1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI event handling. */ 27 28 #include <asm/unaligned.h> 29 #include <linux/crypto.h> 30 #include <crypto/algapi.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "hci_request.h" 37 #include "hci_debugfs.h" 38 #include "hci_codec.h" 39 #include "smp.h" 40 #include "msft.h" 41 #include "eir.h" 42 43 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 44 "\x00\x00\x00\x00\x00\x00\x00\x00" 45 46 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000) 47 48 /* Handle HCI Event packets */ 49 hci_ev_skb_pull(struct hci_dev * hdev,struct sk_buff * skb,u8 ev,size_t len)50 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 51 u8 ev, size_t len) 52 { 53 void *data; 54 55 data = skb_pull_data(skb, len); 56 if (!data) 57 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev); 58 59 return data; 60 } 61 hci_cc_skb_pull(struct hci_dev * hdev,struct sk_buff * skb,u16 op,size_t len)62 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 63 u16 op, size_t len) 64 { 65 void *data; 66 67 data = skb_pull_data(skb, len); 68 if (!data) 69 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op); 70 71 return data; 72 } 73 hci_le_ev_skb_pull(struct hci_dev * hdev,struct sk_buff * skb,u8 ev,size_t len)74 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 75 u8 ev, size_t len) 76 { 77 void *data; 78 79 data = skb_pull_data(skb, len); 80 if (!data) 81 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev); 82 83 return data; 84 } 85 hci_cc_inquiry_cancel(struct hci_dev * hdev,void * data,struct sk_buff * skb)86 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data, 87 struct sk_buff *skb) 88 { 89 struct hci_ev_status *rp = data; 90 91 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 92 93 /* It is possible that we receive Inquiry Complete event right 94 * before we receive Inquiry Cancel Command Complete event, in 95 * which case the latter event should have status of Command 96 * Disallowed. This should not be treated as error, since 97 * we actually achieve what Inquiry Cancel wants to achieve, 98 * which is to end the last Inquiry session. 99 */ 100 if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) { 101 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 102 rp->status = 0x00; 103 } 104 105 if (rp->status) 106 return rp->status; 107 108 clear_bit(HCI_INQUIRY, &hdev->flags); 109 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 110 wake_up_bit(&hdev->flags, HCI_INQUIRY); 111 112 hci_dev_lock(hdev); 113 /* Set discovery state to stopped if we're not doing LE active 114 * scanning. 115 */ 116 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 117 hdev->le_scan_type != LE_SCAN_ACTIVE) 118 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 119 hci_dev_unlock(hdev); 120 121 return rp->status; 122 } 123 hci_cc_periodic_inq(struct hci_dev * hdev,void * data,struct sk_buff * skb)124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data, 125 struct sk_buff *skb) 126 { 127 struct hci_ev_status *rp = data; 128 129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 130 131 if (rp->status) 132 return rp->status; 133 134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 135 136 return rp->status; 137 } 138 hci_cc_exit_periodic_inq(struct hci_dev * hdev,void * data,struct sk_buff * skb)139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data, 140 struct sk_buff *skb) 141 { 142 struct hci_ev_status *rp = data; 143 144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 145 146 if (rp->status) 147 return rp->status; 148 149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 150 151 return rp->status; 152 } 153 hci_cc_remote_name_req_cancel(struct hci_dev * hdev,void * data,struct sk_buff * skb)154 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data, 155 struct sk_buff *skb) 156 { 157 struct hci_ev_status *rp = data; 158 159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 160 161 return rp->status; 162 } 163 hci_cc_role_discovery(struct hci_dev * hdev,void * data,struct sk_buff * skb)164 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data, 165 struct sk_buff *skb) 166 { 167 struct hci_rp_role_discovery *rp = data; 168 struct hci_conn *conn; 169 170 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 171 172 if (rp->status) 173 return rp->status; 174 175 hci_dev_lock(hdev); 176 177 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 178 if (conn) 179 conn->role = rp->role; 180 181 hci_dev_unlock(hdev); 182 183 return rp->status; 184 } 185 hci_cc_read_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)186 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data, 187 struct sk_buff *skb) 188 { 189 struct hci_rp_read_link_policy *rp = data; 190 struct hci_conn *conn; 191 192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 193 194 if (rp->status) 195 return rp->status; 196 197 hci_dev_lock(hdev); 198 199 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 200 if (conn) 201 conn->link_policy = __le16_to_cpu(rp->policy); 202 203 hci_dev_unlock(hdev); 204 205 return rp->status; 206 } 207 hci_cc_write_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)208 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data, 209 struct sk_buff *skb) 210 { 211 struct hci_rp_write_link_policy *rp = data; 212 struct hci_conn *conn; 213 void *sent; 214 215 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 216 217 if (rp->status) 218 return rp->status; 219 220 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 221 if (!sent) 222 return rp->status; 223 224 hci_dev_lock(hdev); 225 226 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 227 if (conn) 228 conn->link_policy = get_unaligned_le16(sent + 2); 229 230 hci_dev_unlock(hdev); 231 232 return rp->status; 233 } 234 hci_cc_read_def_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)235 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data, 236 struct sk_buff *skb) 237 { 238 struct hci_rp_read_def_link_policy *rp = data; 239 240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 241 242 if (rp->status) 243 return rp->status; 244 245 hdev->link_policy = __le16_to_cpu(rp->policy); 246 247 return rp->status; 248 } 249 hci_cc_write_def_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)250 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data, 251 struct sk_buff *skb) 252 { 253 struct hci_ev_status *rp = data; 254 void *sent; 255 256 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 257 258 if (rp->status) 259 return rp->status; 260 261 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 262 if (!sent) 263 return rp->status; 264 265 hdev->link_policy = get_unaligned_le16(sent); 266 267 return rp->status; 268 } 269 hci_cc_reset(struct hci_dev * hdev,void * data,struct sk_buff * skb)270 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb) 271 { 272 struct hci_ev_status *rp = data; 273 274 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 275 276 clear_bit(HCI_RESET, &hdev->flags); 277 278 if (rp->status) 279 return rp->status; 280 281 /* Reset all non-persistent flags */ 282 hci_dev_clear_volatile_flags(hdev); 283 284 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 285 286 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 287 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 288 289 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 290 hdev->adv_data_len = 0; 291 292 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 293 hdev->scan_rsp_data_len = 0; 294 295 hdev->le_scan_type = LE_SCAN_PASSIVE; 296 297 hdev->ssp_debug_mode = 0; 298 299 hci_bdaddr_list_clear(&hdev->le_accept_list); 300 hci_bdaddr_list_clear(&hdev->le_resolv_list); 301 302 return rp->status; 303 } 304 hci_cc_read_stored_link_key(struct hci_dev * hdev,void * data,struct sk_buff * skb)305 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data, 306 struct sk_buff *skb) 307 { 308 struct hci_rp_read_stored_link_key *rp = data; 309 struct hci_cp_read_stored_link_key *sent; 310 311 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 312 313 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 314 if (!sent) 315 return rp->status; 316 317 if (!rp->status && sent->read_all == 0x01) { 318 hdev->stored_max_keys = le16_to_cpu(rp->max_keys); 319 hdev->stored_num_keys = le16_to_cpu(rp->num_keys); 320 } 321 322 return rp->status; 323 } 324 hci_cc_delete_stored_link_key(struct hci_dev * hdev,void * data,struct sk_buff * skb)325 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data, 326 struct sk_buff *skb) 327 { 328 struct hci_rp_delete_stored_link_key *rp = data; 329 u16 num_keys; 330 331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 332 333 if (rp->status) 334 return rp->status; 335 336 num_keys = le16_to_cpu(rp->num_keys); 337 338 if (num_keys <= hdev->stored_num_keys) 339 hdev->stored_num_keys -= num_keys; 340 else 341 hdev->stored_num_keys = 0; 342 343 return rp->status; 344 } 345 hci_cc_write_local_name(struct hci_dev * hdev,void * data,struct sk_buff * skb)346 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data, 347 struct sk_buff *skb) 348 { 349 struct hci_ev_status *rp = data; 350 void *sent; 351 352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 353 354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 355 if (!sent) 356 return rp->status; 357 358 hci_dev_lock(hdev); 359 360 if (hci_dev_test_flag(hdev, HCI_MGMT)) 361 mgmt_set_local_name_complete(hdev, sent, rp->status); 362 else if (!rp->status) 363 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 364 365 hci_dev_unlock(hdev); 366 367 return rp->status; 368 } 369 hci_cc_read_local_name(struct hci_dev * hdev,void * data,struct sk_buff * skb)370 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data, 371 struct sk_buff *skb) 372 { 373 struct hci_rp_read_local_name *rp = data; 374 375 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 376 377 if (rp->status) 378 return rp->status; 379 380 if (hci_dev_test_flag(hdev, HCI_SETUP) || 381 hci_dev_test_flag(hdev, HCI_CONFIG)) 382 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 383 384 return rp->status; 385 } 386 hci_cc_write_auth_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)387 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data, 388 struct sk_buff *skb) 389 { 390 struct hci_ev_status *rp = data; 391 void *sent; 392 393 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 394 395 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 396 if (!sent) 397 return rp->status; 398 399 hci_dev_lock(hdev); 400 401 if (!rp->status) { 402 __u8 param = *((__u8 *) sent); 403 404 if (param == AUTH_ENABLED) 405 set_bit(HCI_AUTH, &hdev->flags); 406 else 407 clear_bit(HCI_AUTH, &hdev->flags); 408 } 409 410 if (hci_dev_test_flag(hdev, HCI_MGMT)) 411 mgmt_auth_enable_complete(hdev, rp->status); 412 413 hci_dev_unlock(hdev); 414 415 return rp->status; 416 } 417 hci_cc_write_encrypt_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)418 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data, 419 struct sk_buff *skb) 420 { 421 struct hci_ev_status *rp = data; 422 __u8 param; 423 void *sent; 424 425 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 426 427 if (rp->status) 428 return rp->status; 429 430 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 431 if (!sent) 432 return rp->status; 433 434 param = *((__u8 *) sent); 435 436 if (param) 437 set_bit(HCI_ENCRYPT, &hdev->flags); 438 else 439 clear_bit(HCI_ENCRYPT, &hdev->flags); 440 441 return rp->status; 442 } 443 hci_cc_write_scan_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)444 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data, 445 struct sk_buff *skb) 446 { 447 struct hci_ev_status *rp = data; 448 __u8 param; 449 void *sent; 450 451 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 452 453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 454 if (!sent) 455 return rp->status; 456 457 param = *((__u8 *) sent); 458 459 hci_dev_lock(hdev); 460 461 if (rp->status) { 462 hdev->discov_timeout = 0; 463 goto done; 464 } 465 466 if (param & SCAN_INQUIRY) 467 set_bit(HCI_ISCAN, &hdev->flags); 468 else 469 clear_bit(HCI_ISCAN, &hdev->flags); 470 471 if (param & SCAN_PAGE) 472 set_bit(HCI_PSCAN, &hdev->flags); 473 else 474 clear_bit(HCI_PSCAN, &hdev->flags); 475 476 done: 477 hci_dev_unlock(hdev); 478 479 return rp->status; 480 } 481 hci_cc_set_event_filter(struct hci_dev * hdev,void * data,struct sk_buff * skb)482 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data, 483 struct sk_buff *skb) 484 { 485 struct hci_ev_status *rp = data; 486 struct hci_cp_set_event_filter *cp; 487 void *sent; 488 489 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 490 491 if (rp->status) 492 return rp->status; 493 494 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT); 495 if (!sent) 496 return rp->status; 497 498 cp = (struct hci_cp_set_event_filter *)sent; 499 500 if (cp->flt_type == HCI_FLT_CLEAR_ALL) 501 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 502 else 503 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 504 505 return rp->status; 506 } 507 hci_cc_read_class_of_dev(struct hci_dev * hdev,void * data,struct sk_buff * skb)508 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, 509 struct sk_buff *skb) 510 { 511 struct hci_rp_read_class_of_dev *rp = data; 512 513 if (WARN_ON(!hdev)) 514 return HCI_ERROR_UNSPECIFIED; 515 516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 517 518 if (rp->status) 519 return rp->status; 520 521 memcpy(hdev->dev_class, rp->dev_class, 3); 522 523 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2], 524 hdev->dev_class[1], hdev->dev_class[0]); 525 526 return rp->status; 527 } 528 hci_cc_write_class_of_dev(struct hci_dev * hdev,void * data,struct sk_buff * skb)529 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data, 530 struct sk_buff *skb) 531 { 532 struct hci_ev_status *rp = data; 533 void *sent; 534 535 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 536 537 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 538 if (!sent) 539 return rp->status; 540 541 hci_dev_lock(hdev); 542 543 if (!rp->status) 544 memcpy(hdev->dev_class, sent, 3); 545 546 if (hci_dev_test_flag(hdev, HCI_MGMT)) 547 mgmt_set_class_of_dev_complete(hdev, sent, rp->status); 548 549 hci_dev_unlock(hdev); 550 551 return rp->status; 552 } 553 hci_cc_read_voice_setting(struct hci_dev * hdev,void * data,struct sk_buff * skb)554 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data, 555 struct sk_buff *skb) 556 { 557 struct hci_rp_read_voice_setting *rp = data; 558 __u16 setting; 559 560 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 561 562 if (rp->status) 563 return rp->status; 564 565 setting = __le16_to_cpu(rp->voice_setting); 566 567 if (hdev->voice_setting == setting) 568 return rp->status; 569 570 hdev->voice_setting = setting; 571 572 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 573 574 if (hdev->notify) 575 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 576 577 return rp->status; 578 } 579 hci_cc_write_voice_setting(struct hci_dev * hdev,void * data,struct sk_buff * skb)580 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data, 581 struct sk_buff *skb) 582 { 583 struct hci_ev_status *rp = data; 584 __u16 setting; 585 void *sent; 586 587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 588 589 if (rp->status) 590 return rp->status; 591 592 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 593 if (!sent) 594 return rp->status; 595 596 setting = get_unaligned_le16(sent); 597 598 if (hdev->voice_setting == setting) 599 return rp->status; 600 601 hdev->voice_setting = setting; 602 603 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 604 605 if (hdev->notify) 606 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 607 608 return rp->status; 609 } 610 hci_cc_read_num_supported_iac(struct hci_dev * hdev,void * data,struct sk_buff * skb)611 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data, 612 struct sk_buff *skb) 613 { 614 struct hci_rp_read_num_supported_iac *rp = data; 615 616 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 617 618 if (rp->status) 619 return rp->status; 620 621 hdev->num_iac = rp->num_iac; 622 623 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac); 624 625 return rp->status; 626 } 627 hci_cc_write_ssp_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)628 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data, 629 struct sk_buff *skb) 630 { 631 struct hci_ev_status *rp = data; 632 struct hci_cp_write_ssp_mode *sent; 633 634 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 635 636 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 637 if (!sent) 638 return rp->status; 639 640 hci_dev_lock(hdev); 641 642 if (!rp->status) { 643 if (sent->mode) 644 hdev->features[1][0] |= LMP_HOST_SSP; 645 else 646 hdev->features[1][0] &= ~LMP_HOST_SSP; 647 } 648 649 if (!rp->status) { 650 if (sent->mode) 651 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 652 else 653 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 654 } 655 656 hci_dev_unlock(hdev); 657 658 return rp->status; 659 } 660 hci_cc_write_sc_support(struct hci_dev * hdev,void * data,struct sk_buff * skb)661 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data, 662 struct sk_buff *skb) 663 { 664 struct hci_ev_status *rp = data; 665 struct hci_cp_write_sc_support *sent; 666 667 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 668 669 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 670 if (!sent) 671 return rp->status; 672 673 hci_dev_lock(hdev); 674 675 if (!rp->status) { 676 if (sent->support) 677 hdev->features[1][0] |= LMP_HOST_SC; 678 else 679 hdev->features[1][0] &= ~LMP_HOST_SC; 680 } 681 682 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) { 683 if (sent->support) 684 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 685 else 686 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 687 } 688 689 hci_dev_unlock(hdev); 690 691 return rp->status; 692 } 693 hci_cc_read_local_version(struct hci_dev * hdev,void * data,struct sk_buff * skb)694 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data, 695 struct sk_buff *skb) 696 { 697 struct hci_rp_read_local_version *rp = data; 698 699 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 700 701 if (rp->status) 702 return rp->status; 703 704 if (hci_dev_test_flag(hdev, HCI_SETUP) || 705 hci_dev_test_flag(hdev, HCI_CONFIG)) { 706 hdev->hci_ver = rp->hci_ver; 707 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 708 hdev->lmp_ver = rp->lmp_ver; 709 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 710 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 711 } 712 713 return rp->status; 714 } 715 hci_cc_read_enc_key_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)716 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data, 717 struct sk_buff *skb) 718 { 719 struct hci_rp_read_enc_key_size *rp = data; 720 struct hci_conn *conn; 721 u16 handle; 722 u8 status = rp->status; 723 724 bt_dev_dbg(hdev, "status 0x%2.2x", status); 725 726 handle = le16_to_cpu(rp->handle); 727 728 hci_dev_lock(hdev); 729 730 conn = hci_conn_hash_lookup_handle(hdev, handle); 731 if (!conn) { 732 status = 0xFF; 733 goto done; 734 } 735 736 /* While unexpected, the read_enc_key_size command may fail. The most 737 * secure approach is to then assume the key size is 0 to force a 738 * disconnection. 739 */ 740 if (status) { 741 bt_dev_err(hdev, "failed to read key size for handle %u", 742 handle); 743 conn->enc_key_size = 0; 744 } else { 745 conn->enc_key_size = rp->key_size; 746 status = 0; 747 748 if (conn->enc_key_size < hdev->min_enc_key_size) { 749 /* As slave role, the conn->state has been set to 750 * BT_CONNECTED and l2cap conn req might not be received 751 * yet, at this moment the l2cap layer almost does 752 * nothing with the non-zero status. 753 * So we also clear encrypt related bits, and then the 754 * handler of l2cap conn req will get the right secure 755 * state at a later time. 756 */ 757 status = HCI_ERROR_AUTH_FAILURE; 758 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 759 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 760 } 761 } 762 763 hci_encrypt_cfm(conn, status); 764 765 done: 766 hci_dev_unlock(hdev); 767 768 return status; 769 } 770 hci_cc_read_local_commands(struct hci_dev * hdev,void * data,struct sk_buff * skb)771 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data, 772 struct sk_buff *skb) 773 { 774 struct hci_rp_read_local_commands *rp = data; 775 776 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 777 778 if (rp->status) 779 return rp->status; 780 781 if (hci_dev_test_flag(hdev, HCI_SETUP) || 782 hci_dev_test_flag(hdev, HCI_CONFIG)) 783 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 784 785 return rp->status; 786 } 787 hci_cc_read_auth_payload_timeout(struct hci_dev * hdev,void * data,struct sk_buff * skb)788 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data, 789 struct sk_buff *skb) 790 { 791 struct hci_rp_read_auth_payload_to *rp = data; 792 struct hci_conn *conn; 793 794 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 795 796 if (rp->status) 797 return rp->status; 798 799 hci_dev_lock(hdev); 800 801 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 802 if (conn) 803 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 804 805 hci_dev_unlock(hdev); 806 807 return rp->status; 808 } 809 hci_cc_write_auth_payload_timeout(struct hci_dev * hdev,void * data,struct sk_buff * skb)810 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data, 811 struct sk_buff *skb) 812 { 813 struct hci_rp_write_auth_payload_to *rp = data; 814 struct hci_conn *conn; 815 void *sent; 816 817 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 818 819 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 820 if (!sent) 821 return rp->status; 822 823 hci_dev_lock(hdev); 824 825 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 826 if (!conn) { 827 rp->status = 0xff; 828 goto unlock; 829 } 830 831 if (!rp->status) 832 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 833 834 unlock: 835 hci_dev_unlock(hdev); 836 837 return rp->status; 838 } 839 hci_cc_read_local_features(struct hci_dev * hdev,void * data,struct sk_buff * skb)840 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data, 841 struct sk_buff *skb) 842 { 843 struct hci_rp_read_local_features *rp = data; 844 845 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 846 847 if (rp->status) 848 return rp->status; 849 850 memcpy(hdev->features, rp->features, 8); 851 852 /* Adjust default settings according to features 853 * supported by device. */ 854 855 if (hdev->features[0][0] & LMP_3SLOT) 856 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 857 858 if (hdev->features[0][0] & LMP_5SLOT) 859 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 860 861 if (hdev->features[0][1] & LMP_HV2) { 862 hdev->pkt_type |= (HCI_HV2); 863 hdev->esco_type |= (ESCO_HV2); 864 } 865 866 if (hdev->features[0][1] & LMP_HV3) { 867 hdev->pkt_type |= (HCI_HV3); 868 hdev->esco_type |= (ESCO_HV3); 869 } 870 871 if (lmp_esco_capable(hdev)) 872 hdev->esco_type |= (ESCO_EV3); 873 874 if (hdev->features[0][4] & LMP_EV4) 875 hdev->esco_type |= (ESCO_EV4); 876 877 if (hdev->features[0][4] & LMP_EV5) 878 hdev->esco_type |= (ESCO_EV5); 879 880 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 881 hdev->esco_type |= (ESCO_2EV3); 882 883 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 884 hdev->esco_type |= (ESCO_3EV3); 885 886 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 887 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 888 889 return rp->status; 890 } 891 hci_cc_read_local_ext_features(struct hci_dev * hdev,void * data,struct sk_buff * skb)892 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, 893 struct sk_buff *skb) 894 { 895 struct hci_rp_read_local_ext_features *rp = data; 896 897 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 898 899 if (rp->status) 900 return rp->status; 901 902 if (hdev->max_page < rp->max_page) { 903 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, 904 &hdev->quirks)) 905 bt_dev_warn(hdev, "broken local ext features page 2"); 906 else 907 hdev->max_page = rp->max_page; 908 } 909 910 if (rp->page < HCI_MAX_PAGES) 911 memcpy(hdev->features[rp->page], rp->features, 8); 912 913 return rp->status; 914 } 915 hci_cc_read_buffer_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)916 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, 917 struct sk_buff *skb) 918 { 919 struct hci_rp_read_buffer_size *rp = data; 920 921 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 922 923 if (rp->status) 924 return rp->status; 925 926 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 927 hdev->sco_mtu = rp->sco_mtu; 928 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 929 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 930 931 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 932 hdev->sco_mtu = 64; 933 hdev->sco_pkts = 8; 934 } 935 936 hdev->acl_cnt = hdev->acl_pkts; 937 hdev->sco_cnt = hdev->sco_pkts; 938 939 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 940 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 941 942 if (!hdev->acl_mtu || !hdev->acl_pkts) 943 return HCI_ERROR_INVALID_PARAMETERS; 944 945 return rp->status; 946 } 947 hci_cc_read_bd_addr(struct hci_dev * hdev,void * data,struct sk_buff * skb)948 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data, 949 struct sk_buff *skb) 950 { 951 struct hci_rp_read_bd_addr *rp = data; 952 953 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 954 955 if (rp->status) 956 return rp->status; 957 958 if (test_bit(HCI_INIT, &hdev->flags)) 959 bacpy(&hdev->bdaddr, &rp->bdaddr); 960 961 if (hci_dev_test_flag(hdev, HCI_SETUP)) 962 bacpy(&hdev->setup_addr, &rp->bdaddr); 963 964 return rp->status; 965 } 966 hci_cc_read_local_pairing_opts(struct hci_dev * hdev,void * data,struct sk_buff * skb)967 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data, 968 struct sk_buff *skb) 969 { 970 struct hci_rp_read_local_pairing_opts *rp = data; 971 972 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 973 974 if (rp->status) 975 return rp->status; 976 977 if (hci_dev_test_flag(hdev, HCI_SETUP) || 978 hci_dev_test_flag(hdev, HCI_CONFIG)) { 979 hdev->pairing_opts = rp->pairing_opts; 980 hdev->max_enc_key_size = rp->max_key_size; 981 } 982 983 return rp->status; 984 } 985 hci_cc_read_page_scan_activity(struct hci_dev * hdev,void * data,struct sk_buff * skb)986 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data, 987 struct sk_buff *skb) 988 { 989 struct hci_rp_read_page_scan_activity *rp = data; 990 991 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 992 993 if (rp->status) 994 return rp->status; 995 996 if (test_bit(HCI_INIT, &hdev->flags)) { 997 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 998 hdev->page_scan_window = __le16_to_cpu(rp->window); 999 } 1000 1001 return rp->status; 1002 } 1003 hci_cc_write_page_scan_activity(struct hci_dev * hdev,void * data,struct sk_buff * skb)1004 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data, 1005 struct sk_buff *skb) 1006 { 1007 struct hci_ev_status *rp = data; 1008 struct hci_cp_write_page_scan_activity *sent; 1009 1010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1011 1012 if (rp->status) 1013 return rp->status; 1014 1015 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 1016 if (!sent) 1017 return rp->status; 1018 1019 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 1020 hdev->page_scan_window = __le16_to_cpu(sent->window); 1021 1022 return rp->status; 1023 } 1024 hci_cc_read_page_scan_type(struct hci_dev * hdev,void * data,struct sk_buff * skb)1025 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data, 1026 struct sk_buff *skb) 1027 { 1028 struct hci_rp_read_page_scan_type *rp = data; 1029 1030 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1031 1032 if (rp->status) 1033 return rp->status; 1034 1035 if (test_bit(HCI_INIT, &hdev->flags)) 1036 hdev->page_scan_type = rp->type; 1037 1038 return rp->status; 1039 } 1040 hci_cc_write_page_scan_type(struct hci_dev * hdev,void * data,struct sk_buff * skb)1041 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data, 1042 struct sk_buff *skb) 1043 { 1044 struct hci_ev_status *rp = data; 1045 u8 *type; 1046 1047 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1048 1049 if (rp->status) 1050 return rp->status; 1051 1052 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 1053 if (type) 1054 hdev->page_scan_type = *type; 1055 1056 return rp->status; 1057 } 1058 hci_cc_read_clock(struct hci_dev * hdev,void * data,struct sk_buff * skb)1059 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, 1060 struct sk_buff *skb) 1061 { 1062 struct hci_rp_read_clock *rp = data; 1063 struct hci_cp_read_clock *cp; 1064 struct hci_conn *conn; 1065 1066 