2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
61 hci_conn_check_pending(hdev);
64 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
66 __u8 status = *((__u8 *) skb->data);
68 BT_DBG("%s status 0x%2.2x", hdev->name, status);
73 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
76 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
78 __u8 status = *((__u8 *) skb->data);
80 BT_DBG("%s status 0x%2.2x", hdev->name, status);
85 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
87 hci_conn_check_pending(hdev);
90 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
93 BT_DBG("%s", hdev->name);
96 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
98 struct hci_rp_role_discovery *rp = (void *) skb->data;
99 struct hci_conn *conn;
101 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
108 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
110 conn->role = rp->role;
112 hci_dev_unlock(hdev);
115 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
117 struct hci_rp_read_link_policy *rp = (void *) skb->data;
118 struct hci_conn *conn;
120 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
127 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
129 conn->link_policy = __le16_to_cpu(rp->policy);
131 hci_dev_unlock(hdev);
134 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
136 struct hci_rp_write_link_policy *rp = (void *) skb->data;
137 struct hci_conn *conn;
140 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
145 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
153 conn->link_policy = get_unaligned_le16(sent + 2);
155 hci_dev_unlock(hdev);
158 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
161 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
163 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
168 hdev->link_policy = __le16_to_cpu(rp->policy);
171 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
174 __u8 status = *((__u8 *) skb->data);
177 BT_DBG("%s status 0x%2.2x", hdev->name, status);
182 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
186 hdev->link_policy = get_unaligned_le16(sent);
189 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
191 __u8 status = *((__u8 *) skb->data);
193 BT_DBG("%s status 0x%2.2x", hdev->name, status);
195 clear_bit(HCI_RESET, &hdev->flags);
200 /* Reset all non-persistent flags */
201 hci_dev_clear_volatile_flags(hdev);
203 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
205 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
206 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
208 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
209 hdev->adv_data_len = 0;
211 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
212 hdev->scan_rsp_data_len = 0;
214 hdev->le_scan_type = LE_SCAN_PASSIVE;
216 hdev->ssp_debug_mode = 0;
218 hci_bdaddr_list_clear(&hdev->le_white_list);
221 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
224 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
225 struct hci_cp_read_stored_link_key *sent;
227 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
229 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
233 if (!rp->status && sent->read_all == 0x01) {
234 hdev->stored_max_keys = rp->max_keys;
235 hdev->stored_num_keys = rp->num_keys;
239 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
242 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
244 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
249 if (rp->num_keys <= hdev->stored_num_keys)
250 hdev->stored_num_keys -= rp->num_keys;
252 hdev->stored_num_keys = 0;
255 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
257 __u8 status = *((__u8 *) skb->data);
260 BT_DBG("%s status 0x%2.2x", hdev->name, status);
262 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 if (hci_dev_test_flag(hdev, HCI_MGMT))
269 mgmt_set_local_name_complete(hdev, sent, status);
271 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
273 hci_dev_unlock(hdev);
276 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 struct hci_rp_read_local_name *rp = (void *) skb->data;
280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
285 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
286 hci_dev_test_flag(hdev, HCI_CONFIG))
287 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
290 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
292 __u8 status = *((__u8 *) skb->data);
295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
297 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
304 __u8 param = *((__u8 *) sent);
306 if (param == AUTH_ENABLED)
307 set_bit(HCI_AUTH, &hdev->flags);
309 clear_bit(HCI_AUTH, &hdev->flags);
312 if (hci_dev_test_flag(hdev, HCI_MGMT))
313 mgmt_auth_enable_complete(hdev, status);
315 hci_dev_unlock(hdev);
318 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
320 __u8 status = *((__u8 *) skb->data);
324 BT_DBG("%s status 0x%2.2x", hdev->name, status);
329 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
333 param = *((__u8 *) sent);
336 set_bit(HCI_ENCRYPT, &hdev->flags);
338 clear_bit(HCI_ENCRYPT, &hdev->flags);
341 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
343 __u8 status = *((__u8 *) skb->data);
347 BT_DBG("%s status 0x%2.2x", hdev->name, status);
349 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
353 param = *((__u8 *) sent);
358 hdev->discov_timeout = 0;
362 if (param & SCAN_INQUIRY)
363 set_bit(HCI_ISCAN, &hdev->flags);
365 clear_bit(HCI_ISCAN, &hdev->flags);
367 if (param & SCAN_PAGE)
368 set_bit(HCI_PSCAN, &hdev->flags);
370 clear_bit(HCI_PSCAN, &hdev->flags);
373 hci_dev_unlock(hdev);
376 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
378 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
380 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
385 memcpy(hdev->dev_class, rp->dev_class, 3);
387 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
388 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
391 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
393 __u8 status = *((__u8 *) skb->data);
396 BT_DBG("%s status 0x%2.2x", hdev->name, status);
398 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
405 memcpy(hdev->dev_class, sent, 3);
407 if (hci_dev_test_flag(hdev, HCI_MGMT))
408 mgmt_set_class_of_dev_complete(hdev, sent, status);
410 hci_dev_unlock(hdev);
413 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
415 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
418 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
423 setting = __le16_to_cpu(rp->voice_setting);
425 if (hdev->voice_setting == setting)
428 hdev->voice_setting = setting;
430 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
433 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
436 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
439 __u8 status = *((__u8 *) skb->data);
443 BT_DBG("%s status 0x%2.2x", hdev->name, status);
448 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
452 setting = get_unaligned_le16(sent);
454 if (hdev->voice_setting == setting)
457 hdev->voice_setting = setting;
459 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
462 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
465 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
468 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
470 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
475 hdev->num_iac = rp->num_iac;
477 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
480 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
482 __u8 status = *((__u8 *) skb->data);
483 struct hci_cp_write_ssp_mode *sent;
485 BT_DBG("%s status 0x%2.2x", hdev->name, status);
487 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
495 hdev->features[1][0] |= LMP_HOST_SSP;
497 hdev->features[1][0] &= ~LMP_HOST_SSP;
500 if (hci_dev_test_flag(hdev, HCI_MGMT))
501 mgmt_ssp_enable_complete(hdev, sent->mode, status);
504 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
506 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
509 hci_dev_unlock(hdev);
512 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
514 u8 status = *((u8 *) skb->data);
515 struct hci_cp_write_sc_support *sent;
517 BT_DBG("%s status 0x%2.2x", hdev->name, status);
519 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
527 hdev->features[1][0] |= LMP_HOST_SC;
529 hdev->features[1][0] &= ~LMP_HOST_SC;
532 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
534 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
536 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
539 hci_dev_unlock(hdev);
542 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
544 struct hci_rp_read_local_version *rp = (void *) skb->data;
546 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
551 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
552 hci_dev_test_flag(hdev, HCI_CONFIG)) {
553 hdev->hci_ver = rp->hci_ver;
554 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
555 hdev->lmp_ver = rp->lmp_ver;
556 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
557 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
561 static void hci_cc_read_local_commands(struct hci_dev *hdev,
564 struct hci_rp_read_local_commands *rp = (void *) skb->data;
566 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
571 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
572 hci_dev_test_flag(hdev, HCI_CONFIG))
573 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
576 static void hci_cc_read_local_features(struct hci_dev *hdev,
579 struct hci_rp_read_local_features *rp = (void *) skb->data;
581 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
586 memcpy(hdev->features, rp->features, 8);
588 /* Adjust default settings according to features
589 * supported by device. */
591 if (hdev->features[0][0] & LMP_3SLOT)
592 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
594 if (hdev->features[0][0] & LMP_5SLOT)
595 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
597 if (hdev->features[0][1] & LMP_HV2) {
598 hdev->pkt_type |= (HCI_HV2);
599 hdev->esco_type |= (ESCO_HV2);
602 if (hdev->features[0][1] & LMP_HV3) {
603 hdev->pkt_type |= (HCI_HV3);
604 hdev->esco_type |= (ESCO_HV3);
607 if (lmp_esco_capable(hdev))
608 hdev->esco_type |= (ESCO_EV3);
610 if (hdev->features[0][4] & LMP_EV4)
611 hdev->esco_type |= (ESCO_EV4);
613 if (hdev->features[0][4] & LMP_EV5)
614 hdev->esco_type |= (ESCO_EV5);
616 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
617 hdev->esco_type |= (ESCO_2EV3);
619 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
620 hdev->esco_type |= (ESCO_3EV3);
622 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
623 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
626 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
629 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
631 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
636 if (hdev->max_page < rp->max_page)
637 hdev->max_page = rp->max_page;
639 if (rp->page < HCI_MAX_PAGES)
640 memcpy(hdev->features[rp->page], rp->features, 8);
643 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
646 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
653 hdev->flow_ctl_mode = rp->mode;
656 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
658 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
660 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
665 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
666 hdev->sco_mtu = rp->sco_mtu;
667 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
668 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
670 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
675 hdev->acl_cnt = hdev->acl_pkts;
676 hdev->sco_cnt = hdev->sco_pkts;
678 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
679 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
682 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
684 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
686 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
691 if (test_bit(HCI_INIT, &hdev->flags))
692 bacpy(&hdev->bdaddr, &rp->bdaddr);
694 if (hci_dev_test_flag(hdev, HCI_SETUP))
695 bacpy(&hdev->setup_addr, &rp->bdaddr);
698 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
701 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
703 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
708 if (test_bit(HCI_INIT, &hdev->flags)) {
709 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
710 hdev->page_scan_window = __le16_to_cpu(rp->window);
714 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
717 u8 status = *((u8 *) skb->data);
718 struct hci_cp_write_page_scan_activity *sent;
720 BT_DBG("%s status 0x%2.2x", hdev->name, status);
725 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
729 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
730 hdev->page_scan_window = __le16_to_cpu(sent->window);
733 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
736 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
738 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
743 if (test_bit(HCI_INIT, &hdev->flags))
744 hdev->page_scan_type = rp->type;
747 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
750 u8 status = *((u8 *) skb->data);
753 BT_DBG("%s status 0x%2.2x", hdev->name, status);
758 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
760 hdev->page_scan_type = *type;
763 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
766 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
768 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
773 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
774 hdev->block_len = __le16_to_cpu(rp->block_len);
775 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
777 hdev->block_cnt = hdev->num_blocks;
779 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
780 hdev->block_cnt, hdev->block_len);
783 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
785 struct hci_rp_read_clock *rp = (void *) skb->data;
786 struct hci_cp_read_clock *cp;
787 struct hci_conn *conn;
789 BT_DBG("%s", hdev->name);
791 if (skb->len < sizeof(*rp))
799 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
803 if (cp->which == 0x00) {
804 hdev->clock = le32_to_cpu(rp->clock);
808 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
810 conn->clock = le32_to_cpu(rp->clock);
811 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
815 hci_dev_unlock(hdev);
818 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
821 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
823 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
828 hdev->amp_status = rp->amp_status;
829 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
830 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
831 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
832 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
833 hdev->amp_type = rp->amp_type;
834 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
835 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
836 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
837 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
840 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
843 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
845 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
850 hdev->inq_tx_power = rp->tx_power;
853 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
855 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
856 struct hci_cp_pin_code_reply *cp;
857 struct hci_conn *conn;
859 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
863 if (hci_dev_test_flag(hdev, HCI_MGMT))
864 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
869 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
873 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
875 conn->pin_length = cp->pin_len;
878 hci_dev_unlock(hdev);
881 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
883 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
885 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
889 if (hci_dev_test_flag(hdev, HCI_MGMT))
890 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
893 hci_dev_unlock(hdev);
896 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
899 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
901 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
906 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
907 hdev->le_pkts = rp->le_max_pkt;
909 hdev->le_cnt = hdev->le_pkts;
911 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
914 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
917 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
919 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
924 memcpy(hdev->le_features, rp->features, 8);
927 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
930 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
932 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
937 hdev->adv_tx_power = rp->tx_power;
940 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
942 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
944 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
948 if (hci_dev_test_flag(hdev, HCI_MGMT))
949 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
952 hci_dev_unlock(hdev);
955 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
958 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
960 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
964 if (hci_dev_test_flag(hdev, HCI_MGMT))
965 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
966 ACL_LINK, 0, rp->status);
968 hci_dev_unlock(hdev);
971 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
973 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
975 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
979 if (hci_dev_test_flag(hdev, HCI_MGMT))
980 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
983 hci_dev_unlock(hdev);
986 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
989 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
991 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
995 if (hci_dev_test_flag(hdev, HCI_MGMT))
996 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
997 ACL_LINK, 0, rp->status);
999 hci_dev_unlock(hdev);
1002 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1003 struct sk_buff *skb)
1005 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1007 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1010 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1011 struct sk_buff *skb)
1013 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1015 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1018 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1020 __u8 status = *((__u8 *) skb->data);
1023 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1028 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 bacpy(&hdev->random_addr, sent);
1036 hci_dev_unlock(hdev);
1039 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1041 __u8 *sent, status = *((__u8 *) skb->data);
1043 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1048 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 /* If we're doing connection initiation as peripheral. Set a
1055 * timeout in case something goes wrong.
