1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 40 "\x00\x00\x00\x00\x00\x00\x00\x00" 41 42 /* Handle HCI Event packets */ 43 44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 45 { 46 __u8 status = *((__u8 *) skb->data); 47 48 BT_DBG("%s status 0x%2.2x", hdev->name, status); 49 50 if (status) 51 return; 52 53 clear_bit(HCI_INQUIRY, &hdev->flags); 54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 55 wake_up_bit(&hdev->flags, HCI_INQUIRY); 56 57 hci_dev_lock(hdev); 58 /* Set discovery state to stopped if we're not doing LE active 59 * scanning. 60 */ 61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 62 hdev->le_scan_type != LE_SCAN_ACTIVE) 63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 64 hci_dev_unlock(hdev); 65 66 hci_conn_check_pending(hdev); 67 } 68 69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 70 { 71 __u8 status = *((__u8 *) skb->data); 72 73 BT_DBG("%s status 0x%2.2x", hdev->name, status); 74 75 if (status) 76 return; 77 78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 79 } 80 81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 82 { 83 __u8 status = *((__u8 *) skb->data); 84 85 BT_DBG("%s status 0x%2.2x", hdev->name, status); 86 87 if (status) 88 return; 89 90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 91 92 hci_conn_check_pending(hdev); 93 } 94 95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 96 struct sk_buff *skb) 97 { 98 BT_DBG("%s", hdev->name); 99 } 100 101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 102 { 103 struct hci_rp_role_discovery *rp = (void *) skb->data; 104 struct hci_conn *conn; 105 106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 107 108 if (rp->status) 109 return; 110 111 hci_dev_lock(hdev); 112 113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 114 if (conn) 115 conn->role = rp->role; 116 117 hci_dev_unlock(hdev); 118 } 119 120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 121 { 122 struct hci_rp_read_link_policy *rp = (void *) skb->data; 123 struct hci_conn *conn; 124 125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 126 127 if (rp->status) 128 return; 129 130 hci_dev_lock(hdev); 131 132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 133 if (conn) 134 conn->link_policy = __le16_to_cpu(rp->policy); 135 136 hci_dev_unlock(hdev); 137 } 138 139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 140 { 141 struct hci_rp_write_link_policy *rp = (void *) skb->data; 142 struct hci_conn *conn; 143 void *sent; 144 145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 146 147 if (rp->status) 148 return; 149 150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 151 if (!sent) 152 return; 153 154 hci_dev_lock(hdev); 155 156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 157 if (conn) 158 conn->link_policy = get_unaligned_le16(sent + 2); 159 160 hci_dev_unlock(hdev); 161 } 162 163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 164 struct sk_buff *skb) 165 { 166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 167 168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 169 170 if (rp->status) 171 return; 172 173 hdev->link_policy = __le16_to_cpu(rp->policy); 174 } 175 176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 177 struct sk_buff *skb) 178 { 179 __u8 status = *((__u8 *) skb->data); 180 void *sent; 181 182 BT_DBG("%s status 0x%2.2x", hdev->name, status); 183 184 if (status) 185 return; 186 187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 188 if (!sent) 189 return; 190 191 hdev->link_policy = get_unaligned_le16(sent); 192 } 193 194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 195 { 196 __u8 status = *((__u8 *) skb->data); 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 clear_bit(HCI_RESET, &hdev->flags); 201 202 if (status) 203 return; 204 205 /* Reset all non-persistent flags */ 206 hci_dev_clear_volatile_flags(hdev); 207 208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 209 210 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 211 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 212 213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 214 hdev->adv_data_len = 0; 215 216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 217 hdev->scan_rsp_data_len = 0; 218 219 hdev->le_scan_type = LE_SCAN_PASSIVE; 220 221 hdev->ssp_debug_mode = 0; 222 223 hci_bdaddr_list_clear(&hdev->le_white_list); 224 } 225 226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 227 struct sk_buff *skb) 228 { 229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 230 struct hci_cp_read_stored_link_key *sent; 231 232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 233 234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 235 if (!sent) 236 return; 237 238 if (!rp->status && sent->read_all == 0x01) { 239 hdev->stored_max_keys = rp->max_keys; 240 hdev->stored_num_keys = rp->num_keys; 241 } 242 } 243 244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 245 struct sk_buff *skb) 246 { 247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 248 249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 250 251 if (rp->status) 252 return; 253 254 if (rp->num_keys <= hdev->stored_num_keys) 255 hdev->stored_num_keys -= rp->num_keys; 256 else 257 hdev->stored_num_keys = 0; 258 } 259 260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 261 { 262 __u8 status = *((__u8 *) skb->data); 263 void *sent; 264 265 BT_DBG("%s status 0x%2.2x", hdev->name, status); 266 267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 268 if (!sent) 269 return; 270 271 hci_dev_lock(hdev); 272 273 if (hci_dev_test_flag(hdev, HCI_MGMT)) 274 mgmt_set_local_name_complete(hdev, sent, status); 275 else if (!status) 276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 277 278 hci_dev_unlock(hdev); 279 } 280 281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 282 { 283 struct hci_rp_read_local_name *rp = (void *) skb->data; 284 285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 286 287 if (rp->status) 288 return; 289 290 if (hci_dev_test_flag(hdev, HCI_SETUP) || 291 hci_dev_test_flag(hdev, HCI_CONFIG)) 292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 293 } 294 295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 296 { 297 __u8 status = *((__u8 *) skb->data); 298 void *sent; 299 300 BT_DBG("%s status 0x%2.2x", hdev->name, status); 301 302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 303 if (!sent) 304 return; 305 306 hci_dev_lock(hdev); 307 308 if (!status) { 309 __u8 param = *((__u8 *) sent); 310 311 if (param == AUTH_ENABLED) 312 set_bit(HCI_AUTH, &hdev->flags); 313 else 314 clear_bit(HCI_AUTH, &hdev->flags); 315 } 316 317 if (hci_dev_test_flag(hdev, HCI_MGMT)) 318 mgmt_auth_enable_complete(hdev, status); 319 320 hci_dev_unlock(hdev); 321 } 322 323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 324 { 325 __u8 status = *((__u8 *) skb->data); 326 __u8 param; 327 void *sent; 328 329 BT_DBG("%s status 0x%2.2x", hdev->name, status); 330 331 if (status) 332 return; 333 334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 335 if (!sent) 336 return; 337 338 param = *((__u8 *) sent); 339 340 if (param) 341 set_bit(HCI_ENCRYPT, &hdev->flags); 342 else 343 clear_bit(HCI_ENCRYPT, &hdev->flags); 344 } 345 346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 347 { 348 __u8 status = *((__u8 *) skb->data); 349 __u8 param; 350 void *sent; 351 352 BT_DBG("%s status 0x%2.2x", hdev->name, status); 353 354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 355 if (!sent) 356 return; 357 358 param = *((__u8 *) sent); 359 360 hci_dev_lock(hdev); 361 362 if (status) { 363 hdev->discov_timeout = 0; 364 goto done; 365 } 366 367 if (param & SCAN_INQUIRY) 368 set_bit(HCI_ISCAN, &hdev->flags); 369 else 370 clear_bit(HCI_ISCAN, &hdev->flags); 371 372 if (param & SCAN_PAGE) 373 set_bit(HCI_PSCAN, &hdev->flags); 374 else 375 clear_bit(HCI_PSCAN, &hdev->flags); 376 377 done: 378 hci_dev_unlock(hdev); 379 } 380 381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 382 { 383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 384 385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 386 387 if (rp->status) 388 return; 389 390 memcpy(hdev->dev_class, rp->dev_class, 3); 391 392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 394 } 395 396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 397 { 398 __u8 status = *((__u8 *) skb->data); 399 void *sent; 400 401 BT_DBG("%s status 0x%2.2x", hdev->name, status); 402 403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 404 if (!sent) 405 return; 406 407 hci_dev_lock(hdev); 408 409 if (status == 0) 410 memcpy(hdev->dev_class, sent, 3); 411 412 if (hci_dev_test_flag(hdev, HCI_MGMT)) 413 mgmt_set_class_of_dev_complete(hdev, sent, status); 414 415 hci_dev_unlock(hdev); 416 } 417 418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 419 { 420 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 421 __u16 setting; 422 423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 424 425 if (rp->status) 426 return; 427 428 setting = __le16_to_cpu(rp->voice_setting); 429 430 if (hdev->voice_setting == setting) 431 return; 432 433 hdev->voice_setting = setting; 434 435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 436 437 if (hdev->notify) 438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 439 } 440 441 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 442 struct sk_buff *skb) 443 { 444 __u8 status = *((__u8 *) skb->data); 445 __u16 setting; 446 void *sent; 447 448 BT_DBG("%s status 0x%2.2x", hdev->name, status); 449 450 if (status) 451 return; 452 453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 454 if (!sent) 455 return; 456 457 setting = get_unaligned_le16(sent); 458 459 if (hdev->voice_setting == setting) 460 return; 461 462 hdev->voice_setting = setting; 463 464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 465 466 if (hdev->notify) 467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 468 } 469 470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 471 struct sk_buff *skb) 472 { 473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 474 475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 476 477 if (rp->status) 478 return; 479 480 hdev->num_iac = rp->num_iac; 481 482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 483 } 484 485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 486 { 487 __u8 status = *((__u8 *) skb->data); 488 struct hci_cp_write_ssp_mode *sent; 489 490 BT_DBG("%s status 0x%2.2x", hdev->name, status); 491 492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 493 if (!sent) 494 return; 495 496 hci_dev_lock(hdev); 497 498 if (!status) { 499 if (sent->mode) 500 hdev->features[1][0] |= LMP_HOST_SSP; 501 else 502 hdev->features[1][0] &= ~LMP_HOST_SSP; 503 } 504 505 if (hci_dev_test_flag(hdev, HCI_MGMT)) 506 mgmt_ssp_enable_complete(hdev, sent->mode, status); 507 else if (!status) { 508 if (sent->mode) 509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 510 else 511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 512 } 513 514 hci_dev_unlock(hdev); 515 } 516 517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 518 { 519 u8 status = *((u8 *) skb->data); 520 struct hci_cp_write_sc_support *sent; 521 522 BT_DBG("%s status 0x%2.2x", hdev->name, status); 523 524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 525 if (!sent) 526 return; 527 528 hci_dev_lock(hdev); 529 530 if (!status) { 531 if (sent->support) 532 hdev->features[1][0] |= LMP_HOST_SC; 533 else 534 hdev->features[1][0] &= ~LMP_HOST_SC; 535 } 536 537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 538 if (sent->support) 539 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 540 else 541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 542 } 543 544 hci_dev_unlock(hdev); 545 } 546 547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 548 { 549 struct hci_rp_read_local_version *rp = (void *) skb->data; 550 551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 552 553 if (rp->status) 554 return; 555 556 if (hci_dev_test_flag(hdev, HCI_SETUP) || 557 hci_dev_test_flag(hdev, HCI_CONFIG)) { 558 hdev->hci_ver = rp->hci_ver; 559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 560 hdev->lmp_ver = rp->lmp_ver; 561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 563 } 564 } 565 566 static void hci_cc_read_local_commands(struct hci_dev *hdev, 567 struct sk_buff *skb) 568 { 569 struct hci_rp_read_local_commands *rp = (void *) skb->data; 570 571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 572 573 if (rp->status) 574 return; 575 576 if (hci_dev_test_flag(hdev, HCI_SETUP) || 577 hci_dev_test_flag(hdev, HCI_CONFIG)) 578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 579 } 580 581 static void hci_cc_read_local_features(struct hci_dev *hdev, 582 struct sk_buff *skb) 583 { 584 struct hci_rp_read_local_features *rp = (void *) skb->data; 585 586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 587 588 if (rp->status) 589 return; 590 591 memcpy(hdev->features, rp->features, 8); 592 593 /* Adjust default settings according to features 594 * supported by device. */ 595 596 if (hdev->features[0][0] & LMP_3SLOT) 597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 598 599 if (hdev->features[0][0] & LMP_5SLOT) 600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 601 602 if (hdev->features[0][1] & LMP_HV2) { 603 hdev->pkt_type |= (HCI_HV2); 604 hdev->esco_type |= (ESCO_HV2); 605 } 606 607 if (hdev->features[0][1] & LMP_HV3) { 608 hdev->pkt_type |= (HCI_HV3); 609 hdev->esco_type |= (ESCO_HV3); 610 } 611 612 if (lmp_esco_capable(hdev)) 613 hdev->esco_type |= (ESCO_EV3); 614 615 if (hdev->features[0][4] & LMP_EV4) 616 hdev->esco_type |= (ESCO_EV4); 617 618 if (hdev->features[0][4] & LMP_EV5) 619 hdev->esco_type |= (ESCO_EV5); 620 621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 622 hdev->esco_type |= (ESCO_2EV3); 623 624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 625 hdev->esco_type |= (ESCO_3EV3); 626 627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 629 } 630 631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 632 struct sk_buff *skb) 633 { 634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 635 636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 637 638 if (rp->status) 639 return; 640 641 if (hdev->max_page < rp->max_page) 642 hdev->max_page = rp->max_page; 643 644 if (rp->page < HCI_MAX_PAGES) 645 memcpy(hdev->features[rp->page], rp->features, 8); 646 } 647 648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 649 struct sk_buff *skb) 650 { 651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 652 653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 654 655 if (rp->status) 656 return; 657 658 hdev->flow_ctl_mode = rp->mode; 659 } 660 661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 662 { 663 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 664 665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 666 667 if (rp->status) 668 return; 669 670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 671 hdev->sco_mtu = rp->sco_mtu; 672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 674 675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 676 hdev->sco_mtu = 64; 677 hdev->sco_pkts = 8; 678 } 679 680 hdev->acl_cnt = hdev->acl_pkts; 681 hdev->sco_cnt = hdev->sco_pkts; 682 683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 685 } 686 687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 688 { 689 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 690 691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 692 693 if (rp->status) 694 return; 695 696 if (test_bit(HCI_INIT, &hdev->flags)) 697 bacpy(&hdev->bdaddr, &rp->bdaddr); 698 699 if (hci_dev_test_flag(hdev, HCI_SETUP)) 700 bacpy(&hdev->setup_addr, &rp->bdaddr); 701 } 702 703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 704 struct sk_buff *skb) 705 { 706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 707 708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 709 710 if (rp->status) 711 return; 712 713 if (test_bit(HCI_INIT, &hdev->flags)) { 714 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 715 hdev->page_scan_window = __le16_to_cpu(rp->window); 716 } 717 } 718 719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 720 struct sk_buff *skb) 721 { 722 u8 status = *((u8 *) skb->data); 723 struct hci_cp_write_page_scan_activity *sent; 724 725 BT_DBG("%s status 0x%2.2x", hdev->name, status); 726 727 if (status) 728 return; 729 730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 731 if (!sent) 732 return; 733 734 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 735 hdev->page_scan_window = __le16_to_cpu(sent->window); 736 } 737 738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 739 struct sk_buff *skb) 740 { 741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 742 743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 744 745 if (rp->status) 746 return; 747 748 if (test_bit(HCI_INIT, &hdev->flags)) 749 hdev->page_scan_type = rp->type; 750 } 751 752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 753 struct sk_buff *skb) 754 { 755 u8 status = *((u8 *) skb->data); 756 u8 *type; 757 758 BT_DBG("%s status 0x%2.2x", hdev->name, status); 759 760 if (status) 761 return; 762 763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 764 if (type) 765 hdev->page_scan_type = *type; 766 } 767 768 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 769 struct sk_buff *skb) 770 { 771 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 772 773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 774 775 if (rp->status) 776 return; 777 778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 779 hdev->block_len = __le16_to_cpu(rp->block_len); 780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 781 782 hdev->block_cnt = hdev->num_blocks; 783 784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 785 hdev->block_cnt, hdev->block_len); 786 } 787 788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 789 { 790 struct hci_rp_read_clock *rp = (void *) skb->data; 791 struct hci_cp_read_clock *cp; 792 struct hci_conn *conn; 793 794 BT_DBG("%s", hdev->name); 