2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 /* Set discovery state to stopped if we're not doing LE active
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
66 hci_conn_check_pending(hdev);
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 __u8 status = *((__u8 *) skb->data);
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
83 __u8 status = *((__u8 *) skb->data);
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
92 hci_conn_check_pending(hdev);
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
98 BT_DBG("%s", hdev->name);
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
115 conn->role = rp->role;
117 hci_dev_unlock(hdev);
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
134 conn->link_policy = __le16_to_cpu(rp->policy);
136 hci_dev_unlock(hdev);
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
158 conn->link_policy = get_unaligned_le16(sent + 2);
160 hci_dev_unlock(hdev);
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
173 hdev->link_policy = __le16_to_cpu(rp->policy);
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
179 __u8 status = *((__u8 *) skb->data);
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
191 hdev->link_policy = get_unaligned_le16(sent);
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
196 __u8 status = *((__u8 *) skb->data);
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
200 clear_bit(HCI_RESET, &hdev->flags);
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
221 hdev->ssp_debug_mode = 0;
223 hci_bdaddr_list_clear(&hdev->le_white_list);
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 struct hci_cp_read_stored_link_key *sent;
232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
238 if (!rp->status && sent->read_all == 0x01) {
239 hdev->stored_max_keys = rp->max_keys;
240 hdev->stored_num_keys = rp->num_keys;
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
254 if (rp->num_keys <= hdev->stored_num_keys)
255 hdev->stored_num_keys -= rp->num_keys;
257 hdev->stored_num_keys = 0;
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262 __u8 status = *((__u8 *) skb->data);
265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
273 if (hci_dev_test_flag(hdev, HCI_MGMT))
274 mgmt_set_local_name_complete(hdev, sent, status);
276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278 hci_dev_unlock(hdev);
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283 struct hci_rp_read_local_name *rp = (void *) skb->data;
285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
290 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 hci_dev_test_flag(hdev, HCI_CONFIG))
292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297 __u8 status = *((__u8 *) skb->data);
300 BT_DBG("%s status 0x%2.2x", hdev->name, status);
302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
309 __u8 param = *((__u8 *) sent);
311 if (param == AUTH_ENABLED)
312 set_bit(HCI_AUTH, &hdev->flags);
314 clear_bit(HCI_AUTH, &hdev->flags);
317 if (hci_dev_test_flag(hdev, HCI_MGMT))
318 mgmt_auth_enable_complete(hdev, status);
320 hci_dev_unlock(hdev);
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325 __u8 status = *((__u8 *) skb->data);
329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
338 param = *((__u8 *) sent);
341 set_bit(HCI_ENCRYPT, &hdev->flags);
343 clear_bit(HCI_ENCRYPT, &hdev->flags);
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348 __u8 status = *((__u8 *) skb->data);
352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
358 param = *((__u8 *) sent);
363 hdev->discov_timeout = 0;
367 if (param & SCAN_INQUIRY)
368 set_bit(HCI_ISCAN, &hdev->flags);
370 clear_bit(HCI_ISCAN, &hdev->flags);
372 if (param & SCAN_PAGE)
373 set_bit(HCI_PSCAN, &hdev->flags);
375 clear_bit(HCI_PSCAN, &hdev->flags);
378 hci_dev_unlock(hdev);
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
390 memcpy(hdev->dev_class, rp->dev_class, 3);
392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398 __u8 status = *((__u8 *) skb->data);
401 BT_DBG("%s status 0x%2.2x", hdev->name, status);
403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
410 memcpy(hdev->dev_class, sent, 3);
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_set_class_of_dev_complete(hdev, sent, status);
415 hci_dev_unlock(hdev);
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
428 setting = __le16_to_cpu(rp->voice_setting);
430 if (hdev->voice_setting == setting)
433 hdev->voice_setting = setting;
435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
444 __u8 status = *((__u8 *) skb->data);
448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
457 setting = get_unaligned_le16(sent);
459 if (hdev->voice_setting == setting)
462 hdev->voice_setting = setting;
464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
480 hdev->num_iac = rp->num_iac;
482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487 __u8 status = *((__u8 *) skb->data);
488 struct hci_cp_write_ssp_mode *sent;
490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
500 hdev->features[1][0] |= LMP_HOST_SSP;
502 hdev->features[1][0] &= ~LMP_HOST_SSP;
505 if (hci_dev_test_flag(hdev, HCI_MGMT))
506 mgmt_ssp_enable_complete(hdev, sent->mode, status);
509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
514 hci_dev_unlock(hdev);
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519 u8 status = *((u8 *) skb->data);
520 struct hci_cp_write_sc_support *sent;
522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
532 hdev->features[1][0] |= LMP_HOST_SC;
534 hdev->features[1][0] &= ~LMP_HOST_SC;
537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
544 hci_dev_unlock(hdev);
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549 struct hci_rp_read_local_version *rp = (void *) skb->data;
551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
556 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 hdev->hci_ver = rp->hci_ver;
559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 hdev->lmp_ver = rp->lmp_ver;
561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
569 struct hci_rp_read_local_commands *rp = (void *) skb->data;
571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
576 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 hci_dev_test_flag(hdev, HCI_CONFIG))
578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
584 struct hci_rp_read_local_features *rp = (void *) skb->data;
586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
591 memcpy(hdev->features, rp->features, 8);
593 /* Adjust default settings according to features
594 * supported by device. */
596 if (hdev->features[0][0] & LMP_3SLOT)
597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
599 if (hdev->features[0][0] & LMP_5SLOT)
600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
602 if (hdev->features[0][1] & LMP_HV2) {
603 hdev->pkt_type |= (HCI_HV2);
604 hdev->esco_type |= (ESCO_HV2);
607 if (hdev->features[0][1] & LMP_HV3) {
608 hdev->pkt_type |= (HCI_HV3);
609 hdev->esco_type |= (ESCO_HV3);
612 if (lmp_esco_capable(hdev))
613 hdev->esco_type |= (ESCO_EV3);
615 if (hdev->features[0][4] & LMP_EV4)
616 hdev->esco_type |= (ESCO_EV4);
618 if (hdev->features[0][4] & LMP_EV5)
619 hdev->esco_type |= (ESCO_EV5);
621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 hdev->esco_type |= (ESCO_2EV3);
624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 hdev->esco_type |= (ESCO_3EV3);
627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
641 if (hdev->max_page < rp->max_page)
642 hdev->max_page = rp->max_page;
644 if (rp->page < HCI_MAX_PAGES)
645 memcpy(hdev->features[rp->page], rp->features, 8);
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
658 hdev->flow_ctl_mode = rp->mode;
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
671 hdev->sco_mtu = rp->sco_mtu;
672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
680 hdev->acl_cnt = hdev->acl_pkts;
681 hdev->sco_cnt = hdev->sco_pkts;
683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
689 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
696 if (test_bit(HCI_INIT, &hdev->flags))
697 bacpy(&hdev->bdaddr, &rp->bdaddr);
699 if (hci_dev_test_flag(hdev, HCI_SETUP))
700 bacpy(&hdev->setup_addr, &rp->bdaddr);
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
713 if (test_bit(HCI_INIT, &hdev->flags)) {
714 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 hdev->page_scan_window = __le16_to_cpu(rp->window);
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
722 u8 status = *((u8 *) skb->data);
723 struct hci_cp_write_page_scan_activity *sent;
725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
734 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 hdev->page_scan_window = __le16_to_cpu(sent->window);
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
748 if (test_bit(HCI_INIT, &hdev->flags))
749 hdev->page_scan_type = rp->type;
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
755 u8 status = *((u8 *) skb->data);
758 BT_DBG("%s status 0x%2.2x", hdev->name, status);
763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
765 hdev->page_scan_type = *type;
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
771 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 hdev->block_len = __le16_to_cpu(rp->block_len);
780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
782 hdev->block_cnt = hdev->num_blocks;
784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 hdev->block_cnt, hdev->block_len);
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
790 struct hci_rp_read_clock *rp = (void *) skb->data;
791 struct hci_cp_read_clock *cp;
792 struct hci_conn *conn;
794 BT_DBG("%s", hdev->name);
796 if (skb->len < sizeof(*rp))
804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
808 if (cp->which == 0x00) {
809 hdev->clock = le32_to_cpu(rp->clock);
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
815 conn->clock = le32_to_cpu(rp->clock);
816 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
820 hci_dev_unlock(hdev);
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
833 hdev->amp_status = rp->amp_status;
834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 hdev->amp_type = rp->amp_type;
839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
855 hdev->inq_tx_power = rp->tx_power;
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
860 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 struct hci_cp_pin_code_reply *cp;
862 struct hci_conn *conn;
864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
868 if (hci_dev_test_flag(hdev, HCI_MGMT))
869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
880 conn->pin_length = cp->pin_len;
883 hci_dev_unlock(hdev);
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
894 if (hci_dev_test_flag(hdev, HCI_MGMT))
895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
898 hci_dev_unlock(hdev);
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 hdev->le_pkts = rp->le_max_pkt;
914 hdev->le_cnt = hdev->le_pkts;
916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
922 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
929 memcpy(hdev->le_features, rp->features, 8);
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
942 hdev->adv_tx_power = rp->tx_power;
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
953 if (hci_dev_test_flag(hdev, HCI_MGMT))
954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
957 hci_dev_unlock(hdev);
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 ACL_LINK, 0, rp->status);
973 hci_dev_unlock(hdev);
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
984 if (hci_dev_test_flag(hdev, HCI_MGMT))
985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
988 hci_dev_unlock(hdev);
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 ACL_LINK, 0, rp->status);
1004 hci_dev_unlock(hdev);
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 struct sk_buff *skb)
1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1025 __u8 status = *((__u8 *) skb->data);
1028 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1039 bacpy(&hdev->random_addr, sent);
1041 hci_dev_unlock(hdev);
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1046 __u8 *sent, status = *((__u8 *) skb->data);
1048 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1059 /* If we're doing connection initiation as peripheral. Set a
1060 * timeout in case something goes wrong.
1063 struct hci_conn *conn;
1065 hci_dev_set_flag(hdev, HCI_LE_ADV);
1067 conn = hci_lookup_le_connect(hdev);
1069 queue_delayed_work(hdev->workqueue,
1070 &conn->le_conn_timeout,
1071 conn->conn_timeout);
1073 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1076 hci_dev_unlock(hdev);
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1081 struct hci_cp_le_set_scan_param *cp;
1082 __u8 status = *((__u8 *) skb->data);
1084 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1095 hdev->le_scan_type = cp->type;
1097 hci_dev_unlock(hdev);
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1102 struct discovery_state *d = &hdev->discovery;
1104 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1109 struct discovery_state *d = &hdev->discovery;
1111 bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 d->last_adv_data_len = 0;
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 u8 bdaddr_type, s8 rssi, u32 flags,
1119 struct discovery_state *d = &hdev->discovery;
1121 bacpy(&d->last_adv_addr, bdaddr);
1122 d->last_adv_addr_type = bdaddr_type;
1123 d->last_adv_rssi = rssi;
1124 d->last_adv_flags = flags;
1125 memcpy(d->last_adv_data, data, len);
1126 d->last_adv_data_len = len;
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 struct sk_buff *skb)
1132 struct hci_cp_le_set_scan_enable *cp;
1133 __u8 status = *((__u8 *) skb->data);
1135 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1146 switch (cp->enable) {
1147 case LE_SCAN_ENABLE:
1148 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 clear_pending_adv_report(hdev);
1153 case LE_SCAN_DISABLE:
1154 /* We do this here instead of when setting DISCOVERY_STOPPED
1155 * since the latter would potentially require waiting for
1156 * inquiry to stop too.
