(hdev);
5700 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5701 u8 bdaddr_type, bdaddr_t *local_rpa)
5704 conn->dst_type = bdaddr_type;
5705 conn->resp_addr_type = bdaddr_type;
5706 bacpy(&conn->resp_addr, bdaddr);
5708 /* Check if the controller has set a Local RPA then it must be
5709 * used instead or hdev->rpa.
5711 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5712 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5713 bacpy(&conn->init_addr, local_rpa);
5714 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5715 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5716 bacpy(&conn->init_addr, &conn->hdev->rpa);
5718 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5719 &conn->init_addr_type);
5722 conn->resp_addr_type = conn->hdev->adv_addr_type;
5723 /* Check if the controller has set a Local RPA then it must be
5724 * used instead or hdev->rpa.
5726 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5727 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5728 bacpy(&conn->resp_addr, local_rpa);
5729 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5730 /* In case of ext adv, resp_addr will be updated in
5731 * Adv Terminated event.
5733 if (!ext_adv_capable(conn->hdev))
5734 bacpy(&conn->resp_addr,
5735 &conn->hdev->random_addr);
5737 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5740 conn->init_addr_type = bdaddr_type;
5741 bacpy(&conn->init_addr, bdaddr);
5743 /* For incoming connections, set the default minimum
5744 * and maximum connection interval. They will be used
5745 * to check if the parameters are in range and if not
5746 * trigger the connection update procedure.
5748 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5749 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5753 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5754 bdaddr_t *bdaddr, u8 bdaddr_type,
5755 bdaddr_t *local_rpa, u8 role, u16 handle,
5756 u16 interval, u16 latency,
5757 u16 supervision_timeout)
5759 struct hci_conn_params *params;
5760 struct hci_conn *conn;
5761 struct smp_irk *irk;
5766 /* All controllers implicitly stop advertising in the event of a
5767 * connection, so ensure that the state bit is cleared.
5769 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5771 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5773 /* In case of error status and there is no connection pending
5774 * just unlock as there is nothing to cleanup.
5779 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5781 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
5785 conn->dst_type = bdaddr_type;
5787 /* If we didn't have a hci_conn object previously
5788 * but we're in central role this must be something
5789 * initiated using an accept list. Since accept list based
5790 * connections are not "first class citizens" we don't
5791 * have full tracking of them. Therefore, we go ahead
5792 * with a "best effort" approach of determining the
5793 * initiator address based on the HCI_PRIVACY flag.
5796 conn->resp_addr_type = bdaddr_type;
5797 bacpy(&conn->resp_addr, bdaddr);
5798 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5799 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5800 bacpy(&conn->init_addr, &hdev->rpa);
5802 hci_copy_identity_address(hdev,
5804 &conn->init_addr_type);
5808 cancel_delayed_work(&conn->le_conn_timeout);
5811 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5812 * Processing it more than once per connection can corrupt kernel memory.
5814 * As the connection handle is set here for the first time, it indicates
5815 * whether the connection is already set up.
5817 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5818 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5822 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5824 /* Lookup the identity address from the stored connection
5825 * address and address type.
5827 * When establishing connections to an identity address, the
5828 * connection procedure will store the resolvable random
5829 * address first. Now if it can be converted back into the
5830 * identity address, start using the identity address from
5833 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5835 bacpy(&conn->dst, &irk->bdaddr);
5836 conn->dst_type = irk->addr_type;
5839 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5841 /* All connection failure handling is taken care of by the
5842 * hci_conn_failed function which is triggered by the HCI
5843 * request completion callbacks used for connecting.
5845 if (status || hci_conn_set_handle(conn, handle))
5848 /* Drop the connection if it has been aborted */
5849 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5850 hci_conn_drop(conn);
5854 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5855 addr_type = BDADDR_LE_PUBLIC;
5857 addr_type = BDADDR_LE_RANDOM;
5859 /* Drop the connection if the device is blocked */
5860 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5861 hci_conn_drop(conn);
5865 mgmt_device_connected(hdev, conn, NULL, 0);
5867 conn->sec_level = BT_SECURITY_LOW;
5868 conn->state = BT_CONFIG;
5870 /* Store current advertising instance as connection advertising instance
5871 * when sotfware rotation is in use so it can be re-enabled when
5874 if (!ext_adv_capable(hdev))
5875 conn->adv_instance = hdev->cur_adv_instance;
5877 conn->le_conn_interval = interval;
5878 conn->le_conn_latency = latency;
5879 conn->le_supv_timeout = supervision_timeout;
5881 hci_debugfs_create_conn(conn);
5882 hci_conn_add_sysfs(conn);
5884 /* The remote features procedure is defined for central
5885 * role only. So only in case of an initiated connection
5886 * request the remote features.
5888 * If the local controller supports peripheral-initiated features
5889 * exchange, then requesting the remote features in peripheral
5890 * role is possible. Otherwise just transition into the
5891 * connected state without requesting the remote features.
