1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 #include "msft.h" 39 40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 41 "\x00\x00\x00\x00\x00\x00\x00\x00" 42 43 /* Handle HCI Event packets */ 44 45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, 46 u8 *new_status) 47 { 48 __u8 status = *((__u8 *) skb->data); 49 50 BT_DBG("%s status 0x%2.2x", hdev->name, status); 51 52 /* It is possible that we receive Inquiry Complete event right 53 * before we receive Inquiry Cancel Command Complete event, in 54 * which case the latter event should have status of Command 55 * Disallowed (0x0c). This should not be treated as error, since 56 * we actually achieve what Inquiry Cancel wants to achieve, 57 * which is to end the last Inquiry session. 58 */ 59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 61 status = 0x00; 62 } 63 64 *new_status = status; 65 66 if (status) 67 return; 68 69 clear_bit(HCI_INQUIRY, &hdev->flags); 70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 71 wake_up_bit(&hdev->flags, HCI_INQUIRY); 72 73 hci_dev_lock(hdev); 74 /* Set discovery state to stopped if we're not doing LE active 75 * scanning. 76 */ 77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 78 hdev->le_scan_type != LE_SCAN_ACTIVE) 79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 80 hci_dev_unlock(hdev); 81 82 hci_conn_check_pending(hdev); 83 } 84 85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 86 { 87 __u8 status = *((__u8 *) skb->data); 88 89 BT_DBG("%s status 0x%2.2x", hdev->name, status); 90 91 if (status) 92 return; 93 94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 95 } 96 97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 98 { 99 __u8 status = *((__u8 *) skb->data); 100 101 BT_DBG("%s status 0x%2.2x", hdev->name, status); 102 103 if (status) 104 return; 105 106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 107 108 hci_conn_check_pending(hdev); 109 } 110 111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 112 struct sk_buff *skb) 113 { 114 BT_DBG("%s", hdev->name); 115 } 116 117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 118 { 119 struct hci_rp_role_discovery *rp = (void *) skb->data; 120 struct hci_conn *conn; 121 122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 123 124 if (rp->status) 125 return; 126 127 hci_dev_lock(hdev); 128 129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 130 if (conn) 131 conn->role = rp->role; 132 133 hci_dev_unlock(hdev); 134 } 135 136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 137 { 138 struct hci_rp_read_link_policy *rp = (void *) skb->data; 139 struct hci_conn *conn; 140 141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 142 143 if (rp->status) 144 return; 145 146 hci_dev_lock(hdev); 147 148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 149 if (conn) 150 conn->link_policy = __le16_to_cpu(rp->policy); 151 152 hci_dev_unlock(hdev); 153 } 154 155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 156 { 157 struct hci_rp_write_link_policy *rp = (void *) skb->data; 158 struct hci_conn *conn; 159 void *sent; 160 161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 162 163 if (rp->status) 164 return; 165 166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 167 if (!sent) 168 return; 169 170 hci_dev_lock(hdev); 171 172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 173 if (conn) 174 conn->link_policy = get_unaligned_le16(sent + 2); 175 176 hci_dev_unlock(hdev); 177 } 178 179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 180 struct sk_buff *skb) 181 { 182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 183 184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 185 186 if (rp->status) 187 return; 188 189 hdev->link_policy = __le16_to_cpu(rp->policy); 190 } 191 192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 193 struct sk_buff *skb) 194 { 195 __u8 status = *((__u8 *) skb->data); 196 void *sent; 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 if (status) 201 return; 202 203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 204 if (!sent) 205 return; 206 207 hdev->link_policy = get_unaligned_le16(sent); 208 } 209 210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 211 { 212 __u8 status = *((__u8 *) skb->data); 213 214 BT_DBG("%s status 0x%2.2x", hdev->name, status); 215 216 clear_bit(HCI_RESET, &hdev->flags); 217 218 if (status) 219 return; 220 221 /* Reset all non-persistent flags */ 222 hci_dev_clear_volatile_flags(hdev); 223 224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 225 226 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 227 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 228 229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 230 hdev->adv_data_len = 0; 231 232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 233 hdev->scan_rsp_data_len = 0; 234 235 hdev->le_scan_type = LE_SCAN_PASSIVE; 236 237 hdev->ssp_debug_mode = 0; 238 239 hci_bdaddr_list_clear(&hdev->le_white_list); 240 hci_bdaddr_list_clear(&hdev->le_resolv_list); 241 } 242 243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 244 struct sk_buff *skb) 245 { 246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 247 struct hci_cp_read_stored_link_key *sent; 248 249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 250 251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 252 if (!sent) 253 return; 254 255 if (!rp->status && sent->read_all == 0x01) { 256 hdev->stored_max_keys = rp->max_keys; 257 hdev->stored_num_keys = rp->num_keys; 258 } 259 } 260 261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 262 struct sk_buff *skb) 263 { 264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 265 266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 267 268 if (rp->status) 269 return; 270 271 if (rp->num_keys <= hdev->stored_num_keys) 272 hdev->stored_num_keys -= rp->num_keys; 273 else 274 hdev->stored_num_keys = 0; 275 } 276 277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 278 { 279 __u8 status = *((__u8 *) skb->data); 280 void *sent; 281 282 BT_DBG("%s status 0x%2.2x", hdev->name, status); 283 284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 285 if (!sent) 286 return; 287 288 hci_dev_lock(hdev); 289 290 if (hci_dev_test_flag(hdev, HCI_MGMT)) 291 mgmt_set_local_name_complete(hdev, sent, status); 292 else if (!status) 293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 294 295 hci_dev_unlock(hdev); 296 } 297 298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 299 { 300 struct hci_rp_read_local_name *rp = (void *) skb->data; 301 302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 303 304 if (rp->status) 305 return; 306 307 if (hci_dev_test_flag(hdev, HCI_SETUP) || 308 hci_dev_test_flag(hdev, HCI_CONFIG)) 309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 310 } 311 312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 313 { 314 __u8 status = *((__u8 *) skb->data); 315 void *sent; 316 317 BT_DBG("%s status 0x%2.2x", hdev->name, status); 318 319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 320 if (!sent) 321 return; 322 323 hci_dev_lock(hdev); 324 325 if (!status) { 326 __u8 param = *((__u8 *) sent); 327 328 if (param == AUTH_ENABLED) 329 set_bit(HCI_AUTH, &hdev->flags); 330 else 331 clear_bit(HCI_AUTH, &hdev->flags); 332 } 333 334 if (hci_dev_test_flag(hdev, HCI_MGMT)) 335 mgmt_auth_enable_complete(hdev, status); 336 337 hci_dev_unlock(hdev); 338 } 339 340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 341 { 342 __u8 status = *((__u8 *) skb->data); 343 __u8 param; 344 void *sent; 345 346 BT_DBG("%s status 0x%2.2x", hdev->name, status); 347 348 if (status) 349 return; 350 351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 352 if (!sent) 353 return; 354 355 param = *((__u8 *) sent); 356 357 if (param) 358 set_bit(HCI_ENCRYPT, &hdev->flags); 359 else 360 clear_bit(HCI_ENCRYPT, &hdev->flags); 361 } 362 363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 364 { 365 __u8 status = *((__u8 *) skb->data); 366 __u8 param; 367 void *sent; 368 369 BT_DBG("%s status 0x%2.2x", hdev->name, status); 370 371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 372 if (!sent) 373 return; 374 375 param = *((__u8 *) sent); 376 377 hci_dev_lock(hdev); 378 379 if (status) { 380 hdev->discov_timeout = 0; 381 goto done; 382 } 383 384 if (param & SCAN_INQUIRY) 385 set_bit(HCI_ISCAN, &hdev->flags); 386 else 387 clear_bit(HCI_ISCAN, &hdev->flags); 388 389 if (param & SCAN_PAGE) 390 set_bit(HCI_PSCAN, &hdev->flags); 391 else 392 clear_bit(HCI_PSCAN, &hdev->flags); 393 394 done: 395 hci_dev_unlock(hdev); 396 } 397 398 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 399 { 400 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 401 402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 403 404 if (rp->status) 405 return; 406 407 memcpy(hdev->dev_class, rp->dev_class, 3); 408 409 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 410 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 411 } 412 413 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 414 { 415 __u8 status = *((__u8 *) skb->data); 416 void *sent; 417 418 BT_DBG("%s status 0x%2.2x", hdev->name, status); 419 420 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 421 if (!sent) 422 return; 423 424 hci_dev_lock(hdev); 425 426 if (status == 0) 427 memcpy(hdev->dev_class, sent, 3); 428 429 if (hci_dev_test_flag(hdev, HCI_MGMT)) 430 mgmt_set_class_of_dev_complete(hdev, sent, status); 431 432 hci_dev_unlock(hdev); 433 } 434 435 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 436 { 437 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 438 __u16 setting; 439 440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 441 442 if (rp->status) 443 return; 444 445 setting = __le16_to_cpu(rp->voice_setting); 446 447 if (hdev->voice_setting == setting) 448 return; 449 450 hdev->voice_setting = setting; 451 452 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 453 454 if (hdev->notify) 455 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 456 } 457 458 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 459 struct sk_buff *skb) 460 { 461 __u8 status = *((__u8 *) skb->data); 462 __u16 setting; 463 void *sent; 464 465 BT_DBG("%s status 0x%2.2x", hdev->name, status); 466 467 if (status) 468 return; 469 470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 471 if (!sent) 472 return; 473 474 setting = get_unaligned_le16(sent); 475 476 if (hdev->voice_setting == setting) 477 return; 478 479 hdev->voice_setting = setting; 480 481 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 482 483 if (hdev->notify) 484 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 485 } 486 487 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 488 struct sk_buff *skb) 489 { 490 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 491 492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 493 494 if (rp->status) 495 return; 496 497 hdev->num_iac = rp->num_iac; 498 499 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 500 } 501 502 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 503 { 504 __u8 status = *((__u8 *) skb->data); 505 struct hci_cp_write_ssp_mode *sent; 506 507 BT_DBG("%s status 0x%2.2x", hdev->name, status); 508 509 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 510 if (!sent) 511 return; 512 513 hci_dev_lock(hdev); 514 515 if (!status) { 516 if (sent->mode) 517 hdev->features[1][0] |= LMP_HOST_SSP; 518 else 519 hdev->features[1][0] &= ~LMP_HOST_SSP; 520 } 521 522 if (hci_dev_test_flag(hdev, HCI_MGMT)) 523 mgmt_ssp_enable_complete(hdev, sent->mode, status); 524 else if (!status) { 525 if (sent->mode) 526 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 527 else 528 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 529 } 530 531 hci_dev_unlock(hdev); 532 } 533 534 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 535 { 536 u8 status = *((u8 *) skb->data); 537 struct hci_cp_write_sc_support *sent; 538 539 BT_DBG("%s status 0x%2.2x", hdev->name, status); 540 541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 542 if (!sent) 543 return; 544 545 hci_dev_lock(hdev); 546 547 if (!status) { 548 if (sent->support) 549 hdev->features[1][0] |= LMP_HOST_SC; 550 else 551 hdev->features[1][0] &= ~LMP_HOST_SC; 552 } 553 554 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 555 if (sent->support) 556 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 557 else 558 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 559 } 560 561 hci_dev_unlock(hdev); 562 } 563 564 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 565 { 566 struct hci_rp_read_local_version *rp = (void *) skb->data; 567 568 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 569 570 if (rp->status) 571 return; 572 573 if (hci_dev_test_flag(hdev, HCI_SETUP) || 574 hci_dev_test_flag(hdev, HCI_CONFIG)) { 575 hdev->hci_ver = rp->hci_ver; 576 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 577 hdev->lmp_ver = rp->lmp_ver; 578 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 579 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 580 } 581 } 582 583 static void hci_cc_read_local_commands(struct hci_dev *hdev, 584 struct sk_buff *skb) 585 { 586 struct hci_rp_read_local_commands *rp = (void *) skb->data; 587 588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 589 590 if (rp->status) 591 return; 592 593 if (hci_dev_test_flag(hdev, HCI_SETUP) || 594 hci_dev_test_flag(hdev, HCI_CONFIG)) 595 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 596 } 597 598 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, 599 struct sk_buff *skb) 600 { 601 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data; 602 struct hci_conn *conn; 603 604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 605 606 if (rp->status) 607 return; 608 609 hci_dev_lock(hdev); 610 611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 612 if (conn) 613 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 614 615 hci_dev_unlock(hdev); 616 } 617 618 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, 619 struct sk_buff *skb) 620 { 621 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data; 622 struct hci_conn *conn; 623 void *sent; 624 625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 626 627 if (rp->status) 628 return; 629 630 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 631 if (!sent) 632 return; 633 634 hci_dev_lock(hdev); 635 636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 637 if (conn) 638 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 639 640 hci_dev_unlock(hdev); 641 } 642 643 static void hci_cc_read_local_features(struct hci_dev *hdev, 644 struct sk_buff *skb) 645 { 646 struct hci_rp_read_local_features *rp = (void *) skb->data; 647 648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 649 650 if (rp->status) 651 return; 652 653 memcpy(hdev->features, rp->features, 8); 654 655 /* Adjust default settings according to features 656 * supported by device. */ 657 658 if (hdev->features[0][0] & LMP_3SLOT) 659 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 660 661 if (hdev->features[0][0] & LMP_5SLOT) 662 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 663 664 if (hdev->features[0][1] & LMP_HV2) { 665 hdev->pkt_type |= (HCI_HV2); 666 hdev->esco_type |= (ESCO_HV2); 667 } 668 669 if (hdev->features[0][1] & LMP_HV3) { 670 hdev->pkt_type |= (HCI_HV3); 671 hdev->esco_type |= (ESCO_HV3); 672 } 673 674 if (lmp_esco_capable(hdev)) 675 hdev->esco_type |= (ESCO_EV3); 676 677 if (hdev->features[0][4] & LMP_EV4) 678 hdev->esco_type |= (ESCO_EV4); 679 680 if (hdev->features[0][4] & LMP_EV5) 681 hdev->esco_type |= (ESCO_EV5); 682 683 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 684 hdev->esco_type |= (ESCO_2EV3); 685 686 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 687 hdev->esco_type |= (ESCO_3EV3); 688 689 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 690 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 691 } 692 693 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 694 struct sk_buff *skb) 695 { 696 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 697 698 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 699 700 if (rp->status) 701 return; 702 703 if (hdev->max_page < rp->max_page) 704 hdev->max_page = rp->max_page; 705 706 if (rp->page < HCI_MAX_PAGES) 707 memcpy(hdev->features[rp->page], rp->features, 8); 708 } 709 710 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 711 struct sk_buff *skb) 712 { 713 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 714 715 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 716 717 if (rp->status) 718 return; 719 720 hdev->flow_ctl_mode = rp->mode; 721 } 722 723 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 724 { 725 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 726 727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 728 729 if (rp->status) 730 return; 731 732 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 733 hdev->sco_mtu = rp->sco_mtu; 734 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 735 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 736 737 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 738 hdev->sco_mtu = 64; 739 hdev->sco_pkts = 8; 740 } 741 742 hdev->acl_cnt = hdev->acl_pkts; 743 hdev->sco_cnt = hdev->sco_pkts; 744 745 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 746 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 747 } 748 749 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 750 { 751 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 752 753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 754 755 if (rp->status) 756 return; 757 758 if (test_bit(HCI_INIT, &hdev->flags)) 759 bacpy(&hdev->bdaddr, &rp->bdaddr); 760 761 if (hci_dev_test_flag(hdev, HCI_SETUP)) 762 bacpy(&hdev->setup_addr, &rp->bdaddr); 763 } 764 765 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev, 766 struct sk_buff *skb) 767 { 768 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data; 769 770 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 771 772 if (rp->status) 773 return; 774 775 if (hci_dev_test_flag(hdev, HCI_SETUP) || 776 hci_dev_test_flag(hdev, HCI_CONFIG)) { 777 hdev->pairing_opts = rp->pairing_opts; 778 hdev->max_enc_key_size = rp->max_key_size; 779 } 780 } 781 782 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 783 struct sk_buff *skb) 784 { 785 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 786 787 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 788 789 if (rp->status) 790 return; 791 792 if (test_bit(HCI_INIT, &hdev->flags)) { 793 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 794 hdev->page_scan_window = __le16_to_cpu(rp->window); 795 } 796 } 797 798 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 799 struct sk_buff *skb) 800 { 801 u8 status = *((u8 *) skb->data); 802 struct hci_cp_write_page_scan_activity *sent; 803 804 BT_DBG("%s status 0x%2.2x", hdev->name, status); 805 806 if (status) 807 return; 808 809 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 810 if (!sent) 811 return; 812 813 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 814 hdev->page_scan_window = __le16_to_cpu(sent->window); 815 } 816 817 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 818 struct sk_buff *skb) 819 { 820 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 821 822 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 823 824 if (rp->status) 825 return; 826 827 if (test_bit(HCI_INIT, &hdev->flags)) 828 hdev->page_scan_type = rp->type; 829 } 830 831 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 832 struct sk_buff *skb) 833 { 834 u8 status = *((u8 *) skb->data); 835 u8 *type; 836 837 BT_DBG("%s status 0x%2.2x", hdev->name, status); 838 839 if (status) 840 return; 841 842 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 843 if (type) 844 hdev->page_scan_type = *type; 845 } 846 847 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 848 struct sk_buff *skb) 849 { 850 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 851 852 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 853 854 if (rp->status) 855 return; 856 857 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 858 hdev->block_len = __le16_to_cpu(rp->block_len); 859 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 860 861 hdev->block_cnt = hdev->num_blocks; 862 863 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 864 hdev->block_cnt, hdev->block_len); 865 } 866 867 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 868 { 869 struct hci_rp_read_clock *rp = (void *) skb->data; 870 struct hci_cp_read_clock *cp; 871 struct hci_conn *conn; 872 873 BT_DBG("%s", hdev->name); 874 875 if (skb->len < sizeof(*rp)) 876 return; 877 878 if (rp->status) 879 return; 880 881 hci_dev_lock(hdev); 882 883 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 