search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'iommu-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
[linux/fpc-iii.git] / net / bluetooth / hci_event.c
blob67668be3461e93e0917f9fdd3c25d08b191d0cda
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 #include "msft.h"
39
40 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
41 "\x00\x00\x00\x00\x00\x00\x00\x00"
42
43 /* Handle HCI Event packets */
44
45 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
46 u8 *new_status)
47 {
48 __u8 status = *((__u8 *) skb->data);
49
50 BT_DBG("%s status 0x%2.2x", hdev->name, status);
51
52 /* It is possible that we receive Inquiry Complete event right
53 * before we receive Inquiry Cancel Command Complete event, in
54 * which case the latter event should have status of Command
55 * Disallowed (0x0c). This should not be treated as error, since
56 * we actually achieve what Inquiry Cancel wants to achieve,
57 * which is to end the last Inquiry session.
58 */
59 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
60 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
61 status = 0x00;
62 }
63
64 *new_status = status;
65
66 if (status)
67 return;
68
69 clear_bit(HCI_INQUIRY, &hdev->flags);
70 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
71 wake_up_bit(&hdev->flags, HCI_INQUIRY);
72
73 hci_dev_lock(hdev);
74 /* Set discovery state to stopped if we're not doing LE active
75 * scanning.
76 */
77 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
78 hdev->le_scan_type != LE_SCAN_ACTIVE)
79 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
80 hci_dev_unlock(hdev);
81
82 hci_conn_check_pending(hdev);
83 }
84
85 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
86 {
87 __u8 status = *((__u8 *) skb->data);
88
89 BT_DBG("%s status 0x%2.2x", hdev->name, status);
90
91 if (status)
92 return;
93
94 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
95 }
96
97 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
98 {
99 __u8 status = *((__u8 *) skb->data);
100
101 BT_DBG("%s status 0x%2.2x", hdev->name, status);
102
103 if (status)
104 return;
105
106 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
107
108 hci_conn_check_pending(hdev);
109 }
110
111 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
112 struct sk_buff *skb)
113 {
114 BT_DBG("%s", hdev->name);
115 }
116
117 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
118 {
119 struct hci_rp_role_discovery *rp = (void *) skb->data;
120 struct hci_conn *conn;
121
122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
123
124 if (rp->status)
125 return;
126
127 hci_dev_lock(hdev);
128
129 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
130 if (conn)
131 conn->role = rp->role;
132
133 hci_dev_unlock(hdev);
134 }
135
136 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
137 {
138 struct hci_rp_read_link_policy *rp = (void *) skb->data;
139 struct hci_conn *conn;
140
141 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
142
143 if (rp->status)
144 return;
145
146 hci_dev_lock(hdev);
147
148 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
149 if (conn)
150 conn->link_policy = __le16_to_cpu(rp->policy);
151
152 hci_dev_unlock(hdev);
153 }
154
155 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
156 {
157 struct hci_rp_write_link_policy *rp = (void *) skb->data;
158 struct hci_conn *conn;
159 void *sent;
160
161 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
162
163 if (rp->status)
164 return;
165
166 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
167 if (!sent)
168 return;
169
170 hci_dev_lock(hdev);
171
172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
173 if (conn)
174 conn->link_policy = get_unaligned_le16(sent + 2);
175
176 hci_dev_unlock(hdev);
177 }
178
179 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
180 struct sk_buff *skb)
181 {
182 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
183
184 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
185
186 if (rp->status)
187 return;
188
189 hdev->link_policy = __le16_to_cpu(rp->policy);
190 }
191
192 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
193 struct sk_buff *skb)
194 {
195 __u8 status = *((__u8 *) skb->data);
196 void *sent;
197
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
199
200 if (status)
201 return;
202
203 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
204 if (!sent)
205 return;
206
207 hdev->link_policy = get_unaligned_le16(sent);
208 }
209
210 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
211 {
212 __u8 status = *((__u8 *) skb->data);
213
214 BT_DBG("%s status 0x%2.2x", hdev->name, status);
215
216 clear_bit(HCI_RESET, &hdev->flags);
217
218 if (status)
219 return;
220
221 /* Reset all non-persistent flags */
222 hci_dev_clear_volatile_flags(hdev);
223
224 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
225
226 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
227 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
228
229 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
230 hdev->adv_data_len = 0;
231
232 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
233 hdev->scan_rsp_data_len = 0;
234
235 hdev->le_scan_type = LE_SCAN_PASSIVE;
236
237 hdev->ssp_debug_mode = 0;
238
239 hci_bdaddr_list_clear(&hdev->le_white_list);
240 hci_bdaddr_list_clear(&hdev->le_resolv_list);
241 }
242
243 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
244 struct sk_buff *skb)
245 {
246 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
247 struct hci_cp_read_stored_link_key *sent;
248
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250
251 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
252 if (!sent)
253 return;
254
255 if (!rp->status && sent->read_all == 0x01) {
256 hdev->stored_max_keys = rp->max_keys;
257 hdev->stored_num_keys = rp->num_keys;
258 }
259 }
260
261 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
262 struct sk_buff *skb)
263 {
264 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
265
266 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
267
268 if (rp->status)
269 return;
270
271 if (rp->num_keys <= hdev->stored_num_keys)
272 hdev->stored_num_keys -= rp->num_keys;
273 else
274 hdev->stored_num_keys = 0;
275 }
276
277 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
278 {
279 __u8 status = *((__u8 *) skb->data);
280 void *sent;
281
282 BT_DBG("%s status 0x%2.2x", hdev->name, status);
283
284 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
285 if (!sent)
286 return;
287
288 hci_dev_lock(hdev);
289
290 if (hci_dev_test_flag(hdev, HCI_MGMT))
291 mgmt_set_local_name_complete(hdev, sent, status);
292 else if (!status)
293 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
294
295 hci_dev_unlock(hdev);
296 }
297
298 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
299 {
300 struct hci_rp_read_local_name *rp = (void *) skb->data;
301
302 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
303
304 if (rp->status)
305 return;
306
307 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
308 hci_dev_test_flag(hdev, HCI_CONFIG))
309 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
310 }
311
312 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
313 {
314 __u8 status = *((__u8 *) skb->data);
315 void *sent;
316
317 BT_DBG("%s status 0x%2.2x", hdev->name, status);
318
319 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
320 if (!sent)
321 return;
322
323 hci_dev_lock(hdev);
324
325 if (!status) {
326 __u8 param = *((__u8 *) sent);
327
328 if (param == AUTH_ENABLED)
329 set_bit(HCI_AUTH, &hdev->flags);
330 else
331 clear_bit(HCI_AUTH, &hdev->flags);
332 }
333
334 if (hci_dev_test_flag(hdev, HCI_MGMT))
335 mgmt_auth_enable_complete(hdev, status);
336
337 hci_dev_unlock(hdev);
338 }
339
340 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
341 {
342 __u8 status = *((__u8 *) skb->data);
343 __u8 param;
344 void *sent;
345
346 BT_DBG("%s status 0x%2.2x", hdev->name, status);
347
348 if (status)
349 return;
350
351 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
352 if (!sent)
353 return;
354
355 param = *((__u8 *) sent);
356
357 if (param)
358 set_bit(HCI_ENCRYPT, &hdev->flags);
359 else
360 clear_bit(HCI_ENCRYPT, &hdev->flags);
361 }
362
363 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
364 {
365 __u8 status = *((__u8 *) skb->data);
366 __u8 param;
367 void *sent;
368
369 BT_DBG("%s status 0x%2.2x", hdev->name, status);
370
371 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
372 if (!sent)
373 return;
374
375 param = *((__u8 *) sent);
376
377 hci_dev_lock(hdev);
378
379 if (status) {
380 hdev->discov_timeout = 0;
381 goto done;
382 }
383
384 if (param & SCAN_INQUIRY)
385 set_bit(HCI_ISCAN, &hdev->flags);
386 else
387 clear_bit(HCI_ISCAN, &hdev->flags);
388
389 if (param & SCAN_PAGE)
390 set_bit(HCI_PSCAN, &hdev->flags);
391 else
392 clear_bit(HCI_PSCAN, &hdev->flags);
393
394 done:
395 hci_dev_unlock(hdev);
396 }
397
398 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
399 {
400 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
401
402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
403
404 if (rp->status)
405 return;
406
407 memcpy(hdev->dev_class, rp->dev_class, 3);
408
409 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
410 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
411 }
412
413 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
414 {
415 __u8 status = *((__u8 *) skb->data);
416 void *sent;
417
418 BT_DBG("%s status 0x%2.2x", hdev->name, status);
419
420 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
421 if (!sent)
422 return;
423
424 hci_dev_lock(hdev);
425
426 if (status == 0)
427 memcpy(hdev->dev_class, sent, 3);
428
429 if (hci_dev_test_flag(hdev, HCI_MGMT))
430 mgmt_set_class_of_dev_complete(hdev, sent, status);
431
432 hci_dev_unlock(hdev);
433 }
434
435 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
436 {
437 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
438 __u16 setting;
439
440 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
441
442 if (rp->status)
443 return;
444
445 setting = __le16_to_cpu(rp->voice_setting);
446
447 if (hdev->voice_setting == setting)
448 return;
449
450 hdev->voice_setting = setting;
451
452 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
453
454 if (hdev->notify)
455 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
456 }
457
458 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
459 struct sk_buff *skb)
460 {
461 __u8 status = *((__u8 *) skb->data);
462 __u16 setting;
463 void *sent;
464
465 BT_DBG("%s status 0x%2.2x", hdev->name, status);
466
467 if (status)
468 return;
469
470 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
471 if (!sent)
472 return;
473
474 setting = get_unaligned_le16(sent);
475
476 if (hdev->voice_setting == setting)
477 return;
478
479 hdev->voice_setting = setting;
480
481 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
482
483 if (hdev->notify)
484 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
485 }
486
487 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
488 struct sk_buff *skb)
489 {
490 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
491
492 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
493
494 if (rp->status)
495 return;
496
497 hdev->num_iac = rp->num_iac;
498
499 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
500 }
501
502 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
503 {
504 __u8 status = *((__u8 *) skb->data);
505 struct hci_cp_write_ssp_mode *sent;
506
507 BT_DBG("%s status 0x%2.2x", hdev->name, status);
508
509 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
510 if (!sent)
511 return;
512
513 hci_dev_lock(hdev);
514
515 if (!status) {
516 if (sent->mode)
517 hdev->features[1][0] |= LMP_HOST_SSP;
518 else
519 hdev->features[1][0] &= ~LMP_HOST_SSP;
520 }
521
522 if (hci_dev_test_flag(hdev, HCI_MGMT))
523 mgmt_ssp_enable_complete(hdev, sent->mode, status);
524 else if (!status) {
525 if (sent->mode)
526 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
527 else
528 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
529 }
530
531 hci_dev_unlock(hdev);
532 }
533
534 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
535 {
536 u8 status = *((u8 *) skb->data);
537 struct hci_cp_write_sc_support *sent;
538
539 BT_DBG("%s status 0x%2.2x", hdev->name, status);
540
541 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
542 if (!sent)
543 return;
544
545 hci_dev_lock(hdev);
546
547 if (!status) {
548 if (sent->support)
549 hdev->features[1][0] |= LMP_HOST_SC;
550 else
551 hdev->features[1][0] &= ~LMP_HOST_SC;
552 }
553
554 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
555 if (sent->support)
556 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
557 else
558 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
559 }
560
561 hci_dev_unlock(hdev);
562 }
563
564 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
565 {
566 struct hci_rp_read_local_version *rp = (void *) skb->data;
567
568 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
569
570 if (rp->status)
571 return;
572
573 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
574 hci_dev_test_flag(hdev, HCI_CONFIG)) {
575 hdev->hci_ver = rp->hci_ver;
576 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
577 hdev->lmp_ver = rp->lmp_ver;
578 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
579 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
580 }
581 }
582
583 static void hci_cc_read_local_commands(struct hci_dev *hdev,
584 struct sk_buff *skb)
585 {
586 struct hci_rp_read_local_commands *rp = (void *) skb->data;
587
588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
589
590 if (rp->status)
591 return;
592
593 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
594 hci_dev_test_flag(hdev, HCI_CONFIG))
595 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
596 }
597
598 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
599 struct sk_buff *skb)
600 {
601 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
602 struct hci_conn *conn;
603
604 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
605
606 if (rp->status)
607 return;
608
609 hci_dev_lock(hdev);
610
611 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
612 if (conn)
613 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
614
615 hci_dev_unlock(hdev);
616 }
617
618 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
619 struct sk_buff *skb)
620 {
621 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
622 struct hci_conn *conn;
623 void *sent;
624
625 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
626
627 if (rp->status)
628 return;
629
630 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
631 if (!sent)
632 return;
633
634 hci_dev_lock(hdev);
635
636 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
637 if (conn)
638 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
639
640 hci_dev_unlock(hdev);
641 }
642
643 static void hci_cc_read_local_features(struct hci_dev *hdev,
644 struct sk_buff *skb)
645 {
646 struct hci_rp_read_local_features *rp = (void *) skb->data;
647
648 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
649
650 if (rp->status)
651 return;
652
653 memcpy(hdev->features, rp->features, 8);
654
655 /* Adjust default settings according to features
656 * supported by device. */
657
658 if (hdev->features[0][0] & LMP_3SLOT)
659 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
660
661 if (hdev->features[0][0] & LMP_5SLOT)
662 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
663
664 if (hdev->features[0][1] & LMP_HV2) {
665 hdev->pkt_type |= (HCI_HV2);
666 hdev->esco_type |= (ESCO_HV2);
667 }
668
669 if (hdev->features[0][1] & LMP_HV3) {
670 hdev->pkt_type |= (HCI_HV3);
671 hdev->esco_type |= (ESCO_HV3);
672 }
673
674 if (lmp_esco_capable(hdev))
675 hdev->esco_type |= (ESCO_EV3);
676
677 if (hdev->features[0][4] & LMP_EV4)
678 hdev->esco_type |= (ESCO_EV4);
679
680 if (hdev->features[0][4] & LMP_EV5)
681 hdev->esco_type |= (ESCO_EV5);
682
683 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
684 hdev->esco_type |= (ESCO_2EV3);
685
686 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
687 hdev->esco_type |= (ESCO_3EV3);
688
689 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
690 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
691 }
692
693 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
694 struct sk_buff *skb)
695 {
696 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
697
698 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
699
700 if (rp->status)
701 return;
702
703 if (hdev->max_page < rp->max_page)
704 hdev->max_page = rp->max_page;
705
706 if (rp->page < HCI_MAX_PAGES)
707 memcpy(hdev->features[rp->page], rp->features, 8);
708 }
709
710 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
711 struct sk_buff *skb)
712 {
713 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
714
715 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
716
717 if (rp->status)
718 return;
719
720 hdev->flow_ctl_mode = rp->mode;
721 }
722
723 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
724 {
725 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
726
727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
728
729 if (rp->status)
730 return;
731
732 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
733 hdev->sco_mtu = rp->sco_mtu;
734 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
735 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
736
737 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
738 hdev->sco_mtu = 64;
739 hdev->sco_pkts = 8;
740 }
741
742 hdev->acl_cnt = hdev->acl_pkts;
743 hdev->sco_cnt = hdev->sco_pkts;
744
745 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
746 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
747 }
748
749 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
750 {
751 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
752
753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
754
755 if (rp->status)
756 return;
757
758 if (test_bit(HCI_INIT, &hdev->flags))
759 bacpy(&hdev->bdaddr, &rp->bdaddr);
760
761 if (hci_dev_test_flag(hdev, HCI_SETUP))
762 bacpy(&hdev->setup_addr, &rp->bdaddr);
763 }
764
765 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,
766 struct sk_buff *skb)
767 {
768 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;
769
770 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
771
772 if (rp->status)
773 return;
774
775 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
776 hci_dev_test_flag(hdev, HCI_CONFIG)) {
777 hdev->pairing_opts = rp->pairing_opts;
778 hdev->max_enc_key_size = rp->max_key_size;
779 }
780 }
781
782 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
783 struct sk_buff *skb)
784 {
785 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
786
787 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
788
789 if (rp->status)
790 return;
791
792 if (test_bit(HCI_INIT, &hdev->flags)) {
793 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
794 hdev->page_scan_window = __le16_to_cpu(rp->window);
795 }
796 }
797
798 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
799 struct sk_buff *skb)
800 {
801 u8 status = *((u8 *) skb->data);
802 struct hci_cp_write_page_scan_activity *sent;
803
804 BT_DBG("%s status 0x%2.2x", hdev->name, status);
805
806 if (status)
807 return;
808
809 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
810 if (!sent)
811 return;
812
813 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
814 hdev->page_scan_window = __le16_to_cpu(sent->window);
815 }
816
817 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
818 struct sk_buff *skb)
819 {
820 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
821
822 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
823
824 if (rp->status)
825 return;
826
827 if (test_bit(HCI_INIT, &hdev->flags))
828 hdev->page_scan_type = rp->type;
829 }
830
831 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
832 struct sk_buff *skb)
833 {
834 u8 status = *((u8 *) skb->data);
835 u8 *type;
836
837 BT_DBG("%s status 0x%2.2x", hdev->name, status);
838
839 if (status)
840 return;
841
842 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
843 if (type)
844 hdev->page_scan_type = *type;
845 }
846
847 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
848 struct sk_buff *skb)
849 {
850 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
851
852 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
853
854 if (rp->status)
855 return;
856
857 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
858 hdev->block_len = __le16_to_cpu(rp->block_len);
859 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
860
861 hdev->block_cnt = hdev->num_blocks;
862
863 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
864 hdev->block_cnt, hdev->block_len);
865 }
866
867 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
868 {
869 struct hci_rp_read_clock *rp = (void *) skb->data;
870 struct hci_cp_read_clock *cp;
871 struct hci_conn *conn;
872
873 BT_DBG("%s", hdev->name);
874
875 if (skb->len < sizeof(*rp))
876 return;
877
878 if (rp->status)
879 return;
880
881 hci_dev_lock(hdev);
882
883 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
884 if (!cp)
885 goto unlock;
886
887 if (cp->which == 0x00) {
888 hdev->clock = le32_to_cpu(rp->clock);
889 goto unlock;
890 }
891
892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
893 if (conn) {
894 conn->clock = le32_to_cpu(rp->clock);
895 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
896 }
897
898 unlock:
899 hci_dev_unlock(hdev);
900 }
901
902 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
903 struct sk_buff *skb)
904 {
905 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
906
907 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
908
909 if (rp->status)
910 return;
911
912 hdev->amp_status = rp->amp_status;
913 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
914 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
915 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
916 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
917 hdev->amp_type = rp->amp_type;
918 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
919 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
920 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
921 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
922 }
923
924 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
925 struct sk_buff *skb)
926 {
927 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
928
929 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
930
931 if (rp->status)
932 return;
933
934 hdev->inq_tx_power = rp->tx_power;
935 }
936
937 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,
938 struct sk_buff *skb)
939 {
940 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;
941
942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
943
944 if (rp->status)
945 return;
946
947 hdev->err_data_reporting = rp->err_data_reporting;
948 }
949
950 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,
951 struct sk_buff *skb)
952 {
953 __u8 status = *((__u8 *)skb->data);
954 struct hci_cp_write_def_err_data_reporting *cp;
955
956 BT_DBG("%s status 0x%2.2x", hdev->name, status);
957
958 if (status)
959 return;
960
961 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
962 if (!cp)
963 return;
964
965 hdev->err_data_reporting = cp->err_data_reporting;
966 }
967
968 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
969 {
970 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
971 struct hci_cp_pin_code_reply *cp;
972 struct hci_conn *conn;
973
974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
975
976 hci_dev_lock(hdev);
977
978 if (hci_dev_test_flag(hdev, HCI_MGMT))
979 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
980
981 if (rp->status)
982 goto unlock;
983
984 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
985 if (!cp)
986 goto unlock;
987
988 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
989 if (conn)
990 conn->pin_length = cp->pin_len;
991
992 unlock:
993 hci_dev_unlock(hdev);
994 }
995
996 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
997 {
998 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
999
1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1001
1002 hci_dev_lock(hdev);
1003
1004 if (hci_dev_test_flag(hdev, HCI_MGMT))
1005 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1006 rp->status);
1007
1008 hci_dev_unlock(hdev);
1009 }
1010
1011 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
1012 struct sk_buff *skb)
1013 {
1014 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
1015
1016 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1017
1018 if (rp->status)
1019 return;
1020
1021 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1022 hdev->le_pkts = rp->le_max_pkt;
1023
1024 hdev->le_cnt = hdev->le_pkts;
1025
1026 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1027 }
1028
1029 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
1030 struct sk_buff *skb)
1031 {
1032 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
1033
1034 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1035
1036 if (rp->status)
1037 return;
1038
1039 memcpy(hdev->le_features, rp->features, 8);
1040 }
1041
1042 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
1043 struct sk_buff *skb)
1044 {
1045 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
1046
1047 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1048
1049 if (rp->status)
1050 return;
1051
1052 hdev->adv_tx_power = rp->tx_power;
1053 }
1054
1055 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
1056 {
1057 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1058
1059 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1060
1061 hci_dev_lock(hdev);
1062
1063 if (hci_dev_test_flag(hdev, HCI_MGMT))
1064 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1065 rp->status);
1066
1067 hci_dev_unlock(hdev);
1068 }
1069
1070 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
1071 struct sk_buff *skb)
1072 {
1073 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1074
1075 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1076
1077 hci_dev_lock(hdev);
1078
1079 if (hci_dev_test_flag(hdev, HCI_MGMT))
1080 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1081 ACL_LINK, 0, rp->status);
1082
1083 hci_dev_unlock(hdev);
1084 }
1085
1086 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1087 {
1088 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1089
1090 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1091
1092 hci_dev_lock(hdev);
1093
1094 if (hci_dev_test_flag(hdev, HCI_MGMT))
1095 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1096 0, rp->status);
1097
1098 hci_dev_unlock(hdev);
1099 }
1100
1101 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1102 struct sk_buff *skb)
1103 {
1104 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1105
1106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1107
1108 hci_dev_lock(hdev);
1109
1110 if (hci_dev_test_flag(hdev, HCI_MGMT))
1111 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1112 ACL_LINK, 0, rp->status);
1113
1114 hci_dev_unlock(hdev);
1115 }
1116
1117 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1118 struct sk_buff *skb)
1119 {
1120 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1121
1122 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1123 }
1124
1125 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1126 struct sk_buff *skb)
1127 {
1128 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1129
1130 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1131 }
1132
1133 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1134 {
1135 __u8 status = *((__u8 *) skb->data);
1136 bdaddr_t *sent;
1137
1138 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1139
1140 if (status)
1141 return;
1142
1143 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1144 if (!sent)
1145 return;
1146
1147 hci_dev_lock(hdev);
1148
1149 bacpy(&hdev->random_addr, sent);
1150
1151 hci_dev_unlock(hdev);
1152 }
1153
1154 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1155 {
1156 __u8 status = *((__u8 *) skb->data);
1157 struct hci_cp_le_set_default_phy *cp;
1158
1159 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1160
1161 if (status)
1162 return;
1163
1164 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1165 if (!cp)
1166 return;
1167
1168 hci_dev_lock(hdev);
1169
1170 hdev->le_tx_def_phys = cp->tx_phys;
1171 hdev->le_rx_def_phys = cp->rx_phys;
1172
1173 hci_dev_unlock(hdev);
1174 }
1175
1176 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1177 struct sk_buff *skb)
1178 {
1179 __u8 status = *((__u8 *) skb->data);
1180 struct hci_cp_le_set_adv_set_rand_addr *cp;
1181 struct adv_info *adv_instance;
1182
1183 if (status)
1184 return;
1185
1186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1187 if (!cp)
1188 return;
1189
1190 hci_dev_lock(hdev);
1191
1192 if (!hdev->cur_adv_instance) {
1193 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1194 bacpy(&hdev->random_addr, &cp->bdaddr);
1195 } else {
1196 adv_instance = hci_find_adv_instance(hdev,
1197 hdev->cur_adv_instance);
1198 if (adv_instance)
1199 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1200 }
1201
1202 hci_dev_unlock(hdev);
1203 }
1204
1205 static void hci_cc_le_read_transmit_power(struct hci_dev *hdev,
1206 struct sk_buff *skb)
1207 {
1208 struct hci_rp_le_read_transmit_power *rp = (void *)skb->data;
1209
1210 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1211
1212 if (rp->status)
1213 return;
1214
1215 hdev->min_le_tx_power = rp->min_le_tx_power;
1216 hdev->max_le_tx_power = rp->max_le_tx_power;
1217 }
1218
1219 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1220 {
1221 __u8 *sent, status = *((__u8 *) skb->data);
1222
1223 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1224
1225 if (status)
1226 return;
1227
1228 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1229 if (!sent)
1230 return;
1231
1232 hci_dev_lock(hdev);
1233
1234 /* If we're doing connection initiation as peripheral. Set a
1235 * timeout in case something goes wrong.
