2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
158 conn->link_policy = get_unaligned_le16(sent + 2);
160 hci_dev_unlock(hdev);
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
173 hdev->link_policy = __le16_to_cpu(rp->policy);
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
179 __u8 status = *((__u8 *) skb->data);
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
191 hdev->link_policy = get_unaligned_le16(sent);
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
196 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
200 clear_bit(HCI_RESET, &hdev->flags);
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
221 hdev->ssp_debug_mode = 0;
223 hci_bdaddr_list_clear(&hdev->le_white_list);
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 struct hci_cp_read_stored_link_key *sent;
232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
238 if (!rp->status && sent->read_all == 0x01) {
239 hdev->stored_max_keys = rp->max_keys;
240 hdev->stored_num_keys = rp->num_keys;
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
254 if (rp->num_keys <= hdev->stored_num_keys)
255 hdev->stored_num_keys -= rp->num_keys;
257 hdev->stored_num_keys = 0;
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262 __u8 status = *((__u8 *) skb->data);
265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
273 if (hci_dev_test_flag(hdev, HCI_MGMT))
274 mgmt_set_local_name_complete(hdev, sent, status);
276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278 hci_dev_unlock(hdev);
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283 struct hci_rp_read_local_name *rp = (void *) skb->data;
285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
290 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 hci_dev_test_flag(hdev, HCI_CONFIG))
292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297 __u8 status = *((__u8 *) skb->data);
300 BT_DBG("%s status 0x%2.2x", hdev->name, status);
302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
309 __u8 param = *((__u8 *) sent);
311 if (param == AUTH_ENABLED)
312 set_bit(HCI_AUTH, &hdev->flags);
314 clear_bit(HCI_AUTH, &hdev->flags);
317 if (hci_dev_test_flag(hdev, HCI_MGMT))
318 mgmt_auth_enable_complete(hdev, status);
320 hci_dev_unlock(hdev);
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325 __u8 status = *((__u8 *) skb->data);
329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
338 param = *((__u8 *) sent);
341 set_bit(HCI_ENCRYPT, &hdev->flags);
343 clear_bit(HCI_ENCRYPT, &hdev->flags);
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348 __u8 status = *((__u8 *) skb->data);
352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
358 param = *((__u8 *) sent);
363 hdev->discov_timeout = 0;
367 if (param & SCAN_INQUIRY)
368 set_bit(HCI_ISCAN, &hdev->flags);
370 clear_bit(HCI_ISCAN, &hdev->flags);
372 if (param & SCAN_PAGE)
373 set_bit(HCI_PSCAN, &hdev->flags);
375 clear_bit(HCI_PSCAN, &hdev->flags);
378 hci_dev_unlock(hdev);
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
390 memcpy(hdev->dev_class, rp->dev_class, 3);
392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398 __u8 status = *((__u8 *) skb->data);
401 BT_DBG("%s status 0x%2.2x", hdev->name, status);
403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
410 memcpy(hdev->dev_class, sent, 3);
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_set_class_of_dev_complete(hdev, sent, status);
415 hci_dev_unlock(hdev);
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
428 setting = __le16_to_cpu(rp->voice_setting);
430 if (hdev->voice_setting == setting)
433 hdev->voice_setting = setting;
435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
444 __u8 status = *((__u8 *) skb->data);
448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
457 setting = get_unaligned_le16(sent);
459 if (hdev->voice_setting == setting)
462 hdev->voice_setting = setting;
464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
480 hdev->num_iac = rp->num_iac;
482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487 __u8 status = *((__u8 *) skb->data);
488 struct hci_cp_write_ssp_mode *sent;
490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
500 hdev->features[1][0] |= LMP_HOST_SSP;
502 hdev->features[1][0] &= ~LMP_HOST_SSP;
505 if (hci_dev_test_flag(hdev, HCI_MGMT))
506 mgmt_ssp_enable_complete(hdev, sent->mode, status);
509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
514 hci_dev_unlock(hdev);
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519 u8 status = *((u8 *) skb->data);
520 struct hci_cp_write_sc_support *sent;
522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
532 hdev->features[1][0] |= LMP_HOST_SC;
534 hdev->features[1][0] &= ~LMP_HOST_SC;
537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
544 hci_dev_unlock(hdev);
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549 struct hci_rp_read_local_version *rp = (void *) skb->data;
551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
556 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 hdev->hci_ver = rp->hci_ver;
559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 hdev->lmp_ver = rp->lmp_ver;
561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
569 struct hci_rp_read_local_commands *rp = (void *) skb->data;
571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
576 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 hci_dev_test_flag(hdev, HCI_CONFIG))
578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
584 struct hci_rp_read_local_features *rp = (void *) skb->data;
586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
591 memcpy(hdev->features, rp->features, 8);
593 /* Adjust default settings according to features
594 * supported by device. */
596 if (hdev->features[0][0] & LMP_3SLOT)
597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
599 if (hdev->features[0][0] & LMP_5SLOT)
600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
602 if (hdev->features[0][1] & LMP_HV2) {
603 hdev->pkt_type |= (HCI_HV2);
604 hdev->esco_type |= (ESCO_HV2);
607 if (hdev->features[0][1] & LMP_HV3) {
608 hdev->pkt_type |= (HCI_HV3);
609 hdev->esco_type |= (ESCO_HV3);
612 if (lmp_esco_capable(hdev))
613 hdev->esco_type |= (ESCO_EV3);
615 if (hdev->features[0][4] & LMP_EV4)
616 hdev->esco_type |= (ESCO_EV4);
618 if (hdev->features[0][4] & LMP_EV5)
619 hdev->esco_type |= (ESCO_EV5);
621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 hdev->esco_type |= (ESCO_2EV3);
624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 hdev->esco_type |= (ESCO_3EV3);
627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
641 if (hdev->max_page < rp->max_page)
642 hdev->max_page = rp->max_page;
644 if (rp->page < HCI_MAX_PAGES)
645 memcpy(hdev->features[rp->page], rp->features, 8);
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
658 hdev->flow_ctl_mode = rp->mode;
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
671 hdev->sco_mtu = rp->sco_mtu;
672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
680 hdev->acl_cnt = hdev->acl_pkts;
681 hdev->sco_cnt = hdev->sco_pkts;
683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
689 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
696 if (test_bit(HCI_INIT, &hdev->flags))
697 bacpy(&hdev->bdaddr, &rp->bdaddr);
699 if (hci_dev_test_flag(hdev, HCI_SETUP))
700 bacpy(&hdev->setup_addr, &rp->bdaddr);
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
713 if (test_bit(HCI_INIT, &hdev->flags)) {
714 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 hdev->page_scan_window = __le16_to_cpu(rp->window);
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
722 u8 status = *((u8 *) skb->data);
723 struct hci_cp_write_page_scan_activity *sent;
725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
734 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 hdev->page_scan_window = __le16_to_cpu(sent->window);
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
748 if (test_bit(HCI_INIT, &hdev->flags))
749 hdev->page_scan_type = rp->type;
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
755 u8 status = *((u8 *) skb->data);
758 BT_DBG("%s status 0x%2.2x", hdev->name, status);
763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
765 hdev->page_scan_type = *type;
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
771 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 hdev->block_len = __le16_to_cpu(rp->block_len);
780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
782 hdev->block_cnt = hdev->num_blocks;
784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 hdev->block_cnt, hdev->block_len);
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
790 struct hci_rp_read_clock *rp = (void *) skb->data;
791 struct hci_cp_read_clock *cp;
792 struct hci_conn *conn;
794 BT_DBG("%s", hdev->name);
796 if (skb->len < sizeof(*rp))
804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
808 if (cp->which == 0x00) {
809 hdev->clock = le32_to_cpu(rp->clock);
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
815 conn->clock = le32_to_cpu(rp->clock);
816 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
820 hci_dev_unlock(hdev);
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
833 hdev->amp_status = rp->amp_status;
834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 hdev->amp_type = rp->amp_type;
839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
855 hdev->inq_tx_power = rp->tx_power;
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
860 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 struct hci_cp_pin_code_reply *cp;
862 struct hci_conn *conn;
864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
868 if (hci_dev_test_flag(hdev, HCI_MGMT))
869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
880 conn->pin_length = cp->pin_len;
883 hci_dev_unlock(hdev);
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
894 if (hci_dev_test_flag(hdev, HCI_MGMT))
895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
898 hci_dev_unlock(hdev);
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 hdev->le_pkts = rp->le_max_pkt;
914 hdev->le_cnt = hdev->le_pkts;
916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
922 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
929 memcpy(hdev->le_features, rp->features, 8);
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
942 hdev->adv_tx_power = rp->tx_power;
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
953 if (hci_dev_test_flag(hdev, HCI_MGMT))
954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
957 hci_dev_unlock(hdev);
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 ACL_LINK, 0, rp->status);
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
984 if (hci_dev_test_flag(hdev, HCI_MGMT))
985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
988 hci_dev_unlock(hdev);
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 ACL_LINK, 0, rp->status);
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 struct sk_buff *skb)
1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1025 __u8 status = *((__u8 *) skb->data);
1028 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1039 bacpy(&hdev->random_addr, sent);
1041 hci_dev_unlock(hdev);
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1046 __u8 *sent, status = *((__u8 *) skb->data);
1048 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1059 /* If we're doing connection initiation as peripheral. Set a
1060 * timeout in case something goes wrong.
1063 struct hci_conn *conn;
1065 hci_dev_set_flag(hdev, HCI_LE_ADV);
1067 conn = hci_lookup_le_connect(hdev);
1069 queue_delayed_work(hdev->workqueue,
1070 &conn->le_conn_timeout,
1071 conn->conn_timeout);
1073 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1076 hci_dev_unlock(hdev);
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1081 struct hci_cp_le_set_scan_param *cp;
1082 __u8 status = *((__u8 *) skb->data);
1084 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1095 hdev->le_scan_type = cp->type;
1097 hci_dev_unlock(hdev);
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1102 struct discovery_state *d = &hdev->discovery;
1104 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1109 struct discovery_state *d = &hdev->discovery;
1111 bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 d->last_adv_data_len = 0;
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 u8 bdaddr_type, s8 rssi, u32 flags,
1119 struct discovery_state *d = &hdev->discovery;
1121 bacpy(&d->last_adv_addr, bdaddr);
1122 d->last_adv_addr_type = bdaddr_type;
1123 d->last_adv_rssi = rssi;
1124 d->last_adv_flags = flags;
1125 memcpy(d->last_adv_data, data, len);
1126 d->last_adv_data_len = len;
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 struct sk_buff *skb)
1132 struct hci_cp_le_set_scan_enable *cp;
1133 __u8 status = *((__u8 *) skb->data);
1135 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1146 switch (cp->enable) {
1147 case LE_SCAN_ENABLE:
1148 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 clear_pending_adv_report(hdev);
1153 case LE_SCAN_DISABLE:
1154 /* We do this here instead of when setting DISCOVERY_STOPPED
1155 * since the latter would potentially require waiting for
1156 * inquiry to stop too.
1158 if (has_pending_adv_report(hdev)) {
1159 struct discovery_state *d = &hdev->discovery;
1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 d->last_adv_addr_type, NULL,
1163 d->last_adv_rssi, d->last_adv_flags,
1165 d->last_adv_data_len, NULL, 0);
1168 /* Cancel this timer so that we don't try to disable scanning
1169 * when it's already disabled.
1171 cancel_delayed_work(&hdev->le_scan_disable);
1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 * interrupted scanning due to a connect request. Mark
1177 * therefore discovery as stopped. If this was not
1178 * because of a connect request advertising might have
1179 * been disabled because of active scanning, so
1180 * re-enable it again if necessary.