5894 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5895 struct hci_cp_le_read_remote_features cp;
5897 cp.handle = __cpu_to_le16(conn->handle);
5899 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5902 hci_conn_hold(conn);
5904 conn->state = BT_CONNECTED;
5905 hci_connect_cfm(conn, status);
5908 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5911 hci_pend_le_list_del_init(params);
5913 hci_conn_drop(params->conn);
5914 hci_conn_put(params->conn);
5915 params->conn = NULL;
5920 hci_update_passive_scan(hdev);
5921 hci_dev_unlock(hdev);
5924 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5925 struct sk_buff *skb)
5927 struct hci_ev_le_conn_complete *ev = data;
5929 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5931 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5932 NULL, ev->role, le16_to_cpu(ev->handle),
5933 le16_to_cpu(ev->interval),
5934 le16_to_cpu(ev->latency),
5935 le16_to_cpu(ev->supervision_timeout));
5938 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5939 struct sk_buff *skb)
5941 struct hci_ev_le_enh_conn_complete *ev = data;
5943 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5945 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5946 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5947 le16_to_cpu(ev->interval),
5948 le16_to_cpu(ev->latency),
5949 le16_to_cpu(ev->supervision_timeout));
5952 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5953 struct sk_buff *skb)
5955 struct hci_evt_le_ext_adv_set_term *ev = data;
5956 struct hci_conn *conn;
5957 struct adv_info *adv, *n;
5959 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5961 /* The Bluetooth Core 5.3 specification clearly states that this event
5962 * shall not be sent when the Host disables the advertising set. So in
5963 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
5965 * When the Host disables an advertising set, all cleanup is done via
5966 * its command callback and not needed to be duplicated here.
5968 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
5969 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
5975 adv = hci_find_adv_instance(hdev, ev->handle);
5981 /* Remove advertising as it has been terminated */
5982 hci_remove_adv_instance(hdev, ev->handle);
5983 mgmt_advertising_removed(NULL, hdev, ev->handle);
5985 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
5990 /* We are no longer advertising, clear HCI_LE_ADV */
5991 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5996 adv->enabled = false;
5998 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6000 /* Store handle in the connection so the correct advertising
6001 * instance can be re-enabled when disconnected.
6003 conn->adv_instance = ev->handle;
6005 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6006 bacmp(&conn->resp_addr, BDADDR_ANY))
6010 bacpy(&conn->resp_addr, &hdev->random_addr);
6015 bacpy(&conn->resp_addr, &adv->random_addr);
6019 hci_dev_unlock(hdev);
6022 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6023 struct sk_buff *skb)
6025 struct hci_ev_le_conn_update_complete *ev = data;
6026 struct hci_conn *conn;
6028 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6035 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6037 conn->le_conn_interval = le16_to_cpu(ev->interval);
6038 conn->le_conn_latency = le16_to_cpu(ev->latency);
6039 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6042 hci_dev_unlock(hdev);
6045 /* This function requires the caller holds hdev->lock */
6046 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6048 u8 addr_type, bool addr_resolved,
6049 u8 adv_type, u8 phy, u8 sec_phy)
6051 struct hci_conn *conn;
6052 struct hci_conn_params *params;
6054 /* If the event is not connectable don't proceed further */
6055 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6058 /* Ignore if the device is blocked or hdev is suspended */
6059 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6063 /* Most controller will fail if we try to create new connections
6064 * while we have an existing one in peripheral role.
6066 if (hdev->conn_hash.le_num_peripheral > 0 &&
6067 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6068 !(hdev->le_states[3] & 0x10)))
6071 /* If we're not connectable only connect devices that we have in
6072 * our pend_le_conns list.
6074 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6079 if (!params->explicit_connect) {
6080 switch (params->auto_connect) {
6081 case HCI_AUTO_CONN_DIRECT:
6082 /* Only devices advertising with ADV_DIRECT_IND are
6083 * triggering a connection attempt. This is allowing
6084 * incoming connections from peripheral devices.
6086 if (adv_type != LE_ADV_DIRECT_IND)
6089 case HCI_AUTO_CONN_ALWAYS:
6090 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6091 * are triggering a connection attempt. This means
6092 * that incoming connections from peripheral device are
6093 * accepted and also outgoing connections to peripheral
6094 * devices are established when found.
6102 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6103 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6104 HCI_ROLE_MASTER, phy, sec_phy);
6105 if (!IS_ERR(conn)) {
6106 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6107 * by higher layer that tried to connect, if no then
6108 * store the pointer since we don't really have any
6109 * other owner of the object besides the params that
6110 * triggered it. This way we can abort the connection if
6111 * the parameters get removed and keep the reference
6112 * count consistent once the connection is established.
6115 if (!params->explicit_connect)
6116 params->conn = hci_conn_get(conn);
6121 switch (PTR_ERR(conn)) {
6123 /* If hci_connect() returns -EBUSY it means there is already
6124 * an LE connection attempt going on. Since controllers don't
6125 * support more than one connection attempt at the time, we
6126 * don't consider this an error case.
6130 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6137 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6138 u8 bdaddr_type, bdaddr_t *direct_addr,
6139 u8 direct_addr_type, u8 phy, u8 sec_phy, s8 rssi,
6140 u8 *data, u8 len, bool ext_adv, bool ctl_time,
6143 struct discovery_state *d = &hdev->discovery;
6144 struct smp_irk *irk;
6145 struct hci_conn *conn;
6146 bool match, bdaddr_resolved;
6152 case LE_ADV_DIRECT_IND:
6153 case LE_ADV_SCAN_IND:
6154 case LE_ADV_NONCONN_IND:
6155 case LE_ADV_SCAN_RSP:
6158 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6159 "type: 0x%02x", type);
6163 if (len > max_adv_len(hdev)) {
6164 bt_dev_err_ratelimited(hdev,
6165 "adv larger than maximum supported");
6169 /* Find the end of the data in case the report contains padded zero
6170 * bytes at the end causing an invalid length value.
6172 * When data is NULL, len is 0 so there is no need for extra ptr
6173 * check as 'ptr < data + 0' is already false in such case.
