1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI event handling. */ 27 28 #include <asm/unaligned.h> 29 #include <linux/crypto.h> 30 #include <crypto/algapi.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "hci_request.h" 37 #include "hci_debugfs.h" 38 #include "hci_codec.h" 39 #include "a2mp.h" 40 #include "amp.h" 41 #include "smp.h" 42 #include "msft.h" 43 #include "eir.h" 44 45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 46 "\x00\x00\x00\x00\x00\x00\x00\x00" 47 48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000) 49 50 /* Handle HCI Event packets */ 51 52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 53 u8 ev, size_t len) 54 { 55 void *data; 56 57 data = skb_pull_data(skb, len); 58 if (!data) 59 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev); 60 61 return data; 62 } 63 64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 65 u16 op, size_t len) 66 { 67 void *data; 68 69 data = skb_pull_data(skb, len); 70 if (!data) 71 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op); 72 73 return data; 74 } 75 76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 77 u8 ev, size_t len) 78 { 79 void *data; 80 81 data = skb_pull_data(skb, len); 82 if (!data) 83 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev); 84 85 return data; 86 } 87 88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data, 89 struct sk_buff *skb) 90 { 91 struct hci_ev_status *rp = data; 92 93 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 94 95 /* It is possible that we receive Inquiry Complete event right 96 * before we receive Inquiry Cancel Command Complete event, in 97 * which case the latter event should have status of Command 98 * Disallowed (0x0c). This should not be treated as error, since 99 * we actually achieve what Inquiry Cancel wants to achieve, 100 * which is to end the last Inquiry session. 101 */ 102 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 103 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 104 rp->status = 0x00; 105 } 106 107 if (rp->status) 108 return rp->status; 109 110 clear_bit(HCI_INQUIRY, &hdev->flags); 111 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 112 wake_up_bit(&hdev->flags, HCI_INQUIRY); 113 114 hci_dev_lock(hdev); 115 /* Set discovery state to stopped if we're not doing LE active 116 * scanning. 117 */ 118 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 119 hdev->le_scan_type != LE_SCAN_ACTIVE) 120 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 121 hci_dev_unlock(hdev); 122 123 hci_conn_check_pending(hdev); 124 125 return rp->status; 126 } 127 128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data, 129 struct sk_buff *skb) 130 { 131 struct hci_ev_status *rp = data; 132 133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 134 135 if (rp->status) 136 return rp->status; 137 138 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 139 140 return rp->status; 141 } 142 143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data, 144 struct sk_buff *skb) 145 { 146 struct hci_ev_status *rp = data; 147 148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 149 150 if (rp->status) 151 return rp->status; 152 153 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 154 155 hci_conn_check_pending(hdev); 156 157 return rp->status; 158 } 159 160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data, 161 struct sk_buff *skb) 162 { 163 struct hci_ev_status *rp = data; 164 165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 166 167 return rp->status; 168 } 169 170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data, 171 struct sk_buff *skb) 172 { 173 struct hci_rp_role_discovery *rp = data; 174 struct hci_conn *conn; 175 176 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 177 178 if (rp->status) 179 return rp->status; 180 181 hci_dev_lock(hdev); 182 183 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 184 if (conn) 185 conn->role = rp->role; 186 187 hci_dev_unlock(hdev); 188 189 return rp->status; 190 } 191 192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data, 193 struct sk_buff *skb) 194 { 195 struct hci_rp_read_link_policy *rp = data; 196 struct hci_conn *conn; 197 198 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 199 200 if (rp->status) 201 return rp->status; 202 203 hci_dev_lock(hdev); 204 205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 206 if (conn) 207 conn->link_policy = __le16_to_cpu(rp->policy); 208 209 hci_dev_unlock(hdev); 210 211 return rp->status; 212 } 213 214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data, 215 struct sk_buff *skb) 216 { 217 struct hci_rp_write_link_policy *rp = data; 218 struct hci_conn *conn; 219 void *sent; 220 221 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 222 223 if (rp->status) 224 return rp->status; 225 226 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 227 if (!sent) 228 return rp->status; 229 230 hci_dev_lock(hdev); 231 232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 233 if (conn) 234 conn->link_policy = get_unaligned_le16(sent + 2); 235 236 hci_dev_unlock(hdev); 237 238 return rp->status; 239 } 240 241 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data, 242 struct sk_buff *skb) 243 { 244 struct hci_rp_read_def_link_policy *rp = data; 245 246 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 247 248 if (rp->status) 249 return rp->status; 250 251 hdev->link_policy = __le16_to_cpu(rp->policy); 252 253 return rp->status; 254 } 255 256 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data, 257 struct sk_buff *skb) 258 { 259 struct hci_ev_status *rp = data; 260 void *sent; 261 262 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 263 264 if (rp->status) 265 return rp->status; 266 267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 268 if (!sent) 269 return rp->status; 270 271 hdev->link_policy = get_unaligned_le16(sent); 272 273 return rp->status; 274 } 275 276 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb) 277 { 278 struct hci_ev_status *rp = data; 279 280 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 281 282 clear_bit(HCI_RESET, &hdev->flags); 283 284 if (rp->status) 285 return rp->status; 286 287 /* Reset all non-persistent flags */ 288 hci_dev_clear_volatile_flags(hdev); 289 290 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 291 292 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 293 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 294 295 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 296 hdev->adv_data_len = 0; 297 298 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 299 hdev->scan_rsp_data_len = 0; 300 301 hdev->le_scan_type = LE_SCAN_PASSIVE; 302 303 hdev->ssp_debug_mode = 0; 304 305 hci_bdaddr_list_clear(&hdev->le_accept_list); 306 hci_bdaddr_list_clear(&hdev->le_resolv_list); 307 308 return rp->status; 309 } 310 311 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data, 312 struct sk_buff *skb) 313 { 314 struct hci_rp_read_stored_link_key *rp = data; 315 struct hci_cp_read_stored_link_key *sent; 316 317 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 318 319 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 320 if (!sent) 321 return rp->status; 322 323 if (!rp->status && sent->read_all == 0x01) { 324 hdev->stored_max_keys = le16_to_cpu(rp->max_keys); 325 hdev->stored_num_keys = le16_to_cpu(rp->num_keys); 326 } 327 328 return rp->status; 329 } 330 331 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data, 332 struct sk_buff *skb) 333 { 334 struct hci_rp_delete_stored_link_key *rp = data; 335 u16 num_keys; 336 337 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 338 339 if (rp->status) 340 return rp->status; 341 342 num_keys = le16_to_cpu(rp->num_keys); 343 344 if (num_keys <= hdev->stored_num_keys) 345 hdev->stored_num_keys -= num_keys; 346 else 347 hdev->stored_num_keys = 0; 348 349 return rp->status; 350 } 351 352 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data, 353 struct sk_buff *skb) 354 { 355 struct hci_ev_status *rp = data; 356 void *sent; 357 358 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 359 360 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 361 if (!sent) 362 return rp->status; 363 364 hci_dev_lock(hdev); 365 366 if (hci_dev_test_flag(hdev, HCI_MGMT)) 367 mgmt_set_local_name_complete(hdev, sent, rp->status); 368 else if (!rp->status) 369 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 370 371 hci_dev_unlock(hdev); 372 373 return rp->status; 374 } 375 376 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data, 377 struct sk_buff *skb) 378 { 379 struct hci_rp_read_local_name *rp = data; 380 381 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 382 383 if (rp->status) 384 return rp->status; 385 386 if (hci_dev_test_flag(hdev, HCI_SETUP) || 387 hci_dev_test_flag(hdev, HCI_CONFIG)) 388 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 389 390 return rp->status; 391 } 392 393 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data, 394 struct sk_buff *skb) 395 { 396 struct hci_ev_status *rp = data; 397 void *sent; 398 399 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 400 401 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 402 if (!sent) 403 return rp->status; 404 405 hci_dev_lock(hdev); 406 407 if (!rp->status) { 408 __u8 param = *((__u8 *) sent); 409 410 if (param == AUTH_ENABLED) 411 set_bit(HCI_AUTH, &hdev->flags); 412 else 413 clear_bit(HCI_AUTH, &hdev->flags); 414 } 415 416 if (hci_dev_test_flag(hdev, HCI_MGMT)) 417 mgmt_auth_enable_complete(hdev, rp->status); 418 419 hci_dev_unlock(hdev); 420 421 return rp->status; 422 } 423 424 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data, 425 struct sk_buff *skb) 426 { 427 struct hci_ev_status *rp = data; 428 __u8 param; 429 void *sent; 430 431 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 432 433 if (rp->status) 434 return rp->status; 435 436 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 437 if (!sent) 438 return rp->status; 439 440 param = *((__u8 *) sent); 441 442 if (param) 443 set_bit(HCI_ENCRYPT, &hdev->flags); 444 else 445 clear_bit(HCI_ENCRYPT, &hdev->flags); 446 447 return rp->status; 448 } 449 450 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data, 451 struct sk_buff *skb) 452 { 453 struct hci_ev_status *rp = data; 454 __u8 param; 455 void *sent; 456 457 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 458 459 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 460 if (!sent) 461 return rp->status; 462 463 param = *((__u8 *) sent); 464 465 hci_dev_lock(hdev); 466 467 if (rp->status) { 468 hdev->discov_timeout = 0; 469 goto done; 470 } 471 472 if (param & SCAN_INQUIRY) 473 set_bit(HCI_ISCAN, &hdev->flags); 474 else 475 clear_bit(HCI_ISCAN, &hdev->flags); 476 477 if (param & SCAN_PAGE) 478 set_bit(HCI_PSCAN, &hdev->flags); 479 else 480 clear_bit(HCI_PSCAN, &hdev->flags); 481 482 done: 483 hci_dev_unlock(hdev); 484 485 return rp->status; 486 } 487 488 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data, 489 struct sk_buff *skb) 490 { 491 struct hci_ev_status *rp = data; 492 struct hci_cp_set_event_filter *cp; 493 void *sent; 494 495 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 496 497 if (rp->status) 498 return rp->status; 499 500 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT); 501 if (!sent) 502 return rp->status; 503 504 cp = (struct hci_cp_set_event_filter *)sent; 505 506 if (cp->flt_type == HCI_FLT_CLEAR_ALL) 507 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 508 else 509 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 510 511 return rp->status; 512 } 513 514 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, 515 struct sk_buff *skb) 516 { 517 struct hci_rp_read_class_of_dev *rp = data; 518 519 if (WARN_ON(!hdev)) 520 return HCI_ERROR_UNSPECIFIED; 521 522 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 523 524 if (rp->status) 525 return rp->status; 526 527 memcpy(hdev->dev_class, rp->dev_class, 3); 528 529 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2], 530 hdev->dev_class[1], hdev->dev_class[0]); 531 532 return rp->status; 533 } 534 535 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data, 536 struct sk_buff *skb) 537 { 538 struct hci_ev_status *rp = data; 539 void *sent; 540 541 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 542 543 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 544 if (!sent) 545 return rp->status; 546 547 hci_dev_lock(hdev); 548 549 if (!rp->status) 550 memcpy(hdev->dev_class, sent, 3); 551 552 if (hci_dev_test_flag(hdev, HCI_MGMT)) 553 mgmt_set_class_of_dev_complete(hdev, sent, rp->status); 554 555 hci_dev_unlock(hdev); 556 557 return rp->status; 558 } 559 560 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data, 561 struct sk_buff *skb) 562 { 563 struct hci_rp_read_voice_setting *rp = data; 564 __u16 setting; 565 566 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 567 568 if (rp->status) 569 return rp->status; 570 571 setting = __le16_to_cpu(rp->voice_setting); 572 573 if (hdev->voice_setting == setting) 574 return rp->status; 575 576 hdev->voice_setting = setting; 577 578 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 579 580 if (hdev->notify) 581 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 582 583 return rp->status; 584 } 585 586 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data, 587 struct sk_buff *skb) 588 { 589 struct hci_ev_status *rp = data; 590 __u16 setting; 591 void *sent; 592 593 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 594 595 if (rp->status) 596 return rp->status; 597 598 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 599 if (!sent) 600 return rp->status; 601 602 setting = get_unaligned_le16(sent); 603 604 if (hdev->voice_setting == setting) 605 return rp->status; 606 607 hdev->voice_setting = setting; 608 609 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 610 611 if (hdev->notify) 612 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 613 614 return rp->status; 615 } 616 617 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data, 618 struct sk_buff *skb) 619 { 620 struct hci_rp_read_num_supported_iac *rp = data; 621 622 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 623 624 if (rp->status) 625 return rp->status; 626 627 hdev->num_iac = rp->num_iac; 628 629 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac); 630 631 return rp->status; 632 } 633 634 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data, 635 struct sk_buff *skb) 636 { 637 struct hci_ev_status *rp = data; 638 struct hci_cp_write_ssp_mode *sent; 639 640 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 641 642 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 643 if (!sent) 644 return rp->status; 645 646 hci_dev_lock(hdev); 647 648 if (!rp->status) { 649 if (sent->mode) 650 hdev->features[1][0] |= LMP_HOST_SSP; 651 else 652 hdev->features[1][0] &= ~LMP_HOST_SSP; 653 } 654 655 if (!rp->status) { 656 if (sent->mode) 657 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 658 else 659 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 660 } 661 662 hci_dev_unlock(hdev); 663 664 return rp->status; 665 } 666 667 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data, 668 struct sk_buff *skb) 669 { 670 struct hci_ev_status *rp = data; 671 struct hci_cp_write_sc_support *sent; 672 673 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 674 675 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 676 if (!sent) 677 return rp->status; 678 679 hci_dev_lock(hdev); 680 681 if (!rp->status) { 682 if (sent->support) 683 hdev->features[1][0] |= LMP_HOST_SC; 684 else 685 hdev->features[1][0] &= ~LMP_HOST_SC; 686 } 687 688 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) { 689 if (sent->support) 690 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 691 else 692 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 693 } 694 695 hci_dev_unlock(hdev); 696 697 return rp->status; 698 } 699 700 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data, 701 struct sk_buff *skb) 702 { 703 struct hci_rp_read_local_version *rp = data; 704 705 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 706 707 if (rp->status) 708 return rp->status; 709 710 if (hci_dev_test_flag(hdev, HCI_SETUP) || 711 hci_dev_test_flag(hdev, HCI_CONFIG)) { 712 hdev->hci_ver = rp->hci_ver; 713 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 714 hdev->lmp_ver = rp->lmp_ver; 715 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 716 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 717 } 718 719 return rp->status; 720 } 721 722 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data, 723 struct sk_buff *skb) 724 { 725 struct hci_rp_read_enc_key_size *rp = data; 726 struct hci_conn *conn; 727 u16 handle; 728 u8 status = rp->status; 729 730 bt_dev_dbg(hdev, "status 0x%2.2x", status); 731 732 handle = le16_to_cpu(rp->handle); 733 734 hci_dev_lock(hdev); 735 736 conn = hci_conn_hash_lookup_handle(hdev, handle); 737 if (!conn) { 738 status = 0xFF; 739 goto done; 740 } 741 742 /* While unexpected, the read_enc_key_size command may fail. The most 743 * secure approach is to then assume the key size is 0 to force a 744 * disconnection. 745 */ 746 if (status) { 747 bt_dev_err(hdev, "failed to read key size for handle %u", 748 handle); 749 conn->enc_key_size = 0; 750 } else { 751 conn->enc_key_size = rp->key_size; 752 status = 0; 753 754 if (conn->enc_key_size < hdev->min_enc_key_size) { 755 /* As slave role, the conn->state has been set to 756 * BT_CONNECTED and l2cap conn req might not be received 757 * yet, at this moment the l2cap layer almost does 758 * nothing with the non-zero status. 759 * So we also clear encrypt related bits, and then the 760 * handler of l2cap conn req will get the right secure 761 * state at a later time. 762 */ 763 status = HCI_ERROR_AUTH_FAILURE; 764 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 765 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 766 } 767 } 768 769 hci_encrypt_cfm(conn, status); 770 771 done: 772 hci_dev_unlock(hdev); 773 774 return status; 775 } 776 777 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data, 778 struct sk_buff *skb) 779 { 780 struct hci_rp_read_local_commands *rp = data; 781 782 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 783 784 if (rp->status) 785 return rp->status; 786 787 if (hci_dev_test_flag(hdev, HCI_SETUP) || 788 hci_dev_test_flag(hdev, HCI_CONFIG)) 789 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 790 791 return rp->status; 792 } 793 794 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data, 795 struct sk_buff *skb) 796 { 797 struct hci_rp_read_auth_payload_to *rp = data; 798 struct hci_conn *conn; 799 800 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 801 802 if (rp->status) 803 return rp->status; 804 805 hci_dev_lock(hdev); 806 807 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 808 if (conn) 809 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 810 811 hci_dev_unlock(hdev); 812 813 return rp->status; 814 } 815 816 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data, 817 struct sk_buff *skb) 818 { 819 struct hci_rp_write_auth_payload_to *rp = data; 820 struct hci_conn *conn; 821 void *sent; 822 823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 824 825 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 826 if (!sent) 827 return rp->status; 828 829 hci_dev_lock(hdev); 830 831 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 832 if (!conn) { 833 rp->status = 0xff; 834 goto unlock; 835 } 836 837 if (!rp->status) 838 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 839 840 unlock: 841 hci_dev_unlock(hdev); 842 843 return rp->status; 844 } 845 846 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data, 847 struct sk_buff *skb) 848 { 849 struct hci_rp_read_local_features *rp = data; 850 851 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 852 853 if (rp->status) 854 return rp->status; 855 856 memcpy(hdev->features, rp->features, 8); 857 858 /* Adjust default settings according to features 859 * supported by device. */ 860 861 if (hdev->features[0][0] & LMP_3SLOT) 862 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 863 864 if (hdev->features[0][0] & LMP_5SLOT) 865 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 866 867 if (hdev->features[0][1] & LMP_HV2) { 868 hdev->pkt_type |= (HCI_HV2); 869 hdev->esco_type |= (ESCO_HV2); 870 } 871 872 if (hdev->features[0][1] & LMP_HV3) { 873 hdev->pkt_type |= (HCI_HV3); 874 hdev->esco_type |= (ESCO_HV3); 875 } 876 877 if (lmp_esco_capable(hdev)) 878 hdev->esco_type |= (ESCO_EV3); 879 880 if (hdev->features[0][4] & LMP_EV4) 881 hdev->esco_type |= (ESCO_EV4); 882 883 if (hdev->features[0][4] & LMP_EV5) 884 hdev->esco_type |= (ESCO_EV5); 885 886 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 887 hdev->esco_type |= (ESCO_2EV3); 888 889 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 890 hdev->esco_type |= (ESCO_3EV3); 891 892 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 893 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 894 895 return rp->status; 896 } 897 898 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, 899 struct sk_buff *skb) 900 { 901 struct hci_rp_read_local_ext_features *rp = data; 902 903 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 904 905 if (rp->status) 906 return rp->status; 907 908 if (hdev->max_page < rp->max_page) { 909 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, 910 &hdev->quirks)) 911 bt_dev_warn(hdev, "broken local ext features page 2"); 912 else 913 hdev->max_page = rp->max_page; 914 } 915 916 if (rp->page < HCI_MAX_PAGES) 917 memcpy(hdev->features[rp->page], rp->features, 8); 918 919 return rp->status; 920 } 921 922 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data, 923 struct sk_buff *skb) 924 { 925 struct hci_rp_read_flow_control_mode *rp = data; 926 927 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 928 929 if (rp->status) 930 return rp->status; 931 932 hdev->flow_ctl_mode = rp->mode; 933 934 return rp->status; 935 } 936 937 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, 938 struct sk_buff *skb) 939 { 940 struct hci_rp_read_buffer_size *rp = data; 941 942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 943 944 if (rp->status) 945 return rp->status; 946 947 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 948 hdev->sco_mtu = rp->sco_mtu; 949 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 950 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 951 952 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 953 hdev->sco_mtu = 64; 954 hdev->sco_pkts = 8; 955 } 956 957 hdev->acl_cnt = hdev->acl_pkts; 958 hdev->sco_cnt = hdev->sco_pkts; 959 960 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 961 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 962 963 return rp->status; 964 } 965 966 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data, 967 struct sk_buff *skb) 968 { 969 struct hci_rp_read_bd_addr *rp = data; 970 971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 972 973 if (rp->status) 974 return rp->status; 975 976 if (test_bit(HCI_INIT, &hdev->flags)) 977 bacpy(&hdev->bdaddr, &rp->bdaddr); 978 979 if (hci_dev_test_flag(hdev, HCI_SETUP)) 980 bacpy(&hdev->setup_addr, &rp->bdaddr); 981 982 return rp->status; 983 } 984 985 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data, 986 struct sk_buff *skb) 987 { 988 struct hci_rp_read_local_pairing_opts *rp = data; 989 990 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 991 992 if (rp->status) 993 return rp->status; 994 995 if (hci_dev_test_flag(hdev, HCI_SETUP) || 996 hci_dev_test_flag(hdev, HCI_CONFIG)) { 997 hdev->pairing_opts = rp->pairing_opts; 998 hdev->max_enc_key_size = rp->max_key_size; 999 } 1000 1001 return rp->status; 1002 } 1003 1004 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data, 1005 struct sk_buff *skb) 1006 { 1007 struct hci_rp_read_page_scan_activity *rp = data; 1008 1009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1010 1011 if (rp->status) 1012 return rp->status; 1013 1014 if (test_bit(HCI_INIT, &hdev->flags)) { 1015 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 1016 hdev->page_scan_window = __le16_to_cpu(rp->window); 1017 } 1018 1019 return rp->status; 1020 } 1021 1022 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data, 1023 struct sk_buff *skb) 1024 { 1025 struct hci_ev_status *rp = data; 1026 struct hci_cp_write_page_scan_activity *sent; 1027 1028 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1029 1030 if (rp->status) 1031 return rp->status; 1032 1033 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 1034 if (!sent) 1035 return rp->status; 1036 1037 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 1038 hdev->page_scan_window = __le16_to_cpu(sent->window); 1039 1040 return rp->status; 1041 } 1042 1043 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data, 1044 struct sk_buff *skb) 1045 { 1046 struct hci_rp_read_page_scan_type *rp = data; 1047 1048 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1049 1050 if (rp->status) 1051 return rp->status; 1052 1053 if (test_bit(HCI_INIT, &hdev->flags)) 1054 hdev->page_scan_type = rp->type; 1055 1056 return rp->status; 1057 } 1058 1059 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data, 1060 struct sk_buff *skb) 1061 { 1062 struct hci_ev_status *rp = data; 1063 u8 *type; 1064 1065 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1066 1067 if (rp->status) 1068 return rp->status; 1069 1070 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 1071 if (type) 1072 hdev->page_scan_type = *type; 1073 1074 return rp->status; 1075 } 1076 1077 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data, 1078 struct sk_buff *skb) 1079 { 1080 struct hci_rp_read_data_block_size *rp = data; 1081 1082 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1083 1084 if (rp->status) 1085 return rp->status; 1086 1087 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 1088 hdev->block_len = __le16_to_cpu(rp->block_len); 1089 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 1090 1091 hdev->block_cnt = hdev->num_blocks; 1092 1093 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 1094 hdev->block_cnt, hdev->block_len); 1095 1096 return rp->status; 1097 } 1098 1099 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, 1100 struct sk_buff *skb) 1101 { 1102 struct hci_rp_read_clock *rp = data; 1103 struct hci_cp_read_clock *cp; 1104 struct hci_conn *conn; 1105 1106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1107 1108 if (rp->status) 1109 return rp->status; 1110 1111 hci_dev_lock(hdev); 1112 1113 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 1114 if (!cp) 1115 goto unlock; 1116 1117 if (cp->which == 0x00) { 1118 hdev->clock = le32_to_cpu(rp->clock); 1119 goto unlock; 1120 } 1121 1122 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1123 if (conn) { 1124 conn->clock = le32_to_cpu(rp->clock); 1125 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 1126 } 1127 1128 unlock: 1129 hci_dev_unlock(hdev); 1130 return rp->status; 1131 } 1132 1133 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data, 1134 struct sk_buff *skb) 1135 { 1136 struct hci_rp_read_local_amp_info *rp = data; 1137 1138 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1139 1140 if (rp->status) 1141 return rp->status; 1142 1143 hdev->amp_status = rp->amp_status; 1144 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 1145 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 1146 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 1147 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 1148 hdev->amp_type = rp->amp_type; 1149 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 1150 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 1151 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 1152 