1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 #include "msft.h" 39 40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 41 "\x00\x00\x00\x00\x00\x00\x00\x00" 42 43 /* Handle HCI Event packets */ 44 45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, 46 u8 *new_status) 47 { 48 __u8 status = *((__u8 *) skb->data); 49 50 BT_DBG("%s status 0x%2.2x", hdev->name, status); 51 52 /* It is possible that we receive Inquiry Complete event right 53 * before we receive Inquiry Cancel Command Complete event, in 54 * which case the latter event should have status of Command 55 * Disallowed (0x0c). This should not be treated as error, since 56 * we actually achieve what Inquiry Cancel wants to achieve, 57 * which is to end the last Inquiry session. 58 */ 59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 61 status = 0x00; 62 } 63 64 *new_status = status; 65 66 if (status) 67 return; 68 69 clear_bit(HCI_INQUIRY, &hdev->flags); 70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 71 wake_up_bit(&hdev->flags, HCI_INQUIRY); 72 73 hci_dev_lock(hdev); 74 /* Set discovery state to stopped if we're not doing LE active 75 * scanning. 76 */ 77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 78 hdev->le_scan_type != LE_SCAN_ACTIVE) 79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 80 hci_dev_unlock(hdev); 81 82 hci_conn_check_pending(hdev); 83 } 84 85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 86 { 87 __u8 status = *((__u8 *) skb->data); 88 89 BT_DBG("%s status 0x%2.2x", hdev->name, status); 90 91 if (status) 92 return; 93 94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 95 } 96 97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 98 { 99 __u8 status = *((__u8 *) skb->data); 100 101 BT_DBG("%s status 0x%2.2x", hdev->name, status); 102 103 if (status) 104 return; 105 106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 107 108 hci_conn_check_pending(hdev); 109 } 110 111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 112 struct sk_buff *skb) 113 { 114 BT_DBG("%s", hdev->name); 115 } 116 117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 118 { 119 struct hci_rp_role_discovery *rp = (void *) skb->data; 120 struct hci_conn *conn; 121 122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 123 124 if (rp->status) 125 return; 126 127 hci_dev_lock(hdev); 128 129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 130 if (conn) 131 conn->role = rp->role; 132 133 hci_dev_unlock(hdev); 134 } 135 136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 137 { 138 struct hci_rp_read_link_policy *rp = (void *) skb->data; 139 struct hci_conn *conn; 140 141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 142 143 if (rp->status) 144 return; 145 146 hci_dev_lock(hdev); 147 148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 149 if (conn) 150 conn->link_policy = __le16_to_cpu(rp->policy); 151 152 hci_dev_unlock(hdev); 153 } 154 155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 156 { 157 struct hci_rp_write_link_policy *rp = (void *) skb->data; 158 struct hci_conn *conn; 159 void *sent; 160 161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 162 163 if (rp->status) 164 return; 165 166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 167 if (!sent) 168 return; 169 170 hci_dev_lock(hdev); 171 172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 173 if (conn) 174 conn->link_policy = get_unaligned_le16(sent + 2); 175 176 hci_dev_unlock(hdev); 177 } 178 179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 180 struct sk_buff *skb) 181 { 182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 183 184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 185 186 if (rp->status) 187 return; 188 189 hdev->link_policy = __le16_to_cpu(rp->policy); 190 } 191 192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 193 struct sk_buff *skb) 194 { 195 __u8 status = *((__u8 *) skb->data); 196 void *sent; 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 if (status) 201 return; 202 203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 204 if (!sent) 205 return; 206 207 hdev->link_policy = get_unaligned_le16(sent); 208 } 209 210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 211 { 212 __u8 status = *((__u8 *) skb->data); 213 214 BT_DBG("%s status 0x%2.2x", hdev->name, status); 215 216 clear_bit(HCI_RESET, &hdev->flags); 217 218 if (status) 219 return; 220 221 /* Reset all non-persistent flags */ 222 hci_dev_clear_volatile_flags(hdev); 223 224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 225 226 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 227 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 228 229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 230 hdev->adv_data_len = 0; 231 232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 233 hdev->scan_rsp_data_len = 0; 234 235 hdev->le_scan_type = LE_SCAN_PASSIVE; 236 237 hdev->ssp_debug_mode = 0; 238 239 hci_bdaddr_list_clear(&hdev->le_white_list); 240 hci_bdaddr_list_clear(&hdev->le_resolv_list); 241 } 242 243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 244 struct sk_buff *skb) 245 { 246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 247 struct hci_cp_read_stored_link_key *sent; 248 249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 250 251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 252 if (!sent) 253 return; 254 255 if (!rp->status && sent->read_all == 0x01) { 256 hdev->stored_max_keys = rp->max_keys; 257 hdev->stored_num_keys = rp->num_keys; 258 } 259 } 260 261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 262 struct sk_buff *skb) 263 { 264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 265 266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 267 268 if (rp->status) 269 return; 270 271 if (rp->num_keys <= hdev->stored_num_keys) 272 hdev->stored_num_keys -= rp->num_keys; 273 else 274 hdev->stored_num_keys = 0; 275 } 276 277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 278 { 279 __u8 status = *((__u8 *) skb->data); 280 void *sent; 281 282 BT_DBG("%s status 0x%2.2x", hdev->name, status); 283 284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 285 if (!sent) 286 return; 287 288 hci_dev_lock(hdev); 289 290 if (hci_dev_test_flag(hdev, HCI_MGMT)) 291 mgmt_set_local_name_complete(hdev, sent, status); 292 else if (!status) 293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 294 295 hci_dev_unlock(hdev); 296 } 297 298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 299 { 300 struct hci_rp_read_local_name *rp = (void *) skb->data; 301 302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 303 304 if (rp->status) 305 return; 306 307 if (hci_dev_test_flag(hdev, HCI_SETUP) || 308 hci_dev_test_flag(hdev, HCI_CONFIG)) 309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 310 } 311 312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 313 { 314 __u8 status = *((__u8 *) skb->data); 315 void *sent; 316 317 BT_DBG("%s status 0x%2.2x", hdev->name, status); 318 319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 320 if (!sent) 321 return; 322 323 hci_dev_lock(hdev); 324 325 if (!status) { 326 __u8 param = *((__u8 *) sent); 327 328 if (param == AUTH_ENABLED) 329 set_bit(HCI_AUTH, &hdev->flags); 330 else 331 clear_bit(HCI_AUTH, &hdev->flags); 332 } 333 334 if (hci_dev_test_flag(hdev, HCI_MGMT)) 335 mgmt_auth_enable_complete(hdev, status); 336 337 hci_dev_unlock(hdev); 338 } 339 340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 341 { 342 __u8 status = *((__u8 *) skb->data); 343 __u8 param; 344 void *sent; 345 346 BT_DBG("%s status 0x%2.2x", hdev->name, status); 347 348 if (status) 349 return; 350 351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 352 if (!sent) 353 return; 354 355 param = *((__u8 *) sent); 356 357 if (param) 358 set_bit(HCI_ENCRYPT, &hdev->flags); 359 else 360 clear_bit(HCI_ENCRYPT, &hdev->flags); 361 } 362 363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 364 { 365 __u8 status = *((__u8 *) skb->data); 366 __u8 param; 367 void *sent; 368 369 BT_DBG("%s status 0x%2.2x", hdev->name, status); 370 371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 372 if (!sent) 373 return; 374 375 param = *((__u8 *) sent); 376 377 hci_dev_lock(hdev); 378 379 if (status) { 380 hdev->discov_timeout = 0; 381 goto done; 382 } 383 384 if (param & SCAN_INQUIRY) 385 set_bit(HCI_ISCAN, &hdev->flags); 386 else 387 clear_bit(HCI_ISCAN, &hdev->flags); 388 389 if (param & SCAN_PAGE) 390 set_bit(HCI_PSCAN, &hdev->flags); 391 else 392 clear_bit(HCI_PSCAN, &hdev->flags); 393 394 done: 395 hci_dev_unlock(hdev); 396 } 397 398 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 399 { 400 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 401 402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 403 404 if (rp->status) 405 return; 406 407 memcpy(hdev->dev_class, rp->dev_class, 3); 408 409 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 410 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 411 } 412 413 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 414 { 415 __u8 status = *((__u8 *) skb->data); 416 void *sent; 417 418 BT_DBG("%s status 0x%2.2x", hdev->name, status); 419 420 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 421 if (!sent) 422 return; 423 424 hci_dev_lock(hdev); 425 426 if (status == 0) 427 memcpy(hdev->dev_class, sent, 3); 428 429 if (hci_dev_test_flag(hdev, HCI_MGMT)) 430 mgmt_set_class_of_dev_complete(hdev, sent, status); 431 432 hci_dev_unlock(hdev); 433 } 434 435 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 436 { 437 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 438 __u16 setting; 439 440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 441 442 if (rp->status) 443 return; 444 445 setting = __le16_to_cpu(rp->voice_setting); 446 447 if (hdev->voice_setting == setting) 448 return; 449 450 hdev->voice_setting = setting; 451 452 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 453 454 if (hdev->notify) 455 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 456 } 457 458 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 459 struct sk_buff *skb) 460 { 461 __u8 status = *((__u8 *) skb->data); 462 __u16 setting; 463 void *sent; 464 465 BT_DBG("%s status 0x%2.2x", hdev->name, status); 466 467 if (status) 468 return; 469 470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 471 if (!sent) 472 return; 473 474 setting = get_unaligned_le16(sent); 475 476 if (hdev->voice_setting == setting) 477 return; 478 479 hdev->voice_setting = setting; 480 481 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 482 483 if (hdev->notify) 484 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 485 } 486 487 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 488 struct sk_buff *skb) 489 { 490 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 491 492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 493 494 if (rp->status) 495 return; 496 497 hdev->num_iac = rp->num_iac; 498 499 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 500 } 501 502 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 503 { 504 __u8 status = *((__u8 *) skb->data); 505 struct hci_cp_write_ssp_mode *sent; 506 507 BT_DBG("%s status 0x%2.2x", hdev->name, status); 508 509 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 510 if (!sent) 511 return; 512 513 hci_dev_lock(hdev); 514 515 if (!status) { 516 if (sent->mode) 517 hdev->features[1][0] |= LMP_HOST_SSP; 518 else 519 hdev->features[1][0] &= ~LMP_HOST_SSP; 520 } 521 522 if (hci_dev_test_flag(hdev, HCI_MGMT)) 523 mgmt_ssp_enable_complete(hdev, sent->mode, status); 524 else if (!status) { 525 if (sent->mode) 526 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 527 else 528 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 529 } 530 531 hci_dev_unlock(hdev); 532 } 533 534 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 535 { 536 u8 status = *((u8 *) skb->data); 537 struct hci_cp_write_sc_support *sent; 538 539 BT_DBG("%s status 0x%2.2x", hdev->name, status); 540 541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 542 if (!sent) 543 return; 544 545 hci_dev_lock(hdev); 546 547 if (!status) { 548 if (sent->support) 549 hdev->features[1][0] |= LMP_HOST_SC; 550 else 551 hdev->features[1][0] &= ~LMP_HOST_SC; 552 } 553 554 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 555 if (sent->support) 556 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 557 else 558 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 559 } 560 561 hci_dev_unlock(hdev); 562 } 563 564 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 565 { 566 struct hci_rp_read_local_version *rp = (void *) skb->data; 567 568 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 569 570 if (rp->status) 571 return; 572 573 if (hci_dev_test_flag(hdev, HCI_SETUP) || 574 hci_dev_test_flag(hdev, HCI_CONFIG)) { 575 hdev->hci_ver = rp->hci_ver; 576 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 577 hdev->lmp_ver = rp->lmp_ver; 578 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 579 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 580 } 581 } 582 583 static void hci_cc_read_local_commands(struct hci_dev *hdev, 584 struct sk_buff *skb) 585 { 586 struct hci_rp_read_local_commands *rp = (void *) skb->data; 587 588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 589 590 if (rp->status) 591 return; 592 593 if (hci_dev_test_flag(hdev, HCI_SETUP) || 594 hci_dev_test_flag(hdev, HCI_CONFIG)) 595 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 596 } 597 598 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, 599 struct sk_buff *skb) 600 { 601 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data; 602 struct hci_conn *conn; 603 604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 605 606 if (rp->status) 607 return; 608 609 hci_dev_lock(hdev); 610 611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 612 if (conn) 613 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 614 615 hci_dev_unlock(hdev); 616 } 617 618 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, 619 struct sk_buff *skb) 620 { 621 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data; 622 struct hci_conn *conn; 623 void *sent; 624 625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 626 627 if (rp->status) 628 return; 629 630 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 631 if (!sent) 632 return; 633 634 hci_dev_lock(hdev); 635 636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 637 if (conn) 638 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 639 640 hci_dev_unlock(hdev); 641 } 642 643 static void hci_cc_read_local_features(struct hci_dev *hdev, 644 struct sk_buff *skb) 645 { 646 struct hci_rp_read_local_features *rp = (void *) skb->data; 647 648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 649 650 if (rp->status) 651 return; 652 653 memcpy(hdev->features, rp->features, 8); 654 655 /* Adjust default settings according to features 656 * supported by device. */ 657 658 if (hdev->features[0][0] & LMP_3SLOT) 659 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 660 661 if (hdev->features[0][0] & LMP_5SLOT) 662 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 663 664 if (hdev->features[0][1] & LMP_HV2) { 665 hdev->pkt_type |= (HCI_HV2); 666 hdev->esco_type |= (ESCO_HV2); 667 } 668 669 if (hdev->features[0][1] & LMP_HV3) { 670 hdev->pkt_type |= (HCI_HV3); 671 hdev->esco_type |= (ESCO_HV3); 672 } 673 674 if (lmp_esco_capable(hdev)) 675 hdev->esco_type |= (ESCO_EV3); 676 677 if (hdev->features[0][4] & LMP_EV4) 678 hdev->esco_type |= (ESCO_EV4); 679 680 if (hdev->features[0][4] & LMP_EV5) 681 hdev->esco_type |= (ESCO_EV5); 682 683 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 684 hdev->esco_type |= (ESCO_2EV3); 685 686 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 687 hdev->esco_type |= (ESCO_3EV3); 688 689 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 690 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 691 } 692 693 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 694 struct sk_buff *skb) 695 { 696 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 697 698 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 699 700 if (rp->status) 701 return; 702 703 if (hdev->max_page < rp->max_page) 704 hdev->max_page = rp->max_page; 705 706 if (rp->page < HCI_MAX_PAGES) 707 memcpy(hdev->features[rp->page], rp->features, 8); 708 } 709 710 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 711 struct sk_buff *skb) 712 { 713 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 714 715 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 716 717 if (rp->status) 718 return; 719 720 hdev->flow_ctl_mode = rp->mode; 721 } 722 723 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 724 { 725 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 726 727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 728 729 if (rp->status) 730 return; 731 732 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 733 hdev->sco_mtu = rp->sco_mtu; 734 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 735 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 736 737 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 738 hdev->sco_mtu = 64; 739 hdev->sco_pkts = 8; 740 } 741 742 hdev->acl_cnt = hdev->acl_pkts; 743 hdev->sco_cnt = hdev->sco_pkts; 744 745 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 746 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 747 } 748 749 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 750 { 751 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 752 753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 754 755 if (rp->status) 756 return; 757 758 if (test_bit(HCI_INIT, &hdev->flags)) 759 bacpy(&hdev->bdaddr, &rp->bdaddr); 760 761 if (hci_dev_test_flag(hdev, HCI_SETUP)) 762 bacpy(&hdev->setup_addr, &rp->bdaddr); 763 } 764 765 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev, 766 struct sk_buff *skb) 767 { 768 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data; 769 770 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 771 772 if (rp->status) 773 return; 774 775 if (hci_dev_test_flag(hdev, HCI_SETUP) || 776 hci_dev_test_flag(hdev, HCI_CONFIG)) { 777 hdev->pairing_opts = rp->pairing_opts; 778 hdev->max_enc_key_size = rp->max_key_size; 779 } 780 } 781 782 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 783 struct sk_buff *skb) 784 { 785 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 786 787 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 788 789 if (rp->status) 790 return; 791 792 if (test_bit(HCI_INIT, &hdev->flags)) { 793 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 794 hdev->page_scan_window = __le16_to_cpu(rp->window); 795 } 796 } 797 798 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 799 struct sk_buff *skb) 800 { 801 u8 status = *((u8 *) skb->data); 802 struct hci_cp_write_page_scan_activity *sent; 803 804 BT_DBG("%s status 0x%2.2x", hdev->name, status); 805 806 if (status) 807 return; 808 809 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 810 if (!sent) 811 return; 812 813 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 814 hdev->page_scan_window = __le16_to_cpu(sent->window); 815 } 816 817 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 818 struct sk_buff *skb) 819 { 820 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 821 822 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 823 824 if (rp->status) 825 return; 826 827 if (test_bit(HCI_INIT, &hdev->flags)) 828 hdev->page_scan_type = rp->type; 829 } 830 831 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 832 struct sk_buff *skb) 833 { 834 u8 status = *((u8 *) skb->data); 835 u8 *type; 836 837 BT_DBG("%s status 0x%2.2x", hdev->name, status); 838 839 if (status) 840 return; 841 842 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 843 if (type) 844 hdev->page_scan_type = *type; 845 } 846 847 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 848 struct sk_buff *skb) 849 { 850 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 851 852 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 853 854 if (rp->status) 855 return; 856 857 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 858 hdev->block_len = __le16_to_cpu(rp->block_len); 859 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 860 861 hdev->block_cnt = hdev->num_blocks; 862 863 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 864 hdev->block_cnt, hdev->block_len); 865 } 866 867 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 868 { 869 struct hci_rp_read_clock *rp = (void *) skb->data; 870 struct hci_cp_read_clock *cp; 871 struct hci_conn *conn; 872 873 BT_DBG("%s", hdev->name); 874 875 if (skb->len < sizeof(*rp)) 876 return; 877 878 if (rp->status) 879 return; 880 881 hci_dev_lock(hdev); 882 883 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 884 if (!cp) 885 goto unlock; 886 887 if (cp->which == 0x00) { 888 hdev->clock = le32_to_cpu(rp->clock); 889 goto unlock; 890 } 891 892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 893 if (conn) { 894 conn->clock = le32_to_cpu(rp->clock); 895 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 896 } 897 898 unlock: 899 hci_dev_unlock(hdev); 900 } 901 902 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 903 struct sk_buff *skb) 