1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 40 "\x00\x00\x00\x00\x00\x00\x00\x00" 41 42 /* Handle HCI Event packets */ 43 44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 45 { 46 __u8 status = *((__u8 *) skb->data); 47 48 BT_DBG("%s status 0x%2.2x", hdev->name, status); 49 50 if (status) 51 return; 52 53 clear_bit(HCI_INQUIRY, &hdev->flags); 54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 55 wake_up_bit(&hdev->flags, HCI_INQUIRY); 56 57 hci_dev_lock(hdev); 58 /* Set discovery state to stopped if we're not doing LE active 59 * scanning. 60 */ 61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 62 hdev->le_scan_type != LE_SCAN_ACTIVE) 63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 64 hci_dev_unlock(hdev); 65 66 hci_conn_check_pending(hdev); 67 } 68 69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 70 { 71 __u8 status = *((__u8 *) skb->data); 72 73 BT_DBG("%s status 0x%2.2x", hdev->name, status); 74 75 if (status) 76 return; 77 78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 79 } 80 81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 82 { 83 __u8 status = *((__u8 *) skb->data); 84 85 BT_DBG("%s status 0x%2.2x", hdev->name, status); 86 87 if (status) 88 return; 89 90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 91 92 hci_conn_check_pending(hdev); 93 } 94 95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 96 struct sk_buff *skb) 97 { 98 BT_DBG("%s", hdev->name); 99 } 100 101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 102 { 103 struct hci_rp_role_discovery *rp = (void *) skb->data; 104 struct hci_conn *conn; 105 106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 107 108 if (rp->status) 109 return; 110 111 hci_dev_lock(hdev); 112 113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 114 if (conn) 115 conn->role = rp->role; 116 117 hci_dev_unlock(hdev); 118 } 119 120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 121 { 122 struct hci_rp_read_link_policy *rp = (void *) skb->data; 123 struct hci_conn *conn; 124 125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 126 127 if (rp->status) 128 return; 129 130 hci_dev_lock(hdev); 131 132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 133 if (conn) 134 conn->link_policy = __le16_to_cpu(rp->policy); 135 136 hci_dev_unlock(hdev); 137 } 138 139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 140 { 141 struct hci_rp_write_link_policy *rp = (void *) skb->data; 142 struct hci_conn *conn; 143 void *sent; 144 145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 146 147 if (rp->status) 148 return; 149 150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 151 if (!sent) 152 return; 153 154 hci_dev_lock(hdev); 155 156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 157 if (conn) 158 conn->link_policy = get_unaligned_le16(sent + 2); 159 160 hci_dev_unlock(hdev); 161 } 162 163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 164 struct sk_buff *skb) 165 { 166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 167 168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 169 170 if (rp->status) 171 return; 172 173 hdev->link_policy = __le16_to_cpu(rp->policy); 174 } 175 176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 177 struct sk_buff *skb) 178 { 179 __u8 status = *((__u8 *) skb->data); 180 void *sent; 181 182 BT_DBG("%s status 0x%2.2x", hdev->name, status); 183 184 if (status) 185 return; 186 187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 188 if (!sent) 189 return; 190 191 hdev->link_policy = get_unaligned_le16(sent); 192 } 193 194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 195 { 196 __u8 status = *((__u8 *) skb->data); 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 clear_bit(HCI_RESET, &hdev->flags); 201 202 if (status) 203 return; 204 205 /* Reset all non-persistent flags */ 206 hci_dev_clear_volatile_flags(hdev); 207 208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 209 210 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 211 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 212 213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 214 hdev->adv_data_len = 0; 215 216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 217 hdev->scan_rsp_data_len = 0; 218 219 hdev->le_scan_type = LE_SCAN_PASSIVE; 220 221 hdev->ssp_debug_mode = 0; 222 223 hci_bdaddr_list_clear(&hdev->le_white_list); 224 hci_bdaddr_list_clear(&hdev->le_resolv_list); 225 } 226 227 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 228 struct sk_buff *skb) 229 { 230 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 231 struct hci_cp_read_stored_link_key *sent; 232 233 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 234 235 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 236 if (!sent) 237 return; 238 239 if (!rp->status && sent->read_all == 0x01) { 240 hdev->stored_max_keys = rp->max_keys; 241 hdev->stored_num_keys = rp->num_keys; 242 } 243 } 244 245 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 246 struct sk_buff *skb) 247 { 248 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 249 250 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 251 252 if (rp->status) 253 return; 254 255 if (rp->num_keys <= hdev->stored_num_keys) 256 hdev->stored_num_keys -= rp->num_keys; 257 else 258 hdev->stored_num_keys = 0; 259 } 260 261 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 262 { 263 __u8 status = *((__u8 *) skb->data); 264 void *sent; 265 266 BT_DBG("%s status 0x%2.2x", hdev->name, status); 267 268 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 269 if (!sent) 270 return; 271 272 hci_dev_lock(hdev); 273 274 if (hci_dev_test_flag(hdev, HCI_MGMT)) 275 mgmt_set_local_name_complete(hdev, sent, status); 276 else if (!status) 277 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 278 279 hci_dev_unlock(hdev); 280 } 281 282 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 283 { 284 struct hci_rp_read_local_name *rp = (void *) skb->data; 285 286 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 287 288 if (rp->status) 289 return; 290 291 if (hci_dev_test_flag(hdev, HCI_SETUP) || 292 hci_dev_test_flag(hdev, HCI_CONFIG)) 293 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 294 } 295 296 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 297 { 298 __u8 status = *((__u8 *) skb->data); 299 void *sent; 300 301 BT_DBG("%s status 0x%2.2x", hdev->name, status); 302 303 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 304 if (!sent) 305 return; 306 307 hci_dev_lock(hdev); 308 309 if (!status) { 310 __u8 param = *((__u8 *) sent); 311 312 if (param == AUTH_ENABLED) 313 set_bit(HCI_AUTH, &hdev->flags); 314 else 315 clear_bit(HCI_AUTH, &hdev->flags); 316 } 317 318 if (hci_dev_test_flag(hdev, HCI_MGMT)) 319 mgmt_auth_enable_complete(hdev, status); 320 321 hci_dev_unlock(hdev); 322 } 323 324 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 325 { 326 __u8 status = *((__u8 *) skb->data); 327 __u8 param; 328 void *sent; 329 330 BT_DBG("%s status 0x%2.2x", hdev->name, status); 331 332 if (status) 333 return; 334 335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 336 if (!sent) 337 return; 338 339 param = *((__u8 *) sent); 340 341 if (param) 342 set_bit(HCI_ENCRYPT, &hdev->flags); 343 else 344 clear_bit(HCI_ENCRYPT, &hdev->flags); 345 } 346 347 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 348 { 349 __u8 status = *((__u8 *) skb->data); 350 __u8 param; 351 void *sent; 352 353 BT_DBG("%s status 0x%2.2x", hdev->name, status); 354 355 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 356 if (!sent) 357 return; 358 359 param = *((__u8 *) sent); 360 361 hci_dev_lock(hdev); 362 363 if (status) { 364 hdev->discov_timeout = 0; 365 goto done; 366 } 367 368 if (param & SCAN_INQUIRY) 369 set_bit(HCI_ISCAN, &hdev->flags); 370 else 371 clear_bit(HCI_ISCAN, &hdev->flags); 372 373 if (param & SCAN_PAGE) 374 set_bit(HCI_PSCAN, &hdev->flags); 375 else 376 clear_bit(HCI_PSCAN, &hdev->flags); 377 378 done: 379 hci_dev_unlock(hdev); 380 } 381 382 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 383 { 384 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 385 386 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 387 388 if (rp->status) 389 return; 390 391 memcpy(hdev->dev_class, rp->dev_class, 3); 392 393 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 394 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 395 } 396 397 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 398 { 399 __u8 status = *((__u8 *) skb->data); 400 void *sent; 401 402 BT_DBG("%s status 0x%2.2x", hdev->name, status); 403 404 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 405 if (!sent) 406 return; 407 408 hci_dev_lock(hdev); 409 410 if (status == 0) 411 memcpy(hdev->dev_class, sent, 3); 412 413 if (hci_dev_test_flag(hdev, HCI_MGMT)) 414 mgmt_set_class_of_dev_complete(hdev, sent, status); 415 416 hci_dev_unlock(hdev); 417 } 418 419 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 420 { 421 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 422 __u16 setting; 423 424 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 425 426 if (rp->status) 427 return; 428 429 setting = __le16_to_cpu(rp->voice_setting); 430 431 if (hdev->voice_setting == setting) 432 return; 433 434 hdev->voice_setting = setting; 435 436 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 437 438 if (hdev->notify) 439 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 440 } 441 442 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 443 struct sk_buff *skb) 444 { 445 __u8 status = *((__u8 *) skb->data); 446 __u16 setting; 447 void *sent; 448 449 BT_DBG("%s status 0x%2.2x", hdev->name, status); 450 451 if (status) 452 return; 453 454 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 455 if (!sent) 456 return; 457 458 setting = get_unaligned_le16(sent); 459 460 if (hdev->voice_setting == setting) 461 return; 462 463 hdev->voice_setting = setting; 464 465 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 466 467 if (hdev->notify) 468 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 469 } 470 471 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 472 struct sk_buff *skb) 473 { 474 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 475 476 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 477 478 if (rp->status) 479 return; 480 481 hdev->num_iac = rp->num_iac; 482 483 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 484 } 485 486 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 487 { 488 __u8 status = *((__u8 *) skb->data); 489 struct hci_cp_write_ssp_mode *sent; 490 491 BT_DBG("%s status 0x%2.2x", hdev->name, status); 492 493 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 494 if (!sent) 495 return; 496 497 hci_dev_lock(hdev); 498 499 if (!status) { 500 if (sent->mode) 501 hdev->features[1][0] |= LMP_HOST_SSP; 502 else 503 hdev->features[1][0] &= ~LMP_HOST_SSP; 504 } 505 506 if (hci_dev_test_flag(hdev, HCI_MGMT)) 507 mgmt_ssp_enable_complete(hdev, sent->mode, status); 508 else if (!status) { 509 if (sent->mode) 510 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 511 else 512 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 513 } 514 515 hci_dev_unlock(hdev); 516 } 517 518 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 519 { 520 u8 status = *((u8 *) skb->data); 521 struct hci_cp_write_sc_support *sent; 522 523 BT_DBG("%s status 0x%2.2x", hdev->name, status); 524 525 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 526 if (!sent) 527 return; 528 529 hci_dev_lock(hdev); 530 531 if (!status) { 532 if (sent->support) 533 hdev->features[1][0] |= LMP_HOST_SC; 534 else 535 hdev->features[1][0] &= ~LMP_HOST_SC; 536 } 537 538 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 539 if (sent->support) 540 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 541 else 542 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 543 } 544 545 hci_dev_unlock(hdev); 546 } 547 548 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 549 { 550 struct hci_rp_read_local_version *rp = (void *) skb->data; 551 552 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 553 554 if (rp->status) 555 return; 556 557 if (hci_dev_test_flag(hdev, HCI_SETUP) || 558 hci_dev_test_flag(hdev, HCI_CONFIG)) { 559 hdev->hci_ver = rp->hci_ver; 560 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 561 hdev->lmp_ver = rp->lmp_ver; 562 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 563 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 564 } 565 } 566 567 static void hci_cc_read_local_commands(struct hci_dev *hdev, 568 struct sk_buff *skb) 569 { 570 struct hci_rp_read_local_commands *rp = (void *) skb->data; 571 572 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 573 574 if (rp->status) 575 return; 576 577 if (hci_dev_test_flag(hdev, HCI_SETUP) || 578 hci_dev_test_flag(hdev, HCI_CONFIG)) 579 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 580 } 581 582 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, 583 struct sk_buff *skb) 584 { 585 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data; 586 struct hci_conn *conn; 587 588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 589 590 if (rp->status) 591 return; 592 593 hci_dev_lock(hdev); 594 595 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 596 if (conn) 597 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 598 599 hci_dev_unlock(hdev); 600 } 601 602 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, 603 struct sk_buff *skb) 604 { 605 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data; 606 struct hci_conn *conn; 607 void *sent; 608 609 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 610 611 if (rp->status) 612 return; 613 614 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 615 if (!sent) 616 return; 617 618 hci_dev_lock(hdev); 619 620 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 621 if (conn) 622 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 623 624 hci_dev_unlock(hdev); 625 } 626 627 static void hci_cc_read_local_features(struct hci_dev *hdev, 628 struct sk_buff *skb) 629 { 630 struct hci_rp_read_local_features *rp = (void *) skb->data; 631 632 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 633 634 if (rp->status) 635 return; 636 637 memcpy(hdev->features, rp->features, 8); 638 639 /* Adjust default settings according to features 640 * supported by device. */ 641 642 if (hdev->features[0][0] & LMP_3SLOT) 643 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 644 645 if (hdev->features[0][0] & LMP_5SLOT) 646 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 647 648 if (hdev->features[0][1] & LMP_HV2) { 649 hdev->pkt_type |= (HCI_HV2); 650 hdev->esco_type |= (ESCO_HV2); 651 } 652 653 if (hdev->features[0][1] & LMP_HV3) { 654 hdev->pkt_type |= (HCI_HV3); 655 hdev->esco_type |= (ESCO_HV3); 656 } 657 658 if (lmp_esco_capable(hdev)) 659 hdev->esco_type |= (ESCO_EV3); 660 661 if (hdev->features[0][4] & LMP_EV4) 662 hdev->esco_type |= (ESCO_EV4); 663 664 if (hdev->features[0][4] & LMP_EV5) 665 hdev->esco_type |= (ESCO_EV5); 666 667 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 668 hdev->esco_type |= (ESCO_2EV3); 669 670 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 671 hdev->esco_type |= (ESCO_3EV3); 672 673 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 674 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 675 } 676 677 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 678 struct sk_buff *skb) 679 { 680 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 681 682 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 683 684 if (rp->status) 685 return; 686 687 if (hdev->max_page < rp->max_page) 688 hdev->max_page = rp->max_page; 689 690 if (rp->page < HCI_MAX_PAGES) 691 memcpy(hdev->features[rp->page], rp->features, 8); 692 } 693 694 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 695 struct sk_buff *skb) 696 { 697 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 698 699 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 700 701 if (rp->status) 702 return; 703 704 hdev->flow_ctl_mode = rp->mode; 705 } 706 707 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 708 { 709 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 710 711 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 712 713 if (rp->status) 714 return; 715 716 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 717 hdev->sco_mtu = rp->sco_mtu; 718 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 719 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 720 721 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 722 hdev->sco_mtu = 64; 723 hdev->sco_pkts = 8; 724 } 725 726 hdev->acl_cnt = hdev->acl_pkts; 727 hdev->sco_cnt = hdev->sco_pkts; 728 729 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 730 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 731 } 732 733 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 734 { 735 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 736 737 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 738 739 if (rp->status) 740 return; 741 742 if (test_bit(HCI_INIT, &hdev->flags)) 743 bacpy(&hdev->bdaddr, &rp->bdaddr); 744 745 if (hci_dev_test_flag(hdev, HCI_SETUP)) 746 bacpy(&hdev->setup_addr, &rp->bdaddr); 747 } 748 749 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 750 struct sk_buff *skb) 751 { 752 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 753 754 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 755 756 if (rp->status) 757 return; 758 759 if (test_bit(HCI_INIT, &hdev->flags)) { 760 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 761 hdev->page_scan_window = __le16_to_cpu(rp->window); 762 } 763 } 764 765 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 766 struct sk_buff *skb) 767 { 768 u8 status = *((u8 *) skb->data); 769 struct hci_cp_write_page_scan_activity *sent; 770 771 BT_DBG("%s status 0x%2.2x", hdev->name, status); 772 773 if (status) 774 return; 775 776 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 777 if (!sent) 778 return; 779 780 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 781 hdev->page_scan_window = __le16_to_cpu(sent->window); 782 } 783 784 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 785 struct sk_buff *skb) 786 { 787 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 788 789 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 790 791 if (rp->status) 792 return; 793 794 if (test_bit(HCI_INIT, &hdev->flags)) 795 hdev->page_scan_type = rp->type; 796 } 797 798 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 799 struct sk_buff *skb) 800 { 801 u8 status = *((u8 *) skb->data); 802 u8 *type; 803 804 BT_DBG("%s status 0x%2.2x", hdev->name, status); 805 806 if (status) 807 return; 808 809 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 810 if (type) 811 hdev->page_scan_type = *type; 812 } 813 814 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 815 struct sk_buff *skb) 816 { 817 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 818 819 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 820 821 if (rp->status) 822 return; 823 824 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 825 hdev->block_len = __le16_to_cpu(rp->block_len); 826 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 827 828 hdev->block_cnt = hdev->num_blocks; 829 830 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 831 hdev->block_cnt, hdev->block_len); 832 } 833 834 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 835 { 836 struct hci_rp_read_clock *rp = (void *) skb->data; 837 struct hci_cp_read_clock *cp; 838 struct hci_conn *conn; 839 840 BT_DBG("%s", hdev->name); 841 842 if (skb->len < sizeof(*rp)) 843 return; 844 845 if (rp->status) 846 return; 847 848 hci_dev_lock(hdev); 849 850 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 851 if (!cp) 852 goto unlock; 853 854 if (cp->which == 0x00) { 855 hdev->clock = le32_to_cpu(rp->clock); 856 goto unlock; 857 } 858 859 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 860 if (conn) { 861 conn->clock = le32_to_cpu(rp->clock); 862 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 863 } 864 865 unlock: 866 hci_dev_unlock(hdev); 867 } 868 869 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 870 struct sk_buff *skb) 871 { 872 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 873 874 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 875 876 if (rp->status) 877 return; 878 879 hdev->amp_status = rp->amp_status; 880 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 881 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 882 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 