795 796 if (skb->len < sizeof(*rp)) 797 return; 798 799 if (rp->status) 800 return; 801 802 hci_dev_lock(hdev); 803 804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 805 if (!cp) 806 goto unlock; 807 808 if (cp->which == 0x00) { 809 hdev->clock = le32_to_cpu(rp->clock); 810 goto unlock; 811 } 812 813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 814 if (conn) { 815 conn->clock = le32_to_cpu(rp->clock); 816 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 817 } 818 819 unlock: 820 hci_dev_unlock(hdev); 821 } 822 823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 824 struct sk_buff *skb) 825 { 826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 827 828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 829 830 if (rp->status) 831 return; 832 833 hdev->amp_status = rp->amp_status; 834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 838 hdev->amp_type = rp->amp_type; 839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 843 } 844 845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 846 struct sk_buff *skb) 847 { 848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 849 850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 851 852 if (rp->status) 853 return; 854 855 hdev->inq_tx_power = rp->tx_power; 856 } 857 858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 859 { 860 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 861 struct hci_cp_pin_code_reply *cp; 862 struct hci_conn *conn; 863 864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 865 866 hci_dev_lock(hdev); 867 868 if (hci_dev_test_flag(hdev, HCI_MGMT)) 869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 870 871 if (rp->status) 872 goto unlock; 873 874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 875 if (!cp) 876 goto unlock; 877 878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 879 if (conn) 880 conn->pin_length = cp->pin_len; 881 882 unlock: 883 hci_dev_unlock(hdev); 884 } 885 886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 887 { 888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 889 890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 891 892 hci_dev_lock(hdev); 893 894 if (hci_dev_test_flag(hdev, HCI_MGMT)) 895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 896 rp->status); 897 898 hci_dev_unlock(hdev); 899 } 900 901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 902 struct sk_buff *skb) 903 { 904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 905 906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 907 908 if (rp->status) 909 return; 910 911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 912 hdev->le_pkts = rp->le_max_pkt; 913 914 hdev->le_cnt = hdev->le_pkts; 915 916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 917 } 918 919 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 920 struct sk_buff *skb) 921 { 922 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 923 924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 925 926 if (rp->status) 927 return; 928 929 memcpy(hdev->le_features, rp->features, 8); 930 } 931 932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 933 struct sk_buff *skb) 934 { 935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 936 937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 938 939 if (rp->status) 940 return; 941 942 hdev->adv_tx_power = rp->tx_power; 943 } 944 945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 946 { 947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 948 949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 950 951 hci_dev_lock(hdev); 952 953 if (hci_dev_test_flag(hdev, HCI_MGMT)) 954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 955 rp->status); 956 957 hci_dev_unlock(hdev); 958 } 959 960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 961 struct sk_buff *skb) 962 { 963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 964 965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 966 967 hci_dev_lock(hdev); 968 969 if (hci_dev_test_flag(hdev, HCI_MGMT)) 970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 971 ACL_LINK, 0, rp->status); 972 973 hci_dev_unlock(hdev); 974 } 975 976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 977 { 978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 979 980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 981 982 hci_dev_lock(hdev); 983 984 if (hci_dev_test_flag(hdev, HCI_MGMT)) 985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 986 0, rp->status); 987 988 hci_dev_unlock(hdev); 989 } 990 991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 992 struct sk_buff *skb) 993 { 994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 995 996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 997 998 hci_dev_lock(hdev); 999 1000 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1002 ACL_LINK, 0, rp->status); 1003 1004 hci_dev_unlock(hdev); 1005 } 1006 1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1008 struct sk_buff *skb) 1009 { 1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1011 1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1013 } 1014 1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1016 struct sk_buff *skb) 1017 { 1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1019 1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1021 } 1022 1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1024 { 1025 __u8 status = *((__u8 *) skb->data); 1026 bdaddr_t *sent; 1027 1028 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1029 1030 if (status) 1031 return; 1032 1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1034 if (!sent) 1035 return; 1036 1037 hci_dev_lock(hdev); 1038 1039 bacpy(&hdev->random_addr, sent); 1040 1041 hci_dev_unlock(hdev); 1042 } 1043 1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1045 { 1046 __u8 *sent, status = *((__u8 *) skb->data); 1047 1048 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1049 1050 if (status) 1051 return; 1052 1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1054 if (!sent) 1055 return; 1056 1057 hci_dev_lock(hdev); 1058 1059 /* If we're doing connection initiation as peripheral. Set a 1060 * timeout in case something goes wrong. 1061 */ 1062 if (*sent) { 1063 struct hci_conn *conn; 1064 1065 hci_dev_set_flag(hdev, HCI_LE_ADV); 1066 1067 conn = hci_lookup_le_connect(hdev); 1068 if (conn) 1069 queue_delayed_work(hdev->workqueue, 1070 &conn->le_conn_timeout, 1071 conn->conn_timeout); 1072 } else { 1073 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1074 } 1075 1076 hci_dev_unlock(hdev); 1077 } 1078 1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1080 { 1081 struct hci_cp_le_set_scan_param *cp; 1082 __u8 status = *((__u8 *) skb->data); 1083 1084 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1085 1086 if (status) 1087 return; 1088 1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1090 if (!cp) 1091 return; 1092 1093 hci_dev_lock(hdev); 1094 1095 hdev->le_scan_type = cp->type; 1096 1097 hci_dev_unlock(hdev); 1098 } 1099 1100 static bool has_pending_adv_report(struct hci_dev *hdev) 1101 { 1102 struct discovery_state *d = &hdev->discovery; 1103 1104 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1105 } 1106 1107 static void clear_pending_adv_report(struct hci_dev *hdev) 1108 { 1109 struct discovery_state *d = &hdev->discovery; 1110 1111 bacpy(&d->last_adv_addr, BDADDR_ANY); 1112 d->last_adv_data_len = 0; 1113 } 1114 1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1116 u8 bdaddr_type, s8 rssi, u32 flags, 1117 u8 *data, u8 len) 1118 { 1119 struct discovery_state *d = &hdev->discovery; 1120 1121 bacpy(&d->last_adv_addr, bdaddr); 1122 d->last_adv_addr_type = bdaddr_type; 1123 d->last_adv_rssi = rssi; 1124 d->last_adv_flags = flags; 1125 memcpy(d->last_adv_data, data, len); 1126 d->last_adv_data_len = len; 1127 } 1128 1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1130 struct sk_buff *skb) 1131 { 1132 struct hci_cp_le_set_scan_enable *cp; 1133 __u8 status = *((__u8 *) skb->data); 1134 1135 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1136 1137 if (status) 1138 return; 1139 1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1141 if (!cp) 1142 return; 1143 1144 hci_dev_lock(hdev); 1145 1146 switch (cp->enable) { 1147 case LE_SCAN_ENABLE: 1148 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1150 clear_pending_adv_report(hdev); 1151 break; 1152 1153 case LE_SCAN_DISABLE: 1154 /* We do this here instead of when setting DISCOVERY_STOPPED 1155 * since the latter would potentially require waiting for 1156 * inquiry to stop too. 1157 */ 1158 if (has_pending_adv_report(hdev)) { 1159 struct discovery_state *d = &hdev->discovery; 1160 1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1162 d->last_adv_addr_type, NULL, 1163 d->last_adv_rssi, d->last_adv_flags, 1164 d->last_adv_data, 1165 d->last_adv_data_len, NULL, 0); 1166 } 1167 1168 /* Cancel this timer so that we don't try to disable scanning 1169 * when it's already disabled. 1170 */ 1171 cancel_delayed_work(&hdev->le_scan_disable); 1172 1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1174 1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1176 * interrupted scanning due to a connect request. Mark 1177 * therefore discovery as stopped. If this was not 1178 * because of a connect request advertising might have 1179 * been disabled because of active scanning, so 1180 * re-enable it again if necessary. 1181 */ 1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1185 hdev->discovery.state == DISCOVERY_FINDING) 1186 hci_req_reenable_advertising(hdev); 1187 1188 break; 1189 1190 default: 1191 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1192 cp->enable); 1193 break; 1194 } 1195 1196 hci_dev_unlock(hdev); 1197 } 1198 1199 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1200 struct sk_buff *skb) 1201 { 1202 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1203 1204 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1205 1206 if (rp->status) 1207 return; 1208 1209 hdev->le_white_list_size = rp->size; 1210 } 1211 1212 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1213 struct sk_buff *skb) 1214 { 1215 __u8 status = *((__u8 *) skb->data); 1216 1217 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1218 1219 if (status) 1220 return; 1221 1222 hci_bdaddr_list_clear(&hdev->le_white_list); 1223 } 1224 1225 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1226 struct sk_buff *skb) 1227 { 1228 struct hci_cp_le_add_to_white_list *sent; 1229 __u8 status = *((__u8 *) skb->data); 1230 1231 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1232 1233 if (status) 1234 return; 1235 1236 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1237 if (!sent) 1238 return; 1239 1240 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1241 sent->bdaddr_type); 1242 } 1243 1244 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1245 struct sk_buff *skb) 1246 { 1247 struct hci_cp_le_del_from_white_list *sent; 1248 __u8 status = *((__u8 *) skb->data); 1249 1250 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1251 1252 if (status) 1253 return; 1254 1255 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1256 if (!sent) 1257 return; 1258 1259 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1260 sent->bdaddr_type); 1261 } 1262 1263 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1264 struct sk_buff *skb) 1265 { 1266 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1267 1268 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1269 1270 if (rp->status) 1271 return; 1272 1273 memcpy(hdev->le_states, rp->le_states, 8); 1274 } 1275 1276 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1277 struct sk_buff *skb) 1278 { 1279 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1280 1281 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1282 1283 if (rp->status) 1284 return; 1285 1286 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1287 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1288 } 1289 1290 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1291 struct sk_buff *skb) 1292 { 1293 struct hci_cp_le_write_def_data_len *sent; 1294 __u8 status = *((__u8 *) skb->data); 1295 1296 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1297 1298 if (status) 1299 return; 1300 1301 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1302 if (!sent) 1303 return; 1304 1305 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1306 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1307 } 1308 1309 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1310 struct sk_buff *skb) 1311 { 1312 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1313 1314 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1315 1316 if (rp->status) 1317 return; 1318 1319 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1320 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1321 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1322 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1323 } 1324 1325 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1326 struct sk_buff *skb) 1327 { 1328 struct hci_cp_write_le_host_supported *sent; 1329 __u8 status = *((__u8 *) skb->data); 1330 1331 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1332 1333 if (status) 1334 return; 1335 1336 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1337 if (!sent) 1338 return; 1339 1340 hci_dev_lock(hdev); 1341 1342 if (sent->le) { 1343 hdev->features[1][0] |= LMP_HOST_LE; 1344 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1345 } else { 1346 hdev->features[1][0] &= ~LMP_HOST_LE; 1347 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1348 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1349 } 1350 1351 if (sent->simul) 1352 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1353 else 1354 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1355 1356 hci_dev_unlock(hdev); 1357 } 1358 1359 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1360 { 1361 struct hci_cp_le_set_adv_param *cp; 1362 u8 status = *((u8 *) skb->data); 1363 1364 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1365 1366 if (status) 1367 return; 1368 1369 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1370 if (!cp) 1371 return; 1372 1373 hci_dev_lock(hdev); 1374 hdev->adv_addr_type = cp->own_address_type; 1375 hci_dev_unlock(hdev); 1376 } 1377 1378 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1379 { 1380 struct hci_rp_read_rssi *rp = (void *) skb->data; 1381 struct hci_conn *conn; 1382 1383 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1384 1385 if (rp->status) 1386 return; 1387 1388 hci_dev_lock(hdev); 1389 1390 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1391 if (conn) 1392 conn->rssi = rp->rssi; 1393 1394 hci_dev_unlock(hdev); 1395 } 1396 1397 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1398 { 1399 struct hci_cp_read_tx_power *sent; 1400 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1401 struct hci_conn *conn; 1402 1403 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1404 1405 if (rp->status) 1406 return; 1407 1408 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1409 if (!sent) 1410 return; 1411 1412 hci_dev_lock(hdev); 1413 1414 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1415 if (!conn) 1416 goto unlock; 1417 1418 switch (sent->type) { 1419 case 0x00: 1420 conn->tx_power = rp->tx_power; 1421 break; 1422 case 0x01: 1423 conn->max_tx_power = rp->tx_power; 1424 break; 1425 } 1426 1427 unlock: 1428 hci_dev_unlock(hdev); 1429 } 1430 1431 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1432 { 1433 u8 status = *((u8 *) skb->data); 1434 u8 *mode; 1435 1436 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1437 1438 if (status) 1439 return; 1440 1441 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1442 if (mode) 1443 hdev->ssp_debug_mode = *mode; 1444 } 1445 1446 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1447 { 1448 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1449 1450 if (status) { 1451 hci_conn_check_pending(hdev); 1452 return; 1453 } 1454 1455 set_bit(HCI_INQUIRY, &hdev->flags); 1456 } 1457 1458 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1459 { 1460 struct hci_cp_create_conn *cp; 1461 struct hci_conn *conn; 1462 1463 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1464 1465 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1466 if (!cp) 1467 return; 1468 1469 hci_dev_lock(hdev); 1470 1471 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1472 1473 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1474 1475 if (status) { 1476 if (conn && conn->state == BT_CONNECT) { 1477 if (status != 0x0c || conn->attempt > 2) { 1478 conn->state = BT_CLOSED; 1479 hci_connect_cfm(conn, status); 1480 hci_conn_del(conn); 1481 } else 1482 conn->state = BT_CONNECT2; 1483 } 1484 } else { 1485 if (!conn) { 1486 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1487 HCI_ROLE_MASTER); 1488 if (!conn) 1489 bt_dev_err(hdev, "no memory for new connection"); 1490 } 1491 } 1492 1493 hci_dev_unlock(hdev); 1494 } 1495 1496 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1497 { 1498 struct hci_cp_add_sco *cp; 1499 struct hci_conn *acl, *sco; 1500 __u16 handle; 1501 1502 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1503 1504 if (!status) 1505 return; 1506 1507 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1508 if (!cp) 1509 return; 1510 1511 handle = __le16_to_cpu(cp->handle); 1512 1513 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1514 1515 hci_dev_lock(hdev); 1516 1517 acl = hci_conn_hash_lookup_handle(hdev, handle); 1518 if (acl) { 1519 sco = acl->link; 1520 if (sco) { 1521 sco->state = BT_CLOSED; 1522 1523 hci_connect_cfm(sco, status); 1524 hci_conn_del(sco); 1525 } 1526 } 1527 1528 hci_dev_unlock(hdev); 1529 } 1530 1531 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1532 { 1533 struct hci_cp_auth_requested *cp; 1534 struct hci_conn *conn; 1535 1536 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1537 1538 if (!status) 1539 return; 1540 1541 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1542 if (!cp) 1543 return; 1544 1545 hci_dev_lock(hdev); 1546 1547 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1548 if (conn) { 1549 if (conn->state == BT_CONFIG) { 1550 hci_connect_cfm(conn, status); 1551 hci_conn_drop(conn); 1552 } 1553 } 1554 1555 hci_dev_unlock(hdev); 1556 } 1557 1558 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1559 { 1560 struct hci_cp_set_conn_encrypt *cp; 1561 struct hci_conn *conn; 1562 1563 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1564 1565 if (!status) 1566 return; 1567 1568 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1569 if (!cp) 1570 return; 1571 1572 hci_dev_lock(hdev); 1573 1574 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1575 if (conn) { 1576 if (conn->state == BT_CONFIG) { 1577 hci_connect_cfm(conn, status); 1578 hci_conn_drop(conn); 1579 } 1580 } 1581 1582 hci_dev_unlock(hdev); 1583 } 1584 1585 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1586 struct hci_conn *conn) 1587 { 1588 if (conn->state != BT_CONFIG || !conn->out) 1589 return 0; 1590 1591 if (conn->pending_sec_level == BT_SECURITY_SDP) 1592 return 0; 1593 1594 /* Only request authentication for SSP connections or non-SSP 1595 * devices with sec_level MEDIUM or HIGH or if MITM protection 1596 * is requested. 