884 if (!cp) 885 goto unlock; 886 887 if (cp->which == 0x00) { 888 hdev->clock = le32_to_cpu(rp->clock); 889 goto unlock; 890 } 891 892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 893 if (conn) { 894 conn->clock = le32_to_cpu(rp->clock); 895 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 896 } 897 898 unlock: 899 hci_dev_unlock(hdev); 900 } 901 902 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 903 struct sk_buff *skb) 904 { 905 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 906 907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 908 909 if (rp->status) 910 return; 911 912 hdev->amp_status = rp->amp_status; 913 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 914 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 915 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 916 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 917 hdev->amp_type = rp->amp_type; 918 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 919 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 920 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 921 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 922 } 923 924 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 925 struct sk_buff *skb) 926 { 927 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 928 929 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 930 931 if (rp->status) 932 return; 933 934 hdev->inq_tx_power = rp->tx_power; 935 } 936 937 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, 938 struct sk_buff *skb) 939 { 940 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data; 941 942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 943 944 if (rp->status) 945 return; 946 947 hdev->err_data_reporting = rp->err_data_reporting; 948 } 949 950 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, 951 struct sk_buff *skb) 952 { 953 __u8 status = *((__u8 *)skb->data); 954 struct hci_cp_write_def_err_data_reporting *cp; 955 956 BT_DBG("%s status 0x%2.2x", hdev->name, status); 957 958 if (status) 959 return; 960 961 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 962 if (!cp) 963 return; 964 965 hdev->err_data_reporting = cp->err_data_reporting; 966 } 967 968 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 969 { 970 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 971 struct hci_cp_pin_code_reply *cp; 972 struct hci_conn *conn; 973 974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 975 976 hci_dev_lock(hdev); 977 978 if (hci_dev_test_flag(hdev, HCI_MGMT)) 979 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 980 981 if (rp->status) 982 goto unlock; 983 984 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 985 if (!cp) 986 goto unlock; 987 988 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 989 if (conn) 990 conn->pin_length = cp->pin_len; 991 992 unlock: 993 hci_dev_unlock(hdev); 994 } 995 996 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 997 { 998 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 999 1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1001 1002 hci_dev_lock(hdev); 1003 1004 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1005 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1006 rp->status); 1007 1008 hci_dev_unlock(hdev); 1009 } 1010 1011 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 1012 struct sk_buff *skb) 1013 { 1014 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 1015 1016 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1017 1018 if (rp->status) 1019 return; 1020 1021 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1022 hdev->le_pkts = rp->le_max_pkt; 1023 1024 hdev->le_cnt = hdev->le_pkts; 1025 1026 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1027 } 1028 1029 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 1030 struct sk_buff *skb) 1031 { 1032 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 1033 1034 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1035 1036 if (rp->status) 1037 return; 1038 1039 memcpy(hdev->le_features, rp->features, 8); 1040 } 1041 1042 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 1043 struct sk_buff *skb) 1044 { 1045 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 1046 1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1048 1049 if (rp->status) 1050 return; 1051 1052 hdev->adv_tx_power = rp->tx_power; 1053 } 1054 1055 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 1056 { 1057 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1058 1059 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1060 1061 hci_dev_lock(hdev); 1062 1063 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1064 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1065 rp->status); 1066 1067 hci_dev_unlock(hdev); 1068 } 1069 1070 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 1071 struct sk_buff *skb) 1072 { 1073 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1074 1075 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1076 1077 hci_dev_lock(hdev); 1078 1079 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1080 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1081 ACL_LINK, 0, rp->status); 1082 1083 hci_dev_unlock(hdev); 1084 } 1085 1086 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 1087 { 1088 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1089 1090 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1091 1092 hci_dev_lock(hdev); 1093 1094 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1095 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1096 0, rp->status); 1097 1098 hci_dev_unlock(hdev); 1099 } 1100 1101 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 1102 struct sk_buff *skb) 1103 { 1104 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1105 1106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1107 1108 hci_dev_lock(hdev); 1109 1110 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1111 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1112 ACL_LINK, 0, rp->status); 1113 1114 hci_dev_unlock(hdev); 1115 } 1116 1117 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1118 struct sk_buff *skb) 1119 { 1120 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1121 1122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1123 } 1124 1125 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1126 struct sk_buff *skb) 1127 { 1128 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1129 1130 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1131 } 1132 1133 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1134 { 1135 __u8 status = *((__u8 *) skb->data); 1136 bdaddr_t *sent; 1137 1138 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1139 1140 if (status) 1141 return; 1142 1143 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1144 if (!sent) 1145 return; 1146 1147 hci_dev_lock(hdev); 1148 1149 bacpy(&hdev->random_addr, sent); 1150 1151 hci_dev_unlock(hdev); 1152 } 1153 1154 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb) 1155 { 1156 __u8 status = *((__u8 *) skb->data); 1157 struct hci_cp_le_set_default_phy *cp; 1158 1159 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1160 1161 if (status) 1162 return; 1163 1164 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1165 if (!cp) 1166 return; 1167 1168 hci_dev_lock(hdev); 1169 1170 hdev->le_tx_def_phys = cp->tx_phys; 1171 hdev->le_rx_def_phys = cp->rx_phys; 1172 1173 hci_dev_unlock(hdev); 1174 } 1175 1176 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, 1177 struct sk_buff *skb) 1178 { 1179 __u8 status = *((__u8 *) skb->data); 1180 struct hci_cp_le_set_adv_set_rand_addr *cp; 1181 struct adv_info *adv_instance; 1182 1183 if (status) 1184 return; 1185 1186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1187 if (!cp) 1188 return; 1189 1190 hci_dev_lock(hdev); 1191 1192 if (!hdev->cur_adv_instance) { 1193 /* Store in hdev for instance 0 (Set adv and Directed advs) */ 1194 bacpy(&hdev->random_addr, &cp->bdaddr); 1195 } else { 1196 adv_instance = hci_find_adv_instance(hdev, 1197 hdev->cur_adv_instance); 1198 if (adv_instance) 1199 bacpy(&adv_instance->random_addr, &cp->bdaddr); 1200 } 1201 1202 hci_dev_unlock(hdev); 1203 } 1204 1205 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1206 { 1207 __u8 *sent, status = *((__u8 *) skb->data); 1208 1209 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1210 1211 if (status) 1212 return; 1213 1214 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1215 if (!sent) 1216 return; 1217 1218 hci_dev_lock(hdev); 1219 1220 /* If we're doing connection initiation as peripheral. Set a 1221 * timeout in case something goes wrong. 1222 */ 1223 if (*sent) { 1224 struct hci_conn *conn; 1225 1226 hci_dev_set_flag(hdev, HCI_LE_ADV); 1227 1228 conn = hci_lookup_le_connect(hdev); 1229 if (conn) 1230 queue_delayed_work(hdev->workqueue, 1231 &conn->le_conn_timeout, 1232 conn->conn_timeout); 1233 } else { 1234 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1235 } 1236 1237 hci_dev_unlock(hdev); 1238 } 1239 1240 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, 1241 struct sk_buff *skb) 1242 { 1243 struct hci_cp_le_set_ext_adv_enable *cp; 1244 __u8 status = *((__u8 *) skb->data); 1245 1246 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1247 1248 if (status) 1249 return; 1250 1251 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1252 if (!cp) 1253 return; 1254 1255 hci_dev_lock(hdev); 1256 1257 if (cp->enable) { 1258 struct hci_conn *conn; 1259 1260 hci_dev_set_flag(hdev, HCI_LE_ADV); 1261 1262 conn = hci_lookup_le_connect(hdev); 1263 if (conn) 1264 queue_delayed_work(hdev->workqueue, 1265 &conn->le_conn_timeout, 1266 conn->conn_timeout); 1267 } else { 1268 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1269 } 1270 1271 hci_dev_unlock(hdev); 1272 } 1273 1274 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1275 { 1276 struct hci_cp_le_set_scan_param *cp; 1277 __u8 status = *((__u8 *) skb->data); 1278 1279 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1280 1281 if (status) 1282 return; 1283 1284 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1285 if (!cp) 1286 return; 1287 1288 hci_dev_lock(hdev); 1289 1290 hdev->le_scan_type = cp->type; 1291 1292 hci_dev_unlock(hdev); 1293 } 1294 1295 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, 1296 struct sk_buff *skb) 1297 { 1298 struct hci_cp_le_set_ext_scan_params *cp; 1299 __u8 status = *((__u8 *) skb->data); 1300 struct hci_cp_le_scan_phy_params *phy_param; 1301 1302 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1303 1304 if (status) 1305 return; 1306 1307 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1308 if (!cp) 1309 return; 1310 1311 phy_param = (void *)cp->data; 1312 1313 hci_dev_lock(hdev); 1314 1315 hdev->le_scan_type = phy_param->type; 1316 1317 hci_dev_unlock(hdev); 1318 } 1319 1320 static bool has_pending_adv_report(struct hci_dev *hdev) 1321 { 1322 struct discovery_state *d = &hdev->discovery; 1323 1324 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1325 } 1326 1327 static void clear_pending_adv_report(struct hci_dev *hdev) 1328 { 1329 struct discovery_state *d = &hdev->discovery; 1330 1331 bacpy(&d->last_adv_addr, BDADDR_ANY); 1332 d->last_adv_data_len = 0; 1333 } 1334 1335 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1336 u8 bdaddr_type, s8 rssi, u32 flags, 1337 u8 *data, u8 len) 1338 { 1339 struct discovery_state *d = &hdev->discovery; 1340 1341 if (len > HCI_MAX_AD_LENGTH) 1342 return; 1343 1344 bacpy(&d->last_adv_addr, bdaddr); 1345 d->last_adv_addr_type = bdaddr_type; 1346 d->last_adv_rssi = rssi; 1347 d->last_adv_flags = flags; 1348 memcpy(d->last_adv_data, data, len); 1349 d->last_adv_data_len = len; 1350 } 1351 1352 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1353 { 1354 hci_dev_lock(hdev); 1355 1356 switch (enable) { 1357 case LE_SCAN_ENABLE: 1358 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1359 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1360 clear_pending_adv_report(hdev); 1361 break; 1362 1363 case LE_SCAN_DISABLE: 1364 /* We do this here instead of when setting DISCOVERY_STOPPED 1365 * since the latter would potentially require waiting for 1366 * inquiry to stop too. 1367 */ 1368 if (has_pending_adv_report(hdev)) { 1369 struct discovery_state *d = &hdev->discovery; 1370 1371 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1372 d->last_adv_addr_type, NULL, 1373 d->last_adv_rssi, d->last_adv_flags, 1374 d->last_adv_data, 1375 d->last_adv_data_len, NULL, 0); 1376 } 1377 1378 /* Cancel this timer so that we don't try to disable scanning 1379 * when it's already disabled. 1380 */ 1381 cancel_delayed_work(&hdev->le_scan_disable); 1382 1383 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1384 1385 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1386 * interrupted scanning due to a connect request. Mark 1387 * therefore discovery as stopped. If this was not 1388 * because of a connect request advertising might have 1389 * been disabled because of active scanning, so 1390 * re-enable it again if necessary. 1391 */ 1392 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1393 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1394 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1395 hdev->discovery.state == DISCOVERY_FINDING) 1396 hci_req_reenable_advertising(hdev); 1397 1398 break; 1399 1400 default: 1401 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1402 enable); 1403 break; 1404 } 1405 1406 hci_dev_unlock(hdev); 1407 } 1408 1409 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1410 struct sk_buff *skb) 1411 { 1412 struct hci_cp_le_set_scan_enable *cp; 1413 __u8 status = *((__u8 *) skb->data); 1414 1415 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1416 1417 if (status) 1418 return; 1419 1420 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1421 if (!cp) 1422 return; 1423 1424 le_set_scan_enable_complete(hdev, cp->enable); 1425 } 1426 1427 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, 1428 struct sk_buff *skb) 1429 { 1430 struct hci_cp_le_set_ext_scan_enable *cp; 1431 __u8 status = *((__u8 *) skb->data); 1432 1433 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1434 1435 if (status) 1436 return; 1437 1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1439 if (!cp) 1440 return; 1441 1442 le_set_scan_enable_complete(hdev, cp->enable); 1443 } 1444 1445 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, 1446 struct sk_buff *skb) 1447 { 1448 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data; 1449 1450 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status, 1451 rp->num_of_sets); 1452 1453 if (rp->status) 1454 return; 1455 1456 hdev->le_num_of_adv_sets = rp->num_of_sets; 1457 } 1458 1459 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1460 struct sk_buff *skb) 1461 { 1462 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1463 1464 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1465 1466 if (rp->status) 1467 return; 1468 1469 hdev->le_white_list_size = rp->size; 1470 } 1471 1472 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1473 struct sk_buff *skb) 1474 { 1475 __u8 status = *((__u8 *) skb->data); 1476 1477 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1478 1479 if (status) 1480 return; 1481 1482 hci_bdaddr_list_clear(&hdev->le_white_list); 1483 } 1484 1485 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1486 struct sk_buff *skb) 1487 { 1488 struct hci_cp_le_add_to_white_list *sent; 1489 __u8 status = *((__u8 *) skb->data); 1490 1491 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1492 1493 if (status) 1494 return; 1495 1496 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1497 if (!sent) 1498 return; 1499 1500 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1501 sent->bdaddr_type); 1502 } 1503 1504 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1505 struct sk_buff *skb) 1506 { 1507 struct hci_cp_le_del_from_white_list *sent; 1508 __u8 status = *((__u8 *) skb->data); 1509 1510 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1511 1512 if (status) 1513 return; 1514 1515 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1516 if (!sent) 1517 return; 1518 1519 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1520 sent->bdaddr_type); 1521 } 1522 1523 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1524 struct sk_buff *skb) 1525 { 1526 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1527 1528 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1529 1530 if (rp->status) 1531 return; 1532 1533 memcpy(hdev->le_states, rp->le_states, 8); 1534 } 1535 1536 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1537 struct sk_buff *skb) 1538 { 1539 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1540 1541 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1542 1543 if (rp->status) 1544 return; 1545 1546 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1547 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1548 } 1549 1550 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1551 struct sk_buff *skb) 1552 { 1553 struct hci_cp_le_write_def_data_len *sent; 1554 __u8 status = *((__u8 *) skb->data); 1555 1556 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1557 1558 if (status) 1559 return; 1560 1561 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1562 if (!sent) 1563 return; 1564 1565 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1566 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1567 } 1568 1569 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, 1570 struct sk_buff *skb) 1571 { 1572 struct hci_cp_le_add_to_resolv_list *sent; 1573 __u8 status = *((__u8 *) skb->data); 1574 1575 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1576 1577 if (status) 1578 return; 1579 1580 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1581 if (!sent) 1582 return; 1583 1584 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1585 sent->bdaddr_type, sent->peer_irk, 1586 sent->local_irk); 1587 } 1588 1589 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 1590 struct sk_buff *skb) 1591 { 1592 struct hci_cp_le_del_from_resolv_list *sent; 1593 __u8 status = *((__u8 *) skb->data); 1594 1595 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1596 1597 if (status) 1598 return; 1599 1600 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1601 if (!sent) 1602 return; 1603 1604 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1605 sent->bdaddr_type); 1606 } 1607 1608 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev, 1609 struct sk_buff *skb) 1610 { 1611 __u8 status = *((__u8 *) skb->data); 1612 1613 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1614 1615 if (status) 1616 return; 1617 1618 hci_bdaddr_list_clear(&hdev->le_resolv_list); 1619 } 1620 1621 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, 1622 struct sk_buff *skb) 1623 { 1624 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data; 1625 1626 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1627 1628 if (rp->status) 1629 return; 1630 1631 hdev->le_resolv_list_size = rp->size; 1632 } 1633 1634 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, 1635 struct sk_buff *skb) 1636 { 1637 __u8 *sent, status = *((__u8 *) skb->data); 1638 1639 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1640 1641 if (status) 1642 return; 1643 1644 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 1645 if (!sent) 1646 return; 1647 1648 hci_dev_lock(hdev); 1649 1650 if (*sent) 1651 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 1652 else 1653 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 1654 1655 hci_dev_unlock(hdev); 1656 } 1657 1658 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1659 struct sk_buff *skb) 1660 { 1661 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1662 1663 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1664 1665 if (rp->status) 1666 return; 1667 1668 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1669 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1670 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1671 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1672 } 1673 1674 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1675 struct sk_buff *skb) 1676 { 1677 struct hci_cp_write_le_host_supported *sent; 1678 __u8 status = *((__u8 *) skb->data); 1679 1680 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1681 1682 if (status) 1683 return; 1684 1685 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1686 if (!sent) 1687 return; 1688 1689 hci_dev_lock(hdev); 1690 1691 if (sent->le) { 1692 hdev->features[1][0] |= LMP_HOST_LE; 1693 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1694 } else { 1695 hdev->features[1][0] &= ~LMP_HOST_LE; 1696 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1697 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1698 } 1699 1700 if (sent->simul) 1701 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1702 else 1703 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1704 1705 hci_dev_unlock(hdev); 1706 } 1707 1708 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1709 { 1710 struct hci_cp_le_set_adv_param *cp; 1711 u8 status = *((u8 *) skb->data); 1712 1713 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1714 1715 if (status) 1716 return; 1717 1718 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1719 if (!cp) 1720 return; 1721 1722 hci_dev_lock(hdev); 1723 hdev->adv_addr_type = cp->own_address_type; 1724 hci_dev_unlock(hdev); 1725 } 1726 1727 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1728 { 1729 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; 1730 struct hci_cp_le_set_ext_adv_params *cp; 1731 struct adv_info *adv_instance; 1732 1733 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1734 1735 if (rp->status) 1736 return; 1737 1738 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 1739 if (!cp) 1740 return; 1741 1742 hci_dev_lock(hdev); 1743 hdev->adv_addr_type = cp->own_addr_type; 1744 if (!hdev->cur_adv_instance) { 1745 /* Store in hdev for instance 0 */ 1746 hdev->adv_tx_power = rp->tx_power; 1747 } else { 1748 adv_instance = hci_find_adv_instance(hdev, 1749 hdev->cur_adv_instance); 1750 if (adv_instance) 1751 adv_instance->tx_power = rp->tx_power; 1752 } 1753 /* Update adv data as tx power is known now */ 1754 hci_req_update_adv_data(hdev, hdev->cur_adv_instance); 1755 hci_dev_unlock(hdev); 1756 } 1757 1758 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1759 { 1760 struct hci_rp_read_rssi *rp = (void *) skb->data; 1761 struct hci_conn *conn; 1762 1763 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1764 1765 if (rp->status) 1766 return; 1767 1768 hci_dev_lock(hdev); 1769 1770 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1771 if (conn) 1772 conn->rssi = rp->rssi; 1773 1774 hci_dev_unlock(hdev); 1775 } 1776 1777 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1778 { 1779 struct hci_cp_read_tx_power *sent; 1780 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1781 struct hci_conn *conn; 1782 1783 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1784 1785 if (rp->status) 1786 return; 1787 1788 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1789 if (!sent) 1790 return; 1791 1792 hci_dev_lock(hdev); 1793 1794 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1795 if (!conn) 1796 goto unlock; 1797 1798 switch (sent->type) { 1799 case 0x00: 1800 conn->tx_power = rp->tx_power; 1801 break; 1802 case 0x01: 1803 conn->max_tx_power = rp->tx_power; 1804 break; 1805 } 1806 1807 unlock: 1808 hci_dev_unlock(hdev); 1809 } 1810 1811 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1812 { 1813 u8 status = *((u8 *) skb->data); 1814 u8 *mode; 1815 1816 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1817 1818 if (status) 1819 return; 1820 1821 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1822 if (mode) 1823 hdev->ssp_debug_mode = *mode; 1824 } 1825 1826 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1827 { 1828 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1829 1830 if (status) { 1831 hci_conn_check_pending(hdev); 1832 return; 1833 } 1834 1835 set_bit(HCI_INQUIRY, &hdev->flags); 1836 } 1837 1838 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1839 { 1840 struct hci_cp_create_conn *cp; 1841 struct hci_conn *conn; 1842 1843 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1844 1845 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1846 if (!cp) 1847 return; 1848 1849 hci_dev_lock(hdev); 1850 1851 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1852 1853 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1854 1855 if (status) { 1856 if (conn && conn->state == BT_CONNECT) { 1857 if (status != 0x0c || conn->attempt > 2) { 1858 conn->state = BT_CLOSED; 1859 hci_connect_cfm(conn, status); 1860 hci_conn_del(conn); 1861 } else 1862 conn->state = BT_CONNECT2; 1863 } 1864 } else { 1865 if (!conn) { 1866 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1867 HCI_ROLE_MASTER); 1868 if (!conn) 1869 bt_dev_err(hdev, "no memory for new connection"); 1870 } 1871 } 1872 1873 hci_dev_unlock(hdev); 1874 } 1875 1876 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1877 { 1878 struct hci_cp_add_sco *cp; 1879 struct hci_conn *acl, *sco; 1880 __u16 handle; 1881 1882 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1883 1884 if (!status) 1885 return; 1886 1887 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1888 if (!cp) 1889 return; 1890 1891 handle = __le16_to_cpu(cp->handle); 1892 1893 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1894 1895 hci_dev_lock(hdev); 1896 1897 acl = hci_conn_hash_lookup_handle(hdev, handle); 1898 if (acl) { 1899 sco = acl->link; 1900 if (sco) { 1901 sco->state = BT_CLOSED; 1902 1903 hci_connect_cfm(sco, status); 1904 hci_conn_del(sco); 1905 } 1906 } 1907 1908 hci_dev_unlock(hdev); 1909 } 1910 1911 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1912 { 1913 struct hci_cp_auth_requested *cp; 1914 struct hci_conn *conn; 1915 1916 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1917 1918 if (!status) 1919 return; 1920 1921 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1922 if (!cp) 1923 return; 1924 1925 hci_dev_lock(hdev); 1926 1927 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1928 if (conn) { 1929 if (conn->state == BT_CONFIG) { 1930 hci_connect_cfm(conn, status); 1931 hci_conn_drop(conn); 1932 } 1933 } 1934 1935 hci_dev_unlock(hdev); 1936 } 1937 1938 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1939 { 1940 struct hci_cp_set_conn_encrypt *cp; 1941 struct hci_conn *conn; 1942 1943 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1944 1945 if (!status) 1946 return; 1947 1948 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1949 if (!cp) 1950 return; 1951 1952 hci_dev_lock(hdev); 1953 1954 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1955 if (conn) { 1956 if (conn->state == BT_CONFIG) { 1957 hci_connect_cfm(conn, status); 1958 hci_conn_drop(conn); 1959 } 1960 } 1961 1962 hci_dev_unlock(hdev); 1963 } 1964 1965 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1966 struct hci_conn *conn) 1967 { 1968 if (conn->state != BT_CONFIG || !conn->out) 1969 return 0; 1970 1971 if (conn->pending_sec_level == BT_SECURITY_SDP) 1972 return 0; 1973 1974 /* Only request authentication for SSP connections or non-SSP 1975 * devices with sec_level MEDIUM or HIGH or if MITM protection 1976 * is requested. 1977 */ 1978 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1979 conn->pending_sec_level != BT_SECURITY_FIPS && 1980 conn->pending_sec_level != BT_SECURITY_HIGH && 1981 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1982 return 0; 1983 1984 return 1; 1985 } 1986 1987 static int hci_resolve_name(struct hci_dev *hdev, 1988 struct inquiry_entry *e) 1989 { 1990 struct hci_cp_remote_name_req cp; 1991 1992 memset(&cp, 0, sizeof(cp)); 1993 1994 bacpy(&cp.bdaddr, &e->data.bdaddr); 1995 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1996 cp.pscan_mode = e->data.pscan_mode; 1997 cp.clock_offset = e->data.clock_offset; 1998 1999 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2000 } 2001 2002 static bool hci_resolve_next_name(struct hci_dev *hdev) 2003 { 2004 struct discovery_state *discov = &hdev->discovery; 2005 struct inquiry_entry *e; 2006 2007 if (list_empty(&discov->resolve)) 2008 return false; 2009 2010 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2011 if (!e) 2012 return false; 2013 2014 if (hci_resolve_name(hdev, e) == 0) { 2015 e->name_state = NAME_PENDING; 2016 return true; 2017 } 2018 2019 return false; 2020 } 2021 2022 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2023 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2024 { 2025 struct discovery_state *discov = &hdev->discovery; 2026 struct inquiry_entry *e; 2027 2028 /* Update the mgmt connected state if necessary. Be careful with 2029 * conn objects that exist but are not (yet) connected however. 2030 * Only those in BT_CONFIG or BT_CONNECTED states can be 2031 * considered connected. 2032 */ 2033 if (conn && 2034 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2035 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2036 mgmt_device_connected(hdev, conn, 0, name, name_len); 2037 2038 if (discov->state == DISCOVERY_STOPPED) 2039 return; 2040 2041 if (discov->state == DISCOVERY_STOPPING) 2042 goto discov_complete; 2043 2044 if (discov->state != DISCOVERY_RESOLVING) 2045 return; 2046 2047 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2048 /* If the device was not found in a list of found devices names of which 2049 * are pending. there is no need to continue resolving a next name as it 2050 * will be done upon receiving another Remote Name Request Complete 2051 * Event */ 2052 if (!e) 2053 return; 2054 2055 list_del(&e->list); 2056 if (name) { 2057 e->name_state = NAME_KNOWN; 2058 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 2059 e->data.rssi, name, name_len); 2060 } else { 2061 e->name_state = NAME_NOT_KNOWN; 2062 } 2063 2064 if (hci_resolve_next_name(hdev)) 2065 return; 2066 2067 discov_complete: 2068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2069 } 2070 2071 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2072 { 2073 struct hci_cp_remote_name_req *cp; 2074 struct hci_conn *conn; 2075 2076 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2077 2078 /* If successful wait for the name req complete event before 2079 * checking for the need to do authentication */ 2080 if (!status) 2081 return; 2082 2083 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2084 if (!cp) 2085 return; 2086 2087 hci_dev_lock(hdev); 2088 2089 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2090 2091 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2092 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2093 2094 if (!conn) 2095 goto unlock; 2096 2097 if (!hci_outgoing_auth_needed(hdev, conn)) 2098 goto unlock; 2099 2100 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2101 struct hci_cp_auth_requested auth_cp; 2102 2103 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2104 2105 auth_cp.handle = __cpu_to_le16(conn->handle); 2106 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2107 sizeof(auth_cp), &auth_cp); 2108 } 2109 2110 unlock: 2111 hci_dev_unlock(hdev); 2112 } 2113 2114 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2115 { 2116 struct hci_cp_read_remote_features *cp; 2117 struct hci_conn *conn; 2118 2119 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2120 2121 if (!status) 2122 return; 2123 2124 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2125 if (!cp) 2126 return; 2127 2128 hci_dev_lock(hdev); 2129 2130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2131 if (conn) { 2132 if (conn->state == BT_CONFIG) { 2133 hci_connect_cfm(conn, status); 2134 hci_conn_drop(conn); 2135 } 2136 } 2137 2138 hci_dev_unlock(hdev); 2139 } 2140 2141 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2142 { 2143 struct hci_cp_read_remote_ext_features *cp; 2144 struct hci_conn *conn; 2145 2146 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2147 2148 if (!status) 2149 return; 2150 2151 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2152 if (!cp) 2153 return; 2154 2155 hci_dev_lock(hdev); 2156 2157 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2158 if (conn) { 2159 if (conn->state == BT_CONFIG) { 2160 hci_connect_cfm(conn, status); 2161 hci_conn_drop(conn); 2162 } 2163 } 2164 2165 hci_dev_unlock(hdev); 2166 } 2167 2168 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2169 { 2170 struct hci_cp_setup_sync_conn *cp; 2171 struct hci_conn *acl, *sco; 2172 __u16 handle; 2173 2174 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2175 2176 if (!status) 2177 return; 2178 2179 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2180 if (!cp) 2181 return; 2182 2183 handle = __le16_to_cpu(cp->handle); 2184 2185 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2186 2187 hci_dev_lock(hdev); 2188 2189 acl = hci_conn_hash_lookup_handle(hdev, handle); 2190 if (acl) { 2191 sco = acl->link; 2192 if (sco) { 2193 sco->state = BT_CLOSED; 2194 2195 hci_connect_cfm(sco, status); 2196 hci_conn_del(sco); 2197 } 2198 } 2199 2200 hci_dev_unlock(hdev); 2201 } 2202 2203 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2204 { 2205 struct hci_cp_sniff_mode *cp; 2206 struct hci_conn *conn; 2207 2208 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2209 2210 if (!status) 2211 return; 2212 2213 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2214 if (!cp) 2215 return; 2216 2217 hci_dev_lock(hdev); 2218 2219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2220 if (conn) { 2221 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2222 2223 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2224 hci_sco_setup(conn, status); 2225 } 2226 2227 hci_dev_unlock(hdev); 2228 } 2229 2230 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2231 { 2232 struct hci_cp_exit_sniff_mode *cp; 2233 struct hci_conn *conn; 2234 2235 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2236 2237 if (!status) 2238 return; 2239 2240 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2241 if (!cp) 2242 return; 2243 2244 hci_dev_lock(hdev); 2245 2246 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2247 if (conn) { 2248 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2249 2250 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2251 hci_sco_setup(conn, status); 2252 } 2253 2254 hci_dev_unlock(hdev); 2255 } 2256 2257 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2258 { 2259 struct hci_cp_disconnect *cp; 2260 struct hci_conn *conn; 2261 2262 if (!status) 2263 return; 2264 2265 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2266 if (!cp) 2267 return; 2268 2269 hci_dev_lock(hdev); 2270 2271 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2272 if (conn) { 2273 u8 type = conn->type; 2274 2275 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2276 conn->dst_type, status); 2277 2278 /* If the disconnection failed for any reason, the upper layer 2279 * does not retry to disconnect in current implementation. 2280 * Hence, we need to do some basic cleanup here and re-enable 2281 * advertising if necessary. 2282 */ 2283 hci_conn_del(conn); 2284 if (type == LE_LINK) 2285 hci_req_reenable_advertising(hdev); 2286 } 2287 2288 hci_dev_unlock(hdev); 2289 } 2290 2291 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2292 u8 peer_addr_type, u8 own_address_type, 2293 u8 filter_policy) 2294 { 2295 struct hci_conn *conn; 2296 2297 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2298 peer_addr_type); 2299 if (!conn) 2300 return; 2301 2302 /* Store the initiator and responder address information which 2303 * is needed for SMP. These values will not change during the 2304 * lifetime of the connection. 2305 */ 2306 conn->init_addr_type = own_address_type; 2307 if (own_address_type == ADDR_LE_DEV_RANDOM) 2308 bacpy(&conn->init_addr, &hdev->random_addr); 2309 else 2310 bacpy(&conn->init_addr, &hdev->bdaddr); 2311 2312 conn->resp_addr_type = peer_addr_type; 2313 bacpy(&conn->resp_addr, peer_addr); 2314 2315 /* We don't want the connection attempt to stick around 2316 * indefinitely since LE doesn't have a page timeout concept 2317 * like BR/EDR. Set a timer for any connection that doesn't use 2318 * the white list for connecting. 2319 */ 2320 if (filter_policy == HCI_LE_USE_PEER_ADDR) 2321 queue_delayed_work(conn->hdev->workqueue, 2322 &conn->le_conn_timeout, 2323 conn->conn_timeout); 2324 } 2325 2326 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2327 { 2328 struct hci_cp_le_create_conn *cp; 2329 2330 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2331 2332 /* All connection failure handling is taken care of by the 2333 * hci_le_conn_failed function which is triggered by the HCI 2334 * request completion callbacks used for connecting. 2335 */ 2336 if (status) 2337 return; 2338 2339 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2340 if (!cp) 2341 return; 2342 2343 hci_dev_lock(hdev); 2344 2345 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2346 cp->own_address_type, cp->filter_policy); 2347 2348 hci_dev_unlock(hdev); 2349 } 2350 2351 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2352 { 2353 struct hci_cp_le_ext_create_conn *cp; 2354 2355 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2356 2357 /* All connection failure handling is taken care of by the 2358 * hci_le_conn_failed function which is triggered by the HCI 2359 * request completion callbacks used for connecting. 2360 */ 2361 if (status) 2362 return; 2363 2364 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2365 if (!cp) 2366 return; 2367 2368 hci_dev_lock(hdev); 2369 2370 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2371 cp->own_addr_type, cp->filter_policy); 2372 2373 hci_dev_unlock(hdev); 2374 } 2375 2376 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2377 { 2378 struct hci_cp_le_read_remote_features *cp; 2379 struct hci_conn *conn; 2380 2381 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2382 2383 if (!status) 2384 return; 2385 2386 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2387 if (!cp) 2388 return; 2389 2390 hci_dev_lock(hdev); 2391 2392 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2393 if (conn) { 2394 if (conn->state == BT_CONFIG) { 2395 hci_connect_cfm(conn, status); 2396 hci_conn_drop(conn); 2397 } 2398 } 2399 2400 hci_dev_unlock(hdev); 2401 } 2402 2403 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2404 { 2405 struct hci_cp_le_start_enc *cp; 2406 struct hci_conn *conn; 2407 2408 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2409 2410 if (!status) 2411 return; 2412 2413 hci_dev_lock(hdev); 2414 2415 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2416 if (!cp) 2417 goto unlock; 2418 2419 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2420 if (!conn) 2421 goto unlock; 2422 2423 if (conn->state != BT_CONNECTED) 2424 goto unlock; 2425 2426 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2427 hci_conn_drop(conn); 2428 2429 unlock: 2430 hci_dev_unlock(hdev); 2431 } 2432 2433 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2434 { 2435 struct hci_cp_switch_role *cp; 2436 struct hci_conn *conn; 2437 2438 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2439 2440 if (!status) 2441 return; 2442 2443 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2444 if (!cp) 2445 return; 2446 2447 hci_dev_lock(hdev); 2448 2449 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2450 if (conn) 2451 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2452 2453 hci_dev_unlock(hdev); 2454 } 2455 2456 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2457 { 2458 __u8 status = *((__u8 *) skb->data); 2459 struct discovery_state *discov = &hdev->discovery; 2460 struct inquiry_entry *e; 2461 2462 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2463 2464 hci_conn_check_pending(hdev); 2465 2466 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2467 return; 2468 2469 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2470 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2471 2472 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2473 return; 2474 2475 hci_dev_lock(hdev); 2476 2477 if (discov->state != DISCOVERY_FINDING) 2478 goto unlock; 2479 2480 if (list_empty(&discov->resolve)) { 2481 /* When BR/EDR inquiry is active and no LE scanning is in 2482 * progress, then change discovery state to indicate completion. 2483 * 2484 * When running LE scanning and BR/EDR inquiry simultaneously 2485 * and the LE scan already finished, then change the discovery 2486 * state to indicate completion. 2487 */ 2488 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2489 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2490 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2491 goto unlock; 2492 } 2493 2494 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2495 if (e && hci_resolve_name(hdev, e) == 0) { 2496 e->name_state = NAME_PENDING; 2497 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2498 } else { 2499 /* When BR/EDR inquiry is active and no LE scanning is in 2500 * progress, then change discovery state to indicate completion. 2501 * 2502 * When running LE scanning and BR/EDR inquiry simultaneously 2503 * and the LE scan already finished, then change the discovery 2504 * state to indicate completion. 