1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 40 "\x00\x00\x00\x00\x00\x00\x00\x00" 41 42 /* Handle HCI Event packets */ 43 44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 45 { 46 __u8 status = *((__u8 *) skb->data); 47 48 BT_DBG("%s status 0x%2.2x", hdev->name, status); 49 50 if (status) 51 return; 52 53 clear_bit(HCI_INQUIRY, &hdev->flags); 54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 55 wake_up_bit(&hdev->flags, HCI_INQUIRY); 56 57 hci_dev_lock(hdev); 58 /* Set discovery state to stopped if we're not doing LE active 59 * scanning. 60 */ 61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 62 hdev->le_scan_type != LE_SCAN_ACTIVE) 63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 64 hci_dev_unlock(hdev); 65 66 hci_conn_check_pending(hdev); 67 } 68 69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 70 { 71 __u8 status = *((__u8 *) skb->data); 72 73 BT_DBG("%s status 0x%2.2x", hdev->name, status); 74 75 if (status) 76 return; 77 78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 79 } 80 81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 82 { 83 __u8 status = *((__u8 *) skb->data); 84 85 BT_DBG("%s status 0x%2.2x", hdev->name, status); 86 87 if (status) 88 return; 89 90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 91 92 hci_conn_check_pending(hdev); 93 } 94 95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 96 struct sk_buff *skb) 97 { 98 BT_DBG("%s", hdev->name); 99 } 100 101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 102 { 103 struct hci_rp_role_discovery *rp = (void *) skb->data; 104 struct hci_conn *conn; 105 106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 107 108 if (rp->status) 109 return; 110 111 hci_dev_lock(hdev); 112 113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 114 if (conn) 115 conn->role = rp->role; 116 117 hci_dev_unlock(hdev); 118 } 119 120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 121 { 122 struct hci_rp_read_link_policy *rp = (void *) skb->data; 123 struct hci_conn *conn; 124 125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 126 127 if (rp->status) 128 return; 129 130 hci_dev_lock(hdev); 131 132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 133 if (conn) 134 conn->link_policy = __le16_to_cpu(rp->policy); 135 136 hci_dev_unlock(hdev); 137 } 138 139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 140 { 141 struct hci_rp_write_link_policy *rp = (void *) skb->data; 142 struct hci_conn *conn; 143 void *sent; 144 145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 146 147 if (rp->status) 148 return; 149 150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 151 if (!sent) 152 return; 153 154 hci_dev_lock(hdev); 155 156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 157 if (conn) 158 conn->link_policy = get_unaligned_le16(sent + 2); 159 160 hci_dev_unlock(hdev); 161 } 162 163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 164 struct sk_buff *skb) 165 { 166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 167 168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 169 170 if (rp->status) 171 return; 172 173 hdev->link_policy = __le16_to_cpu(rp->policy); 174 } 175 176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 177 struct sk_buff *skb) 178 { 179 __u8 status = *((__u8 *) skb->data); 180 void *sent; 181 182 BT_DBG("%s status 0x%2.2x", hdev->name, status); 183 184 if (status) 185 return; 186 187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 188 if (!sent) 189 return; 190 191 hdev->link_policy = get_unaligned_le16(sent); 192 } 193 194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 195 { 196 __u8 status = *((__u8 *) skb->data); 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 clear_bit(HCI_RESET, &hdev->flags); 201 202 if (status) 203 return; 204 205 /* Reset all non-persistent flags */ 206 hci_dev_clear_volatile_flags(hdev); 207 208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 209 210 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 211 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 212 213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 214 hdev->adv_data_len = 0; 215 216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 217 hdev->scan_rsp_data_len = 0; 218 219 hdev->le_scan_type = LE_SCAN_PASSIVE; 220 221 hdev->ssp_debug_mode = 0; 222 223 hci_bdaddr_list_clear(&hdev->le_white_list); 224 hci_bdaddr_list_clear(&hdev->le_resolv_list); 225 } 226 227 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 228 struct sk_buff *skb) 229 { 230 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 231 struct hci_cp_read_stored_link_key *sent; 232 233 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 234 235 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 236 if (!sent) 237 return; 238 239 if (!rp->status && sent->read_all == 0x01) { 240 hdev->stored_max_keys = rp->max_keys; 241 hdev->stored_num_keys = rp->num_keys; 242 } 243 } 244 245 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 246 struct sk_buff *skb) 247 { 248 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 249 250 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 251 252 if (rp->status) 253 return; 254 255 if (rp->num_keys <= hdev->stored_num_keys) 256 hdev->stored_num_keys -= rp->num_keys; 257 else 258 hdev->stored_num_keys = 0; 259 } 260 261 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 262 { 263 __u8 status = *((__u8 *) skb->data); 264 void *sent; 265 266 BT_DBG("%s status 0x%2.2x", hdev->name, status); 267 268 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 269 if (!sent) 270 return; 271 272 hci_dev_lock(hdev); 273 274 if (hci_dev_test_flag(hdev, HCI_MGMT)) 275 mgmt_set_local_name_complete(hdev, sent, status); 276 else if (!status) 277 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 278 279 hci_dev_unlock(hdev); 280 } 281 282 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 283 { 284 struct hci_rp_read_local_name *rp = (void *) skb->data; 285 286 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 287 288 if (rp->status) 289 return; 290 291 if (hci_dev_test_flag(hdev, HCI_SETUP) || 292 hci_dev_test_flag(hdev, HCI_CONFIG)) 293 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 294 } 295 296 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 297 { 298 __u8 status = *((__u8 *) skb->data); 299 void *sent; 300 301 BT_DBG("%s status 0x%2.2x", hdev->name, status); 302 303 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 304 if (!sent) 305 return; 306 307 hci_dev_lock(hdev); 308 309 if (!status) { 310 __u8 param = *((__u8 *) sent); 311 312 if (param == AUTH_ENABLED) 313 set_bit(HCI_AUTH, &hdev->flags); 314 else 315 clear_bit(HCI_AUTH, &hdev->flags); 316 } 317 318 if (hci_dev_test_flag(hdev, HCI_MGMT)) 319 mgmt_auth_enable_complete(hdev, status); 320 321 hci_dev_unlock(hdev); 322 } 323 324 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 325 { 326 __u8 status = *((__u8 *) skb->data); 327 __u8 param; 328 void *sent; 329 330 BT_DBG("%s status 0x%2.2x", hdev->name, status); 331 332 if (status) 333 return; 334 335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 336 if (!sent) 337 return; 338 339 param = *((__u8 *) sent); 340 341 if (param) 342 set_bit(HCI_ENCRYPT, &hdev->flags); 343 else 344 clear_bit(HCI_ENCRYPT, &hdev->flags); 345 } 346 347 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 348 { 349 __u8 status = *((__u8 *) skb->data); 350 __u8 param; 351 void *sent; 352 353 BT_DBG("%s status 0x%2.2x", hdev->name, status); 354 355 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 356 if (!sent) 357 return; 358 359 param = *((__u8 *) sent); 360 361 hci_dev_lock(hdev); 362 363 if (status) { 364 hdev->discov_timeout = 0; 365 goto done; 366 } 367 368 if (param & SCAN_INQUIRY) 369 set_bit(HCI_ISCAN, &hdev->flags); 370 else 371 clear_bit(HCI_ISCAN, &hdev->flags); 372 373 if (param & SCAN_PAGE) 374 set_bit(HCI_PSCAN, &hdev->flags); 375 else 376 clear_bit(HCI_PSCAN, &hdev->flags); 377 378 done: 379 hci_dev_unlock(hdev); 380 } 381 382 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 383 { 384 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 385 386 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 387 388 if (rp->status) 389 return; 390 391 memcpy(hdev->dev_class, rp->dev_class, 3); 392 393 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 394 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 395 } 396 397 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 398 { 399 __u8 status = *((__u8 *) skb->data); 400 void *sent; 401 402 BT_DBG("%s status 0x%2.2x", hdev->name, status); 403 404 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 405 if (!sent) 406 return; 407 408 hci_dev_lock(hdev); 409 410 if (status == 0) 411 memcpy(hdev->dev_class, sent, 3); 412 413 if (hci_dev_test_flag(hdev, HCI_MGMT)) 414 mgmt_set_class_of_dev_complete(hdev, sent, status); 415 416 hci_dev_unlock(hdev); 417 } 418 419 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 420 { 421 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 422 __u16 setting; 423 424 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 425 426 if (rp->status) 427 return; 428 429 setting = __le16_to_cpu(rp->voice_setting); 430 431 if (hdev->voice_setting == setting) 432 return; 433 434 hdev->voice_setting = setting; 435 436 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 437 438 if (hdev->notify) 439 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 440 } 441 442 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 443 struct sk_buff *skb) 444 { 445 __u8 status = *((__u8 *) skb->data); 446 __u16 setting; 447 void *sent; 448 449 BT_DBG("%s status 0x%2.2x", hdev->name, status); 450 451 if (status) 452 return; 453 454 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 455 if (!sent) 456 return; 457 458 setting = get_unaligned_le16(sent); 459 460 if (hdev->voice_setting == setting) 461 return; 462 463 hdev->voice_setting = setting; 464 465 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 466 467 if (hdev->notify) 468 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 469 } 470 471 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 472 struct sk_buff *skb) 473 { 474 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 475 476 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 477 478 if (rp->status) 479 return; 480 481 hdev->num_iac = rp->num_iac; 482 483 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 484 } 485 486 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 487 { 488 __u8 status = *((__u8 *) skb->data); 489 struct hci_cp_write_ssp_mode *sent; 490 491 BT_DBG("%s status 0x%2.2x", hdev->name, status); 492 493 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 494 if (!sent) 495 return; 496 497 hci_dev_lock(hdev); 498 499 if (!status) { 500 if (sent->mode) 501 hdev->features[1][0] |= LMP_HOST_SSP; 502 else 503 hdev->features[1][0] &= ~LMP_HOST_SSP; 504 } 505 506 if (hci_dev_test_flag(hdev, HCI_MGMT)) 507 mgmt_ssp_enable_complete(hdev, sent->mode, status); 508 else if (!status) { 509 if (sent->mode) 510 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 511 else 512 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 513 } 514 515 hci_dev_unlock(hdev); 516 } 517 518 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 519 { 520 u8 status = *((u8 *) skb->data); 521 struct hci_cp_write_sc_support *sent; 522 523 BT_DBG("%s status 0x%2.2x", hdev->name, status); 524 525 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 526 if (!sent) 527 return; 528 529 hci_dev_lock(hdev); 530 531 if (!status) { 532 if (sent->support) 533 hdev->features[1][0] |= LMP_HOST_SC; 534 else 535 hdev->features[1][0] &= ~LMP_HOST_SC; 536 } 537 538 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 539 if (sent->support) 540 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 541 else 542 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 543 } 544 545 hci_dev_unlock(hdev); 546 } 547 548 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 549 { 550 struct hci_rp_read_local_version *rp = (void *) skb->data; 551 552 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 553 554 if (rp->status) 555 return; 556 557 if (hci_dev_test_flag(hdev, HCI_SETUP) || 558 hci_dev_test_flag(hdev, HCI_CONFIG)) { 559 hdev->hci_ver = rp->hci_ver; 560 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 561 hdev->lmp_ver = rp->lmp_ver; 562 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 563 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 564 } 565 } 566 567 static void hci_cc_read_local_commands(struct hci_dev *hdev, 568 struct sk_buff *skb) 569 { 570 struct hci_rp_read_local_commands *rp = (void *) skb->data; 571 572 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 573 574 if (rp->status) 575 return; 576 577 if (hci_dev_test_flag(hdev, HCI_SETUP) || 578 hci_dev_test_flag(hdev, HCI_CONFIG)) 579 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 580 } 581 582 static void hci_cc_read_local_features(struct hci_dev *hdev, 583 struct sk_buff *skb) 584 { 585 struct hci_rp_read_local_features *rp = (void *) skb->data; 586 587 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 588 589 if (rp->status) 590 return; 591 592 memcpy(hdev->features, rp->features, 8); 593 594 /* Adjust default settings according to features 595 * supported by device. */ 596 597 if (hdev->features[0][0] & LMP_3SLOT) 598 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 599 600 if (hdev->features[0][0] & LMP_5SLOT) 601 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 602 603 if (hdev->features[0][1] & LMP_HV2) { 604 hdev->pkt_type |= (HCI_HV2); 605 hdev->esco_type |= (ESCO_HV2); 606 } 607 608 if (hdev->features[0][1] & LMP_HV3) { 609 hdev->pkt_type |= (HCI_HV3); 610 hdev->esco_type |= (ESCO_HV3); 611 } 612 613 if (lmp_esco_capable(hdev)) 614 hdev->esco_type |= (ESCO_EV3); 615 616 if (hdev->features[0][4] & LMP_EV4) 617 hdev->esco_type |= (ESCO_EV4); 618 619 if (hdev->features[0][4] & LMP_EV5) 620 hdev->esco_type |= (ESCO_EV5); 621 622 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 623 hdev->esco_type |= (ESCO_2EV3); 624 625 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 626 hdev->esco_type |= (ESCO_3EV3); 627 628 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 629 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 630 } 631 632 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 633 struct sk_buff *skb) 634 { 635 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 636 637 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 638 639 if (rp->status) 640 return; 641 642 if (hdev->max_page < rp->max_page) 643 hdev->max_page = rp->max_page; 644 645 if (rp->page < HCI_MAX_PAGES) 646 memcpy(hdev->features[rp->page], rp->features, 8); 647 } 648 649 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 650 struct sk_buff *skb) 651 { 652 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 653 654 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 655 656 if (rp->status) 657 return; 658 659 hdev->flow_ctl_mode = rp->mode; 660 } 661 662 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 663 { 664 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 665 666 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 667 668 if (rp->status) 669 return; 670 671 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 672 hdev->sco_mtu = rp->sco_mtu; 673 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 674 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 675 676 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 677 hdev->sco_mtu = 64; 678 hdev->sco_pkts = 8; 679 } 680 681 hdev->acl_cnt = hdev->acl_pkts; 682 hdev->sco_cnt = hdev->sco_pkts; 683 684 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 685 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 686 } 687 688 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 689 { 690 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 691 692 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 693 694 if (rp->status) 695 return; 696 697 if (test_bit(HCI_INIT, &hdev->flags)) 698 bacpy(&hdev->bdaddr, &rp->bdaddr); 699 700 if (hci_dev_test_flag(hdev, HCI_SETUP)) 701 bacpy(&hdev->setup_addr, &rp->bdaddr); 702 } 703 704 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 705 struct sk_buff *skb) 706 { 707 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 708 709 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 710 711 if (rp->status) 712 return; 713 714 if (test_bit(HCI_INIT, &hdev->flags)) { 715 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 716 hdev->page_scan_window = __le16_to_cpu(rp->window); 717 } 718 } 719 720 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 721 struct sk_buff *skb) 722 { 723 u8 status = *((u8 *) skb->data); 724 struct hci_cp_write_page_scan_activity *sent; 725 726 BT_DBG("%s status 0x%2.2x", hdev->name, status); 727 728 if (status) 729 return; 730 731 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 732 if (!sent) 733 return; 734 735 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 736 hdev->page_scan_window = __le16_to_cpu(sent->window); 737 } 738 739 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 740 struct sk_buff *skb) 741 { 742 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 743 744 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 745 746 if (rp->status) 747 return; 748 749 if (test_bit(HCI_INIT, &hdev->flags)) 750 hdev->page_scan_type = rp->type; 751 } 752 753 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 754 struct sk_buff *skb) 755 { 756 u8 status = *((u8 *) skb->data); 757 u8 *type; 758 759 BT_DBG("%s status 0x%2.2x", hdev->name, status); 760 761 if (status) 762 return; 763 764 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 765 if (type) 766 hdev->page_scan_type = *type; 767 } 768 769 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 770 struct sk_buff *skb) 771 { 772 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 773 774 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 775 776 if (rp->status) 777 return; 778 779 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 780 hdev->block_len = __le16_to_cpu(rp->block_len); 781 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 782 783 hdev->block_cnt = hdev->num_blocks; 784 785 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 786 hdev->block_cnt, hdev->block_len); 787 } 788 789 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 790 { 791 struct hci_rp_read_clock *rp = (void *) skb->data; 792 struct hci_cp_read_clock *cp; 793 struct hci_conn *conn; 794 795 BT_DBG("%s", hdev->name); 796 797 if (skb->len < sizeof(*rp)) 798 return; 799 800 if (rp->status) 801 return; 802 803 hci_dev_lock(hdev); 804 805 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 806 if (!cp) 807 goto unlock; 808 809 if (cp->which == 0x00) { 810 hdev->clock = le32_to_cpu(rp->clock); 811 goto unlock; 812 } 813 814 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 815 if (conn) { 816 conn->clock = le32_to_cpu(rp->clock); 817 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 818 } 819 820 unlock: 821 hci_dev_unlock(hdev); 822 } 823 824 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 825 struct sk_buff *skb) 826 { 827 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 828 829 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 830 831 if (rp->status) 832 return; 833 834 hdev->amp_status = rp->amp_status; 835 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 836 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 837 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 838 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 839 hdev->amp_type = rp->amp_type; 840 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 841 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 842 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 843 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 