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 1153 1154 return rp->status; 1155 } 1156 1157 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data, 1158 struct sk_buff *skb) 1159 { 1160 struct hci_rp_read_inq_rsp_tx_power *rp = data; 1161 1162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1163 1164 if (rp->status) 1165 return rp->status; 1166 1167 hdev->inq_tx_power = rp->tx_power; 1168 1169 return rp->status; 1170 } 1171 1172 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data, 1173 struct sk_buff *skb) 1174 { 1175 struct hci_rp_read_def_err_data_reporting *rp = data; 1176 1177 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1178 1179 if (rp->status) 1180 return rp->status; 1181 1182 hdev->err_data_reporting = rp->err_data_reporting; 1183 1184 return rp->status; 1185 } 1186 1187 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data, 1188 struct sk_buff *skb) 1189 { 1190 struct hci_ev_status *rp = data; 1191 struct hci_cp_write_def_err_data_reporting *cp; 1192 1193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1194 1195 if (rp->status) 1196 return rp->status; 1197 1198 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 1199 if (!cp) 1200 return rp->status; 1201 1202 hdev->err_data_reporting = cp->err_data_reporting; 1203 1204 return rp->status; 1205 } 1206 1207 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data, 1208 struct sk_buff *skb) 1209 { 1210 struct hci_rp_pin_code_reply *rp = data; 1211 struct hci_cp_pin_code_reply *cp; 1212 struct hci_conn *conn; 1213 1214 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1215 1216 hci_dev_lock(hdev); 1217 1218 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1219 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 1220 1221 if (rp->status) 1222 goto unlock; 1223 1224 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 1225 if (!cp) 1226 goto unlock; 1227 1228 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1229 if (conn) 1230 conn->pin_length = cp->pin_len; 1231 1232 unlock: 1233 hci_dev_unlock(hdev); 1234 return rp->status; 1235 } 1236 1237 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data, 1238 struct sk_buff *skb) 1239 { 1240 struct hci_rp_pin_code_neg_reply *rp = data; 1241 1242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1243 1244 hci_dev_lock(hdev); 1245 1246 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1247 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1248 rp->status); 1249 1250 hci_dev_unlock(hdev); 1251 1252 return rp->status; 1253 } 1254 1255 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data, 1256 struct sk_buff *skb) 1257 { 1258 struct hci_rp_le_read_buffer_size *rp = data; 1259 1260 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1261 1262 if (rp->status) 1263 return rp->status; 1264 1265 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1266 hdev->le_pkts = rp->le_max_pkt; 1267 1268 hdev->le_cnt = hdev->le_pkts; 1269 1270 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1271 1272 return rp->status; 1273 } 1274 1275 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data, 1276 struct sk_buff *skb) 1277 { 1278 struct hci_rp_le_read_local_features *rp = data; 1279 1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1281 1282 if (rp->status) 1283 return rp->status; 1284 1285 memcpy(hdev->le_features, rp->features, 8); 1286 1287 return rp->status; 1288 } 1289 1290 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data, 1291 struct sk_buff *skb) 1292 { 1293 struct hci_rp_le_read_adv_tx_power *rp = data; 1294 1295 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1296 1297 if (rp->status) 1298 return rp->status; 1299 1300 hdev->adv_tx_power = rp->tx_power; 1301 1302 return rp->status; 1303 } 1304 1305 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data, 1306 struct sk_buff *skb) 1307 { 1308 struct hci_rp_user_confirm_reply *rp = data; 1309 1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1311 1312 hci_dev_lock(hdev); 1313 1314 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1315 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1316 rp->status); 1317 1318 hci_dev_unlock(hdev); 1319 1320 return rp->status; 1321 } 1322 1323 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data, 1324 struct sk_buff *skb) 1325 { 1326 struct hci_rp_user_confirm_reply *rp = data; 1327 1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1329 1330 hci_dev_lock(hdev); 1331 1332 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1333 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1334 ACL_LINK, 0, rp->status); 1335 1336 hci_dev_unlock(hdev); 1337 1338 return rp->status; 1339 } 1340 1341 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data, 1342 struct sk_buff *skb) 1343 { 1344 struct hci_rp_user_confirm_reply *rp = data; 1345 1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1347 1348 hci_dev_lock(hdev); 1349 1350 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1351 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1352 0, rp->status); 1353 1354 hci_dev_unlock(hdev); 1355 1356 return rp->status; 1357 } 1358 1359 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data, 1360 struct sk_buff *skb) 1361 { 1362 struct hci_rp_user_confirm_reply *rp = data; 1363 1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1365 1366 hci_dev_lock(hdev); 1367 1368 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1369 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1370 ACL_LINK, 0, rp->status); 1371 1372 hci_dev_unlock(hdev); 1373 1374 return rp->status; 1375 } 1376 1377 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data, 1378 struct sk_buff *skb) 1379 { 1380 struct hci_rp_read_local_oob_data *rp = data; 1381 1382 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1383 1384 return rp->status; 1385 } 1386 1387 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data, 1388 struct sk_buff *skb) 1389 { 1390 struct hci_rp_read_local_oob_ext_data *rp = data; 1391 1392 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1393 1394 return rp->status; 1395 } 1396 1397 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data, 1398 struct sk_buff *skb) 1399 { 1400 struct hci_ev_status *rp = data; 1401 bdaddr_t *sent; 1402 1403 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1404 1405 if (rp->status) 1406 return rp->status; 1407 1408 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1409 if (!sent) 1410 return rp->status; 1411 1412 hci_dev_lock(hdev); 1413 1414 bacpy(&hdev->random_addr, sent); 1415 1416 if (!bacmp(&hdev->rpa, sent)) { 1417 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED); 1418 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, 1419 secs_to_jiffies(hdev->rpa_timeout)); 1420 } 1421 1422 hci_dev_unlock(hdev); 1423 1424 return rp->status; 1425 } 1426 1427 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data, 1428 struct sk_buff *skb) 1429 { 1430 struct hci_ev_status *rp = data; 1431 struct hci_cp_le_set_default_phy *cp; 1432 1433 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1434 1435 if (rp->status) 1436 return rp->status; 1437 1438 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1439 if (!cp) 1440 return rp->status; 1441 1442 hci_dev_lock(hdev); 1443 1444 hdev->le_tx_def_phys = cp->tx_phys; 1445 hdev->le_rx_def_phys = cp->rx_phys; 1446 1447 hci_dev_unlock(hdev); 1448 1449 return rp->status; 1450 } 1451 1452 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data, 1453 struct sk_buff *skb) 1454 { 1455 struct hci_ev_status *rp = data; 1456 struct hci_cp_le_set_adv_set_rand_addr *cp; 1457 struct adv_info *adv; 1458 1459 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1460 1461 if (rp->status) 1462 return rp->status; 1463 1464 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1465 /* Update only in case the adv instance since handle 0x00 shall be using 1466 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and 1467 * non-extended adverting. 1468 */ 1469 if (!cp || !cp->handle) 1470 return rp->status; 1471 1472 hci_dev_lock(hdev); 1473 1474 adv = hci_find_adv_instance(hdev, cp->handle); 1475 if (adv) { 1476 bacpy(&adv->random_addr, &cp->bdaddr); 1477 if (!bacmp(&hdev->rpa, &cp->bdaddr)) { 1478 adv->rpa_expired = false; 1479 queue_delayed_work(hdev->workqueue, 1480 &adv->rpa_expired_cb, 1481 secs_to_jiffies(hdev->rpa_timeout)); 1482 } 1483 } 1484 1485 hci_dev_unlock(hdev); 1486 1487 return rp->status; 1488 } 1489 1490 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data, 1491 struct sk_buff *skb) 1492 { 1493 struct hci_ev_status *rp = data; 1494 u8 *instance; 1495 int err; 1496 1497 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1498 1499 if (rp->status) 1500 return rp->status; 1501 1502 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET); 1503 if (!instance) 1504 return rp->status; 1505 1506 hci_dev_lock(hdev); 1507 1508 err = hci_remove_adv_instance(hdev, *instance); 1509 if (!err) 1510 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev, 1511 *instance); 1512 1513 hci_dev_unlock(hdev); 1514 1515 return rp->status; 1516 } 1517 1518 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data, 1519 struct sk_buff *skb) 1520 { 1521 struct hci_ev_status *rp = data; 1522 struct adv_info *adv, *n; 1523 int err; 1524 1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1526 1527 if (rp->status) 1528 return rp->status; 1529 1530 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS)) 1531 return rp->status; 1532 1533 hci_dev_lock(hdev); 1534 1535 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 1536 u8 instance = adv->instance; 1537 1538 err = hci_remove_adv_instance(hdev, instance); 1539 if (!err) 1540 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1541 hdev, instance); 1542 } 1543 1544 hci_dev_unlock(hdev); 1545 1546 return rp->status; 1547 } 1548 1549 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data, 1550 struct sk_buff *skb) 1551 { 1552 struct hci_rp_le_read_transmit_power *rp = data; 1553 1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1555 1556 if (rp->status) 1557 return rp->status; 1558 1559 hdev->min_le_tx_power = rp->min_le_tx_power; 1560 hdev->max_le_tx_power = rp->max_le_tx_power; 1561 1562 return rp->status; 1563 } 1564 1565 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, 1566 struct sk_buff *skb) 1567 { 1568 struct hci_ev_status *rp = data; 1569 struct hci_cp_le_set_privacy_mode *cp; 1570 struct hci_conn_params *params; 1571 1572 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1573 1574 if (rp->status) 1575 return rp->status; 1576 1577 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE); 1578 if (!cp) 1579 return rp->status; 1580 1581 hci_dev_lock(hdev); 1582 1583 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); 1584 if (params) 1585 WRITE_ONCE(params->privacy_mode, cp->mode); 1586 1587 hci_dev_unlock(hdev); 1588 1589 return rp->status; 1590 } 1591 1592 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data, 1593 struct sk_buff *skb) 1594 { 1595 struct hci_ev_status *rp = data; 1596 __u8 *sent; 1597 1598 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1599 1600 if (rp->status) 1601 return rp->status; 1602 1603 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1604 if (!sent) 1605 return rp->status; 1606 1607 hci_dev_lock(hdev); 1608 1609 /* If we're doing connection initiation as peripheral. Set a 1610 * timeout in case something goes wrong. 1611 */ 1612 if (*sent) { 1613 struct hci_conn *conn; 1614 1615 hci_dev_set_flag(hdev, HCI_LE_ADV); 1616 1617 conn = hci_lookup_le_connect(hdev); 1618 if (conn) 1619 queue_delayed_work(hdev->workqueue, 1620 &conn->le_conn_timeout, 1621 conn->conn_timeout); 1622 } else { 1623 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1624 } 1625 1626 hci_dev_unlock(hdev); 1627 1628 return rp->status; 1629 } 1630 1631 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, 1632 struct sk_buff *skb) 1633 { 1634 struct hci_cp_le_set_ext_adv_enable *cp; 1635 struct hci_cp_ext_adv_set *set; 1636 struct adv_info *adv = NULL, *n; 1637 struct hci_ev_status *rp = data; 1638 1639 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1640 1641 if (rp->status) 1642 return rp->status; 1643 1644 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1645 if (!cp) 1646 return rp->status; 1647 1648 set = (void *)cp->data; 1649 1650 hci_dev_lock(hdev); 1651 1652 if (cp->num_of_sets) 1653 adv = hci_find_adv_instance(hdev, set->handle); 1654 1655 if (cp->enable) { 1656 struct hci_conn *conn; 1657 1658 hci_dev_set_flag(hdev, HCI_LE_ADV); 1659 1660 if (adv && !adv->periodic) 1661 adv->enabled = true; 1662 1663 conn = hci_lookup_le_connect(hdev); 1664 if (conn) 1665 queue_delayed_work(hdev->workqueue, 1666 &conn->le_conn_timeout, 1667 conn->conn_timeout); 1668 } else { 1669 if (cp->num_of_sets) { 1670 if (adv) 1671 adv->enabled = false; 1672 1673 /* If just one instance was disabled check if there are 1674 * any other instance enabled before clearing HCI_LE_ADV 1675 */ 1676 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1677 list) { 1678 if (adv->enabled) 1679 goto unlock; 1680 } 1681 } else { 1682 /* All instances shall be considered disabled */ 1683 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1684 list) 1685 adv->enabled = false; 1686 } 1687 1688 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1689 } 1690 1691 unlock: 1692 hci_dev_unlock(hdev); 1693 return rp->status; 1694 } 1695 1696 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data, 1697 struct sk_buff *skb) 1698 { 1699 struct hci_cp_le_set_scan_param *cp; 1700 struct hci_ev_status *rp = data; 1701 1702 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1703 1704 if (rp->status) 1705 return rp->status; 1706 1707 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1708 if (!cp) 1709 return rp->status; 1710 1711 hci_dev_lock(hdev); 1712 1713 hdev->le_scan_type = cp->type; 1714 1715 hci_dev_unlock(hdev); 1716 1717 return rp->status; 1718 } 1719 1720 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data, 1721 struct sk_buff *skb) 1722 { 1723 struct hci_cp_le_set_ext_scan_params *cp; 1724 struct hci_ev_status *rp = data; 1725 struct hci_cp_le_scan_phy_params *phy_param; 1726 1727 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1728 1729 if (rp->status) 1730 return rp->status; 1731 1732 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1733 if (!cp) 1734 return rp->status; 1735 1736 phy_param = (void *)cp->data; 1737 1738 hci_dev_lock(hdev); 1739 1740 hdev->le_scan_type = phy_param->type; 1741 1742 hci_dev_unlock(hdev); 1743 1744 return rp->status; 1745 } 1746 1747 static bool has_pending_adv_report(struct hci_dev *hdev) 1748 { 1749 struct discovery_state *d = &hdev->discovery; 1750 1751 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1752 } 1753 1754 static void clear_pending_adv_report(struct hci_dev *hdev) 1755 { 1756 struct discovery_state *d = &hdev->discovery; 1757 1758 bacpy(&d->last_adv_addr, BDADDR_ANY); 1759 d->last_adv_data_len = 0; 1760 } 1761 1762 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1763 u8 bdaddr_type, s8 rssi, u32 flags, 1764 u8 *data, u8 len) 1765 { 1766 struct discovery_state *d = &hdev->discovery; 1767 1768 if (len > max_adv_len(hdev)) 1769 return; 1770 1771 bacpy(&d->last_adv_addr, bdaddr); 1772 d->last_adv_addr_type = bdaddr_type; 1773 d->last_adv_rssi = rssi; 1774 d->last_adv_flags = flags; 1775 memcpy(d->last_adv_data, data, len); 1776 d->last_adv_data_len = len; 1777 } 1778 1779 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1780 { 1781 hci_dev_lock(hdev); 1782 1783 switch (enable) { 1784 case LE_SCAN_ENABLE: 1785 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1786 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1787 clear_pending_adv_report(hdev); 1788 if (hci_dev_test_flag(hdev, HCI_MESH)) 1789 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 1790 break; 1791 1792 case LE_SCAN_DISABLE: 1793 /* We do this here instead of when setting DISCOVERY_STOPPED 1794 * since the latter would potentially require waiting for 1795 * inquiry to stop too. 1796 */ 1797 if (has_pending_adv_report(hdev)) { 1798 struct discovery_state *d = &hdev->discovery; 1799 1800 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1801 d->last_adv_addr_type, NULL, 1802 d->last_adv_rssi, d->last_adv_flags, 1803 d->last_adv_data, 1804 d->last_adv_data_len, NULL, 0, 0); 1805 } 1806 1807 /* Cancel this timer so that we don't try to disable scanning 1808 * when it's already disabled. 1809 */ 1810 cancel_delayed_work(&hdev->le_scan_disable); 1811 1812 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1813 1814 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1815 * interrupted scanning due to a connect request. Mark 1816 * therefore discovery as stopped. 1817 */ 1818 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1819 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1820 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1821 hdev->discovery.state == DISCOVERY_FINDING) 1822 queue_work(hdev->workqueue, &hdev->reenable_adv_work); 1823 1824 break; 1825 1826 default: 1827 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1828 enable); 1829 break; 1830 } 1831 1832 hci_dev_unlock(hdev); 1833 } 1834 1835 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data, 1836 struct sk_buff *skb) 1837 { 1838 struct hci_cp_le_set_scan_enable *cp; 1839 struct hci_ev_status *rp = data; 1840 1841 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1842 1843 if (rp->status) 1844 return rp->status; 1845 1846 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1847 if (!cp) 1848 return rp->status; 1849 1850 le_set_scan_enable_complete(hdev, cp->enable); 1851 1852 return rp->status; 1853 } 1854 1855 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data, 1856 struct sk_buff *skb) 1857 { 1858 struct hci_cp_le_set_ext_scan_enable *cp; 1859 struct hci_ev_status *rp = data; 1860 1861 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1862 1863 if (rp->status) 1864 return rp->status; 1865 1866 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1867 if (!cp) 1868 return rp->status; 1869 1870 le_set_scan_enable_complete(hdev, cp->enable); 1871 1872 return rp->status; 1873 } 1874 1875 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data, 1876 struct sk_buff *skb) 1877 { 1878 struct hci_rp_le_read_num_supported_adv_sets *rp = data; 1879 1880 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status, 1881 rp->num_of_sets); 1882 1883 if (rp->status) 1884 return rp->status; 1885 1886 hdev->le_num_of_adv_sets = rp->num_of_sets; 1887 1888 return rp->status; 1889 } 1890 1891 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data, 1892 struct sk_buff *skb) 1893 { 1894 struct hci_rp_le_read_accept_list_size *rp = data; 1895 1896 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 1897 1898 if (rp->status) 1899 return rp->status; 1900 1901 hdev->le_accept_list_size = rp->size; 1902 1903 return rp->status; 1904 } 1905 1906 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data, 1907 struct sk_buff *skb) 1908 { 1909 struct hci_ev_status *rp = data; 1910 1911 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1912 1913 if (rp->status) 1914 return rp->status; 1915 1916 hci_dev_lock(hdev); 1917 hci_bdaddr_list_clear(&hdev->le_accept_list); 1918 hci_dev_unlock(hdev); 1919 1920 return rp->status; 1921 } 1922 1923 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data, 1924 struct sk_buff *skb) 1925 { 1926 struct hci_cp_le_add_to_accept_list *sent; 1927 struct hci_ev_status *rp = data; 1928 1929 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1930 1931 if (rp->status) 1932 return rp->status; 1933 1934 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1935 if (!sent) 1936 return rp->status; 1937 1938 hci_dev_lock(hdev); 1939 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1940 sent->bdaddr_type); 1941 hci_dev_unlock(hdev); 1942 1943 return rp->status; 1944 } 1945 1946 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data, 1947 struct sk_buff *skb) 1948 { 1949 struct hci_cp_le_del_from_accept_list *sent; 1950 struct hci_ev_status *rp = data; 1951 1952 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1953 1954 if (rp->status) 1955 return rp->status; 1956 1957 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1958 if (!sent) 1959 return rp->status; 1960 1961 hci_dev_lock(hdev); 1962 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1963 sent->bdaddr_type); 1964 hci_dev_unlock(hdev); 1965 1966 return rp->status; 1967 } 1968 1969 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data, 1970 struct sk_buff *skb) 1971 { 1972 struct hci_rp_le_read_supported_states *rp = data; 1973 1974 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1975 1976 if (rp->status) 1977 return rp->status; 1978 1979 memcpy(hdev->le_states, rp->le_states, 8); 1980 1981 return rp->status; 1982 } 1983 1984 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data, 1985 struct sk_buff *skb) 1986 { 1987 struct hci_rp_le_read_def_data_len *rp = data; 1988 1989 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1990 1991 if (rp->status) 1992 return rp->status; 1993 1994 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1995 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1996 1997 return rp->status; 1998 } 1999 2000 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data, 2001 struct sk_buff *skb) 2002 { 2003 struct hci_cp_le_write_def_data_len *sent; 2004 struct hci_ev_status *rp = data; 2005 2006 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2007 2008 if (rp->status) 2009 return rp->status; 2010 2011 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 2012 if (!sent) 2013 return rp->status; 2014 2015 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 2016 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 2017 2018 return rp->status; 2019 } 2020 2021 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data, 2022 struct sk_buff *skb) 2023 { 2024 struct hci_cp_le_add_to_resolv_list *sent; 2025 struct hci_ev_status *rp = data; 2026 2027 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2028 2029 if (rp->status) 2030 return rp->status; 2031 2032 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 2033 if (!sent) 2034 return rp->status; 2035 2036 hci_dev_lock(hdev); 2037 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2038 sent->bdaddr_type, sent->peer_irk, 2039 sent->local_irk); 2040 hci_dev_unlock(hdev); 2041 2042 return rp->status; 2043 } 2044 2045 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data, 2046 struct sk_buff *skb) 2047 { 2048 struct hci_cp_le_del_from_resolv_list *sent; 2049 struct hci_ev_status *rp = data; 2050 2051 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2052 2053 if (rp->status) 2054 return rp->status; 2055 2056 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 2057 if (!sent) 2058 return rp->status; 2059 2060 hci_dev_lock(hdev); 2061 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2062 sent->bdaddr_type); 2063 hci_dev_unlock(hdev); 2064 2065 return rp->status; 2066 } 2067 2068 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data, 2069 struct sk_buff *skb) 2070 { 2071 struct hci_ev_status *rp = data; 2072 2073 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2074 2075 if (rp->status) 2076 return rp->status; 2077 2078 hci_dev_lock(hdev); 2079 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2080 hci_dev_unlock(hdev); 2081 2082 return rp->status; 2083 } 2084 2085 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data, 2086 struct sk_buff *skb) 2087 { 2088 struct hci_rp_le_read_resolv_list_size *rp = data; 2089 2090 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 2091 2092 if (rp->status) 2093 return rp->status; 2094 2095 hdev->le_resolv_list_size = rp->size; 2096 2097 return rp->status; 2098 } 2099 2100 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data, 2101 struct sk_buff *skb) 2102 { 2103 struct hci_ev_status *rp = data; 2104 __u8 *sent; 2105 2106 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2107 2108 if (rp->status) 2109 return rp->status; 2110 2111 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 2112 if (!sent) 2113 return rp->status; 2114 2115 hci_dev_lock(hdev); 2116 2117 if (*sent) 2118 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 2119 else 2120 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 2121 2122 hci_dev_unlock(hdev); 2123 2124 return rp->status; 2125 } 2126 2127 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data, 2128 struct sk_buff *skb) 2129 { 2130 struct hci_rp_le_read_max_data_len *rp = data; 2131 2132 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2133 2134 if (rp->status) 2135 return rp->status; 2136 2137 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 2138 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 2139 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 2140 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 2141 2142 return rp->status; 2143 } 2144 2145 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data, 2146 struct sk_buff *skb) 2147 { 2148 struct hci_cp_write_le_host_supported *sent; 2149 struct hci_ev_status *rp = data; 2150 2151 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2152 2153 if (rp->status) 2154 return rp->status; 2155 2156 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 2157 if (!sent) 2158 return rp->status; 2159 2160 hci_dev_lock(hdev); 2161 2162 if (sent->le) { 2163 hdev->features[1][0] |= LMP_HOST_LE; 2164 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 2165 } else { 2166 hdev->features[1][0] &= ~LMP_HOST_LE; 2167 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 2168 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 2169 } 2170 2171 if (sent->simul) 2172 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 2173 else 2174 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 2175 2176 hci_dev_unlock(hdev); 2177 2178 return rp->status; 2179 } 2180 2181 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, 2182 struct sk_buff *skb) 2183 { 2184 struct hci_cp_le_set_adv_param *cp; 2185 struct hci_ev_status *rp = data; 2186 2187 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2188 2189 if (rp->status) 2190 return rp->status; 2191 2192 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 2193 if (!cp) 2194 return rp->status; 2195 2196 hci_dev_lock(hdev); 2197 hdev->adv_addr_type = cp->own_address_type; 2198 hci_dev_unlock(hdev); 2199 2200 return rp->status; 2201 } 2202 2203 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, 2204 struct sk_buff *skb) 2205 { 2206 struct hci_rp_le_set_ext_adv_params *rp = data; 2207 struct hci_cp_le_set_ext_adv_params *cp; 2208 struct adv_info *adv_instance; 2209 2210 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2211 2212 if (rp->status) 2213 return rp->status; 2214 2215 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 2216 if (!cp) 2217 return rp->status; 2218 2219 hci_dev_lock(hdev); 2220 hdev->adv_addr_type = cp->own_addr_type; 2221 if (!cp->handle) { 2222 /* Store in hdev for instance 0 */ 2223 hdev->adv_tx_power = rp->tx_power; 2224 } else { 2225 adv_instance = hci_find_adv_instance(hdev, cp->handle); 2226 if (adv_instance) 2227 adv_instance->tx_power = rp->tx_power; 2228 } 2229 /* Update adv data as tx power is known now */ 2230 hci_update_adv_data(hdev, cp->handle); 2231 2232 hci_dev_unlock(hdev); 2233 2234 return rp->status; 2235 } 2236 2237 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, 2238 struct sk_buff *skb) 2239 { 2240 struct hci_rp_read_rssi *rp = data; 2241 struct hci_conn *conn; 2242 2243 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2244 2245 if (rp->status) 2246 return rp->status; 2247 2248 hci_dev_lock(hdev); 2249 2250 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2251 if (conn) 2252 conn->rssi = rp->rssi; 2253 2254 hci_dev_unlock(hdev); 2255 2256 return rp->status; 2257 } 2258 