2505 */ 2506 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2507 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2508 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2509 } 2510 2511 unlock: 2512 hci_dev_unlock(hdev); 2513 } 2514 2515 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2516 { 2517 struct inquiry_data data; 2518 struct inquiry_info *info = (void *) (skb->data + 1); 2519 int num_rsp = *((__u8 *) skb->data); 2520 2521 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2522 2523 if (!num_rsp) 2524 return; 2525 2526 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2527 return; 2528 2529 hci_dev_lock(hdev); 2530 2531 for (; num_rsp; num_rsp--, info++) { 2532 u32 flags; 2533 2534 bacpy(&data.bdaddr, &info->bdaddr); 2535 data.pscan_rep_mode = info->pscan_rep_mode; 2536 data.pscan_period_mode = info->pscan_period_mode; 2537 data.pscan_mode = info->pscan_mode; 2538 memcpy(data.dev_class, info->dev_class, 3); 2539 data.clock_offset = info->clock_offset; 2540 data.rssi = HCI_RSSI_INVALID; 2541 data.ssp_mode = 0x00; 2542 2543 flags = hci_inquiry_cache_update(hdev, &data, false); 2544 2545 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2546 info->dev_class, HCI_RSSI_INVALID, 2547 flags, NULL, 0, NULL, 0); 2548 } 2549 2550 hci_dev_unlock(hdev); 2551 } 2552 2553 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2554 { 2555 struct hci_ev_conn_complete *ev = (void *) skb->data; 2556 struct inquiry_entry *ie; 2557 struct hci_conn *conn; 2558 2559 BT_DBG("%s", hdev->name); 2560 2561 hci_dev_lock(hdev); 2562 2563 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2564 if (!conn) { 2565 /* Connection may not exist if auto-connected. Check the inquiry 2566 * cache to see if we've already discovered this bdaddr before. 2567 * If found and link is an ACL type, create a connection class 2568 * automatically. 2569 */ 2570 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2571 if (ie && ev->link_type == ACL_LINK) { 2572 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2573 HCI_ROLE_SLAVE); 2574 if (!conn) { 2575 bt_dev_err(hdev, "no memory for new conn"); 2576 goto unlock; 2577 } 2578 } else { 2579 if (ev->link_type != SCO_LINK) 2580 goto unlock; 2581 2582 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 2583 &ev->bdaddr); 2584 if (!conn) 2585 goto unlock; 2586 2587 conn->type = SCO_LINK; 2588 } 2589 } 2590 2591 if (!ev->status) { 2592 conn->handle = __le16_to_cpu(ev->handle); 2593 2594 if (conn->type == ACL_LINK) { 2595 conn->state = BT_CONFIG; 2596 hci_conn_hold(conn); 2597 2598 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2599 !hci_find_link_key(hdev, &ev->bdaddr)) 2600 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2601 else 2602 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2603 } else 2604 conn->state = BT_CONNECTED; 2605 2606 hci_debugfs_create_conn(conn); 2607 hci_conn_add_sysfs(conn); 2608 2609 if (test_bit(HCI_AUTH, &hdev->flags)) 2610 set_bit(HCI_CONN_AUTH, &conn->flags); 2611 2612 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2613 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2614 2615 /* Get remote features */ 2616 if (conn->type == ACL_LINK) { 2617 struct hci_cp_read_remote_features cp; 2618 cp.handle = ev->handle; 2619 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2620 sizeof(cp), &cp); 2621 2622 hci_req_update_scan(hdev); 2623 } 2624 2625 /* Set packet type for incoming connection */ 2626 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2627 struct hci_cp_change_conn_ptype cp; 2628 cp.handle = ev->handle; 2629 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2630 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2631 &cp); 2632 } 2633 } else { 2634 conn->state = BT_CLOSED; 2635 if (conn->type == ACL_LINK) 2636 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2637 conn->dst_type, ev->status); 2638 } 2639 2640 if (conn->type == ACL_LINK) 2641 hci_sco_setup(conn, ev->status); 2642 2643 if (ev->status) { 2644 hci_connect_cfm(conn, ev->status); 2645 hci_conn_del(conn); 2646 } else if (ev->link_type == SCO_LINK) { 2647 switch (conn->setting & SCO_AIRMODE_MASK) { 2648 case SCO_AIRMODE_CVSD: 2649 if (hdev->notify) 2650 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 2651 break; 2652 } 2653 2654 hci_connect_cfm(conn, ev->status); 2655 } 2656 2657 unlock: 2658 hci_dev_unlock(hdev); 2659 2660 hci_conn_check_pending(hdev); 2661 } 2662 2663 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2664 { 2665 struct hci_cp_reject_conn_req cp; 2666 2667 bacpy(&cp.bdaddr, bdaddr); 2668 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2669 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2670 } 2671 2672 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2673 { 2674 struct hci_ev_conn_request *ev = (void *) skb->data; 2675 int mask = hdev->link_mode; 2676 struct inquiry_entry *ie; 2677 struct hci_conn *conn; 2678 __u8 flags = 0; 2679 2680 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2681 ev->link_type); 2682 2683 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2684 &flags); 2685 2686 if (!(mask & HCI_LM_ACCEPT)) { 2687 hci_reject_conn(hdev, &ev->bdaddr); 2688 return; 2689 } 2690 2691 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2692 BDADDR_BREDR)) { 2693 hci_reject_conn(hdev, &ev->bdaddr); 2694 return; 2695 } 2696 2697 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2698 * connection. These features are only touched through mgmt so 2699 * only do the checks if HCI_MGMT is set. 2700 */ 2701 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2702 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2703 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr, 2704 BDADDR_BREDR)) { 2705 hci_reject_conn(hdev, &ev->bdaddr); 2706 return; 2707 } 2708 2709 /* Connection accepted */ 2710 2711 hci_dev_lock(hdev); 2712 2713 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2714 if (ie) 2715 memcpy(ie->data.dev_class, ev->dev_class, 3); 2716 2717 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2718 &ev->bdaddr); 2719 if (!conn) { 2720 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2721 HCI_ROLE_SLAVE); 2722 if (!conn) { 2723 bt_dev_err(hdev, "no memory for new connection"); 2724 hci_dev_unlock(hdev); 2725 return; 2726 } 2727 } 2728 2729 memcpy(conn->dev_class, ev->dev_class, 3); 2730 2731 hci_dev_unlock(hdev); 2732 2733 if (ev->link_type == ACL_LINK || 2734 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2735 struct hci_cp_accept_conn_req cp; 2736 conn->state = BT_CONNECT; 2737 2738 bacpy(&cp.bdaddr, &ev->bdaddr); 2739 2740 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2741 cp.role = 0x00; /* Become master */ 2742 else 2743 cp.role = 0x01; /* Remain slave */ 2744 2745 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2746 } else if (!(flags & HCI_PROTO_DEFER)) { 2747 struct hci_cp_accept_sync_conn_req cp; 2748 conn->state = BT_CONNECT; 2749 2750 bacpy(&cp.bdaddr, &ev->bdaddr); 2751 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2752 2753 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2754 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2755 cp.max_latency = cpu_to_le16(0xffff); 2756 cp.content_format = cpu_to_le16(hdev->voice_setting); 2757 cp.retrans_effort = 0xff; 2758 2759 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2760 &cp); 2761 } else { 2762 conn->state = BT_CONNECT2; 2763 hci_connect_cfm(conn, 0); 2764 } 2765 } 2766 2767 static u8 hci_to_mgmt_reason(u8 err) 2768 { 2769 switch (err) { 2770 case HCI_ERROR_CONNECTION_TIMEOUT: 2771 return MGMT_DEV_DISCONN_TIMEOUT; 2772 case HCI_ERROR_REMOTE_USER_TERM: 2773 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2774 case HCI_ERROR_REMOTE_POWER_OFF: 2775 return MGMT_DEV_DISCONN_REMOTE; 2776 case HCI_ERROR_LOCAL_HOST_TERM: 2777 return MGMT_DEV_DISCONN_LOCAL_HOST; 2778 default: 2779 return MGMT_DEV_DISCONN_UNKNOWN; 2780 } 2781 } 2782 2783 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2784 { 2785 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2786 u8 reason; 2787 struct hci_conn_params *params; 2788 struct hci_conn *conn; 2789 bool mgmt_connected; 2790 u8 type; 2791 2792 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2793 2794 hci_dev_lock(hdev); 2795 2796 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2797 if (!conn) 2798 goto unlock; 2799 2800 if (ev->status) { 2801 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2802 conn->dst_type, ev->status); 2803 goto unlock; 2804 } 2805 2806 conn->state = BT_CLOSED; 2807 2808 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2809 2810 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 2811 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 2812 else 2813 reason = hci_to_mgmt_reason(ev->reason); 2814 2815 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2816 reason, mgmt_connected); 2817 2818 if (conn->type == ACL_LINK) { 2819 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2820 hci_remove_link_key(hdev, &conn->dst); 2821 2822 hci_req_update_scan(hdev); 2823 } 2824 2825 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2826 if (params) { 2827 switch (params->auto_connect) { 2828 case HCI_AUTO_CONN_LINK_LOSS: 2829 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2830 break; 2831 /* Fall through */ 2832 2833 case HCI_AUTO_CONN_DIRECT: 2834 case HCI_AUTO_CONN_ALWAYS: 2835 list_del_init(¶ms->action); 2836 list_add(¶ms->action, &hdev->pend_le_conns); 2837 hci_update_background_scan(hdev); 2838 break; 2839 2840 default: 2841 break; 2842 } 2843 } 2844 2845 type = conn->type; 2846 2847 hci_disconn_cfm(conn, ev->reason); 2848 hci_conn_del(conn); 2849 2850 /* The suspend notifier is waiting for all devices to disconnect so 2851 * clear the bit from pending tasks and inform the wait queue. 2852 */ 2853 if (list_empty(&hdev->conn_hash.list) && 2854 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) { 2855 wake_up(&hdev->suspend_wait_q); 2856 } 2857 2858 /* Re-enable advertising if necessary, since it might 2859 * have been disabled by the connection. From the 2860 * HCI_LE_Set_Advertise_Enable command description in 2861 * the core specification (v4.0): 2862 * "The Controller shall continue advertising until the Host 2863 * issues an LE_Set_Advertise_Enable command with 2864 * Advertising_Enable set to 0x00 (Advertising is disabled) 2865 * or until a connection is created or until the Advertising 2866 * is timed out due to Directed Advertising." 2867 */ 2868 if (type == LE_LINK) 2869 hci_req_reenable_advertising(hdev); 2870 2871 unlock: 2872 hci_dev_unlock(hdev); 2873 } 2874 2875 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2876 { 2877 struct hci_ev_auth_complete *ev = (void *) skb->data; 2878 struct hci_conn *conn; 2879 2880 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2881 2882 hci_dev_lock(hdev); 2883 2884 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2885 if (!conn) 2886 goto unlock; 2887 2888 if (!ev->status) { 2889 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2890 2891 if (!hci_conn_ssp_enabled(conn) && 2892 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2893 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 2894 } else { 2895 set_bit(HCI_CONN_AUTH, &conn->flags); 2896 conn->sec_level = conn->pending_sec_level; 2897 } 2898 } else { 2899 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2900 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2901 2902 mgmt_auth_failed(conn, ev->status); 2903 } 2904 2905 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2906 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2907 2908 if (conn->state == BT_CONFIG) { 2909 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2910 struct hci_cp_set_conn_encrypt cp; 2911 cp.handle = ev->handle; 2912 cp.encrypt = 0x01; 2913 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2914 &cp); 2915 } else { 2916 conn->state = BT_CONNECTED; 2917 hci_connect_cfm(conn, ev->status); 2918 hci_conn_drop(conn); 2919 } 2920 } else { 2921 hci_auth_cfm(conn, ev->status); 2922 2923 hci_conn_hold(conn); 2924 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2925 hci_conn_drop(conn); 2926 } 2927 2928 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2929 if (!ev->status) { 2930 struct hci_cp_set_conn_encrypt cp; 2931 cp.handle = ev->handle; 2932 cp.encrypt = 0x01; 2933 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2934 &cp); 2935 } else { 2936 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2937 hci_encrypt_cfm(conn, ev->status); 2938 } 2939 } 2940 2941 unlock: 2942 hci_dev_unlock(hdev); 2943 } 2944 2945 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2946 { 2947 struct hci_ev_remote_name *ev = (void *) skb->data; 2948 struct hci_conn *conn; 2949 2950 BT_DBG("%s", hdev->name); 2951 2952 hci_conn_check_pending(hdev); 2953 2954 hci_dev_lock(hdev); 2955 2956 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2957 2958 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2959 goto check_auth; 2960 2961 if (ev->status == 0) 2962 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2963 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2964 else 2965 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2966 2967 check_auth: 2968 if (!conn) 2969 goto unlock; 2970 2971 if (!hci_outgoing_auth_needed(hdev, conn)) 2972 goto unlock; 2973 2974 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2975 struct hci_cp_auth_requested cp; 2976 2977 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2978 2979 cp.handle = __cpu_to_le16(conn->handle); 2980 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2981 } 2982 2983 unlock: 2984 hci_dev_unlock(hdev); 2985 } 2986 2987 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 2988 u16 opcode, struct sk_buff *skb) 2989 { 2990 const struct hci_rp_read_enc_key_size *rp; 2991 struct hci_conn *conn; 2992 u16 handle; 2993 2994 BT_DBG("%s status 0x%02x", hdev->name, status); 2995 2996 if (!skb || skb->len < sizeof(*rp)) { 2997 bt_dev_err(hdev, "invalid read key size response"); 2998 return; 2999 } 3000 3001 rp = (void *)skb->data; 3002 handle = le16_to_cpu(rp->handle); 3003 3004 hci_dev_lock(hdev); 3005 3006 conn = hci_conn_hash_lookup_handle(hdev, handle); 3007 if (!conn) 3008 goto unlock; 3009 3010 /* While unexpected, the read_enc_key_size command may fail. The most 3011 * secure approach is to then assume the key size is 0 to force a 3012 * disconnection. 3013 */ 3014 if (rp->status) { 3015 bt_dev_err(hdev, "failed to read key size for handle %u", 3016 handle); 3017 conn->enc_key_size = 0; 3018 } else { 3019 conn->enc_key_size = rp->key_size; 3020 } 3021 3022 hci_encrypt_cfm(conn, 0); 3023 3024 unlock: 3025 hci_dev_unlock(hdev); 3026 } 3027 3028 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3029 { 3030 struct hci_ev_encrypt_change *ev = (void *) skb->data; 3031 struct hci_conn *conn; 3032 3033 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3034 3035 hci_dev_lock(hdev); 3036 3037 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3038 if (!conn) 3039 goto unlock; 3040 3041 if (!ev->status) { 3042 if (ev->encrypt) { 3043 /* Encryption implies authentication */ 3044 set_bit(HCI_CONN_AUTH, &conn->flags); 3045 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3046 conn->sec_level = conn->pending_sec_level; 3047 3048 /* P-256 authentication key implies FIPS */ 3049 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3050 set_bit(HCI_CONN_FIPS, &conn->flags); 3051 3052 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3053 conn->type == LE_LINK) 3054 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3055 } else { 3056 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3057 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3058 } 3059 } 3060 3061 /* We should disregard the current RPA and generate a new one 3062 * whenever the encryption procedure fails. 3063 */ 3064 if (ev->status && conn->type == LE_LINK) { 3065 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3066 hci_adv_instances_set_rpa_expired(hdev, true); 3067 } 3068 3069 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3070 3071 if (ev->status && conn->state == BT_CONNECTED) { 3072 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3073 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3074 3075 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3076 hci_conn_drop(conn); 3077 goto unlock; 3078 } 3079 3080 /* In Secure Connections Only mode, do not allow any connections 3081 * that are not encrypted with AES-CCM using a P-256 authenticated 3082 * combination key. 3083 */ 3084 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && 3085 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 3086 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 3087 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 3088 hci_conn_drop(conn); 3089 goto unlock; 3090 } 3091 3092 /* Try reading the encryption key size for encrypted ACL links */ 3093 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3094 struct hci_cp_read_enc_key_size cp; 3095 struct hci_request req; 3096 3097 /* Only send HCI_Read_Encryption_Key_Size if the 3098 * controller really supports it. If it doesn't, assume 3099 * the default size (16). 3100 */ 3101 if (!(hdev->commands[20] & 0x10)) { 3102 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3103 goto notify; 3104 } 3105 3106 hci_req_init(&req, hdev); 3107 3108 cp.handle = cpu_to_le16(conn->handle); 3109 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 3110 3111 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 3112 bt_dev_err(hdev, "sending read key size failed"); 3113 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3114 goto notify; 3115 } 3116 3117 goto unlock; 3118 } 3119 3120 /* Set the default Authenticated Payload Timeout after 3121 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3122 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3123 * sent when the link is active and Encryption is enabled, the conn 3124 * type can be either LE or ACL and controller must support LMP Ping. 3125 * Ensure for AES-CCM encryption as well. 3126 */ 3127 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3128 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3129 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3130 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3131 struct hci_cp_write_auth_payload_to cp; 3132 3133 cp.handle = cpu_to_le16(conn->handle); 3134 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3135 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3136 sizeof(cp), &cp); 3137 } 3138 3139 notify: 3140 hci_encrypt_cfm(conn, ev->status); 3141 3142 unlock: 3143 hci_dev_unlock(hdev); 3144 } 3145 3146 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 3147 struct sk_buff *skb) 3148 { 3149 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 3150 struct hci_conn *conn; 3151 3152 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3153 3154 hci_dev_lock(hdev); 3155 3156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3157 if (conn) { 3158 if (!ev->status) 3159 set_bit(HCI_CONN_SECURE, &conn->flags); 3160 3161 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3162 3163 hci_key_change_cfm(conn, ev->status); 3164 } 3165 3166 hci_dev_unlock(hdev); 3167 } 3168 3169 static void hci_remote_features_evt(struct hci_dev *hdev, 3170 struct sk_buff *skb) 3171 { 3172 struct hci_ev_remote_features *ev = (void *) skb->data; 3173 struct hci_conn *conn; 3174 3175 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3176 3177 hci_dev_lock(hdev); 3178 3179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3180 if (!conn) 3181 goto unlock; 3182 3183 if (!ev->status) 3184 memcpy(conn->features[0], ev->features, 8); 3185 3186 if (conn->state != BT_CONFIG) 3187 goto unlock; 3188 3189 if (!ev->status && lmp_ext_feat_capable(hdev) && 3190 lmp_ext_feat_capable(conn)) { 3191 struct hci_cp_read_remote_ext_features cp; 3192 cp.handle = ev->handle; 3193 cp.page = 0x01; 3194 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3195 sizeof(cp), &cp); 3196 goto unlock; 3197 } 3198 3199 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3200 struct hci_cp_remote_name_req cp; 3201 memset(&cp, 0, sizeof(cp)); 3202 bacpy(&cp.bdaddr, &conn->dst); 3203 cp.pscan_rep_mode = 0x02; 3204 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3205 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3206 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3207 3208 if (!hci_outgoing_auth_needed(hdev, conn)) { 3209 conn->state = BT_CONNECTED; 3210 hci_connect_cfm(conn, ev->status); 3211 hci_conn_drop(conn); 3212 } 3213 3214 unlock: 3215 hci_dev_unlock(hdev); 3216 } 3217 3218 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 3219 u16 *opcode, u8 *status, 3220 hci_req_complete_t *req_complete, 3221 hci_req_complete_skb_t *req_complete_skb) 3222 { 3223 struct hci_ev_cmd_complete *ev = (void *) skb->data; 3224 3225 *opcode = __le16_to_cpu(ev->opcode); 3226 *status = skb->data[sizeof(*ev)]; 3227 3228 skb_pull(skb, sizeof(*ev)); 3229 3230 switch (*opcode) { 3231 case HCI_OP_INQUIRY_CANCEL: 3232 