1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 #include "msft.h" 39 #include "eir.h" 40 41 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 42 "\x00\x00\x00\x00\x00\x00\x00\x00" 43 44 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000) 45 46 /* Handle HCI Event packets */ 47 48 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 49 u8 ev, size_t len) 50 { 51 void *data; 52 53 data = skb_pull_data(skb, len); 54 if (!data) 55 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev); 56 57 return data; 58 } 59 60 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, 61 u8 *new_status) 62 { 63 __u8 status = *((__u8 *) skb->data); 64 65 BT_DBG("%s status 0x%2.2x", hdev->name, status); 66 67 /* It is possible that we receive Inquiry Complete event right 68 * before we receive Inquiry Cancel Command Complete event, in 69 * which case the latter event should have status of Command 70 * Disallowed (0x0c). This should not be treated as error, since 71 * we actually achieve what Inquiry Cancel wants to achieve, 72 * which is to end the last Inquiry session. 73 */ 74 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 75 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 76 status = 0x00; 77 } 78 79 *new_status = status; 80 81 if (status) 82 return; 83 84 clear_bit(HCI_INQUIRY, &hdev->flags); 85 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 86 wake_up_bit(&hdev->flags, HCI_INQUIRY); 87 88 hci_dev_lock(hdev); 89 /* Set discovery state to stopped if we're not doing LE active 90 * scanning. 91 */ 92 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 93 hdev->le_scan_type != LE_SCAN_ACTIVE) 94 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 95 hci_dev_unlock(hdev); 96 97 hci_conn_check_pending(hdev); 98 } 99 100 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 101 { 102 __u8 status = *((__u8 *) skb->data); 103 104 BT_DBG("%s status 0x%2.2x", hdev->name, status); 105 106 if (status) 107 return; 108 109 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 110 } 111 112 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 113 { 114 __u8 status = *((__u8 *) skb->data); 115 116 BT_DBG("%s status 0x%2.2x", hdev->name, status); 117 118 if (status) 119 return; 120 121 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 122 123 hci_conn_check_pending(hdev); 124 } 125 126 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 127 struct sk_buff *skb) 128 { 129 BT_DBG("%s", hdev->name); 130 } 131 132 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 133 { 134 struct hci_rp_role_discovery *rp = (void *) skb->data; 135 struct hci_conn *conn; 136 137 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 138 139 if (rp->status) 140 return; 141 142 hci_dev_lock(hdev); 143 144 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 145 if (conn) 146 conn->role = rp->role; 147 148 hci_dev_unlock(hdev); 149 } 150 151 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 152 { 153 struct hci_rp_read_link_policy *rp = (void *) skb->data; 154 struct hci_conn *conn; 155 156 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 157 158 if (rp->status) 159 return; 160 161 hci_dev_lock(hdev); 162 163 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 164 if (conn) 165 conn->link_policy = __le16_to_cpu(rp->policy); 166 167 hci_dev_unlock(hdev); 168 } 169 170 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 171 { 172 struct hci_rp_write_link_policy *rp = (void *) skb->data; 173 struct hci_conn *conn; 174 void *sent; 175 176 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 177 178 if (rp->status) 179 return; 180 181 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 182 if (!sent) 183 return; 184 185 hci_dev_lock(hdev); 186 187 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 188 if (conn) 189 conn->link_policy = get_unaligned_le16(sent + 2); 190 191 hci_dev_unlock(hdev); 192 } 193 194 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 195 struct sk_buff *skb) 196 { 197 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 198 199 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 200 201 if (rp->status) 202 return; 203 204 hdev->link_policy = __le16_to_cpu(rp->policy); 205 } 206 207 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 208 struct sk_buff *skb) 209 { 210 __u8 status = *((__u8 *) skb->data); 211 void *sent; 212 213 BT_DBG("%s status 0x%2.2x", hdev->name, status); 214 215 if (status) 216 return; 217 218 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 219 if (!sent) 220 return; 221 222 hdev->link_policy = get_unaligned_le16(sent); 223 } 224 225 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 226 { 227 __u8 status = *((__u8 *) skb->data); 228 229 BT_DBG("%s status 0x%2.2x", hdev->name, status); 230 231 clear_bit(HCI_RESET, &hdev->flags); 232 233 if (status) 234 return; 235 236 /* Reset all non-persistent flags */ 237 hci_dev_clear_volatile_flags(hdev); 238 239 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 240 241 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 242 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 243 244 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 245 hdev->adv_data_len = 0; 246 247 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 248 hdev->scan_rsp_data_len = 0; 249 250 hdev->le_scan_type = LE_SCAN_PASSIVE; 251 252 hdev->ssp_debug_mode = 0; 253 254 hci_bdaddr_list_clear(&hdev->le_accept_list); 255 hci_bdaddr_list_clear(&hdev->le_resolv_list); 256 } 257 258 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 259 struct sk_buff *skb) 260 { 261 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 262 struct hci_cp_read_stored_link_key *sent; 263 264 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 265 266 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 267 if (!sent) 268 return; 269 270 if (!rp->status && sent->read_all == 0x01) { 271 hdev->stored_max_keys = le16_to_cpu(rp->max_keys); 272 hdev->stored_num_keys = le16_to_cpu(rp->num_keys); 273 } 274 } 275 276 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 277 struct sk_buff *skb) 278 { 279 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 280 281 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 282 283 if (rp->status) 284 return; 285 286 if (rp->num_keys <= hdev->stored_num_keys) 287 hdev->stored_num_keys -= le16_to_cpu(rp->num_keys); 288 else 289 hdev->stored_num_keys = 0; 290 } 291 292 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 293 { 294 __u8 status = *((__u8 *) skb->data); 295 void *sent; 296 297 BT_DBG("%s status 0x%2.2x", hdev->name, status); 298 299 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 300 if (!sent) 301 return; 302 303 hci_dev_lock(hdev); 304 305 if (hci_dev_test_flag(hdev, HCI_MGMT)) 306 mgmt_set_local_name_complete(hdev, sent, status); 307 else if (!status) 308 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 309 310 hci_dev_unlock(hdev); 311 } 312 313 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 314 { 315 struct hci_rp_read_local_name *rp = (void *) skb->data; 316 317 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 318 319 if (rp->status) 320 return; 321 322 if (hci_dev_test_flag(hdev, HCI_SETUP) || 323 hci_dev_test_flag(hdev, HCI_CONFIG)) 324 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 325 } 326 327 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 328 { 329 __u8 status = *((__u8 *) skb->data); 330 void *sent; 331 332 BT_DBG("%s status 0x%2.2x", hdev->name, status); 333 334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 335 if (!sent) 336 return; 337 338 hci_dev_lock(hdev); 339 340 if (!status) { 341 __u8 param = *((__u8 *) sent); 342 343 if (param == AUTH_ENABLED) 344 set_bit(HCI_AUTH, &hdev->flags); 345 else 346 clear_bit(HCI_AUTH, &hdev->flags); 347 } 348 349 if (hci_dev_test_flag(hdev, HCI_MGMT)) 350 mgmt_auth_enable_complete(hdev, status); 351 352 hci_dev_unlock(hdev); 353 } 354 355 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 356 { 357 __u8 status = *((__u8 *) skb->data); 358 __u8 param; 359 void *sent; 360 361 BT_DBG("%s status 0x%2.2x", hdev->name, status); 362 363 if (status) 364 return; 365 366 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 367 if (!sent) 368 return; 369 370 param = *((__u8 *) sent); 371 372 if (param) 373 set_bit(HCI_ENCRYPT, &hdev->flags); 374 else 375 clear_bit(HCI_ENCRYPT, &hdev->flags); 376 } 377 378 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 379 { 380 __u8 status = *((__u8 *) skb->data); 381 __u8 param; 382 void *sent; 383 384 BT_DBG("%s status 0x%2.2x", hdev->name, status); 385 386 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 387 if (!sent) 388 return; 389 390 param = *((__u8 *) sent); 391 392 hci_dev_lock(hdev); 393 394 if (status) { 395 hdev->discov_timeout = 0; 396 goto done; 397 } 398 399 if (param & SCAN_INQUIRY) 400 set_bit(HCI_ISCAN, &hdev->flags); 401 else 402 clear_bit(HCI_ISCAN, &hdev->flags); 403 404 if (param & SCAN_PAGE) 405 set_bit(HCI_PSCAN, &hdev->flags); 406 else 407 clear_bit(HCI_PSCAN, &hdev->flags); 408 409 done: 410 hci_dev_unlock(hdev); 411 } 412 413 static void hci_cc_set_event_filter(struct hci_dev *hdev, struct sk_buff *skb) 414 { 415 __u8 status = *((__u8 *)skb->data); 416 struct hci_cp_set_event_filter *cp; 417 void *sent; 418 419 BT_DBG("%s status 0x%2.2x", hdev->name, status); 420 421 if (status) 422 return; 423 424 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT); 425 if (!sent) 426 return; 427 428 cp = (struct hci_cp_set_event_filter *)sent; 429 430 if (cp->flt_type == HCI_FLT_CLEAR_ALL) 431 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 432 else 433 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 434 } 435 436 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 437 { 438 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 439 440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 441 442 if (rp->status) 443 return; 444 445 memcpy(hdev->dev_class, rp->dev_class, 3); 446 447 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 448 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 449 } 450 451 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 452 { 453 __u8 status = *((__u8 *) skb->data); 454 void *sent; 455 456 BT_DBG("%s status 0x%2.2x", hdev->name, status); 457 458 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 459 if (!sent) 460 return; 461 462 hci_dev_lock(hdev); 463 464 if (status == 0) 465 memcpy(hdev->dev_class, sent, 3); 466 467 if (hci_dev_test_flag(hdev, HCI_MGMT)) 468 mgmt_set_class_of_dev_complete(hdev, sent, status); 469 470 hci_dev_unlock(hdev); 471 } 472 473 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 474 { 475 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 476 __u16 setting; 477 478 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 479 480 if (rp->status) 481 return; 482 483 setting = __le16_to_cpu(rp->voice_setting); 484 485 if (hdev->voice_setting == setting) 486 return; 487 488 hdev->voice_setting = setting; 489 490 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 491 492 if (hdev->notify) 493 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 494 } 495 496 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 497 struct sk_buff *skb) 498 { 499 __u8 status = *((__u8 *) skb->data); 500 __u16 setting; 501 void *sent; 502 503 BT_DBG("%s status 0x%2.2x", hdev->name, status); 504 505 if (status) 506 return; 507 508 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 509 if (!sent) 510 return; 511 512 setting = get_unaligned_le16(sent); 513 514 if (hdev->voice_setting == setting) 515 return; 516 517 hdev->voice_setting = setting; 518 519 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 520 521 if (hdev->notify) 522 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 523 } 524 525 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 526 struct sk_buff *skb) 527 { 528 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 529 530 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 531 532 if (rp->status) 533 return; 534 535 hdev->num_iac = rp->num_iac; 536 537 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 538 } 539 540 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 541 { 542 __u8 status = *((__u8 *) skb->data); 543 struct hci_cp_write_ssp_mode *sent; 544 545 BT_DBG("%s status 0x%2.2x", hdev->name, status); 546 547 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 548 if (!sent) 549 return; 550 551 hci_dev_lock(hdev); 552 553 if (!status) { 554 if (sent->mode) 555 hdev->features[1][0] |= LMP_HOST_SSP; 556 else 557 hdev->features[1][0] &= ~LMP_HOST_SSP; 558 } 559 560 if (!status) { 561 if (sent->mode) 562 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 563 else 564 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 565 } 566 567 hci_dev_unlock(hdev); 568 } 569 570 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 571 { 572 u8 status = *((u8 *) skb->data); 573 struct hci_cp_write_sc_support *sent; 574 575 BT_DBG("%s status 0x%2.2x", hdev->name, status); 576 577 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 578 if (!sent) 579 return; 580 581 hci_dev_lock(hdev); 582 583 if (!status) { 584 if (sent->support) 585 hdev->features[1][0] |= LMP_HOST_SC; 586 else 587 hdev->features[1][0] &= ~LMP_HOST_SC; 588 } 589 590 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 591 if (sent->support) 592 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 593 else 594 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 595 } 596 597 hci_dev_unlock(hdev); 598 } 599 600 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 601 { 602 struct hci_rp_read_local_version *rp = (void *) skb->data; 603 604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 605 606 if (rp->status) 607 return; 608 609 if (hci_dev_test_flag(hdev, HCI_SETUP) || 610 hci_dev_test_flag(hdev, HCI_CONFIG)) { 611 hdev->hci_ver = rp->hci_ver; 612 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 613 hdev->lmp_ver = rp->lmp_ver; 614 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 615 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 616 } 617 } 618 619 static void hci_cc_read_local_commands(struct hci_dev *hdev, 620 struct sk_buff *skb) 621 { 622 struct hci_rp_read_local_commands *rp = (void *) skb->data; 623 624 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 625 626 if (rp->status) 627 return; 628 629 if (hci_dev_test_flag(hdev, HCI_SETUP) || 630 hci_dev_test_flag(hdev, HCI_CONFIG)) 631 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 632 } 633 634 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, 635 struct sk_buff *skb) 636 { 637 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data; 638 struct hci_conn *conn; 639 640 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 641 642 if (rp->status) 643 return; 644 645 hci_dev_lock(hdev); 646 647 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 648 if (conn) 649 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 650 651 hci_dev_unlock(hdev); 652 } 653 654 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, 655 struct sk_buff *skb) 656 { 657 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data; 658 struct hci_conn *conn; 659 void *sent; 660 661 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 662 663 if (rp->status) 664 return; 665 666 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 667 if (!sent) 668 return; 669 670 hci_dev_lock(hdev); 671 672 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 673 if (conn) 674 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 675 676 hci_dev_unlock(hdev); 677 } 678 679 static void hci_cc_read_local_features(struct hci_dev *hdev, 680 struct sk_buff *skb) 681 { 682 struct hci_rp_read_local_features *rp = (void *) skb->data; 683 684 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 685 686 if (rp->status) 687 return; 688 689 memcpy(hdev->features, rp->features, 8); 690 691 /* Adjust default settings according to features 692 * supported by device. */ 693 694 if (hdev->features[0][0] & LMP_3SLOT) 695 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 696 697 if (hdev->features[0][0] & LMP_5SLOT) 698 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 699 700 if (hdev->features[0][1] & LMP_HV2) { 701 hdev->pkt_type |= (HCI_HV2); 702 hdev->esco_type |= (ESCO_HV2); 703 } 704 705 if (hdev->features[0][1] & LMP_HV3) { 706 hdev->pkt_type |= (HCI_HV3); 707 hdev->esco_type |= (ESCO_HV3); 708 } 709 710 if (lmp_esco_capable(hdev)) 711 hdev->esco_type |= (ESCO_EV3); 712 713 if (hdev->features[0][4] & LMP_EV4) 714 hdev->esco_type |= (ESCO_EV4); 715 716 if (hdev->features[0][4] & LMP_EV5) 717 hdev->esco_type |= (ESCO_EV5); 718 719 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 720 hdev->esco_type |= (ESCO_2EV3); 721 722 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 723 hdev->esco_type |= (ESCO_3EV3); 724 725 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 726 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 727 } 728 729 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 730 struct sk_buff *skb) 731 { 732 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 733 734 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 735 736 if (rp->status) 737 return; 738 739 if (hdev->max_page < rp->max_page) 740 hdev->max_page = rp->max_page; 741 742 if (rp->page < HCI_MAX_PAGES) 743 memcpy(hdev->features[rp->page], rp->features, 8); 744 } 745 746 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 747 struct sk_buff *skb) 748 { 749 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 750 751 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 752 753 if (rp->status) 754 return; 755 756 hdev->flow_ctl_mode = rp->mode; 757 } 758 759 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 760 { 761 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 762 763 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 764 765 if (rp->status) 766 return; 767 768 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 769 hdev->sco_mtu = rp->sco_mtu; 770 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 771 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 772 773 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 774 hdev->sco_mtu = 64; 775 hdev->sco_pkts = 8; 776 } 777 778 hdev->acl_cnt = hdev->acl_pkts; 779 hdev->sco_cnt = hdev->sco_pkts; 780 781 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 782 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 783 } 784 785 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 786 { 787 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 788 789 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 790 791 if (rp->status) 792 return; 793 794 if (test_bit(HCI_INIT, &hdev->flags)) 795 bacpy(&hdev->bdaddr, &rp->bdaddr); 796 797 if (hci_dev_test_flag(hdev, HCI_SETUP)) 798 bacpy(&hdev->setup_addr, &rp->bdaddr); 799 } 800 801 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev, 802 struct sk_buff *skb) 803 { 804 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data; 805 806 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 807 808 if (rp->status) 809 return; 810 811 if (hci_dev_test_flag(hdev, HCI_SETUP) || 812 hci_dev_test_flag(hdev, HCI_CONFIG)) { 813 hdev->pairing_opts = rp->pairing_opts; 814 hdev->max_enc_key_size = rp->max_key_size; 815 } 816 } 817 818 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 819 struct sk_buff *skb) 820 { 821 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 822 823 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 824 825 if (rp->status) 826 return; 827 828 if (test_bit(HCI_INIT, &hdev->flags)) { 829 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 830 hdev->page_scan_window = __le16_to_cpu(rp->window); 831 } 832 } 833 834 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 835 struct sk_buff *skb) 836 { 837 u8 status = *((u8 *) skb->data); 838 struct hci_cp_write_page_scan_activity *sent; 839 840 BT_DBG("%s status 0x%2.2x", hdev->name, status); 841 842 if (status) 843 return; 844 845 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 846 if (!sent) 847 return; 848 849 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 850 hdev->page_scan_window = __le16_to_cpu(sent->window); 851 } 852 853 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 854 struct sk_buff *skb) 855 { 856 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 857 858 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 859 860 if (rp->status) 861 return; 862 863 if (test_bit(HCI_INIT, &hdev->flags)) 864 hdev->page_scan_type = rp->type; 865 } 866 867 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 868 struct sk_buff *skb) 869 { 870 u8 status = *((u8 *) skb->data); 871 u8 *type; 872 873 BT_DBG("%s status 0x%2.2x", hdev->name, status); 874 875 if (status) 876 return; 877 878 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 879 if (type) 880 hdev->page_scan_type = *type; 881 } 882 883 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 884 struct sk_buff *skb) 885 { 886 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 887 888 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 889 890 if (rp->status) 891 return; 892 893 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 894 hdev->block_len = __le16_to_cpu(rp->block_len); 895 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 896 897 hdev->block_cnt = hdev->num_blocks; 898 899 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 900 hdev->block_cnt, hdev->block_len); 901 } 902 903 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 904 { 905 struct hci_rp_read_clock *rp = (void *) skb->data; 906 struct hci_cp_read_clock *cp; 907 struct hci_conn *conn; 908 909 BT_DBG("%s", hdev->name); 910 911 if (skb->len < sizeof(*rp)) 912 return; 913 914 if (rp->status) 915 return; 916 917 hci_dev_lock(hdev); 918 919 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 920 if (!cp) 921 goto unlock; 922 923 if (cp->which == 0x00) { 924 hdev->clock = le32_to_cpu(rp->clock); 925 goto unlock; 926 } 927 928 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 929 if (conn) { 930 conn->clock = le32_to_cpu(rp->clock); 931 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 932 } 933 934 unlock: 935 hci_dev_unlock(hdev); 936 } 937 938 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 939 struct sk_buff *skb) 940 { 941 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 942 943 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 944 945 if (rp->status) 946 return; 947 948 hdev->amp_status = rp->amp_status; 949 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 950 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 951 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 952 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 953 hdev->amp_type = rp->amp_type; 954 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 955 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 956 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 957 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 