1597 */ 1598 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1599 conn->pending_sec_level != BT_SECURITY_FIPS && 1600 conn->pending_sec_level != BT_SECURITY_HIGH && 1601 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1602 return 0; 1603 1604 return 1; 1605 } 1606 1607 static int hci_resolve_name(struct hci_dev *hdev, 1608 struct inquiry_entry *e) 1609 { 1610 struct hci_cp_remote_name_req cp; 1611 1612 memset(&cp, 0, sizeof(cp)); 1613 1614 bacpy(&cp.bdaddr, &e->data.bdaddr); 1615 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1616 cp.pscan_mode = e->data.pscan_mode; 1617 cp.clock_offset = e->data.clock_offset; 1618 1619 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 1620 } 1621 1622 static bool hci_resolve_next_name(struct hci_dev *hdev) 1623 { 1624 struct discovery_state *discov = &hdev->discovery; 1625 struct inquiry_entry *e; 1626 1627 if (list_empty(&discov->resolve)) 1628 return false; 1629 1630 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1631 if (!e) 1632 return false; 1633 1634 if (hci_resolve_name(hdev, e) == 0) { 1635 e->name_state = NAME_PENDING; 1636 return true; 1637 } 1638 1639 return false; 1640 } 1641 1642 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 1643 bdaddr_t *bdaddr, u8 *name, u8 name_len) 1644 { 1645 struct discovery_state *discov = &hdev->discovery; 1646 struct inquiry_entry *e; 1647 1648 /* Update the mgmt connected state if necessary. Be careful with 1649 * conn objects that exist but are not (yet) connected however. 1650 * Only those in BT_CONFIG or BT_CONNECTED states can be 1651 * considered connected. 1652 */ 1653 if (conn && 1654 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 1655 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1656 mgmt_device_connected(hdev, conn, 0, name, name_len); 1657 1658 if (discov->state == DISCOVERY_STOPPED) 1659 return; 1660 1661 if (discov->state == DISCOVERY_STOPPING) 1662 goto discov_complete; 1663 1664 if (discov->state != DISCOVERY_RESOLVING) 1665 return; 1666 1667 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 1668 /* If the device was not found in a list of found devices names of which 1669 * are pending. there is no need to continue resolving a next name as it 1670 * will be done upon receiving another Remote Name Request Complete 1671 * Event */ 1672 if (!e) 1673 return; 1674 1675 list_del(&e->list); 1676 if (name) { 1677 e->name_state = NAME_KNOWN; 1678 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 1679 e->data.rssi, name, name_len); 1680 } else { 1681 e->name_state = NAME_NOT_KNOWN; 1682 } 1683 1684 if (hci_resolve_next_name(hdev)) 1685 return; 1686 1687 discov_complete: 1688 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1689 } 1690 1691 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 1692 { 1693 struct hci_cp_remote_name_req *cp; 1694 struct hci_conn *conn; 1695 1696 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1697 1698 /* If successful wait for the name req complete event before 1699 * checking for the need to do authentication */ 1700 if (!status) 1701 return; 1702 1703 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 1704 if (!cp) 1705 return; 1706 1707 hci_dev_lock(hdev); 1708 1709 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1710 1711 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1712 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 1713 1714 if (!conn) 1715 goto unlock; 1716 1717 if (!hci_outgoing_auth_needed(hdev, conn)) 1718 goto unlock; 1719 1720 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 1721 struct hci_cp_auth_requested auth_cp; 1722 1723 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 1724 1725 auth_cp.handle = __cpu_to_le16(conn->handle); 1726 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 1727 sizeof(auth_cp), &auth_cp); 1728 } 1729 1730 unlock: 1731 hci_dev_unlock(hdev); 1732 } 1733 1734 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 1735 { 1736 struct hci_cp_read_remote_features *cp; 1737 struct hci_conn *conn; 1738 1739 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1740 1741 if (!status) 1742 return; 1743 1744 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 1745 if (!cp) 1746 return; 1747 1748 hci_dev_lock(hdev); 1749 1750 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1751 if (conn) { 1752 if (conn->state == BT_CONFIG) { 1753 hci_connect_cfm(conn, status); 1754 hci_conn_drop(conn); 1755 } 1756 } 1757 1758 hci_dev_unlock(hdev); 1759 } 1760 1761 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 1762 { 1763 struct hci_cp_read_remote_ext_features *cp; 1764 struct hci_conn *conn; 1765 1766 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1767 1768 if (!status) 1769 return; 1770 1771 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 1772 if (!cp) 1773 return; 1774 1775 hci_dev_lock(hdev); 1776 1777 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1778 if (conn) { 1779 if (conn->state == BT_CONFIG) { 1780 hci_connect_cfm(conn, status); 1781 hci_conn_drop(conn); 1782 } 1783 } 1784 1785 hci_dev_unlock(hdev); 1786 } 1787 1788 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 1789 { 1790 struct hci_cp_setup_sync_conn *cp; 1791 struct hci_conn *acl, *sco; 1792 __u16 handle; 1793 1794 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1795 1796 if (!status) 1797 return; 1798 1799 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 1800 if (!cp) 1801 return; 1802 1803 handle = __le16_to_cpu(cp->handle); 1804 1805 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1806 1807 hci_dev_lock(hdev); 1808 1809 acl = hci_conn_hash_lookup_handle(hdev, handle); 1810 if (acl) { 1811 sco = acl->link; 1812 if (sco) { 1813 sco->state = BT_CLOSED; 1814 1815 hci_connect_cfm(sco, status); 1816 hci_conn_del(sco); 1817 } 1818 } 1819 1820 hci_dev_unlock(hdev); 1821 } 1822 1823 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 1824 { 1825 struct hci_cp_sniff_mode *cp; 1826 struct hci_conn *conn; 1827 1828 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1829 1830 if (!status) 1831 return; 1832 1833 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 1834 if (!cp) 1835 return; 1836 1837 hci_dev_lock(hdev); 1838 1839 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1840 if (conn) { 1841 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1842 1843 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1844 hci_sco_setup(conn, status); 1845 } 1846 1847 hci_dev_unlock(hdev); 1848 } 1849 1850 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 1851 { 1852 struct hci_cp_exit_sniff_mode *cp; 1853 struct hci_conn *conn; 1854 1855 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1856 1857 if (!status) 1858 return; 1859 1860 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 1861 if (!cp) 1862 return; 1863 1864 hci_dev_lock(hdev); 1865 1866 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1867 if (conn) { 1868 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1869 1870 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1871 hci_sco_setup(conn, status); 1872 } 1873 1874 hci_dev_unlock(hdev); 1875 } 1876 1877 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 1878 { 1879 struct hci_cp_disconnect *cp; 1880 struct hci_conn *conn; 1881 1882 if (!status) 1883 return; 1884 1885 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 1886 if (!cp) 1887 return; 1888 1889 hci_dev_lock(hdev); 1890 1891 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1892 if (conn) 1893 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 1894 conn->dst_type, status); 1895 1896 hci_dev_unlock(hdev); 1897 } 1898 1899 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 1900 { 1901 struct hci_cp_le_create_conn *cp; 1902 struct hci_conn *conn; 1903 1904 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1905 1906 /* All connection failure handling is taken care of by the 1907 * hci_le_conn_failed function which is triggered by the HCI 1908 * request completion callbacks used for connecting. 1909 */ 1910 if (status) 1911 return; 1912 1913 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 1914 if (!cp) 1915 return; 1916 1917 hci_dev_lock(hdev); 1918 1919 conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr, 1920 cp->peer_addr_type); 1921 if (!conn) 1922 goto unlock; 1923 1924 /* Store the initiator and responder address information which 1925 * is needed for SMP. These values will not change during the 1926 * lifetime of the connection. 1927 */ 1928 conn->init_addr_type = cp->own_address_type; 1929 if (cp->own_address_type == ADDR_LE_DEV_RANDOM) 1930 bacpy(&conn->init_addr, &hdev->random_addr); 1931 else 1932 bacpy(&conn->init_addr, &hdev->bdaddr); 1933 1934 conn->resp_addr_type = cp->peer_addr_type; 1935 bacpy(&conn->resp_addr, &cp->peer_addr); 1936 1937 /* We don't want the connection attempt to stick around 1938 * indefinitely since LE doesn't have a page timeout concept 1939 * like BR/EDR. Set a timer for any connection that doesn't use 1940 * the white list for connecting. 1941 */ 1942 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR) 1943 queue_delayed_work(conn->hdev->workqueue, 1944 &conn->le_conn_timeout, 1945 conn->conn_timeout); 1946 1947 unlock: 1948 hci_dev_unlock(hdev); 1949 } 1950 1951 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 1952 { 1953 struct hci_cp_le_read_remote_features *cp; 1954 struct hci_conn *conn; 1955 1956 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1957 1958 if (!status) 1959 return; 1960 1961 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 1962 if (!cp) 1963 return; 1964 1965 hci_dev_lock(hdev); 1966 1967 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1968 if (conn) { 1969 if (conn->state == BT_CONFIG) { 1970 hci_connect_cfm(conn, status); 1971 hci_conn_drop(conn); 1972 } 1973 } 1974 1975 hci_dev_unlock(hdev); 1976 } 1977 1978 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 1979 { 1980 struct hci_cp_le_start_enc *cp; 1981 struct hci_conn *conn; 1982 1983 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1984 1985 if (!status) 1986 return; 1987 1988 hci_dev_lock(hdev); 1989 1990 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 1991 if (!cp) 1992 goto unlock; 1993 1994 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1995 if (!conn) 1996 goto unlock; 1997 1998 if (conn->state != BT_CONNECTED) 1999 goto unlock; 2000 2001 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2002 hci_conn_drop(conn); 2003 2004 unlock: 2005 hci_dev_unlock(hdev); 2006 } 2007 2008 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2009 { 2010 struct hci_cp_switch_role *cp; 2011 struct hci_conn *conn; 2012 2013 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2014 2015 if (!status) 2016 return; 2017 2018 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2019 if (!cp) 2020 return; 2021 2022 hci_dev_lock(hdev); 2023 2024 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2025 if (conn) 2026 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2027 2028 hci_dev_unlock(hdev); 2029 } 2030 2031 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2032 { 2033 __u8 status = *((__u8 *) skb->data); 2034 struct discovery_state *discov = &hdev->discovery; 2035 struct inquiry_entry *e; 2036 2037 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2038 2039 hci_conn_check_pending(hdev); 2040 2041 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2042 return; 2043 2044 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2045 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2046 2047 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2048 return; 2049 2050 hci_dev_lock(hdev); 2051 2052 if (discov->state != DISCOVERY_FINDING) 2053 goto unlock; 2054 2055 if (list_empty(&discov->resolve)) { 2056 /* When BR/EDR inquiry is active and no LE scanning is in 2057 * progress, then change discovery state to indicate completion. 2058 * 2059 * When running LE scanning and BR/EDR inquiry simultaneously 2060 * and the LE scan already finished, then change the discovery 2061 * state to indicate completion. 2062 */ 2063 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2064 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2065 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2066 goto unlock; 2067 } 2068 2069 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2070 if (e && hci_resolve_name(hdev, e) == 0) { 2071 e->name_state = NAME_PENDING; 2072 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2073 } else { 2074 /* When BR/EDR inquiry is active and no LE scanning is in 2075 * progress, then change discovery state to indicate completion. 2076 * 2077 * When running LE scanning and BR/EDR inquiry simultaneously 2078 * and the LE scan already finished, then change the discovery 2079 * state to indicate completion. 2080 */ 2081 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2082 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2083 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2084 } 2085 2086 unlock: 2087 hci_dev_unlock(hdev); 2088 } 2089 2090 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2091 { 2092 struct inquiry_data data; 2093 struct inquiry_info *info = (void *) (skb->data + 1); 2094 int num_rsp = *((__u8 *) skb->data); 2095 2096 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2097 2098 if (!num_rsp) 2099 return; 2100 2101 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2102 return; 2103 2104 hci_dev_lock(hdev); 2105 2106 for (; num_rsp; num_rsp--, info++) { 2107 u32 flags; 2108 2109 bacpy(&data.bdaddr, &info->bdaddr); 2110 data.pscan_rep_mode = info->pscan_rep_mode; 2111 data.pscan_period_mode = info->pscan_period_mode; 2112 data.pscan_mode = info->pscan_mode; 2113 memcpy(data.dev_class, info->dev_class, 3); 2114 data.clock_offset = info->clock_offset; 2115 data.rssi = HCI_RSSI_INVALID; 2116 data.ssp_mode = 0x00; 2117 2118 flags = hci_inquiry_cache_update(hdev, &data, false); 2119 2120 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2121 info->dev_class, HCI_RSSI_INVALID, 2122 flags, NULL, 0, NULL, 0); 2123 } 2124 2125 hci_dev_unlock(hdev); 2126 } 2127 2128 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2129 { 2130 struct hci_ev_conn_complete *ev = (void *) skb->data; 2131 struct hci_conn *conn; 2132 2133 BT_DBG("%s", hdev->name); 2134 2135 hci_dev_lock(hdev); 2136 2137 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2138 if (!conn) { 2139 if (ev->link_type != SCO_LINK) 2140 goto unlock; 2141 2142 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 2143 if (!conn) 2144 goto unlock; 2145 2146 conn->type = SCO_LINK; 2147 } 2148 2149 if (!ev->status) { 2150 conn->handle = __le16_to_cpu(ev->handle); 2151 2152 if (conn->type == ACL_LINK) { 2153 conn->state = BT_CONFIG; 2154 hci_conn_hold(conn); 2155 2156 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2157 !hci_find_link_key(hdev, &ev->bdaddr)) 2158 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2159 else 2160 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2161 } else 2162 conn->state = BT_CONNECTED; 2163 2164 hci_debugfs_create_conn(conn); 2165 hci_conn_add_sysfs(conn); 2166 2167 if (test_bit(HCI_AUTH, &hdev->flags)) 2168 set_bit(HCI_CONN_AUTH, &conn->flags); 2169 2170 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2171 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2172 2173 /* Get remote features */ 2174 if (conn->type == ACL_LINK) { 2175 struct hci_cp_read_remote_features cp; 2176 cp.handle = ev->handle; 2177 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2178 sizeof(cp), &cp); 2179 2180 hci_req_update_scan(hdev); 2181 } 2182 2183 /* Set packet type for incoming connection */ 2184 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2185 struct hci_cp_change_conn_ptype cp; 2186 cp.handle = ev->handle; 2187 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2188 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2189 &cp); 2190 } 2191 } else { 2192 conn->state = BT_CLOSED; 2193 if (conn->type == ACL_LINK) 2194 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2195 conn->dst_type, ev->status); 2196 } 2197 2198 if (conn->type == ACL_LINK) 2199 hci_sco_setup(conn, ev->status); 2200 2201 if (ev->status) { 2202 hci_connect_cfm(conn, ev->status); 2203 hci_conn_del(conn); 2204 } else if (ev->link_type != ACL_LINK) 2205 hci_connect_cfm(conn, ev->status); 2206 2207 unlock: 2208 hci_dev_unlock(hdev); 2209 2210 hci_conn_check_pending(hdev); 2211 } 2212 2213 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2214 { 2215 struct hci_cp_reject_conn_req cp; 2216 2217 bacpy(&cp.bdaddr, bdaddr); 2218 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2219 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2220 } 2221 2222 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2223 { 2224 struct hci_ev_conn_request *ev = (void *) skb->data; 2225 int mask = hdev->link_mode; 2226 struct inquiry_entry *ie; 2227 struct hci_conn *conn; 2228 __u8 flags = 0; 2229 2230 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2231 ev->link_type); 2232 2233 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2234 &flags); 2235 2236 if (!