1058 struct hci_conn *conn;
1060 hci_dev_set_flag(hdev, HCI_LE_ADV);
1062 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1064 queue_delayed_work(hdev->workqueue,
1065 &conn->le_conn_timeout,
1066 conn->conn_timeout);
1068 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1071 hci_dev_unlock(hdev);
1074 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1076 struct hci_cp_le_set_scan_param *cp;
1077 __u8 status = *((__u8 *) skb->data);
1079 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1084 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 hdev->le_scan_type = cp->type;
1092 hci_dev_unlock(hdev);
1095 static bool has_pending_adv_report(struct hci_dev *hdev)
1097 struct discovery_state *d = &hdev->discovery;
1099 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1102 static void clear_pending_adv_report(struct hci_dev *hdev)
1104 struct discovery_state *d = &hdev->discovery;
1106 bacpy(&d->last_adv_addr, BDADDR_ANY);
1107 d->last_adv_data_len = 0;
1110 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1111 u8 bdaddr_type, s8 rssi, u32 flags,
1114 struct discovery_state *d = &hdev->discovery;
1116 bacpy(&d->last_adv_addr, bdaddr);
1117 d->last_adv_addr_type = bdaddr_type;
1118 d->last_adv_rssi = rssi;
1119 d->last_adv_flags = flags;
1120 memcpy(d->last_adv_data, data, len);
1121 d->last_adv_data_len = len;
1124 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1125 struct sk_buff *skb)
1127 struct hci_cp_le_set_scan_enable *cp;
1128 __u8 status = *((__u8 *) skb->data);
1130 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1135 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 switch (cp->enable) {
1142 case LE_SCAN_ENABLE:
1143 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1144 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1145 clear_pending_adv_report(hdev);
1148 case LE_SCAN_DISABLE:
1149 /* We do this here instead of when setting DISCOVERY_STOPPED
1150 * since the latter would potentially require waiting for
1151 * inquiry to stop too.
1153 if (has_pending_adv_report(hdev)) {
1154 struct discovery_state *d = &hdev->discovery;
1156 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1157 d->last_adv_addr_type, NULL,
1158 d->last_adv_rssi, d->last_adv_flags,
1160 d->last_adv_data_len, NULL, 0);
1163 /* Cancel this timer so that we don't try to disable scanning
1164 * when it's already disabled.
1166 cancel_delayed_work(&hdev->le_scan_disable);
1168 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1170 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1171 * interrupted scanning due to a connect request. Mark
1172 * therefore discovery as stopped. If this was not
1173 * because of a connect request advertising might have
1174 * been disabled because of active scanning, so
1175 * re-enable it again if necessary.
1177 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1178 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1179 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1180 hdev->discovery.state == DISCOVERY_FINDING)
1181 mgmt_reenable_advertising(hdev);
1186 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1190 hci_dev_unlock(hdev);
1193 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1194 struct sk_buff *skb)
1196 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1198 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1203 hdev->le_white_list_size = rp->size;
1206 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1207 struct sk_buff *skb)
1209 __u8 status = *((__u8 *) skb->data);
1211 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1216 hci_bdaddr_list_clear(&hdev->le_white_list);
1219 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1220 struct sk_buff *skb)
1222 struct hci_cp_le_add_to_white_list *sent;
1223 __u8 status = *((__u8 *) skb->data);
1225 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1230 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1234 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1238 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1239 struct sk_buff *skb)
1241 struct hci_cp_le_del_from_white_list *sent;
1242 __u8 status = *((__u8 *) skb->data);
1244 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1249 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1253 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1257 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1258 struct sk_buff *skb)
1260 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1262 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1267 memcpy(hdev->le_states, rp->le_states, 8);
1270 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1271 struct sk_buff *skb)
1273 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1275 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1280 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1281 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1284 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1285 struct sk_buff *skb)
1287 struct hci_cp_le_write_def_data_len *sent;
1288 __u8 status = *((__u8 *) skb->data);
1290 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1295 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1299 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1300 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1303 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1304 struct sk_buff *skb)
1306 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1308 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1313 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1314 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1315 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1316 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1319 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1320 struct sk_buff *skb)
1322 struct hci_cp_write_le_host_supported *sent;
1323 __u8 status = *((__u8 *) skb->data);
1325 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1330 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1337 hdev->features[1][0] |= LMP_HOST_LE;
1338 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1340 hdev->features[1][0] &= ~LMP_HOST_LE;
1341 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1342 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1346 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1348 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1350 hci_dev_unlock(hdev);
1353 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1355 struct hci_cp_le_set_adv_param *cp;
1356 u8 status = *((u8 *) skb->data);
1358 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1363 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1368 hdev->adv_addr_type = cp->own_address_type;
1369 hci_dev_unlock(hdev);
1372 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1374 struct hci_rp_read_rssi *rp = (void *) skb->data;
1375 struct hci_conn *conn;
1377 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1384 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1386 conn->rssi = rp->rssi;
1388 hci_dev_unlock(hdev);
1391 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1393 struct hci_cp_read_tx_power *sent;
1394 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1395 struct hci_conn *conn;
1397 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1402 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1408 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1412 switch (sent->type) {
1414 conn->tx_power = rp->tx_power;
1417 conn->max_tx_power = rp->tx_power;
1422 hci_dev_unlock(hdev);
1425 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1427 u8 status = *((u8 *) skb->data);
1430 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1435 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1437 hdev->ssp_debug_mode = *mode;
1440 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1442 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1445 hci_conn_check_pending(hdev);
1449 set_bit(HCI_INQUIRY, &hdev->flags);
1452 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1454 struct hci_cp_create_conn *cp;
1455 struct hci_conn *conn;
1457 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1459 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1465 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1467 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1470 if (conn && conn->state == BT_CONNECT) {
1471 if (status != 0x0c || conn->attempt > 2) {
1472 conn->state = BT_CLOSED;
1473 hci_connect_cfm(conn, status);
1476 conn->state = BT_CONNECT2;
1480 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1483 BT_ERR("No memory for new connection");
1487 hci_dev_unlock(hdev);
1490 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1492 struct hci_cp_add_sco *cp;
1493 struct hci_conn *acl, *sco;
1496 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1501 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1505 handle = __le16_to_cpu(cp->handle);
1507 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1511 acl = hci_conn_hash_lookup_handle(hdev, handle);
1515 sco->state = BT_CLOSED;
1517 hci_connect_cfm(sco, status);
1522 hci_dev_unlock(hdev);
1525 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1527 struct hci_cp_auth_requested *cp;
1528 struct hci_conn *conn;
1530 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1535 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1541 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1543 if (conn->state == BT_CONFIG) {
1544 hci_connect_cfm(conn, status);
1545 hci_conn_drop(conn);
1549 hci_dev_unlock(hdev);
1552 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1554 struct hci_cp_set_conn_encrypt *cp;
1555 struct hci_conn *conn;
1557 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1562 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1568 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1570 if (conn->state == BT_CONFIG) {
1571 hci_connect_cfm(conn, status);
1572 hci_conn_drop(conn);
1576 hci_dev_unlock(hdev);
1579 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1580 struct hci_conn *conn)
1582 if (conn->state != BT_CONFIG || !conn->out)
1585 if (conn->pending_sec_level == BT_SECURITY_SDP)
1588 /* Only request authentication for SSP connections or non-SSP
1589 * devices with sec_level MEDIUM or HIGH or if MITM protection
1592 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1593 conn->pending_sec_level != BT_SECURITY_FIPS &&
1594 conn->pending_sec_level != BT_SECURITY_HIGH &&
1595 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1601 static int hci_resolve_name(struct hci_dev *hdev,
1602 struct inquiry_entry *e)
1604 struct hci_cp_remote_name_req cp;
1606 memset(&cp, 0, sizeof(cp));
1608 bacpy(&cp.bdaddr, &e->data.bdaddr);
1609 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1610 cp.pscan_mode = e->data.pscan_mode;
1611 cp.clock_offset = e->data.clock_offset;
1613 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1616 static bool hci_resolve_next_name(struct hci_dev *hdev)
1618 struct discovery_state *discov = &hdev->discovery;
1619 struct inquiry_entry *e;
1621 if (list_empty(&discov->resolve))
1624 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1628 if (hci_resolve_name(hdev, e) == 0) {
1629 e->name_state = NAME_PENDING;
1636 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1637 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1639 struct discovery_state *discov = &hdev->discovery;
1640 struct inquiry_entry *e;
1642 /* Update the mgmt connected state if necessary. Be careful with
1643 * conn objects that exist but are not (yet) connected however.
1644 * Only those in BT_CONFIG or BT_CONNECTED states can be
1645 * considered connected.
1648 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1649 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1650 mgmt_device_connected(hdev, conn, 0, name, name_len);
1652 if (discov->state == DISCOVERY_STOPPED)
1655 if (discov->state == DISCOVERY_STOPPING)
1656 goto discov_complete;
1658 if (discov->state != DISCOVERY_RESOLVING)
1661 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1662 /* If the device was not found in a list of found devices names of which
1663 * are pending. there is no need to continue resolving a next name as it
1664 * will be done upon receiving another Remote Name Request Complete
1671 e->name_state = NAME_KNOWN;
1672 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1673 e->data.rssi, name, name_len);
1675 e->name_state = NAME_NOT_KNOWN;
1678 if (hci_resolve_next_name(hdev))
1682 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1685 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1687 struct hci_cp_remote_name_req *cp;
1688 struct hci_conn *conn;
1690 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1692 /* If successful wait for the name req complete event before
1693 * checking for the need to do authentication */
1697 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1703 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1705 if (hci_dev_test_flag(hdev, HCI_MGMT))
1706 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1711 if (!hci_outgoing_auth_needed(hdev, conn))
1714 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1715 struct hci_cp_auth_requested auth_cp;
1717 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1719 auth_cp.handle = __cpu_to_le16(conn->handle);
1720 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1721 sizeof(auth_cp), &auth_cp);
1725 hci_dev_unlock(hdev);
1728 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1730 struct hci_cp_read_remote_features *cp;
1731 struct hci_conn *conn;
1733 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1738 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1744 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1746 if (conn->state == BT_CONFIG) {
1747 hci_connect_cfm(conn, status);
1748 hci_conn_drop(conn);
1752 hci_dev_unlock(hdev);
1755 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1757 struct hci_cp_read_remote_ext_features *cp;
1758 struct hci_conn *conn;
1760 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1765 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1771 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1773 if (conn->state == BT_CONFIG) {
1774 hci_connect_cfm(conn, status);
1775 hci_conn_drop(conn);
1779 hci_dev_unlock(hdev);
1782 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1784 struct hci_cp_setup_sync_conn *cp;
1785 struct hci_conn *acl, *sco;
1788 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1793 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1797 handle = __le16_to_cpu(cp->handle);
1799 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1803 acl = hci_conn_hash_lookup_handle(hdev, handle);
1807 sco->state = BT_CLOSED;
1809 hci_connect_cfm(sco, status);
1814 hci_dev_unlock(hdev);
1817 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1819 struct hci_cp_sniff_mode *cp;
1820 struct hci_conn *conn;
1822 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1827 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1833 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1835 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1837 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1838 hci_sco_setup(conn, status);
1841 hci_dev_unlock(hdev);
1844 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1846 struct hci_cp_exit_sniff_mode *cp;
1847 struct hci_conn *conn;
1849 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1854 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1860 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1862 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1864 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1865 hci_sco_setup(conn, status);
1868 hci_dev_unlock(hdev);
1871 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1873 struct hci_cp_disconnect *cp;
1874 struct hci_conn *conn;
1879 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1885 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1887 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1888 conn->dst_type, status);
1890 hci_dev_unlock(hdev);
1893 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1895 struct hci_cp_le_create_conn *cp;
1896 struct hci_conn *conn;
1898 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1900 /* All connection failure handling is taken care of by the
1901 * hci_le_conn_failed function which is triggered by the HCI
1902 * request completion callbacks used for connecting.