958 } 959 960 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 961 struct sk_buff *skb) 962 { 963 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 964 965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 966 967 if (rp->status) 968 return; 969 970 hdev->inq_tx_power = rp->tx_power; 971 } 972 973 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, 974 struct sk_buff *skb) 975 { 976 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data; 977 978 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 979 980 if (rp->status) 981 return; 982 983 hdev->err_data_reporting = rp->err_data_reporting; 984 } 985 986 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, 987 struct sk_buff *skb) 988 { 989 __u8 status = *((__u8 *)skb->data); 990 struct hci_cp_write_def_err_data_reporting *cp; 991 992 BT_DBG("%s status 0x%2.2x", hdev->name, status); 993 994 if (status) 995 return; 996 997 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 998 if (!cp) 999 return; 1000 1001 hdev->err_data_reporting = cp->err_data_reporting; 1002 } 1003 1004 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 1005 { 1006 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 1007 struct hci_cp_pin_code_reply *cp; 1008 struct hci_conn *conn; 1009 1010 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1011 1012 hci_dev_lock(hdev); 1013 1014 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1015 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 1016 1017 if (rp->status) 1018 goto unlock; 1019 1020 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 1021 if (!cp) 1022 goto unlock; 1023 1024 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1025 if (conn) 1026 conn->pin_length = cp->pin_len; 1027 1028 unlock: 1029 hci_dev_unlock(hdev); 1030 } 1031 1032 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 1033 { 1034 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 1035 1036 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1037 1038 hci_dev_lock(hdev); 1039 1040 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1041 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1042 rp->status); 1043 1044 hci_dev_unlock(hdev); 1045 } 1046 1047 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 1048 struct sk_buff *skb) 1049 { 1050 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 1051 1052 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1053 1054 if (rp->status) 1055 return; 1056 1057 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1058 hdev->le_pkts = rp->le_max_pkt; 1059 1060 hdev->le_cnt = hdev->le_pkts; 1061 1062 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1063 } 1064 1065 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 1066 struct sk_buff *skb) 1067 { 1068 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 1069 1070 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1071 1072 if (rp->status) 1073 return; 1074 1075 memcpy(hdev->le_features, rp->features, 8); 1076 } 1077 1078 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 1079 struct sk_buff *skb) 1080 { 1081 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 1082 1083 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1084 1085 if (rp->status) 1086 return; 1087 1088 hdev->adv_tx_power = rp->tx_power; 1089 } 1090 1091 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 1092 { 1093 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1094 1095 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1096 1097 hci_dev_lock(hdev); 1098 1099 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1100 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1101 rp->status); 1102 1103 hci_dev_unlock(hdev); 1104 } 1105 1106 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 1107 struct sk_buff *skb) 1108 { 1109 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1110 1111 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1112 1113 hci_dev_lock(hdev); 1114 1115 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1116 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1117 ACL_LINK, 0, rp->status); 1118 1119 hci_dev_unlock(hdev); 1120 } 1121 1122 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 1123 { 1124 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1125 1126 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1127 1128 hci_dev_lock(hdev); 1129 1130 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1131 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1132 0, rp->status); 1133 1134 hci_dev_unlock(hdev); 1135 } 1136 1137 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 1138 struct sk_buff *skb) 1139 { 1140 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1141 1142 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1143 1144 hci_dev_lock(hdev); 1145 1146 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1147 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1148 ACL_LINK, 0, rp->status); 1149 1150 hci_dev_unlock(hdev); 1151 } 1152 1153 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1154 struct sk_buff *skb) 1155 { 1156 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1157 1158 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1159 } 1160 1161 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1162 struct sk_buff *skb) 1163 { 1164 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1165 1166 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1167 } 1168 1169 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1170 { 1171 __u8 status = *((__u8 *) skb->data); 1172 bdaddr_t *sent; 1173 1174 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1175 1176 if (status) 1177 return; 1178 1179 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1180 if (!sent) 1181 return; 1182 1183 hci_dev_lock(hdev); 1184 1185 bacpy(&hdev->random_addr, sent); 1186 1187 if (!bacmp(&hdev->rpa, sent)) { 1188 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED); 1189 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, 1190 secs_to_jiffies(hdev->rpa_timeout)); 1191 } 1192 1193 hci_dev_unlock(hdev); 1194 } 1195 1196 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb) 1197 { 1198 __u8 status = *((__u8 *) skb->data); 1199 struct hci_cp_le_set_default_phy *cp; 1200 1201 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1202 1203 if (status) 1204 return; 1205 1206 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1207 if (!cp) 1208 return; 1209 1210 hci_dev_lock(hdev); 1211 1212 hdev->le_tx_def_phys = cp->tx_phys; 1213 hdev->le_rx_def_phys = cp->rx_phys; 1214 1215 hci_dev_unlock(hdev); 1216 } 1217 1218 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, 1219 struct sk_buff *skb) 1220 { 1221 __u8 status = *((__u8 *) skb->data); 1222 struct hci_cp_le_set_adv_set_rand_addr *cp; 1223 struct adv_info *adv; 1224 1225 if (status) 1226 return; 1227 1228 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1229 /* Update only in case the adv instance since handle 0x00 shall be using 1230 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and 1231 * non-extended adverting. 1232 */ 1233 if (!cp || !cp->handle) 1234 return; 1235 1236 hci_dev_lock(hdev); 1237 1238 adv = hci_find_adv_instance(hdev, cp->handle); 1239 if (adv) { 1240 bacpy(&adv->random_addr, &cp->bdaddr); 1241 if (!bacmp(&hdev->rpa, &cp->bdaddr)) { 1242 adv->rpa_expired = false; 1243 queue_delayed_work(hdev->workqueue, 1244 &adv->rpa_expired_cb, 1245 secs_to_jiffies(hdev->rpa_timeout)); 1246 } 1247 } 1248 1249 hci_dev_unlock(hdev); 1250 } 1251 1252 static void hci_cc_le_remove_adv_set(struct hci_dev *hdev, struct sk_buff *skb) 1253 { 1254 __u8 status = *((__u8 *)skb->data); 1255 u8 *instance; 1256 int err; 1257 1258 if (status) 1259 return; 1260 1261 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET); 1262 if (!instance) 1263 return; 1264 1265 hci_dev_lock(hdev); 1266 1267 err = hci_remove_adv_instance(hdev, *instance); 1268 if (!err) 1269 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev, 1270 *instance); 1271 1272 hci_dev_unlock(hdev); 1273 } 1274 1275 static void hci_cc_le_clear_adv_sets(struct hci_dev *hdev, struct sk_buff *skb) 1276 { 1277 __u8 status = *((__u8 *)skb->data); 1278 struct adv_info *adv, *n; 1279 int err; 1280 1281 if (status) 1282 return; 1283 1284 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS)) 1285 return; 1286 1287 hci_dev_lock(hdev); 1288 1289 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 1290 u8 instance = adv->instance; 1291 1292 err = hci_remove_adv_instance(hdev, instance); 1293 if (!err) 1294 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1295 hdev, instance); 1296 } 1297 1298 hci_dev_unlock(hdev); 1299 } 1300 1301 static void hci_cc_le_read_transmit_power(struct hci_dev *hdev, 1302 struct sk_buff *skb) 1303 { 1304 struct hci_rp_le_read_transmit_power *rp = (void *)skb->data; 1305 1306 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1307 1308 if (rp->status) 1309 return; 1310 1311 hdev->min_le_tx_power = rp->min_le_tx_power; 1312 hdev->max_le_tx_power = rp->max_le_tx_power; 1313 } 1314 1315 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1316 { 1317 __u8 *sent, status = *((__u8 *) skb->data); 1318 1319 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1320 1321 if (status) 1322 return; 1323 1324 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1325 if (!sent) 1326 return; 1327 1328 hci_dev_lock(hdev); 1329 1330 /* If we're doing connection initiation as peripheral. Set a 1331 * timeout in case something goes wrong. 1332 */ 1333 if (*sent) { 1334 struct hci_conn *conn; 1335 1336 hci_dev_set_flag(hdev, HCI_LE_ADV); 1337 1338 conn = hci_lookup_le_connect(hdev); 1339 if (conn) 1340 queue_delayed_work(hdev->workqueue, 1341 &conn->le_conn_timeout, 1342 conn->conn_timeout); 1343 } else { 1344 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1345 } 1346 1347 hci_dev_unlock(hdev); 1348 } 1349 1350 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, 1351 struct sk_buff *skb) 1352 { 1353 struct hci_cp_le_set_ext_adv_enable *cp; 1354 struct hci_cp_ext_adv_set *set; 1355 __u8 status = *((__u8 *) skb->data); 1356 struct adv_info *adv = NULL, *n; 1357 1358 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1359 1360 if (status) 1361 return; 1362 1363 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1364 if (!cp) 1365 return; 1366 1367 set = (void *)cp->data; 1368 1369 hci_dev_lock(hdev); 1370 1371 if (cp->num_of_sets) 1372 adv = hci_find_adv_instance(hdev, set->handle); 1373 1374 if (cp->enable) { 1375 struct hci_conn *conn; 1376 1377 hci_dev_set_flag(hdev, HCI_LE_ADV); 1378 1379 if (adv) 1380 adv->enabled = true; 1381 1382 conn = hci_lookup_le_connect(hdev); 1383 if (conn) 1384 queue_delayed_work(hdev->workqueue, 1385 &conn->le_conn_timeout, 1386 conn->conn_timeout); 1387 } else { 1388 if (cp->num_of_sets) { 1389 if (adv) 1390 adv->enabled = false; 1391 1392 /* If just one instance was disabled check if there are 1393 * any other instance enabled before clearing HCI_LE_ADV 1394 */ 1395 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1396 list) { 1397 if (adv->enabled) 1398 goto unlock; 1399 } 1400 } else { 1401 /* All instances shall be considered disabled */ 1402 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1403 list) 1404 adv->enabled = false; 1405 } 1406 1407 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1408 } 1409 1410 unlock: 1411 hci_dev_unlock(hdev); 1412 } 1413 1414 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1415 { 1416 struct hci_cp_le_set_scan_param *cp; 1417 __u8 status = *((__u8 *) skb->data); 1418 1419 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1420 1421 if (status) 1422 return; 1423 1424 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1425 if (!cp) 1426 return; 1427 1428 hci_dev_lock(hdev); 1429 1430 hdev->le_scan_type = cp->type; 1431 1432 hci_dev_unlock(hdev); 1433 } 1434 1435 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, 1436 struct sk_buff *skb) 1437 { 1438 struct hci_cp_le_set_ext_scan_params *cp; 1439 __u8 status = *((__u8 *) skb->data); 1440 struct hci_cp_le_scan_phy_params *phy_param; 1441 1442 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1443 1444 if (status) 1445 return; 1446 1447 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1448 if (!cp) 1449 return; 1450 1451 phy_param = (void *)cp->data; 1452 1453 hci_dev_lock(hdev); 1454 1455 hdev->le_scan_type = phy_param->type; 1456 1457 hci_dev_unlock(hdev); 1458 } 1459 1460 static bool has_pending_adv_report(struct hci_dev *hdev) 1461 { 1462 struct discovery_state *d = &hdev->discovery; 1463 1464 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1465 } 1466 1467 static void clear_pending_adv_report(struct hci_dev *hdev) 1468 { 1469 struct discovery_state *d = &hdev->discovery; 1470 1471 bacpy(&d->last_adv_addr, BDADDR_ANY); 1472 d->last_adv_data_len = 0; 1473 } 1474 1475 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1476 u8 bdaddr_type, s8 rssi, u32 flags, 1477 u8 *data, u8 len) 1478 { 1479 struct discovery_state *d = &hdev->discovery; 1480 1481 if (len > HCI_MAX_AD_LENGTH) 1482 return; 1483 1484 bacpy(&d->last_adv_addr, bdaddr); 1485 d->last_adv_addr_type = bdaddr_type; 1486 d->last_adv_rssi = rssi; 1487 d->last_adv_flags = flags; 1488 memcpy(d->last_adv_data, data, len); 1489 d->last_adv_data_len = len; 1490 } 1491 1492 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1493 { 1494 hci_dev_lock(hdev); 1495 1496 switch (enable) { 1497 case LE_SCAN_ENABLE: 1498 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1499 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1500 clear_pending_adv_report(hdev); 1501 break; 1502 1503 case LE_SCAN_DISABLE: 1504 /* We do this here instead of when setting DISCOVERY_STOPPED 1505 * since the latter would potentially require waiting for 1506 * inquiry to stop too. 1507 */ 1508 if (has_pending_adv_report(hdev)) { 1509 struct discovery_state *d = &hdev->discovery; 1510 1511 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1512 d->last_adv_addr_type, NULL, 1513 d->last_adv_rssi, d->last_adv_flags, 1514 d->last_adv_data, 1515 d->last_adv_data_len, NULL, 0); 1516 } 1517 1518 /* Cancel this timer so that we don't try to disable scanning 1519 * when it's already disabled. 1520 */ 1521 cancel_delayed_work(&hdev->le_scan_disable); 1522 1523 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1524 1525 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1526 * interrupted scanning due to a connect request. Mark 1527 * therefore discovery as stopped. 1528 */ 1529 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1530 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1531 1532 break; 1533 1534 default: 1535 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1536 enable); 1537 break; 1538 } 1539 1540 hci_dev_unlock(hdev); 1541 } 1542 1543 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1544 struct sk_buff *skb) 1545 { 1546 struct hci_cp_le_set_scan_enable *cp; 1547 __u8 status = *((__u8 *) skb->data); 1548 1549 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1550 1551 if (status) 1552 return; 1553 1554 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1555 if (!cp) 1556 return; 1557 1558 le_set_scan_enable_complete(hdev, cp->enable); 1559 } 1560 1561 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, 1562 struct sk_buff *skb) 1563 { 1564 struct hci_cp_le_set_ext_scan_enable *cp; 1565 __u8 status = *((__u8 *) skb->data); 1566 1567 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1568 1569 if (status) 1570 return; 1571 1572 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1573 if (!cp) 1574 return; 1575 1576 le_set_scan_enable_complete(hdev, cp->enable); 1577 } 1578 1579 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, 1580 struct sk_buff *skb) 1581 { 1582 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data; 1583 1584 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status, 1585 rp->num_of_sets); 1586 1587 if (rp->status) 1588 return; 1589 1590 hdev->le_num_of_adv_sets = rp->num_of_sets; 1591 } 1592 1593 static void hci_cc_le_read_accept_list_size(struct hci_dev *hdev, 1594 struct sk_buff *skb) 1595 { 1596 struct hci_rp_le_read_accept_list_size *rp = (void *)skb->data; 1597 1598 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1599 1600 if (rp->status) 1601 return; 1602 1603 hdev->le_accept_list_size = rp->size; 1604 } 1605 1606 static void hci_cc_le_clear_accept_list(struct hci_dev *hdev, 1607 struct sk_buff *skb) 1608 { 1609 __u8 status = *((__u8 *) skb->data); 1610 1611 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1612 1613 if (status) 1614 return; 1615 1616 hci_bdaddr_list_clear(&hdev->le_accept_list); 1617 } 1618 1619 static void hci_cc_le_add_to_accept_list(struct hci_dev *hdev, 1620 struct sk_buff *skb) 1621 { 1622 struct hci_cp_le_add_to_accept_list *sent; 1623 __u8 status = *((__u8 *) skb->data); 1624 1625 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1626 1627 if (status) 1628 return; 1629 1630 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1631 if (!sent) 1632 return; 1633 1634 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1635 sent->bdaddr_type); 1636 } 1637 1638 static void hci_cc_le_del_from_accept_list(struct hci_dev *hdev, 1639 struct sk_buff *skb) 1640 { 1641 struct hci_cp_le_del_from_accept_list *sent; 1642 __u8 status = *((__u8 *) skb->data); 1643 1644 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1645 1646 if (status) 1647 return; 1648 1649 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1650 if (!sent) 1651 return; 1652 1653 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1654 sent->bdaddr_type); 1655 } 1656 1657 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1658 struct sk_buff *skb) 1659 { 1660 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1661 1662 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1663 1664 if (rp->status) 1665 return; 1666 1667 memcpy(hdev->le_states, rp->le_states, 8); 1668 } 1669 1670 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1671 struct sk_buff *skb) 1672 { 1673 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1674 1675 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1676 1677 if (rp->status) 1678 return; 1679 1680 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1681 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1682 } 1683 1684 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1685 struct sk_buff *skb) 1686 { 1687 struct hci_cp_le_write_def_data_len *sent; 1688 __u8 status = *((__u8 *) skb->data); 1689 1690 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1691 1692 if (status) 1693 return; 1694 1695 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1696 if (!sent) 1697 return; 1698 1699 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1700 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1701 } 1702 1703 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, 1704 struct sk_buff *skb) 1705 { 1706 struct hci_cp_le_add_to_resolv_list *sent; 1707 __u8 status = *((__u8 *) skb->data); 1708 1709 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1710 1711 if (status) 1712 return; 1713 1714 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1715 if (!sent) 1716 return; 1717 1718 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1719 sent->bdaddr_type, sent->peer_irk, 1720 sent->local_irk); 1721 } 1722 1723 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 1724 struct sk_buff *skb) 1725 { 1726 struct hci_cp_le_del_from_resolv_list *sent; 1727 __u8 status = *((__u8 *) skb->data); 1728 1729 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1730 1731 if (status) 1732 return; 1733 1734 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1735 if (!sent) 1736 return; 1737 1738 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1739 sent->bdaddr_type); 1740 } 1741 1742 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev, 1743 struct sk_buff *skb) 1744 { 1745 __u8 status = *((__u8 *) skb->data); 1746 1747 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1748 1749 if (status) 1750 return; 1751 1752 hci_bdaddr_list_clear(&hdev->le_resolv_list); 1753 } 1754 1755 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, 1756 struct sk_buff *skb) 1757 { 1758 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data; 1759 1760 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1761 1762 if (rp->status) 1763 return; 1764 1765 hdev->le_resolv_list_size = rp->size; 1766 } 1767 1768 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, 1769 struct sk_buff *skb) 1770 { 1771 __u8 *sent, status = *((__u8 *) skb->data); 1772 1773 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1774 1775 if (status) 1776 return; 1777 1778 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 1779 if (!sent) 1780 return; 1781 1782 hci_dev_lock(hdev); 1783 1784 if (*sent) 1785 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 1786 else 1787 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 1788 1789 hci_dev_unlock(hdev); 1790 } 1791 1792 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1793 struct sk_buff *skb) 1794 { 1795 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1796 1797 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1798 1799 if (rp->status) 1800 return; 1801 1802 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1803 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1804 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1805 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1806 } 1807 1808 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1809 struct sk_buff *skb) 1810 { 1811 struct hci_cp_write_le_host_supported *sent; 1812 __u8 status = *((__u8 *) skb->data); 1813 1814 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1815 1816 if (status) 1817 return; 1818 1819 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1820 if (!sent) 1821 return; 1822 1823 hci_dev_lock(hdev); 1824 1825 if (sent->le) { 1826 hdev->features[1][0] |= LMP_HOST_LE; 1827 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1828 } else { 1829 hdev->features[1][0] &= ~LMP_HOST_LE; 1830 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1831 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1832 } 1833 1834 if (sent->simul) 1835 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1836 else 1837 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1838 1839 hci_dev_unlock(hdev); 1840 } 1841 1842 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1843 { 1844 struct hci_cp_le_set_adv_param *cp; 1845 u8 status = *((u8 *) skb->data); 1846 1847 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1848 1849 if (status) 1850 return; 1851 1852 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1853 if (!cp) 1854 return; 1855 1856 hci_dev_lock(hdev); 1857 hdev->adv_addr_type = cp->own_address_type; 1858 hci_dev_unlock(hdev); 1859 } 1860 1861 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1862 { 1863 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; 1864 struct hci_cp_le_set_ext_adv_params *cp; 1865 struct adv_info *adv_instance; 1866 1867 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1868 1869 if (rp->status) 1870 return; 1871 1872 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 1873 if (!cp) 1874 return; 1875 1876 hci_dev_lock(hdev); 1877 hdev->adv_addr_type = cp->own_addr_type; 1878 if (!cp->handle) { 1879 /* Store in hdev for instance 0 */ 1880 hdev->adv_tx_power = rp->tx_power; 1881 } else { 1882 adv_instance = hci_find_adv_instance(hdev, cp->handle); 1883 if (adv_instance) 1884 adv_instance->tx_power = rp->tx_power; 1885 } 1886 /* Update adv data as tx power is known now */ 1887 hci_req_update_adv_data(hdev, cp->handle); 1888 1889 hci_dev_unlock(hdev); 1890 } 1891 1892 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1893 { 1894 struct hci_rp_read_rssi *rp = (void *) skb->data; 1895 struct hci_conn *conn; 1896 1897 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1898 1899 if (rp->status) 1900 return; 1901 1902 hci_dev_lock(hdev); 1903 1904 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1905 if (conn) 1906 conn->rssi = rp->rssi; 1907 1908 hci_dev_unlock(hdev); 1909 } 1910 1911 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1912 { 1913 struct hci_cp_read_tx_power *sent; 1914 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1915 struct hci_conn *conn; 1916 1917 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1918 1919 if (rp->status) 1920 return; 1921 1922 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1923 if (!sent) 1924 return; 1925 1926 hci_dev_lock(hdev); 1927 1928 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1929 if (!conn) 1930 goto unlock; 1931 1932 switch (sent->type) { 1933 case 0x00: 1934 conn->tx_power = rp->tx_power; 1935 break; 1936 case 0x01: 1937 conn->max_tx_power = rp->tx_power; 1938 break; 1939 } 1940 1941 unlock: 1942 hci_dev_unlock(hdev); 1943 } 1944 1945 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1946 { 1947 u8 status = *((u8 *) skb->data); 1948 u8 *mode; 1949 1950 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1951 1952 if (status) 1953 return; 1954 1955 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1956 if (mode) 1957 hdev->ssp_debug_mode = *mode; 1958 } 1959 1960 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1961 { 1962 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1963 1964 if (status) { 1965 hci_conn_check_pending(hdev); 1966 return; 1967 } 1968 1969 set_bit(HCI_INQUIRY, &hdev->flags); 1970 } 1971 1972 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1973 { 1974 struct hci_cp_create_conn *cp; 1975 struct hci_conn *conn; 1976 1977 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1978 1979 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1980 if (!cp) 1981 return; 1982 1983 hci_dev_lock(hdev); 1984 1985 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1986 1987 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1988 1989 if (status) { 1990 if (conn && conn->state == BT_CONNECT) { 1991 if (status != 0x0c || conn->attempt > 2) { 1992 conn->state = BT_CLOSED; 1993 hci_connect_cfm(conn, status); 1994 hci_conn_del(conn); 1995 } else 1996 conn->state = BT_CONNECT2; 1997 } 1998 } else { 1999 if (!conn) { 2000 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 2001 HCI_ROLE_MASTER); 2002 if (!conn) 2003 bt_dev_err(hdev, "no memory for new connection"); 2004 } 2005 } 2006 2007 hci_dev_unlock(hdev); 2008 } 2009 2010 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2011 { 2012 struct hci_cp_add_sco *cp; 2013 struct hci_conn *acl, *sco; 2014 __u16 handle; 2015 2016 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2017 2018 if (!status) 2019 return; 2020 2021 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2022 if (!cp) 2023 return; 2024 2025 handle = __le16_to_cpu(cp->handle); 2026 2027 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2028 2029 hci_dev_lock(hdev); 2030 2031 acl = hci_conn_hash_lookup_handle(hdev, handle); 2032 if (acl) { 2033 sco = acl->link; 2034 if (sco) { 2035 sco->state = BT_CLOSED; 2036 2037 hci_connect_cfm(sco, status); 2038 hci_conn_del(sco); 2039 } 2040 } 2041 2042 hci_dev_unlock(hdev); 2043 } 2044 2045 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2046 { 2047 struct hci_cp_auth_requested *cp; 2048 struct hci_conn *conn; 2049 2050 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2051 2052 if (!status) 2053 return; 2054 2055 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2056 if (!cp) 2057 return; 2058 2059 hci_dev_lock(hdev); 2060 2061 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2062 if (conn) { 2063 if (conn->state == BT_CONFIG) { 2064 hci_connect_cfm(conn, status); 2065 hci_conn_drop(conn); 2066 } 2067 } 2068 2069 hci_dev_unlock(hdev); 2070 } 2071 2072 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2073 { 2074 struct hci_cp_set_conn_encrypt *cp; 2075 struct hci_conn *conn; 2076 2077 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2078 2079 if (!status) 2080 return; 2081 2082 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2083 if (!cp) 2084 return; 2085 2086 hci_dev_lock(hdev); 2087 2088 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2089 if (conn) { 2090 if (conn->state == BT_CONFIG) { 2091 hci_connect_cfm(conn, status); 2092 hci_conn_drop(conn); 2093 } 2094 } 2095 2096 hci_dev_unlock(hdev); 2097 } 2098 2099 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2100 struct hci_conn *conn) 2101 { 2102 if (conn->state != BT_CONFIG || !conn->out) 2103 return 0; 2104 2105 if (conn->pending_sec_level == BT_SECURITY_SDP) 2106 return 0; 2107 2108 /* Only request authentication for SSP connections or non-SSP 2109 * devices with sec_level MEDIUM or HIGH or if MITM protection 2110 * is requested. 2111 */ 2112 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2113 conn->pending_sec_level != BT_SECURITY_FIPS && 2114 conn->pending_sec_level != BT_SECURITY_HIGH && 2115 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2116 return 0; 2117 2118 return 1; 2119 } 2120 2121 static int hci_resolve_name(struct hci_dev *hdev, 2122 struct inquiry_entry *e) 2123 { 2124 struct hci_cp_remote_name_req cp; 2125 2126 memset(&cp, 0, sizeof(cp)); 2127 2128 bacpy(&cp.bdaddr, &e->data.bdaddr); 2129 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2130 cp.pscan_mode = e->data.pscan_mode; 2131 cp.clock_offset = e->data.clock_offset; 2132 2133 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2134 } 2135 2136 static bool hci_resolve_next_name(struct hci_dev *hdev) 2137 { 2138 struct discovery_state *discov = &hdev->discovery; 2139 struct inquiry_entry *e; 2140 2141 if (list_empty(&discov->resolve)) 2142 return false; 2143 2144 /* We should stop if we already spent too much time resolving names. */ 2145 if (time_after(jiffies, discov->name_resolve_timeout)) { 2146 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2147 return false; 2148 } 2149 2150 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2151 if (!e) 2152 return false; 2153 2154 if (hci_resolve_name(hdev, e) == 0) { 2155 e->name_state = NAME_PENDING; 2156 return true; 2157 } 2158 2159 return false; 2160 } 2161 2162 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2163 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2164 { 2165 struct discovery_state *discov = &hdev->discovery; 2166 struct inquiry_entry *e; 2167 2168 /* Update the mgmt connected state if necessary. Be careful with 2169 * conn objects that exist but are not (yet) connected however. 2170 * Only those in BT_CONFIG or BT_CONNECTED states can be 2171 * considered connected. 2172 */ 2173 if (conn && 2174 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2175 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2176 mgmt_device_connected(hdev, conn, name, name_len); 2177 2178 if (discov->state == DISCOVERY_STOPPED) 2179 return; 2180 2181 if (discov->state == DISCOVERY_STOPPING) 2182 goto discov_complete; 2183 2184 if (discov->state != DISCOVERY_RESOLVING) 2185 return; 2186 2187 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2188 /* If the device was not found in a list of found devices names of which 2189 * are pending. there is no need to continue resolving a next name as it 2190 * will be done upon receiving another Remote Name Request Complete 2191 * Event */ 2192 if (!e) 2193 return; 2194 2195 list_del(&e->list); 2196 2197 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2198 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2199 name, name_len); 2200 2201 if (hci_resolve_next_name(hdev)) 2202 return; 2203 2204 discov_complete: 2205 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2206 } 2207 2208 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2209 { 2210 struct hci_cp_remote_name_req *cp; 2211 struct hci_conn *conn; 2212 2213 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2214 2215 /* If successful wait for the name req complete event before 2216 * checking for the need to do authentication */ 2217 if (!status) 2218 return; 2219 2220 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2221 if (!cp) 2222 return; 2223 2224 hci_dev_lock(hdev); 2225 2226 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2227 2228 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2229 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2230 2231 if (!conn) 2232 goto unlock; 2233 2234 if (!hci_outgoing_auth_needed(hdev, conn)) 2235 goto unlock; 2236 2237 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2238 struct hci_cp_auth_requested auth_cp; 2239 2240 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2241 2242 auth_cp.handle = __cpu_to_le16(conn->handle); 2243 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2244 sizeof(auth_cp), &auth_cp); 2245 } 2246 2247 unlock: 2248 hci_dev_unlock(hdev); 2249 } 2250 2251 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2252 { 2253 struct hci_cp_read_remote_features *cp; 2254 struct hci_conn *conn; 2255 2256 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2257 2258 if (!status) 2259 return; 2260 2261 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2262 if (!cp) 2263 return; 2264 2265 hci_dev_lock(hdev); 2266 2267 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2268 if (conn) { 2269 if (conn->state == BT_CONFIG) { 2270 hci_connect_cfm(conn, status); 2271 hci_conn_drop(conn); 2272 } 2273 } 2274 2275 hci_dev_unlock(hdev); 2276 } 2277 2278 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2279 { 2280 struct hci_cp_read_remote_ext_features *cp; 2281 struct hci_conn *conn; 2282 2283 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2284 2285 if (!status) 2286 return; 2287 2288 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2289 if (!cp) 2290 return; 2291 2292 hci_dev_lock(hdev); 2293 2294 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2295 if (conn) { 2296 if (conn->state == BT_CONFIG) { 2297 hci_connect_cfm(conn, status); 2298 hci_conn_drop(conn); 2299 } 2300 } 2301 2302 hci_dev_unlock(hdev); 2303 } 2304 2305 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2306 { 2307 struct hci_cp_setup_sync_conn *cp; 2308 struct hci_conn *acl, *sco; 2309 __u16 handle; 2310 2311 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2312 2313 if (!status) 2314 return; 2315 2316 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2317 if (!cp) 2318 return; 2319 2320 handle = __le16_to_cpu(cp->handle); 2321 2322 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2323 2324 hci_dev_lock(hdev); 2325 2326 acl = hci_conn_hash_lookup_handle(hdev, handle); 2327 if (acl) { 2328 sco = acl->link; 2329 if (sco) { 2330 sco->state = BT_CLOSED; 2331 2332 hci_connect_cfm(sco, status); 2333 hci_conn_del(sco); 2334 } 2335 } 2336 2337 hci_dev_unlock(hdev); 2338 } 2339 2340 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2341 { 2342 struct hci_cp_enhanced_setup_sync_conn *cp; 2343 struct hci_conn *acl, *sco; 2344 __u16 handle; 2345 2346 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2347 2348 if (!status) 2349 return; 2350 2351 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN); 2352 if (!cp) 2353 return; 2354 2355 handle = __le16_to_cpu(cp->handle); 2356 2357 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2358 2359 hci_dev_lock(hdev); 2360 2361 acl = hci_conn_hash_lookup_handle(hdev, handle); 2362 if (acl) { 2363 sco = acl->link; 2364 if (sco) { 2365 sco->state = BT_CLOSED; 2366 2367 hci_connect_cfm(sco, status); 2368 hci_conn_del(sco); 2369 } 2370 } 2371 2372 hci_dev_unlock(hdev); 2373 } 2374 2375 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2376 { 2377 struct hci_cp_sniff_mode *cp; 2378 struct hci_conn *conn; 2379 2380 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2381 2382 if (!status) 2383 return; 2384 2385 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2386 if (!cp) 2387 return; 2388 2389 hci_dev_lock(hdev); 2390 2391 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2392 if (conn) { 2393 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2394 2395 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2396 hci_sco_setup(conn, status); 2397 } 2398 2399 hci_dev_unlock(hdev); 2400 } 2401 2402 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2403 { 2404 struct hci_cp_exit_sniff_mode *cp; 2405 struct hci_conn *conn; 2406 2407 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2408 2409 if (!status) 2410 return; 2411 2412 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2413 if (!cp) 2414 return; 2415 2416 hci_dev_lock(hdev); 2417 2418 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2419 if (conn) { 2420 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2421 2422 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2423 hci_sco_setup(conn, status); 2424 } 2425 2426 hci_dev_unlock(hdev); 2427 } 2428 2429 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2430 { 2431 struct hci_cp_disconnect *cp; 2432 struct hci_conn_params *params; 2433 struct hci_conn *conn; 2434 bool mgmt_conn; 2435 2436 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended 2437 * otherwise cleanup the connection immediately. 2438 */ 2439 if (!status && !hdev->suspended) 2440 return; 2441 2442 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2443 if (!cp) 2444 return; 2445 2446 hci_dev_lock(hdev); 2447 2448 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2449 if (!conn) 2450 goto unlock; 2451 2452 if (status) { 2453 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2454 conn->dst_type, status); 2455 2456 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 2457 hdev->cur_adv_instance = conn->adv_instance; 2458 hci_enable_advertising(hdev); 2459 } 2460 2461 goto done; 2462 } 2463 2464 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2465 2466 if (conn->type == ACL_LINK) { 2467 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2468 hci_remove_link_key(hdev, &conn->dst); 2469 } 2470 2471 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2472 if (params) { 2473 switch (params->auto_connect) { 2474 case HCI_AUTO_CONN_LINK_LOSS: 2475 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2476 break; 2477 fallthrough; 2478 2479 case HCI_AUTO_CONN_DIRECT: 2480 case HCI_AUTO_CONN_ALWAYS: 2481 list_del_init(¶ms->action); 2482 list_add(¶ms->action, &hdev->pend_le_conns); 2483 break; 2484 2485 default: 2486 break; 2487 } 2488 } 2489 2490 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2491 cp->reason, mgmt_conn); 2492 2493 hci_disconn_cfm(conn, cp->reason); 2494 2495 done: 2496 /* If the disconnection failed for any reason, the upper layer 2497 * does not retry to disconnect in current implementation. 2498 * Hence, we need to do some basic cleanup here and re-enable 2499 * advertising if necessary. 2500 */ 2501 hci_conn_del(conn); 2502 unlock: 2503 hci_dev_unlock(hdev); 2504 } 2505 2506 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved) 2507 { 2508 /* When using controller based address resolution, then the new 2509 * address types 0x02 and 0x03 are used. These types need to be 2510 * converted back into either public address or random address type 2511 */ 2512 switch (type) { 2513 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2514 if (resolved) 2515 *resolved = true; 2516 return ADDR_LE_DEV_PUBLIC; 2517 case ADDR_LE_DEV_RANDOM_RESOLVED: 2518 if (resolved) 2519 *resolved = true; 2520 return ADDR_LE_DEV_RANDOM; 2521 } 2522 2523 if (resolved) 2524 *resolved = false; 2525 return type; 2526 } 2527 2528 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2529 u8 peer_addr_type, u8 own_address_type, 2530 u8 filter_policy) 2531 { 2532 struct hci_conn *conn; 2533 2534 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2535 peer_addr_type); 2536 if (!conn) 2537 return; 2538 2539 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL); 2540 2541 /* Store the initiator and responder address information which 2542 * is needed for SMP. These values will not change during the 2543 * lifetime of the connection. 2544 */ 2545 conn->init_addr_type = own_address_type; 2546 if (own_address_type == ADDR_LE_DEV_RANDOM) 2547 bacpy(&conn->init_addr, &hdev->random_addr); 2548 else 2549 bacpy(&conn->init_addr, &hdev->bdaddr); 2550 2551 conn->resp_addr_type = peer_addr_type; 2552 bacpy(&conn->resp_addr, peer_addr); 2553 2554 /* We don't want the connection attempt to stick around 2555 * indefinitely since LE doesn't have a page timeout concept 2556 * like BR/EDR. Set a timer for any connection that doesn't use 2557 * the accept list for connecting. 2558 */ 2559 if (filter_policy == HCI_LE_USE_PEER_ADDR) 2560 queue_delayed_work(conn->hdev->workqueue, 2561 &conn->le_conn_timeout, 2562 conn->conn_timeout); 2563 } 2564 2565 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2566 { 2567 struct hci_cp_le_create_conn *cp; 2568 2569 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2570 2571 /* All connection failure handling is taken care of by the 2572 * hci_le_conn_failed function which is triggered by the HCI 2573 * request completion callbacks used for connecting. 2574 */ 2575 if (status) 2576 return; 2577 2578 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2579 if (!cp) 2580 return; 2581 2582 hci_dev_lock(hdev); 2583 2584 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2585 cp->own_address_type, cp->filter_policy); 2586 2587 hci_dev_unlock(hdev); 2588 } 2589 2590 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2591 { 2592 struct hci_cp_le_ext_create_conn *cp; 2593 2594 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2595 2596 /* All connection failure handling is taken care of by the 2597 * hci_le_conn_failed function which is triggered by the HCI 2598 * request completion callbacks used for connecting. 2599 */ 2600 if (status) 2601 return; 2602 2603 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2604 if (!cp) 2605 return; 2606 2607 hci_dev_lock(hdev); 2608 2609 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2610 cp->own_addr_type, cp->filter_policy); 2611 2612 hci_dev_unlock(hdev); 2613 } 2614 2615 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2616 { 2617 struct hci_cp_le_read_remote_features *cp; 2618 struct hci_conn *conn; 2619 2620 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2621 2622 if (!status) 2623 return; 2624 2625 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2626 if (!cp) 2627 return; 2628 2629 hci_dev_lock(hdev); 2630 2631 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2632 if (conn) { 2633 if (conn->state == BT_CONFIG) { 2634 hci_connect_cfm(conn, status); 2635 hci_conn_drop(conn); 2636 } 2637 } 2638 2639 hci_dev_unlock(hdev); 2640 } 2641 2642 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2643 { 2644 struct hci_cp_le_start_enc *cp; 2645 struct hci_conn *conn; 2646 2647 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2648 2649 if (!status) 2650 return; 2651 2652 hci_dev_lock(hdev); 2653 2654 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2655 if (!cp) 2656 goto unlock; 2657 2658 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2659 if (!conn) 2660 goto unlock; 2661 2662 if (conn->state != BT_CONNECTED) 2663 goto unlock; 2664 2665 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2666 hci_conn_drop(conn); 2667 2668 unlock: 2669 hci_dev_unlock(hdev); 2670 } 2671 2672 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2673 { 2674 struct hci_cp_switch_role *cp; 2675 struct hci_conn *conn; 2676 2677 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2678 2679 if (!status) 2680 return; 2681 2682 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2683 if (!cp) 2684 return; 2685 2686 hci_dev_lock(hdev); 2687 2688 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2689 if (conn) 2690 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2691 2692 hci_dev_unlock(hdev); 2693 } 2694 2695 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2696 { 2697 struct hci_ev_status *ev; 2698 struct discovery_state *discov = &hdev->discovery; 2699 struct inquiry_entry *e; 2700 2701 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_COMPLETE, sizeof(*ev)); 2702 if (!ev) 2703 return; 2704 2705 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2706 2707 hci_conn_check_pending(hdev); 2708 2709 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2710 return; 2711 2712 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2713 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2714 2715 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2716 return; 2717 2718 hci_dev_lock(hdev); 2719 2720 if (discov->state != DISCOVERY_FINDING) 2721 goto unlock; 2722 2723 if (list_empty(&discov->resolve)) { 2724 /* When BR/EDR inquiry is active and no LE scanning is in 2725 * progress, then change discovery state to indicate completion. 2726 * 2727 * When running LE scanning and BR/EDR inquiry simultaneously 2728 * and the LE scan already finished, then change the discovery 2729 * state to indicate completion. 2730 */ 2731 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2732 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2733 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2734 goto unlock; 2735 } 2736 2737 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2738 if (e && hci_resolve_name(hdev, e) == 0) { 2739 e->name_state = NAME_PENDING; 2740 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2741 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION; 2742 } else { 2743 /* When BR/EDR inquiry is active and no LE scanning is in 2744 * progress, then change discovery state to indicate completion. 2745 * 2746 * When running LE scanning and BR/EDR inquiry simultaneously 2747 * and the LE scan already finished, then change the discovery 2748 * state to indicate completion. 