1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "a2mp.h" 34 #include "amp.h" 35 #include "smp.h" 36 37 /* Handle HCI Event packets */ 38 39 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 40 { 41 __u8 status = *((__u8 *) skb->data); 42 43 BT_DBG("%s status 0x%2.2x", hdev->name, status); 44 45 if (status) 46 return; 47 48 clear_bit(HCI_INQUIRY, &hdev->flags); 49 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 50 wake_up_bit(&hdev->flags, HCI_INQUIRY); 51 52 hci_dev_lock(hdev); 53 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 54 hci_dev_unlock(hdev); 55 56 hci_conn_check_pending(hdev); 57 } 58 59 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 60 { 61 __u8 status = *((__u8 *) skb->data); 62 63 BT_DBG("%s status 0x%2.2x", hdev->name, status); 64 65 if (status) 66 return; 67 68 set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags); 69 } 70 71 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 72 { 73 __u8 status = *((__u8 *) skb->data); 74 75 BT_DBG("%s status 0x%2.2x", hdev->name, status); 76 77 if (status) 78 return; 79 80 clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags); 81 82 hci_conn_check_pending(hdev); 83 } 84 85 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 86 struct sk_buff *skb) 87 { 88 BT_DBG("%s", hdev->name); 89 } 90 91 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 92 { 93 struct hci_rp_role_discovery *rp = (void *) skb->data; 94 struct hci_conn *conn; 95 96 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 97 98 if (rp->status) 99 return; 100 101 hci_dev_lock(hdev); 102 103 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 104 if (conn) 105 conn->role = rp->role; 106 107 hci_dev_unlock(hdev); 108 } 109 110 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 111 { 112 struct hci_rp_read_link_policy *rp = (void *) skb->data; 113 struct hci_conn *conn; 114 115 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 116 117 if (rp->status) 118 return; 119 120 hci_dev_lock(hdev); 121 122 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 123 if (conn) 124 conn->link_policy = __le16_to_cpu(rp->policy); 125 126 hci_dev_unlock(hdev); 127 } 128 129 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 130 { 131 struct hci_rp_write_link_policy *rp = (void *) skb->data; 132 struct hci_conn *conn; 133 void *sent; 134 135 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 136 137 if (rp->status) 138 return; 139 140 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 141 if (!sent) 142 return; 143 144 hci_dev_lock(hdev); 145 146 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 147 if (conn) 148 conn->link_policy = get_unaligned_le16(sent + 2); 149 150 hci_dev_unlock(hdev); 151 } 152 153 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 154 struct sk_buff *skb) 155 { 156 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 157 158 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 159 160 if (rp->status) 161 return; 162 163 hdev->link_policy = __le16_to_cpu(rp->policy); 164 } 165 166 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 167 struct sk_buff *skb) 168 { 169 __u8 status = *((__u8 *) skb->data); 170 void *sent; 171 172 BT_DBG("%s status 0x%2.2x", hdev->name, status); 173 174 if (status) 175 return; 176 177 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 178 if (!sent) 179 return; 180 181 hdev->link_policy = get_unaligned_le16(sent); 182 } 183 184 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 185 { 186 __u8 status = *((__u8 *) skb->data); 187 188 BT_DBG("%s status 0x%2.2x", hdev->name, status); 189 190 clear_bit(HCI_RESET, &hdev->flags); 191 192 if (status) 193 return; 194 195 /* Reset all non-persistent flags */ 196 hdev->dev_flags &= ~HCI_PERSISTENT_MASK; 197 198 hdev->discovery.state = DISCOVERY_STOPPED; 199 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 200 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 201 202 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 203 hdev->adv_data_len = 0; 204 205 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 206 hdev->scan_rsp_data_len = 0; 207 208 hdev->le_scan_type = LE_SCAN_PASSIVE; 209 210 hdev->ssp_debug_mode = 0; 211 212 hci_bdaddr_list_clear(&hdev->le_white_list); 213 } 214 215 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 216 { 217 __u8 status = *((__u8 *) skb->data); 218 void *sent; 219 220 BT_DBG("%s status 0x%2.2x", hdev->name, status); 221 222 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 223 if (!sent) 224 return; 225 226 hci_dev_lock(hdev); 227 228 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 229 mgmt_set_local_name_complete(hdev, sent, status); 230 else if (!status) 231 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 232 233 hci_dev_unlock(hdev); 234 } 235 236 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 237 { 238 struct hci_rp_read_local_name *rp = (void *) skb->data; 239 240 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 241 242 if (rp->status) 243 return; 244 245 if (test_bit(HCI_SETUP, &hdev->dev_flags)) 246 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 247 } 248 249 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 250 { 251 __u8 status = *((__u8 *) skb->data); 252 void *sent; 253 254 BT_DBG("%s status 0x%2.2x", hdev->name, status); 255 256 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 257 if (!sent) 258 return; 259 260 hci_dev_lock(hdev); 261 262 if (!status) { 263 __u8 param = *((__u8 *) sent); 264 265 if (param == AUTH_ENABLED) 266 set_bit(HCI_AUTH, &hdev->flags); 267 else 268 clear_bit(HCI_AUTH, &hdev->flags); 269 } 270 271 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 272 mgmt_auth_enable_complete(hdev, status); 273 274 hci_dev_unlock(hdev); 275 } 276 277 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 278 { 279 __u8 status = *((__u8 *) skb->data); 280 __u8 param; 281 void *sent; 282 283 BT_DBG("%s status 0x%2.2x", hdev->name, status); 284 285 if (status) 286 return; 287 288 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 289 if (!sent) 290 return; 291 292 param = *((__u8 *) sent); 293 294 if (param) 295 set_bit(HCI_ENCRYPT, &hdev->flags); 296 else 297 clear_bit(HCI_ENCRYPT, &hdev->flags); 298 } 299 300 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 301 { 302 __u8 status = *((__u8 *) skb->data); 303 __u8 param; 304 void *sent; 305 306 BT_DBG("%s status 0x%2.2x", hdev->name, status); 307 308 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 309 if (!sent) 310 return; 311 312 param = *((__u8 *) sent); 313 314 hci_dev_lock(hdev); 315 316 if (status) { 317 hdev->discov_timeout = 0; 318 goto done; 319 } 320 321 if (param & SCAN_INQUIRY) 322 set_bit(HCI_ISCAN, &hdev->flags); 323 else 324 clear_bit(HCI_ISCAN, &hdev->flags); 325 326 if (param & SCAN_PAGE) 327 set_bit(HCI_PSCAN, &hdev->flags); 328 else 329 clear_bit(HCI_PSCAN, &hdev->flags); 330 331 done: 332 hci_dev_unlock(hdev); 333 } 334 335 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 336 { 337 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 338 339 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 340 341 if (rp->status) 342 return; 343 344 memcpy(hdev->dev_class, rp->dev_class, 3); 345 346 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 347 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 348 } 349 350 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 351 { 352 __u8 status = *((__u8 *) skb->data); 353 void *sent; 354 355 BT_DBG("%s status 0x%2.2x", hdev->name, status); 356 357 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 358 if (!sent) 359 return; 360 361 hci_dev_lock(hdev); 362 363 if (status == 0) 364 memcpy(hdev->dev_class, sent, 3); 365 366 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 367 mgmt_set_class_of_dev_complete(hdev, sent, status); 368 369 hci_dev_unlock(hdev); 370 } 371 372 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 373 { 374 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 375 __u16 setting; 376 377 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 378 379 if (rp->status) 380 return; 381 382 setting = __le16_to_cpu(rp->voice_setting); 383 384 if (hdev->voice_setting == setting) 385 return; 386 387 hdev->voice_setting = setting; 388 389 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 390 391 if (hdev->notify) 392 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 393 } 394 395 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 396 struct sk_buff *skb) 397 { 398 __u8 status = *((__u8 *) skb->data); 399 __u16 setting; 400 void *sent; 401 402 BT_DBG("%s status 0x%2.2x", hdev->name, status); 403 404 if (status) 405 return; 406 407 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 408 if (!sent) 409 return; 410 411 setting = get_unaligned_le16(sent); 412 413 if (hdev->voice_setting == setting) 414 return; 415 416 hdev->voice_setting = setting; 417 418 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 419 420 if (hdev->notify) 421 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 422 } 423 424 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 425 struct sk_buff *skb) 426 { 427 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 428 429 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 430 431 if (rp->status) 432 return; 433 434 hdev->num_iac = rp->num_iac; 435 436 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 437 } 438 439 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 440 { 441 __u8 status = *((__u8 *) skb->data); 442 struct hci_cp_write_ssp_mode *sent; 443 444 BT_DBG("%s status 0x%2.2x", hdev->name, status); 445 446 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 447 if (!sent) 448 return; 449 450 hci_dev_lock(hdev); 451 452 if (!status) { 453 if (sent->mode) 454 hdev->features[1][0] |= LMP_HOST_SSP; 455 else 456 hdev->features[1][0] &= ~LMP_HOST_SSP; 457 } 458 459 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 460 mgmt_ssp_enable_complete(hdev, sent->mode, status); 461 else if (!status) { 462 if (sent->mode) 463 set_bit(HCI_SSP_ENABLED, &hdev->dev_flags); 464 else 465 clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags); 466 } 467 468 hci_dev_unlock(hdev); 469 } 470 471 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 472 { 473 u8 status = *((u8 *) skb->data); 474 struct hci_cp_write_sc_support *sent; 475 476 BT_DBG("%s status 0x%2.2x", hdev->name, status); 477 478 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 479 if (!sent) 480 return; 481 482 hci_dev_lock(hdev); 483 484 if (!status) { 485 if (sent->support) 486 hdev->features[1][0] |= LMP_HOST_SC; 487 else 488 hdev->features[1][0] &= ~LMP_HOST_SC; 489 } 490 491 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 492 mgmt_sc_enable_complete(hdev, sent->support, status); 493 else if (!status) { 494 if (sent->support) 495 set_bit(HCI_SC_ENABLED, &hdev->dev_flags); 496 else 497 clear_bit(HCI_SC_ENABLED, &hdev->dev_flags); 498 } 499 500 hci_dev_unlock(hdev); 501 } 502 503 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 504 { 505 struct hci_rp_read_local_version *rp = (void *) skb->data; 506 507 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 508 509 if (rp->status) 510 return; 511 512 if (test_bit(HCI_SETUP, &hdev->dev_flags)) { 513 hdev->hci_ver = rp->hci_ver; 514 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 515 hdev->lmp_ver = rp->lmp_ver; 516 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 517 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 518 } 519 } 520 521 static void hci_cc_read_local_commands(struct hci_dev *hdev, 522 struct sk_buff *skb) 523 { 524 struct hci_rp_read_local_commands *rp = (void *) skb->data; 525 526 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 527 528 if (rp->status) 529 return; 530 531 if (test_bit(HCI_SETUP, &hdev->dev_flags)) 532 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 533 } 534 535 static void hci_cc_read_local_features(struct hci_dev *hdev, 536 struct sk_buff *skb) 537 { 538 struct hci_rp_read_local_features *rp = (void *) skb->data; 539 540 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 541 542 if (rp->status) 543 return; 544 545 memcpy(hdev->features, rp->features, 8); 546 547 /* Adjust default settings according to features 548 * supported by device. */ 549 550 if (hdev->features[0][0] & LMP_3SLOT) 551 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 552 553 if (hdev->features[0][0] & LMP_5SLOT) 554 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 555 556 if (hdev->features[0][1] & LMP_HV2) { 557 hdev->pkt_type |= (HCI_HV2); 558 hdev->esco_type |= (ESCO_HV2); 559 } 560 561 if (hdev->features[0][1] & LMP_HV3) { 562 hdev->pkt_type |= (HCI_HV3); 563 hdev->esco_type |= (ESCO_HV3); 564 } 565 566 if (lmp_esco_capable(hdev)) 567 hdev->esco_type |= (ESCO_EV3); 568 569 if (hdev->features[0][4] & LMP_EV4) 570 hdev->esco_type |= (ESCO_EV4); 571 572 if (hdev->features[0][4] & LMP_EV5) 573 hdev->esco_type |= (ESCO_EV5); 574 575 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 576 hdev->esco_type |= (ESCO_2EV3); 577 578 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 579 hdev->esco_type |= (ESCO_3EV3); 580 581 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 582 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 583 } 584 585 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 586 struct sk_buff *skb) 587 { 588 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 589 590 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 591 592 if (rp->status) 593 return; 594 595 if (hdev->max_page < rp->max_page) 596 hdev->max_page = rp->max_page; 597 598 if (rp->page < HCI_MAX_PAGES) 599 memcpy(hdev->features[rp->page], rp->features, 8); 600 } 601 602 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 603 struct sk_buff *skb) 604 { 605 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 606 607 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 608 609 if (rp->status) 610 return; 611 612 hdev->flow_ctl_mode = rp->mode; 613 } 614 615 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 616 { 617 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 618 619 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 620 621 if (rp->status) 622 return; 623 624 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 625 hdev->sco_mtu = rp->sco_mtu; 626 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 627 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 628 629 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 630 hdev->sco_mtu = 64; 631 hdev->sco_pkts = 8; 632 } 633 634 hdev->acl_cnt = hdev->acl_pkts; 635 hdev->sco_cnt = hdev->sco_pkts; 636 637 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 638 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 639 } 640 641 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 642 { 643 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 644 645 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 646 647 if (rp->status) 648 return; 649 650 if (test_bit(HCI_INIT, &hdev->flags)) 651 bacpy(&hdev->bdaddr, &rp->bdaddr); 652 653 if (test_bit(HCI_SETUP, &hdev->dev_flags)) 654 bacpy(&hdev->setup_addr, &rp->bdaddr); 655 } 656 657 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 658 struct sk_buff *skb) 659 { 660 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 661 662 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 663 664 if (rp->status) 665 return; 666 667 if (test_bit(HCI_INIT, &hdev->flags)) { 668 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 669 hdev->page_scan_window = __le16_to_cpu(rp->window); 670 } 671 } 672 673 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 674 struct sk_buff *skb) 675 { 676 u8 status = *((u8 *) skb->data); 677 struct hci_cp_write_page_scan_activity *sent; 678 679 BT_DBG("%s status 0x%2.2x", hdev->name, status); 680 681 if (status) 682 return; 683 684 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 685 if (!sent) 686 return; 687 688 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 689 hdev->page_scan_window = __le16_to_cpu(sent->window); 690 } 691 692 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 693 struct sk_buff *skb) 694 { 695 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 696 697 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 698 699 if (rp->status) 700 return; 701 702 if (test_bit(HCI_INIT, &hdev->flags)) 703 hdev->page_scan_type = rp->type; 704 } 705 706 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 707 struct sk_buff *skb) 708 { 709 u8 status = *((u8 *) skb->data); 710 u8 *type; 711 712 BT_DBG("%s status 0x%2.2x", hdev->name, status); 713 714 if (status) 715 return; 716 717 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 718 if (type) 719 hdev->page_scan_type = *type; 720 } 721 