883 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 884 hdev->amp_type = rp->amp_type; 885 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 886 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 887 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 888 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 889 } 890 891 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 892 struct sk_buff *skb) 893 { 894 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 895 896 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 897 898 if (rp->status) 899 return; 900 901 hdev->inq_tx_power = rp->tx_power; 902 } 903 904 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, 905 struct sk_buff *skb) 906 { 907 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data; 908 909 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 910 911 if (rp->status) 912 return; 913 914 hdev->err_data_reporting = rp->err_data_reporting; 915 } 916 917 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, 918 struct sk_buff *skb) 919 { 920 __u8 status = *((__u8 *)skb->data); 921 struct hci_cp_write_def_err_data_reporting *cp; 922 923 BT_DBG("%s status 0x%2.2x", hdev->name, status); 924 925 if (status) 926 return; 927 928 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 929 if (!cp) 930 return; 931 932 hdev->err_data_reporting = cp->err_data_reporting; 933 } 934 935 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 936 { 937 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 938 struct hci_cp_pin_code_reply *cp; 939 struct hci_conn *conn; 940 941 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 942 943 hci_dev_lock(hdev); 944 945 if (hci_dev_test_flag(hdev, HCI_MGMT)) 946 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 947 948 if (rp->status) 949 goto unlock; 950 951 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 952 if (!cp) 953 goto unlock; 954 955 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 956 if (conn) 957 conn->pin_length = cp->pin_len; 958 959 unlock: 960 hci_dev_unlock(hdev); 961 } 962 963 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 964 { 965 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 966 967 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 968 969 hci_dev_lock(hdev); 970 971 if (hci_dev_test_flag(hdev, HCI_MGMT)) 972 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 973 rp->status); 974 975 hci_dev_unlock(hdev); 976 } 977 978 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 979 struct sk_buff *skb) 980 { 981 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 982 983 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 984 985 if (rp->status) 986 return; 987 988 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 989 hdev->le_pkts = rp->le_max_pkt; 990 991 hdev->le_cnt = hdev->le_pkts; 992 993 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 994 } 995 996 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 997 struct sk_buff *skb) 998 { 999 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 1000 1001 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1002 1003 if (rp->status) 1004 return; 1005 1006 memcpy(hdev->le_features, rp->features, 8); 1007 } 1008 1009 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 1010 struct sk_buff *skb) 1011 { 1012 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 1013 1014 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1015 1016 if (rp->status) 1017 return; 1018 1019 hdev->adv_tx_power = rp->tx_power; 1020 } 1021 1022 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 1023 { 1024 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1025 1026 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1027 1028 hci_dev_lock(hdev); 1029 1030 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1031 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1032 rp->status); 1033 1034 hci_dev_unlock(hdev); 1035 } 1036 1037 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 1038 struct sk_buff *skb) 1039 { 1040 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1041 1042 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1043 1044 hci_dev_lock(hdev); 1045 1046 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1047 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1048 ACL_LINK, 0, rp->status); 1049 1050 hci_dev_unlock(hdev); 1051 } 1052 1053 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 1054 { 1055 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1056 1057 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1058 1059 hci_dev_lock(hdev); 1060 1061 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1062 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1063 0, rp->status); 1064 1065 hci_dev_unlock(hdev); 1066 } 1067 1068 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 1069 struct sk_buff *skb) 1070 { 1071 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 1072 1073 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1074 1075 hci_dev_lock(hdev); 1076 1077 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1078 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1079 ACL_LINK, 0, rp->status); 1080 1081 hci_dev_unlock(hdev); 1082 } 1083 1084 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1085 struct sk_buff *skb) 1086 { 1087 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1088 1089 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1090 } 1091 1092 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1093 struct sk_buff *skb) 1094 { 1095 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1096 1097 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1098 } 1099 1100 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1101 { 1102 __u8 status = *((__u8 *) skb->data); 1103 bdaddr_t *sent; 1104 1105 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1106 1107 if (status) 1108 return; 1109 1110 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1111 if (!sent) 1112 return; 1113 1114 hci_dev_lock(hdev); 1115 1116 bacpy(&hdev->random_addr, sent); 1117 1118 hci_dev_unlock(hdev); 1119 } 1120 1121 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb) 1122 { 1123 __u8 status = *((__u8 *) skb->data); 1124 struct hci_cp_le_set_default_phy *cp; 1125 1126 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1127 1128 if (status) 1129 return; 1130 1131 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1132 if (!cp) 1133 return; 1134 1135 hci_dev_lock(hdev); 1136 1137 hdev->le_tx_def_phys = cp->tx_phys; 1138 hdev->le_rx_def_phys = cp->rx_phys; 1139 1140 hci_dev_unlock(hdev); 1141 } 1142 1143 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, 1144 struct sk_buff *skb) 1145 { 1146 __u8 status = *((__u8 *) skb->data); 1147 struct hci_cp_le_set_adv_set_rand_addr *cp; 1148 struct adv_info *adv_instance; 1149 1150 if (status) 1151 return; 1152 1153 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1154 if (!cp) 1155 return; 1156 1157 hci_dev_lock(hdev); 1158 1159 if (!hdev->cur_adv_instance) { 1160 /* Store in hdev for instance 0 (Set adv and Directed advs) */ 1161 bacpy(&hdev->random_addr, &cp->bdaddr); 1162 } else { 1163 adv_instance = hci_find_adv_instance(hdev, 1164 hdev->cur_adv_instance); 1165 if (adv_instance) 1166 bacpy(&adv_instance->random_addr, &cp->bdaddr); 1167 } 1168 1169 hci_dev_unlock(hdev); 1170 } 1171 1172 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1173 { 1174 __u8 *sent, status = *((__u8 *) skb->data); 1175 1176 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1177 1178 if (status) 1179 return; 1180 1181 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1182 if (!sent) 1183 return; 1184 1185 hci_dev_lock(hdev); 1186 1187 /* If we're doing connection initiation as peripheral. Set a 1188 * timeout in case something goes wrong. 1189 */ 1190 if (*sent) { 1191 struct hci_conn *conn; 1192 1193 hci_dev_set_flag(hdev, HCI_LE_ADV); 1194 1195 conn = hci_lookup_le_connect(hdev); 1196 if (conn) 1197 queue_delayed_work(hdev->workqueue, 1198 &conn->le_conn_timeout, 1199 conn->conn_timeout); 1200 } else { 1201 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1202 } 1203 1204 hci_dev_unlock(hdev); 1205 } 1206 1207 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, 1208 struct sk_buff *skb) 1209 { 1210 struct hci_cp_le_set_ext_adv_enable *cp; 1211 __u8 status = *((__u8 *) skb->data); 1212 1213 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1214 1215 if (status) 1216 return; 1217 1218 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1219 if (!cp) 1220 return; 1221 1222 hci_dev_lock(hdev); 1223 1224 if (cp->enable) { 1225 struct hci_conn *conn; 1226 1227 hci_dev_set_flag(hdev, HCI_LE_ADV); 1228 1229 conn = hci_lookup_le_connect(hdev); 1230 if (conn) 1231 queue_delayed_work(hdev->workqueue, 1232 &conn->le_conn_timeout, 1233 conn->conn_timeout); 1234 } else { 1235 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1236 } 1237 1238 hci_dev_unlock(hdev); 1239 } 1240 1241 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1242 { 1243 struct hci_cp_le_set_scan_param *cp; 1244 __u8 status = *((__u8 *) skb->data); 1245 1246 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1247 1248 if (status) 1249 return; 1250 1251 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1252 if (!cp) 1253 return; 1254 1255 hci_dev_lock(hdev); 1256 1257 hdev->le_scan_type = cp->type; 1258 1259 hci_dev_unlock(hdev); 1260 } 1261 1262 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, 1263 struct sk_buff *skb) 1264 { 1265 struct hci_cp_le_set_ext_scan_params *cp; 1266 __u8 status = *((__u8 *) skb->data); 1267 struct hci_cp_le_scan_phy_params *phy_param; 1268 1269 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1270 1271 if (status) 1272 return; 1273 1274 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1275 if (!cp) 1276 return; 1277 1278 phy_param = (void *)cp->data; 1279 1280 hci_dev_lock(hdev); 1281 1282 hdev->le_scan_type = phy_param->type; 1283 1284 hci_dev_unlock(hdev); 1285 } 1286 1287 static bool has_pending_adv_report(struct hci_dev *hdev) 1288 { 1289 struct discovery_state *d = &hdev->discovery; 1290 1291 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1292 } 1293 1294 static void clear_pending_adv_report(struct hci_dev *hdev) 1295 { 1296 struct discovery_state *d = &hdev->discovery; 1297 1298 bacpy(&d->last_adv_addr, BDADDR_ANY); 1299 d->last_adv_data_len = 0; 1300 } 1301 1302 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1303 u8 bdaddr_type, s8 rssi, u32 flags, 1304 u8 *data, u8 len) 1305 { 1306 struct discovery_state *d = &hdev->discovery; 1307 1308 bacpy(&d->last_adv_addr, bdaddr); 1309 d->last_adv_addr_type = bdaddr_type; 1310 d->last_adv_rssi = rssi; 1311 d->last_adv_flags = flags; 1312 memcpy(d->last_adv_data, data, len); 1313 d->last_adv_data_len = len; 1314 } 1315 1316 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1317 { 1318 hci_dev_lock(hdev); 1319 1320 switch (enable) { 1321 case LE_SCAN_ENABLE: 1322 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1323 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1324 clear_pending_adv_report(hdev); 1325 break; 1326 1327 case LE_SCAN_DISABLE: 1328 /* We do this here instead of when setting DISCOVERY_STOPPED 1329 * since the latter would potentially require waiting for 1330 * inquiry to stop too. 1331 */ 1332 if (has_pending_adv_report(hdev)) { 1333 struct discovery_state *d = &hdev->discovery; 1334 1335 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1336 d->last_adv_addr_type, NULL, 1337 d->last_adv_rssi, d->last_adv_flags, 1338 d->last_adv_data, 1339 d->last_adv_data_len, NULL, 0); 1340 } 1341 1342 /* Cancel this timer so that we don't try to disable scanning 1343 * when it's already disabled. 1344 */ 1345 cancel_delayed_work(&hdev->le_scan_disable); 1346 1347 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1348 1349 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1350 * interrupted scanning due to a connect request. Mark 1351 * therefore discovery as stopped. If this was not 1352 * because of a connect request advertising might have 1353 * been disabled because of active scanning, so 1354 * re-enable it again if necessary. 1355 */ 1356 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1357 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1358 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1359 hdev->discovery.state == DISCOVERY_FINDING) 1360 hci_req_reenable_advertising(hdev); 1361 1362 break; 1363 1364 default: 1365 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1366 enable); 1367 break; 1368 } 1369 1370 hci_dev_unlock(hdev); 1371 } 1372 1373 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1374 struct sk_buff *skb) 1375 { 1376 struct hci_cp_le_set_scan_enable *cp; 1377 __u8 status = *((__u8 *) skb->data); 1378 1379 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1380 1381 if (status) 1382 return; 1383 1384 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1385 if (!cp) 1386 return; 1387 1388 le_set_scan_enable_complete(hdev, cp->enable); 1389 } 1390 1391 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, 1392 struct sk_buff *skb) 1393 { 1394 struct hci_cp_le_set_ext_scan_enable *cp; 1395 __u8 status = *((__u8 *) skb->data); 1396 1397 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1398 1399 if (status) 1400 return; 1401 1402 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1403 if (!cp) 1404 return; 1405 1406 le_set_scan_enable_complete(hdev, cp->enable); 1407 } 1408 1409 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, 1410 struct sk_buff *skb) 1411 { 1412 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data; 1413 1414 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status, 1415 rp->num_of_sets); 1416 1417 if (rp->status) 1418 return; 1419 1420 hdev->le_num_of_adv_sets = rp->num_of_sets; 1421 } 1422 1423 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1424 struct sk_buff *skb) 1425 { 1426 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1427 1428 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1429 1430 if (rp->status) 1431 return; 1432 1433 hdev->le_white_list_size = rp->size; 1434 } 1435 1436 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1437 struct sk_buff *skb) 1438 { 1439 __u8 status = *((__u8 *) skb->data); 1440 1441 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1442 1443 if (status) 1444 return; 1445 1446 hci_bdaddr_list_clear(&hdev->le_white_list); 1447 } 1448 1449 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1450 struct sk_buff *skb) 1451 { 1452 struct hci_cp_le_add_to_white_list *sent; 1453 __u8 status = *((__u8 *) skb->data); 1454 1455 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1456 1457 if (status) 1458 return; 1459 1460 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1461 if (!sent) 1462 return; 1463 1464 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1465 sent->bdaddr_type); 1466 } 1467 1468 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1469 struct sk_buff *skb) 1470 { 1471 struct hci_cp_le_del_from_white_list *sent; 1472 __u8 status = *((__u8 *) skb->data); 1473 1474 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1475 1476 if (status) 1477 return; 1478 1479 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1480 if (!sent) 1481 return; 1482 1483 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1484 sent->bdaddr_type); 1485 } 1486 1487 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1488 struct sk_buff *skb) 1489 { 1490 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1491 1492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1493 1494 if (rp->status) 1495 return; 1496 1497 memcpy(hdev->le_states, rp->le_states, 8); 1498 } 1499 1500 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1501 struct sk_buff *skb) 1502 { 1503 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1504 1505 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1506 1507 if (rp->status) 1508 return; 1509 1510 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1511 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1512 } 1513 1514 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1515 struct sk_buff *skb) 1516 { 1517 struct hci_cp_le_write_def_data_len *sent; 1518 __u8 status = *((__u8 *) skb->data); 1519 1520 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1521 1522 if (status) 1523 return; 1524 1525 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1526 if (!sent) 1527 return; 1528 1529 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1530 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1531 } 1532 1533 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, 1534 struct sk_buff *skb) 1535 { 1536 struct hci_cp_le_add_to_resolv_list *sent; 1537 __u8 status = *((__u8 *) skb->data); 1538 1539 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1540 1541 if (status) 1542 return; 1543 1544 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1545 if (!sent) 1546 return; 1547 1548 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1549 sent->bdaddr_type, sent->peer_irk, 1550 sent->local_irk); 1551 } 1552 1553 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 1554 struct sk_buff *skb) 1555 { 1556 struct hci_cp_le_del_from_resolv_list *sent; 1557 __u8 status = *((__u8 *) skb->data); 1558 1559 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1560 1561 if (status) 1562 return; 1563 1564 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 1565 if (!sent) 1566 return; 1567 1568 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1569 sent->bdaddr_type); 1570 } 1571 1572 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev, 1573 struct sk_buff *skb) 1574 { 1575 __u8 status = *((__u8 *) skb->data); 1576 1577 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1578 1579 if (status) 1580 return; 1581 1582 hci_bdaddr_list_clear(&hdev->le_resolv_list); 1583 } 1584 1585 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, 1586 struct sk_buff *skb) 1587 { 1588 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data; 1589 1590 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1591 1592 if (rp->status) 1593 return; 1594 1595 hdev->le_resolv_list_size = rp->size; 1596 } 1597 1598 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, 1599 struct sk_buff *skb) 1600 { 1601 __u8 *sent, status = *((__u8 *) skb->data); 1602 1603 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1604 1605 if (status) 1606 return; 1607 1608 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 1609 if (!sent) 1610 return; 1611 1612 hci_dev_lock(hdev); 1613 1614 if (*sent) 1615 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 1616 else 1617 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 1618 1619 hci_dev_unlock(hdev); 1620 } 1621 1622 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1623 struct sk_buff *skb) 1624 { 1625 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1626 1627 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1628 1629 if (rp->status) 1630 return; 1631 1632 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1633 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1634 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1635 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1636 } 1637 1638 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1639 struct sk_buff *skb) 1640 { 1641 struct hci_cp_write_le_host_supported *sent; 1642 __u8 status = *((__u8 *) skb->data); 1643 1644 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1645 1646 if (status) 1647 return; 1648 1649 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1650 if (!sent) 1651 return; 1652 1653 hci_dev_lock(hdev); 1654 1655 if (sent->le) { 1656 hdev->features[1][0] |= LMP_HOST_LE; 1657 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1658 } else { 1659 hdev->features[1][0] &= ~LMP_HOST_LE; 1660 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1661 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1662 } 1663 1664 if (sent->simul) 1665 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1666 else 1667 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1668 1669 hci_dev_unlock(hdev); 1670 } 1671 1672 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1673 { 1674 struct hci_cp_le_set_adv_param *cp; 1675 u8 status = *((u8 *) skb->data); 1676 1677 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1678 1679 if (status) 1680 return; 1681 1682 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1683 if (!cp) 1684 return; 1685 1686 hci_dev_lock(hdev); 1687 hdev->adv_addr_type = cp->own_address_type; 1688 hci_dev_unlock(hdev); 1689 } 1690 1691 