1158 if (has_pending_adv_report(hdev)) {
1159 struct discovery_state *d = &hdev->discovery;
1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 d->last_adv_addr_type, NULL,
1163 d->last_adv_rssi, d->last_adv_flags,
1165 d->last_adv_data_len, NULL, 0);
1168 /* Cancel this timer so that we don't try to disable scanning
1169 * when it's already disabled.
1171 cancel_delayed_work(&hdev->le_scan_disable);
1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 * interrupted scanning due to a connect request. Mark
1177 * therefore discovery as stopped. If this was not
1178 * because of a connect request advertising might have
1179 * been disabled because of active scanning, so
1180 * re-enable it again if necessary.
1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 hdev->discovery.state == DISCOVERY_FINDING)
1186 mgmt_reenable_advertising(hdev);
1191 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1195 hci_dev_unlock(hdev);
1198 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1199 struct sk_buff *skb)
1201 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1203 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1208 hdev->le_white_list_size = rp->size;
1211 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1212 struct sk_buff *skb)
1214 __u8 status = *((__u8 *) skb->data);
1216 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1221 hci_bdaddr_list_clear(&hdev->le_white_list);
1224 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1225 struct sk_buff *skb)
1227 struct hci_cp_le_add_to_white_list *sent;
1228 __u8 status = *((__u8 *) skb->data);
1230 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1235 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1239 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1243 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1244 struct sk_buff *skb)
1246 struct hci_cp_le_del_from_white_list *sent;
1247 __u8 status = *((__u8 *) skb->data);
1249 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1254 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1258 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1262 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1263 struct sk_buff *skb)
1265 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1267 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1272 memcpy(hdev->le_states, rp->le_states, 8);
1275 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1276 struct sk_buff *skb)
1278 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1285 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1286 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1289 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1290 struct sk_buff *skb)
1292 struct hci_cp_le_write_def_data_len *sent;
1293 __u8 status = *((__u8 *) skb->data);
1295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1300 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1304 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1305 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1308 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1309 struct sk_buff *skb)
1311 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1313 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1318 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1319 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1320 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1321 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1324 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1325 struct sk_buff *skb)
1327 struct hci_cp_write_le_host_supported *sent;
1328 __u8 status = *((__u8 *) skb->data);
1330 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1342 hdev->features[1][0] |= LMP_HOST_LE;
1343 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1345 hdev->features[1][0] &= ~LMP_HOST_LE;
1346 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1347 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1351 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1353 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1355 hci_dev_unlock(hdev);
1358 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1360 struct hci_cp_le_set_adv_param *cp;
1361 u8 status = *((u8 *) skb->data);
1363 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1368 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1373 hdev->adv_addr_type = cp->own_address_type;
1374 hci_dev_unlock(hdev);
1377 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1379 struct hci_rp_read_rssi *rp = (void *) skb->data;
1380 struct hci_conn *conn;
1382 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1389 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1391 conn->rssi = rp->rssi;
1393 hci_dev_unlock(hdev);
1396 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1398 struct hci_cp_read_tx_power *sent;
1399 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1400 struct hci_conn *conn;
1402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1407 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1417 switch (sent->type) {
1419 conn->tx_power = rp->tx_power;
1422 conn->max_tx_power = rp->tx_power;
1427 hci_dev_unlock(hdev);
1430 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1432 u8 status = *((u8 *) skb->data);
1435 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1440 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1442 hdev->ssp_debug_mode = *mode;
1445 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1447 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1450 hci_conn_check_pending(hdev);
1454 set_bit(HCI_INQUIRY, &hdev->flags);
1457 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1459 struct hci_cp_create_conn *cp;
1460 struct hci_conn *conn;
1462 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1470 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1472 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1475 if (conn && conn->state == BT_CONNECT) {
1476 if (status != 0x0c || conn->attempt > 2) {
1477 conn->state = BT_CLOSED;
1478 hci_connect_cfm(conn, status);
1481 conn->state = BT_CONNECT2;
1485 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1488 BT_ERR("No memory for new connection");
1492 hci_dev_unlock(hdev);
1495 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1497 struct hci_cp_add_sco *cp;
1498 struct hci_conn *acl, *sco;
1501 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1506 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1510 handle = __le16_to_cpu(cp->handle);
1512 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1516 acl = hci_conn_hash_lookup_handle(hdev, handle);
1520 sco->state = BT_CLOSED;
1522 hci_connect_cfm(sco, status);
1527 hci_dev_unlock(hdev);
1530 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1532 struct hci_cp_auth_requested *cp;
1533 struct hci_conn *conn;
1535 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1540 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1546 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1548 if (conn->state == BT_CONFIG) {
1549 hci_connect_cfm(conn, status);
1550 hci_conn_drop(conn);
1554 hci_dev_unlock(hdev);
1557 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1559 struct hci_cp_set_conn_encrypt *cp;
1560 struct hci_conn *conn;
1562 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1567 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1573 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1575 if (conn->state == BT_CONFIG) {
1576 hci_connect_cfm(conn, status);
1577 hci_conn_drop(conn);
1581 hci_dev_unlock(hdev);
1584 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1585 struct hci_conn *conn)
1587 if (conn->state != BT_CONFIG || !conn->out)
1590 if (conn->pending_sec_level == BT_SECURITY_SDP)
1593 /* Only request authentication for SSP connections or non-SSP
1594 * devices with sec_level MEDIUM or HIGH or if MITM protection
1597 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1598 conn->pending_sec_level != BT_SECURITY_FIPS &&
1599 conn->pending_sec_level != BT_SECURITY_HIGH &&
1600 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1606 static int hci_resolve_name(struct hci_dev *hdev,
1607 struct inquiry_entry *e)
1609 struct hci_cp_remote_name_req cp;
1611 memset(&cp, 0, sizeof(cp));
1613 bacpy(&cp.bdaddr, &e->data.bdaddr);
1614 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1615 cp.pscan_mode = e->data.pscan_mode;
1616 cp.clock_offset = e->data.clock_offset;
1618 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1621 static bool hci_resolve_next_name(struct hci_dev *hdev)
1623 struct discovery_state *discov = &hdev->discovery;
1624 struct inquiry_entry *e;
1626 if (list_empty(&discov->resolve))
1629 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1633 if (hci_resolve_name(hdev, e) == 0) {
1634 e->name_state = NAME_PENDING;
1641 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1642 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1644 struct discovery_state *discov = &hdev->discovery;
1645 struct inquiry_entry *e;
1647 /* Update the mgmt connected state if necessary. Be careful with
1648 * conn objects that exist but are not (yet) connected however.
1649 * Only those in BT_CONFIG or BT_CONNECTED states can be
1650 * considered connected.
1653 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1654 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1655 mgmt_device_connected(hdev, conn, 0, name, name_len);
1657 if (discov->state == DISCOVERY_STOPPED)
1660 if (discov->state == DISCOVERY_STOPPING)
1661 goto discov_complete;
1663 if (discov->state != DISCOVERY_RESOLVING)
1666 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1667 /* If the device was not found in a list of found devices names of which
1668 * are pending. there is no need to continue resolving a next name as it
1669 * will be done upon receiving another Remote Name Request Complete
1676 e->name_state = NAME_KNOWN;
1677 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1678 e->data.rssi, name, name_len);
1680 e->name_state = NAME_NOT_KNOWN;
1683 if (hci_resolve_next_name(hdev))
1687 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1690 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1692 struct hci_cp_remote_name_req *cp;
1693 struct hci_conn *conn;
1695 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1697 /* If successful wait for the name req complete event before
1698 * checking for the need to do authentication */
1702 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1710 if (hci_dev_test_flag(hdev, HCI_MGMT))
1711 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1716 if (!hci_outgoing_auth_needed(hdev, conn))
1719 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1720 struct hci_cp_auth_requested auth_cp;
1722 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1724 auth_cp.handle = __cpu_to_le16(conn->handle);
1725 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1726 sizeof(auth_cp), &auth_cp);
1730 hci_dev_unlock(hdev);
1733 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1735 struct hci_cp_read_remote_features *cp;
1736 struct hci_conn *conn;
1738 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1743 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1749 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1751 if (conn->state == BT_CONFIG) {
1752 hci_connect_cfm(conn, status);
1753 hci_conn_drop(conn);
1757 hci_dev_unlock(hdev);
1760 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1762 struct hci_cp_read_remote_ext_features *cp;
1763 struct hci_conn *conn;
1765 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1770 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1776 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1778 if (conn->state == BT_CONFIG) {
1779 hci_connect_cfm(conn, status);
1780 hci_conn_drop(conn);
1784 hci_dev_unlock(hdev);
1787 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1789 struct hci_cp_setup_sync_conn *cp;
1790 struct hci_conn *acl, *sco;
1793 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1798 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1802 handle = __le16_to_cpu(cp->handle);
1804 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1808 acl = hci_conn_hash_lookup_handle(hdev, handle);
1812 sco->state = BT_CLOSED;
1814 hci_connect_cfm(sco, status);
1819 hci_dev_unlock(hdev);
1822 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1824 struct hci_cp_sniff_mode *cp;
1825 struct hci_conn *conn;
1827 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1832 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1838 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1840 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1842 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1843 hci_sco_setup(conn, status);
1846 hci_dev_unlock(hdev);
1849 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1851 struct hci_cp_exit_sniff_mode *cp;
1852 struct hci_conn *conn;
1854 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1859 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1867 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1870 hci_sco_setup(conn, status);
1873 hci_dev_unlock(hdev);
1876 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1878 struct hci_cp_disconnect *cp;
1879 struct hci_conn *conn;
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1893 conn->dst_type, status);
1895 hci_dev_unlock(hdev);
1898 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1900 struct hci_cp_le_create_conn *cp;
1901 struct hci_conn *conn;
1903 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1905 /* All connection failure handling is taken care of by the
1906 * hci_le_conn_failed function which is triggered by the HCI
1907 * request completion callbacks used for connecting.
1912 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1918 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1922 /* Store the initiator and responder address information which
1923 * is needed for SMP. These values will not change during the
1924 * lifetime of the connection.
1926 conn->init_addr_type = cp->own_address_type;
1927 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1928 bacpy(&conn->init_addr, &hdev->random_addr);
1930 bacpy(&conn->init_addr, &hdev->bdaddr);
1932 conn->resp_addr_type = cp->peer_addr_type;
1933 bacpy(&conn->resp_addr, &cp->peer_addr);
1935 /* We don't want the connection attempt to stick around
1936 * indefinitely since LE doesn't have a page timeout concept
1937 * like BR/EDR. Set a timer for any connection that doesn't use
1938 * the white list for connecting.
1940 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1941 queue_delayed_work(conn->hdev->workqueue,
1942 &conn->le_conn_timeout,
1943 conn->conn_timeout);
1946 hci_dev_unlock(hdev);
1949 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1951 struct hci_cp_le_read_remote_features *cp;
1952 struct hci_conn *conn;
1954 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1959 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1965 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1967 if (conn->state == BT_CONFIG) {
1968 hci_connect_cfm(conn, status);
1969 hci_conn_drop(conn);
1973 hci_dev_unlock(hdev);
1976 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1978 struct hci_cp_le_start_enc *cp;
1979 struct hci_conn *conn;
1981 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1988 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1992 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1996 if (conn->state != BT_CONNECTED)
1999 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2000 hci_conn_drop(conn);
2003 hci_dev_unlock(hdev);
2006 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2008 struct hci_cp_switch_role *cp;
2009 struct hci_conn *conn;
2011 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2016 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2022 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2024 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2026 hci_dev_unlock(hdev);
2029 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2031 __u8 status = *((__u8 *) skb->data);
2032 struct discovery_state *discov = &hdev->discovery;
2033 struct inquiry_entry *e;
2035 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2037 hci_conn_check_pending(hdev);
2039 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2042 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2043 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2045 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2050 if (discov->state != DISCOVERY_FINDING)
2053 if (list_empty(&discov->resolve)) {
2054 /* When BR/EDR inquiry is active and no LE scanning is in
2055 * progress, then change discovery state to indicate completion.