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1067 1068 if (rp->status) 1069 return rp->status; 1070 1071 hci_dev_lock(hdev); 1072 1073 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 1074 if (!cp) 1075 goto unlock; 1076 1077 if (cp->which == 0x00) { 1078 hdev->clock = le32_to_cpu(rp->clock); 1079 goto unlock; 1080 } 1081 1082 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1083 if (conn) { 1084 conn->clock = le32_to_cpu(rp->clock); 1085 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 1086 } 1087 1088 unlock: 1089 hci_dev_unlock(hdev); 1090 return rp->status; 1091 } 1092 hci_cc_read_inq_rsp_tx_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)1093 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data, 1094 struct sk_buff *skb) 1095 { 1096 struct hci_rp_read_inq_rsp_tx_power *rp = data; 1097 1098 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1099 1100 if (rp->status) 1101 return rp->status; 1102 1103 hdev->inq_tx_power = rp->tx_power; 1104 1105 return rp->status; 1106 } 1107 hci_cc_read_def_err_data_reporting(struct hci_dev * hdev,void * data,struct sk_buff * skb)1108 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data, 1109 struct sk_buff *skb) 1110 { 1111 struct hci_rp_read_def_err_data_reporting *rp = data; 1112 1113 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1114 1115 if (rp->status) 1116 return rp->status; 1117 1118 hdev->err_data_reporting = rp->err_data_reporting; 1119 1120 return rp->status; 1121 } 1122 hci_cc_write_def_err_data_reporting(struct hci_dev * hdev,void * data,struct sk_buff * skb)1123 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data, 1124 struct sk_buff *skb) 1125 { 1126 struct hci_ev_status *rp = data; 1127 struct hci_cp_write_def_err_data_reporting *cp; 1128 1129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1130 1131 if (rp->status) 1132 return rp->status; 1133 1134 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 1135 if (!cp) 1136 return rp->status; 1137 1138 hdev->err_data_reporting = cp->err_data_reporting; 1139 1140 return rp->status; 1141 } 1142 hci_cc_pin_code_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1143 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data, 1144 struct sk_buff *skb) 1145 { 1146 struct hci_rp_pin_code_reply *rp = data; 1147 struct hci_cp_pin_code_reply *cp; 1148 struct hci_conn *conn; 1149 1150 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1151 1152 hci_dev_lock(hdev); 1153 1154 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1155 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 1156 1157 if (rp->status) 1158 goto unlock; 1159 1160 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 1161 if (!cp) 1162 goto unlock; 1163 1164 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1165 if (conn) 1166 conn->pin_length = cp->pin_len; 1167 1168 unlock: 1169 hci_dev_unlock(hdev); 1170 return rp->status; 1171 } 1172 hci_cc_pin_code_neg_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1173 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data, 1174 struct sk_buff *skb) 1175 { 1176 struct hci_rp_pin_code_neg_reply *rp = data; 1177 1178 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1179 1180 hci_dev_lock(hdev); 1181 1182 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1183 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1184 rp->status); 1185 1186 hci_dev_unlock(hdev); 1187 1188 return rp->status; 1189 } 1190 hci_cc_le_read_buffer_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)1191 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data, 1192 struct sk_buff *skb) 1193 { 1194 struct hci_rp_le_read_buffer_size *rp = data; 1195 1196 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1197 1198 if (rp->status) 1199 return rp->status; 1200 1201 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1202 hdev->le_pkts = rp->le_max_pkt; 1203 1204 hdev->le_cnt = hdev->le_pkts; 1205 1206 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1207 1208 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 1209 return HCI_ERROR_INVALID_PARAMETERS; 1210 1211 return rp->status; 1212 } 1213 hci_cc_le_read_local_features(struct hci_dev * hdev,void * data,struct sk_buff * skb)1214 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data, 1215 struct sk_buff *skb) 1216 { 1217 struct hci_rp_le_read_local_features *rp = data; 1218 1219 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1220 1221 if (rp->status) 1222 return rp->status; 1223 1224 memcpy(hdev->le_features, rp->features, 8); 1225 1226 return rp->status; 1227 } 1228 hci_cc_le_read_adv_tx_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)1229 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data, 1230 struct sk_buff *skb) 1231 { 1232 struct hci_rp_le_read_adv_tx_power *rp = data; 1233 1234 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1235 1236 if (rp->status) 1237 return rp->status; 1238 1239 hdev->adv_tx_power = rp->tx_power; 1240 1241 return rp->status; 1242 } 1243 hci_cc_user_confirm_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1244 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data, 1245 struct sk_buff *skb) 1246 { 1247 struct hci_rp_user_confirm_reply *rp = data; 1248 1249 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1250 1251 hci_dev_lock(hdev); 1252 1253 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1254 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1255 rp->status); 1256 1257 hci_dev_unlock(hdev); 1258 1259 return rp->status; 1260 } 1261 hci_cc_user_confirm_neg_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1262 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data, 1263 struct sk_buff *skb) 1264 { 1265 struct hci_rp_user_confirm_reply *rp = data; 1266 1267 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1268 1269 hci_dev_lock(hdev); 1270 1271 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1272 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1273 ACL_LINK, 0, rp->status); 1274 1275 hci_dev_unlock(hdev); 1276 1277 return rp->status; 1278 } 1279 hci_cc_user_passkey_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1280 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data, 1281 struct sk_buff *skb) 1282 { 1283 struct hci_rp_user_confirm_reply *rp = data; 1284 1285 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1286 1287 hci_dev_lock(hdev); 1288 1289 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1290 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1291 0, rp->status); 1292 1293 hci_dev_unlock(hdev); 1294 1295 return rp->status; 1296 } 1297 hci_cc_user_passkey_neg_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1298 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data, 1299 struct sk_buff *skb) 1300 { 1301 struct hci_rp_user_confirm_reply *rp = data; 1302 1303 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1304 1305 hci_dev_lock(hdev); 1306 1307 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1308 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1309 ACL_LINK, 0, rp->status); 1310 1311 hci_dev_unlock(hdev); 1312 1313 return rp->status; 1314 } 1315 hci_cc_read_local_oob_data(struct hci_dev * hdev,void * data,struct sk_buff * skb)1316 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data, 1317 struct sk_buff *skb) 1318 { 1319 struct hci_rp_read_local_oob_data *rp = data; 1320 1321 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1322 1323 return rp->status; 1324 } 1325 hci_cc_read_local_oob_ext_data(struct hci_dev * hdev,void * data,struct sk_buff * skb)1326 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data, 1327 struct sk_buff *skb) 1328 { 1329 struct hci_rp_read_local_oob_ext_data *rp = data; 1330 1331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1332 1333 return rp->status; 1334 } 1335 hci_cc_le_set_random_addr(struct hci_dev * hdev,void * data,struct sk_buff * skb)1336 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data, 1337 struct sk_buff *skb) 1338 { 1339 struct hci_ev_status *rp = data; 1340 bdaddr_t *sent; 1341 1342 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1343 1344 if (rp->status) 1345 return rp->status; 1346 1347 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1348 if (!sent) 1349 return rp->status; 1350 1351 hci_dev_lock(hdev); 1352 1353 bacpy(&hdev->random_addr, sent); 1354 1355 if (!bacmp(&hdev->rpa, sent)) { 1356 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED); 1357 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, 1358 secs_to_jiffies(hdev->rpa_timeout)); 1359 } 1360 1361 hci_dev_unlock(hdev); 1362 1363 return rp->status; 1364 } 1365 hci_cc_le_set_default_phy(struct hci_dev * hdev,void * data,struct sk_buff * skb)1366 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data, 1367 struct sk_buff *skb) 1368 { 1369 struct hci_ev_status *rp = data; 1370 struct hci_cp_le_set_default_phy *cp; 1371 1372 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1373 1374 if (rp->status) 1375 return rp->status; 1376 1377 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1378 if (!cp) 1379 return rp->status; 1380 1381 hci_dev_lock(hdev); 1382 1383 hdev->le_tx_def_phys = cp->tx_phys; 1384 hdev->le_rx_def_phys = cp->rx_phys; 1385 1386 hci_dev_unlock(hdev); 1387 1388 return rp->status; 1389 } 1390 hci_cc_le_set_adv_set_random_addr(struct hci_dev * hdev,void * data,struct sk_buff * skb)1391 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data, 1392 struct sk_buff *skb) 1393 { 1394 struct hci_ev_status *rp = data; 1395 struct hci_cp_le_set_adv_set_rand_addr *cp; 1396 struct adv_info *adv; 1397 1398 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1399 1400 if (rp->status) 1401 return rp->status; 1402 1403 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1404 /* Update only in case the adv instance since handle 0x00 shall be using 1405 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and 1406 * non-extended adverting. 1407 */ 1408 if (!cp || !cp->handle) 1409 return rp->status; 1410 1411 hci_dev_lock(hdev); 1412 1413 adv = hci_find_adv_instance(hdev, cp->handle); 1414 if (adv) { 1415 bacpy(&adv->random_addr, &cp->bdaddr); 1416 if (!bacmp(&hdev->rpa, &cp->bdaddr)) { 1417 adv->rpa_expired = false; 1418 queue_delayed_work(hdev->workqueue, 1419 &adv->rpa_expired_cb, 1420 secs_to_jiffies(hdev->rpa_timeout)); 1421 } 1422 } 1423 1424 hci_dev_unlock(hdev); 1425 1426 return rp->status; 1427 } 1428 hci_cc_le_remove_adv_set(struct hci_dev * hdev,void * data,struct sk_buff * skb)1429 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data, 1430 struct sk_buff *skb) 1431 { 1432 struct hci_ev_status *rp = data; 1433 u8 *instance; 1434 int err; 1435 1436 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1437 1438 if (rp->status) 1439 return rp->status; 1440 1441 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET); 1442 if (!instance) 1443 return rp->status; 1444 1445 hci_dev_lock(hdev); 1446 1447 err = hci_remove_adv_instance(hdev, *instance); 1448 if (!err) 1449 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev, 1450 *instance); 1451 1452 hci_dev_unlock(hdev); 1453 1454 return rp->status; 1455 } 1456 hci_cc_le_clear_adv_sets(struct hci_dev * hdev,void * data,struct sk_buff * skb)1457 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data, 1458 struct sk_buff *skb) 1459 { 1460 struct hci_ev_status *rp = data; 1461 struct adv_info *adv, *n; 1462 int err; 1463 1464 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1465 1466 if (rp->status) 1467 return rp->status; 1468 1469 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS)) 1470 return rp->status; 1471 1472 hci_dev_lock(hdev); 1473 1474 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 1475 u8 instance = adv->instance; 1476 1477 err = hci_remove_adv_instance(hdev, instance); 1478 if (!err) 1479 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1480 hdev, instance); 1481 } 1482 1483 hci_dev_unlock(hdev); 1484 1485 return rp->status; 1486 } 1487 hci_cc_le_read_transmit_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)1488 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data, 1489 struct sk_buff *skb) 1490 { 1491 struct hci_rp_le_read_transmit_power *rp = data; 1492 1493 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1494 1495 if (rp->status) 1496 return rp->status; 1497 1498 hdev->min_le_tx_power = rp->min_le_tx_power; 1499 hdev->max_le_tx_power = rp->max_le_tx_power; 1500 1501 return rp->status; 1502 } 1503 hci_cc_le_set_privacy_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)1504 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, 1505 struct sk_buff *skb) 1506 { 1507 struct hci_ev_status *rp = data; 1508 struct hci_cp_le_set_privacy_mode *cp; 1509 struct hci_conn_params *params; 1510 1511 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1512 1513 if (rp->status) 1514 return rp->status; 1515 1516 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE); 1517 if (!cp) 1518 return rp->status; 1519 1520 hci_dev_lock(hdev); 1521 1522 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); 1523 if (params) 1524 WRITE_ONCE(params->privacy_mode, cp->mode); 1525 1526 hci_dev_unlock(hdev); 1527 1528 return rp->status; 1529 } 1530 hci_cc_le_set_adv_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1531 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data, 1532 struct sk_buff *skb) 1533 { 1534 struct hci_ev_status *rp = data; 1535 __u8 *sent; 1536 1537 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1538 1539 if (rp->status) 1540 return rp->status; 1541 1542 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1543 if (!sent) 1544 return rp->status; 1545 1546 hci_dev_lock(hdev); 1547 1548 /* If we're doing connection initiation as peripheral. Set a 1549 * timeout in case something goes wrong. 1550 */ 1551 if (*sent) { 1552 struct hci_conn *conn; 1553 1554 hci_dev_set_flag(hdev, HCI_LE_ADV); 1555 1556 conn = hci_lookup_le_connect(hdev); 1557 if (conn) 1558 queue_delayed_work(hdev->workqueue, 1559 &conn->le_conn_timeout, 1560 conn->conn_timeout); 1561 } else { 1562 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1563 } 1564 1565 hci_dev_unlock(hdev); 1566 1567 return rp->status; 1568 } 1569 hci_cc_le_set_ext_adv_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1570 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, 1571 struct sk_buff *skb) 1572 { 1573 struct hci_cp_le_set_ext_adv_enable *cp; 1574 struct hci_cp_ext_adv_set *set; 1575 struct adv_info *adv = NULL, *n; 1576 struct hci_ev_status *rp = data; 1577 1578 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1579 1580 if (rp->status) 1581 return rp->status; 1582 1583 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1584 if (!cp) 1585 return rp->status; 1586 1587 set = (void *)cp->data; 1588 1589 hci_dev_lock(hdev); 1590 1591 if (cp->num_of_sets) 1592 adv = hci_find_adv_instance(hdev, set->handle); 1593 1594 if (cp->enable) { 1595 struct hci_conn *conn; 1596 1597 hci_dev_set_flag(hdev, HCI_LE_ADV); 1598 1599 if (adv && !adv->periodic) 1600 adv->enabled = true; 1601 1602 conn = hci_lookup_le_connect(hdev); 1603 if (conn) 1604 queue_delayed_work(hdev->workqueue, 1605 &conn->le_conn_timeout, 1606 conn->conn_timeout); 1607 } else { 1608 if (cp->num_of_sets) { 1609 if (adv) 1610 adv->enabled = false; 1611 1612 /* If just one instance was disabled check if there are 1613 * any other instance enabled before clearing HCI_LE_ADV 1614 */ 1615 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1616 list) { 1617 if (adv->enabled) 1618 goto unlock; 1619 } 1620 } else { 1621 /* All instances shall be considered disabled */ 1622 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1623 list) 1624 adv->enabled = false; 1625 } 1626 1627 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1628 } 1629 1630 unlock: 1631 hci_dev_unlock(hdev); 1632 return rp->status; 1633 } 1634 hci_cc_le_set_scan_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)1635 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data, 1636 struct sk_buff *skb) 1637 { 1638 struct hci_cp_le_set_scan_param *cp; 1639 struct hci_ev_status *rp = data; 1640 1641 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1642 1643 if (rp->status) 1644 return rp->status; 1645 1646 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1647 if (!cp) 1648 return rp->status; 1649 1650 hci_dev_lock(hdev); 1651 1652 hdev->le_scan_type = cp->type; 1653 1654 hci_dev_unlock(hdev); 1655 1656 return rp->status; 1657 } 1658 hci_cc_le_set_ext_scan_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)1659 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data, 1660 struct sk_buff *skb) 1661 { 1662 struct hci_cp_le_set_ext_scan_params *cp; 1663 struct hci_ev_status *rp = data; 1664 struct hci_cp_le_scan_phy_params *phy_param; 1665 1666 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1667 1668 if (rp->status) 1669 return rp->status; 1670 1671 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1672 if (!cp) 1673 return rp->status; 1674 1675 phy_param = (void *)cp->data; 1676 1677 hci_dev_lock(hdev); 1678 1679 hdev->le_scan_type = phy_param->type; 1680 1681 hci_dev_unlock(hdev); 1682 1683 return rp->status; 1684 } 1685 has_pending_adv_report(struct hci_dev * hdev)1686 static bool has_pending_adv_report(struct hci_dev *hdev) 1687 { 1688 struct discovery_state *d = &hdev->discovery; 1689 1690 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1691 } 1692 clear_pending_adv_report(struct hci_dev * hdev)1693 static void clear_pending_adv_report(struct hci_dev *hdev) 1694 { 1695 struct discovery_state *d = &hdev->discovery; 1696 1697 bacpy(&d->last_adv_addr, BDADDR_ANY); 1698 d->last_adv_data_len = 0; 1699 } 1700 store_pending_adv_report(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 bdaddr_type,s8 rssi,u32 flags,u8 * data,u8 len)1701 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1702 u8 bdaddr_type, s8 rssi, u32 flags, 1703 u8 *data, u8 len) 1704 { 1705 struct discovery_state *d = &hdev->discovery; 1706 1707 if (len > max_adv_len(hdev)) 1708 return; 1709 1710 bacpy(&d->last_adv_addr, bdaddr); 1711 d->last_adv_addr_type = bdaddr_type; 1712 d->last_adv_rssi = rssi; 1713 d->last_adv_flags = flags; 1714 memcpy(d->last_adv_data, data, len); 1715 d->last_adv_data_len = len; 1716 } 1717 le_set_scan_enable_complete(struct hci_dev * hdev,u8 enable)1718 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1719 { 1720 hci_dev_lock(hdev); 1721 1722 switch (enable) { 1723 case LE_SCAN_ENABLE: 1724 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1725 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1726 clear_pending_adv_report(hdev); 1727 if (hci_dev_test_flag(hdev, HCI_MESH)) 1728 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 1729 break; 1730 1731 case LE_SCAN_DISABLE: 1732 /* We do this here instead of when setting DISCOVERY_STOPPED 1733 * since the latter would potentially require waiting for 1734 * inquiry to stop too. 1735 */ 1736 if (has_pending_adv_report(hdev)) { 1737 struct discovery_state *d = &hdev->discovery; 1738 1739 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1740 d->last_adv_addr_type, NULL, 1741 d->last_adv_rssi, d->last_adv_flags, 1742 d->last_adv_data, 1743 d->last_adv_data_len, NULL, 0, 0); 1744 } 1745 1746 /* Cancel this timer so that we don't try to disable scanning 1747 * when it's already disabled. 1748 */ 1749 cancel_delayed_work(&hdev->le_scan_disable); 1750 1751 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1752 1753 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1754 * interrupted scanning due to a connect request. Mark 1755 * therefore discovery as stopped. 1756 */ 1757 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1758 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1759 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1760 hdev->discovery.state == DISCOVERY_FINDING) 1761 queue_work(hdev->workqueue, &hdev->reenable_adv_work); 1762 1763 break; 1764 1765 default: 1766 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1767 enable); 1768 break; 1769 } 1770 1771 hci_dev_unlock(hdev); 1772 } 1773 hci_cc_le_set_scan_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1774 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data, 1775 struct sk_buff *skb) 1776 { 1777 struct hci_cp_le_set_scan_enable *cp; 1778 struct hci_ev_status *rp = data; 1779 1780 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1781 1782 if (rp->status) 1783 return rp->status; 1784 1785 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1786 if (!cp) 1787 return rp->status; 1788 1789 le_set_scan_enable_complete(hdev, cp->enable); 1790 1791 return rp->status; 1792 } 1793 hci_cc_le_set_ext_scan_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1794 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data, 1795 struct sk_buff *skb) 1796 { 1797 struct hci_cp_le_set_ext_scan_enable *cp; 1798 struct hci_ev_status *rp = data; 1799 1800 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1801 1802 if (rp->status) 1803 return rp->status; 1804 1805 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1806 if (!cp) 1807 return rp->status; 1808 1809 le_set_scan_enable_complete(hdev, cp->enable); 1810 1811 return rp->status; 1812 } 1813 hci_cc_le_read_num_adv_sets(struct hci_dev * hdev,void * data,struct sk_buff * skb)1814 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data, 1815 struct sk_buff *skb) 1816 { 1817 struct hci_rp_le_read_num_supported_adv_sets *rp = data; 1818 1819 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status, 1820 rp->num_of_sets); 1821 1822 if (rp->status) 1823 return rp->status; 1824 1825 hdev->le_num_of_adv_sets = rp->num_of_sets; 1826 1827 return rp->status; 1828 } 1829 hci_cc_le_read_accept_list_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)1830 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data, 1831 struct sk_buff *skb) 1832 { 1833 struct hci_rp_le_read_accept_list_size *rp = data; 1834 1835 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 1836 1837 if (rp->status) 1838 return rp->status; 1839 1840 hdev->le_accept_list_size = rp->size; 1841 1842 return rp->status; 1843 } 1844 hci_cc_le_clear_accept_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1845 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data, 1846 struct sk_buff *skb) 1847 { 1848 struct hci_ev_status *rp = data; 1849 1850 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1851 1852 if (rp->status) 1853 return rp->status; 1854 1855 hci_dev_lock(hdev); 1856 hci_bdaddr_list_clear(&hdev->le_accept_list); 1857 hci_dev_unlock(hdev); 1858 1859 return rp->status; 1860 } 1861 hci_cc_le_add_to_accept_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1862 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data, 1863 struct sk_buff *skb) 1864 { 1865 struct hci_cp_le_add_to_accept_list *sent; 1866 struct hci_ev_status *rp = data; 1867 1868 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1869 1870 if (rp->status) 1871 return rp->status; 1872 1873 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1874 if (!sent) 1875 return rp->status; 1876 1877 hci_dev_lock(hdev); 1878 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1879 sent->bdaddr_type); 1880 hci_dev_unlock(hdev); 1881 1882 return rp->status; 1883 } 1884 hci_cc_le_del_from_accept_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1885 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data, 1886 struct sk_buff *skb) 1887 { 1888 struct hci_cp_le_del_from_accept_list *sent; 1889 struct hci_ev_status *rp = data; 1890 1891 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1892 1893 if (rp->status) 1894 return rp->status; 1895 1896 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1897 if (!sent) 1898 return rp->status; 1899 1900 hci_dev_lock(hdev); 1901 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1902 sent->bdaddr_type); 1903 hci_dev_unlock(hdev); 1904 1905 return rp->status; 1906 } 1907 hci_cc_le_read_supported_states(struct hci_dev * hdev,void * data,struct sk_buff * skb)1908 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data, 1909 struct sk_buff *skb) 1910 { 1911 struct hci_rp_le_read_supported_states *rp = data; 1912 1913 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1914 1915 if (rp->status) 1916 return rp->status; 1917 1918 memcpy(hdev->le_states, rp->le_states, 8); 1919 1920 return rp->status; 1921 } 1922 hci_cc_le_read_def_data_len(struct hci_dev * hdev,void * data,struct sk_buff * skb)1923 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data, 1924 struct sk_buff *skb) 1925 { 1926 struct hci_rp_le_read_def_data_len *rp = data; 1927 1928 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1929 1930 if (rp->status) 1931 return rp->status; 1932 1933 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1934 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1935 1936 return rp->status; 1937 } 1938 hci_cc_le_write_def_data_len(struct hci_dev * hdev,void * data,struct sk_buff * skb)1939 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data, 1940 struct sk_buff *skb) 1941 { 1942 struct hci_cp_le_write_def_data_len *sent; 1943 struct hci_ev_status *rp = data; 1944 1945 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1946 1947 if (rp->status) 1948 return rp->status; 1949 1950 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1951 if (!sent) 1952 return rp->status; 1953 1954 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1955 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1956 1957 return rp->status; 1958 } 1959 hci_cc_le_add_to_resolv_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1960 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data, 1961 struct sk_buff *skb) 1962 { 1963 struct hci_cp_le_add_to_resolv_list *sent; 1964 struct hci_ev_status *rp = data; 1965 1966 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1967 1968 if (rp->status) 1969 return rp->status; 1970 1971 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1972 if (!sent) 1973 return rp->status; 1974 1975 hci_dev_lock(hdev); 1976 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1977 sent->bdaddr_type, sent->peer_irk, 1978 sent->local_irk); 1979 hci_dev_unlock(hdev); 1980 1981 return rp->status; 1982 } 1983 hci_cc_le_del_from_resolv_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1984 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data, 1985 struct sk_buff *skb) 1986 { 1987 struct hci_cp_le_del_from_resolv_list *sent; 1988 struct hci_ev_status *rp = data; 1989 1990 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1991 1992 if (rp->status) 1993 return rp->status; 1994 1995 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1996 if (!sent) 1997 return rp->status; 1998 1999 hci_dev_lock(hdev); 2000 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2001 sent->bdaddr_type); 2002 hci_dev_unlock(hdev); 2003 2004 return rp->status; 2005 } 2006 hci_cc_le_clear_resolv_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)2007 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data, 2008 struct sk_buff *skb) 2009 { 2010 struct hci_ev_status *rp = data; 2011 2012 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2013 2014 if (rp->status) 2015 return rp->status; 2016 2017 hci_dev_lock(hdev); 2018 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2019 hci_dev_unlock(hdev); 2020 2021 return rp->status; 2022 } 2023 hci_cc_le_read_resolv_list_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)2024 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data, 2025 struct sk_buff *skb) 2026 { 2027 struct hci_rp_le_read_resolv_list_size *rp = data; 2028 2029 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 2030 2031 if (rp->status) 2032 return rp->status; 2033 2034 hdev->le_resolv_list_size = rp->size; 2035 2036 return rp->status; 2037 } 2038 hci_cc_le_set_addr_resolution_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)2039 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data, 2040 struct sk_buff *skb) 2041 { 2042 struct hci_ev_status *rp = data; 2043 __u8 *sent; 2044 2045 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2046 2047 if (rp->status) 2048 return rp->status; 2049 2050 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 2051 if (!sent) 2052 return rp->status; 2053 2054 hci_dev_lock(hdev); 2055 2056 if (*sent) 2057 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 2058 else 2059 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 2060 2061 hci_dev_unlock(hdev); 2062 2063 return rp->status; 2064 } 2065 hci_cc_le_read_max_data_len(struct hci_dev * hdev,void * data,struct sk_buff * skb)2066 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data, 2067 struct sk_buff *skb) 2068 { 2069 struct hci_rp_le_read_max_data_len *rp = data; 2070 2071 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2072 2073 if (rp->status) 2074 return rp->status; 2075 2076 