(mask & HCI_LM_ACCEPT)) { 2237 hci_reject_conn(hdev, &ev->bdaddr); 2238 return; 2239 } 2240 2241 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2242 BDADDR_BREDR)) { 2243 hci_reject_conn(hdev, &ev->bdaddr); 2244 return; 2245 } 2246 2247 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2248 * connection. These features are only touched through mgmt so 2249 * only do the checks if HCI_MGMT is set. 2250 */ 2251 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2252 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2253 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr, 2254 BDADDR_BREDR)) { 2255 hci_reject_conn(hdev, &ev->bdaddr); 2256 return; 2257 } 2258 2259 /* Connection accepted */ 2260 2261 hci_dev_lock(hdev); 2262 2263 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2264 if (ie) 2265 memcpy(ie->data.dev_class, ev->dev_class, 3); 2266 2267 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2268 &ev->bdaddr); 2269 if (!conn) { 2270 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2271 HCI_ROLE_SLAVE); 2272 if (!conn) { 2273 bt_dev_err(hdev, "no memory for new connection"); 2274 hci_dev_unlock(hdev); 2275 return; 2276 } 2277 } 2278 2279 memcpy(conn->dev_class, ev->dev_class, 3); 2280 2281 hci_dev_unlock(hdev); 2282 2283 if (ev->link_type == ACL_LINK || 2284 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2285 struct hci_cp_accept_conn_req cp; 2286 conn->state = BT_CONNECT; 2287 2288 bacpy(&cp.bdaddr, &ev->bdaddr); 2289 2290 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2291 cp.role = 0x00; /* Become master */ 2292 else 2293 cp.role = 0x01; /* Remain slave */ 2294 2295 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2296 } else if (!(flags & HCI_PROTO_DEFER)) { 2297 struct hci_cp_accept_sync_conn_req cp; 2298 conn->state = BT_CONNECT; 2299 2300 bacpy(&cp.bdaddr, &ev->bdaddr); 2301 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2302 2303 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2304 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2305 cp.max_latency = cpu_to_le16(0xffff); 2306 cp.content_format = cpu_to_le16(hdev->voice_setting); 2307 cp.retrans_effort = 0xff; 2308 2309 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2310 &cp); 2311 } else { 2312 conn->state = BT_CONNECT2; 2313 hci_connect_cfm(conn, 0); 2314 } 2315 } 2316 2317 static u8 hci_to_mgmt_reason(u8 err) 2318 { 2319 switch (err) { 2320 case HCI_ERROR_CONNECTION_TIMEOUT: 2321 return MGMT_DEV_DISCONN_TIMEOUT; 2322 case HCI_ERROR_REMOTE_USER_TERM: 2323 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2324 case HCI_ERROR_REMOTE_POWER_OFF: 2325 return MGMT_DEV_DISCONN_REMOTE; 2326 case HCI_ERROR_LOCAL_HOST_TERM: 2327 return MGMT_DEV_DISCONN_LOCAL_HOST; 2328 default: 2329 return MGMT_DEV_DISCONN_UNKNOWN; 2330 } 2331 } 2332 2333 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2334 { 2335 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2336 u8 reason; 2337 struct hci_conn_params *params; 2338 struct hci_conn *conn; 2339 bool mgmt_connected; 2340 u8 type; 2341 2342 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2343 2344 hci_dev_lock(hdev); 2345 2346 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2347 if (!conn) 2348 goto unlock; 2349 2350 if (ev->status) { 2351 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2352 conn->dst_type, ev->status); 2353 goto unlock; 2354 } 2355 2356 conn->state = BT_CLOSED; 2357 2358 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2359 2360 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 2361 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 2362 else 2363 reason = hci_to_mgmt_reason(ev->reason); 2364 2365 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2366 reason, mgmt_connected); 2367 2368 if (conn->type == ACL_LINK) { 2369 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2370 hci_remove_link_key(hdev, &conn->dst); 2371 2372 hci_req_update_scan(hdev); 2373 } 2374 2375 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2376 if (params) { 2377 switch (params->auto_connect) { 2378 case HCI_AUTO_CONN_LINK_LOSS: 2379 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2380 break; 2381 /* Fall through */ 2382 2383 case HCI_AUTO_CONN_DIRECT: 2384 case HCI_AUTO_CONN_ALWAYS: 2385 list_del_init(¶ms->action); 2386 list_add(¶ms->action, &hdev->pend_le_conns); 2387 hci_update_background_scan(hdev); 2388 break; 2389 2390 default: 2391 break; 2392 } 2393 } 2394 2395 type = conn->type; 2396 2397 hci_disconn_cfm(conn, ev->reason); 2398 hci_conn_del(conn); 2399 2400 /* Re-enable advertising if necessary, since it might 2401 * have been disabled by the connection. From the 2402 * HCI_LE_Set_Advertise_Enable command description in 2403 * the core specification (v4.0): 2404 * "The Controller shall continue advertising until the Host 2405 * issues an LE_Set_Advertise_Enable command with 2406 * Advertising_Enable set to 0x00 (Advertising is disabled) 2407 * or until a connection is created or until the Advertising 2408 * is timed out due to Directed Advertising." 2409 */ 2410 if (type == LE_LINK) 2411 hci_req_reenable_advertising(hdev); 2412 2413 unlock: 2414 hci_dev_unlock(hdev); 2415 } 2416 2417 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2418 { 2419 struct hci_ev_auth_complete *ev = (void *) skb->data; 2420 struct hci_conn *conn; 2421 2422 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2423 2424 hci_dev_lock(hdev); 2425 2426 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2427 if (!conn) 2428 goto unlock; 2429 2430 if (!ev->status) { 2431 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2432 2433 if (!hci_conn_ssp_enabled(conn) && 2434 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2435 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 2436 } else { 2437 set_bit(HCI_CONN_AUTH, &conn->flags); 2438 conn->sec_level = conn->pending_sec_level; 2439 } 2440 } else { 2441 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2442 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2443 2444 mgmt_auth_failed(conn, ev->status); 2445 } 2446 2447 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2448 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2449 2450 if (conn->state == BT_CONFIG) { 2451 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2452 struct hci_cp_set_conn_encrypt cp; 2453 cp.handle = ev->handle; 2454 cp.encrypt = 0x01; 2455 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2456 &cp); 2457 } else { 2458 conn->state = BT_CONNECTED; 2459 hci_connect_cfm(conn, ev->status); 2460 hci_conn_drop(conn); 2461 } 2462 } else { 2463 hci_auth_cfm(conn, ev->status); 2464 2465 hci_conn_hold(conn); 2466 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2467 hci_conn_drop(conn); 2468 } 2469 2470 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2471 if (!ev->status) { 2472 struct hci_cp_set_conn_encrypt cp; 2473 cp.handle = ev->handle; 2474 cp.encrypt = 0x01; 2475 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2476 &cp); 2477 } else { 2478 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2479 hci_encrypt_cfm(conn, ev->status, 0x00); 2480 } 2481 } 2482 2483 unlock: 2484 hci_dev_unlock(hdev); 2485 } 2486 2487 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2488 { 2489 struct hci_ev_remote_name *ev = (void *) skb->data; 2490 struct hci_conn *conn; 2491 2492 BT_DBG("%s", hdev->name); 2493 2494 hci_conn_check_pending(hdev); 2495 2496 hci_dev_lock(hdev); 2497 2498 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2499 2500 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2501 goto check_auth; 2502 2503 if (ev->status == 0) 2504 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2505 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2506 else 2507 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2508 2509 check_auth: 2510 if (!conn) 2511 goto unlock; 2512 2513 if (!hci_outgoing_auth_needed(hdev, conn)) 2514 goto unlock; 2515 2516 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2517 struct hci_cp_auth_requested cp; 2518 2519 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2520 2521 cp.handle = __cpu_to_le16(conn->handle); 2522 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2523 } 2524 2525 unlock: 2526 hci_dev_unlock(hdev); 2527 } 2528 2529 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 2530 u16 opcode, struct sk_buff *skb) 2531 { 2532 const struct hci_rp_read_enc_key_size *rp; 2533 struct hci_conn *conn; 2534 u16 handle; 2535 2536 BT_DBG("%s status 0x%02x", hdev->name, status); 2537 2538 if (!skb || skb->len < sizeof(*rp)) { 2539 bt_dev_err(hdev, "invalid read key size response"); 2540 return; 2541 } 2542 2543 rp = (void *)skb->data; 2544 handle = le16_to_cpu(rp->handle); 2545 2546 hci_dev_lock(hdev); 2547 2548 conn = hci_conn_hash_lookup_handle(hdev, handle); 2549 if (!conn) 2550 goto unlock; 2551 2552 /* If we fail to read the encryption key size, assume maximum 2553 * (which is the same we do also when this HCI command isn't 2554 * supported. 2555 */ 2556 if (rp->status) { 2557 bt_dev_err(hdev, "failed to read key size for handle %u", 2558 handle); 2559 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2560 } else { 2561 conn->enc_key_size = rp->key_size; 2562 } 2563 2564 if (conn->state == BT_CONFIG) { 2565 conn->state = BT_CONNECTED; 2566 hci_connect_cfm(conn, 0); 2567 hci_conn_drop(conn); 2568 } else { 2569 u8 encrypt; 2570 2571 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2572 encrypt = 0x00; 2573 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags)) 2574 encrypt = 0x02; 2575 else 2576 encrypt = 0x01; 2577 2578 hci_encrypt_cfm(conn, 0, encrypt); 2579 } 2580 2581 unlock: 2582 hci_dev_unlock(hdev); 2583 } 2584 2585 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2586 { 2587 struct hci_ev_encrypt_change *ev = (void *) skb->data; 2588 struct hci_conn *conn; 2589 2590 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2591 2592 hci_dev_lock(hdev); 2593 2594 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2595 if (!conn) 2596 goto unlock; 2597 2598 if (!ev->status) { 2599 if (ev->encrypt) { 2600 /* Encryption implies authentication */ 2601 set_bit(HCI_CONN_AUTH, &conn->flags); 2602 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2603 conn->sec_level = conn->pending_sec_level; 2604 2605 /* P-256 authentication key implies FIPS */ 2606 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 2607 set_bit(HCI_CONN_FIPS, &conn->flags); 2608 2609 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 2610 conn->type == LE_LINK) 2611 set_bit(HCI_CONN_AES_CCM, &conn->flags); 2612 } else { 2613 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 2614 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 2615 } 2616 } 2617 2618 /* We should disregard the current RPA and generate a new one 2619 * whenever the encryption procedure fails. 2620 */ 2621 if (ev->status && conn->type == LE_LINK) 2622 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 2623 2624 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2625 2626 if (ev->status && conn->state == BT_CONNECTED) { 2627 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2628 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2629 2630 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2631 hci_conn_drop(conn); 2632 goto unlock; 2633 } 2634 2635 /* In Secure Connections Only mode, do not allow any connections 2636 * that are not encrypted with AES-CCM using a P-256 authenticated 2637 * combination key. 2638 */ 2639 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && 2640 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2641 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 2642 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 2643 hci_conn_drop(conn); 2644 goto unlock; 2645 } 2646 2647 /* Try reading the encryption key size for encrypted ACL links */ 2648 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 2649 struct hci_cp_read_enc_key_size cp; 2650 struct hci_request req; 2651 2652 /* Only send HCI_Read_Encryption_Key_Size if the 2653 * controller really supports it. If it doesn't, assume 2654 * the default size (16). 2655 */ 2656 if (!(hdev->commands[20] & 0x10)) { 2657 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2658 goto notify; 2659 } 2660 2661 hci_req_init(&req, hdev); 2662 2663 cp.handle = cpu_to_le16(conn->handle); 2664 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 2665 2666 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 2667 bt_dev_err(hdev, "sending read key size failed"); 2668 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2669 goto notify; 2670 } 2671 2672 goto unlock; 2673 } 2674 2675 notify: 2676 if (conn->state == BT_CONFIG) { 2677 if (!ev->status) 2678 conn->state = BT_CONNECTED; 2679 2680 hci_connect_cfm(conn, ev->status); 2681 hci_conn_drop(conn); 2682 } else 2683 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2684 2685 unlock: 2686 hci_dev_unlock(hdev); 2687 } 2688 2689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 2690 struct sk_buff *skb) 2691 { 2692 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 2693 struct hci_conn *conn; 2694 2695 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2696 2697 hci_dev_lock(hdev); 2698 2699 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2700 if (conn) { 2701 if (!ev->status) 2702 set_bit(HCI_CONN_SECURE, &conn->flags); 2703 2704 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2705 2706 hci_key_change_cfm(conn, ev->status); 2707 } 2708 2709 hci_dev_unlock(hdev); 2710 } 2711 2712 static void hci_remote_features_evt(struct hci_dev *hdev, 2713 struct sk_buff *skb) 2714 { 2715 struct hci_ev_remote_features *ev = (void *) skb->data; 2716 struct hci_conn *conn; 2717 2718 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2719 2720 hci_dev_lock(hdev); 2721 2722 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2723 if (!conn) 2724 goto unlock; 2725 2726 if (!ev->status) 2727 memcpy(conn->features[0], ev->features, 8); 2728 2729 if (conn->state != BT_CONFIG) 2730 goto unlock; 2731 2732 if (!ev->status && lmp_ext_feat_capable(hdev) && 2733 lmp_ext_feat_capable(conn)) { 2734 struct hci_cp_read_remote_ext_features cp; 2735 cp.handle = ev->handle; 2736 cp.page = 0x01; 2737 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 2738 sizeof(cp), &cp); 2739 goto unlock; 2740 } 2741 2742 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 2743 struct hci_cp_remote_name_req cp; 2744 memset(&cp, 0, sizeof(cp)); 2745 bacpy(&cp.bdaddr, &conn->dst); 2746 cp.pscan_rep_mode = 0x02; 2747 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2748 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2749 mgmt_device_connected(hdev, conn, 0, NULL, 0); 2750 2751 if (!hci_outgoing_auth_needed(hdev, conn)) { 2752 conn->state = BT_CONNECTED; 2753 hci_connect_cfm(conn, ev->status); 2754 hci_conn_drop(conn); 2755 } 2756 2757 unlock: 2758 hci_dev_unlock(hdev); 2759 } 2760 2761 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 2762 u16 *opcode, u8 *status, 2763 hci_req_complete_t *req_complete, 2764 hci_req_complete_skb_t *req_complete_skb) 2765 { 2766 struct hci_ev_cmd_complete *ev = (void *) skb->data; 2767 2768 *opcode = __le16_to_cpu(ev->opcode); 2769 *status = skb->data[sizeof(*ev)]; 2770 2771 skb_pull(skb, sizeof(*ev)); 2772 2773 switch (*opcode) { 2774 case HCI_OP_INQUIRY_CANCEL: 2775 hci_cc_inquiry_cancel(hdev, skb); 2776 break; 2777 2778 case HCI_OP_PERIODIC_INQ: 2779 hci_cc_periodic_inq(hdev, skb); 2780 break; 2781 2782 case HCI_OP_EXIT_PERIODIC_INQ: 2783 hci_cc_exit_periodic_inq(hdev, skb); 2784 break; 2785 2786 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 2787 hci_cc_remote_name_req_cancel(hdev, skb); 2788 break; 2789 2790 case HCI_OP_ROLE_DISCOVERY: 2791 hci_cc_role_discovery(hdev, skb); 2792 break; 2793 2794 case HCI_OP_READ_LINK_POLICY: 2795 hci_cc_read_link_policy(hdev, skb); 2796 break; 2797 2798 case HCI_OP_WRITE_LINK_POLICY: 2799 hci_cc_write_link_policy(hdev, skb); 2800 break; 2801 2802 case HCI_OP_READ_DEF_LINK_POLICY: 2803 hci_cc_read_def_link_policy(hdev, skb); 2804 break; 2805 2806 case HCI_OP_WRITE_DEF_LINK_POLICY: 2807 hci_cc_write_def_link_policy(hdev, skb); 2808 break; 2809 2810 case HCI_OP_RESET: 2811 hci_cc_reset(hdev, skb); 2812 break; 2813 2814 case HCI_OP_READ_STORED_LINK_KEY: 2815 hci_cc_read_stored_link_key(hdev, skb); 2816 break; 2817 2818 case HCI_OP_DELETE_STORED_LINK_KEY: 2819 hci_cc_delete_stored_link_key(hdev, skb); 2820 break; 2821 2822 case HCI_OP_WRITE_LOCAL_NAME: 2823 hci_cc_write_local_name(hdev, skb); 2824 break; 2825 2826 case HCI_OP_READ_LOCAL_NAME: 2827 hci_cc_read_local_name(hdev, skb); 2828 break; 2829 2830 case HCI_OP_WRITE_AUTH_ENABLE: 2831 hci_cc_write_auth_enable(hdev, skb); 2832 break; 2833 2834 case HCI_OP_WRITE_ENCRYPT_MODE: 2835 hci_cc_write_encrypt_mode(hdev, skb); 2836 break; 2837 2838 case HCI_OP_WRITE_SCAN_ENABLE: 2839 hci_cc_write_scan_enable(hdev, skb); 2840 break; 2841 2842 case HCI_OP_READ_CLASS_OF_DEV: 2843 hci_cc_read_class_of_dev(hdev, skb); 2844 break; 2845 2846 case HCI_OP_WRITE_CLASS_OF_DEV: 2847 hci_cc_write_class_of_dev(hdev, skb); 2848 break; 2849 2850 case HCI_OP_READ_VOICE_SETTING: 2851 hci_cc_read_voice_setting(hdev, skb); 2852 break; 2853 2854 case HCI_OP_WRITE_VOICE_SETTING: 2855 hci_cc_write_voice_setting(hdev, skb); 2856 break; 2857 2858 case HCI_OP_READ_NUM_SUPPORTED_IAC: 2859 hci_cc_read_num_supported_iac(hdev, skb); 2860 break; 2861 2862 case HCI_OP_WRITE_SSP_MODE: 2863 hci_cc_write_ssp_mode(hdev, skb); 2864 break; 2865 2866 case HCI_OP_WRITE_SC_SUPPORT: 2867 hci_cc_write_sc_support(hdev, skb); 2868 break; 2869 2870 case HCI_OP_READ_LOCAL_VERSION: 2871 hci_cc_read_local_version(hdev, skb); 2872 break; 2873 2874 case HCI_OP_READ_LOCAL_COMMANDS: 2875 hci_cc_read_local_commands(hdev, skb); 2876 break; 2877 2878 case HCI_OP_READ_LOCAL_FEATURES: 2879 hci_cc_read_local_features(hdev, skb); 2880 break; 2881 2882 case HCI_OP_READ_LOCAL_EXT_FEATURES: 2883 hci_cc_read_local_ext_features(hdev, skb); 