1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 hdev->discovery.state == DISCOVERY_FINDING)
1186 hci_req_reenable_advertising(hdev);
1191 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1195 hci_dev_unlock(hdev);
1198 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1199 struct sk_buff *skb)
1201 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1203 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1208 hdev->le_white_list_size = rp->size;
1211 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1212 struct sk_buff *skb)
1214 __u8 status = *((__u8 *) skb->data);
1216 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1221 hci_bdaddr_list_clear(&hdev->le_white_list);
1224 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1225 struct sk_buff *skb)
1227 struct hci_cp_le_add_to_white_list *sent;
1228 __u8 status = *((__u8 *) skb->data);
1230 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1235 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1239 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1243 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1244 struct sk_buff *skb)
1246 struct hci_cp_le_del_from_white_list *sent;
1247 __u8 status = *((__u8 *) skb->data);
1249 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1254 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1258 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1262 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1263 struct sk_buff *skb)
1265 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1267 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1272 memcpy(hdev->le_states, rp->le_states, 8);
1275 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1286 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1289 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1290 struct sk_buff *skb)
1292 struct hci_cp_le_write_def_data_len *sent;
1293 __u8 status = *((__u8 *) skb->data);
1295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1300 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1304 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1305 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1308 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1309 struct sk_buff *skb)
1311 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1313 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1318 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1319 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1320 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1321 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1324 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1325 struct sk_buff *skb)
1327 struct hci_cp_write_le_host_supported *sent;
1328 __u8 status = *((__u8 *) skb->data);
1330 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1342 hdev->features[1][0] |= LMP_HOST_LE;
1343 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1345 hdev->features[1][0] &= ~LMP_HOST_LE;
1346 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1347 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1351 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1353 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1355 hci_dev_unlock(hdev);
1358 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1360 struct hci_cp_le_set_adv_param *cp;
1361 u8 status = *((u8 *) skb->data);
1363 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1368 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1373 hdev->adv_addr_type = cp->own_address_type;
1374 hci_dev_unlock(hdev);
1377 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1379 struct hci_rp_read_rssi *rp = (void *) skb->data;
1380 struct hci_conn *conn;
1382 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1389 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1391 conn->rssi = rp->rssi;
1393 hci_dev_unlock(hdev);
1396 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1398 struct hci_cp_read_tx_power *sent;
1399 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1400 struct hci_conn *conn;
1402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1407 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1417 switch (sent->type) {
1419 conn->tx_power = rp->tx_power;
1422 conn->max_tx_power = rp->tx_power;
1427 hci_dev_unlock(hdev);
1430 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1432 u8 status = *((u8 *) skb->data);
1435 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1440 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1442 hdev->ssp_debug_mode = *mode;
1445 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1447 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1450 hci_conn_check_pending(hdev);
1454 set_bit(HCI_INQUIRY, &hdev->flags);
1457 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1459 struct hci_cp_create_conn *cp;
1460 struct hci_conn *conn;
1462 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1470 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1472 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1475 if (conn && conn->state == BT_CONNECT) {
1476 if (status != 0x0c || conn->attempt > 2) {
1477 conn->state = BT_CLOSED;
1478 hci_connect_cfm(conn, status);
1481 conn->state = BT_CONNECT2;
1485 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1488 BT_ERR("No memory for new connection");
1492 hci_dev_unlock(hdev);
1495 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1497 struct hci_cp_add_sco *cp;
1498 struct hci_conn *acl, *sco;
1501 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1506 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1510 handle = __le16_to_cpu(cp->handle);
1512 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1516 acl = hci_conn_hash_lookup_handle(hdev, handle);
1520 sco->state = BT_CLOSED;
1522 hci_connect_cfm(sco, status);
1527 hci_dev_unlock(hdev);
1530 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1532 struct hci_cp_auth_requested *cp;
1533 struct hci_conn *conn;
1535 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1540 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1546 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1548 if (conn->state == BT_CONFIG) {
1549 hci_connect_cfm(conn, status);
1550 hci_conn_drop(conn);
1554 hci_dev_unlock(hdev);
1557 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1559 struct hci_cp_set_conn_encrypt *cp;
1560 struct hci_conn *conn;
1562 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1567 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1573 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1575 if (conn->state == BT_CONFIG) {
1576 hci_connect_cfm(conn, status);
1577 hci_conn_drop(conn);
1581 hci_dev_unlock(hdev);
1584 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1585 struct hci_conn *conn)
1587 if (conn->state != BT_CONFIG || !conn->out)
1590 if (conn->pending_sec_level == BT_SECURITY_SDP)
1593 /* Only request authentication for SSP connections or non-SSP
1594 * devices with sec_level MEDIUM or HIGH or if MITM protection
1597 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1598 conn->pending_sec_level != BT_SECURITY_FIPS &&
1599 conn->pending_sec_level != BT_SECURITY_HIGH &&
1600 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1606 static int hci_resolve_name(struct hci_dev *hdev,
1607 struct inquiry_entry *e)
1609 struct hci_cp_remote_name_req cp;
1611 memset(&cp, 0, sizeof(cp));
1613 bacpy(&cp.bdaddr, &e->data.bdaddr);
1614 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1615 cp.pscan_mode = e->data.pscan_mode;
1616 cp.clock_offset = e->data.clock_offset;
1618 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1621 static bool hci_resolve_next_name(struct hci_dev *hdev)
1623 struct discovery_state *discov = &hdev->discovery;
1624 struct inquiry_entry *e;
1626 if (list_empty(&discov->resolve))
1629 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1633 if (hci_resolve_name(hdev, e) == 0) {
1634 e->name_state = NAME_PENDING;
1641 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1642 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1644 struct discovery_state *discov = &hdev->discovery;
1645 struct inquiry_entry *e;
1647 /* Update the mgmt connected state if necessary. Be careful with
1648 * conn objects that exist but are not (yet) connected however.
1649 * Only those in BT_CONFIG or BT_CONNECTED states can be
1650 * considered connected.
1653 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1654 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1655 mgmt_device_connected(hdev, conn, 0, name, name_len);
1657 if (discov->state == DISCOVERY_STOPPED)
1660 if (discov->state == DISCOVERY_STOPPING)
1661 goto discov_complete;
1663 if (discov->state != DISCOVERY_RESOLVING)
1666 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1667 /* If the device was not found in a list of found devices names of which
1668 * are pending. there is no need to continue resolving a next name as it
1669 * will be done upon receiving another Remote Name Request Complete
1676 e->name_state = NAME_KNOWN;
1677 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1678 e->data.rssi, name, name_len);
1680 e->name_state = NAME_NOT_KNOWN;
1683 if (hci_resolve_next_name(hdev))
1687 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1690 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1692 struct hci_cp_remote_name_req *cp;
1693 struct hci_conn *conn;
1695 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1697 /* If successful wait for the name req complete event before
1698 * checking for the need to do authentication */
1702 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1710 if (hci_dev_test_flag(hdev, HCI_MGMT))
1711 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1716 if (!hci_outgoing_auth_needed(hdev, conn))
1719 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1720 struct hci_cp_auth_requested auth_cp;
1722 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1724 auth_cp.handle = __cpu_to_le16(conn->handle);
1725 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1726 sizeof(auth_cp), &auth_cp);
1730 hci_dev_unlock(hdev);
1733 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1735 struct hci_cp_read_remote_features *cp;
1736 struct hci_conn *conn;
1738 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1743 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1749 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1751 if (conn->state == BT_CONFIG) {
1752 hci_connect_cfm(conn, status);
1753 hci_conn_drop(conn);
1757 hci_dev_unlock(hdev);
1760 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1762 struct hci_cp_read_remote_ext_features *cp;
1763 struct hci_conn *conn;
1765 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1770 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1776 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1778 if (conn->state == BT_CONFIG) {
1779 hci_connect_cfm(conn, status);
1780 hci_conn_drop(conn);
1784 hci_dev_unlock(hdev);
1787 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1789 struct hci_cp_setup_sync_conn *cp;
1790 struct hci_conn *acl, *sco;
1793 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1798 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1802 handle = __le16_to_cpu(cp->handle);
1804 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1808 acl = hci_conn_hash_lookup_handle(hdev, handle);
1812 sco->state = BT_CLOSED;
1814 hci_connect_cfm(sco, status);
1819 hci_dev_unlock(hdev);
1822 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1824 struct hci_cp_sniff_mode *cp;
1825 struct hci_conn *conn;
1827 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1832 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1838 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1840 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1842 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1843 hci_sco_setup(conn, status);
1846 hci_dev_unlock(hdev);
1849 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1851 struct hci_cp_exit_sniff_mode *cp;
1852 struct hci_conn *conn;
1854 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1859 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1867 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1870 hci_sco_setup(conn, status);
1873 hci_dev_unlock(hdev);
1876 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1878 struct hci_cp_disconnect *cp;
1879 struct hci_conn *conn;
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1893 conn->dst_type, status);
1895 hci_dev_unlock(hdev);
1898 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1900 struct hci_cp_le_create_conn *cp;
1901 struct hci_conn *conn;
1903 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1905 /* All connection failure handling is taken care of by the
1906 * hci_le_conn_failed function which is triggered by the HCI
1907 * request completion callbacks used for connecting.
1912 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1918 conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1919 cp->peer_addr_type);
1923 /* Store the initiator and responder address information which
1924 * is needed for SMP. These values will not change during the
1925 * lifetime of the connection.
1927 conn->init_addr_type = cp->own_address_type;
1928 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1929 bacpy(&conn->init_addr, &hdev->random_addr);
1931 bacpy(&conn->init_addr, &hdev->bdaddr);
1933 conn->resp_addr_type = cp->peer_addr_type;
1934 bacpy(&conn->resp_addr, &cp->peer_addr);
1936 /* We don't want the connection attempt to stick around
1937 * indefinitely since LE doesn't have a page timeout concept
1938 * like BR/EDR. Set a timer for any connection that doesn't use
1939 * the white list for connecting.
1941 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1942 queue_delayed_work(conn->hdev->workqueue,
1943 &conn->le_conn_timeout,
1944 conn->conn_timeout);
1947 hci_dev_unlock(hdev);
1950 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1952 struct hci_cp_le_read_remote_features *cp;
1953 struct hci_conn *conn;
1955 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1960 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1966 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1968 if (conn->state == BT_CONFIG) {
1969 hci_connect_cfm(conn, status);
1970 hci_conn_drop(conn);
1974 hci_dev_unlock(hdev);
1977 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1979 struct hci_cp_le_start_enc *cp;
1980 struct hci_conn *conn;
1982 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1989 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1993 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1997 if (conn->state != BT_CONNECTED)
2000 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2001 hci_conn_drop(conn);
2004 hci_dev_unlock(hdev);
2007 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2009 struct hci_cp_switch_role *cp;
2010 struct hci_conn *conn;
2012 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2017 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2023 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2025 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2027 hci_dev_unlock(hdev);
2030 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2032 __u8 status = *((__u8 *) skb->data);
2033 struct discovery_state *discov = &hdev->discovery;
2034 struct inquiry_entry *e;
2036 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2038 hci_conn_check_pending(hdev);
2040 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2043 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2044 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2046 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2051 if (discov->state != DISCOVERY_FINDING)
2054 if (list_empty(&discov->resolve)) {
2055 /* When BR/EDR inquiry is active and no LE scanning is in
2056 * progress, then change discovery state to indicate completion.
2058 * When running LE scanning and BR/EDR inquiry simultaneously
2059 * and the LE scan already finished, then change the discovery
2060 * state to indicate completion.
2062 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2063 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2064 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2068 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2069 if (e && hci_resolve_name(hdev, e) == 0) {
2070 e->name_state = NAME_PENDING;
2071 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2073 /* When BR/EDR inquiry is active and no LE scanning is in
2074 * progress, then change discovery state to indicate completion.
2076 * When running LE scanning and BR/EDR inquiry simultaneously
2077 * and the LE scan already finished, then change the discovery
2078 * state to indicate completion.