1907 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1913 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1917 /* Store the initiator and responder address information which
1918 * is needed for SMP. These values will not change during the
1919 * lifetime of the connection.
1921 conn->init_addr_type = cp->own_address_type;
1922 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1923 bacpy(&conn->init_addr, &hdev->random_addr);
1925 bacpy(&conn->init_addr, &hdev->bdaddr);
1927 conn->resp_addr_type = cp->peer_addr_type;
1928 bacpy(&conn->resp_addr, &cp->peer_addr);
1930 /* We don't want the connection attempt to stick around
1931 * indefinitely since LE doesn't have a page timeout concept
1932 * like BR/EDR. Set a timer for any connection that doesn't use
1933 * the white list for connecting.
1935 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1936 queue_delayed_work(conn->hdev->workqueue,
1937 &conn->le_conn_timeout,
1938 conn->conn_timeout);
1941 hci_dev_unlock(hdev);
1944 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1946 struct hci_cp_le_read_remote_features *cp;
1947 struct hci_conn *conn;
1949 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1954 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1960 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1962 if (conn->state == BT_CONFIG) {
1963 hci_connect_cfm(conn, status);
1964 hci_conn_drop(conn);
1968 hci_dev_unlock(hdev);
1971 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1973 struct hci_cp_le_start_enc *cp;
1974 struct hci_conn *conn;
1976 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1983 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1987 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1991 if (conn->state != BT_CONNECTED)
1994 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1995 hci_conn_drop(conn);
1998 hci_dev_unlock(hdev);
2001 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2003 struct hci_cp_switch_role *cp;
2004 struct hci_conn *conn;
2006 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2011 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2017 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2019 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2021 hci_dev_unlock(hdev);
2024 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2026 __u8 status = *((__u8 *) skb->data);
2027 struct discovery_state *discov = &hdev->discovery;
2028 struct inquiry_entry *e;
2030 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2032 hci_conn_check_pending(hdev);
2034 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2037 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2038 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2040 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2045 if (discov->state != DISCOVERY_FINDING)
2048 if (list_empty(&discov->resolve)) {
2049 /* When BR/EDR inquiry is active and no LE scanning is in
2050 * progress, then change discovery state to indicate completion.
2052 * When running LE scanning and BR/EDR inquiry simultaneously
2053 * and the LE scan already finished, then change the discovery
2054 * state to indicate completion.
2056 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2057 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2058 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2062 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2063 if (e && hci_resolve_name(hdev, e) == 0) {
2064 e->name_state = NAME_PENDING;
2065 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2067 /* When BR/EDR inquiry is active and no LE scanning is in
2068 * progress, then change discovery state to indicate completion.
2070 * When running LE scanning and BR/EDR inquiry simultaneously
2071 * and the LE scan already finished, then change the discovery
2072 * state to indicate completion.
2074 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2075 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2076 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2080 hci_dev_unlock(hdev);
2083 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2085 struct inquiry_data data;
2086 struct inquiry_info *info = (void *) (skb->data + 1);
2087 int num_rsp = *((__u8 *) skb->data);
2089 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2094 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2099 for (; num_rsp; num_rsp--, info++) {
2102 bacpy(&data.bdaddr, &info->bdaddr);
2103 data.pscan_rep_mode = info->pscan_rep_mode;
2104 data.pscan_period_mode = info->pscan_period_mode;
2105 data.pscan_mode = info->pscan_mode;
2106 memcpy(data.dev_class, info->dev_class, 3);
2107 data.clock_offset = info->clock_offset;
2108 data.rssi = HCI_RSSI_INVALID;
2109 data.ssp_mode = 0x00;
2111 flags = hci_inquiry_cache_update(hdev, &data, false);
2113 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2114 info->dev_class, HCI_RSSI_INVALID,
2115 flags, NULL, 0, NULL, 0);
2118 hci_dev_unlock(hdev);
2121 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2123 struct hci_ev_conn_complete *ev = (void *) skb->data;
2124 struct hci_conn *conn;
2126 BT_DBG("%s", hdev->name);
2130 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2132 if (ev->link_type != SCO_LINK)
2135 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2139 conn->type = SCO_LINK;
2143 conn->handle = __le16_to_cpu(ev->handle);
2145 if (conn->type == ACL_LINK) {
2146 conn->state = BT_CONFIG;
2147 hci_conn_hold(conn);
2149 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2150 !hci_find_link_key(hdev, &ev->bdaddr))
2151 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2153 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2155 conn->state = BT_CONNECTED;
2157 hci_debugfs_create_conn(conn);
2158 hci_conn_add_sysfs(conn);
2160 if (test_bit(HCI_AUTH, &hdev->flags))
2161 set_bit(HCI_CONN_AUTH, &conn->flags);
2163 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2164 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2166 /* Get remote features */
2167 if (conn->type == ACL_LINK) {
2168 struct hci_cp_read_remote_features cp;
2169 cp.handle = ev->handle;
2170 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2173 hci_update_page_scan(hdev);
2176 /* Set packet type for incoming connection */
2177 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2178 struct hci_cp_change_conn_ptype cp;
2179 cp.handle = ev->handle;
2180 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2181 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2185 conn->state = BT_CLOSED;
2186 if (conn->type == ACL_LINK)
2187 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2188 conn->dst_type, ev->status);
2191 if (conn->type == ACL_LINK)
2192 hci_sco_setup(conn, ev->status);
2195 hci_connect_cfm(conn, ev->status);
2197 } else if (ev->link_type != ACL_LINK)
2198 hci_connect_cfm(conn, ev->status);
2201 hci_dev_unlock(hdev);
2203 hci_conn_check_pending(hdev);
2206 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2208 struct hci_cp_reject_conn_req cp;
2210 bacpy(&cp.bdaddr, bdaddr);
2211 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2212 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2215 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2217 struct hci_ev_conn_request *ev = (void *) skb->data;
2218 int mask = hdev->link_mode;
2219 struct inquiry_entry *ie;
2220 struct hci_conn *conn;
2223 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2226 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2229 if (!(mask & HCI_LM_ACCEPT)) {
2230 hci_reject_conn(hdev, &ev->bdaddr);
2234 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2236 hci_reject_conn(hdev, &ev->bdaddr);
2240 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2241 * connection. These features are only touched through mgmt so
2242 * only do the checks if HCI_MGMT is set.
2244 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2245 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2246 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2248 hci_reject_conn(hdev, &ev->bdaddr);
2252 /* Connection accepted */
2256 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2258 memcpy(ie->data.dev_class, ev->dev_class, 3);
2260 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2263 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2266 BT_ERR("No memory for new connection");
2267 hci_dev_unlock(hdev);
2272 memcpy(conn->dev_class, ev->dev_class, 3);
2274 hci_dev_unlock(hdev);
2276 if (ev->link_type == ACL_LINK ||
2277 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2278 struct hci_cp_accept_conn_req cp;
2279 conn->state = BT_CONNECT;
2281 bacpy(&cp.bdaddr, &ev->bdaddr);
2283 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2284 cp.role = 0x00; /* Become master */
2286 cp.role = 0x01; /* Remain slave */
2288 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2289 } else if (!(flags & HCI_PROTO_DEFER)) {
2290 struct hci_cp_accept_sync_conn_req cp;
2291 conn->state = BT_CONNECT;
2293 bacpy(&cp.bdaddr, &ev->bdaddr);
2294 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2296 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2297 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2298 cp.max_latency = cpu_to_le16(0xffff);
2299 cp.content_format = cpu_to_le16(hdev->voice_setting);
2300 cp.retrans_effort = 0xff;
2302 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2305 conn->state = BT_CONNECT2;
2306 hci_connect_cfm(conn, 0);
2310 static u8 hci_to_mgmt_reason(u8 err)
2313 case HCI_ERROR_CONNECTION_TIMEOUT:
2314 return MGMT_DEV_DISCONN_TIMEOUT;
2315 case HCI_ERROR_REMOTE_USER_TERM:
2316 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2317 case HCI_ERROR_REMOTE_POWER_OFF:
2318 return MGMT_DEV_DISCONN_REMOTE;
2319 case HCI_ERROR_LOCAL_HOST_TERM:
2320 return MGMT_DEV_DISCONN_LOCAL_HOST;
2322 return MGMT_DEV_DISCONN_UNKNOWN;
2326 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2328 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2329 u8 reason = hci_to_mgmt_reason(ev->reason);
2330 struct hci_conn_params *params;
2331 struct hci_conn *conn;
2332 bool mgmt_connected;
2335 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2339 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2344 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2345 conn->dst_type, ev->status);
2349 conn->state = BT_CLOSED;
2351 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2352 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2353 reason, mgmt_connected);
2355 if (conn->type == ACL_LINK) {
2356 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2357 hci_remove_link_key(hdev, &conn->dst);
2359 hci_update_page_scan(hdev);
2362 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2364 switch (params->auto_connect) {
2365 case HCI_AUTO_CONN_LINK_LOSS:
2366 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2370 case HCI_AUTO_CONN_DIRECT:
2371 case HCI_AUTO_CONN_ALWAYS:
2372 list_del_init(¶ms->action);
2373 list_add(¶ms->action, &hdev->pend_le_conns);
2374 hci_update_background_scan(hdev);
2384 hci_disconn_cfm(conn, ev->reason);
2387 /* Re-enable advertising if necessary, since it might
2388 * have been disabled by the connection. From the
2389 * HCI_LE_Set_Advertise_Enable command description in
2390 * the core specification (v4.0):
2391 * "The Controller shall continue advertising until the Host
2392 * issues an LE_Set_Advertise_Enable command with
2393 * Advertising_Enable set to 0x00 (Advertising is disabled)
2394 * or until a connection is created or until the Advertising
2395 * is timed out due to Directed Advertising."
2397 if (type == LE_LINK)
2398 mgmt_reenable_advertising(hdev);
2401 hci_dev_unlock(hdev);
2404 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2406 struct hci_ev_auth_complete *ev = (void *) skb->data;
2407 struct hci_conn *conn;
2409 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2418 if (!hci_conn_ssp_enabled(conn) &&
2419 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2420 BT_INFO("re-auth of legacy device is not possible.");
2422 set_bit(HCI_CONN_AUTH, &conn->flags);
2423 conn->sec_level = conn->pending_sec_level;
2426 mgmt_auth_failed(conn, ev->status);
2429 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2430 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2432 if (conn->state == BT_CONFIG) {
2433 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2434 struct hci_cp_set_conn_encrypt cp;
2435 cp.handle = ev->handle;
2437 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2440 conn->state = BT_CONNECTED;
2441 hci_connect_cfm(conn, ev->status);
2442 hci_conn_drop(conn);
2445 hci_auth_cfm(conn, ev->status);
2447 hci_conn_hold(conn);
2448 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2449 hci_conn_drop(conn);
2452 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2454 struct hci_cp_set_conn_encrypt cp;
2455 cp.handle = ev->handle;
2457 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2460 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2461 hci_encrypt_cfm(conn, ev->status, 0x00);
2466 hci_dev_unlock(hdev);
2469 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2471 struct hci_ev_remote_name *ev = (void *) skb->data;
2472 struct hci_conn *conn;
2474 BT_DBG("%s", hdev->name);
2476 hci_conn_check_pending(hdev);
2480 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2482 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2485 if (ev->status == 0)
2486 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2487 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2489 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2495 if (!hci_outgoing_auth_needed(hdev, conn))
2498 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2499 struct hci_cp_auth_requested cp;
2501 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2503 cp.handle = __cpu_to_le16(conn->handle);
2504 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2508 hci_dev_unlock(hdev);
2511 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2512 u16 opcode, struct sk_buff *skb)
2514 const struct hci_rp_read_enc_key_size *rp;
2515 struct hci_conn *conn;
2518 BT_DBG("%s status 0x%02x", hdev->name, status);
2520 if (!skb || skb->len < sizeof(*rp)) {
2521 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2526 rp = (void *)skb->data;
2527 handle = le16_to_cpu(rp->handle);
2531 conn = hci_conn_hash_lookup_handle(hdev, handle);
2535 /* If we fail to read the encryption key size, assume maximum
2536 * (which is the same we do also when this HCI command isn't
2540 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2542 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2544 conn->enc_key_size = rp->key_size;
2547 if (conn->state == BT_CONFIG) {
2548 conn->state = BT_CONNECTED;
2549 hci_connect_cfm(conn, 0);
2550 hci_conn_drop(conn);
2554 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2556 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2561 hci_encrypt_cfm(conn, 0, encrypt);
2565 hci_dev_unlock(hdev);
2568 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2570 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2571 struct hci_conn *conn;
2573 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2577 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2583 /* Encryption implies authentication */
2584 set_bit(HCI_CONN_AUTH, &conn->flags);
2585 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2586 conn->sec_level = conn->pending_sec_level;
2588 /* P-256 authentication key implies FIPS */
2589 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2590 set_bit(HCI_CONN_FIPS, &conn->flags);
2592 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2593 conn->type == LE_LINK)
2594 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2596 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2597 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2601 /* We should disregard the current RPA and generate a new one
2602 * whenever the encryption procedure fails.