1236 */
1237 if (*sent) {
1238 struct hci_conn *conn;
1239
1240 hci_dev_set_flag(hdev, HCI_LE_ADV);
1241
1242 conn = hci_lookup_le_connect(hdev);
1243 if (conn)
1244 queue_delayed_work(hdev->workqueue,
1245 &conn->le_conn_timeout,
1246 conn->conn_timeout);
1247 } else {
1248 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1249 }
1250
1251 hci_dev_unlock(hdev);
1252 }
1253
1254 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1255 struct sk_buff *skb)
1256 {
1257 struct hci_cp_le_set_ext_adv_enable *cp;
1258 __u8 status = *((__u8 *) skb->data);
1259
1260 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1261
1262 if (status)
1263 return;
1264
1265 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1266 if (!cp)
1267 return;
1268
1269 hci_dev_lock(hdev);
1270
1271 if (cp->enable) {
1272 struct hci_conn *conn;
1273
1274 hci_dev_set_flag(hdev, HCI_LE_ADV);
1275
1276 conn = hci_lookup_le_connect(hdev);
1277 if (conn)
1278 queue_delayed_work(hdev->workqueue,
1279 &conn->le_conn_timeout,
1280 conn->conn_timeout);
1281 } else {
1282 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1283 }
1284
1285 hci_dev_unlock(hdev);
1286 }
1287
1288 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1289 {
1290 struct hci_cp_le_set_scan_param *cp;
1291 __u8 status = *((__u8 *) skb->data);
1292
1293 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1294
1295 if (status)
1296 return;
1297
1298 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1299 if (!cp)
1300 return;
1301
1302 hci_dev_lock(hdev);
1303
1304 hdev->le_scan_type = cp->type;
1305
1306 hci_dev_unlock(hdev);
1307 }
1308
1309 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1310 struct sk_buff *skb)
1311 {
1312 struct hci_cp_le_set_ext_scan_params *cp;
1313 __u8 status = *((__u8 *) skb->data);
1314 struct hci_cp_le_scan_phy_params *phy_param;
1315
1316 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1317
1318 if (status)
1319 return;
1320
1321 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1322 if (!cp)
1323 return;
1324
1325 phy_param = (void *)cp->data;
1326
1327 hci_dev_lock(hdev);
1328
1329 hdev->le_scan_type = phy_param->type;
1330
1331 hci_dev_unlock(hdev);
1332 }
1333
1334 static bool has_pending_adv_report(struct hci_dev *hdev)
1335 {
1336 struct discovery_state *d = &hdev->discovery;
1337
1338 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1339 }
1340
1341 static void clear_pending_adv_report(struct hci_dev *hdev)
1342 {
1343 struct discovery_state *d = &hdev->discovery;
1344
1345 bacpy(&d->last_adv_addr, BDADDR_ANY);
1346 d->last_adv_data_len = 0;
1347 }
1348
1349 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1350 u8 bdaddr_type, s8 rssi, u32 flags,
1351 u8 *data, u8 len)
1352 {
1353 struct discovery_state *d = &hdev->discovery;
1354
1355 if (len > HCI_MAX_AD_LENGTH)
1356 return;
1357
1358 bacpy(&d->last_adv_addr, bdaddr);
1359 d->last_adv_addr_type = bdaddr_type;
1360 d->last_adv_rssi = rssi;
1361 d->last_adv_flags = flags;
1362 memcpy(d->last_adv_data, data, len);
1363 d->last_adv_data_len = len;
1364 }
1365
1366 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1367 {
1368 hci_dev_lock(hdev);
1369
1370 switch (enable) {
1371 case LE_SCAN_ENABLE:
1372 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1373 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1374 clear_pending_adv_report(hdev);
1375 break;
1376
1377 case LE_SCAN_DISABLE:
1378 /* We do this here instead of when setting DISCOVERY_STOPPED
1379 * since the latter would potentially require waiting for
1380 * inquiry to stop too.
1381 */
1382 if (has_pending_adv_report(hdev)) {
1383 struct discovery_state *d = &hdev->discovery;
1384
1385 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1386 d->last_adv_addr_type, NULL,
1387 d->last_adv_rssi, d->last_adv_flags,
1388 d->last_adv_data,
1389 d->last_adv_data_len, NULL, 0);
1390 }
1391
1392 /* Cancel this timer so that we don't try to disable scanning
1393 * when it's already disabled.
1394 */
1395 cancel_delayed_work(&hdev->le_scan_disable);
1396
1397 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1398
1399 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1400 * interrupted scanning due to a connect request. Mark
1401 * therefore discovery as stopped. If this was not
1402 * because of a connect request advertising might have
1403 * been disabled because of active scanning, so
1404 * re-enable it again if necessary.
1405 */
1406 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1407 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1408 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1409 hdev->discovery.state == DISCOVERY_FINDING)
1410 hci_req_reenable_advertising(hdev);
1411
1412 break;
1413
1414 default:
1415 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1416 enable);
1417 break;
1418 }
1419
1420 hci_dev_unlock(hdev);
1421 }
1422
1423 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1424 struct sk_buff *skb)
1425 {
1426 struct hci_cp_le_set_scan_enable *cp;
1427 __u8 status = *((__u8 *) skb->data);
1428
1429 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1430
1431 if (status)
1432 return;
1433
1434 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1435 if (!cp)
1436 return;
1437
1438 le_set_scan_enable_complete(hdev, cp->enable);
1439 }
1440
1441 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1442 struct sk_buff *skb)
1443 {
1444 struct hci_cp_le_set_ext_scan_enable *cp;
1445 __u8 status = *((__u8 *) skb->data);
1446
1447 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1448
1449 if (status)
1450 return;
1451
1452 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1453 if (!cp)
1454 return;
1455
1456 le_set_scan_enable_complete(hdev, cp->enable);
1457 }
1458
1459 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1460 struct sk_buff *skb)
1461 {
1462 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1463
1464 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1465 rp->num_of_sets);
1466
1467 if (rp->status)
1468 return;
1469
1470 hdev->le_num_of_adv_sets = rp->num_of_sets;
1471 }
1472
1473 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1474 struct sk_buff *skb)
1475 {
1476 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1477
1478 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1479
1480 if (rp->status)
1481 return;
1482
1483 hdev->le_white_list_size = rp->size;
1484 }
1485
1486 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1487 struct sk_buff *skb)
1488 {
1489 __u8 status = *((__u8 *) skb->data);
1490
1491 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1492
1493 if (status)
1494 return;
1495
1496 hci_bdaddr_list_clear(&hdev->le_white_list);
1497 }
1498
1499 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1500 struct sk_buff *skb)
1501 {
1502 struct hci_cp_le_add_to_white_list *sent;
1503 __u8 status = *((__u8 *) skb->data);
1504
1505 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1506
1507 if (status)
1508 return;
1509
1510 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1511 if (!sent)
1512 return;
1513
1514 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1515 sent->bdaddr_type);
1516 }
1517
1518 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1519 struct sk_buff *skb)
1520 {
1521 struct hci_cp_le_del_from_white_list *sent;
1522 __u8 status = *((__u8 *) skb->data);
1523
1524 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1525
1526 if (status)
1527 return;
1528
1529 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1530 if (!sent)
1531 return;
1532
1533 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1534 sent->bdaddr_type);
1535 }
1536
1537 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1538 struct sk_buff *skb)
1539 {
1540 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1541
1542 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1543
1544 if (rp->status)
1545 return;
1546
1547 memcpy(hdev->le_states, rp->le_states, 8);
1548 }
1549
1550 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1551 struct sk_buff *skb)
1552 {
1553 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1554
1555 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1556
1557 if (rp->status)
1558 return;
1559
1560 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1561 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1562 }
1563
1564 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1565 struct sk_buff *skb)
1566 {
1567 struct hci_cp_le_write_def_data_len *sent;
1568 __u8 status = *((__u8 *) skb->data);
1569
1570 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1571
1572 if (status)
1573 return;
1574
1575 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1576 if (!sent)
1577 return;
1578
1579 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1580 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1581 }
1582
1583 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1584 struct sk_buff *skb)
1585 {
1586 struct hci_cp_le_add_to_resolv_list *sent;
1587 __u8 status = *((__u8 *) skb->data);
1588
1589 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1590
1591 if (status)
1592 return;
1593
1594 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1595 if (!sent)
1596 return;
1597
1598 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1599 sent->bdaddr_type, sent->peer_irk,
1600 sent->local_irk);
1601 }
1602
1603 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1604 struct sk_buff *skb)
1605 {
1606 struct hci_cp_le_del_from_resolv_list *sent;
1607 __u8 status = *((__u8 *) skb->data);
1608
1609 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1610
1611 if (status)
1612 return;
1613
1614 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1615 if (!sent)
1616 return;
1617
1618 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1619 sent->bdaddr_type);
1620 }
1621
1622 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1623 struct sk_buff *skb)
1624 {
1625 __u8 status = *((__u8 *) skb->data);
1626
1627 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1628
1629 if (status)
1630 return;
1631
1632 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1633 }
1634
1635 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1636 struct sk_buff *skb)
1637 {
1638 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1639
1640 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1641
1642 if (rp->status)
1643 return;
1644
1645 hdev->le_resolv_list_size = rp->size;
1646 }
1647
1648 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1649 struct sk_buff *skb)
1650 {
1651 __u8 *sent, status = *((__u8 *) skb->data);
1652
1653 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1654
1655 if (status)
1656 return;
1657
1658 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1659 if (!sent)
1660 return;
1661
1662 hci_dev_lock(hdev);
1663
1664 if (*sent)
1665 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1666 else
1667 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1668
1669 hci_dev_unlock(hdev);
1670 }
1671
1672 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1673 struct sk_buff *skb)
1674 {
1675 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1676
1677 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1678
1679 if (rp->status)
1680 return;
1681
1682 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1683 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1684 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1685 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1686 }
1687
1688 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1689 struct sk_buff *skb)
1690 {
1691 struct hci_cp_write_le_host_supported *sent;
1692 __u8 status = *((__u8 *) skb->data);
1693
1694 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1695
1696 if (status)
1697 return;
1698
1699 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1700 if (!sent)
1701 return;
1702
1703 hci_dev_lock(hdev);
1704
1705 if (sent->le) {
1706 hdev->features[1][0] |= LMP_HOST_LE;
1707 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1708 } else {
1709 hdev->features[1][0] &= ~LMP_HOST_LE;
1710 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1711 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1712 }
1713
1714 if (sent->simul)
1715 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1716 else
1717 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1718
1719 hci_dev_unlock(hdev);
1720 }
1721
1722 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1723 {
1724 struct hci_cp_le_set_adv_param *cp;
1725 u8 status = *((u8 *) skb->data);
1726
1727 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1728
1729 if (status)
1730 return;
1731
1732 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1733 if (!cp)
1734 return;
1735
1736 hci_dev_lock(hdev);
1737 hdev->adv_addr_type = cp->own_address_type;
1738 hci_dev_unlock(hdev);
1739 }
1740
1741 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1742 {
1743 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1744 struct hci_cp_le_set_ext_adv_params *cp;
1745 struct adv_info *adv_instance;
1746
1747 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1748
1749 if (rp->status)
1750 return;
1751
1752 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1753 if (!cp)
1754 return;
1755
1756 hci_dev_lock(hdev);
1757 hdev->adv_addr_type = cp->own_addr_type;
1758 if (!hdev->cur_adv_instance) {
1759 /* Store in hdev for instance 0 */
1760 hdev->adv_tx_power = rp->tx_power;
1761 } else {
1762 adv_instance = hci_find_adv_instance(hdev,
1763 hdev->cur_adv_instance);
1764 if (adv_instance)
1765 adv_instance->tx_power = rp->tx_power;
1766 }
1767 /* Update adv data as tx power is known now */
1768 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1769
1770 hci_dev_unlock(hdev);
1771 }
1772
1773 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1774 {
1775 struct hci_rp_read_rssi *rp = (void *) skb->data;
1776 struct hci_conn *conn;
1777
1778 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1779
1780 if (rp->status)
1781 return;
1782
1783 hci_dev_lock(hdev);
1784
1785 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1786 if (conn)
1787 conn->rssi = rp->rssi;
1788
1789 hci_dev_unlock(hdev);
1790 }
1791
1792 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1793 {
1794 struct hci_cp_read_tx_power *sent;
1795 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1796 struct hci_conn *conn;
1797
1798 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1799
1800 if (rp->status)
1801 return;
1802
1803 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1804 if (!sent)
1805 return;
1806
1807 hci_dev_lock(hdev);
1808
1809 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1810 if (!conn)
1811 goto unlock;
1812
1813 switch (sent->type) {
1814 case 0x00:
1815 conn->tx_power = rp->tx_power;
1816 break;
1817 case 0x01:
1818 conn->max_tx_power = rp->tx_power;
1819 break;
1820 }
1821
1822 unlock:
1823 hci_dev_unlock(hdev);
1824 }
1825
1826 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1827 {
1828 u8 status = *((u8 *) skb->data);
1829 u8 *mode;
1830
1831 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1832
1833 if (status)
1834 return;
1835
1836 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1837 if (mode)
1838 hdev->ssp_debug_mode = *mode;
1839 }
1840
1841 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1842 {
1843 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1844
1845 if (status) {
1846 hci_conn_check_pending(hdev);
1847 return;
1848 }
1849
1850 set_bit(HCI_INQUIRY, &hdev->flags);
1851 }
1852
1853 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1854 {
1855 struct hci_cp_create_conn *cp;
1856 struct hci_conn *conn;
1857
1858 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1859
1860 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1861 if (!cp)
1862 return;
1863
1864 hci_dev_lock(hdev);
1865
1866 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1867
1868 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1869
1870 if (status) {
1871 if (conn && conn->state == BT_CONNECT) {
1872 if (status != 0x0c || conn->attempt > 2) {
1873 conn->state = BT_CLOSED;
1874 hci_connect_cfm(conn, status);
1875 hci_conn_del(conn);
1876 } else
1877 conn->state = BT_CONNECT2;
1878 }
1879 } else {
1880 if (!conn) {
1881 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1882 HCI_ROLE_MASTER);
1883 if (!conn)
1884 bt_dev_err(hdev, "no memory for new connection");
1885 }
1886 }
1887
1888 hci_dev_unlock(hdev);
1889 }
1890
1891 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1892 {
1893 struct hci_cp_add_sco *cp;
1894 struct hci_conn *acl, *sco;
1895 __u16 handle;
1896
1897 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1898
1899 if (!status)
1900 return;
1901
1902 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1903 if (!cp)
1904 return;
1905
1906 handle = __le16_to_cpu(cp->handle);
1907
1908 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1909
1910 hci_dev_lock(hdev);
1911
1912 acl = hci_conn_hash_lookup_handle(hdev, handle);
1913 if (acl) {
1914 sco = acl->link;
1915 if (sco) {
1916 sco->state = BT_CLOSED;
1917
1918 hci_connect_cfm(sco, status);
1919 hci_conn_del(sco);
1920 }
1921 }
1922
1923 hci_dev_unlock(hdev);
1924 }
1925
1926 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1927 {
1928 struct hci_cp_auth_requested *cp;
1929 struct hci_conn *conn;
1930
1931 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1932
1933 if (!status)
1934 return;
1935
1936 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1937 if (!cp)
1938 return;
1939
1940 hci_dev_lock(hdev);
1941
1942 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1943 if (conn) {
1944 if (conn->state == BT_CONFIG) {
1945 hci_connect_cfm(conn, status);
1946 hci_conn_drop(conn);
1947 }
1948 }
1949
1950 hci_dev_unlock(hdev);
1951 }
1952
1953 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1954 {
1955 struct hci_cp_set_conn_encrypt *cp;
1956 struct hci_conn *conn;
1957
1958 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1959
1960 if (!status)
1961 return;
1962
1963 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1964 if (!cp)
1965 return;
1966
1967 hci_dev_lock(hdev);
1968
1969 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1970 if (conn) {
1971 if (conn->state == BT_CONFIG) {
1972 hci_connect_cfm(conn, status);
1973 hci_conn_drop(conn);
1974 }
1975 }
1976
1977 hci_dev_unlock(hdev);
1978 }
1979
1980 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1981 struct hci_conn *conn)
1982 {
1983 if (conn->state != BT_CONFIG || !conn->out)
1984 return 0;
1985
1986 if (conn->pending_sec_level == BT_SECURITY_SDP)
1987 return 0;
1988
1989 /* Only request authentication for SSP connections or non-SSP
1990 * devices with sec_level MEDIUM or HIGH or if MITM protection
1991 * is requested.