2749 */ 2750 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2751 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2752 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2753 } 2754 2755 unlock: 2756 hci_dev_unlock(hdev); 2757 } 2758 2759 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2760 { 2761 struct inquiry_data data; 2762 struct inquiry_info *info = (void *) (skb->data + 1); 2763 int num_rsp = *((__u8 *) skb->data); 2764 2765 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2766 2767 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) 2768 return; 2769 2770 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2771 return; 2772 2773 hci_dev_lock(hdev); 2774 2775 for (; num_rsp; num_rsp--, info++) { 2776 u32 flags; 2777 2778 bacpy(&data.bdaddr, &info->bdaddr); 2779 data.pscan_rep_mode = info->pscan_rep_mode; 2780 data.pscan_period_mode = info->pscan_period_mode; 2781 data.pscan_mode = info->pscan_mode; 2782 memcpy(data.dev_class, info->dev_class, 3); 2783 data.clock_offset = info->clock_offset; 2784 data.rssi = HCI_RSSI_INVALID; 2785 data.ssp_mode = 0x00; 2786 2787 flags = hci_inquiry_cache_update(hdev, &data, false); 2788 2789 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2790 info->dev_class, HCI_RSSI_INVALID, 2791 flags, NULL, 0, NULL, 0); 2792 } 2793 2794 hci_dev_unlock(hdev); 2795 } 2796 2797 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2798 { 2799 struct hci_ev_conn_complete *ev; 2800 struct hci_conn *conn; 2801 2802 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_CONN_COMPLETE, sizeof(*ev)); 2803 if (!ev) 2804 return; 2805 2806 BT_DBG("%s", hdev->name); 2807 2808 hci_dev_lock(hdev); 2809 2810 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2811 if (!conn) { 2812 /* Connection may not exist if auto-connected. Check the bredr 2813 * allowlist to see if this device is allowed to auto connect. 2814 * If link is an ACL type, create a connection class 2815 * automatically. 2816 * 2817 * Auto-connect will only occur if the event filter is 2818 * programmed with a given address. Right now, event filter is 2819 * only used during suspend. 2820 */ 2821 if (ev->link_type == ACL_LINK && 2822 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 2823 &ev->bdaddr, 2824 BDADDR_BREDR)) { 2825 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2826 HCI_ROLE_SLAVE); 2827 if (!conn) { 2828 bt_dev_err(hdev, "no memory for new conn"); 2829 goto unlock; 2830 } 2831 } else { 2832 if (ev->link_type != SCO_LINK) 2833 goto unlock; 2834 2835 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 2836 &ev->bdaddr); 2837 if (!conn) 2838 goto unlock; 2839 2840 conn->type = SCO_LINK; 2841 } 2842 } 2843 2844 if (!ev->status) { 2845 conn->handle = __le16_to_cpu(ev->handle); 2846 2847 if (conn->type == ACL_LINK) { 2848 conn->state = BT_CONFIG; 2849 hci_conn_hold(conn); 2850 2851 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2852 !hci_find_link_key(hdev, &ev->bdaddr)) 2853 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2854 else 2855 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2856 } else 2857 conn->state = BT_CONNECTED; 2858 2859 hci_debugfs_create_conn(conn); 2860 hci_conn_add_sysfs(conn); 2861 2862 if (test_bit(HCI_AUTH, &hdev->flags)) 2863 set_bit(HCI_CONN_AUTH, &conn->flags); 2864 2865 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2866 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2867 2868 /* Get remote features */ 2869 if (conn->type == ACL_LINK) { 2870 struct hci_cp_read_remote_features cp; 2871 cp.handle = ev->handle; 2872 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2873 sizeof(cp), &cp); 2874 2875 hci_req_update_scan(hdev); 2876 } 2877 2878 /* Set packet type for incoming connection */ 2879 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2880 struct hci_cp_change_conn_ptype cp; 2881 cp.handle = ev->handle; 2882 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2883 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2884 &cp); 2885 } 2886 } else { 2887 conn->state = BT_CLOSED; 2888 if (conn->type == ACL_LINK) 2889 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2890 conn->dst_type, ev->status); 2891 } 2892 2893 if (conn->type == ACL_LINK) 2894 hci_sco_setup(conn, ev->status); 2895 2896 if (ev->status) { 2897 hci_connect_cfm(conn, ev->status); 2898 hci_conn_del(conn); 2899 } else if (ev->link_type == SCO_LINK) { 2900 switch (conn->setting & SCO_AIRMODE_MASK) { 2901 case SCO_AIRMODE_CVSD: 2902 if (hdev->notify) 2903 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 2904 break; 2905 } 2906 2907 hci_connect_cfm(conn, ev->status); 2908 } 2909 2910 unlock: 2911 hci_dev_unlock(hdev); 2912 2913 hci_conn_check_pending(hdev); 2914 } 2915 2916 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2917 { 2918 struct hci_cp_reject_conn_req cp; 2919 2920 bacpy(&cp.bdaddr, bdaddr); 2921 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2922 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2923 } 2924 2925 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2926 { 2927 struct hci_ev_conn_request *ev; 2928 int mask = hdev->link_mode; 2929 struct inquiry_entry *ie; 2930 struct hci_conn *conn; 2931 __u8 flags = 0; 2932 2933 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_CONN_REQUEST, sizeof(*ev)); 2934 if (!ev) 2935 return; 2936 2937 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2938 ev->link_type); 2939 2940 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2941 &flags); 2942 2943 if (!(mask & HCI_LM_ACCEPT)) { 2944 hci_reject_conn(hdev, &ev->bdaddr); 2945 return; 2946 } 2947 2948 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, 2949 BDADDR_BREDR)) { 2950 hci_reject_conn(hdev, &ev->bdaddr); 2951 return; 2952 } 2953 2954 /* Require HCI_CONNECTABLE or an accept list entry to accept the 2955 * connection. These features are only touched through mgmt so 2956 * only do the checks if HCI_MGMT is set. 2957 */ 2958 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2959 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2960 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, 2961 BDADDR_BREDR)) { 2962 hci_reject_conn(hdev, &ev->bdaddr); 2963 return; 2964 } 2965 2966 /* Connection accepted */ 2967 2968 hci_dev_lock(hdev); 2969 2970 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2971 if (ie) 2972 memcpy(ie->data.dev_class, ev->dev_class, 3); 2973 2974 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2975 &ev->bdaddr); 2976 if (!conn) { 2977 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2978 HCI_ROLE_SLAVE); 2979 if (!conn) { 2980 bt_dev_err(hdev, "no memory for new connection"); 2981 hci_dev_unlock(hdev); 2982 return; 2983 } 2984 } 2985 2986 memcpy(conn->dev_class, ev->dev_class, 3); 2987 2988 hci_dev_unlock(hdev); 2989 2990 if (ev->link_type == ACL_LINK || 2991 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2992 struct hci_cp_accept_conn_req cp; 2993 conn->state = BT_CONNECT; 2994 2995 bacpy(&cp.bdaddr, &ev->bdaddr); 2996 2997 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2998 cp.role = 0x00; /* Become central */ 2999 else 3000 cp.role = 0x01; /* Remain peripheral */ 3001 3002 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 3003 } else if (!(flags & HCI_PROTO_DEFER)) { 3004 struct hci_cp_accept_sync_conn_req cp; 3005 conn->state = BT_CONNECT; 3006 3007 bacpy(&cp.bdaddr, &ev->bdaddr); 3008 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3009 3010 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 3011 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 3012 cp.max_latency = cpu_to_le16(0xffff); 3013 cp.content_format = cpu_to_le16(hdev->voice_setting); 3014 cp.retrans_effort = 0xff; 3015 3016 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 3017 &cp); 3018 } else { 3019 conn->state = BT_CONNECT2; 3020 hci_connect_cfm(conn, 0); 3021 } 3022 } 3023 3024 static u8 hci_to_mgmt_reason(u8 err) 3025 { 3026 switch (err) { 3027 case HCI_ERROR_CONNECTION_TIMEOUT: 3028 return MGMT_DEV_DISCONN_TIMEOUT; 3029 case HCI_ERROR_REMOTE_USER_TERM: 3030 case HCI_ERROR_REMOTE_LOW_RESOURCES: 3031 case HCI_ERROR_REMOTE_POWER_OFF: 3032 return MGMT_DEV_DISCONN_REMOTE; 3033 case HCI_ERROR_LOCAL_HOST_TERM: 3034 return MGMT_DEV_DISCONN_LOCAL_HOST; 3035 default: 3036 return MGMT_DEV_DISCONN_UNKNOWN; 3037 } 3038 } 3039 3040 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 3041 { 3042 struct hci_ev_disconn_complete *ev; 3043 u8 reason; 3044 struct hci_conn_params *params; 3045 struct hci_conn *conn; 3046 bool mgmt_connected; 3047 3048 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_DISCONN_COMPLETE, sizeof(*ev)); 3049 if (!ev) 3050 return; 3051 3052 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3053 3054 hci_dev_lock(hdev); 3055 3056 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3057 if (!conn) 3058 goto unlock; 3059 3060 if (ev->status) { 3061 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 3062 conn->dst_type, ev->status); 3063 goto unlock; 3064 } 3065 3066 conn->state = BT_CLOSED; 3067 3068 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 3069 3070 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 3071 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 3072 else 3073 reason = hci_to_mgmt_reason(ev->reason); 3074 3075 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 3076 reason, mgmt_connected); 3077 3078 if (conn->type == ACL_LINK) { 3079 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 3080 hci_remove_link_key(hdev, &conn->dst); 3081 3082 hci_req_update_scan(hdev); 3083 } 3084 3085 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 3086 if (params) { 3087 switch (params->auto_connect) { 3088 case HCI_AUTO_CONN_LINK_LOSS: 3089 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 3090 break; 3091 fallthrough; 3092 3093 case HCI_AUTO_CONN_DIRECT: 3094 case HCI_AUTO_CONN_ALWAYS: 3095 list_del_init(¶ms->action); 3096 list_add(¶ms->action, &hdev->pend_le_conns); 3097 hci_update_passive_scan(hdev); 3098 break; 3099 3100 default: 3101 break; 3102 } 3103 } 3104 3105 hci_disconn_cfm(conn, ev->reason); 3106 3107 /* Re-enable advertising if necessary, since it might 3108 * have been disabled by the connection. From the 3109 * HCI_LE_Set_Advertise_Enable command description in 3110 * the core specification (v4.0): 3111 * "The Controller shall continue advertising until the Host 3112 * issues an LE_Set_Advertise_Enable command with 3113 * Advertising_Enable set to 0x00 (Advertising is disabled) 3114 * or until a connection is created or until the Advertising 3115 * is timed out due to Directed Advertising." 3116 */ 3117 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 3118 hdev->cur_adv_instance = conn->adv_instance; 3119 hci_enable_advertising(hdev); 3120 } 3121 3122 hci_conn_del(conn); 3123 3124 unlock: 3125 hci_dev_unlock(hdev); 3126 } 3127 3128 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 3129 { 3130 struct hci_ev_auth_complete *ev; 3131 struct hci_conn *conn; 3132 3133 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_AUTH_COMPLETE, sizeof(*ev)); 3134 if (!ev) 3135 return; 3136 3137 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3138 3139 hci_dev_lock(hdev); 3140 3141 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3142 if (!conn) 3143 goto unlock; 3144 3145 if (!ev->status) { 3146 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3147 3148 if (!hci_conn_ssp_enabled(conn) && 3149 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 3150 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 3151 } else { 3152 set_bit(HCI_CONN_AUTH, &conn->flags); 3153 conn->sec_level = conn->pending_sec_level; 3154 } 3155 } else { 3156 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3157 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3158 3159 mgmt_auth_failed(conn, ev->status); 3160 } 3161 3162 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3163 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 3164 3165 if (conn->state == BT_CONFIG) { 3166 if (!ev->status && hci_conn_ssp_enabled(conn)) { 3167 struct hci_cp_set_conn_encrypt cp; 3168 cp.handle = ev->handle; 3169 cp.encrypt = 0x01; 3170 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3171 &cp); 3172 } else { 3173 conn->state = BT_CONNECTED; 3174 hci_connect_cfm(conn, ev->status); 3175 hci_conn_drop(conn); 3176 } 3177 } else { 3178 hci_auth_cfm(conn, ev->status); 3179 3180 hci_conn_hold(conn); 3181 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3182 hci_conn_drop(conn); 3183 } 3184 3185 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 3186 if (!ev->status) { 3187 struct hci_cp_set_conn_encrypt cp; 3188 cp.handle = ev->handle; 3189 cp.encrypt = 0x01; 3190 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3191 &cp); 3192 } else { 3193 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3194 hci_encrypt_cfm(conn, ev->status); 3195 } 3196 } 3197 3198 unlock: 3199 hci_dev_unlock(hdev); 3200 } 3201 3202 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 3203 { 3204 struct hci_ev_remote_name *ev; 3205 struct hci_conn *conn; 3206 3207 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_REMOTE_NAME, sizeof(*ev)); 3208 if (!ev) 3209 return; 3210 3211 BT_DBG("%s", hdev->name); 3212 3213 hci_conn_check_pending(hdev); 3214 3215 hci_dev_lock(hdev); 3216 3217 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3218 3219 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3220 goto check_auth; 3221 3222 if (ev->status == 0) 3223 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 3224 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 3225 else 3226 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 3227 3228 check_auth: 3229 if (!conn) 3230 goto unlock; 3231 3232 if (!hci_outgoing_auth_needed(hdev, conn)) 3233 goto unlock; 3234 3235 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3236 struct hci_cp_auth_requested cp; 3237 3238 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 3239 3240 cp.handle = __cpu_to_le16(conn->handle); 3241 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3242 } 3243 3244 unlock: 3245 hci_dev_unlock(hdev); 3246 } 3247 3248 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 3249 u16 opcode, struct sk_buff *skb) 3250 { 3251 const struct hci_rp_read_enc_key_size *rp; 3252 struct hci_conn *conn; 3253 u16 handle; 3254 3255 BT_DBG("%s status 0x%02x", hdev->name, status); 3256 3257 if (!skb || skb->len < sizeof(*rp)) { 3258 bt_dev_err(hdev, "invalid read key size response"); 3259 return; 3260 } 3261 3262 rp = (void *)skb->data; 3263 handle = le16_to_cpu(rp->handle); 3264 3265 hci_dev_lock(hdev); 3266 3267 conn = hci_conn_hash_lookup_handle(hdev, handle); 3268 if (!conn) 3269 goto unlock; 3270 3271 /* While unexpected, the read_enc_key_size command may fail. The most 3272 * secure approach is to then assume the key size is 0 to force a 3273 * disconnection. 3274 */ 3275 if (rp->status) { 3276 bt_dev_err(hdev, "failed to read key size for handle %u", 3277 handle); 3278 conn->enc_key_size = 0; 3279 } else { 3280 conn->enc_key_size = rp->key_size; 3281 } 3282 3283 hci_encrypt_cfm(conn, 0); 3284 3285 unlock: 3286 hci_dev_unlock(hdev); 3287 } 3288 3289 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3290 { 3291 struct hci_ev_encrypt_change *ev; 3292 struct hci_conn *conn; 3293 3294 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_ENCRYPT_CHANGE, sizeof(*ev)); 3295 if (!ev) 3296 return; 3297 3298 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3299 3300 hci_dev_lock(hdev); 3301 3302 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3303 if (!conn) 3304 goto unlock; 3305 3306 if (!ev->status) { 3307 if (ev->encrypt) { 3308 /* Encryption implies authentication */ 3309 set_bit(HCI_CONN_AUTH, &conn->flags); 3310 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3311 conn->sec_level = conn->pending_sec_level; 3312 3313 /* P-256 authentication key implies FIPS */ 3314 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3315 set_bit(HCI_CONN_FIPS, &conn->flags); 3316 3317 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3318 conn->type == LE_LINK) 3319 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3320 } else { 3321 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3322 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3323 } 3324 } 3325 3326 /* We should disregard the current RPA and generate a new one 3327 * whenever the encryption procedure fails. 3328 */ 3329 if (ev->status && conn->type == LE_LINK) { 3330 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3331 hci_adv_instances_set_rpa_expired(hdev, true); 3332 } 3333 3334 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3335 3336 /* Check link security requirements are met */ 3337 if (!hci_conn_check_link_mode(conn)) 3338 ev->status = HCI_ERROR_AUTH_FAILURE; 3339 3340 if (ev->status && conn->state == BT_CONNECTED) { 3341 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3342 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3343 3344 /* Notify upper layers so they can cleanup before 3345 * disconnecting. 3346 */ 3347 hci_encrypt_cfm(conn, ev->status); 3348 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3349 hci_conn_drop(conn); 3350 goto unlock; 3351 } 3352 3353 /* Try reading the encryption key size for encrypted ACL links */ 3354 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3355 struct hci_cp_read_enc_key_size cp; 3356 struct hci_request req; 3357 3358 /* Only send HCI_Read_Encryption_Key_Size if the 3359 * controller really supports it. If it doesn't, assume 3360 * the default size (16). 3361 */ 3362 if (!(hdev->commands[20] & 0x10)) { 3363 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3364 goto notify; 3365 } 3366 3367 hci_req_init(&req, hdev); 3368 3369 cp.handle = cpu_to_le16(conn->handle); 3370 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 3371 3372 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 3373 bt_dev_err(hdev, "sending read key size failed"); 3374 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3375 goto notify; 3376 } 3377 3378 goto unlock; 3379 } 3380 3381 /* Set the default Authenticated Payload Timeout after 3382 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3383 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3384 * sent when the link is active and Encryption is enabled, the conn 3385 * type can be either LE or ACL and controller must support LMP Ping. 3386 * Ensure for AES-CCM encryption as well. 3387 */ 3388 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3389 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3390 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3391 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3392 struct hci_cp_write_auth_payload_to cp; 3393 3394 cp.handle = cpu_to_le16(conn->handle); 3395 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3396 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3397 sizeof(cp), &cp); 3398 } 3399 3400 notify: 3401 hci_encrypt_cfm(conn, ev->status); 3402 3403 unlock: 3404 hci_dev_unlock(hdev); 3405 } 3406 3407 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 3408 struct sk_buff *skb) 3409 { 3410 struct hci_ev_change_link_key_complete *ev; 3411 struct hci_conn *conn; 3412 3413 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_CHANGE_LINK_KEY_COMPLETE, 3414 sizeof(*ev)); 3415 if (!ev) 3416 return; 3417 3418 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3419 3420 hci_dev_lock(hdev); 3421 3422 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3423 if (conn) { 3424 if (!ev->status) 3425 set_bit(HCI_CONN_SECURE, &conn->flags); 3426 3427 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3428 3429 hci_key_change_cfm(conn, ev->status); 3430 } 3431 3432 hci_dev_unlock(hdev); 3433 } 3434 3435 static void hci_remote_features_evt(struct hci_dev *hdev, 3436 struct sk_buff *skb) 3437 { 3438 struct hci_ev_remote_features *ev; 3439 struct hci_conn *conn; 3440 3441 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_REMOTE_FEATURES, sizeof(*ev)); 3442 if (!ev) 3443 return; 3444 3445 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3446 3447 hci_dev_lock(hdev); 3448 3449 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3450 if (!conn) 3451 goto unlock; 3452 3453 if (!ev->status) 3454 memcpy(conn->features[0], ev->features, 8); 3455 3456 if (conn->state != BT_CONFIG) 3457 goto unlock; 3458 3459 if (!ev->status && lmp_ext_feat_capable(hdev) && 3460 lmp_ext_feat_capable(conn)) { 3461 struct hci_cp_read_remote_ext_features cp; 3462 cp.handle = ev->handle; 3463 cp.page = 0x01; 3464 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3465 sizeof(cp), &cp); 3466 goto unlock; 3467 } 3468 3469 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3470 struct hci_cp_remote_name_req cp; 3471 memset(&cp, 0, sizeof(cp)); 3472 bacpy(&cp.bdaddr, &conn->dst); 3473 cp.pscan_rep_mode = 0x02; 3474 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3475 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3476 mgmt_device_connected(hdev, conn, NULL, 0); 3477 3478 if (!hci_outgoing_auth_needed(hdev, conn)) { 3479 conn->state = BT_CONNECTED; 3480 hci_connect_cfm(conn, ev->status); 3481 hci_conn_drop(conn); 3482 } 3483 3484 unlock: 3485 hci_dev_unlock(hdev); 3486 } 3487 3488 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3489 { 3490 cancel_delayed_work(&hdev->cmd_timer); 3491 3492 if (!test_bit(HCI_RESET, &hdev->flags)) { 3493 if (ncmd) { 3494 cancel_delayed_work(&hdev->ncmd_timer); 3495 atomic_set(&hdev->cmd_cnt, 1); 3496 } else { 3497 schedule_delayed_work(&hdev->ncmd_timer, 3498 HCI_NCMD_TIMEOUT); 3499 } 3500 } 3501 } 3502 3503 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 3504 u16 *opcode, u8 *status, 3505 hci_req_complete_t *req_complete, 3506 hci_req_complete_skb_t *req_complete_skb) 3507 { 3508 struct hci_ev_cmd_complete *ev = (void *) skb->data; 3509 3510 *opcode = __le16_to_cpu(ev->opcode); 3511 *status = skb->data[sizeof(*ev)]; 3512 3513 skb_pull(skb, sizeof(*ev)); 3514 3515 switch (*opcode) { 3516 case HCI_OP_INQUIRY_CANCEL: 3517 hci_cc_inquiry_cancel(hdev, skb, status); 3518 break; 3519 3520 case HCI_OP_PERIODIC_INQ: 3521 hci_cc_periodic_inq(hdev, skb); 3522 break; 3523 3524 case HCI_OP_EXIT_PERIODIC_INQ: 3525 hci_cc_exit_periodic_inq(hdev, skb); 3526 break; 3527 3528 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 3529 hci_cc_remote_name_req_cancel(hdev, skb); 3530 break; 3531 3532 case HCI_OP_ROLE_DISCOVERY: 3533 hci_cc_role_discovery(hdev, skb); 3534 break; 3535 3536 case HCI_OP_READ_LINK_POLICY: 3537 hci_cc_read_link_policy(hdev, skb); 3538 break; 3539 3540 case HCI_OP_WRITE_LINK_POLICY: 3541 hci_cc_write_link_policy(hdev, skb); 3542 break; 3543 3544 case HCI_OP_READ_DEF_LINK_POLICY: 3545 hci_cc_read_def_link_policy(hdev, skb); 3546 break; 3547 3548 case HCI_OP_WRITE_DEF_LINK_POLICY: 3549 hci_cc_write_def_link_policy(hdev, skb); 3550 break; 3551 3552 case HCI_OP_RESET: 3553 hci_cc_reset(hdev, skb); 3554 break; 3555 3556 case HCI_OP_READ_STORED_LINK_KEY: 3557 hci_cc_read_stored_link_key(hdev, skb); 3558 break; 3559 3560 case HCI_OP_DELETE_STORED_LINK_KEY: 3561 hci_cc_delete_stored_link_key(hdev, skb); 3562 break; 3563 3564 case HCI_OP_WRITE_LOCAL_NAME: 3565 hci_cc_write_local_name(hdev, skb); 3566 break; 3567 3568 case HCI_OP_READ_LOCAL_NAME: 3569 hci_cc_read_local_name(hdev, skb); 