2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
61 hci_conn_check_pending(hdev);
64 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
66 __u8 status = *((__u8 *) skb->data);
68 BT_DBG("%s status 0x%2.2x", hdev->name, status);
73 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
76 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
78 __u8 status = *((__u8 *) skb->data);
80 BT_DBG("%s status 0x%2.2x", hdev->name, status);
85 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
87 hci_conn_check_pending(hdev);
90 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
93 BT_DBG("%s", hdev->name);
96 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
98 struct hci_rp_role_discovery *rp = (void *) skb->data;
99 struct hci_conn *conn;
101 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
108 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
110 conn->role = rp->role;
112 hci_dev_unlock(hdev);
115 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
117 struct hci_rp_read_link_policy *rp = (void *) skb->data;
118 struct hci_conn *conn;
120 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
127 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
129 conn->link_policy = __le16_to_cpu(rp->policy);
131 hci_dev_unlock(hdev);
134 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
136 struct hci_rp_write_link_policy *rp = (void *) skb->data;
137 struct hci_conn *conn;
140 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
145 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
153 conn->link_policy = get_unaligned_le16(sent + 2);
155 hci_dev_unlock(hdev);
158 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
161 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
163 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
168 hdev->link_policy = __le16_to_cpu(rp->policy);
171 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
174 __u8 status = *((__u8 *) skb->data);
177 BT_DBG("%s status 0x%2.2x", hdev->name, status);
182 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
186 hdev->link_policy = get_unaligned_le16(sent);
189 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
191 __u8 status = *((__u8 *) skb->data);
193 BT_DBG("%s status 0x%2.2x", hdev->name, status);
195 clear_bit(HCI_RESET, &hdev->flags);
200 /* Reset all non-persistent flags */
201 hci_dev_clear_volatile_flags(hdev);
203 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
205 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
206 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
208 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
209 hdev->adv_data_len = 0;
211 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
212 hdev->scan_rsp_data_len = 0;
214 hdev->le_scan_type = LE_SCAN_PASSIVE;
216 hdev->ssp_debug_mode = 0;
218 hci_bdaddr_list_clear(&hdev->le_white_list);
221 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
224 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
225 struct hci_cp_read_stored_link_key *sent;
227 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
229 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
233 if (!rp->status && sent->read_all == 0x01) {
234 hdev->stored_max_keys = rp->max_keys;
235 hdev->stored_num_keys = rp->num_keys;
239 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
242 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
244 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
249 if (rp->num_keys <= hdev->stored_num_keys)
250 hdev->stored_num_keys -= rp->num_keys;
252 hdev->stored_num_keys = 0;
255 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
257 __u8 status = *((__u8 *) skb->data);
260 BT_DBG("%s status 0x%2.2x", hdev->name, status);
262 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 if (hci_dev_test_flag(hdev, HCI_MGMT))
269 mgmt_set_local_name_complete(hdev, sent, status);
271 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
273 hci_dev_unlock(hdev);
276 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 struct hci_rp_read_local_name *rp = (void *) skb->data;
280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
285 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
286 hci_dev_test_flag(hdev, HCI_CONFIG))
287 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
290 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
292 __u8 status = *((__u8 *) skb->data);
295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
297 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
304 __u8 param = *((__u8 *) sent);
306 if (param == AUTH_ENABLED)
307 set_bit(HCI_AUTH, &hdev->flags);
309 clear_bit(HCI_AUTH, &hdev->flags);
312 if (hci_dev_test_flag(hdev, HCI_MGMT))
313 mgmt_auth_enable_complete(hdev, status);
315 hci_dev_unlock(hdev);
318 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
320 __u8 status = *((__u8 *) skb->data);
324 BT_DBG("%s status 0x%2.2x", hdev->name, status);
329 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
333 param = *((__u8 *) sent);
336 set_bit(HCI_ENCRYPT, &hdev->flags);
338 clear_bit(HCI_ENCRYPT, &hdev->flags);
341 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
343 __u8 status = *((__u8 *) skb->data);
347 BT_DBG("%s status 0x%2.2x", hdev->name, status);
349 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
353 param = *((__u8 *) sent);
358 hdev->discov_timeout = 0;
362 if (param & SCAN_INQUIRY)
363 set_bit(HCI_ISCAN, &hdev->flags);
365 clear_bit(HCI_ISCAN, &hdev->flags);
367 if (param & SCAN_PAGE)
368 set_bit(HCI_PSCAN, &hdev->flags);
370 clear_bit(HCI_PSCAN, &hdev->flags);
373 hci_dev_unlock(hdev);
376 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
378 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
380 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
385 memcpy(hdev->dev_class, rp->dev_class, 3);
387 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
388 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
391 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
393 __u8 status = *((__u8 *) skb->data);
396 BT_DBG("%s status 0x%2.2x", hdev->name, status);
398 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
405 memcpy(hdev->dev_class, sent, 3);
407 if (hci_dev_test_flag(hdev, HCI_MGMT))
408 mgmt_set_class_of_dev_complete(hdev, sent, status);
410 hci_dev_unlock(hdev);
413 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
415 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
418 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
423 setting = __le16_to_cpu(rp->voice_setting);
425 if (hdev->voice_setting == setting)
428 hdev->voice_setting = setting;
430 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
433 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
436 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
439 __u8 status = *((__u8 *) skb->data);
443 BT_DBG("%s status 0x%2.2x", hdev->name, status);
448 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
452 setting = get_unaligned_le16(sent);
454 if (hdev->voice_setting == setting)
457 hdev->voice_setting = setting;
459 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
462 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
465 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
468 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
470 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
475 hdev->num_iac = rp->num_iac;
477 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
480 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
482 __u8 status = *((__u8 *) skb->data);
483 struct hci_cp_write_ssp_mode *sent;
485 BT_DBG("%s status 0x%2.2x", hdev->name, status);
487 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
495 hdev->features[1][0] |= LMP_HOST_SSP;
497 hdev->features[1][0] &= ~LMP_HOST_SSP;
500 if (hci_dev_test_flag(hdev, HCI_MGMT))
501 mgmt_ssp_enable_complete(hdev, sent->mode, status);
504 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
506 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
509 hci_dev_unlock(hdev);
512 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
514 u8 status = *((u8 *) skb->data);
515 struct hci_cp_write_sc_support *sent;
517 BT_DBG("%s status 0x%2.2x", hdev->name, status);
519 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
527 hdev->features[1][0] |= LMP_HOST_SC;
529 hdev->features[1][0] &= ~LMP_HOST_SC;
532 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
534 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
536 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
539 hci_dev_unlock(hdev);
542 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
544 struct hci_rp_read_local_version *rp = (void *) skb->data;
546 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
551 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
552 hci_dev_test_flag(hdev, HCI_CONFIG)) {
553 hdev->hci_ver = rp->hci_ver;
554 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
555 hdev->lmp_ver = rp->lmp_ver;
556 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
557 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
561 static void hci_cc_read_local_commands(struct hci_dev *hdev,
564 struct hci_rp_read_local_commands *rp = (void *) skb->data;
566 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
571 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
572 hci_dev_test_flag(hdev, HCI_CONFIG))
573 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
576 static void hci_cc_read_local_features(struct hci_dev *hdev,
579 struct hci_rp_read_local_features *rp = (void *) skb->data;
581 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
586 memcpy(hdev->features, rp->features, 8);
588 /* Adjust default settings according to features
589 * supported by device. */
591 if (hdev->features[0][0] & LMP_3SLOT)
592 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
594 if (hdev->features[0][0] & LMP_5SLOT)
595 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
597 if (hdev->features[0][1] & LMP_HV2) {
598 hdev->pkt_type |= (HCI_HV2);
599 hdev->esco_type |= (ESCO_HV2);
602 if (hdev->features[0][1] & LMP_HV3) {
603 hdev->pkt_type |= (HCI_HV3);
604 hdev->esco_type |= (ESCO_HV3);
607 if (lmp_esco_capable(hdev))
608 hdev->esco_type |= (ESCO_EV3);
610 if (hdev->features[0][4] & LMP_EV4)
611 hdev->esco_type |= (ESCO_EV4);
613 if (hdev->features[0][4] & LMP_EV5)
614 hdev->esco_type |= (ESCO_EV5);
616 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
617 hdev->esco_type |= (ESCO_2EV3);
619 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
620 hdev->esco_type |= (ESCO_3EV3);
622 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
623 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
626 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
629 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
631 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
636 if (hdev->max_page < rp->max_page)
637 hdev->max_page = rp->max_page;
639 if (rp->page < HCI_MAX_PAGES)
640 memcpy(hdev->features[rp->page], rp->features, 8);
643 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
646 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
653 hdev->flow_ctl_mode = rp->mode;
656 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
658 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
660 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
665 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
666 hdev->sco_mtu = rp->sco_mtu;
667 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
668 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
670 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
675 hdev->acl_cnt = hdev->acl_pkts;
676 hdev->sco_cnt = hdev->sco_pkts;
678 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
679 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
682 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
684 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
686 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
691 if (test_bit(HCI_INIT, &hdev->flags))
692 bacpy(&hdev->bdaddr, &rp->bdaddr);
694 if (hci_dev_test_flag(hdev, HCI_SETUP))
695 bacpy(&hdev->setup_addr, &rp->bdaddr);
698 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
701 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
703 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
708 if (test_bit(HCI_INIT, &hdev->flags)) {
709 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
710 hdev->page_scan_window = __le16_to_cpu(rp->window);
714 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
717 u8 status = *((u8 *) skb->data);
718 struct hci_cp_write_page_scan_activity *sent;
720 BT_DBG("%s status 0x%2.2x", hdev->name, status);
725 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
729 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
730 hdev->page_scan_window = __le16_to_cpu(sent->window);
733 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
736 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
738 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
743 if (test_bit(HCI_INIT, &hdev->flags))
744 hdev->page_scan_type = rp->type;
747 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
750 u8 status = *((u8 *) skb->data);
753 BT_DBG("%s status 0x%2.2x", hdev->name, status);
758 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
760 hdev->page_scan_type = *type;
763 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
766 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
768 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
773 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
774 hdev->block_len = __le16_to_cpu(rp->block_len);
775 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
777 hdev->block_cnt = hdev->num_blocks;
779 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
780 hdev->block_cnt, hdev->block_len);
783 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
785 struct hci_rp_read_clock *rp = (void *) skb->data;
786 struct hci_cp_read_clock *cp;
787 struct hci_conn *conn;
789 BT_DBG("%s", hdev->name);
791 if (skb->len < sizeof(*rp))
799 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
803 if (cp->which == 0x00) {
804 hdev->clock = le32_to_cpu(rp->clock);
808 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
810 conn->clock = le32_to_cpu(rp->clock);
811 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
815 hci_dev_unlock(hdev);
818 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
821 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
823 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
828 hdev->amp_status = rp->amp_status;
829 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
830 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
831 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
832 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
833 hdev->amp_type = rp->amp_type;
834 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
835 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
836 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
837 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
840 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
843 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
845 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
850 hdev->inq_tx_power = rp->tx_power;
853 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
855 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
856 struct hci_cp_pin_code_reply *cp;
857 struct hci_conn *conn;
859 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
863 if (hci_dev_test_flag(hdev, HCI_MGMT))
864 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
869 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
873 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
875 conn->pin_length = cp->pin_len;
878 hci_dev_unlock(hdev);
881 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
883 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
885 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
889 if (hci_dev_test_flag(hdev, HCI_MGMT))
890 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
893 hci_dev_unlock(hdev);
896 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
899 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
901 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
906 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
907 hdev->le_pkts = rp->le_max_pkt;
909 hdev->le_cnt = hdev->le_pkts;
911 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
914 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
917 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
919 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
924 memcpy(hdev->le_features, rp->features, 8);
927 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
930 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
932 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
937 hdev->adv_tx_power = rp->tx_power;
940 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
942 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
944 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
948 if (hci_dev_test_flag(hdev, HCI_MGMT))
949 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
952 hci_dev_unlock(hdev);
955 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
958 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
960 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
964 if (hci_dev_test_flag(hdev, HCI_MGMT))
965 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
966 ACL_LINK, 0, rp->status);
968 hci_dev_unlock(hdev);
971 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
973 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
975 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
979 if (hci_dev_test_flag(hdev, HCI_MGMT))
980 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
983 hci_dev_unlock(hdev);
986 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
989 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
991 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
995 if (hci_dev_test_flag(hdev, HCI_MGMT))
996 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
997 ACL_LINK, 0, rp->status);
999 hci_dev_unlock(hdev);
1002 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1003 struct sk_buff *skb)
1005 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1007 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1010 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1011 struct sk_buff *skb)
1013 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1015 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1018 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1020 __u8 status = *((__u8 *) skb->data);
1023 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1028 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 bacpy(&hdev->random_addr, sent);
1036 hci_dev_unlock(hdev);
1039 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1041 __u8 *sent, status = *((__u8 *) skb->data);
1043 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1048 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 /* If we're doing connection initiation as peripheral. Set a
1055 * timeout in case something goes wrong.
