1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI event handling. */ 27 28 #include <asm/unaligned.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/mgmt.h> 33 34 #include "hci_request.h" 35 #include "hci_debugfs.h" 36 #include "a2mp.h" 37 #include "amp.h" 38 #include "smp.h" 39 #include "msft.h" 40 #include "eir.h" 41 42 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 43 "\x00\x00\x00\x00\x00\x00\x00\x00" 44 45 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000) 46 47 /* Handle HCI Event packets */ 48 49 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 50 u8 ev, size_t len) 51 { 52 void *data; 53 54 data = skb_pull_data(skb, len); 55 if (!data) 56 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev); 57 58 return data; 59 } 60 61 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 62 u16 op, size_t len) 63 { 64 void *data; 65 66 data = skb_pull_data(skb, len); 67 if (!data) 68 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op); 69 70 return data; 71 } 72 73 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 74 u8 ev, size_t len) 75 { 76 void *data; 77 78 data = skb_pull_data(skb, len); 79 if (!data) 80 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev); 81 82 return data; 83 } 84 85 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data, 86 struct sk_buff *skb) 87 { 88 struct hci_ev_status *rp = data; 89 90 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 91 92 /* It is possible that we receive Inquiry Complete event right 93 * before we receive Inquiry Cancel Command Complete event, in 94 * which case the latter event should have status of Command 95 * Disallowed (0x0c). This should not be treated as error, since 96 * we actually achieve what Inquiry Cancel wants to achieve, 97 * which is to end the last Inquiry session. 98 */ 99 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 100 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 101 rp->status = 0x00; 102 } 103 104 if (rp->status) 105 return rp->status; 106 107 clear_bit(HCI_INQUIRY, &hdev->flags); 108 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 109 wake_up_bit(&hdev->flags, HCI_INQUIRY); 110 111 hci_dev_lock(hdev); 112 /* Set discovery state to stopped if we're not doing LE active 113 * scanning. 114 */ 115 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 116 hdev->le_scan_type != LE_SCAN_ACTIVE) 117 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 118 hci_dev_unlock(hdev); 119 120 hci_conn_check_pending(hdev); 121 122 return rp->status; 123 } 124 125 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data, 126 struct sk_buff *skb) 127 { 128 struct hci_ev_status *rp = data; 129 130 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 131 132 if (rp->status) 133 return rp->status; 134 135 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 136 137 return rp->status; 138 } 139 140 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data, 141 struct sk_buff *skb) 142 { 143 struct hci_ev_status *rp = data; 144 145 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 146 147 if (rp->status) 148 return rp->status; 149 150 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 151 152 hci_conn_check_pending(hdev); 153 154 return rp->status; 155 } 156 157 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data, 158 struct sk_buff *skb) 159 { 160 struct hci_ev_status *rp = data; 161 162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 163 164 return rp->status; 165 } 166 167 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data, 168 struct sk_buff *skb) 169 { 170 struct hci_rp_role_discovery *rp = data; 171 struct hci_conn *conn; 172 173 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 174 175 if (rp->status) 176 return rp->status; 177 178 hci_dev_lock(hdev); 179 180 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 181 if (conn) 182 conn->role = rp->role; 183 184 hci_dev_unlock(hdev); 185 186 return rp->status; 187 } 188 189 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data, 190 struct sk_buff *skb) 191 { 192 struct hci_rp_read_link_policy *rp = data; 193 struct hci_conn *conn; 194 195 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 196 197 if (rp->status) 198 return rp->status; 199 200 hci_dev_lock(hdev); 201 202 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 203 if (conn) 204 conn->link_policy = __le16_to_cpu(rp->policy); 205 206 hci_dev_unlock(hdev); 207 208 return rp->status; 209 } 210 211 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data, 212 struct sk_buff *skb) 213 { 214 struct hci_rp_write_link_policy *rp = data; 215 struct hci_conn *conn; 216 void *sent; 217 218 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 219 220 if (rp->status) 221 return rp->status; 222 223 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 224 if (!sent) 225 return rp->status; 226 227 hci_dev_lock(hdev); 228 229 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 230 if (conn) 231 conn->link_policy = get_unaligned_le16(sent + 2); 232 233 hci_dev_unlock(hdev); 234 235 return rp->status; 236 } 237 238 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data, 239 struct sk_buff *skb) 240 { 241 struct hci_rp_read_def_link_policy *rp = data; 242 243 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 244 245 if (rp->status) 246 return rp->status; 247 248 hdev->link_policy = __le16_to_cpu(rp->policy); 249 250 return rp->status; 251 } 252 253 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data, 254 struct sk_buff *skb) 255 { 256 struct hci_ev_status *rp = data; 257 void *sent; 258 259 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 260 261 if (rp->status) 262 return rp->status; 263 264 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 265 if (!sent) 266 return rp->status; 267 268 hdev->link_policy = get_unaligned_le16(sent); 269 270 return rp->status; 271 } 272 273 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb) 274 { 275 struct hci_ev_status *rp = data; 276 277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 278 279 clear_bit(HCI_RESET, &hdev->flags); 280 281 if (rp->status) 282 return rp->status; 283 284 /* Reset all non-persistent flags */ 285 hci_dev_clear_volatile_flags(hdev); 286 287 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 288 289 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 290 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 291 292 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 293 hdev->adv_data_len = 0; 294 295 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 296 hdev->scan_rsp_data_len = 0; 297 298 hdev->le_scan_type = LE_SCAN_PASSIVE; 299 300 hdev->ssp_debug_mode = 0; 301 302 hci_bdaddr_list_clear(&hdev->le_accept_list); 303 hci_bdaddr_list_clear(&hdev->le_resolv_list); 304 305 return rp->status; 306 } 307 308 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data, 309 struct sk_buff *skb) 310 { 311 struct hci_rp_read_stored_link_key *rp = data; 312 struct hci_cp_read_stored_link_key *sent; 313 314 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 315 316 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 317 if (!sent) 318 return rp->status; 319 320 if (!rp->status && sent->read_all == 0x01) { 321 hdev->stored_max_keys = le16_to_cpu(rp->max_keys); 322 hdev->stored_num_keys = le16_to_cpu(rp->num_keys); 323 } 324 325 return rp->status; 326 } 327 328 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data, 329 struct sk_buff *skb) 330 { 331 struct hci_rp_delete_stored_link_key *rp = data; 332 u16 num_keys; 333 334 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 335 336 if (rp->status) 337 return rp->status; 338 339 num_keys = le16_to_cpu(rp->num_keys); 340 341 if (num_keys <= hdev->stored_num_keys) 342 hdev->stored_num_keys -= num_keys; 343 else 344 hdev->stored_num_keys = 0; 345 346 return rp->status; 347 } 348 349 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data, 350 struct sk_buff *skb) 351 { 352 struct hci_ev_status *rp = data; 353 void *sent; 354 355 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 356 357 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 358 if (!sent) 359 return rp->status; 360 361 hci_dev_lock(hdev); 362 363 if (hci_dev_test_flag(hdev, HCI_MGMT)) 364 mgmt_set_local_name_complete(hdev, sent, rp->status); 365 else if (!rp->status) 366 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 367 368 hci_dev_unlock(hdev); 369 370 return rp->status; 371 } 372 373 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data, 374 struct sk_buff *skb) 375 { 376 struct hci_rp_read_local_name *rp = data; 377 378 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 379 380 if (rp->status) 381 return rp->status; 382 383 if (hci_dev_test_flag(hdev, HCI_SETUP) || 384 hci_dev_test_flag(hdev, HCI_CONFIG)) 385 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 386 387 return rp->status; 388 } 389 390 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data, 391 struct sk_buff *skb) 392 { 393 struct hci_ev_status *rp = data; 394 void *sent; 395 396 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 397 398 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 399 if (!sent) 400 return rp->status; 401 402 hci_dev_lock(hdev); 403 404 if (!rp->status) { 405 __u8 param = *((__u8 *) sent); 406 407 if (param == AUTH_ENABLED) 408 set_bit(HCI_AUTH, &hdev->flags); 409 else 410 clear_bit(HCI_AUTH, &hdev->flags); 411 } 412 413 if (hci_dev_test_flag(hdev, HCI_MGMT)) 414 mgmt_auth_enable_complete(hdev, rp->status); 415 416 hci_dev_unlock(hdev); 417 418 return rp->status; 419 } 420 421 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data, 422 struct sk_buff *skb) 423 { 424 struct hci_ev_status *rp = data; 425 __u8 param; 426 void *sent; 427 428 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 429 430 if (rp->status) 431 return rp->status; 432 433 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 434 if (!sent) 435 return rp->status; 436 437 param = *((__u8 *) sent); 438 439 if (param) 440 set_bit(HCI_ENCRYPT, &hdev->flags); 441 else 442 clear_bit(HCI_ENCRYPT, &hdev->flags); 443 444 return rp->status; 445 } 446 447 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data, 448 struct sk_buff *skb) 449 { 450 struct hci_ev_status *rp = data; 451 __u8 param; 452 void *sent; 453 454 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 455 456 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 457 if (!sent) 458 return rp->status; 459 460 param = *((__u8 *) sent); 461 462 hci_dev_lock(hdev); 463 464 if (rp->status) { 465 hdev->discov_timeout = 0; 466 goto done; 467 } 468 469 if (param & SCAN_INQUIRY) 470 set_bit(HCI_ISCAN, &hdev->flags); 471 else 472 clear_bit(HCI_ISCAN, &hdev->flags); 473 474 if (param & SCAN_PAGE) 475 set_bit(HCI_PSCAN, &hdev->flags); 476 else 477 clear_bit(HCI_PSCAN, &hdev->flags); 478 479 done: 480 hci_dev_unlock(hdev); 481 482 return rp->status; 483 } 484 485 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data, 486 struct sk_buff *skb) 487 { 488 struct hci_ev_status *rp = data; 489 struct hci_cp_set_event_filter *cp; 490 void *sent; 491 492 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 493 494 if (rp->status) 495 return rp->status; 496 497 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT); 498 if (!sent) 499 return rp->status; 500 501 cp = (struct hci_cp_set_event_filter *)sent; 502 503 if (cp->flt_type == HCI_FLT_CLEAR_ALL) 504 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 505 else 506 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 507 508 return rp->status; 509 } 510 511 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, 512 struct sk_buff *skb) 513 { 514 struct hci_rp_read_class_of_dev *rp = data; 515 516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 517 518 if (rp->status) 519 return rp->status; 520 521 memcpy(hdev->dev_class, rp->dev_class, 3); 522 523 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2], 524 hdev->dev_class[1], hdev->dev_class[0]); 525 526 return rp->status; 527 } 528 529 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data, 530 struct sk_buff *skb) 531 { 532 struct hci_ev_status *rp = data; 533 void *sent; 534 535 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 536 537 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 538 if (!sent) 539 return rp->status; 540 541 hci_dev_lock(hdev); 542 543 if (!rp->status) 544 memcpy(hdev->dev_class, sent, 3); 545 546 if (hci_dev_test_flag(hdev, HCI_MGMT)) 547 mgmt_set_class_of_dev_complete(hdev, sent, rp->status); 548 549 hci_dev_unlock(hdev); 550 551 return rp->status; 552 } 553 554 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data, 555 struct sk_buff *skb) 556 { 557 struct hci_rp_read_voice_setting *rp = data; 558 __u16 setting; 559 560 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 561 562 if (rp->status) 563 return rp->status; 564 565 setting = __le16_to_cpu(rp->voice_setting); 566 567 if (hdev->voice_setting == setting) 568 return rp->status; 569 570 hdev->voice_setting = setting; 571 572 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 573 574 if (hdev->notify) 575 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 576 577 return rp->status; 578 } 579 580 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data, 581 struct sk_buff *skb) 582 { 583 struct hci_ev_status *rp = data; 584 __u16 setting; 585 void *sent; 586 587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 588 589 if (rp->status) 590 return rp->status; 591 592 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 593 if (!sent) 594 return rp->status; 595 596 setting = get_unaligned_le16(sent); 597 598 if (hdev->voice_setting == setting) 599 return rp->status; 600 601 hdev->voice_setting = setting; 602 603 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 604 605 if (hdev->notify) 606 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 607 608 return rp->status; 609 } 610 611 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data, 612 struct sk_buff *skb) 613 { 614 struct hci_rp_read_num_supported_iac *rp = data; 615 616 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 617 618 if (rp->status) 619 return rp->status; 620 621 hdev->num_iac = rp->num_iac; 622 623 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac); 624 625 return rp->status; 626 } 627 628 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data, 629 struct sk_buff *skb) 630 { 631 struct hci_ev_status *rp = data; 632 struct hci_cp_write_ssp_mode *sent; 633 634 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 635 636 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 637 if (!sent) 638 return rp->status; 639 640 hci_dev_lock(hdev); 641 642 if (!rp->status) { 643 if (sent->mode) 644 hdev->features[1][0] |= LMP_HOST_SSP; 645 else 646 hdev->features[1][0] &= ~LMP_HOST_SSP; 647 } 648 649 if (!rp->status) { 650 if (sent->mode) 651 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 652 else 653 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 654 } 655 656 hci_dev_unlock(hdev); 657 658 return rp->status; 659 } 660 661 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data, 662 struct sk_buff *skb) 663 { 664 struct hci_ev_status *rp = data; 665 struct hci_cp_write_sc_support *sent; 666 667 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 668 669 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 670 if (!sent) 671 return rp->status; 672 673 hci_dev_lock(hdev); 674 675 if (!rp->status) { 676 if (sent->support) 677 hdev->features[1][0] |= LMP_HOST_SC; 678 else 679 hdev->features[1][0] &= ~LMP_HOST_SC; 680 } 681 682 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) { 683 if (sent->support) 684 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 685 else 686 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 687 } 688 689 hci_dev_unlock(hdev); 690 691 return rp->status; 692 } 693 694 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data, 695 struct sk_buff *skb) 696 { 697 struct hci_rp_read_local_version *rp = data; 698 699 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 700 701 if (rp->status) 702 return rp->status; 703 704 if (hci_dev_test_flag(hdev, HCI_SETUP) || 705 hci_dev_test_flag(hdev, HCI_CONFIG)) { 706 hdev->hci_ver = rp->hci_ver; 707 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 708 hdev->lmp_ver = rp->lmp_ver; 709 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 710 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 711 } 712 713 return rp->status; 714 } 715 716 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data, 717 struct sk_buff *skb) 718 { 719 struct hci_rp_read_enc_key_size *rp = data; 720 struct hci_conn *conn; 721 u16 handle; 722 u8 status = rp->status; 723 724 bt_dev_dbg(hdev, "status 0x%2.2x", status); 725 726 handle = le16_to_cpu(rp->handle); 727 728 hci_dev_lock(hdev); 729 730 conn = hci_conn_hash_lookup_handle(hdev, handle); 731 if (!conn) { 732 status = 0xFF; 733 goto done; 734 } 735 736 /* While unexpected, the read_enc_key_size command may fail. The most 737 * secure approach is to then assume the key size is 0 to force a 738 * disconnection. 739 */ 740 if (status) { 741 bt_dev_err(hdev, "failed to read key size for handle %u", 742 handle); 743 conn->enc_key_size = 0; 744 } else { 745 conn->enc_key_size = rp->key_size; 746 status = 0; 747 } 748 749 hci_encrypt_cfm(conn, 0); 750 751 done: 752 hci_dev_unlock(hdev); 753 754 return status; 755 } 756 757 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data, 758 struct sk_buff *skb) 759 { 760 struct hci_rp_read_local_commands *rp = data; 761 762 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 763 764 if (rp->status) 765 return rp->status; 766 767 if (hci_dev_test_flag(hdev, HCI_SETUP) || 768 hci_dev_test_flag(hdev, HCI_CONFIG)) 769 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 770 771 return rp->status; 772 } 773 774 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data, 775 struct sk_buff *skb) 776 { 777 struct hci_rp_read_auth_payload_to *rp = data; 778 struct hci_conn *conn; 779 780 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 781 782 if (rp->status) 783 return rp->status; 784 785 hci_dev_lock(hdev); 786 787 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 788 if (conn) 789 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 790 791 hci_dev_unlock(hdev); 792 793 return rp->status; 794 } 795 796 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data, 797 struct sk_buff *skb) 798 { 799 struct hci_rp_write_auth_payload_to *rp = data; 800 struct hci_conn *conn; 801 void *sent; 802 803 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 804 805 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 806 if (!sent) 807 return rp->status; 808 809 hci_dev_lock(hdev); 810 811 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 812 if (!conn) { 813 rp->status = 0xff; 814 goto unlock; 815 } 816 817 if (!rp->status) 818 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 819 820 hci_encrypt_cfm(conn, 0); 821 822 unlock: 823 hci_dev_unlock(hdev); 824 825 return rp->status; 826 } 827 828 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data, 829 struct sk_buff *skb) 830 { 831 struct hci_rp_read_local_features *rp = data; 832 833 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 834 835 if (rp->status) 836 return rp->status; 837 838 memcpy(hdev->features, rp->features, 8); 839 840 /* Adjust default settings according to features 841 * supported by device. */ 842 843 if (hdev->features[0][0] & LMP_3SLOT) 844 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 845 846 if (hdev->features[0][0] & LMP_5SLOT) 847 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 848 849 if (hdev->features[0][1] & LMP_HV2) { 850 hdev->pkt_type |= (HCI_HV2); 851 hdev->esco_type |= (ESCO_HV2); 852 } 853 854 if (hdev->features[0][1] & LMP_HV3) { 855 hdev->pkt_type |= (HCI_HV3); 856 hdev->esco_type |= (ESCO_HV3); 857 } 858 859 if (lmp_esco_capable(hdev)) 860 hdev->esco_type |= (ESCO_EV3); 861 862 if (hdev->features[0][4] & LMP_EV4) 863 hdev->esco_type |= (ESCO_EV4); 864 865 if (hdev->features[0][4] & LMP_EV5) 866 hdev->esco_type |= (ESCO_EV5); 867 868 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 869 hdev->esco_type |= (ESCO_2EV3); 870 871 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 872 hdev->esco_type |= (ESCO_3EV3); 873 874 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 875 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 876 877 return rp->status; 878 } 879 880 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, 881 struct sk_buff *skb) 882 { 883 struct hci_rp_read_local_ext_features *rp = data; 884 885 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 886 887 if (rp->status) 888 return rp->status; 889 890 if (hdev->max_page < rp->max_page) { 891 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, 892 &hdev->quirks)) 893 bt_dev_warn(hdev, "broken local ext features page 2"); 894 else 895 hdev->max_page = rp->max_page; 896 } 897 898 if (rp->page < HCI_MAX_PAGES) 899 memcpy(hdev->features[rp->page], rp->features, 8); 900 901 return rp->status; 902 } 903 904 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data, 905 struct sk_buff *skb) 906 { 907 struct hci_rp_read_flow_control_mode *rp = data; 908 909 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 910 911 if (rp->status) 912 return rp->status; 913 914 hdev->flow_ctl_mode = rp->mode; 915 916 return rp->status; 917 } 918 919 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, 920 struct sk_buff *skb) 921 { 922 struct hci_rp_read_buffer_size *rp = data; 923 924 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 925 926 if (rp->status) 927 return rp->status; 928 929 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 930 hdev->sco_mtu = rp->sco_mtu; 931 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 932 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 933 934 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 935 hdev->sco_mtu = 64; 936 hdev->sco_pkts = 8; 937 } 938 939 hdev->acl_cnt = hdev->acl_pkts; 940 hdev->sco_cnt = hdev->sco_pkts; 941 942 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 943 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 944 945 return rp->status; 946 } 947 948 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data, 949 struct sk_buff *skb) 950 { 951 struct hci_rp_read_bd_addr *rp = data; 952 953 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 954 955 if (rp->status) 956 return rp->status; 957 958 if (test_bit(HCI_INIT, &hdev->flags)) 959 bacpy(&hdev->bdaddr, &rp->bdaddr); 960 961 if (hci_dev_test_flag(hdev, HCI_SETUP)) 962 bacpy(&hdev->setup_addr, &rp->bdaddr); 963 964 return rp->status; 965 } 966 967 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data, 968 struct sk_buff *skb) 969 { 970 struct hci_rp_read_local_pairing_opts *rp = data; 971 972 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 973 974 if (rp->status) 975 return rp->status; 976 977 if (hci_dev_test_flag(hdev, HCI_SETUP) || 978 hci_dev_test_flag(hdev, HCI_CONFIG)) { 979 hdev->pairing_opts = rp->pairing_opts; 980 hdev->max_enc_key_size = rp->max_key_size; 981 } 982 983 return rp->status; 984 } 985 986 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data, 987 struct sk_buff *skb) 988 { 989 struct hci_rp_read_page_scan_activity *rp = data; 990 991 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 992 993 if (rp->status) 994 return rp->status; 995 996 if (test_bit(HCI_INIT, &hdev->flags)) { 997 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 998 hdev->page_scan_window = __le16_to_cpu(rp->window); 999 } 1000 1001 return rp->status; 1002 } 1003 1004 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data, 1005 struct sk_buff *skb) 1006 { 1007 struct hci_ev_status *rp = data; 1008 struct hci_cp_write_page_scan_activity *sent; 1009 1010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1011 1012 if (rp->status) 1013 return rp->status; 1014 1015 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 1016 if (!sent) 1017 return rp->status; 1018 1019 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 1020 hdev->page_scan_window = __le16_to_cpu(sent->window); 1021 1022 return rp->status; 1023 } 1024 1025 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data, 1026 struct sk_buff *skb) 1027 { 1028 struct hci_rp_read_page_scan_type *rp = data; 1029 1030 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1031 1032 if (rp->status) 1033 return rp->status; 1034 1035 if (test_bit(HCI_INIT, &hdev->flags)) 1036 hdev->page_scan_type = rp->type; 1037 1038 return rp->status; 1039 } 1040 1041 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data, 1042 struct sk_buff *skb) 1043 { 1044 struct hci_ev_status *rp = data; 1045 u8 *type; 1046 1047 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1048 1049 if (rp->status) 1050 return rp->status; 1051 1052 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 1053 if (type) 1054 hdev->page_scan_type = *type; 1055 1056 return rp->status; 1057 } 1058 1059 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data, 1060 struct sk_buff *skb) 1061 { 1062 struct hci_rp_read_data_block_size *rp = data; 1063 1064 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1065 1066 if (rp->status) 1067 return rp->status; 1068 1069 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 1070 hdev->block_len = __le16_to_cpu(rp->block_len); 1071 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 1072 1073 hdev->block_cnt = hdev->num_blocks; 1074 1075 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 1076 hdev->block_cnt, hdev->block_len); 1077 1078 return rp->status; 1079 } 1080 1081 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, 1082 struct sk_buff *skb) 1083 { 1084 struct hci_rp_read_clock *rp = data; 1085 struct hci_cp_read_clock *cp; 1086 struct hci_conn *conn; 1087 1088 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1089 1090 if (rp->status) 1091 return rp->status; 1092 1093 hci_dev_lock(hdev); 1094 1095 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 1096 if (!cp) 1097 goto unlock; 1098 1099 if (cp->which == 0x00) { 1100 hdev->clock = le32_to_cpu(rp->clock); 1101 goto unlock; 1102 } 1103 1104 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1105 if (conn) { 1106 conn->clock = le32_to_cpu(rp->clock); 1107 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 1108 } 1109 1110 unlock: 1111 hci_dev_unlock(hdev); 1112 return rp->status; 1113 } 1114 1115 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data, 1116 struct sk_buff *skb) 1117 { 1118 struct hci_rp_read_local_amp_info *rp = data; 1119 1120 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1121 1122 if (rp->status) 1123 return rp->status; 1124 1125 hdev->amp_status = rp->amp_status; 1126 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 1127 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 1128 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 1129 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 1130 hdev->amp_type = rp->amp_type; 1131 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 1132 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 