2057 * When running LE scanning and BR/EDR inquiry simultaneously
2058 * and the LE scan already finished, then change the discovery
2059 * state to indicate completion.
2061 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2062 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2063 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2067 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2068 if (e && hci_resolve_name(hdev, e) == 0) {
2069 e->name_state = NAME_PENDING;
2070 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2072 /* When BR/EDR inquiry is active and no LE scanning is in
2073 * progress, then change discovery state to indicate completion.
2075 * When running LE scanning and BR/EDR inquiry simultaneously
2076 * and the LE scan already finished, then change the discovery
2077 * state to indicate completion.
2079 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2080 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2081 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2085 hci_dev_unlock(hdev);
2088 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2090 struct inquiry_data data;
2091 struct inquiry_info *info = (void *) (skb->data + 1);
2092 int num_rsp = *((__u8 *) skb->data);
2094 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2099 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2104 for (; num_rsp; num_rsp--, info++) {
2107 bacpy(&data.bdaddr, &info->bdaddr);
2108 data.pscan_rep_mode = info->pscan_rep_mode;
2109 data.pscan_period_mode = info->pscan_period_mode;
2110 data.pscan_mode = info->pscan_mode;
2111 memcpy(data.dev_class, info->dev_class, 3);
2112 data.clock_offset = info->clock_offset;
2113 data.rssi = HCI_RSSI_INVALID;
2114 data.ssp_mode = 0x00;
2116 flags = hci_inquiry_cache_update(hdev, &data, false);
2118 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2119 info->dev_class, HCI_RSSI_INVALID,
2120 flags, NULL, 0, NULL, 0);
2123 hci_dev_unlock(hdev);
2126 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2128 struct hci_ev_conn_complete *ev = (void *) skb->data;
2129 struct hci_conn *conn;
2131 BT_DBG("%s", hdev->name);
2135 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2137 if (ev->link_type != SCO_LINK)
2140 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2144 conn->type = SCO_LINK;
2148 conn->handle = __le16_to_cpu(ev->handle);
2150 if (conn->type == ACL_LINK) {
2151 conn->state = BT_CONFIG;
2152 hci_conn_hold(conn);
2154 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2155 !hci_find_link_key(hdev, &ev->bdaddr))
2156 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2158 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2160 conn->state = BT_CONNECTED;
2162 hci_debugfs_create_conn(conn);
2163 hci_conn_add_sysfs(conn);
2165 if (test_bit(HCI_AUTH, &hdev->flags))
2166 set_bit(HCI_CONN_AUTH, &conn->flags);
2168 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2169 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2171 /* Get remote features */
2172 if (conn->type == ACL_LINK) {
2173 struct hci_cp_read_remote_features cp;
2174 cp.handle = ev->handle;
2175 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2178 hci_update_page_scan(hdev);
2181 /* Set packet type for incoming connection */
2182 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2183 struct hci_cp_change_conn_ptype cp;
2184 cp.handle = ev->handle;
2185 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2186 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2190 conn->state = BT_CLOSED;
2191 if (conn->type == ACL_LINK)
2192 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2193 conn->dst_type, ev->status);
2196 if (conn->type == ACL_LINK)
2197 hci_sco_setup(conn, ev->status);
2200 hci_connect_cfm(conn, ev->status);
2202 } else if (ev->link_type != ACL_LINK)
2203 hci_connect_cfm(conn, ev->status);
2206 hci_dev_unlock(hdev);
2208 hci_conn_check_pending(hdev);
2211 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2213 struct hci_cp_reject_conn_req cp;
2215 bacpy(&cp.bdaddr, bdaddr);
2216 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2217 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2220 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2222 struct hci_ev_conn_request *ev = (void *) skb->data;
2223 int mask = hdev->link_mode;
2224 struct inquiry_entry *ie;
2225 struct hci_conn *conn;
2228 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2231 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2234 if (!(mask & HCI_LM_ACCEPT)) {
2235 hci_reject_conn(hdev, &ev->bdaddr);
2239 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2241 hci_reject_conn(hdev, &ev->bdaddr);
2245 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2246 * connection. These features are only touched through mgmt so
2247 * only do the checks if HCI_MGMT is set.
2249 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2250 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2251 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2253 hci_reject_conn(hdev, &ev->bdaddr);
2257 /* Connection accepted */
2261 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2263 memcpy(ie->data.dev_class, ev->dev_class, 3);
2265 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2268 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2271 BT_ERR("No memory for new connection");
2272 hci_dev_unlock(hdev);
2277 memcpy(conn->dev_class, ev->dev_class, 3);
2279 hci_dev_unlock(hdev);
2281 if (ev->link_type == ACL_LINK ||
2282 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2283 struct hci_cp_accept_conn_req cp;
2284 conn->state = BT_CONNECT;
2286 bacpy(&cp.bdaddr, &ev->bdaddr);
2288 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2289 cp.role = 0x00; /* Become master */
2291 cp.role = 0x01; /* Remain slave */
2293 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2294 } else if (!(flags & HCI_PROTO_DEFER)) {
2295 struct hci_cp_accept_sync_conn_req cp;
2296 conn->state = BT_CONNECT;
2298 bacpy(&cp.bdaddr, &ev->bdaddr);
2299 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2301 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2302 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2303 cp.max_latency = cpu_to_le16(0xffff);
2304 cp.content_format = cpu_to_le16(hdev->voice_setting);
2305 cp.retrans_effort = 0xff;
2307 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2310 conn->state = BT_CONNECT2;
2311 hci_connect_cfm(conn, 0);
2315 static u8 hci_to_mgmt_reason(u8 err)
2318 case HCI_ERROR_CONNECTION_TIMEOUT:
2319 return MGMT_DEV_DISCONN_TIMEOUT;
2320 case HCI_ERROR_REMOTE_USER_TERM:
2321 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2322 case HCI_ERROR_REMOTE_POWER_OFF:
2323 return MGMT_DEV_DISCONN_REMOTE;
2324 case HCI_ERROR_LOCAL_HOST_TERM:
2325 return MGMT_DEV_DISCONN_LOCAL_HOST;
2327 return MGMT_DEV_DISCONN_UNKNOWN;
2331 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2334 u8 reason = hci_to_mgmt_reason(ev->reason);
2335 struct hci_conn_params *params;
2336 struct hci_conn *conn;
2337 bool mgmt_connected;
2340 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2344 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2349 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2350 conn->dst_type, ev->status);
2354 conn->state = BT_CLOSED;
2356 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2357 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2358 reason, mgmt_connected);
2360 if (conn->type == ACL_LINK) {
2361 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2362 hci_remove_link_key(hdev, &conn->dst);
2364 hci_update_page_scan(hdev);
2367 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2369 switch (params->auto_connect) {
2370 case HCI_AUTO_CONN_LINK_LOSS:
2371 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2375 case HCI_AUTO_CONN_DIRECT:
2376 case HCI_AUTO_CONN_ALWAYS:
2377 list_del_init(¶ms->action);
2378 list_add(¶ms->action, &hdev->pend_le_conns);
2379 hci_update_background_scan(hdev);
2389 hci_disconn_cfm(conn, ev->reason);
2392 /* Re-enable advertising if necessary, since it might
2393 * have been disabled by the connection. From the
2394 * HCI_LE_Set_Advertise_Enable command description in
2395 * the core specification (v4.0):
2396 * "The Controller shall continue advertising until the Host
2397 * issues an LE_Set_Advertise_Enable command with
2398 * Advertising_Enable set to 0x00 (Advertising is disabled)
2399 * or until a connection is created or until the Advertising
2400 * is timed out due to Directed Advertising."
2402 if (type == LE_LINK)
2403 mgmt_reenable_advertising(hdev);
2406 hci_dev_unlock(hdev);
2409 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2411 struct hci_ev_auth_complete *ev = (void *) skb->data;
2412 struct hci_conn *conn;
2414 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2418 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2423 if (!hci_conn_ssp_enabled(conn) &&
2424 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2425 BT_INFO("re-auth of legacy device is not possible.");
2427 set_bit(HCI_CONN_AUTH, &conn->flags);
2428 conn->sec_level = conn->pending_sec_level;
2431 mgmt_auth_failed(conn, ev->status);
2434 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2435 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2437 if (conn->state == BT_CONFIG) {
2438 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2439 struct hci_cp_set_conn_encrypt cp;
2440 cp.handle = ev->handle;
2442 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2445 conn->state = BT_CONNECTED;
2446 hci_connect_cfm(conn, ev->status);
2447 hci_conn_drop(conn);
2450 hci_auth_cfm(conn, ev->status);
2452 hci_conn_hold(conn);
2453 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2454 hci_conn_drop(conn);
2457 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2459 struct hci_cp_set_conn_encrypt cp;
2460 cp.handle = ev->handle;
2462 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2465 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2466 hci_encrypt_cfm(conn, ev->status, 0x00);
2471 hci_dev_unlock(hdev);
2474 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2476 struct hci_ev_remote_name *ev = (void *) skb->data;
2477 struct hci_conn *conn;
2479 BT_DBG("%s", hdev->name);
2481 hci_conn_check_pending(hdev);
2485 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2487 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2490 if (ev->status == 0)
2491 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2492 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2494 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2500 if (!hci_outgoing_auth_needed(hdev, conn))
2503 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2504 struct hci_cp_auth_requested cp;
2506 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2508 cp.handle = __cpu_to_le16(conn->handle);
2509 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2513 hci_dev_unlock(hdev);
2516 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2517 u16 opcode, struct sk_buff *skb)
2519 const struct hci_rp_read_enc_key_size *rp;
2520 struct hci_conn *conn;
2523 BT_DBG("%s status 0x%02x", hdev->name, status);
2525 if (!skb || skb->len < sizeof(*rp)) {
2526 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2531 rp = (void *)skb->data;
2532 handle = le16_to_cpu(rp->handle);
2536 conn = hci_conn_hash_lookup_handle(hdev, handle);
2540 /* If we fail to read the encryption key size, assume maximum
2541 * (which is the same we do also when this HCI command isn't
2545 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2547 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2549 conn->enc_key_size = rp->key_size;
2552 if (conn->state == BT_CONFIG) {
2553 conn->state = BT_CONNECTED;
2554 hci_connect_cfm(conn, 0);
2555 hci_conn_drop(conn);
2559 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2561 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2566 hci_encrypt_cfm(conn, 0, encrypt);
2570 hci_dev_unlock(hdev);
2573 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2575 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2576 struct hci_conn *conn;
2578 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2582 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2588 /* Encryption implies authentication */
2589 set_bit(HCI_CONN_AUTH, &conn->flags);
2590 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2591 conn->sec_level = conn->pending_sec_level;
2593 /* P-256 authentication key implies FIPS */
2594 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2595 set_bit(HCI_CONN_FIPS, &conn->flags);
2597 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2598 conn->type == LE_LINK)
2599 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2601 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2602 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2606 /* We should disregard the current RPA and generate a new one
2607 * whenever the encryption procedure fails.
2609 if (ev->status && conn->type == LE_LINK)
2610 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2612 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2614 if (ev->status && conn->state == BT_CONNECTED) {
2615 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2616 hci_conn_drop(conn);
2620 /* In Secure Connections Only mode, do not allow any connections
2621 * that are not encrypted with AES-CCM using a P-256 authenticated
2624 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2625 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2626 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2627 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2628 hci_conn_drop(conn);
2632 /* Try reading the encryption key size for encrypted ACL links */
2633 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2634 struct hci_cp_read_enc_key_size cp;
2635 struct hci_request req;
2637 /* Only send HCI_Read_Encryption_Key_Size if the
2638 * controller really supports it. If it doesn't, assume
2639 * the default size (16).