hci_cc_inquiry_cancel(hdev, skb, status); 3233 break; 3234 3235 case HCI_OP_PERIODIC_INQ: 3236 hci_cc_periodic_inq(hdev, skb); 3237 break; 3238 3239 case HCI_OP_EXIT_PERIODIC_INQ: 3240 hci_cc_exit_periodic_inq(hdev, skb); 3241 break; 3242 3243 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 3244 hci_cc_remote_name_req_cancel(hdev, skb); 3245 break; 3246 3247 case HCI_OP_ROLE_DISCOVERY: 3248 hci_cc_role_discovery(hdev, skb); 3249 break; 3250 3251 case HCI_OP_READ_LINK_POLICY: 3252 hci_cc_read_link_policy(hdev, skb); 3253 break; 3254 3255 case HCI_OP_WRITE_LINK_POLICY: 3256 hci_cc_write_link_policy(hdev, skb); 3257 break; 3258 3259 case HCI_OP_READ_DEF_LINK_POLICY: 3260 hci_cc_read_def_link_policy(hdev, skb); 3261 break; 3262 3263 case HCI_OP_WRITE_DEF_LINK_POLICY: 3264 hci_cc_write_def_link_policy(hdev, skb); 3265 break; 3266 3267 case HCI_OP_RESET: 3268 hci_cc_reset(hdev, skb); 3269 break; 3270 3271 case HCI_OP_READ_STORED_LINK_KEY: 3272 hci_cc_read_stored_link_key(hdev, skb); 3273 break; 3274 3275 case HCI_OP_DELETE_STORED_LINK_KEY: 3276 hci_cc_delete_stored_link_key(hdev, skb); 3277 break; 3278 3279 case HCI_OP_WRITE_LOCAL_NAME: 3280 hci_cc_write_local_name(hdev, skb); 3281 break; 3282 3283 case HCI_OP_READ_LOCAL_NAME: 3284 hci_cc_read_local_name(hdev, skb); 3285 break; 3286 3287 case HCI_OP_WRITE_AUTH_ENABLE: 3288 hci_cc_write_auth_enable(hdev, skb); 3289 break; 3290 3291 case HCI_OP_WRITE_ENCRYPT_MODE: 3292 hci_cc_write_encrypt_mode(hdev, skb); 3293 break; 3294 3295 case HCI_OP_WRITE_SCAN_ENABLE: 3296 hci_cc_write_scan_enable(hdev, skb); 3297 break; 3298 3299 case HCI_OP_READ_CLASS_OF_DEV: 3300 hci_cc_read_class_of_dev(hdev, skb); 3301 break; 3302 3303 case HCI_OP_WRITE_CLASS_OF_DEV: 3304 hci_cc_write_class_of_dev(hdev, skb); 3305 break; 3306 3307 case HCI_OP_READ_VOICE_SETTING: 3308 hci_cc_read_voice_setting(hdev, skb); 3309 break; 3310 3311 case HCI_OP_WRITE_VOICE_SETTING: 3312 hci_cc_write_voice_setting(hdev, skb); 3313 break; 3314 3315 case HCI_OP_READ_NUM_SUPPORTED_IAC: 3316 hci_cc_read_num_supported_iac(hdev, skb); 3317 break; 3318 3319 case HCI_OP_WRITE_SSP_MODE: 3320 hci_cc_write_ssp_mode(hdev, skb); 3321 break; 3322 3323 case HCI_OP_WRITE_SC_SUPPORT: 3324 hci_cc_write_sc_support(hdev, skb); 3325 break; 3326 3327 case HCI_OP_READ_AUTH_PAYLOAD_TO: 3328 hci_cc_read_auth_payload_timeout(hdev, skb); 3329 break; 3330 3331 case HCI_OP_WRITE_AUTH_PAYLOAD_TO: 3332 hci_cc_write_auth_payload_timeout(hdev, skb); 3333 break; 3334 3335 case HCI_OP_READ_LOCAL_VERSION: 3336 hci_cc_read_local_version(hdev, skb); 3337 break; 3338 3339 case HCI_OP_READ_LOCAL_COMMANDS: 3340 hci_cc_read_local_commands(hdev, skb); 3341 break; 3342 3343 case HCI_OP_READ_LOCAL_FEATURES: 3344 hci_cc_read_local_features(hdev, skb); 3345 break; 3346 3347 case HCI_OP_READ_LOCAL_EXT_FEATURES: 3348 hci_cc_read_local_ext_features(hdev, skb); 3349 break; 3350 3351 case HCI_OP_READ_BUFFER_SIZE: 3352 hci_cc_read_buffer_size(hdev, skb); 3353 break; 3354 3355 case HCI_OP_READ_BD_ADDR: 3356 hci_cc_read_bd_addr(hdev, skb); 3357 break; 3358 3359 case HCI_OP_READ_LOCAL_PAIRING_OPTS: 3360 hci_cc_read_local_pairing_opts(hdev, skb); 3361 break; 3362 3363 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 3364 hci_cc_read_page_scan_activity(hdev, skb); 3365 break; 3366 3367 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 3368 hci_cc_write_page_scan_activity(hdev, skb); 3369 break; 3370 3371 case HCI_OP_READ_PAGE_SCAN_TYPE: 3372 hci_cc_read_page_scan_type(hdev, skb); 3373 break; 3374 3375 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 3376 hci_cc_write_page_scan_type(hdev, skb); 3377 break; 3378 3379 case HCI_OP_READ_DATA_BLOCK_SIZE: 3380 hci_cc_read_data_block_size(hdev, skb); 3381 break; 3382 3383 case HCI_OP_READ_FLOW_CONTROL_MODE: 3384 hci_cc_read_flow_control_mode(hdev, skb); 3385 break; 3386 3387 case HCI_OP_READ_LOCAL_AMP_INFO: 3388 hci_cc_read_local_amp_info(hdev, skb); 3389 break; 3390 3391 case HCI_OP_READ_CLOCK: 3392 hci_cc_read_clock(hdev, skb); 3393 break; 3394 3395 case HCI_OP_READ_INQ_RSP_TX_POWER: 3396 hci_cc_read_inq_rsp_tx_power(hdev, skb); 3397 break; 3398 3399 case HCI_OP_READ_DEF_ERR_DATA_REPORTING: 3400 hci_cc_read_def_err_data_reporting(hdev, skb); 3401 break; 3402 3403 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING: 3404 hci_cc_write_def_err_data_reporting(hdev, skb); 3405 break; 3406 3407 case HCI_OP_PIN_CODE_REPLY: 3408 hci_cc_pin_code_reply(hdev, skb); 3409 break; 3410 3411 case HCI_OP_PIN_CODE_NEG_REPLY: 3412 hci_cc_pin_code_neg_reply(hdev, skb); 3413 break; 3414 3415 case HCI_OP_READ_LOCAL_OOB_DATA: 3416 hci_cc_read_local_oob_data(hdev, skb); 3417 break; 3418 3419 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 3420 hci_cc_read_local_oob_ext_data(hdev, skb); 3421 break; 3422 3423 case HCI_OP_LE_READ_BUFFER_SIZE: 3424 hci_cc_le_read_buffer_size(hdev, skb); 3425 break; 3426 3427 case HCI_OP_LE_READ_LOCAL_FEATURES: 3428 hci_cc_le_read_local_features(hdev, skb); 3429 break; 3430 3431 case HCI_OP_LE_READ_ADV_TX_POWER: 3432 hci_cc_le_read_adv_tx_power(hdev, skb); 3433 break; 3434 3435 case HCI_OP_USER_CONFIRM_REPLY: 3436 hci_cc_user_confirm_reply(hdev, skb); 3437 break; 3438 3439 case HCI_OP_USER_CONFIRM_NEG_REPLY: 3440 hci_cc_user_confirm_neg_reply(hdev, skb); 3441 break; 3442 3443 case HCI_OP_USER_PASSKEY_REPLY: 3444 hci_cc_user_passkey_reply(hdev, skb); 3445 break; 3446 3447 case HCI_OP_USER_PASSKEY_NEG_REPLY: 3448 hci_cc_user_passkey_neg_reply(hdev, skb); 3449 break; 3450 3451 case HCI_OP_LE_SET_RANDOM_ADDR: 3452 hci_cc_le_set_random_addr(hdev, skb); 3453 break; 3454 3455 case HCI_OP_LE_SET_ADV_ENABLE: 3456 hci_cc_le_set_adv_enable(hdev, skb); 3457 break; 3458 3459 case HCI_OP_LE_SET_SCAN_PARAM: 3460 hci_cc_le_set_scan_param(hdev, skb); 3461 break; 3462 3463 case HCI_OP_LE_SET_SCAN_ENABLE: 3464 hci_cc_le_set_scan_enable(hdev, skb); 3465 break; 3466 3467 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 3468 hci_cc_le_read_white_list_size(hdev, skb); 3469 break; 3470 3471 case HCI_OP_LE_CLEAR_WHITE_LIST: 3472 hci_cc_le_clear_white_list(hdev, skb); 3473 break; 3474 3475 case HCI_OP_LE_ADD_TO_WHITE_LIST: 3476 hci_cc_le_add_to_white_list(hdev, skb); 3477 break; 3478 3479 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 3480 hci_cc_le_del_from_white_list(hdev, skb); 3481 break; 3482 3483 case HCI_OP_LE_READ_SUPPORTED_STATES: 3484 hci_cc_le_read_supported_states(hdev, skb); 3485 break; 3486 3487 case HCI_OP_LE_READ_DEF_DATA_LEN: 3488 hci_cc_le_read_def_data_len(hdev, skb); 3489 break; 3490 3491 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3492 hci_cc_le_write_def_data_len(hdev, skb); 3493 break; 3494 3495 case HCI_OP_LE_ADD_TO_RESOLV_LIST: 3496 hci_cc_le_add_to_resolv_list(hdev, skb); 3497 break; 3498 3499 case HCI_OP_LE_DEL_FROM_RESOLV_LIST: 3500 hci_cc_le_del_from_resolv_list(hdev, skb); 3501 break; 3502 3503 case HCI_OP_LE_CLEAR_RESOLV_LIST: 3504 hci_cc_le_clear_resolv_list(hdev, skb); 3505 break; 3506 3507 case HCI_OP_LE_READ_RESOLV_LIST_SIZE: 3508 hci_cc_le_read_resolv_list_size(hdev, skb); 3509 break; 3510 3511 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE: 3512 hci_cc_le_set_addr_resolution_enable(hdev, skb); 3513 break; 3514 3515 case HCI_OP_LE_READ_MAX_DATA_LEN: 3516 hci_cc_le_read_max_data_len(hdev, skb); 3517 break; 3518 3519 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3520 hci_cc_write_le_host_supported(hdev, skb); 3521 break; 3522 3523 case HCI_OP_LE_SET_ADV_PARAM: 3524 hci_cc_set_adv_param(hdev, skb); 3525 break; 3526 3527 case HCI_OP_READ_RSSI: 3528 hci_cc_read_rssi(hdev, skb); 3529 break; 3530 3531 case HCI_OP_READ_TX_POWER: 3532 hci_cc_read_tx_power(hdev, skb); 3533 break; 3534 3535 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3536 hci_cc_write_ssp_debug_mode(hdev, skb); 3537 break; 3538 3539 case HCI_OP_LE_SET_EXT_SCAN_PARAMS: 3540 hci_cc_le_set_ext_scan_param(hdev, skb); 3541 break; 3542 3543 case HCI_OP_LE_SET_EXT_SCAN_ENABLE: 3544 hci_cc_le_set_ext_scan_enable(hdev, skb); 3545 break; 3546 3547 case HCI_OP_LE_SET_DEFAULT_PHY: 3548 hci_cc_le_set_default_phy(hdev, skb); 3549 break; 3550 3551 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS: 3552 hci_cc_le_read_num_adv_sets(hdev, skb); 3553 break; 3554 3555 case HCI_OP_LE_SET_EXT_ADV_PARAMS: 3556 hci_cc_set_ext_adv_param(hdev, skb); 3557 break; 3558 3559 case HCI_OP_LE_SET_EXT_ADV_ENABLE: 3560 hci_cc_le_set_ext_adv_enable(hdev, skb); 3561 break; 3562 3563 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR: 3564 hci_cc_le_set_adv_set_random_addr(hdev, skb); 3565 break; 3566 3567 default: 3568 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3569 break; 3570 } 3571 3572 if (*opcode != HCI_OP_NOP) 3573 cancel_delayed_work(&hdev->cmd_timer); 3574 3575 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3576 atomic_set(&hdev->cmd_cnt, 1); 3577 3578 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3579 req_complete_skb); 3580 3581 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3582 bt_dev_err(hdev, 3583 "unexpected event for opcode 0x%4.4x", *opcode); 3584 return; 3585 } 3586 3587 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3588 queue_work(hdev->workqueue, &hdev->cmd_work); 3589 } 3590 3591 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3592 u16 *opcode, u8 *status, 3593 hci_req_complete_t *req_complete, 3594 hci_req_complete_skb_t *req_complete_skb) 3595 { 3596 struct hci_ev_cmd_status *ev = (void *) skb->data; 3597 3598 skb_pull(skb, sizeof(*ev)); 3599 3600 *opcode = __le16_to_cpu(ev->opcode); 3601 *status = ev->status; 3602 3603 switch (*opcode) { 3604 case HCI_OP_INQUIRY: 3605 hci_cs_inquiry(hdev, ev->status); 3606 break; 3607 3608 case HCI_OP_CREATE_CONN: 3609 hci_cs_create_conn(hdev, ev->status); 3610 break; 3611 3612 case HCI_OP_DISCONNECT: 3613 hci_cs_disconnect(hdev, ev->status); 3614 break; 3615 3616 case HCI_OP_ADD_SCO: 3617 hci_cs_add_sco(hdev, ev->status); 3618 break; 3619 3620 case HCI_OP_AUTH_REQUESTED: 3621 hci_cs_auth_requested(hdev, ev->status); 3622 break; 3623 3624 case HCI_OP_SET_CONN_ENCRYPT: 3625 hci_cs_set_conn_encrypt(hdev, ev->status); 3626 break; 3627 3628 case HCI_OP_REMOTE_NAME_REQ: 3629 hci_cs_remote_name_req(hdev, ev->status); 3630 break; 3631 3632 case HCI_OP_READ_REMOTE_FEATURES: 3633 hci_cs_read_remote_features(hdev, ev->status); 3634 break; 3635 3636 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3637 hci_cs_read_remote_ext_features(hdev, ev->status); 3638 break; 3639 3640 case HCI_OP_SETUP_SYNC_CONN: 3641 hci_cs_setup_sync_conn(hdev, ev->status); 3642 break; 3643 3644 case HCI_OP_SNIFF_MODE: 3645 hci_cs_sniff_mode(hdev, ev->status); 3646 break; 3647 3648 case HCI_OP_EXIT_SNIFF_MODE: 3649 hci_cs_exit_sniff_mode(hdev, ev->status); 3650 break; 3651 3652 case HCI_OP_SWITCH_ROLE: 3653 hci_cs_switch_role(hdev, ev->status); 3654 break; 3655 3656 case HCI_OP_LE_CREATE_CONN: 3657 hci_cs_le_create_conn(hdev, ev->status); 3658 break; 3659 3660 case HCI_OP_LE_READ_REMOTE_FEATURES: 3661 hci_cs_le_read_remote_features(hdev, ev->status); 3662 break; 3663 3664 case HCI_OP_LE_START_ENC: 3665 hci_cs_le_start_enc(hdev, ev->status); 3666 break; 3667 3668 case HCI_OP_LE_EXT_CREATE_CONN: 3669 hci_cs_le_ext_create_conn(hdev, ev->status); 3670 break; 3671 3672 default: 3673 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3674 break; 3675 } 3676 3677 if (*opcode != HCI_OP_NOP) 3678 cancel_delayed_work(&hdev->cmd_timer); 3679 3680 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3681 atomic_set(&hdev->cmd_cnt, 1); 3682 3683 /* Indicate request completion if the command failed. Also, if 3684 * we're not waiting for a special event and we get a success 3685 * command status we should try to flag the request as completed 3686 * (since for this kind of commands there will not be a command 3687 * complete event). 3688 */ 3689 if (ev->status || 3690 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3691 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3692 req_complete_skb); 3693 3694 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3695 bt_dev_err(hdev, 3696 "unexpected event for opcode 0x%4.4x", *opcode); 3697 return; 3698 } 3699 3700 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3701 queue_work(hdev->workqueue, &hdev->cmd_work); 3702 } 3703 3704 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3705 { 3706 struct hci_ev_hardware_error *ev = (void *) skb->data; 3707 3708 hdev->hw_error_code = ev->code; 3709 3710 queue_work(hdev->req_workqueue, &hdev->error_reset); 3711 } 3712 3713 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3714 { 3715 struct hci_ev_role_change *ev = (void *) skb->data; 3716 struct hci_conn *conn; 3717 3718 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3719 3720 hci_dev_lock(hdev); 3721 3722 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3723 if (conn) { 3724 if (!ev->status) 3725 conn->role = ev->role; 3726 3727 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3728 3729 hci_role_switch_cfm(conn, ev->status, ev->role); 3730 } 3731 3732 hci_dev_unlock(hdev); 3733 } 3734 3735 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3736 { 3737 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3738 int i; 3739 3740 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3741 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3742 return; 3743 } 3744 3745 if (skb->len < sizeof(*ev) || 3746 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3747 BT_DBG("%s bad parameters", hdev->name); 3748 return; 3749 } 3750 3751 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3752 3753 for (i = 0; i < ev->num_hndl; i++) { 3754 struct hci_comp_pkts_info *info = &ev->handles[i]; 3755 struct hci_conn *conn; 3756 __u16 handle, count; 3757 3758 handle = __le16_to_cpu(info->handle); 3759 count = __le16_to_cpu(info->count); 3760 3761 conn = hci_conn_hash_lookup_handle(hdev, handle); 3762 if (!conn) 3763 continue; 3764 3765 conn->sent -= count; 3766 3767 switch (conn->type) { 3768 case ACL_LINK: 3769 hdev->acl_cnt += count; 3770 if (hdev->acl_cnt > hdev->acl_pkts) 3771 hdev->acl_cnt = hdev->acl_pkts; 3772 break; 3773 3774 case LE_LINK: 3775 if (hdev->le_pkts) { 3776 hdev->le_cnt += count; 3777 if (hdev->le_cnt > hdev->le_pkts) 3778 hdev->le_cnt = hdev->le_pkts; 3779 } else { 3780 hdev->acl_cnt += count; 3781 if (hdev->acl_cnt > hdev->acl_pkts) 3782 hdev->acl_cnt = hdev->acl_pkts; 3783 } 3784 break; 3785 3786 case SCO_LINK: 3787 hdev->sco_cnt += count; 3788 if (hdev->sco_cnt > hdev->sco_pkts) 3789 hdev->sco_cnt = hdev->sco_pkts; 3790 break; 3791 3792 default: 3793 bt_dev_err(hdev, "unknown type %d conn %p", 3794 conn->type, conn); 3795 break; 3796 } 3797 } 3798 3799 queue_work(hdev->workqueue, &hdev->tx_work); 3800 } 3801 3802 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3803 __u16 handle) 3804 { 3805 struct hci_chan *chan; 3806 3807 switch (hdev->dev_type) { 3808 case HCI_PRIMARY: 3809 return hci_conn_hash_lookup_handle(hdev, handle); 3810 case HCI_AMP: 3811 chan = hci_chan_lookup_handle(hdev, handle); 3812 if (chan) 3813 return chan->conn; 3814 break; 3815 default: 3816 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 3817 break; 3818 } 3819 3820 return NULL; 3821 } 3822 3823 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3824 { 3825 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3826 int i; 3827 3828 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3829 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3830 return; 3831 } 3832 3833 if (skb->len < sizeof(*ev) || 3834 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3835 BT_DBG("%s bad parameters", hdev->name); 3836 return; 3837 } 3838 3839 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3840 ev->num_hndl); 3841 3842 for (i = 0; i < ev->num_hndl; i++) { 3843 struct hci_comp_blocks_info *info = &ev->handles[i]; 3844 struct hci_conn *conn = NULL; 3845 __u16 handle, block_count; 3846 3847 handle = __le16_to_cpu(info->handle); 3848 block_count = __le16_to_cpu(info->blocks); 3849 3850 conn = __hci_conn_lookup_handle(hdev, handle); 3851 if (!conn) 3852 continue; 3853 3854 conn->sent -= block_count; 3855 3856 switch (conn->type) { 3857 case ACL_LINK: 3858 case AMP_LINK: 3859 hdev->block_cnt += block_count; 3860 if (hdev->block_cnt > hdev->num_blocks) 3861 hdev->block_cnt = hdev->num_blocks; 3862 break; 3863 3864 default: 3865 bt_dev_err(hdev, "unknown type %d conn %p", 3866 conn->type, conn); 3867 break; 3868 } 3869 } 3870 3871 queue_work(hdev->workqueue, &hdev->tx_work); 3872 } 3873 3874 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3875 { 3876 struct hci_ev_mode_change *ev = (void *) skb->data; 3877 struct hci_conn *conn; 3878 3879 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3880 3881 hci_dev_lock(hdev); 3882 3883 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3884 if (conn) { 3885 conn->mode = ev->mode; 3886 3887 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3888 &conn->flags)) { 3889 if (conn->mode == HCI_CM_ACTIVE) 3890 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3891 else 3892 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3893 } 3894 3895 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3896 hci_sco_setup(conn, ev->status); 3897 } 3898 3899 hci_dev_unlock(hdev); 3900 } 3901 3902 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3903 { 3904 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3905 struct hci_conn *conn; 3906 3907 BT_DBG("%s", hdev->name); 3908 3909 hci_dev_lock(hdev); 3910 3911 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3912 if (!conn) 3913 goto unlock; 3914 3915 if (conn->state == BT_CONNECTED) { 3916 hci_conn_hold(conn); 3917 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3918 hci_conn_drop(conn); 3919 } 3920 3921 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3922 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3923 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3924 sizeof(ev->bdaddr), &ev->bdaddr); 3925 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3926 u8 secure; 3927 3928 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3929 secure = 1; 3930 else 3931 secure = 0; 3932 3933 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3934 } 3935 3936 unlock: 3937 hci_dev_unlock(hdev); 3938 } 3939 3940 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3941 { 3942 if (key_type == HCI_LK_CHANGED_COMBINATION) 3943 return; 3944 3945 conn->pin_length = pin_len; 3946 conn->key_type = key_type; 3947 3948 switch (key_type) { 3949 case HCI_LK_LOCAL_UNIT: 3950 case HCI_LK_REMOTE_UNIT: 3951 case HCI_LK_DEBUG_COMBINATION: 3952 return; 3953 case HCI_LK_COMBINATION: 3954 if (pin_len == 16) 3955 conn->pending_sec_level = BT_SECURITY_HIGH; 3956 else 3957 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3958 break; 3959 case HCI_LK_UNAUTH_COMBINATION_P192: 3960 case HCI_LK_UNAUTH_COMBINATION_P256: 3961 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3962 break; 3963 case HCI_LK_AUTH_COMBINATION_P192: 3964 conn->pending_sec_level = BT_SECURITY_HIGH; 3965 break; 3966 case HCI_LK_AUTH_COMBINATION_P256: 3967 conn->pending_sec_level = BT_SECURITY_FIPS; 3968 break; 3969 } 3970 } 3971 3972 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3973 { 3974 struct hci_ev_link_key_req *ev = (void *) skb->data; 3975 struct hci_cp_link_key_reply cp; 3976 struct hci_conn *conn; 3977 struct link_key *key; 3978 3979 BT_DBG("%s", hdev->name); 3980 3981 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3982 return; 3983 3984 hci_dev_lock(hdev); 3985 3986 key = hci_find_link_key(hdev, &ev->bdaddr); 3987 if (!key) { 3988 BT_DBG("%s link key not found for %pMR", hdev->name, 3989 &ev->bdaddr); 3990 goto not_found; 3991 } 3992 3993 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3994 &ev->bdaddr); 3995 3996 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3997 if (conn) { 3998 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3999 4000 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4001 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4002 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4003 BT_DBG("%s ignoring unauthenticated key", hdev->name); 4004 goto not_found; 4005 } 4006 4007 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4008 (conn->pending_sec_level == BT_SECURITY_HIGH || 4009 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4010 BT_DBG("%s ignoring key unauthenticated for high security", 4011 hdev->name); 4012 goto not_found; 4013 } 4014 4015 conn_set_key(conn, key->type, key->pin_len); 4016 } 4017 4018 bacpy(&cp.bdaddr, &ev->bdaddr); 4019 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4020 4021 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4022 4023 hci_dev_unlock(hdev); 4024 4025 return; 4026 4027 not_found: 4028 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4029 hci_dev_unlock(hdev); 4030 } 4031 4032 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4033 { 4034 struct hci_ev_link_key_notify *ev = (void *) skb->data; 4035 struct hci_conn *conn; 4036 struct link_key *key; 4037 bool persistent; 4038 u8 pin_len = 0; 4039 4040 BT_DBG("%s", hdev->name); 4041 4042 hci_dev_lock(hdev); 4043 4044 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4045 if (!conn) 4046 goto unlock; 4047 4048 hci_conn_hold(conn); 4049 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4050 hci_conn_drop(conn); 4051 4052 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4053 conn_set_key(conn, ev->key_type, conn->pin_length); 4054 4055 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4056 goto unlock; 4057 4058 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4059 ev->key_type, pin_len, &persistent); 4060 if (!key) 4061 goto unlock; 4062 4063 /* Update connection information since adding the key will have 4064 * fixed up the type in the case of changed combination keys. 4065 */ 4066 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4067 conn_set_key(conn, key->type, key->pin_len); 4068 4069 mgmt_new_link_key(hdev, key, persistent); 4070 4071 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4072 * is set. If it's not set simply remove the key from the kernel 4073 * list (we've still notified user space about it but with 4074 * store_hint being 0). 