1133 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 1134 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 1135 1136 return rp->status; 1137 } 1138 1139 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data, 1140 struct sk_buff *skb) 1141 { 1142 struct hci_rp_read_inq_rsp_tx_power *rp = data; 1143 1144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1145 1146 if (rp->status) 1147 return rp->status; 1148 1149 hdev->inq_tx_power = rp->tx_power; 1150 1151 return rp->status; 1152 } 1153 1154 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data, 1155 struct sk_buff *skb) 1156 { 1157 struct hci_rp_read_def_err_data_reporting *rp = data; 1158 1159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1160 1161 if (rp->status) 1162 return rp->status; 1163 1164 hdev->err_data_reporting = rp->err_data_reporting; 1165 1166 return rp->status; 1167 } 1168 1169 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data, 1170 struct sk_buff *skb) 1171 { 1172 struct hci_ev_status *rp = data; 1173 struct hci_cp_write_def_err_data_reporting *cp; 1174 1175 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1176 1177 if (rp->status) 1178 return rp->status; 1179 1180 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 1181 if (!cp) 1182 return rp->status; 1183 1184 hdev->err_data_reporting = cp->err_data_reporting; 1185 1186 return rp->status; 1187 } 1188 1189 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data, 1190 struct sk_buff *skb) 1191 { 1192 struct hci_rp_pin_code_reply *rp = data; 1193 struct hci_cp_pin_code_reply *cp; 1194 struct hci_conn *conn; 1195 1196 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1197 1198 hci_dev_lock(hdev); 1199 1200 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1201 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 1202 1203 if (rp->status) 1204 goto unlock; 1205 1206 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 1207 if (!cp) 1208 goto unlock; 1209 1210 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1211 if (conn) 1212 conn->pin_length = cp->pin_len; 1213 1214 unlock: 1215 hci_dev_unlock(hdev); 1216 return rp->status; 1217 } 1218 1219 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data, 1220 struct sk_buff *skb) 1221 { 1222 struct hci_rp_pin_code_neg_reply *rp = data; 1223 1224 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1225 1226 hci_dev_lock(hdev); 1227 1228 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1229 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1230 rp->status); 1231 1232 hci_dev_unlock(hdev); 1233 1234 return rp->status; 1235 } 1236 1237 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data, 1238 struct sk_buff *skb) 1239 { 1240 struct hci_rp_le_read_buffer_size *rp = data; 1241 1242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1243 1244 if (rp->status) 1245 return rp->status; 1246 1247 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1248 hdev->le_pkts = rp->le_max_pkt; 1249 1250 hdev->le_cnt = hdev->le_pkts; 1251 1252 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1253 1254 return rp->status; 1255 } 1256 1257 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data, 1258 struct sk_buff *skb) 1259 { 1260 struct hci_rp_le_read_local_features *rp = data; 1261 1262 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1263 1264 if (rp->status) 1265 return rp->status; 1266 1267 memcpy(hdev->le_features, rp->features, 8); 1268 1269 return rp->status; 1270 } 1271 1272 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data, 1273 struct sk_buff *skb) 1274 { 1275 struct hci_rp_le_read_adv_tx_power *rp = data; 1276 1277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1278 1279 if (rp->status) 1280 return rp->status; 1281 1282 hdev->adv_tx_power = rp->tx_power; 1283 1284 return rp->status; 1285 } 1286 1287 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data, 1288 struct sk_buff *skb) 1289 { 1290 struct hci_rp_user_confirm_reply *rp = data; 1291 1292 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1293 1294 hci_dev_lock(hdev); 1295 1296 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1297 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1298 rp->status); 1299 1300 hci_dev_unlock(hdev); 1301 1302 return rp->status; 1303 } 1304 1305 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data, 1306 struct sk_buff *skb) 1307 { 1308 struct hci_rp_user_confirm_reply *rp = data; 1309 1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1311 1312 hci_dev_lock(hdev); 1313 1314 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1315 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1316 ACL_LINK, 0, rp->status); 1317 1318 hci_dev_unlock(hdev); 1319 1320 return rp->status; 1321 } 1322 1323 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data, 1324 struct sk_buff *skb) 1325 { 1326 struct hci_rp_user_confirm_reply *rp = data; 1327 1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1329 1330 hci_dev_lock(hdev); 1331 1332 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1333 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1334 0, rp->status); 1335 1336 hci_dev_unlock(hdev); 1337 1338 return rp->status; 1339 } 1340 1341 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data, 1342 struct sk_buff *skb) 1343 { 1344 struct hci_rp_user_confirm_reply *rp = data; 1345 1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1347 1348 hci_dev_lock(hdev); 1349 1350 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1351 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1352 ACL_LINK, 0, rp->status); 1353 1354 hci_dev_unlock(hdev); 1355 1356 return rp->status; 1357 } 1358 1359 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data, 1360 struct sk_buff *skb) 1361 { 1362 struct hci_rp_read_local_oob_data *rp = data; 1363 1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1365 1366 return rp->status; 1367 } 1368 1369 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data, 1370 struct sk_buff *skb) 1371 { 1372 struct hci_rp_read_local_oob_ext_data *rp = data; 1373 1374 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1375 1376 return rp->status; 1377 } 1378 1379 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data, 1380 struct sk_buff *skb) 1381 { 1382 struct hci_ev_status *rp = data; 1383 bdaddr_t *sent; 1384 1385 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1386 1387 if (rp->status) 1388 return rp->status; 1389 1390 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1391 if (!sent) 1392 return rp->status; 1393 1394 hci_dev_lock(hdev); 1395 1396 bacpy(&hdev->random_addr, sent); 1397 1398 if (!bacmp(&hdev->rpa, sent)) { 1399 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED); 1400 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, 1401 secs_to_jiffies(hdev->rpa_timeout)); 1402 } 1403 1404 hci_dev_unlock(hdev); 1405 1406 return rp->status; 1407 } 1408 1409 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data, 1410 struct sk_buff *skb) 1411 { 1412 struct hci_ev_status *rp = data; 1413 struct hci_cp_le_set_default_phy *cp; 1414 1415 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1416 1417 if (rp->status) 1418 return rp->status; 1419 1420 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1421 if (!cp) 1422 return rp->status; 1423 1424 hci_dev_lock(hdev); 1425 1426 hdev->le_tx_def_phys = cp->tx_phys; 1427 hdev->le_rx_def_phys = cp->rx_phys; 1428 1429 hci_dev_unlock(hdev); 1430 1431 return rp->status; 1432 } 1433 1434 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data, 1435 struct sk_buff *skb) 1436 { 1437 struct hci_ev_status *rp = data; 1438 struct hci_cp_le_set_adv_set_rand_addr *cp; 1439 struct adv_info *adv; 1440 1441 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1442 1443 if (rp->status) 1444 return rp->status; 1445 1446 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1447 /* Update only in case the adv instance since handle 0x00 shall be using 1448 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and 1449 * non-extended adverting. 1450 */ 1451 if (!cp || !cp->handle) 1452 return rp->status; 1453 1454 hci_dev_lock(hdev); 1455 1456 adv = hci_find_adv_instance(hdev, cp->handle); 1457 if (adv) { 1458 bacpy(&adv->random_addr, &cp->bdaddr); 1459 if (!bacmp(&hdev->rpa, &cp->bdaddr)) { 1460 adv->rpa_expired = false; 1461 queue_delayed_work(hdev->workqueue, 1462 &adv->rpa_expired_cb, 1463 secs_to_jiffies(hdev->rpa_timeout)); 1464 } 1465 } 1466 1467 hci_dev_unlock(hdev); 1468 1469 return rp->status; 1470 } 1471 1472 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data, 1473 struct sk_buff *skb) 1474 { 1475 struct hci_ev_status *rp = data; 1476 u8 *instance; 1477 int err; 1478 1479 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1480 1481 if (rp->status) 1482 return rp->status; 1483 1484 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET); 1485 if (!instance) 1486 return rp->status; 1487 1488 hci_dev_lock(hdev); 1489 1490 err = hci_remove_adv_instance(hdev, *instance); 1491 if (!err) 1492 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev, 1493 *instance); 1494 1495 hci_dev_unlock(hdev); 1496 1497 return rp->status; 1498 } 1499 1500 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data, 1501 struct sk_buff *skb) 1502 { 1503 struct hci_ev_status *rp = data; 1504 struct adv_info *adv, *n; 1505 int err; 1506 1507 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1508 1509 if (rp->status) 1510 return rp->status; 1511 1512 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS)) 1513 return rp->status; 1514 1515 hci_dev_lock(hdev); 1516 1517 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 1518 u8 instance = adv->instance; 1519 1520 err = hci_remove_adv_instance(hdev, instance); 1521 if (!err) 1522 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1523 hdev, instance); 1524 } 1525 1526 hci_dev_unlock(hdev); 1527 1528 return rp->status; 1529 } 1530 1531 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data, 1532 struct sk_buff *skb) 1533 { 1534 struct hci_rp_le_read_transmit_power *rp = data; 1535 1536 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1537 1538 if (rp->status) 1539 return rp->status; 1540 1541 hdev->min_le_tx_power = rp->min_le_tx_power; 1542 hdev->max_le_tx_power = rp->max_le_tx_power; 1543 1544 return rp->status; 1545 } 1546 1547 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, 1548 struct sk_buff *skb) 1549 { 1550 struct hci_ev_status *rp = data; 1551 struct hci_cp_le_set_privacy_mode *cp; 1552 struct hci_conn_params *params; 1553 1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1555 1556 if (rp->status) 1557 return rp->status; 1558 1559 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE); 1560 if (!cp) 1561 return rp->status; 1562 1563 hci_dev_lock(hdev); 1564 1565 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); 1566 if (params) 1567 params->privacy_mode = cp->mode; 1568 1569 hci_dev_unlock(hdev); 1570 1571 return rp->status; 1572 } 1573 1574 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data, 1575 struct sk_buff *skb) 1576 { 1577 struct hci_ev_status *rp = data; 1578 __u8 *sent; 1579 1580 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1581 1582 if (rp->status) 1583 return rp->status; 1584 1585 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1586 if (!sent) 1587 return rp->status; 1588 1589 hci_dev_lock(hdev); 1590 1591 /* If we're doing connection initiation as peripheral. Set a 1592 * timeout in case something goes wrong. 1593 */ 1594 if (*sent) { 1595 struct hci_conn *conn; 1596 1597 hci_dev_set_flag(hdev, HCI_LE_ADV); 1598 1599 conn = hci_lookup_le_connect(hdev); 1600 if (conn) 1601 queue_delayed_work(hdev->workqueue, 1602 &conn->le_conn_timeout, 1603 conn->conn_timeout); 1604 } else { 1605 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1606 } 1607 1608 hci_dev_unlock(hdev); 1609 1610 return rp->status; 1611 } 1612 1613 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, 1614 struct sk_buff *skb) 1615 { 1616 struct hci_cp_le_set_ext_adv_enable *cp; 1617 struct hci_cp_ext_adv_set *set; 1618 struct adv_info *adv = NULL, *n; 1619 struct hci_ev_status *rp = data; 1620 1621 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1622 1623 if (rp->status) 1624 return rp->status; 1625 1626 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1627 if (!cp) 1628 return rp->status; 1629 1630 set = (void *)cp->data; 1631 1632 hci_dev_lock(hdev); 1633 1634 if (cp->num_of_sets) 1635 adv = hci_find_adv_instance(hdev, set->handle); 1636 1637 if (cp->enable) { 1638 struct hci_conn *conn; 1639 1640 hci_dev_set_flag(hdev, HCI_LE_ADV); 1641 1642 if (adv) 1643 adv->enabled = true; 1644 1645 conn = hci_lookup_le_connect(hdev); 1646 if (conn) 1647 queue_delayed_work(hdev->workqueue, 1648 &conn->le_conn_timeout, 1649 conn->conn_timeout); 1650 } else { 1651 if (cp->num_of_sets) { 1652 if (adv) 1653 adv->enabled = false; 1654 1655 /* If just one instance was disabled check if there are 1656 * any other instance enabled before clearing HCI_LE_ADV 1657 */ 1658 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1659 list) { 1660 if (adv->enabled) 1661 goto unlock; 1662 } 1663 } else { 1664 /* All instances shall be considered disabled */ 1665 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1666 list) 1667 adv->enabled = false; 1668 } 1669 1670 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1671 } 1672 1673 unlock: 1674 hci_dev_unlock(hdev); 1675 return rp->status; 1676 } 1677 1678 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data, 1679 struct sk_buff *skb) 1680 { 1681 struct hci_cp_le_set_scan_param *cp; 1682 struct hci_ev_status *rp = data; 1683 1684 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1685 1686 if (rp->status) 1687 return rp->status; 1688 1689 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1690 if (!cp) 1691 return rp->status; 1692 1693 hci_dev_lock(hdev); 1694 1695 hdev->le_scan_type = cp->type; 1696 1697 hci_dev_unlock(hdev); 1698 1699 return rp->status; 1700 } 1701 1702 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data, 1703 struct sk_buff *skb) 1704 { 1705 struct hci_cp_le_set_ext_scan_params *cp; 1706 struct hci_ev_status *rp = data; 1707 struct hci_cp_le_scan_phy_params *phy_param; 1708 1709 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1710 1711 if (rp->status) 1712 return rp->status; 1713 1714 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1715 if (!cp) 1716 return rp->status; 1717 1718 phy_param = (void *)cp->data; 1719 1720 hci_dev_lock(hdev); 1721 1722 hdev->le_scan_type = phy_param->type; 1723 1724 hci_dev_unlock(hdev); 1725 1726 return rp->status; 1727 } 1728 1729 static bool has_pending_adv_report(struct hci_dev *hdev) 1730 { 1731 struct discovery_state *d = &hdev->discovery; 1732 1733 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1734 } 1735 1736 static void clear_pending_adv_report(struct hci_dev *hdev) 1737 { 1738 struct discovery_state *d = &hdev->discovery; 1739 1740 bacpy(&d->last_adv_addr, BDADDR_ANY); 1741 d->last_adv_data_len = 0; 1742 } 1743 1744 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1745 u8 bdaddr_type, s8 rssi, u32 flags, 1746 u8 *data, u8 len) 1747 { 1748 struct discovery_state *d = &hdev->discovery; 1749 1750 if (len > HCI_MAX_AD_LENGTH) 1751 return; 1752 1753 bacpy(&d->last_adv_addr, bdaddr); 1754 d->last_adv_addr_type = bdaddr_type; 1755 d->last_adv_rssi = rssi; 1756 d->last_adv_flags = flags; 1757 memcpy(d->last_adv_data, data, len); 1758 d->last_adv_data_len = len; 1759 } 1760 1761 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1762 { 1763 hci_dev_lock(hdev); 1764 1765 switch (enable) { 1766 case LE_SCAN_ENABLE: 1767 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1768 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1769 clear_pending_adv_report(hdev); 1770 if (hci_dev_test_flag(hdev, HCI_MESH)) 1771 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 1772 break; 1773 1774 case LE_SCAN_DISABLE: 1775 /* We do this here instead of when setting DISCOVERY_STOPPED 1776 * since the latter would potentially require waiting for 1777 * inquiry to stop too. 1778 */ 1779 if (has_pending_adv_report(hdev)) { 1780 struct discovery_state *d = &hdev->discovery; 1781 1782 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1783 d->last_adv_addr_type, NULL, 1784 d->last_adv_rssi, d->last_adv_flags, 1785 d->last_adv_data, 1786 d->last_adv_data_len, NULL, 0, 0); 1787 } 1788 1789 /* Cancel this timer so that we don't try to disable scanning 1790 * when it's already disabled. 1791 */ 1792 cancel_delayed_work(&hdev->le_scan_disable); 1793 1794 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1795 1796 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1797 * interrupted scanning due to a connect request. Mark 1798 * therefore discovery as stopped. 1799 */ 1800 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1801 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1802 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1803 hdev->discovery.state == DISCOVERY_FINDING) 1804 queue_work(hdev->workqueue, &hdev->reenable_adv_work); 1805 1806 break; 1807 1808 default: 1809 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1810 enable); 1811 break; 1812 } 1813 1814 hci_dev_unlock(hdev); 1815 } 1816 1817 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data, 1818 struct sk_buff *skb) 1819 { 1820 struct hci_cp_le_set_scan_enable *cp; 1821 struct hci_ev_status *rp = data; 1822 1823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1824 1825 if (rp->status) 1826 return rp->status; 1827 1828 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1829 if (!cp) 1830 return rp->status; 1831 1832 le_set_scan_enable_complete(hdev, cp->enable); 1833 1834 return rp->status; 1835 } 1836 1837 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data, 1838 struct sk_buff *skb) 1839 { 1840 struct hci_cp_le_set_ext_scan_enable *cp; 1841 struct hci_ev_status *rp = data; 1842 1843 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1844 1845 if (rp->status) 1846 return rp->status; 1847 1848 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1849 if (!cp) 1850 return rp->status; 1851 1852 le_set_scan_enable_complete(hdev, cp->enable); 1853 1854 return rp->status; 1855 } 1856 1857 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data, 1858 struct sk_buff *skb) 1859 { 1860 struct hci_rp_le_read_num_supported_adv_sets *rp = data; 1861 1862 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status, 1863 rp->num_of_sets); 1864 1865 if (rp->status) 1866 return rp->status; 1867 1868 hdev->le_num_of_adv_sets = rp->num_of_sets; 1869 1870 return rp->status; 1871 } 1872 1873 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data, 1874 struct sk_buff *skb) 1875 { 1876 struct hci_rp_le_read_accept_list_size *rp = data; 1877 1878 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 1879 1880 if (rp->status) 1881 return rp->status; 1882 1883 hdev->le_accept_list_size = rp->size; 1884 1885 return rp->status; 1886 } 1887 1888 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data, 1889 struct sk_buff *skb) 1890 { 1891 struct hci_ev_status *rp = data; 1892 1893 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1894 1895 if (rp->status) 1896 return rp->status; 1897 1898 hci_dev_lock(hdev); 1899 hci_bdaddr_list_clear(&hdev->le_accept_list); 1900 hci_dev_unlock(hdev); 1901 1902 return rp->status; 1903 } 1904 1905 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data, 1906 struct sk_buff *skb) 1907 { 1908 struct hci_cp_le_add_to_accept_list *sent; 1909 struct hci_ev_status *rp = data; 1910 1911 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1912 1913 if (rp->status) 1914 return rp->status; 1915 1916 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1917 if (!sent) 1918 return rp->status; 1919 1920 hci_dev_lock(hdev); 1921 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1922 sent->bdaddr_type); 1923 hci_dev_unlock(hdev); 1924 1925 return rp->status; 1926 } 1927 1928 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data, 1929 struct sk_buff *skb) 1930 { 1931 struct hci_cp_le_del_from_accept_list *sent; 1932 struct hci_ev_status *rp = data; 1933 1934 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1935 1936 if (rp->status) 1937 return rp->status; 1938 1939 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1940 if (!sent) 1941 return rp->status; 1942 1943 hci_dev_lock(hdev); 1944 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1945 sent->bdaddr_type); 1946 hci_dev_unlock(hdev); 1947 1948 return rp->status; 1949 } 1950 1951 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data, 1952 struct sk_buff *skb) 1953 { 1954 struct hci_rp_le_read_supported_states *rp = data; 1955 1956 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1957 1958 if (rp->status) 1959 return rp->status; 1960 1961 memcpy(hdev->le_states, rp->le_states, 8); 1962 1963 return rp->status; 1964 } 1965 1966 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data, 1967 struct sk_buff *skb) 1968 { 1969 struct hci_rp_le_read_def_data_len *rp = data; 1970 1971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1972 1973 if (rp->status) 1974 return rp->status; 1975 1976 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1977 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1978 1979 return rp->status; 1980 } 1981 1982 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data, 1983 struct sk_buff *skb) 1984 { 1985 struct hci_cp_le_write_def_data_len *sent; 1986 struct hci_ev_status *rp = data; 1987 1988 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1989 1990 if (rp->status) 1991 return rp->status; 1992 1993 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1994 if (!sent) 1995 return rp->status; 1996 1997 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1998 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1999 2000 return rp->status; 2001 } 2002 2003 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data, 2004 struct sk_buff *skb) 2005 { 2006 struct hci_cp_le_add_to_resolv_list *sent; 2007 struct hci_ev_status *rp = data; 2008 2009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2010 2011 if (rp->status) 2012 return rp->status; 2013 2014 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 2015 if (!sent) 2016 return rp->status; 2017 2018 hci_dev_lock(hdev); 2019 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2020 sent->bdaddr_type, sent->peer_irk, 2021 sent->local_irk); 2022 hci_dev_unlock(hdev); 2023 2024 return rp->status; 2025 } 2026 2027 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data, 2028 struct sk_buff *skb) 2029 { 2030 struct hci_cp_le_del_from_resolv_list *sent; 2031 struct hci_ev_status *rp = data; 2032 2033 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2034 2035 if (rp->status) 2036 return rp->status; 2037 2038 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 2039 if (!sent) 2040 return rp->status; 2041 2042 hci_dev_lock(hdev); 2043 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2044 sent->bdaddr_type); 2045 hci_dev_unlock(hdev); 2046 2047 return rp->status; 2048 } 2049 2050 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data, 2051 struct sk_buff *skb) 2052 { 2053 struct hci_ev_status *rp = data; 2054 2055 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2056 2057 if (rp->status) 2058 return rp->status; 2059 2060 hci_dev_lock(hdev); 2061 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2062 hci_dev_unlock(hdev); 2063 2064 return rp->status; 2065 } 2066 2067 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data, 2068 struct sk_buff *skb) 2069 { 2070 struct hci_rp_le_read_resolv_list_size *rp = data; 2071 2072 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 2073 2074 if (rp->status) 2075 return rp->status; 2076 2077 hdev->le_resolv_list_size = rp->size; 2078 2079 return rp->status; 2080 } 2081 2082 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data, 2083 struct sk_buff *skb) 2084 { 2085 struct hci_ev_status *rp = data; 2086 __u8 *sent; 2087 2088 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2089 2090 if (rp->status) 2091 return rp->status; 2092 2093 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 2094 if (!sent) 2095 return rp->status; 2096 2097 hci_dev_lock(hdev); 2098 2099 if (*sent) 2100 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 2101 else 2102 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 2103 2104 hci_dev_unlock(hdev); 2105 2106 return rp->status; 2107 } 2108 2109 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data, 2110 struct sk_buff *skb) 2111 { 2112 struct hci_rp_le_read_max_data_len *rp = data; 2113 2114 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2115 2116 if (rp->status) 2117 return rp->status; 2118 2119 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 2120 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 2121 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 2122 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 2123 2124 return rp->status; 2125 } 2126 2127 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data, 2128 struct sk_buff *skb) 2129 { 2130 struct hci_cp_write_le_host_supported *sent; 2131 struct hci_ev_status *rp = data; 2132 2133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2134 2135 if (rp->status) 2136 return rp->status; 2137 2138 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 2139 if (!sent) 2140 return rp->status; 2141 2142 hci_dev_lock(hdev); 2143 2144 if (sent->le) { 2145 hdev->features[1][0] |= LMP_HOST_LE; 2146 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 2147 } else { 2148 hdev->features[1][0] &= ~LMP_HOST_LE; 2149 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 2150 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 2151 } 2152 2153 if (sent->simul) 2154 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 2155 else 2156 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 2157 2158 hci_dev_unlock(hdev); 2159 2160 return rp->status; 2161 } 2162 2163 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, 2164 struct sk_buff *skb) 2165 { 2166 struct hci_cp_le_set_adv_param *cp; 2167 struct hci_ev_status *rp = data; 2168 2169 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2170 2171 if (rp->status) 2172 return rp->status; 2173 2174 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 2175 if (!cp) 2176 return rp->status; 2177 2178 hci_dev_lock(hdev); 2179 hdev->adv_addr_type = cp->own_address_type; 2180 hci_dev_unlock(hdev); 2181 2182 return rp->status; 2183 } 2184 2185 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, 2186 struct sk_buff *skb) 2187 { 2188 struct hci_rp_le_set_ext_adv_params *rp = data; 2189 struct hci_cp_le_set_ext_adv_params *cp; 2190 struct adv_info *adv_instance; 2191 2192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2193 2194 if (rp->status) 2195 return rp->status; 2196 2197 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 2198 if (!cp) 2199 return rp->status; 2200 2201 hci_dev_lock(hdev); 2202 hdev->adv_addr_type = cp->own_addr_type; 2203 if (!cp->handle) { 2204 /* Store in hdev