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 2077 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 2078 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 2079 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 2080 2081 return rp->status; 2082 } 2083 hci_cc_write_le_host_supported(struct hci_dev * hdev,void * data,struct sk_buff * skb)2084 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data, 2085 struct sk_buff *skb) 2086 { 2087 struct hci_cp_write_le_host_supported *sent; 2088 struct hci_ev_status *rp = data; 2089 2090 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2091 2092 if (rp->status) 2093 return rp->status; 2094 2095 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 2096 if (!sent) 2097 return rp->status; 2098 2099 hci_dev_lock(hdev); 2100 2101 if (sent->le) { 2102 hdev->features[1][0] |= LMP_HOST_LE; 2103 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 2104 } else { 2105 hdev->features[1][0] &= ~LMP_HOST_LE; 2106 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 2107 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 2108 } 2109 2110 if (sent->simul) 2111 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 2112 else 2113 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 2114 2115 hci_dev_unlock(hdev); 2116 2117 return rp->status; 2118 } 2119 hci_cc_set_adv_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)2120 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, 2121 struct sk_buff *skb) 2122 { 2123 struct hci_cp_le_set_adv_param *cp; 2124 struct hci_ev_status *rp = data; 2125 2126 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2127 2128 if (rp->status) 2129 return rp->status; 2130 2131 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 2132 if (!cp) 2133 return rp->status; 2134 2135 hci_dev_lock(hdev); 2136 hdev->adv_addr_type = cp->own_address_type; 2137 hci_dev_unlock(hdev); 2138 2139 return rp->status; 2140 } 2141 hci_cc_set_ext_adv_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)2142 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, 2143 struct sk_buff *skb) 2144 { 2145 struct hci_rp_le_set_ext_adv_params *rp = data; 2146 struct hci_cp_le_set_ext_adv_params *cp; 2147 struct adv_info *adv_instance; 2148 2149 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2150 2151 if (rp->status) 2152 return rp->status; 2153 2154 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 2155 if (!cp) 2156 return rp->status; 2157 2158 hci_dev_lock(hdev); 2159 hdev->adv_addr_type = cp->own_addr_type; 2160 if (!cp->handle) { 2161 /* Store in hdev for instance 0 */ 2162 hdev->adv_tx_power = rp->tx_power; 2163 } else { 2164 adv_instance = hci_find_adv_instance(hdev, cp->handle); 2165 if (adv_instance) 2166 adv_instance->tx_power = rp->tx_power; 2167 } 2168 /* Update adv data as tx power is known now */ 2169 hci_update_adv_data(hdev, cp->handle); 2170 2171 hci_dev_unlock(hdev); 2172 2173 return rp->status; 2174 } 2175 hci_cc_read_rssi(struct hci_dev * hdev,void * data,struct sk_buff * skb)2176 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, 2177 struct sk_buff *skb) 2178 { 2179 struct hci_rp_read_rssi *rp = data; 2180 struct hci_conn *conn; 2181 2182 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2183 2184 if (rp->status) 2185 return rp->status; 2186 2187 hci_dev_lock(hdev); 2188 2189 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2190 if (conn) 2191 conn->rssi = rp->rssi; 2192 2193 hci_dev_unlock(hdev); 2194 2195 return rp->status; 2196 } 2197 hci_cc_read_tx_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)2198 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data, 2199 struct sk_buff *skb) 2200 { 2201 struct hci_cp_read_tx_power *sent; 2202 struct hci_rp_read_tx_power *rp = data; 2203 struct hci_conn *conn; 2204 2205 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2206 2207 if (rp->status) 2208 return rp->status; 2209 2210 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 2211 if (!sent) 2212 return rp->status; 2213 2214 hci_dev_lock(hdev); 2215 2216 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2217 if (!conn) 2218 goto unlock; 2219 2220 switch (sent->type) { 2221 case 0x00: 2222 conn->tx_power = rp->tx_power; 2223 break; 2224 case 0x01: 2225 conn->max_tx_power = rp->tx_power; 2226 break; 2227 } 2228 2229 unlock: 2230 hci_dev_unlock(hdev); 2231 return rp->status; 2232 } 2233 hci_cc_write_ssp_debug_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)2234 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data, 2235 struct sk_buff *skb) 2236 { 2237 struct hci_ev_status *rp = data; 2238 u8 *mode; 2239 2240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2241 2242 if (rp->status) 2243 return rp->status; 2244 2245 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 2246 if (mode) 2247 hdev->ssp_debug_mode = *mode; 2248 2249 return rp->status; 2250 } 2251 hci_cs_inquiry(struct hci_dev * hdev,__u8 status)2252 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 2253 { 2254 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2255 2256 if (status) 2257 return; 2258 2259 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY)) 2260 set_bit(HCI_INQUIRY, &hdev->flags); 2261 } 2262 hci_cs_create_conn(struct hci_dev * hdev,__u8 status)2263 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 2264 { 2265 struct hci_cp_create_conn *cp; 2266 struct hci_conn *conn; 2267 2268 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2269 2270 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 2271 if (!cp) 2272 return; 2273 2274 hci_dev_lock(hdev); 2275 2276 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2277 2278 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn); 2279 2280 if (status) { 2281 if (conn && conn->state == BT_CONNECT) { 2282 conn->state = BT_CLOSED; 2283 hci_connect_cfm(conn, status); 2284 hci_conn_del(conn); 2285 } 2286 } else { 2287 if (!conn) { 2288 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr, 2289 HCI_ROLE_MASTER); 2290 if (IS_ERR(conn)) 2291 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 2292 } 2293 } 2294 2295 hci_dev_unlock(hdev); 2296 } 2297 hci_cs_add_sco(struct hci_dev * hdev,__u8 status)2298 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2299 { 2300 struct hci_cp_add_sco *cp; 2301 struct hci_conn *acl; 2302 struct hci_link *link; 2303 __u16 handle; 2304 2305 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2306 2307 if (!status) 2308 return; 2309 2310 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2311 if (!cp) 2312 return; 2313 2314 handle = __le16_to_cpu(cp->handle); 2315 2316 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2317 2318 hci_dev_lock(hdev); 2319 2320 acl = hci_conn_hash_lookup_handle(hdev, handle); 2321 if (acl) { 2322 link = list_first_entry_or_null(&acl->link_list, 2323 struct hci_link, list); 2324 if (link && link->conn) { 2325 link->conn->state = BT_CLOSED; 2326 2327 hci_connect_cfm(link->conn, status); 2328 hci_conn_del(link->conn); 2329 } 2330 } 2331 2332 hci_dev_unlock(hdev); 2333 } 2334 hci_cs_auth_requested(struct hci_dev * hdev,__u8 status)2335 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2336 { 2337 struct hci_cp_auth_requested *cp; 2338 struct hci_conn *conn; 2339 2340 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2341 2342 if (!status) 2343 return; 2344 2345 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2346 if (!cp) 2347 return; 2348 2349 hci_dev_lock(hdev); 2350 2351 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2352 if (conn) { 2353 if (conn->state == BT_CONFIG) { 2354 hci_connect_cfm(conn, status); 2355 hci_conn_drop(conn); 2356 } 2357 } 2358 2359 hci_dev_unlock(hdev); 2360 } 2361 hci_cs_set_conn_encrypt(struct hci_dev * hdev,__u8 status)2362 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2363 { 2364 struct hci_cp_set_conn_encrypt *cp; 2365 struct hci_conn *conn; 2366 2367 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2368 2369 if (!status) 2370 return; 2371 2372 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2373 if (!cp) 2374 return; 2375 2376 hci_dev_lock(hdev); 2377 2378 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2379 if (conn) { 2380 if (conn->state == BT_CONFIG) { 2381 hci_connect_cfm(conn, status); 2382 hci_conn_drop(conn); 2383 } 2384 } 2385 2386 hci_dev_unlock(hdev); 2387 } 2388 hci_outgoing_auth_needed(struct hci_dev * hdev,struct hci_conn * conn)2389 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2390 struct hci_conn *conn) 2391 { 2392 if (conn->state != BT_CONFIG || !conn->out) 2393 return 0; 2394 2395 if (conn->pending_sec_level == BT_SECURITY_SDP) 2396 return 0; 2397 2398 /* Only request authentication for SSP connections or non-SSP 2399 * devices with sec_level MEDIUM or HIGH or if MITM protection 2400 * is requested. 2401 */ 2402 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2403 conn->pending_sec_level != BT_SECURITY_FIPS && 2404 conn->pending_sec_level != BT_SECURITY_HIGH && 2405 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2406 return 0; 2407 2408 return 1; 2409 } 2410 hci_resolve_name(struct hci_dev * hdev,struct inquiry_entry * e)2411 static int hci_resolve_name(struct hci_dev *hdev, 2412 struct inquiry_entry *e) 2413 { 2414 struct hci_cp_remote_name_req cp; 2415 2416 memset(&cp, 0, sizeof(cp)); 2417 2418 bacpy(&cp.bdaddr, &e->data.bdaddr); 2419 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2420 cp.pscan_mode = e->data.pscan_mode; 2421 cp.clock_offset = e->data.clock_offset; 2422 2423 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2424 } 2425 hci_resolve_next_name(struct hci_dev * hdev)2426 static bool hci_resolve_next_name(struct hci_dev *hdev) 2427 { 2428 struct discovery_state *discov = &hdev->discovery; 2429 struct inquiry_entry *e; 2430 2431 if (list_empty(&discov->resolve)) 2432 return false; 2433 2434 /* We should stop if we already spent too much time resolving names. */ 2435 if (time_after(jiffies, discov->name_resolve_timeout)) { 2436 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2437 return false; 2438 } 2439 2440 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2441 if (!e) 2442 return false; 2443 2444 if (hci_resolve_name(hdev, e) == 0) { 2445 e->name_state = NAME_PENDING; 2446 return true; 2447 } 2448 2449 return false; 2450 } 2451 hci_check_pending_name(struct hci_dev * hdev,struct hci_conn * conn,bdaddr_t * bdaddr,u8 * name,u8 name_len)2452 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2453 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2454 { 2455 struct discovery_state *discov = &hdev->discovery; 2456 struct inquiry_entry *e; 2457 2458 /* Update the mgmt connected state if necessary. Be careful with 2459 * conn objects that exist but are not (yet) connected however. 2460 * Only those in BT_CONFIG or BT_CONNECTED states can be 2461 * considered connected. 2462 */ 2463 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) 2464 mgmt_device_connected(hdev, conn, name, name_len); 2465 2466 if (discov->state == DISCOVERY_STOPPED) 2467 return; 2468 2469 if (discov->state == DISCOVERY_STOPPING) 2470 goto discov_complete; 2471 2472 if (discov->state != DISCOVERY_RESOLVING) 2473 return; 2474 2475 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2476 /* If the device was not found in a list of found devices names of which 2477 * are pending. there is no need to continue resolving a next name as it 2478 * will be done upon receiving another Remote Name Request Complete 2479 * Event */ 2480 if (!e) 2481 return; 2482 2483 list_del(&e->list); 2484 2485 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2486 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2487 name, name_len); 2488 2489 if (hci_resolve_next_name(hdev)) 2490 return; 2491 2492 discov_complete: 2493 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2494 } 2495 hci_cs_remote_name_req(struct hci_dev * hdev,__u8 status)2496 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2497 { 2498 struct hci_cp_remote_name_req *cp; 2499 struct hci_conn *conn; 2500 2501 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2502 2503 /* If successful wait for the name req complete event before 2504 * checking for the need to do authentication */ 2505 if (!status) 2506 return; 2507 2508 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2509 if (!cp) 2510 return; 2511 2512 hci_dev_lock(hdev); 2513 2514 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2515 2516 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2517 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2518 2519 if (!conn) 2520 goto unlock; 2521 2522 if (!hci_outgoing_auth_needed(hdev, conn)) 2523 goto unlock; 2524 2525 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2526 struct hci_cp_auth_requested auth_cp; 2527 2528 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2529 2530 auth_cp.handle = __cpu_to_le16(conn->handle); 2531 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2532 sizeof(auth_cp), &auth_cp); 2533 } 2534 2535 unlock: 2536 hci_dev_unlock(hdev); 2537 } 2538 hci_cs_read_remote_features(struct hci_dev * hdev,__u8 status)2539 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2540 { 2541 struct hci_cp_read_remote_features *cp; 2542 struct hci_conn *conn; 2543 2544 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2545 2546 if (!status) 2547 return; 2548 2549 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2550 if (!cp) 2551 return; 2552 2553 hci_dev_lock(hdev); 2554 2555 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2556 if (conn) { 2557 if (conn->state == BT_CONFIG) { 2558 hci_connect_cfm(conn, status); 2559 hci_conn_drop(conn); 2560 } 2561 } 2562 2563 hci_dev_unlock(hdev); 2564 } 2565 hci_cs_read_remote_ext_features(struct hci_dev * hdev,__u8 status)2566 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2567 { 2568 struct hci_cp_read_remote_ext_features *cp; 2569 struct hci_conn *conn; 2570 2571 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2572 2573 if (!status) 2574 return; 2575 2576 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2577 if (!cp) 2578 return; 2579 2580 hci_dev_lock(hdev); 2581 2582 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2583 if (conn) { 2584 if (conn->state == BT_CONFIG) { 2585 hci_connect_cfm(conn, status); 2586 hci_conn_drop(conn); 2587 } 2588 } 2589 2590 hci_dev_unlock(hdev); 2591 } 2592 hci_setup_sync_conn_status(struct hci_dev * hdev,__u16 handle,__u8 status)2593 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle, 2594 __u8 status) 2595 { 2596 struct hci_conn *acl; 2597 struct hci_link *link; 2598 2599 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status); 2600 2601 hci_dev_lock(hdev); 2602 2603 acl = hci_conn_hash_lookup_handle(hdev, handle); 2604 if (acl) { 2605 link = list_first_entry_or_null(&acl->link_list, 2606 struct hci_link, list); 2607 if (link && link->conn) { 2608 link->conn->state = BT_CLOSED; 2609 2610 hci_connect_cfm(link->conn, status); 2611 hci_conn_del(link->conn); 2612 } 2613 } 2614 2615 hci_dev_unlock(hdev); 2616 } 2617 hci_cs_setup_sync_conn(struct hci_dev * hdev,__u8 status)2618 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2619 { 2620 struct hci_cp_setup_sync_conn *cp; 2621 2622 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2623 2624 if (!status) 2625 return; 2626 2627 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2628 if (!cp) 2629 return; 2630 2631 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2632 } 2633 hci_cs_enhanced_setup_sync_conn(struct hci_dev * hdev,__u8 status)2634 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2635 { 2636 struct hci_cp_enhanced_setup_sync_conn *cp; 2637 2638 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2639 2640 if (!status) 2641 return; 2642 2643 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN); 2644 if (!cp) 2645 return; 2646 2647 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2648 } 2649 hci_cs_sniff_mode(struct hci_dev * hdev,__u8 status)2650 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2651 { 2652 struct hci_cp_sniff_mode *cp; 2653 struct hci_conn *conn; 2654 2655 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2656 2657 if (!status) 2658 return; 2659 2660 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2661 if (!cp) 2662 return; 2663 2664 hci_dev_lock(hdev); 2665 2666 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2667 if (conn) { 2668 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2669 2670 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2671 hci_sco_setup(conn, status); 2672 } 2673 2674 hci_dev_unlock(hdev); 2675 } 2676 hci_cs_exit_sniff_mode(struct hci_dev * hdev,__u8 status)2677 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2678 { 2679 struct hci_cp_exit_sniff_mode *cp; 2680 struct hci_conn *conn; 2681 2682 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2683 2684 if (!status) 2685 return; 2686 2687 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2688 if (!cp) 2689 return; 2690 2691 hci_dev_lock(hdev); 2692 2693 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2694 if (conn) { 2695 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2696 2697 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2698 hci_sco_setup(conn, status); 2699 } 2700 2701 hci_dev_unlock(hdev); 2702 } 2703 hci_cs_disconnect(struct hci_dev * hdev,u8 status)2704 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2705 { 2706 struct hci_cp_disconnect *cp; 2707 struct hci_conn_params *params; 2708 struct hci_conn *conn; 2709 bool mgmt_conn; 2710 2711 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2712 2713 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended 2714 * otherwise cleanup the connection immediately. 2715 */ 2716 if (!status && !hdev->suspended) 2717 return; 2718 2719 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2720 if (!cp) 2721 return; 2722 2723 hci_dev_lock(hdev); 2724 2725 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2726 if (!conn) 2727 goto unlock; 2728 2729 if (status) { 2730 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2731 conn->dst_type, status); 2732 2733 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 2734 hdev->cur_adv_instance = conn->adv_instance; 2735 hci_enable_advertising(hdev); 2736 } 2737 2738 /* Inform sockets conn is gone before we delete it */ 2739 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); 2740 2741 goto done; 2742 } 2743 2744 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2745 2746 if (conn->type == ACL_LINK) { 2747 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2748 hci_remove_link_key(hdev, &conn->dst); 2749 } 2750 2751 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2752 if (params) { 2753 switch (params->auto_connect) { 2754 case HCI_AUTO_CONN_LINK_LOSS: 2755 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2756 break; 2757 fallthrough; 2758 2759 case HCI_AUTO_CONN_DIRECT: 2760 case HCI_AUTO_CONN_ALWAYS: 2761 hci_pend_le_list_del_init(params); 2762 hci_pend_le_list_add(params, &hdev->pend_le_conns); 2763 break; 2764 2765 default: 2766 break; 2767 } 2768 } 2769 2770 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2771 cp->reason, mgmt_conn); 2772 2773 hci_disconn_cfm(conn, cp->reason); 2774 2775 done: 2776 /* If the disconnection failed for any reason, the upper layer 2777 * does not retry to disconnect in current implementation. 2778 * Hence, we need to do some basic cleanup here and re-enable 2779 * advertising if necessary. 2780 */ 2781 hci_conn_del(conn); 2782 unlock: 2783 hci_dev_unlock(hdev); 2784 } 2785 ev_bdaddr_type(struct hci_dev * hdev,u8 type,bool * resolved)2786 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved) 2787 { 2788 /* When using controller based address resolution, then the new 2789 * address types 0x02 and 0x03 are used. These types need to be 2790 * converted back into either public address or random address type 2791 */ 2792 switch (type) { 2793 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2794 if (resolved) 2795 *resolved = true; 2796 return ADDR_LE_DEV_PUBLIC; 2797 case ADDR_LE_DEV_RANDOM_RESOLVED: 2798 if (resolved) 2799 *resolved = true; 2800 return ADDR_LE_DEV_RANDOM; 2801 } 2802 2803 if (resolved) 2804 *resolved = false; 2805 return type; 2806 } 2807 cs_le_create_conn(struct hci_dev * hdev,bdaddr_t * peer_addr,u8 peer_addr_type,u8 own_address_type,u8 filter_policy)2808 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2809 u8 peer_addr_type, u8 own_address_type, 2810 u8 filter_policy) 2811 { 2812 struct hci_conn *conn; 2813 2814 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2815 peer_addr_type); 2816 if (!conn) 2817 return; 2818 2819 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL); 2820 2821 /* Store the initiator and responder address information which 2822 * is needed for SMP. These values will not change during the 2823 * lifetime of the connection. 2824 */ 2825 conn->init_addr_type = own_address_type; 2826 if (own_address_type == ADDR_LE_DEV_RANDOM) 2827 bacpy(&conn->init_addr, &hdev->random_addr); 2828 else 2829 bacpy(&conn->init_addr, &hdev->bdaddr); 2830 2831 conn->resp_addr_type = peer_addr_type; 2832 bacpy(&conn->resp_addr, peer_addr); 2833 } 2834 hci_cs_le_create_conn(struct hci_dev * hdev,u8 status)2835 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2836 { 2837 struct hci_cp_le_create_conn *cp; 2838 2839 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2840 2841 /* All connection failure handling is taken care of by the 2842 * hci_conn_failed function which is triggered by the HCI 2843 * request completion callbacks used for connecting. 2844 */ 2845 if (status) 2846 return; 2847 2848 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2849 if (!cp) 2850 return; 2851 2852 hci_dev_lock(hdev); 2853 2854 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2855 cp->own_address_type, cp->filter_policy); 2856 2857 hci_dev_unlock(hdev); 2858 } 2859 hci_cs_le_ext_create_conn(struct hci_dev * hdev,u8 status)2860 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2861 { 2862 struct hci_cp_le_ext_create_conn *cp; 2863 2864 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2865 2866 /* All connection failure handling is taken care of by the 2867 * hci_conn_failed function which is triggered by the HCI 2868 * request completion callbacks used for connecting. 2869 */ 2870 if (status) 2871 return; 2872 2873 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2874 if (!cp) 2875 return; 2876 2877 hci_dev_lock(hdev); 2878 2879 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2880 cp->own_addr_type, cp->filter_policy); 2881 2882 hci_dev_unlock(hdev); 2883 } 2884 hci_cs_le_read_remote_features(struct hci_dev * hdev,u8 status)2885 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2886 { 2887 struct hci_cp_le_read_remote_features *cp; 2888 struct hci_conn *conn; 2889 2890 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2891 2892 if (!status) 2893 return; 2894 2895 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2896 if (!cp) 2897 return; 2898 2899 hci_dev_lock(hdev); 2900 2901 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2902 if (conn) { 2903 if (conn->state == BT_CONFIG) { 2904 hci_connect_cfm(conn, status); 2905 hci_conn_drop(conn); 2906 } 2907 } 2908 2909 hci_dev_unlock(hdev); 2910 } 2911 hci_cs_le_start_enc(struct hci_dev * hdev,u8 status)2912 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2913 { 2914 struct hci_cp_le_start_enc *cp; 2915 struct hci_conn *conn; 2916 2917 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2918 2919 if (!status) 2920 return; 2921 2922 hci_dev_lock(hdev); 2923 2924 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2925 if (!cp) 2926 goto unlock; 2927 2928 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2929 if (!conn) 2930 goto unlock; 2931 2932 if (conn->state != BT_CONNECTED) 2933 goto unlock; 2934 2935 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2936 hci_conn_drop(conn); 2937 2938 unlock: 2939 hci_dev_unlock(hdev); 2940 } 2941 hci_cs_switch_role(struct hci_dev * hdev,u8 status)2942 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2943 { 2944 struct hci_cp_switch_role *cp; 2945 struct hci_conn *conn; 2946 2947 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2948 2949 if (!status) 2950 return; 2951 2952 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2953 if (!cp) 2954 return; 2955 2956 hci_dev_lock(hdev); 2957 2958 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2959 if (conn) 2960 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2961 2962 hci_dev_unlock(hdev); 2963 } 2964 hci_inquiry_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)2965 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data, 2966 struct sk_buff *skb) 2967 { 2968 struct hci_ev_status *ev = data; 2969 struct discovery_state *discov = &hdev->discovery; 2970 struct inquiry_entry *e; 2971 2972 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 2973 2974 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2975 return; 2976 2977 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2978 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2979 2980 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2981 return; 2982 2983 hci_dev_lock(hdev); 2984 2985 if (discov->state != DISCOVERY_FINDING) 2986 goto unlock; 2987 2988 if (list_empty(&discov->resolve)) { 2989 /* When BR/EDR inquiry is active and no LE scanning is in 2990 * progress, then change discovery state to indicate completion. 2991 * 2992 * When running LE scanning and BR/EDR inquiry simultaneously 2993 * and the LE scan already finished, then change the discovery 2994 * state to indicate completion. 2995 */ 2996 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2997 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2998 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2999 goto unlock; 3000 } 3001 3002 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 3003 if (e && hci_resolve_name(hdev, e) == 0) { 3004 e->name_state = NAME_PENDING; 3005 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 3006 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION; 3007 } else { 3008 /* When BR/EDR inquiry is active and no LE scanning is in 3009 * progress, then change discovery state to indicate completion. 3010 * 3011 * When running LE scanning and BR/EDR inquiry simultaneously 3012 * and the LE scan already finished, then change the discovery 3013 * state to indicate completion. 3014 */ 3015 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3016 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3017 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3018 } 3019 3020 unlock: 3021 hci_dev_unlock(hdev); 3022 } 3023 hci_inquiry_result_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)3024 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata, 3025 struct sk_buff *skb) 3026 { 3027 struct hci_ev_inquiry_result *ev = edata; 3028 struct inquiry_data data; 3029 int i; 3030 3031 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT, 3032 flex_array_size(ev, info, ev->num))) 3033 return; 3034 3035 bt_dev_dbg(hdev, "num %d", ev->num); 3036 3037 if (!ev->num) 3038 return; 3039 3040 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3041 return; 3042 3043 hci_dev_lock(hdev); 3044 3045 for (i = 0; i < ev->num; i++) { 3046 struct inquiry_info *info = &ev->info[i]; 3047 u32 flags; 3048 3049 bacpy(&data.bdaddr, &info->bdaddr); 3050 data.pscan_rep_mode = info->pscan_rep_mode; 3051 data.pscan_period_mode = info->pscan_period_mode; 3052 data.pscan_mode = info->pscan_mode; 3053 memcpy(data.dev_class, info->dev_class, 3); 3054 data.clock_offset = info->clock_offset; 3055 data.rssi = HCI_RSSI_INVALID; 3056 data.ssp_mode = 0x00; 3057 3058 flags = hci_inquiry_cache_update(hdev, &data, false); 3059 3060 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3061 info->dev_class, HCI_RSSI_INVALID, 3062 flags, NULL, 0, NULL, 0, 0); 3063 } 3064 3065 hci_dev_unlock(hdev); 3066 } 3067 hci_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3068 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3069 struct sk_buff *skb) 3070 { 3071 struct hci_ev_conn_complete *ev = data; 3072 struct hci_conn *conn; 3073 u8 status = ev->status; 3074 3075 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3076 3077 hci_dev_lock(hdev); 3078 3079 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3080 if (!conn) { 3081 /* In case of error status and there is no connection pending 3082 * just unlock as there is nothing to cleanup. 3083 */ 3084 if (ev->status) 3085 goto unlock; 3086 3087 /* Connection may not exist if auto-connected. Check the bredr 3088 * allowlist to see if this device is allowed to auto connect. 3089 * If link is an ACL type, create a connection class 3090 * automatically. 3091 * 3092 * Auto-connect will only occur if the event filter is 3093 * programmed with a given address. Right now, event filter is 3094 * only used during suspend. 