2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
25 /* Bluetooth HCI event handling. */
27 #include <asm/unaligned.h>
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
42 /* Handle HCI Event packets */
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
46 __u8 status = *((__u8 *) skb->data);
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
58 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
61 hci_conn_check_pending(hdev);
64 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
66 __u8 status = *((__u8 *) skb->data);
68 BT_DBG("%s status 0x%2.2x", hdev->name, status);
73 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
76 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
78 __u8 status = *((__u8 *) skb->data);
80 BT_DBG("%s status 0x%2.2x", hdev->name, status);
85 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
87 hci_conn_check_pending(hdev);
90 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
93 BT_DBG("%s", hdev->name);
96 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
98 struct hci_rp_role_discovery *rp = (void *) skb->data;
99 struct hci_conn *conn;
101 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
108 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
110 conn->role = rp->role;
112 hci_dev_unlock(hdev);
115 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
117 struct hci_rp_read_link_policy *rp = (void *) skb->data;
118 struct hci_conn *conn;
120 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
127 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
129 conn->link_policy = __le16_to_cpu(rp->policy);
131 hci_dev_unlock(hdev);
134 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
136 struct hci_rp_write_link_policy *rp = (void *) skb->data;
137 struct hci_conn *conn;
140 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
145 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
153 conn->link_policy = get_unaligned_le16(sent + 2);
155 hci_dev_unlock(hdev);
158 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
161 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
163 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
168 hdev->link_policy = __le16_to_cpu(rp->policy);
171 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
174 __u8 status = *((__u8 *) skb->data);
177 BT_DBG("%s status 0x%2.2x", hdev->name, status);
182 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
186 hdev->link_policy = get_unaligned_le16(sent);
189 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
191 __u8 status = *((__u8 *) skb->data);
193 BT_DBG("%s status 0x%2.2x", hdev->name, status);
195 clear_bit(HCI_RESET, &hdev->flags);
200 /* Reset all non-persistent flags */
201 hci_dev_clear_volatile_flags(hdev);
203 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
205 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
206 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
208 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
209 hdev->adv_data_len = 0;
211 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
212 hdev->scan_rsp_data_len = 0;
214 hdev->le_scan_type = LE_SCAN_PASSIVE;
216 hdev->ssp_debug_mode = 0;
218 hci_bdaddr_list_clear(&hdev->le_white_list);
221 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
224 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
225 struct hci_cp_read_stored_link_key *sent;
227 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
229 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
233 if (!rp->status && sent->read_all == 0x01) {
234 hdev->stored_max_keys = rp->max_keys;
235 hdev->stored_num_keys = rp->num_keys;
239 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
242 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
244 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
249 if (rp->num_keys <= hdev->stored_num_keys)
250 hdev->stored_num_keys -= rp->num_keys;
252 hdev->stored_num_keys = 0;
255 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
257 __u8 status = *((__u8 *) skb->data);
260 BT_DBG("%s status 0x%2.2x", hdev->name, status);
262 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 if (hci_dev_test_flag(hdev, HCI_MGMT))
269 mgmt_set_local_name_complete(hdev, sent, status);
271 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
273 hci_dev_unlock(hdev);
276 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 struct hci_rp_read_local_name *rp = (void *) skb->data;
280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
285 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
286 hci_dev_test_flag(hdev, HCI_CONFIG))
287 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
290 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
292 __u8 status = *((__u8 *) skb->data);
295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
297 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
304 __u8 param = *((__u8 *) sent);
306 if (param == AUTH_ENABLED)
307 set_bit(HCI_AUTH, &hdev->flags);
309 clear_bit(HCI_AUTH, &hdev->flags);
312 if (hci_dev_test_flag(hdev, HCI_MGMT))
313 mgmt_auth_enable_complete(hdev, status);
315 hci_dev_unlock(hdev);
318 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
320 __u8 status = *((__u8 *) skb->data);
324 BT_DBG("%s status 0x%2.2x", hdev->name, status);
329 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
333 param = *((__u8 *) sent);
336 set_bit(HCI_ENCRYPT, &hdev->flags);
338 clear_bit(HCI_ENCRYPT, &hdev->flags);
341 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
343 __u8 status = *((__u8 *) skb->data);
347 BT_DBG("%s status 0x%2.2x", hdev->name, status);
349 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
353 param = *((__u8 *) sent);
358 hdev->discov_timeout = 0;
362 if (param & SCAN_INQUIRY)
363 set_bit(HCI_ISCAN, &hdev->flags);
365 clear_bit(HCI_ISCAN, &hdev->flags);
367 if (param & SCAN_PAGE)
368 set_bit(HCI_PSCAN, &hdev->flags);
370 clear_bit(HCI_PSCAN, &hdev->flags);
373 hci_dev_unlock(hdev);
376 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
378 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
380 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
385 memcpy(hdev->dev_class, rp->dev_class, 3);
387 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
388 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
391 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
393 __u8 status = *((__u8 *) skb->data);
396 BT_DBG("%s status 0x%2.2x", hdev->name, status);
398 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
405 memcpy(hdev->dev_class, sent, 3);
407 if (hci_dev_test_flag(hdev, HCI_MGMT))
408 mgmt_set_class_of_dev_complete(hdev, sent, status);
410 hci_dev_unlock(hdev);
413 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
415 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
418 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
423 setting = __le16_to_cpu(rp->voice_setting);
425 if (hdev->voice_setting == setting)
428 hdev->voice_setting = setting;
430 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
433 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
436 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
439 __u8 status = *((__u8 *) skb->data);
443 BT_DBG("%s status 0x%2.2x", hdev->name, status);
448 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
452 setting = get_unaligned_le16(sent);
454 if (hdev->voice_setting == setting)
457 hdev->voice_setting = setting;
459 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
462 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
465 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
468 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
470 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
475 hdev->num_iac = rp->num_iac;
477 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
480 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
482 __u8 status = *((__u8 *) skb->data);
483 struct hci_cp_write_ssp_mode *sent;
485 BT_DBG("%s status 0x%2.2x", hdev->name, status);
487 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
495 hdev->features[1][0] |= LMP_HOST_SSP;
497 hdev->features[1][0] &= ~LMP_HOST_SSP;
500 if (hci_dev_test_flag(hdev, HCI_MGMT))
501 mgmt_ssp_enable_complete(hdev, sent->mode, status);
504 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
506 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
509 hci_dev_unlock(hdev);
512 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
514 u8 status = *((u8 *) skb->data);
515 struct hci_cp_write_sc_support *sent;
517 BT_DBG("%s status 0x%2.2x", hdev->name, status);
519 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
527 hdev->features[1][0] |= LMP_HOST_SC;
529 hdev->features[1][0] &= ~LMP_HOST_SC;
532 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
534 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
536 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
539 hci_dev_unlock(hdev);
542 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
544 struct hci_rp_read_local_version *rp = (void *) skb->data;
546 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
551 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
552 hci_dev_test_flag(hdev, HCI_CONFIG)) {
553 hdev->hci_ver = rp->hci_ver;
554 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
555 hdev->lmp_ver = rp->lmp_ver;
556 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
557 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
561 static void hci_cc_read_local_commands(struct hci_dev *hdev,
564 struct hci_rp_read_local_commands *rp = (void *) skb->data;
566 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
571 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
572 hci_dev_test_flag(hdev, HCI_CONFIG))
573 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
576 static void hci_cc_read_local_features(struct hci_dev *hdev,
579 struct hci_rp_read_local_features *rp = (void *) skb->data;
581 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
586 memcpy(hdev->features, rp->features, 8);
588 /* Adjust default settings according to features
589 * supported by device. */
591 if (hdev->features[0][0] & LMP_3SLOT)
592 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
594 if (hdev->features[0][0] & LMP_5SLOT)
595 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
597 if (hdev->features[0][1] & LMP_HV2) {
598 hdev->pkt_type |= (HCI_HV2);
599 hdev->esco_type |= (ESCO_HV2);
602 if (hdev->features[0][1] & LMP_HV3) {
603 hdev->pkt_type |= (HCI_HV3);
604 hdev->esco_type |= (ESCO_HV3);
607 if (lmp_esco_capable(hdev))
608 hdev->esco_type |= (ESCO_EV3);
610 if (hdev->features[0][4] & LMP_EV4)
611 hdev->esco_type |= (ESCO_EV4);
613 if (hdev->features[0][4] & LMP_EV5)
614 hdev->esco_type |= (ESCO_EV5);
616 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
617 hdev->esco_type |= (ESCO_2EV3);
619 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
620 hdev->esco_type |= (ESCO_3EV3);
622 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
623 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
626 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
629 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
631 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
636 if (hdev->max_page < rp->max_page)
637 hdev->max_page = rp->max_page;
639 if (rp->page < HCI_MAX_PAGES)
640 memcpy(hdev->features[rp->page], rp->features, 8);
643 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
646 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
653 hdev->flow_ctl_mode = rp->mode;
656 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
658 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
660 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
665 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
666 hdev->sco_mtu = rp->sco_mtu;
667 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
668 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
670 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
675 hdev->acl_cnt = hdev->acl_pkts;
676 hdev->sco_cnt = hdev->sco_pkts;
678 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
679 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
682 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
684 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
686 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
691 if (test_bit(HCI_INIT, &hdev->flags))
692 bacpy(&hdev->bdaddr, &rp->bdaddr);
694 if (hci_dev_test_flag(hdev, HCI_SETUP))
695 bacpy(&hdev->setup_addr, &rp->bdaddr);
698 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
701 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
703 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
708 if (test_bit(HCI_INIT, &hdev->flags)) {
709 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
710 hdev->page_scan_window = __le16_to_cpu(rp->window);
714 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
717 u8 status = *((u8 *) skb->data);
718 struct hci_cp_write_page_scan_activity *sent;
720 BT_DBG("%s status 0x%2.2x", hdev->name, status);
725 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
729 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
730 hdev->page_scan_window = __le16_to_cpu(sent->window);
733 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
736 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
738 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
743 if (test_bit(HCI_INIT, &hdev->flags))
744 hdev->page_scan_type = rp->type;
747 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
750 u8 status = *((u8 *) skb->data);
753 BT_DBG("%s status 0x%2.2x", hdev->name, status);
758 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
760 hdev->page_scan_type = *type;
763 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
766 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
768 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
773 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
774 hdev->block_len = __le16_to_cpu(rp->block_len);
775 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
777 hdev->block_cnt = hdev->num_blocks;
779 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
780 hdev->block_cnt, hdev->block_len);
783 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
785 struct hci_rp_read_clock *rp = (void *) skb->data;
786 struct hci_cp_read_clock *cp;
787 struct hci_conn *conn;
789 BT_DBG("%s", hdev->name);
791 if (skb->len < sizeof(*rp))
799 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
803 if (cp->which == 0x00) {
804 hdev->clock = le32_to_cpu(rp->clock);
808 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
810 conn->clock = le32_to_cpu(rp->clock);
811 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
815 hci_dev_unlock(hdev);
818 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
821 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
823 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
828 hdev->amp_status = rp->amp_status;
829 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
830 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
831 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
832 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
833 hdev->amp_type = rp->amp_type;
834 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
835 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
836 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
837 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
840 a2mp_send_getinfo_rsp(hdev);
843 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
846 struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
847 struct amp_assoc *assoc = &hdev->loc_assoc;
848 size_t rem_len, frag_len;
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
855 frag_len = skb->len - sizeof(*rp);
856 rem_len = __le16_to_cpu(rp->rem_len);
858 if (rem_len > frag_len) {
859 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
861 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
862 assoc->offset += frag_len;
864 /* Read other fragments */
865 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
870 memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
871 assoc->len = assoc->offset + rem_len;
875 /* Send A2MP Rsp when all fragments are received */
876 a2mp_send_getampassoc_rsp(hdev, rp->status);
877 a2mp_send_create_phy_link_req(hdev, rp->status);
880 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
883 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
885 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
890 hdev->inq_tx_power = rp->tx_power;
893 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
895 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
896 struct hci_cp_pin_code_reply *cp;
897 struct hci_conn *conn;
899 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
903 if (hci_dev_test_flag(hdev, HCI_MGMT))
904 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
909 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
913 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
915 conn->pin_length = cp->pin_len;
918 hci_dev_unlock(hdev);
921 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
923 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
925 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
929 if (hci_dev_test_flag(hdev, HCI_MGMT))
930 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
933 hci_dev_unlock(hdev);
936 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
939 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
941 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
946 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
947 hdev->le_pkts = rp->le_max_pkt;
949 hdev->le_cnt = hdev->le_pkts;
951 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
954 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
957 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
959 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
964 memcpy(hdev->le_features, rp->features, 8);
967 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
970 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
972 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
977 hdev->adv_tx_power = rp->tx_power;
980 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
982 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
984 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
988 if (hci_dev_test_flag(hdev, HCI_MGMT))
989 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
992 hci_dev_unlock(hdev);
995 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
998 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1004 if (hci_dev_test_flag(hdev, HCI_MGMT))
1005 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1006 ACL_LINK, 0, rp->status);
1008 hci_dev_unlock(hdev);
1011 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1013 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1015 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1019 if (hci_dev_test_flag(hdev, HCI_MGMT))
1020 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1023 hci_dev_unlock(hdev);
1026 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1027 struct sk_buff *skb)
1029 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1031 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1035 if (hci_dev_test_flag(hdev, HCI_MGMT))
1036 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1037 ACL_LINK, 0, rp->status);
1039 hci_dev_unlock(hdev);
1042 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1043 struct sk_buff *skb)
1045 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1050 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1051 struct sk_buff *skb)
1053 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1055 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1058 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1060 __u8 status = *((__u8 *) skb->data);
1063 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1068 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1074 bacpy(&hdev->random_addr, sent);
1076 hci_dev_unlock(hdev);
1079 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1081 __u8 *sent, status = *((__u8 *) skb->data);
1083 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1088 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1094 /* If we're doing connection initiation as peripheral. Set a
1095 * timeout in case something goes wrong.