4075 */ 4076 if (key->type == HCI_LK_DEBUG_COMBINATION && 4077 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4078 list_del_rcu(&key->list); 4079 kfree_rcu(key, rcu); 4080 goto unlock; 4081 } 4082 4083 if (persistent) 4084 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4085 else 4086 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4087 4088 unlock: 4089 hci_dev_unlock(hdev); 4090 } 4091 4092 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 4093 { 4094 struct hci_ev_clock_offset *ev = (void *) skb->data; 4095 struct hci_conn *conn; 4096 4097 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4098 4099 hci_dev_lock(hdev); 4100 4101 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4102 if (conn && !ev->status) { 4103 struct inquiry_entry *ie; 4104 4105 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4106 if (ie) { 4107 ie->data.clock_offset = ev->clock_offset; 4108 ie->timestamp = jiffies; 4109 } 4110 } 4111 4112 hci_dev_unlock(hdev); 4113 } 4114 4115 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4116 { 4117 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 4118 struct hci_conn *conn; 4119 4120 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4121 4122 hci_dev_lock(hdev); 4123 4124 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4125 if (conn && !ev->status) 4126 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4127 4128 hci_dev_unlock(hdev); 4129 } 4130 4131 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 4132 { 4133 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 4134 struct inquiry_entry *ie; 4135 4136 BT_DBG("%s", hdev->name); 4137 4138 hci_dev_lock(hdev); 4139 4140 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4141 if (ie) { 4142 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4143 ie->timestamp = jiffies; 4144 } 4145 4146 hci_dev_unlock(hdev); 4147 } 4148 4149 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 4150 struct sk_buff *skb) 4151 { 4152 struct inquiry_data data; 4153 int num_rsp = *((__u8 *) skb->data); 4154 4155 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4156 4157 if (!num_rsp) 4158 return; 4159 4160 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4161 return; 4162 4163 hci_dev_lock(hdev); 4164 4165 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 4166 struct inquiry_info_with_rssi_and_pscan_mode *info; 4167 info = (void *) (skb->data + 1); 4168 4169 for (; num_rsp; num_rsp--, info++) { 4170 u32 flags; 4171 4172 bacpy(&data.bdaddr, &info->bdaddr); 4173 data.pscan_rep_mode = info->pscan_rep_mode; 4174 data.pscan_period_mode = info->pscan_period_mode; 4175 data.pscan_mode = info->pscan_mode; 4176 memcpy(data.dev_class, info->dev_class, 3); 4177 data.clock_offset = info->clock_offset; 4178 data.rssi = info->rssi; 4179 data.ssp_mode = 0x00; 4180 4181 flags = hci_inquiry_cache_update(hdev, &data, false); 4182 4183 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4184 info->dev_class, info->rssi, 4185 flags, NULL, 0, NULL, 0); 4186 } 4187 } else { 4188 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 4189 4190 for (; num_rsp; num_rsp--, info++) { 4191 u32 flags; 4192 4193 bacpy(&data.bdaddr, &info->bdaddr); 4194 data.pscan_rep_mode = info->pscan_rep_mode; 4195 data.pscan_period_mode = info->pscan_period_mode; 4196 data.pscan_mode = 0x00; 4197 memcpy(data.dev_class, info->dev_class, 3); 4198 data.clock_offset = info->clock_offset; 4199 data.rssi = info->rssi; 4200 data.ssp_mode = 0x00; 4201 4202 flags = hci_inquiry_cache_update(hdev, &data, false); 4203 4204 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4205 info->dev_class, info->rssi, 4206 flags, NULL, 0, NULL, 0); 4207 } 4208 } 4209 4210 hci_dev_unlock(hdev); 4211 } 4212 4213 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 4214 struct sk_buff *skb) 4215 { 4216 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 4217 struct hci_conn *conn; 4218 4219 BT_DBG("%s", hdev->name); 4220 4221 hci_dev_lock(hdev); 4222 4223 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4224 if (!conn) 4225 goto unlock; 4226 4227 if (ev->page < HCI_MAX_PAGES) 4228 memcpy(conn->features[ev->page], ev->features, 8); 4229 4230 if (!ev->status && ev->page == 0x01) { 4231 struct inquiry_entry *ie; 4232 4233 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4234 if (ie) 4235 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4236 4237 if (ev->features[0] & LMP_HOST_SSP) { 4238 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4239 } else { 4240 /* It is mandatory by the Bluetooth specification that 4241 * Extended Inquiry Results are only used when Secure 4242 * Simple Pairing is enabled, but some devices violate 4243 * this. 4244 * 4245 * To make these devices work, the internal SSP 4246 * enabled flag needs to be cleared if the remote host 4247 * features do not indicate SSP support */ 4248 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4249 } 4250 4251 if (ev->features[0] & LMP_HOST_SC) 4252 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4253 } 4254 4255 if (conn->state != BT_CONFIG) 4256 goto unlock; 4257 4258 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4259 struct hci_cp_remote_name_req cp; 4260 memset(&cp, 0, sizeof(cp)); 4261 bacpy(&cp.bdaddr, &conn->dst); 4262 cp.pscan_rep_mode = 0x02; 4263 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4264 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4265 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4266 4267 if (!hci_outgoing_auth_needed(hdev, conn)) { 4268 conn->state = BT_CONNECTED; 4269 hci_connect_cfm(conn, ev->status); 4270 hci_conn_drop(conn); 4271 } 4272 4273 unlock: 4274 hci_dev_unlock(hdev); 4275 } 4276 4277 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 4278 struct sk_buff *skb) 4279 { 4280 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 4281 struct hci_conn *conn; 4282 4283 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4284 4285 hci_dev_lock(hdev); 4286 4287 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4288 if (!conn) { 4289 if (ev->link_type == ESCO_LINK) 4290 goto unlock; 4291 4292 /* When the link type in the event indicates SCO connection 4293 * and lookup of the connection object fails, then check 4294 * if an eSCO connection object exists. 4295 * 4296 * The core limits the synchronous connections to either 4297 * SCO or eSCO. The eSCO connection is preferred and tried 4298 * to be setup first and until successfully established, 4299 * the link type will be hinted as eSCO. 4300 */ 4301 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4302 if (!conn) 4303 goto unlock; 4304 } 4305 4306 switch (ev->status) { 4307 case 0x00: 4308 conn->handle = __le16_to_cpu(ev->handle); 4309 conn->state = BT_CONNECTED; 4310 conn->type = ev->link_type; 4311 4312 hci_debugfs_create_conn(conn); 4313 hci_conn_add_sysfs(conn); 4314 break; 4315 4316 case 0x10: /* Connection Accept Timeout */ 4317 case 0x0d: /* Connection Rejected due to Limited Resources */ 4318 case 0x11: /* Unsupported Feature or Parameter Value */ 4319 case 0x1c: /* SCO interval rejected */ 4320 case 0x1a: /* Unsupported Remote Feature */ 4321 case 0x1e: /* Invalid LMP Parameters */ 4322 case 0x1f: /* Unspecified error */ 4323 case 0x20: /* Unsupported LMP Parameter value */ 4324 if (conn->out) { 4325 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4326 (hdev->esco_type & EDR_ESCO_MASK); 4327 if (hci_setup_sync(conn, conn->link->handle)) 4328 goto unlock; 4329 } 4330 /* fall through */ 4331 4332 default: 4333 conn->state = BT_CLOSED; 4334 break; 4335 } 4336 4337 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 4338 4339 switch (conn->setting & SCO_AIRMODE_MASK) { 4340 case SCO_AIRMODE_CVSD: 4341 if (hdev->notify) 4342 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 4343 break; 4344 case SCO_AIRMODE_TRANSP: 4345 if (hdev->notify) 4346 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 4347 break; 4348 } 4349 4350 hci_connect_cfm(conn, ev->status); 4351 if (ev->status) 4352 hci_conn_del(conn); 4353 4354 unlock: 4355 hci_dev_unlock(hdev); 4356 } 4357 4358 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 4359 { 4360 size_t parsed = 0; 4361 4362 while (parsed < eir_len) { 4363 u8 field_len = eir[0]; 4364 4365 if (field_len == 0) 4366 return parsed; 4367 4368 parsed += field_len + 1; 4369 eir += field_len + 1; 4370 } 4371 4372 return eir_len; 4373 } 4374 4375 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 4376 struct sk_buff *skb) 4377 { 4378 struct inquiry_data data; 4379 struct extended_inquiry_info *info = (void *) (skb->data + 1); 4380 int num_rsp = *((__u8 *) skb->data); 4381 size_t eir_len; 4382 4383 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4384 4385 if (!num_rsp) 4386 return; 4387 4388 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4389 return; 4390 4391 hci_dev_lock(hdev); 4392 4393 for (; num_rsp; num_rsp--, info++) { 4394 u32 flags; 4395 bool name_known; 4396 4397 bacpy(&data.bdaddr, &info->bdaddr); 4398 data.pscan_rep_mode = info->pscan_rep_mode; 4399 data.pscan_period_mode = info->pscan_period_mode; 4400 data.pscan_mode = 0x00; 4401 memcpy(data.dev_class, info->dev_class, 3); 4402 data.clock_offset = info->clock_offset; 4403 data.rssi = info->rssi; 4404 data.ssp_mode = 0x01; 4405 4406 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4407 name_known = eir_get_data(info->data, 4408 sizeof(info->data), 4409 EIR_NAME_COMPLETE, NULL); 4410 else 4411 name_known = true; 4412 4413 flags = hci_inquiry_cache_update(hdev, &data, name_known); 4414 4415 eir_len = eir_get_length(info->data, sizeof(info->data)); 4416 4417 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4418 info->dev_class, info->rssi, 4419 flags, info->data, eir_len, NULL, 0); 4420 } 4421 4422 hci_dev_unlock(hdev); 4423 } 4424 4425 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 4426 struct sk_buff *skb) 4427 { 4428 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 4429 struct hci_conn *conn; 4430 4431 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 4432 __le16_to_cpu(ev->handle)); 4433 4434 hci_dev_lock(hdev); 4435 4436 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4437 if (!conn) 4438 goto unlock; 4439 4440 /* For BR/EDR the necessary steps are taken through the 4441 * auth_complete event. 4442 */ 4443 if (conn->type != LE_LINK) 4444 goto unlock; 4445 4446 if (!ev->status) 4447 conn->sec_level = conn->pending_sec_level; 4448 4449 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 4450 4451 if (ev->status && conn->state == BT_CONNECTED) { 4452 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4453 hci_conn_drop(conn); 4454 goto unlock; 4455 } 4456 4457 if (conn->state == BT_CONFIG) { 4458 if (!ev->status) 4459 conn->state = BT_CONNECTED; 4460 4461 hci_connect_cfm(conn, ev->status); 4462 hci_conn_drop(conn); 4463 } else { 4464 hci_auth_cfm(conn, ev->status); 4465 4466 hci_conn_hold(conn); 4467 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4468 hci_conn_drop(conn); 4469 } 4470 4471 unlock: 4472 hci_dev_unlock(hdev); 4473 } 4474 4475 static u8 hci_get_auth_req(struct hci_conn *conn) 4476 { 4477 /* If remote requests no-bonding follow that lead */ 4478 if (conn->remote_auth == HCI_AT_NO_BONDING || 4479 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 4480 return conn->remote_auth | (conn->auth_type & 0x01); 4481 4482 /* If both remote and local have enough IO capabilities, require 4483 * MITM protection 4484 */ 4485 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 4486 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 4487 return conn->remote_auth | 0x01; 4488 4489 /* No MITM protection possible so ignore remote requirement */ 4490 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 4491 } 4492 4493 static u8 bredr_oob_data_present(struct hci_conn *conn) 4494 { 4495 struct hci_dev *hdev = conn->hdev; 4496 struct oob_data *data; 4497 4498 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 4499 if (!data) 4500 return 0x00; 4501 4502 if (bredr_sc_enabled(hdev)) { 4503 /* When Secure Connections is enabled, then just 4504 * return the present value stored with the OOB 4505 * data. The stored value contains the right present 4506 * information. However it can only be trusted when 4507 * not in Secure Connection Only mode. 4508 */ 4509 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 4510 return data->present; 4511 4512 /* When Secure Connections Only mode is enabled, then 4513 * the P-256 values are required. If they are not 4514 * available, then do not declare that OOB data is 4515 * present. 4516 */ 4517 if (!memcmp(data->rand256, ZERO_KEY, 16) || 4518 !memcmp(data->hash256, ZERO_KEY, 16)) 4519 return 0x00; 4520 4521 return 0x02; 4522 } 4523 4524 /* When Secure Connections is not enabled or actually 4525 * not supported by the hardware, then check that if 4526 * P-192 data values are present. 4527 */ 4528 if (!memcmp(data->rand192, ZERO_KEY, 16) || 4529 !memcmp(data->hash192, ZERO_KEY, 16)) 4530 return 0x00; 4531 4532 return 0x01; 4533 } 4534 4535 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4536 { 4537 struct hci_ev_io_capa_request *ev = (void *) skb->data; 4538 struct hci_conn *conn; 4539 4540 BT_DBG("%s", hdev->name); 4541 4542 hci_dev_lock(hdev); 4543 4544 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4545 if (!conn) 4546 goto unlock; 4547 4548 hci_conn_hold(conn); 4549 4550 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4551 goto unlock; 4552 4553 /* Allow pairing if we're pairable, the initiators of the 4554 * pairing or if the remote is not requesting bonding. 4555 */ 4556 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4557 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4558 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4559 struct hci_cp_io_capability_reply cp; 4560 4561 bacpy(&cp.bdaddr, &ev->bdaddr); 4562 /* Change the IO capability from KeyboardDisplay 4563 * to DisplayYesNo as it is not supported by BT spec. */ 4564 cp.capability = (conn->io_capability == 0x04) ? 4565 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4566 4567 /* If we are initiators, there is no remote information yet */ 4568 if (conn->remote_auth == 0xff) { 4569 /* Request MITM protection if our IO caps allow it 4570 * except for the no-bonding case. 4571 */ 4572 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4573 conn->auth_type != HCI_AT_NO_BONDING) 4574 conn->auth_type |= 0x01; 4575 } else { 4576 conn->auth_type = hci_get_auth_req(conn); 4577 } 4578 4579 /* If we're not bondable, force one of the non-bondable 4580 * authentication requirement values. 4581 */ 4582 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4583 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4584 4585 cp.authentication = conn->auth_type; 4586 cp.oob_data = bredr_oob_data_present(conn); 4587 4588 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4589 sizeof(cp), &cp); 4590 } else { 4591 struct hci_cp_io_capability_neg_reply cp; 4592 4593 bacpy(&cp.bdaddr, &ev->bdaddr); 4594 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4595 4596 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4597 sizeof(cp), &cp); 4598 } 4599 4600 unlock: 4601 hci_dev_unlock(hdev); 4602 } 4603 4604 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4605 { 4606 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4607 struct hci_conn *conn; 4608 4609 BT_DBG("%s", hdev->name); 4610 4611 hci_dev_lock(hdev); 4612 4613 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4614 if (!conn) 4615 goto unlock; 4616 4617 conn->remote_cap = ev->capability; 4618 conn->remote_auth = ev->authentication; 4619 4620 unlock: 4621 hci_dev_unlock(hdev); 4622 } 4623 4624 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4625 struct sk_buff *skb) 4626 { 4627 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4628 int loc_mitm, rem_mitm, confirm_hint = 0; 4629 struct hci_conn *conn; 4630 4631 BT_DBG("%s", hdev->name); 4632 4633 hci_dev_lock(hdev); 4634 4635 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4636 goto unlock; 4637 4638 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4639 if (!conn) 4640 goto unlock; 4641 4642 loc_mitm = (conn->auth_type & 0x01); 4643 rem_mitm = (conn->remote_auth & 0x01); 4644 4645 /* If we require MITM but the remote device can't provide that 4646 * (it has NoInputNoOutput) then reject the confirmation 4647 * request. We check the security level here since it doesn't 4648 * necessarily match conn->auth_type. 4649 */ 4650 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4651 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4652 BT_DBG("Rejecting request: remote device can't provide MITM"); 4653 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4654 sizeof(ev->bdaddr), &ev->bdaddr); 4655 goto unlock; 4656 } 4657 4658 /* If no side requires MITM protection; auto-accept */ 4659 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4660 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4661 4662 /* If we're not the initiators request authorization to 4663 * proceed from user space (mgmt_user_confirm with 4664 * confirm_hint set to 1). The exception is if neither 4665 * side had MITM or if the local IO capability is 4666 * NoInputNoOutput, in which case we do auto-accept 4667 */ 4668 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4669 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4670 (loc_mitm || rem_mitm)) { 4671 BT_DBG("Confirming auto-accept as acceptor"); 4672 confirm_hint = 1; 4673 goto confirm; 4674 } 4675 4676 /* If there already exists link key in local host, leave the 4677 * decision to user space since the remote device could be 4678 * legitimate or malicious. 