3095 */ 3096 if (ev->link_type == ACL_LINK && 3097 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3098 &ev->bdaddr, 3099 BDADDR_BREDR)) { 3100 conn = hci_conn_add_unset(hdev, ev->link_type, 3101 &ev->bdaddr, HCI_ROLE_SLAVE); 3102 if (IS_ERR(conn)) { 3103 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 3104 goto unlock; 3105 } 3106 } else { 3107 if (ev->link_type != SCO_LINK) 3108 goto unlock; 3109 3110 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3111 &ev->bdaddr); 3112 if (!conn) 3113 goto unlock; 3114 3115 conn->type = SCO_LINK; 3116 } 3117 } 3118 3119 /* The HCI_Connection_Complete event is only sent once per connection. 3120 * Processing it more than once per connection can corrupt kernel memory. 3121 * 3122 * As the connection handle is set here for the first time, it indicates 3123 * whether the connection is already set up. 3124 */ 3125 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 3126 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3127 goto unlock; 3128 } 3129 3130 if (!status) { 3131 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 3132 if (status) 3133 goto done; 3134 3135 if (conn->type == ACL_LINK) { 3136 conn->state = BT_CONFIG; 3137 hci_conn_hold(conn); 3138 3139 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3140 !hci_find_link_key(hdev, &ev->bdaddr)) 3141 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3142 else 3143 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3144 } else 3145 conn->state = BT_CONNECTED; 3146 3147 hci_debugfs_create_conn(conn); 3148 hci_conn_add_sysfs(conn); 3149 3150 if (test_bit(HCI_AUTH, &hdev->flags)) 3151 set_bit(HCI_CONN_AUTH, &conn->flags); 3152 3153 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3154 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3155 3156 /* "Link key request" completed ahead of "connect request" completes */ 3157 if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3158 ev->link_type == ACL_LINK) { 3159 struct link_key *key; 3160 struct hci_cp_read_enc_key_size cp; 3161 3162 key = hci_find_link_key(hdev, &ev->bdaddr); 3163 if (key) { 3164 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3165 3166 if (!read_key_size_capable(hdev)) { 3167 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3168 } else { 3169 cp.handle = cpu_to_le16(conn->handle); 3170 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, 3171 sizeof(cp), &cp)) { 3172 bt_dev_err(hdev, "sending read key size failed"); 3173 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3174 } 3175 } 3176 3177 hci_encrypt_cfm(conn, ev->status); 3178 } 3179 } 3180 3181 /* Get remote features */ 3182 if (conn->type == ACL_LINK) { 3183 struct hci_cp_read_remote_features cp; 3184 cp.handle = ev->handle; 3185 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3186 sizeof(cp), &cp); 3187 3188 hci_update_scan(hdev); 3189 } 3190 3191 /* Set packet type for incoming connection */ 3192 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3193 struct hci_cp_change_conn_ptype cp; 3194 cp.handle = ev->handle; 3195 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3196 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3197 &cp); 3198 } 3199 } 3200 3201 if (conn->type == ACL_LINK) 3202 hci_sco_setup(conn, ev->status); 3203 3204 done: 3205 if (status) { 3206 hci_conn_failed(conn, status); 3207 } else if (ev->link_type == SCO_LINK) { 3208 switch (conn->setting & SCO_AIRMODE_MASK) { 3209 case SCO_AIRMODE_CVSD: 3210 if (hdev->notify) 3211 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3212 break; 3213 } 3214 3215 hci_connect_cfm(conn, status); 3216 } 3217 3218 unlock: 3219 hci_dev_unlock(hdev); 3220 } 3221 hci_reject_conn(struct hci_dev * hdev,bdaddr_t * bdaddr)3222 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 3223 { 3224 struct hci_cp_reject_conn_req cp; 3225 3226 bacpy(&cp.bdaddr, bdaddr); 3227 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 3228 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 3229 } 3230 hci_conn_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3231 static void hci_conn_request_evt(struct hci_dev *hdev, void *data, 3232 struct sk_buff *skb) 3233 { 3234 struct hci_ev_conn_request *ev = data; 3235 int mask = hdev->link_mode; 3236 struct inquiry_entry *ie; 3237 struct hci_conn *conn; 3238 __u8 flags = 0; 3239 3240 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type); 3241 3242 /* Reject incoming connection from device with same BD ADDR against 3243 * CVE-2020-26555 3244 */ 3245 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) { 3246 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 3247 &ev->bdaddr); 3248 hci_reject_conn(hdev, &ev->bdaddr); 3249 return; 3250 } 3251 3252 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 3253 &flags); 3254 3255 if (!(mask & HCI_LM_ACCEPT)) { 3256 hci_reject_conn(hdev, &ev->bdaddr); 3257 return; 3258 } 3259 3260 hci_dev_lock(hdev); 3261 3262 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, 3263 BDADDR_BREDR)) { 3264 hci_reject_conn(hdev, &ev->bdaddr); 3265 goto unlock; 3266 } 3267 3268 /* Require HCI_CONNECTABLE or an accept list entry to accept the 3269 * connection. These features are only touched through mgmt so 3270 * only do the checks if HCI_MGMT is set. 3271 */ 3272 if (hci_dev_test_flag(hdev, HCI_MGMT) && 3273 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 3274 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, 3275 BDADDR_BREDR)) { 3276 hci_reject_conn(hdev, &ev->bdaddr); 3277 goto unlock; 3278 } 3279 3280 /* Connection accepted */ 3281 3282 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3283 if (ie) 3284 memcpy(ie->data.dev_class, ev->dev_class, 3); 3285 3286 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 3287 &ev->bdaddr); 3288 if (!conn) { 3289 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr, 3290 HCI_ROLE_SLAVE); 3291 if (IS_ERR(conn)) { 3292 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 3293 goto unlock; 3294 } 3295 } 3296 3297 memcpy(conn->dev_class, ev->dev_class, 3); 3298 3299 hci_dev_unlock(hdev); 3300 3301 if (ev->link_type == ACL_LINK || 3302 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 3303 struct hci_cp_accept_conn_req cp; 3304 conn->state = BT_CONNECT; 3305 3306 bacpy(&cp.bdaddr, &ev->bdaddr); 3307 3308 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 3309 cp.role = 0x00; /* Become central */ 3310 else 3311 cp.role = 0x01; /* Remain peripheral */ 3312 3313 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 3314 } else if (!(flags & HCI_PROTO_DEFER)) { 3315 struct hci_cp_accept_sync_conn_req cp; 3316 conn->state = BT_CONNECT; 3317 3318 bacpy(&cp.bdaddr, &ev->bdaddr); 3319 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3320 3321 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 3322 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 3323 cp.max_latency = cpu_to_le16(0xffff); 3324 cp.content_format = cpu_to_le16(hdev->voice_setting); 3325 cp.retrans_effort = 0xff; 3326 3327 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 3328 &cp); 3329 } else { 3330 conn->state = BT_CONNECT2; 3331 hci_connect_cfm(conn, 0); 3332 } 3333 3334 return; 3335 unlock: 3336 hci_dev_unlock(hdev); 3337 } 3338 hci_to_mgmt_reason(u8 err)3339 static u8 hci_to_mgmt_reason(u8 err) 3340 { 3341 switch (err) { 3342 case HCI_ERROR_CONNECTION_TIMEOUT: 3343 return MGMT_DEV_DISCONN_TIMEOUT; 3344 case HCI_ERROR_REMOTE_USER_TERM: 3345 case HCI_ERROR_REMOTE_LOW_RESOURCES: 3346 case HCI_ERROR_REMOTE_POWER_OFF: 3347 return MGMT_DEV_DISCONN_REMOTE; 3348 case HCI_ERROR_LOCAL_HOST_TERM: 3349 return MGMT_DEV_DISCONN_LOCAL_HOST; 3350 default: 3351 return MGMT_DEV_DISCONN_UNKNOWN; 3352 } 3353 } 3354 hci_disconn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3355 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, 3356 struct sk_buff *skb) 3357 { 3358 struct hci_ev_disconn_complete *ev = data; 3359 u8 reason; 3360 struct hci_conn_params *params; 3361 struct hci_conn *conn; 3362 bool mgmt_connected; 3363 3364 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3365 3366 hci_dev_lock(hdev); 3367 3368 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3369 if (!conn) 3370 goto unlock; 3371 3372 if (ev->status) { 3373 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 3374 conn->dst_type, ev->status); 3375 goto unlock; 3376 } 3377 3378 conn->state = BT_CLOSED; 3379 3380 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 3381 3382 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 3383 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 3384 else 3385 reason = hci_to_mgmt_reason(ev->reason); 3386 3387 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 3388 reason, mgmt_connected); 3389 3390 if (conn->type == ACL_LINK) { 3391 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 3392 hci_remove_link_key(hdev, &conn->dst); 3393 3394 hci_update_scan(hdev); 3395 } 3396 3397 /* Re-enable passive scanning if disconnected device is marked 3398 * as auto-connectable. 3399 */ 3400 if (conn->type == LE_LINK) { 3401 params = hci_conn_params_lookup(hdev, &conn->dst, 3402 conn->dst_type); 3403 if (params) { 3404 switch (params->auto_connect) { 3405 case HCI_AUTO_CONN_LINK_LOSS: 3406 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 3407 break; 3408 fallthrough; 3409 3410 case HCI_AUTO_CONN_DIRECT: 3411 case HCI_AUTO_CONN_ALWAYS: 3412 hci_pend_le_list_del_init(params); 3413 hci_pend_le_list_add(params, 3414 &hdev->pend_le_conns); 3415 hci_update_passive_scan(hdev); 3416 break; 3417 3418 default: 3419 break; 3420 } 3421 } 3422 } 3423 3424 hci_disconn_cfm(conn, ev->reason); 3425 3426 /* Re-enable advertising if necessary, since it might 3427 * have been disabled by the connection. From the 3428 * HCI_LE_Set_Advertise_Enable command description in 3429 * the core specification (v4.0): 3430 * "The Controller shall continue advertising until the Host 3431 * issues an LE_Set_Advertise_Enable command with 3432 * Advertising_Enable set to 0x00 (Advertising is disabled) 3433 * or until a connection is created or until the Advertising 3434 * is timed out due to Directed Advertising." 3435 */ 3436 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 3437 hdev->cur_adv_instance = conn->adv_instance; 3438 hci_enable_advertising(hdev); 3439 } 3440 3441 hci_conn_del(conn); 3442 3443 unlock: 3444 hci_dev_unlock(hdev); 3445 } 3446 hci_auth_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3447 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data, 3448 struct sk_buff *skb) 3449 { 3450 struct hci_ev_auth_complete *ev = data; 3451 struct hci_conn *conn; 3452 3453 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3454 3455 hci_dev_lock(hdev); 3456 3457 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3458 if (!conn) 3459 goto unlock; 3460 3461 if (!ev->status) { 3462 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3463 set_bit(HCI_CONN_AUTH, &conn->flags); 3464 conn->sec_level = conn->pending_sec_level; 3465 } else { 3466 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3467 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3468 3469 mgmt_auth_failed(conn, ev->status); 3470 } 3471 3472 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3473 3474 if (conn->state == BT_CONFIG) { 3475 if (!ev->status && hci_conn_ssp_enabled(conn)) { 3476 struct hci_cp_set_conn_encrypt cp; 3477 cp.handle = ev->handle; 3478 cp.encrypt = 0x01; 3479 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3480 &cp); 3481 } else { 3482 conn->state = BT_CONNECTED; 3483 hci_connect_cfm(conn, ev->status); 3484 hci_conn_drop(conn); 3485 } 3486 } else { 3487 hci_auth_cfm(conn, ev->status); 3488 3489 hci_conn_hold(conn); 3490 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3491 hci_conn_drop(conn); 3492 } 3493 3494 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 3495 if (!ev->status) { 3496 struct hci_cp_set_conn_encrypt cp; 3497 cp.handle = ev->handle; 3498 cp.encrypt = 0x01; 3499 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3500 &cp); 3501 } else { 3502 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3503 hci_encrypt_cfm(conn, ev->status); 3504 } 3505 } 3506 3507 unlock: 3508 hci_dev_unlock(hdev); 3509 } 3510 hci_remote_name_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3511 static void hci_remote_name_evt(struct hci_dev *hdev, void *data, 3512 struct sk_buff *skb) 3513 { 3514 struct hci_ev_remote_name *ev = data; 3515 struct hci_conn *conn; 3516 3517 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3518 3519 hci_dev_lock(hdev); 3520 3521 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3522 3523 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3524 goto check_auth; 3525 3526 if (ev->status == 0) 3527 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 3528 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 3529 else 3530 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 3531 3532 check_auth: 3533 if (!conn) 3534 goto unlock; 3535 3536 if (!hci_outgoing_auth_needed(hdev, conn)) 3537 goto unlock; 3538 3539 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3540 struct hci_cp_auth_requested cp; 3541 3542 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 3543 3544 cp.handle = __cpu_to_le16(conn->handle); 3545 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3546 } 3547 3548 unlock: 3549 hci_dev_unlock(hdev); 3550 } 3551 hci_encrypt_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3552 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, 3553 struct sk_buff *skb) 3554 { 3555 struct hci_ev_encrypt_change *ev = data; 3556 struct hci_conn *conn; 3557 3558 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3559 3560 hci_dev_lock(hdev); 3561 3562 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3563 if (!conn) 3564 goto unlock; 3565 3566 if (!ev->status) { 3567 if (ev->encrypt) { 3568 /* Encryption implies authentication */ 3569 set_bit(HCI_CONN_AUTH, &conn->flags); 3570 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3571 conn->sec_level = conn->pending_sec_level; 3572 3573 /* P-256 authentication key implies FIPS */ 3574 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3575 set_bit(HCI_CONN_FIPS, &conn->flags); 3576 3577 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3578 conn->type == LE_LINK) 3579 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3580 } else { 3581 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3582 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3583 } 3584 } 3585 3586 /* We should disregard the current RPA and generate a new one 3587 * whenever the encryption procedure fails. 3588 */ 3589 if (ev->status && conn->type == LE_LINK) { 3590 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3591 hci_adv_instances_set_rpa_expired(hdev, true); 3592 } 3593 3594 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3595 3596 /* Check link security requirements are met */ 3597 if (!hci_conn_check_link_mode(conn)) 3598 ev->status = HCI_ERROR_AUTH_FAILURE; 3599 3600 if (ev->status && conn->state == BT_CONNECTED) { 3601 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3602 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3603 3604 /* Notify upper layers so they can cleanup before 3605 * disconnecting. 3606 */ 3607 hci_encrypt_cfm(conn, ev->status); 3608 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3609 hci_conn_drop(conn); 3610 goto unlock; 3611 } 3612 3613 /* Try reading the encryption key size for encrypted ACL links */ 3614 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3615 struct hci_cp_read_enc_key_size cp; 3616 3617 /* Only send HCI_Read_Encryption_Key_Size if the 3618 * controller really supports it. If it doesn't, assume 3619 * the default size (16). 3620 */ 3621 if (!read_key_size_capable(hdev)) { 3622 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3623 goto notify; 3624 } 3625 3626 cp.handle = cpu_to_le16(conn->handle); 3627 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, 3628 sizeof(cp), &cp)) { 3629 bt_dev_err(hdev, "sending read key size failed"); 3630 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3631 goto notify; 3632 } 3633 3634 goto unlock; 3635 } 3636 3637 /* We skip the WRITE_AUTH_PAYLOAD_TIMEOUT for ATS2851 based controllers 3638 * to avoid unexpected SMP command errors when pairing. 3639 */ 3640 if (test_bit(HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT, 3641 &hdev->quirks)) 3642 goto notify; 3643 3644 /* Set the default Authenticated Payload Timeout after 3645 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3646 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3647 * sent when the link is active and Encryption is enabled, the conn 3648 * type can be either LE or ACL and controller must support LMP Ping. 3649 * Ensure for AES-CCM encryption as well. 3650 */ 3651 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3652 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3653 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3654 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3655 struct hci_cp_write_auth_payload_to cp; 3656 3657 cp.handle = cpu_to_le16(conn->handle); 3658 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3659 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3660 sizeof(cp), &cp)) 3661 bt_dev_err(hdev, "write auth payload timeout failed"); 3662 } 3663 3664 notify: 3665 hci_encrypt_cfm(conn, ev->status); 3666 3667 unlock: 3668 hci_dev_unlock(hdev); 3669 } 3670 hci_change_link_key_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3671 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data, 3672 struct sk_buff *skb) 3673 { 3674 struct hci_ev_change_link_key_complete *ev = data; 3675 struct hci_conn *conn; 3676 3677 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3678 3679 hci_dev_lock(hdev); 3680 3681 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3682 if (conn) { 3683 if (!ev->status) 3684 set_bit(HCI_CONN_SECURE, &conn->flags); 3685 3686 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3687 3688 hci_key_change_cfm(conn, ev->status); 3689 } 3690 3691 hci_dev_unlock(hdev); 3692 } 3693 hci_remote_features_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3694 static void hci_remote_features_evt(struct hci_dev *hdev, void *data, 3695 struct sk_buff *skb) 3696 { 3697 struct hci_ev_remote_features *ev = data; 3698 struct hci_conn *conn; 3699 3700 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3701 3702 hci_dev_lock(hdev); 3703 3704 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3705 if (!conn) 3706 goto unlock; 3707 3708 if (!ev->status) 3709 memcpy(conn->features[0], ev->features, 8); 3710 3711 if (conn->state != BT_CONFIG) 3712 goto unlock; 3713 3714 if (!ev->status && lmp_ext_feat_capable(hdev) && 3715 lmp_ext_feat_capable(conn)) { 3716 struct hci_cp_read_remote_ext_features cp; 3717 cp.handle = ev->handle; 3718 cp.page = 0x01; 3719 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3720 sizeof(cp), &cp); 3721 goto unlock; 3722 } 3723 3724 if (!ev->status) { 3725 struct hci_cp_remote_name_req cp; 3726 memset(&cp, 0, sizeof(cp)); 3727 bacpy(&cp.bdaddr, &conn->dst); 3728 cp.pscan_rep_mode = 0x02; 3729 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3730 } else { 3731 mgmt_device_connected(hdev, conn, NULL, 0); 3732 } 3733 3734 if (!hci_outgoing_auth_needed(hdev, conn)) { 3735 conn->state = BT_CONNECTED; 3736 hci_connect_cfm(conn, ev->status); 3737 hci_conn_drop(conn); 3738 } 3739 3740 unlock: 3741 hci_dev_unlock(hdev); 3742 } 3743 handle_cmd_cnt_and_timer(struct hci_dev * hdev,u8 ncmd)3744 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3745 { 3746 cancel_delayed_work(&hdev->cmd_timer); 3747 3748 rcu_read_lock(); 3749 if (!test_bit(HCI_RESET, &hdev->flags)) { 3750 if (ncmd) { 3751 cancel_delayed_work(&hdev->ncmd_timer); 3752 atomic_set(&hdev->cmd_cnt, 1); 3753 } else { 3754 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 3755 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer, 3756 HCI_NCMD_TIMEOUT); 3757 } 3758 } 3759 rcu_read_unlock(); 3760 } 3761 hci_cc_le_read_buffer_size_v2(struct hci_dev * hdev,void * data,struct sk_buff * skb)3762 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data, 3763 struct sk_buff *skb) 3764 { 3765 struct hci_rp_le_read_buffer_size_v2 *rp = data; 3766 3767 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3768 3769 if (rp->status) 3770 return rp->status; 3771 3772 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu); 3773 hdev->le_pkts = rp->acl_max_pkt; 3774 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu); 3775 hdev->iso_pkts = rp->iso_max_pkt; 3776 3777 hdev->le_cnt = hdev->le_pkts; 3778 hdev->iso_cnt = hdev->iso_pkts; 3779 3780 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu, 3781 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts); 3782 3783 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 3784 return HCI_ERROR_INVALID_PARAMETERS; 3785 3786 return rp->status; 3787 } 3788 hci_unbound_cis_failed(struct hci_dev * hdev,u8 cig,u8 status)3789 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status) 3790 { 3791 struct hci_conn *conn, *tmp; 3792 3793 lockdep_assert_held(&hdev->lock); 3794 3795 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) { 3796 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) || 3797 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig) 3798 continue; 3799 3800 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 3801 hci_conn_failed(conn, status); 3802 } 3803 } 3804 hci_cc_le_set_cig_params(struct hci_dev * hdev,void * data,struct sk_buff * skb)3805 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data, 3806 struct sk_buff *skb) 3807 { 3808 struct hci_rp_le_set_cig_params *rp = data; 3809 struct hci_cp_le_set_cig_params *cp; 3810 struct hci_conn *conn; 3811 u8 status = rp->status; 3812 bool pending = false; 3813 int i; 3814 3815 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3816 3817 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS); 3818 if (!rp->status && (!cp || rp->num_handles != cp->num_cis || 3819 rp->cig_id != cp->cig_id)) { 3820 bt_dev_err(hdev, "unexpected Set CIG Parameters response data"); 3821 status = HCI_ERROR_UNSPECIFIED; 3822 } 3823 3824 hci_dev_lock(hdev); 3825 3826 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554 3827 * 3828 * If the Status return parameter is non-zero, then the state of the CIG 3829 * and its CIS configurations shall not be changed by the command. If 3830 * the CIG did not already exist, it shall not be created. 3831 */ 3832 if (status) { 3833 /* Keep current configuration, fail only the unbound CIS */ 3834 hci_unbound_cis_failed(hdev, rp->cig_id, status); 3835 goto unlock; 3836 } 3837 3838 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553 3839 * 3840 * If the Status return parameter is zero, then the Controller shall 3841 * set the Connection_Handle arrayed return parameter to the connection 3842 * handle(s) corresponding to the CIS configurations specified in 3843 * the CIS_IDs command parameter, in the same order. 3844 */ 3845 for (i = 0; i < rp->num_handles; ++i) { 3846 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id, 3847 cp->cis[i].cis_id); 3848 if (!conn || !bacmp(&conn->dst, BDADDR_ANY)) 3849 continue; 3850 3851 if (conn->state != BT_BOUND && conn->state != BT_CONNECT) 3852 continue; 3853 3854 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i]))) 3855 continue; 3856 3857 if (conn->state == BT_CONNECT) 3858 pending = true; 3859 } 3860 3861 unlock: 3862 if (pending) 3863 hci_le_create_cis_pending(hdev); 3864 3865 hci_dev_unlock(hdev); 3866 3867 return rp->status; 3868 } 3869 hci_cc_le_setup_iso_path(struct hci_dev * hdev,void * data,struct sk_buff * skb)3870 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data, 3871 struct sk_buff *skb) 3872 { 3873 struct hci_rp_le_setup_iso_path *rp = data; 3874 struct hci_cp_le_setup_iso_path *cp; 3875 struct hci_conn *conn; 3876 3877 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3878 3879 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH); 3880 if (!cp) 3881 return rp->status; 3882 3883 hci_dev_lock(hdev); 3884 3885 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 3886 if (!conn) 3887 goto unlock; 3888 3889 if (rp->status) { 3890 hci_connect_cfm(conn, rp->status); 3891 hci_conn_del(conn); 3892 goto unlock; 3893 } 3894 3895 switch (cp->direction) { 3896 /* Input (Host to Controller) */ 3897 case 0x00: 3898 /* Only confirm connection if output only */ 3899 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu) 3900 hci_connect_cfm(conn, rp->status); 3901 break; 3902 /* Output (Controller to Host) */ 3903 case 0x01: 3904 /* Confirm connection since conn->iso_qos is always configured 3905 * last. 3906 */ 3907 hci_connect_cfm(conn, rp->status); 3908 3909 /* Notify device connected in case it is a BIG Sync */ 3910 if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags)) 3911 mgmt_device_connected(hdev, conn, NULL, 0); 3912 3913 break; 3914 } 3915 3916 unlock: 3917 hci_dev_unlock(hdev); 3918 return rp->status; 3919 } 3920 hci_cs_le_create_big(struct hci_dev * hdev,u8 status)3921 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status) 3922 { 3923 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3924 } 3925 hci_cc_set_per_adv_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)3926 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data, 3927 struct sk_buff *skb) 3928 { 3929 struct hci_ev_status *rp = data; 3930 struct hci_cp_le_set_per_adv_params *cp; 3931 3932 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3933 3934 if (rp->status) 3935 return rp->status; 3936 3937 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS); 3938 if (!cp) 3939 return rp->status; 3940 3941 /* TODO: set the conn state */ 3942 return rp->status; 3943 } 3944 hci_cc_le_set_per_adv_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)3945 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, 3946 struct sk_buff *skb) 3947 { 3948 struct hci_ev_status *rp = data; 3949 struct hci_cp_le_set_per_adv_enable *cp; 3950 struct adv_info *adv = NULL, *n; 3951 u8 per_adv_cnt = 0; 3952 3953 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3954 3955 if (rp->status) 3956 return rp->status; 3957 3958 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE); 3959 if (!cp) 3960 return rp->status; 3961 3962 hci_dev_lock(hdev); 3963 3964 adv = hci_find_adv_instance(hdev, cp->handle); 3965 3966 if (cp->enable) { 3967 hci_dev_set_flag(hdev, HCI_LE_PER_ADV); 3968 3969 if (adv) 3970 adv->enabled = true; 3971 } else { 3972 /* If just one instance was disabled check if there are 3973 * any other instance enabled before clearing HCI_LE_PER_ADV. 3974 * The current periodic adv instance will be marked as 3975 * disabled once extended advertising is also disabled. 