1992 */
1993 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1994 conn->pending_sec_level != BT_SECURITY_FIPS &&
1995 conn->pending_sec_level != BT_SECURITY_HIGH &&
1996 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1997 return 0;
1998
1999 return 1;
2000 }
2001
2002 static int hci_resolve_name(struct hci_dev *hdev,
2003 struct inquiry_entry *e)
2004 {
2005 struct hci_cp_remote_name_req cp;
2006
2007 memset(&cp, 0, sizeof(cp));
2008
2009 bacpy(&cp.bdaddr, &e->data.bdaddr);
2010 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2011 cp.pscan_mode = e->data.pscan_mode;
2012 cp.clock_offset = e->data.clock_offset;
2013
2014 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2015 }
2016
2017 static bool hci_resolve_next_name(struct hci_dev *hdev)
2018 {
2019 struct discovery_state *discov = &hdev->discovery;
2020 struct inquiry_entry *e;
2021
2022 if (list_empty(&discov->resolve))
2023 return false;
2024
2025 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2026 if (!e)
2027 return false;
2028
2029 if (hci_resolve_name(hdev, e) == 0) {
2030 e->name_state = NAME_PENDING;
2031 return true;
2032 }
2033
2034 return false;
2035 }
2036
2037 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2038 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2039 {
2040 struct discovery_state *discov = &hdev->discovery;
2041 struct inquiry_entry *e;
2042
2043 /* Update the mgmt connected state if necessary. Be careful with
2044 * conn objects that exist but are not (yet) connected however.
2045 * Only those in BT_CONFIG or BT_CONNECTED states can be
2046 * considered connected.
2047 */
2048 if (conn &&
2049 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2050 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2051 mgmt_device_connected(hdev, conn, 0, name, name_len);
2052
2053 if (discov->state == DISCOVERY_STOPPED)
2054 return;
2055
2056 if (discov->state == DISCOVERY_STOPPING)
2057 goto discov_complete;
2058
2059 if (discov->state != DISCOVERY_RESOLVING)
2060 return;
2061
2062 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2063 /* If the device was not found in a list of found devices names of which
2064 * are pending. there is no need to continue resolving a next name as it
2065 * will be done upon receiving another Remote Name Request Complete
2066 * Event */
2067 if (!e)
2068 return;
2069
2070 list_del(&e->list);
2071 if (name) {
2072 e->name_state = NAME_KNOWN;
2073 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2074 e->data.rssi, name, name_len);
2075 } else {
2076 e->name_state = NAME_NOT_KNOWN;
2077 }
2078
2079 if (hci_resolve_next_name(hdev))
2080 return;
2081
2082 discov_complete:
2083 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2084 }
2085
2086 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2087 {
2088 struct hci_cp_remote_name_req *cp;
2089 struct hci_conn *conn;
2090
2091 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2092
2093 /* If successful wait for the name req complete event before
2094 * checking for the need to do authentication */
2095 if (!status)
2096 return;
2097
2098 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2099 if (!cp)
2100 return;
2101
2102 hci_dev_lock(hdev);
2103
2104 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2105
2106 if (hci_dev_test_flag(hdev, HCI_MGMT))
2107 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2108
2109 if (!conn)
2110 goto unlock;
2111
2112 if (!hci_outgoing_auth_needed(hdev, conn))
2113 goto unlock;
2114
2115 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2116 struct hci_cp_auth_requested auth_cp;
2117
2118 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2119
2120 auth_cp.handle = __cpu_to_le16(conn->handle);
2121 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2122 sizeof(auth_cp), &auth_cp);
2123 }
2124
2125 unlock:
2126 hci_dev_unlock(hdev);
2127 }
2128
2129 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2130 {
2131 struct hci_cp_read_remote_features *cp;
2132 struct hci_conn *conn;
2133
2134 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2135
2136 if (!status)
2137 return;
2138
2139 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2140 if (!cp)
2141 return;
2142
2143 hci_dev_lock(hdev);
2144
2145 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2146 if (conn) {
2147 if (conn->state == BT_CONFIG) {
2148 hci_connect_cfm(conn, status);
2149 hci_conn_drop(conn);
2150 }
2151 }
2152
2153 hci_dev_unlock(hdev);
2154 }
2155
2156 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2157 {
2158 struct hci_cp_read_remote_ext_features *cp;
2159 struct hci_conn *conn;
2160
2161 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2162
2163 if (!status)
2164 return;
2165
2166 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2167 if (!cp)
2168 return;
2169
2170 hci_dev_lock(hdev);
2171
2172 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2173 if (conn) {
2174 if (conn->state == BT_CONFIG) {
2175 hci_connect_cfm(conn, status);
2176 hci_conn_drop(conn);
2177 }
2178 }
2179
2180 hci_dev_unlock(hdev);
2181 }
2182
2183 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2184 {
2185 struct hci_cp_setup_sync_conn *cp;
2186 struct hci_conn *acl, *sco;
2187 __u16 handle;
2188
2189 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2190
2191 if (!status)
2192 return;
2193
2194 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2195 if (!cp)
2196 return;
2197
2198 handle = __le16_to_cpu(cp->handle);
2199
2200 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2201
2202 hci_dev_lock(hdev);
2203
2204 acl = hci_conn_hash_lookup_handle(hdev, handle);
2205 if (acl) {
2206 sco = acl->link;
2207 if (sco) {
2208 sco->state = BT_CLOSED;
2209
2210 hci_connect_cfm(sco, status);
2211 hci_conn_del(sco);
2212 }
2213 }
2214
2215 hci_dev_unlock(hdev);
2216 }
2217
2218 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2219 {
2220 struct hci_cp_sniff_mode *cp;
2221 struct hci_conn *conn;
2222
2223 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2224
2225 if (!status)
2226 return;
2227
2228 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2229 if (!cp)
2230 return;
2231
2232 hci_dev_lock(hdev);
2233
2234 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2235 if (conn) {
2236 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2237
2238 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2239 hci_sco_setup(conn, status);
2240 }
2241
2242 hci_dev_unlock(hdev);
2243 }
2244
2245 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2246 {
2247 struct hci_cp_exit_sniff_mode *cp;
2248 struct hci_conn *conn;
2249
2250 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2251
2252 if (!status)
2253 return;
2254
2255 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2256 if (!cp)
2257 return;
2258
2259 hci_dev_lock(hdev);
2260
2261 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2262 if (conn) {
2263 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2264
2265 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2266 hci_sco_setup(conn, status);
2267 }
2268
2269 hci_dev_unlock(hdev);
2270 }
2271
2272 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2273 {
2274 struct hci_cp_disconnect *cp;
2275 struct hci_conn *conn;
2276
2277 if (!status)
2278 return;
2279
2280 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2281 if (!cp)
2282 return;
2283
2284 hci_dev_lock(hdev);
2285
2286 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2287 if (conn) {
2288 u8 type = conn->type;
2289
2290 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2291 conn->dst_type, status);
2292
2293 /* If the disconnection failed for any reason, the upper layer
2294 * does not retry to disconnect in current implementation.
2295 * Hence, we need to do some basic cleanup here and re-enable
2296 * advertising if necessary.
2297 */
2298 hci_conn_del(conn);
2299 if (type == LE_LINK)
2300 hci_req_reenable_advertising(hdev);
2301 }
2302
2303 hci_dev_unlock(hdev);
2304 }
2305
2306 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2307 u8 peer_addr_type, u8 own_address_type,
2308 u8 filter_policy)
2309 {
2310 struct hci_conn *conn;
2311
2312 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2313 peer_addr_type);
2314 if (!conn)
2315 return;
2316
2317 /* When using controller based address resolution, then the new
2318 * address types 0x02 and 0x03 are used. These types need to be
2319 * converted back into either public address or random address type
2320 */
2321 if (use_ll_privacy(hdev) &&
2322 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) {
2323 switch (own_address_type) {
2324 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2325 own_address_type = ADDR_LE_DEV_PUBLIC;
2326 break;
2327 case ADDR_LE_DEV_RANDOM_RESOLVED:
2328 own_address_type = ADDR_LE_DEV_RANDOM;
2329 break;
2330 }
2331 }
2332
2333 /* Store the initiator and responder address information which
2334 * is needed for SMP. These values will not change during the
2335 * lifetime of the connection.
2336 */
2337 conn->init_addr_type = own_address_type;
2338 if (own_address_type == ADDR_LE_DEV_RANDOM)
2339 bacpy(&conn->init_addr, &hdev->random_addr);
2340 else
2341 bacpy(&conn->init_addr, &hdev->bdaddr);
2342
2343 conn->resp_addr_type = peer_addr_type;
2344 bacpy(&conn->resp_addr, peer_addr);
2345
2346 /* We don't want the connection attempt to stick around
2347 * indefinitely since LE doesn't have a page timeout concept
2348 * like BR/EDR. Set a timer for any connection that doesn't use
2349 * the white list for connecting.
2350 */
2351 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2352 queue_delayed_work(conn->hdev->workqueue,
2353 &conn->le_conn_timeout,
2354 conn->conn_timeout);
2355 }
2356
2357 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2358 {
2359 struct hci_cp_le_create_conn *cp;
2360
2361 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2362
2363 /* All connection failure handling is taken care of by the
2364 * hci_le_conn_failed function which is triggered by the HCI
2365 * request completion callbacks used for connecting.
2366 */
2367 if (status)
2368 return;
2369
2370 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2371 if (!cp)
2372 return;
2373
2374 hci_dev_lock(hdev);
2375
2376 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2377 cp->own_address_type, cp->filter_policy);
2378
2379 hci_dev_unlock(hdev);
2380 }
2381
2382 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2383 {
2384 struct hci_cp_le_ext_create_conn *cp;
2385
2386 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2387
2388 /* All connection failure handling is taken care of by the
2389 * hci_le_conn_failed function which is triggered by the HCI
2390 * request completion callbacks used for connecting.
2391 */
2392 if (status)
2393 return;
2394
2395 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2396 if (!cp)
2397 return;
2398
2399 hci_dev_lock(hdev);
2400
2401 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2402 cp->own_addr_type, cp->filter_policy);
2403
2404 hci_dev_unlock(hdev);
2405 }
2406
2407 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2408 {
2409 struct hci_cp_le_read_remote_features *cp;
2410 struct hci_conn *conn;
2411
2412 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2413
2414 if (!status)
2415 return;
2416
2417 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2418 if (!cp)
2419 return;
2420
2421 hci_dev_lock(hdev);
2422
2423 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2424 if (conn) {
2425 if (conn->state == BT_CONFIG) {
2426 hci_connect_cfm(conn, status);
2427 hci_conn_drop(conn);
2428 }
2429 }
2430
2431 hci_dev_unlock(hdev);
2432 }
2433
2434 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2435 {
2436 struct hci_cp_le_start_enc *cp;
2437 struct hci_conn *conn;
2438
2439 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2440
2441 if (!status)
2442 return;
2443
2444 hci_dev_lock(hdev);
2445
2446 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2447 if (!cp)
2448 goto unlock;
2449
2450 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2451 if (!conn)
2452 goto unlock;
2453
2454 if (conn->state != BT_CONNECTED)
2455 goto unlock;
2456
2457 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2458 hci_conn_drop(conn);
2459
2460 unlock:
2461 hci_dev_unlock(hdev);
2462 }
2463
2464 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2465 {
2466 struct hci_cp_switch_role *cp;
2467 struct hci_conn *conn;
2468
2469 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2470
2471 if (!status)
2472 return;
2473
2474 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2475 if (!cp)
2476 return;
2477
2478 hci_dev_lock(hdev);
2479
2480 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2481 if (conn)
2482 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2483
2484 hci_dev_unlock(hdev);
2485 }
2486
2487 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2488 {
2489 __u8 status = *((__u8 *) skb->data);
2490 struct discovery_state *discov = &hdev->discovery;
2491 struct inquiry_entry *e;
2492
2493 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2494
2495 hci_conn_check_pending(hdev);
2496
2497 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2498 return;
2499
2500 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2501 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2502
2503 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2504 return;
2505
2506 hci_dev_lock(hdev);
2507
2508 if (discov->state != DISCOVERY_FINDING)
2509 goto unlock;
2510
2511 if (list_empty(&discov->resolve)) {
2512 /* When BR/EDR inquiry is active and no LE scanning is in
2513 * progress, then change discovery state to indicate completion.
2514 *
2515 * When running LE scanning and BR/EDR inquiry simultaneously
2516 * and the LE scan already finished, then change the discovery
2517 * state to indicate completion.
2518 */
2519 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2520 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2521 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2522 goto unlock;
2523 }
2524
2525 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2526 if (e && hci_resolve_name(hdev, e) == 0) {
2527 e->name_state = NAME_PENDING;
2528 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2529 } else {
2530 /* When BR/EDR inquiry is active and no LE scanning is in
2531 * progress, then change discovery state to indicate completion.
2532 *
2533 * When running LE scanning and BR/EDR inquiry simultaneously
2534 * and the LE scan already finished, then change the discovery
2535 * state to indicate completion.
2536 */
2537 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2538 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2539 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2540 }
2541
2542 unlock:
2543 hci_dev_unlock(hdev);
2544 }
2545
2546 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2547 {
2548 struct inquiry_data data;
2549 struct inquiry_info *info = (void *) (skb->data + 1);
2550 int num_rsp = *((__u8 *) skb->data);
2551
2552 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2553
2554 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
2555 return;
2556
2557 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2558 return;
2559
2560 hci_dev_lock(hdev);
2561
2562 for (; num_rsp; num_rsp--, info++) {
2563 u32 flags;
2564
2565 bacpy(&data.bdaddr, &info->bdaddr);
2566 data.pscan_rep_mode = info->pscan_rep_mode;
2567 data.pscan_period_mode = info->pscan_period_mode;
2568 data.pscan_mode = info->pscan_mode;
2569 memcpy(data.dev_class, info->dev_class, 3);
2570 data.clock_offset = info->clock_offset;
2571 data.rssi = HCI_RSSI_INVALID;
2572 data.ssp_mode = 0x00;
2573
2574 flags = hci_inquiry_cache_update(hdev, &data, false);
2575
2576 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2577 info->dev_class, HCI_RSSI_INVALID,
2578 flags, NULL, 0, NULL, 0);
2579 }
2580
2581 hci_dev_unlock(hdev);
2582 }
2583
2584 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2585 {
2586 struct hci_ev_conn_complete *ev = (void *) skb->data;
2587 struct hci_conn *conn;
2588
2589 BT_DBG("%s", hdev->name);
2590
2591 hci_dev_lock(hdev);
2592
2593 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2594 if (!conn) {
2595 /* Connection may not exist if auto-connected. Check the bredr
2596 * allowlist to see if this device is allowed to auto connect.
2597 * If link is an ACL type, create a connection class
2598 * automatically.
2599 *
2600 * Auto-connect will only occur if the event filter is
2601 * programmed with a given address. Right now, event filter is
2602 * only used during suspend.
2603 */
2604 if (ev->link_type == ACL_LINK &&
2605 hci_bdaddr_list_lookup_with_flags(&hdev->whitelist,
2606 &ev->bdaddr,
2607 BDADDR_BREDR)) {
2608 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2609 HCI_ROLE_SLAVE);
2610 if (!conn) {
2611 bt_dev_err(hdev, "no memory for new conn");
2612 goto unlock;
2613 }
2614 } else {
2615 if (ev->link_type != SCO_LINK)
2616 goto unlock;
2617
2618 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
2619 &ev->bdaddr);
2620 if (!conn)
2621 goto unlock;
2622
2623 conn->type = SCO_LINK;
2624 }
2625 }
2626
2627 if (!ev->status) {
2628 conn->handle = __le16_to_cpu(ev->handle);
2629
2630 if (conn->type == ACL_LINK) {
2631 conn->state = BT_CONFIG;
2632 hci_conn_hold(conn);
2633
2634 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2635 !hci_find_link_key(hdev, &ev->bdaddr))
2636 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2637 else
2638 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2639 } else
2640 conn->state = BT_CONNECTED;
2641
2642 hci_debugfs_create_conn(conn);
2643 hci_conn_add_sysfs(conn);
2644
2645 if (test_bit(HCI_AUTH, &hdev->flags))
2646 set_bit(HCI_CONN_AUTH, &conn->flags);
2647
2648 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2649 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2650
2651 /* Get remote features */
2652 if (conn->type == ACL_LINK) {
2653 struct hci_cp_read_remote_features cp;
2654 cp.handle = ev->handle;
2655 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2656 sizeof(cp), &cp);
2657
2658 hci_req_update_scan(hdev);
2659 }
2660
2661 /* Set packet type for incoming connection */
2662 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2663 struct hci_cp_change_conn_ptype cp;
2664 cp.handle = ev->handle;
2665 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2666 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2667 &cp);
2668 }
2669 } else {
2670 conn->state = BT_CLOSED;
2671 if (conn->type == ACL_LINK)
2672 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2673 conn->dst_type, ev->status);
2674 }
2675
2676 if (conn->type == ACL_LINK)
2677 hci_sco_setup(conn, ev->status);
2678
2679 if (ev->status) {
2680 hci_connect_cfm(conn, ev->status);
2681 hci_conn_del(conn);
2682 } else if (ev->link_type == SCO_LINK) {
2683 switch (conn->setting & SCO_AIRMODE_MASK) {
2684 case SCO_AIRMODE_CVSD:
2685 if (hdev->notify)
2686 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
2687 break;
2688 }
2689
2690 hci_connect_cfm(conn, ev->status);
2691 }
2692
2693 unlock:
2694 hci_dev_unlock(hdev);
2695
2696 hci_conn_check_pending(hdev);
2697 }
2698
2699 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2700 {
2701 struct hci_cp_reject_conn_req cp;
2702
2703 bacpy(&cp.bdaddr, bdaddr);
2704 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2705 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2706 }
2707
2708 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2709 {
2710 struct hci_ev_conn_request *ev = (void *) skb->data;
2711 int mask = hdev->link_mode;
2712 struct inquiry_entry *ie;
2713 struct hci_conn *conn;
2714 __u8 flags = 0;
2715
2716 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2717 ev->link_type);
2718
2719 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2720 &flags);
2721
2722 if (!(mask & HCI_LM_ACCEPT)) {
2723 hci_reject_conn(hdev, &ev->bdaddr);
2724 return;
2725 }
2726
2727 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2728 BDADDR_BREDR)) {
2729 hci_reject_conn(hdev, &ev->bdaddr);
2730 return;
2731 }
2732
2733 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2734 * connection. These features are only touched through mgmt so
2735 * only do the checks if HCI_MGMT is set.