2884 break; 2885 2886 case HCI_OP_READ_BUFFER_SIZE: 2887 hci_cc_read_buffer_size(hdev, skb); 2888 break; 2889 2890 case HCI_OP_READ_BD_ADDR: 2891 hci_cc_read_bd_addr(hdev, skb); 2892 break; 2893 2894 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 2895 hci_cc_read_page_scan_activity(hdev, skb); 2896 break; 2897 2898 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 2899 hci_cc_write_page_scan_activity(hdev, skb); 2900 break; 2901 2902 case HCI_OP_READ_PAGE_SCAN_TYPE: 2903 hci_cc_read_page_scan_type(hdev, skb); 2904 break; 2905 2906 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 2907 hci_cc_write_page_scan_type(hdev, skb); 2908 break; 2909 2910 case HCI_OP_READ_DATA_BLOCK_SIZE: 2911 hci_cc_read_data_block_size(hdev, skb); 2912 break; 2913 2914 case HCI_OP_READ_FLOW_CONTROL_MODE: 2915 hci_cc_read_flow_control_mode(hdev, skb); 2916 break; 2917 2918 case HCI_OP_READ_LOCAL_AMP_INFO: 2919 hci_cc_read_local_amp_info(hdev, skb); 2920 break; 2921 2922 case HCI_OP_READ_CLOCK: 2923 hci_cc_read_clock(hdev, skb); 2924 break; 2925 2926 case HCI_OP_READ_INQ_RSP_TX_POWER: 2927 hci_cc_read_inq_rsp_tx_power(hdev, skb); 2928 break; 2929 2930 case HCI_OP_PIN_CODE_REPLY: 2931 hci_cc_pin_code_reply(hdev, skb); 2932 break; 2933 2934 case HCI_OP_PIN_CODE_NEG_REPLY: 2935 hci_cc_pin_code_neg_reply(hdev, skb); 2936 break; 2937 2938 case HCI_OP_READ_LOCAL_OOB_DATA: 2939 hci_cc_read_local_oob_data(hdev, skb); 2940 break; 2941 2942 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 2943 hci_cc_read_local_oob_ext_data(hdev, skb); 2944 break; 2945 2946 case HCI_OP_LE_READ_BUFFER_SIZE: 2947 hci_cc_le_read_buffer_size(hdev, skb); 2948 break; 2949 2950 case HCI_OP_LE_READ_LOCAL_FEATURES: 2951 hci_cc_le_read_local_features(hdev, skb); 2952 break; 2953 2954 case HCI_OP_LE_READ_ADV_TX_POWER: 2955 hci_cc_le_read_adv_tx_power(hdev, skb); 2956 break; 2957 2958 case HCI_OP_USER_CONFIRM_REPLY: 2959 hci_cc_user_confirm_reply(hdev, skb); 2960 break; 2961 2962 case HCI_OP_USER_CONFIRM_NEG_REPLY: 2963 hci_cc_user_confirm_neg_reply(hdev, skb); 2964 break; 2965 2966 case HCI_OP_USER_PASSKEY_REPLY: 2967 hci_cc_user_passkey_reply(hdev, skb); 2968 break; 2969 2970 case HCI_OP_USER_PASSKEY_NEG_REPLY: 2971 hci_cc_user_passkey_neg_reply(hdev, skb); 2972 break; 2973 2974 case HCI_OP_LE_SET_RANDOM_ADDR: 2975 hci_cc_le_set_random_addr(hdev, skb); 2976 break; 2977 2978 case HCI_OP_LE_SET_ADV_ENABLE: 2979 hci_cc_le_set_adv_enable(hdev, skb); 2980 break; 2981 2982 case HCI_OP_LE_SET_SCAN_PARAM: 2983 hci_cc_le_set_scan_param(hdev, skb); 2984 break; 2985 2986 case HCI_OP_LE_SET_SCAN_ENABLE: 2987 hci_cc_le_set_scan_enable(hdev, skb); 2988 break; 2989 2990 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 2991 hci_cc_le_read_white_list_size(hdev, skb); 2992 break; 2993 2994 case HCI_OP_LE_CLEAR_WHITE_LIST: 2995 hci_cc_le_clear_white_list(hdev, skb); 2996 break; 2997 2998 case HCI_OP_LE_ADD_TO_WHITE_LIST: 2999 hci_cc_le_add_to_white_list(hdev, skb); 3000 break; 3001 3002 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 3003 hci_cc_le_del_from_white_list(hdev, skb); 3004 break; 3005 3006 case HCI_OP_LE_READ_SUPPORTED_STATES: 3007 hci_cc_le_read_supported_states(hdev, skb); 3008 break; 3009 3010 case HCI_OP_LE_READ_DEF_DATA_LEN: 3011 hci_cc_le_read_def_data_len(hdev, skb); 3012 break; 3013 3014 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3015 hci_cc_le_write_def_data_len(hdev, skb); 3016 break; 3017 3018 case HCI_OP_LE_READ_MAX_DATA_LEN: 3019 hci_cc_le_read_max_data_len(hdev, skb); 3020 break; 3021 3022 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3023 hci_cc_write_le_host_supported(hdev, skb); 3024 break; 3025 3026 case HCI_OP_LE_SET_ADV_PARAM: 3027 hci_cc_set_adv_param(hdev, skb); 3028 break; 3029 3030 case HCI_OP_READ_RSSI: 3031 hci_cc_read_rssi(hdev, skb); 3032 break; 3033 3034 case HCI_OP_READ_TX_POWER: 3035 hci_cc_read_tx_power(hdev, skb); 3036 break; 3037 3038 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3039 hci_cc_write_ssp_debug_mode(hdev, skb); 3040 break; 3041 3042 default: 3043 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3044 break; 3045 } 3046 3047 if (*opcode != HCI_OP_NOP) 3048 cancel_delayed_work(&hdev->cmd_timer); 3049 3050 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3051 atomic_set(&hdev->cmd_cnt, 1); 3052 3053 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3054 req_complete_skb); 3055 3056 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3057 queue_work(hdev->workqueue, &hdev->cmd_work); 3058 } 3059 3060 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3061 u16 *opcode, u8 *status, 3062 hci_req_complete_t *req_complete, 3063 hci_req_complete_skb_t *req_complete_skb) 3064 { 3065 struct hci_ev_cmd_status *ev = (void *) skb->data; 3066 3067 skb_pull(skb, sizeof(*ev)); 3068 3069 *opcode = __le16_to_cpu(ev->opcode); 3070 *status = ev->status; 3071 3072 switch (*opcode) { 3073 case HCI_OP_INQUIRY: 3074 hci_cs_inquiry(hdev, ev->status); 3075 break; 3076 3077 case HCI_OP_CREATE_CONN: 3078 hci_cs_create_conn(hdev, ev->status); 3079 break; 3080 3081 case HCI_OP_DISCONNECT: 3082 hci_cs_disconnect(hdev, ev->status); 3083 break; 3084 3085 case HCI_OP_ADD_SCO: 3086 hci_cs_add_sco(hdev, ev->status); 3087 break; 3088 3089 case HCI_OP_AUTH_REQUESTED: 3090 hci_cs_auth_requested(hdev, ev->status); 3091 break; 3092 3093 case HCI_OP_SET_CONN_ENCRYPT: 3094 hci_cs_set_conn_encrypt(hdev, ev->status); 3095 break; 3096 3097 case HCI_OP_REMOTE_NAME_REQ: 3098 hci_cs_remote_name_req(hdev, ev->status); 3099 break; 3100 3101 case HCI_OP_READ_REMOTE_FEATURES: 3102 hci_cs_read_remote_features(hdev, ev->status); 3103 break; 3104 3105 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3106 hci_cs_read_remote_ext_features(hdev, ev->status); 3107 break; 3108 3109 case HCI_OP_SETUP_SYNC_CONN: 3110 hci_cs_setup_sync_conn(hdev, ev->status); 3111 break; 3112 3113 case HCI_OP_SNIFF_MODE: 3114 hci_cs_sniff_mode(hdev, ev->status); 3115 break; 3116 3117 case HCI_OP_EXIT_SNIFF_MODE: 3118 hci_cs_exit_sniff_mode(hdev, ev->status); 3119 break; 3120 3121 case HCI_OP_SWITCH_ROLE: 3122 hci_cs_switch_role(hdev, ev->status); 3123 break; 3124 3125 case HCI_OP_LE_CREATE_CONN: 3126 hci_cs_le_create_conn(hdev, ev->status); 3127 break; 3128 3129 case HCI_OP_LE_READ_REMOTE_FEATURES: 3130 hci_cs_le_read_remote_features(hdev, ev->status); 3131 break; 3132 3133 case HCI_OP_LE_START_ENC: 3134 hci_cs_le_start_enc(hdev, ev->status); 3135 break; 3136 3137 default: 3138 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3139 break; 3140 } 3141 3142 if (*opcode != HCI_OP_NOP) 3143 cancel_delayed_work(&hdev->cmd_timer); 3144 3145 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3146 atomic_set(&hdev->cmd_cnt, 1); 3147 3148 /* Indicate request completion if the command failed. Also, if 3149 * we're not waiting for a special event and we get a success 3150 * command status we should try to flag the request as completed 3151 * (since for this kind of commands there will not be a command 3152 * complete event). 3153 */ 3154 if (ev->status || 3155 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3156 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3157 req_complete_skb); 3158 3159 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3160 queue_work(hdev->workqueue, &hdev->cmd_work); 3161 } 3162 3163 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3164 { 3165 struct hci_ev_hardware_error *ev = (void *) skb->data; 3166 3167 hdev->hw_error_code = ev->code; 3168 3169 queue_work(hdev->req_workqueue, &hdev->error_reset); 3170 } 3171 3172 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3173 { 3174 struct hci_ev_role_change *ev = (void *) skb->data; 3175 struct hci_conn *conn; 3176 3177 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3178 3179 hci_dev_lock(hdev); 3180 3181 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3182 if (conn) { 3183 if (!ev->status) 3184 conn->role = ev->role; 3185 3186 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3187 3188 hci_role_switch_cfm(conn, ev->status, ev->role); 3189 } 3190 3191 hci_dev_unlock(hdev); 3192 } 3193 3194 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3195 { 3196 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3197 int i; 3198 3199 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3200 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3201 return; 3202 } 3203 3204 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 3205 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) { 3206 BT_DBG("%s bad parameters", hdev->name); 3207 return; 3208 } 3209 3210 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3211 3212 for (i = 0; i < ev->num_hndl; i++) { 3213 struct hci_comp_pkts_info *info = &ev->handles[i]; 3214 struct hci_conn *conn; 3215 __u16 handle, count; 3216 3217 handle = __le16_to_cpu(info->handle); 3218 count = __le16_to_cpu(info->count); 3219 3220 conn = hci_conn_hash_lookup_handle(hdev, handle); 3221 if (!conn) 3222 continue; 3223 3224 conn->sent -= count; 3225 3226 switch (conn->type) { 3227 case ACL_LINK: 3228 hdev->acl_cnt += count; 3229 if (hdev->acl_cnt > hdev->acl_pkts) 3230 hdev->acl_cnt = hdev->acl_pkts; 3231 break; 3232 3233 case LE_LINK: 3234 if (hdev->le_pkts) { 3235 hdev->le_cnt += count; 3236 if (hdev->le_cnt > hdev->le_pkts) 3237 hdev->le_cnt = hdev->le_pkts; 3238 } else { 3239 hdev->acl_cnt += count; 3240 if (hdev->acl_cnt > hdev->acl_pkts) 3241 hdev->acl_cnt = hdev->acl_pkts; 3242 } 3243 break; 3244 3245 case SCO_LINK: 3246 hdev->sco_cnt += count; 3247 if (hdev->sco_cnt > hdev->sco_pkts) 3248 hdev->sco_cnt = hdev->sco_pkts; 3249 break; 3250 3251 default: 3252 bt_dev_err(hdev, "unknown type %d conn %p", 3253 conn->type, conn); 3254 break; 3255 } 3256 } 3257 3258 queue_work(hdev->workqueue, &hdev->tx_work); 3259 } 3260 3261 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3262 __u16 handle) 3263 { 3264 struct hci_chan *chan; 3265 3266 switch (hdev->dev_type) { 3267 case HCI_PRIMARY: 3268 return hci_conn_hash_lookup_handle(hdev, handle); 3269 case HCI_AMP: 3270 chan = hci_chan_lookup_handle(hdev, handle); 3271 if (chan) 3272 return chan->conn; 3273 break; 3274 default: 3275 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 3276 break; 3277 } 3278 3279 return NULL; 3280 } 3281 3282 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3283 { 3284 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3285 int i; 3286 3287 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3288 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3289 return; 3290 } 3291 3292 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 3293 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) { 3294 BT_DBG("%s bad parameters", hdev->name); 3295 return; 3296 } 3297 3298 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3299 ev->num_hndl); 3300 3301 for (i = 0; i < ev->num_hndl; i++) { 3302 struct hci_comp_blocks_info *info = &ev->handles[i]; 3303 struct hci_conn *conn = NULL; 3304 __u16 handle, block_count; 3305 3306 handle = __le16_to_cpu(info->handle); 3307 block_count = __le16_to_cpu(info->blocks); 3308 3309 conn = __hci_conn_lookup_handle(hdev, handle); 3310 if (!conn) 3311 continue; 3312 3313 conn->sent -= block_count; 3314 3315 switch (conn->type) { 3316 case ACL_LINK: 3317 case AMP_LINK: 3318 hdev->block_cnt += block_count; 3319 if (hdev->block_cnt > hdev->num_blocks) 3320 hdev->block_cnt = hdev->num_blocks; 3321 break; 3322 3323 default: 3324 bt_dev_err(hdev, "unknown type %d conn %p", 3325 conn->type, conn); 3326 break; 3327 } 3328 } 3329 3330 queue_work(hdev->workqueue, &hdev->tx_work); 3331 } 3332 3333 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3334 { 3335 struct hci_ev_mode_change *ev = (void *) skb->data; 3336 struct hci_conn *conn; 3337 3338 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3339 3340 hci_dev_lock(hdev); 3341 3342 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3343 if (conn) { 3344 conn->mode = ev->mode; 3345 3346 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3347 &conn->flags)) { 3348 if (conn->mode == HCI_CM_ACTIVE) 3349 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3350 else 3351 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3352 } 3353 3354 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3355 hci_sco_setup(conn, ev->status); 3356 } 3357 3358 hci_dev_unlock(hdev); 3359 } 3360 3361 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3362 { 3363 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3364 struct hci_conn *conn; 3365 3366 BT_DBG("%s", hdev->name); 3367 3368 hci_dev_lock(hdev); 3369 3370 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3371 if (!conn) 3372 goto unlock; 3373 3374 if (conn->state == BT_CONNECTED) { 3375 hci_conn_hold(conn); 3376 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3377 hci_conn_drop(conn); 3378 } 3379 3380 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3381 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3382 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3383 sizeof(ev->bdaddr), &ev->bdaddr); 3384 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3385 u8 secure; 3386 3387 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3388 secure = 1; 3389 else 3390 secure = 0; 3391 3392 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3393 } 3394 3395 unlock: 3396 hci_dev_unlock(hdev); 3397 } 3398 3399 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3400 { 3401 if (key_type == HCI_LK_CHANGED_COMBINATION) 3402 return; 3403 3404 conn->pin_length = pin_len; 3405 conn->key_type = key_type; 3406 3407 switch (key_type) { 3408 case HCI_LK_LOCAL_UNIT: 3409 case HCI_LK_REMOTE_UNIT: 3410 case HCI_LK_DEBUG_COMBINATION: 3411 return; 3412 case HCI_LK_COMBINATION: 3413 if (pin_len == 16) 3414 conn->pending_sec_level = BT_SECURITY_HIGH; 3415 else 3416 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3417 break; 3418 case HCI_LK_UNAUTH_COMBINATION_P192: 3419 case HCI_LK_UNAUTH_COMBINATION_P256: 3420 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3421 break; 3422 case HCI_LK_AUTH_COMBINATION_P192: 3423 conn->pending_sec_level = BT_SECURITY_HIGH; 3424 break; 3425 case HCI_LK_AUTH_COMBINATION_P256: 3426 conn->pending_sec_level = BT_SECURITY_FIPS; 3427 break; 3428 } 3429 } 3430 3431 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3432 { 3433 struct hci_ev_link_key_req *ev = (void *) skb->data; 3434 struct hci_cp_link_key_reply cp; 3435 struct hci_conn *conn; 3436 struct link_key *key; 3437 3438 BT_DBG("%s", hdev->name); 3439 3440 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3441 return; 3442 3443 hci_dev_lock(hdev); 3444 3445 key = hci_find_link_key(hdev, &ev->bdaddr); 3446 if (!key) { 3447 BT_DBG("%s link key not found for %pMR", hdev->name, 3448 &ev->bdaddr); 3449 goto not_found; 3450 } 3451 3452 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3453 &ev->bdaddr); 3454 3455 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3456 if (conn) { 3457 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3458 3459 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3460 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3461 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3462 BT_DBG("%s ignoring unauthenticated key", hdev->name); 3463 goto not_found; 3464 } 3465 3466 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3467 (conn->pending_sec_level == BT_SECURITY_HIGH || 3468 conn->pending_sec_level == BT_SECURITY_FIPS)) { 3469 BT_DBG("%s ignoring key unauthenticated for high security", 3470 hdev->name); 3471 goto not_found; 3472 } 3473 3474 conn_set_key(conn, key->type, key->pin_len); 3475 } 3476 3477 bacpy(&cp.bdaddr, &ev->bdaddr); 3478 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 3479 3480 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 3481 3482 hci_dev_unlock(hdev); 3483 3484 return; 3485 3486 not_found: 3487 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 3488 hci_dev_unlock(hdev); 3489 } 3490 3491 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3492 { 3493 struct hci_ev_link_key_notify *ev = (void *) skb->data; 3494 struct hci_conn *conn; 3495 struct link_key *key; 3496 bool persistent; 3497 u8 pin_len = 0; 3498 3499 BT_DBG("%s", hdev->name); 3500 3501 hci_dev_lock(hdev); 3502 3503 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3504 if (!conn) 3505 goto unlock; 3506 3507 hci_conn_hold(conn); 3508 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3509 hci_conn_drop(conn); 3510 3511 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3512 conn_set_key(conn, ev->key_type, conn->pin_length); 3513 3514 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3515 goto unlock; 3516 3517 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 3518 ev->key_type, pin_len, &persistent); 3519 if (!key) 3520 goto unlock; 3521 3522 /* Update connection information since adding the key will have 3523 * fixed up the type in the case of changed combination keys. 3524 */ 3525 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 3526 conn_set_key(conn, key->type, key->pin_len); 3527 3528 mgmt_new_link_key(hdev, key, persistent); 3529 3530 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 3531 * is set. If it's not set simply remove the key from the kernel 3532 * list (we've still notified user space about it but with 3533 * store_hint being 0). 