3976 */ 3977 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 3978 list) { 3979 if (adv->periodic && adv->enabled) 3980 per_adv_cnt++; 3981 } 3982 3983 if (per_adv_cnt > 1) 3984 goto unlock; 3985 3986 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV); 3987 } 3988 3989 unlock: 3990 hci_dev_unlock(hdev); 3991 3992 return rp->status; 3993 } 3994 3995 #define HCI_CC_VL(_op, _func, _min, _max) \ 3996 { \ 3997 .op = _op, \ 3998 .func = _func, \ 3999 .min_len = _min, \ 4000 .max_len = _max, \ 4001 } 4002 4003 #define HCI_CC(_op, _func, _len) \ 4004 HCI_CC_VL(_op, _func, _len, _len) 4005 4006 #define HCI_CC_STATUS(_op, _func) \ 4007 HCI_CC(_op, _func, sizeof(struct hci_ev_status)) 4008 4009 static const struct hci_cc { 4010 u16 op; 4011 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 4012 u16 min_len; 4013 u16 max_len; 4014 } hci_cc_table[] = { 4015 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel), 4016 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq), 4017 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq), 4018 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL, 4019 hci_cc_remote_name_req_cancel), 4020 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery, 4021 sizeof(struct hci_rp_role_discovery)), 4022 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy, 4023 sizeof(struct hci_rp_read_link_policy)), 4024 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy, 4025 sizeof(struct hci_rp_write_link_policy)), 4026 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy, 4027 sizeof(struct hci_rp_read_def_link_policy)), 4028 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY, 4029 hci_cc_write_def_link_policy), 4030 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset), 4031 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key, 4032 sizeof(struct hci_rp_read_stored_link_key)), 4033 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key, 4034 sizeof(struct hci_rp_delete_stored_link_key)), 4035 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name), 4036 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name, 4037 sizeof(struct hci_rp_read_local_name)), 4038 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable), 4039 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode), 4040 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable), 4041 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter), 4042 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev, 4043 sizeof(struct hci_rp_read_class_of_dev)), 4044 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev), 4045 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting, 4046 sizeof(struct hci_rp_read_voice_setting)), 4047 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting), 4048 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac, 4049 sizeof(struct hci_rp_read_num_supported_iac)), 4050 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode), 4051 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support), 4052 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout, 4053 sizeof(struct hci_rp_read_auth_payload_to)), 4054 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout, 4055 sizeof(struct hci_rp_write_auth_payload_to)), 4056 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version, 4057 sizeof(struct hci_rp_read_local_version)), 4058 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands, 4059 sizeof(struct hci_rp_read_local_commands)), 4060 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features, 4061 sizeof(struct hci_rp_read_local_features)), 4062 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features, 4063 sizeof(struct hci_rp_read_local_ext_features)), 4064 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size, 4065 sizeof(struct hci_rp_read_buffer_size)), 4066 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr, 4067 sizeof(struct hci_rp_read_bd_addr)), 4068 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts, 4069 sizeof(struct hci_rp_read_local_pairing_opts)), 4070 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity, 4071 sizeof(struct hci_rp_read_page_scan_activity)), 4072 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, 4073 hci_cc_write_page_scan_activity), 4074 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, 4075 sizeof(struct hci_rp_read_page_scan_type)), 4076 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), 4077 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, 4078 sizeof(struct hci_rp_read_clock)), 4079 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, 4080 sizeof(struct hci_rp_read_enc_key_size)), 4081 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power, 4082 sizeof(struct hci_rp_read_inq_rsp_tx_power)), 4083 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING, 4084 hci_cc_read_def_err_data_reporting, 4085 sizeof(struct hci_rp_read_def_err_data_reporting)), 4086 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING, 4087 hci_cc_write_def_err_data_reporting), 4088 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply, 4089 sizeof(struct hci_rp_pin_code_reply)), 4090 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply, 4091 sizeof(struct hci_rp_pin_code_neg_reply)), 4092 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data, 4093 sizeof(struct hci_rp_read_local_oob_data)), 4094 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data, 4095 sizeof(struct hci_rp_read_local_oob_ext_data)), 4096 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size, 4097 sizeof(struct hci_rp_le_read_buffer_size)), 4098 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features, 4099 sizeof(struct hci_rp_le_read_local_features)), 4100 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power, 4101 sizeof(struct hci_rp_le_read_adv_tx_power)), 4102 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply, 4103 sizeof(struct hci_rp_user_confirm_reply)), 4104 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply, 4105 sizeof(struct hci_rp_user_confirm_reply)), 4106 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply, 4107 sizeof(struct hci_rp_user_confirm_reply)), 4108 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply, 4109 sizeof(struct hci_rp_user_confirm_reply)), 4110 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr), 4111 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable), 4112 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param), 4113 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable), 4114 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE, 4115 hci_cc_le_read_accept_list_size, 4116 sizeof(struct hci_rp_le_read_accept_list_size)), 4117 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list), 4118 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST, 4119 hci_cc_le_add_to_accept_list), 4120 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST, 4121 hci_cc_le_del_from_accept_list), 4122 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states, 4123 sizeof(struct hci_rp_le_read_supported_states)), 4124 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len, 4125 sizeof(struct hci_rp_le_read_def_data_len)), 4126 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN, 4127 hci_cc_le_write_def_data_len), 4128 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST, 4129 hci_cc_le_add_to_resolv_list), 4130 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST, 4131 hci_cc_le_del_from_resolv_list), 4132 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST, 4133 hci_cc_le_clear_resolv_list), 4134 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size, 4135 sizeof(struct hci_rp_le_read_resolv_list_size)), 4136 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 4137 hci_cc_le_set_addr_resolution_enable), 4138 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len, 4139 sizeof(struct hci_rp_le_read_max_data_len)), 4140 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED, 4141 hci_cc_write_le_host_supported), 4142 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param), 4143 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi, 4144 sizeof(struct hci_rp_read_rssi)), 4145 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power, 4146 sizeof(struct hci_rp_read_tx_power)), 4147 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode), 4148 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS, 4149 hci_cc_le_set_ext_scan_param), 4150 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE, 4151 hci_cc_le_set_ext_scan_enable), 4152 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy), 4153 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, 4154 hci_cc_le_read_num_adv_sets, 4155 sizeof(struct hci_rp_le_read_num_supported_adv_sets)), 4156 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, 4157 sizeof(struct hci_rp_le_set_ext_adv_params)), 4158 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, 4159 hci_cc_le_set_ext_adv_enable), 4160 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, 4161 hci_cc_le_set_adv_set_random_addr), 4162 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set), 4163 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets), 4164 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param), 4165 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE, 4166 hci_cc_le_set_per_adv_enable), 4167 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power, 4168 sizeof(struct hci_rp_le_read_transmit_power)), 4169 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode), 4170 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2, 4171 sizeof(struct hci_rp_le_read_buffer_size_v2)), 4172 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params, 4173 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE), 4174 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path, 4175 sizeof(struct hci_rp_le_setup_iso_path)), 4176 }; 4177 hci_cc_func(struct hci_dev * hdev,const struct hci_cc * cc,struct sk_buff * skb)4178 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc, 4179 struct sk_buff *skb) 4180 { 4181 void *data; 4182 4183 if (skb->len < cc->min_len) { 4184 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u", 4185 cc->op, skb->len, cc->min_len); 4186 return HCI_ERROR_UNSPECIFIED; 4187 } 4188 4189 /* Just warn if the length is over max_len size it still be possible to 4190 * partially parse the cc so leave to callback to decide if that is 4191 * acceptable. 4192 */ 4193 if (skb->len > cc->max_len) 4194 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u", 4195 cc->op, skb->len, cc->max_len); 4196 4197 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len); 4198 if (!data) 4199 return HCI_ERROR_UNSPECIFIED; 4200 4201 return cc->func(hdev, data, skb); 4202 } 4203 hci_cmd_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)4204 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, 4205 struct sk_buff *skb, u16 *opcode, u8 *status, 4206 hci_req_complete_t *req_complete, 4207 hci_req_complete_skb_t *req_complete_skb) 4208 { 4209 struct hci_ev_cmd_complete *ev = data; 4210 int i; 4211 4212 *opcode = __le16_to_cpu(ev->opcode); 4213 4214 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4215 4216 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) { 4217 if (hci_cc_table[i].op == *opcode) { 4218 *status = hci_cc_func(hdev, &hci_cc_table[i], skb); 4219 break; 4220 } 4221 } 4222 4223 if (i == ARRAY_SIZE(hci_cc_table)) { 4224 /* Unknown opcode, assume byte 0 contains the status, so 4225 * that e.g. __hci_cmd_sync() properly returns errors 4226 * for vendor specific commands send by HCI drivers. 4227 * If a vendor doesn't actually follow this convention we may 4228 * need to introduce a vendor CC table in order to properly set 4229 * the status. 4230 */ 4231 *status = skb->data[0]; 4232 } 4233 4234 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4235 4236 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 4237 req_complete_skb); 4238 4239 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4240 bt_dev_err(hdev, 4241 "unexpected event for opcode 0x%4.4x", *opcode); 4242 return; 4243 } 4244 4245 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4246 queue_work(hdev->workqueue, &hdev->cmd_work); 4247 } 4248 hci_cs_le_create_cis(struct hci_dev * hdev,u8 status)4249 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) 4250 { 4251 struct hci_cp_le_create_cis *cp; 4252 bool pending = false; 4253 int i; 4254 4255 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4256 4257 if (!status) 4258 return; 4259 4260 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS); 4261 if (!cp) 4262 return; 4263 4264 hci_dev_lock(hdev); 4265 4266 /* Remove connection if command failed */ 4267 for (i = 0; cp->num_cis; cp->num_cis--, i++) { 4268 struct hci_conn *conn; 4269 u16 handle; 4270 4271 handle = __le16_to_cpu(cp->cis[i].cis_handle); 4272 4273 conn = hci_conn_hash_lookup_handle(hdev, handle); 4274 if (conn) { 4275 if (test_and_clear_bit(HCI_CONN_CREATE_CIS, 4276 &conn->flags)) 4277 pending = true; 4278 conn->state = BT_CLOSED; 4279 hci_connect_cfm(conn, status); 4280 hci_conn_del(conn); 4281 } 4282 } 4283 4284 if (pending) 4285 hci_le_create_cis_pending(hdev); 4286 4287 hci_dev_unlock(hdev); 4288 } 4289 4290 #define HCI_CS(_op, _func) \ 4291 { \ 4292 .op = _op, \ 4293 .func = _func, \ 4294 } 4295 4296 static const struct hci_cs { 4297 u16 op; 4298 void (*func)(struct hci_dev *hdev, __u8 status); 4299 } hci_cs_table[] = { 4300 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry), 4301 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn), 4302 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect), 4303 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco), 4304 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested), 4305 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt), 4306 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req), 4307 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features), 4308 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES, 4309 hci_cs_read_remote_ext_features), 4310 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn), 4311 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN, 4312 hci_cs_enhanced_setup_sync_conn), 4313 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode), 4314 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode), 4315 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role), 4316 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn), 4317 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features), 4318 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc), 4319 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn), 4320 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis), 4321 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big), 4322 }; 4323 hci_cmd_status_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)4324 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data, 4325 struct sk_buff *skb, u16 *opcode, u8 *status, 4326 hci_req_complete_t *req_complete, 4327 hci_req_complete_skb_t *req_complete_skb) 4328 { 4329 struct hci_ev_cmd_status *ev = data; 4330 int i; 4331 4332 *opcode = __le16_to_cpu(ev->opcode); 4333 *status = ev->status; 4334 4335 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4336 4337 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) { 4338 if (hci_cs_table[i].op == *opcode) { 4339 hci_cs_table[i].func(hdev, ev->status); 4340 break; 4341 } 4342 } 4343 4344 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4345 4346 /* Indicate request completion if the command failed. Also, if 4347 * we're not waiting for a special event and we get a success 4348 * command status we should try to flag the request as completed 4349 * (since for this kind of commands there will not be a command 4350 * complete event). 4351 */ 4352 if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) { 4353 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 4354 req_complete_skb); 4355 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4356 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x", 4357 *opcode); 4358 return; 4359 } 4360 } 4361 4362 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4363 queue_work(hdev->workqueue, &hdev->cmd_work); 4364 } 4365 hci_hardware_error_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4366 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data, 4367 struct sk_buff *skb) 4368 { 4369 struct hci_ev_hardware_error *ev = data; 4370 4371 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code); 4372 4373 hdev->hw_error_code = ev->code; 4374 4375 queue_work(hdev->req_workqueue, &hdev->error_reset); 4376 } 4377 hci_role_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4378 static void hci_role_change_evt(struct hci_dev *hdev, void *data, 4379 struct sk_buff *skb) 4380 { 4381 struct hci_ev_role_change *ev = data; 4382 struct hci_conn *conn; 4383 4384 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4385 4386 hci_dev_lock(hdev); 4387 4388 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4389 if (conn) { 4390 if (!ev->status) 4391 conn->role = ev->role; 4392 4393 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 4394 4395 hci_role_switch_cfm(conn, ev->status, ev->role); 4396 } 4397 4398 hci_dev_unlock(hdev); 4399 } 4400 hci_num_comp_pkts_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4401 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, 4402 struct sk_buff *skb) 4403 { 4404 struct hci_ev_num_comp_pkts *ev = data; 4405 int i; 4406 4407 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, 4408 flex_array_size(ev, handles, ev->num))) 4409 return; 4410 4411 bt_dev_dbg(hdev, "num %d", ev->num); 4412 4413 for (i = 0; i < ev->num; i++) { 4414 struct hci_comp_pkts_info *info = &ev->handles[i]; 4415 struct hci_conn *conn; 4416 __u16 handle, count; 4417 4418 handle = __le16_to_cpu(info->handle); 4419 count = __le16_to_cpu(info->count); 4420 4421 conn = hci_conn_hash_lookup_handle(hdev, handle); 4422 if (!conn) 4423 continue; 4424 4425 conn->sent -= count; 4426 4427 switch (conn->type) { 4428 case ACL_LINK: 4429 hdev->acl_cnt += count; 4430 if (hdev->acl_cnt > hdev->acl_pkts) 4431 hdev->acl_cnt = hdev->acl_pkts; 4432 break; 4433 4434 case LE_LINK: 4435 if (hdev->le_pkts) { 4436 hdev->le_cnt += count; 4437 if (hdev->le_cnt > hdev->le_pkts) 4438 hdev->le_cnt = hdev->le_pkts; 4439 } else { 4440 hdev->acl_cnt += count; 4441 if (hdev->acl_cnt > hdev->acl_pkts) 4442 hdev->acl_cnt = hdev->acl_pkts; 4443 } 4444 break; 4445 4446 case SCO_LINK: 4447 hdev->sco_cnt += count; 4448 if (hdev->sco_cnt > hdev->sco_pkts) 4449 hdev->sco_cnt = hdev->sco_pkts; 4450 break; 4451 4452 case ISO_LINK: 4453 if (hdev->iso_pkts) { 4454 hdev->iso_cnt += count; 4455 if (hdev->iso_cnt > hdev->iso_pkts) 4456 hdev->iso_cnt = hdev->iso_pkts; 4457 } else if (hdev->le_pkts) { 4458 hdev->le_cnt += count; 4459 if (hdev->le_cnt > hdev->le_pkts) 4460 hdev->le_cnt = hdev->le_pkts; 4461 } else { 4462 hdev->acl_cnt += count; 4463 if (hdev->acl_cnt > hdev->acl_pkts) 4464 hdev->acl_cnt = hdev->acl_pkts; 4465 } 4466 break; 4467 4468 default: 4469 bt_dev_err(hdev, "unknown type %d conn %p", 4470 conn->type, conn); 4471 break; 4472 } 4473 } 4474 4475 queue_work(hdev->workqueue, &hdev->tx_work); 4476 } 4477 hci_mode_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4478 static void hci_mode_change_evt(struct hci_dev *hdev, void *data, 4479 struct sk_buff *skb) 4480 { 4481 struct hci_ev_mode_change *ev = data; 4482 struct hci_conn *conn; 4483 4484 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4485 4486 hci_dev_lock(hdev); 4487 4488 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4489 if (conn) { 4490 conn->mode = ev->mode; 4491 4492 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 4493 &conn->flags)) { 4494 if (conn->mode == HCI_CM_ACTIVE) 4495 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4496 else 4497 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4498 } 4499 4500 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4501 hci_sco_setup(conn, ev->status); 4502 } 4503 4504 hci_dev_unlock(hdev); 4505 } 4506 hci_pin_code_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4507 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data, 4508 struct sk_buff *skb) 4509 { 4510 struct hci_ev_pin_code_req *ev = data; 4511 struct hci_conn *conn; 4512 4513 bt_dev_dbg(hdev, ""); 4514 4515 hci_dev_lock(hdev); 4516 4517 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4518 if (!conn) 4519 goto unlock; 4520 4521 if (conn->state == BT_CONNECTED) { 4522 hci_conn_hold(conn); 4523 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4524 hci_conn_drop(conn); 4525 } 4526 4527 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4528 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4529 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4530 sizeof(ev->bdaddr), &ev->bdaddr); 4531 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4532 u8 secure; 4533 4534 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4535 secure = 1; 4536 else 4537 secure = 0; 4538 4539 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4540 } 4541 4542 unlock: 4543 hci_dev_unlock(hdev); 4544 } 4545 conn_set_key(struct hci_conn * conn,u8 key_type,u8 pin_len)4546 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4547 { 4548 if (key_type == HCI_LK_CHANGED_COMBINATION) 4549 return; 4550 4551 conn->pin_length = pin_len; 4552 conn->key_type = key_type; 4553 4554 switch (key_type) { 4555 case HCI_LK_LOCAL_UNIT: 4556 case HCI_LK_REMOTE_UNIT: 4557 case HCI_LK_DEBUG_COMBINATION: 4558 return; 4559 case HCI_LK_COMBINATION: 4560 if (pin_len == 16) 4561 conn->pending_sec_level = BT_SECURITY_HIGH; 4562 else 4563 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4564 break; 4565 case HCI_LK_UNAUTH_COMBINATION_P192: 4566 case HCI_LK_UNAUTH_COMBINATION_P256: 4567 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4568 break; 4569 case HCI_LK_AUTH_COMBINATION_P192: 4570 conn->pending_sec_level = BT_SECURITY_HIGH; 4571 break; 4572 case HCI_LK_AUTH_COMBINATION_P256: 4573 conn->pending_sec_level = BT_SECURITY_FIPS; 4574 break; 4575 } 4576 } 4577 hci_link_key_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4578 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data, 4579 struct sk_buff *skb) 4580 { 4581 struct hci_ev_link_key_req *ev = data; 4582 struct hci_cp_link_key_reply cp; 4583 struct hci_conn *conn; 4584 struct link_key *key; 4585 4586 bt_dev_dbg(hdev, ""); 4587 4588 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4589 return; 4590 4591 hci_dev_lock(hdev); 4592 4593 key = hci_find_link_key(hdev, &ev->bdaddr); 4594 if (!key) { 4595 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr); 4596 goto not_found; 4597 } 4598 4599 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr); 4600 4601 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4602 if (conn) { 4603 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4604 4605 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4606 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4607 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4608 bt_dev_dbg(hdev, "ignoring unauthenticated key"); 4609 goto not_found; 4610 } 4611 4612 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4613 (conn->pending_sec_level == BT_SECURITY_HIGH || 4614 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4615 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security"); 4616 goto not_found; 4617 } 4618 4619 conn_set_key(conn, key->type, key->pin_len); 4620 } 4621 4622 bacpy(&cp.bdaddr, &ev->bdaddr); 4623 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4624 4625 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4626 4627 hci_dev_unlock(hdev); 4628 4629 return; 4630 4631 not_found: 4632 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4633 hci_dev_unlock(hdev); 4634 } 4635 hci_link_key_notify_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4636 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, 4637 struct sk_buff *skb) 4638 { 4639 struct hci_ev_link_key_notify *ev = data; 4640 struct hci_conn *conn; 4641 struct link_key *key; 4642 bool persistent; 4643 u8 pin_len = 0; 4644 4645 bt_dev_dbg(hdev, ""); 4646 4647 hci_dev_lock(hdev); 4648 4649 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4650 if (!conn) 4651 goto unlock; 4652 4653 /* Ignore NULL link key against CVE-2020-26555 */ 4654 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { 4655 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", 4656 &ev->bdaddr); 4657 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4658 hci_conn_drop(conn); 4659 goto unlock; 4660 } 4661 4662 hci_conn_hold(conn); 4663 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4664 hci_conn_drop(conn); 4665 4666 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4667 conn_set_key(conn, ev->key_type, conn->pin_length); 4668 4669 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4670 goto unlock; 4671 4672 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4673 ev->key_type, pin_len, &persistent); 4674 if (!key) 4675 goto unlock; 4676 4677 /* Update connection information since adding the key will have 4678 * fixed up the type in the case of changed combination keys. 4679 */ 4680 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4681 conn_set_key(conn, key->type, key->pin_len); 4682 4683 mgmt_new_link_key(hdev, key, persistent); 4684 4685 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4686 * is set. If it's not set simply remove the key from the kernel 4687 * list (we've still notified user space about it but with 4688 * store_hint being 0). 4689 */ 4690 if (key->type == HCI_LK_DEBUG_COMBINATION && 4691 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4692 list_del_rcu(&key->list); 4693 kfree_rcu(key, rcu); 4694 goto unlock; 4695 } 4696 4697 if (persistent) 4698 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4699 else 4700 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4701 4702 unlock: 4703 hci_dev_unlock(hdev); 4704 } 4705 hci_clock_offset_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4706 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data, 4707 struct sk_buff *skb) 4708 { 4709 struct hci_ev_clock_offset *ev = data; 4710 struct hci_conn *conn; 4711 4712 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4713 4714 hci_dev_lock(hdev); 4715 4716 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4717 if (conn && !ev->status) { 4718 struct inquiry_entry *ie; 4719 4720 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4721 if (ie) { 4722 ie->data.clock_offset = ev->clock_offset; 4723 ie->timestamp = jiffies; 4724 } 4725 } 4726 4727 hci_dev_unlock(hdev); 4728 } 4729 hci_pkt_type_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4730 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data, 4731 struct sk_buff *skb) 4732 { 4733 struct hci_ev_pkt_type_change *ev = data; 4734 struct hci_conn *conn; 4735 4736 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4737 4738 hci_dev_lock(hdev); 4739 4740 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4741 if (conn && !ev->status) 4742 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4743 4744 hci_dev_unlock(hdev); 4745 } 4746 hci_pscan_rep_mode_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4747 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data, 4748 struct sk_buff *skb) 4749 { 4750 struct hci_ev_pscan_rep_mode *ev = data; 4751 struct inquiry_entry *ie; 4752 4753 bt_dev_dbg(hdev, ""); 4754 4755 hci_dev_lock(hdev); 4756 4757 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4758 if (ie) { 4759 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4760 ie->timestamp = jiffies; 4761 } 4762 4763 hci_dev_unlock(hdev); 4764 } 4765 hci_inquiry_result_with_rssi_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)4766 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata, 4767 struct sk_buff *skb) 4768 { 4769 struct hci_ev_inquiry_result_rssi *ev = edata; 4770 struct inquiry_data data; 4771 int i; 4772 4773 bt_dev_dbg(hdev, "num_rsp %d", ev->num); 4774 4775 if (!ev->num) 4776 return; 4777 4778 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4779 return; 4780 4781 hci_dev_lock(hdev); 4782 4783 if (skb->len == array_size(ev->num, 4784 sizeof(struct inquiry_info_rssi_pscan))) { 4785 struct inquiry_info_rssi_pscan *info; 4786 4787 for (i = 0; i < ev->num; i++) { 4788 u32 flags; 4789 4790 info = hci_ev_skb_pull(hdev, skb, 4791 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4792 sizeof(*info)); 4793 if (!info) { 4794 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4795 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4796 goto unlock; 4797 } 4798 4799 bacpy(&data.bdaddr, &info->bdaddr); 4800 data.pscan_rep_mode = info->pscan_rep_mode; 4801 data.pscan_period_mode = info->pscan_period_mode; 4802 data.pscan_mode = info->pscan_mode; 4803 memcpy(data.dev_class, info->dev_class, 3); 4804 data.clock_offset = info->clock_offset; 4805 data.rssi = info->rssi; 4806 data.ssp_mode = 0x00; 4807 4808 flags = hci_inquiry_cache_update(hdev, &data, false); 4809 4810 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4811 info->dev_class, info->rssi, 4812 flags, NULL, 0, NULL, 0, 0); 4813 } 4814 } else if (skb->len == array_size(ev->num, 4815 sizeof(struct inquiry_info_rssi))) { 4816 struct inquiry_info_rssi *info; 4817 4818 for (i = 0; i < ev->num; i++) { 4819 u32 flags; 4820 4821 info = hci_ev_skb_pull(hdev, skb, 4822 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4823 sizeof(*info)); 4824 if (!info) { 4825 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4826 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4827 goto unlock; 4828 } 4829 4830 bacpy(&data.bdaddr, &info->bdaddr); 4831 data.pscan_rep_mode = info->pscan_rep_mode; 4832 data.pscan_period_mode = info->pscan_period_mode; 4833 data.pscan_mode = 0x00; 4834 memcpy(data.dev_class, info->dev_class, 3); 4835 data.clock_offset = info->clock_offset; 4836 data.rssi = info->rssi; 4837 data.ssp_mode = 0x00; 4838 4839 flags = hci_inquiry_cache_update(hdev, &data, false); 4840 4841 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4842 info->dev_class, info->rssi, 4843 flags, NULL, 0, NULL, 0, 0); 4844 } 4845 } else { 4846 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4847 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4848 } 4849 unlock: 4850 hci_dev_unlock(hdev); 4851 } 4852 hci_remote_ext_features_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4853 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data, 4854 struct sk_buff *skb) 4855 { 4856 struct hci_ev_remote_ext_features *ev = data; 4857 struct hci_conn *conn; 4858 4859 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4860 4861 hci_dev_lock(hdev); 4862 4863 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4864 if (!conn) 4865 goto unlock; 4866 4867 if (ev->page < HCI_MAX_PAGES) 4868 memcpy(conn->features[ev->page], ev->features, 8); 4869 4870 if (!ev->status && ev->page == 0x01) { 4871 struct inquiry_entry *ie; 4872 4873 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4874 if (ie) 4875 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4876 4877 if (ev->features[0] & LMP_HOST_SSP) { 4878 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4879 } else { 4880 /* It is mandatory by the Bluetooth specification that 4881 * Extended Inquiry Results are only used when Secure 4882 * Simple Pairing is enabled, but some devices violate 4883 * this. 4884 * 4885 * To make these devices work, the internal SSP 4886 * enabled flag needs to be cleared if the remote host 4887 * features do not indicate SSP support */ 4888 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4889 } 4890 4891 if (ev->features[0] & LMP_HOST_SC) 4892 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4893 } 4894 4895 if (conn->state != BT_CONFIG) 4896 goto unlock; 4897 4898 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4899 struct hci_cp_remote_name_req cp; 4900 memset(&cp, 0, sizeof(cp)); 4901 bacpy(&cp.bdaddr, &conn->dst); 4902 cp.pscan_rep_mode = 0x02; 4903 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4904 } else { 4905 mgmt_device_connected(hdev, conn, NULL, 0); 4906 } 4907 4908 if (!hci_outgoing_auth_needed(hdev, conn)) { 4909 conn->state = BT_CONNECTED; 4910 hci_connect_cfm(conn, ev->status); 4911 hci_conn_drop(conn); 4912 } 4913 4914 unlock: 4915 hci_dev_unlock(hdev); 4916 } 4917 hci_sync_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4918 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, 4919 struct sk_buff *skb) 4920 { 4921 struct hci_ev_sync_conn_complete *ev = data; 4922 struct hci_conn *conn; 4923 u8 status = ev->status; 4924 4925 switch (ev->link_type) { 4926 case SCO_LINK: 4927 case ESCO_LINK: 4928 break; 4929 default: 4930 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type 4931 * for HCI_Synchronous_Connection_Complete is limited to 4932 * either SCO or eSCO 4933 */ 4934 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type"); 4935 return; 4936 } 4937 4938 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4939 4940 hci_dev_lock(hdev); 4941 4942 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4943 if (!conn) { 4944 if (ev->link_type == ESCO_LINK) 4945 goto unlock; 4946 4947 /* When the link type in the event indicates SCO connection 4948 * and lookup of the connection object fails, then check 4949 * if an eSCO connection object exists. 