for instance 0 */ 2205 hdev->adv_tx_power = rp->tx_power; 2206 } else { 2207 adv_instance = hci_find_adv_instance(hdev, cp->handle); 2208 if (adv_instance) 2209 adv_instance->tx_power = rp->tx_power; 2210 } 2211 /* Update adv data as tx power is known now */ 2212 hci_update_adv_data(hdev, cp->handle); 2213 2214 hci_dev_unlock(hdev); 2215 2216 return rp->status; 2217 } 2218 2219 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, 2220 struct sk_buff *skb) 2221 { 2222 struct hci_rp_read_rssi *rp = data; 2223 struct hci_conn *conn; 2224 2225 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2226 2227 if (rp->status) 2228 return rp->status; 2229 2230 hci_dev_lock(hdev); 2231 2232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2233 if (conn) 2234 conn->rssi = rp->rssi; 2235 2236 hci_dev_unlock(hdev); 2237 2238 return rp->status; 2239 } 2240 2241 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data, 2242 struct sk_buff *skb) 2243 { 2244 struct hci_cp_read_tx_power *sent; 2245 struct hci_rp_read_tx_power *rp = data; 2246 struct hci_conn *conn; 2247 2248 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2249 2250 if (rp->status) 2251 return rp->status; 2252 2253 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 2254 if (!sent) 2255 return rp->status; 2256 2257 hci_dev_lock(hdev); 2258 2259 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2260 if (!conn) 2261 goto unlock; 2262 2263 switch (sent->type) { 2264 case 0x00: 2265 conn->tx_power = rp->tx_power; 2266 break; 2267 case 0x01: 2268 conn->max_tx_power = rp->tx_power; 2269 break; 2270 } 2271 2272 unlock: 2273 hci_dev_unlock(hdev); 2274 return rp->status; 2275 } 2276 2277 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data, 2278 struct sk_buff *skb) 2279 { 2280 struct hci_ev_status *rp = data; 2281 u8 *mode; 2282 2283 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2284 2285 if (rp->status) 2286 return rp->status; 2287 2288 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 2289 if (mode) 2290 hdev->ssp_debug_mode = *mode; 2291 2292 return rp->status; 2293 } 2294 2295 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 2296 { 2297 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2298 2299 if (status) { 2300 hci_conn_check_pending(hdev); 2301 return; 2302 } 2303 2304 set_bit(HCI_INQUIRY, &hdev->flags); 2305 } 2306 2307 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 2308 { 2309 struct hci_cp_create_conn *cp; 2310 struct hci_conn *conn; 2311 2312 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2313 2314 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 2315 if (!cp) 2316 return; 2317 2318 hci_dev_lock(hdev); 2319 2320 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2321 2322 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn); 2323 2324 if (status) { 2325 if (conn && conn->state == BT_CONNECT) { 2326 if (status != 0x0c || conn->attempt > 2) { 2327 conn->state = BT_CLOSED; 2328 hci_connect_cfm(conn, status); 2329 hci_conn_del(conn); 2330 } else 2331 conn->state = BT_CONNECT2; 2332 } 2333 } else { 2334 if (!conn) { 2335 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 2336 HCI_ROLE_MASTER); 2337 if (!conn) 2338 bt_dev_err(hdev, "no memory for new connection"); 2339 } 2340 } 2341 2342 hci_dev_unlock(hdev); 2343 } 2344 2345 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2346 { 2347 struct hci_cp_add_sco *cp; 2348 struct hci_conn *acl; 2349 struct hci_link *link; 2350 __u16 handle; 2351 2352 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2353 2354 if (!status) 2355 return; 2356 2357 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2358 if (!cp) 2359 return; 2360 2361 handle = __le16_to_cpu(cp->handle); 2362 2363 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2364 2365 hci_dev_lock(hdev); 2366 2367 acl = hci_conn_hash_lookup_handle(hdev, handle); 2368 if (acl) { 2369 link = list_first_entry_or_null(&acl->link_list, 2370 struct hci_link, list); 2371 if (link && link->conn) { 2372 link->conn->state = BT_CLOSED; 2373 2374 hci_connect_cfm(link->conn, status); 2375 hci_conn_del(link->conn); 2376 } 2377 } 2378 2379 hci_dev_unlock(hdev); 2380 } 2381 2382 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2383 { 2384 struct hci_cp_auth_requested *cp; 2385 struct hci_conn *conn; 2386 2387 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2388 2389 if (!status) 2390 return; 2391 2392 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2393 if (!cp) 2394 return; 2395 2396 hci_dev_lock(hdev); 2397 2398 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2399 if (conn) { 2400 if (conn->state == BT_CONFIG) { 2401 hci_connect_cfm(conn, status); 2402 hci_conn_drop(conn); 2403 } 2404 } 2405 2406 hci_dev_unlock(hdev); 2407 } 2408 2409 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2410 { 2411 struct hci_cp_set_conn_encrypt *cp; 2412 struct hci_conn *conn; 2413 2414 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2415 2416 if (!status) 2417 return; 2418 2419 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2420 if (!cp) 2421 return; 2422 2423 hci_dev_lock(hdev); 2424 2425 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2426 if (conn) { 2427 if (conn->state == BT_CONFIG) { 2428 hci_connect_cfm(conn, status); 2429 hci_conn_drop(conn); 2430 } 2431 } 2432 2433 hci_dev_unlock(hdev); 2434 } 2435 2436 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2437 struct hci_conn *conn) 2438 { 2439 if (conn->state != BT_CONFIG || !conn->out) 2440 return 0; 2441 2442 if (conn->pending_sec_level == BT_SECURITY_SDP) 2443 return 0; 2444 2445 /* Only request authentication for SSP connections or non-SSP 2446 * devices with sec_level MEDIUM or HIGH or if MITM protection 2447 * is requested. 2448 */ 2449 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2450 conn->pending_sec_level != BT_SECURITY_FIPS && 2451 conn->pending_sec_level != BT_SECURITY_HIGH && 2452 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2453 return 0; 2454 2455 return 1; 2456 } 2457 2458 static int hci_resolve_name(struct hci_dev *hdev, 2459 struct inquiry_entry *e) 2460 { 2461 struct hci_cp_remote_name_req cp; 2462 2463 memset(&cp, 0, sizeof(cp)); 2464 2465 bacpy(&cp.bdaddr, &e->data.bdaddr); 2466 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2467 cp.pscan_mode = e->data.pscan_mode; 2468 cp.clock_offset = e->data.clock_offset; 2469 2470 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2471 } 2472 2473 static bool hci_resolve_next_name(struct hci_dev *hdev) 2474 { 2475 struct discovery_state *discov = &hdev->discovery; 2476 struct inquiry_entry *e; 2477 2478 if (list_empty(&discov->resolve)) 2479 return false; 2480 2481 /* We should stop if we already spent too much time resolving names. */ 2482 if (time_after(jiffies, discov->name_resolve_timeout)) { 2483 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2484 return false; 2485 } 2486 2487 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2488 if (!e) 2489 return false; 2490 2491 if (hci_resolve_name(hdev, e) == 0) { 2492 e->name_state = NAME_PENDING; 2493 return true; 2494 } 2495 2496 return false; 2497 } 2498 2499 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2500 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2501 { 2502 struct discovery_state *discov = &hdev->discovery; 2503 struct inquiry_entry *e; 2504 2505 /* Update the mgmt connected state if necessary. Be careful with 2506 * conn objects that exist but are not (yet) connected however. 2507 * Only those in BT_CONFIG or BT_CONNECTED states can be 2508 * considered connected. 2509 */ 2510 if (conn && 2511 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2512 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2513 mgmt_device_connected(hdev, conn, name, name_len); 2514 2515 if (discov->state == DISCOVERY_STOPPED) 2516 return; 2517 2518 if (discov->state == DISCOVERY_STOPPING) 2519 goto discov_complete; 2520 2521 if (discov->state != DISCOVERY_RESOLVING) 2522 return; 2523 2524 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2525 /* If the device was not found in a list of found devices names of which 2526 * are pending. there is no need to continue resolving a next name as it 2527 * will be done upon receiving another Remote Name Request Complete 2528 * Event */ 2529 if (!e) 2530 return; 2531 2532 list_del(&e->list); 2533 2534 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2535 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2536 name, name_len); 2537 2538 if (hci_resolve_next_name(hdev)) 2539 return; 2540 2541 discov_complete: 2542 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2543 } 2544 2545 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2546 { 2547 struct hci_cp_remote_name_req *cp; 2548 struct hci_conn *conn; 2549 2550 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2551 2552 /* If successful wait for the name req complete event before 2553 * checking for the need to do authentication */ 2554 if (!status) 2555 return; 2556 2557 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2558 if (!cp) 2559 return; 2560 2561 hci_dev_lock(hdev); 2562 2563 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2564 2565 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2566 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2567 2568 if (!conn) 2569 goto unlock; 2570 2571 if (!hci_outgoing_auth_needed(hdev, conn)) 2572 goto unlock; 2573 2574 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2575 struct hci_cp_auth_requested auth_cp; 2576 2577 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2578 2579 auth_cp.handle = __cpu_to_le16(conn->handle); 2580 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2581 sizeof(auth_cp), &auth_cp); 2582 } 2583 2584 unlock: 2585 hci_dev_unlock(hdev); 2586 } 2587 2588 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2589 { 2590 struct hci_cp_read_remote_features *cp; 2591 struct hci_conn *conn; 2592 2593 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2594 2595 if (!status) 2596 return; 2597 2598 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2599 if (!cp) 2600 return; 2601 2602 hci_dev_lock(hdev); 2603 2604 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2605 if (conn) { 2606 if (conn->state == BT_CONFIG) { 2607 hci_connect_cfm(conn, status); 2608 hci_conn_drop(conn); 2609 } 2610 } 2611 2612 hci_dev_unlock(hdev); 2613 } 2614 2615 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2616 { 2617 struct hci_cp_read_remote_ext_features *cp; 2618 struct hci_conn *conn; 2619 2620 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2621 2622 if (!status) 2623 return; 2624 2625 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2626 if (!cp) 2627 return; 2628 2629 hci_dev_lock(hdev); 2630 2631 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2632 if (conn) { 2633 if (conn->state == BT_CONFIG) { 2634 hci_connect_cfm(conn, status); 2635 hci_conn_drop(conn); 2636 } 2637 } 2638 2639 hci_dev_unlock(hdev); 2640 } 2641 2642 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle, 2643 __u8 status) 2644 { 2645 struct hci_conn *acl; 2646 struct hci_link *link; 2647 2648 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status); 2649 2650 hci_dev_lock(hdev); 2651 2652 acl = hci_conn_hash_lookup_handle(hdev, handle); 2653 if (acl) { 2654 link = list_first_entry_or_null(&acl->link_list, 2655 struct hci_link, list); 2656 if (link && link->conn) { 2657 link->conn->state = BT_CLOSED; 2658 2659 hci_connect_cfm(link->conn, status); 2660 hci_conn_del(link->conn); 2661 } 2662 } 2663 2664 hci_dev_unlock(hdev); 2665 } 2666 2667 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2668 { 2669 struct hci_cp_setup_sync_conn *cp; 2670 2671 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2672 2673 if (!status) 2674 return; 2675 2676 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2677 if (!cp) 2678 return; 2679 2680 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2681 } 2682 2683 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2684 { 2685 struct hci_cp_enhanced_setup_sync_conn *cp; 2686 2687 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2688 2689 if (!status) 2690 return; 2691 2692 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN); 2693 if (!cp) 2694 return; 2695 2696 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2697 } 2698 2699 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2700 { 2701 struct hci_cp_sniff_mode *cp; 2702 struct hci_conn *conn; 2703 2704 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2705 2706 if (!status) 2707 return; 2708 2709 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2710 if (!cp) 2711 return; 2712 2713 hci_dev_lock(hdev); 2714 2715 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2716 if (conn) { 2717 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2718 2719 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2720 hci_sco_setup(conn, status); 2721 } 2722 2723 hci_dev_unlock(hdev); 2724 } 2725 2726 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2727 { 2728 struct hci_cp_exit_sniff_mode *cp; 2729 struct hci_conn *conn; 2730 2731 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2732 2733 if (!status) 2734 return; 2735 2736 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2737 if (!cp) 2738 return; 2739 2740 hci_dev_lock(hdev); 2741 2742 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2743 if (conn) { 2744 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2745 2746 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2747 hci_sco_setup(conn, status); 2748 } 2749 2750 hci_dev_unlock(hdev); 2751 } 2752 2753 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2754 { 2755 struct hci_cp_disconnect *cp; 2756 struct hci_conn_params *params; 2757 struct hci_conn *conn; 2758 bool mgmt_conn; 2759 2760 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2761 2762 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended 2763 * otherwise cleanup the connection immediately. 2764 */ 2765 if (!status && !hdev->suspended) 2766 return; 2767 2768 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2769 if (!cp) 2770 return; 2771 2772 hci_dev_lock(hdev); 2773 2774 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2775 if (!conn) 2776 goto unlock; 2777 2778 if (status) { 2779 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2780 conn->dst_type, status); 2781 2782 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 2783 hdev->cur_adv_instance = conn->adv_instance; 2784 hci_enable_advertising(hdev); 2785 } 2786 2787 goto done; 2788 } 2789 2790 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2791 2792 if (conn->type == ACL_LINK) { 2793 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2794 hci_remove_link_key(hdev, &conn->dst); 2795 } 2796 2797 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2798 if (params) { 2799 switch (params->auto_connect) { 2800 case HCI_AUTO_CONN_LINK_LOSS: 2801 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2802 break; 2803 fallthrough; 2804 2805 case HCI_AUTO_CONN_DIRECT: 2806 case HCI_AUTO_CONN_ALWAYS: 2807 list_del_init(¶ms->action); 2808 list_add(¶ms->action, &hdev->pend_le_conns); 2809 break; 2810 2811 default: 2812 break; 2813 } 2814 } 2815 2816 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2817 cp->reason, mgmt_conn); 2818 2819 hci_disconn_cfm(conn, cp->reason); 2820 2821 done: 2822 /* If the disconnection failed for any reason, the upper layer 2823 * does not retry to disconnect in current implementation. 2824 * Hence, we need to do some basic cleanup here and re-enable 2825 * advertising if necessary. 2826 */ 2827 hci_conn_del(conn); 2828 unlock: 2829 hci_dev_unlock(hdev); 2830 } 2831 2832 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved) 2833 { 2834 /* When using controller based address resolution, then the new 2835 * address types 0x02 and 0x03 are used. These types need to be 2836 * converted back into either public address or random address type 2837 */ 2838 switch (type) { 2839 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2840 if (resolved) 2841 *resolved = true; 2842 return ADDR_LE_DEV_PUBLIC; 2843 case ADDR_LE_DEV_RANDOM_RESOLVED: 2844 if (resolved) 2845 *resolved = true; 2846 return ADDR_LE_DEV_RANDOM; 2847 } 2848 2849 if (resolved) 2850 *resolved = false; 2851 return type; 2852 } 2853 2854 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2855 u8 peer_addr_type, u8 own_address_type, 2856 u8 filter_policy) 2857 { 2858 struct hci_conn *conn; 2859 2860 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2861 peer_addr_type); 2862 if (!conn) 2863 return; 2864 2865 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL); 2866 2867 /* Store the initiator and responder address information which 2868 * is needed for SMP. These values will not change during the 2869 * lifetime of the connection. 2870 */ 2871 conn->init_addr_type = own_address_type; 2872 if (own_address_type == ADDR_LE_DEV_RANDOM) 2873 bacpy(&conn->init_addr, &hdev->random_addr); 2874 else 2875 bacpy(&conn->init_addr, &hdev->bdaddr); 2876 2877 conn->resp_addr_type = peer_addr_type; 2878 bacpy(&conn->resp_addr, peer_addr); 2879 } 2880 2881 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2882 { 2883 struct hci_cp_le_create_conn *cp; 2884 2885 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2886 2887 /* All connection failure handling is taken care of by the 2888 * hci_conn_failed function which is triggered by the HCI 2889 * request completion callbacks used for connecting. 2890 */ 2891 if (status) 2892 return; 2893 2894 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2895 if (!cp) 2896 return; 2897 2898 hci_dev_lock(hdev); 2899 2900 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2901 cp->own_address_type, cp->filter_policy); 2902 2903 hci_dev_unlock(hdev); 2904 } 2905 2906 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2907 { 2908 struct hci_cp_le_ext_create_conn *cp; 2909 2910 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2911 2912 /* All connection failure handling is taken care of by the 2913 * hci_conn_failed function which is triggered by the HCI 2914 * request completion callbacks used for connecting. 2915 */ 2916 if (status) 2917 return; 2918 2919 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2920 if (!cp) 2921 return; 2922 2923 hci_dev_lock(hdev); 2924 2925 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2926 cp->own_addr_type, cp->filter_policy); 2927 2928 hci_dev_unlock(hdev); 2929 } 2930 2931 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2932 { 2933 struct hci_cp_le_read_remote_features *cp; 2934 struct hci_conn *conn; 2935 2936 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2937 2938 if (!status) 2939 return; 2940 2941 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2942 if (!cp) 2943 return; 2944 2945 hci_dev_lock(hdev); 2946 2947 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2948 if (conn) { 2949 if (conn->state == BT_CONFIG) { 2950 hci_connect_cfm(conn, status); 2951 hci_conn_drop(conn); 2952 } 2953 } 2954 2955 hci_dev_unlock(hdev); 2956 } 2957 2958 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2959 { 2960 struct hci_cp_le_start_enc *cp; 2961 struct hci_conn *conn; 2962 2963 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2964 2965 if (!status) 2966 return; 2967 2968 hci_dev_lock(hdev); 2969 2970 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2971 if (!cp) 2972 goto unlock; 2973 2974 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2975 if (!conn) 2976 goto unlock; 2977 2978 if (conn->state != BT_CONNECTED) 2979 goto unlock; 2980 2981 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2982 hci_conn_drop(conn); 2983 2984 unlock: 2985 hci_dev_unlock(hdev); 2986 } 2987 2988 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2989 { 2990 struct hci_cp_switch_role *cp; 2991 struct hci_conn *conn; 2992 2993 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2994 2995 if (!status) 2996 return; 2997 2998 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2999 if (!cp) 3000 return; 3001 3002 hci_dev_lock(hdev); 3003 3004 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 3005 if (conn) 3006 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3007 3008 hci_dev_unlock(hdev); 3009 } 3010 3011 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data, 3012 struct sk_buff *skb) 3013 { 3014 struct hci_ev_status *ev = data; 3015 struct discovery_state *discov = &hdev->discovery; 3016 struct inquiry_entry *e; 3017 3018 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3019 3020 hci_conn_check_pending(hdev); 3021 3022 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 3023 return; 3024 3025 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 3026 wake_up_bit(&hdev->flags, HCI_INQUIRY); 3027 3028 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3029 return; 3030 3031 hci_dev_lock(hdev); 3032 3033 if (discov->state != DISCOVERY_FINDING) 3034 goto unlock; 3035 3036 if (list_empty(&discov->resolve)) { 3037 /* When BR/EDR inquiry is active and no LE scanning is in 3038 * progress, then change discovery state to indicate completion. 3039 * 3040 * When running LE scanning and BR/EDR inquiry simultaneously 3041 * and the LE scan already finished, then change the discovery 3042 * state to indicate completion. 3043 */ 3044 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3045 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3046 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3047 goto unlock; 3048 } 3049 3050 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 3051 if (e && hci_resolve_name(hdev, e) == 0) { 3052 e->name_state = NAME_PENDING; 3053 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 3054 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION; 3055 } else { 3056 /* When BR/EDR inquiry is active and no LE scanning is in 3057 * progress, then change discovery state to indicate completion. 3058 * 3059 * When running LE scanning and BR/EDR inquiry simultaneously 3060 * and the LE scan already finished, then change the discovery 3061 * state to indicate completion. 3062 */ 3063 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3064 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3065 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3066 } 3067 3068 unlock: 3069 hci_dev_unlock(hdev); 3070 } 3071 3072 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata, 3073 struct sk_buff *skb) 3074 { 3075 struct hci_ev_inquiry_result *ev = edata; 3076 struct inquiry_data data; 3077 int i; 3078 3079 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT, 3080 flex_array_size(ev, info, ev->num))) 3081 return; 3082 3083 bt_dev_dbg(hdev, "num %d", ev->num); 3084 3085 if (!ev->num) 3086 return; 3087 3088 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3089 return; 3090 3091 hci_dev_lock(hdev); 3092 3093 for (i = 0; i < ev->num; i++) { 3094 struct inquiry_info *info = &ev->info[i]; 3095 u32 flags; 3096 3097 bacpy(&data.bdaddr, &info->bdaddr); 3098 data.pscan_rep_mode = info->pscan_rep_mode; 3099 data.pscan_period_mode = info->pscan_period_mode; 3100 data.pscan_mode = info->pscan_mode; 3101 memcpy(data.dev_class, info->dev_class, 3); 3102 data.clock_offset = info->clock_offset; 3103 data.rssi = HCI_RSSI_INVALID; 3104 data.ssp_mode = 0x00; 3105 3106 flags = hci_inquiry_cache_update(hdev, &data, false); 3107 3108 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3109 info->dev_class, HCI_RSSI_INVALID, 3110 flags, NULL, 0, NULL, 0, 0); 3111 } 3112 3113 hci_dev_unlock(hdev); 3114 } 3115 3116 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3117 struct sk_buff *skb) 3118 { 3119 struct hci_ev_conn_complete *ev = data; 3120 struct hci_conn *conn; 3121 u8 status = ev->status; 3122 3123 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3124 3125 hci_dev_lock(hdev); 3126 3127 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3128 if (!conn) { 3129 /* In case of error status and there is no connection pending 3130 * just unlock as there is nothing to cleanup. 3131 */ 3132 if (ev->status) 3133 goto unlock; 3134 3135 /* Connection may not exist if auto-connected. Check the bredr 3136 * allowlist to see if this device is allowed to auto connect. 3137 * If link is an ACL type, create a connection class 3138 * automatically. 3139 * 3140 * Auto-connect will only occur if the event filter is 3141 * programmed with a given address. Right now, event filter is 3142 * only used during suspend. 3143 */ 3144 if (ev->link_type == ACL_LINK && 3145 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3146 &ev->bdaddr, 3147 BDADDR_BREDR)) { 3148 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 3149 HCI_ROLE_SLAVE); 3150 if (!conn) { 3151 bt_dev_err(hdev, "no memory for new conn"); 3152 goto unlock; 3153 } 3154 } else { 3155 if (ev->link_type != SCO_LINK) 3156 goto unlock; 3157 3158 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3159 &ev->bdaddr); 3160 if (!conn) 3161 goto unlock; 3162 3163 conn->type = SCO_LINK; 3164 } 3165 } 3166 3167 /* The HCI_Connection_Complete event is only sent once per connection. 3168 * Processing it more than once per connection can corrupt kernel memory. 3169 * 3170 * As the connection handle is set here for the first time, it indicates 3171 * whether the connection is already set up. 3172 */ 3173 if (conn->handle != HCI_CONN_HANDLE_UNSET) { 3174 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3175 goto unlock; 3176 } 3177 3178 if (!status) { 3179 conn->handle = __le16_to_cpu(ev->handle); 3180 if (conn->handle > HCI_CONN_HANDLE_MAX) { 3181 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 3182 conn->handle, HCI_CONN_HANDLE_MAX); 3183 status = HCI_ERROR_INVALID_PARAMETERS; 3184 goto done; 3185 } 3186 3187 if (conn->type == ACL_LINK) { 3188 conn->state = BT_CONFIG; 3189 hci_conn_hold(conn); 3190 3191 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3192 !hci_find_link_key(hdev, &ev->bdaddr)) 3193 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3194 else 3195 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3196 } else 3197 conn->state = BT_CONNECTED; 3198 3199 hci_debugfs_create_conn(conn); 3200 hci_conn_add_sysfs(conn); 3201 3202 if (test_bit(HCI_AUTH, &hdev->flags)) 3203 set_bit(HCI_CONN_AUTH, &conn->flags); 3204 3205 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3206 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3207 3208 /* Get remote features */ 3209 if (conn->type == ACL_LINK) { 3210 struct hci_cp_read_remote_features cp; 3211 cp.handle = ev->handle; 3212 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3213 sizeof(cp), &cp); 3214 3215 hci_update_scan(hdev); 3216 } 3217 3218 /* Set packet type for incoming connection */ 3219 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3220 struct hci_cp_change_conn_ptype cp; 3221 cp.handle = ev->handle; 3222 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3223 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3224 &cp); 3225 } 3226 } 3227 3228 if (conn->type == ACL_LINK) 3229 hci_sco_setup(conn, ev->status); 3230 3231 done: 3232 if (status) { 3233 hci_conn_failed(conn, status); 3234 } else if (ev->link_type == SCO_LINK) { 3235 switch (conn->setting & SCO_AIRMODE_MASK) { 3236 case SCO_AIRMODE_CVSD: 3237 if (hdev->notify) 3238 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3239 break; 3240 } 3241 3242 hci_connect_cfm(conn, status); 3243 } 3244 3245 unlock: 3246 hci_dev_unlock(hdev); 3247 3248 hci_conn_check_pending(hdev); 3249 } 3250 3251 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 3252 { 3253 struct hci_cp_reject_conn_req cp; 3254 3255 bacpy(&cp.bdaddr, bdaddr); 3256 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 3257 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 3258 } 3259 3260 static void hci_conn_request_evt(struct hci_dev *hdev, void *data, 3261 struct sk_buff *skb) 3262 { 3263 struct hci_ev_conn_request *ev = data; 3264 int mask = hdev->link_mode; 3265 struct inquiry_entry *ie; 3266 struct hci_conn *conn; 3267 __u8 flags = 0; 3268 3269 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type); 3270 3271 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 3272 &flags); 3273 3274 if (!