722 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 723 struct sk_buff *skb) 724 { 725 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 726 727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 728 729 if (rp->status) 730 return; 731 732 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 733 hdev->block_len = __le16_to_cpu(rp->block_len); 734 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 735 736 hdev->block_cnt = hdev->num_blocks; 737 738 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 739 hdev->block_cnt, hdev->block_len); 740 } 741 742 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 743 { 744 struct hci_rp_read_clock *rp = (void *) skb->data; 745 struct hci_cp_read_clock *cp; 746 struct hci_conn *conn; 747 748 BT_DBG("%s", hdev->name); 749 750 if (skb->len < sizeof(*rp)) 751 return; 752 753 if (rp->status) 754 return; 755 756 hci_dev_lock(hdev); 757 758 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 759 if (!cp) 760 goto unlock; 761 762 if (cp->which == 0x00) { 763 hdev->clock = le32_to_cpu(rp->clock); 764 goto unlock; 765 } 766 767 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 768 if (conn) { 769 conn->clock = le32_to_cpu(rp->clock); 770 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 771 } 772 773 unlock: 774 hci_dev_unlock(hdev); 775 } 776 777 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 778 struct sk_buff *skb) 779 { 780 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 781 782 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 783 784 if (rp->status) 785 goto a2mp_rsp; 786 787 hdev->amp_status = rp->amp_status; 788 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 789 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 790 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 791 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 792 hdev->amp_type = rp->amp_type; 793 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 794 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 795 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 796 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 797 798 a2mp_rsp: 799 a2mp_send_getinfo_rsp(hdev); 800 } 801 802 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev, 803 struct sk_buff *skb) 804 { 805 struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data; 806 struct amp_assoc *assoc = &hdev->loc_assoc; 807 size_t rem_len, frag_len; 808 809 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 810 811 if (rp->status) 812 goto a2mp_rsp; 813 814 frag_len = skb->len - sizeof(*rp); 815 rem_len = __le16_to_cpu(rp->rem_len); 816 817 if (rem_len > frag_len) { 818 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len); 819 820 memcpy(assoc->data + assoc->offset, rp->frag, frag_len); 821 assoc->offset += frag_len; 822 823 /* Read other fragments */ 824 amp_read_loc_assoc_frag(hdev, rp->phy_handle); 825 826 return; 827 } 828 829 memcpy(assoc->data + assoc->offset, rp->frag, rem_len); 830 assoc->len = assoc->offset + rem_len; 831 assoc->offset = 0; 832 833 a2mp_rsp: 834 /* Send A2MP Rsp when all fragments are received */ 835 a2mp_send_getampassoc_rsp(hdev, rp->status); 836 a2mp_send_create_phy_link_req(hdev, rp->status); 837 } 838 839 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 840 struct sk_buff *skb) 841 { 842 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 843 844 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 845 846 if (rp->status) 847 return; 848 849 hdev->inq_tx_power = rp->tx_power; 850 } 851 852 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 853 { 854 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 855 struct hci_cp_pin_code_reply *cp; 856 struct hci_conn *conn; 857 858 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 859 860 hci_dev_lock(hdev); 861 862 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 863 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 864 865 if (rp->status) 866 goto unlock; 867 868 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 869 if (!cp) 870 goto unlock; 871 872 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 873 if (conn) 874 conn->pin_length = cp->pin_len; 875 876 unlock: 877 hci_dev_unlock(hdev); 878 } 879 880 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 881 { 882 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 883 884 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 885 886 hci_dev_lock(hdev); 887 888 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 889 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 890 rp->status); 891 892 hci_dev_unlock(hdev); 893 } 894 895 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 896 struct sk_buff *skb) 897 { 898 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 899 900 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 901 902 if (rp->status) 903 return; 904 905 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 906 hdev->le_pkts = rp->le_max_pkt; 907 908 hdev->le_cnt = hdev->le_pkts; 909 910 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 911 } 912 913 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 914 struct sk_buff *skb) 915 { 916 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 917 918 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 919 920 if (rp->status) 921 return; 922 923 memcpy(hdev->le_features, rp->features, 8); 924 } 925 926 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 927 struct sk_buff *skb) 928 { 929 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 930 931 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 932 933 if (rp->status) 934 return; 935 936 hdev->adv_tx_power = rp->tx_power; 937 } 938 939 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 940 { 941 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 942 943 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 944 945 hci_dev_lock(hdev); 946 947 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 948 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 949 rp->status); 950 951 hci_dev_unlock(hdev); 952 } 953 954 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 955 struct sk_buff *skb) 956 { 957 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 958 959 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 960 961 hci_dev_lock(hdev); 962 963 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 964 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 965 ACL_LINK, 0, rp->status); 966 967 hci_dev_unlock(hdev); 968 } 969 970 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 971 { 972 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 973 974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 975 976 hci_dev_lock(hdev); 977 978 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 979 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 980 0, rp->status); 981 982 hci_dev_unlock(hdev); 983 } 984 985 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 986 struct sk_buff *skb) 987 { 988 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 989 990 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 991 992 hci_dev_lock(hdev); 993 994 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 995 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 996 ACL_LINK, 0, rp->status); 997 998 hci_dev_unlock(hdev); 999 } 1000 1001 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1002 struct sk_buff *skb) 1003 { 1004 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1005 1006 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1007 1008 hci_dev_lock(hdev); 1009 mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->rand, NULL, NULL, 1010 rp->status); 1011 hci_dev_unlock(hdev); 1012 } 1013 1014 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1015 struct sk_buff *skb) 1016 { 1017 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1018 1019 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1020 1021 hci_dev_lock(hdev); 1022 mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->rand192, 1023 rp->hash256, rp->rand256, 1024 rp->status); 1025 hci_dev_unlock(hdev); 1026 } 1027 1028 1029 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1030 { 1031 __u8 status = *((__u8 *) skb->data); 1032 bdaddr_t *sent; 1033 1034 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1035 1036 if (status) 1037 return; 1038 1039 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1040 if (!sent) 1041 return; 1042 1043 hci_dev_lock(hdev); 1044 1045 bacpy(&hdev->random_addr, sent); 1046 1047 hci_dev_unlock(hdev); 1048 } 1049 1050 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1051 { 1052 __u8 *sent, status = *((__u8 *) skb->data); 1053 1054 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1055 1056 if (status) 1057 return; 1058 1059 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1060 if (!sent) 1061 return; 1062 1063 hci_dev_lock(hdev); 1064 1065 /* If we're doing connection initiation as peripheral. Set a 1066 * timeout in case something goes wrong. 1067 */ 1068 if (*sent) { 1069 struct hci_conn *conn; 1070 1071 set_bit(HCI_LE_ADV, &hdev->dev_flags); 1072 1073 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 1074 if (conn) 1075 queue_delayed_work(hdev->workqueue, 1076 &conn->le_conn_timeout, 1077 conn->conn_timeout); 1078 } else { 1079 clear_bit(HCI_LE_ADV, &hdev->dev_flags); 1080 } 1081 1082 hci_dev_unlock(hdev); 1083 } 1084 1085 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1086 { 1087 struct hci_cp_le_set_scan_param *cp; 1088 __u8 status = *((__u8 *) skb->data); 1089 1090 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1091 1092 if (status) 1093 return; 1094 1095 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1096 if (!cp) 1097 return; 1098 1099 hci_dev_lock(hdev); 1100 1101 hdev->le_scan_type = cp->type; 1102 1103 hci_dev_unlock(hdev); 1104 } 1105 1106 static bool has_pending_adv_report(struct hci_dev *hdev) 1107 { 1108 struct discovery_state *d = &hdev->discovery; 1109 1110 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1111 } 1112 1113 static void clear_pending_adv_report(struct hci_dev *hdev) 1114 { 1115 struct discovery_state *d = &hdev->discovery; 1116 1117 bacpy(&d->last_adv_addr, BDADDR_ANY); 1118 d->last_adv_data_len = 0; 1119 } 1120 1121 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1122 u8 bdaddr_type, s8 rssi, u32 flags, 1123 u8 *data, u8 len) 1124 { 1125 struct discovery_state *d = &hdev->discovery; 1126 1127 bacpy(&d->last_adv_addr, bdaddr); 1128 d->last_adv_addr_type = bdaddr_type; 1129 d->last_adv_rssi = rssi; 1130 d->last_adv_flags = flags; 1131 memcpy(d->last_adv_data, data, len); 1132 d->last_adv_data_len = len; 1133 } 1134 1135 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1136 struct sk_buff *skb) 1137 { 1138 struct hci_cp_le_set_scan_enable *cp; 1139 __u8 status = *((__u8 *) skb->data); 1140 1141 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1142 1143 if (status) 1144 return; 1145 1146 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1147 if (!cp) 1148 return; 1149 1150 hci_dev_lock(hdev); 1151 1152 switch (cp->enable) { 1153 case LE_SCAN_ENABLE: 1154 set_bit(HCI_LE_SCAN, &hdev->dev_flags); 1155 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1156 clear_pending_adv_report(hdev); 1157 break; 1158 1159 case LE_SCAN_DISABLE: 1160 /* We do this here instead of when setting DISCOVERY_STOPPED 1161 * since the latter would potentially require waiting for 1162 * inquiry to stop too. 1163 */ 1164 if (has_pending_adv_report(hdev)) { 1165 struct discovery_state *d = &hdev->discovery; 1166 1167 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1168 d->last_adv_addr_type, NULL, 1169 d->last_adv_rssi, d->last_adv_flags, 1170 d->last_adv_data, 1171 d->last_adv_data_len, NULL, 0); 1172 } 1173 1174 /* Cancel this timer so that we don't try to disable scanning 1175 * when it's already disabled. 1176 */ 1177 cancel_delayed_work(&hdev->le_scan_disable); 1178 1179 clear_bit(HCI_LE_SCAN, &hdev->dev_flags); 1180 1181 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1182 * interrupted scanning due to a connect request. Mark 1183 * therefore discovery as stopped. If this was not 1184 * because of a connect request advertising might have 1185 * been disabled because of active scanning, so 1186 * re-enable it again if necessary. 1187 */ 1188 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED, 1189 &hdev->dev_flags)) 1190 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1191 else if (!test_bit(HCI_LE_ADV, &hdev->dev_flags) && 1192 hdev->discovery.state == DISCOVERY_FINDING) 1193 mgmt_reenable_advertising(hdev); 1194 1195 break; 1196 1197 default: 1198 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable); 1199 break; 1200 } 1201 1202 hci_dev_unlock(hdev); 1203 } 1204 1205 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1206 struct sk_buff *skb) 1207 { 1208 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1209 1210 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1211 1212 if (rp->status) 1213 return; 1214 1215 hdev->le_white_list_size = rp->size; 1216 } 1217 1218 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1219 struct sk_buff *skb) 1220 { 1221 __u8 status = *((__u8 *) skb->data); 1222 1223 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1224 1225 if (status) 1226 return; 1227 1228 hci_bdaddr_list_clear(&hdev->le_white_list); 1229 } 1230 1231 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1232 struct sk_buff *skb) 1233 { 1234 struct hci_cp_le_add_to_white_list *sent; 1235 __u8 status = *((__u8 *) skb->data); 1236 1237 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1238 1239 if (status) 1240 return; 1241 1242 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1243 if (!sent) 1244 return; 1245 1246 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1247 sent->bdaddr_type); 1248 } 1249 1250 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1251 struct sk_buff *skb) 1252 { 1253 struct hci_cp_le_del_from_white_list *sent; 1254 __u8 status = *((__u8 *) skb->data); 1255 1256 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1257 1258 if (status) 1259 return; 1260 1261 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1262 if (!sent) 1263 return; 1264 1265 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1266 sent->bdaddr_type); 1267 } 1268 1269 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1270 struct sk_buff *skb) 1271 { 1272 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1273 1274 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1275 1276 if (rp->status) 1277 return; 1278 1279 memcpy(hdev->le_states, rp->le_states, 8); 1280 } 1281 1282 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1283 struct sk_buff *skb) 1284 { 1285 struct hci_cp_write_le_host_supported *sent; 1286 __u8 status = *((__u8 *) skb->data); 1287 1288 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1289 1290 if (status) 1291 return; 1292 1293 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1294 if (!sent) 1295 return; 1296 1297 hci_dev_lock(hdev); 1298 1299 if (sent->le) { 1300 hdev->features[1][0] |= LMP_HOST_LE; 1301 set_bit(HCI_LE_ENABLED, &hdev->dev_flags); 1302 } else { 1303 hdev->features[1][0] &= ~LMP_HOST_LE; 1304 clear_bit(HCI_LE_ENABLED, &hdev->dev_flags); 1305 clear_bit(HCI_ADVERTISING, &hdev->dev_flags); 1306 } 1307 1308 if (sent->simul) 1309 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1310 else 1311 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1312 1313 hci_dev_unlock(hdev); 1314 } 1315 1316 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1317 { 1318 struct hci_cp_le_set_adv_param *cp; 1319 u8 status = *((u8 *) skb->data); 1320 1321 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1322 1323 if (status) 1324 return; 1325 1326 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1327 if (!cp) 1328 return; 1329 1330 hci_dev_lock(hdev); 1331 hdev->adv_addr_type = cp->own_address_type; 1332 hci_dev_unlock(hdev); 1333 } 1334 1335 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev, 1336 struct sk_buff *skb) 1337 { 1338 struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data; 1339 1340 BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x", 1341 hdev->name, rp->status, rp->phy_handle); 1342 1343 if (rp->status) 1344 return; 1345 1346 amp_write_rem_assoc_continue(hdev, rp->phy_handle); 1347 } 1348 1349 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1350 { 1351 struct hci_rp_read_rssi *rp = (void *) skb->data; 1352 struct hci_conn *conn; 1353 1354 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1355 1356 if (rp->status) 1357 return; 1358 1359 hci_dev_lock(hdev); 1360 1361 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1362 if (conn) 1363 conn->rssi = rp->rssi; 1364 1365 