904 { 905 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 906 907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 908 909 if (rp->status) 910 return; 911 912 hdev->amp_status = rp->amp_status; 913 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 914 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 915 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 916 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 917 hdev->amp_type = rp->amp_type; 918 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 919 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 920 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 921 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 922 } 923 924 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 925 struct sk_buff *skb) 926 { 927 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 928 929 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 930 931 if (rp->status) 932 return; 933 934 hdev->inq_tx_power = rp->tx_power; 935 } 936 937 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, 938 struct sk_buff *skb) 939 { 940 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data; 941 942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 943 944 if (rp->status) 945 return; 946 947 hdev->err_data_reporting = rp->err_data_reporting; 948 } 949 950 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, 951 struct sk_buff *skb) 952 { 953 __u8 status = *((__u8 *)skb->data); 954 struct hci_cp_write_def_err_data_reporting *cp; 955 956 BT_DBG("%s status 0x%2.2x", hdev->name, status); 957 958 if (status) 959 return; 960 961 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 962 if (!cp) 963 return; 964 965 hdev->err_data_reporting = cp->err_data_reporting; 966 } 967 968 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 969 { 970 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 971 struct hci_cp_pin_code_reply *cp; 972 struct hci_conn *conn; 973 974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 975 976 hci_dev_lock(hdev); 977 978 if (hci_dev_test_flag(hdev, HCI_MGMT)) 979 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 980 981 if (rp->status) 982 goto unlock; 983 984 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 985 if (!cp) 986 goto unlock; 987 988 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 989 if (conn) 990 conn->pin_length = cp->pin_len; 991 992 unlock: 993 hci_dev_unlock(hdev); 994 } 995 996 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 997 { 998 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 999 1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1001 1002 hci_dev_lock(hdev); 1003 1004 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1005 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1006 rp->status); 1007 1008 hci_dev_unlock(hdev); 1009 } 1010 1011 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 1012 struct sk_buff *skb) 1013 { 1014 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 1015 1016 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1017 1018 if (rp->status) 1019 return; 1020 1021 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1022 hdev->le_pkts = rp->le_max_pkt; 1023 1024 hdev->le_cnt = hdev->le_pkts; 1025 1026 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1027 } 1028 1029 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 1030 struct sk_buff *skb) 1031 { 1032 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 1033 1034 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1035 1036 if (rp->status) 1037 return; 1038 1039 memcpy(hdev->le_features, rp->features, 8); 1040 } 1041 1042 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 1043 struct sk_buff *skb) 1044 { 1045 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 1046 1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1048 1049 if (rp->status) 1050 return; 1051 1052 hdev->adv_tx_power = rp->tx_power; 1053 } 1054 1055 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 1056 { 1057 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1058 1059 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1060 1061 hci_dev_lock(hdev); 1062 1063 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1064 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1065 rp->status); 1066 1067 hci_dev_unlock(hdev); 1068 } 1069 1070 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 1071 struct sk_buff *skb) 1072 { 1073 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1074 1075 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1076 1077 hci_dev_lock(hdev); 1078 1079 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1080 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1081 ACL_LINK, 0, rp->status); 1082 1083 hci_dev_unlock(hdev); 1084 } 1085 1086 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 1087 { 1088 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1089 1090 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1091 1092 hci_dev_lock(hdev); 1093 1094 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1095 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1096 0, rp->status); 1097 1098 hci_dev_unlock(hdev); 1099 } 1100 1101 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 1102 struct sk_buff *skb) 1103 { 1104 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1105 1106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1107 1108 hci_dev_lock(hdev); 1109 1110 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1111 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1112 ACL_LINK, 0, rp->status); 1113 1114 hci_dev_unlock(hdev); 1115 } 1116 1117 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1118 struct sk_buff *skb) 1119 { 1120 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1121 1122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1123 } 1124 1125 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1126 struct sk_buff *skb) 1127 { 1128 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1129 1130 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1131 } 1132 1133 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1134 { 1135 __u8 status = *((__u8 *) skb->data); 1136 bdaddr_t *sent; 1137 1138 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1139 1140 if (status) 1141 return; 1142 1143 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1144 if (!sent) 1145 return; 1146 1147 hci_dev_lock(hdev); 1148 1149 bacpy(&hdev->random_addr, sent); 1150 1151 hci_dev_unlock(hdev); 1152 } 1153 1154 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb) 1155 { 1156 __u8 status = *((__u8 *) skb->data); 1157 struct hci_cp_le_set_default_phy *cp; 1158 1159 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1160 1161 if (status) 1162 return; 1163 1164 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1165 if (!cp) 1166 return; 1167 1168 hci_dev_lock(hdev); 1169 1170 hdev->le_tx_def_phys = cp->tx_phys; 1171 hdev->le_rx_def_phys = cp->rx_phys; 1172 1173 hci_dev_unlock(hdev); 1174 } 1175 1176 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, 1177 struct sk_buff *skb) 1178 { 1179 __u8 status = *((__u8 *) skb->data); 1180 struct hci_cp_le_set_adv_set_rand_addr *cp; 1181 struct adv_info *adv_instance; 1182 1183 if (status) 1184 return; 1185 1186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1187 if (!cp) 1188 return; 1189 1190 hci_dev_lock(hdev); 1191 1192 if (!hdev->cur_adv_instance) { 1193 /* Store in hdev for instance 0 (Set adv and Directed advs) */ 1194 bacpy(&hdev->random_addr, &cp->bdaddr); 1195 } else { 1196 adv_instance = hci_find_adv_instance(hdev, 1197 hdev->cur_adv_instance); 1198 if (adv_instance) 1199 bacpy(&adv_instance->random_addr, &cp->bdaddr); 1200 } 1201 1202 hci_dev_unlock(hdev); 1203 } 1204 1205 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1206 { 1207 __u8 *sent, status = *((__u8 *) skb->data); 1208 1209 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1210 1211 if (status) 1212 return; 1213 1214 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1215 if (!sent) 1216 return; 1217 1218 hci_dev_lock(hdev); 1219 1220 /* If we're doing connection initiation as peripheral. Set a 1221 * timeout in case something goes wrong. 1222 */ 1223 if (*sent) { 1224 struct hci_conn *conn; 1225 1226 hci_dev_set_flag(hdev, HCI_LE_ADV); 1227 1228 conn = hci_lookup_le_connect(hdev); 1229 if (conn) 1230 queue_delayed_work(hdev->workqueue, 1231 &conn->le_conn_timeout, 1232 conn->conn_timeout); 1233 } else { 1234 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1235 } 1236 1237 hci_dev_unlock(hdev); 1238 } 1239 1240 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, 1241 struct sk_buff *skb) 1242 { 1243 struct hci_cp_le_set_ext_adv_enable *cp; 1244 __u8 status = *((__u8 *) skb->data); 1245 1246 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1247 1248 if (status) 1249 return; 1250 1251 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1252 if (!cp) 1253 return; 1254 1255 hci_dev_lock(hdev); 1256 1257 if (cp->enable) { 1258 struct hci_conn *conn; 1259 1260 hci_dev_set_flag(hdev, HCI_LE_ADV); 1261 1262 conn = hci_lookup_le_connect(hdev); 1263 if (conn) 1264 queue_delayed_work(hdev->workqueue, 1265 &conn->le_conn_timeout, 1266 conn->conn_timeout); 1267 } else { 1268 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1269 } 1270 1271 hci_dev_unlock(hdev); 1272 } 1273 1274 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1275 { 1276 struct hci_cp_le_set_scan_param *cp; 1277 __u8 status = *((__u8 *) skb->data); 1278 1279 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1280 1281 if (status) 1282 return; 1283 1284 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1285 if (!cp) 1286 return; 1287 1288 hci_dev_lock(hdev); 1289 1290 hdev->le_scan_type = cp->type; 1291 1292 hci_dev_unlock(hdev); 1293 } 1294 1295 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, 1296 struct sk_buff *skb) 1297 { 1298 struct hci_cp_le_set_ext_scan_params *cp; 1299 __u8 status = *((__u8 *) skb->data); 1300 struct hci_cp_le_scan_phy_params *phy_param; 1301 1302 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1303 1304 if (status) 1305 return; 1306 1307 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1308 if (!cp) 1309 return; 1310 1311 phy_param = (void *)cp->data; 1312 1313 hci_dev_lock(hdev); 1314 1315 hdev->le_scan_type = phy_param->type; 1316 1317 hci_dev_unlock(hdev); 1318 } 1319 1320 static bool has_pending_adv_report(struct hci_dev *hdev) 1321 { 1322 struct discovery_state *d = &hdev->discovery; 1323 1324 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1325 } 1326 1327 static void clear_pending_adv_report(struct hci_dev *hdev) 1328 { 1329 struct discovery_state *d = &hdev->discovery; 1330 1331 bacpy(&d->last_adv_addr, BDADDR_ANY); 1332 d->last_adv_data_len = 0; 1333 } 1334 1335 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1336 u8 bdaddr_type, s8 rssi, u32 flags, 1337 u8 *data, u8 len) 1338 { 1339 struct discovery_state *d = &hdev->discovery; 1340 1341 if (len > HCI_MAX_AD_LENGTH) 1342 return; 1343 1344 bacpy(&d->last_adv_addr, bdaddr); 1345 d->last_adv_addr_type = bdaddr_type; 1346 d->last_adv_rssi = rssi; 1347 d->last_adv_flags = flags; 1348 memcpy(d->last_adv_data, data, len); 1349 d->last_adv_data_len = len; 1350 } 1351 1352 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1353 { 1354 hci_dev_lock(hdev); 1355 1356 switch (enable) { 1357 case LE_SCAN_ENABLE: 1358 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1359 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1360 clear_pending_adv_report(hdev); 1361 break; 1362 1363 case LE_SCAN_DISABLE: 1364 /* We do this here instead of when setting DISCOVERY_STOPPED 1365 * since the latter would potentially require waiting for 1366 * inquiry to stop too. 1367 */ 1368 if (has_pending_adv_report(hdev)) { 1369 struct discovery_state *d = &hdev->discovery; 1370 1371 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1372 d->last_adv_addr_type, NULL, 1373 d->last_adv_rssi, d->last_adv_flags, 1374 d->last_adv_data, 1375 d->last_adv_data_len, NULL, 0); 1376 } 1377 1378 /* Cancel this timer so that we don't try to disable scanning 1379 * when it's already disabled. 1380 */ 1381 cancel_delayed_work(&hdev->le_scan_disable); 1382 1383 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1384 1385 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1386 * interrupted scanning due to a connect request. Mark 1387 * therefore discovery as stopped. If this was not 1388 * because of a connect request advertising might have 1389 * been disabled because of active scanning, so 1390 * re-enable it again if necessary. 1391 */ 1392 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1393 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1394 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1395 hdev->discovery.state == DISCOVERY_FINDING) 1396 hci_req_reenable_advertising(hdev); 1397 1398 break; 1399 1400 default: 1401 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1402 enable); 1403 break; 1404 } 1405 1406 hci_dev_unlock(hdev); 1407 } 1408 1409 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1410 struct sk_buff *skb) 1411 { 1412 struct hci_cp_le_set_scan_enable *cp; 1413 __u8 status = *((__u8 *) skb->data); 1414 1415 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1416 1417 if (status) 1418 return; 1419 1420 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1421 if (!cp) 1422 return; 1423 1424 le_set_scan_enable_complete(hdev, cp->enable); 1425 } 1426 1427 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, 1428 struct sk_buff *skb) 1429 { 1430 struct hci_cp_le_set_ext_scan_enable *cp; 1431 __u8 status = *((__u8 *) skb->data); 1432 1433 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1434 1435 if (status) 1436 return; 1437 1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1439 if (!cp) 1440 return; 1441 1442 le_set_scan_enable_complete(hdev, cp->enable); 1443 } 1444 1445 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, 1446 struct sk_buff *skb) 1447 { 1448 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data; 1449 1450 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status, 1451 rp->num_of_sets); 1452 1453 if (rp->status) 1454 return; 1455 1456 hdev->le_num_of_adv_sets = rp->num_of_sets; 1457 } 1458 1459 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1460 struct sk_buff *skb) 1461 { 1462 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1463 1464 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1465 1466 if (rp->status) 1467 return; 1468 1469 hdev->le_white_list_size = rp->size; 1470 } 1471 1472 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1473 struct sk_buff *skb) 1474 { 1475 __u8 status = *((__u8 *) skb->data); 1476 1477 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1478 1479 if (status) 1480 return; 1481 1482 hci_bdaddr_list_clear(&hdev->le_white_list); 1483 } 1484 1485 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1486 struct sk_buff *skb) 1487 { 1488 struct hci_cp_le_add_to_white_list *sent; 1489 __u8 status = *((__u8 *) skb->data); 1490 1491 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1492 1493 if (status) 1494 return; 1495 1496 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1497 if (!sent) 1498 return; 1499 1500 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1501 sent->bdaddr_type); 1502 } 1503 1504 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1505 struct sk_buff *skb) 1506 { 1507 struct hci_cp_le_del_from_white_list *sent; 1508 __u8 status = *((__u8 *) skb->data); 1509 1510 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1511 1512 if (status) 1513 return; 1514 1515 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1516 if (!sent) 1517 return; 1518 1519 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1520 sent->bdaddr_type); 1521 } 1522 1523 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1524 struct sk_buff *skb) 1525 { 1526 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1527 1528 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1529 1530 if (rp->status) 1531 return; 1532 1533 memcpy(hdev->le_states, rp->le_states, 8); 1534 } 1535 1536 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1537 struct sk_buff *skb) 1538 { 1539 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1540 1541 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1542 1543 if (rp->status) 1544 return; 1545 1546 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1547 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1548 } 1549 1550 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1551 struct sk_buff *skb) 1552 { 1553 struct hci_cp_le_write_def_data_len *sent; 1554 __u8 status = *((__u8 *) skb->data); 1555 1556 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1557 1558 if (status) 1559 return; 1560 1561 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1562 if (!sent) 1563 return; 1564 1565 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1566 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1567 } 1568 1569 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, 1570 struct sk_buff *skb) 1571 { 1572 struct hci_cp_le_add_to_resolv_list *sent; 1573 __u8 status = *((__u8 *) skb->data); 1574 1575 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1576 1577 if (status) 1578 return; 1579 1580 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1581 if (!sent) 1582 return; 1583 1584 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1585 sent->bdaddr_type, sent->peer_irk, 1586 sent->local_irk); 1587 } 1588 1589 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 1590 struct sk_buff *skb) 1591 { 1592 struct hci_cp_le_del_from_resolv_list *sent; 1593 __u8 status = *((__u8 *) skb->data); 1594 1595 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1596 1597 if (status) 1598 return; 1599 1600 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1601 if (!sent) 1602 return; 1603 1604 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1605 sent->bdaddr_type); 1606 } 1607 1608 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev, 1609 struct sk_buff *skb) 1610 { 1611 __u8 status = *((__u8 *) skb->data); 1612 1613 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1614 1615 if (status) 1616 return; 1617 1618 hci_bdaddr_list_clear(&hdev->le_resolv_list); 1619 } 1620 1621 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, 1622 struct sk_buff *skb) 1623 { 1624 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data; 1625 1626 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1627 1628 if (rp->status) 1629 return; 1630 1631 hdev->le_resolv_list_size = rp->size; 1632 } 1633 1634 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, 1635 struct sk_buff *skb) 1636 { 1637 __u8 *sent, status = *((__u8 *) skb->data); 1638 1639 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1640 1641 if (status) 1642 return; 1643 1644 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 1645 if (!sent) 1646 return; 1647 1648 hci_dev_lock(hdev); 1649 1650 if (*sent) 1651 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 1652 else 1653 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 1654 1655 hci_dev_unlock(hdev); 1656 } 1657 1658 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1659 struct sk_buff *skb) 1660 { 1661 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1662 1663 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1664 1665 if (rp->status) 1666 return; 1667 1668 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1669 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1670 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1671 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1672 } 1673 1674 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1675 struct sk_buff *skb) 1676 { 1677 struct hci_cp_write_le_host_supported *sent; 1678 __u8 status = *((__u8 *) skb->data); 1679 1680 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1681 1682 if (status) 1683 return; 1684 1685 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1686 if (!sent) 1687 return; 1688 1689 hci_dev_lock(hdev); 1690 1691 if (sent->le) { 1692 hdev->features[1][0] |= LMP_HOST_LE; 1693 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1694 } else { 1695 hdev->features[1][0] &= ~LMP_HOST_LE; 1696 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1697 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1698 } 1699 1700 if (sent->simul) 1701 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1702 else 1703 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1704 1705 hci_dev_unlock(hdev); 1706 } 1707 1708 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1709 { 1710 struct hci_cp_le_set_adv_param *cp; 1711 u8 status = *((u8 *) skb->data); 1712 1713 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1714 1715 if (status) 1716 return; 1717 1718 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1719 if (!cp) 1720 return; 1721 1722 hci_dev_lock(hdev); 1723 hdev->adv_addr_type = cp->own_address_type; 1724 hci_dev_unlock(hdev); 1725 } 1726 1727 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1728 { 1729 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; 1730 struct hci_cp_le_set_ext_adv_params *cp; 1731 struct adv_info *adv_instance; 1732 1733 