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1692 { 1693 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data; 1694 struct hci_cp_le_set_ext_adv_params *cp; 1695 struct adv_info *adv_instance; 1696 1697 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1698 1699 if (rp->status) 1700 return; 1701 1702 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 1703 if (!cp) 1704 return; 1705 1706 hci_dev_lock(hdev); 1707 hdev->adv_addr_type = cp->own_addr_type; 1708 if (!hdev->cur_adv_instance) { 1709 /* Store in hdev for instance 0 */ 1710 hdev->adv_tx_power = rp->tx_power; 1711 } else { 1712 adv_instance = hci_find_adv_instance(hdev, 1713 hdev->cur_adv_instance); 1714 if (adv_instance) 1715 adv_instance->tx_power = rp->tx_power; 1716 } 1717 /* Update adv data as tx power is known now */ 1718 hci_req_update_adv_data(hdev, hdev->cur_adv_instance); 1719 hci_dev_unlock(hdev); 1720 } 1721 1722 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1723 { 1724 struct hci_rp_read_rssi *rp = (void *) skb->data; 1725 struct hci_conn *conn; 1726 1727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1728 1729 if (rp->status) 1730 return; 1731 1732 hci_dev_lock(hdev); 1733 1734 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1735 if (conn) 1736 conn->rssi = rp->rssi; 1737 1738 hci_dev_unlock(hdev); 1739 } 1740 1741 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1742 { 1743 struct hci_cp_read_tx_power *sent; 1744 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1745 struct hci_conn *conn; 1746 1747 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1748 1749 if (rp->status) 1750 return; 1751 1752 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1753 if (!sent) 1754 return; 1755 1756 hci_dev_lock(hdev); 1757 1758 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1759 if (!conn) 1760 goto unlock; 1761 1762 switch (sent->type) { 1763 case 0x00: 1764 conn->tx_power = rp->tx_power; 1765 break; 1766 case 0x01: 1767 conn->max_tx_power = rp->tx_power; 1768 break; 1769 } 1770 1771 unlock: 1772 hci_dev_unlock(hdev); 1773 } 1774 1775 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1776 { 1777 u8 status = *((u8 *) skb->data); 1778 u8 *mode; 1779 1780 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1781 1782 if (status) 1783 return; 1784 1785 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1786 if (mode) 1787 hdev->ssp_debug_mode = *mode; 1788 } 1789 1790 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1791 { 1792 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1793 1794 if (status) { 1795 hci_conn_check_pending(hdev); 1796 return; 1797 } 1798 1799 set_bit(HCI_INQUIRY, &hdev->flags); 1800 } 1801 1802 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1803 { 1804 struct hci_cp_create_conn *cp; 1805 struct hci_conn *conn; 1806 1807 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1808 1809 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1810 if (!cp) 1811 return; 1812 1813 hci_dev_lock(hdev); 1814 1815 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1816 1817 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1818 1819 if (status) { 1820 if (conn && conn->state == BT_CONNECT) { 1821 if (status != 0x0c || conn->attempt > 2) { 1822 conn->state = BT_CLOSED; 1823 hci_connect_cfm(conn, status); 1824 hci_conn_del(conn); 1825 } else 1826 conn->state = BT_CONNECT2; 1827 } 1828 } else { 1829 if (!conn) { 1830 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1831 HCI_ROLE_MASTER); 1832 if (!conn) 1833 bt_dev_err(hdev, "no memory for new connection"); 1834 } 1835 } 1836 1837 hci_dev_unlock(hdev); 1838 } 1839 1840 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1841 { 1842 struct hci_cp_add_sco *cp; 1843 struct hci_conn *acl, *sco; 1844 __u16 handle; 1845 1846 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1847 1848 if (!status) 1849 return; 1850 1851 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1852 if (!cp) 1853 return; 1854 1855 handle = __le16_to_cpu(cp->handle); 1856 1857 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1858 1859 hci_dev_lock(hdev); 1860 1861 acl = hci_conn_hash_lookup_handle(hdev, handle); 1862 if (acl) { 1863 sco = acl->link; 1864 if (sco) { 1865 sco->state = BT_CLOSED; 1866 1867 hci_connect_cfm(sco, status); 1868 hci_conn_del(sco); 1869 } 1870 } 1871 1872 hci_dev_unlock(hdev); 1873 } 1874 1875 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1876 { 1877 struct hci_cp_auth_requested *cp; 1878 struct hci_conn *conn; 1879 1880 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1881 1882 if (!status) 1883 return; 1884 1885 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1886 if (!cp) 1887 return; 1888 1889 hci_dev_lock(hdev); 1890 1891 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1892 if (conn) { 1893 if (conn->state == BT_CONFIG) { 1894 hci_connect_cfm(conn, status); 1895 hci_conn_drop(conn); 1896 } 1897 } 1898 1899 hci_dev_unlock(hdev); 1900 } 1901 1902 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1903 { 1904 struct hci_cp_set_conn_encrypt *cp; 1905 struct hci_conn *conn; 1906 1907 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1908 1909 if (!status) 1910 return; 1911 1912 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1913 if (!cp) 1914 return; 1915 1916 hci_dev_lock(hdev); 1917 1918 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1919 if (conn) { 1920 if (conn->state == BT_CONFIG) { 1921 hci_connect_cfm(conn, status); 1922 hci_conn_drop(conn); 1923 } 1924 } 1925 1926 hci_dev_unlock(hdev); 1927 } 1928 1929 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1930 struct hci_conn *conn) 1931 { 1932 if (conn->state != BT_CONFIG || !conn->out) 1933 return 0; 1934 1935 if (conn->pending_sec_level == BT_SECURITY_SDP) 1936 return 0; 1937 1938 /* Only request authentication for SSP connections or non-SSP 1939 * devices with sec_level MEDIUM or HIGH or if MITM protection 1940 * is requested. 1941 */ 1942 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1943 conn->pending_sec_level != BT_SECURITY_FIPS && 1944 conn->pending_sec_level != BT_SECURITY_HIGH && 1945 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1946 return 0; 1947 1948 return 1; 1949 } 1950 1951 static int hci_resolve_name(struct hci_dev *hdev, 1952 struct inquiry_entry *e) 1953 { 1954 struct hci_cp_remote_name_req cp; 1955 1956 memset(&cp, 0, sizeof(cp)); 1957 1958 bacpy(&cp.bdaddr, &e->data.bdaddr); 1959 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1960 cp.pscan_mode = e->data.pscan_mode; 1961 cp.clock_offset = e->data.clock_offset; 1962 1963 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 1964 } 1965 1966 static bool hci_resolve_next_name(struct hci_dev *hdev) 1967 { 1968 struct discovery_state *discov = &hdev->discovery; 1969 struct inquiry_entry *e; 1970 1971 if (list_empty(&discov->resolve)) 1972 return false; 1973 1974 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1975 if (!e) 1976 return false; 1977 1978 if (hci_resolve_name(hdev, e) == 0) { 1979 e->name_state = NAME_PENDING; 1980 return true; 1981 } 1982 1983 return false; 1984 } 1985 1986 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 1987 bdaddr_t *bdaddr, u8 *name, u8 name_len) 1988 { 1989 struct discovery_state *discov = &hdev->discovery; 1990 struct inquiry_entry *e; 1991 1992 /* Update the mgmt connected state if necessary. Be careful with 1993 * conn objects that exist but are not (yet) connected however. 1994 * Only those in BT_CONFIG or BT_CONNECTED states can be 1995 * considered connected. 1996 */ 1997 if (conn && 1998 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 1999 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2000 mgmt_device_connected(hdev, conn, 0, name, name_len); 2001 2002 if (discov->state == DISCOVERY_STOPPED) 2003 return; 2004 2005 if (discov->state == DISCOVERY_STOPPING) 2006 goto discov_complete; 2007 2008 if (discov->state != DISCOVERY_RESOLVING) 2009 return; 2010 2011 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2012 /* If the device was not found in a list of found devices names of which 2013 * are pending. there is no need to continue resolving a next name as it 2014 * will be done upon receiving another Remote Name Request Complete 2015 * Event */ 2016 if (!e) 2017 return; 2018 2019 list_del(&e->list); 2020 if (name) { 2021 e->name_state = NAME_KNOWN; 2022 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 2023 e->data.rssi, name, name_len); 2024 } else { 2025 e->name_state = NAME_NOT_KNOWN; 2026 } 2027 2028 if (hci_resolve_next_name(hdev)) 2029 return; 2030 2031 discov_complete: 2032 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2033 } 2034 2035 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2036 { 2037 struct hci_cp_remote_name_req *cp; 2038 struct hci_conn *conn; 2039 2040 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2041 2042 /* If successful wait for the name req complete event before 2043 * checking for the need to do authentication */ 2044 if (!status) 2045 return; 2046 2047 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2048 if (!cp) 2049 return; 2050 2051 hci_dev_lock(hdev); 2052 2053 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2054 2055 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2056 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2057 2058 if (!conn) 2059 goto unlock; 2060 2061 if (!hci_outgoing_auth_needed(hdev, conn)) 2062 goto unlock; 2063 2064 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2065 struct hci_cp_auth_requested auth_cp; 2066 2067 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2068 2069 auth_cp.handle = __cpu_to_le16(conn->handle); 2070 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2071 sizeof(auth_cp), &auth_cp); 2072 } 2073 2074 unlock: 2075 hci_dev_unlock(hdev); 2076 } 2077 2078 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2079 { 2080 struct hci_cp_read_remote_features *cp; 2081 struct hci_conn *conn; 2082 2083 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2084 2085 if (!status) 2086 return; 2087 2088 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2089 if (!cp) 2090 return; 2091 2092 hci_dev_lock(hdev); 2093 2094 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2095 if (conn) { 2096 if (conn->state == BT_CONFIG) { 2097 hci_connect_cfm(conn, status); 2098 hci_conn_drop(conn); 2099 } 2100 } 2101 2102 hci_dev_unlock(hdev); 2103 } 2104 2105 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2106 { 2107 struct hci_cp_read_remote_ext_features *cp; 2108 struct hci_conn *conn; 2109 2110 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2111 2112 if (!status) 2113 return; 2114 2115 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2116 if (!cp) 2117 return; 2118 2119 hci_dev_lock(hdev); 2120 2121 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2122 if (conn) { 2123 if (conn->state == BT_CONFIG) { 2124 hci_connect_cfm(conn, status); 2125 hci_conn_drop(conn); 2126 } 2127 } 2128 2129 hci_dev_unlock(hdev); 2130 } 2131 2132 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2133 { 2134 struct hci_cp_setup_sync_conn *cp; 2135 struct hci_conn *acl, *sco; 2136 __u16 handle; 2137 2138 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2139 2140 if (!status) 2141 return; 2142 2143 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2144 if (!cp) 2145 return; 2146 2147 handle = __le16_to_cpu(cp->handle); 2148 2149 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 2150 2151 hci_dev_lock(hdev); 2152 2153 acl = hci_conn_hash_lookup_handle(hdev, handle); 2154 if (acl) { 2155 sco = acl->link; 2156 if (sco) { 2157 sco->state = BT_CLOSED; 2158 2159 hci_connect_cfm(sco, status); 2160 hci_conn_del(sco); 2161 } 2162 } 2163 2164 hci_dev_unlock(hdev); 2165 } 2166 2167 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2168 { 2169 struct hci_cp_sniff_mode *cp; 2170 struct hci_conn *conn; 2171 2172 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2173 2174 if (!status) 2175 return; 2176 2177 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2178 if (!cp) 2179 return; 2180 2181 hci_dev_lock(hdev); 2182 2183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2184 if (conn) { 2185 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2186 2187 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2188 hci_sco_setup(conn, status); 2189 } 2190 2191 hci_dev_unlock(hdev); 2192 } 2193 2194 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2195 { 2196 struct hci_cp_exit_sniff_mode *cp; 2197 struct hci_conn *conn; 2198 2199 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2200 2201 if (!status) 2202 return; 2203 2204 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2205 if (!cp) 2206 return; 2207 2208 hci_dev_lock(hdev); 2209 2210 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2211 if (conn) { 2212 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2213 2214 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2215 hci_sco_setup(conn, status); 2216 } 2217 2218 hci_dev_unlock(hdev); 2219 } 2220 2221 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2222 { 2223 struct hci_cp_disconnect *cp; 2224 struct hci_conn *conn; 2225 2226 if (!status) 2227 return; 2228 2229 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2230 if (!cp) 2231 return; 2232 2233 hci_dev_lock(hdev); 2234 2235 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2236 if (conn) { 2237 u8 type = conn->type; 2238 2239 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2240 conn->dst_type, status); 2241 2242 /* If the disconnection failed for any reason, the upper layer 2243 * does not retry to disconnect in current implementation. 2244 * Hence, we need to do some basic cleanup here and re-enable 2245 * advertising if necessary. 2246 */ 2247 hci_conn_del(conn); 2248 if (type == LE_LINK) 2249 hci_req_reenable_advertising(hdev); 2250 } 2251 2252 hci_dev_unlock(hdev); 2253 } 2254 2255 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2256 u8 peer_addr_type, u8 own_address_type, 2257 u8 filter_policy) 2258 { 2259 struct hci_conn *conn; 2260 2261 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2262 peer_addr_type); 2263 if (!conn) 2264 return; 2265 2266 /* Store the initiator and responder address information which 2267 * is needed for SMP. These values will not change during the 2268 * lifetime of the connection. 2269 */ 2270 conn->init_addr_type = own_address_type; 2271 if (own_address_type == ADDR_LE_DEV_RANDOM) 2272 bacpy(&conn->init_addr, &hdev->random_addr); 2273 else 2274 bacpy(&conn->init_addr, &hdev->bdaddr); 2275 2276 conn->resp_addr_type = peer_addr_type; 2277 bacpy(&conn->resp_addr, peer_addr); 2278 2279 /* We don't want the connection attempt to stick around 2280 * indefinitely since LE doesn't have a page timeout concept 2281 * like BR/EDR. Set a timer for any connection that doesn't use 2282 * the white list for connecting. 2283 */ 2284 if (filter_policy == HCI_LE_USE_PEER_ADDR) 2285 queue_delayed_work(conn->hdev->workqueue, 2286 &conn->le_conn_timeout, 2287 conn->conn_timeout); 2288 } 2289 2290 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2291 { 2292 struct hci_cp_le_create_conn *cp; 2293 2294 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2295 2296 /* All connection failure handling is taken care of by the 2297 * hci_le_conn_failed function which is triggered by the HCI 2298 * request completion callbacks used for connecting. 2299 */ 2300 if (status) 2301 return; 2302 2303 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2304 if (!cp) 2305 return; 2306 2307 hci_dev_lock(hdev); 2308 2309 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2310 cp->own_address_type, cp->filter_policy); 2311 2312 hci_dev_unlock(hdev); 2313 } 2314 2315 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2316 { 2317 struct hci_cp_le_ext_create_conn *cp; 2318 2319 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2320 2321 /* All connection failure handling is taken care of by the 2322 * hci_le_conn_failed function which is triggered by the HCI 2323 * request completion callbacks used for connecting. 2324 */ 2325 if (status) 2326 return; 2327 2328 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2329 if (!cp) 2330 return; 2331 2332 hci_dev_lock(hdev); 2333 2334 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2335 cp->own_addr_type, cp->filter_policy); 2336 2337 hci_dev_unlock(hdev); 2338 } 2339 2340 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2341 { 2342 struct hci_cp_le_read_remote_features *cp; 2343 struct hci_conn *conn; 2344 2345 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2346 2347 if (!status) 2348 return; 2349 2350 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2351 if (!cp) 2352 return; 2353 2354 hci_dev_lock(hdev); 2355 2356 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2357 if (conn) { 2358 if (conn->state == BT_CONFIG) { 2359 hci_connect_cfm(conn, status); 2360 hci_conn_drop(conn); 2361 } 2362 } 2363 2364 hci_dev_unlock(hdev); 2365 } 2366 2367 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2368 { 2369 struct hci_cp_le_start_enc *cp; 2370 struct hci_conn *conn; 2371 2372 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2373 2374 if (!status) 2375 return; 2376 2377 hci_dev_lock(hdev); 2378 2379 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2380 if (!cp) 2381 goto unlock; 2382 2383 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2384 if (!conn) 2385 goto unlock; 2386 2387 if (conn->state != BT_CONNECTED) 2388 goto unlock; 2389 2390 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2391 hci_conn_drop(conn); 2392 2393 unlock: 2394 hci_dev_unlock(hdev); 2395 } 2396 2397 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2398 { 2399 struct hci_cp_switch_role *cp; 2400 struct hci_conn *conn; 2401 2402 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2403 2404 if (!status) 2405 return; 2406 2407 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2408 if (!cp) 2409 return; 2410 2411 hci_dev_lock(hdev); 2412 2413 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2414 if (conn) 2415 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2416 2417 hci_dev_unlock(hdev); 2418 } 2419 2420 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2421 { 2422 __u8 status = *((__u8 *) skb->data); 2423 struct discovery_state *discov = &hdev->discovery; 2424 struct inquiry_entry *e; 2425 2426 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2427 2428 hci_conn_check_pending(hdev); 2429 2430 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2431 return; 2432 2433 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2434 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2435 2436 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2437 return; 2438 2439 hci_dev_lock(hdev); 2440 2441 if (discov->state != DISCOVERY_FINDING) 2442 goto unlock; 2443 2444 if (list_empty(&discov->resolve)) { 2445 /* When BR/EDR inquiry is active and no LE scanning is in 2446 * progress, then change discovery state to indicate completion. 2447 * 2448 * When running LE scanning and BR/EDR inquiry simultaneously 2449 * and the LE scan already finished, then change the discovery 2450 * state to indicate completion. 2451 */ 2452 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2453 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2454 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2455 goto unlock; 2456 } 2457 2458 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2459 if (e && hci_resolve_name(hdev, e) == 0) { 2460 e->name_state = NAME_PENDING; 2461 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2462 } else { 2463 /* When BR/EDR inquiry is active and no LE scanning is in 2464 * progress, then change discovery state to indicate completion. 2465 * 2466 * When running LE scanning and BR/EDR inquiry simultaneously 2467 * and the LE scan already finished, then change the discovery 2468 * state to indicate completion. 