Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth HCI event handling. */
26
27#include <asm/unaligned.h>
28
29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/mgmt.h>
32
33#include "hci_request.h"
34#include "hci_debugfs.h"
35#include "a2mp.h"
36#include "amp.h"
37#include "smp.h"
38
39#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
41
42/* Handle HCI Event packets */
43
44static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45{
46 __u8 status = *((__u8 *) skb->data);
47
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
49
50 if (status)
51 return;
52
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
56
57 hci_dev_lock(hdev);
58 /* Set discovery state to stopped if we're not doing LE active
59 * scanning.
60 */
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 hci_dev_unlock(hdev);
65
66 hci_conn_check_pending(hdev);
67}
68
69static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70{
71 __u8 status = *((__u8 *) skb->data);
72
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
74
75 if (status)
76 return;
77
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79}
80
81static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82{
83 __u8 status = *((__u8 *) skb->data);
84
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
86
87 if (status)
88 return;
89
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91
92 hci_conn_check_pending(hdev);
93}
94
95static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 struct sk_buff *skb)
97{
98 BT_DBG("%s", hdev->name);
99}
100
101static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102{
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
105
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107
108 if (rp->status)
109 return;
110
111 hci_dev_lock(hdev);
112
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 if (conn)
115 conn->role = rp->role;
116
117 hci_dev_unlock(hdev);
118}
119
120static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121{
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
124
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126
127 if (rp->status)
128 return;
129
130 hci_dev_lock(hdev);
131
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 if (conn)
134 conn->link_policy = __le16_to_cpu(rp->policy);
135
136 hci_dev_unlock(hdev);
137}
138
139static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140{
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
143 void *sent;
144
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146
147 if (rp->status)
148 return;
149
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 if (!sent)
152 return;
153
154 hci_dev_lock(hdev);
155
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 if (conn)
158 conn->link_policy = get_unaligned_le16(sent + 2);
159
160 hci_dev_unlock(hdev);
161}
162
163static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 struct sk_buff *skb)
165{
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169
170 if (rp->status)
171 return;
172
173 hdev->link_policy = __le16_to_cpu(rp->policy);
174}
175
176static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 struct sk_buff *skb)
178{
179 __u8 status = *((__u8 *) skb->data);
180 void *sent;
181
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
183
184 if (status)
185 return;
186
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 if (!sent)
189 return;
190
191 hdev->link_policy = get_unaligned_le16(sent);
192}
193
194static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195{
196 __u8 status = *((__u8 *) skb->data);
197
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
199
200 clear_bit(HCI_RESET, &hdev->flags);
201
202 if (status)
203 return;
204
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
207
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
215
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
218
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
220
221 hdev->ssp_debug_mode = 0;
222
223 hci_bdaddr_list_clear(&hdev->le_white_list);
224 hci_bdaddr_list_clear(&hdev->le_resolv_list);
225}
226
227static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
228 struct sk_buff *skb)
229{
230 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
231 struct hci_cp_read_stored_link_key *sent;
232
233 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234
235 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
236 if (!sent)
237 return;
238
239 if (!rp->status && sent->read_all == 0x01) {
240 hdev->stored_max_keys = rp->max_keys;
241 hdev->stored_num_keys = rp->num_keys;
242 }
243}
244
245static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
246 struct sk_buff *skb)
247{
248 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249
250 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
251
252 if (rp->status)
253 return;
254
255 if (rp->num_keys <= hdev->stored_num_keys)
256 hdev->stored_num_keys -= rp->num_keys;
257 else
258 hdev->stored_num_keys = 0;
259}
260
261static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262{
263 __u8 status = *((__u8 *) skb->data);
264 void *sent;
265
266 BT_DBG("%s status 0x%2.2x", hdev->name, status);
267
268 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
269 if (!sent)
270 return;
271
272 hci_dev_lock(hdev);
273
274 if (hci_dev_test_flag(hdev, HCI_MGMT))
275 mgmt_set_local_name_complete(hdev, sent, status);
276 else if (!status)
277 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278
279 hci_dev_unlock(hdev);
280}
281
282static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283{
284 struct hci_rp_read_local_name *rp = (void *) skb->data;
285
286 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
287
288 if (rp->status)
289 return;
290
291 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
292 hci_dev_test_flag(hdev, HCI_CONFIG))
293 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
294}
295
296static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297{
298 __u8 status = *((__u8 *) skb->data);
299 void *sent;
300
301 BT_DBG("%s status 0x%2.2x", hdev->name, status);
302
303 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
304 if (!sent)
305 return;
306
307 hci_dev_lock(hdev);
308
309 if (!status) {
310 __u8 param = *((__u8 *) sent);
311
312 if (param == AUTH_ENABLED)
313 set_bit(HCI_AUTH, &hdev->flags);
314 else
315 clear_bit(HCI_AUTH, &hdev->flags);
316 }
317
318 if (hci_dev_test_flag(hdev, HCI_MGMT))
319 mgmt_auth_enable_complete(hdev, status);
320
321 hci_dev_unlock(hdev);
322}
323
324static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325{
326 __u8 status = *((__u8 *) skb->data);
327 __u8 param;
328 void *sent;
329
330 BT_DBG("%s status 0x%2.2x", hdev->name, status);
331
332 if (status)
333 return;
334
335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
336 if (!sent)
337 return;
338
339 param = *((__u8 *) sent);
340
341 if (param)
342 set_bit(HCI_ENCRYPT, &hdev->flags);
343 else
344 clear_bit(HCI_ENCRYPT, &hdev->flags);
345}
346
347static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348{
349 __u8 status = *((__u8 *) skb->data);
350 __u8 param;
351 void *sent;
352
353 BT_DBG("%s status 0x%2.2x", hdev->name, status);
354
355 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
356 if (!sent)
357 return;
358
359 param = *((__u8 *) sent);
360
361 hci_dev_lock(hdev);
362
363 if (status) {
364 hdev->discov_timeout = 0;
365 goto done;
366 }
367
368 if (param & SCAN_INQUIRY)
369 set_bit(HCI_ISCAN, &hdev->flags);
370 else
371 clear_bit(HCI_ISCAN, &hdev->flags);
372
373 if (param & SCAN_PAGE)
374 set_bit(HCI_PSCAN, &hdev->flags);
375 else
376 clear_bit(HCI_PSCAN, &hdev->flags);
377
378done:
379 hci_dev_unlock(hdev);
380}
381
382static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383{
384 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385
386 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
387
388 if (rp->status)
389 return;
390
391 memcpy(hdev->dev_class, rp->dev_class, 3);
392
393 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
394 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
395}
396
397static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398{
399 __u8 status = *((__u8 *) skb->data);
400 void *sent;
401
402 BT_DBG("%s status 0x%2.2x", hdev->name, status);
403
404 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
405 if (!sent)
406 return;
407
408 hci_dev_lock(hdev);
409
410 if (status == 0)
411 memcpy(hdev->dev_class, sent, 3);
412
413 if (hci_dev_test_flag(hdev, HCI_MGMT))
414 mgmt_set_class_of_dev_complete(hdev, sent, status);
415
416 hci_dev_unlock(hdev);
417}
418
419static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420{
421 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
422 __u16 setting;
423
424 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
425
426 if (rp->status)
427 return;
428
429 setting = __le16_to_cpu(rp->voice_setting);
430
431 if (hdev->voice_setting == setting)
432 return;
433
434 hdev->voice_setting = setting;
435
436 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
437
438 if (hdev->notify)
439 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
440}
441
442static void hci_cc_write_voice_setting(struct hci_dev *hdev,
443 struct sk_buff *skb)
444{
445 __u8 status = *((__u8 *) skb->data);
446 __u16 setting;
447 void *sent;
448
449 BT_DBG("%s status 0x%2.2x", hdev->name, status);
450
451 if (status)
452 return;
453
454 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
455 if (!sent)
456 return;
457
458 setting = get_unaligned_le16(sent);
459
460 if (hdev->voice_setting == setting)
461 return;
462
463 hdev->voice_setting = setting;
464
465 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
466
467 if (hdev->notify)
468 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
469}
470
471static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
472 struct sk_buff *skb)
473{
474 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475
476 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
477
478 if (rp->status)
479 return;
480
481 hdev->num_iac = rp->num_iac;
482
483 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
484}
485
486static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487{
488 __u8 status = *((__u8 *) skb->data);
489 struct hci_cp_write_ssp_mode *sent;
490
491 BT_DBG("%s status 0x%2.2x", hdev->name, status);
492
493 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
494 if (!sent)
495 return;
496
497 hci_dev_lock(hdev);
498
499 if (!status) {
500 if (sent->mode)
501 hdev->features[1][0] |= LMP_HOST_SSP;
502 else
503 hdev->features[1][0] &= ~LMP_HOST_SSP;
504 }
505
506 if (hci_dev_test_flag(hdev, HCI_MGMT))
507 mgmt_ssp_enable_complete(hdev, sent->mode, status);
508 else if (!status) {
509 if (sent->mode)
510 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511 else
512 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
513 }
514
515 hci_dev_unlock(hdev);
516}
517
518static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519{
520 u8 status = *((u8 *) skb->data);
521 struct hci_cp_write_sc_support *sent;
522
523 BT_DBG("%s status 0x%2.2x", hdev->name, status);
524
525 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
526 if (!sent)
527 return;
528
529 hci_dev_lock(hdev);
530
531 if (!status) {
532 if (sent->support)
533 hdev->features[1][0] |= LMP_HOST_SC;
534 else
535 hdev->features[1][0] &= ~LMP_HOST_SC;
536 }
537
538 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539 if (sent->support)
540 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541 else
542 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
543 }
544
545 hci_dev_unlock(hdev);
546}
547
548static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549{
550 struct hci_rp_read_local_version *rp = (void *) skb->data;
551
552 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
553
554 if (rp->status)
555 return;
556
557 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
558 hci_dev_test_flag(hdev, HCI_CONFIG)) {
559 hdev->hci_ver = rp->hci_ver;
560 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
561 hdev->lmp_ver = rp->lmp_ver;
562 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
563 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
564 }
565}
566
567static void hci_cc_read_local_commands(struct hci_dev *hdev,
568 struct sk_buff *skb)
569{
570 struct hci_rp_read_local_commands *rp = (void *) skb->data;
571
572 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
573
574 if (rp->status)
575 return;
576
577 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
578 hci_dev_test_flag(hdev, HCI_CONFIG))
579 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
580}
581
582static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
583 struct sk_buff *skb)
584{
585 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
586 struct hci_conn *conn;
587
588 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
589
590 if (rp->status)
591 return;
592
593 hci_dev_lock(hdev);
594
595 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
596 if (conn)
597 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
598
599 hci_dev_unlock(hdev);
600}
601
602static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
603 struct sk_buff *skb)
604{
605 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
606 struct hci_conn *conn;
607 void *sent;
608
609 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
610
611 if (rp->status)
612 return;
613
614 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
615 if (!sent)
616 return;
617
618 hci_dev_lock(hdev);
619
620 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
621 if (conn)
622 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
623
624 hci_dev_unlock(hdev);
625}
626
627static void hci_cc_read_local_features(struct hci_dev *hdev,
628 struct sk_buff *skb)
629{
630 struct hci_rp_read_local_features *rp = (void *) skb->data;
631
632 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
633
634 if (rp->status)
635 return;
636
637 memcpy(hdev->features, rp->features, 8);
638
639 /* Adjust default settings according to features
640 * supported by device. */
641
642 if (hdev->features[0][0] & LMP_3SLOT)
643 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
644
645 if (hdev->features[0][0] & LMP_5SLOT)
646 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
647
648 if (hdev->features[0][1] & LMP_HV2) {
649 hdev->pkt_type |= (HCI_HV2);
650 hdev->esco_type |= (ESCO_HV2);
651 }
652
653 if (hdev->features[0][1] & LMP_HV3) {
654 hdev->pkt_type |= (HCI_HV3);
655 hdev->esco_type |= (ESCO_HV3);
656 }
657
658 if (lmp_esco_capable(hdev))
659 hdev->esco_type |= (ESCO_EV3);
660
661 if (hdev->features[0][4] & LMP_EV4)
662 hdev->esco_type |= (ESCO_EV4);
663
664 if (hdev->features[0][4] & LMP_EV5)
665 hdev->esco_type |= (ESCO_EV5);
666
667 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
668 hdev->esco_type |= (ESCO_2EV3);
669
670 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
671 hdev->esco_type |= (ESCO_3EV3);
672
673 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
674 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
675}
676
677static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
678 struct sk_buff *skb)
679{
680 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
681
682 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
683
684 if (rp->status)
685 return;
686
687 if (hdev->max_page < rp->max_page)
688 hdev->max_page = rp->max_page;
689
690 if (rp->page < HCI_MAX_PAGES)
691 memcpy(hdev->features[rp->page], rp->features, 8);
692}
693
694static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
695 struct sk_buff *skb)
696{
697 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
698
699 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
700
701 if (rp->status)
702 return;
703
704 hdev->flow_ctl_mode = rp->mode;
705}
706
707static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
708{
709 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
710
711 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
712
713 if (rp->status)
714 return;
715
716 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
717 hdev->sco_mtu = rp->sco_mtu;
718 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
719 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
720
721 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
722 hdev->sco_mtu = 64;
723 hdev->sco_pkts = 8;
724 }
725
726 hdev->acl_cnt = hdev->acl_pkts;
727 hdev->sco_cnt = hdev->sco_pkts;
728
729 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
730 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
731}
732
733static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
734{
735 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
736
737 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
738
739 if (rp->status)
740 return;
741
742 if (test_bit(HCI_INIT, &hdev->flags))
743 bacpy(&hdev->bdaddr, &rp->bdaddr);
744
745 if (hci_dev_test_flag(hdev, HCI_SETUP))
746 bacpy(&hdev->setup_addr, &rp->bdaddr);
747}
748
749static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
750 struct sk_buff *skb)
751{
752 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
753
754 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
755
756 if (rp->status)
757 return;
758
759 if (test_bit(HCI_INIT, &hdev->flags)) {
760 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
761 hdev->page_scan_window = __le16_to_cpu(rp->window);
762 }
763}
764
765static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
766 struct sk_buff *skb)
767{
768 u8 status = *((u8 *) skb->data);
769 struct hci_cp_write_page_scan_activity *sent;
770
771 BT_DBG("%s status 0x%2.2x", hdev->name, status);
772
773 if (status)
774 return;
775
776 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
777 if (!sent)
778 return;
779
780 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
781 hdev->page_scan_window = __le16_to_cpu(sent->window);
782}
783
784static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
785 struct sk_buff *skb)
786{
787 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
788
789 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
790
791 if (rp->status)
792 return;
793
794 if (test_bit(HCI_INIT, &hdev->flags))
795 hdev->page_scan_type = rp->type;
796}
797
798static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
799 struct sk_buff *skb)
800{
801 u8 status = *((u8 *) skb->data);
802 u8 *type;
803
804 BT_DBG("%s status 0x%2.2x", hdev->name, status);
805
806 if (status)
807 return;
808
809 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
810 if (type)
811 hdev->page_scan_type = *type;
812}
813
814static void hci_cc_read_data_block_size(struct hci_dev *hdev,
815 struct sk_buff *skb)
816{
817 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
818
819 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
820
821 if (rp->status)
822 return;
823
824 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
825 hdev->block_len = __le16_to_cpu(rp->block_len);
826 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
827
828 hdev->block_cnt = hdev->num_blocks;
829
830 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
831 hdev->block_cnt, hdev->block_len);
832}
833
834static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
835{
836 struct hci_rp_read_clock *rp = (void *) skb->data;
837 struct hci_cp_read_clock *cp;
838 struct hci_conn *conn;
839
840 BT_DBG("%s", hdev->name);
841
842 if (skb->len < sizeof(*rp))
843 return;
844
845 if (rp->status)
846 return;
847
848 hci_dev_lock(hdev);
849
850 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
851 if (!cp)
852 goto unlock;
853
854 if (cp->which == 0x00) {
855 hdev->clock = le32_to_cpu(rp->clock);
856 goto unlock;
857 }
858
859 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
860 if (conn) {
861 conn->clock = le32_to_cpu(rp->clock);
862 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
863 }
864
865unlock:
866 hci_dev_unlock(hdev);
867}
868
869static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
870 struct sk_buff *skb)
871{
872 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
873
874 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
875
876 if (rp->status)
877 return;
878
879 hdev->amp_status = rp->amp_status;
880 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
881 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
882 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
883 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
884 hdev->amp_type = rp->amp_type;
885 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
886 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
887 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
888 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
889}
890
891static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
892 struct sk_buff *skb)
893{
894 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
895
896 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
897
898 if (rp->status)
899 return;
900
901 hdev->inq_tx_power = rp->tx_power;
902}
903
904static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
905{
906 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
907 struct hci_cp_pin_code_reply *cp;
908 struct hci_conn *conn;
909
910 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911
912 hci_dev_lock(hdev);
913
914 if (hci_dev_test_flag(hdev, HCI_MGMT))
915 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
916
917 if (rp->status)
918 goto unlock;
919
920 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
921 if (!cp)
922 goto unlock;
923
924 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
925 if (conn)
926 conn->pin_length = cp->pin_len;
927
928unlock:
929 hci_dev_unlock(hdev);
930}
931
932static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
933{
934 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
935
936 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
937
938 hci_dev_lock(hdev);
939
940 if (hci_dev_test_flag(hdev, HCI_MGMT))
941 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
942 rp->status);
943
944 hci_dev_unlock(hdev);
945}
946
947static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
948 struct sk_buff *skb)
949{
950 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
951
952 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
953
954 if (rp->status)
955 return;
956
957 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
958 hdev->le_pkts = rp->le_max_pkt;
959
960 hdev->le_cnt = hdev->le_pkts;
961
962 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
963}
964
965static void hci_cc_le_read_local_features(struct hci_dev *hdev,
966 struct sk_buff *skb)
967{
968 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
969
970 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
971
972 if (rp->status)
973 return;
974
975 memcpy(hdev->le_features, rp->features, 8);
976}
977
978static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
979 struct sk_buff *skb)
980{
981 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
982
983 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
984
985 if (rp->status)
986 return;
987
988 hdev->adv_tx_power = rp->tx_power;
989}
990
991static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
992{
993 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
994
995 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
996
997 hci_dev_lock(hdev);
998
999 if (hci_dev_test_flag(hdev, HCI_MGMT))
1000 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1001 rp->status);
1002
1003 hci_dev_unlock(hdev);
1004}
1005
1006static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
1007 struct sk_buff *skb)
1008{
1009 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1010
1011 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1012
1013 hci_dev_lock(hdev);
1014
1015 if (hci_dev_test_flag(hdev, HCI_MGMT))
1016 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1017 ACL_LINK, 0, rp->status);
1018
1019 hci_dev_unlock(hdev);
1020}
1021
1022static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1023{
1024 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1025
1026 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1027
1028 hci_dev_lock(hdev);
1029
1030 if (hci_dev_test_flag(hdev, HCI_MGMT))
1031 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1032 0, rp->status);
1033
1034 hci_dev_unlock(hdev);
1035}
1036
1037static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1038 struct sk_buff *skb)
1039{
1040 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1041
1042 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1043
1044 hci_dev_lock(hdev);
1045
1046 if (hci_dev_test_flag(hdev, HCI_MGMT))
1047 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1048 ACL_LINK, 0, rp->status);
1049
1050 hci_dev_unlock(hdev);
1051}
1052
1053static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1054 struct sk_buff *skb)
1055{
1056 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1057
1058 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1059}
1060
1061static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1062 struct sk_buff *skb)
1063{
1064 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1065
1066 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1067}
1068
1069static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1070{
1071 __u8 status = *((__u8 *) skb->data);
1072 bdaddr_t *sent;
1073
1074 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1075
1076 if (status)
1077 return;
1078
1079 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1080 if (!sent)
1081 return;
1082
1083 hci_dev_lock(hdev);
1084
1085 bacpy(&hdev->random_addr, sent);
1086
1087 hci_dev_unlock(hdev);
1088}
1089
1090static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1091{
1092 __u8 status = *((__u8 *) skb->data);
1093 struct hci_cp_le_set_default_phy *cp;
1094
1095 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1096
1097 if (status)
1098 return;
1099
1100 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1101 if (!cp)
1102 return;
1103
1104 hci_dev_lock(hdev);
1105
1106 hdev->le_tx_def_phys = cp->tx_phys;
1107 hdev->le_rx_def_phys = cp->rx_phys;
1108
1109 hci_dev_unlock(hdev);
1110}
1111
1112static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1113 struct sk_buff *skb)
1114{
1115 __u8 status = *((__u8 *) skb->data);
1116 struct hci_cp_le_set_adv_set_rand_addr *cp;
1117 struct adv_info *adv_instance;
1118
1119 if (status)
1120 return;
1121
1122 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1123 if (!cp)
1124 return;
1125
1126 hci_dev_lock(hdev);
1127
1128 if (!hdev->cur_adv_instance) {
1129 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1130 bacpy(&hdev->random_addr, &cp->bdaddr);
1131 } else {
1132 adv_instance = hci_find_adv_instance(hdev,
1133 hdev->cur_adv_instance);
1134 if (adv_instance)
1135 bacpy(&adv_instance->random_addr, &cp->bdaddr);
1136 }
1137
1138 hci_dev_unlock(hdev);
1139}
1140
1141static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1142{
1143 __u8 *sent, status = *((__u8 *) skb->data);
1144
1145 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1146
1147 if (status)
1148 return;
1149
1150 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1151 if (!sent)
1152 return;
1153
1154 hci_dev_lock(hdev);
1155
1156 /* If we're doing connection initiation as peripheral. Set a
1157 * timeout in case something goes wrong.