1058 struct hci_conn *conn;
1060 hci_dev_set_flag(hdev, HCI_LE_ADV);
1062 conn = hci_lookup_le_connect(hdev);
1064 queue_delayed_work(hdev->workqueue,
1065 &conn->le_conn_timeout,
1066 conn->conn_timeout);
1068 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1071 hci_dev_unlock(hdev);
1074 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1076 struct hci_cp_le_set_scan_param *cp;
1077 __u8 status = *((__u8 *) skb->data);
1079 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1084 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 hdev->le_scan_type = cp->type;
1092 hci_dev_unlock(hdev);
1095 static bool has_pending_adv_report(struct hci_dev *hdev)
1097 struct discovery_state *d = &hdev->discovery;
1099 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1102 static void clear_pending_adv_report(struct hci_dev *hdev)
1104 struct discovery_state *d = &hdev->discovery;
1106 bacpy(&d->last_adv_addr, BDADDR_ANY);
1107 d->last_adv_data_len = 0;
1110 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1111 u8 bdaddr_type, s8 rssi, u32 flags,
1114 struct discovery_state *d = &hdev->discovery;
1116 bacpy(&d->last_adv_addr, bdaddr);
1117 d->last_adv_addr_type = bdaddr_type;
1118 d->last_adv_rssi = rssi;
1119 d->last_adv_flags = flags;
1120 memcpy(d->last_adv_data, data, len);
1121 d->last_adv_data_len = len;
1124 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1125 struct sk_buff *skb)
1127 struct hci_cp_le_set_scan_enable *cp;
1128 __u8 status = *((__u8 *) skb->data);
1130 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1135 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 switch (cp->enable) {
1142 case LE_SCAN_ENABLE:
1143 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1144 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1145 clear_pending_adv_report(hdev);
1148 case LE_SCAN_DISABLE:
1149 /* We do this here instead of when setting DISCOVERY_STOPPED
1150 * since the latter would potentially require waiting for
1151 * inquiry to stop too.
1153 if (has_pending_adv_report(hdev)) {
1154 struct discovery_state *d = &hdev->discovery;
1156 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1157 d->last_adv_addr_type, NULL,
1158 d->last_adv_rssi, d->last_adv_flags,
1160 d->last_adv_data_len, NULL, 0);
1163 /* Cancel this timer so that we don't try to disable scanning
1164 * when it's already disabled.
1166 cancel_delayed_work(&hdev->le_scan_disable);
1168 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1170 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1171 * interrupted scanning due to a connect request. Mark
1172 * therefore discovery as stopped. If this was not
1173 * because of a connect request advertising might have
1174 * been disabled because of active scanning, so
1175 * re-enable it again if necessary.
1177 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1178 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1179 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1180 hdev->discovery.state == DISCOVERY_FINDING)
1181 mgmt_reenable_advertising(hdev);
1186 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1190 hci_dev_unlock(hdev);
1193 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1194 struct sk_buff *skb)
1196 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1198 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1203 hdev->le_white_list_size = rp->size;
1206 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1207 struct sk_buff *skb)
1209 __u8 status = *((__u8 *) skb->data);
1211 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1216 hci_bdaddr_list_clear(&hdev->le_white_list);
1219 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1220 struct sk_buff *skb)
1222 struct hci_cp_le_add_to_white_list *sent;
1223 __u8 status = *((__u8 *) skb->data);
1225 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1230 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1234 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1238 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1239 struct sk_buff *skb)
1241 struct hci_cp_le_del_from_white_list *sent;
1242 __u8 status = *((__u8 *) skb->data);
1244 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1249 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1253 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1257 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1258 struct sk_buff *skb)
1260 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1262 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1267 memcpy(hdev->le_states, rp->le_states, 8);
1270 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1271 struct sk_buff *skb)
1273 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1275 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1280 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1281 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1284 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1285 struct sk_buff *skb)
1287 struct hci_cp_le_write_def_data_len *sent;
1288 __u8 status = *((__u8 *) skb->data);
1290 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1295 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1299 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1300 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1303 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1304 struct sk_buff *skb)
1306 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1308 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1313 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1314 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1315 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1316 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1319 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1320 struct sk_buff *skb)
1322 struct hci_cp_write_le_host_supported *sent;
1323 __u8 status = *((__u8 *) skb->data);
1325 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1330 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1337 hdev->features[1][0] |= LMP_HOST_LE;
1338 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1340 hdev->features[1][0] &= ~LMP_HOST_LE;
1341 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1342 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1346 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1348 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1350 hci_dev_unlock(hdev);
1353 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1355 struct hci_cp_le_set_adv_param *cp;
1356 u8 status = *((u8 *) skb->data);
1358 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1363 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1368 hdev->adv_addr_type = cp->own_address_type;
1369 hci_dev_unlock(hdev);
1372 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1374 struct hci_rp_read_rssi *rp = (void *) skb->data;
1375 struct hci_conn *conn;
1377 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1384 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1386 conn->rssi = rp->rssi;
1388 hci_dev_unlock(hdev);
1391 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1393 struct hci_cp_read_tx_power *sent;
1394 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1395 struct hci_conn *conn;
1397 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1402 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1408 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1412 switch (sent->type) {
1414 conn->tx_power = rp->tx_power;
1417 conn->max_tx_power = rp->tx_power;
1422 hci_dev_unlock(hdev);
1425 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1427 u8 status = *((u8 *) skb->data);
1430 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1435 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1437 hdev->ssp_debug_mode = *mode;
1440 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1442 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1445 hci_conn_check_pending(hdev);
1449 set_bit(HCI_INQUIRY, &hdev->flags);
1452 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1454 struct hci_cp_create_conn *cp;
1455 struct hci_conn *conn;
1457 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1459 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1465 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1467 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1470 if (conn && conn->state == BT_CONNECT) {
1471 if (status != 0x0c || conn->attempt > 2) {
1472 conn->state = BT_CLOSED;
1473 hci_connect_cfm(conn, status);
1476 conn->state = BT_CONNECT2;
1480 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1483 BT_ERR("No memory for new connection");
1487 hci_dev_unlock(hdev);
1490 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1492 struct hci_cp_add_sco *cp;
1493 struct hci_conn *acl, *sco;
1496 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1501 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1505 handle = __le16_to_cpu(cp->handle);
1507 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1511 acl = hci_conn_hash_lookup_handle(hdev, handle);
1515 sco->state = BT_CLOSED;
1517 hci_connect_cfm(sco, status);
1522 hci_dev_unlock(hdev);
1525 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1527 struct hci_cp_auth_requested *cp;
1528 struct hci_conn *conn;
1530 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1535 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1541 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1543 if (conn->state == BT_CONFIG) {
1544 hci_connect_cfm(conn, status);
1545 hci_conn_drop(conn);
1549 hci_dev_unlock(hdev);
1552 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1554 struct hci_cp_set_conn_encrypt *cp;
1555 struct hci_conn *conn;
1557 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1562 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1568 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1570 if (conn->state == BT_CONFIG) {
1571 hci_connect_cfm(conn, status);
1572 hci_conn_drop(conn);
1576 hci_dev_unlock(hdev);
1579 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1580 struct hci_conn *conn)
1582 if (conn->state != BT_CONFIG || !conn->out)
1585 if (conn->pending_sec_level == BT_SECURITY_SDP)
1588 /* Only request authentication for SSP connections or non-SSP
1589 * devices with sec_level MEDIUM or HIGH or if MITM protection
1592 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1593 conn->pending_sec_level != BT_SECURITY_FIPS &&
1594 conn->pending_sec_level != BT_SECURITY_HIGH &&
1595 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1601 static int hci_resolve_name(struct hci_dev *hdev,
1602 struct inquiry_entry *e)
1604 struct hci_cp_remote_name_req cp;
1606 memset(&cp, 0, sizeof(cp));
1608 bacpy(&cp.bdaddr, &e->data.bdaddr);
1609 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1610 cp.pscan_mode = e->data.pscan_mode;
1611 cp.clock_offset = e->data.clock_offset;
1613 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1616 static bool hci_resolve_next_name(struct hci_dev *hdev)
1618 struct discovery_state *discov = &hdev->discovery;
1619 struct inquiry_entry *e;
1621 if (list_empty(&discov->resolve))
1624 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1628 if (hci_resolve_name(hdev, e) == 0) {
1629 e->name_state = NAME_PENDING;
1636 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1637 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1639 struct discovery_state *discov = &hdev->discovery;
1640 struct inquiry_entry *e;
1642 /* Update the mgmt connected state if necessary. Be careful with
1643 * conn objects that exist but are not (yet) connected however.
1644 * Only those in BT_CONFIG or BT_CONNECTED states can be
1645 * considered connected.
1648 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1649 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1650 mgmt_device_connected(hdev, conn, 0, name, name_len);
1652 if (discov->state == DISCOVERY_STOPPED)
1655 if (discov->state == DISCOVERY_STOPPING)
1656 goto discov_complete;
1658 if (discov->state != DISCOVERY_RESOLVING)
1661 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1662 /* If the device was not found in a list of found devices names of which
1663 * are pending. there is no need to continue resolving a next name as it
1664 * will be done upon receiving another Remote Name Request Complete
1671 e->name_state = NAME_KNOWN;
1672 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1673 e->data.rssi, name, name_len);
1675 e->name_state = NAME_NOT_KNOWN;
1678 if (hci_resolve_next_name(hdev))
1682 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1685 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1687 struct hci_cp_remote_name_req *cp;
1688 struct hci_conn *conn;
1690 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1692 /* If successful wait for the name req complete event before
1693 * checking for the need to do authentication */
1697 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1703 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1705 if (hci_dev_test_flag(hdev, HCI_MGMT))
1706 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1711 if (!hci_outgoing_auth_needed(hdev, conn))
1714 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1715 struct hci_cp_auth_requested auth_cp;
1717 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1719 auth_cp.handle = __cpu_to_le16(conn->handle);
1720 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1721 sizeof(auth_cp), &auth_cp);
1725 hci_dev_unlock(hdev);
1728 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1730 struct hci_cp_read_remote_features *cp;
1731 struct hci_conn *conn;
1733 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1738 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1744 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1746 if (conn->state == BT_CONFIG) {
1747 hci_connect_cfm(conn, status);
1748 hci_conn_drop(conn);
1752 hci_dev_unlock(hdev);
1755 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1757 struct hci_cp_read_remote_ext_features *cp;
1758 struct hci_conn *conn;
1760 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1765 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1771 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1773 if (conn->state == BT_CONFIG) {
1774 hci_connect_cfm(conn, status);
1775 hci_conn_drop(conn);
1779 hci_dev_unlock(hdev);
1782 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1784 struct hci_cp_setup_sync_conn *cp;
1785 struct hci_conn *acl, *sco;
1788 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1793 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1797 handle = __le16_to_cpu(cp->handle);
1799 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1803 acl = hci_conn_hash_lookup_handle(hdev, handle);
1807 sco->state = BT_CLOSED;
1809 hci_connect_cfm(sco, status);
1814 hci_dev_unlock(hdev);
1817 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1819 struct hci_cp_sniff_mode *cp;
1820 struct hci_conn *conn;
1822 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1827 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1833 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1835 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1837 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1838 hci_sco_setup(conn, status);
1841 hci_dev_unlock(hdev);
1844 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1846 struct hci_cp_exit_sniff_mode *cp;
1847 struct hci_conn *conn;
1849 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1854 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1860 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1862 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1864 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1865 hci_sco_setup(conn, status);
1868 hci_dev_unlock(hdev);
1871 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1873 struct hci_cp_disconnect *cp;
1874 struct hci_conn *conn;
1879 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1885 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1887 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1888 conn->dst_type, status);
1890 hci_dev_unlock(hdev);
1893 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1895 struct hci_cp_le_create_conn *cp;
1896 struct hci_conn *conn;
1898 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1900 /* All connection failure handling is taken care of by the
1901 * hci_le_conn_failed function which is triggered by the HCI
1902 * request completion callbacks used for connecting.