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1734 1735 if (rp->status) 1736 return; 1737 1738 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 1739 if (!cp) 1740 return; 1741 1742 hci_dev_lock(hdev); 1743 hdev->adv_addr_type = cp->own_addr_type; 1744 if (!hdev->cur_adv_instance) { 1745 /* Store in hdev for instance 0 */ 1746 hdev->adv_tx_power = rp->tx_power; 1747 } else { 1748 adv_instance = hci_find_adv_instance(hdev, 1749 hdev->cur_adv_instance); 1750 if (adv_instance) 1751 adv_instance->tx_power = rp->tx_power; 1752 } 1753 /* Update adv data as tx power is known now */ 1754 hci_req_update_adv_data(hdev, hdev->cur_adv_instance); 1755 hci_dev_unlock(hdev); 1756 } 1757 1758 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1759 { 1760 struct hci_rp_read_rssi *rp = (void *) skb->data; 1761 struct hci_conn *conn; 1762 1763 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1764 1765 if (rp->status) 1766 return; 1767 1768 hci_dev_lock(hdev); 1769 1770 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1771 if (conn) 1772 conn->rssi = rp->rssi; 1773 1774 hci_dev_unlock(hdev); 1775 } 1776 1777 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1778 { 1779 struct hci_cp_read_tx_power *sent; 1780 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1781 struct hci_conn *conn; 1782 1783 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1784 1785 if (rp->status) 1786 return; 1787 1788 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1789 if (!sent) 1790 return; 1791 1792 hci_dev_lock(hdev); 1793 1794 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1795 if (!conn) 1796 goto unlock; 1797 1798 switch (sent->type) { 1799 case 0x00: 1800 conn->tx_power = rp->tx_power; 1801 break; 1802 case 0x01: 1803 conn->max_tx_power = rp->tx_power; 1804 break; 1805 } 1806 1807 unlock: 1808 hci_dev_unlock(hdev); 1809 } 1810 1811 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1812 { 1813 u8 status = *((u8 *) skb->data); 1814 u8 *mode; 1815 1816 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1817 1818 if (status) 1819 return; 1820 1821 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1822 if (mode) 1823 hdev->ssp_debug_mode = *mode; 1824 } 1825 1826 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1827 { 1828 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1829 1830 if (status) { 1831 hci_conn_check_pending(hdev); 1832 return; 1833 } 1834 1835 set_bit(HCI_INQUIRY, &hdev->flags); 1836 } 1837 1838 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1839 { 1840 struct hci_cp_create_conn *cp; 1841 struct hci_conn *conn; 1842 1843 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1844 1845 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1846 if (!cp) 1847 return; 1848 1849 hci_dev_lock(hdev); 1850 1851 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1852 1853 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1854 1855 if (status) { 1856 if (conn && conn->state == BT_CONNECT) { 1857 if (status != 0x0c || conn->attempt > 2) { 1858 conn->state = BT_CLOSED; 1859 hci_connect_cfm(conn, status); 1860 hci_conn_del(conn); 1861 } else 1862 conn->state = BT_CONNECT2; 1863 } 1864 } else { 1865 if (!conn) { 1866 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1867 HCI_ROLE_MASTER); 1868 if (!conn) 1869 bt_dev_err(hdev, "no memory for new connection"); 1870 } 1871 } 1872 1873 hci_dev_unlock(hdev); 1874 } 1875 1876 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1877 { 1878 struct hci_cp_add_sco *cp; 1879 struct hci_conn *acl, *sco; 1880 __u16 handle; 1881 1882 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1883 1884 if (!status) 1885 return; 1886 1887 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1888 if (!cp) 1889 return; 1890 1891 handle = __le16_to_cpu(cp->handle); 1892 1893 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1894 1895 hci_dev_lock(hdev); 1896 1897 acl = hci_conn_hash_lookup_handle(hdev, handle); 1898 if (acl) { 1899 sco = acl->link; 1900 if (sco) { 1901 sco->state = BT_CLOSED; 1902 1903 hci_connect_cfm(sco, status); 1904 hci_conn_del(sco); 1905 } 1906 } 1907 1908 hci_dev_unlock(hdev); 1909 } 1910 1911 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1912 { 1913 struct hci_cp_auth_requested *cp; 1914 struct hci_conn *conn; 1915 1916 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1917 1918 if (!status) 1919 return; 1920 1921 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1922 if (!cp) 1923 return; 1924 1925 hci_dev_lock(hdev); 1926 1927 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1928 if (conn) { 1929 if (conn->state == BT_CONFIG) { 1930 hci_connect_cfm(conn, status); 1931 hci_conn_drop(conn); 1932 } 1933 } 1934 1935 hci_dev_unlock(hdev); 1936 } 1937 1938 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1939 { 1940 struct hci_cp_set_conn_encrypt *cp; 1941 struct hci_conn *conn; 1942 1943 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1944 1945 if (!status) 1946 return; 1947 1948 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1949 if (!cp) 1950 return; 1951 1952 hci_dev_lock(hdev); 1953 1954 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1955 if (conn) { 1956 if (conn->state == BT_CONFIG) { 1957 hci_connect_cfm(conn, status); 1958 hci_conn_drop(conn); 1959 } 1960 } 1961 1962 hci_dev_unlock(hdev); 1963 } 1964 1965 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1966 struct hci_conn *conn) 1967 { 1968 if (conn->state != BT_CONFIG || !conn->out) 1969 return 0; 1970 1971 if (conn->pending_sec_level == BT_SECURITY_SDP) 1972 return 0; 1973 1974 /* Only request authentication for SSP connections or non-SSP 1975 * devices with sec_level MEDIUM or HIGH or if MITM protection 1976 * is requested. 1977 */ 1978 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1979 conn->pending_sec_level != BT_SECURITY_FIPS && 1980 conn->pending_sec_level != BT_SECURITY_HIGH && 1981 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1982 return 0; 1983 1984 return 1; 1985 } 1986 1987 static int hci_resolve_name(struct hci_dev *hdev, 1988 struct inquiry_entry *e) 1989 { 1990 struct hci_cp_remote_name_req cp; 1991 1992 memset(&cp, 0, sizeof(cp)); 1993 1994 bacpy(&cp.bdaddr, &e->data.bdaddr); 1995 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1996 cp.pscan_mode = e->data.pscan_mode; 1997 cp.clock_offset = e->data.clock_offset; 1998 1999 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2000 } 2001 2002 static bool hci_resolve_next_name(struct hci_dev *hdev) 2003 { 2004 struct discovery_state *discov = &hdev->discovery; 2005 struct inquiry_entry *e; 2006 2007 if (list_empty(&discov->resolve)) 2008 return false; 2009 2010 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2011 if (!e) 2012 return false; 2013 2014 if (hci_resolve_name(hdev, e) == 0) { 2015 e->name_state = NAME_PENDING; 2016 return true; 2017 } 2018 2019 return false; 2020 } 2021 2022 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2023 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2024 { 2025 struct discovery_state *discov = &hdev->discovery; 2026 struct inquiry_entry *e; 2027 2028 /* Update the mgmt connected state if necessary. Be careful with 2029 * conn objects that exist but are not (yet) connected however. 2030 * Only those in BT_CONFIG or BT_CONNECTED states can be 2031 * considered connected. 2032 */ 2033 if (conn && 2034 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2035 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2036 mgmt_device_connected(hdev, conn, 0, name, name_len); 2037 2038 if (discov->state == DISCOVERY_STOPPED) 2039 return; 2040 2041 if (discov->state == DISCOVERY_STOPPING) 2042 goto discov_complete; 2043 2044 if (discov->state != DISCOVERY_RESOLVING) 2045 return; 2046 2047 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2048 /* If the device was not found in a list of found devices names of which 2049 * are pending. there is no need to continue resolving a next name as it 2050 * will be done upon receiving another Remote Name Request Complete 2051 * Event */ 2052 if (!e) 2053 return; 2054 2055 list_del(&e->list); 2056 if (name) { 2057 e->name_state = NAME_KNOWN; 2058 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 2059 e->data.rssi, name, name_len); 2060 } else { 2061 e->name_state = NAME_NOT_KNOWN; 2062 } 2063 2064 if (hci_resolve_next_name(hdev)) 2065 return; 2066 2067 discov_complete: 2068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2069 } 2070 2071 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2072 { 2073 struct hci_cp_remote_name_req *cp; 2074 struct hci_conn *conn; 2075 2076 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2077 2078 /* If successful wait for the name req complete event before 2079 * checking for the need to do authentication */ 2080 if (!status) 2081 return; 2082 2083 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2084 if (!cp) 2085 return; 2086 2087 hci_dev_lock(hdev); 2088 2089 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2090 2091 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2092 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2093 2094 if (!conn) 2095 goto unlock; 2096 2097 if (!hci_outgoing_auth_needed(hdev, conn)) 2098 goto unlock; 2099 2100 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2101 struct hci_cp_auth_requested auth_cp; 2102 2103 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2104 2105 auth_cp.handle = __cpu_to_le16(conn->handle); 2106 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2107 sizeof(auth_cp), &auth_cp); 2108 } 2109 2110 unlock: 2111 hci_dev_unlock(hdev); 2112 } 2113 2114 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2115 { 2116 struct hci_cp_read_remote_features *cp; 2117 struct hci_conn *conn; 2118 2119 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2120 2121 if (!status) 2122 return; 2123 2124 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2125 if (!cp) 2126 return; 2127 2128 hci_dev_lock(hdev); 2129 2130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2131 if (conn) { 2132 if (conn->state == BT_CONFIG) { 2133 hci_connect_cfm(conn, status); 2134 hci_conn_drop(conn); 2135 } 2136 } 2137 2138 hci_dev_unlock(hdev); 2139 } 2140 2141 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2142 { 2143 struct hci_cp_read_remote_ext_features *cp; 2144 struct hci_conn *conn; 2145 2146 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2147 2148 if (!status) 2149 return; 2150 2151 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2152 if (!cp) 2153 return; 2154 2155 hci_dev_lock(hdev); 2156 2157 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2158 if (conn) { 2159 if (conn->state == BT_CONFIG) { 2160 hci_connect_cfm(conn, status); 2161 hci_conn_drop(conn); 2162 } 2163 } 2164 2165 hci_dev_unlock(hdev); 2166 } 2167 2168 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2169 { 2170 struct hci_cp_setup_sync_conn *cp; 2171 struct hci_conn *acl, *sco; 2172 __u16 handle; 2173 2174 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2175 2176 if (!status) 2177 return; 2178 2179 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2180 if (!cp) 2181 return; 2182 2183 handle = __le16_to_cpu(cp->handle); 2184 2185 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2186 2187 hci_dev_lock(hdev); 2188 2189 acl = hci_conn_hash_lookup_handle(hdev, handle); 2190 if (acl) { 2191 sco = acl->link; 2192 if (sco) { 2193 sco->state = BT_CLOSED; 2194 2195 hci_connect_cfm(sco, status); 2196 hci_conn_del(sco); 2197 } 2198 } 2199 2200 hci_dev_unlock(hdev); 2201 } 2202 2203 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2204 { 2205 struct hci_cp_sniff_mode *cp; 2206 struct hci_conn *conn; 2207 2208 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2209 2210 if (!status) 2211 return; 2212 2213 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2214 if (!cp) 2215 return; 2216 2217 hci_dev_lock(hdev); 2218 2219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2220 if (conn) { 2221 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2222 2223 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2224 hci_sco_setup(conn, status); 2225 } 2226 2227 hci_dev_unlock(hdev); 2228 } 2229 2230 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2231 { 2232 struct hci_cp_exit_sniff_mode *cp; 2233 struct hci_conn *conn; 2234 2235 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2236 2237 if (!status) 2238 return; 2239 2240 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2241 if (!cp) 2242 return; 2243 2244 hci_dev_lock(hdev); 2245 2246 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2247 if (conn) { 2248 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2249 2250 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2251 hci_sco_setup(conn, status); 2252 } 2253 2254 hci_dev_unlock(hdev); 2255 } 2256 2257 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2258 { 2259 struct hci_cp_disconnect *cp; 2260 struct hci_conn *conn; 2261 2262 if (!status) 2263 return; 2264 2265 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2266 if (!cp) 2267 return; 2268 2269 hci_dev_lock(hdev); 2270 2271 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2272 if (conn) { 2273 u8 type = conn->type; 2274 2275 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2276 conn->dst_type, status); 2277 2278 /* If the disconnection failed for any reason, the upper layer 2279 * does not retry to disconnect in current implementation. 2280 * Hence, we need to do some basic cleanup here and re-enable 2281 * advertising if necessary. 2282 */ 2283 hci_conn_del(conn); 2284 if (type == LE_LINK) 2285 hci_req_reenable_advertising(hdev); 2286 } 2287 2288 hci_dev_unlock(hdev); 2289 } 2290 2291 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2292 u8 peer_addr_type, u8 own_address_type, 2293 u8 filter_policy) 2294 { 2295 struct hci_conn *conn; 2296 2297 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2298 peer_addr_type); 2299 if (!conn) 2300 return; 2301 2302 /* When using controller based address resolution, then the new 2303 * address types 0x02 and 0x03 are used. These types need to be 2304 * converted back into either public address or random address type 2305 */ 2306 if (use_ll_privacy(hdev) && 2307 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) { 2308 switch (own_address_type) { 2309 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2310 own_address_type = ADDR_LE_DEV_PUBLIC; 2311 break; 2312 case ADDR_LE_DEV_RANDOM_RESOLVED: 2313 own_address_type = ADDR_LE_DEV_RANDOM; 2314 break; 2315 } 2316 } 2317 2318 /* Store the initiator and responder address information which 2319 * is needed for SMP. These values will not change during the 2320 * lifetime of the connection. 2321 */ 2322 conn->init_addr_type = own_address_type; 2323 if (own_address_type == ADDR_LE_DEV_RANDOM) 2324 bacpy(&conn->init_addr, &hdev->random_addr); 2325 else 2326 bacpy(&conn->init_addr, &hdev->bdaddr); 2327 2328 conn->resp_addr_type = peer_addr_type; 2329 bacpy(&conn->resp_addr, peer_addr); 2330 2331 /* We don't want the connection attempt to stick around 2332 * indefinitely since LE doesn't have a page timeout concept 2333 * like BR/EDR. Set a timer for any connection that doesn't use 2334 * the white list for connecting. 2335 */ 2336 if (filter_policy == HCI_LE_USE_PEER_ADDR) 2337 queue_delayed_work(conn->hdev->workqueue, 2338 &conn->le_conn_timeout, 2339 conn->conn_timeout); 2340 } 2341 2342 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2343 { 2344 struct hci_cp_le_create_conn *cp; 2345 2346 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2347 2348 /* All connection failure handling is taken care of by the 2349 * hci_le_conn_failed function which is triggered by the HCI 2350 * request completion callbacks used for connecting. 2351 */ 2352 if (status) 2353 return; 2354 2355 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2356 if (!cp) 2357 return; 2358 2359 hci_dev_lock(hdev); 2360 2361 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2362 cp->own_address_type, cp->filter_policy); 2363 2364 hci_dev_unlock(hdev); 2365 } 2366 2367 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2368 { 2369 struct hci_cp_le_ext_create_conn *cp; 2370 2371 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2372 2373 /* All connection failure handling is taken care of by the 2374 * hci_le_conn_failed function which is triggered by the HCI 2375 * request completion callbacks used for connecting. 2376 */ 2377 if (status) 2378 return; 2379 2380 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2381 if (!cp) 2382 return; 2383 2384 hci_dev_lock(hdev); 2385 2386 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2387 cp->own_addr_type, cp->filter_policy); 2388 2389 hci_dev_unlock(hdev); 2390 } 2391 2392 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2393 { 2394 struct hci_cp_le_read_remote_features *cp; 2395 struct hci_conn *conn; 2396 2397 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2398 2399 if (!status) 2400 return; 2401 2402 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2403 if (!cp) 2404 return; 2405 2406 hci_dev_lock(hdev); 2407 2408 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2409 if (conn) { 2410 if (conn->state == BT_CONFIG) { 2411 hci_connect_cfm(conn, status); 2412 hci_conn_drop(conn); 2413 } 2414 } 2415 2416 hci_dev_unlock(hdev); 2417 } 2418 2419 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2420 { 2421 struct hci_cp_le_start_enc *cp; 2422 struct hci_conn *conn; 2423 2424 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2425 2426 if (!status) 2427 return; 2428 2429 hci_dev_lock(hdev); 2430 2431 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2432 if (!cp) 2433 goto unlock; 2434 2435 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2436 if (!conn) 2437 goto unlock; 2438 2439 if (conn->state != BT_CONNECTED) 2440 goto unlock; 2441 2442 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2443 hci_conn_drop(conn); 2444 2445 unlock: 2446 hci_dev_unlock(hdev); 2447 } 2448 2449 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2450 { 2451 struct hci_cp_switch_role *cp; 2452 struct hci_conn *conn; 2453 2454 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2455 2456 if (!status) 2457 return; 2458 2459 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2460 if (!cp) 2461 return; 2462 2463 hci_dev_lock(hdev); 2464 2465 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2466 if (conn) 2467 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2468 2469 hci_dev_unlock(hdev); 2470 } 2471 2472 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2473 { 2474 __u8 status = *((__u8 *) skb->data); 2475 struct discovery_state *discov = &hdev->discovery; 2476 struct inquiry_entry *e; 2477 2478 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2479 2480 hci_conn_check_pending(hdev); 2481 2482 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2483 return; 2484 2485 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2486 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2487 2488 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2489 return; 2490 2491 hci_dev_lock(hdev); 2492 2493 if (discov->state != DISCOVERY_FINDING) 2494 goto unlock; 2495 2496 if (list_empty(&discov->resolve)) { 2497 /* When BR/EDR inquiry is active and no LE scanning is in 2498 * progress, then change discovery state to indicate completion. 2499 * 2500 * When running LE scanning and BR/EDR inquiry simultaneously 2501 * and the LE scan already finished, then change the discovery 2502 * state to indicate completion. 2503 */ 2504 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2505 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2506 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2507 goto unlock; 2508 } 2509 2510 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2511 if (e && hci_resolve_name(hdev, e) == 0) { 2512 e->name_state = NAME_PENDING; 2513 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2514 } else { 2515 /* When BR/EDR inquiry is active and no LE scanning is in 2516 * progress, then change discovery state to indicate completion. 2517 * 2518 * When running LE scanning and BR/EDR inquiry simultaneously 2519 * and the LE scan already finished, then change the discovery 2520 * state to indicate completion. 2521 */ 2522 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2523 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2524 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2525 } 2526 2527 unlock: 2528 hci_dev_unlock(hdev); 2529 } 2530 2531 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2532 { 2533 struct inquiry_data data; 2534 struct inquiry_info *info = (void *) (skb->data + 1); 2535 int num_rsp = *((__u8 *) skb->data); 2536 2537 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2538 2539 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) 2540 return; 2541 2542 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2543 return; 2544 2545 hci_dev_lock(hdev); 2546 2547 for (; num_rsp; num_rsp--, info++) { 2548 u32 flags; 2549 2550 bacpy(&data.bdaddr, &info->bdaddr); 2551 data.pscan_rep_mode = info->pscan_rep_mode; 2552 data.pscan_period_mode = info->pscan_period_mode; 2553 data.pscan_mode = info->pscan_mode; 2554 memcpy(data.dev_class, info->dev_class, 3); 2555 data.clock_offset = info->clock_offset; 2556 data.rssi = HCI_RSSI_INVALID; 2557 data.ssp_mode = 0x00; 2558 2559 flags = hci_inquiry_cache_update(hdev, &data, false); 2560 2561 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2562 info->dev_class, HCI_RSSI_INVALID, 2563 flags, NULL, 0, NULL, 0); 2564 } 2565 2566 hci_dev_unlock(hdev); 2567 } 2568 2569 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2570 { 2571 struct hci_ev_conn_complete *ev = (void *) skb->data; 2572 struct hci_conn *conn; 2573 2574 BT_DBG("%s", hdev->name); 2575 2576 hci_dev_lock(hdev); 2577 2578 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2579 if (!conn) { 2580 /* Connection may not exist if auto-connected. Check the bredr 2581 * allowlist to see if this device is allowed to auto connect. 