2080 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2081 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2082 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2086 hci_dev_unlock(hdev);
2089 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2091 struct inquiry_data data;
2092 struct inquiry_info *info = (void *) (skb->data + 1);
2093 int num_rsp = *((__u8 *) skb->data);
2095 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2100 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2105 for (; num_rsp; num_rsp--, info++) {
2108 bacpy(&data.bdaddr, &info->bdaddr);
2109 data.pscan_rep_mode = info->pscan_rep_mode;
2110 data.pscan_period_mode = info->pscan_period_mode;
2111 data.pscan_mode = info->pscan_mode;
2112 memcpy(data.dev_class, info->dev_class, 3);
2113 data.clock_offset = info->clock_offset;
2114 data.rssi = HCI_RSSI_INVALID;
2115 data.ssp_mode = 0x00;
2117 flags = hci_inquiry_cache_update(hdev, &data, false);
2119 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2120 info->dev_class, HCI_RSSI_INVALID,
2121 flags, NULL, 0, NULL, 0);
2124 hci_dev_unlock(hdev);
2127 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2129 struct hci_ev_conn_complete *ev = (void *) skb->data;
2130 struct hci_conn *conn;
2132 BT_DBG("%s", hdev->name);
2136 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2138 if (ev->link_type != SCO_LINK)
2141 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2145 conn->type = SCO_LINK;
2149 conn->handle = __le16_to_cpu(ev->handle);
2151 if (conn->type == ACL_LINK) {
2152 conn->state = BT_CONFIG;
2153 hci_conn_hold(conn);
2155 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2156 !hci_find_link_key(hdev, &ev->bdaddr))
2157 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2159 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2161 conn->state = BT_CONNECTED;
2163 hci_debugfs_create_conn(conn);
2164 hci_conn_add_sysfs(conn);
2166 if (test_bit(HCI_AUTH, &hdev->flags))
2167 set_bit(HCI_CONN_AUTH, &conn->flags);
2169 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2170 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2172 /* Get remote features */
2173 if (conn->type == ACL_LINK) {
2174 struct hci_cp_read_remote_features cp;
2175 cp.handle = ev->handle;
2176 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2179 hci_req_update_scan(hdev);
2182 /* Set packet type for incoming connection */
2183 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2184 struct hci_cp_change_conn_ptype cp;
2185 cp.handle = ev->handle;
2186 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2187 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2191 conn->state = BT_CLOSED;
2192 if (conn->type == ACL_LINK)
2193 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2194 conn->dst_type, ev->status);
2197 if (conn->type == ACL_LINK)
2198 hci_sco_setup(conn, ev->status);
2201 hci_connect_cfm(conn, ev->status);
2203 } else if (ev->link_type != ACL_LINK)
2204 hci_connect_cfm(conn, ev->status);
2207 hci_dev_unlock(hdev);
2209 hci_conn_check_pending(hdev);
2212 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2214 struct hci_cp_reject_conn_req cp;
2216 bacpy(&cp.bdaddr, bdaddr);
2217 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2218 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2221 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2223 struct hci_ev_conn_request *ev = (void *) skb->data;
2224 int mask = hdev->link_mode;
2225 struct inquiry_entry *ie;
2226 struct hci_conn *conn;
2229 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2232 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2235 if (!(mask & HCI_LM_ACCEPT)) {
2236 hci_reject_conn(hdev, &ev->bdaddr);
2240 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2242 hci_reject_conn(hdev, &ev->bdaddr);
2246 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2247 * connection. These features are only touched through mgmt so
2248 * only do the checks if HCI_MGMT is set.
2250 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2251 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2252 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2254 hci_reject_conn(hdev, &ev->bdaddr);
2258 /* Connection accepted */
2262 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2264 memcpy(ie->data.dev_class, ev->dev_class, 3);
2266 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2269 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2272 BT_ERR("No memory for new connection");
2273 hci_dev_unlock(hdev);
2278 memcpy(conn->dev_class, ev->dev_class, 3);
2280 hci_dev_unlock(hdev);
2282 if (ev->link_type == ACL_LINK ||
2283 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2284 struct hci_cp_accept_conn_req cp;
2285 conn->state = BT_CONNECT;
2287 bacpy(&cp.bdaddr, &ev->bdaddr);
2289 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2290 cp.role = 0x00; /* Become master */
2292 cp.role = 0x01; /* Remain slave */
2294 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2295 } else if (!(flags & HCI_PROTO_DEFER)) {
2296 struct hci_cp_accept_sync_conn_req cp;
2297 conn->state = BT_CONNECT;
2299 bacpy(&cp.bdaddr, &ev->bdaddr);
2300 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2302 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2303 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2304 cp.max_latency = cpu_to_le16(0xffff);
2305 cp.content_format = cpu_to_le16(hdev->voice_setting);
2306 cp.retrans_effort = 0xff;
2308 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2311 conn->state = BT_CONNECT2;
2312 hci_connect_cfm(conn, 0);
2316 static u8 hci_to_mgmt_reason(u8 err)
2319 case HCI_ERROR_CONNECTION_TIMEOUT:
2320 return MGMT_DEV_DISCONN_TIMEOUT;
2321 case HCI_ERROR_REMOTE_USER_TERM:
2322 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2323 case HCI_ERROR_REMOTE_POWER_OFF:
2324 return MGMT_DEV_DISCONN_REMOTE;
2325 case HCI_ERROR_LOCAL_HOST_TERM:
2326 return MGMT_DEV_DISCONN_LOCAL_HOST;
2328 return MGMT_DEV_DISCONN_UNKNOWN;
2332 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2334 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2336 struct hci_conn_params *params;
2337 struct hci_conn *conn;
2338 bool mgmt_connected;
2341 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2345 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2350 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2351 conn->dst_type, ev->status);
2355 conn->state = BT_CLOSED;
2357 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2359 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2360 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2362 reason = hci_to_mgmt_reason(ev->reason);
2364 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2365 reason, mgmt_connected);
2367 if (conn->type == ACL_LINK) {
2368 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2369 hci_remove_link_key(hdev, &conn->dst);
2371 hci_req_update_scan(hdev);
2374 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2376 switch (params->auto_connect) {
2377 case HCI_AUTO_CONN_LINK_LOSS:
2378 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2382 case HCI_AUTO_CONN_DIRECT:
2383 case HCI_AUTO_CONN_ALWAYS:
2384 list_del_init(¶ms->action);
2385 list_add(¶ms->action, &hdev->pend_le_conns);
2386 hci_update_background_scan(hdev);
2396 hci_disconn_cfm(conn, ev->reason);
2399 /* Re-enable advertising if necessary, since it might
2400 * have been disabled by the connection. From the
2401 * HCI_LE_Set_Advertise_Enable command description in
2402 * the core specification (v4.0):
2403 * "The Controller shall continue advertising until the Host
2404 * issues an LE_Set_Advertise_Enable command with
2405 * Advertising_Enable set to 0x00 (Advertising is disabled)
2406 * or until a connection is created or until the Advertising
2407 * is timed out due to Directed Advertising."
2409 if (type == LE_LINK)
2410 hci_req_reenable_advertising(hdev);
2413 hci_dev_unlock(hdev);
2416 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2418 struct hci_ev_auth_complete *ev = (void *) skb->data;
2419 struct hci_conn *conn;
2421 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2425 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2430 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2432 if (!hci_conn_ssp_enabled(conn) &&
2433 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2434 BT_INFO("re-auth of legacy device is not possible.");
2436 set_bit(HCI_CONN_AUTH, &conn->flags);
2437 conn->sec_level = conn->pending_sec_level;
2440 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2441 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2443 mgmt_auth_failed(conn, ev->status);
2446 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2447 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2449 if (conn->state == BT_CONFIG) {
2450 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2451 struct hci_cp_set_conn_encrypt cp;
2452 cp.handle = ev->handle;
2454 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2457 conn->state = BT_CONNECTED;
2458 hci_connect_cfm(conn, ev->status);
2459 hci_conn_drop(conn);
2462 hci_auth_cfm(conn, ev->status);
2464 hci_conn_hold(conn);
2465 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2466 hci_conn_drop(conn);
2469 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2471 struct hci_cp_set_conn_encrypt cp;
2472 cp.handle = ev->handle;
2474 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2477 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2478 hci_encrypt_cfm(conn, ev->status, 0x00);
2483 hci_dev_unlock(hdev);
2486 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2488 struct hci_ev_remote_name *ev = (void *) skb->data;
2489 struct hci_conn *conn;
2491 BT_DBG("%s", hdev->name);
2493 hci_conn_check_pending(hdev);
2497 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2499 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2502 if (ev->status == 0)
2503 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2504 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2506 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2512 if (!hci_outgoing_auth_needed(hdev, conn))
2515 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2516 struct hci_cp_auth_requested cp;
2518 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2520 cp.handle = __cpu_to_le16(conn->handle);
2521 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2525 hci_dev_unlock(hdev);
2528 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2529 u16 opcode, struct sk_buff *skb)
2531 const struct hci_rp_read_enc_key_size *rp;
2532 struct hci_conn *conn;
2535 BT_DBG("%s status 0x%02x", hdev->name, status);
2537 if (!skb || skb->len < sizeof(*rp)) {
2538 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2543 rp = (void *)skb->data;
2544 handle = le16_to_cpu(rp->handle);
2548 conn = hci_conn_hash_lookup_handle(hdev, handle);
2552 /* If we fail to read the encryption key size, assume maximum
2553 * (which is the same we do also when this HCI command isn't
2557 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2559 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2561 conn->enc_key_size = rp->key_size;
2564 if (conn->state == BT_CONFIG) {
2565 conn->state = BT_CONNECTED;
2566 hci_connect_cfm(conn, 0);
2567 hci_conn_drop(conn);
2571 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2573 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2578 hci_encrypt_cfm(conn, 0, encrypt);
2582 hci_dev_unlock(hdev);
2585 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2587 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2588 struct hci_conn *conn;
2590 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2594 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2600 /* Encryption implies authentication */
2601 set_bit(HCI_CONN_AUTH, &conn->flags);
2602 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 conn->sec_level = conn->pending_sec_level;
2605 /* P-256 authentication key implies FIPS */
2606 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2607 set_bit(HCI_CONN_FIPS, &conn->flags);
2609 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2610 conn->type == LE_LINK)
2611 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2613 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2614 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2618 /* We should disregard the current RPA and generate a new one
2619 * whenever the encryption procedure fails.
2621 if (ev->status && conn->type == LE_LINK)
2622 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2624 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2626 if (ev->status && conn->state == BT_CONNECTED) {
2627 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2628 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2630 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2631 hci_conn_drop(conn);
2635 /* In Secure Connections Only mode, do not allow any connections
2636 * that are not encrypted with AES-CCM using a P-256 authenticated
2639 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2640 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2641 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2642 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2643 hci_conn_drop(conn);
2647 /* Try reading the encryption key size for encrypted ACL links */
2648 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2649 struct hci_cp_read_enc_key_size cp;
2650 struct hci_request req;
2652 /* Only send HCI_Read_Encryption_Key_Size if the
2653 * controller really supports it. If it doesn't, assume
2654 * the default size (16).