4679 */ 4680 if (hci_find_link_key(hdev, &ev->bdaddr)) { 4681 bt_dev_dbg(hdev, "Local host already has link key"); 4682 confirm_hint = 1; 4683 goto confirm; 4684 } 4685 4686 BT_DBG("Auto-accept of user confirmation with %ums delay", 4687 hdev->auto_accept_delay); 4688 4689 if (hdev->auto_accept_delay > 0) { 4690 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4691 queue_delayed_work(conn->hdev->workqueue, 4692 &conn->auto_accept_work, delay); 4693 goto unlock; 4694 } 4695 4696 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4697 sizeof(ev->bdaddr), &ev->bdaddr); 4698 goto unlock; 4699 } 4700 4701 confirm: 4702 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4703 le32_to_cpu(ev->passkey), confirm_hint); 4704 4705 unlock: 4706 hci_dev_unlock(hdev); 4707 } 4708 4709 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4710 struct sk_buff *skb) 4711 { 4712 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4713 4714 BT_DBG("%s", hdev->name); 4715 4716 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4717 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4718 } 4719 4720 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4721 struct sk_buff *skb) 4722 { 4723 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4724 struct hci_conn *conn; 4725 4726 BT_DBG("%s", hdev->name); 4727 4728 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4729 if (!conn) 4730 return; 4731 4732 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4733 conn->passkey_entered = 0; 4734 4735 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4736 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4737 conn->dst_type, conn->passkey_notify, 4738 conn->passkey_entered); 4739 } 4740 4741 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4742 { 4743 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4744 struct hci_conn *conn; 4745 4746 BT_DBG("%s", hdev->name); 4747 4748 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4749 if (!conn) 4750 return; 4751 4752 switch (ev->type) { 4753 case HCI_KEYPRESS_STARTED: 4754 conn->passkey_entered = 0; 4755 return; 4756 4757 case HCI_KEYPRESS_ENTERED: 4758 conn->passkey_entered++; 4759 break; 4760 4761 case HCI_KEYPRESS_ERASED: 4762 conn->passkey_entered--; 4763 break; 4764 4765 case HCI_KEYPRESS_CLEARED: 4766 conn->passkey_entered = 0; 4767 break; 4768 4769 case HCI_KEYPRESS_COMPLETED: 4770 return; 4771 } 4772 4773 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4774 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4775 conn->dst_type, conn->passkey_notify, 4776 conn->passkey_entered); 4777 } 4778 4779 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4780 struct sk_buff *skb) 4781 { 4782 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4783 struct hci_conn *conn; 4784 4785 BT_DBG("%s", hdev->name); 4786 4787 hci_dev_lock(hdev); 4788 4789 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4790 if (!conn) 4791 goto unlock; 4792 4793 /* Reset the authentication requirement to unknown */ 4794 conn->remote_auth = 0xff; 4795 4796 /* To avoid duplicate auth_failed events to user space we check 4797 * the HCI_CONN_AUTH_PEND flag which will be set if we 4798 * initiated the authentication. A traditional auth_complete 4799 * event gets always produced as initiator and is also mapped to 4800 * the mgmt_auth_failed event */ 4801 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4802 mgmt_auth_failed(conn, ev->status); 4803 4804 hci_conn_drop(conn); 4805 4806 unlock: 4807 hci_dev_unlock(hdev); 4808 } 4809 4810 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4811 struct sk_buff *skb) 4812 { 4813 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4814 struct inquiry_entry *ie; 4815 struct hci_conn *conn; 4816 4817 BT_DBG("%s", hdev->name); 4818 4819 hci_dev_lock(hdev); 4820 4821 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4822 if (conn) 4823 memcpy(conn->features[1], ev->features, 8); 4824 4825 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4826 if (ie) 4827 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4828 4829 hci_dev_unlock(hdev); 4830 } 4831 4832 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4833 struct sk_buff *skb) 4834 { 4835 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4836 struct oob_data *data; 4837 4838 BT_DBG("%s", hdev->name); 4839 4840 hci_dev_lock(hdev); 4841 4842 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4843 goto unlock; 4844 4845 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4846 if (!data) { 4847 struct hci_cp_remote_oob_data_neg_reply cp; 4848 4849 bacpy(&cp.bdaddr, &ev->bdaddr); 4850 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4851 sizeof(cp), &cp); 4852 goto unlock; 4853 } 4854 4855 if (bredr_sc_enabled(hdev)) { 4856 struct hci_cp_remote_oob_ext_data_reply cp; 4857 4858 bacpy(&cp.bdaddr, &ev->bdaddr); 4859 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4860 memset(cp.hash192, 0, sizeof(cp.hash192)); 4861 memset(cp.rand192, 0, sizeof(cp.rand192)); 4862 } else { 4863 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4864 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4865 } 4866 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4867 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4868 4869 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4870 sizeof(cp), &cp); 4871 } else { 4872 struct hci_cp_remote_oob_data_reply cp; 4873 4874 bacpy(&cp.bdaddr, &ev->bdaddr); 4875 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4876 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4877 4878 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4879 sizeof(cp), &cp); 4880 } 4881 4882 unlock: 4883 hci_dev_unlock(hdev); 4884 } 4885 4886 #if IS_ENABLED(CONFIG_BT_HS) 4887 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4888 { 4889 struct hci_ev_channel_selected *ev = (void *)skb->data; 4890 struct hci_conn *hcon; 4891 4892 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4893 4894 skb_pull(skb, sizeof(*ev)); 4895 4896 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4897 if (!hcon) 4898 return; 4899 4900 amp_read_loc_assoc_final_data(hdev, hcon); 4901 } 4902 4903 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4904 struct sk_buff *skb) 4905 { 4906 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4907 struct hci_conn *hcon, *bredr_hcon; 4908 4909 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4910 ev->status); 4911 4912 hci_dev_lock(hdev); 4913 4914 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4915 if (!hcon) { 4916 hci_dev_unlock(hdev); 4917 return; 4918 } 4919 4920 if (ev->status) { 4921 hci_conn_del(hcon); 4922 hci_dev_unlock(hdev); 4923 return; 4924 } 4925 4926 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4927 4928 hcon->state = BT_CONNECTED; 4929 bacpy(&hcon->dst, &bredr_hcon->dst); 4930 4931 hci_conn_hold(hcon); 4932 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4933 hci_conn_drop(hcon); 4934 4935 hci_debugfs_create_conn(hcon); 4936 hci_conn_add_sysfs(hcon); 4937 4938 amp_physical_cfm(bredr_hcon, hcon); 4939 4940 hci_dev_unlock(hdev); 4941 } 4942 4943 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4944 { 4945 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4946 struct hci_conn *hcon; 4947 struct hci_chan *hchan; 4948 struct amp_mgr *mgr; 4949 4950 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4951 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4952 ev->status); 4953 4954 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4955 if (!hcon) 4956 return; 4957 4958 /* Create AMP hchan */ 4959 hchan = hci_chan_create(hcon); 4960 if (!hchan) 4961 return; 4962 4963 hchan->handle = le16_to_cpu(ev->handle); 4964 4965 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4966 4967 mgr = hcon->amp_mgr; 4968 if (mgr && mgr->bredr_chan) { 4969 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4970 4971 l2cap_chan_lock(bredr_chan); 4972 4973 bredr_chan->conn->mtu = hdev->block_mtu; 4974 l2cap_logical_cfm(bredr_chan, hchan, 0); 4975 hci_conn_hold(hcon); 4976 4977 l2cap_chan_unlock(bredr_chan); 4978 } 4979 } 4980 4981 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 4982 struct sk_buff *skb) 4983 { 4984 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 4985 struct hci_chan *hchan; 4986 4987 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 4988 le16_to_cpu(ev->handle), ev->status); 4989 4990 if (ev->status) 4991 return; 4992 4993 hci_dev_lock(hdev); 4994 4995 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 4996 if (!hchan) 4997 goto unlock; 4998 4999 amp_destroy_logical_link(hchan, ev->reason); 5000 5001 unlock: 5002 hci_dev_unlock(hdev); 5003 } 5004 5005 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 5006 struct sk_buff *skb) 5007 { 5008 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 5009 struct hci_conn *hcon; 5010 5011 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5012 5013 if (ev->status) 5014 return; 5015 5016 hci_dev_lock(hdev); 5017 5018 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5019 if (hcon) { 5020 hcon->state = BT_CLOSED; 5021 hci_conn_del(hcon); 5022 } 5023 5024 hci_dev_unlock(hdev); 5025 } 5026 #endif 5027 5028 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5029 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle, 5030 u16 interval, u16 latency, u16 supervision_timeout) 5031 { 5032 struct hci_conn_params *params; 5033 struct hci_conn *conn; 5034 struct smp_irk *irk; 5035 u8 addr_type; 5036 5037 hci_dev_lock(hdev); 5038 5039 /* All controllers implicitly stop advertising in the event of a 5040 * connection, so ensure that the state bit is cleared. 5041 */ 5042 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5043 5044 conn = hci_lookup_le_connect(hdev); 5045 if (!conn) { 5046 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5047 if (!conn) { 5048 bt_dev_err(hdev, "no memory for new connection"); 5049 goto unlock; 5050 } 5051 5052 conn->dst_type = bdaddr_type; 5053 5054 /* If we didn't have a hci_conn object previously 5055 * but we're in master role this must be something 5056 * initiated using a white list. Since white list based 5057 * connections are not "first class citizens" we don't 5058 * have full tracking of them. Therefore, we go ahead 5059 * with a "best effort" approach of determining the 5060 * initiator address based on the HCI_PRIVACY flag. 5061 */ 5062 if (conn->out) { 5063 conn->resp_addr_type = bdaddr_type; 5064 bacpy(&conn->resp_addr, bdaddr); 5065 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5066 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5067 bacpy(&conn->init_addr, &hdev->rpa); 5068 } else { 5069 hci_copy_identity_address(hdev, 5070 &conn->init_addr, 5071 &conn->init_addr_type); 5072 } 5073 } 5074 } else { 5075 cancel_delayed_work(&conn->le_conn_timeout); 5076 } 5077 5078 if (!conn->out) { 5079 /* Set the responder (our side) address type based on 5080 * the advertising address type. 5081 */ 5082 conn->resp_addr_type = hdev->adv_addr_type; 5083 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5084 /* In case of ext adv, resp_addr will be updated in 5085 * Adv Terminated event. 5086 */ 5087 if (!ext_adv_capable(hdev)) 5088 bacpy(&conn->resp_addr, &hdev->random_addr); 5089 } else { 5090 bacpy(&conn->resp_addr, &hdev->bdaddr); 5091 } 5092 5093 conn->init_addr_type = bdaddr_type; 5094 bacpy(&conn->init_addr, bdaddr); 5095 5096 /* For incoming connections, set the default minimum 5097 * and maximum connection interval. They will be used 5098 * to check if the parameters are in range and if not 5099 * trigger the connection update procedure. 5100 */ 5101 conn->le_conn_min_interval = hdev->le_conn_min_interval; 5102 conn->le_conn_max_interval = hdev->le_conn_max_interval; 5103 } 5104 5105 /* Lookup the identity address from the stored connection 5106 * address and address type. 5107 * 5108 * When establishing connections to an identity address, the 5109 * connection procedure will store the resolvable random 5110 * address first. Now if it can be converted back into the 5111 * identity address, start using the identity address from 5112 * now on. 5113 */ 5114 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5115 if (irk) { 5116 bacpy(&conn->dst, &irk->bdaddr); 5117 conn->dst_type = irk->addr_type; 5118 } 5119 5120 if (status) { 5121 hci_le_conn_failed(conn, status); 5122 goto unlock; 5123 } 5124 5125 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5126 addr_type = BDADDR_LE_PUBLIC; 5127 else 5128 addr_type = BDADDR_LE_RANDOM; 5129 5130 /* Drop the connection if the device is blocked */ 5131 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 5132 hci_conn_drop(conn); 5133 goto unlock; 5134 } 5135 5136 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5137 mgmt_device_connected(hdev, conn, 0, NULL, 0); 5138 5139 conn->sec_level = BT_SECURITY_LOW; 5140 conn->handle = handle; 5141 conn->state = BT_CONFIG; 5142 5143 conn->le_conn_interval = interval; 5144 conn->le_conn_latency = latency; 5145 conn->le_supv_timeout = supervision_timeout; 5146 5147 hci_debugfs_create_conn(conn); 5148 hci_conn_add_sysfs(conn); 5149 5150 /* The remote features procedure is defined for master 5151 * role only. So only in case of an initiated connection 5152 * request the remote features. 5153 * 5154 * If the local controller supports slave-initiated features 5155 * exchange, then requesting the remote features in slave 5156 * role is possible. Otherwise just transition into the 5157 * connected state without requesting the remote features. 5158 */ 5159 if (conn->out || 5160 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 5161 struct hci_cp_le_read_remote_features cp; 5162 5163 cp.handle = __cpu_to_le16(conn->handle); 5164 5165 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5166 sizeof(cp), &cp); 5167 5168 hci_conn_hold(conn); 5169 } else { 5170 conn->state = BT_CONNECTED; 5171 hci_connect_cfm(conn, status); 5172 } 5173 5174 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5175 conn->dst_type); 5176 if (params) { 5177 list_del_init(¶ms->action); 5178 if (params->conn) { 5179 hci_conn_drop(params->conn); 5180 hci_conn_put(params->conn); 5181 params->conn = NULL; 5182 } 5183 } 5184 5185 unlock: 5186 hci_update_background_scan(hdev); 5187 hci_dev_unlock(hdev); 5188 } 5189 5190 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 5191 { 5192 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 5193 5194 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5195 5196 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5197 ev->role, le16_to_cpu(ev->handle), 5198 le16_to_cpu(ev->interval), 5199 le16_to_cpu(ev->latency), 5200 le16_to_cpu(ev->supervision_timeout)); 5201 } 5202 5203 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, 5204 struct sk_buff *skb) 5205 { 5206 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data; 5207 5208 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5209 5210 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5211 ev->role, le16_to_cpu(ev->handle), 5212 le16_to_cpu(ev->interval), 5213 le16_to_cpu(ev->latency), 5214 le16_to_cpu(ev->supervision_timeout)); 5215 } 5216 5217 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) 5218 { 5219 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data; 5220 struct hci_conn *conn; 5221 5222 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5223 5224 if (ev->status) 5225 return; 5226 5227 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5228 if (conn) { 5229 struct adv_info *adv_instance; 5230 5231 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM) 5232 return; 5233 5234 if (!hdev->cur_adv_instance) { 5235 bacpy(&conn->resp_addr, &hdev->random_addr); 5236 return; 5237 } 5238 5239 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance); 5240 if (adv_instance) 5241 bacpy(&conn->resp_addr, &adv_instance->random_addr); 5242 } 5243 } 5244 5245 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 5246 struct sk_buff *skb) 5247 { 5248 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 5249 struct hci_conn *conn; 5250 5251 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5252 5253 if (ev->status) 5254 return; 5255 5256 hci_dev_lock(hdev); 5257 5258 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5259 if (conn) { 5260 conn->le_conn_interval = le16_to_cpu(ev->interval); 5261 conn->le_conn_latency = le16_to_cpu(ev->latency); 5262 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5263 } 5264 5265 hci_dev_unlock(hdev); 5266 } 5267 5268 /* This function requires the caller holds hdev->lock */ 5269 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5270 bdaddr_t *addr, 5271 u8 addr_type, u8 adv_type, 5272 bdaddr_t *direct_rpa) 5273 { 5274 struct hci_conn *conn; 5275 struct hci_conn_params *params; 5276 5277 /* If the event is not connectable don't proceed further */ 5278 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5279 return NULL; 5280 5281 /* Ignore if the device is blocked */ 5282 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 5283 return NULL; 5284 5285 /* Most controller will fail if we try to create new connections 5286 * while we have an existing one in slave role. 5287 */ 5288 if (hdev->conn_hash.le_num_slave > 0 && 5289 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 5290 !(hdev->le_states[3] & 0x10))) 5291 return NULL; 5292 5293 /* If we're not connectable only connect devices that we have in 5294 * our pend_le_conns list. 5295 */ 5296 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5297 addr_type); 5298 if (!params) 5299 return NULL; 5300 5301 if (!params->explicit_connect) { 5302 switch (params->auto_connect) { 5303 case HCI_AUTO_CONN_DIRECT: 5304 /* Only devices advertising with ADV_DIRECT_IND are 5305 * triggering a connection attempt. This is allowing 5306 * incoming connections from slave devices. 5307 */ 5308 if (adv_type != LE_ADV_DIRECT_IND) 5309 return NULL; 5310 break; 5311 case HCI_AUTO_CONN_ALWAYS: 5312 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5313 * are triggering a connection attempt. This means 5314 * that incoming connections from slave device are 5315 * accepted and also outgoing connections to slave 5316 * devices are established when found. 5317 */ 5318 break; 5319 default: 5320 return NULL; 5321 } 5322 } 5323 5324 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 5325 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER, 5326 direct_rpa); 5327 if (!IS_ERR(conn)) { 5328 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5329 * by higher layer that tried to connect, if no then 5330 * store the pointer since we don't really have any 5331 * other owner of the object besides the params that 5332 * triggered it. This way we can abort the connection if 5333 * the parameters get removed and keep the reference 5334 * count consistent once the connection is established. 5335 */ 5336 5337 if (!params->explicit_connect) 5338 params->conn = hci_conn_get(conn); 5339 5340 return conn; 5341 } 5342 5343 switch (PTR_ERR(conn)) { 5344 case -EBUSY: 5345 /* If hci_connect() returns -EBUSY it means there is already 5346 * an LE connection attempt going on. Since controllers don't 5347 * support more than one connection attempt at the time, we 5348 * don't consider this an error case. 5349 */ 5350 break; 5351 default: 5352 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5353 return NULL; 5354 } 5355 5356 return NULL; 5357 } 5358 5359 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 5360 u8 bdaddr_type, bdaddr_t *direct_addr, 5361 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 5362 bool ext_adv) 5363 { 5364 struct discovery_state *d = &hdev->discovery; 5365 struct smp_irk *irk; 5366 struct hci_conn *conn; 5367 bool match; 5368 u32 flags; 5369 u8 *ptr, real_len; 5370 5371 switch (type) { 5372 case LE_ADV_IND: 5373 case LE_ADV_DIRECT_IND: 5374 case LE_ADV_SCAN_IND: 5375 case LE_ADV_NONCONN_IND: 5376 case LE_ADV_SCAN_RSP: 5377 break; 5378 default: 5379 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 5380 "type: 0x%02x", type); 5381 return; 5382 } 5383 5384 if (!ext_adv && len > HCI_MAX_AD_LENGTH) { 5385 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); 5386 return; 5387 } 5388 5389 /* Find the end of the data in case the report contains padded zero 5390 * bytes at the end causing an invalid length value. 5391 * 5392 * When data is NULL, len is 0 so there is no need for extra ptr 5393 * check as 'ptr < data + 0' is already false in such case. 5394 */ 5395 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 5396 if (ptr + 1 + *ptr > data + len) 5397 break; 5398 } 5399 5400 real_len = ptr - data; 5401 5402 /* Adjust for actual length */ 5403 if (len != real_len) { 5404 bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u", 5405 len, real_len); 5406 len = real_len; 5407 } 5408 5409 /* If the direct address is present, then this report is from 5410 * a LE Direct Advertising Report event. In that case it is 5411 * important to see if the address is matching the local 5412 * controller address. 5413 */ 5414 if (direct_addr) { 5415 /* Only resolvable random addresses are valid for these 5416 * kind of reports and others can be ignored. 5417 */ 5418 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 5419 return; 5420 5421 /* If the controller is not using resolvable random 5422 * addresses, then this report can be ignored. 5423 */ 5424 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 5425 return; 5426 5427 /* If the local IRK of the controller does not match 5428 * with the resolvable random address provided, then 5429 * this report can be ignored. 5430 */ 5431 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 5432 return; 5433 } 5434 5435 /* Check if we need to convert to identity address */ 5436 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 5437 if (irk) { 5438 bdaddr = &irk->bdaddr; 5439 bdaddr_type = irk->addr_type; 5440 } 5441 5442 /* Check if we have been requested to connect to this device. 5443 * 5444 * direct_addr is set only for directed advertising reports (it is NULL 5445 * for advertising reports) and is already verified to be RPA above. 5446 */ 5447 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, 5448 direct_addr); 5449 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { 5450 /* Store report for later inclusion by 5451 * mgmt_device_connected 5452 */ 5453 memcpy(conn->le_adv_data, data, len); 5454 conn->le_adv_data_len = len; 5455 } 5456 5457 /* Passive scanning shouldn't trigger any device found events, 5458 * except for devices marked as CONN_REPORT for which we do send 5459 * device found events. 