2582 * If link is an ACL type, create a connection class 2583 * automatically. 2584 * 2585 * Auto-connect will only occur if the event filter is 2586 * programmed with a given address. Right now, event filter is 2587 * only used during suspend. 2588 */ 2589 if (ev->link_type == ACL_LINK && 2590 hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, 2591 &ev->bdaddr, 2592 BDADDR_BREDR)) { 2593 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2594 HCI_ROLE_SLAVE); 2595 if (!conn) { 2596 bt_dev_err(hdev, "no memory for new conn"); 2597 goto unlock; 2598 } 2599 } else { 2600 if (ev->link_type != SCO_LINK) 2601 goto unlock; 2602 2603 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 2604 &ev->bdaddr); 2605 if (!conn) 2606 goto unlock; 2607 2608 conn->type = SCO_LINK; 2609 } 2610 } 2611 2612 if (!ev->status) { 2613 conn->handle = __le16_to_cpu(ev->handle); 2614 2615 if (conn->type == ACL_LINK) { 2616 conn->state = BT_CONFIG; 2617 hci_conn_hold(conn); 2618 2619 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2620 !hci_find_link_key(hdev, &ev->bdaddr)) 2621 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2622 else 2623 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2624 } else 2625 conn->state = BT_CONNECTED; 2626 2627 hci_debugfs_create_conn(conn); 2628 hci_conn_add_sysfs(conn); 2629 2630 if (test_bit(HCI_AUTH, &hdev->flags)) 2631 set_bit(HCI_CONN_AUTH, &conn->flags); 2632 2633 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2634 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2635 2636 /* Get remote features */ 2637 if (conn->type == ACL_LINK) { 2638 struct hci_cp_read_remote_features cp; 2639 cp.handle = ev->handle; 2640 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2641 sizeof(cp), &cp); 2642 2643 hci_req_update_scan(hdev); 2644 } 2645 2646 /* Set packet type for incoming connection */ 2647 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2648 struct hci_cp_change_conn_ptype cp; 2649 cp.handle = ev->handle; 2650 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2651 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2652 &cp); 2653 } 2654 } else { 2655 conn->state = BT_CLOSED; 2656 if (conn->type == ACL_LINK) 2657 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2658 conn->dst_type, ev->status); 2659 } 2660 2661 if (conn->type == ACL_LINK) 2662 hci_sco_setup(conn, ev->status); 2663 2664 if (ev->status) { 2665 hci_connect_cfm(conn, ev->status); 2666 hci_conn_del(conn); 2667 } else if (ev->link_type == SCO_LINK) { 2668 switch (conn->setting & SCO_AIRMODE_MASK) { 2669 case SCO_AIRMODE_CVSD: 2670 if (hdev->notify) 2671 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 2672 break; 2673 } 2674 2675 hci_connect_cfm(conn, ev->status); 2676 } 2677 2678 unlock: 2679 hci_dev_unlock(hdev); 2680 2681 hci_conn_check_pending(hdev); 2682 } 2683 2684 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2685 { 2686 struct hci_cp_reject_conn_req cp; 2687 2688 bacpy(&cp.bdaddr, bdaddr); 2689 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2690 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2691 } 2692 2693 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2694 { 2695 struct hci_ev_conn_request *ev = (void *) skb->data; 2696 int mask = hdev->link_mode; 2697 struct inquiry_entry *ie; 2698 struct hci_conn *conn; 2699 __u8 flags = 0; 2700 2701 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2702 ev->link_type); 2703 2704 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2705 &flags); 2706 2707 if (!(mask & HCI_LM_ACCEPT)) { 2708 hci_reject_conn(hdev, &ev->bdaddr); 2709 return; 2710 } 2711 2712 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2713 BDADDR_BREDR)) { 2714 hci_reject_conn(hdev, &ev->bdaddr); 2715 return; 2716 } 2717 2718 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2719 * connection. These features are only touched through mgmt so 2720 * only do the checks if HCI_MGMT is set. 2721 */ 2722 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2723 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2724 !hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, &ev->bdaddr, 2725 BDADDR_BREDR)) { 2726 hci_reject_conn(hdev, &ev->bdaddr); 2727 return; 2728 } 2729 2730 /* Connection accepted */ 2731 2732 hci_dev_lock(hdev); 2733 2734 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2735 if (ie) 2736 memcpy(ie->data.dev_class, ev->dev_class, 3); 2737 2738 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2739 &ev->bdaddr); 2740 if (!conn) { 2741 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2742 HCI_ROLE_SLAVE); 2743 if (!conn) { 2744 bt_dev_err(hdev, "no memory for new connection"); 2745 hci_dev_unlock(hdev); 2746 return; 2747 } 2748 } 2749 2750 memcpy(conn->dev_class, ev->dev_class, 3); 2751 2752 hci_dev_unlock(hdev); 2753 2754 if (ev->link_type == ACL_LINK || 2755 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2756 struct hci_cp_accept_conn_req cp; 2757 conn->state = BT_CONNECT; 2758 2759 bacpy(&cp.bdaddr, &ev->bdaddr); 2760 2761 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2762 cp.role = 0x00; /* Become master */ 2763 else 2764 cp.role = 0x01; /* Remain slave */ 2765 2766 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2767 } else if (!(flags & HCI_PROTO_DEFER)) { 2768 struct hci_cp_accept_sync_conn_req cp; 2769 conn->state = BT_CONNECT; 2770 2771 bacpy(&cp.bdaddr, &ev->bdaddr); 2772 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2773 2774 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2775 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2776 cp.max_latency = cpu_to_le16(0xffff); 2777 cp.content_format = cpu_to_le16(hdev->voice_setting); 2778 cp.retrans_effort = 0xff; 2779 2780 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2781 &cp); 2782 } else { 2783 conn->state = BT_CONNECT2; 2784 hci_connect_cfm(conn, 0); 2785 } 2786 } 2787 2788 static u8 hci_to_mgmt_reason(u8 err) 2789 { 2790 switch (err) { 2791 case HCI_ERROR_CONNECTION_TIMEOUT: 2792 return MGMT_DEV_DISCONN_TIMEOUT; 2793 case HCI_ERROR_REMOTE_USER_TERM: 2794 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2795 case HCI_ERROR_REMOTE_POWER_OFF: 2796 return MGMT_DEV_DISCONN_REMOTE; 2797 case HCI_ERROR_LOCAL_HOST_TERM: 2798 return MGMT_DEV_DISCONN_LOCAL_HOST; 2799 default: 2800 return MGMT_DEV_DISCONN_UNKNOWN; 2801 } 2802 } 2803 2804 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2805 { 2806 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2807 u8 reason; 2808 struct hci_conn_params *params; 2809 struct hci_conn *conn; 2810 bool mgmt_connected; 2811 u8 type; 2812 2813 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2814 2815 hci_dev_lock(hdev); 2816 2817 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2818 if (!conn) 2819 goto unlock; 2820 2821 if (ev->status) { 2822 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2823 conn->dst_type, ev->status); 2824 goto unlock; 2825 } 2826 2827 conn->state = BT_CLOSED; 2828 2829 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2830 2831 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 2832 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 2833 else 2834 reason = hci_to_mgmt_reason(ev->reason); 2835 2836 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2837 reason, mgmt_connected); 2838 2839 if (conn->type == ACL_LINK) { 2840 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2841 hci_remove_link_key(hdev, &conn->dst); 2842 2843 hci_req_update_scan(hdev); 2844 } 2845 2846 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2847 if (params) { 2848 switch (params->auto_connect) { 2849 case HCI_AUTO_CONN_LINK_LOSS: 2850 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2851 break; 2852 fallthrough; 2853 2854 case HCI_AUTO_CONN_DIRECT: 2855 case HCI_AUTO_CONN_ALWAYS: 2856 list_del_init(¶ms->action); 2857 list_add(¶ms->action, &hdev->pend_le_conns); 2858 hci_update_background_scan(hdev); 2859 break; 2860 2861 default: 2862 break; 2863 } 2864 } 2865 2866 type = conn->type; 2867 2868 hci_disconn_cfm(conn, ev->reason); 2869 hci_conn_del(conn); 2870 2871 /* The suspend notifier is waiting for all devices to disconnect so 2872 * clear the bit from pending tasks and inform the wait queue. 2873 */ 2874 if (list_empty(&hdev->conn_hash.list) && 2875 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) { 2876 wake_up(&hdev->suspend_wait_q); 2877 } 2878 2879 /* Re-enable advertising if necessary, since it might 2880 * have been disabled by the connection. From the 2881 * HCI_LE_Set_Advertise_Enable command description in 2882 * the core specification (v4.0): 2883 * "The Controller shall continue advertising until the Host 2884 * issues an LE_Set_Advertise_Enable command with 2885 * Advertising_Enable set to 0x00 (Advertising is disabled) 2886 * or until a connection is created or until the Advertising 2887 * is timed out due to Directed Advertising." 2888 */ 2889 if (type == LE_LINK) 2890 hci_req_reenable_advertising(hdev); 2891 2892 unlock: 2893 hci_dev_unlock(hdev); 2894 } 2895 2896 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2897 { 2898 struct hci_ev_auth_complete *ev = (void *) skb->data; 2899 struct hci_conn *conn; 2900 2901 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2902 2903 hci_dev_lock(hdev); 2904 2905 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2906 if (!conn) 2907 goto unlock; 2908 2909 if (!ev->status) { 2910 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2911 2912 if (!hci_conn_ssp_enabled(conn) && 2913 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2914 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 2915 } else { 2916 set_bit(HCI_CONN_AUTH, &conn->flags); 2917 conn->sec_level = conn->pending_sec_level; 2918 } 2919 } else { 2920 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2921 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2922 2923 mgmt_auth_failed(conn, ev->status); 2924 } 2925 2926 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2927 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2928 2929 if (conn->state == BT_CONFIG) { 2930 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2931 struct hci_cp_set_conn_encrypt cp; 2932 cp.handle = ev->handle; 2933 cp.encrypt = 0x01; 2934 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2935 &cp); 2936 } else { 2937 conn->state = BT_CONNECTED; 2938 hci_connect_cfm(conn, ev->status); 2939 hci_conn_drop(conn); 2940 } 2941 } else { 2942 hci_auth_cfm(conn, ev->status); 2943 2944 hci_conn_hold(conn); 2945 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2946 hci_conn_drop(conn); 2947 } 2948 2949 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2950 if (!ev->status) { 2951 struct hci_cp_set_conn_encrypt cp; 2952 cp.handle = ev->handle; 2953 cp.encrypt = 0x01; 2954 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2955 &cp); 2956 } else { 2957 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2958 hci_encrypt_cfm(conn, ev->status); 2959 } 2960 } 2961 2962 unlock: 2963 hci_dev_unlock(hdev); 2964 } 2965 2966 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2967 { 2968 struct hci_ev_remote_name *ev = (void *) skb->data; 2969 struct hci_conn *conn; 2970 2971 BT_DBG("%s", hdev->name); 2972 2973 hci_conn_check_pending(hdev); 2974 2975 hci_dev_lock(hdev); 2976 2977 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2978 2979 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2980 goto check_auth; 2981 2982 if (ev->status == 0) 2983 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2984 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2985 else 2986 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2987 2988 check_auth: 2989 if (!conn) 2990 goto unlock; 2991 2992 if (!hci_outgoing_auth_needed(hdev, conn)) 2993 goto unlock; 2994 2995 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2996 struct hci_cp_auth_requested cp; 2997 2998 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2999 3000 cp.handle = __cpu_to_le16(conn->handle); 3001 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3002 } 3003 3004 unlock: 3005 hci_dev_unlock(hdev); 3006 } 3007 3008 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 3009 u16 opcode, struct sk_buff *skb) 3010 { 3011 const struct hci_rp_read_enc_key_size *rp; 3012 struct hci_conn *conn; 3013 u16 handle; 3014 3015 BT_DBG("%s status 0x%02x", hdev->name, status); 3016 3017 if (!skb || skb->len < sizeof(*rp)) { 3018 bt_dev_err(hdev, "invalid read key size response"); 3019 return; 3020 } 3021 3022 rp = (void *)skb->data; 3023 handle = le16_to_cpu(rp->handle); 3024 3025 hci_dev_lock(hdev); 3026 3027 conn = hci_conn_hash_lookup_handle(hdev, handle); 3028 if (!conn) 3029 goto unlock; 3030 3031 /* While unexpected, the read_enc_key_size command may fail. The most 3032 * secure approach is to then assume the key size is 0 to force a 3033 * disconnection. 3034 */ 3035 if (rp->status) { 3036 bt_dev_err(hdev, "failed to read key size for handle %u", 3037 handle); 3038 conn->enc_key_size = 0; 3039 } else { 3040 conn->enc_key_size = rp->key_size; 3041 } 3042 3043 hci_encrypt_cfm(conn, 0); 3044 3045 unlock: 3046 hci_dev_unlock(hdev); 3047 } 3048 3049 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3050 { 3051 struct hci_ev_encrypt_change *ev = (void *) skb->data; 3052 struct hci_conn *conn; 3053 3054 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3055 3056 hci_dev_lock(hdev); 3057 3058 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3059 if (!conn) 3060 goto unlock; 3061 3062 if (!ev->status) { 3063 if (ev->encrypt) { 3064 /* Encryption implies authentication */ 3065 set_bit(HCI_CONN_AUTH, &conn->flags); 3066 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3067 conn->sec_level = conn->pending_sec_level; 3068 3069 /* P-256 authentication key implies FIPS */ 3070 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3071 set_bit(HCI_CONN_FIPS, &conn->flags); 3072 3073 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3074 conn->type == LE_LINK) 3075 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3076 } else { 3077 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3078 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3079 } 3080 } 3081 3082 /* We should disregard the current RPA and generate a new one 3083 * whenever the encryption procedure fails. 3084 */ 3085 if (ev->status && conn->type == LE_LINK) { 3086 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3087 hci_adv_instances_set_rpa_expired(hdev, true); 3088 } 3089 3090 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3091 3092 /* Check link security requirements are met */ 3093 if (!hci_conn_check_link_mode(conn)) 3094 ev->status = HCI_ERROR_AUTH_FAILURE; 3095 3096 if (ev->status && conn->state == BT_CONNECTED) { 3097 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3098 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3099 3100 /* Notify upper layers so they can cleanup before 3101 * disconnecting. 3102 */ 3103 hci_encrypt_cfm(conn, ev->status); 3104 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3105 hci_conn_drop(conn); 3106 goto unlock; 3107 } 3108 3109 /* Try reading the encryption key size for encrypted ACL links */ 3110 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3111 struct hci_cp_read_enc_key_size cp; 3112 struct hci_request req; 3113 3114 /* Only send HCI_Read_Encryption_Key_Size if the 3115 * controller really supports it. If it doesn't, assume 3116 * the default size (16). 3117 */ 3118 if (!(hdev->commands[20] & 0x10)) { 3119 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3120 goto notify; 3121 } 3122 3123 hci_req_init(&req, hdev); 3124 3125 cp.handle = cpu_to_le16(conn->handle); 3126 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 3127 3128 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 3129 bt_dev_err(hdev, "sending read key size failed"); 3130 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3131 goto notify; 3132 } 3133 3134 goto unlock; 3135 } 3136 3137 /* Set the default Authenticated Payload Timeout after 3138 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3139 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3140 * sent when the link is active and Encryption is enabled, the conn 3141 * type can be either LE or ACL and controller must support LMP Ping. 3142 * Ensure for AES-CCM encryption as well. 3143 */ 3144 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3145 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3146 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3147 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3148 struct hci_cp_write_auth_payload_to cp; 3149 3150 cp.handle = cpu_to_le16(conn->handle); 3151 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3152 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3153 sizeof(cp), &cp); 3154 } 3155 3156 notify: 3157 hci_encrypt_cfm(conn, ev->status); 3158 3159 unlock: 3160 hci_dev_unlock(hdev); 3161 } 3162 3163 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 3164 struct sk_buff *skb) 3165 { 3166 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 3167 struct hci_conn *conn; 3168 3169 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3170 3171 hci_dev_lock(hdev); 3172 3173 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3174 if (conn) { 3175 if (!ev->status) 3176 set_bit(HCI_CONN_SECURE, &conn->flags); 3177 3178 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3179 3180 hci_key_change_cfm(conn, ev->status); 3181 } 3182 3183 hci_dev_unlock(hdev); 3184 } 3185 3186 static void hci_remote_features_evt(struct hci_dev *hdev, 3187 struct sk_buff *skb) 3188 { 3189 struct hci_ev_remote_features *ev = (void *) skb->data; 3190 struct hci_conn *conn; 3191 3192 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3193 3194 hci_dev_lock(hdev); 3195 3196 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3197 if (!conn) 3198 goto unlock; 3199 3200 if (!ev->status) 3201 memcpy(conn->features[0], ev->features, 8); 3202 3203 if (conn->state != BT_CONFIG) 3204 goto unlock; 3205 3206 if (!ev->status && lmp_ext_feat_capable(hdev) && 3207 lmp_ext_feat_capable(conn)) { 3208 struct hci_cp_read_remote_ext_features cp; 3209 cp.handle = ev->handle; 3210 cp.page = 0x01; 3211 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3212 sizeof(cp), &cp); 3213 goto unlock; 3214 } 3215 3216 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3217 struct hci_cp_remote_name_req cp; 3218 memset(&cp, 0, sizeof(cp)); 3219 bacpy(&cp.bdaddr, &conn->dst); 3220 cp.pscan_rep_mode = 0x02; 3221 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3222 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3223 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3224 3225 if (!hci_outgoing_auth_needed(hdev, conn)) { 3226 conn->state = BT_CONNECTED; 3227 hci_connect_cfm(conn, ev->status); 3228 hci_conn_drop(conn); 3229 } 3230 3231 unlock: 3232 hci_dev_unlock(hdev); 3233 } 3234 3235 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 3236 u16 *opcode, u8 *status, 3237 hci_req_complete_t *req_complete, 3238 hci_req_complete_skb_t *req_complete_skb) 3239 { 3240 struct hci_ev_cmd_complete *ev = (void *) skb->data; 3241 3242 *opcode = __le16_to_cpu(ev->opcode); 3243 *status = skb->data[sizeof(*ev)]; 3244 3245 skb_pull(skb, sizeof(*ev)); 3246 3247 switch (*opcode) { 3248 case HCI_OP_INQUIRY_CANCEL: 3249 hci_cc_inquiry_cancel(hdev, skb, status); 3250 break; 3251 3252 case HCI_OP_PERIODIC_INQ: 3253 hci_cc_periodic_inq(hdev, skb); 3254 break; 3255 3256 case HCI_OP_EXIT_PERIODIC_INQ: 3257 hci_cc_exit_periodic_inq(hdev, skb); 3258 break; 3259 3260 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 3261 hci_cc_remote_name_req_cancel(hdev, skb); 3262 break; 3263 3264 case HCI_OP_ROLE_DISCOVERY: 3265 hci_cc_role_discovery(hdev, skb); 3266 break; 3267 3268 case HCI_OP_READ_LINK_POLICY: 3269 hci_cc_read_link_policy(hdev, skb); 3270 break; 3271 3272 case HCI_OP_WRITE_LINK_POLICY: 3273 hci_cc_write_link_policy(hdev, skb); 3274 break; 3275 3276 case HCI_OP_READ_DEF_LINK_POLICY: 3277 hci_cc_read_def_link_policy(hdev, skb); 3278 break; 3279 3280 case HCI_OP_WRITE_DEF_LINK_POLICY: 3281 hci_cc_write_def_link_policy(hdev, skb); 3282 break; 3283 3284 case HCI_OP_RESET: 3285 hci_cc_reset(hdev, skb); 3286 break; 3287 3288 case HCI_OP_READ_STORED_LINK_KEY: 3289 hci_cc_read_stored_link_key(hdev, skb); 3290 break; 3291 3292 case HCI_OP_DELETE_STORED_LINK_KEY: 3293 hci_cc_delete_stored_link_key(hdev, skb); 3294 break; 3295 3296 case HCI_OP_WRITE_LOCAL_NAME: 3297 hci_cc_write_local_name(hdev, skb); 3298 break; 3299 3300 