6175 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6176 if (ptr + 1 + *ptr > data + len)
6180 /* Adjust for actual length. This handles the case when remote
6181 * device is advertising with incorrect data length.
6185 /* If the direct address is present, then this report is from
6186 * a LE Direct Advertising Report event. In that case it is
6187 * important to see if the address is matching the local
6188 * controller address.
6190 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6191 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6194 /* Only resolvable random addresses are valid for these
6195 * kind of reports and others can be ignored.
6197 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6200 /* If the controller is not using resolvable random
6201 * addresses, then this report can be ignored.
6203 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6206 /* If the local IRK of the controller does not match
6207 * with the resolvable random address provided, then
6208 * this report can be ignored.
6210 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6214 /* Check if we need to convert to identity address */
6215 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6217 bdaddr = &irk->bdaddr;
6218 bdaddr_type = irk->addr_type;
6221 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6223 /* Check if we have been requested to connect to this device.
6225 * direct_addr is set only for directed advertising reports (it is NULL
6226 * for advertising reports) and is already verified to be RPA above.
6228 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6229 type, phy, sec_phy);
6230 if (!ext_adv && conn && type == LE_ADV_IND &&
6231 len <= max_adv_len(hdev)) {
6232 /* Store report for later inclusion by
6233 * mgmt_device_connected
6235 memcpy(conn->le_adv_data, data, len);
6236 conn->le_adv_data_len = len;
6239 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6240 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6244 /* All scan results should be sent up for Mesh systems */
6245 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6246 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6247 rssi, flags, data, len, NULL, 0, instant);
6251 /* Passive scanning shouldn't trigger any device found events,
6252 * except for devices marked as CONN_REPORT for which we do send
6253 * device found events, or advertisement monitoring requested.
6255 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6256 if (type == LE_ADV_DIRECT_IND)
6259 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6260 bdaddr, bdaddr_type) &&
6261 idr_is_empty(&hdev->adv_monitors_idr))
6264 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6265 rssi, flags, data, len, NULL, 0, 0);
6269 /* When receiving a scan response, then there is no way to
6270 * know if the remote device is connectable or not. However
6271 * since scan responses are merged with a previously seen
6272 * advertising report, the flags field from that report
6275 * In the unlikely case that a controller just sends a scan
6276 * response event that doesn't match the pending report, then
6277 * it is marked as a standalone SCAN_RSP.
6279 if (type == LE_ADV_SCAN_RSP)
6280 flags = MGMT_DEV_FOUND_SCAN_RSP;
6282 /* If there's nothing pending either store the data from this
6283 * event or send an immediate device found event if the data
6284 * should not be stored for later.
6286 if (!ext_adv && !has_pending_adv_report(hdev)) {
6287 /* If the report will trigger a SCAN_REQ store it for
6290 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6291 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6292 rssi, flags, data, len);
6296 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6297 rssi, flags, data, len, NULL, 0, 0);
6301 /* Check if the pending report is for the same device as the new one */
6302 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6303 bdaddr_type == d->last_adv_addr_type);
6305 /* If the pending data doesn't match this report or this isn't a
6306 * scan response (e.g. we got a duplicate ADV_IND) then force
6307 * sending of the pending data.
6309 if (type != LE_ADV_SCAN_RSP || !match) {
6310 /* Send out whatever is in the cache, but skip duplicates */
6312 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6313 d->last_adv_addr_type, NULL,
6314 d->last_adv_rssi, d->last_adv_flags,
6316 d->last_adv_data_len, NULL, 0, 0);
6318 /* If the new report will trigger a SCAN_REQ store it for
6321 if (!ext_adv && (type == LE_ADV_IND ||
6322 type == LE_ADV_SCAN_IND)) {
6323 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6324 rssi, flags, data, len);
6328 /* The advertising reports cannot be merged, so clear
6329 * the pending report and send out a device found event.
6331 clear_pending_adv_report(hdev);
6332 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6333 rssi, flags, data, len, NULL, 0, 0);
6337 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6338 * the new event is a SCAN_RSP. We can therefore proceed with
6339 * sending a merged device found event.