hci_dev_unlock(hdev); 1366 } 1367 1368 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1369 { 1370 struct hci_cp_read_tx_power *sent; 1371 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1372 struct hci_conn *conn; 1373 1374 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1375 1376 if (rp->status) 1377 return; 1378 1379 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1380 if (!sent) 1381 return; 1382 1383 hci_dev_lock(hdev); 1384 1385 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1386 if (!conn) 1387 goto unlock; 1388 1389 switch (sent->type) { 1390 case 0x00: 1391 conn->tx_power = rp->tx_power; 1392 break; 1393 case 0x01: 1394 conn->max_tx_power = rp->tx_power; 1395 break; 1396 } 1397 1398 unlock: 1399 hci_dev_unlock(hdev); 1400 } 1401 1402 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1403 { 1404 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1405 1406 if (status) { 1407 hci_conn_check_pending(hdev); 1408 return; 1409 } 1410 1411 set_bit(HCI_INQUIRY, &hdev->flags); 1412 } 1413 1414 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1415 { 1416 struct hci_cp_create_conn *cp; 1417 struct hci_conn *conn; 1418 1419 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1420 1421 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1422 if (!cp) 1423 return; 1424 1425 hci_dev_lock(hdev); 1426 1427 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1428 1429 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1430 1431 if (status) { 1432 if (conn && conn->state == BT_CONNECT) { 1433 if (status != 0x0c || conn->attempt > 2) { 1434 conn->state = BT_CLOSED; 1435 hci_proto_connect_cfm(conn, status); 1436 hci_conn_del(conn); 1437 } else 1438 conn->state = BT_CONNECT2; 1439 } 1440 } else { 1441 if (!conn) { 1442 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1443 HCI_ROLE_MASTER); 1444 if (!conn) 1445 BT_ERR("No memory for new connection"); 1446 } 1447 } 1448 1449 hci_dev_unlock(hdev); 1450 } 1451 1452 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1453 { 1454 struct hci_cp_add_sco *cp; 1455 struct hci_conn *acl, *sco; 1456 __u16 handle; 1457 1458 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1459 1460 if (!status) 1461 return; 1462 1463 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1464 if (!cp) 1465 return; 1466 1467 handle = __le16_to_cpu(cp->handle); 1468 1469 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1470 1471 hci_dev_lock(hdev); 1472 1473 acl = hci_conn_hash_lookup_handle(hdev, handle); 1474 if (acl) { 1475 sco = acl->link; 1476 if (sco) { 1477 sco->state = BT_CLOSED; 1478 1479 hci_proto_connect_cfm(sco, status); 1480 hci_conn_del(sco); 1481 } 1482 } 1483 1484 hci_dev_unlock(hdev); 1485 } 1486 1487 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1488 { 1489 struct hci_cp_auth_requested *cp; 1490 struct hci_conn *conn; 1491 1492 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1493 1494 if (!status) 1495 return; 1496 1497 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1498 if (!cp) 1499 return; 1500 1501 hci_dev_lock(hdev); 1502 1503 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1504 if (conn) { 1505 if (conn->state == BT_CONFIG) { 1506 hci_proto_connect_cfm(conn, status); 1507 hci_conn_drop(conn); 1508 } 1509 } 1510 1511 hci_dev_unlock(hdev); 1512 } 1513 1514 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1515 { 1516 struct hci_cp_set_conn_encrypt *cp; 1517 struct hci_conn *conn; 1518 1519 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1520 1521 if (!status) 1522 return; 1523 1524 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1525 if (!cp) 1526 return; 1527 1528 hci_dev_lock(hdev); 1529 1530 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1531 if (conn) { 1532 if (conn->state == BT_CONFIG) { 1533 hci_proto_connect_cfm(conn, status); 1534 hci_conn_drop(conn); 1535 } 1536 } 1537 1538 hci_dev_unlock(hdev); 1539 } 1540 1541 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1542 struct hci_conn *conn) 1543 { 1544 if (conn->state != BT_CONFIG || !conn->out) 1545 return 0; 1546 1547 if (conn->pending_sec_level == BT_SECURITY_SDP) 1548 return 0; 1549 1550 /* Only request authentication for SSP connections or non-SSP 1551 * devices with sec_level MEDIUM or HIGH or if MITM protection 1552 * is requested. 1553 */ 1554 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1555 conn->pending_sec_level != BT_SECURITY_FIPS && 1556 conn->pending_sec_level != BT_SECURITY_HIGH && 1557 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1558 return 0; 1559 1560 return 1; 1561 } 1562 1563 static int hci_resolve_name(struct hci_dev *hdev, 1564 struct inquiry_entry *e) 1565 { 1566 struct hci_cp_remote_name_req cp; 1567 1568 memset(&cp, 0, sizeof(cp)); 1569 1570 bacpy(&cp.bdaddr, &e->data.bdaddr); 1571 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1572 cp.pscan_mode = e->data.pscan_mode; 1573 cp.clock_offset = e->data.clock_offset; 1574 1575 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 1576 } 1577 1578 static bool hci_resolve_next_name(struct hci_dev *hdev) 1579 { 1580 struct discovery_state *discov = &hdev->discovery; 1581 struct inquiry_entry *e; 1582 1583 if (list_empty(&discov->resolve)) 1584 return false; 1585 1586 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1587 if (!e) 1588 return false; 1589 1590 if (hci_resolve_name(hdev, e) == 0) { 1591 e->name_state = NAME_PENDING; 1592 return true; 1593 } 1594 1595 return false; 1596 } 1597 1598 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 1599 bdaddr_t *bdaddr, u8 *name, u8 name_len) 1600 { 1601 struct discovery_state *discov = &hdev->discovery; 1602 struct inquiry_entry *e; 1603 1604 /* Update the mgmt connected state if necessary. Be careful with 1605 * conn objects that exist but are not (yet) connected however. 1606 * Only those in BT_CONFIG or BT_CONNECTED states can be 1607 * considered connected. 1608 */ 1609 if (conn && 1610 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 1611 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1612 mgmt_device_connected(hdev, conn, 0, name, name_len); 1613 1614 if (discov->state == DISCOVERY_STOPPED) 1615 return; 1616 1617 if (discov->state == DISCOVERY_STOPPING) 1618 goto discov_complete; 1619 1620 if (discov->state != DISCOVERY_RESOLVING) 1621 return; 1622 1623 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 1624 /* If the device was not found in a list of found devices names of which 1625 * are pending. there is no need to continue resolving a next name as it 1626 * will be done upon receiving another Remote Name Request Complete 1627 * Event */ 1628 if (!e) 1629 return; 1630 1631 list_del(&e->list); 1632 if (name) { 1633 e->name_state = NAME_KNOWN; 1634 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 1635 e->data.rssi, name, name_len); 1636 } else { 1637 e->name_state = NAME_NOT_KNOWN; 1638 } 1639 1640 if (hci_resolve_next_name(hdev)) 1641 return; 1642 1643 discov_complete: 1644 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1645 } 1646 1647 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 1648 { 1649 struct hci_cp_remote_name_req *cp; 1650 struct hci_conn *conn; 1651 1652 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1653 1654 /* If successful wait for the name req complete event before 1655 * checking for the need to do authentication */ 1656 if (!status) 1657 return; 1658 1659 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 1660 if (!cp) 1661 return; 1662 1663 hci_dev_lock(hdev); 1664 1665 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1666 1667 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 1668 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 1669 1670 if (!conn) 1671 goto unlock; 1672 1673 if (!hci_outgoing_auth_needed(hdev, conn)) 1674 goto unlock; 1675 1676 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 1677 struct hci_cp_auth_requested auth_cp; 1678 1679 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 1680 1681 auth_cp.handle = __cpu_to_le16(conn->handle); 1682 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 1683 sizeof(auth_cp), &auth_cp); 1684 } 1685 1686 unlock: 1687 hci_dev_unlock(hdev); 1688 } 1689 1690 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 1691 { 1692 struct hci_cp_read_remote_features *cp; 1693 struct hci_conn *conn; 1694 1695 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1696 1697 if (!status) 1698 return; 1699 1700 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 1701 if (!cp) 1702 return; 1703 1704 hci_dev_lock(hdev); 1705 1706 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1707 if (conn) { 1708 if (conn->state == BT_CONFIG) { 1709 hci_proto_connect_cfm(conn, status); 1710 hci_conn_drop(conn); 1711 } 1712 } 1713 1714 hci_dev_unlock(hdev); 1715 } 1716 1717 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 1718 { 1719 struct hci_cp_read_remote_ext_features *cp; 1720 struct hci_conn *conn; 1721 1722 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1723 1724 if (!status) 1725 return; 1726 1727 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 1728 if (!cp) 1729 return; 1730 1731 hci_dev_lock(hdev); 1732 1733 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1734 if (conn) { 1735 if (conn->state == BT_CONFIG) { 1736 hci_proto_connect_cfm(conn, status); 1737 hci_conn_drop(conn); 1738 } 1739 } 1740 1741 hci_dev_unlock(hdev); 1742 } 1743 1744 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 1745 { 1746 struct hci_cp_setup_sync_conn *cp; 1747 struct hci_conn *acl, *sco; 1748 __u16 handle; 1749 1750 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1751 1752 if (!status) 1753 return; 1754 1755 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 1756 if (!cp) 1757 return; 1758 1759 handle = __le16_to_cpu(cp->handle); 1760 1761 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1762 1763 hci_dev_lock(hdev); 1764 1765 acl = hci_conn_hash_lookup_handle(hdev, handle); 1766 if (acl) { 1767 sco = acl->link; 1768 if (sco) { 1769 sco->state = BT_CLOSED; 1770 1771 hci_proto_connect_cfm(sco, status); 1772 hci_conn_del(sco); 1773 } 1774 } 1775 1776 hci_dev_unlock(hdev); 1777 } 1778 1779 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 1780 { 1781 struct hci_cp_sniff_mode *cp; 1782 struct hci_conn *conn; 1783 1784 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1785 1786 if (!status) 1787 return; 1788 1789 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 1790 if (!cp) 1791 return; 1792 1793 hci_dev_lock(hdev); 1794 1795 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1796 if (conn) { 1797 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1798 1799 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1800 hci_sco_setup(conn, status); 1801 } 1802 1803 hci_dev_unlock(hdev); 1804 } 1805 1806 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 1807 { 1808 struct hci_cp_exit_sniff_mode *cp; 1809 struct hci_conn *conn; 1810 1811 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1812 1813 if (!status) 1814 return; 1815 1816 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 1817 if (!cp) 1818 return; 1819 1820 hci_dev_lock(hdev); 1821 1822 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1823 if (conn) { 1824 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1825 1826 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1827 hci_sco_setup(conn, status); 1828 } 1829 1830 hci_dev_unlock(hdev); 1831 } 1832 1833 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 1834 { 1835 struct hci_cp_disconnect *cp; 1836 struct hci_conn *conn; 1837 1838 if (!status) 1839 return; 1840 1841 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 1842 if (!cp) 1843 return; 1844 1845 hci_dev_lock(hdev); 1846 1847 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1848 if (conn) 1849 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 1850 conn->dst_type, status); 1851 1852 hci_dev_unlock(hdev); 1853 } 1854 1855 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status) 1856 { 1857 struct hci_cp_create_phy_link *cp; 1858 1859 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1860 1861 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK); 1862 if (!cp) 1863 return; 1864 1865 hci_dev_lock(hdev); 1866 1867 if (status) { 1868 struct hci_conn *hcon; 1869 1870 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle); 1871 if (hcon) 1872 hci_conn_del(hcon); 1873 } else { 1874 amp_write_remote_assoc(hdev, cp->phy_handle); 1875 } 1876 1877 hci_dev_unlock(hdev); 1878 } 1879 1880 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status) 1881 { 1882 struct hci_cp_accept_phy_link *cp; 1883 1884 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1885 1886 if (status) 1887 return; 1888 1889 cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK); 1890 if (!cp) 1891 return; 1892 1893 amp_write_remote_assoc(hdev, cp->phy_handle); 1894 } 1895 1896 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 1897 { 1898 struct hci_cp_le_create_conn *cp; 1899 struct hci_conn *conn; 1900 1901 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1902 1903 /* All connection failure handling is taken care of by the 1904 * hci_le_conn_failed function which is triggered by the HCI 1905 * request completion callbacks used for connecting. 1906 */ 1907 if (status) 1908 return; 1909 1910 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 1911 if (!cp) 1912 return; 1913 1914 hci_dev_lock(hdev); 1915 1916 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr); 1917 if (!conn) 1918 goto unlock; 1919 1920 /* Store the initiator and responder address information which 1921 * is needed for SMP. These values will not change during the 1922 * lifetime of the connection. 1923 */ 1924 conn->init_addr_type = cp->own_address_type; 1925 if (cp->own_address_type == ADDR_LE_DEV_RANDOM) 1926 bacpy(&conn->init_addr, &hdev->random_addr); 1927 else 1928 bacpy(&conn->init_addr, &hdev->bdaddr); 1929 1930 conn->resp_addr_type = cp->peer_addr_type; 1931 bacpy(&conn->resp_addr, &cp->peer_addr); 1932 1933 /* We don't want the connection attempt to stick around 1934 * indefinitely since LE doesn't have a page timeout concept 1935 * like BR/EDR. Set a timer for any connection that doesn't use 1936 * the white list for connecting. 