2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
158 conn->link_policy = get_unaligned_le16(sent + 2);
160 hci_dev_unlock(hdev);
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
173 hdev->link_policy = __le16_to_cpu(rp->policy);
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
179 __u8 status = *((__u8 *) skb->data);
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
191 hdev->link_policy = get_unaligned_le16(sent);
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
196 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
200 clear_bit(HCI_RESET, &hdev->flags);
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
221 hdev->ssp_debug_mode = 0;
223 hci_bdaddr_list_clear(&hdev->le_white_list);
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 struct hci_cp_read_stored_link_key *sent;
232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
238 if (!rp->status && sent->read_all == 0x01) {
239 hdev->stored_max_keys = rp->max_keys;
240 hdev->stored_num_keys = rp->num_keys;
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
254 if (rp->num_keys <= hdev->stored_num_keys)
255 hdev->stored_num_keys -= rp->num_keys;
257 hdev->stored_num_keys = 0;
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262 __u8 status = *((__u8 *) skb->data);
265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
273 if (hci_dev_test_flag(hdev, HCI_MGMT))
274 mgmt_set_local_name_complete(hdev, sent, status);
276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278 hci_dev_unlock(hdev);
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283 struct hci_rp_read_local_name *rp = (void *) skb->data;
285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
290 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 hci_dev_test_flag(hdev, HCI_CONFIG))
292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297 __u8 status = *((__u8 *) skb->data);
300 BT_DBG("%s status 0x%2.2x", hdev->name, status);
302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
309 __u8 param = *((__u8 *) sent);
311 if (param == AUTH_ENABLED)
312 set_bit(HCI_AUTH, &hdev->flags);
314 clear_bit(HCI_AUTH, &hdev->flags);
317 if (hci_dev_test_flag(hdev, HCI_MGMT))
318 mgmt_auth_enable_complete(hdev, status);
320 hci_dev_unlock(hdev);
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325 __u8 status = *((__u8 *) skb->data);
329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
338 param = *((__u8 *) sent);
341 set_bit(HCI_ENCRYPT, &hdev->flags);
343 clear_bit(HCI_ENCRYPT, &hdev->flags);
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348 __u8 status = *((__u8 *) skb->data);
352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
358 param = *((__u8 *) sent);
363 hdev->discov_timeout = 0;
367 if (param & SCAN_INQUIRY)
368 set_bit(HCI_ISCAN, &hdev->flags);
370 clear_bit(HCI_ISCAN, &hdev->flags);
372 if (param & SCAN_PAGE)
373 set_bit(HCI_PSCAN, &hdev->flags);
375 clear_bit(HCI_PSCAN, &hdev->flags);
378 hci_dev_unlock(hdev);
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
390 memcpy(hdev->dev_class, rp->dev_class, 3);
392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398 __u8 status = *((__u8 *) skb->data);
401 BT_DBG("%s status 0x%2.2x", hdev->name, status);
403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
410 memcpy(hdev->dev_class, sent, 3);
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_set_class_of_dev_complete(hdev, sent, status);
415 hci_dev_unlock(hdev);
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
428 setting = __le16_to_cpu(rp->voice_setting);
430 if (hdev->voice_setting == setting)
433 hdev->voice_setting = setting;
435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
444 __u8 status = *((__u8 *) skb->data);
448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
457 setting = get_unaligned_le16(sent);
459 if (hdev->voice_setting == setting)
462 hdev->voice_setting = setting;
464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
480 hdev->num_iac = rp->num_iac;
482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487 __u8 status = *((__u8 *) skb->data);
488 struct hci_cp_write_ssp_mode *sent;
490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
500 hdev->features[1][0] |= LMP_HOST_SSP;
502 hdev->features[1][0] &= ~LMP_HOST_SSP;
505 if (hci_dev_test_flag(hdev, HCI_MGMT))
506 mgmt_ssp_enable_complete(hdev, sent->mode, status);
509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
514 hci_dev_unlock(hdev);
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519 u8 status = *((u8 *) skb->data);
520 struct hci_cp_write_sc_support *sent;
522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
532 hdev->features[1][0] |= LMP_HOST_SC;
534 hdev->features[1][0] &= ~LMP_HOST_SC;
537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
544 hci_dev_unlock(hdev);
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549 struct hci_rp_read_local_version *rp = (void *) skb->data;
551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
556 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 hdev->hci_ver = rp->hci_ver;
559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 hdev->lmp_ver = rp->lmp_ver;
561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
569 struct hci_rp_read_local_commands *rp = (void *) skb->data;
571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
576 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 hci_dev_test_flag(hdev, HCI_CONFIG))
578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
584 struct hci_rp_read_local_features *rp = (void *) skb->data;
586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
591 memcpy(hdev->features, rp->features, 8);
593 /* Adjust default settings according to features
594 * supported by device. */
596 if (hdev->features[0][0] & LMP_3SLOT)
597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
599 if (hdev->features[0][0] & LMP_5SLOT)
600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
602 if (hdev->features[0][1] & LMP_HV2) {
603 hdev->pkt_type |= (HCI_HV2);
604 hdev->esco_type |= (ESCO_HV2);
607 if (hdev->features[0][1] & LMP_HV3) {
608 hdev->pkt_type |= (HCI_HV3);
609 hdev->esco_type |= (ESCO_HV3);
612 if (lmp_esco_capable(hdev))
613 hdev->esco_type |= (ESCO_EV3);
615 if (hdev->features[0][4] & LMP_EV4)
616 hdev->esco_type |= (ESCO_EV4);
618 if (hdev->features[0][4] & LMP_EV5)
619 hdev->esco_type |= (ESCO_EV5);
621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 hdev->esco_type |= (ESCO_2EV3);
624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 hdev->esco_type |= (ESCO_3EV3);
627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
641 if (hdev->max_page < rp->max_page)
642 hdev->max_page = rp->max_page;
644 if (rp->page < HCI_MAX_PAGES)
645 memcpy(hdev->features[rp->page], rp->features, 8);
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
658 hdev->flow_ctl_mode = rp->mode;
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
671 hdev->sco_mtu = rp->sco_mtu;
672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
680 hdev->acl_cnt = hdev->acl_pkts;
681 hdev->sco_cnt = hdev->sco_pkts;
683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
689 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
696 if (test_bit(HCI_INIT, &hdev->flags))
697 bacpy(&hdev->bdaddr, &rp->bdaddr);
699 if (hci_dev_test_flag(hdev, HCI_SETUP))
700 bacpy(&hdev->setup_addr, &rp->bdaddr);
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
713 if (test_bit(HCI_INIT, &hdev->flags)) {
714 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 hdev->page_scan_window = __le16_to_cpu(rp->window);
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
722 u8 status = *((u8 *) skb->data);
723 struct hci_cp_write_page_scan_activity *sent;
725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
734 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 hdev->page_scan_window = __le16_to_cpu(sent->window);
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
748 if (test_bit(HCI_INIT, &hdev->flags))
749 hdev->page_scan_type = rp->type;
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
755 u8 status = *((u8 *) skb->data);
758 BT_DBG("%s status 0x%2.2x", hdev->name, status);
763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
765 hdev->page_scan_type = *type;
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
771 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 hdev->block_len = __le16_to_cpu(rp->block_len);
780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
782 hdev->block_cnt = hdev->num_blocks;
784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 hdev->block_cnt, hdev->block_len);
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
790 struct hci_rp_read_clock *rp = (void *) skb->data;
791 struct hci_cp_read_clock *cp;
792 struct hci_conn *conn;
794 BT_DBG("%s", hdev->name);
796 if (skb->len < sizeof(*rp))
804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
808 if (cp->which == 0x00) {
809 hdev->clock = le32_to_cpu(rp->clock);
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
815 conn->clock = le32_to_cpu(rp->clock);
816 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
820 hci_dev_unlock(hdev);
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
833 hdev->amp_status = rp->amp_status;
834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 hdev->amp_type = rp->amp_type;
839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
855 hdev->inq_tx_power = rp->tx_power;
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
860 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 struct hci_cp_pin_code_reply *cp;
862 struct hci_conn *conn;
864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
868 if (hci_dev_test_flag(hdev, HCI_MGMT))
869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
880 conn->pin_length = cp->pin_len;
883 hci_dev_unlock(hdev);
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
894 if (hci_dev_test_flag(hdev, HCI_MGMT))
895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
898 hci_dev_unlock(hdev);
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 hdev->le_pkts = rp->le_max_pkt;
914 hdev->le_cnt = hdev->le_pkts;
916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
922 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
929 memcpy(hdev->le_features, rp->features, 8);
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
942 hdev->adv_tx_power = rp->tx_power;
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
953 if (hci_dev_test_flag(hdev, HCI_MGMT))
954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
957 hci_dev_unlock(hdev);
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 ACL_LINK, 0, rp->status);
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
984 if (hci_dev_test_flag(hdev, HCI_MGMT))
985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
988 hci_dev_unlock(hdev);
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 ACL_LINK, 0, rp->status);
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 struct sk_buff *skb)
1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1025 __u8 status = *((__u8 *) skb->data);
1028 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1039 bacpy(&hdev->random_addr, sent);
1041 hci_dev_unlock(hdev);
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1046 __u8 *sent, status = *((__u8 *) skb->data);
1048 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1059 /* If we're doing connection initiation as peripheral. Set a
1060 * timeout in case something goes wrong.
1063 struct hci_conn *conn;
1065 hci_dev_set_flag(hdev, HCI_LE_ADV);
1067 conn = hci_lookup_le_connect(hdev);
1069 queue_delayed_work(hdev->workqueue,
1070 &conn->le_conn_timeout,
1071 conn->conn_timeout);
1073 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1076 hci_dev_unlock(hdev);
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1081 struct hci_cp_le_set_scan_param *cp;
1082 __u8 status = *((__u8 *) skb->data);
1084 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1095 hdev->le_scan_type = cp->type;
1097 hci_dev_unlock(hdev);
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1102 struct discovery_state *d = &hdev->discovery;
1104 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1109 struct discovery_state *d = &hdev->discovery;
1111 bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 d->last_adv_data_len = 0;
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 u8 bdaddr_type, s8 rssi, u32 flags,
1119 struct discovery_state *d = &hdev->discovery;
1121 bacpy(&d->last_adv_addr, bdaddr);
1122 d->last_adv_addr_type = bdaddr_type;
1123 d->last_adv_rssi = rssi;
1124 d->last_adv_flags = flags;
1125 memcpy(d->last_adv_data, data, len);
1126 d->last_adv_data_len = len;
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 struct sk_buff *skb)
1132 struct hci_cp_le_set_scan_enable *cp;
1133 __u8 status = *((__u8 *) skb->data);
1135 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1146 switch (cp->enable) {
1147 case LE_SCAN_ENABLE:
1148 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 clear_pending_adv_report(hdev);
1153 case LE_SCAN_DISABLE:
1154 /* We do this here instead of when setting DISCOVERY_STOPPED
1155 * since the latter would potentially require waiting for
1156 * inquiry to stop too.
1158 if (has_pending_adv_report(hdev)) {
1159 struct discovery_state *d = &hdev->discovery;
1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 d->last_adv_addr_type, NULL,
1163 d->last_adv_rssi, d->last_adv_flags,
1165 d->last_adv_data_len, NULL, 0);
1168 /* Cancel this timer so that we don't try to disable scanning
1169 * when it's already disabled.
1171 cancel_delayed_work(&hdev->le_scan_disable);
1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 * interrupted scanning due to a connect request. Mark
1177 * therefore discovery as stopped. If this was not
1178 * because of a connect request advertising might have
1179 * been disabled because of active scanning, so
1180 * re-enable it again if necessary.