1907 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1913 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1917 /* Store the initiator and responder address information which
1918 * is needed for SMP. These values will not change during the
1919 * lifetime of the connection.
1921 conn->init_addr_type = cp->own_address_type;
1922 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1923 bacpy(&conn->init_addr, &hdev->random_addr);
1925 bacpy(&conn->init_addr, &hdev->bdaddr);
1927 conn->resp_addr_type = cp->peer_addr_type;
1928 bacpy(&conn->resp_addr, &cp->peer_addr);
1930 /* We don't want the connection attempt to stick around
1931 * indefinitely since LE doesn't have a page timeout concept
1932 * like BR/EDR. Set a timer for any connection that doesn't use
1933 * the white list for connecting.
1935 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1936 queue_delayed_work(conn->hdev->workqueue,
1937 &conn->le_conn_timeout,
1938 conn->conn_timeout);
1941 hci_dev_unlock(hdev);
1944 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1946 struct hci_cp_le_read_remote_features *cp;
1947 struct hci_conn *conn;
1949 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1954 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1960 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1962 if (conn->state == BT_CONFIG) {
1963 hci_connect_cfm(conn, status);
1964 hci_conn_drop(conn);
1968 hci_dev_unlock(hdev);
1971 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1973 struct hci_cp_le_start_enc *cp;
1974 struct hci_conn *conn;
1976 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1983 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1987 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1991 if (conn->state != BT_CONNECTED)
1994 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1995 hci_conn_drop(conn);
1998 hci_dev_unlock(hdev);
2001 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2003 struct hci_cp_switch_role *cp;
2004 struct hci_conn *conn;
2006 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2011 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2017 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2019 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2021 hci_dev_unlock(hdev);
2024 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2026 __u8 status = *((__u8 *) skb->data);
2027 struct discovery_state *discov = &hdev->discovery;
2028 struct inquiry_entry *e;
2030 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2032 hci_conn_check_pending(hdev);
2034 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2037 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2038 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2040 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2045 if (discov->state != DISCOVERY_FINDING)
2048 if (list_empty(&discov->resolve)) {
2049 /* When BR/EDR inquiry is active and no LE scanning is in
2050 * progress, then change discovery state to indicate completion.
2052 * When running LE scanning and BR/EDR inquiry simultaneously
2053 * and the LE scan already finished, then change the discovery
2054 * state to indicate completion.
2056 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2057 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2058 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2062 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2063 if (e && hci_resolve_name(hdev, e) == 0) {
2064 e->name_state = NAME_PENDING;
2065 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2067 /* When BR/EDR inquiry is active and no LE scanning is in
2068 * progress, then change discovery state to indicate completion.
2070 * When running LE scanning and BR/EDR inquiry simultaneously
2071 * and the LE scan already finished, then change the discovery
2072 * state to indicate completion.
2074 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2075 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2076 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2080 hci_dev_unlock(hdev);
2083 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2085 struct inquiry_data data;
2086 struct inquiry_info *info = (void *) (skb->data + 1);
2087 int num_rsp = *((__u8 *) skb->data);
2089 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2094 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2099 for (; num_rsp; num_rsp--, info++) {
2102 bacpy(&data.bdaddr, &info->bdaddr);
2103 data.pscan_rep_mode = info->pscan_rep_mode;
2104 data.pscan_period_mode = info->pscan_period_mode;
2105 data.pscan_mode = info->pscan_mode;
2106 memcpy(data.dev_class, info->dev_class, 3);
2107 data.clock_offset = info->clock_offset;
2108 data.rssi = HCI_RSSI_INVALID;
2109 data.ssp_mode = 0x00;
2111 flags = hci_inquiry_cache_update(hdev, &data, false);
2113 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2114 info->dev_class, HCI_RSSI_INVALID,
2115 flags, NULL, 0, NULL, 0);
2118 hci_dev_unlock(hdev);
2121 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2123 struct hci_ev_conn_complete *ev = (void *) skb->data;
2124 struct hci_conn *conn;
2126 BT_DBG("%s", hdev->name);
2130 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2132 if (ev->link_type != SCO_LINK)
2135 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2139 conn->type = SCO_LINK;
2143 conn->handle = __le16_to_cpu(ev->handle);
2145 if (conn->type == ACL_LINK) {
2146 conn->state = BT_CONFIG;
2147 hci_conn_hold(conn);
2149 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2150 !hci_find_link_key(hdev, &ev->bdaddr))
2151 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2153 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2155 conn->state = BT_CONNECTED;
2157 hci_debugfs_create_conn(conn);
2158 hci_conn_add_sysfs(conn);
2160 if (test_bit(HCI_AUTH, &hdev->flags))
2161 set_bit(HCI_CONN_AUTH, &conn->flags);
2163 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2164 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2166 /* Get remote features */
2167 if (conn->type == ACL_LINK) {
2168 struct hci_cp_read_remote_features cp;
2169 cp.handle = ev->handle;
2170 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2173 hci_update_page_scan(hdev);
2176 /* Set packet type for incoming connection */
2177 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2178 struct hci_cp_change_conn_ptype cp;
2179 cp.handle = ev->handle;
2180 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2181 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2185 conn->state = BT_CLOSED;
2186 if (conn->type == ACL_LINK)
2187 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2188 conn->dst_type, ev->status);
2191 if (conn->type == ACL_LINK)
2192 hci_sco_setup(conn, ev->status);
2195 hci_connect_cfm(conn, ev->status);
2197 } else if (ev->link_type != ACL_LINK)
2198 hci_connect_cfm(conn, ev->status);
2201 hci_dev_unlock(hdev);
2203 hci_conn_check_pending(hdev);
2206 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2208 struct hci_cp_reject_conn_req cp;
2210 bacpy(&cp.bdaddr, bdaddr);
2211 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2212 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2215 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2217 struct hci_ev_conn_request *ev = (void *) skb->data;
2218 int mask = hdev->link_mode;
2219 struct inquiry_entry *ie;
2220 struct hci_conn *conn;
2223 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2226 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2229 if (!(mask & HCI_LM_ACCEPT)) {
2230 hci_reject_conn(hdev, &ev->bdaddr);
2234 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2236 hci_reject_conn(hdev, &ev->bdaddr);
2240 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2241 * connection. These features are only touched through mgmt so
2242 * only do the checks if HCI_MGMT is set.
2244 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2245 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2246 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2248 hci_reject_conn(hdev, &ev->bdaddr);
2252 /* Connection accepted */
2256 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2258 memcpy(ie->data.dev_class, ev->dev_class, 3);
2260 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2263 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2266 BT_ERR("No memory for new connection");
2267 hci_dev_unlock(hdev);
2272 memcpy(conn->dev_class, ev->dev_class, 3);
2274 hci_dev_unlock(hdev);
2276 if (ev->link_type == ACL_LINK ||
2277 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2278 struct hci_cp_accept_conn_req cp;
2279 conn->state = BT_CONNECT;
2281 bacpy(&cp.bdaddr, &ev->bdaddr);
2283 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2284 cp.role = 0x00; /* Become master */
2286 cp.role = 0x01; /* Remain slave */
2288 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2289 } else if (!(flags & HCI_PROTO_DEFER)) {
2290 struct hci_cp_accept_sync_conn_req cp;
2291 conn->state = BT_CONNECT;
2293 bacpy(&cp.bdaddr, &ev->bdaddr);
2294 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2296 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2297 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2298 cp.max_latency = cpu_to_le16(0xffff);
2299 cp.content_format = cpu_to_le16(hdev->voice_setting);
2300 cp.retrans_effort = 0xff;
2302 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2305 conn->state = BT_CONNECT2;
2306 hci_connect_cfm(conn, 0);
2310 static u8 hci_to_mgmt_reason(u8 err)
2313 case HCI_ERROR_CONNECTION_TIMEOUT:
2314 return MGMT_DEV_DISCONN_TIMEOUT;
2315 case HCI_ERROR_REMOTE_USER_TERM:
2316 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2317 case HCI_ERROR_REMOTE_POWER_OFF:
2318 return MGMT_DEV_DISCONN_REMOTE;
2319 case HCI_ERROR_LOCAL_HOST_TERM:
2320 return MGMT_DEV_DISCONN_LOCAL_HOST;
2322 return MGMT_DEV_DISCONN_UNKNOWN;
2326 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2328 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2329 u8 reason = hci_to_mgmt_reason(ev->reason);
2330 struct hci_conn_params *params;
2331 struct hci_conn *conn;
2332 bool mgmt_connected;
2335 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2339 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2344 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2345 conn->dst_type, ev->status);
2349 conn->state = BT_CLOSED;
2351 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2352 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2353 reason, mgmt_connected);
2355 if (conn->type == ACL_LINK) {
2356 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2357 hci_remove_link_key(hdev, &conn->dst);
2359 hci_update_page_scan(hdev);
2362 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2364 switch (params->auto_connect) {
2365 case HCI_AUTO_CONN_LINK_LOSS:
2366 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2370 case HCI_AUTO_CONN_DIRECT:
2371 case HCI_AUTO_CONN_ALWAYS:
2372 list_del_init(¶ms->action);
2373 list_add(¶ms->action, &hdev->pend_le_conns);
2374 hci_update_background_scan(hdev);
2384 hci_disconn_cfm(conn, ev->reason);
2387 /* Re-enable advertising if necessary, since it might
2388 * have been disabled by the connection. From the
2389 * HCI_LE_Set_Advertise_Enable command description in
2390 * the core specification (v4.0):
2391 * "The Controller shall continue advertising until the Host
2392 * issues an LE_Set_Advertise_Enable command with
2393 * Advertising_Enable set to 0x00 (Advertising is disabled)
2394 * or until a connection is created or until the Advertising
2395 * is timed out due to Directed Advertising."
2397 if (type == LE_LINK)
2398 mgmt_reenable_advertising(hdev);
2401 hci_dev_unlock(hdev);
2404 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2406 struct hci_ev_auth_complete *ev = (void *) skb->data;
2407 struct hci_conn *conn;
2409 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2418 if (!hci_conn_ssp_enabled(conn) &&
2419 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2420 BT_INFO("re-auth of legacy device is not possible.");
2422 set_bit(HCI_CONN_AUTH, &conn->flags);
2423 conn->sec_level = conn->pending_sec_level;
2426 mgmt_auth_failed(conn, ev->status);
2429 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2430 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2432 if (conn->state == BT_CONFIG) {
2433 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2434 struct hci_cp_set_conn_encrypt cp;
2435 cp.handle = ev->handle;
2437 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2440 conn->state = BT_CONNECTED;
2441 hci_connect_cfm(conn, ev->status);
2442 hci_conn_drop(conn);
2445 hci_auth_cfm(conn, ev->status);
2447 hci_conn_hold(conn);
2448 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2449 hci_conn_drop(conn);
2452 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2454 struct hci_cp_set_conn_encrypt cp;
2455 cp.handle = ev->handle;
2457 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2460 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2461 hci_encrypt_cfm(conn, ev->status, 0x00);
2466 hci_dev_unlock(hdev);
2469 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2471 struct hci_ev_remote_name *ev = (void *) skb->data;
2472 struct hci_conn *conn;
2474 BT_DBG("%s", hdev->name);
2476 hci_conn_check_pending(hdev);
2480 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2482 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2485 if (ev->status == 0)
2486 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2487 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2489 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2495 if (!hci_outgoing_auth_needed(hdev, conn))
2498 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2499 struct hci_cp_auth_requested cp;
2501 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2503 cp.handle = __cpu_to_le16(conn->handle);
2504 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2508 hci_dev_unlock(hdev);
2511 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2512 u16 opcode, struct sk_buff *skb)
2514 const struct hci_rp_read_enc_key_size *rp;
2515 struct hci_conn *conn;
2518 BT_DBG("%s status 0x%02x", hdev->name, status);
2520 if (!skb || skb->len < sizeof(*rp)) {
2521 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2526 rp = (void *)skb->data;
2527 handle = le16_to_cpu(rp->handle);
2531 conn = hci_conn_hash_lookup_handle(hdev, handle);
2535 /* If we fail to read the encryption key size, assume maximum
2536 * (which is the same we do also when this HCI command isn't
2540 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2542 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2544 conn->enc_key_size = rp->key_size;
2547 if (conn->state == BT_CONFIG) {
2548 conn->state = BT_CONNECTED;
2549 hci_connect_cfm(conn, 0);
2550 hci_conn_drop(conn);
2554 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2556 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2561 hci_encrypt_cfm(conn, 0, encrypt);
2565 hci_dev_unlock(hdev);
2568 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2570 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2571 struct hci_conn *conn;
2573 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2577 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2583 /* Encryption implies authentication */
2584 set_bit(HCI_CONN_AUTH, &conn->flags);
2585 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2586 conn->sec_level = conn->pending_sec_level;
2588 /* P-256 authentication key implies FIPS */
2589 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2590 set_bit(HCI_CONN_FIPS, &conn->flags);
2592 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2593 conn->type == LE_LINK)
2594 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2596 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2597 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2601 /* We should disregard the current RPA and generate a new one
2602 * whenever the encryption procedure fails.