2641 if (!(hdev->commands[20] & 0x10)) {
2642 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2646 hci_req_init(&req, hdev);
2648 cp.handle = cpu_to_le16(conn->handle);
2649 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2651 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2652 BT_ERR("Sending HCI Read Encryption Key Size failed");
2653 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2661 if (conn->state == BT_CONFIG) {
2663 conn->state = BT_CONNECTED;
2665 hci_connect_cfm(conn, ev->status);
2666 hci_conn_drop(conn);
2668 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2671 hci_dev_unlock(hdev);
2674 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2675 struct sk_buff *skb)
2677 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2678 struct hci_conn *conn;
2680 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2684 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2687 set_bit(HCI_CONN_SECURE, &conn->flags);
2689 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2691 hci_key_change_cfm(conn, ev->status);
2694 hci_dev_unlock(hdev);
2697 static void hci_remote_features_evt(struct hci_dev *hdev,
2698 struct sk_buff *skb)
2700 struct hci_ev_remote_features *ev = (void *) skb->data;
2701 struct hci_conn *conn;
2703 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2707 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2712 memcpy(conn->features[0], ev->features, 8);
2714 if (conn->state != BT_CONFIG)
2717 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2718 lmp_ext_feat_capable(conn)) {
2719 struct hci_cp_read_remote_ext_features cp;
2720 cp.handle = ev->handle;
2722 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2727 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2728 struct hci_cp_remote_name_req cp;
2729 memset(&cp, 0, sizeof(cp));
2730 bacpy(&cp.bdaddr, &conn->dst);
2731 cp.pscan_rep_mode = 0x02;
2732 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2733 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2734 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2736 if (!hci_outgoing_auth_needed(hdev, conn)) {
2737 conn->state = BT_CONNECTED;
2738 hci_connect_cfm(conn, ev->status);
2739 hci_conn_drop(conn);
2743 hci_dev_unlock(hdev);
2746 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2747 u16 *opcode, u8 *status,
2748 hci_req_complete_t *req_complete,
2749 hci_req_complete_skb_t *req_complete_skb)
2751 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2753 *opcode = __le16_to_cpu(ev->opcode);
2754 *status = skb->data[sizeof(*ev)];
2756 skb_pull(skb, sizeof(*ev));
2759 case HCI_OP_INQUIRY_CANCEL:
2760 hci_cc_inquiry_cancel(hdev, skb);
2763 case HCI_OP_PERIODIC_INQ:
2764 hci_cc_periodic_inq(hdev, skb);
2767 case HCI_OP_EXIT_PERIODIC_INQ:
2768 hci_cc_exit_periodic_inq(hdev, skb);
2771 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2772 hci_cc_remote_name_req_cancel(hdev, skb);
2775 case HCI_OP_ROLE_DISCOVERY:
2776 hci_cc_role_discovery(hdev, skb);
2779 case HCI_OP_READ_LINK_POLICY:
2780 hci_cc_read_link_policy(hdev, skb);
2783 case HCI_OP_WRITE_LINK_POLICY:
2784 hci_cc_write_link_policy(hdev, skb);
2787 case HCI_OP_READ_DEF_LINK_POLICY:
2788 hci_cc_read_def_link_policy(hdev, skb);
2791 case HCI_OP_WRITE_DEF_LINK_POLICY:
2792 hci_cc_write_def_link_policy(hdev, skb);
2796 hci_cc_reset(hdev, skb);
2799 case HCI_OP_READ_STORED_LINK_KEY:
2800 hci_cc_read_stored_link_key(hdev, skb);
2803 case HCI_OP_DELETE_STORED_LINK_KEY:
2804 hci_cc_delete_stored_link_key(hdev, skb);
2807 case HCI_OP_WRITE_LOCAL_NAME:
2808 hci_cc_write_local_name(hdev, skb);
2811 case HCI_OP_READ_LOCAL_NAME:
2812 hci_cc_read_local_name(hdev, skb);
2815 case HCI_OP_WRITE_AUTH_ENABLE:
2816 hci_cc_write_auth_enable(hdev, skb);
2819 case HCI_OP_WRITE_ENCRYPT_MODE:
2820 hci_cc_write_encrypt_mode(hdev, skb);
2823 case HCI_OP_WRITE_SCAN_ENABLE:
2824 hci_cc_write_scan_enable(hdev, skb);
2827 case HCI_OP_READ_CLASS_OF_DEV:
2828 hci_cc_read_class_of_dev(hdev, skb);
2831 case HCI_OP_WRITE_CLASS_OF_DEV:
2832 hci_cc_write_class_of_dev(hdev, skb);
2835 case HCI_OP_READ_VOICE_SETTING:
2836 hci_cc_read_voice_setting(hdev, skb);
2839 case HCI_OP_WRITE_VOICE_SETTING:
2840 hci_cc_write_voice_setting(hdev, skb);
2843 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2844 hci_cc_read_num_supported_iac(hdev, skb);
2847 case HCI_OP_WRITE_SSP_MODE:
2848 hci_cc_write_ssp_mode(hdev, skb);
2851 case HCI_OP_WRITE_SC_SUPPORT:
2852 hci_cc_write_sc_support(hdev, skb);
2855 case HCI_OP_READ_LOCAL_VERSION:
2856 hci_cc_read_local_version(hdev, skb);
2859 case HCI_OP_READ_LOCAL_COMMANDS:
2860 hci_cc_read_local_commands(hdev, skb);
2863 case HCI_OP_READ_LOCAL_FEATURES:
2864 hci_cc_read_local_features(hdev, skb);
2867 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2868 hci_cc_read_local_ext_features(hdev, skb);
2871 case HCI_OP_READ_BUFFER_SIZE:
2872 hci_cc_read_buffer_size(hdev, skb);
2875 case HCI_OP_READ_BD_ADDR:
2876 hci_cc_read_bd_addr(hdev, skb);
2879 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2880 hci_cc_read_page_scan_activity(hdev, skb);
2883 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2884 hci_cc_write_page_scan_activity(hdev, skb);
2887 case HCI_OP_READ_PAGE_SCAN_TYPE:
2888 hci_cc_read_page_scan_type(hdev, skb);
2891 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2892 hci_cc_write_page_scan_type(hdev, skb);
2895 case HCI_OP_READ_DATA_BLOCK_SIZE:
2896 hci_cc_read_data_block_size(hdev, skb);
2899 case HCI_OP_READ_FLOW_CONTROL_MODE:
2900 hci_cc_read_flow_control_mode(hdev, skb);
2903 case HCI_OP_READ_LOCAL_AMP_INFO:
2904 hci_cc_read_local_amp_info(hdev, skb);
2907 case HCI_OP_READ_CLOCK:
2908 hci_cc_read_clock(hdev, skb);
2911 case HCI_OP_READ_INQ_RSP_TX_POWER:
2912 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2915 case HCI_OP_PIN_CODE_REPLY:
2916 hci_cc_pin_code_reply(hdev, skb);
2919 case HCI_OP_PIN_CODE_NEG_REPLY:
2920 hci_cc_pin_code_neg_reply(hdev, skb);
2923 case HCI_OP_READ_LOCAL_OOB_DATA:
2924 hci_cc_read_local_oob_data(hdev, skb);
2927 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2928 hci_cc_read_local_oob_ext_data(hdev, skb);
2931 case HCI_OP_LE_READ_BUFFER_SIZE:
2932 hci_cc_le_read_buffer_size(hdev, skb);
2935 case HCI_OP_LE_READ_LOCAL_FEATURES:
2936 hci_cc_le_read_local_features(hdev, skb);
2939 case HCI_OP_LE_READ_ADV_TX_POWER:
2940 hci_cc_le_read_adv_tx_power(hdev, skb);
2943 case HCI_OP_USER_CONFIRM_REPLY:
2944 hci_cc_user_confirm_reply(hdev, skb);
2947 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2948 hci_cc_user_confirm_neg_reply(hdev, skb);
2951 case HCI_OP_USER_PASSKEY_REPLY:
2952 hci_cc_user_passkey_reply(hdev, skb);
2955 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2956 hci_cc_user_passkey_neg_reply(hdev, skb);
2959 case HCI_OP_LE_SET_RANDOM_ADDR:
2960 hci_cc_le_set_random_addr(hdev, skb);
2963 case HCI_OP_LE_SET_ADV_ENABLE:
2964 hci_cc_le_set_adv_enable(hdev, skb);
2967 case HCI_OP_LE_SET_SCAN_PARAM:
2968 hci_cc_le_set_scan_param(hdev, skb);
2971 case HCI_OP_LE_SET_SCAN_ENABLE:
2972 hci_cc_le_set_scan_enable(hdev, skb);
2975 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2976 hci_cc_le_read_white_list_size(hdev, skb);
2979 case HCI_OP_LE_CLEAR_WHITE_LIST:
2980 hci_cc_le_clear_white_list(hdev, skb);
2983 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2984 hci_cc_le_add_to_white_list(hdev, skb);
2987 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2988 hci_cc_le_del_from_white_list(hdev, skb);
2991 case HCI_OP_LE_READ_SUPPORTED_STATES:
2992 hci_cc_le_read_supported_states(hdev, skb);
2995 case HCI_OP_LE_READ_DEF_DATA_LEN:
2996 hci_cc_le_read_def_data_len(hdev, skb);
2999 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3000 hci_cc_le_write_def_data_len(hdev, skb);
3003 case HCI_OP_LE_READ_MAX_DATA_LEN:
3004 hci_cc_le_read_max_data_len(hdev, skb);
3007 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3008 hci_cc_write_le_host_supported(hdev, skb);
3011 case HCI_OP_LE_SET_ADV_PARAM:
3012 hci_cc_set_adv_param(hdev, skb);
3015 case HCI_OP_READ_RSSI:
3016 hci_cc_read_rssi(hdev, skb);
3019 case HCI_OP_READ_TX_POWER:
3020 hci_cc_read_tx_power(hdev, skb);
3023 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3024 hci_cc_write_ssp_debug_mode(hdev, skb);
3028 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3032 if (*opcode != HCI_OP_NOP)
3033 cancel_delayed_work(&hdev->cmd_timer);
3035 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3036 atomic_set(&hdev->cmd_cnt, 1);
3038 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3041 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3042 queue_work(hdev->workqueue, &hdev->cmd_work);
3045 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3046 u16 *opcode, u8 *status,
3047 hci_req_complete_t *req_complete,
3048 hci_req_complete_skb_t *req_complete_skb)
3050 struct hci_ev_cmd_status *ev = (void *) skb->data;
3052 skb_pull(skb, sizeof(*ev));
3054 *opcode = __le16_to_cpu(ev->opcode);
3055 *status = ev->status;
3058 case HCI_OP_INQUIRY:
3059 hci_cs_inquiry(hdev, ev->status);
3062 case HCI_OP_CREATE_CONN:
3063 hci_cs_create_conn(hdev, ev->status);
3066 case HCI_OP_DISCONNECT:
3067 hci_cs_disconnect(hdev, ev->status);
3070 case HCI_OP_ADD_SCO:
3071 hci_cs_add_sco(hdev, ev->status);
3074 case HCI_OP_AUTH_REQUESTED:
3075 hci_cs_auth_requested(hdev, ev->status);
3078 case HCI_OP_SET_CONN_ENCRYPT:
3079 hci_cs_set_conn_encrypt(hdev, ev->status);
3082 case HCI_OP_REMOTE_NAME_REQ:
3083 hci_cs_remote_name_req(hdev, ev->status);
3086 case HCI_OP_READ_REMOTE_FEATURES:
3087 hci_cs_read_remote_features(hdev, ev->status);
3090 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3091 hci_cs_read_remote_ext_features(hdev, ev->status);
3094 case HCI_OP_SETUP_SYNC_CONN:
3095 hci_cs_setup_sync_conn(hdev, ev->status);
3098 case HCI_OP_SNIFF_MODE:
3099 hci_cs_sniff_mode(hdev, ev->status);
3102 case HCI_OP_EXIT_SNIFF_MODE:
3103 hci_cs_exit_sniff_mode(hdev, ev->status);
3106 case HCI_OP_SWITCH_ROLE:
3107 hci_cs_switch_role(hdev, ev->status);
3110 case HCI_OP_LE_CREATE_CONN:
3111 hci_cs_le_create_conn(hdev, ev->status);
3114 case HCI_OP_LE_READ_REMOTE_FEATURES:
3115 hci_cs_le_read_remote_features(hdev, ev->status);
3118 case HCI_OP_LE_START_ENC:
3119 hci_cs_le_start_enc(hdev, ev->status);
3123 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3127 if (*opcode != HCI_OP_NOP)
3128 cancel_delayed_work(&hdev->cmd_timer);
3130 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3131 atomic_set(&hdev->cmd_cnt, 1);
3133 /* Indicate request completion if the command failed. Also, if
3134 * we're not waiting for a special event and we get a success
3135 * command status we should try to flag the request as completed
3136 * (since for this kind of commands there will not be a command
3140 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
3141 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3144 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3145 queue_work(hdev->workqueue, &hdev->cmd_work);
3148 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3150 struct hci_ev_hardware_error *ev = (void *) skb->data;
3152 hdev->hw_error_code = ev->code;
3154 queue_work(hdev->req_workqueue, &hdev->error_reset);
3157 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3159 struct hci_ev_role_change *ev = (void *) skb->data;
3160 struct hci_conn *conn;
3162 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3166 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3169 conn->role = ev->role;
3171 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3173 hci_role_switch_cfm(conn, ev->status, ev->role);
3176 hci_dev_unlock(hdev);
3179 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3181 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3184 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3185 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3189 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3190 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3191 BT_DBG("%s bad parameters", hdev->name);
3195 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3197 for (i = 0; i < ev->num_hndl; i++) {
3198 struct hci_comp_pkts_info *info = &ev->handles[i];