1158 */
1159 if (*sent) {
1160 struct hci_conn *conn;
1161
1162 hci_dev_set_flag(hdev, HCI_LE_ADV);
1163
1164 conn = hci_lookup_le_connect(hdev);
1165 if (conn)
1166 queue_delayed_work(hdev->workqueue,
1167 &conn->le_conn_timeout,
1168 conn->conn_timeout);
1169 } else {
1170 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1171 }
1172
1173 hci_dev_unlock(hdev);
1174}
1175
1176static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1177 struct sk_buff *skb)
1178{
1179 struct hci_cp_le_set_ext_adv_enable *cp;
1180 __u8 status = *((__u8 *) skb->data);
1181
1182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1183
1184 if (status)
1185 return;
1186
1187 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1188 if (!cp)
1189 return;
1190
1191 hci_dev_lock(hdev);
1192
1193 if (cp->enable) {
1194 struct hci_conn *conn;
1195
1196 hci_dev_set_flag(hdev, HCI_LE_ADV);
1197
1198 conn = hci_lookup_le_connect(hdev);
1199 if (conn)
1200 queue_delayed_work(hdev->workqueue,
1201 &conn->le_conn_timeout,
1202 conn->conn_timeout);
1203 } else {
1204 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1205 }
1206
1207 hci_dev_unlock(hdev);
1208}
1209
1210static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1211{
1212 struct hci_cp_le_set_scan_param *cp;
1213 __u8 status = *((__u8 *) skb->data);
1214
1215 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1216
1217 if (status)
1218 return;
1219
1220 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1221 if (!cp)
1222 return;
1223
1224 hci_dev_lock(hdev);
1225
1226 hdev->le_scan_type = cp->type;
1227
1228 hci_dev_unlock(hdev);
1229}
1230
1231static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1232 struct sk_buff *skb)
1233{
1234 struct hci_cp_le_set_ext_scan_params *cp;
1235 __u8 status = *((__u8 *) skb->data);
1236 struct hci_cp_le_scan_phy_params *phy_param;
1237
1238 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1239
1240 if (status)
1241 return;
1242
1243 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1244 if (!cp)
1245 return;
1246
1247 phy_param = (void *)cp->data;
1248
1249 hci_dev_lock(hdev);
1250
1251 hdev->le_scan_type = phy_param->type;
1252
1253 hci_dev_unlock(hdev);
1254}
1255
1256static bool has_pending_adv_report(struct hci_dev *hdev)
1257{
1258 struct discovery_state *d = &hdev->discovery;
1259
1260 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1261}
1262
1263static void clear_pending_adv_report(struct hci_dev *hdev)
1264{
1265 struct discovery_state *d = &hdev->discovery;
1266
1267 bacpy(&d->last_adv_addr, BDADDR_ANY);
1268 d->last_adv_data_len = 0;
1269}
1270
1271static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1272 u8 bdaddr_type, s8 rssi, u32 flags,
1273 u8 *data, u8 len)
1274{
1275 struct discovery_state *d = &hdev->discovery;
1276
1277 bacpy(&d->last_adv_addr, bdaddr);
1278 d->last_adv_addr_type = bdaddr_type;
1279 d->last_adv_rssi = rssi;
1280 d->last_adv_flags = flags;
1281 memcpy(d->last_adv_data, data, len);
1282 d->last_adv_data_len = len;
1283}
1284
1285static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1286{
1287 hci_dev_lock(hdev);
1288
1289 switch (enable) {
1290 case LE_SCAN_ENABLE:
1291 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1292 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1293 clear_pending_adv_report(hdev);
1294 break;
1295
1296 case LE_SCAN_DISABLE:
1297 /* We do this here instead of when setting DISCOVERY_STOPPED
1298 * since the latter would potentially require waiting for
1299 * inquiry to stop too.
1300 */
1301 if (has_pending_adv_report(hdev)) {
1302 struct discovery_state *d = &hdev->discovery;
1303
1304 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1305 d->last_adv_addr_type, NULL,
1306 d->last_adv_rssi, d->last_adv_flags,
1307 d->last_adv_data,
1308 d->last_adv_data_len, NULL, 0);
1309 }
1310
1311 /* Cancel this timer so that we don't try to disable scanning
1312 * when it's already disabled.
1313 */
1314 cancel_delayed_work(&hdev->le_scan_disable);
1315
1316 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1317
1318 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1319 * interrupted scanning due to a connect request. Mark
1320 * therefore discovery as stopped. If this was not
1321 * because of a connect request advertising might have
1322 * been disabled because of active scanning, so
1323 * re-enable it again if necessary.
1324 */
1325 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1326 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1327 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1328 hdev->discovery.state == DISCOVERY_FINDING)
1329 hci_req_reenable_advertising(hdev);
1330
1331 break;
1332
1333 default:
1334 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1335 enable);
1336 break;
1337 }
1338
1339 hci_dev_unlock(hdev);
1340}
1341
1342static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1343 struct sk_buff *skb)
1344{
1345 struct hci_cp_le_set_scan_enable *cp;
1346 __u8 status = *((__u8 *) skb->data);
1347
1348 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1349
1350 if (status)
1351 return;
1352
1353 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1354 if (!cp)
1355 return;
1356
1357 le_set_scan_enable_complete(hdev, cp->enable);
1358}
1359
1360static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1361 struct sk_buff *skb)
1362{
1363 struct hci_cp_le_set_ext_scan_enable *cp;
1364 __u8 status = *((__u8 *) skb->data);
1365
1366 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1367
1368 if (status)
1369 return;
1370
1371 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1372 if (!cp)
1373 return;
1374
1375 le_set_scan_enable_complete(hdev, cp->enable);
1376}
1377
1378static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1379 struct sk_buff *skb)
1380{
1381 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1382
1383 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1384 rp->num_of_sets);
1385
1386 if (rp->status)
1387 return;
1388
1389 hdev->le_num_of_adv_sets = rp->num_of_sets;
1390}
1391
1392static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1393 struct sk_buff *skb)
1394{
1395 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1396
1397 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1398
1399 if (rp->status)
1400 return;
1401
1402 hdev->le_white_list_size = rp->size;
1403}
1404
1405static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1406 struct sk_buff *skb)
1407{
1408 __u8 status = *((__u8 *) skb->data);
1409
1410 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1411
1412 if (status)
1413 return;
1414
1415 hci_bdaddr_list_clear(&hdev->le_white_list);
1416}
1417
1418static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1419 struct sk_buff *skb)
1420{
1421 struct hci_cp_le_add_to_white_list *sent;
1422 __u8 status = *((__u8 *) skb->data);
1423
1424 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1425
1426 if (status)
1427 return;
1428
1429 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1430 if (!sent)
1431 return;
1432
1433 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1434 sent->bdaddr_type);
1435}
1436
1437static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1438 struct sk_buff *skb)
1439{
1440 struct hci_cp_le_del_from_white_list *sent;
1441 __u8 status = *((__u8 *) skb->data);
1442
1443 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1444
1445 if (status)
1446 return;
1447
1448 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1449 if (!sent)
1450 return;
1451
1452 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1453 sent->bdaddr_type);
1454}
1455
1456static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1457 struct sk_buff *skb)
1458{
1459 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1460
1461 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1462
1463 if (rp->status)
1464 return;
1465
1466 memcpy(hdev->le_states, rp->le_states, 8);
1467}
1468
1469static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1470 struct sk_buff *skb)
1471{
1472 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1473
1474 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1475
1476 if (rp->status)
1477 return;
1478
1479 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1480 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1481}
1482
1483static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1484 struct sk_buff *skb)
1485{
1486 struct hci_cp_le_write_def_data_len *sent;
1487 __u8 status = *((__u8 *) skb->data);
1488
1489 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1490
1491 if (status)
1492 return;
1493
1494 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1495 if (!sent)
1496 return;
1497
1498 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1499 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1500}
1501
1502static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1503 struct sk_buff *skb)
1504{
1505 struct hci_cp_le_add_to_resolv_list *sent;
1506 __u8 status = *((__u8 *) skb->data);
1507
1508 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1509
1510 if (status)
1511 return;
1512
1513 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1514 if (!sent)
1515 return;
1516
1517 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1518 sent->bdaddr_type, sent->peer_irk,
1519 sent->local_irk);
1520}
1521
1522static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1523 struct sk_buff *skb)
1524{
1525 struct hci_cp_le_del_from_resolv_list *sent;
1526 __u8 status = *((__u8 *) skb->data);
1527
1528 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1529
1530 if (status)
1531 return;
1532
1533 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1534 if (!sent)
1535 return;
1536
1537 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1538 sent->bdaddr_type);
1539}
1540
1541static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1542 struct sk_buff *skb)
1543{
1544 __u8 status = *((__u8 *) skb->data);
1545
1546 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1547
1548 if (status)
1549 return;
1550
1551 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1552}
1553
1554static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1555 struct sk_buff *skb)
1556{
1557 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1558
1559 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1560
1561 if (rp->status)
1562 return;
1563
1564 hdev->le_resolv_list_size = rp->size;
1565}
1566
1567static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1568 struct sk_buff *skb)
1569{
1570 __u8 *sent, status = *((__u8 *) skb->data);
1571
1572 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1573
1574 if (status)
1575 return;
1576
1577 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1578 if (!sent)
1579 return;
1580
1581 hci_dev_lock(hdev);
1582
1583 if (*sent)
1584 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1585 else
1586 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1587
1588 hci_dev_unlock(hdev);
1589}
1590
1591static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1592 struct sk_buff *skb)
1593{
1594 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1595
1596 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1597
1598 if (rp->status)
1599 return;
1600
1601 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1602 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1603 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1604 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1605}
1606
1607static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1608 struct sk_buff *skb)
1609{
1610 struct hci_cp_write_le_host_supported *sent;
1611 __u8 status = *((__u8 *) skb->data);
1612
1613 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1614
1615 if (status)
1616 return;
1617
1618 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1619 if (!sent)
1620 return;
1621
1622 hci_dev_lock(hdev);
1623
1624 if (sent->le) {
1625 hdev->features[1][0] |= LMP_HOST_LE;
1626 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1627 } else {
1628 hdev->features[1][0] &= ~LMP_HOST_LE;
1629 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1630 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1631 }
1632
1633 if (sent->simul)
1634 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1635 else
1636 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1637
1638 hci_dev_unlock(hdev);
1639}
1640
1641static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1642{
1643 struct hci_cp_le_set_adv_param *cp;
1644 u8 status = *((u8 *) skb->data);
1645
1646 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1647
1648 if (status)
1649 return;
1650
1651 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1652 if (!cp)
1653 return;
1654
1655 hci_dev_lock(hdev);
1656 hdev->adv_addr_type = cp->own_address_type;
1657 hci_dev_unlock(hdev);
1658}
1659
1660static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1661{
1662 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1663 struct hci_cp_le_set_ext_adv_params *cp;
1664 struct adv_info *adv_instance;
1665
1666 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1667
1668 if (rp->status)
1669 return;
1670
1671 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1672 if (!cp)
1673 return;
1674
1675 hci_dev_lock(hdev);
1676 hdev->adv_addr_type = cp->own_addr_type;
1677 if (!hdev->cur_adv_instance) {
1678 /* Store in hdev for instance 0 */
1679 hdev->adv_tx_power = rp->tx_power;
1680 } else {
1681 adv_instance = hci_find_adv_instance(hdev,
1682 hdev->cur_adv_instance);
1683 if (adv_instance)
1684 adv_instance->tx_power = rp->tx_power;
1685 }
1686 /* Update adv data as tx power is known now */
1687 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1688 hci_dev_unlock(hdev);
1689}
1690
1691static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1692{
1693 struct hci_rp_read_rssi *rp = (void *) skb->data;
1694 struct hci_conn *conn;
1695
1696 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1697
1698 if (rp->status)
1699 return;
1700
1701 hci_dev_lock(hdev);
1702
1703 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1704 if (conn)
1705 conn->rssi = rp->rssi;
1706
1707 hci_dev_unlock(hdev);
1708}
1709
1710static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1711{
1712 struct hci_cp_read_tx_power *sent;
1713 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1714 struct hci_conn *conn;
1715
1716 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1717
1718 if (rp->status)
1719 return;
1720
1721 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1722 if (!sent)
1723 return;
1724
1725 hci_dev_lock(hdev);
1726
1727 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1728 if (!conn)
1729 goto unlock;
1730
1731 switch (sent->type) {
1732 case 0x00:
1733 conn->tx_power = rp->tx_power;
1734 break;
1735 case 0x01:
1736 conn->max_tx_power = rp->tx_power;
1737 break;
1738 }
1739
1740unlock:
1741 hci_dev_unlock(hdev);
1742}
1743
1744static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1745{
1746 u8 status = *((u8 *) skb->data);
1747 u8 *mode;
1748
1749 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1750
1751 if (status)
1752 return;
1753
1754 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1755 if (mode)
1756 hdev->ssp_debug_mode = *mode;
1757}
1758
1759static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1760{
1761 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1762
1763 if (status) {
1764 hci_conn_check_pending(hdev);
1765 return;
1766 }
1767
1768 set_bit(HCI_INQUIRY, &hdev->flags);
1769}
1770
1771static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1772{
1773 struct hci_cp_create_conn *cp;
1774 struct hci_conn *conn;
1775
1776 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1777
1778 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1779 if (!cp)
1780 return;
1781
1782 hci_dev_lock(hdev);
1783
1784 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1785
1786 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1787
1788 if (status) {
1789 if (conn && conn->state == BT_CONNECT) {
1790 if (status != 0x0c || conn->attempt > 2) {
1791 conn->state = BT_CLOSED;
1792 hci_connect_cfm(conn, status);
1793 hci_conn_del(conn);
1794 } else
1795 conn->state = BT_CONNECT2;
1796 }
1797 } else {
1798 if (!conn) {
1799 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1800 HCI_ROLE_MASTER);
1801 if (!conn)
1802 bt_dev_err(hdev, "no memory for new connection");
1803 }
1804 }
1805
1806 hci_dev_unlock(hdev);
1807}
1808
1809static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1810{
1811 struct hci_cp_add_sco *cp;
1812 struct hci_conn *acl, *sco;
1813 __u16 handle;
1814
1815 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1816
1817 if (!status)
1818 return;
1819
1820 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1821 if (!cp)
1822 return;
1823
1824 handle = __le16_to_cpu(cp->handle);
1825
1826 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1827
1828 hci_dev_lock(hdev);
1829
1830 acl = hci_conn_hash_lookup_handle(hdev, handle);
1831 if (acl) {
1832 sco = acl->link;
1833 if (sco) {
1834 sco->state = BT_CLOSED;
1835
1836 hci_connect_cfm(sco, status);
1837 hci_conn_del(sco);
1838 }
1839 }
1840
1841 hci_dev_unlock(hdev);
1842}
1843
1844static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1845{
1846 struct hci_cp_auth_requested *cp;
1847 struct hci_conn *conn;
1848
1849 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1850
1851 if (!status)
1852 return;
1853
1854 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1855 if (!cp)
1856 return;
1857
1858 hci_dev_lock(hdev);
1859
1860 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1861 if (conn) {
1862 if (conn->state == BT_CONFIG) {
1863 hci_connect_cfm(conn, status);
1864 hci_conn_drop(conn);
1865 }
1866 }
1867
1868 hci_dev_unlock(hdev);
1869}
1870
1871static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1872{
1873 struct hci_cp_set_conn_encrypt *cp;
1874 struct hci_conn *conn;
1875
1876 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1877
1878 if (!status)
1879 return;
1880
1881 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1882 if (!cp)
1883 return;
1884
1885 hci_dev_lock(hdev);
1886
1887 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1888 if (conn) {
1889 if (conn->state == BT_CONFIG) {
1890 hci_connect_cfm(conn, status);
1891 hci_conn_drop(conn);
1892 }
1893 }
1894
1895 hci_dev_unlock(hdev);
1896}
1897
1898static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1899 struct hci_conn *conn)
1900{
1901 if (conn->state != BT_CONFIG || !conn->out)
1902 return 0;
1903
1904 if (conn->pending_sec_level == BT_SECURITY_SDP)
1905 return 0;
1906
1907 /* Only request authentication for SSP connections or non-SSP
1908 * devices with sec_level MEDIUM or HIGH or if MITM protection
1909 * is requested.
1910 */
1911 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1912 conn->pending_sec_level != BT_SECURITY_FIPS &&
1913 conn->pending_sec_level != BT_SECURITY_HIGH &&
1914 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1915 return 0;
1916
1917 return 1;
1918}
1919
1920static int hci_resolve_name(struct hci_dev *hdev,
1921 struct inquiry_entry *e)
1922{
1923 struct hci_cp_remote_name_req cp;
1924
1925 memset(&cp, 0, sizeof(cp));
1926
1927 bacpy(&cp.bdaddr, &e->data.bdaddr);
1928 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1929 cp.pscan_mode = e->data.pscan_mode;
1930 cp.clock_offset = e->data.clock_offset;
1931
1932 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1933}
1934
1935static bool hci_resolve_next_name(struct hci_dev *hdev)
1936{
1937 struct discovery_state *discov = &hdev->discovery;
1938 struct inquiry_entry *e;
1939
1940 if (list_empty(&discov->resolve))
1941 return false;
1942
1943 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1944 if (!e)
1945 return false;
1946
1947 if (hci_resolve_name(hdev, e) == 0) {
1948 e->name_state = NAME_PENDING;
1949 return true;
1950 }
1951
1952 return false;
1953}
1954
1955static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1956 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1957{
1958 struct discovery_state *discov = &hdev->discovery;
1959 struct inquiry_entry *e;
1960
1961 /* Update the mgmt connected state if necessary. Be careful with
1962 * conn objects that exist but are not (yet) connected however.
1963 * Only those in BT_CONFIG or BT_CONNECTED states can be
1964 * considered connected.
1965 */
1966 if (conn &&
1967 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1968 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1969 mgmt_device_connected(hdev, conn, 0, name, name_len);
1970
1971 if (discov->state == DISCOVERY_STOPPED)
1972 return;
1973
1974 if (discov->state == DISCOVERY_STOPPING)
1975 goto discov_complete;
1976
1977 if (discov->state != DISCOVERY_RESOLVING)
1978 return;
1979
1980 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1981 /* If the device was not found in a list of found devices names of which
1982 * are pending. there is no need to continue resolving a next name as it
1983 * will be done upon receiving another Remote Name Request Complete
1984 * Event */
1985 if (!e)
1986 return;
1987
1988 list_del(&e->list);
1989 if (name) {
1990 e->name_state = NAME_KNOWN;
1991 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1992 e->data.rssi, name, name_len);
1993 } else {
1994 e->name_state = NAME_NOT_KNOWN;
1995 }
1996
1997 if (hci_resolve_next_name(hdev))
1998 return;
1999
2000discov_complete:
2001 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2002}
2003
2004static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2005{
2006 struct hci_cp_remote_name_req *cp;
2007 struct hci_conn *conn;
2008
2009 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2010
2011 /* If successful wait for the name req complete event before
2012 * checking for the need to do authentication */
2013 if (!status)
2014 return;
2015
2016 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2017 if (!cp)
2018 return;
2019
2020 hci_dev_lock(hdev);
2021
2022 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2023
2024 if (hci_dev_test_flag(hdev, HCI_MGMT))
2025 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2026
2027 if (!conn)
2028 goto unlock;
2029
2030 if (!hci_outgoing_auth_needed(hdev, conn))
2031 goto unlock;
2032
2033 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2034 struct hci_cp_auth_requested auth_cp;
2035
2036 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2037
2038 auth_cp.handle = __cpu_to_le16(conn->handle);
2039 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2040 sizeof(auth_cp), &auth_cp);
2041 }
2042
2043unlock:
2044 hci_dev_unlock(hdev);
2045}
2046
2047static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2048{
2049 struct hci_cp_read_remote_features *cp;
2050 struct hci_conn *conn;
2051
2052 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2053
2054 if (!status)
2055 return;
2056
2057 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2058 if (!cp)
2059 return;
2060
2061 hci_dev_lock(hdev);
2062
2063 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2064 if (conn) {
2065 if (conn->state == BT_CONFIG) {
2066 hci_connect_cfm(conn, status);
2067 hci_conn_drop(conn);
2068 }
2069 }
2070
2071 hci_dev_unlock(hdev);
2072}
2073
2074static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2075{
2076 struct hci_cp_read_remote_ext_features *cp;
2077 struct hci_conn *conn;
2078
2079 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2080
2081 if (!status)
2082 return;
2083
2084 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2085 if (!cp)
2086 return;
2087
2088 hci_dev_lock(hdev);
2089
2090 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2091 if (conn) {
2092 if (conn->state == BT_CONFIG) {
2093 hci_connect_cfm(conn, status);
2094 hci_conn_drop(conn);
2095 }
2096 }
2097
2098 hci_dev_unlock(hdev);
2099}
2100
2101static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2102{
2103 struct hci_cp_setup_sync_conn *cp;
2104 struct hci_conn *acl, *sco;
2105 __u16 handle;
2106
2107 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2108
2109 if (!status)
2110 return;
2111
2112 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2113 if (!cp)
2114 return;
2115
2116 handle = __le16_to_cpu(cp->handle);
2117
2118 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2119
2120 hci_dev_lock(hdev);
2121
2122 acl = hci_conn_hash_lookup_handle(hdev, handle);
2123 if (acl) {
2124 sco = acl->link;
2125 if (sco) {
2126 sco->state = BT_CLOSED;
2127
2128 hci_connect_cfm(sco, status);
2129 hci_conn_del(sco);
2130 }
2131 }
2132
2133 hci_dev_unlock(hdev);
2134}
2135
2136static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2137{
2138 struct hci_cp_sniff_mode *cp;
2139 struct hci_conn *conn;
2140
2141 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2142
2143 if (!status)
2144 return;
2145
2146 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2147 if (!cp)
2148 return;
2149
2150 hci_dev_lock(hdev);
2151
2152 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2153 if (conn) {
2154 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2155
2156 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2157 hci_sco_setup(conn, status);
2158 }
2159
2160 hci_dev_unlock(hdev);
2161}
2162
2163static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2164{
2165 struct hci_cp_exit_sniff_mode *cp;
2166 struct hci_conn *conn;
2167
2168 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2169
2170 if (!status)
2171 return;
2172
2173 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2174 if (!cp)
2175 return;
2176
2177 hci_dev_lock(hdev);
2178
2179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2180 if (conn) {
2181 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2182
2183 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2184 hci_sco_setup(conn, status);
2185 }
2186
2187 hci_dev_unlock(hdev);
2188}
2189
2190static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2191{
2192 struct hci_cp_disconnect *cp;
2193 struct hci_conn *conn;
2194
2195 if (!status)
2196 return;
2197
2198 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2199 if (!cp)
2200 return;
2201
2202 hci_dev_lock(hdev);
2203
2204 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2205 if (conn)
2206 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2207 conn->dst_type, status);
2208
2209 hci_dev_unlock(hdev);
2210}
2211
2212static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2213 u8 peer_addr_type, u8 own_address_type,
2214 u8 filter_policy)
2215{
2216 struct hci_conn *conn;
2217
2218 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2219 peer_addr_type);
2220 if (!conn)
2221 return;
2222
2223 /* Store the initiator and responder address information which
2224 * is needed for SMP. These values will not change during the
2225 * lifetime of the connection.
2226 */
2227 conn->init_addr_type = own_address_type;
2228 if (own_address_type == ADDR_LE_DEV_RANDOM)
2229 bacpy(&conn->init_addr, &hdev->random_addr);
2230 else
2231 bacpy(&conn->init_addr, &hdev->bdaddr);
2232
2233 conn->resp_addr_type = peer_addr_type;
2234 bacpy(&conn->resp_addr, peer_addr);
2235
2236 /* We don't want the connection attempt to stick around
2237 * indefinitely since LE doesn't have a page timeout concept
2238 * like BR/EDR. Set a timer for any connection that doesn't use
2239 * the white list for connecting.
2240 */
2241 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2242 queue_delayed_work(conn->hdev->workqueue,
2243 &conn->le_conn_timeout,
2244 conn->conn_timeout);
2245}
2246
2247static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2248{
2249 struct hci_cp_le_create_conn *cp;
2250
2251 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2252
2253 /* All connection failure handling is taken care of by the
2254 * hci_le_conn_failed function which is triggered by the HCI
2255 * request completion callbacks used for connecting.
2256 */
2257 if (status)
2258 return;
2259
2260 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2261 if (!cp)
2262 return;
2263
2264 hci_dev_lock(hdev);
2265
2266 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2267 cp->own_address_type, cp->filter_policy);
2268
2269 hci_dev_unlock(hdev);
2270}
2271
2272static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2273{
2274 struct hci_cp_le_ext_create_conn *cp;
2275
2276 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2277
2278 /* All connection failure handling is taken care of by the
2279 * hci_le_conn_failed function which is triggered by the HCI
2280 * request completion callbacks used for connecting.