2604 if (ev->status && conn->type == LE_LINK)
2605 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2607 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2609 if (ev->status && conn->state == BT_CONNECTED) {
2610 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2611 hci_conn_drop(conn);
2615 /* In Secure Connections Only mode, do not allow any connections
2616 * that are not encrypted with AES-CCM using a P-256 authenticated
2619 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2620 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2621 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2622 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2623 hci_conn_drop(conn);
2627 /* Try reading the encryption key size for encrypted ACL links */
2628 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2629 struct hci_cp_read_enc_key_size cp;
2630 struct hci_request req;
2632 /* Only send HCI_Read_Encryption_Key_Size if the
2633 * controller really supports it. If it doesn't, assume
2634 * the default size (16).
2636 if (!(hdev->commands[20] & 0x10)) {
2637 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2641 hci_req_init(&req, hdev);
2643 cp.handle = cpu_to_le16(conn->handle);
2644 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2646 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2647 BT_ERR("Sending HCI Read Encryption Key Size failed");
2648 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2656 if (conn->state == BT_CONFIG) {
2658 conn->state = BT_CONNECTED;
2660 hci_connect_cfm(conn, ev->status);
2661 hci_conn_drop(conn);
2663 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2666 hci_dev_unlock(hdev);
2669 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2670 struct sk_buff *skb)
2672 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2673 struct hci_conn *conn;
2675 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2679 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2682 set_bit(HCI_CONN_SECURE, &conn->flags);
2684 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2686 hci_key_change_cfm(conn, ev->status);
2689 hci_dev_unlock(hdev);
2692 static void hci_remote_features_evt(struct hci_dev *hdev,
2693 struct sk_buff *skb)
2695 struct hci_ev_remote_features *ev = (void *) skb->data;
2696 struct hci_conn *conn;
2698 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2702 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2707 memcpy(conn->features[0], ev->features, 8);
2709 if (conn->state != BT_CONFIG)
2712 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2713 lmp_ext_feat_capable(conn)) {
2714 struct hci_cp_read_remote_ext_features cp;
2715 cp.handle = ev->handle;
2717 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2722 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2723 struct hci_cp_remote_name_req cp;
2724 memset(&cp, 0, sizeof(cp));
2725 bacpy(&cp.bdaddr, &conn->dst);
2726 cp.pscan_rep_mode = 0x02;
2727 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2728 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2729 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2731 if (!hci_outgoing_auth_needed(hdev, conn)) {
2732 conn->state = BT_CONNECTED;
2733 hci_connect_cfm(conn, ev->status);
2734 hci_conn_drop(conn);
2738 hci_dev_unlock(hdev);
2741 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2742 u16 *opcode, u8 *status,
2743 hci_req_complete_t *req_complete,
2744 hci_req_complete_skb_t *req_complete_skb)
2746 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2748 *opcode = __le16_to_cpu(ev->opcode);
2749 *status = skb->data[sizeof(*ev)];
2751 skb_pull(skb, sizeof(*ev));
2754 case HCI_OP_INQUIRY_CANCEL:
2755 hci_cc_inquiry_cancel(hdev, skb);
2758 case HCI_OP_PERIODIC_INQ:
2759 hci_cc_periodic_inq(hdev, skb);
2762 case HCI_OP_EXIT_PERIODIC_INQ:
2763 hci_cc_exit_periodic_inq(hdev, skb);
2766 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2767 hci_cc_remote_name_req_cancel(hdev, skb);
2770 case HCI_OP_ROLE_DISCOVERY:
2771 hci_cc_role_discovery(hdev, skb);
2774 case HCI_OP_READ_LINK_POLICY:
2775 hci_cc_read_link_policy(hdev, skb);
2778 case HCI_OP_WRITE_LINK_POLICY:
2779 hci_cc_write_link_policy(hdev, skb);
2782 case HCI_OP_READ_DEF_LINK_POLICY:
2783 hci_cc_read_def_link_policy(hdev, skb);
2786 case HCI_OP_WRITE_DEF_LINK_POLICY:
2787 hci_cc_write_def_link_policy(hdev, skb);
2791 hci_cc_reset(hdev, skb);
2794 case HCI_OP_READ_STORED_LINK_KEY:
2795 hci_cc_read_stored_link_key(hdev, skb);
2798 case HCI_OP_DELETE_STORED_LINK_KEY:
2799 hci_cc_delete_stored_link_key(hdev, skb);
2802 case HCI_OP_WRITE_LOCAL_NAME:
2803 hci_cc_write_local_name(hdev, skb);
2806 case HCI_OP_READ_LOCAL_NAME:
2807 hci_cc_read_local_name(hdev, skb);
2810 case HCI_OP_WRITE_AUTH_ENABLE:
2811 hci_cc_write_auth_enable(hdev, skb);
2814 case HCI_OP_WRITE_ENCRYPT_MODE:
2815 hci_cc_write_encrypt_mode(hdev, skb);
2818 case HCI_OP_WRITE_SCAN_ENABLE:
2819 hci_cc_write_scan_enable(hdev, skb);
2822 case HCI_OP_READ_CLASS_OF_DEV:
2823 hci_cc_read_class_of_dev(hdev, skb);
2826 case HCI_OP_WRITE_CLASS_OF_DEV:
2827 hci_cc_write_class_of_dev(hdev, skb);
2830 case HCI_OP_READ_VOICE_SETTING:
2831 hci_cc_read_voice_setting(hdev, skb);
2834 case HCI_OP_WRITE_VOICE_SETTING:
2835 hci_cc_write_voice_setting(hdev, skb);
2838 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2839 hci_cc_read_num_supported_iac(hdev, skb);
2842 case HCI_OP_WRITE_SSP_MODE:
2843 hci_cc_write_ssp_mode(hdev, skb);
2846 case HCI_OP_WRITE_SC_SUPPORT:
2847 hci_cc_write_sc_support(hdev, skb);
2850 case HCI_OP_READ_LOCAL_VERSION:
2851 hci_cc_read_local_version(hdev, skb);
2854 case HCI_OP_READ_LOCAL_COMMANDS:
2855 hci_cc_read_local_commands(hdev, skb);
2858 case HCI_OP_READ_LOCAL_FEATURES:
2859 hci_cc_read_local_features(hdev, skb);
2862 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2863 hci_cc_read_local_ext_features(hdev, skb);
2866 case HCI_OP_READ_BUFFER_SIZE:
2867 hci_cc_read_buffer_size(hdev, skb);
2870 case HCI_OP_READ_BD_ADDR:
2871 hci_cc_read_bd_addr(hdev, skb);
2874 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2875 hci_cc_read_page_scan_activity(hdev, skb);
2878 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2879 hci_cc_write_page_scan_activity(hdev, skb);
2882 case HCI_OP_READ_PAGE_SCAN_TYPE:
2883 hci_cc_read_page_scan_type(hdev, skb);
2886 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2887 hci_cc_write_page_scan_type(hdev, skb);
2890 case HCI_OP_READ_DATA_BLOCK_SIZE:
2891 hci_cc_read_data_block_size(hdev, skb);
2894 case HCI_OP_READ_FLOW_CONTROL_MODE:
2895 hci_cc_read_flow_control_mode(hdev, skb);
2898 case HCI_OP_READ_LOCAL_AMP_INFO:
2899 hci_cc_read_local_amp_info(hdev, skb);
2902 case HCI_OP_READ_CLOCK:
2903 hci_cc_read_clock(hdev, skb);
2906 case HCI_OP_READ_INQ_RSP_TX_POWER:
2907 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2910 case HCI_OP_PIN_CODE_REPLY:
2911 hci_cc_pin_code_reply(hdev, skb);
2914 case HCI_OP_PIN_CODE_NEG_REPLY:
2915 hci_cc_pin_code_neg_reply(hdev, skb);
2918 case HCI_OP_READ_LOCAL_OOB_DATA:
2919 hci_cc_read_local_oob_data(hdev, skb);
2922 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2923 hci_cc_read_local_oob_ext_data(hdev, skb);
2926 case HCI_OP_LE_READ_BUFFER_SIZE:
2927 hci_cc_le_read_buffer_size(hdev, skb);
2930 case HCI_OP_LE_READ_LOCAL_FEATURES:
2931 hci_cc_le_read_local_features(hdev, skb);
2934 case HCI_OP_LE_READ_ADV_TX_POWER:
2935 hci_cc_le_read_adv_tx_power(hdev, skb);
2938 case HCI_OP_USER_CONFIRM_REPLY:
2939 hci_cc_user_confirm_reply(hdev, skb);
2942 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2943 hci_cc_user_confirm_neg_reply(hdev, skb);
2946 case HCI_OP_USER_PASSKEY_REPLY:
2947 hci_cc_user_passkey_reply(hdev, skb);
2950 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2951 hci_cc_user_passkey_neg_reply(hdev, skb);
2954 case HCI_OP_LE_SET_RANDOM_ADDR:
2955 hci_cc_le_set_random_addr(hdev, skb);
2958 case HCI_OP_LE_SET_ADV_ENABLE:
2959 hci_cc_le_set_adv_enable(hdev, skb);
2962 case HCI_OP_LE_SET_SCAN_PARAM:
2963 hci_cc_le_set_scan_param(hdev, skb);
2966 case HCI_OP_LE_SET_SCAN_ENABLE:
2967 hci_cc_le_set_scan_enable(hdev, skb);
2970 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2971 hci_cc_le_read_white_list_size(hdev, skb);
2974 case HCI_OP_LE_CLEAR_WHITE_LIST:
2975 hci_cc_le_clear_white_list(hdev, skb);
2978 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2979 hci_cc_le_add_to_white_list(hdev, skb);
2982 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2983 hci_cc_le_del_from_white_list(hdev, skb);
2986 case HCI_OP_LE_READ_SUPPORTED_STATES:
2987 hci_cc_le_read_supported_states(hdev, skb);
2990 case HCI_OP_LE_READ_DEF_DATA_LEN:
2991 hci_cc_le_read_def_data_len(hdev, skb);
2994 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
2995 hci_cc_le_write_def_data_len(hdev, skb);
2998 case HCI_OP_LE_READ_MAX_DATA_LEN:
2999 hci_cc_le_read_max_data_len(hdev, skb);
3002 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3003 hci_cc_write_le_host_supported(hdev, skb);
3006 case HCI_OP_LE_SET_ADV_PARAM:
3007 hci_cc_set_adv_param(hdev, skb);
3010 case HCI_OP_READ_RSSI:
3011 hci_cc_read_rssi(hdev, skb);
3014 case HCI_OP_READ_TX_POWER:
3015 hci_cc_read_tx_power(hdev, skb);
3018 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3019 hci_cc_write_ssp_debug_mode(hdev, skb);
3023 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3027 if (*opcode != HCI_OP_NOP)
3028 cancel_delayed_work(&hdev->cmd_timer);
3030 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3031 atomic_set(&hdev->cmd_cnt, 1);
3033 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3036 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3037 queue_work(hdev->workqueue, &hdev->cmd_work);
3040 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3041 u16 *opcode, u8 *status,
3042 hci_req_complete_t *req_complete,
3043 hci_req_complete_skb_t *req_complete_skb)
3045 struct hci_ev_cmd_status *ev = (void *) skb->data;
3047 skb_pull(skb, sizeof(*ev));
3049 *opcode = __le16_to_cpu(ev->opcode);
3050 *status = ev->status;
3053 case HCI_OP_INQUIRY:
3054 hci_cs_inquiry(hdev, ev->status);
3057 case HCI_OP_CREATE_CONN:
3058 hci_cs_create_conn(hdev, ev->status);
3061 case HCI_OP_DISCONNECT:
3062 hci_cs_disconnect(hdev, ev->status);
3065 case HCI_OP_ADD_SCO:
3066 hci_cs_add_sco(hdev, ev->status);
3069 case HCI_OP_AUTH_REQUESTED:
3070 hci_cs_auth_requested(hdev, ev->status);
3073 case HCI_OP_SET_CONN_ENCRYPT:
3074 hci_cs_set_conn_encrypt(hdev, ev->status);
3077 case HCI_OP_REMOTE_NAME_REQ:
3078 hci_cs_remote_name_req(hdev, ev->status);
3081 case HCI_OP_READ_REMOTE_FEATURES:
3082 hci_cs_read_remote_features(hdev, ev->status);
3085 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3086 hci_cs_read_remote_ext_features(hdev, ev->status);
3089 case HCI_OP_SETUP_SYNC_CONN:
3090 hci_cs_setup_sync_conn(hdev, ev->status);
3093 case HCI_OP_SNIFF_MODE:
3094 hci_cs_sniff_mode(hdev, ev->status);
3097 case HCI_OP_EXIT_SNIFF_MODE:
3098 hci_cs_exit_sniff_mode(hdev, ev->status);
3101 case HCI_OP_SWITCH_ROLE:
3102 hci_cs_switch_role(hdev, ev->status);
3105 case HCI_OP_LE_CREATE_CONN:
3106 hci_cs_le_create_conn(hdev, ev->status);
3109 case HCI_OP_LE_READ_REMOTE_FEATURES:
3110 hci_cs_le_read_remote_features(hdev, ev->status);
3113 case HCI_OP_LE_START_ENC:
3114 hci_cs_le_start_enc(hdev, ev->status);
3118 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3122 if (*opcode != HCI_OP_NOP)
3123 cancel_delayed_work(&hdev->cmd_timer);
3125 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3126 atomic_set(&hdev->cmd_cnt, 1);
3128 /* Indicate request completion if the command failed. Also, if
3129 * we're not waiting for a special event and we get a success
3130 * command status we should try to flag the request as completed
3131 * (since for this kind of commands there will not be a command
3135 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
3136 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3139 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3140 queue_work(hdev->workqueue, &hdev->cmd_work);
3143 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3145 struct hci_ev_hardware_error *ev = (void *) skb->data;
3147 hdev->hw_error_code = ev->code;
3149 queue_work(hdev->req_workqueue, &hdev->error_reset);
3152 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3154 struct hci_ev_role_change *ev = (void *) skb->data;
3155 struct hci_conn *conn;
3157 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3161 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3164 conn->role = ev->role;
3166 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3168 hci_role_switch_cfm(conn, ev->status, ev->role);
3171 hci_dev_unlock(hdev);