case HCI_OP_READ_LOCAL_NAME: 3301 hci_cc_read_local_name(hdev, skb); 3302 break; 3303 3304 case HCI_OP_WRITE_AUTH_ENABLE: 3305 hci_cc_write_auth_enable(hdev, skb); 3306 break; 3307 3308 case HCI_OP_WRITE_ENCRYPT_MODE: 3309 hci_cc_write_encrypt_mode(hdev, skb); 3310 break; 3311 3312 case HCI_OP_WRITE_SCAN_ENABLE: 3313 hci_cc_write_scan_enable(hdev, skb); 3314 break; 3315 3316 case HCI_OP_READ_CLASS_OF_DEV: 3317 hci_cc_read_class_of_dev(hdev, skb); 3318 break; 3319 3320 case HCI_OP_WRITE_CLASS_OF_DEV: 3321 hci_cc_write_class_of_dev(hdev, skb); 3322 break; 3323 3324 case HCI_OP_READ_VOICE_SETTING: 3325 hci_cc_read_voice_setting(hdev, skb); 3326 break; 3327 3328 case HCI_OP_WRITE_VOICE_SETTING: 3329 hci_cc_write_voice_setting(hdev, skb); 3330 break; 3331 3332 case HCI_OP_READ_NUM_SUPPORTED_IAC: 3333 hci_cc_read_num_supported_iac(hdev, skb); 3334 break; 3335 3336 case HCI_OP_WRITE_SSP_MODE: 3337 hci_cc_write_ssp_mode(hdev, skb); 3338 break; 3339 3340 case HCI_OP_WRITE_SC_SUPPORT: 3341 hci_cc_write_sc_support(hdev, skb); 3342 break; 3343 3344 case HCI_OP_READ_AUTH_PAYLOAD_TO: 3345 hci_cc_read_auth_payload_timeout(hdev, skb); 3346 break; 3347 3348 case HCI_OP_WRITE_AUTH_PAYLOAD_TO: 3349 hci_cc_write_auth_payload_timeout(hdev, skb); 3350 break; 3351 3352 case HCI_OP_READ_LOCAL_VERSION: 3353 hci_cc_read_local_version(hdev, skb); 3354 break; 3355 3356 case HCI_OP_READ_LOCAL_COMMANDS: 3357 hci_cc_read_local_commands(hdev, skb); 3358 break; 3359 3360 case HCI_OP_READ_LOCAL_FEATURES: 3361 hci_cc_read_local_features(hdev, skb); 3362 break; 3363 3364 case HCI_OP_READ_LOCAL_EXT_FEATURES: 3365 hci_cc_read_local_ext_features(hdev, skb); 3366 break; 3367 3368 case HCI_OP_READ_BUFFER_SIZE: 3369 hci_cc_read_buffer_size(hdev, skb); 3370 break; 3371 3372 case HCI_OP_READ_BD_ADDR: 3373 hci_cc_read_bd_addr(hdev, skb); 3374 break; 3375 3376 case HCI_OP_READ_LOCAL_PAIRING_OPTS: 3377 hci_cc_read_local_pairing_opts(hdev, skb); 3378 break; 3379 3380 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 3381 hci_cc_read_page_scan_activity(hdev, skb); 3382 break; 3383 3384 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 3385 hci_cc_write_page_scan_activity(hdev, skb); 3386 break; 3387 3388 case HCI_OP_READ_PAGE_SCAN_TYPE: 3389 hci_cc_read_page_scan_type(hdev, skb); 3390 break; 3391 3392 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 3393 hci_cc_write_page_scan_type(hdev, skb); 3394 break; 3395 3396 case HCI_OP_READ_DATA_BLOCK_SIZE: 3397 hci_cc_read_data_block_size(hdev, skb); 3398 break; 3399 3400 case HCI_OP_READ_FLOW_CONTROL_MODE: 3401 hci_cc_read_flow_control_mode(hdev, skb); 3402 break; 3403 3404 case HCI_OP_READ_LOCAL_AMP_INFO: 3405 hci_cc_read_local_amp_info(hdev, skb); 3406 break; 3407 3408 case HCI_OP_READ_CLOCK: 3409 hci_cc_read_clock(hdev, skb); 3410 break; 3411 3412 case HCI_OP_READ_INQ_RSP_TX_POWER: 3413 hci_cc_read_inq_rsp_tx_power(hdev, skb); 3414 break; 3415 3416 case HCI_OP_READ_DEF_ERR_DATA_REPORTING: 3417 hci_cc_read_def_err_data_reporting(hdev, skb); 3418 break; 3419 3420 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING: 3421 hci_cc_write_def_err_data_reporting(hdev, skb); 3422 break; 3423 3424 case HCI_OP_PIN_CODE_REPLY: 3425 hci_cc_pin_code_reply(hdev, skb); 3426 break; 3427 3428 case HCI_OP_PIN_CODE_NEG_REPLY: 3429 hci_cc_pin_code_neg_reply(hdev, skb); 3430 break; 3431 3432 case HCI_OP_READ_LOCAL_OOB_DATA: 3433 hci_cc_read_local_oob_data(hdev, skb); 3434 break; 3435 3436 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 3437 hci_cc_read_local_oob_ext_data(hdev, skb); 3438 break; 3439 3440 case HCI_OP_LE_READ_BUFFER_SIZE: 3441 hci_cc_le_read_buffer_size(hdev, skb); 3442 break; 3443 3444 case HCI_OP_LE_READ_LOCAL_FEATURES: 3445 hci_cc_le_read_local_features(hdev, skb); 3446 break; 3447 3448 case HCI_OP_LE_READ_ADV_TX_POWER: 3449 hci_cc_le_read_adv_tx_power(hdev, skb); 3450 break; 3451 3452 case HCI_OP_USER_CONFIRM_REPLY: 3453 hci_cc_user_confirm_reply(hdev, skb); 3454 break; 3455 3456 case HCI_OP_USER_CONFIRM_NEG_REPLY: 3457 hci_cc_user_confirm_neg_reply(hdev, skb); 3458 break; 3459 3460 case HCI_OP_USER_PASSKEY_REPLY: 3461 hci_cc_user_passkey_reply(hdev, skb); 3462 break; 3463 3464 case HCI_OP_USER_PASSKEY_NEG_REPLY: 3465 hci_cc_user_passkey_neg_reply(hdev, skb); 3466 break; 3467 3468 case HCI_OP_LE_SET_RANDOM_ADDR: 3469 hci_cc_le_set_random_addr(hdev, skb); 3470 break; 3471 3472 case HCI_OP_LE_SET_ADV_ENABLE: 3473 hci_cc_le_set_adv_enable(hdev, skb); 3474 break; 3475 3476 case HCI_OP_LE_SET_SCAN_PARAM: 3477 hci_cc_le_set_scan_param(hdev, skb); 3478 break; 3479 3480 case HCI_OP_LE_SET_SCAN_ENABLE: 3481 hci_cc_le_set_scan_enable(hdev, skb); 3482 break; 3483 3484 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 3485 hci_cc_le_read_white_list_size(hdev, skb); 3486 break; 3487 3488 case HCI_OP_LE_CLEAR_WHITE_LIST: 3489 hci_cc_le_clear_white_list(hdev, skb); 3490 break; 3491 3492 case HCI_OP_LE_ADD_TO_WHITE_LIST: 3493 hci_cc_le_add_to_white_list(hdev, skb); 3494 break; 3495 3496 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 3497 hci_cc_le_del_from_white_list(hdev, skb); 3498 break; 3499 3500 case HCI_OP_LE_READ_SUPPORTED_STATES: 3501 hci_cc_le_read_supported_states(hdev, skb); 3502 break; 3503 3504 case HCI_OP_LE_READ_DEF_DATA_LEN: 3505 hci_cc_le_read_def_data_len(hdev, skb); 3506 break; 3507 3508 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3509 hci_cc_le_write_def_data_len(hdev, skb); 3510 break; 3511 3512 case HCI_OP_LE_ADD_TO_RESOLV_LIST: 3513 hci_cc_le_add_to_resolv_list(hdev, skb); 3514 break; 3515 3516 case HCI_OP_LE_DEL_FROM_RESOLV_LIST: 3517 hci_cc_le_del_from_resolv_list(hdev, skb); 3518 break; 3519 3520 case HCI_OP_LE_CLEAR_RESOLV_LIST: 3521 hci_cc_le_clear_resolv_list(hdev, skb); 3522 break; 3523 3524 case HCI_OP_LE_READ_RESOLV_LIST_SIZE: 3525 hci_cc_le_read_resolv_list_size(hdev, skb); 3526 break; 3527 3528 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE: 3529 hci_cc_le_set_addr_resolution_enable(hdev, skb); 3530 break; 3531 3532 case HCI_OP_LE_READ_MAX_DATA_LEN: 3533 hci_cc_le_read_max_data_len(hdev, skb); 3534 break; 3535 3536 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3537 hci_cc_write_le_host_supported(hdev, skb); 3538 break; 3539 3540 case HCI_OP_LE_SET_ADV_PARAM: 3541 hci_cc_set_adv_param(hdev, skb); 3542 break; 3543 3544 case HCI_OP_READ_RSSI: 3545 hci_cc_read_rssi(hdev, skb); 3546 break; 3547 3548 case HCI_OP_READ_TX_POWER: 3549 hci_cc_read_tx_power(hdev, skb); 3550 break; 3551 3552 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3553 hci_cc_write_ssp_debug_mode(hdev, skb); 3554 break; 3555 3556 case HCI_OP_LE_SET_EXT_SCAN_PARAMS: 3557 hci_cc_le_set_ext_scan_param(hdev, skb); 3558 break; 3559 3560 case HCI_OP_LE_SET_EXT_SCAN_ENABLE: 3561 hci_cc_le_set_ext_scan_enable(hdev, skb); 3562 break; 3563 3564 case HCI_OP_LE_SET_DEFAULT_PHY: 3565 hci_cc_le_set_default_phy(hdev, skb); 3566 break; 3567 3568 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS: 3569 hci_cc_le_read_num_adv_sets(hdev, skb); 3570 break; 3571 3572 case HCI_OP_LE_SET_EXT_ADV_PARAMS: 3573 hci_cc_set_ext_adv_param(hdev, skb); 3574 break; 3575 3576 case HCI_OP_LE_SET_EXT_ADV_ENABLE: 3577 hci_cc_le_set_ext_adv_enable(hdev, skb); 3578 break; 3579 3580 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR: 3581 hci_cc_le_set_adv_set_random_addr(hdev, skb); 3582 break; 3583 3584 default: 3585 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3586 break; 3587 } 3588 3589 if (*opcode != HCI_OP_NOP) 3590 cancel_delayed_work(&hdev->cmd_timer); 3591 3592 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3593 atomic_set(&hdev->cmd_cnt, 1); 3594 3595 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3596 req_complete_skb); 3597 3598 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3599 bt_dev_err(hdev, 3600 "unexpected event for opcode 0x%4.4x", *opcode); 3601 return; 3602 } 3603 3604 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3605 queue_work(hdev->workqueue, &hdev->cmd_work); 3606 } 3607 3608 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3609 u16 *opcode, u8 *status, 3610 hci_req_complete_t *req_complete, 3611 hci_req_complete_skb_t *req_complete_skb) 3612 { 3613 struct hci_ev_cmd_status *ev = (void *) skb->data; 3614 3615 skb_pull(skb, sizeof(*ev)); 3616 3617 *opcode = __le16_to_cpu(ev->opcode); 3618 *status = ev->status; 3619 3620 switch (*opcode) { 3621 case HCI_OP_INQUIRY: 3622 hci_cs_inquiry(hdev, ev->status); 3623 break; 3624 3625 case HCI_OP_CREATE_CONN: 3626 hci_cs_create_conn(hdev, ev->status); 3627 break; 3628 3629 case HCI_OP_DISCONNECT: 3630 hci_cs_disconnect(hdev, ev->status); 3631 break; 3632 3633 case HCI_OP_ADD_SCO: 3634 hci_cs_add_sco(hdev, ev->status); 3635 break; 3636 3637 case HCI_OP_AUTH_REQUESTED: 3638 hci_cs_auth_requested(hdev, ev->status); 3639 break; 3640 3641 case HCI_OP_SET_CONN_ENCRYPT: 3642 hci_cs_set_conn_encrypt(hdev, ev->status); 3643 break; 3644 3645 case HCI_OP_REMOTE_NAME_REQ: 3646 hci_cs_remote_name_req(hdev, ev->status); 3647 break; 3648 3649 case HCI_OP_READ_REMOTE_FEATURES: 3650 hci_cs_read_remote_features(hdev, ev->status); 3651 break; 3652 3653 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3654 hci_cs_read_remote_ext_features(hdev, ev->status); 3655 break; 3656 3657 case HCI_OP_SETUP_SYNC_CONN: 3658 hci_cs_setup_sync_conn(hdev, ev->status); 3659 break; 3660 3661 case HCI_OP_SNIFF_MODE: 3662 hci_cs_sniff_mode(hdev, ev->status); 3663 break; 3664 3665 case HCI_OP_EXIT_SNIFF_MODE: 3666 hci_cs_exit_sniff_mode(hdev, ev->status); 3667 break; 3668 3669 case HCI_OP_SWITCH_ROLE: 3670 hci_cs_switch_role(hdev, ev->status); 3671 break; 3672 3673 case HCI_OP_LE_CREATE_CONN: 3674 hci_cs_le_create_conn(hdev, ev->status); 3675 break; 3676 3677 case HCI_OP_LE_READ_REMOTE_FEATURES: 3678 hci_cs_le_read_remote_features(hdev, ev->status); 3679 break; 3680 3681 case HCI_OP_LE_START_ENC: 3682 hci_cs_le_start_enc(hdev, ev->status); 3683 break; 3684 3685 case HCI_OP_LE_EXT_CREATE_CONN: 3686 hci_cs_le_ext_create_conn(hdev, ev->status); 3687 break; 3688 3689 default: 3690 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3691 break; 3692 } 3693 3694 if (*opcode != HCI_OP_NOP) 3695 cancel_delayed_work(&hdev->cmd_timer); 3696 3697 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3698 atomic_set(&hdev->cmd_cnt, 1); 3699 3700 /* Indicate request completion if the command failed. Also, if 3701 * we're not waiting for a special event and we get a success 3702 * command status we should try to flag the request as completed 3703 * (since for this kind of commands there will not be a command 3704 * complete event). 3705 */ 3706 if (ev->status || 3707 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3708 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3709 req_complete_skb); 3710 3711 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3712 bt_dev_err(hdev, 3713 "unexpected event for opcode 0x%4.4x", *opcode); 3714 return; 3715 } 3716 3717 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3718 queue_work(hdev->workqueue, &hdev->cmd_work); 3719 } 3720 3721 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3722 { 3723 struct hci_ev_hardware_error *ev = (void *) skb->data; 3724 3725 hdev->hw_error_code = ev->code; 3726 3727 queue_work(hdev->req_workqueue, &hdev->error_reset); 3728 } 3729 3730 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3731 { 3732 struct hci_ev_role_change *ev = (void *) skb->data; 3733 struct hci_conn *conn; 3734 3735 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3736 3737 hci_dev_lock(hdev); 3738 3739 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3740 if (conn) { 3741 if (!ev->status) 3742 conn->role = ev->role; 3743 3744 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3745 3746 hci_role_switch_cfm(conn, ev->status, ev->role); 3747 } 3748 3749 hci_dev_unlock(hdev); 3750 } 3751 3752 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3753 { 3754 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3755 int i; 3756 3757 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3758 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3759 return; 3760 } 3761 3762 if (skb->len < sizeof(*ev) || 3763 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3764 BT_DBG("%s bad parameters", hdev->name); 3765 return; 3766 } 3767 3768 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3769 3770 for (i = 0; i < ev->num_hndl; i++) { 3771 struct hci_comp_pkts_info *info = &ev->handles[i]; 3772 struct hci_conn *conn; 3773 __u16 handle, count; 3774 3775 handle = __le16_to_cpu(info->handle); 3776 count = __le16_to_cpu(info->count); 3777 3778 conn = hci_conn_hash_lookup_handle(hdev, handle); 3779 if (!conn) 3780 continue; 3781 3782 conn->sent -= count; 3783 3784 switch (conn->type) { 3785 case ACL_LINK: 3786 hdev->acl_cnt += count; 3787 if (hdev->acl_cnt > hdev->acl_pkts) 3788 hdev->acl_cnt = hdev->acl_pkts; 3789 break; 3790 3791 case LE_LINK: 3792 if (hdev->le_pkts) { 3793 hdev->le_cnt += count; 3794 if (hdev->le_cnt > hdev->le_pkts) 3795 hdev->le_cnt = hdev->le_pkts; 3796 } else { 3797 hdev->acl_cnt += count; 3798 if (hdev->acl_cnt > hdev->acl_pkts) 3799 hdev->acl_cnt = hdev->acl_pkts; 3800 } 3801 break; 3802 3803 case SCO_LINK: 3804 hdev->sco_cnt += count; 3805 if (hdev->sco_cnt > hdev->sco_pkts) 3806 hdev->sco_cnt = hdev->sco_pkts; 3807 break; 3808 3809 default: 3810 bt_dev_err(hdev, "unknown type %d conn %p", 3811 conn->type, conn); 3812 break; 3813 } 3814 } 3815 3816 queue_work(hdev->workqueue, &hdev->tx_work); 3817 } 3818 3819 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3820 __u16 handle) 3821 { 3822 struct hci_chan *chan; 3823 3824 switch (hdev->dev_type) { 3825 case HCI_PRIMARY: 3826 return hci_conn_hash_lookup_handle(hdev, handle); 3827 case HCI_AMP: 3828 chan = hci_chan_lookup_handle(hdev, handle); 3829 if (chan) 3830 return chan->conn; 3831 break; 3832 default: 3833 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 3834 break; 3835 } 3836 3837 return NULL; 3838 } 3839 3840 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3841 { 3842 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3843 int i; 3844 3845 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3846 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3847 return; 3848 } 3849 3850 if (skb->len < sizeof(*ev) || 3851 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3852 BT_DBG("%s bad parameters", hdev->name); 3853 return; 3854 } 3855 3856 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3857 ev->num_hndl); 3858 3859 for (i = 0; i < ev->num_hndl; i++) { 3860 struct hci_comp_blocks_info *info = &ev->handles[i]; 3861 struct hci_conn *conn = NULL; 3862 __u16 handle, block_count; 3863 3864 handle = __le16_to_cpu(info->handle); 3865 block_count = __le16_to_cpu(info->blocks); 3866 3867 conn = __hci_conn_lookup_handle(hdev, handle); 3868 if (!conn) 3869 continue; 3870 3871 conn->sent -= block_count; 3872 3873 switch (conn->type) { 3874 case ACL_LINK: 3875 case AMP_LINK: 3876 hdev->block_cnt += block_count; 3877 if (hdev->block_cnt > hdev->num_blocks) 3878 hdev->block_cnt = hdev->num_blocks; 3879 break; 3880 3881 default: 3882 bt_dev_err(hdev, "unknown type %d conn %p", 3883 conn->type, conn); 3884 break; 3885 } 3886 } 3887 3888 queue_work(hdev->workqueue, &hdev->tx_work); 3889 } 3890 3891 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3892 { 3893 struct hci_ev_mode_change *ev = (void *) skb->data; 3894 struct hci_conn *conn; 3895 3896 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3897 3898 hci_dev_lock(hdev); 3899 3900 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3901 if (conn) { 3902 conn->mode = ev->mode; 3903 3904 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3905 &conn->flags)) { 3906 if (conn->mode == HCI_CM_ACTIVE) 3907 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3908 else 3909 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3910 } 3911 3912 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3913 hci_sco_setup(conn, ev->status); 3914 } 3915 3916 hci_dev_unlock(hdev); 3917 } 3918 3919 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3920 { 3921 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3922 struct hci_conn *conn; 3923 3924 BT_DBG("%s", hdev->name); 3925 3926 hci_dev_lock(hdev); 3927 3928 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3929 if (!conn) 3930 goto unlock; 3931 3932 if (conn->state == BT_CONNECTED) { 3933 hci_conn_hold(conn); 3934 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3935 hci_conn_drop(conn); 3936 } 3937 3938 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3939 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3940 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3941 sizeof(ev->bdaddr), &ev->bdaddr); 3942 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3943 u8 secure; 3944 3945 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3946 secure = 1; 3947 else 3948 secure = 0; 3949 3950 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3951 } 3952 3953 unlock: 3954 hci_dev_unlock(hdev); 3955 } 3956 3957 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3958 { 3959 if (key_type == HCI_LK_CHANGED_COMBINATION) 3960 return; 3961 3962 conn->pin_length = pin_len; 3963 conn->key_type = key_type; 3964 3965 switch (key_type) { 3966 case HCI_LK_LOCAL_UNIT: 3967 case HCI_LK_REMOTE_UNIT: 3968 case HCI_LK_DEBUG_COMBINATION: 3969 return; 3970 case HCI_LK_COMBINATION: 3971 if (pin_len == 16) 3972 conn->pending_sec_level = BT_SECURITY_HIGH; 3973 else 3974 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3975 break; 3976 case HCI_LK_UNAUTH_COMBINATION_P192: 3977 case HCI_LK_UNAUTH_COMBINATION_P256: 3978 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3979 break; 3980 case HCI_LK_AUTH_COMBINATION_P192: 3981 conn->pending_sec_level = BT_SECURITY_HIGH; 3982 break; 3983 case HCI_LK_AUTH_COMBINATION_P256: 3984 conn->pending_sec_level = BT_SECURITY_FIPS; 3985 break; 3986 } 3987 } 3988 3989 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3990 { 3991 struct hci_ev_link_key_req *ev = (void *) skb->data; 3992 struct hci_cp_link_key_reply cp; 3993 struct hci_conn *conn; 3994 struct link_key *key; 3995 3996 BT_DBG("%s", hdev->name); 3997 3998 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3999 return; 4000 4001 hci_dev_lock(hdev); 4002 4003 key = hci_find_link_key(hdev, &ev->bdaddr); 4004 if (!key) { 4005 BT_DBG("%s link key not found for %pMR", hdev->name, 4006 &ev->bdaddr); 4007 goto not_found; 4008 } 4009 4010 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 4011 &ev->bdaddr); 4012 4013 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4014 if (conn) { 4015 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4016 4017 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4018 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4019 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4020 BT_DBG("%s ignoring unauthenticated key", hdev->name); 4021 goto not_found; 4022 } 4023 4024 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4025 (conn->pending_sec_level == BT_SECURITY_HIGH || 4026 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4027 BT_DBG("%s ignoring key unauthenticated for high security", 4028 hdev->name); 4029 goto not_found; 4030 } 4031 4032 conn_set_key(conn, key->type, key->pin_len); 4033 } 4034 4035 bacpy(&cp.bdaddr, &ev->bdaddr); 4036 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4037 4038 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4039 4040 hci_dev_unlock(hdev); 4041 4042 return; 4043 4044 not_found: 4045 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4046 hci_dev_unlock(hdev); 4047 } 4048 4049 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4050 { 4051 struct hci_ev_link_key_notify *ev = (void *) skb->data; 4052 struct hci_conn *conn; 4053 struct link_key *key; 4054 bool persistent; 4055 u8 pin_len = 0; 4056 4057 BT_DBG("%s", hdev->name); 4058 4059 hci_dev_lock(hdev); 4060 4061 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4062 if (!conn) 4063 goto unlock; 4064 4065 hci_conn_hold(conn); 4066 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4067 hci_conn_drop(conn); 4068 4069 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4070 conn_set_key(conn, ev->key_type, conn->pin_length); 4071 4072 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4073 goto unlock; 4074 4075 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4076 ev->key_type, pin_len, &persistent); 4077 if (!key) 4078 goto unlock; 4079 4080 /* Update connection information since adding the key will have 4081 * fixed up the type in the case of changed combination keys. 4082 */ 4083 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4084 conn_set_key(conn, key->type, key->pin_len); 4085 4086 mgmt_new_link_key(hdev, key, persistent); 4087 4088 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4089 * is set. If it's not set simply remove the key from the kernel 4090 * list (we've still notified user space about it but with 4091 * store_hint being 0). 