1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 hdev->discovery.state == DISCOVERY_FINDING)
1186 mgmt_reenable_advertising(hdev);
1191 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1195 hci_dev_unlock(hdev);
1198 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1199 struct sk_buff *skb)
1201 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1203 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1208 hdev->le_white_list_size = rp->size;
1211 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1212 struct sk_buff *skb)
1214 __u8 status = *((__u8 *) skb->data);
1216 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1221 hci_bdaddr_list_clear(&hdev->le_white_list);
1224 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1225 struct sk_buff *skb)
1227 struct hci_cp_le_add_to_white_list *sent;
1228 __u8 status = *((__u8 *) skb->data);
1230 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1235 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1239 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1243 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1244 struct sk_buff *skb)
1246 struct hci_cp_le_del_from_white_list *sent;
1247 __u8 status = *((__u8 *) skb->data);
1249 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1254 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1258 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1262 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1263 struct sk_buff *skb)
1265 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1267 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1272 memcpy(hdev->le_states, rp->le_states, 8);
1275 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1286 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1289 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1290 struct sk_buff *skb)
1292 struct hci_cp_le_write_def_data_len *sent;
1293 __u8 status = *((__u8 *) skb->data);
1295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1300 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1304 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1305 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1308 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1309 struct sk_buff *skb)
1311 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1313 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1318 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1319 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1320 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1321 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1324 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1325 struct sk_buff *skb)
1327 struct hci_cp_write_le_host_supported *sent;
1328 __u8 status = *((__u8 *) skb->data);
1330 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1342 hdev->features[1][0] |= LMP_HOST_LE;
1343 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1345 hdev->features[1][0] &= ~LMP_HOST_LE;
1346 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1347 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1351 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1353 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1355 hci_dev_unlock(hdev);
1358 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1360 struct hci_cp_le_set_adv_param *cp;
1361 u8 status = *((u8 *) skb->data);
1363 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1368 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1373 hdev->adv_addr_type = cp->own_address_type;
1374 hci_dev_unlock(hdev);
1377 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1379 struct hci_rp_read_rssi *rp = (void *) skb->data;
1380 struct hci_conn *conn;
1382 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1389 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1391 conn->rssi = rp->rssi;
1393 hci_dev_unlock(hdev);
1396 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1398 struct hci_cp_read_tx_power *sent;
1399 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1400 struct hci_conn *conn;
1402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1407 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1417 switch (sent->type) {
1419 conn->tx_power = rp->tx_power;
1422 conn->max_tx_power = rp->tx_power;
1427 hci_dev_unlock(hdev);
1430 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1432 u8 status = *((u8 *) skb->data);
1435 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1440 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1442 hdev->ssp_debug_mode = *mode;
1445 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1447 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1450 hci_conn_check_pending(hdev);
1454 set_bit(HCI_INQUIRY, &hdev->flags);
1457 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1459 struct hci_cp_create_conn *cp;
1460 struct hci_conn *conn;
1462 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1470 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1472 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1475 if (conn && conn->state == BT_CONNECT) {
1476 if (status != 0x0c || conn->attempt > 2) {
1477 conn->state = BT_CLOSED;
1478 hci_connect_cfm(conn, status);
1481 conn->state = BT_CONNECT2;
1485 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1488 BT_ERR("No memory for new connection");
1492 hci_dev_unlock(hdev);
1495 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1497 struct hci_cp_add_sco *cp;
1498 struct hci_conn *acl, *sco;
1501 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1506 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1510 handle = __le16_to_cpu(cp->handle);
1512 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1516 acl = hci_conn_hash_lookup_handle(hdev, handle);
1520 sco->state = BT_CLOSED;
1522 hci_connect_cfm(sco, status);
1527 hci_dev_unlock(hdev);
1530 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1532 struct hci_cp_auth_requested *cp;
1533 struct hci_conn *conn;
1535 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1540 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1546 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1548 if (conn->state == BT_CONFIG) {
1549 hci_connect_cfm(conn, status);
1550 hci_conn_drop(conn);
1554 hci_dev_unlock(hdev);
1557 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1559 struct hci_cp_set_conn_encrypt *cp;
1560 struct hci_conn *conn;
1562 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1567 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1573 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1575 if (conn->state == BT_CONFIG) {
1576 hci_connect_cfm(conn, status);
1577 hci_conn_drop(conn);
1581 hci_dev_unlock(hdev);
1584 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1585 struct hci_conn *conn)
1587 if (conn->state != BT_CONFIG || !conn->out)
1590 if (conn->pending_sec_level == BT_SECURITY_SDP)
1593 /* Only request authentication for SSP connections or non-SSP
1594 * devices with sec_level MEDIUM or HIGH or if MITM protection
1597 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1598 conn->pending_sec_level != BT_SECURITY_FIPS &&
1599 conn->pending_sec_level != BT_SECURITY_HIGH &&
1600 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1606 static int hci_resolve_name(struct hci_dev *hdev,
1607 struct inquiry_entry *e)
1609 struct hci_cp_remote_name_req cp;
1611 memset(&cp, 0, sizeof(cp));
1613 bacpy(&cp.bdaddr, &e->data.bdaddr);
1614 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1615 cp.pscan_mode = e->data.pscan_mode;
1616 cp.clock_offset = e->data.clock_offset;
1618 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1621 static bool hci_resolve_next_name(struct hci_dev *hdev)
1623 struct discovery_state *discov = &hdev->discovery;
1624 struct inquiry_entry *e;
1626 if (list_empty(&discov->resolve))
1629 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1633 if (hci_resolve_name(hdev, e) == 0) {
1634 e->name_state = NAME_PENDING;
1641 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1642 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1644 struct discovery_state *discov = &hdev->discovery;
1645 struct inquiry_entry *e;
1647 /* Update the mgmt connected state if necessary. Be careful with
1648 * conn objects that exist but are not (yet) connected however.
1649 * Only those in BT_CONFIG or BT_CONNECTED states can be
1650 * considered connected.
1653 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1654 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1655 mgmt_device_connected(hdev, conn, 0, name, name_len);
1657 if (discov->state == DISCOVERY_STOPPED)
1660 if (discov->state == DISCOVERY_STOPPING)
1661 goto discov_complete;
1663 if (discov->state != DISCOVERY_RESOLVING)
1666 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1667 /* If the device was not found in a list of found devices names of which
1668 * are pending. there is no need to continue resolving a next name as it
1669 * will be done upon receiving another Remote Name Request Complete
1676 e->name_state = NAME_KNOWN;
1677 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1678 e->data.rssi, name, name_len);
1680 e->name_state = NAME_NOT_KNOWN;
1683 if (hci_resolve_next_name(hdev))
1687 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1690 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1692 struct hci_cp_remote_name_req *cp;
1693 struct hci_conn *conn;
1695 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1697 /* If successful wait for the name req complete event before
1698 * checking for the need to do authentication */
1702 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1710 if (hci_dev_test_flag(hdev, HCI_MGMT))
1711 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1716 if (!hci_outgoing_auth_needed(hdev, conn))
1719 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1720 struct hci_cp_auth_requested auth_cp;
1722 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1724 auth_cp.handle = __cpu_to_le16(conn->handle);
1725 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1726 sizeof(auth_cp), &auth_cp);
1730 hci_dev_unlock(hdev);
1733 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1735 struct hci_cp_read_remote_features *cp;
1736 struct hci_conn *conn;
1738 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1743 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1749 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1751 if (conn->state == BT_CONFIG) {
1752 hci_connect_cfm(conn, status);
1753 hci_conn_drop(conn);
1757 hci_dev_unlock(hdev);
1760 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1762 struct hci_cp_read_remote_ext_features *cp;
1763 struct hci_conn *conn;
1765 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1770 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1776 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1778 if (conn->state == BT_CONFIG) {
1779 hci_connect_cfm(conn, status);
1780 hci_conn_drop(conn);
1784 hci_dev_unlock(hdev);
1787 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1789 struct hci_cp_setup_sync_conn *cp;
1790 struct hci_conn *acl, *sco;
1793 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1798 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1802 handle = __le16_to_cpu(cp->handle);
1804 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1808 acl = hci_conn_hash_lookup_handle(hdev, handle);
1812 sco->state = BT_CLOSED;
1814 hci_connect_cfm(sco, status);
1819 hci_dev_unlock(hdev);
1822 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1824 struct hci_cp_sniff_mode *cp;
1825 struct hci_conn *conn;
1827 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1832 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1838 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1840 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1842 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1843 hci_sco_setup(conn, status);
1846 hci_dev_unlock(hdev);
1849 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1851 struct hci_cp_exit_sniff_mode *cp;
1852 struct hci_conn *conn;
1854 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1859 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1867 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1870 hci_sco_setup(conn, status);
1873 hci_dev_unlock(hdev);
1876 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1878 struct hci_cp_disconnect *cp;
1879 struct hci_conn *conn;
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1893 conn->dst_type, status);
1895 hci_dev_unlock(hdev);
1898 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1900 struct hci_cp_le_create_conn *cp;
1901 struct hci_conn *conn;
1903 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1905 /* All connection failure handling is taken care of by the
1906 * hci_le_conn_failed function which is triggered by the HCI
1907 * request completion callbacks used for connecting.
1912 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1918 conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1919 cp->peer_addr_type);
1923 /* Store the initiator and responder address information which
1924 * is needed for SMP. These values will not change during the
1925 * lifetime of the connection.
1927 conn->init_addr_type = cp->own_address_type;
1928 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1929 bacpy(&conn->init_addr, &hdev->random_addr);
1931 bacpy(&conn->init_addr, &hdev->bdaddr);
1933 conn->resp_addr_type = cp->peer_addr_type;
1934 bacpy(&conn->resp_addr, &cp->peer_addr);
1936 /* We don't want the connection attempt to stick around
1937 * indefinitely since LE doesn't have a page timeout concept
1938 * like BR/EDR. Set a timer for any connection that doesn't use
1939 * the white list for connecting.
1941 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1942 queue_delayed_work(conn->hdev->workqueue,
1943 &conn->le_conn_timeout,
1944 conn->conn_timeout);
1947 hci_dev_unlock(hdev);
1950 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1952 struct hci_cp_le_read_remote_features *cp;
1953 struct hci_conn *conn;
1955 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1960 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1966 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1968 if (conn->state == BT_CONFIG) {
1969 hci_connect_cfm(conn, status);
1970 hci_conn_drop(conn);
1974 hci_dev_unlock(hdev);
1977 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1979 struct hci_cp_le_start_enc *cp;
1980 struct hci_conn *conn;
1982 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1989 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1993 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1997 if (conn->state != BT_CONNECTED)
2000 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2001 hci_conn_drop(conn);
2004 hci_dev_unlock(hdev);
2007 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2009 struct hci_cp_switch_role *cp;
2010 struct hci_conn *conn;
2012 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2017 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2023 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2025 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2027 hci_dev_unlock(hdev);
2030 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2032 __u8 status = *((__u8 *) skb->data);
2033 struct discovery_state *discov = &hdev->discovery;
2034 struct inquiry_entry *e;
2036 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2038 hci_conn_check_pending(hdev);
2040 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2043 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2044 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2046 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2051 if (discov->state != DISCOVERY_FINDING)
2054 if (list_empty(&discov->resolve)) {
2055 /* When BR/EDR inquiry is active and no LE scanning is in
2056 * progress, then change discovery state to indicate completion.
2058 * When running LE scanning and BR/EDR inquiry simultaneously
2059 * and the LE scan already finished, then change the discovery
2060 * state to indicate completion.
2062 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2063 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2064 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2068 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2069 if (e && hci_resolve_name(hdev, e) == 0) {
2070 e->name_state = NAME_PENDING;
2071 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2073 /* When BR/EDR inquiry is active and no LE scanning is in
2074 * progress, then change discovery state to indicate completion.
