Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth HCI event handling. */
26
27#include <asm/unaligned.h>
28
29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/mgmt.h>
32
33#include "hci_request.h"
34#include "hci_debugfs.h"
35#include "a2mp.h"
36#include "amp.h"
37#include "smp.h"
38
39#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
41
42/* Handle HCI Event packets */
43
44static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45{
46 __u8 status = *((__u8 *) skb->data);
47
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
49
50 if (status)
51 return;
52
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
56
57 hci_dev_lock(hdev);
58 /* Set discovery state to stopped if we're not doing LE active
59 * scanning.
60 */
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 hci_dev_unlock(hdev);
65
66 hci_conn_check_pending(hdev);
67}
68
69static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70{
71 __u8 status = *((__u8 *) skb->data);
72
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
74
75 if (status)
76 return;
77
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79}
80
81static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82{
83 __u8 status = *((__u8 *) skb->data);
84
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
86
87 if (status)
88 return;
89
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91
92 hci_conn_check_pending(hdev);
93}
94
95static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 struct sk_buff *skb)
97{
98 BT_DBG("%s", hdev->name);
99}
100
101static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102{
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
105
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107
108 if (rp->status)
109 return;
110
111 hci_dev_lock(hdev);
112
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 if (conn)
115 conn->role = rp->role;
116
117 hci_dev_unlock(hdev);
118}
119
120static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121{
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
124
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126
127 if (rp->status)
128 return;
129
130 hci_dev_lock(hdev);
131
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 if (conn)
134 conn->link_policy = __le16_to_cpu(rp->policy);
135
136 hci_dev_unlock(hdev);
137}
138
139static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140{
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
143 void *sent;
144
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146
147 if (rp->status)
148 return;
149
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 if (!sent)
152 return;
153
154 hci_dev_lock(hdev);
155
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 if (conn)
158 conn->link_policy = get_unaligned_le16(sent + 2);
159
160 hci_dev_unlock(hdev);
161}
162
163static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 struct sk_buff *skb)
165{
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169
170 if (rp->status)
171 return;
172
173 hdev->link_policy = __le16_to_cpu(rp->policy);
174}
175
176static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 struct sk_buff *skb)
178{
179 __u8 status = *((__u8 *) skb->data);
180 void *sent;
181
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
183
184 if (status)
185 return;
186
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 if (!sent)
189 return;
190
191 hdev->link_policy = get_unaligned_le16(sent);
192}
193
194static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195{
196 __u8 status = *((__u8 *) skb->data);
197
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
199
200 clear_bit(HCI_RESET, &hdev->flags);
201
202 if (status)
203 return;
204
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
207
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
215
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
218
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
220
221 hdev->ssp_debug_mode = 0;
222
223 hci_bdaddr_list_clear(&hdev->le_white_list);
224}
225
226static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
227 struct sk_buff *skb)
228{
229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 struct hci_cp_read_stored_link_key *sent;
231
232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233
234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
235 if (!sent)
236 return;
237
238 if (!rp->status && sent->read_all == 0x01) {
239 hdev->stored_max_keys = rp->max_keys;
240 hdev->stored_num_keys = rp->num_keys;
241 }
242}
243
244static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
245 struct sk_buff *skb)
246{
247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
248
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250
251 if (rp->status)
252 return;
253
254 if (rp->num_keys <= hdev->stored_num_keys)
255 hdev->stored_num_keys -= rp->num_keys;
256 else
257 hdev->stored_num_keys = 0;
258}
259
260static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
261{
262 __u8 status = *((__u8 *) skb->data);
263 void *sent;
264
265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
266
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 if (!sent)
269 return;
270
271 hci_dev_lock(hdev);
272
273 if (hci_dev_test_flag(hdev, HCI_MGMT))
274 mgmt_set_local_name_complete(hdev, sent, status);
275 else if (!status)
276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
277
278 hci_dev_unlock(hdev);
279}
280
281static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
282{
283 struct hci_rp_read_local_name *rp = (void *) skb->data;
284
285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
286
287 if (rp->status)
288 return;
289
290 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 hci_dev_test_flag(hdev, HCI_CONFIG))
292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
293}
294
295static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
296{
297 __u8 status = *((__u8 *) skb->data);
298 void *sent;
299
300 BT_DBG("%s status 0x%2.2x", hdev->name, status);
301
302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
303 if (!sent)
304 return;
305
306 hci_dev_lock(hdev);
307
308 if (!status) {
309 __u8 param = *((__u8 *) sent);
310
311 if (param == AUTH_ENABLED)
312 set_bit(HCI_AUTH, &hdev->flags);
313 else
314 clear_bit(HCI_AUTH, &hdev->flags);
315 }
316
317 if (hci_dev_test_flag(hdev, HCI_MGMT))
318 mgmt_auth_enable_complete(hdev, status);
319
320 hci_dev_unlock(hdev);
321}
322
323static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
324{
325 __u8 status = *((__u8 *) skb->data);
326 __u8 param;
327 void *sent;
328
329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
330
331 if (status)
332 return;
333
334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
335 if (!sent)
336 return;
337
338 param = *((__u8 *) sent);
339
340 if (param)
341 set_bit(HCI_ENCRYPT, &hdev->flags);
342 else
343 clear_bit(HCI_ENCRYPT, &hdev->flags);
344}
345
346static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
347{
348 __u8 status = *((__u8 *) skb->data);
349 __u8 param;
350 void *sent;
351
352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
353
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
355 if (!sent)
356 return;
357
358 param = *((__u8 *) sent);
359
360 hci_dev_lock(hdev);
361
362 if (status) {
363 hdev->discov_timeout = 0;
364 goto done;
365 }
366
367 if (param & SCAN_INQUIRY)
368 set_bit(HCI_ISCAN, &hdev->flags);
369 else
370 clear_bit(HCI_ISCAN, &hdev->flags);
371
372 if (param & SCAN_PAGE)
373 set_bit(HCI_PSCAN, &hdev->flags);
374 else
375 clear_bit(HCI_PSCAN, &hdev->flags);
376
377done:
378 hci_dev_unlock(hdev);
379}
380
381static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
382{
383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
384
385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
386
387 if (rp->status)
388 return;
389
390 memcpy(hdev->dev_class, rp->dev_class, 3);
391
392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
394}
395
396static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
397{
398 __u8 status = *((__u8 *) skb->data);
399 void *sent;
400
401 BT_DBG("%s status 0x%2.2x", hdev->name, status);
402
403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
404 if (!sent)
405 return;
406
407 hci_dev_lock(hdev);
408
409 if (status == 0)
410 memcpy(hdev->dev_class, sent, 3);
411
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_set_class_of_dev_complete(hdev, sent, status);
414
415 hci_dev_unlock(hdev);
416}
417
418static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
419{
420 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
421 __u16 setting;
422
423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
424
425 if (rp->status)
426 return;
427
428 setting = __le16_to_cpu(rp->voice_setting);
429
430 if (hdev->voice_setting == setting)
431 return;
432
433 hdev->voice_setting = setting;
434
435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
436
437 if (hdev->notify)
438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
439}
440
441static void hci_cc_write_voice_setting(struct hci_dev *hdev,
442 struct sk_buff *skb)
443{
444 __u8 status = *((__u8 *) skb->data);
445 __u16 setting;
446 void *sent;
447
448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
449
450 if (status)
451 return;
452
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
454 if (!sent)
455 return;
456
457 setting = get_unaligned_le16(sent);
458
459 if (hdev->voice_setting == setting)
460 return;
461
462 hdev->voice_setting = setting;
463
464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
465
466 if (hdev->notify)
467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
468}
469
470static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
471 struct sk_buff *skb)
472{
473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
474
475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
476
477 if (rp->status)
478 return;
479
480 hdev->num_iac = rp->num_iac;
481
482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
483}
484
485static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
486{
487 __u8 status = *((__u8 *) skb->data);
488 struct hci_cp_write_ssp_mode *sent;
489
490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
491
492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
493 if (!sent)
494 return;
495
496 hci_dev_lock(hdev);
497
498 if (!status) {
499 if (sent->mode)
500 hdev->features[1][0] |= LMP_HOST_SSP;
501 else
502 hdev->features[1][0] &= ~LMP_HOST_SSP;
503 }
504
505 if (hci_dev_test_flag(hdev, HCI_MGMT))
506 mgmt_ssp_enable_complete(hdev, sent->mode, status);
507 else if (!status) {
508 if (sent->mode)
509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
510 else
511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
512 }
513
514 hci_dev_unlock(hdev);
515}
516
517static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
518{
519 u8 status = *((u8 *) skb->data);
520 struct hci_cp_write_sc_support *sent;
521
522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
523
524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
525 if (!sent)
526 return;
527
528 hci_dev_lock(hdev);
529
530 if (!status) {
531 if (sent->support)
532 hdev->features[1][0] |= LMP_HOST_SC;
533 else
534 hdev->features[1][0] &= ~LMP_HOST_SC;
535 }
536
537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
538 if (sent->support)
539 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
540 else
541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
542 }
543
544 hci_dev_unlock(hdev);
545}
546
547static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
548{
549 struct hci_rp_read_local_version *rp = (void *) skb->data;
550
551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
552
553 if (rp->status)
554 return;
555
556 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 hdev->hci_ver = rp->hci_ver;
559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 hdev->lmp_ver = rp->lmp_ver;
561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
563 }
564}
565
566static void hci_cc_read_local_commands(struct hci_dev *hdev,
567 struct sk_buff *skb)
568{
569 struct hci_rp_read_local_commands *rp = (void *) skb->data;
570
571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572
573 if (rp->status)
574 return;
575
576 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 hci_dev_test_flag(hdev, HCI_CONFIG))
578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
579}
580
581static void hci_cc_read_local_features(struct hci_dev *hdev,
582 struct sk_buff *skb)
583{
584 struct hci_rp_read_local_features *rp = (void *) skb->data;
585
586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
587
588 if (rp->status)
589 return;
590
591 memcpy(hdev->features, rp->features, 8);
592
593 /* Adjust default settings according to features
594 * supported by device. */
595
596 if (hdev->features[0][0] & LMP_3SLOT)
597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
598
599 if (hdev->features[0][0] & LMP_5SLOT)
600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
601
602 if (hdev->features[0][1] & LMP_HV2) {
603 hdev->pkt_type |= (HCI_HV2);
604 hdev->esco_type |= (ESCO_HV2);
605 }
606
607 if (hdev->features[0][1] & LMP_HV3) {
608 hdev->pkt_type |= (HCI_HV3);
609 hdev->esco_type |= (ESCO_HV3);
610 }
611
612 if (lmp_esco_capable(hdev))
613 hdev->esco_type |= (ESCO_EV3);
614
615 if (hdev->features[0][4] & LMP_EV4)
616 hdev->esco_type |= (ESCO_EV4);
617
618 if (hdev->features[0][4] & LMP_EV5)
619 hdev->esco_type |= (ESCO_EV5);
620
621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 hdev->esco_type |= (ESCO_2EV3);
623
624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 hdev->esco_type |= (ESCO_3EV3);
626
627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
629}
630
631static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
632 struct sk_buff *skb)
633{
634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
635
636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
637
638 if (rp->status)
639 return;
640
641 if (hdev->max_page < rp->max_page)
642 hdev->max_page = rp->max_page;
643
644 if (rp->page < HCI_MAX_PAGES)
645 memcpy(hdev->features[rp->page], rp->features, 8);
646}
647
648static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
649 struct sk_buff *skb)
650{
651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
652
653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
654
655 if (rp->status)
656 return;
657
658 hdev->flow_ctl_mode = rp->mode;
659}
660
661static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662{
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
664
665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
666
667 if (rp->status)
668 return;
669
670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
671 hdev->sco_mtu = rp->sco_mtu;
672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
674
675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
676 hdev->sco_mtu = 64;
677 hdev->sco_pkts = 8;
678 }
679
680 hdev->acl_cnt = hdev->acl_pkts;
681 hdev->sco_cnt = hdev->sco_pkts;
682
683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
685}
686
687static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
688{
689 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
690
691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
692
693 if (rp->status)
694 return;
695
696 if (test_bit(HCI_INIT, &hdev->flags))
697 bacpy(&hdev->bdaddr, &rp->bdaddr);
698
699 if (hci_dev_test_flag(hdev, HCI_SETUP))
700 bacpy(&hdev->setup_addr, &rp->bdaddr);
701}
702
703static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
704 struct sk_buff *skb)
705{
706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
707
708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
709
710 if (rp->status)
711 return;
712
713 if (test_bit(HCI_INIT, &hdev->flags)) {
714 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 hdev->page_scan_window = __le16_to_cpu(rp->window);
716 }
717}
718
719static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
720 struct sk_buff *skb)
721{
722 u8 status = *((u8 *) skb->data);
723 struct hci_cp_write_page_scan_activity *sent;
724
725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
726
727 if (status)
728 return;
729
730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
731 if (!sent)
732 return;
733
734 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 hdev->page_scan_window = __le16_to_cpu(sent->window);
736}
737
738static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
739 struct sk_buff *skb)
740{
741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
742
743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
744
745 if (rp->status)
746 return;
747
748 if (test_bit(HCI_INIT, &hdev->flags))
749 hdev->page_scan_type = rp->type;
750}
751
752static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
753 struct sk_buff *skb)
754{
755 u8 status = *((u8 *) skb->data);
756 u8 *type;
757
758 BT_DBG("%s status 0x%2.2x", hdev->name, status);
759
760 if (status)
761 return;
762
763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
764 if (type)
765 hdev->page_scan_type = *type;
766}
767
768static void hci_cc_read_data_block_size(struct hci_dev *hdev,
769 struct sk_buff *skb)
770{
771 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
772
773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
774
775 if (rp->status)
776 return;
777
778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 hdev->block_len = __le16_to_cpu(rp->block_len);
780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
781
782 hdev->block_cnt = hdev->num_blocks;
783
784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 hdev->block_cnt, hdev->block_len);
786}
787
788static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
789{
790 struct hci_rp_read_clock *rp = (void *) skb->data;
791 struct hci_cp_read_clock *cp;
792 struct hci_conn *conn;
793
794 BT_DBG("%s", hdev->name);
795
796 if (skb->len < sizeof(*rp))
797 return;
798
799 if (rp->status)
800 return;
801
802 hci_dev_lock(hdev);
803
804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
805 if (!cp)
806 goto unlock;
807
808 if (cp->which == 0x00) {
809 hdev->clock = le32_to_cpu(rp->clock);
810 goto unlock;
811 }
812
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814 if (conn) {
815 conn->clock = le32_to_cpu(rp->clock);
816 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
817 }
818
819unlock:
820 hci_dev_unlock(hdev);
821}
822
823static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
824 struct sk_buff *skb)
825{
826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
827
828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
829
830 if (rp->status)
831 return;
832
833 hdev->amp_status = rp->amp_status;
834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 hdev->amp_type = rp->amp_type;
839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
843}
844
845static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
846 struct sk_buff *skb)
847{
848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
849
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851
852 if (rp->status)
853 return;
854
855 hdev->inq_tx_power = rp->tx_power;
856}
857
858static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
859{
860 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 struct hci_cp_pin_code_reply *cp;
862 struct hci_conn *conn;
863
864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
865
866 hci_dev_lock(hdev);
867
868 if (hci_dev_test_flag(hdev, HCI_MGMT))
869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
870
871 if (rp->status)
872 goto unlock;
873
874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
875 if (!cp)
876 goto unlock;
877
878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
879 if (conn)
880 conn->pin_length = cp->pin_len;
881
882unlock:
883 hci_dev_unlock(hdev);
884}
885
886static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
887{
888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
889
890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
891
892 hci_dev_lock(hdev);
893
894 if (hci_dev_test_flag(hdev, HCI_MGMT))
895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
896 rp->status);
897
898 hci_dev_unlock(hdev);
899}
900
901static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
902 struct sk_buff *skb)
903{
904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
905
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
907
908 if (rp->status)
909 return;
910
911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 hdev->le_pkts = rp->le_max_pkt;
913
914 hdev->le_cnt = hdev->le_pkts;
915
916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
917}
918
919static void hci_cc_le_read_local_features(struct hci_dev *hdev,
920 struct sk_buff *skb)
921{
922 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
923
924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
925
926 if (rp->status)
927 return;
928
929 memcpy(hdev->le_features, rp->features, 8);
930}
931
932static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
933 struct sk_buff *skb)
934{
935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
936
937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938
939 if (rp->status)
940 return;
941
942 hdev->adv_tx_power = rp->tx_power;
943}
944
945static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
946{
947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
948
949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
950
951 hci_dev_lock(hdev);
952
953 if (hci_dev_test_flag(hdev, HCI_MGMT))
954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
955 rp->status);
956
957 hci_dev_unlock(hdev);
958}
959
960static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
961 struct sk_buff *skb)
962{
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
964
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
966
967 hci_dev_lock(hdev);
968
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 ACL_LINK, 0, rp->status);
972
973 hci_dev_unlock(hdev);
974}
975
976static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
977{
978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979
980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981
982 hci_dev_lock(hdev);
983
984 if (hci_dev_test_flag(hdev, HCI_MGMT))
985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
986 0, rp->status);
987
988 hci_dev_unlock(hdev);
989}
990
991static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
992 struct sk_buff *skb)
993{
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997
998 hci_dev_lock(hdev);
999
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 ACL_LINK, 0, rp->status);
1003
1004 hci_dev_unlock(hdev);
1005}
1006
1007static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1009{
1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1011
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1013}
1014
1015static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 struct sk_buff *skb)
1017{
1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1019
1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021}
1022
1023static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1024{
1025 __u8 status = *((__u8 *) skb->data);
1026 bdaddr_t *sent;
1027
1028 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1029
1030 if (status)
1031 return;
1032
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 if (!sent)
1035 return;
1036
1037 hci_dev_lock(hdev);
1038
1039 bacpy(&hdev->random_addr, sent);
1040
1041 hci_dev_unlock(hdev);
1042}
1043
1044static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1045{
1046 __u8 *sent, status = *((__u8 *) skb->data);
1047
1048 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049
1050 if (status)
1051 return;
1052
1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 if (!sent)
1055 return;
1056
1057 hci_dev_lock(hdev);
1058
1059 /* If we're doing connection initiation as peripheral. Set a
1060 * timeout in case something goes wrong.
1061 */
1062 if (*sent) {
1063 struct hci_conn *conn;
1064
1065 hci_dev_set_flag(hdev, HCI_LE_ADV);
1066
1067 conn = hci_lookup_le_connect(hdev);
1068 if (conn)
1069 queue_delayed_work(hdev->workqueue,
1070 &conn->le_conn_timeout,
1071 conn->conn_timeout);
1072 } else {
1073 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1074 }
1075
1076 hci_dev_unlock(hdev);
1077}
1078
1079static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1080{
1081 struct hci_cp_le_set_scan_param *cp;
1082 __u8 status = *((__u8 *) skb->data);
1083
1084 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1085
1086 if (status)
1087 return;
1088
1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 if (!cp)
1091 return;
1092
1093 hci_dev_lock(hdev);
1094
1095 hdev->le_scan_type = cp->type;
1096
1097 hci_dev_unlock(hdev);
1098}
1099
1100static bool has_pending_adv_report(struct hci_dev *hdev)
1101{
1102 struct discovery_state *d = &hdev->discovery;
1103
1104 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1105}
1106
1107static void clear_pending_adv_report(struct hci_dev *hdev)
1108{
1109 struct discovery_state *d = &hdev->discovery;
1110
1111 bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 d->last_adv_data_len = 0;
1113}
1114
1115static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 u8 bdaddr_type, s8 rssi, u32 flags,
1117 u8 *data, u8 len)
1118{
1119 struct discovery_state *d = &hdev->discovery;
1120
1121 bacpy(&d->last_adv_addr, bdaddr);
1122 d->last_adv_addr_type = bdaddr_type;
1123 d->last_adv_rssi = rssi;
1124 d->last_adv_flags = flags;
1125 memcpy(d->last_adv_data, data, len);
1126 d->last_adv_data_len = len;
1127}
1128
1129static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 struct sk_buff *skb)
1131{
1132 struct hci_cp_le_set_scan_enable *cp;
1133 __u8 status = *((__u8 *) skb->data);
1134
1135 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1136
1137 if (status)
1138 return;
1139
1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 if (!cp)
1142 return;
1143
1144 hci_dev_lock(hdev);
1145
1146 switch (cp->enable) {
1147 case LE_SCAN_ENABLE:
1148 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 clear_pending_adv_report(hdev);
1151 break;
1152
1153 case LE_SCAN_DISABLE:
1154 /* We do this here instead of when setting DISCOVERY_STOPPED
1155 * since the latter would potentially require waiting for
1156 * inquiry to stop too.
1157 */
1158 if (has_pending_adv_report(hdev)) {
1159 struct discovery_state *d = &hdev->discovery;
1160
1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 d->last_adv_addr_type, NULL,
1163 d->last_adv_rssi, d->last_adv_flags,
1164 d->last_adv_data,
1165 d->last_adv_data_len, NULL, 0);
1166 }
1167
1168 /* Cancel this timer so that we don't try to disable scanning
1169 * when it's already disabled.
1170 */
1171 cancel_delayed_work(&hdev->le_scan_disable);
1172
1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1174
1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 * interrupted scanning due to a connect request. Mark
1177 * therefore discovery as stopped. If this was not
1178 * because of a connect request advertising might have
1179 * been disabled because of active scanning, so
1180 * re-enable it again if necessary.
1181 */
1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 hdev->discovery.state == DISCOVERY_FINDING)
1186 hci_req_reenable_advertising(hdev);
1187
1188 break;
1189
1190 default:
1191 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1192 break;
1193 }
1194
1195 hci_dev_unlock(hdev);
1196}
1197
1198static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1199 struct sk_buff *skb)
1200{
1201 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1202
1203 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1204
1205 if (rp->status)
1206 return;
1207
1208 hdev->le_white_list_size = rp->size;
1209}
1210
1211static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1212 struct sk_buff *skb)
1213{
1214 __u8 status = *((__u8 *) skb->data);
1215
1216 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1217
1218 if (status)
1219 return;
1220
1221 hci_bdaddr_list_clear(&hdev->le_white_list);
1222}
1223
1224static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1225 struct sk_buff *skb)
1226{
1227 struct hci_cp_le_add_to_white_list *sent;
1228 __u8 status = *((__u8 *) skb->data);
1229
1230 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1231
1232 if (status)
1233 return;
1234
1235 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1236 if (!sent)
1237 return;
1238
1239 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1240 sent->bdaddr_type);
1241}
1242
1243static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1244 struct sk_buff *skb)
1245{
1246 struct hci_cp_le_del_from_white_list *sent;
1247 __u8 status = *((__u8 *) skb->data);
1248
1249 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1250
1251 if (status)
1252 return;
1253
1254 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1255 if (!sent)
1256 return;
1257
1258 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1259 sent->bdaddr_type);
1260}
1261
1262static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1263 struct sk_buff *skb)
1264{
1265 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1266
1267 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1268
1269 if (rp->status)
1270 return;
1271
1272 memcpy(hdev->le_states, rp->le_states, 8);
1273}
1274
1275static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1276 struct sk_buff *skb)
1277{
1278 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1279
1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1281
1282 if (rp->status)
1283 return;
1284
1285 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1286 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1287}
1288
1289static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1290 struct sk_buff *skb)
1291{
1292 struct hci_cp_le_write_def_data_len *sent;
1293 __u8 status = *((__u8 *) skb->data);
1294
1295 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1296
1297 if (status)
1298 return;
1299
1300 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1301 if (!sent)
1302 return;
1303
1304 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1305 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1306}
1307
1308static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1309 struct sk_buff *skb)
1310{
1311 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1312
1313 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1314
1315 if (rp->status)
1316 return;
1317
1318 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1319 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1320 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1321 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1322}
1323
1324static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1325 struct sk_buff *skb)
1326{
1327 struct hci_cp_write_le_host_supported *sent;
1328 __u8 status = *((__u8 *) skb->data);
1329
1330 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1331
1332 if (status)
1333 return;
1334
1335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1336 if (!sent)
1337 return;
1338
1339 hci_dev_lock(hdev);
1340
1341 if (sent->le) {
1342 hdev->features[1][0] |= LMP_HOST_LE;
1343 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1344 } else {
1345 hdev->features[1][0] &= ~LMP_HOST_LE;
1346 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1347 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1348 }
1349
1350 if (sent->simul)
1351 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1352 else
1353 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1354
1355 hci_dev_unlock(hdev);
1356}
1357
1358static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1359{
1360 struct hci_cp_le_set_adv_param *cp;
1361 u8 status = *((u8 *) skb->data);
1362
1363 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1364
1365 if (status)
1366 return;
1367
1368 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1369 if (!cp)
1370 return;
1371
1372 hci_dev_lock(hdev);
1373 hdev->adv_addr_type = cp->own_address_type;
1374 hci_dev_unlock(hdev);
1375}
1376
1377static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1378{
1379 struct hci_rp_read_rssi *rp = (void *) skb->data;
1380 struct hci_conn *conn;
1381
1382 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1383
1384 if (rp->status)
1385 return;
1386
1387 hci_dev_lock(hdev);
1388
1389 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1390 if (conn)
1391 conn->rssi = rp->rssi;
1392
1393 hci_dev_unlock(hdev);
1394}
1395
1396static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1397{
1398 struct hci_cp_read_tx_power *sent;
1399 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1400 struct hci_conn *conn;
1401
1402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1403
1404 if (rp->status)
1405 return;
1406
1407 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1408 if (!sent)
1409 return;
1410
1411 hci_dev_lock(hdev);
1412
1413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1414 if (!conn)
1415 goto unlock;
1416
1417 switch (sent->type) {
1418 case 0x00:
1419 conn->tx_power = rp->tx_power;
1420 break;
1421 case 0x01:
1422 conn->max_tx_power = rp->tx_power;
1423 break;
1424 }
1425
1426unlock:
1427 hci_dev_unlock(hdev);
1428}
1429
1430static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1431{
1432 u8 status = *((u8 *) skb->data);
1433 u8 *mode;
1434
1435 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1436
1437 if (status)
1438 return;
1439
1440 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1441 if (mode)
1442 hdev->ssp_debug_mode = *mode;
1443}
1444
1445static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1446{
1447 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1448
1449 if (status) {
1450 hci_conn_check_pending(hdev);
1451 return;
1452 }
1453
1454 set_bit(HCI_INQUIRY, &hdev->flags);
1455}
1456
1457static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1458{
1459 struct hci_cp_create_conn *cp;
1460 struct hci_conn *conn;
1461
1462 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1463
1464 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1465 if (!cp)
1466 return;
1467
1468 hci_dev_lock(hdev);
1469
1470 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1471
1472 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1473
1474 if (status) {
1475 if (conn && conn->state == BT_CONNECT) {
1476 if (status != 0x0c || conn->attempt > 2) {
1477 conn->state = BT_CLOSED;
1478 hci_connect_cfm(conn, status);
1479 hci_conn_del(conn);
1480 } else
1481 conn->state = BT_CONNECT2;
1482 }
1483 } else {
1484 if (!conn) {
1485 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1486 HCI_ROLE_MASTER);
1487 if (!conn)
1488 BT_ERR("No memory for new connection");
1489 }
1490 }
1491
1492 hci_dev_unlock(hdev);
1493}
1494
1495static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1496{
1497 struct hci_cp_add_sco *cp;
1498 struct hci_conn *acl, *sco;
1499 __u16 handle;
1500
1501 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1502
1503 if (!status)
1504 return;
1505
1506 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1507 if (!cp)
1508 return;
1509
1510 handle = __le16_to_cpu(cp->handle);
1511
1512 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1513
1514 hci_dev_lock(hdev);
1515
1516 acl = hci_conn_hash_lookup_handle(hdev, handle);
1517 if (acl) {
1518 sco = acl->link;
1519 if (sco) {
1520 sco->state = BT_CLOSED;
1521
1522 hci_connect_cfm(sco, status);
1523 hci_conn_del(sco);
1524 }
1525 }
1526
1527 hci_dev_unlock(hdev);
1528}
1529
1530static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1531{
1532 struct hci_cp_auth_requested *cp;
1533 struct hci_conn *conn;
1534
1535 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1536
1537 if (!status)
1538 return;
1539
1540 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1541 if (!cp)
1542 return;
1543
1544 hci_dev_lock(hdev);
1545
1546 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1547 if (conn) {
1548 if (conn->state == BT_CONFIG) {
1549 hci_connect_cfm(conn, status);
1550 hci_conn_drop(conn);
1551 }
1552 }
1553
1554 hci_dev_unlock(hdev);
1555}
1556
1557static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1558{
1559 struct hci_cp_set_conn_encrypt *cp;
1560 struct hci_conn *conn;
1561
1562 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1563
1564 if (!status)
1565 return;
1566
1567 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1568 if (!cp)
1569 return;
1570
1571 hci_dev_lock(hdev);
1572
1573 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1574 if (conn) {
1575 if (conn->state == BT_CONFIG) {
1576 hci_connect_cfm(conn, status);
1577 hci_conn_drop(conn);
1578 }
1579 }
1580
1581 hci_dev_unlock(hdev);
1582}
1583
1584static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1585 struct hci_conn *conn)
1586{
1587 if (conn->state != BT_CONFIG || !conn->out)
1588 return 0;
1589
1590 if (conn->pending_sec_level == BT_SECURITY_SDP)
1591 return 0;
1592
1593 /* Only request authentication for SSP connections or non-SSP
1594 * devices with sec_level MEDIUM or HIGH or if MITM protection
1595 * is requested.
1596 */
1597 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1598 conn->pending_sec_level != BT_SECURITY_FIPS &&
1599 conn->pending_sec_level != BT_SECURITY_HIGH &&
1600 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1601 return 0;
1602
1603 return 1;
1604}
1605
1606static int hci_resolve_name(struct hci_dev *hdev,
1607 struct inquiry_entry *e)
1608{
1609 struct hci_cp_remote_name_req cp;
1610
1611 memset(&cp, 0, sizeof(cp));
1612
1613 bacpy(&cp.bdaddr, &e->data.bdaddr);
1614 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1615 cp.pscan_mode = e->data.pscan_mode;
1616 cp.clock_offset = e->data.clock_offset;
1617
1618 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1619}
1620
1621static bool hci_resolve_next_name(struct hci_dev *hdev)
1622{
1623 struct discovery_state *discov = &hdev->discovery;
1624 struct inquiry_entry *e;
1625
1626 if (list_empty(&discov->resolve))
1627 return false;
1628
1629 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1630 if (!e)
1631 return false;
1632
1633 if (hci_resolve_name(hdev, e) == 0) {
1634 e->name_state = NAME_PENDING;
1635 return true;
1636 }
1637
1638 return false;
1639}
1640
1641static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1642 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1643{
1644 struct discovery_state *discov = &hdev->discovery;
1645 struct inquiry_entry *e;
1646
1647 /* Update the mgmt connected state if necessary. Be careful with
1648 * conn objects that exist but are not (yet) connected however.
1649 * Only those in BT_CONFIG or BT_CONNECTED states can be
1650 * considered connected.
1651 */
1652 if (conn &&
1653 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1654 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1655 mgmt_device_connected(hdev, conn, 0, name, name_len);
1656
1657 if (discov->state == DISCOVERY_STOPPED)
1658 return;
1659
1660 if (discov->state == DISCOVERY_STOPPING)
1661 goto discov_complete;
1662
1663 if (discov->state != DISCOVERY_RESOLVING)
1664 return;
1665
1666 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1667 /* If the device was not found in a list of found devices names of which
1668 * are pending. there is no need to continue resolving a next name as it
1669 * will be done upon receiving another Remote Name Request Complete
1670 * Event */
1671 if (!e)
1672 return;
1673
1674 list_del(&e->list);
1675 if (name) {
1676 e->name_state = NAME_KNOWN;
1677 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1678 e->data.rssi, name, name_len);
1679 } else {
1680 e->name_state = NAME_NOT_KNOWN;
1681 }
1682
1683 if (hci_resolve_next_name(hdev))
1684 return;
1685
1686discov_complete:
1687 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1688}
1689
1690static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1691{
1692 struct hci_cp_remote_name_req *cp;
1693 struct hci_conn *conn;
1694
1695 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1696
1697 /* If successful wait for the name req complete event before
1698 * checking for the need to do authentication */
1699 if (!status)
1700 return;
1701
1702 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1703 if (!cp)
1704 return;
1705
1706 hci_dev_lock(hdev);
1707
1708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1709
1710 if (hci_dev_test_flag(hdev, HCI_MGMT))
1711 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1712
1713 if (!conn)
1714 goto unlock;
1715
1716 if (!hci_outgoing_auth_needed(hdev, conn))
1717 goto unlock;
1718
1719 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1720 struct hci_cp_auth_requested auth_cp;
1721
1722 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1723
1724 auth_cp.handle = __cpu_to_le16(conn->handle);
1725 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1726 sizeof(auth_cp), &auth_cp);
1727 }
1728
1729unlock:
1730 hci_dev_unlock(hdev);
1731}
1732
1733static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1734{
1735 struct hci_cp_read_remote_features *cp;
1736 struct hci_conn *conn;
1737
1738 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1739
1740 if (!status)
1741 return;
1742
1743 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1744 if (!cp)
1745 return;
1746
1747 hci_dev_lock(hdev);
1748
1749 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1750 if (conn) {
1751 if (conn->state == BT_CONFIG) {
1752 hci_connect_cfm(conn, status);
1753 hci_conn_drop(conn);
1754 }
1755 }
1756
1757 hci_dev_unlock(hdev);
1758}
1759
1760static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1761{
1762 struct hci_cp_read_remote_ext_features *cp;
1763 struct hci_conn *conn;
1764
1765 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1766
1767 if (!status)
1768 return;
1769
1770 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1771 if (!cp)
1772 return;
1773
1774 hci_dev_lock(hdev);
1775
1776 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1777 if (conn) {
1778 if (conn->state == BT_CONFIG) {
1779 hci_connect_cfm(conn, status);
1780 hci_conn_drop(conn);
1781 }
1782 }
1783
1784 hci_dev_unlock(hdev);
1785}
1786
1787static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1788{
1789 struct hci_cp_setup_sync_conn *cp;
1790 struct hci_conn *acl, *sco;
1791 __u16 handle;
1792
1793 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1794
1795 if (!status)
1796 return;
1797
1798 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1799 if (!cp)
1800 return;
1801
1802 handle = __le16_to_cpu(cp->handle);
1803
1804 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1805
1806 hci_dev_lock(hdev);
1807
1808 acl = hci_conn_hash_lookup_handle(hdev, handle);
1809 if (acl) {
1810 sco = acl->link;
1811 if (sco) {
1812 sco->state = BT_CLOSED;
1813
1814 hci_connect_cfm(sco, status);
1815 hci_conn_del(sco);
1816 }
1817 }
1818
1819 hci_dev_unlock(hdev);
1820}
1821
1822static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1823{
1824 struct hci_cp_sniff_mode *cp;
1825 struct hci_conn *conn;
1826
1827 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1828
1829 if (!status)
1830 return;
1831
1832 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1833 if (!cp)
1834 return;
1835
1836 hci_dev_lock(hdev);
1837
1838 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1839 if (conn) {
1840 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1841
1842 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1843 hci_sco_setup(conn, status);
1844 }
1845
1846 hci_dev_unlock(hdev);
1847}
1848
1849static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1850{
1851 struct hci_cp_exit_sniff_mode *cp;
1852 struct hci_conn *conn;
1853
1854 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1855
1856 if (!status)
1857 return;
1858
1859 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1860 if (!cp)
1861 return;
1862
1863 hci_dev_lock(hdev);
1864
1865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1866 if (conn) {
1867 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1868
1869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1870 hci_sco_setup(conn, status);
1871 }
1872
1873 hci_dev_unlock(hdev);
1874}
1875
1876static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1877{
1878 struct hci_cp_disconnect *cp;
1879 struct hci_conn *conn;
1880
1881 if (!status)
1882 return;
1883
1884 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1885 if (!cp)
1886 return;
1887
1888 hci_dev_lock(hdev);
1889
1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1891 if (conn)
1892 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1893 conn->dst_type, status);
1894
1895 hci_dev_unlock(hdev);
1896}
1897
1898static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1899{
1900 struct hci_cp_le_create_conn *cp;
1901 struct hci_conn *conn;
1902
1903 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1904
1905 /* All connection failure handling is taken care of by the
1906 * hci_le_conn_failed function which is triggered by the HCI
1907 * request completion callbacks used for connecting.
1908 */
1909 if (status)
1910 return;
1911
1912 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1913 if (!cp)
1914 return;
1915
1916 hci_dev_lock(hdev);
1917
1918 conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1919 cp->peer_addr_type);
1920 if (!conn)
1921 goto unlock;
1922
1923 /* Store the initiator and responder address information which
1924 * is needed for SMP. These values will not change during the
1925 * lifetime of the connection.
1926 */
1927 conn->init_addr_type = cp->own_address_type;
1928 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1929 bacpy(&conn->init_addr, &hdev->random_addr);
1930 else
1931 bacpy(&conn->init_addr, &hdev->bdaddr);
1932
1933 conn->resp_addr_type = cp->peer_addr_type;
1934 bacpy(&conn->resp_addr, &cp->peer_addr);
1935
1936 /* We don't want the connection attempt to stick around
1937 * indefinitely since LE doesn't have a page timeout concept
1938 * like BR/EDR. Set a timer for any connection that doesn't use
1939 * the white list for connecting.
1940 */
1941 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1942 queue_delayed_work(conn->hdev->workqueue,
1943 &conn->le_conn_timeout,
1944 conn->conn_timeout);
1945
1946unlock:
1947 hci_dev_unlock(hdev);
1948}
1949
1950static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1951{
1952 struct hci_cp_le_read_remote_features *cp;
1953 struct hci_conn *conn;
1954
1955 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1956
1957 if (!status)
1958 return;
1959
1960 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1961 if (!cp)
1962 return;
1963
1964 hci_dev_lock(hdev);
1965
1966 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1967 if (conn) {
1968 if (conn->state == BT_CONFIG) {
1969 hci_connect_cfm(conn, status);
1970 hci_conn_drop(conn);
1971 }
1972 }
1973
1974 hci_dev_unlock(hdev);
1975}
1976
1977static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1978{
1979 struct hci_cp_le_start_enc *cp;
1980 struct hci_conn *conn;
1981
1982 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1983
1984 if (!status)
1985 return;
1986
1987 hci_dev_lock(hdev);
1988
1989 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1990 if (!cp)
1991 goto unlock;
1992
1993 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1994 if (!conn)
1995 goto unlock;
1996
1997 if (conn->state != BT_CONNECTED)
1998 goto unlock;
1999
2000 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2001 hci_conn_drop(conn);
2002
2003unlock:
2004 hci_dev_unlock(hdev);
2005}
2006
2007static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2008{
2009 struct hci_cp_switch_role *cp;
2010 struct hci_conn *conn;
2011
2012 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2013
2014 if (!status)
2015 return;
2016
2017 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2018 if (!cp)
2019 return;
2020
2021 hci_dev_lock(hdev);
2022
2023 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2024 if (conn)
2025 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2026
2027 hci_dev_unlock(hdev);
2028}
2029
2030static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2031{
2032 __u8 status = *((__u8 *) skb->data);
2033 struct discovery_state *discov = &hdev->discovery;
2034 struct inquiry_entry *e;
2035
2036 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2037
2038 hci_conn_check_pending(hdev);
2039
2040 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2041 return;
2042
2043 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2044 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2045
2046 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2047 return;
2048
2049 hci_dev_lock(hdev);
2050
2051 if (discov->state != DISCOVERY_FINDING)
2052 goto unlock;
2053
2054 if (list_empty(&discov->resolve)) {
2055 /* When BR/EDR inquiry is active and no LE scanning is in
2056 * progress, then change discovery state to indicate completion.
2057 *
2058 * When running LE scanning and BR/EDR inquiry simultaneously
2059 * and the LE scan already finished, then change the discovery
2060 * state to indicate completion.