(mask & HCI_LM_ACCEPT)) { 3275 hci_reject_conn(hdev, &ev->bdaddr); 3276 return; 3277 } 3278 3279 hci_dev_lock(hdev); 3280 3281 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, 3282 BDADDR_BREDR)) { 3283 hci_reject_conn(hdev, &ev->bdaddr); 3284 goto unlock; 3285 } 3286 3287 /* Require HCI_CONNECTABLE or an accept list entry to accept the 3288 * connection. These features are only touched through mgmt so 3289 * only do the checks if HCI_MGMT is set. 3290 */ 3291 if (hci_dev_test_flag(hdev, HCI_MGMT) && 3292 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 3293 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, 3294 BDADDR_BREDR)) { 3295 hci_reject_conn(hdev, &ev->bdaddr); 3296 goto unlock; 3297 } 3298 3299 /* Connection accepted */ 3300 3301 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3302 if (ie) 3303 memcpy(ie->data.dev_class, ev->dev_class, 3); 3304 3305 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 3306 &ev->bdaddr); 3307 if (!conn) { 3308 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 3309 HCI_ROLE_SLAVE); 3310 if (!conn) { 3311 bt_dev_err(hdev, "no memory for new connection"); 3312 goto unlock; 3313 } 3314 } 3315 3316 memcpy(conn->dev_class, ev->dev_class, 3); 3317 3318 hci_dev_unlock(hdev); 3319 3320 if (ev->link_type == ACL_LINK || 3321 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 3322 struct hci_cp_accept_conn_req cp; 3323 conn->state = BT_CONNECT; 3324 3325 bacpy(&cp.bdaddr, &ev->bdaddr); 3326 3327 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 3328 cp.role = 0x00; /* Become central */ 3329 else 3330 cp.role = 0x01; /* Remain peripheral */ 3331 3332 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 3333 } else if (!(flags & HCI_PROTO_DEFER)) { 3334 struct hci_cp_accept_sync_conn_req cp; 3335 conn->state = BT_CONNECT; 3336 3337 bacpy(&cp.bdaddr, &ev->bdaddr); 3338 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3339 3340 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 3341 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 3342 cp.max_latency = cpu_to_le16(0xffff); 3343 cp.content_format = cpu_to_le16(hdev->voice_setting); 3344 cp.retrans_effort = 0xff; 3345 3346 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 3347 &cp); 3348 } else { 3349 conn->state = BT_CONNECT2; 3350 hci_connect_cfm(conn, 0); 3351 } 3352 3353 return; 3354 unlock: 3355 hci_dev_unlock(hdev); 3356 } 3357 3358 static u8 hci_to_mgmt_reason(u8 err) 3359 { 3360 switch (err) { 3361 case HCI_ERROR_CONNECTION_TIMEOUT: 3362 return MGMT_DEV_DISCONN_TIMEOUT; 3363 case HCI_ERROR_REMOTE_USER_TERM: 3364 case HCI_ERROR_REMOTE_LOW_RESOURCES: 3365 case HCI_ERROR_REMOTE_POWER_OFF: 3366 return MGMT_DEV_DISCONN_REMOTE; 3367 case HCI_ERROR_LOCAL_HOST_TERM: 3368 return MGMT_DEV_DISCONN_LOCAL_HOST; 3369 default: 3370 return MGMT_DEV_DISCONN_UNKNOWN; 3371 } 3372 } 3373 3374 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, 3375 struct sk_buff *skb) 3376 { 3377 struct hci_ev_disconn_complete *ev = data; 3378 u8 reason; 3379 struct hci_conn_params *params; 3380 struct hci_conn *conn; 3381 bool mgmt_connected; 3382 3383 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3384 3385 hci_dev_lock(hdev); 3386 3387 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3388 if (!conn) 3389 goto unlock; 3390 3391 if (ev->status) { 3392 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 3393 conn->dst_type, ev->status); 3394 goto unlock; 3395 } 3396 3397 conn->state = BT_CLOSED; 3398 3399 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 3400 3401 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 3402 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 3403 else 3404 reason = hci_to_mgmt_reason(ev->reason); 3405 3406 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 3407 reason, mgmt_connected); 3408 3409 if (conn->type == ACL_LINK) { 3410 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 3411 hci_remove_link_key(hdev, &conn->dst); 3412 3413 hci_update_scan(hdev); 3414 } 3415 3416 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 3417 if (params) { 3418 switch (params->auto_connect) { 3419 case HCI_AUTO_CONN_LINK_LOSS: 3420 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 3421 break; 3422 fallthrough; 3423 3424 case HCI_AUTO_CONN_DIRECT: 3425 case HCI_AUTO_CONN_ALWAYS: 3426 list_del_init(¶ms->action); 3427 list_add(¶ms->action, &hdev->pend_le_conns); 3428 hci_update_passive_scan(hdev); 3429 break; 3430 3431 default: 3432 break; 3433 } 3434 } 3435 3436 hci_disconn_cfm(conn, ev->reason); 3437 3438 /* Re-enable advertising if necessary, since it might 3439 * have been disabled by the connection. From the 3440 * HCI_LE_Set_Advertise_Enable command description in 3441 * the core specification (v4.0): 3442 * "The Controller shall continue advertising until the Host 3443 * issues an LE_Set_Advertise_Enable command with 3444 * Advertising_Enable set to 0x00 (Advertising is disabled) 3445 * or until a connection is created or until the Advertising 3446 * is timed out due to Directed Advertising." 3447 */ 3448 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 3449 hdev->cur_adv_instance = conn->adv_instance; 3450 hci_enable_advertising(hdev); 3451 } 3452 3453 hci_conn_del(conn); 3454 3455 unlock: 3456 hci_dev_unlock(hdev); 3457 } 3458 3459 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data, 3460 struct sk_buff *skb) 3461 { 3462 struct hci_ev_auth_complete *ev = data; 3463 struct hci_conn *conn; 3464 3465 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3466 3467 hci_dev_lock(hdev); 3468 3469 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3470 if (!conn) 3471 goto unlock; 3472 3473 if (!ev->status) { 3474 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3475 3476 if (!hci_conn_ssp_enabled(conn) && 3477 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 3478 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 3479 } else { 3480 set_bit(HCI_CONN_AUTH, &conn->flags); 3481 conn->sec_level = conn->pending_sec_level; 3482 } 3483 } else { 3484 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3485 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3486 3487 mgmt_auth_failed(conn, ev->status); 3488 } 3489 3490 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3491 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 3492 3493 if (conn->state == BT_CONFIG) { 3494 if (!ev->status && hci_conn_ssp_enabled(conn)) { 3495 struct hci_cp_set_conn_encrypt cp; 3496 cp.handle = ev->handle; 3497 cp.encrypt = 0x01; 3498 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3499 &cp); 3500 } else { 3501 conn->state = BT_CONNECTED; 3502 hci_connect_cfm(conn, ev->status); 3503 hci_conn_drop(conn); 3504 } 3505 } else { 3506 hci_auth_cfm(conn, ev->status); 3507 3508 hci_conn_hold(conn); 3509 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3510 hci_conn_drop(conn); 3511 } 3512 3513 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 3514 if (!ev->status) { 3515 struct hci_cp_set_conn_encrypt cp; 3516 cp.handle = ev->handle; 3517 cp.encrypt = 0x01; 3518 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3519 &cp); 3520 } else { 3521 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3522 hci_encrypt_cfm(conn, ev->status); 3523 } 3524 } 3525 3526 unlock: 3527 hci_dev_unlock(hdev); 3528 } 3529 3530 static void hci_remote_name_evt(struct hci_dev *hdev, void *data, 3531 struct sk_buff *skb) 3532 { 3533 struct hci_ev_remote_name *ev = data; 3534 struct hci_conn *conn; 3535 3536 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3537 3538 hci_conn_check_pending(hdev); 3539 3540 hci_dev_lock(hdev); 3541 3542 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3543 3544 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3545 goto check_auth; 3546 3547 if (ev->status == 0) 3548 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 3549 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 3550 else 3551 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 3552 3553 check_auth: 3554 if (!conn) 3555 goto unlock; 3556 3557 if (!hci_outgoing_auth_needed(hdev, conn)) 3558 goto unlock; 3559 3560 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3561 struct hci_cp_auth_requested cp; 3562 3563 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 3564 3565 cp.handle = __cpu_to_le16(conn->handle); 3566 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3567 } 3568 3569 unlock: 3570 hci_dev_unlock(hdev); 3571 } 3572 3573 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, 3574 struct sk_buff *skb) 3575 { 3576 struct hci_ev_encrypt_change *ev = data; 3577 struct hci_conn *conn; 3578 3579 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3580 3581 hci_dev_lock(hdev); 3582 3583 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3584 if (!conn) 3585 goto unlock; 3586 3587 if (!ev->status) { 3588 if (ev->encrypt) { 3589 /* Encryption implies authentication */ 3590 set_bit(HCI_CONN_AUTH, &conn->flags); 3591 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3592 conn->sec_level = conn->pending_sec_level; 3593 3594 /* P-256 authentication key implies FIPS */ 3595 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3596 set_bit(HCI_CONN_FIPS, &conn->flags); 3597 3598 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3599 conn->type == LE_LINK) 3600 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3601 } else { 3602 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3603 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3604 } 3605 } 3606 3607 /* We should disregard the current RPA and generate a new one 3608 * whenever the encryption procedure fails. 3609 */ 3610 if (ev->status && conn->type == LE_LINK) { 3611 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3612 hci_adv_instances_set_rpa_expired(hdev, true); 3613 } 3614 3615 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3616 3617 /* Check link security requirements are met */ 3618 if (!hci_conn_check_link_mode(conn)) 3619 ev->status = HCI_ERROR_AUTH_FAILURE; 3620 3621 if (ev->status && conn->state == BT_CONNECTED) { 3622 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3623 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3624 3625 /* Notify upper layers so they can cleanup before 3626 * disconnecting. 3627 */ 3628 hci_encrypt_cfm(conn, ev->status); 3629 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3630 hci_conn_drop(conn); 3631 goto unlock; 3632 } 3633 3634 /* Try reading the encryption key size for encrypted ACL links */ 3635 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3636 struct hci_cp_read_enc_key_size cp; 3637 3638 /* Only send HCI_Read_Encryption_Key_Size if the 3639 * controller really supports it. If it doesn't, assume 3640 * the default size (16). 3641 */ 3642 if (!(hdev->commands[20] & 0x10)) { 3643 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3644 goto notify; 3645 } 3646 3647 cp.handle = cpu_to_le16(conn->handle); 3648 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, 3649 sizeof(cp), &cp)) { 3650 bt_dev_err(hdev, "sending read key size failed"); 3651 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3652 goto notify; 3653 } 3654 3655 goto unlock; 3656 } 3657 3658 /* Set the default Authenticated Payload Timeout after 3659 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3660 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3661 * sent when the link is active and Encryption is enabled, the conn 3662 * type can be either LE or ACL and controller must support LMP Ping. 3663 * Ensure for AES-CCM encryption as well. 3664 */ 3665 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3666 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3667 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3668 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3669 struct hci_cp_write_auth_payload_to cp; 3670 3671 cp.handle = cpu_to_le16(conn->handle); 3672 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3673 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3674 sizeof(cp), &cp)) { 3675 bt_dev_err(hdev, "write auth payload timeout failed"); 3676 goto notify; 3677 } 3678 3679 goto unlock; 3680 } 3681 3682 notify: 3683 hci_encrypt_cfm(conn, ev->status); 3684 3685 unlock: 3686 hci_dev_unlock(hdev); 3687 } 3688 3689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data, 3690 struct sk_buff *skb) 3691 { 3692 struct hci_ev_change_link_key_complete *ev = data; 3693 struct hci_conn *conn; 3694 3695 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3696 3697 hci_dev_lock(hdev); 3698 3699 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3700 if (conn) { 3701 if (!ev->status) 3702 set_bit(HCI_CONN_SECURE, &conn->flags); 3703 3704 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3705 3706 hci_key_change_cfm(conn, ev->status); 3707 } 3708 3709 hci_dev_unlock(hdev); 3710 } 3711 3712 static void hci_remote_features_evt(struct hci_dev *hdev, void *data, 3713 struct sk_buff *skb) 3714 { 3715 struct hci_ev_remote_features *ev = data; 3716 struct hci_conn *conn; 3717 3718 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3719 3720 hci_dev_lock(hdev); 3721 3722 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3723 if (!conn) 3724 goto unlock; 3725 3726 if (!ev->status) 3727 memcpy(conn->features[0], ev->features, 8); 3728 3729 if (conn->state != BT_CONFIG) 3730 goto unlock; 3731 3732 if (!ev->status && lmp_ext_feat_capable(hdev) && 3733 lmp_ext_feat_capable(conn)) { 3734 struct hci_cp_read_remote_ext_features cp; 3735 cp.handle = ev->handle; 3736 cp.page = 0x01; 3737 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3738 sizeof(cp), &cp); 3739 goto unlock; 3740 } 3741 3742 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3743 struct hci_cp_remote_name_req cp; 3744 memset(&cp, 0, sizeof(cp)); 3745 bacpy(&cp.bdaddr, &conn->dst); 3746 cp.pscan_rep_mode = 0x02; 3747 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3748 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3749 mgmt_device_connected(hdev, conn, NULL, 0); 3750 3751 if (!hci_outgoing_auth_needed(hdev, conn)) { 3752 conn->state = BT_CONNECTED; 3753 hci_connect_cfm(conn, ev->status); 3754 hci_conn_drop(conn); 3755 } 3756 3757 unlock: 3758 hci_dev_unlock(hdev); 3759 } 3760 3761 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3762 { 3763 cancel_delayed_work(&hdev->cmd_timer); 3764 3765 rcu_read_lock(); 3766 if (!test_bit(HCI_RESET, &hdev->flags)) { 3767 if (ncmd) { 3768 cancel_delayed_work(&hdev->ncmd_timer); 3769 atomic_set(&hdev->cmd_cnt, 1); 3770 } else { 3771 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 3772 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer, 3773 HCI_NCMD_TIMEOUT); 3774 } 3775 } 3776 rcu_read_unlock(); 3777 } 3778 3779 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data, 3780 struct sk_buff *skb) 3781 { 3782 struct hci_rp_le_read_buffer_size_v2 *rp = data; 3783 3784 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3785 3786 if (rp->status) 3787 return rp->status; 3788 3789 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu); 3790 hdev->le_pkts = rp->acl_max_pkt; 3791 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu); 3792 hdev->iso_pkts = rp->iso_max_pkt; 3793 3794 hdev->le_cnt = hdev->le_pkts; 3795 hdev->iso_cnt = hdev->iso_pkts; 3796 3797 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu, 3798 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts); 3799 3800 return rp->status; 3801 } 3802 3803 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data, 3804 struct sk_buff *skb) 3805 { 3806 struct hci_rp_le_set_cig_params *rp = data; 3807 struct hci_cp_le_set_cig_params *cp; 3808 struct hci_conn *conn; 3809 u8 status = rp->status; 3810 int i; 3811 3812 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3813 3814 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS); 3815 if (!rp->status && (!cp || rp->num_handles != cp->num_cis || 3816 rp->cig_id != cp->cig_id)) { 3817 bt_dev_err(hdev, "unexpected Set CIG Parameters response data"); 3818 status = HCI_ERROR_UNSPECIFIED; 3819 } 3820 3821 hci_dev_lock(hdev); 3822 3823 if (status) { 3824 while ((conn = hci_conn_hash_lookup_cig(hdev, rp->cig_id))) { 3825 conn->state = BT_CLOSED; 3826 hci_connect_cfm(conn, status); 3827 hci_conn_del(conn); 3828 } 3829 goto unlock; 3830 } 3831 3832 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553 3833 * 3834 * If the Status return parameter is zero, then the Controller shall 3835 * set the Connection_Handle arrayed return parameter to the connection 3836 * handle(s) corresponding to the CIS configurations specified in 3837 * the CIS_IDs command parameter, in the same order. 3838 */ 3839 for (i = 0; i < rp->num_handles; ++i) { 3840 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id, 3841 cp->cis[i].cis_id); 3842 if (!conn || !bacmp(&conn->dst, BDADDR_ANY)) 3843 continue; 3844 3845 if (conn->state != BT_BOUND && conn->state != BT_CONNECT) 3846 continue; 3847 3848 conn->handle = __le16_to_cpu(rp->handle[i]); 3849 3850 bt_dev_dbg(hdev, "%p handle 0x%4.4x parent %p", conn, 3851 conn->handle, conn->parent); 3852 3853 /* Create CIS if LE is already connected */ 3854 if (conn->parent && conn->parent->state == BT_CONNECTED) 3855 hci_le_create_cis(conn); 3856 } 3857 3858 unlock: 3859 hci_dev_unlock(hdev); 3860 3861 return rp->status; 3862 } 3863 3864 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data, 3865 struct sk_buff *skb) 3866 { 3867 struct hci_rp_le_setup_iso_path *rp = data; 3868 struct hci_cp_le_setup_iso_path *cp; 3869 struct hci_conn *conn; 3870 3871 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3872 3873 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH); 3874 if (!cp) 3875 return rp->status; 3876 3877 hci_dev_lock(hdev); 3878 3879 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 3880 if (!conn) 3881 goto unlock; 3882 3883 if (rp->status) { 3884 hci_connect_cfm(conn, rp->status); 3885 hci_conn_del(conn); 3886 goto unlock; 3887 } 3888 3889 switch (cp->direction) { 3890 /* Input (Host to Controller) */ 3891 case 0x00: 3892 /* Only confirm connection if output only */ 3893 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu) 3894 hci_connect_cfm(conn, rp->status); 3895 break; 3896 /* Output (Controller to Host) */ 3897 case 0x01: 3898 /* Confirm connection since conn->iso_qos is always configured 3899 * last. 3900 */ 3901 hci_connect_cfm(conn, rp->status); 3902 break; 3903 } 3904 3905 unlock: 3906 hci_dev_unlock(hdev); 3907 return rp->status; 3908 } 3909 3910 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status) 3911 { 3912 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3913 } 3914 3915 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data, 3916 struct sk_buff *skb) 3917 { 3918 struct hci_ev_status *rp = data; 3919 struct hci_cp_le_set_per_adv_params *cp; 3920 3921 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3922 3923 if (rp->status) 3924 return rp->status; 3925 3926 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS); 3927 if (!cp) 3928 return rp->status; 3929 3930 /* TODO: set the conn state */ 3931 return rp->status; 3932 } 3933 3934 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, 3935 struct sk_buff *skb) 3936 { 3937 struct hci_ev_status *rp = data; 3938 __u8 *sent; 3939 3940 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3941 3942 if (rp->status) 3943 return rp->status; 3944 3945 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE); 3946 if (!sent) 3947 return rp->status; 3948 3949 hci_dev_lock(hdev); 3950 3951 if (*sent) 3952 hci_dev_set_flag(hdev, HCI_LE_PER_ADV); 3953 else 3954 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV); 3955 3956 hci_dev_unlock(hdev); 3957 3958 return rp->status; 3959 } 3960 3961 #define HCI_CC_VL(_op, _func, _min, _max) \ 3962 { \ 3963 .op = _op, \ 3964 .func = _func, \ 3965 .min_len = _min, \ 3966 .max_len = _max, \ 3967 } 3968 3969 #define HCI_CC(_op, _func, _len) \ 3970 HCI_CC_VL(_op, _func, _len, _len) 3971 3972 #define HCI_CC_STATUS(_op, _func) \ 3973 HCI_CC(_op, _func, sizeof(struct hci_ev_status)) 3974 3975 static const struct hci_cc { 3976 u16 op; 3977 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 3978 u16 min_len; 3979 u16 max_len; 3980 } hci_cc_table[] = { 3981 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel), 3982 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq), 3983 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq), 3984 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL, 3985 hci_cc_remote_name_req_cancel), 3986 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery, 3987 sizeof(struct hci_rp_role_discovery)), 3988 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy, 3989 sizeof(struct hci_rp_read_link_policy)), 3990 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy, 3991 sizeof(struct hci_rp_write_link_policy)), 3992 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy, 3993 sizeof(struct hci_rp_read_def_link_policy)), 3994 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY, 3995 hci_cc_write_def_link_policy), 3996 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset), 3997 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key, 3998 sizeof(struct hci_rp_read_stored_link_key)), 3999 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key, 4000 sizeof(struct hci_rp_delete_stored_link_key)), 4001 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name), 4002 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name, 4003 sizeof(struct hci_rp_read_local_name)), 4004 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable), 4005 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode), 4006 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable), 4007 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter), 4008 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev, 4009 sizeof(struct hci_rp_read_class_of_dev)), 4010 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev), 4011 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting, 4012 sizeof(struct hci_rp_read_voice_setting)), 4013 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting), 4014 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac, 4015 sizeof(struct hci_rp_read_num_supported_iac)), 4016 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode), 4017 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support), 4018 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout, 4019 sizeof(struct hci_rp_read_auth_payload_to)), 4020 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout, 4021 sizeof(struct hci_rp_write_auth_payload_to)), 4022 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version, 4023 sizeof(struct hci_rp_read_local_version)), 4024 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands, 4025 sizeof(struct hci_rp_read_local_commands)), 4026 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features, 4027 sizeof(struct hci_rp_read_local_features)), 4028 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features, 4029 sizeof(struct hci_rp_read_local_ext_features)), 4030 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size, 4031 sizeof(struct hci_rp_read_buffer_size)), 4032 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr, 4033 sizeof(struct hci_rp_read_bd_addr)), 4034 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts, 4035 sizeof(struct hci_rp_read_local_pairing_opts)), 4036 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity, 4037 sizeof(struct hci_rp_read_page_scan_activity)), 4038 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, 4039 hci_cc_write_page_scan_activity), 4040 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, 4041 sizeof(struct hci_rp_read_page_scan_type)), 4042 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), 4043 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size, 4044 sizeof(struct hci_rp_read_data_block_size)), 4045 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode, 4046 sizeof(struct hci_rp_read_flow_control_mode)), 4047 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info, 4048 sizeof(struct hci_rp_read_local_amp_info)), 4049 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, 4050 sizeof(struct hci_rp_read_clock)), 4051 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, 4052 sizeof(struct hci_rp_read_enc_key_size)), 4053 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power, 4054 sizeof(struct hci_rp_read_inq_rsp_tx_power)), 4055 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING, 4056 hci_cc_read_def_err_data_reporting, 4057 sizeof(struct hci_rp_read_def_err_data_reporting)), 4058 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING, 4059 hci_cc_write_def_err_data_reporting), 4060 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply, 4061 sizeof(struct hci_rp_pin_code_reply)), 4062 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply, 4063 sizeof(struct hci_rp_pin_code_neg_reply)), 4064 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data, 4065 sizeof(struct hci_rp_read_local_oob_data)), 4066 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data, 4067 sizeof(struct hci_rp_read_local_oob_ext_data)), 4068 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size, 4069 sizeof(struct hci_rp_le_read_buffer_size)), 4070 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features, 4071 sizeof(struct hci_rp_le_read_local_features)), 4072 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power, 4073 sizeof(struct hci_rp_le_read_adv_tx_power)), 4074 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply, 4075 sizeof(struct hci_rp_user_confirm_reply)), 4076 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply, 4077 sizeof(struct hci_rp_user_confirm_reply)), 4078 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply, 4079 sizeof(struct hci_rp_user_confirm_reply)), 4080 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply, 4081 sizeof(struct hci_rp_user_confirm_reply)), 4082 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr), 4083 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable), 4084 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param), 4085 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable), 4086 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE, 4087 hci_cc_le_read_accept_list_size, 4088 sizeof(struct hci_rp_le_read_accept_list_size)), 4089 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list), 4090 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST, 4091 hci_cc_le_add_to_accept_list), 4092 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST, 4093 hci_cc_le_del_from_accept_list), 4094 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states, 4095 sizeof(struct hci_rp_le_read_supported_states)), 4096 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len, 4097 sizeof(struct hci_rp_le_read_def_data_len)), 4098 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN, 4099 hci_cc_le_write_def_data_len), 4100 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST, 4101 hci_cc_le_add_to_resolv_list), 4102 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST, 4103 hci_cc_le_del_from_resolv_list), 4104 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST, 4105 hci_cc_le_clear_resolv_list), 4106 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size, 4107 sizeof(struct hci_rp_le_read_resolv_list_size)), 4108 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 4109 hci_cc_le_set_addr_resolution_enable), 4110 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len, 4111 sizeof(struct hci_rp_le_read_max_data_len)), 4112 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED, 4113 hci_cc_write_le_host_supported), 4114 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param), 4115 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi, 4116 sizeof(struct hci_rp_read_rssi)), 4117 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power, 4118 sizeof(struct hci_rp_read_tx_power)), 4119 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode), 4120 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS, 4121 hci_cc_le_set_ext_scan_param), 4122 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE, 4123 hci_cc_le_set_ext_scan_enable), 4124 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy), 4125 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, 4126 hci_cc_le_read_num_adv_sets, 4127 sizeof(struct hci_rp_le_read_num_supported_adv_sets)), 4128 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, 4129 sizeof(struct hci_rp_le_set_ext_adv_params)), 4130 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, 4131 hci_cc_le_set_ext_adv_enable), 4132 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, 4133 hci_cc_le_set_adv_set_random_addr), 4134 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set), 4135 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets), 4136 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param), 4137 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE, 4138 hci_cc_le_set_per_adv_enable), 4139 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power, 4140 sizeof(struct hci_rp_le_read_transmit_power)), 4141 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode), 4142 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2, 4143 sizeof(struct hci_rp_le_read_buffer_size_v2)), 4144 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params, 4145 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE), 4146 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path, 4147 sizeof(struct hci_rp_le_setup_iso_path)), 4148 }; 4149 4150 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc, 4151 struct sk_buff *skb) 4152 { 4153 void *data; 4154 4155 if (skb->len < cc->min_len) { 4156 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u", 4157 cc->op, skb->len, cc->min_len); 4158 return HCI_ERROR_UNSPECIFIED; 4159 } 4160 4161 /* Just warn if the length is over max_len size it still be possible to 4162 * partially parse the cc so leave to callback to decide if that is 4163 * acceptable. 