2076 * When running LE scanning and BR/EDR inquiry simultaneously
2077 * and the LE scan already finished, then change the discovery
2078 * state to indicate completion.
2080 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2081 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2082 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2086 hci_dev_unlock(hdev);
2089 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2091 struct inquiry_data data;
2092 struct inquiry_info *info = (void *) (skb->data + 1);
2093 int num_rsp = *((__u8 *) skb->data);
2095 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2100 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2105 for (; num_rsp; num_rsp--, info++) {
2108 bacpy(&data.bdaddr, &info->bdaddr);
2109 data.pscan_rep_mode = info->pscan_rep_mode;
2110 data.pscan_period_mode = info->pscan_period_mode;
2111 data.pscan_mode = info->pscan_mode;
2112 memcpy(data.dev_class, info->dev_class, 3);
2113 data.clock_offset = info->clock_offset;
2114 data.rssi = HCI_RSSI_INVALID;
2115 data.ssp_mode = 0x00;
2117 flags = hci_inquiry_cache_update(hdev, &data, false);
2119 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2120 info->dev_class, HCI_RSSI_INVALID,
2121 flags, NULL, 0, NULL, 0);
2124 hci_dev_unlock(hdev);
2127 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2129 struct hci_ev_conn_complete *ev = (void *) skb->data;
2130 struct hci_conn *conn;
2132 BT_DBG("%s", hdev->name);
2136 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2138 if (ev->link_type != SCO_LINK)
2141 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2145 conn->type = SCO_LINK;
2149 conn->handle = __le16_to_cpu(ev->handle);
2151 if (conn->type == ACL_LINK) {
2152 conn->state = BT_CONFIG;
2153 hci_conn_hold(conn);
2155 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2156 !hci_find_link_key(hdev, &ev->bdaddr))
2157 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2159 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2161 conn->state = BT_CONNECTED;
2163 hci_debugfs_create_conn(conn);
2164 hci_conn_add_sysfs(conn);
2166 if (test_bit(HCI_AUTH, &hdev->flags))
2167 set_bit(HCI_CONN_AUTH, &conn->flags);
2169 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2170 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2172 /* Get remote features */
2173 if (conn->type == ACL_LINK) {
2174 struct hci_cp_read_remote_features cp;
2175 cp.handle = ev->handle;
2176 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2179 hci_update_page_scan(hdev);
2182 /* Set packet type for incoming connection */
2183 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2184 struct hci_cp_change_conn_ptype cp;
2185 cp.handle = ev->handle;
2186 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2187 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2191 conn->state = BT_CLOSED;
2192 if (conn->type == ACL_LINK)
2193 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2194 conn->dst_type, ev->status);
2197 if (conn->type == ACL_LINK)
2198 hci_sco_setup(conn, ev->status);
2201 hci_connect_cfm(conn, ev->status);
2203 } else if (ev->link_type != ACL_LINK)
2204 hci_connect_cfm(conn, ev->status);
2207 hci_dev_unlock(hdev);
2209 hci_conn_check_pending(hdev);
2212 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2214 struct hci_cp_reject_conn_req cp;
2216 bacpy(&cp.bdaddr, bdaddr);
2217 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2218 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2221 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2223 struct hci_ev_conn_request *ev = (void *) skb->data;
2224 int mask = hdev->link_mode;
2225 struct inquiry_entry *ie;
2226 struct hci_conn *conn;
2229 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2232 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2235 if (!(mask & HCI_LM_ACCEPT)) {
2236 hci_reject_conn(hdev, &ev->bdaddr);
2240 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2242 hci_reject_conn(hdev, &ev->bdaddr);
2246 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2247 * connection. These features are only touched through mgmt so
2248 * only do the checks if HCI_MGMT is set.
2250 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2251 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2252 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2254 hci_reject_conn(hdev, &ev->bdaddr);
2258 /* Connection accepted */
2262 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2264 memcpy(ie->data.dev_class, ev->dev_class, 3);
2266 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2269 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2272 BT_ERR("No memory for new connection");
2273 hci_dev_unlock(hdev);
2278 memcpy(conn->dev_class, ev->dev_class, 3);
2280 hci_dev_unlock(hdev);
2282 if (ev->link_type == ACL_LINK ||
2283 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2284 struct hci_cp_accept_conn_req cp;
2285 conn->state = BT_CONNECT;
2287 bacpy(&cp.bdaddr, &ev->bdaddr);
2289 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2290 cp.role = 0x00; /* Become master */
2292 cp.role = 0x01; /* Remain slave */
2294 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2295 } else if (!(flags & HCI_PROTO_DEFER)) {
2296 struct hci_cp_accept_sync_conn_req cp;
2297 conn->state = BT_CONNECT;
2299 bacpy(&cp.bdaddr, &ev->bdaddr);
2300 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2302 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2303 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2304 cp.max_latency = cpu_to_le16(0xffff);
2305 cp.content_format = cpu_to_le16(hdev->voice_setting);
2306 cp.retrans_effort = 0xff;
2308 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2311 conn->state = BT_CONNECT2;
2312 hci_connect_cfm(conn, 0);
2316 static u8 hci_to_mgmt_reason(u8 err)
2319 case HCI_ERROR_CONNECTION_TIMEOUT:
2320 return MGMT_DEV_DISCONN_TIMEOUT;
2321 case HCI_ERROR_REMOTE_USER_TERM:
2322 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2323 case HCI_ERROR_REMOTE_POWER_OFF:
2324 return MGMT_DEV_DISCONN_REMOTE;
2325 case HCI_ERROR_LOCAL_HOST_TERM:
2326 return MGMT_DEV_DISCONN_LOCAL_HOST;
2328 return MGMT_DEV_DISCONN_UNKNOWN;
2332 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2334 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2335 u8 reason = hci_to_mgmt_reason(ev->reason);
2336 struct hci_conn_params *params;
2337 struct hci_conn *conn;
2338 bool mgmt_connected;
2341 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2345 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2350 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2351 conn->dst_type, ev->status);
2355 conn->state = BT_CLOSED;
2357 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2358 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2359 reason, mgmt_connected);
2361 if (conn->type == ACL_LINK) {
2362 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2363 hci_remove_link_key(hdev, &conn->dst);
2365 hci_update_page_scan(hdev);
2368 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2370 switch (params->auto_connect) {
2371 case HCI_AUTO_CONN_LINK_LOSS:
2372 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2376 case HCI_AUTO_CONN_DIRECT:
2377 case HCI_AUTO_CONN_ALWAYS:
2378 list_del_init(¶ms->action);
2379 list_add(¶ms->action, &hdev->pend_le_conns);
2380 hci_update_background_scan(hdev);
2390 hci_disconn_cfm(conn, ev->reason);
2393 /* Re-enable advertising if necessary, since it might
2394 * have been disabled by the connection. From the
2395 * HCI_LE_Set_Advertise_Enable command description in
2396 * the core specification (v4.0):
2397 * "The Controller shall continue advertising until the Host
2398 * issues an LE_Set_Advertise_Enable command with
2399 * Advertising_Enable set to 0x00 (Advertising is disabled)
2400 * or until a connection is created or until the Advertising
2401 * is timed out due to Directed Advertising."
2403 if (type == LE_LINK)
2404 mgmt_reenable_advertising(hdev);
2407 hci_dev_unlock(hdev);
2410 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2412 struct hci_ev_auth_complete *ev = (void *) skb->data;
2413 struct hci_conn *conn;
2415 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2419 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2424 if (!hci_conn_ssp_enabled(conn) &&
2425 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2426 BT_INFO("re-auth of legacy device is not possible.");
2428 set_bit(HCI_CONN_AUTH, &conn->flags);
2429 conn->sec_level = conn->pending_sec_level;
2432 mgmt_auth_failed(conn, ev->status);
2435 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2436 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2438 if (conn->state == BT_CONFIG) {
2439 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2440 struct hci_cp_set_conn_encrypt cp;
2441 cp.handle = ev->handle;
2443 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2446 conn->state = BT_CONNECTED;
2447 hci_connect_cfm(conn, ev->status);
2448 hci_conn_drop(conn);
2451 hci_auth_cfm(conn, ev->status);
2453 hci_conn_hold(conn);
2454 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2455 hci_conn_drop(conn);
2458 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2460 struct hci_cp_set_conn_encrypt cp;
2461 cp.handle = ev->handle;
2463 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2466 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2467 hci_encrypt_cfm(conn, ev->status, 0x00);
2472 hci_dev_unlock(hdev);
2475 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2477 struct hci_ev_remote_name *ev = (void *) skb->data;
2478 struct hci_conn *conn;
2480 BT_DBG("%s", hdev->name);
2482 hci_conn_check_pending(hdev);
2486 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2488 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2491 if (ev->status == 0)
2492 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2493 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2495 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2501 if (!hci_outgoing_auth_needed(hdev, conn))
2504 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2505 struct hci_cp_auth_requested cp;
2507 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2509 cp.handle = __cpu_to_le16(conn->handle);
2510 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2514 hci_dev_unlock(hdev);
2517 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2518 u16 opcode, struct sk_buff *skb)
2520 const struct hci_rp_read_enc_key_size *rp;
2521 struct hci_conn *conn;
2524 BT_DBG("%s status 0x%02x", hdev->name, status);
2526 if (!skb || skb->len < sizeof(*rp)) {
2527 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2532 rp = (void *)skb->data;
2533 handle = le16_to_cpu(rp->handle);
2537 conn = hci_conn_hash_lookup_handle(hdev, handle);
2541 /* If we fail to read the encryption key size, assume maximum
2542 * (which is the same we do also when this HCI command isn't
2546 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2548 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2550 conn->enc_key_size = rp->key_size;
2553 if (conn->state == BT_CONFIG) {
2554 conn->state = BT_CONNECTED;
2555 hci_connect_cfm(conn, 0);
2556 hci_conn_drop(conn);
2560 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2562 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2567 hci_encrypt_cfm(conn, 0, encrypt);
2571 hci_dev_unlock(hdev);
2574 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2576 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2577 struct hci_conn *conn;
2579 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2583 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2589 /* Encryption implies authentication */
2590 set_bit(HCI_CONN_AUTH, &conn->flags);
2591 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2592 conn->sec_level = conn->pending_sec_level;
2594 /* P-256 authentication key implies FIPS */
2595 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2596 set_bit(HCI_CONN_FIPS, &conn->flags);
2598 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2599 conn->type == LE_LINK)
2600 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2602 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2607 /* We should disregard the current RPA and generate a new one
2608 * whenever the encryption procedure fails.
2610 if (ev->status && conn->type == LE_LINK)
2611 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2613 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2615 if (ev->status && conn->state == BT_CONNECTED) {
2616 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2617 hci_conn_drop(conn);
2621 /* In Secure Connections Only mode, do not allow any connections
2622 * that are not encrypted with AES-CCM using a P-256 authenticated
2625 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2626 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2627 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2628 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2629 hci_conn_drop(conn);
2633 /* Try reading the encryption key size for encrypted ACL links */
2634 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2635 struct hci_cp_read_enc_key_size cp;
2636 struct hci_request req;
2638 /* Only send HCI_Read_Encryption_Key_Size if the
2639 * controller really supports it. If it doesn't, assume
2640 * the default size (16).