2259 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data, 2260 struct sk_buff *skb) 2261 { 2262 struct hci_cp_read_tx_power *sent; 2263 struct hci_rp_read_tx_power *rp = data; 2264 struct hci_conn *conn; 2265 2266 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2267 2268 if (rp->status) 2269 return rp->status; 2270 2271 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 2272 if (!sent) 2273 return rp->status; 2274 2275 hci_dev_lock(hdev); 2276 2277 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2278 if (!conn) 2279 goto unlock; 2280 2281 switch (sent->type) { 2282 case 0x00: 2283 conn->tx_power = rp->tx_power; 2284 break; 2285 case 0x01: 2286 conn->max_tx_power = rp->tx_power; 2287 break; 2288 } 2289 2290 unlock: 2291 hci_dev_unlock(hdev); 2292 return rp->status; 2293 } 2294 2295 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data, 2296 struct sk_buff *skb) 2297 { 2298 struct hci_ev_status *rp = data; 2299 u8 *mode; 2300 2301 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2302 2303 if (rp->status) 2304 return rp->status; 2305 2306 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 2307 if (mode) 2308 hdev->ssp_debug_mode = *mode; 2309 2310 return rp->status; 2311 } 2312 2313 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 2314 { 2315 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2316 2317 if (status) { 2318 hci_conn_check_pending(hdev); 2319 return; 2320 } 2321 2322 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY)) 2323 set_bit(HCI_INQUIRY, &hdev->flags); 2324 } 2325 2326 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 2327 { 2328 struct hci_cp_create_conn *cp; 2329 struct hci_conn *conn; 2330 2331 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2332 2333 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 2334 if (!cp) 2335 return; 2336 2337 hci_dev_lock(hdev); 2338 2339 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2340 2341 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn); 2342 2343 if (status) { 2344 if (conn && conn->state == BT_CONNECT) { 2345 if (status != 0x0c || conn->attempt > 2) { 2346 conn->state = BT_CLOSED; 2347 hci_connect_cfm(conn, status); 2348 hci_conn_del(conn); 2349 } else 2350 conn->state = BT_CONNECT2; 2351 } 2352 } else { 2353 if (!conn) { 2354 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr, 2355 HCI_ROLE_MASTER); 2356 if (!conn) 2357 bt_dev_err(hdev, "no memory for new connection"); 2358 } 2359 } 2360 2361 hci_dev_unlock(hdev); 2362 } 2363 2364 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2365 { 2366 struct hci_cp_add_sco *cp; 2367 struct hci_conn *acl; 2368 struct hci_link *link; 2369 __u16 handle; 2370 2371 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2372 2373 if (!status) 2374 return; 2375 2376 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2377 if (!cp) 2378 return; 2379 2380 handle = __le16_to_cpu(cp->handle); 2381 2382 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2383 2384 hci_dev_lock(hdev); 2385 2386 acl = hci_conn_hash_lookup_handle(hdev, handle); 2387 if (acl) { 2388 link = list_first_entry_or_null(&acl->link_list, 2389 struct hci_link, list); 2390 if (link && link->conn) { 2391 link->conn->state = BT_CLOSED; 2392 2393 hci_connect_cfm(link->conn, status); 2394 hci_conn_del(link->conn); 2395 } 2396 } 2397 2398 hci_dev_unlock(hdev); 2399 } 2400 2401 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2402 { 2403 struct hci_cp_auth_requested *cp; 2404 struct hci_conn *conn; 2405 2406 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2407 2408 if (!status) 2409 return; 2410 2411 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2412 if (!cp) 2413 return; 2414 2415 hci_dev_lock(hdev); 2416 2417 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2418 if (conn) { 2419 if (conn->state == BT_CONFIG) { 2420 hci_connect_cfm(conn, status); 2421 hci_conn_drop(conn); 2422 } 2423 } 2424 2425 hci_dev_unlock(hdev); 2426 } 2427 2428 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2429 { 2430 struct hci_cp_set_conn_encrypt *cp; 2431 struct hci_conn *conn; 2432 2433 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2434 2435 if (!status) 2436 return; 2437 2438 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2439 if (!cp) 2440 return; 2441 2442 hci_dev_lock(hdev); 2443 2444 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2445 if (conn) { 2446 if (conn->state == BT_CONFIG) { 2447 hci_connect_cfm(conn, status); 2448 hci_conn_drop(conn); 2449 } 2450 } 2451 2452 hci_dev_unlock(hdev); 2453 } 2454 2455 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2456 struct hci_conn *conn) 2457 { 2458 if (conn->state != BT_CONFIG || !conn->out) 2459 return 0; 2460 2461 if (conn->pending_sec_level == BT_SECURITY_SDP) 2462 return 0; 2463 2464 /* Only request authentication for SSP connections or non-SSP 2465 * devices with sec_level MEDIUM or HIGH or if MITM protection 2466 * is requested. 2467 */ 2468 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2469 conn->pending_sec_level != BT_SECURITY_FIPS && 2470 conn->pending_sec_level != BT_SECURITY_HIGH && 2471 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2472 return 0; 2473 2474 return 1; 2475 } 2476 2477 static int hci_resolve_name(struct hci_dev *hdev, 2478 struct inquiry_entry *e) 2479 { 2480 struct hci_cp_remote_name_req cp; 2481 2482 memset(&cp, 0, sizeof(cp)); 2483 2484 bacpy(&cp.bdaddr, &e->data.bdaddr); 2485 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2486 cp.pscan_mode = e->data.pscan_mode; 2487 cp.clock_offset = e->data.clock_offset; 2488 2489 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2490 } 2491 2492 static bool hci_resolve_next_name(struct hci_dev *hdev) 2493 { 2494 struct discovery_state *discov = &hdev->discovery; 2495 struct inquiry_entry *e; 2496 2497 if (list_empty(&discov->resolve)) 2498 return false; 2499 2500 /* We should stop if we already spent too much time resolving names. */ 2501 if (time_after(jiffies, discov->name_resolve_timeout)) { 2502 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2503 return false; 2504 } 2505 2506 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2507 if (!e) 2508 return false; 2509 2510 if (hci_resolve_name(hdev, e) == 0) { 2511 e->name_state = NAME_PENDING; 2512 return true; 2513 } 2514 2515 return false; 2516 } 2517 2518 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2519 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2520 { 2521 struct discovery_state *discov = &hdev->discovery; 2522 struct inquiry_entry *e; 2523 2524 /* Update the mgmt connected state if necessary. Be careful with 2525 * conn objects that exist but are not (yet) connected however. 2526 * Only those in BT_CONFIG or BT_CONNECTED states can be 2527 * considered connected. 2528 */ 2529 if (conn && 2530 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2531 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2532 mgmt_device_connected(hdev, conn, name, name_len); 2533 2534 if (discov->state == DISCOVERY_STOPPED) 2535 return; 2536 2537 if (discov->state == DISCOVERY_STOPPING) 2538 goto discov_complete; 2539 2540 if (discov->state != DISCOVERY_RESOLVING) 2541 return; 2542 2543 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2544 /* If the device was not found in a list of found devices names of which 2545 * are pending. there is no need to continue resolving a next name as it 2546 * will be done upon receiving another Remote Name Request Complete 2547 * Event */ 2548 if (!e) 2549 return; 2550 2551 list_del(&e->list); 2552 2553 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2554 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2555 name, name_len); 2556 2557 if (hci_resolve_next_name(hdev)) 2558 return; 2559 2560 discov_complete: 2561 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2562 } 2563 2564 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2565 { 2566 struct hci_cp_remote_name_req *cp; 2567 struct hci_conn *conn; 2568 2569 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2570 2571 /* If successful wait for the name req complete event before 2572 * checking for the need to do authentication */ 2573 if (!status) 2574 return; 2575 2576 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2577 if (!cp) 2578 return; 2579 2580 hci_dev_lock(hdev); 2581 2582 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2583 2584 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2585 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2586 2587 if (!conn) 2588 goto unlock; 2589 2590 if (!hci_outgoing_auth_needed(hdev, conn)) 2591 goto unlock; 2592 2593 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2594 struct hci_cp_auth_requested auth_cp; 2595 2596 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2597 2598 auth_cp.handle = __cpu_to_le16(conn->handle); 2599 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2600 sizeof(auth_cp), &auth_cp); 2601 } 2602 2603 unlock: 2604 hci_dev_unlock(hdev); 2605 } 2606 2607 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2608 { 2609 struct hci_cp_read_remote_features *cp; 2610 struct hci_conn *conn; 2611 2612 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2613 2614 if (!status) 2615 return; 2616 2617 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2618 if (!cp) 2619 return; 2620 2621 hci_dev_lock(hdev); 2622 2623 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2624 if (conn) { 2625 if (conn->state == BT_CONFIG) { 2626 hci_connect_cfm(conn, status); 2627 hci_conn_drop(conn); 2628 } 2629 } 2630 2631 hci_dev_unlock(hdev); 2632 } 2633 2634 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2635 { 2636 struct hci_cp_read_remote_ext_features *cp; 2637 struct hci_conn *conn; 2638 2639 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2640 2641 if (!status) 2642 return; 2643 2644 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2645 if (!cp) 2646 return; 2647 2648 hci_dev_lock(hdev); 2649 2650 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2651 if (conn) { 2652 if (conn->state == BT_CONFIG) { 2653 hci_connect_cfm(conn, status); 2654 hci_conn_drop(conn); 2655 } 2656 } 2657 2658 hci_dev_unlock(hdev); 2659 } 2660 2661 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle, 2662 __u8 status) 2663 { 2664 struct hci_conn *acl; 2665 struct hci_link *link; 2666 2667 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status); 2668 2669 hci_dev_lock(hdev); 2670 2671 acl = hci_conn_hash_lookup_handle(hdev, handle); 2672 if (acl) { 2673 link = list_first_entry_or_null(&acl->link_list, 2674 struct hci_link, list); 2675 if (link && link->conn) { 2676 link->conn->state = BT_CLOSED; 2677 2678 hci_connect_cfm(link->conn, status); 2679 hci_conn_del(link->conn); 2680 } 2681 } 2682 2683 hci_dev_unlock(hdev); 2684 } 2685 2686 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2687 { 2688 struct hci_cp_setup_sync_conn *cp; 2689 2690 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2691 2692 if (!status) 2693 return; 2694 2695 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2696 if (!cp) 2697 return; 2698 2699 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2700 } 2701 2702 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2703 { 2704 struct hci_cp_enhanced_setup_sync_conn *cp; 2705 2706 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2707 2708 if (!status) 2709 return; 2710 2711 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN); 2712 if (!cp) 2713 return; 2714 2715 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2716 } 2717 2718 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2719 { 2720 struct hci_cp_sniff_mode *cp; 2721 struct hci_conn *conn; 2722 2723 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2724 2725 if (!status) 2726 return; 2727 2728 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2729 if (!cp) 2730 return; 2731 2732 hci_dev_lock(hdev); 2733 2734 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2735 if (conn) { 2736 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2737 2738 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2739 hci_sco_setup(conn, status); 2740 } 2741 2742 hci_dev_unlock(hdev); 2743 } 2744 2745 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2746 { 2747 struct hci_cp_exit_sniff_mode *cp; 2748 struct hci_conn *conn; 2749 2750 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2751 2752 if (!status) 2753 return; 2754 2755 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2756 if (!cp) 2757 return; 2758 2759 hci_dev_lock(hdev); 2760 2761 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2762 if (conn) { 2763 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2764 2765 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2766 hci_sco_setup(conn, status); 2767 } 2768 2769 hci_dev_unlock(hdev); 2770 } 2771 2772 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2773 { 2774 struct hci_cp_disconnect *cp; 2775 struct hci_conn_params *params; 2776 struct hci_conn *conn; 2777 bool mgmt_conn; 2778 2779 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2780 2781 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended 2782 * otherwise cleanup the connection immediately. 2783 */ 2784 if (!status && !hdev->suspended) 2785 return; 2786 2787 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2788 if (!cp) 2789 return; 2790 2791 hci_dev_lock(hdev); 2792 2793 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2794 if (!conn) 2795 goto unlock; 2796 2797 if (status) { 2798 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2799 conn->dst_type, status); 2800 2801 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 2802 hdev->cur_adv_instance = conn->adv_instance; 2803 hci_enable_advertising(hdev); 2804 } 2805 2806 /* Inform sockets conn is gone before we delete it */ 2807 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); 2808 2809 goto done; 2810 } 2811 2812 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2813 2814 if (conn->type == ACL_LINK) { 2815 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2816 hci_remove_link_key(hdev, &conn->dst); 2817 } 2818 2819 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2820 if (params) { 2821 switch (params->auto_connect) { 2822 case HCI_AUTO_CONN_LINK_LOSS: 2823 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2824 break; 2825 fallthrough; 2826 2827 case HCI_AUTO_CONN_DIRECT: 2828 case HCI_AUTO_CONN_ALWAYS: 2829 hci_pend_le_list_del_init(params); 2830 hci_pend_le_list_add(params, &hdev->pend_le_conns); 2831 break; 2832 2833 default: 2834 break; 2835 } 2836 } 2837 2838 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2839 cp->reason, mgmt_conn); 2840 2841 hci_disconn_cfm(conn, cp->reason); 2842 2843 done: 2844 /* If the disconnection failed for any reason, the upper layer 2845 * does not retry to disconnect in current implementation. 2846 * Hence, we need to do some basic cleanup here and re-enable 2847 * advertising if necessary. 2848 */ 2849 hci_conn_del(conn); 2850 unlock: 2851 hci_dev_unlock(hdev); 2852 } 2853 2854 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved) 2855 { 2856 /* When using controller based address resolution, then the new 2857 * address types 0x02 and 0x03 are used. These types need to be 2858 * converted back into either public address or random address type 2859 */ 2860 switch (type) { 2861 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2862 if (resolved) 2863 *resolved = true; 2864 return ADDR_LE_DEV_PUBLIC; 2865 case ADDR_LE_DEV_RANDOM_RESOLVED: 2866 if (resolved) 2867 *resolved = true; 2868 return ADDR_LE_DEV_RANDOM; 2869 } 2870 2871 if (resolved) 2872 *resolved = false; 2873 return type; 2874 } 2875 2876 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2877 u8 peer_addr_type, u8 own_address_type, 2878 u8 filter_policy) 2879 { 2880 struct hci_conn *conn; 2881 2882 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2883 peer_addr_type); 2884 if (!conn) 2885 return; 2886 2887 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL); 2888 2889 /* Store the initiator and responder address information which 2890 * is needed for SMP. These values will not change during the 2891 * lifetime of the connection. 2892 */ 2893 conn->init_addr_type = own_address_type; 2894 if (own_address_type == ADDR_LE_DEV_RANDOM) 2895 bacpy(&conn->init_addr, &hdev->random_addr); 2896 else 2897 bacpy(&conn->init_addr, &hdev->bdaddr); 2898 2899 conn->resp_addr_type = peer_addr_type; 2900 bacpy(&conn->resp_addr, peer_addr); 2901 } 2902 2903 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2904 { 2905 struct hci_cp_le_create_conn *cp; 2906 2907 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2908 2909 /* All connection failure handling is taken care of by the 2910 * hci_conn_failed function which is triggered by the HCI 2911 * request completion callbacks used for connecting. 2912 */ 2913 if (status) 2914 return; 2915 2916 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2917 if (!cp) 2918 return; 2919 2920 hci_dev_lock(hdev); 2921 2922 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2923 cp->own_address_type, cp->filter_policy); 2924 2925 hci_dev_unlock(hdev); 2926 } 2927 2928 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2929 { 2930 struct hci_cp_le_ext_create_conn *cp; 2931 2932 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2933 2934 /* All connection failure handling is taken care of by the 2935 * hci_conn_failed function which is triggered by the HCI 2936 * request completion callbacks used for connecting. 2937 */ 2938 if (status) 2939 return; 2940 2941 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2942 if (!cp) 2943 return; 2944 2945 hci_dev_lock(hdev); 2946 2947 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2948 cp->own_addr_type, cp->filter_policy); 2949 2950 hci_dev_unlock(hdev); 2951 } 2952 2953 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2954 { 2955 struct hci_cp_le_read_remote_features *cp; 2956 struct hci_conn *conn; 2957 2958 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2959 2960 if (!status) 2961 return; 2962 2963 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2964 if (!cp) 2965 return; 2966 2967 hci_dev_lock(hdev); 2968 2969 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2970 if (conn) { 2971 if (conn->state == BT_CONFIG) { 2972 hci_connect_cfm(conn, status); 2973 hci_conn_drop(conn); 2974 } 2975 } 2976 2977 hci_dev_unlock(hdev); 2978 } 2979 2980 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2981 { 2982 struct hci_cp_le_start_enc *cp; 2983 struct hci_conn *conn; 2984 2985 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2986 2987 if (!status) 2988 return; 2989 2990 hci_dev_lock(hdev); 2991 2992 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2993 if (!cp) 2994 goto unlock; 2995 2996 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2997 if (!conn) 2998 goto unlock; 2999 3000 if (conn->state != BT_CONNECTED) 3001 goto unlock; 3002 3003 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3004 hci_conn_drop(conn); 3005 3006 unlock: 3007 hci_dev_unlock(hdev); 3008 } 3009 3010 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 3011 { 3012 struct hci_cp_switch_role *cp; 3013 struct hci_conn *conn; 3014 3015 BT_DBG("%s status 0x%2.2x", hdev->name, status); 3016 3017 if (!status) 3018 return; 3019 3020 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 3021 if (!cp) 3022 return; 3023 3024 hci_dev_lock(hdev); 3025 3026 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 3027 if (conn) 3028 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3029 3030 hci_dev_unlock(hdev); 3031 } 3032 3033 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data, 3034 struct sk_buff *skb) 3035 { 3036 struct hci_ev_status *ev = data; 3037 struct discovery_state *discov = &hdev->discovery; 3038 struct inquiry_entry *e; 3039 3040 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3041 3042 hci_conn_check_pending(hdev); 3043 3044 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 3045 return; 3046 3047 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 3048 wake_up_bit(&hdev->flags, HCI_INQUIRY); 3049 3050 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3051 return; 3052 3053 hci_dev_lock(hdev); 3054 3055 if (discov->state != DISCOVERY_FINDING) 3056 goto unlock; 3057 3058 if (list_empty(&discov->resolve)) { 3059 /* When BR/EDR inquiry is active and no LE scanning is in 3060 * progress, then change discovery state to indicate completion. 3061 * 3062 * When running LE scanning and BR/EDR inquiry simultaneously 3063 * and the LE scan already finished, then change the discovery 3064 * state to indicate completion. 3065 */ 3066 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3067 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3069 goto unlock; 3070 } 3071 3072 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 3073 if (e && hci_resolve_name(hdev, e) == 0) { 3074 e->name_state = NAME_PENDING; 3075 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 3076 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION; 3077 } else { 3078 /* When BR/EDR inquiry is active and no LE scanning is in 3079 * progress, then change discovery state to indicate completion. 3080 * 3081 * When running LE scanning and BR/EDR inquiry simultaneously 3082 * and the LE scan already finished, then change the discovery 3083 * state to indicate completion. 3084 */ 3085 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3086 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3087 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3088 } 3089 3090 unlock: 3091 hci_dev_unlock(hdev); 3092 } 3093 3094 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata, 3095 struct sk_buff *skb) 3096 { 3097 struct hci_ev_inquiry_result *ev = edata; 3098 struct inquiry_data data; 3099 int i; 3100 3101 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT, 3102 flex_array_size(ev, info, ev->num))) 3103 return; 3104 3105 bt_dev_dbg(hdev, "num %d", ev->num); 3106 3107 if (!ev->num) 3108 return; 3109 3110 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3111 return; 3112 3113 hci_dev_lock(hdev); 3114 3115 for (i = 0; i < ev->num; i++) { 3116 struct inquiry_info *info = &ev->info[i]; 3117 u32 flags; 3118 3119 bacpy(&data.bdaddr, &info->bdaddr); 3120 data.pscan_rep_mode = info->pscan_rep_mode; 3121 data.pscan_period_mode = info->pscan_period_mode; 3122 data.pscan_mode = info->pscan_mode; 3123 memcpy(data.dev_class, info->dev_class, 3); 3124 data.clock_offset = info->clock_offset; 3125 data.rssi = HCI_RSSI_INVALID; 3126 data.ssp_mode = 0x00; 3127 3128 flags = hci_inquiry_cache_update(hdev, &data, false); 3129 3130 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3131 info->dev_class, HCI_RSSI_INVALID, 3132 flags, NULL, 0, NULL, 0, 0); 3133 } 3134 3135 hci_dev_unlock(hdev); 3136 } 3137 3138 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3139 struct sk_buff *skb) 3140 { 3141 struct hci_ev_conn_complete *ev = data; 3142 struct hci_conn *conn; 3143 u8 status = ev->status; 3144 3145 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3146 3147 hci_dev_lock(hdev); 3148 3149 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3150 if (!conn) { 3151 /* In case of error status and there is no connection pending 3152 * just unlock as there is nothing to cleanup. 3153 */ 3154 if (ev->status) 3155 goto unlock; 3156 3157 /* Connection may not exist if auto-connected. Check the bredr 3158 * allowlist to see if this device is allowed to auto connect. 3159 * If link is an ACL type, create a connection class 3160 * automatically. 3161 * 3162 * Auto-connect will only occur if the event filter is 3163 * programmed with a given address. Right now, event filter is 3164 * only used during suspend. 3165 */ 3166 if (ev->link_type == ACL_LINK && 3167 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3168 &ev->bdaddr, 3169 BDADDR_BREDR)) { 3170 conn = hci_conn_add_unset(hdev, ev->link_type, 3171 &ev->bdaddr, HCI_ROLE_SLAVE); 3172 if (!conn) { 3173 bt_dev_err(hdev, "no memory for new conn"); 3174 goto unlock; 3175 } 3176 } else { 3177 if (ev->link_type != SCO_LINK) 3178 goto unlock; 3179 3180 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3181 &ev->bdaddr); 3182 if (!conn) 3183 goto unlock; 3184 3185 conn->type = SCO_LINK; 3186 } 3187 } 3188 3189 /* The HCI_Connection_Complete event is only sent once per connection. 3190 * Processing it more than once per connection can corrupt kernel memory. 3191 * 3192 * As the connection handle is set here for the first time, it indicates 3193 * whether the connection is already set up. 3194 */ 3195 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 3196 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3197 goto unlock; 3198 } 3199 3200 if (!status) { 3201 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 3202 if (status) 3203 goto done; 3204 3205 if (conn->type == ACL_LINK) { 3206 conn->state = BT_CONFIG; 3207 hci_conn_hold(conn); 3208 3209 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3210 !hci_find_link_key(hdev, &ev->bdaddr)) 3211 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3212 else 3213 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3214 } else 3215 conn->state = BT_CONNECTED; 3216 3217 hci_debugfs_create_conn(conn); 3218 hci_conn_add_sysfs(conn); 3219 3220 if (test_bit(HCI_AUTH, &hdev->flags)) 3221 set_bit(HCI_CONN_AUTH, &conn->flags); 3222 3223 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3224 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3225 3226 /* Get remote features */ 3227 if (conn->type == ACL_LINK) { 3228 struct hci_cp_read_remote_features cp; 3229 cp.handle = ev->handle; 3230 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3231 sizeof(cp), &cp); 3232 3233 hci_update_scan(hdev); 3234 } 3235 3236 /* Set packet type for incoming connection */ 3237 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3238 struct hci_cp_change_conn_ptype cp; 3239 cp.handle = ev->handle; 3240 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3241 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3242 &cp); 3243 } 3244 } 3245 3246 if (conn->type == ACL_LINK) 3247 hci_sco_setup(conn, ev->status); 3248 3249 done: 3250 if (status) { 3251 hci_conn_failed(conn, status); 3252 } else if (ev->link_type == SCO_LINK) { 3253 switch (conn->setting & SCO_AIRMODE_MASK) { 3254 case SCO_AIRMODE_CVSD: 3255 if (hdev->notify) 3256 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3257 break; 3258 } 3259 3260 hci_connect_cfm(conn, status); 3261 } 3262 3263 unlock: 3264 hci_dev_unlock(hdev); 3265 3266 hci_conn_check_pending(hdev); 3267 } 3268 3269 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 3270 { 3271 struct hci_cp_reject_conn_req cp; 3272 3273 bacpy(&cp.bdaddr, bdaddr); 3274 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 3275 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 3276 } 3277 3278 static void hci_conn_request_evt(struct hci_dev *hdev, void *data, 3279 struct sk_buff *skb) 3280 { 3281 struct hci_ev_conn_request *ev = data; 3282 int mask = hdev->link_mode; 3283 struct inquiry_entry *ie; 3284 struct hci_conn *conn; 3285 __u8 flags = 0; 3286 3287 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type); 3288 3289 /* Reject incoming connection from device with same BD ADDR against 3290 * CVE-2020-26555 3291 */ 3292 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) { 3293 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 3294 &ev->bdaddr); 3295 hci_reject_conn(hdev, &ev->bdaddr); 3296 return; 3297 } 3298 3299 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 3300 &flags); 3301 3302 if (!