2604 if (ev->status && conn->type == LE_LINK)
2605 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2607 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2609 if (ev->status && conn->state == BT_CONNECTED) {
2610 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2611 hci_conn_drop(conn);
2615 /* In Secure Connections Only mode, do not allow any connections
2616 * that are not encrypted with AES-CCM using a P-256 authenticated
2619 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2620 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2621 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2622 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2623 hci_conn_drop(conn);
2627 /* Try reading the encryption key size for encrypted ACL links */
2628 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2629 struct hci_cp_read_enc_key_size cp;
2630 struct hci_request req;
2632 /* Only send HCI_Read_Encryption_Key_Size if the
2633 * controller really supports it. If it doesn't, assume
2634 * the default size (16).
2636 if (!(hdev->commands[20] & 0x10)) {
2637 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2641 hci_req_init(&req, hdev);
2643 cp.handle = cpu_to_le16(conn->handle);
2644 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2646 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2647 BT_ERR("Sending HCI Read Encryption Key Size failed");
2648 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2656 if (conn->state == BT_CONFIG) {
2658 conn->state = BT_CONNECTED;
2660 hci_connect_cfm(conn, ev->status);
2661 hci_conn_drop(conn);
2663 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2666 hci_dev_unlock(hdev);
2669 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2670 struct sk_buff *skb)
2672 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2673 struct hci_conn *conn;
2675 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2679 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2682 set_bit(HCI_CONN_SECURE, &conn->flags);
2684 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2686 hci_key_change_cfm(conn, ev->status);
2689 hci_dev_unlock(hdev);
2692 static void hci_remote_features_evt(struct hci_dev *hdev,
2693 struct sk_buff *skb)
2695 struct hci_ev_remote_features *ev = (void *) skb->data;
2696 struct hci_conn *conn;
2698 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2702 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2707 memcpy(conn->features[0], ev->features, 8);
2709 if (conn->state != BT_CONFIG)
2712 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2713 lmp_ext_feat_capable(conn)) {
2714 struct hci_cp_read_remote_ext_features cp;
2715 cp.handle = ev->handle;
2717 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2722 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2723 struct hci_cp_remote_name_req cp;
2724 memset(&cp, 0, sizeof(cp));
2725 bacpy(&cp.bdaddr, &conn->dst);
2726 cp.pscan_rep_mode = 0x02;
2727 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2728 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2729 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2731 if (!hci_outgoing_auth_needed(hdev, conn)) {
2732 conn->state = BT_CONNECTED;
2733 hci_connect_cfm(conn, ev->status);
2734 hci_conn_drop(conn);
2738 hci_dev_unlock(hdev);
2741 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2742 u16 *opcode, u8 *status,
2743 hci_req_complete_t *req_complete,
2744 hci_req_complete_skb_t *req_complete_skb)
2746 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2748 *opcode = __le16_to_cpu(ev->opcode);
2749 *status = skb->data[sizeof(*ev)];
2751 skb_pull(skb, sizeof(*ev));
2754 case HCI_OP_INQUIRY_CANCEL:
2755 hci_cc_inquiry_cancel(hdev, skb);
2758 case HCI_OP_PERIODIC_INQ:
2759 hci_cc_periodic_inq(hdev, skb);
2762 case HCI_OP_EXIT_PERIODIC_INQ:
2763 hci_cc_exit_periodic_inq(hdev, skb);
2766 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2767 hci_cc_remote_name_req_cancel(hdev, skb);
2770 case HCI_OP_ROLE_DISCOVERY:
2771 hci_cc_role_discovery(hdev, skb);
2774 case HCI_OP_READ_LINK_POLICY:
2775 hci_cc_read_link_policy(hdev, skb);
2778 case HCI_OP_WRITE_LINK_POLICY:
2779 hci_cc_write_link_policy(hdev, skb);
2782 case HCI_OP_READ_DEF_LINK_POLICY:
2783 hci_cc_read_def_link_policy(hdev, skb);
2786 case HCI_OP_WRITE_DEF_LINK_POLICY:
2787 hci_cc_write_def_link_policy(hdev, skb);
2791 hci_cc_reset(hdev, skb);
2794 case HCI_OP_READ_STORED_LINK_KEY:
2795 hci_cc_read_stored_link_key(hdev, skb);
2798 case HCI_OP_DELETE_STORED_LINK_KEY:
2799 hci_cc_delete_stored_link_key(hdev, skb);
2802 case HCI_OP_WRITE_LOCAL_NAME:
2803 hci_cc_write_local_name(hdev, skb);
2806 case HCI_OP_READ_LOCAL_NAME:
2807 hci_cc_read_local_name(hdev, skb);
2810 case HCI_OP_WRITE_AUTH_ENABLE:
2811 hci_cc_write_auth_enable(hdev, skb);
2814 case HCI_OP_WRITE_ENCRYPT_MODE:
2815 hci_cc_write_encrypt_mode(hdev, skb);
2818 case HCI_OP_WRITE_SCAN_ENABLE:
2819 hci_cc_write_scan_enable(hdev, skb);
2822 case HCI_OP_READ_CLASS_OF_DEV:
2823 hci_cc_read_class_of_dev(hdev, skb);
2826 case HCI_OP_WRITE_CLASS_OF_DEV:
2827 hci_cc_write_class_of_dev(hdev, skb);
2830 case HCI_OP_READ_VOICE_SETTING:
2831 hci_cc_read_voice_setting(hdev, skb);
2834 case HCI_OP_WRITE_VOICE_SETTING:
2835 hci_cc_write_voice_setting(hdev, skb);
2838 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2839 hci_cc_read_num_supported_iac(hdev, skb);
2842 case HCI_OP_WRITE_SSP_MODE:
2843 hci_cc_write_ssp_mode(hdev, skb);
2846 case HCI_OP_WRITE_SC_SUPPORT:
2847 hci_cc_write_sc_support(hdev, skb);
2850 case HCI_OP_READ_LOCAL_VERSION:
2851 hci_cc_read_local_version(hdev, skb);
2854 case HCI_OP_READ_LOCAL_COMMANDS:
2855 hci_cc_read_local_commands(hdev, skb);
2858 case HCI_OP_READ_LOCAL_FEATURES:
2859 hci_cc_read_local_features(hdev, skb);
2862 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2863 hci_cc_read_local_ext_features(hdev, skb);
2866 case HCI_OP_READ_BUFFER_SIZE:
2867 hci_cc_read_buffer_size(hdev, skb);
2870 case HCI_OP_READ_BD_ADDR:
2871 hci_cc_read_bd_addr(hdev, skb);
2874 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2875 hci_cc_read_page_scan_activity(hdev, skb);
2878 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2879 hci_cc_write_page_scan_activity(hdev, skb);
2882 case HCI_OP_READ_PAGE_SCAN_TYPE:
2883 hci_cc_read_page_scan_type(hdev, skb);
2886 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2887 hci_cc_write_page_scan_type(hdev, skb);
2890 case HCI_OP_READ_DATA_BLOCK_SIZE:
2891 hci_cc_read_data_block_size(hdev, skb);
2894 case HCI_OP_READ_FLOW_CONTROL_MODE:
2895 hci_cc_read_flow_control_mode(hdev, skb);
2898 case HCI_OP_READ_LOCAL_AMP_INFO:
2899 hci_cc_read_local_amp_info(hdev, skb);
2902 case HCI_OP_READ_CLOCK:
2903 hci_cc_read_clock(hdev, skb);
2906 case HCI_OP_READ_INQ_RSP_TX_POWER:
2907 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2910 case HCI_OP_PIN_CODE_REPLY:
2911 hci_cc_pin_code_reply(hdev, skb);
2914 case HCI_OP_PIN_CODE_NEG_REPLY:
2915 hci_cc_pin_code_neg_reply(hdev, skb);
2918 case HCI_OP_READ_LOCAL_OOB_DATA:
2919 hci_cc_read_local_oob_data(hdev, skb);
2922 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2923 hci_cc_read_local_oob_ext_data(hdev, skb);
2926 case HCI_OP_LE_READ_BUFFER_SIZE:
2927 hci_cc_le_read_buffer_size(hdev, skb);
2930 case HCI_OP_LE_READ_LOCAL_FEATURES:
2931 hci_cc_le_read_local_features(hdev, skb);
2934 case HCI_OP_LE_READ_ADV_TX_POWER:
2935 hci_cc_le_read_adv_tx_power(hdev, skb);
2938 case HCI_OP_USER_CONFIRM_REPLY:
2939 hci_cc_user_confirm_reply(hdev, skb);
2942 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2943 hci_cc_user_confirm_neg_reply(hdev, skb);
2946 case HCI_OP_USER_PASSKEY_REPLY:
2947 hci_cc_user_passkey_reply(hdev, skb);
2950 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2951 hci_cc_user_passkey_neg_reply(hdev, skb);
2954 case HCI_OP_LE_SET_RANDOM_ADDR:
2955 hci_cc_le_set_random_addr(hdev, skb);
2958 case HCI_OP_LE_SET_ADV_ENABLE:
2959 hci_cc_le_set_adv_enable(hdev, skb);
2962 case HCI_OP_LE_SET_SCAN_PARAM:
2963 hci_cc_le_set_scan_param(hdev, skb);
2966 case HCI_OP_LE_SET_SCAN_ENABLE:
2967 hci_cc_le_set_scan_enable(hdev, skb);
2970 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2971 hci_cc_le_read_white_list_size(hdev, skb);
2974 case HCI_OP_LE_CLEAR_WHITE_LIST:
2975 hci_cc_le_clear_white_list(hdev, skb);
2978 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2979 hci_cc_le_add_to_white_list(hdev, skb);
2982 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2983 hci_cc_le_del_from_white_list(hdev, skb);
2986 case HCI_OP_LE_READ_SUPPORTED_STATES:
2987 hci_cc_le_read_supported_states(hdev, skb);
2990 case HCI_OP_LE_READ_DEF_DATA_LEN:
2991 hci_cc_le_read_def_data_len(hdev, skb);
2994 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
2995 hci_cc_le_write_def_data_len(hdev, skb);
2998 case HCI_OP_LE_READ_MAX_DATA_LEN:
2999 hci_cc_le_read_max_data_len(hdev, skb);
3002 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3003 hci_cc_write_le_host_supported(hdev, skb);
3006 case HCI_OP_LE_SET_ADV_PARAM:
3007 hci_cc_set_adv_param(hdev, skb);
3010 case HCI_OP_READ_RSSI:
3011 hci_cc_read_rssi(hdev, skb);
3014 case HCI_OP_READ_TX_POWER:
3015 hci_cc_read_tx_power(hdev, skb);
3018 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3019 hci_cc_write_ssp_debug_mode(hdev, skb);
3023 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3027 if (*opcode != HCI_OP_NOP)
3028 cancel_delayed_work(&hdev->cmd_timer);
3030 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3031 atomic_set(&hdev->cmd_cnt, 1);
3033 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3036 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3037 queue_work(hdev->workqueue, &hdev->cmd_work);
3040 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3041 u16 *opcode, u8 *status,
3042 hci_req_complete_t *req_complete,
3043 hci_req_complete_skb_t *req_complete_skb)
3045 struct hci_ev_cmd_status *ev = (void *) skb->data;
3047 skb_pull(skb, sizeof(*ev));
3049 *opcode = __le16_to_cpu(ev->opcode);
3050 *status = ev->status;