1098 struct hci_conn *conn;
1100 hci_dev_set_flag(hdev, HCI_LE_ADV);
1102 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1104 queue_delayed_work(hdev->workqueue,
1105 &conn->le_conn_timeout,
1106 conn->conn_timeout);
1108 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1111 hci_dev_unlock(hdev);
1114 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1116 struct hci_cp_le_set_scan_param *cp;
1117 __u8 status = *((__u8 *) skb->data);
1119 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1124 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1130 hdev->le_scan_type = cp->type;
1132 hci_dev_unlock(hdev);
1135 static bool has_pending_adv_report(struct hci_dev *hdev)
1137 struct discovery_state *d = &hdev->discovery;
1139 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1142 static void clear_pending_adv_report(struct hci_dev *hdev)
1144 struct discovery_state *d = &hdev->discovery;
1146 bacpy(&d->last_adv_addr, BDADDR_ANY);
1147 d->last_adv_data_len = 0;
1150 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1151 u8 bdaddr_type, s8 rssi, u32 flags,
1154 struct discovery_state *d = &hdev->discovery;
1156 bacpy(&d->last_adv_addr, bdaddr);
1157 d->last_adv_addr_type = bdaddr_type;
1158 d->last_adv_rssi = rssi;
1159 d->last_adv_flags = flags;
1160 memcpy(d->last_adv_data, data, len);
1161 d->last_adv_data_len = len;
1164 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1165 struct sk_buff *skb)
1167 struct hci_cp_le_set_scan_enable *cp;
1168 __u8 status = *((__u8 *) skb->data);
1170 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1175 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1181 switch (cp->enable) {
1182 case LE_SCAN_ENABLE:
1183 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1184 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1185 clear_pending_adv_report(hdev);
1188 case LE_SCAN_DISABLE:
1189 /* We do this here instead of when setting DISCOVERY_STOPPED
1190 * since the latter would potentially require waiting for
1191 * inquiry to stop too.
1193 if (has_pending_adv_report(hdev)) {
1194 struct discovery_state *d = &hdev->discovery;
1196 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1197 d->last_adv_addr_type, NULL,
1198 d->last_adv_rssi, d->last_adv_flags,
1200 d->last_adv_data_len, NULL, 0);
1203 /* Cancel this timer so that we don't try to disable scanning
1204 * when it's already disabled.
1206 cancel_delayed_work(&hdev->le_scan_disable);
1208 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1210 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1211 * interrupted scanning due to a connect request. Mark
1212 * therefore discovery as stopped. If this was not
1213 * because of a connect request advertising might have
1214 * been disabled because of active scanning, so
1215 * re-enable it again if necessary.
1217 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1218 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1219 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1220 hdev->discovery.state == DISCOVERY_FINDING)
1221 mgmt_reenable_advertising(hdev);
1226 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1230 hci_dev_unlock(hdev);
1233 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1234 struct sk_buff *skb)
1236 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1238 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1243 hdev->le_white_list_size = rp->size;
1246 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1247 struct sk_buff *skb)
1249 __u8 status = *((__u8 *) skb->data);
1251 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1256 hci_bdaddr_list_clear(&hdev->le_white_list);
1259 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1260 struct sk_buff *skb)
1262 struct hci_cp_le_add_to_white_list *sent;
1263 __u8 status = *((__u8 *) skb->data);
1265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1270 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1274 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1278 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1279 struct sk_buff *skb)
1281 struct hci_cp_le_del_from_white_list *sent;
1282 __u8 status = *((__u8 *) skb->data);
1284 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1289 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1293 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1297 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1298 struct sk_buff *skb)
1300 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1307 memcpy(hdev->le_states, rp->le_states, 8);
1310 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1311 struct sk_buff *skb)
1313 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1315 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1320 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1321 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1324 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1325 struct sk_buff *skb)
1327 struct hci_cp_le_write_def_data_len *sent;
1328 __u8 status = *((__u8 *) skb->data);
1330 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1335 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1339 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1340 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1343 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1344 struct sk_buff *skb)
1346 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1348 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1353 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1354 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1355 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1356 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1359 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1360 struct sk_buff *skb)
1362 struct hci_cp_write_le_host_supported *sent;
1363 __u8 status = *((__u8 *) skb->data);
1365 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1370 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1377 hdev->features[1][0] |= LMP_HOST_LE;
1378 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1380 hdev->features[1][0] &= ~LMP_HOST_LE;
1381 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1382 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1386 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1388 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1390 hci_dev_unlock(hdev);
1393 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1395 struct hci_cp_le_set_adv_param *cp;
1396 u8 status = *((u8 *) skb->data);
1398 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1403 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1408 hdev->adv_addr_type = cp->own_address_type;
1409 hci_dev_unlock(hdev);
1412 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1413 struct sk_buff *skb)
1415 struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1417 BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1418 hdev->name, rp->status, rp->phy_handle);
1423 amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1426 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1428 struct hci_rp_read_rssi *rp = (void *) skb->data;
1429 struct hci_conn *conn;
1431 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1438 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1440 conn->rssi = rp->rssi;
1442 hci_dev_unlock(hdev);
1445 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1447 struct hci_cp_read_tx_power *sent;
1448 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1449 struct hci_conn *conn;
1451 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1456 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1462 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1466 switch (sent->type) {
1468 conn->tx_power = rp->tx_power;
1471 conn->max_tx_power = rp->tx_power;
1476 hci_dev_unlock(hdev);
1479 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1481 u8 status = *((u8 *) skb->data);
1484 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1489 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1491 hdev->ssp_debug_mode = *mode;
1494 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1496 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1499 hci_conn_check_pending(hdev);
1503 set_bit(HCI_INQUIRY, &hdev->flags);
1506 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1508 struct hci_cp_create_conn *cp;
1509 struct hci_conn *conn;
1511 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1513 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1519 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1521 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1524 if (conn && conn->state == BT_CONNECT) {
1525 if (status != 0x0c || conn->attempt > 2) {
1526 conn->state = BT_CLOSED;
1527 hci_connect_cfm(conn, status);
1530 conn->state = BT_CONNECT2;
1534 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1537 BT_ERR("No memory for new connection");
1541 hci_dev_unlock(hdev);
1544 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1546 struct hci_cp_add_sco *cp;
1547 struct hci_conn *acl, *sco;
1550 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1555 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1559 handle = __le16_to_cpu(cp->handle);
1561 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1565 acl = hci_conn_hash_lookup_handle(hdev, handle);
1569 sco->state = BT_CLOSED;
1571 hci_connect_cfm(sco, status);
1576 hci_dev_unlock(hdev);
1579 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1581 struct hci_cp_auth_requested *cp;
1582 struct hci_conn *conn;
1584 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1589 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1595 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1597 if (conn->state == BT_CONFIG) {
1598 hci_connect_cfm(conn, status);
1599 hci_conn_drop(conn);
1603 hci_dev_unlock(hdev);
1606 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1608 struct hci_cp_set_conn_encrypt *cp;
1609 struct hci_conn *conn;
1611 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1616 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1622 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1624 if (conn->state == BT_CONFIG) {
1625 hci_connect_cfm(conn, status);
1626 hci_conn_drop(conn);
1630 hci_dev_unlock(hdev);
1633 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1634 struct hci_conn *conn)
1636 if (conn->state != BT_CONFIG || !conn->out)
1639 if (conn->pending_sec_level == BT_SECURITY_SDP)
1642 /* Only request authentication for SSP connections or non-SSP
1643 * devices with sec_level MEDIUM or HIGH or if MITM protection
1646 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1647 conn->pending_sec_level != BT_SECURITY_FIPS &&
1648 conn->pending_sec_level != BT_SECURITY_HIGH &&
1649 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1655 static int hci_resolve_name(struct hci_dev *hdev,
1656 struct inquiry_entry *e)
1658 struct hci_cp_remote_name_req cp;
1660 memset(&cp, 0, sizeof(cp));
1662 bacpy(&cp.bdaddr, &e->data.bdaddr);
1663 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1664 cp.pscan_mode = e->data.pscan_mode;
1665 cp.clock_offset = e->data.clock_offset;
1667 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1670 static bool hci_resolve_next_name(struct hci_dev *hdev)
1672 struct discovery_state *discov = &hdev->discovery;
1673 struct inquiry_entry *e;
1675 if (list_empty(&discov->resolve))
1678 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1682 if (hci_resolve_name(hdev, e) == 0) {
1683 e->name_state = NAME_PENDING;
1690 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1691 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1693 struct discovery_state *discov = &hdev->discovery;
1694 struct inquiry_entry *e;
1696 /* Update the mgmt connected state if necessary. Be careful with
1697 * conn objects that exist but are not (yet) connected however.
1698 * Only those in BT_CONFIG or BT_CONNECTED states can be
1699 * considered connected.
1702 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1703 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1704 mgmt_device_connected(hdev, conn, 0, name, name_len);
1706 if (discov->state == DISCOVERY_STOPPED)
1709 if (discov->state == DISCOVERY_STOPPING)
1710 goto discov_complete;
1712 if (discov->state != DISCOVERY_RESOLVING)
1715 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1716 /* If the device was not found in a list of found devices names of which
1717 * are pending. there is no need to continue resolving a next name as it
1718 * will be done upon receiving another Remote Name Request Complete
1725 e->name_state = NAME_KNOWN;
1726 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1727 e->data.rssi, name, name_len);
1729 e->name_state = NAME_NOT_KNOWN;
1732 if (hci_resolve_next_name(hdev))
1736 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1739 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1741 struct hci_cp_remote_name_req *cp;
1742 struct hci_conn *conn;
1744 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1746 /* If successful wait for the name req complete event before
1747 * checking for the need to do authentication */
1751 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1757 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1759 if (hci_dev_test_flag(hdev, HCI_MGMT))
1760 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1765 if (!hci_outgoing_auth_needed(hdev, conn))
1768 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1769 struct hci_cp_auth_requested auth_cp;
1771 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1773 auth_cp.handle = __cpu_to_le16(conn->handle);
1774 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1775 sizeof(auth_cp), &auth_cp);
1779 hci_dev_unlock(hdev);
1782 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1784 struct hci_cp_read_remote_features *cp;
1785 struct hci_conn *conn;
1787 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1792 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1798 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1800 if (conn->state == BT_CONFIG) {
1801 hci_connect_cfm(conn, status);
1802 hci_conn_drop(conn);
1806 hci_dev_unlock(hdev);
1809 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1811 struct hci_cp_read_remote_ext_features *cp;
1812 struct hci_conn *conn;
1814 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1819 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1825 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1827 if (conn->state == BT_CONFIG) {
1828 hci_connect_cfm(conn, status);
1829 hci_conn_drop(conn);
1833 hci_dev_unlock(hdev);
1836 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1838 struct hci_cp_setup_sync_conn *cp;
1839 struct hci_conn *acl, *sco;
1842 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1847 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1851 handle = __le16_to_cpu(cp->handle);
1853 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1857 acl = hci_conn_hash_lookup_handle(hdev, handle);
1861 sco->state = BT_CLOSED;
1863 hci_connect_cfm(sco, status);
1868 hci_dev_unlock(hdev);
1871 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1873 struct hci_cp_sniff_mode *cp;
1874 struct hci_conn *conn;
1876 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1881 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1887 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1889 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1891 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1892 hci_sco_setup(conn, status);
1895 hci_dev_unlock(hdev);
1898 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1900 struct hci_cp_exit_sniff_mode *cp;
1901 struct hci_conn *conn;
1903 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1908 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1914 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1916 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1918 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1919 hci_sco_setup(conn, status);
1922 hci_dev_unlock(hdev);
1925 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1927 struct hci_cp_disconnect *cp;
1928 struct hci_conn *conn;
1933 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1939 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1941 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1942 conn->dst_type, status);
1944 hci_dev_unlock(hdev);
1947 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1949 struct hci_cp_create_phy_link *cp;
1951 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1953 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1960 struct hci_conn *hcon;
1962 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1966 amp_write_remote_assoc(hdev, cp->phy_handle);
1969 hci_dev_unlock(hdev);
1972 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1974 struct hci_cp_accept_phy_link *cp;
1976 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1981 cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1985 amp_write_remote_assoc(hdev, cp->phy_handle);
1988 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1990 struct hci_cp_le_create_conn *cp;
1991 struct hci_conn *conn;
1993 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1995 /* All connection failure handling is taken care of by the
1996 * hci_le_conn_failed function which is triggered by the HCI
1997 * request completion callbacks used for connecting.