(mask & HCI_LM_ACCEPT)) { 3303 hci_reject_conn(hdev, &ev->bdaddr); 3304 return; 3305 } 3306 3307 hci_dev_lock(hdev); 3308 3309 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, 3310 BDADDR_BREDR)) { 3311 hci_reject_conn(hdev, &ev->bdaddr); 3312 goto unlock; 3313 } 3314 3315 /* Require HCI_CONNECTABLE or an accept list entry to accept the 3316 * connection. These features are only touched through mgmt so 3317 * only do the checks if HCI_MGMT is set. 3318 */ 3319 if (hci_dev_test_flag(hdev, HCI_MGMT) && 3320 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 3321 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, 3322 BDADDR_BREDR)) { 3323 hci_reject_conn(hdev, &ev->bdaddr); 3324 goto unlock; 3325 } 3326 3327 /* Connection accepted */ 3328 3329 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3330 if (ie) 3331 memcpy(ie->data.dev_class, ev->dev_class, 3); 3332 3333 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 3334 &ev->bdaddr); 3335 if (!conn) { 3336 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr, 3337 HCI_ROLE_SLAVE); 3338 if (!conn) { 3339 bt_dev_err(hdev, "no memory for new connection"); 3340 goto unlock; 3341 } 3342 } 3343 3344 memcpy(conn->dev_class, ev->dev_class, 3); 3345 3346 hci_dev_unlock(hdev); 3347 3348 if (ev->link_type == ACL_LINK || 3349 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 3350 struct hci_cp_accept_conn_req cp; 3351 conn->state = BT_CONNECT; 3352 3353 bacpy(&cp.bdaddr, &ev->bdaddr); 3354 3355 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 3356 cp.role = 0x00; /* Become central */ 3357 else 3358 cp.role = 0x01; /* Remain peripheral */ 3359 3360 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 3361 } else if (!(flags & HCI_PROTO_DEFER)) { 3362 struct hci_cp_accept_sync_conn_req cp; 3363 conn->state = BT_CONNECT; 3364 3365 bacpy(&cp.bdaddr, &ev->bdaddr); 3366 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3367 3368 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 3369 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 3370 cp.max_latency = cpu_to_le16(0xffff); 3371 cp.content_format = cpu_to_le16(hdev->voice_setting); 3372 cp.retrans_effort = 0xff; 3373 3374 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 3375 &cp); 3376 } else { 3377 conn->state = BT_CONNECT2; 3378 hci_connect_cfm(conn, 0); 3379 } 3380 3381 return; 3382 unlock: 3383 hci_dev_unlock(hdev); 3384 } 3385 3386 static u8 hci_to_mgmt_reason(u8 err) 3387 { 3388 switch (err) { 3389 case HCI_ERROR_CONNECTION_TIMEOUT: 3390 return MGMT_DEV_DISCONN_TIMEOUT; 3391 case HCI_ERROR_REMOTE_USER_TERM: 3392 case HCI_ERROR_REMOTE_LOW_RESOURCES: 3393 case HCI_ERROR_REMOTE_POWER_OFF: 3394 return MGMT_DEV_DISCONN_REMOTE; 3395 case HCI_ERROR_LOCAL_HOST_TERM: 3396 return MGMT_DEV_DISCONN_LOCAL_HOST; 3397 default: 3398 return MGMT_DEV_DISCONN_UNKNOWN; 3399 } 3400 } 3401 3402 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, 3403 struct sk_buff *skb) 3404 { 3405 struct hci_ev_disconn_complete *ev = data; 3406 u8 reason; 3407 struct hci_conn_params *params; 3408 struct hci_conn *conn; 3409 bool mgmt_connected; 3410 3411 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3412 3413 hci_dev_lock(hdev); 3414 3415 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3416 if (!conn) 3417 goto unlock; 3418 3419 if (ev->status) { 3420 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 3421 conn->dst_type, ev->status); 3422 goto unlock; 3423 } 3424 3425 conn->state = BT_CLOSED; 3426 3427 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 3428 3429 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 3430 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 3431 else 3432 reason = hci_to_mgmt_reason(ev->reason); 3433 3434 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 3435 reason, mgmt_connected); 3436 3437 if (conn->type == ACL_LINK) { 3438 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 3439 hci_remove_link_key(hdev, &conn->dst); 3440 3441 hci_update_scan(hdev); 3442 } 3443 3444 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 3445 if (params) { 3446 switch (params->auto_connect) { 3447 case HCI_AUTO_CONN_LINK_LOSS: 3448 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 3449 break; 3450 fallthrough; 3451 3452 case HCI_AUTO_CONN_DIRECT: 3453 case HCI_AUTO_CONN_ALWAYS: 3454 hci_pend_le_list_del_init(params); 3455 hci_pend_le_list_add(params, &hdev->pend_le_conns); 3456 hci_update_passive_scan(hdev); 3457 break; 3458 3459 default: 3460 break; 3461 } 3462 } 3463 3464 hci_disconn_cfm(conn, ev->reason); 3465 3466 /* Re-enable advertising if necessary, since it might 3467 * have been disabled by the connection. From the 3468 * HCI_LE_Set_Advertise_Enable command description in 3469 * the core specification (v4.0): 3470 * "The Controller shall continue advertising until the Host 3471 * issues an LE_Set_Advertise_Enable command with 3472 * Advertising_Enable set to 0x00 (Advertising is disabled) 3473 * or until a connection is created or until the Advertising 3474 * is timed out due to Directed Advertising." 3475 */ 3476 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 3477 hdev->cur_adv_instance = conn->adv_instance; 3478 hci_enable_advertising(hdev); 3479 } 3480 3481 hci_conn_del(conn); 3482 3483 unlock: 3484 hci_dev_unlock(hdev); 3485 } 3486 3487 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data, 3488 struct sk_buff *skb) 3489 { 3490 struct hci_ev_auth_complete *ev = data; 3491 struct hci_conn *conn; 3492 3493 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3494 3495 hci_dev_lock(hdev); 3496 3497 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3498 if (!conn) 3499 goto unlock; 3500 3501 if (!ev->status) { 3502 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3503 set_bit(HCI_CONN_AUTH, &conn->flags); 3504 conn->sec_level = conn->pending_sec_level; 3505 } else { 3506 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3507 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3508 3509 mgmt_auth_failed(conn, ev->status); 3510 } 3511 3512 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3513 3514 if (conn->state == BT_CONFIG) { 3515 if (!ev->status && hci_conn_ssp_enabled(conn)) { 3516 struct hci_cp_set_conn_encrypt cp; 3517 cp.handle = ev->handle; 3518 cp.encrypt = 0x01; 3519 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3520 &cp); 3521 } else { 3522 conn->state = BT_CONNECTED; 3523 hci_connect_cfm(conn, ev->status); 3524 hci_conn_drop(conn); 3525 } 3526 } else { 3527 hci_auth_cfm(conn, ev->status); 3528 3529 hci_conn_hold(conn); 3530 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3531 hci_conn_drop(conn); 3532 } 3533 3534 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 3535 if (!ev->status) { 3536 struct hci_cp_set_conn_encrypt cp; 3537 cp.handle = ev->handle; 3538 cp.encrypt = 0x01; 3539 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3540 &cp); 3541 } else { 3542 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3543 hci_encrypt_cfm(conn, ev->status); 3544 } 3545 } 3546 3547 unlock: 3548 hci_dev_unlock(hdev); 3549 } 3550 3551 static void hci_remote_name_evt(struct hci_dev *hdev, void *data, 3552 struct sk_buff *skb) 3553 { 3554 struct hci_ev_remote_name *ev = data; 3555 struct hci_conn *conn; 3556 3557 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3558 3559 hci_conn_check_pending(hdev); 3560 3561 hci_dev_lock(hdev); 3562 3563 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3564 3565 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3566 goto check_auth; 3567 3568 if (ev->status == 0) 3569 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 3570 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 3571 else 3572 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 3573 3574 check_auth: 3575 if (!conn) 3576 goto unlock; 3577 3578 if (!hci_outgoing_auth_needed(hdev, conn)) 3579 goto unlock; 3580 3581 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3582 struct hci_cp_auth_requested cp; 3583 3584 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 3585 3586 cp.handle = __cpu_to_le16(conn->handle); 3587 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3588 } 3589 3590 unlock: 3591 hci_dev_unlock(hdev); 3592 } 3593 3594 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, 3595 struct sk_buff *skb) 3596 { 3597 struct hci_ev_encrypt_change *ev = data; 3598 struct hci_conn *conn; 3599 3600 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3601 3602 hci_dev_lock(hdev); 3603 3604 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3605 if (!conn) 3606 goto unlock; 3607 3608 if (!ev->status) { 3609 if (ev->encrypt) { 3610 /* Encryption implies authentication */ 3611 set_bit(HCI_CONN_AUTH, &conn->flags); 3612 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3613 conn->sec_level = conn->pending_sec_level; 3614 3615 /* P-256 authentication key implies FIPS */ 3616 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3617 set_bit(HCI_CONN_FIPS, &conn->flags); 3618 3619 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3620 conn->type == LE_LINK) 3621 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3622 } else { 3623 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3624 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3625 } 3626 } 3627 3628 /* We should disregard the current RPA and generate a new one 3629 * whenever the encryption procedure fails. 3630 */ 3631 if (ev->status && conn->type == LE_LINK) { 3632 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3633 hci_adv_instances_set_rpa_expired(hdev, true); 3634 } 3635 3636 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3637 3638 /* Check link security requirements are met */ 3639 if (!hci_conn_check_link_mode(conn)) 3640 ev->status = HCI_ERROR_AUTH_FAILURE; 3641 3642 if (ev->status && conn->state == BT_CONNECTED) { 3643 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3644 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3645 3646 /* Notify upper layers so they can cleanup before 3647 * disconnecting. 3648 */ 3649 hci_encrypt_cfm(conn, ev->status); 3650 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3651 hci_conn_drop(conn); 3652 goto unlock; 3653 } 3654 3655 /* Try reading the encryption key size for encrypted ACL links */ 3656 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3657 struct hci_cp_read_enc_key_size cp; 3658 3659 /* Only send HCI_Read_Encryption_Key_Size if the 3660 * controller really supports it. If it doesn't, assume 3661 * the default size (16). 3662 */ 3663 if (!(hdev->commands[20] & 0x10)) { 3664 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3665 goto notify; 3666 } 3667 3668 cp.handle = cpu_to_le16(conn->handle); 3669 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, 3670 sizeof(cp), &cp)) { 3671 bt_dev_err(hdev, "sending read key size failed"); 3672 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3673 goto notify; 3674 } 3675 3676 goto unlock; 3677 } 3678 3679 /* Set the default Authenticated Payload Timeout after 3680 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3681 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3682 * sent when the link is active and Encryption is enabled, the conn 3683 * type can be either LE or ACL and controller must support LMP Ping. 3684 * Ensure for AES-CCM encryption as well. 3685 */ 3686 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3687 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3688 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3689 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3690 struct hci_cp_write_auth_payload_to cp; 3691 3692 cp.handle = cpu_to_le16(conn->handle); 3693 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3694 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3695 sizeof(cp), &cp)) 3696 bt_dev_err(hdev, "write auth payload timeout failed"); 3697 } 3698 3699 notify: 3700 hci_encrypt_cfm(conn, ev->status); 3701 3702 unlock: 3703 hci_dev_unlock(hdev); 3704 } 3705 3706 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data, 3707 struct sk_buff *skb) 3708 { 3709 struct hci_ev_change_link_key_complete *ev = data; 3710 struct hci_conn *conn; 3711 3712 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3713 3714 hci_dev_lock(hdev); 3715 3716 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3717 if (conn) { 3718 if (!ev->status) 3719 set_bit(HCI_CONN_SECURE, &conn->flags); 3720 3721 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3722 3723 hci_key_change_cfm(conn, ev->status); 3724 } 3725 3726 hci_dev_unlock(hdev); 3727 } 3728 3729 static void hci_remote_features_evt(struct hci_dev *hdev, void *data, 3730 struct sk_buff *skb) 3731 { 3732 struct hci_ev_remote_features *ev = data; 3733 struct hci_conn *conn; 3734 3735 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3736 3737 hci_dev_lock(hdev); 3738 3739 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3740 if (!conn) 3741 goto unlock; 3742 3743 if (!ev->status) 3744 memcpy(conn->features[0], ev->features, 8); 3745 3746 if (conn->state != BT_CONFIG) 3747 goto unlock; 3748 3749 if (!ev->status && lmp_ext_feat_capable(hdev) && 3750 lmp_ext_feat_capable(conn)) { 3751 struct hci_cp_read_remote_ext_features cp; 3752 cp.handle = ev->handle; 3753 cp.page = 0x01; 3754 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3755 sizeof(cp), &cp); 3756 goto unlock; 3757 } 3758 3759 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3760 struct hci_cp_remote_name_req cp; 3761 memset(&cp, 0, sizeof(cp)); 3762 bacpy(&cp.bdaddr, &conn->dst); 3763 cp.pscan_rep_mode = 0x02; 3764 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3765 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3766 mgmt_device_connected(hdev, conn, NULL, 0); 3767 3768 if (!hci_outgoing_auth_needed(hdev, conn)) { 3769 conn->state = BT_CONNECTED; 3770 hci_connect_cfm(conn, ev->status); 3771 hci_conn_drop(conn); 3772 } 3773 3774 unlock: 3775 hci_dev_unlock(hdev); 3776 } 3777 3778 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3779 { 3780 cancel_delayed_work(&hdev->cmd_timer); 3781 3782 rcu_read_lock(); 3783 if (!test_bit(HCI_RESET, &hdev->flags)) { 3784 if (ncmd) { 3785 cancel_delayed_work(&hdev->ncmd_timer); 3786 atomic_set(&hdev->cmd_cnt, 1); 3787 } else { 3788 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 3789 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer, 3790 HCI_NCMD_TIMEOUT); 3791 } 3792 } 3793 rcu_read_unlock(); 3794 } 3795 3796 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data, 3797 struct sk_buff *skb) 3798 { 3799 struct hci_rp_le_read_buffer_size_v2 *rp = data; 3800 3801 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3802 3803 if (rp->status) 3804 return rp->status; 3805 3806 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu); 3807 hdev->le_pkts = rp->acl_max_pkt; 3808 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu); 3809 hdev->iso_pkts = rp->iso_max_pkt; 3810 3811 hdev->le_cnt = hdev->le_pkts; 3812 hdev->iso_cnt = hdev->iso_pkts; 3813 3814 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu, 3815 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts); 3816 3817 return rp->status; 3818 } 3819 3820 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status) 3821 { 3822 struct hci_conn *conn, *tmp; 3823 3824 lockdep_assert_held(&hdev->lock); 3825 3826 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) { 3827 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) || 3828 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig) 3829 continue; 3830 3831 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 3832 hci_conn_failed(conn, status); 3833 } 3834 } 3835 3836 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data, 3837 struct sk_buff *skb) 3838 { 3839 struct hci_rp_le_set_cig_params *rp = data; 3840 struct hci_cp_le_set_cig_params *cp; 3841 struct hci_conn *conn; 3842 u8 status = rp->status; 3843 bool pending = false; 3844 int i; 3845 3846 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3847 3848 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS); 3849 if (!rp->status && (!cp || rp->num_handles != cp->num_cis || 3850 rp->cig_id != cp->cig_id)) { 3851 bt_dev_err(hdev, "unexpected Set CIG Parameters response data"); 3852 status = HCI_ERROR_UNSPECIFIED; 3853 } 3854 3855 hci_dev_lock(hdev); 3856 3857 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554 3858 * 3859 * If the Status return parameter is non-zero, then the state of the CIG 3860 * and its CIS configurations shall not be changed by the command. If 3861 * the CIG did not already exist, it shall not be created. 3862 */ 3863 if (status) { 3864 /* Keep current configuration, fail only the unbound CIS */ 3865 hci_unbound_cis_failed(hdev, rp->cig_id, status); 3866 goto unlock; 3867 } 3868 3869 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553 3870 * 3871 * If the Status return parameter is zero, then the Controller shall 3872 * set the Connection_Handle arrayed return parameter to the connection 3873 * handle(s) corresponding to the CIS configurations specified in 3874 * the CIS_IDs command parameter, in the same order. 3875 */ 3876 for (i = 0; i < rp->num_handles; ++i) { 3877 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id, 3878 cp->cis[i].cis_id); 3879 if (!conn || !bacmp(&conn->dst, BDADDR_ANY)) 3880 continue; 3881 3882 if (conn->state != BT_BOUND && conn->state != BT_CONNECT) 3883 continue; 3884 3885 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i]))) 3886 continue; 3887 3888 if (conn->state == BT_CONNECT) 3889 pending = true; 3890 } 3891 3892 unlock: 3893 if (pending) 3894 hci_le_create_cis_pending(hdev); 3895 3896 hci_dev_unlock(hdev); 3897 3898 return rp->status; 3899 } 3900 3901 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data, 3902 struct sk_buff *skb) 3903 { 3904 struct hci_rp_le_setup_iso_path *rp = data; 3905 struct hci_cp_le_setup_iso_path *cp; 3906 struct hci_conn *conn; 3907 3908 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3909 3910 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH); 3911 if (!cp) 3912 return rp->status; 3913 3914 hci_dev_lock(hdev); 3915 3916 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 3917 if (!conn) 3918 goto unlock; 3919 3920 if (rp->status) { 3921 hci_connect_cfm(conn, rp->status); 3922 hci_conn_del(conn); 3923 goto unlock; 3924 } 3925 3926 switch (cp->direction) { 3927 /* Input (Host to Controller) */ 3928 case 0x00: 3929 /* Only confirm connection if output only */ 3930 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu) 3931 hci_connect_cfm(conn, rp->status); 3932 break; 3933 /* Output (Controller to Host) */ 3934 case 0x01: 3935 /* Confirm connection since conn->iso_qos is always configured 3936 * last. 3937 */ 3938 hci_connect_cfm(conn, rp->status); 3939 break; 3940 } 3941 3942 unlock: 3943 hci_dev_unlock(hdev); 3944 return rp->status; 3945 } 3946 3947 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status) 3948 { 3949 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3950 } 3951 3952 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data, 3953 struct sk_buff *skb) 3954 { 3955 struct hci_ev_status *rp = data; 3956 struct hci_cp_le_set_per_adv_params *cp; 3957 3958 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3959 3960 if (rp->status) 3961 return rp->status; 3962 3963 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS); 3964 if (!cp) 3965 return rp->status; 3966 3967 /* TODO: set the conn state */ 3968 return rp->status; 3969 } 3970 3971 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, 3972 struct sk_buff *skb) 3973 { 3974 struct hci_ev_status *rp = data; 3975 struct hci_cp_le_set_per_adv_enable *cp; 3976 struct adv_info *adv = NULL, *n; 3977 u8 per_adv_cnt = 0; 3978 3979 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3980 3981 if (rp->status) 3982 return rp->status; 3983 3984 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE); 3985 if (!cp) 3986 return rp->status; 3987 3988 hci_dev_lock(hdev); 3989 3990 adv = hci_find_adv_instance(hdev, cp->handle); 3991 3992 if (cp->enable) { 3993 hci_dev_set_flag(hdev, HCI_LE_PER_ADV); 3994 3995 if (adv) 3996 adv->enabled = true; 3997 } else { 3998 /* If just one instance was disabled check if there are 3999 * any other instance enabled before clearing HCI_LE_PER_ADV. 4000 * The current periodic adv instance will be marked as 4001 * disabled once extended advertising is also disabled. 4002 */ 4003 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 4004 list) { 4005 if (adv->periodic && adv->enabled) 4006 per_adv_cnt++; 4007 } 4008 4009 if (per_adv_cnt > 1) 4010 goto unlock; 4011 4012 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV); 4013 } 4014 4015 unlock: 4016 hci_dev_unlock(hdev); 4017 4018 return rp->status; 4019 } 4020 4021 #define HCI_CC_VL(_op, _func, _min, _max) \ 4022 { \ 4023 .op = _op, \ 4024 .func = _func, \ 4025 .min_len = _min, \ 4026 .max_len = _max, \ 4027 } 4028 4029 #define HCI_CC(_op, _func, _len) \ 4030 HCI_CC_VL(_op, _func, _len, _len) 4031 4032 #define HCI_CC_STATUS(_op, _func) \ 4033 HCI_CC(_op, _func, sizeof(struct hci_ev_status)) 4034 4035 static const struct hci_cc { 4036 u16 op; 4037 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 4038 u16 min_len; 4039 u16 max_len; 4040 } hci_cc_table[] = { 4041 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel), 4042 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq), 4043 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq), 4044 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL, 4045 hci_cc_remote_name_req_cancel), 4046 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery, 4047 sizeof(struct hci_rp_role_discovery)), 4048 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy, 4049 sizeof(struct hci_rp_read_link_policy)), 4050 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy, 4051 sizeof(struct hci_rp_write_link_policy)), 4052 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy, 4053 sizeof(struct hci_rp_read_def_link_policy)), 4054 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY, 4055 hci_cc_write_def_link_policy), 4056 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset), 4057 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key, 4058 sizeof(struct hci_rp_read_stored_link_key)), 4059 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key, 4060 sizeof(struct hci_rp_delete_stored_link_key)), 4061 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name), 4062 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name, 4063 sizeof(struct hci_rp_read_local_name)), 4064 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable), 4065 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode), 4066 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable), 4067 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter), 4068 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev, 4069 sizeof(struct hci_rp_read_class_of_dev)), 4070 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev), 4071 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting, 4072 sizeof(struct hci_rp_read_voice_setting)), 4073 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting), 4074 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac, 4075 sizeof(struct hci_rp_read_num_supported_iac)), 4076 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode), 4077 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support), 4078 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout, 4079 sizeof(struct hci_rp_read_auth_payload_to)), 4080 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout, 4081 sizeof(struct hci_rp_write_auth_payload_to)), 4082 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version, 4083 sizeof(struct hci_rp_read_local_version)), 4084 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands, 4085 sizeof(struct hci_rp_read_local_commands)), 4086 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features, 4087 sizeof(struct hci_rp_read_local_features)), 4088 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features, 4089 sizeof(struct hci_rp_read_local_ext_features)), 4090 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size, 4091 sizeof(struct hci_rp_read_buffer_size)), 4092 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr, 4093 sizeof(struct hci_rp_read_bd_addr)), 4094 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts, 4095 sizeof(struct hci_rp_read_local_pairing_opts)), 4096 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity, 4097 sizeof(struct hci_rp_read_page_scan_activity)), 4098 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, 4099 hci_cc_write_page_scan_activity), 4100 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, 4101 sizeof(struct hci_rp_read_page_scan_type)), 4102 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), 4103 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size, 4104 sizeof(struct hci_rp_read_data_block_size)), 4105 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode, 4106 sizeof(struct hci_rp_read_flow_control_mode)), 4107 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info, 4108 sizeof(struct hci_rp_read_local_amp_info)), 4109 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, 4110 sizeof(struct hci_rp_read_clock)), 4111 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, 4112 sizeof(struct hci_rp_read_enc_key_size)), 4113 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power, 4114 sizeof(struct hci_rp_read_inq_rsp_tx_power)), 4115 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING, 4116 hci_cc_read_def_err_data_reporting, 4117 sizeof(struct hci_rp_read_def_err_data_reporting)), 4118 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING, 4119 hci_cc_write_def_err_data_reporting), 4120 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply, 4121 sizeof(struct hci_rp_pin_code_reply)), 4122 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply, 4123 sizeof(struct hci_rp_pin_code_neg_reply)), 4124 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data, 4125 sizeof(struct hci_rp_read_local_oob_data)), 4126 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data, 4127 sizeof(struct hci_rp_read_local_oob_ext_data)), 4128 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size, 4129 sizeof(struct hci_rp_le_read_buffer_size)), 4130 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features, 4131 sizeof(struct hci_rp_le_read_local_features)), 4132 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power, 4133 sizeof(struct hci_rp_le_read_adv_tx_power)), 4134 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply, 4135 sizeof(struct hci_rp_user_confirm_reply)), 4136 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply, 4137 sizeof(struct hci_rp_user_confirm_reply)), 4138 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply, 4139 sizeof(struct hci_rp_user_confirm_reply)), 4140 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply, 4141 sizeof(struct hci_rp_user_confirm_reply)), 4142 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr), 4143 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable), 4144 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param), 4145 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable), 4146 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE, 4147 hci_cc_le_read_accept_list_size, 4148 sizeof(struct hci_rp_le_read_accept_list_size)), 4149 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list), 4150 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST, 4151 hci_cc_le_add_to_accept_list), 4152 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST, 4153 hci_cc_le_del_from_accept_list), 4154 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states, 4155 sizeof(struct hci_rp_le_read_supported_states)), 4156 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len, 4157 sizeof(struct hci_rp_le_read_def_data_len)), 4158 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN, 4159 hci_cc_le_write_def_data_len), 4160 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST, 4161 hci_cc_le_add_to_resolv_list), 4162 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST, 4163 hci_cc_le_del_from_resolv_list), 4164 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST, 4165 hci_cc_le_clear_resolv_list), 4166 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size, 4167 sizeof(struct hci_rp_le_read_resolv_list_size)), 4168 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 4169 hci_cc_le_set_addr_resolution_enable), 4170 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len, 4171 sizeof(struct hci_rp_le_read_max_data_len)), 4172 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED, 4173 hci_cc_write_le_host_supported), 4174 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param), 4175 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi, 4176 sizeof(struct hci_rp_read_rssi)), 4177 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power, 4178 sizeof(struct hci_rp_read_tx_power)), 4179 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode), 4180 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS, 4181 hci_cc_le_set_ext_scan_param), 4182 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE, 4183 hci_cc_le_set_ext_scan_enable), 4184 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy), 4185 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, 4186 hci_cc_le_read_num_adv_sets, 4187 sizeof(struct hci_rp_le_read_num_supported_adv_sets)), 4188 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, 4189 sizeof(struct hci_rp_le_set_ext_adv_params)), 4190 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, 4191 hci_cc_le_set_ext_adv_enable), 4192 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, 4193 hci_cc_le_set_adv_set_random_addr), 4194 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set), 4195 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets), 4196 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param), 4197 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE, 4198 hci_cc_le_set_per_adv_enable), 4199 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power, 4200 sizeof(struct hci_rp_le_read_transmit_power)), 4201 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode), 4202 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2, 4203 sizeof(struct hci_rp_le_read_buffer_size_v2)), 4204 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params, 4205 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE), 4206 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path, 4207 sizeof(struct hci_rp_le_setup_iso_path)), 4208 }; 4209 4210 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc, 4211 struct sk_buff *skb) 4212 { 4213 void *data; 4214 4215 if (skb->len < cc->min_len) { 4216 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u", 4217 cc->op, skb->len, cc->min_len); 4218 return HCI_ERROR_UNSPECIFIED; 4219 } 4220 4221 /* Just warn if the length is over max_len size it still be possible to 4222 * partially parse the cc so leave to callback to decide if that is 4223 * acceptable. 