2736 */
2737 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2738 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2739 !hci_bdaddr_list_lookup_with_flags(&hdev->whitelist, &ev->bdaddr,
2740 BDADDR_BREDR)) {
2741 hci_reject_conn(hdev, &ev->bdaddr);
2742 return;
2743 }
2744
2745 /* Connection accepted */
2746
2747 hci_dev_lock(hdev);
2748
2749 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2750 if (ie)
2751 memcpy(ie->data.dev_class, ev->dev_class, 3);
2752
2753 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2754 &ev->bdaddr);
2755 if (!conn) {
2756 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2757 HCI_ROLE_SLAVE);
2758 if (!conn) {
2759 bt_dev_err(hdev, "no memory for new connection");
2760 hci_dev_unlock(hdev);
2761 return;
2762 }
2763 }
2764
2765 memcpy(conn->dev_class, ev->dev_class, 3);
2766
2767 hci_dev_unlock(hdev);
2768
2769 if (ev->link_type == ACL_LINK ||
2770 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2771 struct hci_cp_accept_conn_req cp;
2772 conn->state = BT_CONNECT;
2773
2774 bacpy(&cp.bdaddr, &ev->bdaddr);
2775
2776 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2777 cp.role = 0x00; /* Become master */
2778 else
2779 cp.role = 0x01; /* Remain slave */
2780
2781 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2782 } else if (!(flags & HCI_PROTO_DEFER)) {
2783 struct hci_cp_accept_sync_conn_req cp;
2784 conn->state = BT_CONNECT;
2785
2786 bacpy(&cp.bdaddr, &ev->bdaddr);
2787 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2788
2789 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2790 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2791 cp.max_latency = cpu_to_le16(0xffff);
2792 cp.content_format = cpu_to_le16(hdev->voice_setting);
2793 cp.retrans_effort = 0xff;
2794
2795 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2796 &cp);
2797 } else {
2798 conn->state = BT_CONNECT2;
2799 hci_connect_cfm(conn, 0);
2800 }
2801 }
2802
2803 static u8 hci_to_mgmt_reason(u8 err)
2804 {
2805 switch (err) {
2806 case HCI_ERROR_CONNECTION_TIMEOUT:
2807 return MGMT_DEV_DISCONN_TIMEOUT;
2808 case HCI_ERROR_REMOTE_USER_TERM:
2809 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2810 case HCI_ERROR_REMOTE_POWER_OFF:
2811 return MGMT_DEV_DISCONN_REMOTE;
2812 case HCI_ERROR_LOCAL_HOST_TERM:
2813 return MGMT_DEV_DISCONN_LOCAL_HOST;
2814 default:
2815 return MGMT_DEV_DISCONN_UNKNOWN;
2816 }
2817 }
2818
2819 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2820 {
2821 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2822 u8 reason;
2823 struct hci_conn_params *params;
2824 struct hci_conn *conn;
2825 bool mgmt_connected;
2826 u8 type;
2827
2828 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2829
2830 hci_dev_lock(hdev);
2831
2832 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2833 if (!conn)
2834 goto unlock;
2835
2836 if (ev->status) {
2837 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2838 conn->dst_type, ev->status);
2839 goto unlock;
2840 }
2841
2842 conn->state = BT_CLOSED;
2843
2844 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2845
2846 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2847 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2848 else
2849 reason = hci_to_mgmt_reason(ev->reason);
2850
2851 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2852 reason, mgmt_connected);
2853
2854 if (conn->type == ACL_LINK) {
2855 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2856 hci_remove_link_key(hdev, &conn->dst);
2857
2858 hci_req_update_scan(hdev);
2859 }
2860
2861 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2862 if (params) {
2863 switch (params->auto_connect) {
2864 case HCI_AUTO_CONN_LINK_LOSS:
2865 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2866 break;
2867 fallthrough;
2868
2869 case HCI_AUTO_CONN_DIRECT:
2870 case HCI_AUTO_CONN_ALWAYS:
2871 list_del_init(&params->action);
2872 list_add(&params->action, &hdev->pend_le_conns);
2873 hci_update_background_scan(hdev);
2874 break;
2875
2876 default:
2877 break;
2878 }
2879 }
2880
2881 type = conn->type;
2882
2883 hci_disconn_cfm(conn, ev->reason);
2884 hci_conn_del(conn);
2885
2886 /* The suspend notifier is waiting for all devices to disconnect so
2887 * clear the bit from pending tasks and inform the wait queue.
2888 */
2889 if (list_empty(&hdev->conn_hash.list) &&
2890 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
2891 wake_up(&hdev->suspend_wait_q);
2892 }
2893
2894 /* Re-enable advertising if necessary, since it might
2895 * have been disabled by the connection. From the
2896 * HCI_LE_Set_Advertise_Enable command description in
2897 * the core specification (v4.0):
2898 * "The Controller shall continue advertising until the Host
2899 * issues an LE_Set_Advertise_Enable command with
2900 * Advertising_Enable set to 0x00 (Advertising is disabled)
2901 * or until a connection is created or until the Advertising
2902 * is timed out due to Directed Advertising."
2903 */
2904 if (type == LE_LINK)
2905 hci_req_reenable_advertising(hdev);
2906
2907 unlock:
2908 hci_dev_unlock(hdev);
2909 }
2910
2911 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2912 {
2913 struct hci_ev_auth_complete *ev = (void *) skb->data;
2914 struct hci_conn *conn;
2915
2916 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2917
2918 hci_dev_lock(hdev);
2919
2920 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2921 if (!conn)
2922 goto unlock;
2923
2924 if (!ev->status) {
2925 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2926
2927 if (!hci_conn_ssp_enabled(conn) &&
2928 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2929 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2930 } else {
2931 set_bit(HCI_CONN_AUTH, &conn->flags);
2932 conn->sec_level = conn->pending_sec_level;
2933 }
2934 } else {
2935 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2936 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2937
2938 mgmt_auth_failed(conn, ev->status);
2939 }
2940
2941 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2942 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2943
2944 if (conn->state == BT_CONFIG) {
2945 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2946 struct hci_cp_set_conn_encrypt cp;
2947 cp.handle = ev->handle;
2948 cp.encrypt = 0x01;
2949 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2950 &cp);
2951 } else {
2952 conn->state = BT_CONNECTED;
2953 hci_connect_cfm(conn, ev->status);
2954 hci_conn_drop(conn);
2955 }
2956 } else {
2957 hci_auth_cfm(conn, ev->status);
2958
2959 hci_conn_hold(conn);
2960 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2961 hci_conn_drop(conn);
2962 }
2963
2964 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2965 if (!ev->status) {
2966 struct hci_cp_set_conn_encrypt cp;
2967 cp.handle = ev->handle;
2968 cp.encrypt = 0x01;
2969 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2970 &cp);
2971 } else {
2972 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2973 hci_encrypt_cfm(conn, ev->status);
2974 }
2975 }
2976
2977 unlock:
2978 hci_dev_unlock(hdev);
2979 }
2980
2981 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2982 {
2983 struct hci_ev_remote_name *ev = (void *) skb->data;
2984 struct hci_conn *conn;
2985
2986 BT_DBG("%s", hdev->name);
2987
2988 hci_conn_check_pending(hdev);
2989
2990 hci_dev_lock(hdev);
2991
2992 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2993
2994 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2995 goto check_auth;
2996
2997 if (ev->status == 0)
2998 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2999 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3000 else
3001 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3002
3003 check_auth:
3004 if (!conn)
3005 goto unlock;
3006
3007 if (!hci_outgoing_auth_needed(hdev, conn))
3008 goto unlock;
3009
3010 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3011 struct hci_cp_auth_requested cp;
3012
3013 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3014
3015 cp.handle = __cpu_to_le16(conn->handle);
3016 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3017 }
3018
3019 unlock:
3020 hci_dev_unlock(hdev);
3021 }
3022
3023 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
3024 u16 opcode, struct sk_buff *skb)
3025 {
3026 const struct hci_rp_read_enc_key_size *rp;
3027 struct hci_conn *conn;
3028 u16 handle;
3029
3030 BT_DBG("%s status 0x%02x", hdev->name, status);
3031
3032 if (!skb || skb->len < sizeof(*rp)) {
3033 bt_dev_err(hdev, "invalid read key size response");
3034 return;
3035 }
3036
3037 rp = (void *)skb->data;
3038 handle = le16_to_cpu(rp->handle);
3039
3040 hci_dev_lock(hdev);
3041
3042 conn = hci_conn_hash_lookup_handle(hdev, handle);
3043 if (!conn)
3044 goto unlock;
3045
3046 /* While unexpected, the read_enc_key_size command may fail. The most
3047 * secure approach is to then assume the key size is 0 to force a
3048 * disconnection.
3049 */
3050 if (rp->status) {
3051 bt_dev_err(hdev, "failed to read key size for handle %u",
3052 handle);
3053 conn->enc_key_size = 0;
3054 } else {
3055 conn->enc_key_size = rp->key_size;
3056 }
3057
3058 hci_encrypt_cfm(conn, 0);
3059
3060 unlock:
3061 hci_dev_unlock(hdev);
3062 }
3063
3064 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3065 {
3066 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3067 struct hci_conn *conn;
3068
3069 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3070
3071 hci_dev_lock(hdev);
3072
3073 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3074 if (!conn)
3075 goto unlock;
3076
3077 if (!ev->status) {
3078 if (ev->encrypt) {
3079 /* Encryption implies authentication */
3080 set_bit(HCI_CONN_AUTH, &conn->flags);
3081 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3082 conn->sec_level = conn->pending_sec_level;
3083
3084 /* P-256 authentication key implies FIPS */
3085 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3086 set_bit(HCI_CONN_FIPS, &conn->flags);
3087
3088 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3089 conn->type == LE_LINK)
3090 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3091 } else {
3092 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3093 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3094 }
3095 }
3096
3097 /* We should disregard the current RPA and generate a new one
3098 * whenever the encryption procedure fails.
3099 */
3100 if (ev->status && conn->type == LE_LINK) {
3101 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3102 hci_adv_instances_set_rpa_expired(hdev, true);
3103 }
3104
3105 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3106
3107 /* Check link security requirements are met */
3108 if (!hci_conn_check_link_mode(conn))
3109 ev->status = HCI_ERROR_AUTH_FAILURE;
3110
3111 if (ev->status && conn->state == BT_CONNECTED) {
3112 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3113 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3114
3115 /* Notify upper layers so they can cleanup before
3116 * disconnecting.
3117 */
3118 hci_encrypt_cfm(conn, ev->status);
3119 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3120 hci_conn_drop(conn);
3121 goto unlock;
3122 }
3123
3124 /* Try reading the encryption key size for encrypted ACL links */
3125 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3126 struct hci_cp_read_enc_key_size cp;
3127 struct hci_request req;
3128
3129 /* Only send HCI_Read_Encryption_Key_Size if the
3130 * controller really supports it. If it doesn't, assume
3131 * the default size (16).
3132 */
3133 if (!(hdev->commands[20] & 0x10)) {
3134 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3135 goto notify;
3136 }
3137
3138 hci_req_init(&req, hdev);
3139
3140 cp.handle = cpu_to_le16(conn->handle);
3141 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3142
3143 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3144 bt_dev_err(hdev, "sending read key size failed");
3145 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3146 goto notify;
3147 }
3148
3149 goto unlock;
3150 }
3151
3152 /* Set the default Authenticated Payload Timeout after
3153 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3154 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3155 * sent when the link is active and Encryption is enabled, the conn
3156 * type can be either LE or ACL and controller must support LMP Ping.
3157 * Ensure for AES-CCM encryption as well.
3158 */
3159 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3160 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3161 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3162 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3163 struct hci_cp_write_auth_payload_to cp;
3164
3165 cp.handle = cpu_to_le16(conn->handle);
3166 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3167 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3168 sizeof(cp), &cp);
3169 }
3170
3171 notify:
3172 hci_encrypt_cfm(conn, ev->status);
3173
3174 unlock:
3175 hci_dev_unlock(hdev);
3176 }
3177
3178 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3179 struct sk_buff *skb)
3180 {
3181 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3182 struct hci_conn *conn;
3183
3184 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3185
3186 hci_dev_lock(hdev);
3187
3188 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3189 if (conn) {
3190 if (!ev->status)
3191 set_bit(HCI_CONN_SECURE, &conn->flags);
3192
3193 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3194
3195 hci_key_change_cfm(conn, ev->status);
3196 }
3197
3198 hci_dev_unlock(hdev);
3199 }
3200
3201 static void hci_remote_features_evt(struct hci_dev *hdev,
3202 struct sk_buff *skb)
3203 {
3204 struct hci_ev_remote_features *ev = (void *) skb->data;
3205 struct hci_conn *conn;
3206
3207 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3208
3209 hci_dev_lock(hdev);
3210
3211 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3212 if (!conn)
3213 goto unlock;
3214
3215 if (!ev->status)
3216 memcpy(conn->features[0], ev->features, 8);
3217
3218 if (conn->state != BT_CONFIG)
3219 goto unlock;
3220
3221 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3222 lmp_ext_feat_capable(conn)) {
3223 struct hci_cp_read_remote_ext_features cp;
3224 cp.handle = ev->handle;
3225 cp.page = 0x01;
3226 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3227 sizeof(cp), &cp);
3228 goto unlock;
3229 }
3230
3231 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3232 struct hci_cp_remote_name_req cp;
3233 memset(&cp, 0, sizeof(cp));
3234 bacpy(&cp.bdaddr, &conn->dst);
3235 cp.pscan_rep_mode = 0x02;
3236 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3237 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3238 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3239
3240 if (!hci_outgoing_auth_needed(hdev, conn)) {
3241 conn->state = BT_CONNECTED;
3242 hci_connect_cfm(conn, ev->status);
3243 hci_conn_drop(conn);
3244 }
3245
3246 unlock:
3247 hci_dev_unlock(hdev);
3248 }
3249
3250 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3251 u16 *opcode, u8 *status,
3252 hci_req_complete_t *req_complete,
3253 hci_req_complete_skb_t *req_complete_skb)
3254 {
3255 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3256
3257 *opcode = __le16_to_cpu(ev->opcode);
3258 *status = skb->data[sizeof(*ev)];
3259
3260 skb_pull(skb, sizeof(*ev));
3261
3262 switch (*opcode) {
3263 case HCI_OP_INQUIRY_CANCEL:
3264 hci_cc_inquiry_cancel(hdev, skb, status);
3265 break;
3266
3267 case HCI_OP_PERIODIC_INQ:
3268 hci_cc_periodic_inq(hdev, skb);
3269 break;
3270
3271 case HCI_OP_EXIT_PERIODIC_INQ:
3272 hci_cc_exit_periodic_inq(hdev, skb);
3273 break;
3274
3275 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3276 hci_cc_remote_name_req_cancel(hdev, skb);
3277 break;
3278
3279 case HCI_OP_ROLE_DISCOVERY:
3280 hci_cc_role_discovery(hdev, skb);
3281 break;
3282
3283 case HCI_OP_READ_LINK_POLICY:
3284 hci_cc_read_link_policy(hdev, skb);
3285 break;
3286
3287 case HCI_OP_WRITE_LINK_POLICY:
3288 hci_cc_write_link_policy(hdev, skb);
3289 break;
3290
3291 case HCI_OP_READ_DEF_LINK_POLICY:
3292 hci_cc_read_def_link_policy(hdev, skb);
3293 break;
3294
3295 case HCI_OP_WRITE_DEF_LINK_POLICY:
3296 hci_cc_write_def_link_policy(hdev, skb);
3297 break;
3298
3299 case HCI_OP_RESET:
3300 hci_cc_reset(hdev, skb);
3301 break;
3302
3303 case HCI_OP_READ_STORED_LINK_KEY:
3304 hci_cc_read_stored_link_key(hdev, skb);
3305 break;
3306
3307 case HCI_OP_DELETE_STORED_LINK_KEY:
3308 hci_cc_delete_stored_link_key(hdev, skb);
3309 break;
3310
3311 case HCI_OP_WRITE_LOCAL_NAME:
3312 hci_cc_write_local_name(hdev, skb);
3313 break;
3314
3315 case HCI_OP_READ_LOCAL_NAME:
3316 hci_cc_read_local_name(hdev, skb);
3317 break;
3318
3319 case HCI_OP_WRITE_AUTH_ENABLE:
3320 hci_cc_write_auth_enable(hdev, skb);
3321 break;
3322
3323 case HCI_OP_WRITE_ENCRYPT_MODE:
3324 hci_cc_write_encrypt_mode(hdev, skb);
3325 break;
3326
3327 case HCI_OP_WRITE_SCAN_ENABLE:
3328 hci_cc_write_scan_enable(hdev, skb);
3329 break;
3330
3331 case HCI_OP_READ_CLASS_OF_DEV:
3332 hci_cc_read_class_of_dev(hdev, skb);
3333 break;
3334
3335 case HCI_OP_WRITE_CLASS_OF_DEV:
3336 hci_cc_write_class_of_dev(hdev, skb);
3337 break;
3338
3339 case HCI_OP_READ_VOICE_SETTING:
3340 hci_cc_read_voice_setting(hdev, skb);
3341 break;
3342
3343 case HCI_OP_WRITE_VOICE_SETTING:
3344 hci_cc_write_voice_setting(hdev, skb);
3345 break;
3346
3347 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3348 hci_cc_read_num_supported_iac(hdev, skb);
3349 break;
3350
3351 case HCI_OP_WRITE_SSP_MODE:
3352 hci_cc_write_ssp_mode(hdev, skb);
3353 break;
3354
3355 case HCI_OP_WRITE_SC_SUPPORT:
3356 hci_cc_write_sc_support(hdev, skb);
3357 break;
3358
3359 case HCI_OP_READ_AUTH_PAYLOAD_TO:
3360 hci_cc_read_auth_payload_timeout(hdev, skb);
3361 break;
3362
3363 case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3364 hci_cc_write_auth_payload_timeout(hdev, skb);
3365 break;
3366
3367 case HCI_OP_READ_LOCAL_VERSION:
3368 hci_cc_read_local_version(hdev, skb);
3369 break;
3370
3371 case HCI_OP_READ_LOCAL_COMMANDS:
3372 hci_cc_read_local_commands(hdev, skb);
3373 break;
3374
3375 case HCI_OP_READ_LOCAL_FEATURES:
3376 hci_cc_read_local_features(hdev, skb);
3377 break;
3378
3379 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3380 hci_cc_read_local_ext_features(hdev, skb);
3381 break;
3382
3383 case HCI_OP_READ_BUFFER_SIZE:
3384 hci_cc_read_buffer_size(hdev, skb);
3385 break;
3386
3387 case HCI_OP_READ_BD_ADDR:
3388 hci_cc_read_bd_addr(hdev, skb);
3389 break;
3390
3391 case HCI_OP_READ_LOCAL_PAIRING_OPTS:
3392 hci_cc_read_local_pairing_opts(hdev, skb);
3393 break;
3394
3395 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3396 hci_cc_read_page_scan_activity(hdev, skb);
3397 break;
3398
3399 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3400 hci_cc_write_page_scan_activity(hdev, skb);
3401 break;
3402
3403 case HCI_OP_READ_PAGE_SCAN_TYPE:
3404 hci_cc_read_page_scan_type(hdev, skb);
3405 break;
3406