2002 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2008 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
2012 /* Store the initiator and responder address information which
2013 * is needed for SMP. These values will not change during the
2014 * lifetime of the connection.
2016 conn->init_addr_type = cp->own_address_type;
2017 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
2018 bacpy(&conn->init_addr, &hdev->random_addr);
2020 bacpy(&conn->init_addr, &hdev->bdaddr);
2022 conn->resp_addr_type = cp->peer_addr_type;
2023 bacpy(&conn->resp_addr, &cp->peer_addr);
2025 /* We don't want the connection attempt to stick around
2026 * indefinitely since LE doesn't have a page timeout concept
2027 * like BR/EDR. Set a timer for any connection that doesn't use
2028 * the white list for connecting.
2030 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
2031 queue_delayed_work(conn->hdev->workqueue,
2032 &conn->le_conn_timeout,
2033 conn->conn_timeout);
2036 hci_dev_unlock(hdev);
2039 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2041 struct hci_cp_le_read_remote_features *cp;
2042 struct hci_conn *conn;
2044 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2049 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2055 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2057 if (conn->state == BT_CONFIG) {
2058 hci_connect_cfm(conn, status);
2059 hci_conn_drop(conn);
2063 hci_dev_unlock(hdev);
2066 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2068 struct hci_cp_le_start_enc *cp;
2069 struct hci_conn *conn;
2071 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2078 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2082 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2086 if (conn->state != BT_CONNECTED)
2089 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2090 hci_conn_drop(conn);
2093 hci_dev_unlock(hdev);
2096 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2098 struct hci_cp_switch_role *cp;
2099 struct hci_conn *conn;
2101 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2106 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2112 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2114 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2116 hci_dev_unlock(hdev);
2119 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2121 __u8 status = *((__u8 *) skb->data);
2122 struct discovery_state *discov = &hdev->discovery;
2123 struct inquiry_entry *e;
2125 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2127 hci_conn_check_pending(hdev);
2129 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2132 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2133 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2135 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2140 if (discov->state != DISCOVERY_FINDING)
2143 if (list_empty(&discov->resolve)) {
2144 /* When BR/EDR inquiry is active and no LE scanning is in
2145 * progress, then change discovery state to indicate completion.
2147 * When running LE scanning and BR/EDR inquiry simultaneously
2148 * and the LE scan already finished, then change the discovery
2149 * state to indicate completion.
2151 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2152 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2153 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2157 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2158 if (e && hci_resolve_name(hdev, e) == 0) {
2159 e->name_state = NAME_PENDING;
2160 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2162 /* When BR/EDR inquiry is active and no LE scanning is in
2163 * progress, then change discovery state to indicate completion.
2165 * When running LE scanning and BR/EDR inquiry simultaneously
2166 * and the LE scan already finished, then change the discovery
2167 * state to indicate completion.
2169 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2170 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2171 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2175 hci_dev_unlock(hdev);
2178 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2180 struct inquiry_data data;
2181 struct inquiry_info *info = (void *) (skb->data + 1);
2182 int num_rsp = *((__u8 *) skb->data);
2184 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2189 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2194 for (; num_rsp; num_rsp--, info++) {
2197 bacpy(&data.bdaddr, &info->bdaddr);
2198 data.pscan_rep_mode = info->pscan_rep_mode;
2199 data.pscan_period_mode = info->pscan_period_mode;
2200 data.pscan_mode = info->pscan_mode;
2201 memcpy(data.dev_class, info->dev_class, 3);
2202 data.clock_offset = info->clock_offset;
2203 data.rssi = HCI_RSSI_INVALID;
2204 data.ssp_mode = 0x00;
2206 flags = hci_inquiry_cache_update(hdev, &data, false);
2208 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2209 info->dev_class, HCI_RSSI_INVALID,
2210 flags, NULL, 0, NULL, 0);
2213 hci_dev_unlock(hdev);
2216 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2218 struct hci_ev_conn_complete *ev = (void *) skb->data;
2219 struct hci_conn *conn;
2221 BT_DBG("%s", hdev->name);
2225 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2227 if (ev->link_type != SCO_LINK)
2230 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2234 conn->type = SCO_LINK;
2238 conn->handle = __le16_to_cpu(ev->handle);
2240 if (conn->type == ACL_LINK) {
2241 conn->state = BT_CONFIG;
2242 hci_conn_hold(conn);
2244 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2245 !hci_find_link_key(hdev, &ev->bdaddr))
2246 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2248 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2250 conn->state = BT_CONNECTED;
2252 hci_debugfs_create_conn(conn);
2253 hci_conn_add_sysfs(conn);
2255 if (test_bit(HCI_AUTH, &hdev->flags))
2256 set_bit(HCI_CONN_AUTH, &conn->flags);
2258 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2259 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2261 /* Get remote features */
2262 if (conn->type == ACL_LINK) {
2263 struct hci_cp_read_remote_features cp;
2264 cp.handle = ev->handle;
2265 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2268 hci_update_page_scan(hdev);
2271 /* Set packet type for incoming connection */
2272 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2273 struct hci_cp_change_conn_ptype cp;
2274 cp.handle = ev->handle;
2275 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2276 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2280 conn->state = BT_CLOSED;
2281 if (conn->type == ACL_LINK)
2282 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2283 conn->dst_type, ev->status);
2286 if (conn->type == ACL_LINK)
2287 hci_sco_setup(conn, ev->status);
2290 hci_connect_cfm(conn, ev->status);
2292 } else if (ev->link_type != ACL_LINK)
2293 hci_connect_cfm(conn, ev->status);
2296 hci_dev_unlock(hdev);
2298 hci_conn_check_pending(hdev);
2301 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2303 struct hci_cp_reject_conn_req cp;
2305 bacpy(&cp.bdaddr, bdaddr);
2306 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2307 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2310 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2312 struct hci_ev_conn_request *ev = (void *) skb->data;
2313 int mask = hdev->link_mode;
2314 struct inquiry_entry *ie;
2315 struct hci_conn *conn;
2318 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2321 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2324 if (!(mask & HCI_LM_ACCEPT)) {
2325 hci_reject_conn(hdev, &ev->bdaddr);
2329 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2331 hci_reject_conn(hdev, &ev->bdaddr);
2335 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2336 * connection. These features are only touched through mgmt so
2337 * only do the checks if HCI_MGMT is set.
2339 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2340 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2341 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2343 hci_reject_conn(hdev, &ev->bdaddr);
2347 /* Connection accepted */
2351 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2353 memcpy(ie->data.dev_class, ev->dev_class, 3);
2355 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2358 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2361 BT_ERR("No memory for new connection");
2362 hci_dev_unlock(hdev);
2367 memcpy(conn->dev_class, ev->dev_class, 3);
2369 hci_dev_unlock(hdev);
2371 if (ev->link_type == ACL_LINK ||
2372 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2373 struct hci_cp_accept_conn_req cp;
2374 conn->state = BT_CONNECT;
2376 bacpy(&cp.bdaddr, &ev->bdaddr);
2378 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2379 cp.role = 0x00; /* Become master */
2381 cp.role = 0x01; /* Remain slave */
2383 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2384 } else if (!(flags & HCI_PROTO_DEFER)) {
2385 struct hci_cp_accept_sync_conn_req cp;
2386 conn->state = BT_CONNECT;
2388 bacpy(&cp.bdaddr, &ev->bdaddr);
2389 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2391 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2392 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2393 cp.max_latency = cpu_to_le16(0xffff);
2394 cp.content_format = cpu_to_le16(hdev->voice_setting);
2395 cp.retrans_effort = 0xff;
2397 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2400 conn->state = BT_CONNECT2;
2401 hci_connect_cfm(conn, 0);
2405 static u8 hci_to_mgmt_reason(u8 err)
2408 case HCI_ERROR_CONNECTION_TIMEOUT:
2409 return MGMT_DEV_DISCONN_TIMEOUT;
2410 case HCI_ERROR_REMOTE_USER_TERM:
2411 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2412 case HCI_ERROR_REMOTE_POWER_OFF:
2413 return MGMT_DEV_DISCONN_REMOTE;
2414 case HCI_ERROR_LOCAL_HOST_TERM:
2415 return MGMT_DEV_DISCONN_LOCAL_HOST;
2417 return MGMT_DEV_DISCONN_UNKNOWN;
2421 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2423 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2424 u8 reason = hci_to_mgmt_reason(ev->reason);
2425 struct hci_conn_params *params;
2426 struct hci_conn *conn;
2427 bool mgmt_connected;
2430 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2434 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2439 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2440 conn->dst_type, ev->status);
2444 conn->state = BT_CLOSED;
2446 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2447 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2448 reason, mgmt_connected);
2450 if (conn->type == ACL_LINK) {
2451 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2452 hci_remove_link_key(hdev, &conn->dst);
2454 hci_update_page_scan(hdev);
2457 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2459 switch (params->auto_connect) {
2460 case HCI_AUTO_CONN_LINK_LOSS:
2461 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2465 case HCI_AUTO_CONN_DIRECT:
2466 case HCI_AUTO_CONN_ALWAYS:
2467 list_del_init(¶ms->action);
2468 list_add(¶ms->action, &hdev->pend_le_conns);
2469 hci_update_background_scan(hdev);
2479 hci_disconn_cfm(conn, ev->reason);
2482 /* Re-enable advertising if necessary, since it might
2483 * have been disabled by the connection. From the
2484 * HCI_LE_Set_Advertise_Enable command description in
2485 * the core specification (v4.0):
2486 * "The Controller shall continue advertising until the Host
2487 * issues an LE_Set_Advertise_Enable command with
2488 * Advertising_Enable set to 0x00 (Advertising is disabled)
2489 * or until a connection is created or until the Advertising
2490 * is timed out due to Directed Advertising."