3534 */ 3535 if (key->type == HCI_LK_DEBUG_COMBINATION && 3536 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 3537 list_del_rcu(&key->list); 3538 kfree_rcu(key, rcu); 3539 goto unlock; 3540 } 3541 3542 if (persistent) 3543 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3544 else 3545 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3546 3547 unlock: 3548 hci_dev_unlock(hdev); 3549 } 3550 3551 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 3552 { 3553 struct hci_ev_clock_offset *ev = (void *) skb->data; 3554 struct hci_conn *conn; 3555 3556 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3557 3558 hci_dev_lock(hdev); 3559 3560 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3561 if (conn && !ev->status) { 3562 struct inquiry_entry *ie; 3563 3564 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3565 if (ie) { 3566 ie->data.clock_offset = ev->clock_offset; 3567 ie->timestamp = jiffies; 3568 } 3569 } 3570 3571 hci_dev_unlock(hdev); 3572 } 3573 3574 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3575 { 3576 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 3577 struct hci_conn *conn; 3578 3579 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3580 3581 hci_dev_lock(hdev); 3582 3583 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3584 if (conn && !ev->status) 3585 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 3586 3587 hci_dev_unlock(hdev); 3588 } 3589 3590 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 3591 { 3592 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 3593 struct inquiry_entry *ie; 3594 3595 BT_DBG("%s", hdev->name); 3596 3597 hci_dev_lock(hdev); 3598 3599 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3600 if (ie) { 3601 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 3602 ie->timestamp = jiffies; 3603 } 3604 3605 hci_dev_unlock(hdev); 3606 } 3607 3608 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 3609 struct sk_buff *skb) 3610 { 3611 struct inquiry_data data; 3612 int num_rsp = *((__u8 *) skb->data); 3613 3614 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3615 3616 if (!num_rsp) 3617 return; 3618 3619 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3620 return; 3621 3622 hci_dev_lock(hdev); 3623 3624 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 3625 struct inquiry_info_with_rssi_and_pscan_mode *info; 3626 info = (void *) (skb->data + 1); 3627 3628 for (; num_rsp; num_rsp--, info++) { 3629 u32 flags; 3630 3631 bacpy(&data.bdaddr, &info->bdaddr); 3632 data.pscan_rep_mode = info->pscan_rep_mode; 3633 data.pscan_period_mode = info->pscan_period_mode; 3634 data.pscan_mode = info->pscan_mode; 3635 memcpy(data.dev_class, info->dev_class, 3); 3636 data.clock_offset = info->clock_offset; 3637 data.rssi = info->rssi; 3638 data.ssp_mode = 0x00; 3639 3640 flags = hci_inquiry_cache_update(hdev, &data, false); 3641 3642 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3643 info->dev_class, info->rssi, 3644 flags, NULL, 0, NULL, 0); 3645 } 3646 } else { 3647 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 3648 3649 for (; num_rsp; num_rsp--, info++) { 3650 u32 flags; 3651 3652 bacpy(&data.bdaddr, &info->bdaddr); 3653 data.pscan_rep_mode = info->pscan_rep_mode; 3654 data.pscan_period_mode = info->pscan_period_mode; 3655 data.pscan_mode = 0x00; 3656 memcpy(data.dev_class, info->dev_class, 3); 3657 data.clock_offset = info->clock_offset; 3658 data.rssi = info->rssi; 3659 data.ssp_mode = 0x00; 3660 3661 flags = hci_inquiry_cache_update(hdev, &data, false); 3662 3663 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3664 info->dev_class, info->rssi, 3665 flags, NULL, 0, NULL, 0); 3666 } 3667 } 3668 3669 hci_dev_unlock(hdev); 3670 } 3671 3672 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 3673 struct sk_buff *skb) 3674 { 3675 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 3676 struct hci_conn *conn; 3677 3678 BT_DBG("%s", hdev->name); 3679 3680 hci_dev_lock(hdev); 3681 3682 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3683 if (!conn) 3684 goto unlock; 3685 3686 if (ev->page < HCI_MAX_PAGES) 3687 memcpy(conn->features[ev->page], ev->features, 8); 3688 3689 if (!ev->status && ev->page == 0x01) { 3690 struct inquiry_entry *ie; 3691 3692 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3693 if (ie) 3694 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3695 3696 if (ev->features[0] & LMP_HOST_SSP) { 3697 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3698 } else { 3699 /* It is mandatory by the Bluetooth specification that 3700 * Extended Inquiry Results are only used when Secure 3701 * Simple Pairing is enabled, but some devices violate 3702 * this. 3703 * 3704 * To make these devices work, the internal SSP 3705 * enabled flag needs to be cleared if the remote host 3706 * features do not indicate SSP support */ 3707 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3708 } 3709 3710 if (ev->features[0] & LMP_HOST_SC) 3711 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 3712 } 3713 3714 if (conn->state != BT_CONFIG) 3715 goto unlock; 3716 3717 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3718 struct hci_cp_remote_name_req cp; 3719 memset(&cp, 0, sizeof(cp)); 3720 bacpy(&cp.bdaddr, &conn->dst); 3721 cp.pscan_rep_mode = 0x02; 3722 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3723 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3724 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3725 3726 if (!hci_outgoing_auth_needed(hdev, conn)) { 3727 conn->state = BT_CONNECTED; 3728 hci_connect_cfm(conn, ev->status); 3729 hci_conn_drop(conn); 3730 } 3731 3732 unlock: 3733 hci_dev_unlock(hdev); 3734 } 3735 3736 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 3737 struct sk_buff *skb) 3738 { 3739 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 3740 struct hci_conn *conn; 3741 3742 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3743 3744 hci_dev_lock(hdev); 3745 3746 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3747 if (!conn) { 3748 if (ev->link_type == ESCO_LINK) 3749 goto unlock; 3750 3751 /* When the link type in the event indicates SCO connection 3752 * and lookup of the connection object fails, then check 3753 * if an eSCO connection object exists. 3754 * 3755 * The core limits the synchronous connections to either 3756 * SCO or eSCO. The eSCO connection is preferred and tried 3757 * to be setup first and until successfully established, 3758 * the link type will be hinted as eSCO. 3759 */ 3760 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 3761 if (!conn) 3762 goto unlock; 3763 } 3764 3765 switch (ev->status) { 3766 case 0x00: 3767 conn->handle = __le16_to_cpu(ev->handle); 3768 conn->state = BT_CONNECTED; 3769 conn->type = ev->link_type; 3770 3771 hci_debugfs_create_conn(conn); 3772 hci_conn_add_sysfs(conn); 3773 break; 3774 3775 case 0x10: /* Connection Accept Timeout */ 3776 case 0x0d: /* Connection Rejected due to Limited Resources */ 3777 case 0x11: /* Unsupported Feature or Parameter Value */ 3778 case 0x1c: /* SCO interval rejected */ 3779 case 0x1a: /* Unsupported Remote Feature */ 3780 case 0x1f: /* Unspecified error */ 3781 case 0x20: /* Unsupported LMP Parameter value */ 3782 if (conn->out) { 3783 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 3784 (hdev->esco_type & EDR_ESCO_MASK); 3785 if (hci_setup_sync(conn, conn->link->handle)) 3786 goto unlock; 3787 } 3788 /* fall through */ 3789 3790 default: 3791 conn->state = BT_CLOSED; 3792 break; 3793 } 3794 3795 hci_connect_cfm(conn, ev->status); 3796 if (ev->status) 3797 hci_conn_del(conn); 3798 3799 unlock: 3800 hci_dev_unlock(hdev); 3801 } 3802 3803 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 3804 { 3805 size_t parsed = 0; 3806 3807 while (parsed < eir_len) { 3808 u8 field_len = eir[0]; 3809 3810 if (field_len == 0) 3811 return parsed; 3812 3813 parsed += field_len + 1; 3814 eir += field_len + 1; 3815 } 3816 3817 return eir_len; 3818 } 3819 3820 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 3821 struct sk_buff *skb) 3822 { 3823 struct inquiry_data data; 3824 struct extended_inquiry_info *info = (void *) (skb->data + 1); 3825 int num_rsp = *((__u8 *) skb->data); 3826 size_t eir_len; 3827 3828 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3829 3830 if (!num_rsp) 3831 return; 3832 3833 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3834 return; 3835 3836 hci_dev_lock(hdev); 3837 3838 for (; num_rsp; num_rsp--, info++) { 3839 u32 flags; 3840 bool name_known; 3841 3842 bacpy(&data.bdaddr, &info->bdaddr); 3843 data.pscan_rep_mode = info->pscan_rep_mode; 3844 data.pscan_period_mode = info->pscan_period_mode; 3845 data.pscan_mode = 0x00; 3846 memcpy(data.dev_class, info->dev_class, 3); 3847 data.clock_offset = info->clock_offset; 3848 data.rssi = info->rssi; 3849 data.ssp_mode = 0x01; 3850 3851 if (hci_dev_test_flag(hdev, HCI_MGMT)) 3852 name_known = eir_get_data(info->data, 3853 sizeof(info->data), 3854 EIR_NAME_COMPLETE, NULL); 3855 else 3856 name_known = true; 3857 3858 flags = hci_inquiry_cache_update(hdev, &data, name_known); 3859 3860 eir_len = eir_get_length(info->data, sizeof(info->data)); 3861 3862 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3863 info->dev_class, info->rssi, 3864 flags, info->data, eir_len, NULL, 0); 3865 } 3866 3867 hci_dev_unlock(hdev); 3868 } 3869 3870 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 3871 struct sk_buff *skb) 3872 { 3873 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 3874 struct hci_conn *conn; 3875 3876 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 3877 __le16_to_cpu(ev->handle)); 3878 3879 hci_dev_lock(hdev); 3880 3881 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3882 if (!conn) 3883 goto unlock; 3884 3885 /* For BR/EDR the necessary steps are taken through the 3886 * auth_complete event. 3887 */ 3888 if (conn->type != LE_LINK) 3889 goto unlock; 3890 3891 if (!ev->status) 3892 conn->sec_level = conn->pending_sec_level; 3893 3894 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3895 3896 if (ev->status && conn->state == BT_CONNECTED) { 3897 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3898 hci_conn_drop(conn); 3899 goto unlock; 3900 } 3901 3902 if (conn->state == BT_CONFIG) { 3903 if (!ev->status) 3904 conn->state = BT_CONNECTED; 3905 3906 hci_connect_cfm(conn, ev->status); 3907 hci_conn_drop(conn); 3908 } else { 3909 hci_auth_cfm(conn, ev->status); 3910 3911 hci_conn_hold(conn); 3912 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3913 hci_conn_drop(conn); 3914 } 3915 3916 unlock: 3917 hci_dev_unlock(hdev); 3918 } 3919 3920 static u8 hci_get_auth_req(struct hci_conn *conn) 3921 { 3922 /* If remote requests no-bonding follow that lead */ 3923 if (conn->remote_auth == HCI_AT_NO_BONDING || 3924 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 3925 return conn->remote_auth | (conn->auth_type & 0x01); 3926 3927 /* If both remote and local have enough IO capabilities, require 3928 * MITM protection 3929 */ 3930 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 3931 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 3932 return conn->remote_auth | 0x01; 3933 3934 /* No MITM protection possible so ignore remote requirement */ 3935 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 3936 } 3937 3938 static u8 bredr_oob_data_present(struct hci_conn *conn) 3939 { 3940 struct hci_dev *hdev = conn->hdev; 3941 struct oob_data *data; 3942 3943 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 3944 if (!data) 3945 return 0x00; 3946 3947 if (bredr_sc_enabled(hdev)) { 3948 /* When Secure Connections is enabled, then just 3949 * return the present value stored with the OOB 3950 * data. The stored value contains the right present 3951 * information. However it can only be trusted when 3952 * not in Secure Connection Only mode. 3953 */ 3954 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 3955 return data->present; 3956 3957 /* When Secure Connections Only mode is enabled, then 3958 * the P-256 values are required. If they are not 3959 * available, then do not declare that OOB data is 3960 * present. 3961 */ 3962 if (!memcmp(data->rand256, ZERO_KEY, 16) || 3963 !memcmp(data->hash256, ZERO_KEY, 16)) 3964 return 0x00; 3965 3966 return 0x02; 3967 } 3968 3969 /* When Secure Connections is not enabled or actually 3970 * not supported by the hardware, then check that if 3971 * P-192 data values are present. 3972 */ 3973 if (!memcmp(data->rand192, ZERO_KEY, 16) || 3974 !memcmp(data->hash192, ZERO_KEY, 16)) 3975 return 0x00; 3976 3977 return 0x01; 3978 } 3979 3980 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3981 { 3982 struct hci_ev_io_capa_request *ev = (void *) skb->data; 3983 struct hci_conn *conn; 3984 3985 BT_DBG("%s", hdev->name); 3986 3987 hci_dev_lock(hdev); 3988 3989 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3990 if (!conn) 3991 goto unlock; 3992 3993 hci_conn_hold(conn); 3994 3995 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3996 goto unlock; 3997 3998 /* Allow pairing if we're pairable, the initiators of the 3999 * pairing or if the remote is not requesting bonding. 4000 */ 4001 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4002 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4003 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4004 struct hci_cp_io_capability_reply cp; 4005 4006 bacpy(&cp.bdaddr, &ev->bdaddr); 4007 /* Change the IO capability from KeyboardDisplay 4008 * to DisplayYesNo as it is not supported by BT spec. */ 4009 cp.capability = (conn->io_capability == 0x04) ? 4010 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4011 4012 /* If we are initiators, there is no remote information yet */ 4013 if (conn->remote_auth == 0xff) { 4014 /* Request MITM protection if our IO caps allow it 4015 * except for the no-bonding case. 4016 */ 4017 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4018 conn->auth_type != HCI_AT_NO_BONDING) 4019 conn->auth_type |= 0x01; 4020 } else { 4021 conn->auth_type = hci_get_auth_req(conn); 4022 } 4023 4024 /* If we're not bondable, force one of the non-bondable 4025 * authentication requirement values. 4026 */ 4027 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4028 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4029 4030 cp.authentication = conn->auth_type; 4031 cp.oob_data = bredr_oob_data_present(conn); 4032 4033 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4034 sizeof(cp), &cp); 4035 } else { 4036 struct hci_cp_io_capability_neg_reply cp; 4037 4038 bacpy(&cp.bdaddr, &ev->bdaddr); 4039 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4040 4041 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4042 sizeof(cp), &cp); 4043 } 4044 4045 unlock: 4046 hci_dev_unlock(hdev); 4047 } 4048 4049 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4050 { 4051 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4052 struct hci_conn *conn; 4053 4054 BT_DBG("%s", hdev->name); 4055 4056 hci_dev_lock(hdev); 4057 4058 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4059 if (!conn) 4060 goto unlock; 4061 4062 conn->remote_cap = ev->capability; 4063 conn->remote_auth = ev->authentication; 4064 4065 unlock: 4066 hci_dev_unlock(hdev); 4067 } 4068 4069 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4070 struct sk_buff *skb) 4071 { 4072 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4073 int loc_mitm, rem_mitm, confirm_hint = 0; 4074 struct hci_conn *conn; 4075 4076 BT_DBG("%s", hdev->name); 4077 4078 hci_dev_lock(hdev); 4079 4080 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4081 goto unlock; 4082 4083 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4084 if (!conn) 4085 goto unlock; 4086 4087 loc_mitm = (conn->auth_type & 0x01); 4088 rem_mitm = (conn->remote_auth & 0x01); 4089 4090 /* If we require MITM but the remote device can't provide that 4091 * (it has NoInputNoOutput) then reject the confirmation 4092 * request. We check the security level here since it doesn't 4093 * necessarily match conn->auth_type. 4094 */ 4095 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4096 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4097 BT_DBG("Rejecting request: remote device can't provide MITM"); 4098 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4099 sizeof(ev->bdaddr), &ev->bdaddr); 4100 goto unlock; 4101 } 4102 4103 /* If no side requires MITM protection; auto-accept */ 4104 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4105 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4106 4107 /* If we're not the initiators request authorization to 4108 * proceed from user space (mgmt_user_confirm with 4109 * confirm_hint set to 1). The exception is if neither 4110 * side had MITM or if the local IO capability is 4111 * NoInputNoOutput, in which case we do auto-accept 4112 */ 4113 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4114 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4115 (loc_mitm || rem_mitm)) { 4116 BT_DBG("Confirming auto-accept as acceptor"); 4117 confirm_hint = 1; 4118 goto confirm; 4119 } 4120 4121 BT_DBG("Auto-accept of user confirmation with %ums delay", 4122 hdev->auto_accept_delay); 4123 4124 if (hdev->auto_accept_delay > 0) { 4125 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4126 queue_delayed_work(conn->hdev->workqueue, 4127 &conn->auto_accept_work, delay); 4128 goto unlock; 4129 } 4130 4131 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4132 sizeof(ev->bdaddr), &ev->bdaddr); 4133 goto unlock; 4134 } 4135 4136 confirm: 4137 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4138 le32_to_cpu(ev->passkey), confirm_hint); 4139 4140 unlock: 4141 hci_dev_unlock(hdev); 4142 } 4143 4144 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4145 struct sk_buff *skb) 4146 { 4147 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4148 4149 BT_DBG("%s", hdev->name); 4150 4151 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4152 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4153 } 4154 4155 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4156 struct sk_buff *skb) 4157 { 4158 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4159 struct hci_conn *conn; 4160 4161 BT_DBG("%s", hdev->name); 4162 4163 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4164 if (!conn) 4165 return; 4166 4167 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4168 conn->passkey_entered = 0; 4169 4170 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4171 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4172 conn->dst_type, conn->passkey_notify, 4173 conn->passkey_entered); 4174 } 4175 4176 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4177 { 4178 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4179 struct hci_conn *conn; 4180 4181 BT_DBG("%s", hdev->name); 4182 4183 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4184 if (!conn) 4185 return; 4186 4187 switch (ev->type) { 4188 case HCI_KEYPRESS_STARTED: 