2656 if (!(hdev->commands[20] & 0x10)) {
2657 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2661 hci_req_init(&req, hdev);
2663 cp.handle = cpu_to_le16(conn->handle);
2664 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2666 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2667 BT_ERR("Sending HCI Read Encryption Key Size failed");
2668 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2676 if (conn->state == BT_CONFIG) {
2678 conn->state = BT_CONNECTED;
2680 hci_connect_cfm(conn, ev->status);
2681 hci_conn_drop(conn);
2683 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2686 hci_dev_unlock(hdev);
2689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2690 struct sk_buff *skb)
2692 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2693 struct hci_conn *conn;
2695 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2699 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2702 set_bit(HCI_CONN_SECURE, &conn->flags);
2704 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2706 hci_key_change_cfm(conn, ev->status);
2709 hci_dev_unlock(hdev);
2712 static void hci_remote_features_evt(struct hci_dev *hdev,
2713 struct sk_buff *skb)
2715 struct hci_ev_remote_features *ev = (void *) skb->data;
2716 struct hci_conn *conn;
2718 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2722 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2727 memcpy(conn->features[0], ev->features, 8);
2729 if (conn->state != BT_CONFIG)
2732 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2733 lmp_ext_feat_capable(conn)) {
2734 struct hci_cp_read_remote_ext_features cp;
2735 cp.handle = ev->handle;
2737 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2742 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2743 struct hci_cp_remote_name_req cp;
2744 memset(&cp, 0, sizeof(cp));
2745 bacpy(&cp.bdaddr, &conn->dst);
2746 cp.pscan_rep_mode = 0x02;
2747 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2748 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2749 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2751 if (!hci_outgoing_auth_needed(hdev, conn)) {
2752 conn->state = BT_CONNECTED;
2753 hci_connect_cfm(conn, ev->status);
2754 hci_conn_drop(conn);
2758 hci_dev_unlock(hdev);
2761 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2762 u16 *opcode, u8 *status,
2763 hci_req_complete_t *req_complete,
2764 hci_req_complete_skb_t *req_complete_skb)
2766 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2768 *opcode = __le16_to_cpu(ev->opcode);
2769 *status = skb->data[sizeof(*ev)];
2771 skb_pull(skb, sizeof(*ev));
2774 case HCI_OP_INQUIRY_CANCEL:
2775 hci_cc_inquiry_cancel(hdev, skb);
2778 case HCI_OP_PERIODIC_INQ:
2779 hci_cc_periodic_inq(hdev, skb);
2782 case HCI_OP_EXIT_PERIODIC_INQ:
2783 hci_cc_exit_periodic_inq(hdev, skb);
2786 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2787 hci_cc_remote_name_req_cancel(hdev, skb);
2790 case HCI_OP_ROLE_DISCOVERY:
2791 hci_cc_role_discovery(hdev, skb);
2794 case HCI_OP_READ_LINK_POLICY:
2795 hci_cc_read_link_policy(hdev, skb);
2798 case HCI_OP_WRITE_LINK_POLICY:
2799 hci_cc_write_link_policy(hdev, skb);
2802 case HCI_OP_READ_DEF_LINK_POLICY:
2803 hci_cc_read_def_link_policy(hdev, skb);
2806 case HCI_OP_WRITE_DEF_LINK_POLICY:
2807 hci_cc_write_def_link_policy(hdev, skb);
2811 hci_cc_reset(hdev, skb);
2814 case HCI_OP_READ_STORED_LINK_KEY:
2815 hci_cc_read_stored_link_key(hdev, skb);
2818 case HCI_OP_DELETE_STORED_LINK_KEY:
2819 hci_cc_delete_stored_link_key(hdev, skb);
2822 case HCI_OP_WRITE_LOCAL_NAME:
2823 hci_cc_write_local_name(hdev, skb);
2826 case HCI_OP_READ_LOCAL_NAME:
2827 hci_cc_read_local_name(hdev, skb);
2830 case HCI_OP_WRITE_AUTH_ENABLE:
2831 hci_cc_write_auth_enable(hdev, skb);
2834 case HCI_OP_WRITE_ENCRYPT_MODE:
2835 hci_cc_write_encrypt_mode(hdev, skb);
2838 case HCI_OP_WRITE_SCAN_ENABLE:
2839 hci_cc_write_scan_enable(hdev, skb);
2842 case HCI_OP_READ_CLASS_OF_DEV:
2843 hci_cc_read_class_of_dev(hdev, skb);
2846 case HCI_OP_WRITE_CLASS_OF_DEV:
2847 hci_cc_write_class_of_dev(hdev, skb);
2850 case HCI_OP_READ_VOICE_SETTING:
2851 hci_cc_read_voice_setting(hdev, skb);
2854 case HCI_OP_WRITE_VOICE_SETTING:
2855 hci_cc_write_voice_setting(hdev, skb);
2858 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2859 hci_cc_read_num_supported_iac(hdev, skb);
2862 case HCI_OP_WRITE_SSP_MODE:
2863 hci_cc_write_ssp_mode(hdev, skb);
2866 case HCI_OP_WRITE_SC_SUPPORT:
2867 hci_cc_write_sc_support(hdev, skb);
2870 case HCI_OP_READ_LOCAL_VERSION:
2871 hci_cc_read_local_version(hdev, skb);
2874 case HCI_OP_READ_LOCAL_COMMANDS:
2875 hci_cc_read_local_commands(hdev, skb);
2878 case HCI_OP_READ_LOCAL_FEATURES:
2879 hci_cc_read_local_features(hdev, skb);
2882 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2883 hci_cc_read_local_ext_features(hdev, skb);
2886 case HCI_OP_READ_BUFFER_SIZE:
2887 hci_cc_read_buffer_size(hdev, skb);
2890 case HCI_OP_READ_BD_ADDR:
2891 hci_cc_read_bd_addr(hdev, skb);
2894 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2895 hci_cc_read_page_scan_activity(hdev, skb);
2898 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2899 hci_cc_write_page_scan_activity(hdev, skb);
2902 case HCI_OP_READ_PAGE_SCAN_TYPE:
2903 hci_cc_read_page_scan_type(hdev, skb);
2906 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2907 hci_cc_write_page_scan_type(hdev, skb);
2910 case HCI_OP_READ_DATA_BLOCK_SIZE:
2911 hci_cc_read_data_block_size(hdev, skb);
2914 case HCI_OP_READ_FLOW_CONTROL_MODE:
2915 hci_cc_read_flow_control_mode(hdev, skb);
2918 case HCI_OP_READ_LOCAL_AMP_INFO:
2919 hci_cc_read_local_amp_info(hdev, skb);
2922 case HCI_OP_READ_CLOCK:
2923 hci_cc_read_clock(hdev, skb);
2926 case HCI_OP_READ_INQ_RSP_TX_POWER:
2927 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2930 case HCI_OP_PIN_CODE_REPLY:
2931 hci_cc_pin_code_reply(hdev, skb);
2934 case HCI_OP_PIN_CODE_NEG_REPLY:
2935 hci_cc_pin_code_neg_reply(hdev, skb);
2938 case HCI_OP_READ_LOCAL_OOB_DATA:
2939 hci_cc_read_local_oob_data(hdev, skb);
2942 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2943 hci_cc_read_local_oob_ext_data(hdev, skb);
2946 case HCI_OP_LE_READ_BUFFER_SIZE:
2947 hci_cc_le_read_buffer_size(hdev, skb);
2950 case HCI_OP_LE_READ_LOCAL_FEATURES:
2951 hci_cc_le_read_local_features(hdev, skb);
2954 case HCI_OP_LE_READ_ADV_TX_POWER:
2955 hci_cc_le_read_adv_tx_power(hdev, skb);
2958 case HCI_OP_USER_CONFIRM_REPLY:
2959 hci_cc_user_confirm_reply(hdev, skb);
2962 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2963 hci_cc_user_confirm_neg_reply(hdev, skb);
2966 case HCI_OP_USER_PASSKEY_REPLY:
2967 hci_cc_user_passkey_reply(hdev, skb);
2970 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2971 hci_cc_user_passkey_neg_reply(hdev, skb);
2974 case HCI_OP_LE_SET_RANDOM_ADDR:
2975 hci_cc_le_set_random_addr(hdev, skb);
2978 case HCI_OP_LE_SET_ADV_ENABLE:
2979 hci_cc_le_set_adv_enable(hdev, skb);
2982 case HCI_OP_LE_SET_SCAN_PARAM:
2983 hci_cc_le_set_scan_param(hdev, skb);
2986 case HCI_OP_LE_SET_SCAN_ENABLE:
2987 hci_cc_le_set_scan_enable(hdev, skb);
2990 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2991 hci_cc_le_read_white_list_size(hdev, skb);
2994 case HCI_OP_LE_CLEAR_WHITE_LIST:
2995 hci_cc_le_clear_white_list(hdev, skb);
2998 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2999 hci_cc_le_add_to_white_list(hdev, skb);
3002 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3003 hci_cc_le_del_from_white_list(hdev, skb);
3006 case HCI_OP_LE_READ_SUPPORTED_STATES:
3007 hci_cc_le_read_supported_states(hdev, skb);
3010 case HCI_OP_LE_READ_DEF_DATA_LEN:
3011 hci_cc_le_read_def_data_len(hdev, skb);
3014 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3015 hci_cc_le_write_def_data_len(hdev, skb);
3018 case HCI_OP_LE_READ_MAX_DATA_LEN:
3019 hci_cc_le_read_max_data_len(hdev, skb);
3022 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3023 hci_cc_write_le_host_supported(hdev, skb);
3026 case HCI_OP_LE_SET_ADV_PARAM:
3027 hci_cc_set_adv_param(hdev, skb);
3030 case HCI_OP_READ_RSSI:
3031 hci_cc_read_rssi(hdev, skb);
3034 case HCI_OP_READ_TX_POWER:
3035 hci_cc_read_tx_power(hdev, skb);
3038 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3039 hci_cc_write_ssp_debug_mode(hdev, skb);
3043 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3047 if (*opcode != HCI_OP_NOP)
3048 cancel_delayed_work(&hdev->cmd_timer);
3050 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3051 atomic_set(&hdev->cmd_cnt, 1);
3053 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3056 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3057 queue_work(hdev->workqueue, &hdev->cmd_work);
3060 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3061 u16 *opcode, u8 *status,
3062 hci_req_complete_t *req_complete,
3063 hci_req_complete_skb_t *req_complete_skb)
3065 struct hci_ev_cmd_status *ev = (void *) skb->data;
3067 skb_pull(skb, sizeof(*ev));
3069 *opcode = __le16_to_cpu(ev->opcode);
3070 *status = ev->status;
3073 case HCI_OP_INQUIRY:
3074 hci_cs_inquiry(hdev, ev->status);
3077 case HCI_OP_CREATE_CONN:
3078 hci_cs_create_conn(hdev, ev->status);
3081 case HCI_OP_DISCONNECT:
3082 hci_cs_disconnect(hdev, ev->status);
3085 case HCI_OP_ADD_SCO:
3086 hci_cs_add_sco(hdev, ev->status);
3089 case HCI_OP_AUTH_REQUESTED:
3090 hci_cs_auth_requested(hdev, ev->status);
3093 case HCI_OP_SET_CONN_ENCRYPT:
3094 hci_cs_set_conn_encrypt(hdev, ev->status);
3097 case HCI_OP_REMOTE_NAME_REQ:
3098 hci_cs_remote_name_req(hdev, ev->status);
3101 case HCI_OP_READ_REMOTE_FEATURES:
3102 hci_cs_read_remote_features(hdev, ev->status);
3105 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3106 hci_cs_read_remote_ext_features(hdev, ev->status);
3109 case HCI_OP_SETUP_SYNC_CONN:
3110 hci_cs_setup_sync_conn(hdev, ev->status);
3113 case HCI_OP_SNIFF_MODE:
3114 hci_cs_sniff_mode(hdev, ev->status);
3117 case HCI_OP_EXIT_SNIFF_MODE:
3118 hci_cs_exit_sniff_mode(hdev, ev->status);
3121 case HCI_OP_SWITCH_ROLE:
3122 hci_cs_switch_role(hdev, ev->status);
3125 case HCI_OP_LE_CREATE_CONN:
3126 hci_cs_le_create_conn(hdev, ev->status);
3129 case HCI_OP_LE_READ_REMOTE_FEATURES:
3130 hci_cs_le_read_remote_features(hdev, ev->status);
3133 case HCI_OP_LE_START_ENC:
3134 hci_cs_le_start_enc(hdev, ev->status);
3138 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3142 if (*opcode != HCI_OP_NOP)
3143 cancel_delayed_work(&hdev->cmd_timer);
3145 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3146 atomic_set(&hdev->cmd_cnt, 1);
3148 /* Indicate request completion if the command failed. Also, if
3149 * we're not waiting for a special event and we get a success
3150 * command status we should try to flag the request as completed
3151 * (since for this kind of commands there will not be a command
3155 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3156 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3159 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3160 queue_work(hdev->workqueue, &hdev->cmd_work);
3163 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3165 struct hci_ev_hardware_error *ev = (void *) skb->data;
3167 hdev->hw_error_code = ev->code;
3169 queue_work(hdev->req_workqueue, &hdev->error_reset);
3172 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3174 struct hci_ev_role_change *ev = (void *) skb->data;
3175 struct hci_conn *conn;
3177 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3181 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3184 conn->role = ev->role;
3186 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3188 hci_role_switch_cfm(conn, ev->status, ev->role);
3191 hci_dev_unlock(hdev);
3194 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3196 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3199 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3200 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3204 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3205 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3206 BT_DBG("%s bad parameters", hdev->name);
3210 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3212 for (i = 0; i < ev->num_hndl; i++) {
3213 struct hci_comp_pkts_info *info = &ev->handles[i];
3214 struct hci_conn *conn;
3215 __u16 handle, count;
3217 handle = __le16_to_cpu(info->handle);