2281 */
2282 if (status)
2283 return;
2284
2285 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2286 if (!cp)
2287 return;
2288
2289 hci_dev_lock(hdev);
2290
2291 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2292 cp->own_addr_type, cp->filter_policy);
2293
2294 hci_dev_unlock(hdev);
2295}
2296
2297static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2298{
2299 struct hci_cp_le_read_remote_features *cp;
2300 struct hci_conn *conn;
2301
2302 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2303
2304 if (!status)
2305 return;
2306
2307 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2308 if (!cp)
2309 return;
2310
2311 hci_dev_lock(hdev);
2312
2313 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2314 if (conn) {
2315 if (conn->state == BT_CONFIG) {
2316 hci_connect_cfm(conn, status);
2317 hci_conn_drop(conn);
2318 }
2319 }
2320
2321 hci_dev_unlock(hdev);
2322}
2323
2324static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2325{
2326 struct hci_cp_le_start_enc *cp;
2327 struct hci_conn *conn;
2328
2329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2330
2331 if (!status)
2332 return;
2333
2334 hci_dev_lock(hdev);
2335
2336 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2337 if (!cp)
2338 goto unlock;
2339
2340 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2341 if (!conn)
2342 goto unlock;
2343
2344 if (conn->state != BT_CONNECTED)
2345 goto unlock;
2346
2347 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2348 hci_conn_drop(conn);
2349
2350unlock:
2351 hci_dev_unlock(hdev);
2352}
2353
2354static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2355{
2356 struct hci_cp_switch_role *cp;
2357 struct hci_conn *conn;
2358
2359 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2360
2361 if (!status)
2362 return;
2363
2364 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2365 if (!cp)
2366 return;
2367
2368 hci_dev_lock(hdev);
2369
2370 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2371 if (conn)
2372 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2373
2374 hci_dev_unlock(hdev);
2375}
2376
2377static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2378{
2379 __u8 status = *((__u8 *) skb->data);
2380 struct discovery_state *discov = &hdev->discovery;
2381 struct inquiry_entry *e;
2382
2383 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2384
2385 hci_conn_check_pending(hdev);
2386
2387 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2388 return;
2389
2390 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2391 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2392
2393 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2394 return;
2395
2396 hci_dev_lock(hdev);
2397
2398 if (discov->state != DISCOVERY_FINDING)
2399 goto unlock;
2400
2401 if (list_empty(&discov->resolve)) {
2402 /* When BR/EDR inquiry is active and no LE scanning is in
2403 * progress, then change discovery state to indicate completion.
2404 *
2405 * When running LE scanning and BR/EDR inquiry simultaneously
2406 * and the LE scan already finished, then change the discovery
2407 * state to indicate completion.
2408 */
2409 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2410 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2411 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2412 goto unlock;
2413 }
2414
2415 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2416 if (e && hci_resolve_name(hdev, e) == 0) {
2417 e->name_state = NAME_PENDING;
2418 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2419 } else {
2420 /* When BR/EDR inquiry is active and no LE scanning is in
2421 * progress, then change discovery state to indicate completion.
2422 *
2423 * When running LE scanning and BR/EDR inquiry simultaneously
2424 * and the LE scan already finished, then change the discovery
2425 * state to indicate completion.
2426 */
2427 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2428 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2429 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2430 }
2431
2432unlock:
2433 hci_dev_unlock(hdev);
2434}
2435
2436static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2437{
2438 struct inquiry_data data;
2439 struct inquiry_info *info = (void *) (skb->data + 1);
2440 int num_rsp = *((__u8 *) skb->data);
2441
2442 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2443
2444 if (!num_rsp)
2445 return;
2446
2447 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2448 return;
2449
2450 hci_dev_lock(hdev);
2451
2452 for (; num_rsp; num_rsp--, info++) {
2453 u32 flags;
2454
2455 bacpy(&data.bdaddr, &info->bdaddr);
2456 data.pscan_rep_mode = info->pscan_rep_mode;
2457 data.pscan_period_mode = info->pscan_period_mode;
2458 data.pscan_mode = info->pscan_mode;
2459 memcpy(data.dev_class, info->dev_class, 3);
2460 data.clock_offset = info->clock_offset;
2461 data.rssi = HCI_RSSI_INVALID;
2462 data.ssp_mode = 0x00;
2463
2464 flags = hci_inquiry_cache_update(hdev, &data, false);
2465
2466 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2467 info->dev_class, HCI_RSSI_INVALID,
2468 flags, NULL, 0, NULL, 0);
2469 }
2470
2471 hci_dev_unlock(hdev);
2472}
2473
2474static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2475{
2476 struct hci_ev_conn_complete *ev = (void *) skb->data;
2477 struct hci_conn *conn;
2478
2479 BT_DBG("%s", hdev->name);
2480
2481 hci_dev_lock(hdev);
2482
2483 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2484 if (!conn) {
2485 if (ev->link_type != SCO_LINK)
2486 goto unlock;
2487
2488 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2489 if (!conn)
2490 goto unlock;
2491
2492 conn->type = SCO_LINK;
2493 }
2494
2495 if (!ev->status) {
2496 conn->handle = __le16_to_cpu(ev->handle);
2497
2498 if (conn->type == ACL_LINK) {
2499 conn->state = BT_CONFIG;
2500 hci_conn_hold(conn);
2501
2502 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2503 !hci_find_link_key(hdev, &ev->bdaddr))
2504 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2505 else
2506 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2507 } else
2508 conn->state = BT_CONNECTED;
2509
2510 hci_debugfs_create_conn(conn);
2511 hci_conn_add_sysfs(conn);
2512
2513 if (test_bit(HCI_AUTH, &hdev->flags))
2514 set_bit(HCI_CONN_AUTH, &conn->flags);
2515
2516 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2517 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2518
2519 /* Get remote features */
2520 if (conn->type == ACL_LINK) {
2521 struct hci_cp_read_remote_features cp;
2522 cp.handle = ev->handle;
2523 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2524 sizeof(cp), &cp);
2525
2526 hci_req_update_scan(hdev);
2527 }
2528
2529 /* Set packet type for incoming connection */
2530 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2531 struct hci_cp_change_conn_ptype cp;
2532 cp.handle = ev->handle;
2533 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2534 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2535 &cp);
2536 }
2537 } else {
2538 conn->state = BT_CLOSED;
2539 if (conn->type == ACL_LINK)
2540 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2541 conn->dst_type, ev->status);
2542 }
2543
2544 if (conn->type == ACL_LINK)
2545 hci_sco_setup(conn, ev->status);
2546
2547 if (ev->status) {
2548 hci_connect_cfm(conn, ev->status);
2549 hci_conn_del(conn);
2550 } else if (ev->link_type != ACL_LINK)
2551 hci_connect_cfm(conn, ev->status);
2552
2553unlock:
2554 hci_dev_unlock(hdev);
2555
2556 hci_conn_check_pending(hdev);
2557}
2558
2559static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2560{
2561 struct hci_cp_reject_conn_req cp;
2562
2563 bacpy(&cp.bdaddr, bdaddr);
2564 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2565 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2566}
2567
2568static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2569{
2570 struct hci_ev_conn_request *ev = (void *) skb->data;
2571 int mask = hdev->link_mode;
2572 struct inquiry_entry *ie;
2573 struct hci_conn *conn;
2574 __u8 flags = 0;
2575
2576 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2577 ev->link_type);
2578
2579 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2580 &flags);
2581
2582 if (!(mask & HCI_LM_ACCEPT)) {
2583 hci_reject_conn(hdev, &ev->bdaddr);
2584 return;
2585 }
2586
2587 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2588 BDADDR_BREDR)) {
2589 hci_reject_conn(hdev, &ev->bdaddr);
2590 return;
2591 }
2592
2593 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2594 * connection. These features are only touched through mgmt so
2595 * only do the checks if HCI_MGMT is set.
2596 */
2597 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2598 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2599 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2600 BDADDR_BREDR)) {
2601 hci_reject_conn(hdev, &ev->bdaddr);
2602 return;
2603 }
2604
2605 /* Connection accepted */
2606
2607 hci_dev_lock(hdev);
2608
2609 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2610 if (ie)
2611 memcpy(ie->data.dev_class, ev->dev_class, 3);
2612
2613 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2614 &ev->bdaddr);
2615 if (!conn) {
2616 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2617 HCI_ROLE_SLAVE);
2618 if (!conn) {
2619 bt_dev_err(hdev, "no memory for new connection");
2620 hci_dev_unlock(hdev);
2621 return;
2622 }
2623 }
2624
2625 memcpy(conn->dev_class, ev->dev_class, 3);
2626
2627 hci_dev_unlock(hdev);
2628
2629 if (ev->link_type == ACL_LINK ||
2630 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2631 struct hci_cp_accept_conn_req cp;
2632 conn->state = BT_CONNECT;
2633
2634 bacpy(&cp.bdaddr, &ev->bdaddr);
2635
2636 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2637 cp.role = 0x00; /* Become master */
2638 else
2639 cp.role = 0x01; /* Remain slave */
2640
2641 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2642 } else if (!(flags & HCI_PROTO_DEFER)) {
2643 struct hci_cp_accept_sync_conn_req cp;
2644 conn->state = BT_CONNECT;
2645
2646 bacpy(&cp.bdaddr, &ev->bdaddr);
2647 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2648
2649 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2650 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2651 cp.max_latency = cpu_to_le16(0xffff);
2652 cp.content_format = cpu_to_le16(hdev->voice_setting);
2653 cp.retrans_effort = 0xff;
2654
2655 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2656 &cp);
2657 } else {
2658 conn->state = BT_CONNECT2;
2659 hci_connect_cfm(conn, 0);
2660 }
2661}
2662
2663static u8 hci_to_mgmt_reason(u8 err)
2664{
2665 switch (err) {
2666 case HCI_ERROR_CONNECTION_TIMEOUT:
2667 return MGMT_DEV_DISCONN_TIMEOUT;
2668 case HCI_ERROR_REMOTE_USER_TERM:
2669 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2670 case HCI_ERROR_REMOTE_POWER_OFF:
2671 return MGMT_DEV_DISCONN_REMOTE;
2672 case HCI_ERROR_LOCAL_HOST_TERM:
2673 return MGMT_DEV_DISCONN_LOCAL_HOST;
2674 default:
2675 return MGMT_DEV_DISCONN_UNKNOWN;
2676 }
2677}
2678
2679static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2680{
2681 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2682 u8 reason;
2683 struct hci_conn_params *params;
2684 struct hci_conn *conn;
2685 bool mgmt_connected;
2686 u8 type;
2687
2688 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2689
2690 hci_dev_lock(hdev);
2691
2692 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2693 if (!conn)
2694 goto unlock;
2695
2696 if (ev->status) {
2697 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2698 conn->dst_type, ev->status);
2699 goto unlock;
2700 }
2701
2702 conn->state = BT_CLOSED;
2703
2704 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2705
2706 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2707 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2708 else
2709 reason = hci_to_mgmt_reason(ev->reason);
2710
2711 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2712 reason, mgmt_connected);
2713
2714 if (conn->type == ACL_LINK) {
2715 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2716 hci_remove_link_key(hdev, &conn->dst);
2717
2718 hci_req_update_scan(hdev);
2719 }
2720
2721 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2722 if (params) {
2723 switch (params->auto_connect) {
2724 case HCI_AUTO_CONN_LINK_LOSS:
2725 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2726 break;
2727 /* Fall through */
2728
2729 case HCI_AUTO_CONN_DIRECT:
2730 case HCI_AUTO_CONN_ALWAYS:
2731 list_del_init(¶ms->action);
2732 list_add(¶ms->action, &hdev->pend_le_conns);
2733 hci_update_background_scan(hdev);
2734 break;
2735
2736 default:
2737 break;
2738 }
2739 }
2740
2741 type = conn->type;
2742
2743 hci_disconn_cfm(conn, ev->reason);
2744 hci_conn_del(conn);
2745
2746 /* Re-enable advertising if necessary, since it might
2747 * have been disabled by the connection. From the
2748 * HCI_LE_Set_Advertise_Enable command description in
2749 * the core specification (v4.0):
2750 * "The Controller shall continue advertising until the Host
2751 * issues an LE_Set_Advertise_Enable command with
2752 * Advertising_Enable set to 0x00 (Advertising is disabled)
2753 * or until a connection is created or until the Advertising
2754 * is timed out due to Directed Advertising."
2755 */
2756 if (type == LE_LINK)
2757 hci_req_reenable_advertising(hdev);
2758
2759unlock:
2760 hci_dev_unlock(hdev);
2761}
2762
2763static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2764{
2765 struct hci_ev_auth_complete *ev = (void *) skb->data;
2766 struct hci_conn *conn;
2767
2768 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2769
2770 hci_dev_lock(hdev);
2771
2772 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2773 if (!conn)
2774 goto unlock;
2775
2776 if (!ev->status) {
2777 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2778
2779 if (!hci_conn_ssp_enabled(conn) &&
2780 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2781 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2782 } else {
2783 set_bit(HCI_CONN_AUTH, &conn->flags);
2784 conn->sec_level = conn->pending_sec_level;
2785 }
2786 } else {
2787 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2788 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2789
2790 mgmt_auth_failed(conn, ev->status);
2791 }
2792
2793 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2794 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2795
2796 if (conn->state == BT_CONFIG) {
2797 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2798 struct hci_cp_set_conn_encrypt cp;
2799 cp.handle = ev->handle;
2800 cp.encrypt = 0x01;
2801 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2802 &cp);
2803 } else {
2804 conn->state = BT_CONNECTED;
2805 hci_connect_cfm(conn, ev->status);
2806 hci_conn_drop(conn);
2807 }
2808 } else {
2809 hci_auth_cfm(conn, ev->status);
2810
2811 hci_conn_hold(conn);
2812 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2813 hci_conn_drop(conn);
2814 }
2815
2816 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2817 if (!ev->status) {
2818 struct hci_cp_set_conn_encrypt cp;
2819 cp.handle = ev->handle;
2820 cp.encrypt = 0x01;
2821 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2822 &cp);
2823 } else {
2824 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2825 hci_encrypt_cfm(conn, ev->status, 0x00);
2826 }
2827 }
2828
2829unlock:
2830 hci_dev_unlock(hdev);
2831}
2832
2833static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2834{
2835 struct hci_ev_remote_name *ev = (void *) skb->data;
2836 struct hci_conn *conn;
2837
2838 BT_DBG("%s", hdev->name);
2839
2840 hci_conn_check_pending(hdev);
2841
2842 hci_dev_lock(hdev);
2843
2844 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2845
2846 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2847 goto check_auth;
2848
2849 if (ev->status == 0)
2850 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2851 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2852 else
2853 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2854
2855check_auth:
2856 if (!conn)
2857 goto unlock;
2858
2859 if (!hci_outgoing_auth_needed(hdev, conn))
2860 goto unlock;
2861
2862 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2863 struct hci_cp_auth_requested cp;
2864
2865 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2866
2867 cp.handle = __cpu_to_le16(conn->handle);
2868 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2869 }
2870
2871unlock:
2872 hci_dev_unlock(hdev);
2873}
2874
2875static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2876 u16 opcode, struct sk_buff *skb)
2877{
2878 const struct hci_rp_read_enc_key_size *rp;
2879 struct hci_conn *conn;
2880 u16 handle;
2881
2882 BT_DBG("%s status 0x%02x", hdev->name, status);
2883
2884 if (!skb || skb->len < sizeof(*rp)) {
2885 bt_dev_err(hdev, "invalid read key size response");
2886 return;
2887 }
2888
2889 rp = (void *)skb->data;
2890 handle = le16_to_cpu(rp->handle);
2891
2892 hci_dev_lock(hdev);
2893
2894 conn = hci_conn_hash_lookup_handle(hdev, handle);
2895 if (!conn)
2896 goto unlock;
2897
2898 /* If we fail to read the encryption key size, assume maximum
2899 * (which is the same we do also when this HCI command isn't
2900 * supported.
2901 */
2902 if (rp->status) {
2903 bt_dev_err(hdev, "failed to read key size for handle %u",
2904 handle);
2905 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2906 } else {
2907 conn->enc_key_size = rp->key_size;
2908 }
2909
2910 if (conn->state == BT_CONFIG) {
2911 conn->state = BT_CONNECTED;
2912 hci_connect_cfm(conn, 0);
2913 hci_conn_drop(conn);
2914 } else {
2915 u8 encrypt;
2916
2917 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2918 encrypt = 0x00;
2919 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2920 encrypt = 0x02;
2921 else
2922 encrypt = 0x01;
2923
2924 hci_encrypt_cfm(conn, 0, encrypt);
2925 }
2926
2927unlock:
2928 hci_dev_unlock(hdev);
2929}
2930
2931static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2932{
2933 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2934 struct hci_conn *conn;
2935
2936 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2937
2938 hci_dev_lock(hdev);
2939
2940 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2941 if (!conn)
2942 goto unlock;
2943
2944 if (!ev->status) {
2945 if (ev->encrypt) {
2946 /* Encryption implies authentication */
2947 set_bit(HCI_CONN_AUTH, &conn->flags);
2948 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2949 conn->sec_level = conn->pending_sec_level;
2950
2951 /* P-256 authentication key implies FIPS */
2952 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2953 set_bit(HCI_CONN_FIPS, &conn->flags);
2954
2955 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2956 conn->type == LE_LINK)
2957 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2958 } else {
2959 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2960 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2961 }
2962 }
2963
2964 /* We should disregard the current RPA and generate a new one
2965 * whenever the encryption procedure fails.
2966 */
2967 if (ev->status && conn->type == LE_LINK) {
2968 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2969 hci_adv_instances_set_rpa_expired(hdev, true);
2970 }
2971
2972 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2973
2974 if (ev->status && conn->state == BT_CONNECTED) {
2975 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2976 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2977
2978 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2979 hci_conn_drop(conn);
2980 goto unlock;
2981 }
2982
2983 /* In Secure Connections Only mode, do not allow any connections
2984 * that are not encrypted with AES-CCM using a P-256 authenticated
2985 * combination key.
2986 */
2987 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2988 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2989 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2990 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2991 hci_conn_drop(conn);
2992 goto unlock;
2993 }
2994
2995 /* Try reading the encryption key size for encrypted ACL links */
2996 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2997 struct hci_cp_read_enc_key_size cp;
2998 struct hci_request req;
2999
3000 /* Only send HCI_Read_Encryption_Key_Size if the
3001 * controller really supports it. If it doesn't, assume
3002 * the default size (16).
3003 */
3004 if (!(hdev->commands[20] & 0x10)) {
3005 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3006 goto notify;
3007 }
3008
3009 hci_req_init(&req, hdev);
3010
3011 cp.handle = cpu_to_le16(conn->handle);
3012 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3013
3014 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3015 bt_dev_err(hdev, "sending read key size failed");
3016 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3017 goto notify;
3018 }
3019
3020 goto unlock;
3021 }
3022
3023 /* Set the default Authenticated Payload Timeout after
3024 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3025 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3026 * sent when the link is active and Encryption is enabled, the conn
3027 * type can be either LE or ACL and controller must support LMP Ping.
3028 * Ensure for AES-CCM encryption as well.