2642 if (!(hdev->commands[20] & 0x10)) {
2643 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2647 hci_req_init(&req, hdev);
2649 cp.handle = cpu_to_le16(conn->handle);
2650 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2652 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2653 BT_ERR("Sending HCI Read Encryption Key Size failed");
2654 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2662 if (conn->state == BT_CONFIG) {
2664 conn->state = BT_CONNECTED;
2666 hci_connect_cfm(conn, ev->status);
2667 hci_conn_drop(conn);
2669 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2672 hci_dev_unlock(hdev);
2675 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2676 struct sk_buff *skb)
2678 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2679 struct hci_conn *conn;
2681 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2685 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2688 set_bit(HCI_CONN_SECURE, &conn->flags);
2690 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2692 hci_key_change_cfm(conn, ev->status);
2695 hci_dev_unlock(hdev);
2698 static void hci_remote_features_evt(struct hci_dev *hdev,
2699 struct sk_buff *skb)
2701 struct hci_ev_remote_features *ev = (void *) skb->data;
2702 struct hci_conn *conn;
2704 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2708 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2713 memcpy(conn->features[0], ev->features, 8);
2715 if (conn->state != BT_CONFIG)
2718 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2719 lmp_ext_feat_capable(conn)) {
2720 struct hci_cp_read_remote_ext_features cp;
2721 cp.handle = ev->handle;
2723 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2728 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2729 struct hci_cp_remote_name_req cp;
2730 memset(&cp, 0, sizeof(cp));
2731 bacpy(&cp.bdaddr, &conn->dst);
2732 cp.pscan_rep_mode = 0x02;
2733 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2734 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2735 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2737 if (!hci_outgoing_auth_needed(hdev, conn)) {
2738 conn->state = BT_CONNECTED;
2739 hci_connect_cfm(conn, ev->status);
2740 hci_conn_drop(conn);
2744 hci_dev_unlock(hdev);
2747 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2748 u16 *opcode, u8 *status,
2749 hci_req_complete_t *req_complete,
2750 hci_req_complete_skb_t *req_complete_skb)
2752 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2754 *opcode = __le16_to_cpu(ev->opcode);
2755 *status = skb->data[sizeof(*ev)];
2757 skb_pull(skb, sizeof(*ev));
2760 case HCI_OP_INQUIRY_CANCEL:
2761 hci_cc_inquiry_cancel(hdev, skb);
2764 case HCI_OP_PERIODIC_INQ:
2765 hci_cc_periodic_inq(hdev, skb);
2768 case HCI_OP_EXIT_PERIODIC_INQ:
2769 hci_cc_exit_periodic_inq(hdev, skb);
2772 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2773 hci_cc_remote_name_req_cancel(hdev, skb);
2776 case HCI_OP_ROLE_DISCOVERY:
2777 hci_cc_role_discovery(hdev, skb);
2780 case HCI_OP_READ_LINK_POLICY:
2781 hci_cc_read_link_policy(hdev, skb);
2784 case HCI_OP_WRITE_LINK_POLICY:
2785 hci_cc_write_link_policy(hdev, skb);
2788 case HCI_OP_READ_DEF_LINK_POLICY:
2789 hci_cc_read_def_link_policy(hdev, skb);
2792 case HCI_OP_WRITE_DEF_LINK_POLICY:
2793 hci_cc_write_def_link_policy(hdev, skb);
2797 hci_cc_reset(hdev, skb);
2800 case HCI_OP_READ_STORED_LINK_KEY:
2801 hci_cc_read_stored_link_key(hdev, skb);
2804 case HCI_OP_DELETE_STORED_LINK_KEY:
2805 hci_cc_delete_stored_link_key(hdev, skb);
2808 case HCI_OP_WRITE_LOCAL_NAME:
2809 hci_cc_write_local_name(hdev, skb);
2812 case HCI_OP_READ_LOCAL_NAME:
2813 hci_cc_read_local_name(hdev, skb);
2816 case HCI_OP_WRITE_AUTH_ENABLE:
2817 hci_cc_write_auth_enable(hdev, skb);
2820 case HCI_OP_WRITE_ENCRYPT_MODE:
2821 hci_cc_write_encrypt_mode(hdev, skb);
2824 case HCI_OP_WRITE_SCAN_ENABLE:
2825 hci_cc_write_scan_enable(hdev, skb);
2828 case HCI_OP_READ_CLASS_OF_DEV:
2829 hci_cc_read_class_of_dev(hdev, skb);
2832 case HCI_OP_WRITE_CLASS_OF_DEV:
2833 hci_cc_write_class_of_dev(hdev, skb);
2836 case HCI_OP_READ_VOICE_SETTING:
2837 hci_cc_read_voice_setting(hdev, skb);
2840 case HCI_OP_WRITE_VOICE_SETTING:
2841 hci_cc_write_voice_setting(hdev, skb);
2844 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2845 hci_cc_read_num_supported_iac(hdev, skb);
2848 case HCI_OP_WRITE_SSP_MODE:
2849 hci_cc_write_ssp_mode(hdev, skb);
2852 case HCI_OP_WRITE_SC_SUPPORT:
2853 hci_cc_write_sc_support(hdev, skb);
2856 case HCI_OP_READ_LOCAL_VERSION:
2857 hci_cc_read_local_version(hdev, skb);
2860 case HCI_OP_READ_LOCAL_COMMANDS:
2861 hci_cc_read_local_commands(hdev, skb);
2864 case HCI_OP_READ_LOCAL_FEATURES:
2865 hci_cc_read_local_features(hdev, skb);
2868 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2869 hci_cc_read_local_ext_features(hdev, skb);
2872 case HCI_OP_READ_BUFFER_SIZE:
2873 hci_cc_read_buffer_size(hdev, skb);
2876 case HCI_OP_READ_BD_ADDR:
2877 hci_cc_read_bd_addr(hdev, skb);
2880 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2881 hci_cc_read_page_scan_activity(hdev, skb);
2884 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2885 hci_cc_write_page_scan_activity(hdev, skb);
2888 case HCI_OP_READ_PAGE_SCAN_TYPE:
2889 hci_cc_read_page_scan_type(hdev, skb);
2892 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2893 hci_cc_write_page_scan_type(hdev, skb);
2896 case HCI_OP_READ_DATA_BLOCK_SIZE:
2897 hci_cc_read_data_block_size(hdev, skb);
2900 case HCI_OP_READ_FLOW_CONTROL_MODE:
2901 hci_cc_read_flow_control_mode(hdev, skb);
2904 case HCI_OP_READ_LOCAL_AMP_INFO:
2905 hci_cc_read_local_amp_info(hdev, skb);
2908 case HCI_OP_READ_CLOCK:
2909 hci_cc_read_clock(hdev, skb);
2912 case HCI_OP_READ_INQ_RSP_TX_POWER:
2913 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2916 case HCI_OP_PIN_CODE_REPLY:
2917 hci_cc_pin_code_reply(hdev, skb);
2920 case HCI_OP_PIN_CODE_NEG_REPLY:
2921 hci_cc_pin_code_neg_reply(hdev, skb);
2924 case HCI_OP_READ_LOCAL_OOB_DATA:
2925 hci_cc_read_local_oob_data(hdev, skb);
2928 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2929 hci_cc_read_local_oob_ext_data(hdev, skb);
2932 case HCI_OP_LE_READ_BUFFER_SIZE:
2933 hci_cc_le_read_buffer_size(hdev, skb);
2936 case HCI_OP_LE_READ_LOCAL_FEATURES:
2937 hci_cc_le_read_local_features(hdev, skb);
2940 case HCI_OP_LE_READ_ADV_TX_POWER:
2941 hci_cc_le_read_adv_tx_power(hdev, skb);
2944 case HCI_OP_USER_CONFIRM_REPLY:
2945 hci_cc_user_confirm_reply(hdev, skb);
2948 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2949 hci_cc_user_confirm_neg_reply(hdev, skb);
2952 case HCI_OP_USER_PASSKEY_REPLY:
2953 hci_cc_user_passkey_reply(hdev, skb);
2956 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2957 hci_cc_user_passkey_neg_reply(hdev, skb);
2960 case HCI_OP_LE_SET_RANDOM_ADDR:
2961 hci_cc_le_set_random_addr(hdev, skb);
2964 case HCI_OP_LE_SET_ADV_ENABLE:
2965 hci_cc_le_set_adv_enable(hdev, skb);
2968 case HCI_OP_LE_SET_SCAN_PARAM:
2969 hci_cc_le_set_scan_param(hdev, skb);
2972 case HCI_OP_LE_SET_SCAN_ENABLE:
2973 hci_cc_le_set_scan_enable(hdev, skb);
2976 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2977 hci_cc_le_read_white_list_size(hdev, skb);
2980 case HCI_OP_LE_CLEAR_WHITE_LIST:
2981 hci_cc_le_clear_white_list(hdev, skb);
2984 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2985 hci_cc_le_add_to_white_list(hdev, skb);
2988 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2989 hci_cc_le_del_from_white_list(hdev, skb);
2992 case HCI_OP_LE_READ_SUPPORTED_STATES:
2993 hci_cc_le_read_supported_states(hdev, skb);
2996 case HCI_OP_LE_READ_DEF_DATA_LEN:
2997 hci_cc_le_read_def_data_len(hdev, skb);
3000 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3001 hci_cc_le_write_def_data_len(hdev, skb);
3004 case HCI_OP_LE_READ_MAX_DATA_LEN:
3005 hci_cc_le_read_max_data_len(hdev, skb);
3008 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3009 hci_cc_write_le_host_supported(hdev, skb);
3012 case HCI_OP_LE_SET_ADV_PARAM:
3013 hci_cc_set_adv_param(hdev, skb);
3016 case HCI_OP_READ_RSSI:
3017 hci_cc_read_rssi(hdev, skb);
3020 case HCI_OP_READ_TX_POWER:
3021 hci_cc_read_tx_power(hdev, skb);
3024 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3025 hci_cc_write_ssp_debug_mode(hdev, skb);
3029 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3033 if (*opcode != HCI_OP_NOP)
3034 cancel_delayed_work(&hdev->cmd_timer);
3036 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3037 atomic_set(&hdev->cmd_cnt, 1);
3039 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3042 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3043 queue_work(hdev->workqueue, &hdev->cmd_work);
3046 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3047 u16 *opcode, u8 *status,
3048 hci_req_complete_t *req_complete,
3049 hci_req_complete_skb_t *req_complete_skb)
3051 struct hci_ev_cmd_status *ev = (void *) skb->data;
3053 skb_pull(skb, sizeof(*ev));
3055 *opcode = __le16_to_cpu(ev->opcode);
3056 *status = ev->status;
3059 case HCI_OP_INQUIRY:
3060 hci_cs_inquiry(hdev, ev->status);
3063 case HCI_OP_CREATE_CONN:
3064 hci_cs_create_conn(hdev, ev->status);
3067 case HCI_OP_DISCONNECT:
3068 hci_cs_disconnect(hdev, ev->status);
3071 case HCI_OP_ADD_SCO:
3072 hci_cs_add_sco(hdev, ev->status);
3075 case HCI_OP_AUTH_REQUESTED:
3076 hci_cs_auth_requested(hdev, ev->status);
3079 case HCI_OP_SET_CONN_ENCRYPT:
3080 hci_cs_set_conn_encrypt(hdev, ev->status);
3083 case HCI_OP_REMOTE_NAME_REQ:
3084 hci_cs_remote_name_req(hdev, ev->status);
3087 case HCI_OP_READ_REMOTE_FEATURES:
3088 hci_cs_read_remote_features(hdev, ev->status);
3091 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3092 hci_cs_read_remote_ext_features(hdev, ev->status);
3095 case HCI_OP_SETUP_SYNC_CONN:
3096 hci_cs_setup_sync_conn(hdev, ev->status);
3099 case HCI_OP_SNIFF_MODE:
3100 hci_cs_sniff_mode(hdev, ev->status);
3103 case HCI_OP_EXIT_SNIFF_MODE:
3104 hci_cs_exit_sniff_mode(hdev, ev->status);
3107 case HCI_OP_SWITCH_ROLE:
3108 hci_cs_switch_role(hdev, ev->status);
3111 case HCI_OP_LE_CREATE_CONN:
3112 hci_cs_le_create_conn(hdev, ev->status);
3115 case HCI_OP_LE_READ_REMOTE_FEATURES:
3116 hci_cs_le_read_remote_features(hdev, ev->status);
3119 case HCI_OP_LE_START_ENC:
3120 hci_cs_le_start_enc(hdev, ev->status);
3124 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3128 if (*opcode != HCI_OP_NOP)
3129 cancel_delayed_work(&hdev->cmd_timer);
3131 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3132 atomic_set(&hdev->cmd_cnt, 1);
3134 /* Indicate request completion if the command failed. Also, if
3135 * we're not waiting for a special event and we get a success
3136 * command status we should try to flag the request as completed
3137 * (since for this kind of commands there will not be a command
3141 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3142 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3145 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3146 queue_work(hdev->workqueue, &hdev->cmd_work);
3149 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3151 struct hci_ev_hardware_error *ev = (void *) skb->data;
3153 hdev->hw_error_code = ev->code;
3155 queue_work(hdev->req_workqueue, &hdev->error_reset);
3158 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3160 struct hci_ev_role_change *ev = (void *) skb->data;
3161 struct hci_conn *conn;
3163 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3167 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3170 conn->role = ev->role;
3172 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3174 hci_role_switch_cfm(conn, ev->status, ev->role);
3177 hci_dev_unlock(hdev);
3180 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3182 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3185 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3186 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3190 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3191 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3192 BT_DBG("%s bad parameters", hdev->name);
3196 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3198 for (i = 0; i < ev->num_hndl; i++) {
3199 struct hci_comp_pkts_info *info = &ev->handles[i];
3200 struct hci_conn *conn;
3201 __u16 handle, count;
3203 handle = __le16_to_cpu(info->handle);