844 } 845 846 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 847 struct sk_buff *skb) 848 { 849 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 850 851 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 852 853 if (rp->status) 854 return; 855 856 hdev->inq_tx_power = rp->tx_power; 857 } 858 859 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 860 { 861 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 862 struct hci_cp_pin_code_reply *cp; 863 struct hci_conn *conn; 864 865 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 866 867 hci_dev_lock(hdev); 868 869 if (hci_dev_test_flag(hdev, HCI_MGMT)) 870 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 871 872 if (rp->status) 873 goto unlock; 874 875 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 876 if (!cp) 877 goto unlock; 878 879 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 880 if (conn) 881 conn->pin_length = cp->pin_len; 882 883 unlock: 884 hci_dev_unlock(hdev); 885 } 886 887 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 888 { 889 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 890 891 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 892 893 hci_dev_lock(hdev); 894 895 if (hci_dev_test_flag(hdev, HCI_MGMT)) 896 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 897 rp->status); 898 899 hci_dev_unlock(hdev); 900 } 901 902 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 903 struct sk_buff *skb) 904 { 905 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 906 907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 908 909 if (rp->status) 910 return; 911 912 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 913 hdev->le_pkts = rp->le_max_pkt; 914 915 hdev->le_cnt = hdev->le_pkts; 916 917 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 918 } 919 920 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 921 struct sk_buff *skb) 922 { 923 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 924 925 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 926 927 if (rp->status) 928 return; 929 930 memcpy(hdev->le_features, rp->features, 8); 931 } 932 933 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 934 struct sk_buff *skb) 935 { 936 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 937 938 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 939 940 if (rp->status) 941 return; 942 943 hdev->adv_tx_power = rp->tx_power; 944 } 945 946 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 947 { 948 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 949 950 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 951 952 hci_dev_lock(hdev); 953 954 if (hci_dev_test_flag(hdev, HCI_MGMT)) 955 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 956 rp->status); 957 958 hci_dev_unlock(hdev); 959 } 960 961 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 962 struct sk_buff *skb) 963 { 964 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 965 966 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 967 968 hci_dev_lock(hdev); 969 970 if (hci_dev_test_flag(hdev, HCI_MGMT)) 971 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 972 ACL_LINK, 0, rp->status); 973 974 hci_dev_unlock(hdev); 975 } 976 977 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 978 { 979 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 980 981 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 982 983 hci_dev_lock(hdev); 984 985 if (hci_dev_test_flag(hdev, HCI_MGMT)) 986 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 987 0, rp->status); 988 989 hci_dev_unlock(hdev); 990 } 991 992 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 993 struct sk_buff *skb) 994 { 995 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 996 997 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 998 999 hci_dev_lock(hdev); 1000 1001 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1002 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1003 ACL_LINK, 0, rp->status); 1004 1005 hci_dev_unlock(hdev); 1006 } 1007 1008 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1009 struct sk_buff *skb) 1010 { 1011 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1012 1013 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1014 } 1015 1016 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1017 struct sk_buff *skb) 1018 { 1019 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1020 1021 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1022 } 1023 1024 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1025 { 1026 __u8 status = *((__u8 *) skb->data); 1027 bdaddr_t *sent; 1028 1029 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1030 1031 if (status) 1032 return; 1033 1034 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1035 if (!sent) 1036 return; 1037 1038 hci_dev_lock(hdev); 1039 1040 bacpy(&hdev->random_addr, sent); 1041 1042 hci_dev_unlock(hdev); 1043 } 1044 1045 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb) 1046 { 1047 __u8 status = *((__u8 *) skb->data); 1048 struct hci_cp_le_set_default_phy *cp; 1049 1050 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1051 1052 if (status) 1053 return; 1054 1055 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1056 if (!cp) 1057 return; 1058 1059 hci_dev_lock(hdev); 1060 1061 hdev->le_tx_def_phys = cp->tx_phys; 1062 hdev->le_rx_def_phys = cp->rx_phys; 1063 1064 hci_dev_unlock(hdev); 1065 } 1066 1067 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, 1068 struct sk_buff *skb) 1069 { 1070 __u8 status = *((__u8 *) skb->data); 1071 struct hci_cp_le_set_adv_set_rand_addr *cp; 1072 struct adv_info *adv_instance; 1073 1074 if (status) 1075 return; 1076 1077 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1078 if (!cp) 1079 return; 1080 1081 hci_dev_lock(hdev); 1082 1083 if (!hdev->cur_adv_instance) { 1084 /* Store in hdev for instance 0 (Set adv and Directed advs) */ 1085 bacpy(&hdev->random_addr, &cp->bdaddr); 1086 } else { 1087 adv_instance = hci_find_adv_instance(hdev, 1088 hdev->cur_adv_instance); 1089 if (adv_instance) 1090 bacpy(&adv_instance->random_addr, &cp->bdaddr); 1091 } 1092 1093 hci_dev_unlock(hdev); 1094 } 1095 1096 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1097 { 1098 __u8 *sent, status = *((__u8 *) skb->data); 1099 1100 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1101 1102 if (status) 1103 return; 1104 1105 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1106 if (!sent) 1107 return; 1108 1109 hci_dev_lock(hdev); 1110 1111 /* If we're doing connection initiation as peripheral. Set a 1112 * timeout in case something goes wrong. 1113 */ 1114 if (*sent) { 1115 struct hci_conn *conn; 1116 1117 hci_dev_set_flag(hdev, HCI_LE_ADV); 1118 1119 conn = hci_lookup_le_connect(hdev); 1120 if (conn) 1121 queue_delayed_work(hdev->workqueue, 1122 &conn->le_conn_timeout, 1123 conn->conn_timeout); 1124 } else { 1125 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1126 } 1127 1128 hci_dev_unlock(hdev); 1129 } 1130 1131 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, 1132 struct sk_buff *skb) 1133 { 1134 struct hci_cp_le_set_ext_adv_enable *cp; 1135 __u8 status = *((__u8 *) skb->data); 1136 1137 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1138 1139 if (status) 1140 return; 1141 1142 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1143 if (!cp) 1144 return; 1145 1146 hci_dev_lock(hdev); 1147 1148 if (cp->enable) { 1149 struct hci_conn *conn; 1150 1151 hci_dev_set_flag(hdev, HCI_LE_ADV); 1152 1153 conn = hci_lookup_le_connect(hdev); 1154 if (conn) 1155 queue_delayed_work(hdev->workqueue, 1156 &conn->le_conn_timeout, 1157 conn->conn_timeout); 1158 } else { 1159 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1160 } 1161 1162 hci_dev_unlock(hdev); 1163 } 1164 1165 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1166 { 1167 struct hci_cp_le_set_scan_param *cp; 1168 __u8 status = *((__u8 *) skb->data); 1169 1170 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1171 1172 if (status) 1173 return; 1174 1175 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1176 if (!cp) 1177 return; 1178 1179 hci_dev_lock(hdev); 1180 1181 hdev->le_scan_type = cp->type; 1182 1183 hci_dev_unlock(hdev); 1184 } 1185 1186 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, 1187 struct sk_buff *skb) 1188 { 1189 struct hci_cp_le_set_ext_scan_params *cp; 1190 __u8 status = *((__u8 *) skb->data); 1191 struct hci_cp_le_scan_phy_params *phy_param; 1192 1193 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1194 1195 if (status) 1196 return; 1197 1198 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1199 if (!cp) 1200 return; 1201 1202 phy_param = (void *)cp->data; 1203 1204 hci_dev_lock(hdev); 1205 1206 hdev->le_scan_type = phy_param->type; 1207 1208 hci_dev_unlock(hdev); 1209 } 1210 1211 static bool has_pending_adv_report(struct hci_dev *hdev) 1212 { 1213 struct discovery_state *d = &hdev->discovery; 1214 1215 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1216 } 1217 1218 static void clear_pending_adv_report(struct hci_dev *hdev) 1219 { 1220 struct discovery_state *d = &hdev->discovery; 1221 1222 bacpy(&d->last_adv_addr, BDADDR_ANY); 1223 d->last_adv_data_len = 0; 1224 } 1225 1226 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1227 u8 bdaddr_type, s8 rssi, u32 flags, 1228 u8 *data, u8 len) 1229 { 1230 struct discovery_state *d = &hdev->discovery; 1231 1232 bacpy(&d->last_adv_addr, bdaddr); 1233 d->last_adv_addr_type = bdaddr_type; 1234 d->last_adv_rssi = rssi; 1235 d->last_adv_flags = flags; 1236 memcpy(d->last_adv_data, data, len); 1237 d->last_adv_data_len = len; 1238 } 1239 1240 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1241 { 1242 hci_dev_lock(hdev); 1243 1244 switch (enable) { 1245 case LE_SCAN_ENABLE: 1246 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1247 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1248 clear_pending_adv_report(hdev); 1249 break; 1250 1251 case LE_SCAN_DISABLE: 1252 /* We do this here instead of when setting DISCOVERY_STOPPED 1253 * since the latter would potentially require waiting for 1254 * inquiry to stop too. 1255 */ 1256 if (has_pending_adv_report(hdev)) { 1257 struct discovery_state *d = &hdev->discovery; 1258 1259 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1260 d->last_adv_addr_type, NULL, 1261 d->last_adv_rssi, d->last_adv_flags, 1262 d->last_adv_data, 1263 d->last_adv_data_len, NULL, 0); 1264 } 1265 1266 /* Cancel this timer so that we don't try to disable scanning 1267 * when it's already disabled. 1268 */ 1269 cancel_delayed_work(&hdev->le_scan_disable); 1270 1271 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1272 1273 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1274 * interrupted scanning due to a connect request. Mark 1275 * therefore discovery as stopped. If this was not 1276 * because of a connect request advertising might have 1277 * been disabled because of active scanning, so 1278 * re-enable it again if necessary. 1279 */ 1280 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1281 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1282 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1283 hdev->discovery.state == DISCOVERY_FINDING) 1284 hci_req_reenable_advertising(hdev); 1285 1286 break; 1287 1288 default: 1289 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1290 enable); 1291 break; 1292 } 1293 1294 hci_dev_unlock(hdev); 1295 } 1296 1297 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1298 struct sk_buff *skb) 1299 { 1300 struct hci_cp_le_set_scan_enable *cp; 1301 __u8 status = *((__u8 *) skb->data); 1302 1303 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1304 1305 if (status) 1306 return; 1307 1308 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1309 if (!cp) 1310 return; 1311 1312 le_set_scan_enable_complete(hdev, cp->enable); 1313 } 1314 1315 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, 1316 struct sk_buff *skb) 1317 { 1318 struct hci_cp_le_set_ext_scan_enable *cp; 1319 __u8 status = *((__u8 *) skb->data); 1320 1321 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1322 1323 if (status) 1324 return; 1325 1326 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1327 if (!cp) 1328 return; 1329 1330 le_set_scan_enable_complete(hdev, cp->enable); 1331 } 1332 1333 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, 1334 struct sk_buff *skb) 1335 { 1336 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data; 1337 1338 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status, 1339 rp->num_of_sets); 1340 1341 if (rp->status) 1342 return; 1343 1344 hdev->le_num_of_adv_sets = rp->num_of_sets; 1345 } 1346 1347 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1348 struct sk_buff *skb) 1349 { 1350 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1351 1352 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1353 1354 if (rp->status) 1355 return; 1356 1357 hdev->le_white_list_size = rp->size; 1358 } 1359 1360 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1361 struct sk_buff *skb) 1362 { 1363 __u8 status = *((__u8 *) skb->data); 1364 1365 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1366 1367 if (status) 1368 return; 1369 1370 hci_bdaddr_list_clear(&hdev->le_white_list); 1371 } 1372 1373 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1374 struct sk_buff *skb) 1375 { 1376 struct hci_cp_le_add_to_white_list *sent; 1377 __u8 status = *((__u8 *) skb->data); 1378 1379 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1380 1381 if (status) 1382 return; 1383 1384 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1385 if (!sent) 1386 return; 1387 1388 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1389 sent->bdaddr_type); 1390 } 1391 1392 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1393 struct sk_buff *skb) 1394 { 1395 struct hci_cp_le_del_from_white_list *sent; 1396 __u8 status = *((__u8 *) skb->data); 1397 1398 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1399 1400 if (status) 1401 return; 1402 1403 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1404 if (!sent) 1405 return; 1406 1407 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1408 sent->bdaddr_type); 1409 } 1410 1411 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1412 struct sk_buff *skb) 1413 { 1414 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1415 1416 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1417 1418 if (rp->status) 1419 return; 1420 1421 memcpy(hdev->le_states, rp->le_states, 8); 1422 } 1423 1424 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1425 struct sk_buff *skb) 1426 { 1427 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1428 1429 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1430 1431 if (rp->status) 1432 return; 1433 1434 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1435 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1436 } 1437 1438 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1439 struct sk_buff *skb) 1440 { 1441 struct hci_cp_le_write_def_data_len *sent; 1442 __u8 status = *((__u8 *) skb->data); 1443 1444 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1445 1446 if (status) 1447 return; 1448 1449 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1450 if (!sent) 1451 return; 1452 1453 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1454 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1455 } 1456 1457 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, 1458 struct sk_buff *skb) 1459 { 1460 struct hci_cp_le_add_to_resolv_list *sent; 1461 __u8 status = *((__u8 *) skb->data); 1462 1463 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1464 1465 if (status) 1466 return; 1467 1468 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1469 if (!sent) 1470 return; 1471 1472 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1473 sent->bdaddr_type, sent->peer_irk, 1474 sent->local_irk); 1475 } 1476 1477 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 1478 struct sk_buff *skb) 1479 { 1480 struct hci_cp_le_del_from_resolv_list *sent; 1481 __u8 status = *((__u8 *) skb->data); 1482 1483 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1484 1485 if (status) 1486 return; 1487 1488 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1489 if (!sent) 1490 return; 1491 1492 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1493 sent->bdaddr_type); 1494 } 1495 1496 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev, 1497 struct sk_buff *skb) 1498 { 1499 __u8 status = *((__u8 *) skb->data); 1500 1501 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1502 1503 if (status) 1504 return; 1505 1506 hci_bdaddr_list_clear(&hdev->le_resolv_list); 1507 } 1508 1509 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, 1510 struct sk_buff *skb) 1511 { 1512 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data; 1513 1514 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1515 1516 if (rp->status) 1517 return; 1518 1519 hdev->le_resolv_list_size = rp->size; 1520 } 1521 1522 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, 1523 struct sk_buff *skb) 1524 { 1525 __u8 *sent, status = *((__u8 *) skb->data); 1526 1527 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1528 1529 if (status) 1530 return; 1531 1532 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 1533 if (!sent) 1534 return; 1535 1536 hci_dev_lock(hdev); 1537 1538 if (*sent) 1539 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 1540 else 1541 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 1542 1543 hci_dev_unlock(hdev); 1544 } 1545 1546 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1547 struct sk_buff *skb) 1548 { 1549 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1550 1551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1552 1553 if (rp->status) 1554 return; 1555 1556 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1557 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1558 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1559 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1560 } 1561 1562 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1563 struct sk_buff *skb) 1564 { 1565 struct hci_cp_write_le_host_supported *sent; 1566 __u8 status = *((__u8 *) skb->data); 1567 1568 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1569 1570 if (status) 1571 return; 1572 1573 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1574 if (!sent) 1575 return; 1576 1577 hci_dev_lock(hdev); 1578 1579 if (sent->le) { 1580 hdev->features[1][0] |= LMP_HOST_LE; 1581 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1582 } else { 1583 hdev->features[1][0] &= ~LMP_HOST_LE; 1584 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1585 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1586 } 1587 1588 if (sent->simul) 1589 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1590 else 1591 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1592 1593 hci_dev_unlock(hdev); 1594 } 1595 1596 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1597 { 1598 struct hci_cp_le_set_adv_param *cp; 1599 u8 status = *((u8 *) skb->data); 1600 1601 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1602 1603 if (status) 1604 return; 1605 1606 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1607 if (!cp) 1608 return; 1609 1610 hci_dev_lock(hdev); 1611 hdev->adv_addr_type = cp->own_address_type; 1612 hci_dev_unlock(hdev); 1613 } 1614 1615 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1616 { 1617 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; 1618 struct hci_cp_le_set_ext_adv_params *cp; 1619 struct adv_info *adv_instance; 1620 1621 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1622 1623 if (rp->status) 1624 return; 1625 1626 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 1627 if (!cp) 1628 return; 1629 1630 hci_dev_lock(hdev); 1631 hdev->adv_addr_type = cp->own_addr_type; 1632 if (!hdev->cur_adv_instance) { 1633 /* Store in hdev for instance 0 */ 1634 hdev->adv_tx_power = rp->tx_power; 1635 } else { 1636 adv_instance = hci_find_adv_instance(hdev, 1637 hdev->cur_adv_instance); 1638 if (adv_instance) 1639 adv_instance->tx_power = rp->tx_power; 1640 } 1641 /* Update adv data as tx power is known now */ 1642 hci_req_update_adv_data(hdev, hdev->cur_adv_instance); 1643 hci_dev_unlock(hdev); 1644 } 1645 1646 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1647 { 1648 struct hci_rp_read_rssi *rp = (void *) skb->data; 1649 struct hci_conn *conn; 1650 1651 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1652 1653 if (rp->status) 1654 return; 1655 1656 hci_dev_lock(hdev); 1657 1658 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1659 if (conn) 1660 conn->rssi = rp->rssi; 1661 1662 hci_dev_unlock(hdev); 1663 } 1664 1665 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1666 { 1667 struct hci_cp_read_tx_power *sent; 1668 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1669 struct hci_conn *conn; 1670 1671 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1672 1673 if (rp->status) 1674 return; 1675 1676 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1677 if (!sent) 1678 return; 1679 1680 hci_dev_lock(hdev); 1681 1682 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1683 if (!conn) 1684 goto unlock; 1685 1686 switch (sent->type) { 1687 case 0x00: 1688 conn->tx_power = rp->tx_power; 1689 break; 1690 case 0x01: 1691 conn->max_tx_power = rp->tx_power; 1692 break; 1693 } 1694 1695 unlock: 1696 hci_dev_unlock(hdev); 1697 } 1698 1699 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1700 { 1701 u8 status = *((u8 *) skb->data); 1702 u8 *mode; 1703 1704 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1705 1706 if (status) 1707 return; 1708 1709 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1710 if (mode) 1711 hdev->ssp_debug_mode = *mode; 1712 } 1713 1714 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1715 { 1716 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1717 1718 if (status) { 1719 hci_conn_check_pending(hdev); 1720 return; 1721 } 1722 1723 set_bit(HCI_INQUIRY, &hdev->flags); 1724 } 1725 1726 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1727 { 1728 struct hci_cp_create_conn *cp; 1729 struct hci_conn *conn; 1730 1731 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1732 1733 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1734 if (!cp) 1735 return; 1736 1737 hci_dev_lock(hdev); 1738 1739 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1740 1741 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1742 1743 if (status) { 1744 if (conn && conn->state == BT_CONNECT) { 1745 if (status != 0x0c || conn->attempt > 2) { 1746 conn->state = BT_CLOSED; 1747 hci_connect_cfm(conn, status); 1748 hci_conn_del(conn); 1749 } else 1750 conn->state = BT_CONNECT2; 1751 } 1752 } else { 1753 if (!conn) { 1754 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1755 HCI_ROLE_MASTER); 1756 if (!conn) 1757 bt_dev_err(hdev, "no memory for new connection"); 1758 } 1759 } 1760 1761 hci_dev_unlock(hdev); 1762 } 1763 1764 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1765 { 1766 struct hci_cp_add_sco *cp; 1767 struct hci_conn *acl, *sco; 1768 __u16 handle; 1769 1770 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1771 1772 if (!status) 1773 return; 1774 1775 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1776 if (!cp) 1777 return; 1778 1779 handle = __le16_to_cpu(cp->handle); 1780 1781 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1782 1783 hci_dev_lock(hdev); 1784 1785 acl = hci_conn_hash_lookup_handle(hdev, handle); 1786 if (acl) { 1787 sco = acl->link; 1788 if (sco) { 1789 sco->state = BT_CLOSED; 1790 1791 hci_connect_cfm(sco, status); 1792 hci_conn_del(sco); 1793 } 1794 } 1795 1796 hci_dev_unlock(hdev); 1797 } 1798 1799 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1800 { 1801 struct hci_cp_auth_requested *cp; 1802 struct hci_conn *conn; 1803 1804 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1805 1806 if (!status) 1807 return; 1808 1809 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1810 if (!cp) 1811 return; 1812 1813 hci_dev_lock(hdev); 1814 1815 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1816 if (conn) { 1817 if (conn->state == BT_CONFIG) { 1818 hci_connect_cfm(conn, status); 1819 hci_conn_drop(conn); 1820 } 1821 } 1822 1823 hci_dev_unlock(hdev); 1824 } 1825 1826 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1827 { 1828 struct hci_cp_set_conn_encrypt *cp; 1829 struct hci_conn *conn; 1830 1831 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1832 1833 if (!status) 1834 return; 1835 1836 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1837 if (!cp) 1838 return; 1839 1840 hci_dev_lock(hdev); 1841 1842 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1843 if (conn) { 1844 if (conn->state == BT_CONFIG) { 1845 hci_connect_cfm(conn, status); 1846 hci_conn_drop(conn); 1847 } 1848 } 1849 1850 hci_dev_unlock(hdev); 1851 } 1852 1853 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1854 struct hci_conn *conn) 1855 { 1856 if (conn->state != BT_CONFIG || !conn->out) 1857 return 0; 1858 1859 if (conn->pending_sec_level == BT_SECURITY_SDP) 1860 return 0; 1861 1862 /* Only request authentication for SSP connections or non-SSP 1863 * devices with sec_level MEDIUM or HIGH or if MITM protection 1864 * is requested. 1865 */ 1866 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1867 conn->pending_sec_level != BT_SECURITY_FIPS && 1868 conn->pending_sec_level != BT_SECURITY_HIGH && 1869 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1870 return 0; 1871 1872 return 1; 1873 } 1874 1875 static int hci_resolve_name(struct hci_dev *hdev, 1876 struct inquiry_entry *e) 1877 { 1878 struct hci_cp_remote_name_req cp; 1879 1880 memset(&cp, 0, sizeof(cp)); 1881 1882 bacpy(&cp.bdaddr, &e->data.bdaddr); 1883 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1884 cp.pscan_mode = e->data.pscan_mode; 1885 cp.clock_offset = e->data.clock_offset; 1886 1887 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 1888 } 1889 1890 static bool hci_resolve_next_name(struct hci_dev *hdev) 1891 { 1892 struct discovery_state *discov = &hdev->discovery; 1893 struct inquiry_entry *e; 1894 1895 if (list_empty(&discov->resolve)) 1896 return false; 1897 1898 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1899 if (!e) 1900 return false; 1901 1902 if (hci_resolve_name(hdev, e) == 0) { 1903 e->name_state = NAME_PENDING; 1904 return true; 1905 } 1906 1907 return false; 1908 } 1909 1910 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 1911 bdaddr_t *bdaddr, u8 *name, u8 name_len) 1912 { 1913 struct discovery_state *discov = &hdev->discovery; 1914 struct inquiry_entry *e; 1915 1916 /* Update the mgmt connected state if necessary. Be careful with 1917 * conn objects that exist but are not (yet) connected however. 1918 * Only those in BT_CONFIG or BT_CONNECTED states can be 1919 * considered connected. 1920 */ 1921 if (conn && 1922 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 1923 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1924 mgmt_device_connected(hdev, conn, 0, name, name_len); 1925 1926 if (discov->state == DISCOVERY_STOPPED) 1927 return; 1928 1929 if (discov->state == DISCOVERY_STOPPING) 1930 goto discov_complete; 1931 1932 if (discov->state != DISCOVERY_RESOLVING) 1933 return; 1934 1935 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 1936 /* If the device was not found in a list of found devices names of which 1937 * are pending. there is no need to continue resolving a next name as it 1938 * will be done upon receiving another Remote Name Request Complete 1939 * Event */ 1940 if (!e) 1941 return; 1942 1943 list_del(&e->list); 1944 if (name) { 1945 e->name_state = NAME_KNOWN; 1946 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 1947 e->data.rssi, name, name_len); 1948 } else { 1949 e->name_state = NAME_NOT_KNOWN; 1950 } 1951 1952 if (hci_resolve_next_name(hdev)) 1953 return; 1954 1955 discov_complete: 1956 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1957 } 1958 1959 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 1960 { 1961 struct hci_cp_remote_name_req *cp; 1962 struct hci_conn *conn; 1963 1964 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1965 1966 /* If successful wait for the name req complete event before 1967 * checking for the need to do authentication */ 1968 if (!status) 1969 return; 1970 1971 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 1972 if (!cp) 1973 return; 1974 1975 hci_dev_lock(hdev); 1976 1977 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1978 1979 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1980 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 1981 1982 if (!conn) 1983 goto unlock; 1984 1985 if (!hci_outgoing_auth_needed(hdev, conn)) 1986 goto unlock; 1987 1988 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 1989 struct hci_cp_auth_requested auth_cp; 1990 1991 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 1992 1993 auth_cp.handle = __cpu_to_le16(conn->handle); 1994 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 1995 sizeof(auth_cp), &auth_cp); 1996 } 1997 1998 unlock: 1999 hci_dev_unlock(hdev); 2000 } 2001 2002 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2003 { 2004 struct hci_cp_read_remote_features *cp; 2005 struct hci_conn *conn; 2006 2007 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2008 2009 if (!status) 2010 return; 2011 2012 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2013 if (!cp) 2014 return; 2015 2016 hci_dev_lock(hdev); 2017 2018 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2019 if (conn) { 2020 if (conn->state == BT_CONFIG) { 2021 hci_connect_cfm(conn, status); 2022 hci_conn_drop(conn); 2023 } 2024 } 2025 2026 hci_dev_unlock(hdev); 2027 } 2028 2029 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2030 { 2031 struct hci_cp_read_remote_ext_features *cp; 2032 struct hci_conn *conn; 2033 2034 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2035 2036 if (!status) 2037 return; 2038 2039 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2040 if (!cp) 2041 return; 2042 2043 hci_dev_lock(hdev); 2044 2045 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2046 if (conn) { 2047 if (conn->state == BT_CONFIG) { 2048 hci_connect_cfm(conn, status); 2049 hci_conn_drop(conn); 2050 } 2051 } 2052 2053 hci_dev_unlock(hdev); 2054 } 2055 2056 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2057 { 2058 struct hci_cp_setup_sync_conn *cp; 2059 struct hci_conn *acl, *sco; 2060 __u16 handle; 2061 2062 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2063 2064 if (!status) 2065 return; 2066 2067 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2068 if (!cp) 2069 return; 2070 2071 handle = __le16_to_cpu(cp->handle); 2072 2073 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2074 2075 hci_dev_lock(hdev); 2076 2077 acl = hci_conn_hash_lookup_handle(hdev, handle); 2078 if (acl) { 2079 sco = acl->link; 2080 if (sco) { 2081 sco->state = BT_CLOSED; 2082 2083 hci_connect_cfm(sco, status); 2084 hci_conn_del(sco); 2085 } 2086 } 2087 2088 hci_dev_unlock(hdev); 2089 } 2090 2091 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2092 { 2093 struct hci_cp_sniff_mode *cp; 2094 struct hci_conn *conn; 2095 2096 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2097 2098 if (!status) 2099 return; 2100 2101 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2102 if (!cp) 2103 return; 2104 2105 hci_dev_lock(hdev); 2106 2107 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2108 if (conn) { 2109 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2110 2111 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2112 hci_sco_setup(conn, status); 2113 } 2114 2115 hci_dev_unlock(hdev); 2116 } 2117 2118 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2119 { 2120 struct hci_cp_exit_sniff_mode *cp; 2121 struct hci_conn *conn; 2122 2123 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2124 2125 if (!status) 2126 return; 2127 2128 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2129 if (!cp) 2130 return; 2131 2132 hci_dev_lock(hdev); 2133 2134 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2135 if (conn) { 2136 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2137 2138 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2139 hci_sco_setup(conn, status); 2140 } 2141 2142 hci_dev_unlock(hdev); 2143 } 2144 2145 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2146 { 2147 struct hci_cp_disconnect *cp; 2148 struct hci_conn *conn; 2149 2150 if (!status) 2151 return; 2152 2153 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2154 if (!cp) 2155 return; 2156 2157 hci_dev_lock(hdev); 2158 2159 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2160 if (conn) 2161 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2162 conn->dst_type, status); 2163 2164 hci_dev_unlock(hdev); 2165 } 2166 2167 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2168 u8 peer_addr_type, u8 own_address_type, 2169 u8 filter_policy) 2170 { 2171 struct hci_conn *conn; 2172 2173 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2174 peer_addr_type); 2175 if (!conn) 2176 return; 2177 2178 /* Store the initiator and responder address information which 2179 * is needed for SMP. These values will not change during the 2180 * lifetime of the connection. 2181 */ 2182 conn->init_addr_type = own_address_type; 2183 if (own_address_type == ADDR_LE_DEV_RANDOM) 2184 bacpy(&conn->init_addr, &hdev->random_addr); 2185 else 2186 bacpy(&conn->init_addr, &hdev->bdaddr); 2187 2188 conn->resp_addr_type = peer_addr_type; 2189 bacpy(&conn->resp_addr, peer_addr); 2190 2191 /* We don't want the connection attempt to stick around 2192 * indefinitely since LE doesn't have a page timeout concept 2193 * like BR/EDR. Set a timer for any connection that doesn't use 2194 * the white list for connecting. 2195 */ 2196 if (filter_policy == HCI_LE_USE_PEER_ADDR) 2197 queue_delayed_work(conn->hdev->workqueue, 2198 &conn->le_conn_timeout, 2199 conn->conn_timeout); 2200 } 2201 2202 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2203 { 2204 struct hci_cp_le_create_conn *cp; 2205 2206 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2207 2208 /* All connection failure handling is taken care of by the 2209 * hci_le_conn_failed function which is triggered by the HCI 2210 * request completion callbacks used for connecting. 2211 */ 2212 if (status) 2213 return; 2214 2215 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2216 if (!cp) 2217 return; 2218 2219 hci_dev_lock(hdev); 2220 2221 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2222 cp->own_address_type, cp->filter_policy); 2223 2224 hci_dev_unlock(hdev); 2225 } 2226 2227 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2228 { 2229 struct hci_cp_le_ext_create_conn *cp; 2230 2231 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2232 2233 /* All connection failure handling is taken care of by the 2234 * hci_le_conn_failed function which is triggered by the HCI 2235 * request completion callbacks used for connecting. 2236 */ 2237 if (status) 2238 return; 2239 2240 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2241 if (!cp) 2242 return; 2243 2244 hci_dev_lock(hdev); 2245 2246 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2247 cp->own_addr_type, cp->filter_policy); 2248 2249 hci_dev_unlock(hdev); 2250 } 2251 2252 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2253 { 2254 struct hci_cp_le_read_remote_features *cp; 2255 struct hci_conn *conn; 2256 2257 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2258 2259 if (!status) 2260 return; 2261 2262 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2263 if (!cp) 2264 return; 2265 2266 hci_dev_lock(hdev); 2267 2268 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2269 if (conn) { 2270 if (conn->state == BT_CONFIG) { 2271 hci_connect_cfm(conn, status); 2272 hci_conn_drop(conn); 2273 } 2274 } 2275 2276 hci_dev_unlock(hdev); 2277 } 2278 2279 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2280 { 2281 struct hci_cp_le_start_enc *cp; 2282 struct hci_conn *conn; 2283 2284 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2285 2286 if (!status) 2287 return; 2288 2289 hci_dev_lock(hdev); 2290 2291 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2292 if (!cp) 2293 goto unlock; 2294 2295 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2296 if (!conn) 2297 goto unlock; 2298 2299 if (conn->state != BT_CONNECTED) 2300 goto unlock; 2301 2302 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2303 hci_conn_drop(conn); 2304 2305 unlock: 2306 hci_dev_unlock(hdev); 2307 } 2308 2309 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2310 { 2311 struct hci_cp_switch_role *cp; 2312 struct hci_conn *conn; 2313 2314 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2315 2316 if (!status) 2317 return; 2318 2319 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2320 if (!cp) 2321 return; 2322 2323 hci_dev_lock(hdev); 2324 2325 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2326 if (conn) 2327 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2328 2329 hci_dev_unlock(hdev); 2330 } 2331 2332 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2333 { 2334 __u8 status = *((__u8 *) skb->data); 2335 struct discovery_state *discov = &hdev->discovery; 2336 struct inquiry_entry *e; 2337 2338 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2339 2340 hci_conn_check_pending(hdev); 2341 2342 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2343 return; 2344 2345 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2346 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2347 2348 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2349 return; 2350 2351 hci_dev_lock(hdev); 2352 2353 if (discov->state != DISCOVERY_FINDING) 2354 goto unlock; 2355 2356 if (list_empty(&discov->resolve)) { 2357 /* When BR/EDR inquiry is active and no LE scanning is in 2358 * progress, then change discovery state to indicate completion. 2359 * 2360 * When running LE scanning and BR/EDR inquiry simultaneously 2361 * and the LE scan already finished, then change the discovery 2362 * state to indicate completion. 2363 */ 2364 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2365 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2366 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2367 goto unlock; 2368 } 2369 2370 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2371 if (e && hci_resolve_name(hdev, e) == 0) { 2372 e->name_state = NAME_PENDING; 2373 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2374 } else { 2375 /* When BR/EDR inquiry is active and no LE scanning is in 2376 * progress, then change discovery state to indicate completion. 2377 * 2378 * When running LE scanning and BR/EDR inquiry simultaneously 2379 * and the LE scan already finished, then change the discovery 2380 * state to indicate completion. 