3407 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3408 hci_cc_write_page_scan_type(hdev, skb);
3409 break;
3410
3411 case HCI_OP_READ_DATA_BLOCK_SIZE:
3412 hci_cc_read_data_block_size(hdev, skb);
3413 break;
3414
3415 case HCI_OP_READ_FLOW_CONTROL_MODE:
3416 hci_cc_read_flow_control_mode(hdev, skb);
3417 break;
3418
3419 case HCI_OP_READ_LOCAL_AMP_INFO:
3420 hci_cc_read_local_amp_info(hdev, skb);
3421 break;
3422
3423 case HCI_OP_READ_CLOCK:
3424 hci_cc_read_clock(hdev, skb);
3425 break;
3426
3427 case HCI_OP_READ_INQ_RSP_TX_POWER:
3428 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3429 break;
3430
3431 case HCI_OP_READ_DEF_ERR_DATA_REPORTING:
3432 hci_cc_read_def_err_data_reporting(hdev, skb);
3433 break;
3434
3435 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:
3436 hci_cc_write_def_err_data_reporting(hdev, skb);
3437 break;
3438
3439 case HCI_OP_PIN_CODE_REPLY:
3440 hci_cc_pin_code_reply(hdev, skb);
3441 break;
3442
3443 case HCI_OP_PIN_CODE_NEG_REPLY:
3444 hci_cc_pin_code_neg_reply(hdev, skb);
3445 break;
3446
3447 case HCI_OP_READ_LOCAL_OOB_DATA:
3448 hci_cc_read_local_oob_data(hdev, skb);
3449 break;
3450
3451 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3452 hci_cc_read_local_oob_ext_data(hdev, skb);
3453 break;
3454
3455 case HCI_OP_LE_READ_BUFFER_SIZE:
3456 hci_cc_le_read_buffer_size(hdev, skb);
3457 break;
3458
3459 case HCI_OP_LE_READ_LOCAL_FEATURES:
3460 hci_cc_le_read_local_features(hdev, skb);
3461 break;
3462
3463 case HCI_OP_LE_READ_ADV_TX_POWER:
3464 hci_cc_le_read_adv_tx_power(hdev, skb);
3465 break;
3466
3467 case HCI_OP_USER_CONFIRM_REPLY:
3468 hci_cc_user_confirm_reply(hdev, skb);
3469 break;
3470
3471 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3472 hci_cc_user_confirm_neg_reply(hdev, skb);
3473 break;
3474
3475 case HCI_OP_USER_PASSKEY_REPLY:
3476 hci_cc_user_passkey_reply(hdev, skb);
3477 break;
3478
3479 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3480 hci_cc_user_passkey_neg_reply(hdev, skb);
3481 break;
3482
3483 case HCI_OP_LE_SET_RANDOM_ADDR:
3484 hci_cc_le_set_random_addr(hdev, skb);
3485 break;
3486
3487 case HCI_OP_LE_SET_ADV_ENABLE:
3488 hci_cc_le_set_adv_enable(hdev, skb);
3489 break;
3490
3491 case HCI_OP_LE_SET_SCAN_PARAM:
3492 hci_cc_le_set_scan_param(hdev, skb);
3493 break;
3494
3495 case HCI_OP_LE_SET_SCAN_ENABLE:
3496 hci_cc_le_set_scan_enable(hdev, skb);
3497 break;
3498
3499 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3500 hci_cc_le_read_white_list_size(hdev, skb);
3501 break;
3502
3503 case HCI_OP_LE_CLEAR_WHITE_LIST:
3504 hci_cc_le_clear_white_list(hdev, skb);
3505 break;
3506
3507 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3508 hci_cc_le_add_to_white_list(hdev, skb);
3509 break;
3510
3511 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3512 hci_cc_le_del_from_white_list(hdev, skb);
3513 break;
3514
3515 case HCI_OP_LE_READ_SUPPORTED_STATES:
3516 hci_cc_le_read_supported_states(hdev, skb);
3517 break;
3518
3519 case HCI_OP_LE_READ_DEF_DATA_LEN:
3520 hci_cc_le_read_def_data_len(hdev, skb);
3521 break;
3522
3523 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3524 hci_cc_le_write_def_data_len(hdev, skb);
3525 break;
3526
3527 case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3528 hci_cc_le_add_to_resolv_list(hdev, skb);
3529 break;
3530
3531 case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3532 hci_cc_le_del_from_resolv_list(hdev, skb);
3533 break;
3534
3535 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3536 hci_cc_le_clear_resolv_list(hdev, skb);
3537 break;
3538
3539 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3540 hci_cc_le_read_resolv_list_size(hdev, skb);
3541 break;
3542
3543 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3544 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3545 break;
3546
3547 case HCI_OP_LE_READ_MAX_DATA_LEN:
3548 hci_cc_le_read_max_data_len(hdev, skb);
3549 break;
3550
3551 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3552 hci_cc_write_le_host_supported(hdev, skb);
3553 break;
3554
3555 case HCI_OP_LE_SET_ADV_PARAM:
3556 hci_cc_set_adv_param(hdev, skb);
3557 break;
3558
3559 case HCI_OP_READ_RSSI:
3560 hci_cc_read_rssi(hdev, skb);
3561 break;
3562
3563 case HCI_OP_READ_TX_POWER:
3564 hci_cc_read_tx_power(hdev, skb);
3565 break;
3566
3567 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3568 hci_cc_write_ssp_debug_mode(hdev, skb);
3569 break;
3570
3571 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3572 hci_cc_le_set_ext_scan_param(hdev, skb);
3573 break;
3574
3575 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3576 hci_cc_le_set_ext_scan_enable(hdev, skb);
3577 break;
3578
3579 case HCI_OP_LE_SET_DEFAULT_PHY:
3580 hci_cc_le_set_default_phy(hdev, skb);
3581 break;
3582
3583 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3584 hci_cc_le_read_num_adv_sets(hdev, skb);
3585 break;
3586
3587 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3588 hci_cc_set_ext_adv_param(hdev, skb);
3589 break;
3590
3591 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3592 hci_cc_le_set_ext_adv_enable(hdev, skb);
3593 break;
3594
3595 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3596 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3597 break;
3598
3599 case HCI_OP_LE_READ_TRANSMIT_POWER:
3600 hci_cc_le_read_transmit_power(hdev, skb);
3601 break;
3602
3603 default:
3604 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3605 break;
3606 }
3607
3608 if (*opcode != HCI_OP_NOP)
3609 cancel_delayed_work(&hdev->cmd_timer);
3610
3611 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3612 atomic_set(&hdev->cmd_cnt, 1);
3613
3614 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3615 req_complete_skb);
3616
3617 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3618 bt_dev_err(hdev,
3619 "unexpected event for opcode 0x%4.4x", *opcode);
3620 return;
3621 }
3622
3623 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3624 queue_work(hdev->workqueue, &hdev->cmd_work);
3625 }
3626
3627 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3628 u16 *opcode, u8 *status,
3629 hci_req_complete_t *req_complete,
3630 hci_req_complete_skb_t *req_complete_skb)
3631 {
3632 struct hci_ev_cmd_status *ev = (void *) skb->data;
3633
3634 skb_pull(skb, sizeof(*ev));
3635
3636 *opcode = __le16_to_cpu(ev->opcode);
3637 *status = ev->status;
3638
3639 switch (*opcode) {
3640 case HCI_OP_INQUIRY:
3641 hci_cs_inquiry(hdev, ev->status);
3642 break;
3643
3644 case HCI_OP_CREATE_CONN:
3645 hci_cs_create_conn(hdev, ev->status);
3646 break;
3647
3648 case HCI_OP_DISCONNECT:
3649 hci_cs_disconnect(hdev, ev->status);
3650 break;
3651
3652 case HCI_OP_ADD_SCO:
3653 hci_cs_add_sco(hdev, ev->status);
3654 break;
3655
3656 case HCI_OP_AUTH_REQUESTED:
3657 hci_cs_auth_requested(hdev, ev->status);
3658 break;
3659
3660 case HCI_OP_SET_CONN_ENCRYPT:
3661 hci_cs_set_conn_encrypt(hdev, ev->status);
3662 break;
3663
3664 case HCI_OP_REMOTE_NAME_REQ:
3665 hci_cs_remote_name_req(hdev, ev->status);
3666 break;
3667
3668 case HCI_OP_READ_REMOTE_FEATURES:
3669 hci_cs_read_remote_features(hdev, ev->status);
3670 break;
3671
3672 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3673 hci_cs_read_remote_ext_features(hdev, ev->status);
3674 break;
3675
3676 case HCI_OP_SETUP_SYNC_CONN:
3677 hci_cs_setup_sync_conn(hdev, ev->status);
3678 break;
3679
3680 case HCI_OP_SNIFF_MODE:
3681 hci_cs_sniff_mode(hdev, ev->status);
3682 break;
3683
3684 case HCI_OP_EXIT_SNIFF_MODE:
3685 hci_cs_exit_sniff_mode(hdev, ev->status);
3686 break;
3687
3688 case HCI_OP_SWITCH_ROLE:
3689 hci_cs_switch_role(hdev, ev->status);
3690 break;
3691
3692 case HCI_OP_LE_CREATE_CONN:
3693 hci_cs_le_create_conn(hdev, ev->status);
3694 break;
3695
3696 case HCI_OP_LE_READ_REMOTE_FEATURES:
3697 hci_cs_le_read_remote_features(hdev, ev->status);
3698 break;
3699
3700 case HCI_OP_LE_START_ENC:
3701 hci_cs_le_start_enc(hdev, ev->status);
3702 break;
3703
3704 case HCI_OP_LE_EXT_CREATE_CONN:
3705 hci_cs_le_ext_create_conn(hdev, ev->status);
3706 break;
3707
3708 default:
3709 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3710 break;
3711 }
3712
3713 if (*opcode != HCI_OP_NOP)
3714 cancel_delayed_work(&hdev->cmd_timer);
3715
3716 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3717 atomic_set(&hdev->cmd_cnt, 1);
3718
3719 /* Indicate request completion if the command failed. Also, if
3720 * we're not waiting for a special event and we get a success
3721 * command status we should try to flag the request as completed
3722 * (since for this kind of commands there will not be a command
3723 * complete event).
3724 */
3725 if (ev->status ||
3726 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3727 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3728 req_complete_skb);
3729
3730 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3731 bt_dev_err(hdev,
3732 "unexpected event for opcode 0x%4.4x", *opcode);
3733 return;
3734 }
3735
3736 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3737 queue_work(hdev->workqueue, &hdev->cmd_work);
3738 }
3739
3740 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3741 {
3742 struct hci_ev_hardware_error *ev = (void *) skb->data;
3743
3744 hdev->hw_error_code = ev->code;
3745
3746 queue_work(hdev->req_workqueue, &hdev->error_reset);
3747 }
3748
3749 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3750 {
3751 struct hci_ev_role_change *ev = (void *) skb->data;
3752 struct hci_conn *conn;
3753
3754 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3755
3756 hci_dev_lock(hdev);
3757
3758 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3759 if (conn) {
3760 if (!ev->status)
3761 conn->role = ev->role;
3762
3763 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3764
3765 hci_role_switch_cfm(conn, ev->status, ev->role);
3766 }
3767
3768 hci_dev_unlock(hdev);
3769 }
3770
3771 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3772 {
3773 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3774 int i;
3775
3776 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3777 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3778 return;
3779 }
3780
3781 if (skb->len < sizeof(*ev) ||
3782 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3783 BT_DBG("%s bad parameters", hdev->name);
3784 return;
3785 }
3786
3787 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3788
3789 for (i = 0; i < ev->num_hndl; i++) {
3790 struct hci_comp_pkts_info *info = &ev->handles[i];
3791 struct hci_conn *conn;
3792 __u16 handle, count;
3793
3794 handle = __le16_to_cpu(info->handle);
3795 count = __le16_to_cpu(info->count);
3796
3797 conn = hci_conn_hash_lookup_handle(hdev, handle);
3798 if (!conn)
3799 continue;
3800
3801 conn->sent -= count;
3802
3803 switch (conn->type) {
3804 case ACL_LINK:
3805 hdev->acl_cnt += count;
3806 if (hdev->acl_cnt > hdev->acl_pkts)
3807 hdev->acl_cnt = hdev->acl_pkts;
3808 break;
3809
3810 case LE_LINK:
3811 if (hdev->le_pkts) {
3812 hdev->le_cnt += count;
3813 if (hdev->le_cnt > hdev->le_pkts)
3814 hdev->le_cnt = hdev->le_pkts;
3815 } else {
3816 hdev->acl_cnt += count;
3817 if (hdev->acl_cnt > hdev->acl_pkts)
3818 hdev->acl_cnt = hdev->acl_pkts;
3819 }
3820 break;
3821
3822 case SCO_LINK:
3823 hdev->sco_cnt += count;
3824 if (hdev->sco_cnt > hdev->sco_pkts)
3825 hdev->sco_cnt = hdev->sco_pkts;
3826 break;
3827
3828 default:
3829 bt_dev_err(hdev, "unknown type %d conn %p",
3830 conn->type, conn);
3831 break;
3832 }
3833 }
3834
3835 queue_work(hdev->workqueue, &hdev->tx_work);
3836 }
3837
3838 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3839 __u16 handle)
3840 {
3841 struct hci_chan *chan;
3842
3843 switch (hdev->dev_type) {
3844 case HCI_PRIMARY:
3845 return hci_conn_hash_lookup_handle(hdev, handle);
3846 case HCI_AMP:
3847 chan = hci_chan_lookup_handle(hdev, handle);
3848 if (chan)
3849 return chan->conn;
3850 break;
3851 default:
3852 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3853 break;
3854 }
3855
3856 return NULL;
3857 }
3858
3859 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3860 {
3861 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3862 int i;
3863
3864 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3865 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3866 return;
3867 }
3868
3869 if (skb->len < sizeof(*ev) ||
3870 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3871 BT_DBG("%s bad parameters", hdev->name);
3872 return;
3873 }
3874
3875 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3876 ev->num_hndl);
3877
3878 for (i = 0; i < ev->num_hndl; i++) {
3879 struct hci_comp_blocks_info *info = &ev->handles[i];
3880 struct hci_conn *conn = NULL;
3881 __u16 handle, block_count;
3882
3883 handle = __le16_to_cpu(info->handle);
3884 block_count = __le16_to_cpu(info->blocks);
3885
3886 conn = __hci_conn_lookup_handle(hdev, handle);
3887 if (!conn)
3888 continue;
3889
3890 conn->sent -= block_count;
3891
3892 switch (conn->type) {
3893 case ACL_LINK:
3894 case AMP_LINK:
3895 hdev->block_cnt += block_count;
3896 if (hdev->block_cnt > hdev->num_blocks)
3897 hdev->block_cnt = hdev->num_blocks;
3898 break;
3899
3900 default:
3901 bt_dev_err(hdev, "unknown type %d conn %p",
3902 conn->type, conn);
3903 break;
3904 }
3905 }
3906
3907 queue_work(hdev->workqueue, &hdev->tx_work);
3908 }
3909
3910 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3911 {
3912 struct hci_ev_mode_change *ev = (void *) skb->data;
3913 struct hci_conn *conn;
3914
3915 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3916
3917 hci_dev_lock(hdev);
3918
3919 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3920 if (conn) {
3921 conn->mode = ev->mode;
3922
3923 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3924 &conn->flags)) {
3925 if (conn->mode == HCI_CM_ACTIVE)
3926 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3927 else
3928 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3929 }
3930
3931 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3932 hci_sco_setup(conn, ev->status);
3933 }
3934
3935 hci_dev_unlock(hdev);
3936 }
3937
3938 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3939 {
3940 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3941 struct hci_conn *conn;
3942
3943 BT_DBG("%s", hdev->name);
3944
3945 hci_dev_lock(hdev);
3946
3947 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3948 if (!conn)
3949 goto unlock;
3950
3951 if (conn->state == BT_CONNECTED) {
3952 hci_conn_hold(conn);
3953 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3954 hci_conn_drop(conn);
3955 }
3956
3957 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3958 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3959 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3960 sizeof(ev->bdaddr), &ev->bdaddr);
3961 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3962 u8 secure;
3963
3964 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3965 secure = 1;
3966 else
3967 secure = 0;
3968
3969 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3970 }
3971
3972 unlock:
3973 hci_dev_unlock(hdev);
3974 }
3975
3976 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3977 {
3978 if (key_type == HCI_LK_CHANGED_COMBINATION)
3979 return;
3980
3981 conn->pin_length = pin_len;
3982 conn->key_type = key_type;
3983
3984 switch (key_type) {
3985 case HCI_LK_LOCAL_UNIT:
3986 case HCI_LK_REMOTE_UNIT:
3987 case HCI_LK_DEBUG_COMBINATION:
3988 return;
3989 case HCI_LK_COMBINATION:
3990 if (pin_len == 16)
3991 conn->pending_sec_level = BT_SECURITY_HIGH;
3992 else
3993 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3994 break;
3995 case HCI_LK_UNAUTH_COMBINATION_P192:
3996 case HCI_LK_UNAUTH_COMBINATION_P256:
3997 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3998 break;
3999 case HCI_LK_AUTH_COMBINATION_P192:
4000 conn->pending_sec_level = BT_SECURITY_HIGH;
4001 break;
4002 case HCI_LK_AUTH_COMBINATION_P256:
4003 conn->pending_sec_level = BT_SECURITY_FIPS;
4004 break;
4005 }
4006 }
4007
4008 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4009 {
4010 struct hci_ev_link_key_req *ev = (void *) skb->data;
4011 struct hci_cp_link_key_reply cp;
4012 struct hci_conn *conn;
4013 struct link_key *key;
4014
4015 BT_DBG("%s", hdev->name);
4016
4017 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4018 return;
4019
4020 hci_dev_lock(hdev);
4021
4022 key = hci_find_link_key(hdev, &ev->bdaddr);
4023 if (!key) {
4024 BT_DBG("%s link key not found for %pMR", hdev->name,
4025 &ev->bdaddr);
4026 goto not_found;
4027 }
4028
4029 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
4030 &ev->bdaddr);
4031
4032 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4033 if (conn) {
4034 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4035
4036 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4037 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4038 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4039 BT_DBG("%s ignoring unauthenticated key", hdev->name);
4040 goto not_found;
4041 }
4042
4043 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4044 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4045 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4046 BT_DBG("%s ignoring key unauthenticated for high security",
4047 hdev->name);
4048 goto not_found;
4049 }
4050
4051 conn_set_key(conn, key->type, key->pin_len);
4052 }
4053
4054 bacpy(&cp.bdaddr, &ev->bdaddr);
4055 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4056
4057 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4058
4059 hci_dev_unlock(hdev);
4060
4061 return;
4062
4063 not_found:
4064 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4065 hci_dev_unlock(hdev);
4066 }
4067
4068 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4069 {
4070 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4071 struct hci_conn *conn;
4072 struct link_key *key;
4073 bool persistent;
4074 u8 pin_len = 0;
4075
4076 BT_DBG("%s", hdev->name);
4077
4078 hci_dev_lock(hdev);
4079
4080 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4081 if (!conn)
4082 goto unlock;
4083
4084 hci_conn_hold(conn);
4085 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4086 hci_conn_drop(conn);
4087
4088 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4089 conn_set_key(conn, ev->key_type, conn->pin_length);
4090
4091 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4092 goto unlock;
4093
4094 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4095 ev->key_type, pin_len, &persistent);
4096 if (!key)
4097 goto unlock;
4098
4099 /* Update connection information since adding the key will have
4100 * fixed up the type in the case of changed combination keys.
4101 */
4102 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4103 conn_set_key(conn, key->type, key->pin_len);
4104
4105 mgmt_new_link_key(hdev, key, persistent);
4106
4107 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4108 * is set. If it's not set simply remove the key from the kernel
4109 * list (we've still notified user space about it but with
4110 * store_hint being 0).