3053 case HCI_OP_INQUIRY:
3054 hci_cs_inquiry(hdev, ev->status);
3057 case HCI_OP_CREATE_CONN:
3058 hci_cs_create_conn(hdev, ev->status);
3061 case HCI_OP_DISCONNECT:
3062 hci_cs_disconnect(hdev, ev->status);
3065 case HCI_OP_ADD_SCO:
3066 hci_cs_add_sco(hdev, ev->status);
3069 case HCI_OP_AUTH_REQUESTED:
3070 hci_cs_auth_requested(hdev, ev->status);
3073 case HCI_OP_SET_CONN_ENCRYPT:
3074 hci_cs_set_conn_encrypt(hdev, ev->status);
3077 case HCI_OP_REMOTE_NAME_REQ:
3078 hci_cs_remote_name_req(hdev, ev->status);
3081 case HCI_OP_READ_REMOTE_FEATURES:
3082 hci_cs_read_remote_features(hdev, ev->status);
3085 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3086 hci_cs_read_remote_ext_features(hdev, ev->status);
3089 case HCI_OP_SETUP_SYNC_CONN:
3090 hci_cs_setup_sync_conn(hdev, ev->status);
3093 case HCI_OP_SNIFF_MODE:
3094 hci_cs_sniff_mode(hdev, ev->status);
3097 case HCI_OP_EXIT_SNIFF_MODE:
3098 hci_cs_exit_sniff_mode(hdev, ev->status);
3101 case HCI_OP_SWITCH_ROLE:
3102 hci_cs_switch_role(hdev, ev->status);
3105 case HCI_OP_LE_CREATE_CONN:
3106 hci_cs_le_create_conn(hdev, ev->status);
3109 case HCI_OP_LE_READ_REMOTE_FEATURES:
3110 hci_cs_le_read_remote_features(hdev, ev->status);
3113 case HCI_OP_LE_START_ENC:
3114 hci_cs_le_start_enc(hdev, ev->status);
3118 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3122 if (*opcode != HCI_OP_NOP)
3123 cancel_delayed_work(&hdev->cmd_timer);
3125 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3126 atomic_set(&hdev->cmd_cnt, 1);
3128 /* Indicate request completion if the command failed. Also, if
3129 * we're not waiting for a special event and we get a success
3130 * command status we should try to flag the request as completed
3131 * (since for this kind of commands there will not be a command
3135 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
3136 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3139 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3140 queue_work(hdev->workqueue, &hdev->cmd_work);
3143 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3145 struct hci_ev_hardware_error *ev = (void *) skb->data;
3147 hdev->hw_error_code = ev->code;
3149 queue_work(hdev->req_workqueue, &hdev->error_reset);
3152 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3154 struct hci_ev_role_change *ev = (void *) skb->data;
3155 struct hci_conn *conn;
3157 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3161 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3164 conn->role = ev->role;
3166 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3168 hci_role_switch_cfm(conn, ev->status, ev->role);
3171 hci_dev_unlock(hdev);
3174 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3176 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3179 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3180 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3184 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3185 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3186 BT_DBG("%s bad parameters", hdev->name);
3190 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3192 for (i = 0; i < ev->num_hndl; i++) {
3193 struct hci_comp_pkts_info *info = &ev->handles[i];
3194 struct hci_conn *conn;
3195 __u16 handle, count;
3197 handle = __le16_to_cpu(info->handle);
3198 count = __le16_to_cpu(info->count);
3200 conn = hci_conn_hash_lookup_handle(hdev, handle);
3204 conn->sent -= count;
3206 switch (conn->type) {
3208 hdev->acl_cnt += count;
3209 if (hdev->acl_cnt > hdev->acl_pkts)
3210 hdev->acl_cnt = hdev->acl_pkts;
3214 if (hdev->le_pkts) {
3215 hdev->le_cnt += count;
3216 if (hdev->le_cnt > hdev->le_pkts)
3217 hdev->le_cnt = hdev->le_pkts;
3219 hdev->acl_cnt += count;
3220 if (hdev->acl_cnt > hdev->acl_pkts)
3221 hdev->acl_cnt = hdev->acl_pkts;
3226 hdev->sco_cnt += count;
3227 if (hdev->sco_cnt > hdev->sco_pkts)
3228 hdev->sco_cnt = hdev->sco_pkts;
3232 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3237 queue_work(hdev->workqueue, &hdev->tx_work);
3240 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3243 struct hci_chan *chan;
3245 switch (hdev->dev_type) {
3247 return hci_conn_hash_lookup_handle(hdev, handle);
3249 chan = hci_chan_lookup_handle(hdev, handle);
3254 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3261 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3263 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3266 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3267 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3271 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3272 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3273 BT_DBG("%s bad parameters", hdev->name);
3277 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3280 for (i = 0; i < ev->num_hndl; i++) {
3281 struct hci_comp_blocks_info *info = &ev->handles[i];
3282 struct hci_conn *conn = NULL;
3283 __u16 handle, block_count;
3285 handle = __le16_to_cpu(info->handle);
3286 block_count = __le16_to_cpu(info->blocks);
3288 conn = __hci_conn_lookup_handle(hdev, handle);
3292 conn->sent -= block_count;
3294 switch (conn->type) {
3297 hdev->block_cnt += block_count;
3298 if (hdev->block_cnt > hdev->num_blocks)
3299 hdev->block_cnt = hdev->num_blocks;
3303 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3308 queue_work(hdev->workqueue, &hdev->tx_work);
3311 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3313 struct hci_ev_mode_change *ev = (void *) skb->data;
3314 struct hci_conn *conn;
3316 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3320 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3322 conn->mode = ev->mode;
3324 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3326 if (conn->mode == HCI_CM_ACTIVE)
3327 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3329 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3332 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3333 hci_sco_setup(conn, ev->status);
3336 hci_dev_unlock(hdev);
3339 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3341 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3342 struct hci_conn *conn;
3344 BT_DBG("%s", hdev->name);
3348 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3352 if (conn->state == BT_CONNECTED) {
3353 hci_conn_hold(conn);
3354 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3355 hci_conn_drop(conn);
3358 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3359 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3360 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3361 sizeof(ev->bdaddr), &ev->bdaddr);
3362 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3365 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3370 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3374 hci_dev_unlock(hdev);
3377 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3379 if (key_type == HCI_LK_CHANGED_COMBINATION)
3382 conn->pin_length = pin_len;
3383 conn->key_type = key_type;
3386 case HCI_LK_LOCAL_UNIT:
3387 case HCI_LK_REMOTE_UNIT:
3388 case HCI_LK_DEBUG_COMBINATION:
3390 case HCI_LK_COMBINATION:
3392 conn->pending_sec_level = BT_SECURITY_HIGH;
3394 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3396 case HCI_LK_UNAUTH_COMBINATION_P192:
3397 case HCI_LK_UNAUTH_COMBINATION_P256:
3398 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3400 case HCI_LK_AUTH_COMBINATION_P192:
3401 conn->pending_sec_level = BT_SECURITY_HIGH;
3403 case HCI_LK_AUTH_COMBINATION_P256:
3404 conn->pending_sec_level = BT_SECURITY_FIPS;
3409 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3411 struct hci_ev_link_key_req *ev = (void *) skb->data;
3412 struct hci_cp_link_key_reply cp;
3413 struct hci_conn *conn;
3414 struct link_key *key;
3416 BT_DBG("%s", hdev->name);
3418 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3423 key = hci_find_link_key(hdev, &ev->bdaddr);
3425 BT_DBG("%s link key not found for %pMR", hdev->name,
3430 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3433 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3435 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3437 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3438 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3439 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3440 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3444 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3445 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3446 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3447 BT_DBG("%s ignoring key unauthenticated for high security",
3452 conn_set_key(conn, key->type, key->pin_len);
3455 bacpy(&cp.bdaddr, &ev->bdaddr);
3456 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3458 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3460 hci_dev_unlock(hdev);
3465 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3466 hci_dev_unlock(hdev);
3469 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3471 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3472 struct hci_conn *conn;
3473 struct link_key *key;
3477 BT_DBG("%s", hdev->name);
3481 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3485 hci_conn_hold(conn);
3486 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3487 hci_conn_drop(conn);
3489 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3490 conn_set_key(conn, ev->key_type, conn->pin_length);
3492 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3495 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3496 ev->key_type, pin_len, &persistent);
3500 /* Update connection information since adding the key will have
3501 * fixed up the type in the case of changed combination keys.
3503 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3504 conn_set_key(conn, key->type, key->pin_len);
3506 mgmt_new_link_key(hdev, key, persistent);
3508 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3509 * is set. If it's not set simply remove the key from the kernel
3510 * list (we've still notified user space about it but with
3511 * store_hint being 0).