3199 struct hci_conn *conn;
3200 __u16 handle, count;
3202 handle = __le16_to_cpu(info->handle);
3203 count = __le16_to_cpu(info->count);
3205 conn = hci_conn_hash_lookup_handle(hdev, handle);
3209 conn->sent -= count;
3211 switch (conn->type) {
3213 hdev->acl_cnt += count;
3214 if (hdev->acl_cnt > hdev->acl_pkts)
3215 hdev->acl_cnt = hdev->acl_pkts;
3219 if (hdev->le_pkts) {
3220 hdev->le_cnt += count;
3221 if (hdev->le_cnt > hdev->le_pkts)
3222 hdev->le_cnt = hdev->le_pkts;
3224 hdev->acl_cnt += count;
3225 if (hdev->acl_cnt > hdev->acl_pkts)
3226 hdev->acl_cnt = hdev->acl_pkts;
3231 hdev->sco_cnt += count;
3232 if (hdev->sco_cnt > hdev->sco_pkts)
3233 hdev->sco_cnt = hdev->sco_pkts;
3237 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3242 queue_work(hdev->workqueue, &hdev->tx_work);
3245 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3248 struct hci_chan *chan;
3250 switch (hdev->dev_type) {
3252 return hci_conn_hash_lookup_handle(hdev, handle);
3254 chan = hci_chan_lookup_handle(hdev, handle);
3259 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3266 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3268 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3271 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3272 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3276 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3277 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3278 BT_DBG("%s bad parameters", hdev->name);
3282 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3285 for (i = 0; i < ev->num_hndl; i++) {
3286 struct hci_comp_blocks_info *info = &ev->handles[i];
3287 struct hci_conn *conn = NULL;
3288 __u16 handle, block_count;
3290 handle = __le16_to_cpu(info->handle);
3291 block_count = __le16_to_cpu(info->blocks);
3293 conn = __hci_conn_lookup_handle(hdev, handle);
3297 conn->sent -= block_count;
3299 switch (conn->type) {
3302 hdev->block_cnt += block_count;
3303 if (hdev->block_cnt > hdev->num_blocks)
3304 hdev->block_cnt = hdev->num_blocks;
3308 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3313 queue_work(hdev->workqueue, &hdev->tx_work);
3316 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3318 struct hci_ev_mode_change *ev = (void *) skb->data;
3319 struct hci_conn *conn;
3321 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3325 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3327 conn->mode = ev->mode;
3329 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3331 if (conn->mode == HCI_CM_ACTIVE)
3332 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3334 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3337 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3338 hci_sco_setup(conn, ev->status);
3341 hci_dev_unlock(hdev);
3344 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3346 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3347 struct hci_conn *conn;
3349 BT_DBG("%s", hdev->name);
3353 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3357 if (conn->state == BT_CONNECTED) {
3358 hci_conn_hold(conn);
3359 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3360 hci_conn_drop(conn);
3363 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3364 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3365 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3366 sizeof(ev->bdaddr), &ev->bdaddr);
3367 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3370 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3375 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3379 hci_dev_unlock(hdev);
3382 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3384 if (key_type == HCI_LK_CHANGED_COMBINATION)
3387 conn->pin_length = pin_len;
3388 conn->key_type = key_type;
3391 case HCI_LK_LOCAL_UNIT:
3392 case HCI_LK_REMOTE_UNIT:
3393 case HCI_LK_DEBUG_COMBINATION:
3395 case HCI_LK_COMBINATION:
3397 conn->pending_sec_level = BT_SECURITY_HIGH;
3399 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3401 case HCI_LK_UNAUTH_COMBINATION_P192:
3402 case HCI_LK_UNAUTH_COMBINATION_P256:
3403 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3405 case HCI_LK_AUTH_COMBINATION_P192:
3406 conn->pending_sec_level = BT_SECURITY_HIGH;
3408 case HCI_LK_AUTH_COMBINATION_P256:
3409 conn->pending_sec_level = BT_SECURITY_FIPS;
3414 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3416 struct hci_ev_link_key_req *ev = (void *) skb->data;
3417 struct hci_cp_link_key_reply cp;
3418 struct hci_conn *conn;
3419 struct link_key *key;
3421 BT_DBG("%s", hdev->name);
3423 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3428 key = hci_find_link_key(hdev, &ev->bdaddr);
3430 BT_DBG("%s link key not found for %pMR", hdev->name,
3435 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3438 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3440 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3442 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3443 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3444 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3445 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3449 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3450 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3451 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3452 BT_DBG("%s ignoring key unauthenticated for high security",
3457 conn_set_key(conn, key->type, key->pin_len);
3460 bacpy(&cp.bdaddr, &ev->bdaddr);
3461 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3463 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3465 hci_dev_unlock(hdev);
3470 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3471 hci_dev_unlock(hdev);
3474 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3476 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3477 struct hci_conn *conn;
3478 struct link_key *key;
3482 BT_DBG("%s", hdev->name);
3486 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3490 hci_conn_hold(conn);
3491 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3492 hci_conn_drop(conn);
3494 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3495 conn_set_key(conn, ev->key_type, conn->pin_length);
3497 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3500 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3501 ev->key_type, pin_len, &persistent);
3505 /* Update connection information since adding the key will have
3506 * fixed up the type in the case of changed combination keys.
3508 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3509 conn_set_key(conn, key->type, key->pin_len);
3511 mgmt_new_link_key(hdev, key, persistent);
3513 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3514 * is set. If it's not set simply remove the key from the kernel
3515 * list (we've still notified user space about it but with
3516 * store_hint being 0).
3518 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3519 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3520 list_del_rcu(&key->list);
3521 kfree_rcu(key, rcu);
3526 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3528 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3531 hci_dev_unlock(hdev);
3534 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3536 struct hci_ev_clock_offset *ev = (void *) skb->data;
3537 struct hci_conn *conn;
3539 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3543 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3544 if (conn && !ev->status) {
3545 struct inquiry_entry *ie;
3547 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3549 ie->data.clock_offset = ev->clock_offset;
3550 ie->timestamp = jiffies;
3554 hci_dev_unlock(hdev);
3557 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3559 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3560 struct hci_conn *conn;
3562 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3566 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3567 if (conn && !ev->status)
3568 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3570 hci_dev_unlock(hdev);
3573 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3575 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3576 struct inquiry_entry *ie;
3578 BT_DBG("%s", hdev->name);
3582 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3584 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3585 ie->timestamp = jiffies;
3588 hci_dev_unlock(hdev);
3591 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3592 struct sk_buff *skb)
3594 struct inquiry_data data;
3595 int num_rsp = *((__u8 *) skb->data);
3597 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3602 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3607 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3608 struct inquiry_info_with_rssi_and_pscan_mode *info;
3609 info = (void *) (skb->data + 1);
3611 for (; num_rsp; num_rsp--, info++) {
3614 bacpy(&data.bdaddr, &info->bdaddr);
3615 data.pscan_rep_mode = info->pscan_rep_mode;
3616 data.pscan_period_mode = info->pscan_period_mode;
3617 data.pscan_mode = info->pscan_mode;
3618 memcpy(data.dev_class, info->dev_class, 3);
3619 data.clock_offset = info->clock_offset;
3620 data.rssi = info->rssi;
3621 data.ssp_mode = 0x00;
3623 flags = hci_inquiry_cache_update(hdev, &data, false);
3625 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3626 info->dev_class, info->rssi,
3627 flags, NULL, 0, NULL, 0);
3630 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3632 for (; num_rsp; num_rsp--, info++) {
3635 bacpy(&data.bdaddr, &info->bdaddr);
3636 data.pscan_rep_mode = info->pscan_rep_mode;
3637 data.pscan_period_mode = info->pscan_period_mode;
3638 data.pscan_mode = 0x00;
3639 memcpy(data.dev_class, info->dev_class, 3);
3640 data.clock_offset = info->clock_offset;
3641 data.rssi = info->rssi;
3642 data.ssp_mode = 0x00;
3644 flags = hci_inquiry_cache_update(hdev, &data, false);
3646 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3647 info->dev_class, info->rssi,
3648 flags, NULL, 0, NULL, 0);
3652 hci_dev_unlock(hdev);
3655 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3656 struct sk_buff *skb)
3658 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3659 struct hci_conn *conn;
3661 BT_DBG("%s", hdev->name);
3665 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3669 if (ev->page < HCI_MAX_PAGES)
3670 memcpy(conn->features[ev->page], ev->features, 8);
3672 if (!ev->status && ev->page == 0x01) {
3673 struct inquiry_entry *ie;
3675 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3677 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3679 if (ev->features[0] & LMP_HOST_SSP) {
3680 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3682 /* It is mandatory by the Bluetooth specification that
3683 * Extended Inquiry Results are only used when Secure
3684 * Simple Pairing is enabled, but some devices violate
3687 * To make these devices work, the internal SSP
3688 * enabled flag needs to be cleared if the remote host
3689 * features do not indicate SSP support */
3690 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3693 if (ev->features[0] & LMP_HOST_SC)
3694 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3697 if (conn->state != BT_CONFIG)
3700 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3701 struct hci_cp_remote_name_req cp;
3702 memset(&cp, 0, sizeof(cp));
3703 bacpy(&cp.bdaddr, &conn->dst);
3704 cp.pscan_rep_mode = 0x02;
3705 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3706 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3707 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3709 if (!hci_outgoing_auth_needed(hdev, conn)) {
3710 conn->state = BT_CONNECTED;
3711 hci_connect_cfm(conn, ev->status);
3712 hci_conn_drop(conn);
3716 hci_dev_unlock(hdev);
3719 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3720 struct sk_buff *skb)
3722 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3723 struct hci_conn *conn;
3725 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3729 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3731 if (ev->link_type == ESCO_LINK)
3734 /* When the link type in the event indicates SCO connection
3735 * and lookup of the connection object fails, then check
3736 * if an eSCO connection object exists.