4164 */ 4165 if (skb->len > cc->max_len) 4166 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u", 4167 cc->op, skb->len, cc->max_len); 4168 4169 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len); 4170 if (!data) 4171 return HCI_ERROR_UNSPECIFIED; 4172 4173 return cc->func(hdev, data, skb); 4174 } 4175 4176 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, 4177 struct sk_buff *skb, u16 *opcode, u8 *status, 4178 hci_req_complete_t *req_complete, 4179 hci_req_complete_skb_t *req_complete_skb) 4180 { 4181 struct hci_ev_cmd_complete *ev = data; 4182 int i; 4183 4184 *opcode = __le16_to_cpu(ev->opcode); 4185 4186 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4187 4188 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) { 4189 if (hci_cc_table[i].op == *opcode) { 4190 *status = hci_cc_func(hdev, &hci_cc_table[i], skb); 4191 break; 4192 } 4193 } 4194 4195 if (i == ARRAY_SIZE(hci_cc_table)) { 4196 /* Unknown opcode, assume byte 0 contains the status, so 4197 * that e.g. __hci_cmd_sync() properly returns errors 4198 * for vendor specific commands send by HCI drivers. 4199 * If a vendor doesn't actually follow this convention we may 4200 * need to introduce a vendor CC table in order to properly set 4201 * the status. 4202 */ 4203 *status = skb->data[0]; 4204 } 4205 4206 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4207 4208 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 4209 req_complete_skb); 4210 4211 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4212 bt_dev_err(hdev, 4213 "unexpected event for opcode 0x%4.4x", *opcode); 4214 return; 4215 } 4216 4217 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4218 queue_work(hdev->workqueue, &hdev->cmd_work); 4219 } 4220 4221 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) 4222 { 4223 struct hci_cp_le_create_cis *cp; 4224 int i; 4225 4226 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4227 4228 if (!status) 4229 return; 4230 4231 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS); 4232 if (!cp) 4233 return; 4234 4235 hci_dev_lock(hdev); 4236 4237 /* Remove connection if command failed */ 4238 for (i = 0; cp->num_cis; cp->num_cis--, i++) { 4239 struct hci_conn *conn; 4240 u16 handle; 4241 4242 handle = __le16_to_cpu(cp->cis[i].cis_handle); 4243 4244 conn = hci_conn_hash_lookup_handle(hdev, handle); 4245 if (conn) { 4246 conn->state = BT_CLOSED; 4247 hci_connect_cfm(conn, status); 4248 hci_conn_del(conn); 4249 } 4250 } 4251 4252 hci_dev_unlock(hdev); 4253 } 4254 4255 #define HCI_CS(_op, _func) \ 4256 { \ 4257 .op = _op, \ 4258 .func = _func, \ 4259 } 4260 4261 static const struct hci_cs { 4262 u16 op; 4263 void (*func)(struct hci_dev *hdev, __u8 status); 4264 } hci_cs_table[] = { 4265 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry), 4266 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn), 4267 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect), 4268 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco), 4269 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested), 4270 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt), 4271 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req), 4272 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features), 4273 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES, 4274 hci_cs_read_remote_ext_features), 4275 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn), 4276 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN, 4277 hci_cs_enhanced_setup_sync_conn), 4278 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode), 4279 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode), 4280 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role), 4281 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn), 4282 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features), 4283 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc), 4284 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn), 4285 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis), 4286 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big), 4287 }; 4288 4289 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data, 4290 struct sk_buff *skb, u16 *opcode, u8 *status, 4291 hci_req_complete_t *req_complete, 4292 hci_req_complete_skb_t *req_complete_skb) 4293 { 4294 struct hci_ev_cmd_status *ev = data; 4295 int i; 4296 4297 *opcode = __le16_to_cpu(ev->opcode); 4298 *status = ev->status; 4299 4300 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4301 4302 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) { 4303 if (hci_cs_table[i].op == *opcode) { 4304 hci_cs_table[i].func(hdev, ev->status); 4305 break; 4306 } 4307 } 4308 4309 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4310 4311 /* Indicate request completion if the command failed. Also, if 4312 * we're not waiting for a special event and we get a success 4313 * command status we should try to flag the request as completed 4314 * (since for this kind of commands there will not be a command 4315 * complete event). 4316 */ 4317 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) { 4318 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 4319 req_complete_skb); 4320 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4321 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x", 4322 *opcode); 4323 return; 4324 } 4325 } 4326 4327 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4328 queue_work(hdev->workqueue, &hdev->cmd_work); 4329 } 4330 4331 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data, 4332 struct sk_buff *skb) 4333 { 4334 struct hci_ev_hardware_error *ev = data; 4335 4336 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code); 4337 4338 hdev->hw_error_code = ev->code; 4339 4340 queue_work(hdev->req_workqueue, &hdev->error_reset); 4341 } 4342 4343 static void hci_role_change_evt(struct hci_dev *hdev, void *data, 4344 struct sk_buff *skb) 4345 { 4346 struct hci_ev_role_change *ev = data; 4347 struct hci_conn *conn; 4348 4349 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4350 4351 hci_dev_lock(hdev); 4352 4353 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4354 if (conn) { 4355 if (!ev->status) 4356 conn->role = ev->role; 4357 4358 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 4359 4360 hci_role_switch_cfm(conn, ev->status, ev->role); 4361 } 4362 4363 hci_dev_unlock(hdev); 4364 } 4365 4366 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, 4367 struct sk_buff *skb) 4368 { 4369 struct hci_ev_num_comp_pkts *ev = data; 4370 int i; 4371 4372 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, 4373 flex_array_size(ev, handles, ev->num))) 4374 return; 4375 4376 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 4377 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 4378 return; 4379 } 4380 4381 bt_dev_dbg(hdev, "num %d", ev->num); 4382 4383 for (i = 0; i < ev->num; i++) { 4384 struct hci_comp_pkts_info *info = &ev->handles[i]; 4385 struct hci_conn *conn; 4386 __u16 handle, count; 4387 4388 handle = __le16_to_cpu(info->handle); 4389 count = __le16_to_cpu(info->count); 4390 4391 conn = hci_conn_hash_lookup_handle(hdev, handle); 4392 if (!conn) 4393 continue; 4394 4395 conn->sent -= count; 4396 4397 switch (conn->type) { 4398 case ACL_LINK: 4399 hdev->acl_cnt += count; 4400 if (hdev->acl_cnt > hdev->acl_pkts) 4401 hdev->acl_cnt = hdev->acl_pkts; 4402 break; 4403 4404 case LE_LINK: 4405 if (hdev->le_pkts) { 4406 hdev->le_cnt += count; 4407 if (hdev->le_cnt > hdev->le_pkts) 4408 hdev->le_cnt = hdev->le_pkts; 4409 } else { 4410 hdev->acl_cnt += count; 4411 if (hdev->acl_cnt > hdev->acl_pkts) 4412 hdev->acl_cnt = hdev->acl_pkts; 4413 } 4414 break; 4415 4416 case SCO_LINK: 4417 hdev->sco_cnt += count; 4418 if (hdev->sco_cnt > hdev->sco_pkts) 4419 hdev->sco_cnt = hdev->sco_pkts; 4420 break; 4421 4422 case ISO_LINK: 4423 if (hdev->iso_pkts) { 4424 hdev->iso_cnt += count; 4425 if (hdev->iso_cnt > hdev->iso_pkts) 4426 hdev->iso_cnt = hdev->iso_pkts; 4427 } else if (hdev->le_pkts) { 4428 hdev->le_cnt += count; 4429 if (hdev->le_cnt > hdev->le_pkts) 4430 hdev->le_cnt = hdev->le_pkts; 4431 } else { 4432 hdev->acl_cnt += count; 4433 if (hdev->acl_cnt > hdev->acl_pkts) 4434 hdev->acl_cnt = hdev->acl_pkts; 4435 } 4436 break; 4437 4438 default: 4439 bt_dev_err(hdev, "unknown type %d conn %p", 4440 conn->type, conn); 4441 break; 4442 } 4443 } 4444 4445 queue_work(hdev->workqueue, &hdev->tx_work); 4446 } 4447 4448 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 4449 __u16 handle) 4450 { 4451 struct hci_chan *chan; 4452 4453 switch (hdev->dev_type) { 4454 case HCI_PRIMARY: 4455 return hci_conn_hash_lookup_handle(hdev, handle); 4456 case HCI_AMP: 4457 chan = hci_chan_lookup_handle(hdev, handle); 4458 if (chan) 4459 return chan->conn; 4460 break; 4461 default: 4462 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 4463 break; 4464 } 4465 4466 return NULL; 4467 } 4468 4469 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data, 4470 struct sk_buff *skb) 4471 { 4472 struct hci_ev_num_comp_blocks *ev = data; 4473 int i; 4474 4475 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS, 4476 flex_array_size(ev, handles, ev->num_hndl))) 4477 return; 4478 4479 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 4480 bt_dev_err(hdev, "wrong event for mode %d", 4481 hdev->flow_ctl_mode); 4482 return; 4483 } 4484 4485 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks, 4486 ev->num_hndl); 4487 4488 for (i = 0; i < ev->num_hndl; i++) { 4489 struct hci_comp_blocks_info *info = &ev->handles[i]; 4490 struct hci_conn *conn = NULL; 4491 __u16 handle, block_count; 4492 4493 handle = __le16_to_cpu(info->handle); 4494 block_count = __le16_to_cpu(info->blocks); 4495 4496 conn = __hci_conn_lookup_handle(hdev, handle); 4497 if (!conn) 4498 continue; 4499 4500 conn->sent -= block_count; 4501 4502 switch (conn->type) { 4503 case ACL_LINK: 4504 case AMP_LINK: 4505 hdev->block_cnt += block_count; 4506 if (hdev->block_cnt > hdev->num_blocks) 4507 hdev->block_cnt = hdev->num_blocks; 4508 break; 4509 4510 default: 4511 bt_dev_err(hdev, "unknown type %d conn %p", 4512 conn->type, conn); 4513 break; 4514 } 4515 } 4516 4517 queue_work(hdev->workqueue, &hdev->tx_work); 4518 } 4519 4520 static void hci_mode_change_evt(struct hci_dev *hdev, void *data, 4521 struct sk_buff *skb) 4522 { 4523 struct hci_ev_mode_change *ev = data; 4524 struct hci_conn *conn; 4525 4526 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4527 4528 hci_dev_lock(hdev); 4529 4530 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4531 if (conn) { 4532 conn->mode = ev->mode; 4533 4534 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 4535 &conn->flags)) { 4536 if (conn->mode == HCI_CM_ACTIVE) 4537 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4538 else 4539 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4540 } 4541 4542 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4543 hci_sco_setup(conn, ev->status); 4544 } 4545 4546 hci_dev_unlock(hdev); 4547 } 4548 4549 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data, 4550 struct sk_buff *skb) 4551 { 4552 struct hci_ev_pin_code_req *ev = data; 4553 struct hci_conn *conn; 4554 4555 bt_dev_dbg(hdev, ""); 4556 4557 hci_dev_lock(hdev); 4558 4559 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4560 if (!conn) 4561 goto unlock; 4562 4563 if (conn->state == BT_CONNECTED) { 4564 hci_conn_hold(conn); 4565 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4566 hci_conn_drop(conn); 4567 } 4568 4569 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4570 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4571 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4572 sizeof(ev->bdaddr), &ev->bdaddr); 4573 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4574 u8 secure; 4575 4576 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4577 secure = 1; 4578 else 4579 secure = 0; 4580 4581 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4582 } 4583 4584 unlock: 4585 hci_dev_unlock(hdev); 4586 } 4587 4588 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4589 { 4590 if (key_type == HCI_LK_CHANGED_COMBINATION) 4591 return; 4592 4593 conn->pin_length = pin_len; 4594 conn->key_type = key_type; 4595 4596 switch (key_type) { 4597 case HCI_LK_LOCAL_UNIT: 4598 case HCI_LK_REMOTE_UNIT: 4599 case HCI_LK_DEBUG_COMBINATION: 4600 return; 4601 case HCI_LK_COMBINATION: 4602 if (pin_len == 16) 4603 conn->pending_sec_level = BT_SECURITY_HIGH; 4604 else 4605 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4606 break; 4607 case HCI_LK_UNAUTH_COMBINATION_P192: 4608 case HCI_LK_UNAUTH_COMBINATION_P256: 4609 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4610 break; 4611 case HCI_LK_AUTH_COMBINATION_P192: 4612 conn->pending_sec_level = BT_SECURITY_HIGH; 4613 break; 4614 case HCI_LK_AUTH_COMBINATION_P256: 4615 conn->pending_sec_level = BT_SECURITY_FIPS; 4616 break; 4617 } 4618 } 4619 4620 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data, 4621 struct sk_buff *skb) 4622 { 4623 struct hci_ev_link_key_req *ev = data; 4624 struct hci_cp_link_key_reply cp; 4625 struct hci_conn *conn; 4626 struct link_key *key; 4627 4628 bt_dev_dbg(hdev, ""); 4629 4630 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4631 return; 4632 4633 hci_dev_lock(hdev); 4634 4635 key = hci_find_link_key(hdev, &ev->bdaddr); 4636 if (!key) { 4637 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr); 4638 goto not_found; 4639 } 4640 4641 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr); 4642 4643 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4644 if (conn) { 4645 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4646 4647 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4648 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4649 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4650 bt_dev_dbg(hdev, "ignoring unauthenticated key"); 4651 goto not_found; 4652 } 4653 4654 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4655 (conn->pending_sec_level == BT_SECURITY_HIGH || 4656 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4657 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security"); 4658 goto not_found; 4659 } 4660 4661 conn_set_key(conn, key->type, key->pin_len); 4662 } 4663 4664 bacpy(&cp.bdaddr, &ev->bdaddr); 4665 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4666 4667 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4668 4669 hci_dev_unlock(hdev); 4670 4671 return; 4672 4673 not_found: 4674 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4675 hci_dev_unlock(hdev); 4676 } 4677 4678 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, 4679 struct sk_buff *skb) 4680 { 4681 struct hci_ev_link_key_notify *ev = data; 4682 struct hci_conn *conn; 4683 struct link_key *key; 4684 bool persistent; 4685 u8 pin_len = 0; 4686 4687 bt_dev_dbg(hdev, ""); 4688 4689 hci_dev_lock(hdev); 4690 4691 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4692 if (!conn) 4693 goto unlock; 4694 4695 hci_conn_hold(conn); 4696 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4697 hci_conn_drop(conn); 4698 4699 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4700 conn_set_key(conn, ev->key_type, conn->pin_length); 4701 4702 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4703 goto unlock; 4704 4705 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4706 ev->key_type, pin_len, &persistent); 4707 if (!key) 4708 goto unlock; 4709 4710 /* Update connection information since adding the key will have 4711 * fixed up the type in the case of changed combination keys. 4712 */ 4713 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4714 conn_set_key(conn, key->type, key->pin_len); 4715 4716 mgmt_new_link_key(hdev, key, persistent); 4717 4718 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4719 * is set. If it's not set simply remove the key from the kernel 4720 * list (we've still notified user space about it but with 4721 * store_hint being 0). 4722 */ 4723 if (key->type == HCI_LK_DEBUG_COMBINATION && 4724 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4725 list_del_rcu(&key->list); 4726 kfree_rcu(key, rcu); 4727 goto unlock; 4728 } 4729 4730 if (persistent) 4731 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4732 else 4733 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4734 4735 unlock: 4736 hci_dev_unlock(hdev); 4737 } 4738 4739 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data, 4740 struct sk_buff *skb) 4741 { 4742 struct hci_ev_clock_offset *ev = data; 4743 struct hci_conn *conn; 4744 4745 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4746 4747 hci_dev_lock(hdev); 4748 4749 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4750 if (conn && !ev->status) { 4751 struct inquiry_entry *ie; 4752 4753 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4754 if (ie) { 4755 ie->data.clock_offset = ev->clock_offset; 4756 ie->timestamp = jiffies; 4757 } 4758 } 4759 4760 hci_dev_unlock(hdev); 4761 } 4762 4763 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data, 4764 struct sk_buff *skb) 4765 { 4766 struct hci_ev_pkt_type_change *ev = data; 4767 struct hci_conn *conn; 4768 4769 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4770 4771 hci_dev_lock(hdev); 4772 4773 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4774 if (conn && !ev->status) 4775 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4776 4777 hci_dev_unlock(hdev); 4778 } 4779 4780 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data, 4781 struct sk_buff *skb) 4782 { 4783 struct hci_ev_pscan_rep_mode *ev = data; 4784 struct inquiry_entry *ie; 4785 4786 bt_dev_dbg(hdev, ""); 4787 4788 hci_dev_lock(hdev); 4789 4790 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4791 if (ie) { 4792 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4793 ie->timestamp = jiffies; 4794 } 4795 4796 hci_dev_unlock(hdev); 4797 } 4798 4799 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata, 4800 struct sk_buff *skb) 4801 { 4802 struct hci_ev_inquiry_result_rssi *ev = edata; 4803 struct inquiry_data data; 4804 int i; 4805 4806 bt_dev_dbg(hdev, "num_rsp %d", ev->num); 4807 4808 if (!ev->num) 4809 return; 4810 4811 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4812 return; 4813 4814 hci_dev_lock(hdev); 4815 4816 if (skb->len == array_size(ev->num, 4817 sizeof(struct inquiry_info_rssi_pscan))) { 4818 struct inquiry_info_rssi_pscan *info; 4819 4820 for (i = 0; i < ev->num; i++) { 4821 u32 flags; 4822 4823 info = hci_ev_skb_pull(hdev, skb, 4824 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4825 sizeof(*info)); 4826 if (!info) { 4827 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4828 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4829 goto unlock; 4830 } 4831 4832 bacpy(&data.bdaddr, &info->bdaddr); 4833 data.pscan_rep_mode = info->pscan_rep_mode; 4834 data.pscan_period_mode = info->pscan_period_mode; 4835 data.pscan_mode = info->pscan_mode; 4836 memcpy(data.dev_class, info->dev_class, 3); 4837 data.clock_offset = info->clock_offset; 4838 data.rssi = info->rssi; 4839 data.ssp_mode = 0x00; 4840 4841 flags = hci_inquiry_cache_update(hdev, &data, false); 4842 4843 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4844 info->dev_class, info->rssi, 4845 flags, NULL, 0, NULL, 0, 0); 4846 } 4847 } else if (skb->len == array_size(ev->num, 4848 sizeof(struct inquiry_info_rssi))) { 4849 struct inquiry_info_rssi *info; 4850 4851 for (i = 0; i < ev->num; i++) { 4852 u32 flags; 4853 4854 info = hci_ev_skb_pull(hdev, skb, 4855 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4856 sizeof(*info)); 4857 if (!info) { 4858 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4859 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4860 goto unlock; 4861 } 4862 4863 bacpy(&data.bdaddr, &info->bdaddr); 4864 data.pscan_rep_mode = info->pscan_rep_mode; 4865 data.pscan_period_mode = info->pscan_period_mode; 4866 data.pscan_mode = 0x00; 4867 memcpy(data.dev_class, info->dev_class, 3); 4868 data.clock_offset = info->clock_offset; 4869 data.rssi = info->rssi; 4870 data.ssp_mode = 0x00; 4871 4872 flags = hci_inquiry_cache_update(hdev, &data, false); 4873 4874 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4875 info->dev_class, info->rssi, 4876 flags, NULL, 0, NULL, 0, 0); 4877 } 4878 } else { 4879 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4880 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4881 } 4882 unlock: 4883 hci_dev_unlock(hdev); 4884 } 4885 4886 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data, 4887 struct sk_buff *skb) 4888 { 4889 struct hci_ev_remote_ext_features *ev = data; 4890 struct hci_conn *conn; 4891 4892 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4893 4894 hci_dev_lock(hdev); 4895 4896 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4897 if (!conn) 4898 goto unlock; 4899 4900 if (ev->page < HCI_MAX_PAGES) 4901 memcpy(conn->features[ev->page], ev->features, 8); 4902 4903 if (!ev->status && ev->page == 0x01) { 4904 struct inquiry_entry *ie; 4905 4906 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4907 if (ie) 4908 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4909 4910 if (ev->features[0] & LMP_HOST_SSP) { 4911 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4912 } else { 4913 /* It is mandatory by the Bluetooth specification that 4914 * Extended Inquiry Results are only used when Secure 4915 * Simple Pairing is enabled, but some devices violate 4916 * this. 4917 * 4918 * To make these devices work, the internal SSP 4919 * enabled flag needs to be cleared if the remote host 4920 * features do not indicate SSP support */ 4921 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4922 } 4923 4924 if (ev->features[0] & LMP_HOST_SC) 4925 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4926 } 4927 4928 if (conn->state != BT_CONFIG) 4929 goto unlock; 4930 4931 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4932 struct hci_cp_remote_name_req cp; 4933 memset(&cp, 0, sizeof(cp)); 4934 bacpy(&cp.bdaddr, &conn->dst); 4935 cp.pscan_rep_mode = 0x02; 4936 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4937 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4938 mgmt_device_connected(hdev, conn, NULL, 0); 4939 4940 if (!hci_outgoing_auth_needed(hdev, conn)) { 4941 conn->state = BT_CONNECTED; 4942 hci_connect_cfm(conn, ev->status); 4943 hci_conn_drop(conn); 4944 } 4945 4946 unlock: 4947 hci_dev_unlock(hdev); 4948 } 4949 4950 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, 4951 struct sk_buff *skb) 4952 { 4953 struct hci_ev_sync_conn_complete *ev = data; 4954 struct hci_conn *conn; 4955 u8 status = ev->status; 4956 4957 switch (ev->link_type) { 4958 case SCO_LINK: 4959 case ESCO_LINK: 4960 break; 4961 default: 4962 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type 4963 * for HCI_Synchronous_Connection_Complete is limited to 4964 * either SCO or eSCO 4965 */ 4966 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type"); 4967 return; 4968 } 4969 4970 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4971 4972 hci_dev_lock(hdev); 4973 4974 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4975 if (!conn) { 4976 if (ev->link_type == ESCO_LINK) 4977 goto unlock; 4978 4979 /* When the link type in the event indicates SCO connection 4980 * and lookup of the connection object fails, then check 4981 * if an eSCO connection object exists. 