4224 */ 4225 if (skb->len > cc->max_len) 4226 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u", 4227 cc->op, skb->len, cc->max_len); 4228 4229 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len); 4230 if (!data) 4231 return HCI_ERROR_UNSPECIFIED; 4232 4233 return cc->func(hdev, data, skb); 4234 } 4235 4236 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, 4237 struct sk_buff *skb, u16 *opcode, u8 *status, 4238 hci_req_complete_t *req_complete, 4239 hci_req_complete_skb_t *req_complete_skb) 4240 { 4241 struct hci_ev_cmd_complete *ev = data; 4242 int i; 4243 4244 *opcode = __le16_to_cpu(ev->opcode); 4245 4246 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4247 4248 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) { 4249 if (hci_cc_table[i].op == *opcode) { 4250 *status = hci_cc_func(hdev, &hci_cc_table[i], skb); 4251 break; 4252 } 4253 } 4254 4255 if (i == ARRAY_SIZE(hci_cc_table)) { 4256 /* Unknown opcode, assume byte 0 contains the status, so 4257 * that e.g. __hci_cmd_sync() properly returns errors 4258 * for vendor specific commands send by HCI drivers. 4259 * If a vendor doesn't actually follow this convention we may 4260 * need to introduce a vendor CC table in order to properly set 4261 * the status. 4262 */ 4263 *status = skb->data[0]; 4264 } 4265 4266 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4267 4268 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 4269 req_complete_skb); 4270 4271 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4272 bt_dev_err(hdev, 4273 "unexpected event for opcode 0x%4.4x", *opcode); 4274 return; 4275 } 4276 4277 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4278 queue_work(hdev->workqueue, &hdev->cmd_work); 4279 } 4280 4281 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) 4282 { 4283 struct hci_cp_le_create_cis *cp; 4284 bool pending = false; 4285 int i; 4286 4287 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4288 4289 if (!status) 4290 return; 4291 4292 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS); 4293 if (!cp) 4294 return; 4295 4296 hci_dev_lock(hdev); 4297 4298 /* Remove connection if command failed */ 4299 for (i = 0; cp->num_cis; cp->num_cis--, i++) { 4300 struct hci_conn *conn; 4301 u16 handle; 4302 4303 handle = __le16_to_cpu(cp->cis[i].cis_handle); 4304 4305 conn = hci_conn_hash_lookup_handle(hdev, handle); 4306 if (conn) { 4307 if (test_and_clear_bit(HCI_CONN_CREATE_CIS, 4308 &conn->flags)) 4309 pending = true; 4310 conn->state = BT_CLOSED; 4311 hci_connect_cfm(conn, status); 4312 hci_conn_del(conn); 4313 } 4314 } 4315 4316 if (pending) 4317 hci_le_create_cis_pending(hdev); 4318 4319 hci_dev_unlock(hdev); 4320 } 4321 4322 #define HCI_CS(_op, _func) \ 4323 { \ 4324 .op = _op, \ 4325 .func = _func, \ 4326 } 4327 4328 static const struct hci_cs { 4329 u16 op; 4330 void (*func)(struct hci_dev *hdev, __u8 status); 4331 } hci_cs_table[] = { 4332 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry), 4333 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn), 4334 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect), 4335 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco), 4336 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested), 4337 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt), 4338 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req), 4339 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features), 4340 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES, 4341 hci_cs_read_remote_ext_features), 4342 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn), 4343 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN, 4344 hci_cs_enhanced_setup_sync_conn), 4345 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode), 4346 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode), 4347 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role), 4348 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn), 4349 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features), 4350 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc), 4351 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn), 4352 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis), 4353 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big), 4354 }; 4355 4356 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data, 4357 struct sk_buff *skb, u16 *opcode, u8 *status, 4358 hci_req_complete_t *req_complete, 4359 hci_req_complete_skb_t *req_complete_skb) 4360 { 4361 struct hci_ev_cmd_status *ev = data; 4362 int i; 4363 4364 *opcode = __le16_to_cpu(ev->opcode); 4365 *status = ev->status; 4366 4367 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4368 4369 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) { 4370 if (hci_cs_table[i].op == *opcode) { 4371 hci_cs_table[i].func(hdev, ev->status); 4372 break; 4373 } 4374 } 4375 4376 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4377 4378 /* Indicate request completion if the command failed. Also, if 4379 * we're not waiting for a special event and we get a success 4380 * command status we should try to flag the request as completed 4381 * (since for this kind of commands there will not be a command 4382 * complete event). 4383 */ 4384 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) { 4385 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 4386 req_complete_skb); 4387 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4388 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x", 4389 *opcode); 4390 return; 4391 } 4392 } 4393 4394 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4395 queue_work(hdev->workqueue, &hdev->cmd_work); 4396 } 4397 4398 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data, 4399 struct sk_buff *skb) 4400 { 4401 struct hci_ev_hardware_error *ev = data; 4402 4403 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code); 4404 4405 hdev->hw_error_code = ev->code; 4406 4407 queue_work(hdev->req_workqueue, &hdev->error_reset); 4408 } 4409 4410 static void hci_role_change_evt(struct hci_dev *hdev, void *data, 4411 struct sk_buff *skb) 4412 { 4413 struct hci_ev_role_change *ev = data; 4414 struct hci_conn *conn; 4415 4416 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4417 4418 hci_dev_lock(hdev); 4419 4420 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4421 if (conn) { 4422 if (!ev->status) 4423 conn->role = ev->role; 4424 4425 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 4426 4427 hci_role_switch_cfm(conn, ev->status, ev->role); 4428 } 4429 4430 hci_dev_unlock(hdev); 4431 } 4432 4433 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, 4434 struct sk_buff *skb) 4435 { 4436 struct hci_ev_num_comp_pkts *ev = data; 4437 int i; 4438 4439 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, 4440 flex_array_size(ev, handles, ev->num))) 4441 return; 4442 4443 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 4444 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 4445 return; 4446 } 4447 4448 bt_dev_dbg(hdev, "num %d", ev->num); 4449 4450 for (i = 0; i < ev->num; i++) { 4451 struct hci_comp_pkts_info *info = &ev->handles[i]; 4452 struct hci_conn *conn; 4453 __u16 handle, count; 4454 4455 handle = __le16_to_cpu(info->handle); 4456 count = __le16_to_cpu(info->count); 4457 4458 conn = hci_conn_hash_lookup_handle(hdev, handle); 4459 if (!conn) 4460 continue; 4461 4462 conn->sent -= count; 4463 4464 switch (conn->type) { 4465 case ACL_LINK: 4466 hdev->acl_cnt += count; 4467 if (hdev->acl_cnt > hdev->acl_pkts) 4468 hdev->acl_cnt = hdev->acl_pkts; 4469 break; 4470 4471 case LE_LINK: 4472 if (hdev->le_pkts) { 4473 hdev->le_cnt += count; 4474 if (hdev->le_cnt > hdev->le_pkts) 4475 hdev->le_cnt = hdev->le_pkts; 4476 } else { 4477 hdev->acl_cnt += count; 4478 if (hdev->acl_cnt > hdev->acl_pkts) 4479 hdev->acl_cnt = hdev->acl_pkts; 4480 } 4481 break; 4482 4483 case SCO_LINK: 4484 hdev->sco_cnt += count; 4485 if (hdev->sco_cnt > hdev->sco_pkts) 4486 hdev->sco_cnt = hdev->sco_pkts; 4487 break; 4488 4489 case ISO_LINK: 4490 if (hdev->iso_pkts) { 4491 hdev->iso_cnt += count; 4492 if (hdev->iso_cnt > hdev->iso_pkts) 4493 hdev->iso_cnt = hdev->iso_pkts; 4494 } else if (hdev->le_pkts) { 4495 hdev->le_cnt += count; 4496 if (hdev->le_cnt > hdev->le_pkts) 4497 hdev->le_cnt = hdev->le_pkts; 4498 } else { 4499 hdev->acl_cnt += count; 4500 if (hdev->acl_cnt > hdev->acl_pkts) 4501 hdev->acl_cnt = hdev->acl_pkts; 4502 } 4503 break; 4504 4505 default: 4506 bt_dev_err(hdev, "unknown type %d conn %p", 4507 conn->type, conn); 4508 break; 4509 } 4510 } 4511 4512 queue_work(hdev->workqueue, &hdev->tx_work); 4513 } 4514 4515 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 4516 __u16 handle) 4517 { 4518 struct hci_chan *chan; 4519 4520 switch (hdev->dev_type) { 4521 case HCI_PRIMARY: 4522 return hci_conn_hash_lookup_handle(hdev, handle); 4523 case HCI_AMP: 4524 chan = hci_chan_lookup_handle(hdev, handle); 4525 if (chan) 4526 return chan->conn; 4527 break; 4528 default: 4529 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 4530 break; 4531 } 4532 4533 return NULL; 4534 } 4535 4536 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data, 4537 struct sk_buff *skb) 4538 { 4539 struct hci_ev_num_comp_blocks *ev = data; 4540 int i; 4541 4542 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS, 4543 flex_array_size(ev, handles, ev->num_hndl))) 4544 return; 4545 4546 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 4547 bt_dev_err(hdev, "wrong event for mode %d", 4548 hdev->flow_ctl_mode); 4549 return; 4550 } 4551 4552 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks, 4553 ev->num_hndl); 4554 4555 for (i = 0; i < ev->num_hndl; i++) { 4556 struct hci_comp_blocks_info *info = &ev->handles[i]; 4557 struct hci_conn *conn = NULL; 4558 __u16 handle, block_count; 4559 4560 handle = __le16_to_cpu(info->handle); 4561 block_count = __le16_to_cpu(info->blocks); 4562 4563 conn = __hci_conn_lookup_handle(hdev, handle); 4564 if (!conn) 4565 continue; 4566 4567 conn->sent -= block_count; 4568 4569 switch (conn->type) { 4570 case ACL_LINK: 4571 case AMP_LINK: 4572 hdev->block_cnt += block_count; 4573 if (hdev->block_cnt > hdev->num_blocks) 4574 hdev->block_cnt = hdev->num_blocks; 4575 break; 4576 4577 default: 4578 bt_dev_err(hdev, "unknown type %d conn %p", 4579 conn->type, conn); 4580 break; 4581 } 4582 } 4583 4584 queue_work(hdev->workqueue, &hdev->tx_work); 4585 } 4586 4587 static void hci_mode_change_evt(struct hci_dev *hdev, void *data, 4588 struct sk_buff *skb) 4589 { 4590 struct hci_ev_mode_change *ev = data; 4591 struct hci_conn *conn; 4592 4593 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4594 4595 hci_dev_lock(hdev); 4596 4597 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4598 if (conn) { 4599 conn->mode = ev->mode; 4600 4601 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 4602 &conn->flags)) { 4603 if (conn->mode == HCI_CM_ACTIVE) 4604 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4605 else 4606 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4607 } 4608 4609 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4610 hci_sco_setup(conn, ev->status); 4611 } 4612 4613 hci_dev_unlock(hdev); 4614 } 4615 4616 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data, 4617 struct sk_buff *skb) 4618 { 4619 struct hci_ev_pin_code_req *ev = data; 4620 struct hci_conn *conn; 4621 4622 bt_dev_dbg(hdev, ""); 4623 4624 hci_dev_lock(hdev); 4625 4626 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4627 if (!conn) 4628 goto unlock; 4629 4630 if (conn->state == BT_CONNECTED) { 4631 hci_conn_hold(conn); 4632 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4633 hci_conn_drop(conn); 4634 } 4635 4636 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4637 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4638 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4639 sizeof(ev->bdaddr), &ev->bdaddr); 4640 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4641 u8 secure; 4642 4643 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4644 secure = 1; 4645 else 4646 secure = 0; 4647 4648 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4649 } 4650 4651 unlock: 4652 hci_dev_unlock(hdev); 4653 } 4654 4655 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4656 { 4657 if (key_type == HCI_LK_CHANGED_COMBINATION) 4658 return; 4659 4660 conn->pin_length = pin_len; 4661 conn->key_type = key_type; 4662 4663 switch (key_type) { 4664 case HCI_LK_LOCAL_UNIT: 4665 case HCI_LK_REMOTE_UNIT: 4666 case HCI_LK_DEBUG_COMBINATION: 4667 return; 4668 case HCI_LK_COMBINATION: 4669 if (pin_len == 16) 4670 conn->pending_sec_level = BT_SECURITY_HIGH; 4671 else 4672 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4673 break; 4674 case HCI_LK_UNAUTH_COMBINATION_P192: 4675 case HCI_LK_UNAUTH_COMBINATION_P256: 4676 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4677 break; 4678 case HCI_LK_AUTH_COMBINATION_P192: 4679 conn->pending_sec_level = BT_SECURITY_HIGH; 4680 break; 4681 case HCI_LK_AUTH_COMBINATION_P256: 4682 conn->pending_sec_level = BT_SECURITY_FIPS; 4683 break; 4684 } 4685 } 4686 4687 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data, 4688 struct sk_buff *skb) 4689 { 4690 struct hci_ev_link_key_req *ev = data; 4691 struct hci_cp_link_key_reply cp; 4692 struct hci_conn *conn; 4693 struct link_key *key; 4694 4695 bt_dev_dbg(hdev, ""); 4696 4697 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4698 return; 4699 4700 hci_dev_lock(hdev); 4701 4702 key = hci_find_link_key(hdev, &ev->bdaddr); 4703 if (!key) { 4704 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr); 4705 goto not_found; 4706 } 4707 4708 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr); 4709 4710 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4711 if (conn) { 4712 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4713 4714 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4715 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4716 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4717 bt_dev_dbg(hdev, "ignoring unauthenticated key"); 4718 goto not_found; 4719 } 4720 4721 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4722 (conn->pending_sec_level == BT_SECURITY_HIGH || 4723 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4724 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security"); 4725 goto not_found; 4726 } 4727 4728 conn_set_key(conn, key->type, key->pin_len); 4729 } 4730 4731 bacpy(&cp.bdaddr, &ev->bdaddr); 4732 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4733 4734 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4735 4736 hci_dev_unlock(hdev); 4737 4738 return; 4739 4740 not_found: 4741 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4742 hci_dev_unlock(hdev); 4743 } 4744 4745 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, 4746 struct sk_buff *skb) 4747 { 4748 struct hci_ev_link_key_notify *ev = data; 4749 struct hci_conn *conn; 4750 struct link_key *key; 4751 bool persistent; 4752 u8 pin_len = 0; 4753 4754 bt_dev_dbg(hdev, ""); 4755 4756 hci_dev_lock(hdev); 4757 4758 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4759 if (!conn) 4760 goto unlock; 4761 4762 /* Ignore NULL link key against CVE-2020-26555 */ 4763 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { 4764 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", 4765 &ev->bdaddr); 4766 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4767 hci_conn_drop(conn); 4768 goto unlock; 4769 } 4770 4771 hci_conn_hold(conn); 4772 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4773 hci_conn_drop(conn); 4774 4775 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4776 conn_set_key(conn, ev->key_type, conn->pin_length); 4777 4778 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4779 goto unlock; 4780 4781 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4782 ev->key_type, pin_len, &persistent); 4783 if (!key) 4784 goto unlock; 4785 4786 /* Update connection information since adding the key will have 4787 * fixed up the type in the case of changed combination keys. 4788 */ 4789 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4790 conn_set_key(conn, key->type, key->pin_len); 4791 4792 mgmt_new_link_key(hdev, key, persistent); 4793 4794 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4795 * is set. If it's not set simply remove the key from the kernel 4796 * list (we've still notified user space about it but with 4797 * store_hint being 0). 4798 */ 4799 if (key->type == HCI_LK_DEBUG_COMBINATION && 4800 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4801 list_del_rcu(&key->list); 4802 kfree_rcu(key, rcu); 4803 goto unlock; 4804 } 4805 4806 if (persistent) 4807 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4808 else 4809 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4810 4811 unlock: 4812 hci_dev_unlock(hdev); 4813 } 4814 4815 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data, 4816 struct sk_buff *skb) 4817 { 4818 struct hci_ev_clock_offset *ev = data; 4819 struct hci_conn *conn; 4820 4821 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4822 4823 hci_dev_lock(hdev); 4824 4825 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4826 if (conn && !ev->status) { 4827 struct inquiry_entry *ie; 4828 4829 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4830 if (ie) { 4831 ie->data.clock_offset = ev->clock_offset; 4832 ie->timestamp = jiffies; 4833 } 4834 } 4835 4836 hci_dev_unlock(hdev); 4837 } 4838 4839 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data, 4840 struct sk_buff *skb) 4841 { 4842 struct hci_ev_pkt_type_change *ev = data; 4843 struct hci_conn *conn; 4844 4845 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4846 4847 hci_dev_lock(hdev); 4848 4849 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4850 if (conn && !ev->status) 4851 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4852 4853 hci_dev_unlock(hdev); 4854 } 4855 4856 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data, 4857 struct sk_buff *skb) 4858 { 4859 struct hci_ev_pscan_rep_mode *ev = data; 4860 struct inquiry_entry *ie; 4861 4862 bt_dev_dbg(hdev, ""); 4863 4864 hci_dev_lock(hdev); 4865 4866 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4867 if (ie) { 4868 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4869 ie->timestamp = jiffies; 4870 } 4871 4872 hci_dev_unlock(hdev); 4873 } 4874 4875 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata, 4876 struct sk_buff *skb) 4877 { 4878 struct hci_ev_inquiry_result_rssi *ev = edata; 4879 struct inquiry_data data; 4880 int i; 4881 4882 bt_dev_dbg(hdev, "num_rsp %d", ev->num); 4883 4884 if (!ev->num) 4885 return; 4886 4887 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4888 return; 4889 4890 hci_dev_lock(hdev); 4891 4892 if (skb->len == array_size(ev->num, 4893 sizeof(struct inquiry_info_rssi_pscan))) { 4894 struct inquiry_info_rssi_pscan *info; 4895 4896 for (i = 0; i < ev->num; i++) { 4897 u32 flags; 4898 4899 info = hci_ev_skb_pull(hdev, skb, 4900 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4901 sizeof(*info)); 4902 if (!info) { 4903 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4904 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4905 goto unlock; 4906 } 4907 4908 bacpy(&data.bdaddr, &info->bdaddr); 4909 data.pscan_rep_mode = info->pscan_rep_mode; 4910 data.pscan_period_mode = info->pscan_period_mode; 4911 data.pscan_mode = info->pscan_mode; 4912 memcpy(data.dev_class, info->dev_class, 3); 4913 data.clock_offset = info->clock_offset; 4914 data.rssi = info->rssi; 4915 data.ssp_mode = 0x00; 4916 4917 flags = hci_inquiry_cache_update(hdev, &data, false); 4918 4919 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4920 info->dev_class, info->rssi, 4921 flags, NULL, 0, NULL, 0, 0); 4922 } 4923 } else if (skb->len == array_size(ev->num, 4924 sizeof(struct inquiry_info_rssi))) { 4925 struct inquiry_info_rssi *info; 4926 4927 for (i = 0; i < ev->num; i++) { 4928 u32 flags; 4929 4930 info = hci_ev_skb_pull(hdev, skb, 4931 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4932 sizeof(*info)); 4933 if (!info) { 4934 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4935 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4936 goto unlock; 4937 } 4938 4939 bacpy(&data.bdaddr, &info->bdaddr); 4940 data.pscan_rep_mode = info->pscan_rep_mode; 4941 data.pscan_period_mode = info->pscan_period_mode; 4942 data.pscan_mode = 0x00; 4943 memcpy(data.dev_class, info->dev_class, 3); 4944 data.clock_offset = info->clock_offset; 4945 data.rssi = info->rssi; 4946 data.ssp_mode = 0x00; 4947 4948 flags = hci_inquiry_cache_update(hdev, &data, false); 4949 4950 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4951 info->dev_class, info->rssi, 4952 flags, NULL, 0, NULL, 0, 0); 4953 } 4954 } else { 4955 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4956 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4957 } 4958 unlock: 4959 hci_dev_unlock(hdev); 4960 } 4961 4962 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data, 4963 struct sk_buff *skb) 4964 { 4965 struct hci_ev_remote_ext_features *ev = data; 4966 struct hci_conn *conn; 4967 4968 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4969 4970 hci_dev_lock(hdev); 4971 4972 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4973 if (!conn) 4974 goto unlock; 4975 4976 if (ev->page < HCI_MAX_PAGES) 4977 memcpy(conn->features[ev->page], ev->features, 8); 4978 4979 if (!ev->status && ev->page == 0x01) { 4980 struct inquiry_entry *ie; 4981 4982 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4983 if (ie) 4984 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4985 4986 if (ev->features[0] & LMP_HOST_SSP) { 4987 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4988 } else { 4989 /* It is mandatory by the Bluetooth specification that 4990 * Extended Inquiry Results are only used when Secure 4991 * Simple Pairing is enabled, but some devices violate 4992 * this. 4993 * 4994 * To make these devices work, the internal SSP 4995 * enabled flag needs to be cleared if the remote host 4996 * features do not indicate SSP support */ 4997 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4998 } 4999 5000 if (ev->features[0] & LMP_HOST_SC) 5001 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 5002 } 5003 5004 if (conn->state != BT_CONFIG) 5005 goto unlock; 5006 5007 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 5008 struct hci_cp_remote_name_req cp; 5009 memset(&cp, 0, sizeof(cp)); 5010 bacpy(&cp.bdaddr, &conn->dst); 5011 cp.pscan_rep_mode = 0x02; 5012 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 5013 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5014 mgmt_device_connected(hdev, conn, NULL, 0); 5015 5016 if (!hci_outgoing_auth_needed(hdev, conn)) { 5017 conn->state = BT_CONNECTED; 5018 hci_connect_cfm(conn, ev->status); 5019 hci_conn_drop(conn); 5020 } 5021 5022 unlock: 5023 hci_dev_unlock(hdev); 5024 } 5025 5026 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, 5027 struct sk_buff *skb) 5028 { 5029 struct hci_ev_sync_conn_complete *ev = data; 5030 struct hci_conn *conn; 5031 u8 status = ev->status; 5032 5033 switch (ev->link_type) { 5034 case SCO_LINK: 5035 case ESCO_LINK: 5036 break; 5037 default: 5038 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type 5039 * for HCI_Synchronous_Connection_Complete is limited to 5040 * either SCO or eSCO 5041 */ 5042 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type"); 5043 return; 5044 } 5045 5046 bt_dev_dbg(hdev, "status 0x%2.2x", status); 5047 5048 hci_dev_lock(hdev); 5049 5050 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 5051 if (!conn) { 5052 if (ev->link_type == ESCO_LINK) 5053 goto unlock; 5054 5055 /* When the link type in the event indicates SCO connection 5056 * and lookup of the connection object fails, then check 5057 * if an eSCO connection object exists. 5058 * 5059 * The core limits the synchronous connections to either 5060 * SCO or eSCO. The eSCO connection is preferred and tried 5061 * to be setup first and until successfully established, 5062 * the link type will be hinted as eSCO. 5063 */ 5064 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 5065 if (!conn) 5066 goto unlock; 5067 } 5068 5069 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. 5070 * Processing it more than once per connection can corrupt kernel memory. 