2469 */ 2470 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2471 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2472 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2473 } 2474 2475 unlock: 2476 hci_dev_unlock(hdev); 2477 } 2478 2479 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2480 { 2481 struct inquiry_data data; 2482 struct inquiry_info *info = (void *) (skb->data + 1); 2483 int num_rsp = *((__u8 *) skb->data); 2484 2485 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2486 2487 if (!num_rsp) 2488 return; 2489 2490 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2491 return; 2492 2493 hci_dev_lock(hdev); 2494 2495 for (; num_rsp; num_rsp--, info++) { 2496 u32 flags; 2497 2498 bacpy(&data.bdaddr, &info->bdaddr); 2499 data.pscan_rep_mode = info->pscan_rep_mode; 2500 data.pscan_period_mode = info->pscan_period_mode; 2501 data.pscan_mode = info->pscan_mode; 2502 memcpy(data.dev_class, info->dev_class, 3); 2503 data.clock_offset = info->clock_offset; 2504 data.rssi = HCI_RSSI_INVALID; 2505 data.ssp_mode = 0x00; 2506 2507 flags = hci_inquiry_cache_update(hdev, &data, false); 2508 2509 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2510 info->dev_class, HCI_RSSI_INVALID, 2511 flags, NULL, 0, NULL, 0); 2512 } 2513 2514 hci_dev_unlock(hdev); 2515 } 2516 2517 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2518 { 2519 struct hci_ev_conn_complete *ev = (void *) skb->data; 2520 struct inquiry_entry *ie; 2521 struct hci_conn *conn; 2522 2523 BT_DBG("%s", hdev->name); 2524 2525 hci_dev_lock(hdev); 2526 2527 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2528 if (!conn) { 2529 /* Connection may not exist if auto-connected. Check the inquiry 2530 * cache to see if we've already discovered this bdaddr before. 2531 * If found and link is an ACL type, create a connection class 2532 * automatically. 2533 */ 2534 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2535 if (ie && ev->link_type == ACL_LINK) { 2536 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2537 HCI_ROLE_SLAVE); 2538 if (!conn) { 2539 bt_dev_err(hdev, "no memory for new conn"); 2540 goto unlock; 2541 } 2542 } else { 2543 if (ev->link_type != SCO_LINK) 2544 goto unlock; 2545 2546 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 2547 &ev->bdaddr); 2548 if (!conn) 2549 goto unlock; 2550 2551 conn->type = SCO_LINK; 2552 } 2553 } 2554 2555 if (!ev->status) { 2556 conn->handle = __le16_to_cpu(ev->handle); 2557 2558 if (conn->type == ACL_LINK) { 2559 conn->state = BT_CONFIG; 2560 hci_conn_hold(conn); 2561 2562 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2563 !hci_find_link_key(hdev, &ev->bdaddr)) 2564 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2565 else 2566 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2567 } else 2568 conn->state = BT_CONNECTED; 2569 2570 hci_debugfs_create_conn(conn); 2571 hci_conn_add_sysfs(conn); 2572 2573 if (test_bit(HCI_AUTH, &hdev->flags)) 2574 set_bit(HCI_CONN_AUTH, &conn->flags); 2575 2576 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2577 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2578 2579 /* Get remote features */ 2580 if (conn->type == ACL_LINK) { 2581 struct hci_cp_read_remote_features cp; 2582 cp.handle = ev->handle; 2583 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2584 sizeof(cp), &cp); 2585 2586 hci_req_update_scan(hdev); 2587 } 2588 2589 /* Set packet type for incoming connection */ 2590 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2591 struct hci_cp_change_conn_ptype cp; 2592 cp.handle = ev->handle; 2593 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2594 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2595 &cp); 2596 } 2597 } else { 2598 conn->state = BT_CLOSED; 2599 if (conn->type == ACL_LINK) 2600 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2601 conn->dst_type, ev->status); 2602 } 2603 2604 if (conn->type == ACL_LINK) 2605 hci_sco_setup(conn, ev->status); 2606 2607 if (ev->status) { 2608 hci_connect_cfm(conn, ev->status); 2609 hci_conn_del(conn); 2610 } else if (ev->link_type != ACL_LINK) 2611 hci_connect_cfm(conn, ev->status); 2612 2613 unlock: 2614 hci_dev_unlock(hdev); 2615 2616 hci_conn_check_pending(hdev); 2617 } 2618 2619 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2620 { 2621 struct hci_cp_reject_conn_req cp; 2622 2623 bacpy(&cp.bdaddr, bdaddr); 2624 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2625 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2626 } 2627 2628 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2629 { 2630 struct hci_ev_conn_request *ev = (void *) skb->data; 2631 int mask = hdev->link_mode; 2632 struct inquiry_entry *ie; 2633 struct hci_conn *conn; 2634 __u8 flags = 0; 2635 2636 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2637 ev->link_type); 2638 2639 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2640 &flags); 2641 2642 if (!(mask & HCI_LM_ACCEPT)) { 2643 hci_reject_conn(hdev, &ev->bdaddr); 2644 return; 2645 } 2646 2647 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2648 BDADDR_BREDR)) { 2649 hci_reject_conn(hdev, &ev->bdaddr); 2650 return; 2651 } 2652 2653 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2654 * connection. These features are only touched through mgmt so 2655 * only do the checks if HCI_MGMT is set. 2656 */ 2657 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2658 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2659 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr, 2660 BDADDR_BREDR)) { 2661 hci_reject_conn(hdev, &ev->bdaddr); 2662 return; 2663 } 2664 2665 /* Connection accepted */ 2666 2667 hci_dev_lock(hdev); 2668 2669 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2670 if (ie) 2671 memcpy(ie->data.dev_class, ev->dev_class, 3); 2672 2673 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2674 &ev->bdaddr); 2675 if (!conn) { 2676 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2677 HCI_ROLE_SLAVE); 2678 if (!conn) { 2679 bt_dev_err(hdev, "no memory for new connection"); 2680 hci_dev_unlock(hdev); 2681 return; 2682 } 2683 } 2684 2685 memcpy(conn->dev_class, ev->dev_class, 3); 2686 2687 hci_dev_unlock(hdev); 2688 2689 if (ev->link_type == ACL_LINK || 2690 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2691 struct hci_cp_accept_conn_req cp; 2692 conn->state = BT_CONNECT; 2693 2694 bacpy(&cp.bdaddr, &ev->bdaddr); 2695 2696 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2697 cp.role = 0x00; /* Become master */ 2698 else 2699 cp.role = 0x01; /* Remain slave */ 2700 2701 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2702 } else if (!(flags & HCI_PROTO_DEFER)) { 2703 struct hci_cp_accept_sync_conn_req cp; 2704 conn->state = BT_CONNECT; 2705 2706 bacpy(&cp.bdaddr, &ev->bdaddr); 2707 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2708 2709 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2710 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2711 cp.max_latency = cpu_to_le16(0xffff); 2712 cp.content_format = cpu_to_le16(hdev->voice_setting); 2713 cp.retrans_effort = 0xff; 2714 2715 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2716 &cp); 2717 } else { 2718 conn->state = BT_CONNECT2; 2719 hci_connect_cfm(conn, 0); 2720 } 2721 } 2722 2723 static u8 hci_to_mgmt_reason(u8 err) 2724 { 2725 switch (err) { 2726 case HCI_ERROR_CONNECTION_TIMEOUT: 2727 return MGMT_DEV_DISCONN_TIMEOUT; 2728 case HCI_ERROR_REMOTE_USER_TERM: 2729 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2730 case HCI_ERROR_REMOTE_POWER_OFF: 2731 return MGMT_DEV_DISCONN_REMOTE; 2732 case HCI_ERROR_LOCAL_HOST_TERM: 2733 return MGMT_DEV_DISCONN_LOCAL_HOST; 2734 default: 2735 return MGMT_DEV_DISCONN_UNKNOWN; 2736 } 2737 } 2738 2739 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2740 { 2741 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2742 u8 reason; 2743 struct hci_conn_params *params; 2744 struct hci_conn *conn; 2745 bool mgmt_connected; 2746 u8 type; 2747 2748 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2749 2750 hci_dev_lock(hdev); 2751 2752 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2753 if (!conn) 2754 goto unlock; 2755 2756 if (ev->status) { 2757 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2758 conn->dst_type, ev->status); 2759 goto unlock; 2760 } 2761 2762 conn->state = BT_CLOSED; 2763 2764 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2765 2766 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 2767 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 2768 else 2769 reason = hci_to_mgmt_reason(ev->reason); 2770 2771 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2772 reason, mgmt_connected); 2773 2774 if (conn->type == ACL_LINK) { 2775 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2776 hci_remove_link_key(hdev, &conn->dst); 2777 2778 hci_req_update_scan(hdev); 2779 } 2780 2781 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2782 if (params) { 2783 switch (params->auto_connect) { 2784 case HCI_AUTO_CONN_LINK_LOSS: 2785 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2786 break; 2787 /* Fall through */ 2788 2789 case HCI_AUTO_CONN_DIRECT: 2790 case HCI_AUTO_CONN_ALWAYS: 2791 list_del_init(¶ms->action); 2792 list_add(¶ms->action, &hdev->pend_le_conns); 2793 hci_update_background_scan(hdev); 2794 break; 2795 2796 default: 2797 break; 2798 } 2799 } 2800 2801 type = conn->type; 2802 2803 hci_disconn_cfm(conn, ev->reason); 2804 hci_conn_del(conn); 2805 2806 /* The suspend notifier is waiting for all devices to disconnect so 2807 * clear the bit from pending tasks and inform the wait queue. 2808 */ 2809 if (list_empty(&hdev->conn_hash.list) && 2810 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) { 2811 wake_up(&hdev->suspend_wait_q); 2812 } 2813 2814 /* Re-enable advertising if necessary, since it might 2815 * have been disabled by the connection. From the 2816 * HCI_LE_Set_Advertise_Enable command description in 2817 * the core specification (v4.0): 2818 * "The Controller shall continue advertising until the Host 2819 * issues an LE_Set_Advertise_Enable command with 2820 * Advertising_Enable set to 0x00 (Advertising is disabled) 2821 * or until a connection is created or until the Advertising 2822 * is timed out due to Directed Advertising." 2823 */ 2824 if (type == LE_LINK) 2825 hci_req_reenable_advertising(hdev); 2826 2827 unlock: 2828 hci_dev_unlock(hdev); 2829 } 2830 2831 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2832 { 2833 struct hci_ev_auth_complete *ev = (void *) skb->data; 2834 struct hci_conn *conn; 2835 2836 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2837 2838 hci_dev_lock(hdev); 2839 2840 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2841 if (!conn) 2842 goto unlock; 2843 2844 if (!ev->status) { 2845 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2846 2847 if (!hci_conn_ssp_enabled(conn) && 2848 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2849 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 2850 } else { 2851 set_bit(HCI_CONN_AUTH, &conn->flags); 2852 conn->sec_level = conn->pending_sec_level; 2853 } 2854 } else { 2855 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 2856 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 2857 2858 mgmt_auth_failed(conn, ev->status); 2859 } 2860 2861 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2862 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2863 2864 if (conn->state == BT_CONFIG) { 2865 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2866 struct hci_cp_set_conn_encrypt cp; 2867 cp.handle = ev->handle; 2868 cp.encrypt = 0x01; 2869 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2870 &cp); 2871 } else { 2872 conn->state = BT_CONNECTED; 2873 hci_connect_cfm(conn, ev->status); 2874 hci_conn_drop(conn); 2875 } 2876 } else { 2877 hci_auth_cfm(conn, ev->status); 2878 2879 hci_conn_hold(conn); 2880 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2881 hci_conn_drop(conn); 2882 } 2883 2884 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2885 if (!ev->status) { 2886 struct hci_cp_set_conn_encrypt cp; 2887 cp.handle = ev->handle; 2888 cp.encrypt = 0x01; 2889 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2890 &cp); 2891 } else { 2892 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2893 hci_encrypt_cfm(conn, ev->status, 0x00); 2894 } 2895 } 2896 2897 unlock: 2898 hci_dev_unlock(hdev); 2899 } 2900 2901 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2902 { 2903 struct hci_ev_remote_name *ev = (void *) skb->data; 2904 struct hci_conn *conn; 2905 2906 BT_DBG("%s", hdev->name); 2907 2908 hci_conn_check_pending(hdev); 2909 2910 hci_dev_lock(hdev); 2911 2912 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2913 2914 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2915 goto check_auth; 2916 2917 if (ev->status == 0) 2918 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2919 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2920 else 2921 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2922 2923 check_auth: 2924 if (!conn) 2925 goto unlock; 2926 2927 if (!hci_outgoing_auth_needed(hdev, conn)) 2928 goto unlock; 2929 2930 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2931 struct hci_cp_auth_requested cp; 2932 2933 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2934 2935 cp.handle = __cpu_to_le16(conn->handle); 2936 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2937 } 2938 2939 unlock: 2940 hci_dev_unlock(hdev); 2941 } 2942 2943 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 2944 u16 opcode, struct sk_buff *skb) 2945 { 2946 const struct hci_rp_read_enc_key_size *rp; 2947 struct hci_conn *conn; 2948 u16 handle; 2949 2950 BT_DBG("%s status 0x%02x", hdev->name, status); 2951 2952 if (!skb || skb->len < sizeof(*rp)) { 2953 bt_dev_err(hdev, "invalid read key size response"); 2954 return; 2955 } 2956 2957 rp = (void *)skb->data; 2958 handle = le16_to_cpu(rp->handle); 2959 2960 hci_dev_lock(hdev); 2961 2962 conn = hci_conn_hash_lookup_handle(hdev, handle); 2963 if (!conn) 2964 goto unlock; 2965 2966 /* While unexpected, the read_enc_key_size command may fail. The most 2967 * secure approach is to then assume the key size is 0 to force a 2968 * disconnection. 2969 */ 2970 if (rp->status) { 2971 bt_dev_err(hdev, "failed to read key size for handle %u", 2972 handle); 2973 conn->enc_key_size = 0; 2974 } else { 2975 conn->enc_key_size = rp->key_size; 2976 } 2977 2978 if (conn->state == BT_CONFIG) { 2979 conn->state = BT_CONNECTED; 2980 hci_connect_cfm(conn, 0); 2981 hci_conn_drop(conn); 2982 } else { 2983 u8 encrypt; 2984 2985 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2986 encrypt = 0x00; 2987 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags)) 2988 encrypt = 0x02; 2989 else 2990 encrypt = 0x01; 2991 2992 hci_encrypt_cfm(conn, 0, encrypt); 2993 } 2994 2995 unlock: 2996 hci_dev_unlock(hdev); 2997 } 2998 2999 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3000 { 3001 struct hci_ev_encrypt_change *ev = (void *) skb->data; 3002 struct hci_conn *conn; 3003 3004 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3005 3006 hci_dev_lock(hdev); 3007 3008 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3009 if (!conn) 3010 goto unlock; 3011 3012 if (!ev->status) { 3013 if (ev->encrypt) { 3014 /* Encryption implies authentication */ 3015 set_bit(HCI_CONN_AUTH, &conn->flags); 3016 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3017 conn->sec_level = conn->pending_sec_level; 3018 3019 /* P-256 authentication key implies FIPS */ 3020 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3021 set_bit(HCI_CONN_FIPS, &conn->flags); 3022 3023 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3024 conn->type == LE_LINK) 3025 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3026 } else { 3027 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3028 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3029 } 3030 } 3031 3032 /* We should disregard the current RPA and generate a new one 3033 * whenever the encryption procedure fails. 3034 */ 3035 if (ev->status && conn->type == LE_LINK) { 3036 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3037 hci_adv_instances_set_rpa_expired(hdev, true); 3038 } 3039 3040 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3041 3042 if (ev->status && conn->state == BT_CONNECTED) { 3043 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3044 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3045 3046 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3047 hci_conn_drop(conn); 3048 goto unlock; 3049 } 3050 3051 /* In Secure Connections Only mode, do not allow any connections 3052 * that are not encrypted with AES-CCM using a P-256 authenticated 3053 * combination key. 3054 */ 3055 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && 3056 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 3057 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 3058 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 3059 hci_conn_drop(conn); 3060 goto unlock; 3061 } 3062 3063 /* Try reading the encryption key size for encrypted ACL links */ 3064 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3065 struct hci_cp_read_enc_key_size cp; 3066 struct hci_request req; 3067 3068 /* Only send HCI_Read_Encryption_Key_Size if the 3069 * controller really supports it. If it doesn't, assume 3070 * the default size (16). 3071 */ 3072 if (!(hdev->commands[20] & 0x10)) { 3073 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3074 goto notify; 3075 } 3076 3077 hci_req_init(&req, hdev); 3078 3079 cp.handle = cpu_to_le16(conn->handle); 3080 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 3081 3082 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 3083 bt_dev_err(hdev, "sending read key size failed"); 3084 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3085 goto notify; 3086 } 3087 3088 goto unlock; 3089 } 3090 3091 /* Set the default Authenticated Payload Timeout after 3092 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3093 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3094 * sent when the link is active and Encryption is enabled, the conn 3095 * type can be either LE or ACL and controller must support LMP Ping. 3096 * Ensure for AES-CCM encryption as well. 3097 */ 3098 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3099 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3100 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3101 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3102 struct hci_cp_write_auth_payload_to cp; 3103 3104 cp.handle = cpu_to_le16(conn->handle); 3105 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3106 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3107 sizeof(cp), &cp); 3108 } 3109 3110 notify: 3111 if (conn->state == BT_CONFIG) { 3112 if (!ev->status) 3113 conn->state = BT_CONNECTED; 3114 3115 hci_connect_cfm(conn, ev->status); 3116 hci_conn_drop(conn); 3117 } else 3118 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 3119 3120 unlock: 3121 hci_dev_unlock(hdev); 3122 } 3123 3124 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 3125 struct sk_buff *skb) 3126 { 3127 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 3128 struct hci_conn *conn; 3129 3130 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3131 3132 hci_dev_lock(hdev); 3133 3134 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3135 if (conn) { 3136 if (!ev->status) 3137 set_bit(HCI_CONN_SECURE, &conn->flags); 3138 3139 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3140 3141 hci_key_change_cfm(conn, ev->status); 3142 } 3143 3144 hci_dev_unlock(hdev); 3145 } 3146 3147 static void hci_remote_features_evt(struct hci_dev *hdev, 3148 struct sk_buff *skb) 3149 { 3150 struct hci_ev_remote_features *ev = (void *) skb->data; 3151 struct hci_conn *conn; 3152 3153 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3154 3155 hci_dev_lock(hdev); 3156 3157 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3158 if (!conn) 3159 goto unlock; 3160 3161 if (!ev->status) 3162 memcpy(conn->features[0], ev->features, 8); 3163 3164 if (conn->state != BT_CONFIG) 3165 goto unlock; 3166 3167 if (!ev->status && lmp_ext_feat_capable(hdev) && 3168 lmp_ext_feat_capable(conn)) { 3169 struct hci_cp_read_remote_ext_features cp; 3170 cp.handle = ev->handle; 3171 cp.page = 0x01; 3172 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3173 sizeof(cp), &cp); 3174 goto unlock; 3175 } 3176 3177 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3178 struct hci_cp_remote_name_req cp; 3179 memset(&cp, 0, sizeof(cp)); 3180 bacpy(&cp.bdaddr, &conn->dst); 3181 cp.pscan_rep_mode = 0x02; 3182 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3183 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3184 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3185 3186 if (!hci_outgoing_auth_needed(hdev, conn)) { 3187 conn->state = BT_CONNECTED; 3188 hci_connect_cfm(conn, ev->status); 3189 hci_conn_drop(conn); 3190 } 3191 3192 unlock: 3193 hci_dev_unlock(hdev); 3194 } 3195 3196 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 3197 u16 *opcode, u8 *status, 3198 hci_req_complete_t *req_complete, 3199 hci_req_complete_skb_t *req_complete_skb) 3200 { 3201 struct hci_ev_cmd_complete *ev = (void *) skb->data; 3202 3203 *opcode = __le16_to_cpu(ev->opcode); 3204 *status = skb->data[sizeof(*ev)]; 