3218 count = __le16_to_cpu(info->count);
3220 conn = hci_conn_hash_lookup_handle(hdev, handle);
3224 conn->sent -= count;
3226 switch (conn->type) {
3228 hdev->acl_cnt += count;
3229 if (hdev->acl_cnt > hdev->acl_pkts)
3230 hdev->acl_cnt = hdev->acl_pkts;
3234 if (hdev->le_pkts) {
3235 hdev->le_cnt += count;
3236 if (hdev->le_cnt > hdev->le_pkts)
3237 hdev->le_cnt = hdev->le_pkts;
3239 hdev->acl_cnt += count;
3240 if (hdev->acl_cnt > hdev->acl_pkts)
3241 hdev->acl_cnt = hdev->acl_pkts;
3246 hdev->sco_cnt += count;
3247 if (hdev->sco_cnt > hdev->sco_pkts)
3248 hdev->sco_cnt = hdev->sco_pkts;
3252 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3257 queue_work(hdev->workqueue, &hdev->tx_work);
3260 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3263 struct hci_chan *chan;
3265 switch (hdev->dev_type) {
3267 return hci_conn_hash_lookup_handle(hdev, handle);
3269 chan = hci_chan_lookup_handle(hdev, handle);
3274 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3281 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3283 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3286 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3287 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3291 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3292 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3293 BT_DBG("%s bad parameters", hdev->name);
3297 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3300 for (i = 0; i < ev->num_hndl; i++) {
3301 struct hci_comp_blocks_info *info = &ev->handles[i];
3302 struct hci_conn *conn = NULL;
3303 __u16 handle, block_count;
3305 handle = __le16_to_cpu(info->handle);
3306 block_count = __le16_to_cpu(info->blocks);
3308 conn = __hci_conn_lookup_handle(hdev, handle);
3312 conn->sent -= block_count;
3314 switch (conn->type) {
3317 hdev->block_cnt += block_count;
3318 if (hdev->block_cnt > hdev->num_blocks)
3319 hdev->block_cnt = hdev->num_blocks;
3323 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3328 queue_work(hdev->workqueue, &hdev->tx_work);
3331 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3333 struct hci_ev_mode_change *ev = (void *) skb->data;
3334 struct hci_conn *conn;
3336 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3340 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3342 conn->mode = ev->mode;
3344 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3346 if (conn->mode == HCI_CM_ACTIVE)
3347 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3349 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3352 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3353 hci_sco_setup(conn, ev->status);
3356 hci_dev_unlock(hdev);
3359 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3361 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3362 struct hci_conn *conn;
3364 BT_DBG("%s", hdev->name);
3368 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3372 if (conn->state == BT_CONNECTED) {
3373 hci_conn_hold(conn);
3374 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3375 hci_conn_drop(conn);
3378 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3379 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3380 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3381 sizeof(ev->bdaddr), &ev->bdaddr);
3382 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3385 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3390 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3394 hci_dev_unlock(hdev);
3397 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3399 if (key_type == HCI_LK_CHANGED_COMBINATION)
3402 conn->pin_length = pin_len;
3403 conn->key_type = key_type;
3406 case HCI_LK_LOCAL_UNIT:
3407 case HCI_LK_REMOTE_UNIT:
3408 case HCI_LK_DEBUG_COMBINATION:
3410 case HCI_LK_COMBINATION:
3412 conn->pending_sec_level = BT_SECURITY_HIGH;
3414 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3416 case HCI_LK_UNAUTH_COMBINATION_P192:
3417 case HCI_LK_UNAUTH_COMBINATION_P256:
3418 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3420 case HCI_LK_AUTH_COMBINATION_P192:
3421 conn->pending_sec_level = BT_SECURITY_HIGH;
3423 case HCI_LK_AUTH_COMBINATION_P256:
3424 conn->pending_sec_level = BT_SECURITY_FIPS;
3429 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3431 struct hci_ev_link_key_req *ev = (void *) skb->data;
3432 struct hci_cp_link_key_reply cp;
3433 struct hci_conn *conn;
3434 struct link_key *key;
3436 BT_DBG("%s", hdev->name);
3438 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3443 key = hci_find_link_key(hdev, &ev->bdaddr);
3445 BT_DBG("%s link key not found for %pMR", hdev->name,
3450 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3453 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3455 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3457 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3458 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3459 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3460 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3464 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3465 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3466 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3467 BT_DBG("%s ignoring key unauthenticated for high security",
3472 conn_set_key(conn, key->type, key->pin_len);
3475 bacpy(&cp.bdaddr, &ev->bdaddr);
3476 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3478 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3480 hci_dev_unlock(hdev);
3485 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3486 hci_dev_unlock(hdev);
3489 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3491 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3492 struct hci_conn *conn;
3493 struct link_key *key;
3497 BT_DBG("%s", hdev->name);
3501 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3505 hci_conn_hold(conn);
3506 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3507 hci_conn_drop(conn);
3509 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3510 conn_set_key(conn, ev->key_type, conn->pin_length);
3512 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3515 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3516 ev->key_type, pin_len, &persistent);
3520 /* Update connection information since adding the key will have
3521 * fixed up the type in the case of changed combination keys.
3523 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3524 conn_set_key(conn, key->type, key->pin_len);
3526 mgmt_new_link_key(hdev, key, persistent);
3528 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3529 * is set. If it's not set simply remove the key from the kernel
3530 * list (we've still notified user space about it but with
3531 * store_hint being 0).
3533 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3534 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3535 list_del_rcu(&key->list);
3536 kfree_rcu(key, rcu);
3541 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3543 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3546 hci_dev_unlock(hdev);
3549 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3551 struct hci_ev_clock_offset *ev = (void *) skb->data;
3552 struct hci_conn *conn;
3554 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3558 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3559 if (conn && !ev->status) {
3560 struct inquiry_entry *ie;
3562 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3564 ie->data.clock_offset = ev->clock_offset;
3565 ie->timestamp = jiffies;
3569 hci_dev_unlock(hdev);
3572 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3574 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3575 struct hci_conn *conn;
3577 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3581 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3582 if (conn && !ev->status)
3583 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3585 hci_dev_unlock(hdev);
3588 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3590 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3591 struct inquiry_entry *ie;
3593 BT_DBG("%s", hdev->name);
3597 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3599 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3600 ie->timestamp = jiffies;
3603 hci_dev_unlock(hdev);
3606 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3607 struct sk_buff *skb)
3609 struct inquiry_data data;
3610 int num_rsp = *((__u8 *) skb->data);
3612 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3617 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3622 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3623 struct inquiry_info_with_rssi_and_pscan_mode *info;
3624 info = (void *) (skb->data + 1);
3626 for (; num_rsp; num_rsp--, info++) {
3629 bacpy(&data.bdaddr, &info->bdaddr);
3630 data.pscan_rep_mode = info->pscan_rep_mode;
3631 data.pscan_period_mode = info->pscan_period_mode;
3632 data.pscan_mode = info->pscan_mode;
3633 memcpy(data.dev_class, info->dev_class, 3);
3634 data.clock_offset = info->clock_offset;
3635 data.rssi = info->rssi;
3636 data.ssp_mode = 0x00;
3638 flags = hci_inquiry_cache_update(hdev, &data, false);
3640 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3641 info->dev_class, info->rssi,
3642 flags, NULL, 0, NULL, 0);
3645 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3647 for (; num_rsp; num_rsp--, info++) {
3650 bacpy(&data.bdaddr, &info->bdaddr);
3651 data.pscan_rep_mode = info->pscan_rep_mode;
3652 data.pscan_period_mode = info->pscan_period_mode;
3653 data.pscan_mode = 0x00;
3654 memcpy(data.dev_class, info->dev_class, 3);
3655 data.clock_offset = info->clock_offset;
3656 data.rssi = info->rssi;
3657 data.ssp_mode = 0x00;
3659 flags = hci_inquiry_cache_update(hdev, &data, false);
3661 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3662 info->dev_class, info->rssi,
3663 flags, NULL, 0, NULL, 0);
3667 hci_dev_unlock(hdev);
3670 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3671 struct sk_buff *skb)
3673 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3674 struct hci_conn *conn;
3676 BT_DBG("%s", hdev->name);
3680 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3684 if (ev->page < HCI_MAX_PAGES)
3685 memcpy(conn->features[ev->page], ev->features, 8);
3687 if (!ev->status && ev->page == 0x01) {
3688 struct inquiry_entry *ie;
3690 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3692 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3694 if (ev->features[0] & LMP_HOST_SSP) {
3695 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3697 /* It is mandatory by the Bluetooth specification that
3698 * Extended Inquiry Results are only used when Secure
3699 * Simple Pairing is enabled, but some devices violate
3702 * To make these devices work, the internal SSP
3703 * enabled flag needs to be cleared if the remote host
3704 * features do not indicate SSP support */
3705 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3708 if (ev->features[0] & LMP_HOST_SC)
3709 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3712 if (conn->state != BT_CONFIG)
3715 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3716 struct hci_cp_remote_name_req cp;
3717 memset(&cp, 0, sizeof(cp));
3718 bacpy(&cp.bdaddr, &conn->dst);
3719 cp.pscan_rep_mode = 0x02;
3720 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3721 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3722 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3724 if (!hci_outgoing_auth_needed(hdev, conn)) {
3725 conn->state = BT_CONNECTED;
3726 hci_connect_cfm(conn, ev->status);
3727 hci_conn_drop(conn);
3731 hci_dev_unlock(hdev);
3734 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3735 struct sk_buff *skb)
3737 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3738 struct hci_conn *conn;
3740 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3744 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3746 if (ev->link_type == ESCO_LINK)
3749 /* When the link type in the event indicates SCO connection
3750 * and lookup of the connection object fails, then check
3751 * if an eSCO connection object exists.
3753 * The core limits the synchronous connections to either
3754 * SCO or eSCO. The eSCO connection is preferred and tried
3755 * to be setup first and until successfully established,
3756 * the link type will be hinted as eSCO.