1937 */ 1938 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR) 1939 queue_delayed_work(conn->hdev->workqueue, 1940 &conn->le_conn_timeout, 1941 conn->conn_timeout); 1942 1943 unlock: 1944 hci_dev_unlock(hdev); 1945 } 1946 1947 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 1948 { 1949 struct hci_cp_le_start_enc *cp; 1950 struct hci_conn *conn; 1951 1952 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1953 1954 if (!status) 1955 return; 1956 1957 hci_dev_lock(hdev); 1958 1959 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 1960 if (!cp) 1961 goto unlock; 1962 1963 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1964 if (!conn) 1965 goto unlock; 1966 1967 if (conn->state != BT_CONNECTED) 1968 goto unlock; 1969 1970 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 1971 hci_conn_drop(conn); 1972 1973 unlock: 1974 hci_dev_unlock(hdev); 1975 } 1976 1977 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 1978 { 1979 struct hci_cp_switch_role *cp; 1980 struct hci_conn *conn; 1981 1982 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1983 1984 if (!status) 1985 return; 1986 1987 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 1988 if (!cp) 1989 return; 1990 1991 hci_dev_lock(hdev); 1992 1993 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1994 if (conn) 1995 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 1996 1997 hci_dev_unlock(hdev); 1998 } 1999 2000 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2001 { 2002 __u8 status = *((__u8 *) skb->data); 2003 struct discovery_state *discov = &hdev->discovery; 2004 struct inquiry_entry *e; 2005 2006 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2007 2008 hci_conn_check_pending(hdev); 2009 2010 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2011 return; 2012 2013 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2014 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2015 2016 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 2017 return; 2018 2019 hci_dev_lock(hdev); 2020 2021 if (discov->state != DISCOVERY_FINDING) 2022 goto unlock; 2023 2024 if (list_empty(&discov->resolve)) { 2025 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2026 goto unlock; 2027 } 2028 2029 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2030 if (e && hci_resolve_name(hdev, e) == 0) { 2031 e->name_state = NAME_PENDING; 2032 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2033 } else { 2034 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2035 } 2036 2037 unlock: 2038 hci_dev_unlock(hdev); 2039 } 2040 2041 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2042 { 2043 struct inquiry_data data; 2044 struct inquiry_info *info = (void *) (skb->data + 1); 2045 int num_rsp = *((__u8 *) skb->data); 2046 2047 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2048 2049 if (!num_rsp) 2050 return; 2051 2052 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) 2053 return; 2054 2055 hci_dev_lock(hdev); 2056 2057 for (; num_rsp; num_rsp--, info++) { 2058 u32 flags; 2059 2060 bacpy(&data.bdaddr, &info->bdaddr); 2061 data.pscan_rep_mode = info->pscan_rep_mode; 2062 data.pscan_period_mode = info->pscan_period_mode; 2063 data.pscan_mode = info->pscan_mode; 2064 memcpy(data.dev_class, info->dev_class, 3); 2065 data.clock_offset = info->clock_offset; 2066 data.rssi = HCI_RSSI_INVALID; 2067 data.ssp_mode = 0x00; 2068 2069 flags = hci_inquiry_cache_update(hdev, &data, false); 2070 2071 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2072 info->dev_class, HCI_RSSI_INVALID, 2073 flags, NULL, 0, NULL, 0); 2074 } 2075 2076 hci_dev_unlock(hdev); 2077 } 2078 2079 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2080 { 2081 struct hci_ev_conn_complete *ev = (void *) skb->data; 2082 struct hci_conn *conn; 2083 2084 BT_DBG("%s", hdev->name); 2085 2086 hci_dev_lock(hdev); 2087 2088 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2089 if (!conn) { 2090 if (ev->link_type != SCO_LINK) 2091 goto unlock; 2092 2093 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 2094 if (!conn) 2095 goto unlock; 2096 2097 conn->type = SCO_LINK; 2098 } 2099 2100 if (!ev->status) { 2101 conn->handle = __le16_to_cpu(ev->handle); 2102 2103 if (conn->type == ACL_LINK) { 2104 conn->state = BT_CONFIG; 2105 hci_conn_hold(conn); 2106 2107 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2108 !hci_find_link_key(hdev, &ev->bdaddr)) 2109 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2110 else 2111 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2112 } else 2113 conn->state = BT_CONNECTED; 2114 2115 hci_conn_add_sysfs(conn); 2116 2117 if (test_bit(HCI_AUTH, &hdev->flags)) 2118 set_bit(HCI_CONN_AUTH, &conn->flags); 2119 2120 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2121 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2122 2123 /* Get remote features */ 2124 if (conn->type == ACL_LINK) { 2125 struct hci_cp_read_remote_features cp; 2126 cp.handle = ev->handle; 2127 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2128 sizeof(cp), &cp); 2129 2130 hci_update_page_scan(hdev, NULL); 2131 } 2132 2133 /* Set packet type for incoming connection */ 2134 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2135 struct hci_cp_change_conn_ptype cp; 2136 cp.handle = ev->handle; 2137 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2138 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2139 &cp); 2140 } 2141 } else { 2142 conn->state = BT_CLOSED; 2143 if (conn->type == ACL_LINK) 2144 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2145 conn->dst_type, ev->status); 2146 } 2147 2148 if (conn->type == ACL_LINK) 2149 hci_sco_setup(conn, ev->status); 2150 2151 if (ev->status) { 2152 hci_proto_connect_cfm(conn, ev->status); 2153 hci_conn_del(conn); 2154 } else if (ev->link_type != ACL_LINK) 2155 hci_proto_connect_cfm(conn, ev->status); 2156 2157 unlock: 2158 hci_dev_unlock(hdev); 2159 2160 hci_conn_check_pending(hdev); 2161 } 2162 2163 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2164 { 2165 struct hci_cp_reject_conn_req cp; 2166 2167 bacpy(&cp.bdaddr, bdaddr); 2168 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2169 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2170 } 2171 2172 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2173 { 2174 struct hci_ev_conn_request *ev = (void *) skb->data; 2175 int mask = hdev->link_mode; 2176 struct inquiry_entry *ie; 2177 struct hci_conn *conn; 2178 __u8 flags = 0; 2179 2180 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2181 ev->link_type); 2182 2183 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2184 &flags); 2185 2186 if (!(mask & HCI_LM_ACCEPT)) { 2187 hci_reject_conn(hdev, &ev->bdaddr); 2188 return; 2189 } 2190 2191 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2192 BDADDR_BREDR)) { 2193 hci_reject_conn(hdev, &ev->bdaddr); 2194 return; 2195 } 2196 2197 if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags) && 2198 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr, 2199 BDADDR_BREDR)) { 2200 hci_reject_conn(hdev, &ev->bdaddr); 2201 return; 2202 } 2203 2204 /* Connection accepted */ 2205 2206 hci_dev_lock(hdev); 2207 2208 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2209 if (ie) 2210 memcpy(ie->data.dev_class, ev->dev_class, 3); 2211 2212 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2213 &ev->bdaddr); 2214 if (!conn) { 2215 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2216 HCI_ROLE_SLAVE); 2217 if (!conn) { 2218 BT_ERR("No memory for new connection"); 2219 hci_dev_unlock(hdev); 2220 return; 2221 } 2222 } 2223 2224 memcpy(conn->dev_class, ev->dev_class, 3); 2225 2226 hci_dev_unlock(hdev); 2227 2228 if (ev->link_type == ACL_LINK || 2229 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2230 struct hci_cp_accept_conn_req cp; 2231 conn->state = BT_CONNECT; 2232 2233 bacpy(&cp.bdaddr, &ev->bdaddr); 2234 2235 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2236 cp.role = 0x00; /* Become master */ 2237 else 2238 cp.role = 0x01; /* Remain slave */ 2239 2240 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2241 } else if (!(flags & HCI_PROTO_DEFER)) { 2242 struct hci_cp_accept_sync_conn_req cp; 2243 conn->state = BT_CONNECT; 2244 2245 bacpy(&cp.bdaddr, &ev->bdaddr); 2246 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2247 2248 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2249 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2250 cp.max_latency = cpu_to_le16(0xffff); 2251 cp.content_format = cpu_to_le16(hdev->voice_setting); 2252 cp.retrans_effort = 0xff; 2253 2254 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2255 &cp); 2256 } else { 2257 conn->state = BT_CONNECT2; 2258 hci_proto_connect_cfm(conn, 0); 2259 } 2260 } 2261 2262 static u8 hci_to_mgmt_reason(u8 err) 2263 { 2264 switch (err) { 2265 case HCI_ERROR_CONNECTION_TIMEOUT: 2266 return MGMT_DEV_DISCONN_TIMEOUT; 2267 case HCI_ERROR_REMOTE_USER_TERM: 2268 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2269 case HCI_ERROR_REMOTE_POWER_OFF: 2270 return MGMT_DEV_DISCONN_REMOTE; 2271 case HCI_ERROR_LOCAL_HOST_TERM: 2272 return MGMT_DEV_DISCONN_LOCAL_HOST; 2273 default: 2274 return MGMT_DEV_DISCONN_UNKNOWN; 2275 } 2276 } 2277 2278 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2279 { 2280 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2281 u8 reason = hci_to_mgmt_reason(ev->reason); 2282 struct hci_conn_params *params; 2283 struct hci_conn *conn; 2284 bool mgmt_connected; 2285 u8 type; 2286 2287 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2288 2289 hci_dev_lock(hdev); 2290 2291 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2292 if (!conn) 2293 goto unlock; 2294 2295 if (ev->status) { 2296 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2297 conn->dst_type, ev->status); 2298 goto unlock; 2299 } 2300 2301 conn->state = BT_CLOSED; 2302 2303 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2304 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2305 reason, mgmt_connected); 2306 2307 if (conn->type == ACL_LINK) { 2308 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2309 hci_remove_link_key(hdev, &conn->dst); 2310 2311 hci_update_page_scan(hdev, NULL); 2312 } 2313 2314 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2315 if (params) { 2316 switch (params->auto_connect) { 2317 case HCI_AUTO_CONN_LINK_LOSS: 2318 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2319 break; 2320 /* Fall through */ 2321 2322 case HCI_AUTO_CONN_DIRECT: 2323 case HCI_AUTO_CONN_ALWAYS: 2324 list_del_init(¶ms->action); 2325 list_add(¶ms->action, &hdev->pend_le_conns); 2326 hci_update_background_scan(hdev); 2327 break; 2328 2329 default: 2330 break; 2331 } 2332 } 2333 2334 type = conn->type; 2335 2336 hci_proto_disconn_cfm(conn, ev->reason); 2337 hci_conn_del(conn); 2338 2339 /* Re-enable advertising if necessary, since it might 2340 * have been disabled by the connection. From the 2341 * HCI_LE_Set_Advertise_Enable command description in 2342 * the core specification (v4.0): 2343 * "The Controller shall continue advertising until the Host 2344 * issues an LE_Set_Advertise_Enable command with 2345 * Advertising_Enable set to 0x00 (Advertising is disabled) 2346 * or until a connection is created or until the Advertising 2347 * is timed out due to Directed Advertising." 2348 */ 2349 if (type == LE_LINK) 2350 mgmt_reenable_advertising(hdev); 2351 2352 unlock: 2353 hci_dev_unlock(hdev); 2354 } 2355 2356 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2357 { 2358 struct hci_ev_auth_complete *ev = (void *) skb->data; 2359 struct hci_conn *conn; 2360 2361 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2362 2363 hci_dev_lock(hdev); 2364 2365 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2366 if (!conn) 2367 goto unlock; 2368 2369 if (!ev->status) { 2370 if (!hci_conn_ssp_enabled(conn) && 2371 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2372 BT_INFO("re-auth of legacy device is not possible."); 2373 } else { 2374 set_bit(HCI_CONN_AUTH, &conn->flags); 2375 conn->sec_level = conn->pending_sec_level; 2376 } 2377 } else { 2378 mgmt_auth_failed(conn, ev->status); 2379 } 2380 2381 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2382 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2383 2384 if (conn->state == BT_CONFIG) { 2385 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2386 struct hci_cp_set_conn_encrypt cp; 2387 cp.handle = ev->handle; 2388 cp.encrypt = 0x01; 2389 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2390 &cp); 2391 } else { 2392 conn->state = BT_CONNECTED; 2393 hci_proto_connect_cfm(conn, ev->status); 2394 hci_conn_drop(conn); 2395 } 2396 } else { 2397 hci_auth_cfm(conn, ev->status); 2398 2399 hci_conn_hold(conn); 2400 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2401 hci_conn_drop(conn); 2402 } 2403 2404 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2405 if (!ev->status) { 2406 struct hci_cp_set_conn_encrypt cp; 2407 cp.handle = ev->handle; 2408 cp.encrypt = 0x01; 2409 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2410 &cp); 2411 } else { 2412 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2413 hci_encrypt_cfm(conn, ev->status, 0x00); 2414 } 2415 } 2416 2417 unlock: 2418 hci_dev_unlock(hdev); 2419 } 2420 2421 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2422 { 2423 struct hci_ev_remote_name *ev = (void *) skb->data; 2424 struct hci_conn *conn; 2425 2426 BT_DBG("%s", hdev->name); 2427 2428 hci_conn_check_pending(hdev); 2429 2430 hci_dev_lock(hdev); 2431 2432 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2433 2434 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 2435 goto check_auth; 2436 2437 if (ev->status == 0) 2438 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2439 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2440 else 2441 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2442 2443 check_auth: 2444 if (!conn) 2445 goto unlock; 2446 2447 if (!hci_outgoing_auth_needed(hdev, conn)) 2448 goto unlock; 2449 2450 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2451 struct hci_cp_auth_requested cp; 2452 2453 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2454 2455 cp.handle = __cpu_to_le16(conn->handle); 2456 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2457 } 2458 2459 unlock: 2460 hci_dev_unlock(hdev); 2461 } 2462 2463 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2464 { 2465 struct hci_ev_encrypt_change *ev = (void *) skb->data; 2466 struct hci_conn *conn; 2467 2468 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2469 2470 hci_dev_lock(hdev); 2471 2472 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2473 if (!conn) 2474 goto unlock; 2475 2476 if (!ev->status) { 2477 if (ev->encrypt) { 2478 /* Encryption implies authentication */ 2479 set_bit(HCI_CONN_AUTH, &conn->flags); 2480 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2481 conn->sec_level = conn->pending_sec_level; 2482 2483 /* P-256 authentication key implies FIPS */ 2484 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 2485 set_bit(HCI_CONN_FIPS, &conn->flags); 2486 2487 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 2488 conn->type == LE_LINK) 2489 set_bit(HCI_CONN_AES_CCM, &conn->flags); 2490 } else { 2491 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 2492 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 2493 } 2494 } 2495 2496 /* We should disregard the current RPA and generate a new one 2497 * whenever the encryption procedure fails. 2498 */ 2499 if (ev->status && conn->type == LE_LINK) 2500 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags); 2501 2502 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2503 2504 if (ev->status && conn->state == BT_CONNECTED) { 2505 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2506 hci_conn_drop(conn); 2507 goto unlock; 2508 } 2509 2510 if (conn->state == BT_CONFIG) { 2511 if (!ev->status) 2512 conn->state = BT_CONNECTED; 2513 2514 /* In Secure Connections Only mode, do not allow any 2515 * connections that are not encrypted with AES-CCM 2516 * using a P-256 authenticated combination key. 2517 */ 2518 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && 2519 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2520 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 2521 hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 2522 hci_conn_drop(conn); 2523 goto unlock; 2524 } 2525 2526 hci_proto_connect_cfm(conn, ev->status); 2527 hci_conn_drop(conn); 2528 } else 2529 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2530 2531 unlock: 2532 hci_dev_unlock(hdev); 2533 } 2534 2535 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 2536 struct sk_buff *skb) 2537 { 2538 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 2539 struct hci_conn *conn; 2540 2541 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2542 2543 hci_dev_lock(hdev); 2544 2545 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2546 if (conn) { 2547 if (!ev->status) 2548 set_bit(HCI_CONN_SECURE, &conn->flags); 2549 2550 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2551 2552 hci_key_change_cfm(conn, ev->status); 2553 } 2554 2555 hci_dev_unlock(hdev); 2556 } 2557 2558 static void hci_remote_features_evt(struct hci_dev *hdev, 2559 struct sk_buff *skb) 2560 { 2561 struct hci_ev_remote_features *ev = (void *) skb->data; 2562 struct hci_conn *conn; 2563 2564 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2565 2566 hci_dev_lock(hdev); 2567 2568 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2569 if (!conn) 2570 goto unlock; 2571 2572 if (!ev->status) 2573 memcpy(conn->features[0], ev->features, 8); 2574 2575 if (conn->state != BT_CONFIG) 2576 goto unlock; 2577 2578 if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) { 2579 struct hci_cp_read_remote_ext_features cp; 2580 cp.handle = ev->handle; 2581 cp.page = 0x01; 2582 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 2583 sizeof(cp), &cp); 2584 goto unlock; 2585 } 2586 2587 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 2588 struct hci_cp_remote_name_req cp; 2589 memset(&cp, 0, sizeof(cp)); 2590 bacpy(&cp.bdaddr, &conn->dst); 2591 cp.pscan_rep_mode = 0x02; 2592 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2593 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2594 mgmt_device_connected(hdev, conn, 0, NULL, 0); 2595 2596 if (!hci_outgoing_auth_needed(hdev, conn)) { 2597 conn->state = BT_CONNECTED; 2598 hci_proto_connect_cfm(conn, ev->status); 2599 hci_conn_drop(conn); 2600 } 2601 2602 unlock: 2603 hci_dev_unlock(hdev); 2604 } 2605 2606 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2607 { 2608 struct hci_ev_cmd_complete *ev = (void *) skb->data; 2609 u8 status = skb->data[sizeof(*ev)]; 2610 __u16 opcode; 2611 2612 skb_pull(skb, sizeof(*ev)); 2613 2614 opcode = __le16_to_cpu(ev->opcode); 2615 2616 switch (opcode) { 2617 case HCI_OP_INQUIRY_CANCEL: 2618 hci_cc_inquiry_cancel(hdev, skb); 2619 break; 2620 2621 case HCI_OP_PERIODIC_INQ: 2622 hci_cc_periodic_inq(hdev, skb); 2623 break; 2624 2625 case HCI_OP_EXIT_PERIODIC_INQ: 2626 hci_cc_exit_periodic_inq(hdev, skb); 2627 break; 2628 2629 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 2630 hci_cc_remote_name_req_cancel(hdev, skb); 