2061 */
2062 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2063 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2064 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2065 goto unlock;
2066 }
2067
2068 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2069 if (e && hci_resolve_name(hdev, e) == 0) {
2070 e->name_state = NAME_PENDING;
2071 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2072 } else {
2073 /* When BR/EDR inquiry is active and no LE scanning is in
2074 * progress, then change discovery state to indicate completion.
2075 *
2076 * When running LE scanning and BR/EDR inquiry simultaneously
2077 * and the LE scan already finished, then change the discovery
2078 * state to indicate completion.
2079 */
2080 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2081 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2082 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2083 }
2084
2085unlock:
2086 hci_dev_unlock(hdev);
2087}
2088
2089static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2090{
2091 struct inquiry_data data;
2092 struct inquiry_info *info = (void *) (skb->data + 1);
2093 int num_rsp = *((__u8 *) skb->data);
2094
2095 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2096
2097 if (!num_rsp)
2098 return;
2099
2100 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2101 return;
2102
2103 hci_dev_lock(hdev);
2104
2105 for (; num_rsp; num_rsp--, info++) {
2106 u32 flags;
2107
2108 bacpy(&data.bdaddr, &info->bdaddr);
2109 data.pscan_rep_mode = info->pscan_rep_mode;
2110 data.pscan_period_mode = info->pscan_period_mode;
2111 data.pscan_mode = info->pscan_mode;
2112 memcpy(data.dev_class, info->dev_class, 3);
2113 data.clock_offset = info->clock_offset;
2114 data.rssi = HCI_RSSI_INVALID;
2115 data.ssp_mode = 0x00;
2116
2117 flags = hci_inquiry_cache_update(hdev, &data, false);
2118
2119 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2120 info->dev_class, HCI_RSSI_INVALID,
2121 flags, NULL, 0, NULL, 0);
2122 }
2123
2124 hci_dev_unlock(hdev);
2125}
2126
2127static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2128{
2129 struct hci_ev_conn_complete *ev = (void *) skb->data;
2130 struct hci_conn *conn;
2131
2132 BT_DBG("%s", hdev->name);
2133
2134 hci_dev_lock(hdev);
2135
2136 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2137 if (!conn) {
2138 if (ev->link_type != SCO_LINK)
2139 goto unlock;
2140
2141 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2142 if (!conn)
2143 goto unlock;
2144
2145 conn->type = SCO_LINK;
2146 }
2147
2148 if (!ev->status) {
2149 conn->handle = __le16_to_cpu(ev->handle);
2150
2151 if (conn->type == ACL_LINK) {
2152 conn->state = BT_CONFIG;
2153 hci_conn_hold(conn);
2154
2155 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2156 !hci_find_link_key(hdev, &ev->bdaddr))
2157 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2158 else
2159 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2160 } else
2161 conn->state = BT_CONNECTED;
2162
2163 hci_debugfs_create_conn(conn);
2164 hci_conn_add_sysfs(conn);
2165
2166 if (test_bit(HCI_AUTH, &hdev->flags))
2167 set_bit(HCI_CONN_AUTH, &conn->flags);
2168
2169 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2170 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2171
2172 /* Get remote features */
2173 if (conn->type == ACL_LINK) {
2174 struct hci_cp_read_remote_features cp;
2175 cp.handle = ev->handle;
2176 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2177 sizeof(cp), &cp);
2178
2179 hci_req_update_scan(hdev);
2180 }
2181
2182 /* Set packet type for incoming connection */
2183 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2184 struct hci_cp_change_conn_ptype cp;
2185 cp.handle = ev->handle;
2186 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2187 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2188 &cp);
2189 }
2190 } else {
2191 conn->state = BT_CLOSED;
2192 if (conn->type == ACL_LINK)
2193 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2194 conn->dst_type, ev->status);
2195 }
2196
2197 if (conn->type == ACL_LINK)
2198 hci_sco_setup(conn, ev->status);
2199
2200 if (ev->status) {
2201 hci_connect_cfm(conn, ev->status);
2202 hci_conn_del(conn);
2203 } else if (ev->link_type != ACL_LINK)
2204 hci_connect_cfm(conn, ev->status);
2205
2206unlock:
2207 hci_dev_unlock(hdev);
2208
2209 hci_conn_check_pending(hdev);
2210}
2211
2212static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2213{
2214 struct hci_cp_reject_conn_req cp;
2215
2216 bacpy(&cp.bdaddr, bdaddr);
2217 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2218 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2219}
2220
2221static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2222{
2223 struct hci_ev_conn_request *ev = (void *) skb->data;
2224 int mask = hdev->link_mode;
2225 struct inquiry_entry *ie;
2226 struct hci_conn *conn;
2227 __u8 flags = 0;
2228
2229 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2230 ev->link_type);
2231
2232 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2233 &flags);
2234
2235 if (!(mask & HCI_LM_ACCEPT)) {
2236 hci_reject_conn(hdev, &ev->bdaddr);
2237 return;
2238 }
2239
2240 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2241 BDADDR_BREDR)) {
2242 hci_reject_conn(hdev, &ev->bdaddr);
2243 return;
2244 }
2245
2246 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2247 * connection. These features are only touched through mgmt so
2248 * only do the checks if HCI_MGMT is set.
2249 */
2250 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2251 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2252 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2253 BDADDR_BREDR)) {
2254 hci_reject_conn(hdev, &ev->bdaddr);
2255 return;
2256 }
2257
2258 /* Connection accepted */
2259
2260 hci_dev_lock(hdev);
2261
2262 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2263 if (ie)
2264 memcpy(ie->data.dev_class, ev->dev_class, 3);
2265
2266 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2267 &ev->bdaddr);
2268 if (!conn) {
2269 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2270 HCI_ROLE_SLAVE);
2271 if (!conn) {
2272 BT_ERR("No memory for new connection");
2273 hci_dev_unlock(hdev);
2274 return;
2275 }
2276 }
2277
2278 memcpy(conn->dev_class, ev->dev_class, 3);
2279
2280 hci_dev_unlock(hdev);
2281
2282 if (ev->link_type == ACL_LINK ||
2283 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2284 struct hci_cp_accept_conn_req cp;
2285 conn->state = BT_CONNECT;
2286
2287 bacpy(&cp.bdaddr, &ev->bdaddr);
2288
2289 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2290 cp.role = 0x00; /* Become master */
2291 else
2292 cp.role = 0x01; /* Remain slave */
2293
2294 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2295 } else if (!(flags & HCI_PROTO_DEFER)) {
2296 struct hci_cp_accept_sync_conn_req cp;
2297 conn->state = BT_CONNECT;
2298
2299 bacpy(&cp.bdaddr, &ev->bdaddr);
2300 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2301
2302 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2303 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2304 cp.max_latency = cpu_to_le16(0xffff);
2305 cp.content_format = cpu_to_le16(hdev->voice_setting);
2306 cp.retrans_effort = 0xff;
2307
2308 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2309 &cp);
2310 } else {
2311 conn->state = BT_CONNECT2;
2312 hci_connect_cfm(conn, 0);
2313 }
2314}
2315
2316static u8 hci_to_mgmt_reason(u8 err)
2317{
2318 switch (err) {
2319 case HCI_ERROR_CONNECTION_TIMEOUT:
2320 return MGMT_DEV_DISCONN_TIMEOUT;
2321 case HCI_ERROR_REMOTE_USER_TERM:
2322 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2323 case HCI_ERROR_REMOTE_POWER_OFF:
2324 return MGMT_DEV_DISCONN_REMOTE;
2325 case HCI_ERROR_LOCAL_HOST_TERM:
2326 return MGMT_DEV_DISCONN_LOCAL_HOST;
2327 default:
2328 return MGMT_DEV_DISCONN_UNKNOWN;
2329 }
2330}
2331
2332static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333{
2334 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2335 u8 reason = hci_to_mgmt_reason(ev->reason);
2336 struct hci_conn_params *params;
2337 struct hci_conn *conn;
2338 bool mgmt_connected;
2339 u8 type;
2340
2341 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2342
2343 hci_dev_lock(hdev);
2344
2345 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2346 if (!conn)
2347 goto unlock;
2348
2349 if (ev->status) {
2350 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2351 conn->dst_type, ev->status);
2352 goto unlock;
2353 }
2354
2355 conn->state = BT_CLOSED;
2356
2357 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2358 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2359 reason, mgmt_connected);
2360
2361 if (conn->type == ACL_LINK) {
2362 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2363 hci_remove_link_key(hdev, &conn->dst);
2364
2365 hci_req_update_scan(hdev);
2366 }
2367
2368 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2369 if (params) {
2370 switch (params->auto_connect) {
2371 case HCI_AUTO_CONN_LINK_LOSS:
2372 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2373 break;
2374 /* Fall through */
2375
2376 case HCI_AUTO_CONN_DIRECT:
2377 case HCI_AUTO_CONN_ALWAYS:
2378 list_del_init(¶ms->action);
2379 list_add(¶ms->action, &hdev->pend_le_conns);
2380 hci_update_background_scan(hdev);
2381 break;
2382
2383 default:
2384 break;
2385 }
2386 }
2387
2388 type = conn->type;
2389
2390 hci_disconn_cfm(conn, ev->reason);
2391 hci_conn_del(conn);
2392
2393 /* Re-enable advertising if necessary, since it might
2394 * have been disabled by the connection. From the
2395 * HCI_LE_Set_Advertise_Enable command description in
2396 * the core specification (v4.0):
2397 * "The Controller shall continue advertising until the Host
2398 * issues an LE_Set_Advertise_Enable command with
2399 * Advertising_Enable set to 0x00 (Advertising is disabled)
2400 * or until a connection is created or until the Advertising
2401 * is timed out due to Directed Advertising."
2402 */
2403 if (type == LE_LINK)
2404 hci_req_reenable_advertising(hdev);
2405
2406unlock:
2407 hci_dev_unlock(hdev);
2408}
2409
2410static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2411{
2412 struct hci_ev_auth_complete *ev = (void *) skb->data;
2413 struct hci_conn *conn;
2414
2415 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2416
2417 hci_dev_lock(hdev);
2418
2419 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2420 if (!conn)
2421 goto unlock;
2422
2423 if (!ev->status) {
2424 if (!hci_conn_ssp_enabled(conn) &&
2425 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2426 BT_INFO("re-auth of legacy device is not possible.");
2427 } else {
2428 set_bit(HCI_CONN_AUTH, &conn->flags);
2429 conn->sec_level = conn->pending_sec_level;
2430 }
2431 } else {
2432 mgmt_auth_failed(conn, ev->status);
2433 }
2434
2435 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2436 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2437
2438 if (conn->state == BT_CONFIG) {
2439 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2440 struct hci_cp_set_conn_encrypt cp;
2441 cp.handle = ev->handle;
2442 cp.encrypt = 0x01;
2443 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2444 &cp);
2445 } else {
2446 conn->state = BT_CONNECTED;
2447 hci_connect_cfm(conn, ev->status);
2448 hci_conn_drop(conn);
2449 }
2450 } else {
2451 hci_auth_cfm(conn, ev->status);
2452
2453 hci_conn_hold(conn);
2454 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2455 hci_conn_drop(conn);
2456 }
2457
2458 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2459 if (!ev->status) {
2460 struct hci_cp_set_conn_encrypt cp;
2461 cp.handle = ev->handle;
2462 cp.encrypt = 0x01;
2463 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2464 &cp);
2465 } else {
2466 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2467 hci_encrypt_cfm(conn, ev->status, 0x00);
2468 }
2469 }
2470
2471unlock:
2472 hci_dev_unlock(hdev);
2473}
2474
2475static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2476{
2477 struct hci_ev_remote_name *ev = (void *) skb->data;
2478 struct hci_conn *conn;
2479
2480 BT_DBG("%s", hdev->name);
2481
2482 hci_conn_check_pending(hdev);
2483
2484 hci_dev_lock(hdev);
2485
2486 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2487
2488 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2489 goto check_auth;
2490
2491 if (ev->status == 0)
2492 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2493 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2494 else
2495 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2496
2497check_auth:
2498 if (!conn)
2499 goto unlock;
2500
2501 if (!hci_outgoing_auth_needed(hdev, conn))
2502 goto unlock;
2503
2504 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2505 struct hci_cp_auth_requested cp;
2506
2507 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2508
2509 cp.handle = __cpu_to_le16(conn->handle);
2510 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2511 }
2512
2513unlock:
2514 hci_dev_unlock(hdev);
2515}
2516
2517static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2518 u16 opcode, struct sk_buff *skb)
2519{
2520 const struct hci_rp_read_enc_key_size *rp;
2521 struct hci_conn *conn;
2522 u16 handle;
2523
2524 BT_DBG("%s status 0x%02x", hdev->name, status);
2525
2526 if (!skb || skb->len < sizeof(*rp)) {
2527 BT_ERR("%s invalid HCI Read Encryption Key Size response",
2528 hdev->name);
2529 return;
2530 }
2531
2532 rp = (void *)skb->data;
2533 handle = le16_to_cpu(rp->handle);
2534
2535 hci_dev_lock(hdev);
2536
2537 conn = hci_conn_hash_lookup_handle(hdev, handle);
2538 if (!conn)
2539 goto unlock;
2540
2541 /* If we fail to read the encryption key size, assume maximum
2542 * (which is the same we do also when this HCI command isn't
2543 * supported.
2544 */
2545 if (rp->status) {
2546 BT_ERR("%s failed to read key size for handle %u", hdev->name,
2547 handle);
2548 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2549 } else {
2550 conn->enc_key_size = rp->key_size;
2551 }
2552
2553 if (conn->state == BT_CONFIG) {
2554 conn->state = BT_CONNECTED;
2555 hci_connect_cfm(conn, 0);
2556 hci_conn_drop(conn);
2557 } else {
2558 u8 encrypt;
2559
2560 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2561 encrypt = 0x00;
2562 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2563 encrypt = 0x02;
2564 else
2565 encrypt = 0x01;
2566
2567 hci_encrypt_cfm(conn, 0, encrypt);
2568 }
2569
2570unlock:
2571 hci_dev_unlock(hdev);
2572}
2573
2574static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2575{
2576 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2577 struct hci_conn *conn;
2578
2579 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2580
2581 hci_dev_lock(hdev);
2582
2583 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2584 if (!conn)
2585 goto unlock;
2586
2587 if (!ev->status) {
2588 if (ev->encrypt) {
2589 /* Encryption implies authentication */
2590 set_bit(HCI_CONN_AUTH, &conn->flags);
2591 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2592 conn->sec_level = conn->pending_sec_level;
2593
2594 /* P-256 authentication key implies FIPS */
2595 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2596 set_bit(HCI_CONN_FIPS, &conn->flags);
2597
2598 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2599 conn->type == LE_LINK)
2600 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2601 } else {
2602 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2604 }
2605 }
2606
2607 /* We should disregard the current RPA and generate a new one
2608 * whenever the encryption procedure fails.
2609 */
2610 if (ev->status && conn->type == LE_LINK)
2611 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2612
2613 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2614
2615 if (ev->status && conn->state == BT_CONNECTED) {
2616 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2617 hci_conn_drop(conn);
2618 goto unlock;
2619 }
2620
2621 /* In Secure Connections Only mode, do not allow any connections
2622 * that are not encrypted with AES-CCM using a P-256 authenticated
2623 * combination key.
2624 */
2625 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2626 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2627 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2628 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2629 hci_conn_drop(conn);
2630 goto unlock;
2631 }
2632
2633 /* Try reading the encryption key size for encrypted ACL links */
2634 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2635 struct hci_cp_read_enc_key_size cp;
2636 struct hci_request req;
2637
2638 /* Only send HCI_Read_Encryption_Key_Size if the
2639 * controller really supports it. If it doesn't, assume
2640 * the default size (16).
2641 */
2642 if (!(hdev->commands[20] & 0x10)) {
2643 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2644 goto notify;
2645 }
2646
2647 hci_req_init(&req, hdev);
2648
2649 cp.handle = cpu_to_le16(conn->handle);
2650 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2651
2652 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2653 BT_ERR("Sending HCI Read Encryption Key Size failed");
2654 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2655 goto notify;
2656 }
2657
2658 goto unlock;
2659 }
2660
2661notify:
2662 if (conn->state == BT_CONFIG) {
2663 if (!ev->status)
2664 conn->state = BT_CONNECTED;
2665
2666 hci_connect_cfm(conn, ev->status);
2667 hci_conn_drop(conn);
2668 } else
2669 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2670
2671unlock:
2672 hci_dev_unlock(hdev);
2673}
2674
2675static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2676 struct sk_buff *skb)
2677{
2678 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2679 struct hci_conn *conn;
2680
2681 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2682
2683 hci_dev_lock(hdev);
2684
2685 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2686 if (conn) {
2687 if (!ev->status)
2688 set_bit(HCI_CONN_SECURE, &conn->flags);
2689
2690 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2691
2692 hci_key_change_cfm(conn, ev->status);
2693 }
2694
2695 hci_dev_unlock(hdev);
2696}
2697
2698static void hci_remote_features_evt(struct hci_dev *hdev,
2699 struct sk_buff *skb)
2700{
2701 struct hci_ev_remote_features *ev = (void *) skb->data;
2702 struct hci_conn *conn;
2703
2704 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2705
2706 hci_dev_lock(hdev);
2707
2708 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2709 if (!conn)
2710 goto unlock;
2711
2712 if (!ev->status)
2713 memcpy(conn->features[0], ev->features, 8);
2714
2715 if (conn->state != BT_CONFIG)
2716 goto unlock;
2717
2718 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2719 lmp_ext_feat_capable(conn)) {
2720 struct hci_cp_read_remote_ext_features cp;
2721 cp.handle = ev->handle;
2722 cp.page = 0x01;
2723 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2724 sizeof(cp), &cp);
2725 goto unlock;
2726 }
2727
2728 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2729 struct hci_cp_remote_name_req cp;
2730 memset(&cp, 0, sizeof(cp));
2731 bacpy(&cp.bdaddr, &conn->dst);
2732 cp.pscan_rep_mode = 0x02;
2733 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2734 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2735 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2736
2737 if (!hci_outgoing_auth_needed(hdev, conn)) {
2738 conn->state = BT_CONNECTED;
2739 hci_connect_cfm(conn, ev->status);
2740 hci_conn_drop(conn);
2741 }
2742
2743unlock:
2744 hci_dev_unlock(hdev);
2745}
2746
2747static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2748 u16 *opcode, u8 *status,
2749 hci_req_complete_t *req_complete,
2750 hci_req_complete_skb_t *req_complete_skb)
2751{
2752 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2753
2754 *opcode = __le16_to_cpu(ev->opcode);
2755 *status = skb->data[sizeof(*ev)];
2756
2757 skb_pull(skb, sizeof(*ev));
2758
2759 switch (*opcode) {
2760 case HCI_OP_INQUIRY_CANCEL:
2761 hci_cc_inquiry_cancel(hdev, skb);
2762 break;
2763
2764 case HCI_OP_PERIODIC_INQ:
2765 hci_cc_periodic_inq(hdev, skb);
2766 break;
2767
2768 case HCI_OP_EXIT_PERIODIC_INQ:
2769 hci_cc_exit_periodic_inq(hdev, skb);
2770 break;
2771
2772 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2773 hci_cc_remote_name_req_cancel(hdev, skb);
2774 break;
2775
2776 case HCI_OP_ROLE_DISCOVERY:
2777 hci_cc_role_discovery(hdev, skb);
2778 break;
2779
2780 case HCI_OP_READ_LINK_POLICY:
2781 hci_cc_read_link_policy(hdev, skb);
2782 break;
2783
2784 case HCI_OP_WRITE_LINK_POLICY:
2785 hci_cc_write_link_policy(hdev, skb);
2786 break;
2787
2788 case HCI_OP_READ_DEF_LINK_POLICY:
2789 hci_cc_read_def_link_policy(hdev, skb);
2790 break;
2791
2792 case HCI_OP_WRITE_DEF_LINK_POLICY:
2793 hci_cc_write_def_link_policy(hdev, skb);
2794 break;
2795
2796 case HCI_OP_RESET:
2797 hci_cc_reset(hdev, skb);
2798 break;
2799
2800 case HCI_OP_READ_STORED_LINK_KEY:
2801 hci_cc_read_stored_link_key(hdev, skb);
2802 break;
2803
2804 case HCI_OP_DELETE_STORED_LINK_KEY:
2805 hci_cc_delete_stored_link_key(hdev, skb);
2806 break;
2807
2808 case HCI_OP_WRITE_LOCAL_NAME:
2809 hci_cc_write_local_name(hdev, skb);
2810 break;
2811
2812 case HCI_OP_READ_LOCAL_NAME:
2813 hci_cc_read_local_name(hdev, skb);
2814 break;
2815
2816 case HCI_OP_WRITE_AUTH_ENABLE:
2817 hci_cc_write_auth_enable(hdev, skb);
2818 break;
2819
2820 case HCI_OP_WRITE_ENCRYPT_MODE:
2821 hci_cc_write_encrypt_mode(hdev, skb);
2822 break;
2823
2824 case HCI_OP_WRITE_SCAN_ENABLE:
2825 hci_cc_write_scan_enable(hdev, skb);
2826 break;
2827
2828 case HCI_OP_READ_CLASS_OF_DEV:
2829 hci_cc_read_class_of_dev(hdev, skb);
2830 break;
2831
2832 case HCI_OP_WRITE_CLASS_OF_DEV:
2833 hci_cc_write_class_of_dev(hdev, skb);
2834 break;
2835
2836 case HCI_OP_READ_VOICE_SETTING:
2837 hci_cc_read_voice_setting(hdev, skb);
2838 break;
2839
2840 case HCI_OP_WRITE_VOICE_SETTING:
2841 hci_cc_write_voice_setting(hdev, skb);
2842 break;
2843
2844 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2845 hci_cc_read_num_supported_iac(hdev, skb);
2846 break;
2847
2848 case HCI_OP_WRITE_SSP_MODE:
2849 hci_cc_write_ssp_mode(hdev, skb);
2850 break;
2851
2852 case HCI_OP_WRITE_SC_SUPPORT:
2853 hci_cc_write_sc_support(hdev, skb);
2854 break;
2855
2856 case HCI_OP_READ_LOCAL_VERSION:
2857 hci_cc_read_local_version(hdev, skb);
2858 break;
2859
2860 case HCI_OP_READ_LOCAL_COMMANDS:
2861 hci_cc_read_local_commands(hdev, skb);
2862 break;
2863
2864 case HCI_OP_READ_LOCAL_FEATURES:
2865 hci_cc_read_local_features(hdev, skb);
2866 break;
2867
2868 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2869 hci_cc_read_local_ext_features(hdev, skb);
2870 break;
2871
2872 case HCI_OP_READ_BUFFER_SIZE:
2873 hci_cc_read_buffer_size(hdev, skb);
2874 break;
2875
2876 case HCI_OP_READ_BD_ADDR:
2877 hci_cc_read_bd_addr(hdev, skb);
2878 break;
2879
2880 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2881 hci_cc_read_page_scan_activity(hdev, skb);
2882 break;
2883
2884 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2885 hci_cc_write_page_scan_activity(hdev, skb);
2886 break;
2887
2888 case HCI_OP_READ_PAGE_SCAN_TYPE:
2889 hci_cc_read_page_scan_type(hdev, skb);
2890 break;
2891
2892 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2893 hci_cc_write_page_scan_type(hdev, skb);
2894 break;
2895
2896 case HCI_OP_READ_DATA_BLOCK_SIZE:
2897 hci_cc_read_data_block_size(hdev, skb);
2898 break;
2899
2900 case HCI_OP_READ_FLOW_CONTROL_MODE:
2901 hci_cc_read_flow_control_mode(hdev, skb);
2902 break;
2903
2904 case HCI_OP_READ_LOCAL_AMP_INFO:
2905 hci_cc_read_local_amp_info(hdev, skb);
2906 break;
2907
2908 case HCI_OP_READ_CLOCK:
2909 hci_cc_read_clock(hdev, skb);
2910 break;
2911
2912 case HCI_OP_READ_INQ_RSP_TX_POWER:
2913 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2914 break;
2915
2916 case HCI_OP_PIN_CODE_REPLY:
2917 hci_cc_pin_code_reply(hdev, skb);
2918 break;
2919
2920 case HCI_OP_PIN_CODE_NEG_REPLY:
2921 hci_cc_pin_code_neg_reply(hdev, skb);
2922 break;
2923
2924 case HCI_OP_READ_LOCAL_OOB_DATA:
2925 hci_cc_read_local_oob_data(hdev, skb);
2926 break;
2927
2928 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2929 hci_cc_read_local_oob_ext_data(hdev, skb);
2930 break;
2931
2932 case HCI_OP_LE_READ_BUFFER_SIZE:
2933 hci_cc_le_read_buffer_size(hdev, skb);
2934 break;
2935
2936 case HCI_OP_LE_READ_LOCAL_FEATURES:
2937 hci_cc_le_read_local_features(hdev, skb);
2938 break;
2939
2940 case HCI_OP_LE_READ_ADV_TX_POWER:
2941 hci_cc_le_read_adv_tx_power(hdev, skb);
2942 break;
2943
2944 case HCI_OP_USER_CONFIRM_REPLY:
2945 hci_cc_user_confirm_reply(hdev, skb);
2946 break;
2947
2948 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2949 hci_cc_user_confirm_neg_reply(hdev, skb);
2950 break;
2951
2952 case HCI_OP_USER_PASSKEY_REPLY:
2953 hci_cc_user_passkey_reply(hdev, skb);
2954 break;
2955
2956 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2957 hci_cc_user_passkey_neg_reply(hdev, skb);
2958 break;
2959
2960 case HCI_OP_LE_SET_RANDOM_ADDR:
2961 hci_cc_le_set_random_addr(hdev, skb);
2962 break;
2963
2964 case HCI_OP_LE_SET_ADV_ENABLE:
2965 hci_cc_le_set_adv_enable(hdev, skb);
2966 break;
2967
2968 case HCI_OP_LE_SET_SCAN_PARAM:
2969 hci_cc_le_set_scan_param(hdev, skb);
2970 break;
2971
2972 case HCI_OP_LE_SET_SCAN_ENABLE:
2973 hci_cc_le_set_scan_enable(hdev, skb);
2974 break;
2975
2976 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2977 hci_cc_le_read_white_list_size(hdev, skb);
2978 break;
2979
2980 case HCI_OP_LE_CLEAR_WHITE_LIST:
2981 hci_cc_le_clear_white_list(hdev, skb);
2982 break;
2983
2984 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2985 hci_cc_le_add_to_white_list(hdev, skb);
2986 break;
2987
2988 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2989 hci_cc_le_del_from_white_list(hdev, skb);
2990 break;
2991
2992 case HCI_OP_LE_READ_SUPPORTED_STATES:
2993 hci_cc_le_read_supported_states(hdev, skb);
2994 break;
2995
2996 case HCI_OP_LE_READ_DEF_DATA_LEN:
2997 hci_cc_le_read_def_data_len(hdev, skb);
2998 break;
2999
3000 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3001 hci_cc_le_write_def_data_len(hdev, skb);
3002 break;
3003
3004 case HCI_OP_LE_READ_MAX_DATA_LEN:
3005 hci_cc_le_read_max_data_len(hdev, skb);
3006 break;
3007
3008 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3009 hci_cc_write_le_host_supported(hdev, skb);
3010 break;
3011
3012 case HCI_OP_LE_SET_ADV_PARAM:
3013 hci_cc_set_adv_param(hdev, skb);
3014 break;
3015
3016 case HCI_OP_READ_RSSI:
3017 hci_cc_read_rssi(hdev, skb);
3018 break;
3019
3020 case HCI_OP_READ_TX_POWER:
3021 hci_cc_read_tx_power(hdev, skb);
3022 break;
3023
3024 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3025 hci_cc_write_ssp_debug_mode(hdev, skb);
3026 break;
3027
3028 default:
3029 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3030 break;
3031 }
3032
3033 if (*opcode != HCI_OP_NOP)
3034 cancel_delayed_work(&hdev->cmd_timer);
3035
3036 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3037 atomic_set(&hdev->cmd_cnt, 1);
3038
3039 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3040 req_complete_skb);
3041
3042 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3043 queue_work(hdev->workqueue, &hdev->cmd_work);
3044}
3045
3046static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3047 u16 *opcode, u8 *status,
3048 hci_req_complete_t *req_complete,
3049 hci_req_complete_skb_t *req_complete_skb)
3050{
3051 struct hci_ev_cmd_status *ev = (void *) skb->data;
3052
3053 skb_pull(skb, sizeof(*ev));
3054
3055 *opcode = __le16_to_cpu(ev->opcode);
3056 *status = ev->status;
3057
3058 switch (*opcode) {
3059 case HCI_OP_INQUIRY:
3060 hci_cs_inquiry(hdev, ev->status);
3061 break;
3062
3063 case HCI_OP_CREATE_CONN:
3064 hci_cs_create_conn(hdev, ev->status);
3065 break;
3066
3067 case HCI_OP_DISCONNECT:
3068 hci_cs_disconnect(hdev, ev->status);
3069 break;
3070
3071 case HCI_OP_ADD_SCO:
3072 hci_cs_add_sco(hdev, ev->status);
3073 break;
3074
3075 case HCI_OP_AUTH_REQUESTED:
3076 hci_cs_auth_requested(hdev, ev->status);
3077 break;
3078
3079 case HCI_OP_SET_CONN_ENCRYPT:
3080 hci_cs_set_conn_encrypt(hdev, ev->status);
3081 break;
3082
3083 case HCI_OP_REMOTE_NAME_REQ:
3084 hci_cs_remote_name_req(hdev, ev->status);
3085 break;
3086
3087 case HCI_OP_READ_REMOTE_FEATURES:
3088 hci_cs_read_remote_features(hdev, ev->status);
3089 break;
3090
3091 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3092 hci_cs_read_remote_ext_features(hdev, ev->status);
3093 break;
3094
3095 case HCI_OP_SETUP_SYNC_CONN:
3096 hci_cs_setup_sync_conn(hdev, ev->status);
3097 break;
3098
3099 case HCI_OP_SNIFF_MODE:
3100 hci_cs_sniff_mode(hdev, ev->status);
3101 break;
3102
3103 case HCI_OP_EXIT_SNIFF_MODE:
3104 hci_cs_exit_sniff_mode(hdev, ev->status);
3105 break;
3106
3107 case HCI_OP_SWITCH_ROLE:
3108 hci_cs_switch_role(hdev, ev->status);
3109 break;
3110
3111 case HCI_OP_LE_CREATE_CONN:
3112 hci_cs_le_create_conn(hdev, ev->status);
3113 break;
3114
3115 case HCI_OP_LE_READ_REMOTE_FEATURES:
3116 hci_cs_le_read_remote_features(hdev, ev->status);
3117 break;
3118
3119 case HCI_OP_LE_START_ENC:
3120 hci_cs_le_start_enc(hdev, ev->status);
3121 break;
3122
3123 default:
3124 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3125 break;
3126 }
3127
3128 if (*opcode != HCI_OP_NOP)
3129 cancel_delayed_work(&hdev->cmd_timer);
3130
3131 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3132 atomic_set(&hdev->cmd_cnt, 1);
3133
3134 /* Indicate request completion if the command failed. Also, if
3135 * we're not waiting for a special event and we get a success
3136 * command status we should try to flag the request as completed
3137 * (since for this kind of commands there will not be a command
3138 * complete event).
3139 */
3140 if (ev->status ||
3141 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3142 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3143 req_complete_skb);
3144
3145 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3146 queue_work(hdev->workqueue, &hdev->cmd_work);
3147}
3148
3149static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3150{
3151 struct hci_ev_hardware_error *ev = (void *) skb->data;
3152
3153 hdev->hw_error_code = ev->code;
3154
3155 queue_work(hdev->req_workqueue, &hdev->error_reset);
3156}
3157
3158static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3159{
3160 struct hci_ev_role_change *ev = (void *) skb->data;
3161 struct hci_conn *conn;
3162
3163 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3164
3165 hci_dev_lock(hdev);
3166
3167 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3168 if (conn) {
3169 if (!ev->status)
3170 conn->role = ev->role;
3171
3172 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3173
3174 hci_role_switch_cfm(conn, ev->status, ev->role);
3175 }
3176
3177 hci_dev_unlock(hdev);
3178}
3179
3180static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3181{
3182 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3183 int i;
3184
3185 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3186 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3187 return;
3188 }
3189
3190 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3191 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3192 BT_DBG("%s bad parameters", hdev->name);
3193 return;
3194 }
3195
3196 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3197
3198 for (i = 0; i < ev->num_hndl; i++) {
3199 struct hci_comp_pkts_info *info = &ev->handles[i];
3200 struct hci_conn *conn;
3201 __u16 handle, count;
3202
3203 handle = __le16_to_cpu(info->handle);
3204 count = __le16_to_cpu(info->count);
3205
3206 conn = hci_conn_hash_lookup_handle(hdev, handle);
3207 if (!conn)
3208 continue;
3209
3210 conn->sent -= count;
3211
3212 switch (conn->type) {
3213 case ACL_LINK:
3214 hdev->acl_cnt += count;
3215 if (hdev->acl_cnt > hdev->acl_pkts)
3216 hdev->acl_cnt = hdev->acl_pkts;
3217 break;
3218
3219 case LE_LINK:
3220 if (hdev->le_pkts) {
3221 hdev->le_cnt += count;
3222 if (hdev->le_cnt > hdev->le_pkts)
3223 hdev->le_cnt = hdev->le_pkts;
3224 } else {
3225 hdev->acl_cnt += count;
3226 if (hdev->acl_cnt > hdev->acl_pkts)
3227 hdev->acl_cnt = hdev->acl_pkts;
3228 }
3229 break;
3230
3231 case SCO_LINK:
3232 hdev->sco_cnt += count;
3233 if (hdev->sco_cnt > hdev->sco_pkts)
3234 hdev->sco_cnt = hdev->sco_pkts;
3235 break;
3236
3237 default:
3238 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3239 break;
3240 }
3241 }
3242
3243 queue_work(hdev->workqueue, &hdev->tx_work);
3244}
3245
3246static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3247 __u16 handle)
3248{
3249 struct hci_chan *chan;
3250
3251 switch (hdev->dev_type) {
3252 case HCI_BREDR:
3253 return hci_conn_hash_lookup_handle(hdev, handle);
3254 case HCI_AMP:
3255 chan = hci_chan_lookup_handle(hdev, handle);
3256 if (chan)
3257 return chan->conn;
3258 break;
3259 default:
3260 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3261 break;
3262 }
3263
3264 return NULL;
3265}
3266
3267static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3268{
3269 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3270 int i;
3271
3272 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3273 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3274 return;
3275 }
3276
3277 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3278 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3279 BT_DBG("%s bad parameters", hdev->name);
3280 return;
3281 }
3282
3283 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3284 ev->num_hndl);
3285
3286 for (i = 0; i < ev->num_hndl; i++) {
3287 struct hci_comp_blocks_info *info = &ev->handles[i];
3288 struct hci_conn *conn = NULL;
3289 __u16 handle, block_count;
3290
3291 handle = __le16_to_cpu(info->handle);
3292 block_count = __le16_to_cpu(info->blocks);
3293
3294 conn = __hci_conn_lookup_handle(hdev, handle);
3295 if (!conn)
3296 continue;
3297
3298 conn->sent -= block_count;
3299
3300 switch (conn->type) {
3301 case ACL_LINK:
3302 case AMP_LINK:
3303 hdev->block_cnt += block_count;
3304 if (hdev->block_cnt > hdev->num_blocks)
3305 hdev->block_cnt = hdev->num_blocks;
3306 break;
3307
3308 default:
3309 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3310 break;
3311 }
3312 }
3313
3314 queue_work(hdev->workqueue, &hdev->tx_work);
3315}
3316
3317static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3318{
3319 struct hci_ev_mode_change *ev = (void *) skb->data;
3320 struct hci_conn *conn;
3321
3322 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3323
3324 hci_dev_lock(hdev);
3325
3326 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3327 if (conn) {
3328 conn->mode = ev->mode;
3329
3330 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3331 &conn->flags)) {
3332 if (conn->mode == HCI_CM_ACTIVE)
3333 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3334 else
3335 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3336 }
3337
3338 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3339 hci_sco_setup(conn, ev->status);
3340 }
3341
3342 hci_dev_unlock(hdev);
3343}
3344
3345static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3346{
3347 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3348 struct hci_conn *conn;
3349
3350 BT_DBG("%s", hdev->name);
3351
3352 hci_dev_lock(hdev);
3353
3354 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3355 if (!conn)
3356 goto unlock;
3357
3358 if (conn->state == BT_CONNECTED) {
3359 hci_conn_hold(conn);
3360 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3361 hci_conn_drop(conn);
3362 }
3363
3364 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3365 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3366 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3367 sizeof(ev->bdaddr), &ev->bdaddr);
3368 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3369 u8 secure;
3370
3371 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3372 secure = 1;
3373 else
3374 secure = 0;
3375
3376 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3377 }
3378
3379unlock:
3380 hci_dev_unlock(hdev);
3381}
3382
3383static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3384{
3385 if (key_type == HCI_LK_CHANGED_COMBINATION)
3386 return;
3387
3388 conn->pin_length = pin_len;
3389 conn->key_type = key_type;
3390
3391 switch (key_type) {
3392 case HCI_LK_LOCAL_UNIT:
3393 case HCI_LK_REMOTE_UNIT:
3394 case HCI_LK_DEBUG_COMBINATION:
3395 return;
3396 case HCI_LK_COMBINATION:
3397 if (pin_len == 16)
3398 conn->pending_sec_level = BT_SECURITY_HIGH;
3399 else
3400 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3401 break;
3402 case HCI_LK_UNAUTH_COMBINATION_P192:
3403 case HCI_LK_UNAUTH_COMBINATION_P256:
3404 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3405 break;
3406 case HCI_LK_AUTH_COMBINATION_P192:
3407 conn->pending_sec_level = BT_SECURITY_HIGH;
3408 break;
3409 case HCI_LK_AUTH_COMBINATION_P256:
3410 conn->pending_sec_level = BT_SECURITY_FIPS;
3411 break;
3412 }
3413}
3414
3415static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3416{
3417 struct hci_ev_link_key_req *ev = (void *) skb->data;
3418 struct hci_cp_link_key_reply cp;
3419 struct hci_conn *conn;
3420 struct link_key *key;
3421
3422 BT_DBG("%s", hdev->name);
3423
3424 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3425 return;
3426
3427 hci_dev_lock(hdev);
3428
3429 key = hci_find_link_key(hdev, &ev->bdaddr);
3430 if (!key) {
3431 BT_DBG("%s link key not found for %pMR", hdev->name,
3432 &ev->bdaddr);
3433 goto not_found;
3434 }
3435
3436 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3437 &ev->bdaddr);
3438
3439 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3440 if (conn) {
3441 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3442
3443 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3444 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3445 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3446 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3447 goto not_found;
3448 }
3449
3450 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3451 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3452 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3453 BT_DBG("%s ignoring key unauthenticated for high security",
3454 hdev->name);
3455 goto not_found;
3456 }
3457
3458 conn_set_key(conn, key->type, key->pin_len);
3459 }
3460
3461 bacpy(&cp.bdaddr, &ev->bdaddr);
3462 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3463
3464 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3465
3466 hci_dev_unlock(hdev);
3467
3468 return;
3469
3470not_found:
3471 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3472 hci_dev_unlock(hdev);
3473}
3474
3475static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3476{
3477 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3478 struct hci_conn *conn;
3479 struct link_key *key;
3480 bool persistent;
3481 u8 pin_len = 0;
3482
3483 BT_DBG("%s", hdev->name);
3484
3485 hci_dev_lock(hdev);
3486
3487 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3488 if (!conn)
3489 goto unlock;
3490
3491 hci_conn_hold(conn);
3492 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3493 hci_conn_drop(conn);
3494
3495 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3496 conn_set_key(conn, ev->key_type, conn->pin_length);
3497
3498 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3499 goto unlock;
3500
3501 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3502 ev->key_type, pin_len, &persistent);
3503 if (!key)
3504 goto unlock;
3505
3506 /* Update connection information since adding the key will have
3507 * fixed up the type in the case of changed combination keys.