4189 conn->passkey_entered = 0; 4190 return; 4191 4192 case HCI_KEYPRESS_ENTERED: 4193 conn->passkey_entered++; 4194 break; 4195 4196 case HCI_KEYPRESS_ERASED: 4197 conn->passkey_entered--; 4198 break; 4199 4200 case HCI_KEYPRESS_CLEARED: 4201 conn->passkey_entered = 0; 4202 break; 4203 4204 case HCI_KEYPRESS_COMPLETED: 4205 return; 4206 } 4207 4208 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4209 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4210 conn->dst_type, conn->passkey_notify, 4211 conn->passkey_entered); 4212 } 4213 4214 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4215 struct sk_buff *skb) 4216 { 4217 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4218 struct hci_conn *conn; 4219 4220 BT_DBG("%s", hdev->name); 4221 4222 hci_dev_lock(hdev); 4223 4224 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4225 if (!conn) 4226 goto unlock; 4227 4228 /* Reset the authentication requirement to unknown */ 4229 conn->remote_auth = 0xff; 4230 4231 /* To avoid duplicate auth_failed events to user space we check 4232 * the HCI_CONN_AUTH_PEND flag which will be set if we 4233 * initiated the authentication. A traditional auth_complete 4234 * event gets always produced as initiator and is also mapped to 4235 * the mgmt_auth_failed event */ 4236 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4237 mgmt_auth_failed(conn, ev->status); 4238 4239 hci_conn_drop(conn); 4240 4241 unlock: 4242 hci_dev_unlock(hdev); 4243 } 4244 4245 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4246 struct sk_buff *skb) 4247 { 4248 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4249 struct inquiry_entry *ie; 4250 struct hci_conn *conn; 4251 4252 BT_DBG("%s", hdev->name); 4253 4254 hci_dev_lock(hdev); 4255 4256 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4257 if (conn) 4258 memcpy(conn->features[1], ev->features, 8); 4259 4260 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4261 if (ie) 4262 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4263 4264 hci_dev_unlock(hdev); 4265 } 4266 4267 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4268 struct sk_buff *skb) 4269 { 4270 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4271 struct oob_data *data; 4272 4273 BT_DBG("%s", hdev->name); 4274 4275 hci_dev_lock(hdev); 4276 4277 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4278 goto unlock; 4279 4280 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4281 if (!data) { 4282 struct hci_cp_remote_oob_data_neg_reply cp; 4283 4284 bacpy(&cp.bdaddr, &ev->bdaddr); 4285 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4286 sizeof(cp), &cp); 4287 goto unlock; 4288 } 4289 4290 if (bredr_sc_enabled(hdev)) { 4291 struct hci_cp_remote_oob_ext_data_reply cp; 4292 4293 bacpy(&cp.bdaddr, &ev->bdaddr); 4294 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4295 memset(cp.hash192, 0, sizeof(cp.hash192)); 4296 memset(cp.rand192, 0, sizeof(cp.rand192)); 4297 } else { 4298 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4299 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4300 } 4301 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4302 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4303 4304 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4305 sizeof(cp), &cp); 4306 } else { 4307 struct hci_cp_remote_oob_data_reply cp; 4308 4309 bacpy(&cp.bdaddr, &ev->bdaddr); 4310 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4311 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4312 4313 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4314 sizeof(cp), &cp); 4315 } 4316 4317 unlock: 4318 hci_dev_unlock(hdev); 4319 } 4320 4321 #if IS_ENABLED(CONFIG_BT_HS) 4322 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4323 { 4324 struct hci_ev_channel_selected *ev = (void *)skb->data; 4325 struct hci_conn *hcon; 4326 4327 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4328 4329 skb_pull(skb, sizeof(*ev)); 4330 4331 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4332 if (!hcon) 4333 return; 4334 4335 amp_read_loc_assoc_final_data(hdev, hcon); 4336 } 4337 4338 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4339 struct sk_buff *skb) 4340 { 4341 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4342 struct hci_conn *hcon, *bredr_hcon; 4343 4344 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4345 ev->status); 4346 4347 hci_dev_lock(hdev); 4348 4349 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4350 if (!hcon) { 4351 hci_dev_unlock(hdev); 4352 return; 4353 } 4354 4355 if (ev->status) { 4356 hci_conn_del(hcon); 4357 hci_dev_unlock(hdev); 4358 return; 4359 } 4360 4361 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4362 4363 hcon->state = BT_CONNECTED; 4364 bacpy(&hcon->dst, &bredr_hcon->dst); 4365 4366 hci_conn_hold(hcon); 4367 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4368 hci_conn_drop(hcon); 4369 4370 hci_debugfs_create_conn(hcon); 4371 hci_conn_add_sysfs(hcon); 4372 4373 amp_physical_cfm(bredr_hcon, hcon); 4374 4375 hci_dev_unlock(hdev); 4376 } 4377 4378 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4379 { 4380 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4381 struct hci_conn *hcon; 4382 struct hci_chan *hchan; 4383 struct amp_mgr *mgr; 4384 4385 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4386 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4387 ev->status); 4388 4389 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4390 if (!hcon) 4391 return; 4392 4393 /* Create AMP hchan */ 4394 hchan = hci_chan_create(hcon); 4395 if (!hchan) 4396 return; 4397 4398 hchan->handle = le16_to_cpu(ev->handle); 4399 4400 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4401 4402 mgr = hcon->amp_mgr; 4403 if (mgr && mgr->bredr_chan) { 4404 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4405 4406 l2cap_chan_lock(bredr_chan); 4407 4408 bredr_chan->conn->mtu = hdev->block_mtu; 4409 l2cap_logical_cfm(bredr_chan, hchan, 0); 4410 hci_conn_hold(hcon); 4411 4412 l2cap_chan_unlock(bredr_chan); 4413 } 4414 } 4415 4416 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 4417 struct sk_buff *skb) 4418 { 4419 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 4420 struct hci_chan *hchan; 4421 4422 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 4423 le16_to_cpu(ev->handle), ev->status); 4424 4425 if (ev->status) 4426 return; 4427 4428 hci_dev_lock(hdev); 4429 4430 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 4431 if (!hchan) 4432 goto unlock; 4433 4434 amp_destroy_logical_link(hchan, ev->reason); 4435 4436 unlock: 4437 hci_dev_unlock(hdev); 4438 } 4439 4440 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 4441 struct sk_buff *skb) 4442 { 4443 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 4444 struct hci_conn *hcon; 4445 4446 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4447 4448 if (ev->status) 4449 return; 4450 4451 hci_dev_lock(hdev); 4452 4453 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4454 if (hcon) { 4455 hcon->state = BT_CLOSED; 4456 hci_conn_del(hcon); 4457 } 4458 4459 hci_dev_unlock(hdev); 4460 } 4461 #endif 4462 4463 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4464 { 4465 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 4466 struct hci_conn_params *params; 4467 struct hci_conn *conn; 4468 struct smp_irk *irk; 4469 u8 addr_type; 4470 4471 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4472 4473 hci_dev_lock(hdev); 4474 4475 /* All controllers implicitly stop advertising in the event of a 4476 * connection, so ensure that the state bit is cleared. 4477 */ 4478 hci_dev_clear_flag(hdev, HCI_LE_ADV); 4479 4480 conn = hci_lookup_le_connect(hdev); 4481 if (!conn) { 4482 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role); 4483 if (!conn) { 4484 bt_dev_err(hdev, "no memory for new connection"); 4485 goto unlock; 4486 } 4487 4488 conn->dst_type = ev->bdaddr_type; 4489 4490 /* If we didn't have a hci_conn object previously 4491 * but we're in master role this must be something 4492 * initiated using a white list. Since white list based 4493 * connections are not "first class citizens" we don't 4494 * have full tracking of them. Therefore, we go ahead 4495 * with a "best effort" approach of determining the 4496 * initiator address based on the HCI_PRIVACY flag. 4497 */ 4498 if (conn->out) { 4499 conn->resp_addr_type = ev->bdaddr_type; 4500 bacpy(&conn->resp_addr, &ev->bdaddr); 4501 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 4502 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 4503 bacpy(&conn->init_addr, &hdev->rpa); 4504 } else { 4505 hci_copy_identity_address(hdev, 4506 &conn->init_addr, 4507 &conn->init_addr_type); 4508 } 4509 } 4510 } else { 4511 cancel_delayed_work(&conn->le_conn_timeout); 4512 } 4513 4514 if (!conn->out) { 4515 /* Set the responder (our side) address type based on 4516 * the advertising address type. 4517 */ 4518 conn->resp_addr_type = hdev->adv_addr_type; 4519 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) 4520 bacpy(&conn->resp_addr, &hdev->random_addr); 4521 else 4522 bacpy(&conn->resp_addr, &hdev->bdaddr); 4523 4524 conn->init_addr_type = ev->bdaddr_type; 4525 bacpy(&conn->init_addr, &ev->bdaddr); 4526 4527 /* For incoming connections, set the default minimum 4528 * and maximum connection interval. They will be used 4529 * to check if the parameters are in range and if not 4530 * trigger the connection update procedure. 4531 */ 4532 conn->le_conn_min_interval = hdev->le_conn_min_interval; 4533 conn->le_conn_max_interval = hdev->le_conn_max_interval; 4534 } 4535 4536 /* Lookup the identity address from the stored connection 4537 * address and address type. 4538 * 4539 * When establishing connections to an identity address, the 4540 * connection procedure will store the resolvable random 4541 * address first. Now if it can be converted back into the 4542 * identity address, start using the identity address from 4543 * now on. 4544 */ 4545 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 4546 if (irk) { 4547 bacpy(&conn->dst, &irk->bdaddr); 4548 conn->dst_type = irk->addr_type; 4549 } 4550 4551 if (ev->status) { 4552 hci_le_conn_failed(conn, ev->status); 4553 goto unlock; 4554 } 4555 4556 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 4557 addr_type = BDADDR_LE_PUBLIC; 4558 else 4559 addr_type = BDADDR_LE_RANDOM; 4560 4561 /* Drop the connection if the device is blocked */ 4562 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 4563 hci_conn_drop(conn); 4564 goto unlock; 4565 } 4566 4567 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4568 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4569 4570 conn->sec_level = BT_SECURITY_LOW; 4571 conn->handle = __le16_to_cpu(ev->handle); 4572 conn->state = BT_CONFIG; 4573 4574 conn->le_conn_interval = le16_to_cpu(ev->interval); 4575 conn->le_conn_latency = le16_to_cpu(ev->latency); 4576 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 4577 4578 hci_debugfs_create_conn(conn); 4579 hci_conn_add_sysfs(conn); 4580 4581 if (!ev->status) { 4582 /* The remote features procedure is defined for master 4583 * role only. So only in case of an initiated connection 4584 * request the remote features. 4585 * 4586 * If the local controller supports slave-initiated features 4587 * exchange, then requesting the remote features in slave 4588 * role is possible. Otherwise just transition into the 4589 * connected state without requesting the remote features. 4590 */ 4591 if (conn->out || 4592 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 4593 struct hci_cp_le_read_remote_features cp; 4594 4595 cp.handle = __cpu_to_le16(conn->handle); 4596 4597 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 4598 sizeof(cp), &cp); 4599 4600 hci_conn_hold(conn); 4601 } else { 4602 conn->state = BT_CONNECTED; 4603 hci_connect_cfm(conn, ev->status); 4604 } 4605 } else { 4606 hci_connect_cfm(conn, ev->status); 4607 } 4608 4609 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 4610 conn->dst_type); 4611 if (params) { 4612 list_del_init(¶ms->action); 4613 if (params->conn) { 4614 hci_conn_drop(params->conn); 4615 hci_conn_put(params->conn); 4616 params->conn = NULL; 4617 } 4618 } 4619 4620 unlock: 4621 hci_update_background_scan(hdev); 4622 hci_dev_unlock(hdev); 4623 } 4624 4625 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 4626 struct sk_buff *skb) 4627 { 4628 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 4629 struct hci_conn *conn; 4630 4631 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4632 4633 if (ev->status) 4634 return; 4635 4636 hci_dev_lock(hdev); 4637 4638 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4639 if (conn) { 4640 conn->le_conn_interval = le16_to_cpu(ev->interval); 4641 conn->le_conn_latency = le16_to_cpu(ev->latency); 4642 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 4643 } 4644 4645 hci_dev_unlock(hdev); 4646 } 4647 4648 /* This function requires the caller holds hdev->lock */ 4649 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 4650 bdaddr_t *addr, 4651 u8 addr_type, u8 adv_type, 4652 bdaddr_t *direct_rpa) 4653 { 4654 struct hci_conn *conn; 4655 struct hci_conn_params *params; 4656 4657 /* If the event is not connectable don't proceed further */ 4658 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 4659 return NULL; 4660 4661 /* Ignore if the device is blocked */ 4662 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 4663 return NULL; 4664 4665 /* Most controller will fail if we try to create new connections 4666 * while we have an existing one in slave role. 4667 */ 4668 if (hdev->conn_hash.le_num_slave > 0) 4669 return NULL; 4670 4671 /* If we're not connectable only connect devices that we have in 4672 * our pend_le_conns list. 4673 */ 4674 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 4675 addr_type); 4676 if (!params) 4677 return NULL; 4678 4679 if (!params->explicit_connect) { 4680 switch (params->auto_connect) { 4681 case HCI_AUTO_CONN_DIRECT: 4682 /* Only devices advertising with ADV_DIRECT_IND are 4683 * triggering a connection attempt. This is allowing 4684 * incoming connections from slave devices. 4685 */ 4686 if (adv_type != LE_ADV_DIRECT_IND) 4687 return NULL; 4688 break; 4689 case HCI_AUTO_CONN_ALWAYS: 4690 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 4691 * are triggering a connection attempt. This means 4692 * that incoming connectioms from slave device are 4693 * accepted and also outgoing connections to slave 4694 * devices are established when found. 4695 */ 4696 break; 4697 default: 4698 return NULL; 4699 } 4700 } 4701 4702 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 4703 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER, 4704 direct_rpa); 4705 if (!IS_ERR(conn)) { 4706 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 4707 * by higher layer that tried to connect, if no then 4708 * store the pointer since we don't really have any 4709 * other owner of the object besides the params that 4710 * triggered it. This way we can abort the connection if 4711 * the parameters get removed and keep the reference 4712 * count consistent once the connection is established. 4713 */ 4714 4715 if (!params->explicit_connect) 4716 params->conn = hci_conn_get(conn); 4717 4718 return conn; 4719 } 4720 4721 switch (PTR_ERR(conn)) { 4722 case -EBUSY: 4723 /* If hci_connect() returns -EBUSY it means there is already 4724 * an LE connection attempt going on. Since controllers don't 4725 * support more than one connection attempt at the time, we 4726 * don't consider this an error case. 4727 */ 4728 break; 4729 default: 4730 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 4731 return NULL; 4732 } 4733 4734 return NULL; 4735 } 4736 4737 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 4738 u8 bdaddr_type, bdaddr_t *direct_addr, 4739 u8 direct_addr_type, s8 rssi, u8 *data, u8 len) 4740 { 4741 struct discovery_state *d = &hdev->discovery; 4742 struct smp_irk *irk; 4743 struct hci_conn *conn; 4744 bool match; 4745 u32 flags; 4746 u8 *ptr, real_len; 4747 4748 switch (type) { 4749 case LE_ADV_IND: 4750 case LE_ADV_DIRECT_IND: 4751 case LE_ADV_SCAN_IND: 4752 case LE_ADV_NONCONN_IND: 4753 case LE_ADV_SCAN_RSP: 4754 break; 4755 default: 4756 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 4757 "type: 0x%02x", type); 4758 return; 4759 } 4760 4761 /* Find the end of the data in case the report contains padded zero 4762 * bytes at the end causing an invalid length value. 4763 * 4764 * When data is NULL, len is 0 so there is no need for extra ptr 4765 * check as 'ptr < data + 0' is already false in such case. 4766 */ 4767 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 4768 if (ptr + 1 + *ptr > data + len) 4769 break; 4770 } 4771 4772 real_len = ptr - data; 4773 4774 /* Adjust for actual length */ 4775 if (len != real_len) { 4776 bt_dev_err_ratelimited(hdev, "advertising data len corrected"); 4777 len = real_len; 4778 } 4779 4780 /* If the direct address is present, then this report is from 4781 * a LE Direct Advertising Report event. In that case it is 4782 * important to see if the address is matching the local 4783 * controller address. 4784 */ 4785 if (direct_addr) { 4786 /* Only resolvable random addresses are valid for these 4787 * kind of reports and others can be ignored. 4788 */ 4789 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 4790 return; 4791 4792 /* If the controller is not using resolvable random 4793 * addresses, then this report can be ignored. 4794 */ 4795 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 4796 return; 4797 4798 /* If the local IRK of the controller does not match 4799 * with the resolvable random address provided, then 4800 * this report can be ignored. 4801 */ 4802 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 4803 return; 4804 } 4805 4806 /* Check if we need to convert to identity address */ 4807 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 4808 if (irk) { 4809 bdaddr = &irk->bdaddr; 4810 bdaddr_type = irk->addr_type; 4811 } 4812 4813 /* Check if we have been requested to connect to this device. 