2631 break; 2632 2633 case HCI_OP_ROLE_DISCOVERY: 2634 hci_cc_role_discovery(hdev, skb); 2635 break; 2636 2637 case HCI_OP_READ_LINK_POLICY: 2638 hci_cc_read_link_policy(hdev, skb); 2639 break; 2640 2641 case HCI_OP_WRITE_LINK_POLICY: 2642 hci_cc_write_link_policy(hdev, skb); 2643 break; 2644 2645 case HCI_OP_READ_DEF_LINK_POLICY: 2646 hci_cc_read_def_link_policy(hdev, skb); 2647 break; 2648 2649 case HCI_OP_WRITE_DEF_LINK_POLICY: 2650 hci_cc_write_def_link_policy(hdev, skb); 2651 break; 2652 2653 case HCI_OP_RESET: 2654 hci_cc_reset(hdev, skb); 2655 break; 2656 2657 case HCI_OP_WRITE_LOCAL_NAME: 2658 hci_cc_write_local_name(hdev, skb); 2659 break; 2660 2661 case HCI_OP_READ_LOCAL_NAME: 2662 hci_cc_read_local_name(hdev, skb); 2663 break; 2664 2665 case HCI_OP_WRITE_AUTH_ENABLE: 2666 hci_cc_write_auth_enable(hdev, skb); 2667 break; 2668 2669 case HCI_OP_WRITE_ENCRYPT_MODE: 2670 hci_cc_write_encrypt_mode(hdev, skb); 2671 break; 2672 2673 case HCI_OP_WRITE_SCAN_ENABLE: 2674 hci_cc_write_scan_enable(hdev, skb); 2675 break; 2676 2677 case HCI_OP_READ_CLASS_OF_DEV: 2678 hci_cc_read_class_of_dev(hdev, skb); 2679 break; 2680 2681 case HCI_OP_WRITE_CLASS_OF_DEV: 2682 hci_cc_write_class_of_dev(hdev, skb); 2683 break; 2684 2685 case HCI_OP_READ_VOICE_SETTING: 2686 hci_cc_read_voice_setting(hdev, skb); 2687 break; 2688 2689 case HCI_OP_WRITE_VOICE_SETTING: 2690 hci_cc_write_voice_setting(hdev, skb); 2691 break; 2692 2693 case HCI_OP_READ_NUM_SUPPORTED_IAC: 2694 hci_cc_read_num_supported_iac(hdev, skb); 2695 break; 2696 2697 case HCI_OP_WRITE_SSP_MODE: 2698 hci_cc_write_ssp_mode(hdev, skb); 2699 break; 2700 2701 case HCI_OP_WRITE_SC_SUPPORT: 2702 hci_cc_write_sc_support(hdev, skb); 2703 break; 2704 2705 case HCI_OP_READ_LOCAL_VERSION: 2706 hci_cc_read_local_version(hdev, skb); 2707 break; 2708 2709 case HCI_OP_READ_LOCAL_COMMANDS: 2710 hci_cc_read_local_commands(hdev, skb); 2711 break; 2712 2713 case HCI_OP_READ_LOCAL_FEATURES: 2714 hci_cc_read_local_features(hdev, skb); 2715 break; 2716 2717 case HCI_OP_READ_LOCAL_EXT_FEATURES: 2718 hci_cc_read_local_ext_features(hdev, skb); 2719 break; 2720 2721 case HCI_OP_READ_BUFFER_SIZE: 2722 hci_cc_read_buffer_size(hdev, skb); 2723 break; 2724 2725 case HCI_OP_READ_BD_ADDR: 2726 hci_cc_read_bd_addr(hdev, skb); 2727 break; 2728 2729 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 2730 hci_cc_read_page_scan_activity(hdev, skb); 2731 break; 2732 2733 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 2734 hci_cc_write_page_scan_activity(hdev, skb); 2735 break; 2736 2737 case HCI_OP_READ_PAGE_SCAN_TYPE: 2738 hci_cc_read_page_scan_type(hdev, skb); 2739 break; 2740 2741 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 2742 hci_cc_write_page_scan_type(hdev, skb); 2743 break; 2744 2745 case HCI_OP_READ_DATA_BLOCK_SIZE: 2746 hci_cc_read_data_block_size(hdev, skb); 2747 break; 2748 2749 case HCI_OP_READ_FLOW_CONTROL_MODE: 2750 hci_cc_read_flow_control_mode(hdev, skb); 2751 break; 2752 2753 case HCI_OP_READ_LOCAL_AMP_INFO: 2754 hci_cc_read_local_amp_info(hdev, skb); 2755 break; 2756 2757 case HCI_OP_READ_CLOCK: 2758 hci_cc_read_clock(hdev, skb); 2759 break; 2760 2761 case HCI_OP_READ_LOCAL_AMP_ASSOC: 2762 hci_cc_read_local_amp_assoc(hdev, skb); 2763 break; 2764 2765 case HCI_OP_READ_INQ_RSP_TX_POWER: 2766 hci_cc_read_inq_rsp_tx_power(hdev, skb); 2767 break; 2768 2769 case HCI_OP_PIN_CODE_REPLY: 2770 hci_cc_pin_code_reply(hdev, skb); 2771 break; 2772 2773 case HCI_OP_PIN_CODE_NEG_REPLY: 2774 hci_cc_pin_code_neg_reply(hdev, skb); 2775 break; 2776 2777 case HCI_OP_READ_LOCAL_OOB_DATA: 2778 hci_cc_read_local_oob_data(hdev, skb); 2779 break; 2780 2781 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 2782 hci_cc_read_local_oob_ext_data(hdev, skb); 2783 break; 2784 2785 case HCI_OP_LE_READ_BUFFER_SIZE: 2786 hci_cc_le_read_buffer_size(hdev, skb); 2787 break; 2788 2789 case HCI_OP_LE_READ_LOCAL_FEATURES: 2790 hci_cc_le_read_local_features(hdev, skb); 2791 break; 2792 2793 case HCI_OP_LE_READ_ADV_TX_POWER: 2794 hci_cc_le_read_adv_tx_power(hdev, skb); 2795 break; 2796 2797 case HCI_OP_USER_CONFIRM_REPLY: 2798 hci_cc_user_confirm_reply(hdev, skb); 2799 break; 2800 2801 case HCI_OP_USER_CONFIRM_NEG_REPLY: 2802 hci_cc_user_confirm_neg_reply(hdev, skb); 2803 break; 2804 2805 case HCI_OP_USER_PASSKEY_REPLY: 2806 hci_cc_user_passkey_reply(hdev, skb); 2807 break; 2808 2809 case HCI_OP_USER_PASSKEY_NEG_REPLY: 2810 hci_cc_user_passkey_neg_reply(hdev, skb); 2811 break; 2812 2813 case HCI_OP_LE_SET_RANDOM_ADDR: 2814 hci_cc_le_set_random_addr(hdev, skb); 2815 break; 2816 2817 case HCI_OP_LE_SET_ADV_ENABLE: 2818 hci_cc_le_set_adv_enable(hdev, skb); 2819 break; 2820 2821 case HCI_OP_LE_SET_SCAN_PARAM: 2822 hci_cc_le_set_scan_param(hdev, skb); 2823 break; 2824 2825 case HCI_OP_LE_SET_SCAN_ENABLE: 2826 hci_cc_le_set_scan_enable(hdev, skb); 2827 break; 2828 2829 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 2830 hci_cc_le_read_white_list_size(hdev, skb); 2831 break; 2832 2833 case HCI_OP_LE_CLEAR_WHITE_LIST: 2834 hci_cc_le_clear_white_list(hdev, skb); 2835 break; 2836 2837 case HCI_OP_LE_ADD_TO_WHITE_LIST: 2838 hci_cc_le_add_to_white_list(hdev, skb); 2839 break; 2840 2841 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 2842 hci_cc_le_del_from_white_list(hdev, skb); 2843 break; 2844 2845 case HCI_OP_LE_READ_SUPPORTED_STATES: 2846 hci_cc_le_read_supported_states(hdev, skb); 2847 break; 2848 2849 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 2850 hci_cc_write_le_host_supported(hdev, skb); 2851 break; 2852 2853 case HCI_OP_LE_SET_ADV_PARAM: 2854 hci_cc_set_adv_param(hdev, skb); 2855 break; 2856 2857 case HCI_OP_WRITE_REMOTE_AMP_ASSOC: 2858 hci_cc_write_remote_amp_assoc(hdev, skb); 2859 break; 2860 2861 case HCI_OP_READ_RSSI: 2862 hci_cc_read_rssi(hdev, skb); 2863 break; 2864 2865 case HCI_OP_READ_TX_POWER: 2866 hci_cc_read_tx_power(hdev, skb); 2867 break; 2868 2869 default: 2870 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2871 break; 2872 } 2873 2874 if (opcode != HCI_OP_NOP) 2875 cancel_delayed_work(&hdev->cmd_timer); 2876 2877 hci_req_cmd_complete(hdev, opcode, status); 2878 2879 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2880 atomic_set(&hdev->cmd_cnt, 1); 2881 if (!skb_queue_empty(&hdev->cmd_q)) 2882 queue_work(hdev->workqueue, &hdev->cmd_work); 2883 } 2884 } 2885 2886 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb) 2887 { 2888 struct hci_ev_cmd_status *ev = (void *) skb->data; 2889 __u16 opcode; 2890 2891 skb_pull(skb, sizeof(*ev)); 2892 2893 opcode = __le16_to_cpu(ev->opcode); 2894 2895 switch (opcode) { 2896 case HCI_OP_INQUIRY: 2897 hci_cs_inquiry(hdev, ev->status); 2898 break; 2899 2900 case HCI_OP_CREATE_CONN: 2901 hci_cs_create_conn(hdev, ev->status); 2902 break; 2903 2904 case HCI_OP_DISCONNECT: 2905 hci_cs_disconnect(hdev, ev->status); 2906 break; 2907 2908 case HCI_OP_ADD_SCO: 2909 hci_cs_add_sco(hdev, ev->status); 2910 break; 2911 2912 case HCI_OP_AUTH_REQUESTED: 2913 hci_cs_auth_requested(hdev, ev->status); 2914 break; 2915 2916 case HCI_OP_SET_CONN_ENCRYPT: 2917 hci_cs_set_conn_encrypt(hdev, ev->status); 2918 break; 2919 2920 case HCI_OP_REMOTE_NAME_REQ: 2921 hci_cs_remote_name_req(hdev, ev->status); 2922 break; 2923 2924 case HCI_OP_READ_REMOTE_FEATURES: 2925 hci_cs_read_remote_features(hdev, ev->status); 2926 break; 2927 2928 case HCI_OP_READ_REMOTE_EXT_FEATURES: 2929 hci_cs_read_remote_ext_features(hdev, ev->status); 2930 break; 2931 2932 case HCI_OP_SETUP_SYNC_CONN: 2933 hci_cs_setup_sync_conn(hdev, ev->status); 2934 break; 2935 2936 case HCI_OP_CREATE_PHY_LINK: 2937 hci_cs_create_phylink(hdev, ev->status); 2938 break; 2939 2940 case HCI_OP_ACCEPT_PHY_LINK: 2941 hci_cs_accept_phylink(hdev, ev->status); 2942 break; 2943 2944 case HCI_OP_SNIFF_MODE: 2945 hci_cs_sniff_mode(hdev, ev->status); 2946 break; 2947 2948 case HCI_OP_EXIT_SNIFF_MODE: 2949 hci_cs_exit_sniff_mode(hdev, ev->status); 2950 break; 2951 2952 case HCI_OP_SWITCH_ROLE: 2953 hci_cs_switch_role(hdev, ev->status); 2954 break; 2955 2956 case HCI_OP_LE_CREATE_CONN: 2957 hci_cs_le_create_conn(hdev, ev->status); 2958 break; 2959 2960 case HCI_OP_LE_START_ENC: 2961 hci_cs_le_start_enc(hdev, ev->status); 2962 break; 2963 2964 default: 2965 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2966 break; 2967 } 2968 2969 if (opcode != HCI_OP_NOP) 2970 cancel_delayed_work(&hdev->cmd_timer); 2971 2972 if (ev->status || 2973 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event)) 2974 hci_req_cmd_complete(hdev, opcode, ev->status); 2975 2976 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2977 atomic_set(&hdev->cmd_cnt, 1); 2978 if (!skb_queue_empty(&hdev->cmd_q)) 2979 queue_work(hdev->workqueue, &hdev->cmd_work); 2980 } 2981 } 2982 2983 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 2984 { 2985 struct hci_ev_hardware_error *ev = (void *) skb->data; 2986 2987 BT_ERR("%s hardware error 0x%2.2x", hdev->name, ev->code); 2988 } 2989 2990 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2991 { 2992 struct hci_ev_role_change *ev = (void *) skb->data; 2993 struct hci_conn *conn; 2994 2995 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2996 2997 hci_dev_lock(hdev); 2998 2999 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3000 if (conn) { 3001 if (!ev->status) 3002 conn->role = ev->role; 3003 3004 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3005 3006 hci_role_switch_cfm(conn, ev->status, ev->role); 3007 } 3008 3009 hci_dev_unlock(hdev); 3010 } 3011 3012 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3013 { 3014 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3015 int i; 3016 3017 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3018 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode); 3019 return; 3020 } 3021 3022 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 3023 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) { 3024 BT_DBG("%s bad parameters", hdev->name); 3025 return; 3026 } 3027 3028 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3029 3030 for (i = 0; i < ev->num_hndl; i++) { 3031 struct hci_comp_pkts_info *info = &ev->handles[i]; 3032 struct hci_conn *conn; 3033 __u16 handle, count; 3034 3035 handle = __le16_to_cpu(info->handle); 3036 count = __le16_to_cpu(info->count); 3037 3038 conn = hci_conn_hash_lookup_handle(hdev, handle); 3039 if (!conn) 3040 continue; 3041 3042 conn->sent -= count; 3043 3044 switch (conn->type) { 3045 case ACL_LINK: 3046 hdev->acl_cnt += count; 3047 if (hdev->acl_cnt > hdev->acl_pkts) 3048 hdev->acl_cnt = hdev->acl_pkts; 3049 break; 3050 3051 case LE_LINK: 3052 if (hdev->le_pkts) { 3053 hdev->le_cnt += count; 3054 if (hdev->le_cnt > hdev->le_pkts) 3055 hdev->le_cnt = hdev->le_pkts; 3056 } else { 3057 hdev->acl_cnt += count; 3058 if (hdev->acl_cnt > hdev->acl_pkts) 3059 hdev->acl_cnt = hdev->acl_pkts; 3060 } 3061 break; 3062 3063 case SCO_LINK: 3064 hdev->sco_cnt += count; 3065 if (hdev->sco_cnt > hdev->sco_pkts) 3066 hdev->sco_cnt = hdev->sco_pkts; 3067 break; 3068 3069 default: 3070 BT_ERR("Unknown type %d conn %p", conn->type, conn); 3071 break; 3072 } 3073 } 3074 3075 queue_work(hdev->workqueue, &hdev->tx_work); 3076 } 3077 3078 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3079 __u16 handle) 3080 { 3081 struct hci_chan *chan; 3082 3083 switch (hdev->dev_type) { 3084 case HCI_BREDR: 3085 return hci_conn_hash_lookup_handle(hdev, handle); 3086 case HCI_AMP: 3087 chan = hci_chan_lookup_handle(hdev, handle); 3088 if (chan) 3089 return chan->conn; 3090 break; 3091 default: 3092 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type); 3093 break; 3094 } 3095 3096 return NULL; 3097 } 3098 3099 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3100 { 3101 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3102 int i; 3103 3104 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3105 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode); 3106 return; 3107 } 3108 3109 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 3110 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) { 3111 BT_DBG("%s bad parameters", hdev->name); 3112 return; 3113 } 3114 3115 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3116 ev->num_hndl); 3117 3118 for (i = 0; i < ev->num_hndl; i++) { 3119 struct hci_comp_blocks_info *info = &ev->handles[i]; 3120 struct hci_conn *conn = NULL; 3121 __u16 handle, block_count; 3122 3123 handle = __le16_to_cpu(info->handle); 3124 block_count = __le16_to_cpu(info->blocks); 3125 3126 conn = __hci_conn_lookup_handle(hdev, handle); 3127 if (!conn) 3128 continue; 3129 3130 conn->sent -= block_count; 3131 3132 switch (conn->type) { 3133 case ACL_LINK: 3134 case AMP_LINK: 3135 hdev->block_cnt += block_count; 3136 if (hdev->block_cnt > hdev->num_blocks) 3137 hdev->block_cnt = hdev->num_blocks; 3138 break; 3139 3140 default: 3141 BT_ERR("Unknown type %d conn %p", conn->type, conn); 3142 break; 3143 } 3144 } 3145 3146 queue_work(hdev->workqueue, &hdev->tx_work); 3147 } 3148 3149 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3150 { 3151 struct hci_ev_mode_change *ev = (void *) skb->data; 3152 struct hci_conn *conn; 3153 3154 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3155 3156 hci_dev_lock(hdev); 3157 3158 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3159 if (conn) { 3160 conn->mode = ev->mode; 3161 3162 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3163 &conn->flags)) { 3164 if (conn->mode == HCI_CM_ACTIVE) 3165 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3166 else 3167 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3168 } 3169 3170 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3171 hci_sco_setup(conn, ev->status); 3172 } 3173 3174 hci_dev_unlock(hdev); 3175 } 3176 3177 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3178 { 3179 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3180 struct hci_conn *conn; 3181 3182 BT_DBG("%s", hdev->name); 3183 3184 hci_dev_lock(hdev); 3185 3186 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3187 if (!conn) 3188 goto unlock; 3189 3190 if (conn->state == BT_CONNECTED) { 3191 hci_conn_hold(conn); 3192 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3193 hci_conn_drop(conn); 3194 } 3195 3196 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) && 3197 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3198 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3199 sizeof(ev->bdaddr), &ev->bdaddr); 3200 } else if (test_bit(HCI_MGMT, &hdev->dev_flags)) { 3201 u8 secure; 3202 3203 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3204 secure = 1; 3205 else 3206 secure = 0; 3207 3208 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3209 } 3210 3211 unlock: 3212 hci_dev_unlock(hdev); 3213 } 3214 3215 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3216 { 3217 if (key_type == HCI_LK_CHANGED_COMBINATION) 3218 return; 3219 3220 conn->pin_length = pin_len; 3221 conn->key_type = key_type; 3222 3223 switch (key_type) { 3224 case HCI_LK_LOCAL_UNIT: 3225 case HCI_LK_REMOTE_UNIT: 3226 case HCI_LK_DEBUG_COMBINATION: 3227 return; 3228 case HCI_LK_COMBINATION: 3229 if (pin_len == 16) 3230 conn->pending_sec_level = BT_SECURITY_HIGH; 3231 else 3232 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3233 break; 3234 case HCI_LK_UNAUTH_COMBINATION_P192: 3235 case HCI_LK_UNAUTH_COMBINATION_P256: 3236 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3237 break; 3238 case HCI_LK_AUTH_COMBINATION_P192: 3239 conn->pending_sec_level = BT_SECURITY_HIGH; 3240 break; 3241 case HCI_LK_AUTH_COMBINATION_P256: 3242 conn->pending_sec_level = BT_SECURITY_FIPS; 3243 break; 3244 } 3245 } 3246 3247 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3248 { 3249 struct hci_ev_link_key_req *ev = (void *) skb->data; 3250 struct hci_cp_link_key_reply cp; 3251 struct hci_conn *conn; 3252 struct link_key *key; 3253 3254 BT_DBG("%s", hdev->name); 3255 3256 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3257 return; 3258 3259 hci_dev_lock(hdev); 3260 3261 key = hci_find_link_key(hdev, &ev->bdaddr); 3262 if (!key) { 3263 BT_DBG("%s link key not found for %pMR", hdev->name, 3264 &ev->bdaddr); 3265 goto not_found; 3266 } 3267 3268 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3269 &ev->bdaddr); 3270 3271 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3272 if (conn) { 3273 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3274 3275 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3276 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3277 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3278 BT_DBG("%s ignoring unauthenticated key", hdev->name); 3279 goto not_found; 3280 } 3281 3282 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3283 (conn->pending_sec_level == BT_SECURITY_HIGH || 3284 conn->pending_sec_level == BT_SECURITY_FIPS)) { 3285 BT_DBG("%s ignoring key unauthenticated for high security", 3286 hdev->name); 3287 goto not_found; 3288 } 3289 3290 conn_set_key(conn, key->type, key->pin_len); 3291 } 3292 3293 bacpy(&cp.bdaddr, &ev->bdaddr); 3294 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 3295 3296 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 3297 3298 hci_dev_unlock(hdev); 3299 3300 return; 3301 3302 not_found: 3303 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 3304 hci_dev_unlock(hdev); 3305 } 3306 3307 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3308 { 3309 struct hci_ev_link_key_notify *ev = (void *) skb->data; 3310 struct hci_conn *conn; 3311 struct link_key *key; 3312 bool persistent; 3313 u8 pin_len = 0; 3314 3315 BT_DBG("%s", hdev->name); 3316 3317 hci_dev_lock(hdev); 3318 3319 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3320 if (!conn) 3321 goto unlock; 3322 3323 hci_conn_hold(conn); 3324 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3325 hci_conn_drop(conn); 3326 3327 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3328 conn_set_key(conn, ev->key_type, conn->pin_length); 3329 3330 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3331 goto unlock; 3332 3333 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 3334 ev->key_type, pin_len, &persistent); 3335 if (!key) 3336 goto unlock; 3337 3338 /* Update connection information since adding the key will have 3339 * fixed up the type in the case of changed combination keys. 3340 */ 3341 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 3342 conn_set_key(conn, key->type, key->pin_len); 3343 3344 mgmt_new_link_key(hdev, key, persistent); 3345 3346 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 3347 * is set. If it's not set simply remove the key from the kernel 3348 * list (we've still notified user space about it but with 3349 * store_hint being 0). 