3508 */
3509 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3510 conn_set_key(conn, key->type, key->pin_len);
3511
3512 mgmt_new_link_key(hdev, key, persistent);
3513
3514 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3515 * is set. If it's not set simply remove the key from the kernel
3516 * list (we've still notified user space about it but with
3517 * store_hint being 0).
3518 */
3519 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3520 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3521 list_del_rcu(&key->list);
3522 kfree_rcu(key, rcu);
3523 goto unlock;
3524 }
3525
3526 if (persistent)
3527 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3528 else
3529 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3530
3531unlock:
3532 hci_dev_unlock(hdev);
3533}
3534
3535static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3536{
3537 struct hci_ev_clock_offset *ev = (void *) skb->data;
3538 struct hci_conn *conn;
3539
3540 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3541
3542 hci_dev_lock(hdev);
3543
3544 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3545 if (conn && !ev->status) {
3546 struct inquiry_entry *ie;
3547
3548 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3549 if (ie) {
3550 ie->data.clock_offset = ev->clock_offset;
3551 ie->timestamp = jiffies;
3552 }
3553 }
3554
3555 hci_dev_unlock(hdev);
3556}
3557
3558static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3559{
3560 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3561 struct hci_conn *conn;
3562
3563 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3564
3565 hci_dev_lock(hdev);
3566
3567 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3568 if (conn && !ev->status)
3569 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3570
3571 hci_dev_unlock(hdev);
3572}
3573
3574static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3575{
3576 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3577 struct inquiry_entry *ie;
3578
3579 BT_DBG("%s", hdev->name);
3580
3581 hci_dev_lock(hdev);
3582
3583 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3584 if (ie) {
3585 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3586 ie->timestamp = jiffies;
3587 }
3588
3589 hci_dev_unlock(hdev);
3590}
3591
3592static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3593 struct sk_buff *skb)
3594{
3595 struct inquiry_data data;
3596 int num_rsp = *((__u8 *) skb->data);
3597
3598 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3599
3600 if (!num_rsp)
3601 return;
3602
3603 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3604 return;
3605
3606 hci_dev_lock(hdev);
3607
3608 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3609 struct inquiry_info_with_rssi_and_pscan_mode *info;
3610 info = (void *) (skb->data + 1);
3611
3612 for (; num_rsp; num_rsp--, info++) {
3613 u32 flags;
3614
3615 bacpy(&data.bdaddr, &info->bdaddr);
3616 data.pscan_rep_mode = info->pscan_rep_mode;
3617 data.pscan_period_mode = info->pscan_period_mode;
3618 data.pscan_mode = info->pscan_mode;
3619 memcpy(data.dev_class, info->dev_class, 3);
3620 data.clock_offset = info->clock_offset;
3621 data.rssi = info->rssi;
3622 data.ssp_mode = 0x00;
3623
3624 flags = hci_inquiry_cache_update(hdev, &data, false);
3625
3626 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3627 info->dev_class, info->rssi,
3628 flags, NULL, 0, NULL, 0);
3629 }
3630 } else {
3631 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3632
3633 for (; num_rsp; num_rsp--, info++) {
3634 u32 flags;
3635
3636 bacpy(&data.bdaddr, &info->bdaddr);
3637 data.pscan_rep_mode = info->pscan_rep_mode;
3638 data.pscan_period_mode = info->pscan_period_mode;
3639 data.pscan_mode = 0x00;
3640 memcpy(data.dev_class, info->dev_class, 3);
3641 data.clock_offset = info->clock_offset;
3642 data.rssi = info->rssi;
3643 data.ssp_mode = 0x00;
3644
3645 flags = hci_inquiry_cache_update(hdev, &data, false);
3646
3647 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3648 info->dev_class, info->rssi,
3649 flags, NULL, 0, NULL, 0);
3650 }
3651 }
3652
3653 hci_dev_unlock(hdev);
3654}
3655
3656static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3657 struct sk_buff *skb)
3658{
3659 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3660 struct hci_conn *conn;
3661
3662 BT_DBG("%s", hdev->name);
3663
3664 hci_dev_lock(hdev);
3665
3666 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3667 if (!conn)
3668 goto unlock;
3669
3670 if (ev->page < HCI_MAX_PAGES)
3671 memcpy(conn->features[ev->page], ev->features, 8);
3672
3673 if (!ev->status && ev->page == 0x01) {
3674 struct inquiry_entry *ie;
3675
3676 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3677 if (ie)
3678 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3679
3680 if (ev->features[0] & LMP_HOST_SSP) {
3681 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3682 } else {
3683 /* It is mandatory by the Bluetooth specification that
3684 * Extended Inquiry Results are only used when Secure
3685 * Simple Pairing is enabled, but some devices violate
3686 * this.
3687 *
3688 * To make these devices work, the internal SSP
3689 * enabled flag needs to be cleared if the remote host
3690 * features do not indicate SSP support */
3691 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3692 }
3693
3694 if (ev->features[0] & LMP_HOST_SC)
3695 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3696 }
3697
3698 if (conn->state != BT_CONFIG)
3699 goto unlock;
3700
3701 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3702 struct hci_cp_remote_name_req cp;
3703 memset(&cp, 0, sizeof(cp));
3704 bacpy(&cp.bdaddr, &conn->dst);
3705 cp.pscan_rep_mode = 0x02;
3706 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3707 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3708 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3709
3710 if (!hci_outgoing_auth_needed(hdev, conn)) {
3711 conn->state = BT_CONNECTED;
3712 hci_connect_cfm(conn, ev->status);
3713 hci_conn_drop(conn);
3714 }
3715
3716unlock:
3717 hci_dev_unlock(hdev);
3718}
3719
3720static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3721 struct sk_buff *skb)
3722{
3723 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3724 struct hci_conn *conn;
3725
3726 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3727
3728 hci_dev_lock(hdev);
3729
3730 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3731 if (!conn) {
3732 if (ev->link_type == ESCO_LINK)
3733 goto unlock;
3734
3735 /* When the link type in the event indicates SCO connection
3736 * and lookup of the connection object fails, then check
3737 * if an eSCO connection object exists.
3738 *
3739 * The core limits the synchronous connections to either
3740 * SCO or eSCO. The eSCO connection is preferred and tried
3741 * to be setup first and until successfully established,
3742 * the link type will be hinted as eSCO.
3743 */
3744 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3745 if (!conn)
3746 goto unlock;
3747 }
3748
3749 switch (ev->status) {
3750 case 0x00:
3751 conn->handle = __le16_to_cpu(ev->handle);
3752 conn->state = BT_CONNECTED;
3753 conn->type = ev->link_type;
3754
3755 hci_debugfs_create_conn(conn);
3756 hci_conn_add_sysfs(conn);
3757 break;
3758
3759 case 0x10: /* Connection Accept Timeout */
3760 case 0x0d: /* Connection Rejected due to Limited Resources */
3761 case 0x11: /* Unsupported Feature or Parameter Value */
3762 case 0x1c: /* SCO interval rejected */
3763 case 0x1a: /* Unsupported Remote Feature */
3764 case 0x1f: /* Unspecified error */
3765 case 0x20: /* Unsupported LMP Parameter value */
3766 if (conn->out) {
3767 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3768 (hdev->esco_type & EDR_ESCO_MASK);
3769 if (hci_setup_sync(conn, conn->link->handle))
3770 goto unlock;
3771 }
3772 /* fall through */
3773
3774 default:
3775 conn->state = BT_CLOSED;
3776 break;
3777 }
3778
3779 hci_connect_cfm(conn, ev->status);
3780 if (ev->status)
3781 hci_conn_del(conn);
3782
3783unlock:
3784 hci_dev_unlock(hdev);
3785}
3786
3787static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3788{
3789 size_t parsed = 0;
3790
3791 while (parsed < eir_len) {
3792 u8 field_len = eir[0];
3793
3794 if (field_len == 0)
3795 return parsed;
3796
3797 parsed += field_len + 1;
3798 eir += field_len + 1;
3799 }
3800
3801 return eir_len;
3802}
3803
3804static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3805 struct sk_buff *skb)
3806{
3807 struct inquiry_data data;
3808 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3809 int num_rsp = *((__u8 *) skb->data);
3810 size_t eir_len;
3811
3812 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3813
3814 if (!num_rsp)
3815 return;
3816
3817 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3818 return;
3819
3820 hci_dev_lock(hdev);
3821
3822 for (; num_rsp; num_rsp--, info++) {
3823 u32 flags;
3824 bool name_known;
3825
3826 bacpy(&data.bdaddr, &info->bdaddr);
3827 data.pscan_rep_mode = info->pscan_rep_mode;
3828 data.pscan_period_mode = info->pscan_period_mode;
3829 data.pscan_mode = 0x00;
3830 memcpy(data.dev_class, info->dev_class, 3);
3831 data.clock_offset = info->clock_offset;
3832 data.rssi = info->rssi;
3833 data.ssp_mode = 0x01;
3834
3835 if (hci_dev_test_flag(hdev, HCI_MGMT))
3836 name_known = eir_get_data(info->data,
3837 sizeof(info->data),
3838 EIR_NAME_COMPLETE, NULL);
3839 else
3840 name_known = true;
3841
3842 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3843
3844 eir_len = eir_get_length(info->data, sizeof(info->data));
3845
3846 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3847 info->dev_class, info->rssi,
3848 flags, info->data, eir_len, NULL, 0);
3849 }
3850
3851 hci_dev_unlock(hdev);
3852}
3853
3854static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3855 struct sk_buff *skb)
3856{
3857 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3858 struct hci_conn *conn;
3859
3860 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3861 __le16_to_cpu(ev->handle));
3862
3863 hci_dev_lock(hdev);
3864
3865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3866 if (!conn)
3867 goto unlock;
3868
3869 /* For BR/EDR the necessary steps are taken through the
3870 * auth_complete event.
3871 */
3872 if (conn->type != LE_LINK)
3873 goto unlock;
3874
3875 if (!ev->status)
3876 conn->sec_level = conn->pending_sec_level;
3877
3878 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3879
3880 if (ev->status && conn->state == BT_CONNECTED) {
3881 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3882 hci_conn_drop(conn);
3883 goto unlock;
3884 }
3885
3886 if (conn->state == BT_CONFIG) {
3887 if (!ev->status)
3888 conn->state = BT_CONNECTED;
3889
3890 hci_connect_cfm(conn, ev->status);
3891 hci_conn_drop(conn);
3892 } else {
3893 hci_auth_cfm(conn, ev->status);
3894
3895 hci_conn_hold(conn);
3896 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3897 hci_conn_drop(conn);
3898 }
3899
3900unlock:
3901 hci_dev_unlock(hdev);
3902}
3903
3904static u8 hci_get_auth_req(struct hci_conn *conn)
3905{
3906 /* If remote requests no-bonding follow that lead */
3907 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3908 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3909 return conn->remote_auth | (conn->auth_type & 0x01);
3910
3911 /* If both remote and local have enough IO capabilities, require
3912 * MITM protection
3913 */
3914 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3915 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3916 return conn->remote_auth | 0x01;
3917
3918 /* No MITM protection possible so ignore remote requirement */
3919 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3920}
3921
3922static u8 bredr_oob_data_present(struct hci_conn *conn)
3923{
3924 struct hci_dev *hdev = conn->hdev;
3925 struct oob_data *data;
3926
3927 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3928 if (!data)
3929 return 0x00;
3930
3931 if (bredr_sc_enabled(hdev)) {
3932 /* When Secure Connections is enabled, then just
3933 * return the present value stored with the OOB
3934 * data. The stored value contains the right present
3935 * information. However it can only be trusted when
3936 * not in Secure Connection Only mode.
3937 */
3938 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3939 return data->present;
3940
3941 /* When Secure Connections Only mode is enabled, then
3942 * the P-256 values are required. If they are not
3943 * available, then do not declare that OOB data is
3944 * present.
3945 */
3946 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3947 !memcmp(data->hash256, ZERO_KEY, 16))
3948 return 0x00;
3949
3950 return 0x02;
3951 }
3952
3953 /* When Secure Connections is not enabled or actually
3954 * not supported by the hardware, then check that if
3955 * P-192 data values are present.
3956 */
3957 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3958 !memcmp(data->hash192, ZERO_KEY, 16))
3959 return 0x00;
3960
3961 return 0x01;
3962}
3963
3964static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3965{
3966 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3967 struct hci_conn *conn;
3968
3969 BT_DBG("%s", hdev->name);
3970
3971 hci_dev_lock(hdev);
3972
3973 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3974 if (!conn)
3975 goto unlock;
3976
3977 hci_conn_hold(conn);
3978
3979 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3980 goto unlock;
3981
3982 /* Allow pairing if we're pairable, the initiators of the
3983 * pairing or if the remote is not requesting bonding.
3984 */
3985 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3986 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3987 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3988 struct hci_cp_io_capability_reply cp;
3989
3990 bacpy(&cp.bdaddr, &ev->bdaddr);
3991 /* Change the IO capability from KeyboardDisplay
3992 * to DisplayYesNo as it is not supported by BT spec. */
3993 cp.capability = (conn->io_capability == 0x04) ?
3994 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3995
3996 /* If we are initiators, there is no remote information yet */
3997 if (conn->remote_auth == 0xff) {
3998 /* Request MITM protection if our IO caps allow it
3999 * except for the no-bonding case.
4000 */
4001 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4002 conn->auth_type != HCI_AT_NO_BONDING)
4003 conn->auth_type |= 0x01;
4004 } else {
4005 conn->auth_type = hci_get_auth_req(conn);
4006 }
4007
4008 /* If we're not bondable, force one of the non-bondable
4009 * authentication requirement values.
4010 */
4011 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4012 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4013
4014 cp.authentication = conn->auth_type;
4015 cp.oob_data = bredr_oob_data_present(conn);
4016
4017 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4018 sizeof(cp), &cp);
4019 } else {
4020 struct hci_cp_io_capability_neg_reply cp;
4021
4022 bacpy(&cp.bdaddr, &ev->bdaddr);
4023 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4024
4025 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4026 sizeof(cp), &cp);
4027 }
4028
4029unlock:
4030 hci_dev_unlock(hdev);
4031}
4032
4033static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4034{
4035 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4036 struct hci_conn *conn;
4037
4038 BT_DBG("%s", hdev->name);
4039
4040 hci_dev_lock(hdev);
4041
4042 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4043 if (!conn)
4044 goto unlock;
4045
4046 conn->remote_cap = ev->capability;
4047 conn->remote_auth = ev->authentication;
4048
4049unlock:
4050 hci_dev_unlock(hdev);
4051}
4052
4053static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4054 struct sk_buff *skb)
4055{
4056 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4057 int loc_mitm, rem_mitm, confirm_hint = 0;
4058 struct hci_conn *conn;
4059
4060 BT_DBG("%s", hdev->name);
4061
4062 hci_dev_lock(hdev);
4063
4064 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4065 goto unlock;
4066
4067 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4068 if (!conn)
4069 goto unlock;
4070
4071 loc_mitm = (conn->auth_type & 0x01);
4072 rem_mitm = (conn->remote_auth & 0x01);
4073
4074 /* If we require MITM but the remote device can't provide that
4075 * (it has NoInputNoOutput) then reject the confirmation
4076 * request. We check the security level here since it doesn't
4077 * necessarily match conn->auth_type.
4078 */
4079 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4080 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4081 BT_DBG("Rejecting request: remote device can't provide MITM");
4082 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4083 sizeof(ev->bdaddr), &ev->bdaddr);
4084 goto unlock;
4085 }
4086
4087 /* If no side requires MITM protection; auto-accept */
4088 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4089 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4090
4091 /* If we're not the initiators request authorization to
4092 * proceed from user space (mgmt_user_confirm with
4093 * confirm_hint set to 1). The exception is if neither
4094 * side had MITM or if the local IO capability is
4095 * NoInputNoOutput, in which case we do auto-accept
4096 */
4097 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4098 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4099 (loc_mitm || rem_mitm)) {
4100 BT_DBG("Confirming auto-accept as acceptor");
4101 confirm_hint = 1;
4102 goto confirm;
4103 }
4104
4105 BT_DBG("Auto-accept of user confirmation with %ums delay",
4106 hdev->auto_accept_delay);
4107
4108 if (hdev->auto_accept_delay > 0) {
4109 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4110 queue_delayed_work(conn->hdev->workqueue,
4111 &conn->auto_accept_work, delay);
4112 goto unlock;
4113 }
4114
4115 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4116 sizeof(ev->bdaddr), &ev->bdaddr);
4117 goto unlock;
4118 }
4119
4120confirm:
4121 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4122 le32_to_cpu(ev->passkey), confirm_hint);
4123
4124unlock:
4125 hci_dev_unlock(hdev);
4126}
4127
4128static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4129 struct sk_buff *skb)
4130{
4131 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4132
4133 BT_DBG("%s", hdev->name);
4134
4135 if (hci_dev_test_flag(hdev, HCI_MGMT))
4136 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4137}
4138
4139static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4140 struct sk_buff *skb)
4141{
4142 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4143 struct hci_conn *conn;
4144
4145 BT_DBG("%s", hdev->name);
4146
4147 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4148 if (!conn)
4149 return;
4150
4151 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4152 conn->passkey_entered = 0;
4153
4154 if (hci_dev_test_flag(hdev, HCI_MGMT))
4155 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4156 conn->dst_type, conn->passkey_notify,
4157 conn->passkey_entered);
4158}
4159
4160static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4161{
4162 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4163 struct hci_conn *conn;
4164
4165 BT_DBG("%s", hdev->name);
4166
4167 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4168 if (!conn)
4169 return;
4170
4171 switch (ev->type) {
4172 case HCI_KEYPRESS_STARTED:
4173 conn->passkey_entered = 0;
4174 return;
4175
4176 case HCI_KEYPRESS_ENTERED:
4177 conn->passkey_entered++;
4178 break;
4179
4180 case HCI_KEYPRESS_ERASED:
4181 conn->passkey_entered--;
4182 break;
4183
4184 case HCI_KEYPRESS_CLEARED:
4185 conn->passkey_entered = 0;
4186 break;
4187
4188 case HCI_KEYPRESS_COMPLETED:
4189 return;
4190 }
4191
4192 if (hci_dev_test_flag(hdev, HCI_MGMT))
4193 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4194 conn->dst_type, conn->passkey_notify,
4195 conn->passkey_entered);
4196}
4197
4198static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4199 struct sk_buff *skb)
4200{
4201 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4202 struct hci_conn *conn;
4203
4204 BT_DBG("%s", hdev->name);
4205
4206 hci_dev_lock(hdev);
4207
4208 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4209 if (!conn)
4210 goto unlock;
4211
4212 /* Reset the authentication requirement to unknown */
4213 conn->remote_auth = 0xff;
4214
4215 /* To avoid duplicate auth_failed events to user space we check
4216 * the HCI_CONN_AUTH_PEND flag which will be set if we
4217 * initiated the authentication. A traditional auth_complete
4218 * event gets always produced as initiator and is also mapped to
4219 * the mgmt_auth_failed event */
4220 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4221 mgmt_auth_failed(conn, ev->status);
4222
4223 hci_conn_drop(conn);
4224
4225unlock:
4226 hci_dev_unlock(hdev);
4227}
4228
4229static void hci_remote_host_features_evt(struct hci_dev *hdev,
4230 struct sk_buff *skb)
4231{
4232 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4233 struct inquiry_entry *ie;
4234 struct hci_conn *conn;
4235
4236 BT_DBG("%s", hdev->name);
4237
4238 hci_dev_lock(hdev);
4239
4240 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4241 if (conn)
4242 memcpy(conn->features[1], ev->features, 8);
4243
4244 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4245 if (ie)
4246 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4247
4248 hci_dev_unlock(hdev);
4249}
4250
4251static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4252 struct sk_buff *skb)
4253{
4254 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4255 struct oob_data *data;
4256
4257 BT_DBG("%s", hdev->name);
4258
4259 hci_dev_lock(hdev);
4260
4261 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4262 goto unlock;
4263
4264 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4265 if (!data) {
4266 struct hci_cp_remote_oob_data_neg_reply cp;
4267
4268 bacpy(&cp.bdaddr, &ev->bdaddr);
4269 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4270 sizeof(cp), &cp);
4271 goto unlock;
4272 }
4273
4274 if (bredr_sc_enabled(hdev)) {
4275 struct hci_cp_remote_oob_ext_data_reply cp;
4276
4277 bacpy(&cp.bdaddr, &ev->bdaddr);
4278 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4279 memset(cp.hash192, 0, sizeof(cp.hash192));
4280 memset(cp.rand192, 0, sizeof(cp.rand192));
4281 } else {
4282 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4283 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4284 }
4285 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4286 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4287
4288 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4289 sizeof(cp), &cp);
4290 } else {
4291 struct hci_cp_remote_oob_data_reply cp;
4292
4293 bacpy(&cp.bdaddr, &ev->bdaddr);
4294 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4295 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4296
4297 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4298 sizeof(cp), &cp);
4299 }
4300
4301unlock:
4302 hci_dev_unlock(hdev);
4303}
4304
4305#if IS_ENABLED(CONFIG_BT_HS)
4306static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4307{
4308 struct hci_ev_channel_selected *ev = (void *)skb->data;
4309 struct hci_conn *hcon;
4310
4311 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4312
4313 skb_pull(skb, sizeof(*ev));
4314
4315 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4316 if (!hcon)
4317 return;
4318
4319 amp_read_loc_assoc_final_data(hdev, hcon);
4320}
4321
4322static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4323 struct sk_buff *skb)
4324{
4325 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4326 struct hci_conn *hcon, *bredr_hcon;
4327
4328 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4329 ev->status);
4330
4331 hci_dev_lock(hdev);
4332
4333 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4334 if (!hcon) {
4335 hci_dev_unlock(hdev);
4336 return;
4337 }
4338
4339 if (ev->status) {
4340 hci_conn_del(hcon);
4341 hci_dev_unlock(hdev);
4342 return;
4343 }
4344
4345 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4346
4347 hcon->state = BT_CONNECTED;
4348 bacpy(&hcon->dst, &bredr_hcon->dst);
4349
4350 hci_conn_hold(hcon);
4351 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4352 hci_conn_drop(hcon);
4353
4354 hci_debugfs_create_conn(hcon);
4355 hci_conn_add_sysfs(hcon);
4356
4357 amp_physical_cfm(bredr_hcon, hcon);
4358
4359 hci_dev_unlock(hdev);
4360}
4361
4362static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4363{
4364 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4365 struct hci_conn *hcon;
4366 struct hci_chan *hchan;
4367 struct amp_mgr *mgr;
4368
4369 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4370 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4371 ev->status);
4372
4373 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4374 if (!hcon)
4375 return;
4376
4377 /* Create AMP hchan */
4378 hchan = hci_chan_create(hcon);
4379 if (!hchan)
4380 return;
4381
4382 hchan->handle = le16_to_cpu(ev->handle);
4383
4384 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4385
4386 mgr = hcon->amp_mgr;
4387 if (mgr && mgr->bredr_chan) {
4388 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4389
4390 l2cap_chan_lock(bredr_chan);
4391
4392 bredr_chan->conn->mtu = hdev->block_mtu;
4393 l2cap_logical_cfm(bredr_chan, hchan, 0);
4394 hci_conn_hold(hcon);
4395
4396 l2cap_chan_unlock(bredr_chan);
4397 }
4398}
4399
4400static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4401 struct sk_buff *skb)
4402{
4403 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4404 struct hci_chan *hchan;
4405
4406 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4407 le16_to_cpu(ev->handle), ev->status);
4408
4409 if (ev->status)
4410 return;
4411
4412 hci_dev_lock(hdev);
4413
4414 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4415 if (!hchan)
4416 goto unlock;
4417
4418 amp_destroy_logical_link(hchan, ev->reason);
4419
4420unlock:
4421 hci_dev_unlock(hdev);
4422}
4423
4424static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4425 struct sk_buff *skb)
4426{
4427 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4428 struct hci_conn *hcon;
4429
4430 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4431
4432 if (ev->status)
4433 return;
4434
4435 hci_dev_lock(hdev);
4436
4437 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4438 if (hcon) {
4439 hcon->state = BT_CLOSED;
4440 hci_conn_del(hcon);
4441 }
4442
4443 hci_dev_unlock(hdev);
4444}
4445#endif
4446
4447static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4448{
4449 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4450 struct hci_conn_params *params;
4451 struct hci_conn *conn;
4452 struct smp_irk *irk;
4453 u8 addr_type;
4454
4455 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4456
4457 hci_dev_lock(hdev);
4458
4459 /* All controllers implicitly stop advertising in the event of a
4460 * connection, so ensure that the state bit is cleared.
4461 */
4462 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4463
4464 conn = hci_lookup_le_connect(hdev);
4465 if (!conn) {
4466 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4467 if (!conn) {
4468 BT_ERR("No memory for new connection");
4469 goto unlock;
4470 }
4471
4472 conn->dst_type = ev->bdaddr_type;
4473
4474 /* If we didn't have a hci_conn object previously
4475 * but we're in master role this must be something
4476 * initiated using a white list. Since white list based
4477 * connections are not "first class citizens" we don't
4478 * have full tracking of them. Therefore, we go ahead
4479 * with a "best effort" approach of determining the
4480 * initiator address based on the HCI_PRIVACY flag.
4481 */
4482 if (conn->out) {
4483 conn->resp_addr_type = ev->bdaddr_type;
4484 bacpy(&conn->resp_addr, &ev->bdaddr);
4485 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4486 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4487 bacpy(&conn->init_addr, &hdev->rpa);
4488 } else {
4489 hci_copy_identity_address(hdev,
4490 &conn->init_addr,
4491 &conn->init_addr_type);
4492 }
4493 }
4494 } else {
4495 cancel_delayed_work(&conn->le_conn_timeout);
4496 }
4497
4498 if (!conn->out) {
4499 /* Set the responder (our side) address type based on
4500 * the advertising address type.
4501 */
4502 conn->resp_addr_type = hdev->adv_addr_type;
4503 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4504 bacpy(&conn->resp_addr, &hdev->random_addr);
4505 else
4506 bacpy(&conn->resp_addr, &hdev->bdaddr);
4507
4508 conn->init_addr_type = ev->bdaddr_type;
4509 bacpy(&conn->init_addr, &ev->bdaddr);
4510
4511 /* For incoming connections, set the default minimum
4512 * and maximum connection interval. They will be used
4513 * to check if the parameters are in range and if not
4514 * trigger the connection update procedure.
4515 */
4516 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4517 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4518 }
4519
4520 /* Lookup the identity address from the stored connection
4521 * address and address type.
4522 *
4523 * When establishing connections to an identity address, the
4524 * connection procedure will store the resolvable random
4525 * address first. Now if it can be converted back into the
4526 * identity address, start using the identity address from
4527 * now on.
4528 */
4529 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4530 if (irk) {
4531 bacpy(&conn->dst, &irk->bdaddr);
4532 conn->dst_type = irk->addr_type;
4533 }
4534
4535 if (ev->status) {
4536 hci_le_conn_failed(conn, ev->status);
4537 goto unlock;
4538 }
4539
4540 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4541 addr_type = BDADDR_LE_PUBLIC;
4542 else
4543 addr_type = BDADDR_LE_RANDOM;
4544
4545 /* Drop the connection if the device is blocked */
4546 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4547 hci_conn_drop(conn);
4548 goto unlock;
4549 }
4550
4551 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4552 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4553
4554 conn->sec_level = BT_SECURITY_LOW;
4555 conn->handle = __le16_to_cpu(ev->handle);
4556 conn->state = BT_CONFIG;
4557
4558 conn->le_conn_interval = le16_to_cpu(ev->interval);
4559 conn->le_conn_latency = le16_to_cpu(ev->latency);
4560 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4561
4562 hci_debugfs_create_conn(conn);
4563 hci_conn_add_sysfs(conn);
4564
4565 if (!ev->status) {
4566 /* The remote features procedure is defined for master
4567 * role only. So only in case of an initiated connection
4568 * request the remote features.
4569 *
4570 * If the local controller supports slave-initiated features
4571 * exchange, then requesting the remote features in slave
4572 * role is possible. Otherwise just transition into the
4573 * connected state without requesting the remote features.
4574 */
4575 if (conn->out ||
4576 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4577 struct hci_cp_le_read_remote_features cp;
4578
4579 cp.handle = __cpu_to_le16(conn->handle);
4580
4581 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4582 sizeof(cp), &cp);
4583
4584 hci_conn_hold(conn);
4585 } else {
4586 conn->state = BT_CONNECTED;
4587 hci_connect_cfm(conn, ev->status);
4588 }
4589 } else {
4590 hci_connect_cfm(conn, ev->status);
4591 }
4592
4593 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4594 conn->dst_type);
4595 if (params) {
4596 list_del_init(¶ms->action);
4597 if (params->conn) {
4598 hci_conn_drop(params->conn);
4599 hci_conn_put(params->conn);
4600 params->conn = NULL;
4601 }
4602 }
4603
4604unlock:
4605 hci_update_background_scan(hdev);
4606 hci_dev_unlock(hdev);
4607}
4608
4609static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4610 struct sk_buff *skb)
4611{
4612 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4613 struct hci_conn *conn;
4614
4615 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4616
4617 if (ev->status)
4618 return;
4619
4620 hci_dev_lock(hdev);
4621
4622 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4623 if (conn) {
4624 conn->le_conn_interval = le16_to_cpu(ev->interval);
4625 conn->le_conn_latency = le16_to_cpu(ev->latency);
4626 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4627 }
4628
4629 hci_dev_unlock(hdev);
4630}
4631
4632/* This function requires the caller holds hdev->lock */
4633static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4634 bdaddr_t *addr,
4635 u8 addr_type, u8 adv_type)
4636{
4637 struct hci_conn *conn;
4638 struct hci_conn_params *params;
4639
4640 /* If the event is not connectable don't proceed further */
4641 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4642 return NULL;
4643
4644 /* Ignore if the device is blocked */
4645 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4646 return NULL;
4647
4648 /* Most controller will fail if we try to create new connections
4649 * while we have an existing one in slave role.
4650 */
4651 if (hdev->conn_hash.le_num_slave > 0)
4652 return NULL;
4653
4654 /* If we're not connectable only connect devices that we have in
4655 * our pend_le_conns list.
4656 */
4657 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4658 addr_type);
4659 if (!params)
4660 return NULL;
4661
4662 if (!params->explicit_connect) {
4663 switch (params->auto_connect) {
4664 case HCI_AUTO_CONN_DIRECT:
4665 /* Only devices advertising with ADV_DIRECT_IND are
4666 * triggering a connection attempt. This is allowing
4667 * incoming connections from slave devices.
4668 */
4669 if (adv_type != LE_ADV_DIRECT_IND)
4670 return NULL;
4671 break;
4672 case HCI_AUTO_CONN_ALWAYS:
4673 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4674 * are triggering a connection attempt. This means
4675 * that incoming connectioms from slave device are
4676 * accepted and also outgoing connections to slave
4677 * devices are established when found.
4678 */
4679 break;
4680 default:
4681 return NULL;
4682 }
4683 }
4684
4685 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4686 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4687 if (!IS_ERR(conn)) {
4688 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4689 * by higher layer that tried to connect, if no then
4690 * store the pointer since we don't really have any
4691 * other owner of the object besides the params that
4692 * triggered it. This way we can abort the connection if
4693 * the parameters get removed and keep the reference
4694 * count consistent once the connection is established.
4695 */
4696
4697 if (!params->explicit_connect)
4698 params->conn = hci_conn_get(conn);
4699
4700 return conn;
4701 }
4702
4703 switch (PTR_ERR(conn)) {
4704 case -EBUSY:
4705 /* If hci_connect() returns -EBUSY it means there is already
4706 * an LE connection attempt going on. Since controllers don't
4707 * support more than one connection attempt at the time, we
4708 * don't consider this an error case.
4709 */
4710 break;
4711 default:
4712 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4713 return NULL;
4714 }
4715
4716 return NULL;
4717}
4718
4719static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4720 u8 bdaddr_type, bdaddr_t *direct_addr,
4721 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4722{
4723 struct discovery_state *d = &hdev->discovery;
4724 struct smp_irk *irk;
4725 struct hci_conn *conn;
4726 bool match;
4727 u32 flags;
4728 u8 *ptr, real_len;
4729
4730 /* Find the end of the data in case the report contains padded zero
4731 * bytes at the end causing an invalid length value.
4732 *
4733 * When data is NULL, len is 0 so there is no need for extra ptr
4734 * check as 'ptr < data + 0' is already false in such case.
4735 */
4736 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4737 if (ptr + 1 + *ptr > data + len)
4738 break;
4739 }
4740
4741 real_len = ptr - data;
4742
4743 /* Adjust for actual length */
4744 if (len != real_len) {
4745 BT_ERR_RATELIMITED("%s advertising data length corrected",
4746 hdev->name);
4747 len = real_len;
4748 }
4749
4750 /* If the direct address is present, then this report is from
4751 * a LE Direct Advertising Report event. In that case it is
4752 * important to see if the address is matching the local
4753 * controller address.
4754 */
4755 if (direct_addr) {
4756 /* Only resolvable random addresses are valid for these
4757 * kind of reports and others can be ignored.
4758 */
4759 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4760 return;
4761
4762 /* If the controller is not using resolvable random
4763 * addresses, then this report can be ignored.
4764 */
4765 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4766 return;
4767
4768 /* If the local IRK of the controller does not match
4769 * with the resolvable random address provided, then
4770 * this report can be ignored.
4771 */
4772 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4773 return;
4774 }
4775
4776 /* Check if we need to convert to identity address */
4777 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4778 if (irk) {
4779 bdaddr = &irk->bdaddr;
4780 bdaddr_type = irk->addr_type;
4781 }
4782
4783 /* Check if we have been requested to connect to this device */
4784 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4785 if (conn && type == LE_ADV_IND) {
4786 /* Store report for later inclusion by
4787 * mgmt_device_connected
4788 */
4789 memcpy(conn->le_adv_data, data, len);
4790 conn->le_adv_data_len = len;
4791 }
4792
4793 /* Passive scanning shouldn't trigger any device found events,
4794 * except for devices marked as CONN_REPORT for which we do send
4795 * device found events.
4796 */
4797 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4798 if (type == LE_ADV_DIRECT_IND)
4799 return;
4800
4801 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4802 bdaddr, bdaddr_type))
4803 return;
4804
4805 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4806 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4807 else
4808 flags = 0;
4809 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4810 rssi, flags, data, len, NULL, 0);
4811 return;
4812 }
4813
4814 /* When receiving non-connectable or scannable undirected
4815 * advertising reports, this means that the remote device is
4816 * not connectable and then clearly indicate this in the
4817 * device found event.
4818 *
4819 * When receiving a scan response, then there is no way to
4820 * know if the remote device is connectable or not. However
4821 * since scan responses are merged with a previously seen
4822 * advertising report, the flags field from that report
4823 * will be used.
4824 *
4825 * In the really unlikely case that a controller get confused
4826 * and just sends a scan response event, then it is marked as
4827 * not connectable as well.
4828 */
4829 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4830 type == LE_ADV_SCAN_RSP)
4831 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4832 else
4833 flags = 0;
4834
4835 /* If there's nothing pending either store the data from this
4836 * event or send an immediate device found event if the data
4837 * should not be stored for later.
4838 */
4839 if (!has_pending_adv_report(hdev)) {
4840 /* If the report will trigger a SCAN_REQ store it for
4841 * later merging.
4842 */
4843 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4844 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4845 rssi, flags, data, len);
4846 return;
4847 }
4848
4849 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4850 rssi, flags, data, len, NULL, 0);
4851 return;
4852 }
4853
4854 /* Check if the pending report is for the same device as the new one */
4855 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4856 bdaddr_type == d->last_adv_addr_type);
4857
4858 /* If the pending data doesn't match this report or this isn't a
4859 * scan response (e.g. we got a duplicate ADV_IND) then force
4860 * sending of the pending data.
4861 */
4862 if (type != LE_ADV_SCAN_RSP || !match) {
4863 /* Send out whatever is in the cache, but skip duplicates */
4864 if (!match)
4865 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4866 d->last_adv_addr_type, NULL,
4867 d->last_adv_rssi, d->last_adv_flags,
4868 d->last_adv_data,
4869 d->last_adv_data_len, NULL, 0);
4870
4871 /* If the new report will trigger a SCAN_REQ store it for
4872 * later merging.
4873 */
4874 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4875 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4876 rssi, flags, data, len);
4877 return;
4878 }
4879
4880 /* The advertising reports cannot be merged, so clear
4881 * the pending report and send out a device found event.
4882 */
4883 clear_pending_adv_report(hdev);
4884 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885 rssi, flags, data, len, NULL, 0);
4886 return;
4887 }
4888
4889 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4890 * the new event is a SCAN_RSP. We can therefore proceed with
4891 * sending a merged device found event.
4892 */
4893 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4894 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4895 d->last_adv_data, d->last_adv_data_len, data, len);
4896 clear_pending_adv_report(hdev);
4897}
4898
4899static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4900{
4901 u8 num_reports = skb->data[0];
4902 void *ptr = &skb->data[1];
4903
4904 hci_dev_lock(hdev);
4905
4906 while (num_reports--) {
4907 struct hci_ev_le_advertising_info *ev = ptr;
4908 s8 rssi;
4909
4910 rssi = ev->data[ev->length];
4911 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4912 ev->bdaddr_type, NULL, 0, rssi,
4913 ev->data, ev->length);
4914
4915 ptr += sizeof(*ev) + ev->length + 1;
4916 }
4917
4918 hci_dev_unlock(hdev);
4919}
4920
4921static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4922 struct sk_buff *skb)
4923{
4924 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4925 struct hci_conn *conn;
4926
4927 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4928
4929 hci_dev_lock(hdev);
4930
4931 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4932 if (conn) {
4933 if (!ev->status)
4934 memcpy(conn->features[0], ev->features, 8);
4935
4936 if (conn->state == BT_CONFIG) {
4937 __u8 status;
4938
4939 /* If the local controller supports slave-initiated
4940 * features exchange, but the remote controller does
4941 * not, then it is possible that the error code 0x1a
4942 * for unsupported remote feature gets returned.
4943 *
4944 * In this specific case, allow the connection to
4945 * transition into connected state and mark it as
4946 * successful.
4947 */
4948 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4949 !conn->out && ev->status == 0x1a)
4950 status = 0x00;
4951 else
4952 status = ev->status;
4953
4954 conn->state = BT_CONNECTED;
4955 hci_connect_cfm(conn, status);
4956 hci_conn_drop(conn);
4957 }
4958 }
4959
4960 hci_dev_unlock(hdev);
4961}
4962
4963static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4964{
4965 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4966 struct hci_cp_le_ltk_reply cp;
4967 struct hci_cp_le_ltk_neg_reply neg;
4968 struct hci_conn *conn;
4969 struct smp_ltk *ltk;
4970
4971 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4972
4973 hci_dev_lock(hdev);
4974
4975 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4976 if (conn == NULL)
4977 goto not_found;
4978
4979 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4980 if (!ltk)
4981 goto not_found;
4982
4983 if (smp_ltk_is_sc(ltk)) {
4984 /* With SC both EDiv and Rand are set to zero */
4985 if (ev->ediv || ev->rand)
4986 goto not_found;
4987 } else {
4988 /* For non-SC keys check that EDiv and Rand match */
4989 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4990 goto not_found;
4991 }
4992
4993 memcpy(cp.ltk, ltk->val, ltk->enc_size);
4994 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
4995 cp.handle = cpu_to_le16(conn->handle);
4996
4997 conn->pending_sec_level = smp_ltk_sec_level(ltk);
4998
4999 conn->enc_key_size = ltk->enc_size;
5000
5001 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5002
5003 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5004 * temporary key used to encrypt a connection following
5005 * pairing. It is used during the Encrypted Session Setup to
5006 * distribute the keys. Later, security can be re-established
5007 * using a distributed LTK.