2381 */ 2382 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2383 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2384 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2385 } 2386 2387 unlock: 2388 hci_dev_unlock(hdev); 2389 } 2390 2391 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2392 { 2393 struct inquiry_data data; 2394 struct inquiry_info *info = (void *) (skb->data + 1); 2395 int num_rsp = *((__u8 *) skb->data); 2396 2397 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2398 2399 if (!num_rsp) 2400 return; 2401 2402 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2403 return; 2404 2405 hci_dev_lock(hdev); 2406 2407 for (; num_rsp; num_rsp--, info++) { 2408 u32 flags; 2409 2410 bacpy(&data.bdaddr, &info->bdaddr); 2411 data.pscan_rep_mode = info->pscan_rep_mode; 2412 data.pscan_period_mode = info->pscan_period_mode; 2413 data.pscan_mode = info->pscan_mode; 2414 memcpy(data.dev_class, info->dev_class, 3); 2415 data.clock_offset = info->clock_offset; 2416 data.rssi = HCI_RSSI_INVALID; 2417 data.ssp_mode = 0x00; 2418 2419 flags = hci_inquiry_cache_update(hdev, &data, false); 2420 2421 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2422 info->dev_class, HCI_RSSI_INVALID, 2423 flags, NULL, 0, NULL, 0); 2424 } 2425 2426 hci_dev_unlock(hdev); 2427 } 2428 2429 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2430 { 2431 struct hci_ev_conn_complete *ev = (void *) skb->data; 2432 struct hci_conn *conn; 2433 2434 BT_DBG("%s", hdev->name); 2435 2436 hci_dev_lock(hdev); 2437 2438 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2439 if (!conn) { 2440 if (ev->link_type != SCO_LINK) 2441 goto unlock; 2442 2443 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 2444 if (!conn) 2445 goto unlock; 2446 2447 conn->type = SCO_LINK; 2448 } 2449 2450 if (!ev->status) { 2451 conn->handle = __le16_to_cpu(ev->handle); 2452 2453 if (conn->type == ACL_LINK) { 2454 conn->state = BT_CONFIG; 2455 hci_conn_hold(conn); 2456 2457 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2458 !hci_find_link_key(hdev, &ev->bdaddr)) 2459 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2460 else 2461 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2462 } else 2463 conn->state = BT_CONNECTED; 2464 2465 hci_debugfs_create_conn(conn); 2466 hci_conn_add_sysfs(conn); 2467 2468 if (test_bit(HCI_AUTH, &hdev->flags)) 2469 set_bit(HCI_CONN_AUTH, &conn->flags); 2470 2471 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2472 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2473 2474 /* Get remote features */ 2475 if (conn->type == ACL_LINK) { 2476 struct hci_cp_read_remote_features cp; 2477 cp.handle = ev->handle; 2478 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2479 sizeof(cp), &cp); 2480 2481 hci_req_update_scan(hdev); 2482 } 2483 2484 /* Set packet type for incoming connection */ 2485 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2486 struct hci_cp_change_conn_ptype cp; 2487 cp.handle = ev->handle; 2488 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2489 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2490 &cp); 2491 } 2492 } else { 2493 conn->state = BT_CLOSED; 2494 if (conn->type == ACL_LINK) 2495 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2496 conn->dst_type, ev->status); 2497 } 2498 2499 if (conn->type == ACL_LINK) 2500 hci_sco_setup(conn, ev->status); 2501 2502 if (ev->status) { 2503 hci_connect_cfm(conn, ev->status); 2504 hci_conn_del(conn); 2505 } else if (ev->link_type != ACL_LINK) 2506 hci_connect_cfm(conn, ev->status); 2507 2508 unlock: 2509 hci_dev_unlock(hdev); 2510 2511 hci_conn_check_pending(hdev); 2512 } 2513 2514 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2515 { 2516 struct hci_cp_reject_conn_req cp; 2517 2518 bacpy(&cp.bdaddr, bdaddr); 2519 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2520 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2521 } 2522 2523 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2524 { 2525 struct hci_ev_conn_request *ev = (void *) skb->data; 2526 int mask = hdev->link_mode; 2527 struct inquiry_entry *ie; 2528 struct hci_conn *conn; 2529 __u8 flags = 0; 2530 2531 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2532 ev->link_type); 2533 2534 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2535 &flags); 2536 2537 if (!(mask & HCI_LM_ACCEPT)) { 2538 hci_reject_conn(hdev, &ev->bdaddr); 2539 return; 2540 } 2541 2542 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2543 BDADDR_BREDR)) { 2544 hci_reject_conn(hdev, &ev->bdaddr); 2545 return; 2546 } 2547 2548 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2549 * connection. These features are only touched through mgmt so 2550 * only do the checks if HCI_MGMT is set. 2551 */ 2552 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2553 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2554 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr, 2555 BDADDR_BREDR)) { 2556 hci_reject_conn(hdev, &ev->bdaddr); 2557 return; 2558 } 2559 2560 /* Connection accepted */ 2561 2562 hci_dev_lock(hdev); 2563 2564 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2565 if (ie) 2566 memcpy(ie->data.dev_class, ev->dev_class, 3); 2567 2568 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2569 &ev->bdaddr); 2570 if (!conn) { 2571 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2572 HCI_ROLE_SLAVE); 2573 if (!conn) { 2574 bt_dev_err(hdev, "no memory for new connection"); 2575 hci_dev_unlock(hdev); 2576 return; 2577 } 2578 } 2579 2580 memcpy(conn->dev_class, ev->dev_class, 3); 2581 2582 hci_dev_unlock(hdev); 2583 2584 if (ev->link_type == ACL_LINK || 2585 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2586 struct hci_cp_accept_conn_req cp; 2587 conn->state = BT_CONNECT; 2588 2589 bacpy(&cp.bdaddr, &ev->bdaddr); 2590 2591 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2592 cp.role = 0x00; /* Become master */ 2593 else 2594 cp.role = 0x01; /* Remain slave */ 2595 2596 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2597 } else if (!(flags & HCI_PROTO_DEFER)) { 2598 struct hci_cp_accept_sync_conn_req cp; 2599 conn->state = BT_CONNECT; 2600 2601 bacpy(&cp.bdaddr, &ev->bdaddr); 2602 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2603 2604 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2605 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2606 cp.max_latency = cpu_to_le16(0xffff); 2607 cp.content_format = cpu_to_le16(hdev->voice_setting); 2608 cp.retrans_effort = 0xff; 2609 2610 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2611 &cp); 2612 } else { 2613 conn->state = BT_CONNECT2; 2614 hci_connect_cfm(conn, 0); 2615 } 2616 } 2617 2618 static u8 hci_to_mgmt_reason(u8 err) 2619 { 2620 switch (err) { 2621 case HCI_ERROR_CONNECTION_TIMEOUT: 2622 return MGMT_DEV_DISCONN_TIMEOUT; 2623 case HCI_ERROR_REMOTE_USER_TERM: 2624 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2625 case HCI_ERROR_REMOTE_POWER_OFF: 2626 return MGMT_DEV_DISCONN_REMOTE; 2627 case HCI_ERROR_LOCAL_HOST_TERM: 2628 return MGMT_DEV_DISCONN_LOCAL_HOST; 2629 default: 2630 return MGMT_DEV_DISCONN_UNKNOWN; 2631 } 2632 } 2633 2634 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2635 { 2636 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2637 u8 reason; 2638 struct hci_conn_params *params; 2639 struct hci_conn *conn; 2640 bool mgmt_connected; 2641 u8 type; 2642 2643 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2644 2645 hci_dev_lock(hdev); 2646 2647 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2648 if (!conn) 2649 goto unlock; 2650 2651 if (ev->status) { 2652 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2653 conn->dst_type, ev->status); 2654 goto unlock; 2655 } 2656 2657 conn->state = BT_CLOSED; 2658 2659 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2660 2661 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 2662 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 2663 else 2664 reason = hci_to_mgmt_reason(ev->reason); 2665 2666 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2667 reason, mgmt_connected); 2668 2669 if (conn->type == ACL_LINK) { 2670 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2671 hci_remove_link_key(hdev, &conn->dst); 2672 2673 hci_req_update_scan(hdev); 2674 } 2675 2676 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2677 if (params) { 2678 switch (params->auto_connect) { 2679 case HCI_AUTO_CONN_LINK_LOSS: 2680 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2681 break; 2682 /* Fall through */ 2683 2684 case HCI_AUTO_CONN_DIRECT: 2685 case HCI_AUTO_CONN_ALWAYS: 2686 list_del_init(¶ms->action); 2687 list_add(¶ms->action, &hdev->pend_le_conns); 2688 hci_update_background_scan(hdev); 2689 break; 2690 2691 default: 2692 break; 2693 } 2694 } 2695 2696 type = conn->type; 2697 2698 hci_disconn_cfm(conn, ev->reason); 2699 hci_conn_del(conn); 2700 2701 /* Re-enable advertising if necessary, since it might 2702 * have been disabled by the connection. From the 2703 * HCI_LE_Set_Advertise_Enable command description in 2704 * the core specification (v4.0): 2705 * "The Controller shall continue advertising until the Host 2706 * issues an LE_Set_Advertise_Enable command with 2707 * Advertising_Enable set to 0x00 (Advertising is disabled) 2708 * or until a connection is created or until the Advertising 2709 * is timed out due to Directed Advertising." 2710 */ 2711 if (type == LE_LINK) 2712 hci_req_reenable_advertising(hdev); 2713 2714 unlock: 2715 hci_dev_unlock(hdev); 2716 } 2717 2718 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2719 { 2720 struct hci_ev_auth_complete *ev = (void *) skb->data; 2721 struct hci_conn *conn; 2722 2723 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2724 2725 hci_dev_lock(hdev); 2726 2727 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2728 if (!conn) 2729 goto unlock; 2730 2731 if (!ev->status) { 2732 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2733 2734 if (!hci_conn_ssp_enabled(conn) && 2735 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2736 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 2737 } else { 2738 set_bit(HCI_CONN_AUTH, &conn->flags); 2739 conn->sec_level = conn->pending_sec_level; 2740 } 2741 } else { 2742 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2743 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2744 2745 mgmt_auth_failed(conn, ev->status); 2746 } 2747 2748 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2749 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2750 2751 if (conn->state == BT_CONFIG) { 2752 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2753 struct hci_cp_set_conn_encrypt cp; 2754 cp.handle = ev->handle; 2755 cp.encrypt = 0x01; 2756 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2757 &cp); 2758 } else { 2759 conn->state = BT_CONNECTED; 2760 hci_connect_cfm(conn, ev->status); 2761 hci_conn_drop(conn); 2762 } 2763 } else { 2764 hci_auth_cfm(conn, ev->status); 2765 2766 hci_conn_hold(conn); 2767 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2768 hci_conn_drop(conn); 2769 } 2770 2771 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2772 if (!ev->status) { 2773 struct hci_cp_set_conn_encrypt cp; 2774 cp.handle = ev->handle; 2775 cp.encrypt = 0x01; 2776 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2777 &cp); 2778 } else { 2779 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2780 hci_encrypt_cfm(conn, ev->status, 0x00); 2781 } 2782 } 2783 2784 unlock: 2785 hci_dev_unlock(hdev); 2786 } 2787 2788 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2789 { 2790 struct hci_ev_remote_name *ev = (void *) skb->data; 2791 struct hci_conn *conn; 2792 2793 BT_DBG("%s", hdev->name); 2794 2795 hci_conn_check_pending(hdev); 2796 2797 hci_dev_lock(hdev); 2798 2799 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2800 2801 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2802 goto check_auth; 2803 2804 if (ev->status == 0) 2805 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2806 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2807 else 2808 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2809 2810 check_auth: 2811 if (!conn) 2812 goto unlock; 2813 2814 if (!hci_outgoing_auth_needed(hdev, conn)) 2815 goto unlock; 2816 2817 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2818 struct hci_cp_auth_requested cp; 2819 2820 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2821 2822 cp.handle = __cpu_to_le16(conn->handle); 2823 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2824 } 2825 2826 unlock: 2827 hci_dev_unlock(hdev); 2828 } 2829 2830 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 2831 u16 opcode, struct sk_buff *skb) 2832 { 2833 const struct hci_rp_read_enc_key_size *rp; 2834 struct hci_conn *conn; 2835 u16 handle; 2836 2837 BT_DBG("%s status 0x%02x", hdev->name, status); 2838 2839 if (!skb || skb->len < sizeof(*rp)) { 2840 bt_dev_err(hdev, "invalid read key size response"); 2841 return; 2842 } 2843 2844 rp = (void *)skb->data; 2845 handle = le16_to_cpu(rp->handle); 2846 2847 hci_dev_lock(hdev); 2848 2849 conn = hci_conn_hash_lookup_handle(hdev, handle); 2850 if (!conn) 2851 goto unlock; 2852 2853 /* If we fail to read the encryption key size, assume maximum 2854 * (which is the same we do also when this HCI command isn't 2855 * supported. 2856 */ 2857 if (rp->status) { 2858 bt_dev_err(hdev, "failed to read key size for handle %u", 2859 handle); 2860 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2861 } else { 2862 conn->enc_key_size = rp->key_size; 2863 } 2864 2865 if (conn->state == BT_CONFIG) { 2866 conn->state = BT_CONNECTED; 2867 hci_connect_cfm(conn, 0); 2868 hci_conn_drop(conn); 2869 } else { 2870 u8 encrypt; 2871 2872 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2873 encrypt = 0x00; 2874 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags)) 2875 encrypt = 0x02; 2876 else 2877 encrypt = 0x01; 2878 2879 hci_encrypt_cfm(conn, 0, encrypt); 2880 } 2881 2882 unlock: 2883 hci_dev_unlock(hdev); 2884 } 2885 2886 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2887 { 2888 struct hci_ev_encrypt_change *ev = (void *) skb->data; 2889 struct hci_conn *conn; 2890 2891 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2892 2893 hci_dev_lock(hdev); 2894 2895 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2896 if (!conn) 2897 goto unlock; 2898 2899 if (!ev->status) { 2900 if (ev->encrypt) { 2901 /* Encryption implies authentication */ 2902 set_bit(HCI_CONN_AUTH, &conn->flags); 2903 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2904 conn->sec_level = conn->pending_sec_level; 2905 2906 /* P-256 authentication key implies FIPS */ 2907 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 2908 set_bit(HCI_CONN_FIPS, &conn->flags); 2909 2910 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 2911 conn->type == LE_LINK) 2912 set_bit(HCI_CONN_AES_CCM, &conn->flags); 2913 } else { 2914 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 2915 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 2916 } 2917 } 2918 2919 /* We should disregard the current RPA and generate a new one 2920 * whenever the encryption procedure fails. 2921 */ 2922 if (ev->status && conn->type == LE_LINK) { 2923 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 2924 hci_adv_instances_set_rpa_expired(hdev, true); 2925 } 2926 2927 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2928 2929 if (ev->status && conn->state == BT_CONNECTED) { 2930 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2931 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2932 2933 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2934 hci_conn_drop(conn); 2935 goto unlock; 2936 } 2937 2938 /* In Secure Connections Only mode, do not allow any connections 2939 * that are not encrypted with AES-CCM using a P-256 authenticated 2940 * combination key. 2941 */ 2942 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && 2943 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2944 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 2945 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 2946 hci_conn_drop(conn); 2947 goto unlock; 2948 } 2949 2950 /* Try reading the encryption key size for encrypted ACL links */ 2951 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 2952 struct hci_cp_read_enc_key_size cp; 2953 struct hci_request req; 2954 2955 /* Only send HCI_Read_Encryption_Key_Size if the 2956 * controller really supports it. If it doesn't, assume 2957 * the default size (16). 2958 */ 2959 if (!(hdev->commands[20] & 0x10)) { 2960 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2961 goto notify; 2962 } 2963 2964 hci_req_init(&req, hdev); 2965 2966 cp.handle = cpu_to_le16(conn->handle); 2967 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 2968 2969 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 2970 bt_dev_err(hdev, "sending read key size failed"); 2971 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2972 goto notify; 2973 } 2974 2975 goto unlock; 2976 } 2977 2978 notify: 2979 if (conn->state == BT_CONFIG) { 2980 if (!ev->status) 2981 conn->state = BT_CONNECTED; 2982 2983 hci_connect_cfm(conn, ev->status); 2984 hci_conn_drop(conn); 2985 } else 2986 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2987 2988 unlock: 2989 hci_dev_unlock(hdev); 2990 } 2991 2992 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 2993 struct sk_buff *skb) 2994 { 2995 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 2996 struct hci_conn *conn; 2997 2998 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2999 3000 hci_dev_lock(hdev); 3001 3002 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3003 if (conn) { 3004 if (!ev->status) 3005 set_bit(HCI_CONN_SECURE, &conn->flags); 3006 3007 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3008 3009 hci_key_change_cfm(conn, ev->status); 3010 } 3011 3012 hci_dev_unlock(hdev); 3013 } 3014 3015 static void hci_remote_features_evt(struct hci_dev *hdev, 3016 struct sk_buff *skb) 3017 { 3018 struct hci_ev_remote_features *ev = (void *) skb->data; 3019 struct hci_conn *conn; 3020 3021 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3022 3023 hci_dev_lock(hdev); 3024 3025 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3026 if (!conn) 3027 goto unlock; 3028 3029 if (!ev->status) 3030 memcpy(conn->features[0], ev->features, 8); 3031 3032 if (conn->state != BT_CONFIG) 3033 goto unlock; 3034 3035 if (!ev->status && lmp_ext_feat_capable(hdev) && 3036 lmp_ext_feat_capable(conn)) { 3037 struct hci_cp_read_remote_ext_features cp; 3038 cp.handle = ev->handle; 3039 cp.page = 0x01; 3040 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3041 sizeof(cp), &cp); 3042 goto unlock; 3043 } 3044 3045 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3046 struct hci_cp_remote_name_req cp; 3047 memset(&cp, 0, sizeof(cp)); 3048 bacpy(&cp.bdaddr, &conn->dst); 3049 cp.pscan_rep_mode = 0x02; 3050 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3051 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3052 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3053 3054 if (!hci_outgoing_auth_needed(hdev, conn)) { 3055 conn->state = BT_CONNECTED; 3056 hci_connect_cfm(conn, ev->status); 3057 hci_conn_drop(conn); 3058 } 3059 3060 unlock: 3061 hci_dev_unlock(hdev); 3062 } 3063 3064 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 3065 u16 *opcode, u8 *status, 3066 hci_req_complete_t *req_complete, 3067 hci_req_complete_skb_t *req_complete_skb) 3068 { 3069 struct hci_ev_cmd_complete *ev = (void *) skb->data; 3070 3071 *opcode = __le16_to_cpu(ev->opcode); 3072 *status = skb->data[sizeof(*ev)]; 3073 3074 skb_pull(skb, sizeof(*ev)); 3075 3076 switch (*opcode) { 3077 case HCI_OP_INQUIRY_CANCEL: 3078 hci_cc_inquiry_cancel(hdev, skb); 3079 break; 3080 3081 case HCI_OP_PERIODIC_INQ: 3082 hci_cc_periodic_inq(hdev, skb); 3083 break; 3084 3085 case HCI_OP_EXIT_PERIODIC_INQ: 3086 hci_cc_exit_periodic_inq(hdev, skb); 3087 break; 3088 3089 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 3090 hci_cc_remote_name_req_cancel(hdev, skb); 3091 break; 3092 3093 case HCI_OP_ROLE_DISCOVERY: 3094 hci_cc_role_discovery(hdev, skb); 3095 break; 3096 3097 case HCI_OP_READ_LINK_POLICY: 3098 hci_cc_read_link_policy(hdev, skb); 3099 break; 3100 3101 case HCI_OP_WRITE_LINK_POLICY: 3102 hci_cc_write_link_policy(hdev, skb); 3103 break; 3104 3105 case HCI_OP_READ_DEF_LINK_POLICY: 3106 hci_cc_read_def_link_policy(hdev, skb); 3107 break; 3108 3109 case HCI_OP_WRITE_DEF_LINK_POLICY: 3110 hci_cc_write_def_link_policy(hdev, skb); 3111 break; 3112 3113 case HCI_OP_RESET: 3114 hci_cc_reset(hdev, skb); 3115 break; 3116 3117 case HCI_OP_READ_STORED_LINK_KEY: 3118 hci_cc_read_stored_link_key(hdev, skb); 3119 break; 3120 3121 