3205 3206 skb_pull(skb, sizeof(*ev)); 3207 3208 switch (*opcode) { 3209 case HCI_OP_INQUIRY_CANCEL: 3210 hci_cc_inquiry_cancel(hdev, skb); 3211 break; 3212 3213 case HCI_OP_PERIODIC_INQ: 3214 hci_cc_periodic_inq(hdev, skb); 3215 break; 3216 3217 case HCI_OP_EXIT_PERIODIC_INQ: 3218 hci_cc_exit_periodic_inq(hdev, skb); 3219 break; 3220 3221 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 3222 hci_cc_remote_name_req_cancel(hdev, skb); 3223 break; 3224 3225 case HCI_OP_ROLE_DISCOVERY: 3226 hci_cc_role_discovery(hdev, skb); 3227 break; 3228 3229 case HCI_OP_READ_LINK_POLICY: 3230 hci_cc_read_link_policy(hdev, skb); 3231 break; 3232 3233 case HCI_OP_WRITE_LINK_POLICY: 3234 hci_cc_write_link_policy(hdev, skb); 3235 break; 3236 3237 case HCI_OP_READ_DEF_LINK_POLICY: 3238 hci_cc_read_def_link_policy(hdev, skb); 3239 break; 3240 3241 case HCI_OP_WRITE_DEF_LINK_POLICY: 3242 hci_cc_write_def_link_policy(hdev, skb); 3243 break; 3244 3245 case HCI_OP_RESET: 3246 hci_cc_reset(hdev, skb); 3247 break; 3248 3249 case HCI_OP_READ_STORED_LINK_KEY: 3250 hci_cc_read_stored_link_key(hdev, skb); 3251 break; 3252 3253 case HCI_OP_DELETE_STORED_LINK_KEY: 3254 hci_cc_delete_stored_link_key(hdev, skb); 3255 break; 3256 3257 case HCI_OP_WRITE_LOCAL_NAME: 3258 hci_cc_write_local_name(hdev, skb); 3259 break; 3260 3261 case HCI_OP_READ_LOCAL_NAME: 3262 hci_cc_read_local_name(hdev, skb); 3263 break; 3264 3265 case HCI_OP_WRITE_AUTH_ENABLE: 3266 hci_cc_write_auth_enable(hdev, skb); 3267 break; 3268 3269 case HCI_OP_WRITE_ENCRYPT_MODE: 3270 hci_cc_write_encrypt_mode(hdev, skb); 3271 break; 3272 3273 case HCI_OP_WRITE_SCAN_ENABLE: 3274 hci_cc_write_scan_enable(hdev, skb); 3275 break; 3276 3277 case HCI_OP_READ_CLASS_OF_DEV: 3278 hci_cc_read_class_of_dev(hdev, skb); 3279 break; 3280 3281 case HCI_OP_WRITE_CLASS_OF_DEV: 3282 hci_cc_write_class_of_dev(hdev, skb); 3283 break; 3284 3285 case HCI_OP_READ_VOICE_SETTING: 3286 hci_cc_read_voice_setting(hdev, skb); 3287 break; 3288 3289 case HCI_OP_WRITE_VOICE_SETTING: 3290 hci_cc_write_voice_setting(hdev, skb); 3291 break; 3292 3293 case HCI_OP_READ_NUM_SUPPORTED_IAC: 3294 hci_cc_read_num_supported_iac(hdev, skb); 3295 break; 3296 3297 case HCI_OP_WRITE_SSP_MODE: 3298 hci_cc_write_ssp_mode(hdev, skb); 3299 break; 3300 3301 case HCI_OP_WRITE_SC_SUPPORT: 3302 hci_cc_write_sc_support(hdev, skb); 3303 break; 3304 3305 case HCI_OP_READ_AUTH_PAYLOAD_TO: 3306 hci_cc_read_auth_payload_timeout(hdev, skb); 3307 break; 3308 3309 case HCI_OP_WRITE_AUTH_PAYLOAD_TO: 3310 hci_cc_write_auth_payload_timeout(hdev, skb); 3311 break; 3312 3313 case HCI_OP_READ_LOCAL_VERSION: 3314 hci_cc_read_local_version(hdev, skb); 3315 break; 3316 3317 case HCI_OP_READ_LOCAL_COMMANDS: 3318 hci_cc_read_local_commands(hdev, skb); 3319 break; 3320 3321 case HCI_OP_READ_LOCAL_FEATURES: 3322 hci_cc_read_local_features(hdev, skb); 3323 break; 3324 3325 case HCI_OP_READ_LOCAL_EXT_FEATURES: 3326 hci_cc_read_local_ext_features(hdev, skb); 3327 break; 3328 3329 case HCI_OP_READ_BUFFER_SIZE: 3330 hci_cc_read_buffer_size(hdev, skb); 3331 break; 3332 3333 case HCI_OP_READ_BD_ADDR: 3334 hci_cc_read_bd_addr(hdev, skb); 3335 break; 3336 3337 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 3338 hci_cc_read_page_scan_activity(hdev, skb); 3339 break; 3340 3341 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 3342 hci_cc_write_page_scan_activity(hdev, skb); 3343 break; 3344 3345 case HCI_OP_READ_PAGE_SCAN_TYPE: 3346 hci_cc_read_page_scan_type(hdev, skb); 3347 break; 3348 3349 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 3350 hci_cc_write_page_scan_type(hdev, skb); 3351 break; 3352 3353 case HCI_OP_READ_DATA_BLOCK_SIZE: 3354 hci_cc_read_data_block_size(hdev, skb); 3355 break; 3356 3357 case HCI_OP_READ_FLOW_CONTROL_MODE: 3358 hci_cc_read_flow_control_mode(hdev, skb); 3359 break; 3360 3361 case HCI_OP_READ_LOCAL_AMP_INFO: 3362 hci_cc_read_local_amp_info(hdev, skb); 3363 break; 3364 3365 case HCI_OP_READ_CLOCK: 3366 hci_cc_read_clock(hdev, skb); 3367 break; 3368 3369 case HCI_OP_READ_INQ_RSP_TX_POWER: 3370 hci_cc_read_inq_rsp_tx_power(hdev, skb); 3371 break; 3372 3373 case HCI_OP_READ_DEF_ERR_DATA_REPORTING: 3374 hci_cc_read_def_err_data_reporting(hdev, skb); 3375 break; 3376 3377 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING: 3378 hci_cc_write_def_err_data_reporting(hdev, skb); 3379 break; 3380 3381 case HCI_OP_PIN_CODE_REPLY: 3382 hci_cc_pin_code_reply(hdev, skb); 3383 break; 3384 3385 case HCI_OP_PIN_CODE_NEG_REPLY: 3386 hci_cc_pin_code_neg_reply(hdev, skb); 3387 break; 3388 3389 case HCI_OP_READ_LOCAL_OOB_DATA: 3390 hci_cc_read_local_oob_data(hdev, skb); 3391 break; 3392 3393 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 3394 hci_cc_read_local_oob_ext_data(hdev, skb); 3395 break; 3396 3397 case HCI_OP_LE_READ_BUFFER_SIZE: 3398 hci_cc_le_read_buffer_size(hdev, skb); 3399 break; 3400 3401 case HCI_OP_LE_READ_LOCAL_FEATURES: 3402 hci_cc_le_read_local_features(hdev, skb); 3403 break; 3404 3405 case HCI_OP_LE_READ_ADV_TX_POWER: 3406 hci_cc_le_read_adv_tx_power(hdev, skb); 3407 break; 3408 3409 case HCI_OP_USER_CONFIRM_REPLY: 3410 hci_cc_user_confirm_reply(hdev, skb); 3411 break; 3412 3413 case HCI_OP_USER_CONFIRM_NEG_REPLY: 3414 hci_cc_user_confirm_neg_reply(hdev, skb); 3415 break; 3416 3417 case HCI_OP_USER_PASSKEY_REPLY: 3418 hci_cc_user_passkey_reply(hdev, skb); 3419 break; 3420 3421 case HCI_OP_USER_PASSKEY_NEG_REPLY: 3422 hci_cc_user_passkey_neg_reply(hdev, skb); 3423 break; 3424 3425 case HCI_OP_LE_SET_RANDOM_ADDR: 3426 hci_cc_le_set_random_addr(hdev, skb); 3427 break; 3428 3429 case HCI_OP_LE_SET_ADV_ENABLE: 3430 hci_cc_le_set_adv_enable(hdev, skb); 3431 break; 3432 3433 case HCI_OP_LE_SET_SCAN_PARAM: 3434 hci_cc_le_set_scan_param(hdev, skb); 3435 break; 3436 3437 case HCI_OP_LE_SET_SCAN_ENABLE: 3438 hci_cc_le_set_scan_enable(hdev, skb); 3439 break; 3440 3441 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 3442 hci_cc_le_read_white_list_size(hdev, skb); 3443 break; 3444 3445 case HCI_OP_LE_CLEAR_WHITE_LIST: 3446 hci_cc_le_clear_white_list(hdev, skb); 3447 break; 3448 3449 case HCI_OP_LE_ADD_TO_WHITE_LIST: 3450 hci_cc_le_add_to_white_list(hdev, skb); 3451 break; 3452 3453 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 3454 hci_cc_le_del_from_white_list(hdev, skb); 3455 break; 3456 3457 case HCI_OP_LE_READ_SUPPORTED_STATES: 3458 hci_cc_le_read_supported_states(hdev, skb); 3459 break; 3460 3461 case HCI_OP_LE_READ_DEF_DATA_LEN: 3462 hci_cc_le_read_def_data_len(hdev, skb); 3463 break; 3464 3465 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3466 hci_cc_le_write_def_data_len(hdev, skb); 3467 break; 3468 3469 case HCI_OP_LE_ADD_TO_RESOLV_LIST: 3470 hci_cc_le_add_to_resolv_list(hdev, skb); 3471 break; 3472 3473 case HCI_OP_LE_DEL_FROM_RESOLV_LIST: 3474 hci_cc_le_del_from_resolv_list(hdev, skb); 3475 break; 3476 3477 case HCI_OP_LE_CLEAR_RESOLV_LIST: 3478 hci_cc_le_clear_resolv_list(hdev, skb); 3479 break; 3480 3481 case HCI_OP_LE_READ_RESOLV_LIST_SIZE: 3482 hci_cc_le_read_resolv_list_size(hdev, skb); 3483 break; 3484 3485 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE: 3486 hci_cc_le_set_addr_resolution_enable(hdev, skb); 3487 break; 3488 3489 case HCI_OP_LE_READ_MAX_DATA_LEN: 3490 hci_cc_le_read_max_data_len(hdev, skb); 3491 break; 3492 3493 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3494 hci_cc_write_le_host_supported(hdev, skb); 3495 break; 3496 3497 case HCI_OP_LE_SET_ADV_PARAM: 3498 hci_cc_set_adv_param(hdev, skb); 3499 break; 3500 3501 case HCI_OP_READ_RSSI: 3502 hci_cc_read_rssi(hdev, skb); 3503 break; 3504 3505 case HCI_OP_READ_TX_POWER: 3506 hci_cc_read_tx_power(hdev, skb); 3507 break; 3508 3509 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3510 hci_cc_write_ssp_debug_mode(hdev, skb); 3511 break; 3512 3513 case HCI_OP_LE_SET_EXT_SCAN_PARAMS: 3514 hci_cc_le_set_ext_scan_param(hdev, skb); 3515 break; 3516 3517 case HCI_OP_LE_SET_EXT_SCAN_ENABLE: 3518 hci_cc_le_set_ext_scan_enable(hdev, skb); 3519 break; 3520 3521 case HCI_OP_LE_SET_DEFAULT_PHY: 3522 hci_cc_le_set_default_phy(hdev, skb); 3523 break; 3524 3525 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS: 3526 hci_cc_le_read_num_adv_sets(hdev, skb); 3527 break; 3528 3529 case HCI_OP_LE_SET_EXT_ADV_PARAMS: 3530 hci_cc_set_ext_adv_param(hdev, skb); 3531 break; 3532 3533 case HCI_OP_LE_SET_EXT_ADV_ENABLE: 3534 hci_cc_le_set_ext_adv_enable(hdev, skb); 3535 break; 3536 3537 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR: 3538 hci_cc_le_set_adv_set_random_addr(hdev, skb); 3539 break; 3540 3541 default: 3542 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3543 break; 3544 } 3545 3546 if (*opcode != HCI_OP_NOP) 3547 cancel_delayed_work(&hdev->cmd_timer); 3548 3549 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3550 atomic_set(&hdev->cmd_cnt, 1); 3551 3552 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3553 req_complete_skb); 3554 3555 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3556 bt_dev_err(hdev, 3557 "unexpected event for opcode 0x%4.4x", *opcode); 3558 return; 3559 } 3560 3561 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3562 queue_work(hdev->workqueue, &hdev->cmd_work); 3563 } 3564 3565 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3566 u16 *opcode, u8 *status, 3567 hci_req_complete_t *req_complete, 3568 hci_req_complete_skb_t *req_complete_skb) 3569 { 3570 struct hci_ev_cmd_status *ev = (void *) skb->data; 3571 3572 skb_pull(skb, sizeof(*ev)); 3573 3574 *opcode = __le16_to_cpu(ev->opcode); 3575 *status = ev->status; 3576 3577 switch (*opcode) { 3578 case HCI_OP_INQUIRY: 3579 hci_cs_inquiry(hdev, ev->status); 3580 break; 3581 3582 case HCI_OP_CREATE_CONN: 3583 hci_cs_create_conn(hdev, ev->status); 3584 break; 3585 3586 case HCI_OP_DISCONNECT: 3587 hci_cs_disconnect(hdev, ev->status); 3588 break; 3589 3590 case HCI_OP_ADD_SCO: 3591 hci_cs_add_sco(hdev, ev->status); 3592 break; 3593 3594 case HCI_OP_AUTH_REQUESTED: 3595 hci_cs_auth_requested(hdev, ev->status); 3596 break; 3597 3598 case HCI_OP_SET_CONN_ENCRYPT: 3599 hci_cs_set_conn_encrypt(hdev, ev->status); 3600 break; 3601 3602 case HCI_OP_REMOTE_NAME_REQ: 3603 hci_cs_remote_name_req(hdev, ev->status); 3604 break; 3605 3606 case HCI_OP_READ_REMOTE_FEATURES: 3607 hci_cs_read_remote_features(hdev, ev->status); 3608 break; 3609 3610 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3611 hci_cs_read_remote_ext_features(hdev, ev->status); 3612 break; 3613 3614 case HCI_OP_SETUP_SYNC_CONN: 3615 hci_cs_setup_sync_conn(hdev, ev->status); 3616 break; 3617 3618 case HCI_OP_SNIFF_MODE: 3619 hci_cs_sniff_mode(hdev, ev->status); 3620 break; 3621 3622 case HCI_OP_EXIT_SNIFF_MODE: 3623 hci_cs_exit_sniff_mode(hdev, ev->status); 3624 break; 3625 3626 case HCI_OP_SWITCH_ROLE: 3627 hci_cs_switch_role(hdev, ev->status); 3628 break; 3629 3630 case HCI_OP_LE_CREATE_CONN: 3631 hci_cs_le_create_conn(hdev, ev->status); 3632 break; 3633 3634 case HCI_OP_LE_READ_REMOTE_FEATURES: 3635 hci_cs_le_read_remote_features(hdev, ev->status); 3636 break; 3637 3638 case HCI_OP_LE_START_ENC: 3639 hci_cs_le_start_enc(hdev, ev->status); 3640 break; 3641 3642 case HCI_OP_LE_EXT_CREATE_CONN: 3643 hci_cs_le_ext_create_conn(hdev, ev->status); 3644 break; 3645 3646 default: 3647 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3648 break; 3649 } 3650 3651 if (*opcode != HCI_OP_NOP) 3652 cancel_delayed_work(&hdev->cmd_timer); 3653 3654 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3655 atomic_set(&hdev->cmd_cnt, 1); 3656 3657 /* Indicate request completion if the command failed. Also, if 3658 * we're not waiting for a special event and we get a success 3659 * command status we should try to flag the request as completed 3660 * (since for this kind of commands there will not be a command 3661 * complete event). 3662 */ 3663 if (ev->status || 3664 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event)) 3665 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3666 req_complete_skb); 3667 3668 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 3669 bt_dev_err(hdev, 3670 "unexpected event for opcode 0x%4.4x", *opcode); 3671 return; 3672 } 3673 3674 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3675 queue_work(hdev->workqueue, &hdev->cmd_work); 3676 } 3677 3678 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3679 { 3680 struct hci_ev_hardware_error *ev = (void *) skb->data; 3681 3682 hdev->hw_error_code = ev->code; 3683 3684 queue_work(hdev->req_workqueue, &hdev->error_reset); 3685 } 3686 3687 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3688 { 3689 struct hci_ev_role_change *ev = (void *) skb->data; 3690 struct hci_conn *conn; 3691 3692 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3693 3694 hci_dev_lock(hdev); 3695 3696 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3697 if (conn) { 3698 if (!ev->status) 3699 conn->role = ev->role; 3700 3701 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3702 3703 hci_role_switch_cfm(conn, ev->status, ev->role); 3704 } 3705 3706 hci_dev_unlock(hdev); 3707 } 3708 3709 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3710 { 3711 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3712 int i; 3713 3714 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3715 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3716 return; 3717 } 3718 3719 if (skb->len < sizeof(*ev) || 3720 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3721 BT_DBG("%s bad parameters", hdev->name); 3722 return; 3723 } 3724 3725 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3726 3727 for (i = 0; i < ev->num_hndl; i++) { 3728 struct hci_comp_pkts_info *info = &ev->handles[i]; 3729 struct hci_conn *conn; 3730 __u16 handle, count; 3731 3732 handle = __le16_to_cpu(info->handle); 3733 count = __le16_to_cpu(info->count); 3734 3735 conn = hci_conn_hash_lookup_handle(hdev, handle); 3736 if (!conn) 3737 continue; 3738 3739 conn->sent -= count; 3740 3741 switch (conn->type) { 3742 case ACL_LINK: 3743 hdev->acl_cnt += count; 3744 if (hdev->acl_cnt > hdev->acl_pkts) 3745 hdev->acl_cnt = hdev->acl_pkts; 3746 break; 3747 3748 case LE_LINK: 3749 if (hdev->le_pkts) { 3750 hdev->le_cnt += count; 3751 if (hdev->le_cnt > hdev->le_pkts) 3752 hdev->le_cnt = hdev->le_pkts; 3753 } else { 3754 hdev->acl_cnt += count; 3755 if (hdev->acl_cnt > hdev->acl_pkts) 3756 hdev->acl_cnt = hdev->acl_pkts; 3757 } 3758 break; 3759 3760 case SCO_LINK: 3761 hdev->sco_cnt += count; 3762 if (hdev->sco_cnt > hdev->sco_pkts) 3763 hdev->sco_cnt = hdev->sco_pkts; 3764 break; 3765 3766 default: 3767 bt_dev_err(hdev, "unknown type %d conn %p", 3768 conn->type, conn); 3769 break; 3770 } 3771 } 3772 3773 queue_work(hdev->workqueue, &hdev->tx_work); 3774 } 3775 3776 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3777 __u16 handle) 3778 { 3779 struct hci_chan *chan; 3780 3781 switch (hdev->dev_type) { 3782 case HCI_PRIMARY: 3783 return hci_conn_hash_lookup_handle(hdev, handle); 3784 case HCI_AMP: 3785 chan = hci_chan_lookup_handle(hdev, handle); 3786 if (chan) 3787 return chan->conn; 3788 break; 3789 default: 3790 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 3791 break; 3792 } 3793 3794 return NULL; 3795 } 3796 3797 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3798 { 3799 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3800 int i; 3801 3802 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3803 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 3804 return; 3805 } 3806 3807 if (skb->len < sizeof(*ev) || 3808 skb->len < struct_size(ev, handles, ev->num_hndl)) { 3809 BT_DBG("%s bad parameters", hdev->name); 3810 return; 3811 } 3812 3813 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3814 ev->num_hndl); 3815 3816 for (i = 0; i < ev->num_hndl; i++) { 3817 struct hci_comp_blocks_info *info = &ev->handles[i]; 3818 struct hci_conn *conn = NULL; 3819 __u16 handle, block_count; 3820 3821 handle = __le16_to_cpu(info->handle); 3822 block_count = __le16_to_cpu(info->blocks); 3823 3824 conn = __hci_conn_lookup_handle(hdev, handle); 3825 if (!conn) 3826 continue; 3827 3828 conn->sent -= block_count; 3829 3830 switch (conn->type) { 3831 case ACL_LINK: 3832 case AMP_LINK: 3833 hdev->block_cnt += block_count; 3834 if (hdev->block_cnt > hdev->num_blocks) 3835 hdev->block_cnt = hdev->num_blocks; 3836 break; 3837 3838 default: 3839 bt_dev_err(hdev, "unknown type %d conn %p", 3840 conn->type, conn); 3841 break; 3842 } 3843 } 3844 3845 queue_work(hdev->workqueue, &hdev->tx_work); 3846 } 3847 3848 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3849 { 3850 struct hci_ev_mode_change *ev = (void *) skb->data; 3851 struct hci_conn *conn; 3852 3853 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3854 3855 hci_dev_lock(hdev); 3856 3857 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3858 if (conn) { 3859 conn->mode = ev->mode; 3860 3861 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3862 &conn->flags)) { 3863 if (conn->mode == HCI_CM_ACTIVE) 3864 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3865 else 3866 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3867 } 3868 3869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3870 hci_sco_setup(conn, ev->status); 3871 } 3872 3873 hci_dev_unlock(hdev); 3874 } 3875 3876 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3877 { 3878 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3879 struct hci_conn *conn; 3880 3881 BT_DBG("%s", hdev->name); 3882 3883 hci_dev_lock(hdev); 3884 3885 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3886 if (!conn) 3887 goto unlock; 3888 3889 if (conn->state == BT_CONNECTED) { 3890 hci_conn_hold(conn); 3891 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3892 hci_conn_drop(conn); 3893 } 3894 3895 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3896 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3897 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3898 sizeof(ev->bdaddr), &ev->bdaddr); 3899 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3900 u8 secure; 3901 3902 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3903 secure = 1; 3904 else 3905 secure = 0; 3906 3907 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3908 } 3909 3910 unlock: 3911 hci_dev_unlock(hdev); 3912 } 3913 3914 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3915 { 3916 if (key_type == HCI_LK_CHANGED_COMBINATION) 3917 return; 3918 3919 conn->pin_length = pin_len; 3920 conn->key_type = key_type; 3921 3922 switch (key_type) { 3923 case HCI_LK_LOCAL_UNIT: 3924 case HCI_LK_REMOTE_UNIT: 3925 case HCI_LK_DEBUG_COMBINATION: 3926 return; 3927 case HCI_LK_COMBINATION: 3928 if (pin_len == 16) 3929 conn->pending_sec_level = BT_SECURITY_HIGH; 3930 else 3931 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3932 break; 3933 case HCI_LK_UNAUTH_COMBINATION_P192: 3934 case HCI_LK_UNAUTH_COMBINATION_P256: 3935 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3936 break; 3937 case HCI_LK_AUTH_COMBINATION_P192: 3938 conn->pending_sec_level = BT_SECURITY_HIGH; 3939 break; 3940 case HCI_LK_AUTH_COMBINATION_P256: 3941 conn->pending_sec_level = BT_SECURITY_FIPS; 3942 break; 3943 } 3944 } 3945 3946 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3947 { 3948 struct hci_ev_link_key_req *ev = (void *) skb->data; 3949 struct hci_cp_link_key_reply cp; 3950 struct hci_conn *conn; 3951 struct link_key *key; 3952 3953 BT_DBG("%s", hdev->name); 3954 3955 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3956 return; 3957 3958 hci_dev_lock(hdev); 3959 3960 key = hci_find_link_key(hdev, &ev->bdaddr); 3961 if (!key) { 3962 BT_DBG("%s link key not found for %pMR", hdev->name, 3963 &ev->bdaddr); 3964 goto not_found; 3965 } 3966 3967 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3968 &ev->bdaddr); 3969 3970 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3971 if (conn) { 3972 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3973 3974 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3975 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3976 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3977 BT_DBG("%s ignoring unauthenticated key", hdev->name); 3978 goto not_found; 3979 } 3980 3981 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3982 (conn->pending_sec_level == BT_SECURITY_HIGH || 3983 conn->pending_sec_level == BT_SECURITY_FIPS)) { 3984 BT_DBG("%s ignoring key unauthenticated for high security", 3985 hdev->name); 3986 goto not_found; 3987 } 3988 3989 conn_set_key(conn, key->type, key->pin_len); 3990 } 3991 3992 bacpy(&cp.bdaddr, &ev->bdaddr); 3993 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 3994 3995 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 3996 3997 hci_dev_unlock(hdev); 3998 3999 return; 4000 4001 not_found: 4002 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4003 hci_dev_unlock(hdev); 4004 } 4005 4006 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4007 { 4008 struct hci_ev_link_key_notify *ev = (void *) skb->data; 4009 struct hci_conn *conn; 4010 struct link_key *key; 4011 bool persistent; 4012 u8 pin_len = 0; 4013 4014 BT_DBG("%s", hdev->name); 4015 4016 hci_dev_lock(hdev); 4017 4018 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4019 if (!conn) 4020 goto unlock; 4021 4022 hci_conn_hold(conn); 4023 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4024 hci_conn_drop(conn); 4025 4026 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4027 conn_set_key(conn, ev->key_type, conn->pin_length); 4028 4029 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4030 goto unlock; 4031 4032 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4033 ev->key_type, pin_len, &persistent); 4034 if (!key) 4035 goto unlock; 4036 4037 /* Update connection information since adding the key will have 4038 * fixed up the type in the case of changed combination keys. 4039 */ 4040 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4041 conn_set_key(conn, key->type, key->pin_len); 4042 4043 mgmt_new_link_key(hdev, key, persistent); 4044 4045 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4046 * is set. If it's not set simply remove the key from the kernel 4047 * list (we've still notified user space about it but with 4048 * store_hint being 0). 