2492 if (type == LE_LINK)
2493 mgmt_reenable_advertising(hdev);
2496 hci_dev_unlock(hdev);
2499 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2501 struct hci_ev_auth_complete *ev = (void *) skb->data;
2502 struct hci_conn *conn;
2504 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2508 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2513 if (!hci_conn_ssp_enabled(conn) &&
2514 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2515 BT_INFO("re-auth of legacy device is not possible.");
2517 set_bit(HCI_CONN_AUTH, &conn->flags);
2518 conn->sec_level = conn->pending_sec_level;
2521 mgmt_auth_failed(conn, ev->status);
2524 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2525 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2527 if (conn->state == BT_CONFIG) {
2528 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2529 struct hci_cp_set_conn_encrypt cp;
2530 cp.handle = ev->handle;
2532 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2535 conn->state = BT_CONNECTED;
2536 hci_connect_cfm(conn, ev->status);
2537 hci_conn_drop(conn);
2540 hci_auth_cfm(conn, ev->status);
2542 hci_conn_hold(conn);
2543 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2544 hci_conn_drop(conn);
2547 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2549 struct hci_cp_set_conn_encrypt cp;
2550 cp.handle = ev->handle;
2552 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2555 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2556 hci_encrypt_cfm(conn, ev->status, 0x00);
2561 hci_dev_unlock(hdev);
2564 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2566 struct hci_ev_remote_name *ev = (void *) skb->data;
2567 struct hci_conn *conn;
2569 BT_DBG("%s", hdev->name);
2571 hci_conn_check_pending(hdev);
2575 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2577 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2580 if (ev->status == 0)
2581 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2582 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2584 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2590 if (!hci_outgoing_auth_needed(hdev, conn))
2593 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2594 struct hci_cp_auth_requested cp;
2596 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2598 cp.handle = __cpu_to_le16(conn->handle);
2599 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2603 hci_dev_unlock(hdev);
2606 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2607 u16 opcode, struct sk_buff *skb)
2609 const struct hci_rp_read_enc_key_size *rp;
2610 struct hci_conn *conn;
2613 BT_DBG("%s status 0x%02x", hdev->name, status);
2615 if (!skb || skb->len < sizeof(*rp)) {
2616 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2621 rp = (void *)skb->data;
2622 handle = le16_to_cpu(rp->handle);
2626 conn = hci_conn_hash_lookup_handle(hdev, handle);
2630 /* If we fail to read the encryption key size, assume maximum
2631 * (which is the same we do also when this HCI command isn't
2635 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2637 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2639 conn->enc_key_size = rp->key_size;
2642 if (conn->state == BT_CONFIG) {
2643 conn->state = BT_CONNECTED;
2644 hci_connect_cfm(conn, 0);
2645 hci_conn_drop(conn);
2649 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2651 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2656 hci_encrypt_cfm(conn, 0, encrypt);
2660 hci_dev_unlock(hdev);
2663 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2665 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2666 struct hci_conn *conn;
2668 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2672 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2678 /* Encryption implies authentication */
2679 set_bit(HCI_CONN_AUTH, &conn->flags);
2680 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2681 conn->sec_level = conn->pending_sec_level;
2683 /* P-256 authentication key implies FIPS */
2684 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2685 set_bit(HCI_CONN_FIPS, &conn->flags);
2687 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2688 conn->type == LE_LINK)
2689 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2691 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2692 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2696 /* We should disregard the current RPA and generate a new one
2697 * whenever the encryption procedure fails.
2699 if (ev->status && conn->type == LE_LINK)
2700 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2702 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2704 if (ev->status && conn->state == BT_CONNECTED) {
2705 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2706 hci_conn_drop(conn);
2710 /* In Secure Connections Only mode, do not allow any connections
2711 * that are not encrypted with AES-CCM using a P-256 authenticated
2714 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2715 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2716 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2717 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2718 hci_conn_drop(conn);
2722 /* Try reading the encryption key size for encrypted ACL links */
2723 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2724 struct hci_cp_read_enc_key_size cp;
2725 struct hci_request req;
2727 /* Only send HCI_Read_Encryption_Key_Size if the
2728 * controller really supports it. If it doesn't, assume
2729 * the default size (16).
2731 if (!(hdev->commands[20] & 0x10)) {
2732 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2736 hci_req_init(&req, hdev);
2738 cp.handle = cpu_to_le16(conn->handle);
2739 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2741 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2742 BT_ERR("Sending HCI Read Encryption Key Size failed");
2743 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2751 if (conn->state == BT_CONFIG) {
2753 conn->state = BT_CONNECTED;
2755 hci_connect_cfm(conn, ev->status);
2756 hci_conn_drop(conn);
2758 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2761 hci_dev_unlock(hdev);
2764 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2765 struct sk_buff *skb)
2767 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2768 struct hci_conn *conn;
2770 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2774 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2777 set_bit(HCI_CONN_SECURE, &conn->flags);
2779 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2781 hci_key_change_cfm(conn, ev->status);
2784 hci_dev_unlock(hdev);
2787 static void hci_remote_features_evt(struct hci_dev *hdev,
2788 struct sk_buff *skb)
2790 struct hci_ev_remote_features *ev = (void *) skb->data;
2791 struct hci_conn *conn;
2793 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2797 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2802 memcpy(conn->features[0], ev->features, 8);
2804 if (conn->state != BT_CONFIG)
2807 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2808 lmp_ext_feat_capable(conn)) {
2809 struct hci_cp_read_remote_ext_features cp;
2810 cp.handle = ev->handle;
2812 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2817 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2818 struct hci_cp_remote_name_req cp;
2819 memset(&cp, 0, sizeof(cp));
2820 bacpy(&cp.bdaddr, &conn->dst);
2821 cp.pscan_rep_mode = 0x02;
2822 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2823 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2824 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2826 if (!hci_outgoing_auth_needed(hdev, conn)) {
2827 conn->state = BT_CONNECTED;
2828 hci_connect_cfm(conn, ev->status);
2829 hci_conn_drop(conn);
2833 hci_dev_unlock(hdev);
2836 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2837 u16 *opcode, u8 *status,
2838 hci_req_complete_t *req_complete,
2839 hci_req_complete_skb_t *req_complete_skb)
2841 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2843 *opcode = __le16_to_cpu(ev->opcode);
2844 *status = skb->data[sizeof(*ev)];
2846 skb_pull(skb, sizeof(*ev));
2849 case HCI_OP_INQUIRY_CANCEL:
2850 hci_cc_inquiry_cancel(hdev, skb);
2853 case HCI_OP_PERIODIC_INQ:
2854 hci_cc_periodic_inq(hdev, skb);
2857 case HCI_OP_EXIT_PERIODIC_INQ:
2858 hci_cc_exit_periodic_inq(hdev, skb);
2861 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2862 hci_cc_remote_name_req_cancel(hdev, skb);
2865 case HCI_OP_ROLE_DISCOVERY:
2866 hci_cc_role_discovery(hdev, skb);
2869 case HCI_OP_READ_LINK_POLICY:
2870 hci_cc_read_link_policy(hdev, skb);
2873 case HCI_OP_WRITE_LINK_POLICY:
2874 hci_cc_write_link_policy(hdev, skb);
2877 case HCI_OP_READ_DEF_LINK_POLICY:
2878 hci_cc_read_def_link_policy(hdev, skb);
2881 case HCI_OP_WRITE_DEF_LINK_POLICY:
2882 hci_cc_write_def_link_policy(hdev, skb);
2886 hci_cc_reset(hdev, skb);
2889 case HCI_OP_READ_STORED_LINK_KEY:
2890 hci_cc_read_stored_link_key(hdev, skb);
2893 case HCI_OP_DELETE_STORED_LINK_KEY:
2894 hci_cc_delete_stored_link_key(hdev, skb);
2897 case HCI_OP_WRITE_LOCAL_NAME:
2898 hci_cc_write_local_name(hdev, skb);
2901 case HCI_OP_READ_LOCAL_NAME:
2902 hci_cc_read_local_name(hdev, skb);
2905 case HCI_OP_WRITE_AUTH_ENABLE:
2906 hci_cc_write_auth_enable(hdev, skb);
2909 case HCI_OP_WRITE_ENCRYPT_MODE:
2910 hci_cc_write_encrypt_mode(hdev, skb);
2913 case HCI_OP_WRITE_SCAN_ENABLE:
2914 hci_cc_write_scan_enable(hdev, skb);
2917 case HCI_OP_READ_CLASS_OF_DEV:
2918 hci_cc_read_class_of_dev(hdev, skb);
2921 case HCI_OP_WRITE_CLASS_OF_DEV:
2922 hci_cc_write_class_of_dev(hdev, skb);
2925 case HCI_OP_READ_VOICE_SETTING:
2926 hci_cc_read_voice_setting(hdev, skb);
2929 case HCI_OP_WRITE_VOICE_SETTING:
2930 hci_cc_write_voice_setting(hdev, skb);
2933 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2934 hci_cc_read_num_supported_iac(hdev, skb);
2937 case HCI_OP_WRITE_SSP_MODE:
2938 hci_cc_write_ssp_mode(hdev, skb);
2941 case HCI_OP_WRITE_SC_SUPPORT:
2942 hci_cc_write_sc_support(hdev, skb);
2945 case HCI_OP_READ_LOCAL_VERSION:
2946 hci_cc_read_local_version(hdev, skb);
2949 case HCI_OP_READ_LOCAL_COMMANDS:
2950 hci_cc_read_local_commands(hdev, skb);
2953 case HCI_OP_READ_LOCAL_FEATURES:
2954 hci_cc_read_local_features(hdev, skb);
2957 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2958 hci_cc_read_local_ext_features(hdev, skb);
2961 case HCI_OP_READ_BUFFER_SIZE:
2962 hci_cc_read_buffer_size(hdev, skb);
2965 case HCI_OP_READ_BD_ADDR:
2966 hci_cc_read_bd_addr(hdev, skb);
2969 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2970 hci_cc_read_page_scan_activity(hdev, skb);
2973 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2974 hci_cc_write_page_scan_activity(hdev, skb);
2977 case HCI_OP_READ_PAGE_SCAN_TYPE:
2978 hci_cc_read_page_scan_type(hdev, skb);
2981 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2982 hci_cc_write_page_scan_type(hdev, skb);
2985 case HCI_OP_READ_DATA_BLOCK_SIZE:
2986 hci_cc_read_data_block_size(hdev, skb);
2989 case HCI_OP_READ_FLOW_CONTROL_MODE:
2990 hci_cc_read_flow_control_mode(hdev, skb);
2993 case HCI_OP_READ_LOCAL_AMP_INFO:
2994 hci_cc_read_local_amp_info(hdev, skb);
2997 case HCI_OP_READ_CLOCK:
2998 hci_cc_read_clock(hdev, skb);
3001 case HCI_OP_READ_LOCAL_AMP_ASSOC:
3002 hci_cc_read_local_amp_assoc(hdev, skb);
3005 case HCI_OP_READ_INQ_RSP_TX_POWER:
3006 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3009 case HCI_OP_PIN_CODE_REPLY:
3010 hci_cc_pin_code_reply(hdev, skb);
3013 case HCI_OP_PIN_CODE_NEG_REPLY:
3014 hci_cc_pin_code_neg_reply(hdev, skb);
3017 case HCI_OP_READ_LOCAL_OOB_DATA:
3018 hci_cc_read_local_oob_data(hdev, skb);
3021 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3022 hci_cc_read_local_oob_ext_data(hdev, skb);
3025 case HCI_OP_LE_READ_BUFFER_SIZE:
3026 hci_cc_le_read_buffer_size(hdev, skb);
3029 case HCI_OP_LE_READ_LOCAL_FEATURES:
3030 hci_cc_le_read_local_features(hdev, skb);
3033 case HCI_OP_LE_READ_ADV_TX_POWER:
3034 hci_cc_le_read_adv_tx_power(hdev, skb);
3037 case HCI_OP_USER_CONFIRM_REPLY:
3038 hci_cc_user_confirm_reply(hdev, skb);
3041 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3042 hci_cc_user_confirm_neg_reply(hdev, skb);
3045 case HCI_OP_USER_PASSKEY_REPLY:
3046 hci_cc_user_passkey_reply(hdev, skb);
3049 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3050 hci_cc_user_passkey_neg_reply(hdev, skb);
3053 case HCI_OP_LE_SET_RANDOM_ADDR:
3054 hci_cc_le_set_random_addr(hdev, skb);