3738 * The core limits the synchronous connections to either
3739 * SCO or eSCO. The eSCO connection is preferred and tried
3740 * to be setup first and until successfully established,
3741 * the link type will be hinted as eSCO.
3743 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3748 switch (ev->status) {
3750 conn->handle = __le16_to_cpu(ev->handle);
3751 conn->state = BT_CONNECTED;
3752 conn->type = ev->link_type;
3754 hci_debugfs_create_conn(conn);
3755 hci_conn_add_sysfs(conn);
3758 case 0x10: /* Connection Accept Timeout */
3759 case 0x0d: /* Connection Rejected due to Limited Resources */
3760 case 0x11: /* Unsupported Feature or Parameter Value */
3761 case 0x1c: /* SCO interval rejected */
3762 case 0x1a: /* Unsupported Remote Feature */
3763 case 0x1f: /* Unspecified error */
3764 case 0x20: /* Unsupported LMP Parameter value */
3766 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3767 (hdev->esco_type & EDR_ESCO_MASK);
3768 if (hci_setup_sync(conn, conn->link->handle))
3774 conn->state = BT_CLOSED;
3778 hci_connect_cfm(conn, ev->status);
3783 hci_dev_unlock(hdev);
3786 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3790 while (parsed < eir_len) {
3791 u8 field_len = eir[0];
3796 parsed += field_len + 1;
3797 eir += field_len + 1;
3803 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3804 struct sk_buff *skb)
3806 struct inquiry_data data;
3807 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3808 int num_rsp = *((__u8 *) skb->data);
3811 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3816 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3821 for (; num_rsp; num_rsp--, info++) {
3825 bacpy(&data.bdaddr, &info->bdaddr);
3826 data.pscan_rep_mode = info->pscan_rep_mode;
3827 data.pscan_period_mode = info->pscan_period_mode;
3828 data.pscan_mode = 0x00;
3829 memcpy(data.dev_class, info->dev_class, 3);
3830 data.clock_offset = info->clock_offset;
3831 data.rssi = info->rssi;
3832 data.ssp_mode = 0x01;
3834 if (hci_dev_test_flag(hdev, HCI_MGMT))
3835 name_known = eir_has_data_type(info->data,
3841 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3843 eir_len = eir_get_length(info->data, sizeof(info->data));
3845 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3846 info->dev_class, info->rssi,
3847 flags, info->data, eir_len, NULL, 0);
3850 hci_dev_unlock(hdev);
3853 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3854 struct sk_buff *skb)
3856 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3857 struct hci_conn *conn;
3859 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3860 __le16_to_cpu(ev->handle));
3864 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3868 /* For BR/EDR the necessary steps are taken through the
3869 * auth_complete event.
3871 if (conn->type != LE_LINK)
3875 conn->sec_level = conn->pending_sec_level;
3877 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3879 if (ev->status && conn->state == BT_CONNECTED) {
3880 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3881 hci_conn_drop(conn);
3885 if (conn->state == BT_CONFIG) {
3887 conn->state = BT_CONNECTED;
3889 hci_connect_cfm(conn, ev->status);
3890 hci_conn_drop(conn);
3892 hci_auth_cfm(conn, ev->status);
3894 hci_conn_hold(conn);
3895 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3896 hci_conn_drop(conn);
3900 hci_dev_unlock(hdev);
3903 static u8 hci_get_auth_req(struct hci_conn *conn)
3905 /* If remote requests no-bonding follow that lead */
3906 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3907 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3908 return conn->remote_auth | (conn->auth_type & 0x01);
3910 /* If both remote and local have enough IO capabilities, require
3913 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3914 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3915 return conn->remote_auth | 0x01;
3917 /* No MITM protection possible so ignore remote requirement */
3918 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3921 static u8 bredr_oob_data_present(struct hci_conn *conn)
3923 struct hci_dev *hdev = conn->hdev;
3924 struct oob_data *data;
3926 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3930 if (bredr_sc_enabled(hdev)) {
3931 /* When Secure Connections is enabled, then just
3932 * return the present value stored with the OOB
3933 * data. The stored value contains the right present
3934 * information. However it can only be trusted when
3935 * not in Secure Connection Only mode.
3937 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3938 return data->present;
3940 /* When Secure Connections Only mode is enabled, then
3941 * the P-256 values are required. If they are not
3942 * available, then do not declare that OOB data is
3945 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3946 !memcmp(data->hash256, ZERO_KEY, 16))
3952 /* When Secure Connections is not enabled or actually
3953 * not supported by the hardware, then check that if
3954 * P-192 data values are present.
3956 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3957 !memcmp(data->hash192, ZERO_KEY, 16))
3963 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3965 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3966 struct hci_conn *conn;
3968 BT_DBG("%s", hdev->name);
3972 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3976 hci_conn_hold(conn);
3978 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3981 /* Allow pairing if we're pairable, the initiators of the
3982 * pairing or if the remote is not requesting bonding.
3984 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3985 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3986 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3987 struct hci_cp_io_capability_reply cp;
3989 bacpy(&cp.bdaddr, &ev->bdaddr);
3990 /* Change the IO capability from KeyboardDisplay
3991 * to DisplayYesNo as it is not supported by BT spec. */
3992 cp.capability = (conn->io_capability == 0x04) ?
3993 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3995 /* If we are initiators, there is no remote information yet */
3996 if (conn->remote_auth == 0xff) {
3997 /* Request MITM protection if our IO caps allow it
3998 * except for the no-bonding case.
4000 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4001 conn->auth_type != HCI_AT_NO_BONDING)
4002 conn->auth_type |= 0x01;
4004 conn->auth_type = hci_get_auth_req(conn);
4007 /* If we're not bondable, force one of the non-bondable
4008 * authentication requirement values.
4010 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4011 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4013 cp.authentication = conn->auth_type;
4014 cp.oob_data = bredr_oob_data_present(conn);
4016 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4019 struct hci_cp_io_capability_neg_reply cp;
4021 bacpy(&cp.bdaddr, &ev->bdaddr);
4022 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4024 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4029 hci_dev_unlock(hdev);
4032 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4034 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4035 struct hci_conn *conn;
4037 BT_DBG("%s", hdev->name);
4041 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4045 conn->remote_cap = ev->capability;
4046 conn->remote_auth = ev->authentication;
4049 hci_dev_unlock(hdev);
4052 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4053 struct sk_buff *skb)
4055 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4056 int loc_mitm, rem_mitm, confirm_hint = 0;
4057 struct hci_conn *conn;
4059 BT_DBG("%s", hdev->name);
4063 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4066 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4070 loc_mitm = (conn->auth_type & 0x01);
4071 rem_mitm = (conn->remote_auth & 0x01);
4073 /* If we require MITM but the remote device can't provide that
4074 * (it has NoInputNoOutput) then reject the confirmation
4075 * request. We check the security level here since it doesn't
4076 * necessarily match conn->auth_type.
4078 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4079 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4080 BT_DBG("Rejecting request: remote device can't provide MITM");
4081 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4082 sizeof(ev->bdaddr), &ev->bdaddr);
4086 /* If no side requires MITM protection; auto-accept */
4087 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4088 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4090 /* If we're not the initiators request authorization to
4091 * proceed from user space (mgmt_user_confirm with
4092 * confirm_hint set to 1). The exception is if neither
4093 * side had MITM or if the local IO capability is
4094 * NoInputNoOutput, in which case we do auto-accept
4096 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4097 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4098 (loc_mitm || rem_mitm)) {
4099 BT_DBG("Confirming auto-accept as acceptor");
4104 BT_DBG("Auto-accept of user confirmation with %ums delay",
4105 hdev->auto_accept_delay);
4107 if (hdev->auto_accept_delay > 0) {
4108 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4109 queue_delayed_work(conn->hdev->workqueue,
4110 &conn->auto_accept_work, delay);
4114 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4115 sizeof(ev->bdaddr), &ev->bdaddr);
4120 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4121 le32_to_cpu(ev->passkey), confirm_hint);
4124 hci_dev_unlock(hdev);
4127 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4128 struct sk_buff *skb)
4130 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4132 BT_DBG("%s", hdev->name);
4134 if (hci_dev_test_flag(hdev, HCI_MGMT))
4135 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4138 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4139 struct sk_buff *skb)
4141 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4142 struct hci_conn *conn;
4144 BT_DBG("%s", hdev->name);
4146 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4150 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4151 conn->passkey_entered = 0;
4153 if (hci_dev_test_flag(hdev, HCI_MGMT))
4154 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4155 conn->dst_type, conn->passkey_notify,
4156 conn->passkey_entered);
4159 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4161 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4162 struct hci_conn *conn;
4164 BT_DBG("%s", hdev->name);
4166 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4171 case HCI_KEYPRESS_STARTED:
4172 conn->passkey_entered = 0;
4175 case HCI_KEYPRESS_ENTERED:
4176 conn->passkey_entered++;
4179 case HCI_KEYPRESS_ERASED:
4180 conn->passkey_entered--;
4183 case HCI_KEYPRESS_CLEARED:
4184 conn->passkey_entered = 0;
4187 case HCI_KEYPRESS_COMPLETED:
4191 if (hci_dev_test_flag(hdev, HCI_MGMT))
4192 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4193 conn->dst_type, conn->passkey_notify,
4194 conn->passkey_entered);
4197 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4198 struct sk_buff *skb)
4200 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4201 struct hci_conn *conn;
4203 BT_DBG("%s", hdev->name);
4207 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4211 /* Reset the authentication requirement to unknown */
4212 conn->remote_auth = 0xff;
4214 /* To avoid duplicate auth_failed events to user space we check
4215 * the HCI_CONN_AUTH_PEND flag which will be set if we
4216 * initiated the authentication. A traditional auth_complete
4217 * event gets always produced as initiator and is also mapped to
4218 * the mgmt_auth_failed event */
4219 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4220 mgmt_auth_failed(conn, ev->status);
4222 hci_conn_drop(conn);
4225 hci_dev_unlock(hdev);
4228 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4229 struct sk_buff *skb)
4231 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4232 struct inquiry_entry *ie;
4233 struct hci_conn *conn;
4235 BT_DBG("%s", hdev->name);
4239 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4241 memcpy(conn->features[1], ev->features, 8);
4243 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4245 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4247 hci_dev_unlock(hdev);
4250 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4251 struct sk_buff *skb)
4253 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4254 struct oob_data *data;
4256 BT_DBG("%s", hdev->name);
4260 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4263 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4265 struct hci_cp_remote_oob_data_neg_reply cp;
4267 bacpy(&cp.bdaddr, &ev->bdaddr);
4268 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4273 if (bredr_sc_enabled(hdev)) {
4274 struct hci_cp_remote_oob_ext_data_reply cp;
4276 bacpy(&cp.bdaddr, &ev->bdaddr);
4277 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4278 memset(cp.hash192, 0, sizeof(cp.hash192));
4279 memset(cp.rand192, 0, sizeof(cp.rand192));
4281 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4282 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4284 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4285 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4287 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4290 struct hci_cp_remote_oob_data_reply cp;
4292 bacpy(&cp.bdaddr, &ev->bdaddr);
4293 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4294 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4296 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4301 hci_dev_unlock(hdev);
4304 #if IS_ENABLED(CONFIG_BT_HS)
4305 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4307 struct hci_ev_channel_selected *ev = (void *)skb->data;
4308 struct hci_conn *hcon;
4310 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4312 skb_pull(skb, sizeof(*ev));
4314 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4318 amp_read_loc_assoc_final_data(hdev, hcon);
4321 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4322 struct sk_buff *skb)
4324 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4325 struct hci_conn *hcon, *bredr_hcon;
4327 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4332 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4334 hci_dev_unlock(hdev);
4340 hci_dev_unlock(hdev);
4344 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4346 hcon->state = BT_CONNECTED;
4347 bacpy(&hcon->dst, &bredr_hcon->dst);
4349 hci_conn_hold(hcon);
4350 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4351 hci_conn_drop(hcon);
4353 hci_debugfs_create_conn(hcon);
4354 hci_conn_add_sysfs(hcon);
4356 amp_physical_cfm(bredr_hcon, hcon);
4358 hci_dev_unlock(hdev);
4361 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4363 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4364 struct hci_conn *hcon;
4365 struct hci_chan *hchan;
4366 struct amp_mgr *mgr;
4368 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4369 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4372 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4376 /* Create AMP hchan */
4377 hchan = hci_chan_create(hcon);
4381 hchan->handle = le16_to_cpu(ev->handle);
4383 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4385 mgr = hcon->amp_mgr;
4386 if (mgr && mgr->bredr_chan) {
4387 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4389 l2cap_chan_lock(bredr_chan);
4391 bredr_chan->conn->mtu = hdev->block_mtu;
4392 l2cap_logical_cfm(bredr_chan, hchan, 0);
4393 hci_conn_hold(hcon);
4395 l2cap_chan_unlock(bredr_chan);
4399 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4400 struct sk_buff *skb)
4402 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4403 struct hci_chan *hchan;
4405 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4406 le16_to_cpu(ev->handle), ev->status);
4413 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4417 amp_destroy_logical_link(hchan, ev->reason);
4420 hci_dev_unlock(hdev);
4423 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4424 struct sk_buff *skb)
4426 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4427 struct hci_conn *hcon;
4429 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4436 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4438 hcon->state = BT_CLOSED;
4442 hci_dev_unlock(hdev);
4446 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4448 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4449 struct hci_conn_params *params;
4450 struct hci_conn *conn;
4451 struct smp_irk *irk;
4454 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4458 /* All controllers implicitly stop advertising in the event of a
4459 * connection, so ensure that the state bit is cleared.