5008 */
5009 if (ltk->type == SMP_STK) {
5010 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5011 list_del_rcu(<k->list);
5012 kfree_rcu(ltk, rcu);
5013 } else {
5014 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5015 }
5016
5017 hci_dev_unlock(hdev);
5018
5019 return;
5020
5021not_found:
5022 neg.handle = ev->handle;
5023 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5024 hci_dev_unlock(hdev);
5025}
5026
5027static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5028 u8 reason)
5029{
5030 struct hci_cp_le_conn_param_req_neg_reply cp;
5031
5032 cp.handle = cpu_to_le16(handle);
5033 cp.reason = reason;
5034
5035 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5036 &cp);
5037}
5038
5039static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5040 struct sk_buff *skb)
5041{
5042 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5043 struct hci_cp_le_conn_param_req_reply cp;
5044 struct hci_conn *hcon;
5045 u16 handle, min, max, latency, timeout;
5046
5047 handle = le16_to_cpu(ev->handle);
5048 min = le16_to_cpu(ev->interval_min);
5049 max = le16_to_cpu(ev->interval_max);
5050 latency = le16_to_cpu(ev->latency);
5051 timeout = le16_to_cpu(ev->timeout);
5052
5053 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5054 if (!hcon || hcon->state != BT_CONNECTED)
5055 return send_conn_param_neg_reply(hdev, handle,
5056 HCI_ERROR_UNKNOWN_CONN_ID);
5057
5058 if (hci_check_conn_params(min, max, latency, timeout))
5059 return send_conn_param_neg_reply(hdev, handle,
5060 HCI_ERROR_INVALID_LL_PARAMS);
5061
5062 if (hcon->role == HCI_ROLE_MASTER) {
5063 struct hci_conn_params *params;
5064 u8 store_hint;
5065
5066 hci_dev_lock(hdev);
5067
5068 params = hci_conn_params_lookup(hdev, &hcon->dst,
5069 hcon->dst_type);
5070 if (params) {
5071 params->conn_min_interval = min;
5072 params->conn_max_interval = max;
5073 params->conn_latency = latency;
5074 params->supervision_timeout = timeout;
5075 store_hint = 0x01;
5076 } else{
5077 store_hint = 0x00;
5078 }
5079
5080 hci_dev_unlock(hdev);
5081
5082 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5083 store_hint, min, max, latency, timeout);
5084 }
5085
5086 cp.handle = ev->handle;
5087 cp.interval_min = ev->interval_min;
5088 cp.interval_max = ev->interval_max;
5089 cp.latency = ev->latency;
5090 cp.timeout = ev->timeout;
5091 cp.min_ce_len = 0;
5092 cp.max_ce_len = 0;
5093
5094 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5095}
5096
5097static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5098 struct sk_buff *skb)
5099{
5100 u8 num_reports = skb->data[0];
5101 void *ptr = &skb->data[1];
5102
5103 hci_dev_lock(hdev);
5104
5105 while (num_reports--) {
5106 struct hci_ev_le_direct_adv_info *ev = ptr;
5107
5108 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5109 ev->bdaddr_type, &ev->direct_addr,
5110 ev->direct_addr_type, ev->rssi, NULL, 0);
5111
5112 ptr += sizeof(*ev);
5113 }
5114
5115 hci_dev_unlock(hdev);
5116}
5117
5118static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5119{
5120 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5121
5122 skb_pull(skb, sizeof(*le_ev));
5123
5124 switch (le_ev->subevent) {
5125 case HCI_EV_LE_CONN_COMPLETE:
5126 hci_le_conn_complete_evt(hdev, skb);
5127 break;
5128
5129 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5130 hci_le_conn_update_complete_evt(hdev, skb);
5131 break;
5132
5133 case HCI_EV_LE_ADVERTISING_REPORT:
5134 hci_le_adv_report_evt(hdev, skb);
5135 break;
5136
5137 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5138 hci_le_remote_feat_complete_evt(hdev, skb);
5139 break;
5140
5141 case HCI_EV_LE_LTK_REQ:
5142 hci_le_ltk_request_evt(hdev, skb);
5143 break;
5144
5145 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5146 hci_le_remote_conn_param_req_evt(hdev, skb);
5147 break;
5148
5149 case HCI_EV_LE_DIRECT_ADV_REPORT:
5150 hci_le_direct_adv_report_evt(hdev, skb);
5151 break;
5152
5153 default:
5154 break;
5155 }
5156}
5157
5158static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5159 u8 event, struct sk_buff *skb)
5160{
5161 struct hci_ev_cmd_complete *ev;
5162 struct hci_event_hdr *hdr;
5163
5164 if (!skb)
5165 return false;
5166
5167 if (skb->len < sizeof(*hdr)) {
5168 BT_ERR("Too short HCI event");
5169 return false;
5170 }
5171
5172 hdr = (void *) skb->data;
5173 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5174
5175 if (event) {
5176 if (hdr->evt != event)
5177 return false;
5178 return true;
5179 }
5180
5181 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5182 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5183 return false;
5184 }
5185
5186 if (skb->len < sizeof(*ev)) {
5187 BT_ERR("Too short cmd_complete event");
5188 return false;
5189 }
5190
5191 ev = (void *) skb->data;
5192 skb_pull(skb, sizeof(*ev));
5193
5194 if (opcode != __le16_to_cpu(ev->opcode)) {
5195 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5196 __le16_to_cpu(ev->opcode));
5197 return false;
5198 }
5199
5200 return true;
5201}
5202
5203void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5204{
5205 struct hci_event_hdr *hdr = (void *) skb->data;
5206 hci_req_complete_t req_complete = NULL;
5207 hci_req_complete_skb_t req_complete_skb = NULL;
5208 struct sk_buff *orig_skb = NULL;
5209 u8 status = 0, event = hdr->evt, req_evt = 0;
5210 u16 opcode = HCI_OP_NOP;
5211
5212 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5213 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5214 opcode = __le16_to_cpu(cmd_hdr->opcode);
5215 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5216 &req_complete_skb);
5217 req_evt = event;
5218 }
5219
5220 /* If it looks like we might end up having to call
5221 * req_complete_skb, store a pristine copy of the skb since the
5222 * various handlers may modify the original one through
5223 * skb_pull() calls, etc.
5224 */
5225 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5226 event == HCI_EV_CMD_COMPLETE)
5227 orig_skb = skb_clone(skb, GFP_KERNEL);
5228
5229 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5230
5231 switch (event) {
5232 case HCI_EV_INQUIRY_COMPLETE:
5233 hci_inquiry_complete_evt(hdev, skb);
5234 break;
5235
5236 case HCI_EV_INQUIRY_RESULT:
5237 hci_inquiry_result_evt(hdev, skb);
5238 break;
5239
5240 case HCI_EV_CONN_COMPLETE:
5241 hci_conn_complete_evt(hdev, skb);
5242 break;
5243
5244 case HCI_EV_CONN_REQUEST:
5245 hci_conn_request_evt(hdev, skb);
5246 break;
5247
5248 case HCI_EV_DISCONN_COMPLETE:
5249 hci_disconn_complete_evt(hdev, skb);
5250 break;
5251
5252 case HCI_EV_AUTH_COMPLETE:
5253 hci_auth_complete_evt(hdev, skb);
5254 break;
5255
5256 case HCI_EV_REMOTE_NAME:
5257 hci_remote_name_evt(hdev, skb);
5258 break;
5259
5260 case HCI_EV_ENCRYPT_CHANGE:
5261 hci_encrypt_change_evt(hdev, skb);
5262 break;
5263
5264 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5265 hci_change_link_key_complete_evt(hdev, skb);
5266 break;
5267
5268 case HCI_EV_REMOTE_FEATURES:
5269 hci_remote_features_evt(hdev, skb);
5270 break;
5271
5272 case HCI_EV_CMD_COMPLETE:
5273 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5274 &req_complete, &req_complete_skb);
5275 break;
5276
5277 case HCI_EV_CMD_STATUS:
5278 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5279 &req_complete_skb);
5280 break;
5281
5282 case HCI_EV_HARDWARE_ERROR:
5283 hci_hardware_error_evt(hdev, skb);
5284 break;
5285
5286 case HCI_EV_ROLE_CHANGE:
5287 hci_role_change_evt(hdev, skb);
5288 break;
5289
5290 case HCI_EV_NUM_COMP_PKTS:
5291 hci_num_comp_pkts_evt(hdev, skb);
5292 break;
5293
5294 case HCI_EV_MODE_CHANGE:
5295 hci_mode_change_evt(hdev, skb);
5296 break;
5297
5298 case HCI_EV_PIN_CODE_REQ:
5299 hci_pin_code_request_evt(hdev, skb);
5300 break;
5301
5302 case HCI_EV_LINK_KEY_REQ:
5303 hci_link_key_request_evt(hdev, skb);
5304 break;
5305
5306 case HCI_EV_LINK_KEY_NOTIFY:
5307 hci_link_key_notify_evt(hdev, skb);
5308 break;
5309
5310 case HCI_EV_CLOCK_OFFSET:
5311 hci_clock_offset_evt(hdev, skb);
5312 break;
5313
5314 case HCI_EV_PKT_TYPE_CHANGE:
5315 hci_pkt_type_change_evt(hdev, skb);
5316 break;
5317
5318 case HCI_EV_PSCAN_REP_MODE:
5319 hci_pscan_rep_mode_evt(hdev, skb);
5320 break;
5321
5322 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5323 hci_inquiry_result_with_rssi_evt(hdev, skb);
5324 break;
5325
5326 case HCI_EV_REMOTE_EXT_FEATURES:
5327 hci_remote_ext_features_evt(hdev, skb);
5328 break;
5329
5330 case HCI_EV_SYNC_CONN_COMPLETE:
5331 hci_sync_conn_complete_evt(hdev, skb);
5332 break;
5333
5334 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5335 hci_extended_inquiry_result_evt(hdev, skb);
5336 break;
5337
5338 case HCI_EV_KEY_REFRESH_COMPLETE:
5339 hci_key_refresh_complete_evt(hdev, skb);
5340 break;
5341
5342 case HCI_EV_IO_CAPA_REQUEST:
5343 hci_io_capa_request_evt(hdev, skb);
5344 break;
5345
5346 case HCI_EV_IO_CAPA_REPLY:
5347 hci_io_capa_reply_evt(hdev, skb);
5348 break;
5349
5350 case HCI_EV_USER_CONFIRM_REQUEST:
5351 hci_user_confirm_request_evt(hdev, skb);
5352 break;
5353
5354 case HCI_EV_USER_PASSKEY_REQUEST:
5355 hci_user_passkey_request_evt(hdev, skb);
5356 break;
5357
5358 case HCI_EV_USER_PASSKEY_NOTIFY:
5359 hci_user_passkey_notify_evt(hdev, skb);
5360 break;
5361
5362 case HCI_EV_KEYPRESS_NOTIFY:
5363 hci_keypress_notify_evt(hdev, skb);
5364 break;
5365
5366 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5367 hci_simple_pair_complete_evt(hdev, skb);
5368 break;
5369
5370 case HCI_EV_REMOTE_HOST_FEATURES:
5371 hci_remote_host_features_evt(hdev, skb);
5372 break;
5373
5374 case HCI_EV_LE_META:
5375 hci_le_meta_evt(hdev, skb);
5376 break;
5377
5378 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5379 hci_remote_oob_data_request_evt(hdev, skb);
5380 break;
5381
5382#if IS_ENABLED(CONFIG_BT_HS)
5383 case HCI_EV_CHANNEL_SELECTED:
5384 hci_chan_selected_evt(hdev, skb);
5385 break;
5386
5387 case HCI_EV_PHY_LINK_COMPLETE:
5388 hci_phy_link_complete_evt(hdev, skb);
5389 break;
5390
5391 case HCI_EV_LOGICAL_LINK_COMPLETE:
5392 hci_loglink_complete_evt(hdev, skb);
5393 break;
5394
5395 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5396 hci_disconn_loglink_complete_evt(hdev, skb);
5397 break;
5398
5399 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5400 hci_disconn_phylink_complete_evt(hdev, skb);
5401 break;
5402#endif
5403
5404 case HCI_EV_NUM_COMP_BLOCKS:
5405 hci_num_comp_blocks_evt(hdev, skb);
5406 break;
5407
5408 default:
5409 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5410 break;
5411 }
5412
5413 if (req_complete) {
5414 req_complete(hdev, status, opcode);
5415 } else if (req_complete_skb) {
5416 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5417 kfree_skb(orig_skb);
5418 orig_skb = NULL;
5419 }
5420 req_complete_skb(hdev, status, opcode, orig_skb);
5421 }
5422
5423 kfree_skb(orig_skb);
5424 kfree_skb(skb);
5425 hdev->stat.evt_rx++;
5426}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 Copyright 2023-2024 NXP
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI event handling. */
27
28#include <asm/unaligned.h>
29#include <linux/crypto.h>
30#include <crypto/algapi.h>
31
32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/mgmt.h>
35
36#include "hci_request.h"
37#include "hci_debugfs.h"
38#include "hci_codec.h"
39#include "smp.h"
40#include "msft.h"
41#include "eir.h"
42
43#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
44 "\x00\x00\x00\x00\x00\x00\x00\x00"
45
46#define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
47
48/* Handle HCI Event packets */
49
50static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
51 u8 ev, size_t len)
52{
53 void *data;
54
55 data = skb_pull_data(skb, len);
56 if (!data)
57 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
58
59 return data;
60}
61
62static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
63 u16 op, size_t len)
64{
65 void *data;
66
67 data = skb_pull_data(skb, len);
68 if (!data)
69 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
70
71 return data;
72}
73
74static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
75 u8 ev, size_t len)
76{
77 void *data;
78
79 data = skb_pull_data(skb, len);
80 if (!data)
81 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
82
83 return data;
84}
85
86static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
87 struct sk_buff *skb)
88{
89 struct hci_ev_status *rp = data;
90
91 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
92
93 /* It is possible that we receive Inquiry Complete event right
94 * before we receive Inquiry Cancel Command Complete event, in
95 * which case the latter event should have status of Command
96 * Disallowed. This should not be treated as error, since
97 * we actually achieve what Inquiry Cancel wants to achieve,
98 * which is to end the last Inquiry session.
99 */
100 if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) {
101 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
102 rp->status = 0x00;
103 }
104
105 if (rp->status)
106 return rp->status;
107
108 clear_bit(HCI_INQUIRY, &hdev->flags);
109 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
110 wake_up_bit(&hdev->flags, HCI_INQUIRY);
111
112 hci_dev_lock(hdev);
113 /* Set discovery state to stopped if we're not doing LE active
114 * scanning.
115 */
116 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
117 hdev->le_scan_type != LE_SCAN_ACTIVE)
118 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
119 hci_dev_unlock(hdev);
120
121 return rp->status;
122}
123
124static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
125 struct sk_buff *skb)
126{
127 struct hci_ev_status *rp = data;
128
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
130
131 if (rp->status)
132 return rp->status;
133
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
135
136 return rp->status;
137}
138
139static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
140 struct sk_buff *skb)
141{
142 struct hci_ev_status *rp = data;
143
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
145
146 if (rp->status)
147 return rp->status;
148
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
150
151 return rp->status;
152}
153
154static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
155 struct sk_buff *skb)
156{
157 struct hci_ev_status *rp = data;
158
159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
160
161 return rp->status;
162}
163
164static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
165 struct sk_buff *skb)
166{
167 struct hci_rp_role_discovery *rp = data;
168 struct hci_conn *conn;
169
170 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
171
172 if (rp->status)
173 return rp->status;
174
175 hci_dev_lock(hdev);
176
177 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
178 if (conn)
179 conn->role = rp->role;
180
181 hci_dev_unlock(hdev);
182
183 return rp->status;
184}
185
186static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
187 struct sk_buff *skb)
188{
189 struct hci_rp_read_link_policy *rp = data;
190 struct hci_conn *conn;
191
192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
193
194 if (rp->status)
195 return rp->status;
196
197 hci_dev_lock(hdev);
198
199 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
200 if (conn)
201 conn->link_policy = __le16_to_cpu(rp->policy);
202
203 hci_dev_unlock(hdev);
204
205 return rp->status;
206}
207
208static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
209 struct sk_buff *skb)
210{
211 struct hci_rp_write_link_policy *rp = data;
212 struct hci_conn *conn;
213 void *sent;
214
215 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
216
217 if (rp->status)
218 return rp->status;
219
220 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
221 if (!sent)
222 return rp->status;
223
224 hci_dev_lock(hdev);
225
226 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
227 if (conn)
228 conn->link_policy = get_unaligned_le16(sent + 2);
229
230 hci_dev_unlock(hdev);
231
232 return rp->status;
233}
234
235static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
236 struct sk_buff *skb)
237{
238 struct hci_rp_read_def_link_policy *rp = data;
239
240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
241
242 if (rp->status)
243 return rp->status;
244
245 hdev->link_policy = __le16_to_cpu(rp->policy);
246
247 return rp->status;
248}
249
250static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
251 struct sk_buff *skb)
252{
253 struct hci_ev_status *rp = data;
254 void *sent;
255
256 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
257
258 if (rp->status)
259 return rp->status;
260
261 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
262 if (!sent)
263 return rp->status;
264
265 hdev->link_policy = get_unaligned_le16(sent);
266
267 return rp->status;
268}
269
270static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
271{
272 struct hci_ev_status *rp = data;
273
274 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
275
276 clear_bit(HCI_RESET, &hdev->flags);
277
278 if (rp->status)
279 return rp->status;
280
281 /* Reset all non-persistent flags */
282 hci_dev_clear_volatile_flags(hdev);
283
284 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
285
286 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
287 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
288
289 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
290 hdev->adv_data_len = 0;
291
292 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
293 hdev->scan_rsp_data_len = 0;
294
295 hdev->le_scan_type = LE_SCAN_PASSIVE;
296
297 hdev->ssp_debug_mode = 0;
298
299 hci_bdaddr_list_clear(&hdev->le_accept_list);
300 hci_bdaddr_list_clear(&hdev->le_resolv_list);
301
302 return rp->status;
303}
304
305static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
306 struct sk_buff *skb)
307{
308 struct hci_rp_read_stored_link_key *rp = data;
309 struct hci_cp_read_stored_link_key *sent;
310
311 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
312
313 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
314 if (!sent)
315 return rp->status;
316
317 if (!rp->status && sent->read_all == 0x01) {
318 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
319 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
320 }
321
322 return rp->status;
323}
324
325static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
326 struct sk_buff *skb)
327{
328 struct hci_rp_delete_stored_link_key *rp = data;
329 u16 num_keys;
330
331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
332
333 if (rp->status)
334 return rp->status;
335
336 num_keys = le16_to_cpu(rp->num_keys);
337
338 if (num_keys <= hdev->stored_num_keys)
339 hdev->stored_num_keys -= num_keys;
340 else
341 hdev->stored_num_keys = 0;
342
343 return rp->status;
344}
345
346static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
347 struct sk_buff *skb)
348{
349 struct hci_ev_status *rp = data;
350 void *sent;
351
352 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
353
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
355 if (!sent)
356 return rp->status;
357
358 hci_dev_lock(hdev);
359
360 if (hci_dev_test_flag(hdev, HCI_MGMT))
361 mgmt_set_local_name_complete(hdev, sent, rp->status);
362 else if (!rp->status)
363 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
364
365 hci_dev_unlock(hdev);
366
367 return rp->status;
368}
369
370static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
371 struct sk_buff *skb)
372{
373 struct hci_rp_read_local_name *rp = data;
374
375 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
376
377 if (rp->status)
378 return rp->status;
379
380 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
381 hci_dev_test_flag(hdev, HCI_CONFIG))
382 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
383
384 return rp->status;
385}
386
387static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
388 struct sk_buff *skb)
389{
390 struct hci_ev_status *rp = data;
391 void *sent;
392
393 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
394
395 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
396 if (!sent)
397 return rp->status;
398
399 hci_dev_lock(hdev);
400
401 if (!rp->status) {
402 __u8 param = *((__u8 *) sent);
403
404 if (param == AUTH_ENABLED)
405 set_bit(HCI_AUTH, &hdev->flags);
406 else
407 clear_bit(HCI_AUTH, &hdev->flags);
408 }
409
410 if (hci_dev_test_flag(hdev, HCI_MGMT))
411 mgmt_auth_enable_complete(hdev, rp->status);
412
413 hci_dev_unlock(hdev);
414
415 return rp->status;
416}
417
418static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
419 struct sk_buff *skb)
420{
421 struct hci_ev_status *rp = data;
422 __u8 param;
423 void *sent;
424
425 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
426
427 if (rp->status)
428 return rp->status;
429
430 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
431 if (!sent)
432 return rp->status;
433
434 param = *((__u8 *) sent);
435
436 if (param)
437 set_bit(HCI_ENCRYPT, &hdev->flags);
438 else
439 clear_bit(HCI_ENCRYPT, &hdev->flags);
440
441 return rp->status;
442}
443
444static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
445 struct sk_buff *skb)
446{
447 struct hci_ev_status *rp = data;
448 __u8 param;
449 void *sent;
450
451 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
452
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
454 if (!sent)
455 return rp->status;
456
457 param = *((__u8 *) sent);
458
459 hci_dev_lock(hdev);
460
461 if (rp->status) {
462 hdev->discov_timeout = 0;
463 goto done;
464 }
465
466 if (param & SCAN_INQUIRY)
467 set_bit(HCI_ISCAN, &hdev->flags);
468 else
469 clear_bit(HCI_ISCAN, &hdev->flags);
470
471 if (param & SCAN_PAGE)
472 set_bit(HCI_PSCAN, &hdev->flags);
473 else
474 clear_bit(HCI_PSCAN, &hdev->flags);
475
476done:
477 hci_dev_unlock(hdev);
478
479 return rp->status;
480}
481
482static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
483 struct sk_buff *skb)
484{
485 struct hci_ev_status *rp = data;
486 struct hci_cp_set_event_filter *cp;
487 void *sent;
488
489 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
490
491 if (rp->status)
492 return rp->status;
493
494 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
495 if (!sent)
496 return rp->status;
497
498 cp = (struct hci_cp_set_event_filter *)sent;
499
500 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
501 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
502 else
503 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
504
505 return rp->status;
506}
507
508static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
509 struct sk_buff *skb)
510{
511 struct hci_rp_read_class_of_dev *rp = data;
512
513 if (WARN_ON(!hdev))
514 return HCI_ERROR_UNSPECIFIED;
515
516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
517
518 if (rp->status)
519 return rp->status;
520
521 memcpy(hdev->dev_class, rp->dev_class, 3);
522
523 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
524 hdev->dev_class[1], hdev->dev_class[0]);
525
526 return rp->status;
527}
528
529static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
530 struct sk_buff *skb)
531{
532 struct hci_ev_status *rp = data;
533 void *sent;
534
535 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
536
537 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
538 if (!sent)
539 return rp->status;
540
541 hci_dev_lock(hdev);
542
543 if (!rp->status)
544 memcpy(hdev->dev_class, sent, 3);
545
546 if (hci_dev_test_flag(hdev, HCI_MGMT))
547 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
548
549 hci_dev_unlock(hdev);
550
551 return rp->status;
552}
553
554static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
555 struct sk_buff *skb)
556{
557 struct hci_rp_read_voice_setting *rp = data;
558 __u16 setting;
559
560 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
561
562 if (rp->status)
563 return rp->status;
564
565 setting = __le16_to_cpu(rp->voice_setting);
566
567 if (hdev->voice_setting == setting)
568 return rp->status;
569
570 hdev->voice_setting = setting;
571
572 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
573
574 if (hdev->notify)
575 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
576
577 return rp->status;
578}
579
580static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
581 struct sk_buff *skb)
582{
583 struct hci_ev_status *rp = data;
584 __u16 setting;
585 void *sent;
586
587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
588
589 if (rp->status)
590 return rp->status;
591
592 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
593 if (!sent)
594 return rp->status;
595
596 setting = get_unaligned_le16(sent);
597
598 if (hdev->voice_setting == setting)
599 return rp->status;
600
601 hdev->voice_setting = setting;
602
603 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
604
605 if (hdev->notify)
606 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
607
608 return rp->status;
609}
610
611static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
612 struct sk_buff *skb)
613{
614 struct hci_rp_read_num_supported_iac *rp = data;
615
616 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
617
618 if (rp->status)
619 return rp->status;
620
621 hdev->num_iac = rp->num_iac;
622
623 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
624
625 return rp->status;
626}
627
628static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
629 struct sk_buff *skb)
630{
631 struct hci_ev_status *rp = data;
632 struct hci_cp_write_ssp_mode *sent;
633
634 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
635
636 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
637 if (!sent)
638 return rp->status;
639
640 hci_dev_lock(hdev);
641
642 if (!rp->status) {
643 if (sent->mode)
644 hdev->features[1][0] |= LMP_HOST_SSP;
645 else
646 hdev->features[1][0] &= ~LMP_HOST_SSP;
647 }
648
649 if (!rp->status) {
650 if (sent->mode)
651 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
652 else
653 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
654 }
655
656 hci_dev_unlock(hdev);
657
658 return rp->status;
659}
660
661static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
662 struct sk_buff *skb)
663{
664 struct hci_ev_status *rp = data;
665 struct hci_cp_write_sc_support *sent;
666
667 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
668
669 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
670 if (!sent)
671 return rp->status;
672
673 hci_dev_lock(hdev);
674
675 if (!rp->status) {
676 if (sent->support)
677 hdev->features[1][0] |= LMP_HOST_SC;
678 else
679 hdev->features[1][0] &= ~LMP_HOST_SC;
680 }
681
682 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
683 if (sent->support)
684 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
685 else
686 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
687 }
688
689 hci_dev_unlock(hdev);
690
691 return rp->status;
692}
693
694static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
695 struct sk_buff *skb)
696{
697 struct hci_rp_read_local_version *rp = data;
698
699 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
700
701 if (rp->status)
702 return rp->status;
703
704 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
705 hci_dev_test_flag(hdev, HCI_CONFIG)) {
706 hdev->hci_ver = rp->hci_ver;
707 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
708 hdev->lmp_ver = rp->lmp_ver;
709 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
710 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
711 }
712
713 return rp->status;
714}
715
716static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
717 struct sk_buff *skb)
718{
719 struct hci_rp_read_enc_key_size *rp = data;
720 struct hci_conn *conn;
721 u16 handle;
722 u8 status = rp->status;
723
724 bt_dev_dbg(hdev, "status 0x%2.2x", status);
725
726 handle = le16_to_cpu(rp->handle);
727
728 hci_dev_lock(hdev);
729
730 conn = hci_conn_hash_lookup_handle(hdev, handle);
731 if (!conn) {
732 status = 0xFF;
733 goto done;
734 }
735
736 /* While unexpected, the read_enc_key_size command may fail. The most
737 * secure approach is to then assume the key size is 0 to force a
738 * disconnection.
739 */
740 if (status) {
741 bt_dev_err(hdev, "failed to read key size for handle %u",
742 handle);
743 conn->enc_key_size = 0;
744 } else {
745 conn->enc_key_size = rp->key_size;
746 status = 0;
747
748 if (conn->enc_key_size < hdev->min_enc_key_size) {
749 /* As slave role, the conn->state has been set to
750 * BT_CONNECTED and l2cap conn req might not be received
751 * yet, at this moment the l2cap layer almost does
752 * nothing with the non-zero status.
753 * So we also clear encrypt related bits, and then the
754 * handler of l2cap conn req will get the right secure
755 * state at a later time.
756 */
757 status = HCI_ERROR_AUTH_FAILURE;
758 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
759 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
760 }
761 }
762
763 hci_encrypt_cfm(conn, status);
764
765done:
766 hci_dev_unlock(hdev);
767
768 return status;
769}
770
771static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
772 struct sk_buff *skb)
773{
774 struct hci_rp_read_local_commands *rp = data;
775
776 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
777
778 if (rp->status)
779 return rp->status;
780
781 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
782 hci_dev_test_flag(hdev, HCI_CONFIG))
783 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
784
785 return rp->status;
786}
787
788static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
789 struct sk_buff *skb)
790{
791 struct hci_rp_read_auth_payload_to *rp = data;
792 struct hci_conn *conn;
793
794 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
795
796 if (rp->status)
797 return rp->status;
798
799 hci_dev_lock(hdev);
800
801 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
802 if (conn)
803 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
804
805 hci_dev_unlock(hdev);
806
807 return rp->status;
808}
809
810static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
811 struct sk_buff *skb)
812{
813 struct hci_rp_write_auth_payload_to *rp = data;
814 struct hci_conn *conn;
815 void *sent;
816
817 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
818
819 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
820 if (!sent)
821 return rp->status;
822
823 hci_dev_lock(hdev);
824
825 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
826 if (!conn) {
827 rp->status = 0xff;
828 goto unlock;
829 }
830
831 if (!rp->status)
832 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
833
834unlock:
835 hci_dev_unlock(hdev);
836
837 return rp->status;
838}
839
840static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
841 struct sk_buff *skb)
842{
843 struct hci_rp_read_local_features *rp = data;
844
845 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
846
847 if (rp->status)
848 return rp->status;
849
850 memcpy(hdev->features, rp->features, 8);
851
852 /* Adjust default settings according to features
853 * supported by device. */
854
855 if (hdev->features[0][0] & LMP_3SLOT)
856 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
857
858 if (hdev->features[0][0] & LMP_5SLOT)
859 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
860
861 if (hdev->features[0][1] & LMP_HV2) {
862 hdev->pkt_type |= (HCI_HV2);
863 hdev->esco_type |= (ESCO_HV2);
864 }
865
866 if (hdev->features[0][1] & LMP_HV3) {
867 hdev->pkt_type |= (HCI_HV3);
868 hdev->esco_type |= (ESCO_HV3);
869 }
870
871 if (lmp_esco_capable(hdev))
872 hdev->esco_type |= (ESCO_EV3);
873
874 if (hdev->features[0][4] & LMP_EV4)
875 hdev->esco_type |= (ESCO_EV4);
876
877 if (hdev->features[0][4] & LMP_EV5)
878 hdev->esco_type |= (ESCO_EV5);
879
880 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
881 hdev->esco_type |= (ESCO_2EV3);
882
883 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
884 hdev->esco_type |= (ESCO_3EV3);
885
886 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
887 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
888
889 return rp->status;
890}
891
892static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
893 struct sk_buff *skb)
894{
895 struct hci_rp_read_local_ext_features *rp = data;
896
897 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
898
899 if (rp->status)
900 return rp->status;
901
902 if (hdev->max_page < rp->max_page) {
903 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
904 &hdev->quirks))
905 bt_dev_warn(hdev, "broken local ext features page 2");
906 else
907 hdev->max_page = rp->max_page;
908 }
909
910 if (rp->page < HCI_MAX_PAGES)
911 memcpy(hdev->features[rp->page], rp->features, 8);
912
913 return rp->status;
914}
915
916static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
917 struct sk_buff *skb)
918{
919 struct hci_rp_read_buffer_size *rp = data;
920
921 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
922
923 if (rp->status)
924 return rp->status;
925
926 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
927 hdev->sco_mtu = rp->sco_mtu;
928 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
929 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
930
931 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
932 hdev->sco_mtu = 64;
933 hdev->sco_pkts = 8;
934 }
935
936 hdev->acl_cnt = hdev->acl_pkts;
937 hdev->sco_cnt = hdev->sco_pkts;
938
939 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
940 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
941
942 if (!hdev->acl_mtu || !hdev->acl_pkts)
943 return HCI_ERROR_INVALID_PARAMETERS;
944
945 return rp->status;
946}
947
948static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
949 struct sk_buff *skb)
950{
951 struct hci_rp_read_bd_addr *rp = data;
952
953 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
954
955 if (rp->status)
956 return rp->status;
957
958 if (test_bit(HCI_INIT, &hdev->flags))
959 bacpy(&hdev->bdaddr, &rp->bdaddr);
960
961 if (hci_dev_test_flag(hdev, HCI_SETUP))
962 bacpy(&hdev->setup_addr, &rp->bdaddr);
963
964 return rp->status;
965}
966
967static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
968 struct sk_buff *skb)
969{
970 struct hci_rp_read_local_pairing_opts *rp = data;
971
972 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
973
974 if (rp->status)
975 return rp->status;
976
977 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
978 hci_dev_test_flag(hdev, HCI_CONFIG)) {
979 hdev->pairing_opts = rp->pairing_opts;
980 hdev->max_enc_key_size = rp->max_key_size;
981 }
982
983 return rp->status;
984}
985
986static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
987 struct sk_buff *skb)
988{
989 struct hci_rp_read_page_scan_activity *rp = data;
990
991 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
992
993 if (rp->status)
994 return rp->status;
995
996 if (test_bit(HCI_INIT, &hdev->flags)) {
997 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
998 hdev->page_scan_window = __le16_to_cpu(rp->window);
999 }
1000
1001 return rp->status;
1002}
1003
1004static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1005 struct sk_buff *skb)
1006{
1007 struct hci_ev_status *rp = data;
1008 struct hci_cp_write_page_scan_activity *sent;
1009
1010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1011
1012 if (rp->status)
1013 return rp->status;
1014
1015 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1016 if (!sent)
1017 return rp->status;
1018
1019 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1020 hdev->page_scan_window = __le16_to_cpu(sent->window);
1021
1022 return rp->status;
1023}
1024
1025static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1026 struct sk_buff *skb)
1027{
1028 struct hci_rp_read_page_scan_type *rp = data;
1029
1030 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1031
1032 if (rp->status)
1033 return rp->status;
1034
1035 if (test_bit(HCI_INIT, &hdev->flags))
1036 hdev->page_scan_type = rp->type;
1037
1038 return rp->status;
1039}
1040
1041static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1042 struct sk_buff *skb)
1043{
1044 struct hci_ev_status *rp = data;
1045 u8 *type;
1046
1047 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1048
1049 if (rp->status)
1050 return rp->status;
1051
1052 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1053 if (type)
1054 hdev->page_scan_type = *type;
1055
1056 return rp->status;
1057}
1058
1059static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1060 struct sk_buff *skb)
1061{
1062 struct hci_rp_read_clock *rp = data;
1063 struct hci_cp_read_clock *cp;
1064 struct hci_conn *conn;
1065
1066 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1067
1068 if (rp->status)
1069 return rp->status;
1070
1071 hci_dev_lock(hdev);
1072
1073 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1074 if (!cp)
1075 goto unlock;
1076
1077 if (cp->which == 0x00) {
1078 hdev->clock = le32_to_cpu(rp->clock);
1079 goto unlock;
1080 }
1081
1082 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1083 if (conn) {
1084 conn->clock = le32_to_cpu(rp->clock);
1085 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1086 }
1087
1088unlock:
1089 hci_dev_unlock(hdev);
1090 return rp->status;
1091}
1092
1093static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1094 struct sk_buff *skb)
1095{
1096 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1097
1098 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1099
1100 if (rp->status)
1101 return rp->status;
1102
1103 hdev->inq_tx_power = rp->tx_power;
1104
1105 return rp->status;
1106}
1107
1108static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1109 struct sk_buff *skb)
1110{
1111 struct hci_rp_read_def_err_data_reporting *rp = data;
1112
1113 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1114
1115 if (rp->status)
1116 return rp->status;
1117
1118 hdev->err_data_reporting = rp->err_data_reporting;
1119
1120 return rp->status;
1121}
1122
1123static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1124 struct sk_buff *skb)
1125{
1126 struct hci_ev_status *rp = data;
1127 struct hci_cp_write_def_err_data_reporting *cp;
1128
1129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1130
1131 if (rp->status)
1132 return rp->status;
1133
1134 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1135 if (!cp)
1136 return rp->status;
1137
1138 hdev->err_data_reporting = cp->err_data_reporting;
1139
1140 return rp->status;
1141}
1142
1143static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1144 struct sk_buff *skb)
1145{
1146 struct hci_rp_pin_code_reply *rp = data;
1147 struct hci_cp_pin_code_reply *cp;
1148 struct hci_conn *conn;
1149
1150 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1151
1152 hci_dev_lock(hdev);
1153
1154 if (hci_dev_test_flag(hdev, HCI_MGMT))
1155 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1156
1157 if (rp->status)
1158 goto unlock;
1159
1160 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1161 if (!cp)
1162 goto unlock;
1163
1164 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1165 if (conn)
1166 conn->pin_length = cp->pin_len;
1167
1168unlock:
1169 hci_dev_unlock(hdev);
1170 return rp->status;
1171}
1172
1173static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1174 struct sk_buff *skb)
1175{
1176 struct hci_rp_pin_code_neg_reply *rp = data;
1177
1178 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1179
1180 hci_dev_lock(hdev);
1181
1182 if (hci_dev_test_flag(hdev, HCI_MGMT))
1183 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1184 rp->status);
1185
1186 hci_dev_unlock(hdev);
1187
1188 return rp->status;
1189}
1190
1191static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1192 struct sk_buff *skb)
1193{
1194 struct hci_rp_le_read_buffer_size *rp = data;
1195
1196 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1197
1198 if (rp->status)
1199 return rp->status;
1200
1201 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1202 hdev->le_pkts = rp->le_max_pkt;
1203
1204 hdev->le_cnt = hdev->le_pkts;
1205
1206 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1207
1208 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
1209 return HCI_ERROR_INVALID_PARAMETERS;
1210
1211 return rp->status;
1212}
1213
1214static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1215 struct sk_buff *skb)
1216{
1217 struct hci_rp_le_read_local_features *rp = data;
1218
1219 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1220
1221 if (rp->status)
1222 return rp->status;
1223
1224 memcpy(hdev->le_features, rp->features, 8);
1225
1226 return rp->status;
1227}
1228
1229static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1230 struct sk_buff *skb)
1231{
1232 struct hci_rp_le_read_adv_tx_power *rp = data;
1233
1234 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1235
1236 if (rp->status)
1237 return rp->status;
1238
1239 hdev->adv_tx_power = rp->tx_power;
1240
1241 return rp->status;
1242}
1243
1244static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1245 struct sk_buff *skb)
1246{
1247 struct hci_rp_user_confirm_reply *rp = data;
1248
1249 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1250
1251 hci_dev_lock(hdev);
1252
1253 if (hci_dev_test_flag(hdev, HCI_MGMT))
1254 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1255 rp->status);
1256
1257 hci_dev_unlock(hdev);
1258
1259 return rp->status;
1260}
1261
1262static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1263 struct sk_buff *skb)
1264{
1265 struct hci_rp_user_confirm_reply *rp = data;
1266
1267 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1268
1269 hci_dev_lock(hdev);
1270
1271 if (hci_dev_test_flag(hdev, HCI_MGMT))
1272 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1273 ACL_LINK, 0, rp->status);
1274
1275 hci_dev_unlock(hdev);
1276
1277 return rp->status;
1278}
1279
1280static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1281 struct sk_buff *skb)
1282{
1283 struct hci_rp_user_confirm_reply *rp = data;
1284
1285 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1286
1287 hci_dev_lock(hdev);
1288
1289 if (hci_dev_test_flag(hdev, HCI_MGMT))
1290 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1291 0, rp->status);
1292
1293 hci_dev_unlock(hdev);
1294
1295 return rp->status;
1296}
1297
1298static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1299 struct sk_buff *skb)
1300{
1301 struct hci_rp_user_confirm_reply *rp = data;
1302
1303 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1304
1305 hci_dev_lock(hdev);
1306
1307 if (hci_dev_test_flag(hdev, HCI_MGMT))
1308 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1309 ACL_LINK, 0, rp->status);
1310
1311 hci_dev_unlock(hdev);
1312
1313 return rp->status;
1314}
1315
1316static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1317 struct sk_buff *skb)
1318{
1319 struct hci_rp_read_local_oob_data *rp = data;
1320
1321 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1322
1323 return rp->status;
1324}
1325
1326static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1327 struct sk_buff *skb)
1328{
1329 struct hci_rp_read_local_oob_ext_data *rp = data;
1330
1331 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1332
1333 return rp->status;
1334}
1335
1336static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1337 struct sk_buff *skb)
1338{
1339 struct hci_ev_status *rp = data;
1340 bdaddr_t *sent;
1341
1342 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1343
1344 if (rp->status)
1345 return rp->status;
1346
1347 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1348 if (!sent)
1349 return rp->status;
1350
1351 hci_dev_lock(hdev);
1352
1353 bacpy(&hdev->random_addr, sent);
1354
1355 if (!bacmp(&hdev->rpa, sent)) {
1356 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1357 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1358 secs_to_jiffies(hdev->rpa_timeout));
1359 }
1360
1361 hci_dev_unlock(hdev);
1362
1363 return rp->status;
1364}
1365
1366static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1367 struct sk_buff *skb)
1368{
1369 struct hci_ev_status *rp = data;
1370 struct hci_cp_le_set_default_phy *cp;
1371
1372 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1373
1374 if (rp->status)
1375 return rp->status;
1376
1377 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1378 if (!cp)
1379 return rp->status;
1380
1381 hci_dev_lock(hdev);
1382
1383 hdev->le_tx_def_phys = cp->tx_phys;
1384 hdev->le_rx_def_phys = cp->rx_phys;
1385
1386 hci_dev_unlock(hdev);
1387
1388 return rp->status;
1389}
1390
1391static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1392 struct sk_buff *skb)
1393{
1394 struct hci_ev_status *rp = data;
1395 struct hci_cp_le_set_adv_set_rand_addr *cp;
1396 struct adv_info *adv;
1397
1398 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1399
1400 if (rp->status)
1401 return rp->status;
1402
1403 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1404 /* Update only in case the adv instance since handle 0x00 shall be using
1405 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1406 * non-extended adverting.
