1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 #include "msft.h" 39 40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 41 "\x00\x00\x00\x00\x00\x00\x00\x00" 42 43 /* Handle HCI Event packets */ 44 45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, 46 u8 *new_status) 47 { 48 __u8 status = *((__u8 *) skb->data); 49 50 BT_DBG("%s status 0x%2.2x", hdev->name, status); 51 52 /* It is possible that we receive Inquiry Complete event right 53 * before we receive Inquiry Cancel Command Complete event, in 54 * which case the latter event should have status of Command 55 * Disallowed (0x0c). This should not be treated as error, since 56 * we actually achieve what Inquiry Cancel wants to achieve, 57 * which is to end the last Inquiry session. 58 */ 59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 61 status = 0x00; 62 } 63 64 *new_status = status; 65 66 if (status) 67 return; 68 69 clear_bit(HCI_INQUIRY, &hdev->flags); 70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 71 wake_up_bit(&hdev->flags, HCI_INQUIRY); 72 73 hci_dev_lock(hdev); 74 /* Set discovery state to stopped if we're not doing LE active 75 * scanning. 76 */ 77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 78 hdev->le_scan_type != LE_SCAN_ACTIVE) 79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 80 hci_dev_unlock(hdev); 81 82 hci_conn_check_pending(hdev); 83 } 84 85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 86 { 87 __u8 status = *((__u8 *) skb->data); 88 89 BT_DBG("%s status 0x%2.2x", hdev->name, status); 90 91 if (status) 92 return; 93 94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 95 } 96 97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 98 { 99 __u8 status = *((__u8 *) skb->data); 100 101 BT_DBG("%s status 0x%2.2x", hdev->name, status); 102 103 if (status) 104 return; 105 106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 107 108 hci_conn_check_pending(hdev); 109 } 110 111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 112 struct sk_buff *skb) 113 { 114 BT_DBG("%s", hdev->name); 115 } 116 117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 118 { 119 struct hci_rp_role_discovery *rp = (void *) skb->data; 120 struct hci_conn *conn; 121 122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 123 124 if (rp->status) 125 return; 126 127 hci_dev_lock(hdev); 128 129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 130 if (conn) 131 conn->role = rp->role; 132 133 hci_dev_unlock(hdev); 134 } 135 136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 137 { 138 struct hci_rp_read_link_policy *rp = (void *) skb->data; 139 struct hci_conn *conn; 140 141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 142 143 if (rp->status) 144 return; 145 146 hci_dev_lock(hdev); 147 148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 149 if (conn) 150 conn->link_policy = __le16_to_cpu(rp->policy); 151 152 hci_dev_unlock(hdev); 153 } 154 155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 156 { 157 struct hci_rp_write_link_policy *rp = (void *) skb->data; 158 struct hci_conn *conn; 159 void *sent; 160 161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 162 163 if (rp->status) 164 return; 165 166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 167 if (!sent) 168 return; 169 170 hci_dev_lock(hdev); 171 172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 173 if (conn) 174 conn->link_policy = get_unaligned_le16(sent + 2); 175 176 hci_dev_unlock(hdev); 177 } 178 179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 180 struct sk_buff *skb) 181 { 182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 183 184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 185 186 if (rp->status) 187 return; 188 189 hdev->link_policy = __le16_to_cpu(rp->policy); 190 } 191 192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 193 struct sk_buff *skb) 194 { 195 __u8 status = *((__u8 *) skb->data); 196 void *sent; 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 if (status) 201 return; 202 203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 204 if (!sent) 205 return; 206 207 hdev->link_policy = get_unaligned_le16(sent); 208 } 209 210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 211 { 212 __u8 status = *((__u8 *) skb->data); 213 214 BT_DBG("%s status 0x%2.2x", hdev->name, status); 215 216 clear_bit(HCI_RESET, &hdev->flags); 217 218 if (status) 219 return; 220 221 /* Reset all non-persistent flags */ 222 hci_dev_clear_volatile_flags(hdev); 223 224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 225 226 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 227 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 228 229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 230 hdev->adv_data_len = 0; 231 232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 233 hdev->scan_rsp_data_len = 0; 234 235 hdev->le_scan_type = LE_SCAN_PASSIVE; 236 237 hdev->ssp_debug_mode = 0; 238 239 hci_bdaddr_list_clear(&hdev->le_white_list); 240 hci_bdaddr_list_clear(&hdev->le_resolv_list); 241 } 242 243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 244 struct sk_buff *skb) 245 { 246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 247 struct hci_cp_read_stored_link_key *sent; 248 249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 250 251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 252 if (!sent) 253 return; 254 255 if (!rp->status && sent->read_all == 0x01) { 256 hdev->stored_max_keys = rp->max_keys; 257 hdev->stored_num_keys = rp->num_keys; 258 } 259 } 260 261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 262 struct sk_buff *skb) 263 { 264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 265 266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 267 268 if (rp->status) 269 return; 270 271 if (rp->num_keys <= hdev->stored_num_keys) 272 hdev->stored_num_keys -= rp->num_keys; 273 else 274 hdev->stored_num_keys = 0; 275 } 276 277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 278 { 279 __u8 status = *((__u8 *) skb->data); 280 void *sent; 281 282 BT_DBG("%s status 0x%2.2x", hdev->name, status); 283 284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 285 if (!sent) 286 return; 287 288 hci_dev_lock(hdev); 289 290 if (hci_dev_test_flag(hdev, HCI_MGMT)) 291 mgmt_set_local_name_complete(hdev, sent, status); 292 else if (!status) 293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 294 295 hci_dev_unlock(hdev); 296 } 297 298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 299 { 300 struct hci_rp_read_local_name *rp = (void *) skb->data; 301 302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 303 304 if (rp->status) 305 return; 306 307 if (hci_dev_test_flag(hdev, HCI_SETUP) || 308 hci_dev_test_flag(hdev, HCI_CONFIG)) 309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 310 } 311 312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 313 { 314 __u8 status = *((__u8 *) skb->data); 315 void *sent; 316 317 BT_DBG("%s status 0x%2.2x", hdev->name, status); 318 319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 320 if (!sent) 321 return; 322 323 hci_dev_lock(hdev); 324 325 if (!status) { 326 __u8 param = *((__u8 *) sent); 327 328 if (param == AUTH_ENABLED) 329 set_bit(HCI_AUTH, &hdev->flags); 330 else 331 clear_bit(HCI_AUTH, &hdev->flags); 332 } 333 334 if (hci_dev_test_flag(hdev, HCI_MGMT)) 335 mgmt_auth_enable_complete(hdev, status); 336 337 hci_dev_unlock(hdev); 338 } 339 340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 341 { 342 __u8 status = *((__u8 *) skb->data); 343 __u8 param; 344 void *sent; 345 346 BT_DBG("%s status 0x%2.2x", hdev->name, status); 347 348 if (status) 349 return; 350 351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 352 if (!sent) 353 return; 354 355 param = *((__u8 *) sent); 356 357 if (param) 358 set_bit(HCI_ENCRYPT, &hdev->flags); 359 else 360 clear_bit(HCI_ENCRYPT, &hdev->flags); 361 } 362 363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 364 { 365 __u8 status = *((__u8 *) skb->data); 366 __u8 param; 367 void *sent; 368 369 BT_DBG("%s status 0x%2.2x", hdev->name, status); 370 371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 372 if (!sent) 373 return; 374 375 param = *((__u8 *) sent); 376 377 hci_dev_lock(hdev); 378 379 if (status) { 380 hdev->discov_timeout = 0; 381 goto done; 382 } 383 384 if (param & SCAN_INQUIRY) 385 set_bit(HCI_ISCAN, &hdev->flags); 386 else 387 clear_bit(HCI_ISCAN, &hdev->flags); 388 389 if (param & SCAN_PAGE) 390 set_bit(HCI_PSCAN, &hdev->flags); 391 else 392 clear_bit(HCI_PSCAN, &hdev->flags); 393 394 done: 395 hci_dev_unlock(hdev); 396 } 397 398 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 399 { 400 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 401 402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 403 404 if (rp->status) 405 return; 406 407 memcpy(hdev->dev_class, rp->dev_class, 3); 408 409 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 410 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 411 } 412 413 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 414 { 415 __u8 status = *((__u8 *) skb->data); 416 void *sent; 417 418 BT_DBG("%s status 0x%2.2x", hdev->name, status); 419 420 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 421 if (!sent) 422 return; 423 424 hci_dev_lock(hdev); 425 426 if (status == 0) 427 memcpy(hdev->dev_class, sent, 3); 428 429 if (hci_dev_test_flag(hdev, HCI_MGMT)) 430 mgmt_set_class_of_dev_complete(hdev, sent, status); 431 432 hci_dev_unlock(hdev); 433 } 434 435 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 436 { 437 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 438 __u16 setting; 439 440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 441 442 if (rp->status) 443 return; 444 445 setting = __le16_to_cpu(rp->voice_setting); 446 447 if (hdev->voice_setting == setting) 448 return; 449 450 hdev->voice_setting = setting; 451 452 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 453 454 if (hdev->notify) 455 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 456 } 457 458 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 459 struct sk_buff *skb) 460 { 461 __u8 status = *((__u8 *) skb->data); 462 __u16 setting; 463 void *sent; 464 465 BT_DBG("%s status 0x%2.2x", hdev->name, status); 466 467 if (status) 468 return; 469 470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 471 if (!sent) 472 return; 473 474 setting = get_unaligned_le16(sent); 475 476 if (hdev->voice_setting == setting) 477 return; 478 479 hdev->voice_setting = setting; 480 481 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 482 483 if (hdev->notify) 484 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 485 } 486 487 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 488 struct sk_buff *skb) 489 { 490 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 491 492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 493 494 if (rp->status) 495 return; 496 497 hdev->num_iac = rp->num_iac; 498 499 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 500 } 501 502 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 503 { 504 __u8 status = *((__u8 *) skb->data); 505 struct hci_cp_write_ssp_mode *sent; 506 507 BT_DBG("%s status 0x%2.2x", hdev->name, status); 508 509 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 510 if (!sent) 511 return; 512 513 hci_dev_lock(hdev); 514 515 if (!status) { 516 if (sent->mode) 517 hdev->features[1][0] |= LMP_HOST_SSP; 518 else 519 hdev->features[1][0] &= ~LMP_HOST_SSP; 520 } 521 522 if (hci_dev_test_flag(hdev, HCI_MGMT)) 523 mgmt_ssp_enable_complete(hdev, sent->mode, status); 524 else if (!status) { 525 if (sent->mode) 526 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 527 else 528 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 529 } 530 531 hci_dev_unlock(hdev); 532 } 533 534 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 535 { 536 u8 status = *((u8 *) skb->data); 537 struct hci_cp_write_sc_support *sent; 538 539 BT_DBG("%s status 0x%2.2x", hdev->name, status); 540 541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 542 if (!sent) 543 return; 544 545 hci_dev_lock(hdev); 546 547 if (!status) { 548 if (sent->support) 549 hdev->features[1][0] |= LMP_HOST_SC; 550 else 551 hdev->features[1][0] &= ~LMP_HOST_SC; 552 } 553 554 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 555 if (sent->support) 556 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 557 else 558 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 559 } 560 561 hci_dev_unlock(hdev); 562 } 563 564 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 565 { 566 struct hci_rp_read_local_version *rp = (void *) skb->data; 567 568 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 569 570 if (rp->status) 571 return; 572 573 if (hci_dev_test_flag(hdev, HCI_SETUP) || 574 hci_dev_test_flag(hdev, HCI_CONFIG)) { 575 hdev->hci_ver = rp->hci_ver; 576 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 577 hdev->lmp_ver = rp->lmp_ver; 578 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 579 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 580 } 581 } 582 583 static void hci_cc_read_local_commands(struct hci_dev *hdev, 584 struct sk_buff *skb) 585 { 586 struct hci_rp_read_local_commands *rp = (void *) skb->data; 587 588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 589 590 if (rp->status) 591 return; 592 593 if (hci_dev_test_flag(hdev, HCI_SETUP) || 594 hci_dev_test_flag(hdev, HCI_CONFIG)) 595 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 596 } 597 598 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, 599 struct sk_buff *skb) 600 { 601 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data; 602 struct hci_conn *conn; 603 604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 605 606 if (rp->status) 607 return; 608 609 hci_dev_lock(hdev); 610 611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 612 if (conn) 613 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 614 615 hci_dev_unlock(hdev); 616 } 617 618 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, 619 struct sk_buff *skb) 620 { 621 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data; 622 struct hci_conn *conn; 623 void *sent; 624 625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 626 627 if (rp->status) 628 return; 629 630 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 631 if (!sent) 632 return; 633 634 hci_dev_lock(hdev); 635 636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 637 if (conn) 638 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 639 640 hci_dev_unlock(hdev); 641 } 642 643 static void hci_cc_read_local_features(struct hci_dev *hdev, 644 struct sk_buff *skb) 645 { 646 struct hci_rp_read_local_features *rp = (void *) skb->data; 647 648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 649 650 if (rp->status) 651 return; 652 653 memcpy(hdev->features, rp->features, 8); 654 655 /* Adjust default settings according to features 656 * supported by device. */ 657 658 if (hdev->features[0][0] & LMP_3SLOT) 659 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 660 661 if (hdev->features[0][0] & LMP_5SLOT) 662 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 663 664 if (hdev->features[0][1] & LMP_HV2) { 665 hdev->pkt_type |= (HCI_HV2); 666 hdev->esco_type |= (ESCO_HV2); 667 } 668 669 if (hdev->features[0][1] & LMP_HV3) { 670 hdev->pkt_type |= (HCI_HV3); 671 hdev->esco_type |= (ESCO_HV3); 672 } 673 674 if (lmp_esco_capable(hdev)) 675 hdev->esco_type |= (ESCO_EV3); 676 677 if (hdev->features[0][4] & LMP_EV4) 678 hdev->esco_type |= (ESCO_EV4); 679 680 if (hdev->features[0][4] & LMP_EV5) 681 hdev->esco_type |= (ESCO_EV5); 682 683 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 684 hdev->esco_type |= (ESCO_2EV3); 685 686 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 687 hdev->esco_type |= (ESCO_3EV3); 688 689 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 690 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 691 } 692 693 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 694 struct sk_buff *skb) 695 { 696 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 697 698 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 699 700 if (rp->status) 701 return; 702 703 if (hdev->max_page < rp->max_page) 704 hdev->max_page = rp->max_page; 705 706 if (rp->page < HCI_MAX_PAGES) 707 memcpy(hdev->features[rp->page], rp->features, 8); 708 } 709 710 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 711 struct sk_buff *skb) 712 { 713 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 714 715 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 716 717 if (rp->status) 718 return; 719 720 hdev->flow_ctl_mode = rp->mode; 721 } 722 723 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 724 { 725 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 726 727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 728 729 if (rp->status) 730 return; 731 732 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 733 hdev->sco_mtu = rp->sco_mtu; 734 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 735 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 736 737 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 738 hdev->sco_mtu = 64; 739 hdev->sco_pkts = 8; 740 } 741 742 hdev->acl_cnt = hdev->acl_pkts; 743 hdev->sco_cnt = hdev->sco_pkts; 744 745 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 746 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 747 } 748 749 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 750 { 751 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 752 753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 754 755 if (rp->status) 756 return; 757 758 if (test_bit(HCI_INIT, &hdev->flags)) 759 bacpy(&hdev->bdaddr, &rp->bdaddr); 760 761 if (hci_dev_test_flag(hdev, HCI_SETUP)) 762 bacpy(&hdev->setup_addr, &rp->bdaddr); 763 } 764 765 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev, 766 struct sk_buff *skb) 767 { 768 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data; 769 770 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 771 772 if (rp->status) 773 return; 774 775 if (hci_dev_test_flag(hdev, HCI_SETUP) || 776 hci_dev_test_flag(hdev, HCI_CONFIG)) { 777 hdev->pairing_opts = rp->pairing_opts; 778 hdev->max_enc_key_size = rp->max_key_size; 779 } 780 } 781 782 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 783 struct sk_buff *skb) 784 { 785 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 786 787 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 788 789 if (rp->status) 790 return; 791 792 if (test_bit(HCI_INIT, &hdev->flags)) { 793 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 794 hdev->page_scan_window = __le16_to_cpu(rp->window); 795 } 796 } 797 798 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 799 struct sk_buff *skb) 800 { 801 u8 status = *((u8 *) skb->data); 802 struct hci_cp_write_page_scan_activity *sent; 803 804 BT_DBG("%s status 0x%2.2x", hdev->name, status); 805 806 if (status) 807 return; 808 809 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 810 if (!sent) 811 return; 812 813 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 814 hdev->page_scan_window = __le16_to_cpu(sent->window); 815 } 816 817 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 818 struct sk_buff *skb) 819 { 820 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 821 822 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 823 824 if (rp->status) 825 return; 826 827 if (test_bit(HCI_INIT, &hdev->flags)) 828 hdev->page_scan_type = rp->type; 829 } 830 831 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 832 struct sk_buff *skb) 833 { 834 u8 status = *((u8 *) skb->data); 835 u8 *type; 836 837 BT_DBG("%s status 0x%2.2x", hdev->name, status); 838 839 if (status) 840 return; 841 842 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 843 if (type) 844 hdev->page_scan_type = *type; 845 } 846 847 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 848 struct sk_buff *skb) 849 { 850 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 851 852 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 853 854 if (rp->status) 855 return; 856 857 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 858 hdev->block_len = __le16_to_cpu(rp->block_len); 859 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 860 861 hdev->block_cnt = hdev->num_blocks; 862 863 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 864 hdev->block_cnt, hdev->block_len); 865 } 866 867 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 868 { 869 struct hci_rp_read_clock *rp = (void *) skb->data; 870 struct hci_cp_read_clock *cp; 871 struct hci_conn *conn; 872 873 BT_DBG("%s", hdev->name); 874 875 if (skb->len < sizeof(*rp)) 876 return; 877 878 if (rp->status) 879 return; 880 881 hci_dev_lock(hdev); 882 883 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 884 if (!cp) 885 goto unlock; 886 887 if (cp->which == 0x00) { 888 hdev->clock = le32_to_cpu(rp->clock); 889 goto