4814 * 4815 * direct_addr is set only for directed advertising reports (it is NULL 4816 * for advertising reports) and is already verified to be RPA above. 4817 */ 4818 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, 4819 direct_addr); 4820 if (conn && type == LE_ADV_IND) { 4821 /* Store report for later inclusion by 4822 * mgmt_device_connected 4823 */ 4824 memcpy(conn->le_adv_data, data, len); 4825 conn->le_adv_data_len = len; 4826 } 4827 4828 /* Passive scanning shouldn't trigger any device found events, 4829 * except for devices marked as CONN_REPORT for which we do send 4830 * device found events. 4831 */ 4832 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 4833 if (type == LE_ADV_DIRECT_IND) 4834 return; 4835 4836 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 4837 bdaddr, bdaddr_type)) 4838 return; 4839 4840 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 4841 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 4842 else 4843 flags = 0; 4844 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4845 rssi, flags, data, len, NULL, 0); 4846 return; 4847 } 4848 4849 /* When receiving non-connectable or scannable undirected 4850 * advertising reports, this means that the remote device is 4851 * not connectable and then clearly indicate this in the 4852 * device found event. 4853 * 4854 * When receiving a scan response, then there is no way to 4855 * know if the remote device is connectable or not. However 4856 * since scan responses are merged with a previously seen 4857 * advertising report, the flags field from that report 4858 * will be used. 4859 * 4860 * In the really unlikely case that a controller get confused 4861 * and just sends a scan response event, then it is marked as 4862 * not connectable as well. 4863 */ 4864 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 4865 type == LE_ADV_SCAN_RSP) 4866 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 4867 else 4868 flags = 0; 4869 4870 /* If there's nothing pending either store the data from this 4871 * event or send an immediate device found event if the data 4872 * should not be stored for later. 4873 */ 4874 if (!has_pending_adv_report(hdev)) { 4875 /* If the report will trigger a SCAN_REQ store it for 4876 * later merging. 4877 */ 4878 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4879 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4880 rssi, flags, data, len); 4881 return; 4882 } 4883 4884 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4885 rssi, flags, data, len, NULL, 0); 4886 return; 4887 } 4888 4889 /* Check if the pending report is for the same device as the new one */ 4890 match = (!bacmp(bdaddr, &d->last_adv_addr) && 4891 bdaddr_type == d->last_adv_addr_type); 4892 4893 /* If the pending data doesn't match this report or this isn't a 4894 * scan response (e.g. we got a duplicate ADV_IND) then force 4895 * sending of the pending data. 4896 */ 4897 if (type != LE_ADV_SCAN_RSP || !match) { 4898 /* Send out whatever is in the cache, but skip duplicates */ 4899 if (!match) 4900 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4901 d->last_adv_addr_type, NULL, 4902 d->last_adv_rssi, d->last_adv_flags, 4903 d->last_adv_data, 4904 d->last_adv_data_len, NULL, 0); 4905 4906 /* If the new report will trigger a SCAN_REQ store it for 4907 * later merging. 4908 */ 4909 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4910 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4911 rssi, flags, data, len); 4912 return; 4913 } 4914 4915 /* The advertising reports cannot be merged, so clear 4916 * the pending report and send out a device found event. 4917 */ 4918 clear_pending_adv_report(hdev); 4919 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4920 rssi, flags, data, len, NULL, 0); 4921 return; 4922 } 4923 4924 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 4925 * the new event is a SCAN_RSP. We can therefore proceed with 4926 * sending a merged device found event. 4927 */ 4928 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4929 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 4930 d->last_adv_data, d->last_adv_data_len, data, len); 4931 clear_pending_adv_report(hdev); 4932 } 4933 4934 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 4935 { 4936 u8 num_reports = skb->data[0]; 4937 void *ptr = &skb->data[1]; 4938 4939 hci_dev_lock(hdev); 4940 4941 while (num_reports--) { 4942 struct hci_ev_le_advertising_info *ev = ptr; 4943 s8 rssi; 4944 4945 rssi = ev->data[ev->length]; 4946 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4947 ev->bdaddr_type, NULL, 0, rssi, 4948 ev->data, ev->length); 4949 4950 ptr += sizeof(*ev) + ev->length + 1; 4951 } 4952 4953 hci_dev_unlock(hdev); 4954 } 4955 4956 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 4957 struct sk_buff *skb) 4958 { 4959 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 4960 struct hci_conn *conn; 4961 4962 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4963 4964 hci_dev_lock(hdev); 4965 4966 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4967 if (conn) { 4968 if (!ev->status) 4969 memcpy(conn->features[0], ev->features, 8); 4970 4971 if (conn->state == BT_CONFIG) { 4972 __u8 status; 4973 4974 /* If the local controller supports slave-initiated 4975 * features exchange, but the remote controller does 4976 * not, then it is possible that the error code 0x1a 4977 * for unsupported remote feature gets returned. 4978 * 4979 * In this specific case, allow the connection to 4980 * transition into connected state and mark it as 4981 * successful. 4982 */ 4983 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 4984 !conn->out && ev->status == 0x1a) 4985 status = 0x00; 4986 else 4987 status = ev->status; 4988 4989 conn->state = BT_CONNECTED; 4990 hci_connect_cfm(conn, status); 4991 hci_conn_drop(conn); 4992 } 4993 } 4994 4995 hci_dev_unlock(hdev); 4996 } 4997 4998 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4999 { 5000 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 5001 struct hci_cp_le_ltk_reply cp; 5002 struct hci_cp_le_ltk_neg_reply neg; 5003 struct hci_conn *conn; 5004 struct smp_ltk *ltk; 5005 5006 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 5007 5008 hci_dev_lock(hdev); 5009 5010 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5011 if (conn == NULL) 5012 goto not_found; 5013 5014 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 5015 if (!ltk) 5016 goto not_found; 5017 5018 if (smp_ltk_is_sc(ltk)) { 5019 /* With SC both EDiv and Rand are set to zero */ 5020 if (ev->ediv || ev->rand) 5021 goto not_found; 5022 } else { 5023 /* For non-SC keys check that EDiv and Rand match */ 5024 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 5025 goto not_found; 5026 } 5027 5028 memcpy(cp.ltk, ltk->val, ltk->enc_size); 5029 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 5030 cp.handle = cpu_to_le16(conn->handle); 5031 5032 conn->pending_sec_level = smp_ltk_sec_level(ltk); 5033 5034 conn->enc_key_size = ltk->enc_size; 5035 5036 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 5037 5038 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 5039 * temporary key used to encrypt a connection following 5040 * pairing. It is used during the Encrypted Session Setup to 5041 * distribute the keys. Later, security can be re-established 5042 * using a distributed LTK. 5043 */ 5044 if (ltk->type == SMP_STK) { 5045 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5046 list_del_rcu(<k->list); 5047 kfree_rcu(ltk, rcu); 5048 } else { 5049 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5050 } 5051 5052 hci_dev_unlock(hdev); 5053 5054 return; 5055 5056 not_found: 5057 neg.handle = ev->handle; 5058 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5059 hci_dev_unlock(hdev); 5060 } 5061 5062 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5063 u8 reason) 5064 { 5065 struct hci_cp_le_conn_param_req_neg_reply cp; 5066 5067 cp.handle = cpu_to_le16(handle); 5068 cp.reason = reason; 5069 5070 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5071 &cp); 5072 } 5073 5074 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5075 struct sk_buff *skb) 5076 { 5077 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5078 struct hci_cp_le_conn_param_req_reply cp; 5079 struct hci_conn *hcon; 5080 u16 handle, min, max, latency, timeout; 5081 5082 handle = le16_to_cpu(ev->handle); 5083 min = le16_to_cpu(ev->interval_min); 5084 max = le16_to_cpu(ev->interval_max); 5085 latency = le16_to_cpu(ev->latency); 5086 timeout = le16_to_cpu(ev->timeout); 5087 5088 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5089 if (!hcon || hcon->state != BT_CONNECTED) 5090 return send_conn_param_neg_reply(hdev, handle, 5091 HCI_ERROR_UNKNOWN_CONN_ID); 5092 5093 if (hci_check_conn_params(min, max, latency, timeout)) 5094 return send_conn_param_neg_reply(hdev, handle, 5095 HCI_ERROR_INVALID_LL_PARAMS); 5096 5097 if (hcon->role == HCI_ROLE_MASTER) { 5098 struct hci_conn_params *params; 5099 u8 store_hint; 5100 5101 hci_dev_lock(hdev); 5102 5103 params = hci_conn_params_lookup(hdev, &hcon->dst, 5104 hcon->dst_type); 5105 if (params) { 5106 params->conn_min_interval = min; 5107 params->conn_max_interval = max; 5108 params->conn_latency = latency; 5109 params->supervision_timeout = timeout; 5110 store_hint = 0x01; 5111 } else{ 5112 store_hint = 0x00; 5113 } 5114 5115 hci_dev_unlock(hdev); 5116 5117 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5118 store_hint, min, max, latency, timeout); 5119 } 5120 5121 cp.handle = ev->handle; 5122 cp.interval_min = ev->interval_min; 5123 cp.interval_max = ev->interval_max; 5124 cp.latency = ev->latency; 5125 cp.timeout = ev->timeout; 5126 cp.min_ce_len = 0; 5127 cp.max_ce_len = 0; 5128 5129 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5130 } 5131 5132 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5133 struct sk_buff *skb) 5134 { 5135 u8 num_reports = skb->data[0]; 5136 void *ptr = &skb->data[1]; 5137 5138 hci_dev_lock(hdev); 5139 5140 while (num_reports--) { 5141 struct hci_ev_le_direct_adv_info *ev = ptr; 5142 5143 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5144 ev->bdaddr_type, &ev->direct_addr, 5145 ev->direct_addr_type, ev->rssi, NULL, 0); 5146 5147 ptr += sizeof(*ev); 5148 } 5149 5150 hci_dev_unlock(hdev); 5151 } 5152 5153 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5154 { 5155 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5156 5157 skb_pull(skb, sizeof(*le_ev)); 5158 5159 switch (le_ev->subevent) { 5160 case HCI_EV_LE_CONN_COMPLETE: 5161 hci_le_conn_complete_evt(hdev, skb); 5162 break; 5163 5164 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5165 hci_le_conn_update_complete_evt(hdev, skb); 5166 break; 5167 5168 case HCI_EV_LE_ADVERTISING_REPORT: 5169 hci_le_adv_report_evt(hdev, skb); 5170 break; 5171 5172 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5173 hci_le_remote_feat_complete_evt(hdev, skb); 5174 break; 5175 5176 case HCI_EV_LE_LTK_REQ: 5177 hci_le_ltk_request_evt(hdev, skb); 5178 break; 5179 5180 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5181 hci_le_remote_conn_param_req_evt(hdev, skb); 5182 break; 5183 5184 case HCI_EV_LE_DIRECT_ADV_REPORT: 5185 hci_le_direct_adv_report_evt(hdev, skb); 5186 break; 5187 5188 default: 5189 break; 5190 } 5191 } 5192 5193 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5194 u8 event, struct sk_buff *skb) 5195 { 5196 struct hci_ev_cmd_complete *ev; 5197 struct hci_event_hdr *hdr; 5198 5199 if (!skb) 5200 return false; 5201 5202 if (skb->len < sizeof(*hdr)) { 5203 bt_dev_err(hdev, "too short HCI event"); 5204 return false; 5205 } 5206 5207 hdr = (void *) skb->data; 5208 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5209 5210 if (event) { 5211 if (hdr->evt != event) 5212 return false; 5213 return true; 5214 } 5215 5216 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5217 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 5218 hdr->evt); 5219 return false; 5220 } 5221 5222 if (skb->len < sizeof(*ev)) { 5223 bt_dev_err(hdev, "too short cmd_complete event"); 5224 return false; 5225 } 5226 5227 ev = (void *) skb->data; 5228 skb_pull(skb, sizeof(*ev)); 5229 5230 if (opcode != __le16_to_cpu(ev->opcode)) { 5231 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 5232 __le16_to_cpu(ev->opcode)); 5233 return false; 5234 } 5235 5236 return true; 5237 } 5238 5239 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 5240 { 5241 struct hci_event_hdr *hdr = (void *) skb->data; 5242 hci_req_complete_t req_complete = NULL; 5243 hci_req_complete_skb_t req_complete_skb = NULL; 5244 struct sk_buff *orig_skb = NULL; 5245 u8 status = 0, event = hdr->evt, req_evt = 0; 5246 u16 opcode = HCI_OP_NOP; 5247 5248 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 5249 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 5250 opcode = __le16_to_cpu(cmd_hdr->opcode); 5251 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 5252 &req_complete_skb); 5253 req_evt = event; 5254 } 5255 5256 /* If it looks like we might end up having to call 5257 * req_complete_skb, store a pristine copy of the skb since the 5258 * various handlers may modify the original one through 5259 * skb_pull() calls, etc. 5260 */ 5261 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 5262 event == HCI_EV_CMD_COMPLETE) 5263 orig_skb = skb_clone(skb, GFP_KERNEL); 5264 5265 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5266 5267 switch (event) { 5268 case HCI_EV_INQUIRY_COMPLETE: 5269 hci_inquiry_complete_evt(hdev, skb); 5270 break; 5271 5272 case HCI_EV_INQUIRY_RESULT: 5273 hci_inquiry_result_evt(hdev, skb); 5274 break; 5275 5276 case HCI_EV_CONN_COMPLETE: 5277 hci_conn_complete_evt(hdev, skb); 5278 break; 5279 5280 case HCI_EV_CONN_REQUEST: 5281 hci_conn_request_evt(hdev, skb); 5282 break; 5283 5284 case HCI_EV_DISCONN_COMPLETE: 5285 hci_disconn_complete_evt(hdev, skb); 5286 break; 5287 5288 case HCI_EV_AUTH_COMPLETE: 5289 hci_auth_complete_evt(hdev, skb); 5290 break; 5291 5292 case HCI_EV_REMOTE_NAME: 5293 hci_remote_name_evt(hdev, skb); 5294 break; 5295 5296 case HCI_EV_ENCRYPT_CHANGE: 5297 hci_encrypt_change_evt(hdev, skb); 5298 break; 5299 5300 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 5301 hci_change_link_key_complete_evt(hdev, skb); 5302 break; 5303 5304 case HCI_EV_REMOTE_FEATURES: 5305 hci_remote_features_evt(hdev, skb); 5306 break; 5307 5308 case HCI_EV_CMD_COMPLETE: 5309 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 5310 &req_complete, &req_complete_skb); 5311 break; 5312 5313 case HCI_EV_CMD_STATUS: 5314 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 5315 &req_complete_skb); 5316 break; 5317 5318 case HCI_EV_HARDWARE_ERROR: 5319 hci_hardware_error_evt(hdev, skb); 5320 break; 5321 5322 case HCI_EV_ROLE_CHANGE: 5323 hci_role_change_evt(hdev, skb); 5324 break; 5325 5326 case HCI_EV_NUM_COMP_PKTS: 5327 hci_num_comp_pkts_evt(hdev, skb); 5328 break; 5329 5330 case HCI_EV_MODE_CHANGE: 5331 hci_mode_change_evt(hdev, skb); 5332 break; 5333 5334 case HCI_EV_PIN_CODE_REQ: 5335 hci_pin_code_request_evt(hdev, skb); 5336 break; 5337 5338 case HCI_EV_LINK_KEY_REQ: 5339 hci_link_key_request_evt(hdev, skb); 5340 break; 5341 5342 case HCI_EV_LINK_KEY_NOTIFY: 5343 hci_link_key_notify_evt(hdev, skb); 5344 break; 5345 5346 case HCI_EV_CLOCK_OFFSET: 5347 hci_clock_offset_evt(hdev, skb); 5348 break; 5349 5350 case HCI_EV_PKT_TYPE_CHANGE: 5351 hci_pkt_type_change_evt(hdev, skb); 5352 break; 5353 5354 case HCI_EV_PSCAN_REP_MODE: 5355 hci_pscan_rep_mode_evt(hdev, skb); 5356 break; 5357 5358 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 5359 hci_inquiry_result_with_rssi_evt(hdev, skb); 5360 break; 5361 5362 case HCI_EV_REMOTE_EXT_FEATURES: 5363 hci_remote_ext_features_evt(hdev, skb); 5364 break; 5365 5366 case HCI_EV_SYNC_CONN_COMPLETE: 5367 hci_sync_conn_complete_evt(hdev, skb); 5368 break; 5369 5370 case HCI_EV_EXTENDED_INQUIRY_RESULT: 5371 hci_extended_inquiry_result_evt(hdev, skb); 5372 break; 5373 5374 case HCI_EV_KEY_REFRESH_COMPLETE: 5375 hci_key_refresh_complete_evt(hdev, skb); 5376 break; 5377 5378 case HCI_EV_IO_CAPA_REQUEST: 5379 hci_io_capa_request_evt(hdev, skb); 5380 break; 5381 5382 case HCI_EV_IO_CAPA_REPLY: 5383 hci_io_capa_reply_evt(hdev, skb); 5384 break; 5385 5386 case HCI_EV_USER_CONFIRM_REQUEST: 5387 hci_user_confirm_request_evt(hdev, skb); 5388 break; 5389 5390 case HCI_EV_USER_PASSKEY_REQUEST: 5391 hci_user_passkey_request_evt(hdev, skb); 5392 break; 5393 5394 case HCI_EV_USER_PASSKEY_NOTIFY: 5395 hci_user_passkey_notify_evt(hdev, skb); 5396 break; 5397 5398 case HCI_EV_KEYPRESS_NOTIFY: 5399 hci_keypress_notify_evt(hdev, skb); 5400 break; 5401 5402 case HCI_EV_SIMPLE_PAIR_COMPLETE: 5403 hci_simple_pair_complete_evt(hdev, skb); 5404 break; 5405 5406 case HCI_EV_REMOTE_HOST_FEATURES: 5407 hci_remote_host_features_evt(hdev, skb); 5408 break; 5409 5410 case HCI_EV_LE_META: 5411 hci_le_meta_evt(hdev, skb); 5412 break; 5413 5414 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 5415 hci_remote_oob_data_request_evt(hdev, skb); 5416 break; 5417 5418 #if IS_ENABLED(CONFIG_BT_HS) 5419 case HCI_EV_CHANNEL_SELECTED: 5420 hci_chan_selected_evt(hdev, skb); 5421 break; 5422 5423 case HCI_EV_PHY_LINK_COMPLETE: 5424 hci_phy_link_complete_evt(hdev, skb); 5425 break; 5426 5427 case HCI_EV_LOGICAL_LINK_COMPLETE: 5428 hci_loglink_complete_evt(hdev, skb); 5429 break; 5430 5431 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 5432 hci_disconn_loglink_complete_evt(hdev, skb); 5433 break; 5434 5435 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 5436 hci_disconn_phylink_complete_evt(hdev, skb); 5437 break; 5438 #endif 5439 5440 case HCI_EV_NUM_COMP_BLOCKS: 5441 hci_num_comp_blocks_evt(hdev, skb); 5442 break; 5443 5444 default: 5445 BT_DBG("%s event 0x%2.2x", hdev->name, event); 5446 break; 5447 } 5448 5449 if (req_complete) { 5450 req_complete(hdev, status, opcode); 5451 } else if (req_complete_skb) { 5452 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 5453 kfree_skb(orig_skb); 5454 orig_skb = NULL; 5455 } 5456 req_complete_skb(hdev, status, opcode, orig_skb); 5457 } 5458 5459 kfree_skb(orig_skb); 5460 kfree_skb(skb); 5461 hdev->stat.evt_rx++; 5462 } 5463