3057 case HCI_OP_LE_SET_ADV_ENABLE:
3058 hci_cc_le_set_adv_enable(hdev, skb);
3061 case HCI_OP_LE_SET_SCAN_PARAM:
3062 hci_cc_le_set_scan_param(hdev, skb);
3065 case HCI_OP_LE_SET_SCAN_ENABLE:
3066 hci_cc_le_set_scan_enable(hdev, skb);
3069 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3070 hci_cc_le_read_white_list_size(hdev, skb);
3073 case HCI_OP_LE_CLEAR_WHITE_LIST:
3074 hci_cc_le_clear_white_list(hdev, skb);
3077 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3078 hci_cc_le_add_to_white_list(hdev, skb);
3081 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3082 hci_cc_le_del_from_white_list(hdev, skb);
3085 case HCI_OP_LE_READ_SUPPORTED_STATES:
3086 hci_cc_le_read_supported_states(hdev, skb);
3089 case HCI_OP_LE_READ_DEF_DATA_LEN:
3090 hci_cc_le_read_def_data_len(hdev, skb);
3093 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3094 hci_cc_le_write_def_data_len(hdev, skb);
3097 case HCI_OP_LE_READ_MAX_DATA_LEN:
3098 hci_cc_le_read_max_data_len(hdev, skb);
3101 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3102 hci_cc_write_le_host_supported(hdev, skb);
3105 case HCI_OP_LE_SET_ADV_PARAM:
3106 hci_cc_set_adv_param(hdev, skb);
3109 case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
3110 hci_cc_write_remote_amp_assoc(hdev, skb);
3113 case HCI_OP_READ_RSSI:
3114 hci_cc_read_rssi(hdev, skb);
3117 case HCI_OP_READ_TX_POWER:
3118 hci_cc_read_tx_power(hdev, skb);
3121 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3122 hci_cc_write_ssp_debug_mode(hdev, skb);
3126 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3130 if (*opcode != HCI_OP_NOP)
3131 cancel_delayed_work(&hdev->cmd_timer);
3133 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3134 atomic_set(&hdev->cmd_cnt, 1);
3136 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3139 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3140 queue_work(hdev->workqueue, &hdev->cmd_work);
3143 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3144 u16 *opcode, u8 *status,
3145 hci_req_complete_t *req_complete,
3146 hci_req_complete_skb_t *req_complete_skb)
3148 struct hci_ev_cmd_status *ev = (void *) skb->data;
3150 skb_pull(skb, sizeof(*ev));
3152 *opcode = __le16_to_cpu(ev->opcode);
3153 *status = ev->status;
3156 case HCI_OP_INQUIRY:
3157 hci_cs_inquiry(hdev, ev->status);
3160 case HCI_OP_CREATE_CONN:
3161 hci_cs_create_conn(hdev, ev->status);
3164 case HCI_OP_DISCONNECT:
3165 hci_cs_disconnect(hdev, ev->status);
3168 case HCI_OP_ADD_SCO:
3169 hci_cs_add_sco(hdev, ev->status);
3172 case HCI_OP_AUTH_REQUESTED:
3173 hci_cs_auth_requested(hdev, ev->status);
3176 case HCI_OP_SET_CONN_ENCRYPT:
3177 hci_cs_set_conn_encrypt(hdev, ev->status);
3180 case HCI_OP_REMOTE_NAME_REQ:
3181 hci_cs_remote_name_req(hdev, ev->status);
3184 case HCI_OP_READ_REMOTE_FEATURES:
3185 hci_cs_read_remote_features(hdev, ev->status);
3188 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3189 hci_cs_read_remote_ext_features(hdev, ev->status);
3192 case HCI_OP_SETUP_SYNC_CONN:
3193 hci_cs_setup_sync_conn(hdev, ev->status);
3196 case HCI_OP_CREATE_PHY_LINK:
3197 hci_cs_create_phylink(hdev, ev->status);
3200 case HCI_OP_ACCEPT_PHY_LINK:
3201 hci_cs_accept_phylink(hdev, ev->status);
3204 case HCI_OP_SNIFF_MODE:
3205 hci_cs_sniff_mode(hdev, ev->status);
3208 case HCI_OP_EXIT_SNIFF_MODE:
3209 hci_cs_exit_sniff_mode(hdev, ev->status);
3212 case HCI_OP_SWITCH_ROLE:
3213 hci_cs_switch_role(hdev, ev->status);
3216 case HCI_OP_LE_CREATE_CONN:
3217 hci_cs_le_create_conn(hdev, ev->status);
3220 case HCI_OP_LE_READ_REMOTE_FEATURES:
3221 hci_cs_le_read_remote_features(hdev, ev->status);
3224 case HCI_OP_LE_START_ENC:
3225 hci_cs_le_start_enc(hdev, ev->status);
3229 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3233 if (*opcode != HCI_OP_NOP)
3234 cancel_delayed_work(&hdev->cmd_timer);
3236 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3237 atomic_set(&hdev->cmd_cnt, 1);
3239 /* Indicate request completion if the command failed. Also, if
3240 * we're not waiting for a special event and we get a success
3241 * command status we should try to flag the request as completed
3242 * (since for this kind of commands there will not be a command
3246 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
3247 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3250 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3251 queue_work(hdev->workqueue, &hdev->cmd_work);
3254 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3256 struct hci_ev_hardware_error *ev = (void *) skb->data;
3258 hdev->hw_error_code = ev->code;
3260 queue_work(hdev->req_workqueue, &hdev->error_reset);
3263 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3265 struct hci_ev_role_change *ev = (void *) skb->data;
3266 struct hci_conn *conn;
3268 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3272 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3275 conn->role = ev->role;
3277 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3279 hci_role_switch_cfm(conn, ev->status, ev->role);
3282 hci_dev_unlock(hdev);
3285 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3287 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3290 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3291 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3295 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3296 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3297 BT_DBG("%s bad parameters", hdev->name);
3301 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3303 for (i = 0; i < ev->num_hndl; i++) {
3304 struct hci_comp_pkts_info *info = &ev->handles[i];
3305 struct hci_conn *conn;
3306 __u16 handle, count;
3308 handle = __le16_to_cpu(info->handle);
3309 count = __le16_to_cpu(info->count);
3311 conn = hci_conn_hash_lookup_handle(hdev, handle);
3315 conn->sent -= count;
3317 switch (conn->type) {
3319 hdev->acl_cnt += count;
3320 if (hdev->acl_cnt > hdev->acl_pkts)
3321 hdev->acl_cnt = hdev->acl_pkts;
3325 if (hdev->le_pkts) {
3326 hdev->le_cnt += count;
3327 if (hdev->le_cnt > hdev->le_pkts)
3328 hdev->le_cnt = hdev->le_pkts;
3330 hdev->acl_cnt += count;
3331 if (hdev->acl_cnt > hdev->acl_pkts)
3332 hdev->acl_cnt = hdev->acl_pkts;
3337 hdev->sco_cnt += count;
3338 if (hdev->sco_cnt > hdev->sco_pkts)
3339 hdev->sco_cnt = hdev->sco_pkts;
3343 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3348 queue_work(hdev->workqueue, &hdev->tx_work);
3351 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3354 struct hci_chan *chan;
3356 switch (hdev->dev_type) {
3358 return hci_conn_hash_lookup_handle(hdev, handle);
3360 chan = hci_chan_lookup_handle(hdev, handle);
3365 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3372 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3374 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3377 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3378 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3382 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3383 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3384 BT_DBG("%s bad parameters", hdev->name);
3388 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3391 for (i = 0; i < ev->num_hndl; i++) {
3392 struct hci_comp_blocks_info *info = &ev->handles[i];
3393 struct hci_conn *conn = NULL;
3394 __u16 handle, block_count;
3396 handle = __le16_to_cpu(info->handle);
3397 block_count = __le16_to_cpu(info->blocks);
3399 conn = __hci_conn_lookup_handle(hdev, handle);
3403 conn->sent -= block_count;
3405 switch (conn->type) {
3408 hdev->block_cnt += block_count;
3409 if (hdev->block_cnt > hdev->num_blocks)
3410 hdev->block_cnt = hdev->num_blocks;
3414 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3419 queue_work(hdev->workqueue, &hdev->tx_work);
3422 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3424 struct hci_ev_mode_change *ev = (void *) skb->data;
3425 struct hci_conn *conn;
3427 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3431 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3433 conn->mode = ev->mode;
3435 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3437 if (conn->mode == HCI_CM_ACTIVE)
3438 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3440 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3443 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3444 hci_sco_setup(conn, ev->status);
3447 hci_dev_unlock(hdev);
3450 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3452 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3453 struct hci_conn *conn;
3455 BT_DBG("%s", hdev->name);
3459 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3463 if (conn->state == BT_CONNECTED) {
3464 hci_conn_hold(conn);
3465 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3466 hci_conn_drop(conn);
3469 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3470 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3471 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3472 sizeof(ev->bdaddr), &ev->bdaddr);
3473 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3476 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3481 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3485 hci_dev_unlock(hdev);
3488 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3490 if (key_type == HCI_LK_CHANGED_COMBINATION)
3493 conn->pin_length = pin_len;
3494 conn->key_type = key_type;
3497 case HCI_LK_LOCAL_UNIT:
3498 case HCI_LK_REMOTE_UNIT:
3499 case HCI_LK_DEBUG_COMBINATION:
3501 case HCI_LK_COMBINATION:
3503 conn->pending_sec_level = BT_SECURITY_HIGH;
3505 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3507 case HCI_LK_UNAUTH_COMBINATION_P192:
3508 case HCI_LK_UNAUTH_COMBINATION_P256:
3509 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3511 case HCI_LK_AUTH_COMBINATION_P192:
3512 conn->pending_sec_level = BT_SECURITY_HIGH;
3514 case HCI_LK_AUTH_COMBINATION_P256:
3515 conn->pending_sec_level = BT_SECURITY_FIPS;
3520 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3522 struct hci_ev_link_key_req *ev = (void *) skb->data;
3523 struct hci_cp_link_key_reply cp;
3524 struct hci_conn *conn;
3525 struct link_key *key;
3527 BT_DBG("%s", hdev->name);
3529 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3534 key = hci_find_link_key(hdev, &ev->bdaddr);
3536 BT_DBG("%s link key not found for %pMR", hdev->name,
3541 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3544 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3546 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3548 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3549 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3550 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3551 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3555 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3556 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3557 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3558 BT_DBG("%s ignoring key unauthenticated for high security",
3563 conn_set_key(conn, key->type, key->pin_len);
3566 bacpy(&cp.bdaddr, &ev->bdaddr);
3567 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3569 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3571 hci_dev_unlock(hdev);
3576 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3577 hci_dev_unlock(hdev);
3580 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3582 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3583 struct hci_conn *conn;
3584 struct link_key *key;
3588 BT_DBG("%s", hdev->name);
3592 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3596 hci_conn_hold(conn);
3597 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3598 hci_conn_drop(conn);
3600 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3601 conn_set_key(conn, ev->key_type, conn->pin_length);
3603 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3606 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3607 ev->key_type, pin_len, &persistent);
3611 /* Update connection information since adding the key will have
3612 * fixed up the type in the case of changed combination keys.
3614 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3615 conn_set_key(conn, key->type, key->pin_len);
3617 mgmt_new_link_key(hdev, key, persistent);
3619 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3620 * is set. If it's not set simply remove the key from the kernel
3621 * list (we've still notified user space about it but with
3622 * store_hint being 0).