4461 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4463 conn = hci_lookup_le_connect(hdev);
4465 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4467 BT_ERR("No memory for new connection");
4471 conn->dst_type = ev->bdaddr_type;
4473 /* If we didn't have a hci_conn object previously
4474 * but we're in master role this must be something
4475 * initiated using a white list. Since white list based
4476 * connections are not "first class citizens" we don't
4477 * have full tracking of them. Therefore, we go ahead
4478 * with a "best effort" approach of determining the
4479 * initiator address based on the HCI_PRIVACY flag.
4482 conn->resp_addr_type = ev->bdaddr_type;
4483 bacpy(&conn->resp_addr, &ev->bdaddr);
4484 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4485 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4486 bacpy(&conn->init_addr, &hdev->rpa);
4488 hci_copy_identity_address(hdev,
4490 &conn->init_addr_type);
4494 cancel_delayed_work(&conn->le_conn_timeout);
4498 /* Set the responder (our side) address type based on
4499 * the advertising address type.
4501 conn->resp_addr_type = hdev->adv_addr_type;
4502 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4503 bacpy(&conn->resp_addr, &hdev->random_addr);
4505 bacpy(&conn->resp_addr, &hdev->bdaddr);
4507 conn->init_addr_type = ev->bdaddr_type;
4508 bacpy(&conn->init_addr, &ev->bdaddr);
4510 /* For incoming connections, set the default minimum
4511 * and maximum connection interval. They will be used
4512 * to check if the parameters are in range and if not
4513 * trigger the connection update procedure.
4515 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4516 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4519 /* Lookup the identity address from the stored connection
4520 * address and address type.
4522 * When establishing connections to an identity address, the
4523 * connection procedure will store the resolvable random
4524 * address first. Now if it can be converted back into the
4525 * identity address, start using the identity address from
4528 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4530 bacpy(&conn->dst, &irk->bdaddr);
4531 conn->dst_type = irk->addr_type;
4535 hci_le_conn_failed(conn, ev->status);
4539 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4540 addr_type = BDADDR_LE_PUBLIC;
4542 addr_type = BDADDR_LE_RANDOM;
4544 /* Drop the connection if the device is blocked */
4545 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4546 hci_conn_drop(conn);
4550 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4551 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4553 conn->sec_level = BT_SECURITY_LOW;
4554 conn->handle = __le16_to_cpu(ev->handle);
4555 conn->state = BT_CONFIG;
4557 conn->le_conn_interval = le16_to_cpu(ev->interval);
4558 conn->le_conn_latency = le16_to_cpu(ev->latency);
4559 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4561 hci_debugfs_create_conn(conn);
4562 hci_conn_add_sysfs(conn);
4565 /* The remote features procedure is defined for master
4566 * role only. So only in case of an initiated connection
4567 * request the remote features.
4569 * If the local controller supports slave-initiated features
4570 * exchange, then requesting the remote features in slave
4571 * role is possible. Otherwise just transition into the
4572 * connected state without requesting the remote features.
4575 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4576 struct hci_cp_le_read_remote_features cp;
4578 cp.handle = __cpu_to_le16(conn->handle);
4580 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4583 hci_conn_hold(conn);
4585 conn->state = BT_CONNECTED;
4586 hci_connect_cfm(conn, ev->status);
4589 hci_connect_cfm(conn, ev->status);
4592 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4595 list_del_init(¶ms->action);
4597 hci_conn_drop(params->conn);
4598 hci_conn_put(params->conn);
4599 params->conn = NULL;
4604 hci_update_background_scan(hdev);
4605 hci_dev_unlock(hdev);
4608 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4609 struct sk_buff *skb)
4611 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4612 struct hci_conn *conn;
4614 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4621 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4623 conn->le_conn_interval = le16_to_cpu(ev->interval);
4624 conn->le_conn_latency = le16_to_cpu(ev->latency);
4625 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4628 hci_dev_unlock(hdev);
4631 /* This function requires the caller holds hdev->lock */
4632 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4634 u8 addr_type, u8 adv_type)
4636 struct hci_conn *conn;
4637 struct hci_conn_params *params;
4639 /* If the event is not connectable don't proceed further */
4640 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4643 /* Ignore if the device is blocked */
4644 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4647 /* Most controller will fail if we try to create new connections
4648 * while we have an existing one in slave role.
4650 if (hdev->conn_hash.le_num_slave > 0)
4653 /* If we're not connectable only connect devices that we have in
4654 * our pend_le_conns list.
4656 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4661 if (!params->explicit_connect) {
4662 switch (params->auto_connect) {
4663 case HCI_AUTO_CONN_DIRECT:
4664 /* Only devices advertising with ADV_DIRECT_IND are
4665 * triggering a connection attempt. This is allowing
4666 * incoming connections from slave devices.
4668 if (adv_type != LE_ADV_DIRECT_IND)
4671 case HCI_AUTO_CONN_ALWAYS:
4672 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4673 * are triggering a connection attempt. This means
4674 * that incoming connectioms from slave device are
4675 * accepted and also outgoing connections to slave
4676 * devices are established when found.
4684 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4685 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4686 if (!IS_ERR(conn)) {
4687 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4688 * by higher layer that tried to connect, if no then
4689 * store the pointer since we don't really have any
4690 * other owner of the object besides the params that
4691 * triggered it. This way we can abort the connection if
4692 * the parameters get removed and keep the reference
4693 * count consistent once the connection is established.
4696 if (!params->explicit_connect)
4697 params->conn = hci_conn_get(conn);
4702 switch (PTR_ERR(conn)) {
4704 /* If hci_connect() returns -EBUSY it means there is already
4705 * an LE connection attempt going on. Since controllers don't
4706 * support more than one connection attempt at the time, we
4707 * don't consider this an error case.
4711 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4718 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4719 u8 bdaddr_type, bdaddr_t *direct_addr,
4720 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4722 struct discovery_state *d = &hdev->discovery;
4723 struct smp_irk *irk;
4724 struct hci_conn *conn;
4728 /* If the direct address is present, then this report is from
4729 * a LE Direct Advertising Report event. In that case it is
4730 * important to see if the address is matching the local
4731 * controller address.
4734 /* Only resolvable random addresses are valid for these
4735 * kind of reports and others can be ignored.
4737 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4740 /* If the controller is not using resolvable random
4741 * addresses, then this report can be ignored.
4743 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4746 /* If the local IRK of the controller does not match
4747 * with the resolvable random address provided, then
4748 * this report can be ignored.
4750 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4754 /* Check if we need to convert to identity address */
4755 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4757 bdaddr = &irk->bdaddr;
4758 bdaddr_type = irk->addr_type;
4761 /* Check if we have been requested to connect to this device */
4762 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4763 if (conn && type == LE_ADV_IND) {
4764 /* Store report for later inclusion by
4765 * mgmt_device_connected
4767 memcpy(conn->le_adv_data, data, len);
4768 conn->le_adv_data_len = len;
4771 /* Passive scanning shouldn't trigger any device found events,
4772 * except for devices marked as CONN_REPORT for which we do send
4773 * device found events.
4775 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4776 if (type == LE_ADV_DIRECT_IND)
4779 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4780 bdaddr, bdaddr_type))
4783 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4784 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4787 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4788 rssi, flags, data, len, NULL, 0);
4792 /* When receiving non-connectable or scannable undirected
4793 * advertising reports, this means that the remote device is
4794 * not connectable and then clearly indicate this in the
4795 * device found event.
4797 * When receiving a scan response, then there is no way to
4798 * know if the remote device is connectable or not. However
4799 * since scan responses are merged with a previously seen
4800 * advertising report, the flags field from that report
4803 * In the really unlikely case that a controller get confused
4804 * and just sends a scan response event, then it is marked as
4805 * not connectable as well.
4807 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4808 type == LE_ADV_SCAN_RSP)
4809 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4813 /* If there's nothing pending either store the data from this
4814 * event or send an immediate device found event if the data
4815 * should not be stored for later.
4817 if (!has_pending_adv_report(hdev)) {
4818 /* If the report will trigger a SCAN_REQ store it for
4821 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4822 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4823 rssi, flags, data, len);
4827 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4828 rssi, flags, data, len, NULL, 0);
4832 /* Check if the pending report is for the same device as the new one */
4833 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4834 bdaddr_type == d->last_adv_addr_type);
4836 /* If the pending data doesn't match this report or this isn't a
4837 * scan response (e.g. we got a duplicate ADV_IND) then force
4838 * sending of the pending data.
4840 if (type != LE_ADV_SCAN_RSP || !match) {
4841 /* Send out whatever is in the cache, but skip duplicates */
4843 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4844 d->last_adv_addr_type, NULL,
4845 d->last_adv_rssi, d->last_adv_flags,
4847 d->last_adv_data_len, NULL, 0);
4849 /* If the new report will trigger a SCAN_REQ store it for
4852 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4853 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4854 rssi, flags, data, len);
4858 /* The advertising reports cannot be merged, so clear
4859 * the pending report and send out a device found event.
4861 clear_pending_adv_report(hdev);
4862 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4863 rssi, flags, data, len, NULL, 0);
4867 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4868 * the new event is a SCAN_RSP. We can therefore proceed with
4869 * sending a merged device found event.
4871 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4872 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4873 d->last_adv_data, d->last_adv_data_len, data, len);
4874 clear_pending_adv_report(hdev);
4877 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4879 u8 num_reports = skb->data[0];
4880 void *ptr = &skb->data[1];
4884 while (num_reports--) {
4885 struct hci_ev_le_advertising_info *ev = ptr;
4888 rssi = ev->data[ev->length];
4889 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4890 ev->bdaddr_type, NULL, 0, rssi,
4891 ev->data, ev->length);
4893 ptr += sizeof(*ev) + ev->length + 1;
4896 hci_dev_unlock(hdev);
4899 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4900 struct sk_buff *skb)
4902 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4903 struct hci_conn *conn;
4905 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4909 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4912 memcpy(conn->features[0], ev->features, 8);
4914 if (conn->state == BT_CONFIG) {
4917 /* If the local controller supports slave-initiated
4918 * features exchange, but the remote controller does
4919 * not, then it is possible that the error code 0x1a
4920 * for unsupported remote feature gets returned.