5071 * 5072 * As the connection handle is set here for the first time, it indicates 5073 * whether the connection is already set up. 5074 */ 5075 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5076 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection"); 5077 goto unlock; 5078 } 5079 5080 switch (status) { 5081 case 0x00: 5082 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 5083 if (status) { 5084 conn->state = BT_CLOSED; 5085 break; 5086 } 5087 5088 conn->state = BT_CONNECTED; 5089 conn->type = ev->link_type; 5090 5091 hci_debugfs_create_conn(conn); 5092 hci_conn_add_sysfs(conn); 5093 break; 5094 5095 case 0x10: /* Connection Accept Timeout */ 5096 case 0x0d: /* Connection Rejected due to Limited Resources */ 5097 case 0x11: /* Unsupported Feature or Parameter Value */ 5098 case 0x1c: /* SCO interval rejected */ 5099 case 0x1a: /* Unsupported Remote Feature */ 5100 case 0x1e: /* Invalid LMP Parameters */ 5101 case 0x1f: /* Unspecified error */ 5102 case 0x20: /* Unsupported LMP Parameter value */ 5103 if (conn->out) { 5104 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 5105 (hdev->esco_type & EDR_ESCO_MASK); 5106 if (hci_setup_sync(conn, conn->parent->handle)) 5107 goto unlock; 5108 } 5109 fallthrough; 5110 5111 default: 5112 conn->state = BT_CLOSED; 5113 break; 5114 } 5115 5116 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 5117 /* Notify only in case of SCO over HCI transport data path which 5118 * is zero and non-zero value shall be non-HCI transport data path 5119 */ 5120 if (conn->codec.data_path == 0 && hdev->notify) { 5121 switch (ev->air_mode) { 5122 case 0x02: 5123 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 5124 break; 5125 case 0x03: 5126 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 5127 break; 5128 } 5129 } 5130 5131 hci_connect_cfm(conn, status); 5132 if (status) 5133 hci_conn_del(conn); 5134 5135 unlock: 5136 hci_dev_unlock(hdev); 5137 } 5138 5139 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 5140 { 5141 size_t parsed = 0; 5142 5143 while (parsed < eir_len) { 5144 u8 field_len = eir[0]; 5145 5146 if (field_len == 0) 5147 return parsed; 5148 5149 parsed += field_len + 1; 5150 eir += field_len + 1; 5151 } 5152 5153 return eir_len; 5154 } 5155 5156 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata, 5157 struct sk_buff *skb) 5158 { 5159 struct hci_ev_ext_inquiry_result *ev = edata; 5160 struct inquiry_data data; 5161 size_t eir_len; 5162 int i; 5163 5164 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT, 5165 flex_array_size(ev, info, ev->num))) 5166 return; 5167 5168 bt_dev_dbg(hdev, "num %d", ev->num); 5169 5170 if (!ev->num) 5171 return; 5172 5173 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 5174 return; 5175 5176 hci_dev_lock(hdev); 5177 5178 for (i = 0; i < ev->num; i++) { 5179 struct extended_inquiry_info *info = &ev->info[i]; 5180 u32 flags; 5181 bool name_known; 5182 5183 bacpy(&data.bdaddr, &info->bdaddr); 5184 data.pscan_rep_mode = info->pscan_rep_mode; 5185 data.pscan_period_mode = info->pscan_period_mode; 5186 data.pscan_mode = 0x00; 5187 memcpy(data.dev_class, info->dev_class, 3); 5188 data.clock_offset = info->clock_offset; 5189 data.rssi = info->rssi; 5190 data.ssp_mode = 0x01; 5191 5192 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5193 name_known = eir_get_data(info->data, 5194 sizeof(info->data), 5195 EIR_NAME_COMPLETE, NULL); 5196 else 5197 name_known = true; 5198 5199 flags = hci_inquiry_cache_update(hdev, &data, name_known); 5200 5201 eir_len = eir_get_length(info->data, sizeof(info->data)); 5202 5203 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 5204 info->dev_class, info->rssi, 5205 flags, info->data, eir_len, NULL, 0, 0); 5206 } 5207 5208 hci_dev_unlock(hdev); 5209 } 5210 5211 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, 5212 struct sk_buff *skb) 5213 { 5214 struct hci_ev_key_refresh_complete *ev = data; 5215 struct hci_conn *conn; 5216 5217 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status, 5218 __le16_to_cpu(ev->handle)); 5219 5220 hci_dev_lock(hdev); 5221 5222 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5223 if (!conn) 5224 goto unlock; 5225 5226 /* For BR/EDR the necessary steps are taken through the 5227 * auth_complete event. 5228 */ 5229 if (conn->type != LE_LINK) 5230 goto unlock; 5231 5232 if (!ev->status) 5233 conn->sec_level = conn->pending_sec_level; 5234 5235 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 5236 5237 if (ev->status && conn->state == BT_CONNECTED) { 5238 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 5239 hci_conn_drop(conn); 5240 goto unlock; 5241 } 5242 5243 if (conn->state == BT_CONFIG) { 5244 if (!ev->status) 5245 conn->state = BT_CONNECTED; 5246 5247 hci_connect_cfm(conn, ev->status); 5248 hci_conn_drop(conn); 5249 } else { 5250 hci_auth_cfm(conn, ev->status); 5251 5252 hci_conn_hold(conn); 5253 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 5254 hci_conn_drop(conn); 5255 } 5256 5257 unlock: 5258 hci_dev_unlock(hdev); 5259 } 5260 5261 static u8 hci_get_auth_req(struct hci_conn *conn) 5262 { 5263 /* If remote requests no-bonding follow that lead */ 5264 if (conn->remote_auth == HCI_AT_NO_BONDING || 5265 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 5266 return conn->remote_auth | (conn->auth_type & 0x01); 5267 5268 /* If both remote and local have enough IO capabilities, require 5269 * MITM protection 5270 */ 5271 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 5272 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 5273 return conn->remote_auth | 0x01; 5274 5275 /* No MITM protection possible so ignore remote requirement */ 5276 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 5277 } 5278 5279 static u8 bredr_oob_data_present(struct hci_conn *conn) 5280 { 5281 struct hci_dev *hdev = conn->hdev; 5282 struct oob_data *data; 5283 5284 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 5285 if (!data) 5286 return 0x00; 5287 5288 if (bredr_sc_enabled(hdev)) { 5289 /* When Secure Connections is enabled, then just 5290 * return the present value stored with the OOB 5291 * data. The stored value contains the right present 5292 * information. However it can only be trusted when 5293 * not in Secure Connection Only mode. 5294 */ 5295 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 5296 return data->present; 5297 5298 /* When Secure Connections Only mode is enabled, then 5299 * the P-256 values are required. If they are not 5300 * available, then do not declare that OOB data is 5301 * present. 5302 */ 5303 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) || 5304 !crypto_memneq(data->hash256, ZERO_KEY, 16)) 5305 return 0x00; 5306 5307 return 0x02; 5308 } 5309 5310 /* When Secure Connections is not enabled or actually 5311 * not supported by the hardware, then check that if 5312 * P-192 data values are present. 5313 */ 5314 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) || 5315 !crypto_memneq(data->hash192, ZERO_KEY, 16)) 5316 return 0x00; 5317 5318 return 0x01; 5319 } 5320 5321 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data, 5322 struct sk_buff *skb) 5323 { 5324 struct hci_ev_io_capa_request *ev = data; 5325 struct hci_conn *conn; 5326 5327 bt_dev_dbg(hdev, ""); 5328 5329 hci_dev_lock(hdev); 5330 5331 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5332 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) 5333 goto unlock; 5334 5335 /* Assume remote supports SSP since it has triggered this event */ 5336 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 5337 5338 hci_conn_hold(conn); 5339 5340 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5341 goto unlock; 5342 5343 /* Allow pairing if we're pairable, the initiators of the 5344 * pairing or if the remote is not requesting bonding. 5345 */ 5346 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 5347 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 5348 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 5349 struct hci_cp_io_capability_reply cp; 5350 5351 bacpy(&cp.bdaddr, &ev->bdaddr); 5352 /* Change the IO capability from KeyboardDisplay 5353 * to DisplayYesNo as it is not supported by BT spec. */ 5354 cp.capability = (conn->io_capability == 0x04) ? 5355 HCI_IO_DISPLAY_YESNO : conn->io_capability; 5356 5357 /* If we are initiators, there is no remote information yet */ 5358 if (conn->remote_auth == 0xff) { 5359 /* Request MITM protection if our IO caps allow it 5360 * except for the no-bonding case. 5361 */ 5362 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5363 conn->auth_type != HCI_AT_NO_BONDING) 5364 conn->auth_type |= 0x01; 5365 } else { 5366 conn->auth_type = hci_get_auth_req(conn); 5367 } 5368 5369 /* If we're not bondable, force one of the non-bondable 5370 * authentication requirement values. 5371 */ 5372 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 5373 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 5374 5375 cp.authentication = conn->auth_type; 5376 cp.oob_data = bredr_oob_data_present(conn); 5377 5378 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 5379 sizeof(cp), &cp); 5380 } else { 5381 struct hci_cp_io_capability_neg_reply cp; 5382 5383 bacpy(&cp.bdaddr, &ev->bdaddr); 5384 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 5385 5386 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 5387 sizeof(cp), &cp); 5388 } 5389 5390 unlock: 5391 hci_dev_unlock(hdev); 5392 } 5393 5394 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data, 5395 struct sk_buff *skb) 5396 { 5397 struct hci_ev_io_capa_reply *ev = data; 5398 struct hci_conn *conn; 5399 5400 bt_dev_dbg(hdev, ""); 5401 5402 hci_dev_lock(hdev); 5403 5404 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5405 if (!conn) 5406 goto unlock; 5407 5408 conn->remote_cap = ev->capability; 5409 conn->remote_auth = ev->authentication; 5410 5411 unlock: 5412 hci_dev_unlock(hdev); 5413 } 5414 5415 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data, 5416 struct sk_buff *skb) 5417 { 5418 struct hci_ev_user_confirm_req *ev = data; 5419 int loc_mitm, rem_mitm, confirm_hint = 0; 5420 struct hci_conn *conn; 5421 5422 bt_dev_dbg(hdev, ""); 5423 5424 hci_dev_lock(hdev); 5425 5426 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5427 goto unlock; 5428 5429 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5430 if (!conn) 5431 goto unlock; 5432 5433 loc_mitm = (conn->auth_type & 0x01); 5434 rem_mitm = (conn->remote_auth & 0x01); 5435 5436 /* If we require MITM but the remote device can't provide that 5437 * (it has NoInputNoOutput) then reject the confirmation 5438 * request. We check the security level here since it doesn't 5439 * necessarily match conn->auth_type. 5440 */ 5441 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5442 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5443 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM"); 5444 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5445 sizeof(ev->bdaddr), &ev->bdaddr); 5446 goto unlock; 5447 } 5448 5449 /* If no side requires MITM protection; auto-accept */ 5450 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5451 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5452 5453 /* If we're not the initiators request authorization to 5454 * proceed from user space (mgmt_user_confirm with 5455 * confirm_hint set to 1). The exception is if neither 5456 * side had MITM or if the local IO capability is 5457 * NoInputNoOutput, in which case we do auto-accept 5458 */ 5459 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5460 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5461 (loc_mitm || rem_mitm)) { 5462 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor"); 5463 confirm_hint = 1; 5464 goto confirm; 5465 } 5466 5467 /* If there already exists link key in local host, leave the 5468 * decision to user space since the remote device could be 5469 * legitimate or malicious. 5470 */ 5471 if (hci_find_link_key(hdev, &ev->bdaddr)) { 5472 bt_dev_dbg(hdev, "Local host already has link key"); 5473 confirm_hint = 1; 5474 goto confirm; 5475 } 5476 5477 BT_DBG("Auto-accept of user confirmation with %ums delay", 5478 hdev->auto_accept_delay); 5479 5480 if (hdev->auto_accept_delay > 0) { 5481 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 5482 queue_delayed_work(conn->hdev->workqueue, 5483 &conn->auto_accept_work, delay); 5484 goto unlock; 5485 } 5486 5487 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 5488 sizeof(ev->bdaddr), &ev->bdaddr); 5489 goto unlock; 5490 } 5491 5492 confirm: 5493 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 5494 le32_to_cpu(ev->passkey), confirm_hint); 5495 5496 unlock: 5497 hci_dev_unlock(hdev); 5498 } 5499 5500 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data, 5501 struct sk_buff *skb) 5502 { 5503 struct hci_ev_user_passkey_req *ev = data; 5504 5505 bt_dev_dbg(hdev, ""); 5506 5507 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5508 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 5509 } 5510 5511 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data, 5512 struct sk_buff *skb) 5513 { 5514 struct hci_ev_user_passkey_notify *ev = data; 5515 struct hci_conn *conn; 5516 5517 bt_dev_dbg(hdev, ""); 5518 5519 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5520 if (!conn) 5521 return; 5522 5523 conn->passkey_notify = __le32_to_cpu(ev->passkey); 5524 conn->passkey_entered = 0; 5525 5526 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5527 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5528 conn->dst_type, conn->passkey_notify, 5529 conn->passkey_entered); 5530 } 5531 5532 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data, 5533 struct sk_buff *skb) 5534 { 5535 struct hci_ev_keypress_notify *ev = data; 5536 struct hci_conn *conn; 5537 5538 bt_dev_dbg(hdev, ""); 5539 5540 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5541 if (!conn) 5542 return; 5543 5544 switch (ev->type) { 5545 case HCI_KEYPRESS_STARTED: 5546 conn->passkey_entered = 0; 5547 return; 5548 5549 case HCI_KEYPRESS_ENTERED: 5550 conn->passkey_entered++; 5551 break; 5552 5553 case HCI_KEYPRESS_ERASED: 5554 conn->passkey_entered--; 5555 break; 5556 5557 case HCI_KEYPRESS_CLEARED: 5558 conn->passkey_entered = 0; 5559 break; 5560 5561 case HCI_KEYPRESS_COMPLETED: 5562 return; 5563 } 5564 5565 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5566 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5567 conn->dst_type, conn->passkey_notify, 5568 conn->passkey_entered); 5569 } 5570 5571 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data, 5572 struct sk_buff *skb) 5573 { 5574 struct hci_ev_simple_pair_complete *ev = data; 5575 struct hci_conn *conn; 5576 5577 bt_dev_dbg(hdev, ""); 5578 5579 hci_dev_lock(hdev); 5580 5581 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5582 if (!conn || !hci_conn_ssp_enabled(conn)) 5583 goto unlock; 5584 5585 /* Reset the authentication requirement to unknown */ 5586 conn->remote_auth = 0xff; 5587 5588 /* To avoid duplicate auth_failed events to user space we check 5589 * the HCI_CONN_AUTH_PEND flag which will be set if we 5590 * initiated the authentication. A traditional auth_complete 5591 * event gets always produced as initiator and is also mapped to 5592 * the mgmt_auth_failed event */ 5593 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5594 mgmt_auth_failed(conn, ev->status); 5595 5596 hci_conn_drop(conn); 5597 5598 unlock: 5599 hci_dev_unlock(hdev); 5600 } 5601 5602 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data, 5603 struct sk_buff *skb) 5604 { 5605 struct hci_ev_remote_host_features *ev = data; 5606 struct inquiry_entry *ie; 5607 struct hci_conn *conn; 5608 5609 bt_dev_dbg(hdev, ""); 5610 5611 hci_dev_lock(hdev); 5612 5613 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5614 if (conn) 5615 memcpy(conn->features[1], ev->features, 8); 5616 5617 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5618 if (ie) 5619 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5620 5621 hci_dev_unlock(hdev); 5622 } 5623 5624 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata, 5625 struct sk_buff *skb) 5626 { 5627 struct hci_ev_remote_oob_data_request *ev = edata; 5628 struct oob_data *data; 5629 5630 bt_dev_dbg(hdev, ""); 5631 5632 hci_dev_lock(hdev); 5633 5634 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5635 goto unlock; 5636 5637 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5638 if (!data) { 5639 struct hci_cp_remote_oob_data_neg_reply cp; 5640 5641 bacpy(&cp.bdaddr, &ev->bdaddr); 5642 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5643 sizeof(cp), &cp); 5644 goto unlock; 5645 } 5646 5647 if (bredr_sc_enabled(hdev)) { 5648 struct hci_cp_remote_oob_ext_data_reply cp; 5649 5650 bacpy(&cp.bdaddr, &ev->bdaddr); 5651 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5652 memset(cp.hash192, 0, sizeof(cp.hash192)); 5653 memset(cp.rand192, 0, sizeof(cp.rand192)); 5654 } else { 5655 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5656 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5657 } 5658 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 5659 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5660 5661 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5662 sizeof(cp), &cp); 5663 } else { 5664 struct hci_cp_remote_oob_data_reply cp; 5665 5666 bacpy(&cp.bdaddr, &ev->bdaddr); 5667 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5668 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5669 5670 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5671 sizeof(cp), &cp); 5672 } 5673 5674 unlock: 5675 hci_dev_unlock(hdev); 5676 } 5677 5678 #if IS_ENABLED(CONFIG_BT_HS) 5679 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data, 5680 struct sk_buff *skb) 5681 { 5682 struct hci_ev_channel_selected *ev = data; 5683 struct hci_conn *hcon; 5684 5685 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle); 5686 5687 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5688 if (!hcon) 5689 return; 5690 5691 amp_read_loc_assoc_final_data(hdev, hcon); 5692 } 5693 5694 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data, 5695 struct sk_buff *skb) 5696 { 5697 struct hci_ev_phy_link_complete *ev = data; 5698 struct hci_conn *hcon, *bredr_hcon; 5699 5700 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle, 5701 ev->status); 5702 5703 hci_dev_lock(hdev); 5704 5705 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5706 if (!hcon) 5707 goto unlock; 5708 5709 if (!hcon->amp_mgr) 5710 goto unlock; 5711 5712 if (ev->status) { 5713 hci_conn_del(hcon); 5714 goto unlock; 5715 } 5716 5717 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 5718 5719 hcon->state = BT_CONNECTED; 5720 bacpy(&hcon->dst, &bredr_hcon->dst); 5721 5722 hci_conn_hold(hcon); 5723 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 5724 hci_conn_drop(hcon); 5725 5726 hci_debugfs_create_conn(hcon); 5727 hci_conn_add_sysfs(hcon); 5728 5729 amp_physical_cfm(bredr_hcon, hcon); 5730 5731 unlock: 5732 hci_dev_unlock(hdev); 5733 } 5734 5735 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data, 5736 struct sk_buff *skb) 5737 { 5738 struct hci_ev_logical_link_complete *ev = data; 5739 struct hci_conn *hcon; 5740 struct hci_chan *hchan; 5741 struct amp_mgr *mgr; 5742 5743 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 5744 le16_to_cpu(ev->handle), ev->phy_handle, ev->status); 5745 5746 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5747 if (!hcon) 5748 return; 5749 5750 /* Create AMP hchan */ 5751 hchan = hci_chan_create(hcon); 5752 if (!hchan) 5753 return; 5754 5755 hchan->handle = le16_to_cpu(ev->handle); 5756 hchan->amp = true; 5757 5758 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 5759 5760 mgr = hcon->amp_mgr; 5761 if (mgr && mgr->bredr_chan) { 5762 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 5763 5764 l2cap_chan_lock(bredr_chan); 5765 5766 bredr_chan->conn->mtu = hdev->block_mtu; 5767 l2cap_logical_cfm(bredr_chan, hchan, 0); 5768 hci_conn_hold(hcon); 5769 5770 l2cap_chan_unlock(bredr_chan); 5771 } 5772 } 5773 5774 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data, 5775 struct sk_buff *skb) 5776 { 5777 struct hci_ev_disconn_logical_link_complete *ev = data; 5778 struct hci_chan *hchan; 5779 5780 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", 5781 le16_to_cpu(ev->handle), ev->status); 5782 5783 if (ev->status) 5784 return; 5785 5786 hci_dev_lock(hdev); 5787 5788 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 5789 if (!hchan || !hchan->amp) 5790 goto unlock; 5791 5792 amp_destroy_logical_link(hchan, ev->reason); 5793 5794 unlock: 5795 hci_dev_unlock(hdev); 5796 } 5797 5798 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data, 5799 struct sk_buff *skb) 5800 { 5801 struct hci_ev_disconn_phy_link_complete *ev = data; 5802 struct hci_conn *hcon; 5803 5804 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5805 5806 if (ev->status) 5807 return; 5808 5809 hci_dev_lock(hdev); 5810 5811 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5812 if (hcon && hcon->type == AMP_LINK) { 5813 hcon->state = BT_CLOSED; 5814 hci_disconn_cfm(hcon, ev->reason); 5815 hci_conn_del(hcon); 5816 } 5817 5818 hci_dev_unlock(hdev); 5819 } 5820 #endif 5821 5822 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5823 u8 bdaddr_type, bdaddr_t *local_rpa) 5824 { 5825 if (conn->out) { 5826 conn->dst_type = bdaddr_type; 5827 conn->resp_addr_type = bdaddr_type; 5828 bacpy(&conn->resp_addr, bdaddr); 5829 5830 /* Check if the controller has set a Local RPA then it must be 5831 * used instead or hdev->rpa. 5832 */ 5833 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5834 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5835 bacpy(&conn->init_addr, local_rpa); 5836 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5837 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5838 bacpy(&conn->init_addr, &conn->hdev->rpa); 5839 } else { 5840 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5841 &conn->init_addr_type); 5842 } 5843 } else { 5844 conn->resp_addr_type = conn->hdev->adv_addr_type; 5845 /* Check if the controller has set a Local RPA then it must be 5846 * used instead or hdev->rpa. 5847 */ 5848 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5849 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5850 bacpy(&conn->resp_addr, local_rpa); 5851 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5852 /* In case of ext adv, resp_addr will be updated in 5853 * Adv Terminated event. 5854 */ 5855 if (!ext_adv_capable(conn->hdev)) 5856 bacpy(&conn->resp_addr, 5857 &conn->hdev->random_addr); 5858 } else { 5859 bacpy(&conn->resp_addr, &conn->hdev->bdaddr); 5860 } 5861 5862 conn->init_addr_type = bdaddr_type; 5863 bacpy(&conn->init_addr, bdaddr); 5864 5865 /* For incoming connections, set the default minimum 5866 * and maximum connection interval. They will be used 5867 * to check if the parameters are in range and if not 5868 * trigger the connection update procedure. 5869 */ 5870 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval; 5871 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval; 5872 } 5873 } 5874 5875 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5876 bdaddr_t *bdaddr, u8 bdaddr_type, 5877 bdaddr_t *local_rpa, u8 role, u16 handle, 5878 u16 interval, u16 latency, 5879 u16 supervision_timeout) 5880 { 5881 struct hci_conn_params *params; 5882 struct hci_conn *conn; 5883 struct smp_irk *irk; 5884 u8 addr_type; 5885 5886 hci_dev_lock(hdev); 5887 5888 /* All controllers implicitly stop advertising in the event of a 5889 * connection, so ensure that the state bit is cleared. 5890 */ 5891 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5892 5893 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr); 5894 if (!conn) { 5895 /* In case of error status and there is no connection pending 5896 * just unlock as there is nothing to cleanup. 5897 */ 5898 if (status) 5899 goto unlock; 5900 5901 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role); 5902 if (!conn) { 5903 bt_dev_err(hdev, "no memory for new connection"); 5904 goto unlock; 5905 } 5906 5907 conn->dst_type = bdaddr_type; 5908 5909 /* If we didn't have a hci_conn object previously 5910 * but we're in central role this must be something 5911 * initiated using an accept list. Since accept list based 5912 * connections are not "first class citizens" we don't 5913 * have full tracking of them. Therefore, we go ahead 5914 * with a "best effort" approach of determining the 5915 * initiator address based on the HCI_PRIVACY flag. 5916 */ 5917 if (conn->out) { 5918 conn->resp_addr_type = bdaddr_type; 5919 bacpy(&conn->resp_addr, bdaddr); 5920 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5921 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5922 bacpy(&conn->init_addr, &hdev->rpa); 5923 } else { 5924 hci_copy_identity_address(hdev, 5925 &conn->init_addr, 5926 &conn->init_addr_type); 5927 } 5928 } 5929 } else { 5930 cancel_delayed_work(&conn->le_conn_timeout); 5931 } 5932 5933 /* The HCI_LE_Connection_Complete event is only sent once per connection. 5934 * Processing it more than once per connection can corrupt kernel memory. 5935 * 5936 * As the connection handle is set here for the first time, it indicates 5937 * whether the connection is already set up. 5938 */ 5939 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5940 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 5941 goto unlock; 5942 } 5943 5944 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa); 5945 5946 /* Lookup the identity address from the stored connection 5947 * address and address type. 5948 * 5949 * When establishing connections to an identity address, the 5950 * connection procedure will store the resolvable random 5951 * address first. Now if it can be converted back into the 5952 * identity address, start using the identity address from 5953 * now on. 5954 */ 5955 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5956 if (irk) { 5957 bacpy(&conn->dst, &irk->bdaddr); 5958 conn->dst_type = irk->addr_type; 5959 } 5960 5961 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL); 5962 5963 /* All connection failure handling is taken care of by the 5964 * hci_conn_failed function which is triggered by the HCI 5965 * request completion callbacks used for connecting. 5966 */ 5967 if (status || hci_conn_set_handle(conn, handle)) 5968 goto unlock; 5969 5970 /* Drop the connection if it has been aborted */ 5971 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) { 5972 hci_conn_drop(conn); 5973 goto unlock; 5974 } 5975 5976 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5977 addr_type = BDADDR_LE_PUBLIC; 5978 else 5979 addr_type = BDADDR_LE_RANDOM; 5980 5981 /* Drop the connection if the device is blocked */ 5982 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) { 5983 hci_conn_drop(conn); 5984 goto unlock; 5985 } 5986 5987 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5988 mgmt_device_connected(hdev, conn, NULL, 0); 5989 5990 conn->sec_level = BT_SECURITY_LOW; 5991 conn->state = BT_CONFIG; 5992 5993 /* Store current advertising instance as connection advertising instance 5994 * when sotfware rotation is in use so it can be re-enabled when 5995 * disconnected. 5996 */ 5997 if (!ext_adv_capable(hdev)) 5998 conn->adv_instance = hdev->cur_adv_instance; 5999 6000 conn->le_conn_interval = interval; 6001 conn->le_conn_latency = latency; 6002 conn->le_supv_timeout = supervision_timeout; 6003 6004 hci_debugfs_create_conn(conn); 6005 hci_conn_add_sysfs(conn); 6006 6007 /* The remote features procedure is defined for central 6008 * role only. So only in case of an initiated connection 6009 * request the remote features. 6010 * 6011 * If the local controller supports peripheral-initiated features 6012 * exchange, then requesting the remote features in peripheral 6013 * role is possible. Otherwise just transition into the 6014 * connected state without requesting the remote features. 