3758 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3763 switch (ev->status) {
3765 conn->handle = __le16_to_cpu(ev->handle);
3766 conn->state = BT_CONNECTED;
3767 conn->type = ev->link_type;
3769 hci_debugfs_create_conn(conn);
3770 hci_conn_add_sysfs(conn);
3773 case 0x10: /* Connection Accept Timeout */
3774 case 0x0d: /* Connection Rejected due to Limited Resources */
3775 case 0x11: /* Unsupported Feature or Parameter Value */
3776 case 0x1c: /* SCO interval rejected */
3777 case 0x1a: /* Unsupported Remote Feature */
3778 case 0x1f: /* Unspecified error */
3779 case 0x20: /* Unsupported LMP Parameter value */
3781 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3782 (hdev->esco_type & EDR_ESCO_MASK);
3783 if (hci_setup_sync(conn, conn->link->handle))
3789 conn->state = BT_CLOSED;
3793 hci_connect_cfm(conn, ev->status);
3798 hci_dev_unlock(hdev);
3801 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3805 while (parsed < eir_len) {
3806 u8 field_len = eir[0];
3811 parsed += field_len + 1;
3812 eir += field_len + 1;
3818 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3819 struct sk_buff *skb)
3821 struct inquiry_data data;
3822 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3823 int num_rsp = *((__u8 *) skb->data);
3826 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3831 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3836 for (; num_rsp; num_rsp--, info++) {
3840 bacpy(&data.bdaddr, &info->bdaddr);
3841 data.pscan_rep_mode = info->pscan_rep_mode;
3842 data.pscan_period_mode = info->pscan_period_mode;
3843 data.pscan_mode = 0x00;
3844 memcpy(data.dev_class, info->dev_class, 3);
3845 data.clock_offset = info->clock_offset;
3846 data.rssi = info->rssi;
3847 data.ssp_mode = 0x01;
3849 if (hci_dev_test_flag(hdev, HCI_MGMT))
3850 name_known = eir_get_data(info->data,
3852 EIR_NAME_COMPLETE, NULL);
3856 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3858 eir_len = eir_get_length(info->data, sizeof(info->data));
3860 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3861 info->dev_class, info->rssi,
3862 flags, info->data, eir_len, NULL, 0);
3865 hci_dev_unlock(hdev);
3868 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3869 struct sk_buff *skb)
3871 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3872 struct hci_conn *conn;
3874 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3875 __le16_to_cpu(ev->handle));
3879 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3883 /* For BR/EDR the necessary steps are taken through the
3884 * auth_complete event.
3886 if (conn->type != LE_LINK)
3890 conn->sec_level = conn->pending_sec_level;
3892 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3894 if (ev->status && conn->state == BT_CONNECTED) {
3895 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3896 hci_conn_drop(conn);
3900 if (conn->state == BT_CONFIG) {
3902 conn->state = BT_CONNECTED;
3904 hci_connect_cfm(conn, ev->status);
3905 hci_conn_drop(conn);
3907 hci_auth_cfm(conn, ev->status);
3909 hci_conn_hold(conn);
3910 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3911 hci_conn_drop(conn);
3915 hci_dev_unlock(hdev);
3918 static u8 hci_get_auth_req(struct hci_conn *conn)
3920 /* If remote requests no-bonding follow that lead */
3921 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3922 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3923 return conn->remote_auth | (conn->auth_type & 0x01);
3925 /* If both remote and local have enough IO capabilities, require
3928 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3929 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3930 return conn->remote_auth | 0x01;
3932 /* No MITM protection possible so ignore remote requirement */
3933 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3936 static u8 bredr_oob_data_present(struct hci_conn *conn)
3938 struct hci_dev *hdev = conn->hdev;
3939 struct oob_data *data;
3941 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3945 if (bredr_sc_enabled(hdev)) {
3946 /* When Secure Connections is enabled, then just
3947 * return the present value stored with the OOB
3948 * data. The stored value contains the right present
3949 * information. However it can only be trusted when
3950 * not in Secure Connection Only mode.
3952 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3953 return data->present;
3955 /* When Secure Connections Only mode is enabled, then
3956 * the P-256 values are required. If they are not
3957 * available, then do not declare that OOB data is
3960 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3961 !memcmp(data->hash256, ZERO_KEY, 16))
3967 /* When Secure Connections is not enabled or actually
3968 * not supported by the hardware, then check that if
3969 * P-192 data values are present.
3971 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3972 !memcmp(data->hash192, ZERO_KEY, 16))
3978 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3980 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3981 struct hci_conn *conn;
3983 BT_DBG("%s", hdev->name);
3987 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3991 hci_conn_hold(conn);
3993 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3996 /* Allow pairing if we're pairable, the initiators of the
3997 * pairing or if the remote is not requesting bonding.
3999 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4000 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4001 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4002 struct hci_cp_io_capability_reply cp;
4004 bacpy(&cp.bdaddr, &ev->bdaddr);
4005 /* Change the IO capability from KeyboardDisplay
4006 * to DisplayYesNo as it is not supported by BT spec. */
4007 cp.capability = (conn->io_capability == 0x04) ?
4008 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4010 /* If we are initiators, there is no remote information yet */
4011 if (conn->remote_auth == 0xff) {
4012 /* Request MITM protection if our IO caps allow it
4013 * except for the no-bonding case.
4015 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4016 conn->auth_type != HCI_AT_NO_BONDING)
4017 conn->auth_type |= 0x01;
4019 conn->auth_type = hci_get_auth_req(conn);
4022 /* If we're not bondable, force one of the non-bondable
4023 * authentication requirement values.
4025 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4026 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4028 cp.authentication = conn->auth_type;
4029 cp.oob_data = bredr_oob_data_present(conn);
4031 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4034 struct hci_cp_io_capability_neg_reply cp;
4036 bacpy(&cp.bdaddr, &ev->bdaddr);
4037 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4039 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4044 hci_dev_unlock(hdev);
4047 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4049 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4050 struct hci_conn *conn;
4052 BT_DBG("%s", hdev->name);
4056 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4060 conn->remote_cap = ev->capability;
4061 conn->remote_auth = ev->authentication;
4064 hci_dev_unlock(hdev);
4067 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4068 struct sk_buff *skb)
4070 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4071 int loc_mitm, rem_mitm, confirm_hint = 0;
4072 struct hci_conn *conn;
4074 BT_DBG("%s", hdev->name);
4078 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4081 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4085 loc_mitm = (conn->auth_type & 0x01);
4086 rem_mitm = (conn->remote_auth & 0x01);
4088 /* If we require MITM but the remote device can't provide that
4089 * (it has NoInputNoOutput) then reject the confirmation
4090 * request. We check the security level here since it doesn't
4091 * necessarily match conn->auth_type.
4093 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4094 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4095 BT_DBG("Rejecting request: remote device can't provide MITM");
4096 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4097 sizeof(ev->bdaddr), &ev->bdaddr);
4101 /* If no side requires MITM protection; auto-accept */
4102 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4103 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4105 /* If we're not the initiators request authorization to
4106 * proceed from user space (mgmt_user_confirm with
4107 * confirm_hint set to 1). The exception is if neither
4108 * side had MITM or if the local IO capability is
4109 * NoInputNoOutput, in which case we do auto-accept
4111 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4112 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4113 (loc_mitm || rem_mitm)) {
4114 BT_DBG("Confirming auto-accept as acceptor");
4119 BT_DBG("Auto-accept of user confirmation with %ums delay",
4120 hdev->auto_accept_delay);
4122 if (hdev->auto_accept_delay > 0) {
4123 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4124 queue_delayed_work(conn->hdev->workqueue,
4125 &conn->auto_accept_work, delay);
4129 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4130 sizeof(ev->bdaddr), &ev->bdaddr);
4135 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4136 le32_to_cpu(ev->passkey), confirm_hint);
4139 hci_dev_unlock(hdev);
4142 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4143 struct sk_buff *skb)
4145 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4147 BT_DBG("%s", hdev->name);
4149 if (hci_dev_test_flag(hdev, HCI_MGMT))
4150 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4153 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4154 struct sk_buff *skb)
4156 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4157 struct hci_conn *conn;
4159 BT_DBG("%s", hdev->name);
4161 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4165 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4166 conn->passkey_entered = 0;
4168 if (hci_dev_test_flag(hdev, HCI_MGMT))
4169 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4170 conn->dst_type, conn->passkey_notify,
4171 conn->passkey_entered);
4174 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4176 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4177 struct hci_conn *conn;
4179 BT_DBG("%s", hdev->name);
4181 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4186 case HCI_KEYPRESS_STARTED:
4187 conn->passkey_entered = 0;
4190 case HCI_KEYPRESS_ENTERED:
4191 conn->passkey_entered++;
4194 case HCI_KEYPRESS_ERASED:
4195 conn->passkey_entered--;
4198 case HCI_KEYPRESS_CLEARED:
4199 conn->passkey_entered = 0;
4202 case HCI_KEYPRESS_COMPLETED:
4206 if (hci_dev_test_flag(hdev, HCI_MGMT))
4207 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4208 conn->dst_type, conn->passkey_notify,
4209 conn->passkey_entered);
4212 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4213 struct sk_buff *skb)
4215 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4216 struct hci_conn *conn;
4218 BT_DBG("%s", hdev->name);
4222 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4226 /* Reset the authentication requirement to unknown */
4227 conn->remote_auth = 0xff;
4229 /* To avoid duplicate auth_failed events to user space we check
4230 * the HCI_CONN_AUTH_PEND flag which will be set if we
4231 * initiated the authentication. A traditional auth_complete
4232 * event gets always produced as initiator and is also mapped to
4233 * the mgmt_auth_failed event */
4234 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4235 mgmt_auth_failed(conn, ev->status);
4237 hci_conn_drop(conn);
4240 hci_dev_unlock(hdev);
4243 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4244 struct sk_buff *skb)
4246 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4247 struct inquiry_entry *ie;
4248 struct hci_conn *conn;
4250 BT_DBG("%s", hdev->name);
4254 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4256 memcpy(conn->features[1], ev->features, 8);
4258 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4260 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4262 hci_dev_unlock(hdev);
4265 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4266 struct sk_buff *skb)
4268 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4269 struct oob_data *data;
4271 BT_DBG("%s", hdev->name);
4275 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4278 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4280 struct hci_cp_remote_oob_data_neg_reply cp;
4282 bacpy(&cp.bdaddr, &ev->bdaddr);
4283 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4288 if (bredr_sc_enabled(hdev)) {
4289 struct hci_cp_remote_oob_ext_data_reply cp;
4291 bacpy(&cp.bdaddr, &ev->bdaddr);
4292 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4293 memset(cp.hash192, 0, sizeof(cp.hash192));
4294 memset(cp.rand192, 0, sizeof(cp.rand192));
4296 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4297 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4299 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4300 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4302 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4305 struct hci_cp_remote_oob_data_reply cp;
4307 bacpy(&cp.bdaddr, &ev->bdaddr);
4308 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4309 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4311 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4316 hci_dev_unlock(hdev);
4319 #if IS_ENABLED(CONFIG_BT_HS)
4320 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4322 struct hci_ev_channel_selected *ev = (void *)skb->data;
4323 struct hci_conn *hcon;
4325 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4327 skb_pull(skb, sizeof(*ev));
4329 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4333 amp_read_loc_assoc_final_data(hdev, hcon);
4336 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4337 struct sk_buff *skb)
4339 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4340 struct hci_conn *hcon, *bredr_hcon;
4342 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4347 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4349 hci_dev_unlock(hdev);
4355 hci_dev_unlock(hdev);
4359 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4361 hcon->state = BT_CONNECTED;
4362 bacpy(&hcon->dst, &bredr_hcon->dst);
4364 hci_conn_hold(hcon);
4365 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4366 hci_conn_drop(hcon);
4368 hci_debugfs_create_conn(hcon);
4369 hci_conn_add_sysfs(hcon);
4371 amp_physical_cfm(bredr_hcon, hcon);
4373 hci_dev_unlock(hdev);
4376 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4378 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4379 struct hci_conn *hcon;
4380 struct hci_chan *hchan;
4381 struct amp_mgr *mgr;
4383 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4384 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4387 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4391 /* Create AMP hchan */
4392 hchan = hci_chan_create(hcon);
4396 hchan->handle = le16_to_cpu(ev->handle);
4398 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4400 mgr = hcon->amp_mgr;
4401 if (mgr && mgr->bredr_chan) {
4402 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4404 l2cap_chan_lock(bredr_chan);
4406 bredr_chan->conn->mtu = hdev->block_mtu;
4407 l2cap_logical_cfm(bredr_chan, hchan, 0);
4408 hci_conn_hold(hcon);
4410 l2cap_chan_unlock(bredr_chan);
4414 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4415 struct sk_buff *skb)
4417 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4418 struct hci_chan *hchan;
4420 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4421 le16_to_cpu(ev->handle), ev->status);
4428 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4432 amp_destroy_logical_link(hchan, ev->reason);
4435 hci_dev_unlock(hdev);
4438 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4439 struct sk_buff *skb)
4441 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4442 struct hci_conn *hcon;
4444 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4451 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4453 hcon->state = BT_CLOSED;
4457 hci_dev_unlock(hdev);
4461 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4463 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4464 struct hci_conn_params *params;
4465 struct hci_conn *conn;
4466 struct smp_irk *irk;
4469 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4473 /* All controllers implicitly stop advertising in the event of a
4474 * connection, so ensure that the state bit is cleared.