3624 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3625 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3626 list_del_rcu(&key->list);
3627 kfree_rcu(key, rcu);
3632 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3634 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3637 hci_dev_unlock(hdev);
3640 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3642 struct hci_ev_clock_offset *ev = (void *) skb->data;
3643 struct hci_conn *conn;
3645 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3649 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3650 if (conn && !ev->status) {
3651 struct inquiry_entry *ie;
3653 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3655 ie->data.clock_offset = ev->clock_offset;
3656 ie->timestamp = jiffies;
3660 hci_dev_unlock(hdev);
3663 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3665 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3666 struct hci_conn *conn;
3668 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3672 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3673 if (conn && !ev->status)
3674 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3676 hci_dev_unlock(hdev);
3679 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3681 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3682 struct inquiry_entry *ie;
3684 BT_DBG("%s", hdev->name);
3688 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3690 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3691 ie->timestamp = jiffies;
3694 hci_dev_unlock(hdev);
3697 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3698 struct sk_buff *skb)
3700 struct inquiry_data data;
3701 int num_rsp = *((__u8 *) skb->data);
3703 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3708 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3713 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3714 struct inquiry_info_with_rssi_and_pscan_mode *info;
3715 info = (void *) (skb->data + 1);
3717 for (; num_rsp; num_rsp--, info++) {
3720 bacpy(&data.bdaddr, &info->bdaddr);
3721 data.pscan_rep_mode = info->pscan_rep_mode;
3722 data.pscan_period_mode = info->pscan_period_mode;
3723 data.pscan_mode = info->pscan_mode;
3724 memcpy(data.dev_class, info->dev_class, 3);
3725 data.clock_offset = info->clock_offset;
3726 data.rssi = info->rssi;
3727 data.ssp_mode = 0x00;
3729 flags = hci_inquiry_cache_update(hdev, &data, false);
3731 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3732 info->dev_class, info->rssi,
3733 flags, NULL, 0, NULL, 0);
3736 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3738 for (; num_rsp; num_rsp--, info++) {
3741 bacpy(&data.bdaddr, &info->bdaddr);
3742 data.pscan_rep_mode = info->pscan_rep_mode;
3743 data.pscan_period_mode = info->pscan_period_mode;
3744 data.pscan_mode = 0x00;
3745 memcpy(data.dev_class, info->dev_class, 3);
3746 data.clock_offset = info->clock_offset;
3747 data.rssi = info->rssi;
3748 data.ssp_mode = 0x00;
3750 flags = hci_inquiry_cache_update(hdev, &data, false);
3752 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3753 info->dev_class, info->rssi,
3754 flags, NULL, 0, NULL, 0);
3758 hci_dev_unlock(hdev);
3761 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3762 struct sk_buff *skb)
3764 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3765 struct hci_conn *conn;
3767 BT_DBG("%s", hdev->name);
3771 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3775 if (ev->page < HCI_MAX_PAGES)
3776 memcpy(conn->features[ev->page], ev->features, 8);
3778 if (!ev->status && ev->page == 0x01) {
3779 struct inquiry_entry *ie;
3781 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3783 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3785 if (ev->features[0] & LMP_HOST_SSP) {
3786 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3788 /* It is mandatory by the Bluetooth specification that
3789 * Extended Inquiry Results are only used when Secure
3790 * Simple Pairing is enabled, but some devices violate
3793 * To make these devices work, the internal SSP
3794 * enabled flag needs to be cleared if the remote host
3795 * features do not indicate SSP support */
3796 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3799 if (ev->features[0] & LMP_HOST_SC)
3800 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3803 if (conn->state != BT_CONFIG)
3806 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3807 struct hci_cp_remote_name_req cp;
3808 memset(&cp, 0, sizeof(cp));
3809 bacpy(&cp.bdaddr, &conn->dst);
3810 cp.pscan_rep_mode = 0x02;
3811 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3812 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3813 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3815 if (!hci_outgoing_auth_needed(hdev, conn)) {
3816 conn->state = BT_CONNECTED;
3817 hci_connect_cfm(conn, ev->status);
3818 hci_conn_drop(conn);
3822 hci_dev_unlock(hdev);
3825 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3826 struct sk_buff *skb)
3828 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3829 struct hci_conn *conn;
3831 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3835 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3837 if (ev->link_type == ESCO_LINK)
3840 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3844 conn->type = SCO_LINK;
3847 switch (ev->status) {
3849 conn->handle = __le16_to_cpu(ev->handle);
3850 conn->state = BT_CONNECTED;
3852 hci_debugfs_create_conn(conn);
3853 hci_conn_add_sysfs(conn);
3856 case 0x10: /* Connection Accept Timeout */
3857 case 0x0d: /* Connection Rejected due to Limited Resources */
3858 case 0x11: /* Unsupported Feature or Parameter Value */
3859 case 0x1c: /* SCO interval rejected */
3860 case 0x1a: /* Unsupported Remote Feature */
3861 case 0x1f: /* Unspecified error */
3862 case 0x20: /* Unsupported LMP Parameter value */
3864 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3865 (hdev->esco_type & EDR_ESCO_MASK);
3866 if (hci_setup_sync(conn, conn->link->handle))
3872 conn->state = BT_CLOSED;
3876 hci_connect_cfm(conn, ev->status);
3881 hci_dev_unlock(hdev);
3884 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3888 while (parsed < eir_len) {
3889 u8 field_len = eir[0];
3894 parsed += field_len + 1;
3895 eir += field_len + 1;
3901 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3902 struct sk_buff *skb)
3904 struct inquiry_data data;
3905 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3906 int num_rsp = *((__u8 *) skb->data);
3909 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3914 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3919 for (; num_rsp; num_rsp--, info++) {
3923 bacpy(&data.bdaddr, &info->bdaddr);
3924 data.pscan_rep_mode = info->pscan_rep_mode;
3925 data.pscan_period_mode = info->pscan_period_mode;
3926 data.pscan_mode = 0x00;
3927 memcpy(data.dev_class, info->dev_class, 3);
3928 data.clock_offset = info->clock_offset;
3929 data.rssi = info->rssi;
3930 data.ssp_mode = 0x01;
3932 if (hci_dev_test_flag(hdev, HCI_MGMT))
3933 name_known = eir_has_data_type(info->data,
3939 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3941 eir_len = eir_get_length(info->data, sizeof(info->data));
3943 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3944 info->dev_class, info->rssi,
3945 flags, info->data, eir_len, NULL, 0);
3948 hci_dev_unlock(hdev);
3951 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3952 struct sk_buff *skb)
3954 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3955 struct hci_conn *conn;
3957 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3958 __le16_to_cpu(ev->handle));
3962 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3966 /* For BR/EDR the necessary steps are taken through the
3967 * auth_complete event.
3969 if (conn->type != LE_LINK)
3973 conn->sec_level = conn->pending_sec_level;
3975 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3977 if (ev->status && conn->state == BT_CONNECTED) {
3978 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3979 hci_conn_drop(conn);
3983 if (conn->state == BT_CONFIG) {
3985 conn->state = BT_CONNECTED;
3987 hci_connect_cfm(conn, ev->status);
3988 hci_conn_drop(conn);
3990 hci_auth_cfm(conn, ev->status);
3992 hci_conn_hold(conn);
3993 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3994 hci_conn_drop(conn);
3998 hci_dev_unlock(hdev);
4001 static u8 hci_get_auth_req(struct hci_conn *conn)
4003 /* If remote requests no-bonding follow that lead */
4004 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4005 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4006 return conn->remote_auth | (conn->auth_type & 0x01);
4008 /* If both remote and local have enough IO capabilities, require
4011 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4012 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4013 return conn->remote_auth | 0x01;
4015 /* No MITM protection possible so ignore remote requirement */
4016 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4019 static u8 bredr_oob_data_present(struct hci_conn *conn)
4021 struct hci_dev *hdev = conn->hdev;
4022 struct oob_data *data;
4024 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4028 if (bredr_sc_enabled(hdev)) {
4029 /* When Secure Connections is enabled, then just
4030 * return the present value stored with the OOB
4031 * data. The stored value contains the right present
4032 * information. However it can only be trusted when
4033 * not in Secure Connection Only mode.
4035 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4036 return data->present;
4038 /* When Secure Connections Only mode is enabled, then
4039 * the P-256 values are required. If they are not
4040 * available, then do not declare that OOB data is
4043 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4044 !memcmp(data->hash256, ZERO_KEY, 16))
4050 /* When Secure Connections is not enabled or actually
4051 * not supported by the hardware, then check that if
4052 * P-192 data values are present.
4054 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4055 !memcmp(data->hash192, ZERO_KEY, 16))
4061 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4063 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4064 struct hci_conn *conn;
4066 BT_DBG("%s", hdev->name);
4070 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4074 hci_conn_hold(conn);
4076 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4079 /* Allow pairing if we're pairable, the initiators of the
4080 * pairing or if the remote is not requesting bonding.
4082 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4083 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4084 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4085 struct hci_cp_io_capability_reply cp;
4087 bacpy(&cp.bdaddr, &ev->bdaddr);
4088 /* Change the IO capability from KeyboardDisplay
4089 * to DisplayYesNo as it is not supported by BT spec. */
4090 cp.capability = (conn->io_capability == 0x04) ?
4091 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4093 /* If we are initiators, there is no remote information yet */
4094 if (conn->remote_auth == 0xff) {
4095 /* Request MITM protection if our IO caps allow it
4096 * except for the no-bonding case.
4098 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4099 conn->auth_type != HCI_AT_NO_BONDING)
4100 conn->auth_type |= 0x01;
4102 conn->auth_type = hci_get_auth_req(conn);
4105 /* If we're not bondable, force one of the non-bondable
4106 * authentication requirement values.
4108 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4109 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4111 cp.authentication = conn->auth_type;
4112 cp.oob_data = bredr_oob_data_present(conn);
4114 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4117 struct hci_cp_io_capability_neg_reply cp;
4119 bacpy(&cp.bdaddr, &ev->bdaddr);
4120 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4122 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4127 hci_dev_unlock(hdev);
4130 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4132 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4133 struct hci_conn *conn;
4135 BT_DBG("%s", hdev->name);
4139 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4143 conn->remote_cap = ev->capability;
4144 conn->remote_auth = ev->authentication;
4147 hci_dev_unlock(hdev);
4150 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4151 struct sk_buff *skb)
4153 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4154 int loc_mitm, rem_mitm, confirm_hint = 0;
4155 struct hci_conn *conn;
4157 BT_DBG("%s", hdev->name);
4161 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4164 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4168 loc_mitm = (conn->auth_type & 0x01);
4169 rem_mitm = (conn->remote_auth & 0x01);
4171 /* If we require MITM but the remote device can't provide that
4172 * (it has NoInputNoOutput) then reject the confirmation
4173 * request. We check the security level here since it doesn't
4174 * necessarily match conn->auth_type.
4176 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4177 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4178 BT_DBG("Rejecting request: remote device can't provide MITM");
4179 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4180 sizeof(ev->bdaddr), &ev->bdaddr);
4184 /* If no side requires MITM protection; auto-accept */
4185 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4186 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4188 /* If we're not the initiators request authorization to
4189 * proceed from user space (mgmt_user_confirm with
4190 * confirm_hint set to 1). The exception is if neither
4191 * side had MITM or if the local IO capability is
4192 * NoInputNoOutput, in which case we do auto-accept
4194 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4195 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4196 (loc_mitm || rem_mitm)) {
4197 BT_DBG("Confirming auto-accept as acceptor");
4202 BT_DBG("Auto-accept of user confirmation with %ums delay",
4203 hdev->auto_accept_delay);
4205 if (hdev->auto_accept_delay > 0) {
4206 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4207 queue_delayed_work(conn->hdev->workqueue,
4208 &conn->auto_accept_work, delay);
4212 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4213 sizeof(ev->bdaddr), &ev->bdaddr);
4218 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4219 le32_to_cpu(ev->passkey), confirm_hint);
4222 hci_dev_unlock(hdev);
4225 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4226 struct sk_buff *skb)
4228 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4230 BT_DBG("%s", hdev->name);
4232 if (hci_dev_test_flag(hdev, HCI_MGMT))
4233 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4236 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4237 struct sk_buff *skb)
4239 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4240 struct hci_conn *conn;
4242 BT_DBG("%s", hdev->name);
4244 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4248 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4249 conn->passkey_entered = 0;
4251 if (hci_dev_test_flag(hdev, HCI_MGMT))
4252 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4253 conn->dst_type, conn->passkey_notify,
4254 conn->passkey_entered);
4257 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4259 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4260 struct hci_conn *conn;
4262 BT_DBG("%s", hdev->name);
4264 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4269 case HCI_KEYPRESS_STARTED:
4270 conn->passkey_entered = 0;
4273 case HCI_KEYPRESS_ENTERED:
4274 conn->passkey_entered++;
4277 case HCI_KEYPRESS_ERASED:
4278 conn->passkey_entered--;
4281 case HCI_KEYPRESS_CLEARED:
4282 conn->passkey_entered = 0;
4285 case HCI_KEYPRESS_COMPLETED:
4289 if (hci_dev_test_flag(hdev, HCI_MGMT))
4290 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4291 conn->dst_type, conn->passkey_notify,
4292 conn->passkey_entered);
4295 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4296 struct sk_buff *skb)
4298 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4299 struct hci_conn *conn;
4301 BT_DBG("%s", hdev->name);
4305 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4309 /* Reset the authentication requirement to unknown */
4310 conn->remote_auth = 0xff;
4312 /* To avoid duplicate auth_failed events to user space we check
4313 * the HCI_CONN_AUTH_PEND flag which will be set if we
4314 * initiated the authentication. A traditional auth_complete
4315 * event gets always produced as initiator and is also mapped to
4316 * the mgmt_auth_failed event */
4317 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4318 mgmt_auth_failed(conn, ev->status);
4320 hci_conn_drop(conn);
4323 hci_dev_unlock(hdev);
4326 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4327 struct sk_buff *skb)
4329 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4330 struct inquiry_entry *ie;
4331 struct hci_conn *conn;
4333 BT_DBG("%s", hdev->name);
4337 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4339 memcpy(conn->features[1], ev->features, 8);
4341 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4343 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4345 hci_dev_unlock(hdev);
4348 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4349 struct sk_buff *skb)
4351 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4352 struct oob_data *data;
4354 BT_DBG("%s", hdev->name);
4358 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4361 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4363 struct hci_cp_remote_oob_data_neg_reply cp;
4365 bacpy(&cp.bdaddr, &ev->bdaddr);
4366 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4371 if (bredr_sc_enabled(hdev)) {
4372 struct hci_cp_remote_oob_ext_data_reply cp;
4374 bacpy(&cp.bdaddr, &ev->bdaddr);
4375 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4376 memset(cp.hash192, 0, sizeof(cp.hash192));
4377 memset(cp.rand192, 0, sizeof(cp.rand192));
4379 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4380 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4382 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4383 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4385 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4388 struct hci_cp_remote_oob_data_reply cp;
4390 bacpy(&cp.bdaddr, &ev->bdaddr);
4391 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4392 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4394 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4399 hci_dev_unlock(hdev);
4402 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4403 struct sk_buff *skb)
4405 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4406 struct hci_conn *hcon, *bredr_hcon;
4408 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4413 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4415 hci_dev_unlock(hdev);
4421 hci_dev_unlock(hdev);
4425 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4427 hcon->state = BT_CONNECTED;
4428 bacpy(&hcon->dst, &bredr_hcon->dst);
4430 hci_conn_hold(hcon);
4431 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4432 hci_conn_drop(hcon);
4434 hci_debugfs_create_conn(hcon);
4435 hci_conn_add_sysfs(hcon);
4437 amp_physical_cfm(bredr_hcon, hcon);
4439 hci_dev_unlock(hdev);
4442 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4444 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4445 struct hci_conn *hcon;
4446 struct hci_chan *hchan;
4447 struct amp_mgr *mgr;
4449 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4450 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4453 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4457 /* Create AMP hchan */
4458 hchan = hci_chan_create(hcon);
4462 hchan->handle = le16_to_cpu(ev->handle);
4464 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4466 mgr = hcon->amp_mgr;
4467 if (mgr && mgr->bredr_chan) {
4468 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4470 l2cap_chan_lock(bredr_chan);
4472 bredr_chan->conn->mtu = hdev->block_mtu;
4473 l2cap_logical_cfm(bredr_chan, hchan, 0);
4474 hci_conn_hold(hcon);
4476 l2cap_chan_unlock(bredr_chan);
4480 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4481 struct sk_buff *skb)
4483 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4484 struct hci_chan *hchan;
4486 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4487 le16_to_cpu(ev->handle), ev->status);
4494 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4498 amp_destroy_logical_link(hchan, ev->reason);
4501 hci_dev_unlock(hdev);
4504 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4505 struct sk_buff *skb)
4507 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4508 struct hci_conn *hcon;
4510 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4517 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4519 hcon->state = BT_CLOSED;
4523 hci_dev_unlock(hdev);
4526 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4528 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4529 struct hci_conn_params *params;
4530 struct hci_conn *conn;
4531 struct smp_irk *irk;
4534 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4538 /* All controllers implicitly stop advertising in the event of a
4539 * connection, so ensure that the state bit is cleared.