3204 count = __le16_to_cpu(info->count);
3206 conn = hci_conn_hash_lookup_handle(hdev, handle);
3210 conn->sent -= count;
3212 switch (conn->type) {
3214 hdev->acl_cnt += count;
3215 if (hdev->acl_cnt > hdev->acl_pkts)
3216 hdev->acl_cnt = hdev->acl_pkts;
3220 if (hdev->le_pkts) {
3221 hdev->le_cnt += count;
3222 if (hdev->le_cnt > hdev->le_pkts)
3223 hdev->le_cnt = hdev->le_pkts;
3225 hdev->acl_cnt += count;
3226 if (hdev->acl_cnt > hdev->acl_pkts)
3227 hdev->acl_cnt = hdev->acl_pkts;
3232 hdev->sco_cnt += count;
3233 if (hdev->sco_cnt > hdev->sco_pkts)
3234 hdev->sco_cnt = hdev->sco_pkts;
3238 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3243 queue_work(hdev->workqueue, &hdev->tx_work);
3246 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3249 struct hci_chan *chan;
3251 switch (hdev->dev_type) {
3253 return hci_conn_hash_lookup_handle(hdev, handle);
3255 chan = hci_chan_lookup_handle(hdev, handle);
3260 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3267 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3269 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3272 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3273 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3277 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3278 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3279 BT_DBG("%s bad parameters", hdev->name);
3283 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3286 for (i = 0; i < ev->num_hndl; i++) {
3287 struct hci_comp_blocks_info *info = &ev->handles[i];
3288 struct hci_conn *conn = NULL;
3289 __u16 handle, block_count;
3291 handle = __le16_to_cpu(info->handle);
3292 block_count = __le16_to_cpu(info->blocks);
3294 conn = __hci_conn_lookup_handle(hdev, handle);
3298 conn->sent -= block_count;
3300 switch (conn->type) {
3303 hdev->block_cnt += block_count;
3304 if (hdev->block_cnt > hdev->num_blocks)
3305 hdev->block_cnt = hdev->num_blocks;
3309 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3314 queue_work(hdev->workqueue, &hdev->tx_work);
3317 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3319 struct hci_ev_mode_change *ev = (void *) skb->data;
3320 struct hci_conn *conn;
3322 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3326 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3328 conn->mode = ev->mode;
3330 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3332 if (conn->mode == HCI_CM_ACTIVE)
3333 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3335 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3338 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3339 hci_sco_setup(conn, ev->status);
3342 hci_dev_unlock(hdev);
3345 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3347 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3348 struct hci_conn *conn;
3350 BT_DBG("%s", hdev->name);
3354 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3358 if (conn->state == BT_CONNECTED) {
3359 hci_conn_hold(conn);
3360 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3361 hci_conn_drop(conn);
3364 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3365 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3366 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3367 sizeof(ev->bdaddr), &ev->bdaddr);
3368 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3371 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3376 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3380 hci_dev_unlock(hdev);
3383 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3385 if (key_type == HCI_LK_CHANGED_COMBINATION)
3388 conn->pin_length = pin_len;
3389 conn->key_type = key_type;
3392 case HCI_LK_LOCAL_UNIT:
3393 case HCI_LK_REMOTE_UNIT:
3394 case HCI_LK_DEBUG_COMBINATION:
3396 case HCI_LK_COMBINATION:
3398 conn->pending_sec_level = BT_SECURITY_HIGH;
3400 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3402 case HCI_LK_UNAUTH_COMBINATION_P192:
3403 case HCI_LK_UNAUTH_COMBINATION_P256:
3404 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3406 case HCI_LK_AUTH_COMBINATION_P192:
3407 conn->pending_sec_level = BT_SECURITY_HIGH;
3409 case HCI_LK_AUTH_COMBINATION_P256:
3410 conn->pending_sec_level = BT_SECURITY_FIPS;
3415 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3417 struct hci_ev_link_key_req *ev = (void *) skb->data;
3418 struct hci_cp_link_key_reply cp;
3419 struct hci_conn *conn;
3420 struct link_key *key;
3422 BT_DBG("%s", hdev->name);
3424 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3429 key = hci_find_link_key(hdev, &ev->bdaddr);
3431 BT_DBG("%s link key not found for %pMR", hdev->name,
3436 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3439 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3441 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3443 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3444 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3445 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3446 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3450 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3451 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3452 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3453 BT_DBG("%s ignoring key unauthenticated for high security",
3458 conn_set_key(conn, key->type, key->pin_len);
3461 bacpy(&cp.bdaddr, &ev->bdaddr);
3462 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3464 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3466 hci_dev_unlock(hdev);
3471 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3472 hci_dev_unlock(hdev);
3475 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3477 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3478 struct hci_conn *conn;
3479 struct link_key *key;
3483 BT_DBG("%s", hdev->name);
3487 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3491 hci_conn_hold(conn);
3492 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3493 hci_conn_drop(conn);
3495 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3496 conn_set_key(conn, ev->key_type, conn->pin_length);
3498 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3501 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3502 ev->key_type, pin_len, &persistent);
3506 /* Update connection information since adding the key will have
3507 * fixed up the type in the case of changed combination keys.
3509 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3510 conn_set_key(conn, key->type, key->pin_len);
3512 mgmt_new_link_key(hdev, key, persistent);
3514 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3515 * is set. If it's not set simply remove the key from the kernel
3516 * list (we've still notified user space about it but with
3517 * store_hint being 0).
3519 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3520 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3521 list_del_rcu(&key->list);
3522 kfree_rcu(key, rcu);
3527 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3529 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3532 hci_dev_unlock(hdev);
3535 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3537 struct hci_ev_clock_offset *ev = (void *) skb->data;
3538 struct hci_conn *conn;
3540 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3544 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3545 if (conn && !ev->status) {
3546 struct inquiry_entry *ie;
3548 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3550 ie->data.clock_offset = ev->clock_offset;
3551 ie->timestamp = jiffies;
3555 hci_dev_unlock(hdev);
3558 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3560 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3561 struct hci_conn *conn;
3563 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3567 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3568 if (conn && !ev->status)
3569 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3571 hci_dev_unlock(hdev);
3574 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3576 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3577 struct inquiry_entry *ie;
3579 BT_DBG("%s", hdev->name);
3583 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3585 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3586 ie->timestamp = jiffies;
3589 hci_dev_unlock(hdev);
3592 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3593 struct sk_buff *skb)
3595 struct inquiry_data data;
3596 int num_rsp = *((__u8 *) skb->data);
3598 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3603 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3608 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3609 struct inquiry_info_with_rssi_and_pscan_mode *info;
3610 info = (void *) (skb->data + 1);
3612 for (; num_rsp; num_rsp--, info++) {
3615 bacpy(&data.bdaddr, &info->bdaddr);
3616 data.pscan_rep_mode = info->pscan_rep_mode;
3617 data.pscan_period_mode = info->pscan_period_mode;
3618 data.pscan_mode = info->pscan_mode;
3619 memcpy(data.dev_class, info->dev_class, 3);
3620 data.clock_offset = info->clock_offset;
3621 data.rssi = info->rssi;
3622 data.ssp_mode = 0x00;
3624 flags = hci_inquiry_cache_update(hdev, &data, false);
3626 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3627 info->dev_class, info->rssi,
3628 flags, NULL, 0, NULL, 0);
3631 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3633 for (; num_rsp; num_rsp--, info++) {
3636 bacpy(&data.bdaddr, &info->bdaddr);
3637 data.pscan_rep_mode = info->pscan_rep_mode;
3638 data.pscan_period_mode = info->pscan_period_mode;
3639 data.pscan_mode = 0x00;
3640 memcpy(data.dev_class, info->dev_class, 3);
3641 data.clock_offset = info->clock_offset;
3642 data.rssi = info->rssi;
3643 data.ssp_mode = 0x00;
3645 flags = hci_inquiry_cache_update(hdev, &data, false);
3647 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3648 info->dev_class, info->rssi,
3649 flags, NULL, 0, NULL, 0);
3653 hci_dev_unlock(hdev);
3656 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3657 struct sk_buff *skb)
3659 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3660 struct hci_conn *conn;
3662 BT_DBG("%s", hdev->name);
3666 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3670 if (ev->page < HCI_MAX_PAGES)
3671 memcpy(conn->features[ev->page], ev->features, 8);
3673 if (!ev->status && ev->page == 0x01) {
3674 struct inquiry_entry *ie;
3676 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3678 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3680 if (ev->features[0] & LMP_HOST_SSP) {
3681 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3683 /* It is mandatory by the Bluetooth specification that
3684 * Extended Inquiry Results are only used when Secure
3685 * Simple Pairing is enabled, but some devices violate
3688 * To make these devices work, the internal SSP
3689 * enabled flag needs to be cleared if the remote host
3690 * features do not indicate SSP support */
3691 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3694 if (ev->features[0] & LMP_HOST_SC)
3695 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3698 if (conn->state != BT_CONFIG)
3701 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3702 struct hci_cp_remote_name_req cp;
3703 memset(&cp, 0, sizeof(cp));
3704 bacpy(&cp.bdaddr, &conn->dst);
3705 cp.pscan_rep_mode = 0x02;
3706 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3707 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3708 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3710 if (!hci_outgoing_auth_needed(hdev, conn)) {
3711 conn->state = BT_CONNECTED;
3712 hci_connect_cfm(conn, ev->status);
3713 hci_conn_drop(conn);
3717 hci_dev_unlock(hdev);
3720 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3721 struct sk_buff *skb)
3723 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3724 struct hci_conn *conn;
3726 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3730 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3732 if (ev->link_type == ESCO_LINK)
3735 /* When the link type in the event indicates SCO connection
3736 * and lookup of the connection object fails, then check
3737 * if an eSCO connection object exists.
3739 * The core limits the synchronous connections to either
3740 * SCO or eSCO. The eSCO connection is preferred and tried
3741 * to be setup first and until successfully established,
3742 * the link type will be hinted as eSCO.