4476 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4478 conn = hci_lookup_le_connect(hdev);
4480 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4482 BT_ERR("No memory for new connection");
4486 conn->dst_type = ev->bdaddr_type;
4488 /* If we didn't have a hci_conn object previously
4489 * but we're in master role this must be something
4490 * initiated using a white list. Since white list based
4491 * connections are not "first class citizens" we don't
4492 * have full tracking of them. Therefore, we go ahead
4493 * with a "best effort" approach of determining the
4494 * initiator address based on the HCI_PRIVACY flag.
4497 conn->resp_addr_type = ev->bdaddr_type;
4498 bacpy(&conn->resp_addr, &ev->bdaddr);
4499 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4500 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4501 bacpy(&conn->init_addr, &hdev->rpa);
4503 hci_copy_identity_address(hdev,
4505 &conn->init_addr_type);
4509 cancel_delayed_work(&conn->le_conn_timeout);
4513 /* Set the responder (our side) address type based on
4514 * the advertising address type.
4516 conn->resp_addr_type = hdev->adv_addr_type;
4517 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4518 bacpy(&conn->resp_addr, &hdev->random_addr);
4520 bacpy(&conn->resp_addr, &hdev->bdaddr);
4522 conn->init_addr_type = ev->bdaddr_type;
4523 bacpy(&conn->init_addr, &ev->bdaddr);
4525 /* For incoming connections, set the default minimum
4526 * and maximum connection interval. They will be used
4527 * to check if the parameters are in range and if not
4528 * trigger the connection update procedure.
4530 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4531 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4534 /* Lookup the identity address from the stored connection
4535 * address and address type.
4537 * When establishing connections to an identity address, the
4538 * connection procedure will store the resolvable random
4539 * address first. Now if it can be converted back into the
4540 * identity address, start using the identity address from
4543 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4545 bacpy(&conn->dst, &irk->bdaddr);
4546 conn->dst_type = irk->addr_type;
4550 hci_le_conn_failed(conn, ev->status);
4554 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4555 addr_type = BDADDR_LE_PUBLIC;
4557 addr_type = BDADDR_LE_RANDOM;
4559 /* Drop the connection if the device is blocked */
4560 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4561 hci_conn_drop(conn);
4565 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4566 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4568 conn->sec_level = BT_SECURITY_LOW;
4569 conn->handle = __le16_to_cpu(ev->handle);
4570 conn->state = BT_CONFIG;
4572 conn->le_conn_interval = le16_to_cpu(ev->interval);
4573 conn->le_conn_latency = le16_to_cpu(ev->latency);
4574 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4576 hci_debugfs_create_conn(conn);
4577 hci_conn_add_sysfs(conn);
4580 /* The remote features procedure is defined for master
4581 * role only. So only in case of an initiated connection
4582 * request the remote features.
4584 * If the local controller supports slave-initiated features
4585 * exchange, then requesting the remote features in slave
4586 * role is possible. Otherwise just transition into the
4587 * connected state without requesting the remote features.
4590 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4591 struct hci_cp_le_read_remote_features cp;
4593 cp.handle = __cpu_to_le16(conn->handle);
4595 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4598 hci_conn_hold(conn);
4600 conn->state = BT_CONNECTED;
4601 hci_connect_cfm(conn, ev->status);
4604 hci_connect_cfm(conn, ev->status);
4607 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4610 list_del_init(¶ms->action);
4612 hci_conn_drop(params->conn);
4613 hci_conn_put(params->conn);
4614 params->conn = NULL;
4619 hci_update_background_scan(hdev);
4620 hci_dev_unlock(hdev);
4623 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4624 struct sk_buff *skb)
4626 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4627 struct hci_conn *conn;
4629 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4638 conn->le_conn_interval = le16_to_cpu(ev->interval);
4639 conn->le_conn_latency = le16_to_cpu(ev->latency);
4640 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4643 hci_dev_unlock(hdev);
4646 /* This function requires the caller holds hdev->lock */
4647 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4649 u8 addr_type, u8 adv_type)
4651 struct hci_conn *conn;
4652 struct hci_conn_params *params;
4654 /* If the event is not connectable don't proceed further */
4655 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4658 /* Ignore if the device is blocked */
4659 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4662 /* Most controller will fail if we try to create new connections
4663 * while we have an existing one in slave role.
4665 if (hdev->conn_hash.le_num_slave > 0)
4668 /* If we're not connectable only connect devices that we have in
4669 * our pend_le_conns list.
4671 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4676 if (!params->explicit_connect) {
4677 switch (params->auto_connect) {
4678 case HCI_AUTO_CONN_DIRECT:
4679 /* Only devices advertising with ADV_DIRECT_IND are
4680 * triggering a connection attempt. This is allowing
4681 * incoming connections from slave devices.
4683 if (adv_type != LE_ADV_DIRECT_IND)
4686 case HCI_AUTO_CONN_ALWAYS:
4687 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4688 * are triggering a connection attempt. This means
4689 * that incoming connectioms from slave device are
4690 * accepted and also outgoing connections to slave
4691 * devices are established when found.
4699 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4700 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4701 if (!IS_ERR(conn)) {
4702 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4703 * by higher layer that tried to connect, if no then
4704 * store the pointer since we don't really have any
4705 * other owner of the object besides the params that
4706 * triggered it. This way we can abort the connection if
4707 * the parameters get removed and keep the reference
4708 * count consistent once the connection is established.
4711 if (!params->explicit_connect)
4712 params->conn = hci_conn_get(conn);
4717 switch (PTR_ERR(conn)) {
4719 /* If hci_connect() returns -EBUSY it means there is already
4720 * an LE connection attempt going on. Since controllers don't
4721 * support more than one connection attempt at the time, we
4722 * don't consider this an error case.
4726 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4733 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4734 u8 bdaddr_type, bdaddr_t *direct_addr,
4735 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4737 struct discovery_state *d = &hdev->discovery;
4738 struct smp_irk *irk;
4739 struct hci_conn *conn;
4746 case LE_ADV_DIRECT_IND:
4747 case LE_ADV_SCAN_IND:
4748 case LE_ADV_NONCONN_IND:
4749 case LE_ADV_SCAN_RSP:
4752 BT_ERR_RATELIMITED("Unknown advetising packet type: 0x%02x",
4757 /* Find the end of the data in case the report contains padded zero
4758 * bytes at the end causing an invalid length value.
4760 * When data is NULL, len is 0 so there is no need for extra ptr
4761 * check as 'ptr < data + 0' is already false in such case.
4763 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4764 if (ptr + 1 + *ptr > data + len)
4768 real_len = ptr - data;
4770 /* Adjust for actual length */
4771 if (len != real_len) {
4772 BT_ERR_RATELIMITED("%s advertising data length corrected",
4777 /* If the direct address is present, then this report is from
4778 * a LE Direct Advertising Report event. In that case it is
4779 * important to see if the address is matching the local
4780 * controller address.
4783 /* Only resolvable random addresses are valid for these
4784 * kind of reports and others can be ignored.
4786 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4789 /* If the controller is not using resolvable random
4790 * addresses, then this report can be ignored.
4792 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4795 /* If the local IRK of the controller does not match
4796 * with the resolvable random address provided, then
4797 * this report can be ignored.
4799 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4803 /* Check if we need to convert to identity address */
4804 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4806 bdaddr = &irk->bdaddr;
4807 bdaddr_type = irk->addr_type;
4810 /* Check if we have been requested to connect to this device */
4811 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4812 if (conn && type == LE_ADV_IND) {
4813 /* Store report for later inclusion by
4814 * mgmt_device_connected
4816 memcpy(conn->le_adv_data, data, len);
4817 conn->le_adv_data_len = len;
4820 /* Passive scanning shouldn't trigger any device found events,
4821 * except for devices marked as CONN_REPORT for which we do send
4822 * device found events.
4824 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4825 if (type == LE_ADV_DIRECT_IND)
4828 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4829 bdaddr, bdaddr_type))
4832 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4833 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4836 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4837 rssi, flags, data, len, NULL, 0);
4841 /* When receiving non-connectable or scannable undirected
4842 * advertising reports, this means that the remote device is
4843 * not connectable and then clearly indicate this in the
4844 * device found event.
4846 * When receiving a scan response, then there is no way to
4847 * know if the remote device is connectable or not. However
4848 * since scan responses are merged with a previously seen
4849 * advertising report, the flags field from that report
4852 * In the really unlikely case that a controller get confused
4853 * and just sends a scan response event, then it is marked as
4854 * not connectable as well.
4856 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4857 type == LE_ADV_SCAN_RSP)
4858 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4862 /* If there's nothing pending either store the data from this
4863 * event or send an immediate device found event if the data
4864 * should not be stored for later.
4866 if (!has_pending_adv_report(hdev)) {
4867 /* If the report will trigger a SCAN_REQ store it for
4870 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4871 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4872 rssi, flags, data, len);
4876 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4877 rssi, flags, data, len, NULL, 0);
4881 /* Check if the pending report is for the same device as the new one */
4882 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4883 bdaddr_type == d->last_adv_addr_type);
4885 /* If the pending data doesn't match this report or this isn't a
4886 * scan response (e.g. we got a duplicate ADV_IND) then force
4887 * sending of the pending data.
4889 if (type != LE_ADV_SCAN_RSP || !match) {
4890 /* Send out whatever is in the cache, but skip duplicates */
4892 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4893 d->last_adv_addr_type, NULL,
4894 d->last_adv_rssi, d->last_adv_flags,
4896 d->last_adv_data_len, NULL, 0);
4898 /* If the new report will trigger a SCAN_REQ store it for
4901 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4902 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4903 rssi, flags, data, len);
4907 /* The advertising reports cannot be merged, so clear
4908 * the pending report and send out a device found event.
4910 clear_pending_adv_report(hdev);
4911 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4912 rssi, flags, data, len, NULL, 0);
4916 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4917 * the new event is a SCAN_RSP. We can therefore proceed with
4918 * sending a merged device found event.
4920 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4921 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4922 d->last_adv_data, d->last_adv_data_len, data, len);
4923 clear_pending_adv_report(hdev);
4926 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4928 u8 num_reports = skb->data[0];
4929 void *ptr = &skb->data[1];
4933 while (num_reports--) {
4934 struct hci_ev_le_advertising_info *ev = ptr;
4937 rssi = ev->data[ev->length];
4938 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4939 ev->bdaddr_type, NULL, 0, rssi,
4940 ev->data, ev->length);
4942 ptr += sizeof(*ev) + ev->length + 1;
4945 hci_dev_unlock(hdev);
4948 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4949 struct sk_buff *skb)
4951 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4952 struct hci_conn *conn;
4954 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4958 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4961 memcpy(conn->features[0], ev->features, 8);
4963 if (conn->state == BT_CONFIG) {
4966 /* If the local controller supports slave-initiated
4967 * features exchange, but the remote controller does
4968 * not, then it is possible that the error code 0x1a
4969 * for unsupported remote feature gets returned.