3570 break; 3571 3572 case HCI_OP_WRITE_AUTH_ENABLE: 3573 hci_cc_write_auth_enable(hdev, skb); 3574 break; 3575 3576 case HCI_OP_WRITE_ENCRYPT_MODE: 3577 hci_cc_write_encrypt_mode(hdev, skb); 3578 break; 3579 3580 case HCI_OP_WRITE_SCAN_ENABLE: 3581 hci_cc_write_scan_enable(hdev, skb); 3582 break; 3583 3584 case HCI_OP_SET_EVENT_FLT: 3585 hci_cc_set_event_filter(hdev, skb); 3586 break; 3587 3588 case HCI_OP_READ_CLASS_OF_DEV: 3589 hci_cc_read_class_of_dev(hdev, skb); 3590 break; 3591 3592 case HCI_OP_WRITE_CLASS_OF_DEV: 3593 hci_cc_write_class_of_dev(hdev, skb); 3594 break; 3595 3596 case HCI_OP_READ_VOICE_SETTING: 3597 hci_cc_read_voice_setting(hdev, skb); 3598 break; 3599 3600 case HCI_OP_WRITE_VOICE_SETTING: 3601 hci_cc_write_voice_setting(hdev, skb); 3602 break; 3603 3604 case HCI_OP_READ_NUM_SUPPORTED_IAC: 3605 hci_cc_read_num_supported_iac(hdev, skb); 3606 break; 3607 3608 case HCI_OP_WRITE_SSP_MODE: 3609 hci_cc_write_ssp_mode(hdev, skb); 3610 break; 3611 3612 case HCI_OP_WRITE_SC_SUPPORT: 3613 hci_cc_write_sc_support(hdev, skb); 3614 break; 3615 3616 case HCI_OP_READ_AUTH_PAYLOAD_TO: 3617 hci_cc_read_auth_payload_timeout(hdev, skb); 3618 break; 3619 3620 case HCI_OP_WRITE_AUTH_PAYLOAD_TO: 3621 hci_cc_write_auth_payload_timeout(hdev, skb); 3622 break; 3623 3624 case HCI_OP_READ_LOCAL_VERSION: 3625 hci_cc_read_local_version(hdev, skb); 3626 break; 3627 3628 case HCI_OP_READ_LOCAL_COMMANDS: 3629 hci_cc_read_local_commands(hdev, skb); 3630 break; 3631 3632 case HCI_OP_READ_LOCAL_FEATURES: 3633 hci_cc_read_local_features(hdev, skb); 3634 break; 3635 3636 case HCI_OP_READ_LOCAL_EXT_FEATURES: 3637 hci_cc_read_local_ext_features(hdev, skb); 3638 break; 3639 3640 case HCI_OP_READ_BUFFER_SIZE: 3641 hci_cc_read_buffer_size(hdev, skb); 3642 break; 3643 3644 case HCI_OP_READ_BD_ADDR: 3645 hci_cc_read_bd_addr(hdev, skb); 3646 break; 3647 3648 case HCI_OP_READ_LOCAL_PAIRING_OPTS: 3649 hci_cc_read_local_pairing_opts(hdev, skb); 3650 break; 3651 3652 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 3653 hci_cc_read_page_scan_activity(hdev, skb); 3654 break; 3655 3656 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 3657 hci_cc_write_page_scan_activity(hdev, skb); 3658 break; 3659 3660 case HCI_OP_READ_PAGE_SCAN_TYPE: 3661 hci_cc_read_page_scan_type(hdev, skb); 3662 break; 3663 3664 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 3665 hci_cc_write_page_scan_type(hdev, skb); 3666 break; 3667 3668 case HCI_OP_READ_DATA_BLOCK_SIZE: 3669 hci_cc_read_data_block_size(hdev, skb); 3670 break; 3671 3672 case HCI_OP_READ_FLOW_CONTROL_MODE: 3673 hci_cc_read_flow_control_mode(hdev, skb); 3674 break; 3675 3676 case HCI_OP_READ_LOCAL_AMP_INFO: 3677 hci_cc_read_local_amp_info(hdev, skb); 3678 break; 3679 3680 case HCI_OP_READ_CLOCK: 3681 hci_cc_read_clock(hdev, skb); 3682 break; 3683 3684 case HCI_OP_READ_INQ_RSP_TX_POWER: 3685 hci_cc_read_inq_rsp_tx_power(hdev, skb); 3686 break; 3687 3688 case HCI_OP_READ_DEF_ERR_DATA_REPORTING: 3689 hci_cc_read_def_err_data_reporting(hdev, skb); 3690 break; 3691 3692 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING: 3693 hci_cc_write_def_err_data_reporting(hdev, skb); 3694 break; 3695 3696 case HCI_OP_PIN_CODE_REPLY: 3697 hci_cc_pin_code_reply(hdev, skb); 3698 break; 3699 3700 case HCI_OP_PIN_CODE_NEG_REPLY: 3701 hci_cc_pin_code_neg_reply(hdev, skb); 3702 break; 3703 3704 case HCI_OP_READ_LOCAL_OOB_DATA: 3705 hci_cc_read_local_oob_data(hdev, skb); 3706 break; 3707 3708 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 3709 hci_cc_read_local_oob_ext_data(hdev, skb); 3710 break; 3711 3712 case HCI_OP_LE_READ_BUFFER_SIZE: 3713 hci_cc_le_read_buffer_size(hdev, skb); 3714 break; 3715 3716 case HCI_OP_LE_READ_LOCAL_FEATURES: 3717 hci_cc_le_read_local_features(hdev, skb); 3718 break; 3719 3720 case HCI_OP_LE_READ_ADV_TX_POWER: 3721 hci_cc_le_read_adv_tx_power(hdev, skb); 3722 break; 3723 3724 case HCI_OP_USER_CONFIRM_REPLY: 3725 hci_cc_user_confirm_reply(hdev, skb); 3726 break; 3727 3728 case HCI_OP_USER_CONFIRM_NEG_REPLY: 3729 hci_cc_user_confirm_neg_reply(hdev, skb); 3730 break; 3731 3732 case HCI_OP_USER_PASSKEY_REPLY: 3733 hci_cc_user_passkey_reply(hdev, skb); 3734 break; 3735 3736 case HCI_OP_USER_PASSKEY_NEG_REPLY: 3737 hci_cc_user_passkey_neg_reply(hdev, skb); 3738 break; 3739 3740 case HCI_OP_LE_SET_RANDOM_ADDR: 3741 hci_cc_le_set_random_addr(hdev, skb); 3742 break; 3743 3744 case HCI_OP_LE_SET_ADV_ENABLE: 3745 hci_cc_le_set_adv_enable(hdev, skb); 3746 break; 3747 3748 case HCI_OP_LE_SET_SCAN_PARAM: 3749 hci_cc_le_set_scan_param(hdev, skb); 3750 break; 3751 3752 case HCI_OP_LE_SET_SCAN_ENABLE: 3753 hci_cc_le_set_scan_enable(hdev, skb); 3754 break; 3755 3756 case HCI_OP_LE_READ_ACCEPT_LIST_SIZE: 3757 hci_cc_le_read_accept_list_size(hdev, skb); 3758 break; 3759 3760 case HCI_OP_LE_CLEAR_ACCEPT_LIST: 3761 hci_cc_le_clear_accept_list(hdev, skb); 3762 break; 3763 3764 case HCI_OP_LE_ADD_TO_ACCEPT_LIST: 3765 hci_cc_le_add_to_accept_list(hdev, skb); 3766 break; 3767 3768 case HCI_OP_LE_DEL_FROM_ACCEPT_LIST: 3769 hci_cc_le_del_from_accept_list(hdev, skb); 3770 break; 3771 3772 case HCI_OP_LE_READ_SUPPORTED_STATES: 3773 hci_cc_le_read_supported_states(hdev, skb); 3774 break; 3775 3776 case HCI_OP_LE_READ_DEF_DATA_LEN: 3777 hci_cc_le_read_def_data_len(hdev, skb); 3778 break; 3779 3780 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3781 hci_cc_le_write_def_data_len(hdev, skb); 3782 break; 3783 3784 case HCI_OP_LE_ADD_TO_RESOLV_LIST: 3785 hci_cc_le_add_to_resolv_list(hdev, skb); 3786 break; 3787 3788 case HCI_OP_LE_DEL_FROM_RESOLV_LIST: 3789 hci_cc_le_del_from_resolv_list(hdev, skb); 3790 break; 3791 3792 case HCI_OP_LE_CLEAR_RESOLV_LIST: 3793 hci_cc_le_clear_resolv_list(hdev, skb); 3794 break; 3795 3796 case HCI_OP_LE_READ_RESOLV_LIST_SIZE: 3797 hci_cc_le_read_resolv_list_size(hdev, skb); 3798 break; 3799 3800 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE: 3801 hci_cc_le_set_addr_resolution_enable(hdev, skb); 3802 break; 3803 3804 case HCI_OP_LE_READ_MAX_DATA_LEN: 3805 hci_cc_le_read_max_data_len(hdev, skb); 3806 break; 3807 3808 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3809 hci_cc_write_le_host_supported(hdev, skb); 3810 break; 3811 3812 case HCI_OP_LE_SET_ADV_PARAM: 3813 hci_cc_set_adv_param(hdev, skb); 3814 break; 3815 3816 case HCI_OP_READ_RSSI: 3817 hci_cc_read_rssi(hdev, skb); 3818 break; 3819 3820 case HCI_OP_READ_TX_POWER: 3821 hci_cc_read_tx_power(hdev, skb); 3822 break; 3823 3824 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3825 hci_cc_write_ssp_debug_mode(hdev, skb); 3826 break; 3827 3828 case HCI_OP_LE_SET_EXT_SCAN_PARAMS: 3829 hci_cc_le_set_ext_scan_param(hdev, skb); 3830 break; 3831 3832 case HCI_OP_LE_SET_EXT_SCAN_ENABLE: 3833 hci_cc_le_set_ext_scan_enable(hdev, skb); 3834 break; 3835 3836 case HCI_OP_LE_SET_DEFAULT_PHY: 3837 hci_cc_le_set_default_phy(hdev, skb); 3838 break; 3839 3840 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS: 3841 hci_cc_le_read_num_adv_sets(hdev, skb); 3842 break; 3843 3844 case HCI_OP_LE_SET_EXT_ADV_PARAMS: 3845 hci_cc_set_ext_adv_param(hdev, skb); 3846 break; 3847 3848 case HCI_OP_LE_SET_EXT_ADV_ENABLE: 3849 hci_cc_le_set_ext_adv_enable(hdev, skb); 3850 break; 3851 3852 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR: 3853 hci_cc_le_set_adv_set_random_addr(hdev, skb); 3854 break; 3855 3856 case HCI_OP_LE_REMOVE_ADV_SET: 3857 hci_cc_le_remove_adv_set(hdev, skb); 3858 break; 3859 3860 case HCI_OP_LE_CLEAR_ADV_SETS: 3861 hci_cc_le_clear_adv_sets(hdev, skb); 3862 break; 3863 3864 case HCI_OP_LE_READ_TRANSMIT_POWER: 3865 hci_cc_le_read_transmit_power(hdev, skb); 3866 break; 3867 3868 default: 3869 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3870 break; 3871 } 3872 3873 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 3874 3875 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3876 req_complete_skb); 3877 3878 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3879 bt_dev_err(hdev, 3880 "unexpected event for opcode 0x%4.4x", *opcode); 3881 return; 3882 } 3883 3884 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3885 queue_work(hdev->workqueue, &hdev->cmd_work); 3886 } 3887 3888 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3889 u16 *opcode, u8 *status, 3890 hci_req_complete_t *req_complete, 3891 hci_req_complete_skb_t *req_complete_skb) 3892 { 3893 struct hci_ev_cmd_status *ev; 3894 3895 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_CMD_STATUS, sizeof(*ev)); 3896 if (!ev) 3897 return; 3898 3899 *opcode = __le16_to_cpu(ev->opcode); 3900 *status = ev->status; 3901 3902 switch (*opcode) { 3903 case HCI_OP_INQUIRY: 3904 hci_cs_inquiry(hdev, ev->status); 3905 break; 3906 3907 case HCI_OP_CREATE_CONN: 3908 hci_cs_create_conn(hdev, ev->status); 3909 break; 3910 3911 case HCI_OP_DISCONNECT: 3912 hci_cs_disconnect(hdev, ev->status); 3913 break; 3914 3915 case HCI_OP_ADD_SCO: 3916 hci_cs_add_sco(hdev, ev->status); 3917 break; 3918 3919 case HCI_OP_AUTH_REQUESTED: 3920 hci_cs_auth_requested(hdev, ev->status); 3921 break; 3922 3923 case HCI_OP_SET_CONN_ENCRYPT: 3924 hci_cs_set_conn_encrypt(hdev, ev->status); 3925 break; 3926 3927 case HCI_OP_REMOTE_NAME_REQ: 3928 hci_cs_remote_name_req(hdev, ev->status); 3929 break; 3930 3931 case HCI_OP_READ_REMOTE_FEATURES: 3932 hci_cs_read_remote_features(hdev, ev->status); 3933 break; 3934 3935 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3936 hci_cs_read_remote_ext_features(hdev, ev->status); 3937 break; 3938 3939 case HCI_OP_SETUP_SYNC_CONN: 3940 hci_cs_setup_sync_conn(hdev, ev->status); 3941 break; 3942 3943 case HCI_OP_ENHANCED_SETUP_SYNC_CONN: 3944 hci_cs_enhanced_setup_sync_conn(hdev, ev->status); 3945 break; 3946 3947 case HCI_OP_SNIFF_MODE: 3948 hci_cs_sniff_mode(hdev, ev->status); 3949 break; 3950 3951 case HCI_OP_EXIT_SNIFF_MODE: 3952 hci_cs_exit_sniff_mode(hdev, ev->status); 3953 break; 3954 3955 case HCI_OP_SWITCH_ROLE: 3956 hci_cs_switch_role(hdev, ev->status); 3957 break; 3958 3959 case HCI_OP_LE_CREATE_CONN: 3960 hci_cs_le_create_conn(hdev, ev->status); 3961 break; 3962 3963 case HCI_OP_LE_READ_REMOTE_FEATURES: 3964 hci_cs_le_read_remote_features(hdev, ev->status); 3965 break; 3966 3967 case HCI_OP_LE_START_ENC: 3968 hci_cs_le_start_enc(hdev, ev->status); 3969 break; 3970 3971 case HCI_OP_LE_EXT_CREATE_CONN: 3972 hci_cs_le_ext_create_conn(hdev, ev->status); 3973 break; 3974 3975 default: 3976 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3977 break; 3978 } 3979 3980 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 3981 3982 /* Indicate request completion if the command failed. Also, if 3983 * we're not waiting for a special event and we get a success 3984 * command status we should try to flag the request as completed 3985 * (since for this kind of commands there will not be a command 3986 * complete event). 3987 */ 3988 if (ev->status || 3989 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3990 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3991 req_complete_skb); 3992 3993 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3994 bt_dev_err(hdev, 3995 "unexpected event for opcode 0x%4.4x", *opcode); 3996 return; 3997 } 3998 3999 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4000 queue_work(hdev->workqueue, &hdev->cmd_work); 4001 } 4002 4003 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 4004 { 4005 struct hci_ev_hardware_error *ev; 4006 4007 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_HARDWARE_ERROR, sizeof(*ev)); 4008 if (!ev) 4009 return; 4010 4011 hdev->hw_error_code = ev->code; 4012 4013 queue_work(hdev->req_workqueue, &hdev->error_reset); 4014 } 4015 4016 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4017 { 4018 struct hci_ev_role_change *ev; 4019 struct hci_conn *conn; 4020 4021 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_ROLE_CHANGE, sizeof(*ev)); 4022 if (!ev) 4023 return; 4024 4025 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4026 4027 hci_dev_lock(hdev); 4028 4029 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4030 if (conn) { 4031 if (!ev->status) 4032 conn->role = ev->role; 4033 4034 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 4035 4036 hci_role_switch_cfm(conn, ev->status, ev->role); 4037 } 4038 4039 hci_dev_unlock(hdev); 4040 } 4041 4042 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 4043 { 4044 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 4045 int i; 4046 4047 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 4048 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 4049 return; 4050 } 4051 4052 if (skb->len < sizeof(*ev) || 4053 skb->len < struct_size(ev, handles, ev->num_hndl)) { 4054 BT_DBG("%s bad parameters", hdev->name); 4055 return; 4056 } 4057 4058 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 4059 4060 for (i = 0; i < ev->num_hndl; i++) { 4061 struct hci_comp_pkts_info *info = &ev->handles[i]; 4062 struct hci_conn *conn; 4063 __u16 handle, count; 4064 4065 handle = __le16_to_cpu(info->handle); 4066 count = __le16_to_cpu(info->count); 4067 4068 conn = hci_conn_hash_lookup_handle(hdev, handle); 4069 if (!conn) 4070 continue; 4071 4072 conn->sent -= count; 4073 4074 switch (conn->type) { 4075 case ACL_LINK: 4076 hdev->acl_cnt += count; 4077 if (hdev->acl_cnt > hdev->acl_pkts) 4078 hdev->acl_cnt = hdev->acl_pkts; 4079 break; 4080 4081 case LE_LINK: 4082 if (hdev->le_pkts) { 4083 hdev->le_cnt += count; 4084 if (hdev->le_cnt > hdev->le_pkts) 4085 hdev->le_cnt = hdev->le_pkts; 4086 } else { 4087 hdev->acl_cnt += count; 4088 if (hdev->acl_cnt > hdev->acl_pkts) 4089 hdev->acl_cnt = hdev->acl_pkts; 4090 } 4091 break; 4092 4093 case SCO_LINK: 4094 hdev->sco_cnt += count; 4095 if (hdev->sco_cnt > hdev->sco_pkts) 4096 hdev->sco_cnt = hdev->sco_pkts; 4097 break; 4098 4099 default: 4100 bt_dev_err(hdev, "unknown type %d conn %p", 4101 conn->type, conn); 4102 break; 4103 } 4104 } 4105 4106 queue_work(hdev->workqueue, &hdev->tx_work); 4107 } 4108 4109 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 4110 __u16 handle) 4111 { 4112 struct hci_chan *chan; 4113 4114 switch (hdev->dev_type) { 4115 case HCI_PRIMARY: 4116 return hci_conn_hash_lookup_handle(hdev, handle); 4117 case HCI_AMP: 4118 chan = hci_chan_lookup_handle(hdev, handle); 4119 if (chan) 4120 return chan->conn; 4121 break; 4122 default: 4123 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 4124 break; 4125 } 4126 4127 return NULL; 4128 } 4129 4130 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 4131 { 4132 struct hci_ev_num_comp_blocks *ev; 4133 int i; 4134 4135 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS, sizeof(*ev)); 4136 if (!ev) 4137 return; 4138 4139 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS, 4140 flex_array_size(ev, handles, ev->num_hndl))) 4141 return; 4142 4143 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 4144 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 4145 return; 4146 } 4147 4148 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 4149 ev->num_hndl); 4150 4151 for (i = 0; i < ev->num_hndl; i++) { 4152 struct hci_comp_blocks_info *info = &ev->handles[i]; 4153 struct hci_conn *conn = NULL; 4154 __u16 handle, block_count; 4155 4156 handle = __le16_to_cpu(info->handle); 4157 block_count = __le16_to_cpu(info->blocks); 4158 4159 conn = __hci_conn_lookup_handle(hdev, handle); 4160 if (!conn) 4161 continue; 4162 4163 conn->sent -= block_count; 4164 4165 switch (conn->type) { 4166 case ACL_LINK: 4167 case AMP_LINK: 4168 hdev->block_cnt += block_count; 4169 if (hdev->block_cnt > hdev->num_blocks) 4170 hdev->block_cnt = hdev->num_blocks; 4171 break; 4172 4173 default: 4174 bt_dev_err(hdev, "unknown type %d conn %p", 4175 conn->type, conn); 4176 break; 4177 } 4178 } 4179 4180 queue_work(hdev->workqueue, &hdev->tx_work); 4181 } 4182 4183 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4184 { 4185 struct hci_ev_mode_change *ev; 4186 struct hci_conn *conn; 4187 4188 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_MODE_CHANGE, sizeof(*ev)); 4189 if (!ev) 4190 return; 4191 4192 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4193 4194 hci_dev_lock(hdev); 4195 4196 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4197 if (conn) { 4198 conn->mode = ev->mode; 4199 4200 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 4201 &conn->flags)) { 4202 if (conn->mode == HCI_CM_ACTIVE) 4203 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4204 else 4205 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4206 } 4207 4208 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4209 hci_sco_setup(conn, ev->status); 4210 } 4211 4212 hci_dev_unlock(hdev); 4213 } 4214 4215 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4216 { 4217 struct hci_ev_pin_code_req *ev; 4218 struct hci_conn *conn; 4219 4220 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_PIN_CODE_REQ, sizeof(*ev)); 4221 if (!ev) 4222 return; 4223 4224 BT_DBG("%s", hdev->name); 4225 4226 hci_dev_lock(hdev); 4227 4228 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4229 if (!conn) 4230 goto unlock; 4231 4232 if (conn->state == BT_CONNECTED) { 4233 hci_conn_hold(conn); 4234 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4235 hci_conn_drop(conn); 4236 } 4237 4238 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4239 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4240 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4241 sizeof(ev->bdaddr), &ev->bdaddr); 4242 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4243 u8 secure; 4244 4245 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4246 secure = 1; 4247 else 4248 secure = 0; 4249 4250 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4251 } 4252 4253 unlock: 4254 hci_dev_unlock(hdev); 4255 } 4256 4257 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4258 { 4259 if (key_type == HCI_LK_CHANGED_COMBINATION) 4260 return; 4261 4262 conn->pin_length = pin_len; 4263 conn->key_type = key_type; 4264 4265 switch (key_type) { 4266 case HCI_LK_LOCAL_UNIT: 4267 case HCI_LK_REMOTE_UNIT: 4268 case HCI_LK_DEBUG_COMBINATION: 4269 return; 4270 case HCI_LK_COMBINATION: 4271 if (pin_len == 16) 4272 conn->pending_sec_level = BT_SECURITY_HIGH; 4273 else 4274 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4275 break; 4276 case HCI_LK_UNAUTH_COMBINATION_P192: 4277 case HCI_LK_UNAUTH_COMBINATION_P256: 4278 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4279 break; 4280 case HCI_LK_AUTH_COMBINATION_P192: 4281 conn->pending_sec_level = BT_SECURITY_HIGH; 4282 break; 4283 case HCI_LK_AUTH_COMBINATION_P256: 4284 conn->pending_sec_level = BT_SECURITY_FIPS; 4285 break; 4286 } 4287 } 4288 4289 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4290 { 4291 struct hci_ev_link_key_req *ev; 4292 struct hci_cp_link_key_reply cp; 4293 struct hci_conn *conn; 4294 struct link_key *key; 4295 4296 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_LINK_KEY_REQ, sizeof(*ev)); 4297 if (!ev) 4298 return; 4299 4300 BT_DBG("%s", hdev->name); 4301 4302 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4303 return; 4304 4305 hci_dev_lock(hdev); 4306 4307 key = hci_find_link_key(hdev, &ev->bdaddr); 4308 if (!key) { 4309 BT_DBG("%s link key not found for %pMR", hdev->name, 4310 &ev->bdaddr); 4311 goto not_found; 4312 } 4313 4314 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 4315 &ev->bdaddr); 4316 4317 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4318 if (conn) { 4319 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4320 4321 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4322 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4323 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4324 BT_DBG("%s ignoring unauthenticated key", hdev->name); 4325 goto not_found; 4326 } 4327 4328 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4329 (conn->pending_sec_level == BT_SECURITY_HIGH || 4330 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4331 BT_DBG("%s ignoring key unauthenticated for high security", 4332 hdev->name); 4333 goto not_found; 4334 } 4335 4336 conn_set_key(conn, key->type, key->pin_len); 4337 } 4338 4339 bacpy(&cp.bdaddr, &ev->bdaddr); 4340 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4341 4342 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4343 4344 hci_dev_unlock(hdev); 4345 4346 return; 4347 4348 not_found: 4349 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4350 hci_dev_unlock(hdev); 4351 } 4352 4353 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4354 { 4355 struct hci_ev_link_key_notify *ev; 4356 struct hci_conn *conn; 4357 struct link_key *key; 4358 bool persistent; 4359 u8 pin_len = 0; 4360 4361 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_LINK_KEY_NOTIFY, sizeof(*ev)); 4362 if (!ev) 4363 return; 4364 4365 BT_DBG("%s", hdev->name); 4366 4367 hci_dev_lock(hdev); 4368 4369 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4370 if (!conn) 4371 goto unlock; 4372 4373 hci_conn_hold(conn); 4374 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4375 hci_conn_drop(conn); 4376 4377 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4378 conn_set_key(conn, ev->key_type, conn->pin_length); 4379 4380 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4381 goto unlock; 4382 4383 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4384 ev->key_type, pin_len, &persistent); 4385 if (!key) 4386 goto unlock; 4387 4388 /* Update connection information since adding the key will have 4389 * fixed up the type in the case of changed combination keys. 4390 */ 4391 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4392 conn_set_key(conn, key->type, key->pin_len); 4393 4394 mgmt_new_link_key(hdev, key, persistent); 4395 4396 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4397 * is set. If it's not set simply remove the key from the kernel 4398 * list (we've still notified user space about it but with 4399 * store_hint being 0). 