3029 */
3030 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3031 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3032 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3033 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3034 struct hci_cp_write_auth_payload_to cp;
3035
3036 cp.handle = cpu_to_le16(conn->handle);
3037 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3038 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3039 sizeof(cp), &cp);
3040 }
3041
3042notify:
3043 if (conn->state == BT_CONFIG) {
3044 if (!ev->status)
3045 conn->state = BT_CONNECTED;
3046
3047 hci_connect_cfm(conn, ev->status);
3048 hci_conn_drop(conn);
3049 } else
3050 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
3051
3052unlock:
3053 hci_dev_unlock(hdev);
3054}
3055
3056static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3057 struct sk_buff *skb)
3058{
3059 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3060 struct hci_conn *conn;
3061
3062 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3063
3064 hci_dev_lock(hdev);
3065
3066 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3067 if (conn) {
3068 if (!ev->status)
3069 set_bit(HCI_CONN_SECURE, &conn->flags);
3070
3071 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3072
3073 hci_key_change_cfm(conn, ev->status);
3074 }
3075
3076 hci_dev_unlock(hdev);
3077}
3078
3079static void hci_remote_features_evt(struct hci_dev *hdev,
3080 struct sk_buff *skb)
3081{
3082 struct hci_ev_remote_features *ev = (void *) skb->data;
3083 struct hci_conn *conn;
3084
3085 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3086
3087 hci_dev_lock(hdev);
3088
3089 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3090 if (!conn)
3091 goto unlock;
3092
3093 if (!ev->status)
3094 memcpy(conn->features[0], ev->features, 8);
3095
3096 if (conn->state != BT_CONFIG)
3097 goto unlock;
3098
3099 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3100 lmp_ext_feat_capable(conn)) {
3101 struct hci_cp_read_remote_ext_features cp;
3102 cp.handle = ev->handle;
3103 cp.page = 0x01;
3104 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3105 sizeof(cp), &cp);
3106 goto unlock;
3107 }
3108
3109 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3110 struct hci_cp_remote_name_req cp;
3111 memset(&cp, 0, sizeof(cp));
3112 bacpy(&cp.bdaddr, &conn->dst);
3113 cp.pscan_rep_mode = 0x02;
3114 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3115 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3116 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3117
3118 if (!hci_outgoing_auth_needed(hdev, conn)) {
3119 conn->state = BT_CONNECTED;
3120 hci_connect_cfm(conn, ev->status);
3121 hci_conn_drop(conn);
3122 }
3123
3124unlock:
3125 hci_dev_unlock(hdev);
3126}
3127
3128static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3129 u16 *opcode, u8 *status,
3130 hci_req_complete_t *req_complete,
3131 hci_req_complete_skb_t *req_complete_skb)
3132{
3133 struct hci_ev_cmd_complete *ev = (void *) skb->data;
3134
3135 *opcode = __le16_to_cpu(ev->opcode);
3136 *status = skb->data[sizeof(*ev)];
3137
3138 skb_pull(skb, sizeof(*ev));
3139
3140 switch (*opcode) {
3141 case HCI_OP_INQUIRY_CANCEL:
3142 hci_cc_inquiry_cancel(hdev, skb);
3143 break;
3144
3145 case HCI_OP_PERIODIC_INQ:
3146 hci_cc_periodic_inq(hdev, skb);
3147 break;
3148
3149 case HCI_OP_EXIT_PERIODIC_INQ:
3150 hci_cc_exit_periodic_inq(hdev, skb);
3151 break;
3152
3153 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3154 hci_cc_remote_name_req_cancel(hdev, skb);
3155 break;
3156
3157 case HCI_OP_ROLE_DISCOVERY:
3158 hci_cc_role_discovery(hdev, skb);
3159 break;
3160
3161 case HCI_OP_READ_LINK_POLICY:
3162 hci_cc_read_link_policy(hdev, skb);
3163 break;
3164
3165 case HCI_OP_WRITE_LINK_POLICY:
3166 hci_cc_write_link_policy(hdev, skb);
3167 break;
3168
3169 case HCI_OP_READ_DEF_LINK_POLICY:
3170 hci_cc_read_def_link_policy(hdev, skb);
3171 break;
3172
3173 case HCI_OP_WRITE_DEF_LINK_POLICY:
3174 hci_cc_write_def_link_policy(hdev, skb);
3175 break;
3176
3177 case HCI_OP_RESET:
3178 hci_cc_reset(hdev, skb);
3179 break;
3180
3181 case HCI_OP_READ_STORED_LINK_KEY:
3182 hci_cc_read_stored_link_key(hdev, skb);
3183 break;
3184
3185 case HCI_OP_DELETE_STORED_LINK_KEY:
3186 hci_cc_delete_stored_link_key(hdev, skb);
3187 break;
3188
3189 case HCI_OP_WRITE_LOCAL_NAME:
3190 hci_cc_write_local_name(hdev, skb);
3191 break;
3192
3193 case HCI_OP_READ_LOCAL_NAME:
3194 hci_cc_read_local_name(hdev, skb);
3195 break;
3196
3197 case HCI_OP_WRITE_AUTH_ENABLE:
3198 hci_cc_write_auth_enable(hdev, skb);
3199 break;
3200
3201 case HCI_OP_WRITE_ENCRYPT_MODE:
3202 hci_cc_write_encrypt_mode(hdev, skb);
3203 break;
3204
3205 case HCI_OP_WRITE_SCAN_ENABLE:
3206 hci_cc_write_scan_enable(hdev, skb);
3207 break;
3208
3209 case HCI_OP_READ_CLASS_OF_DEV:
3210 hci_cc_read_class_of_dev(hdev, skb);
3211 break;
3212
3213 case HCI_OP_WRITE_CLASS_OF_DEV:
3214 hci_cc_write_class_of_dev(hdev, skb);
3215 break;
3216
3217 case HCI_OP_READ_VOICE_SETTING:
3218 hci_cc_read_voice_setting(hdev, skb);
3219 break;
3220
3221 case HCI_OP_WRITE_VOICE_SETTING:
3222 hci_cc_write_voice_setting(hdev, skb);
3223 break;
3224
3225 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3226 hci_cc_read_num_supported_iac(hdev, skb);
3227 break;
3228
3229 case HCI_OP_WRITE_SSP_MODE:
3230 hci_cc_write_ssp_mode(hdev, skb);
3231 break;
3232
3233 case HCI_OP_WRITE_SC_SUPPORT:
3234 hci_cc_write_sc_support(hdev, skb);
3235 break;
3236
3237 case HCI_OP_READ_AUTH_PAYLOAD_TO:
3238 hci_cc_read_auth_payload_timeout(hdev, skb);
3239 break;
3240
3241 case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3242 hci_cc_write_auth_payload_timeout(hdev, skb);
3243 break;
3244
3245 case HCI_OP_READ_LOCAL_VERSION:
3246 hci_cc_read_local_version(hdev, skb);
3247 break;
3248
3249 case HCI_OP_READ_LOCAL_COMMANDS:
3250 hci_cc_read_local_commands(hdev, skb);
3251 break;
3252
3253 case HCI_OP_READ_LOCAL_FEATURES:
3254 hci_cc_read_local_features(hdev, skb);
3255 break;
3256
3257 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3258 hci_cc_read_local_ext_features(hdev, skb);
3259 break;
3260
3261 case HCI_OP_READ_BUFFER_SIZE:
3262 hci_cc_read_buffer_size(hdev, skb);
3263 break;
3264
3265 case HCI_OP_READ_BD_ADDR:
3266 hci_cc_read_bd_addr(hdev, skb);
3267 break;
3268
3269 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3270 hci_cc_read_page_scan_activity(hdev, skb);
3271 break;
3272
3273 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3274 hci_cc_write_page_scan_activity(hdev, skb);
3275 break;
3276
3277 case HCI_OP_READ_PAGE_SCAN_TYPE:
3278 hci_cc_read_page_scan_type(hdev, skb);
3279 break;
3280
3281 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3282 hci_cc_write_page_scan_type(hdev, skb);
3283 break;
3284
3285 case HCI_OP_READ_DATA_BLOCK_SIZE:
3286 hci_cc_read_data_block_size(hdev, skb);
3287 break;
3288
3289 case HCI_OP_READ_FLOW_CONTROL_MODE:
3290 hci_cc_read_flow_control_mode(hdev, skb);
3291 break;
3292
3293 case HCI_OP_READ_LOCAL_AMP_INFO:
3294 hci_cc_read_local_amp_info(hdev, skb);
3295 break;
3296
3297 case HCI_OP_READ_CLOCK:
3298 hci_cc_read_clock(hdev, skb);
3299 break;
3300
3301 case HCI_OP_READ_INQ_RSP_TX_POWER:
3302 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3303 break;
3304
3305 case HCI_OP_PIN_CODE_REPLY:
3306 hci_cc_pin_code_reply(hdev, skb);
3307 break;
3308
3309 case HCI_OP_PIN_CODE_NEG_REPLY:
3310 hci_cc_pin_code_neg_reply(hdev, skb);
3311 break;
3312
3313 case HCI_OP_READ_LOCAL_OOB_DATA:
3314 hci_cc_read_local_oob_data(hdev, skb);
3315 break;
3316
3317 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3318 hci_cc_read_local_oob_ext_data(hdev, skb);
3319 break;
3320
3321 case HCI_OP_LE_READ_BUFFER_SIZE:
3322 hci_cc_le_read_buffer_size(hdev, skb);
3323 break;
3324
3325 case HCI_OP_LE_READ_LOCAL_FEATURES:
3326 hci_cc_le_read_local_features(hdev, skb);
3327 break;
3328
3329 case HCI_OP_LE_READ_ADV_TX_POWER:
3330 hci_cc_le_read_adv_tx_power(hdev, skb);
3331 break;
3332
3333 case HCI_OP_USER_CONFIRM_REPLY:
3334 hci_cc_user_confirm_reply(hdev, skb);
3335 break;
3336
3337 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3338 hci_cc_user_confirm_neg_reply(hdev, skb);
3339 break;
3340
3341 case HCI_OP_USER_PASSKEY_REPLY:
3342 hci_cc_user_passkey_reply(hdev, skb);
3343 break;
3344
3345 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3346 hci_cc_user_passkey_neg_reply(hdev, skb);
3347 break;
3348
3349 case HCI_OP_LE_SET_RANDOM_ADDR:
3350 hci_cc_le_set_random_addr(hdev, skb);
3351 break;
3352
3353 case HCI_OP_LE_SET_ADV_ENABLE:
3354 hci_cc_le_set_adv_enable(hdev, skb);
3355 break;
3356
3357 case HCI_OP_LE_SET_SCAN_PARAM:
3358 hci_cc_le_set_scan_param(hdev, skb);
3359 break;
3360
3361 case HCI_OP_LE_SET_SCAN_ENABLE:
3362 hci_cc_le_set_scan_enable(hdev, skb);
3363 break;
3364
3365 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3366 hci_cc_le_read_white_list_size(hdev, skb);
3367 break;
3368
3369 case HCI_OP_LE_CLEAR_WHITE_LIST:
3370 hci_cc_le_clear_white_list(hdev, skb);
3371 break;
3372
3373 case HCI_OP_LE_ADD_TO_WHITE_LIST:
3374 hci_cc_le_add_to_white_list(hdev, skb);
3375 break;
3376
3377 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3378 hci_cc_le_del_from_white_list(hdev, skb);
3379 break;
3380
3381 case HCI_OP_LE_READ_SUPPORTED_STATES:
3382 hci_cc_le_read_supported_states(hdev, skb);
3383 break;
3384
3385 case HCI_OP_LE_READ_DEF_DATA_LEN:
3386 hci_cc_le_read_def_data_len(hdev, skb);
3387 break;
3388
3389 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3390 hci_cc_le_write_def_data_len(hdev, skb);
3391 break;
3392
3393 case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3394 hci_cc_le_add_to_resolv_list(hdev, skb);
3395 break;
3396
3397 case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3398 hci_cc_le_del_from_resolv_list(hdev, skb);
3399 break;
3400
3401 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3402 hci_cc_le_clear_resolv_list(hdev, skb);
3403 break;
3404
3405 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3406 hci_cc_le_read_resolv_list_size(hdev, skb);
3407 break;
3408
3409 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3410 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3411 break;
3412
3413 case HCI_OP_LE_READ_MAX_DATA_LEN:
3414 hci_cc_le_read_max_data_len(hdev, skb);
3415 break;
3416
3417 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3418 hci_cc_write_le_host_supported(hdev, skb);
3419 break;
3420
3421 case HCI_OP_LE_SET_ADV_PARAM:
3422 hci_cc_set_adv_param(hdev, skb);
3423 break;
3424
3425 case HCI_OP_READ_RSSI:
3426 hci_cc_read_rssi(hdev, skb);
3427 break;
3428
3429 case HCI_OP_READ_TX_POWER:
3430 hci_cc_read_tx_power(hdev, skb);
3431 break;
3432
3433 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3434 hci_cc_write_ssp_debug_mode(hdev, skb);
3435 break;
3436
3437 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3438 hci_cc_le_set_ext_scan_param(hdev, skb);
3439 break;
3440
3441 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3442 hci_cc_le_set_ext_scan_enable(hdev, skb);
3443 break;
3444
3445 case HCI_OP_LE_SET_DEFAULT_PHY:
3446 hci_cc_le_set_default_phy(hdev, skb);
3447 break;
3448
3449 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3450 hci_cc_le_read_num_adv_sets(hdev, skb);
3451 break;
3452
3453 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3454 hci_cc_set_ext_adv_param(hdev, skb);
3455 break;
3456
3457 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3458 hci_cc_le_set_ext_adv_enable(hdev, skb);
3459 break;
3460
3461 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3462 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3463 break;
3464
3465 default:
3466 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3467 break;
3468 }
3469
3470 if (*opcode != HCI_OP_NOP)
3471 cancel_delayed_work(&hdev->cmd_timer);
3472
3473 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3474 atomic_set(&hdev->cmd_cnt, 1);
3475
3476 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3477 req_complete_skb);
3478
3479 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3480 bt_dev_err(hdev,
3481 "unexpected event for opcode 0x%4.4x", *opcode);
3482 return;
3483 }
3484
3485 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3486 queue_work(hdev->workqueue, &hdev->cmd_work);
3487}
3488
3489static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3490 u16 *opcode, u8 *status,
3491 hci_req_complete_t *req_complete,
3492 hci_req_complete_skb_t *req_complete_skb)
3493{
3494 struct hci_ev_cmd_status *ev = (void *) skb->data;
3495
3496 skb_pull(skb, sizeof(*ev));
3497
3498 *opcode = __le16_to_cpu(ev->opcode);
3499 *status = ev->status;
3500
3501 switch (*opcode) {
3502 case HCI_OP_INQUIRY:
3503 hci_cs_inquiry(hdev, ev->status);
3504 break;
3505
3506 case HCI_OP_CREATE_CONN:
3507 hci_cs_create_conn(hdev, ev->status);
3508 break;
3509
3510 case HCI_OP_DISCONNECT:
3511 hci_cs_disconnect(hdev, ev->status);
3512 break;
3513
3514 case HCI_OP_ADD_SCO:
3515 hci_cs_add_sco(hdev, ev->status);
3516 break;
3517
3518 case HCI_OP_AUTH_REQUESTED:
3519 hci_cs_auth_requested(hdev, ev->status);
3520 break;
3521
3522 case HCI_OP_SET_CONN_ENCRYPT:
3523 hci_cs_set_conn_encrypt(hdev, ev->status);
3524 break;
3525
3526 case HCI_OP_REMOTE_NAME_REQ:
3527 hci_cs_remote_name_req(hdev, ev->status);
3528 break;
3529
3530 case HCI_OP_READ_REMOTE_FEATURES:
3531 hci_cs_read_remote_features(hdev, ev->status);
3532 break;
3533
3534 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3535 hci_cs_read_remote_ext_features(hdev, ev->status);
3536 break;
3537
3538 case HCI_OP_SETUP_SYNC_CONN:
3539 hci_cs_setup_sync_conn(hdev, ev->status);
3540 break;
3541
3542 case HCI_OP_SNIFF_MODE:
3543 hci_cs_sniff_mode(hdev, ev->status);
3544 break;
3545
3546 case HCI_OP_EXIT_SNIFF_MODE:
3547 hci_cs_exit_sniff_mode(hdev, ev->status);
3548 break;
3549
3550 case HCI_OP_SWITCH_ROLE:
3551 hci_cs_switch_role(hdev, ev->status);
3552 break;
3553
3554 case HCI_OP_LE_CREATE_CONN:
3555 hci_cs_le_create_conn(hdev, ev->status);
3556 break;
3557
3558 case HCI_OP_LE_READ_REMOTE_FEATURES:
3559 hci_cs_le_read_remote_features(hdev, ev->status);
3560 break;
3561
3562 case HCI_OP_LE_START_ENC:
3563 hci_cs_le_start_enc(hdev, ev->status);
3564 break;
3565
3566 case HCI_OP_LE_EXT_CREATE_CONN:
3567 hci_cs_le_ext_create_conn(hdev, ev->status);
3568 break;
3569
3570 default:
3571 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3572 break;
3573 }
3574
3575 if (*opcode != HCI_OP_NOP)
3576 cancel_delayed_work(&hdev->cmd_timer);
3577
3578 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3579 atomic_set(&hdev->cmd_cnt, 1);
3580
3581 /* Indicate request completion if the command failed. Also, if
3582 * we're not waiting for a special event and we get a success
3583 * command status we should try to flag the request as completed
3584 * (since for this kind of commands there will not be a command
3585 * complete event).
3586 */
3587 if (ev->status ||
3588 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3589 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3590 req_complete_skb);
3591
3592 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3593 bt_dev_err(hdev,
3594 "unexpected event for opcode 0x%4.4x", *opcode);
3595 return;
3596 }
3597
3598 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3599 queue_work(hdev->workqueue, &hdev->cmd_work);
3600}
3601
3602static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3603{
3604 struct hci_ev_hardware_error *ev = (void *) skb->data;
3605
3606 hdev->hw_error_code = ev->code;
3607
3608 queue_work(hdev->req_workqueue, &hdev->error_reset);
3609}
3610
3611static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3612{
3613 struct hci_ev_role_change *ev = (void *) skb->data;
3614 struct hci_conn *conn;
3615
3616 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3617
3618 hci_dev_lock(hdev);
3619
3620 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3621 if (conn) {
3622 if (!ev->status)
3623 conn->role = ev->role;
3624
3625 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3626
3627 hci_role_switch_cfm(conn, ev->status, ev->role);
3628 }
3629
3630 hci_dev_unlock(hdev);
3631}
3632
3633static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3634{
3635 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3636 int i;
3637
3638 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3639 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3640 return;
3641 }
3642
3643 if (skb->len < sizeof(*ev) ||
3644 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3645 BT_DBG("%s bad parameters", hdev->name);
3646 return;
3647 }
3648
3649 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3650
3651 for (i = 0; i < ev->num_hndl; i++) {
3652 struct hci_comp_pkts_info *info = &ev->handles[i];
3653 struct hci_conn *conn;
3654 __u16 handle, count;
3655
3656 handle = __le16_to_cpu(info->handle);
3657 count = __le16_to_cpu(info->count);
3658
3659 conn = hci_conn_hash_lookup_handle(hdev, handle);
3660 if (!conn)
3661 continue;
3662
3663 conn->sent -= count;
3664
3665 switch (conn->type) {
3666 case ACL_LINK:
3667 hdev->acl_cnt += count;
3668 if (hdev->acl_cnt > hdev->acl_pkts)
3669 hdev->acl_cnt = hdev->acl_pkts;
3670 break;
3671
3672 case LE_LINK:
3673 if (hdev->le_pkts) {
3674 hdev->le_cnt += count;
3675 if (hdev->le_cnt > hdev->le_pkts)
3676 hdev->le_cnt = hdev->le_pkts;
3677 } else {
3678 hdev->acl_cnt += count;
3679 if (hdev->acl_cnt > hdev->acl_pkts)
3680 hdev->acl_cnt = hdev->acl_pkts;
3681 }
3682 break;
3683
3684 case SCO_LINK:
3685 hdev->sco_cnt += count;
3686 if (hdev->sco_cnt > hdev->sco_pkts)
3687 hdev->sco_cnt = hdev->sco_pkts;
3688 break;
3689
3690 default:
3691 bt_dev_err(hdev, "unknown type %d conn %p",
3692 conn->type, conn);
3693 break;
3694 }
3695 }
3696
3697 queue_work(hdev->workqueue, &hdev->tx_work);
3698}
3699
3700static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3701 __u16 handle)
3702{
3703 struct hci_chan *chan;
3704
3705 switch (hdev->dev_type) {
3706 case HCI_PRIMARY:
3707 return hci_conn_hash_lookup_handle(hdev, handle);
3708 case HCI_AMP:
3709 chan = hci_chan_lookup_handle(hdev, handle);
3710 if (chan)
3711 return chan->conn;
3712 break;
3713 default:
3714 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3715 break;
3716 }
3717
3718 return NULL;
3719}
3720
3721static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3722{
3723 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3724 int i;
3725
3726 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3727 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3728 return;
3729 }
3730
3731 if (skb->len < sizeof(*ev) ||
3732 skb->len < struct_size(ev, handles, ev->num_hndl)) {
3733 BT_DBG("%s bad parameters", hdev->name);
3734 return;
3735 }
3736
3737 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3738 ev->num_hndl);
3739
3740 for (i = 0; i < ev->num_hndl; i++) {
3741 struct hci_comp_blocks_info *info = &ev->handles[i];
3742 struct hci_conn *conn = NULL;
3743 __u16 handle, block_count;
3744
3745 handle = __le16_to_cpu(info->handle);
3746 block_count = __le16_to_cpu(info->blocks);
3747
3748 conn = __hci_conn_lookup_handle(hdev, handle);
3749 if (!conn)
3750 continue;
3751
3752 conn->sent -= block_count;
3753
3754 switch (conn->type) {
3755 case ACL_LINK:
3756 case AMP_LINK:
3757 hdev->block_cnt += block_count;
3758 if (hdev->block_cnt > hdev->num_blocks)
3759 hdev->block_cnt = hdev->num_blocks;
3760 break;
3761
3762 default:
3763 bt_dev_err(hdev, "unknown type %d conn %p",
3764 conn->type, conn);
3765 break;
3766 }
3767 }
3768
3769 queue_work(hdev->workqueue, &hdev->tx_work);
3770}
3771
3772static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3773{
3774 struct hci_ev_mode_change *ev = (void *) skb->data;
3775 struct hci_conn *conn;
3776
3777 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3778
3779 hci_dev_lock(hdev);
3780
3781 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3782 if (conn) {
3783 conn->mode = ev->mode;
3784
3785 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3786 &conn->flags)) {
3787 if (conn->mode == HCI_CM_ACTIVE)
3788 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3789 else
3790 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3791 }
3792
3793 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3794 hci_sco_setup(conn, ev->status);
3795 }
3796
3797 hci_dev_unlock(hdev);
3798}
3799
3800static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3801{
3802 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3803 struct hci_conn *conn;
3804
3805 BT_DBG("%s", hdev->name);
3806
3807 hci_dev_lock(hdev);
3808
3809 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3810 if (!conn)
3811 goto unlock;
3812
3813 if (conn->state == BT_CONNECTED) {
3814 hci_conn_hold(conn);
3815 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3816 hci_conn_drop(conn);
3817 }
3818
3819 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3820 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3821 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3822 sizeof(ev->bdaddr), &ev->bdaddr);
3823 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3824 u8 secure;
3825
3826 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3827 secure = 1;
3828 else
3829 secure = 0;
3830
3831 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3832 }
3833
3834unlock:
3835 hci_dev_unlock(hdev);
3836}
3837
3838static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3839{
3840 if (key_type == HCI_LK_CHANGED_COMBINATION)
3841 return;
3842
3843 conn->pin_length = pin_len;
3844 conn->key_type = key_type;
3845
3846 switch (key_type) {
3847 case HCI_LK_LOCAL_UNIT:
3848 case HCI_LK_REMOTE_UNIT:
3849 case HCI_LK_DEBUG_COMBINATION:
3850 return;
3851 case HCI_LK_COMBINATION:
3852 if (pin_len == 16)
3853 conn->pending_sec_level = BT_SECURITY_HIGH;
3854 else
3855 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3856 break;
3857 case HCI_LK_UNAUTH_COMBINATION_P192:
3858 case HCI_LK_UNAUTH_COMBINATION_P256:
3859 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3860 break;
3861 case HCI_LK_AUTH_COMBINATION_P192:
3862 conn->pending_sec_level = BT_SECURITY_HIGH;
3863 break;
3864 case HCI_LK_AUTH_COMBINATION_P256:
3865 conn->pending_sec_level = BT_SECURITY_FIPS;
3866 break;
3867 }
3868}
3869
3870static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3871{
3872 struct hci_ev_link_key_req *ev = (void *) skb->data;
3873 struct hci_cp_link_key_reply cp;
3874 struct hci_conn *conn;
3875 struct link_key *key;
3876
3877 BT_DBG("%s", hdev->name);
3878
3879 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3880 return;
3881
3882 hci_dev_lock(hdev);
3883
3884 key = hci_find_link_key(hdev, &ev->bdaddr);
3885 if (!key) {
3886 BT_DBG("%s link key not found for %pMR", hdev->name,
3887 &ev->bdaddr);
3888 goto not_found;
3889 }
3890
3891 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3892 &ev->bdaddr);
3893
3894 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3895 if (conn) {
3896 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3897
3898 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3899 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3900 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3901 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3902 goto not_found;
3903 }
3904
3905 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3906 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3907 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3908 BT_DBG("%s ignoring key unauthenticated for high security",
3909 hdev->name);
3910 goto not_found;
3911 }
3912
3913 conn_set_key(conn, key->type, key->pin_len);
3914 }
3915
3916 bacpy(&cp.bdaddr, &ev->bdaddr);
3917 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3918
3919 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3920
3921 hci_dev_unlock(hdev);
3922
3923 return;
3924
3925not_found:
3926 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3927 hci_dev_unlock(hdev);
3928}
3929
3930static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3931{
3932 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3933 struct hci_conn *conn;
3934 struct link_key *key;
3935 bool persistent;
3936 u8 pin_len = 0;
3937
3938 BT_DBG("%s", hdev->name);
3939
3940 hci_dev_lock(hdev);
3941
3942 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3943 if (!conn)
3944 goto unlock;
3945
3946 hci_conn_hold(conn);
3947 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3948 hci_conn_drop(conn);
3949
3950 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3951 conn_set_key(conn, ev->key_type, conn->pin_length);
3952
3953 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3954 goto unlock;
3955
3956 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3957 ev->key_type, pin_len, &persistent);
3958 if (!key)
3959 goto unlock;
3960
3961 /* Update connection information since adding the key will have
3962 * fixed up the type in the case of changed combination keys.
3963 */
3964 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3965 conn_set_key(conn, key->type, key->pin_len);
3966
3967 mgmt_new_link_key(hdev, key, persistent);
3968
3969 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3970 * is set. If it's not set simply remove the key from the kernel
3971 * list (we've still notified user space about it but with
3972 * store_hint being 0).