3350 */ 3351 if (key->type == HCI_LK_DEBUG_COMBINATION && 3352 !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) { 3353 list_del_rcu(&key->list); 3354 kfree_rcu(key, rcu); 3355 goto unlock; 3356 } 3357 3358 if (persistent) 3359 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3360 else 3361 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3362 3363 unlock: 3364 hci_dev_unlock(hdev); 3365 } 3366 3367 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 3368 { 3369 struct hci_ev_clock_offset *ev = (void *) skb->data; 3370 struct hci_conn *conn; 3371 3372 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3373 3374 hci_dev_lock(hdev); 3375 3376 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3377 if (conn && !ev->status) { 3378 struct inquiry_entry *ie; 3379 3380 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3381 if (ie) { 3382 ie->data.clock_offset = ev->clock_offset; 3383 ie->timestamp = jiffies; 3384 } 3385 } 3386 3387 hci_dev_unlock(hdev); 3388 } 3389 3390 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3391 { 3392 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 3393 struct hci_conn *conn; 3394 3395 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3396 3397 hci_dev_lock(hdev); 3398 3399 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3400 if (conn && !ev->status) 3401 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 3402 3403 hci_dev_unlock(hdev); 3404 } 3405 3406 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 3407 { 3408 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 3409 struct inquiry_entry *ie; 3410 3411 BT_DBG("%s", hdev->name); 3412 3413 hci_dev_lock(hdev); 3414 3415 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3416 if (ie) { 3417 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 3418 ie->timestamp = jiffies; 3419 } 3420 3421 hci_dev_unlock(hdev); 3422 } 3423 3424 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 3425 struct sk_buff *skb) 3426 { 3427 struct inquiry_data data; 3428 int num_rsp = *((__u8 *) skb->data); 3429 3430 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3431 3432 if (!num_rsp) 3433 return; 3434 3435 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) 3436 return; 3437 3438 hci_dev_lock(hdev); 3439 3440 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 3441 struct inquiry_info_with_rssi_and_pscan_mode *info; 3442 info = (void *) (skb->data + 1); 3443 3444 for (; num_rsp; num_rsp--, info++) { 3445 u32 flags; 3446 3447 bacpy(&data.bdaddr, &info->bdaddr); 3448 data.pscan_rep_mode = info->pscan_rep_mode; 3449 data.pscan_period_mode = info->pscan_period_mode; 3450 data.pscan_mode = info->pscan_mode; 3451 memcpy(data.dev_class, info->dev_class, 3); 3452 data.clock_offset = info->clock_offset; 3453 data.rssi = info->rssi; 3454 data.ssp_mode = 0x00; 3455 3456 flags = hci_inquiry_cache_update(hdev, &data, false); 3457 3458 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3459 info->dev_class, info->rssi, 3460 flags, NULL, 0, NULL, 0); 3461 } 3462 } else { 3463 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 3464 3465 for (; num_rsp; num_rsp--, info++) { 3466 u32 flags; 3467 3468 bacpy(&data.bdaddr, &info->bdaddr); 3469 data.pscan_rep_mode = info->pscan_rep_mode; 3470 data.pscan_period_mode = info->pscan_period_mode; 3471 data.pscan_mode = 0x00; 3472 memcpy(data.dev_class, info->dev_class, 3); 3473 data.clock_offset = info->clock_offset; 3474 data.rssi = info->rssi; 3475 data.ssp_mode = 0x00; 3476 3477 flags = hci_inquiry_cache_update(hdev, &data, false); 3478 3479 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3480 info->dev_class, info->rssi, 3481 flags, NULL, 0, NULL, 0); 3482 } 3483 } 3484 3485 hci_dev_unlock(hdev); 3486 } 3487 3488 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 3489 struct sk_buff *skb) 3490 { 3491 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 3492 struct hci_conn *conn; 3493 3494 BT_DBG("%s", hdev->name); 3495 3496 hci_dev_lock(hdev); 3497 3498 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3499 if (!conn) 3500 goto unlock; 3501 3502 if (ev->page < HCI_MAX_PAGES) 3503 memcpy(conn->features[ev->page], ev->features, 8); 3504 3505 if (!ev->status && ev->page == 0x01) { 3506 struct inquiry_entry *ie; 3507 3508 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3509 if (ie) 3510 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3511 3512 if (ev->features[0] & LMP_HOST_SSP) { 3513 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3514 } else { 3515 /* It is mandatory by the Bluetooth specification that 3516 * Extended Inquiry Results are only used when Secure 3517 * Simple Pairing is enabled, but some devices violate 3518 * this. 3519 * 3520 * To make these devices work, the internal SSP 3521 * enabled flag needs to be cleared if the remote host 3522 * features do not indicate SSP support */ 3523 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3524 } 3525 3526 if (ev->features[0] & LMP_HOST_SC) 3527 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 3528 } 3529 3530 if (conn->state != BT_CONFIG) 3531 goto unlock; 3532 3533 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3534 struct hci_cp_remote_name_req cp; 3535 memset(&cp, 0, sizeof(cp)); 3536 bacpy(&cp.bdaddr, &conn->dst); 3537 cp.pscan_rep_mode = 0x02; 3538 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3539 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3540 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3541 3542 if (!hci_outgoing_auth_needed(hdev, conn)) { 3543 conn->state = BT_CONNECTED; 3544 hci_proto_connect_cfm(conn, ev->status); 3545 hci_conn_drop(conn); 3546 } 3547 3548 unlock: 3549 hci_dev_unlock(hdev); 3550 } 3551 3552 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 3553 struct sk_buff *skb) 3554 { 3555 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 3556 struct hci_conn *conn; 3557 3558 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3559 3560 hci_dev_lock(hdev); 3561 3562 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3563 if (!conn) { 3564 if (ev->link_type == ESCO_LINK) 3565 goto unlock; 3566 3567 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 3568 if (!conn) 3569 goto unlock; 3570 3571 conn->type = SCO_LINK; 3572 } 3573 3574 switch (ev->status) { 3575 case 0x00: 3576 conn->handle = __le16_to_cpu(ev->handle); 3577 conn->state = BT_CONNECTED; 3578 3579 hci_conn_add_sysfs(conn); 3580 break; 3581 3582 case 0x10: /* Connection Accept Timeout */ 3583 case 0x0d: /* Connection Rejected due to Limited Resources */ 3584 case 0x11: /* Unsupported Feature or Parameter Value */ 3585 case 0x1c: /* SCO interval rejected */ 3586 case 0x1a: /* Unsupported Remote Feature */ 3587 case 0x1f: /* Unspecified error */ 3588 case 0x20: /* Unsupported LMP Parameter value */ 3589 if (conn->out) { 3590 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 3591 (hdev->esco_type & EDR_ESCO_MASK); 3592 if (hci_setup_sync(conn, conn->link->handle)) 3593 goto unlock; 3594 } 3595 /* fall through */ 3596 3597 default: 3598 conn->state = BT_CLOSED; 3599 break; 3600 } 3601 3602 hci_proto_connect_cfm(conn, ev->status); 3603 if (ev->status) 3604 hci_conn_del(conn); 3605 3606 unlock: 3607 hci_dev_unlock(hdev); 3608 } 3609 3610 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 3611 { 3612 size_t parsed = 0; 3613 3614 while (parsed < eir_len) { 3615 u8 field_len = eir[0]; 3616 3617 if (field_len == 0) 3618 return parsed; 3619 3620 parsed += field_len + 1; 3621 eir += field_len + 1; 3622 } 3623 3624 return eir_len; 3625 } 3626 3627 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 3628 struct sk_buff *skb) 3629 { 3630 struct inquiry_data data; 3631 struct extended_inquiry_info *info = (void *) (skb->data + 1); 3632 int num_rsp = *((__u8 *) skb->data); 3633 size_t eir_len; 3634 3635 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3636 3637 if (!num_rsp) 3638 return; 3639 3640 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) 3641 return; 3642 3643 hci_dev_lock(hdev); 3644 3645 for (; num_rsp; num_rsp--, info++) { 3646 u32 flags; 3647 bool name_known; 3648 3649 bacpy(&data.bdaddr, &info->bdaddr); 3650 data.pscan_rep_mode = info->pscan_rep_mode; 3651 data.pscan_period_mode = info->pscan_period_mode; 3652 data.pscan_mode = 0x00; 3653 memcpy(data.dev_class, info->dev_class, 3); 3654 data.clock_offset = info->clock_offset; 3655 data.rssi = info->rssi; 3656 data.ssp_mode = 0x01; 3657 3658 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3659 name_known = eir_has_data_type(info->data, 3660 sizeof(info->data), 3661 EIR_NAME_COMPLETE); 3662 else 3663 name_known = true; 3664 3665 flags = hci_inquiry_cache_update(hdev, &data, name_known); 3666 3667 eir_len = eir_get_length(info->data, sizeof(info->data)); 3668 3669 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3670 info->dev_class, info->rssi, 3671 flags, info->data, eir_len, NULL, 0); 3672 } 3673 3674 hci_dev_unlock(hdev); 3675 } 3676 3677 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 3678 struct sk_buff *skb) 3679 { 3680 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 3681 struct hci_conn *conn; 3682 3683 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 3684 __le16_to_cpu(ev->handle)); 3685 3686 hci_dev_lock(hdev); 3687 3688 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3689 if (!conn) 3690 goto unlock; 3691 3692 /* For BR/EDR the necessary steps are taken through the 3693 * auth_complete event. 3694 */ 3695 if (conn->type != LE_LINK) 3696 goto unlock; 3697 3698 if (!ev->status) 3699 conn->sec_level = conn->pending_sec_level; 3700 3701 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3702 3703 if (ev->status && conn->state == BT_CONNECTED) { 3704 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3705 hci_conn_drop(conn); 3706 goto unlock; 3707 } 3708 3709 if (conn->state == BT_CONFIG) { 3710 if (!ev->status) 3711 conn->state = BT_CONNECTED; 3712 3713 hci_proto_connect_cfm(conn, ev->status); 3714 hci_conn_drop(conn); 3715 } else { 3716 hci_auth_cfm(conn, ev->status); 3717 3718 hci_conn_hold(conn); 3719 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3720 hci_conn_drop(conn); 3721 } 3722 3723 unlock: 3724 hci_dev_unlock(hdev); 3725 } 3726 3727 static u8 hci_get_auth_req(struct hci_conn *conn) 3728 { 3729 /* If remote requests no-bonding follow that lead */ 3730 if (conn->remote_auth == HCI_AT_NO_BONDING || 3731 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 3732 return conn->remote_auth | (conn->auth_type & 0x01); 3733 3734 /* If both remote and local have enough IO capabilities, require 3735 * MITM protection 3736 */ 3737 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 3738 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 3739 return conn->remote_auth | 0x01; 3740 3741 /* No MITM protection possible so ignore remote requirement */ 3742 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 3743 } 3744 3745 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3746 { 3747 struct hci_ev_io_capa_request *ev = (void *) skb->data; 3748 struct hci_conn *conn; 3749 3750 BT_DBG("%s", hdev->name); 3751 3752 hci_dev_lock(hdev); 3753 3754 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3755 if (!conn) 3756 goto unlock; 3757 3758 hci_conn_hold(conn); 3759 3760 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3761 goto unlock; 3762 3763 /* Allow pairing if we're pairable, the initiators of the 3764 * pairing or if the remote is not requesting bonding. 3765 */ 3766 if (test_bit(HCI_BONDABLE, &hdev->dev_flags) || 3767 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 3768 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 3769 struct hci_cp_io_capability_reply cp; 3770 3771 bacpy(&cp.bdaddr, &ev->bdaddr); 3772 /* Change the IO capability from KeyboardDisplay 3773 * to DisplayYesNo as it is not supported by BT spec. */ 3774 cp.capability = (conn->io_capability == 0x04) ? 3775 HCI_IO_DISPLAY_YESNO : conn->io_capability; 3776 3777 /* If we are initiators, there is no remote information yet */ 3778 if (conn->remote_auth == 0xff) { 3779 /* Request MITM protection if our IO caps allow it 3780 * except for the no-bonding case. 3781 */ 3782 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 3783 conn->auth_type != HCI_AT_NO_BONDING) 3784 conn->auth_type |= 0x01; 3785 } else { 3786 conn->auth_type = hci_get_auth_req(conn); 3787 } 3788 3789 /* If we're not bondable, force one of the non-bondable 3790 * authentication requirement values. 