3174 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3176 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3179 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3180 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3184 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3185 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3186 BT_DBG("%s bad parameters", hdev->name);
3190 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3192 for (i = 0; i < ev->num_hndl; i++) {
3193 struct hci_comp_pkts_info *info = &ev->handles[i];
3194 struct hci_conn *conn;
3195 __u16 handle, count;
3197 handle = __le16_to_cpu(info->handle);
3198 count = __le16_to_cpu(info->count);
3200 conn = hci_conn_hash_lookup_handle(hdev, handle);
3204 conn->sent -= count;
3206 switch (conn->type) {
3208 hdev->acl_cnt += count;
3209 if (hdev->acl_cnt > hdev->acl_pkts)
3210 hdev->acl_cnt = hdev->acl_pkts;
3214 if (hdev->le_pkts) {
3215 hdev->le_cnt += count;
3216 if (hdev->le_cnt > hdev->le_pkts)
3217 hdev->le_cnt = hdev->le_pkts;
3219 hdev->acl_cnt += count;
3220 if (hdev->acl_cnt > hdev->acl_pkts)
3221 hdev->acl_cnt = hdev->acl_pkts;
3226 hdev->sco_cnt += count;
3227 if (hdev->sco_cnt > hdev->sco_pkts)
3228 hdev->sco_cnt = hdev->sco_pkts;
3232 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3237 queue_work(hdev->workqueue, &hdev->tx_work);
3240 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3243 struct hci_chan *chan;
3245 switch (hdev->dev_type) {
3247 return hci_conn_hash_lookup_handle(hdev, handle);
3249 chan = hci_chan_lookup_handle(hdev, handle);
3254 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3261 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3263 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3266 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3267 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3271 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3272 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3273 BT_DBG("%s bad parameters", hdev->name);
3277 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3280 for (i = 0; i < ev->num_hndl; i++) {
3281 struct hci_comp_blocks_info *info = &ev->handles[i];
3282 struct hci_conn *conn = NULL;
3283 __u16 handle, block_count;
3285 handle = __le16_to_cpu(info->handle);
3286 block_count = __le16_to_cpu(info->blocks);
3288 conn = __hci_conn_lookup_handle(hdev, handle);
3292 conn->sent -= block_count;
3294 switch (conn->type) {
3297 hdev->block_cnt += block_count;
3298 if (hdev->block_cnt > hdev->num_blocks)
3299 hdev->block_cnt = hdev->num_blocks;
3303 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3308 queue_work(hdev->workqueue, &hdev->tx_work);
3311 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3313 struct hci_ev_mode_change *ev = (void *) skb->data;
3314 struct hci_conn *conn;
3316 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3320 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3322 conn->mode = ev->mode;
3324 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3326 if (conn->mode == HCI_CM_ACTIVE)
3327 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3329 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3332 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3333 hci_sco_setup(conn, ev->status);
3336 hci_dev_unlock(hdev);
3339 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3341 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3342 struct hci_conn *conn;
3344 BT_DBG("%s", hdev->name);
3348 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3352 if (conn->state == BT_CONNECTED) {
3353 hci_conn_hold(conn);
3354 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3355 hci_conn_drop(conn);
3358 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3359 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3360 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3361 sizeof(ev->bdaddr), &ev->bdaddr);
3362 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3365 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3370 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3374 hci_dev_unlock(hdev);
3377 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3379 if (key_type == HCI_LK_CHANGED_COMBINATION)
3382 conn->pin_length = pin_len;
3383 conn->key_type = key_type;
3386 case HCI_LK_LOCAL_UNIT:
3387 case HCI_LK_REMOTE_UNIT:
3388 case HCI_LK_DEBUG_COMBINATION:
3390 case HCI_LK_COMBINATION:
3392 conn->pending_sec_level = BT_SECURITY_HIGH;
3394 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3396 case HCI_LK_UNAUTH_COMBINATION_P192:
3397 case HCI_LK_UNAUTH_COMBINATION_P256:
3398 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3400 case HCI_LK_AUTH_COMBINATION_P192:
3401 conn->pending_sec_level = BT_SECURITY_HIGH;
3403 case HCI_LK_AUTH_COMBINATION_P256:
3404 conn->pending_sec_level = BT_SECURITY_FIPS;
3409 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3411 struct hci_ev_link_key_req *ev = (void *) skb->data;
3412 struct hci_cp_link_key_reply cp;
3413 struct hci_conn *conn;
3414 struct link_key *key;
3416 BT_DBG("%s", hdev->name);
3418 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3423 key = hci_find_link_key(hdev, &ev->bdaddr);
3425 BT_DBG("%s link key not found for %pMR", hdev->name,
3430 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3433 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3435 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3437 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3438 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3439 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3440 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3444 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3445 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3446 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3447 BT_DBG("%s ignoring key unauthenticated for high security",
3452 conn_set_key(conn, key->type, key->pin_len);
3455 bacpy(&cp.bdaddr, &ev->bdaddr);
3456 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3458 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3460 hci_dev_unlock(hdev);
3465 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3466 hci_dev_unlock(hdev);
3469 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3471 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3472 struct hci_conn *conn;
3473 struct link_key *key;
3477 BT_DBG("%s", hdev->name);
3481 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3485 hci_conn_hold(conn);
3486 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3487 hci_conn_drop(conn);
3489 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3490 conn_set_key(conn, ev->key_type, conn->pin_length);
3492 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3495 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3496 ev->key_type, pin_len, &persistent);
3500 /* Update connection information since adding the key will have
3501 * fixed up the type in the case of changed combination keys.
3503 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3504 conn_set_key(conn, key->type, key->pin_len);
3506 mgmt_new_link_key(hdev, key, persistent);
3508 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3509 * is set. If it's not set simply remove the key from the kernel
3510 * list (we've still notified user space about it but with
3511 * store_hint being 0).
3513 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3514 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3515 list_del_rcu(&key->list);
3516 kfree_rcu(key, rcu);
3521 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3523 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3526 hci_dev_unlock(hdev);
3529 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3531 struct hci_ev_clock_offset *ev = (void *) skb->data;
3532 struct hci_conn *conn;
3534 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3538 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3539 if (conn && !ev->status) {
3540 struct inquiry_entry *ie;
3542 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3544 ie->data.clock_offset = ev->clock_offset;
3545 ie->timestamp = jiffies;
3549 hci_dev_unlock(hdev);
3552 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3554 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3555 struct hci_conn *conn;
3557 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3561 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3562 if (conn && !ev->status)
3563 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3565 hci_dev_unlock(hdev);
3568 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3570 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3571 struct inquiry_entry *ie;
3573 BT_DBG("%s", hdev->name);
3577 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3579 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3580 ie->timestamp = jiffies;
3583 hci_dev_unlock(hdev);
3586 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3587 struct sk_buff *skb)
3589 struct inquiry_data data;
3590 int num_rsp = *((__u8 *) skb->data);
3592 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3597 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3602 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3603 struct inquiry_info_with_rssi_and_pscan_mode *info;
3604 info = (void *) (skb->data + 1);
3606 for (; num_rsp; num_rsp--, info++) {
3609 bacpy(&data.bdaddr, &info->bdaddr);
3610 data.pscan_rep_mode = info->pscan_rep_mode;
3611 data.pscan_period_mode = info->pscan_period_mode;
3612 data.pscan_mode = info->pscan_mode;
3613 memcpy(data.dev_class, info->dev_class, 3);
3614 data.clock_offset = info->clock_offset;
3615 data.rssi = info->rssi;
3616 data.ssp_mode = 0x00;
3618 flags = hci_inquiry_cache_update(hdev, &data, false);
3620 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3621 info->dev_class, info->rssi,
3622 flags, NULL, 0, NULL, 0);
3625 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3627 for (; num_rsp; num_rsp--, info++) {
3630 bacpy(&data.bdaddr, &info->bdaddr);
3631 data.pscan_rep_mode = info->pscan_rep_mode;
3632 data.pscan_period_mode = info->pscan_period_mode;
3633 data.pscan_mode = 0x00;
3634 memcpy(data.dev_class, info->dev_class, 3);
3635 data.clock_offset = info->clock_offset;
3636 data.rssi = info->rssi;
3637 data.ssp_mode = 0x00;
3639 flags = hci_inquiry_cache_update(hdev, &data, false);
3641 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3642 info->dev_class, info->rssi,
3643 flags, NULL, 0, NULL, 0);
3647 hci_dev_unlock(hdev);
3650 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3651 struct sk_buff *skb)
3653 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3654 struct hci_conn *conn;
3656 BT_DBG("%s", hdev->name);
3660 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3664 if (ev->page < HCI_MAX_PAGES)
3665 memcpy(conn->features[ev->page], ev->features, 8);
3667 if (!ev->status && ev->page == 0x01) {
3668 struct inquiry_entry *ie;
3670 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3672 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3674 if (ev->features[0] & LMP_HOST_SSP) {
3675 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3677 /* It is mandatory by the Bluetooth specification that
3678 * Extended Inquiry Results are only used when Secure
3679 * Simple Pairing is enabled, but some devices violate
3682 * To make these devices work, the internal SSP
3683 * enabled flag needs to be cleared if the remote host
3684 * features do not indicate SSP support */
3685 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3688 if (ev->features[0] & LMP_HOST_SC)
3689 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3692 if (conn->state != BT_CONFIG)
3695 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3696 struct hci_cp_remote_name_req cp;
3697 memset(&cp, 0, sizeof(cp));
3698 bacpy(&cp.bdaddr, &conn->dst);
3699 cp.pscan_rep_mode = 0x02;
3700 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3701 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3702 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3704 if (!hci_outgoing_auth_needed(hdev, conn)) {
3705 conn->state = BT_CONNECTED;
3706 hci_connect_cfm(conn, ev->status);
3707 hci_conn_drop(conn);
3711 hci_dev_unlock(hdev);
3714 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3715 struct sk_buff *skb)
3717 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3718 struct hci_conn *conn;
3720 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3724 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3726 if (ev->link_type == ESCO_LINK)
3729 /* When the link type in the event indicates SCO connection
3730 * and lookup of the connection object fails, then check
3731 * if an eSCO connection object exists.