4922 * In this specific case, allow the connection to
4923 * transition into connected state and mark it as
4926 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4927 !conn->out && ev->status == 0x1a)
4930 status = ev->status;
4932 conn->state = BT_CONNECTED;
4933 hci_connect_cfm(conn, status);
4934 hci_conn_drop(conn);
4938 hci_dev_unlock(hdev);
4941 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4943 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4944 struct hci_cp_le_ltk_reply cp;
4945 struct hci_cp_le_ltk_neg_reply neg;
4946 struct hci_conn *conn;
4947 struct smp_ltk *ltk;
4949 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4953 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4957 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4961 if (smp_ltk_is_sc(ltk)) {
4962 /* With SC both EDiv and Rand are set to zero */
4963 if (ev->ediv || ev->rand)
4966 /* For non-SC keys check that EDiv and Rand match */
4967 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4971 memcpy(cp.ltk, ltk->val, ltk->enc_size);
4972 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
4973 cp.handle = cpu_to_le16(conn->handle);
4975 conn->pending_sec_level = smp_ltk_sec_level(ltk);
4977 conn->enc_key_size = ltk->enc_size;
4979 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4981 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4982 * temporary key used to encrypt a connection following
4983 * pairing. It is used during the Encrypted Session Setup to
4984 * distribute the keys. Later, security can be re-established
4985 * using a distributed LTK.
4987 if (ltk->type == SMP_STK) {
4988 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4989 list_del_rcu(<k->list);
4990 kfree_rcu(ltk, rcu);
4992 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4995 hci_dev_unlock(hdev);
5000 neg.handle = ev->handle;
5001 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5002 hci_dev_unlock(hdev);
5005 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5008 struct hci_cp_le_conn_param_req_neg_reply cp;
5010 cp.handle = cpu_to_le16(handle);
5013 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5017 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5018 struct sk_buff *skb)
5020 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5021 struct hci_cp_le_conn_param_req_reply cp;
5022 struct hci_conn *hcon;
5023 u16 handle, min, max, latency, timeout;
5025 handle = le16_to_cpu(ev->handle);
5026 min = le16_to_cpu(ev->interval_min);
5027 max = le16_to_cpu(ev->interval_max);
5028 latency = le16_to_cpu(ev->latency);
5029 timeout = le16_to_cpu(ev->timeout);
5031 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5032 if (!hcon || hcon->state != BT_CONNECTED)
5033 return send_conn_param_neg_reply(hdev, handle,
5034 HCI_ERROR_UNKNOWN_CONN_ID);
5036 if (hci_check_conn_params(min, max, latency, timeout))
5037 return send_conn_param_neg_reply(hdev, handle,
5038 HCI_ERROR_INVALID_LL_PARAMS);
5040 if (hcon->role == HCI_ROLE_MASTER) {
5041 struct hci_conn_params *params;
5046 params = hci_conn_params_lookup(hdev, &hcon->dst,
5049 params->conn_min_interval = min;
5050 params->conn_max_interval = max;
5051 params->conn_latency = latency;
5052 params->supervision_timeout = timeout;
5058 hci_dev_unlock(hdev);
5060 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5061 store_hint, min, max, latency, timeout);
5064 cp.handle = ev->handle;
5065 cp.interval_min = ev->interval_min;
5066 cp.interval_max = ev->interval_max;
5067 cp.latency = ev->latency;
5068 cp.timeout = ev->timeout;
5072 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5075 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5076 struct sk_buff *skb)
5078 u8 num_reports = skb->data[0];
5079 void *ptr = &skb->data[1];
5083 while (num_reports--) {
5084 struct hci_ev_le_direct_adv_info *ev = ptr;
5086 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5087 ev->bdaddr_type, &ev->direct_addr,
5088 ev->direct_addr_type, ev->rssi, NULL, 0);
5093 hci_dev_unlock(hdev);
5096 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5098 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5100 skb_pull(skb, sizeof(*le_ev));
5102 switch (le_ev->subevent) {
5103 case HCI_EV_LE_CONN_COMPLETE:
5104 hci_le_conn_complete_evt(hdev, skb);
5107 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5108 hci_le_conn_update_complete_evt(hdev, skb);
5111 case HCI_EV_LE_ADVERTISING_REPORT:
5112 hci_le_adv_report_evt(hdev, skb);
5115 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5116 hci_le_remote_feat_complete_evt(hdev, skb);
5119 case HCI_EV_LE_LTK_REQ:
5120 hci_le_ltk_request_evt(hdev, skb);
5123 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5124 hci_le_remote_conn_param_req_evt(hdev, skb);
5127 case HCI_EV_LE_DIRECT_ADV_REPORT:
5128 hci_le_direct_adv_report_evt(hdev, skb);
5136 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5137 u8 event, struct sk_buff *skb)
5139 struct hci_ev_cmd_complete *ev;
5140 struct hci_event_hdr *hdr;
5145 if (skb->len < sizeof(*hdr)) {
5146 BT_ERR("Too short HCI event");
5150 hdr = (void *) skb->data;
5151 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5154 if (hdr->evt != event)
5159 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5160 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5164 if (skb->len < sizeof(*ev)) {
5165 BT_ERR("Too short cmd_complete event");
5169 ev = (void *) skb->data;
5170 skb_pull(skb, sizeof(*ev));
5172 if (opcode != __le16_to_cpu(ev->opcode)) {
5173 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5174 __le16_to_cpu(ev->opcode));
5181 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5183 struct hci_event_hdr *hdr = (void *) skb->data;
5184 hci_req_complete_t req_complete = NULL;
5185 hci_req_complete_skb_t req_complete_skb = NULL;
5186 struct sk_buff *orig_skb = NULL;
5187 u8 status = 0, event = hdr->evt, req_evt = 0;
5188 u16 opcode = HCI_OP_NOP;
5190 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
5191 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5192 opcode = __le16_to_cpu(cmd_hdr->opcode);
5193 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5198 /* If it looks like we might end up having to call
5199 * req_complete_skb, store a pristine copy of the skb since the
5200 * various handlers may modify the original one through
5201 * skb_pull() calls, etc.
5203 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5204 event == HCI_EV_CMD_COMPLETE)
5205 orig_skb = skb_clone(skb, GFP_KERNEL);
5207 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5210 case HCI_EV_INQUIRY_COMPLETE:
5211 hci_inquiry_complete_evt(hdev, skb);
5214 case HCI_EV_INQUIRY_RESULT:
5215 hci_inquiry_result_evt(hdev, skb);
5218 case HCI_EV_CONN_COMPLETE:
5219 hci_conn_complete_evt(hdev, skb);
5222 case HCI_EV_CONN_REQUEST:
5223 hci_conn_request_evt(hdev, skb);
5226 case HCI_EV_DISCONN_COMPLETE:
5227 hci_disconn_complete_evt(hdev, skb);
5230 case HCI_EV_AUTH_COMPLETE:
5231 hci_auth_complete_evt(hdev, skb);
5234 case HCI_EV_REMOTE_NAME:
5235 hci_remote_name_evt(hdev, skb);
5238 case HCI_EV_ENCRYPT_CHANGE:
5239 hci_encrypt_change_evt(hdev, skb);
5242 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5243 hci_change_link_key_complete_evt(hdev, skb);
5246 case HCI_EV_REMOTE_FEATURES:
5247 hci_remote_features_evt(hdev, skb);
5250 case HCI_EV_CMD_COMPLETE:
5251 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5252 &req_complete, &req_complete_skb);
5255 case HCI_EV_CMD_STATUS:
5256 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5260 case HCI_EV_HARDWARE_ERROR:
5261 hci_hardware_error_evt(hdev, skb);
5264 case HCI_EV_ROLE_CHANGE:
5265 hci_role_change_evt(hdev, skb);
5268 case HCI_EV_NUM_COMP_PKTS:
5269 hci_num_comp_pkts_evt(hdev, skb);
5272 case HCI_EV_MODE_CHANGE:
5273 hci_mode_change_evt(hdev, skb);
5276 case HCI_EV_PIN_CODE_REQ:
5277 hci_pin_code_request_evt(hdev, skb);
5280 case HCI_EV_LINK_KEY_REQ:
5281 hci_link_key_request_evt(hdev, skb);
5284 case HCI_EV_LINK_KEY_NOTIFY:
5285 hci_link_key_notify_evt(hdev, skb);
5288 case HCI_EV_CLOCK_OFFSET:
5289 hci_clock_offset_evt(hdev, skb);
5292 case HCI_EV_PKT_TYPE_CHANGE:
5293 hci_pkt_type_change_evt(hdev, skb);
5296 case HCI_EV_PSCAN_REP_MODE:
5297 hci_pscan_rep_mode_evt(hdev, skb);
5300 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5301 hci_inquiry_result_with_rssi_evt(hdev, skb);
5304 case HCI_EV_REMOTE_EXT_FEATURES:
5305 hci_remote_ext_features_evt(hdev, skb);
5308 case HCI_EV_SYNC_CONN_COMPLETE:
5309 hci_sync_conn_complete_evt(hdev, skb);
5312 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5313 hci_extended_inquiry_result_evt(hdev, skb);
5316 case HCI_EV_KEY_REFRESH_COMPLETE:
5317 hci_key_refresh_complete_evt(hdev, skb);
5320 case HCI_EV_IO_CAPA_REQUEST:
5321 hci_io_capa_request_evt(hdev, skb);
5324 case HCI_EV_IO_CAPA_REPLY:
5325 hci_io_capa_reply_evt(hdev, skb);
5328 case HCI_EV_USER_CONFIRM_REQUEST:
5329 hci_user_confirm_request_evt(hdev, skb);
5332 case HCI_EV_USER_PASSKEY_REQUEST:
5333 hci_user_passkey_request_evt(hdev, skb);
5336 case HCI_EV_USER_PASSKEY_NOTIFY:
5337 hci_user_passkey_notify_evt(hdev, skb);
5340 case HCI_EV_KEYPRESS_NOTIFY:
5341 hci_keypress_notify_evt(hdev, skb);
5344 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5345 hci_simple_pair_complete_evt(hdev, skb);
5348 case HCI_EV_REMOTE_HOST_FEATURES:
5349 hci_remote_host_features_evt(hdev, skb);
5352 case HCI_EV_LE_META:
5353 hci_le_meta_evt(hdev, skb);
5356 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5357 hci_remote_oob_data_request_evt(hdev, skb);
5360 #if IS_ENABLED(CONFIG_BT_HS)
5361 case HCI_EV_CHANNEL_SELECTED:
5362 hci_chan_selected_evt(hdev, skb);
5365 case HCI_EV_PHY_LINK_COMPLETE:
5366 hci_phy_link_complete_evt(hdev, skb);
5369 case HCI_EV_LOGICAL_LINK_COMPLETE:
5370 hci_loglink_complete_evt(hdev, skb);
5373 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5374 hci_disconn_loglink_complete_evt(hdev, skb);
5377 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5378 hci_disconn_phylink_complete_evt(hdev, skb);
5382 case HCI_EV_NUM_COMP_BLOCKS:
5383 hci_num_comp_blocks_evt(hdev, skb);
5387 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5392 req_complete(hdev, status, opcode);
5393 } else if (req_complete_skb) {
5394 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5395 kfree_skb(orig_skb);
5398 req_complete_skb(hdev, status, opcode, orig_skb);
5401 kfree_skb(orig_skb);
5403 hdev->stat.evt_rx++;
projects / karo-tx-linux.git / blob