4971 * In this specific case, allow the connection to
4972 * transition into connected state and mark it as
4975 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4976 !conn->out && ev->status == 0x1a)
4979 status = ev->status;
4981 conn->state = BT_CONNECTED;
4982 hci_connect_cfm(conn, status);
4983 hci_conn_drop(conn);
4987 hci_dev_unlock(hdev);
4990 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4992 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4993 struct hci_cp_le_ltk_reply cp;
4994 struct hci_cp_le_ltk_neg_reply neg;
4995 struct hci_conn *conn;
4996 struct smp_ltk *ltk;
4998 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5002 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5006 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5010 if (smp_ltk_is_sc(ltk)) {
5011 /* With SC both EDiv and Rand are set to zero */
5012 if (ev->ediv || ev->rand)
5015 /* For non-SC keys check that EDiv and Rand match */
5016 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5020 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5021 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5022 cp.handle = cpu_to_le16(conn->handle);
5024 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5026 conn->enc_key_size = ltk->enc_size;
5028 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5030 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5031 * temporary key used to encrypt a connection following
5032 * pairing. It is used during the Encrypted Session Setup to
5033 * distribute the keys. Later, security can be re-established
5034 * using a distributed LTK.
5036 if (ltk->type == SMP_STK) {
5037 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5038 list_del_rcu(<k->list);
5039 kfree_rcu(ltk, rcu);
5041 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5044 hci_dev_unlock(hdev);
5049 neg.handle = ev->handle;
5050 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5051 hci_dev_unlock(hdev);
5054 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5057 struct hci_cp_le_conn_param_req_neg_reply cp;
5059 cp.handle = cpu_to_le16(handle);
5062 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5066 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5067 struct sk_buff *skb)
5069 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5070 struct hci_cp_le_conn_param_req_reply cp;
5071 struct hci_conn *hcon;
5072 u16 handle, min, max, latency, timeout;
5074 handle = le16_to_cpu(ev->handle);
5075 min = le16_to_cpu(ev->interval_min);
5076 max = le16_to_cpu(ev->interval_max);
5077 latency = le16_to_cpu(ev->latency);
5078 timeout = le16_to_cpu(ev->timeout);
5080 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5081 if (!hcon || hcon->state != BT_CONNECTED)
5082 return send_conn_param_neg_reply(hdev, handle,
5083 HCI_ERROR_UNKNOWN_CONN_ID);
5085 if (hci_check_conn_params(min, max, latency, timeout))
5086 return send_conn_param_neg_reply(hdev, handle,
5087 HCI_ERROR_INVALID_LL_PARAMS);
5089 if (hcon->role == HCI_ROLE_MASTER) {
5090 struct hci_conn_params *params;
5095 params = hci_conn_params_lookup(hdev, &hcon->dst,
5098 params->conn_min_interval = min;
5099 params->conn_max_interval = max;
5100 params->conn_latency = latency;
5101 params->supervision_timeout = timeout;
5107 hci_dev_unlock(hdev);
5109 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5110 store_hint, min, max, latency, timeout);
5113 cp.handle = ev->handle;
5114 cp.interval_min = ev->interval_min;
5115 cp.interval_max = ev->interval_max;
5116 cp.latency = ev->latency;
5117 cp.timeout = ev->timeout;
5121 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5124 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5125 struct sk_buff *skb)
5127 u8 num_reports = skb->data[0];
5128 void *ptr = &skb->data[1];
5132 while (num_reports--) {
5133 struct hci_ev_le_direct_adv_info *ev = ptr;
5135 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5136 ev->bdaddr_type, &ev->direct_addr,
5137 ev->direct_addr_type, ev->rssi, NULL, 0);
5142 hci_dev_unlock(hdev);
5145 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5147 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5149 skb_pull(skb, sizeof(*le_ev));
5151 switch (le_ev->subevent) {
5152 case HCI_EV_LE_CONN_COMPLETE:
5153 hci_le_conn_complete_evt(hdev, skb);
5156 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5157 hci_le_conn_update_complete_evt(hdev, skb);
5160 case HCI_EV_LE_ADVERTISING_REPORT:
5161 hci_le_adv_report_evt(hdev, skb);
5164 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5165 hci_le_remote_feat_complete_evt(hdev, skb);
5168 case HCI_EV_LE_LTK_REQ:
5169 hci_le_ltk_request_evt(hdev, skb);
5172 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5173 hci_le_remote_conn_param_req_evt(hdev, skb);
5176 case HCI_EV_LE_DIRECT_ADV_REPORT:
5177 hci_le_direct_adv_report_evt(hdev, skb);
5185 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5186 u8 event, struct sk_buff *skb)
5188 struct hci_ev_cmd_complete *ev;
5189 struct hci_event_hdr *hdr;
5194 if (skb->len < sizeof(*hdr)) {
5195 BT_ERR("Too short HCI event");
5199 hdr = (void *) skb->data;
5200 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5203 if (hdr->evt != event)
5208 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5209 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5213 if (skb->len < sizeof(*ev)) {
5214 BT_ERR("Too short cmd_complete event");
5218 ev = (void *) skb->data;
5219 skb_pull(skb, sizeof(*ev));
5221 if (opcode != __le16_to_cpu(ev->opcode)) {
5222 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5223 __le16_to_cpu(ev->opcode));
5230 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5232 struct hci_event_hdr *hdr = (void *) skb->data;
5233 hci_req_complete_t req_complete = NULL;
5234 hci_req_complete_skb_t req_complete_skb = NULL;
5235 struct sk_buff *orig_skb = NULL;
5236 u8 status = 0, event = hdr->evt, req_evt = 0;
5237 u16 opcode = HCI_OP_NOP;
5239 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5240 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5241 opcode = __le16_to_cpu(cmd_hdr->opcode);
5242 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5247 /* If it looks like we might end up having to call
5248 * req_complete_skb, store a pristine copy of the skb since the
5249 * various handlers may modify the original one through
5250 * skb_pull() calls, etc.
5252 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5253 event == HCI_EV_CMD_COMPLETE)
5254 orig_skb = skb_clone(skb, GFP_KERNEL);
5256 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5259 case HCI_EV_INQUIRY_COMPLETE:
5260 hci_inquiry_complete_evt(hdev, skb);
5263 case HCI_EV_INQUIRY_RESULT:
5264 hci_inquiry_result_evt(hdev, skb);
5267 case HCI_EV_CONN_COMPLETE:
5268 hci_conn_complete_evt(hdev, skb);
5271 case HCI_EV_CONN_REQUEST:
5272 hci_conn_request_evt(hdev, skb);
5275 case HCI_EV_DISCONN_COMPLETE:
5276 hci_disconn_complete_evt(hdev, skb);
5279 case HCI_EV_AUTH_COMPLETE:
5280 hci_auth_complete_evt(hdev, skb);
5283 case HCI_EV_REMOTE_NAME:
5284 hci_remote_name_evt(hdev, skb);
5287 case HCI_EV_ENCRYPT_CHANGE:
5288 hci_encrypt_change_evt(hdev, skb);
5291 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5292 hci_change_link_key_complete_evt(hdev, skb);
5295 case HCI_EV_REMOTE_FEATURES:
5296 hci_remote_features_evt(hdev, skb);
5299 case HCI_EV_CMD_COMPLETE:
5300 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5301 &req_complete, &req_complete_skb);
5304 case HCI_EV_CMD_STATUS:
5305 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5309 case HCI_EV_HARDWARE_ERROR:
5310 hci_hardware_error_evt(hdev, skb);
5313 case HCI_EV_ROLE_CHANGE:
5314 hci_role_change_evt(hdev, skb);
5317 case HCI_EV_NUM_COMP_PKTS:
5318 hci_num_comp_pkts_evt(hdev, skb);
5321 case HCI_EV_MODE_CHANGE:
5322 hci_mode_change_evt(hdev, skb);
5325 case HCI_EV_PIN_CODE_REQ:
5326 hci_pin_code_request_evt(hdev, skb);
5329 case HCI_EV_LINK_KEY_REQ:
5330 hci_link_key_request_evt(hdev, skb);
5333 case HCI_EV_LINK_KEY_NOTIFY:
5334 hci_link_key_notify_evt(hdev, skb);
5337 case HCI_EV_CLOCK_OFFSET:
5338 hci_clock_offset_evt(hdev, skb);
5341 case HCI_EV_PKT_TYPE_CHANGE:
5342 hci_pkt_type_change_evt(hdev, skb);
5345 case HCI_EV_PSCAN_REP_MODE:
5346 hci_pscan_rep_mode_evt(hdev, skb);
5349 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5350 hci_inquiry_result_with_rssi_evt(hdev, skb);
5353 case HCI_EV_REMOTE_EXT_FEATURES:
5354 hci_remote_ext_features_evt(hdev, skb);
5357 case HCI_EV_SYNC_CONN_COMPLETE:
5358 hci_sync_conn_complete_evt(hdev, skb);
5361 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5362 hci_extended_inquiry_result_evt(hdev, skb);
5365 case HCI_EV_KEY_REFRESH_COMPLETE:
5366 hci_key_refresh_complete_evt(hdev, skb);
5369 case HCI_EV_IO_CAPA_REQUEST:
5370 hci_io_capa_request_evt(hdev, skb);
5373 case HCI_EV_IO_CAPA_REPLY:
5374 hci_io_capa_reply_evt(hdev, skb);
5377 case HCI_EV_USER_CONFIRM_REQUEST:
5378 hci_user_confirm_request_evt(hdev, skb);
5381 case HCI_EV_USER_PASSKEY_REQUEST:
5382 hci_user_passkey_request_evt(hdev, skb);
5385 case HCI_EV_USER_PASSKEY_NOTIFY:
5386 hci_user_passkey_notify_evt(hdev, skb);
5389 case HCI_EV_KEYPRESS_NOTIFY:
5390 hci_keypress_notify_evt(hdev, skb);
5393 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5394 hci_simple_pair_complete_evt(hdev, skb);
5397 case HCI_EV_REMOTE_HOST_FEATURES:
5398 hci_remote_host_features_evt(hdev, skb);
5401 case HCI_EV_LE_META:
5402 hci_le_meta_evt(hdev, skb);
5405 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5406 hci_remote_oob_data_request_evt(hdev, skb);
5409 #if IS_ENABLED(CONFIG_BT_HS)
5410 case HCI_EV_CHANNEL_SELECTED:
5411 hci_chan_selected_evt(hdev, skb);
5414 case HCI_EV_PHY_LINK_COMPLETE:
5415 hci_phy_link_complete_evt(hdev, skb);
5418 case HCI_EV_LOGICAL_LINK_COMPLETE:
5419 hci_loglink_complete_evt(hdev, skb);
5422 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5423 hci_disconn_loglink_complete_evt(hdev, skb);
5426 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5427 hci_disconn_phylink_complete_evt(hdev, skb);
5431 case HCI_EV_NUM_COMP_BLOCKS:
5432 hci_num_comp_blocks_evt(hdev, skb);
5436 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5441 req_complete(hdev, status, opcode);
5442 } else if (req_complete_skb) {
5443 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5444 kfree_skb(orig_skb);
5447 req_complete_skb(hdev, status, opcode, orig_skb);
5450 kfree_skb(orig_skb);
5452 hdev->stat.evt_rx++;
projects / cascardo / linux.git / blob