3791 */ 3792 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags)) 3793 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 3794 3795 cp.authentication = conn->auth_type; 3796 3797 if (hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR) && 3798 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))) 3799 cp.oob_data = 0x01; 3800 else 3801 cp.oob_data = 0x00; 3802 3803 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 3804 sizeof(cp), &cp); 3805 } else { 3806 struct hci_cp_io_capability_neg_reply cp; 3807 3808 bacpy(&cp.bdaddr, &ev->bdaddr); 3809 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 3810 3811 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 3812 sizeof(cp), &cp); 3813 } 3814 3815 unlock: 3816 hci_dev_unlock(hdev); 3817 } 3818 3819 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 3820 { 3821 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 3822 struct hci_conn *conn; 3823 3824 BT_DBG("%s", hdev->name); 3825 3826 hci_dev_lock(hdev); 3827 3828 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3829 if (!conn) 3830 goto unlock; 3831 3832 conn->remote_cap = ev->capability; 3833 conn->remote_auth = ev->authentication; 3834 if (ev->oob_data) 3835 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags); 3836 3837 unlock: 3838 hci_dev_unlock(hdev); 3839 } 3840 3841 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 3842 struct sk_buff *skb) 3843 { 3844 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 3845 int loc_mitm, rem_mitm, confirm_hint = 0; 3846 struct hci_conn *conn; 3847 3848 BT_DBG("%s", hdev->name); 3849 3850 hci_dev_lock(hdev); 3851 3852 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3853 goto unlock; 3854 3855 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3856 if (!conn) 3857 goto unlock; 3858 3859 loc_mitm = (conn->auth_type & 0x01); 3860 rem_mitm = (conn->remote_auth & 0x01); 3861 3862 /* If we require MITM but the remote device can't provide that 3863 * (it has NoInputNoOutput) then reject the confirmation 3864 * request. We check the security level here since it doesn't 3865 * necessarily match conn->auth_type. 3866 */ 3867 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 3868 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 3869 BT_DBG("Rejecting request: remote device can't provide MITM"); 3870 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 3871 sizeof(ev->bdaddr), &ev->bdaddr); 3872 goto unlock; 3873 } 3874 3875 /* If no side requires MITM protection; auto-accept */ 3876 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 3877 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 3878 3879 /* If we're not the initiators request authorization to 3880 * proceed from user space (mgmt_user_confirm with 3881 * confirm_hint set to 1). The exception is if neither 3882 * side had MITM or if the local IO capability is 3883 * NoInputNoOutput, in which case we do auto-accept 3884 */ 3885 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 3886 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 3887 (loc_mitm || rem_mitm)) { 3888 BT_DBG("Confirming auto-accept as acceptor"); 3889 confirm_hint = 1; 3890 goto confirm; 3891 } 3892 3893 BT_DBG("Auto-accept of user confirmation with %ums delay", 3894 hdev->auto_accept_delay); 3895 3896 if (hdev->auto_accept_delay > 0) { 3897 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 3898 queue_delayed_work(conn->hdev->workqueue, 3899 &conn->auto_accept_work, delay); 3900 goto unlock; 3901 } 3902 3903 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 3904 sizeof(ev->bdaddr), &ev->bdaddr); 3905 goto unlock; 3906 } 3907 3908 confirm: 3909 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 3910 le32_to_cpu(ev->passkey), confirm_hint); 3911 3912 unlock: 3913 hci_dev_unlock(hdev); 3914 } 3915 3916 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 3917 struct sk_buff *skb) 3918 { 3919 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 3920 3921 BT_DBG("%s", hdev->name); 3922 3923 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3924 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 3925 } 3926 3927 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 3928 struct sk_buff *skb) 3929 { 3930 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 3931 struct hci_conn *conn; 3932 3933 BT_DBG("%s", hdev->name); 3934 3935 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3936 if (!conn) 3937 return; 3938 3939 conn->passkey_notify = __le32_to_cpu(ev->passkey); 3940 conn->passkey_entered = 0; 3941 3942 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3943 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 3944 conn->dst_type, conn->passkey_notify, 3945 conn->passkey_entered); 3946 } 3947 3948 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3949 { 3950 struct hci_ev_keypress_notify *ev = (void *) skb->data; 3951 struct hci_conn *conn; 3952 3953 BT_DBG("%s", hdev->name); 3954 3955 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3956 if (!conn) 3957 return; 3958 3959 switch (ev->type) { 3960 case HCI_KEYPRESS_STARTED: 3961 conn->passkey_entered = 0; 3962 return; 3963 3964 case HCI_KEYPRESS_ENTERED: 3965 conn->passkey_entered++; 3966 break; 3967 3968 case HCI_KEYPRESS_ERASED: 3969 conn->passkey_entered--; 3970 break; 3971 3972 case HCI_KEYPRESS_CLEARED: 3973 conn->passkey_entered = 0; 3974 break; 3975 3976 case HCI_KEYPRESS_COMPLETED: 3977 return; 3978 } 3979 3980 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3981 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 3982 conn->dst_type, conn->passkey_notify, 3983 conn->passkey_entered); 3984 } 3985 3986 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 3987 struct sk_buff *skb) 3988 { 3989 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 3990 struct hci_conn *conn; 3991 3992 BT_DBG("%s", hdev->name); 3993 3994 hci_dev_lock(hdev); 3995 3996 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3997 if (!conn) 3998 goto unlock; 3999 4000 /* Reset the authentication requirement to unknown */ 4001 conn->remote_auth = 0xff; 4002 4003 /* To avoid duplicate auth_failed events to user space we check 4004 * the HCI_CONN_AUTH_PEND flag which will be set if we 4005 * initiated the authentication. A traditional auth_complete 4006 * event gets always produced as initiator and is also mapped to 4007 * the mgmt_auth_failed event */ 4008 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4009 mgmt_auth_failed(conn, ev->status); 4010 4011 hci_conn_drop(conn); 4012 4013 unlock: 4014 hci_dev_unlock(hdev); 4015 } 4016 4017 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4018 struct sk_buff *skb) 4019 { 4020 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4021 struct inquiry_entry *ie; 4022 struct hci_conn *conn; 4023 4024 BT_DBG("%s", hdev->name); 4025 4026 hci_dev_lock(hdev); 4027 4028 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4029 if (conn) 4030 memcpy(conn->features[1], ev->features, 8); 4031 4032 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4033 if (ie) 4034 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4035 4036 hci_dev_unlock(hdev); 4037 } 4038 4039 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4040 struct sk_buff *skb) 4041 { 4042 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4043 struct oob_data *data; 4044 4045 BT_DBG("%s", hdev->name); 4046 4047 hci_dev_lock(hdev); 4048 4049 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 4050 goto unlock; 4051 4052 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4053 if (data) { 4054 if (bredr_sc_enabled(hdev)) { 4055 struct hci_cp_remote_oob_ext_data_reply cp; 4056 4057 bacpy(&cp.bdaddr, &ev->bdaddr); 4058 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4059 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4060 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4061 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4062 4063 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4064 sizeof(cp), &cp); 4065 } else { 4066 struct hci_cp_remote_oob_data_reply cp; 4067 4068 bacpy(&cp.bdaddr, &ev->bdaddr); 4069 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4070 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4071 4072 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4073 sizeof(cp), &cp); 4074 } 4075 } else { 4076 struct hci_cp_remote_oob_data_neg_reply cp; 4077 4078 bacpy(&cp.bdaddr, &ev->bdaddr); 4079 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4080 sizeof(cp), &cp); 4081 } 4082 4083 unlock: 4084 hci_dev_unlock(hdev); 4085 } 4086 4087 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4088 struct sk_buff *skb) 4089 { 4090 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4091 struct hci_conn *hcon, *bredr_hcon; 4092 4093 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4094 ev->status); 4095 4096 hci_dev_lock(hdev); 4097 4098 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4099 if (!hcon) { 4100 hci_dev_unlock(hdev); 4101 return; 4102 } 4103 4104 if (ev->status) { 4105 hci_conn_del(hcon); 4106 hci_dev_unlock(hdev); 4107 return; 4108 } 4109 4110 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4111 4112 hcon->state = BT_CONNECTED; 4113 bacpy(&hcon->dst, &bredr_hcon->dst); 4114 4115 hci_conn_hold(hcon); 4116 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4117 hci_conn_drop(hcon); 4118 4119 hci_conn_add_sysfs(hcon); 4120 4121 amp_physical_cfm(bredr_hcon, hcon); 4122 4123 hci_dev_unlock(hdev); 4124 } 4125 4126 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4127 { 4128 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4129 struct hci_conn *hcon; 4130 struct hci_chan *hchan; 4131 struct amp_mgr *mgr; 4132 4133 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4134 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4135 ev->status); 4136 4137 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4138 if (!hcon) 4139 return; 4140 4141 /* Create AMP hchan */ 4142 hchan = hci_chan_create(hcon); 4143 if (!hchan) 4144 return; 4145 4146 hchan->handle = le16_to_cpu(ev->handle); 4147 4148 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4149 4150 mgr = hcon->amp_mgr; 4151 if (mgr && mgr->bredr_chan) { 4152 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4153 4154 l2cap_chan_lock(bredr_chan); 4155 4156 bredr_chan->conn->mtu = hdev->block_mtu; 4157 l2cap_logical_cfm(bredr_chan, hchan, 0); 4158 hci_conn_hold(hcon); 4159 4160 l2cap_chan_unlock(bredr_chan); 4161 } 4162 } 4163 4164 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 4165 struct sk_buff *skb) 4166 { 4167 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 4168 struct hci_chan *hchan; 4169 4170 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 4171 le16_to_cpu(ev->handle), ev->status); 4172 4173 if (ev->status) 4174 return; 4175 4176 hci_dev_lock(hdev); 4177 4178 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 4179 if (!hchan) 4180 goto unlock; 4181 4182 amp_destroy_logical_link(hchan, ev->reason); 4183 4184 unlock: 4185 hci_dev_unlock(hdev); 4186 } 4187 4188 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 4189 struct sk_buff *skb) 4190 { 4191 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 4192 struct hci_conn *hcon; 4193 4194 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4195 4196 if (ev->status) 4197 return; 4198 4199 hci_dev_lock(hdev); 4200 4201 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4202 if (hcon) { 4203 hcon->state = BT_CLOSED; 4204 hci_conn_del(hcon); 4205 } 4206 4207 hci_dev_unlock(hdev); 4208 } 4209 4210 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4211 { 4212 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 4213 struct hci_conn_params *params; 4214 struct hci_conn *conn; 4215 struct smp_irk *irk; 4216 u8 addr_type; 4217 4218 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4219 4220 hci_dev_lock(hdev); 4221 4222 /* All controllers implicitly stop advertising in the event of a 4223 * connection, so ensure that the state bit is cleared. 4224 */ 4225 clear_bit(HCI_LE_ADV, &hdev->dev_flags); 4226 4227 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 4228 if (!conn) { 4229 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role); 4230 if (!conn) { 4231 BT_ERR("No memory for new connection"); 4232 goto unlock; 4233 } 4234 4235 conn->dst_type = ev->bdaddr_type; 4236 4237 /* If we didn't have a hci_conn object previously 4238 * but we're in master role this must be something 4239 * initiated using a white list. Since white list based 4240 * connections are not "first class citizens" we don't 4241 * have full tracking of them. Therefore, we go ahead 4242 * with a "best effort" approach of determining the 4243 * initiator address based on the HCI_PRIVACY flag. 4244 */ 4245 if (conn->out) { 4246 conn->resp_addr_type = ev->bdaddr_type; 4247 bacpy(&conn->resp_addr, &ev->bdaddr); 4248 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) { 4249 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 4250 bacpy(&conn->init_addr, &hdev->rpa); 4251 } else { 4252 hci_copy_identity_address(hdev, 4253 &conn->init_addr, 4254 &conn->init_addr_type); 4255 } 4256 } 4257 } else { 4258 cancel_delayed_work(&conn->le_conn_timeout); 4259 } 4260 4261 if (!conn->out) { 4262 /* Set the responder (our side) address type based on 4263 * the advertising address type. 4264 */ 4265 conn->resp_addr_type = hdev->adv_addr_type; 4266 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) 4267 bacpy(&conn->resp_addr, &hdev->random_addr); 4268 else 4269 bacpy(&conn->resp_addr, &hdev->bdaddr); 4270 4271 conn->init_addr_type = ev->bdaddr_type; 4272 bacpy(&conn->init_addr, &ev->bdaddr); 4273 4274 /* For incoming connections, set the default minimum 4275 * and maximum connection interval. They will be used 4276 * to check if the parameters are in range and if not 4277 * trigger the connection update procedure. 4278 */ 4279 conn->le_conn_min_interval = hdev->le_conn_min_interval; 4280 conn->le_conn_max_interval = hdev->le_conn_max_interval; 4281 } 4282 4283 /* Lookup the identity address from the stored connection 4284 * address and address type. 4285 * 4286 * When establishing connections to an identity address, the 4287 * connection procedure will store the resolvable random 4288 * address first. Now if it can be converted back into the 4289 * identity address, start using the identity address from 4290 * now on. 4291 */ 4292 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 4293 if (irk) { 4294 bacpy(&conn->dst, &irk->bdaddr); 4295 conn->dst_type = irk->addr_type; 4296 } 4297 4298 if (ev->status) { 4299 hci_le_conn_failed(conn, ev->status); 4300 goto unlock; 4301 } 4302 4303 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 4304 addr_type = BDADDR_LE_PUBLIC; 4305 else 4306 addr_type = BDADDR_LE_RANDOM; 4307 4308 /* Drop the connection if the device is blocked */ 4309 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 4310 hci_conn_drop(conn); 4311 goto unlock; 4312 } 4313 4314 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4315 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4316 4317 conn->sec_level = BT_SECURITY_LOW; 4318 conn->handle = __le16_to_cpu(ev->handle); 4319 conn->state = BT_CONNECTED; 4320 4321 conn->le_conn_interval = le16_to_cpu(ev->interval); 4322 conn->le_conn_latency = le16_to_cpu(ev->latency); 4323 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 4324 4325 hci_conn_add_sysfs(conn); 4326 4327 hci_proto_connect_cfm(conn, ev->status); 4328 4329 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 4330 conn->dst_type); 4331 if (params) { 4332 list_del_init(¶ms->action); 4333 if (params->conn) { 4334 hci_conn_drop(params->conn); 4335 hci_conn_put(params->conn); 4336 params->conn = NULL; 4337 } 4338 } 4339 4340 unlock: 4341 hci_update_background_scan(hdev); 4342 hci_dev_unlock(hdev); 4343 } 4344 4345 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 4346 struct sk_buff *skb) 4347 { 4348 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 4349 struct hci_conn *conn; 4350 4351 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4352 4353 if (ev->status) 4354 return; 4355 4356 hci_dev_lock(hdev); 4357 4358 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4359 if (conn) { 4360 conn->le_conn_interval = le16_to_cpu(ev->interval); 4361 conn->le_conn_latency = le16_to_cpu(ev->latency); 4362 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 4363 } 4364 4365 hci_dev_unlock(hdev); 4366 } 4367 4368 /* This function requires the caller holds hdev->lock */ 4369 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 4370 bdaddr_t *addr, 4371 u8 addr_type, u8 adv_type) 4372 { 4373 struct hci_conn *conn; 4374 struct hci_conn_params *params; 4375 4376 /* If the event is not connectable don't proceed further */ 4377 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 4378 return NULL; 4379 4380 /* Ignore if the device is blocked */ 4381 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 4382 return NULL; 4383 4384 /* Most controller will fail if we try to create new connections 4385 * while we have an existing one in slave role. 4386 */ 4387 if (hdev->conn_hash.le_num_slave > 0) 4388 return NULL; 4389 4390 /* If we're not connectable only connect devices that we have in 4391 * our pend_le_conns list. 4392 */ 4393 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, 4394 addr, addr_type); 4395 if (!params) 4396 return NULL; 4397 4398 switch (params->auto_connect) { 4399 case HCI_AUTO_CONN_DIRECT: 4400 /* Only devices advertising with ADV_DIRECT_IND are 4401 * triggering a connection attempt. This is allowing 4402 * incoming connections from slave devices. 4403 */ 4404 if (adv_type != LE_ADV_DIRECT_IND) 4405 return NULL; 4406 break; 4407 case HCI_AUTO_CONN_ALWAYS: 4408 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 4409 * are triggering a connection attempt. This means 4410 * that incoming connectioms from slave device are 4411 * accepted and also outgoing connections to slave 4412 * devices are established when found. 4413 */ 4414 break; 4415 default: 4416 return NULL; 4417 } 4418 4419 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 4420 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER); 4421 if (!IS_ERR(conn)) { 4422 /* Store the pointer since we don't really have any 4423 * other owner of the object besides the params that 4424 * triggered it. This way we can abort the connection if 4425 * the parameters get removed and keep the reference 4426 * count consistent once the connection is established. 