1407 */
1408 if (!cp || !cp->handle)
1409 return rp->status;
1410
1411 hci_dev_lock(hdev);
1412
1413 adv = hci_find_adv_instance(hdev, cp->handle);
1414 if (adv) {
1415 bacpy(&adv->random_addr, &cp->bdaddr);
1416 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1417 adv->rpa_expired = false;
1418 queue_delayed_work(hdev->workqueue,
1419 &adv->rpa_expired_cb,
1420 secs_to_jiffies(hdev->rpa_timeout));
1421 }
1422 }
1423
1424 hci_dev_unlock(hdev);
1425
1426 return rp->status;
1427}
1428
1429static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1430 struct sk_buff *skb)
1431{
1432 struct hci_ev_status *rp = data;
1433 u8 *instance;
1434 int err;
1435
1436 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1437
1438 if (rp->status)
1439 return rp->status;
1440
1441 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1442 if (!instance)
1443 return rp->status;
1444
1445 hci_dev_lock(hdev);
1446
1447 err = hci_remove_adv_instance(hdev, *instance);
1448 if (!err)
1449 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1450 *instance);
1451
1452 hci_dev_unlock(hdev);
1453
1454 return rp->status;
1455}
1456
1457static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1458 struct sk_buff *skb)
1459{
1460 struct hci_ev_status *rp = data;
1461 struct adv_info *adv, *n;
1462 int err;
1463
1464 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1465
1466 if (rp->status)
1467 return rp->status;
1468
1469 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1470 return rp->status;
1471
1472 hci_dev_lock(hdev);
1473
1474 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1475 u8 instance = adv->instance;
1476
1477 err = hci_remove_adv_instance(hdev, instance);
1478 if (!err)
1479 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1480 hdev, instance);
1481 }
1482
1483 hci_dev_unlock(hdev);
1484
1485 return rp->status;
1486}
1487
1488static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1489 struct sk_buff *skb)
1490{
1491 struct hci_rp_le_read_transmit_power *rp = data;
1492
1493 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1494
1495 if (rp->status)
1496 return rp->status;
1497
1498 hdev->min_le_tx_power = rp->min_le_tx_power;
1499 hdev->max_le_tx_power = rp->max_le_tx_power;
1500
1501 return rp->status;
1502}
1503
1504static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1505 struct sk_buff *skb)
1506{
1507 struct hci_ev_status *rp = data;
1508 struct hci_cp_le_set_privacy_mode *cp;
1509 struct hci_conn_params *params;
1510
1511 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1512
1513 if (rp->status)
1514 return rp->status;
1515
1516 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1517 if (!cp)
1518 return rp->status;
1519
1520 hci_dev_lock(hdev);
1521
1522 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1523 if (params)
1524 WRITE_ONCE(params->privacy_mode, cp->mode);
1525
1526 hci_dev_unlock(hdev);
1527
1528 return rp->status;
1529}
1530
1531static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1532 struct sk_buff *skb)
1533{
1534 struct hci_ev_status *rp = data;
1535 __u8 *sent;
1536
1537 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1538
1539 if (rp->status)
1540 return rp->status;
1541
1542 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1543 if (!sent)
1544 return rp->status;
1545
1546 hci_dev_lock(hdev);
1547
1548 /* If we're doing connection initiation as peripheral. Set a
1549 * timeout in case something goes wrong.
1550 */
1551 if (*sent) {
1552 struct hci_conn *conn;
1553
1554 hci_dev_set_flag(hdev, HCI_LE_ADV);
1555
1556 conn = hci_lookup_le_connect(hdev);
1557 if (conn)
1558 queue_delayed_work(hdev->workqueue,
1559 &conn->le_conn_timeout,
1560 conn->conn_timeout);
1561 } else {
1562 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1563 }
1564
1565 hci_dev_unlock(hdev);
1566
1567 return rp->status;
1568}
1569
1570static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1571 struct sk_buff *skb)
1572{
1573 struct hci_cp_le_set_ext_adv_enable *cp;
1574 struct hci_cp_ext_adv_set *set;
1575 struct adv_info *adv = NULL, *n;
1576 struct hci_ev_status *rp = data;
1577
1578 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1579
1580 if (rp->status)
1581 return rp->status;
1582
1583 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1584 if (!cp)
1585 return rp->status;
1586
1587 set = (void *)cp->data;
1588
1589 hci_dev_lock(hdev);
1590
1591 if (cp->num_of_sets)
1592 adv = hci_find_adv_instance(hdev, set->handle);
1593
1594 if (cp->enable) {
1595 struct hci_conn *conn;
1596
1597 hci_dev_set_flag(hdev, HCI_LE_ADV);
1598
1599 if (adv && !adv->periodic)
1600 adv->enabled = true;
1601
1602 conn = hci_lookup_le_connect(hdev);
1603 if (conn)
1604 queue_delayed_work(hdev->workqueue,
1605 &conn->le_conn_timeout,
1606 conn->conn_timeout);
1607 } else {
1608 if (cp->num_of_sets) {
1609 if (adv)
1610 adv->enabled = false;
1611
1612 /* If just one instance was disabled check if there are
1613 * any other instance enabled before clearing HCI_LE_ADV
1614 */
1615 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1616 list) {
1617 if (adv->enabled)
1618 goto unlock;
1619 }
1620 } else {
1621 /* All instances shall be considered disabled */
1622 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1623 list)
1624 adv->enabled = false;
1625 }
1626
1627 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1628 }
1629
1630unlock:
1631 hci_dev_unlock(hdev);
1632 return rp->status;
1633}
1634
1635static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1636 struct sk_buff *skb)
1637{
1638 struct hci_cp_le_set_scan_param *cp;
1639 struct hci_ev_status *rp = data;
1640
1641 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1642
1643 if (rp->status)
1644 return rp->status;
1645
1646 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1647 if (!cp)
1648 return rp->status;
1649
1650 hci_dev_lock(hdev);
1651
1652 hdev->le_scan_type = cp->type;
1653
1654 hci_dev_unlock(hdev);
1655
1656 return rp->status;
1657}
1658
1659static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1660 struct sk_buff *skb)
1661{
1662 struct hci_cp_le_set_ext_scan_params *cp;
1663 struct hci_ev_status *rp = data;
1664 struct hci_cp_le_scan_phy_params *phy_param;
1665
1666 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1667
1668 if (rp->status)
1669 return rp->status;
1670
1671 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1672 if (!cp)
1673 return rp->status;
1674
1675 phy_param = (void *)cp->data;
1676
1677 hci_dev_lock(hdev);
1678
1679 hdev->le_scan_type = phy_param->type;
1680
1681 hci_dev_unlock(hdev);
1682
1683 return rp->status;
1684}
1685
1686static bool has_pending_adv_report(struct hci_dev *hdev)
1687{
1688 struct discovery_state *d = &hdev->discovery;
1689
1690 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1691}
1692
1693static void clear_pending_adv_report(struct hci_dev *hdev)
1694{
1695 struct discovery_state *d = &hdev->discovery;
1696
1697 bacpy(&d->last_adv_addr, BDADDR_ANY);
1698 d->last_adv_data_len = 0;
1699}
1700
1701static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1702 u8 bdaddr_type, s8 rssi, u32 flags,
1703 u8 *data, u8 len)
1704{
1705 struct discovery_state *d = &hdev->discovery;
1706
1707 if (len > max_adv_len(hdev))
1708 return;
1709
1710 bacpy(&d->last_adv_addr, bdaddr);
1711 d->last_adv_addr_type = bdaddr_type;
1712 d->last_adv_rssi = rssi;
1713 d->last_adv_flags = flags;
1714 memcpy(d->last_adv_data, data, len);
1715 d->last_adv_data_len = len;
1716}
1717
1718static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1719{
1720 hci_dev_lock(hdev);
1721
1722 switch (enable) {
1723 case LE_SCAN_ENABLE:
1724 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1725 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1726 clear_pending_adv_report(hdev);
1727 if (hci_dev_test_flag(hdev, HCI_MESH))
1728 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1729 break;
1730
1731 case LE_SCAN_DISABLE:
1732 /* We do this here instead of when setting DISCOVERY_STOPPED
1733 * since the latter would potentially require waiting for
1734 * inquiry to stop too.
1735 */
1736 if (has_pending_adv_report(hdev)) {
1737 struct discovery_state *d = &hdev->discovery;
1738
1739 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1740 d->last_adv_addr_type, NULL,
1741 d->last_adv_rssi, d->last_adv_flags,
1742 d->last_adv_data,
1743 d->last_adv_data_len, NULL, 0, 0);
1744 }
1745
1746 /* Cancel this timer so that we don't try to disable scanning
1747 * when it's already disabled.
1748 */
1749 cancel_delayed_work(&hdev->le_scan_disable);
1750
1751 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1752
1753 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1754 * interrupted scanning due to a connect request. Mark
1755 * therefore discovery as stopped.
1756 */
1757 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1758 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1759 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1760 hdev->discovery.state == DISCOVERY_FINDING)
1761 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1762
1763 break;
1764
1765 default:
1766 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1767 enable);
1768 break;
1769 }
1770
1771 hci_dev_unlock(hdev);
1772}
1773
1774static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1775 struct sk_buff *skb)
1776{
1777 struct hci_cp_le_set_scan_enable *cp;
1778 struct hci_ev_status *rp = data;
1779
1780 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1781
1782 if (rp->status)
1783 return rp->status;
1784
1785 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1786 if (!cp)
1787 return rp->status;
1788
1789 le_set_scan_enable_complete(hdev, cp->enable);
1790
1791 return rp->status;
1792}
1793
1794static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1795 struct sk_buff *skb)
1796{
1797 struct hci_cp_le_set_ext_scan_enable *cp;
1798 struct hci_ev_status *rp = data;
1799
1800 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1801
1802 if (rp->status)
1803 return rp->status;
1804
1805 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1806 if (!cp)
1807 return rp->status;
1808
1809 le_set_scan_enable_complete(hdev, cp->enable);
1810
1811 return rp->status;
1812}
1813
1814static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1815 struct sk_buff *skb)
1816{
1817 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1818
1819 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1820 rp->num_of_sets);
1821
1822 if (rp->status)
1823 return rp->status;
1824
1825 hdev->le_num_of_adv_sets = rp->num_of_sets;
1826
1827 return rp->status;
1828}
1829
1830static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1831 struct sk_buff *skb)
1832{
1833 struct hci_rp_le_read_accept_list_size *rp = data;
1834
1835 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1836
1837 if (rp->status)
1838 return rp->status;
1839
1840 hdev->le_accept_list_size = rp->size;
1841
1842 return rp->status;
1843}
1844
1845static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1846 struct sk_buff *skb)
1847{
1848 struct hci_ev_status *rp = data;
1849
1850 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1851
1852 if (rp->status)
1853 return rp->status;
1854
1855 hci_dev_lock(hdev);
1856 hci_bdaddr_list_clear(&hdev->le_accept_list);
1857 hci_dev_unlock(hdev);
1858
1859 return rp->status;
1860}
1861
1862static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1863 struct sk_buff *skb)
1864{
1865 struct hci_cp_le_add_to_accept_list *sent;
1866 struct hci_ev_status *rp = data;
1867
1868 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1869
1870 if (rp->status)
1871 return rp->status;
1872
1873 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1874 if (!sent)
1875 return rp->status;
1876
1877 hci_dev_lock(hdev);
1878 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1879 sent->bdaddr_type);
1880 hci_dev_unlock(hdev);
1881
1882 return rp->status;
1883}
1884
1885static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1886 struct sk_buff *skb)
1887{
1888 struct hci_cp_le_del_from_accept_list *sent;
1889 struct hci_ev_status *rp = data;
1890
1891 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1892
1893 if (rp->status)
1894 return rp->status;
1895
1896 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1897 if (!sent)
1898 return rp->status;
1899
1900 hci_dev_lock(hdev);
1901 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1902 sent->bdaddr_type);
1903 hci_dev_unlock(hdev);
1904
1905 return rp->status;
1906}
1907
1908static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1909 struct sk_buff *skb)
1910{
1911 struct hci_rp_le_read_supported_states *rp = data;
1912
1913 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1914
1915 if (rp->status)
1916 return rp->status;
1917
1918 memcpy(hdev->le_states, rp->le_states, 8);
1919
1920 return rp->status;
1921}
1922
1923static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1924 struct sk_buff *skb)
1925{
1926 struct hci_rp_le_read_def_data_len *rp = data;
1927
1928 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1929
1930 if (rp->status)
1931 return rp->status;
1932
1933 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1934 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1935
1936 return rp->status;
1937}
1938
1939static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1940 struct sk_buff *skb)
1941{
1942 struct hci_cp_le_write_def_data_len *sent;
1943 struct hci_ev_status *rp = data;
1944
1945 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1946
1947 if (rp->status)
1948 return rp->status;
1949
1950 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1951 if (!sent)
1952 return rp->status;
1953
1954 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1955 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1956
1957 return rp->status;
1958}
1959
1960static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
1961 struct sk_buff *skb)
1962{
1963 struct hci_cp_le_add_to_resolv_list *sent;
1964 struct hci_ev_status *rp = data;
1965
1966 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1967
1968 if (rp->status)
1969 return rp->status;
1970
1971 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1972 if (!sent)
1973 return rp->status;
1974
1975 hci_dev_lock(hdev);
1976 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1977 sent->bdaddr_type, sent->peer_irk,
1978 sent->local_irk);
1979 hci_dev_unlock(hdev);
1980
1981 return rp->status;
1982}
1983
1984static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
1985 struct sk_buff *skb)
1986{
1987 struct hci_cp_le_del_from_resolv_list *sent;
1988 struct hci_ev_status *rp = data;
1989
1990 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1991
1992 if (rp->status)
1993 return rp->status;
1994
1995 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1996 if (!sent)
1997 return rp->status;
1998
1999 hci_dev_lock(hdev);
2000 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2001 sent->bdaddr_type);
2002 hci_dev_unlock(hdev);
2003
2004 return rp->status;
2005}
2006
2007static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2008 struct sk_buff *skb)
2009{
2010 struct hci_ev_status *rp = data;
2011
2012 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2013
2014 if (rp->status)
2015 return rp->status;
2016
2017 hci_dev_lock(hdev);
2018 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2019 hci_dev_unlock(hdev);
2020
2021 return rp->status;
2022}
2023
2024static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2025 struct sk_buff *skb)
2026{
2027 struct hci_rp_le_read_resolv_list_size *rp = data;
2028
2029 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2030
2031 if (rp->status)
2032 return rp->status;
2033
2034 hdev->le_resolv_list_size = rp->size;
2035
2036 return rp->status;
2037}
2038
2039static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2040 struct sk_buff *skb)
2041{
2042 struct hci_ev_status *rp = data;
2043 __u8 *sent;
2044
2045 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2046
2047 if (rp->status)
2048 return rp->status;
2049
2050 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2051 if (!sent)
2052 return rp->status;
2053
2054 hci_dev_lock(hdev);
2055
2056 if (*sent)
2057 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2058 else
2059 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2060
2061 hci_dev_unlock(hdev);
2062
2063 return rp->status;
2064}
2065
2066static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2067 struct sk_buff *skb)
2068{
2069 struct hci_rp_le_read_max_data_len *rp = data;
2070
2071 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2072
2073 if (rp->status)
2074 return rp->status;
2075
2076 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2077 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2078 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2079 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2080
2081 return rp->status;
2082}
2083
2084static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2085 struct sk_buff *skb)
2086{
2087 struct hci_cp_write_le_host_supported *sent;
2088 struct hci_ev_status *rp = data;
2089
2090 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2091
2092 if (rp->status)
2093 return rp->status;
2094
2095 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2096 if (!sent)
2097 return rp->status;
2098
2099 hci_dev_lock(hdev);
2100
2101 if (sent->le) {
2102 hdev->features[1][0] |= LMP_HOST_LE;
2103 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2104 } else {
2105 hdev->features[1][0] &= ~LMP_HOST_LE;
2106 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2107 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2108 }
2109
2110 if (sent->simul)
2111 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2112 else
2113 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2114
2115 hci_dev_unlock(hdev);
2116
2117 return rp->status;
2118}
2119
2120static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2121 struct sk_buff *skb)
2122{
2123 struct hci_cp_le_set_adv_param *cp;
2124 struct hci_ev_status *rp = data;
2125
2126 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2127
2128 if (rp->status)
2129 return rp->status;
2130
2131 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2132 if (!cp)
2133 return rp->status;
2134
2135 hci_dev_lock(hdev);
2136 hdev->adv_addr_type = cp->own_address_type;
2137 hci_dev_unlock(hdev);
2138
2139 return rp->status;
2140}
2141
2142static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2143 struct sk_buff *skb)
2144{
2145 struct hci_rp_le_set_ext_adv_params *rp = data;
2146 struct hci_cp_le_set_ext_adv_params *cp;
2147 struct adv_info *adv_instance;
2148
2149 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2150
2151 if (rp->status)
2152 return rp->status;
2153
2154 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2155 if (!cp)
2156 return rp->status;
2157
2158 hci_dev_lock(hdev);
2159 hdev->adv_addr_type = cp->own_addr_type;
2160 if (!cp->handle) {
2161 /* Store in hdev for instance 0 */
2162 hdev->adv_tx_power = rp->tx_power;
2163 } else {
2164 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2165 if (adv_instance)
2166 adv_instance->tx_power = rp->tx_power;
2167 }
2168 /* Update adv data as tx power is known now */
2169 hci_update_adv_data(hdev, cp->handle);
2170
2171 hci_dev_unlock(hdev);
2172
2173 return rp->status;
2174}
2175
2176static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2177 struct sk_buff *skb)
2178{
2179 struct hci_rp_read_rssi *rp = data;
2180 struct hci_conn *conn;
2181
2182 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2183
2184 if (rp->status)
2185 return rp->status;
2186
2187 hci_dev_lock(hdev);
2188
2189 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2190 if (conn)
2191 conn->rssi = rp->rssi;
2192
2193 hci_dev_unlock(hdev);
2194
2195 return rp->status;
2196}
2197
2198static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2199 struct sk_buff *skb)
2200{
2201 struct hci_cp_read_tx_power *sent;
2202 struct hci_rp_read_tx_power *rp = data;
2203 struct hci_conn *conn;
2204
2205 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2206
2207 if (rp->status)
2208 return rp->status;
2209
2210 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2211 if (!sent)
2212 return rp->status;
2213
2214 hci_dev_lock(hdev);
2215
2216 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2217 if (!conn)
2218 goto unlock;
2219
2220 switch (sent->type) {
2221 case 0x00:
2222 conn->tx_power = rp->tx_power;
2223 break;
2224 case 0x01:
2225 conn->max_tx_power = rp->tx_power;
2226 break;
2227 }
2228
2229unlock:
2230 hci_dev_unlock(hdev);
2231 return rp->status;
2232}
2233
2234static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2235 struct sk_buff *skb)
2236{
2237 struct hci_ev_status *rp = data;
2238 u8 *mode;
2239
2240 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2241
2242 if (rp->status)
2243 return rp->status;
2244
2245 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2246 if (mode)
2247 hdev->ssp_debug_mode = *mode;
2248
2249 return rp->status;
2250}
2251
2252static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2253{
2254 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2255
2256 if (status)
2257 return;
2258
2259 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2260 set_bit(HCI_INQUIRY, &hdev->flags);
2261}
2262
2263static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2264{
2265 struct hci_cp_create_conn *cp;
2266 struct hci_conn *conn;
2267
2268 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2269
2270 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2271 if (!cp)
2272 return;
2273
2274 hci_dev_lock(hdev);
2275
2276 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2277
2278 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2279
2280 if (status) {
2281 if (conn && conn->state == BT_CONNECT) {
2282 conn->state = BT_CLOSED;
2283 hci_connect_cfm(conn, status);
2284 hci_conn_del(conn);
2285 }
2286 } else {
2287 if (!conn) {
2288 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2289 HCI_ROLE_MASTER);
2290 if (IS_ERR(conn))
2291 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
2292 }
2293 }
2294
2295 hci_dev_unlock(hdev);
2296}
2297
2298static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2299{
2300 struct hci_cp_add_sco *cp;
2301 struct hci_conn *acl;
2302 struct hci_link *link;
2303 __u16 handle;
2304
2305 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2306
2307 if (!status)
2308 return;
2309
2310 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2311 if (!cp)
2312 return;
2313
2314 handle = __le16_to_cpu(cp->handle);
2315
2316 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2317
2318 hci_dev_lock(hdev);
2319
2320 acl = hci_conn_hash_lookup_handle(hdev, handle);
2321 if (acl) {
2322 link = list_first_entry_or_null(&acl->link_list,
2323 struct hci_link, list);
2324 if (link && link->conn) {
2325 link->conn->state = BT_CLOSED;
2326
2327 hci_connect_cfm(link->conn, status);
2328 hci_conn_del(link->conn);
2329 }
2330 }
2331
2332 hci_dev_unlock(hdev);
2333}
2334
2335static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2336{
2337 struct hci_cp_auth_requested *cp;
2338 struct hci_conn *conn;
2339
2340 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2341
2342 if (!status)
2343 return;
2344
2345 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2346 if (!cp)
2347 return;
2348
2349 hci_dev_lock(hdev);
2350
2351 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2352 if (conn) {
2353 if (conn->state == BT_CONFIG) {
2354 hci_connect_cfm(conn, status);
2355 hci_conn_drop(conn);
2356 }
2357 }
2358
2359 hci_dev_unlock(hdev);
2360}
2361
2362static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2363{
2364 struct hci_cp_set_conn_encrypt *cp;
2365 struct hci_conn *conn;
2366
2367 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2368
2369 if (!status)
2370 return;
2371
2372 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2373 if (!cp)
2374 return;
2375
2376 hci_dev_lock(hdev);
2377
2378 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2379 if (conn) {
2380 if (conn->state == BT_CONFIG) {
2381 hci_connect_cfm(conn, status);
2382 hci_conn_drop(conn);
2383 }
2384 }
2385
2386 hci_dev_unlock(hdev);
2387}
2388
2389static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2390 struct hci_conn *conn)
2391{
2392 if (conn->state != BT_CONFIG || !conn->out)
2393 return 0;
2394
2395 if (conn->pending_sec_level == BT_SECURITY_SDP)
2396 return 0;
2397
2398 /* Only request authentication for SSP connections or non-SSP
2399 * devices with sec_level MEDIUM or HIGH or if MITM protection
2400 * is requested.
2401 */
2402 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2403 conn->pending_sec_level != BT_SECURITY_FIPS &&
2404 conn->pending_sec_level != BT_SECURITY_HIGH &&
2405 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2406 return 0;
2407
2408 return 1;
2409}
2410
2411static int hci_resolve_name(struct hci_dev *hdev,
2412 struct inquiry_entry *e)
2413{
2414 struct hci_cp_remote_name_req cp;
2415
2416 memset(&cp, 0, sizeof(cp));
2417
2418 bacpy(&cp.bdaddr, &e->data.bdaddr);
2419 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2420 cp.pscan_mode = e->data.pscan_mode;
2421 cp.clock_offset = e->data.clock_offset;
2422
2423 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2424}
2425
2426static bool hci_resolve_next_name(struct hci_dev *hdev)
2427{
2428 struct discovery_state *discov = &hdev->discovery;
2429 struct inquiry_entry *e;
2430
2431 if (list_empty(&discov->resolve))
2432 return false;
2433
2434 /* We should stop if we already spent too much time resolving names. */
2435 if (time_after(jiffies, discov->name_resolve_timeout)) {
2436 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2437 return false;
2438 }
2439
2440 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2441 if (!e)
2442 return false;
2443
2444 if (hci_resolve_name(hdev, e) == 0) {
2445 e->name_state = NAME_PENDING;
2446 return true;
2447 }
2448
2449 return false;
2450}
2451
2452static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2453 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2454{
2455 struct discovery_state *discov = &hdev->discovery;
2456 struct inquiry_entry *e;
2457
2458 /* Update the mgmt connected state if necessary. Be careful with
2459 * conn objects that exist but are not (yet) connected however.
2460 * Only those in BT_CONFIG or BT_CONNECTED states can be
2461 * considered connected.
2462 */
2463 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED))
2464 mgmt_device_connected(hdev, conn, name, name_len);
2465
2466 if (discov->state == DISCOVERY_STOPPED)
2467 return;
2468
2469 if (discov->state == DISCOVERY_STOPPING)
2470 goto discov_complete;
2471
2472 if (discov->state != DISCOVERY_RESOLVING)
2473 return;
2474
2475 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2476 /* If the device was not found in a list of found devices names of which
2477 * are pending. there is no need to continue resolving a next name as it
2478 * will be done upon receiving another Remote Name Request Complete
2479 * Event */
2480 if (!e)
2481 return;
2482
2483 list_del(&e->list);
2484
2485 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2486 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2487 name, name_len);
2488
2489 if (hci_resolve_next_name(hdev))
2490 return;
2491
2492discov_complete:
2493 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2494}
2495
2496static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2497{
2498 struct hci_cp_remote_name_req *cp;
2499 struct hci_conn *conn;
2500
2501 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2502
2503 /* If successful wait for the name req complete event before
2504 * checking for the need to do authentication */
2505 if (!status)
2506 return;
2507
2508 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2509 if (!cp)
2510 return;
2511
2512 hci_dev_lock(hdev);
2513
2514 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2515
2516 if (hci_dev_test_flag(hdev, HCI_MGMT))
2517 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2518
2519 if (!conn)
2520 goto unlock;
2521
2522 if (!hci_outgoing_auth_needed(hdev, conn))
2523 goto unlock;
2524
2525 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2526 struct hci_cp_auth_requested auth_cp;
2527
2528 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2529
2530 auth_cp.handle = __cpu_to_le16(conn->handle);
2531 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2532 sizeof(auth_cp), &auth_cp);
2533 }
2534
2535unlock:
2536 hci_dev_unlock(hdev);
2537}
2538
2539static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2540{
2541 struct hci_cp_read_remote_features *cp;
2542 struct hci_conn *conn;
2543
2544 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2545
2546 if (!status)
2547 return;
2548
2549 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2550 if (!cp)
2551 return;
2552
2553 hci_dev_lock(hdev);
2554
2555 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2556 if (conn) {
2557 if (conn->state == BT_CONFIG) {
2558 hci_connect_cfm(conn, status);
2559 hci_conn_drop(conn);
2560 }
2561 }
2562
2563 hci_dev_unlock(hdev);
2564}
2565
2566static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2567{
2568 struct hci_cp_read_remote_ext_features *cp;
2569 struct hci_conn *conn;
2570
2571 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2572
2573 if (!status)
2574 return;
2575
2576 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2577 if (!cp)
2578 return;
2579
2580 hci_dev_lock(hdev);
2581
2582 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2583 if (conn) {
2584 if (conn->state == BT_CONFIG) {
2585 hci_connect_cfm(conn, status);
2586 hci_conn_drop(conn);
2587 }
2588 }
2589
2590 hci_dev_unlock(hdev);
2591}
2592
2593static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2594 __u8 status)
2595{
2596 struct hci_conn *acl;
2597 struct hci_link *link;
2598
2599 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2600
2601 hci_dev_lock(hdev);
2602
2603 acl = hci_conn_hash_lookup_handle(hdev, handle);
2604 if (acl) {
2605 link = list_first_entry_or_null(&acl->link_list,
2606 struct hci_link, list);
2607 if (link && link->conn) {
2608 link->conn->state = BT_CLOSED;
2609
2610 hci_connect_cfm(link->conn, status);
2611 hci_conn_del(link->conn);
2612 }
2613 }
2614
2615 hci_dev_unlock(hdev);
2616}
2617
2618static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2619{
2620 struct hci_cp_setup_sync_conn *cp;
2621
2622 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2623
2624 if (!status)
2625 return;
2626
2627 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2628 if (!cp)
2629 return;
2630
2631 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2632}
2633
2634static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2635{
2636 struct hci_cp_enhanced_setup_sync_conn *cp;
2637
2638 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2639
2640 if (!status)
2641 return;
2642
2643 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2644 if (!cp)
2645 return;
2646
2647 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2648}
2649
2650static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2651{
2652 struct hci_cp_sniff_mode *cp;
2653 struct hci_conn *conn;
2654
2655 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2656
2657 if (!status)
2658 return;
2659
2660 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2661 if (!cp)
2662 return;
2663
2664 hci_dev_lock(hdev);
2665
2666 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2667 if (conn) {
2668 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2669
2670 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2671 hci_sco_setup(conn, status);
2672 }
2673
2674 hci_dev_unlock(hdev);
2675}
2676
2677static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2678{
2679 struct hci_cp_exit_sniff_mode *cp;
2680 struct hci_conn *conn;
2681
2682 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2683
2684 if (!status)
2685 return;
2686
2687 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2688 if (!cp)
2689 return;
2690
2691 hci_dev_lock(hdev);
2692
2693 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2694 if (conn) {
2695 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2696
2697 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2698 hci_sco_setup(conn, status);
2699 }
2700
2701 hci_dev_unlock(hdev);
2702}
2703
2704static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2705{
2706 struct hci_cp_disconnect *cp;
2707 struct hci_conn_params *params;
2708 struct hci_conn *conn;
2709 bool mgmt_conn;
2710
2711 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2712
2713 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2714 * otherwise cleanup the connection immediately.
2715 */
2716 if (!status && !hdev->suspended)
2717 return;
2718
2719 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2720 if (!cp)
2721 return;
2722
2723 hci_dev_lock(hdev);
2724
2725 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2726 if (!conn)
2727 goto unlock;
2728
2729 if (status) {
2730 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2731 conn->dst_type, status);
2732
2733 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2734 hdev->cur_adv_instance = conn->adv_instance;
2735 hci_enable_advertising(hdev);
2736 }
2737
2738 /* Inform sockets conn is gone before we delete it */
2739 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2740
2741 goto done;
2742 }
2743
2744 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2745
2746 if (conn->type == ACL_LINK) {
2747 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2748 hci_remove_link_key(hdev, &conn->dst);
2749 }
2750
2751 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2752 if (params) {
2753 switch (params->auto_connect) {
2754 case HCI_AUTO_CONN_LINK_LOSS:
2755 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2756 break;
2757 fallthrough;
2758
2759 case HCI_AUTO_CONN_DIRECT:
2760 case HCI_AUTO_CONN_ALWAYS:
2761 hci_pend_le_list_del_init(params);
2762 hci_pend_le_list_add(params, &hdev->pend_le_conns);
2763 break;
2764
2765 default:
2766 break;
2767 }
2768 }
2769
2770 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2771 cp->reason, mgmt_conn);
2772
2773 hci_disconn_cfm(conn, cp->reason);
2774
2775done:
2776 /* If the disconnection failed for any reason, the upper layer
2777 * does not retry to disconnect in current implementation.
2778 * Hence, we need to do some basic cleanup here and re-enable
2779 * advertising if necessary.
2780 */
2781 hci_conn_del(conn);
2782unlock:
2783 hci_dev_unlock(hdev);
2784}
2785
2786static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2787{
2788 /* When using controller based address resolution, then the new
2789 * address types 0x02 and 0x03 are used. These types need to be
2790 * converted back into either public address or random address type
2791 */
2792 switch (type) {
2793 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2794 if (resolved)
2795 *resolved = true;
2796 return ADDR_LE_DEV_PUBLIC;
2797 case ADDR_LE_DEV_RANDOM_RESOLVED:
2798 if (resolved)
2799 *resolved = true;
2800 return ADDR_LE_DEV_RANDOM;
2801 }
2802
2803 if (resolved)
2804 *resolved = false;
2805 return type;
2806}
2807
2808static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2809 u8 peer_addr_type, u8 own_address_type,
2810 u8 filter_policy)
2811{
2812 struct hci_conn *conn;
2813
2814 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2815 peer_addr_type);
2816 if (!conn)
2817 return;
2818
2819 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2820
2821 /* Store the initiator and responder address information which
2822 * is needed for SMP. These values will not change during the
2823 * lifetime of the connection.
2824 */
2825 conn->init_addr_type = own_address_type;
2826 if (own_address_type == ADDR_LE_DEV_RANDOM)
2827 bacpy(&conn->init_addr, &hdev->random_addr);
2828 else
2829 bacpy(&conn->init_addr, &hdev->bdaddr);
2830
2831 conn->resp_addr_type = peer_addr_type;
2832 bacpy(&conn->resp_addr, peer_addr);
2833}
2834
2835static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2836{
2837 struct hci_cp_le_create_conn *cp;
2838
2839 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2840
2841 /* All connection failure handling is taken care of by the
2842 * hci_conn_failed function which is triggered by the HCI
2843 * request completion callbacks used for connecting.
2844 */
2845 if (status)
2846 return;
2847
2848 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2849 if (!cp)
2850 return;
2851
2852 hci_dev_lock(hdev);
2853
2854 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2855 cp->own_address_type, cp->filter_policy);
2856
2857 hci_dev_unlock(hdev);
2858}
2859
2860static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2861{
2862 struct hci_cp_le_ext_create_conn *cp;
2863
2864 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2865
2866 /* All connection failure handling is taken care of by the
2867 * hci_conn_failed function which is triggered by the HCI
2868 * request completion callbacks used for connecting.
2869 */
2870 if (status)
2871 return;
2872
2873 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2874 if (!cp)
2875 return;
2876
2877 hci_dev_lock(hdev);
2878
2879 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2880 cp->own_addr_type, cp->filter_policy);
2881
2882 hci_dev_unlock(hdev);
2883}
2884
2885static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2886{
2887 struct hci_cp_le_read_remote_features *cp;
2888 struct hci_conn *conn;
2889
2890 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2891
2892 if (!status)
2893 return;
2894
2895 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2896 if (!cp)
2897 return;
2898
2899 hci_dev_lock(hdev);
2900
2901 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2902 if (conn) {
2903 if (conn->state == BT_CONFIG) {
2904 hci_connect_cfm(conn, status);
2905 hci_conn_drop(conn);
2906 }
2907 }
2908
2909 hci_dev_unlock(hdev);
2910}
2911
2912static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2913{
2914 struct hci_cp_le_start_enc *cp;
2915 struct hci_conn *conn;
2916
2917 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2918
2919 if (!status)
2920 return;
2921
2922 hci_dev_lock(hdev);
2923
2924 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2925 if (!cp)
2926 goto unlock;
2927
2928 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2929 if (!conn)
2930 goto unlock;
2931
2932 if (conn->state != BT_CONNECTED)
2933 goto unlock;
2934
2935 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2936 hci_conn_drop(conn);
2937
2938unlock:
2939 hci_dev_unlock(hdev);
2940}
2941
2942static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2943{
2944 struct hci_cp_switch_role *cp;
2945 struct hci_conn *conn;
2946
2947 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2948
2949 if (!status)
2950 return;
2951
2952 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2953 if (!cp)
2954 return;
2955
2956 hci_dev_lock(hdev);
2957
2958 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2959 if (conn)
2960 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2961
2962 hci_dev_unlock(hdev);
2963}
2964
2965static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
2966 struct sk_buff *skb)
2967{
2968 struct hci_ev_status *ev = data;
2969 struct discovery_state *discov = &hdev->discovery;
2970 struct inquiry_entry *e;
2971
2972 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
2973
2974 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2975 return;
2976
2977 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2978 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2979
2980 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2981 return;
2982
2983 hci_dev_lock(hdev);
2984
2985 if (discov->state != DISCOVERY_FINDING)
2986 goto unlock;
2987
2988 if (list_empty(&discov->resolve)) {
2989 /* When BR/EDR inquiry is active and no LE scanning is in
2990 * progress, then change discovery state to indicate completion.
2991 *
2992 * When running LE scanning and BR/EDR inquiry simultaneously
2993 * and the LE scan already finished, then change the discovery
2994 * state to indicate completion.
2995 */
2996 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2997 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2998 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2999 goto unlock;
3000 }
3001
3002 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3003 if (e && hci_resolve_name(hdev, e) == 0) {
3004 e->name_state = NAME_PENDING;
3005 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3006 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3007 } else {
3008 /* When BR/EDR inquiry is active and no LE scanning is in
3009 * progress, then change discovery state to indicate completion.
3010 *
3011 * When running LE scanning and BR/EDR inquiry simultaneously
3012 * and the LE scan already finished, then change the discovery
3013 * state to indicate completion.
3014 */
3015 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3016 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3017 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3018 }
3019
3020unlock:
3021 hci_dev_unlock(hdev);
3022}
3023
3024static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3025 struct sk_buff *skb)
3026{
3027 struct hci_ev_inquiry_result *ev = edata;
3028 struct inquiry_data data;
3029 int i;
3030
3031 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3032 flex_array_size(ev, info, ev->num)))
3033 return;
3034
3035 bt_dev_dbg(hdev, "num %d", ev->num);
3036
3037 if (!ev->num)
3038 return;
3039
3040 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3041 return;
3042
3043 hci_dev_lock(hdev);
3044
3045 for (i = 0; i < ev->num; i++) {
3046 struct inquiry_info *info = &ev->info[i];
3047 u32 flags;
3048
3049 bacpy(&data.bdaddr, &info->bdaddr);
3050 data.pscan_rep_mode = info->pscan_rep_mode;
3051 data.pscan_period_mode = info->pscan_period_mode;
3052 data.pscan_mode = info->pscan_mode;
3053 memcpy(data.dev_class, info->dev_class, 3);
3054 data.clock_offset = info->clock_offset;
3055 data.rssi = HCI_RSSI_INVALID;
3056 data.ssp_mode = 0x00;
3057
3058 flags = hci_inquiry_cache_update(hdev, &data, false);
3059
3060 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3061 info->dev_class, HCI_RSSI_INVALID,
3062 flags, NULL, 0, NULL, 0, 0);
3063 }
3064
3065 hci_dev_unlock(hdev);
3066}
3067
3068static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3069 struct sk_buff *skb)
3070{
3071 struct hci_ev_conn_complete *ev = data;
3072 struct hci_conn *conn;
3073 u8 status = ev->status;
3074
3075 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3076
3077 hci_dev_lock(hdev);
3078
3079 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3080 if (!conn) {
3081 /* In case of error status and there is no connection pending
3082 * just unlock as there is nothing to cleanup.
3083 */
3084 if (ev->status)
3085 goto unlock;
3086
3087 /* Connection may not exist if auto-connected. Check the bredr
3088 * allowlist to see if this device is allowed to auto connect.
3089 * If link is an ACL type, create a connection class
3090 * automatically.
3091 *
3092 * Auto-connect will only occur if the event filter is
3093 * programmed with a given address. Right now, event filter is
3094 * only used during suspend.