4400 */ 4401 if (key->type == HCI_LK_DEBUG_COMBINATION && 4402 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4403 list_del_rcu(&key->list); 4404 kfree_rcu(key, rcu); 4405 goto unlock; 4406 } 4407 4408 if (persistent) 4409 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4410 else 4411 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4412 4413 unlock: 4414 hci_dev_unlock(hdev); 4415 } 4416 4417 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 4418 { 4419 struct hci_ev_clock_offset *ev; 4420 struct hci_conn *conn; 4421 4422 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_CLOCK_OFFSET, sizeof(*ev)); 4423 if (!ev) 4424 return; 4425 4426 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4427 4428 hci_dev_lock(hdev); 4429 4430 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4431 if (conn && !ev->status) { 4432 struct inquiry_entry *ie; 4433 4434 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4435 if (ie) { 4436 ie->data.clock_offset = ev->clock_offset; 4437 ie->timestamp = jiffies; 4438 } 4439 } 4440 4441 hci_dev_unlock(hdev); 4442 } 4443 4444 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4445 { 4446 struct hci_ev_pkt_type_change *ev; 4447 struct hci_conn *conn; 4448 4449 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_PKT_TYPE_CHANGE, sizeof(*ev)); 4450 if (!ev) 4451 return; 4452 4453 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4454 4455 hci_dev_lock(hdev); 4456 4457 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4458 if (conn && !ev->status) 4459 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4460 4461 hci_dev_unlock(hdev); 4462 } 4463 4464 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 4465 { 4466 struct hci_ev_pscan_rep_mode *ev; 4467 struct inquiry_entry *ie; 4468 4469 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_PSCAN_REP_MODE, sizeof(*ev)); 4470 if (!ev) 4471 return; 4472 4473 BT_DBG("%s", hdev->name); 4474 4475 hci_dev_lock(hdev); 4476 4477 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4478 if (ie) { 4479 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4480 ie->timestamp = jiffies; 4481 } 4482 4483 hci_dev_unlock(hdev); 4484 } 4485 4486 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 4487 struct sk_buff *skb) 4488 { 4489 struct inquiry_data data; 4490 int num_rsp = *((__u8 *) skb->data); 4491 4492 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4493 4494 if (!num_rsp) 4495 return; 4496 4497 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4498 return; 4499 4500 hci_dev_lock(hdev); 4501 4502 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 4503 struct inquiry_info_with_rssi_and_pscan_mode *info; 4504 info = (void *) (skb->data + 1); 4505 4506 if (skb->len < num_rsp * sizeof(*info) + 1) 4507 goto unlock; 4508 4509 for (; num_rsp; num_rsp--, info++) { 4510 u32 flags; 4511 4512 bacpy(&data.bdaddr, &info->bdaddr); 4513 data.pscan_rep_mode = info->pscan_rep_mode; 4514 data.pscan_period_mode = info->pscan_period_mode; 4515 data.pscan_mode = info->pscan_mode; 4516 memcpy(data.dev_class, info->dev_class, 3); 4517 data.clock_offset = info->clock_offset; 4518 data.rssi = info->rssi; 4519 data.ssp_mode = 0x00; 4520 4521 flags = hci_inquiry_cache_update(hdev, &data, false); 4522 4523 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4524 info->dev_class, info->rssi, 4525 flags, NULL, 0, NULL, 0); 4526 } 4527 } else { 4528 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 4529 4530 if (skb->len < num_rsp * sizeof(*info) + 1) 4531 goto unlock; 4532 4533 for (; num_rsp; num_rsp--, info++) { 4534 u32 flags; 4535 4536 bacpy(&data.bdaddr, &info->bdaddr); 4537 data.pscan_rep_mode = info->pscan_rep_mode; 4538 data.pscan_period_mode = info->pscan_period_mode; 4539 data.pscan_mode = 0x00; 4540 memcpy(data.dev_class, info->dev_class, 3); 4541 data.clock_offset = info->clock_offset; 4542 data.rssi = info->rssi; 4543 data.ssp_mode = 0x00; 4544 4545 flags = hci_inquiry_cache_update(hdev, &data, false); 4546 4547 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4548 info->dev_class, info->rssi, 4549 flags, NULL, 0, NULL, 0); 4550 } 4551 } 4552 4553 unlock: 4554 hci_dev_unlock(hdev); 4555 } 4556 4557 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 4558 struct sk_buff *skb) 4559 { 4560 struct hci_ev_remote_ext_features *ev; 4561 struct hci_conn *conn; 4562 4563 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_REMOTE_EXT_FEATURES, 4564 sizeof(*ev)); 4565 if (!ev) 4566 return; 4567 4568 BT_DBG("%s", hdev->name); 4569 4570 hci_dev_lock(hdev); 4571 4572 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4573 if (!conn) 4574 goto unlock; 4575 4576 if (ev->page < HCI_MAX_PAGES) 4577 memcpy(conn->features[ev->page], ev->features, 8); 4578 4579 if (!ev->status && ev->page == 0x01) { 4580 struct inquiry_entry *ie; 4581 4582 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4583 if (ie) 4584 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4585 4586 if (ev->features[0] & LMP_HOST_SSP) { 4587 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4588 } else { 4589 /* It is mandatory by the Bluetooth specification that 4590 * Extended Inquiry Results are only used when Secure 4591 * Simple Pairing is enabled, but some devices violate 4592 * this. 4593 * 4594 * To make these devices work, the internal SSP 4595 * enabled flag needs to be cleared if the remote host 4596 * features do not indicate SSP support */ 4597 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4598 } 4599 4600 if (ev->features[0] & LMP_HOST_SC) 4601 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4602 } 4603 4604 if (conn->state != BT_CONFIG) 4605 goto unlock; 4606 4607 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4608 struct hci_cp_remote_name_req cp; 4609 memset(&cp, 0, sizeof(cp)); 4610 bacpy(&cp.bdaddr, &conn->dst); 4611 cp.pscan_rep_mode = 0x02; 4612 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4613 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4614 mgmt_device_connected(hdev, conn, NULL, 0); 4615 4616 if (!hci_outgoing_auth_needed(hdev, conn)) { 4617 conn->state = BT_CONNECTED; 4618 hci_connect_cfm(conn, ev->status); 4619 hci_conn_drop(conn); 4620 } 4621 4622 unlock: 4623 hci_dev_unlock(hdev); 4624 } 4625 4626 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 4627 struct sk_buff *skb) 4628 { 4629 struct hci_ev_sync_conn_complete *ev; 4630 struct hci_conn *conn; 4631 4632 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_SYNC_CONN_COMPLETE, sizeof(*ev)); 4633 if (!ev) 4634 return; 4635 4636 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4637 4638 hci_dev_lock(hdev); 4639 4640 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4641 if (!conn) { 4642 if (ev->link_type == ESCO_LINK) 4643 goto unlock; 4644 4645 /* When the link type in the event indicates SCO connection 4646 * and lookup of the connection object fails, then check 4647 * if an eSCO connection object exists. 4648 * 4649 * The core limits the synchronous connections to either 4650 * SCO or eSCO. The eSCO connection is preferred and tried 4651 * to be setup first and until successfully established, 4652 * the link type will be hinted as eSCO. 4653 */ 4654 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4655 if (!conn) 4656 goto unlock; 4657 } 4658 4659 switch (ev->status) { 4660 case 0x00: 4661 /* The synchronous connection complete event should only be 4662 * sent once per new connection. Receiving a successful 4663 * complete event when the connection status is already 4664 * BT_CONNECTED means that the device is misbehaving and sent 4665 * multiple complete event packets for the same new connection. 4666 * 4667 * Registering the device more than once can corrupt kernel 4668 * memory, hence upon detecting this invalid event, we report 4669 * an error and ignore the packet. 4670 */ 4671 if (conn->state == BT_CONNECTED) { 4672 bt_dev_err(hdev, "Ignoring connect complete event for existing connection"); 4673 goto unlock; 4674 } 4675 4676 conn->handle = __le16_to_cpu(ev->handle); 4677 conn->state = BT_CONNECTED; 4678 conn->type = ev->link_type; 4679 4680 hci_debugfs_create_conn(conn); 4681 hci_conn_add_sysfs(conn); 4682 break; 4683 4684 case 0x10: /* Connection Accept Timeout */ 4685 case 0x0d: /* Connection Rejected due to Limited Resources */ 4686 case 0x11: /* Unsupported Feature or Parameter Value */ 4687 case 0x1c: /* SCO interval rejected */ 4688 case 0x1a: /* Unsupported Remote Feature */ 4689 case 0x1e: /* Invalid LMP Parameters */ 4690 case 0x1f: /* Unspecified error */ 4691 case 0x20: /* Unsupported LMP Parameter value */ 4692 if (conn->out) { 4693 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4694 (hdev->esco_type & EDR_ESCO_MASK); 4695 if (hci_setup_sync(conn, conn->link->handle)) 4696 goto unlock; 4697 } 4698 fallthrough; 4699 4700 default: 4701 conn->state = BT_CLOSED; 4702 break; 4703 } 4704 4705 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 4706 /* Notify only in case of SCO over HCI transport data path which 4707 * is zero and non-zero value shall be non-HCI transport data path 4708 */ 4709 if (conn->codec.data_path == 0 && hdev->notify) { 4710 switch (ev->air_mode) { 4711 case 0x02: 4712 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 4713 break; 4714 case 0x03: 4715 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 4716 break; 4717 } 4718 } 4719 4720 hci_connect_cfm(conn, ev->status); 4721 if (ev->status) 4722 hci_conn_del(conn); 4723 4724 unlock: 4725 hci_dev_unlock(hdev); 4726 } 4727 4728 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 4729 { 4730 size_t parsed = 0; 4731 4732 while (parsed < eir_len) { 4733 u8 field_len = eir[0]; 4734 4735 if (field_len == 0) 4736 return parsed; 4737 4738 parsed += field_len + 1; 4739 eir += field_len + 1; 4740 } 4741 4742 return eir_len; 4743 } 4744 4745 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 4746 struct sk_buff *skb) 4747 { 4748 struct inquiry_data data; 4749 struct extended_inquiry_info *info = (void *) (skb->data + 1); 4750 int num_rsp = *((__u8 *) skb->data); 4751 size_t eir_len; 4752 4753 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4754 4755 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) 4756 return; 4757 4758 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4759 return; 4760 4761 hci_dev_lock(hdev); 4762 4763 for (; num_rsp; num_rsp--, info++) { 4764 u32 flags; 4765 bool name_known; 4766 4767 bacpy(&data.bdaddr, &info->bdaddr); 4768 data.pscan_rep_mode = info->pscan_rep_mode; 4769 data.pscan_period_mode = info->pscan_period_mode; 4770 data.pscan_mode = 0x00; 4771 memcpy(data.dev_class, info->dev_class, 3); 4772 data.clock_offset = info->clock_offset; 4773 data.rssi = info->rssi; 4774 data.ssp_mode = 0x01; 4775 4776 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4777 name_known = eir_get_data(info->data, 4778 sizeof(info->data), 4779 EIR_NAME_COMPLETE, NULL); 4780 else 4781 name_known = true; 4782 4783 flags = hci_inquiry_cache_update(hdev, &data, name_known); 4784 4785 eir_len = eir_get_length(info->data, sizeof(info->data)); 4786 4787 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4788 info->dev_class, info->rssi, 4789 flags, info->data, eir_len, NULL, 0); 4790 } 4791 4792 hci_dev_unlock(hdev); 4793 } 4794 4795 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 4796 struct sk_buff *skb) 4797 { 4798 struct hci_ev_key_refresh_complete *ev; 4799 struct hci_conn *conn; 4800 4801 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_KEY_REFRESH_COMPLETE, 4802 sizeof(*ev)); 4803 if (!ev) 4804 return; 4805 4806 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 4807 __le16_to_cpu(ev->handle)); 4808 4809 hci_dev_lock(hdev); 4810 4811 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4812 if (!conn) 4813 goto unlock; 4814 4815 /* For BR/EDR the necessary steps are taken through the 4816 * auth_complete event. 4817 */ 4818 if (conn->type != LE_LINK) 4819 goto unlock; 4820 4821 if (!ev->status) 4822 conn->sec_level = conn->pending_sec_level; 4823 4824 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 4825 4826 if (ev->status && conn->state == BT_CONNECTED) { 4827 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4828 hci_conn_drop(conn); 4829 goto unlock; 4830 } 4831 4832 if (conn->state == BT_CONFIG) { 4833 if (!ev->status) 4834 conn->state = BT_CONNECTED; 4835 4836 hci_connect_cfm(conn, ev->status); 4837 hci_conn_drop(conn); 4838 } else { 4839 hci_auth_cfm(conn, ev->status); 4840 4841 hci_conn_hold(conn); 4842 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4843 hci_conn_drop(conn); 4844 } 4845 4846 unlock: 4847 hci_dev_unlock(hdev); 4848 } 4849 4850 static u8 hci_get_auth_req(struct hci_conn *conn) 4851 { 4852 /* If remote requests no-bonding follow that lead */ 4853 if (conn->remote_auth == HCI_AT_NO_BONDING || 4854 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 4855 return conn->remote_auth | (conn->auth_type & 0x01); 4856 4857 /* If both remote and local have enough IO capabilities, require 4858 * MITM protection 4859 */ 4860 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 4861 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 4862 return conn->remote_auth | 0x01; 4863 4864 /* No MITM protection possible so ignore remote requirement */ 4865 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 4866 } 4867 4868 static u8 bredr_oob_data_present(struct hci_conn *conn) 4869 { 4870 struct hci_dev *hdev = conn->hdev; 4871 struct oob_data *data; 4872 4873 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 4874 if (!data) 4875 return 0x00; 4876 4877 if (bredr_sc_enabled(hdev)) { 4878 /* When Secure Connections is enabled, then just 4879 * return the present value stored with the OOB 4880 * data. The stored value contains the right present 4881 * information. However it can only be trusted when 4882 * not in Secure Connection Only mode. 4883 */ 4884 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 4885 return data->present; 4886 4887 /* When Secure Connections Only mode is enabled, then 4888 * the P-256 values are required. If they are not 4889 * available, then do not declare that OOB data is 4890 * present. 4891 */ 4892 if (!memcmp(data->rand256, ZERO_KEY, 16) || 4893 !memcmp(data->hash256, ZERO_KEY, 16)) 4894 return 0x00; 4895 4896 return 0x02; 4897 } 4898 4899 /* When Secure Connections is not enabled or actually 4900 * not supported by the hardware, then check that if 4901 * P-192 data values are present. 4902 */ 4903 if (!memcmp(data->rand192, ZERO_KEY, 16) || 4904 !memcmp(data->hash192, ZERO_KEY, 16)) 4905 return 0x00; 4906 4907 return 0x01; 4908 } 4909 4910 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4911 { 4912 struct hci_ev_io_capa_request *ev; 4913 struct hci_conn *conn; 4914 4915 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_IO_CAPA_REQUEST, sizeof(*ev)); 4916 if (!ev) 4917 return; 4918 4919 BT_DBG("%s", hdev->name); 4920 4921 hci_dev_lock(hdev); 4922 4923 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4924 if (!conn) 4925 goto unlock; 4926 4927 hci_conn_hold(conn); 4928 4929 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4930 goto unlock; 4931 4932 /* Allow pairing if we're pairable, the initiators of the 4933 * pairing or if the remote is not requesting bonding. 4934 */ 4935 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4936 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4937 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4938 struct hci_cp_io_capability_reply cp; 4939 4940 bacpy(&cp.bdaddr, &ev->bdaddr); 4941 /* Change the IO capability from KeyboardDisplay 4942 * to DisplayYesNo as it is not supported by BT spec. */ 4943 cp.capability = (conn->io_capability == 0x04) ? 4944 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4945 4946 /* If we are initiators, there is no remote information yet */ 4947 if (conn->remote_auth == 0xff) { 4948 /* Request MITM protection if our IO caps allow it 4949 * except for the no-bonding case. 4950 */ 4951 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4952 conn->auth_type != HCI_AT_NO_BONDING) 4953 conn->auth_type |= 0x01; 4954 } else { 4955 conn->auth_type = hci_get_auth_req(conn); 4956 } 4957 4958 /* If we're not bondable, force one of the non-bondable 4959 * authentication requirement values. 4960 */ 4961 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4962 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4963 4964 cp.authentication = conn->auth_type; 4965 cp.oob_data = bredr_oob_data_present(conn); 4966 4967 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4968 sizeof(cp), &cp); 4969 } else { 4970 struct hci_cp_io_capability_neg_reply cp; 4971 4972 bacpy(&cp.bdaddr, &ev->bdaddr); 4973 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4974 4975 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4976 sizeof(cp), &cp); 4977 } 4978 4979 unlock: 4980 hci_dev_unlock(hdev); 4981 } 4982 4983 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4984 { 4985 struct hci_ev_io_capa_reply *ev; 4986 struct hci_conn *conn; 4987 4988 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_IO_CAPA_REPLY, sizeof(*ev)); 4989 if (!ev) 4990 return; 4991 4992 BT_DBG("%s", hdev->name); 4993 4994 hci_dev_lock(hdev); 4995 4996 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4997 if (!conn) 4998 goto unlock; 4999 5000 conn->remote_cap = ev->capability; 5001 conn->remote_auth = ev->authentication; 5002 5003 unlock: 5004 hci_dev_unlock(hdev); 5005 } 5006 5007 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 5008 struct sk_buff *skb) 5009 { 5010 struct hci_ev_user_confirm_req *ev; 5011 int loc_mitm, rem_mitm, confirm_hint = 0; 5012 struct hci_conn *conn; 5013 5014 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_USER_CONFIRM_REQUEST, 5015 sizeof(*ev)); 5016 if (!ev) 5017 return; 5018 5019 BT_DBG("%s", hdev->name); 5020 5021 hci_dev_lock(hdev); 5022 5023 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5024 goto unlock; 5025 5026 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5027 if (!conn) 5028 goto unlock; 5029 5030 loc_mitm = (conn->auth_type & 0x01); 5031 rem_mitm = (conn->remote_auth & 0x01); 5032 5033 /* If we require MITM but the remote device can't provide that 5034 * (it has NoInputNoOutput) then reject the confirmation 5035 * request. We check the security level here since it doesn't 5036 * necessarily match conn->auth_type. 5037 */ 5038 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5039 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5040 BT_DBG("Rejecting request: remote device can't provide MITM"); 5041 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5042 sizeof(ev->bdaddr), &ev->bdaddr); 5043 goto unlock; 5044 } 5045 5046 /* If no side requires MITM protection; auto-accept */ 5047 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5048 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5049 5050 /* If we're not the initiators request authorization to 5051 * proceed from user space (mgmt_user_confirm with 5052 * confirm_hint set to 1). The exception is if neither 5053 * side had MITM or if the local IO capability is 5054 * NoInputNoOutput, in which case we do auto-accept 5055 */ 5056 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5057 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5058 (loc_mitm || rem_mitm)) { 5059 BT_DBG("Confirming auto-accept as acceptor"); 5060 confirm_hint = 1; 5061 goto confirm; 5062 } 5063 5064 /* If there already exists link key in local host, leave the 5065 * decision to user space since the remote device could be 5066 * legitimate or malicious. 5067 */ 5068 if (hci_find_link_key(hdev, &ev->bdaddr)) { 5069 bt_dev_dbg(hdev, "Local host already has link key"); 5070 confirm_hint = 1; 5071 goto confirm; 5072 } 5073 5074 BT_DBG("Auto-accept of user confirmation with %ums delay", 5075 hdev->auto_accept_delay); 5076 5077 if (hdev->auto_accept_delay > 0) { 5078 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 5079 queue_delayed_work(conn->hdev->workqueue, 5080 &conn->auto_accept_work, delay); 5081 goto unlock; 5082 } 5083 5084 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 5085 sizeof(ev->bdaddr), &ev->bdaddr); 5086 goto unlock; 5087 } 5088 5089 confirm: 5090 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 5091 le32_to_cpu(ev->passkey), confirm_hint); 5092 5093 unlock: 5094 hci_dev_unlock(hdev); 5095 } 5096 5097 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 5098 struct sk_buff *skb) 5099 { 5100 struct hci_ev_user_passkey_req *ev; 5101 5102 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_USER_PASSKEY_REQUEST, 5103 sizeof(*ev)); 5104 if (!ev) 5105 return; 5106 5107 BT_DBG("%s", hdev->name); 5108 5109 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5110 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 5111 } 5112 5113 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 5114 struct sk_buff *skb) 5115 { 5116 struct hci_ev_user_passkey_notify *ev; 5117 struct hci_conn *conn; 5118 5119 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_USER_PASSKEY_NOTIFY, 5120 sizeof(*ev)); 5121 if (!ev) 5122 return; 5123 5124 BT_DBG("%s", hdev->name); 5125 5126 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5127 if (!conn) 5128 return; 5129 5130 conn->passkey_notify = __le32_to_cpu(ev->passkey); 5131 conn->passkey_entered = 0; 5132 5133 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5134 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5135 conn->dst_type, conn->passkey_notify, 5136 conn->passkey_entered); 5137 } 5138 5139 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 5140 { 5141 struct hci_ev_keypress_notify *ev; 5142 struct hci_conn *conn; 5143 5144 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_KEYPRESS_NOTIFY, sizeof(*ev)); 5145 if (!ev) 5146 return; 5147 5148 BT_DBG("%s", hdev->name); 5149 5150 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5151 if (!conn) 5152 return; 5153 5154 switch (ev->type) { 5155 case HCI_KEYPRESS_STARTED: 5156 conn->passkey_entered = 0; 5157 return; 5158 5159 case HCI_KEYPRESS_ENTERED: 5160 conn->passkey_entered++; 5161 break; 5162 5163 case HCI_KEYPRESS_ERASED: 5164 conn->passkey_entered--; 5165 break; 5166 5167 case HCI_KEYPRESS_CLEARED: 5168 conn->passkey_entered = 0; 5169 break; 5170 5171 case HCI_KEYPRESS_COMPLETED: 5172 return; 5173 } 5174 5175 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5176 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5177 conn->dst_type, conn->passkey_notify, 5178 conn->passkey_entered); 5179 } 5180 5181 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 5182 struct sk_buff *skb) 5183 { 5184 struct hci_ev_simple_pair_complete *ev; 5185 struct hci_conn *conn; 5186 5187 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_SIMPLE_PAIR_COMPLETE, 5188 sizeof(*ev)); 5189 if (!ev) 5190 return; 5191 5192 BT_DBG("%s", hdev->name); 5193 5194 hci_dev_lock(hdev); 5195 5196 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5197 if (!conn) 5198 goto unlock; 5199 5200 /* Reset the authentication requirement to unknown */ 5201 conn->remote_auth = 0xff; 5202 5203 /* To avoid duplicate auth_failed events to user space we check 5204 * the HCI_CONN_AUTH_PEND flag which will be set if we 5205 * initiated the authentication. A traditional auth_complete 5206 * event gets always produced as initiator and is also mapped to 5207 * the mgmt_auth_failed event */ 5208 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5209 mgmt_auth_failed(conn, ev->status); 5210 5211 hci_conn_drop(conn); 5212 5213 unlock: 5214 hci_dev_unlock(hdev); 5215 } 5216 5217 static void hci_remote_host_features_evt(struct hci_dev *hdev, 5218 struct sk_buff *skb) 5219 { 5220 struct hci_ev_remote_host_features *ev; 5221 struct inquiry_entry *ie; 5222 struct hci_conn *conn; 5223 5224 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_REMOTE_HOST_FEATURES, 5225 sizeof(*ev)); 5226 if (!ev) 5227 return; 5228 5229 BT_DBG("%s", hdev->name); 5230 5231 hci_dev_lock(hdev); 5232 5233 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5234 if (conn) 5235 memcpy(conn->features[1], ev->features, 