unlock; 890 } 891 892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 893 if (conn) { 894 conn->clock = le32_to_cpu(rp->clock); 895 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 896 } 897 898 unlock: 899 hci_dev_unlock(hdev); 900 } 901 902 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 903 struct sk_buff *skb) 904 { 905 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 906 907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 908 909 if (rp->status) 910 return; 911 912 hdev->amp_status = rp->amp_status; 913 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 914 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 915 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 916 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 917 hdev->amp_type = rp->amp_type; 918 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 919 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 920 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 921 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 922 } 923 924 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 925 struct sk_buff *skb) 926 { 927 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 928 929 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 930 931 if (rp->status) 932 return; 933 934 hdev->inq_tx_power = rp->tx_power; 935 } 936 937 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, 938 struct sk_buff *skb) 939 { 940 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data; 941 942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 943 944 if (rp->status) 945 return; 946 947 hdev->err_data_reporting = rp->err_data_reporting; 948 } 949 950 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, 951 struct sk_buff *skb) 952 { 953 __u8 status = *((__u8 *)skb->data); 954 struct hci_cp_write_def_err_data_reporting *cp; 955 956 BT_DBG("%s status 0x%2.2x", hdev->name, status); 957 958 if (status) 959 return; 960 961 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 962 if (!cp) 963 return; 964 965 hdev->err_data_reporting = cp->err_data_reporting; 966 } 967 968 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 969 { 970 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 971 struct hci_cp_pin_code_reply *cp; 972 struct hci_conn *conn; 973 974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 975 976 hci_dev_lock(hdev); 977 978 if (hci_dev_test_flag(hdev, HCI_MGMT)) 979 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 980 981 if (rp->status) 982 goto unlock; 983 984 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 985 if (!cp) 986 goto unlock; 987 988 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 989 if (conn) 990 conn->pin_length = cp->pin_len; 991 992 unlock: 993 hci_dev_unlock(hdev); 994 } 995 996 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 997 { 998 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 999 1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1001 1002 hci_dev_lock(hdev); 1003 1004 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1005 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1006 rp->status); 1007 1008 hci_dev_unlock(hdev); 1009 } 1010 1011 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 1012 struct sk_buff *skb) 1013 { 1014 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 1015 1016 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1017 1018 if (rp->status) 1019 return; 1020 1021 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1022 hdev->le_pkts = rp->le_max_pkt; 1023 1024 hdev->le_cnt = hdev->le_pkts; 1025 1026 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1027 } 1028 1029 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 1030 struct sk_buff *skb) 1031 { 1032 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 1033 1034 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1035 1036 if (rp->status) 1037 return; 1038 1039 memcpy(hdev->le_features, rp->features, 8); 1040 } 1041 1042 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 1043 struct sk_buff *skb) 1044 { 1045 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 1046 1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1048 1049 if (rp->status) 1050 return; 1051 1052 hdev->adv_tx_power = rp->tx_power; 1053 } 1054 1055 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 1056 { 1057 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1058 1059 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1060 1061 hci_dev_lock(hdev); 1062 1063 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1064 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1065 rp->status); 1066 1067 hci_dev_unlock(hdev); 1068 } 1069 1070 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 1071 struct sk_buff *skb) 1072 { 1073 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1074 1075 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1076 1077 hci_dev_lock(hdev); 1078 1079 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1080 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1081 ACL_LINK, 0, rp->status); 1082 1083 hci_dev_unlock(hdev); 1084 } 1085 1086 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 1087 { 1088 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1089 1090 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1091 1092 hci_dev_lock(hdev); 1093 1094 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1095 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1096 0, rp->status); 1097 1098 hci_dev_unlock(hdev); 1099 } 1100 1101 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 1102 struct sk_buff *skb) 1103 { 1104 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1105 1106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1107 1108 hci_dev_lock(hdev); 1109 1110 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1111 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1112 ACL_LINK, 0, rp->status); 1113 1114 hci_dev_unlock(hdev); 1115 } 1116 1117 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1118 struct sk_buff *skb) 1119 { 1120 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1121 1122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1123 } 1124 1125 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1126 struct sk_buff *skb) 1127 { 1128 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1129 1130 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1131 } 1132 1133 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1134 { 1135 __u8 status = *((__u8 *) skb->data); 1136 bdaddr_t *sent; 1137 1138 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1139 1140 if (status) 1141 return; 1142 1143 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1144 if (!sent) 1145 return; 1146 1147 hci_dev_lock(hdev); 1148 1149 bacpy(&hdev->random_addr, sent); 1150 1151 hci_dev_unlock(hdev); 1152 } 1153 1154 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb) 1155 { 1156 __u8 status = *((__u8 *) skb->data); 1157 struct hci_cp_le_set_default_phy *cp; 1158 1159 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1160 1161 if (status) 1162 return; 1163 1164 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1165 if (!cp) 1166 return; 1167 1168 hci_dev_lock(hdev); 1169 1170 hdev->le_tx_def_phys = cp->tx_phys; 1171 hdev->le_rx_def_phys = cp->rx_phys; 1172 1173 hci_dev_unlock(hdev); 1174 } 1175 1176 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, 1177 struct sk_buff *skb) 1178 { 1179 __u8 status = *((__u8 *) skb->data); 1180 struct hci_cp_le_set_adv_set_rand_addr *cp; 1181 struct adv_info *adv_instance; 1182 1183 if (status) 1184 return; 1185 1186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1187 if (!cp) 1188 return; 1189 1190 hci_dev_lock(hdev); 1191 1192 if (!hdev->cur_adv_instance) { 1193 /* Store in hdev for instance 0 (Set adv and Directed advs) */ 1194 bacpy(&hdev->random_addr, &cp->bdaddr); 1195 } else { 1196 adv_instance = hci_find_adv_instance(hdev, 1197 hdev->cur_adv_instance); 1198 if (adv_instance) 1199 bacpy(&adv_instance->random_addr, &cp->bdaddr); 1200 } 1201 1202 hci_dev_unlock(hdev); 1203 } 1204 1205 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1206 { 1207 __u8 *sent, status = *((__u8 *) skb->data); 1208 1209 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1210 1211 if (status) 1212 return; 1213 1214 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1215 if (!sent) 1216 return; 1217 1218 hci_dev_lock(hdev); 1219 1220 /* If we're doing connection initiation as peripheral. Set a 1221 * timeout in case something goes wrong. 1222 */ 1223 if (*sent) { 1224 struct hci_conn *conn; 1225 1226 hci_dev_set_flag(hdev, HCI_LE_ADV); 1227 1228 conn = hci_lookup_le_connect(hdev); 1229 if (conn) 1230 queue_delayed_work(hdev->workqueue, 1231 &conn->le_conn_timeout, 1232 conn->conn_timeout); 1233 } else { 1234 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1235 } 1236 1237 hci_dev_unlock(hdev); 1238 } 1239 1240 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, 1241 struct sk_buff *skb) 1242 { 1243 struct hci_cp_le_set_ext_adv_enable *cp; 1244 __u8 status = *((__u8 *) skb->data); 1245 1246 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1247 1248 if (status) 1249 return; 1250 1251 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1252 if (!cp) 1253 return; 1254 1255 hci_dev_lock(hdev); 1256 1257 if (cp->enable) { 1258 struct hci_conn *conn; 1259 1260 hci_dev_set_flag(hdev, HCI_LE_ADV); 1261 1262 conn = hci_lookup_le_connect(hdev); 1263 if (conn) 1264 queue_delayed_work(hdev->workqueue, 1265 &conn->le_conn_timeout, 1266 conn->conn_timeout); 1267 } else { 1268 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1269 } 1270 1271 hci_dev_unlock(hdev); 1272 } 1273 1274 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1275 { 1276 struct hci_cp_le_set_scan_param *cp; 1277 __u8 status = *((__u8 *) skb->data); 1278 1279 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1280 1281 if (status) 1282 return; 1283 1284 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1285 if (!cp) 1286 return; 1287 1288 hci_dev_lock(hdev); 1289 1290 hdev->le_scan_type = cp->type; 1291 1292 hci_dev_unlock(hdev); 1293 } 1294 1295 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, 1296 struct sk_buff *skb) 1297 { 1298 struct hci_cp_le_set_ext_scan_params *cp; 1299 __u8 status = *((__u8 *) skb->data); 1300 struct hci_cp_le_scan_phy_params *phy_param; 1301 1302 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1303 1304 if (status) 1305 return; 1306 1307 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1308 if (!cp) 1309 return; 1310 1311 phy_param = (void *)cp->data; 1312 1313 hci_dev_lock(hdev); 1314 1315 hdev->le_scan_type = phy_param->type; 1316 1317 hci_dev_unlock(hdev); 1318 } 1319 1320 static bool has_pending_adv_report(struct hci_dev *hdev) 1321 { 1322 struct discovery_state *d = &hdev->discovery; 1323 1324 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1325 } 1326 1327 static void clear_pending_adv_report(struct hci_dev *hdev) 1328 { 1329 struct discovery_state *d = &hdev->discovery; 1330 1331 bacpy(&d->last_adv_addr, BDADDR_ANY); 1332 d->last_adv_data_len = 0; 1333 } 1334 1335 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1336 u8 bdaddr_type, s8 rssi, u32 flags, 1337 u8 *data, u8 len) 1338 { 1339 struct discovery_state *d = &hdev->discovery; 1340 1341 if (len > HCI_MAX_AD_LENGTH) 1342 return; 1343 1344 bacpy(&d->last_adv_addr, bdaddr); 1345 d->last_adv_addr_type = bdaddr_type; 1346 d->last_adv_rssi = rssi; 1347 d->last_adv_flags = flags; 1348 memcpy(d->last_adv_data, data, len); 1349 d->last_adv_data_len = len; 1350 } 1351 1352 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1353 { 1354 hci_dev_lock(hdev); 1355 1356 switch (enable) { 1357 case LE_SCAN_ENABLE: 1358 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1359 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1360 clear_pending_adv_report(hdev); 1361 break; 1362 1363 case LE_SCAN_DISABLE: 1364 /* We do this here instead of when setting DISCOVERY_STOPPED 1365 * since the latter would potentially require waiting for 1366 * inquiry to stop too. 1367 */ 1368 if (has_pending_adv_report(hdev)) { 1369 struct discovery_state *d = &hdev->discovery; 1370 1371 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1372 d->last_adv_addr_type, NULL, 1373 d->last_adv_rssi, d->last_adv_flags, 1374 d->last_adv_data, 1375 d->last_adv_data_len, NULL, 0); 1376 } 1377 1378 /* Cancel this timer so that we don't try to disable scanning 1379 * when it's already disabled. 1380 */ 1381 cancel_delayed_work(&hdev->le_scan_disable); 1382 1383 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1384 1385 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1386 * interrupted scanning due to a connect request. Mark 1387 * therefore discovery as stopped. If this was not 1388 * because of a connect request advertising might have 1389 * been disabled because of active scanning, so 1390 * re-enable it again if necessary. 1391 */ 1392 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1393 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1394 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1395 hdev->discovery.state == DISCOVERY_FINDING) 1396 hci_req_reenable_advertising(hdev); 1397 1398 break; 1399 1400 default: 1401 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1402 enable); 1403 break; 1404 } 1405 1406 hci_dev_unlock(hdev); 1407 } 1408 1409 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1410 struct sk_buff *skb) 1411 { 1412 struct hci_cp_le_set_scan_enable *cp; 1413 __u8 status = *((__u8 *) skb->data); 1414 1415 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1416 1417 if (status) 1418 return; 1419 1420 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1421 if (!cp) 1422 return; 1423 1424 le_set_scan_enable_complete(hdev, cp->enable); 1425 } 1426 1427 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, 1428 struct sk_buff *skb) 1429 { 1430 struct hci_cp_le_set_ext_scan_enable *cp; 1431 __u8 status = *((__u8 *) skb->data); 1432 1433 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1434 1435 if (status) 1436 return; 1437 1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1439 if (!cp) 1440 return; 1441 1442 le_set_scan_enable_complete(hdev, cp->enable); 1443 } 1444 1445 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, 1446 struct sk_buff *skb) 1447 { 1448 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data; 1449 1450 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status, 1451 rp->num_of_sets); 1452 1453 if (rp->status) 1454 return; 1455 1456 hdev->le_num_of_adv_sets = rp->num_of_sets; 1457 } 1458 1459 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1460 struct sk_buff *skb) 1461 { 1462 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1463 1464 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1465 1466 if (rp->status) 1467 return; 1468 1469 hdev->le_white_list_size = rp->size; 1470 } 1471 1472 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1473 struct sk_buff *skb) 1474 { 1475 __u8 status = *((__u8 *) skb->data); 1476 1477 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1478 1479 if (status) 1480 return; 1481 1482 hci_bdaddr_list_clear(&hdev->le_white_list); 1483 } 1484 1485 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1486 struct sk_buff *skb) 1487 { 1488 struct hci_cp_le_add_to_white_list *sent; 1489 __u8 status = *((__u8 *) skb->data); 1490 1491 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1492 1493 if (status) 1494 return; 1495 1496 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1497 if (!sent) 1498 return; 1499 1500 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1501 sent->bdaddr_type); 1502 } 1503 1504 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1505 struct sk_buff *skb) 1506 { 1507 struct hci_cp_le_del_from_white_list *sent; 1508 __u8 status = *((__u8 *) skb->data); 1509 1510 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1511 1512 if (status) 1513 return; 1514 1515 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1516 if (!sent) 1517 return; 1518 1519 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1520 sent->bdaddr_type); 1521 } 1522 1523 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1524 struct sk_buff *skb) 1525 { 1526 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1527 1528 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1529 1530 if (rp->status) 1531 return; 1532 1533 memcpy(hdev->le_states, rp->le_states, 8); 1534 } 1535 1536 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1537 struct sk_buff *skb) 1538 { 1539 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1540 1541 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1542 1543 if (rp->status) 1544 return; 1545 1546 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1547 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1548 } 1549 1550 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1551 struct sk_buff *skb) 1552 { 1553 struct hci_cp_le_write_def_data_len *sent; 1554 __u8 status = *((__u8 *) skb->data); 1555 1556 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1557 1558 if (status) 1559 return; 1560 1561 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1562 if (!sent) 1563 return; 1564 1565 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1566 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1567 } 1568 1569 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, 1570 struct sk_buff *skb) 1571 { 1572 struct hci_cp_le_add_to_resolv_list *sent; 1573 __u8 status = *((__u8 *) skb->data); 1574 1575 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1576 1577 if (status) 1578 return; 1579 1580 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1581 if (!sent) 1582 return; 1583 1584 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1585 sent->bdaddr_type, sent->peer_irk, 1586 sent->local_irk); 1587 } 1588 1589 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 1590 struct sk_buff *skb) 1591 { 1592 struct hci_cp_le_del_from_resolv_list *sent; 1593 __u8 status = *((__u8 *) skb->data); 1594 1595 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1596 1597 if (status) 1598 return; 1599 1600 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1601 if (!sent) 1602 return; 1603 1604 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1605 sent->bdaddr_type); 1606 } 1607 1608 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev, 1609 struct sk_buff *skb) 1610 { 1611 __u8 status = *((__u8 *) skb->data); 1612 1613 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1614 1615 if (status) 1616 return; 1617 1618 hci_bdaddr_list_clear(&hdev->le_resolv_list); 1619 } 1620 1621 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, 1622 struct sk_buff *skb) 1623 { 1624 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data; 1625 1626 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1627 1628 if (rp->status) 1629 return; 1630 1631 hdev->le_resolv_list_size = rp->size; 1632 } 1633 1634 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, 1635 struct sk_buff *skb) 1636 { 1637 __u8 *sent, status = *((__u8 *) skb->data); 1638 1639 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1640 1641 if (status) 1642 return; 1643 1644 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 1645 if (!sent) 1646 return; 1647 1648 hci_dev_lock(hdev); 1649 1650 if (*sent) 1651 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 1652 else 1653 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 1654 1655 hci_dev_unlock(hdev); 1656 } 1657 1658 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1659 struct sk_buff *skb) 1660 { 1661 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1662 1663 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1664 1665 if (rp->status) 1666 return; 1667 1668 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1669 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1670 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1671 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1672 } 1673 1674 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1675 struct sk_buff *skb) 1676 { 1677 struct hci_cp_write_le_host_supported *sent; 1678 __u8 status = *((__u8 *) skb->data); 1679 1680 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1681 1682 if (status) 1683 return; 1684 1685 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1686 if (!sent) 1687 return; 1688 1689 hci_dev_lock(hdev); 1690 1691 if (sent->le) { 1692 hdev->features[1][0] |= LMP_HOST_LE; 1693 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1694 } else { 1695 hdev->features[1][0] &= ~LMP_HOST_LE; 1696 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1697 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1698 } 1699 1700 if (sent->simul) 1701 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1702 else 1703 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1704 1705 hci_dev_unlock(hdev); 1706 } 1707 1708 