4541 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4543 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
4545 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4547 BT_ERR("No memory for new connection");
4551 conn->dst_type = ev->bdaddr_type;
4553 /* If we didn't have a hci_conn object previously
4554 * but we're in master role this must be something
4555 * initiated using a white list. Since white list based
4556 * connections are not "first class citizens" we don't
4557 * have full tracking of them. Therefore, we go ahead
4558 * with a "best effort" approach of determining the
4559 * initiator address based on the HCI_PRIVACY flag.
4562 conn->resp_addr_type = ev->bdaddr_type;
4563 bacpy(&conn->resp_addr, &ev->bdaddr);
4564 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4565 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4566 bacpy(&conn->init_addr, &hdev->rpa);
4568 hci_copy_identity_address(hdev,
4570 &conn->init_addr_type);
4574 cancel_delayed_work(&conn->le_conn_timeout);
4578 /* Set the responder (our side) address type based on
4579 * the advertising address type.
4581 conn->resp_addr_type = hdev->adv_addr_type;
4582 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4583 bacpy(&conn->resp_addr, &hdev->random_addr);
4585 bacpy(&conn->resp_addr, &hdev->bdaddr);
4587 conn->init_addr_type = ev->bdaddr_type;
4588 bacpy(&conn->init_addr, &ev->bdaddr);
4590 /* For incoming connections, set the default minimum
4591 * and maximum connection interval. They will be used
4592 * to check if the parameters are in range and if not
4593 * trigger the connection update procedure.
4595 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4596 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4599 /* Lookup the identity address from the stored connection
4600 * address and address type.
4602 * When establishing connections to an identity address, the
4603 * connection procedure will store the resolvable random
4604 * address first. Now if it can be converted back into the
4605 * identity address, start using the identity address from
4608 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4610 bacpy(&conn->dst, &irk->bdaddr);
4611 conn->dst_type = irk->addr_type;
4615 hci_le_conn_failed(conn, ev->status);
4619 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4620 addr_type = BDADDR_LE_PUBLIC;
4622 addr_type = BDADDR_LE_RANDOM;
4624 /* Drop the connection if the device is blocked */
4625 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4626 hci_conn_drop(conn);
4630 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4631 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4633 conn->sec_level = BT_SECURITY_LOW;
4634 conn->handle = __le16_to_cpu(ev->handle);
4635 conn->state = BT_CONFIG;
4637 conn->le_conn_interval = le16_to_cpu(ev->interval);
4638 conn->le_conn_latency = le16_to_cpu(ev->latency);
4639 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4641 hci_debugfs_create_conn(conn);
4642 hci_conn_add_sysfs(conn);
4645 /* The remote features procedure is defined for master
4646 * role only. So only in case of an initiated connection
4647 * request the remote features.
4649 * If the local controller supports slave-initiated features
4650 * exchange, then requesting the remote features in slave
4651 * role is possible. Otherwise just transition into the
4652 * connected state without requesting the remote features.
4655 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4656 struct hci_cp_le_read_remote_features cp;
4658 cp.handle = __cpu_to_le16(conn->handle);
4660 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4663 hci_conn_hold(conn);
4665 conn->state = BT_CONNECTED;
4666 hci_connect_cfm(conn, ev->status);
4669 hci_connect_cfm(conn, ev->status);
4672 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4675 list_del_init(¶ms->action);
4677 hci_conn_drop(params->conn);
4678 hci_conn_put(params->conn);
4679 params->conn = NULL;
4684 hci_update_background_scan(hdev);
4685 hci_dev_unlock(hdev);
4688 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4689 struct sk_buff *skb)
4691 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4692 struct hci_conn *conn;
4694 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4701 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4703 conn->le_conn_interval = le16_to_cpu(ev->interval);
4704 conn->le_conn_latency = le16_to_cpu(ev->latency);
4705 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4708 hci_dev_unlock(hdev);
4711 /* This function requires the caller holds hdev->lock */
4712 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4714 u8 addr_type, u8 adv_type)
4716 struct hci_conn *conn;
4717 struct hci_conn_params *params;
4719 /* If the event is not connectable don't proceed further */
4720 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4723 /* Ignore if the device is blocked */
4724 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4727 /* Most controller will fail if we try to create new connections
4728 * while we have an existing one in slave role.
4730 if (hdev->conn_hash.le_num_slave > 0)
4733 /* If we're not connectable only connect devices that we have in
4734 * our pend_le_conns list.
4736 params = hci_pend_le_action_lookup(&hdev->pend_le_conns,
4741 switch (params->auto_connect) {
4742 case HCI_AUTO_CONN_DIRECT:
4743 /* Only devices advertising with ADV_DIRECT_IND are
4744 * triggering a connection attempt. This is allowing
4745 * incoming connections from slave devices.
4747 if (adv_type != LE_ADV_DIRECT_IND)
4750 case HCI_AUTO_CONN_ALWAYS:
4751 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4752 * are triggering a connection attempt. This means
4753 * that incoming connectioms from slave device are
4754 * accepted and also outgoing connections to slave
4755 * devices are established when found.
4762 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4763 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4764 if (!IS_ERR(conn)) {
4765 /* Store the pointer since we don't really have any
4766 * other owner of the object besides the params that
4767 * triggered it. This way we can abort the connection if
4768 * the parameters get removed and keep the reference
4769 * count consistent once the connection is established.
4771 params->conn = hci_conn_get(conn);
4775 switch (PTR_ERR(conn)) {
4777 /* If hci_connect() returns -EBUSY it means there is already
4778 * an LE connection attempt going on. Since controllers don't
4779 * support more than one connection attempt at the time, we
4780 * don't consider this an error case.
4784 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4791 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4792 u8 bdaddr_type, bdaddr_t *direct_addr,
4793 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4795 struct discovery_state *d = &hdev->discovery;
4796 struct smp_irk *irk;
4797 struct hci_conn *conn;
4801 /* If the direct address is present, then this report is from
4802 * a LE Direct Advertising Report event. In that case it is
4803 * important to see if the address is matching the local
4804 * controller address.
4807 /* Only resolvable random addresses are valid for these
4808 * kind of reports and others can be ignored.
4810 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4813 /* If the controller is not using resolvable random
4814 * addresses, then this report can be ignored.
4816 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4819 /* If the local IRK of the controller does not match
4820 * with the resolvable random address provided, then
4821 * this report can be ignored.
4823 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4827 /* Check if we need to convert to identity address */
4828 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4830 bdaddr = &irk->bdaddr;
4831 bdaddr_type = irk->addr_type;
4834 /* Check if we have been requested to connect to this device */
4835 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4836 if (conn && type == LE_ADV_IND) {
4837 /* Store report for later inclusion by
4838 * mgmt_device_connected
4840 memcpy(conn->le_adv_data, data, len);
4841 conn->le_adv_data_len = len;
4844 /* Passive scanning shouldn't trigger any device found events,
4845 * except for devices marked as CONN_REPORT for which we do send
4846 * device found events.
4848 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4849 if (type == LE_ADV_DIRECT_IND)
4852 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4853 bdaddr, bdaddr_type))
4856 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4857 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4860 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4861 rssi, flags, data, len, NULL, 0);
4865 /* When receiving non-connectable or scannable undirected
4866 * advertising reports, this means that the remote device is
4867 * not connectable and then clearly indicate this in the
4868 * device found event.
4870 * When receiving a scan response, then there is no way to
4871 * know if the remote device is connectable or not. However
4872 * since scan responses are merged with a previously seen
4873 * advertising report, the flags field from that report
4876 * In the really unlikely case that a controller get confused
4877 * and just sends a scan response event, then it is marked as
4878 * not connectable as well.
4880 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4881 type == LE_ADV_SCAN_RSP)
4882 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4886 /* If there's nothing pending either store the data from this
4887 * event or send an immediate device found event if the data
4888 * should not be stored for later.
4890 if (!has_pending_adv_report(hdev)) {
4891 /* If the report will trigger a SCAN_REQ store it for
4894 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4895 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4896 rssi, flags, data, len);
4900 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4901 rssi, flags, data, len, NULL, 0);
4905 /* Check if the pending report is for the same device as the new one */
4906 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4907 bdaddr_type == d->last_adv_addr_type);
4909 /* If the pending data doesn't match this report or this isn't a
4910 * scan response (e.g. we got a duplicate ADV_IND) then force
4911 * sending of the pending data.
4913 if (type != LE_ADV_SCAN_RSP || !match) {
4914 /* Send out whatever is in the cache, but skip duplicates */
4916 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4917 d->last_adv_addr_type, NULL,
4918 d->last_adv_rssi, d->last_adv_flags,
4920 d->last_adv_data_len, NULL, 0);
4922 /* If the new report will trigger a SCAN_REQ store it for
4925 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4926 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4927 rssi, flags, data, len);
4931 /* The advertising reports cannot be merged, so clear
4932 * the pending report and send out a device found event.
4934 clear_pending_adv_report(hdev);
4935 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4936 rssi, flags, data, len, NULL, 0);
4940 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4941 * the new event is a SCAN_RSP. We can therefore proceed with
4942 * sending a merged device found event.