8); 5236 5237 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5238 if (ie) 5239 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5240 5241 hci_dev_unlock(hdev); 5242 } 5243 5244 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 5245 struct sk_buff *skb) 5246 { 5247 struct hci_ev_remote_oob_data_request *ev; 5248 struct oob_data *data; 5249 5250 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_REMOTE_OOB_DATA_REQUEST, 5251 sizeof(*ev)); 5252 if (!ev) 5253 return; 5254 5255 BT_DBG("%s", hdev->name); 5256 5257 hci_dev_lock(hdev); 5258 5259 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5260 goto unlock; 5261 5262 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5263 if (!data) { 5264 struct hci_cp_remote_oob_data_neg_reply cp; 5265 5266 bacpy(&cp.bdaddr, &ev->bdaddr); 5267 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5268 sizeof(cp), &cp); 5269 goto unlock; 5270 } 5271 5272 if (bredr_sc_enabled(hdev)) { 5273 struct hci_cp_remote_oob_ext_data_reply cp; 5274 5275 bacpy(&cp.bdaddr, &ev->bdaddr); 5276 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5277 memset(cp.hash192, 0, sizeof(cp.hash192)); 5278 memset(cp.rand192, 0, sizeof(cp.rand192)); 5279 } else { 5280 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5281 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5282 } 5283 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 5284 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5285 5286 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5287 sizeof(cp), &cp); 5288 } else { 5289 struct hci_cp_remote_oob_data_reply cp; 5290 5291 bacpy(&cp.bdaddr, &ev->bdaddr); 5292 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5293 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5294 5295 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5296 sizeof(cp), &cp); 5297 } 5298 5299 unlock: 5300 hci_dev_unlock(hdev); 5301 } 5302 5303 #if IS_ENABLED(CONFIG_BT_HS) 5304 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 5305 { 5306 struct hci_ev_channel_selected *ev; 5307 struct hci_conn *hcon; 5308 5309 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_CHANNEL_SELECTED, sizeof(*ev)); 5310 if (!ev) 5311 return; 5312 5313 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 5314 5315 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5316 if (!hcon) 5317 return; 5318 5319 amp_read_loc_assoc_final_data(hdev, hcon); 5320 } 5321 5322 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 5323 struct sk_buff *skb) 5324 { 5325 struct hci_ev_phy_link_complete *ev; 5326 struct hci_conn *hcon, *bredr_hcon; 5327 5328 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_PHY_LINK_COMPLETE, sizeof(*ev)); 5329 if (!ev) 5330 return; 5331 5332 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 5333 ev->status); 5334 5335 hci_dev_lock(hdev); 5336 5337 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5338 if (!hcon) 5339 goto unlock; 5340 5341 if (!hcon->amp_mgr) 5342 goto unlock; 5343 5344 if (ev->status) { 5345 hci_conn_del(hcon); 5346 goto unlock; 5347 } 5348 5349 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 5350 5351 hcon->state = BT_CONNECTED; 5352 bacpy(&hcon->dst, &bredr_hcon->dst); 5353 5354 hci_conn_hold(hcon); 5355 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 5356 hci_conn_drop(hcon); 5357 5358 hci_debugfs_create_conn(hcon); 5359 hci_conn_add_sysfs(hcon); 5360 5361 amp_physical_cfm(bredr_hcon, hcon); 5362 5363 unlock: 5364 hci_dev_unlock(hdev); 5365 } 5366 5367 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 5368 { 5369 struct hci_ev_logical_link_complete *ev; 5370 struct hci_conn *hcon; 5371 struct hci_chan *hchan; 5372 struct amp_mgr *mgr; 5373 5374 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_LOGICAL_LINK_COMPLETE, 5375 sizeof(*ev)); 5376 if (!ev) 5377 return; 5378 5379 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 5380 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 5381 ev->status); 5382 5383 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5384 if (!hcon) 5385 return; 5386 5387 /* Create AMP hchan */ 5388 hchan = hci_chan_create(hcon); 5389 if (!hchan) 5390 return; 5391 5392 hchan->handle = le16_to_cpu(ev->handle); 5393 hchan->amp = true; 5394 5395 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 5396 5397 mgr = hcon->amp_mgr; 5398 if (mgr && mgr->bredr_chan) { 5399 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 5400 5401 l2cap_chan_lock(bredr_chan); 5402 5403 bredr_chan->conn->mtu = hdev->block_mtu; 5404 l2cap_logical_cfm(bredr_chan, hchan, 0); 5405 hci_conn_hold(hcon); 5406 5407 l2cap_chan_unlock(bredr_chan); 5408 } 5409 } 5410 5411 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 5412 struct sk_buff *skb) 5413 { 5414 struct hci_ev_disconn_logical_link_complete *ev; 5415 struct hci_chan *hchan; 5416 5417 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE, 5418 sizeof(*ev)); 5419 if (!ev) 5420 return; 5421 5422 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 5423 le16_to_cpu(ev->handle), ev->status); 5424 5425 if (ev->status) 5426 return; 5427 5428 hci_dev_lock(hdev); 5429 5430 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 5431 if (!hchan || !hchan->amp) 5432 goto unlock; 5433 5434 amp_destroy_logical_link(hchan, ev->reason); 5435 5436 unlock: 5437 hci_dev_unlock(hdev); 5438 } 5439 5440 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 5441 struct sk_buff *skb) 5442 { 5443 struct hci_ev_disconn_phy_link_complete *ev; 5444 struct hci_conn *hcon; 5445 5446 ev = hci_ev_skb_pull(hdev, skb, HCI_EV_DISCONN_PHY_LINK_COMPLETE, 5447 sizeof(*ev)); 5448 if (!ev) 5449 return; 5450 5451 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5452 5453 if (ev->status) 5454 return; 5455 5456 hci_dev_lock(hdev); 5457 5458 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5459 if (hcon) { 5460 hcon->state = BT_CLOSED; 5461 hci_conn_del(hcon); 5462 } 5463 5464 hci_dev_unlock(hdev); 5465 } 5466 #endif 5467 5468 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5469 u8 bdaddr_type, bdaddr_t *local_rpa) 5470 { 5471 if (conn->out) { 5472 conn->dst_type = bdaddr_type; 5473 conn->resp_addr_type = bdaddr_type; 5474 bacpy(&conn->resp_addr, bdaddr); 5475 5476 /* Check if the controller has set a Local RPA then it must be 5477 * used instead or hdev->rpa. 5478 */ 5479 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5480 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5481 bacpy(&conn->init_addr, local_rpa); 5482 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5483 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5484 bacpy(&conn->init_addr, &conn->hdev->rpa); 5485 } else { 5486 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5487 &conn->init_addr_type); 5488 } 5489 } else { 5490 conn->resp_addr_type = conn->hdev->adv_addr_type; 5491 /* Check if the controller has set a Local RPA then it must be 5492 * used instead or hdev->rpa. 5493 */ 5494 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5495 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5496 bacpy(&conn->resp_addr, local_rpa); 5497 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5498 /* In case of ext adv, resp_addr will be updated in 5499 * Adv Terminated event. 5500 */ 5501 if (!ext_adv_capable(conn->hdev)) 5502 bacpy(&conn->resp_addr, 5503 &conn->hdev->random_addr); 5504 } else { 5505 bacpy(&conn->resp_addr, &conn->hdev->bdaddr); 5506 } 5507 5508 conn->init_addr_type = bdaddr_type; 5509 bacpy(&conn->init_addr, bdaddr); 5510 5511 /* For incoming connections, set the default minimum 5512 * and maximum connection interval. They will be used 5513 * to check if the parameters are in range and if not 5514 * trigger the connection update procedure. 5515 */ 5516 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval; 5517 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval; 5518 } 5519 } 5520 5521 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5522 bdaddr_t *bdaddr, u8 bdaddr_type, 5523 bdaddr_t *local_rpa, u8 role, u16 handle, 5524 u16 interval, u16 latency, 5525 u16 supervision_timeout) 5526 { 5527 struct hci_conn_params *params; 5528 struct hci_conn *conn; 5529 struct smp_irk *irk; 5530 u8 addr_type; 5531 5532 hci_dev_lock(hdev); 5533 5534 /* All controllers implicitly stop advertising in the event of a 5535 * connection, so ensure that the state bit is cleared. 5536 */ 5537 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5538 5539 conn = hci_lookup_le_connect(hdev); 5540 if (!conn) { 5541 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5542 if (!conn) { 5543 bt_dev_err(hdev, "no memory for new connection"); 5544 goto unlock; 5545 } 5546 5547 conn->dst_type = bdaddr_type; 5548 5549 /* If we didn't have a hci_conn object previously 5550 * but we're in central role this must be something 5551 * initiated using an accept list. Since accept list based 5552 * connections are not "first class citizens" we don't 5553 * have full tracking of them. Therefore, we go ahead 5554 * with a "best effort" approach of determining the 5555 * initiator address based on the HCI_PRIVACY flag. 5556 */ 5557 if (conn->out) { 5558 conn->resp_addr_type = bdaddr_type; 5559 bacpy(&conn->resp_addr, bdaddr); 5560 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5561 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5562 bacpy(&conn->init_addr, &hdev->rpa); 5563 } else { 5564 hci_copy_identity_address(hdev, 5565 &conn->init_addr, 5566 &conn->init_addr_type); 5567 } 5568 } 5569 } else { 5570 cancel_delayed_work(&conn->le_conn_timeout); 5571 } 5572 5573 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa); 5574 5575 /* Lookup the identity address from the stored connection 5576 * address and address type. 5577 * 5578 * When establishing connections to an identity address, the 5579 * connection procedure will store the resolvable random 5580 * address first. Now if it can be converted back into the 5581 * identity address, start using the identity address from 5582 * now on. 5583 */ 5584 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5585 if (irk) { 5586 bacpy(&conn->dst, &irk->bdaddr); 5587 conn->dst_type = irk->addr_type; 5588 } 5589 5590 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL); 5591 5592 if (status) { 5593 hci_le_conn_failed(conn, status); 5594 goto unlock; 5595 } 5596 5597 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5598 addr_type = BDADDR_LE_PUBLIC; 5599 else 5600 addr_type = BDADDR_LE_RANDOM; 5601 5602 /* Drop the connection if the device is blocked */ 5603 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) { 5604 hci_conn_drop(conn); 5605 goto unlock; 5606 } 5607 5608 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5609 mgmt_device_connected(hdev, conn, NULL, 0); 5610 5611 conn->sec_level = BT_SECURITY_LOW; 5612 conn->handle = handle; 5613 conn->state = BT_CONFIG; 5614 5615 /* Store current advertising instance as connection advertising instance 5616 * when sotfware rotation is in use so it can be re-enabled when 5617 * disconnected. 5618 */ 5619 if (!ext_adv_capable(hdev)) 5620 conn->adv_instance = hdev->cur_adv_instance; 5621 5622 conn->le_conn_interval = interval; 5623 conn->le_conn_latency = latency; 5624 conn->le_supv_timeout = supervision_timeout; 5625 5626 hci_debugfs_create_conn(conn); 5627 hci_conn_add_sysfs(conn); 5628 5629 /* The remote features procedure is defined for central 5630 * role only. So only in case of an initiated connection 5631 * request the remote features. 5632 * 5633 * If the local controller supports peripheral-initiated features 5634 * exchange, then requesting the remote features in peripheral 5635 * role is possible. Otherwise just transition into the 5636 * connected state without requesting the remote features. 5637 */ 5638 if (conn->out || 5639 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) { 5640 struct hci_cp_le_read_remote_features cp; 5641 5642 cp.handle = __cpu_to_le16(conn->handle); 5643 5644 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5645 sizeof(cp), &cp); 5646 5647 hci_conn_hold(conn); 5648 } else { 5649 conn->state = BT_CONNECTED; 5650 hci_connect_cfm(conn, status); 5651 } 5652 5653 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5654 conn->dst_type); 5655 if (params) { 5656 list_del_init(¶ms->action); 5657 if (params->conn) { 5658 hci_conn_drop(params->conn); 5659 hci_conn_put(params->conn); 5660 params->conn = NULL; 5661 } 5662 } 5663 5664 unlock: 5665 hci_update_passive_scan(hdev); 5666 hci_dev_unlock(hdev); 5667 } 5668 5669 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 5670 { 5671 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 5672 5673 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5674 5675 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5676 NULL, ev->role, le16_to_cpu(ev->handle), 5677 le16_to_cpu(ev->interval), 5678 le16_to_cpu(ev->latency), 5679 le16_to_cpu(ev->supervision_timeout)); 5680 } 5681 5682 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, 5683 struct sk_buff *skb) 5684 { 5685 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data; 5686 5687 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5688 5689 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5690 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle), 5691 le16_to_cpu(ev->interval), 5692 le16_to_cpu(ev->latency), 5693 le16_to_cpu(ev->supervision_timeout)); 5694 } 5695 5696 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) 5697 { 5698 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data; 5699 struct hci_conn *conn; 5700 struct adv_info *adv, *n; 5701 5702 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5703 5704 adv = hci_find_adv_instance(hdev, ev->handle); 5705 5706 /* The Bluetooth Core 5.3 specification clearly states that this event 5707 * shall not be sent when the Host disables the advertising set. So in 5708 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event. 5709 * 5710 * When the Host disables an advertising set, all cleanup is done via 5711 * its command callback and not needed to be duplicated here. 5712 */ 5713 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) { 5714 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event"); 5715 return; 5716 } 5717 5718 if (ev->status) { 5719 if (!adv) 5720 return; 5721 5722 /* Remove advertising as it has been terminated */ 5723 hci_remove_adv_instance(hdev, ev->handle); 5724 mgmt_advertising_removed(NULL, hdev, ev->handle); 5725 5726 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 5727 if (adv->enabled) 5728 return; 5729 } 5730 5731 /* We are no longer advertising, clear HCI_LE_ADV */ 5732 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5733 return; 5734 } 5735 5736 if (adv) 5737 adv->enabled = false; 5738 5739 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5740 if (conn) { 5741 /* Store handle in the connection so the correct advertising 5742 * instance can be re-enabled when disconnected. 5743 */ 5744 conn->adv_instance = ev->handle; 5745 5746 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM || 5747 bacmp(&conn->resp_addr, BDADDR_ANY)) 5748 return; 5749 5750 if (!ev->handle) { 5751 bacpy(&conn->resp_addr, &hdev->random_addr); 5752 return; 5753 } 5754 5755 if (adv) 5756 bacpy(&conn->resp_addr, &adv->random_addr); 5757 } 5758 } 5759 5760 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 5761 struct sk_buff *skb) 5762 { 5763 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 5764 struct hci_conn *conn; 5765 5766 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5767 5768 if (ev->status) 5769 return; 5770 5771 hci_dev_lock(hdev); 5772 5773 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5774 if (conn) { 5775 conn->le_conn_interval = le16_to_cpu(ev->interval); 5776 conn->le_conn_latency = le16_to_cpu(ev->latency); 5777 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5778 } 5779 5780 hci_dev_unlock(hdev); 5781 } 5782 5783 /* This function requires the caller holds hdev->lock */ 5784 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5785 bdaddr_t *addr, 5786 u8 addr_type, bool addr_resolved, 5787 u8 adv_type, bdaddr_t *direct_rpa) 5788 { 5789 struct hci_conn *conn; 5790 struct hci_conn_params *params; 5791 5792 /* If the event is not connectable don't proceed further */ 5793 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5794 return NULL; 5795 5796 /* Ignore if the device is blocked or hdev is suspended */ 5797 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) || 5798 hdev->suspended) 5799 return NULL; 5800 5801 /* Most controller will fail if we try to create new connections 5802 * while we have an existing one in peripheral role. 5803 */ 5804 if (hdev->conn_hash.le_num_peripheral > 0 && 5805 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 5806 !(hdev->le_states[3] & 0x10))) 5807 return NULL; 5808 5809 /* If we're not connectable only connect devices that we have in 5810 * our pend_le_conns list. 5811 */ 5812 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5813 addr_type); 5814 if (!params) 5815 return NULL; 5816 5817 if (!params->explicit_connect) { 5818 switch (params->auto_connect) { 5819 case HCI_AUTO_CONN_DIRECT: 5820 /* Only devices advertising with ADV_DIRECT_IND are 5821 * triggering a connection attempt. This is allowing 5822 * incoming connections from peripheral devices. 5823 */ 5824 if (adv_type != LE_ADV_DIRECT_IND) 5825 return NULL; 5826 break; 5827 case HCI_AUTO_CONN_ALWAYS: 5828 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5829 * are triggering a connection attempt. This means 5830 * that incoming connections from peripheral device are 5831 * accepted and also outgoing connections to peripheral 5832 * devices are established when found. 5833 */ 5834 break; 5835 default: 5836 return NULL; 5837 } 5838 } 5839 5840 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved, 5841 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout, 5842 HCI_ROLE_MASTER, direct_rpa); 5843 if (!IS_ERR(conn)) { 5844 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5845 * by higher layer that tried to connect, if no then 5846 * store the pointer since we don't really have any 5847 * other owner of the object besides the params that 5848 * triggered it. This way we can abort the connection if 5849 * the parameters get removed and keep the reference 5850 * count consistent once the connection is established. 5851 */ 5852 5853 if (!params->explicit_connect) 5854 params->conn = hci_conn_get(conn); 5855 5856 return conn; 5857 } 5858 5859 switch (PTR_ERR(conn)) { 5860 case -EBUSY: 5861 /* If hci_connect() returns -EBUSY it means there is already 5862 * an LE connection attempt going on. Since controllers don't 5863 * support more than one connection attempt at the time, we 5864 * don't consider this an error case. 5865 */ 5866 break; 5867 default: 5868 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5869 return NULL; 5870 } 5871 5872 return NULL; 5873 } 5874 5875 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 5876 u8 bdaddr_type, bdaddr_t *direct_addr, 5877 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 5878 bool ext_adv) 5879 { 5880 struct discovery_state *d = &hdev->discovery; 5881 struct smp_irk *irk; 5882 struct hci_conn *conn; 5883 bool match, bdaddr_resolved; 5884 u32 flags; 5885 u8 *ptr; 5886 5887 switch (type) { 5888 case LE_ADV_IND: 5889 case LE_ADV_DIRECT_IND: 5890 case LE_ADV_SCAN_IND: 5891 case LE_ADV_NONCONN_IND: 5892 case LE_ADV_SCAN_RSP: 5893 break; 5894 default: 5895 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 5896 "type: 0x%02x", type); 5897 return; 5898 } 5899 5900 if (!ext_adv && len > HCI_MAX_AD_LENGTH) { 5901 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); 5902 return; 5903 } 5904 5905 /* Find the end of the data in case the report contains padded zero 5906 * bytes at the end causing an invalid length value. 5907 * 5908 * When data is NULL, len is 0 so there is no need for extra ptr 5909 * check as 'ptr < data + 0' is already false in such case. 5910 */ 5911 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 5912 if (ptr + 1 + *ptr > data + len) 5913 break; 5914 } 5915 5916 /* Adjust for actual length. This handles the case when remote 5917 * device is advertising with incorrect data length. 5918 */ 5919 len = ptr - data; 5920 5921 /* If the direct address is present, then this report is from 5922 * a LE Direct Advertising Report event. In that case it is 5923 * important to see if the address is matching the local 5924 * controller address. 5925 */ 5926 if (direct_addr) { 5927 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type, 5928 &bdaddr_resolved); 5929 5930 /* Only resolvable random addresses are valid for these 5931 * kind of reports and others can be ignored. 5932 */ 5933 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 5934 return; 5935 5936 /* If the controller is not using resolvable random 5937 * addresses, then this report can be ignored. 5938 */ 5939 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 5940 return; 5941 5942 /* If the local IRK of the controller does not match 5943 * with the resolvable random address provided, then 5944 * this report can be ignored. 5945 */ 5946 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 5947 return; 5948 } 5949 5950 /* Check if we need to convert to identity address */ 5951 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 5952 if (irk) { 5953 bdaddr = &irk->bdaddr; 5954 bdaddr_type = irk->addr_type; 5955 } 5956 5957 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved); 5958 5959 /* Check if we have been requested to connect to this device. 5960 * 5961 * direct_addr is set only for directed advertising reports (it is NULL 5962 * for advertising reports) and is already verified to be RPA above. 5963 */ 5964 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved, 5965 type, direct_addr); 5966 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { 5967 /* Store report for later inclusion by 5968 * mgmt_device_connected 5969 */ 5970 memcpy(conn->le_adv_data, data, len); 5971 conn->le_adv_data_len = len; 5972 } 5973 5974 /* Passive scanning shouldn't trigger any device found events, 5975 * except for devices marked as CONN_REPORT for which we do send 5976 * device found events, or advertisement monitoring requested. 5977 */ 5978 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 5979 if (type == LE_ADV_DIRECT_IND) 5980 return; 5981 5982 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 5983 bdaddr, bdaddr_type) && 5984 idr_is_empty(&hdev->adv_monitors_idr)) 5985 return; 5986 5987 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 5988 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5989 else 5990 flags = 0; 5991 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5992 rssi, flags, data, len, NULL, 0); 5993 return; 5994 } 5995 5996 /* When receiving non-connectable or scannable undirected 5997 * advertising reports, this means that the remote device is 5998 * not connectable and then clearly indicate this in the 5999 * device found event. 