3513 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3514 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3515 list_del_rcu(&key->list);
3516 kfree_rcu(key, rcu);
3521 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3523 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3526 hci_dev_unlock(hdev);
3529 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3531 struct hci_ev_clock_offset *ev = (void *) skb->data;
3532 struct hci_conn *conn;
3534 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3538 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3539 if (conn && !ev->status) {
3540 struct inquiry_entry *ie;
3542 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3544 ie->data.clock_offset = ev->clock_offset;
3545 ie->timestamp = jiffies;
3549 hci_dev_unlock(hdev);
3552 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3554 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3555 struct hci_conn *conn;
3557 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3561 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3562 if (conn && !ev->status)
3563 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3565 hci_dev_unlock(hdev);
3568 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3570 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3571 struct inquiry_entry *ie;
3573 BT_DBG("%s", hdev->name);
3577 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3579 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3580 ie->timestamp = jiffies;
3583 hci_dev_unlock(hdev);
3586 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3587 struct sk_buff *skb)
3589 struct inquiry_data data;
3590 int num_rsp = *((__u8 *) skb->data);
3592 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3597 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3602 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3603 struct inquiry_info_with_rssi_and_pscan_mode *info;
3604 info = (void *) (skb->data + 1);
3606 for (; num_rsp; num_rsp--, info++) {
3609 bacpy(&data.bdaddr, &info->bdaddr);
3610 data.pscan_rep_mode = info->pscan_rep_mode;
3611 data.pscan_period_mode = info->pscan_period_mode;
3612 data.pscan_mode = info->pscan_mode;
3613 memcpy(data.dev_class, info->dev_class, 3);
3614 data.clock_offset = info->clock_offset;
3615 data.rssi = info->rssi;
3616 data.ssp_mode = 0x00;
3618 flags = hci_inquiry_cache_update(hdev, &data, false);
3620 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3621 info->dev_class, info->rssi,
3622 flags, NULL, 0, NULL, 0);
3625 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3627 for (; num_rsp; num_rsp--, info++) {
3630 bacpy(&data.bdaddr, &info->bdaddr);
3631 data.pscan_rep_mode = info->pscan_rep_mode;
3632 data.pscan_period_mode = info->pscan_period_mode;
3633 data.pscan_mode = 0x00;
3634 memcpy(data.dev_class, info->dev_class, 3);
3635 data.clock_offset = info->clock_offset;
3636 data.rssi = info->rssi;
3637 data.ssp_mode = 0x00;
3639 flags = hci_inquiry_cache_update(hdev, &data, false);
3641 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3642 info->dev_class, info->rssi,
3643 flags, NULL, 0, NULL, 0);
3647 hci_dev_unlock(hdev);
3650 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3651 struct sk_buff *skb)
3653 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3654 struct hci_conn *conn;
3656 BT_DBG("%s", hdev->name);
3660 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3664 if (ev->page < HCI_MAX_PAGES)
3665 memcpy(conn->features[ev->page], ev->features, 8);
3667 if (!ev->status && ev->page == 0x01) {
3668 struct inquiry_entry *ie;
3670 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3672 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3674 if (ev->features[0] & LMP_HOST_SSP) {
3675 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3677 /* It is mandatory by the Bluetooth specification that
3678 * Extended Inquiry Results are only used when Secure
3679 * Simple Pairing is enabled, but some devices violate
3682 * To make these devices work, the internal SSP
3683 * enabled flag needs to be cleared if the remote host
3684 * features do not indicate SSP support */
3685 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3688 if (ev->features[0] & LMP_HOST_SC)
3689 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3692 if (conn->state != BT_CONFIG)
3695 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3696 struct hci_cp_remote_name_req cp;
3697 memset(&cp, 0, sizeof(cp));
3698 bacpy(&cp.bdaddr, &conn->dst);
3699 cp.pscan_rep_mode = 0x02;
3700 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3701 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3702 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3704 if (!hci_outgoing_auth_needed(hdev, conn)) {
3705 conn->state = BT_CONNECTED;
3706 hci_connect_cfm(conn, ev->status);
3707 hci_conn_drop(conn);
3711 hci_dev_unlock(hdev);
3714 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3715 struct sk_buff *skb)
3717 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3718 struct hci_conn *conn;
3720 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3724 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3726 if (ev->link_type == ESCO_LINK)
3729 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3733 conn->type = SCO_LINK;
3736 switch (ev->status) {
3738 conn->handle = __le16_to_cpu(ev->handle);
3739 conn->state = BT_CONNECTED;
3741 hci_debugfs_create_conn(conn);
3742 hci_conn_add_sysfs(conn);
3745 case 0x10: /* Connection Accept Timeout */
3746 case 0x0d: /* Connection Rejected due to Limited Resources */
3747 case 0x11: /* Unsupported Feature or Parameter Value */
3748 case 0x1c: /* SCO interval rejected */
3749 case 0x1a: /* Unsupported Remote Feature */
3750 case 0x1f: /* Unspecified error */
3751 case 0x20: /* Unsupported LMP Parameter value */
3753 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3754 (hdev->esco_type & EDR_ESCO_MASK);
3755 if (hci_setup_sync(conn, conn->link->handle))
3761 conn->state = BT_CLOSED;
3765 hci_connect_cfm(conn, ev->status);
3770 hci_dev_unlock(hdev);
3773 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3777 while (parsed < eir_len) {
3778 u8 field_len = eir[0];
3783 parsed += field_len + 1;
3784 eir += field_len + 1;
3790 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3791 struct sk_buff *skb)
3793 struct inquiry_data data;
3794 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3795 int num_rsp = *((__u8 *) skb->data);
3798 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3803 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3808 for (; num_rsp; num_rsp--, info++) {
3812 bacpy(&data.bdaddr, &info->bdaddr);
3813 data.pscan_rep_mode = info->pscan_rep_mode;
3814 data.pscan_period_mode = info->pscan_period_mode;
3815 data.pscan_mode = 0x00;
3816 memcpy(data.dev_class, info->dev_class, 3);
3817 data.clock_offset = info->clock_offset;
3818 data.rssi = info->rssi;
3819 data.ssp_mode = 0x01;
3821 if (hci_dev_test_flag(hdev, HCI_MGMT))
3822 name_known = eir_has_data_type(info->data,
3828 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3830 eir_len = eir_get_length(info->data, sizeof(info->data));
3832 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3833 info->dev_class, info->rssi,
3834 flags, info->data, eir_len, NULL, 0);
3837 hci_dev_unlock(hdev);
3840 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3841 struct sk_buff *skb)
3843 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3844 struct hci_conn *conn;
3846 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3847 __le16_to_cpu(ev->handle));
3851 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3855 /* For BR/EDR the necessary steps are taken through the
3856 * auth_complete event.
3858 if (conn->type != LE_LINK)
3862 conn->sec_level = conn->pending_sec_level;
3864 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3866 if (ev->status && conn->state == BT_CONNECTED) {
3867 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3868 hci_conn_drop(conn);
3872 if (conn->state == BT_CONFIG) {
3874 conn->state = BT_CONNECTED;
3876 hci_connect_cfm(conn, ev->status);
3877 hci_conn_drop(conn);
3879 hci_auth_cfm(conn, ev->status);
3881 hci_conn_hold(conn);
3882 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3883 hci_conn_drop(conn);
3887 hci_dev_unlock(hdev);
3890 static u8 hci_get_auth_req(struct hci_conn *conn)
3892 /* If remote requests no-bonding follow that lead */
3893 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3894 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3895 return conn->remote_auth | (conn->auth_type & 0x01);
3897 /* If both remote and local have enough IO capabilities, require
3900 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3901 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3902 return conn->remote_auth | 0x01;
3904 /* No MITM protection possible so ignore remote requirement */
3905 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3908 static u8 bredr_oob_data_present(struct hci_conn *conn)
3910 struct hci_dev *hdev = conn->hdev;
3911 struct oob_data *data;
3913 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3917 if (bredr_sc_enabled(hdev)) {
3918 /* When Secure Connections is enabled, then just
3919 * return the present value stored with the OOB
3920 * data. The stored value contains the right present
3921 * information. However it can only be trusted when
3922 * not in Secure Connection Only mode.
3924 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3925 return data->present;
3927 /* When Secure Connections Only mode is enabled, then
3928 * the P-256 values are required. If they are not
3929 * available, then do not declare that OOB data is
3932 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3933 !memcmp(data->hash256, ZERO_KEY, 16))
3939 /* When Secure Connections is not enabled or actually
3940 * not supported by the hardware, then check that if
3941 * P-192 data values are present.
3943 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3944 !memcmp(data->hash192, ZERO_KEY, 16))
3950 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3952 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3953 struct hci_conn *conn;
3955 BT_DBG("%s", hdev->name);
3959 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3963 hci_conn_hold(conn);
3965 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3968 /* Allow pairing if we're pairable, the initiators of the
3969 * pairing or if the remote is not requesting bonding.
3971 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3972 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3973 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3974 struct hci_cp_io_capability_reply cp;
3976 bacpy(&cp.bdaddr, &ev->bdaddr);
3977 /* Change the IO capability from KeyboardDisplay
3978 * to DisplayYesNo as it is not supported by BT spec. */
3979 cp.capability = (conn->io_capability == 0x04) ?
3980 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3982 /* If we are initiators, there is no remote information yet */
3983 if (conn->remote_auth == 0xff) {
3984 /* Request MITM protection if our IO caps allow it
3985 * except for the no-bonding case.
3987 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3988 conn->auth_type != HCI_AT_NO_BONDING)
3989 conn->auth_type |= 0x01;
3991 conn->auth_type = hci_get_auth_req(conn);
3994 /* If we're not bondable, force one of the non-bondable
3995 * authentication requirement values.
3997 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
3998 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4000 cp.authentication = conn->auth_type;
4001 cp.oob_data = bredr_oob_data_present(conn);
4003 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4006 struct hci_cp_io_capability_neg_reply cp;
4008 bacpy(&cp.bdaddr, &ev->bdaddr);
4009 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4011 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4016 hci_dev_unlock(hdev);
4019 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4021 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4022 struct hci_conn *conn;
4024 BT_DBG("%s", hdev->name);
4028 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4032 conn->remote_cap = ev->capability;
4033 conn->remote_auth = ev->authentication;
4036 hci_dev_unlock(hdev);
4039 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4040 struct sk_buff *skb)
4042 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4043 int loc_mitm, rem_mitm, confirm_hint = 0;
4044 struct hci_conn *conn;
4046 BT_DBG("%s", hdev->name);
4050 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4053 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4057 loc_mitm = (conn->auth_type & 0x01);
4058 rem_mitm = (conn->remote_auth & 0x01);
4060 /* If we require MITM but the remote device can't provide that
4061 * (it has NoInputNoOutput) then reject the confirmation
4062 * request. We check the security level here since it doesn't
4063 * necessarily match conn->auth_type.
4065 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4066 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4067 BT_DBG("Rejecting request: remote device can't provide MITM");
4068 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4069 sizeof(ev->bdaddr), &ev->bdaddr);
4073 /* If no side requires MITM protection; auto-accept */
4074 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4075 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4077 /* If we're not the initiators request authorization to
4078 * proceed from user space (mgmt_user_confirm with
4079 * confirm_hint set to 1). The exception is if neither
4080 * side had MITM or if the local IO capability is
4081 * NoInputNoOutput, in which case we do auto-accept
4083 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4084 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4085 (loc_mitm || rem_mitm)) {
4086 BT_DBG("Confirming auto-accept as acceptor");
4091 BT_DBG("Auto-accept of user confirmation with %ums delay",
4092 hdev->auto_accept_delay);
4094 if (hdev->auto_accept_delay > 0) {
4095 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4096 queue_delayed_work(conn->hdev->workqueue,
4097 &conn->auto_accept_work, delay);
4101 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4102 sizeof(ev->bdaddr), &ev->bdaddr);
4107 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4108 le32_to_cpu(ev->passkey), confirm_hint);
4111 hci_dev_unlock(hdev);
4114 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4115 struct sk_buff *skb)
4117 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4119 BT_DBG("%s", hdev->name);
4121 if (hci_dev_test_flag(hdev, HCI_MGMT))
4122 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4125 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4126 struct sk_buff *skb)
4128 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4129 struct hci_conn *conn;
4131 BT_DBG("%s", hdev->name);
4133 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4137 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4138 conn->passkey_entered = 0;
4140 if (hci_dev_test_flag(hdev, HCI_MGMT))
4141 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4142 conn->dst_type, conn->passkey_notify,
4143 conn->passkey_entered);
4146 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4148 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4149 struct hci_conn *conn;
4151 BT_DBG("%s", hdev->name);
4153 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4158 case HCI_KEYPRESS_STARTED:
4159 conn->passkey_entered = 0;
4162 case HCI_KEYPRESS_ENTERED:
4163 conn->passkey_entered++;
4166 case HCI_KEYPRESS_ERASED:
4167 conn->passkey_entered--;
4170 case HCI_KEYPRESS_CLEARED:
4171 conn->passkey_entered = 0;
4174 case HCI_KEYPRESS_COMPLETED:
4178 if (hci_dev_test_flag(hdev, HCI_MGMT))
4179 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4180 conn->dst_type, conn->passkey_notify,
4181 conn->passkey_entered);
4184 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4185 struct sk_buff *skb)
4187 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4188 struct hci_conn *conn;
4190 BT_DBG("%s", hdev->name);
4194 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4198 /* Reset the authentication requirement to unknown */
4199 conn->remote_auth = 0xff;
4201 /* To avoid duplicate auth_failed events to user space we check
4202 * the HCI_CONN_AUTH_PEND flag which will be set if we
4203 * initiated the authentication. A traditional auth_complete
4204 * event gets always produced as initiator and is also mapped to
4205 * the mgmt_auth_failed event */
4206 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4207 mgmt_auth_failed(conn, ev->status);
4209 hci_conn_drop(conn);
4212 hci_dev_unlock(hdev);
4215 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4216 struct sk_buff *skb)
4218 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4219 struct inquiry_entry *ie;
4220 struct hci_conn *conn;
4222 BT_DBG("%s", hdev->name);
4226 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4228 memcpy(conn->features[1], ev->features, 8);
4230 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4232 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4234 hci_dev_unlock(hdev);
4237 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4238 struct sk_buff *skb)
4240 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4241 struct oob_data *data;
4243 BT_DBG("%s", hdev->name);
4247 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4250 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4252 struct hci_cp_remote_oob_data_neg_reply cp;
4254 bacpy(&cp.bdaddr, &ev->bdaddr);
4255 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4260 if (bredr_sc_enabled(hdev)) {
4261 struct hci_cp_remote_oob_ext_data_reply cp;
4263 bacpy(&cp.bdaddr, &ev->bdaddr);
4264 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4265 memset(cp.hash192, 0, sizeof(cp.hash192));
4266 memset(cp.rand192, 0, sizeof(cp.rand192));
4268 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4269 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4271 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4272 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4274 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4277 struct hci_cp_remote_oob_data_reply cp;
4279 bacpy(&cp.bdaddr, &ev->bdaddr);
4280 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4281 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4283 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4288 hci_dev_unlock(hdev);
4291 #if IS_ENABLED(CONFIG_BT_HS)
4292 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4294 struct hci_ev_channel_selected *ev = (void *)skb->data;
4295 struct hci_conn *hcon;
4297 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4299 skb_pull(skb, sizeof(*ev));
4301 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4305 amp_read_loc_assoc_final_data(hdev, hcon);
4308 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4309 struct sk_buff *skb)
4311 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4312 struct hci_conn *hcon, *bredr_hcon;
4314 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4319 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4321 hci_dev_unlock(hdev);
4327 hci_dev_unlock(hdev);
4331 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4333 hcon->state = BT_CONNECTED;
4334 bacpy(&hcon->dst, &bredr_hcon->dst);
4336 hci_conn_hold(hcon);
4337 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4338 hci_conn_drop(hcon);
4340 hci_debugfs_create_conn(hcon);
4341 hci_conn_add_sysfs(hcon);
4343 amp_physical_cfm(bredr_hcon, hcon);
4345 hci_dev_unlock(hdev);
4348 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4350 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4351 struct hci_conn *hcon;
4352 struct hci_chan *hchan;
4353 struct amp_mgr *mgr;
4355 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4356 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4359 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4363 /* Create AMP hchan */
4364 hchan = hci_chan_create(hcon);
4368 hchan->handle = le16_to_cpu(ev->handle);
4370 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4372 mgr = hcon->amp_mgr;
4373 if (mgr && mgr->bredr_chan) {
4374 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4376 l2cap_chan_lock(bredr_chan);
4378 bredr_chan->conn->mtu = hdev->block_mtu;
4379 l2cap_logical_cfm(bredr_chan, hchan, 0);
4380 hci_conn_hold(hcon);
4382 l2cap_chan_unlock(bredr_chan);
4386 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4387 struct sk_buff *skb)
4389 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4390 struct hci_chan *hchan;
4392 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4393 le16_to_cpu(ev->handle), ev->status);
4400 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4404 amp_destroy_logical_link(hchan, ev->reason);
4407 hci_dev_unlock(hdev);
4410 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4411 struct sk_buff *skb)
4413 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4414 struct hci_conn *hcon;
4416 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4423 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4425 hcon->state = BT_CLOSED;
4429 hci_dev_unlock(hdev);
4433 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4435 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4436 struct hci_conn_params *params;
4437 struct hci_conn *conn;
4438 struct smp_irk *irk;
4441 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4445 /* All controllers implicitly stop advertising in the event of a
4446 * connection, so ensure that the state bit is cleared.