4944 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4945 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4946 d->last_adv_data, d->last_adv_data_len, data, len);
4947 clear_pending_adv_report(hdev);
4950 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4952 u8 num_reports = skb->data[0];
4953 void *ptr = &skb->data[1];
4957 while (num_reports--) {
4958 struct hci_ev_le_advertising_info *ev = ptr;
4961 rssi = ev->data[ev->length];
4962 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4963 ev->bdaddr_type, NULL, 0, rssi,
4964 ev->data, ev->length);
4966 ptr += sizeof(*ev) + ev->length + 1;
4969 hci_dev_unlock(hdev);
4972 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4973 struct sk_buff *skb)
4975 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4976 struct hci_conn *conn;
4978 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4982 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4985 memcpy(conn->features[0], ev->features, 8);
4987 if (conn->state == BT_CONFIG) {
4990 /* If the local controller supports slave-initiated
4991 * features exchange, but the remote controller does
4992 * not, then it is possible that the error code 0x1a
4993 * for unsupported remote feature gets returned.
4995 * In this specific case, allow the connection to
4996 * transition into connected state and mark it as
4999 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5000 !conn->out && ev->status == 0x1a)
5003 status = ev->status;
5005 conn->state = BT_CONNECTED;
5006 hci_connect_cfm(conn, status);
5007 hci_conn_drop(conn);
5011 hci_dev_unlock(hdev);
5014 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5016 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5017 struct hci_cp_le_ltk_reply cp;
5018 struct hci_cp_le_ltk_neg_reply neg;
5019 struct hci_conn *conn;
5020 struct smp_ltk *ltk;
5022 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5026 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5030 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5034 if (smp_ltk_is_sc(ltk)) {
5035 /* With SC both EDiv and Rand are set to zero */
5036 if (ev->ediv || ev->rand)
5039 /* For non-SC keys check that EDiv and Rand match */
5040 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5044 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5045 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5046 cp.handle = cpu_to_le16(conn->handle);
5048 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5050 conn->enc_key_size = ltk->enc_size;
5052 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5054 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5055 * temporary key used to encrypt a connection following
5056 * pairing. It is used during the Encrypted Session Setup to
5057 * distribute the keys. Later, security can be re-established
5058 * using a distributed LTK.
5060 if (ltk->type == SMP_STK) {
5061 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5062 list_del_rcu(<k->list);
5063 kfree_rcu(ltk, rcu);
5065 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5068 hci_dev_unlock(hdev);
5073 neg.handle = ev->handle;
5074 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5075 hci_dev_unlock(hdev);
5078 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5081 struct hci_cp_le_conn_param_req_neg_reply cp;
5083 cp.handle = cpu_to_le16(handle);
5086 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5090 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5091 struct sk_buff *skb)
5093 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5094 struct hci_cp_le_conn_param_req_reply cp;
5095 struct hci_conn *hcon;
5096 u16 handle, min, max, latency, timeout;
5098 handle = le16_to_cpu(ev->handle);
5099 min = le16_to_cpu(ev->interval_min);
5100 max = le16_to_cpu(ev->interval_max);
5101 latency = le16_to_cpu(ev->latency);
5102 timeout = le16_to_cpu(ev->timeout);
5104 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5105 if (!hcon || hcon->state != BT_CONNECTED)
5106 return send_conn_param_neg_reply(hdev, handle,
5107 HCI_ERROR_UNKNOWN_CONN_ID);
5109 if (hci_check_conn_params(min, max, latency, timeout))
5110 return send_conn_param_neg_reply(hdev, handle,
5111 HCI_ERROR_INVALID_LL_PARAMS);
5113 if (hcon->role == HCI_ROLE_MASTER) {
5114 struct hci_conn_params *params;
5119 params = hci_conn_params_lookup(hdev, &hcon->dst,
5122 params->conn_min_interval = min;
5123 params->conn_max_interval = max;
5124 params->conn_latency = latency;
5125 params->supervision_timeout = timeout;
5131 hci_dev_unlock(hdev);
5133 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5134 store_hint, min, max, latency, timeout);
5137 cp.handle = ev->handle;
5138 cp.interval_min = ev->interval_min;
5139 cp.interval_max = ev->interval_max;
5140 cp.latency = ev->latency;
5141 cp.timeout = ev->timeout;
5145 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5148 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5149 struct sk_buff *skb)
5151 u8 num_reports = skb->data[0];
5152 void *ptr = &skb->data[1];
5156 while (num_reports--) {
5157 struct hci_ev_le_direct_adv_info *ev = ptr;
5159 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5160 ev->bdaddr_type, &ev->direct_addr,
5161 ev->direct_addr_type, ev->rssi, NULL, 0);
5166 hci_dev_unlock(hdev);
5169 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5171 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5173 skb_pull(skb, sizeof(*le_ev));
5175 switch (le_ev->subevent) {
5176 case HCI_EV_LE_CONN_COMPLETE:
5177 hci_le_conn_complete_evt(hdev, skb);
5180 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5181 hci_le_conn_update_complete_evt(hdev, skb);
5184 case HCI_EV_LE_ADVERTISING_REPORT:
5185 hci_le_adv_report_evt(hdev, skb);
5188 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5189 hci_le_remote_feat_complete_evt(hdev, skb);
5192 case HCI_EV_LE_LTK_REQ:
5193 hci_le_ltk_request_evt(hdev, skb);
5196 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5197 hci_le_remote_conn_param_req_evt(hdev, skb);
5200 case HCI_EV_LE_DIRECT_ADV_REPORT:
5201 hci_le_direct_adv_report_evt(hdev, skb);
5209 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
5211 struct hci_ev_channel_selected *ev = (void *) skb->data;
5212 struct hci_conn *hcon;
5214 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
5216 skb_pull(skb, sizeof(*ev));
5218 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5222 amp_read_loc_assoc_final_data(hdev, hcon);
5225 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5226 u8 event, struct sk_buff *skb)
5228 struct hci_ev_cmd_complete *ev;
5229 struct hci_event_hdr *hdr;
5234 if (skb->len < sizeof(*hdr)) {
5235 BT_ERR("Too short HCI event");
5239 hdr = (void *) skb->data;
5240 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5243 if (hdr->evt != event)
5248 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5249 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5253 if (skb->len < sizeof(*ev)) {
5254 BT_ERR("Too short cmd_complete event");
5258 ev = (void *) skb->data;
5259 skb_pull(skb, sizeof(*ev));
5261 if (opcode != __le16_to_cpu(ev->opcode)) {
5262 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5263 __le16_to_cpu(ev->opcode));
5270 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5272 struct hci_event_hdr *hdr = (void *) skb->data;
5273 hci_req_complete_t req_complete = NULL;
5274 hci_req_complete_skb_t req_complete_skb = NULL;
5275 struct sk_buff *orig_skb = NULL;
5276 u8 status = 0, event = hdr->evt, req_evt = 0;
5277 u16 opcode = HCI_OP_NOP;
5279 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
5280 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5281 opcode = __le16_to_cpu(cmd_hdr->opcode);
5282 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5287 /* If it looks like we might end up having to call
5288 * req_complete_skb, store a pristine copy of the skb since the
5289 * various handlers may modify the original one through
5290 * skb_pull() calls, etc.
5292 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5293 event == HCI_EV_CMD_COMPLETE)
5294 orig_skb = skb_clone(skb, GFP_KERNEL);
5296 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5299 case HCI_EV_INQUIRY_COMPLETE:
5300 hci_inquiry_complete_evt(hdev, skb);
5303 case HCI_EV_INQUIRY_RESULT:
5304 hci_inquiry_result_evt(hdev, skb);
5307 case HCI_EV_CONN_COMPLETE:
5308 hci_conn_complete_evt(hdev, skb);
5311 case HCI_EV_CONN_REQUEST:
5312 hci_conn_request_evt(hdev, skb);
5315 case HCI_EV_DISCONN_COMPLETE:
5316 hci_disconn_complete_evt(hdev, skb);
5319 case HCI_EV_AUTH_COMPLETE:
5320 hci_auth_complete_evt(hdev, skb);
5323 case HCI_EV_REMOTE_NAME:
5324 hci_remote_name_evt(hdev, skb);
5327 case HCI_EV_ENCRYPT_CHANGE:
5328 hci_encrypt_change_evt(hdev, skb);
5331 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5332 hci_change_link_key_complete_evt(hdev, skb);
5335 case HCI_EV_REMOTE_FEATURES:
5336 hci_remote_features_evt(hdev, skb);
5339 case HCI_EV_CMD_COMPLETE:
5340 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5341 &req_complete, &req_complete_skb);
5344 case HCI_EV_CMD_STATUS:
5345 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5349 case HCI_EV_HARDWARE_ERROR:
5350 hci_hardware_error_evt(hdev, skb);
5353 case HCI_EV_ROLE_CHANGE:
5354 hci_role_change_evt(hdev, skb);
5357 case HCI_EV_NUM_COMP_PKTS:
5358 hci_num_comp_pkts_evt(hdev, skb);
5361 case HCI_EV_MODE_CHANGE:
5362 hci_mode_change_evt(hdev, skb);
5365 case HCI_EV_PIN_CODE_REQ:
5366 hci_pin_code_request_evt(hdev, skb);
5369 case HCI_EV_LINK_KEY_REQ:
5370 hci_link_key_request_evt(hdev, skb);
5373 case HCI_EV_LINK_KEY_NOTIFY:
5374 hci_link_key_notify_evt(hdev, skb);
5377 case HCI_EV_CLOCK_OFFSET:
5378 hci_clock_offset_evt(hdev, skb);
5381 case HCI_EV_PKT_TYPE_CHANGE:
5382 hci_pkt_type_change_evt(hdev, skb);
5385 case HCI_EV_PSCAN_REP_MODE:
5386 hci_pscan_rep_mode_evt(hdev, skb);
5389 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5390 hci_inquiry_result_with_rssi_evt(hdev, skb);
5393 case HCI_EV_REMOTE_EXT_FEATURES:
5394 hci_remote_ext_features_evt(hdev, skb);
5397 case HCI_EV_SYNC_CONN_COMPLETE:
5398 hci_sync_conn_complete_evt(hdev, skb);
5401 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5402 hci_extended_inquiry_result_evt(hdev, skb);
5405 case HCI_EV_KEY_REFRESH_COMPLETE:
5406 hci_key_refresh_complete_evt(hdev, skb);
5409 case HCI_EV_IO_CAPA_REQUEST:
5410 hci_io_capa_request_evt(hdev, skb);
5413 case HCI_EV_IO_CAPA_REPLY:
5414 hci_io_capa_reply_evt(hdev, skb);
5417 case HCI_EV_USER_CONFIRM_REQUEST:
5418 hci_user_confirm_request_evt(hdev, skb);
5421 case HCI_EV_USER_PASSKEY_REQUEST:
5422 hci_user_passkey_request_evt(hdev, skb);
5425 case HCI_EV_USER_PASSKEY_NOTIFY:
5426 hci_user_passkey_notify_evt(hdev, skb);
5429 case HCI_EV_KEYPRESS_NOTIFY:
5430 hci_keypress_notify_evt(hdev, skb);
5433 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5434 hci_simple_pair_complete_evt(hdev, skb);
5437 case HCI_EV_REMOTE_HOST_FEATURES:
5438 hci_remote_host_features_evt(hdev, skb);
5441 case HCI_EV_LE_META:
5442 hci_le_meta_evt(hdev, skb);
5445 case HCI_EV_CHANNEL_SELECTED:
5446 hci_chan_selected_evt(hdev, skb);
5449 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5450 hci_remote_oob_data_request_evt(hdev, skb);
5453 case HCI_EV_PHY_LINK_COMPLETE:
5454 hci_phy_link_complete_evt(hdev, skb);
5457 case HCI_EV_LOGICAL_LINK_COMPLETE:
5458 hci_loglink_complete_evt(hdev, skb);
5461 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5462 hci_disconn_loglink_complete_evt(hdev, skb);
5465 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5466 hci_disconn_phylink_complete_evt(hdev, skb);
5469 case HCI_EV_NUM_COMP_BLOCKS:
5470 hci_num_comp_blocks_evt(hdev, skb);
5474 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5479 req_complete(hdev, status, opcode);
5480 } else if (req_complete_skb) {
5481 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5482 kfree_skb(orig_skb);
5485 req_complete_skb(hdev, status, opcode, orig_skb);
5488 kfree_skb(orig_skb);
5490 hdev->stat.evt_rx++;
OSDN Git Service