4049 */ 4050 if (key->type == HCI_LK_DEBUG_COMBINATION && 4051 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4052 list_del_rcu(&key->list); 4053 kfree_rcu(key, rcu); 4054 goto unlock; 4055 } 4056 4057 if (persistent) 4058 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4059 else 4060 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4061 4062 unlock: 4063 hci_dev_unlock(hdev); 4064 } 4065 4066 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 4067 { 4068 struct hci_ev_clock_offset *ev = (void *) skb->data; 4069 struct hci_conn *conn; 4070 4071 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4072 4073 hci_dev_lock(hdev); 4074 4075 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4076 if (conn && !ev->status) { 4077 struct inquiry_entry *ie; 4078 4079 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4080 if (ie) { 4081 ie->data.clock_offset = ev->clock_offset; 4082 ie->timestamp = jiffies; 4083 } 4084 } 4085 4086 hci_dev_unlock(hdev); 4087 } 4088 4089 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 4090 { 4091 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 4092 struct hci_conn *conn; 4093 4094 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4095 4096 hci_dev_lock(hdev); 4097 4098 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4099 if (conn && !ev->status) 4100 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4101 4102 hci_dev_unlock(hdev); 4103 } 4104 4105 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 4106 { 4107 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 4108 struct inquiry_entry *ie; 4109 4110 BT_DBG("%s", hdev->name); 4111 4112 hci_dev_lock(hdev); 4113 4114 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4115 if (ie) { 4116 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4117 ie->timestamp = jiffies; 4118 } 4119 4120 hci_dev_unlock(hdev); 4121 } 4122 4123 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 4124 struct sk_buff *skb) 4125 { 4126 struct inquiry_data data; 4127 int num_rsp = *((__u8 *) skb->data); 4128 4129 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4130 4131 if (!num_rsp) 4132 return; 4133 4134 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4135 return; 4136 4137 hci_dev_lock(hdev); 4138 4139 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 4140 struct inquiry_info_with_rssi_and_pscan_mode *info; 4141 info = (void *) (skb->data + 1); 4142 4143 for (; num_rsp; num_rsp--, info++) { 4144 u32 flags; 4145 4146 bacpy(&data.bdaddr, &info->bdaddr); 4147 data.pscan_rep_mode = info->pscan_rep_mode; 4148 data.pscan_period_mode = info->pscan_period_mode; 4149 data.pscan_mode = info->pscan_mode; 4150 memcpy(data.dev_class, info->dev_class, 3); 4151 data.clock_offset = info->clock_offset; 4152 data.rssi = info->rssi; 4153 data.ssp_mode = 0x00; 4154 4155 flags = hci_inquiry_cache_update(hdev, &data, false); 4156 4157 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4158 info->dev_class, info->rssi, 4159 flags, NULL, 0, NULL, 0); 4160 } 4161 } else { 4162 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 4163 4164 for (; num_rsp; num_rsp--, info++) { 4165 u32 flags; 4166 4167 bacpy(&data.bdaddr, &info->bdaddr); 4168 data.pscan_rep_mode = info->pscan_rep_mode; 4169 data.pscan_period_mode = info->pscan_period_mode; 4170 data.pscan_mode = 0x00; 4171 memcpy(data.dev_class, info->dev_class, 3); 4172 data.clock_offset = info->clock_offset; 4173 data.rssi = info->rssi; 4174 data.ssp_mode = 0x00; 4175 4176 flags = hci_inquiry_cache_update(hdev, &data, false); 4177 4178 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4179 info->dev_class, info->rssi, 4180 flags, NULL, 0, NULL, 0); 4181 } 4182 } 4183 4184 hci_dev_unlock(hdev); 4185 } 4186 4187 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 4188 struct sk_buff *skb) 4189 { 4190 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 4191 struct hci_conn *conn; 4192 4193 BT_DBG("%s", hdev->name); 4194 4195 hci_dev_lock(hdev); 4196 4197 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4198 if (!conn) 4199 goto unlock; 4200 4201 if (ev->page < HCI_MAX_PAGES) 4202 memcpy(conn->features[ev->page], ev->features, 8); 4203 4204 if (!ev->status && ev->page == 0x01) { 4205 struct inquiry_entry *ie; 4206 4207 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4208 if (ie) 4209 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4210 4211 if (ev->features[0] & LMP_HOST_SSP) { 4212 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4213 } else { 4214 /* It is mandatory by the Bluetooth specification that 4215 * Extended Inquiry Results are only used when Secure 4216 * Simple Pairing is enabled, but some devices violate 4217 * this. 4218 * 4219 * To make these devices work, the internal SSP 4220 * enabled flag needs to be cleared if the remote host 4221 * features do not indicate SSP support */ 4222 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4223 } 4224 4225 if (ev->features[0] & LMP_HOST_SC) 4226 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4227 } 4228 4229 if (conn->state != BT_CONFIG) 4230 goto unlock; 4231 4232 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4233 struct hci_cp_remote_name_req cp; 4234 memset(&cp, 0, sizeof(cp)); 4235 bacpy(&cp.bdaddr, &conn->dst); 4236 cp.pscan_rep_mode = 0x02; 4237 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4238 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4239 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4240 4241 if (!hci_outgoing_auth_needed(hdev, conn)) { 4242 conn->state = BT_CONNECTED; 4243 hci_connect_cfm(conn, ev->status); 4244 hci_conn_drop(conn); 4245 } 4246 4247 unlock: 4248 hci_dev_unlock(hdev); 4249 } 4250 4251 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 4252 struct sk_buff *skb) 4253 { 4254 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 4255 struct hci_conn *conn; 4256 4257 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4258 4259 hci_dev_lock(hdev); 4260 4261 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 4262 if (!conn) { 4263 if (ev->link_type == ESCO_LINK) 4264 goto unlock; 4265 4266 /* When the link type in the event indicates SCO connection 4267 * and lookup of the connection object fails, then check 4268 * if an eSCO connection object exists. 4269 * 4270 * The core limits the synchronous connections to either 4271 * SCO or eSCO. The eSCO connection is preferred and tried 4272 * to be setup first and until successfully established, 4273 * the link type will be hinted as eSCO. 4274 */ 4275 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 4276 if (!conn) 4277 goto unlock; 4278 } 4279 4280 switch (ev->status) { 4281 case 0x00: 4282 conn->handle = __le16_to_cpu(ev->handle); 4283 conn->state = BT_CONNECTED; 4284 conn->type = ev->link_type; 4285 4286 hci_debugfs_create_conn(conn); 4287 hci_conn_add_sysfs(conn); 4288 break; 4289 4290 case 0x10: /* Connection Accept Timeout */ 4291 case 0x0d: /* Connection Rejected due to Limited Resources */ 4292 case 0x11: /* Unsupported Feature or Parameter Value */ 4293 case 0x1c: /* SCO interval rejected */ 4294 case 0x1a: /* Unsupported Remote Feature */ 4295 case 0x1f: /* Unspecified error */ 4296 case 0x20: /* Unsupported LMP Parameter value */ 4297 if (conn->out) { 4298 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 4299 (hdev->esco_type & EDR_ESCO_MASK); 4300 if (hci_setup_sync(conn, conn->link->handle)) 4301 goto unlock; 4302 } 4303 /* fall through */ 4304 4305 default: 4306 conn->state = BT_CLOSED; 4307 break; 4308 } 4309 4310 hci_connect_cfm(conn, ev->status); 4311 if (ev->status) 4312 hci_conn_del(conn); 4313 4314 unlock: 4315 hci_dev_unlock(hdev); 4316 } 4317 4318 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 4319 { 4320 size_t parsed = 0; 4321 4322 while (parsed < eir_len) { 4323 u8 field_len = eir[0]; 4324 4325 if (field_len == 0) 4326 return parsed; 4327 4328 parsed += field_len + 1; 4329 eir += field_len + 1; 4330 } 4331 4332 return eir_len; 4333 } 4334 4335 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 4336 struct sk_buff *skb) 4337 { 4338 struct inquiry_data data; 4339 struct extended_inquiry_info *info = (void *) (skb->data + 1); 4340 int num_rsp = *((__u8 *) skb->data); 4341 size_t eir_len; 4342 4343 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 4344 4345 if (!num_rsp) 4346 return; 4347 4348 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4349 return; 4350 4351 hci_dev_lock(hdev); 4352 4353 for (; num_rsp; num_rsp--, info++) { 4354 u32 flags; 4355 bool name_known; 4356 4357 bacpy(&data.bdaddr, &info->bdaddr); 4358 data.pscan_rep_mode = info->pscan_rep_mode; 4359 data.pscan_period_mode = info->pscan_period_mode; 4360 data.pscan_mode = 0x00; 4361 memcpy(data.dev_class, info->dev_class, 3); 4362 data.clock_offset = info->clock_offset; 4363 data.rssi = info->rssi; 4364 data.ssp_mode = 0x01; 4365 4366 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4367 name_known = eir_get_data(info->data, 4368 sizeof(info->data), 4369 EIR_NAME_COMPLETE, NULL); 4370 else 4371 name_known = true; 4372 4373 flags = hci_inquiry_cache_update(hdev, &data, name_known); 4374 4375 eir_len = eir_get_length(info->data, sizeof(info->data)); 4376 4377 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4378 info->dev_class, info->rssi, 4379 flags, info->data, eir_len, NULL, 0); 4380 } 4381 4382 hci_dev_unlock(hdev); 4383 } 4384 4385 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 4386 struct sk_buff *skb) 4387 { 4388 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 4389 struct hci_conn *conn; 4390 4391 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 4392 __le16_to_cpu(ev->handle)); 4393 4394 hci_dev_lock(hdev); 4395 4396 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4397 if (!conn) 4398 goto unlock; 4399 4400 /* For BR/EDR the necessary steps are taken through the 4401 * auth_complete event. 4402 */ 4403 if (conn->type != LE_LINK) 4404 goto unlock; 4405 4406 if (!ev->status) 4407 conn->sec_level = conn->pending_sec_level; 4408 4409 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 4410 4411 if (ev->status && conn->state == BT_CONNECTED) { 4412 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4413 hci_conn_drop(conn); 4414 goto unlock; 4415 } 4416 4417 if (conn->state == BT_CONFIG) { 4418 if (!ev->status) 4419 conn->state = BT_CONNECTED; 4420 4421 hci_connect_cfm(conn, ev->status); 4422 hci_conn_drop(conn); 4423 } else { 4424 hci_auth_cfm(conn, ev->status); 4425 4426 hci_conn_hold(conn); 4427 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4428 hci_conn_drop(conn); 4429 } 4430 4431 unlock: 4432 hci_dev_unlock(hdev); 4433 } 4434 4435 static u8 hci_get_auth_req(struct hci_conn *conn) 4436 { 4437 /* If remote requests no-bonding follow that lead */ 4438 if (conn->remote_auth == HCI_AT_NO_BONDING || 4439 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 4440 return conn->remote_auth | (conn->auth_type & 0x01); 4441 4442 /* If both remote and local have enough IO capabilities, require 4443 * MITM protection 4444 */ 4445 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 4446 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 4447 return conn->remote_auth | 0x01; 4448 4449 /* No MITM protection possible so ignore remote requirement */ 4450 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 4451 } 4452 4453 static u8 bredr_oob_data_present(struct hci_conn *conn) 4454 { 4455 struct hci_dev *hdev = conn->hdev; 4456 struct oob_data *data; 4457 4458 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 4459 if (!data) 4460 return 0x00; 4461 4462 if (bredr_sc_enabled(hdev)) { 4463 /* When Secure Connections is enabled, then just 4464 * return the present value stored with the OOB 4465 * data. The stored value contains the right present 4466 * information. However it can only be trusted when 4467 * not in Secure Connection Only mode. 4468 */ 4469 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 4470 return data->present; 4471 4472 /* When Secure Connections Only mode is enabled, then 4473 * the P-256 values are required. If they are not 4474 * available, then do not declare that OOB data is 4475 * present. 4476 */ 4477 if (!memcmp(data->rand256, ZERO_KEY, 16) || 4478 !memcmp(data->hash256, ZERO_KEY, 16)) 4479 return 0x00; 4480 4481 return 0x02; 4482 } 4483 4484 /* When Secure Connections is not enabled or actually 4485 * not supported by the hardware, then check that if 4486 * P-192 data values are present. 4487 */ 4488 if (!memcmp(data->rand192, ZERO_KEY, 16) || 4489 !memcmp(data->hash192, ZERO_KEY, 16)) 4490 return 0x00; 4491 4492 return 0x01; 4493 } 4494 4495 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4496 { 4497 struct hci_ev_io_capa_request *ev = (void *) skb->data; 4498 struct hci_conn *conn; 4499 4500 BT_DBG("%s", hdev->name); 4501 4502 hci_dev_lock(hdev); 4503 4504 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4505 if (!conn) 4506 goto unlock; 4507 4508 hci_conn_hold(conn); 4509 4510 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4511 goto unlock; 4512 4513 /* Allow pairing if we're pairable, the initiators of the 4514 * pairing or if the remote is not requesting bonding. 4515 */ 4516 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 4517 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 4518 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 4519 struct hci_cp_io_capability_reply cp; 4520 4521 bacpy(&cp.bdaddr, &ev->bdaddr); 4522 /* Change the IO capability from KeyboardDisplay 4523 * to DisplayYesNo as it is not supported by BT spec. */ 4524 cp.capability = (conn->io_capability == 0x04) ? 4525 HCI_IO_DISPLAY_YESNO : conn->io_capability; 4526 4527 /* If we are initiators, there is no remote information yet */ 4528 if (conn->remote_auth == 0xff) { 4529 /* Request MITM protection if our IO caps allow it 4530 * except for the no-bonding case. 4531 */ 4532 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4533 conn->auth_type != HCI_AT_NO_BONDING) 4534 conn->auth_type |= 0x01; 4535 } else { 4536 conn->auth_type = hci_get_auth_req(conn); 4537 } 4538 4539 /* If we're not bondable, force one of the non-bondable 4540 * authentication requirement values. 4541 */ 4542 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4543 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4544 4545 cp.authentication = conn->auth_type; 4546 cp.oob_data = bredr_oob_data_present(conn); 4547 4548 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4549 sizeof(cp), &cp); 4550 } else { 4551 struct hci_cp_io_capability_neg_reply cp; 4552 4553 bacpy(&cp.bdaddr, &ev->bdaddr); 4554 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4555 4556 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4557 sizeof(cp), &cp); 4558 } 4559 4560 unlock: 4561 hci_dev_unlock(hdev); 4562 } 4563 4564 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4565 { 4566 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4567 struct hci_conn *conn; 4568 4569 BT_DBG("%s", hdev->name); 4570 4571 hci_dev_lock(hdev); 4572 4573 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4574 if (!conn) 4575 goto unlock; 4576 4577 conn->remote_cap = ev->capability; 4578 conn->remote_auth = ev->authentication; 4579 4580 unlock: 4581 hci_dev_unlock(hdev); 4582 } 4583 4584 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4585 struct sk_buff *skb) 4586 { 4587 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4588 int loc_mitm, rem_mitm, confirm_hint = 0; 4589 struct hci_conn *conn; 4590 4591 BT_DBG("%s", hdev->name); 4592 4593 hci_dev_lock(hdev); 4594 4595 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4596 goto unlock; 4597 4598 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4599 if (!conn) 4600 goto unlock; 4601 4602 loc_mitm = (conn->auth_type & 0x01); 4603 rem_mitm = (conn->remote_auth & 0x01); 4604 4605 /* If we require MITM but the remote device can't provide that 4606 * (it has NoInputNoOutput) then reject the confirmation 4607 * request. We check the security level here since it doesn't 4608 * necessarily match conn->auth_type. 4609 */ 4610 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4611 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4612 BT_DBG("Rejecting request: remote device can't provide MITM"); 4613 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4614 sizeof(ev->bdaddr), &ev->bdaddr); 4615 goto unlock; 4616 } 4617 4618 /* If no side requires MITM protection; auto-accept */ 4619 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4620 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4621 4622 /* If we're not the initiators request authorization to 4623 * proceed from user space (mgmt_user_confirm with 4624 * confirm_hint set to 1). The exception is if neither 4625 * side had MITM or if the local IO capability is 4626 * NoInputNoOutput, in which case we do auto-accept 4627 */ 4628 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4629 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4630 (loc_mitm || rem_mitm)) { 4631 BT_DBG("Confirming auto-accept as acceptor"); 4632 confirm_hint = 1; 4633 goto confirm; 4634 } 4635 4636 /* If there already exists link key in local host, leave the 4637 * decision to user space since the remote device could be 4638 * legitimate or malicious. 