3973 */
3974 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3975 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3976 list_del_rcu(&key->list);
3977 kfree_rcu(key, rcu);
3978 goto unlock;
3979 }
3980
3981 if (persistent)
3982 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3983 else
3984 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3985
3986unlock:
3987 hci_dev_unlock(hdev);
3988}
3989
3990static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3991{
3992 struct hci_ev_clock_offset *ev = (void *) skb->data;
3993 struct hci_conn *conn;
3994
3995 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3996
3997 hci_dev_lock(hdev);
3998
3999 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4000 if (conn && !ev->status) {
4001 struct inquiry_entry *ie;
4002
4003 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4004 if (ie) {
4005 ie->data.clock_offset = ev->clock_offset;
4006 ie->timestamp = jiffies;
4007 }
4008 }
4009
4010 hci_dev_unlock(hdev);
4011}
4012
4013static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4014{
4015 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4016 struct hci_conn *conn;
4017
4018 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4019
4020 hci_dev_lock(hdev);
4021
4022 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4023 if (conn && !ev->status)
4024 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4025
4026 hci_dev_unlock(hdev);
4027}
4028
4029static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4030{
4031 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4032 struct inquiry_entry *ie;
4033
4034 BT_DBG("%s", hdev->name);
4035
4036 hci_dev_lock(hdev);
4037
4038 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4039 if (ie) {
4040 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4041 ie->timestamp = jiffies;
4042 }
4043
4044 hci_dev_unlock(hdev);
4045}
4046
4047static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4048 struct sk_buff *skb)
4049{
4050 struct inquiry_data data;
4051 int num_rsp = *((__u8 *) skb->data);
4052
4053 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4054
4055 if (!num_rsp)
4056 return;
4057
4058 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4059 return;
4060
4061 hci_dev_lock(hdev);
4062
4063 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4064 struct inquiry_info_with_rssi_and_pscan_mode *info;
4065 info = (void *) (skb->data + 1);
4066
4067 for (; num_rsp; num_rsp--, info++) {
4068 u32 flags;
4069
4070 bacpy(&data.bdaddr, &info->bdaddr);
4071 data.pscan_rep_mode = info->pscan_rep_mode;
4072 data.pscan_period_mode = info->pscan_period_mode;
4073 data.pscan_mode = info->pscan_mode;
4074 memcpy(data.dev_class, info->dev_class, 3);
4075 data.clock_offset = info->clock_offset;
4076 data.rssi = info->rssi;
4077 data.ssp_mode = 0x00;
4078
4079 flags = hci_inquiry_cache_update(hdev, &data, false);
4080
4081 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4082 info->dev_class, info->rssi,
4083 flags, NULL, 0, NULL, 0);
4084 }
4085 } else {
4086 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4087
4088 for (; num_rsp; num_rsp--, info++) {
4089 u32 flags;
4090
4091 bacpy(&data.bdaddr, &info->bdaddr);
4092 data.pscan_rep_mode = info->pscan_rep_mode;
4093 data.pscan_period_mode = info->pscan_period_mode;
4094 data.pscan_mode = 0x00;
4095 memcpy(data.dev_class, info->dev_class, 3);
4096 data.clock_offset = info->clock_offset;
4097 data.rssi = info->rssi;
4098 data.ssp_mode = 0x00;
4099
4100 flags = hci_inquiry_cache_update(hdev, &data, false);
4101
4102 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4103 info->dev_class, info->rssi,
4104 flags, NULL, 0, NULL, 0);
4105 }
4106 }
4107
4108 hci_dev_unlock(hdev);
4109}
4110
4111static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4112 struct sk_buff *skb)
4113{
4114 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4115 struct hci_conn *conn;
4116
4117 BT_DBG("%s", hdev->name);
4118
4119 hci_dev_lock(hdev);
4120
4121 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4122 if (!conn)
4123 goto unlock;
4124
4125 if (ev->page < HCI_MAX_PAGES)
4126 memcpy(conn->features[ev->page], ev->features, 8);
4127
4128 if (!ev->status && ev->page == 0x01) {
4129 struct inquiry_entry *ie;
4130
4131 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4132 if (ie)
4133 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4134
4135 if (ev->features[0] & LMP_HOST_SSP) {
4136 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4137 } else {
4138 /* It is mandatory by the Bluetooth specification that
4139 * Extended Inquiry Results are only used when Secure
4140 * Simple Pairing is enabled, but some devices violate
4141 * this.
4142 *
4143 * To make these devices work, the internal SSP
4144 * enabled flag needs to be cleared if the remote host
4145 * features do not indicate SSP support */
4146 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4147 }
4148
4149 if (ev->features[0] & LMP_HOST_SC)
4150 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4151 }
4152
4153 if (conn->state != BT_CONFIG)
4154 goto unlock;
4155
4156 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4157 struct hci_cp_remote_name_req cp;
4158 memset(&cp, 0, sizeof(cp));
4159 bacpy(&cp.bdaddr, &conn->dst);
4160 cp.pscan_rep_mode = 0x02;
4161 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4162 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4163 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4164
4165 if (!hci_outgoing_auth_needed(hdev, conn)) {
4166 conn->state = BT_CONNECTED;
4167 hci_connect_cfm(conn, ev->status);
4168 hci_conn_drop(conn);
4169 }
4170
4171unlock:
4172 hci_dev_unlock(hdev);
4173}
4174
4175static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4176 struct sk_buff *skb)
4177{
4178 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4179 struct hci_conn *conn;
4180
4181 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4182
4183 hci_dev_lock(hdev);
4184
4185 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4186 if (!conn) {
4187 if (ev->link_type == ESCO_LINK)
4188 goto unlock;
4189
4190 /* When the link type in the event indicates SCO connection
4191 * and lookup of the connection object fails, then check
4192 * if an eSCO connection object exists.
4193 *
4194 * The core limits the synchronous connections to either
4195 * SCO or eSCO. The eSCO connection is preferred and tried
4196 * to be setup first and until successfully established,
4197 * the link type will be hinted as eSCO.
4198 */
4199 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4200 if (!conn)
4201 goto unlock;
4202 }
4203
4204 switch (ev->status) {
4205 case 0x00:
4206 conn->handle = __le16_to_cpu(ev->handle);
4207 conn->state = BT_CONNECTED;
4208 conn->type = ev->link_type;
4209
4210 hci_debugfs_create_conn(conn);
4211 hci_conn_add_sysfs(conn);
4212 break;
4213
4214 case 0x10: /* Connection Accept Timeout */
4215 case 0x0d: /* Connection Rejected due to Limited Resources */
4216 case 0x11: /* Unsupported Feature or Parameter Value */
4217 case 0x1c: /* SCO interval rejected */
4218 case 0x1a: /* Unsupported Remote Feature */
4219 case 0x1f: /* Unspecified error */
4220 case 0x20: /* Unsupported LMP Parameter value */
4221 if (conn->out) {
4222 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4223 (hdev->esco_type & EDR_ESCO_MASK);
4224 if (hci_setup_sync(conn, conn->link->handle))
4225 goto unlock;
4226 }
4227 /* fall through */
4228
4229 default:
4230 conn->state = BT_CLOSED;
4231 break;
4232 }
4233
4234 hci_connect_cfm(conn, ev->status);
4235 if (ev->status)
4236 hci_conn_del(conn);
4237
4238unlock:
4239 hci_dev_unlock(hdev);
4240}
4241
4242static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4243{
4244 size_t parsed = 0;
4245
4246 while (parsed < eir_len) {
4247 u8 field_len = eir[0];
4248
4249 if (field_len == 0)
4250 return parsed;
4251
4252 parsed += field_len + 1;
4253 eir += field_len + 1;
4254 }
4255
4256 return eir_len;
4257}
4258
4259static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4260 struct sk_buff *skb)
4261{
4262 struct inquiry_data data;
4263 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4264 int num_rsp = *((__u8 *) skb->data);
4265 size_t eir_len;
4266
4267 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4268
4269 if (!num_rsp)
4270 return;
4271
4272 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4273 return;
4274
4275 hci_dev_lock(hdev);
4276
4277 for (; num_rsp; num_rsp--, info++) {
4278 u32 flags;
4279 bool name_known;
4280
4281 bacpy(&data.bdaddr, &info->bdaddr);
4282 data.pscan_rep_mode = info->pscan_rep_mode;
4283 data.pscan_period_mode = info->pscan_period_mode;
4284 data.pscan_mode = 0x00;
4285 memcpy(data.dev_class, info->dev_class, 3);
4286 data.clock_offset = info->clock_offset;
4287 data.rssi = info->rssi;
4288 data.ssp_mode = 0x01;
4289
4290 if (hci_dev_test_flag(hdev, HCI_MGMT))
4291 name_known = eir_get_data(info->data,
4292 sizeof(info->data),
4293 EIR_NAME_COMPLETE, NULL);
4294 else
4295 name_known = true;
4296
4297 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4298
4299 eir_len = eir_get_length(info->data, sizeof(info->data));
4300
4301 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4302 info->dev_class, info->rssi,
4303 flags, info->data, eir_len, NULL, 0);
4304 }
4305
4306 hci_dev_unlock(hdev);
4307}
4308
4309static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4310 struct sk_buff *skb)
4311{
4312 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4313 struct hci_conn *conn;
4314
4315 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4316 __le16_to_cpu(ev->handle));
4317
4318 hci_dev_lock(hdev);
4319
4320 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4321 if (!conn)
4322 goto unlock;
4323
4324 /* For BR/EDR the necessary steps are taken through the
4325 * auth_complete event.
4326 */
4327 if (conn->type != LE_LINK)
4328 goto unlock;
4329
4330 if (!ev->status)
4331 conn->sec_level = conn->pending_sec_level;
4332
4333 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4334
4335 if (ev->status && conn->state == BT_CONNECTED) {
4336 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4337 hci_conn_drop(conn);
4338 goto unlock;
4339 }
4340
4341 if (conn->state == BT_CONFIG) {
4342 if (!ev->status)
4343 conn->state = BT_CONNECTED;
4344
4345 hci_connect_cfm(conn, ev->status);
4346 hci_conn_drop(conn);
4347 } else {
4348 hci_auth_cfm(conn, ev->status);
4349
4350 hci_conn_hold(conn);
4351 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4352 hci_conn_drop(conn);
4353 }
4354
4355unlock:
4356 hci_dev_unlock(hdev);
4357}
4358
4359static u8 hci_get_auth_req(struct hci_conn *conn)
4360{
4361 /* If remote requests no-bonding follow that lead */
4362 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4363 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4364 return conn->remote_auth | (conn->auth_type & 0x01);
4365
4366 /* If both remote and local have enough IO capabilities, require
4367 * MITM protection
4368 */
4369 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4370 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4371 return conn->remote_auth | 0x01;
4372
4373 /* No MITM protection possible so ignore remote requirement */
4374 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4375}
4376
4377static u8 bredr_oob_data_present(struct hci_conn *conn)
4378{
4379 struct hci_dev *hdev = conn->hdev;
4380 struct oob_data *data;
4381
4382 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4383 if (!data)
4384 return 0x00;
4385
4386 if (bredr_sc_enabled(hdev)) {
4387 /* When Secure Connections is enabled, then just
4388 * return the present value stored with the OOB
4389 * data. The stored value contains the right present
4390 * information. However it can only be trusted when
4391 * not in Secure Connection Only mode.
4392 */
4393 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4394 return data->present;
4395
4396 /* When Secure Connections Only mode is enabled, then
4397 * the P-256 values are required. If they are not
4398 * available, then do not declare that OOB data is
4399 * present.
4400 */
4401 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4402 !memcmp(data->hash256, ZERO_KEY, 16))
4403 return 0x00;
4404
4405 return 0x02;
4406 }
4407
4408 /* When Secure Connections is not enabled or actually
4409 * not supported by the hardware, then check that if
4410 * P-192 data values are present.
4411 */
4412 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4413 !memcmp(data->hash192, ZERO_KEY, 16))
4414 return 0x00;
4415
4416 return 0x01;
4417}
4418
4419static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4420{
4421 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4422 struct hci_conn *conn;
4423
4424 BT_DBG("%s", hdev->name);
4425
4426 hci_dev_lock(hdev);
4427
4428 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4429 if (!conn)
4430 goto unlock;
4431
4432 hci_conn_hold(conn);
4433
4434 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4435 goto unlock;
4436
4437 /* Allow pairing if we're pairable, the initiators of the
4438 * pairing or if the remote is not requesting bonding.
4439 */
4440 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4441 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4442 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4443 struct hci_cp_io_capability_reply cp;
4444
4445 bacpy(&cp.bdaddr, &ev->bdaddr);
4446 /* Change the IO capability from KeyboardDisplay
4447 * to DisplayYesNo as it is not supported by BT spec. */
4448 cp.capability = (conn->io_capability == 0x04) ?
4449 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4450
4451 /* If we are initiators, there is no remote information yet */
4452 if (conn->remote_auth == 0xff) {
4453 /* Request MITM protection if our IO caps allow it
4454 * except for the no-bonding case.
4455 */
4456 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4457 conn->auth_type != HCI_AT_NO_BONDING)
4458 conn->auth_type |= 0x01;
4459 } else {
4460 conn->auth_type = hci_get_auth_req(conn);
4461 }
4462
4463 /* If we're not bondable, force one of the non-bondable
4464 * authentication requirement values.
4465 */
4466 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4467 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4468
4469 cp.authentication = conn->auth_type;
4470 cp.oob_data = bredr_oob_data_present(conn);
4471
4472 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4473 sizeof(cp), &cp);
4474 } else {
4475 struct hci_cp_io_capability_neg_reply cp;
4476
4477 bacpy(&cp.bdaddr, &ev->bdaddr);
4478 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4479
4480 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4481 sizeof(cp), &cp);
4482 }
4483
4484unlock:
4485 hci_dev_unlock(hdev);
4486}
4487
4488static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4489{
4490 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4491 struct hci_conn *conn;
4492
4493 BT_DBG("%s", hdev->name);
4494
4495 hci_dev_lock(hdev);
4496
4497 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4498 if (!conn)
4499 goto unlock;
4500
4501 conn->remote_cap = ev->capability;
4502 conn->remote_auth = ev->authentication;
4503
4504unlock:
4505 hci_dev_unlock(hdev);
4506}
4507
4508static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4509 struct sk_buff *skb)
4510{
4511 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4512 int loc_mitm, rem_mitm, confirm_hint = 0;
4513 struct hci_conn *conn;
4514
4515 BT_DBG("%s", hdev->name);
4516
4517 hci_dev_lock(hdev);
4518
4519 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4520 goto unlock;
4521
4522 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4523 if (!conn)
4524 goto unlock;
4525
4526 loc_mitm = (conn->auth_type & 0x01);
4527 rem_mitm = (conn->remote_auth & 0x01);
4528
4529 /* If we require MITM but the remote device can't provide that
4530 * (it has NoInputNoOutput) then reject the confirmation
4531 * request. We check the security level here since it doesn't
4532 * necessarily match conn->auth_type.
4533 */
4534 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4535 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4536 BT_DBG("Rejecting request: remote device can't provide MITM");
4537 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4538 sizeof(ev->bdaddr), &ev->bdaddr);
4539 goto unlock;
4540 }
4541
4542 /* If no side requires MITM protection; auto-accept */
4543 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4544 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4545
4546 /* If we're not the initiators request authorization to
4547 * proceed from user space (mgmt_user_confirm with
4548 * confirm_hint set to 1). The exception is if neither
4549 * side had MITM or if the local IO capability is
4550 * NoInputNoOutput, in which case we do auto-accept
4551 */
4552 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4553 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4554 (loc_mitm || rem_mitm)) {
4555 BT_DBG("Confirming auto-accept as acceptor");
4556 confirm_hint = 1;
4557 goto confirm;
4558 }
4559
4560 BT_DBG("Auto-accept of user confirmation with %ums delay",
4561 hdev->auto_accept_delay);
4562
4563 if (hdev->auto_accept_delay > 0) {
4564 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4565 queue_delayed_work(conn->hdev->workqueue,
4566 &conn->auto_accept_work, delay);
4567 goto unlock;
4568 }
4569
4570 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4571 sizeof(ev->bdaddr), &ev->bdaddr);
4572 goto unlock;
4573 }
4574
4575confirm:
4576 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4577 le32_to_cpu(ev->passkey), confirm_hint);
4578
4579unlock:
4580 hci_dev_unlock(hdev);
4581}
4582
4583static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4584 struct sk_buff *skb)
4585{
4586 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4587
4588 BT_DBG("%s", hdev->name);
4589
4590 if (hci_dev_test_flag(hdev, HCI_MGMT))
4591 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4592}
4593
4594static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4595 struct sk_buff *skb)
4596{
4597 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4598 struct hci_conn *conn;
4599
4600 BT_DBG("%s", hdev->name);
4601
4602 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4603 if (!conn)
4604 return;
4605
4606 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4607 conn->passkey_entered = 0;
4608
4609 if (hci_dev_test_flag(hdev, HCI_MGMT))
4610 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4611 conn->dst_type, conn->passkey_notify,
4612 conn->passkey_entered);
4613}
4614
4615static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4616{
4617 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4618 struct hci_conn *conn;
4619
4620 BT_DBG("%s", hdev->name);
4621
4622 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4623 if (!conn)
4624 return;
4625
4626 switch (ev->type) {
4627 case HCI_KEYPRESS_STARTED:
4628 conn->passkey_entered = 0;
4629 return;
4630
4631 case HCI_KEYPRESS_ENTERED:
4632 conn->passkey_entered++;
4633 break;
4634
4635 case HCI_KEYPRESS_ERASED:
4636 conn->passkey_entered--;
4637 break;
4638
4639 case HCI_KEYPRESS_CLEARED:
4640 conn->passkey_entered = 0;
4641 break;
4642
4643 case HCI_KEYPRESS_COMPLETED:
4644 return;
4645 }
4646
4647 if (hci_dev_test_flag(hdev, HCI_MGMT))
4648 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4649 conn->dst_type, conn->passkey_notify,
4650 conn->passkey_entered);
4651}
4652
4653static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4654 struct sk_buff *skb)
4655{
4656 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4657 struct hci_conn *conn;
4658
4659 BT_DBG("%s", hdev->name);
4660
4661 hci_dev_lock(hdev);
4662
4663 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4664 if (!conn)
4665 goto unlock;
4666
4667 /* Reset the authentication requirement to unknown */
4668 conn->remote_auth = 0xff;
4669
4670 /* To avoid duplicate auth_failed events to user space we check
4671 * the HCI_CONN_AUTH_PEND flag which will be set if we
4672 * initiated the authentication. A traditional auth_complete
4673 * event gets always produced as initiator and is also mapped to
4674 * the mgmt_auth_failed event */
4675 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4676 mgmt_auth_failed(conn, ev->status);
4677
4678 hci_conn_drop(conn);
4679
4680unlock:
4681 hci_dev_unlock(hdev);
4682}
4683
4684static void hci_remote_host_features_evt(struct hci_dev *hdev,
4685 struct sk_buff *skb)
4686{
4687 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4688 struct inquiry_entry *ie;
4689 struct hci_conn *conn;
4690
4691 BT_DBG("%s", hdev->name);
4692
4693 hci_dev_lock(hdev);
4694
4695 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4696 if (conn)
4697 memcpy(conn->features[1], ev->features, 8);
4698
4699 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4700 if (ie)
4701 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4702
4703 hci_dev_unlock(hdev);
4704}
4705
4706static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4707 struct sk_buff *skb)
4708{
4709 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4710 struct oob_data *data;
4711
4712 BT_DBG("%s", hdev->name);
4713
4714 hci_dev_lock(hdev);
4715
4716 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4717 goto unlock;
4718
4719 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4720 if (!data) {
4721 struct hci_cp_remote_oob_data_neg_reply cp;
4722
4723 bacpy(&cp.bdaddr, &ev->bdaddr);
4724 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4725 sizeof(cp), &cp);
4726 goto unlock;
4727 }
4728
4729 if (bredr_sc_enabled(hdev)) {
4730 struct hci_cp_remote_oob_ext_data_reply cp;
4731
4732 bacpy(&cp.bdaddr, &ev->bdaddr);
4733 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4734 memset(cp.hash192, 0, sizeof(cp.hash192));
4735 memset(cp.rand192, 0, sizeof(cp.rand192));
4736 } else {
4737 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4738 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4739 }
4740 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4741 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4742
4743 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4744 sizeof(cp), &cp);
4745 } else {
4746 struct hci_cp_remote_oob_data_reply cp;
4747
4748 bacpy(&cp.bdaddr, &ev->bdaddr);
4749 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4750 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4751
4752 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4753 sizeof(cp), &cp);
4754 }
4755
4756unlock:
4757 hci_dev_unlock(hdev);
4758}
4759
4760#if IS_ENABLED(CONFIG_BT_HS)
4761static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4762{
4763 struct hci_ev_channel_selected *ev = (void *)skb->data;
4764 struct hci_conn *hcon;
4765
4766 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4767
4768 skb_pull(skb, sizeof(*ev));
4769
4770 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4771 if (!hcon)
4772 return;
4773
4774 amp_read_loc_assoc_final_data(hdev, hcon);
4775}
4776
4777static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4778 struct sk_buff *skb)
4779{
4780 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4781 struct hci_conn *hcon, *bredr_hcon;
4782
4783 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4784 ev->status);
4785
4786 hci_dev_lock(hdev);
4787
4788 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4789 if (!hcon) {
4790 hci_dev_unlock(hdev);
4791 return;
4792 }
4793
4794 if (ev->status) {
4795 hci_conn_del(hcon);
4796 hci_dev_unlock(hdev);
4797 return;
4798 }
4799
4800 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4801
4802 hcon->state = BT_CONNECTED;
4803 bacpy(&hcon->dst, &bredr_hcon->dst);
4804
4805 hci_conn_hold(hcon);
4806 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4807 hci_conn_drop(hcon);
4808
4809 hci_debugfs_create_conn(hcon);
4810 hci_conn_add_sysfs(hcon);
4811
4812 amp_physical_cfm(bredr_hcon, hcon);
4813
4814 hci_dev_unlock(hdev);
4815}
4816
4817static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4818{
4819 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4820 struct hci_conn *hcon;
4821 struct hci_chan *hchan;
4822 struct amp_mgr *mgr;
4823
4824 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4825 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4826 ev->status);
4827
4828 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4829 if (!hcon)
4830 return;
4831
4832 /* Create AMP hchan */
4833 hchan = hci_chan_create(hcon);
4834 if (!hchan)
4835 return;
4836
4837 hchan->handle = le16_to_cpu(ev->handle);
4838
4839 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4840
4841 mgr = hcon->amp_mgr;
4842 if (mgr && mgr->bredr_chan) {
4843 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4844
4845 l2cap_chan_lock(bredr_chan);
4846
4847 bredr_chan->conn->mtu = hdev->block_mtu;
4848 l2cap_logical_cfm(bredr_chan, hchan, 0);
4849 hci_conn_hold(hcon);
4850
4851 l2cap_chan_unlock(bredr_chan);
4852 }
4853}
4854
4855static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4856 struct sk_buff *skb)
4857{
4858 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4859 struct hci_chan *hchan;
4860
4861 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4862 le16_to_cpu(ev->handle), ev->status);
4863
4864 if (ev->status)
4865 return;
4866
4867 hci_dev_lock(hdev);
4868
4869 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4870 if (!hchan)
4871 goto unlock;
4872
4873 amp_destroy_logical_link(hchan, ev->reason);
4874
4875unlock:
4876 hci_dev_unlock(hdev);
4877}
4878
4879static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4880 struct sk_buff *skb)
4881{
4882 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4883 struct hci_conn *hcon;
4884
4885 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4886
4887 if (ev->status)
4888 return;
4889
4890 hci_dev_lock(hdev);
4891
4892 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4893 if (hcon) {
4894 hcon->state = BT_CLOSED;
4895 hci_conn_del(hcon);
4896 }
4897
4898 hci_dev_unlock(hdev);
4899}
4900#endif
4901
4902static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
4903 bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
4904 u16 interval, u16 latency, u16 supervision_timeout)
4905{
4906 struct hci_conn_params *params;
4907 struct hci_conn *conn;
4908 struct smp_irk *irk;
4909 u8 addr_type;
4910
4911 hci_dev_lock(hdev);
4912
4913 /* All controllers implicitly stop advertising in the event of a
4914 * connection, so ensure that the state bit is cleared.