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1709 { 1710 struct hci_cp_le_set_adv_param *cp; 1711 u8 status = *((u8 *) skb->data); 1712 1713 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1714 1715 if (status) 1716 return; 1717 1718 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1719 if (!cp) 1720 return; 1721 1722 hci_dev_lock(hdev); 1723 hdev->adv_addr_type = cp->own_address_type; 1724 hci_dev_unlock(hdev); 1725 } 1726 1727 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1728 { 1729 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; 1730 struct hci_cp_le_set_ext_adv_params *cp; 1731 struct adv_info *adv_instance; 1732 1733 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1734 1735 if (rp->status) 1736 return; 1737 1738 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 1739 if (!cp) 1740 return; 1741 1742 hci_dev_lock(hdev); 1743 hdev->adv_addr_type = cp->own_addr_type; 1744 if (!hdev->cur_adv_instance) { 1745 /* Store in hdev for instance 0 */ 1746 hdev->adv_tx_power = rp->tx_power; 1747 } else { 1748 adv_instance = hci_find_adv_instance(hdev, 1749 hdev->cur_adv_instance); 1750 if (adv_instance) 1751 adv_instance->tx_power = rp->tx_power; 1752 } 1753 /* Update adv data as tx power is known now */ 1754 hci_req_update_adv_data(hdev, hdev->cur_adv_instance); 1755 hci_dev_unlock(hdev); 1756 } 1757 1758 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1759 { 1760 struct hci_rp_read_rssi *rp = (void *) skb->data; 1761 struct hci_conn *conn; 1762 1763 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1764 1765 if (rp->status) 1766 return; 1767 1768 hci_dev_lock(hdev); 1769 1770 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1771 if (conn) 1772 conn->rssi = rp->rssi; 1773 1774 hci_dev_unlock(hdev); 1775 } 1776 1777 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1778 { 1779 struct hci_cp_read_tx_power *sent; 1780 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1781 struct hci_conn *conn; 1782 1783 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1784 1785 if (rp->status) 1786 return; 1787 1788 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1789 if (!sent) 1790 return; 1791 1792 hci_dev_lock(hdev); 1793 1794 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1795 if (!conn) 1796 goto unlock; 1797 1798 switch (sent->type) { 1799 case 0x00: 1800 conn->tx_power = rp->tx_power; 1801 break; 1802 case 0x01: 1803 conn->max_tx_power = rp->tx_power; 1804 break; 1805 } 1806 1807 unlock: 1808 hci_dev_unlock(hdev); 1809 } 1810 1811 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1812 { 1813 u8 status = *((u8 *) skb->data); 1814 u8 *mode; 1815 1816 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1817 1818 if (status) 1819 return; 1820 1821 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1822 if (mode) 1823 hdev->ssp_debug_mode = *mode; 1824 } 1825 1826 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1827 { 1828 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1829 1830 if (status) { 1831 hci_conn_check_pending(hdev); 1832 return; 1833 } 1834 1835 set_bit(HCI_INQUIRY, &hdev->flags); 1836 } 1837 1838 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1839 { 1840 struct hci_cp_create_conn *cp; 1841 struct hci_conn *conn; 1842 1843 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1844 1845 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1846 if (!cp) 1847 return; 1848 1849 hci_dev_lock(hdev); 1850 1851 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1852 1853 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1854 1855 if (status) { 1856 if (conn && conn->state == BT_CONNECT) { 1857 if (status != 0x0c || conn->attempt > 2) { 1858 conn->state = BT_CLOSED; 1859 hci_connect_cfm(conn, status); 1860 hci_conn_del(conn); 1861 } else 1862 conn->state = BT_CONNECT2; 1863 } 1864 } else { 1865 if (!conn) { 1866 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1867 HCI_ROLE_MASTER); 1868 if (!conn) 1869 bt_dev_err(hdev, "no memory for new connection"); 1870 } 1871 } 1872 1873 hci_dev_unlock(hdev); 1874 } 1875 1876 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1877 { 1878 struct hci_cp_add_sco *cp; 1879 struct hci_conn *acl, *sco; 1880 __u16 handle; 1881 1882 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1883 1884 if (!status) 1885 return; 1886 1887 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1888 if (!cp) 1889 return; 1890 1891 handle = __le16_to_cpu(cp->handle); 1892 1893 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1894 1895 hci_dev_lock(hdev); 1896 1897 acl = hci_conn_hash_lookup_handle(hdev, handle); 1898 if (acl) { 1899 sco = acl->link; 1900 if (sco) { 1901 sco->state = BT_CLOSED; 1902 1903 hci_connect_cfm(sco, status); 1904 hci_conn_del(sco); 1905 } 1906 } 1907 1908 hci_dev_unlock(hdev); 1909 } 1910 1911 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1912 { 1913 struct hci_cp_auth_requested *cp; 1914 struct hci_conn *conn; 1915 1916 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1917 1918 if (!status) 1919 return; 1920 1921 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1922 if (!cp) 1923 return; 1924 1925 hci_dev_lock(hdev); 1926 1927 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1928 if (conn) { 1929 if (conn->state == BT_CONFIG) { 1930 hci_connect_cfm(conn, status); 1931 hci_conn_drop(conn); 1932 } 1933 } 1934 1935 hci_dev_unlock(hdev); 1936 } 1937 1938 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1939 { 1940 struct hci_cp_set_conn_encrypt *cp; 1941 struct hci_conn *conn; 1942 1943 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1944 1945 if (!status) 1946 return; 1947 1948 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1949 if (!cp) 1950 return; 1951 1952 hci_dev_lock(hdev); 1953 1954 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1955 if (conn) { 1956 if (conn->state == BT_CONFIG) { 1957 hci_connect_cfm(conn, status); 1958 hci_conn_drop(conn); 1959 } 1960 } 1961 1962 hci_dev_unlock(hdev); 1963 } 1964 1965 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1966 struct hci_conn *conn) 1967 { 1968 if (conn->state != BT_CONFIG || !conn->out) 1969 return 0; 1970 1971 if (conn->pending_sec_level == BT_SECURITY_SDP) 1972 return 0; 1973 1974 /* Only request authentication for SSP connections or non-SSP 1975 * devices with sec_level MEDIUM or HIGH or if MITM protection 1976 * is requested. 1977 */ 1978 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1979 conn->pending_sec_level != BT_SECURITY_FIPS && 1980 conn->pending_sec_level != BT_SECURITY_HIGH && 1981 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1982 return 0; 1983 1984 return 1; 1985 } 1986 1987 static int hci_resolve_name(struct hci_dev *hdev, 1988 struct inquiry_entry *e) 1989 { 1990 struct hci_cp_remote_name_req cp; 1991 1992 memset(&cp, 0, sizeof(cp)); 1993 1994 bacpy(&cp.bdaddr, &e->data.bdaddr); 1995 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1996 cp.pscan_mode = e->data.pscan_mode; 1997 cp.clock_offset = e->data.clock_offset; 1998 1999 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2000 } 2001 2002 static bool hci_resolve_next_name(struct hci_dev *hdev) 2003 { 2004 struct discovery_state *discov = &hdev->discovery; 2005 struct inquiry_entry *e; 2006 2007 if (list_empty(&discov->resolve)) 2008 return false; 2009 2010 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2011 if (!e) 2012 return false; 2013 2014 if (hci_resolve_name(hdev, e) == 0) { 2015 e->name_state = NAME_PENDING; 2016 return true; 2017 } 2018 2019 return false; 2020 } 2021 2022 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2023 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2024 { 2025 struct discovery_state *discov = &hdev->discovery; 2026 struct inquiry_entry *e; 2027 2028 /* Update the mgmt connected state if necessary. Be careful with 2029 * conn objects that exist but are not (yet) connected however. 2030 * Only those in BT_CONFIG or BT_CONNECTED states can be 2031 * considered connected. 2032 */ 2033 if (conn && 2034 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2035 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2036 mgmt_device_connected(hdev, conn, 0, name, name_len); 2037 2038 if (discov->state == DISCOVERY_STOPPED) 2039 return; 2040 2041 if (discov->state == DISCOVERY_STOPPING) 2042 goto discov_complete; 2043 2044 if (discov->state != DISCOVERY_RESOLVING) 2045 return; 2046 2047 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2048 /* If the device was not found in a list of found devices names of which 2049 * are pending. there is no need to continue resolving a next name as it 2050 * will be done upon receiving another Remote Name Request Complete 2051 * Event */ 2052 if (!e) 2053 return; 2054 2055 list_del(&e->list); 2056 if (name) { 2057 e->name_state = NAME_KNOWN; 2058 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 2059 e->data.rssi, name, name_len); 2060 } else { 2061 e->name_state = NAME_NOT_KNOWN; 2062 } 2063 2064 if (hci_resolve_next_name(hdev)) 2065 return; 2066 2067 discov_complete: 2068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2069 } 2070 2071 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2072 { 2073 struct hci_cp_remote_name_req *cp; 2074 struct hci_conn *conn; 2075 2076 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2077 2078 /* If successful wait for the name req complete event before 2079 * checking for the need to do authentication */ 2080 if (!status) 2081 return; 2082 2083 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2084 if (!cp) 2085 return; 2086 2087 hci_dev_lock(hdev); 2088 2089 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2090 2091 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2092 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2093 2094 if (!conn) 2095 goto unlock; 2096 2097 if (!hci_outgoing_auth_needed(hdev, conn)) 2098 goto unlock; 2099 2100 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2101 struct hci_cp_auth_requested auth_cp; 2102 2103 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2104 2105 auth_cp.handle = __cpu_to_le16(conn->handle); 2106 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2107 sizeof(auth_cp), &auth_cp); 2108 } 2109 2110 unlock: 2111 hci_dev_unlock(hdev); 2112 } 2113 2114 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2115 { 2116 struct hci_cp_read_remote_features *cp; 2117 struct hci_conn *conn; 2118 2119 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2120 2121 if (!status) 2122 return; 2123 2124 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2125 if (!cp) 2126 return; 2127 2128 hci_dev_lock(hdev); 2129 2130 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2131 if (conn) { 2132 if (conn->state == BT_CONFIG) { 2133 hci_connect_cfm(conn, status); 2134 hci_conn_drop(conn); 2135 } 2136 } 2137 2138 hci_dev_unlock(hdev); 2139 } 2140 2141 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2142 { 2143 struct hci_cp_read_remote_ext_features *cp; 2144 struct hci_conn *conn; 2145 2146 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2147 2148 if (!status) 2149 return; 2150 2151 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2152 if (!cp) 2153 return; 2154 2155 hci_dev_lock(hdev); 2156 2157 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2158 if (conn) { 2159 if (conn->state == BT_CONFIG) { 2160 hci_connect_cfm(conn, status); 2161 hci_conn_drop(conn); 2162 } 2163 } 2164 2165 hci_dev_unlock(hdev); 2166 } 2167 2168 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2169 { 2170 struct hci_cp_setup_sync_conn *cp; 2171 struct hci_conn *acl, *sco; 2172 __u16 handle; 2173 2174 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2175 2176 if (!status) 2177 return; 2178 2179 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2180 if (!cp) 2181 return; 2182 2183 handle = __le16_to_cpu(cp->handle); 2184 2185 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2186 2187 hci_dev_lock(hdev); 2188 2189 acl = hci_conn_hash_lookup_handle(hdev, handle); 2190 if (acl) { 2191 sco = acl->link; 2192 if (sco) { 2193 sco->state = BT_CLOSED; 2194 2195 hci_connect_cfm(sco, status); 2196 hci_conn_del(sco); 2197 } 2198 } 2199 2200 hci_dev_unlock(hdev); 2201 } 2202 2203 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2204 { 2205 struct hci_cp_sniff_mode *cp; 2206 struct hci_conn *conn; 2207 2208 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2209 2210 if (!status) 2211 return; 2212 2213 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2214 if (!cp) 2215 return; 2216 2217 hci_dev_lock(hdev); 2218 2219 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2220 if (conn) { 2221 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2222 2223 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2224 hci_sco_setup(conn, status); 2225 } 2226 2227 hci_dev_unlock(hdev); 2228 } 2229 2230 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2231 { 2232 struct hci_cp_exit_sniff_mode *cp; 2233 struct hci_conn *conn; 2234 2235 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2236 2237 if (!status) 2238 return; 2239 2240 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2241 if (!cp) 2242 return; 2243 2244 hci_dev_lock(hdev); 2245 2246 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2247 if (conn) { 2248 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2249 2250 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2251 hci_sco_setup(conn, status); 2252 } 2253 2254 hci_dev_unlock(hdev); 2255 } 2256 2257 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2258 { 2259 struct hci_cp_disconnect *cp; 2260 struct hci_conn *conn; 2261 2262 if (!status) 2263 return; 2264 2265 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2266 if (!cp) 2267 return; 2268 2269 hci_dev_lock(hdev); 2270 2271 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2272 if (conn) { 2273 u8 type = conn->type; 2274 2275 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2276 conn->dst_type, status); 2277 2278 /* If the disconnection failed for any reason, the upper layer 2279 * does not retry to disconnect in current implementation. 2280 * Hence, we need to do some basic cleanup here and re-enable 2281 * advertising if necessary. 2282 */ 2283 hci_conn_del(conn); 2284 if (type == LE_LINK) 2285 hci_req_reenable_advertising(hdev); 2286 } 2287 2288 hci_dev_unlock(hdev); 2289 } 2290 2291 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2292 u8 peer_addr_type, u8 own_address_type, 2293 u8 filter_policy) 2294 { 2295 struct hci_conn *conn; 2296 2297 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2298 peer_addr_type); 2299 if (!conn) 2300 return; 2301 2302 /* When using controller based address resolution, then the new 2303 * address types 0x02 and 0x03 are used. These types need to be 2304 * converted back into either public address or random address type 2305 */ 2306 if (use_ll_privacy(hdev) && 2307 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) { 2308 switch (own_address_type) { 2309 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2310 own_address_type = ADDR_LE_DEV_PUBLIC; 2311 break; 2312 case ADDR_LE_DEV_RANDOM_RESOLVED: 2313 own_address_type = ADDR_LE_DEV_RANDOM; 2314 break; 2315 } 2316 } 2317 2318 /* Store the initiator and responder address information which 2319 * is needed for SMP. These values will not change during the 2320 * lifetime of the connection. 2321 */ 2322 conn->init_addr_type = own_address_type; 2323 if (own_address_type == ADDR_LE_DEV_RANDOM) 2324 bacpy(&conn->init_addr, &hdev->random_addr); 2325 else 2326 bacpy(&conn->init_addr, &hdev->bdaddr); 2327 2328 conn->resp_addr_type = peer_addr_type; 2329 bacpy(&conn->resp_addr, peer_addr); 2330 2331 /* We don't want the connection attempt to stick around 2332 * indefinitely since LE doesn't have a page timeout concept 2333 * like BR/EDR. Set a timer for any connection that doesn't use 2334 * the white list for connecting. 2335 */ 2336 if (filter_policy == HCI_LE_USE_PEER_ADDR) 2337 queue_delayed_work(conn->hdev->workqueue, 2338 &conn->le_conn_timeout, 2339 conn->conn_timeout); 2340 } 2341 2342 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2343 { 2344 struct hci_cp_le_create_conn *cp; 2345 2346 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2347 2348 /* All connection failure handling is taken care of by the 2349 * hci_le_conn_failed function which is triggered by the HCI 2350 * request completion callbacks used for connecting. 2351 */ 2352 if (status) 2353 return; 2354 2355 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2356 if (!cp) 2357 return; 2358 2359 hci_dev_lock(hdev); 2360 2361 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2362 cp->own_address_type, cp->filter_policy); 2363 2364 hci_dev_unlock(hdev); 2365 } 2366 2367 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2368 { 2369 struct hci_cp_le_ext_create_conn *cp; 2370 2371 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2372 2373 /* All connection failure handling is taken care of by the 2374 * hci_le_conn_failed function which is triggered by the HCI 2375 * request completion callbacks used for connecting. 2376 */ 2377 if (status) 2378 return; 2379 2380 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2381 if (!cp) 2382 return; 2383 2384 hci_dev_lock(hdev); 2385 2386 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2387 cp->own_addr_type, cp->filter_policy); 2388 2389 hci_dev_unlock(hdev); 2390 } 2391 2392 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2393 { 2394 struct hci_cp_le_read_remote_features *cp; 2395 struct hci_conn *conn; 2396 2397 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2398 2399 if (!status) 2400 return; 2401 2402 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2403 if (!cp) 2404 return; 2405 2406 hci_dev_lock(hdev); 2407 2408 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2409 if (conn) { 2410 if (conn->state == BT_CONFIG) { 2411 hci_connect_cfm(conn, status); 2412 hci_conn_drop(conn); 2413 } 2414 } 2415 2416 hci_dev_unlock(hdev); 2417 } 2418 2419 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2420 { 2421 struct hci_cp_le_start_enc *cp; 2422 struct hci_conn *conn; 2423 2424 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2425 2426 if (!status) 2427 return; 2428 2429 hci_dev_lock(hdev); 2430 2431 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2432 if (!cp) 2433 goto unlock; 2434 2435 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2436 if (!conn) 2437 goto unlock; 2438 2439 if (conn->state != BT_CONNECTED) 2440 goto unlock; 2441 2442 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2443 hci_conn_drop(conn); 2444 2445 unlock: 2446 hci_dev_unlock(hdev); 2447 } 2448 2449 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2450 { 2451 struct hci_cp_switch_role *cp; 2452 struct hci_conn *conn; 2453 2454 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2455 2456 if (!status) 2457 return; 2458 2459 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2460 if (!cp) 2461 return; 2462 2463 hci_dev_lock(hdev); 2464 2465 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2466 if (conn) 2467 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2468 2469 hci_dev_unlock(hdev); 2470 } 2471 2472 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2473 { 2474 __u8 status = *((__u8 *) skb->data); 2475 struct discovery_state *discov = &hdev->discovery; 2476 struct inquiry_entry *e; 2477 2478 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2479 2480 hci_conn_check_pending(hdev); 2481 2482 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2483 return; 2484 2485 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2486 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2487 2488 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2489 return; 2490 2491 hci_dev_lock(hdev); 2492 2493 if (discov->state != DISCOVERY_FINDING) 2494 goto unlock; 2495 2496 if (list_empty(&discov->resolve)) { 2497 /* When BR/EDR inquiry is active and no LE scanning is in 2498 * progress, then change discovery state to indicate completion. 2499 * 2500 * When running LE scanning and BR/EDR inquiry simultaneously 2501 * and the LE scan already finished, then change the discovery 2502 * state to indicate completion. 2503 */ 2504 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2505 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2506 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2507 goto unlock; 2508 } 2509 2510 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2511 if (e && hci_resolve_name(hdev, e) == 0) { 2512 e->name_state = NAME_PENDING; 2513 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2514 } else { 2515 /* When BR/EDR inquiry is active and no LE scanning is in 2516 * progress, then change discovery state to indicate completion. 2517 * 2518 * When running LE scanning and BR/EDR inquiry simultaneously 2519 * and the LE scan already finished, then change the discovery 2520 * state to indicate completion. 