4111 */
4112 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4113 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4114 list_del_rcu(&key->list);
4115 kfree_rcu(key, rcu);
4116 goto unlock;
4117 }
4118
4119 if (persistent)
4120 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4121 else
4122 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4123
4124 unlock:
4125 hci_dev_unlock(hdev);
4126 }
4127
4128 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4129 {
4130 struct hci_ev_clock_offset *ev = (void *) skb->data;
4131 struct hci_conn *conn;
4132
4133 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4134
4135 hci_dev_lock(hdev);
4136
4137 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4138 if (conn && !ev->status) {
4139 struct inquiry_entry *ie;
4140
4141 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4142 if (ie) {
4143 ie->data.clock_offset = ev->clock_offset;
4144 ie->timestamp = jiffies;
4145 }
4146 }
4147
4148 hci_dev_unlock(hdev);
4149 }
4150
4151 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4152 {
4153 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4154 struct hci_conn *conn;
4155
4156 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4157
4158 hci_dev_lock(hdev);
4159
4160 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4161 if (conn && !ev->status)
4162 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4163
4164 hci_dev_unlock(hdev);
4165 }
4166
4167 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4168 {
4169 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4170 struct inquiry_entry *ie;
4171
4172 BT_DBG("%s", hdev->name);
4173
4174 hci_dev_lock(hdev);
4175
4176 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4177 if (ie) {
4178 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4179 ie->timestamp = jiffies;
4180 }
4181
4182 hci_dev_unlock(hdev);
4183 }
4184
4185 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4186 struct sk_buff *skb)
4187 {
4188 struct inquiry_data data;
4189 int num_rsp = *((__u8 *) skb->data);
4190
4191 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4192
4193 if (!num_rsp)
4194 return;
4195
4196 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4197 return;
4198
4199 hci_dev_lock(hdev);
4200
4201 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4202 struct inquiry_info_with_rssi_and_pscan_mode *info;
4203 info = (void *) (skb->data + 1);
4204
4205 if (skb->len < num_rsp * sizeof(*info) + 1)
4206 goto unlock;
4207
4208 for (; num_rsp; num_rsp--, info++) {
4209 u32 flags;
4210
4211 bacpy(&data.bdaddr, &info->bdaddr);
4212 data.pscan_rep_mode = info->pscan_rep_mode;
4213 data.pscan_period_mode = info->pscan_period_mode;
4214 data.pscan_mode = info->pscan_mode;
4215 memcpy(data.dev_class, info->dev_class, 3);
4216 data.clock_offset = info->clock_offset;
4217 data.rssi = info->rssi;
4218 data.ssp_mode = 0x00;
4219
4220 flags = hci_inquiry_cache_update(hdev, &data, false);
4221
4222 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4223 info->dev_class, info->rssi,
4224 flags, NULL, 0, NULL, 0);
4225 }
4226 } else {
4227 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4228
4229 if (skb->len < num_rsp * sizeof(*info) + 1)
4230 goto unlock;
4231
4232 for (; num_rsp; num_rsp--, info++) {
4233 u32 flags;
4234
4235 bacpy(&data.bdaddr, &info->bdaddr);
4236 data.pscan_rep_mode = info->pscan_rep_mode;
4237 data.pscan_period_mode = info->pscan_period_mode;
4238 data.pscan_mode = 0x00;
4239 memcpy(data.dev_class, info->dev_class, 3);
4240 data.clock_offset = info->clock_offset;
4241 data.rssi = info->rssi;
4242 data.ssp_mode = 0x00;
4243
4244 flags = hci_inquiry_cache_update(hdev, &data, false);
4245
4246 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4247 info->dev_class, info->rssi,
4248 flags, NULL, 0, NULL, 0);
4249 }
4250 }
4251
4252 unlock:
4253 hci_dev_unlock(hdev);
4254 }
4255
4256 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4257 struct sk_buff *skb)
4258 {
4259 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4260 struct hci_conn *conn;
4261
4262 BT_DBG("%s", hdev->name);
4263
4264 hci_dev_lock(hdev);
4265
4266 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4267 if (!conn)
4268 goto unlock;
4269
4270 if (ev->page < HCI_MAX_PAGES)
4271 memcpy(conn->features[ev->page], ev->features, 8);
4272
4273 if (!ev->status && ev->page == 0x01) {
4274 struct inquiry_entry *ie;
4275
4276 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4277 if (ie)
4278 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4279
4280 if (ev->features[0] & LMP_HOST_SSP) {
4281 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4282 } else {
4283 /* It is mandatory by the Bluetooth specification that
4284 * Extended Inquiry Results are only used when Secure
4285 * Simple Pairing is enabled, but some devices violate
4286 * this.
4287 *
4288 * To make these devices work, the internal SSP
4289 * enabled flag needs to be cleared if the remote host
4290 * features do not indicate SSP support */
4291 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4292 }
4293
4294 if (ev->features[0] & LMP_HOST_SC)
4295 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4296 }
4297
4298 if (conn->state != BT_CONFIG)
4299 goto unlock;
4300
4301 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4302 struct hci_cp_remote_name_req cp;
4303 memset(&cp, 0, sizeof(cp));
4304 bacpy(&cp.bdaddr, &conn->dst);
4305 cp.pscan_rep_mode = 0x02;
4306 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4307 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4308 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4309
4310 if (!hci_outgoing_auth_needed(hdev, conn)) {
4311 conn->state = BT_CONNECTED;
4312 hci_connect_cfm(conn, ev->status);
4313 hci_conn_drop(conn);
4314 }
4315
4316 unlock:
4317 hci_dev_unlock(hdev);
4318 }
4319
4320 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4321 struct sk_buff *skb)
4322 {
4323 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4324 struct hci_conn *conn;
4325
4326 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4327
4328 hci_dev_lock(hdev);
4329
4330 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4331 if (!conn) {
4332 if (ev->link_type == ESCO_LINK)
4333 goto unlock;
4334
4335 /* When the link type in the event indicates SCO connection
4336 * and lookup of the connection object fails, then check
4337 * if an eSCO connection object exists.
4338 *
4339 * The core limits the synchronous connections to either
4340 * SCO or eSCO. The eSCO connection is preferred and tried
4341 * to be setup first and until successfully established,
4342 * the link type will be hinted as eSCO.
4343 */
4344 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4345 if (!conn)
4346 goto unlock;
4347 }
4348
4349 switch (ev->status) {
4350 case 0x00:
4351 conn->handle = __le16_to_cpu(ev->handle);
4352 conn->state = BT_CONNECTED;
4353 conn->type = ev->link_type;
4354
4355 hci_debugfs_create_conn(conn);
4356 hci_conn_add_sysfs(conn);
4357 break;
4358
4359 case 0x10: /* Connection Accept Timeout */
4360 case 0x0d: /* Connection Rejected due to Limited Resources */
4361 case 0x11: /* Unsupported Feature or Parameter Value */
4362 case 0x1c: /* SCO interval rejected */
4363 case 0x1a: /* Unsupported Remote Feature */
4364 case 0x1e: /* Invalid LMP Parameters */
4365 case 0x1f: /* Unspecified error */
4366 case 0x20: /* Unsupported LMP Parameter value */
4367 if (conn->out) {
4368 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4369 (hdev->esco_type & EDR_ESCO_MASK);
4370 if (hci_setup_sync(conn, conn->link->handle))
4371 goto unlock;
4372 }
4373 fallthrough;
4374
4375 default:
4376 conn->state = BT_CLOSED;
4377 break;
4378 }
4379
4380 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4381
4382 switch (conn->setting & SCO_AIRMODE_MASK) {
4383 case SCO_AIRMODE_CVSD:
4384 if (hdev->notify)
4385 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
4386 break;
4387 case SCO_AIRMODE_TRANSP:
4388 if (hdev->notify)
4389 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
4390 break;
4391 }
4392
4393 hci_connect_cfm(conn, ev->status);
4394 if (ev->status)
4395 hci_conn_del(conn);
4396
4397 unlock:
4398 hci_dev_unlock(hdev);
4399 }
4400
4401 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4402 {
4403 size_t parsed = 0;
4404
4405 while (parsed < eir_len) {
4406 u8 field_len = eir[0];
4407
4408 if (field_len == 0)
4409 return parsed;
4410
4411 parsed += field_len + 1;
4412 eir += field_len + 1;
4413 }
4414
4415 return eir_len;
4416 }
4417
4418 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4419 struct sk_buff *skb)
4420 {
4421 struct inquiry_data data;
4422 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4423 int num_rsp = *((__u8 *) skb->data);
4424 size_t eir_len;
4425
4426 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4427
4428 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
4429 return;
4430
4431 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4432 return;
4433
4434 hci_dev_lock(hdev);
4435
4436 for (; num_rsp; num_rsp--, info++) {
4437 u32 flags;
4438 bool name_known;
4439
4440 bacpy(&data.bdaddr, &info->bdaddr);
4441 data.pscan_rep_mode = info->pscan_rep_mode;
4442 data.pscan_period_mode = info->pscan_period_mode;
4443 data.pscan_mode = 0x00;
4444 memcpy(data.dev_class, info->dev_class, 3);
4445 data.clock_offset = info->clock_offset;
4446 data.rssi = info->rssi;
4447 data.ssp_mode = 0x01;
4448
4449 if (hci_dev_test_flag(hdev, HCI_MGMT))
4450 name_known = eir_get_data(info->data,
4451 sizeof(info->data),
4452 EIR_NAME_COMPLETE, NULL);
4453 else
4454 name_known = true;
4455
4456 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4457
4458 eir_len = eir_get_length(info->data, sizeof(info->data));
4459
4460 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4461 info->dev_class, info->rssi,
4462 flags, info->data, eir_len, NULL, 0);
4463 }
4464
4465 hci_dev_unlock(hdev);
4466 }
4467
4468 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4469 struct sk_buff *skb)
4470 {
4471 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4472 struct hci_conn *conn;
4473
4474 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4475 __le16_to_cpu(ev->handle));
4476
4477 hci_dev_lock(hdev);
4478
4479 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4480 if (!conn)
4481 goto unlock;
4482
4483 /* For BR/EDR the necessary steps are taken through the
4484 * auth_complete event.
4485 */
4486 if (conn->type != LE_LINK)
4487 goto unlock;
4488
4489 if (!ev->status)
4490 conn->sec_level = conn->pending_sec_level;
4491
4492 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4493
4494 if (ev->status && conn->state == BT_CONNECTED) {
4495 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4496 hci_conn_drop(conn);
4497 goto unlock;
4498 }
4499
4500 if (conn->state == BT_CONFIG) {
4501 if (!ev->status)
4502 conn->state = BT_CONNECTED;
4503
4504 hci_connect_cfm(conn, ev->status);
4505 hci_conn_drop(conn);
4506 } else {
4507 hci_auth_cfm(conn, ev->status);
4508
4509 hci_conn_hold(conn);
4510 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4511 hci_conn_drop(conn);
4512 }
4513
4514 unlock:
4515 hci_dev_unlock(hdev);
4516 }
4517
4518 static u8 hci_get_auth_req(struct hci_conn *conn)
4519 {
4520 /* If remote requests no-bonding follow that lead */
4521 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4522 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4523 return conn->remote_auth | (conn->auth_type & 0x01);
4524
4525 /* If both remote and local have enough IO capabilities, require
4526 * MITM protection
4527 */
4528 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4529 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4530 return conn->remote_auth | 0x01;
4531
4532 /* No MITM protection possible so ignore remote requirement */
4533 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4534 }
4535
4536 static u8 bredr_oob_data_present(struct hci_conn *conn)
4537 {
4538 struct hci_dev *hdev = conn->hdev;
4539 struct oob_data *data;
4540
4541 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4542 if (!data)
4543 return 0x00;
4544
4545 if (bredr_sc_enabled(hdev)) {
4546 /* When Secure Connections is enabled, then just
4547 * return the present value stored with the OOB
4548 * data. The stored value contains the right present
4549 * information. However it can only be trusted when
4550 * not in Secure Connection Only mode.
4551 */
4552 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4553 return data->present;
4554
4555 /* When Secure Connections Only mode is enabled, then
4556 * the P-256 values are required. If they are not
4557 * available, then do not declare that OOB data is
4558 * present.
4559 */
4560 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4561 !memcmp(data->hash256, ZERO_KEY, 16))
4562 return 0x00;
4563
4564 return 0x02;
4565 }
4566
4567 /* When Secure Connections is not enabled or actually
4568 * not supported by the hardware, then check that if
4569 * P-192 data values are present.
4570 */
4571 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4572 !memcmp(data->hash192, ZERO_KEY, 16))
4573 return 0x00;
4574
4575 return 0x01;
4576 }
4577
4578 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4579 {
4580 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4581 struct hci_conn *conn;
4582
4583 BT_DBG("%s", hdev->name);
4584
4585 hci_dev_lock(hdev);
4586
4587 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4588 if (!conn)
4589 goto unlock;
4590
4591 hci_conn_hold(conn);
4592
4593 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4594 goto unlock;
4595
4596 /* Allow pairing if we're pairable, the initiators of the
4597 * pairing or if the remote is not requesting bonding.
4598 */
4599 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4600 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4601 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4602 struct hci_cp_io_capability_reply cp;
4603
4604 bacpy(&cp.bdaddr, &ev->bdaddr);
4605 /* Change the IO capability from KeyboardDisplay
4606 * to DisplayYesNo as it is not supported by BT spec. */
4607 cp.capability = (conn->io_capability == 0x04) ?
4608 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4609
4610 /* If we are initiators, there is no remote information yet */
4611 if (conn->remote_auth == 0xff) {
4612 /* Request MITM protection if our IO caps allow it
4613 * except for the no-bonding case.
4614 */
4615 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4616 conn->auth_type != HCI_AT_NO_BONDING)
4617 conn->auth_type |= 0x01;
4618 } else {
4619 conn->auth_type = hci_get_auth_req(conn);
4620 }
4621
4622 /* If we're not bondable, force one of the non-bondable
4623 * authentication requirement values.
4624 */
4625 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4626 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4627
4628 cp.authentication = conn->auth_type;
4629 cp.oob_data = bredr_oob_data_present(conn);
4630
4631 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4632 sizeof(cp), &cp);
4633 } else {
4634 struct hci_cp_io_capability_neg_reply cp;
4635
4636 bacpy(&cp.bdaddr, &ev->bdaddr);
4637 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4638
4639 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4640 sizeof(cp), &cp);
4641 }
4642
4643 unlock:
4644 hci_dev_unlock(hdev);
4645 }
4646
4647 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4648 {
4649 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4650 struct hci_conn *conn;
4651
4652 BT_DBG("%s", hdev->name);
4653
4654 hci_dev_lock(hdev);
4655
4656 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4657 if (!conn)
4658 goto unlock;
4659
4660 conn->remote_cap = ev->capability;
4661 conn->remote_auth = ev->authentication;
4662
4663 unlock:
4664 hci_dev_unlock(hdev);
4665 }
4666
4667 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4668 struct sk_buff *skb)
4669 {
4670 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4671 int loc_mitm, rem_mitm, confirm_hint = 0;
4672 struct hci_conn *conn;
4673
4674 BT_DBG("%s", hdev->name);
4675
4676 hci_dev_lock(hdev);
4677
4678 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4679 goto unlock;
4680
4681 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4682 if (!conn)
4683 goto unlock;
4684
4685 loc_mitm = (conn->auth_type & 0x01);
4686 rem_mitm = (conn->remote_auth & 0x01);
4687
4688 /* If we require MITM but the remote device can't provide that
4689 * (it has NoInputNoOutput) then reject the confirmation
4690 * request. We check the security level here since it doesn't
4691 * necessarily match conn->auth_type.
4692 */
4693 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4694 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4695 BT_DBG("Rejecting request: remote device can't provide MITM");
4696 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4697 sizeof(ev->bdaddr), &ev->bdaddr);
4698 goto unlock;
4699 }
4700
4701 /* If no side requires MITM protection; auto-accept */
4702 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4703 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4704
4705 /* If we're not the initiators request authorization to
4706 * proceed from user space (mgmt_user_confirm with
4707 * confirm_hint set to 1). The exception is if neither
4708 * side had MITM or if the local IO capability is
4709 * NoInputNoOutput, in which case we do auto-accept
4710 */
4711 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4712 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4713 (loc_mitm || rem_mitm)) {
4714 BT_DBG("Confirming auto-accept as acceptor");
4715 confirm_hint = 1;
4716 goto confirm;
4717 }
4718
4719 /* If there already exists link key in local host, leave the
4720 * decision to user space since the remote device could be
4721 * legitimate or malicious.
4722 */
4723 if (hci_find_link_key(hdev, &ev->bdaddr)) {
4724 bt_dev_dbg(hdev, "Local host already has link key");
4725 confirm_hint = 1;
4726 goto confirm;
4727 }
4728
4729 BT_DBG("Auto-accept of user confirmation with %ums delay",
4730 hdev->auto_accept_delay);
4731
4732 if (hdev->auto_accept_delay > 0) {
4733 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4734 queue_delayed_work(conn->hdev->workqueue,
4735 &conn->auto_accept_work, delay);
4736 goto unlock;
4737 }
4738
4739 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4740 sizeof(ev->bdaddr), &ev->bdaddr);
4741 goto unlock;
4742 }
4743
4744 confirm:
4745 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4746 le32_to_cpu(ev->passkey), confirm_hint);
4747
4748 unlock:
4749 hci_dev_unlock(hdev);
4750 }
4751
4752 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4753 struct sk_buff *skb)
4754 {
4755 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4756
4757 BT_DBG("%s", hdev->name);
4758
4759 if (hci_dev_test_flag(hdev, HCI_MGMT))
4760 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4761 }
4762
4763 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4764 struct sk_buff *skb)
4765 {
4766 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4767 struct hci_conn *conn;
4768
4769 BT_DBG("%s", hdev->name);
4770
4771 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4772 if (!conn)
4773 return;
4774
4775 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4776 conn->passkey_entered = 0;
4777
4778 if (hci_dev_test_flag(hdev, HCI_MGMT))
4779 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4780 conn->dst_type, conn->passkey_notify,
4781 conn->passkey_entered);
4782 }
4783
4784 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4785 {
4786 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4787 struct hci_conn *conn;
4788
4789 BT_DBG("%s", hdev->name);
4790
4791 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4792 if (!conn)
4793 return;
4794
4795 switch (ev->type) {
4796 case HCI_KEYPRESS_STARTED:
4797 conn->passkey_entered = 0;
4798 return;
4799
4800 case HCI_KEYPRESS_ENTERED:
4801 conn->passkey_entered++;
4802 break;
4803
4804 case HCI_KEYPRESS_ERASED:
4805 conn->passkey_entered--;
4806 break;
4807
4808 case HCI_KEYPRESS_CLEARED:
4809 conn->passkey_entered = 0;
4810 break;
4811
4812 case HCI_KEYPRESS_COMPLETED:
4813 return;
4814 }
4815
4816 if (hci_dev_test_flag(hdev, HCI_MGMT))
4817 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4818 conn->dst_type, conn->passkey_notify,
4819 conn->passkey_entered);
4820 }
4821
4822 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4823 struct sk_buff *skb)
4824 {
4825 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4826 struct hci_conn *conn;
4827
4828 BT_DBG("%s", hdev->name);
4829
4830 hci_dev_lock(hdev);
4831
4832 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4833 if (!conn)
4834 goto unlock;
4835
4836 /* Reset the authentication requirement to unknown */
4837 conn->remote_auth = 0xff;
4838
4839 /* To avoid duplicate auth_failed events to user space we check
4840 * the HCI_CONN_AUTH_PEND flag which will be set if we
4841 * initiated the authentication. A traditional auth_complete
4842 * event gets always produced as initiator and is also mapped to
4843 * the mgmt_auth_failed event */
4844 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4845 mgmt_auth_failed(conn, ev->status);
4846
4847 hci_conn_drop(conn);
4848
4849 unlock:
4850 hci_dev_unlock(hdev);
4851 }
4852
4853 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4854 struct sk_buff *skb)
4855 {
4856 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4857 struct inquiry_entry *ie;
4858 struct hci_conn *conn;
4859
4860 BT_DBG("%s", hdev->name);
4861
4862 hci_dev_lock(hdev);
4863
4864 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4865 if (conn)
4866 memcpy(conn->features[1], ev->features, 8);
4867
4868 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4869 if (ie)
4870 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4871
4872 hci_dev_unlock(hdev);
4873 }
4874
4875 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4876 struct sk_buff *skb)
4877 {
4878 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4879 struct oob_data *data;
4880
4881 BT_DBG("%s", hdev->name);
4882
4883 hci_dev_lock(hdev);
4884
4885 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4886 goto unlock;
4887
4888 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4889 if (!data) {
4890 struct hci_cp_remote_oob_data_neg_reply cp;
4891
4892 bacpy(&cp.bdaddr, &ev->bdaddr);
4893 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4894 sizeof(cp), &cp);
4895 goto unlock;
4896 }
4897
4898 if (bredr_sc_enabled(hdev)) {
4899 struct hci_cp_remote_oob_ext_data_reply cp;
4900
4901 bacpy(&cp.bdaddr, &ev->bdaddr);
4902 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4903 memset(cp.hash192, 0, sizeof(cp.hash192));
4904 memset(cp.rand192, 0, sizeof(cp.rand192));
4905 } else {
4906 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4907 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4908 }
4909 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4910 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4911
4912 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4913 sizeof(cp), &cp);
4914 } else {
4915 struct hci_cp_remote_oob_data_reply cp;
4916
4917 bacpy(&cp.bdaddr, &ev->bdaddr);
4918 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4919 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4920
4921 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4922 sizeof(cp), &cp);
4923 }
4924
4925 unlock:
4926 hci_dev_unlock(hdev);
4927 }
4928
4929 #if IS_ENABLED(CONFIG_BT_HS)
4930 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4931 {
4932 struct hci_ev_channel_selected *ev = (void *)skb->data;
4933 struct hci_conn *hcon;
4934
4935 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4936
4937 skb_pull(skb, sizeof(*ev));
4938
4939 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4940 if (!hcon)
4941 return;
4942
4943 amp_read_loc_assoc_final_data(hdev, hcon);
4944 }
4945
4946 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4947 struct sk_buff *skb)
4948 {
4949 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4950 struct hci_conn *hcon, *bredr_hcon;
4951
4952 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4953 ev->status);
4954
4955 hci_dev_lock(hdev);
4956
4957 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4958 if (!hcon)
4959 goto unlock;
4960
4961 if (!hcon->amp_mgr)
4962 goto unlock;
4963
4964 if (ev->status) {
4965 hci_conn_del(hcon);
4966 goto unlock;
4967 }
4968
4969 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4970
4971 hcon->state = BT_CONNECTED;
4972 bacpy(&hcon->dst, &bredr_hcon->dst);
4973
4974 hci_conn_hold(hcon);
4975 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4976 hci_conn_drop(hcon);
4977
4978 hci_debugfs_create_conn(hcon);
4979 hci_conn_add_sysfs(hcon);
4980
4981 amp_physical_cfm(bredr_hcon, hcon);
4982
4983 unlock:
4984 hci_dev_unlock(hdev);
4985 }
4986
4987 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4988 {
4989 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4990 struct hci_conn *hcon;
4991 struct hci_chan *hchan;
4992 struct amp_mgr *mgr;
4993
4994 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4995 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4996 ev->status);
4997
4998 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4999 if (!hcon)
5000 return;
5001
5002 /* Create AMP hchan */
5003 hchan = hci_chan_create(hcon);
5004 if (!hchan)
5005 return;
5006
5007 hchan->handle = le16_to_cpu(ev->handle);
5008
5009 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5010
5011 mgr = hcon->amp_mgr;
5012 if (mgr && mgr->bredr_chan) {
5013 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5014
5015 l2cap_chan_lock(bredr_chan);
5016
5017 bredr_chan->conn->mtu = hdev->block_mtu;
5018 l2cap_logical_cfm(bredr_chan, hchan, 0);
5019 hci_conn_hold(hcon);
5020
5021 l2cap_chan_unlock(bredr_chan);
5022 }
5023 }
5024
5025 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
5026 struct sk_buff *skb)
5027 {
5028 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
5029 struct hci_chan *hchan;
5030
5031 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
5032 le16_to_cpu(ev->handle), ev->status);
5033
5034 if (ev->status)
5035 return;
5036
5037 hci_dev_lock(hdev);
5038
5039 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5040 if (!hchan)
5041 goto unlock;
5042
5043 amp_destroy_logical_link(hchan, ev->reason);
5044
5045 unlock:
5046 hci_dev_unlock(hdev);
5047 }
5048
5049 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
5050 struct sk_buff *skb)
5051 {
5052 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
5053 struct hci_conn *hcon;
5054
5055 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5056
5057 if (ev->status)
5058 return;
5059
5060 hci_dev_lock(hdev);
5061
5062 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5063 if (hcon) {
5064 hcon->state = BT_CLOSED;
5065 hci_conn_del(hcon);
5066 }
5067
5068 hci_dev_unlock(hdev);
5069 }
5070 #endif
5071
5072 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5073 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
5074 u16 interval, u16 latency, u16 supervision_timeout)
5075 {
5076 struct hci_conn_params *params;
5077 struct hci_conn *conn;
5078 struct smp_irk *irk;
5079 u8 addr_type;
5080
5081 hci_dev_lock(hdev);
5082
5083 /* All controllers implicitly stop advertising in the event of a
5084 * connection, so ensure that the state bit is cleared.