3733 * The core limits the synchronous connections to either
3734 * SCO or eSCO. The eSCO connection is preferred and tried
3735 * to be setup first and until successfully established,
3736 * the link type will be hinted as eSCO.
3738 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3743 switch (ev->status) {
3745 conn->handle = __le16_to_cpu(ev->handle);
3746 conn->state = BT_CONNECTED;
3747 conn->type = ev->link_type;
3749 hci_debugfs_create_conn(conn);
3750 hci_conn_add_sysfs(conn);
3753 case 0x10: /* Connection Accept Timeout */
3754 case 0x0d: /* Connection Rejected due to Limited Resources */
3755 case 0x11: /* Unsupported Feature or Parameter Value */
3756 case 0x1c: /* SCO interval rejected */
3757 case 0x1a: /* Unsupported Remote Feature */
3758 case 0x1f: /* Unspecified error */
3759 case 0x20: /* Unsupported LMP Parameter value */
3761 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3762 (hdev->esco_type & EDR_ESCO_MASK);
3763 if (hci_setup_sync(conn, conn->link->handle))
3769 conn->state = BT_CLOSED;
3773 hci_connect_cfm(conn, ev->status);
3778 hci_dev_unlock(hdev);
3781 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3785 while (parsed < eir_len) {
3786 u8 field_len = eir[0];
3791 parsed += field_len + 1;
3792 eir += field_len + 1;
3798 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3799 struct sk_buff *skb)
3801 struct inquiry_data data;
3802 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3803 int num_rsp = *((__u8 *) skb->data);
3806 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3811 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3816 for (; num_rsp; num_rsp--, info++) {
3820 bacpy(&data.bdaddr, &info->bdaddr);
3821 data.pscan_rep_mode = info->pscan_rep_mode;
3822 data.pscan_period_mode = info->pscan_period_mode;
3823 data.pscan_mode = 0x00;
3824 memcpy(data.dev_class, info->dev_class, 3);
3825 data.clock_offset = info->clock_offset;
3826 data.rssi = info->rssi;
3827 data.ssp_mode = 0x01;
3829 if (hci_dev_test_flag(hdev, HCI_MGMT))
3830 name_known = eir_has_data_type(info->data,
3836 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3838 eir_len = eir_get_length(info->data, sizeof(info->data));
3840 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3841 info->dev_class, info->rssi,
3842 flags, info->data, eir_len, NULL, 0);
3845 hci_dev_unlock(hdev);
3848 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3849 struct sk_buff *skb)
3851 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3852 struct hci_conn *conn;
3854 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3855 __le16_to_cpu(ev->handle));
3859 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3863 /* For BR/EDR the necessary steps are taken through the
3864 * auth_complete event.
3866 if (conn->type != LE_LINK)
3870 conn->sec_level = conn->pending_sec_level;
3872 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3874 if (ev->status && conn->state == BT_CONNECTED) {
3875 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3876 hci_conn_drop(conn);
3880 if (conn->state == BT_CONFIG) {
3882 conn->state = BT_CONNECTED;
3884 hci_connect_cfm(conn, ev->status);
3885 hci_conn_drop(conn);
3887 hci_auth_cfm(conn, ev->status);
3889 hci_conn_hold(conn);
3890 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3891 hci_conn_drop(conn);
3895 hci_dev_unlock(hdev);
3898 static u8 hci_get_auth_req(struct hci_conn *conn)
3900 /* If remote requests no-bonding follow that lead */
3901 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3902 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3903 return conn->remote_auth | (conn->auth_type & 0x01);
3905 /* If both remote and local have enough IO capabilities, require
3908 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3909 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3910 return conn->remote_auth | 0x01;
3912 /* No MITM protection possible so ignore remote requirement */
3913 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3916 static u8 bredr_oob_data_present(struct hci_conn *conn)
3918 struct hci_dev *hdev = conn->hdev;
3919 struct oob_data *data;
3921 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3925 if (bredr_sc_enabled(hdev)) {
3926 /* When Secure Connections is enabled, then just
3927 * return the present value stored with the OOB
3928 * data. The stored value contains the right present
3929 * information. However it can only be trusted when
3930 * not in Secure Connection Only mode.
3932 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3933 return data->present;
3935 /* When Secure Connections Only mode is enabled, then
3936 * the P-256 values are required. If they are not
3937 * available, then do not declare that OOB data is
3940 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3941 !memcmp(data->hash256, ZERO_KEY, 16))
3947 /* When Secure Connections is not enabled or actually
3948 * not supported by the hardware, then check that if
3949 * P-192 data values are present.
3951 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3952 !memcmp(data->hash192, ZERO_KEY, 16))
3958 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3960 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3961 struct hci_conn *conn;
3963 BT_DBG("%s", hdev->name);
3967 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3971 hci_conn_hold(conn);
3973 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3976 /* Allow pairing if we're pairable, the initiators of the
3977 * pairing or if the remote is not requesting bonding.
3979 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3980 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3981 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3982 struct hci_cp_io_capability_reply cp;
3984 bacpy(&cp.bdaddr, &ev->bdaddr);
3985 /* Change the IO capability from KeyboardDisplay
3986 * to DisplayYesNo as it is not supported by BT spec. */
3987 cp.capability = (conn->io_capability == 0x04) ?
3988 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3990 /* If we are initiators, there is no remote information yet */
3991 if (conn->remote_auth == 0xff) {
3992 /* Request MITM protection if our IO caps allow it
3993 * except for the no-bonding case.
3995 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3996 conn->auth_type != HCI_AT_NO_BONDING)
3997 conn->auth_type |= 0x01;
3999 conn->auth_type = hci_get_auth_req(conn);
4002 /* If we're not bondable, force one of the non-bondable
4003 * authentication requirement values.
4005 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4006 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4008 cp.authentication = conn->auth_type;
4009 cp.oob_data = bredr_oob_data_present(conn);
4011 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4014 struct hci_cp_io_capability_neg_reply cp;
4016 bacpy(&cp.bdaddr, &ev->bdaddr);
4017 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4019 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4024 hci_dev_unlock(hdev);
4027 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4029 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4030 struct hci_conn *conn;
4032 BT_DBG("%s", hdev->name);
4036 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4040 conn->remote_cap = ev->capability;
4041 conn->remote_auth = ev->authentication;
4044 hci_dev_unlock(hdev);
4047 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4048 struct sk_buff *skb)
4050 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4051 int loc_mitm, rem_mitm, confirm_hint = 0;
4052 struct hci_conn *conn;
4054 BT_DBG("%s", hdev->name);
4058 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4061 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4065 loc_mitm = (conn->auth_type & 0x01);
4066 rem_mitm = (conn->remote_auth & 0x01);
4068 /* If we require MITM but the remote device can't provide that
4069 * (it has NoInputNoOutput) then reject the confirmation
4070 * request. We check the security level here since it doesn't
4071 * necessarily match conn->auth_type.
4073 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4074 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4075 BT_DBG("Rejecting request: remote device can't provide MITM");
4076 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4077 sizeof(ev->bdaddr), &ev->bdaddr);
4081 /* If no side requires MITM protection; auto-accept */
4082 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4083 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4085 /* If we're not the initiators request authorization to
4086 * proceed from user space (mgmt_user_confirm with
4087 * confirm_hint set to 1). The exception is if neither
4088 * side had MITM or if the local IO capability is
4089 * NoInputNoOutput, in which case we do auto-accept
4091 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4092 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4093 (loc_mitm || rem_mitm)) {
4094 BT_DBG("Confirming auto-accept as acceptor");
4099 BT_DBG("Auto-accept of user confirmation with %ums delay",
4100 hdev->auto_accept_delay);
4102 if (hdev->auto_accept_delay > 0) {
4103 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4104 queue_delayed_work(conn->hdev->workqueue,
4105 &conn->auto_accept_work, delay);
4109 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4110 sizeof(ev->bdaddr), &ev->bdaddr);
4115 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4116 le32_to_cpu(ev->passkey), confirm_hint);
4119 hci_dev_unlock(hdev);
4122 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4123 struct sk_buff *skb)
4125 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4127 BT_DBG("%s", hdev->name);
4129 if (hci_dev_test_flag(hdev, HCI_MGMT))
4130 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4133 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4134 struct sk_buff *skb)
4136 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4137 struct hci_conn *conn;
4139 BT_DBG("%s", hdev->name);
4141 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4145 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4146 conn->passkey_entered = 0;
4148 if (hci_dev_test_flag(hdev, HCI_MGMT))
4149 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4150 conn->dst_type, conn->passkey_notify,
4151 conn->passkey_entered);
4154 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4156 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4157 struct hci_conn *conn;
4159 BT_DBG("%s", hdev->name);
4161 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4166 case HCI_KEYPRESS_STARTED:
4167 conn->passkey_entered = 0;
4170 case HCI_KEYPRESS_ENTERED:
4171 conn->passkey_entered++;
4174 case HCI_KEYPRESS_ERASED:
4175 conn->passkey_entered--;
4178 case HCI_KEYPRESS_CLEARED:
4179 conn->passkey_entered = 0;
4182 case HCI_KEYPRESS_COMPLETED:
4186 if (hci_dev_test_flag(hdev, HCI_MGMT))
4187 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4188 conn->dst_type, conn->passkey_notify,
4189 conn->passkey_entered);
4192 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4193 struct sk_buff *skb)
4195 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4196 struct hci_conn *conn;
4198 BT_DBG("%s", hdev->name);
4202 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4206 /* Reset the authentication requirement to unknown */
4207 conn->remote_auth = 0xff;
4209 /* To avoid duplicate auth_failed events to user space we check
4210 * the HCI_CONN_AUTH_PEND flag which will be set if we
4211 * initiated the authentication. A traditional auth_complete
4212 * event gets always produced as initiator and is also mapped to
4213 * the mgmt_auth_failed event */
4214 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4215 mgmt_auth_failed(conn, ev->status);
4217 hci_conn_drop(conn);
4220 hci_dev_unlock(hdev);
4223 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4224 struct sk_buff *skb)
4226 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4227 struct inquiry_entry *ie;
4228 struct hci_conn *conn;
4230 BT_DBG("%s", hdev->name);
4234 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4236 memcpy(conn->features[1], ev->features, 8);
4238 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4240 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4242 hci_dev_unlock(hdev);
4245 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4246 struct sk_buff *skb)
4248 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4249 struct oob_data *data;
4251 BT_DBG("%s", hdev->name);
4255 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4258 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4260 struct hci_cp_remote_oob_data_neg_reply cp;
4262 bacpy(&cp.bdaddr, &ev->bdaddr);
4263 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4268 if (bredr_sc_enabled(hdev)) {
4269 struct hci_cp_remote_oob_ext_data_reply cp;
4271 bacpy(&cp.bdaddr, &ev->bdaddr);
4272 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4273 memset(cp.hash192, 0, sizeof(cp.hash192));
4274 memset(cp.rand192, 0, sizeof(cp.rand192));
4276 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4277 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4279 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4280 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4282 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4285 struct hci_cp_remote_oob_data_reply cp;
4287 bacpy(&cp.bdaddr, &ev->bdaddr);
4288 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4289 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4291 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4296 hci_dev_unlock(hdev);
4299 #if IS_ENABLED(CONFIG_BT_HS)
4300 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4302 struct hci_ev_channel_selected *ev = (void *)skb->data;
4303 struct hci_conn *hcon;
4305 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4307 skb_pull(skb, sizeof(*ev));
4309 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4313 amp_read_loc_assoc_final_data(hdev, hcon);
4316 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4317 struct sk_buff *skb)
4319 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4320 struct hci_conn *hcon, *bredr_hcon;
4322 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4327 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4329 hci_dev_unlock(hdev);
4335 hci_dev_unlock(hdev);
4339 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4341 hcon->state = BT_CONNECTED;
4342 bacpy(&hcon->dst, &bredr_hcon->dst);
4344 hci_conn_hold(hcon);
4345 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4346 hci_conn_drop(hcon);
4348 hci_debugfs_create_conn(hcon);
4349 hci_conn_add_sysfs(hcon);
4351 amp_physical_cfm(bredr_hcon, hcon);
4353 hci_dev_unlock(hdev);
4356 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4358 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4359 struct hci_conn *hcon;
4360 struct hci_chan *hchan;
4361 struct amp_mgr *mgr;
4363 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4364 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4367 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4371 /* Create AMP hchan */
4372 hchan = hci_chan_create(hcon);
4376 hchan->handle = le16_to_cpu(ev->handle);
4378 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4380 mgr = hcon->amp_mgr;
4381 if (mgr && mgr->bredr_chan) {
4382 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4384 l2cap_chan_lock(bredr_chan);
4386 bredr_chan->conn->mtu = hdev->block_mtu;
4387 l2cap_logical_cfm(bredr_chan, hchan, 0);
4388 hci_conn_hold(hcon);
4390 l2cap_chan_unlock(bredr_chan);
4394 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4395 struct sk_buff *skb)
4397 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4398 struct hci_chan *hchan;
4400 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4401 le16_to_cpu(ev->handle), ev->status);
4408 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4412 amp_destroy_logical_link(hchan, ev->reason);
4415 hci_dev_unlock(hdev);
4418 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4419 struct sk_buff *skb)
4421 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4422 struct hci_conn *hcon;
4424 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4431 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4433 hcon->state = BT_CLOSED;
4437 hci_dev_unlock(hdev);
4441 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4443 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4444 struct hci_conn_params *params;
4445 struct hci_conn *conn;
4446 struct smp_irk *irk;
4449 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4453 /* All controllers implicitly stop advertising in the event of a
4454 * connection, so ensure that the state bit is cleared.