4915 */
4916 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4917
4918 conn = hci_lookup_le_connect(hdev);
4919 if (!conn) {
4920 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
4921 if (!conn) {
4922 bt_dev_err(hdev, "no memory for new connection");
4923 goto unlock;
4924 }
4925
4926 conn->dst_type = bdaddr_type;
4927
4928 /* If we didn't have a hci_conn object previously
4929 * but we're in master role this must be something
4930 * initiated using a white list. Since white list based
4931 * connections are not "first class citizens" we don't
4932 * have full tracking of them. Therefore, we go ahead
4933 * with a "best effort" approach of determining the
4934 * initiator address based on the HCI_PRIVACY flag.
4935 */
4936 if (conn->out) {
4937 conn->resp_addr_type = bdaddr_type;
4938 bacpy(&conn->resp_addr, bdaddr);
4939 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4940 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4941 bacpy(&conn->init_addr, &hdev->rpa);
4942 } else {
4943 hci_copy_identity_address(hdev,
4944 &conn->init_addr,
4945 &conn->init_addr_type);
4946 }
4947 }
4948 } else {
4949 cancel_delayed_work(&conn->le_conn_timeout);
4950 }
4951
4952 if (!conn->out) {
4953 /* Set the responder (our side) address type based on
4954 * the advertising address type.
4955 */
4956 conn->resp_addr_type = hdev->adv_addr_type;
4957 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
4958 /* In case of ext adv, resp_addr will be updated in
4959 * Adv Terminated event.
4960 */
4961 if (!ext_adv_capable(hdev))
4962 bacpy(&conn->resp_addr, &hdev->random_addr);
4963 } else {
4964 bacpy(&conn->resp_addr, &hdev->bdaddr);
4965 }
4966
4967 conn->init_addr_type = bdaddr_type;
4968 bacpy(&conn->init_addr, bdaddr);
4969
4970 /* For incoming connections, set the default minimum
4971 * and maximum connection interval. They will be used
4972 * to check if the parameters are in range and if not
4973 * trigger the connection update procedure.
4974 */
4975 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4976 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4977 }
4978
4979 /* Lookup the identity address from the stored connection
4980 * address and address type.
4981 *
4982 * When establishing connections to an identity address, the
4983 * connection procedure will store the resolvable random
4984 * address first. Now if it can be converted back into the
4985 * identity address, start using the identity address from
4986 * now on.
4987 */
4988 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4989 if (irk) {
4990 bacpy(&conn->dst, &irk->bdaddr);
4991 conn->dst_type = irk->addr_type;
4992 }
4993
4994 if (status) {
4995 hci_le_conn_failed(conn, status);
4996 goto unlock;
4997 }
4998
4999 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5000 addr_type = BDADDR_LE_PUBLIC;
5001 else
5002 addr_type = BDADDR_LE_RANDOM;
5003
5004 /* Drop the connection if the device is blocked */
5005 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
5006 hci_conn_drop(conn);
5007 goto unlock;
5008 }
5009
5010 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5011 mgmt_device_connected(hdev, conn, 0, NULL, 0);
5012
5013 conn->sec_level = BT_SECURITY_LOW;
5014 conn->handle = handle;
5015 conn->state = BT_CONFIG;
5016
5017 conn->le_conn_interval = interval;
5018 conn->le_conn_latency = latency;
5019 conn->le_supv_timeout = supervision_timeout;
5020
5021 hci_debugfs_create_conn(conn);
5022 hci_conn_add_sysfs(conn);
5023
5024 /* The remote features procedure is defined for master
5025 * role only. So only in case of an initiated connection
5026 * request the remote features.
5027 *
5028 * If the local controller supports slave-initiated features
5029 * exchange, then requesting the remote features in slave
5030 * role is possible. Otherwise just transition into the
5031 * connected state without requesting the remote features.
5032 */
5033 if (conn->out ||
5034 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
5035 struct hci_cp_le_read_remote_features cp;
5036
5037 cp.handle = __cpu_to_le16(conn->handle);
5038
5039 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5040 sizeof(cp), &cp);
5041
5042 hci_conn_hold(conn);
5043 } else {
5044 conn->state = BT_CONNECTED;
5045 hci_connect_cfm(conn, status);
5046 }
5047
5048 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5049 conn->dst_type);
5050 if (params) {
5051 list_del_init(¶ms->action);
5052 if (params->conn) {
5053 hci_conn_drop(params->conn);
5054 hci_conn_put(params->conn);
5055 params->conn = NULL;
5056 }
5057 }
5058
5059unlock:
5060 hci_update_background_scan(hdev);
5061 hci_dev_unlock(hdev);
5062}
5063
5064static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5065{
5066 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5067
5068 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5069
5070 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5071 ev->role, le16_to_cpu(ev->handle),
5072 le16_to_cpu(ev->interval),
5073 le16_to_cpu(ev->latency),
5074 le16_to_cpu(ev->supervision_timeout));
5075}
5076
5077static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5078 struct sk_buff *skb)
5079{
5080 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5081
5082 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5083
5084 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5085 ev->role, le16_to_cpu(ev->handle),
5086 le16_to_cpu(ev->interval),
5087 le16_to_cpu(ev->latency),
5088 le16_to_cpu(ev->supervision_timeout));
5089}
5090
5091static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5092{
5093 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5094 struct hci_conn *conn;
5095
5096 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5097
5098 if (ev->status)
5099 return;
5100
5101 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5102 if (conn) {
5103 struct adv_info *adv_instance;
5104
5105 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5106 return;
5107
5108 if (!hdev->cur_adv_instance) {
5109 bacpy(&conn->resp_addr, &hdev->random_addr);
5110 return;
5111 }
5112
5113 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5114 if (adv_instance)
5115 bacpy(&conn->resp_addr, &adv_instance->random_addr);
5116 }
5117}
5118
5119static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5120 struct sk_buff *skb)
5121{
5122 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5123 struct hci_conn *conn;
5124
5125 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5126
5127 if (ev->status)
5128 return;
5129
5130 hci_dev_lock(hdev);
5131
5132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5133 if (conn) {
5134 conn->le_conn_interval = le16_to_cpu(ev->interval);
5135 conn->le_conn_latency = le16_to_cpu(ev->latency);
5136 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5137 }
5138
5139 hci_dev_unlock(hdev);
5140}
5141
5142/* This function requires the caller holds hdev->lock */
5143static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5144 bdaddr_t *addr,
5145 u8 addr_type, u8 adv_type,
5146 bdaddr_t *direct_rpa)
5147{
5148 struct hci_conn *conn;
5149 struct hci_conn_params *params;
5150
5151 /* If the event is not connectable don't proceed further */
5152 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5153 return NULL;
5154
5155 /* Ignore if the device is blocked */
5156 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5157 return NULL;
5158
5159 /* Most controller will fail if we try to create new connections
5160 * while we have an existing one in slave role.
5161 */
5162 if (hdev->conn_hash.le_num_slave > 0)
5163 return NULL;
5164
5165 /* If we're not connectable only connect devices that we have in
5166 * our pend_le_conns list.
5167 */
5168 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5169 addr_type);
5170 if (!params)
5171 return NULL;
5172
5173 if (!params->explicit_connect) {
5174 switch (params->auto_connect) {
5175 case HCI_AUTO_CONN_DIRECT:
5176 /* Only devices advertising with ADV_DIRECT_IND are
5177 * triggering a connection attempt. This is allowing
5178 * incoming connections from slave devices.
5179 */
5180 if (adv_type != LE_ADV_DIRECT_IND)
5181 return NULL;
5182 break;
5183 case HCI_AUTO_CONN_ALWAYS:
5184 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5185 * are triggering a connection attempt. This means
5186 * that incoming connectioms from slave device are
5187 * accepted and also outgoing connections to slave
5188 * devices are established when found.
5189 */
5190 break;
5191 default:
5192 return NULL;
5193 }
5194 }
5195
5196 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5197 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5198 direct_rpa);
5199 if (!IS_ERR(conn)) {
5200 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5201 * by higher layer that tried to connect, if no then
5202 * store the pointer since we don't really have any
5203 * other owner of the object besides the params that
5204 * triggered it. This way we can abort the connection if
5205 * the parameters get removed and keep the reference
5206 * count consistent once the connection is established.
5207 */
5208
5209 if (!params->explicit_connect)
5210 params->conn = hci_conn_get(conn);
5211
5212 return conn;
5213 }
5214
5215 switch (PTR_ERR(conn)) {
5216 case -EBUSY:
5217 /* If hci_connect() returns -EBUSY it means there is already
5218 * an LE connection attempt going on. Since controllers don't
5219 * support more than one connection attempt at the time, we
5220 * don't consider this an error case.
5221 */
5222 break;
5223 default:
5224 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5225 return NULL;
5226 }
5227
5228 return NULL;
5229}
5230
5231static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5232 u8 bdaddr_type, bdaddr_t *direct_addr,
5233 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5234{
5235 struct discovery_state *d = &hdev->discovery;
5236 struct smp_irk *irk;
5237 struct hci_conn *conn;
5238 bool match;
5239 u32 flags;
5240 u8 *ptr, real_len;
5241
5242 switch (type) {
5243 case LE_ADV_IND:
5244 case LE_ADV_DIRECT_IND:
5245 case LE_ADV_SCAN_IND:
5246 case LE_ADV_NONCONN_IND:
5247 case LE_ADV_SCAN_RSP:
5248 break;
5249 default:
5250 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5251 "type: 0x%02x", type);
5252 return;
5253 }
5254
5255 /* Find the end of the data in case the report contains padded zero
5256 * bytes at the end causing an invalid length value.
5257 *
5258 * When data is NULL, len is 0 so there is no need for extra ptr
5259 * check as 'ptr < data + 0' is already false in such case.
5260 */
5261 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5262 if (ptr + 1 + *ptr > data + len)
5263 break;
5264 }
5265
5266 real_len = ptr - data;
5267
5268 /* Adjust for actual length */
5269 if (len != real_len) {
5270 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
5271 len = real_len;
5272 }
5273
5274 /* If the direct address is present, then this report is from
5275 * a LE Direct Advertising Report event. In that case it is
5276 * important to see if the address is matching the local
5277 * controller address.
5278 */
5279 if (direct_addr) {
5280 /* Only resolvable random addresses are valid for these
5281 * kind of reports and others can be ignored.
5282 */
5283 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5284 return;
5285
5286 /* If the controller is not using resolvable random
5287 * addresses, then this report can be ignored.
5288 */
5289 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5290 return;
5291
5292 /* If the local IRK of the controller does not match
5293 * with the resolvable random address provided, then
5294 * this report can be ignored.
5295 */
5296 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5297 return;
5298 }
5299
5300 /* Check if we need to convert to identity address */
5301 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5302 if (irk) {
5303 bdaddr = &irk->bdaddr;
5304 bdaddr_type = irk->addr_type;
5305 }
5306
5307 /* Check if we have been requested to connect to this device.
5308 *
5309 * direct_addr is set only for directed advertising reports (it is NULL
5310 * for advertising reports) and is already verified to be RPA above.
5311 */
5312 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5313 direct_addr);
5314 if (conn && type == LE_ADV_IND) {
5315 /* Store report for later inclusion by
5316 * mgmt_device_connected
5317 */
5318 memcpy(conn->le_adv_data, data, len);
5319 conn->le_adv_data_len = len;
5320 }
5321
5322 /* Passive scanning shouldn't trigger any device found events,
5323 * except for devices marked as CONN_REPORT for which we do send
5324 * device found events.
5325 */
5326 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5327 if (type == LE_ADV_DIRECT_IND)
5328 return;
5329
5330 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5331 bdaddr, bdaddr_type))
5332 return;
5333
5334 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5335 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5336 else
5337 flags = 0;
5338 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5339 rssi, flags, data, len, NULL, 0);
5340 return;
5341 }
5342
5343 /* When receiving non-connectable or scannable undirected
5344 * advertising reports, this means that the remote device is
5345 * not connectable and then clearly indicate this in the
5346 * device found event.
5347 *
5348 * When receiving a scan response, then there is no way to
5349 * know if the remote device is connectable or not. However
5350 * since scan responses are merged with a previously seen
5351 * advertising report, the flags field from that report
5352 * will be used.
5353 *
5354 * In the really unlikely case that a controller get confused
5355 * and just sends a scan response event, then it is marked as
5356 * not connectable as well.
5357 */
5358 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5359 type == LE_ADV_SCAN_RSP)
5360 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5361 else
5362 flags = 0;
5363
5364 /* If there's nothing pending either store the data from this
5365 * event or send an immediate device found event if the data
5366 * should not be stored for later.
5367 */
5368 if (!has_pending_adv_report(hdev)) {
5369 /* If the report will trigger a SCAN_REQ store it for
5370 * later merging.
5371 */
5372 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5373 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5374 rssi, flags, data, len);
5375 return;
5376 }
5377
5378 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5379 rssi, flags, data, len, NULL, 0);
5380 return;
5381 }
5382
5383 /* Check if the pending report is for the same device as the new one */
5384 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5385 bdaddr_type == d->last_adv_addr_type);
5386
5387 /* If the pending data doesn't match this report or this isn't a
5388 * scan response (e.g. we got a duplicate ADV_IND) then force
5389 * sending of the pending data.
5390 */
5391 if (type != LE_ADV_SCAN_RSP || !match) {
5392 /* Send out whatever is in the cache, but skip duplicates */
5393 if (!match)
5394 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5395 d->last_adv_addr_type, NULL,
5396 d->last_adv_rssi, d->last_adv_flags,
5397 d->last_adv_data,
5398 d->last_adv_data_len, NULL, 0);
5399
5400 /* If the new report will trigger a SCAN_REQ store it for
5401 * later merging.
5402 */
5403 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5404 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5405 rssi, flags, data, len);
5406 return;
5407 }
5408
5409 /* The advertising reports cannot be merged, so clear
5410 * the pending report and send out a device found event.
5411 */
5412 clear_pending_adv_report(hdev);
5413 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5414 rssi, flags, data, len, NULL, 0);
5415 return;
5416 }
5417
5418 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5419 * the new event is a SCAN_RSP. We can therefore proceed with
5420 * sending a merged device found event.
5421 */
5422 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5423 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5424 d->last_adv_data, d->last_adv_data_len, data, len);
5425 clear_pending_adv_report(hdev);
5426}
5427
5428static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5429{
5430 u8 num_reports = skb->data[0];
5431 void *ptr = &skb->data[1];
5432
5433 hci_dev_lock(hdev);
5434
5435 while (num_reports--) {
5436 struct hci_ev_le_advertising_info *ev = ptr;
5437 s8 rssi;
5438
5439 if (ev->length <= HCI_MAX_AD_LENGTH) {
5440 rssi = ev->data[ev->length];
5441 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5442 ev->bdaddr_type, NULL, 0, rssi,
5443 ev->data, ev->length);
5444 } else {
5445 bt_dev_err(hdev, "Dropping invalid advertising data");
5446 }
5447
5448 ptr += sizeof(*ev) + ev->length + 1;
5449 }
5450
5451 hci_dev_unlock(hdev);
5452}
5453
5454static u8 ext_evt_type_to_legacy(u16 evt_type)
5455{
5456 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5457 switch (evt_type) {
5458 case LE_LEGACY_ADV_IND:
5459 return LE_ADV_IND;
5460 case LE_LEGACY_ADV_DIRECT_IND:
5461 return LE_ADV_DIRECT_IND;
5462 case LE_LEGACY_ADV_SCAN_IND:
5463 return LE_ADV_SCAN_IND;
5464 case LE_LEGACY_NONCONN_IND:
5465 return LE_ADV_NONCONN_IND;
5466 case LE_LEGACY_SCAN_RSP_ADV:
5467 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5468 return LE_ADV_SCAN_RSP;
5469 }
5470
5471 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5472 evt_type);
5473
5474 return LE_ADV_INVALID;
5475 }
5476
5477 if (evt_type & LE_EXT_ADV_CONN_IND) {
5478 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5479 return LE_ADV_DIRECT_IND;
5480
5481 return LE_ADV_IND;
5482 }
5483
5484 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5485 return LE_ADV_SCAN_RSP;
5486
5487 if (evt_type & LE_EXT_ADV_SCAN_IND)
5488 return LE_ADV_SCAN_IND;
5489
5490 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5491 evt_type & LE_EXT_ADV_DIRECT_IND)
5492 return LE_ADV_NONCONN_IND;
5493
5494 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5495 evt_type);
5496
5497 return LE_ADV_INVALID;
5498}
5499
5500static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5501{
5502 u8 num_reports = skb->data[0];
5503 void *ptr = &skb->data[1];
5504
5505 hci_dev_lock(hdev);
5506
5507 while (num_reports--) {
5508 struct hci_ev_le_ext_adv_report *ev = ptr;
5509 u8 legacy_evt_type;
5510 u16 evt_type;
5511
5512 evt_type = __le16_to_cpu(ev->evt_type);
5513 legacy_evt_type = ext_evt_type_to_legacy(evt_type);
5514 if (legacy_evt_type != LE_ADV_INVALID) {
5515 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5516 ev->bdaddr_type, NULL, 0, ev->rssi,
5517 ev->data, ev->length);
5518 }
5519
5520 ptr += sizeof(*ev) + ev->length;
5521 }
5522
5523 hci_dev_unlock(hdev);
5524}
5525
5526static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5527 struct sk_buff *skb)
5528{
5529 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5530 struct hci_conn *conn;
5531
5532 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5533
5534 hci_dev_lock(hdev);
5535
5536 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5537 if (conn) {
5538 if (!ev->status)
5539 memcpy(conn->features[0], ev->features, 8);
5540
5541 if (conn->state == BT_CONFIG) {
5542 __u8 status;
5543
5544 /* If the local controller supports slave-initiated
5545 * features exchange, but the remote controller does
5546 * not, then it is possible that the error code 0x1a
5547 * for unsupported remote feature gets returned.
5548 *
5549 * In this specific case, allow the connection to
5550 * transition into connected state and mark it as
5551 * successful.
5552 */
5553 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5554 !conn->out && ev->status == 0x1a)
5555 status = 0x00;
5556 else
5557 status = ev->status;
5558
5559 conn->state = BT_CONNECTED;
5560 hci_connect_cfm(conn, status);
5561 hci_conn_drop(conn);
5562 }
5563 }
5564
5565 hci_dev_unlock(hdev);
5566}
5567
5568static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5569{
5570 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5571 struct hci_cp_le_ltk_reply cp;
5572 struct hci_cp_le_ltk_neg_reply neg;
5573 struct hci_conn *conn;
5574 struct smp_ltk *ltk;
5575
5576 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5577
5578 hci_dev_lock(hdev);
5579
5580 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5581 if (conn == NULL)
5582 goto not_found;
5583
5584 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5585 if (!ltk)
5586 goto not_found;
5587
5588 if (smp_ltk_is_sc(ltk)) {
5589 /* With SC both EDiv and Rand are set to zero */
5590 if (ev->ediv || ev->rand)
5591 goto not_found;
5592 } else {
5593 /* For non-SC keys check that EDiv and Rand match */
5594 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5595 goto not_found;
5596 }
5597
5598 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5599 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5600 cp.handle = cpu_to_le16(conn->handle);
5601
5602 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5603
5604 conn->enc_key_size = ltk->enc_size;
5605
5606 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5607
5608 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5609 * temporary key used to encrypt a connection following
5610 * pairing. It is used during the Encrypted Session Setup to
5611 * distribute the keys. Later, security can be re-established
5612 * using a distributed LTK.
5613 */
5614 if (ltk->type == SMP_STK) {
5615 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5616 list_del_rcu(<k->list);
5617 kfree_rcu(ltk, rcu);
5618 } else {
5619 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5620 }
5621
5622 hci_dev_unlock(hdev);
5623
5624 return;
5625
5626not_found:
5627 neg.handle = ev->handle;
5628 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5629 hci_dev_unlock(hdev);
5630}
5631
5632static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5633 u8 reason)
5634{
5635 struct hci_cp_le_conn_param_req_neg_reply cp;
5636
5637 cp.handle = cpu_to_le16(handle);
5638 cp.reason = reason;
5639
5640 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5641 &cp);
5642}
5643
5644static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5645 struct sk_buff *skb)
5646{
5647 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5648 struct hci_cp_le_conn_param_req_reply cp;
5649 struct hci_conn *hcon;
5650 u16 handle, min, max, latency, timeout;
5651
5652 handle = le16_to_cpu(ev->handle);
5653 min = le16_to_cpu(ev->interval_min);
5654 max = le16_to_cpu(ev->interval_max);
5655 latency = le16_to_cpu(ev->latency);
5656 timeout = le16_to_cpu(ev->timeout);
5657
5658 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5659 if (!hcon || hcon->state != BT_CONNECTED)
5660 return send_conn_param_neg_reply(hdev, handle,
5661 HCI_ERROR_UNKNOWN_CONN_ID);
5662
5663 if (hci_check_conn_params(min, max, latency, timeout))
5664 return send_conn_param_neg_reply(hdev, handle,
5665 HCI_ERROR_INVALID_LL_PARAMS);
5666
5667 if (hcon->role == HCI_ROLE_MASTER) {
5668 struct hci_conn_params *params;
5669 u8 store_hint;
5670
5671 hci_dev_lock(hdev);
5672
5673 params = hci_conn_params_lookup(hdev, &hcon->dst,
5674 hcon->dst_type);
5675 if (params) {
5676 params->conn_min_interval = min;
5677 params->conn_max_interval = max;
5678 params->conn_latency = latency;
5679 params->supervision_timeout = timeout;
5680 store_hint = 0x01;
5681 } else{
5682 store_hint = 0x00;
5683 }
5684
5685 hci_dev_unlock(hdev);
5686
5687 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5688 store_hint, min, max, latency, timeout);
5689 }
5690
5691 cp.handle = ev->handle;
5692 cp.interval_min = ev->interval_min;
5693 cp.interval_max = ev->interval_max;
5694 cp.latency = ev->latency;
5695 cp.timeout = ev->timeout;
5696 cp.min_ce_len = 0;
5697 cp.max_ce_len = 0;
5698
5699 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5700}
5701
5702static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5703 struct sk_buff *skb)
5704{
5705 u8 num_reports = skb->data[0];
5706 void *ptr = &skb->data[1];
5707
5708 hci_dev_lock(hdev);
5709
5710 while (num_reports--) {
5711 struct hci_ev_le_direct_adv_info *ev = ptr;
5712
5713 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5714 ev->bdaddr_type, &ev->direct_addr,
5715 ev->direct_addr_type, ev->rssi, NULL, 0);
5716
5717 ptr += sizeof(*ev);
5718 }
5719
5720 hci_dev_unlock(hdev);
5721}
5722
5723static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5724{
5725 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5726
5727 skb_pull(skb, sizeof(*le_ev));
5728
5729 switch (le_ev->subevent) {
5730 case HCI_EV_LE_CONN_COMPLETE:
5731 hci_le_conn_complete_evt(hdev, skb);
5732 break;
5733
5734 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5735 hci_le_conn_update_complete_evt(hdev, skb);
5736 break;
5737
5738 case HCI_EV_LE_ADVERTISING_REPORT:
5739 hci_le_adv_report_evt(hdev, skb);
5740 break;
5741
5742 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5743 hci_le_remote_feat_complete_evt(hdev, skb);
5744 break;
5745
5746 case HCI_EV_LE_LTK_REQ:
5747 hci_le_ltk_request_evt(hdev, skb);
5748 break;
5749
5750 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5751 hci_le_remote_conn_param_req_evt(hdev, skb);
5752 break;
5753
5754 case HCI_EV_LE_DIRECT_ADV_REPORT:
5755 hci_le_direct_adv_report_evt(hdev, skb);
5756 break;
5757
5758 case HCI_EV_LE_EXT_ADV_REPORT:
5759 hci_le_ext_adv_report_evt(hdev, skb);
5760 break;
5761
5762 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5763 hci_le_enh_conn_complete_evt(hdev, skb);
5764 break;
5765
5766 case HCI_EV_LE_EXT_ADV_SET_TERM:
5767 hci_le_ext_adv_term_evt(hdev, skb);
5768 break;
5769
5770 default:
5771 break;
5772 }
5773}
5774
5775static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5776 u8 event, struct sk_buff *skb)
5777{
5778 struct hci_ev_cmd_complete *ev;
5779 struct hci_event_hdr *hdr;
5780
5781 if (!skb)
5782 return false;
5783
5784 if (skb->len < sizeof(*hdr)) {
5785 bt_dev_err(hdev, "too short HCI event");
5786 return false;
5787 }
5788
5789 hdr = (void *) skb->data;
5790 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5791
5792 if (event) {
5793 if (hdr->evt != event)
5794 return false;
5795 return true;
5796 }
5797
5798 /* Check if request ended in Command Status - no way to retreive
5799 * any extra parameters in this case.