4982 * 4983 * The core limits the synchronous connections to either 4984 * SCO or eSCO. The eSCO connection is preferred and tried 4985 * to be setup first and until successfully established, 4986 * the link type will be hinted as eSCO. 4987 */ 4988 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4989 if (!conn) 4990 goto unlock; 4991 } 4992 4993 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. 4994 * Processing it more than once per connection can corrupt kernel memory. 4995 * 4996 * As the connection handle is set here for the first time, it indicates 4997 * whether the connection is already set up. 4998 */ 4999 if (conn->handle != HCI_CONN_HANDLE_UNSET) { 5000 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection"); 5001 goto unlock; 5002 } 5003 5004 switch (status) { 5005 case 0x00: 5006 conn->handle = __le16_to_cpu(ev->handle); 5007 if (conn->handle > HCI_CONN_HANDLE_MAX) { 5008 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", 5009 conn->handle, HCI_CONN_HANDLE_MAX); 5010 status = HCI_ERROR_INVALID_PARAMETERS; 5011 conn->state = BT_CLOSED; 5012 break; 5013 } 5014 5015 conn->state = BT_CONNECTED; 5016 conn->type = ev->link_type; 5017 5018 hci_debugfs_create_conn(conn); 5019 hci_conn_add_sysfs(conn); 5020 break; 5021 5022 case 0x10: /* Connection Accept Timeout */ 5023 case 0x0d: /* Connection Rejected due to Limited Resources */ 5024 case 0x11: /* Unsupported Feature or Parameter Value */ 5025 case 0x1c: /* SCO interval rejected */ 5026 case 0x1a: /* Unsupported Remote Feature */ 5027 case 0x1e: /* Invalid LMP Parameters */ 5028 case 0x1f: /* Unspecified error */ 5029 case 0x20: /* Unsupported LMP Parameter value */ 5030 if (conn->out) { 5031 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 5032 (hdev->esco_type & EDR_ESCO_MASK); 5033 if (hci_setup_sync(conn, conn->parent->handle)) 5034 goto unlock; 5035 } 5036 fallthrough; 5037 5038 default: 5039 conn->state = BT_CLOSED; 5040 break; 5041 } 5042 5043 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 5044 /* Notify only in case of SCO over HCI transport data path which 5045 * is zero and non-zero value shall be non-HCI transport data path 5046 */ 5047 if (conn->codec.data_path == 0 && hdev->notify) { 5048 switch (ev->air_mode) { 5049 case 0x02: 5050 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 5051 break; 5052 case 0x03: 5053 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 5054 break; 5055 } 5056 } 5057 5058 hci_connect_cfm(conn, status); 5059 if (status) 5060 hci_conn_del(conn); 5061 5062 unlock: 5063 hci_dev_unlock(hdev); 5064 } 5065 5066 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 5067 { 5068 size_t parsed = 0; 5069 5070 while (parsed < eir_len) { 5071 u8 field_len = eir[0]; 5072 5073 if (field_len == 0) 5074 return parsed; 5075 5076 parsed += field_len + 1; 5077 eir += field_len + 1; 5078 } 5079 5080 return eir_len; 5081 } 5082 5083 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata, 5084 struct sk_buff *skb) 5085 { 5086 struct hci_ev_ext_inquiry_result *ev = edata; 5087 struct inquiry_data data; 5088 size_t eir_len; 5089 int i; 5090 5091 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT, 5092 flex_array_size(ev, info, ev->num))) 5093 return; 5094 5095 bt_dev_dbg(hdev, "num %d", ev->num); 5096 5097 if (!ev->num) 5098 return; 5099 5100 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 5101 return; 5102 5103 hci_dev_lock(hdev); 5104 5105 for (i = 0; i < ev->num; i++) { 5106 struct extended_inquiry_info *info = &ev->info[i]; 5107 u32 flags; 5108 bool name_known; 5109 5110 bacpy(&data.bdaddr, &info->bdaddr); 5111 data.pscan_rep_mode = info->pscan_rep_mode; 5112 data.pscan_period_mode = info->pscan_period_mode; 5113 data.pscan_mode = 0x00; 5114 memcpy(data.dev_class, info->dev_class, 3); 5115 data.clock_offset = info->clock_offset; 5116 data.rssi = info->rssi; 5117 data.ssp_mode = 0x01; 5118 5119 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5120 name_known = eir_get_data(info->data, 5121 sizeof(info->data), 5122 EIR_NAME_COMPLETE, NULL); 5123 else 5124 name_known = true; 5125 5126 flags = hci_inquiry_cache_update(hdev, &data, name_known); 5127 5128 eir_len = eir_get_length(info->data, sizeof(info->data)); 5129 5130 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 5131 info->dev_class, info->rssi, 5132 flags, info->data, eir_len, NULL, 0, 0); 5133 } 5134 5135 hci_dev_unlock(hdev); 5136 } 5137 5138 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, 5139 struct sk_buff *skb) 5140 { 5141 struct hci_ev_key_refresh_complete *ev = data; 5142 struct hci_conn *conn; 5143 5144 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status, 5145 __le16_to_cpu(ev->handle)); 5146 5147 hci_dev_lock(hdev); 5148 5149 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5150 if (!conn) 5151 goto unlock; 5152 5153 /* For BR/EDR the necessary steps are taken through the 5154 * auth_complete event. 5155 */ 5156 if (conn->type != LE_LINK) 5157 goto unlock; 5158 5159 if (!ev->status) 5160 conn->sec_level = conn->pending_sec_level; 5161 5162 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 5163 5164 if (ev->status && conn->state == BT_CONNECTED) { 5165 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 5166 hci_conn_drop(conn); 5167 goto unlock; 5168 } 5169 5170 if (conn->state == BT_CONFIG) { 5171 if (!ev->status) 5172 conn->state = BT_CONNECTED; 5173 5174 hci_connect_cfm(conn, ev->status); 5175 hci_conn_drop(conn); 5176 } else { 5177 hci_auth_cfm(conn, ev->status); 5178 5179 hci_conn_hold(conn); 5180 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 5181 hci_conn_drop(conn); 5182 } 5183 5184 unlock: 5185 hci_dev_unlock(hdev); 5186 } 5187 5188 static u8 hci_get_auth_req(struct hci_conn *conn) 5189 { 5190 /* If remote requests no-bonding follow that lead */ 5191 if (conn->remote_auth == HCI_AT_NO_BONDING || 5192 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 5193 return conn->remote_auth | (conn->auth_type & 0x01); 5194 5195 /* If both remote and local have enough IO capabilities, require 5196 * MITM protection 5197 */ 5198 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 5199 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 5200 return conn->remote_auth | 0x01; 5201 5202 /* No MITM protection possible so ignore remote requirement */ 5203 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 5204 } 5205 5206 static u8 bredr_oob_data_present(struct hci_conn *conn) 5207 { 5208 struct hci_dev *hdev = conn->hdev; 5209 struct oob_data *data; 5210 5211 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 5212 if (!data) 5213 return 0x00; 5214 5215 if (bredr_sc_enabled(hdev)) { 5216 /* When Secure Connections is enabled, then just 5217 * return the present value stored with the OOB 5218 * data. The stored value contains the right present 5219 * information. However it can only be trusted when 5220 * not in Secure Connection Only mode. 5221 */ 5222 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 5223 return data->present; 5224 5225 /* When Secure Connections Only mode is enabled, then 5226 * the P-256 values are required. If they are not 5227 * available, then do not declare that OOB data is 5228 * present. 5229 */ 5230 if (!memcmp(data->rand256, ZERO_KEY, 16) || 5231 !memcmp(data->hash256, ZERO_KEY, 16)) 5232 return 0x00; 5233 5234 return 0x02; 5235 } 5236 5237 /* When Secure Connections is not enabled or actually 5238 * not supported by the hardware, then check that if 5239 * P-192 data values are present. 5240 */ 5241 if (!memcmp(data->rand192, ZERO_KEY, 16) || 5242 !memcmp(data->hash192, ZERO_KEY, 16)) 5243 return 0x00; 5244 5245 return 0x01; 5246 } 5247 5248 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data, 5249 struct sk_buff *skb) 5250 { 5251 struct hci_ev_io_capa_request *ev = data; 5252 struct hci_conn *conn; 5253 5254 bt_dev_dbg(hdev, ""); 5255 5256 hci_dev_lock(hdev); 5257 5258 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5259 if (!conn) 5260 goto unlock; 5261 5262 hci_conn_hold(conn); 5263 5264 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5265 goto unlock; 5266 5267 /* Allow pairing if we're pairable, the initiators of the 5268 * pairing or if the remote is not requesting bonding. 5269 */ 5270 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 5271 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 5272 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 5273 struct hci_cp_io_capability_reply cp; 5274 5275 bacpy(&cp.bdaddr, &ev->bdaddr); 5276 /* Change the IO capability from KeyboardDisplay 5277 * to DisplayYesNo as it is not supported by BT spec. */ 5278 cp.capability = (conn->io_capability == 0x04) ? 5279 HCI_IO_DISPLAY_YESNO : conn->io_capability; 5280 5281 /* If we are initiators, there is no remote information yet */ 5282 if (conn->remote_auth == 0xff) { 5283 /* Request MITM protection if our IO caps allow it 5284 * except for the no-bonding case. 5285 */ 5286 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5287 conn->auth_type != HCI_AT_NO_BONDING) 5288 conn->auth_type |= 0x01; 5289 } else { 5290 conn->auth_type = hci_get_auth_req(conn); 5291 } 5292 5293 /* If we're not bondable, force one of the non-bondable 5294 * authentication requirement values. 5295 */ 5296 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 5297 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 5298 5299 cp.authentication = conn->auth_type; 5300 cp.oob_data = bredr_oob_data_present(conn); 5301 5302 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 5303 sizeof(cp), &cp); 5304 } else { 5305 struct hci_cp_io_capability_neg_reply cp; 5306 5307 bacpy(&cp.bdaddr, &ev->bdaddr); 5308 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 5309 5310 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 5311 sizeof(cp), &cp); 5312 } 5313 5314 unlock: 5315 hci_dev_unlock(hdev); 5316 } 5317 5318 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data, 5319 struct sk_buff *skb) 5320 { 5321 struct hci_ev_io_capa_reply *ev = data; 5322 struct hci_conn *conn; 5323 5324 bt_dev_dbg(hdev, ""); 5325 5326 hci_dev_lock(hdev); 5327 5328 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5329 if (!conn) 5330 goto unlock; 5331 5332 conn->remote_cap = ev->capability; 5333 conn->remote_auth = ev->authentication; 5334 5335 unlock: 5336 hci_dev_unlock(hdev); 5337 } 5338 5339 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data, 5340 struct sk_buff *skb) 5341 { 5342 struct hci_ev_user_confirm_req *ev = data; 5343 int loc_mitm, rem_mitm, confirm_hint = 0; 5344 struct hci_conn *conn; 5345 5346 bt_dev_dbg(hdev, ""); 5347 5348 hci_dev_lock(hdev); 5349 5350 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5351 goto unlock; 5352 5353 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5354 if (!conn) 5355 goto unlock; 5356 5357 loc_mitm = (conn->auth_type & 0x01); 5358 rem_mitm = (conn->remote_auth & 0x01); 5359 5360 /* If we require MITM but the remote device can't provide that 5361 * (it has NoInputNoOutput) then reject the confirmation 5362 * request. We check the security level here since it doesn't 5363 * necessarily match conn->auth_type. 5364 */ 5365 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5366 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5367 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM"); 5368 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5369 sizeof(ev->bdaddr), &ev->bdaddr); 5370 goto unlock; 5371 } 5372 5373 /* If no side requires MITM protection; auto-accept */ 5374 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5375 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5376 5377 /* If we're not the initiators request authorization to 5378 * proceed from user space (mgmt_user_confirm with 5379 * confirm_hint set to 1). The exception is if neither 5380 * side had MITM or if the local IO capability is 5381 * NoInputNoOutput, in which case we do auto-accept 5382 */ 5383 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5384 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5385 (loc_mitm || rem_mitm)) { 5386 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor"); 5387 confirm_hint = 1; 5388 goto confirm; 5389 } 5390 5391 /* If there already exists link key in local host, leave the 5392 * decision to user space since the remote device could be 5393 * legitimate or malicious. 5394 */ 5395 if (hci_find_link_key(hdev, &ev->bdaddr)) { 5396 bt_dev_dbg(hdev, "Local host already has link key"); 5397 confirm_hint = 1; 5398 goto confirm; 5399 } 5400 5401 BT_DBG("Auto-accept of user confirmation with %ums delay", 5402 hdev->auto_accept_delay); 5403 5404 if (hdev->auto_accept_delay > 0) { 5405 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 5406 queue_delayed_work(conn->hdev->workqueue, 5407 &conn->auto_accept_work, delay); 5408 goto unlock; 5409 } 5410 5411 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 5412 sizeof(ev->bdaddr), &ev->bdaddr); 5413 goto unlock; 5414 } 5415 5416 confirm: 5417 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 5418 le32_to_cpu(ev->passkey), confirm_hint); 5419 5420 unlock: 5421 hci_dev_unlock(hdev); 5422 } 5423 5424 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data, 5425 struct sk_buff *skb) 5426 { 5427 struct hci_ev_user_passkey_req *ev = data; 5428 5429 bt_dev_dbg(hdev, ""); 5430 5431 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5432 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 5433 } 5434 5435 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data, 5436 struct sk_buff *skb) 5437 { 5438 struct hci_ev_user_passkey_notify *ev = data; 5439 struct hci_conn *conn; 5440 5441 bt_dev_dbg(hdev, ""); 5442 5443 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5444 if (!conn) 5445 return; 5446 5447 conn->passkey_notify = __le32_to_cpu(ev->passkey); 5448 conn->passkey_entered = 0; 5449 5450 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5451 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5452 conn->dst_type, conn->passkey_notify, 5453 conn->passkey_entered); 5454 } 5455 5456 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data, 5457 struct sk_buff *skb) 5458 { 5459 struct hci_ev_keypress_notify *ev = data; 5460 struct hci_conn *conn; 5461 5462 bt_dev_dbg(hdev, ""); 5463 5464 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5465 if (!conn) 5466 return; 5467 5468 switch (ev->type) { 5469 case HCI_KEYPRESS_STARTED: 5470 conn->passkey_entered = 0; 5471 return; 5472 5473 case HCI_KEYPRESS_ENTERED: 5474 conn->passkey_entered++; 5475 break; 5476 5477 case HCI_KEYPRESS_ERASED: 5478 conn->passkey_entered--; 5479 break; 5480 5481 case HCI_KEYPRESS_CLEARED: 5482 conn->passkey_entered = 0; 5483 break; 5484 5485 case HCI_KEYPRESS_COMPLETED: 5486 return; 5487 } 5488 5489 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5490 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5491 conn->dst_type, conn->passkey_notify, 5492 conn->passkey_entered); 5493 } 5494 5495 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data, 5496 struct sk_buff *skb) 5497 { 5498 struct hci_ev_simple_pair_complete *ev = data; 5499 struct hci_conn *conn; 5500 5501 bt_dev_dbg(hdev, ""); 5502 5503 hci_dev_lock(hdev); 5504 5505 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5506 if (!conn) 5507 goto unlock; 5508 5509 /* Reset the authentication requirement to unknown */ 5510 conn->remote_auth = 0xff; 5511 5512 /* To avoid duplicate auth_failed events to user space we check 5513 * the HCI_CONN_AUTH_PEND flag which will be set if we 5514 * initiated the authentication. A traditional auth_complete 5515 * event gets always produced as initiator and is also mapped to 5516 * the mgmt_auth_failed event */ 5517 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5518 mgmt_auth_failed(conn, ev->status); 5519 5520 hci_conn_drop(conn); 5521 5522 unlock: 5523 hci_dev_unlock(hdev); 5524 } 5525 5526 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data, 5527 struct sk_buff *skb) 5528 { 5529 struct hci_ev_remote_host_features *ev = data; 5530 struct inquiry_entry *ie; 5531 struct hci_conn *conn; 5532 5533 bt_dev_dbg(hdev, ""); 5534 5535 hci_dev_lock(hdev); 5536 5537 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5538 if (conn) 5539 memcpy(conn->features[1], ev->features, 8); 5540 5541 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5542 if (ie) 5543 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5544 5545 hci_dev_unlock(hdev); 5546 } 5547 5548 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata, 5549 struct sk_buff *skb) 5550 { 5551 struct hci_ev_remote_oob_data_request *ev = edata; 5552 struct oob_data *data; 5553 5554 bt_dev_dbg(hdev, ""); 5555 5556 hci_dev_lock(hdev); 5557 5558 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5559 goto unlock; 5560 5561 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5562 if (!data) { 5563 struct hci_cp_remote_oob_data_neg_reply cp; 5564 5565 bacpy(&cp.bdaddr, &ev->bdaddr); 5566 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5567 sizeof(cp), &cp); 5568 goto unlock; 5569 } 5570 5571 if (bredr_sc_enabled(hdev)) { 5572 struct hci_cp_remote_oob_ext_data_reply cp; 5573 5574 bacpy(&cp.bdaddr, &ev->bdaddr); 5575 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5576 memset(cp.hash192, 0, sizeof(cp.hash192)); 5577 memset(cp.rand192, 0, sizeof(cp.rand192)); 5578 } else { 5579 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5580 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5581 } 5582 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 5583 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5584 5585 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5586 sizeof(cp), &cp); 5587 } else { 5588 struct hci_cp_remote_oob_data_reply cp; 5589 5590 bacpy(&cp.bdaddr, &ev->bdaddr); 5591 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5592 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5593 5594 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5595 sizeof(cp), &cp); 5596 } 5597 5598 unlock: 5599 hci_dev_unlock(hdev); 5600 } 5601 5602 #if IS_ENABLED(CONFIG_BT_HS) 5603 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data, 5604 struct sk_buff *skb) 5605 { 5606 struct hci_ev_channel_selected *ev = data; 5607 struct hci_conn *hcon; 5608 5609 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle); 5610 5611 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5612 if (!hcon) 5613 return; 5614 5615 amp_read_loc_assoc_final_data(hdev, hcon); 5616 } 5617 5618 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data, 5619 struct sk_buff *skb) 5620 { 5621 struct hci_ev_phy_link_complete *ev = data; 5622 struct hci_conn *hcon, *bredr_hcon; 5623 5624 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle, 5625 ev->status); 5626 5627 hci_dev_lock(hdev); 5628 5629 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5630 if (!hcon) 5631 goto unlock; 5632 5633 if (!hcon->amp_mgr) 5634 goto unlock; 5635 5636 if (ev->status) { 5637 hci_conn_del(hcon); 5638 goto unlock; 5639 } 5640 5641 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 5642 5643 hcon->state = BT_CONNECTED; 5644 bacpy(&hcon->dst, &bredr_hcon->dst); 5645 5646 hci_conn_hold(hcon); 5647 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 5648 hci_conn_drop(hcon); 5649 5650 hci_debugfs_create_conn(hcon); 5651 hci_conn_add_sysfs(hcon); 5652 5653 amp_physical_cfm(bredr_hcon, hcon); 5654 5655 unlock: 5656 hci_dev_unlock(hdev); 5657 } 5658 5659 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data, 5660 struct sk_buff *skb) 5661 { 5662 struct hci_ev_logical_link_complete *ev = data; 5663 struct hci_conn *hcon; 5664 struct hci_chan *hchan; 5665 struct amp_mgr *mgr; 5666 5667 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 5668 le16_to_cpu(ev->handle), ev->phy_handle, ev->status); 5669 5670 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5671 if (!hcon) 5672 return; 5673 5674 /* Create AMP hchan */ 5675 hchan = hci_chan_create(hcon); 5676 if (!hchan) 5677 return; 5678 5679 hchan->handle = le16_to_cpu(ev->handle); 5680 hchan->amp = true; 5681 5682 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 5683 5684 mgr = hcon->amp_mgr; 5685 if (mgr && mgr->bredr_chan) { 5686 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 5687 5688 l2cap_chan_lock(bredr_chan); 5689 5690 bredr_chan->conn->mtu = hdev->block_mtu; 5691 l2cap_logical_cfm(bredr_chan, hchan, 0); 5692 hci_conn_hold(hcon); 5693 5694 l2cap_chan_unlock(bredr_chan); 5695 } 5696 } 5697 5698 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data, 5699 struct sk_buff *skb) 5700 { 5701 struct hci_ev_disconn_logical_link_complete *ev = data; 5702 struct hci_chan *hchan; 5703 5704 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", 5705 le16_to_cpu(ev->handle), ev->status); 5706 5707 if (ev->status) 5708 return; 5709 5710 hci_dev_lock(hdev); 5711 5712 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 5713 if (!hchan || !hchan->amp) 5714 goto unlock; 5715 5716 amp_destroy_logical_link(hchan, ev->reason); 5717 5718 unlock: 5719 hci_dev_unlock(hdev); 5720 } 5721 5722 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data, 5723 struct sk_buff *skb) 5724 { 5725 struct hci_ev_disconn_phy_link_complete *ev = data; 5726 struct hci_conn *hcon; 5727 5728 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5729 5730 if (ev->status) 5731 return; 5732 5733 hci_dev_lock(hdev); 5734 5735 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5736 if (hcon && hcon->type == AMP_LINK) { 5737 hcon->state = BT_CLOSED; 5738 hci_disconn_cfm(hcon, ev->reason); 5739 hci_conn_del(hcon); 5740 } 5741 5742 hci_dev_unlock(hdev); 5743 } 5744 #endif 5745 5746 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5747 u8 bdaddr_type, bdaddr_t *local_rpa) 5748 { 5749 if (conn->out) { 5750 conn->dst_type = bdaddr_type; 5751 conn->resp_addr_type = bdaddr_type; 5752 bacpy(&conn->resp_addr, bdaddr); 5753 5754 /* Check if the controller has set a Local RPA then it must be 5755 * used instead or hdev->rpa. 5756 */ 5757 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5758 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5759 bacpy(&conn->init_addr, local_rpa); 5760 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5761 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5762 bacpy(&conn->init_addr, &conn->hdev->rpa); 5763 } else { 5764 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5765 &conn->init_addr_type); 5766 } 5767 } else { 5768 conn->resp_addr_type = conn->hdev->adv_addr_type; 5769 /* Check if the controller has set a Local RPA then it must be 5770 * used instead or hdev->rpa. 5771 */ 5772 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5773 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5774 bacpy(&conn->resp_addr, local_rpa); 5775 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5776 /* In case of ext adv, resp_addr will be updated in 5777 * Adv Terminated event. 5778 */ 5779 if (!ext_adv_capable(conn->hdev)) 5780 bacpy(&conn->resp_addr, 5781 &conn->hdev->random_addr); 5782 } else { 5783 bacpy(&conn->resp_addr, &conn->hdev->bdaddr); 5784 } 5785 5786 conn->init_addr_type = bdaddr_type; 5787 bacpy(&conn->init_addr, bdaddr); 5788 5789 /* For incoming connections, set the default minimum 5790 * and maximum connection interval. They will be used 5791 * to check if the parameters are in range and if not 5792 * trigger the connection update procedure. 5793 */ 5794 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval; 5795 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval; 5796 } 5797 } 5798 5799 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5800 bdaddr_t *bdaddr, u8 bdaddr_type, 5801 bdaddr_t *local_rpa, u8 role, u16 handle, 5802 u16 interval, u16 latency, 5803 u16 supervision_timeout) 5804 { 5805 struct hci_conn_params *params; 5806 struct hci_conn *conn; 5807 struct smp_irk *irk; 5808 u8 addr_type; 5809 5810 hci_dev_lock(hdev); 5811 5812 /* All controllers implicitly stop advertising in the event of a 5813 * connection, so ensure that the state bit is cleared. 5814 */ 5815 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5816 5817 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr); 5818 if (!conn) { 5819 /* In case of error status and there is no connection pending 5820 * just unlock as there is nothing to cleanup. 5821 */ 5822 if (status) 5823 goto unlock; 5824 5825 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5826 if (!conn) { 5827 bt_dev_err(hdev, "no memory for new connection"); 5828 goto unlock; 5829 } 5830 5831 conn->dst_type = bdaddr_type; 5832 5833 /* If we didn't have a hci_conn object previously 5834 * but we're in central role this must be something 5835 * initiated using an accept list. Since accept list based 5836 * connections are not "first class citizens" we don't 5837 * have full tracking of them. Therefore, we go ahead 5838 * with a "best effort" approach of determining the 5839 * initiator address based on the HCI_PRIVACY flag. 5840 */ 5841 if (conn->out) { 5842 conn->resp_addr_type = bdaddr_type; 5843 bacpy(&conn->resp_addr, bdaddr); 5844 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5845 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5846 bacpy(&conn->init_addr, &hdev->rpa); 5847 } else { 5848 hci_copy_identity_address(hdev, 5849 &conn->init_addr, 5850 &conn->init_addr_type); 5851 } 5852 } 5853 } else { 5854 cancel_delayed_work(&conn->le_conn_timeout); 5855 } 5856 5857 /* The HCI_LE_Connection_Complete event is only sent once per connection. 5858 * Processing it more than once per connection can corrupt kernel memory. 5859 * 5860 * As the connection handle is set here for the first time, it indicates 5861 * whether the connection is already set up. 5862 */ 5863 if (conn->handle != HCI_CONN_HANDLE_UNSET) { 5864 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 5865 goto unlock; 5866 } 5867 5868 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa); 5869 5870 /* Lookup the identity address from the stored connection 5871 * address and address type. 5872 * 5873 * When establishing connections to an identity address, the 5874 * connection procedure will store the resolvable random 5875 * address first. Now if it can be converted back into the 5876 * identity address, start using the identity address from 5877 * now on. 5878 */ 5879 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5880 if (irk) { 5881 bacpy(&conn->dst, &irk->bdaddr); 5882 conn->dst_type = irk->addr_type; 5883 } 5884 5885 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL); 5886 5887 if (handle > HCI_CONN_HANDLE_MAX) { 5888 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", handle, 5889 HCI_CONN_HANDLE_MAX); 5890 status = HCI_ERROR_INVALID_PARAMETERS; 5891 } 5892 5893 /* All connection failure handling is taken care of by the 5894 * hci_conn_failed function which is triggered by the HCI 5895 * request completion callbacks used for connecting. 