case HCI_OP_DELETE_STORED_LINK_KEY: 3122 hci_cc_delete_stored_link_key(hdev, skb); 3123 break; 3124 3125 case HCI_OP_WRITE_LOCAL_NAME: 3126 hci_cc_write_local_name(hdev, skb); 3127 break; 3128 3129 case HCI_OP_READ_LOCAL_NAME: 3130 hci_cc_read_local_name(hdev, skb); 3131 break; 3132 3133 case HCI_OP_WRITE_AUTH_ENABLE: 3134 hci_cc_write_auth_enable(hdev, skb); 3135 break; 3136 3137 case HCI_OP_WRITE_ENCRYPT_MODE: 3138 hci_cc_write_encrypt_mode(hdev, skb); 3139 break; 3140 3141 case HCI_OP_WRITE_SCAN_ENABLE: 3142 hci_cc_write_scan_enable(hdev, skb); 3143 break; 3144 3145 case HCI_OP_READ_CLASS_OF_DEV: 3146 hci_cc_read_class_of_dev(hdev, skb); 3147 break; 3148 3149 case HCI_OP_WRITE_CLASS_OF_DEV: 3150 hci_cc_write_class_of_dev(hdev, skb); 3151 break; 3152 3153 case HCI_OP_READ_VOICE_SETTING: 3154 hci_cc_read_voice_setting(hdev, skb); 3155 break; 3156 3157 case HCI_OP_WRITE_VOICE_SETTING: 3158 hci_cc_write_voice_setting(hdev, skb); 3159 break; 3160 3161 case HCI_OP_READ_NUM_SUPPORTED_IAC: 3162 hci_cc_read_num_supported_iac(hdev, skb); 3163 break; 3164 3165 case HCI_OP_WRITE_SSP_MODE: 3166 hci_cc_write_ssp_mode(hdev, skb); 3167 break; 3168 3169 case HCI_OP_WRITE_SC_SUPPORT: 3170 hci_cc_write_sc_support(hdev, skb); 3171 break; 3172 3173 case HCI_OP_READ_LOCAL_VERSION: 3174 hci_cc_read_local_version(hdev, skb); 3175 break; 3176 3177 case HCI_OP_READ_LOCAL_COMMANDS: 3178 hci_cc_read_local_commands(hdev, skb); 3179 break; 3180 3181 case HCI_OP_READ_LOCAL_FEATURES: 3182 hci_cc_read_local_features(hdev, skb); 3183 break; 3184 3185 case HCI_OP_READ_LOCAL_EXT_FEATURES: 3186 hci_cc_read_local_ext_features(hdev, skb); 3187 break; 3188 3189 case HCI_OP_READ_BUFFER_SIZE: 3190 hci_cc_read_buffer_size(hdev, skb); 3191 break; 3192 3193 case HCI_OP_READ_BD_ADDR: 3194 hci_cc_read_bd_addr(hdev, skb); 3195 break; 3196 3197 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 3198 hci_cc_read_page_scan_activity(hdev, skb); 3199 break; 3200 3201 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 3202 hci_cc_write_page_scan_activity(hdev, skb); 3203 break; 3204 3205 case HCI_OP_READ_PAGE_SCAN_TYPE: 3206 hci_cc_read_page_scan_type(hdev, skb); 3207 break; 3208 3209 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 3210 hci_cc_write_page_scan_type(hdev, skb); 3211 break; 3212 3213 case HCI_OP_READ_DATA_BLOCK_SIZE: 3214 hci_cc_read_data_block_size(hdev, skb); 3215 break; 3216 3217 case HCI_OP_READ_FLOW_CONTROL_MODE: 3218 hci_cc_read_flow_control_mode(hdev, skb); 3219 break; 3220 3221 case HCI_OP_READ_LOCAL_AMP_INFO: 3222 hci_cc_read_local_amp_info(hdev, skb); 3223 break; 3224 3225 case HCI_OP_READ_CLOCK: 3226 hci_cc_read_clock(hdev, skb); 3227 break; 3228 3229 case HCI_OP_READ_INQ_RSP_TX_POWER: 3230 hci_cc_read_inq_rsp_tx_power(hdev, skb); 3231 break; 3232 3233 case HCI_OP_PIN_CODE_REPLY: 3234 hci_cc_pin_code_reply(hdev, skb); 3235 break; 3236 3237 case HCI_OP_PIN_CODE_NEG_REPLY: 3238 hci_cc_pin_code_neg_reply(hdev, skb); 3239 break; 3240 3241 case HCI_OP_READ_LOCAL_OOB_DATA: 3242 hci_cc_read_local_oob_data(hdev, skb); 3243 break; 3244 3245 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 3246 hci_cc_read_local_oob_ext_data(hdev, skb); 3247 break; 3248 3249 case HCI_OP_LE_READ_BUFFER_SIZE: 3250 hci_cc_le_read_buffer_size(hdev, skb); 3251 break; 3252 3253 case HCI_OP_LE_READ_LOCAL_FEATURES: 3254 hci_cc_le_read_local_features(hdev, skb); 3255 break; 3256 3257 case HCI_OP_LE_READ_ADV_TX_POWER: 3258 hci_cc_le_read_adv_tx_power(hdev, skb); 3259 break; 3260 3261 case HCI_OP_USER_CONFIRM_REPLY: 3262 hci_cc_user_confirm_reply(hdev, skb); 3263 break; 3264 3265 case HCI_OP_USER_CONFIRM_NEG_REPLY: 3266 hci_cc_user_confirm_neg_reply(hdev, skb); 3267 break; 3268 3269 case HCI_OP_USER_PASSKEY_REPLY: 3270 hci_cc_user_passkey_reply(hdev, skb); 3271 break; 3272 3273 case HCI_OP_USER_PASSKEY_NEG_REPLY: 3274 hci_cc_user_passkey_neg_reply(hdev, skb); 3275 break; 3276 3277 case HCI_OP_LE_SET_RANDOM_ADDR: 3278 hci_cc_le_set_random_addr(hdev, skb); 3279 break; 3280 3281 case HCI_OP_LE_SET_ADV_ENABLE: 3282 hci_cc_le_set_adv_enable(hdev, skb); 3283 break; 3284 3285 case HCI_OP_LE_SET_SCAN_PARAM: 3286 hci_cc_le_set_scan_param(hdev, skb); 3287 break; 3288 3289 case HCI_OP_LE_SET_SCAN_ENABLE: 3290 hci_cc_le_set_scan_enable(hdev, skb); 3291 break; 3292 3293 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 3294 hci_cc_le_read_white_list_size(hdev, skb); 3295 break; 3296 3297 case HCI_OP_LE_CLEAR_WHITE_LIST: 3298 hci_cc_le_clear_white_list(hdev, skb); 3299 break; 3300 3301 case HCI_OP_LE_ADD_TO_WHITE_LIST: 3302 hci_cc_le_add_to_white_list(hdev, skb); 3303 break; 3304 3305 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 3306 hci_cc_le_del_from_white_list(hdev, skb); 3307 break; 3308 3309 case HCI_OP_LE_READ_SUPPORTED_STATES: 3310 hci_cc_le_read_supported_states(hdev, skb); 3311 break; 3312 3313 case HCI_OP_LE_READ_DEF_DATA_LEN: 3314 hci_cc_le_read_def_data_len(hdev, skb); 3315 break; 3316 3317 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3318 hci_cc_le_write_def_data_len(hdev, skb); 3319 break; 3320 3321 case HCI_OP_LE_ADD_TO_RESOLV_LIST: 3322 hci_cc_le_add_to_resolv_list(hdev, skb); 3323 break; 3324 3325 case HCI_OP_LE_DEL_FROM_RESOLV_LIST: 3326 hci_cc_le_del_from_resolv_list(hdev, skb); 3327 break; 3328 3329 case HCI_OP_LE_CLEAR_RESOLV_LIST: 3330 hci_cc_le_clear_resolv_list(hdev, skb); 3331 break; 3332 3333 case HCI_OP_LE_READ_RESOLV_LIST_SIZE: 3334 hci_cc_le_read_resolv_list_size(hdev, skb); 3335 break; 3336 3337 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE: 3338 hci_cc_le_set_addr_resolution_enable(hdev, skb); 3339 break; 3340 3341 case HCI_OP_LE_READ_MAX_DATA_LEN: 3342 hci_cc_le_read_max_data_len(hdev, skb); 3343 break; 3344 3345 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3346 hci_cc_write_le_host_supported(hdev, skb); 3347 break; 3348 3349 case HCI_OP_LE_SET_ADV_PARAM: 3350 hci_cc_set_adv_param(hdev, skb); 3351 break; 3352 3353 case HCI_OP_READ_RSSI: 3354 hci_cc_read_rssi(hdev, skb); 3355 break; 3356 3357 case HCI_OP_READ_TX_POWER: 3358 hci_cc_read_tx_power(hdev, skb); 3359 break; 3360 3361 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3362 hci_cc_write_ssp_debug_mode(hdev, skb); 3363 break; 3364 3365 case HCI_OP_LE_SET_EXT_SCAN_PARAMS: 3366 hci_cc_le_set_ext_scan_param(hdev, skb); 3367 break; 3368 3369 case HCI_OP_LE_SET_EXT_SCAN_ENABLE: 3370 hci_cc_le_set_ext_scan_enable(hdev, skb); 3371 break; 3372 3373 case HCI_OP_LE_SET_DEFAULT_PHY: 3374 hci_cc_le_set_default_phy(hdev, skb); 3375 break; 3376 3377 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS: 3378 hci_cc_le_read_num_adv_sets(hdev, skb); 3379 break; 3380 3381 case HCI_OP_LE_SET_EXT_ADV_PARAMS: 3382 hci_cc_set_ext_adv_param(hdev, skb); 3383 break; 3384 3385 case HCI_OP_LE_SET_EXT_ADV_ENABLE: 3386 hci_cc_le_set_ext_adv_enable(hdev, skb); 3387 break; 3388 3389 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR: 3390 hci_cc_le_set_adv_set_random_addr(hdev, skb); 3391 break; 3392 3393 default: 3394 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3395 break; 3396 } 3397 3398 if (*opcode != HCI_OP_NOP) 3399 cancel_delayed_work(&hdev->cmd_timer); 3400 3401 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3402 atomic_set(&hdev->cmd_cnt, 1); 3403 3404 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3405 req_complete_skb); 3406 3407 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3408 queue_work(hdev->workqueue, &hdev->cmd_work); 3409 } 3410 3411 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3412 u16 *opcode, u8 *status, 3413 hci_req_complete_t *req_complete, 3414 hci_req_complete_skb_t *req_complete_skb) 3415 { 3416 struct hci_ev_cmd_status *ev = (void *) skb->data; 3417 3418 skb_pull(skb, sizeof(*ev)); 3419 3420 *opcode = __le16_to_cpu(ev->opcode); 3421 *status = ev->status; 3422 3423 switch (*opcode) { 3424 case HCI_OP_INQUIRY: 3425 hci_cs_inquiry(hdev, ev->status); 3426 break; 3427 3428 case HCI_OP_CREATE_CONN: 3429 hci_cs_create_conn(hdev, ev->status); 3430 break; 3431 3432 case HCI_OP_DISCONNECT: 3433 hci_cs_disconnect(hdev, ev->status); 3434 break; 3435 3436 case HCI_OP_ADD_SCO: 3437 hci_cs_add_sco(hdev, ev->status); 3438 break; 3439 3440 case HCI_OP_AUTH_REQUESTED: 3441 hci_cs_auth_requested(hdev, ev->status); 3442 break; 3443 3444 case HCI_OP_SET_CONN_ENCRYPT: 3445 hci_cs_set_conn_encrypt(hdev, ev->status); 3446 break; 3447 3448 case HCI_OP_REMOTE_NAME_REQ: 3449 hci_cs_remote_name_req(hdev, ev->status); 3450 break; 3451 3452 case HCI_OP_READ_REMOTE_FEATURES: 3453 hci_cs_read_remote_features(hdev, ev->status); 3454 break; 3455 3456 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3457 hci_cs_read_remote_ext_features(hdev, ev->status); 3458 break; 3459 3460 case HCI_OP_SETUP_SYNC_CONN: 3461 hci_cs_setup_sync_conn(hdev, ev->status); 3462 break; 3463 3464 case HCI_OP_SNIFF_MODE: 3465 hci_cs_sniff_mode(hdev, ev->status); 3466 break; 3467 3468 case HCI_OP_EXIT_SNIFF_MODE: 3469 hci_cs_exit_sniff_mode(hdev, ev->status); 3470 break; 3471 3472 case HCI_OP_SWITCH_ROLE: 3473 hci_cs_switch_role(hdev, ev->status); 3474 break; 3475 3476 case HCI_OP_LE_CREATE_CONN: 3477 hci_cs_le_create_conn(hdev, ev->status); 3478 break; 3479 3480 case HCI_OP_LE_READ_REMOTE_FEATURES: 3481 hci_cs_le_read_remote_features(hdev, ev->status); 3482 break; 3483 3484 case HCI_OP_LE_START_ENC: 3485 hci_cs_le_start_enc(hdev, ev->status); 3486 break; 3487 3488 case HCI_OP_LE_EXT_CREATE_CONN: 3489 hci_cs_le_ext_create_conn(hdev, ev->status); 3490 break; 3491 3492 default: 3493 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3494 break; 3495 } 3496 3497 if (*opcode != HCI_OP_NOP) 3498 cancel_delayed_work(&hdev->cmd_timer); 3499 3500 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3501 atomic_set(&hdev->cmd_cnt, 1); 3502 3503 /* Indicate request completion if the command failed. Also, if 3504 * we're not waiting for a special event and we get a success 3505 * command status we should try to flag the request as completed 3506 * (since for this kind of commands there will not be a command 3507 * complete event). 3508 */ 3509 if (ev->status || 3510 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3511 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3512 req_complete_skb); 3513 3514 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3515 queue_work(hdev->workqueue, &hdev->cmd_work); 3516 } 3517 3518 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3519 { 3520 struct hci_ev_hardware_error *ev = (void *) skb->data; 3521 3522 hdev->hw_error_code = ev->code; 3523 3524 queue_work(hdev->req_workqueue, &hdev->error_reset); 3525 } 3526 3527 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3528 { 3529 struct hci_ev_role_change *ev = (void *) skb->data; 3530 struct hci_conn *conn; 3531 3532 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3533 3534 hci_dev_lock(hdev); 3535 3536 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3537 if (conn) { 3538 if (!ev->status) 3539 conn->role = ev->role; 3540 3541 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3542 3543 hci_role_switch_cfm(conn, ev->status, ev->role); 3544 } 3545 3546 hci_dev_unlock(hdev); 3547 } 3548 3549 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3550 { 3551 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3552 int i; 3553 3554 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3555 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3556 return; 3557 } 3558 3559 if (skb->len < sizeof(*ev) || 3560 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3561 BT_DBG("%s bad parameters", hdev->name); 3562 return; 3563 } 3564 3565 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3566 3567 for (i = 0; i < ev->num_hndl; i++) { 3568 struct hci_comp_pkts_info *info = &ev->handles[i]; 3569 struct hci_conn *conn; 3570 __u16 handle, count; 3571 3572 handle = __le16_to_cpu(info->handle); 3573 count = __le16_to_cpu(info->count); 3574 3575 conn = hci_conn_hash_lookup_handle(hdev, handle); 3576 if (!conn) 3577 continue; 3578 3579 conn->sent -= count; 3580 3581 switch (conn->type) { 3582 case ACL_LINK: 3583 hdev->acl_cnt += count; 3584 if (hdev->acl_cnt > hdev->acl_pkts) 3585 hdev->acl_cnt = hdev->acl_pkts; 3586 break; 3587 3588 case LE_LINK: 3589 if (hdev->le_pkts) { 3590 hdev->le_cnt += count; 3591 if (hdev->le_cnt > hdev->le_pkts) 3592 hdev->le_cnt = hdev->le_pkts; 3593 } else { 3594 hdev->acl_cnt += count; 3595 if (hdev->acl_cnt > hdev->acl_pkts) 3596 hdev->acl_cnt = hdev->acl_pkts; 3597 } 3598 break; 3599 3600 case SCO_LINK: 3601 hdev->sco_cnt += count; 3602 if (hdev->sco_cnt > hdev->sco_pkts) 3603 hdev->sco_cnt = hdev->sco_pkts; 3604 break; 3605 3606 default: 3607 bt_dev_err(hdev, "unknown type %d conn %p", 3608 conn->type, conn); 3609 break; 3610 } 3611 } 3612 3613 queue_work(hdev->workqueue, &hdev->tx_work); 3614 } 3615 3616 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3617 __u16 handle) 3618 { 3619 struct hci_chan *chan; 3620 3621 switch (hdev->dev_type) { 3622 case HCI_PRIMARY: 3623 return hci_conn_hash_lookup_handle(hdev, handle); 3624 case HCI_AMP: 3625 chan = hci_chan_lookup_handle(hdev, handle); 3626 if (chan) 3627 return chan->conn; 3628 break; 3629 default: 3630 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 3631 break; 3632 } 3633 3634 return NULL; 3635 } 3636 3637 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3638 { 3639 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3640 int i; 3641 3642 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3643 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3644 return; 3645 } 3646 3647 if (skb->len < sizeof(*ev) || 3648 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3649 BT_DBG("%s bad parameters", hdev->name); 3650 return; 3651 } 3652 3653 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3654 ev->num_hndl); 3655 3656 for (i = 0; i < ev->num_hndl; i++) { 3657 struct hci_comp_blocks_info *info = &ev->handles[i]; 3658 struct hci_conn *conn = NULL; 3659 __u16 handle, block_count; 3660 3661 handle = __le16_to_cpu(info->handle); 3662 block_count = __le16_to_cpu(info->blocks); 3663 3664 conn = __hci_conn_lookup_handle(hdev, handle); 3665 if (!conn) 3666 continue; 3667 3668 conn->sent -= block_count; 3669 3670 switch (conn->type) { 3671 case ACL_LINK: 3672 case AMP_LINK: 3673 hdev->block_cnt += block_count; 3674 if (hdev->block_cnt > hdev->num_blocks) 3675 hdev->block_cnt = hdev->num_blocks; 3676 break; 3677 3678 default: 3679 bt_dev_err(hdev, "unknown type %d conn %p", 3680 conn->type, conn); 3681 break; 3682 } 3683 } 3684 3685 queue_work(hdev->workqueue, &hdev->tx_work); 3686 } 3687 3688 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3689 { 3690 struct hci_ev_mode_change *ev = (void *) skb->data; 3691 struct hci_conn *conn; 3692 3693 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3694 3695 hci_dev_lock(hdev); 3696 3697 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3698 if (conn) { 3699 conn->mode = ev->mode; 3700 3701 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3702 &conn->flags)) { 3703 if (conn->mode == HCI_CM_ACTIVE) 3704 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3705 else 3706 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3707 } 3708 3709 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3710 hci_sco_setup(conn, ev->status); 3711 } 3712 3713 hci_dev_unlock(hdev); 3714 } 3715 3716 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3717 { 3718 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3719 struct hci_conn *conn; 3720 3721 BT_DBG("%s", hdev->name); 3722 3723 hci_dev_lock(hdev); 3724 3725 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3726 if (!conn) 3727 goto unlock; 3728 3729 if (conn->state == BT_CONNECTED) { 3730 hci_conn_hold(conn); 3731 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3732 hci_conn_drop(conn); 3733 } 3734 3735 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3736 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3737 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3738 sizeof(ev->bdaddr), &ev->bdaddr); 3739 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3740 u8 secure; 3741 3742 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3743 secure = 1; 3744 else 3745 secure = 0; 3746 3747 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3748 } 3749 3750 unlock: 3751 hci_dev_unlock(hdev); 3752 } 3753 3754 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3755 { 3756 if (key_type == HCI_LK_CHANGED_COMBINATION) 3757 return; 3758 3759 conn->pin_length = pin_len; 3760 conn->key_type = key_type; 3761 3762 switch (key_type) { 3763 case HCI_LK_LOCAL_UNIT: 3764 case HCI_LK_REMOTE_UNIT: 3765 case HCI_LK_DEBUG_COMBINATION: 3766 return; 3767 case HCI_LK_COMBINATION: 3768 if (pin_len == 16) 3769 conn->pending_sec_level = BT_SECURITY_HIGH; 3770 else 3771 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3772 break; 3773 case HCI_LK_UNAUTH_COMBINATION_P192: 3774 case HCI_LK_UNAUTH_COMBINATION_P256: 3775 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3776 break; 3777 case HCI_LK_AUTH_COMBINATION_P192: 3778 conn->pending_sec_level = BT_SECURITY_HIGH; 3779 break; 3780 case HCI_LK_AUTH_COMBINATION_P256: 3781 conn->pending_sec_level = BT_SECURITY_FIPS; 3782 break; 3783 } 3784 } 3785 3786 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3787 { 3788 struct hci_ev_link_key_req *ev = (void *) skb->data; 3789 struct hci_cp_link_key_reply cp; 3790 struct hci_conn *conn; 3791 struct link_key *key; 3792 3793 BT_DBG("%s", hdev->name); 3794 3795 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3796 return; 3797 3798 hci_dev_lock(hdev); 3799 3800 key = hci_find_link_key(hdev, &ev->bdaddr); 3801 if (!key) { 3802 BT_DBG("%s link key not found for %pMR", hdev->name, 3803 &ev->bdaddr); 3804 goto not_found; 3805 } 3806 3807 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3808 &ev->bdaddr); 3809 3810 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3811 if (conn) { 3812 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3813 3814 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3815 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3816 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3817 BT_DBG("%s ignoring unauthenticated key", hdev->name); 3818 goto not_found; 3819 } 3820 3821 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3822 (conn->pending_sec_level == BT_SECURITY_HIGH || 3823 conn->pending_sec_level == BT_SECURITY_FIPS)) { 3824 BT_DBG("%s ignoring key unauthenticated for high security", 3825 hdev->name); 3826 goto not_found; 3827 } 3828 3829 conn_set_key(conn, key->type, key->pin_len); 3830 } 3831 3832 bacpy(&cp.bdaddr, &ev->bdaddr); 3833 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 3834 3835 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 3836 3837 hci_dev_unlock(hdev); 3838 3839 return; 3840 3841 not_found: 3842 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 3843 hci_dev_unlock(hdev); 3844 } 3845 3846 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3847 { 3848 struct hci_ev_link_key_notify *ev = (void *) skb->data; 3849 struct hci_conn *conn; 3850 struct link_key *key; 3851 bool persistent; 3852 u8 pin_len = 0; 3853 3854 BT_DBG("%s", hdev->name); 3855 3856 hci_dev_lock(hdev); 3857 3858 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3859 if (!conn) 3860 goto unlock; 3861 3862 hci_conn_hold(conn); 3863 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3864 hci_conn_drop(conn); 3865 3866 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3867 conn_set_key(conn, ev->key_type, conn->pin_length); 3868 3869 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3870 goto unlock; 3871 3872 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 3873 ev->key_type, pin_len, &persistent); 3874 if (!key) 3875 goto unlock; 3876 3877 /* Update connection information since adding the key will have 3878 * fixed up the type in the case of changed combination keys. 3879 */ 3880 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 3881 conn_set_key(conn, key->type, key->pin_len); 3882 3883 mgmt_new_link_key(hdev, key, persistent); 3884 3885 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 3886 * is set. If it's not set simply remove the key from the kernel 3887 * list (we've still notified user space about it but with 3888 * store_hint being 0). 