4092 */ 4093 if (key->type == HCI_LK_DEBUG_COMBINATION && 4094 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4095 list_del_rcu(&key->list); 4096 kfree_rcu(key, rcu); 4097 goto unlock; 4098 } 4099 4100 if (persistent) 4101 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4102 else 4103 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4104 4105 unlock: 4106 hci_dev_unlock(hdev); 4107 } 4108 4109 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 4110 { 4111 struct hci_ev_clock_offset *ev = (void *) skb->data; 4112 struct hci_conn *conn; 4113 4114 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4115 4116 hci_dev_lock(hdev); 4117 4118 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4119 if (conn && !ev->status) { 4120 struct inquiry_entry *ie; 4121 4122 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4123 if (ie) { 4124 ie->data.clock_offset = ev->clock_offset; 4125 ie->timestamp = jiffies; 4126 } 4127 } 4128 4129 hci_dev_unlock(hdev); 4130 } 4131 4132 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4133 { 4134 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 4135 struct hci_conn *conn; 4136 4137 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4138 4139 hci_dev_lock(hdev); 4140 4141 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4142 if (conn && !ev->status) 4143 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4144 4145 hci_dev_unlock(hdev); 4146 } 4147 4148 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 4149 { 4150 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 4151 struct inquiry_entry *ie; 4152 4153 BT_DBG("%s", hdev->name); 4154 4155 hci_dev_lock(hdev); 4156 4157 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4158 if (ie) { 4159 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4160 ie->timestamp = jiffies; 4161 } 4162 4163 hci_dev_unlock(hdev); 4164 } 4165 4166 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 4167 struct sk_buff *skb) 4168 { 4169 struct inquiry_data data; 4170 int num_rsp = *((__u8 *) skb->data); 4171 4172 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4173 4174 if (!num_rsp) 4175 return; 4176 4177 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4178 return; 4179 4180 hci_dev_lock(hdev); 4181 4182 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 4183 struct inquiry_info_with_rssi_and_pscan_mode *info; 4184 info = (void *) (skb->data + 1); 4185 4186 if (skb->len < num_rsp * sizeof(*info) + 1) 4187 goto unlock; 4188 4189 for (; num_rsp; num_rsp--, info++) { 4190 u32 flags; 4191 4192 bacpy(&data.bdaddr, &info->bdaddr); 4193 data.pscan_rep_mode = info->pscan_rep_mode; 4194 data.pscan_period_mode = info->pscan_period_mode; 4195 data.pscan_mode = info->pscan_mode; 4196 memcpy(data.dev_class, info->dev_class, 3); 4197 data.clock_offset = info->clock_offset; 4198 data.rssi = info->rssi; 4199 data.ssp_mode = 0x00; 4200 4201 flags = hci_inquiry_cache_update(hdev, &data, false); 4202 4203 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4204 info->dev_class, info->rssi, 4205 flags, NULL, 0, NULL, 0); 4206 } 4207 } else { 4208 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 4209 4210 if (skb->len < num_rsp * sizeof(*info) + 1) 4211 goto unlock; 4212 4213 for (; num_rsp; num_rsp--, info++) { 4214 u32 flags; 4215 4216 bacpy(&data.bdaddr, &info->bdaddr); 4217 data.pscan_rep_mode = info->pscan_rep_mode; 4218 data.pscan_period_mode = info->pscan_period_mode; 4219 data.pscan_mode = 0x00; 4220 memcpy(data.dev_class, info->dev_class, 3); 4221 data.clock_offset = info->clock_offset; 4222 data.rssi = info->rssi; 4223 data.ssp_mode = 0x00; 4224 4225 flags = hci_inquiry_cache_update(hdev, &data, false); 4226 4227 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4228 info->dev_class, info->rssi, 4229 flags, NULL, 0, NULL, 0); 4230 } 4231 } 4232 4233 unlock: 4234 hci_dev_unlock(hdev); 4235 } 4236 4237 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 4238 struct sk_buff *skb) 4239 { 4240 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 4241 struct hci_conn *conn; 4242 4243 BT_DBG("%s", hdev->name); 4244 4245 hci_dev_lock(hdev); 4246 4247 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4248 if (!conn) 4249 goto unlock; 4250 4251 if (ev->page < HCI_MAX_PAGES) 4252 memcpy(conn->features[ev->page], ev->features, 8); 4253 4254 if (!ev->status && ev->page == 0x01) { 4255 struct inquiry_entry *ie; 4256 4257 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4258 if (ie) 4259 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4260 4261 if (ev->features[0] & LMP_HOST_SSP) { 4262 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4263 } else { 4264 /* It is mandatory by the Bluetooth specification that 4265 * Extended Inquiry Results are only used when Secure 4266 * Simple Pairing is enabled, but some devices violate 4267 * this. 4268 * 4269 * To make these devices work, the internal SSP 4270 * enabled flag needs to be cleared if the remote host 4271 * features do not indicate SSP support */ 4272 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4273 } 4274 4275 if (ev->features[0] & LMP_HOST_SC) 4276 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4277 } 4278 4279 if (conn->state != BT_CONFIG) 4280 goto unlock; 4281 4282 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4283 struct hci_cp_remote_name_req cp; 4284 memset(&cp, 0, sizeof(cp)); 4285 bacpy(&cp.bdaddr, &conn->dst); 4286 cp.pscan_rep_mode = 0x02; 4287 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4288 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4289 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4290 4291 if (!hci_outgoing_auth_needed(hdev, conn)) { 4292 conn->state = BT_CONNECTED; 4293 hci_connect_cfm(conn, ev->status); 4294 hci_conn_drop(conn); 4295 } 4296 4297 unlock: 4298 hci_dev_unlock(hdev); 4299 } 4300 4301 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 4302 struct sk_buff *skb) 4303 { 4304 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 4305 struct hci_conn *conn; 4306 4307 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4308 4309 hci_dev_lock(hdev); 4310 4311 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4312 if (!conn) { 4313 if (ev->link_type == ESCO_LINK) 4314 goto unlock; 4315 4316 /* When the link type in the event indicates SCO connection 4317 * and lookup of the connection object fails, then check 4318 * if an eSCO connection object exists. 4319 * 4320 * The core limits the synchronous connections to either 4321 * SCO or eSCO. The eSCO connection is preferred and tried 4322 * to be setup first and until successfully established, 4323 * the link type will be hinted as eSCO. 4324 */ 4325 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4326 if (!conn) 4327 goto unlock; 4328 } 4329 4330 switch (ev->status) { 4331 case 0x00: 4332 conn->handle = __le16_to_cpu(ev->handle); 4333 conn->state = BT_CONNECTED; 4334 conn->type = ev->link_type; 4335 4336 hci_debugfs_create_conn(conn); 4337 hci_conn_add_sysfs(conn); 4338 break; 4339 4340 case 0x10: /* Connection Accept Timeout */ 4341 case 0x0d: /* Connection Rejected due to Limited Resources */ 4342 case 0x11: /* Unsupported Feature or Parameter Value */ 4343 case 0x1c: /* SCO interval rejected */ 4344 case 0x1a: /* Unsupported Remote Feature */ 4345 case 0x1e: /* Invalid LMP Parameters */ 4346 case 0x1f: /* Unspecified error */ 4347 case 0x20: /* Unsupported LMP Parameter value */ 4348 if (conn->out) { 4349 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4350 (hdev->esco_type & EDR_ESCO_MASK); 4351 if (hci_setup_sync(conn, conn->link->handle)) 4352 goto unlock; 4353 } 4354 fallthrough; 4355 4356 default: 4357 conn->state = BT_CLOSED; 4358 break; 4359 } 4360 4361 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 4362 4363 switch (conn->setting & SCO_AIRMODE_MASK) { 4364 case SCO_AIRMODE_CVSD: 4365 if (hdev->notify) 4366 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 4367 break; 4368 case SCO_AIRMODE_TRANSP: 4369 if (hdev->notify) 4370 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 4371 break; 4372 } 4373 4374 hci_connect_cfm(conn, ev->status); 4375 if (ev->status) 4376 hci_conn_del(conn); 4377 4378 unlock: 4379 hci_dev_unlock(hdev); 4380 } 4381 4382 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 4383 { 4384 size_t parsed = 0; 4385 4386 while (parsed < eir_len) { 4387 u8 field_len = eir[0]; 4388 4389 if (field_len == 0) 4390 return parsed; 4391 4392 parsed += field_len + 1; 4393 eir += field_len + 1; 4394 } 4395 4396 return eir_len; 4397 } 4398 4399 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 4400 struct sk_buff *skb) 4401 { 4402 struct inquiry_data data; 4403 struct extended_inquiry_info *info = (void *) (skb->data + 1); 4404 int num_rsp = *((__u8 *) skb->data); 4405 size_t eir_len; 4406 4407 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4408 4409 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) 4410 return; 4411 4412 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4413 return; 4414 4415 hci_dev_lock(hdev); 4416 4417 for (; num_rsp; num_rsp--, info++) { 4418 u32 flags; 4419 bool name_known; 4420 4421 bacpy(&data.bdaddr, &info->bdaddr); 4422 data.pscan_rep_mode = info->pscan_rep_mode; 4423 data.pscan_period_mode = info->pscan_period_mode; 4424 data.pscan_mode = 0x00; 4425 memcpy(data.dev_class, info->dev_class, 3); 4426 data.clock_offset = info->clock_offset; 4427 data.rssi = info->rssi; 4428 data.ssp_mode = 0x01; 4429 4430 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4431 name_known = eir_get_data(info->data, 4432 sizeof(info->data), 4433 EIR_NAME_COMPLETE, NULL); 4434 else 4435 name_known = true; 4436 4437 flags = hci_inquiry_cache_update(hdev, &data, name_known); 4438 4439 eir_len = eir_get_length(info->data, sizeof(info->data)); 4440 4441 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4442 info->dev_class, info->rssi, 4443 flags, info->data, eir_len, NULL, 0); 4444 } 4445 4446 hci_dev_unlock(hdev); 4447 } 4448 4449 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 4450 struct sk_buff *skb) 4451 { 4452 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 4453 struct hci_conn *conn; 4454 4455 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 4456 __le16_to_cpu(ev->handle)); 4457 4458 hci_dev_lock(hdev); 4459 4460 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4461 if (!conn) 4462 goto unlock; 4463 4464 /* For BR/EDR the necessary steps are taken through the 4465 * auth_complete event. 4466 */ 4467 if (conn->type != LE_LINK) 4468 goto unlock; 4469 4470 if (!ev->status) 4471 conn->sec_level = conn->pending_sec_level; 4472 4473 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 4474 4475 if (ev->status && conn->state == BT_CONNECTED) { 4476 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4477 hci_conn_drop(conn); 4478 goto unlock; 4479 } 4480 4481 if (conn->state == BT_CONFIG) { 4482 if (!ev->status) 4483 conn->state = BT_CONNECTED; 4484 4485 hci_connect_cfm(conn, ev->status); 4486 hci_conn_drop(conn); 4487 } else { 4488 hci_auth_cfm(conn, ev->status); 4489 4490 hci_conn_hold(conn); 4491 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4492 hci_conn_drop(conn); 4493 } 4494 4495 unlock: 4496 hci_dev_unlock(hdev); 4497 } 4498 4499 static u8 hci_get_auth_req(struct hci_conn *conn) 4500 { 4501 /* If remote requests no-bonding follow that lead */ 4502 if (conn->remote_auth == HCI_AT_NO_BONDING || 4503 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 4504 return conn->remote_auth | (conn->auth_type & 0x01); 4505 4506 /* If both remote and local have enough IO capabilities, require 4507 * MITM protection 4508 */ 4509 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 4510 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 4511 return conn->remote_auth | 0x01; 4512 4513 /* No MITM protection possible so ignore remote requirement */ 4514 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 4515 } 4516 4517 static u8 bredr_oob_data_present(struct hci_conn *conn) 4518 { 4519 struct hci_dev *hdev = conn->hdev; 4520 struct oob_data *data; 4521 4522 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 4523 if (!data) 4524 return 0x00; 4525 4526 if (bredr_sc_enabled(hdev)) { 4527 /* When Secure Connections is enabled, then just 4528 * return the present value stored with the OOB 4529 * data. The stored value contains the right present 4530 * information. However it can only be trusted when 4531 * not in Secure Connection Only mode. 4532 */ 4533 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 4534 return data->present; 4535 4536 /* When Secure Connections Only mode is enabled, then 4537 * the P-256 values are required. If they are not 4538 * available, then do not declare that OOB data is 4539 * present. 4540 */ 4541 if (!memcmp(data->rand256, ZERO_KEY, 16) || 4542 !memcmp(data->hash256, ZERO_KEY, 16)) 4543 return 0x00; 4544 4545 return 0x02; 4546 } 4547 4548 /* When Secure Connections is not enabled or actually 4549 * not supported by the hardware, then check that if 4550 * P-192 data values are present. 4551 */ 4552 if (!memcmp(data->rand192, ZERO_KEY, 16) || 4553 !memcmp(data->hash192, ZERO_KEY, 16)) 4554 return 0x00; 4555 4556 return 0x01; 4557 } 4558 4559 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4560 { 4561 struct hci_ev_io_capa_request *ev = (void *) skb->data; 4562 struct hci_conn *conn; 4563 4564 BT_DBG("%s", hdev->name); 4565 4566 hci_dev_lock(hdev); 4567 4568 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4569 if (!conn) 4570 goto unlock; 4571 4572 hci_conn_hold(conn); 4573 4574 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4575 goto unlock; 4576 4577 /* Allow pairing if we're pairable, the initiators of the 4578 * pairing or if the remote is not requesting bonding. 4579 */ 4580 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4581 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4582 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4583 struct hci_cp_io_capability_reply cp; 4584 4585 bacpy(&cp.bdaddr, &ev->bdaddr); 4586 /* Change the IO capability from KeyboardDisplay 4587 * to DisplayYesNo as it is not supported by BT spec. */ 4588 cp.capability = (conn->io_capability == 0x04) ? 4589 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4590 4591 /* If we are initiators, there is no remote information yet */ 4592 if (conn->remote_auth == 0xff) { 4593 /* Request MITM protection if our IO caps allow it 4594 * except for the no-bonding case. 4595 */ 4596 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4597 conn->auth_type != HCI_AT_NO_BONDING) 4598 conn->auth_type |= 0x01; 4599 } else { 4600 conn->auth_type = hci_get_auth_req(conn); 4601 } 4602 4603 /* If we're not bondable, force one of the non-bondable 4604 * authentication requirement values. 4605 */ 4606 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4607 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4608 4609 cp.authentication = conn->auth_type; 4610 cp.oob_data = bredr_oob_data_present(conn); 4611 4612 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4613 sizeof(cp), &cp); 4614 } else { 4615 struct hci_cp_io_capability_neg_reply cp; 4616 4617 bacpy(&cp.bdaddr, &ev->bdaddr); 4618 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4619 4620 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4621 sizeof(cp), &cp); 4622 } 4623 4624 unlock: 4625 hci_dev_unlock(hdev); 4626 } 4627 4628 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4629 { 4630 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4631 struct hci_conn *conn; 4632 4633 BT_DBG("%s", hdev->name); 4634 4635 hci_dev_lock(hdev); 4636 4637 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4638 if (!conn) 4639 goto unlock; 4640 4641 conn->remote_cap = ev->capability; 4642 conn->remote_auth = ev->authentication; 4643 4644 unlock: 4645 hci_dev_unlock(hdev); 4646 } 4647 4648 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4649 struct sk_buff *skb) 4650 { 4651 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4652 int loc_mitm, rem_mitm, confirm_hint = 0; 4653 struct hci_conn *conn; 4654 4655 BT_DBG("%s", hdev->name); 4656 4657 hci_dev_lock(hdev); 4658 4659 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4660 goto unlock; 4661 4662 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4663 if (!conn) 4664 goto unlock; 4665 4666 loc_mitm = (conn->auth_type & 0x01); 4667 rem_mitm = (conn->remote_auth & 0x01); 4668 4669 /* If we require MITM but the remote device can't provide that 4670 * (it has NoInputNoOutput) then reject the confirmation 4671 * request. We check the security level here since it doesn't 4672 * necessarily match conn->auth_type. 4673 */ 4674 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4675 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4676 BT_DBG("Rejecting request: remote device can't provide MITM"); 4677 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4678 sizeof(ev->bdaddr), &ev->bdaddr); 4679 goto unlock; 4680 } 4681 4682 /* If no side requires MITM protection; auto-accept */ 4683 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4684 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4685 4686 /* If we're not the initiators request authorization to 4687 * proceed from user space (mgmt_user_confirm with 4688 * confirm_hint set to 1). The exception is if neither 4689 * side had MITM or if the local IO capability is 4690 * NoInputNoOutput, in which case we do auto-accept 4691 */ 4692 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4693 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4694 (loc_mitm || rem_mitm)) { 4695 BT_DBG("Confirming auto-accept as acceptor"); 4696 confirm_hint = 1; 4697 goto confirm; 4698 } 4699 4700 /* If there already exists link key in local host, leave the 4701 * decision to user space since the remote device could be 4702 * legitimate or malicious. 4703 */ 4704 if (hci_find_link_key(hdev, &ev->bdaddr)) { 4705 bt_dev_dbg(hdev, "Local host already has link key"); 4706 confirm_hint = 1; 4707 goto confirm; 4708 } 4709 4710 BT_DBG("Auto-accept of user confirmation with %ums delay", 4711 hdev->auto_accept_delay); 4712 4713 if (hdev->auto_accept_delay > 0) { 4714 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4715 queue_delayed_work(conn->hdev->workqueue, 4716 &conn->auto_accept_work, delay); 4717 goto unlock; 4718 } 4719 4720 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4721 sizeof(ev->bdaddr), &ev->bdaddr); 4722 goto unlock; 4723 } 4724 4725 confirm: 4726 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4727 le32_to_cpu(ev->passkey), confirm_hint); 4728 4729 unlock: 4730 hci_dev_unlock(hdev); 4731 } 4732 4733 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4734 struct sk_buff *skb) 4735 { 4736 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4737 4738 BT_DBG("%s", hdev->name); 4739 4740 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4741 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4742 } 4743 4744 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4745 struct sk_buff *skb) 4746 { 4747 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4748 struct hci_conn *conn; 4749 4750 BT_DBG("%s", hdev->name); 4751 4752 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4753 if (!conn) 4754 return; 4755 4756 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4757 conn->passkey_entered = 0; 4758 4759 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4760 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4761 conn->dst_type, conn->passkey_notify, 4762 conn->passkey_entered); 4763 } 4764 4765 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4766 { 4767 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4768 struct hci_conn *conn; 4769 4770 BT_DBG("%s", hdev->name); 4771 4772 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4773 if (!conn) 4774 return; 4775 4776 switch (ev->type) { 4777 case HCI_KEYPRESS_STARTED: 4778 conn->passkey_entered = 0; 4779 return; 4780 4781 case HCI_KEYPRESS_ENTERED: 4782 conn->passkey_entered++; 4783 break; 4784 4785 case HCI_KEYPRESS_ERASED: 4786 conn->passkey_entered--; 4787 break; 4788 4789 case HCI_KEYPRESS_CLEARED: 4790 conn->passkey_entered = 0; 4791 break; 4792 4793 case HCI_KEYPRESS_COMPLETED: 4794 return; 4795 } 4796 4797 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4798 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4799 conn->dst_type, conn->passkey_notify, 4800 conn->passkey_entered); 4801 } 4802 4803 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4804 struct sk_buff *skb) 4805 { 4806 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4807 struct hci_conn *conn; 4808 4809 BT_DBG("%s", hdev->name); 4810 4811 hci_dev_lock(hdev); 4812 4813 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4814 if (!conn) 4815 goto unlock; 4816 4817 /* Reset the authentication requirement to unknown */ 4818 conn->remote_auth = 0xff; 4819 4820 /* To avoid duplicate auth_failed events to user space we check 4821 * the HCI_CONN_AUTH_PEND flag which will be set if we 4822 * initiated the authentication. A traditional auth_complete 4823 * event gets always produced as initiator and is also mapped to 4824 * the mgmt_auth_failed event */ 4825 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4826 mgmt_auth_failed(conn, ev->status); 4827 4828 hci_conn_drop(conn); 4829 4830 unlock: 4831 hci_dev_unlock(hdev); 4832 } 4833 4834 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4835 struct sk_buff *skb) 4836 { 4837 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4838 struct inquiry_entry *ie; 4839 