5896 */ 5897 if (status) 5898 goto unlock; 5899 5900 /* Drop the connection if it has been aborted */ 5901 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) { 5902 hci_conn_drop(conn); 5903 goto unlock; 5904 } 5905 5906 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5907 addr_type = BDADDR_LE_PUBLIC; 5908 else 5909 addr_type = BDADDR_LE_RANDOM; 5910 5911 /* Drop the connection if the device is blocked */ 5912 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) { 5913 hci_conn_drop(conn); 5914 goto unlock; 5915 } 5916 5917 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5918 mgmt_device_connected(hdev, conn, NULL, 0); 5919 5920 conn->sec_level = BT_SECURITY_LOW; 5921 conn->handle = handle; 5922 conn->state = BT_CONFIG; 5923 5924 /* Store current advertising instance as connection advertising instance 5925 * when sotfware rotation is in use so it can be re-enabled when 5926 * disconnected. 5927 */ 5928 if (!ext_adv_capable(hdev)) 5929 conn->adv_instance = hdev->cur_adv_instance; 5930 5931 conn->le_conn_interval = interval; 5932 conn->le_conn_latency = latency; 5933 conn->le_supv_timeout = supervision_timeout; 5934 5935 hci_debugfs_create_conn(conn); 5936 hci_conn_add_sysfs(conn); 5937 5938 /* The remote features procedure is defined for central 5939 * role only. So only in case of an initiated connection 5940 * request the remote features. 5941 * 5942 * If the local controller supports peripheral-initiated features 5943 * exchange, then requesting the remote features in peripheral 5944 * role is possible. Otherwise just transition into the 5945 * connected state without requesting the remote features. 5946 */ 5947 if (conn->out || 5948 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) { 5949 struct hci_cp_le_read_remote_features cp; 5950 5951 cp.handle = __cpu_to_le16(conn->handle); 5952 5953 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5954 sizeof(cp), &cp); 5955 5956 hci_conn_hold(conn); 5957 } else { 5958 conn->state = BT_CONNECTED; 5959 hci_connect_cfm(conn, status); 5960 } 5961 5962 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5963 conn->dst_type); 5964 if (params) { 5965 list_del_init(¶ms->action); 5966 if (params->conn) { 5967 hci_conn_drop(params->conn); 5968 hci_conn_put(params->conn); 5969 params->conn = NULL; 5970 } 5971 } 5972 5973 unlock: 5974 hci_update_passive_scan(hdev); 5975 hci_dev_unlock(hdev); 5976 } 5977 5978 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data, 5979 struct sk_buff *skb) 5980 { 5981 struct hci_ev_le_conn_complete *ev = data; 5982 5983 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5984 5985 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5986 NULL, ev->role, le16_to_cpu(ev->handle), 5987 le16_to_cpu(ev->interval), 5988 le16_to_cpu(ev->latency), 5989 le16_to_cpu(ev->supervision_timeout)); 5990 } 5991 5992 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data, 5993 struct sk_buff *skb) 5994 { 5995 struct hci_ev_le_enh_conn_complete *ev = data; 5996 5997 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5998 5999 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 6000 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle), 6001 le16_to_cpu(ev->interval), 6002 le16_to_cpu(ev->latency), 6003 le16_to_cpu(ev->supervision_timeout)); 6004 } 6005 6006 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data, 6007 struct sk_buff *skb) 6008 { 6009 struct hci_evt_le_ext_adv_set_term *ev = data; 6010 struct hci_conn *conn; 6011 struct adv_info *adv, *n; 6012 6013 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6014 6015 /* The Bluetooth Core 5.3 specification clearly states that this event 6016 * shall not be sent when the Host disables the advertising set. So in 6017 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event. 6018 * 6019 * When the Host disables an advertising set, all cleanup is done via 6020 * its command callback and not needed to be duplicated here. 6021 */ 6022 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) { 6023 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event"); 6024 return; 6025 } 6026 6027 hci_dev_lock(hdev); 6028 6029 adv = hci_find_adv_instance(hdev, ev->handle); 6030 6031 if (ev->status) { 6032 if (!adv) 6033 goto unlock; 6034 6035 /* Remove advertising as it has been terminated */ 6036 hci_remove_adv_instance(hdev, ev->handle); 6037 mgmt_advertising_removed(NULL, hdev, ev->handle); 6038 6039 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 6040 if (adv->enabled) 6041 goto unlock; 6042 } 6043 6044 /* We are no longer advertising, clear HCI_LE_ADV */ 6045 hci_dev_clear_flag(hdev, HCI_LE_ADV); 6046 goto unlock; 6047 } 6048 6049 if (adv) 6050 adv->enabled = false; 6051 6052 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 6053 if (conn) { 6054 /* Store handle in the connection so the correct advertising 6055 * instance can be re-enabled when disconnected. 6056 */ 6057 conn->adv_instance = ev->handle; 6058 6059 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM || 6060 bacmp(&conn->resp_addr, BDADDR_ANY)) 6061 goto unlock; 6062 6063 if (!ev->handle) { 6064 bacpy(&conn->resp_addr, &hdev->random_addr); 6065 goto unlock; 6066 } 6067 6068 if (adv) 6069 bacpy(&conn->resp_addr, &adv->random_addr); 6070 } 6071 6072 unlock: 6073 hci_dev_unlock(hdev); 6074 } 6075 6076 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data, 6077 struct sk_buff *skb) 6078 { 6079 struct hci_ev_le_conn_update_complete *ev = data; 6080 struct hci_conn *conn; 6081 6082 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6083 6084 if (ev->status) 6085 return; 6086 6087 hci_dev_lock(hdev); 6088 6089 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6090 if (conn) { 6091 conn->le_conn_interval = le16_to_cpu(ev->interval); 6092 conn->le_conn_latency = le16_to_cpu(ev->latency); 6093 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 6094 } 6095 6096 hci_dev_unlock(hdev); 6097 } 6098 6099 /* This function requires the caller holds hdev->lock */ 6100 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 6101 bdaddr_t *addr, 6102 u8 addr_type, bool addr_resolved, 6103 u8 adv_type) 6104 { 6105 struct hci_conn *conn; 6106 struct hci_conn_params *params; 6107 6108 /* If the event is not connectable don't proceed further */ 6109 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 6110 return NULL; 6111 6112 /* Ignore if the device is blocked or hdev is suspended */ 6113 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) || 6114 hdev->suspended) 6115 return NULL; 6116 6117 /* Most controller will fail if we try to create new connections 6118 * while we have an existing one in peripheral role. 6119 */ 6120 if (hdev->conn_hash.le_num_peripheral > 0 && 6121 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 6122 !(hdev->le_states[3] & 0x10))) 6123 return NULL; 6124 6125 /* If we're not connectable only connect devices that we have in 6126 * our pend_le_conns list. 6127 */ 6128 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 6129 addr_type); 6130 if (!params) 6131 return NULL; 6132 6133 if (!params->explicit_connect) { 6134 switch (params->auto_connect) { 6135 case HCI_AUTO_CONN_DIRECT: 6136 /* Only devices advertising with ADV_DIRECT_IND are 6137 * triggering a connection attempt. This is allowing 6138 * incoming connections from peripheral devices. 6139 */ 6140 if (adv_type != LE_ADV_DIRECT_IND) 6141 return NULL; 6142 break; 6143 case HCI_AUTO_CONN_ALWAYS: 6144 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 6145 * are triggering a connection attempt. This means 6146 * that incoming connections from peripheral device are 6147 * accepted and also outgoing connections to peripheral 6148 * devices are established when found. 6149 */ 6150 break; 6151 default: 6152 return NULL; 6153 } 6154 } 6155 6156 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved, 6157 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout, 6158 HCI_ROLE_MASTER); 6159 if (!IS_ERR(conn)) { 6160 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 6161 * by higher layer that tried to connect, if no then 6162 * store the pointer since we don't really have any 6163 * other owner of the object besides the params that 6164 * triggered it. This way we can abort the connection if 6165 * the parameters get removed and keep the reference 6166 * count consistent once the connection is established. 6167 */ 6168 6169 if (!params->explicit_connect) 6170 params->conn = hci_conn_get(conn); 6171 6172 return conn; 6173 } 6174 6175 switch (PTR_ERR(conn)) { 6176 case -EBUSY: 6177 /* If hci_connect() returns -EBUSY it means there is already 6178 * an LE connection attempt going on. Since controllers don't 6179 * support more than one connection attempt at the time, we 6180 * don't consider this an error case. 6181 */ 6182 break; 6183 default: 6184 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 6185 return NULL; 6186 } 6187 6188 return NULL; 6189 } 6190 6191 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 6192 u8 bdaddr_type, bdaddr_t *direct_addr, 6193 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 6194 bool ext_adv, bool ctl_time, u64 instant) 6195 { 6196 struct discovery_state *d = &hdev->discovery; 6197 struct smp_irk *irk; 6198 struct hci_conn *conn; 6199 bool match, bdaddr_resolved; 6200 u32 flags; 6201 u8 *ptr; 6202 6203 switch (type) { 6204 case LE_ADV_IND: 6205 case LE_ADV_DIRECT_IND: 6206 case LE_ADV_SCAN_IND: 6207 case LE_ADV_NONCONN_IND: 6208 case LE_ADV_SCAN_RSP: 6209 break; 6210 default: 6211 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 6212 "type: 0x%02x", type); 6213 return; 6214 } 6215 6216 if (!ext_adv && len > HCI_MAX_AD_LENGTH) { 6217 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); 6218 return; 6219 } 6220 6221 /* Find the end of the data in case the report contains padded zero 6222 * bytes at the end causing an invalid length value. 6223 * 6224 * When data is NULL, len is 0 so there is no need for extra ptr 6225 * check as 'ptr < data + 0' is already false in such case. 6226 */ 6227 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 6228 if (ptr + 1 + *ptr > data + len) 6229 break; 6230 } 6231 6232 /* Adjust for actual length. This handles the case when remote 6233 * device is advertising with incorrect data length. 6234 */ 6235 len = ptr - data; 6236 6237 /* If the direct address is present, then this report is from 6238 * a LE Direct Advertising Report event. In that case it is 6239 * important to see if the address is matching the local 6240 * controller address. 6241 */ 6242 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) { 6243 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type, 6244 &bdaddr_resolved); 6245 6246 /* Only resolvable random addresses are valid for these 6247 * kind of reports and others can be ignored. 6248 */ 6249 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 6250 return; 6251 6252 /* If the controller is not using resolvable random 6253 * addresses, then this report can be ignored. 6254 */ 6255 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 6256 return; 6257 6258 /* If the local IRK of the controller does not match 6259 * with the resolvable random address provided, then 6260 * this report can be ignored. 6261 */ 6262 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 6263 return; 6264 } 6265 6266 /* Check if we need to convert to identity address */ 6267 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 6268 if (irk) { 6269 bdaddr = &irk->bdaddr; 6270 bdaddr_type = irk->addr_type; 6271 } 6272 6273 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved); 6274 6275 /* Check if we have been requested to connect to this device. 6276 * 6277 * direct_addr is set only for directed advertising reports (it is NULL 6278 * for advertising reports) and is already verified to be RPA above. 6279 */ 6280 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved, 6281 type); 6282 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { 6283 /* Store report for later inclusion by 6284 * mgmt_device_connected 6285 */ 6286 memcpy(conn->le_adv_data, data, len); 6287 conn->le_adv_data_len = len; 6288 } 6289 6290 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 6291 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 6292 else 6293 flags = 0; 6294 6295 /* All scan results should be sent up for Mesh systems */ 6296 if (hci_dev_test_flag(hdev, HCI_MESH)) { 6297 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6298 rssi, flags, data, len, NULL, 0, instant); 6299 return; 6300 } 6301 6302 /* Passive scanning shouldn't trigger any device found events, 6303 * except for devices marked as CONN_REPORT for which we do send 6304 * device found events, or advertisement monitoring requested. 6305 */ 6306 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 6307 if (type == LE_ADV_DIRECT_IND) 6308 return; 6309 6310 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 6311 bdaddr, bdaddr_type) && 6312 idr_is_empty(&hdev->adv_monitors_idr)) 6313 return; 6314 6315 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6316 rssi, flags, data, len, NULL, 0, 0); 6317 return; 6318 } 6319 6320 /* When receiving a scan response, then there is no way to 6321 * know if the remote device is connectable or not. However 6322 * since scan responses are merged with a previously seen 6323 * advertising report, the flags field from that report 6324 * will be used. 6325 * 6326 * In the unlikely case that a controller just sends a scan 6327 * response event that doesn't match the pending report, then 6328 * it is marked as a standalone SCAN_RSP. 6329 */ 6330 if (type == LE_ADV_SCAN_RSP) 6331 flags = MGMT_DEV_FOUND_SCAN_RSP; 6332 6333 /* If there's nothing pending either store the data from this 6334 * event or send an immediate device found event if the data 6335 * should not be stored for later. 6336 */ 6337 if (!ext_adv && !has_pending_adv_report(hdev)) { 6338 /* If the report will trigger a SCAN_REQ store it for 6339 * later merging. 6340 */ 6341 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 6342 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6343 rssi, flags, data, len); 6344 return; 6345 } 6346 6347 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6348 rssi, flags, data, len, NULL, 0, 0); 6349 return; 6350 } 6351 6352 /* Check if the pending report is for the same device as the new one */ 6353 match = (!bacmp(bdaddr, &d->last_adv_addr) && 6354 bdaddr_type == d->last_adv_addr_type); 6355 6356 /* If the pending data doesn't match this report or this isn't a 6357 * scan response (e.g. we got a duplicate ADV_IND) then force 6358 * sending of the pending data. 6359 */ 6360 if (type != LE_ADV_SCAN_RSP || !match) { 6361 /* Send out whatever is in the cache, but skip duplicates */ 6362 if (!match) 6363 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6364 d->last_adv_addr_type, NULL, 6365 d->last_adv_rssi, d->last_adv_flags, 6366 d->last_adv_data, 6367 d->last_adv_data_len, NULL, 0, 0); 6368 6369 /* If the new report will trigger a SCAN_REQ store it for 6370 * later merging. 6371 */ 6372 if (!ext_adv && (type == LE_ADV_IND || 6373 type == LE_ADV_SCAN_IND)) { 6374 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6375 rssi, flags, data, len); 6376 return; 6377 } 6378 6379 /* The advertising reports cannot be merged, so clear 6380 * the pending report and send out a device found event. 6381 */ 6382 clear_pending_adv_report(hdev); 6383 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6384 rssi, flags, data, len, NULL, 0, 0); 6385 return; 6386 } 6387 6388 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 6389 * the new event is a SCAN_RSP. We can therefore proceed with 6390 * sending a merged device found event. 6391 */ 6392 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6393 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 6394 d->last_adv_data, d->last_adv_data_len, data, len, 0); 6395 clear_pending_adv_report(hdev); 6396 } 6397 6398 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data, 6399 struct sk_buff *skb) 6400 { 6401 struct hci_ev_le_advertising_report *ev = data; 6402 u64 instant = jiffies; 6403 6404 if (!ev->num) 6405 return; 6406 6407 hci_dev_lock(hdev); 6408 6409 while (ev->num--) { 6410 struct hci_ev_le_advertising_info *info; 6411 s8 rssi; 6412 6413 info = hci_le_ev_skb_pull(hdev, skb, 6414 HCI_EV_LE_ADVERTISING_REPORT, 6415 sizeof(*info)); 6416 if (!info) 6417 break; 6418 6419 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT, 6420 info->length + 1)) 6421 break; 6422 6423 if (info->length <= HCI_MAX_AD_LENGTH) { 6424 rssi = info->data[info->length]; 6425 process_adv_report(hdev, info->type, &info->bdaddr, 6426 info->bdaddr_type, NULL, 0, rssi, 6427 info->data, info->length, false, 6428 false, instant); 6429 } else { 6430 bt_dev_err(hdev, "Dropping invalid advertising data"); 6431 } 6432 } 6433 6434 hci_dev_unlock(hdev); 6435 } 6436 6437 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 6438 { 6439 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 6440 switch (evt_type) { 6441 case LE_LEGACY_ADV_IND: 6442 return LE_ADV_IND; 6443 case LE_LEGACY_ADV_DIRECT_IND: 6444 return LE_ADV_DIRECT_IND; 6445 case LE_LEGACY_ADV_SCAN_IND: 6446 return LE_ADV_SCAN_IND; 6447 case LE_LEGACY_NONCONN_IND: 6448 return LE_ADV_NONCONN_IND; 6449 case LE_LEGACY_SCAN_RSP_ADV: 6450 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 6451 return LE_ADV_SCAN_RSP; 6452 } 6453 6454 goto invalid; 6455 } 6456 6457 if (evt_type & LE_EXT_ADV_CONN_IND) { 6458 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6459 return LE_ADV_DIRECT_IND; 6460 6461 return LE_ADV_IND; 6462 } 6463 6464 if (evt_type & LE_EXT_ADV_SCAN_RSP) 6465 return LE_ADV_SCAN_RSP; 6466 6467 if (evt_type & LE_EXT_ADV_SCAN_IND) 6468 return LE_ADV_SCAN_IND; 6469 6470 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 6471 evt_type & LE_EXT_ADV_DIRECT_IND) 6472 return LE_ADV_NONCONN_IND; 6473 6474 invalid: 6475 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 6476 evt_type); 6477 6478 return LE_ADV_INVALID; 6479 } 6480 6481 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data, 6482 struct sk_buff *skb) 6483 { 6484 struct hci_ev_le_ext_adv_report *ev = data; 6485 u64 instant = jiffies; 6486 6487 if (!ev->num) 6488 return; 6489 6490 hci_dev_lock(hdev); 6491 6492 while (ev->num--) { 6493 struct hci_ev_le_ext_adv_info *info; 6494 u8 legacy_evt_type; 6495 u16 evt_type; 6496 6497 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6498 sizeof(*info)); 6499 if (!info) 6500 break; 6501 6502 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6503 info->length)) 6504 break; 6505 6506 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK; 6507 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 6508 if (legacy_evt_type != LE_ADV_INVALID) { 6509 process_adv_report(hdev, legacy_evt_type, &info->bdaddr, 6510 info->bdaddr_type, NULL, 0, 6511 info->rssi, info->data, info->length, 6512 !(evt_type & LE_EXT_ADV_LEGACY_PDU), 6513 false, instant); 6514 } 6515 } 6516 6517 hci_dev_unlock(hdev); 6518 } 6519 6520 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle) 6521 { 6522 struct hci_cp_le_pa_term_sync cp; 6523 6524 memset(&cp, 0, sizeof(cp)); 6525 cp.handle = handle; 6526 6527 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp); 6528 } 6529 6530 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data, 6531 struct sk_buff *skb) 6532 { 6533 struct hci_ev_le_pa_sync_established *ev = data; 6534 int mask = hdev->link_mode; 6535 __u8 flags = 0; 6536 6537 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6538 6539 if (ev->status) 6540 return; 6541 6542 hci_dev_lock(hdev); 6543 6544 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6545 6546 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags); 6547 if (!(mask & HCI_LM_ACCEPT)) 6548 hci_le_pa_term_sync(hdev, ev->handle); 6549 6550 hci_dev_unlock(hdev); 6551 } 6552 6553 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data, 6554 struct sk_buff *skb) 6555 { 6556 struct hci_ev_le_remote_feat_complete *ev = data; 6557 struct hci_conn *conn; 6558 6559 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6560 6561 hci_dev_lock(hdev); 6562 6563 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6564 if (conn) { 6565 if (!ev->status) 6566 memcpy(conn->features[0], ev->features, 8); 6567 6568 if (conn->state == BT_CONFIG) { 6569 __u8 status; 6570 6571 /* If the local controller supports peripheral-initiated 6572 * features exchange, but the remote controller does 6573 * not, then it is possible that the error code 0x1a 6574 * for unsupported remote feature gets returned. 6575 * 6576 * In this specific case, allow the connection to 6577 * transition into connected state and mark it as 6578 * successful. 6579 */ 6580 if (!conn->out && ev->status == 0x1a && 6581 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 6582 status = 0x00; 6583 else 6584 status = ev->status; 6585 6586 conn->state = BT_CONNECTED; 6587 hci_connect_cfm(conn, status); 6588 hci_conn_drop(conn); 6589 } 6590 } 6591 6592 hci_dev_unlock(hdev); 6593 } 6594 6595 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data, 6596 struct sk_buff *skb) 6597 { 6598 struct hci_ev_le_ltk_req *ev = data; 6599 struct hci_cp_le_ltk_reply cp; 6600 struct hci_cp_le_ltk_neg_reply neg; 6601 struct hci_conn *conn; 6602 struct smp_ltk *ltk; 6603 6604 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6605 6606 hci_dev_lock(hdev); 6607 6608 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6609 if (conn == NULL) 6610 goto not_found; 6611 6612 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 6613 if (!ltk) 6614 goto not_found; 6615 6616 if (smp_ltk_is_sc(ltk)) { 6617 /* With SC both EDiv and Rand are set to zero */ 6618 if (ev->ediv || ev->rand) 6619 goto not_found; 6620 } else { 6621 /* For non-SC keys check that EDiv and Rand match */ 6622 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 6623 goto not_found; 6624 } 6625 6626 memcpy(cp.ltk, ltk->val, ltk->enc_size); 6627 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 6628 cp.handle = cpu_to_le16(conn->handle); 6629 6630 conn->pending_sec_level = smp_ltk_sec_level(ltk); 6631 6632 conn->enc_key_size = ltk->enc_size; 6633 6634 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 6635 6636 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 6637 * temporary key used to encrypt a connection following 6638 * pairing. It is used during the Encrypted Session Setup to 6639 * distribute the keys. Later, security can be re-established 6640 * using a distributed LTK. 6641 */ 6642 if (ltk->type == SMP_STK) { 6643 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6644 list_del_rcu(<k->list); 6645 kfree_rcu(ltk, rcu); 6646 } else { 6647 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6648 } 6649 6650 hci_dev_unlock(hdev); 6651 6652 return; 6653 6654 not_found: 6655 neg.handle = ev->handle; 6656 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 6657 hci_dev_unlock(hdev); 6658 } 6659 6660 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 6661 u8 reason) 6662 { 6663 struct hci_cp_le_conn_param_req_neg_reply cp; 6664 6665 cp.handle = cpu_to_le16(handle); 6666 cp.reason = reason; 6667 6668 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 6669 &cp); 6670 } 6671 6672 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, 6673 struct sk_buff *skb) 6674 { 6675 struct hci_ev_le_remote_conn_param_req *ev = data; 6676 struct hci_cp_le_conn_param_req_reply cp; 6677 struct hci_conn *hcon; 6678 u16 handle, min, max, latency, timeout; 6679 6680 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6681 6682 handle = le16_to_cpu(ev->handle); 6683 min = le16_to_cpu(ev->interval_min); 6684 max = le16_to_cpu(ev->interval_max); 6685 latency = le16_to_cpu(ev->latency); 6686 timeout = le16_to_cpu(ev->timeout); 6687 6688 hcon = hci_conn_hash_lookup_handle(hdev, handle); 6689 if (!hcon || hcon->state != BT_CONNECTED) 6690 return send_conn_param_neg_reply(hdev, handle, 6691 HCI_ERROR_UNKNOWN_CONN_ID); 6692 6693 if (hci_check_conn_params(min, max, latency, timeout)) 6694 return send_conn_param_neg_reply(hdev, handle, 6695 HCI_ERROR_INVALID_LL_PARAMS); 6696 6697 if (hcon->role == HCI_ROLE_MASTER) { 6698 struct hci_conn_params *params; 6699 u8 store_hint; 6700 6701 hci_dev_lock(hdev); 6702 6703 params = hci_conn_params_lookup(hdev, &hcon->dst, 6704 hcon->dst_type); 6705 if (params) { 6706 params->conn_min_interval = min; 6707 params->conn_max_interval = max; 6708 params->conn_latency = latency; 6709 params->supervision_timeout = timeout; 6710 store_hint = 0x01; 6711 } else { 6712 store_hint = 0x00; 6713 } 6714 6715 hci_dev_unlock(hdev); 6716 6717 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 6718 store_hint, min, max, latency, timeout); 6719 } 6720 6721 cp.handle = ev->handle; 6722 cp.interval_min = ev->interval_min; 6723 cp.interval_max = ev->interval_max; 6724 cp.latency = ev->latency; 6725 cp.timeout = ev->timeout; 6726 cp.min_ce_len = 0; 6727 cp.max_ce_len = 0; 6728 6729 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 6730 } 6731 6732 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, 6733 struct sk_buff *skb) 6734 { 6735 struct hci_ev_le_direct_adv_report *ev = data; 6736 u64 instant = jiffies; 6737 int i; 6738 6739 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT, 6740 flex_array_size(ev, info, ev->num))) 6741 return; 6742 6743 if (!ev->num) 6744 return; 6745 6746 hci_dev_lock(hdev); 6747 6748 for (i = 0; i < ev->num; i++) { 6749 struct hci_ev_le_direct_adv_info *info = &ev->info[i]; 6750 6751 process_adv_report(hdev, info->type, &info->bdaddr, 6752 info->bdaddr_type, &info->direct_addr, 6753 info->direct_addr_type, info->rssi, NULL, 0, 6754 false, false, instant); 6755 } 6756 6757 hci_dev_unlock(hdev); 6758 } 6759 6760 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data, 6761 struct sk_buff *skb) 6762 { 6763 struct hci_ev_le_phy_update_complete *ev = data; 6764 struct hci_conn *conn; 6765 6766 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6767 6768 if (ev->status) 6769 return; 6770 6771 hci_dev_lock(hdev); 6772 6773 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6774 if (!conn) 6775 goto unlock; 6776 6777 conn->le_tx_phy = ev->tx_phy; 6778 conn->le_rx_phy = ev->rx_phy; 6779 6780 unlock: 6781 hci_dev_unlock(hdev); 6782 } 6783 6784 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data, 6785 struct sk_buff *skb) 6786 { 6787 struct hci_evt_le_cis_established *ev = data; 6788 struct hci_conn *conn; 6789 struct bt_iso_qos *qos; 6790 u16 handle = __le16_to_cpu(ev->handle); 6791 6792 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6793 6794 hci_dev_lock(hdev); 6795 6796 conn = hci_conn_hash_lookup_handle(hdev, handle); 6797 if (!conn) { 6798 bt_dev_err(hdev, 6799 "Unable to find connection with handle 0x%4.4x", 6800 handle); 6801 goto unlock; 6802 } 6803 6804 if (conn->type != ISO_LINK) { 6805 bt_dev_err(hdev, 6806 "Invalid connection link type handle 0x%4.4x", 6807 handle); 6808 goto unlock; 6809 } 6810 6811 qos = &conn->iso_qos; 6812 6813 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */ 6814 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250; 6815 qos->ucast.out.interval = qos->ucast.in.interval; 6816 6817 switch (conn->role) { 6818 case HCI_ROLE_SLAVE: 6819 /* Convert Transport Latency (us) to Latency (msec) */ 6820 qos->ucast.in.latency = 6821 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6822 1000); 6823 qos->ucast.out.latency = 6824 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6825 1000); 6826 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu); 6827 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu); 6828 qos->ucast.in.phy = ev->c_phy; 6829 qos->ucast.out.phy = ev->p_phy; 6830 break; 6831 case HCI_ROLE_MASTER: 6832 /* Convert Transport Latency (us) to Latency (msec) */ 6833 qos->ucast.out.latency = 6834 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6835 1000); 6836 qos->ucast.in.latency = 6837 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6838 1000); 6839 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu); 6840 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu); 6841 qos->ucast.out.phy = ev->c_phy; 6842 qos->ucast.in.phy = ev->p_phy; 6843 break; 6844 } 6845 6846 if (!ev->status) { 6847 conn->state = BT_CONNECTED; 6848 hci_debugfs_create_conn(conn); 6849 hci_conn_add_sysfs(conn); 6850 hci_iso_setup_path(conn); 6851 goto unlock; 6852 } 6853 6854 hci_connect_cfm(conn, ev->status); 6855 hci_conn_del(conn); 6856 6857 unlock: 6858 hci_dev_unlock(hdev); 6859 } 6860 6861 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle) 6862 { 6863 struct hci_cp_le_reject_cis cp; 6864 6865 memset(&cp, 0, sizeof(cp)); 6866 cp.handle = handle; 6867 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 6868 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); 6869 } 6870 6871 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle) 6872 { 6873 struct hci_cp_le_accept_cis cp; 6874 6875 memset(&cp, 0, sizeof(cp)); 6876 cp.handle = handle; 6877 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 6878 } 6879 6880 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, 6881 struct sk_buff *skb) 6882 { 6883 struct hci_evt_le_cis_req *ev = data; 6884 u16 acl_handle, cis_handle; 6885 struct hci_conn *acl, *cis; 6886 int mask; 6887 __u8 flags = 0; 6888 6889 acl_handle = __le16_to_cpu(ev->acl_handle); 6890 cis_handle = __le16_to_cpu(ev->cis_handle); 6891 6892 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x", 6893 acl_handle, cis_handle, ev->cig_id, ev->cis_id); 6894 6895 hci_dev_lock(hdev); 6896 6897 acl = hci_conn_hash_lookup_handle(hdev, acl_handle); 6898 if (!acl) 6899 goto unlock; 6900 6901 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags); 6902 if (!