4950 * 4951 * The core limits the synchronous connections to either 4952 * SCO or eSCO. The eSCO connection is preferred and tried 4953 * to be setup first and until successfully established, 4954 * the link type will be hinted as eSCO. 4955 */ 4956 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4957 if (!conn) 4958 goto unlock; 4959 } 4960 4961 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. 4962 * Processing it more than once per connection can corrupt kernel memory. 4963 * 4964 * As the connection handle is set here for the first time, it indicates 4965 * whether the connection is already set up. 4966 */ 4967 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 4968 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection"); 4969 goto unlock; 4970 } 4971 4972 switch (status) { 4973 case 0x00: 4974 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 4975 if (status) { 4976 conn->state = BT_CLOSED; 4977 break; 4978 } 4979 4980 conn->state = BT_CONNECTED; 4981 conn->type = ev->link_type; 4982 4983 hci_debugfs_create_conn(conn); 4984 hci_conn_add_sysfs(conn); 4985 break; 4986 4987 case 0x10: /* Connection Accept Timeout */ 4988 case 0x0d: /* Connection Rejected due to Limited Resources */ 4989 case 0x11: /* Unsupported Feature or Parameter Value */ 4990 case 0x1c: /* SCO interval rejected */ 4991 case 0x1a: /* Unsupported Remote Feature */ 4992 case 0x1e: /* Invalid LMP Parameters */ 4993 case 0x1f: /* Unspecified error */ 4994 case 0x20: /* Unsupported LMP Parameter value */ 4995 if (conn->out) { 4996 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4997 (hdev->esco_type & EDR_ESCO_MASK); 4998 if (hci_setup_sync(conn, conn->parent->handle)) 4999 goto unlock; 5000 } 5001 fallthrough; 5002 5003 default: 5004 conn->state = BT_CLOSED; 5005 break; 5006 } 5007 5008 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 5009 /* Notify only in case of SCO over HCI transport data path which 5010 * is zero and non-zero value shall be non-HCI transport data path 5011 */ 5012 if (conn->codec.data_path == 0 && hdev->notify) { 5013 switch (ev->air_mode) { 5014 case 0x02: 5015 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 5016 break; 5017 case 0x03: 5018 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 5019 break; 5020 } 5021 } 5022 5023 hci_connect_cfm(conn, status); 5024 if (status) 5025 hci_conn_del(conn); 5026 5027 unlock: 5028 hci_dev_unlock(hdev); 5029 } 5030 eir_get_length(u8 * eir,size_t eir_len)5031 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 5032 { 5033 size_t parsed = 0; 5034 5035 while (parsed < eir_len) { 5036 u8 field_len = eir[0]; 5037 5038 if (field_len == 0) 5039 return parsed; 5040 5041 parsed += field_len + 1; 5042 eir += field_len + 1; 5043 } 5044 5045 return eir_len; 5046 } 5047 hci_extended_inquiry_result_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)5048 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata, 5049 struct sk_buff *skb) 5050 { 5051 struct hci_ev_ext_inquiry_result *ev = edata; 5052 struct inquiry_data data; 5053 size_t eir_len; 5054 int i; 5055 5056 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT, 5057 flex_array_size(ev, info, ev->num))) 5058 return; 5059 5060 bt_dev_dbg(hdev, "num %d", ev->num); 5061 5062 if (!ev->num) 5063 return; 5064 5065 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 5066 return; 5067 5068 hci_dev_lock(hdev); 5069 5070 for (i = 0; i < ev->num; i++) { 5071 struct extended_inquiry_info *info = &ev->info[i]; 5072 u32 flags; 5073 bool name_known; 5074 5075 bacpy(&data.bdaddr, &info->bdaddr); 5076 data.pscan_rep_mode = info->pscan_rep_mode; 5077 data.pscan_period_mode = info->pscan_period_mode; 5078 data.pscan_mode = 0x00; 5079 memcpy(data.dev_class, info->dev_class, 3); 5080 data.clock_offset = info->clock_offset; 5081 data.rssi = info->rssi; 5082 data.ssp_mode = 0x01; 5083 5084 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5085 name_known = eir_get_data(info->data, 5086 sizeof(info->data), 5087 EIR_NAME_COMPLETE, NULL); 5088 else 5089 name_known = true; 5090 5091 flags = hci_inquiry_cache_update(hdev, &data, name_known); 5092 5093 eir_len = eir_get_length(info->data, sizeof(info->data)); 5094 5095 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 5096 info->dev_class, info->rssi, 5097 flags, info->data, eir_len, NULL, 0, 0); 5098 } 5099 5100 hci_dev_unlock(hdev); 5101 } 5102 hci_key_refresh_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5103 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, 5104 struct sk_buff *skb) 5105 { 5106 struct hci_ev_key_refresh_complete *ev = data; 5107 struct hci_conn *conn; 5108 5109 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status, 5110 __le16_to_cpu(ev->handle)); 5111 5112 hci_dev_lock(hdev); 5113 5114 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5115 if (!conn) 5116 goto unlock; 5117 5118 /* For BR/EDR the necessary steps are taken through the 5119 * auth_complete event. 5120 */ 5121 if (conn->type != LE_LINK) 5122 goto unlock; 5123 5124 if (!ev->status) 5125 conn->sec_level = conn->pending_sec_level; 5126 5127 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 5128 5129 if (ev->status && conn->state == BT_CONNECTED) { 5130 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 5131 hci_conn_drop(conn); 5132 goto unlock; 5133 } 5134 5135 if (conn->state == BT_CONFIG) { 5136 if (!ev->status) 5137 conn->state = BT_CONNECTED; 5138 5139 hci_connect_cfm(conn, ev->status); 5140 hci_conn_drop(conn); 5141 } else { 5142 hci_auth_cfm(conn, ev->status); 5143 5144 hci_conn_hold(conn); 5145 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 5146 hci_conn_drop(conn); 5147 } 5148 5149 unlock: 5150 hci_dev_unlock(hdev); 5151 } 5152 hci_get_auth_req(struct hci_conn * conn)5153 static u8 hci_get_auth_req(struct hci_conn *conn) 5154 { 5155 /* If remote requests no-bonding follow that lead */ 5156 if (conn->remote_auth == HCI_AT_NO_BONDING || 5157 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 5158 return conn->remote_auth | (conn->auth_type & 0x01); 5159 5160 /* If both remote and local have enough IO capabilities, require 5161 * MITM protection 5162 */ 5163 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 5164 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 5165 return conn->remote_auth | 0x01; 5166 5167 /* No MITM protection possible so ignore remote requirement */ 5168 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 5169 } 5170 bredr_oob_data_present(struct hci_conn * conn)5171 static u8 bredr_oob_data_present(struct hci_conn *conn) 5172 { 5173 struct hci_dev *hdev = conn->hdev; 5174 struct oob_data *data; 5175 5176 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 5177 if (!data) 5178 return 0x00; 5179 5180 if (bredr_sc_enabled(hdev)) { 5181 /* When Secure Connections is enabled, then just 5182 * return the present value stored with the OOB 5183 * data. The stored value contains the right present 5184 * information. However it can only be trusted when 5185 * not in Secure Connection Only mode. 5186 */ 5187 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 5188 return data->present; 5189 5190 /* When Secure Connections Only mode is enabled, then 5191 * the P-256 values are required. If they are not 5192 * available, then do not declare that OOB data is 5193 * present. 5194 */ 5195 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) || 5196 !crypto_memneq(data->hash256, ZERO_KEY, 16)) 5197 return 0x00; 5198 5199 return 0x02; 5200 } 5201 5202 /* When Secure Connections is not enabled or actually 5203 * not supported by the hardware, then check that if 5204 * P-192 data values are present. 5205 */ 5206 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) || 5207 !crypto_memneq(data->hash192, ZERO_KEY, 16)) 5208 return 0x00; 5209 5210 return 0x01; 5211 } 5212 hci_io_capa_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5213 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data, 5214 struct sk_buff *skb) 5215 { 5216 struct hci_ev_io_capa_request *ev = data; 5217 struct hci_conn *conn; 5218 5219 bt_dev_dbg(hdev, ""); 5220 5221 hci_dev_lock(hdev); 5222 5223 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5224 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) 5225 goto unlock; 5226 5227 /* Assume remote supports SSP since it has triggered this event */ 5228 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 5229 5230 hci_conn_hold(conn); 5231 5232 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5233 goto unlock; 5234 5235 /* Allow pairing if we're pairable, the initiators of the 5236 * pairing or if the remote is not requesting bonding. 5237 */ 5238 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 5239 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 5240 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 5241 struct hci_cp_io_capability_reply cp; 5242 5243 bacpy(&cp.bdaddr, &ev->bdaddr); 5244 /* Change the IO capability from KeyboardDisplay 5245 * to DisplayYesNo as it is not supported by BT spec. */ 5246 cp.capability = (conn->io_capability == 0x04) ? 5247 HCI_IO_DISPLAY_YESNO : conn->io_capability; 5248 5249 /* If we are initiators, there is no remote information yet */ 5250 if (conn->remote_auth == 0xff) { 5251 /* Request MITM protection if our IO caps allow it 5252 * except for the no-bonding case. 5253 */ 5254 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5255 conn->auth_type != HCI_AT_NO_BONDING) 5256 conn->auth_type |= 0x01; 5257 } else { 5258 conn->auth_type = hci_get_auth_req(conn); 5259 } 5260 5261 /* If we're not bondable, force one of the non-bondable 5262 * authentication requirement values. 5263 */ 5264 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 5265 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 5266 5267 cp.authentication = conn->auth_type; 5268 cp.oob_data = bredr_oob_data_present(conn); 5269 5270 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 5271 sizeof(cp), &cp); 5272 } else { 5273 struct hci_cp_io_capability_neg_reply cp; 5274 5275 bacpy(&cp.bdaddr, &ev->bdaddr); 5276 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 5277 5278 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 5279 sizeof(cp), &cp); 5280 } 5281 5282 unlock: 5283 hci_dev_unlock(hdev); 5284 } 5285 hci_io_capa_reply_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5286 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data, 5287 struct sk_buff *skb) 5288 { 5289 struct hci_ev_io_capa_reply *ev = data; 5290 struct hci_conn *conn; 5291 5292 bt_dev_dbg(hdev, ""); 5293 5294 hci_dev_lock(hdev); 5295 5296 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5297 if (!conn) 5298 goto unlock; 5299 5300 conn->remote_cap = ev->capability; 5301 conn->remote_auth = ev->authentication; 5302 5303 unlock: 5304 hci_dev_unlock(hdev); 5305 } 5306 hci_user_confirm_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5307 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data, 5308 struct sk_buff *skb) 5309 { 5310 struct hci_ev_user_confirm_req *ev = data; 5311 int loc_mitm, rem_mitm, confirm_hint = 0; 5312 struct hci_conn *conn; 5313 5314 bt_dev_dbg(hdev, ""); 5315 5316 hci_dev_lock(hdev); 5317 5318 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5319 goto unlock; 5320 5321 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5322 if (!conn) 5323 goto unlock; 5324 5325 loc_mitm = (conn->auth_type & 0x01); 5326 rem_mitm = (conn->remote_auth & 0x01); 5327 5328 /* If we require MITM but the remote device can't provide that 5329 * (it has NoInputNoOutput) then reject the confirmation 5330 * request. We check the security level here since it doesn't 5331 * necessarily match conn->auth_type. 5332 */ 5333 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5334 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5335 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM"); 5336 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5337 sizeof(ev->bdaddr), &ev->bdaddr); 5338 goto unlock; 5339 } 5340 5341 /* If no side requires MITM protection; use JUST_CFM method */ 5342 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5343 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5344 5345 /* If we're not the initiator of request authorization and the 5346 * local IO capability is not NoInputNoOutput, use JUST_WORKS 5347 * method (mgmt_user_confirm with confirm_hint set to 1). 5348 */ 5349 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5350 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) { 5351 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor"); 5352 confirm_hint = 1; 5353 goto confirm; 5354 } 5355 5356 /* If there already exists link key in local host, leave the 5357 * decision to user space since the remote device could be 5358 * legitimate or malicious. 5359 */ 5360 if (hci_find_link_key(hdev, &ev->bdaddr)) { 5361 bt_dev_dbg(hdev, "Local host already has link key"); 5362 confirm_hint = 1; 5363 goto confirm; 5364 } 5365 5366 BT_DBG("Auto-accept of user confirmation with %ums delay", 5367 hdev->auto_accept_delay); 5368 5369 if (hdev->auto_accept_delay > 0) { 5370 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 5371 queue_delayed_work(conn->hdev->workqueue, 5372 &conn->auto_accept_work, delay); 5373 goto unlock; 5374 } 5375 5376 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 5377 sizeof(ev->bdaddr), &ev->bdaddr); 5378 goto unlock; 5379 } 5380 5381 confirm: 5382 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 5383 le32_to_cpu(ev->passkey), confirm_hint); 5384 5385 unlock: 5386 hci_dev_unlock(hdev); 5387 } 5388 hci_user_passkey_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5389 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data, 5390 struct sk_buff *skb) 5391 { 5392 struct hci_ev_user_passkey_req *ev = data; 5393 5394 bt_dev_dbg(hdev, ""); 5395 5396 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5397 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 5398 } 5399 hci_user_passkey_notify_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5400 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data, 5401 struct sk_buff *skb) 5402 { 5403 struct hci_ev_user_passkey_notify *ev = data; 5404 struct hci_conn *conn; 5405 5406 bt_dev_dbg(hdev, ""); 5407 5408 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5409 if (!conn) 5410 return; 5411 5412 conn->passkey_notify = __le32_to_cpu(ev->passkey); 5413 conn->passkey_entered = 0; 5414 5415 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5416 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5417 conn->dst_type, conn->passkey_notify, 5418 conn->passkey_entered); 5419 } 5420 hci_keypress_notify_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5421 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data, 5422 struct sk_buff *skb) 5423 { 5424 struct hci_ev_keypress_notify *ev = data; 5425 struct hci_conn *conn; 5426 5427 bt_dev_dbg(hdev, ""); 5428 5429 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5430 if (!conn) 5431 return; 5432 5433 switch (ev->type) { 5434 case HCI_KEYPRESS_STARTED: 5435 conn->passkey_entered = 0; 5436 return; 5437 5438 case HCI_KEYPRESS_ENTERED: 5439 conn->passkey_entered++; 5440 break; 5441 5442 case HCI_KEYPRESS_ERASED: 5443 conn->passkey_entered--; 5444 break; 5445 5446 case HCI_KEYPRESS_CLEARED: 5447 conn->passkey_entered = 0; 5448 break; 5449 5450 case HCI_KEYPRESS_COMPLETED: 5451 return; 5452 } 5453 5454 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5455 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5456 conn->dst_type, conn->passkey_notify, 5457 conn->passkey_entered); 5458 } 5459 hci_simple_pair_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5460 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data, 5461 struct sk_buff *skb) 5462 { 5463 struct hci_ev_simple_pair_complete *ev = data; 5464 struct hci_conn *conn; 5465 5466 bt_dev_dbg(hdev, ""); 5467 5468 hci_dev_lock(hdev); 5469 5470 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5471 if (!conn || !hci_conn_ssp_enabled(conn)) 5472 goto unlock; 5473 5474 /* Reset the authentication requirement to unknown */ 5475 conn->remote_auth = 0xff; 5476 5477 /* To avoid duplicate auth_failed events to user space we check 5478 * the HCI_CONN_AUTH_PEND flag which will be set if we 5479 * initiated the authentication. A traditional auth_complete 5480 * event gets always produced as initiator and is also mapped to 5481 * the mgmt_auth_failed event */ 5482 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5483 mgmt_auth_failed(conn, ev->status); 5484 5485 hci_conn_drop(conn); 5486 5487 unlock: 5488 hci_dev_unlock(hdev); 5489 } 5490 hci_remote_host_features_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5491 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data, 5492 struct sk_buff *skb) 5493 { 5494 struct hci_ev_remote_host_features *ev = data; 5495 struct inquiry_entry *ie; 5496 struct hci_conn *conn; 5497 5498 bt_dev_dbg(hdev, ""); 5499 5500 hci_dev_lock(hdev); 5501 5502 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5503 if (conn) 5504 memcpy(conn->features[1], ev->features, 8); 5505 5506 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5507 if (ie) 5508 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5509 5510 hci_dev_unlock(hdev); 5511 } 5512 hci_remote_oob_data_request_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)5513 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata, 5514 struct sk_buff *skb) 5515 { 5516 struct hci_ev_remote_oob_data_request *ev = edata; 5517 struct oob_data *data; 5518 5519 bt_dev_dbg(hdev, ""); 5520 5521 hci_dev_lock(hdev); 5522 5523 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5524 goto unlock; 5525 5526 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5527 if (!data) { 5528 struct hci_cp_remote_oob_data_neg_reply cp; 5529 5530 bacpy(&cp.bdaddr, &ev->bdaddr); 5531 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5532 sizeof(cp), &cp); 5533 goto unlock; 5534 } 5535 5536 if (bredr_sc_enabled(hdev)) { 5537 struct hci_cp_remote_oob_ext_data_reply cp; 5538 5539 bacpy(&cp.bdaddr, &ev->bdaddr); 5540 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5541 memset(cp.hash192, 0, sizeof(cp.hash192)); 5542 memset(cp.rand192, 0, sizeof(cp.rand192)); 5543 } else { 5544 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5545 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5546 } 5547 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 5548 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5549 5550 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5551 sizeof(cp), &cp); 5552 } else { 5553 struct hci_cp_remote_oob_data_reply cp; 5554 5555 bacpy(&cp.bdaddr, &ev->bdaddr); 5556 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5557 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5558 5559 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5560 sizeof(cp), &cp); 5561 } 5562 5563 unlock: 5564 hci_dev_unlock(hdev); 5565 } 5566 le_conn_update_addr(struct hci_conn * conn,bdaddr_t * bdaddr,u8 bdaddr_type,bdaddr_t * local_rpa)5567 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5568 u8 bdaddr_type, bdaddr_t *local_rpa) 5569 { 5570 if (conn->out) { 5571 conn->dst_type = bdaddr_type; 5572 conn->resp_addr_type = bdaddr_type; 5573 bacpy(&conn->resp_addr, bdaddr); 5574 5575 /* Check if the controller has set a Local RPA then it must be 5576 * used instead or hdev->rpa. 5577 */ 5578 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5579 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5580 bacpy(&conn->init_addr, local_rpa); 5581 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5582 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5583 bacpy(&conn->init_addr, &conn->hdev->rpa); 5584 } else { 5585 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5586 &conn->init_addr_type); 5587 } 5588 } else { 5589 conn->resp_addr_type = conn->hdev->adv_addr_type; 5590 /* Check if the controller has set a Local RPA then it must be 5591 * used instead or hdev->rpa. 5592 */ 5593 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5594 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5595 bacpy(&conn->resp_addr, local_rpa); 5596 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5597 /* In case of ext adv, resp_addr will be updated in 5598 * Adv Terminated event. 5599 */ 5600 if (!ext_adv_capable(conn->hdev)) 5601 bacpy(&conn->resp_addr, 5602 &conn->hdev->random_addr); 5603 } else { 5604 bacpy(&conn->resp_addr, &conn->hdev->bdaddr); 5605 } 5606 5607 conn->init_addr_type = bdaddr_type; 5608 bacpy(&conn->init_addr, bdaddr); 5609 5610 /* For incoming connections, set the default minimum 5611 * and maximum connection interval. They will be used 5612 * to check if the parameters are in range and if not 5613 * trigger the connection update procedure. 5614 */ 5615 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval; 5616 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval; 5617 } 5618 } 5619 le_conn_complete_evt(struct hci_dev * hdev,u8 status,bdaddr_t * bdaddr,u8 bdaddr_type,bdaddr_t * local_rpa,u8 role,u16 handle,u16 interval,u16 latency,u16 supervision_timeout)5620 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5621 bdaddr_t *bdaddr, u8 bdaddr_type, 5622 bdaddr_t *local_rpa, u8 role, u16 handle, 5623 u16 interval, u16 latency, 5624 u16 supervision_timeout) 5625 { 5626 struct hci_conn_params *params; 5627 struct hci_conn *conn; 5628 struct smp_irk *irk; 5629 u8 addr_type; 5630 5631 hci_dev_lock(hdev); 5632 5633 /* All controllers implicitly stop advertising in the event of a 5634 * connection, so ensure that the state bit is cleared. 5635 */ 5636 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5637 5638 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr); 5639 if (!conn) { 5640 /* In case of error status and there is no connection pending 5641 * just unlock as there is nothing to cleanup. 5642 */ 5643 if (status) 5644 goto unlock; 5645 5646 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role); 5647 if (IS_ERR(conn)) { 5648 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 5649 goto unlock; 5650 } 5651 5652 conn->dst_type = bdaddr_type; 5653 5654 /* If we didn't have a hci_conn object previously 5655 * but we're in central role this must be something 5656 * initiated using an accept list. Since accept list based 5657 * connections are not "first class citizens" we don't 5658 * have full tracking of them. Therefore, we go ahead 5659 * with a "best effort" approach of determining the 5660 * initiator address based on the HCI_PRIVACY flag. 5661 */ 5662 if (conn->out) { 5663 conn->resp_addr_type = bdaddr_type; 5664 bacpy(&conn->resp_addr, bdaddr); 5665 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5666 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5667 bacpy(&conn->init_addr, &hdev->rpa); 5668 } else { 5669 hci_copy_identity_address(hdev, 5670 &conn->init_addr, 5671 &conn->init_addr_type); 5672 } 5673 } 5674 } else { 5675 cancel_delayed_work(&conn->le_conn_timeout); 5676 } 5677 5678 /* The HCI_LE_Connection_Complete event is only sent once per connection. 5679 * Processing it more than once per connection can corrupt kernel memory. 5680 * 5681 * As the connection handle is set here for the first time, it indicates 5682 * whether the connection is already set up. 5683 */ 5684 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5685 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 5686 goto unlock; 5687 } 5688 5689 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa); 5690 5691 /* Lookup the identity address from the stored connection 5692 * address and address type. 5693 * 5694 * When establishing connections to an identity address, the 5695 * connection procedure will store the resolvable random 5696 * address first. Now if it can be converted back into the 5697 * identity address, start using the identity address from 5698 * now on. 5699 */ 5700 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5701 if (irk) { 5702 bacpy(&conn->dst, &irk->bdaddr); 5703 conn->dst_type = irk->addr_type; 5704 } 5705 5706 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL); 5707 5708 /* All connection failure handling is taken care of by the 5709 * hci_conn_failed function which is triggered by the HCI 5710 * request completion callbacks used for connecting. 5711 */ 5712 if (status || hci_conn_set_handle(conn, handle)) 5713 goto unlock; 5714 5715 /* Drop the connection if it has been aborted */ 5716 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) { 5717 hci_conn_drop(conn); 5718 goto unlock; 5719 } 5720 5721 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5722 addr_type = BDADDR_LE_PUBLIC; 5723 else 5724 addr_type = BDADDR_LE_RANDOM; 5725 5726 /* Drop the connection if the device is blocked */ 5727 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) { 5728 hci_conn_drop(conn); 5729 goto unlock; 5730 } 5731 5732 mgmt_device_connected(hdev, conn, NULL, 0); 5733 5734 conn->sec_level = BT_SECURITY_LOW; 5735 conn->state = BT_CONFIG; 5736 5737 /* Store current advertising instance as connection advertising instance 5738 * when sotfware rotation is in use so it can be re-enabled when 5739 * disconnected. 5740 */ 5741 if (!ext_adv_capable(hdev)) 5742 conn->adv_instance = hdev->cur_adv_instance; 5743 5744 conn->le_conn_interval = interval; 5745 conn->le_conn_latency = latency; 5746 conn->le_supv_timeout = supervision_timeout; 5747 5748 hci_debugfs_create_conn(conn); 5749 hci_conn_add_sysfs(conn); 5750 5751 /* The remote features procedure is defined for central 5752 * role only. So only in case of an initiated connection 5753 * request the remote features. 5754 * 5755 * If the local controller supports peripheral-initiated features 5756 * exchange, then requesting the remote features in peripheral 5757 * role is possible. Otherwise just transition into the 5758 * connected state without requesting the remote features. 