6000 * 6001 * When receiving a scan response, then there is no way to 6002 * know if the remote device is connectable or not. However 6003 * since scan responses are merged with a previously seen 6004 * advertising report, the flags field from that report 6005 * will be used. 6006 * 6007 * In the really unlikely case that a controller get confused 6008 * and just sends a scan response event, then it is marked as 6009 * not connectable as well. 6010 */ 6011 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 6012 type == LE_ADV_SCAN_RSP) 6013 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 6014 else 6015 flags = 0; 6016 6017 /* If there's nothing pending either store the data from this 6018 * event or send an immediate device found event if the data 6019 * should not be stored for later. 6020 */ 6021 if (!ext_adv && !has_pending_adv_report(hdev)) { 6022 /* If the report will trigger a SCAN_REQ store it for 6023 * later merging. 6024 */ 6025 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 6026 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6027 rssi, flags, data, len); 6028 return; 6029 } 6030 6031 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6032 rssi, flags, data, len, NULL, 0); 6033 return; 6034 } 6035 6036 /* Check if the pending report is for the same device as the new one */ 6037 match = (!bacmp(bdaddr, &d->last_adv_addr) && 6038 bdaddr_type == d->last_adv_addr_type); 6039 6040 /* If the pending data doesn't match this report or this isn't a 6041 * scan response (e.g. we got a duplicate ADV_IND) then force 6042 * sending of the pending data. 6043 */ 6044 if (type != LE_ADV_SCAN_RSP || !match) { 6045 /* Send out whatever is in the cache, but skip duplicates */ 6046 if (!match) 6047 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6048 d->last_adv_addr_type, NULL, 6049 d->last_adv_rssi, d->last_adv_flags, 6050 d->last_adv_data, 6051 d->last_adv_data_len, NULL, 0); 6052 6053 /* If the new report will trigger a SCAN_REQ store it for 6054 * later merging. 6055 */ 6056 if (!ext_adv && (type == LE_ADV_IND || 6057 type == LE_ADV_SCAN_IND)) { 6058 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6059 rssi, flags, data, len); 6060 return; 6061 } 6062 6063 /* The advertising reports cannot be merged, so clear 6064 * the pending report and send out a device found event. 6065 */ 6066 clear_pending_adv_report(hdev); 6067 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6068 rssi, flags, data, len, NULL, 0); 6069 return; 6070 } 6071 6072 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 6073 * the new event is a SCAN_RSP. We can therefore proceed with 6074 * sending a merged device found event. 6075 */ 6076 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6077 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 6078 d->last_adv_data, d->last_adv_data_len, data, len); 6079 clear_pending_adv_report(hdev); 6080 } 6081 6082 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 6083 { 6084 u8 num_reports = skb->data[0]; 6085 void *ptr = &skb->data[1]; 6086 6087 hci_dev_lock(hdev); 6088 6089 while (num_reports--) { 6090 struct hci_ev_le_advertising_info *ev = ptr; 6091 s8 rssi; 6092 6093 if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) { 6094 bt_dev_err(hdev, "Malicious advertising data."); 6095 break; 6096 } 6097 6098 if (ev->length <= HCI_MAX_AD_LENGTH && 6099 ev->data + ev->length <= skb_tail_pointer(skb)) { 6100 rssi = ev->data[ev->length]; 6101 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 6102 ev->bdaddr_type, NULL, 0, rssi, 6103 ev->data, ev->length, false); 6104 } else { 6105 bt_dev_err(hdev, "Dropping invalid advertising data"); 6106 } 6107 6108 ptr += sizeof(*ev) + ev->length + 1; 6109 } 6110 6111 hci_dev_unlock(hdev); 6112 } 6113 6114 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 6115 { 6116 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 6117 switch (evt_type) { 6118 case LE_LEGACY_ADV_IND: 6119 return LE_ADV_IND; 6120 case LE_LEGACY_ADV_DIRECT_IND: 6121 return LE_ADV_DIRECT_IND; 6122 case LE_LEGACY_ADV_SCAN_IND: 6123 return LE_ADV_SCAN_IND; 6124 case LE_LEGACY_NONCONN_IND: 6125 return LE_ADV_NONCONN_IND; 6126 case LE_LEGACY_SCAN_RSP_ADV: 6127 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 6128 return LE_ADV_SCAN_RSP; 6129 } 6130 6131 goto invalid; 6132 } 6133 6134 if (evt_type & LE_EXT_ADV_CONN_IND) { 6135 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6136 return LE_ADV_DIRECT_IND; 6137 6138 return LE_ADV_IND; 6139 } 6140 6141 if (evt_type & LE_EXT_ADV_SCAN_RSP) 6142 return LE_ADV_SCAN_RSP; 6143 6144 if (evt_type & LE_EXT_ADV_SCAN_IND) 6145 return LE_ADV_SCAN_IND; 6146 6147 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 6148 evt_type & LE_EXT_ADV_DIRECT_IND) 6149 return LE_ADV_NONCONN_IND; 6150 6151 invalid: 6152 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 6153 evt_type); 6154 6155 return LE_ADV_INVALID; 6156 } 6157 6158 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 6159 { 6160 u8 num_reports = skb->data[0]; 6161 void *ptr = &skb->data[1]; 6162 6163 hci_dev_lock(hdev); 6164 6165 while (num_reports--) { 6166 struct hci_ev_le_ext_adv_report *ev = ptr; 6167 u8 legacy_evt_type; 6168 u16 evt_type; 6169 6170 evt_type = __le16_to_cpu(ev->evt_type); 6171 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 6172 if (legacy_evt_type != LE_ADV_INVALID) { 6173 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, 6174 ev->bdaddr_type, NULL, 0, ev->rssi, 6175 ev->data, ev->length, 6176 !(evt_type & LE_EXT_ADV_LEGACY_PDU)); 6177 } 6178 6179 ptr += sizeof(*ev) + ev->length; 6180 } 6181 6182 hci_dev_unlock(hdev); 6183 } 6184 6185 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 6186 struct sk_buff *skb) 6187 { 6188 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 6189 struct hci_conn *conn; 6190 6191 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 6192 6193 hci_dev_lock(hdev); 6194 6195 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6196 if (conn) { 6197 if (!ev->status) 6198 memcpy(conn->features[0], ev->features, 8); 6199 6200 if (conn->state == BT_CONFIG) { 6201 __u8 status; 6202 6203 /* If the local controller supports peripheral-initiated 6204 * features exchange, but the remote controller does 6205 * not, then it is possible that the error code 0x1a 6206 * for unsupported remote feature gets returned. 6207 * 6208 * In this specific case, allow the connection to 6209 * transition into connected state and mark it as 6210 * successful. 6211 */ 6212 if (!conn->out && ev->status == 0x1a && 6213 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 6214 status = 0x00; 6215 else 6216 status = ev->status; 6217 6218 conn->state = BT_CONNECTED; 6219 hci_connect_cfm(conn, status); 6220 hci_conn_drop(conn); 6221 } 6222 } 6223 6224 hci_dev_unlock(hdev); 6225 } 6226 6227 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 6228 { 6229 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 6230 struct hci_cp_le_ltk_reply cp; 6231 struct hci_cp_le_ltk_neg_reply neg; 6232 struct hci_conn *conn; 6233 struct smp_ltk *ltk; 6234 6235 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 6236 6237 hci_dev_lock(hdev); 6238 6239 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6240 if (conn == NULL) 6241 goto not_found; 6242 6243 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 6244 if (!ltk) 6245 goto not_found; 6246 6247 if (smp_ltk_is_sc(ltk)) { 6248 /* With SC both EDiv and Rand are set to zero */ 6249 if (ev->ediv || ev->rand) 6250 goto not_found; 6251 } else { 6252 /* For non-SC keys check that EDiv and Rand match */ 6253 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 6254 goto not_found; 6255 } 6256 6257 memcpy(cp.ltk, ltk->val, ltk->enc_size); 6258 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 6259 cp.handle = cpu_to_le16(conn->handle); 6260 6261 conn->pending_sec_level = smp_ltk_sec_level(ltk); 6262 6263 conn->enc_key_size = ltk->enc_size; 6264 6265 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 6266 6267 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 6268 * temporary key used to encrypt a connection following 6269 * pairing. It is used during the Encrypted Session Setup to 6270 * distribute the keys. Later, security can be re-established 6271 * using a distributed LTK. 6272 */ 6273 if (ltk->type == SMP_STK) { 6274 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6275 list_del_rcu(<k->list); 6276 kfree_rcu(ltk, rcu); 6277 } else { 6278 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6279 } 6280 6281 hci_dev_unlock(hdev); 6282 6283 return; 6284 6285 not_found: 6286 neg.handle = ev->handle; 6287 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 6288 hci_dev_unlock(hdev); 6289 } 6290 6291 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 6292 u8 reason) 6293 { 6294 struct hci_cp_le_conn_param_req_neg_reply cp; 6295 6296 cp.handle = cpu_to_le16(handle); 6297 cp.reason = reason; 6298 6299 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 6300 &cp); 6301 } 6302 6303 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 6304 struct sk_buff *skb) 6305 { 6306 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 6307 struct hci_cp_le_conn_param_req_reply cp; 6308 struct hci_conn *hcon; 6309 u16 handle, min, max, latency, timeout; 6310 6311 handle = le16_to_cpu(ev->handle); 6312 min = le16_to_cpu(ev->interval_min); 6313 max = le16_to_cpu(ev->interval_max); 6314 latency = le16_to_cpu(ev->latency); 6315 timeout = le16_to_cpu(ev->timeout); 6316 6317 hcon = hci_conn_hash_lookup_handle(hdev, handle); 6318 if (!hcon || hcon->state != BT_CONNECTED) 6319 return send_conn_param_neg_reply(hdev, handle, 6320 HCI_ERROR_UNKNOWN_CONN_ID); 6321 6322 if (hci_check_conn_params(min, max, latency, timeout)) 6323 return send_conn_param_neg_reply(hdev, handle, 6324 HCI_ERROR_INVALID_LL_PARAMS); 6325 6326 if (hcon->role == HCI_ROLE_MASTER) { 6327 struct hci_conn_params *params; 6328 u8 store_hint; 6329 6330 hci_dev_lock(hdev); 6331 6332 params = hci_conn_params_lookup(hdev, &hcon->dst, 6333 hcon->dst_type); 6334 if (params) { 6335 params->conn_min_interval = min; 6336 params->conn_max_interval = max; 6337 params->conn_latency = latency; 6338 params->supervision_timeout = timeout; 6339 store_hint = 0x01; 6340 } else { 6341 store_hint = 0x00; 6342 } 6343 6344 hci_dev_unlock(hdev); 6345 6346 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 6347 store_hint, min, max, latency, timeout); 6348 } 6349 6350 cp.handle = ev->handle; 6351 cp.interval_min = ev->interval_min; 6352 cp.interval_max = ev->interval_max; 6353 cp.latency = ev->latency; 6354 cp.timeout = ev->timeout; 6355 cp.min_ce_len = 0; 6356 cp.max_ce_len = 0; 6357 6358 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 6359 } 6360 6361 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 6362 struct sk_buff *skb) 6363 { 6364 u8 num_reports = skb->data[0]; 6365 struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1]; 6366 6367 if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1) 6368 return; 6369 6370 hci_dev_lock(hdev); 6371 6372 for (; num_reports; num_reports--, ev++) 6373 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 6374 ev->bdaddr_type, &ev->direct_addr, 6375 ev->direct_addr_type, ev->rssi, NULL, 0, 6376 false); 6377 6378 hci_dev_unlock(hdev); 6379 } 6380 6381 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb) 6382 { 6383 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data; 6384 struct hci_conn *conn; 6385 6386 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 6387 6388 if (ev->status) 6389 return; 6390 6391 hci_dev_lock(hdev); 6392 6393 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6394 if (!conn) 6395 goto unlock; 6396 6397 conn->le_tx_phy = ev->tx_phy; 6398 conn->le_rx_phy = ev->rx_phy; 6399 6400 unlock: 6401 hci_dev_unlock(hdev); 6402 } 6403 6404 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 6405 { 6406 struct hci_ev_le_meta *le_ev = (void *) skb->data; 6407 6408 skb_pull(skb, sizeof(*le_ev)); 6409 6410 switch (le_ev->subevent) { 6411 case HCI_EV_LE_CONN_COMPLETE: 6412 hci_le_conn_complete_evt(hdev, skb); 6413 break; 6414 6415 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 6416 hci_le_conn_update_complete_evt(hdev, skb); 6417 break; 6418 6419 case HCI_EV_LE_ADVERTISING_REPORT: 6420 hci_le_adv_report_evt(hdev, skb); 6421 break; 6422 6423 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 6424 hci_le_remote_feat_complete_evt(hdev, skb); 6425 break; 6426 6427 case HCI_EV_LE_LTK_REQ: 6428 hci_le_ltk_request_evt(hdev, skb); 6429 break; 6430 6431 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 6432 hci_le_remote_conn_param_req_evt(hdev, skb); 6433 break; 6434 6435 case HCI_EV_LE_DIRECT_ADV_REPORT: 6436 hci_le_direct_adv_report_evt(hdev, skb); 6437 break; 6438 6439 case HCI_EV_LE_PHY_UPDATE_COMPLETE: 6440 hci_le_phy_update_evt(hdev, skb); 6441 break; 6442 6443 case HCI_EV_LE_EXT_ADV_REPORT: 6444 hci_le_ext_adv_report_evt(hdev, skb); 6445 break; 6446 6447 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 6448 hci_le_enh_conn_complete_evt(hdev, skb); 6449 break; 6450 6451 case HCI_EV_LE_EXT_ADV_SET_TERM: 6452 hci_le_ext_adv_term_evt(hdev, skb); 6453 break; 6454 6455 default: 6456 break; 6457 } 6458 } 6459 6460 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 6461 u8 event, struct sk_buff *skb) 6462 { 6463 struct hci_ev_cmd_complete *ev; 6464 struct hci_event_hdr *hdr; 6465 6466 if (!skb) 6467 return false; 6468 6469 if (skb->len < sizeof(*hdr)) { 6470 bt_dev_err(hdev, "too short HCI event"); 6471 return false; 6472 } 6473 6474 hdr = (void *) skb->data; 6475 skb_pull(skb, HCI_EVENT_HDR_SIZE); 6476 6477 if (event) { 6478 if (hdr->evt != event) 6479 return false; 6480 return true; 6481 } 6482 6483 /* Check if request ended in Command Status - no way to retrieve 6484 * any extra parameters in this case. 6485 */ 6486 if (hdr->evt == HCI_EV_CMD_STATUS) 6487 return false; 6488 6489 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 6490 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 6491 hdr->evt); 6492 return false; 6493 } 6494 6495 if (skb->len < sizeof(*ev)) { 6496 bt_dev_err(hdev, "too short cmd_complete event"); 6497 return false; 6498 } 6499 6500 ev = (void *) skb->data; 6501 skb_pull(skb, sizeof(*ev)); 6502 6503 if (opcode != __le16_to_cpu(ev->opcode)) { 6504 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 6505 __le16_to_cpu(ev->opcode)); 6506 return false; 6507 } 6508 6509 return true; 6510 } 6511 6512 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 6513 struct sk_buff *skb) 6514 { 6515 struct hci_ev_le_advertising_info *adv; 6516 struct hci_ev_le_direct_adv_info *direct_adv; 6517 struct hci_ev_le_ext_adv_report *ext_adv; 6518 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; 6519 const struct hci_ev_conn_request *conn_request = (void *)skb->data; 6520 6521 hci_dev_lock(hdev); 6522 6523 /* If we are currently suspended and this is the first BT event seen, 6524 * save the wake reason associated with the event. 6525 */ 6526 if (!hdev->suspended || hdev->wake_reason) 6527 goto unlock; 6528 6529 /* Default to remote wake. Values for wake_reason are documented in the 6530 * Bluez mgmt api docs. 6531 */ 6532 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 6533 6534 /* Once configured for remote wakeup, we should only wake up for 6535 * reconnections. It's useful to see which device is waking us up so 6536 * keep track of the bdaddr of the connection event that woke us up. 6537 */ 6538 if (event == HCI_EV_CONN_REQUEST) { 6539 bacpy(&hdev->wake_addr, &conn_complete->bdaddr); 6540 hdev->wake_addr_type = BDADDR_BREDR; 6541 } else if (event == HCI_EV_CONN_COMPLETE) { 6542 bacpy(&hdev->wake_addr, &conn_request->bdaddr); 6543 hdev->wake_addr_type = BDADDR_BREDR; 6544 } else if (event == HCI_EV_LE_META) { 6545 struct hci_ev_le_meta *le_ev = (void *)skb->data; 6546 u8 subevent = le_ev->subevent; 6547 u8 *ptr = &skb->data[sizeof(*le_ev)]; 6548 u8 num_reports = *ptr; 6549 6550 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT || 6551 subevent == HCI_EV_LE_DIRECT_ADV_REPORT || 6552 subevent == HCI_EV_LE_EXT_ADV_REPORT) && 6553 num_reports) { 6554 adv = (void *)(ptr + 1); 6555 direct_adv = (void *)(ptr + 1); 6556 ext_adv = (void *)(ptr + 1); 6557 6558 switch (subevent) { 6559 case HCI_EV_LE_ADVERTISING_REPORT: 6560 bacpy(&hdev->wake_addr, &adv->bdaddr); 6561 hdev->wake_addr_type = adv->bdaddr_type; 6562 break; 6563 case HCI_EV_LE_DIRECT_ADV_REPORT: 6564 bacpy(&hdev->wake_addr, &direct_adv->bdaddr); 6565 hdev->wake_addr_type = direct_adv->bdaddr_type; 6566 break; 6567 case HCI_EV_LE_EXT_ADV_REPORT: 6568 bacpy(&hdev->wake_addr, &ext_adv->bdaddr); 6569 hdev->wake_addr_type = ext_adv->bdaddr_type; 6570 break; 6571 } 6572 } 6573 } else { 6574 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 6575 } 6576 6577 unlock: 6578 hci_dev_unlock(hdev); 6579 } 6580 6581 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 6582 { 6583 struct hci_event_hdr *hdr = (void *) skb->data; 6584 hci_req_complete_t req_complete = NULL; 6585 hci_req_complete_skb_t req_complete_skb = NULL; 6586 struct sk_buff *orig_skb = NULL; 6587 u8 status = 0, event = hdr->evt, req_evt = 0; 6588 u16 opcode = HCI_OP_NOP; 6589 6590 if (!event) { 6591 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); 6592 goto done; 6593 } 6594 6595 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 6596 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 6597 opcode = __le16_to_cpu(cmd_hdr->opcode); 6598 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 6599 &req_complete_skb); 6600 req_evt = event; 6601 } 6602 6603 /* If it looks like we might end up having to call 6604 * req_complete_skb, store a pristine copy of the skb since the 6605 * various handlers may modify the original one through 6606 * skb_pull() calls, etc. 6607 */ 6608 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 6609 event == HCI_EV_CMD_COMPLETE) 6610 orig_skb = skb_clone(skb, GFP_KERNEL); 6611 6612 skb_pull(skb, HCI_EVENT_HDR_SIZE); 6613 6614 /* Store wake reason if we're suspended */ 6615 hci_store_wake_reason(hdev, event, skb); 6616 6617 switch (event) { 6618 case HCI_EV_INQUIRY_COMPLETE: 6619 hci_inquiry_complete_evt(hdev, skb); 6620 break; 6621 6622 case HCI_EV_INQUIRY_RESULT: 6623 hci_inquiry_result_evt(hdev, skb); 6624 break; 6625 6626 case HCI_EV_CONN_COMPLETE: 6627 hci_conn_complete_evt(hdev, skb); 6628 break; 6629 6630 case HCI_EV_CONN_REQUEST: 6631 hci_conn_request_evt(hdev, skb); 6632 break; 6633 6634 case HCI_EV_DISCONN_COMPLETE: 6635 hci_disconn_complete_evt(hdev, skb); 6636 break; 6637 6638 case HCI_EV_AUTH_COMPLETE: 6639 hci_auth_complete_evt(hdev, skb); 6640 break; 6641 6642 case HCI_EV_REMOTE_NAME: 6643 hci_remote_name_evt(hdev, skb); 6644 break; 6645 6646 case HCI_EV_ENCRYPT_CHANGE: 6647 hci_encrypt_change_evt(hdev, skb); 6648 break; 6649 6650 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 6651 hci_change_link_key_complete_evt(hdev, skb); 6652 break; 6653 6654 case HCI_EV_REMOTE_FEATURES: 6655 hci_remote_features_evt(hdev, skb); 6656 break; 6657 6658 case HCI_EV_CMD_COMPLETE: 6659 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 6660 &req_complete, &req_complete_skb); 6661 break; 6662 6663 case HCI_EV_CMD_STATUS: 6664 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 6665 &req_complete_skb); 6666 break; 6667 6668 case HCI_EV_HARDWARE_ERROR: 6669 hci_hardware_error_evt(hdev, skb); 6670 break; 6671 6672 case HCI_EV_ROLE_CHANGE: 6673 hci_role_change_evt(hdev, skb); 6674 break; 6675 6676 case HCI_EV_NUM_COMP_PKTS: 6677 hci_num_comp_pkts_evt(hdev, skb); 6678 break; 6679 6680 case HCI_EV_MODE_CHANGE: 6681 hci_mode_change_evt(hdev, skb); 6682 break; 6683 6684 case HCI_EV_PIN_CODE_REQ: 6685 hci_pin_code_request_evt(hdev, skb); 6686 break; 6687 6688 case HCI_EV_LINK_KEY_REQ: 6689 hci_link_key_request_evt(hdev, skb); 6690 break; 6691 6692 case HCI_EV_LINK_KEY_NOTIFY: 6693 hci_link_key_notify_evt(hdev, skb); 6694 break; 6695 6696 case HCI_EV_CLOCK_OFFSET: 6697 hci_clock_offset_evt(hdev, skb); 6698 break; 6699 6700 case HCI_EV_PKT_TYPE_CHANGE: 6701 hci_pkt_type_change_evt(hdev, skb); 6702 break; 6703 6704 case HCI_EV_PSCAN_REP_MODE: 6705 hci_pscan_rep_mode_evt(hdev, skb); 6706 break; 6707 6708 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 6709 hci_inquiry_result_with_rssi_evt(hdev, skb); 6710 break; 6711 6712 case HCI_EV_REMOTE_EXT_FEATURES: 6713 hci_remote_ext_features_evt(hdev, skb); 6714 break; 6715 6716 case HCI_EV_SYNC_CONN_COMPLETE: 6717 hci_sync_conn_complete_evt(hdev, skb); 6718 break; 6719 6720 case HCI_EV_EXTENDED_INQUIRY_RESULT: 6721 hci_extended_inquiry_result_evt(hdev, skb); 6722 break; 6723 6724 case HCI_EV_KEY_REFRESH_COMPLETE: 6725 hci_key_refresh_complete_evt(hdev, skb); 6726 break; 6727 6728 case HCI_EV_IO_CAPA_REQUEST: 6729 hci_io_capa_request_evt(hdev, skb); 6730 break; 6731 6732 case HCI_EV_IO_CAPA_REPLY: 6733 hci_io_capa_reply_evt(hdev, skb); 6734 break; 6735 6736 case HCI_EV_USER_CONFIRM_REQUEST: 6737 hci_user_confirm_request_evt(hdev, skb); 6738 break; 6739 6740 case HCI_EV_USER_PASSKEY_REQUEST: 6741 hci_user_passkey_request_evt(hdev, skb); 6742 break; 6743 6744 case HCI_EV_USER_PASSKEY_NOTIFY: 6745 hci_user_passkey_notify_evt(hdev, skb); 6746 break; 6747 6748 case HCI_EV_KEYPRESS_NOTIFY: 6749 hci_keypress_notify_evt(hdev, skb); 6750 break; 6751 6752 case HCI_EV_SIMPLE_PAIR_COMPLETE: 6753 hci_simple_pair_complete_evt(hdev, skb); 6754 break; 6755 6756 case HCI_EV_REMOTE_HOST_FEATURES: 6757 hci_remote_host_features_evt(hdev, skb); 6758 break; 6759 6760 case HCI_EV_LE_META: 6761 hci_le_meta_evt(hdev, skb); 6762 break; 6763 6764 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 6765 hci_remote_oob_data_request_evt(hdev, skb); 6766 break; 6767 6768 #if IS_ENABLED(CONFIG_BT_HS) 6769 case HCI_EV_CHANNEL_SELECTED: 6770 hci_chan_selected_evt(hdev, skb); 6771 break; 6772 6773 case HCI_EV_PHY_LINK_COMPLETE: 6774 hci_phy_link_complete_evt(hdev, skb); 6775 break; 6776 6777 case HCI_EV_LOGICAL_LINK_COMPLETE: 6778 hci_loglink_complete_evt(hdev, skb); 6779 break; 6780 6781 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 6782 hci_disconn_loglink_complete_evt(hdev, skb); 6783 break; 6784 6785 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 6786 hci_disconn_phylink_complete_evt(hdev, skb); 6787 break; 6788 #endif 6789 6790 case HCI_EV_NUM_COMP_BLOCKS: 6791 hci_num_comp_blocks_evt(hdev, skb); 6792 break; 6793 6794 case HCI_EV_VENDOR: 6795 msft_vendor_evt(hdev, skb); 6796 break; 6797 6798 default: 6799 BT_DBG("%s event 0x%2.2x", hdev->name, event); 6800 break; 6801 } 6802 6803 if (req_complete) { 6804 req_complete(hdev, status, opcode); 6805 } else if (req_complete_skb) { 6806 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 6807 kfree_skb(orig_skb); 6808 orig_skb = NULL; 6809 } 6810 req_complete_skb(hdev, status, opcode, orig_skb); 6811 } 6812 6813 done: 6814 kfree_skb(orig_skb); 6815 kfree_skb(skb); 6816 hdev->stat.evt_rx++; 6817 } 6818