4639 */ 4640 if (hci_find_link_key(hdev, &ev->bdaddr)) { 4641 bt_dev_dbg(hdev, "Local host already has link key"); 4642 confirm_hint = 1; 4643 goto confirm; 4644 } 4645 4646 BT_DBG("Auto-accept of user confirmation with %ums delay", 4647 hdev->auto_accept_delay); 4648 4649 if (hdev->auto_accept_delay > 0) { 4650 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4651 queue_delayed_work(conn->hdev->workqueue, 4652 &conn->auto_accept_work, delay); 4653 goto unlock; 4654 } 4655 4656 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4657 sizeof(ev->bdaddr), &ev->bdaddr); 4658 goto unlock; 4659 } 4660 4661 confirm: 4662 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4663 le32_to_cpu(ev->passkey), confirm_hint); 4664 4665 unlock: 4666 hci_dev_unlock(hdev); 4667 } 4668 4669 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4670 struct sk_buff *skb) 4671 { 4672 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4673 4674 BT_DBG("%s", hdev->name); 4675 4676 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4677 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4678 } 4679 4680 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4681 struct sk_buff *skb) 4682 { 4683 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4684 struct hci_conn *conn; 4685 4686 BT_DBG("%s", hdev->name); 4687 4688 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4689 if (!conn) 4690 return; 4691 4692 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4693 conn->passkey_entered = 0; 4694 4695 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4696 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4697 conn->dst_type, conn->passkey_notify, 4698 conn->passkey_entered); 4699 } 4700 4701 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4702 { 4703 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4704 struct hci_conn *conn; 4705 4706 BT_DBG("%s", hdev->name); 4707 4708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4709 if (!conn) 4710 return; 4711 4712 switch (ev->type) { 4713 case HCI_KEYPRESS_STARTED: 4714 conn->passkey_entered = 0; 4715 return; 4716 4717 case HCI_KEYPRESS_ENTERED: 4718 conn->passkey_entered++; 4719 break; 4720 4721 case HCI_KEYPRESS_ERASED: 4722 conn->passkey_entered--; 4723 break; 4724 4725 case HCI_KEYPRESS_CLEARED: 4726 conn->passkey_entered = 0; 4727 break; 4728 4729 case HCI_KEYPRESS_COMPLETED: 4730 return; 4731 } 4732 4733 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4734 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4735 conn->dst_type, conn->passkey_notify, 4736 conn->passkey_entered); 4737 } 4738 4739 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4740 struct sk_buff *skb) 4741 { 4742 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4743 struct hci_conn *conn; 4744 4745 BT_DBG("%s", hdev->name); 4746 4747 hci_dev_lock(hdev); 4748 4749 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4750 if (!conn) 4751 goto unlock; 4752 4753 /* Reset the authentication requirement to unknown */ 4754 conn->remote_auth = 0xff; 4755 4756 /* To avoid duplicate auth_failed events to user space we check 4757 * the HCI_CONN_AUTH_PEND flag which will be set if we 4758 * initiated the authentication. A traditional auth_complete 4759 * event gets always produced as initiator and is also mapped to 4760 * the mgmt_auth_failed event */ 4761 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4762 mgmt_auth_failed(conn, ev->status); 4763 4764 hci_conn_drop(conn); 4765 4766 unlock: 4767 hci_dev_unlock(hdev); 4768 } 4769 4770 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4771 struct sk_buff *skb) 4772 { 4773 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4774 struct inquiry_entry *ie; 4775 struct hci_conn *conn; 4776 4777 BT_DBG("%s", hdev->name); 4778 4779 hci_dev_lock(hdev); 4780 4781 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4782 if (conn) 4783 memcpy(conn->features[1], ev->features, 8); 4784 4785 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4786 if (ie) 4787 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4788 4789 hci_dev_unlock(hdev); 4790 } 4791 4792 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4793 struct sk_buff *skb) 4794 { 4795 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4796 struct oob_data *data; 4797 4798 BT_DBG("%s", hdev->name); 4799 4800 hci_dev_lock(hdev); 4801 4802 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4803 goto unlock; 4804 4805 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4806 if (!data) { 4807 struct hci_cp_remote_oob_data_neg_reply cp; 4808 4809 bacpy(&cp.bdaddr, &ev->bdaddr); 4810 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4811 sizeof(cp), &cp); 4812 goto unlock; 4813 } 4814 4815 if (bredr_sc_enabled(hdev)) { 4816 struct hci_cp_remote_oob_ext_data_reply cp; 4817 4818 bacpy(&cp.bdaddr, &ev->bdaddr); 4819 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4820 memset(cp.hash192, 0, sizeof(cp.hash192)); 4821 memset(cp.rand192, 0, sizeof(cp.rand192)); 4822 } else { 4823 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4824 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4825 } 4826 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4827 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4828 4829 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4830 sizeof(cp), &cp); 4831 } else { 4832 struct hci_cp_remote_oob_data_reply cp; 4833 4834 bacpy(&cp.bdaddr, &ev->bdaddr); 4835 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4836 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4837 4838 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4839 sizeof(cp), &cp); 4840 } 4841 4842 unlock: 4843 hci_dev_unlock(hdev); 4844 } 4845 4846 #if IS_ENABLED(CONFIG_BT_HS) 4847 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4848 { 4849 struct hci_ev_channel_selected *ev = (void *)skb->data; 4850 struct hci_conn *hcon; 4851 4852 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4853 4854 skb_pull(skb, sizeof(*ev)); 4855 4856 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4857 if (!hcon) 4858 return; 4859 4860 amp_read_loc_assoc_final_data(hdev, hcon); 4861 } 4862 4863 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4864 struct sk_buff *skb) 4865 { 4866 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4867 struct hci_conn *hcon, *bredr_hcon; 4868 4869 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4870 ev->status); 4871 4872 hci_dev_lock(hdev); 4873 4874 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4875 if (!hcon) { 4876 hci_dev_unlock(hdev); 4877 return; 4878 } 4879 4880 if (ev->status) { 4881 hci_conn_del(hcon); 4882 hci_dev_unlock(hdev); 4883 return; 4884 } 4885 4886 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4887 4888 hcon->state = BT_CONNECTED; 4889 bacpy(&hcon->dst, &bredr_hcon->dst); 4890 4891 hci_conn_hold(hcon); 4892 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4893 hci_conn_drop(hcon); 4894 4895 hci_debugfs_create_conn(hcon); 4896 hci_conn_add_sysfs(hcon); 4897 4898 amp_physical_cfm(bredr_hcon, hcon); 4899 4900 hci_dev_unlock(hdev); 4901 } 4902 4903 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4904 { 4905 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4906 struct hci_conn *hcon; 4907 struct hci_chan *hchan; 4908 struct amp_mgr *mgr; 4909 4910 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4911 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4912 ev->status); 4913 4914 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4915 if (!hcon) 4916 return; 4917 4918 /* Create AMP hchan */ 4919 hchan = hci_chan_create(hcon); 4920 if (!hchan) 4921 return; 4922 4923 hchan->handle = le16_to_cpu(ev->handle); 4924 4925 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4926 4927 mgr = hcon->amp_mgr; 4928 if (mgr && mgr->bredr_chan) { 4929 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4930 4931 l2cap_chan_lock(bredr_chan); 4932 4933 bredr_chan->conn->mtu = hdev->block_mtu; 4934 l2cap_logical_cfm(bredr_chan, hchan, 0); 4935 hci_conn_hold(hcon); 4936 4937 l2cap_chan_unlock(bredr_chan); 4938 } 4939 } 4940 4941 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 4942 struct sk_buff *skb) 4943 { 4944 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 4945 struct hci_chan *hchan; 4946 4947 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 4948 le16_to_cpu(ev->handle), ev->status); 4949 4950 if (ev->status) 4951 return; 4952 4953 hci_dev_lock(hdev); 4954 4955 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 4956 if (!hchan) 4957 goto unlock; 4958 4959 amp_destroy_logical_link(hchan, ev->reason); 4960 4961 unlock: 4962 hci_dev_unlock(hdev); 4963 } 4964 4965 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 4966 struct sk_buff *skb) 4967 { 4968 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 4969 struct hci_conn *hcon; 4970 4971 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4972 4973 if (ev->status) 4974 return; 4975 4976 hci_dev_lock(hdev); 4977 4978 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4979 if (hcon) { 4980 hcon->state = BT_CLOSED; 4981 hci_conn_del(hcon); 4982 } 4983 4984 hci_dev_unlock(hdev); 4985 } 4986 #endif 4987 4988 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 4989 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle, 4990 u16 interval, u16 latency, u16 supervision_timeout) 4991 { 4992 struct hci_conn_params *params; 4993 struct hci_conn *conn; 4994 struct smp_irk *irk; 4995 u8 addr_type; 4996 4997 hci_dev_lock(hdev); 4998 4999 /* All controllers implicitly stop advertising in the event of a 5000 * connection, so ensure that the state bit is cleared. 5001 */ 5002 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5003 5004 conn = hci_lookup_le_connect(hdev); 5005 if (!conn) { 5006 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5007 if (!conn) { 5008 bt_dev_err(hdev, "no memory for new connection"); 5009 goto unlock; 5010 } 5011 5012 conn->dst_type = bdaddr_type; 5013 5014 /* If we didn't have a hci_conn object previously 5015 * but we're in master role this must be something 5016 * initiated using a white list. Since white list based 5017 * connections are not "first class citizens" we don't 5018 * have full tracking of them. Therefore, we go ahead 5019 * with a "best effort" approach of determining the 5020 * initiator address based on the HCI_PRIVACY flag. 5021 */ 5022 if (conn->out) { 5023 conn->resp_addr_type = bdaddr_type; 5024 bacpy(&conn->resp_addr, bdaddr); 5025 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5026 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5027 bacpy(&conn->init_addr, &hdev->rpa); 5028 } else { 5029 hci_copy_identity_address(hdev, 5030 &conn->init_addr, 5031 &conn->init_addr_type); 5032 } 5033 } 5034 } else { 5035 cancel_delayed_work(&conn->le_conn_timeout); 5036 } 5037 5038 if (!conn->out) { 5039 /* Set the responder (our side) address type based on 5040 * the advertising address type. 5041 */ 5042 conn->resp_addr_type = hdev->adv_addr_type; 5043 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5044 /* In case of ext adv, resp_addr will be updated in 5045 * Adv Terminated event. 5046 */ 5047 if (!ext_adv_capable(hdev)) 5048 bacpy(&conn->resp_addr, &hdev->random_addr); 5049 } else { 5050 bacpy(&conn->resp_addr, &hdev->bdaddr); 5051 } 5052 5053 conn->init_addr_type = bdaddr_type; 5054 bacpy(&conn->init_addr, bdaddr); 5055 5056 /* For incoming connections, set the default minimum 5057 * and maximum connection interval. They will be used 5058 * to check if the parameters are in range and if not 5059 * trigger the connection update procedure. 5060 */ 5061 conn->le_conn_min_interval = hdev->le_conn_min_interval; 5062 conn->le_conn_max_interval = hdev->le_conn_max_interval; 5063 } 5064 5065 /* Lookup the identity address from the stored connection 5066 * address and address type. 5067 * 5068 * When establishing connections to an identity address, the 5069 * connection procedure will store the resolvable random 5070 * address first. Now if it can be converted back into the 5071 * identity address, start using the identity address from 5072 * now on. 5073 */ 5074 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5075 if (irk) { 5076 bacpy(&conn->dst, &irk->bdaddr); 5077 conn->dst_type = irk->addr_type; 5078 } 5079 5080 if (status) { 5081 hci_le_conn_failed(conn, status); 5082 goto unlock; 5083 } 5084 5085 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5086 addr_type = BDADDR_LE_PUBLIC; 5087 else 5088 addr_type = BDADDR_LE_RANDOM; 5089 5090 /* Drop the connection if the device is blocked */ 5091 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 5092 hci_conn_drop(conn); 5093 goto unlock; 5094 } 5095 5096 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5097 mgmt_device_connected(hdev, conn, 0, NULL, 0); 5098 5099 conn->sec_level = BT_SECURITY_LOW; 5100 conn->handle = handle; 5101 conn->state = BT_CONFIG; 5102 5103 conn->le_conn_interval = interval; 5104 conn->le_conn_latency = latency; 5105 conn->le_supv_timeout = supervision_timeout; 5106 5107 hci_debugfs_create_conn(conn); 5108 hci_conn_add_sysfs(conn); 5109 5110 /* The remote features procedure is defined for master 5111 * role only. So only in case of an initiated connection 5112 * request the remote features. 5113 * 5114 * If the local controller supports slave-initiated features 5115 * exchange, then requesting the remote features in slave 5116 * role is possible. Otherwise just transition into the 5117 * connected state without requesting the remote features. 5118 */ 5119 if (conn->out || 5120 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 5121 struct hci_cp_le_read_remote_features cp; 5122 5123 cp.handle = __cpu_to_le16(conn->handle); 5124 5125 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 5126 sizeof(cp), &cp); 5127 5128 hci_conn_hold(conn); 5129 } else { 5130 conn->state = BT_CONNECTED; 5131 hci_connect_cfm(conn, status); 5132 } 5133 5134 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5135 conn->dst_type); 5136 if (params) { 5137 list_del_init(¶ms->action); 5138 if (params->conn) { 5139 hci_conn_drop(params->conn); 5140 hci_conn_put(params->conn); 5141 params->conn = NULL; 5142 } 5143 } 5144 5145 unlock: 5146 hci_update_background_scan(hdev); 5147 hci_dev_unlock(hdev); 5148 } 5149 5150 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 5151 { 5152 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 5153 5154 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5155 5156 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5157 ev->role, le16_to_cpu(ev->handle), 5158 le16_to_cpu(ev->interval), 5159 le16_to_cpu(ev->latency), 5160 le16_to_cpu(ev->supervision_timeout)); 5161 } 5162 5163 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, 5164 struct sk_buff *skb) 5165 { 5166 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data; 5167 5168 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5169 5170 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5171 ev->role, le16_to_cpu(ev->handle), 5172 le16_to_cpu(ev->interval), 5173 le16_to_cpu(ev->latency), 5174 le16_to_cpu(ev->supervision_timeout)); 5175 } 5176 5177 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) 5178 { 5179 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data; 5180 struct hci_conn *conn; 5181 5182 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5183 5184 if (ev->status) 5185 return; 5186 5187 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5188 if (conn) { 5189 struct adv_info *adv_instance; 5190 5191 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM) 5192 return; 5193 5194 if (!hdev->cur_adv_instance) { 5195 bacpy(&conn->resp_addr, &hdev->random_addr); 5196 return; 5197 } 5198 5199 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance); 5200 if (adv_instance) 5201 bacpy(&conn->resp_addr, &adv_instance->random_addr); 5202 } 5203 } 5204 5205 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 5206 struct sk_buff *skb) 5207 { 5208 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 5209 struct hci_conn *conn; 5210 5211 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5212 5213 if (ev->status) 5214 return; 5215 5216 hci_dev_lock(hdev); 5217 5218 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5219 if (conn) { 5220 conn->le_conn_interval = le16_to_cpu(ev->interval); 5221 conn->le_conn_latency = le16_to_cpu(ev->latency); 5222 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 5223 } 5224 5225 hci_dev_unlock(hdev); 5226 } 5227 5228 /* This function requires the caller holds hdev->lock */ 5229 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 5230 bdaddr_t *addr, 5231 u8 addr_type, u8 adv_type, 5232 bdaddr_t *direct_rpa) 5233 { 5234 struct hci_conn *conn; 5235 struct hci_conn_params *params; 5236 5237 /* If the event is not connectable don't proceed further */ 5238 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 5239 return NULL; 5240 5241 /* Ignore if the device is blocked */ 5242 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 5243 return NULL; 5244 5245 /* Most controller will fail if we try to create new connections 5246 * while we have an existing one in slave role. 5247 */ 5248 if (hdev->conn_hash.le_num_slave > 0) 5249 return NULL; 5250 5251 /* If we're not connectable only connect devices that we have in 5252 * our pend_le_conns list. 5253 */ 5254 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 5255 addr_type); 5256 if (!params) 5257 return NULL; 5258 5259 if (!params->explicit_connect) { 5260 switch (params->auto_connect) { 5261 case HCI_AUTO_CONN_DIRECT: 5262 /* Only devices advertising with ADV_DIRECT_IND are 5263 * triggering a connection attempt. This is allowing 5264 * incoming connections from slave devices. 5265 */ 5266 if (adv_type != LE_ADV_DIRECT_IND) 5267 return NULL; 5268 break; 5269 case HCI_AUTO_CONN_ALWAYS: 5270 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 5271 * are triggering a connection attempt. This means 5272 * that incoming connectioms from slave device are 5273 * accepted and also outgoing connections to slave 5274 * devices are established when found. 5275 */ 5276 break; 5277 default: 5278 return NULL; 5279 } 5280 } 5281 5282 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 5283 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER, 5284 direct_rpa); 5285 if (!IS_ERR(conn)) { 5286 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 5287 * by higher layer that tried to connect, if no then 5288 * store the pointer since we don't really have any 5289 * other owner of the object besides the params that 5290 * triggered it. This way we can abort the connection if 5291 * the parameters get removed and keep the reference 5292 * count consistent once the connection is established. 5293 */ 5294 5295 if (!params->explicit_connect) 5296 params->conn = hci_conn_get(conn); 5297 5298 return conn; 5299 } 5300 5301 switch (PTR_ERR(conn)) { 5302 case -EBUSY: 5303 /* If hci_connect() returns -EBUSY it means there is already 5304 * an LE connection attempt going on. Since controllers don't 5305 * support more than one connection attempt at the time, we 5306 * don't consider this an error case. 5307 */ 5308 break; 5309 default: 5310 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 5311 return NULL; 5312 } 5313 5314 return NULL; 5315 } 5316 5317 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 5318 u8 bdaddr_type, bdaddr_t *direct_addr, 5319 u8 direct_addr_type, s8 rssi, u8 *data, u8 len) 5320 { 5321 struct discovery_state *d = &hdev->discovery; 5322 struct smp_irk *irk; 5323 struct hci_conn *conn; 5324 bool match; 5325 u32 flags; 5326 u8 *ptr, real_len; 5327 5328 switch (type) { 5329 case LE_ADV_IND: 5330 case LE_ADV_DIRECT_IND: 5331 case LE_ADV_SCAN_IND: 5332 case LE_ADV_NONCONN_IND: 5333 case LE_ADV_SCAN_RSP: 5334 break; 5335 default: 5336 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 5337 "type: 0x%02x", type); 5338 return; 5339 } 5340 5341 /* Find the end of the data in case the report contains padded zero 5342 * bytes at the end causing an invalid length value. 5343 * 5344 * When data is NULL, len is 0 so there is no need for extra ptr 5345 * check as 'ptr < data + 0' is already false in such case. 5346 */ 5347 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 5348 if (ptr + 1 + *ptr > data + len) 5349 break; 5350 } 5351 5352 real_len = ptr - data; 5353 5354 /* Adjust for actual length */ 5355 if (len != real_len) { 5356 bt_dev_err_ratelimited(hdev, "advertising data len corrected"); 5357 len = real_len; 5358 } 5359 5360 /* If the direct address is present, then this report is from 5361 * a LE Direct Advertising Report event. In that case it is 5362 * important to see if the address is matching the local 5363 * controller address. 5364 */ 5365 if (direct_addr) { 5366 /* Only resolvable random addresses are valid for these 5367 * kind of reports and others can be ignored. 5368 */ 5369 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 5370 return; 5371 5372 /* If the controller is not using resolvable random 5373 * addresses, then this report can be ignored. 5374 */ 5375 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 5376 return; 5377 5378 /* If the local IRK of the controller does not match 5379 * with the resolvable random address provided, then 5380 * this report can be ignored. 5381 */ 5382 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 5383 return; 5384 } 5385 5386 /* Check if we need to convert to identity address */ 5387 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 5388 if (irk) { 5389 bdaddr = &irk->bdaddr; 5390 bdaddr_type = irk->addr_type; 5391 } 5392 5393 /* Check if we have been requested to connect to this device. 5394 * 5395 * direct_addr is set only for directed advertising reports (it is NULL 5396 * for advertising reports) and is already verified to be RPA above. 5397 */ 5398 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type, 5399 direct_addr); 5400 if (conn && type == LE_ADV_IND) { 5401 /* Store report for later inclusion by 5402 * mgmt_device_connected 5403 */ 5404 memcpy(conn->le_adv_data, data, len); 5405 conn->le_adv_data_len = len; 5406 } 5407 5408 /* Passive scanning shouldn't trigger any device found events, 5409 * except for devices marked as CONN_REPORT for which we do send 5410 * device found events. 