5759 */ 5760 if (conn->out || 5761 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) { 5762 struct hci_cp_le_read_remote_features cp; 5763 5764 cp.handle = __cpu_to_le16(conn->handle); 5765 5766 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5767 sizeof(cp), &cp); 5768 5769 hci_conn_hold(conn); 5770 } else { 5771 conn->state = BT_CONNECTED; 5772 hci_connect_cfm(conn, status); 5773 } 5774 5775 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5776 conn->dst_type); 5777 if (params) { 5778 hci_pend_le_list_del_init(params); 5779 if (params->conn) { 5780 hci_conn_drop(params->conn); 5781 hci_conn_put(params->conn); 5782 params->conn = NULL; 5783 } 5784 } 5785 5786 unlock: 5787 hci_update_passive_scan(hdev); 5788 hci_dev_unlock(hdev); 5789 } 5790 hci_le_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5791 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data, 5792 struct sk_buff *skb) 5793 { 5794 struct hci_ev_le_conn_complete *ev = data; 5795 5796 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5797 5798 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5799 NULL, ev->role, le16_to_cpu(ev->handle), 5800 le16_to_cpu(ev->interval), 5801 le16_to_cpu(ev->latency), 5802 le16_to_cpu(ev->supervision_timeout)); 5803 } 5804 hci_le_enh_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5805 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data, 5806 struct sk_buff *skb) 5807 { 5808 struct hci_ev_le_enh_conn_complete *ev = data; 5809 5810 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5811 5812 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5813 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle), 5814 le16_to_cpu(ev->interval), 5815 le16_to_cpu(ev->latency), 5816 le16_to_cpu(ev->supervision_timeout)); 5817 } 5818 hci_le_ext_adv_term_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5819 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data, 5820 struct sk_buff *skb) 5821 { 5822 struct hci_evt_le_ext_adv_set_term *ev = data; 5823 struct hci_conn *conn; 5824 struct adv_info *adv, *n; 5825 5826 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5827 5828 /* The Bluetooth Core 5.3 specification clearly states that this event 5829 * shall not be sent when the Host disables the advertising set. So in 5830 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event. 5831 * 5832 * When the Host disables an advertising set, all cleanup is done via 5833 * its command callback and not needed to be duplicated here. 5834 */ 5835 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) { 5836 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event"); 5837 return; 5838 } 5839 5840 hci_dev_lock(hdev); 5841 5842 adv = hci_find_adv_instance(hdev, ev->handle); 5843 5844 if (ev->status) { 5845 if (!adv) 5846 goto unlock; 5847 5848 /* Remove advertising as it has been terminated */ 5849 hci_remove_adv_instance(hdev, ev->handle); 5850 mgmt_advertising_removed(NULL, hdev, ev->handle); 5851 5852 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 5853 if (adv->enabled) 5854 goto unlock; 5855 } 5856 5857 /* We are no longer advertising, clear HCI_LE_ADV */ 5858 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5859 goto unlock; 5860 } 5861 5862 if (adv) 5863 adv->enabled = false; 5864 5865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5866 if (conn) { 5867 /* Store handle in the connection so the correct advertising 5868 * instance can be re-enabled when disconnected. 5869 */ 5870 conn->adv_instance = ev->handle; 5871 5872 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM || 5873 bacmp(&conn->resp_addr, BDADDR_ANY)) 5874 goto unlock; 5875 5876 if (!ev->handle) { 5877 bacpy(&conn->resp_addr, &hdev->random_addr); 5878 goto unlock; 5879 } 5880 5881 if (adv) 5882 bacpy(&conn->resp_addr, &adv->random_addr); 5883 } 5884 5885 unlock: 5886 hci_dev_unlock(hdev); 5887 } 5888 hci_le_conn_update_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5889 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data, 5890 struct sk_buff *skb) 5891 { 5892 struct hci_ev_le_conn_update_complete *ev = data; 5893 struct hci_conn *conn; 5894 5895 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5896 5897 if (ev->status) 5898 return; 5899 5900 hci_dev_lock(hdev); 5901 5902 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5903 if (conn) { 5904 conn->le_conn_interval = le16_to_cpu(ev->interval); 5905 conn->le_conn_latency = le16_to_cpu(ev->latency); 5906 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5907 } 5908 5909 hci_dev_unlock(hdev); 5910 } 5911 5912 /* This function requires the caller holds hdev->lock */ check_pending_le_conn(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type,bool addr_resolved,u8 adv_type)5913 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5914 bdaddr_t *addr, 5915 u8 addr_type, bool addr_resolved, 5916 u8 adv_type) 5917 { 5918 struct hci_conn *conn; 5919 struct hci_conn_params *params; 5920 5921 /* If the event is not connectable don't proceed further */ 5922 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5923 return NULL; 5924 5925 /* Ignore if the device is blocked or hdev is suspended */ 5926 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) || 5927 hdev->suspended) 5928 return NULL; 5929 5930 /* Most controller will fail if we try to create new connections 5931 * while we have an existing one in peripheral role. 5932 */ 5933 if (hdev->conn_hash.le_num_peripheral > 0 && 5934 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 5935 !(hdev->le_states[3] & 0x10))) 5936 return NULL; 5937 5938 /* If we're not connectable only connect devices that we have in 5939 * our pend_le_conns list. 5940 */ 5941 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5942 addr_type); 5943 if (!params) 5944 return NULL; 5945 5946 if (!params->explicit_connect) { 5947 switch (params->auto_connect) { 5948 case HCI_AUTO_CONN_DIRECT: 5949 /* Only devices advertising with ADV_DIRECT_IND are 5950 * triggering a connection attempt. This is allowing 5951 * incoming connections from peripheral devices. 5952 */ 5953 if (adv_type != LE_ADV_DIRECT_IND) 5954 return NULL; 5955 break; 5956 case HCI_AUTO_CONN_ALWAYS: 5957 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5958 * are triggering a connection attempt. This means 5959 * that incoming connections from peripheral device are 5960 * accepted and also outgoing connections to peripheral 5961 * devices are established when found. 5962 */ 5963 break; 5964 default: 5965 return NULL; 5966 } 5967 } 5968 5969 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved, 5970 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout, 5971 HCI_ROLE_MASTER); 5972 if (!IS_ERR(conn)) { 5973 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5974 * by higher layer that tried to connect, if no then 5975 * store the pointer since we don't really have any 5976 * other owner of the object besides the params that 5977 * triggered it. This way we can abort the connection if 5978 * the parameters get removed and keep the reference 5979 * count consistent once the connection is established. 5980 */ 5981 5982 if (!params->explicit_connect) 5983 params->conn = hci_conn_get(conn); 5984 5985 return conn; 5986 } 5987 5988 switch (PTR_ERR(conn)) { 5989 case -EBUSY: 5990 /* If hci_connect() returns -EBUSY it means there is already 5991 * an LE connection attempt going on. Since controllers don't 5992 * support more than one connection attempt at the time, we 5993 * don't consider this an error case. 5994 */ 5995 break; 5996 default: 5997 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5998 return NULL; 5999 } 6000 6001 return NULL; 6002 } 6003 process_adv_report(struct hci_dev * hdev,u8 type,bdaddr_t * bdaddr,u8 bdaddr_type,bdaddr_t * direct_addr,u8 direct_addr_type,s8 rssi,u8 * data,u8 len,bool ext_adv,bool ctl_time,u64 instant)6004 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 6005 u8 bdaddr_type, bdaddr_t *direct_addr, 6006 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 6007 bool ext_adv, bool ctl_time, u64 instant) 6008 { 6009 struct discovery_state *d = &hdev->discovery; 6010 struct smp_irk *irk; 6011 struct hci_conn *conn; 6012 bool match, bdaddr_resolved; 6013 u32 flags; 6014 u8 *ptr; 6015 6016 switch (type) { 6017 case LE_ADV_IND: 6018 case LE_ADV_DIRECT_IND: 6019 case LE_ADV_SCAN_IND: 6020 case LE_ADV_NONCONN_IND: 6021 case LE_ADV_SCAN_RSP: 6022 break; 6023 default: 6024 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 6025 "type: 0x%02x", type); 6026 return; 6027 } 6028 6029 if (len > max_adv_len(hdev)) { 6030 bt_dev_err_ratelimited(hdev, 6031 "adv larger than maximum supported"); 6032 return; 6033 } 6034 6035 /* Find the end of the data in case the report contains padded zero 6036 * bytes at the end causing an invalid length value. 6037 * 6038 * When data is NULL, len is 0 so there is no need for extra ptr 6039 * check as 'ptr < data + 0' is already false in such case. 6040 */ 6041 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 6042 if (ptr + 1 + *ptr > data + len) 6043 break; 6044 } 6045 6046 /* Adjust for actual length. This handles the case when remote 6047 * device is advertising with incorrect data length. 6048 */ 6049 len = ptr - data; 6050 6051 /* If the direct address is present, then this report is from 6052 * a LE Direct Advertising Report event. In that case it is 6053 * important to see if the address is matching the local 6054 * controller address. 6055 */ 6056 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) { 6057 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type, 6058 &bdaddr_resolved); 6059 6060 /* Only resolvable random addresses are valid for these 6061 * kind of reports and others can be ignored. 6062 */ 6063 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 6064 return; 6065 6066 /* If the controller is not using resolvable random 6067 * addresses, then this report can be ignored. 6068 */ 6069 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 6070 return; 6071 6072 /* If the local IRK of the controller does not match 6073 * with the resolvable random address provided, then 6074 * this report can be ignored. 6075 */ 6076 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 6077 return; 6078 } 6079 6080 /* Check if we need to convert to identity address */ 6081 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 6082 if (irk) { 6083 bdaddr = &irk->bdaddr; 6084 bdaddr_type = irk->addr_type; 6085 } 6086 6087 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved); 6088 6089 /* Check if we have been requested to connect to this device. 6090 * 6091 * direct_addr is set only for directed advertising reports (it is NULL 6092 * for advertising reports) and is already verified to be RPA above. 6093 */ 6094 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved, 6095 type); 6096 if (!ext_adv && conn && type == LE_ADV_IND && 6097 len <= max_adv_len(hdev)) { 6098 /* Store report for later inclusion by 6099 * mgmt_device_connected 6100 */ 6101 memcpy(conn->le_adv_data, data, len); 6102 conn->le_adv_data_len = len; 6103 } 6104 6105 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 6106 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 6107 else 6108 flags = 0; 6109 6110 /* All scan results should be sent up for Mesh systems */ 6111 if (hci_dev_test_flag(hdev, HCI_MESH)) { 6112 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6113 rssi, flags, data, len, NULL, 0, instant); 6114 return; 6115 } 6116 6117 /* Passive scanning shouldn't trigger any device found events, 6118 * except for devices marked as CONN_REPORT for which we do send 6119 * device found events, or advertisement monitoring requested. 6120 */ 6121 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 6122 if (type == LE_ADV_DIRECT_IND) 6123 return; 6124 6125 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 6126 bdaddr, bdaddr_type) && 6127 idr_is_empty(&hdev->adv_monitors_idr)) 6128 return; 6129 6130 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6131 rssi, flags, data, len, NULL, 0, 0); 6132 return; 6133 } 6134 6135 /* When receiving a scan response, then there is no way to 6136 * know if the remote device is connectable or not. However 6137 * since scan responses are merged with a previously seen 6138 * advertising report, the flags field from that report 6139 * will be used. 6140 * 6141 * In the unlikely case that a controller just sends a scan 6142 * response event that doesn't match the pending report, then 6143 * it is marked as a standalone SCAN_RSP. 6144 */ 6145 if (type == LE_ADV_SCAN_RSP) 6146 flags = MGMT_DEV_FOUND_SCAN_RSP; 6147 6148 /* If there's nothing pending either store the data from this 6149 * event or send an immediate device found event if the data 6150 * should not be stored for later. 6151 */ 6152 if (!ext_adv && !has_pending_adv_report(hdev)) { 6153 /* If the report will trigger a SCAN_REQ store it for 6154 * later merging. 6155 */ 6156 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 6157 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6158 rssi, flags, data, len); 6159 return; 6160 } 6161 6162 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6163 rssi, flags, data, len, NULL, 0, 0); 6164 return; 6165 } 6166 6167 /* Check if the pending report is for the same device as the new one */ 6168 match = (!bacmp(bdaddr, &d->last_adv_addr) && 6169 bdaddr_type == d->last_adv_addr_type); 6170 6171 /* If the pending data doesn't match this report or this isn't a 6172 * scan response (e.g. we got a duplicate ADV_IND) then force 6173 * sending of the pending data. 6174 */ 6175 if (type != LE_ADV_SCAN_RSP || !match) { 6176 /* Send out whatever is in the cache, but skip duplicates */ 6177 if (!match) 6178 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6179 d->last_adv_addr_type, NULL, 6180 d->last_adv_rssi, d->last_adv_flags, 6181 d->last_adv_data, 6182 d->last_adv_data_len, NULL, 0, 0); 6183 6184 /* If the new report will trigger a SCAN_REQ store it for 6185 * later merging. 6186 */ 6187 if (!ext_adv && (type == LE_ADV_IND || 6188 type == LE_ADV_SCAN_IND)) { 6189 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6190 rssi, flags, data, len); 6191 return; 6192 } 6193 6194 /* The advertising reports cannot be merged, so clear 6195 * the pending report and send out a device found event. 6196 */ 6197 clear_pending_adv_report(hdev); 6198 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6199 rssi, flags, data, len, NULL, 0, 0); 6200 return; 6201 } 6202 6203 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 6204 * the new event is a SCAN_RSP. We can therefore proceed with 6205 * sending a merged device found event. 6206 */ 6207 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6208 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 6209 d->last_adv_data, d->last_adv_data_len, data, len, 0); 6210 clear_pending_adv_report(hdev); 6211 } 6212 hci_le_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6213 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data, 6214 struct sk_buff *skb) 6215 { 6216 struct hci_ev_le_advertising_report *ev = data; 6217 u64 instant = jiffies; 6218 6219 if (!ev->num) 6220 return; 6221 6222 hci_dev_lock(hdev); 6223 6224 while (ev->num--) { 6225 struct hci_ev_le_advertising_info *info; 6226 s8 rssi; 6227 6228 info = hci_le_ev_skb_pull(hdev, skb, 6229 HCI_EV_LE_ADVERTISING_REPORT, 6230 sizeof(*info)); 6231 if (!info) 6232 break; 6233 6234 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT, 6235 info->length + 1)) 6236 break; 6237 6238 if (info->length <= max_adv_len(hdev)) { 6239 rssi = info->data[info->length]; 6240 process_adv_report(hdev, info->type, &info->bdaddr, 6241 info->bdaddr_type, NULL, 0, rssi, 6242 info->data, info->length, false, 6243 false, instant); 6244 } else { 6245 bt_dev_err(hdev, "Dropping invalid advertising data"); 6246 } 6247 } 6248 6249 hci_dev_unlock(hdev); 6250 } 6251 ext_evt_type_to_legacy(struct hci_dev * hdev,u16 evt_type)6252 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 6253 { 6254 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 6255 switch (evt_type) { 6256 case LE_LEGACY_ADV_IND: 6257 return LE_ADV_IND; 6258 case LE_LEGACY_ADV_DIRECT_IND: 6259 return LE_ADV_DIRECT_IND; 6260 case LE_LEGACY_ADV_SCAN_IND: 6261 return LE_ADV_SCAN_IND; 6262 case LE_LEGACY_NONCONN_IND: 6263 return LE_ADV_NONCONN_IND; 6264 case LE_LEGACY_SCAN_RSP_ADV: 6265 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 6266 return LE_ADV_SCAN_RSP; 6267 } 6268 6269 goto invalid; 6270 } 6271 6272 if (evt_type & LE_EXT_ADV_CONN_IND) { 6273 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6274 return LE_ADV_DIRECT_IND; 6275 6276 return LE_ADV_IND; 6277 } 6278 6279 if (evt_type & LE_EXT_ADV_SCAN_RSP) 6280 return LE_ADV_SCAN_RSP; 6281 6282 if (evt_type & LE_EXT_ADV_SCAN_IND) 6283 return LE_ADV_SCAN_IND; 6284 6285 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 6286 evt_type & LE_EXT_ADV_DIRECT_IND) 6287 return LE_ADV_NONCONN_IND; 6288 6289 invalid: 6290 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 6291 evt_type); 6292 6293 return LE_ADV_INVALID; 6294 } 6295 hci_le_ext_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6296 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data, 6297 struct sk_buff *skb) 6298 { 6299 struct hci_ev_le_ext_adv_report *ev = data; 6300 u64 instant = jiffies; 6301 6302 if (!ev->num) 6303 return; 6304 6305 hci_dev_lock(hdev); 6306 6307 while (ev->num--) { 6308 struct hci_ev_le_ext_adv_info *info; 6309 u8 legacy_evt_type; 6310 u16 evt_type; 6311 6312 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6313 sizeof(*info)); 6314 if (!info) 6315 break; 6316 6317 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6318 info->length)) 6319 break; 6320 6321 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK; 6322 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 6323 if (legacy_evt_type != LE_ADV_INVALID) { 6324 process_adv_report(hdev, legacy_evt_type, &info->bdaddr, 6325 info->bdaddr_type, NULL, 0, 6326 info->rssi, info->data, info->length, 6327 !(evt_type & LE_EXT_ADV_LEGACY_PDU), 6328 false, instant); 6329 } 6330 } 6331 6332 hci_dev_unlock(hdev); 6333 } 6334 hci_le_pa_term_sync(struct hci_dev * hdev,__le16 handle)6335 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle) 6336 { 6337 struct hci_cp_le_pa_term_sync cp; 6338 6339 memset(&cp, 0, sizeof(cp)); 6340 cp.handle = handle; 6341 6342 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp); 6343 } 6344 hci_le_pa_sync_estabilished_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6345 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data, 6346 struct sk_buff *skb) 6347 { 6348 struct hci_ev_le_pa_sync_established *ev = data; 6349 int mask = hdev->link_mode; 6350 __u8 flags = 0; 6351 struct hci_conn *pa_sync; 6352 6353 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6354 6355 hci_dev_lock(hdev); 6356 6357 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6358 6359 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags); 6360 if (!(mask & HCI_LM_ACCEPT)) { 6361 hci_le_pa_term_sync(hdev, ev->handle); 6362 goto unlock; 6363 } 6364 6365 if (!(flags & HCI_PROTO_DEFER)) 6366 goto unlock; 6367 6368 if (ev->status) { 6369 /* Add connection to indicate the failed PA sync event */ 6370 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY, 6371 HCI_ROLE_SLAVE); 6372 6373 if (!pa_sync) 6374 goto unlock; 6375 6376 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags); 6377 6378 /* Notify iso layer */ 6379 hci_connect_cfm(pa_sync, ev->status); 6380 } 6381 6382 unlock: 6383 hci_dev_unlock(hdev); 6384 } 6385 hci_le_per_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6386 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data, 6387 struct sk_buff *skb) 6388 { 6389 struct hci_ev_le_per_adv_report *ev = data; 6390 int mask = hdev->link_mode; 6391 __u8 flags = 0; 6392 6393 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 6394 6395 hci_dev_lock(hdev); 6396 6397 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 6398 if (!(mask & HCI_LM_ACCEPT)) 6399 hci_le_pa_term_sync(hdev, ev->sync_handle); 6400 6401 hci_dev_unlock(hdev); 6402 } 6403 hci_le_remote_feat_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6404 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data, 6405 struct sk_buff *skb) 6406 { 6407 struct hci_ev_le_remote_feat_complete *ev = data; 6408 struct hci_conn *conn; 6409 6410 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6411 6412 hci_dev_lock(hdev); 6413 6414 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6415 if (conn) { 6416 if (!ev->status) 6417 memcpy(conn->features[0], ev->features, 8); 6418 6419 if (conn->state == BT_CONFIG) { 6420 __u8 status; 6421 6422 /* If the local controller supports peripheral-initiated 6423 * features exchange, but the remote controller does 6424 * not, then it is possible that the error code 0x1a 6425 * for unsupported remote feature gets returned. 6426 * 6427 * In this specific case, allow the connection to 6428 * transition into connected state and mark it as 6429 * successful. 6430 */ 6431 if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE && 6432 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 6433 status = 0x00; 6434 else 6435 status = ev->status; 6436 6437 conn->state = BT_CONNECTED; 6438 hci_connect_cfm(conn, status); 6439 hci_conn_drop(conn); 6440 } 6441 } 6442 6443 hci_dev_unlock(hdev); 6444 } 6445 hci_le_ltk_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6446 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data, 6447 struct sk_buff *skb) 6448 { 6449 struct hci_ev_le_ltk_req *ev = data; 6450 struct hci_cp_le_ltk_reply cp; 6451 struct hci_cp_le_ltk_neg_reply neg; 6452 struct hci_conn *conn; 6453 struct smp_ltk *ltk; 6454 6455 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6456 6457 hci_dev_lock(hdev); 6458 6459 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6460 if (conn == NULL) 6461 goto not_found; 6462 6463 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 6464 if (!ltk) 6465 goto not_found; 6466 6467 if (smp_ltk_is_sc(ltk)) { 6468 /* With SC both EDiv and Rand are set to zero */ 6469 if (ev->ediv || ev->rand) 6470 goto not_found; 6471 } else { 6472 /* For non-SC keys check that EDiv and Rand match */ 6473 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 6474 goto not_found; 6475 } 6476 6477 memcpy(cp.ltk, ltk->val, ltk->enc_size); 6478 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 6479 cp.handle = cpu_to_le16(conn->handle); 6480 6481 conn->pending_sec_level = smp_ltk_sec_level(ltk); 6482 6483 conn->enc_key_size = ltk->enc_size; 6484 6485 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 6486 6487 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 6488 * temporary key used to encrypt a connection following 6489 * pairing. It is used during the Encrypted Session Setup to 6490 * distribute the keys. Later, security can be re-established 6491 * using a distributed LTK. 6492 */ 6493 if (ltk->type == SMP_STK) { 6494 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6495 list_del_rcu(<k->list); 6496 kfree_rcu(ltk, rcu); 6497 } else { 6498 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6499 } 6500 6501 hci_dev_unlock(hdev); 6502 6503 return; 6504 6505 not_found: 6506 neg.handle = ev->handle; 6507 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 6508 hci_dev_unlock(hdev); 6509 } 6510 send_conn_param_neg_reply(struct hci_dev * hdev,u16 handle,u8 reason)6511 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 6512 u8 reason) 6513 { 6514 struct hci_cp_le_conn_param_req_neg_reply cp; 6515 6516 cp.handle = cpu_to_le16(handle); 6517 cp.reason = reason; 6518 6519 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 6520 &cp); 6521 } 6522 hci_le_remote_conn_param_req_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6523 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, 6524 struct sk_buff *skb) 6525 { 6526 struct hci_ev_le_remote_conn_param_req *ev = data; 6527 struct hci_cp_le_conn_param_req_reply cp; 6528 struct hci_conn *hcon; 6529 u16 handle, min, max, latency, timeout; 6530 6531 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6532 6533 handle = le16_to_cpu(ev->handle); 6534 min = le16_to_cpu(ev->interval_min); 6535 max = le16_to_cpu(ev->interval_max); 6536 latency = le16_to_cpu(ev->latency); 6537 timeout = le16_to_cpu(ev->timeout); 6538 6539 hcon = hci_conn_hash_lookup_handle(hdev, handle); 6540 if (!hcon || hcon->state != BT_CONNECTED) 6541 return send_conn_param_neg_reply(hdev, handle, 6542 HCI_ERROR_UNKNOWN_CONN_ID); 6543 6544 if (max > hcon->le_conn_max_interval) 6545 return send_conn_param_neg_reply(hdev, handle, 6546 HCI_ERROR_INVALID_LL_PARAMS); 6547 6548 if (hci_check_conn_params(min, max, latency, timeout)) 6549 return send_conn_param_neg_reply(hdev, handle, 6550 HCI_ERROR_INVALID_LL_PARAMS); 6551 6552 if (hcon->role == HCI_ROLE_MASTER) { 6553 struct hci_conn_params *params; 6554 u8 store_hint; 6555 6556 hci_dev_lock(hdev); 6557 6558 params = hci_conn_params_lookup(hdev, &hcon->dst, 6559 hcon->dst_type); 6560 if (params) { 6561 params->conn_min_interval = min; 6562 params->conn_max_interval = max; 6563 params->conn_latency = latency; 6564 params->supervision_timeout = timeout; 6565 store_hint = 0x01; 6566 } else { 6567 store_hint = 0x00; 6568 } 6569 6570 hci_dev_unlock(hdev); 6571 6572 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 6573 store_hint, min, max, latency, timeout); 6574 } 6575 6576 cp.handle = ev->handle; 6577 cp.interval_min = ev->interval_min; 6578 cp.interval_max = ev->interval_max; 6579 cp.latency = ev->latency; 6580 cp.timeout = ev->timeout; 6581 cp.min_ce_len = 0; 6582 cp.max_ce_len = 0; 6583 6584 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 6585 } 6586 hci_le_direct_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6587 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, 6588 struct sk_buff *skb) 6589 { 6590 struct hci_ev_le_direct_adv_report *ev = data; 6591 u64 instant = jiffies; 6592 int i; 6593 6594 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT, 6595 flex_array_size(ev, info, ev->num))) 6596 return; 6597 6598 if (!ev->num) 6599 return; 6600 6601 hci_dev_lock(hdev); 6602 6603 for (i = 0; i < ev->num; i++) { 6604 struct hci_ev_le_direct_adv_info *info = &ev->info[i]; 6605 6606 process_adv_report(hdev, info->type, &info->bdaddr, 6607 info->bdaddr_type, &info->direct_addr, 6608 info->direct_addr_type, info->rssi, NULL, 0, 6609 false, false, instant); 6610 } 6611 6612 hci_dev_unlock(hdev); 6613 } 6614 hci_le_phy_update_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6615 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data, 6616 struct sk_buff *skb) 6617 { 6618 struct hci_ev_le_phy_update_complete *ev = data; 6619 struct hci_conn *conn; 6620 6621 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6622 6623 if (ev->status) 6624 return; 6625 6626 hci_dev_lock(hdev); 6627 6628 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6629 if (!conn) 6630 goto unlock; 6631 6632 conn->le_tx_phy = ev->tx_phy; 6633 conn->le_rx_phy = ev->rx_phy; 6634 6635 unlock: 6636 hci_dev_unlock(hdev); 6637 } 6638 hci_le_cis_estabilished_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6639 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data, 6640 struct sk_buff *skb) 6641 { 6642 struct hci_evt_le_cis_established *ev = data; 6643 struct hci_conn *conn; 6644 struct bt_iso_qos *qos; 6645 bool pending = false; 6646 u16 handle = __le16_to_cpu(ev->handle); 6647 u32 c_sdu_interval, p_sdu_interval; 6648 6649 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6650 6651 hci_dev_lock(hdev); 6652 6653 conn = hci_conn_hash_lookup_handle(hdev, handle); 6654 if (!conn) { 6655 bt_dev_err(hdev, 6656 "Unable to find connection with handle 0x%4.4x", 6657 handle); 6658 goto unlock; 6659 } 6660 6661 if (conn->type != ISO_LINK) { 6662 bt_dev_err(hdev, 6663 "Invalid connection link type handle 0x%4.4x", 6664 handle); 6665 goto unlock; 6666 } 6667 6668 qos = &conn->iso_qos; 6669 6670 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags); 6671 6672 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G 6673 * page 3075: 6674 * Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) × 6675 * ISO_Interval + SDU_Interval_C_To_P 6676 * ... 