3889 */ 3890 if (key->type == HCI_LK_DEBUG_COMBINATION && 3891 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 3892 list_del_rcu(&key->list); 3893 kfree_rcu(key, rcu); 3894 goto unlock; 3895 } 3896 3897 if (persistent) 3898 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3899 else 3900 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3901 3902 unlock: 3903 hci_dev_unlock(hdev); 3904 } 3905 3906 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 3907 { 3908 struct hci_ev_clock_offset *ev = (void *) skb->data; 3909 struct hci_conn *conn; 3910 3911 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3912 3913 hci_dev_lock(hdev); 3914 3915 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3916 if (conn && !ev->status) { 3917 struct inquiry_entry *ie; 3918 3919 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3920 if (ie) { 3921 ie->data.clock_offset = ev->clock_offset; 3922 ie->timestamp = jiffies; 3923 } 3924 } 3925 3926 hci_dev_unlock(hdev); 3927 } 3928 3929 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3930 { 3931 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 3932 struct hci_conn *conn; 3933 3934 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3935 3936 hci_dev_lock(hdev); 3937 3938 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3939 if (conn && !ev->status) 3940 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 3941 3942 hci_dev_unlock(hdev); 3943 } 3944 3945 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 3946 { 3947 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 3948 struct inquiry_entry *ie; 3949 3950 BT_DBG("%s", hdev->name); 3951 3952 hci_dev_lock(hdev); 3953 3954 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3955 if (ie) { 3956 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 3957 ie->timestamp = jiffies; 3958 } 3959 3960 hci_dev_unlock(hdev); 3961 } 3962 3963 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 3964 struct sk_buff *skb) 3965 { 3966 struct inquiry_data data; 3967 int num_rsp = *((__u8 *) skb->data); 3968 3969 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3970 3971 if (!num_rsp) 3972 return; 3973 3974 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3975 return; 3976 3977 hci_dev_lock(hdev); 3978 3979 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 3980 struct inquiry_info_with_rssi_and_pscan_mode *info; 3981 info = (void *) (skb->data + 1); 3982 3983 for (; num_rsp; num_rsp--, info++) { 3984 u32 flags; 3985 3986 bacpy(&data.bdaddr, &info->bdaddr); 3987 data.pscan_rep_mode = info->pscan_rep_mode; 3988 data.pscan_period_mode = info->pscan_period_mode; 3989 data.pscan_mode = info->pscan_mode; 3990 memcpy(data.dev_class, info->dev_class, 3); 3991 data.clock_offset = info->clock_offset; 3992 data.rssi = info->rssi; 3993 data.ssp_mode = 0x00; 3994 3995 flags = hci_inquiry_cache_update(hdev, &data, false); 3996 3997 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3998 info->dev_class, info->rssi, 3999 flags, NULL, 0, NULL, 0); 4000 } 4001 } else { 4002 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 4003 4004 for (; num_rsp; num_rsp--, info++) { 4005 u32 flags; 4006 4007 bacpy(&data.bdaddr, &info->bdaddr); 4008 data.pscan_rep_mode = info->pscan_rep_mode; 4009 data.pscan_period_mode = info->pscan_period_mode; 4010 data.pscan_mode = 0x00; 4011 memcpy(data.dev_class, info->dev_class, 3); 4012 data.clock_offset = info->clock_offset; 4013 data.rssi = info->rssi; 4014 data.ssp_mode = 0x00; 4015 4016 flags = hci_inquiry_cache_update(hdev, &data, false); 4017 4018 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4019 info->dev_class, info->rssi, 4020 flags, NULL, 0, NULL, 0); 4021 } 4022 } 4023 4024 hci_dev_unlock(hdev); 4025 } 4026 4027 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 4028 struct sk_buff *skb) 4029 { 4030 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 4031 struct hci_conn *conn; 4032 4033 BT_DBG("%s", hdev->name); 4034 4035 hci_dev_lock(hdev); 4036 4037 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4038 if (!conn) 4039 goto unlock; 4040 4041 if (ev->page < HCI_MAX_PAGES) 4042 memcpy(conn->features[ev->page], ev->features, 8); 4043 4044 if (!ev->status && ev->page == 0x01) { 4045 struct inquiry_entry *ie; 4046 4047 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4048 if (ie) 4049 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4050 4051 if (ev->features[0] & LMP_HOST_SSP) { 4052 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4053 } else { 4054 /* It is mandatory by the Bluetooth specification that 4055 * Extended Inquiry Results are only used when Secure 4056 * Simple Pairing is enabled, but some devices violate 4057 * this. 4058 * 4059 * To make these devices work, the internal SSP 4060 * enabled flag needs to be cleared if the remote host 4061 * features do not indicate SSP support */ 4062 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4063 } 4064 4065 if (ev->features[0] & LMP_HOST_SC) 4066 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4067 } 4068 4069 if (conn->state != BT_CONFIG) 4070 goto unlock; 4071 4072 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4073 struct hci_cp_remote_name_req cp; 4074 memset(&cp, 0, sizeof(cp)); 4075 bacpy(&cp.bdaddr, &conn->dst); 4076 cp.pscan_rep_mode = 0x02; 4077 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4078 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4079 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4080 4081 if (!hci_outgoing_auth_needed(hdev, conn)) { 4082 conn->state = BT_CONNECTED; 4083 hci_connect_cfm(conn, ev->status); 4084 hci_conn_drop(conn); 4085 } 4086 4087 unlock: 4088 hci_dev_unlock(hdev); 4089 } 4090 4091 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 4092 struct sk_buff *skb) 4093 { 4094 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 4095 struct hci_conn *conn; 4096 4097 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4098 4099 hci_dev_lock(hdev); 4100 4101 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4102 if (!conn) { 4103 if (ev->link_type == ESCO_LINK) 4104 goto unlock; 4105 4106 /* When the link type in the event indicates SCO connection 4107 * and lookup of the connection object fails, then check 4108 * if an eSCO connection object exists. 4109 * 4110 * The core limits the synchronous connections to either 4111 * SCO or eSCO. The eSCO connection is preferred and tried 4112 * to be setup first and until successfully established, 4113 * the link type will be hinted as eSCO. 4114 */ 4115 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4116 if (!conn) 4117 goto unlock; 4118 } 4119 4120 switch (ev->status) { 4121 case 0x00: 4122 conn->handle = __le16_to_cpu(ev->handle); 4123 conn->state = BT_CONNECTED; 4124 conn->type = ev->link_type; 4125 4126 hci_debugfs_create_conn(conn); 4127 hci_conn_add_sysfs(conn); 4128 break; 4129 4130 case 0x10: /* Connection Accept Timeout */ 4131 case 0x0d: /* Connection Rejected due to Limited Resources */ 4132 case 0x11: /* Unsupported Feature or Parameter Value */ 4133 case 0x1c: /* SCO interval rejected */ 4134 case 0x1a: /* Unsupported Remote Feature */ 4135 case 0x1f: /* Unspecified error */ 4136 case 0x20: /* Unsupported LMP Parameter value */ 4137 if (conn->out) { 4138 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4139 (hdev->esco_type & EDR_ESCO_MASK); 4140 if (hci_setup_sync(conn, conn->link->handle)) 4141 goto unlock; 4142 } 4143 /* fall through */ 4144 4145 default: 4146 conn->state = BT_CLOSED; 4147 break; 4148 } 4149 4150 hci_connect_cfm(conn, ev->status); 4151 if (ev->status) 4152 hci_conn_del(conn); 4153 4154 unlock: 4155 hci_dev_unlock(hdev); 4156 } 4157 4158 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 4159 { 4160 size_t parsed = 0; 4161 4162 while (parsed < eir_len) { 4163 u8 field_len = eir[0]; 4164 4165 if (field_len == 0) 4166 return parsed; 4167 4168 parsed += field_len + 1; 4169 eir += field_len + 1; 4170 } 4171 4172 return eir_len; 4173 } 4174 4175 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 4176 struct sk_buff *skb) 4177 { 4178 struct inquiry_data data; 4179 struct extended_inquiry_info *info = (void *) (skb->data + 1); 4180 int num_rsp = *((__u8 *) skb->data); 4181 size_t eir_len; 4182 4183 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4184 4185 if (!num_rsp) 4186 return; 4187 4188 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4189 return; 4190 4191 hci_dev_lock(hdev); 4192 4193 for (; num_rsp; num_rsp--, info++) { 4194 u32 flags; 4195 bool name_known; 4196 4197 bacpy(&data.bdaddr, &info->bdaddr); 4198 data.pscan_rep_mode = info->pscan_rep_mode; 4199 data.pscan_period_mode = info->pscan_period_mode; 4200 data.pscan_mode = 0x00; 4201 memcpy(data.dev_class, info->dev_class, 3); 4202 data.clock_offset = info->clock_offset; 4203 data.rssi = info->rssi; 4204 data.ssp_mode = 0x01; 4205 4206 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4207 name_known = eir_get_data(info->data, 4208 sizeof(info->data), 4209 EIR_NAME_COMPLETE, NULL); 4210 else 4211 name_known = true; 4212 4213 flags = hci_inquiry_cache_update(hdev, &data, name_known); 4214 4215 eir_len = eir_get_length(info->data, sizeof(info->data)); 4216 4217 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4218 info->dev_class, info->rssi, 4219 flags, info->data, eir_len, NULL, 0); 4220 } 4221 4222 hci_dev_unlock(hdev); 4223 } 4224 4225 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 4226 struct sk_buff *skb) 4227 { 4228 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 4229 struct hci_conn *conn; 4230 4231 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 4232 __le16_to_cpu(ev->handle)); 4233 4234 hci_dev_lock(hdev); 4235 4236 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4237 if (!conn) 4238 goto unlock; 4239 4240 /* For BR/EDR the necessary steps are taken through the 4241 * auth_complete event. 4242 */ 4243 if (conn->type != LE_LINK) 4244 goto unlock; 4245 4246 if (!ev->status) 4247 conn->sec_level = conn->pending_sec_level; 4248 4249 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 4250 4251 if (ev->status && conn->state == BT_CONNECTED) { 4252 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4253 hci_conn_drop(conn); 4254 goto unlock; 4255 } 4256 4257 if (conn->state == BT_CONFIG) { 4258 if (!ev->status) 4259 conn->state = BT_CONNECTED; 4260 4261 hci_connect_cfm(conn, ev->status); 4262 hci_conn_drop(conn); 4263 } else { 4264 hci_auth_cfm(conn, ev->status); 4265 4266 hci_conn_hold(conn); 4267 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4268 hci_conn_drop(conn); 4269 } 4270 4271 unlock: 4272 hci_dev_unlock(hdev); 4273 } 4274 4275 static u8 hci_get_auth_req(struct hci_conn *conn) 4276 { 4277 /* If remote requests no-bonding follow that lead */ 4278 if (conn->remote_auth == HCI_AT_NO_BONDING || 4279 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 4280 return conn->remote_auth | (conn->auth_type & 0x01); 4281 4282 /* If both remote and local have enough IO capabilities, require 4283 * MITM protection 4284 */ 4285 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 4286 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 4287 return conn->remote_auth | 0x01; 4288 4289 /* No MITM protection possible so ignore remote requirement */ 4290 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 4291 } 4292 4293 static u8 bredr_oob_data_present(struct hci_conn *conn) 4294 { 4295 struct hci_dev *hdev = conn->hdev; 4296 struct oob_data *data; 4297 4298 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 4299 if (!data) 4300 return 0x00; 4301 4302 if (bredr_sc_enabled(hdev)) { 4303 /* When Secure Connections is enabled, then just 4304 * return the present value stored with the OOB 4305 * data. The stored value contains the right present 4306 * information. However it can only be trusted when 4307 * not in Secure Connection Only mode. 4308 */ 4309 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 4310 return data->present; 4311 4312 /* When Secure Connections Only mode is enabled, then 4313 * the P-256 values are required. If they are not 4314 * available, then do not declare that OOB data is 4315 * present. 4316 */ 4317 if (!memcmp(data->rand256, ZERO_KEY, 16) || 4318 !memcmp(data->hash256, ZERO_KEY, 16)) 4319 return 0x00; 4320 4321 return 0x02; 4322 } 4323 4324 /* When Secure Connections is not enabled or actually 4325 * not supported by the hardware, then check that if 4326 * P-192 data values are present. 4327 */ 4328 if (!memcmp(data->rand192, ZERO_KEY, 16) || 4329 !memcmp(data->hash192, ZERO_KEY, 16)) 4330 return 0x00; 4331 4332 return 0x01; 4333 } 4334 4335 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4336 { 4337 struct hci_ev_io_capa_request *ev = (void *) skb->data; 4338 struct hci_conn *conn; 4339 4340 BT_DBG("%s", hdev->name); 4341 4342 hci_dev_lock(hdev); 4343 4344 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4345 if (!conn) 4346 goto unlock; 4347 4348 hci_conn_hold(conn); 4349 4350 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4351 goto unlock; 4352 4353 /* Allow pairing if we're pairable, the initiators of the 4354 * pairing or if the remote is not requesting bonding. 4355 */ 4356 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4357 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4358 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4359 struct hci_cp_io_capability_reply cp; 4360 4361 bacpy(&cp.bdaddr, &ev->bdaddr); 4362 /* Change the IO capability from KeyboardDisplay 4363 * to DisplayYesNo as it is not supported by BT spec. */ 4364 cp.capability = (conn->io_capability == 0x04) ? 4365 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4366 4367 /* If we are initiators, there is no remote information yet */ 4368 if (conn->remote_auth == 0xff) { 4369 /* Request MITM protection if our IO caps allow it 4370 * except for the no-bonding case. 4371 */ 4372 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4373 conn->auth_type != HCI_AT_NO_BONDING) 4374 conn->auth_type |= 0x01; 4375 } else { 4376 conn->auth_type = hci_get_auth_req(conn); 4377 } 4378 4379 /* If we're not bondable, force one of the non-bondable 4380 * authentication requirement values. 4381 */ 4382 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4383 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4384 4385 cp.authentication = conn->auth_type; 4386 cp.oob_data = bredr_oob_data_present(conn); 4387 4388 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4389 sizeof(cp), &cp); 4390 } else { 4391 struct hci_cp_io_capability_neg_reply cp; 4392 4393 bacpy(&cp.bdaddr, &ev->bdaddr); 4394 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4395 4396 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4397 sizeof(cp), &cp); 4398 } 4399 4400 unlock: 4401 hci_dev_unlock(hdev); 4402 } 4403 4404 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4405 { 4406 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4407 struct hci_conn *conn; 4408 4409 BT_DBG("%s", hdev->name); 4410 4411 hci_dev_lock(hdev); 4412 4413 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4414 if (!conn) 4415 goto unlock; 4416 4417 conn->remote_cap = ev->capability; 4418 conn->remote_auth = ev->authentication; 4419 4420 unlock: 4421 hci_dev_unlock(hdev); 4422 } 4423 4424 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4425 struct sk_buff *skb) 4426 { 4427 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4428 int loc_mitm, rem_mitm, confirm_hint = 0; 4429 struct hci_conn *conn; 4430 4431 BT_DBG("%s", hdev->name); 4432 4433 hci_dev_lock(hdev); 4434 4435 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4436 goto unlock; 4437 4438 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4439 if (!conn) 4440 goto unlock; 4441 4442 loc_mitm = (conn->auth_type & 0x01); 4443 rem_mitm = (conn->remote_auth & 0x01); 4444 4445 /* If we require MITM but the remote device can't provide that 4446 * (it has NoInputNoOutput) then reject the confirmation 4447 * request. We check the security level here since it doesn't 4448 * necessarily match conn->auth_type. 4449 */ 4450 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4451 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4452 BT_DBG("Rejecting request: remote device can't provide MITM"); 4453 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4454 sizeof(ev->bdaddr), &ev->bdaddr); 4455 goto unlock; 4456 } 4457 4458 /* If no side requires MITM protection; auto-accept */ 4459 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4460 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4461 4462 /* If we're not the initiators request authorization to 4463 * proceed from user space (mgmt_user_confirm with 4464 * confirm_hint set to 1). The exception is if neither 4465 * side had MITM or if the local IO capability is 4466 * NoInputNoOutput, in which case we do auto-accept 4467 */ 4468 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4469 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4470 (loc_mitm || rem_mitm)) { 4471 BT_DBG("Confirming auto-accept as acceptor"); 4472 confirm_hint = 1; 4473 goto confirm; 4474 } 4475 4476 BT_DBG("Auto-accept of user confirmation with %ums delay", 4477 hdev->auto_accept_delay); 4478 4479 if (hdev->auto_accept_delay > 0) { 4480 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4481 queue_delayed_work(conn->hdev->workqueue, 4482 &conn->auto_accept_work, delay); 4483 goto unlock; 4484 } 4485 4486 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4487 sizeof(ev->bdaddr), &ev->bdaddr); 4488 goto unlock; 4489 } 4490 4491 confirm: 4492 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4493 le32_to_cpu(ev->passkey), confirm_hint); 4494 4495 unlock: 4496 hci_dev_unlock(hdev); 4497 } 4498 4499 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4500 struct sk_buff *skb) 4501 { 4502 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4503 4504 BT_DBG("%s", hdev->name); 4505 4506 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4507 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4508 } 4509 4510 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4511 struct sk_buff *skb) 4512 { 4513 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4514 struct hci_conn *conn; 4515 4516 BT_DBG("%s", hdev->name); 4517 4518 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4519 if (!conn) 4520 return; 4521 4522 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4523 conn->passkey_entered = 0; 4524 4525 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4526 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4527 conn->dst_type, conn->passkey_notify, 4528 conn->passkey_entered); 4529 } 4530 4531 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4532 { 4533 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4534 struct hci_conn *conn; 4535 4536 BT_DBG("%s", hdev->name); 4537 4538 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4539 if (!conn) 4540 return; 4541 4542 switch (ev->type) { 4543 case HCI_KEYPRESS_STARTED: 4544 conn->passkey_entered = 0; 4545 return; 4546 4547 case HCI_KEYPRESS_ENTERED: 4548 conn->passkey_entered++; 4549 break; 4550 4551 case HCI_KEYPRESS_ERASED: 4552 conn->passkey_entered--; 4553 break; 4554 4555 case HCI_KEYPRESS_CLEARED: 4556 conn->passkey_entered = 0; 4557 break; 4558 4559 case HCI_KEYPRESS_COMPLETED: 4560 return; 4561 } 4562 4563 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4564 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4565 conn->dst_type, conn->passkey_notify, 4566 conn->passkey_entered); 