5800 */
5801 if (hdr->evt == HCI_EV_CMD_STATUS)
5802 return false;
5803
5804 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5805 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5806 hdr->evt);
5807 return false;
5808 }
5809
5810 if (skb->len < sizeof(*ev)) {
5811 bt_dev_err(hdev, "too short cmd_complete event");
5812 return false;
5813 }
5814
5815 ev = (void *) skb->data;
5816 skb_pull(skb, sizeof(*ev));
5817
5818 if (opcode != __le16_to_cpu(ev->opcode)) {
5819 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5820 __le16_to_cpu(ev->opcode));
5821 return false;
5822 }
5823
5824 return true;
5825}
5826
5827void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5828{
5829 struct hci_event_hdr *hdr = (void *) skb->data;
5830 hci_req_complete_t req_complete = NULL;
5831 hci_req_complete_skb_t req_complete_skb = NULL;
5832 struct sk_buff *orig_skb = NULL;
5833 u8 status = 0, event = hdr->evt, req_evt = 0;
5834 u16 opcode = HCI_OP_NOP;
5835
5836 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5837 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5838 opcode = __le16_to_cpu(cmd_hdr->opcode);
5839 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5840 &req_complete_skb);
5841 req_evt = event;
5842 }
5843
5844 /* If it looks like we might end up having to call
5845 * req_complete_skb, store a pristine copy of the skb since the
5846 * various handlers may modify the original one through
5847 * skb_pull() calls, etc.
5848 */
5849 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5850 event == HCI_EV_CMD_COMPLETE)
5851 orig_skb = skb_clone(skb, GFP_KERNEL);
5852
5853 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5854
5855 switch (event) {
5856 case HCI_EV_INQUIRY_COMPLETE:
5857 hci_inquiry_complete_evt(hdev, skb);
5858 break;
5859
5860 case HCI_EV_INQUIRY_RESULT:
5861 hci_inquiry_result_evt(hdev, skb);
5862 break;
5863
5864 case HCI_EV_CONN_COMPLETE:
5865 hci_conn_complete_evt(hdev, skb);
5866 break;
5867
5868 case HCI_EV_CONN_REQUEST:
5869 hci_conn_request_evt(hdev, skb);
5870 break;
5871
5872 case HCI_EV_DISCONN_COMPLETE:
5873 hci_disconn_complete_evt(hdev, skb);
5874 break;
5875
5876 case HCI_EV_AUTH_COMPLETE:
5877 hci_auth_complete_evt(hdev, skb);
5878 break;
5879
5880 case HCI_EV_REMOTE_NAME:
5881 hci_remote_name_evt(hdev, skb);
5882 break;
5883
5884 case HCI_EV_ENCRYPT_CHANGE:
5885 hci_encrypt_change_evt(hdev, skb);
5886 break;
5887
5888 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5889 hci_change_link_key_complete_evt(hdev, skb);
5890 break;
5891
5892 case HCI_EV_REMOTE_FEATURES:
5893 hci_remote_features_evt(hdev, skb);
5894 break;
5895
5896 case HCI_EV_CMD_COMPLETE:
5897 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5898 &req_complete, &req_complete_skb);
5899 break;
5900
5901 case HCI_EV_CMD_STATUS:
5902 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5903 &req_complete_skb);
5904 break;
5905
5906 case HCI_EV_HARDWARE_ERROR:
5907 hci_hardware_error_evt(hdev, skb);
5908 break;
5909
5910 case HCI_EV_ROLE_CHANGE:
5911 hci_role_change_evt(hdev, skb);
5912 break;
5913
5914 case HCI_EV_NUM_COMP_PKTS:
5915 hci_num_comp_pkts_evt(hdev, skb);
5916 break;
5917
5918 case HCI_EV_MODE_CHANGE:
5919 hci_mode_change_evt(hdev, skb);
5920 break;
5921
5922 case HCI_EV_PIN_CODE_REQ:
5923 hci_pin_code_request_evt(hdev, skb);
5924 break;
5925
5926 case HCI_EV_LINK_KEY_REQ:
5927 hci_link_key_request_evt(hdev, skb);
5928 break;
5929
5930 case HCI_EV_LINK_KEY_NOTIFY:
5931 hci_link_key_notify_evt(hdev, skb);
5932 break;
5933
5934 case HCI_EV_CLOCK_OFFSET:
5935 hci_clock_offset_evt(hdev, skb);
5936 break;
5937
5938 case HCI_EV_PKT_TYPE_CHANGE:
5939 hci_pkt_type_change_evt(hdev, skb);
5940 break;
5941
5942 case HCI_EV_PSCAN_REP_MODE:
5943 hci_pscan_rep_mode_evt(hdev, skb);
5944 break;
5945
5946 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5947 hci_inquiry_result_with_rssi_evt(hdev, skb);
5948 break;
5949
5950 case HCI_EV_REMOTE_EXT_FEATURES:
5951 hci_remote_ext_features_evt(hdev, skb);
5952 break;
5953
5954 case HCI_EV_SYNC_CONN_COMPLETE:
5955 hci_sync_conn_complete_evt(hdev, skb);
5956 break;
5957
5958 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5959 hci_extended_inquiry_result_evt(hdev, skb);
5960 break;
5961
5962 case HCI_EV_KEY_REFRESH_COMPLETE:
5963 hci_key_refresh_complete_evt(hdev, skb);
5964 break;
5965
5966 case HCI_EV_IO_CAPA_REQUEST:
5967 hci_io_capa_request_evt(hdev, skb);
5968 break;
5969
5970 case HCI_EV_IO_CAPA_REPLY:
5971 hci_io_capa_reply_evt(hdev, skb);
5972 break;
5973
5974 case HCI_EV_USER_CONFIRM_REQUEST:
5975 hci_user_confirm_request_evt(hdev, skb);
5976 break;
5977
5978 case HCI_EV_USER_PASSKEY_REQUEST:
5979 hci_user_passkey_request_evt(hdev, skb);
5980 break;
5981
5982 case HCI_EV_USER_PASSKEY_NOTIFY:
5983 hci_user_passkey_notify_evt(hdev, skb);
5984 break;
5985
5986 case HCI_EV_KEYPRESS_NOTIFY:
5987 hci_keypress_notify_evt(hdev, skb);
5988 break;
5989
5990 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5991 hci_simple_pair_complete_evt(hdev, skb);
5992 break;
5993
5994 case HCI_EV_REMOTE_HOST_FEATURES:
5995 hci_remote_host_features_evt(hdev, skb);
5996 break;
5997
5998 case HCI_EV_LE_META:
5999 hci_le_meta_evt(hdev, skb);
6000 break;
6001
6002 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6003 hci_remote_oob_data_request_evt(hdev, skb);
6004 break;
6005
6006#if IS_ENABLED(CONFIG_BT_HS)
6007 case HCI_EV_CHANNEL_SELECTED:
6008 hci_chan_selected_evt(hdev, skb);
6009 break;
6010
6011 case HCI_EV_PHY_LINK_COMPLETE:
6012 hci_phy_link_complete_evt(hdev, skb);
6013 break;
6014
6015 case HCI_EV_LOGICAL_LINK_COMPLETE:
6016 hci_loglink_complete_evt(hdev, skb);
6017 break;
6018
6019 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6020 hci_disconn_loglink_complete_evt(hdev, skb);
6021 break;
6022
6023 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6024 hci_disconn_phylink_complete_evt(hdev, skb);
6025 break;
6026#endif
6027
6028 case HCI_EV_NUM_COMP_BLOCKS:
6029 hci_num_comp_blocks_evt(hdev, skb);
6030 break;
6031
6032 default:
6033 BT_DBG("%s event 0x%2.2x", hdev->name, event);
6034 break;
6035 }
6036
6037 if (req_complete) {
6038 req_complete(hdev, status, opcode);
6039 } else if (req_complete_skb) {
6040 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6041 kfree_skb(orig_skb);
6042 orig_skb = NULL;
6043 }
6044 req_complete_skb(hdev, status, opcode, orig_skb);
6045 }
6046
6047 kfree_skb(orig_skb);
6048 kfree_skb(skb);
6049 hdev->stat.evt_rx++;
6050}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth HCI event handling. */
26
27#include <asm/unaligned.h>
28
29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h>
31#include <net/bluetooth/mgmt.h>
32
33#include "hci_request.h"
34#include "hci_debugfs.h"
35#include "a2mp.h"
36#include "amp.h"
37#include "smp.h"
38
39#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 "\x00\x00\x00\x00\x00\x00\x00\x00"
41
42/* Handle HCI Event packets */
43
44static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45{
46 __u8 status = *((__u8 *) skb->data);
47
48 BT_DBG("%s status 0x%2.2x", hdev->name, status);
49
50 if (status)
51 return;
52
53 clear_bit(HCI_INQUIRY, &hdev->flags);
54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 wake_up_bit(&hdev->flags, HCI_INQUIRY);
56
57 hci_dev_lock(hdev);
58 /* Set discovery state to stopped if we're not doing LE active
59 * scanning.
60 */
61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 hdev->le_scan_type != LE_SCAN_ACTIVE)
63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 hci_dev_unlock(hdev);
65
66 hci_conn_check_pending(hdev);
67}
68
69static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70{
71 __u8 status = *((__u8 *) skb->data);
72
73 BT_DBG("%s status 0x%2.2x", hdev->name, status);
74
75 if (status)
76 return;
77
78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79}
80
81static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82{
83 __u8 status = *((__u8 *) skb->data);
84
85 BT_DBG("%s status 0x%2.2x", hdev->name, status);
86
87 if (status)
88 return;
89
90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91
92 hci_conn_check_pending(hdev);
93}
94
95static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 struct sk_buff *skb)
97{
98 BT_DBG("%s", hdev->name);
99}
100
101static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102{
103 struct hci_rp_role_discovery *rp = (void *) skb->data;
104 struct hci_conn *conn;
105
106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107
108 if (rp->status)
109 return;
110
111 hci_dev_lock(hdev);
112
113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 if (conn)
115 conn->role = rp->role;
116
117 hci_dev_unlock(hdev);
118}
119
120static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121{
122 struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 struct hci_conn *conn;
124
125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126
127 if (rp->status)
128 return;
129
130 hci_dev_lock(hdev);
131
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 if (conn)
134 conn->link_policy = __le16_to_cpu(rp->policy);
135
136 hci_dev_unlock(hdev);
137}
138
139static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140{
141 struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
143 void *sent;
144
145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146
147 if (rp->status)
148 return;
149
150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 if (!sent)
152 return;
153
154 hci_dev_lock(hdev);
155
156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 if (conn)
158 conn->link_policy = get_unaligned_le16(sent + 2);
159
160 hci_dev_unlock(hdev);
161}
162
163static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 struct sk_buff *skb)
165{
166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167
168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169
170 if (rp->status)
171 return;
172
173 hdev->link_policy = __le16_to_cpu(rp->policy);
174}
175
176static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 struct sk_buff *skb)
178{
179 __u8 status = *((__u8 *) skb->data);
180 void *sent;
181
182 BT_DBG("%s status 0x%2.2x", hdev->name, status);
183
184 if (status)
185 return;
186
187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 if (!sent)
189 return;
190
191 hdev->link_policy = get_unaligned_le16(sent);
192}
193
194static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195{
196 __u8 status = *((__u8 *) skb->data);
197
198 BT_DBG("%s status 0x%2.2x", hdev->name, status);
199
200 clear_bit(HCI_RESET, &hdev->flags);
201
202 if (status)
203 return;
204
205 /* Reset all non-persistent flags */
206 hci_dev_clear_volatile_flags(hdev);
207
208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209
210 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212
213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 hdev->adv_data_len = 0;
215
216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 hdev->scan_rsp_data_len = 0;
218
219 hdev->le_scan_type = LE_SCAN_PASSIVE;
220
221 hdev->ssp_debug_mode = 0;
222
223 hci_bdaddr_list_clear(&hdev->le_white_list);
224}
225
226static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
227 struct sk_buff *skb)
228{
229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 struct hci_cp_read_stored_link_key *sent;
231
232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233
234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
235 if (!sent)
236 return;
237
238 if (!rp->status && sent->read_all == 0x01) {
239 hdev->stored_max_keys = rp->max_keys;
240 hdev->stored_num_keys = rp->num_keys;
241 }
242}
243
244static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
245 struct sk_buff *skb)
246{
247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
248
249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250
251 if (rp->status)
252 return;
253
254 if (rp->num_keys <= hdev->stored_num_keys)
255 hdev->stored_num_keys -= rp->num_keys;
256 else
257 hdev->stored_num_keys = 0;
258}
259
260static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
261{
262 __u8 status = *((__u8 *) skb->data);
263 void *sent;
264
265 BT_DBG("%s status 0x%2.2x", hdev->name, status);
266
267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 if (!sent)
269 return;
270
271 hci_dev_lock(hdev);
272
273 if (hci_dev_test_flag(hdev, HCI_MGMT))
274 mgmt_set_local_name_complete(hdev, sent, status);
275 else if (!status)
276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
277
278 hci_dev_unlock(hdev);
279}
280
281static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
282{
283 struct hci_rp_read_local_name *rp = (void *) skb->data;
284
285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
286
287 if (rp->status)
288 return;
289
290 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 hci_dev_test_flag(hdev, HCI_CONFIG))
292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
293}
294
295static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
296{
297 __u8 status = *((__u8 *) skb->data);
298 void *sent;
299
300 BT_DBG("%s status 0x%2.2x", hdev->name, status);
301
302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
303 if (!sent)
304 return;
305
306 hci_dev_lock(hdev);
307
308 if (!status) {
309 __u8 param = *((__u8 *) sent);
310
311 if (param == AUTH_ENABLED)
312 set_bit(HCI_AUTH, &hdev->flags);
313 else
314 clear_bit(HCI_AUTH, &hdev->flags);
315 }
316
317 if (hci_dev_test_flag(hdev, HCI_MGMT))
318 mgmt_auth_enable_complete(hdev, status);
319
320 hci_dev_unlock(hdev);
321}
322
323static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
324{
325 __u8 status = *((__u8 *) skb->data);
326 __u8 param;
327 void *sent;
328
329 BT_DBG("%s status 0x%2.2x", hdev->name, status);
330
331 if (status)
332 return;
333
334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
335 if (!sent)
336 return;
337
338 param = *((__u8 *) sent);
339
340 if (param)
341 set_bit(HCI_ENCRYPT, &hdev->flags);
342 else
343 clear_bit(HCI_ENCRYPT, &hdev->flags);
344}
345
346static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
347{
348 __u8 status = *((__u8 *) skb->data);
349 __u8 param;
350 void *sent;
351
352 BT_DBG("%s status 0x%2.2x", hdev->name, status);
353
354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
355 if (!sent)
356 return;
357
358 param = *((__u8 *) sent);
359
360 hci_dev_lock(hdev);
361
362 if (status) {
363 hdev->discov_timeout = 0;
364 goto done;
365 }
366
367 if (param & SCAN_INQUIRY)
368 set_bit(HCI_ISCAN, &hdev->flags);
369 else
370 clear_bit(HCI_ISCAN, &hdev->flags);
371
372 if (param & SCAN_PAGE)
373 set_bit(HCI_PSCAN, &hdev->flags);
374 else
375 clear_bit(HCI_PSCAN, &hdev->flags);
376
377done:
378 hci_dev_unlock(hdev);
379}
380
381static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
382{
383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
384
385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
386
387 if (rp->status)
388 return;
389
390 memcpy(hdev->dev_class, rp->dev_class, 3);
391
392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
394}
395
396static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
397{
398 __u8 status = *((__u8 *) skb->data);
399 void *sent;
400
401 BT_DBG("%s status 0x%2.2x", hdev->name, status);
402
403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
404 if (!sent)
405 return;
406
407 hci_dev_lock(hdev);
408
409 if (status == 0)
410 memcpy(hdev->dev_class, sent, 3);
411
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_set_class_of_dev_complete(hdev, sent, status);
414
415 hci_dev_unlock(hdev);
416}
417
418static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
419{
420 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
421 __u16 setting;
422
423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
424
425 if (rp->status)
426 return;
427
428 setting = __le16_to_cpu(rp->voice_setting);
429
430 if (hdev->voice_setting == setting)
431 return;
432
433 hdev->voice_setting = setting;
434
435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
436
437 if (hdev->notify)
438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
439}
440
441static void hci_cc_write_voice_setting(struct hci_dev *hdev,
442 struct sk_buff *skb)
443{
444 __u8 status = *((__u8 *) skb->data);
445 __u16 setting;
446 void *sent;
447
448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
449
450 if (status)
451 return;
452
453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
454 if (!sent)
455 return;
456
457 setting = get_unaligned_le16(sent);
458
459 if (hdev->voice_setting == setting)
460 return;
461
462 hdev->voice_setting = setting;
463
464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
465
466 if (hdev->notify)
467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
468}
469
470static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
471 struct sk_buff *skb)
472{
473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
474
475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
476
477 if (rp->status)
478 return;
479
480 hdev->num_iac = rp->num_iac;
481
482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
483}
484
485static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
486{
487 __u8 status = *((__u8 *) skb->data);
488 struct hci_cp_write_ssp_mode *sent;
489
490 BT_DBG("%s status 0x%2.2x", hdev->name, status);
491
492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
493 if (!sent)
494 return;
495
496 hci_dev_lock(hdev);
497
498 if (!status) {
499 if (sent->mode)
500 hdev->features[1][0] |= LMP_HOST_SSP;
501 else
502 hdev->features[1][0] &= ~LMP_HOST_SSP;
503 }
504
505 if (hci_dev_test_flag(hdev, HCI_MGMT))
506 mgmt_ssp_enable_complete(hdev, sent->mode, status);
507 else if (!status) {
508 if (sent->mode)
509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
510 else
511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
512 }
513
514 hci_dev_unlock(hdev);
515}
516
517static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
518{
519 u8 status = *((u8 *) skb->data);
520 struct hci_cp_write_sc_support *sent;
521
522 BT_DBG("%s status 0x%2.2x", hdev->name, status);
523
524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
525 if (!sent)
526 return;
527
528 hci_dev_lock(hdev);
529
530 if (!status) {
531 if (sent->support)
532 hdev->features[1][0] |= LMP_HOST_SC;
533 else
534 hdev->features[1][0] &= ~LMP_HOST_SC;
535 }
536
537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
538 if (sent->support)
539 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
540 else
541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
542 }
543
544 hci_dev_unlock(hdev);
545}
546
547static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
548{
549 struct hci_rp_read_local_version *rp = (void *) skb->data;
550
551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
552
553 if (rp->status)
554 return;
555
556 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 hdev->hci_ver = rp->hci_ver;
559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 hdev->lmp_ver = rp->lmp_ver;
561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
563 }
564}
565
566static void hci_cc_read_local_commands(struct hci_dev *hdev,
567 struct sk_buff *skb)
568{
569 struct hci_rp_read_local_commands *rp = (void *) skb->data;
570
571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572
573 if (rp->status)
574 return;
575
576 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 hci_dev_test_flag(hdev, HCI_CONFIG))
578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
579}
580
581static void hci_cc_read_local_features(struct hci_dev *hdev,
582 struct sk_buff *skb)
583{
584 struct hci_rp_read_local_features *rp = (void *) skb->data;
585
586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
587
588 if (rp->status)
589 return;
590
591 memcpy(hdev->features, rp->features, 8);
592
593 /* Adjust default settings according to features
594 * supported by device. */
595
596 if (hdev->features[0][0] & LMP_3SLOT)
597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
598
599 if (hdev->features[0][0] & LMP_5SLOT)
600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
601
602 if (hdev->features[0][1] & LMP_HV2) {
603 hdev->pkt_type |= (HCI_HV2);
604 hdev->esco_type |= (ESCO_HV2);
605 }
606
607 if (hdev->features[0][1] & LMP_HV3) {
608 hdev->pkt_type |= (HCI_HV3);
609 hdev->esco_type |= (ESCO_HV3);
610 }
611
612 if (lmp_esco_capable(hdev))
613 hdev->esco_type |= (ESCO_EV3);
614
615 if (hdev->features[0][4] & LMP_EV4)
616 hdev->esco_type |= (ESCO_EV4);
617
618 if (hdev->features[0][4] & LMP_EV5)
619 hdev->esco_type |= (ESCO_EV5);
620
621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 hdev->esco_type |= (ESCO_2EV3);
623
624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 hdev->esco_type |= (ESCO_3EV3);
626
627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
629}
630
631static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
632 struct sk_buff *skb)
633{
634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
635
636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
637
638 if (rp->status)
639 return;
640
641 if (hdev->max_page < rp->max_page)
642 hdev->max_page = rp->max_page;
643
644 if (rp->page < HCI_MAX_PAGES)
645 memcpy(hdev->features[rp->page], rp->features, 8);
646}
647
648static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
649 struct sk_buff *skb)
650{
651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
652
653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
654
655 if (rp->status)
656 return;
657
658 hdev->flow_ctl_mode = rp->mode;
659}
660
661static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662{
663 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
664
665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
666
667 if (rp->status)
668 return;
669
670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
671 hdev->sco_mtu = rp->sco_mtu;
672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
674
675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
676 hdev->sco_mtu = 64;
677 hdev->sco_pkts = 8;
678 }
679
680 hdev->acl_cnt = hdev->acl_pkts;
681 hdev->sco_cnt = hdev->sco_pkts;
682
683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
685}
686
687static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
688{
689 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
690
691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
692
693 if (rp->status)
694 return;
695
696 if (test_bit(HCI_INIT, &hdev->flags))
697 bacpy(&hdev->bdaddr, &rp->bdaddr);
698
699 if (hci_dev_test_flag(hdev, HCI_SETUP))
700 bacpy(&hdev->setup_addr, &rp->bdaddr);
701}
702
703static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
704 struct sk_buff *skb)
705{
706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
707
708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
709
710 if (rp->status)
711 return;
712
713 if (test_bit(HCI_INIT, &hdev->flags)) {
714 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 hdev->page_scan_window = __le16_to_cpu(rp->window);
716 }
717}
718
719static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
720 struct sk_buff *skb)
721{
722 u8 status = *((u8 *) skb->data);
723 struct hci_cp_write_page_scan_activity *sent;
724
725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
726
727 if (status)
728 return;
729
730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
731 if (!sent)
732 return;
733
734 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 hdev->page_scan_window = __le16_to_cpu(sent->window);
736}
737
738static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
739 struct sk_buff *skb)
740{
741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
742
743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
744
745 if (rp->status)
746 return;
747
748 if (test_bit(HCI_INIT, &hdev->flags))
749 hdev->page_scan_type = rp->type;
750}
751
752static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
753 struct sk_buff *skb)
754{
755 u8 status = *((u8 *) skb->data);
756 u8 *type;
757
758 BT_DBG("%s status 0x%2.2x", hdev->name, status);
759
760 if (status)
761 return;
762
763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
764 if (type)
765 hdev->page_scan_type = *type;
766}
767
768static void hci_cc_read_data_block_size(struct hci_dev *hdev,
769 struct sk_buff *skb)
770{
771 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
772
773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
774
775 if (rp->status)
776 return;
777
778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 hdev->block_len = __le16_to_cpu(rp->block_len);
780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
781
782 hdev->block_cnt = hdev->num_blocks;
783
784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 hdev->block_cnt, hdev->block_len);
786}
787