6341 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6342 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6343 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6344 clear_pending_adv_report(hdev);
6347 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6348 struct sk_buff *skb)
6350 struct hci_ev_le_advertising_report *ev = data;
6351 u64 instant = jiffies;
6359 struct hci_ev_le_advertising_info *info;
6362 info = hci_le_ev_skb_pull(hdev, skb,
6363 HCI_EV_LE_ADVERTISING_REPORT,
6368 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6372 if (info->length <= max_adv_len(hdev)) {
6373 rssi = info->data[info->length];
6374 process_adv_report(hdev, info->type, &info->bdaddr,
6375 info->bdaddr_type, NULL, 0,
6376 HCI_ADV_PHY_1M, 0, rssi,
6377 info->data, info->length, false,
6380 bt_dev_err(hdev, "Dropping invalid advertising data");
6384 hci_dev_unlock(hdev);
6387 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6389 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6391 case LE_LEGACY_ADV_IND:
6393 case LE_LEGACY_ADV_DIRECT_IND:
6394 return LE_ADV_DIRECT_IND;
6395 case LE_LEGACY_ADV_SCAN_IND:
6396 return LE_ADV_SCAN_IND;
6397 case LE_LEGACY_NONCONN_IND:
6398 return LE_ADV_NONCONN_IND;
6399 case LE_LEGACY_SCAN_RSP_ADV:
6400 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6401 return LE_ADV_SCAN_RSP;
6407 if (evt_type & LE_EXT_ADV_CONN_IND) {
6408 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6409 return LE_ADV_DIRECT_IND;
6414 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6415 return LE_ADV_SCAN_RSP;
6417 if (evt_type & LE_EXT_ADV_SCAN_IND)
6418 return LE_ADV_SCAN_IND;
6420 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6421 evt_type & LE_EXT_ADV_DIRECT_IND)
6422 return LE_ADV_NONCONN_IND;
6425 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6428 return LE_ADV_INVALID;
6431 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6432 struct sk_buff *skb)
6434 struct hci_ev_le_ext_adv_report *ev = data;
6435 u64 instant = jiffies;
6443 struct hci_ev_le_ext_adv_info *info;
6447 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6452 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6456 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6457 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6458 if (legacy_evt_type != LE_ADV_INVALID) {
6459 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6460 info->bdaddr_type, NULL, 0,
6462 info->secondary_phy,
6463 info->rssi, info->data, info->length,
6464 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6469 hci_dev_unlock(hdev);
6472 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6474 struct hci_cp_le_pa_term_sync cp;
6476 memset(&cp, 0, sizeof(cp));
6479 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6482 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6483 struct sk_buff *skb)
6485 struct hci_ev_le_pa_sync_established *ev = data;
6486 int mask = hdev->link_mode;
6488 struct hci_conn *pa_sync;
6490 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6494 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6496 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6497 if (!(mask & HCI_LM_ACCEPT)) {
6498 hci_le_pa_term_sync(hdev, ev->handle);
6502 if (!(flags & HCI_PROTO_DEFER))
6506 /* Add connection to indicate the failed PA sync event */
6507 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6513 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6515 /* Notify iso layer */
6516 hci_connect_cfm(pa_sync, ev->status);
6520 hci_dev_unlock(hdev);
6523 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6524 struct sk_buff *skb)
6526 struct hci_ev_le_per_adv_report *ev = data;
6527 int mask = hdev->link_mode;
6530 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6534 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6535 if (!(mask & HCI_LM_ACCEPT))
6536 hci_le_pa_term_sync(hdev, ev->sync_handle);
6538 hci_dev_unlock(hdev);
6541 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6542 struct sk_buff *skb)
6544 struct hci_ev_le_remote_feat_complete *ev = data;
6545 struct hci_conn *conn;
6547 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6551 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6554 memcpy(conn->features[0], ev->features, 8);
6556 if (conn->state == BT_CONFIG) {
6559 /* If the local controller supports peripheral-initiated
6560 * features exchange, but the remote controller does
6561 * not, then it is possible that the error code 0x1a
6562 * for unsupported remote feature gets returned.
6564 * In this specific case, allow the connection to
6565 * transition into connected state and mark it as
6568 if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE &&
6569 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6572 status = ev->status;
6574 conn->state = BT_CONNECTED;
6575 hci_connect_cfm(conn, status);
6576 hci_conn_drop(conn);
6580 hci_dev_unlock(hdev);
6583 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6584 struct sk_buff *skb)
6586 struct hci_ev_le_ltk_req *ev = data;
6587 struct hci_cp_le_ltk_reply cp;
6588 struct hci_cp_le_ltk_neg_reply neg;
6589 struct hci_conn *conn;
6590 struct smp_ltk *ltk;
6592 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6596 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6600 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6604 if (smp_ltk_is_sc(ltk)) {
6605 /* With SC both EDiv and Rand are set to zero */
6606 if (ev->ediv || ev->rand)
6609 /* For non-SC keys check that EDiv and Rand match */
6610 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6614 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6615 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6616 cp.handle = cpu_to_le16(conn->handle);
6618 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6620 conn->enc_key_size = ltk->enc_size;
6622 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6624 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6625 * temporary key used to encrypt a connection following
6626 * pairing. It is used during the Encrypted Session Setup to
6627 * distribute the keys. Later, security can be re-established
6628 * using a distributed LTK.
6630 if (ltk->type == SMP_STK) {
6631 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6632 list_del_rcu(<k->list);
6633 kfree_rcu(ltk, rcu);
6635 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6638 hci_dev_unlock(hdev);
6643 neg.handle = ev->handle;
6644 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6645 hci_dev_unlock(hdev);
6648 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6651 struct hci_cp_le_conn_param_req_neg_reply cp;
6653 cp.handle = cpu_to_le16(handle);
6656 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6660 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6661 struct sk_buff *skb)
6663 struct hci_ev_le_remote_conn_param_req *ev = data;
6664 struct hci_cp_le_conn_param_req_reply cp;
6665 struct hci_conn *hcon;
6666 u16 handle, min, max, latency, timeout;
6668 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6670 handle = le16_to_cpu(ev->handle);
6671 min = le16_to_cpu(ev->interval_min);
6672 max = le16_to_cpu(ev->interval_max);
6673 latency = le16_to_cpu(ev->latency);
6674 timeout = le16_to_cpu(ev->timeout);