3744 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3749 switch (ev->status) {
3751 conn->handle = __le16_to_cpu(ev->handle);
3752 conn->state = BT_CONNECTED;
3753 conn->type = ev->link_type;
3755 hci_debugfs_create_conn(conn);
3756 hci_conn_add_sysfs(conn);
3759 case 0x10: /* Connection Accept Timeout */
3760 case 0x0d: /* Connection Rejected due to Limited Resources */
3761 case 0x11: /* Unsupported Feature or Parameter Value */
3762 case 0x1c: /* SCO interval rejected */
3763 case 0x1a: /* Unsupported Remote Feature */
3764 case 0x1f: /* Unspecified error */
3765 case 0x20: /* Unsupported LMP Parameter value */
3767 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3768 (hdev->esco_type & EDR_ESCO_MASK);
3769 if (hci_setup_sync(conn, conn->link->handle))
3775 conn->state = BT_CLOSED;
3779 hci_connect_cfm(conn, ev->status);
3784 hci_dev_unlock(hdev);
3787 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3791 while (parsed < eir_len) {
3792 u8 field_len = eir[0];
3797 parsed += field_len + 1;
3798 eir += field_len + 1;
3804 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3805 struct sk_buff *skb)
3807 struct inquiry_data data;
3808 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3809 int num_rsp = *((__u8 *) skb->data);
3812 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3817 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3822 for (; num_rsp; num_rsp--, info++) {
3826 bacpy(&data.bdaddr, &info->bdaddr);
3827 data.pscan_rep_mode = info->pscan_rep_mode;
3828 data.pscan_period_mode = info->pscan_period_mode;
3829 data.pscan_mode = 0x00;
3830 memcpy(data.dev_class, info->dev_class, 3);
3831 data.clock_offset = info->clock_offset;
3832 data.rssi = info->rssi;
3833 data.ssp_mode = 0x01;
3835 if (hci_dev_test_flag(hdev, HCI_MGMT))
3836 name_known = eir_has_data_type(info->data,
3842 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3844 eir_len = eir_get_length(info->data, sizeof(info->data));
3846 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3847 info->dev_class, info->rssi,
3848 flags, info->data, eir_len, NULL, 0);
3851 hci_dev_unlock(hdev);
3854 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3855 struct sk_buff *skb)
3857 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3858 struct hci_conn *conn;
3860 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3861 __le16_to_cpu(ev->handle));
3865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3869 /* For BR/EDR the necessary steps are taken through the
3870 * auth_complete event.
3872 if (conn->type != LE_LINK)
3876 conn->sec_level = conn->pending_sec_level;
3878 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3880 if (ev->status && conn->state == BT_CONNECTED) {
3881 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3882 hci_conn_drop(conn);
3886 if (conn->state == BT_CONFIG) {
3888 conn->state = BT_CONNECTED;
3890 hci_connect_cfm(conn, ev->status);
3891 hci_conn_drop(conn);
3893 hci_auth_cfm(conn, ev->status);
3895 hci_conn_hold(conn);
3896 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3897 hci_conn_drop(conn);
3901 hci_dev_unlock(hdev);
3904 static u8 hci_get_auth_req(struct hci_conn *conn)
3906 /* If remote requests no-bonding follow that lead */
3907 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3908 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3909 return conn->remote_auth | (conn->auth_type & 0x01);
3911 /* If both remote and local have enough IO capabilities, require
3914 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3915 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3916 return conn->remote_auth | 0x01;
3918 /* No MITM protection possible so ignore remote requirement */
3919 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3922 static u8 bredr_oob_data_present(struct hci_conn *conn)
3924 struct hci_dev *hdev = conn->hdev;
3925 struct oob_data *data;
3927 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3931 if (bredr_sc_enabled(hdev)) {
3932 /* When Secure Connections is enabled, then just
3933 * return the present value stored with the OOB
3934 * data. The stored value contains the right present
3935 * information. However it can only be trusted when
3936 * not in Secure Connection Only mode.
3938 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3939 return data->present;
3941 /* When Secure Connections Only mode is enabled, then
3942 * the P-256 values are required. If they are not
3943 * available, then do not declare that OOB data is
3946 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3947 !memcmp(data->hash256, ZERO_KEY, 16))
3953 /* When Secure Connections is not enabled or actually
3954 * not supported by the hardware, then check that if
3955 * P-192 data values are present.
3957 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3958 !memcmp(data->hash192, ZERO_KEY, 16))
3964 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3966 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3967 struct hci_conn *conn;
3969 BT_DBG("%s", hdev->name);
3973 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3977 hci_conn_hold(conn);
3979 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3982 /* Allow pairing if we're pairable, the initiators of the
3983 * pairing or if the remote is not requesting bonding.
3985 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3986 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3987 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3988 struct hci_cp_io_capability_reply cp;
3990 bacpy(&cp.bdaddr, &ev->bdaddr);
3991 /* Change the IO capability from KeyboardDisplay
3992 * to DisplayYesNo as it is not supported by BT spec. */
3993 cp.capability = (conn->io_capability == 0x04) ?
3994 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3996 /* If we are initiators, there is no remote information yet */
3997 if (conn->remote_auth == 0xff) {
3998 /* Request MITM protection if our IO caps allow it
3999 * except for the no-bonding case.
4001 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4002 conn->auth_type != HCI_AT_NO_BONDING)
4003 conn->auth_type |= 0x01;
4005 conn->auth_type = hci_get_auth_req(conn);
4008 /* If we're not bondable, force one of the non-bondable
4009 * authentication requirement values.
4011 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4012 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4014 cp.authentication = conn->auth_type;
4015 cp.oob_data = bredr_oob_data_present(conn);
4017 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4020 struct hci_cp_io_capability_neg_reply cp;
4022 bacpy(&cp.bdaddr, &ev->bdaddr);
4023 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4025 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4030 hci_dev_unlock(hdev);
4033 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4035 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4036 struct hci_conn *conn;
4038 BT_DBG("%s", hdev->name);
4042 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4046 conn->remote_cap = ev->capability;
4047 conn->remote_auth = ev->authentication;
4050 hci_dev_unlock(hdev);
4053 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4054 struct sk_buff *skb)
4056 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4057 int loc_mitm, rem_mitm, confirm_hint = 0;
4058 struct hci_conn *conn;
4060 BT_DBG("%s", hdev->name);
4064 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4067 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4071 loc_mitm = (conn->auth_type & 0x01);
4072 rem_mitm = (conn->remote_auth & 0x01);
4074 /* If we require MITM but the remote device can't provide that
4075 * (it has NoInputNoOutput) then reject the confirmation
4076 * request. We check the security level here since it doesn't
4077 * necessarily match conn->auth_type.
4079 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4080 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4081 BT_DBG("Rejecting request: remote device can't provide MITM");
4082 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4083 sizeof(ev->bdaddr), &ev->bdaddr);
4087 /* If no side requires MITM protection; auto-accept */
4088 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4089 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4091 /* If we're not the initiators request authorization to
4092 * proceed from user space (mgmt_user_confirm with
4093 * confirm_hint set to 1). The exception is if neither
4094 * side had MITM or if the local IO capability is
4095 * NoInputNoOutput, in which case we do auto-accept
4097 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4098 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4099 (loc_mitm || rem_mitm)) {
4100 BT_DBG("Confirming auto-accept as acceptor");
4105 BT_DBG("Auto-accept of user confirmation with %ums delay",
4106 hdev->auto_accept_delay);
4108 if (hdev->auto_accept_delay > 0) {
4109 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4110 queue_delayed_work(conn->hdev->workqueue,
4111 &conn->auto_accept_work, delay);
4115 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4116 sizeof(ev->bdaddr), &ev->bdaddr);
4121 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4122 le32_to_cpu(ev->passkey), confirm_hint);
4125 hci_dev_unlock(hdev);
4128 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4129 struct sk_buff *skb)
4131 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4133 BT_DBG("%s", hdev->name);
4135 if (hci_dev_test_flag(hdev, HCI_MGMT))
4136 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4139 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4140 struct sk_buff *skb)
4142 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4143 struct hci_conn *conn;
4145 BT_DBG("%s", hdev->name);
4147 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4151 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4152 conn->passkey_entered = 0;
4154 if (hci_dev_test_flag(hdev, HCI_MGMT))
4155 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4156 conn->dst_type, conn->passkey_notify,
4157 conn->passkey_entered);
4160 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4162 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4163 struct hci_conn *conn;
4165 BT_DBG("%s", hdev->name);
4167 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4172 case HCI_KEYPRESS_STARTED:
4173 conn->passkey_entered = 0;
4176 case HCI_KEYPRESS_ENTERED:
4177 conn->passkey_entered++;
4180 case HCI_KEYPRESS_ERASED:
4181 conn->passkey_entered--;
4184 case HCI_KEYPRESS_CLEARED:
4185 conn->passkey_entered = 0;
4188 case HCI_KEYPRESS_COMPLETED:
4192 if (hci_dev_test_flag(hdev, HCI_MGMT))
4193 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4194 conn->dst_type, conn->passkey_notify,
4195 conn->passkey_entered);
4198 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4199 struct sk_buff *skb)
4201 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4202 struct hci_conn *conn;
4204 BT_DBG("%s", hdev->name);
4208 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4212 /* Reset the authentication requirement to unknown */
4213 conn->remote_auth = 0xff;
4215 /* To avoid duplicate auth_failed events to user space we check
4216 * the HCI_CONN_AUTH_PEND flag which will be set if we
4217 * initiated the authentication. A traditional auth_complete
4218 * event gets always produced as initiator and is also mapped to
4219 * the mgmt_auth_failed event */
4220 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4221 mgmt_auth_failed(conn, ev->status);
4223 hci_conn_drop(conn);
4226 hci_dev_unlock(hdev);
4229 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4230 struct sk_buff *skb)
4232 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4233 struct inquiry_entry *ie;
4234 struct hci_conn *conn;
4236 BT_DBG("%s", hdev->name);
4240 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4242 memcpy(conn->features[1], ev->features, 8);
4244 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4246 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4248 hci_dev_unlock(hdev);
4251 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4252 struct sk_buff *skb)
4254 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4255 struct oob_data *data;
4257 BT_DBG("%s", hdev->name);
4261 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4264 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4266 struct hci_cp_remote_oob_data_neg_reply cp;
4268 bacpy(&cp.bdaddr, &ev->bdaddr);
4269 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4274 if (bredr_sc_enabled(hdev)) {
4275 struct hci_cp_remote_oob_ext_data_reply cp;
4277 bacpy(&cp.bdaddr, &ev->bdaddr);
4278 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4279 memset(cp.hash192, 0, sizeof(cp.hash192));
4280 memset(cp.rand192, 0, sizeof(cp.rand192));
4282 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4283 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4285 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4286 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4288 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4291 struct hci_cp_remote_oob_data_reply cp;
4293 bacpy(&cp.bdaddr, &ev->bdaddr);
4294 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4295 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4297 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4302 hci_dev_unlock(hdev);
4305 #if IS_ENABLED(CONFIG_BT_HS)
4306 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4308 struct hci_ev_channel_selected *ev = (void *)skb->data;
4309 struct hci_conn *hcon;
4311 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4313 skb_pull(skb, sizeof(*ev));
4315 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4319 amp_read_loc_assoc_final_data(hdev, hcon);
4322 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4323 struct sk_buff *skb)
4325 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4326 struct hci_conn *hcon, *bredr_hcon;
4328 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4333 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4335 hci_dev_unlock(hdev);
4341 hci_dev_unlock(hdev);
4345 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4347 hcon->state = BT_CONNECTED;
4348 bacpy(&hcon->dst, &bredr_hcon->dst);
4350 hci_conn_hold(hcon);
4351 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4352 hci_conn_drop(hcon);
4354 hci_debugfs_create_conn(hcon);
4355 hci_conn_add_sysfs(hcon);
4357 amp_physical_cfm(bredr_hcon, hcon);
4359 hci_dev_unlock(hdev);
4362 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4364 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4365 struct hci_conn *hcon;
4366 struct hci_chan *hchan;
4367 struct amp_mgr *mgr;
4369 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4370 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4373 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4377 /* Create AMP hchan */
4378 hchan = hci_chan_create(hcon);
4382 hchan->handle = le16_to_cpu(ev->handle);
4384 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4386 mgr = hcon->amp_mgr;
4387 if (mgr && mgr->bredr_chan) {
4388 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4390 l2cap_chan_lock(bredr_chan);
4392 bredr_chan->conn->mtu = hdev->block_mtu;
4393 l2cap_logical_cfm(bredr_chan, hchan, 0);
4394 hci_conn_hold(hcon);
4396 l2cap_chan_unlock(bredr_chan);
4400 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4401 struct sk_buff *skb)
4403 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4404 struct hci_chan *hchan;
4406 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4407 le16_to_cpu(ev->handle), ev->status);
4414 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4418 amp_destroy_logical_link(hchan, ev->reason);
4421 hci_dev_unlock(hdev);
4424 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4425 struct sk_buff *skb)
4427 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4428 struct hci_conn *hcon;
4430 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4437 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4439 hcon->state = BT_CLOSED;
4443 hci_dev_unlock(hdev);
4447 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4449 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4450 struct hci_conn_params *params;
4451 struct hci_conn *conn;
4452 struct smp_irk *irk;
4455 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4459 /* All controllers implicitly stop advertising in the event of a
4460 * connection, so ensure that the state bit is cleared.