4567 } 4568 4569 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4570 struct sk_buff *skb) 4571 { 4572 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4573 struct hci_conn *conn; 4574 4575 BT_DBG("%s", hdev->name); 4576 4577 hci_dev_lock(hdev); 4578 4579 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4580 if (!conn) 4581 goto unlock; 4582 4583 /* Reset the authentication requirement to unknown */ 4584 conn->remote_auth = 0xff; 4585 4586 /* To avoid duplicate auth_failed events to user space we check 4587 * the HCI_CONN_AUTH_PEND flag which will be set if we 4588 * initiated the authentication. A traditional auth_complete 4589 * event gets always produced as initiator and is also mapped to 4590 * the mgmt_auth_failed event */ 4591 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4592 mgmt_auth_failed(conn, ev->status); 4593 4594 hci_conn_drop(conn); 4595 4596 unlock: 4597 hci_dev_unlock(hdev); 4598 } 4599 4600 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4601 struct sk_buff *skb) 4602 { 4603 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4604 struct inquiry_entry *ie; 4605 struct hci_conn *conn; 4606 4607 BT_DBG("%s", hdev->name); 4608 4609 hci_dev_lock(hdev); 4610 4611 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4612 if (conn) 4613 memcpy(conn->features[1], ev->features, 8); 4614 4615 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4616 if (ie) 4617 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4618 4619 hci_dev_unlock(hdev); 4620 } 4621 4622 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4623 struct sk_buff *skb) 4624 { 4625 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4626 struct oob_data *data; 4627 4628 BT_DBG("%s", hdev->name); 4629 4630 hci_dev_lock(hdev); 4631 4632 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4633 goto unlock; 4634 4635 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4636 if (!data) { 4637 struct hci_cp_remote_oob_data_neg_reply cp; 4638 4639 bacpy(&cp.bdaddr, &ev->bdaddr); 4640 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4641 sizeof(cp), &cp); 4642 goto unlock; 4643 } 4644 4645 if (bredr_sc_enabled(hdev)) { 4646 struct hci_cp_remote_oob_ext_data_reply cp; 4647 4648 bacpy(&cp.bdaddr, &ev->bdaddr); 4649 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4650 memset(cp.hash192, 0, sizeof(cp.hash192)); 4651 memset(cp.rand192, 0, sizeof(cp.rand192)); 4652 } else { 4653 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4654 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4655 } 4656 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4657 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4658 4659 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4660 sizeof(cp), &cp); 4661 } else { 4662 struct hci_cp_remote_oob_data_reply cp; 4663 4664 bacpy(&cp.bdaddr, &ev->bdaddr); 4665 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4666 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4667 4668 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4669 sizeof(cp), &cp); 4670 } 4671 4672 unlock: 4673 hci_dev_unlock(hdev); 4674 } 4675 4676 #if IS_ENABLED(CONFIG_BT_HS) 4677 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4678 { 4679 struct hci_ev_channel_selected *ev = (void *)skb->data; 4680 struct hci_conn *hcon; 4681 4682 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4683 4684 skb_pull(skb, sizeof(*ev)); 4685 4686 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4687 if (!hcon) 4688 return; 4689 4690 amp_read_loc_assoc_final_data(hdev, hcon); 4691 } 4692 4693 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4694 struct sk_buff *skb) 4695 { 4696 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4697 struct hci_conn *hcon, *bredr_hcon; 4698 4699 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4700 ev->status); 4701 4702 hci_dev_lock(hdev); 4703 4704 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4705 if (!hcon) { 4706 hci_dev_unlock(hdev); 4707 return; 4708 } 4709 4710 if (ev->status) { 4711 hci_conn_del(hcon); 4712 hci_dev_unlock(hdev); 4713 return; 4714 } 4715 4716 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4717 4718 hcon->state = BT_CONNECTED; 4719 bacpy(&hcon->dst, &bredr_hcon->dst); 4720 4721 hci_conn_hold(hcon); 4722 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4723 hci_conn_drop(hcon); 4724 4725 hci_debugfs_create_conn(hcon); 4726 hci_conn_add_sysfs(hcon); 4727 4728 amp_physical_cfm(bredr_hcon, hcon); 4729 4730 hci_dev_unlock(hdev); 4731 } 4732 4733 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4734 { 4735 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4736 struct hci_conn *hcon; 4737 struct hci_chan *hchan; 4738 struct amp_mgr *mgr; 4739 4740 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4741 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4742 ev->status); 4743 4744 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4745 if (!hcon) 4746 return; 4747 4748 /* Create AMP hchan */ 4749 hchan = hci_chan_create(hcon); 4750 if (!hchan) 4751 return; 4752 4753 hchan->handle = le16_to_cpu(ev->handle); 4754 4755 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4756 4757 mgr = hcon->amp_mgr; 4758 if (mgr && mgr->bredr_chan) { 4759 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4760 4761 l2cap_chan_lock(bredr_chan); 4762 4763 bredr_chan->conn->mtu = hdev->block_mtu; 4764 l2cap_logical_cfm(bredr_chan, hchan, 0); 4765 hci_conn_hold(hcon); 4766 4767 l2cap_chan_unlock(bredr_chan); 4768 } 4769 } 4770 4771 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 4772 struct sk_buff *skb) 4773 { 4774 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 4775 struct hci_chan *hchan; 4776 4777 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 4778 le16_to_cpu(ev->handle), ev->status); 4779 4780 if (ev->status) 4781 return; 4782 4783 hci_dev_lock(hdev); 4784 4785 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 4786 if (!hchan) 4787 goto unlock; 4788 4789 amp_destroy_logical_link(hchan, ev->reason); 4790 4791 unlock: 4792 hci_dev_unlock(hdev); 4793 } 4794 4795 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 4796 struct sk_buff *skb) 4797 { 4798 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 4799 struct hci_conn *hcon; 4800 4801 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4802 4803 if (ev->status) 4804 return; 4805 4806 hci_dev_lock(hdev); 4807 4808 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4809 if (hcon) { 4810 hcon->state = BT_CLOSED; 4811 hci_conn_del(hcon); 4812 } 4813 4814 hci_dev_unlock(hdev); 4815 } 4816 #endif 4817 4818 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 4819 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle, 4820 u16 interval, u16 latency, u16 supervision_timeout) 4821 { 4822 struct hci_conn_params *params; 4823 struct hci_conn *conn; 4824 struct smp_irk *irk; 4825 u8 addr_type; 4826 4827 hci_dev_lock(hdev); 4828 4829 /* All controllers implicitly stop advertising in the event of a 4830 * connection, so ensure that the state bit is cleared. 4831 */ 4832 hci_dev_clear_flag(hdev, HCI_LE_ADV); 4833 4834 conn = hci_lookup_le_connect(hdev); 4835 if (!conn) { 4836 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 4837 if (!conn) { 4838 bt_dev_err(hdev, "no memory for new connection"); 4839 goto unlock; 4840 } 4841 4842 conn->dst_type = bdaddr_type; 4843 4844 /* If we didn't have a hci_conn object previously 4845 * but we're in master role this must be something 4846 * initiated using a white list. Since white list based 4847 * connections are not "first class citizens" we don't 4848 * have full tracking of them. Therefore, we go ahead 4849 * with a "best effort" approach of determining the 4850 * initiator address based on the HCI_PRIVACY flag. 4851 */ 4852 if (conn->out) { 4853 conn->resp_addr_type = bdaddr_type; 4854 bacpy(&conn->resp_addr, bdaddr); 4855 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 4856 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 4857 bacpy(&conn->init_addr, &hdev->rpa); 4858 } else { 4859 hci_copy_identity_address(hdev, 4860 &conn->init_addr, 4861 &conn->init_addr_type); 4862 } 4863 } 4864 } else { 4865 cancel_delayed_work(&conn->le_conn_timeout); 4866 } 4867 4868 if (!conn->out) { 4869 /* Set the responder (our side) address type based on 4870 * the advertising address type. 4871 */ 4872 conn->resp_addr_type = hdev->adv_addr_type; 4873 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 4874 /* In case of ext adv, resp_addr will be updated in 4875 * Adv Terminated event. 4876 */ 4877 if (!ext_adv_capable(hdev)) 4878 bacpy(&conn->resp_addr, &hdev->random_addr); 4879 } else { 4880 bacpy(&conn->resp_addr, &hdev->bdaddr); 4881 } 4882 4883 conn->init_addr_type = bdaddr_type; 4884 bacpy(&conn->init_addr, bdaddr); 4885 4886 /* For incoming connections, set the default minimum 4887 * and maximum connection interval. They will be used 4888 * to check if the parameters are in range and if not 4889 * trigger the connection update procedure. 4890 */ 4891 conn->le_conn_min_interval = hdev->le_conn_min_interval; 4892 conn->le_conn_max_interval = hdev->le_conn_max_interval; 4893 } 4894 4895 /* Lookup the identity address from the stored connection 4896 * address and address type. 4897 * 4898 * When establishing connections to an identity address, the 4899 * connection procedure will store the resolvable random 4900 * address first. Now if it can be converted back into the 4901 * identity address, start using the identity address from 4902 * now on. 4903 */ 4904 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 4905 if (irk) { 4906 bacpy(&conn->dst, &irk->bdaddr); 4907 conn->dst_type = irk->addr_type; 4908 } 4909 4910 if (status) { 4911 hci_le_conn_failed(conn, status); 4912 goto unlock; 4913 } 4914 4915 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 4916 addr_type = BDADDR_LE_PUBLIC; 4917 else 4918 addr_type = BDADDR_LE_RANDOM; 4919 4920 /* Drop the connection if the device is blocked */ 4921 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 4922 hci_conn_drop(conn); 4923 goto unlock; 4924 } 4925 4926 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4927 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4928 4929 conn->sec_level = BT_SECURITY_LOW; 4930 conn->handle = handle; 4931 conn->state = BT_CONFIG; 4932 4933 conn->le_conn_interval = interval; 4934 conn->le_conn_latency = latency; 4935 conn->le_supv_timeout = supervision_timeout; 4936 4937 hci_debugfs_create_conn(conn); 4938 hci_conn_add_sysfs(conn); 4939 4940 /* The remote features procedure is defined for master 4941 * role only. So only in case of an initiated connection 4942 * request the remote features. 4943 * 4944 * If the local controller supports slave-initiated features 4945 * exchange, then requesting the remote features in slave 4946 * role is possible. Otherwise just transition into the 4947 * connected state without requesting the remote features. 4948 */ 4949 if (conn->out || 4950 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 4951 struct hci_cp_le_read_remote_features cp; 4952 4953 cp.handle = __cpu_to_le16(conn->handle); 4954 4955 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 4956 sizeof(cp), &cp); 4957 4958 hci_conn_hold(conn); 4959 } else { 4960 conn->state = BT_CONNECTED; 4961 hci_connect_cfm(conn, status); 4962 } 4963 4964 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 4965 conn->dst_type); 4966 if (params) { 4967 list_del_init(¶ms->action); 4968 if (params->conn) { 4969 hci_conn_drop(params->conn); 4970 hci_conn_put(params->conn); 4971 params->conn = NULL; 4972 } 4973 } 4974 4975 unlock: 4976 hci_update_background_scan(hdev); 4977 hci_dev_unlock(hdev); 4978 } 4979 4980 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4981 { 4982 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 4983 4984 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4985 4986 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 4987 ev->role, le16_to_cpu(ev->handle), 4988 le16_to_cpu(ev->interval), 4989 le16_to_cpu(ev->latency), 4990 le16_to_cpu(ev->supervision_timeout)); 4991 } 4992 4993 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, 4994 struct sk_buff *skb) 4995 { 4996 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data; 4997 4998 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4999 5000 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5001 ev->role, le16_to_cpu(ev->handle), 5002 le16_to_cpu(ev->interval), 5003 le16_to_cpu(ev->latency), 5004 le16_to_cpu(ev->supervision_timeout)); 5005 } 5006 5007 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) 5008 { 5009 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data; 5010 struct hci_conn *conn; 5011 5012 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5013 5014 if (ev->status) 5015 return; 5016 5017 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5018 if (conn) { 5019 struct adv_info *adv_instance; 5020 5021 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM) 5022 return; 5023 5024 if (!hdev->cur_adv_instance) { 5025 bacpy(&conn->resp_addr, &hdev->random_addr); 5026 return; 5027 } 5028 5029 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance); 5030 if (adv_instance) 5031 bacpy(&conn->resp_addr, &adv_instance->random_addr); 5032 } 5033 } 5034 5035 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 5036 struct sk_buff *skb) 5037 { 5038 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 5039 struct hci_conn *conn; 5040 5041 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5042 5043 if (ev->status) 5044 return; 5045 5046 hci_dev_lock(hdev); 5047 5048 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5049 if (conn) { 5050 conn->le_conn_interval = le16_to_cpu(ev->interval); 5051 conn->le_conn_latency = le16_to_cpu(ev->latency); 5052 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5053 } 5054 5055 hci_dev_unlock(hdev); 5056 } 5057 5058 /* This function requires the caller holds hdev->lock */ 5059 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5060 bdaddr_t *addr, 5061 u8 addr_type, u8 adv_type, 5062 bdaddr_t *direct_rpa) 5063 { 5064 struct hci_conn *conn; 5065 struct hci_conn_params *params; 5066 5067 /* If the event is not connectable don't proceed further */ 5068 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5069 return NULL; 5070 5071 /* Ignore if the device is blocked */ 5072 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 5073 return NULL; 5074 5075 /* Most controller will fail if we try to create new connections 5076 * while we have an existing one in slave role. 5077 */ 5078 if (hdev->conn_hash.le_num_slave > 0) 5079 return NULL; 5080 5081 /* If we're not connectable only connect devices that we have in 5082 * our pend_le_conns list. 5083 */ 5084 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5085 addr_type); 5086 if (!params) 5087 return NULL; 5088 5089 if (!params->explicit_connect) { 5090 switch (params->auto_connect) { 5091 case HCI_AUTO_CONN_DIRECT: 5092 /* Only devices advertising with ADV_DIRECT_IND are 5093 * triggering a connection attempt. This is allowing 5094 * incoming connections from slave devices. 5095 */ 5096 if (adv_type != LE_ADV_DIRECT_IND) 5097 return NULL; 5098 break; 5099 case HCI_AUTO_CONN_ALWAYS: 5100 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5101 * are triggering a connection attempt. This means 5102 * that incoming connectioms from slave device are 5103 * accepted and also outgoing connections to slave 5104 * devices are established when found. 5105 */ 5106 break; 5107 default: 5108 return NULL; 5109 } 5110 } 5111 5112 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 5113 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER, 5114 direct_rpa); 5115 if (!IS_ERR(conn)) { 5116 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5117 * by higher layer that tried to connect, if no then 5118 * store the pointer since we don't really have any 5119 * other owner of the object besides the params that 5120 * triggered it. This way we can abort the connection if 5121 * the parameters get removed and keep the reference 5122 * count consistent once the connection is established. 5123 */ 5124 5125 if (!params->explicit_connect) 5126 params->conn = hci_conn_get(conn); 5127 5128 return conn; 5129 } 5130 5131 switch (PTR_ERR(conn)) { 5132 case -EBUSY: 5133 /* If hci_connect() returns -EBUSY it means there is already 5134 * an LE connection attempt going on. Since controllers don't 5135 * support more than one connection attempt at the time, we 5136 * don't consider this an error case. 5137 */ 5138 break; 5139 default: 5140 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5141 return NULL; 5142 } 5143 5144 return NULL; 5145 } 5146 5147 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 5148 u8 bdaddr_type, bdaddr_t *direct_addr, 5149 u8 direct_addr_type, s8 rssi, u8 *data, u8 len) 5150 { 5151 struct discovery_state *d = &hdev->discovery; 5152 struct smp_irk *irk; 5153 struct hci_conn *conn; 5154 bool match; 5155 u32 flags; 5156 u8 *ptr, real_len; 5157 5158 switch (type) { 5159 case LE_ADV_IND: 5160 case LE_ADV_DIRECT_IND: 5161 case LE_ADV_SCAN_IND: 5162 case LE_ADV_NONCONN_IND: 5163 case LE_ADV_SCAN_RSP: 5164 break; 5165 default: 5166 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 5167 "type: 0x%02x", type); 5168 return; 5169 } 5170 5171 /* Find the end of the data in case the report contains padded zero 5172 * bytes at the end causing an invalid length value. 5173 * 5174 * When data is NULL, len is 0 so there is no need for extra ptr 5175 * check as 'ptr < data + 0' is already false in such case. 5176 */ 5177 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 5178 if (ptr + 1 + *ptr > data + len) 5179 break; 5180 } 5181 5182 real_len = ptr - data; 5183 5184 /* Adjust for actual length */ 5185 if (len != real_len) { 5186 bt_dev_err_ratelimited(hdev, "advertising data len corrected"); 5187 len = real_len; 5188 } 5189 5190 /* If the direct address is present, then this report is from 5191 * a LE Direct Advertising Report event. In that case it is 5192 * important to see if the address is matching the local 5193 * controller address. 5194 */ 5195 if (direct_addr) { 5196 /* Only resolvable random addresses are valid for these 5197 * kind of reports and others can be ignored. 5198 */ 5199 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 5200 return; 5201 5202 /* If the controller is not using resolvable random 5203 * addresses, then this report can be ignored. 5204 */ 5205 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 5206 return; 5207 5208 /* If the local IRK of the controller does not match 5209 * with the resolvable random address provided, then 5210 * this report can be ignored. 5211 */ 5212 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 5213 return; 5214 } 5215 5216 /* Check if we need to convert to identity address */ 5217 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 5218 if (irk) { 5219 bdaddr = &irk->bdaddr; 5220 bdaddr_type = irk->addr_type; 5221 } 5222 5223 /* Check if we have been requested to connect to this device. 5224 * 5225 * direct_addr is set only for directed advertising reports (it is NULL 5226 * for advertising reports) and is already verified to be RPA above. 5227 */ 5228 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, 5229 direct_addr); 5230 if (conn && type == LE_ADV_IND) { 5231 /* Store report for later inclusion by 5232 * mgmt_device_connected 5233 */ 5234 memcpy(conn->le_adv_data, data, len); 5235 conn->le_adv_data_len = len; 5236 } 5237 5238 /* Passive scanning shouldn't trigger any device found events, 5239 * except for devices marked as CONN_REPORT for which we do send 5240 * device found events. 