6677 * SDU_Interval = (CIG_Sync_Delay + (FT) x ISO_Interval) - 6678 * Transport_Latency 6679 */ 6680 c_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) + 6681 (ev->c_ft * le16_to_cpu(ev->interval) * 1250)) - 6682 get_unaligned_le24(ev->c_latency); 6683 p_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) + 6684 (ev->p_ft * le16_to_cpu(ev->interval) * 1250)) - 6685 get_unaligned_le24(ev->p_latency); 6686 6687 switch (conn->role) { 6688 case HCI_ROLE_SLAVE: 6689 qos->ucast.in.interval = c_sdu_interval; 6690 qos->ucast.out.interval = p_sdu_interval; 6691 /* Convert Transport Latency (us) to Latency (msec) */ 6692 qos->ucast.in.latency = 6693 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6694 1000); 6695 qos->ucast.out.latency = 6696 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6697 1000); 6698 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu); 6699 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu); 6700 qos->ucast.in.phy = ev->c_phy; 6701 qos->ucast.out.phy = ev->p_phy; 6702 break; 6703 case HCI_ROLE_MASTER: 6704 qos->ucast.in.interval = p_sdu_interval; 6705 qos->ucast.out.interval = c_sdu_interval; 6706 /* Convert Transport Latency (us) to Latency (msec) */ 6707 qos->ucast.out.latency = 6708 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6709 1000); 6710 qos->ucast.in.latency = 6711 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6712 1000); 6713 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu); 6714 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu); 6715 qos->ucast.out.phy = ev->c_phy; 6716 qos->ucast.in.phy = ev->p_phy; 6717 break; 6718 } 6719 6720 if (!ev->status) { 6721 conn->state = BT_CONNECTED; 6722 hci_debugfs_create_conn(conn); 6723 hci_conn_add_sysfs(conn); 6724 hci_iso_setup_path(conn); 6725 goto unlock; 6726 } 6727 6728 conn->state = BT_CLOSED; 6729 hci_connect_cfm(conn, ev->status); 6730 hci_conn_del(conn); 6731 6732 unlock: 6733 if (pending) 6734 hci_le_create_cis_pending(hdev); 6735 6736 hci_dev_unlock(hdev); 6737 } 6738 hci_le_reject_cis(struct hci_dev * hdev,__le16 handle)6739 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle) 6740 { 6741 struct hci_cp_le_reject_cis cp; 6742 6743 memset(&cp, 0, sizeof(cp)); 6744 cp.handle = handle; 6745 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 6746 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); 6747 } 6748 hci_le_accept_cis(struct hci_dev * hdev,__le16 handle)6749 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle) 6750 { 6751 struct hci_cp_le_accept_cis cp; 6752 6753 memset(&cp, 0, sizeof(cp)); 6754 cp.handle = handle; 6755 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 6756 } 6757 hci_le_cis_req_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6758 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, 6759 struct sk_buff *skb) 6760 { 6761 struct hci_evt_le_cis_req *ev = data; 6762 u16 acl_handle, cis_handle; 6763 struct hci_conn *acl, *cis; 6764 int mask; 6765 __u8 flags = 0; 6766 6767 acl_handle = __le16_to_cpu(ev->acl_handle); 6768 cis_handle = __le16_to_cpu(ev->cis_handle); 6769 6770 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x", 6771 acl_handle, cis_handle, ev->cig_id, ev->cis_id); 6772 6773 hci_dev_lock(hdev); 6774 6775 acl = hci_conn_hash_lookup_handle(hdev, acl_handle); 6776 if (!acl) 6777 goto unlock; 6778 6779 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags); 6780 if (!(mask & HCI_LM_ACCEPT)) { 6781 hci_le_reject_cis(hdev, ev->cis_handle); 6782 goto unlock; 6783 } 6784 6785 cis = hci_conn_hash_lookup_handle(hdev, cis_handle); 6786 if (!cis) { 6787 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE, 6788 cis_handle); 6789 if (IS_ERR(cis)) { 6790 hci_le_reject_cis(hdev, ev->cis_handle); 6791 goto unlock; 6792 } 6793 } 6794 6795 cis->iso_qos.ucast.cig = ev->cig_id; 6796 cis->iso_qos.ucast.cis = ev->cis_id; 6797 6798 if (!(flags & HCI_PROTO_DEFER)) { 6799 hci_le_accept_cis(hdev, ev->cis_handle); 6800 } else { 6801 cis->state = BT_CONNECT2; 6802 hci_connect_cfm(cis, 0); 6803 } 6804 6805 unlock: 6806 hci_dev_unlock(hdev); 6807 } 6808 hci_iso_term_big_sync(struct hci_dev * hdev,void * data)6809 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data) 6810 { 6811 u8 handle = PTR_UINT(data); 6812 6813 return hci_le_terminate_big_sync(hdev, handle, 6814 HCI_ERROR_LOCAL_HOST_TERM); 6815 } 6816 hci_le_create_big_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6817 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, 6818 struct sk_buff *skb) 6819 { 6820 struct hci_evt_le_create_big_complete *ev = data; 6821 struct hci_conn *conn; 6822 __u8 i = 0; 6823 6824 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 6825 6826 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE, 6827 flex_array_size(ev, bis_handle, ev->num_bis))) 6828 return; 6829 6830 hci_dev_lock(hdev); 6831 6832 /* Connect all BISes that are bound to the BIG */ 6833 while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle, 6834 BT_BOUND))) { 6835 if (ev->status) { 6836 hci_connect_cfm(conn, ev->status); 6837 hci_conn_del(conn); 6838 continue; 6839 } 6840 6841 if (hci_conn_set_handle(conn, 6842 __le16_to_cpu(ev->bis_handle[i++]))) 6843 continue; 6844 6845 conn->state = BT_CONNECTED; 6846 set_bit(HCI_CONN_BIG_CREATED, &conn->flags); 6847 hci_debugfs_create_conn(conn); 6848 hci_conn_add_sysfs(conn); 6849 hci_iso_setup_path(conn); 6850 } 6851 6852 if (!ev->status && !i) 6853 /* If no BISes have been connected for the BIG, 6854 * terminate. This is in case all bound connections 6855 * have been closed before the BIG creation 6856 * has completed. 6857 */ 6858 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync, 6859 UINT_PTR(ev->handle), NULL); 6860 6861 hci_dev_unlock(hdev); 6862 } 6863 hci_le_big_sync_established_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6864 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, 6865 struct sk_buff *skb) 6866 { 6867 struct hci_evt_le_big_sync_estabilished *ev = data; 6868 struct hci_conn *bis; 6869 struct hci_conn *pa_sync; 6870 int i; 6871 6872 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6873 6874 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 6875 flex_array_size(ev, bis, ev->num_bis))) 6876 return; 6877 6878 hci_dev_lock(hdev); 6879 6880 if (!ev->status) { 6881 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle); 6882 if (pa_sync) 6883 /* Also mark the BIG sync established event on the 6884 * associated PA sync hcon 6885 */ 6886 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags); 6887 } 6888 6889 for (i = 0; i < ev->num_bis; i++) { 6890 u16 handle = le16_to_cpu(ev->bis[i]); 6891 __le32 interval; 6892 6893 bis = hci_conn_hash_lookup_handle(hdev, handle); 6894 if (!bis) { 6895 if (handle > HCI_CONN_HANDLE_MAX) { 6896 bt_dev_dbg(hdev, "ignore too large handle %u", handle); 6897 continue; 6898 } 6899 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY, 6900 HCI_ROLE_SLAVE, handle); 6901 if (IS_ERR(bis)) 6902 continue; 6903 } 6904 6905 if (ev->status != 0x42) 6906 /* Mark PA sync as established */ 6907 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 6908 6909 bis->iso_qos.bcast.big = ev->handle; 6910 memset(&interval, 0, sizeof(interval)); 6911 memcpy(&interval, ev->latency, sizeof(ev->latency)); 6912 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval); 6913 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */ 6914 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100; 6915 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); 6916 6917 if (!ev->status) { 6918 set_bit(HCI_CONN_BIG_SYNC, &bis->flags); 6919 hci_iso_setup_path(bis); 6920 } 6921 } 6922 6923 /* In case BIG sync failed, notify each failed connection to 6924 * the user after all hci connections have been added 6925 */ 6926 if (ev->status) 6927 for (i = 0; i < ev->num_bis; i++) { 6928 u16 handle = le16_to_cpu(ev->bis[i]); 6929 6930 bis = hci_conn_hash_lookup_handle(hdev, handle); 6931 if (!bis) 6932 continue; 6933 6934 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); 6935 hci_connect_cfm(bis, ev->status); 6936 } 6937 6938 hci_dev_unlock(hdev); 6939 } 6940 hci_le_big_info_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6941 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data, 6942 struct sk_buff *skb) 6943 { 6944 struct hci_evt_le_big_info_adv_report *ev = data; 6945 int mask = hdev->link_mode; 6946 __u8 flags = 0; 6947 struct hci_conn *pa_sync; 6948 6949 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 6950 6951 hci_dev_lock(hdev); 6952 6953 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 6954 if (!(mask & HCI_LM_ACCEPT)) { 6955 hci_le_pa_term_sync(hdev, ev->sync_handle); 6956 goto unlock; 6957 } 6958 6959 if (!(flags & HCI_PROTO_DEFER)) 6960 goto unlock; 6961 6962 pa_sync = hci_conn_hash_lookup_pa_sync_handle 6963 (hdev, 6964 le16_to_cpu(ev->sync_handle)); 6965 6966 if (pa_sync) 6967 goto unlock; 6968 6969 /* Add connection to indicate the PA sync event */ 6970 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY, 6971 HCI_ROLE_SLAVE); 6972 6973 if (IS_ERR(pa_sync)) 6974 goto unlock; 6975 6976 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle); 6977 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags); 6978 6979 /* Notify iso layer */ 6980 hci_connect_cfm(pa_sync, 0x00); 6981 6982 /* Notify MGMT layer */ 6983 mgmt_device_connected(hdev, pa_sync, NULL, 0); 6984 6985 unlock: 6986 hci_dev_unlock(hdev); 6987 } 6988 6989 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \ 6990 [_op] = { \ 6991 .func = _func, \ 6992 .min_len = _min_len, \ 6993 .max_len = _max_len, \ 6994 } 6995 6996 #define HCI_LE_EV(_op, _func, _len) \ 6997 HCI_LE_EV_VL(_op, _func, _len, _len) 6998 6999 #define HCI_LE_EV_STATUS(_op, _func) \ 7000 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status)) 7001 7002 /* Entries in this table shall have their position according to the subevent 7003 * opcode they handle so the use of the macros above is recommend since it does 7004 * attempt to initialize at its proper index using Designated Initializers that 7005 * way events without a callback function can be ommited. 7006 */ 7007 static const struct hci_le_ev { 7008 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 7009 u16 min_len; 7010 u16 max_len; 7011 } hci_le_ev_table[U8_MAX + 1] = { 7012 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */ 7013 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt, 7014 sizeof(struct hci_ev_le_conn_complete)), 7015 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */ 7016 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt, 7017 sizeof(struct hci_ev_le_advertising_report), 7018 HCI_MAX_EVENT_SIZE), 7019 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */ 7020 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE, 7021 hci_le_conn_update_complete_evt, 7022 sizeof(struct hci_ev_le_conn_update_complete)), 7023 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */ 7024 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE, 7025 hci_le_remote_feat_complete_evt, 7026 sizeof(struct hci_ev_le_remote_feat_complete)), 7027 /* [0x05 = HCI_EV_LE_LTK_REQ] */ 7028 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt, 7029 sizeof(struct hci_ev_le_ltk_req)), 7030 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */ 7031 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ, 7032 hci_le_remote_conn_param_req_evt, 7033 sizeof(struct hci_ev_le_remote_conn_param_req)), 7034 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */ 7035 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE, 7036 hci_le_enh_conn_complete_evt, 7037 sizeof(struct hci_ev_le_enh_conn_complete)), 7038 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */ 7039 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt, 7040 sizeof(struct hci_ev_le_direct_adv_report), 7041 HCI_MAX_EVENT_SIZE), 7042 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */ 7043 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt, 7044 sizeof(struct hci_ev_le_phy_update_complete)), 7045 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */ 7046 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt, 7047 sizeof(struct hci_ev_le_ext_adv_report), 7048 HCI_MAX_EVENT_SIZE), 7049 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */ 7050 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED, 7051 hci_le_pa_sync_estabilished_evt, 7052 sizeof(struct hci_ev_le_pa_sync_established)), 7053 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */ 7054 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT, 7055 hci_le_per_adv_report_evt, 7056 sizeof(struct hci_ev_le_per_adv_report), 7057 HCI_MAX_EVENT_SIZE), 7058 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */ 7059 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt, 7060 sizeof(struct hci_evt_le_ext_adv_set_term)), 7061 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */ 7062 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt, 7063 sizeof(struct hci_evt_le_cis_established)), 7064 /* [0x1a = HCI_EVT_LE_CIS_REQ] */ 7065 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt, 7066 sizeof(struct hci_evt_le_cis_req)), 7067 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */ 7068 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE, 7069 hci_le_create_big_complete_evt, 7070 sizeof(struct hci_evt_le_create_big_complete), 7071 HCI_MAX_EVENT_SIZE), 7072 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */ 7073 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 7074 hci_le_big_sync_established_evt, 7075 sizeof(struct hci_evt_le_big_sync_estabilished), 7076 HCI_MAX_EVENT_SIZE), 7077 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */ 7078 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT, 7079 hci_le_big_info_adv_report_evt, 7080 sizeof(struct hci_evt_le_big_info_adv_report), 7081 HCI_MAX_EVENT_SIZE), 7082 }; 7083 hci_le_meta_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)7084 static void hci_le_meta_evt(struct hci_dev *hdev, void *data, 7085 struct sk_buff *skb, u16 *opcode, u8 *status, 7086 hci_req_complete_t *req_complete, 7087 hci_req_complete_skb_t *req_complete_skb) 7088 { 7089 struct hci_ev_le_meta *ev = data; 7090 const struct hci_le_ev *subev; 7091 7092 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent); 7093 7094 /* Only match event if command OGF is for LE */ 7095 if (hdev->req_skb && 7096 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 && 7097 hci_skb_event(hdev->req_skb) == ev->subevent) { 7098 *opcode = hci_skb_opcode(hdev->req_skb); 7099 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete, 7100 req_complete_skb); 7101 } 7102 7103 subev = &hci_le_ev_table[ev->subevent]; 7104 if (!subev->func) 7105 return; 7106 7107 if (skb->len < subev->min_len) { 7108 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u", 7109 ev->subevent, skb->len, subev->min_len); 7110 return; 7111 } 7112 7113 /* Just warn if the length is over max_len size it still be 7114 * possible to partially parse the event so leave to callback to 7115 * decide if that is acceptable. 7116 */ 7117 if (skb->len > subev->max_len) 7118 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u", 7119 ev->subevent, skb->len, subev->max_len); 7120 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len); 7121 if (!data) 7122 return; 7123 7124 subev->func(hdev, data, skb); 7125 } 7126 hci_get_cmd_complete(struct hci_dev * hdev,u16 opcode,u8 event,struct sk_buff * skb)7127 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 7128 u8 event, struct sk_buff *skb) 7129 { 7130 struct hci_ev_cmd_complete *ev; 7131 struct hci_event_hdr *hdr; 7132 7133 if (!skb) 7134 return false; 7135 7136 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr)); 7137 if (!hdr) 7138 return false; 7139 7140 if (event) { 7141 if (hdr->evt != event) 7142 return false; 7143 return true; 7144 } 7145 7146 /* Check if request ended in Command Status - no way to retrieve 7147 * any extra parameters in this case. 7148 */ 7149 if (hdr->evt == HCI_EV_CMD_STATUS) 7150 return false; 7151 7152 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 7153 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 7154 hdr->evt); 7155 return false; 7156 } 7157 7158 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev)); 7159 if (!ev) 7160 return false; 7161 7162 if (opcode != __le16_to_cpu(ev->opcode)) { 7163 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 7164 __le16_to_cpu(ev->opcode)); 7165 return false; 7166 } 7167 7168 return true; 7169 } 7170 hci_store_wake_reason(struct hci_dev * hdev,u8 event,struct sk_buff * skb)7171 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 7172 struct sk_buff *skb) 7173 { 7174 struct hci_ev_le_advertising_info *adv; 7175 struct hci_ev_le_direct_adv_info *direct_adv; 7176 struct hci_ev_le_ext_adv_info *ext_adv; 7177 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; 7178 const struct hci_ev_conn_request *conn_request = (void *)skb->data; 7179 7180 hci_dev_lock(hdev); 7181 7182 /* If we are currently suspended and this is the first BT event seen, 7183 * save the wake reason associated with the event. 7184 */ 7185 if (!hdev->suspended || hdev->wake_reason) 7186 goto unlock; 7187 7188 /* Default to remote wake. Values for wake_reason are documented in the 7189 * Bluez mgmt api docs. 7190 */ 7191 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 7192 7193 /* Once configured for remote wakeup, we should only wake up for 7194 * reconnections. It's useful to see which device is waking us up so 7195 * keep track of the bdaddr of the connection event that woke us up. 7196 */ 7197 if (event == HCI_EV_CONN_REQUEST) { 7198 bacpy(&hdev->wake_addr, &conn_request->bdaddr); 7199 hdev->wake_addr_type = BDADDR_BREDR; 7200 } else if (event == HCI_EV_CONN_COMPLETE) { 7201 bacpy(&hdev->wake_addr, &conn_complete->bdaddr); 7202 hdev->wake_addr_type = BDADDR_BREDR; 7203 } else if (event == HCI_EV_LE_META) { 7204 struct hci_ev_le_meta *le_ev = (void *)skb->data; 7205 u8 subevent = le_ev->subevent; 7206 u8 *ptr = &skb->data[sizeof(*le_ev)]; 7207 u8 num_reports = *ptr; 7208 7209 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT || 7210 subevent == HCI_EV_LE_DIRECT_ADV_REPORT || 7211 subevent == HCI_EV_LE_EXT_ADV_REPORT) && 7212 num_reports) { 7213 adv = (void *)(ptr + 1); 7214 direct_adv = (void *)(ptr + 1); 7215 ext_adv = (void *)(ptr + 1); 7216 7217 switch (subevent) { 7218 case HCI_EV_LE_ADVERTISING_REPORT: 7219 bacpy(&hdev->wake_addr, &adv->bdaddr); 7220 hdev->wake_addr_type = adv->bdaddr_type; 7221 break; 7222 case HCI_EV_LE_DIRECT_ADV_REPORT: 7223 bacpy(&hdev->wake_addr, &direct_adv->bdaddr); 7224 hdev->wake_addr_type = direct_adv->bdaddr_type; 7225 break; 7226 case HCI_EV_LE_EXT_ADV_REPORT: 7227 bacpy(&hdev->wake_addr, &ext_adv->bdaddr); 7228 hdev->wake_addr_type = ext_adv->bdaddr_type; 7229 break; 7230 } 7231 } 7232 } else { 7233 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 7234 } 7235 7236 unlock: 7237 hci_dev_unlock(hdev); 7238 } 7239 7240 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \ 7241 [_op] = { \ 7242 .req = false, \ 7243 .func = _func, \ 7244 .min_len = _min_len, \ 7245 .max_len = _max_len, \ 7246 } 7247 7248 #define HCI_EV(_op, _func, _len) \ 7249 HCI_EV_VL(_op, _func, _len, _len) 7250 7251 #define HCI_EV_STATUS(_op, _func) \ 7252 HCI_EV(_op, _func, sizeof(struct hci_ev_status)) 7253 7254 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \ 7255 [_op] = { \ 7256 .req = true, \ 7257 .func_req = _func, \ 7258 .min_len = _min_len, \ 7259 .max_len = _max_len, \ 7260 } 7261 7262 #define HCI_EV_REQ(_op, _func, _len) \ 7263 HCI_EV_REQ_VL(_op, _func, _len, _len) 7264 7265 /* Entries in this table shall have their position according to the event opcode 7266 * they handle so the use of the macros above is recommend since it does attempt 7267 * to initialize at its proper index using Designated Initializers that way 7268 * events without a callback function don't have entered. 7269 */ 7270 static const struct hci_ev { 7271 bool req; 7272 union { 7273 void (*func)(struct hci_dev *hdev, void *data, 7274 struct sk_buff *skb); 7275 void (*func_req)(struct hci_dev *hdev, void *data, 7276 struct sk_buff *skb, u16 *opcode, u8 *status, 7277 hci_req_complete_t *req_complete, 7278 hci_req_complete_skb_t *req_complete_skb); 7279 }; 7280 u16 min_len; 7281 u16 max_len; 7282 } hci_ev_table[U8_MAX + 1] = { 7283 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */ 7284 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt), 7285 /* [0x02 = HCI_EV_INQUIRY_RESULT] */ 7286 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt, 7287 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE), 7288 /* [0x03 = HCI_EV_CONN_COMPLETE] */ 7289 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt, 7290 sizeof(struct hci_ev_conn_complete)), 7291 /* [0x04 = HCI_EV_CONN_REQUEST] */ 7292 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt, 7293 sizeof(struct hci_ev_conn_request)), 7294 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */ 7295 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt, 7296 sizeof(struct hci_ev_disconn_complete)), 7297 /* [0x06 = HCI_EV_AUTH_COMPLETE] */ 7298 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt, 7299 sizeof(struct hci_ev_auth_complete)), 7300 /* [0x07 = HCI_EV_REMOTE_NAME] */ 7301 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt, 7302 sizeof(struct hci_ev_remote_name)), 7303 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */ 7304 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt, 7305 sizeof(struct hci_ev_encrypt_change)), 7306 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */ 7307 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE, 7308 hci_change_link_key_complete_evt, 7309 sizeof(struct hci_ev_change_link_key_complete)), 7310 /* [0x0b = HCI_EV_REMOTE_FEATURES] */ 7311 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt, 7312 sizeof(struct hci_ev_remote_features)), 7313 /* [0x0e = HCI_EV_CMD_COMPLETE] */ 7314 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt, 7315 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE), 7316 /* [0x0f = HCI_EV_CMD_STATUS] */ 7317 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt, 7318 sizeof(struct hci_ev_cmd_status)), 7319 /* [0x10 = HCI_EV_CMD_STATUS] */ 7320 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt, 7321 sizeof(struct hci_ev_hardware_error)), 7322 /* [0x12 = HCI_EV_ROLE_CHANGE] */ 7323 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt, 7324 sizeof(struct hci_ev_role_change)), 7325 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */ 7326 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt, 7327 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE), 7328 /* [0x14 = HCI_EV_MODE_CHANGE] */ 7329 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt, 7330 sizeof(struct hci_ev_mode_change)), 7331 /* [0x16 = HCI_EV_PIN_CODE_REQ] */ 7332 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt, 7333 sizeof(struct hci_ev_pin_code_req)), 7334 /* [0x17 = HCI_EV_LINK_KEY_REQ] */ 7335 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt, 7336 sizeof(struct hci_ev_link_key_req)), 7337 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */ 7338 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt, 7339 sizeof(struct hci_ev_link_key_notify)), 7340 /* [0x1c = HCI_EV_CLOCK_OFFSET] */ 7341 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt, 7342 sizeof(struct hci_ev_clock_offset)), 7343 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */ 7344 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt, 7345 sizeof(struct hci_ev_pkt_type_change)), 7346 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */ 7347 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt, 7348 sizeof(struct hci_ev_pscan_rep_mode)), 7349 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */ 7350 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI, 7351 hci_inquiry_result_with_rssi_evt, 7352 sizeof(struct hci_ev_inquiry_result_rssi), 7353 HCI_MAX_EVENT_SIZE), 7354 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */ 7355 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt, 7356 sizeof(struct hci_ev_remote_ext_features)), 7357 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */ 7358 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt, 7359 sizeof(struct hci_ev_sync_conn_complete)), 7360 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */ 7361 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT, 7362 hci_extended_inquiry_result_evt, 7363 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE), 7364 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */ 7365 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt, 7366 sizeof(struct hci_ev_key_refresh_complete)), 7367 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */ 7368 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt, 7369 sizeof(struct hci_ev_io_capa_request)), 7370 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */ 7371 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt, 7372 sizeof(struct hci_ev_io_capa_reply)), 7373 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */ 7374 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt, 7375 sizeof(struct hci_ev_user_confirm_req)), 7376 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */ 7377 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt, 7378 sizeof(struct hci_ev_user_passkey_req)), 7379 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */ 7380 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt, 7381 sizeof(struct hci_ev_remote_oob_data_request)), 7382 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */ 7383 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt, 7384 sizeof(struct hci_ev_simple_pair_complete)), 7385 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */ 7386 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt, 7387 sizeof(struct hci_ev_user_passkey_notify)), 7388 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */ 7389 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt, 7390 sizeof(struct hci_ev_keypress_notify)), 7391 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */ 7392 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt, 7393 sizeof(struct hci_ev_remote_host_features)), 7394 /* [0x3e = HCI_EV_LE_META] */ 7395 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt, 7396 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE), 7397 /* [0xff = HCI_EV_VENDOR] */ 7398 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE), 7399 }; 7400 hci_event_func(struct hci_dev * hdev,u8 event,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)7401 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb, 7402 u16 *opcode, u8 *status, 7403 hci_req_complete_t *req_complete, 7404 hci_req_complete_skb_t *req_complete_skb) 7405 { 7406 const struct hci_ev *ev = &hci_ev_table[event]; 7407 void *data; 7408 7409 if (!ev->func) 7410 return; 7411 7412 if (skb->len < ev->min_len) { 7413 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u", 7414 event, skb->len, ev->min_len); 7415 return; 7416 } 7417 7418 /* Just warn if the length is over max_len size it still be 7419 * possible to partially parse the event so leave to callback to 7420 * decide if that is acceptable. 7421 */ 7422 if (skb->len > ev->max_len) 7423 bt_dev_warn_ratelimited(hdev, 7424 "unexpected event 0x%2.2x length: %u > %u", 7425 event, skb->len, ev->max_len); 7426 7427 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len); 7428 if (!data) 7429 return; 7430 7431 if (ev->req) 7432 ev->func_req(hdev, data, skb, opcode, status, req_complete, 7433 req_complete_skb); 7434 else 7435 ev->func(hdev, data, skb); 7436 } 7437 hci_event_packet(struct hci_dev * hdev,struct sk_buff * skb)7438 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 7439 { 7440 struct hci_event_hdr *hdr = (void *) skb->data; 7441 hci_req_complete_t req_complete = NULL; 7442 hci_req_complete_skb_t req_complete_skb = NULL; 7443 struct sk_buff *orig_skb = NULL; 7444 u8 status = 0, event, req_evt = 0; 7445 u16 opcode = HCI_OP_NOP; 7446 7447 if (skb->len < sizeof(*hdr)) { 7448 bt_dev_err(hdev, "Malformed HCI Event"); 7449 goto done; 7450 } 7451 7452 kfree_skb(hdev->recv_event); 7453 hdev->recv_event = skb_clone(skb, GFP_KERNEL); 7454 7455 event = hdr->evt; 7456 if (!event) { 7457 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x", 7458 event); 7459 goto done; 7460 } 7461 7462 /* Only match event if command OGF is not for LE */ 7463 if (hdev->req_skb && 7464 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 && 7465 hci_skb_event(hdev->req_skb) == event) { 7466 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb), 7467 status, &req_complete, &req_complete_skb); 7468 req_evt = event; 7469 } 7470 7471 /* If it looks like we might end up having to call 7472 * req_complete_skb, store a pristine copy of the skb since the 7473 * various handlers may modify the original one through 7474 * skb_pull() calls, etc. 7475 */ 7476 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 7477 event == HCI_EV_CMD_COMPLETE) 7478 orig_skb = skb_clone(skb, GFP_KERNEL); 7479 7480 skb_pull(skb, HCI_EVENT_HDR_SIZE); 7481 7482 /* Store wake reason if we're suspended */ 7483 hci_store_wake_reason(hdev, event, skb); 7484 7485 bt_dev_dbg(hdev, "event 0x%2.2x", event); 7486 7487 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete, 7488 &req_complete_skb); 7489 7490 if (req_complete) { 7491 req_complete(hdev, status, opcode); 7492 } else if (req_complete_skb) { 7493 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 7494 kfree_skb(orig_skb); 7495 orig_skb = NULL; 7496 } 7497 req_complete_skb(hdev, status, opcode, orig_skb); 7498 } 7499 7500 done: 7501 kfree_skb(orig_skb); 7502 kfree_skb(skb); 7503 hdev->stat.evt_rx++; 7504 } 7505