5085 */
5086 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5087
5088 conn = hci_lookup_le_connect(hdev);
5089 if (!conn) {
5090 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5091 if (!conn) {
5092 bt_dev_err(hdev, "no memory for new connection");
5093 goto unlock;
5094 }
5095
5096 conn->dst_type = bdaddr_type;
5097
5098 /* If we didn't have a hci_conn object previously
5099 * but we're in master role this must be something
5100 * initiated using a white list. Since white list based
5101 * connections are not "first class citizens" we don't
5102 * have full tracking of them. Therefore, we go ahead
5103 * with a "best effort" approach of determining the
5104 * initiator address based on the HCI_PRIVACY flag.
5105 */
5106 if (conn->out) {
5107 conn->resp_addr_type = bdaddr_type;
5108 bacpy(&conn->resp_addr, bdaddr);
5109 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5110 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5111 bacpy(&conn->init_addr, &hdev->rpa);
5112 } else {
5113 hci_copy_identity_address(hdev,
5114 &conn->init_addr,
5115 &conn->init_addr_type);
5116 }
5117 }
5118 } else {
5119 cancel_delayed_work(&conn->le_conn_timeout);
5120 }
5121
5122 if (!conn->out) {
5123 /* Set the responder (our side) address type based on
5124 * the advertising address type.
5125 */
5126 conn->resp_addr_type = hdev->adv_addr_type;
5127 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5128 /* In case of ext adv, resp_addr will be updated in
5129 * Adv Terminated event.
5130 */
5131 if (!ext_adv_capable(hdev))
5132 bacpy(&conn->resp_addr, &hdev->random_addr);
5133 } else {
5134 bacpy(&conn->resp_addr, &hdev->bdaddr);
5135 }
5136
5137 conn->init_addr_type = bdaddr_type;
5138 bacpy(&conn->init_addr, bdaddr);
5139
5140 /* For incoming connections, set the default minimum
5141 * and maximum connection interval. They will be used
5142 * to check if the parameters are in range and if not
5143 * trigger the connection update procedure.
5144 */
5145 conn->le_conn_min_interval = hdev->le_conn_min_interval;
5146 conn->le_conn_max_interval = hdev->le_conn_max_interval;
5147 }
5148
5149 /* Lookup the identity address from the stored connection
5150 * address and address type.
5151 *
5152 * When establishing connections to an identity address, the
5153 * connection procedure will store the resolvable random
5154 * address first. Now if it can be converted back into the
5155 * identity address, start using the identity address from
5156 * now on.
5157 */
5158 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5159 if (irk) {
5160 bacpy(&conn->dst, &irk->bdaddr);
5161 conn->dst_type = irk->addr_type;
5162 }
5163
5164 if (status) {
5165 hci_le_conn_failed(conn, status);
5166 goto unlock;
5167 }
5168
5169 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5170 addr_type = BDADDR_LE_PUBLIC;
5171 else
5172 addr_type = BDADDR_LE_RANDOM;
5173
5174 /* Drop the connection if the device is blocked */
5175 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5176 hci_conn_drop(conn);
5177 goto unlock;
5178 }
5179
5180 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5181 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5182
5183 conn->sec_level = BT_SECURITY_LOW;
5184 conn->handle = handle;
5185 conn->state = BT_CONFIG;
5186
5187 conn->le_conn_interval = interval;
5188 conn->le_conn_latency = latency;
5189 conn->le_supv_timeout = supervision_timeout;
5190
5191 hci_debugfs_create_conn(conn);
5192 hci_conn_add_sysfs(conn);
5193
5194 /* The remote features procedure is defined for master
5195 * role only. So only in case of an initiated connection
5196 * request the remote features.
5197 *
5198 * If the local controller supports slave-initiated features
5199 * exchange, then requesting the remote features in slave
5200 * role is possible. Otherwise just transition into the
5201 * connected state without requesting the remote features.
5202 */
5203 if (conn->out ||
5204 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5205 struct hci_cp_le_read_remote_features cp;
5206
5207 cp.handle = __cpu_to_le16(conn->handle);
5208
5209 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5210 sizeof(cp), &cp);
5211
5212 hci_conn_hold(conn);
5213 } else {
5214 conn->state = BT_CONNECTED;
5215 hci_connect_cfm(conn, status);
5216 }
5217
5218 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5219 conn->dst_type);
5220 if (params) {
5221 list_del_init(&params->action);
5222 if (params->conn) {
5223 hci_conn_drop(params->conn);
5224 hci_conn_put(params->conn);
5225 params->conn = NULL;
5226 }
5227 }
5228
5229 unlock:
5230 hci_update_background_scan(hdev);
5231 hci_dev_unlock(hdev);
5232 }
5233
5234 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5235 {
5236 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5237
5238 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5239
5240 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5241 ev->role, le16_to_cpu(ev->handle),
5242 le16_to_cpu(ev->interval),
5243 le16_to_cpu(ev->latency),
5244 le16_to_cpu(ev->supervision_timeout));
5245 }
5246
5247 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5248 struct sk_buff *skb)
5249 {
5250 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5251
5252 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5253
5254 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5255 ev->role, le16_to_cpu(ev->handle),
5256 le16_to_cpu(ev->interval),
5257 le16_to_cpu(ev->latency),
5258 le16_to_cpu(ev->supervision_timeout));
5259
5260 if (use_ll_privacy(hdev) &&
5261 hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&
5262 hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
5263 hci_req_disable_address_resolution(hdev);
5264 }
5265
5266 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5267 {
5268 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5269 struct hci_conn *conn;
5270
5271 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5272
5273 if (ev->status)
5274 return;
5275
5276 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5277 if (conn) {
5278 struct adv_info *adv_instance;
5279
5280 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5281 return;
5282
5283 if (!hdev->cur_adv_instance) {
5284 bacpy(&conn->resp_addr, &hdev->random_addr);
5285 return;
5286 }
5287
5288 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5289 if (adv_instance)
5290 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5291 }
5292 }
5293
5294 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5295 struct sk_buff *skb)
5296 {
5297 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5298 struct hci_conn *conn;
5299
5300 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5301
5302 if (ev->status)
5303 return;
5304
5305 hci_dev_lock(hdev);
5306
5307 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5308 if (conn) {
5309 conn->le_conn_interval = le16_to_cpu(ev->interval);
5310 conn->le_conn_latency = le16_to_cpu(ev->latency);
5311 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5312 }
5313
5314 hci_dev_unlock(hdev);
5315 }
5316
5317 /* This function requires the caller holds hdev->lock */
5318 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5319 bdaddr_t *addr,
5320 u8 addr_type, u8 adv_type,
5321 bdaddr_t *direct_rpa)
5322 {
5323 struct hci_conn *conn;
5324 struct hci_conn_params *params;
5325
5326 /* If the event is not connectable don't proceed further */
5327 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5328 return NULL;
5329
5330 /* Ignore if the device is blocked */
5331 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5332 return NULL;
5333
5334 /* Most controller will fail if we try to create new connections
5335 * while we have an existing one in slave role.
5336 */
5337 if (hdev->conn_hash.le_num_slave > 0 &&
5338 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5339 !(hdev->le_states[3] & 0x10)))
5340 return NULL;
5341
5342 /* If we're not connectable only connect devices that we have in
5343 * our pend_le_conns list.
5344 */
5345 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5346 addr_type);
5347 if (!params)
5348 return NULL;
5349
5350 if (!params->explicit_connect) {
5351 switch (params->auto_connect) {
5352 case HCI_AUTO_CONN_DIRECT:
5353 /* Only devices advertising with ADV_DIRECT_IND are
5354 * triggering a connection attempt. This is allowing
5355 * incoming connections from slave devices.
5356 */
5357 if (adv_type != LE_ADV_DIRECT_IND)
5358 return NULL;
5359 break;
5360 case HCI_AUTO_CONN_ALWAYS:
5361 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5362 * are triggering a connection attempt. This means
5363 * that incoming connections from slave device are
5364 * accepted and also outgoing connections to slave
5365 * devices are established when found.
5366 */
5367 break;
5368 default:
5369 return NULL;
5370 }
5371 }
5372
5373 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5374 hdev->def_le_autoconnect_timeout, HCI_ROLE_MASTER,
5375 direct_rpa);
5376 if (!IS_ERR(conn)) {
5377 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5378 * by higher layer that tried to connect, if no then
5379 * store the pointer since we don't really have any
5380 * other owner of the object besides the params that
5381 * triggered it. This way we can abort the connection if
5382 * the parameters get removed and keep the reference
5383 * count consistent once the connection is established.
5384 */
5385
5386 if (!params->explicit_connect)
5387 params->conn = hci_conn_get(conn);
5388
5389 return conn;
5390 }
5391
5392 switch (PTR_ERR(conn)) {
5393 case -EBUSY:
5394 /* If hci_connect() returns -EBUSY it means there is already
5395 * an LE connection attempt going on. Since controllers don't
5396 * support more than one connection attempt at the time, we
5397 * don't consider this an error case.
5398 */
5399 break;
5400 default:
5401 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5402 return NULL;
5403 }
5404
5405 return NULL;
5406 }
5407
5408 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5409 u8 bdaddr_type, bdaddr_t *direct_addr,
5410 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
5411 bool ext_adv)
5412 {
5413 struct discovery_state *d = &hdev->discovery;
5414 struct smp_irk *irk;
5415 struct hci_conn *conn;
5416 bool match;
5417 u32 flags;
5418 u8 *ptr, real_len;
5419
5420 switch (type) {
5421 case LE_ADV_IND:
5422 case LE_ADV_DIRECT_IND:
5423 case LE_ADV_SCAN_IND:
5424 case LE_ADV_NONCONN_IND:
5425 case LE_ADV_SCAN_RSP:
5426 break;
5427 default:
5428 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5429 "type: 0x%02x", type);
5430 return;
5431 }
5432
5433 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
5434 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
5435 return;
5436 }
5437
5438 /* Find the end of the data in case the report contains padded zero
5439 * bytes at the end causing an invalid length value.
5440 *
5441 * When data is NULL, len is 0 so there is no need for extra ptr
5442 * check as 'ptr < data + 0' is already false in such case.
5443 */
5444 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5445 if (ptr + 1 + *ptr > data + len)
5446 break;
5447 }
5448
5449 real_len = ptr - data;
5450
5451 /* Adjust for actual length */
5452 if (len != real_len) {
5453 bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u",
5454 len, real_len);
5455 len = real_len;
5456 }
5457
5458 /* If the direct address is present, then this report is from
5459 * a LE Direct Advertising Report event. In that case it is
5460 * important to see if the address is matching the local
5461 * controller address.
5462 */
5463 if (direct_addr) {
5464 /* Only resolvable random addresses are valid for these
5465 * kind of reports and others can be ignored.
5466 */
5467 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5468 return;
5469
5470 /* If the controller is not using resolvable random
5471 * addresses, then this report can be ignored.
5472 */
5473 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5474 return;
5475
5476 /* If the local IRK of the controller does not match
5477 * with the resolvable random address provided, then
5478 * this report can be ignored.
5479 */
5480 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5481 return;
5482 }
5483
5484 /* Check if we need to convert to identity address */
5485 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5486 if (irk) {
5487 bdaddr = &irk->bdaddr;
5488 bdaddr_type = irk->addr_type;
5489 }
5490
5491 /* Check if we have been requested to connect to this device.
5492 *
5493 * direct_addr is set only for directed advertising reports (it is NULL
5494 * for advertising reports) and is already verified to be RPA above.
5495 */
5496 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5497 direct_addr);
5498 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
5499 /* Store report for later inclusion by
5500 * mgmt_device_connected
5501 */
5502 memcpy(conn->le_adv_data, data, len);
5503 conn->le_adv_data_len = len;
5504 }
5505
5506 /* Passive scanning shouldn't trigger any device found events,
5507 * except for devices marked as CONN_REPORT for which we do send
5508 * device found events, or advertisement monitoring requested.
5509 */
5510 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5511 if (type == LE_ADV_DIRECT_IND)
5512 return;
5513
5514 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5515 bdaddr, bdaddr_type) &&
5516 idr_is_empty(&hdev->adv_monitors_idr))
5517 return;
5518
5519 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5520 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5521 else
5522 flags = 0;
5523 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5524 rssi, flags, data, len, NULL, 0);
5525 return;
5526 }
5527
5528 /* When receiving non-connectable or scannable undirected
5529 * advertising reports, this means that the remote device is
5530 * not connectable and then clearly indicate this in the
5531 * device found event.
5532 *
5533 * When receiving a scan response, then there is no way to
5534 * know if the remote device is connectable or not. However
5535 * since scan responses are merged with a previously seen
5536 * advertising report, the flags field from that report
5537 * will be used.
5538 *
5539 * In the really unlikely case that a controller get confused
5540 * and just sends a scan response event, then it is marked as
5541 * not connectable as well.
5542 */
5543 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5544 type == LE_ADV_SCAN_RSP)
5545 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5546 else
5547 flags = 0;
5548
5549 /* If there's nothing pending either store the data from this
5550 * event or send an immediate device found event if the data
5551 * should not be stored for later.
5552 */
5553 if (!ext_adv && !has_pending_adv_report(hdev)) {
5554 /* If the report will trigger a SCAN_REQ store it for
5555 * later merging.
5556 */
5557 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5558 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5559 rssi, flags, data, len);
5560 return;
5561 }
5562
5563 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5564 rssi, flags, data, len, NULL, 0);
5565 return;
5566 }
5567
5568 /* Check if the pending report is for the same device as the new one */
5569 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5570 bdaddr_type == d->last_adv_addr_type);
5571
5572 /* If the pending data doesn't match this report or this isn't a
5573 * scan response (e.g. we got a duplicate ADV_IND) then force
5574 * sending of the pending data.
5575 */
5576 if (type != LE_ADV_SCAN_RSP || !match) {
5577 /* Send out whatever is in the cache, but skip duplicates */
5578 if (!match)
5579 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5580 d->last_adv_addr_type, NULL,
5581 d->last_adv_rssi, d->last_adv_flags,
5582 d->last_adv_data,
5583 d->last_adv_data_len, NULL, 0);
5584
5585 /* If the new report will trigger a SCAN_REQ store it for
5586 * later merging.
5587 */
5588 if (!ext_adv && (type == LE_ADV_IND ||
5589 type == LE_ADV_SCAN_IND)) {
5590 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5591 rssi, flags, data, len);
5592 return;
5593 }
5594
5595 /* The advertising reports cannot be merged, so clear
5596 * the pending report and send out a device found event.
5597 */
5598 clear_pending_adv_report(hdev);
5599 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5600 rssi, flags, data, len, NULL, 0);
5601 return;
5602 }
5603
5604 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5605 * the new event is a SCAN_RSP. We can therefore proceed with
5606 * sending a merged device found event.
5607 */
5608 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5609 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5610 d->last_adv_data, d->last_adv_data_len, data, len);
5611 clear_pending_adv_report(hdev);
5612 }
5613
5614 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5615 {
5616 u8 num_reports = skb->data[0];
5617 void *ptr = &skb->data[1];
5618
5619 hci_dev_lock(hdev);
5620
5621 while (num_reports--) {
5622 struct hci_ev_le_advertising_info *ev = ptr;
5623 s8 rssi;
5624
5625 if (ev->length <= HCI_MAX_AD_LENGTH) {
5626 rssi = ev->data[ev->length];
5627 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5628 ev->bdaddr_type, NULL, 0, rssi,
5629 ev->data, ev->length, false);
5630 } else {
5631 bt_dev_err(hdev, "Dropping invalid advertising data");
5632 }
5633
5634 ptr += sizeof(*ev) + ev->length + 1;
5635 }
5636
5637 hci_dev_unlock(hdev);
5638 }
5639
5640 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
5641 {
5642 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5643 switch (evt_type) {
5644 case LE_LEGACY_ADV_IND:
5645 return LE_ADV_IND;
5646 case LE_LEGACY_ADV_DIRECT_IND:
5647 return LE_ADV_DIRECT_IND;
5648 case LE_LEGACY_ADV_SCAN_IND:
5649 return LE_ADV_SCAN_IND;
5650 case LE_LEGACY_NONCONN_IND:
5651 return LE_ADV_NONCONN_IND;
5652 case LE_LEGACY_SCAN_RSP_ADV:
5653 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5654 return LE_ADV_SCAN_RSP;
5655 }
5656
5657 goto invalid;
5658 }
5659
5660 if (evt_type & LE_EXT_ADV_CONN_IND) {
5661 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5662 return LE_ADV_DIRECT_IND;
5663
5664 return LE_ADV_IND;
5665 }
5666
5667 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5668 return LE_ADV_SCAN_RSP;
5669
5670 if (evt_type & LE_EXT_ADV_SCAN_IND)
5671 return LE_ADV_SCAN_IND;
5672
5673 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5674 evt_type & LE_EXT_ADV_DIRECT_IND)
5675 return LE_ADV_NONCONN_IND;
5676
5677 invalid:
5678 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
5679 evt_type);
5680
5681 return LE_ADV_INVALID;
5682 }
5683
5684 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5685 {
5686 u8 num_reports = skb->data[0];
5687 void *ptr = &skb->data[1];
5688
5689 hci_dev_lock(hdev);
5690
5691 while (num_reports--) {
5692 struct hci_ev_le_ext_adv_report *ev = ptr;
5693 u8 legacy_evt_type;
5694 u16 evt_type;
5695
5696 evt_type = __le16_to_cpu(ev->evt_type);
5697 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
5698 if (legacy_evt_type != LE_ADV_INVALID) {
5699 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5700 ev->bdaddr_type, NULL, 0, ev->rssi,
5701 ev->data, ev->length,
5702 !(evt_type & LE_EXT_ADV_LEGACY_PDU));
5703 }
5704
5705 ptr += sizeof(*ev) + ev->length;
5706 }
5707
5708 hci_dev_unlock(hdev);
5709 }
5710
5711 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5712 struct sk_buff *skb)
5713 {
5714 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5715 struct hci_conn *conn;
5716
5717 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5718
5719 hci_dev_lock(hdev);
5720
5721 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5722 if (conn) {
5723 if (!ev->status)
5724 memcpy(conn->features[0], ev->features, 8);
5725
5726 if (conn->state == BT_CONFIG) {
5727 __u8 status;
5728
5729 /* If the local controller supports slave-initiated
5730 * features exchange, but the remote controller does
5731 * not, then it is possible that the error code 0x1a
5732 * for unsupported remote feature gets returned.