6676 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6677 if (!hcon || hcon->state != BT_CONNECTED)
6678 return send_conn_param_neg_reply(hdev, handle,
6679 HCI_ERROR_UNKNOWN_CONN_ID);
6681 if (max > hcon->le_conn_max_interval)
6682 return send_conn_param_neg_reply(hdev, handle,
6683 HCI_ERROR_INVALID_LL_PARAMS);
6685 if (hci_check_conn_params(min, max, latency, timeout))
6686 return send_conn_param_neg_reply(hdev, handle,
6687 HCI_ERROR_INVALID_LL_PARAMS);
6689 if (hcon->role == HCI_ROLE_MASTER) {
6690 struct hci_conn_params *params;
6695 params = hci_conn_params_lookup(hdev, &hcon->dst,
6698 params->conn_min_interval = min;
6699 params->conn_max_interval = max;
6700 params->conn_latency = latency;
6701 params->supervision_timeout = timeout;
6707 hci_dev_unlock(hdev);
6709 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6710 store_hint, min, max, latency, timeout);
6713 cp.handle = ev->handle;
6714 cp.interval_min = ev->interval_min;
6715 cp.interval_max = ev->interval_max;
6716 cp.latency = ev->latency;
6717 cp.timeout = ev->timeout;
6721 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6724 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6725 struct sk_buff *skb)
6727 struct hci_ev_le_direct_adv_report *ev = data;
6728 u64 instant = jiffies;
6731 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6732 flex_array_size(ev, info, ev->num)))
6740 for (i = 0; i < ev->num; i++) {
6741 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6743 process_adv_report(hdev, info->type, &info->bdaddr,
6744 info->bdaddr_type, &info->direct_addr,
6745 info->direct_addr_type, HCI_ADV_PHY_1M, 0,
6746 info->rssi, NULL, 0, false, false, instant);
6749 hci_dev_unlock(hdev);
6752 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6753 struct sk_buff *skb)
6755 struct hci_ev_le_phy_update_complete *ev = data;
6756 struct hci_conn *conn;
6758 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6765 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6769 conn->le_tx_phy = ev->tx_phy;
6770 conn->le_rx_phy = ev->rx_phy;
6773 hci_dev_unlock(hdev);
6776 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6777 struct sk_buff *skb)
6779 struct hci_evt_le_cis_established *ev = data;
6780 struct hci_conn *conn;
6781 struct bt_iso_qos *qos;
6782 bool pending = false;
6783 u16 handle = __le16_to_cpu(ev->handle);
6785 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6789 conn = hci_conn_hash_lookup_handle(hdev, handle);
6792 "Unable to find connection with handle 0x%4.4x",
6797 if (conn->type != ISO_LINK) {
6799 "Invalid connection link type handle 0x%4.4x",
6804 qos = &conn->iso_qos;
6806 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6808 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
6809 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
6810 qos->ucast.out.interval = qos->ucast.in.interval;
6812 switch (conn->role) {
6813 case HCI_ROLE_SLAVE:
6814 /* Convert Transport Latency (us) to Latency (msec) */
6815 qos->ucast.in.latency =
6816 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6818 qos->ucast.out.latency =
6819 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6821 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6822 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6823 qos->ucast.in.phy = ev->c_phy;
6824 qos->ucast.out.phy = ev->p_phy;
6826 case HCI_ROLE_MASTER:
6827 /* Convert Transport Latency (us) to Latency (msec) */
6828 qos->ucast.out.latency =
6829 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6831 qos->ucast.in.latency =
6832 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6834 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6835 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6836 qos->ucast.out.phy = ev->c_phy;
6837 qos->ucast.in.phy = ev->p_phy;
6842 conn->state = BT_CONNECTED;
6843 hci_debugfs_create_conn(conn);
6844 hci_conn_add_sysfs(conn);
6845 hci_iso_setup_path(conn);
6849 conn->state = BT_CLOSED;
6850 hci_connect_cfm(conn, ev->status);
6855 hci_le_create_cis_pending(hdev);
6857 hci_dev_unlock(hdev);
6860 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6862 struct hci_cp_le_reject_cis cp;
6864 memset(&cp, 0, sizeof(cp));
6866 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6867 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6870 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6872 struct hci_cp_le_accept_cis cp;
6874 memset(&cp, 0, sizeof(cp));
6876 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6879 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6880 struct sk_buff *skb)
6882 struct hci_evt_le_cis_req *ev = data;
6883 u16 acl_handle, cis_handle;
6884 struct hci_conn *acl, *cis;
6888 acl_handle = __le16_to_cpu(ev->acl_handle);
6889 cis_handle = __le16_to_cpu(ev->cis_handle);
6891 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6892 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6896 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6900 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
6901 if (!(mask & HCI_LM_ACCEPT)) {
6902 hci_le_reject_cis(hdev, ev->cis_handle);
6906 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6908 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
6911 hci_le_reject_cis(hdev, ev->cis_handle);
6916 cis->iso_qos.ucast.cig = ev->cig_id;
6917 cis->iso_qos.ucast.cis = ev->cis_id;
6919 if (!(flags & HCI_PROTO_DEFER)) {
6920 hci_le_accept_cis(hdev, ev->cis_handle);
6922 cis->state = BT_CONNECT2;
6923 hci_connect_cfm(cis, 0);
6927 hci_dev_unlock(hdev);
6930 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
6932 u8 handle = PTR_UINT(data);
6934 return hci_le_terminate_big_sync(hdev, handle,
6935 HCI_ERROR_LOCAL_HOST_TERM);
6938 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
6939 struct sk_buff *skb)
6941 struct hci_evt_le_create_big_complete *ev = data;
6942 struct hci_conn *conn;
6945 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6947 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
6948 flex_array_size(ev, bis_handle, ev->num_bis)))
6954 /* Connect all BISes that are bound to the BIG */
6955 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6956 if (bacmp(&conn->dst, BDADDR_ANY) ||
6957 conn->type != ISO_LINK ||
6958 conn->iso_qos.bcast.big != ev->handle)
6961 if (hci_conn_set_handle(conn,
6962 __le16_to_cpu(ev->bis_handle[i++])))
6966 conn->state = BT_CONNECTED;
6967 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
6969 hci_debugfs_create_conn(conn);
6970 hci_conn_add_sysfs(conn);
6971 hci_iso_setup_path(conn);
6976 hci_connect_cfm(conn, ev->status);
6984 if (!ev->status && !i)
6985 /* If no BISes have been connected for the BIG,
6986 * terminate. This is in case all bound connections
6987 * have been closed before the BIG creation
6990 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
6991 UINT_PTR(ev->handle), NULL);
6993 hci_dev_unlock(hdev);
6996 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
6997 struct sk_buff *skb)
6999 struct hci_evt_le_big_sync_estabilished *ev = data;
7000 struct hci_conn *bis;
7003 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7005 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7006 flex_array_size(ev, bis, ev->num_bis)))
7011 for (i = 0; i < ev->num_bis; i++) {
7012 u16 handle = le16_to_cpu(ev->bis[i]);