4448 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4450 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
4452 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4454 BT_ERR("No memory for new connection");
4458 conn->dst_type = ev->bdaddr_type;
4460 /* If we didn't have a hci_conn object previously
4461 * but we're in master role this must be something
4462 * initiated using a white list. Since white list based
4463 * connections are not "first class citizens" we don't
4464 * have full tracking of them. Therefore, we go ahead
4465 * with a "best effort" approach of determining the
4466 * initiator address based on the HCI_PRIVACY flag.
4469 conn->resp_addr_type = ev->bdaddr_type;
4470 bacpy(&conn->resp_addr, &ev->bdaddr);
4471 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4472 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4473 bacpy(&conn->init_addr, &hdev->rpa);
4475 hci_copy_identity_address(hdev,
4477 &conn->init_addr_type);
4481 cancel_delayed_work(&conn->le_conn_timeout);
4485 /* Set the responder (our side) address type based on
4486 * the advertising address type.
4488 conn->resp_addr_type = hdev->adv_addr_type;
4489 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4490 bacpy(&conn->resp_addr, &hdev->random_addr);
4492 bacpy(&conn->resp_addr, &hdev->bdaddr);
4494 conn->init_addr_type = ev->bdaddr_type;
4495 bacpy(&conn->init_addr, &ev->bdaddr);
4497 /* For incoming connections, set the default minimum
4498 * and maximum connection interval. They will be used
4499 * to check if the parameters are in range and if not
4500 * trigger the connection update procedure.
4502 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4503 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4506 /* Lookup the identity address from the stored connection
4507 * address and address type.
4509 * When establishing connections to an identity address, the
4510 * connection procedure will store the resolvable random
4511 * address first. Now if it can be converted back into the
4512 * identity address, start using the identity address from
4515 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4517 bacpy(&conn->dst, &irk->bdaddr);
4518 conn->dst_type = irk->addr_type;
4522 hci_le_conn_failed(conn, ev->status);
4526 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4527 addr_type = BDADDR_LE_PUBLIC;
4529 addr_type = BDADDR_LE_RANDOM;
4531 /* Drop the connection if the device is blocked */
4532 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4533 hci_conn_drop(conn);
4537 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4538 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4540 conn->sec_level = BT_SECURITY_LOW;
4541 conn->handle = __le16_to_cpu(ev->handle);
4542 conn->state = BT_CONFIG;
4544 conn->le_conn_interval = le16_to_cpu(ev->interval);
4545 conn->le_conn_latency = le16_to_cpu(ev->latency);
4546 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4548 hci_debugfs_create_conn(conn);
4549 hci_conn_add_sysfs(conn);
4552 /* The remote features procedure is defined for master
4553 * role only. So only in case of an initiated connection
4554 * request the remote features.
4556 * If the local controller supports slave-initiated features
4557 * exchange, then requesting the remote features in slave
4558 * role is possible. Otherwise just transition into the
4559 * connected state without requesting the remote features.
4562 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4563 struct hci_cp_le_read_remote_features cp;
4565 cp.handle = __cpu_to_le16(conn->handle);
4567 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4570 hci_conn_hold(conn);
4572 conn->state = BT_CONNECTED;
4573 hci_connect_cfm(conn, ev->status);
4576 hci_connect_cfm(conn, ev->status);
4579 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4582 list_del_init(¶ms->action);
4584 hci_conn_drop(params->conn);
4585 hci_conn_put(params->conn);
4586 params->conn = NULL;
4591 hci_update_background_scan(hdev);
4592 hci_dev_unlock(hdev);
4595 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4596 struct sk_buff *skb)
4598 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4599 struct hci_conn *conn;
4601 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4608 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4610 conn->le_conn_interval = le16_to_cpu(ev->interval);
4611 conn->le_conn_latency = le16_to_cpu(ev->latency);
4612 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4615 hci_dev_unlock(hdev);
4618 /* This function requires the caller holds hdev->lock */
4619 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4621 u8 addr_type, u8 adv_type)
4623 struct hci_conn *conn;
4624 struct hci_conn_params *params;
4626 /* If the event is not connectable don't proceed further */
4627 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4630 /* Ignore if the device is blocked */
4631 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4634 /* Most controller will fail if we try to create new connections
4635 * while we have an existing one in slave role.
4637 if (hdev->conn_hash.le_num_slave > 0)
4640 /* If we're not connectable only connect devices that we have in
4641 * our pend_le_conns list.
4643 params = hci_pend_le_action_lookup(&hdev->pend_le_conns,
4648 switch (params->auto_connect) {
4649 case HCI_AUTO_CONN_DIRECT:
4650 /* Only devices advertising with ADV_DIRECT_IND are
4651 * triggering a connection attempt. This is allowing
4652 * incoming connections from slave devices.
4654 if (adv_type != LE_ADV_DIRECT_IND)
4657 case HCI_AUTO_CONN_ALWAYS:
4658 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4659 * are triggering a connection attempt. This means
4660 * that incoming connectioms from slave device are
4661 * accepted and also outgoing connections to slave
4662 * devices are established when found.
4669 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4670 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4671 if (!IS_ERR(conn)) {
4672 /* Store the pointer since we don't really have any
4673 * other owner of the object besides the params that
4674 * triggered it. This way we can abort the connection if
4675 * the parameters get removed and keep the reference
4676 * count consistent once the connection is established.
4678 params->conn = hci_conn_get(conn);
4682 switch (PTR_ERR(conn)) {
4684 /* If hci_connect() returns -EBUSY it means there is already
4685 * an LE connection attempt going on. Since controllers don't
4686 * support more than one connection attempt at the time, we
4687 * don't consider this an error case.
4691 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4698 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4699 u8 bdaddr_type, bdaddr_t *direct_addr,
4700 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4702 struct discovery_state *d = &hdev->discovery;
4703 struct smp_irk *irk;
4704 struct hci_conn *conn;
4708 /* If the direct address is present, then this report is from
4709 * a LE Direct Advertising Report event. In that case it is
4710 * important to see if the address is matching the local
4711 * controller address.
4714 /* Only resolvable random addresses are valid for these
4715 * kind of reports and others can be ignored.
4717 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4720 /* If the controller is not using resolvable random
4721 * addresses, then this report can be ignored.
4723 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4726 /* If the local IRK of the controller does not match
4727 * with the resolvable random address provided, then
4728 * this report can be ignored.
4730 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4734 /* Check if we need to convert to identity address */
4735 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4737 bdaddr = &irk->bdaddr;
4738 bdaddr_type = irk->addr_type;
4741 /* Check if we have been requested to connect to this device */
4742 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4743 if (conn && type == LE_ADV_IND) {
4744 /* Store report for later inclusion by
4745 * mgmt_device_connected
4747 memcpy(conn->le_adv_data, data, len);
4748 conn->le_adv_data_len = len;
4751 /* Passive scanning shouldn't trigger any device found events,
4752 * except for devices marked as CONN_REPORT for which we do send
4753 * device found events.
4755 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4756 if (type == LE_ADV_DIRECT_IND)
4759 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4760 bdaddr, bdaddr_type))
4763 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4764 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4767 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4768 rssi, flags, data, len, NULL, 0);
4772 /* When receiving non-connectable or scannable undirected
4773 * advertising reports, this means that the remote device is
4774 * not connectable and then clearly indicate this in the
4775 * device found event.
4777 * When receiving a scan response, then there is no way to
4778 * know if the remote device is connectable or not. However
4779 * since scan responses are merged with a previously seen
4780 * advertising report, the flags field from that report
4783 * In the really unlikely case that a controller get confused
4784 * and just sends a scan response event, then it is marked as
4785 * not connectable as well.
4787 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4788 type == LE_ADV_SCAN_RSP)
4789 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4793 /* If there's nothing pending either store the data from this
4794 * event or send an immediate device found event if the data
4795 * should not be stored for later.
4797 if (!has_pending_adv_report(hdev)) {
4798 /* If the report will trigger a SCAN_REQ store it for
4801 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4802 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4803 rssi, flags, data, len);
4807 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4808 rssi, flags, data, len, NULL, 0);
4812 /* Check if the pending report is for the same device as the new one */
4813 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4814 bdaddr_type == d->last_adv_addr_type);
4816 /* If the pending data doesn't match this report or this isn't a
4817 * scan response (e.g. we got a duplicate ADV_IND) then force
4818 * sending of the pending data.
4820 if (type != LE_ADV_SCAN_RSP || !match) {
4821 /* Send out whatever is in the cache, but skip duplicates */
4823 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4824 d->last_adv_addr_type, NULL,
4825 d->last_adv_rssi, d->last_adv_flags,
4827 d->last_adv_data_len, NULL, 0);
4829 /* If the new report will trigger a SCAN_REQ store it for
4832 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4833 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4834 rssi, flags, data, len);
4838 /* The advertising reports cannot be merged, so clear
4839 * the pending report and send out a device found event.
4841 clear_pending_adv_report(hdev);
4842 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4843 rssi, flags, data, len, NULL, 0);
4847 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4848 * the new event is a SCAN_RSP. We can therefore proceed with
4849 * sending a merged device found event.