5733 *
5734 * In this specific case, allow the connection to
5735 * transition into connected state and mark it as
5736 * successful.
5737 */
5738 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5739 !conn->out && ev->status == 0x1a)
5740 status = 0x00;
5741 else
5742 status = ev->status;
5743
5744 conn->state = BT_CONNECTED;
5745 hci_connect_cfm(conn, status);
5746 hci_conn_drop(conn);
5747 }
5748 }
5749
5750 hci_dev_unlock(hdev);
5751 }
5752
5753 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5754 {
5755 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5756 struct hci_cp_le_ltk_reply cp;
5757 struct hci_cp_le_ltk_neg_reply neg;
5758 struct hci_conn *conn;
5759 struct smp_ltk *ltk;
5760
5761 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5762
5763 hci_dev_lock(hdev);
5764
5765 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5766 if (conn == NULL)
5767 goto not_found;
5768
5769 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5770 if (!ltk)
5771 goto not_found;
5772
5773 if (smp_ltk_is_sc(ltk)) {
5774 /* With SC both EDiv and Rand are set to zero */
5775 if (ev->ediv || ev->rand)
5776 goto not_found;
5777 } else {
5778 /* For non-SC keys check that EDiv and Rand match */
5779 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5780 goto not_found;
5781 }
5782
5783 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5784 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5785 cp.handle = cpu_to_le16(conn->handle);
5786
5787 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5788
5789 conn->enc_key_size = ltk->enc_size;
5790
5791 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5792
5793 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5794 * temporary key used to encrypt a connection following
5795 * pairing. It is used during the Encrypted Session Setup to
5796 * distribute the keys. Later, security can be re-established
5797 * using a distributed LTK.
5798 */
5799 if (ltk->type == SMP_STK) {
5800 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5801 list_del_rcu(&ltk->list);
5802 kfree_rcu(ltk, rcu);
5803 } else {
5804 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5805 }
5806
5807 hci_dev_unlock(hdev);
5808
5809 return;
5810
5811 not_found:
5812 neg.handle = ev->handle;
5813 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5814 hci_dev_unlock(hdev);
5815 }
5816
5817 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5818 u8 reason)
5819 {
5820 struct hci_cp_le_conn_param_req_neg_reply cp;
5821
5822 cp.handle = cpu_to_le16(handle);
5823 cp.reason = reason;
5824
5825 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5826 &cp);
5827 }
5828
5829 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5830 struct sk_buff *skb)
5831 {
5832 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5833 struct hci_cp_le_conn_param_req_reply cp;
5834 struct hci_conn *hcon;
5835 u16 handle, min, max, latency, timeout;
5836
5837 handle = le16_to_cpu(ev->handle);
5838 min = le16_to_cpu(ev->interval_min);
5839 max = le16_to_cpu(ev->interval_max);
5840 latency = le16_to_cpu(ev->latency);
5841 timeout = le16_to_cpu(ev->timeout);
5842
5843 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5844 if (!hcon || hcon->state != BT_CONNECTED)
5845 return send_conn_param_neg_reply(hdev, handle,
5846 HCI_ERROR_UNKNOWN_CONN_ID);
5847
5848 if (hci_check_conn_params(min, max, latency, timeout))
5849 return send_conn_param_neg_reply(hdev, handle,
5850 HCI_ERROR_INVALID_LL_PARAMS);
5851
5852 if (hcon->role == HCI_ROLE_MASTER) {
5853 struct hci_conn_params *params;
5854 u8 store_hint;
5855
5856 hci_dev_lock(hdev);
5857
5858 params = hci_conn_params_lookup(hdev, &hcon->dst,
5859 hcon->dst_type);
5860 if (params) {
5861 params->conn_min_interval = min;
5862 params->conn_max_interval = max;
5863 params->conn_latency = latency;
5864 params->supervision_timeout = timeout;
5865 store_hint = 0x01;
5866 } else{
5867 store_hint = 0x00;
5868 }
5869
5870 hci_dev_unlock(hdev);
5871
5872 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5873 store_hint, min, max, latency, timeout);
5874 }
5875
5876 cp.handle = ev->handle;
5877 cp.interval_min = ev->interval_min;
5878 cp.interval_max = ev->interval_max;
5879 cp.latency = ev->latency;
5880 cp.timeout = ev->timeout;
5881 cp.min_ce_len = 0;
5882 cp.max_ce_len = 0;
5883
5884 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5885 }
5886
5887 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5888 struct sk_buff *skb)
5889 {
5890 u8 num_reports = skb->data[0];
5891 struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
5892
5893 if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
5894 return;
5895
5896 hci_dev_lock(hdev);
5897
5898 for (; num_reports; num_reports--, ev++)
5899 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5900 ev->bdaddr_type, &ev->direct_addr,
5901 ev->direct_addr_type, ev->rssi, NULL, 0,
5902 false);
5903
5904 hci_dev_unlock(hdev);
5905 }
5906
5907 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
5908 {
5909 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
5910 struct hci_conn *conn;
5911
5912 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5913
5914 if (!ev->status)
5915 return;
5916
5917 hci_dev_lock(hdev);
5918
5919 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5920 if (!conn)
5921 goto unlock;
5922
5923 conn->le_tx_phy = ev->tx_phy;
5924 conn->le_rx_phy = ev->rx_phy;
5925
5926 unlock:
5927 hci_dev_unlock(hdev);
5928 }
5929
5930 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5931 {
5932 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5933
5934 skb_pull(skb, sizeof(*le_ev));
5935
5936 switch (le_ev->subevent) {
5937 case HCI_EV_LE_CONN_COMPLETE:
5938 hci_le_conn_complete_evt(hdev, skb);
5939 break;
5940
5941 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5942 hci_le_conn_update_complete_evt(hdev, skb);
5943 break;
5944
5945 case HCI_EV_LE_ADVERTISING_REPORT:
5946 hci_le_adv_report_evt(hdev, skb);
5947 break;
5948
5949 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5950 hci_le_remote_feat_complete_evt(hdev, skb);
5951 break;
5952
5953 case HCI_EV_LE_LTK_REQ:
5954 hci_le_ltk_request_evt(hdev, skb);
5955 break;
5956
5957 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5958 hci_le_remote_conn_param_req_evt(hdev, skb);
5959 break;
5960
5961 case HCI_EV_LE_DIRECT_ADV_REPORT:
5962 hci_le_direct_adv_report_evt(hdev, skb);
5963 break;
5964
5965 case HCI_EV_LE_PHY_UPDATE_COMPLETE:
5966 hci_le_phy_update_evt(hdev, skb);
5967 break;
5968
5969 case HCI_EV_LE_EXT_ADV_REPORT:
5970 hci_le_ext_adv_report_evt(hdev, skb);
5971 break;
5972
5973 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5974 hci_le_enh_conn_complete_evt(hdev, skb);
5975 break;
5976
5977 case HCI_EV_LE_EXT_ADV_SET_TERM:
5978 hci_le_ext_adv_term_evt(hdev, skb);
5979 break;
5980
5981 default:
5982 break;
5983 }
5984 }
5985
5986 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5987 u8 event, struct sk_buff *skb)
5988 {
5989 struct hci_ev_cmd_complete *ev;
5990 struct hci_event_hdr *hdr;
5991
5992 if (!skb)
5993 return false;
5994
5995 if (skb->len < sizeof(*hdr)) {
5996 bt_dev_err(hdev, "too short HCI event");
5997 return false;
5998 }
5999
6000 hdr = (void *) skb->data;
6001 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6002
6003 if (event) {
6004 if (hdr->evt != event)
6005 return false;
6006 return true;
6007 }
6008
6009 /* Check if request ended in Command Status - no way to retreive
6010 * any extra parameters in this case.
6011 */
6012 if (hdr->evt == HCI_EV_CMD_STATUS)
6013 return false;
6014
6015 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
6016 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
6017 hdr->evt);
6018 return false;
6019 }
6020
6021 if (skb->len < sizeof(*ev)) {
6022 bt_dev_err(hdev, "too short cmd_complete event");
6023 return false;
6024 }
6025
6026 ev = (void *) skb->data;
6027 skb_pull(skb, sizeof(*ev));
6028
6029 if (opcode != __le16_to_cpu(ev->opcode)) {
6030 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
6031 __le16_to_cpu(ev->opcode));
6032 return false;
6033 }
6034
6035 return true;
6036 }
6037
6038 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
6039 struct sk_buff *skb)
6040 {
6041 struct hci_ev_le_advertising_info *adv;
6042 struct hci_ev_le_direct_adv_info *direct_adv;
6043 struct hci_ev_le_ext_adv_report *ext_adv;
6044 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
6045 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
6046
6047 hci_dev_lock(hdev);
6048
6049 /* If we are currently suspended and this is the first BT event seen,
6050 * save the wake reason associated with the event.
6051 */
6052 if (!hdev->suspended || hdev->wake_reason)
6053 goto unlock;
6054
6055 /* Default to remote wake. Values for wake_reason are documented in the
6056 * Bluez mgmt api docs.
6057 */
6058 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
6059
6060 /* Once configured for remote wakeup, we should only wake up for
6061 * reconnections. It's useful to see which device is waking us up so
6062 * keep track of the bdaddr of the connection event that woke us up.
6063 */
6064 if (event == HCI_EV_CONN_REQUEST) {
6065 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
6066 hdev->wake_addr_type = BDADDR_BREDR;
6067 } else if (event == HCI_EV_CONN_COMPLETE) {
6068 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
6069 hdev->wake_addr_type = BDADDR_BREDR;
6070 } else if (event == HCI_EV_LE_META) {
6071 struct hci_ev_le_meta *le_ev = (void *)skb->data;
6072 u8 subevent = le_ev->subevent;
6073 u8 *ptr = &skb->data[sizeof(*le_ev)];
6074 u8 num_reports = *ptr;
6075
6076 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
6077 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
6078 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
6079 num_reports) {
6080 adv = (void *)(ptr + 1);
6081 direct_adv = (void *)(ptr + 1);
6082 ext_adv = (void *)(ptr + 1);
6083
6084 switch (subevent) {
6085 case HCI_EV_LE_ADVERTISING_REPORT:
6086 bacpy(&hdev->wake_addr, &adv->bdaddr);
6087 hdev->wake_addr_type = adv->bdaddr_type;
6088 break;
6089 case HCI_EV_LE_DIRECT_ADV_REPORT:
6090 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
6091 hdev->wake_addr_type = direct_adv->bdaddr_type;
6092 break;
6093 case HCI_EV_LE_EXT_ADV_REPORT:
6094 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
6095 hdev->wake_addr_type = ext_adv->bdaddr_type;
6096 break;
6097 }
6098 }
6099 } else {
6100 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
6101 }
6102
6103 unlock:
6104 hci_dev_unlock(hdev);
6105 }
6106
6107 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
6108 {
6109 struct hci_event_hdr *hdr = (void *) skb->data;
6110 hci_req_complete_t req_complete = NULL;
6111 hci_req_complete_skb_t req_complete_skb = NULL;
6112 struct sk_buff *orig_skb = NULL;
6113 u8 status = 0, event = hdr->evt, req_evt = 0;
6114 u16 opcode = HCI_OP_NOP;
6115
6116 if (!event) {
6117 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
6118 goto done;
6119 }
6120
6121 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
6122 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
6123 opcode = __le16_to_cpu(cmd_hdr->opcode);
6124 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
6125 &req_complete_skb);
6126 req_evt = event;
6127 }
6128
6129 /* If it looks like we might end up having to call
6130 * req_complete_skb, store a pristine copy of the skb since the
6131 * various handlers may modify the original one through
6132 * skb_pull() calls, etc.
6133 */
6134 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
6135 event == HCI_EV_CMD_COMPLETE)
6136 orig_skb = skb_clone(skb, GFP_KERNEL);
6137
6138 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6139
6140 /* Store wake reason if we're suspended */
6141 hci_store_wake_reason(hdev, event, skb);
6142
6143 switch (event) {
6144 case HCI_EV_INQUIRY_COMPLETE:
6145 hci_inquiry_complete_evt(hdev, skb);
6146 break;
6147
6148 case HCI_EV_INQUIRY_RESULT:
6149 hci_inquiry_result_evt(hdev, skb);
6150 break;
6151
6152 case HCI_EV_CONN_COMPLETE:
6153 hci_conn_complete_evt(hdev, skb);
6154 break;
6155
6156 case HCI_EV_CONN_REQUEST:
6157 hci_conn_request_evt(hdev, skb);
6158 break;
6159
6160 case HCI_EV_DISCONN_COMPLETE:
6161 hci_disconn_complete_evt(hdev, skb);
6162 break;
6163
6164 case HCI_EV_AUTH_COMPLETE:
6165 hci_auth_complete_evt(hdev, skb);
6166 break;
6167
6168 case HCI_EV_REMOTE_NAME:
6169 hci_remote_name_evt(hdev, skb);
6170 break;
6171
6172 case HCI_EV_ENCRYPT_CHANGE:
6173 hci_encrypt_change_evt(hdev, skb);
6174 break;
6175
6176 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6177 hci_change_link_key_complete_evt(hdev, skb);
6178 break;
6179
6180 case HCI_EV_REMOTE_FEATURES:
6181 hci_remote_features_evt(hdev, skb);
6182 break;
6183
6184 case HCI_EV_CMD_COMPLETE:
6185 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6186 &req_complete, &req_complete_skb);
6187 break;
6188
6189 case HCI_EV_CMD_STATUS:
6190 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6191 &req_complete_skb);
6192 break;
6193
6194 case HCI_EV_HARDWARE_ERROR:
6195 hci_hardware_error_evt(hdev, skb);
6196 break;
6197
6198 case HCI_EV_ROLE_CHANGE:
6199 hci_role_change_evt(hdev, skb);
6200 break;
6201
6202 case HCI_EV_NUM_COMP_PKTS:
6203 hci_num_comp_pkts_evt(hdev, skb);
6204 break;
6205
6206 case HCI_EV_MODE_CHANGE:
6207 hci_mode_change_evt(hdev, skb);
6208 break;
6209
6210 case HCI_EV_PIN_CODE_REQ:
6211 hci_pin_code_request_evt(hdev, skb);
6212 break;
6213
6214 case HCI_EV_LINK_KEY_REQ:
6215 hci_link_key_request_evt(hdev, skb);
6216 break;
6217
6218 case HCI_EV_LINK_KEY_NOTIFY:
6219 hci_link_key_notify_evt(hdev, skb);
6220 break;
6221
6222 case HCI_EV_CLOCK_OFFSET:
6223 hci_clock_offset_evt(hdev, skb);
6224 break;
6225
6226 case HCI_EV_PKT_TYPE_CHANGE:
6227 hci_pkt_type_change_evt(hdev, skb);
6228 break;
6229
6230 case HCI_EV_PSCAN_REP_MODE:
6231 hci_pscan_rep_mode_evt(hdev, skb);
6232 break;
6233
6234 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6235 hci_inquiry_result_with_rssi_evt(hdev, skb);
6236 break;
6237
6238 case HCI_EV_REMOTE_EXT_FEATURES:
6239 hci_remote_ext_features_evt(hdev, skb);
6240 break;
6241
6242 case HCI_EV_SYNC_CONN_COMPLETE:
6243 hci_sync_conn_complete_evt(hdev, skb);
6244 break;
6245
6246 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6247 hci_extended_inquiry_result_evt(hdev, skb);
6248 break;
6249
6250 case HCI_EV_KEY_REFRESH_COMPLETE:
6251 hci_key_refresh_complete_evt(hdev, skb);
6252 break;
6253
6254 case HCI_EV_IO_CAPA_REQUEST:
6255 hci_io_capa_request_evt(hdev, skb);
6256 break;
6257
6258 case HCI_EV_IO_CAPA_REPLY:
6259 hci_io_capa_reply_evt(hdev, skb);
6260 break;
6261
6262 case HCI_EV_USER_CONFIRM_REQUEST:
6263 hci_user_confirm_request_evt(hdev, skb);
6264 break;
6265
6266 case HCI_EV_USER_PASSKEY_REQUEST:
6267 hci_user_passkey_request_evt(hdev, skb);
6268 break;
6269
6270 case HCI_EV_USER_PASSKEY_NOTIFY:
6271 hci_user_passkey_notify_evt(hdev, skb);
6272 break;
6273
6274 case HCI_EV_KEYPRESS_NOTIFY:
6275 hci_keypress_notify_evt(hdev, skb);
6276 break;
6277
6278 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6279 hci_simple_pair_complete_evt(hdev, skb);
6280 break;
6281
6282 case HCI_EV_REMOTE_HOST_FEATURES:
6283 hci_remote_host_features_evt(hdev, skb);
6284 break;
6285
6286 case HCI_EV_LE_META:
6287 hci_le_meta_evt(hdev, skb);
6288 break;
6289
6290 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6291 hci_remote_oob_data_request_evt(hdev, skb);
6292 break;
6293
6294 #if IS_ENABLED(CONFIG_BT_HS)
6295 case HCI_EV_CHANNEL_SELECTED:
6296 hci_chan_selected_evt(hdev, skb);
6297 break;
6298
6299 case HCI_EV_PHY_LINK_COMPLETE:
6300 hci_phy_link_complete_evt(hdev, skb);
6301 break;
6302
6303 case HCI_EV_LOGICAL_LINK_COMPLETE:
6304 hci_loglink_complete_evt(hdev, skb);
6305 break;
6306
6307 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6308 hci_disconn_loglink_complete_evt(hdev, skb);
6309 break;
6310
6311 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6312 hci_disconn_phylink_complete_evt(hdev, skb);
6313 break;
6314 #endif
6315
6316 case HCI_EV_NUM_COMP_BLOCKS:
6317 hci_num_comp_blocks_evt(hdev, skb);
6318 break;
6319
6320 case HCI_EV_VENDOR:
6321 msft_vendor_evt(hdev, skb);
6322 break;
6323
6324 default:
6325 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6326 break;
6327 }
6328
6329 if (req_complete) {
6330 req_complete(hdev, status, opcode);
6331 } else if (req_complete_skb) {
6332 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6333 kfree_skb(orig_skb);
6334 orig_skb = NULL;
6335 }
6336 req_complete_skb(hdev, status, opcode, orig_skb);
6337 }
6338
6339 done:
6340 kfree_skb(orig_skb);
6341 kfree_skb(skb);
6342 hdev->stat.evt_rx++;
6343 }
Linux with added FPC-III support