(mask & HCI_LM_ACCEPT)) { 6903 hci_le_reject_cis(hdev, ev->cis_handle); 6904 goto unlock; 6905 } 6906 6907 cis = hci_conn_hash_lookup_handle(hdev, cis_handle); 6908 if (!cis) { 6909 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE); 6910 if (!cis) { 6911 hci_le_reject_cis(hdev, ev->cis_handle); 6912 goto unlock; 6913 } 6914 cis->handle = cis_handle; 6915 } 6916 6917 cis->iso_qos.ucast.cig = ev->cig_id; 6918 cis->iso_qos.ucast.cis = ev->cis_id; 6919 6920 if (!(flags & HCI_PROTO_DEFER)) { 6921 hci_le_accept_cis(hdev, ev->cis_handle); 6922 } else { 6923 cis->state = BT_CONNECT2; 6924 hci_connect_cfm(cis, 0); 6925 } 6926 6927 unlock: 6928 hci_dev_unlock(hdev); 6929 } 6930 6931 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, 6932 struct sk_buff *skb) 6933 { 6934 struct hci_evt_le_create_big_complete *ev = data; 6935 struct hci_conn *conn; 6936 6937 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 6938 6939 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE, 6940 flex_array_size(ev, bis_handle, ev->num_bis))) 6941 return; 6942 6943 hci_dev_lock(hdev); 6944 6945 conn = hci_conn_hash_lookup_big(hdev, ev->handle); 6946 if (!conn) 6947 goto unlock; 6948 6949 if (conn->type != ISO_LINK) { 6950 bt_dev_err(hdev, 6951 "Invalid connection link type handle 0x%2.2x", 6952 ev->handle); 6953 goto unlock; 6954 } 6955 6956 if (ev->num_bis) 6957 conn->handle = __le16_to_cpu(ev->bis_handle[0]); 6958 6959 if (!ev->status) { 6960 conn->state = BT_CONNECTED; 6961 hci_debugfs_create_conn(conn); 6962 hci_conn_add_sysfs(conn); 6963 hci_iso_setup_path(conn); 6964 goto unlock; 6965 } 6966 6967 hci_connect_cfm(conn, ev->status); 6968 hci_conn_del(conn); 6969 6970 unlock: 6971 hci_dev_unlock(hdev); 6972 } 6973 6974 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, 6975 struct sk_buff *skb) 6976 { 6977 struct hci_evt_le_big_sync_estabilished *ev = data; 6978 struct hci_conn *bis; 6979 int i; 6980 6981 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6982 6983 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 6984 flex_array_size(ev, bis, ev->num_bis))) 6985 return; 6986 6987 if (ev->status) 6988 return; 6989 6990 hci_dev_lock(hdev); 6991 6992 for (i = 0; i < ev->num_bis; i++) { 6993 u16 handle = le16_to_cpu(ev->bis[i]); 6994 __le32 interval; 6995 6996 bis = hci_conn_hash_lookup_handle(hdev, handle); 6997 if (!bis) { 6998 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY, 6999 HCI_ROLE_SLAVE); 7000 if (!bis) 7001 continue; 7002 bis->handle = handle; 7003 } 7004 7005 bis->iso_qos.bcast.big = ev->handle; 7006 memset(&interval, 0, sizeof(interval)); 7007 memcpy(&interval, ev->latency, sizeof(ev->latency)); 7008 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval); 7009 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */ 7010 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100; 7011 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); 7012 7013 hci_iso_setup_path(bis); 7014 } 7015 7016 hci_dev_unlock(hdev); 7017 } 7018 7019 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data, 7020 struct sk_buff *skb) 7021 { 7022 struct hci_evt_le_big_info_adv_report *ev = data; 7023 int mask = hdev->link_mode; 7024 __u8 flags = 0; 7025 7026 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 7027 7028 hci_dev_lock(hdev); 7029 7030 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 7031 if (!(mask & HCI_LM_ACCEPT)) 7032 hci_le_pa_term_sync(hdev, ev->sync_handle); 7033 7034 hci_dev_unlock(hdev); 7035 } 7036 7037 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \ 7038 [_op] = { \ 7039 .func = _func, \ 7040 .min_len = _min_len, \ 7041 .max_len = _max_len, \ 7042 } 7043 7044 #define HCI_LE_EV(_op, _func, _len) \ 7045 HCI_LE_EV_VL(_op, _func, _len, _len) 7046 7047 #define HCI_LE_EV_STATUS(_op, _func) \ 7048 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status)) 7049 7050 /* Entries in this table shall have their position according to the subevent 7051 * opcode they handle so the use of the macros above is recommend since it does 7052 * attempt to initialize at its proper index using Designated Initializers that 7053 * way events without a callback function can be ommited. 7054 */ 7055 static const struct hci_le_ev { 7056 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 7057 u16 min_len; 7058 u16 max_len; 7059 } hci_le_ev_table[U8_MAX + 1] = { 7060 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */ 7061 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt, 7062 sizeof(struct hci_ev_le_conn_complete)), 7063 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */ 7064 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt, 7065 sizeof(struct hci_ev_le_advertising_report), 7066 HCI_MAX_EVENT_SIZE), 7067 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */ 7068 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE, 7069 hci_le_conn_update_complete_evt, 7070 sizeof(struct hci_ev_le_conn_update_complete)), 7071 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */ 7072 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE, 7073 hci_le_remote_feat_complete_evt, 7074 sizeof(struct hci_ev_le_remote_feat_complete)), 7075 /* [0x05 = HCI_EV_LE_LTK_REQ] */ 7076 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt, 7077 sizeof(struct hci_ev_le_ltk_req)), 7078 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */ 7079 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ, 7080 hci_le_remote_conn_param_req_evt, 7081 sizeof(struct hci_ev_le_remote_conn_param_req)), 7082 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */ 7083 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE, 7084 hci_le_enh_conn_complete_evt, 7085 sizeof(struct hci_ev_le_enh_conn_complete)), 7086 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */ 7087 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt, 7088 sizeof(struct hci_ev_le_direct_adv_report), 7089 HCI_MAX_EVENT_SIZE), 7090 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */ 7091 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt, 7092 sizeof(struct hci_ev_le_phy_update_complete)), 7093 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */ 7094 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt, 7095 sizeof(struct hci_ev_le_ext_adv_report), 7096 HCI_MAX_EVENT_SIZE), 7097 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */ 7098 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED, 7099 hci_le_pa_sync_estabilished_evt, 7100 sizeof(struct hci_ev_le_pa_sync_established)), 7101 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */ 7102 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt, 7103 sizeof(struct hci_evt_le_ext_adv_set_term)), 7104 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */ 7105 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt, 7106 sizeof(struct hci_evt_le_cis_established)), 7107 /* [0x1a = HCI_EVT_LE_CIS_REQ] */ 7108 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt, 7109 sizeof(struct hci_evt_le_cis_req)), 7110 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */ 7111 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE, 7112 hci_le_create_big_complete_evt, 7113 sizeof(struct hci_evt_le_create_big_complete), 7114 HCI_MAX_EVENT_SIZE), 7115 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */ 7116 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 7117 hci_le_big_sync_established_evt, 7118 sizeof(struct hci_evt_le_big_sync_estabilished), 7119 HCI_MAX_EVENT_SIZE), 7120 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */ 7121 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT, 7122 hci_le_big_info_adv_report_evt, 7123 sizeof(struct hci_evt_le_big_info_adv_report), 7124 HCI_MAX_EVENT_SIZE), 7125 }; 7126 7127 static void hci_le_meta_evt(struct hci_dev *hdev, void *data, 7128 struct sk_buff *skb, u16 *opcode, u8 *status, 7129 hci_req_complete_t *req_complete, 7130 hci_req_complete_skb_t *req_complete_skb) 7131 { 7132 struct hci_ev_le_meta *ev = data; 7133 const struct hci_le_ev *subev; 7134 7135 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent); 7136 7137 /* Only match event if command OGF is for LE */ 7138 if (hdev->sent_cmd && 7139 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 && 7140 hci_skb_event(hdev->sent_cmd) == ev->subevent) { 7141 *opcode = hci_skb_opcode(hdev->sent_cmd); 7142 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete, 7143 req_complete_skb); 7144 } 7145 7146 subev = &hci_le_ev_table[ev->subevent]; 7147 if (!subev->func) 7148 return; 7149 7150 if (skb->len < subev->min_len) { 7151 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u", 7152 ev->subevent, skb->len, subev->min_len); 7153 return; 7154 } 7155 7156 /* Just warn if the length is over max_len size it still be 7157 * possible to partially parse the event so leave to callback to 7158 * decide if that is acceptable. 7159 */ 7160 if (skb->len > subev->max_len) 7161 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u", 7162 ev->subevent, skb->len, subev->max_len); 7163 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len); 7164 if (!data) 7165 return; 7166 7167 subev->func(hdev, data, skb); 7168 } 7169 7170 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 7171 u8 event, struct sk_buff *skb) 7172 { 7173 struct hci_ev_cmd_complete *ev; 7174 struct hci_event_hdr *hdr; 7175 7176 if (!skb) 7177 return false; 7178 7179 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr)); 7180 if (!hdr) 7181 return false; 7182 7183 if (event) { 7184 if (hdr->evt != event) 7185 return false; 7186 return true; 7187 } 7188 7189 /* Check if request ended in Command Status - no way to retrieve 7190 * any extra parameters in this case. 7191 */ 7192 if (hdr->evt == HCI_EV_CMD_STATUS) 7193 return false; 7194 7195 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 7196 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 7197 hdr->evt); 7198 return false; 7199 } 7200 7201 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev)); 7202 if (!ev) 7203 return false; 7204 7205 if (opcode != __le16_to_cpu(ev->opcode)) { 7206 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 7207 __le16_to_cpu(ev->opcode)); 7208 return false; 7209 } 7210 7211 return true; 7212 } 7213 7214 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 7215 struct sk_buff *skb) 7216 { 7217 struct hci_ev_le_advertising_info *adv; 7218 struct hci_ev_le_direct_adv_info *direct_adv; 7219 struct hci_ev_le_ext_adv_info *ext_adv; 7220 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; 7221 const struct hci_ev_conn_request *conn_request = (void *)skb->data; 7222 7223 hci_dev_lock(hdev); 7224 7225 /* If we are currently suspended and this is the first BT event seen, 7226 * save the wake reason associated with the event. 7227 */ 7228 if (!hdev->suspended || hdev->wake_reason) 7229 goto unlock; 7230 7231 /* Default to remote wake. Values for wake_reason are documented in the 7232 * Bluez mgmt api docs. 7233 */ 7234 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 7235 7236 /* Once configured for remote wakeup, we should only wake up for 7237 * reconnections. It's useful to see which device is waking us up so 7238 * keep track of the bdaddr of the connection event that woke us up. 7239 */ 7240 if (event == HCI_EV_CONN_REQUEST) { 7241 bacpy(&hdev->wake_addr, &conn_complete->bdaddr); 7242 hdev->wake_addr_type = BDADDR_BREDR; 7243 } else if (event == HCI_EV_CONN_COMPLETE) { 7244 bacpy(&hdev->wake_addr, &conn_request->bdaddr); 7245 hdev->wake_addr_type = BDADDR_BREDR; 7246 } else if (event == HCI_EV_LE_META) { 7247 struct hci_ev_le_meta *le_ev = (void *)skb->data; 7248 u8 subevent = le_ev->subevent; 7249 u8 *ptr = &skb->data[sizeof(*le_ev)]; 7250 u8 num_reports = *ptr; 7251 7252 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT || 7253 subevent == HCI_EV_LE_DIRECT_ADV_REPORT || 7254 subevent == HCI_EV_LE_EXT_ADV_REPORT) && 7255 num_reports) { 7256 adv = (void *)(ptr + 1); 7257 direct_adv = (void *)(ptr + 1); 7258 ext_adv = (void *)(ptr + 1); 7259 7260 switch (subevent) { 7261 case HCI_EV_LE_ADVERTISING_REPORT: 7262 bacpy(&hdev->wake_addr, &adv->bdaddr); 7263 hdev->wake_addr_type = adv->bdaddr_type; 7264 break; 7265 case HCI_EV_LE_DIRECT_ADV_REPORT: 7266 bacpy(&hdev->wake_addr, &direct_adv->bdaddr); 7267 hdev->wake_addr_type = direct_adv->bdaddr_type; 7268 break; 7269 case HCI_EV_LE_EXT_ADV_REPORT: 7270 bacpy(&hdev->wake_addr, &ext_adv->bdaddr); 7271 hdev->wake_addr_type = ext_adv->bdaddr_type; 7272 break; 7273 } 7274 } 7275 } else { 7276 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 7277 } 7278 7279 unlock: 7280 hci_dev_unlock(hdev); 7281 } 7282 7283 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \ 7284 [_op] = { \ 7285 .req = false, \ 7286 .func = _func, \ 7287 .min_len = _min_len, \ 7288 .max_len = _max_len, \ 7289 } 7290 7291 #define HCI_EV(_op, _func, _len) \ 7292 HCI_EV_VL(_op, _func, _len, _len) 7293 7294 #define HCI_EV_STATUS(_op, _func) \ 7295 HCI_EV(_op, _func, sizeof(struct hci_ev_status)) 7296 7297 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \ 7298 [_op] = { \ 7299 .req = true, \ 7300 .func_req = _func, \ 7301 .min_len = _min_len, \ 7302 .max_len = _max_len, \ 7303 } 7304 7305 #define HCI_EV_REQ(_op, _func, _len) \ 7306 HCI_EV_REQ_VL(_op, _func, _len, _len) 7307 7308 /* Entries in this table shall have their position according to the event opcode 7309 * they handle so the use of the macros above is recommend since it does attempt 7310 * to initialize at its proper index using Designated Initializers that way 7311 * events without a callback function don't have entered. 7312 */ 7313 static const struct hci_ev { 7314 bool req; 7315 union { 7316 void (*func)(struct hci_dev *hdev, void *data, 7317 struct sk_buff *skb); 7318 void (*func_req)(struct hci_dev *hdev, void *data, 7319 struct sk_buff *skb, u16 *opcode, u8 *status, 7320 hci_req_complete_t *req_complete, 7321 hci_req_complete_skb_t *req_complete_skb); 7322 }; 7323 u16 min_len; 7324 u16 max_len; 7325 } hci_ev_table[U8_MAX + 1] = { 7326 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */ 7327 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt), 7328 /* [0x02 = HCI_EV_INQUIRY_RESULT] */ 7329 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt, 7330 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE), 7331 /* [0x03 = HCI_EV_CONN_COMPLETE] */ 7332 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt, 7333 sizeof(struct hci_ev_conn_complete)), 7334 /* [0x04 = HCI_EV_CONN_REQUEST] */ 7335 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt, 7336 sizeof(struct hci_ev_conn_request)), 7337 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */ 7338 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt, 7339 sizeof(struct hci_ev_disconn_complete)), 7340 /* [0x06 = HCI_EV_AUTH_COMPLETE] */ 7341 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt, 7342 sizeof(struct hci_ev_auth_complete)), 7343 /* [0x07 = HCI_EV_REMOTE_NAME] */ 7344 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt, 7345 sizeof(struct hci_ev_remote_name)), 7346 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */ 7347 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt, 7348 sizeof(struct hci_ev_encrypt_change)), 7349 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */ 7350 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE, 7351 hci_change_link_key_complete_evt, 7352 sizeof(struct hci_ev_change_link_key_complete)), 7353 /* [0x0b = HCI_EV_REMOTE_FEATURES] */ 7354 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt, 7355 sizeof(struct hci_ev_remote_features)), 7356 /* [0x0e = HCI_EV_CMD_COMPLETE] */ 7357 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt, 7358 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE), 7359 /* [0x0f = HCI_EV_CMD_STATUS] */ 7360 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt, 7361 sizeof(struct hci_ev_cmd_status)), 7362 /* [0x10 = HCI_EV_CMD_STATUS] */ 7363 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt, 7364 sizeof(struct hci_ev_hardware_error)), 7365 /* [0x12 = HCI_EV_ROLE_CHANGE] */ 7366 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt, 7367 sizeof(struct hci_ev_role_change)), 7368 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */ 7369 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt, 7370 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE), 7371 /* [0x14 = HCI_EV_MODE_CHANGE] */ 7372 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt, 7373 sizeof(struct hci_ev_mode_change)), 7374 /* [0x16 = HCI_EV_PIN_CODE_REQ] */ 7375 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt, 7376 sizeof(struct hci_ev_pin_code_req)), 7377 /* [0x17 = HCI_EV_LINK_KEY_REQ] */ 7378 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt, 7379 sizeof(struct hci_ev_link_key_req)), 7380 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */ 7381 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt, 7382 sizeof(struct hci_ev_link_key_notify)), 7383 /* [0x1c = HCI_EV_CLOCK_OFFSET] */ 7384 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt, 7385 sizeof(struct hci_ev_clock_offset)), 7386 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */ 7387 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt, 7388 sizeof(struct hci_ev_pkt_type_change)), 7389 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */ 7390 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt, 7391 sizeof(struct hci_ev_pscan_rep_mode)), 7392 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */ 7393 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI, 7394 hci_inquiry_result_with_rssi_evt, 7395 sizeof(struct hci_ev_inquiry_result_rssi), 7396 HCI_MAX_EVENT_SIZE), 7397 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */ 7398 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt, 7399 sizeof(struct hci_ev_remote_ext_features)), 7400 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */ 7401 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt, 7402 sizeof(struct hci_ev_sync_conn_complete)), 7403 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */ 7404 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT, 7405 hci_extended_inquiry_result_evt, 7406 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE), 7407 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */ 7408 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt, 7409 sizeof(struct hci_ev_key_refresh_complete)), 7410 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */ 7411 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt, 7412 sizeof(struct hci_ev_io_capa_request)), 7413 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */ 7414 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt, 7415 sizeof(struct hci_ev_io_capa_reply)), 7416 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */ 7417 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt, 7418 sizeof(struct hci_ev_user_confirm_req)), 7419 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */ 7420 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt, 7421 sizeof(struct hci_ev_user_passkey_req)), 7422 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */ 7423 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt, 7424 sizeof(struct hci_ev_remote_oob_data_request)), 7425 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */ 7426 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt, 7427 sizeof(struct hci_ev_simple_pair_complete)), 7428 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */ 7429 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt, 7430 sizeof(struct hci_ev_user_passkey_notify)), 7431 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */ 7432 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt, 7433 sizeof(struct hci_ev_keypress_notify)), 7434 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */ 7435 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt, 7436 sizeof(struct hci_ev_remote_host_features)), 7437 /* [0x3e = HCI_EV_LE_META] */ 7438 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt, 7439 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE), 7440 #if IS_ENABLED(CONFIG_BT_HS) 7441 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */ 7442 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt, 7443 sizeof(struct hci_ev_phy_link_complete)), 7444 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */ 7445 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt, 7446 sizeof(struct hci_ev_channel_selected)), 7447 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */ 7448 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE, 7449 hci_disconn_loglink_complete_evt, 7450 sizeof(struct hci_ev_disconn_logical_link_complete)), 7451 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */ 7452 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt, 7453 sizeof(struct hci_ev_logical_link_complete)), 7454 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */ 7455 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE, 7456 hci_disconn_phylink_complete_evt, 7457 sizeof(struct hci_ev_disconn_phy_link_complete)), 7458 #endif 7459 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */ 7460 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt, 7461 sizeof(struct hci_ev_num_comp_blocks)), 7462 /* [0xff = HCI_EV_VENDOR] */ 7463 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE), 7464 }; 7465 7466 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb, 7467 u16 *opcode, u8 *status, 7468 hci_req_complete_t *req_complete, 7469 hci_req_complete_skb_t *req_complete_skb) 7470 { 7471 const struct hci_ev *ev = &hci_ev_table[event]; 7472 void *data; 7473 7474 if (!ev->func) 7475 return; 7476 7477 if (skb->len < ev->min_len) { 7478 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u", 7479 event, skb->len, ev->min_len); 7480 return; 7481 } 7482 7483 /* Just warn if the length is over max_len size it still be 7484 * possible to partially parse the event so leave to callback to 7485 * decide if that is acceptable. 7486 */ 7487 if (skb->len > ev->max_len) 7488 bt_dev_warn_ratelimited(hdev, 7489 "unexpected event 0x%2.2x length: %u > %u", 7490 event, skb->len, ev->max_len); 7491 7492 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len); 7493 if (!data) 7494 return; 7495 7496 if (ev->req) 7497 ev->func_req(hdev, data, skb, opcode, status, req_complete, 7498 req_complete_skb); 7499 else 7500 ev->func(hdev, data, skb); 7501 } 7502 7503 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 7504 { 7505 struct hci_event_hdr *hdr = (void *) skb->data; 7506 hci_req_complete_t req_complete = NULL; 7507 hci_req_complete_skb_t req_complete_skb = NULL; 7508 struct sk_buff *orig_skb = NULL; 7509 u8 status = 0, event, req_evt = 0; 7510 u16 opcode = HCI_OP_NOP; 7511 7512 if (skb->len < sizeof(*hdr)) { 7513 bt_dev_err(hdev, "Malformed HCI Event"); 7514 goto done; 7515 } 7516 7517 kfree_skb(hdev->recv_event); 7518 hdev->recv_event = skb_clone(skb, GFP_KERNEL); 7519 7520 event = hdr->evt; 7521 if (!event) { 7522 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x", 7523 event); 7524 goto done; 7525 } 7526 7527 /* Only match event if command OGF is not for LE */ 7528 if (hdev->sent_cmd && 7529 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 && 7530 hci_skb_event(hdev->sent_cmd) == event) { 7531 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd), 7532 status, &req_complete, &req_complete_skb); 7533 req_evt = event; 7534 } 7535 7536 /* If it looks like we might end up having to call 7537 * req_complete_skb, store a pristine copy of the skb since the 7538 * various handlers may modify the original one through 7539 * skb_pull() calls, etc. 7540 */ 7541 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 7542 event == HCI_EV_CMD_COMPLETE) 7543 orig_skb = skb_clone(skb, GFP_KERNEL); 7544 7545 skb_pull(skb, HCI_EVENT_HDR_SIZE); 7546 7547 /* Store wake reason if we're suspended */ 7548 hci_store_wake_reason(hdev, event, skb); 7549 7550 bt_dev_dbg(hdev, "event 0x%2.2x", event); 7551 7552 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete, 7553 &req_complete_skb); 7554 7555 if (req_complete) { 7556 req_complete(hdev, status, opcode); 7557 } else if (req_complete_skb) { 7558 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 7559 kfree_skb(orig_skb); 7560 orig_skb = NULL; 7561 } 7562 req_complete_skb(hdev, status, opcode, orig_skb); 7563 } 7564 7565 done: 7566 kfree_skb(orig_skb); 7567 kfree_skb(skb); 7568 hdev->stat.evt_rx++; 7569 } 7570