3095 */
3096 if (ev->link_type == ACL_LINK &&
3097 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3098 &ev->bdaddr,
3099 BDADDR_BREDR)) {
3100 conn = hci_conn_add_unset(hdev, ev->link_type,
3101 &ev->bdaddr, HCI_ROLE_SLAVE);
3102 if (IS_ERR(conn)) {
3103 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3104 goto unlock;
3105 }
3106 } else {
3107 if (ev->link_type != SCO_LINK)
3108 goto unlock;
3109
3110 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3111 &ev->bdaddr);
3112 if (!conn)
3113 goto unlock;
3114
3115 conn->type = SCO_LINK;
3116 }
3117 }
3118
3119 /* The HCI_Connection_Complete event is only sent once per connection.
3120 * Processing it more than once per connection can corrupt kernel memory.
3121 *
3122 * As the connection handle is set here for the first time, it indicates
3123 * whether the connection is already set up.
3124 */
3125 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3126 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3127 goto unlock;
3128 }
3129
3130 if (!status) {
3131 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3132 if (status)
3133 goto done;
3134
3135 if (conn->type == ACL_LINK) {
3136 conn->state = BT_CONFIG;
3137 hci_conn_hold(conn);
3138
3139 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3140 !hci_find_link_key(hdev, &ev->bdaddr))
3141 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3142 else
3143 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3144 } else
3145 conn->state = BT_CONNECTED;
3146
3147 hci_debugfs_create_conn(conn);
3148 hci_conn_add_sysfs(conn);
3149
3150 if (test_bit(HCI_AUTH, &hdev->flags))
3151 set_bit(HCI_CONN_AUTH, &conn->flags);
3152
3153 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3154 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3155
3156 /* "Link key request" completed ahead of "connect request" completes */
3157 if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3158 ev->link_type == ACL_LINK) {
3159 struct link_key *key;
3160 struct hci_cp_read_enc_key_size cp;
3161
3162 key = hci_find_link_key(hdev, &ev->bdaddr);
3163 if (key) {
3164 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3165
3166 if (!read_key_size_capable(hdev)) {
3167 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3168 } else {
3169 cp.handle = cpu_to_le16(conn->handle);
3170 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3171 sizeof(cp), &cp)) {
3172 bt_dev_err(hdev, "sending read key size failed");
3173 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3174 }
3175 }
3176
3177 hci_encrypt_cfm(conn, ev->status);
3178 }
3179 }
3180
3181 /* Get remote features */
3182 if (conn->type == ACL_LINK) {
3183 struct hci_cp_read_remote_features cp;
3184 cp.handle = ev->handle;
3185 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3186 sizeof(cp), &cp);
3187
3188 hci_update_scan(hdev);
3189 }
3190
3191 /* Set packet type for incoming connection */
3192 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3193 struct hci_cp_change_conn_ptype cp;
3194 cp.handle = ev->handle;
3195 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3196 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3197 &cp);
3198 }
3199 }
3200
3201 if (conn->type == ACL_LINK)
3202 hci_sco_setup(conn, ev->status);
3203
3204done:
3205 if (status) {
3206 hci_conn_failed(conn, status);
3207 } else if (ev->link_type == SCO_LINK) {
3208 switch (conn->setting & SCO_AIRMODE_MASK) {
3209 case SCO_AIRMODE_CVSD:
3210 if (hdev->notify)
3211 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3212 break;
3213 }
3214
3215 hci_connect_cfm(conn, status);
3216 }
3217
3218unlock:
3219 hci_dev_unlock(hdev);
3220}
3221
3222static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3223{
3224 struct hci_cp_reject_conn_req cp;
3225
3226 bacpy(&cp.bdaddr, bdaddr);
3227 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3228 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3229}
3230
3231static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3232 struct sk_buff *skb)
3233{
3234 struct hci_ev_conn_request *ev = data;
3235 int mask = hdev->link_mode;
3236 struct inquiry_entry *ie;
3237 struct hci_conn *conn;
3238 __u8 flags = 0;
3239
3240 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3241
3242 /* Reject incoming connection from device with same BD ADDR against
3243 * CVE-2020-26555
3244 */
3245 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3246 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3247 &ev->bdaddr);
3248 hci_reject_conn(hdev, &ev->bdaddr);
3249 return;
3250 }
3251
3252 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3253 &flags);
3254
3255 if (!(mask & HCI_LM_ACCEPT)) {
3256 hci_reject_conn(hdev, &ev->bdaddr);
3257 return;
3258 }
3259
3260 hci_dev_lock(hdev);
3261
3262 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3263 BDADDR_BREDR)) {
3264 hci_reject_conn(hdev, &ev->bdaddr);
3265 goto unlock;
3266 }
3267
3268 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3269 * connection. These features are only touched through mgmt so
3270 * only do the checks if HCI_MGMT is set.
3271 */
3272 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3273 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3274 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3275 BDADDR_BREDR)) {
3276 hci_reject_conn(hdev, &ev->bdaddr);
3277 goto unlock;
3278 }
3279
3280 /* Connection accepted */
3281
3282 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3283 if (ie)
3284 memcpy(ie->data.dev_class, ev->dev_class, 3);
3285
3286 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3287 &ev->bdaddr);
3288 if (!conn) {
3289 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3290 HCI_ROLE_SLAVE);
3291 if (IS_ERR(conn)) {
3292 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3293 goto unlock;
3294 }
3295 }
3296
3297 memcpy(conn->dev_class, ev->dev_class, 3);
3298
3299 hci_dev_unlock(hdev);
3300
3301 if (ev->link_type == ACL_LINK ||
3302 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3303 struct hci_cp_accept_conn_req cp;
3304 conn->state = BT_CONNECT;
3305
3306 bacpy(&cp.bdaddr, &ev->bdaddr);
3307
3308 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3309 cp.role = 0x00; /* Become central */
3310 else
3311 cp.role = 0x01; /* Remain peripheral */
3312
3313 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3314 } else if (!(flags & HCI_PROTO_DEFER)) {
3315 struct hci_cp_accept_sync_conn_req cp;
3316 conn->state = BT_CONNECT;
3317
3318 bacpy(&cp.bdaddr, &ev->bdaddr);
3319 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3320
3321 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3322 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3323 cp.max_latency = cpu_to_le16(0xffff);
3324 cp.content_format = cpu_to_le16(hdev->voice_setting);
3325 cp.retrans_effort = 0xff;
3326
3327 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3328 &cp);
3329 } else {
3330 conn->state = BT_CONNECT2;
3331 hci_connect_cfm(conn, 0);
3332 }
3333
3334 return;
3335unlock:
3336 hci_dev_unlock(hdev);
3337}
3338
3339static u8 hci_to_mgmt_reason(u8 err)
3340{
3341 switch (err) {
3342 case HCI_ERROR_CONNECTION_TIMEOUT:
3343 return MGMT_DEV_DISCONN_TIMEOUT;
3344 case HCI_ERROR_REMOTE_USER_TERM:
3345 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3346 case HCI_ERROR_REMOTE_POWER_OFF:
3347 return MGMT_DEV_DISCONN_REMOTE;
3348 case HCI_ERROR_LOCAL_HOST_TERM:
3349 return MGMT_DEV_DISCONN_LOCAL_HOST;
3350 default:
3351 return MGMT_DEV_DISCONN_UNKNOWN;
3352 }
3353}
3354
3355static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3356 struct sk_buff *skb)
3357{
3358 struct hci_ev_disconn_complete *ev = data;
3359 u8 reason;
3360 struct hci_conn_params *params;
3361 struct hci_conn *conn;
3362 bool mgmt_connected;
3363
3364 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3365
3366 hci_dev_lock(hdev);
3367
3368 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3369 if (!conn)
3370 goto unlock;
3371
3372 if (ev->status) {
3373 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3374 conn->dst_type, ev->status);
3375 goto unlock;
3376 }
3377
3378 conn->state = BT_CLOSED;
3379
3380 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3381
3382 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3383 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3384 else
3385 reason = hci_to_mgmt_reason(ev->reason);
3386
3387 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3388 reason, mgmt_connected);
3389
3390 if (conn->type == ACL_LINK) {
3391 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3392 hci_remove_link_key(hdev, &conn->dst);
3393
3394 hci_update_scan(hdev);
3395 }
3396
3397 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3398 if (params) {
3399 switch (params->auto_connect) {
3400 case HCI_AUTO_CONN_LINK_LOSS:
3401 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3402 break;
3403 fallthrough;
3404
3405 case HCI_AUTO_CONN_DIRECT:
3406 case HCI_AUTO_CONN_ALWAYS:
3407 hci_pend_le_list_del_init(params);
3408 hci_pend_le_list_add(params, &hdev->pend_le_conns);
3409 hci_update_passive_scan(hdev);
3410 break;
3411
3412 default:
3413 break;
3414 }
3415 }
3416
3417 hci_disconn_cfm(conn, ev->reason);
3418
3419 /* Re-enable advertising if necessary, since it might
3420 * have been disabled by the connection. From the
3421 * HCI_LE_Set_Advertise_Enable command description in
3422 * the core specification (v4.0):
3423 * "The Controller shall continue advertising until the Host
3424 * issues an LE_Set_Advertise_Enable command with
3425 * Advertising_Enable set to 0x00 (Advertising is disabled)
3426 * or until a connection is created or until the Advertising
3427 * is timed out due to Directed Advertising."
3428 */
3429 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3430 hdev->cur_adv_instance = conn->adv_instance;
3431 hci_enable_advertising(hdev);
3432 }
3433
3434 hci_conn_del(conn);
3435
3436unlock:
3437 hci_dev_unlock(hdev);
3438}
3439
3440static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3441 struct sk_buff *skb)
3442{
3443 struct hci_ev_auth_complete *ev = data;
3444 struct hci_conn *conn;
3445
3446 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3447
3448 hci_dev_lock(hdev);
3449
3450 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3451 if (!conn)
3452 goto unlock;
3453
3454 if (!ev->status) {
3455 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3456 set_bit(HCI_CONN_AUTH, &conn->flags);
3457 conn->sec_level = conn->pending_sec_level;
3458 } else {
3459 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3460 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3461
3462 mgmt_auth_failed(conn, ev->status);
3463 }
3464
3465 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3466
3467 if (conn->state == BT_CONFIG) {
3468 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3469 struct hci_cp_set_conn_encrypt cp;
3470 cp.handle = ev->handle;
3471 cp.encrypt = 0x01;
3472 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3473 &cp);
3474 } else {
3475 conn->state = BT_CONNECTED;
3476 hci_connect_cfm(conn, ev->status);
3477 hci_conn_drop(conn);
3478 }
3479 } else {
3480 hci_auth_cfm(conn, ev->status);
3481
3482 hci_conn_hold(conn);
3483 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3484 hci_conn_drop(conn);
3485 }
3486
3487 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3488 if (!ev->status) {
3489 struct hci_cp_set_conn_encrypt cp;
3490 cp.handle = ev->handle;
3491 cp.encrypt = 0x01;
3492 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3493 &cp);
3494 } else {
3495 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3496 hci_encrypt_cfm(conn, ev->status);
3497 }
3498 }
3499
3500unlock:
3501 hci_dev_unlock(hdev);
3502}
3503
3504static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3505 struct sk_buff *skb)
3506{
3507 struct hci_ev_remote_name *ev = data;
3508 struct hci_conn *conn;
3509
3510 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3511
3512 hci_dev_lock(hdev);
3513
3514 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3515
3516 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3517 goto check_auth;
3518
3519 if (ev->status == 0)
3520 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3521 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3522 else
3523 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3524
3525check_auth:
3526 if (!conn)
3527 goto unlock;
3528
3529 if (!hci_outgoing_auth_needed(hdev, conn))
3530 goto unlock;
3531
3532 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3533 struct hci_cp_auth_requested cp;
3534
3535 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3536
3537 cp.handle = __cpu_to_le16(conn->handle);
3538 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3539 }
3540
3541unlock:
3542 hci_dev_unlock(hdev);
3543}
3544
3545static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3546 struct sk_buff *skb)
3547{
3548 struct hci_ev_encrypt_change *ev = data;
3549 struct hci_conn *conn;
3550
3551 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3552
3553 hci_dev_lock(hdev);
3554
3555 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3556 if (!conn)
3557 goto unlock;
3558
3559 if (!ev->status) {
3560 if (ev->encrypt) {
3561 /* Encryption implies authentication */
3562 set_bit(HCI_CONN_AUTH, &conn->flags);
3563 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3564 conn->sec_level = conn->pending_sec_level;
3565
3566 /* P-256 authentication key implies FIPS */
3567 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3568 set_bit(HCI_CONN_FIPS, &conn->flags);
3569
3570 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3571 conn->type == LE_LINK)
3572 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3573 } else {
3574 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3575 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3576 }
3577 }
3578
3579 /* We should disregard the current RPA and generate a new one
3580 * whenever the encryption procedure fails.
3581 */
3582 if (ev->status && conn->type == LE_LINK) {
3583 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3584 hci_adv_instances_set_rpa_expired(hdev, true);
3585 }
3586
3587 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3588
3589 /* Check link security requirements are met */
3590 if (!hci_conn_check_link_mode(conn))
3591 ev->status = HCI_ERROR_AUTH_FAILURE;
3592
3593 if (ev->status && conn->state == BT_CONNECTED) {
3594 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3595 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3596
3597 /* Notify upper layers so they can cleanup before
3598 * disconnecting.
3599 */
3600 hci_encrypt_cfm(conn, ev->status);
3601 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3602 hci_conn_drop(conn);
3603 goto unlock;
3604 }
3605
3606 /* Try reading the encryption key size for encrypted ACL links */
3607 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3608 struct hci_cp_read_enc_key_size cp;
3609
3610 /* Only send HCI_Read_Encryption_Key_Size if the
3611 * controller really supports it. If it doesn't, assume
3612 * the default size (16).
3613 */
3614 if (!read_key_size_capable(hdev)) {
3615 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3616 goto notify;
3617 }
3618
3619 cp.handle = cpu_to_le16(conn->handle);
3620 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3621 sizeof(cp), &cp)) {
3622 bt_dev_err(hdev, "sending read key size failed");
3623 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3624 goto notify;
3625 }
3626
3627 goto unlock;
3628 }
3629
3630 /* Set the default Authenticated Payload Timeout after
3631 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3632 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3633 * sent when the link is active and Encryption is enabled, the conn
3634 * type can be either LE or ACL and controller must support LMP Ping.
3635 * Ensure for AES-CCM encryption as well.
3636 */
3637 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3638 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3639 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3640 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3641 struct hci_cp_write_auth_payload_to cp;
3642
3643 cp.handle = cpu_to_le16(conn->handle);
3644 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3645 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3646 sizeof(cp), &cp))
3647 bt_dev_err(hdev, "write auth payload timeout failed");
3648 }
3649
3650notify:
3651 hci_encrypt_cfm(conn, ev->status);
3652
3653unlock:
3654 hci_dev_unlock(hdev);
3655}
3656
3657static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3658 struct sk_buff *skb)
3659{
3660 struct hci_ev_change_link_key_complete *ev = data;
3661 struct hci_conn *conn;
3662
3663 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3664
3665 hci_dev_lock(hdev);
3666
3667 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3668 if (conn) {
3669 if (!ev->status)
3670 set_bit(HCI_CONN_SECURE, &conn->flags);
3671
3672 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3673
3674 hci_key_change_cfm(conn, ev->status);
3675 }
3676
3677 hci_dev_unlock(hdev);
3678}
3679
3680static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3681 struct sk_buff *skb)
3682{
3683 struct hci_ev_remote_features *ev = data;
3684 struct hci_conn *conn;
3685
3686 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3687
3688 hci_dev_lock(hdev);
3689
3690 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3691 if (!conn)
3692 goto unlock;
3693
3694 if (!ev->status)
3695 memcpy(conn->features[0], ev->features, 8);
3696
3697 if (conn->state != BT_CONFIG)
3698 goto unlock;
3699
3700 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3701 lmp_ext_feat_capable(conn)) {
3702 struct hci_cp_read_remote_ext_features cp;
3703 cp.handle = ev->handle;
3704 cp.page = 0x01;
3705 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3706 sizeof(cp), &cp);
3707 goto unlock;
3708 }
3709
3710 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3711 struct hci_cp_remote_name_req cp;
3712 memset(&cp, 0, sizeof(cp));
3713 bacpy(&cp.bdaddr, &conn->dst);
3714 cp.pscan_rep_mode = 0x02;
3715 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3716 } else {
3717 mgmt_device_connected(hdev, conn, NULL, 0);
3718 }
3719
3720 if (!hci_outgoing_auth_needed(hdev, conn)) {
3721 conn->state = BT_CONNECTED;
3722 hci_connect_cfm(conn, ev->status);
3723 hci_conn_drop(conn);
3724 }
3725
3726unlock:
3727 hci_dev_unlock(hdev);
3728}
3729
3730static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3731{
3732 cancel_delayed_work(&hdev->cmd_timer);
3733
3734 rcu_read_lock();
3735 if (!test_bit(HCI_RESET, &hdev->flags)) {
3736 if (ncmd) {
3737 cancel_delayed_work(&hdev->ncmd_timer);
3738 atomic_set(&hdev->cmd_cnt, 1);
3739 } else {
3740 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3741 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3742 HCI_NCMD_TIMEOUT);
3743 }
3744 }
3745 rcu_read_unlock();
3746}
3747
3748static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3749 struct sk_buff *skb)
3750{
3751 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3752
3753 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3754
3755 if (rp->status)
3756 return rp->status;
3757
3758 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3759 hdev->le_pkts = rp->acl_max_pkt;
3760 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3761 hdev->iso_pkts = rp->iso_max_pkt;
3762
3763 hdev->le_cnt = hdev->le_pkts;
3764 hdev->iso_cnt = hdev->iso_pkts;
3765
3766 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3767 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3768
3769 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
3770 return HCI_ERROR_INVALID_PARAMETERS;
3771
3772 return rp->status;
3773}
3774
3775static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3776{
3777 struct hci_conn *conn, *tmp;
3778
3779 lockdep_assert_held(&hdev->lock);
3780
3781 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3782 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3783 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3784 continue;
3785
3786 if (HCI_CONN_HANDLE_UNSET(conn->handle))
3787 hci_conn_failed(conn, status);
3788 }
3789}
3790
3791static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3792 struct sk_buff *skb)
3793{
3794 struct hci_rp_le_set_cig_params *rp = data;
3795 struct hci_cp_le_set_cig_params *cp;
3796 struct hci_conn *conn;
3797 u8 status = rp->status;
3798 bool pending = false;
3799 int i;
3800
3801 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3802
3803 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3804 if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3805 rp->cig_id != cp->cig_id)) {
3806 bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3807 status = HCI_ERROR_UNSPECIFIED;
3808 }
3809
3810 hci_dev_lock(hdev);
3811
3812 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3813 *
3814 * If the Status return parameter is non-zero, then the state of the CIG
3815 * and its CIS configurations shall not be changed by the command. If
3816 * the CIG did not already exist, it shall not be created.
3817 */
3818 if (status) {
3819 /* Keep current configuration, fail only the unbound CIS */
3820 hci_unbound_cis_failed(hdev, rp->cig_id, status);
3821 goto unlock;
3822 }
3823
3824 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3825 *
3826 * If the Status return parameter is zero, then the Controller shall
3827 * set the Connection_Handle arrayed return parameter to the connection
3828 * handle(s) corresponding to the CIS configurations specified in
3829 * the CIS_IDs command parameter, in the same order.
3830 */
3831 for (i = 0; i < rp->num_handles; ++i) {
3832 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3833 cp->cis[i].cis_id);
3834 if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3835 continue;
3836
3837 if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3838 continue;
3839
3840 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3841 continue;
3842
3843 if (conn->state == BT_CONNECT)
3844 pending = true;
3845 }
3846
3847unlock:
3848 if (pending)
3849 hci_le_create_cis_pending(hdev);
3850
3851 hci_dev_unlock(hdev);
3852
3853 return rp->status;
3854}
3855
3856static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3857 struct sk_buff *skb)
3858{
3859 struct hci_rp_le_setup_iso_path *rp = data;
3860 struct hci_cp_le_setup_iso_path *cp;
3861 struct hci_conn *conn;
3862
3863 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3864
3865 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3866 if (!cp)
3867 return rp->status;
3868
3869 hci_dev_lock(hdev);
3870
3871 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3872 if (!conn)
3873 goto unlock;
3874
3875 if (rp->status) {
3876 hci_connect_cfm(conn, rp->status);
3877 hci_conn_del(conn);
3878 goto unlock;
3879 }
3880
3881 switch (cp->direction) {
3882 /* Input (Host to Controller) */
3883 case 0x00:
3884 /* Only confirm connection if output only */
3885 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3886 hci_connect_cfm(conn, rp->status);
3887 break;
3888 /* Output (Controller to Host) */
3889 case 0x01:
3890 /* Confirm connection since conn->iso_qos is always configured
3891 * last.
3892 */
3893 hci_connect_cfm(conn, rp->status);
3894
3895 /* Notify device connected in case it is a BIG Sync */
3896 if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
3897 mgmt_device_connected(hdev, conn, NULL, 0);
3898
3899 break;
3900 }
3901
3902unlock:
3903 hci_dev_unlock(hdev);
3904 return rp->status;
3905}
3906
3907static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3908{
3909 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3910}
3911
3912static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3913 struct sk_buff *skb)
3914{
3915 struct hci_ev_status *rp = data;
3916 struct hci_cp_le_set_per_adv_params *cp;
3917
3918 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3919
3920 if (rp->status)
3921 return rp->status;
3922
3923 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3924 if (!cp)
3925 return rp->status;
3926
3927 /* TODO: set the conn state */
3928 return rp->status;
3929}
3930
3931static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3932 struct sk_buff *skb)
3933{
3934 struct hci_ev_status *rp = data;
3935 struct hci_cp_le_set_per_adv_enable *cp;
3936 struct adv_info *adv = NULL, *n;
3937 u8 per_adv_cnt = 0;
3938
3939 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3940
3941 if (rp->status)
3942 return rp->status;
3943
3944 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3945 if (!cp)
3946 return rp->status;
3947
3948 hci_dev_lock(hdev);
3949
3950 adv = hci_find_adv_instance(hdev, cp->handle);
3951
3952 if (cp->enable) {
3953 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
3954
3955 if (adv)
3956 adv->enabled = true;
3957 } else {
3958 /* If just one instance was disabled check if there are
3959 * any other instance enabled before clearing HCI_LE_PER_ADV.
3960 * The current periodic adv instance will be marked as
3961 * disabled once extended advertising is also disabled.
3962 */
3963 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
3964 list) {
3965 if (adv->periodic && adv->enabled)
3966 per_adv_cnt++;
3967 }
3968
3969 if (per_adv_cnt > 1)
3970 goto unlock;
3971
3972 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
3973 }
3974
3975unlock:
3976 hci_dev_unlock(hdev);
3977
3978 return rp->status;
3979}
3980
3981#define HCI_CC_VL(_op, _func, _min, _max) \
3982{ \
3983 .op = _op, \
3984 .func = _func, \
3985 .min_len = _min, \
3986 .max_len = _max, \
3987}
3988
3989#define HCI_CC(_op, _func, _len) \
3990 HCI_CC_VL(_op, _func, _len, _len)
3991
3992#define HCI_CC_STATUS(_op, _func) \
3993 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
3994
3995static const struct hci_cc {
3996 u16 op;
3997 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
3998 u16 min_len;
3999 u16 max_len;
4000} hci_cc_table[] = {
4001 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4002 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4003 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4004 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4005 hci_cc_remote_name_req_cancel),
4006 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4007 sizeof(struct hci_rp_role_discovery)),
4008 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4009 sizeof(struct hci_rp_read_link_policy)),
4010 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4011 sizeof(struct hci_rp_write_link_policy)),
4012 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4013 sizeof(struct hci_rp_read_def_link_policy)),
4014 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4015 hci_cc_write_def_link_policy),
4016 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4017 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4018 sizeof(struct hci_rp_read_stored_link_key)),
4019 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4020 sizeof(struct hci_rp_delete_stored_link_key)),
4021 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4022 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4023 sizeof(struct hci_rp_read_local_name)),
4024 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4025 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4026 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4027 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4028 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4029 sizeof(struct hci_rp_read_class_of_dev)),
4030 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4031 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4032 sizeof(struct hci_rp_read_voice_setting)),
4033 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4034 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4035 sizeof(struct hci_rp_read_num_supported_iac)),
4036 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4037 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4038 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4039 sizeof(struct hci_rp_read_auth_payload_to)),
4040 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4041 sizeof(struct hci_rp_write_auth_payload_to)),
4042 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4043 sizeof(struct hci_rp_read_local_version)),
4044 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4045 sizeof(struct hci_rp_read_local_commands)),
4046 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4047 sizeof(struct hci_rp_read_local_features)),
4048 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4049 sizeof(struct hci_rp_read_local_ext_features)),
4050 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4051 sizeof(struct hci_rp_read_buffer_size)),
4052 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4053 sizeof(struct hci_rp_read_bd_addr)),
4054 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4055 sizeof(struct hci_rp_read_local_pairing_opts)),
4056 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4057 sizeof(struct hci_rp_read_page_scan_activity)),
4058 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4059 hci_cc_write_page_scan_activity),
4060 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4061 sizeof(struct hci_rp_read_page_scan_type)),
4062 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4063 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4064 sizeof(struct hci_rp_read_clock)),
4065 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4066 sizeof(struct hci_rp_read_enc_key_size)),
4067 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4068 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4069 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4070 hci_cc_read_def_err_data_reporting,
4071 sizeof(struct hci_rp_read_def_err_data_reporting)),
4072 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4073 hci_cc_write_def_err_data_reporting),
4074 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4075 sizeof(struct hci_rp_pin_code_reply)),
4076 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4077 sizeof(struct hci_rp_pin_code_neg_reply)),
4078 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4079 sizeof(struct hci_rp_read_local_oob_data)),
4080 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4081 sizeof(struct hci_rp_read_local_oob_ext_data)),
4082 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4083 sizeof(struct hci_rp_le_read_buffer_size)),
4084 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4085 sizeof(struct hci_rp_le_read_local_features)),
4086 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4087 sizeof(struct hci_rp_le_read_adv_tx_power)),
4088 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4089 sizeof(struct hci_rp_user_confirm_reply)),
4090 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4091 sizeof(struct hci_rp_user_confirm_reply)),
4092 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4093 sizeof(struct hci_rp_user_confirm_reply)),
4094 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4095 sizeof(struct hci_rp_user_confirm_reply)),
4096 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4097 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4098 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4099 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4100 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4101 hci_cc_le_read_accept_list_size,
4102 sizeof(struct hci_rp_le_read_accept_list_size)),
4103 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4104 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4105 hci_cc_le_add_to_accept_list),
4106 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4107 hci_cc_le_del_from_accept_list),
4108 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4109 sizeof(struct hci_rp_le_read_supported_states)),
4110 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4111 sizeof(struct hci_rp_le_read_def_data_len)),
4112 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4113 hci_cc_le_write_def_data_len),
4114 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4115 hci_cc_le_add_to_resolv_list),
4116 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4117 hci_cc_le_del_from_resolv_list),
4118 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4119 hci_cc_le_clear_resolv_list),
4120 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4121 sizeof(struct hci_rp_le_read_resolv_list_size)),
4122 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4123 hci_cc_le_set_addr_resolution_enable),
4124 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4125 sizeof(struct hci_rp_le_read_max_data_len)),
4126 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4127 hci_cc_write_le_host_supported),
4128 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4129 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4130 sizeof(struct hci_rp_read_rssi)),
4131 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4132 sizeof(struct hci_rp_read_tx_power)),
4133 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4134 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4135 hci_cc_le_set_ext_scan_param),
4136 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4137 hci_cc_le_set_ext_scan_enable),
4138 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4139 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4140 hci_cc_le_read_num_adv_sets,
4141 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4142 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4143 sizeof(struct hci_rp_le_set_ext_adv_params)),
4144 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4145 hci_cc_le_set_ext_adv_enable),
4146 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4147 hci_cc_le_set_adv_set_random_addr),
4148 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4149 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4150 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4151 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4152 hci_cc_le_set_per_adv_enable),
4153 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4154 sizeof(struct hci_rp_le_read_transmit_power)),
4155 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4156 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4157 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4158 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4159 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4160 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4161 sizeof(struct hci_rp_le_setup_iso_path)),
4162};
4163
4164static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4165 struct sk_buff *skb)
4166{
4167 void *data;
4168
4169 if (skb->len < cc->min_len) {
4170 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4171 cc->op, skb->len, cc->min_len);
4172 return HCI_ERROR_UNSPECIFIED;
4173 }
4174
4175 /* Just warn if the length is over max_len size it still be possible to
4176 * partially parse the cc so leave to callback to decide if that is
4177 * acceptable.
4178 */
4179 if (skb->len > cc->max_len)
4180 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4181 cc->op, skb->len, cc->max_len);
4182
4183 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4184 if (!data)
4185 return HCI_ERROR_UNSPECIFIED;
4186
4187 return cc->func(hdev, data, skb);
4188}
4189
4190static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4191 struct sk_buff *skb, u16 *opcode, u8 *status,
4192 hci_req_complete_t *req_complete,
4193 hci_req_complete_skb_t *req_complete_skb)
4194{
4195 struct hci_ev_cmd_complete *ev = data;
4196 int i;
4197
4198 *opcode = __le16_to_cpu(ev->opcode);
4199
4200 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4201
4202 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4203 if (hci_cc_table[i].op == *opcode) {
4204 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4205 break;
4206 }
4207 }
4208
4209 if (i == ARRAY_SIZE(hci_cc_table)) {
4210 /* Unknown opcode, assume byte 0 contains the status, so
4211 * that e.g. __hci_cmd_sync() properly returns errors
4212 * for vendor specific commands send by HCI drivers.
4213 * If a vendor doesn't actually follow this convention we may
4214 * need to introduce a vendor CC table in order to properly set
4215 * the status.
4216 */
4217 *status = skb->data[0];
4218 }
4219
4220 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4221
4222 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4223 req_complete_skb);
4224
4225 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4226 bt_dev_err(hdev,
4227 "unexpected event for opcode 0x%4.4x", *opcode);
4228 return;
4229 }
4230
4231 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4232 queue_work(hdev->workqueue, &hdev->cmd_work);
4233}
4234
4235static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4236{
4237 struct hci_cp_le_create_cis *cp;
4238 bool pending = false;
4239 int i;
4240
4241 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4242
4243 if (!status)
4244 return;
4245
4246 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4247 if (!cp)
4248 return;
4249
4250 hci_dev_lock(hdev);
4251
4252 /* Remove connection if command failed */
4253 for (i = 0; i < cp->num_cis; i++) {
4254 struct hci_conn *conn;
4255 u16 handle;
4256
4257 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4258
4259 conn = hci_conn_hash_lookup_handle(hdev, handle);
4260 if (conn) {
4261 if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4262 &conn->flags))
4263 pending = true;
4264 conn->state = BT_CLOSED;
4265 hci_connect_cfm(conn, status);
4266 hci_conn_del(conn);
4267 }
4268 }
4269 cp->num_cis = 0;
4270
4271 if (pending)
4272 hci_le_create_cis_pending(hdev);
4273
4274 hci_dev_unlock(hdev);
4275}
4276
4277#define HCI_CS(_op, _func) \
4278{ \
4279 .op = _op, \
4280 .func = _func, \
4281}
4282
4283static const struct hci_cs {
4284 u16 op;
4285 void (*func)(struct hci_dev *hdev, __u8 status);
4286} hci_cs_table[] = {
4287 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4288 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4289 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4290 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4291 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4292 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4293 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4294 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4295 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4296 hci_cs_read_remote_ext_features),
4297 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4298 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4299 hci_cs_enhanced_setup_sync_conn),
4300 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4301 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4302 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4303 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4304 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4305 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4306 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4307 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4308 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4309};
4310
4311static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4312 struct sk_buff *skb, u16 *opcode, u8 *status,
4313 hci_req_complete_t *req_complete,
4314 hci_req_complete_skb_t *req_complete_skb)
4315{
4316 struct hci_ev_cmd_status *ev = data;
4317 int i;
4318
4319 *opcode = __le16_to_cpu(ev->opcode);
4320 *status = ev->status;
4321
4322 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4323
4324 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4325 if (hci_cs_table[i].op == *opcode) {
4326 hci_cs_table[i].func(hdev, ev->status);
4327 break;
4328 }
4329 }
4330
4331 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4332
4333 /* Indicate request completion if the command failed. Also, if
4334 * we're not waiting for a special event and we get a success
4335 * command status we should try to flag the request as completed
4336 * (since for this kind of commands there will not be a command
4337 * complete event).
4338 */
4339 if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
4340 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4341 req_complete_skb);
4342 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4343 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4344 *opcode);
4345 return;
4346 }
4347 }
4348
4349 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4350 queue_work(hdev->workqueue, &hdev->cmd_work);
4351}
4352
4353static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4354 struct sk_buff *skb)
4355{
4356 struct hci_ev_hardware_error *ev = data;
4357
4358 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4359
4360 hdev->hw_error_code = ev->code;
4361
4362 queue_work(hdev->req_workqueue, &hdev->error_reset);
4363}
4364
4365static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4366 struct sk_buff *skb)
4367{
4368 struct hci_ev_role_change *ev = data;
4369 struct hci_conn *conn;
4370
4371 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4372
4373 hci_dev_lock(hdev);
4374
4375 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4376 if (conn) {
4377 if (!ev->status)
4378 conn->role = ev->role;
4379
4380 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4381
4382 hci_role_switch_cfm(conn, ev->status, ev->role);
4383 }
4384
4385 hci_dev_unlock(hdev);
4386}
4387
4388static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4389 struct sk_buff *skb)
4390{
4391 struct hci_ev_num_comp_pkts *ev = data;
4392 int i;
4393
4394 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4395 flex_array_size(ev, handles, ev->num)))
4396 return;
4397
4398 bt_dev_dbg(hdev, "num %d", ev->num);
4399
4400 for (i = 0; i < ev->num; i++) {
4401 struct hci_comp_pkts_info *info = &ev->handles[i];
4402 struct hci_conn *conn;
4403 __u16 handle, count;
4404
4405 handle = __le16_to_cpu(info->handle);
4406 count = __le16_to_cpu(info->count);
4407
4408 conn = hci_conn_hash_lookup_handle(hdev, handle);
4409 if (!conn)
4410 continue;
4411
4412 conn->sent -= count;
4413
4414 switch (conn->type) {
4415 case ACL_LINK:
4416 hdev->acl_cnt += count;
4417 if (hdev->acl_cnt > hdev->acl_pkts)
4418 hdev->acl_cnt = hdev->acl_pkts;
4419 break;
4420
4421 case LE_LINK:
4422 if (hdev->le_pkts) {
4423 hdev->le_cnt += count;
4424 if (hdev->le_cnt > hdev->le_pkts)
4425 hdev->le_cnt = hdev->le_pkts;
4426 } else {
4427 hdev->acl_cnt += count;
4428 if (hdev->acl_cnt > hdev->acl_pkts)
4429 hdev->acl_cnt = hdev->acl_pkts;
4430 }
4431 break;
4432
4433 case SCO_LINK:
4434 hdev->sco_cnt += count;
4435 if (hdev->sco_cnt > hdev->sco_pkts)
4436 hdev->sco_cnt = hdev->sco_pkts;
4437 break;
4438
4439 case ISO_LINK:
4440 if (hdev->iso_pkts) {
4441 hdev->iso_cnt += count;
4442 if (hdev->iso_cnt > hdev->iso_pkts)
4443 hdev->iso_cnt = hdev->iso_pkts;
4444 } else if (hdev->le_pkts) {
4445 hdev->le_cnt += count;
4446 if (hdev->le_cnt > hdev->le_pkts)
4447 hdev->le_cnt = hdev->le_pkts;
4448 } else {
4449 hdev->acl_cnt += count;
4450 if (hdev->acl_cnt > hdev->acl_pkts)
4451 hdev->acl_cnt = hdev->acl_pkts;
4452 }
4453 break;
4454
4455 default:
4456 bt_dev_err(hdev, "unknown type %d conn %p",
4457 conn->type, conn);
4458 break;
4459 }
4460 }
4461
4462 queue_work(hdev->workqueue, &hdev->tx_work);
4463}
4464
4465static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4466 struct sk_buff *skb)
4467{
4468 struct hci_ev_mode_change *ev = data;
4469 struct hci_conn *conn;
4470
4471 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4472
4473 hci_dev_lock(hdev);
4474
4475 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4476 if (conn) {
4477 conn->mode = ev->mode;
4478
4479 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4480 &conn->flags)) {
4481 if (conn->mode == HCI_CM_ACTIVE)
4482 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4483 else
4484 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4485 }
4486
4487 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4488 hci_sco_setup(conn, ev->status);
4489 }
4490
4491 hci_dev_unlock(hdev);
4492}
4493
4494static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4495 struct sk_buff *skb)
4496{
4497 struct hci_ev_pin_code_req *ev = data;
4498 struct hci_conn *conn;
4499
4500 bt_dev_dbg(hdev, "");
4501
4502 hci_dev_lock(hdev);
4503
4504 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4505 if (!conn)
4506 goto unlock;
4507
4508 if (conn->state == BT_CONNECTED) {
4509 hci_conn_hold(conn);
4510 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4511 hci_conn_drop(conn);
4512 }
4513
4514 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4515 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4516 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4517 sizeof(ev->bdaddr), &ev->bdaddr);
4518 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4519 u8 secure;
4520
4521 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4522 secure = 1;
4523 else
4524 secure = 0;
4525
4526 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4527 }
4528
4529unlock:
4530 hci_dev_unlock(hdev);
4531}
4532
4533static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4534{
4535 if (key_type == HCI_LK_CHANGED_COMBINATION)
4536 return;
4537
4538 conn->pin_length = pin_len;
4539 conn->key_type = key_type;
4540
4541 switch (key_type) {
4542 case HCI_LK_LOCAL_UNIT:
4543 case HCI_LK_REMOTE_UNIT:
4544 case HCI_LK_DEBUG_COMBINATION:
4545 return;
4546 case HCI_LK_COMBINATION:
4547 if (pin_len == 16)
4548 conn->pending_sec_level = BT_SECURITY_HIGH;
4549 else
4550 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4551 break;
4552 case HCI_LK_UNAUTH_COMBINATION_P192:
4553 case HCI_LK_UNAUTH_COMBINATION_P256:
4554 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4555 break;
4556 case HCI_LK_AUTH_COMBINATION_P192:
4557 conn->pending_sec_level = BT_SECURITY_HIGH;
4558 break;
4559 case HCI_LK_AUTH_COMBINATION_P256:
4560 conn->pending_sec_level = BT_SECURITY_FIPS;
4561 break;
4562 }
4563}
4564
4565static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4566 struct sk_buff *skb)
4567{
4568 struct hci_ev_link_key_req *ev = data;
4569 struct hci_cp_link_key_reply cp;
4570 struct hci_conn *conn;
4571 struct link_key *key;
4572
4573 bt_dev_dbg(hdev, "");
4574
4575 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4576 return;
4577
4578 hci_dev_lock(hdev);
4579
4580 key = hci_find_link_key(hdev, &ev->bdaddr);
4581 if (!key) {
4582 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4583 goto not_found;
4584 }
4585
4586 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4587
4588 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4589 if (conn) {
4590 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4591
4592 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4593 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4594 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4595 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4596 goto not_found;
4597 }
4598
4599 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4600 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4601 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4602 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4603 goto not_found;
4604 }
4605
4606 conn_set_key(conn, key->type, key->pin_len);
4607 }
4608
4609 bacpy(&cp.bdaddr, &ev->bdaddr);
4610 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4611
4612 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4613
4614 hci_dev_unlock(hdev);
4615
4616 return;
4617
4618not_found:
4619 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4620 hci_dev_unlock(hdev);
4621}
4622
4623static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4624 struct sk_buff *skb)
4625{
4626 struct hci_ev_link_key_notify *ev = data;
4627 struct hci_conn *conn;
4628 struct link_key *key;
4629 bool persistent;
4630 u8 pin_len = 0;
4631
4632 bt_dev_dbg(hdev, "");
4633
4634 hci_dev_lock(hdev);
4635
4636 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4637 if (!conn)
4638 goto unlock;
4639
4640 /* Ignore NULL link key against CVE-2020-26555 */
4641 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4642 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4643 &ev->bdaddr);
4644 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4645 hci_conn_drop(conn);
4646 goto unlock;
4647 }
4648
4649 hci_conn_hold(conn);
4650 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4651 hci_conn_drop(conn);
4652
4653 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4654 conn_set_key(conn, ev->key_type, conn->pin_length);
4655
4656 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4657 goto unlock;
4658
4659 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4660 ev->key_type, pin_len, &persistent);
4661 if (!key)
4662 goto unlock;
4663
4664 /* Update connection information since adding the key will have
4665 * fixed up the type in the case of changed combination keys.