2521 */ 2522 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2523 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2524 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2525 } 2526 2527 unlock: 2528 hci_dev_unlock(hdev); 2529 } 2530 2531 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2532 { 2533 struct inquiry_data data; 2534 struct inquiry_info *info = (void *) (skb->data + 1); 2535 int num_rsp = *((__u8 *) skb->data); 2536 2537 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2538 2539 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) 2540 return; 2541 2542 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2543 return; 2544 2545 hci_dev_lock(hdev); 2546 2547 for (; num_rsp; num_rsp--, info++) { 2548 u32 flags; 2549 2550 bacpy(&data.bdaddr, &info->bdaddr); 2551 data.pscan_rep_mode = info->pscan_rep_mode; 2552 data.pscan_period_mode = info->pscan_period_mode; 2553 data.pscan_mode = info->pscan_mode; 2554 memcpy(data.dev_class, info->dev_class, 3); 2555 data.clock_offset = info->clock_offset; 2556 data.rssi = HCI_RSSI_INVALID; 2557 data.ssp_mode = 0x00; 2558 2559 flags = hci_inquiry_cache_update(hdev, &data, false); 2560 2561 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2562 info->dev_class, HCI_RSSI_INVALID, 2563 flags, NULL, 0, NULL, 0); 2564 } 2565 2566 hci_dev_unlock(hdev); 2567 } 2568 2569 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2570 { 2571 struct hci_ev_conn_complete *ev = (void *) skb->data; 2572 struct inquiry_entry *ie; 2573 struct hci_conn *conn; 2574 2575 BT_DBG("%s", hdev->name); 2576 2577 hci_dev_lock(hdev); 2578 2579 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2580 if (!conn) { 2581 /* Connection may not exist if auto-connected. Check the inquiry 2582 * cache to see if we've already discovered this bdaddr before. 2583 * If found and link is an ACL type, create a connection class 2584 * automatically. 2585 */ 2586 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2587 if (ie && ev->link_type == ACL_LINK) { 2588 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2589 HCI_ROLE_SLAVE); 2590 if (!conn) { 2591 bt_dev_err(hdev, "no memory for new conn"); 2592 goto unlock; 2593 } 2594 } else { 2595 if (ev->link_type != SCO_LINK) 2596 goto unlock; 2597 2598 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 2599 &ev->bdaddr); 2600 if (!conn) 2601 goto unlock; 2602 2603 conn->type = SCO_LINK; 2604 } 2605 } 2606 2607 if (!ev->status) { 2608 conn->handle = __le16_to_cpu(ev->handle); 2609 2610 if (conn->type == ACL_LINK) { 2611 conn->state = BT_CONFIG; 2612 hci_conn_hold(conn); 2613 2614 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2615 !hci_find_link_key(hdev, &ev->bdaddr)) 2616 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2617 else 2618 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2619 } else 2620 conn->state = BT_CONNECTED; 2621 2622 hci_debugfs_create_conn(conn); 2623 hci_conn_add_sysfs(conn); 2624 2625 if (test_bit(HCI_AUTH, &hdev->flags)) 2626 set_bit(HCI_CONN_AUTH, &conn->flags); 2627 2628 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2629 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2630 2631 /* Get remote features */ 2632 if (conn->type == ACL_LINK) { 2633 struct hci_cp_read_remote_features cp; 2634 cp.handle = ev->handle; 2635 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2636 sizeof(cp), &cp); 2637 2638 hci_req_update_scan(hdev); 2639 } 2640 2641 /* Set packet type for incoming connection */ 2642 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2643 struct hci_cp_change_conn_ptype cp; 2644 cp.handle = ev->handle; 2645 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2646 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2647 &cp); 2648 } 2649 } else { 2650 conn->state = BT_CLOSED; 2651 if (conn->type == ACL_LINK) 2652 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2653 conn->dst_type, ev->status); 2654 } 2655 2656 if (conn->type == ACL_LINK) 2657 hci_sco_setup(conn, ev->status); 2658 2659 if (ev->status) { 2660 hci_connect_cfm(conn, ev->status); 2661 hci_conn_del(conn); 2662 } else if (ev->link_type == SCO_LINK) { 2663 switch (conn->setting & SCO_AIRMODE_MASK) { 2664 case SCO_AIRMODE_CVSD: 2665 if (hdev->notify) 2666 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 2667 break; 2668 } 2669 2670 hci_connect_cfm(conn, ev->status); 2671 } 2672 2673 unlock: 2674 hci_dev_unlock(hdev); 2675 2676 hci_conn_check_pending(hdev); 2677 } 2678 2679 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2680 { 2681 struct hci_cp_reject_conn_req cp; 2682 2683 bacpy(&cp.bdaddr, bdaddr); 2684 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2685 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2686 } 2687 2688 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2689 { 2690 struct hci_ev_conn_request *ev = (void *) skb->data; 2691 int mask = hdev->link_mode; 2692 struct inquiry_entry *ie; 2693 struct hci_conn *conn; 2694 __u8 flags = 0; 2695 2696 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2697 ev->link_type); 2698 2699 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2700 &flags); 2701 2702 if (!(mask & HCI_LM_ACCEPT)) { 2703 hci_reject_conn(hdev, &ev->bdaddr); 2704 return; 2705 } 2706 2707 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2708 BDADDR_BREDR)) { 2709 hci_reject_conn(hdev, &ev->bdaddr); 2710 return; 2711 } 2712 2713 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2714 * connection. These features are only touched through mgmt so 2715 * only do the checks if HCI_MGMT is set. 2716 */ 2717 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2718 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2719 !hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, &ev->bdaddr, 2720 BDADDR_BREDR)) { 2721 hci_reject_conn(hdev, &ev->bdaddr); 2722 return; 2723 } 2724 2725 /* Connection accepted */ 2726 2727 hci_dev_lock(hdev); 2728 2729 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2730 if (ie) 2731 memcpy(ie->data.dev_class, ev->dev_class, 3); 2732 2733 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2734 &ev->bdaddr); 2735 if (!conn) { 2736 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2737 HCI_ROLE_SLAVE); 2738 if (!conn) { 2739 bt_dev_err(hdev, "no memory for new connection"); 2740 hci_dev_unlock(hdev); 2741 return; 2742 } 2743 } 2744 2745 memcpy(conn->dev_class, ev->dev_class, 3); 2746 2747 hci_dev_unlock(hdev); 2748 2749 if (ev->link_type == ACL_LINK || 2750 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2751 struct hci_cp_accept_conn_req cp; 2752 conn->state = BT_CONNECT; 2753 2754 bacpy(&cp.bdaddr, &ev->bdaddr); 2755 2756 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2757 cp.role = 0x00; /* Become master */ 2758 else 2759 cp.role = 0x01; /* Remain slave */ 2760 2761 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2762 } else if (!(flags & HCI_PROTO_DEFER)) { 2763 struct hci_cp_accept_sync_conn_req cp; 2764 conn->state = BT_CONNECT; 2765 2766 bacpy(&cp.bdaddr, &ev->bdaddr); 2767 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2768 2769 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2770 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2771 cp.max_latency = cpu_to_le16(0xffff); 2772 cp.content_format = cpu_to_le16(hdev->voice_setting); 2773 cp.retrans_effort = 0xff; 2774 2775 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2776 &cp); 2777 } else { 2778 conn->state = BT_CONNECT2; 2779 hci_connect_cfm(conn, 0); 2780 } 2781 } 2782 2783 static u8 hci_to_mgmt_reason(u8 err) 2784 { 2785 switch (err) { 2786 case HCI_ERROR_CONNECTION_TIMEOUT: 2787 return MGMT_DEV_DISCONN_TIMEOUT; 2788 case HCI_ERROR_REMOTE_USER_TERM: 2789 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2790 case HCI_ERROR_REMOTE_POWER_OFF: 2791 return MGMT_DEV_DISCONN_REMOTE; 2792 case HCI_ERROR_LOCAL_HOST_TERM: 2793 return MGMT_DEV_DISCONN_LOCAL_HOST; 2794 default: 2795 return MGMT_DEV_DISCONN_UNKNOWN; 2796 } 2797 } 2798 2799 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2800 { 2801 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2802 u8 reason; 2803 struct hci_conn_params *params; 2804 struct hci_conn *conn; 2805 bool mgmt_connected; 2806 u8 type; 2807 2808 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2809 2810 hci_dev_lock(hdev); 2811 2812 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2813 if (!conn) 2814 goto unlock; 2815 2816 if (ev->status) { 2817 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2818 conn->dst_type, ev->status); 2819 goto unlock; 2820 } 2821 2822 conn->state = BT_CLOSED; 2823 2824 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2825 2826 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 2827 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 2828 else 2829 reason = hci_to_mgmt_reason(ev->reason); 2830 2831 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2832 reason, mgmt_connected); 2833 2834 if (conn->type == ACL_LINK) { 2835 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2836 hci_remove_link_key(hdev, &conn->dst); 2837 2838 hci_req_update_scan(hdev); 2839 } 2840 2841 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2842 if (params) { 2843 switch (params->auto_connect) { 2844 case HCI_AUTO_CONN_LINK_LOSS: 2845 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2846 break; 2847 fallthrough; 2848 2849 case HCI_AUTO_CONN_DIRECT: 2850 case HCI_AUTO_CONN_ALWAYS: 2851 list_del_init(¶ms->action); 2852 list_add(¶ms->action, &hdev->pend_le_conns); 2853 hci_update_background_scan(hdev); 2854 break; 2855 2856 default: 2857 break; 2858 } 2859 } 2860 2861 type = conn->type; 2862 2863 hci_disconn_cfm(conn, ev->reason); 2864 hci_conn_del(conn); 2865 2866 /* The suspend notifier is waiting for all devices to disconnect so 2867 * clear the bit from pending tasks and inform the wait queue. 2868 */ 2869 if (list_empty(&hdev->conn_hash.list) && 2870 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) { 2871 wake_up(&hdev->suspend_wait_q); 2872 } 2873 2874 /* Re-enable advertising if necessary, since it might 2875 * have been disabled by the connection. From the 2876 * HCI_LE_Set_Advertise_Enable command description in 2877 * the core specification (v4.0): 2878 * "The Controller shall continue advertising until the Host 2879 * issues an LE_Set_Advertise_Enable command with 2880 * Advertising_Enable set to 0x00 (Advertising is disabled) 2881 * or until a connection is created or until the Advertising 2882 * is timed out due to Directed Advertising." 2883 */ 2884 if (type == LE_LINK) 2885 hci_req_reenable_advertising(hdev); 2886 2887 unlock: 2888 hci_dev_unlock(hdev); 2889 } 2890 2891 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2892 { 2893 struct hci_ev_auth_complete *ev = (void *) skb->data; 2894 struct hci_conn *conn; 2895 2896 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2897 2898 hci_dev_lock(hdev); 2899 2900 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2901 if (!conn) 2902 goto unlock; 2903 2904 if (!ev->status) { 2905 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2906 2907 if (!hci_conn_ssp_enabled(conn) && 2908 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2909 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 2910 } else { 2911 set_bit(HCI_CONN_AUTH, &conn->flags); 2912 conn->sec_level = conn->pending_sec_level; 2913 } 2914 } else { 2915 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2916 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2917 2918 mgmt_auth_failed(conn, ev->status); 2919 } 2920 2921 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2922 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2923 2924 if (conn->state == BT_CONFIG) { 2925 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2926 struct hci_cp_set_conn_encrypt cp; 2927 cp.handle = ev->handle; 2928 cp.encrypt = 0x01; 2929 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2930 &cp); 2931 } else { 2932 conn->state = BT_CONNECTED; 2933 hci_connect_cfm(conn, ev->status); 2934 hci_conn_drop(conn); 2935 } 2936 } else { 2937 hci_auth_cfm(conn, ev->status); 2938 2939 hci_conn_hold(conn); 2940 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2941 hci_conn_drop(conn); 2942 } 2943 2944 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2945 if (!ev->status) { 2946 struct hci_cp_set_conn_encrypt cp; 2947 cp.handle = ev->handle; 2948 cp.encrypt = 0x01; 2949 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2950 &cp); 2951 } else { 2952 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2953 hci_encrypt_cfm(conn, ev->status); 2954 } 2955 } 2956 2957 unlock: 2958 hci_dev_unlock(hdev); 2959 } 2960 2961 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2962 { 2963 struct hci_ev_remote_name *ev = (void *) skb->data; 2964 struct hci_conn *conn; 2965 2966 BT_DBG("%s", hdev->name); 2967 2968 hci_conn_check_pending(hdev); 2969 2970 hci_dev_lock(hdev); 2971 2972 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2973 2974 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2975 goto check_auth; 2976 2977 if (ev->status == 0) 2978 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2979 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2980 else 2981 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2982 2983 check_auth: 2984 if (!conn) 2985 goto unlock; 2986 2987 if (!hci_outgoing_auth_needed(hdev, conn)) 2988 goto unlock; 2989 2990 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2991 struct hci_cp_auth_requested cp; 2992 2993 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2994 2995 cp.handle = __cpu_to_le16(conn->handle); 2996 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2997 } 2998 2999 unlock: 3000 hci_dev_unlock(hdev); 3001 } 3002 3003 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 3004 u16 opcode, struct sk_buff *skb) 3005 { 3006 const struct hci_rp_read_enc_key_size *rp; 3007 struct hci_conn *conn; 3008 u16 handle; 3009 3010 BT_DBG("%s status 0x%02x", hdev->name, status); 3011 3012 if (!skb || skb->len < sizeof(*rp)) { 3013 bt_dev_err(hdev, "invalid read key size response"); 3014 return; 3015 } 3016 3017 rp = (void *)skb->data; 3018 handle = le16_to_cpu(rp->handle); 3019 3020 hci_dev_lock(hdev); 3021 3022 conn = hci_conn_hash_lookup_handle(hdev, handle); 3023 if (!conn) 3024 goto unlock; 3025 3026 /* While unexpected, the read_enc_key_size command may fail. The most 3027 * secure approach is to then assume the key size is 0 to force a 3028 * disconnection. 3029 */ 3030 if (rp->status) { 3031 bt_dev_err(hdev, "failed to read key size for handle %u", 3032 handle); 3033 conn->enc_key_size = 0; 3034 } else { 3035 conn->enc_key_size = rp->key_size; 3036 } 3037 3038 hci_encrypt_cfm(conn, 0); 3039 3040 unlock: 3041 hci_dev_unlock(hdev); 3042 } 3043 3044 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3045 { 3046 struct hci_ev_encrypt_change *ev = (void *) skb->data; 3047 struct hci_conn *conn; 3048 3049 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3050 3051 hci_dev_lock(hdev); 3052 3053 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3054 if (!conn) 3055 goto unlock; 3056 3057 if (!ev->status) { 3058 if (ev->encrypt) { 3059 /* Encryption implies authentication */ 3060 set_bit(HCI_CONN_AUTH, &conn->flags); 3061 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3062 conn->sec_level = conn->pending_sec_level; 3063 3064 /* P-256 authentication key implies FIPS */ 3065 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3066 set_bit(HCI_CONN_FIPS, &conn->flags); 3067 3068 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3069 conn->type == LE_LINK) 3070 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3071 } else { 3072 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3073 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3074 } 3075 } 3076 3077 /* We should disregard the current RPA and generate a new one 3078 * whenever the encryption procedure fails. 3079 */ 3080 if (ev->status && conn->type == LE_LINK) { 3081 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3082 hci_adv_instances_set_rpa_expired(hdev, true); 3083 } 3084 3085 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3086 3087 /* Check link security requirements are met */ 3088 if (!hci_conn_check_link_mode(conn)) 3089 ev->status = HCI_ERROR_AUTH_FAILURE; 3090 3091 if (ev->status && conn->state == BT_CONNECTED) { 3092 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3093 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3094 3095 /* Notify upper layers so they can cleanup before 3096 * disconnecting. 3097 */ 3098 hci_encrypt_cfm(conn, ev->status); 3099 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3100 hci_conn_drop(conn); 3101 goto unlock; 3102 } 3103 3104 /* Try reading the encryption key size for encrypted ACL links */ 3105 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3106 struct hci_cp_read_enc_key_size cp; 3107 struct hci_request req; 3108 3109 /* Only send HCI_Read_Encryption_Key_Size if the 3110 * controller really supports it. If it doesn't, assume 3111 * the default size (16). 3112 */ 3113 if (!(hdev->commands[20] & 0x10)) { 3114 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3115 goto notify; 3116 } 3117 3118 hci_req_init(&req, hdev); 3119 3120 cp.handle = cpu_to_le16(conn->handle); 3121 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 3122 3123 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 3124 bt_dev_err(hdev, "sending read key size failed"); 3125 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3126 goto notify; 3127 } 3128 3129 goto unlock; 3130 } 3131 3132 /* Set the default Authenticated Payload Timeout after 3133 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3134 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3135 * sent when the link is active and Encryption is enabled, the conn 3136 * type can be either LE or ACL and controller must support LMP Ping. 3137 * Ensure for AES-CCM encryption as well. 3138 */ 3139 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3140 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3141 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3142 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3143 struct hci_cp_write_auth_payload_to cp; 3144 3145 cp.handle = cpu_to_le16(conn->handle); 3146 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3147 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3148 sizeof(cp), &cp); 3149 } 3150 3151 notify: 3152 hci_encrypt_cfm(conn, ev->status); 3153 3154 unlock: 3155 hci_dev_unlock(hdev); 3156 } 3157 3158 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 3159 struct sk_buff *skb) 3160 { 3161 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 3162 struct hci_conn *conn; 3163 3164 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3165 3166 hci_dev_lock(hdev); 3167 3168 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3169 if (conn) { 3170 if (!ev->status) 3171 set_bit(HCI_CONN_SECURE, &conn->flags); 3172 3173 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3174 3175 hci_key_change_cfm(conn, ev->status); 3176 } 3177 3178 hci_dev_unlock(hdev); 3179 } 3180 3181 static void hci_remote_features_evt(struct hci_dev *hdev, 3182 struct sk_buff *skb) 3183 { 3184 struct hci_ev_remote_features *ev = (void *) skb->data; 3185 struct hci_conn *conn; 3186 3187 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3188 3189 hci_dev_lock(hdev); 3190 3191 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3192 if (!conn) 3193 goto unlock; 3194 3195 if (!ev->status) 3196 memcpy(conn->features[0], ev->features, 8); 3197 3198 if (conn->state != BT_CONFIG) 3199 goto unlock; 3200 3201 if (!ev->status && lmp_ext_feat_capable(hdev) && 3202 lmp_ext_feat_capable(conn)) { 3203 struct hci_cp_read_remote_ext_features cp; 3204 cp.handle = ev->handle; 3205 cp.page = 0x01; 3206 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3207 sizeof(cp), &cp); 3208 goto unlock; 3209 } 3210 3211 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3212 struct hci_cp_remote_name_req cp; 3213 memset(&cp, 0, sizeof(cp)); 3214 bacpy(&cp.bdaddr, &conn->dst); 3215 cp.pscan_rep_mode = 0x02; 3216 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3217 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3218 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3219 3220 if (!hci_outgoing_auth_needed(hdev, conn)) { 3221 conn->state = BT_CONNECTED; 3222 hci_connect_cfm(conn, ev->status); 3223 hci_conn_drop(conn); 3224 } 3225 3226 unlock: 3227 hci_dev_unlock(hdev); 3228 } 3229 3230 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 3231 u16 *opcode, u8 *status, 3232 hci_req_complete_t *req_complete, 3233 hci_req_complete_skb_t *req_complete_skb) 3234 { 3235 struct hci_ev_cmd_complete *ev = (void *) skb->data; 3236 3237 *opcode = __le16_to_cpu(ev->opcode); 3238 *status = skb->data[sizeof(*ev)]; 3239 3240 skb_pull(skb, sizeof(*ev)); 3241 3242 switch (*opcode) { 3243 case HCI_OP_INQUIRY_CANCEL: 3244 hci_cc_inquiry_cancel(hdev, skb, status); 3245 