5241 */ 5242 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 5243 if (type == LE_ADV_DIRECT_IND) 5244 return; 5245 5246 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 5247 bdaddr, bdaddr_type)) 5248 return; 5249 5250 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 5251 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5252 else 5253 flags = 0; 5254 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5255 rssi, flags, data, len, NULL, 0); 5256 return; 5257 } 5258 5259 /* When receiving non-connectable or scannable undirected 5260 * advertising reports, this means that the remote device is 5261 * not connectable and then clearly indicate this in the 5262 * device found event. 5263 * 5264 * When receiving a scan response, then there is no way to 5265 * know if the remote device is connectable or not. However 5266 * since scan responses are merged with a previously seen 5267 * advertising report, the flags field from that report 5268 * will be used. 5269 * 5270 * In the really unlikely case that a controller get confused 5271 * and just sends a scan response event, then it is marked as 5272 * not connectable as well. 5273 */ 5274 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 5275 type == LE_ADV_SCAN_RSP) 5276 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5277 else 5278 flags = 0; 5279 5280 /* If there's nothing pending either store the data from this 5281 * event or send an immediate device found event if the data 5282 * should not be stored for later. 5283 */ 5284 if (!has_pending_adv_report(hdev)) { 5285 /* If the report will trigger a SCAN_REQ store it for 5286 * later merging. 5287 */ 5288 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5289 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5290 rssi, flags, data, len); 5291 return; 5292 } 5293 5294 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5295 rssi, flags, data, len, NULL, 0); 5296 return; 5297 } 5298 5299 /* Check if the pending report is for the same device as the new one */ 5300 match = (!bacmp(bdaddr, &d->last_adv_addr) && 5301 bdaddr_type == d->last_adv_addr_type); 5302 5303 /* If the pending data doesn't match this report or this isn't a 5304 * scan response (e.g. we got a duplicate ADV_IND) then force 5305 * sending of the pending data. 5306 */ 5307 if (type != LE_ADV_SCAN_RSP || !match) { 5308 /* Send out whatever is in the cache, but skip duplicates */ 5309 if (!match) 5310 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5311 d->last_adv_addr_type, NULL, 5312 d->last_adv_rssi, d->last_adv_flags, 5313 d->last_adv_data, 5314 d->last_adv_data_len, NULL, 0); 5315 5316 /* If the new report will trigger a SCAN_REQ store it for 5317 * later merging. 5318 */ 5319 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5320 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5321 rssi, flags, data, len); 5322 return; 5323 } 5324 5325 /* The advertising reports cannot be merged, so clear 5326 * the pending report and send out a device found event. 5327 */ 5328 clear_pending_adv_report(hdev); 5329 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5330 rssi, flags, data, len, NULL, 0); 5331 return; 5332 } 5333 5334 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 5335 * the new event is a SCAN_RSP. We can therefore proceed with 5336 * sending a merged device found event. 5337 */ 5338 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5339 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 5340 d->last_adv_data, d->last_adv_data_len, data, len); 5341 clear_pending_adv_report(hdev); 5342 } 5343 5344 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5345 { 5346 u8 num_reports = skb->data[0]; 5347 void *ptr = &skb->data[1]; 5348 5349 hci_dev_lock(hdev); 5350 5351 while (num_reports--) { 5352 struct hci_ev_le_advertising_info *ev = ptr; 5353 s8 rssi; 5354 5355 if (ev->length <= HCI_MAX_AD_LENGTH) { 5356 rssi = ev->data[ev->length]; 5357 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5358 ev->bdaddr_type, NULL, 0, rssi, 5359 ev->data, ev->length); 5360 } else { 5361 bt_dev_err(hdev, "Dropping invalid advertising data"); 5362 } 5363 5364 ptr += sizeof(*ev) + ev->length + 1; 5365 } 5366 5367 hci_dev_unlock(hdev); 5368 } 5369 5370 static u8 ext_evt_type_to_legacy(u16 evt_type) 5371 { 5372 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 5373 switch (evt_type) { 5374 case LE_LEGACY_ADV_IND: 5375 return LE_ADV_IND; 5376 case LE_LEGACY_ADV_DIRECT_IND: 5377 return LE_ADV_DIRECT_IND; 5378 case LE_LEGACY_ADV_SCAN_IND: 5379 return LE_ADV_SCAN_IND; 5380 case LE_LEGACY_NONCONN_IND: 5381 return LE_ADV_NONCONN_IND; 5382 case LE_LEGACY_SCAN_RSP_ADV: 5383 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 5384 return LE_ADV_SCAN_RSP; 5385 } 5386 5387 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x", 5388 evt_type); 5389 5390 return LE_ADV_INVALID; 5391 } 5392 5393 if (evt_type & LE_EXT_ADV_CONN_IND) { 5394 if (evt_type & LE_EXT_ADV_DIRECT_IND) 5395 return LE_ADV_DIRECT_IND; 5396 5397 return LE_ADV_IND; 5398 } 5399 5400 if (evt_type & LE_EXT_ADV_SCAN_RSP) 5401 return LE_ADV_SCAN_RSP; 5402 5403 if (evt_type & LE_EXT_ADV_SCAN_IND) 5404 return LE_ADV_SCAN_IND; 5405 5406 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 5407 evt_type & LE_EXT_ADV_DIRECT_IND) 5408 return LE_ADV_NONCONN_IND; 5409 5410 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x", 5411 evt_type); 5412 5413 return LE_ADV_INVALID; 5414 } 5415 5416 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5417 { 5418 u8 num_reports = skb->data[0]; 5419 void *ptr = &skb->data[1]; 5420 5421 hci_dev_lock(hdev); 5422 5423 while (num_reports--) { 5424 struct hci_ev_le_ext_adv_report *ev = ptr; 5425 u8 legacy_evt_type; 5426 u16 evt_type; 5427 5428 evt_type = __le16_to_cpu(ev->evt_type); 5429 legacy_evt_type = ext_evt_type_to_legacy(evt_type); 5430 if (legacy_evt_type != LE_ADV_INVALID) { 5431 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, 5432 ev->bdaddr_type, NULL, 0, ev->rssi, 5433 ev->data, ev->length); 5434 } 5435 5436 ptr += sizeof(*ev) + ev->length + 1; 5437 } 5438 5439 hci_dev_unlock(hdev); 5440 } 5441 5442 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 5443 struct sk_buff *skb) 5444 { 5445 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 5446 struct hci_conn *conn; 5447 5448 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5449 5450 hci_dev_lock(hdev); 5451 5452 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5453 if (conn) { 5454 if (!ev->status) 5455 memcpy(conn->features[0], ev->features, 8); 5456 5457 if (conn->state == BT_CONFIG) { 5458 __u8 status; 5459 5460 /* If the local controller supports slave-initiated 5461 * features exchange, but the remote controller does 5462 * not, then it is possible that the error code 0x1a 5463 * for unsupported remote feature gets returned. 5464 * 5465 * In this specific case, allow the connection to 5466 * transition into connected state and mark it as 5467 * successful. 5468 */ 5469 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 5470 !conn->out && ev->status == 0x1a) 5471 status = 0x00; 5472 else 5473 status = ev->status; 5474 5475 conn->state = BT_CONNECTED; 5476 hci_connect_cfm(conn, status); 5477 hci_conn_drop(conn); 5478 } 5479 } 5480 5481 hci_dev_unlock(hdev); 5482 } 5483 5484 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 5485 { 5486 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 5487 struct hci_cp_le_ltk_reply cp; 5488 struct hci_cp_le_ltk_neg_reply neg; 5489 struct hci_conn *conn; 5490 struct smp_ltk *ltk; 5491 5492 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 5493 5494 hci_dev_lock(hdev); 5495 5496 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5497 if (conn == NULL) 5498 goto not_found; 5499 5500 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 5501 if (!ltk) 5502 goto not_found; 5503 5504 if (smp_ltk_is_sc(ltk)) { 5505 /* With SC both EDiv and Rand are set to zero */ 5506 if (ev->ediv || ev->rand) 5507 goto not_found; 5508 } else { 5509 /* For non-SC keys check that EDiv and Rand match */ 5510 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 5511 goto not_found; 5512 } 5513 5514 memcpy(cp.ltk, ltk->val, ltk->enc_size); 5515 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 5516 cp.handle = cpu_to_le16(conn->handle); 5517 5518 conn->pending_sec_level = smp_ltk_sec_level(ltk); 5519 5520 conn->enc_key_size = ltk->enc_size; 5521 5522 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 5523 5524 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 5525 * temporary key used to encrypt a connection following 5526 * pairing. It is used during the Encrypted Session Setup to 5527 * distribute the keys. Later, security can be re-established 5528 * using a distributed LTK. 5529 */ 5530 if (ltk->type == SMP_STK) { 5531 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5532 list_del_rcu(<k->list); 5533 kfree_rcu(ltk, rcu); 5534 } else { 5535 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5536 } 5537 5538 hci_dev_unlock(hdev); 5539 5540 return; 5541 5542 not_found: 5543 neg.handle = ev->handle; 5544 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5545 hci_dev_unlock(hdev); 5546 } 5547 5548 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5549 u8 reason) 5550 { 5551 struct hci_cp_le_conn_param_req_neg_reply cp; 5552 5553 cp.handle = cpu_to_le16(handle); 5554 cp.reason = reason; 5555 5556 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5557 &cp); 5558 } 5559 5560 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5561 struct sk_buff *skb) 5562 { 5563 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5564 struct hci_cp_le_conn_param_req_reply cp; 5565 struct hci_conn *hcon; 5566 u16 handle, min, max, latency, timeout; 5567 5568 handle = le16_to_cpu(ev->handle); 5569 min = le16_to_cpu(ev->interval_min); 5570 max = le16_to_cpu(ev->interval_max); 5571 latency = le16_to_cpu(ev->latency); 5572 timeout = le16_to_cpu(ev->timeout); 5573 5574 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5575 if (!hcon || hcon->state != BT_CONNECTED) 5576 return send_conn_param_neg_reply(hdev, handle, 5577 HCI_ERROR_UNKNOWN_CONN_ID); 5578 5579 if (hci_check_conn_params(min, max, latency, timeout)) 5580 return send_conn_param_neg_reply(hdev, handle, 5581 HCI_ERROR_INVALID_LL_PARAMS); 5582 5583 if (hcon->role == HCI_ROLE_MASTER) { 5584 struct hci_conn_params *params; 5585 u8 store_hint; 5586 5587 hci_dev_lock(hdev); 5588 5589 params = hci_conn_params_lookup(hdev, &hcon->dst, 5590 hcon->dst_type); 5591 if (params) { 5592 params->conn_min_interval = min; 5593 params->conn_max_interval = max; 5594 params->conn_latency = latency; 5595 params->supervision_timeout = timeout; 5596 store_hint = 0x01; 5597 } else{ 5598 store_hint = 0x00; 5599 } 5600 5601 hci_dev_unlock(hdev); 5602 5603 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5604 store_hint, min, max, latency, timeout); 5605 } 5606 5607 cp.handle = ev->handle; 5608 cp.interval_min = ev->interval_min; 5609 cp.interval_max = ev->interval_max; 5610 cp.latency = ev->latency; 5611 cp.timeout = ev->timeout; 5612 cp.min_ce_len = 0; 5613 cp.max_ce_len = 0; 5614 5615 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5616 } 5617 5618 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5619 struct sk_buff *skb) 5620 { 5621 u8 num_reports = skb->data[0]; 5622 void *ptr = &skb->data[1]; 5623 5624 hci_dev_lock(hdev); 5625 5626 while (num_reports--) { 5627 struct hci_ev_le_direct_adv_info *ev = ptr; 5628 5629 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5630 ev->bdaddr_type, &ev->direct_addr, 5631 ev->direct_addr_type, ev->rssi, NULL, 0); 5632 5633 ptr += sizeof(*ev); 5634 } 5635 5636 hci_dev_unlock(hdev); 5637 } 5638 5639 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5640 { 5641 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5642 5643 skb_pull(skb, sizeof(*le_ev)); 5644 5645 switch (le_ev->subevent) { 5646 case HCI_EV_LE_CONN_COMPLETE: 5647 hci_le_conn_complete_evt(hdev, skb); 5648 break; 5649 5650 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5651 hci_le_conn_update_complete_evt(hdev, skb); 5652 break; 5653 5654 case HCI_EV_LE_ADVERTISING_REPORT: 5655 hci_le_adv_report_evt(hdev, skb); 5656 break; 5657 5658 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5659 hci_le_remote_feat_complete_evt(hdev, skb); 5660 break; 5661 5662 case HCI_EV_LE_LTK_REQ: 5663 hci_le_ltk_request_evt(hdev, skb); 5664 break; 5665 5666 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5667 hci_le_remote_conn_param_req_evt(hdev, skb); 5668 break; 5669 5670 case HCI_EV_LE_DIRECT_ADV_REPORT: 5671 hci_le_direct_adv_report_evt(hdev, skb); 5672 break; 5673 5674 case HCI_EV_LE_EXT_ADV_REPORT: 5675 hci_le_ext_adv_report_evt(hdev, skb); 5676 break; 5677 5678 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 5679 hci_le_enh_conn_complete_evt(hdev, skb); 5680 break; 5681 5682 case HCI_EV_LE_EXT_ADV_SET_TERM: 5683 hci_le_ext_adv_term_evt(hdev, skb); 5684 break; 5685 5686 default: 5687 break; 5688 } 5689 } 5690 5691 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5692 u8 event, struct sk_buff *skb) 5693 { 5694 struct hci_ev_cmd_complete *ev; 5695 struct hci_event_hdr *hdr; 5696 5697 if (!skb) 5698 return false; 5699 5700 if (skb->len < sizeof(*hdr)) { 5701 bt_dev_err(hdev, "too short HCI event"); 5702 return false; 5703 } 5704 5705 hdr = (void *) skb->data; 5706 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5707 5708 if (event) { 5709 if (hdr->evt != event) 5710 return false; 5711 return true; 5712 } 5713 5714 /* Check if request ended in Command Status - no way to retreive 5715 * any extra parameters in this case. 5716 */ 5717 if (hdr->evt == HCI_EV_CMD_STATUS) 5718 return false; 5719 5720 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5721 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 5722 hdr->evt); 5723 return false; 5724 } 5725 5726 if (skb->len < sizeof(*ev)) { 5727 bt_dev_err(hdev, "too short cmd_complete event"); 5728 return false; 5729 } 5730 5731 ev = (void *) skb->data; 5732 skb_pull(skb, sizeof(*ev)); 5733 5734 if (opcode != __le16_to_cpu(ev->opcode)) { 5735 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 5736 __le16_to_cpu(ev->opcode)); 5737 return false; 5738 } 5739 5740 return true; 5741 } 5742 5743 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 5744 { 5745 struct hci_event_hdr *hdr = (void *) skb->data; 5746 hci_req_complete_t req_complete = NULL; 5747 hci_req_complete_skb_t req_complete_skb = NULL; 5748 struct sk_buff *orig_skb = NULL; 5749 u8 status = 0, event = hdr->evt, req_evt = 0; 5750 u16 opcode = HCI_OP_NOP; 5751 5752 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 5753 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 5754 opcode = __le16_to_cpu(cmd_hdr->opcode); 5755 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 5756 &req_complete_skb); 5757 req_evt = event; 5758 } 5759 5760 /* If it looks like we might end up having to call 5761 * req_complete_skb, store a pristine copy of the skb since the 5762 * various handlers may modify the original one through 5763 * skb_pull() calls, etc. 5764 */ 5765 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 5766 event == HCI_EV_CMD_COMPLETE) 5767 orig_skb = skb_clone(skb, GFP_KERNEL); 5768 5769 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5770 5771 switch (event) { 5772 case HCI_EV_INQUIRY_COMPLETE: 5773 hci_inquiry_complete_evt(hdev, skb); 5774 break; 5775 5776 case HCI_EV_INQUIRY_RESULT: 5777 hci_inquiry_result_evt(hdev, skb); 5778 break; 5779 5780 case HCI_EV_CONN_COMPLETE: 5781 hci_conn_complete_evt(hdev, skb); 5782 break; 5783 5784 case HCI_EV_CONN_REQUEST: 5785 hci_conn_request_evt(hdev, skb); 5786 break; 5787 5788 case HCI_EV_DISCONN_COMPLETE: 5789 hci_disconn_complete_evt(hdev, skb); 5790 break; 5791 5792 case HCI_EV_AUTH_COMPLETE: 5793 hci_auth_complete_evt(hdev, skb); 5794 break; 5795 5796 case HCI_EV_REMOTE_NAME: 5797 hci_remote_name_evt(hdev, skb); 5798 break; 5799 5800 case HCI_EV_ENCRYPT_CHANGE: 5801 hci_encrypt_change_evt(hdev, skb); 5802 break; 5803 5804 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 5805 hci_change_link_key_complete_evt(hdev, skb); 5806 break; 5807 5808 case HCI_EV_REMOTE_FEATURES: 5809 hci_remote_features_evt(hdev, skb); 5810 break; 5811 5812 case HCI_EV_CMD_COMPLETE: 5813 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 5814 &req_complete, &req_complete_skb); 5815 break; 5816 5817 case HCI_EV_CMD_STATUS: 5818 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 5819 &req_complete_skb); 5820 break; 5821 5822 case HCI_EV_HARDWARE_ERROR: 5823 hci_hardware_error_evt(hdev, skb); 5824 break; 5825 5826 case HCI_EV_ROLE_CHANGE: 5827 hci_role_change_evt(hdev, skb); 5828 break; 5829 5830 case HCI_EV_NUM_COMP_PKTS: 5831 hci_num_comp_pkts_evt(hdev, skb); 5832 break; 5833 5834 case HCI_EV_MODE_CHANGE: 5835 hci_mode_change_evt(hdev, skb); 5836 break; 5837 5838 case HCI_EV_PIN_CODE_REQ: 5839 hci_pin_code_request_evt(hdev, skb); 5840 break; 5841 5842 case HCI_EV_LINK_KEY_REQ: 5843 hci_link_key_request_evt(hdev, skb); 5844 break; 5845 5846 case HCI_EV_LINK_KEY_NOTIFY: 5847 hci_link_key_notify_evt(hdev, skb); 5848 break; 5849 5850 case HCI_EV_CLOCK_OFFSET: 5851 hci_clock_offset_evt(hdev, skb); 5852 break; 5853 5854 case HCI_EV_PKT_TYPE_CHANGE: 5855 hci_pkt_type_change_evt(hdev, skb); 5856 break; 5857 5858 case HCI_EV_PSCAN_REP_MODE: 5859 hci_pscan_rep_mode_evt(hdev, skb); 5860 break; 5861 5862 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 5863 hci_inquiry_result_with_rssi_evt(hdev, skb); 5864 break; 5865 5866 case HCI_EV_REMOTE_EXT_FEATURES: 5867 hci_remote_ext_features_evt(hdev, skb); 5868 break; 5869 5870 case HCI_EV_SYNC_CONN_COMPLETE: 5871 hci_sync_conn_complete_evt(hdev, skb); 5872 break; 5873 5874 case HCI_EV_EXTENDED_INQUIRY_RESULT: 5875 hci_extended_inquiry_result_evt(hdev, skb); 5876 break; 5877 5878 case HCI_EV_KEY_REFRESH_COMPLETE: 5879 hci_key_refresh_complete_evt(hdev, skb); 5880 break; 5881 5882 case HCI_EV_IO_CAPA_REQUEST: 5883 hci_io_capa_request_evt(hdev, skb); 5884 break; 5885 5886 case HCI_EV_IO_CAPA_REPLY: 5887 hci_io_capa_reply_evt(hdev, skb); 5888 break; 5889 5890 case HCI_EV_USER_CONFIRM_REQUEST: 5891 hci_user_confirm_request_evt(hdev, skb); 5892 break; 5893 5894 case HCI_EV_USER_PASSKEY_REQUEST: 5895 hci_user_passkey_request_evt(hdev, skb); 5896 break; 5897 5898 case HCI_EV_USER_PASSKEY_NOTIFY: 5899 hci_user_passkey_notify_evt(hdev, skb); 5900 break; 5901 5902 case HCI_EV_KEYPRESS_NOTIFY: 5903 hci_keypress_notify_evt(hdev, skb); 5904 break; 5905 5906 case HCI_EV_SIMPLE_PAIR_COMPLETE: 5907 hci_simple_pair_complete_evt(hdev, skb); 5908 break; 5909 5910 case HCI_EV_REMOTE_HOST_FEATURES: 5911 hci_remote_host_features_evt(hdev, skb); 5912 break; 5913 5914 case HCI_EV_LE_META: 5915 hci_le_meta_evt(hdev, skb); 5916 break; 5917 5918 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 5919 hci_remote_oob_data_request_evt(hdev, skb); 5920 break; 5921 5922 #if IS_ENABLED(CONFIG_BT_HS) 5923 case HCI_EV_CHANNEL_SELECTED: 5924 hci_chan_selected_evt(hdev, skb); 5925 break; 5926 5927 case HCI_EV_PHY_LINK_COMPLETE: 5928 hci_phy_link_complete_evt(hdev, skb); 5929 break; 5930 5931 case HCI_EV_LOGICAL_LINK_COMPLETE: 5932 hci_loglink_complete_evt(hdev, skb); 5933 break; 5934 5935 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 5936 hci_disconn_loglink_complete_evt(hdev, skb); 5937 break; 5938 5939 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 5940 hci_disconn_phylink_complete_evt(hdev, skb); 5941 break; 5942 #endif 5943 5944 case HCI_EV_NUM_COMP_BLOCKS: 5945 hci_num_comp_blocks_evt(hdev, skb); 5946 break; 5947 5948 default: 5949 BT_DBG("%s event 0x%2.2x", hdev->name, event); 5950 break; 5951 } 5952 5953 if (req_complete) { 5954 req_complete(hdev, status, opcode); 5955 } else if (req_complete_skb) { 5956 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 5957 kfree_skb(orig_skb); 5958 orig_skb = NULL; 5959 } 5960 req_complete_skb(hdev, status, opcode, orig_skb); 5961 } 5962 5963 kfree_skb(orig_skb); 5964 kfree_skb(skb); 5965 hdev->stat.evt_rx++; 5966 } 5967