4427 */ 4428 params->conn = hci_conn_get(conn); 4429 return conn; 4430 } 4431 4432 switch (PTR_ERR(conn)) { 4433 case -EBUSY: 4434 /* If hci_connect() returns -EBUSY it means there is already 4435 * an LE connection attempt going on. Since controllers don't 4436 * support more than one connection attempt at the time, we 4437 * don't consider this an error case. 4438 */ 4439 break; 4440 default: 4441 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 4442 return NULL; 4443 } 4444 4445 return NULL; 4446 } 4447 4448 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 4449 u8 bdaddr_type, bdaddr_t *direct_addr, 4450 u8 direct_addr_type, s8 rssi, u8 *data, u8 len) 4451 { 4452 struct discovery_state *d = &hdev->discovery; 4453 struct smp_irk *irk; 4454 struct hci_conn *conn; 4455 bool match; 4456 u32 flags; 4457 4458 /* If the direct address is present, then this report is from 4459 * a LE Direct Advertising Report event. In that case it is 4460 * important to see if the address is matching the local 4461 * controller address. 4462 */ 4463 if (direct_addr) { 4464 /* Only resolvable random addresses are valid for these 4465 * kind of reports and others can be ignored. 4466 */ 4467 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 4468 return; 4469 4470 /* If the controller is not using resolvable random 4471 * addresses, then this report can be ignored. 4472 */ 4473 if (!test_bit(HCI_PRIVACY, &hdev->dev_flags)) 4474 return; 4475 4476 /* If the local IRK of the controller does not match 4477 * with the resolvable random address provided, then 4478 * this report can be ignored. 4479 */ 4480 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 4481 return; 4482 } 4483 4484 /* Check if we need to convert to identity address */ 4485 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 4486 if (irk) { 4487 bdaddr = &irk->bdaddr; 4488 bdaddr_type = irk->addr_type; 4489 } 4490 4491 /* Check if we have been requested to connect to this device */ 4492 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type); 4493 if (conn && type == LE_ADV_IND) { 4494 /* Store report for later inclusion by 4495 * mgmt_device_connected 4496 */ 4497 memcpy(conn->le_adv_data, data, len); 4498 conn->le_adv_data_len = len; 4499 } 4500 4501 /* Passive scanning shouldn't trigger any device found events, 4502 * except for devices marked as CONN_REPORT for which we do send 4503 * device found events. 4504 */ 4505 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 4506 if (type == LE_ADV_DIRECT_IND) 4507 return; 4508 4509 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 4510 bdaddr, bdaddr_type)) 4511 return; 4512 4513 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 4514 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 4515 else 4516 flags = 0; 4517 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4518 rssi, flags, data, len, NULL, 0); 4519 return; 4520 } 4521 4522 /* When receiving non-connectable or scannable undirected 4523 * advertising reports, this means that the remote device is 4524 * not connectable and then clearly indicate this in the 4525 * device found event. 4526 * 4527 * When receiving a scan response, then there is no way to 4528 * know if the remote device is connectable or not. However 4529 * since scan responses are merged with a previously seen 4530 * advertising report, the flags field from that report 4531 * will be used. 4532 * 4533 * In the really unlikely case that a controller get confused 4534 * and just sends a scan response event, then it is marked as 4535 * not connectable as well. 4536 */ 4537 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 4538 type == LE_ADV_SCAN_RSP) 4539 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 4540 else 4541 flags = 0; 4542 4543 /* If there's nothing pending either store the data from this 4544 * event or send an immediate device found event if the data 4545 * should not be stored for later. 4546 */ 4547 if (!has_pending_adv_report(hdev)) { 4548 /* If the report will trigger a SCAN_REQ store it for 4549 * later merging. 4550 */ 4551 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4552 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4553 rssi, flags, data, len); 4554 return; 4555 } 4556 4557 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4558 rssi, flags, data, len, NULL, 0); 4559 return; 4560 } 4561 4562 /* Check if the pending report is for the same device as the new one */ 4563 match = (!bacmp(bdaddr, &d->last_adv_addr) && 4564 bdaddr_type == d->last_adv_addr_type); 4565 4566 /* If the pending data doesn't match this report or this isn't a 4567 * scan response (e.g. we got a duplicate ADV_IND) then force 4568 * sending of the pending data. 4569 */ 4570 if (type != LE_ADV_SCAN_RSP || !match) { 4571 /* Send out whatever is in the cache, but skip duplicates */ 4572 if (!match) 4573 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4574 d->last_adv_addr_type, NULL, 4575 d->last_adv_rssi, d->last_adv_flags, 4576 d->last_adv_data, 4577 d->last_adv_data_len, NULL, 0); 4578 4579 /* If the new report will trigger a SCAN_REQ store it for 4580 * later merging. 4581 */ 4582 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4583 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4584 rssi, flags, data, len); 4585 return; 4586 } 4587 4588 /* The advertising reports cannot be merged, so clear 4589 * the pending report and send out a device found event. 4590 */ 4591 clear_pending_adv_report(hdev); 4592 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4593 rssi, flags, data, len, NULL, 0); 4594 return; 4595 } 4596 4597 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 4598 * the new event is a SCAN_RSP. We can therefore proceed with 4599 * sending a merged device found event. 4600 */ 4601 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4602 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 4603 d->last_adv_data, d->last_adv_data_len, data, len); 4604 clear_pending_adv_report(hdev); 4605 } 4606 4607 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 4608 { 4609 u8 num_reports = skb->data[0]; 4610 void *ptr = &skb->data[1]; 4611 4612 hci_dev_lock(hdev); 4613 4614 while (num_reports--) { 4615 struct hci_ev_le_advertising_info *ev = ptr; 4616 s8 rssi; 4617 4618 rssi = ev->data[ev->length]; 4619 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4620 ev->bdaddr_type, NULL, 0, rssi, 4621 ev->data, ev->length); 4622 4623 ptr += sizeof(*ev) + ev->length + 1; 4624 } 4625 4626 hci_dev_unlock(hdev); 4627 } 4628 4629 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4630 { 4631 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 4632 struct hci_cp_le_ltk_reply cp; 4633 struct hci_cp_le_ltk_neg_reply neg; 4634 struct hci_conn *conn; 4635 struct smp_ltk *ltk; 4636 4637 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 4638 4639 hci_dev_lock(hdev); 4640 4641 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4642 if (conn == NULL) 4643 goto not_found; 4644 4645 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 4646 if (!ltk) 4647 goto not_found; 4648 4649 if (smp_ltk_is_sc(ltk)) { 4650 /* With SC both EDiv and Rand are set to zero */ 4651 if (ev->ediv || ev->rand) 4652 goto not_found; 4653 } else { 4654 /* For non-SC keys check that EDiv and Rand match */ 4655 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 4656 goto not_found; 4657 } 4658 4659 memcpy(cp.ltk, ltk->val, sizeof(ltk->val)); 4660 cp.handle = cpu_to_le16(conn->handle); 4661 4662 conn->pending_sec_level = smp_ltk_sec_level(ltk); 4663 4664 conn->enc_key_size = ltk->enc_size; 4665 4666 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 4667 4668 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 4669 * temporary key used to encrypt a connection following 4670 * pairing. It is used during the Encrypted Session Setup to 4671 * distribute the keys. Later, security can be re-established 4672 * using a distributed LTK. 4673 */ 4674 if (ltk->type == SMP_STK) { 4675 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 4676 list_del_rcu(<k->list); 4677 kfree_rcu(ltk, rcu); 4678 } else { 4679 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 4680 } 4681 4682 hci_dev_unlock(hdev); 4683 4684 return; 4685 4686 not_found: 4687 neg.handle = ev->handle; 4688 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 4689 hci_dev_unlock(hdev); 4690 } 4691 4692 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 4693 u8 reason) 4694 { 4695 struct hci_cp_le_conn_param_req_neg_reply cp; 4696 4697 cp.handle = cpu_to_le16(handle); 4698 cp.reason = reason; 4699 4700 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 4701 &cp); 4702 } 4703 4704 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 4705 struct sk_buff *skb) 4706 { 4707 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 4708 struct hci_cp_le_conn_param_req_reply cp; 4709 struct hci_conn *hcon; 4710 u16 handle, min, max, latency, timeout; 4711 4712 handle = le16_to_cpu(ev->handle); 4713 min = le16_to_cpu(ev->interval_min); 4714 max = le16_to_cpu(ev->interval_max); 4715 latency = le16_to_cpu(ev->latency); 4716 timeout = le16_to_cpu(ev->timeout); 4717 4718 hcon = hci_conn_hash_lookup_handle(hdev, handle); 4719 if (!hcon || hcon->state != BT_CONNECTED) 4720 return send_conn_param_neg_reply(hdev, handle, 4721 HCI_ERROR_UNKNOWN_CONN_ID); 4722 4723 if (hci_check_conn_params(min, max, latency, timeout)) 4724 return send_conn_param_neg_reply(hdev, handle, 4725 HCI_ERROR_INVALID_LL_PARAMS); 4726 4727 if (hcon->role == HCI_ROLE_MASTER) { 4728 struct hci_conn_params *params; 4729 u8 store_hint; 4730 4731 hci_dev_lock(hdev); 4732 4733 params = hci_conn_params_lookup(hdev, &hcon->dst, 4734 hcon->dst_type); 4735 if (params) { 4736 params->conn_min_interval = min; 4737 params->conn_max_interval = max; 4738 params->conn_latency = latency; 4739 params->supervision_timeout = timeout; 4740 store_hint = 0x01; 4741 } else{ 4742 store_hint = 0x00; 4743 } 4744 4745 hci_dev_unlock(hdev); 4746 4747 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 4748 store_hint, min, max, latency, timeout); 4749 } 4750 4751 cp.handle = ev->handle; 4752 cp.interval_min = ev->interval_min; 4753 cp.interval_max = ev->interval_max; 4754 cp.latency = ev->latency; 4755 cp.timeout = ev->timeout; 4756 cp.min_ce_len = 0; 4757 cp.max_ce_len = 0; 4758 4759 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 4760 } 4761 4762 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 4763 struct sk_buff *skb) 4764 { 4765 u8 num_reports = skb->data[0]; 4766 void *ptr = &skb->data[1]; 4767 4768 hci_dev_lock(hdev); 4769 4770 while (num_reports--) { 4771 struct hci_ev_le_direct_adv_info *ev = ptr; 4772 4773 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4774 ev->bdaddr_type, &ev->direct_addr, 4775 ev->direct_addr_type, ev->rssi, NULL, 0); 4776 4777 ptr += sizeof(*ev); 4778 } 4779 4780 hci_dev_unlock(hdev); 4781 } 4782 4783 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 4784 { 4785 struct hci_ev_le_meta *le_ev = (void *) skb->data; 4786 4787 skb_pull(skb, sizeof(*le_ev)); 4788 4789 switch (le_ev->subevent) { 4790 case HCI_EV_LE_CONN_COMPLETE: 4791 hci_le_conn_complete_evt(hdev, skb); 4792 break; 4793 4794 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 4795 hci_le_conn_update_complete_evt(hdev, skb); 4796 break; 4797 4798 case HCI_EV_LE_ADVERTISING_REPORT: 4799 hci_le_adv_report_evt(hdev, skb); 4800 break; 4801 4802 case HCI_EV_LE_LTK_REQ: 4803 hci_le_ltk_request_evt(hdev, skb); 4804 break; 4805 4806 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 4807 hci_le_remote_conn_param_req_evt(hdev, skb); 4808 break; 4809 4810 case HCI_EV_LE_DIRECT_ADV_REPORT: 4811 hci_le_direct_adv_report_evt(hdev, skb); 4812 break; 4813 4814 default: 4815 break; 4816 } 4817 } 4818 4819 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4820 { 4821 struct hci_ev_channel_selected *ev = (void *) skb->data; 4822 struct hci_conn *hcon; 4823 4824 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4825 4826 skb_pull(skb, sizeof(*ev)); 4827 4828 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4829 if (!hcon) 4830 return; 4831 4832 amp_read_loc_assoc_final_data(hdev, hcon); 4833 } 4834 4835 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 4836 { 4837 struct hci_event_hdr *hdr = (void *) skb->data; 4838 __u8 event = hdr->evt; 4839 4840 hci_dev_lock(hdev); 4841 4842 /* Received events are (currently) only needed when a request is 4843 * ongoing so avoid unnecessary memory allocation. 4844 */ 4845 if (hci_req_pending(hdev)) { 4846 kfree_skb(hdev->recv_evt); 4847 hdev->recv_evt = skb_clone(skb, GFP_KERNEL); 4848 } 4849 4850 hci_dev_unlock(hdev); 4851 4852 skb_pull(skb, HCI_EVENT_HDR_SIZE); 4853 4854 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) { 4855 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 4856 u16 opcode = __le16_to_cpu(cmd_hdr->opcode); 4857 4858 hci_req_cmd_complete(hdev, opcode, 0); 4859 } 4860 4861 switch (event) { 4862 case HCI_EV_INQUIRY_COMPLETE: 4863 hci_inquiry_complete_evt(hdev, skb); 4864 break; 4865 4866 case HCI_EV_INQUIRY_RESULT: 4867 hci_inquiry_result_evt(hdev, skb); 4868 break; 4869 4870 case HCI_EV_CONN_COMPLETE: 4871 hci_conn_complete_evt(hdev, skb); 4872 break; 4873 4874 case HCI_EV_CONN_REQUEST: 4875 hci_conn_request_evt(hdev, skb); 4876 break; 4877 4878 case HCI_EV_DISCONN_COMPLETE: 4879 hci_disconn_complete_evt(hdev, skb); 4880 break; 4881 4882 case HCI_EV_AUTH_COMPLETE: 4883 hci_auth_complete_evt(hdev, skb); 4884 break; 4885 4886 case HCI_EV_REMOTE_NAME: 4887 hci_remote_name_evt(hdev, skb); 4888 break; 4889 4890 case HCI_EV_ENCRYPT_CHANGE: 4891 hci_encrypt_change_evt(hdev, skb); 4892 break; 4893 4894 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 4895 hci_change_link_key_complete_evt(hdev, skb); 4896 break; 4897 4898 case HCI_EV_REMOTE_FEATURES: 4899 hci_remote_features_evt(hdev, skb); 4900 break; 4901 4902 case HCI_EV_CMD_COMPLETE: 4903 hci_cmd_complete_evt(hdev, skb); 4904 break; 4905 4906 case HCI_EV_CMD_STATUS: 4907 hci_cmd_status_evt(hdev, skb); 4908 break; 4909 4910 case HCI_EV_HARDWARE_ERROR: 4911 hci_hardware_error_evt(hdev, skb); 4912 break; 4913 4914 case HCI_EV_ROLE_CHANGE: 4915 hci_role_change_evt(hdev, skb); 4916 break; 4917 4918 case HCI_EV_NUM_COMP_PKTS: 4919 hci_num_comp_pkts_evt(hdev, skb); 4920 break; 4921 4922 case HCI_EV_MODE_CHANGE: 4923 hci_mode_change_evt(hdev, skb); 4924 break; 4925 4926 case HCI_EV_PIN_CODE_REQ: 4927 hci_pin_code_request_evt(hdev, skb); 4928 break; 4929 4930 case HCI_EV_LINK_KEY_REQ: 4931 hci_link_key_request_evt(hdev, skb); 4932 break; 4933 4934 case HCI_EV_LINK_KEY_NOTIFY: 4935 hci_link_key_notify_evt(hdev, skb); 4936 break; 4937 4938 case HCI_EV_CLOCK_OFFSET: 4939 hci_clock_offset_evt(hdev, skb); 4940 break; 4941 4942 case HCI_EV_PKT_TYPE_CHANGE: 4943 hci_pkt_type_change_evt(hdev, skb); 4944 break; 4945 4946 case HCI_EV_PSCAN_REP_MODE: 4947 hci_pscan_rep_mode_evt(hdev, skb); 4948 break; 4949 4950 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 4951 hci_inquiry_result_with_rssi_evt(hdev, skb); 4952 break; 4953 4954 case HCI_EV_REMOTE_EXT_FEATURES: 4955 hci_remote_ext_features_evt(hdev, skb); 4956 break; 4957 4958 case HCI_EV_SYNC_CONN_COMPLETE: 4959 hci_sync_conn_complete_evt(hdev, skb); 4960 break; 4961 4962 case HCI_EV_EXTENDED_INQUIRY_RESULT: 4963 hci_extended_inquiry_result_evt(hdev, skb); 4964 break; 4965 4966 case HCI_EV_KEY_REFRESH_COMPLETE: 4967 hci_key_refresh_complete_evt(hdev, skb); 4968 break; 4969 4970 case HCI_EV_IO_CAPA_REQUEST: 4971 hci_io_capa_request_evt(hdev, skb); 4972 break; 4973 4974 case HCI_EV_IO_CAPA_REPLY: 4975 hci_io_capa_reply_evt(hdev, skb); 4976 break; 4977 4978 case HCI_EV_USER_CONFIRM_REQUEST: 4979 hci_user_confirm_request_evt(hdev, skb); 4980 break; 4981 4982 case HCI_EV_USER_PASSKEY_REQUEST: 4983 hci_user_passkey_request_evt(hdev, skb); 4984 break; 4985 4986 case HCI_EV_USER_PASSKEY_NOTIFY: 4987 hci_user_passkey_notify_evt(hdev, skb); 4988 break; 4989 4990 case HCI_EV_KEYPRESS_NOTIFY: 4991 hci_keypress_notify_evt(hdev, skb); 4992 break; 4993 4994 case HCI_EV_SIMPLE_PAIR_COMPLETE: 4995 hci_simple_pair_complete_evt(hdev, skb); 4996 break; 4997 4998 case HCI_EV_REMOTE_HOST_FEATURES: 4999 hci_remote_host_features_evt(hdev, skb); 5000 break; 5001 5002 case HCI_EV_LE_META: 5003 hci_le_meta_evt(hdev, skb); 5004 break; 5005 5006 case HCI_EV_CHANNEL_SELECTED: 5007 hci_chan_selected_evt(hdev, skb); 5008 break; 5009 5010 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 5011 hci_remote_oob_data_request_evt(hdev, skb); 5012 break; 5013 5014 case HCI_EV_PHY_LINK_COMPLETE: 5015 hci_phy_link_complete_evt(hdev, skb); 5016 break; 5017 5018 case HCI_EV_LOGICAL_LINK_COMPLETE: 5019 hci_loglink_complete_evt(hdev, skb); 5020 break; 5021 5022 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 5023 hci_disconn_loglink_complete_evt(hdev, skb); 5024 break; 5025 5026 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 5027 hci_disconn_phylink_complete_evt(hdev, skb); 5028 break; 5029 5030 case HCI_EV_NUM_COMP_BLOCKS: 5031 hci_num_comp_blocks_evt(hdev, skb); 5032 break; 5033 5034 default: 5035 BT_DBG("%s event 0x%2.2x", hdev->name, event); 5036 break; 5037 } 5038 5039 kfree_skb(skb); 5040 hdev->stat.evt_rx++; 5041 } 5042