6015 */ 6016 if (conn->out || 6017 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) { 6018 struct hci_cp_le_read_remote_features cp; 6019 6020 cp.handle = __cpu_to_le16(conn->handle); 6021 6022 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 6023 sizeof(cp), &cp); 6024 6025 hci_conn_hold(conn); 6026 } else { 6027 conn->state = BT_CONNECTED; 6028 hci_connect_cfm(conn, status); 6029 } 6030 6031 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 6032 conn->dst_type); 6033 if (params) { 6034 hci_pend_le_list_del_init(params); 6035 if (params->conn) { 6036 hci_conn_drop(params->conn); 6037 hci_conn_put(params->conn); 6038 params->conn = NULL; 6039 } 6040 } 6041 6042 unlock: 6043 hci_update_passive_scan(hdev); 6044 hci_dev_unlock(hdev); 6045 } 6046 6047 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data, 6048 struct sk_buff *skb) 6049 { 6050 struct hci_ev_le_conn_complete *ev = data; 6051 6052 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6053 6054 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 6055 NULL, ev->role, le16_to_cpu(ev->handle), 6056 le16_to_cpu(ev->interval), 6057 le16_to_cpu(ev->latency), 6058 le16_to_cpu(ev->supervision_timeout)); 6059 } 6060 6061 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data, 6062 struct sk_buff *skb) 6063 { 6064 struct hci_ev_le_enh_conn_complete *ev = data; 6065 6066 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6067 6068 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 6069 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle), 6070 le16_to_cpu(ev->interval), 6071 le16_to_cpu(ev->latency), 6072 le16_to_cpu(ev->supervision_timeout)); 6073 } 6074 6075 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data, 6076 struct sk_buff *skb) 6077 { 6078 struct hci_evt_le_ext_adv_set_term *ev = data; 6079 struct hci_conn *conn; 6080 struct adv_info *adv, *n; 6081 6082 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6083 6084 /* The Bluetooth Core 5.3 specification clearly states that this event 6085 * shall not be sent when the Host disables the advertising set. So in 6086 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event. 6087 * 6088 * When the Host disables an advertising set, all cleanup is done via 6089 * its command callback and not needed to be duplicated here. 6090 */ 6091 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) { 6092 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event"); 6093 return; 6094 } 6095 6096 hci_dev_lock(hdev); 6097 6098 adv = hci_find_adv_instance(hdev, ev->handle); 6099 6100 if (ev->status) { 6101 if (!adv) 6102 goto unlock; 6103 6104 /* Remove advertising as it has been terminated */ 6105 hci_remove_adv_instance(hdev, ev->handle); 6106 mgmt_advertising_removed(NULL, hdev, ev->handle); 6107 6108 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 6109 if (adv->enabled) 6110 goto unlock; 6111 } 6112 6113 /* We are no longer advertising, clear HCI_LE_ADV */ 6114 hci_dev_clear_flag(hdev, HCI_LE_ADV); 6115 goto unlock; 6116 } 6117 6118 if (adv) 6119 adv->enabled = false; 6120 6121 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 6122 if (conn) { 6123 /* Store handle in the connection so the correct advertising 6124 * instance can be re-enabled when disconnected. 6125 */ 6126 conn->adv_instance = ev->handle; 6127 6128 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM || 6129 bacmp(&conn->resp_addr, BDADDR_ANY)) 6130 goto unlock; 6131 6132 if (!ev->handle) { 6133 bacpy(&conn->resp_addr, &hdev->random_addr); 6134 goto unlock; 6135 } 6136 6137 if (adv) 6138 bacpy(&conn->resp_addr, &adv->random_addr); 6139 } 6140 6141 unlock: 6142 hci_dev_unlock(hdev); 6143 } 6144 6145 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data, 6146 struct sk_buff *skb) 6147 { 6148 struct hci_ev_le_conn_update_complete *ev = data; 6149 struct hci_conn *conn; 6150 6151 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6152 6153 if (ev->status) 6154 return; 6155 6156 hci_dev_lock(hdev); 6157 6158 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6159 if (conn) { 6160 conn->le_conn_interval = le16_to_cpu(ev->interval); 6161 conn->le_conn_latency = le16_to_cpu(ev->latency); 6162 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 6163 } 6164 6165 hci_dev_unlock(hdev); 6166 } 6167 6168 /* This function requires the caller holds hdev->lock */ 6169 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 6170 bdaddr_t *addr, 6171 u8 addr_type, bool addr_resolved, 6172 u8 adv_type) 6173 { 6174 struct hci_conn *conn; 6175 struct hci_conn_params *params; 6176 6177 /* If the event is not connectable don't proceed further */ 6178 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 6179 return NULL; 6180 6181 /* Ignore if the device is blocked or hdev is suspended */ 6182 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) || 6183 hdev->suspended) 6184 return NULL; 6185 6186 /* Most controller will fail if we try to create new connections 6187 * while we have an existing one in peripheral role. 6188 */ 6189 if (hdev->conn_hash.le_num_peripheral > 0 && 6190 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 6191 !(hdev->le_states[3] & 0x10))) 6192 return NULL; 6193 6194 /* If we're not connectable only connect devices that we have in 6195 * our pend_le_conns list. 6196 */ 6197 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 6198 addr_type); 6199 if (!params) 6200 return NULL; 6201 6202 if (!params->explicit_connect) { 6203 switch (params->auto_connect) { 6204 case HCI_AUTO_CONN_DIRECT: 6205 /* Only devices advertising with ADV_DIRECT_IND are 6206 * triggering a connection attempt. This is allowing 6207 * incoming connections from peripheral devices. 6208 */ 6209 if (adv_type != LE_ADV_DIRECT_IND) 6210 return NULL; 6211 break; 6212 case HCI_AUTO_CONN_ALWAYS: 6213 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 6214 * are triggering a connection attempt. This means 6215 * that incoming connections from peripheral device are 6216 * accepted and also outgoing connections to peripheral 6217 * devices are established when found. 6218 */ 6219 break; 6220 default: 6221 return NULL; 6222 } 6223 } 6224 6225 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved, 6226 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout, 6227 HCI_ROLE_MASTER); 6228 if (!IS_ERR(conn)) { 6229 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 6230 * by higher layer that tried to connect, if no then 6231 * store the pointer since we don't really have any 6232 * other owner of the object besides the params that 6233 * triggered it. This way we can abort the connection if 6234 * the parameters get removed and keep the reference 6235 * count consistent once the connection is established. 6236 */ 6237 6238 if (!params->explicit_connect) 6239 params->conn = hci_conn_get(conn); 6240 6241 return conn; 6242 } 6243 6244 switch (PTR_ERR(conn)) { 6245 case -EBUSY: 6246 /* If hci_connect() returns -EBUSY it means there is already 6247 * an LE connection attempt going on. Since controllers don't 6248 * support more than one connection attempt at the time, we 6249 * don't consider this an error case. 6250 */ 6251 break; 6252 default: 6253 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 6254 return NULL; 6255 } 6256 6257 return NULL; 6258 } 6259 6260 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 6261 u8 bdaddr_type, bdaddr_t *direct_addr, 6262 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 6263 bool ext_adv, bool ctl_time, u64 instant) 6264 { 6265 struct discovery_state *d = &hdev->discovery; 6266 struct smp_irk *irk; 6267 struct hci_conn *conn; 6268 bool match, bdaddr_resolved; 6269 u32 flags; 6270 u8 *ptr; 6271 6272 switch (type) { 6273 case LE_ADV_IND: 6274 case LE_ADV_DIRECT_IND: 6275 case LE_ADV_SCAN_IND: 6276 case LE_ADV_NONCONN_IND: 6277 case LE_ADV_SCAN_RSP: 6278 break; 6279 default: 6280 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 6281 "type: 0x%02x", type); 6282 return; 6283 } 6284 6285 if (len > max_adv_len(hdev)) { 6286 bt_dev_err_ratelimited(hdev, 6287 "adv larger than maximum supported"); 6288 return; 6289 } 6290 6291 /* Find the end of the data in case the report contains padded zero 6292 * bytes at the end causing an invalid length value. 6293 * 6294 * When data is NULL, len is 0 so there is no need for extra ptr 6295 * check as 'ptr < data + 0' is already false in such case. 6296 */ 6297 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 6298 if (ptr + 1 + *ptr > data + len) 6299 break; 6300 } 6301 6302 /* Adjust for actual length. This handles the case when remote 6303 * device is advertising with incorrect data length. 6304 */ 6305 len = ptr - data; 6306 6307 /* If the direct address is present, then this report is from 6308 * a LE Direct Advertising Report event. In that case it is 6309 * important to see if the address is matching the local 6310 * controller address. 6311 */ 6312 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) { 6313 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type, 6314 &bdaddr_resolved); 6315 6316 /* Only resolvable random addresses are valid for these 6317 * kind of reports and others can be ignored. 6318 */ 6319 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 6320 return; 6321 6322 /* If the controller is not using resolvable random 6323 * addresses, then this report can be ignored. 6324 */ 6325 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 6326 return; 6327 6328 /* If the local IRK of the controller does not match 6329 * with the resolvable random address provided, then 6330 * this report can be ignored. 6331 */ 6332 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 6333 return; 6334 } 6335 6336 /* Check if we need to convert to identity address */ 6337 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 6338 if (irk) { 6339 bdaddr = &irk->bdaddr; 6340 bdaddr_type = irk->addr_type; 6341 } 6342 6343 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved); 6344 6345 /* Check if we have been requested to connect to this device. 6346 * 6347 * direct_addr is set only for directed advertising reports (it is NULL 6348 * for advertising reports) and is already verified to be RPA above. 6349 */ 6350 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved, 6351 type); 6352 if (!ext_adv && conn && type == LE_ADV_IND && 6353 len <= max_adv_len(hdev)) { 6354 /* Store report for later inclusion by 6355 * mgmt_device_connected 6356 */ 6357 memcpy(conn->le_adv_data, data, len); 6358 conn->le_adv_data_len = len; 6359 } 6360 6361 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 6362 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 6363 else 6364 flags = 0; 6365 6366 /* All scan results should be sent up for Mesh systems */ 6367 if (hci_dev_test_flag(hdev, HCI_MESH)) { 6368 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6369 rssi, flags, data, len, NULL, 0, instant); 6370 return; 6371 } 6372 6373 /* Passive scanning shouldn't trigger any device found events, 6374 * except for devices marked as CONN_REPORT for which we do send 6375 * device found events, or advertisement monitoring requested. 6376 */ 6377 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 6378 if (type == LE_ADV_DIRECT_IND) 6379 return; 6380 6381 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 6382 bdaddr, bdaddr_type) && 6383 idr_is_empty(&hdev->adv_monitors_idr)) 6384 return; 6385 6386 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6387 rssi, flags, data, len, NULL, 0, 0); 6388 return; 6389 } 6390 6391 /* When receiving a scan response, then there is no way to 6392 * know if the remote device is connectable or not. However 6393 * since scan responses are merged with a previously seen 6394 * advertising report, the flags field from that report 6395 * will be used. 6396 * 6397 * In the unlikely case that a controller just sends a scan 6398 * response event that doesn't match the pending report, then 6399 * it is marked as a standalone SCAN_RSP. 6400 */ 6401 if (type == LE_ADV_SCAN_RSP) 6402 flags = MGMT_DEV_FOUND_SCAN_RSP; 6403 6404 /* If there's nothing pending either store the data from this 6405 * event or send an immediate device found event if the data 6406 * should not be stored for later. 6407 */ 6408 if (!ext_adv && !has_pending_adv_report(hdev)) { 6409 /* If the report will trigger a SCAN_REQ store it for 6410 * later merging. 6411 */ 6412 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 6413 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6414 rssi, flags, data, len); 6415 return; 6416 } 6417 6418 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6419 rssi, flags, data, len, NULL, 0, 0); 6420 return; 6421 } 6422 6423 /* Check if the pending report is for the same device as the new one */ 6424 match = (!bacmp(bdaddr, &d->last_adv_addr) && 6425 bdaddr_type == d->last_adv_addr_type); 6426 6427 /* If the pending data doesn't match this report or this isn't a 6428 * scan response (e.g. we got a duplicate ADV_IND) then force 6429 * sending of the pending data. 6430 */ 6431 if (type != LE_ADV_SCAN_RSP || !match) { 6432 /* Send out whatever is in the cache, but skip duplicates */ 6433 if (!match) 6434 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6435 d->last_adv_addr_type, NULL, 6436 d->last_adv_rssi, d->last_adv_flags, 6437 d->last_adv_data, 6438 d->last_adv_data_len, NULL, 0, 0); 6439 6440 /* If the new report will trigger a SCAN_REQ store it for 6441 * later merging. 6442 */ 6443 if (!ext_adv && (type == LE_ADV_IND || 6444 type == LE_ADV_SCAN_IND)) { 6445 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6446 rssi, flags, data, len); 6447 return; 6448 } 6449 6450 /* The advertising reports cannot be merged, so clear 6451 * the pending report and send out a device found event. 6452 */ 6453 clear_pending_adv_report(hdev); 6454 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6455 rssi, flags, data, len, NULL, 0, 0); 6456 return; 6457 } 6458 6459 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 6460 * the new event is a SCAN_RSP. We can therefore proceed with 6461 * sending a merged device found event. 6462 */ 6463 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6464 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 6465 d->last_adv_data, d->last_adv_data_len, data, len, 0); 6466 clear_pending_adv_report(hdev); 6467 } 6468 6469 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data, 6470 struct sk_buff *skb) 6471 { 6472 struct hci_ev_le_advertising_report *ev = data; 6473 u64 instant = jiffies; 6474 6475 if (!ev->num) 6476 return; 6477 6478 hci_dev_lock(hdev); 6479 6480 while (ev->num--) { 6481 struct hci_ev_le_advertising_info *info; 6482 s8 rssi; 6483 6484 info = hci_le_ev_skb_pull(hdev, skb, 6485 HCI_EV_LE_ADVERTISING_REPORT, 6486 sizeof(*info)); 6487 if (!info) 6488 break; 6489 6490 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT, 6491 info->length + 1)) 6492 break; 6493 6494 if (info->length <= max_adv_len(hdev)) { 6495 rssi = info->data[info->length]; 6496 process_adv_report(hdev, info->type, &info->bdaddr, 6497 info->bdaddr_type, NULL, 0, rssi, 6498 info->data, info->length, false, 6499 false, instant); 6500 } else { 6501 bt_dev_err(hdev, "Dropping invalid advertising data"); 6502 } 6503 } 6504 6505 hci_dev_unlock(hdev); 6506 } 6507 6508 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 6509 { 6510 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 6511 switch (evt_type) { 6512 case LE_LEGACY_ADV_IND: 6513 return LE_ADV_IND; 6514 case LE_LEGACY_ADV_DIRECT_IND: 6515 return LE_ADV_DIRECT_IND; 6516 case LE_LEGACY_ADV_SCAN_IND: 6517 return LE_ADV_SCAN_IND; 6518 case LE_LEGACY_NONCONN_IND: 6519 return LE_ADV_NONCONN_IND; 6520 case LE_LEGACY_SCAN_RSP_ADV: 6521 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 6522 return LE_ADV_SCAN_RSP; 6523 } 6524 6525 goto invalid; 6526 } 6527 6528 if (evt_type & LE_EXT_ADV_CONN_IND) { 6529 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6530 return LE_ADV_DIRECT_IND; 6531 6532 return LE_ADV_IND; 6533 } 6534 6535 if (evt_type & LE_EXT_ADV_SCAN_RSP) 6536 return LE_ADV_SCAN_RSP; 6537 6538 if (evt_type & LE_EXT_ADV_SCAN_IND) 6539 return LE_ADV_SCAN_IND; 6540 6541 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 6542 evt_type & LE_EXT_ADV_DIRECT_IND) 6543 return LE_ADV_NONCONN_IND; 6544 6545 invalid: 6546 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 6547 evt_type); 6548 6549 return LE_ADV_INVALID; 6550 } 6551 6552 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data, 6553 struct sk_buff *skb) 6554 { 6555 struct hci_ev_le_ext_adv_report *ev = data; 6556 u64 instant = jiffies; 6557 6558 if (!ev->num) 6559 return; 6560 6561 hci_dev_lock(hdev); 6562 6563 while (ev->num--) { 6564 struct hci_ev_le_ext_adv_info *info; 6565 u8 legacy_evt_type; 6566 u16 evt_type; 6567 6568 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6569 sizeof(*info)); 6570 if (!info) 6571 break; 6572 6573 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6574 info->length)) 6575 break; 6576 6577 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK; 6578 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 6579 if (legacy_evt_type != LE_ADV_INVALID) { 6580 process_adv_report(hdev, legacy_evt_type, &info->bdaddr, 6581 info->bdaddr_type, NULL, 0, 6582 info->rssi, info->data, info->length, 6583 !(evt_type & LE_EXT_ADV_LEGACY_PDU), 6584 false, instant); 6585 } 6586 } 6587 6588 hci_dev_unlock(hdev); 6589 } 6590 6591 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle) 6592 { 6593 struct hci_cp_le_pa_term_sync cp; 6594 6595 memset(&cp, 0, sizeof(cp)); 6596 cp.handle = handle; 6597 6598 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp); 6599 } 6600 6601 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data, 6602 struct sk_buff *skb) 6603 { 6604 struct hci_ev_le_pa_sync_established *ev = data; 6605 int mask = hdev->link_mode; 6606 __u8 flags = 0; 6607 struct hci_conn *pa_sync; 6608 6609 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6610 6611 hci_dev_lock(hdev); 6612 6613 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6614 6615 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags); 6616 if (!(mask & HCI_LM_ACCEPT)) { 6617 hci_le_pa_term_sync(hdev, ev->handle); 6618 goto unlock; 6619 } 6620 6621 if (!(flags & HCI_PROTO_DEFER)) 6622 goto unlock; 6623 6624 if (ev->status) { 6625 /* Add connection to indicate the failed PA sync event */ 6626 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY, 6627 HCI_ROLE_SLAVE); 6628 6629 if (!pa_sync) 6630 goto unlock; 6631 6632 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags); 6633 6634 /* Notify iso layer */ 6635 hci_connect_cfm(pa_sync, ev->status); 6636 } 6637 6638 unlock: 6639 hci_dev_unlock(hdev); 6640 } 6641 6642 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data, 6643 struct sk_buff *skb) 6644 { 6645 struct hci_ev_le_per_adv_report *ev = data; 6646 int mask = hdev->link_mode; 6647 __u8 flags = 0; 6648 6649 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 6650 6651 hci_dev_lock(hdev); 6652 6653 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 6654 if (!(mask & HCI_LM_ACCEPT)) 6655 hci_le_pa_term_sync(hdev, ev->sync_handle); 6656 6657 hci_dev_unlock(hdev); 6658 } 6659 6660 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data, 6661 struct sk_buff *skb) 6662 { 6663 struct hci_ev_le_remote_feat_complete *ev = data; 6664 struct hci_conn *conn; 6665 6666 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6667 6668 hci_dev_lock(hdev); 6669 6670 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6671 if (conn) { 6672 if (!ev->status) 6673 memcpy(conn->features[0], ev->features, 8); 6674 6675 if (conn->state == BT_CONFIG) { 6676 __u8 status; 6677 6678 /* If the local controller supports peripheral-initiated 6679 * features exchange, but the remote controller does 6680 * not, then it is possible that the error code 0x1a 6681 * for unsupported remote feature gets returned. 6682 * 6683 * In this specific case, allow the connection to 6684 * transition into connected state and mark it as 6685 * successful. 6686 */ 6687 if (!conn->out && ev->status == 0x1a && 6688 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 6689 status = 0x00; 6690 else 6691 status = ev->status; 6692 6693 conn->state = BT_CONNECTED; 6694 hci_connect_cfm(conn, status); 6695 hci_conn_drop(conn); 6696 } 6697 } 6698 6699 hci_dev_unlock(hdev); 6700 } 6701 6702 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data, 6703 struct sk_buff *skb) 6704 { 6705 struct hci_ev_le_ltk_req *ev = data; 6706 struct hci_cp_le_ltk_reply cp; 6707 struct hci_cp_le_ltk_neg_reply neg; 6708 struct hci_conn *conn; 6709 struct smp_ltk *ltk; 6710 6711 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6712 6713 hci_dev_lock(hdev); 6714 6715 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6716 if (conn == NULL) 6717 goto not_found; 6718 6719 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 6720 if (!ltk) 6721 goto not_found; 6722 6723 if (smp_ltk_is_sc(ltk)) { 6724 /* With SC both EDiv and Rand are set to zero */ 6725 if (ev->ediv || ev->rand) 6726 goto not_found; 6727 } else { 6728 /* For non-SC keys check that EDiv and Rand match */ 6729 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 6730 goto not_found; 6731 } 6732 6733 memcpy(cp.ltk, ltk->val, ltk->enc_size); 6734 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 6735 cp.handle = cpu_to_le16(conn->handle); 6736 6737 conn->pending_sec_level = smp_ltk_sec_level(ltk); 6738 6739 conn->enc_key_size = ltk->enc_size; 6740 6741 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 6742 6743 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 6744 * temporary key used to encrypt a connection following 6745 * pairing. It is used during the Encrypted Session Setup to 6746 * distribute the keys. Later, security can be re-established 6747 * using a distributed LTK. 6748 */ 6749 if (ltk->type == SMP_STK) { 6750 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6751 list_del_rcu(<k->list); 6752 kfree_rcu(ltk, rcu); 6753 } else { 6754 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6755 } 6756 6757 hci_dev_unlock(hdev); 6758 6759 return; 6760 6761 not_found: 6762 neg.handle = ev->handle; 6763 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 6764 hci_dev_unlock(hdev); 6765 } 6766 6767 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 6768 u8 reason) 6769 { 6770 struct hci_cp_le_conn_param_req_neg_reply cp; 6771 6772 cp.handle = cpu_to_le16(handle); 6773 cp.reason = reason; 6774 6775 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 6776 &cp); 6777 } 6778 6779 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, 6780 struct sk_buff *skb) 6781 { 6782 struct hci_ev_le_remote_conn_param_req *ev = data; 6783 struct hci_cp_le_conn_param_req_reply cp; 6784 struct hci_conn *hcon; 6785 u16 handle, min, max, latency, timeout; 6786 6787 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6788 6789 handle = le16_to_cpu(ev->handle); 6790 min = le16_to_cpu(ev->interval_min); 6791 max = le16_to_cpu(ev->interval_max); 6792 latency = le16_to_cpu(ev->latency); 6793 timeout = le16_to_cpu(ev->timeout); 6794 6795 hcon = hci_conn_hash_lookup_handle(hdev, handle); 6796 if (!hcon || hcon->state != BT_CONNECTED) 6797 return send_conn_param_neg_reply(hdev, handle, 6798 HCI_ERROR_UNKNOWN_CONN_ID); 6799 6800 if (max > hcon->le_conn_max_interval) 6801 return send_conn_param_neg_reply(hdev, handle, 6802 HCI_ERROR_INVALID_LL_PARAMS); 6803 6804 if (hci_check_conn_params(min, max, latency, timeout)) 6805 return send_conn_param_neg_reply(hdev, handle, 6806 HCI_ERROR_INVALID_LL_PARAMS); 6807 6808 if (hcon->role == HCI_ROLE_MASTER) { 6809 struct hci_conn_params *params; 6810 u8 store_hint; 6811 6812 hci_dev_lock(hdev); 6813 6814 params = hci_conn_params_lookup(hdev, &hcon->dst, 6815 hcon->dst_type); 6816 if (params) { 6817 params->conn_min_interval = min; 6818 params->conn_max_interval = max; 6819 params->conn_latency = latency; 6820 params->supervision_timeout = timeout; 6821 store_hint = 0x01; 6822 } else { 6823 store_hint = 0x00; 6824 } 6825 6826 hci_dev_unlock(hdev); 6827 6828 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 6829 store_hint, min, max, latency, timeout); 6830 } 6831 6832 cp.handle = ev->handle; 6833 cp.interval_min = ev->interval_min; 6834 cp.interval_max = ev->interval_max; 6835 cp.latency = ev->latency; 6836 cp.timeout = ev->timeout; 6837 cp.min_ce_len = 0; 6838 cp.max_ce_len = 0; 6839 6840 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 6841 } 6842 6843 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, 6844 struct sk_buff *skb) 6845 { 6846 struct hci_ev_le_direct_adv_report *ev = data; 6847 u64 instant = jiffies; 6848 int i; 6849 6850 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT, 6851 flex_array_size(ev, info, ev->num))) 6852 return; 6853 6854 if (!ev->num) 6855 return; 6856 6857 hci_dev_lock(hdev); 6858 6859 for (i = 0; i < ev->num; i++) { 6860 struct hci_ev_le_direct_adv_info *info = &ev->info[i]; 6861 6862 process_adv_report(hdev, info->type, &info->bdaddr, 6863 info->bdaddr_type, &info->direct_addr, 6864 info->direct_addr_type, info->rssi, NULL, 0, 6865 false, false, instant); 6866 } 6867 6868 hci_dev_unlock(hdev); 6869 } 6870 6871 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data, 6872 struct sk_buff *skb) 6873 { 6874 struct hci_ev_le_phy_update_complete *ev = data; 6875 struct hci_conn *conn; 6876 6877 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6878 6879 if (ev->status) 6880 return; 6881 6882 hci_dev_lock(hdev); 6883 6884 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6885 if (!conn) 6886 goto unlock; 6887 6888 conn->le_tx_phy = ev->tx_phy; 6889 conn->le_rx_phy = ev->rx_phy; 6890 6891 unlock: 6892 hci_dev_unlock(hdev); 6893 } 6894 6895 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data, 6896 struct sk_buff *skb) 6897 { 6898 struct hci_evt_le_cis_established *ev = data; 6899 struct hci_conn *conn; 6900 struct bt_iso_qos *qos; 6901 bool pending = false; 6902 u16 handle = __le16_to_cpu(ev->handle); 6903 6904 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6905 6906 hci_dev_lock(hdev); 6907 6908 conn = hci_conn_hash_lookup_handle(hdev, handle); 6909 if (!conn) { 6910 bt_dev_err(hdev, 6911 "Unable to find connection with handle 0x%4.4x", 6912 handle); 6913 goto unlock; 6914 } 6915 6916 if (conn->type != ISO_LINK) { 6917 bt_dev_err(hdev, 6918 "Invalid connection link type handle 0x%4.4x", 6919 handle); 6920 goto unlock; 6921 } 6922 6923 qos = &conn->iso_qos; 6924 6925 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags); 6926 6927 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */ 6928 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250; 6929 qos->ucast.out.interval = qos->ucast.in.interval; 6930 6931 switch (conn->role) { 6932 case HCI_ROLE_SLAVE: 6933 /* Convert Transport Latency (us) to Latency (msec) */ 6934 qos->ucast.in.latency = 6935 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6936 1000); 6937 qos->ucast.out.latency = 6938 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6939 1000); 6940 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu); 6941 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu); 6942 qos->ucast.in.phy = ev->c_phy; 6943 qos->ucast.out.phy = ev->p_phy; 6944 break; 6945 case HCI_ROLE_MASTER: 6946 /* Convert Transport Latency (us) to Latency (msec) */ 6947 qos->ucast.out.latency = 6948 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6949 1000); 6950 qos->ucast.in.latency = 6951 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6952 1000); 6953 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu); 6954 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu); 6955 qos->ucast.out.phy = ev->c_phy; 6956 qos->ucast.in.phy = ev->p_phy; 6957 break; 6958 } 6959 6960 if (!ev->status) { 6961 conn->state = BT_CONNECTED; 6962 hci_debugfs_create_conn(conn); 6963 hci_conn_add_sysfs(conn); 6964 hci_iso_setup_path(conn); 6965 goto unlock; 6966 } 6967 6968 conn->state = BT_CLOSED; 6969 hci_connect_cfm(conn, ev->status); 6970 hci_conn_del(conn); 6971 6972 unlock: 6973 if (pending) 6974 hci_le_create_cis_pending(hdev); 6975 6976 hci_dev_unlock(hdev); 6977 } 6978 6979 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle) 6980 { 6981 struct hci_cp_le_reject_cis cp; 6982 6983 memset(&cp, 0, sizeof(cp)); 6984 cp.handle = handle; 6985 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 6986 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); 6987 } 6988 6989 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle) 6990 { 6991 struct hci_cp_le_accept_cis cp; 6992 6993 memset(&cp, 0, sizeof(cp)); 6994 cp.handle = handle; 6995 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 6996 } 6997 6998 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, 6999 struct sk_buff *skb) 7000 { 7001 struct hci_evt_le_cis_req *ev = data; 7002 u16 acl_handle, cis_handle; 7003 struct hci_conn *acl, *cis; 7004 int mask; 7005 __u8 flags = 0; 7006 7007 acl_handle = __le16_to_cpu(ev->acl_handle); 7008 cis_handle = __le16_to_cpu(ev->cis_handle); 7009 7010 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x", 7011 acl_handle, cis_handle, ev->cig_id, ev->cis_id); 7012 7013 hci_dev_lock(hdev); 7014 7015 acl = hci_conn_hash_lookup_handle(hdev, acl_handle); 7016 if (!acl) 7017 goto unlock; 7018 7019 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags); 7020 if (!