break; 3246 3247 case HCI_OP_PERIODIC_INQ: 3248 hci_cc_periodic_inq(hdev, skb); 3249 break; 3250 3251 case HCI_OP_EXIT_PERIODIC_INQ: 3252 hci_cc_exit_periodic_inq(hdev, skb); 3253 break; 3254 3255 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 3256 hci_cc_remote_name_req_cancel(hdev, skb); 3257 break; 3258 3259 case HCI_OP_ROLE_DISCOVERY: 3260 hci_cc_role_discovery(hdev, skb); 3261 break; 3262 3263 case HCI_OP_READ_LINK_POLICY: 3264 hci_cc_read_link_policy(hdev, skb); 3265 break; 3266 3267 case HCI_OP_WRITE_LINK_POLICY: 3268 hci_cc_write_link_policy(hdev, skb); 3269 break; 3270 3271 case HCI_OP_READ_DEF_LINK_POLICY: 3272 hci_cc_read_def_link_policy(hdev, skb); 3273 break; 3274 3275 case HCI_OP_WRITE_DEF_LINK_POLICY: 3276 hci_cc_write_def_link_policy(hdev, skb); 3277 break; 3278 3279 case HCI_OP_RESET: 3280 hci_cc_reset(hdev, skb); 3281 break; 3282 3283 case HCI_OP_READ_STORED_LINK_KEY: 3284 hci_cc_read_stored_link_key(hdev, skb); 3285 break; 3286 3287 case HCI_OP_DELETE_STORED_LINK_KEY: 3288 hci_cc_delete_stored_link_key(hdev, skb); 3289 break; 3290 3291 case HCI_OP_WRITE_LOCAL_NAME: 3292 hci_cc_write_local_name(hdev, skb); 3293 break; 3294 3295 case HCI_OP_READ_LOCAL_NAME: 3296 hci_cc_read_local_name(hdev, skb); 3297 break; 3298 3299 case HCI_OP_WRITE_AUTH_ENABLE: 3300 hci_cc_write_auth_enable(hdev, skb); 3301 break; 3302 3303 case HCI_OP_WRITE_ENCRYPT_MODE: 3304 hci_cc_write_encrypt_mode(hdev, skb); 3305 break; 3306 3307 case HCI_OP_WRITE_SCAN_ENABLE: 3308 hci_cc_write_scan_enable(hdev, skb); 3309 break; 3310 3311 case HCI_OP_READ_CLASS_OF_DEV: 3312 hci_cc_read_class_of_dev(hdev, skb); 3313 break; 3314 3315 case HCI_OP_WRITE_CLASS_OF_DEV: 3316 hci_cc_write_class_of_dev(hdev, skb); 3317 break; 3318 3319 case HCI_OP_READ_VOICE_SETTING: 3320 hci_cc_read_voice_setting(hdev, skb); 3321 break; 3322 3323 case HCI_OP_WRITE_VOICE_SETTING: 3324 hci_cc_write_voice_setting(hdev, skb); 3325 break; 3326 3327 case HCI_OP_READ_NUM_SUPPORTED_IAC: 3328 hci_cc_read_num_supported_iac(hdev, skb); 3329 break; 3330 3331 case HCI_OP_WRITE_SSP_MODE: 3332 hci_cc_write_ssp_mode(hdev, skb); 3333 break; 3334 3335 case HCI_OP_WRITE_SC_SUPPORT: 3336 hci_cc_write_sc_support(hdev, skb); 3337 break; 3338 3339 case HCI_OP_READ_AUTH_PAYLOAD_TO: 3340 hci_cc_read_auth_payload_timeout(hdev, skb); 3341 break; 3342 3343 case HCI_OP_WRITE_AUTH_PAYLOAD_TO: 3344 hci_cc_write_auth_payload_timeout(hdev, skb); 3345 break; 3346 3347 case HCI_OP_READ_LOCAL_VERSION: 3348 hci_cc_read_local_version(hdev, skb); 3349 break; 3350 3351 case HCI_OP_READ_LOCAL_COMMANDS: 3352 hci_cc_read_local_commands(hdev, skb); 3353 break; 3354 3355 case HCI_OP_READ_LOCAL_FEATURES: 3356 hci_cc_read_local_features(hdev, skb); 3357 break; 3358 3359 case HCI_OP_READ_LOCAL_EXT_FEATURES: 3360 hci_cc_read_local_ext_features(hdev, skb); 3361 break; 3362 3363 case HCI_OP_READ_BUFFER_SIZE: 3364 hci_cc_read_buffer_size(hdev, skb); 3365 break; 3366 3367 case HCI_OP_READ_BD_ADDR: 3368 hci_cc_read_bd_addr(hdev, skb); 3369 break; 3370 3371 case HCI_OP_READ_LOCAL_PAIRING_OPTS: 3372 hci_cc_read_local_pairing_opts(hdev, skb); 3373 break; 3374 3375 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 3376 hci_cc_read_page_scan_activity(hdev, skb); 3377 break; 3378 3379 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 3380 hci_cc_write_page_scan_activity(hdev, skb); 3381 break; 3382 3383 case HCI_OP_READ_PAGE_SCAN_TYPE: 3384 hci_cc_read_page_scan_type(hdev, skb); 3385 break; 3386 3387 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 3388 hci_cc_write_page_scan_type(hdev, skb); 3389 break; 3390 3391 case HCI_OP_READ_DATA_BLOCK_SIZE: 3392 hci_cc_read_data_block_size(hdev, skb); 3393 break; 3394 3395 case HCI_OP_READ_FLOW_CONTROL_MODE: 3396 hci_cc_read_flow_control_mode(hdev, skb); 3397 break; 3398 3399 case HCI_OP_READ_LOCAL_AMP_INFO: 3400 hci_cc_read_local_amp_info(hdev, skb); 3401 break; 3402 3403 case HCI_OP_READ_CLOCK: 3404 hci_cc_read_clock(hdev, skb); 3405 break; 3406 3407 case HCI_OP_READ_INQ_RSP_TX_POWER: 3408 hci_cc_read_inq_rsp_tx_power(hdev, skb); 3409 break; 3410 3411 case HCI_OP_READ_DEF_ERR_DATA_REPORTING: 3412 hci_cc_read_def_err_data_reporting(hdev, skb); 3413 break; 3414 3415 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING: 3416 hci_cc_write_def_err_data_reporting(hdev, skb); 3417 break; 3418 3419 case HCI_OP_PIN_CODE_REPLY: 3420 hci_cc_pin_code_reply(hdev, skb); 3421 break; 3422 3423 case HCI_OP_PIN_CODE_NEG_REPLY: 3424 hci_cc_pin_code_neg_reply(hdev, skb); 3425 break; 3426 3427 case HCI_OP_READ_LOCAL_OOB_DATA: 3428 hci_cc_read_local_oob_data(hdev, skb); 3429 break; 3430 3431 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 3432 hci_cc_read_local_oob_ext_data(hdev, skb); 3433 break; 3434 3435 case HCI_OP_LE_READ_BUFFER_SIZE: 3436 hci_cc_le_read_buffer_size(hdev, skb); 3437 break; 3438 3439 case HCI_OP_LE_READ_LOCAL_FEATURES: 3440 hci_cc_le_read_local_features(hdev, skb); 3441 break; 3442 3443 case HCI_OP_LE_READ_ADV_TX_POWER: 3444 hci_cc_le_read_adv_tx_power(hdev, skb); 3445 break; 3446 3447 case HCI_OP_USER_CONFIRM_REPLY: 3448 hci_cc_user_confirm_reply(hdev, skb); 3449 break; 3450 3451 case HCI_OP_USER_CONFIRM_NEG_REPLY: 3452 hci_cc_user_confirm_neg_reply(hdev, skb); 3453 break; 3454 3455 case HCI_OP_USER_PASSKEY_REPLY: 3456 hci_cc_user_passkey_reply(hdev, skb); 3457 break; 3458 3459 case HCI_OP_USER_PASSKEY_NEG_REPLY: 3460 hci_cc_user_passkey_neg_reply(hdev, skb); 3461 break; 3462 3463 case HCI_OP_LE_SET_RANDOM_ADDR: 3464 hci_cc_le_set_random_addr(hdev, skb); 3465 break; 3466 3467 case HCI_OP_LE_SET_ADV_ENABLE: 3468 hci_cc_le_set_adv_enable(hdev, skb); 3469 break; 3470 3471 case HCI_OP_LE_SET_SCAN_PARAM: 3472 hci_cc_le_set_scan_param(hdev, skb); 3473 break; 3474 3475 case HCI_OP_LE_SET_SCAN_ENABLE: 3476 hci_cc_le_set_scan_enable(hdev, skb); 3477 break; 3478 3479 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 3480 hci_cc_le_read_white_list_size(hdev, skb); 3481 break; 3482 3483 case HCI_OP_LE_CLEAR_WHITE_LIST: 3484 hci_cc_le_clear_white_list(hdev, skb); 3485 break; 3486 3487 case HCI_OP_LE_ADD_TO_WHITE_LIST: 3488 hci_cc_le_add_to_white_list(hdev, skb); 3489 break; 3490 3491 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 3492 hci_cc_le_del_from_white_list(hdev, skb); 3493 break; 3494 3495 case HCI_OP_LE_READ_SUPPORTED_STATES: 3496 hci_cc_le_read_supported_states(hdev, skb); 3497 break; 3498 3499 case HCI_OP_LE_READ_DEF_DATA_LEN: 3500 hci_cc_le_read_def_data_len(hdev, skb); 3501 break; 3502 3503 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3504 hci_cc_le_write_def_data_len(hdev, skb); 3505 break; 3506 3507 case HCI_OP_LE_ADD_TO_RESOLV_LIST: 3508 hci_cc_le_add_to_resolv_list(hdev, skb); 3509 break; 3510 3511 case HCI_OP_LE_DEL_FROM_RESOLV_LIST: 3512 hci_cc_le_del_from_resolv_list(hdev, skb); 3513 break; 3514 3515 case HCI_OP_LE_CLEAR_RESOLV_LIST: 3516 hci_cc_le_clear_resolv_list(hdev, skb); 3517 break; 3518 3519 case HCI_OP_LE_READ_RESOLV_LIST_SIZE: 3520 hci_cc_le_read_resolv_list_size(hdev, skb); 3521 break; 3522 3523 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE: 3524 hci_cc_le_set_addr_resolution_enable(hdev, skb); 3525 break; 3526 3527 case HCI_OP_LE_READ_MAX_DATA_LEN: 3528 hci_cc_le_read_max_data_len(hdev, skb); 3529 break; 3530 3531 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3532 hci_cc_write_le_host_supported(hdev, skb); 3533 break; 3534 3535 case HCI_OP_LE_SET_ADV_PARAM: 3536 hci_cc_set_adv_param(hdev, skb); 3537 break; 3538 3539 case HCI_OP_READ_RSSI: 3540 hci_cc_read_rssi(hdev, skb); 3541 break; 3542 3543 case HCI_OP_READ_TX_POWER: 3544 hci_cc_read_tx_power(hdev, skb); 3545 break; 3546 3547 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3548 hci_cc_write_ssp_debug_mode(hdev, skb); 3549 break; 3550 3551 case HCI_OP_LE_SET_EXT_SCAN_PARAMS: 3552 hci_cc_le_set_ext_scan_param(hdev, skb); 3553 break; 3554 3555 case HCI_OP_LE_SET_EXT_SCAN_ENABLE: 3556 hci_cc_le_set_ext_scan_enable(hdev, skb); 3557 break; 3558 3559 case HCI_OP_LE_SET_DEFAULT_PHY: 3560 hci_cc_le_set_default_phy(hdev, skb); 3561 break; 3562 3563 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS: 3564 hci_cc_le_read_num_adv_sets(hdev, skb); 3565 break; 3566 3567 case HCI_OP_LE_SET_EXT_ADV_PARAMS: 3568 hci_cc_set_ext_adv_param(hdev, skb); 3569 break; 3570 3571 case HCI_OP_LE_SET_EXT_ADV_ENABLE: 3572 hci_cc_le_set_ext_adv_enable(hdev, skb); 3573 break; 3574 3575 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR: 3576 hci_cc_le_set_adv_set_random_addr(hdev, skb); 3577 break; 3578 3579 default: 3580 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3581 break; 3582 } 3583 3584 if (*opcode != HCI_OP_NOP) 3585 cancel_delayed_work(&hdev->cmd_timer); 3586 3587 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3588 atomic_set(&hdev->cmd_cnt, 1); 3589 3590 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3591 req_complete_skb); 3592 3593 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3594 bt_dev_err(hdev, 3595 "unexpected event for opcode 0x%4.4x", *opcode); 3596 return; 3597 } 3598 3599 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3600 queue_work(hdev->workqueue, &hdev->cmd_work); 3601 } 3602 3603 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3604 u16 *opcode, u8 *status, 3605 hci_req_complete_t *req_complete, 3606 hci_req_complete_skb_t *req_complete_skb) 3607 { 3608 struct hci_ev_cmd_status *ev = (void *) skb->data; 3609 3610 skb_pull(skb, sizeof(*ev)); 3611 3612 *opcode = __le16_to_cpu(ev->opcode); 3613 *status = ev->status; 3614 3615 switch (*opcode) { 3616 case HCI_OP_INQUIRY: 3617 hci_cs_inquiry(hdev, ev->status); 3618 break; 3619 3620 case HCI_OP_CREATE_CONN: 3621 hci_cs_create_conn(hdev, ev->status); 3622 break; 3623 3624 case HCI_OP_DISCONNECT: 3625 hci_cs_disconnect(hdev, ev->status); 3626 break; 3627 3628 case HCI_OP_ADD_SCO: 3629 hci_cs_add_sco(hdev, ev->status); 3630 break; 3631 3632 case HCI_OP_AUTH_REQUESTED: 3633 hci_cs_auth_requested(hdev, ev->status); 3634 break; 3635 3636 case HCI_OP_SET_CONN_ENCRYPT: 3637 hci_cs_set_conn_encrypt(hdev, ev->status); 3638 break; 3639 3640 case HCI_OP_REMOTE_NAME_REQ: 3641 hci_cs_remote_name_req(hdev, ev->status); 3642 break; 3643 3644 case HCI_OP_READ_REMOTE_FEATURES: 3645 hci_cs_read_remote_features(hdev, ev->status); 3646 break; 3647 3648 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3649 hci_cs_read_remote_ext_features(hdev, ev->status); 3650 break; 3651 3652 case HCI_OP_SETUP_SYNC_CONN: 3653 hci_cs_setup_sync_conn(hdev, ev->status); 3654 break; 3655 3656 case HCI_OP_SNIFF_MODE: 3657 hci_cs_sniff_mode(hdev, ev->status); 3658 break; 3659 3660 case HCI_OP_EXIT_SNIFF_MODE: 3661 hci_cs_exit_sniff_mode(hdev, ev->status); 3662 break; 3663 3664 case HCI_OP_SWITCH_ROLE: 3665 hci_cs_switch_role(hdev, ev->status); 3666 break; 3667 3668 case HCI_OP_LE_CREATE_CONN: 3669 hci_cs_le_create_conn(hdev, ev->status); 3670 break; 3671 3672 case HCI_OP_LE_READ_REMOTE_FEATURES: 3673 hci_cs_le_read_remote_features(hdev, ev->status); 3674 break; 3675 3676 case HCI_OP_LE_START_ENC: 3677 hci_cs_le_start_enc(hdev, ev->status); 3678 break; 3679 3680 case HCI_OP_LE_EXT_CREATE_CONN: 3681 hci_cs_le_ext_create_conn(hdev, ev->status); 3682 break; 3683 3684 default: 3685 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3686 break; 3687 } 3688 3689 if (*opcode != HCI_OP_NOP) 3690 cancel_delayed_work(&hdev->cmd_timer); 3691 3692 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3693 atomic_set(&hdev->cmd_cnt, 1); 3694 3695 /* Indicate request completion if the command failed. Also, if 3696 * we're not waiting for a special event and we get a success 3697 * command status we should try to flag the request as completed 3698 * (since for this kind of commands there will not be a command 3699 * complete event). 3700 */ 3701 if (ev->status || 3702 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3703 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3704 req_complete_skb); 3705 3706 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3707 bt_dev_err(hdev, 3708 "unexpected event for opcode 0x%4.4x", *opcode); 3709 return; 3710 } 3711 3712 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3713 queue_work(hdev->workqueue, &hdev->cmd_work); 3714 } 3715 3716 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3717 { 3718 struct hci_ev_hardware_error *ev = (void *) skb->data; 3719 3720 hdev->hw_error_code = ev->code; 3721 3722 queue_work(hdev->req_workqueue, &hdev->error_reset); 3723 } 3724 3725 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3726 { 3727 struct hci_ev_role_change *ev = (void *) skb->data; 3728 struct hci_conn *conn; 3729 3730 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3731 3732 hci_dev_lock(hdev); 3733 3734 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3735 if (conn) { 3736 if (!ev->status) 3737 conn->role = ev->role; 3738 3739 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3740 3741 hci_role_switch_cfm(conn, ev->status, ev->role); 3742 } 3743 3744 hci_dev_unlock(hdev); 3745 } 3746 3747 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3748 { 3749 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3750 int i; 3751 3752 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3753 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3754 return; 3755 } 3756 3757 if (skb->len < sizeof(*ev) || 3758 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3759 BT_DBG("%s bad parameters", hdev->name); 3760 return; 3761 } 3762 3763 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3764 3765 for (i = 0; i < ev->num_hndl; i++) { 3766 struct hci_comp_pkts_info *info = &ev->handles[i]; 3767 struct hci_conn *conn; 3768 __u16 handle, count; 3769 3770 handle = __le16_to_cpu(info->handle); 3771 count = __le16_to_cpu(info->count); 3772 3773 conn = hci_conn_hash_lookup_handle(hdev, handle); 3774 if (!conn) 3775 continue; 3776 3777 conn->sent -= count; 3778 3779 switch (conn->type) { 3780 case ACL_LINK: 3781 hdev->acl_cnt += count; 3782 if (hdev->acl_cnt > hdev->acl_pkts) 3783 hdev->acl_cnt = hdev->acl_pkts; 3784 break; 3785 3786 case LE_LINK: 3787 if (hdev->le_pkts) { 3788 hdev->le_cnt += count; 3789 if (hdev->le_cnt > hdev->le_pkts) 3790 hdev->le_cnt = hdev->le_pkts; 3791 } else { 3792 hdev->acl_cnt += count; 3793 if (hdev->acl_cnt > hdev->acl_pkts) 3794 hdev->acl_cnt = hdev->acl_pkts; 3795 } 3796 break; 3797 3798 case SCO_LINK: 3799 hdev->sco_cnt += count; 3800 if (hdev->sco_cnt > hdev->sco_pkts) 3801 hdev->sco_cnt = hdev->sco_pkts; 3802 break; 3803 3804 default: 3805 bt_dev_err(hdev, "unknown type %d conn %p", 3806 conn->type, conn); 3807 break; 3808 } 3809 } 3810 3811 queue_work(hdev->workqueue, &hdev->tx_work); 3812 } 3813 3814 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3815 __u16 handle) 3816 { 3817 struct hci_chan *chan; 3818 3819 switch (hdev->dev_type) { 3820 case HCI_PRIMARY: 3821 return hci_conn_hash_lookup_handle(hdev, handle); 3822 case HCI_AMP: 3823 chan = hci_chan_lookup_handle(hdev, handle); 3824 if (chan) 3825 return chan->conn; 3826 break; 3827 default: 3828 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 3829 break; 3830 } 3831 3832 return NULL; 3833 } 3834 3835 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3836 { 3837 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3838 int i; 3839 3840 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3841 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3842 return; 3843 } 3844 3845 if (skb->len < sizeof(*ev) || 3846 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3847 BT_DBG("%s bad parameters", hdev->name); 3848 return; 3849 } 3850 3851 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3852 ev->num_hndl); 3853 3854 for (i = 0; i < ev->num_hndl; i++) { 3855 struct hci_comp_blocks_info *info = &ev->handles[i]; 3856 struct hci_conn *conn = NULL; 3857 __u16 handle, block_count; 3858 3859 handle = __le16_to_cpu(info->handle); 3860 block_count = __le16_to_cpu(info->blocks); 3861 3862 conn = __hci_conn_lookup_handle(hdev, handle); 3863 if (!conn) 3864 continue; 3865 3866 conn->sent -= block_count; 3867 3868 switch (conn->type) { 3869 case ACL_LINK: 3870 case AMP_LINK: 3871 hdev->block_cnt += block_count; 3872 if (hdev->block_cnt > hdev->num_blocks) 3873 hdev->block_cnt = hdev->num_blocks; 3874 break; 3875 3876 default: 3877 bt_dev_err(hdev, "unknown type %d conn %p", 3878 conn->type, conn); 3879 break; 3880 } 3881 } 3882 3883 queue_work(hdev->workqueue, &hdev->tx_work); 3884 } 3885 3886 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3887 { 3888 struct hci_ev_mode_change *ev = (void *) skb->data; 3889 struct hci_conn *conn; 3890 3891 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3892 3893 hci_dev_lock(hdev); 3894 3895 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3896 if (conn) { 3897 conn->mode = ev->mode; 3898 3899 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3900 &conn->flags)) { 3901 if (conn->mode == HCI_CM_ACTIVE) 3902 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3903 else 3904 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3905 } 3906 3907 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3908 hci_sco_setup(conn, ev->status); 3909 } 3910 3911 hci_dev_unlock(hdev); 3912 } 3913 3914 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3915 { 3916 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3917 struct hci_conn *conn; 3918 3919 BT_DBG("%s", hdev->name); 3920 3921 hci_dev_lock(hdev); 3922 3923 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3924 if (!conn) 3925 goto unlock; 3926 3927 if (conn->state == BT_CONNECTED) { 3928 hci_conn_hold(conn); 3929 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3930 hci_conn_drop(conn); 3931 } 3932 3933 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3934 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3935 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3936 sizeof(ev->bdaddr), &ev->bdaddr); 3937 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3938 u8 secure; 3939 3940 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3941 secure = 1; 3942 else 3943 secure = 0; 3944 3945 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3946 } 3947 3948 unlock: 3949 hci_dev_unlock(hdev); 3950 } 3951 3952 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3953 { 3954 if (key_type == HCI_LK_CHANGED_COMBINATION) 3955 return; 3956 3957 conn->pin_length = pin_len; 3958 conn->key_type = key_type; 3959 3960 switch (key_type) { 3961 case HCI_LK_LOCAL_UNIT: 3962 case HCI_LK_REMOTE_UNIT: 3963 case HCI_LK_DEBUG_COMBINATION: 3964 return; 3965 case HCI_LK_COMBINATION: 3966 if (pin_len == 16) 3967 conn->pending_sec_level = BT_SECURITY_HIGH; 3968 else 3969 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3970 break; 3971 case HCI_LK_UNAUTH_COMBINATION_P192: 3972 case HCI_LK_UNAUTH_COMBINATION_P256: 3973 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3974 break; 3975 case HCI_LK_AUTH_COMBINATION_P192: 3976 conn->pending_sec_level = BT_SECURITY_HIGH; 3977 break; 3978 case HCI_LK_AUTH_COMBINATION_P256: 3979 conn->pending_sec_level = BT_SECURITY_FIPS; 3980 break; 3981 } 3982 } 3983 3984 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3985 { 3986 struct hci_ev_link_key_req *ev = (void *) skb->data; 3987 struct hci_cp_link_key_reply cp; 3988 struct hci_conn *conn; 3989 struct link_key *key; 3990 3991 BT_DBG("%s", hdev->name); 3992 3993 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3994 return; 3995 3996 hci_dev_lock(hdev); 3997 3998 key = hci_find_link_key(hdev, &ev->bdaddr); 3999 if (!key) { 4000 BT_DBG("%s link key not found for %pMR", hdev->name, 4001 &ev->bdaddr); 4002 goto not_found; 4003 } 4004 4005 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 4006 &ev->bdaddr); 4007 4008 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4009 if (conn) { 4010 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4011 4012 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4013 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4014 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4015 BT_DBG("%s ignoring unauthenticated key", hdev->name); 4016 goto not_found; 4017 } 4018 4019 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4020 (conn->pending_sec_level == BT_SECURITY_HIGH || 4021 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4022 BT_DBG("%s ignoring key unauthenticated for high security", 4023 hdev->name); 4024 goto not_found; 4025 } 4026 4027 conn_set_key(conn, key->type, key->pin_len); 4028 } 4029 4030 bacpy(&cp.bdaddr, &ev->bdaddr); 4031 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4032 4033 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4034 4035 hci_dev_unlock(hdev); 4036 4037 return; 4038 4039 not_found: 4040 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4041 hci_dev_unlock(hdev); 4042 } 4043 4044 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4045 { 4046 struct hci_ev_link_key_notify *ev = (void *) skb->data; 4047 struct hci_conn *conn; 4048 struct link_key *key; 4049 bool persistent; 4050 u8 pin_len = 0; 4051 4052 BT_DBG("%s", hdev->name); 4053 4054 hci_dev_lock(hdev); 4055 4056 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4057 if (!conn) 4058 goto unlock; 4059 4060 hci_conn_hold(conn); 4061 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4062 hci_conn_drop(conn); 4063 4064 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4065 conn_set_key(conn, ev->key_type, conn->pin_length); 4066 4067 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4068 goto unlock; 4069 4070 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4071 ev->key_type, pin_len, &persistent); 4072 if (!key) 4073 goto unlock; 4074 4075 /* Update connection information since adding the key will have 4076 * fixed up the type in the case of changed combination keys. 4077 */ 4078 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4079 conn_set_key(conn, key->type, key->pin_len); 4080 4081 mgmt_new_link_key(hdev, key, persistent); 4082 4083 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4084 * is set. If it's not set simply remove the key from the kernel 4085 * list (we've still notified user space about it but with 4086 * store_hint being 0). 