7015 bis = hci_conn_hash_lookup_handle(hdev, handle);
7017 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7018 HCI_ROLE_SLAVE, handle);
7023 if (ev->status != 0x42)
7024 /* Mark PA sync as established */
7025 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7027 bis->iso_qos.bcast.big = ev->handle;
7028 memset(&interval, 0, sizeof(interval));
7029 memcpy(&interval, ev->latency, sizeof(ev->latency));
7030 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7031 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7032 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7033 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7036 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7037 hci_iso_setup_path(bis);
7041 /* In case BIG sync failed, notify each failed connection to
7042 * the user after all hci connections have been added
7045 for (i = 0; i < ev->num_bis; i++) {
7046 u16 handle = le16_to_cpu(ev->bis[i]);
7048 bis = hci_conn_hash_lookup_handle(hdev, handle);
7052 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7053 hci_connect_cfm(bis, ev->status);
7056 hci_dev_unlock(hdev);
7059 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7060 struct sk_buff *skb)
7062 struct hci_evt_le_big_info_adv_report *ev = data;
7063 int mask = hdev->link_mode;
7065 struct hci_conn *pa_sync;
7067 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7071 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7072 if (!(mask & HCI_LM_ACCEPT)) {
7073 hci_le_pa_term_sync(hdev, ev->sync_handle);
7077 if (!(flags & HCI_PROTO_DEFER))
7080 pa_sync = hci_conn_hash_lookup_pa_sync_handle
7082 le16_to_cpu(ev->sync_handle));
7087 /* Add connection to indicate the PA sync event */
7088 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7091 if (IS_ERR(pa_sync))
7094 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7095 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7097 /* Notify iso layer */
7098 hci_connect_cfm(pa_sync, 0x00);
7100 /* Notify MGMT layer */
7101 mgmt_device_connected(hdev, pa_sync, NULL, 0);
7104 hci_dev_unlock(hdev);
7107 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7110 .min_len = _min_len, \
7111 .max_len = _max_len, \
7114 #define HCI_LE_EV(_op, _func, _len) \
7115 HCI_LE_EV_VL(_op, _func, _len, _len)
7117 #define HCI_LE_EV_STATUS(_op, _func) \
7118 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7120 /* Entries in this table shall have their position according to the subevent
7121 * opcode they handle so the use of the macros above is recommend since it does
7122 * attempt to initialize at its proper index using Designated Initializers that
7123 * way events without a callback function can be ommited.
7125 static const struct hci_le_ev {
7126 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7129 } hci_le_ev_table[U8_MAX + 1] = {
7130 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7131 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7132 sizeof(struct hci_ev_le_conn_complete)),
7133 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7134 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7135 sizeof(struct hci_ev_le_advertising_report),
7136 HCI_MAX_EVENT_SIZE),
7137 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7138 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7139 hci_le_conn_update_complete_evt,
7140 sizeof(struct hci_ev_le_conn_update_complete)),
7141 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7142 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7143 hci_le_remote_feat_complete_evt,
7144 sizeof(struct hci_ev_le_remote_feat_complete)),
7145 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7146 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7147 sizeof(struct hci_ev_le_ltk_req)),
7148 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7149 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7150 hci_le_remote_conn_param_req_evt,
7151 sizeof(struct hci_ev_le_remote_conn_param_req)),
7152 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7153 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7154 hci_le_enh_conn_complete_evt,
7155 sizeof(struct hci_ev_le_enh_conn_complete)),
7156 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7157 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7158 sizeof(struct hci_ev_le_direct_adv_report),
7159 HCI_MAX_EVENT_SIZE),
7160 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7161 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7162 sizeof(struct hci_ev_le_phy_update_complete)),
7163 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7164 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7165 sizeof(struct hci_ev_le_ext_adv_report),
7166 HCI_MAX_EVENT_SIZE),
7167 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7168 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7169 hci_le_pa_sync_estabilished_evt,
7170 sizeof(struct hci_ev_le_pa_sync_established)),
7171 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7172 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7173 hci_le_per_adv_report_evt,
7174 sizeof(struct hci_ev_le_per_adv_report),
7175 HCI_MAX_EVENT_SIZE),
7176 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7177 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7178 sizeof(struct hci_evt_le_ext_adv_set_term)),
7179 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7180 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7181 sizeof(struct hci_evt_le_cis_established)),
7182 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7183 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7184 sizeof(struct hci_evt_le_cis_req)),
7185 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7186 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7187 hci_le_create_big_complete_evt,
7188 sizeof(struct hci_evt_le_create_big_complete),
7189 HCI_MAX_EVENT_SIZE),
7190 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7191 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7192 hci_le_big_sync_established_evt,
7193 sizeof(struct hci_evt_le_big_sync_estabilished),
7194 HCI_MAX_EVENT_SIZE),
7195 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7196 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7197 hci_le_big_info_adv_report_evt,
7198 sizeof(struct hci_evt_le_big_info_adv_report),
7199 HCI_MAX_EVENT_SIZE),
7202 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7203 struct sk_buff *skb, u16 *opcode, u8 *status,
7204 hci_req_complete_t *req_complete,
7205 hci_req_complete_skb_t *req_complete_skb)
7207 struct hci_ev_le_meta *ev = data;
7208 const struct hci_le_ev *subev;
7210 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7212 /* Only match event if command OGF is for LE */
7213 if (hdev->req_skb &&
7214 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 &&
7215 hci_skb_event(hdev->req_skb) == ev->subevent) {
7216 *opcode = hci_skb_opcode(hdev->req_skb);
7217 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7221 subev = &hci_le_ev_table[ev->subevent];
7225 if (skb->len < subev->min_len) {
7226 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7227 ev->subevent, skb->len, subev->min_len);
7231 /* Just warn if the length is over max_len size it still be
7232 * possible to partially parse the event so leave to callback to
7233 * decide if that is acceptable.