(mask & HCI_LM_ACCEPT)) { 7021 hci_le_reject_cis(hdev, ev->cis_handle); 7022 goto unlock; 7023 } 7024 7025 cis = hci_conn_hash_lookup_handle(hdev, cis_handle); 7026 if (!cis) { 7027 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE, 7028 cis_handle); 7029 if (!cis) { 7030 hci_le_reject_cis(hdev, ev->cis_handle); 7031 goto unlock; 7032 } 7033 } 7034 7035 cis->iso_qos.ucast.cig = ev->cig_id; 7036 cis->iso_qos.ucast.cis = ev->cis_id; 7037 7038 if (!(flags & HCI_PROTO_DEFER)) { 7039 hci_le_accept_cis(hdev, ev->cis_handle); 7040 } else { 7041 cis->state = BT_CONNECT2; 7042 hci_connect_cfm(cis, 0); 7043 } 7044 7045 unlock: 7046 hci_dev_unlock(hdev); 7047 } 7048 7049 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data) 7050 { 7051 u8 handle = PTR_UINT(data); 7052 7053 return hci_le_terminate_big_sync(hdev, handle, 7054 HCI_ERROR_LOCAL_HOST_TERM); 7055 } 7056 7057 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, 7058 struct sk_buff *skb) 7059 { 7060 struct hci_evt_le_create_big_complete *ev = data; 7061 struct hci_conn *conn; 7062 __u8 i = 0; 7063 7064 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 7065 7066 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE, 7067 flex_array_size(ev, bis_handle, ev->num_bis))) 7068 return; 7069 7070 hci_dev_lock(hdev); 7071 rcu_read_lock(); 7072 7073 /* Connect all BISes that are bound to the BIG */ 7074 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 7075 if (bacmp(&conn->dst, BDADDR_ANY) || 7076 conn->type != ISO_LINK || 7077 conn->iso_qos.bcast.big != ev->handle) 7078 continue; 7079 7080 if (hci_conn_set_handle(conn, 7081 __le16_to_cpu(ev->bis_handle[i++]))) 7082 continue; 7083 7084 if (!ev->status) { 7085 conn->state = BT_CONNECTED; 7086 set_bit(HCI_CONN_BIG_CREATED, &conn->flags); 7087 rcu_read_unlock(); 7088 hci_debugfs_create_conn(conn); 7089 hci_conn_add_sysfs(conn); 7090 hci_iso_setup_path(conn); 7091 rcu_read_lock(); 7092 continue; 7093 } 7094 7095 hci_connect_cfm(conn, ev->status); 7096 rcu_read_unlock(); 7097 hci_conn_del(conn); 7098 rcu_read_lock(); 7099 } 7100 7101 rcu_read_unlock(); 7102 7103 if (!ev->status && !i) 7104 /* If no BISes have been connected for the BIG, 7105 * terminate. This is in case all bound connections 7106 * have been closed before the BIG creation 7107 * has completed. 7108 */ 7109 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync, 7110 UINT_PTR(ev->handle), NULL); 7111 7112 hci_dev_unlock(hdev); 7113 } 7114 7115 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, 7116 struct sk_buff *skb) 7117 { 7118 struct hci_evt_le_big_sync_estabilished *ev = data; 7119 struct hci_conn *bis; 7120 struct hci_conn *pa_sync; 7121 int i; 7122 7123 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 7124 7125 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 7126 flex_array_size(ev, bis, ev->num_bis))) 7127 return; 7128 7129 hci_dev_lock(hdev); 7130 7131 if (!ev->status) { 7132 pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle); 7133 if (pa_sync) 7134 /* Also mark the BIG sync established event on the 7135 * associated PA sync hcon 7136 */ 7137 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags); 7138 } 7139 7140 for (i = 0; i < ev->num_bis; i++) { 7141 u16 handle = le16_to_cpu(ev->bis[i]); 7142 __le32 interval; 7143 7144 bis = hci_conn_hash_lookup_handle(hdev, handle); 7145 if (!bis) { 7146 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY, 7147 HCI_ROLE_SLAVE, handle); 7148 if (!bis) 7149 continue; 7150 } 7151 7152 if (ev->status != 0x42) 7153 /* Mark PA sync as established */ 7154 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 7155 7156 bis->iso_qos.bcast.big = ev->handle; 7157 memset(&interval, 0, sizeof(interval)); 7158 memcpy(&interval, ev->latency, sizeof(ev->latency)); 7159 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval); 7160 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */ 7161 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100; 7162 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); 7163 7164 if (!ev->status) { 7165 set_bit(HCI_CONN_BIG_SYNC, &bis->flags); 7166 hci_iso_setup_path(bis); 7167 } 7168 } 7169 7170 /* In case BIG sync failed, notify each failed connection to 7171 * the user after all hci connections have been added 7172 */ 7173 if (ev->status) 7174 for (i = 0; i < ev->num_bis; i++) { 7175 u16 handle = le16_to_cpu(ev->bis[i]); 7176 7177 bis = hci_conn_hash_lookup_handle(hdev, handle); 7178 7179 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); 7180 hci_connect_cfm(bis, ev->status); 7181 } 7182 7183 hci_dev_unlock(hdev); 7184 } 7185 7186 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data, 7187 struct sk_buff *skb) 7188 { 7189 struct hci_evt_le_big_info_adv_report *ev = data; 7190 int mask = hdev->link_mode; 7191 __u8 flags = 0; 7192 struct hci_conn *pa_sync; 7193 7194 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 7195 7196 hci_dev_lock(hdev); 7197 7198 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 7199 if (!(mask & HCI_LM_ACCEPT)) { 7200 hci_le_pa_term_sync(hdev, ev->sync_handle); 7201 goto unlock; 7202 } 7203 7204 if (!(flags & HCI_PROTO_DEFER)) 7205 goto unlock; 7206 7207 pa_sync = hci_conn_hash_lookup_pa_sync_handle 7208 (hdev, 7209 le16_to_cpu(ev->sync_handle)); 7210 7211 if (pa_sync) 7212 goto unlock; 7213 7214 /* Add connection to indicate the PA sync event */ 7215 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY, 7216 HCI_ROLE_SLAVE); 7217 7218 if (!pa_sync) 7219 goto unlock; 7220 7221 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle); 7222 set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags); 7223 7224 /* Notify iso layer */ 7225 hci_connect_cfm(pa_sync, 0x00); 7226 7227 unlock: 7228 hci_dev_unlock(hdev); 7229 } 7230 7231 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \ 7232 [_op] = { \ 7233 .func = _func, \ 7234 .min_len = _min_len, \ 7235 .max_len = _max_len, \ 7236 } 7237 7238 #define HCI_LE_EV(_op, _func, _len) \ 7239 HCI_LE_EV_VL(_op, _func, _len, _len) 7240 7241 #define HCI_LE_EV_STATUS(_op, _func) \ 7242 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status)) 7243 7244 /* Entries in this table shall have their position according to the subevent 7245 * opcode they handle so the use of the macros above is recommend since it does 7246 * attempt to initialize at its proper index using Designated Initializers that 7247 * way events without a callback function can be ommited. 7248 */ 7249 static const struct hci_le_ev { 7250 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 7251 u16 min_len; 7252 u16 max_len; 7253 } hci_le_ev_table[U8_MAX + 1] = { 7254 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */ 7255 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt, 7256 sizeof(struct hci_ev_le_conn_complete)), 7257 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */ 7258 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt, 7259 sizeof(struct hci_ev_le_advertising_report), 7260 HCI_MAX_EVENT_SIZE), 7261 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */ 7262 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE, 7263 hci_le_conn_update_complete_evt, 7264 sizeof(struct hci_ev_le_conn_update_complete)), 7265 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */ 7266 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE, 7267 hci_le_remote_feat_complete_evt, 7268 sizeof(struct hci_ev_le_remote_feat_complete)), 7269 /* [0x05 = HCI_EV_LE_LTK_REQ] */ 7270 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt, 7271 sizeof(struct hci_ev_le_ltk_req)), 7272 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */ 7273 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ, 7274 hci_le_remote_conn_param_req_evt, 7275 sizeof(struct hci_ev_le_remote_conn_param_req)), 7276 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */ 7277 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE, 7278 hci_le_enh_conn_complete_evt, 7279 sizeof(struct hci_ev_le_enh_conn_complete)), 7280 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */ 7281 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt, 7282 sizeof(struct hci_ev_le_direct_adv_report), 7283 HCI_MAX_EVENT_SIZE), 7284 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */ 7285 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt, 7286 sizeof(struct hci_ev_le_phy_update_complete)), 7287 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */ 7288 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt, 7289 sizeof(struct hci_ev_le_ext_adv_report), 7290 HCI_MAX_EVENT_SIZE), 7291 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */ 7292 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED, 7293 hci_le_pa_sync_estabilished_evt, 7294 sizeof(struct hci_ev_le_pa_sync_established)), 7295 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */ 7296 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT, 7297 hci_le_per_adv_report_evt, 7298 sizeof(struct hci_ev_le_per_adv_report), 7299 HCI_MAX_EVENT_SIZE), 7300 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */ 7301 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt, 7302 sizeof(struct hci_evt_le_ext_adv_set_term)), 7303 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */ 7304 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt, 7305 sizeof(struct hci_evt_le_cis_established)), 7306 /* [0x1a = HCI_EVT_LE_CIS_REQ] */ 7307 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt, 7308 sizeof(struct hci_evt_le_cis_req)), 7309 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */ 7310 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE, 7311 hci_le_create_big_complete_evt, 7312 sizeof(struct hci_evt_le_create_big_complete), 7313 HCI_MAX_EVENT_SIZE), 7314 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */ 7315 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 7316 hci_le_big_sync_established_evt, 7317 sizeof(struct hci_evt_le_big_sync_estabilished), 7318 HCI_MAX_EVENT_SIZE), 7319 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */ 7320 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT, 7321 hci_le_big_info_adv_report_evt, 7322 sizeof(struct hci_evt_le_big_info_adv_report), 7323 HCI_MAX_EVENT_SIZE), 7324 }; 7325 7326 static void hci_le_meta_evt(struct hci_dev *hdev, void *data, 7327 struct sk_buff *skb, u16 *opcode, u8 *status, 7328 hci_req_complete_t *req_complete, 7329 hci_req_complete_skb_t *req_complete_skb) 7330 { 7331 struct hci_ev_le_meta *ev = data; 7332 const struct hci_le_ev *subev; 7333 7334 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent); 7335 7336 /* Only match event if command OGF is for LE */ 7337 if (hdev->sent_cmd && 7338 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 && 7339 hci_skb_event(hdev->sent_cmd) == ev->subevent) { 7340 *opcode = hci_skb_opcode(hdev->sent_cmd); 7341 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete, 7342 req_complete_skb); 7343 } 7344 7345 subev = &hci_le_ev_table[ev->subevent]; 7346 if (!subev->func) 7347 return; 7348 7349 if (skb->len < subev->min_len) { 7350 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u", 7351 ev->subevent, skb->len, subev->min_len); 7352 return; 7353 } 7354 7355 /* Just warn if the length is over max_len size it still be 7356 * possible to partially parse the event so leave to callback to 7357 * decide if that is acceptable. 7358 */ 7359 if (skb->len > subev->max_len) 7360 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u", 7361 ev->subevent, skb->len, subev->max_len); 7362 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len); 7363 if (!data) 7364 return; 7365 7366 subev->func(hdev, data, skb); 7367 } 7368 7369 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 7370 u8 event, struct sk_buff *skb) 7371 { 7372 struct hci_ev_cmd_complete *ev; 7373 struct hci_event_hdr *hdr; 7374 7375 if (!skb) 7376 return false; 7377 7378 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr)); 7379 if (!hdr) 7380 return false; 7381 7382 if (event) { 7383 if (hdr->evt != event) 7384 return false; 7385 return true; 7386 } 7387 7388 /* Check if request ended in Command Status - no way to retrieve 7389 * any extra parameters in this case. 7390 */ 7391 if (hdr->evt == HCI_EV_CMD_STATUS) 7392 return false; 7393 7394 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 7395 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 7396 hdr->evt); 7397 return false; 7398 } 7399 7400 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev)); 7401 if (!ev) 7402 return false; 7403 7404 if (opcode != __le16_to_cpu(ev->opcode)) { 7405 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 7406 __le16_to_cpu(ev->opcode)); 7407 return false; 7408 } 7409 7410 return true; 7411 } 7412 7413 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 7414 struct sk_buff *skb) 7415 { 7416 struct hci_ev_le_advertising_info *adv; 7417 struct hci_ev_le_direct_adv_info *direct_adv; 7418 struct hci_ev_le_ext_adv_info *ext_adv; 7419 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; 7420 const struct hci_ev_conn_request *conn_request = (void *)skb->data; 7421 7422 hci_dev_lock(hdev); 7423 7424 /* If we are currently suspended and this is the first BT event seen, 7425 * save the wake reason associated with the event. 7426 */ 7427 if (!hdev->suspended || hdev->wake_reason) 7428 goto unlock; 7429 7430 /* Default to remote wake. Values for wake_reason are documented in the 7431 * Bluez mgmt api docs. 7432 */ 7433 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 7434 7435 /* Once configured for remote wakeup, we should only wake up for 7436 * reconnections. It's useful to see which device is waking us up so 7437 * keep track of the bdaddr of the connection event that woke us up. 7438 */ 7439 if (event == HCI_EV_CONN_REQUEST) { 7440 bacpy(&hdev->wake_addr, &conn_request->bdaddr); 7441 hdev->wake_addr_type = BDADDR_BREDR; 7442 } else if (event == HCI_EV_CONN_COMPLETE) { 7443 bacpy(&hdev->wake_addr, &conn_complete->bdaddr); 7444 hdev->wake_addr_type = BDADDR_BREDR; 7445 } else if (event == HCI_EV_LE_META) { 7446 struct hci_ev_le_meta *le_ev = (void *)skb->data; 7447 u8 subevent = le_ev->subevent; 7448 u8 *ptr = &skb->data[sizeof(*le_ev)]; 7449 u8 num_reports = *ptr; 7450 7451 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT || 7452 subevent == HCI_EV_LE_DIRECT_ADV_REPORT || 7453 subevent == HCI_EV_LE_EXT_ADV_REPORT) && 7454 num_reports) { 7455 adv = (void *)(ptr + 1); 7456 direct_adv = (void *)(ptr + 1); 7457 ext_adv = (void *)(ptr + 1); 7458 7459 switch (subevent) { 7460 case HCI_EV_LE_ADVERTISING_REPORT: 7461 bacpy(&hdev->wake_addr, &adv->bdaddr); 7462 hdev->wake_addr_type = adv->bdaddr_type; 7463 break; 7464 case HCI_EV_LE_DIRECT_ADV_REPORT: 7465 bacpy(&hdev->wake_addr, &direct_adv->bdaddr); 7466 hdev->wake_addr_type = direct_adv->bdaddr_type; 7467 break; 7468 case HCI_EV_LE_EXT_ADV_REPORT: 7469 bacpy(&hdev->wake_addr, &ext_adv->bdaddr); 7470 hdev->wake_addr_type = ext_adv->bdaddr_type; 7471 break; 7472 } 7473 } 7474 } else { 7475 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 7476 } 7477 7478 unlock: 7479 hci_dev_unlock(hdev); 7480 } 7481 7482 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \ 7483 [_op] = { \ 7484 .req = false, \ 7485 .func = _func, \ 7486 .min_len = _min_len, \ 7487 .max_len = _max_len, \ 7488 } 7489 7490 #define HCI_EV(_op, _func, _len) \ 7491 HCI_EV_VL(_op, _func, _len, _len) 7492 7493 #define HCI_EV_STATUS(_op, _func) \ 7494 HCI_EV(_op, _func, sizeof(struct hci_ev_status)) 7495 7496 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \ 7497 [_op] = { \ 7498 .req = true, \ 7499 .func_req = _func, \ 7500 .min_len = _min_len, \ 7501 .max_len = _max_len, \ 7502 } 7503 7504 #define HCI_EV_REQ(_op, _func, _len) \ 7505 HCI_EV_REQ_VL(_op, _func, _len, _len) 7506 7507 /* Entries in this table shall have their position according to the event opcode 7508 * they handle so the use of the macros above is recommend since it does attempt 7509 * to initialize at its proper index using Designated Initializers that way 7510 * events without a callback function don't have entered. 7511 */ 7512 static const struct hci_ev { 7513 bool req; 7514 union { 7515 void (*func)(struct hci_dev *hdev, void *data, 7516 struct sk_buff *skb); 7517 void (*func_req)(struct hci_dev *hdev, void *data, 7518 struct sk_buff *skb, u16 *opcode, u8 *status, 7519 hci_req_complete_t *req_complete, 7520 hci_req_complete_skb_t *req_complete_skb); 7521 }; 7522 u16 min_len; 7523 u16 max_len; 7524 } hci_ev_table[U8_MAX + 1] = { 7525 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */ 7526 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt), 7527 /* [0x02 = HCI_EV_INQUIRY_RESULT] */ 7528 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt, 7529 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE), 7530 /* [0x03 = HCI_EV_CONN_COMPLETE] */ 7531 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt, 7532 sizeof(struct hci_ev_conn_complete)), 7533 /* [0x04 = HCI_EV_CONN_REQUEST] */ 7534 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt, 7535 sizeof(struct hci_ev_conn_request)), 7536 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */ 7537 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt, 7538 sizeof(struct hci_ev_disconn_complete)), 7539 /* [0x06 = HCI_EV_AUTH_COMPLETE] */ 7540 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt, 7541 sizeof(struct hci_ev_auth_complete)), 7542 /* [0x07 = HCI_EV_REMOTE_NAME] */ 7543 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt, 7544 sizeof(struct hci_ev_remote_name)), 7545 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */ 7546 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt, 7547 sizeof(struct hci_ev_encrypt_change)), 7548 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */ 7549 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE, 7550 hci_change_link_key_complete_evt, 7551 sizeof(struct hci_ev_change_link_key_complete)), 7552 /* [0x0b = HCI_EV_REMOTE_FEATURES] */ 7553 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt, 7554 sizeof(struct hci_ev_remote_features)), 7555 /* [0x0e = HCI_EV_CMD_COMPLETE] */ 7556 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt, 7557 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE), 7558 /* [0x0f = HCI_EV_CMD_STATUS] */ 7559 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt, 7560 sizeof(struct hci_ev_cmd_status)), 7561 /* [0x10 = HCI_EV_CMD_STATUS] */ 7562 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt, 7563 sizeof(struct hci_ev_hardware_error)), 7564 /* [0x12 = HCI_EV_ROLE_CHANGE] */ 7565 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt, 7566 sizeof(struct hci_ev_role_change)), 7567 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */ 7568 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt, 7569 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE), 7570 /* [0x14 = HCI_EV_MODE_CHANGE] */ 7571 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt, 7572 sizeof(struct hci_ev_mode_change)), 7573 /* [0x16 = HCI_EV_PIN_CODE_REQ] */ 7574 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt, 7575 sizeof(struct hci_ev_pin_code_req)), 7576 /* [0x17 = HCI_EV_LINK_KEY_REQ] */ 7577 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt, 7578 sizeof(struct hci_ev_link_key_req)), 7579 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */ 7580 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt, 7581 sizeof(struct hci_ev_link_key_notify)), 7582 /* [0x1c = HCI_EV_CLOCK_OFFSET] */ 7583 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt, 7584 sizeof(struct hci_ev_clock_offset)), 7585 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */ 7586 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt, 7587 sizeof(struct hci_ev_pkt_type_change)), 7588 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */ 7589 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt, 7590 sizeof(struct hci_ev_pscan_rep_mode)), 7591 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */ 7592 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI, 7593 hci_inquiry_result_with_rssi_evt, 7594 sizeof(struct hci_ev_inquiry_result_rssi), 7595 HCI_MAX_EVENT_SIZE), 7596 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */ 7597 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt, 7598 sizeof(struct hci_ev_remote_ext_features)), 7599 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */ 7600 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt, 7601 sizeof(struct hci_ev_sync_conn_complete)), 7602 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */ 7603 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT, 7604 hci_extended_inquiry_result_evt, 7605 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE), 7606 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */ 7607 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt, 7608 sizeof(struct hci_ev_key_refresh_complete)), 7609 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */ 7610 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt, 7611 sizeof(struct hci_ev_io_capa_request)), 7612 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */ 7613 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt, 7614 sizeof(struct hci_ev_io_capa_reply)), 7615 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */ 7616 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt, 7617 sizeof(struct hci_ev_user_confirm_req)), 7618 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */ 7619 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt, 7620 sizeof(struct hci_ev_user_passkey_req)), 7621 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */ 7622 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt, 7623 sizeof(struct hci_ev_remote_oob_data_request)), 7624 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */ 7625 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt, 7626 sizeof(struct hci_ev_simple_pair_complete)), 7627 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */ 7628 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt, 7629 sizeof(struct hci_ev_user_passkey_notify)), 7630 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */ 7631 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt, 7632 sizeof(struct hci_ev_keypress_notify)), 7633 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */ 7634 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt, 7635 sizeof(struct hci_ev_remote_host_features)), 7636 /* [0x3e = HCI_EV_LE_META] */ 7637 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt, 7638 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE), 7639 #if IS_ENABLED(CONFIG_BT_HS) 7640 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */ 7641 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt, 7642 sizeof(struct hci_ev_phy_link_complete)), 7643 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */ 7644 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt, 7645 sizeof(struct hci_ev_channel_selected)), 7646 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */ 7647 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE, 7648 hci_disconn_loglink_complete_evt, 7649 sizeof(struct hci_ev_disconn_logical_link_complete)), 7650 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */ 7651 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt, 7652 sizeof(struct hci_ev_logical_link_complete)), 7653 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */ 7654 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE, 7655 hci_disconn_phylink_complete_evt, 7656 sizeof(struct hci_ev_disconn_phy_link_complete)), 7657 #endif 7658 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */ 7659 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt, 7660 sizeof(struct hci_ev_num_comp_blocks)), 7661 /* [0xff = HCI_EV_VENDOR] */ 7662 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE), 7663 }; 7664 7665 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb, 7666 u16 *opcode, u8 *status, 7667 hci_req_complete_t *req_complete, 7668 hci_req_complete_skb_t *req_complete_skb) 7669 { 7670 const struct hci_ev *ev = &hci_ev_table[event]; 7671 void *data; 7672 7673 if (!ev->func) 7674 return; 7675 7676 if (skb->len < ev->min_len) { 7677 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u", 7678 event, skb->len, ev->min_len); 7679 return; 7680 } 7681 7682 /* Just warn if the length is over max_len size it still be 7683 * possible to partially parse the event so leave to callback to 7684 * decide if that is acceptable. 7685 */ 7686 if (skb->len > ev->max_len) 7687 bt_dev_warn_ratelimited(hdev, 7688 "unexpected event 0x%2.2x length: %u > %u", 7689 event, skb->len, ev->max_len); 7690 7691 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len); 7692 if (!data) 7693 return; 7694 7695 if (ev->req) 7696 ev->func_req(hdev, data, skb, opcode, status, req_complete, 7697 req_complete_skb); 7698 else 7699 ev->func(hdev, data, skb); 7700 } 7701 7702 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 7703 { 7704 struct hci_event_hdr *hdr = (void *) skb->data; 7705 hci_req_complete_t req_complete = NULL; 7706 hci_req_complete_skb_t req_complete_skb = NULL; 7707 struct sk_buff *orig_skb = NULL; 7708 u8 status = 0, event, req_evt = 0; 7709 u16 opcode = HCI_OP_NOP; 7710 7711 if (skb->len < sizeof(*hdr)) { 7712 bt_dev_err(hdev, "Malformed HCI Event"); 7713 goto done; 7714 } 7715 7716 kfree_skb(hdev->recv_event); 7717 hdev->recv_event = skb_clone(skb, GFP_KERNEL); 7718 7719 event = hdr->evt; 7720 if (!event) { 7721 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x", 7722 event); 7723 goto done; 7724 } 7725 7726 /* Only match event if command OGF is not for LE */ 7727 if (hdev->sent_cmd && 7728 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 && 7729 hci_skb_event(hdev->sent_cmd) == event) { 7730 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd), 7731 status, &req_complete, &req_complete_skb); 7732 req_evt = event; 7733 } 7734 7735 /* If it looks like we might end up having to call 7736 * req_complete_skb, store a pristine copy of the skb since the 7737 * various handlers may modify the original one through 7738 * skb_pull() calls, etc. 7739 */ 7740 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 7741 event == HCI_EV_CMD_COMPLETE) 7742 orig_skb = skb_clone(skb, GFP_KERNEL); 7743 7744 skb_pull(skb, HCI_EVENT_HDR_SIZE); 7745 7746 /* Store wake reason if we're suspended */ 7747 hci_store_wake_reason(hdev, event, skb); 7748 7749 bt_dev_dbg(hdev, "event 0x%2.2x", event); 7750 7751 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete, 7752 &req_complete_skb); 7753 7754 if (req_complete) { 7755 req_complete(hdev, status, opcode); 7756 } else if (req_complete_skb) { 7757 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 7758 kfree_skb(orig_skb); 7759 orig_skb = NULL; 7760 } 7761 req_complete_skb(hdev, status, opcode, orig_skb); 7762 } 7763 7764 done: 7765 kfree_skb(orig_skb); 7766 kfree_skb(skb); 7767 hdev->stat.evt_rx++; 7768 } 7769