4087 */ 4088 if (key->type == HCI_LK_DEBUG_COMBINATION && 4089 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4090 list_del_rcu(&key->list); 4091 kfree_rcu(key, rcu); 4092 goto unlock; 4093 } 4094 4095 if (persistent) 4096 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4097 else 4098 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4099 4100 unlock: 4101 hci_dev_unlock(hdev); 4102 } 4103 4104 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 4105 { 4106 struct hci_ev_clock_offset *ev = (void *) skb->data; 4107 struct hci_conn *conn; 4108 4109 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4110 4111 hci_dev_lock(hdev); 4112 4113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4114 if (conn && !ev->status) { 4115 struct inquiry_entry *ie; 4116 4117 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4118 if (ie) { 4119 ie->data.clock_offset = ev->clock_offset; 4120 ie->timestamp = jiffies; 4121 } 4122 } 4123 4124 hci_dev_unlock(hdev); 4125 } 4126 4127 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4128 { 4129 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 4130 struct hci_conn *conn; 4131 4132 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4133 4134 hci_dev_lock(hdev); 4135 4136 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4137 if (conn && !ev->status) 4138 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4139 4140 hci_dev_unlock(hdev); 4141 } 4142 4143 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 4144 { 4145 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 4146 struct inquiry_entry *ie; 4147 4148 BT_DBG("%s", hdev->name); 4149 4150 hci_dev_lock(hdev); 4151 4152 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4153 if (ie) { 4154 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4155 ie->timestamp = jiffies; 4156 } 4157 4158 hci_dev_unlock(hdev); 4159 } 4160 4161 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 4162 struct sk_buff *skb) 4163 { 4164 struct inquiry_data data; 4165 int num_rsp = *((__u8 *) skb->data); 4166 4167 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4168 4169 if (!num_rsp) 4170 return; 4171 4172 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4173 return; 4174 4175 hci_dev_lock(hdev); 4176 4177 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 4178 struct inquiry_info_with_rssi_and_pscan_mode *info; 4179 info = (void *) (skb->data + 1); 4180 4181 if (skb->len < num_rsp * sizeof(*info) + 1) 4182 goto unlock; 4183 4184 for (; num_rsp; num_rsp--, info++) { 4185 u32 flags; 4186 4187 bacpy(&data.bdaddr, &info->bdaddr); 4188 data.pscan_rep_mode = info->pscan_rep_mode; 4189 data.pscan_period_mode = info->pscan_period_mode; 4190 data.pscan_mode = info->pscan_mode; 4191 memcpy(data.dev_class, info->dev_class, 3); 4192 data.clock_offset = info->clock_offset; 4193 data.rssi = info->rssi; 4194 data.ssp_mode = 0x00; 4195 4196 flags = hci_inquiry_cache_update(hdev, &data, false); 4197 4198 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4199 info->dev_class, info->rssi, 4200 flags, NULL, 0, NULL, 0); 4201 } 4202 } else { 4203 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 4204 4205 if (skb->len < num_rsp * sizeof(*info) + 1) 4206 goto unlock; 4207 4208 for (; num_rsp; num_rsp--, info++) { 4209 u32 flags; 4210 4211 bacpy(&data.bdaddr, &info->bdaddr); 4212 data.pscan_rep_mode = info->pscan_rep_mode; 4213 data.pscan_period_mode = info->pscan_period_mode; 4214 data.pscan_mode = 0x00; 4215 memcpy(data.dev_class, info->dev_class, 3); 4216 data.clock_offset = info->clock_offset; 4217 data.rssi = info->rssi; 4218 data.ssp_mode = 0x00; 4219 4220 flags = hci_inquiry_cache_update(hdev, &data, false); 4221 4222 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4223 info->dev_class, info->rssi, 4224 flags, NULL, 0, NULL, 0); 4225 } 4226 } 4227 4228 unlock: 4229 hci_dev_unlock(hdev); 4230 } 4231 4232 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 4233 struct sk_buff *skb) 4234 { 4235 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 4236 struct hci_conn *conn; 4237 4238 BT_DBG("%s", hdev->name); 4239 4240 hci_dev_lock(hdev); 4241 4242 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4243 if (!conn) 4244 goto unlock; 4245 4246 if (ev->page < HCI_MAX_PAGES) 4247 memcpy(conn->features[ev->page], ev->features, 8); 4248 4249 if (!ev->status && ev->page == 0x01) { 4250 struct inquiry_entry *ie; 4251 4252 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4253 if (ie) 4254 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4255 4256 if (ev->features[0] & LMP_HOST_SSP) { 4257 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4258 } else { 4259 /* It is mandatory by the Bluetooth specification that 4260 * Extended Inquiry Results are only used when Secure 4261 * Simple Pairing is enabled, but some devices violate 4262 * this. 4263 * 4264 * To make these devices work, the internal SSP 4265 * enabled flag needs to be cleared if the remote host 4266 * features do not indicate SSP support */ 4267 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4268 } 4269 4270 if (ev->features[0] & LMP_HOST_SC) 4271 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4272 } 4273 4274 if (conn->state != BT_CONFIG) 4275 goto unlock; 4276 4277 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4278 struct hci_cp_remote_name_req cp; 4279 memset(&cp, 0, sizeof(cp)); 4280 bacpy(&cp.bdaddr, &conn->dst); 4281 cp.pscan_rep_mode = 0x02; 4282 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4283 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4284 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4285 4286 if (!hci_outgoing_auth_needed(hdev, conn)) { 4287 conn->state = BT_CONNECTED; 4288 hci_connect_cfm(conn, ev->status); 4289 hci_conn_drop(conn); 4290 } 4291 4292 unlock: 4293 hci_dev_unlock(hdev); 4294 } 4295 4296 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 4297 struct sk_buff *skb) 4298 { 4299 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 4300 struct hci_conn *conn; 4301 4302 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4303 4304 hci_dev_lock(hdev); 4305 4306 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4307 if (!conn) { 4308 if (ev->link_type == ESCO_LINK) 4309 goto unlock; 4310 4311 /* When the link type in the event indicates SCO connection 4312 * and lookup of the connection object fails, then check 4313 * if an eSCO connection object exists. 4314 * 4315 * The core limits the synchronous connections to either 4316 * SCO or eSCO. The eSCO connection is preferred and tried 4317 * to be setup first and until successfully established, 4318 * the link type will be hinted as eSCO. 4319 */ 4320 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4321 if (!conn) 4322 goto unlock; 4323 } 4324 4325 switch (ev->status) { 4326 case 0x00: 4327 conn->handle = __le16_to_cpu(ev->handle); 4328 conn->state = BT_CONNECTED; 4329 conn->type = ev->link_type; 4330 4331 hci_debugfs_create_conn(conn); 4332 hci_conn_add_sysfs(conn); 4333 break; 4334 4335 case 0x10: /* Connection Accept Timeout */ 4336 case 0x0d: /* Connection Rejected due to Limited Resources */ 4337 case 0x11: /* Unsupported Feature or Parameter Value */ 4338 case 0x1c: /* SCO interval rejected */ 4339 case 0x1a: /* Unsupported Remote Feature */ 4340 case 0x1e: /* Invalid LMP Parameters */ 4341 case 0x1f: /* Unspecified error */ 4342 case 0x20: /* Unsupported LMP Parameter value */ 4343 if (conn->out) { 4344 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4345 (hdev->esco_type & EDR_ESCO_MASK); 4346 if (hci_setup_sync(conn, conn->link->handle)) 4347 goto unlock; 4348 } 4349 fallthrough; 4350 4351 default: 4352 conn->state = BT_CLOSED; 4353 break; 4354 } 4355 4356 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 4357 4358 switch (conn->setting & SCO_AIRMODE_MASK) { 4359 case SCO_AIRMODE_CVSD: 4360 if (hdev->notify) 4361 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 4362 break; 4363 case SCO_AIRMODE_TRANSP: 4364 if (hdev->notify) 4365 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 4366 break; 4367 } 4368 4369 hci_connect_cfm(conn, ev->status); 4370 if (ev->status) 4371 hci_conn_del(conn); 4372 4373 unlock: 4374 hci_dev_unlock(hdev); 4375 } 4376 4377 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 4378 { 4379 size_t parsed = 0; 4380 4381 while (parsed < eir_len) { 4382 u8 field_len = eir[0]; 4383 4384 if (field_len == 0) 4385 return parsed; 4386 4387 parsed += field_len + 1; 4388 eir += field_len + 1; 4389 } 4390 4391 return eir_len; 4392 } 4393 4394 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 4395 struct sk_buff *skb) 4396 { 4397 struct inquiry_data data; 4398 struct extended_inquiry_info *info = (void *) (skb->data + 1); 4399 int num_rsp = *((__u8 *) skb->data); 4400 size_t eir_len; 4401 4402 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4403 4404 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1) 4405 return; 4406 4407 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4408 return; 4409 4410 hci_dev_lock(hdev); 4411 4412 for (; num_rsp; num_rsp--, info++) { 4413 u32 flags; 4414 bool name_known; 4415 4416 bacpy(&data.bdaddr, &info->bdaddr); 4417 data.pscan_rep_mode = info->pscan_rep_mode; 4418 data.pscan_period_mode = info->pscan_period_mode; 4419 data.pscan_mode = 0x00; 4420 memcpy(data.dev_class, info->dev_class, 3); 4421 data.clock_offset = info->clock_offset; 4422 data.rssi = info->rssi; 4423 data.ssp_mode = 0x01; 4424 4425 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4426 name_known = eir_get_data(info->data, 4427 sizeof(info->data), 4428 EIR_NAME_COMPLETE, NULL); 4429 else 4430 name_known = true; 4431 4432 flags = hci_inquiry_cache_update(hdev, &data, name_known); 4433 4434 eir_len = eir_get_length(info->data, sizeof(info->data)); 4435 4436 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4437 info->dev_class, info->rssi, 4438 flags, info->data, eir_len, NULL, 0); 4439 } 4440 4441 hci_dev_unlock(hdev); 4442 } 4443 4444 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 4445 struct sk_buff *skb) 4446 { 4447 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 4448 struct hci_conn *conn; 4449 4450 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 4451 __le16_to_cpu(ev->handle)); 4452 4453 hci_dev_lock(hdev); 4454 4455 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4456 if (!conn) 4457 goto unlock; 4458 4459 /* For BR/EDR the necessary steps are taken through the 4460 * auth_complete event. 4461 */ 4462 if (conn->type != LE_LINK) 4463 goto unlock; 4464 4465 if (!ev->status) 4466 conn->sec_level = conn->pending_sec_level; 4467 4468 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 4469 4470 if (ev->status && conn->state == BT_CONNECTED) { 4471 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4472 hci_conn_drop(conn); 4473 goto unlock; 4474 } 4475 4476 if (conn->state == BT_CONFIG) { 4477 if (!ev->status) 4478 conn->state = BT_CONNECTED; 4479 4480 hci_connect_cfm(conn, ev->status); 4481 hci_conn_drop(conn); 4482 } else { 4483 hci_auth_cfm(conn, ev->status); 4484 4485 hci_conn_hold(conn); 4486 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4487 hci_conn_drop(conn); 4488 } 4489 4490 unlock: 4491 hci_dev_unlock(hdev); 4492 } 4493 4494 static u8 hci_get_auth_req(struct hci_conn *conn) 4495 { 4496 /* If remote requests no-bonding follow that lead */ 4497 if (conn->remote_auth == HCI_AT_NO_BONDING || 4498 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 4499 return conn->remote_auth | (conn->auth_type & 0x01); 4500 4501 /* If both remote and local have enough IO capabilities, require 4502 * MITM protection 4503 */ 4504 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 4505 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 4506 return conn->remote_auth | 0x01; 4507 4508 /* No MITM protection possible so ignore remote requirement */ 4509 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 4510 } 4511 4512 static u8 bredr_oob_data_present(struct hci_conn *conn) 4513 { 4514 struct hci_dev *hdev = conn->hdev; 4515 struct oob_data *data; 4516 4517 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 4518 if (!data) 4519 return 0x00; 4520 4521 if (bredr_sc_enabled(hdev)) { 4522 /* When Secure Connections is enabled, then just 4523 * return the present value stored with the OOB 4524 * data. The stored value contains the right present 4525 * information. However it can only be trusted when 4526 * not in Secure Connection Only mode. 4527 */ 4528 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 4529 return data->present; 4530 4531 /* When Secure Connections Only mode is enabled, then 4532 * the P-256 values are required. If they are not 4533 * available, then do not declare that OOB data is 4534 * present. 4535 */ 4536 if (!memcmp(data->rand256, ZERO_KEY, 16) || 4537 !memcmp(data->hash256, ZERO_KEY, 16)) 4538 return 0x00; 4539 4540 return 0x02; 4541 } 4542 4543 /* When Secure Connections is not enabled or actually 4544 * not supported by the hardware, then check that if 4545 * P-192 data values are present. 4546 */ 4547 if (!memcmp(data->rand192, ZERO_KEY, 16) || 4548 !memcmp(data->hash192, ZERO_KEY, 16)) 4549 return 0x00; 4550 4551 return 0x01; 4552 } 4553 4554 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4555 { 4556 struct hci_ev_io_capa_request *ev = (void *) skb->data; 4557 struct hci_conn *conn; 4558 4559 BT_DBG("%s", hdev->name); 4560 4561 hci_dev_lock(hdev); 4562 4563 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4564 if (!conn) 4565 goto unlock; 4566 4567 hci_conn_hold(conn); 4568 4569 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4570 goto unlock; 4571 4572 /* Allow pairing if we're pairable, the initiators of the 4573 * pairing or if the remote is not requesting bonding. 4574 */ 4575 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4576 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4577 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4578 struct hci_cp_io_capability_reply cp; 4579 4580 bacpy(&cp.bdaddr, &ev->bdaddr); 4581 /* Change the IO capability from KeyboardDisplay 4582 * to DisplayYesNo as it is not supported by BT spec. */ 4583 cp.capability = (conn->io_capability == 0x04) ? 4584 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4585 4586 /* If we are initiators, there is no remote information yet */ 4587 if (conn->remote_auth == 0xff) { 4588 /* Request MITM protection if our IO caps allow it 4589 * except for the no-bonding case. 4590 */ 4591 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4592 conn->auth_type != HCI_AT_NO_BONDING) 4593 conn->auth_type |= 0x01; 4594 } else { 4595 conn->auth_type = hci_get_auth_req(conn); 4596 } 4597 4598 /* If we're not bondable, force one of the non-bondable 4599 * authentication requirement values. 4600 */ 4601 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4602 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4603 4604 cp.authentication = conn->auth_type; 4605 cp.oob_data = bredr_oob_data_present(conn); 4606 4607 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4608 sizeof(cp), &cp); 4609 } else { 4610 struct hci_cp_io_capability_neg_reply cp; 4611 4612 bacpy(&cp.bdaddr, &ev->bdaddr); 4613 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4614 4615 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4616 sizeof(cp), &cp); 4617 } 4618 4619 unlock: 4620 hci_dev_unlock(hdev); 4621 } 4622 4623 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4624 { 4625 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4626 struct hci_conn *conn; 4627 4628 BT_DBG("%s", hdev->name); 4629 4630 hci_dev_lock(hdev); 4631 4632 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4633 if (!conn) 4634 goto unlock; 4635 4636 conn->remote_cap = ev->capability; 4637 conn->remote_auth = ev->authentication; 4638 4639 unlock: 4640 hci_dev_unlock(hdev); 4641 } 4642 4643 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4644 struct sk_buff *skb) 4645 { 4646 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4647 int loc_mitm, rem_mitm, confirm_hint = 0; 4648 struct hci_conn *conn; 4649 4650 BT_DBG("%s", hdev->name); 4651 4652 hci_dev_lock(hdev); 4653 4654 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4655 goto unlock; 4656 4657 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4658 if (!conn) 4659 goto unlock; 4660 4661 loc_mitm = (conn->auth_type & 0x01); 4662 rem_mitm = (conn->remote_auth & 0x01); 4663 4664 /* If we require MITM but the remote device can't provide that 4665 * (it has NoInputNoOutput) then reject the confirmation 4666 * request. We check the security level here since it doesn't 4667 * necessarily match conn->auth_type. 4668 */ 4669 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4670 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4671 BT_DBG("Rejecting request: remote device can't provide MITM"); 4672 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4673 sizeof(ev->bdaddr), &ev->bdaddr); 4674 goto unlock; 4675 } 4676 4677 /* If no side requires MITM protection; auto-accept */ 4678 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4679 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4680 4681 /* If we're not the initiators request authorization to 4682 * proceed from user space (mgmt_user_confirm with 4683 * confirm_hint set to 1). The exception is if neither 4684 * side had MITM or if the local IO capability is 4685 * NoInputNoOutput, in which case we do auto-accept 4686 */ 4687 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4688 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4689 (loc_mitm || rem_mitm)) { 4690 BT_DBG("Confirming auto-accept as acceptor"); 4691 confirm_hint = 1; 4692 goto confirm; 4693 } 4694 4695 /* If there already exists link key in local host, leave the 4696 * decision to user space since the remote device could be 4697 * legitimate or malicious. 