4666 */
4667 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4668 conn_set_key(conn, key->type, key->pin_len);
4669
4670 mgmt_new_link_key(hdev, key, persistent);
4671
4672 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4673 * is set. If it's not set simply remove the key from the kernel
4674 * list (we've still notified user space about it but with
4675 * store_hint being 0).
4676 */
4677 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4678 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4679 list_del_rcu(&key->list);
4680 kfree_rcu(key, rcu);
4681 goto unlock;
4682 }
4683
4684 if (persistent)
4685 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4686 else
4687 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4688
4689unlock:
4690 hci_dev_unlock(hdev);
4691}
4692
4693static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4694 struct sk_buff *skb)
4695{
4696 struct hci_ev_clock_offset *ev = data;
4697 struct hci_conn *conn;
4698
4699 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4700
4701 hci_dev_lock(hdev);
4702
4703 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4704 if (conn && !ev->status) {
4705 struct inquiry_entry *ie;
4706
4707 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4708 if (ie) {
4709 ie->data.clock_offset = ev->clock_offset;
4710 ie->timestamp = jiffies;
4711 }
4712 }
4713
4714 hci_dev_unlock(hdev);
4715}
4716
4717static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4718 struct sk_buff *skb)
4719{
4720 struct hci_ev_pkt_type_change *ev = data;
4721 struct hci_conn *conn;
4722
4723 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4724
4725 hci_dev_lock(hdev);
4726
4727 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4728 if (conn && !ev->status)
4729 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4730
4731 hci_dev_unlock(hdev);
4732}
4733
4734static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4735 struct sk_buff *skb)
4736{
4737 struct hci_ev_pscan_rep_mode *ev = data;
4738 struct inquiry_entry *ie;
4739
4740 bt_dev_dbg(hdev, "");
4741
4742 hci_dev_lock(hdev);
4743
4744 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4745 if (ie) {
4746 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4747 ie->timestamp = jiffies;
4748 }
4749
4750 hci_dev_unlock(hdev);
4751}
4752
4753static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4754 struct sk_buff *skb)
4755{
4756 struct hci_ev_inquiry_result_rssi *ev = edata;
4757 struct inquiry_data data;
4758 int i;
4759
4760 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4761
4762 if (!ev->num)
4763 return;
4764
4765 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4766 return;
4767
4768 hci_dev_lock(hdev);
4769
4770 if (skb->len == array_size(ev->num,
4771 sizeof(struct inquiry_info_rssi_pscan))) {
4772 struct inquiry_info_rssi_pscan *info;
4773
4774 for (i = 0; i < ev->num; i++) {
4775 u32 flags;
4776
4777 info = hci_ev_skb_pull(hdev, skb,
4778 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4779 sizeof(*info));
4780 if (!info) {
4781 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4782 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4783 goto unlock;
4784 }
4785
4786 bacpy(&data.bdaddr, &info->bdaddr);
4787 data.pscan_rep_mode = info->pscan_rep_mode;
4788 data.pscan_period_mode = info->pscan_period_mode;
4789 data.pscan_mode = info->pscan_mode;
4790 memcpy(data.dev_class, info->dev_class, 3);
4791 data.clock_offset = info->clock_offset;
4792 data.rssi = info->rssi;
4793 data.ssp_mode = 0x00;
4794
4795 flags = hci_inquiry_cache_update(hdev, &data, false);
4796
4797 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4798 info->dev_class, info->rssi,
4799 flags, NULL, 0, NULL, 0, 0);
4800 }
4801 } else if (skb->len == array_size(ev->num,
4802 sizeof(struct inquiry_info_rssi))) {
4803 struct inquiry_info_rssi *info;
4804
4805 for (i = 0; i < ev->num; i++) {
4806 u32 flags;
4807
4808 info = hci_ev_skb_pull(hdev, skb,
4809 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4810 sizeof(*info));
4811 if (!info) {
4812 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4813 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4814 goto unlock;
4815 }
4816
4817 bacpy(&data.bdaddr, &info->bdaddr);
4818 data.pscan_rep_mode = info->pscan_rep_mode;
4819 data.pscan_period_mode = info->pscan_period_mode;
4820 data.pscan_mode = 0x00;
4821 memcpy(data.dev_class, info->dev_class, 3);
4822 data.clock_offset = info->clock_offset;
4823 data.rssi = info->rssi;
4824 data.ssp_mode = 0x00;
4825
4826 flags = hci_inquiry_cache_update(hdev, &data, false);
4827
4828 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4829 info->dev_class, info->rssi,
4830 flags, NULL, 0, NULL, 0, 0);
4831 }
4832 } else {
4833 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4834 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4835 }
4836unlock:
4837 hci_dev_unlock(hdev);
4838}
4839
4840static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4841 struct sk_buff *skb)
4842{
4843 struct hci_ev_remote_ext_features *ev = data;
4844 struct hci_conn *conn;
4845
4846 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4847
4848 hci_dev_lock(hdev);
4849
4850 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4851 if (!conn)
4852 goto unlock;
4853
4854 if (ev->page < HCI_MAX_PAGES)
4855 memcpy(conn->features[ev->page], ev->features, 8);
4856
4857 if (!ev->status && ev->page == 0x01) {
4858 struct inquiry_entry *ie;
4859
4860 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4861 if (ie)
4862 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4863
4864 if (ev->features[0] & LMP_HOST_SSP) {
4865 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4866 } else {
4867 /* It is mandatory by the Bluetooth specification that
4868 * Extended Inquiry Results are only used when Secure
4869 * Simple Pairing is enabled, but some devices violate
4870 * this.
4871 *
4872 * To make these devices work, the internal SSP
4873 * enabled flag needs to be cleared if the remote host
4874 * features do not indicate SSP support */
4875 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4876 }
4877
4878 if (ev->features[0] & LMP_HOST_SC)
4879 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4880 }
4881
4882 if (conn->state != BT_CONFIG)
4883 goto unlock;
4884
4885 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4886 struct hci_cp_remote_name_req cp;
4887 memset(&cp, 0, sizeof(cp));
4888 bacpy(&cp.bdaddr, &conn->dst);
4889 cp.pscan_rep_mode = 0x02;
4890 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4891 } else {
4892 mgmt_device_connected(hdev, conn, NULL, 0);
4893 }
4894
4895 if (!hci_outgoing_auth_needed(hdev, conn)) {
4896 conn->state = BT_CONNECTED;
4897 hci_connect_cfm(conn, ev->status);
4898 hci_conn_drop(conn);
4899 }
4900
4901unlock:
4902 hci_dev_unlock(hdev);
4903}
4904
4905static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
4906 struct sk_buff *skb)
4907{
4908 struct hci_ev_sync_conn_complete *ev = data;
4909 struct hci_conn *conn;
4910 u8 status = ev->status;
4911
4912 switch (ev->link_type) {
4913 case SCO_LINK:
4914 case ESCO_LINK:
4915 break;
4916 default:
4917 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
4918 * for HCI_Synchronous_Connection_Complete is limited to
4919 * either SCO or eSCO
4920 */
4921 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
4922 return;
4923 }
4924
4925 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4926
4927 hci_dev_lock(hdev);
4928
4929 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4930 if (!conn) {
4931 if (ev->link_type == ESCO_LINK)
4932 goto unlock;
4933
4934 /* When the link type in the event indicates SCO connection
4935 * and lookup of the connection object fails, then check
4936 * if an eSCO connection object exists.
4937 *
4938 * The core limits the synchronous connections to either
4939 * SCO or eSCO. The eSCO connection is preferred and tried
4940 * to be setup first and until successfully established,
4941 * the link type will be hinted as eSCO.
4942 */
4943 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4944 if (!conn)
4945 goto unlock;
4946 }
4947
4948 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
4949 * Processing it more than once per connection can corrupt kernel memory.
4950 *
4951 * As the connection handle is set here for the first time, it indicates
4952 * whether the connection is already set up.
4953 */
4954 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
4955 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
4956 goto unlock;
4957 }
4958
4959 switch (status) {
4960 case 0x00:
4961 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
4962 if (status) {
4963 conn->state = BT_CLOSED;
4964 break;
4965 }
4966
4967 conn->state = BT_CONNECTED;
4968 conn->type = ev->link_type;
4969
4970 hci_debugfs_create_conn(conn);
4971 hci_conn_add_sysfs(conn);
4972 break;
4973
4974 case 0x10: /* Connection Accept Timeout */
4975 case 0x0d: /* Connection Rejected due to Limited Resources */
4976 case 0x11: /* Unsupported Feature or Parameter Value */
4977 case 0x1c: /* SCO interval rejected */
4978 case 0x1a: /* Unsupported Remote Feature */
4979 case 0x1e: /* Invalid LMP Parameters */
4980 case 0x1f: /* Unspecified error */
4981 case 0x20: /* Unsupported LMP Parameter value */
4982 if (conn->out) {
4983 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4984 (hdev->esco_type & EDR_ESCO_MASK);
4985 if (hci_setup_sync(conn, conn->parent->handle))
4986 goto unlock;
4987 }
4988 fallthrough;
4989
4990 default:
4991 conn->state = BT_CLOSED;
4992 break;
4993 }
4994
4995 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4996 /* Notify only in case of SCO over HCI transport data path which
4997 * is zero and non-zero value shall be non-HCI transport data path
4998 */
4999 if (conn->codec.data_path == 0 && hdev->notify) {
5000 switch (ev->air_mode) {
5001 case 0x02:
5002 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5003 break;
5004 case 0x03:
5005 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5006 break;
5007 }
5008 }
5009
5010 hci_connect_cfm(conn, status);
5011 if (status)
5012 hci_conn_del(conn);
5013
5014unlock:
5015 hci_dev_unlock(hdev);
5016}
5017
5018static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5019{
5020 size_t parsed = 0;
5021
5022 while (parsed < eir_len) {
5023 u8 field_len = eir[0];
5024
5025 if (field_len == 0)
5026 return parsed;
5027
5028 parsed += field_len + 1;
5029 eir += field_len + 1;
5030 }
5031
5032 return eir_len;
5033}
5034
5035static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5036 struct sk_buff *skb)
5037{
5038 struct hci_ev_ext_inquiry_result *ev = edata;
5039 struct inquiry_data data;
5040 size_t eir_len;
5041 int i;
5042
5043 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5044 flex_array_size(ev, info, ev->num)))
5045 return;
5046
5047 bt_dev_dbg(hdev, "num %d", ev->num);
5048
5049 if (!ev->num)
5050 return;
5051
5052 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5053 return;
5054
5055 hci_dev_lock(hdev);
5056
5057 for (i = 0; i < ev->num; i++) {
5058 struct extended_inquiry_info *info = &ev->info[i];
5059 u32 flags;
5060 bool name_known;
5061
5062 bacpy(&data.bdaddr, &info->bdaddr);
5063 data.pscan_rep_mode = info->pscan_rep_mode;
5064 data.pscan_period_mode = info->pscan_period_mode;
5065 data.pscan_mode = 0x00;
5066 memcpy(data.dev_class, info->dev_class, 3);
5067 data.clock_offset = info->clock_offset;
5068 data.rssi = info->rssi;
5069 data.ssp_mode = 0x01;
5070
5071 if (hci_dev_test_flag(hdev, HCI_MGMT))
5072 name_known = eir_get_data(info->data,
5073 sizeof(info->data),
5074 EIR_NAME_COMPLETE, NULL);
5075 else
5076 name_known = true;
5077
5078 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5079
5080 eir_len = eir_get_length(info->data, sizeof(info->data));
5081
5082 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5083 info->dev_class, info->rssi,
5084 flags, info->data, eir_len, NULL, 0, 0);
5085 }
5086
5087 hci_dev_unlock(hdev);
5088}
5089
5090static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5091 struct sk_buff *skb)
5092{
5093 struct hci_ev_key_refresh_complete *ev = data;
5094 struct hci_conn *conn;
5095
5096 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5097 __le16_to_cpu(ev->handle));
5098
5099 hci_dev_lock(hdev);
5100
5101 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5102 if (!conn)
5103 goto unlock;
5104
5105 /* For BR/EDR the necessary steps are taken through the
5106 * auth_complete event.
5107 */
5108 if (conn->type != LE_LINK)
5109 goto unlock;
5110
5111 if (!ev->status)
5112 conn->sec_level = conn->pending_sec_level;
5113
5114 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5115
5116 if (ev->status && conn->state == BT_CONNECTED) {
5117 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5118 hci_conn_drop(conn);
5119 goto unlock;
5120 }
5121
5122 if (conn->state == BT_CONFIG) {
5123 if (!ev->status)
5124 conn->state = BT_CONNECTED;
5125
5126 hci_connect_cfm(conn, ev->status);
5127 hci_conn_drop(conn);
5128 } else {
5129 hci_auth_cfm(conn, ev->status);
5130
5131 hci_conn_hold(conn);
5132 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5133 hci_conn_drop(conn);
5134 }
5135
5136unlock:
5137 hci_dev_unlock(hdev);
5138}
5139
5140static u8 hci_get_auth_req(struct hci_conn *conn)
5141{
5142 /* If remote requests no-bonding follow that lead */
5143 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5144 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5145 return conn->remote_auth | (conn->auth_type & 0x01);
5146
5147 /* If both remote and local have enough IO capabilities, require
5148 * MITM protection
5149 */
5150 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5151 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5152 return conn->remote_auth | 0x01;
5153
5154 /* No MITM protection possible so ignore remote requirement */
5155 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5156}
5157
5158static u8 bredr_oob_data_present(struct hci_conn *conn)
5159{
5160 struct hci_dev *hdev = conn->hdev;
5161 struct oob_data *data;
5162
5163 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5164 if (!data)
5165 return 0x00;
5166
5167 if (bredr_sc_enabled(hdev)) {
5168 /* When Secure Connections is enabled, then just
5169 * return the present value stored with the OOB
5170 * data. The stored value contains the right present
5171 * information. However it can only be trusted when
5172 * not in Secure Connection Only mode.
5173 */
5174 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5175 return data->present;
5176
5177 /* When Secure Connections Only mode is enabled, then
5178 * the P-256 values are required. If they are not
5179 * available, then do not declare that OOB data is
5180 * present.
5181 */
5182 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5183 !crypto_memneq(data->hash256, ZERO_KEY, 16))
5184 return 0x00;
5185
5186 return 0x02;
5187 }
5188
5189 /* When Secure Connections is not enabled or actually
5190 * not supported by the hardware, then check that if
5191 * P-192 data values are present.
5192 */
5193 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5194 !crypto_memneq(data->hash192, ZERO_KEY, 16))
5195 return 0x00;
5196
5197 return 0x01;
5198}
5199
5200static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5201 struct sk_buff *skb)
5202{
5203 struct hci_ev_io_capa_request *ev = data;
5204 struct hci_conn *conn;
5205
5206 bt_dev_dbg(hdev, "");
5207
5208 hci_dev_lock(hdev);
5209
5210 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5211 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5212 goto unlock;
5213
5214 /* Assume remote supports SSP since it has triggered this event */
5215 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5216
5217 hci_conn_hold(conn);
5218
5219 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5220 goto unlock;
5221
5222 /* Allow pairing if we're pairable, the initiators of the
5223 * pairing or if the remote is not requesting bonding.
5224 */
5225 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5226 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5227 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5228 struct hci_cp_io_capability_reply cp;
5229
5230 bacpy(&cp.bdaddr, &ev->bdaddr);
5231 /* Change the IO capability from KeyboardDisplay
5232 * to DisplayYesNo as it is not supported by BT spec. */
5233 cp.capability = (conn->io_capability == 0x04) ?
5234 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5235
5236 /* If we are initiators, there is no remote information yet */
5237 if (conn->remote_auth == 0xff) {
5238 /* Request MITM protection if our IO caps allow it
5239 * except for the no-bonding case.
5240 */
5241 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5242 conn->auth_type != HCI_AT_NO_BONDING)
5243 conn->auth_type |= 0x01;
5244 } else {
5245 conn->auth_type = hci_get_auth_req(conn);
5246 }
5247
5248 /* If we're not bondable, force one of the non-bondable
5249 * authentication requirement values.
5250 */
5251 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5252 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5253
5254 cp.authentication = conn->auth_type;
5255 cp.oob_data = bredr_oob_data_present(conn);
5256
5257 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5258 sizeof(cp), &cp);
5259 } else {
5260 struct hci_cp_io_capability_neg_reply cp;
5261
5262 bacpy(&cp.bdaddr, &ev->bdaddr);
5263 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5264
5265 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5266 sizeof(cp), &cp);
5267 }
5268
5269unlock:
5270 hci_dev_unlock(hdev);
5271}
5272
5273static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5274 struct sk_buff *skb)
5275{
5276 struct hci_ev_io_capa_reply *ev = data;
5277 struct hci_conn *conn;
5278
5279 bt_dev_dbg(hdev, "");
5280
5281 hci_dev_lock(hdev);
5282
5283 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5284 if (!conn)
5285 goto unlock;
5286
5287 conn->remote_cap = ev->capability;
5288 conn->remote_auth = ev->authentication;
5289
5290unlock:
5291 hci_dev_unlock(hdev);
5292}
5293
5294static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5295 struct sk_buff *skb)
5296{
5297 struct hci_ev_user_confirm_req *ev = data;
5298 int loc_mitm, rem_mitm, confirm_hint = 0;
5299 struct hci_conn *conn;
5300
5301 bt_dev_dbg(hdev, "");
5302
5303 hci_dev_lock(hdev);
5304
5305 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5306 goto unlock;
5307
5308 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5309 if (!conn)
5310 goto unlock;
5311
5312 loc_mitm = (conn->auth_type & 0x01);
5313 rem_mitm = (conn->remote_auth & 0x01);
5314
5315 /* If we require MITM but the remote device can't provide that
5316 * (it has NoInputNoOutput) then reject the confirmation
5317 * request. We check the security level here since it doesn't
5318 * necessarily match conn->auth_type.
5319 */
5320 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5321 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5322 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5323 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5324 sizeof(ev->bdaddr), &ev->bdaddr);
5325 goto unlock;
5326 }
5327
5328 /* If no side requires MITM protection; auto-accept */
5329 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5330 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5331
5332 /* If we're not the initiators request authorization to
5333 * proceed from user space (mgmt_user_confirm with
5334 * confirm_hint set to 1). The exception is if neither
5335 * side had MITM or if the local IO capability is
5336 * NoInputNoOutput, in which case we do auto-accept
5337 */
5338 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5339 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5340 (loc_mitm || rem_mitm)) {
5341 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5342 confirm_hint = 1;
5343 goto confirm;
5344 }
5345
5346 /* If there already exists link key in local host, leave the
5347 * decision to user space since the remote device could be
5348 * legitimate or malicious.
5349 */
5350 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5351 bt_dev_dbg(hdev, "Local host already has link key");
5352 confirm_hint = 1;
5353 goto confirm;
5354 }
5355
5356 BT_DBG("Auto-accept of user confirmation with %ums delay",
5357 hdev->auto_accept_delay);
5358
5359 if (hdev->auto_accept_delay > 0) {
5360 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5361 queue_delayed_work(conn->hdev->workqueue,
5362 &conn->auto_accept_work, delay);
5363 goto unlock;
5364 }
5365
5366 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5367 sizeof(ev->bdaddr), &ev->bdaddr);
5368 goto unlock;
5369 }
5370
5371confirm:
5372 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5373 le32_to_cpu(ev->passkey), confirm_hint);
5374
5375unlock:
5376 hci_dev_unlock(hdev);
5377}
5378
5379static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5380 struct sk_buff *skb)
5381{
5382 struct hci_ev_user_passkey_req *ev = data;
5383
5384 bt_dev_dbg(hdev, "");
5385
5386 if (hci_dev_test_flag(hdev, HCI_MGMT))
5387 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5388}
5389
5390static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5391 struct sk_buff *skb)
5392{
5393 struct hci_ev_user_passkey_notify *ev = data;
5394 struct hci_conn *conn;
5395
5396 bt_dev_dbg(hdev, "");
5397
5398 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5399 if (!conn)
5400 return;
5401
5402 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5403 conn->passkey_entered = 0;
5404
5405 if (hci_dev_test_flag(hdev, HCI_MGMT))
5406 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5407 conn->dst_type, conn->passkey_notify,
5408 conn->passkey_entered);
5409}
5410
5411static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5412 struct sk_buff *skb)
5413{
5414 struct hci_ev_keypress_notify *ev = data;
5415 struct hci_conn *conn;
5416
5417 bt_dev_dbg(hdev, "");
5418
5419 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5420 if (!conn)
5421 return;
5422
5423 switch (ev->type) {
5424 case HCI_KEYPRESS_STARTED:
5425 conn->passkey_entered = 0;
5426 return;
5427
5428 case HCI_KEYPRESS_ENTERED:
5429 conn->passkey_entered++;
5430 break;
5431
5432 case HCI_KEYPRESS_ERASED:
5433 conn->passkey_entered--;
5434 break;
5435
5436 case HCI_KEYPRESS_CLEARED:
5437 conn->passkey_entered = 0;
5438 break;
5439
5440 case HCI_KEYPRESS_COMPLETED:
5441 return;
5442 }
5443
5444 if (hci_dev_test_flag(hdev, HCI_MGMT))
5445 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5446 conn->dst_type, conn->passkey_notify,
5447 conn->passkey_entered);
5448}
5449
5450static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5451 struct sk_buff *skb)
5452{
5453 struct hci_ev_simple_pair_complete *ev = data;
5454 struct hci_conn *conn;
5455
5456 bt_dev_dbg(hdev, "");
5457
5458 hci_dev_lock(hdev);
5459
5460 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5461 if (!conn || !hci_conn_ssp_enabled(conn))
5462 goto unlock;
5463
5464 /* Reset the authentication requirement to unknown */
5465 conn->remote_auth = 0xff;
5466
5467 /* To avoid duplicate auth_failed events to user space we check
5468 * the HCI_CONN_AUTH_PEND flag which will be set if we
5469 * initiated the authentication. A traditional auth_complete
5470 * event gets always produced as initiator and is also mapped to
5471 * the mgmt_auth_failed event */
5472 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5473 mgmt_auth_failed(conn, ev->status);
5474
5475 hci_conn_drop(conn);
5476
5477unlock:
5478 hci_dev_unlock(hdev);
5479}
5480
5481static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5482 struct sk_buff *skb)
5483{
5484 struct hci_ev_remote_host_features *ev = data;
5485 struct inquiry_entry *ie;
5486 struct hci_conn *conn;
5487
5488 bt_dev_dbg(hdev, "");
5489
5490 hci_dev_lock(hdev);
5491
5492 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5493 if (conn)
5494 memcpy(conn->features[1], ev->features, 8);
5495
5496 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5497 if (ie)
5498 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5499
5500 hci_dev_unlock(hdev);
5501}
5502
5503static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5504 struct sk_buff *skb)
5505{
5506 struct hci_ev_remote_oob_data_request *ev = edata;
5507 struct oob_data *data;
5508
5509 bt_dev_dbg(hdev, "");
5510
5511 hci_dev_lock(hdev);
5512
5513 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5514 goto unlock;
5515
5516 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5517 if (!data) {
5518 struct hci_cp_remote_oob_data_neg_reply cp;
5519
5520 bacpy(&cp.bdaddr, &ev->bdaddr);
5521 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5522 sizeof(cp), &cp);
5523 goto unlock;
5524 }
5525
5526 if (bredr_sc_enabled(hdev)) {
5527 struct hci_cp_remote_oob_ext_data_reply cp;
5528
5529 bacpy(&cp.bdaddr, &ev->bdaddr);
5530 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5531 memset(cp.hash192, 0, sizeof(cp.hash192));
5532 memset(cp.rand192, 0, sizeof(cp.rand192));
5533 } else {
5534 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5535 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5536 }
5537 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5538 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5539
5540 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5541 sizeof(cp), &cp);
5542 } else {
5543 struct hci_cp_remote_oob_data_reply cp;
5544
5545 bacpy(&cp.bdaddr, &ev->bdaddr);
5546 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5547 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5548
5549 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5550 sizeof(cp), &cp);
5551 }
5552
5553unlock:
5554 hci_dev_unlock(hdev);
5555}
5556
5557static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5558 u8 bdaddr_type, bdaddr_t *local_rpa)
5559{
5560 if (conn->out) {
5561 conn->dst_type = bdaddr_type;
5562 conn->resp_addr_type = bdaddr_type;
5563 bacpy(&conn->resp_addr, bdaddr);
5564
5565 /* Check if the controller has set a Local RPA then it must be
5566 * used instead or hdev->rpa.
5567 */
5568 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5569 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5570 bacpy(&conn->init_addr, local_rpa);
5571 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5572 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5573 bacpy(&conn->init_addr, &conn->hdev->rpa);
5574 } else {
5575 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5576 &conn->init_addr_type);
5577 }
5578 } else {
5579 conn->resp_addr_type = conn->hdev->adv_addr_type;
5580 /* Check if the controller has set a Local RPA then it must be
5581 * used instead or hdev->rpa.
5582 */
5583 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5584 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5585 bacpy(&conn->resp_addr, local_rpa);
5586 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5587 /* In case of ext adv, resp_addr will be updated in
5588 * Adv Terminated event.
5589 */
5590 if (!ext_adv_capable(conn->hdev))
5591 bacpy(&conn->resp_addr,
5592 &conn->hdev->random_addr);
5593 } else {
5594 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5595 }
5596
5597 conn->init_addr_type = bdaddr_type;
5598 bacpy(&conn->init_addr, bdaddr);
5599
5600 /* For incoming connections, set the default minimum
5601 * and maximum connection interval. They will be used
5602 * to check if the parameters are in range and if not
5603 * trigger the connection update procedure.
5604 */
5605 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5606 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5607 }
5608}
5609
5610static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5611 bdaddr_t *bdaddr, u8 bdaddr_type,
5612 bdaddr_t *local_rpa, u8 role, u16 handle,
5613 u16 interval, u16 latency,
5614 u16 supervision_timeout)
5615{
5616 struct hci_conn_params *params;
5617 struct hci_conn *conn;
5618 struct smp_irk *irk;
5619 u8 addr_type;
5620
5621 hci_dev_lock(hdev);
5622
5623 /* All controllers implicitly stop advertising in the event of a
5624 * connection, so ensure that the state bit is cleared.
5625 */
5626 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5627
5628 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5629 if (!conn) {
5630 /* In case of error status and there is no connection pending
5631 * just unlock as there is nothing to cleanup.
5632 */
5633 if (status)
5634 goto unlock;
5635
5636 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5637 if (IS_ERR(conn)) {
5638 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
5639 goto unlock;
5640 }
5641
5642 conn->dst_type = bdaddr_type;
5643
5644 /* If we didn't have a hci_conn object previously
5645 * but we're in central role this must be something
5646 * initiated using an accept list. Since accept list based
5647 * connections are not "first class citizens" we don't
5648 * have full tracking of them. Therefore, we go ahead
5649 * with a "best effort" approach of determining the
5650 * initiator address based on the HCI_PRIVACY flag.
5651 */
5652 if (conn->out) {
5653 conn->resp_addr_type = bdaddr_type;
5654 bacpy(&conn->resp_addr, bdaddr);
5655 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5656 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5657 bacpy(&conn->init_addr, &hdev->rpa);
5658 } else {
5659 hci_copy_identity_address(hdev,
5660 &conn->init_addr,
5661 &conn->init_addr_type);
5662 }
5663 }
5664 } else {
5665 cancel_delayed_work(&conn->le_conn_timeout);
5666 }
5667
5668 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5669 * Processing it more than once per connection can corrupt kernel memory.
5670 *
5671 * As the connection handle is set here for the first time, it indicates
5672 * whether the connection is already set up.
5673 */
5674 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5675 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5676 goto unlock;
5677 }
5678
5679 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5680
5681 /* Lookup the identity address from the stored connection
5682 * address and address type.
5683 *
5684 * When establishing connections to an identity address, the
5685 * connection procedure will store the resolvable random
5686 * address first. Now if it can be converted back into the
5687 * identity address, start using the identity address from
5688 * now on.
5689 */
5690 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5691 if (irk) {
5692 bacpy(&conn->dst, &irk->bdaddr);
5693 conn->dst_type = irk->addr_type;
5694 }
5695
5696 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5697
5698 /* All connection failure handling is taken care of by the
5699 * hci_conn_failed function which is triggered by the HCI
5700 * request completion callbacks used for connecting.
5701 */
5702 if (status || hci_conn_set_handle(conn, handle))
5703 goto unlock;
5704
5705 /* Drop the connection if it has been aborted */
5706 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5707 hci_conn_drop(conn);
5708 goto unlock;
5709 }
5710
5711 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5712 addr_type = BDADDR_LE_PUBLIC;
5713 else
5714 addr_type = BDADDR_LE_RANDOM;
5715
5716 /* Drop the connection if the device is blocked */
5717 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5718 hci_conn_drop(conn);
5719 goto unlock;
5720 }
5721
5722 mgmt_device_connected(hdev, conn, NULL, 0);
5723
5724 conn->sec_level = BT_SECURITY_LOW;
5725 conn->state = BT_CONFIG;
5726
5727 /* Store current advertising instance as connection advertising instance
5728 * when sotfware rotation is in use so it can be re-enabled when
5729 * disconnected.
5730 */
5731 if (!ext_adv_capable(hdev))
5732 conn->adv_instance = hdev->cur_adv_instance;
5733
5734 conn->le_conn_interval = interval;
5735 conn->le_conn_latency = latency;
5736 conn->le_supv_timeout = supervision_timeout;
5737
5738 hci_debugfs_create_conn(conn);
5739 hci_conn_add_sysfs(conn);
5740
5741 /* The remote features procedure is defined for central
5742 * role only. So only in case of an initiated connection
5743 * request the remote features.
5744 *
5745 * If the local controller supports peripheral-initiated features
5746 * exchange, then requesting the remote features in peripheral
5747 * role is possible. Otherwise just transition into the
5748 * connected state without requesting the remote features.
5749 */
5750 if (conn->out ||
5751 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5752 struct hci_cp_le_read_remote_features cp;
5753
5754 cp.handle = __cpu_to_le16(conn->handle);
5755
5756 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5757 sizeof(cp), &cp);
5758
5759 hci_conn_hold(conn);
5760 } else {
5761 conn->state = BT_CONNECTED;
5762 hci_connect_cfm(conn, status);
5763 }
5764
5765 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5766 conn->dst_type);
5767 if (params) {
5768 hci_pend_le_list_del_init(params);
5769 if (params->conn) {
5770 hci_conn_drop(params->conn);
5771 hci_conn_put(params->conn);
5772 params->conn = NULL;
5773 }
5774 }
5775
5776unlock:
5777 hci_update_passive_scan(hdev);
5778 hci_dev_unlock(hdev);
5779}
5780
5781static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5782 struct sk_buff *skb)
5783{
5784 struct hci_ev_le_conn_complete *ev = data;
5785
5786 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5787
5788 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5789 NULL, ev->role, le16_to_cpu(ev->handle),
5790 le16_to_cpu(ev->interval),
5791 le16_to_cpu(ev->latency),
5792 le16_to_cpu(ev->supervision_timeout));
5793}
5794
5795static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5796 struct sk_buff *skb)
5797{
5798 struct hci_ev_le_enh_conn_complete *ev = data;
5799
5800 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5801
5802 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5803 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5804 le16_to_cpu(ev->interval),
5805 le16_to_cpu(ev->latency),
5806 le16_to_cpu(ev->supervision_timeout));
5807}
5808
5809static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5810 struct sk_buff *skb)
5811{
5812 struct hci_evt_le_ext_adv_set_term *ev = data;
5813 struct hci_conn *conn;
5814 struct adv_info *adv, *n;
5815
5816 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5817
5818 /* The Bluetooth Core 5.3 specification clearly states that this event
5819 * shall not be sent when the Host disables the advertising set. So in
5820 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
5821 *
5822 * When the Host disables an advertising set, all cleanup is done via
5823 * its command callback and not needed to be duplicated here.
5824 */
5825 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
5826 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
5827 return;
5828 }
5829
5830 hci_dev_lock(hdev);
5831
5832 adv = hci_find_adv_instance(hdev, ev->handle);
5833
5834 if (ev->status) {
5835 if (!adv)
5836 goto unlock;
5837
5838 /* Remove advertising as it has been terminated */
5839 hci_remove_adv_instance(hdev, ev->handle);
5840 mgmt_advertising_removed(NULL, hdev, ev->handle);
5841
5842 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
5843 if (adv->enabled)
5844 goto unlock;
5845 }
5846
5847 /* We are no longer advertising, clear HCI_LE_ADV */
5848 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5849 goto unlock;
5850 }
5851
5852 if (adv)
5853 adv->enabled = false;
5854
5855 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5856 if (conn) {
5857 /* Store handle in the connection so the correct advertising
5858 * instance can be re-enabled when disconnected.
5859 */
5860 conn->adv_instance = ev->handle;
5861
5862 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5863 bacmp(&conn->resp_addr, BDADDR_ANY))
5864 goto unlock;
5865
5866 if (!ev->handle) {
5867 bacpy(&conn->resp_addr, &hdev->random_addr);
5868 goto unlock;
5869 }
5870
5871 if (adv)
5872 bacpy(&conn->resp_addr, &adv->random_addr);
5873 }
5874
5875unlock:
5876 hci_dev_unlock(hdev);
5877}
5878
5879static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
5880 struct sk_buff *skb)
5881{
5882 struct hci_ev_le_conn_update_complete *ev = data;
5883 struct hci_conn *conn;
5884
5885 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5886
5887 if (ev->status)
5888 return;
5889
5890 hci_dev_lock(hdev);
5891
5892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5893 if (conn) {
5894 conn->le_conn_interval = le16_to_cpu(ev->interval);
5895 conn->le_conn_latency = le16_to_cpu(ev->latency);
5896 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5897 }
5898
5899 hci_dev_unlock(hdev);
5900}
5901
5902/* This function requires the caller holds hdev->lock */
5903static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5904 bdaddr_t *addr,
5905 u8 addr_type, bool addr_resolved,
5906 u8 adv_type, u8 phy, u8 sec_phy)
5907{
5908 struct hci_conn *conn;
5909 struct hci_conn_params *params;
5910
5911 /* If the event is not connectable don't proceed further */
5912 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5913 return NULL;
5914
5915 /* Ignore if the device is blocked or hdev is suspended */
5916 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
5917 hdev->suspended)
5918 return NULL;
5919
5920 /* Most controller will fail if we try to create new connections
5921 * while we have an existing one in peripheral role.
5922 */
5923 if (hdev->conn_hash.le_num_peripheral > 0 &&
5924 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5925 !(hdev->le_states[3] & 0x10)))
5926 return NULL;
5927
5928 /* If we're not connectable only connect devices that we have in
5929 * our pend_le_conns list.
5930 */
5931 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5932 addr_type);
5933 if (!params)
5934 return NULL;
5935
5936 if (!params->explicit_connect) {
5937 switch (params->auto_connect) {
5938 case HCI_AUTO_CONN_DIRECT:
5939 /* Only devices advertising with ADV_DIRECT_IND are
5940 * triggering a connection attempt. This is allowing
5941 * incoming connections from peripheral devices.
5942 */
5943 if (adv_type != LE_ADV_DIRECT_IND)
5944 return NULL;
5945 break;
5946 case HCI_AUTO_CONN_ALWAYS:
5947 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5948 * are triggering a connection attempt. This means
5949 * that incoming connections from peripheral device are
5950 * accepted and also outgoing connections to peripheral
5951 * devices are established when found.
5952 */
5953 break;
5954 default:
5955 return NULL;
5956 }
5957 }
5958
5959 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
5960 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
5961 HCI_ROLE_MASTER, phy, sec_phy);
5962 if (!IS_ERR(conn)) {
5963 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5964 * by higher layer that tried to connect, if no then
5965 * store the pointer since we don't really have any
5966 * other owner of the object besides the params that
5967 * triggered it. This way we can abort the connection if
5968 * the parameters get removed and keep the reference
5969 * count consistent once the connection is established.
5970 */
5971
5972 if (!params->explicit_connect)
5973 params->conn = hci_conn_get(conn);
5974
5975 return conn;
5976 }
5977
5978 switch (PTR_ERR(conn)) {
5979 case -EBUSY:
5980 /* If hci_connect() returns -EBUSY it means there is already
5981 * an LE connection attempt going on. Since controllers don't
5982 * support more than one connection attempt at the time, we
5983 * don't consider this an error case.
5984 */
5985 break;
5986 default:
5987 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5988 return NULL;
5989 }
5990
5991 return NULL;
5992}
5993
5994static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5995 u8 bdaddr_type, bdaddr_t *direct_addr,
5996 u8 direct_addr_type, u8 phy, u8 sec_phy, s8 rssi,
5997 u8 *data, u8 len, bool ext_adv, bool ctl_time,
5998 u64 instant)
5999{
6000 struct discovery_state *d = &hdev->discovery;
6001 struct smp_irk *irk;
6002 struct hci_conn *conn;
6003 bool match, bdaddr_resolved;
6004 u32 flags;
6005 u8 *ptr;
6006
6007 switch (type) {
6008 case LE_ADV_IND:
6009 case LE_ADV_DIRECT_IND:
6010 case LE_ADV_SCAN_IND:
6011 case LE_ADV_NONCONN_IND:
6012 case LE_ADV_SCAN_RSP:
6013 break;
6014 default:
6015 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6016 "type: 0x%02x", type);
6017 return;
6018 }
6019
6020 if (len > max_adv_len(hdev)) {
6021 bt_dev_err_ratelimited(hdev,
6022 "adv larger than maximum supported");
6023 return;
6024 }
6025
6026 /* Find the end of the data in case the report contains padded zero
6027 * bytes at the end causing an invalid length value.
6028 *
6029 * When data is NULL, len is 0 so there is no need for extra ptr
6030 * check as 'ptr < data + 0' is already false in such case.
6031 */
6032 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6033 if (ptr + 1 + *ptr > data + len)
6034 break;
6035 }
6036
6037 /* Adjust for actual length. This handles the case when remote
6038 * device is advertising with incorrect data length.
6039 */
6040 len = ptr - data;
6041
6042 /* If the direct address is present, then this report is from
6043 * a LE Direct Advertising Report event. In that case it is
6044 * important to see if the address is matching the local
6045 * controller address.
6046 */
6047 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6048 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6049 &bdaddr_resolved);
6050
6051 /* Only resolvable random addresses are valid for these
6052 * kind of reports and others can be ignored.
6053 */
6054 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6055 return;
6056
6057 /* If the controller is not using resolvable random
6058 * addresses, then this report can be ignored.
6059 */
6060 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6061 return;
6062
6063 /* If the local IRK of the controller does not match
6064 * with the resolvable random address provided, then
6065 * this report can be ignored.
6066 */
6067 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6068 return;
6069 }
6070
6071 /* Check if we need to convert to identity address */
6072 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6073 if (irk) {
6074 bdaddr = &irk->bdaddr;
6075 bdaddr_type = irk->addr_type;
6076 }
6077
6078 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6079
6080 /* Check if we have been requested to connect to this device.
6081 *
6082 * direct_addr is set only for directed advertising reports (it is NULL
6083 * for advertising reports) and is already verified to be RPA above.