5460 */ 5461 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 5462 if (type == LE_ADV_DIRECT_IND) 5463 return; 5464 5465 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 5466 bdaddr, bdaddr_type)) 5467 return; 5468 5469 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 5470 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5471 else 5472 flags = 0; 5473 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5474 rssi, flags, data, len, NULL, 0); 5475 return; 5476 } 5477 5478 /* When receiving non-connectable or scannable undirected 5479 * advertising reports, this means that the remote device is 5480 * not connectable and then clearly indicate this in the 5481 * device found event. 5482 * 5483 * When receiving a scan response, then there is no way to 5484 * know if the remote device is connectable or not. However 5485 * since scan responses are merged with a previously seen 5486 * advertising report, the flags field from that report 5487 * will be used. 5488 * 5489 * In the really unlikely case that a controller get confused 5490 * and just sends a scan response event, then it is marked as 5491 * not connectable as well. 5492 */ 5493 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 5494 type == LE_ADV_SCAN_RSP) 5495 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5496 else 5497 flags = 0; 5498 5499 /* If there's nothing pending either store the data from this 5500 * event or send an immediate device found event if the data 5501 * should not be stored for later. 5502 */ 5503 if (!ext_adv && !has_pending_adv_report(hdev)) { 5504 /* If the report will trigger a SCAN_REQ store it for 5505 * later merging. 5506 */ 5507 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5508 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5509 rssi, flags, data, len); 5510 return; 5511 } 5512 5513 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5514 rssi, flags, data, len, NULL, 0); 5515 return; 5516 } 5517 5518 /* Check if the pending report is for the same device as the new one */ 5519 match = (!bacmp(bdaddr, &d->last_adv_addr) && 5520 bdaddr_type == d->last_adv_addr_type); 5521 5522 /* If the pending data doesn't match this report or this isn't a 5523 * scan response (e.g. we got a duplicate ADV_IND) then force 5524 * sending of the pending data. 5525 */ 5526 if (type != LE_ADV_SCAN_RSP || !match) { 5527 /* Send out whatever is in the cache, but skip duplicates */ 5528 if (!match) 5529 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5530 d->last_adv_addr_type, NULL, 5531 d->last_adv_rssi, d->last_adv_flags, 5532 d->last_adv_data, 5533 d->last_adv_data_len, NULL, 0); 5534 5535 /* If the new report will trigger a SCAN_REQ store it for 5536 * later merging. 5537 */ 5538 if (!ext_adv && (type == LE_ADV_IND || 5539 type == LE_ADV_SCAN_IND)) { 5540 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5541 rssi, flags, data, len); 5542 return; 5543 } 5544 5545 /* The advertising reports cannot be merged, so clear 5546 * the pending report and send out a device found event. 5547 */ 5548 clear_pending_adv_report(hdev); 5549 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5550 rssi, flags, data, len, NULL, 0); 5551 return; 5552 } 5553 5554 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 5555 * the new event is a SCAN_RSP. We can therefore proceed with 5556 * sending a merged device found event. 5557 */ 5558 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5559 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 5560 d->last_adv_data, d->last_adv_data_len, data, len); 5561 clear_pending_adv_report(hdev); 5562 } 5563 5564 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5565 { 5566 u8 num_reports = skb->data[0]; 5567 void *ptr = &skb->data[1]; 5568 5569 hci_dev_lock(hdev); 5570 5571 while (num_reports--) { 5572 struct hci_ev_le_advertising_info *ev = ptr; 5573 s8 rssi; 5574 5575 if (ev->length <= HCI_MAX_AD_LENGTH) { 5576 rssi = ev->data[ev->length]; 5577 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5578 ev->bdaddr_type, NULL, 0, rssi, 5579 ev->data, ev->length, false); 5580 } else { 5581 bt_dev_err(hdev, "Dropping invalid advertising data"); 5582 } 5583 5584 ptr += sizeof(*ev) + ev->length + 1; 5585 } 5586 5587 hci_dev_unlock(hdev); 5588 } 5589 5590 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 5591 { 5592 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 5593 switch (evt_type) { 5594 case LE_LEGACY_ADV_IND: 5595 return LE_ADV_IND; 5596 case LE_LEGACY_ADV_DIRECT_IND: 5597 return LE_ADV_DIRECT_IND; 5598 case LE_LEGACY_ADV_SCAN_IND: 5599 return LE_ADV_SCAN_IND; 5600 case LE_LEGACY_NONCONN_IND: 5601 return LE_ADV_NONCONN_IND; 5602 case LE_LEGACY_SCAN_RSP_ADV: 5603 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 5604 return LE_ADV_SCAN_RSP; 5605 } 5606 5607 goto invalid; 5608 } 5609 5610 if (evt_type & LE_EXT_ADV_CONN_IND) { 5611 if (evt_type & LE_EXT_ADV_DIRECT_IND) 5612 return LE_ADV_DIRECT_IND; 5613 5614 return LE_ADV_IND; 5615 } 5616 5617 if (evt_type & LE_EXT_ADV_SCAN_RSP) 5618 return LE_ADV_SCAN_RSP; 5619 5620 if (evt_type & LE_EXT_ADV_SCAN_IND) 5621 return LE_ADV_SCAN_IND; 5622 5623 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 5624 evt_type & LE_EXT_ADV_DIRECT_IND) 5625 return LE_ADV_NONCONN_IND; 5626 5627 invalid: 5628 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 5629 evt_type); 5630 5631 return LE_ADV_INVALID; 5632 } 5633 5634 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5635 { 5636 u8 num_reports = skb->data[0]; 5637 void *ptr = &skb->data[1]; 5638 5639 hci_dev_lock(hdev); 5640 5641 while (num_reports--) { 5642 struct hci_ev_le_ext_adv_report *ev = ptr; 5643 u8 legacy_evt_type; 5644 u16 evt_type; 5645 5646 evt_type = __le16_to_cpu(ev->evt_type); 5647 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 5648 if (legacy_evt_type != LE_ADV_INVALID) { 5649 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, 5650 ev->bdaddr_type, NULL, 0, ev->rssi, 5651 ev->data, ev->length, 5652 !(evt_type & LE_EXT_ADV_LEGACY_PDU)); 5653 } 5654 5655 ptr += sizeof(*ev) + ev->length; 5656 } 5657 5658 hci_dev_unlock(hdev); 5659 } 5660 5661 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 5662 struct sk_buff *skb) 5663 { 5664 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 5665 struct hci_conn *conn; 5666 5667 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5668 5669 hci_dev_lock(hdev); 5670 5671 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5672 if (conn) { 5673 if (!ev->status) 5674 memcpy(conn->features[0], ev->features, 8); 5675 5676 if (conn->state == BT_CONFIG) { 5677 __u8 status; 5678 5679 /* If the local controller supports slave-initiated 5680 * features exchange, but the remote controller does 5681 * not, then it is possible that the error code 0x1a 5682 * for unsupported remote feature gets returned. 5683 * 5684 * In this specific case, allow the connection to 5685 * transition into connected state and mark it as 5686 * successful. 5687 */ 5688 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 5689 !conn->out && ev->status == 0x1a) 5690 status = 0x00; 5691 else 5692 status = ev->status; 5693 5694 conn->state = BT_CONNECTED; 5695 hci_connect_cfm(conn, status); 5696 hci_conn_drop(conn); 5697 } 5698 } 5699 5700 hci_dev_unlock(hdev); 5701 } 5702 5703 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 5704 { 5705 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 5706 struct hci_cp_le_ltk_reply cp; 5707 struct hci_cp_le_ltk_neg_reply neg; 5708 struct hci_conn *conn; 5709 struct smp_ltk *ltk; 5710 5711 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 5712 5713 hci_dev_lock(hdev); 5714 5715 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5716 if (conn == NULL) 5717 goto not_found; 5718 5719 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 5720 if (!ltk) 5721 goto not_found; 5722 5723 if (smp_ltk_is_sc(ltk)) { 5724 /* With SC both EDiv and Rand are set to zero */ 5725 if (ev->ediv || ev->rand) 5726 goto not_found; 5727 } else { 5728 /* For non-SC keys check that EDiv and Rand match */ 5729 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 5730 goto not_found; 5731 } 5732 5733 memcpy(cp.ltk, ltk->val, ltk->enc_size); 5734 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 5735 cp.handle = cpu_to_le16(conn->handle); 5736 5737 conn->pending_sec_level = smp_ltk_sec_level(ltk); 5738 5739 conn->enc_key_size = ltk->enc_size; 5740 5741 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 5742 5743 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 5744 * temporary key used to encrypt a connection following 5745 * pairing. It is used during the Encrypted Session Setup to 5746 * distribute the keys. Later, security can be re-established 5747 * using a distributed LTK. 5748 */ 5749 if (ltk->type == SMP_STK) { 5750 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5751 list_del_rcu(<k->list); 5752 kfree_rcu(ltk, rcu); 5753 } else { 5754 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5755 } 5756 5757 hci_dev_unlock(hdev); 5758 5759 return; 5760 5761 not_found: 5762 neg.handle = ev->handle; 5763 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5764 hci_dev_unlock(hdev); 5765 } 5766 5767 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5768 u8 reason) 5769 { 5770 struct hci_cp_le_conn_param_req_neg_reply cp; 5771 5772 cp.handle = cpu_to_le16(handle); 5773 cp.reason = reason; 5774 5775 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5776 &cp); 5777 } 5778 5779 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5780 struct sk_buff *skb) 5781 { 5782 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5783 struct hci_cp_le_conn_param_req_reply cp; 5784 struct hci_conn *hcon; 5785 u16 handle, min, max, latency, timeout; 5786 5787 handle = le16_to_cpu(ev->handle); 5788 min = le16_to_cpu(ev->interval_min); 5789 max = le16_to_cpu(ev->interval_max); 5790 latency = le16_to_cpu(ev->latency); 5791 timeout = le16_to_cpu(ev->timeout); 5792 5793 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5794 if (!hcon || hcon->state != BT_CONNECTED) 5795 return send_conn_param_neg_reply(hdev, handle, 5796 HCI_ERROR_UNKNOWN_CONN_ID); 5797 5798 if (hci_check_conn_params(min, max, latency, timeout)) 5799 return send_conn_param_neg_reply(hdev, handle, 5800 HCI_ERROR_INVALID_LL_PARAMS); 5801 5802 if (hcon->role == HCI_ROLE_MASTER) { 5803 struct hci_conn_params *params; 5804 u8 store_hint; 5805 5806 hci_dev_lock(hdev); 5807 5808 params = hci_conn_params_lookup(hdev, &hcon->dst, 5809 hcon->dst_type); 5810 if (params) { 5811 params->conn_min_interval = min; 5812 params->conn_max_interval = max; 5813 params->conn_latency = latency; 5814 params->supervision_timeout = timeout; 5815 store_hint = 0x01; 5816 } else{ 5817 store_hint = 0x00; 5818 } 5819 5820 hci_dev_unlock(hdev); 5821 5822 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5823 store_hint, min, max, latency, timeout); 5824 } 5825 5826 cp.handle = ev->handle; 5827 cp.interval_min = ev->interval_min; 5828 cp.interval_max = ev->interval_max; 5829 cp.latency = ev->latency; 5830 cp.timeout = ev->timeout; 5831 cp.min_ce_len = 0; 5832 cp.max_ce_len = 0; 5833 5834 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5835 } 5836 5837 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5838 struct sk_buff *skb) 5839 { 5840 u8 num_reports = skb->data[0]; 5841 void *ptr = &skb->data[1]; 5842 5843 hci_dev_lock(hdev); 5844 5845 while (num_reports--) { 5846 struct hci_ev_le_direct_adv_info *ev = ptr; 5847 5848 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5849 ev->bdaddr_type, &ev->direct_addr, 5850 ev->direct_addr_type, ev->rssi, NULL, 0, 5851 false); 5852 5853 ptr += sizeof(*ev); 5854 } 5855 5856 hci_dev_unlock(hdev); 5857 } 5858 5859 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb) 5860 { 5861 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data; 5862 struct hci_conn *conn; 5863 5864 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5865 5866 if (!ev->status) 5867 return; 5868 5869 hci_dev_lock(hdev); 5870 5871 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5872 if (!conn) 5873 goto unlock; 5874 5875 conn->le_tx_phy = ev->tx_phy; 5876 conn->le_rx_phy = ev->rx_phy; 5877 5878 unlock: 5879 hci_dev_unlock(hdev); 5880 } 5881 5882 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5883 { 5884 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5885 5886 skb_pull(skb, sizeof(*le_ev)); 5887 5888 switch (le_ev->subevent) { 5889 case HCI_EV_LE_CONN_COMPLETE: 5890 hci_le_conn_complete_evt(hdev, skb); 5891 break; 5892 5893 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5894 hci_le_conn_update_complete_evt(hdev, skb); 5895 break; 5896 5897 case HCI_EV_LE_ADVERTISING_REPORT: 5898 hci_le_adv_report_evt(hdev, skb); 5899 break; 5900 5901 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5902 hci_le_remote_feat_complete_evt(hdev, skb); 5903 break; 5904 5905 case HCI_EV_LE_LTK_REQ: 5906 hci_le_ltk_request_evt(hdev, skb); 5907 break; 5908 5909 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5910 hci_le_remote_conn_param_req_evt(hdev, skb); 5911 break; 5912 5913 case HCI_EV_LE_DIRECT_ADV_REPORT: 5914 hci_le_direct_adv_report_evt(hdev, skb); 5915 break; 5916 5917 case HCI_EV_LE_PHY_UPDATE_COMPLETE: 5918 hci_le_phy_update_evt(hdev, skb); 5919 break; 5920 5921 case HCI_EV_LE_EXT_ADV_REPORT: 5922 hci_le_ext_adv_report_evt(hdev, skb); 5923 break; 5924 5925 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 5926 hci_le_enh_conn_complete_evt(hdev, skb); 5927 break; 5928 5929 case HCI_EV_LE_EXT_ADV_SET_TERM: 5930 hci_le_ext_adv_term_evt(hdev, skb); 5931 break; 5932 5933 default: 5934 break; 5935 } 5936 } 5937 5938 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5939 u8 event, struct sk_buff *skb) 5940 { 5941 struct hci_ev_cmd_complete *ev; 5942 struct hci_event_hdr *hdr; 5943 5944 if (!skb) 5945 return false; 5946 5947 if (skb->len < sizeof(*hdr)) { 5948 bt_dev_err(hdev, "too short HCI event"); 5949 return false; 5950 } 5951 5952 hdr = (void *) skb->data; 5953 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5954 5955 if (event) { 5956 if (hdr->evt != event) 5957 return false; 5958 return true; 5959 } 5960 5961 /* Check if request ended in Command Status - no way to retreive 5962 * any extra parameters in this case. 5963 */ 5964 if (hdr->evt == HCI_EV_CMD_STATUS) 5965 return false; 5966 5967 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5968 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 5969 hdr->evt); 5970 return false; 5971 } 5972 5973 if (skb->len < sizeof(*ev)) { 5974 bt_dev_err(hdev, "too short cmd_complete event"); 5975 return false; 5976 } 5977 5978 ev = (void *) skb->data; 5979 skb_pull(skb, sizeof(*ev)); 5980 5981 if (opcode != __le16_to_cpu(ev->opcode)) { 5982 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 5983 __le16_to_cpu(ev->opcode)); 5984 return false; 5985 } 5986 5987 return true; 5988 } 5989 5990 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 5991 { 5992 struct hci_event_hdr *hdr = (void *) skb->data; 5993 hci_req_complete_t req_complete = NULL; 5994 hci_req_complete_skb_t req_complete_skb = NULL; 5995 struct sk_buff *orig_skb = NULL; 5996 u8 status = 0, event = hdr->evt, req_evt = 0; 5997 u16 opcode = HCI_OP_NOP; 5998 5999 if (!event) { 6000 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); 6001 goto done; 6002 } 6003 6004 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 6005 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 6006 opcode = __le16_to_cpu(cmd_hdr->opcode); 6007 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 6008 &req_complete_skb); 6009 req_evt = event; 6010 } 6011 6012 /* If it looks like we might end up having to call 6013 * req_complete_skb, store a pristine copy of the skb since the 6014 * various handlers may modify the original one through 6015 * skb_pull() calls, etc. 6016 */ 6017 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 6018 event == HCI_EV_CMD_COMPLETE) 6019 orig_skb = skb_clone(skb, GFP_KERNEL); 6020 6021 skb_pull(skb, HCI_EVENT_HDR_SIZE); 6022 6023 switch (event) { 6024 case HCI_EV_INQUIRY_COMPLETE: 6025 hci_inquiry_complete_evt(hdev, skb); 6026 break; 6027 6028 case HCI_EV_INQUIRY_RESULT: 6029 hci_inquiry_result_evt(hdev, skb); 6030 break; 6031 6032 case HCI_EV_CONN_COMPLETE: 6033 hci_conn_complete_evt(hdev, skb); 6034 break; 6035 6036 case HCI_EV_CONN_REQUEST: 6037 hci_conn_request_evt(hdev, skb); 6038 break; 6039 6040 case HCI_EV_DISCONN_COMPLETE: 6041 hci_disconn_complete_evt(hdev, skb); 6042 break; 6043 6044 case HCI_EV_AUTH_COMPLETE: 6045 hci_auth_complete_evt(hdev, skb); 6046 break; 6047 6048 case HCI_EV_REMOTE_NAME: 6049 hci_remote_name_evt(hdev, skb); 6050 break; 6051 6052 case HCI_EV_ENCRYPT_CHANGE: 6053 hci_encrypt_change_evt(hdev, skb); 6054 break; 6055 6056 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 6057 hci_change_link_key_complete_evt(hdev, skb); 6058 break; 6059 6060 case HCI_EV_REMOTE_FEATURES: 6061 hci_remote_features_evt(hdev, skb); 6062 break; 6063 6064 case HCI_EV_CMD_COMPLETE: 6065 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 6066 &req_complete, &req_complete_skb); 6067 break; 6068 6069 case HCI_EV_CMD_STATUS: 6070 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 6071 &req_complete_skb); 6072 break; 6073 6074 case HCI_EV_HARDWARE_ERROR: 6075 hci_hardware_error_evt(hdev, skb); 6076 break; 6077 6078 case HCI_EV_ROLE_CHANGE: 6079 hci_role_change_evt(hdev, skb); 6080 break; 6081 6082 case HCI_EV_NUM_COMP_PKTS: 6083 hci_num_comp_pkts_evt(hdev, skb); 6084 break; 6085 6086 case HCI_EV_MODE_CHANGE: 6087 hci_mode_change_evt(hdev, skb); 6088 break; 6089 6090 case HCI_EV_PIN_CODE_REQ: 6091 hci_pin_code_request_evt(hdev, skb); 6092 break; 6093 6094 case HCI_EV_LINK_KEY_REQ: 6095 hci_link_key_request_evt(hdev, skb); 6096 break; 6097 6098 case HCI_EV_LINK_KEY_NOTIFY: 6099 hci_link_key_notify_evt(hdev, skb); 6100 break; 6101 6102 case HCI_EV_CLOCK_OFFSET: 6103 hci_clock_offset_evt(hdev, skb); 6104 break; 6105 6106 case HCI_EV_PKT_TYPE_CHANGE: 6107 hci_pkt_type_change_evt(hdev, skb); 6108 break; 6109 6110 case HCI_EV_PSCAN_REP_MODE: 6111 hci_pscan_rep_mode_evt(hdev, skb); 6112 break; 6113 6114 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 6115 hci_inquiry_result_with_rssi_evt(hdev, skb); 6116 break; 6117 6118 case HCI_EV_REMOTE_EXT_FEATURES: 6119 hci_remote_ext_features_evt(hdev, skb); 6120 break; 6121 6122 case HCI_EV_SYNC_CONN_COMPLETE: 6123 hci_sync_conn_complete_evt(hdev, skb); 6124 break; 6125 6126 case HCI_EV_EXTENDED_INQUIRY_RESULT: 6127 hci_extended_inquiry_result_evt(hdev, skb); 6128 break; 6129 6130 case HCI_EV_KEY_REFRESH_COMPLETE: 6131 hci_key_refresh_complete_evt(hdev, skb); 6132 break; 6133 6134 case HCI_EV_IO_CAPA_REQUEST: 6135 hci_io_capa_request_evt(hdev, skb); 6136 break; 6137 6138 case HCI_EV_IO_CAPA_REPLY: 6139 hci_io_capa_reply_evt(hdev, skb); 6140 break; 6141 6142 case HCI_EV_USER_CONFIRM_REQUEST: 6143 hci_user_confirm_request_evt(hdev, skb); 6144 break; 6145 6146 case HCI_EV_USER_PASSKEY_REQUEST: 6147 hci_user_passkey_request_evt(hdev, skb); 6148 break; 6149 6150 case HCI_EV_USER_PASSKEY_NOTIFY: 6151 hci_user_passkey_notify_evt(hdev, skb); 6152 break; 6153 6154 case HCI_EV_KEYPRESS_NOTIFY: 6155 hci_keypress_notify_evt(hdev, skb); 6156 break; 6157 6158 case HCI_EV_SIMPLE_PAIR_COMPLETE: 6159 hci_simple_pair_complete_evt(hdev, skb); 6160 break; 6161 6162 case HCI_EV_REMOTE_HOST_FEATURES: 6163 hci_remote_host_features_evt(hdev, skb); 6164 break; 6165 6166 case HCI_EV_LE_META: 6167 hci_le_meta_evt(hdev, skb); 6168 break; 6169 6170 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 6171 hci_remote_oob_data_request_evt(hdev, skb); 6172 break; 6173 6174 #if IS_ENABLED(CONFIG_BT_HS) 6175 case HCI_EV_CHANNEL_SELECTED: 6176 hci_chan_selected_evt(hdev, skb); 6177 break; 6178 6179 case HCI_EV_PHY_LINK_COMPLETE: 6180 hci_phy_link_complete_evt(hdev, skb); 6181 break; 6182 6183 case HCI_EV_LOGICAL_LINK_COMPLETE: 6184 hci_loglink_complete_evt(hdev, skb); 6185 break; 6186 6187 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 6188 hci_disconn_loglink_complete_evt(hdev, skb); 6189 break; 6190 6191 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 6192 hci_disconn_phylink_complete_evt(hdev, skb); 6193 break; 6194 #endif 6195 6196 case HCI_EV_NUM_COMP_BLOCKS: 6197 hci_num_comp_blocks_evt(hdev, skb); 6198 break; 6199 6200 case HCI_EV_VENDOR: 6201 msft_vendor_evt(hdev, skb); 6202 break; 6203 6204 default: 6205 BT_DBG("%s event 0x%2.2x", hdev->name, event); 6206 break; 6207 } 6208 6209 if (req_complete) { 6210 req_complete(hdev, status, opcode); 6211 } else if (req_complete_skb) { 6212 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 6213 kfree_skb(orig_skb); 6214 orig_skb = NULL; 6215 } 6216 req_complete_skb(hdev, status, opcode, orig_skb); 6217 } 6218 6219 done: 6220 kfree_skb(orig_skb); 6221 kfree_skb(skb); 6222 hdev->stat.evt_rx++; 6223 } 6224