7235 if (skb->len > subev->max_len)
7236 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7237 ev->subevent, skb->len, subev->max_len);
7238 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7242 subev->func(hdev, data, skb);
7245 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7246 u8 event, struct sk_buff *skb)
7248 struct hci_ev_cmd_complete *ev;
7249 struct hci_event_hdr *hdr;
7254 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7259 if (hdr->evt != event)
7264 /* Check if request ended in Command Status - no way to retrieve
7265 * any extra parameters in this case.
7267 if (hdr->evt == HCI_EV_CMD_STATUS)
7270 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7271 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7276 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7280 if (opcode != __le16_to_cpu(ev->opcode)) {
7281 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7282 __le16_to_cpu(ev->opcode));
7289 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7290 struct sk_buff *skb)
7292 struct hci_ev_le_advertising_info *adv;
7293 struct hci_ev_le_direct_adv_info *direct_adv;
7294 struct hci_ev_le_ext_adv_info *ext_adv;
7295 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7296 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7300 /* If we are currently suspended and this is the first BT event seen,
7301 * save the wake reason associated with the event.
7303 if (!hdev->suspended || hdev->wake_reason)
7306 /* Default to remote wake. Values for wake_reason are documented in the
7307 * Bluez mgmt api docs.
7309 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7311 /* Once configured for remote wakeup, we should only wake up for
7312 * reconnections. It's useful to see which device is waking us up so
7313 * keep track of the bdaddr of the connection event that woke us up.
7315 if (event == HCI_EV_CONN_REQUEST) {
7316 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7317 hdev->wake_addr_type = BDADDR_BREDR;
7318 } else if (event == HCI_EV_CONN_COMPLETE) {
7319 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7320 hdev->wake_addr_type = BDADDR_BREDR;
7321 } else if (event == HCI_EV_LE_META) {
7322 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7323 u8 subevent = le_ev->subevent;
7324 u8 *ptr = &skb->data[sizeof(*le_ev)];
7325 u8 num_reports = *ptr;
7327 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7328 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7329 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7331 adv = (void *)(ptr + 1);
7332 direct_adv = (void *)(ptr + 1);
7333 ext_adv = (void *)(ptr + 1);
7336 case HCI_EV_LE_ADVERTISING_REPORT:
7337 bacpy(&hdev->wake_addr, &adv->bdaddr);
7338 hdev->wake_addr_type = adv->bdaddr_type;
7340 case HCI_EV_LE_DIRECT_ADV_REPORT:
7341 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7342 hdev->wake_addr_type = direct_adv->bdaddr_type;
7344 case HCI_EV_LE_EXT_ADV_REPORT:
7345 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7346 hdev->wake_addr_type = ext_adv->bdaddr_type;
7351 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7355 hci_dev_unlock(hdev);
7358 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7362 .min_len = _min_len, \
7363 .max_len = _max_len, \
7366 #define HCI_EV(_op, _func, _len) \
7367 HCI_EV_VL(_op, _func, _len, _len)
7369 #define HCI_EV_STATUS(_op, _func) \
7370 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7372 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7375 .func_req = _func, \
7376 .min_len = _min_len, \
7377 .max_len = _max_len, \
7380 #define HCI_EV_REQ(_op, _func, _len) \
7381 HCI_EV_REQ_VL(_op, _func, _len, _len)
7383 /* Entries in this table shall have their position according to the event opcode
7384 * they handle so the use of the macros above is recommend since it does attempt
7385 * to initialize at its proper index using Designated Initializers that way
7386 * events without a callback function don't have entered.