4456 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4458 conn = hci_lookup_le_connect(hdev);
4460 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4462 BT_ERR("No memory for new connection");
4466 conn->dst_type = ev->bdaddr_type;
4468 /* If we didn't have a hci_conn object previously
4469 * but we're in master role this must be something
4470 * initiated using a white list. Since white list based
4471 * connections are not "first class citizens" we don't
4472 * have full tracking of them. Therefore, we go ahead
4473 * with a "best effort" approach of determining the
4474 * initiator address based on the HCI_PRIVACY flag.
4477 conn->resp_addr_type = ev->bdaddr_type;
4478 bacpy(&conn->resp_addr, &ev->bdaddr);
4479 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4480 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4481 bacpy(&conn->init_addr, &hdev->rpa);
4483 hci_copy_identity_address(hdev,
4485 &conn->init_addr_type);
4489 cancel_delayed_work(&conn->le_conn_timeout);
4493 /* Set the responder (our side) address type based on
4494 * the advertising address type.
4496 conn->resp_addr_type = hdev->adv_addr_type;
4497 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4498 bacpy(&conn->resp_addr, &hdev->random_addr);
4500 bacpy(&conn->resp_addr, &hdev->bdaddr);
4502 conn->init_addr_type = ev->bdaddr_type;
4503 bacpy(&conn->init_addr, &ev->bdaddr);
4505 /* For incoming connections, set the default minimum
4506 * and maximum connection interval. They will be used
4507 * to check if the parameters are in range and if not
4508 * trigger the connection update procedure.
4510 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4511 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4514 /* Lookup the identity address from the stored connection
4515 * address and address type.
4517 * When establishing connections to an identity address, the
4518 * connection procedure will store the resolvable random
4519 * address first. Now if it can be converted back into the
4520 * identity address, start using the identity address from
4523 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4525 bacpy(&conn->dst, &irk->bdaddr);
4526 conn->dst_type = irk->addr_type;
4530 hci_le_conn_failed(conn, ev->status);
4534 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4535 addr_type = BDADDR_LE_PUBLIC;
4537 addr_type = BDADDR_LE_RANDOM;
4539 /* Drop the connection if the device is blocked */
4540 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4541 hci_conn_drop(conn);
4545 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4546 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4548 conn->sec_level = BT_SECURITY_LOW;
4549 conn->handle = __le16_to_cpu(ev->handle);
4550 conn->state = BT_CONFIG;
4552 conn->le_conn_interval = le16_to_cpu(ev->interval);
4553 conn->le_conn_latency = le16_to_cpu(ev->latency);
4554 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4556 hci_debugfs_create_conn(conn);
4557 hci_conn_add_sysfs(conn);
4560 /* The remote features procedure is defined for master
4561 * role only. So only in case of an initiated connection
4562 * request the remote features.
4564 * If the local controller supports slave-initiated features
4565 * exchange, then requesting the remote features in slave
4566 * role is possible. Otherwise just transition into the
4567 * connected state without requesting the remote features.
4570 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4571 struct hci_cp_le_read_remote_features cp;
4573 cp.handle = __cpu_to_le16(conn->handle);
4575 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4578 hci_conn_hold(conn);
4580 conn->state = BT_CONNECTED;
4581 hci_connect_cfm(conn, ev->status);
4584 hci_connect_cfm(conn, ev->status);
4587 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4590 list_del_init(¶ms->action);
4592 hci_conn_drop(params->conn);
4593 hci_conn_put(params->conn);
4594 params->conn = NULL;
4599 hci_update_background_scan(hdev);
4600 hci_dev_unlock(hdev);
4603 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4604 struct sk_buff *skb)
4606 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4607 struct hci_conn *conn;
4609 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4616 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4618 conn->le_conn_interval = le16_to_cpu(ev->interval);
4619 conn->le_conn_latency = le16_to_cpu(ev->latency);
4620 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4623 hci_dev_unlock(hdev);
4626 /* This function requires the caller holds hdev->lock */
4627 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4629 u8 addr_type, u8 adv_type)
4631 struct hci_conn *conn;
4632 struct hci_conn_params *params;
4634 /* If the event is not connectable don't proceed further */
4635 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4638 /* Ignore if the device is blocked */
4639 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4642 /* Most controller will fail if we try to create new connections
4643 * while we have an existing one in slave role.
4645 if (hdev->conn_hash.le_num_slave > 0)
4648 /* If we're not connectable only connect devices that we have in
4649 * our pend_le_conns list.
4651 params = hci_explicit_connect_lookup(hdev, addr, addr_type);
4656 if (!params->explicit_connect) {
4657 switch (params->auto_connect) {
4658 case HCI_AUTO_CONN_DIRECT:
4659 /* Only devices advertising with ADV_DIRECT_IND are
4660 * triggering a connection attempt. This is allowing
4661 * incoming connections from slave devices.
4663 if (adv_type != LE_ADV_DIRECT_IND)
4666 case HCI_AUTO_CONN_ALWAYS:
4667 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4668 * are triggering a connection attempt. This means
4669 * that incoming connectioms from slave device are
4670 * accepted and also outgoing connections to slave
4671 * devices are established when found.
4679 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4680 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4681 if (!IS_ERR(conn)) {
4682 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4683 * by higher layer that tried to connect, if no then
4684 * store the pointer since we don't really have any
4685 * other owner of the object besides the params that
4686 * triggered it. This way we can abort the connection if
4687 * the parameters get removed and keep the reference
4688 * count consistent once the connection is established.
4691 if (!params->explicit_connect)
4692 params->conn = hci_conn_get(conn);
4697 switch (PTR_ERR(conn)) {
4699 /* If hci_connect() returns -EBUSY it means there is already
4700 * an LE connection attempt going on. Since controllers don't
4701 * support more than one connection attempt at the time, we
4702 * don't consider this an error case.
4706 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4713 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4714 u8 bdaddr_type, bdaddr_t *direct_addr,
4715 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4717 struct discovery_state *d = &hdev->discovery;
4718 struct smp_irk *irk;
4719 struct hci_conn *conn;
4723 /* If the direct address is present, then this report is from
4724 * a LE Direct Advertising Report event. In that case it is
4725 * important to see if the address is matching the local
4726 * controller address.
4729 /* Only resolvable random addresses are valid for these
4730 * kind of reports and others can be ignored.
4732 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4735 /* If the controller is not using resolvable random
4736 * addresses, then this report can be ignored.
4738 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4741 /* If the local IRK of the controller does not match
4742 * with the resolvable random address provided, then
4743 * this report can be ignored.
4745 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4749 /* Check if we need to convert to identity address */
4750 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4752 bdaddr = &irk->bdaddr;
4753 bdaddr_type = irk->addr_type;
4756 /* Check if we have been requested to connect to this device */
4757 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4758 if (conn && type == LE_ADV_IND) {
4759 /* Store report for later inclusion by
4760 * mgmt_device_connected
4762 memcpy(conn->le_adv_data, data, len);
4763 conn->le_adv_data_len = len;
4766 /* Passive scanning shouldn't trigger any device found events,
4767 * except for devices marked as CONN_REPORT for which we do send
4768 * device found events.
4770 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4771 if (type == LE_ADV_DIRECT_IND)
4774 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4775 bdaddr, bdaddr_type))
4778 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4779 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4782 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4783 rssi, flags, data, len, NULL, 0);
4787 /* When receiving non-connectable or scannable undirected
4788 * advertising reports, this means that the remote device is
4789 * not connectable and then clearly indicate this in the
4790 * device found event.
4792 * When receiving a scan response, then there is no way to
4793 * know if the remote device is connectable or not. However
4794 * since scan responses are merged with a previously seen
4795 * advertising report, the flags field from that report
4798 * In the really unlikely case that a controller get confused
4799 * and just sends a scan response event, then it is marked as
4800 * not connectable as well.
4802 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4803 type == LE_ADV_SCAN_RSP)
4804 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4808 /* If there's nothing pending either store the data from this
4809 * event or send an immediate device found event if the data
4810 * should not be stored for later.
4812 if (!has_pending_adv_report(hdev)) {
4813 /* If the report will trigger a SCAN_REQ store it for
4816 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4817 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4818 rssi, flags, data, len);
4822 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4823 rssi, flags, data, len, NULL, 0);
4827 /* Check if the pending report is for the same device as the new one */
4828 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4829 bdaddr_type == d->last_adv_addr_type);
4831 /* If the pending data doesn't match this report or this isn't a
4832 * scan response (e.g. we got a duplicate ADV_IND) then force
4833 * sending of the pending data.
4835 if (type != LE_ADV_SCAN_RSP || !match) {
4836 /* Send out whatever is in the cache, but skip duplicates */
4838 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4839 d->last_adv_addr_type, NULL,
4840 d->last_adv_rssi, d->last_adv_flags,
4842 d->last_adv_data_len, NULL, 0);
4844 /* If the new report will trigger a SCAN_REQ store it for
4847 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4848 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4849 rssi, flags, data, len);
4853 /* The advertising reports cannot be merged, so clear
4854 * the pending report and send out a device found event.
4856 clear_pending_adv_report(hdev);
4857 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4858 rssi, flags, data, len, NULL, 0);
4862 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4863 * the new event is a SCAN_RSP. We can therefore proceed with
4864 * sending a merged device found event.