6084 */
6085 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6086 type, phy, sec_phy);
6087 if (!ext_adv && conn && type == LE_ADV_IND &&
6088 len <= max_adv_len(hdev)) {
6089 /* Store report for later inclusion by
6090 * mgmt_device_connected
6091 */
6092 memcpy(conn->le_adv_data, data, len);
6093 conn->le_adv_data_len = len;
6094 }
6095
6096 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6097 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6098 else
6099 flags = 0;
6100
6101 /* All scan results should be sent up for Mesh systems */
6102 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6103 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6104 rssi, flags, data, len, NULL, 0, instant);
6105 return;
6106 }
6107
6108 /* Passive scanning shouldn't trigger any device found events,
6109 * except for devices marked as CONN_REPORT for which we do send
6110 * device found events, or advertisement monitoring requested.
6111 */
6112 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6113 if (type == LE_ADV_DIRECT_IND)
6114 return;
6115
6116 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6117 bdaddr, bdaddr_type) &&
6118 idr_is_empty(&hdev->adv_monitors_idr))
6119 return;
6120
6121 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6122 rssi, flags, data, len, NULL, 0, 0);
6123 return;
6124 }
6125
6126 /* When receiving a scan response, then there is no way to
6127 * know if the remote device is connectable or not. However
6128 * since scan responses are merged with a previously seen
6129 * advertising report, the flags field from that report
6130 * will be used.
6131 *
6132 * In the unlikely case that a controller just sends a scan
6133 * response event that doesn't match the pending report, then
6134 * it is marked as a standalone SCAN_RSP.
6135 */
6136 if (type == LE_ADV_SCAN_RSP)
6137 flags = MGMT_DEV_FOUND_SCAN_RSP;
6138
6139 /* If there's nothing pending either store the data from this
6140 * event or send an immediate device found event if the data
6141 * should not be stored for later.
6142 */
6143 if (!ext_adv && !has_pending_adv_report(hdev)) {
6144 /* If the report will trigger a SCAN_REQ store it for
6145 * later merging.
6146 */
6147 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6148 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6149 rssi, flags, data, len);
6150 return;
6151 }
6152
6153 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6154 rssi, flags, data, len, NULL, 0, 0);
6155 return;
6156 }
6157
6158 /* Check if the pending report is for the same device as the new one */
6159 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6160 bdaddr_type == d->last_adv_addr_type);
6161
6162 /* If the pending data doesn't match this report or this isn't a
6163 * scan response (e.g. we got a duplicate ADV_IND) then force
6164 * sending of the pending data.
6165 */
6166 if (type != LE_ADV_SCAN_RSP || !match) {
6167 /* Send out whatever is in the cache, but skip duplicates */
6168 if (!match)
6169 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6170 d->last_adv_addr_type, NULL,
6171 d->last_adv_rssi, d->last_adv_flags,
6172 d->last_adv_data,
6173 d->last_adv_data_len, NULL, 0, 0);
6174
6175 /* If the new report will trigger a SCAN_REQ store it for
6176 * later merging.
6177 */
6178 if (!ext_adv && (type == LE_ADV_IND ||
6179 type == LE_ADV_SCAN_IND)) {
6180 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6181 rssi, flags, data, len);
6182 return;
6183 }
6184
6185 /* The advertising reports cannot be merged, so clear
6186 * the pending report and send out a device found event.
6187 */
6188 clear_pending_adv_report(hdev);
6189 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6190 rssi, flags, data, len, NULL, 0, 0);
6191 return;
6192 }
6193
6194 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6195 * the new event is a SCAN_RSP. We can therefore proceed with
6196 * sending a merged device found event.
6197 */
6198 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6199 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6200 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6201 clear_pending_adv_report(hdev);
6202}
6203
6204static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6205 struct sk_buff *skb)
6206{
6207 struct hci_ev_le_advertising_report *ev = data;
6208 u64 instant = jiffies;
6209
6210 if (!ev->num)
6211 return;
6212
6213 hci_dev_lock(hdev);
6214
6215 while (ev->num--) {
6216 struct hci_ev_le_advertising_info *info;
6217 s8 rssi;
6218
6219 info = hci_le_ev_skb_pull(hdev, skb,
6220 HCI_EV_LE_ADVERTISING_REPORT,
6221 sizeof(*info));
6222 if (!info)
6223 break;
6224
6225 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6226 info->length + 1))
6227 break;
6228
6229 if (info->length <= max_adv_len(hdev)) {
6230 rssi = info->data[info->length];
6231 process_adv_report(hdev, info->type, &info->bdaddr,
6232 info->bdaddr_type, NULL, 0,
6233 HCI_ADV_PHY_1M, 0, rssi,
6234 info->data, info->length, false,
6235 false, instant);
6236 } else {
6237 bt_dev_err(hdev, "Dropping invalid advertising data");
6238 }
6239 }
6240
6241 hci_dev_unlock(hdev);
6242}
6243
6244static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6245{
6246 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6247 switch (evt_type) {
6248 case LE_LEGACY_ADV_IND:
6249 return LE_ADV_IND;
6250 case LE_LEGACY_ADV_DIRECT_IND:
6251 return LE_ADV_DIRECT_IND;
6252 case LE_LEGACY_ADV_SCAN_IND:
6253 return LE_ADV_SCAN_IND;
6254 case LE_LEGACY_NONCONN_IND:
6255 return LE_ADV_NONCONN_IND;
6256 case LE_LEGACY_SCAN_RSP_ADV:
6257 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6258 return LE_ADV_SCAN_RSP;
6259 }
6260
6261 goto invalid;
6262 }
6263
6264 if (evt_type & LE_EXT_ADV_CONN_IND) {
6265 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6266 return LE_ADV_DIRECT_IND;
6267
6268 return LE_ADV_IND;
6269 }
6270
6271 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6272 return LE_ADV_SCAN_RSP;
6273
6274 if (evt_type & LE_EXT_ADV_SCAN_IND)
6275 return LE_ADV_SCAN_IND;
6276
6277 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6278 evt_type & LE_EXT_ADV_DIRECT_IND)
6279 return LE_ADV_NONCONN_IND;
6280
6281invalid:
6282 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6283 evt_type);
6284
6285 return LE_ADV_INVALID;
6286}
6287
6288static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6289 struct sk_buff *skb)
6290{
6291 struct hci_ev_le_ext_adv_report *ev = data;
6292 u64 instant = jiffies;
6293
6294 if (!ev->num)
6295 return;
6296
6297 hci_dev_lock(hdev);
6298
6299 while (ev->num--) {
6300 struct hci_ev_le_ext_adv_info *info;
6301 u8 legacy_evt_type;
6302 u16 evt_type;
6303
6304 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6305 sizeof(*info));
6306 if (!info)
6307 break;
6308
6309 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6310 info->length))
6311 break;
6312
6313 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6314 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6315 if (legacy_evt_type != LE_ADV_INVALID) {
6316 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6317 info->bdaddr_type, NULL, 0,
6318 info->primary_phy,
6319 info->secondary_phy,
6320 info->rssi, info->data, info->length,
6321 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6322 false, instant);
6323 }
6324 }
6325
6326 hci_dev_unlock(hdev);
6327}
6328
6329static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6330{
6331 struct hci_cp_le_pa_term_sync cp;
6332
6333 memset(&cp, 0, sizeof(cp));
6334 cp.handle = handle;
6335
6336 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6337}
6338
6339static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6340 struct sk_buff *skb)
6341{
6342 struct hci_ev_le_pa_sync_established *ev = data;
6343 int mask = hdev->link_mode;
6344 __u8 flags = 0;
6345 struct hci_conn *pa_sync;
6346
6347 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6348
6349 hci_dev_lock(hdev);
6350
6351 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6352
6353 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6354 if (!(mask & HCI_LM_ACCEPT)) {
6355 hci_le_pa_term_sync(hdev, ev->handle);
6356 goto unlock;
6357 }
6358
6359 if (!(flags & HCI_PROTO_DEFER))
6360 goto unlock;
6361
6362 /* Add connection to indicate PA sync event */
6363 pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6364 HCI_ROLE_SLAVE);
6365
6366 if (IS_ERR(pa_sync))
6367 goto unlock;
6368
6369 pa_sync->sync_handle = le16_to_cpu(ev->handle);
6370
6371 if (ev->status) {
6372 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6373
6374 /* Notify iso layer */
6375 hci_connect_cfm(pa_sync, ev->status);
6376 }
6377
6378unlock:
6379 hci_dev_unlock(hdev);
6380}
6381
6382static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6383 struct sk_buff *skb)
6384{
6385 struct hci_ev_le_per_adv_report *ev = data;
6386 int mask = hdev->link_mode;
6387 __u8 flags = 0;
6388 struct hci_conn *pa_sync;
6389
6390 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6391
6392 hci_dev_lock(hdev);
6393
6394 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6395 if (!(mask & HCI_LM_ACCEPT))
6396 goto unlock;
6397
6398 if (!(flags & HCI_PROTO_DEFER))
6399 goto unlock;
6400
6401 pa_sync = hci_conn_hash_lookup_pa_sync_handle
6402 (hdev,
6403 le16_to_cpu(ev->sync_handle));
6404
6405 if (!pa_sync)
6406 goto unlock;
6407
6408 if (ev->data_status == LE_PA_DATA_COMPLETE &&
6409 !test_and_set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags)) {
6410 /* Notify iso layer */
6411 hci_connect_cfm(pa_sync, 0);
6412
6413 /* Notify MGMT layer */
6414 mgmt_device_connected(hdev, pa_sync, NULL, 0);
6415 }
6416
6417unlock:
6418 hci_dev_unlock(hdev);
6419}
6420
6421static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6422 struct sk_buff *skb)
6423{
6424 struct hci_ev_le_remote_feat_complete *ev = data;
6425 struct hci_conn *conn;
6426
6427 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6428
6429 hci_dev_lock(hdev);
6430
6431 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6432 if (conn) {
6433 if (!ev->status)
6434 memcpy(conn->features[0], ev->features, 8);
6435
6436 if (conn->state == BT_CONFIG) {
6437 __u8 status;
6438
6439 /* If the local controller supports peripheral-initiated
6440 * features exchange, but the remote controller does
6441 * not, then it is possible that the error code 0x1a
6442 * for unsupported remote feature gets returned.
6443 *
6444 * In this specific case, allow the connection to
6445 * transition into connected state and mark it as
6446 * successful.
6447 */
6448 if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE &&
6449 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6450 status = 0x00;
6451 else
6452 status = ev->status;
6453
6454 conn->state = BT_CONNECTED;
6455 hci_connect_cfm(conn, status);
6456 hci_conn_drop(conn);
6457 }
6458 }
6459
6460 hci_dev_unlock(hdev);
6461}
6462
6463static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6464 struct sk_buff *skb)
6465{
6466 struct hci_ev_le_ltk_req *ev = data;
6467 struct hci_cp_le_ltk_reply cp;
6468 struct hci_cp_le_ltk_neg_reply neg;
6469 struct hci_conn *conn;
6470 struct smp_ltk *ltk;
6471
6472 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6473
6474 hci_dev_lock(hdev);
6475
6476 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6477 if (conn == NULL)
6478 goto not_found;
6479
6480 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6481 if (!ltk)
6482 goto not_found;
6483
6484 if (smp_ltk_is_sc(ltk)) {
6485 /* With SC both EDiv and Rand are set to zero */
6486 if (ev->ediv || ev->rand)
6487 goto not_found;
6488 } else {
6489 /* For non-SC keys check that EDiv and Rand match */
6490 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6491 goto not_found;
6492 }
6493
6494 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6495 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6496 cp.handle = cpu_to_le16(conn->handle);
6497
6498 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6499
6500 conn->enc_key_size = ltk->enc_size;
6501
6502 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6503
6504 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6505 * temporary key used to encrypt a connection following
6506 * pairing. It is used during the Encrypted Session Setup to
6507 * distribute the keys. Later, security can be re-established
6508 * using a distributed LTK.
6509 */
6510 if (ltk->type == SMP_STK) {
6511 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6512 list_del_rcu(<k->list);
6513 kfree_rcu(ltk, rcu);
6514 } else {
6515 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6516 }
6517
6518 hci_dev_unlock(hdev);
6519
6520 return;
6521
6522not_found:
6523 neg.handle = ev->handle;
6524 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6525 hci_dev_unlock(hdev);
6526}
6527
6528static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6529 u8 reason)
6530{
6531 struct hci_cp_le_conn_param_req_neg_reply cp;
6532
6533 cp.handle = cpu_to_le16(handle);
6534 cp.reason = reason;
6535
6536 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6537 &cp);
6538}
6539
6540static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6541 struct sk_buff *skb)
6542{
6543 struct hci_ev_le_remote_conn_param_req *ev = data;
6544 struct hci_cp_le_conn_param_req_reply cp;
6545 struct hci_conn *hcon;
6546 u16 handle, min, max, latency, timeout;
6547
6548 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6549
6550 handle = le16_to_cpu(ev->handle);
6551 min = le16_to_cpu(ev->interval_min);
6552 max = le16_to_cpu(ev->interval_max);
6553 latency = le16_to_cpu(ev->latency);
6554 timeout = le16_to_cpu(ev->timeout);
6555
6556 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6557 if (!hcon || hcon->state != BT_CONNECTED)
6558 return send_conn_param_neg_reply(hdev, handle,
6559 HCI_ERROR_UNKNOWN_CONN_ID);
6560
6561 if (max > hcon->le_conn_max_interval)
6562 return send_conn_param_neg_reply(hdev, handle,
6563 HCI_ERROR_INVALID_LL_PARAMS);
6564
6565 if (hci_check_conn_params(min, max, latency, timeout))
6566 return send_conn_param_neg_reply(hdev, handle,
6567 HCI_ERROR_INVALID_LL_PARAMS);
6568
6569 if (hcon->role == HCI_ROLE_MASTER) {
6570 struct hci_conn_params *params;
6571 u8 store_hint;
6572
6573 hci_dev_lock(hdev);
6574
6575 params = hci_conn_params_lookup(hdev, &hcon->dst,
6576 hcon->dst_type);
6577 if (params) {
6578 params->conn_min_interval = min;
6579 params->conn_max_interval = max;
6580 params->conn_latency = latency;
6581 params->supervision_timeout = timeout;
6582 store_hint = 0x01;
6583 } else {
6584 store_hint = 0x00;
6585 }
6586
6587 hci_dev_unlock(hdev);
6588
6589 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6590 store_hint, min, max, latency, timeout);
6591 }
6592
6593 cp.handle = ev->handle;
6594 cp.interval_min = ev->interval_min;
6595 cp.interval_max = ev->interval_max;
6596 cp.latency = ev->latency;
6597 cp.timeout = ev->timeout;
6598 cp.min_ce_len = 0;
6599 cp.max_ce_len = 0;
6600
6601 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6602}
6603
6604static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6605 struct sk_buff *skb)
6606{
6607 struct hci_ev_le_direct_adv_report *ev = data;
6608 u64 instant = jiffies;
6609 int i;
6610
6611 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6612 flex_array_size(ev, info, ev->num)))
6613 return;
6614
6615 if (!ev->num)
6616 return;
6617
6618 hci_dev_lock(hdev);
6619
6620 for (i = 0; i < ev->num; i++) {
6621 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6622
6623 process_adv_report(hdev, info->type, &info->bdaddr,
6624 info->bdaddr_type, &info->direct_addr,
6625 info->direct_addr_type, HCI_ADV_PHY_1M, 0,
6626 info->rssi, NULL, 0, false, false, instant);
6627 }
6628
6629 hci_dev_unlock(hdev);
6630}
6631
6632static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6633 struct sk_buff *skb)
6634{
6635 struct hci_ev_le_phy_update_complete *ev = data;
6636 struct hci_conn *conn;
6637
6638 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6639
6640 if (ev->status)
6641 return;
6642
6643 hci_dev_lock(hdev);
6644
6645 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6646 if (!conn)
6647 goto unlock;
6648
6649 conn->le_tx_phy = ev->tx_phy;
6650 conn->le_rx_phy = ev->rx_phy;
6651
6652unlock:
6653 hci_dev_unlock(hdev);
6654}
6655
6656static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6657 struct sk_buff *skb)
6658{
6659 struct hci_evt_le_cis_established *ev = data;
6660 struct hci_conn *conn;
6661 struct bt_iso_qos *qos;
6662 bool pending = false;
6663 u16 handle = __le16_to_cpu(ev->handle);
6664
6665 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6666
6667 hci_dev_lock(hdev);
6668
6669 conn = hci_conn_hash_lookup_handle(hdev, handle);
6670 if (!conn) {
6671 bt_dev_err(hdev,
6672 "Unable to find connection with handle 0x%4.4x",
6673 handle);
6674 goto unlock;
6675 }
6676
6677 if (conn->type != ISO_LINK) {
6678 bt_dev_err(hdev,
6679 "Invalid connection link type handle 0x%4.4x",
6680 handle);
6681 goto unlock;
6682 }
6683
6684 qos = &conn->iso_qos;
6685
6686 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6687
6688 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
6689 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
6690 qos->ucast.out.interval = qos->ucast.in.interval;
6691
6692 switch (conn->role) {
6693 case HCI_ROLE_SLAVE:
6694 /* Convert Transport Latency (us) to Latency (msec) */
6695 qos->ucast.in.latency =
6696 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6697 1000);
6698 qos->ucast.out.latency =
6699 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6700 1000);
6701 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6702 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6703 qos->ucast.in.phy = ev->c_phy;
6704 qos->ucast.out.phy = ev->p_phy;
6705 break;
6706 case HCI_ROLE_MASTER:
6707 /* Convert Transport Latency (us) to Latency (msec) */
6708 qos->ucast.out.latency =
6709 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6710 1000);
6711 qos->ucast.in.latency =
6712 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6713 1000);
6714 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6715 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6716 qos->ucast.out.phy = ev->c_phy;
6717 qos->ucast.in.phy = ev->p_phy;
6718 break;
6719 }
6720
6721 if (!ev->status) {
6722 conn->state = BT_CONNECTED;
6723 hci_debugfs_create_conn(conn);
6724 hci_conn_add_sysfs(conn);
6725 hci_iso_setup_path(conn);
6726 goto unlock;
6727 }
6728
6729 conn->state = BT_CLOSED;
6730 hci_connect_cfm(conn, ev->status);
6731 hci_conn_del(conn);
6732
6733unlock:
6734 if (pending)
6735 hci_le_create_cis_pending(hdev);
6736
6737 hci_dev_unlock(hdev);
6738}
6739
6740static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6741{
6742 struct hci_cp_le_reject_cis cp;
6743
6744 memset(&cp, 0, sizeof(cp));
6745 cp.handle = handle;
6746 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6747 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6748}
6749
6750static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6751{
6752 struct hci_cp_le_accept_cis cp;
6753
6754 memset(&cp, 0, sizeof(cp));
6755 cp.handle = handle;
6756 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6757}
6758
6759static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6760 struct sk_buff *skb)
6761{
6762 struct hci_evt_le_cis_req *ev = data;
6763 u16 acl_handle, cis_handle;
6764 struct hci_conn *acl, *cis;
6765 int mask;
6766 __u8 flags = 0;
6767
6768 acl_handle = __le16_to_cpu(ev->acl_handle);
6769 cis_handle = __le16_to_cpu(ev->cis_handle);
6770
6771 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6772 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6773
6774 hci_dev_lock(hdev);
6775
6776 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6777 if (!acl)
6778 goto unlock;
6779
6780 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
6781 if (!(mask & HCI_LM_ACCEPT)) {
6782 hci_le_reject_cis(hdev, ev->cis_handle);
6783 goto unlock;
6784 }
6785
6786 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6787 if (!cis) {
6788 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
6789 cis_handle);
6790 if (IS_ERR(cis)) {
6791 hci_le_reject_cis(hdev, ev->cis_handle);
6792 goto unlock;
6793 }
6794 }
6795
6796 cis->iso_qos.ucast.cig = ev->cig_id;
6797 cis->iso_qos.ucast.cis = ev->cis_id;
6798
6799 if (!(flags & HCI_PROTO_DEFER)) {
6800 hci_le_accept_cis(hdev, ev->cis_handle);
6801 } else {
6802 cis->state = BT_CONNECT2;
6803 hci_connect_cfm(cis, 0);
6804 }
6805
6806unlock:
6807 hci_dev_unlock(hdev);
6808}
6809
6810static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
6811{
6812 u8 handle = PTR_UINT(data);
6813
6814 return hci_le_terminate_big_sync(hdev, handle,
6815 HCI_ERROR_LOCAL_HOST_TERM);
6816}
6817
6818static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
6819 struct sk_buff *skb)
6820{
6821 struct hci_evt_le_create_big_complete *ev = data;
6822 struct hci_conn *conn;
6823 __u8 i = 0;
6824
6825 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6826
6827 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
6828 flex_array_size(ev, bis_handle, ev->num_bis)))
6829 return;
6830
6831 hci_dev_lock(hdev);
6832 rcu_read_lock();
6833
6834 /* Connect all BISes that are bound to the BIG */
6835 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6836 if (bacmp(&conn->dst, BDADDR_ANY) ||
6837 conn->type != ISO_LINK ||
6838 conn->iso_qos.bcast.big != ev->handle)
6839 continue;
6840
6841 if (hci_conn_set_handle(conn,
6842 __le16_to_cpu(ev->bis_handle[i++])))
6843 continue;
6844
6845 if (!ev->status) {
6846 conn->state = BT_CONNECTED;
6847 set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
6848 rcu_read_unlock();
6849 hci_debugfs_create_conn(conn);
6850 hci_conn_add_sysfs(conn);
6851 hci_iso_setup_path(conn);
6852 rcu_read_lock();
6853 continue;
6854 }
6855
6856 hci_connect_cfm(conn, ev->status);
6857 rcu_read_unlock();
6858 hci_conn_del(conn);
6859 rcu_read_lock();
6860 }
6861
6862 rcu_read_unlock();
6863
6864 if (!ev->status && !i)
6865 /* If no BISes have been connected for the BIG,
6866 * terminate. This is in case all bound connections
6867 * have been closed before the BIG creation
6868 * has completed.
6869 */
6870 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
6871 UINT_PTR(ev->handle), NULL);
6872
6873 hci_dev_unlock(hdev);
6874}
6875
6876static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
6877 struct sk_buff *skb)
6878{
6879 struct hci_evt_le_big_sync_estabilished *ev = data;
6880 struct hci_conn *bis;
6881 int i;
6882
6883 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6884
6885 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
6886 flex_array_size(ev, bis, ev->num_bis)))
6887 return;
6888
6889 hci_dev_lock(hdev);
6890
6891 for (i = 0; i < ev->num_bis; i++) {
6892 u16 handle = le16_to_cpu(ev->bis[i]);
6893 __le32 interval;
6894
6895 bis = hci_conn_hash_lookup_handle(hdev, handle);
6896 if (!bis) {
6897 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
6898 HCI_ROLE_SLAVE, handle);
6899 if (IS_ERR(bis))
6900 continue;
6901 }
6902
6903 if (ev->status != 0x42)
6904 /* Mark PA sync as established */
6905 set_bit(HCI_CONN_PA_SYNC, &bis->flags);
6906
6907 bis->iso_qos.bcast.big = ev->handle;
6908 memset(&interval, 0, sizeof(interval));
6909 memcpy(&interval, ev->latency, sizeof(ev->latency));
6910 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
6911 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
6912 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
6913 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
6914
6915 if (!ev->status) {
6916 set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
6917 hci_iso_setup_path(bis);
6918 }
6919 }
6920
6921 /* In case BIG sync failed, notify each failed connection to
6922 * the user after all hci connections have been added
6923 */
6924 if (ev->status)
6925 for (i = 0; i < ev->num_bis; i++) {
6926 u16 handle = le16_to_cpu(ev->bis[i]);
6927
6928 bis = hci_conn_hash_lookup_handle(hdev, handle);
6929 if (!bis)
6930 continue;
6931
6932 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
6933 hci_connect_cfm(bis, ev->status);
6934 }
6935
6936 hci_dev_unlock(hdev);
6937}
6938
6939static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
6940 struct sk_buff *skb)
6941{
6942 struct hci_evt_le_big_info_adv_report *ev = data;
6943 int mask = hdev->link_mode;
6944 __u8 flags = 0;
6945 struct hci_conn *pa_sync;
6946
6947 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6948
6949 hci_dev_lock(hdev);
6950
6951 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6952 if (!(mask & HCI_LM_ACCEPT))
6953 goto unlock;
6954
6955 if (!(flags & HCI_PROTO_DEFER))
6956 goto unlock;
6957
6958 pa_sync = hci_conn_hash_lookup_pa_sync_handle
6959 (hdev,
6960 le16_to_cpu(ev->sync_handle));
6961
6962 if (IS_ERR(pa_sync))
6963 goto unlock;
6964
6965 /* Notify iso layer */
6966 hci_connect_cfm(pa_sync, 0);
6967
6968unlock:
6969 hci_dev_unlock(hdev);
6970}
6971
6972#define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
6973[_op] = { \
6974 .func = _func, \
6975 .min_len = _min_len, \
6976 .max_len = _max_len, \
6977}
6978
6979#define HCI_LE_EV(_op, _func, _len) \
6980 HCI_LE_EV_VL(_op, _func, _len, _len)
6981
6982#define HCI_LE_EV_STATUS(_op, _func) \
6983 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
6984
6985/* Entries in this table shall have their position according to the subevent
6986 * opcode they handle so the use of the macros above is recommend since it does
6987 * attempt to initialize at its proper index using Designated Initializers that
6988 * way events without a callback function can be ommited.
6989 */
6990static const struct hci_le_ev {
6991 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
6992 u16 min_len;
6993 u16 max_len;
6994} hci_le_ev_table[U8_MAX + 1] = {
6995 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
6996 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
6997 sizeof(struct hci_ev_le_conn_complete)),
6998 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
6999 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7000 sizeof(struct hci_ev_le_advertising_report),
7001 HCI_MAX_EVENT_SIZE),
7002 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7003 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7004 hci_le_conn_update_complete_evt,
7005 sizeof(struct hci_ev_le_conn_update_complete)),
7006 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7007 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7008 hci_le_remote_feat_complete_evt,
7009 sizeof(struct hci_ev_le_remote_feat_complete)),
7010 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7011 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7012 sizeof(struct hci_ev_le_ltk_req)),
7013 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7014 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7015 hci_le_remote_conn_param_req_evt,
7016 sizeof(struct hci_ev_le_remote_conn_param_req)),
7017 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7018 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7019 hci_le_enh_conn_complete_evt,
7020 sizeof(struct hci_ev_le_enh_conn_complete)),
7021 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7022 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7023 sizeof(struct hci_ev_le_direct_adv_report),
7024 HCI_MAX_EVENT_SIZE),
7025 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7026 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7027 sizeof(struct hci_ev_le_phy_update_complete)),
7028 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7029 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7030 sizeof(struct hci_ev_le_ext_adv_report),
7031 HCI_MAX_EVENT_SIZE),
7032 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7033 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7034 hci_le_pa_sync_estabilished_evt,
7035 sizeof(struct hci_ev_le_pa_sync_established)),
7036 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7037 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7038 hci_le_per_adv_report_evt,
7039 sizeof(struct hci_ev_le_per_adv_report),
7040 HCI_MAX_EVENT_SIZE),
7041 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7042 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7043 sizeof(struct hci_evt_le_ext_adv_set_term)),
7044 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7045 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7046 sizeof(struct hci_evt_le_cis_established)),
7047 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7048 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7049 sizeof(struct hci_evt_le_cis_req)),
7050 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7051 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7052 hci_le_create_big_complete_evt,
7053 sizeof(struct hci_evt_le_create_big_complete),
7054 HCI_MAX_EVENT_SIZE),
7055 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7056 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7057 hci_le_big_sync_established_evt,
7058 sizeof(struct hci_evt_le_big_sync_estabilished),
7059 HCI_MAX_EVENT_SIZE),
7060 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7061 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7062 hci_le_big_info_adv_report_evt,
7063 sizeof(struct hci_evt_le_big_info_adv_report),
7064 HCI_MAX_EVENT_SIZE),
7065};
7066
7067static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7068 struct sk_buff *skb, u16 *opcode, u8 *status,
7069 hci_req_complete_t *req_complete,
7070 hci_req_complete_skb_t *req_complete_skb)
7071{
7072 struct hci_ev_le_meta *ev = data;
7073 const struct hci_le_ev *subev;
7074
7075 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7076
7077 /* Only match event if command OGF is for LE */
7078 if (hdev->req_skb &&
7079 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 &&
7080 hci_skb_event(hdev->req_skb) == ev->subevent) {
7081 *opcode = hci_skb_opcode(hdev->req_skb);
7082 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7083 req_complete_skb);
7084 }
7085
7086 subev = &hci_le_ev_table[ev->subevent];
7087 if (!subev->func)
7088 return;
7089
7090 if (skb->len < subev->min_len) {
7091 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7092 ev->subevent, skb->len, subev->min_len);
7093 return;
7094 }
7095
7096 /* Just warn if the length is over max_len size it still be
7097 * possible to partially parse the event so leave to callback to
7098 * decide if that is acceptable.
7099 */
7100 if (skb->len > subev->max_len)
7101 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7102 ev->subevent, skb->len, subev->max_len);
7103 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7104 if (!data)
7105 return;
7106
7107 subev->func(hdev, data, skb);
7108}
7109
7110static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7111 u8 event, struct sk_buff *skb)
7112{
7113 struct hci_ev_cmd_complete *ev;
7114 struct hci_event_hdr *hdr;
7115
7116 if (!skb)
7117 return false;
7118
7119 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7120 if (!hdr)
7121 return false;
7122
7123 if (event) {
7124 if (hdr->evt != event)
7125 return false;
7126 return true;
7127 }
7128
7129 /* Check if request ended in Command Status - no way to retrieve
7130 * any extra parameters in this case.
7131 */
7132 if (hdr->evt == HCI_EV_CMD_STATUS)
7133 return false;
7134
7135 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7136 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7137 hdr->evt);
7138 return false;
7139 }
7140
7141 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7142 if (!ev)
7143 return false;
7144
7145 if (opcode != __le16_to_cpu(ev->opcode)) {
7146 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7147 __le16_to_cpu(ev->opcode));
7148 return false;
7149 }
7150
7151 return true;
7152}
7153
7154static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7155 struct sk_buff *skb)
7156{
7157 struct hci_ev_le_advertising_info *adv;
7158 struct hci_ev_le_direct_adv_info *direct_adv;
7159 struct hci_ev_le_ext_adv_info *ext_adv;
7160 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7161 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7162
7163 hci_dev_lock(hdev);
7164
7165 /* If we are currently suspended and this is the first BT event seen,
7166 * save the wake reason associated with the event.
7167 */
7168 if (!hdev->suspended || hdev->wake_reason)
7169 goto unlock;
7170
7171 /* Default to remote wake. Values for wake_reason are documented in the
7172 * Bluez mgmt api docs.
7173 */
7174 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7175
7176 /* Once configured for remote wakeup, we should only wake up for
7177 * reconnections. It's useful to see which device is waking us up so
7178 * keep track of the bdaddr of the connection event that woke us up.
7179 */
7180 if (event == HCI_EV_CONN_REQUEST) {
7181 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7182 hdev->wake_addr_type = BDADDR_BREDR;
7183 } else if (event == HCI_EV_CONN_COMPLETE) {
7184 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7185 hdev->wake_addr_type = BDADDR_BREDR;
7186 } else if (event == HCI_EV_LE_META) {
7187 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7188 u8 subevent = le_ev->subevent;
7189 u8 *ptr = &skb->data[sizeof(*le_ev)];
7190 u8 num_reports = *ptr;
7191
7192 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7193 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7194 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7195 num_reports) {
7196 adv = (void *)(ptr + 1);
7197 direct_adv = (void *)(ptr + 1);
7198 ext_adv = (void *)(ptr + 1);
7199
7200 switch (subevent) {
7201 case HCI_EV_LE_ADVERTISING_REPORT:
7202 bacpy(&hdev->wake_addr, &adv->bdaddr);
7203 hdev->wake_addr_type = adv->bdaddr_type;
7204 break;
7205 case HCI_EV_LE_DIRECT_ADV_REPORT:
7206 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7207 hdev->wake_addr_type = direct_adv->bdaddr_type;
7208 break;
7209 case HCI_EV_LE_EXT_ADV_REPORT:
7210 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7211 hdev->wake_addr_type = ext_adv->bdaddr_type;
7212 break;
7213 }
7214 }
7215 } else {
7216 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7217 }
7218
7219unlock:
7220 hci_dev_unlock(hdev);
7221}
7222
7223#define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7224[_op] = { \
7225 .req = false, \
7226 .func = _func, \
7227 .min_len = _min_len, \
7228 .max_len = _max_len, \
7229}
7230
7231#define HCI_EV(_op, _func, _len) \
7232 HCI_EV_VL(_op, _func, _len, _len)
7233
7234#define HCI_EV_STATUS(_op, _func) \
7235 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7236
7237#define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7238[_op] = { \
7239 .req = true, \
7240 .func_req = _func, \
7241 .min_len = _min_len, \
7242 .max_len = _max_len, \
7243}
7244
7245#define HCI_EV_REQ(_op, _func, _len) \
7246 HCI_EV_REQ_VL(_op, _func, _len, _len)
7247
7248/* Entries in this table shall have their position according to the event opcode
7249 * they handle so the use of the macros above is recommend since it does attempt
7250 * to initialize at its proper index using Designated Initializers that way
7251 * events without a callback function don't have entered.
7252 */
7253static const struct hci_ev {
7254 bool req;
7255 union {
7256 void (*func)(struct hci_dev *hdev, void *data,
7257 struct sk_buff *skb);
7258 void (*func_req)(struct hci_dev *hdev, void *data,
7259 struct sk_buff *skb, u16 *opcode, u8 *status,
7260 hci_req_complete_t *req_complete,
7261 hci_req_complete_skb_t *req_complete_skb);
7262 };
7263 u16 min_len;
7264 u16 max_len;
7265} hci_ev_table[U8_MAX + 1] = {
7266 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7267 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7268 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7269 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7270 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7271 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7272 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7273 sizeof(struct hci_ev_conn_complete)),
7274 /* [0x04 = HCI_EV_CONN_REQUEST] */
7275 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7276 sizeof(struct hci_ev_conn_request)),
7277 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7278 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7279 sizeof(struct hci_ev_disconn_complete)),
7280 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7281 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7282 sizeof(struct hci_ev_auth_complete)),
7283 /* [0x07 = HCI_EV_REMOTE_NAME] */
7284 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7285 sizeof(struct hci_ev_remote_name)),
7286 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7287 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7288 sizeof(struct hci_ev_encrypt_change)),
7289 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7290 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7291 hci_change_link_key_complete_evt,
7292 sizeof(struct hci_ev_change_link_key_complete)),
7293 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7294 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7295 sizeof(struct hci_ev_remote_features)),
7296 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7297 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7298 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7299 /* [0x0f = HCI_EV_CMD_STATUS] */
7300 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7301 sizeof(struct hci_ev_cmd_status)),
7302 /* [0x10 = HCI_EV_CMD_STATUS] */
7303 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7304 sizeof(struct hci_ev_hardware_error)),
7305 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7306 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7307 sizeof(struct hci_ev_role_change)),
7308 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7309 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7310 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7311 /* [0x14 = HCI_EV_MODE_CHANGE] */
7312 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7313 sizeof(struct hci_ev_mode_change)),
7314 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7315 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7316 sizeof(struct hci_ev_pin_code_req)),
7317 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7318 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7319 sizeof(struct hci_ev_link_key_req)),
7320 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7321 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7322 sizeof(struct hci_ev_link_key_notify)),
7323 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7324 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7325 sizeof(struct hci_ev_clock_offset)),
7326 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7327 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7328 sizeof(struct hci_ev_pkt_type_change)),
7329 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7330 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7331 sizeof(struct hci_ev_pscan_rep_mode)),
7332 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7333 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7334 hci_inquiry_result_with_rssi_evt,
7335 sizeof(struct hci_ev_inquiry_result_rssi),
7336 HCI_MAX_EVENT_SIZE),
7337 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7338 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7339 sizeof(struct hci_ev_remote_ext_features)),
7340 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7341 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7342 sizeof(struct hci_ev_sync_conn_complete)),
7343 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7344 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7345 hci_extended_inquiry_result_evt,
7346 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7347 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7348 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7349 sizeof(struct hci_ev_key_refresh_complete)),
7350 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7351 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7352 sizeof(struct hci_ev_io_capa_request)),
7353 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7354 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7355 sizeof(struct hci_ev_io_capa_reply)),
7356 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7357 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7358 sizeof(struct hci_ev_user_confirm_req)),
7359 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7360 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7361 sizeof(struct hci_ev_user_passkey_req)),
7362 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7363 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7364 sizeof(struct hci_ev_remote_oob_data_request)),
7365 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7366 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7367 sizeof(struct hci_ev_simple_pair_complete)),
7368 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7369 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7370 sizeof(struct hci_ev_user_passkey_notify)),
7371 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7372 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7373 sizeof(struct hci_ev_keypress_notify)),
7374 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7375 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7376 sizeof(struct hci_ev_remote_host_features)),
7377 /* [0x3e = HCI_EV_LE_META] */
7378 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7379 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7380 /* [0xff = HCI_EV_VENDOR] */
7381 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7382};
7383
7384static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7385 u16 *opcode, u8 *status,
7386 hci_req_complete_t *req_complete,
7387 hci_req_complete_skb_t *req_complete_skb)
7388{
7389 const struct hci_ev *ev = &hci_ev_table[event];
7390 void *data;
7391
7392 if (!ev->func)
7393 return;
7394
7395 if (skb->len < ev->min_len) {
7396 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7397 event, skb->len, ev->min_len);
7398 return;
7399 }
7400
7401 /* Just warn if the length is over max_len size it still be
7402 * possible to partially parse the event so leave to callback to
7403 * decide if that is acceptable.
7404 */
7405 if (skb->len > ev->max_len)
7406 bt_dev_warn_ratelimited(hdev,
7407 "unexpected event 0x%2.2x length: %u > %u",
7408 event, skb->len, ev->max_len);
7409
7410 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7411 if (!data)
7412 return;
7413
7414 if (ev->req)
7415 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7416 req_complete_skb);
7417 else
7418 ev->func(hdev, data, skb);
7419}
7420
7421void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7422{
7423 struct hci_event_hdr *hdr = (void *) skb->data;
7424 hci_req_complete_t req_complete = NULL;
7425 hci_req_complete_skb_t req_complete_skb = NULL;
7426 struct sk_buff *orig_skb = NULL;
7427 u8 status = 0, event, req_evt = 0;
7428 u16 opcode = HCI_OP_NOP;
7429
7430 if (skb->len < sizeof(*hdr)) {
7431 bt_dev_err(hdev, "Malformed HCI Event");
7432 goto done;
7433 }
7434
7435 kfree_skb(hdev->recv_event);
7436 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7437
7438 event = hdr->evt;
7439 if (!event) {
7440 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7441 event);
7442 goto done;
7443 }
7444
7445 /* Only match event if command OGF is not for LE */
7446 if (hdev->req_skb &&
7447 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
7448 hci_skb_event(hdev->req_skb) == event) {
7449 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
7450 status, &req_complete, &req_complete_skb);
7451 req_evt = event;
7452 }
7453
7454 /* If it looks like we might end up having to call
7455 * req_complete_skb, store a pristine copy of the skb since the
7456 * various handlers may modify the original one through
7457 * skb_pull() calls, etc.
7458 */
7459 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7460 event == HCI_EV_CMD_COMPLETE)
7461 orig_skb = skb_clone(skb, GFP_KERNEL);
7462
7463 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7464
7465 /* Store wake reason if we're suspended */
7466 hci_store_wake_reason(hdev, event, skb);
7467
7468 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7469
7470 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7471 &req_complete_skb);
7472
7473 if (req_complete) {
7474 req_complete(hdev, status, opcode);
7475 } else if (req_complete_skb) {
7476 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7477 kfree_skb(orig_skb);
7478 orig_skb = NULL;
7479 }
7480 req_complete_skb(hdev, status, opcode, orig_skb);
7481 }
7482
7483done:
7484 kfree_skb(orig_skb);
7485 kfree_skb(skb);
7486 hdev->stat.evt_rx++;
7487}