4462 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4464 conn = hci_lookup_le_connect(hdev);
4466 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4468 BT_ERR("No memory for new connection");
4472 conn->dst_type = ev->bdaddr_type;
4474 /* If we didn't have a hci_conn object previously
4475 * but we're in master role this must be something
4476 * initiated using a white list. Since white list based
4477 * connections are not "first class citizens" we don't
4478 * have full tracking of them. Therefore, we go ahead
4479 * with a "best effort" approach of determining the
4480 * initiator address based on the HCI_PRIVACY flag.
4483 conn->resp_addr_type = ev->bdaddr_type;
4484 bacpy(&conn->resp_addr, &ev->bdaddr);
4485 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4486 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4487 bacpy(&conn->init_addr, &hdev->rpa);
4489 hci_copy_identity_address(hdev,
4491 &conn->init_addr_type);
4495 cancel_delayed_work(&conn->le_conn_timeout);
4499 /* Set the responder (our side) address type based on
4500 * the advertising address type.
4502 conn->resp_addr_type = hdev->adv_addr_type;
4503 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4504 bacpy(&conn->resp_addr, &hdev->random_addr);
4506 bacpy(&conn->resp_addr, &hdev->bdaddr);
4508 conn->init_addr_type = ev->bdaddr_type;
4509 bacpy(&conn->init_addr, &ev->bdaddr);
4511 /* For incoming connections, set the default minimum
4512 * and maximum connection interval. They will be used
4513 * to check if the parameters are in range and if not
4514 * trigger the connection update procedure.
4516 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4517 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4520 /* Lookup the identity address from the stored connection
4521 * address and address type.
4523 * When establishing connections to an identity address, the
4524 * connection procedure will store the resolvable random
4525 * address first. Now if it can be converted back into the
4526 * identity address, start using the identity address from
4529 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4531 bacpy(&conn->dst, &irk->bdaddr);
4532 conn->dst_type = irk->addr_type;
4536 hci_le_conn_failed(conn, ev->status);
4540 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4541 addr_type = BDADDR_LE_PUBLIC;
4543 addr_type = BDADDR_LE_RANDOM;
4545 /* Drop the connection if the device is blocked */
4546 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4547 hci_conn_drop(conn);
4551 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4552 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4554 conn->sec_level = BT_SECURITY_LOW;
4555 conn->handle = __le16_to_cpu(ev->handle);
4556 conn->state = BT_CONFIG;
4558 conn->le_conn_interval = le16_to_cpu(ev->interval);
4559 conn->le_conn_latency = le16_to_cpu(ev->latency);
4560 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4562 hci_debugfs_create_conn(conn);
4563 hci_conn_add_sysfs(conn);
4566 /* The remote features procedure is defined for master
4567 * role only. So only in case of an initiated connection
4568 * request the remote features.
4570 * If the local controller supports slave-initiated features
4571 * exchange, then requesting the remote features in slave
4572 * role is possible. Otherwise just transition into the
4573 * connected state without requesting the remote features.
4576 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4577 struct hci_cp_le_read_remote_features cp;
4579 cp.handle = __cpu_to_le16(conn->handle);
4581 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4584 hci_conn_hold(conn);
4586 conn->state = BT_CONNECTED;
4587 hci_connect_cfm(conn, ev->status);
4590 hci_connect_cfm(conn, ev->status);
4593 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4596 list_del_init(¶ms->action);
4598 hci_conn_drop(params->conn);
4599 hci_conn_put(params->conn);
4600 params->conn = NULL;
4605 hci_update_background_scan(hdev);
4606 hci_dev_unlock(hdev);
4609 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4610 struct sk_buff *skb)
4612 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4613 struct hci_conn *conn;
4615 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4622 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4624 conn->le_conn_interval = le16_to_cpu(ev->interval);
4625 conn->le_conn_latency = le16_to_cpu(ev->latency);
4626 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4629 hci_dev_unlock(hdev);
4632 /* This function requires the caller holds hdev->lock */
4633 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4635 u8 addr_type, u8 adv_type)
4637 struct hci_conn *conn;
4638 struct hci_conn_params *params;
4640 /* If the event is not connectable don't proceed further */
4641 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4644 /* Ignore if the device is blocked */
4645 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4648 /* Most controller will fail if we try to create new connections
4649 * while we have an existing one in slave role.
4651 if (hdev->conn_hash.le_num_slave > 0)
4654 /* If we're not connectable only connect devices that we have in
4655 * our pend_le_conns list.
4657 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4662 if (!params->explicit_connect) {
4663 switch (params->auto_connect) {
4664 case HCI_AUTO_CONN_DIRECT:
4665 /* Only devices advertising with ADV_DIRECT_IND are
4666 * triggering a connection attempt. This is allowing
4667 * incoming connections from slave devices.
4669 if (adv_type != LE_ADV_DIRECT_IND)
4672 case HCI_AUTO_CONN_ALWAYS:
4673 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4674 * are triggering a connection attempt. This means
4675 * that incoming connectioms from slave device are
4676 * accepted and also outgoing connections to slave
4677 * devices are established when found.
4685 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4686 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4687 if (!IS_ERR(conn)) {
4688 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4689 * by higher layer that tried to connect, if no then
4690 * store the pointer since we don't really have any
4691 * other owner of the object besides the params that
4692 * triggered it. This way we can abort the connection if
4693 * the parameters get removed and keep the reference
4694 * count consistent once the connection is established.
4697 if (!params->explicit_connect)
4698 params->conn = hci_conn_get(conn);
4703 switch (PTR_ERR(conn)) {
4705 /* If hci_connect() returns -EBUSY it means there is already
4706 * an LE connection attempt going on. Since controllers don't
4707 * support more than one connection attempt at the time, we
4708 * don't consider this an error case.
4712 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4719 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4720 u8 bdaddr_type, bdaddr_t *direct_addr,
4721 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4723 struct discovery_state *d = &hdev->discovery;
4724 struct smp_irk *irk;
4725 struct hci_conn *conn;
4730 /* Find the end of the data in case the report contains padded zero
4731 * bytes at the end causing an invalid length value.
4733 * When data is NULL, len is 0 so there is no need for extra ptr
4734 * check as 'ptr < data + 0' is already false in such case.
4736 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4737 if (ptr + 1 + *ptr > data + len)
4741 real_len = ptr - data;
4743 /* Adjust for actual length */
4744 if (len != real_len) {
4745 BT_ERR_RATELIMITED("%s advertising data length corrected",
4750 /* If the direct address is present, then this report is from
4751 * a LE Direct Advertising Report event. In that case it is
4752 * important to see if the address is matching the local
4753 * controller address.
4756 /* Only resolvable random addresses are valid for these
4757 * kind of reports and others can be ignored.
4759 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4762 /* If the controller is not using resolvable random
4763 * addresses, then this report can be ignored.
4765 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4768 /* If the local IRK of the controller does not match
4769 * with the resolvable random address provided, then
4770 * this report can be ignored.
4772 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4776 /* Check if we need to convert to identity address */
4777 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4779 bdaddr = &irk->bdaddr;
4780 bdaddr_type = irk->addr_type;
4783 /* Check if we have been requested to connect to this device */
4784 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4785 if (conn && type == LE_ADV_IND) {
4786 /* Store report for later inclusion by
4787 * mgmt_device_connected
4789 memcpy(conn->le_adv_data, data, len);
4790 conn->le_adv_data_len = len;
4793 /* Passive scanning shouldn't trigger any device found events,
4794 * except for devices marked as CONN_REPORT for which we do send
4795 * device found events.
4797 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4798 if (type == LE_ADV_DIRECT_IND)
4801 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4802 bdaddr, bdaddr_type))
4805 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4806 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4809 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4810 rssi, flags, data, len, NULL, 0);
4814 /* When receiving non-connectable or scannable undirected
4815 * advertising reports, this means that the remote device is
4816 * not connectable and then clearly indicate this in the
4817 * device found event.
4819 * When receiving a scan response, then there is no way to
4820 * know if the remote device is connectable or not. However
4821 * since scan responses are merged with a previously seen
4822 * advertising report, the flags field from that report
4825 * In the really unlikely case that a controller get confused
4826 * and just sends a scan response event, then it is marked as
4827 * not connectable as well.
4829 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4830 type == LE_ADV_SCAN_RSP)
4831 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4835 /* If there's nothing pending either store the data from this
4836 * event or send an immediate device found event if the data
4837 * should not be stored for later.
4839 if (!has_pending_adv_report(hdev)) {
4840 /* If the report will trigger a SCAN_REQ store it for
4843 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4844 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4845 rssi, flags, data, len);
4849 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4850 rssi, flags, data, len, NULL, 0);
4854 /* Check if the pending report is for the same device as the new one */
4855 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4856 bdaddr_type == d->last_adv_addr_type);
4858 /* If the pending data doesn't match this report or this isn't a
4859 * scan response (e.g. we got a duplicate ADV_IND) then force
4860 * sending of the pending data.
4862 if (type != LE_ADV_SCAN_RSP || !match) {
4863 /* Send out whatever is in the cache, but skip duplicates */
4865 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4866 d->last_adv_addr_type, NULL,
4867 d->last_adv_rssi, d->last_adv_flags,
4869 d->last_adv_data_len, NULL, 0);
4871 /* If the new report will trigger a SCAN_REQ store it for
4874 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4875 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4876 rssi, flags, data, len);
4880 /* The advertising reports cannot be merged, so clear
4881 * the pending report and send out a device found event.
4883 clear_pending_adv_report(hdev);
4884 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885 rssi, flags, data, len, NULL, 0);
4889 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4890 * the new event is a SCAN_RSP. We can therefore proceed with
4891 * sending a merged device found event.
4893 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4894 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4895 d->last_adv_data, d->last_adv_data_len, data, len);
4896 clear_pending_adv_report(hdev);
4899 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4901 u8 num_reports = skb->data[0];
4902 void *ptr = &skb->data[1];
4906 while (num_reports--) {
4907 struct hci_ev_le_advertising_info *ev = ptr;
4910 rssi = ev->data[ev->length];
4911 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4912 ev->bdaddr_type, NULL, 0, rssi,
4913 ev->data, ev->length);
4915 ptr += sizeof(*ev) + ev->length + 1;
4918 hci_dev_unlock(hdev);
4921 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4922 struct sk_buff *skb)
4924 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4925 struct hci_conn *conn;
4927 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4931 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4934 memcpy(conn->features[0], ev->features, 8);
4936 if (conn->state == BT_CONFIG) {
4939 /* If the local controller supports slave-initiated
4940 * features exchange, but the remote controller does
4941 * not, then it is possible that the error code 0x1a
4942 * for unsupported remote feature gets returned.