5411 */ 5412 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 5413 if (type == LE_ADV_DIRECT_IND) 5414 return; 5415 5416 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 5417 bdaddr, bdaddr_type)) 5418 return; 5419 5420 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 5421 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5422 else 5423 flags = 0; 5424 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5425 rssi, flags, data, len, NULL, 0); 5426 return; 5427 } 5428 5429 /* When receiving non-connectable or scannable undirected 5430 * advertising reports, this means that the remote device is 5431 * not connectable and then clearly indicate this in the 5432 * device found event. 5433 * 5434 * When receiving a scan response, then there is no way to 5435 * know if the remote device is connectable or not. However 5436 * since scan responses are merged with a previously seen 5437 * advertising report, the flags field from that report 5438 * will be used. 5439 * 5440 * In the really unlikely case that a controller get confused 5441 * and just sends a scan response event, then it is marked as 5442 * not connectable as well. 5443 */ 5444 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 5445 type == LE_ADV_SCAN_RSP) 5446 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 5447 else 5448 flags = 0; 5449 5450 /* If there's nothing pending either store the data from this 5451 * event or send an immediate device found event if the data 5452 * should not be stored for later. 5453 */ 5454 if (!has_pending_adv_report(hdev)) { 5455 /* If the report will trigger a SCAN_REQ store it for 5456 * later merging. 5457 */ 5458 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5459 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5460 rssi, flags, data, len); 5461 return; 5462 } 5463 5464 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5465 rssi, flags, data, len, NULL, 0); 5466 return; 5467 } 5468 5469 /* Check if the pending report is for the same device as the new one */ 5470 match = (!bacmp(bdaddr, &d->last_adv_addr) && 5471 bdaddr_type == d->last_adv_addr_type); 5472 5473 /* If the pending data doesn't match this report or this isn't a 5474 * scan response (e.g. we got a duplicate ADV_IND) then force 5475 * sending of the pending data. 5476 */ 5477 if (type != LE_ADV_SCAN_RSP || !match) { 5478 /* Send out whatever is in the cache, but skip duplicates */ 5479 if (!match) 5480 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5481 d->last_adv_addr_type, NULL, 5482 d->last_adv_rssi, d->last_adv_flags, 5483 d->last_adv_data, 5484 d->last_adv_data_len, NULL, 0); 5485 5486 /* If the new report will trigger a SCAN_REQ store it for 5487 * later merging. 5488 */ 5489 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 5490 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 5491 rssi, flags, data, len); 5492 return; 5493 } 5494 5495 /* The advertising reports cannot be merged, so clear 5496 * the pending report and send out a device found event. 5497 */ 5498 clear_pending_adv_report(hdev); 5499 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 5500 rssi, flags, data, len, NULL, 0); 5501 return; 5502 } 5503 5504 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 5505 * the new event is a SCAN_RSP. We can therefore proceed with 5506 * sending a merged device found event. 5507 */ 5508 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 5509 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 5510 d->last_adv_data, d->last_adv_data_len, data, len); 5511 clear_pending_adv_report(hdev); 5512 } 5513 5514 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5515 { 5516 u8 num_reports = skb->data[0]; 5517 void *ptr = &skb->data[1]; 5518 5519 hci_dev_lock(hdev); 5520 5521 while (num_reports--) { 5522 struct hci_ev_le_advertising_info *ev = ptr; 5523 s8 rssi; 5524 5525 if (ev->length <= HCI_MAX_AD_LENGTH) { 5526 rssi = ev->data[ev->length]; 5527 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5528 ev->bdaddr_type, NULL, 0, rssi, 5529 ev->data, ev->length); 5530 } else { 5531 bt_dev_err(hdev, "Dropping invalid advertising data"); 5532 } 5533 5534 ptr += sizeof(*ev) + ev->length + 1; 5535 } 5536 5537 hci_dev_unlock(hdev); 5538 } 5539 5540 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 5541 { 5542 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 5543 switch (evt_type) { 5544 case LE_LEGACY_ADV_IND: 5545 return LE_ADV_IND; 5546 case LE_LEGACY_ADV_DIRECT_IND: 5547 return LE_ADV_DIRECT_IND; 5548 case LE_LEGACY_ADV_SCAN_IND: 5549 return LE_ADV_SCAN_IND; 5550 case LE_LEGACY_NONCONN_IND: 5551 return LE_ADV_NONCONN_IND; 5552 case LE_LEGACY_SCAN_RSP_ADV: 5553 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 5554 return LE_ADV_SCAN_RSP; 5555 } 5556 5557 goto invalid; 5558 } 5559 5560 if (evt_type & LE_EXT_ADV_CONN_IND) { 5561 if (evt_type & LE_EXT_ADV_DIRECT_IND) 5562 return LE_ADV_DIRECT_IND; 5563 5564 return LE_ADV_IND; 5565 } 5566 5567 if (evt_type & LE_EXT_ADV_SCAN_RSP) 5568 return LE_ADV_SCAN_RSP; 5569 5570 if (evt_type & LE_EXT_ADV_SCAN_IND) 5571 return LE_ADV_SCAN_IND; 5572 5573 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 5574 evt_type & LE_EXT_ADV_DIRECT_IND) 5575 return LE_ADV_NONCONN_IND; 5576 5577 invalid: 5578 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 5579 evt_type); 5580 5581 return LE_ADV_INVALID; 5582 } 5583 5584 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 5585 { 5586 u8 num_reports = skb->data[0]; 5587 void *ptr = &skb->data[1]; 5588 5589 hci_dev_lock(hdev); 5590 5591 while (num_reports--) { 5592 struct hci_ev_le_ext_adv_report *ev = ptr; 5593 u8 legacy_evt_type; 5594 u16 evt_type; 5595 5596 evt_type = __le16_to_cpu(ev->evt_type); 5597 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 5598 if (legacy_evt_type != LE_ADV_INVALID) { 5599 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, 5600 ev->bdaddr_type, NULL, 0, ev->rssi, 5601 ev->data, ev->length); 5602 } 5603 5604 ptr += sizeof(*ev) + ev->length; 5605 } 5606 5607 hci_dev_unlock(hdev); 5608 } 5609 5610 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 5611 struct sk_buff *skb) 5612 { 5613 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 5614 struct hci_conn *conn; 5615 5616 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5617 5618 hci_dev_lock(hdev); 5619 5620 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5621 if (conn) { 5622 if (!ev->status) 5623 memcpy(conn->features[0], ev->features, 8); 5624 5625 if (conn->state == BT_CONFIG) { 5626 __u8 status; 5627 5628 /* If the local controller supports slave-initiated 5629 * features exchange, but the remote controller does 5630 * not, then it is possible that the error code 0x1a 5631 * for unsupported remote feature gets returned. 5632 * 5633 * In this specific case, allow the connection to 5634 * transition into connected state and mark it as 5635 * successful. 5636 */ 5637 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 5638 !conn->out && ev->status == 0x1a) 5639 status = 0x00; 5640 else 5641 status = ev->status; 5642 5643 conn->state = BT_CONNECTED; 5644 hci_connect_cfm(conn, status); 5645 hci_conn_drop(conn); 5646 } 5647 } 5648 5649 hci_dev_unlock(hdev); 5650 } 5651 5652 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 5653 { 5654 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 5655 struct hci_cp_le_ltk_reply cp; 5656 struct hci_cp_le_ltk_neg_reply neg; 5657 struct hci_conn *conn; 5658 struct smp_ltk *ltk; 5659 5660 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 5661 5662 hci_dev_lock(hdev); 5663 5664 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5665 if (conn == NULL) 5666 goto not_found; 5667 5668 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 5669 if (!ltk) 5670 goto not_found; 5671 5672 if (smp_ltk_is_sc(ltk)) { 5673 /* With SC both EDiv and Rand are set to zero */ 5674 if (ev->ediv || ev->rand) 5675 goto not_found; 5676 } else { 5677 /* For non-SC keys check that EDiv and Rand match */ 5678 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 5679 goto not_found; 5680 } 5681 5682 memcpy(cp.ltk, ltk->val, ltk->enc_size); 5683 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 5684 cp.handle = cpu_to_le16(conn->handle); 5685 5686 conn->pending_sec_level = smp_ltk_sec_level(ltk); 5687 5688 conn->enc_key_size = ltk->enc_size; 5689 5690 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 5691 5692 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 5693 * temporary key used to encrypt a connection following 5694 * pairing. It is used during the Encrypted Session Setup to 5695 * distribute the keys. Later, security can be re-established 5696 * using a distributed LTK. 5697 */ 5698 if (ltk->type == SMP_STK) { 5699 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5700 list_del_rcu(<k->list); 5701 kfree_rcu(ltk, rcu); 5702 } else { 5703 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 5704 } 5705 5706 hci_dev_unlock(hdev); 5707 5708 return; 5709 5710 not_found: 5711 neg.handle = ev->handle; 5712 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5713 hci_dev_unlock(hdev); 5714 } 5715 5716 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5717 u8 reason) 5718 { 5719 struct hci_cp_le_conn_param_req_neg_reply cp; 5720 5721 cp.handle = cpu_to_le16(handle); 5722 cp.reason = reason; 5723 5724 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5725 &cp); 5726 } 5727 5728 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5729 struct sk_buff *skb) 5730 { 5731 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5732 struct hci_cp_le_conn_param_req_reply cp; 5733 struct hci_conn *hcon; 5734 u16 handle, min, max, latency, timeout; 5735 5736 handle = le16_to_cpu(ev->handle); 5737 min = le16_to_cpu(ev->interval_min); 5738 max = le16_to_cpu(ev->interval_max); 5739 latency = le16_to_cpu(ev->latency); 5740 timeout = le16_to_cpu(ev->timeout); 5741 5742 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5743 if (!hcon || hcon->state != BT_CONNECTED) 5744 return send_conn_param_neg_reply(hdev, handle, 5745 HCI_ERROR_UNKNOWN_CONN_ID); 5746 5747 if (hci_check_conn_params(min, max, latency, timeout)) 5748 return send_conn_param_neg_reply(hdev, handle, 5749 HCI_ERROR_INVALID_LL_PARAMS); 5750 5751 if (hcon->role == HCI_ROLE_MASTER) { 5752 struct hci_conn_params *params; 5753 u8 store_hint; 5754 5755 hci_dev_lock(hdev); 5756 5757 params = hci_conn_params_lookup(hdev, &hcon->dst, 5758 hcon->dst_type); 5759 if (params) { 5760 params->conn_min_interval = min; 5761 params->conn_max_interval = max; 5762 params->conn_latency = latency; 5763 params->supervision_timeout = timeout; 5764 store_hint = 0x01; 5765 } else{ 5766 store_hint = 0x00; 5767 } 5768 5769 hci_dev_unlock(hdev); 5770 5771 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5772 store_hint, min, max, latency, timeout); 5773 } 5774 5775 cp.handle = ev->handle; 5776 cp.interval_min = ev->interval_min; 5777 cp.interval_max = ev->interval_max; 5778 cp.latency = ev->latency; 5779 cp.timeout = ev->timeout; 5780 cp.min_ce_len = 0; 5781 cp.max_ce_len = 0; 5782 5783 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5784 } 5785 5786 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5787 struct sk_buff *skb) 5788 { 5789 u8 num_reports = skb->data[0]; 5790 void *ptr = &skb->data[1]; 5791 5792 hci_dev_lock(hdev); 5793 5794 while (num_reports--) { 5795 struct hci_ev_le_direct_adv_info *ev = ptr; 5796 5797 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5798 ev->bdaddr_type, &ev->direct_addr, 5799 ev->direct_addr_type, ev->rssi, NULL, 0); 5800 5801 ptr += sizeof(*ev); 5802 } 5803 5804 hci_dev_unlock(hdev); 5805 } 5806 5807 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb) 5808 { 5809 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data; 5810 struct hci_conn *conn; 5811 5812 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 5813 5814 if (!ev->status) 5815 return; 5816 5817 hci_dev_lock(hdev); 5818 5819 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5820 if (!conn) 5821 goto unlock; 5822 5823 conn->le_tx_phy = ev->tx_phy; 5824 conn->le_rx_phy = ev->rx_phy; 5825 5826 unlock: 5827 hci_dev_unlock(hdev); 5828 } 5829 5830 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5831 { 5832 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5833 5834 skb_pull(skb, sizeof(*le_ev)); 5835 5836 switch (le_ev->subevent) { 5837 case HCI_EV_LE_CONN_COMPLETE: 5838 hci_le_conn_complete_evt(hdev, skb); 5839 break; 5840 5841 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5842 hci_le_conn_update_complete_evt(hdev, skb); 5843 break; 5844 5845 case HCI_EV_LE_ADVERTISING_REPORT: 5846 hci_le_adv_report_evt(hdev, skb); 5847 break; 5848 5849 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5850 hci_le_remote_feat_complete_evt(hdev, skb); 5851 break; 5852 5853 case HCI_EV_LE_LTK_REQ: 5854 hci_le_ltk_request_evt(hdev, skb); 5855 break; 5856 5857 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5858 hci_le_remote_conn_param_req_evt(hdev, skb); 5859 break; 5860 5861 case HCI_EV_LE_DIRECT_ADV_REPORT: 5862 hci_le_direct_adv_report_evt(hdev, skb); 5863 break; 5864 5865 case HCI_EV_LE_PHY_UPDATE_COMPLETE: 5866 hci_le_phy_update_evt(hdev, skb); 5867 break; 5868 5869 case HCI_EV_LE_EXT_ADV_REPORT: 5870 hci_le_ext_adv_report_evt(hdev, skb); 5871 break; 5872 5873 case HCI_EV_LE_ENHANCED_CONN_COMPLETE: 5874 hci_le_enh_conn_complete_evt(hdev, skb); 5875 break; 5876 5877 case HCI_EV_LE_EXT_ADV_SET_TERM: 5878 hci_le_ext_adv_term_evt(hdev, skb); 5879 break; 5880 5881 default: 5882 break; 5883 } 5884 } 5885 5886 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5887 u8 event, struct sk_buff *skb) 5888 { 5889 struct hci_ev_cmd_complete *ev; 5890 struct hci_event_hdr *hdr; 5891 5892 if (!skb) 5893 return false; 5894 5895 if (skb->len < sizeof(*hdr)) { 5896 bt_dev_err(hdev, "too short HCI event"); 5897 return false; 5898 } 5899 5900 hdr = (void *) skb->data; 5901 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5902 5903 if (event) { 5904 if (hdr->evt != event) 5905 return false; 5906 return true; 5907 } 5908 5909 /* Check if request ended in Command Status - no way to retreive 5910 * any extra parameters in this case. 5911 */ 5912 if (hdr->evt == HCI_EV_CMD_STATUS) 5913 return false; 5914 5915 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5916 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 5917 hdr->evt); 5918 return false; 5919 } 5920 5921 if (skb->len < sizeof(*ev)) { 5922 bt_dev_err(hdev, "too short cmd_complete event"); 5923 return false; 5924 } 5925 5926 ev = (void *) skb->data; 5927 skb_pull(skb, sizeof(*ev)); 5928 5929 if (opcode != __le16_to_cpu(ev->opcode)) { 5930 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 5931 __le16_to_cpu(ev->opcode)); 5932 return false; 5933 } 5934 5935 return true; 5936 } 5937 5938 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 5939 { 5940 struct hci_event_hdr *hdr = (void *) skb->data; 5941 hci_req_complete_t req_complete = NULL; 5942 hci_req_complete_skb_t req_complete_skb = NULL; 5943 struct sk_buff *orig_skb = NULL; 5944 u8 status = 0, event = hdr->evt, req_evt = 0; 5945 u16 opcode = HCI_OP_NOP; 5946 5947 if (!event) { 5948 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); 5949 goto done; 5950 } 5951 5952 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { 5953 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 5954 opcode = __le16_to_cpu(cmd_hdr->opcode); 5955 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 5956 &req_complete_skb); 5957 req_evt = event; 5958 } 5959 5960 /* If it looks like we might end up having to call 5961 * req_complete_skb, store a pristine copy of the skb since the 5962 * various handlers may modify the original one through 5963 * skb_pull() calls, etc. 5964 */ 5965 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 5966 event == HCI_EV_CMD_COMPLETE) 5967 orig_skb = skb_clone(skb, GFP_KERNEL); 5968 5969 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5970 5971 switch (event) { 5972 case HCI_EV_INQUIRY_COMPLETE: 5973 hci_inquiry_complete_evt(hdev, skb); 5974 break; 5975 5976 case HCI_EV_INQUIRY_RESULT: 5977 hci_inquiry_result_evt(hdev, skb); 5978 break; 5979 5980 case HCI_EV_CONN_COMPLETE: 5981 hci_conn_complete_evt(hdev, skb); 5982 break; 5983 5984 case HCI_EV_CONN_REQUEST: 5985 hci_conn_request_evt(hdev, skb); 5986 break; 5987 5988 case HCI_EV_DISCONN_COMPLETE: 5989 hci_disconn_complete_evt(hdev, skb); 5990 break; 5991 5992 case HCI_EV_AUTH_COMPLETE: 5993 hci_auth_complete_evt(hdev, skb); 5994 break; 5995 5996 case HCI_EV_REMOTE_NAME: 5997 hci_remote_name_evt(hdev, skb); 5998 break; 5999 6000 case HCI_EV_ENCRYPT_CHANGE: 6001 hci_encrypt_change_evt(hdev, skb); 6002 break; 6003 6004 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 6005 hci_change_link_key_complete_evt(hdev, skb); 6006 break; 6007 6008 case HCI_EV_REMOTE_FEATURES: 6009 hci_remote_features_evt(hdev, skb); 6010 break; 6011 6012 case HCI_EV_CMD_COMPLETE: 6013 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 6014 &req_complete, &req_complete_skb); 6015 break; 6016 6017 case HCI_EV_CMD_STATUS: 6018 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 6019 &req_complete_skb); 6020 break; 6021 6022 case HCI_EV_HARDWARE_ERROR: 6023 hci_hardware_error_evt(hdev, skb); 6024 break; 6025 6026 case HCI_EV_ROLE_CHANGE: 6027 hci_role_change_evt(hdev, skb); 6028 break; 6029 6030 case HCI_EV_NUM_COMP_PKTS: 6031 hci_num_comp_pkts_evt(hdev, skb); 6032 break; 6033 6034 case HCI_EV_MODE_CHANGE: 6035 hci_mode_change_evt(hdev, skb); 6036 break; 6037 6038 case HCI_EV_PIN_CODE_REQ: 6039 hci_pin_code_request_evt(hdev, skb); 6040 break; 6041 6042 case HCI_EV_LINK_KEY_REQ: 6043 hci_link_key_request_evt(hdev, skb); 6044 break; 6045 6046 case HCI_EV_LINK_KEY_NOTIFY: 6047 hci_link_key_notify_evt(hdev, skb); 6048 break; 6049 6050 case HCI_EV_CLOCK_OFFSET: 6051 hci_clock_offset_evt(hdev, skb); 6052 break; 6053 6054 case HCI_EV_PKT_TYPE_CHANGE: 6055 hci_pkt_type_change_evt(hdev, skb); 6056 break; 6057 6058 case HCI_EV_PSCAN_REP_MODE: 6059 hci_pscan_rep_mode_evt(hdev, skb); 6060 break; 6061 6062 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 6063 hci_inquiry_result_with_rssi_evt(hdev, skb); 6064 break; 6065 6066 case HCI_EV_REMOTE_EXT_FEATURES: 6067 hci_remote_ext_features_evt(hdev, skb); 6068 break; 6069 6070 case HCI_EV_SYNC_CONN_COMPLETE: 6071 hci_sync_conn_complete_evt(hdev, skb); 6072 break; 6073 6074 case HCI_EV_EXTENDED_INQUIRY_RESULT: 6075 hci_extended_inquiry_result_evt(hdev, skb); 6076 break; 6077 6078 case HCI_EV_KEY_REFRESH_COMPLETE: 6079 hci_key_refresh_complete_evt(hdev, skb); 6080 break; 6081 6082 case HCI_EV_IO_CAPA_REQUEST: 6083 hci_io_capa_request_evt(hdev, skb); 6084 break; 6085 6086 case HCI_EV_IO_CAPA_REPLY: 6087 hci_io_capa_reply_evt(hdev, skb); 6088 break; 6089 6090 case HCI_EV_USER_CONFIRM_REQUEST: 6091 hci_user_confirm_request_evt(hdev, skb); 6092 break; 6093 6094 case HCI_EV_USER_PASSKEY_REQUEST: 6095 hci_user_passkey_request_evt(hdev, skb); 6096 break; 6097 6098 case HCI_EV_USER_PASSKEY_NOTIFY: 6099 hci_user_passkey_notify_evt(hdev, skb); 6100 break; 6101 6102 case HCI_EV_KEYPRESS_NOTIFY: 6103 hci_keypress_notify_evt(hdev, skb); 6104 break; 6105 6106 case HCI_EV_SIMPLE_PAIR_COMPLETE: 6107 hci_simple_pair_complete_evt(hdev, skb); 6108 break; 6109 6110 case HCI_EV_REMOTE_HOST_FEATURES: 6111 hci_remote_host_features_evt(hdev, skb); 6112 break; 6113 6114 case HCI_EV_LE_META: 6115 hci_le_meta_evt(hdev, skb); 6116 break; 6117 6118 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 6119 hci_remote_oob_data_request_evt(hdev, skb); 6120 break; 6121 6122 #if IS_ENABLED(CONFIG_BT_HS) 6123 case HCI_EV_CHANNEL_SELECTED: 6124 hci_chan_selected_evt(hdev, skb); 6125 break; 6126 6127 case HCI_EV_PHY_LINK_COMPLETE: 6128 hci_phy_link_complete_evt(hdev, skb); 6129 break; 6130 6131 case HCI_EV_LOGICAL_LINK_COMPLETE: 6132 hci_loglink_complete_evt(hdev, skb); 6133 break; 6134 6135 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 6136 hci_disconn_loglink_complete_evt(hdev, skb); 6137 break; 6138 6139 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 6140 hci_disconn_phylink_complete_evt(hdev, skb); 6141 break; 6142 #endif 6143 6144 case HCI_EV_NUM_COMP_BLOCKS: 6145 hci_num_comp_blocks_evt(hdev, skb); 6146 break; 6147 6148 default: 6149 BT_DBG("%s event 0x%2.2x", hdev->name, event); 6150 break; 6151 } 6152 6153 if (req_complete) { 6154 req_complete(hdev, status, opcode); 6155 } else if (req_complete_skb) { 6156 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 6157 kfree_skb(orig_skb); 6158 orig_skb = NULL; 6159 } 6160 req_complete_skb(hdev, status, opcode, orig_skb); 6161 } 6162 6163 done: 6164 kfree_skb(orig_skb); 6165 kfree_skb(skb); 6166 hdev->stat.evt_rx++; 6167 } 6168