4866 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4867 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4868 d->last_adv_data, d->last_adv_data_len, data, len);
4869 clear_pending_adv_report(hdev);
4872 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4874 u8 num_reports = skb->data[0];
4875 void *ptr = &skb->data[1];
4879 while (num_reports--) {
4880 struct hci_ev_le_advertising_info *ev = ptr;
4883 rssi = ev->data[ev->length];
4884 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4885 ev->bdaddr_type, NULL, 0, rssi,
4886 ev->data, ev->length);
4888 ptr += sizeof(*ev) + ev->length + 1;
4891 hci_dev_unlock(hdev);
4894 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4895 struct sk_buff *skb)
4897 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4898 struct hci_conn *conn;
4900 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4904 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4907 memcpy(conn->features[0], ev->features, 8);
4909 if (conn->state == BT_CONFIG) {
4912 /* If the local controller supports slave-initiated
4913 * features exchange, but the remote controller does
4914 * not, then it is possible that the error code 0x1a
4915 * for unsupported remote feature gets returned.
4917 * In this specific case, allow the connection to
4918 * transition into connected state and mark it as
4921 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4922 !conn->out && ev->status == 0x1a)
4925 status = ev->status;
4927 conn->state = BT_CONNECTED;
4928 hci_connect_cfm(conn, status);
4929 hci_conn_drop(conn);
4933 hci_dev_unlock(hdev);
4936 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4938 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4939 struct hci_cp_le_ltk_reply cp;
4940 struct hci_cp_le_ltk_neg_reply neg;
4941 struct hci_conn *conn;
4942 struct smp_ltk *ltk;
4944 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4948 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4952 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4956 if (smp_ltk_is_sc(ltk)) {
4957 /* With SC both EDiv and Rand are set to zero */
4958 if (ev->ediv || ev->rand)
4961 /* For non-SC keys check that EDiv and Rand match */
4962 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4966 memcpy(cp.ltk, ltk->val, ltk->enc_size);
4967 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
4968 cp.handle = cpu_to_le16(conn->handle);
4970 conn->pending_sec_level = smp_ltk_sec_level(ltk);
4972 conn->enc_key_size = ltk->enc_size;
4974 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4976 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4977 * temporary key used to encrypt a connection following
4978 * pairing. It is used during the Encrypted Session Setup to
4979 * distribute the keys. Later, security can be re-established
4980 * using a distributed LTK.
4982 if (ltk->type == SMP_STK) {
4983 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4984 list_del_rcu(<k->list);
4985 kfree_rcu(ltk, rcu);
4987 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4990 hci_dev_unlock(hdev);
4995 neg.handle = ev->handle;
4996 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4997 hci_dev_unlock(hdev);
5000 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5003 struct hci_cp_le_conn_param_req_neg_reply cp;
5005 cp.handle = cpu_to_le16(handle);
5008 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5012 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5013 struct sk_buff *skb)
5015 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5016 struct hci_cp_le_conn_param_req_reply cp;
5017 struct hci_conn *hcon;
5018 u16 handle, min, max, latency, timeout;
5020 handle = le16_to_cpu(ev->handle);
5021 min = le16_to_cpu(ev->interval_min);
5022 max = le16_to_cpu(ev->interval_max);
5023 latency = le16_to_cpu(ev->latency);
5024 timeout = le16_to_cpu(ev->timeout);
5026 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5027 if (!hcon || hcon->state != BT_CONNECTED)
5028 return send_conn_param_neg_reply(hdev, handle,
5029 HCI_ERROR_UNKNOWN_CONN_ID);
5031 if (hci_check_conn_params(min, max, latency, timeout))
5032 return send_conn_param_neg_reply(hdev, handle,
5033 HCI_ERROR_INVALID_LL_PARAMS);
5035 if (hcon->role == HCI_ROLE_MASTER) {
5036 struct hci_conn_params *params;
5041 params = hci_conn_params_lookup(hdev, &hcon->dst,
5044 params->conn_min_interval = min;
5045 params->conn_max_interval = max;
5046 params->conn_latency = latency;
5047 params->supervision_timeout = timeout;
5053 hci_dev_unlock(hdev);
5055 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5056 store_hint, min, max, latency, timeout);
5059 cp.handle = ev->handle;
5060 cp.interval_min = ev->interval_min;
5061 cp.interval_max = ev->interval_max;
5062 cp.latency = ev->latency;
5063 cp.timeout = ev->timeout;
5067 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5070 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5071 struct sk_buff *skb)
5073 u8 num_reports = skb->data[0];
5074 void *ptr = &skb->data[1];
5078 while (num_reports--) {
5079 struct hci_ev_le_direct_adv_info *ev = ptr;
5081 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5082 ev->bdaddr_type, &ev->direct_addr,
5083 ev->direct_addr_type, ev->rssi, NULL, 0);
5088 hci_dev_unlock(hdev);
5091 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5093 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5095 skb_pull(skb, sizeof(*le_ev));
5097 switch (le_ev->subevent) {
5098 case HCI_EV_LE_CONN_COMPLETE:
5099 hci_le_conn_complete_evt(hdev, skb);
5102 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5103 hci_le_conn_update_complete_evt(hdev, skb);
5106 case HCI_EV_LE_ADVERTISING_REPORT:
5107 hci_le_adv_report_evt(hdev, skb);
5110 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5111 hci_le_remote_feat_complete_evt(hdev, skb);
5114 case HCI_EV_LE_LTK_REQ:
5115 hci_le_ltk_request_evt(hdev, skb);
5118 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5119 hci_le_remote_conn_param_req_evt(hdev, skb);
5122 case HCI_EV_LE_DIRECT_ADV_REPORT:
5123 hci_le_direct_adv_report_evt(hdev, skb);
5131 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5132 u8 event, struct sk_buff *skb)
5134 struct hci_ev_cmd_complete *ev;
5135 struct hci_event_hdr *hdr;
5140 if (skb->len < sizeof(*hdr)) {
5141 BT_ERR("Too short HCI event");
5145 hdr = (void *) skb->data;
5146 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5149 if (hdr->evt != event)
5154 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5155 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5159 if (skb->len < sizeof(*ev)) {
5160 BT_ERR("Too short cmd_complete event");
5164 ev = (void *) skb->data;
5165 skb_pull(skb, sizeof(*ev));
5167 if (opcode != __le16_to_cpu(ev->opcode)) {
5168 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5169 __le16_to_cpu(ev->opcode));
5176 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5178 struct hci_event_hdr *hdr = (void *) skb->data;
5179 hci_req_complete_t req_complete = NULL;
5180 hci_req_complete_skb_t req_complete_skb = NULL;
5181 struct sk_buff *orig_skb = NULL;
5182 u8 status = 0, event = hdr->evt, req_evt = 0;
5183 u16 opcode = HCI_OP_NOP;
5185 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
5186 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5187 opcode = __le16_to_cpu(cmd_hdr->opcode);
5188 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5193 /* If it looks like we might end up having to call
5194 * req_complete_skb, store a pristine copy of the skb since the
5195 * various handlers may modify the original one through
5196 * skb_pull() calls, etc.
5198 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5199 event == HCI_EV_CMD_COMPLETE)
5200 orig_skb = skb_clone(skb, GFP_KERNEL);
5202 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5205 case HCI_EV_INQUIRY_COMPLETE:
5206 hci_inquiry_complete_evt(hdev, skb);
5209 case HCI_EV_INQUIRY_RESULT:
5210 hci_inquiry_result_evt(hdev, skb);
5213 case HCI_EV_CONN_COMPLETE:
5214 hci_conn_complete_evt(hdev, skb);
5217 case HCI_EV_CONN_REQUEST:
5218 hci_conn_request_evt(hdev, skb);
5221 case HCI_EV_DISCONN_COMPLETE:
5222 hci_disconn_complete_evt(hdev, skb);
5225 case HCI_EV_AUTH_COMPLETE:
5226 hci_auth_complete_evt(hdev, skb);
5229 case HCI_EV_REMOTE_NAME:
5230 hci_remote_name_evt(hdev, skb);
5233 case HCI_EV_ENCRYPT_CHANGE:
5234 hci_encrypt_change_evt(hdev, skb);
5237 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5238 hci_change_link_key_complete_evt(hdev, skb);
5241 case HCI_EV_REMOTE_FEATURES:
5242 hci_remote_features_evt(hdev, skb);
5245 case HCI_EV_CMD_COMPLETE:
5246 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5247 &req_complete, &req_complete_skb);
5250 case HCI_EV_CMD_STATUS:
5251 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5255 case HCI_EV_HARDWARE_ERROR:
5256 hci_hardware_error_evt(hdev, skb);
5259 case HCI_EV_ROLE_CHANGE:
5260 hci_role_change_evt(hdev, skb);
5263 case HCI_EV_NUM_COMP_PKTS:
5264 hci_num_comp_pkts_evt(hdev, skb);
5267 case HCI_EV_MODE_CHANGE:
5268 hci_mode_change_evt(hdev, skb);
5271 case HCI_EV_PIN_CODE_REQ:
5272 hci_pin_code_request_evt(hdev, skb);
5275 case HCI_EV_LINK_KEY_REQ:
5276 hci_link_key_request_evt(hdev, skb);
5279 case HCI_EV_LINK_KEY_NOTIFY:
5280 hci_link_key_notify_evt(hdev, skb);
5283 case HCI_EV_CLOCK_OFFSET:
5284 hci_clock_offset_evt(hdev, skb);
5287 case HCI_EV_PKT_TYPE_CHANGE:
5288 hci_pkt_type_change_evt(hdev, skb);
5291 case HCI_EV_PSCAN_REP_MODE:
5292 hci_pscan_rep_mode_evt(hdev, skb);
5295 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5296 hci_inquiry_result_with_rssi_evt(hdev, skb);
5299 case HCI_EV_REMOTE_EXT_FEATURES:
5300 hci_remote_ext_features_evt(hdev, skb);
5303 case HCI_EV_SYNC_CONN_COMPLETE:
5304 hci_sync_conn_complete_evt(hdev, skb);
5307 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5308 hci_extended_inquiry_result_evt(hdev, skb);
5311 case HCI_EV_KEY_REFRESH_COMPLETE:
5312 hci_key_refresh_complete_evt(hdev, skb);
5315 case HCI_EV_IO_CAPA_REQUEST:
5316 hci_io_capa_request_evt(hdev, skb);
5319 case HCI_EV_IO_CAPA_REPLY:
5320 hci_io_capa_reply_evt(hdev, skb);
5323 case HCI_EV_USER_CONFIRM_REQUEST:
5324 hci_user_confirm_request_evt(hdev, skb);
5327 case HCI_EV_USER_PASSKEY_REQUEST:
5328 hci_user_passkey_request_evt(hdev, skb);
5331 case HCI_EV_USER_PASSKEY_NOTIFY:
5332 hci_user_passkey_notify_evt(hdev, skb);
5335 case HCI_EV_KEYPRESS_NOTIFY:
5336 hci_keypress_notify_evt(hdev, skb);
5339 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5340 hci_simple_pair_complete_evt(hdev, skb);
5343 case HCI_EV_REMOTE_HOST_FEATURES:
5344 hci_remote_host_features_evt(hdev, skb);
5347 case HCI_EV_LE_META:
5348 hci_le_meta_evt(hdev, skb);
5351 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5352 hci_remote_oob_data_request_evt(hdev, skb);
5355 #if IS_ENABLED(CONFIG_BT_HS)
5356 case HCI_EV_CHANNEL_SELECTED:
5357 hci_chan_selected_evt(hdev, skb);
5360 case HCI_EV_PHY_LINK_COMPLETE:
5361 hci_phy_link_complete_evt(hdev, skb);
5364 case HCI_EV_LOGICAL_LINK_COMPLETE:
5365 hci_loglink_complete_evt(hdev, skb);
5368 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5369 hci_disconn_loglink_complete_evt(hdev, skb);
5372 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5373 hci_disconn_phylink_complete_evt(hdev, skb);
5377 case HCI_EV_NUM_COMP_BLOCKS:
5378 hci_num_comp_blocks_evt(hdev, skb);
5382 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5387 req_complete(hdev, status, opcode);
5388 } else if (req_complete_skb) {
5389 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5390 kfree_skb(orig_skb);
5393 req_complete_skb(hdev, status, opcode, orig_skb);
5396 kfree_skb(orig_skb);
5398 hdev->stat.evt_rx++;
projects / cascardo / linux.git / blob