struct hci_conn *conn; 4840 4841 BT_DBG("%s", hdev->name); 4842 4843 hci_dev_lock(hdev); 4844 4845 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4846 if (conn) 4847 memcpy(conn->features[1], ev->features, 8); 4848 4849 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4850 if (ie) 4851 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4852 4853 hci_dev_unlock(hdev); 4854 } 4855 4856 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4857 struct sk_buff *skb) 4858 { 4859 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4860 struct oob_data *data; 4861 4862 BT_DBG("%s", hdev->name); 4863 4864 hci_dev_lock(hdev); 4865 4866 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4867 goto unlock; 4868 4869 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4870 if (!data) { 4871 struct hci_cp_remote_oob_data_neg_reply cp; 4872 4873 bacpy(&cp.bdaddr, &ev->bdaddr); 4874 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4875 sizeof(cp), &cp); 4876 goto unlock; 4877 } 4878 4879 if (bredr_sc_enabled(hdev)) { 4880 struct hci_cp_remote_oob_ext_data_reply cp; 4881 4882 bacpy(&cp.bdaddr, &ev->bdaddr); 4883 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4884 memset(cp.hash192, 0, sizeof(cp.hash192)); 4885 memset(cp.rand192, 0, sizeof(cp.rand192)); 4886 } else { 4887 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4888 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4889 } 4890 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4891 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4892 4893 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4894 sizeof(cp), &cp); 4895 } else { 4896 struct hci_cp_remote_oob_data_reply cp; 4897 4898 bacpy(&cp.bdaddr, &ev->bdaddr); 4899 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4900 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4901 4902 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4903 sizeof(cp), &cp); 4904 } 4905 4906 unlock: 4907 hci_dev_unlock(hdev); 4908 } 4909 4910 #if IS_ENABLED(CONFIG_BT_HS) 4911 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4912 { 4913 struct hci_ev_channel_selected *ev = (void *)skb->data; 4914 struct hci_conn *hcon; 4915 4916 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4917 4918 skb_pull(skb, sizeof(*ev)); 4919 4920 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4921 if (!hcon) 4922 return; 4923 4924 amp_read_loc_assoc_final_data(hdev, hcon); 4925 } 4926 4927 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4928 struct sk_buff *skb) 4929 { 4930 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4931 struct hci_conn *hcon, *bredr_hcon; 4932 4933 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4934 ev->status); 4935 4936 hci_dev_lock(hdev); 4937 4938 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4939 if (!hcon) { 4940 hci_dev_unlock(hdev); 4941 return; 4942 } 4943 4944 if (ev->status) { 4945 hci_conn_del(hcon); 4946 hci_dev_unlock(hdev); 4947 return; 4948 } 4949 4950 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4951 4952 hcon->state = BT_CONNECTED; 4953 bacpy(&hcon->dst, &bredr_hcon->dst); 4954 4955 hci_conn_hold(hcon); 4956 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4957 hci_conn_drop(hcon); 4958 4959 hci_debugfs_create_conn(hcon); 4960 hci_conn_add_sysfs(hcon); 4961 4962 amp_physical_cfm(bredr_hcon, hcon); 4963 4964 hci_dev_unlock(hdev); 4965 } 4966 4967 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4968 { 4969 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4970 struct hci_conn *hcon; 4971 struct hci_chan *hchan; 4972 struct amp_mgr *mgr; 4973 4974 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4975 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4976 ev->status); 4977 4978 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4979 if (!hcon) 4980 return; 4981 4982 /* Create AMP hchan */ 4983 hchan = hci_chan_create(hcon); 4984 if (!hchan) 4985 return; 4986 4987 hchan->handle = le16_to_cpu(ev->handle); 4988 4989 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4990 4991 mgr = hcon->amp_mgr; 4992 if (mgr && mgr->bredr_chan) { 4993 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4994 4995 l2cap_chan_lock(bredr_chan); 4996 4997 bredr_chan->conn->mtu = hdev->block_mtu; 4998 l2cap_logical_cfm(bredr_chan, hchan, 0); 4999 hci_conn_hold(hcon); 5000 5001 l2cap_chan_unlock(bredr_chan); 5002 } 5003 } 5004 5005 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 5006 struct sk_buff *skb) 5007 { 5008 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 5009 struct hci_chan *hchan; 5010 5011 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 5012 le16_to_cpu(ev->handle), ev->status); 5013 5014 if (ev->status) 5015 return; 5016 5017 hci_dev_lock(hdev); 5018 5019 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 5020 if (!hchan) 5021 goto unlock; 5022 5023 amp_destroy_logical_link(hchan, ev->reason); 5024 5025 unlock: 5026 hci_dev_unlock(hdev); 5027 } 5028 5029 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 5030 struct sk_buff *skb) 5031 { 5032 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 5033 struct hci_conn *hcon; 5034 5035 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5036 5037 if (ev->status) 5038 return; 5039 5040 hci_dev_lock(hdev); 5041 5042 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5043 if (hcon) { 5044 hcon->state = BT_CLOSED; 5045 hci_conn_del(hcon); 5046 } 5047 5048 hci_dev_unlock(hdev); 5049 } 5050 #endif 5051 5052 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5053 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle, 5054 u16 interval, u16 latency, u16 supervision_timeout) 5055 { 5056 struct hci_conn_params *params; 5057 struct hci_conn *conn; 5058 struct smp_irk *irk; 5059 u8 addr_type; 5060 5061 hci_dev_lock(hdev); 5062 5063 /* All controllers implicitly stop advertising in the event of a 5064 * connection, so ensure that the state bit is cleared. 5065 */ 5066 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5067 5068 conn = hci_lookup_le_connect(hdev); 5069 if (!conn) { 5070 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5071 if (!conn) { 5072 bt_dev_err(hdev, "no memory for new connection"); 5073 goto unlock; 5074 } 5075 5076 conn->dst_type = bdaddr_type; 5077 5078 /* If we didn't have a hci_conn object previously 5079 * but we're in master role this must be something 5080 * initiated using a white list. Since white list based 5081 * connections are not "first class citizens" we don't 5082 * have full tracking of them. Therefore, we go ahead 5083 * with a "best effort" approach of determining the 5084 * initiator address based on the HCI_PRIVACY flag. 5085 */ 5086 if (conn->out) { 5087 conn->resp_addr_type = bdaddr_type; 5088 bacpy(&conn->resp_addr, bdaddr); 5089 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5090 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5091 bacpy(&conn->init_addr, &hdev->rpa); 5092 } else { 5093 hci_copy_identity_address(hdev, 5094 &conn->init_addr, 5095 &conn->init_addr_type); 5096 } 5097 } 5098 } else { 5099 cancel_delayed_work(&conn->le_conn_timeout); 5100 } 5101 5102 if (!conn->out) { 5103 /* Set the responder (our side) address type based on 5104 * the advertising address type. 5105 */ 5106 conn->resp_addr_type = hdev->adv_addr_type; 5107 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5108 /* In case of ext adv, resp_addr will be updated in 5109 * Adv Terminated event. 5110 */ 5111 if (!ext_adv_capable(hdev)) 5112 bacpy(&conn->resp_addr, &hdev->random_addr); 5113 } else { 5114 bacpy(&conn->resp_addr, &hdev->bdaddr); 5115 } 5116 5117 conn->init_addr_type = bdaddr_type; 5118 bacpy(&conn->init_addr, bdaddr); 5119 5120 /* For incoming connections, set the default minimum 5121 * and maximum connection interval. They will be used 5122 * to check if the parameters are in range and if not 5123 * trigger the connection update procedure. 5124 */ 5125 conn->le_conn_min_interval = hdev->le_conn_min_interval; 5126 conn->le_conn_max_interval = hdev->le_conn_max_interval; 5127 } 5128 5129 /* Lookup the identity address from the stored connection 5130 * address and address type. 5131 * 5132 * When establishing connections to an identity address, the 5133 * connection procedure will store the resolvable random 5134 * address first. Now if it can be converted back into the 5135 * identity address, start using the identity address from 5136 * now on. 5137 */ 5138 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5139 if (irk) { 5140 bacpy(&conn->dst, &irk->bdaddr); 5141 conn->dst_type = irk->addr_type; 5142 } 5143 5144 if (status) { 5145 hci_le_conn_failed(conn, status); 5146 goto unlock; 5147 } 5148 5149 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5150 addr_type = BDADDR_LE_PUBLIC; 5151 else 5152 addr_type = BDADDR_LE_RANDOM; 5153 5154 /* Drop the connection if the device is blocked */ 5155 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 5156 hci_conn_drop(conn); 5157 goto unlock; 5158 } 5159 5160 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5161 mgmt_device_connected(hdev, conn, 0, NULL, 0); 5162 5163 conn->sec_level = BT_SECURITY_LOW; 5164 conn->handle = handle; 5165 conn->state = BT_CONFIG; 5166 5167 conn->le_conn_interval = interval; 5168 conn->le_conn_latency = latency; 5169 conn->le_supv_timeout = supervision_timeout; 5170 5171 hci_debugfs_create_conn(conn); 5172 hci_conn_add_sysfs(conn); 5173 5174 /* The remote features procedure is defined for master 5175 * role only. So only in case of an initiated connection 5176 * request the remote features. 5177 * 5178 * If the local controller supports slave-initiated features 5179 * exchange, then requesting the remote features in slave 5180 * role is possible. Otherwise just transition into the 5181 * connected state without requesting the remote features. 5182 */ 5183 if (conn->out || 5184 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 5185 struct hci_cp_le_read_remote_features cp; 5186 5187 cp.handle = __cpu_to_le16(conn->handle); 5188 5189 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5190 sizeof(cp), &cp); 5191 5192 hci_conn_hold(conn); 5193 } else { 5194 conn->state = BT_CONNECTED; 5195 hci_connect_cfm(conn, status); 5196 } 5197 5198 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5199 conn->dst_type); 5200 if (params) { 5201 list_del_init(¶ms->action); 5202 if (params->conn) { 5203 hci_conn_drop(params->conn); 5204 hci_conn_put(params->conn); 5205 params->conn = NULL; 5206 } 5207 } 5208 5209 unlock: 5210 hci_update_background_scan(hdev); 5211 hci_dev_unlock(hdev); 5212 } 5213 5214 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 5215 { 5216 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 5217 5218 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5219 5220 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5221 ev->role, le16_to_cpu(ev->handle), 5222 le16_to_cpu(ev->interval), 5223 le16_to_cpu(ev->latency), 5224 le16_to_cpu(ev->supervision_timeout)); 5225 } 5226 5227 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, 5228 struct sk_buff *skb) 5229 { 5230 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data; 5231 5232 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5233 5234 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5235 ev->role, le16_to_cpu(ev->handle), 5236 le16_to_cpu(ev->interval), 5237 le16_to_cpu(ev->latency), 5238 le16_to_cpu(ev->supervision_timeout)); 5239 5240 if (use_ll_privacy(hdev) && 5241 hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) && 5242 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) 5243 hci_req_disable_address_resolution(hdev); 5244 } 5245 5246 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) 5247 { 5248 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data; 5249 struct hci_conn *conn; 5250 5251 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5252 5253 if (ev->status) 5254 return; 5255 5256 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5257 if (conn) { 5258 struct adv_info *adv_instance; 5259 5260 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM) 5261 return; 5262 5263 if (!hdev->cur_adv_instance) { 5264 bacpy(&conn->resp_addr, &hdev->random_addr); 5265 return; 5266 } 5267 5268 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance); 5269 if (adv_instance) 5270 bacpy(&conn->resp_addr, &adv_instance->random_addr); 5271 } 5272 } 5273 5274 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 5275 struct sk_buff *skb) 5276 { 5277 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 5278 struct hci_conn *conn; 5279 5280 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5281 5282 if (ev->status) 5283 return; 5284 5285 hci_dev_lock(hdev); 5286 5287 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5288 if (conn) { 5289 conn->le_conn_interval = le16_to_cpu(ev->interval); 5290 conn->le_conn_latency = le16_to_cpu(ev->latency); 5291 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5292 } 5293 5294 hci_dev_unlock(hdev); 5295 } 5296 5297 /* This function requires the caller holds hdev->lock */ 5298 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5299 bdaddr_t *addr, 5300 u8 addr_type, u8 adv_type, 5301 bdaddr_t *direct_rpa) 5302 { 5303 struct hci_conn *conn; 5304 struct hci_conn_params *params; 5305 5306 /* If the event is not connectable don't proceed further */ 5307 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5308 return NULL; 5309 5310 /* Ignore if the device is blocked */ 5311 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 5312 return NULL; 5313 5314 /* Most controller will fail if we try to create new connections 5315 * while we have an existing one in slave role. 5316 */ 5317 if (hdev->conn_hash.le_num_slave > 0 && 5318 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 5319 !(hdev->le_states[3] & 0x10))) 5320 return NULL; 5321 5322 /* If we're not connectable only connect devices that we have in 5323 * our pend_le_conns list. 5324 */ 5325 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5326 addr_type); 5327 if (!params) 5328 return NULL; 5329 5330 if (!params->explicit_connect) { 5331 switch (params->auto_connect) { 5332 case HCI_AUTO_CONN_DIRECT: 5333 /* Only devices advertising with ADV_DIRECT_IND are 5334 * triggering a connection attempt. This is allowing 5335 * incoming connections from slave devices. 5336 */ 5337 if (adv_type != LE_ADV_DIRECT_IND) 5338 return NULL; 5339 break; 5340 case HCI_AUTO_CONN_ALWAYS: 5341 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5342 * are triggering a connection attempt. This means 5343 * that incoming connections from slave device are 5344 * accepted and also outgoing connections to slave 5345 * devices are established when found. 5346 */ 5347 break; 5348 default: 5349 return NULL; 5350 } 5351 } 5352 5353 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 5354 hdev->def_le_autoconnect_timeout, HCI_ROLE_MASTER, 5355 direct_rpa); 5356 if (!IS_ERR(conn)) { 5357 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5358 * by higher layer that tried to connect, if no then 5359 * store the pointer since we don't really have any 5360 * other owner of the object besides the params that 5361 * triggered it. This way we can abort the connection if 5362 * the parameters get removed and keep the reference 5363 * count consistent once the connection is established. 5364 */ 5365 5366 if (!params->explicit_connect) 5367 params->conn = hci_conn_get(conn); 5368 5369 return conn; 5370 } 5371 5372 switch (PTR_ERR(conn)) { 5373 case -EBUSY: 5374 /* If hci_connect() returns -EBUSY it means there is already 5375 * an LE connection attempt going on. Since controllers don't 5376 * support more than one connection attempt at the time, we 5377 * don't consider this an error case. 5378 */ 5379 break; 5380 default: 5381 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5382 return NULL; 5383 } 5384 5385 return NULL; 5386 } 5387 5388 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 5389 u8 bdaddr_type, bdaddr_t *direct_addr, 5390 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 5391 bool ext_adv) 5392 { 5393 struct discovery_state *d = &hdev->discovery; 5394 struct smp_irk *irk; 5395 struct hci_conn *conn; 5396 bool match; 5397 u32 flags; 5398 u8 *ptr, real_len; 5399 5400 switch (type) { 5401 case LE_ADV_IND: 5402 case LE_ADV_DIRECT_IND: 5403 case LE_ADV_SCAN_IND: 5404 case LE_ADV_NONCONN_IND: 5405 case LE_ADV_SCAN_RSP: 5406 break; 5407 default: 5408 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 5409 "type: 0x%02x", type); 5410 return; 5411 } 5412 5413 if (!ext_adv && len > HCI_MAX_AD_LENGTH) { 5414 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); 5415 return; 5416 } 5417 5418 /* Find the end of the data in case the report contains padded zero 5419 * bytes at the end causing an invalid length value. 5420 * 5421 * When data is NULL, len is 0 so there is no need for extra ptr 5422 * check as 'ptr < data + 0' is already false in such case. 5423 */ 5424 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 5425 if (ptr + 1 + *ptr > data + len) 5426 break; 5427 } 5428 5429 real_len = ptr - data; 5430 5431 /* Adjust for actual length */ 5432 if (len != real_len) { 5433 bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u", 5434 len, real_len); 5435 len = real_len; 5436 } 5437 5438 /* If the direct address is present, then this report is from 5439 * a LE Direct Advertising Report event. In that case it is 5440 * important to see if the address is matching the local 5441 * controller address. 5442 */ 5443 if (direct_addr) { 5444 /* Only resolvable random addresses are valid for these 5445 * kind of reports and others can be ignored. 5446 */ 5447 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 5448 return; 5449 5450 /* If the controller is not using resolvable random 5451 * addresses, then this report can be ignored. 5452 */ 5453 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 5454 return; 5455 5456 /* If the local IRK of the controller does not match 5457 * with the resolvable random address provided, then 5458 * this report can be ignored. 5459 */ 5460 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 5461 return; 5462 } 5463 5464 /* Check if we need to convert to identity address */ 5465 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 5466 if (irk) { 5467 bdaddr = &irk->bdaddr; 5468 bdaddr_type = irk->addr_type; 5469 } 5470 5471 /* Check if we have been requested to connect to this device. 5472 * 5473 * direct_addr is set only for directed advertising reports (it is NULL 5474 * for advertising reports) and is already verified to be RPA above. 5475 */ 5476 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, 5477 direct_addr); 5478 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { 5479 /* Store report for later inclusion by 5480 * mgmt_device_connected 5481 */ 5482 memcpy(conn->le_adv_data, data, len); 5483 conn->le_adv_data_len = len; 5484 } 5485 5486 /* Passive scanning shouldn't trigger any device found events, 5487 * except for devices marked as CONN_REPORT for which we do send 5488 * device found events, or advertisement monitoring requested. 5489 */ 5490 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 5491 if (type == LE_ADV_DIRECT_IND) 5492 return; 5493 5494 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 5495 bdaddr, bdaddr_type) && 5496 idr_is_empty(&hdev->adv_monitors_idr)) 5497 return; 5498 5499 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 5500 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5501 else 5502 flags = 0; 5503 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5504 rssi, flags, data, len, NULL, 0); 5505 return; 5506 } 5507 5508 /* When receiving non-connectable or scannable undirected 5509 * advertising reports, this means that the remote device is 5510 * not connectable and then clearly indicate this in the 5511 * device found event. 5512 * 5513 * When receiving a scan response, then there is no way to 5514 * know if the remote device is connectable or not. However 5515 * since scan responses are merged with a previously seen 5516 * advertising report, the flags field from that report 5517 * will be used. 5518 * 5519 * In the really unlikely case that a controller get confused 5520 * and just sends a scan response event, then it is marked as 5521 * not connectable as well. 5522 */ 5523 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 5524 type == LE_ADV_SCAN_RSP) 5525 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5526 else 5527 flags = 0; 5528 5529 /* If there's nothing pending either store the data from this 5530 * event or send an immediate device found event if the data 5531 * should not be stored for later. 5532 */ 5533 if (!ext_adv && !has_pending_adv_report(hdev)) { 5534 /* If the report will trigger a SCAN_REQ store it for 5535 * later merging. 