4851 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4852 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4853 d->last_adv_data, d->last_adv_data_len, data, len);
4854 clear_pending_adv_report(hdev);
4857 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4859 u8 num_reports = skb->data[0];
4860 void *ptr = &skb->data[1];
4864 while (num_reports--) {
4865 struct hci_ev_le_advertising_info *ev = ptr;
4868 rssi = ev->data[ev->length];
4869 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4870 ev->bdaddr_type, NULL, 0, rssi,
4871 ev->data, ev->length);
4873 ptr += sizeof(*ev) + ev->length + 1;
4876 hci_dev_unlock(hdev);
4879 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4880 struct sk_buff *skb)
4882 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4883 struct hci_conn *conn;
4885 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4889 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4892 memcpy(conn->features[0], ev->features, 8);
4894 if (conn->state == BT_CONFIG) {
4897 /* If the local controller supports slave-initiated
4898 * features exchange, but the remote controller does
4899 * not, then it is possible that the error code 0x1a
4900 * for unsupported remote feature gets returned.
4902 * In this specific case, allow the connection to
4903 * transition into connected state and mark it as
4906 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4907 !conn->out && ev->status == 0x1a)
4910 status = ev->status;
4912 conn->state = BT_CONNECTED;
4913 hci_connect_cfm(conn, status);
4914 hci_conn_drop(conn);
4918 hci_dev_unlock(hdev);
4921 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4923 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4924 struct hci_cp_le_ltk_reply cp;
4925 struct hci_cp_le_ltk_neg_reply neg;
4926 struct hci_conn *conn;
4927 struct smp_ltk *ltk;
4929 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4933 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4937 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4941 if (smp_ltk_is_sc(ltk)) {
4942 /* With SC both EDiv and Rand are set to zero */
4943 if (ev->ediv || ev->rand)
4946 /* For non-SC keys check that EDiv and Rand match */
4947 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4951 memcpy(cp.ltk, ltk->val, ltk->enc_size);
4952 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
4953 cp.handle = cpu_to_le16(conn->handle);
4955 conn->pending_sec_level = smp_ltk_sec_level(ltk);
4957 conn->enc_key_size = ltk->enc_size;
4959 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4961 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4962 * temporary key used to encrypt a connection following
4963 * pairing. It is used during the Encrypted Session Setup to
4964 * distribute the keys. Later, security can be re-established
4965 * using a distributed LTK.
4967 if (ltk->type == SMP_STK) {
4968 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4969 list_del_rcu(<k->list);
4970 kfree_rcu(ltk, rcu);
4972 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4975 hci_dev_unlock(hdev);
4980 neg.handle = ev->handle;
4981 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4982 hci_dev_unlock(hdev);
4985 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
4988 struct hci_cp_le_conn_param_req_neg_reply cp;
4990 cp.handle = cpu_to_le16(handle);
4993 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
4997 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4998 struct sk_buff *skb)
5000 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5001 struct hci_cp_le_conn_param_req_reply cp;
5002 struct hci_conn *hcon;
5003 u16 handle, min, max, latency, timeout;
5005 handle = le16_to_cpu(ev->handle);
5006 min = le16_to_cpu(ev->interval_min);
5007 max = le16_to_cpu(ev->interval_max);
5008 latency = le16_to_cpu(ev->latency);
5009 timeout = le16_to_cpu(ev->timeout);
5011 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5012 if (!hcon || hcon->state != BT_CONNECTED)
5013 return send_conn_param_neg_reply(hdev, handle,
5014 HCI_ERROR_UNKNOWN_CONN_ID);
5016 if (hci_check_conn_params(min, max, latency, timeout))
5017 return send_conn_param_neg_reply(hdev, handle,
5018 HCI_ERROR_INVALID_LL_PARAMS);
5020 if (hcon->role == HCI_ROLE_MASTER) {
5021 struct hci_conn_params *params;
5026 params = hci_conn_params_lookup(hdev, &hcon->dst,
5029 params->conn_min_interval = min;
5030 params->conn_max_interval = max;
5031 params->conn_latency = latency;
5032 params->supervision_timeout = timeout;
5038 hci_dev_unlock(hdev);
5040 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5041 store_hint, min, max, latency, timeout);
5044 cp.handle = ev->handle;
5045 cp.interval_min = ev->interval_min;
5046 cp.interval_max = ev->interval_max;
5047 cp.latency = ev->latency;
5048 cp.timeout = ev->timeout;
5052 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5055 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5056 struct sk_buff *skb)
5058 u8 num_reports = skb->data[0];
5059 void *ptr = &skb->data[1];
5063 while (num_reports--) {
5064 struct hci_ev_le_direct_adv_info *ev = ptr;
5066 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5067 ev->bdaddr_type, &ev->direct_addr,
5068 ev->direct_addr_type, ev->rssi, NULL, 0);
5073 hci_dev_unlock(hdev);
5076 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5078 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5080 skb_pull(skb, sizeof(*le_ev));
5082 switch (le_ev->subevent) {
5083 case HCI_EV_LE_CONN_COMPLETE:
5084 hci_le_conn_complete_evt(hdev, skb);
5087 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5088 hci_le_conn_update_complete_evt(hdev, skb);
5091 case HCI_EV_LE_ADVERTISING_REPORT:
5092 hci_le_adv_report_evt(hdev, skb);
5095 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5096 hci_le_remote_feat_complete_evt(hdev, skb);
5099 case HCI_EV_LE_LTK_REQ:
5100 hci_le_ltk_request_evt(hdev, skb);
5103 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5104 hci_le_remote_conn_param_req_evt(hdev, skb);
5107 case HCI_EV_LE_DIRECT_ADV_REPORT:
5108 hci_le_direct_adv_report_evt(hdev, skb);
5116 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5117 u8 event, struct sk_buff *skb)
5119 struct hci_ev_cmd_complete *ev;
5120 struct hci_event_hdr *hdr;
5125 if (skb->len < sizeof(*hdr)) {
5126 BT_ERR("Too short HCI event");
5130 hdr = (void *) skb->data;
5131 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5134 if (hdr->evt != event)
5139 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5140 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5144 if (skb->len < sizeof(*ev)) {
5145 BT_ERR("Too short cmd_complete event");
5149 ev = (void *) skb->data;
5150 skb_pull(skb, sizeof(*ev));
5152 if (opcode != __le16_to_cpu(ev->opcode)) {
5153 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5154 __le16_to_cpu(ev->opcode));
5161 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5163 struct hci_event_hdr *hdr = (void *) skb->data;
5164 hci_req_complete_t req_complete = NULL;
5165 hci_req_complete_skb_t req_complete_skb = NULL;
5166 struct sk_buff *orig_skb = NULL;
5167 u8 status = 0, event = hdr->evt, req_evt = 0;
5168 u16 opcode = HCI_OP_NOP;
5170 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
5171 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5172 opcode = __le16_to_cpu(cmd_hdr->opcode);
5173 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5178 /* If it looks like we might end up having to call
5179 * req_complete_skb, store a pristine copy of the skb since the
5180 * various handlers may modify the original one through
5181 * skb_pull() calls, etc.
5183 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5184 event == HCI_EV_CMD_COMPLETE)
5185 orig_skb = skb_clone(skb, GFP_KERNEL);
5187 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5190 case HCI_EV_INQUIRY_COMPLETE:
5191 hci_inquiry_complete_evt(hdev, skb);
5194 case HCI_EV_INQUIRY_RESULT:
5195 hci_inquiry_result_evt(hdev, skb);
5198 case HCI_EV_CONN_COMPLETE:
5199 hci_conn_complete_evt(hdev, skb);
5202 case HCI_EV_CONN_REQUEST:
5203 hci_conn_request_evt(hdev, skb);
5206 case HCI_EV_DISCONN_COMPLETE:
5207 hci_disconn_complete_evt(hdev, skb);
5210 case HCI_EV_AUTH_COMPLETE:
5211 hci_auth_complete_evt(hdev, skb);
5214 case HCI_EV_REMOTE_NAME:
5215 hci_remote_name_evt(hdev, skb);
5218 case HCI_EV_ENCRYPT_CHANGE:
5219 hci_encrypt_change_evt(hdev, skb);
5222 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5223 hci_change_link_key_complete_evt(hdev, skb);
5226 case HCI_EV_REMOTE_FEATURES:
5227 hci_remote_features_evt(hdev, skb);
5230 case HCI_EV_CMD_COMPLETE:
5231 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5232 &req_complete, &req_complete_skb);
5235 case HCI_EV_CMD_STATUS:
5236 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5240 case HCI_EV_HARDWARE_ERROR:
5241 hci_hardware_error_evt(hdev, skb);
5244 case HCI_EV_ROLE_CHANGE:
5245 hci_role_change_evt(hdev, skb);
5248 case HCI_EV_NUM_COMP_PKTS:
5249 hci_num_comp_pkts_evt(hdev, skb);
5252 case HCI_EV_MODE_CHANGE:
5253 hci_mode_change_evt(hdev, skb);
5256 case HCI_EV_PIN_CODE_REQ:
5257 hci_pin_code_request_evt(hdev, skb);
5260 case HCI_EV_LINK_KEY_REQ:
5261 hci_link_key_request_evt(hdev, skb);
5264 case HCI_EV_LINK_KEY_NOTIFY:
5265 hci_link_key_notify_evt(hdev, skb);
5268 case HCI_EV_CLOCK_OFFSET:
5269 hci_clock_offset_evt(hdev, skb);
5272 case HCI_EV_PKT_TYPE_CHANGE:
5273 hci_pkt_type_change_evt(hdev, skb);
5276 case HCI_EV_PSCAN_REP_MODE:
5277 hci_pscan_rep_mode_evt(hdev, skb);
5280 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5281 hci_inquiry_result_with_rssi_evt(hdev, skb);
5284 case HCI_EV_REMOTE_EXT_FEATURES:
5285 hci_remote_ext_features_evt(hdev, skb);
5288 case HCI_EV_SYNC_CONN_COMPLETE:
5289 hci_sync_conn_complete_evt(hdev, skb);
5292 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5293 hci_extended_inquiry_result_evt(hdev, skb);
5296 case HCI_EV_KEY_REFRESH_COMPLETE:
5297 hci_key_refresh_complete_evt(hdev, skb);
5300 case HCI_EV_IO_CAPA_REQUEST:
5301 hci_io_capa_request_evt(hdev, skb);
5304 case HCI_EV_IO_CAPA_REPLY:
5305 hci_io_capa_reply_evt(hdev, skb);
5308 case HCI_EV_USER_CONFIRM_REQUEST:
5309 hci_user_confirm_request_evt(hdev, skb);
5312 case HCI_EV_USER_PASSKEY_REQUEST:
5313 hci_user_passkey_request_evt(hdev, skb);
5316 case HCI_EV_USER_PASSKEY_NOTIFY:
5317 hci_user_passkey_notify_evt(hdev, skb);
5320 case HCI_EV_KEYPRESS_NOTIFY:
5321 hci_keypress_notify_evt(hdev, skb);
5324 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5325 hci_simple_pair_complete_evt(hdev, skb);
5328 case HCI_EV_REMOTE_HOST_FEATURES:
5329 hci_remote_host_features_evt(hdev, skb);
5332 case HCI_EV_LE_META:
5333 hci_le_meta_evt(hdev, skb);
5336 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5337 hci_remote_oob_data_request_evt(hdev, skb);
5340 #if IS_ENABLED(CONFIG_BT_HS)
5341 case HCI_EV_CHANNEL_SELECTED:
5342 hci_chan_selected_evt(hdev, skb);
5345 case HCI_EV_PHY_LINK_COMPLETE:
5346 hci_phy_link_complete_evt(hdev, skb);
5349 case HCI_EV_LOGICAL_LINK_COMPLETE:
5350 hci_loglink_complete_evt(hdev, skb);
5353 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5354 hci_disconn_loglink_complete_evt(hdev, skb);
5357 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5358 hci_disconn_phylink_complete_evt(hdev, skb);
5362 case HCI_EV_NUM_COMP_BLOCKS:
5363 hci_num_comp_blocks_evt(hdev, skb);
5367 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5372 req_complete(hdev, status, opcode);
5373 } else if (req_complete_skb) {
5374 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5375 kfree_skb(orig_skb);
5378 req_complete_skb(hdev, status, opcode, orig_skb);
5381 kfree_skb(orig_skb);
5383 hdev->stat.evt_rx++;
projects / karo-tx-linux.git / blob