4698 */ 4699 if (hci_find_link_key(hdev, &ev->bdaddr)) { 4700 bt_dev_dbg(hdev, "Local host already has link key"); 4701 confirm_hint = 1; 4702 goto confirm; 4703 } 4704 4705 BT_DBG("Auto-accept of user confirmation with %ums delay", 4706 hdev->auto_accept_delay); 4707 4708 if (hdev->auto_accept_delay > 0) { 4709 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4710 queue_delayed_work(conn->hdev->workqueue, 4711 &conn->auto_accept_work, delay); 4712 goto unlock; 4713 } 4714 4715 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4716 sizeof(ev->bdaddr), &ev->bdaddr); 4717 goto unlock; 4718 } 4719 4720 confirm: 4721 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4722 le32_to_cpu(ev->passkey), confirm_hint); 4723 4724 unlock: 4725 hci_dev_unlock(hdev); 4726 } 4727 4728 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4729 struct sk_buff *skb) 4730 { 4731 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4732 4733 BT_DBG("%s", hdev->name); 4734 4735 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4736 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4737 } 4738 4739 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4740 struct sk_buff *skb) 4741 { 4742 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4743 struct hci_conn *conn; 4744 4745 BT_DBG("%s", hdev->name); 4746 4747 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4748 if (!conn) 4749 return; 4750 4751 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4752 conn->passkey_entered = 0; 4753 4754 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4755 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4756 conn->dst_type, conn->passkey_notify, 4757 conn->passkey_entered); 4758 } 4759 4760 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4761 { 4762 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4763 struct hci_conn *conn; 4764 4765 BT_DBG("%s", hdev->name); 4766 4767 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4768 if (!conn) 4769 return; 4770 4771 switch (ev->type) { 4772 case HCI_KEYPRESS_STARTED: 4773 conn->passkey_entered = 0; 4774 return; 4775 4776 case HCI_KEYPRESS_ENTERED: 4777 conn->passkey_entered++; 4778 break; 4779 4780 case HCI_KEYPRESS_ERASED: 4781 conn->passkey_entered--; 4782 break; 4783 4784 case HCI_KEYPRESS_CLEARED: 4785 conn->passkey_entered = 0; 4786 break; 4787 4788 case HCI_KEYPRESS_COMPLETED: 4789 return; 4790 } 4791 4792 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4793 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4794 conn->dst_type, conn->passkey_notify, 4795 conn->passkey_entered); 4796 } 4797 4798 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4799 struct sk_buff *skb) 4800 { 4801 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4802 struct hci_conn *conn; 4803 4804 BT_DBG("%s", hdev->name); 4805 4806 hci_dev_lock(hdev); 4807 4808 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4809 if (!conn) 4810 goto unlock; 4811 4812 /* Reset the authentication requirement to unknown */ 4813 conn->remote_auth = 0xff; 4814 4815 /* To avoid duplicate auth_failed events to user space we check 4816 * the HCI_CONN_AUTH_PEND flag which will be set if we 4817 * initiated the authentication. A traditional auth_complete 4818 * event gets always produced as initiator and is also mapped to 4819 * the mgmt_auth_failed event */ 4820 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4821 mgmt_auth_failed(conn, ev->status); 4822 4823 hci_conn_drop(conn); 4824 4825 unlock: 4826 hci_dev_unlock(hdev); 4827 } 4828 4829 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4830 struct sk_buff *skb) 4831 { 4832 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4833 struct inquiry_entry *ie; 4834 struct hci_conn *conn; 4835 4836 BT_DBG("%s", hdev->name); 4837 4838 hci_dev_lock(hdev); 4839 4840 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4841 if (conn) 4842 memcpy(conn->features[1], ev->features, 8); 4843 4844 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4845 if (ie) 4846 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4847 4848 hci_dev_unlock(hdev); 4849 } 4850 4851 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4852 struct sk_buff *skb) 4853 { 4854 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4855 struct oob_data *data; 4856 4857 BT_DBG("%s", hdev->name); 4858 4859 hci_dev_lock(hdev); 4860 4861 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4862 goto unlock; 4863 4864 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4865 if (!data) { 4866 struct hci_cp_remote_oob_data_neg_reply cp; 4867 4868 bacpy(&cp.bdaddr, &ev->bdaddr); 4869 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4870 sizeof(cp), &cp); 4871 goto unlock; 4872 } 4873 4874 if (bredr_sc_enabled(hdev)) { 4875 struct hci_cp_remote_oob_ext_data_reply cp; 4876 4877 bacpy(&cp.bdaddr, &ev->bdaddr); 4878 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4879 memset(cp.hash192, 0, sizeof(cp.hash192)); 4880 memset(cp.rand192, 0, sizeof(cp.rand192)); 4881 } else { 4882 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4883 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4884 } 4885 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4886 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4887 4888 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4889 sizeof(cp), &cp); 4890 } else { 4891 struct hci_cp_remote_oob_data_reply cp; 4892 4893 bacpy(&cp.bdaddr, &ev->bdaddr); 4894 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4895 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4896 4897 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4898 sizeof(cp), &cp); 4899 } 4900 4901 unlock: 4902 hci_dev_unlock(hdev); 4903 } 4904 4905 #if IS_ENABLED(CONFIG_BT_HS) 4906 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4907 { 4908 struct hci_ev_channel_selected *ev = (void *)skb->data; 4909 struct hci_conn *hcon; 4910 4911 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4912 4913 skb_pull(skb, sizeof(*ev)); 4914 4915 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4916 if (!hcon) 4917 return; 4918 4919 amp_read_loc_assoc_final_data(hdev, hcon); 4920 } 4921 4922 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4923 struct sk_buff *skb) 4924 { 4925 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4926 struct hci_conn *hcon, *bredr_hcon; 4927 4928 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4929 ev->status); 4930 4931 hci_dev_lock(hdev); 4932 4933 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4934 if (!hcon) { 4935 hci_dev_unlock(hdev); 4936 return; 4937 } 4938 4939 if (ev->status) { 4940 hci_conn_del(hcon); 4941 hci_dev_unlock(hdev); 4942 return; 4943 } 4944 4945 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4946 4947 hcon->state = BT_CONNECTED; 4948 bacpy(&hcon->dst, &bredr_hcon->dst); 4949 4950 hci_conn_hold(hcon); 4951 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4952 hci_conn_drop(hcon); 4953 4954 hci_debugfs_create_conn(hcon); 4955 hci_conn_add_sysfs(hcon); 4956 4957 amp_physical_cfm(bredr_hcon, hcon); 4958 4959 hci_dev_unlock(hdev); 4960 } 4961 4962 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4963 { 4964 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4965 struct hci_conn *hcon; 4966 struct hci_chan *hchan; 4967 struct amp_mgr *mgr; 4968 4969 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4970 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4971 ev->status); 4972 4973 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4974 if (!hcon) 4975 return; 4976 4977 /* Create AMP hchan */ 4978 hchan = hci_chan_create(hcon); 4979 if (!hchan) 4980 return; 4981 4982 hchan->handle = le16_to_cpu(ev->handle); 4983 4984 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4985 4986 mgr = hcon->amp_mgr; 4987 if (mgr && mgr->bredr_chan) { 4988 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4989 4990 l2cap_chan_lock(bredr_chan); 4991 4992 bredr_chan->conn->mtu = hdev->block_mtu; 4993 l2cap_logical_cfm(bredr_chan, hchan, 0); 4994 hci_conn_hold(hcon); 4995 4996 l2cap_chan_unlock(bredr_chan); 4997 } 4998 } 4999 5000 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 5001 struct sk_buff *skb) 5002 { 5003 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 5004 struct hci_chan *hchan; 5005 5006 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 5007 le16_to_cpu(ev->handle), ev->status); 5008 5009 if (ev->status) 5010 return; 5011 5012 hci_dev_lock(hdev); 5013 5014 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 5015 if (!hchan) 5016 goto unlock; 5017 5018 amp_destroy_logical_link(hchan, ev->reason); 5019 5020 unlock: 5021 hci_dev_unlock(hdev); 5022 } 5023 5024 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 5025 struct sk_buff *skb) 5026 { 5027 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 5028 struct hci_conn *hcon; 5029 5030 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5031 5032 if (ev->status) 5033 return; 5034 5035 hci_dev_lock(hdev); 5036 5037 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5038 if (hcon) { 5039 hcon->state = BT_CLOSED; 5040 hci_conn_del(hcon); 5041 } 5042 5043 hci_dev_unlock(hdev); 5044 } 5045 #endif 5046 5047 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5048 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle, 5049 u16 interval, u16 latency, u16 supervision_timeout) 5050 { 5051 struct hci_conn_params *params; 5052 struct hci_conn *conn; 5053 struct smp_irk *irk; 5054 u8 addr_type; 5055 5056 hci_dev_lock(hdev); 5057 5058 /* All controllers implicitly stop advertising in the event of a 5059 * connection, so ensure that the state bit is cleared. 5060 */ 5061 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5062 5063 conn = hci_lookup_le_connect(hdev); 5064 if (!conn) { 5065 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5066 if (!conn) { 5067 bt_dev_err(hdev, "no memory for new connection"); 5068 goto unlock; 5069 } 5070 5071 conn->dst_type = bdaddr_type; 5072 5073 /* If we didn't have a hci_conn object previously 5074 * but we're in master role this must be something 5075 * initiated using a white list. Since white list based 5076 * connections are not "first class citizens" we don't 5077 * have full tracking of them. Therefore, we go ahead 5078 * with a "best effort" approach of determining the 5079 * initiator address based on the HCI_PRIVACY flag. 5080 */ 5081 if (conn->out) { 5082 conn->resp_addr_type = bdaddr_type; 5083 bacpy(&conn->resp_addr, bdaddr); 5084 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5085 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5086 bacpy(&conn->init_addr, &hdev->rpa); 5087 } else { 5088 hci_copy_identity_address(hdev, 5089 &conn->init_addr, 5090 &conn->init_addr_type); 5091 } 5092 } 5093 } else { 5094 cancel_delayed_work(&conn->le_conn_timeout); 5095 } 5096 5097 if (!conn->out) { 5098 /* Set the responder (our side) address type based on 5099 * the advertising address type. 5100 */ 5101 conn->resp_addr_type = hdev->adv_addr_type; 5102 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5103 /* In case of ext adv, resp_addr will be updated in 5104 * Adv Terminated event. 5105 */ 5106 if (!ext_adv_capable(hdev)) 5107 bacpy(&conn->resp_addr, &hdev->random_addr); 5108 } else { 5109 bacpy(&conn->resp_addr, &hdev->bdaddr); 5110 } 5111 5112 conn->init_addr_type = bdaddr_type; 5113 bacpy(&conn->init_addr, bdaddr); 5114 5115 /* For incoming connections, set the default minimum 5116 * and maximum connection interval. They will be used 5117 * to check if the parameters are in range and if not 5118 * trigger the connection update procedure. 5119 */ 5120 conn->le_conn_min_interval = hdev->le_conn_min_interval; 5121 conn->le_conn_max_interval = hdev->le_conn_max_interval; 5122 } 5123 5124 /* Lookup the identity address from the stored connection 5125 * address and address type. 5126 * 5127 * When establishing connections to an identity address, the 5128 * connection procedure will store the resolvable random 5129 * address first. Now if it can be converted back into the 5130 * identity address, start using the identity address from 5131 * now on. 5132 */ 5133 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5134 if (irk) { 5135 bacpy(&conn->dst, &irk->bdaddr); 5136 conn->dst_type = irk->addr_type; 5137 } 5138 5139 if (status) { 5140 hci_le_conn_failed(conn, status); 5141 goto unlock; 5142 } 5143 5144 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5145 addr_type = BDADDR_LE_PUBLIC; 5146 else 5147 addr_type = BDADDR_LE_RANDOM; 5148 5149 /* Drop the connection if the device is blocked */ 5150 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 5151 hci_conn_drop(conn); 5152 goto unlock; 5153 } 5154 5155 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5156 mgmt_device_connected(hdev, conn, 0, NULL, 0); 5157 5158 conn->sec_level = BT_SECURITY_LOW; 5159 conn->handle = handle; 5160 conn->state = BT_CONFIG; 5161 5162 conn->le_conn_interval = interval; 5163 conn->le_conn_latency = latency; 5164 conn->le_supv_timeout = supervision_timeout; 5165 5166 hci_debugfs_create_conn(conn); 5167 hci_conn_add_sysfs(conn); 5168 5169 /* The remote features procedure is defined for master 5170 * role only. So only in case of an initiated connection 5171 * request the remote features. 5172 * 5173 * If the local controller supports slave-initiated features 5174 * exchange, then requesting the remote features in slave 5175 * role is possible. Otherwise just transition into the 5176 * connected state without requesting the remote features. 5177 */ 5178 if (conn->out || 5179 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 5180 struct hci_cp_le_read_remote_features cp; 5181 5182 cp.handle = __cpu_to_le16(conn->handle); 5183 5184 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5185 sizeof(cp), &cp); 5186 5187 hci_conn_hold(conn); 5188 } else { 5189 conn->state = BT_CONNECTED; 5190 hci_connect_cfm(conn, status); 5191 } 5192 5193 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5194 conn->dst_type); 5195 if (params) { 5196 list_del_init(¶ms->action); 5197 if (params->conn) { 5198 hci_conn_drop(params->conn); 5199 hci_conn_put(params->conn); 5200 params->conn = NULL; 5201 } 5202 } 5203 5204 unlock: 5205 hci_update_background_scan(hdev); 5206 hci_dev_unlock(hdev); 5207 } 5208 5209 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 5210 { 5211 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 5212 5213 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5214 5215 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5216 ev->role, le16_to_cpu(ev->handle), 5217 le16_to_cpu(ev->interval), 5218 le16_to_cpu(ev->latency), 5219 le16_to_cpu(ev->supervision_timeout)); 5220 } 5221 5222 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, 5223 struct sk_buff *skb) 5224 { 5225 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data; 5226 5227 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5228 5229 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5230 ev->role, le16_to_cpu(ev->handle), 5231 le16_to_cpu(ev->interval), 5232 le16_to_cpu(ev->latency), 5233 le16_to_cpu(ev->supervision_timeout)); 5234 5235 if (use_ll_privacy(hdev) && 5236 hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) && 5237 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) 5238 hci_req_disable_address_resolution(hdev); 5239 } 5240 5241 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) 5242 { 5243 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data; 5244 struct hci_conn *conn; 5245 5246 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5247 5248 if (ev->status) 5249 return; 5250 5251 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5252 if (conn) { 5253 struct adv_info *adv_instance; 5254 5255 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM) 5256 return; 5257 5258 if (!hdev->cur_adv_instance) { 5259 bacpy(&conn->resp_addr, &hdev->random_addr); 5260 return; 5261 } 5262 5263 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance); 5264 if (adv_instance) 5265 bacpy(&conn->resp_addr, &adv_instance->random_addr); 5266 } 5267 } 5268 5269 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 5270 struct sk_buff *skb) 5271 { 5272 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 5273 struct hci_conn *conn; 5274 5275 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5276 5277 if (ev->status) 5278 return; 5279 5280 hci_dev_lock(hdev); 5281 5282 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5283 if (conn) { 5284 conn->le_conn_interval = le16_to_cpu(ev->interval); 5285 conn->le_conn_latency = le16_to_cpu(ev->latency); 5286 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5287 } 5288 5289 hci_dev_unlock(hdev); 5290 } 5291 5292 /* This function requires the caller holds hdev->lock */ 5293 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5294 bdaddr_t *addr, 5295 u8 addr_type, u8 adv_type, 5296 bdaddr_t *direct_rpa) 5297 { 5298 struct hci_conn *conn; 5299 struct hci_conn_params *params; 5300 5301 /* If the event is not connectable don't proceed further */ 5302 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5303 return NULL; 5304 5305 /* Ignore if the device is blocked */ 5306 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 5307 return NULL; 5308 5309 /* Most controller will fail if we try to create new connections 5310 * while we have an existing one in slave role. 5311 */ 5312 if (hdev->conn_hash.le_num_slave > 0 && 5313 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 5314 !(hdev->le_states[3] & 0x10))) 5315 return NULL; 5316 5317 /* If we're not connectable only connect devices that we have in 5318 * our pend_le_conns list. 5319 */ 5320 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5321 addr_type); 5322 if (!params) 5323 return NULL; 5324 5325 if (!params->explicit_connect) { 5326 switch (params->auto_connect) { 5327 case HCI_AUTO_CONN_DIRECT: 5328 /* Only devices advertising with ADV_DIRECT_IND are 5329 * triggering a connection attempt. This is allowing 5330 * incoming connections from slave devices. 5331 */ 5332 if (adv_type != LE_ADV_DIRECT_IND) 5333 return NULL; 5334 break; 5335 case HCI_AUTO_CONN_ALWAYS: 5336 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5337 * are triggering a connection attempt. This means 5338 * that incoming connections from slave device are 5339 * accepted and also outgoing connections to slave 5340 * devices are established when found. 5341 */ 5342 break; 5343 default: 5344 return NULL; 5345 } 5346 } 5347 5348 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 5349 hdev->def_le_autoconnect_timeout, HCI_ROLE_MASTER, 5350 direct_rpa); 5351 if (!IS_ERR(conn)) { 5352 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5353 * by higher layer that tried to connect, if no then 5354 * store the pointer since we don't really have any 5355 * other owner of the object besides the params that 5356 * triggered it. This way we can abort the connection if 5357 * the parameters get removed and keep the reference 5358 * count consistent once the connection is established. 5359 */ 5360 5361 if (!params->explicit_connect) 5362 params->conn = hci_conn_get(conn); 5363 5364 return conn; 5365 } 5366 5367 switch (PTR_ERR(conn)) { 5368 case -EBUSY: 5369 /* If hci_connect() returns -EBUSY it means there is already 5370 * an LE connection attempt going on. Since controllers don't 5371 * support more than one connection attempt at the time, we 5372 * don't consider this an error case. 5373 */ 5374 break; 5375 default: 5376 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5377 return NULL; 5378 } 5379 5380 return NULL; 5381 } 5382 5383 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 5384 u8 bdaddr_type, bdaddr_t *direct_addr, 5385 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 5386 bool ext_adv) 5387 { 5388 struct discovery_state *d = &hdev->discovery; 5389 struct smp_irk *irk; 5390 struct hci_conn *conn; 5391 bool match; 5392 u32 flags; 5393 u8 *ptr, real_len; 5394 5395 switch (type) { 5396 case LE_ADV_IND: 5397 case LE_ADV_DIRECT_IND: 5398 case LE_ADV_SCAN_IND: 5399 case LE_ADV_NONCONN_IND: 5400 case LE_ADV_SCAN_RSP: 5401 break; 5402 default: 5403 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 5404 "type: 0x%02x", type); 5405 return; 5406 } 5407 5408 if (!ext_adv && len > HCI_MAX_AD_LENGTH) { 5409 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes"); 5410 return; 5411 } 5412 5413 /* Find the end of the data in case the report contains padded zero 5414 * bytes at the end causing an invalid length value. 5415 * 5416 * When data is NULL, len is 0 so there is no need for extra ptr 5417 * check as 'ptr < data + 0' is already false in such case. 5418 */ 5419 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 5420 if (ptr + 1 + *ptr > data + len) 5421 break; 5422 } 5423 5424 real_len = ptr - data; 5425 5426 /* Adjust for actual length */ 5427 if (len != real_len) { 5428 bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u", 5429 len, real_len); 5430 len = real_len; 5431 } 5432 5433 /* If the direct address is present, then this report is from 5434 * a LE Direct Advertising Report event. In that case it is 5435 * important to see if the address is matching the local 5436 * controller address. 5437 */ 5438 if (direct_addr) { 5439 /* Only resolvable random addresses are valid for these 5440 * kind of reports and others can be ignored. 5441 */ 5442 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 5443 return; 5444 5445 /* If the controller is not using resolvable random 5446 * addresses, then this report can be ignored. 5447 */ 5448 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 5449 return; 5450 5451 /* If the local IRK of the controller does not match 5452 * with the resolvable random address provided, then 5453 * this report can be ignored. 5454 */ 5455 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 5456 return; 5457 } 5458 5459 /* Check if we need to convert to identity address */ 5460 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 5461 if (irk) { 5462 bdaddr = &irk->bdaddr; 5463 bdaddr_type = irk->addr_type; 5464 } 5465 5466 /* Check if we have been requested to connect to this device. 5467 * 5468 * direct_addr is set only for directed advertising reports (it is NULL 5469 * for advertising reports) and is already verified to be RPA above. 5470 */ 5471 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, 5472 direct_addr); 5473 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) { 5474 /* Store report for later inclusion by 5475 * mgmt_device_connected 5476 */ 5477 memcpy(conn->le_adv_data, data, len); 5478 conn->le_adv_data_len = len; 5479 } 5480 5481 /* Passive scanning shouldn't trigger any device found events, 5482 * except for devices marked as CONN_REPORT for which we do send 5483 * device found events, or advertisement monitoring requested. 