5536 */ 5537 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5538 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5539 rssi, flags, data, len); 5540 return; 5541 } 5542 5543 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5544 rssi, flags, data, len, NULL, 0); 5545 return; 5546 } 5547 5548 /* Check if the pending report is for the same device as the new one */ 5549 match = (!bacmp(bdaddr, &d->last_adv_addr) && 5550 bdaddr_type == d->last_adv_addr_type); 5551 5552 /* If the pending data doesn't match this report or this isn't a 5553 * scan response (e.g. we got a duplicate ADV_IND) then force 5554 * sending of the pending data. 5555 */ 5556 if (type != LE_ADV_SCAN_RSP || !match) { 5557 /* Send out whatever is in the cache, but skip duplicates */ 5558 if (!match) 5559 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5560 d->last_adv_addr_type, NULL, 5561 d->last_adv_rssi, d->last_adv_flags, 5562 d->last_adv_data, 5563 d->last_adv_data_len, NULL, 0); 5564 5565 /* If the new report will trigger a SCAN_REQ store it for 5566 * later merging. 5567 */ 5568 if (!ext_adv && (type == LE_ADV_IND || 5569 type == LE_ADV_SCAN_IND)) { 5570 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5571 rssi, flags, data, len); 5572 return; 5573 } 5574 5575 /* The advertising reports cannot be merged, so clear 5576 * the pending report and send out a device found event. 5577 */ 5578 clear_pending_adv_report(hdev); 5579 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5580 rssi, flags, data, len, NULL, 0); 5581 return; 5582 } 5583 5584 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 5585 * the new event is a SCAN_RSP. We can therefore proceed with 5586 * sending a merged device found event. 5587 */ 5588 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5589 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 5590 d->last_adv_data, d->last_adv_data_len, data, len); 5591 clear_pending_adv_report(hdev); 5592 } 5593 5594 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5595 { 5596 u8 num_reports = skb->data[0]; 5597 void *ptr = &skb->data[1]; 5598 5599 hci_dev_lock(hdev); 5600 5601 while (num_reports--) { 5602 struct hci_ev_le_advertising_info *ev = ptr; 5603 s8 rssi; 5604 5605 if (ev->length <= HCI_MAX_AD_LENGTH) { 5606 rssi = ev->data[ev->length]; 5607 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5608 ev->bdaddr_type, NULL, 0, rssi, 5609 ev->data, ev->length, false); 5610 } else { 5611 bt_dev_err(hdev, "Dropping invalid advertising data"); 5612 } 5613 5614 ptr += sizeof(*ev) + ev->length + 1; 5615 } 5616 5617 hci_dev_unlock(hdev); 5618 } 5619 5620 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 5621 { 5622 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 5623 switch (evt_type) { 5624 case LE_LEGACY_ADV_IND: 5625 return LE_ADV_IND; 5626 case LE_LEGACY_ADV_DIRECT_IND: 5627 return LE_ADV_DIRECT_IND; 5628 case LE_LEGACY_ADV_SCAN_IND: 5629 return LE_ADV_SCAN_IND; 5630 case LE_LEGACY_NONCONN_IND: 5631 return LE_ADV_NONCONN_IND; 5632 case LE_LEGACY_SCAN_RSP_ADV: 5633 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 5634 return LE_ADV_SCAN_RSP; 5635 } 5636 5637 goto invalid; 5638 } 5639 5640 if (evt_type & LE_EXT_ADV_CONN_IND) { 5641 if (evt_type & LE_EXT_ADV_DIRECT_IND) 5642 return LE_ADV_DIRECT_IND; 5643 5644 return LE_ADV_IND; 5645 } 5646 5647 if (evt_type & LE_EXT_ADV_SCAN_RSP) 5648 return LE_ADV_SCAN_RSP; 5649 5650 if (evt_type & LE_EXT_ADV_SCAN_IND) 5651 return LE_ADV_SCAN_IND; 5652 5653 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 5654 evt_type & LE_EXT_ADV_DIRECT_IND) 5655 return LE_ADV_NONCONN_IND; 5656 5657 invalid: 5658 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 5659 evt_type); 5660 5661 return LE_ADV_INVALID; 5662 } 5663 5664 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5665 { 5666 u8 num_reports = skb->data[0]; 5667 void *ptr = &skb->data[1]; 5668 5669 hci_dev_lock(hdev); 5670 5671 while (num_reports--) { 5672 struct hci_ev_le_ext_adv_report *ev = ptr; 5673 u8 legacy_evt_type; 5674 u16 evt_type; 5675 5676 evt_type = __le16_to_cpu(ev->evt_type); 5677 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 5678 if (legacy_evt_type != LE_ADV_INVALID) { 5679 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, 5680 ev->bdaddr_type, NULL, 0, ev->rssi, 5681 ev->data, ev->length, 5682 !(evt_type & LE_EXT_ADV_LEGACY_PDU)); 5683 } 5684 5685 ptr += sizeof(*ev) + ev->length; 5686 } 5687 5688 hci_dev_unlock(hdev); 5689 } 5690 5691 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 5692 struct sk_buff *skb) 5693 { 5694 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 5695 struct hci_conn *conn; 5696 5697 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5698 5699 hci_dev_lock(hdev); 5700 5701 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5702 if (conn) { 5703 if (!ev->status) 5704 memcpy(conn->features[0], ev->features, 8); 5705 5706 if (conn->state == BT_CONFIG) { 5707 __u8 status; 5708 5709 /* If the local controller supports slave-initiated 5710 * features exchange, but the remote controller does 5711 * not, then it is possible that the error code 0x1a 5712 * for unsupported remote feature gets returned. 5713 * 5714 * In this specific case, allow the connection to 5715 * transition into connected state and mark it as 5716 * successful. 5717 */ 5718 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 5719 !conn->out && ev->status == 0x1a) 5720 status = 0x00; 5721 else 5722 status = ev->status; 5723 5724 conn->state = BT_CONNECTED; 5725 hci_connect_cfm(conn, status); 5726 hci_conn_drop(conn); 5727 } 5728 } 5729 5730 hci_dev_unlock(hdev); 5731 } 5732 5733 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 5734 { 5735 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 5736 struct hci_cp_le_ltk_reply cp; 5737 struct hci_cp_le_ltk_neg_reply neg; 5738 struct hci_conn *conn; 5739 struct smp_ltk *ltk; 5740 5741 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 5742 5743 hci_dev_lock(hdev); 5744 5745 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5746 if (conn == NULL) 5747 goto not_found; 5748 5749 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 5750 if (!ltk) 5751 goto not_found; 5752 5753 if (smp_ltk_is_sc(ltk)) { 5754 /* With SC both EDiv and Rand are set to zero */ 5755 if (ev->ediv || ev->rand) 5756 goto not_found; 5757 } else { 5758 /* For non-SC keys check that EDiv and Rand match */ 5759 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 5760 goto not_found; 5761 } 5762 5763 memcpy(cp.ltk, ltk->val, ltk->enc_size); 5764 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 5765 cp.handle = cpu_to_le16(conn->handle); 5766 5767 conn->pending_sec_level = smp_ltk_sec_level(ltk); 5768 5769 conn->enc_key_size = ltk->enc_size; 5770 5771 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 5772 5773 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 5774 * temporary key used to encrypt a connection following 5775 * pairing. It is used during the Encrypted Session Setup to 5776 * distribute the keys. Later, security can be re-established 5777 * using a distributed LTK. 5778 */ 5779 if (ltk->type == SMP_STK) { 5780 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5781 list_del_rcu(<k->list); 5782 kfree_rcu(ltk, rcu); 5783 } else { 5784 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5785 } 5786 5787 hci_dev_unlock(hdev); 5788 5789 return; 5790 5791 not_found: 5792 neg.handle = ev->handle; 5793 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5794 hci_dev_unlock(hdev); 5795 } 5796 5797 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5798 u8 reason) 5799 { 5800 struct hci_cp_le_conn_param_req_neg_reply cp; 5801 5802 cp.handle = cpu_to_le16(handle); 5803 cp.reason = reason; 5804 5805 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5806 &cp); 5807 } 5808 5809 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5810 struct sk_buff *skb) 5811 { 5812 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5813 struct hci_cp_le_conn_param_req_reply cp; 5814 struct hci_conn *hcon; 5815 u16 handle, min, max, latency, timeout; 5816 5817 handle = le16_to_cpu(ev->handle); 5818 min = le16_to_cpu(ev->interval_min); 5819 max = le16_to_cpu(ev->interval_max); 5820 latency = le16_to_cpu(ev->latency); 5821 timeout = le16_to_cpu(ev->timeout); 5822 5823 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5824 if (!hcon || hcon->state != BT_CONNECTED) 5825 return send_conn_param_neg_reply(hdev, handle, 5826 HCI_ERROR_UNKNOWN_CONN_ID); 5827 5828 if (hci_check_conn_params(min, max, latency, timeout)) 5829 return send_conn_param_neg_reply(hdev, handle, 5830 HCI_ERROR_INVALID_LL_PARAMS); 5831 5832 if (hcon->role == HCI_ROLE_MASTER) { 5833 struct hci_conn_params *params; 5834 u8 store_hint; 5835 5836 hci_dev_lock(hdev); 5837 5838 params = hci_conn_params_lookup(hdev, &hcon->dst, 5839 hcon->dst_type); 5840 if (params) { 5841 params->conn_min_interval = min; 5842 params->conn_max_interval = max; 5843 params->conn_latency = latency; 5844 params->supervision_timeout = timeout; 5845 store_hint = 0x01; 5846 } else{ 5847 store_hint = 0x00; 5848 } 5849 5850 hci_dev_unlock(hdev); 5851 5852 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5853 store_hint, min, max, latency, timeout); 5854 } 5855 5856 cp.handle = ev->handle; 5857 cp.interval_min = ev->interval_min; 5858 cp.interval_max = ev->interval_max; 5859 cp.latency = ev->latency; 5860 cp.timeout = ev->timeout; 5861 cp.min_ce_len = 0; 5862 cp.max_ce_len = 0; 5863 5864 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5865 } 5866 5867 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5868 struct sk_buff *skb) 5869 { 5870 u8 num_reports = skb->data[0]; 5871 void *ptr = &skb->data[1]; 5872 5873 hci_dev_lock(hdev); 5874 5875 while (num_reports--) { 5876 struct hci_ev_le_direct_adv_info *ev = ptr; 5877 5878 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5879 ev->bdaddr_type, &ev->direct_addr, 5880 ev->direct_addr_type, ev->rssi, NULL, 0, 5881 false); 5882 5883 ptr += sizeof(*ev); 5884 } 5885 5886 hci_dev_unlock(hdev); 5887 } 5888 5889 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb) 5890 { 5891 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data; 5892 struct hci_conn *conn; 5893 5894 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5895 5896 if (!ev->status) 5897 return; 5898 5899 hci_dev_lock(hdev); 5900 5901 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5902 if (!conn) 5903 goto unlock; 5904 5905 conn->le_tx_phy = ev->tx_phy; 5906 conn->le_rx_phy = ev->rx_phy; 5907 5908 unlock: 5909 hci_dev_unlock(hdev); 5910 } 5911 5912 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5913 { 5914 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5915 5916 skb_pull(skb, sizeof(*le_ev)); 5917 5918 switch (le_ev->subevent) { 5919 case HCI_EV_LE_CONN_COMPLETE: 5920 hci_le_conn_complete_evt(hdev, skb); 5921 break; 5922 5923 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5924 hci_le_conn_update_complete_evt(hdev, skb); 5925 break; 5926 5927 case HCI_EV_LE_ADVERTISING_REPORT: 5928 hci_le_adv_report_evt(hdev, skb); 5929 break; 5930 5931 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5932 hci_le_remote_feat_complete_evt(hdev, skb); 5933 break; 5934 5935 case HCI_EV_LE_LTK_REQ: 5936 hci_le_ltk_request_evt(hdev, skb); 5937 break; 5938 5939 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5940 hci_le_remote_conn_param_req_evt(hdev, skb); 5941 break; 5942 5943 case HCI_EV_LE_DIRECT_ADV_REPORT: 5944 hci_le_direct_adv_report_evt(hdev, skb); 5945 break; 5946 5947 case HCI_EV_LE_PHY_UPDATE_COMPLETE: 5948 hci_le_phy_update_evt(hdev, skb); 5949 break; 5950 5951 case HCI_EV_LE_EXT_ADV_REPORT: 5952 hci_le_ext_adv_report_evt(hdev, skb); 5953 break; 5954 5955 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 5956 hci_le_enh_conn_complete_evt(hdev, skb); 5957 break; 5958 5959 case HCI_EV_LE_EXT_ADV_SET_TERM: 5960 hci_le_ext_adv_term_evt(hdev, skb); 5961 break; 5962 5963 default: 5964 break; 5965 } 5966 } 5967 5968 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5969 u8 event, struct sk_buff *skb) 5970 { 5971 struct hci_ev_cmd_complete *ev; 5972 struct hci_event_hdr *hdr; 5973 5974 if (!skb) 5975 return false; 5976 5977 if (skb->len < sizeof(*hdr)) { 5978 bt_dev_err(hdev, "too short HCI event"); 5979 return false; 5980 } 5981 5982 hdr = (void *) skb->data; 5983 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5984 5985 if (event) { 5986 if (hdr->evt != event) 5987 return false; 5988 return true; 5989 } 5990 5991 /* Check if request ended in Command Status - no way to retreive 5992 * any extra parameters in this case. 5993 */ 5994 if (hdr->evt == HCI_EV_CMD_STATUS) 5995 return false; 5996 5997 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5998 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 5999 hdr->evt); 6000 return false; 6001 } 6002 6003 if (skb->len < sizeof(*ev)) { 6004 bt_dev_err(hdev, "too short cmd_complete event"); 6005 return false; 6006 } 6007 6008 ev = (void *) skb->data; 6009 skb_pull(skb, sizeof(*ev)); 6010 6011 if (opcode != __le16_to_cpu(ev->opcode)) { 6012 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 6013 __le16_to_cpu(ev->opcode)); 6014 return false; 6015 } 6016 6017 return true; 6018 } 6019 6020 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 6021 struct sk_buff *skb) 6022 { 6023 struct hci_ev_le_advertising_info *adv; 6024 struct hci_ev_le_direct_adv_info *direct_adv; 6025 struct hci_ev_le_ext_adv_report *ext_adv; 6026 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; 6027 const struct hci_ev_conn_request *conn_request = (void *)skb->data; 6028 6029 hci_dev_lock(hdev); 6030 6031 /* If we are currently suspended and this is the first BT event seen, 6032 * save the wake reason associated with the event. 6033 */ 6034 if (!hdev->suspended || hdev->wake_reason) 6035 goto unlock; 6036 6037 /* Default to remote wake. Values for wake_reason are documented in the 6038 * Bluez mgmt api docs. 6039 */ 6040 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 6041 6042 /* Once configured for remote wakeup, we should only wake up for 6043 * reconnections. It's useful to see which device is waking us up so 6044 * keep track of the bdaddr of the connection event that woke us up. 6045 */ 6046 if (event == HCI_EV_CONN_REQUEST) { 6047 bacpy(&hdev->wake_addr, &conn_complete->bdaddr); 6048 hdev->wake_addr_type = BDADDR_BREDR; 6049 } else if (event == HCI_EV_CONN_COMPLETE) { 6050 bacpy(&hdev->wake_addr, &conn_request->bdaddr); 6051 hdev->wake_addr_type = BDADDR_BREDR; 6052 } else if (event == HCI_EV_LE_META) { 6053 struct hci_ev_le_meta *le_ev = (void *)skb->data; 6054 u8 subevent = le_ev->subevent; 6055 u8 *ptr = &skb->data[sizeof(*le_ev)]; 6056 u8 num_reports = *ptr; 6057 6058 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT || 6059 subevent == HCI_EV_LE_DIRECT_ADV_REPORT || 6060 subevent == HCI_EV_LE_EXT_ADV_REPORT) && 6061 num_reports) { 6062 adv = (void *)(ptr + 1); 6063 direct_adv = (void *)(ptr + 1); 6064 ext_adv = (void *)(ptr + 1); 6065 6066 switch (subevent) { 6067 case HCI_EV_LE_ADVERTISING_REPORT: 6068 bacpy(&hdev->wake_addr, &adv->bdaddr); 6069 hdev->wake_addr_type = adv->bdaddr_type; 6070 break; 6071 case HCI_EV_LE_DIRECT_ADV_REPORT: 6072 bacpy(&hdev->wake_addr, &direct_adv->bdaddr); 6073 hdev->wake_addr_type = direct_adv->bdaddr_type; 6074 break; 6075 case HCI_EV_LE_EXT_ADV_REPORT: 6076 bacpy(&hdev->wake_addr, &ext_adv->bdaddr); 6077 hdev->wake_addr_type = ext_adv->bdaddr_type; 6078 break; 6079 } 6080 } 6081 } else { 6082 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 6083 } 6084 6085 unlock: 6086 hci_dev_unlock(hdev); 6087 } 6088 6089 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 6090 { 6091 struct hci_event_hdr *hdr = (void *) skb->data; 6092 hci_req_complete_t req_complete = NULL; 6093 hci_req_complete_skb_t req_complete_skb = NULL; 6094 struct sk_buff *orig_skb = NULL; 6095 u8 status = 0, event = hdr->evt, req_evt = 0; 6096 u16 opcode = HCI_OP_NOP; 6097 6098 if (!event) { 6099 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); 6100 goto done; 6101 } 6102 6103 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 6104 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 6105 opcode = __le16_to_cpu(cmd_hdr->opcode); 6106 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 6107 &req_complete_skb); 6108 req_evt = event; 6109 } 6110 6111 /* If it looks like we might end up having to call 6112 * req_complete_skb, store a pristine copy of the skb since the 6113 * various handlers may modify the original one through 6114 * skb_pull() calls, etc. 6115 */ 6116 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 6117 event == HCI_EV_CMD_COMPLETE) 6118 orig_skb = skb_clone(skb, GFP_KERNEL); 6119 6120 skb_pull(skb, HCI_EVENT_HDR_SIZE); 6121 6122 /* Store wake reason if we're suspended */ 6123 hci_store_wake_reason(hdev, event, skb); 6124 6125 switch (event) { 6126 case HCI_EV_INQUIRY_COMPLETE: 6127 hci_inquiry_complete_evt(hdev, skb); 6128 break; 6129 6130 case HCI_EV_INQUIRY_RESULT: 6131 hci_inquiry_result_evt(hdev, skb); 6132 break; 6133 6134 case HCI_EV_CONN_COMPLETE: 6135 hci_conn_complete_evt(hdev, skb); 6136 break; 6137 6138 case HCI_EV_CONN_REQUEST: 6139 hci_conn_request_evt(hdev, skb); 6140 break; 6141 6142 case HCI_EV_DISCONN_COMPLETE: 6143 hci_disconn_complete_evt(hdev, skb); 6144 break; 6145 6146 case HCI_EV_AUTH_COMPLETE: 6147 hci_auth_complete_evt(hdev, skb); 6148 break; 6149 6150 case HCI_EV_REMOTE_NAME: 6151 hci_remote_name_evt(hdev, skb); 6152 break; 6153 6154 case HCI_EV_ENCRYPT_CHANGE: 6155 hci_encrypt_change_evt(hdev, skb); 6156 break; 6157 6158 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 6159 hci_change_link_key_complete_evt(hdev, skb); 6160 break; 6161 6162 case HCI_EV_REMOTE_FEATURES: 6163 hci_remote_features_evt(hdev, skb); 6164 break; 6165 6166 case HCI_EV_CMD_COMPLETE: 6167 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 6168 &req_complete, &req_complete_skb); 6169 break; 6170 6171 case HCI_EV_CMD_STATUS: 6172 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 6173 &req_complete_skb); 6174 break; 6175 6176 case HCI_EV_HARDWARE_ERROR: 6177 hci_hardware_error_evt(hdev, skb); 6178 break; 6179 6180 case HCI_EV_ROLE_CHANGE: 6181 hci_role_change_evt(hdev, skb); 6182 break; 6183 6184 case HCI_EV_NUM_COMP_PKTS: 6185 hci_num_comp_pkts_evt(hdev, skb); 6186 break; 6187 6188 case HCI_EV_MODE_CHANGE: 6189 hci_mode_change_evt(hdev, skb); 6190 break; 6191 6192 case HCI_EV_PIN_CODE_REQ: 6193 hci_pin_code_request_evt(hdev, skb); 6194 break; 6195 6196 case HCI_EV_LINK_KEY_REQ: 6197 hci_link_key_request_evt(hdev, skb); 6198 break; 6199 6200 case HCI_EV_LINK_KEY_NOTIFY: 6201 hci_link_key_notify_evt(hdev, skb); 6202 break; 6203 6204 case HCI_EV_CLOCK_OFFSET: 6205 hci_clock_offset_evt(hdev, skb); 6206 break; 6207 6208 case HCI_EV_PKT_TYPE_CHANGE: 6209 hci_pkt_type_change_evt(hdev, skb); 6210 break; 6211 6212 case HCI_EV_PSCAN_REP_MODE: 6213 hci_pscan_rep_mode_evt(hdev, skb); 6214 break; 6215 6216 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 6217 hci_inquiry_result_with_rssi_evt(hdev, skb); 6218 break; 6219 6220 case HCI_EV_REMOTE_EXT_FEATURES: 6221 hci_remote_ext_features_evt(hdev, skb); 6222 break; 6223 6224 case HCI_EV_SYNC_CONN_COMPLETE: 6225 hci_sync_conn_complete_evt(hdev, skb); 6226 break; 6227 6228 case HCI_EV_EXTENDED_INQUIRY_RESULT: 6229 hci_extended_inquiry_result_evt(hdev, skb); 6230 break; 6231 6232 case HCI_EV_KEY_REFRESH_COMPLETE: 6233 hci_key_refresh_complete_evt(hdev, skb); 6234 break; 6235 6236 case HCI_EV_IO_CAPA_REQUEST: 6237 hci_io_capa_request_evt(hdev, skb); 6238 break; 6239 6240 case HCI_EV_IO_CAPA_REPLY: 6241 hci_io_capa_reply_evt(hdev, skb); 6242 break; 6243 6244 case HCI_EV_USER_CONFIRM_REQUEST: 6245 hci_user_confirm_request_evt(hdev, skb); 6246 break; 6247 6248 case HCI_EV_USER_PASSKEY_REQUEST: 6249 hci_user_passkey_request_evt(hdev, skb); 6250 break; 6251 6252 case HCI_EV_USER_PASSKEY_NOTIFY: 6253 hci_user_passkey_notify_evt(hdev, skb); 6254 break; 6255 6256 case HCI_EV_KEYPRESS_NOTIFY: 6257 hci_keypress_notify_evt(hdev, skb); 6258 break; 6259 6260 case HCI_EV_SIMPLE_PAIR_COMPLETE: 6261 hci_simple_pair_complete_evt(hdev, skb); 6262 break; 6263 6264 case HCI_EV_REMOTE_HOST_FEATURES: 6265 hci_remote_host_features_evt(hdev, skb); 6266 break; 6267 6268 case HCI_EV_LE_META: 6269 hci_le_meta_evt(hdev, skb); 6270 break; 6271 6272 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 6273 hci_remote_oob_data_request_evt(hdev, skb); 6274 break; 6275 6276 #if IS_ENABLED(CONFIG_BT_HS) 6277 case HCI_EV_CHANNEL_SELECTED: 6278 hci_chan_selected_evt(hdev, skb); 6279 break; 6280 6281 case HCI_EV_PHY_LINK_COMPLETE: 6282 hci_phy_link_complete_evt(hdev, skb); 6283 break; 6284 6285 case HCI_EV_LOGICAL_LINK_COMPLETE: 6286 hci_loglink_complete_evt(hdev, skb); 6287 break; 6288 6289 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 6290 hci_disconn_loglink_complete_evt(hdev, skb); 6291 break; 6292 6293 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 6294 hci_disconn_phylink_complete_evt(hdev, skb); 6295 break; 6296 #endif 6297 6298 case HCI_EV_NUM_COMP_BLOCKS: 6299 hci_num_comp_blocks_evt(hdev, skb); 6300 break; 6301 6302 case HCI_EV_VENDOR: 6303 msft_vendor_evt(hdev, skb); 6304 break; 6305 6306 default: 6307 BT_DBG("%s event 0x%2.2x", hdev->name, event); 6308 break; 6309 } 6310 6311 if (req_complete) { 6312 req_complete(hdev, status, opcode); 6313 } else if (req_complete_skb) { 6314 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 6315 kfree_skb(orig_skb); 6316 orig_skb = NULL; 6317 } 6318 req_complete_skb(hdev, status, opcode, orig_skb); 6319 } 6320 6321 done: 6322 kfree_skb(orig_skb); 6323 kfree_skb(skb); 6324 hdev->stat.evt_rx++; 6325 } 6326