7388 static const struct hci_ev {
7391 void (*func)(struct hci_dev *hdev, void *data,
7392 struct sk_buff *skb);
7393 void (*func_req)(struct hci_dev *hdev, void *data,
7394 struct sk_buff *skb, u16 *opcode, u8 *status,
7395 hci_req_complete_t *req_complete,
7396 hci_req_complete_skb_t *req_complete_skb);
7400 } hci_ev_table[U8_MAX + 1] = {
7401 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7402 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7403 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7404 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7405 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7406 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7407 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7408 sizeof(struct hci_ev_conn_complete)),
7409 /* [0x04 = HCI_EV_CONN_REQUEST] */
7410 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7411 sizeof(struct hci_ev_conn_request)),
7412 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7413 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7414 sizeof(struct hci_ev_disconn_complete)),
7415 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7416 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7417 sizeof(struct hci_ev_auth_complete)),
7418 /* [0x07 = HCI_EV_REMOTE_NAME] */
7419 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7420 sizeof(struct hci_ev_remote_name)),
7421 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7422 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7423 sizeof(struct hci_ev_encrypt_change)),
7424 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7425 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7426 hci_change_link_key_complete_evt,
7427 sizeof(struct hci_ev_change_link_key_complete)),
7428 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7429 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7430 sizeof(struct hci_ev_remote_features)),
7431 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7432 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7433 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7434 /* [0x0f = HCI_EV_CMD_STATUS] */
7435 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7436 sizeof(struct hci_ev_cmd_status)),
7437 /* [0x10 = HCI_EV_CMD_STATUS] */
7438 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7439 sizeof(struct hci_ev_hardware_error)),
7440 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7441 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7442 sizeof(struct hci_ev_role_change)),
7443 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7444 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7445 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7446 /* [0x14 = HCI_EV_MODE_CHANGE] */
7447 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7448 sizeof(struct hci_ev_mode_change)),
7449 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7450 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7451 sizeof(struct hci_ev_pin_code_req)),
7452 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7453 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7454 sizeof(struct hci_ev_link_key_req)),
7455 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7456 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7457 sizeof(struct hci_ev_link_key_notify)),
7458 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7459 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7460 sizeof(struct hci_ev_clock_offset)),
7461 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7462 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7463 sizeof(struct hci_ev_pkt_type_change)),
7464 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7465 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7466 sizeof(struct hci_ev_pscan_rep_mode)),
7467 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7468 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7469 hci_inquiry_result_with_rssi_evt,
7470 sizeof(struct hci_ev_inquiry_result_rssi),
7471 HCI_MAX_EVENT_SIZE),
7472 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7473 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7474 sizeof(struct hci_ev_remote_ext_features)),
7475 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7476 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7477 sizeof(struct hci_ev_sync_conn_complete)),
7478 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7479 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7480 hci_extended_inquiry_result_evt,
7481 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7482 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7483 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7484 sizeof(struct hci_ev_key_refresh_complete)),
7485 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7486 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7487 sizeof(struct hci_ev_io_capa_request)),
7488 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7489 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7490 sizeof(struct hci_ev_io_capa_reply)),
7491 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7492 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7493 sizeof(struct hci_ev_user_confirm_req)),
7494 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7495 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7496 sizeof(struct hci_ev_user_passkey_req)),
7497 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7498 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7499 sizeof(struct hci_ev_remote_oob_data_request)),
7500 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7501 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7502 sizeof(struct hci_ev_simple_pair_complete)),
7503 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7504 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7505 sizeof(struct hci_ev_user_passkey_notify)),
7506 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7507 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7508 sizeof(struct hci_ev_keypress_notify)),
7509 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7510 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7511 sizeof(struct hci_ev_remote_host_features)),
7512 /* [0x3e = HCI_EV_LE_META] */
7513 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7514 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7515 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7516 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7517 sizeof(struct hci_ev_num_comp_blocks)),
7518 /* [0xff = HCI_EV_VENDOR] */
7519 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7522 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7523 u16 *opcode, u8 *status,
7524 hci_req_complete_t *req_complete,
7525 hci_req_complete_skb_t *req_complete_skb)
7527 const struct hci_ev *ev = &hci_ev_table[event];
7533 if (skb->len < ev->min_len) {
7534 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7535 event, skb->len, ev->min_len);
7539 /* Just warn if the length is over max_len size it still be
7540 * possible to partially parse the event so leave to callback to
7541 * decide if that is acceptable.
7543 if (skb->len > ev->max_len)
7544 bt_dev_warn_ratelimited(hdev,
7545 "unexpected event 0x%2.2x length: %u > %u",
7546 event, skb->len, ev->max_len);
7548 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7553 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7556 ev->func(hdev, data, skb);
7559 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7561 struct hci_event_hdr *hdr = (void *) skb->data;
7562 hci_req_complete_t req_complete = NULL;
7563 hci_req_complete_skb_t req_complete_skb = NULL;
7564 struct sk_buff *orig_skb = NULL;
7565 u8 status = 0, event, req_evt = 0;
7566 u16 opcode = HCI_OP_NOP;
7568 if (skb->len < sizeof(*hdr)) {
7569 bt_dev_err(hdev, "Malformed HCI Event");
7573 kfree_skb(hdev->recv_event);
7574 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7578 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7583 /* Only match event if command OGF is not for LE */
7584 if (hdev->req_skb &&
7585 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
7586 hci_skb_event(hdev->req_skb) == event) {
7587 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
7588 status, &req_complete, &req_complete_skb);
7592 /* If it looks like we might end up having to call
7593 * req_complete_skb, store a pristine copy of the skb since the
7594 * various handlers may modify the original one through
7595 * skb_pull() calls, etc.
7597 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7598 event == HCI_EV_CMD_COMPLETE)
7599 orig_skb = skb_clone(skb, GFP_KERNEL);
7601 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7603 /* Store wake reason if we're suspended */
7604 hci_store_wake_reason(hdev, event, skb);
7606 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7608 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7612 req_complete(hdev, status, opcode);
7613 } else if (req_complete_skb) {
7614 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7615 kfree_skb(orig_skb);
7618 req_complete_skb(hdev, status, opcode, orig_skb);
7622 kfree_skb(orig_skb);
7624 hdev->stat.evt_rx++;