4944 * In this specific case, allow the connection to
4945 * transition into connected state and mark it as
4948 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4949 !conn->out && ev->status == 0x1a)
4952 status = ev->status;
4954 conn->state = BT_CONNECTED;
4955 hci_connect_cfm(conn, status);
4956 hci_conn_drop(conn);
4960 hci_dev_unlock(hdev);
4963 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4965 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4966 struct hci_cp_le_ltk_reply cp;
4967 struct hci_cp_le_ltk_neg_reply neg;
4968 struct hci_conn *conn;
4969 struct smp_ltk *ltk;
4971 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4975 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4979 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4983 if (smp_ltk_is_sc(ltk)) {
4984 /* With SC both EDiv and Rand are set to zero */
4985 if (ev->ediv || ev->rand)
4988 /* For non-SC keys check that EDiv and Rand match */
4989 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4993 memcpy(cp.ltk, ltk->val, ltk->enc_size);
4994 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
4995 cp.handle = cpu_to_le16(conn->handle);
4997 conn->pending_sec_level = smp_ltk_sec_level(ltk);
4999 conn->enc_key_size = ltk->enc_size;
5001 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5003 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5004 * temporary key used to encrypt a connection following
5005 * pairing. It is used during the Encrypted Session Setup to
5006 * distribute the keys. Later, security can be re-established
5007 * using a distributed LTK.
5009 if (ltk->type == SMP_STK) {
5010 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5011 list_del_rcu(<k->list);
5012 kfree_rcu(ltk, rcu);
5014 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5017 hci_dev_unlock(hdev);
5022 neg.handle = ev->handle;
5023 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5024 hci_dev_unlock(hdev);
5027 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5030 struct hci_cp_le_conn_param_req_neg_reply cp;
5032 cp.handle = cpu_to_le16(handle);
5035 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5039 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5040 struct sk_buff *skb)
5042 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5043 struct hci_cp_le_conn_param_req_reply cp;
5044 struct hci_conn *hcon;
5045 u16 handle, min, max, latency, timeout;
5047 handle = le16_to_cpu(ev->handle);
5048 min = le16_to_cpu(ev->interval_min);
5049 max = le16_to_cpu(ev->interval_max);
5050 latency = le16_to_cpu(ev->latency);
5051 timeout = le16_to_cpu(ev->timeout);
5053 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5054 if (!hcon || hcon->state != BT_CONNECTED)
5055 return send_conn_param_neg_reply(hdev, handle,
5056 HCI_ERROR_UNKNOWN_CONN_ID);
5058 if (hci_check_conn_params(min, max, latency, timeout))
5059 return send_conn_param_neg_reply(hdev, handle,
5060 HCI_ERROR_INVALID_LL_PARAMS);
5062 if (hcon->role == HCI_ROLE_MASTER) {
5063 struct hci_conn_params *params;
5068 params = hci_conn_params_lookup(hdev, &hcon->dst,
5071 params->conn_min_interval = min;
5072 params->conn_max_interval = max;
5073 params->conn_latency = latency;
5074 params->supervision_timeout = timeout;
5080 hci_dev_unlock(hdev);
5082 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5083 store_hint, min, max, latency, timeout);
5086 cp.handle = ev->handle;
5087 cp.interval_min = ev->interval_min;
5088 cp.interval_max = ev->interval_max;
5089 cp.latency = ev->latency;
5090 cp.timeout = ev->timeout;
5094 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5097 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5098 struct sk_buff *skb)
5100 u8 num_reports = skb->data[0];
5101 void *ptr = &skb->data[1];
5105 while (num_reports--) {
5106 struct hci_ev_le_direct_adv_info *ev = ptr;
5108 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5109 ev->bdaddr_type, &ev->direct_addr,
5110 ev->direct_addr_type, ev->rssi, NULL, 0);
5115 hci_dev_unlock(hdev);
5118 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5120 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5122 skb_pull(skb, sizeof(*le_ev));
5124 switch (le_ev->subevent) {
5125 case HCI_EV_LE_CONN_COMPLETE:
5126 hci_le_conn_complete_evt(hdev, skb);
5129 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5130 hci_le_conn_update_complete_evt(hdev, skb);
5133 case HCI_EV_LE_ADVERTISING_REPORT:
5134 hci_le_adv_report_evt(hdev, skb);
5137 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5138 hci_le_remote_feat_complete_evt(hdev, skb);
5141 case HCI_EV_LE_LTK_REQ:
5142 hci_le_ltk_request_evt(hdev, skb);
5145 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5146 hci_le_remote_conn_param_req_evt(hdev, skb);
5149 case HCI_EV_LE_DIRECT_ADV_REPORT:
5150 hci_le_direct_adv_report_evt(hdev, skb);
5158 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5159 u8 event, struct sk_buff *skb)
5161 struct hci_ev_cmd_complete *ev;
5162 struct hci_event_hdr *hdr;
5167 if (skb->len < sizeof(*hdr)) {
5168 BT_ERR("Too short HCI event");
5172 hdr = (void *) skb->data;
5173 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5176 if (hdr->evt != event)
5181 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5182 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5186 if (skb->len < sizeof(*ev)) {
5187 BT_ERR("Too short cmd_complete event");
5191 ev = (void *) skb->data;
5192 skb_pull(skb, sizeof(*ev));
5194 if (opcode != __le16_to_cpu(ev->opcode)) {
5195 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5196 __le16_to_cpu(ev->opcode));
5203 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5205 struct hci_event_hdr *hdr = (void *) skb->data;
5206 hci_req_complete_t req_complete = NULL;
5207 hci_req_complete_skb_t req_complete_skb = NULL;
5208 struct sk_buff *orig_skb = NULL;
5209 u8 status = 0, event = hdr->evt, req_evt = 0;
5210 u16 opcode = HCI_OP_NOP;
5212 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5213 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5214 opcode = __le16_to_cpu(cmd_hdr->opcode);
5215 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5220 /* If it looks like we might end up having to call
5221 * req_complete_skb, store a pristine copy of the skb since the
5222 * various handlers may modify the original one through
5223 * skb_pull() calls, etc.
5225 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5226 event == HCI_EV_CMD_COMPLETE)
5227 orig_skb = skb_clone(skb, GFP_KERNEL);
5229 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5232 case HCI_EV_INQUIRY_COMPLETE:
5233 hci_inquiry_complete_evt(hdev, skb);
5236 case HCI_EV_INQUIRY_RESULT:
5237 hci_inquiry_result_evt(hdev, skb);
5240 case HCI_EV_CONN_COMPLETE:
5241 hci_conn_complete_evt(hdev, skb);
5244 case HCI_EV_CONN_REQUEST:
5245 hci_conn_request_evt(hdev, skb);
5248 case HCI_EV_DISCONN_COMPLETE:
5249 hci_disconn_complete_evt(hdev, skb);
5252 case HCI_EV_AUTH_COMPLETE:
5253 hci_auth_complete_evt(hdev, skb);
5256 case HCI_EV_REMOTE_NAME:
5257 hci_remote_name_evt(hdev, skb);
5260 case HCI_EV_ENCRYPT_CHANGE:
5261 hci_encrypt_change_evt(hdev, skb);
5264 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5265 hci_change_link_key_complete_evt(hdev, skb);
5268 case HCI_EV_REMOTE_FEATURES:
5269 hci_remote_features_evt(hdev, skb);
5272 case HCI_EV_CMD_COMPLETE:
5273 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5274 &req_complete, &req_complete_skb);
5277 case HCI_EV_CMD_STATUS:
5278 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5282 case HCI_EV_HARDWARE_ERROR:
5283 hci_hardware_error_evt(hdev, skb);
5286 case HCI_EV_ROLE_CHANGE:
5287 hci_role_change_evt(hdev, skb);
5290 case HCI_EV_NUM_COMP_PKTS:
5291 hci_num_comp_pkts_evt(hdev, skb);
5294 case HCI_EV_MODE_CHANGE:
5295 hci_mode_change_evt(hdev, skb);
5298 case HCI_EV_PIN_CODE_REQ:
5299 hci_pin_code_request_evt(hdev, skb);
5302 case HCI_EV_LINK_KEY_REQ:
5303 hci_link_key_request_evt(hdev, skb);
5306 case HCI_EV_LINK_KEY_NOTIFY:
5307 hci_link_key_notify_evt(hdev, skb);
5310 case HCI_EV_CLOCK_OFFSET:
5311 hci_clock_offset_evt(hdev, skb);
5314 case HCI_EV_PKT_TYPE_CHANGE:
5315 hci_pkt_type_change_evt(hdev, skb);
5318 case HCI_EV_PSCAN_REP_MODE:
5319 hci_pscan_rep_mode_evt(hdev, skb);
5322 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5323 hci_inquiry_result_with_rssi_evt(hdev, skb);
5326 case HCI_EV_REMOTE_EXT_FEATURES:
5327 hci_remote_ext_features_evt(hdev, skb);
5330 case HCI_EV_SYNC_CONN_COMPLETE:
5331 hci_sync_conn_complete_evt(hdev, skb);
5334 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5335 hci_extended_inquiry_result_evt(hdev, skb);
5338 case HCI_EV_KEY_REFRESH_COMPLETE:
5339 hci_key_refresh_complete_evt(hdev, skb);
5342 case HCI_EV_IO_CAPA_REQUEST:
5343 hci_io_capa_request_evt(hdev, skb);
5346 case HCI_EV_IO_CAPA_REPLY:
5347 hci_io_capa_reply_evt(hdev, skb);
5350 case HCI_EV_USER_CONFIRM_REQUEST:
5351 hci_user_confirm_request_evt(hdev, skb);
5354 case HCI_EV_USER_PASSKEY_REQUEST:
5355 hci_user_passkey_request_evt(hdev, skb);
5358 case HCI_EV_USER_PASSKEY_NOTIFY:
5359 hci_user_passkey_notify_evt(hdev, skb);
5362 case HCI_EV_KEYPRESS_NOTIFY:
5363 hci_keypress_notify_evt(hdev, skb);
5366 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5367 hci_simple_pair_complete_evt(hdev, skb);
5370 case HCI_EV_REMOTE_HOST_FEATURES:
5371 hci_remote_host_features_evt(hdev, skb);
5374 case HCI_EV_LE_META:
5375 hci_le_meta_evt(hdev, skb);
5378 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5379 hci_remote_oob_data_request_evt(hdev, skb);
5382 #if IS_ENABLED(CONFIG_BT_HS)
5383 case HCI_EV_CHANNEL_SELECTED:
5384 hci_chan_selected_evt(hdev, skb);
5387 case HCI_EV_PHY_LINK_COMPLETE:
5388 hci_phy_link_complete_evt(hdev, skb);
5391 case HCI_EV_LOGICAL_LINK_COMPLETE:
5392 hci_loglink_complete_evt(hdev, skb);
5395 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5396 hci_disconn_loglink_complete_evt(hdev, skb);
5399 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5400 hci_disconn_phylink_complete_evt(hdev, skb);
5404 case HCI_EV_NUM_COMP_BLOCKS:
5405 hci_num_comp_blocks_evt(hdev, skb);
5409 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5414 req_complete(hdev, status, opcode);
5415 } else if (req_complete_skb) {
5416 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5417 kfree_skb(orig_skb);
5420 req_complete_skb(hdev, status, opcode, orig_skb);
5423 kfree_skb(orig_skb);
5425 hdev->stat.evt_rx++;
Code Review / kvmfornfv.git / blob