5484 */ 5485 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 5486 if (type == LE_ADV_DIRECT_IND) 5487 return; 5488 5489 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 5490 bdaddr, bdaddr_type) && 5491 idr_is_empty(&hdev->adv_monitors_idr)) 5492 return; 5493 5494 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 5495 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5496 else 5497 flags = 0; 5498 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5499 rssi, flags, data, len, NULL, 0); 5500 return; 5501 } 5502 5503 /* When receiving non-connectable or scannable undirected 5504 * advertising reports, this means that the remote device is 5505 * not connectable and then clearly indicate this in the 5506 * device found event. 5507 * 5508 * When receiving a scan response, then there is no way to 5509 * know if the remote device is connectable or not. However 5510 * since scan responses are merged with a previously seen 5511 * advertising report, the flags field from that report 5512 * will be used. 5513 * 5514 * In the really unlikely case that a controller get confused 5515 * and just sends a scan response event, then it is marked as 5516 * not connectable as well. 5517 */ 5518 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 5519 type == LE_ADV_SCAN_RSP) 5520 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5521 else 5522 flags = 0; 5523 5524 /* If there's nothing pending either store the data from this 5525 * event or send an immediate device found event if the data 5526 * should not be stored for later. 5527 */ 5528 if (!ext_adv && !has_pending_adv_report(hdev)) { 5529 /* If the report will trigger a SCAN_REQ store it for 5530 * later merging. 5531 */ 5532 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5533 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5534 rssi, flags, data, len); 5535 return; 5536 } 5537 5538 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5539 rssi, flags, data, len, NULL, 0); 5540 return; 5541 } 5542 5543 /* Check if the pending report is for the same device as the new one */ 5544 match = (!bacmp(bdaddr, &d->last_adv_addr) && 5545 bdaddr_type == d->last_adv_addr_type); 5546 5547 /* If the pending data doesn't match this report or this isn't a 5548 * scan response (e.g. we got a duplicate ADV_IND) then force 5549 * sending of the pending data. 5550 */ 5551 if (type != LE_ADV_SCAN_RSP || !match) { 5552 /* Send out whatever is in the cache, but skip duplicates */ 5553 if (!match) 5554 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5555 d->last_adv_addr_type, NULL, 5556 d->last_adv_rssi, d->last_adv_flags, 5557 d->last_adv_data, 5558 d->last_adv_data_len, NULL, 0); 5559 5560 /* If the new report will trigger a SCAN_REQ store it for 5561 * later merging. 5562 */ 5563 if (!ext_adv && (type == LE_ADV_IND || 5564 type == LE_ADV_SCAN_IND)) { 5565 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5566 rssi, flags, data, len); 5567 return; 5568 } 5569 5570 /* The advertising reports cannot be merged, so clear 5571 * the pending report and send out a device found event. 5572 */ 5573 clear_pending_adv_report(hdev); 5574 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5575 rssi, flags, data, len, NULL, 0); 5576 return; 5577 } 5578 5579 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 5580 * the new event is a SCAN_RSP. We can therefore proceed with 5581 * sending a merged device found event. 5582 */ 5583 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5584 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 5585 d->last_adv_data, d->last_adv_data_len, data, len); 5586 clear_pending_adv_report(hdev); 5587 } 5588 5589 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5590 { 5591 u8 num_reports = skb->data[0]; 5592 void *ptr = &skb->data[1]; 5593 5594 hci_dev_lock(hdev); 5595 5596 while (num_reports--) { 5597 struct hci_ev_le_advertising_info *ev = ptr; 5598 s8 rssi; 5599 5600 if (ev->length <= HCI_MAX_AD_LENGTH) { 5601 rssi = ev->data[ev->length]; 5602 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5603 ev->bdaddr_type, NULL, 0, rssi, 5604 ev->data, ev->length, false); 5605 } else { 5606 bt_dev_err(hdev, "Dropping invalid advertising data"); 5607 } 5608 5609 ptr += sizeof(*ev) + ev->length + 1; 5610 } 5611 5612 hci_dev_unlock(hdev); 5613 } 5614 5615 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 5616 { 5617 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 5618 switch (evt_type) { 5619 case LE_LEGACY_ADV_IND: 5620 return LE_ADV_IND; 5621 case LE_LEGACY_ADV_DIRECT_IND: 5622 return LE_ADV_DIRECT_IND; 5623 case LE_LEGACY_ADV_SCAN_IND: 5624 return LE_ADV_SCAN_IND; 5625 case LE_LEGACY_NONCONN_IND: 5626 return LE_ADV_NONCONN_IND; 5627 case LE_LEGACY_SCAN_RSP_ADV: 5628 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 5629 return LE_ADV_SCAN_RSP; 5630 } 5631 5632 goto invalid; 5633 } 5634 5635 if (evt_type & LE_EXT_ADV_CONN_IND) { 5636 if (evt_type & LE_EXT_ADV_DIRECT_IND) 5637 return LE_ADV_DIRECT_IND; 5638 5639 return LE_ADV_IND; 5640 } 5641 5642 if (evt_type & LE_EXT_ADV_SCAN_RSP) 5643 return LE_ADV_SCAN_RSP; 5644 5645 if (evt_type & LE_EXT_ADV_SCAN_IND) 5646 return LE_ADV_SCAN_IND; 5647 5648 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 5649 evt_type & LE_EXT_ADV_DIRECT_IND) 5650 return LE_ADV_NONCONN_IND; 5651 5652 invalid: 5653 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 5654 evt_type); 5655 5656 return LE_ADV_INVALID; 5657 } 5658 5659 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5660 { 5661 u8 num_reports = skb->data[0]; 5662 void *ptr = &skb->data[1]; 5663 5664 hci_dev_lock(hdev); 5665 5666 while (num_reports--) { 5667 struct hci_ev_le_ext_adv_report *ev = ptr; 5668 u8 legacy_evt_type; 5669 u16 evt_type; 5670 5671 evt_type = __le16_to_cpu(ev->evt_type); 5672 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 5673 if (legacy_evt_type != LE_ADV_INVALID) { 5674 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, 5675 ev->bdaddr_type, NULL, 0, ev->rssi, 5676 ev->data, ev->length, 5677 !(evt_type & LE_EXT_ADV_LEGACY_PDU)); 5678 } 5679 5680 ptr += sizeof(*ev) + ev->length; 5681 } 5682 5683 hci_dev_unlock(hdev); 5684 } 5685 5686 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 5687 struct sk_buff *skb) 5688 { 5689 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 5690 struct hci_conn *conn; 5691 5692 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5693 5694 hci_dev_lock(hdev); 5695 5696 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5697 if (conn) { 5698 if (!ev->status) 5699 memcpy(conn->features[0], ev->features, 8); 5700 5701 if (conn->state == BT_CONFIG) { 5702 __u8 status; 5703 5704 /* If the local controller supports slave-initiated 5705 * features exchange, but the remote controller does 5706 * not, then it is possible that the error code 0x1a 5707 * for unsupported remote feature gets returned. 5708 * 5709 * In this specific case, allow the connection to 5710 * transition into connected state and mark it as 5711 * successful. 5712 */ 5713 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 5714 !conn->out && ev->status == 0x1a) 5715 status = 0x00; 5716 else 5717 status = ev->status; 5718 5719 conn->state = BT_CONNECTED; 5720 hci_connect_cfm(conn, status); 5721 hci_conn_drop(conn); 5722 } 5723 } 5724 5725 hci_dev_unlock(hdev); 5726 } 5727 5728 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 5729 { 5730 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 5731 struct hci_cp_le_ltk_reply cp; 5732 struct hci_cp_le_ltk_neg_reply neg; 5733 struct hci_conn *conn; 5734 struct smp_ltk *ltk; 5735 5736 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 5737 5738 hci_dev_lock(hdev); 5739 5740 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5741 if (conn == NULL) 5742 goto not_found; 5743 5744 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 5745 if (!ltk) 5746 goto not_found; 5747 5748 if (smp_ltk_is_sc(ltk)) { 5749 /* With SC both EDiv and Rand are set to zero */ 5750 if (ev->ediv || ev->rand) 5751 goto not_found; 5752 } else { 5753 /* For non-SC keys check that EDiv and Rand match */ 5754 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 5755 goto not_found; 5756 } 5757 5758 memcpy(cp.ltk, ltk->val, ltk->enc_size); 5759 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 5760 cp.handle = cpu_to_le16(conn->handle); 5761 5762 conn->pending_sec_level = smp_ltk_sec_level(ltk); 5763 5764 conn->enc_key_size = ltk->enc_size; 5765 5766 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 5767 5768 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 5769 * temporary key used to encrypt a connection following 5770 * pairing. It is used during the Encrypted Session Setup to 5771 * distribute the keys. Later, security can be re-established 5772 * using a distributed LTK. 5773 */ 5774 if (ltk->type == SMP_STK) { 5775 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5776 list_del_rcu(<k->list); 5777 kfree_rcu(ltk, rcu); 5778 } else { 5779 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5780 } 5781 5782 hci_dev_unlock(hdev); 5783 5784 return; 5785 5786 not_found: 5787 neg.handle = ev->handle; 5788 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5789 hci_dev_unlock(hdev); 5790 } 5791 5792 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5793 u8 reason) 5794 { 5795 struct hci_cp_le_conn_param_req_neg_reply cp; 5796 5797 cp.handle = cpu_to_le16(handle); 5798 cp.reason = reason; 5799 5800 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5801 &cp); 5802 } 5803 5804 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5805 struct sk_buff *skb) 5806 { 5807 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5808 struct hci_cp_le_conn_param_req_reply cp; 5809 struct hci_conn *hcon; 5810 u16 handle, min, max, latency, timeout; 5811 5812 handle = le16_to_cpu(ev->handle); 5813 min = le16_to_cpu(ev->interval_min); 5814 max = le16_to_cpu(ev->interval_max); 5815 latency = le16_to_cpu(ev->latency); 5816 timeout = le16_to_cpu(ev->timeout); 5817 5818 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5819 if (!hcon || hcon->state != BT_CONNECTED) 5820 return send_conn_param_neg_reply(hdev, handle, 5821 HCI_ERROR_UNKNOWN_CONN_ID); 5822 5823 if (hci_check_conn_params(min, max, latency, timeout)) 5824 return send_conn_param_neg_reply(hdev, handle, 5825 HCI_ERROR_INVALID_LL_PARAMS); 5826 5827 if (hcon->role == HCI_ROLE_MASTER) { 5828 struct hci_conn_params *params; 5829 u8 store_hint; 5830 5831 hci_dev_lock(hdev); 5832 5833 params = hci_conn_params_lookup(hdev, &hcon->dst, 5834 hcon->dst_type); 5835 if (params) { 5836 params->conn_min_interval = min; 5837 params->conn_max_interval = max; 5838 params->conn_latency = latency; 5839 params->supervision_timeout = timeout; 5840 store_hint = 0x01; 5841 } else{ 5842 store_hint = 0x00; 5843 } 5844 5845 hci_dev_unlock(hdev); 5846 5847 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5848 store_hint, min, max, latency, timeout); 5849 } 5850 5851 cp.handle = ev->handle; 5852 cp.interval_min = ev->interval_min; 5853 cp.interval_max = ev->interval_max; 5854 cp.latency = ev->latency; 5855 cp.timeout = ev->timeout; 5856 cp.min_ce_len = 0; 5857 cp.max_ce_len = 0; 5858 5859 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5860 } 5861 5862 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5863 struct sk_buff *skb) 5864 { 5865 u8 num_reports = skb->data[0]; 5866 void *ptr = &skb->data[1]; 5867 5868 hci_dev_lock(hdev); 5869 5870 while (num_reports--) { 5871 struct hci_ev_le_direct_adv_info *ev = ptr; 5872 5873 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5874 ev->bdaddr_type, &ev->direct_addr, 5875 ev->direct_addr_type, ev->rssi, NULL, 0, 5876 false); 5877 5878 ptr += sizeof(*ev); 5879 } 5880 5881 hci_dev_unlock(hdev); 5882 } 5883 5884 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb) 5885 { 5886 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data; 5887 struct hci_conn *conn; 5888 5889 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5890 5891 if (!ev->status) 5892 return; 5893 5894 hci_dev_lock(hdev); 5895 5896 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5897 if (!conn) 5898 goto unlock; 5899 5900 conn->le_tx_phy = ev->tx_phy; 5901 conn->le_rx_phy = ev->rx_phy; 5902 5903 unlock: 5904 hci_dev_unlock(hdev); 5905 } 5906 5907 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5908 { 5909 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5910 5911 skb_pull(skb, sizeof(*le_ev)); 5912 5913 switch (le_ev->subevent) { 5914 case HCI_EV_LE_CONN_COMPLETE: 5915 hci_le_conn_complete_evt(hdev, skb); 5916 break; 5917 5918 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5919 hci_le_conn_update_complete_evt(hdev, skb); 5920 break; 5921 5922 case HCI_EV_LE_ADVERTISING_REPORT: 5923 hci_le_adv_report_evt(hdev, skb); 5924 break; 5925 5926 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5927 hci_le_remote_feat_complete_evt(hdev, skb); 5928 break; 5929 5930 case HCI_EV_LE_LTK_REQ: 5931 hci_le_ltk_request_evt(hdev, skb); 5932 break; 5933 5934 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5935 hci_le_remote_conn_param_req_evt(hdev, skb); 5936 break; 5937 5938 case HCI_EV_LE_DIRECT_ADV_REPORT: 5939 hci_le_direct_adv_report_evt(hdev, skb); 5940 break; 5941 5942 case HCI_EV_LE_PHY_UPDATE_COMPLETE: 5943 hci_le_phy_update_evt(hdev, skb); 5944 break; 5945 5946 case HCI_EV_LE_EXT_ADV_REPORT: 5947 hci_le_ext_adv_report_evt(hdev, skb); 5948 break; 5949 5950 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 5951 hci_le_enh_conn_complete_evt(hdev, skb); 5952 break; 5953 5954 case HCI_EV_LE_EXT_ADV_SET_TERM: 5955 hci_le_ext_adv_term_evt(hdev, skb); 5956 break; 5957 5958 default: 5959 break; 5960 } 5961 } 5962 5963 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5964 u8 event, struct sk_buff *skb) 5965 { 5966 struct hci_ev_cmd_complete *ev; 5967 struct hci_event_hdr *hdr; 5968 5969 if (!skb) 5970 return false; 5971 5972 if (skb->len < sizeof(*hdr)) { 5973 bt_dev_err(hdev, "too short HCI event"); 5974 return false; 5975 } 5976 5977 hdr = (void *) skb->data; 5978 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5979 5980 if (event) { 5981 if (hdr->evt != event) 5982 return false; 5983 return true; 5984 } 5985 5986 /* Check if request ended in Command Status - no way to retreive 5987 * any extra parameters in this case. 5988 */ 5989 if (hdr->evt == HCI_EV_CMD_STATUS) 5990 return false; 5991 5992 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5993 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 5994 hdr->evt); 5995 return false; 5996 } 5997 5998 if (skb->len < sizeof(*ev)) { 5999 bt_dev_err(hdev, "too short cmd_complete event"); 6000 return false; 6001 } 6002 6003 ev = (void *) skb->data; 6004 skb_pull(skb, sizeof(*ev)); 6005 6006 if (opcode != __le16_to_cpu(ev->opcode)) { 6007 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 6008 __le16_to_cpu(ev->opcode)); 6009 return false; 6010 } 6011 6012 return true; 6013 } 6014 6015 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 6016 { 6017 struct hci_event_hdr *hdr = (void *) skb->data; 6018 hci_req_complete_t req_complete = NULL; 6019 hci_req_complete_skb_t req_complete_skb = NULL; 6020 struct sk_buff *orig_skb = NULL; 6021 u8 status = 0, event = hdr->evt, req_evt = 0; 6022 u16 opcode = HCI_OP_NOP; 6023 6024 if (!event) { 6025 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); 6026 goto done; 6027 } 6028 6029 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 6030 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 6031 opcode = __le16_to_cpu(cmd_hdr->opcode); 6032 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 6033 &req_complete_skb); 6034 req_evt = event; 6035 } 6036 6037 /* If it looks like we might end up having to call 6038 * req_complete_skb, store a pristine copy of the skb since the 6039 * various handlers may modify the original one through 6040 * skb_pull() calls, etc. 6041 */ 6042 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 6043 event == HCI_EV_CMD_COMPLETE) 6044 orig_skb = skb_clone(skb, GFP_KERNEL); 6045 6046 skb_pull(skb, HCI_EVENT_HDR_SIZE); 6047 6048 switch (event) { 6049 case HCI_EV_INQUIRY_COMPLETE: 6050 hci_inquiry_complete_evt(hdev, skb); 6051 break; 6052 6053 case HCI_EV_INQUIRY_RESULT: 6054 hci_inquiry_result_evt(hdev, skb); 6055 break; 6056 6057 case HCI_EV_CONN_COMPLETE: 6058 hci_conn_complete_evt(hdev, skb); 6059 break; 6060 6061 case HCI_EV_CONN_REQUEST: 6062 hci_conn_request_evt(hdev, skb); 6063 break; 6064 6065 case HCI_EV_DISCONN_COMPLETE: 6066 hci_disconn_complete_evt(hdev, skb); 6067 break; 6068 6069 case HCI_EV_AUTH_COMPLETE: 6070 hci_auth_complete_evt(hdev, skb); 6071 break; 6072 6073 case HCI_EV_REMOTE_NAME: 6074 hci_remote_name_evt(hdev, skb); 6075 break; 6076 6077 case HCI_EV_ENCRYPT_CHANGE: 6078 hci_encrypt_change_evt(hdev, skb); 6079 break; 6080 6081 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 6082 hci_change_link_key_complete_evt(hdev, skb); 6083 break; 6084 6085 case HCI_EV_REMOTE_FEATURES: 6086 hci_remote_features_evt(hdev, skb); 6087 break; 6088 6089 case HCI_EV_CMD_COMPLETE: 6090 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 6091 &req_complete, &req_complete_skb); 6092 break; 6093 6094 case HCI_EV_CMD_STATUS: 6095 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 6096 &req_complete_skb); 6097 break; 6098 6099 case HCI_EV_HARDWARE_ERROR: 6100 hci_hardware_error_evt(hdev, skb); 6101 break; 6102 6103 case HCI_EV_ROLE_CHANGE: 6104 hci_role_change_evt(hdev, skb); 6105 break; 6106 6107 case HCI_EV_NUM_COMP_PKTS: 6108 hci_num_comp_pkts_evt(hdev, skb); 6109 break; 6110 6111 case HCI_EV_MODE_CHANGE: 6112 hci_mode_change_evt(hdev, skb); 6113 break; 6114 6115 case HCI_EV_PIN_CODE_REQ: 6116 hci_pin_code_request_evt(hdev, skb); 6117 break; 6118 6119 case HCI_EV_LINK_KEY_REQ: 6120 hci_link_key_request_evt(hdev, skb); 6121 break; 6122 6123 case HCI_EV_LINK_KEY_NOTIFY: 6124 hci_link_key_notify_evt(hdev, skb); 6125 break; 6126 6127 case HCI_EV_CLOCK_OFFSET: 6128 hci_clock_offset_evt(hdev, skb); 6129 break; 6130 6131 case HCI_EV_PKT_TYPE_CHANGE: 6132 hci_pkt_type_change_evt(hdev, skb); 6133 break; 6134 6135 case HCI_EV_PSCAN_REP_MODE: 6136 hci_pscan_rep_mode_evt(hdev, skb); 6137 break; 6138 6139 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 6140 hci_inquiry_result_with_rssi_evt(hdev, skb); 6141 break; 6142 6143 case HCI_EV_REMOTE_EXT_FEATURES: 6144 hci_remote_ext_features_evt(hdev, skb); 6145 break; 6146 6147 case HCI_EV_SYNC_CONN_COMPLETE: 6148 hci_sync_conn_complete_evt(hdev, skb); 6149 break; 6150 6151 case HCI_EV_EXTENDED_INQUIRY_RESULT: 6152 hci_extended_inquiry_result_evt(hdev, skb); 6153 break; 6154 6155 case HCI_EV_KEY_REFRESH_COMPLETE: 6156 hci_key_refresh_complete_evt(hdev, skb); 6157 break; 6158 6159 case HCI_EV_IO_CAPA_REQUEST: 6160 hci_io_capa_request_evt(hdev, skb); 6161 break; 6162 6163 case HCI_EV_IO_CAPA_REPLY: 6164 hci_io_capa_reply_evt(hdev, skb); 6165 break; 6166 6167 case HCI_EV_USER_CONFIRM_REQUEST: 6168 hci_user_confirm_request_evt(hdev, skb); 6169 break; 6170 6171 case HCI_EV_USER_PASSKEY_REQUEST: 6172 hci_user_passkey_request_evt(hdev, skb); 6173 break; 6174 6175 case HCI_EV_USER_PASSKEY_NOTIFY: 6176 hci_user_passkey_notify_evt(hdev, skb); 6177 break; 6178 6179 case HCI_EV_KEYPRESS_NOTIFY: 6180 hci_keypress_notify_evt(hdev, skb); 6181 break; 6182 6183 case HCI_EV_SIMPLE_PAIR_COMPLETE: 6184 hci_simple_pair_complete_evt(hdev, skb); 6185 break; 6186 6187 case HCI_EV_REMOTE_HOST_FEATURES: 6188 hci_remote_host_features_evt(hdev, skb); 6189 break; 6190 6191 case HCI_EV_LE_META: 6192 hci_le_meta_evt(hdev, skb); 6193 break; 6194 6195 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 6196 hci_remote_oob_data_request_evt(hdev, skb); 6197 break; 6198 6199 #if IS_ENABLED(CONFIG_BT_HS) 6200 case HCI_EV_CHANNEL_SELECTED: 6201 hci_chan_selected_evt(hdev, skb); 6202 break; 6203 6204 case HCI_EV_PHY_LINK_COMPLETE: 6205 hci_phy_link_complete_evt(hdev, skb); 6206 break; 6207 6208 case HCI_EV_LOGICAL_LINK_COMPLETE: 6209 hci_loglink_complete_evt(hdev, skb); 6210 break; 6211 6212 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 6213 hci_disconn_loglink_complete_evt(hdev, skb); 6214 break; 6215 6216 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 6217 hci_disconn_phylink_complete_evt(hdev, skb); 6218 break; 6219 #endif 6220 6221 case HCI_EV_NUM_COMP_BLOCKS: 6222 hci_num_comp_blocks_evt(hdev, skb); 6223 break; 6224 6225 case HCI_EV_VENDOR: 6226 msft_vendor_evt(hdev, skb); 6227 break; 6228 6229 default: 6230 BT_DBG("%s event 0x%2.2x", hdev->name, event); 6231 break; 6232 } 6233 6234 if (req_complete) { 6235 req_complete(hdev, status, opcode); 6236 } else if (req_complete_skb) { 6237 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 6238 kfree_skb(orig_skb); 6239 orig_skb = NULL; 6240 } 6241 req_complete_skb(hdev, status, opcode, orig_skb); 6242 } 6243 6244 done: 6245 kfree_skb(orig_skb); 6246 kfree_skb(skb); 6247 hdev->stat.evt_rx++; 6248 } 6249