788static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
789{
790 struct hci_rp_read_clock *rp = (void *) skb->data;
791 struct hci_cp_read_clock *cp;
792 struct hci_conn *conn;
793
794 BT_DBG("%s", hdev->name);
795
796 if (skb->len < sizeof(*rp))
797 return;
798
799 if (rp->status)
800 return;
801
802 hci_dev_lock(hdev);
803
804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
805 if (!cp)
806 goto unlock;
807
808 if (cp->which == 0x00) {
809 hdev->clock = le32_to_cpu(rp->clock);
810 goto unlock;
811 }
812
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814 if (conn) {
815 conn->clock = le32_to_cpu(rp->clock);
816 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
817 }
818
819unlock:
820 hci_dev_unlock(hdev);
821}
822
823static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
824 struct sk_buff *skb)
825{
826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
827
828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
829
830 if (rp->status)
831 return;
832
833 hdev->amp_status = rp->amp_status;
834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 hdev->amp_type = rp->amp_type;
839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
843}
844
845static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
846 struct sk_buff *skb)
847{
848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
849
850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851
852 if (rp->status)
853 return;
854
855 hdev->inq_tx_power = rp->tx_power;
856}
857
858static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
859{
860 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 struct hci_cp_pin_code_reply *cp;
862 struct hci_conn *conn;
863
864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
865
866 hci_dev_lock(hdev);
867
868 if (hci_dev_test_flag(hdev, HCI_MGMT))
869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
870
871 if (rp->status)
872 goto unlock;
873
874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
875 if (!cp)
876 goto unlock;
877
878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
879 if (conn)
880 conn->pin_length = cp->pin_len;
881
882unlock:
883 hci_dev_unlock(hdev);
884}
885
886static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
887{
888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
889
890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
891
892 hci_dev_lock(hdev);
893
894 if (hci_dev_test_flag(hdev, HCI_MGMT))
895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
896 rp->status);
897
898 hci_dev_unlock(hdev);
899}
900
901static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
902 struct sk_buff *skb)
903{
904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
905
906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
907
908 if (rp->status)
909 return;
910
911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 hdev->le_pkts = rp->le_max_pkt;
913
914 hdev->le_cnt = hdev->le_pkts;
915
916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
917}
918
919static void hci_cc_le_read_local_features(struct hci_dev *hdev,
920 struct sk_buff *skb)
921{
922 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
923
924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
925
926 if (rp->status)
927 return;
928
929 memcpy(hdev->le_features, rp->features, 8);
930}
931
932static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
933 struct sk_buff *skb)
934{
935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
936
937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938
939 if (rp->status)
940 return;
941
942 hdev->adv_tx_power = rp->tx_power;
943}
944
945static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
946{
947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
948
949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
950
951 hci_dev_lock(hdev);
952
953 if (hci_dev_test_flag(hdev, HCI_MGMT))
954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
955 rp->status);
956
957 hci_dev_unlock(hdev);
958}
959
960static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
961 struct sk_buff *skb)
962{
963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
964
965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
966
967 hci_dev_lock(hdev);
968
969 if (hci_dev_test_flag(hdev, HCI_MGMT))
970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 ACL_LINK, 0, rp->status);
972
973 hci_dev_unlock(hdev);
974}
975
976static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
977{
978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979
980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981
982 hci_dev_lock(hdev);
983
984 if (hci_dev_test_flag(hdev, HCI_MGMT))
985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
986 0, rp->status);
987
988 hci_dev_unlock(hdev);
989}
990
991static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
992 struct sk_buff *skb)
993{
994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995
996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997
998 hci_dev_lock(hdev);
999
1000 if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 ACL_LINK, 0, rp->status);
1003
1004 hci_dev_unlock(hdev);
1005}
1006
1007static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 struct sk_buff *skb)
1009{
1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1011
1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1013}
1014
1015static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 struct sk_buff *skb)
1017{
1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1019
1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021}
1022
1023static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1024{
1025 __u8 status = *((__u8 *) skb->data);
1026 bdaddr_t *sent;
1027
1028 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1029
1030 if (status)
1031 return;
1032
1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 if (!sent)
1035 return;
1036
1037 hci_dev_lock(hdev);
1038
1039 bacpy(&hdev->random_addr, sent);
1040
1041 hci_dev_unlock(hdev);
1042}
1043
1044static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1045{
1046 __u8 *sent, status = *((__u8 *) skb->data);
1047
1048 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049
1050 if (status)
1051 return;
1052
1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 if (!sent)
1055 return;
1056
1057 hci_dev_lock(hdev);
1058
1059 /* If we're doing connection initiation as peripheral. Set a
1060 * timeout in case something goes wrong.
1061 */
1062 if (*sent) {
1063 struct hci_conn *conn;
1064
1065 hci_dev_set_flag(hdev, HCI_LE_ADV);
1066
1067 conn = hci_lookup_le_connect(hdev);
1068 if (conn)
1069 queue_delayed_work(hdev->workqueue,
1070 &conn->le_conn_timeout,
1071 conn->conn_timeout);
1072 } else {
1073 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1074 }
1075
1076 hci_dev_unlock(hdev);
1077}
1078
1079static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1080{
1081 struct hci_cp_le_set_scan_param *cp;
1082 __u8 status = *((__u8 *) skb->data);
1083
1084 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1085
1086 if (status)
1087 return;
1088
1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 if (!cp)
1091 return;
1092
1093 hci_dev_lock(hdev);
1094
1095 hdev->le_scan_type = cp->type;
1096
1097 hci_dev_unlock(hdev);
1098}
1099
1100static bool has_pending_adv_report(struct hci_dev *hdev)
1101{
1102 struct discovery_state *d = &hdev->discovery;
1103
1104 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1105}
1106
1107static void clear_pending_adv_report(struct hci_dev *hdev)
1108{
1109 struct discovery_state *d = &hdev->discovery;
1110
1111 bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 d->last_adv_data_len = 0;
1113}
1114
1115static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 u8 bdaddr_type, s8 rssi, u32 flags,
1117 u8 *data, u8 len)
1118{
1119 struct discovery_state *d = &hdev->discovery;
1120
1121 bacpy(&d->last_adv_addr, bdaddr);
1122 d->last_adv_addr_type = bdaddr_type;
1123 d->last_adv_rssi = rssi;
1124 d->last_adv_flags = flags;
1125 memcpy(d->last_adv_data, data, len);
1126 d->last_adv_data_len = len;
1127}
1128
1129static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 struct sk_buff *skb)
1131{
1132 struct hci_cp_le_set_scan_enable *cp;
1133 __u8 status = *((__u8 *) skb->data);
1134
1135 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1136
1137 if (status)
1138 return;
1139
1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 if (!cp)
1142 return;
1143
1144 hci_dev_lock(hdev);
1145
1146 switch (cp->enable) {
1147 case LE_SCAN_ENABLE:
1148 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 clear_pending_adv_report(hdev);
1151 break;
1152
1153 case LE_SCAN_DISABLE:
1154 /* We do this here instead of when setting DISCOVERY_STOPPED
1155 * since the latter would potentially require waiting for
1156 * inquiry to stop too.
1157 */
1158 if (has_pending_adv_report(hdev)) {
1159 struct discovery_state *d = &hdev->discovery;
1160
1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 d->last_adv_addr_type, NULL,
1163 d->last_adv_rssi, d->last_adv_flags,
1164 d->last_adv_data,
1165 d->last_adv_data_len, NULL, 0);
1166 }
1167
1168 /* Cancel this timer so that we don't try to disable scanning
1169 * when it's already disabled.
1170 */
1171 cancel_delayed_work(&hdev->le_scan_disable);
1172
1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1174
1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 * interrupted scanning due to a connect request. Mark
1177 * therefore discovery as stopped. If this was not
1178 * because of a connect request advertising might have
1179 * been disabled because of active scanning, so
1180 * re-enable it again if necessary.
1181 */
1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 hdev->discovery.state == DISCOVERY_FINDING)
1186 hci_req_reenable_advertising(hdev);
1187
1188 break;
1189
1190 default:
1191 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1192 cp->enable);
1193 break;
1194 }
1195
1196 hci_dev_unlock(hdev);
1197}
1198
1199static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1200 struct sk_buff *skb)
1201{
1202 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1203
1204 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1205
1206 if (rp->status)
1207 return;
1208
1209 hdev->le_white_list_size = rp->size;
1210}
1211
1212static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1213 struct sk_buff *skb)
1214{
1215 __u8 status = *((__u8 *) skb->data);
1216
1217 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1218
1219 if (status)
1220 return;
1221
1222 hci_bdaddr_list_clear(&hdev->le_white_list);
1223}
1224
1225static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1226 struct sk_buff *skb)
1227{
1228 struct hci_cp_le_add_to_white_list *sent;
1229 __u8 status = *((__u8 *) skb->data);
1230
1231 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1232
1233 if (status)
1234 return;
1235
1236 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1237 if (!sent)
1238 return;
1239
1240 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1241 sent->bdaddr_type);
1242}
1243
1244static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1245 struct sk_buff *skb)
1246{
1247 struct hci_cp_le_del_from_white_list *sent;
1248 __u8 status = *((__u8 *) skb->data);
1249
1250 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1251
1252 if (status)
1253 return;
1254
1255 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1256 if (!sent)
1257 return;
1258
1259 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1260 sent->bdaddr_type);
1261}
1262
1263static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1264 struct sk_buff *skb)
1265{
1266 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1267
1268 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1269
1270 if (rp->status)
1271 return;
1272
1273 memcpy(hdev->le_states, rp->le_states, 8);
1274}
1275
1276static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1277 struct sk_buff *skb)
1278{
1279 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1280
1281 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1282
1283 if (rp->status)
1284 return;
1285
1286 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1287 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1288}
1289
1290static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1291 struct sk_buff *skb)
1292{
1293 struct hci_cp_le_write_def_data_len *sent;
1294 __u8 status = *((__u8 *) skb->data);
1295
1296 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1297
1298 if (status)
1299 return;
1300
1301 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1302 if (!sent)
1303 return;
1304
1305 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1306 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1307}
1308
1309static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1310 struct sk_buff *skb)
1311{
1312 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1313
1314 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1315
1316 if (rp->status)
1317 return;
1318
1319 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1320 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1321 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1322 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1323}
1324
1325static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1326 struct sk_buff *skb)
1327{
1328 struct hci_cp_write_le_host_supported *sent;
1329 __u8 status = *((__u8 *) skb->data);
1330
1331 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1332
1333 if (status)
1334 return;
1335
1336 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1337 if (!sent)
1338 return;
1339
1340 hci_dev_lock(hdev);
1341
1342 if (sent->le) {
1343 hdev->features[1][0] |= LMP_HOST_LE;
1344 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1345 } else {
1346 hdev->features[1][0] &= ~LMP_HOST_LE;
1347 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1348 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1349 }
1350
1351 if (sent->simul)
1352 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1353 else
1354 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1355
1356 hci_dev_unlock(hdev);
1357}
1358
1359static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1360{
1361 struct hci_cp_le_set_adv_param *cp;
1362 u8 status = *((u8 *) skb->data);
1363
1364 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1365
1366 if (status)
1367 return;
1368
1369 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1370 if (!cp)
1371 return;
1372
1373 hci_dev_lock(hdev);
1374 hdev->adv_addr_type = cp->own_address_type;
1375 hci_dev_unlock(hdev);
1376}
1377
1378static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1379{
1380 struct hci_rp_read_rssi *rp = (void *) skb->data;
1381 struct hci_conn *conn;
1382
1383 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1384
1385 if (rp->status)
1386 return;
1387
1388 hci_dev_lock(hdev);
1389
1390 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1391 if (conn)
1392 conn->rssi = rp->rssi;
1393
1394 hci_dev_unlock(hdev);
1395}
1396
1397static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1398{
1399 struct hci_cp_read_tx_power *sent;
1400 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1401 struct hci_conn *conn;
1402
1403 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1404
1405 if (rp->status)
1406 return;
1407
1408 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1409 if (!sent)
1410 return;
1411
1412 hci_dev_lock(hdev);
1413
1414 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1415 if (!conn)
1416 goto unlock;
1417
1418 switch (sent->type) {
1419 case 0x00:
1420 conn->tx_power = rp->tx_power;
1421 break;
1422 case 0x01:
1423 conn->max_tx_power = rp->tx_power;
1424 break;
1425 }
1426
1427unlock:
1428 hci_dev_unlock(hdev);
1429}
1430
1431static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1432{
1433 u8 status = *((u8 *) skb->data);
1434 u8 *mode;
1435
1436 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1437
1438 if (status)
1439 return;
1440
1441 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1442 if (mode)
1443 hdev->ssp_debug_mode = *mode;
1444}
1445
1446static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1447{
1448 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1449
1450 if (status) {
1451 hci_conn_check_pending(hdev);
1452 return;
1453 }
1454
1455 set_bit(HCI_INQUIRY, &hdev->flags);
1456}
1457
1458static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1459{
1460 struct hci_cp_create_conn *cp;
1461 struct hci_conn *conn;
1462
1463 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464
1465 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1466 if (!cp)
1467 return;
1468
1469 hci_dev_lock(hdev);
1470
1471 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1472
1473 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1474
1475 if (status) {
1476 if (conn && conn->state == BT_CONNECT) {
1477 if (status != 0x0c || conn->attempt > 2) {
1478 conn->state = BT_CLOSED;
1479 hci_connect_cfm(conn, status);
1480 hci_conn_del(conn);
1481 } else
1482 conn->state = BT_CONNECT2;
1483 }
1484 } else {
1485 if (!conn) {
1486 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1487 HCI_ROLE_MASTER);
1488 if (!conn)
1489 bt_dev_err(hdev, "no memory for new connection");
1490 }
1491 }
1492
1493 hci_dev_unlock(hdev);
1494}
1495
1496static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1497{
1498 struct hci_cp_add_sco *cp;
1499 struct hci_conn *acl, *sco;
1500 __u16 handle;
1501
1502 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1503
1504 if (!status)
1505 return;
1506
1507 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1508 if (!cp)
1509 return;
1510
1511 handle = __le16_to_cpu(cp->handle);
1512
1513 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1514
1515 hci_dev_lock(hdev);
1516
1517 acl = hci_conn_hash_lookup_handle(hdev, handle);
1518 if (acl) {
1519 sco = acl->link;
1520 if (sco) {
1521 sco->state = BT_CLOSED;
1522
1523 hci_connect_cfm(sco, status);
1524 hci_conn_del(sco);
1525 }
1526 }
1527
1528 hci_dev_unlock(hdev);
1529}
1530
1531static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1532{
1533 struct hci_cp_auth_requested *cp;
1534 struct hci_conn *conn;
1535
1536 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1537
1538 if (!status)
1539 return;
1540
1541 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1542 if (!cp)
1543 return;
1544
1545 hci_dev_lock(hdev);
1546
1547 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1548 if (conn) {
1549 if (conn->state == BT_CONFIG) {
1550 hci_connect_cfm(conn, status);
1551 hci_conn_drop(conn);
1552 }
1553 }
1554
1555 hci_dev_unlock(hdev);
1556}
1557
1558static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1559{
1560 struct hci_cp_set_conn_encrypt *cp;
1561 struct hci_conn *conn;
1562
1563 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1564
1565 if (!status)
1566 return;
1567
1568 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1569 if (!cp)
1570 return;
1571
1572 hci_dev_lock(hdev);
1573
1574 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1575 if (conn) {
1576 if (conn->state == BT_CONFIG) {
1577 hci_connect_cfm(conn, status);
1578 hci_conn_drop(conn);
1579 }
1580 }
1581
1582 hci_dev_unlock(hdev);
1583}
1584
1585static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1586 struct hci_conn *conn)
1587{
1588 if (conn->state != BT_CONFIG || !conn->out)
1589 return 0;
1590
1591 if (conn->pending_sec_level == BT_SECURITY_SDP)
1592 return 0;
1593
1594 /* Only request authentication for SSP connections or non-SSP
1595 * devices with sec_level MEDIUM or HIGH or if MITM protection
1596 * is requested.
1597 */
1598 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1599 conn->pending_sec_level != BT_SECURITY_FIPS &&
1600 conn->pending_sec_level != BT_SECURITY_HIGH &&
1601 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1602 return 0;
1603
1604 return 1;
1605}
1606
1607static int hci_resolve_name(struct hci_dev *hdev,
1608 struct inquiry_entry *e)
1609{
1610 struct hci_cp_remote_name_req cp;
1611
1612 memset(&cp, 0, sizeof(cp));
1613
1614 bacpy(&cp.bdaddr, &e->data.bdaddr);
1615 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1616 cp.pscan_mode = e->data.pscan_mode;
1617 cp.clock_offset = e->data.clock_offset;
1618
1619 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1620}
1621
1622static bool hci_resolve_next_name(struct hci_dev *hdev)
1623{
1624 struct discovery_state *discov = &hdev->discovery;
1625 struct inquiry_entry *e;
1626
1627 if (list_empty(&discov->resolve))
1628 return false;
1629
1630 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1631 if (!e)
1632 return false;
1633
1634 if (hci_resolve_name(hdev, e) == 0) {
1635 e->name_state = NAME_PENDING;
1636 return true;
1637 }
1638
1639 return false;
1640}
1641
1642static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1643 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1644{
1645 struct discovery_state *discov = &hdev->discovery;
1646 struct inquiry_entry *e;
1647
1648 /* Update the mgmt connected state if necessary. Be careful with
1649 * conn objects that exist but are not (yet) connected however.
1650 * Only those in BT_CONFIG or BT_CONNECTED states can be
1651 * considered connected.
1652 */
1653 if (conn &&
1654 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1655 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1656 mgmt_device_connected(hdev, conn, 0, name, name_len);
1657
1658 if (discov->state == DISCOVERY_STOPPED)
1659 return;
1660
1661 if (discov->state == DISCOVERY_STOPPING)
1662 goto discov_complete;
1663
1664 if (discov->state != DISCOVERY_RESOLVING)
1665 return;
1666
1667 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1668 /* If the device was not found in a list of found devices names of which
1669 * are pending. there is no need to continue resolving a next name as it
1670 * will be done upon receiving another Remote Name Request Complete
1671 * Event */
1672 if (!e)
1673 return;
1674
1675 list_del(&e->list);
1676 if (name) {
1677 e->name_state = NAME_KNOWN;
1678 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1679 e->data.rssi, name, name_len);
1680 } else {
1681 e->name_state = NAME_NOT_KNOWN;
1682 }
1683
1684 if (hci_resolve_next_name(hdev))
1685 return;
1686
1687discov_complete:
1688 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1689}
1690
1691static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1692{
1693 struct hci_cp_remote_name_req *cp;
1694 struct hci_conn *conn;
1695
1696 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1697
1698 /* If successful wait for the name req complete event before
1699 * checking for the need to do authentication */
1700 if (!status)
1701 return;
1702
1703 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1704 if (!cp)
1705 return;
1706
1707 hci_dev_lock(hdev);
1708
1709 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1710
1711 if (hci_dev_test_flag(hdev, HCI_MGMT))
1712 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1713
1714 if (!conn)
1715 goto unlock;
1716
1717 if (!hci_outgoing_auth_needed(hdev, conn))
1718 goto unlock;
1719
1720 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1721 struct hci_cp_auth_requested auth_cp;
1722
1723 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1724
1725 auth_cp.handle = __cpu_to_le16(conn->handle);
1726 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1727 sizeof(auth_cp), &auth_cp);
1728 }
1729
1730unlock:
1731 hci_dev_unlock(hdev);
1732}
1733
1734static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1735{
1736 struct hci_cp_read_remote_features *cp;
1737 struct hci_conn *conn;
1738
1739 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1740
1741 if (!status)
1742 return;
1743
1744 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1745 if (!cp)
1746 return;
1747
1748 hci_dev_lock(hdev);
1749
1750 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1751 if (conn) {
1752 if (conn->state == BT_CONFIG) {
1753 hci_connect_cfm(conn, status);
1754 hci_conn_drop(conn);
1755 }
1756 }
1757
1758 hci_dev_unlock(hdev);
1759}
1760
1761static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1762{
1763 struct hci_cp_read_remote_ext_features *cp;
1764 struct hci_conn *conn;
1765
1766 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1767
1768 if (!status)
1769 return;
1770
1771 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1772 if (!cp)
1773 return;
1774
1775 hci_dev_lock(hdev);
1776
1777 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1778 if (conn) {
1779 if (conn->state == BT_CONFIG) {
1780 hci_connect_cfm(conn, status);
1781 hci_conn_drop(conn);
1782 }
1783 }
1784
1785 hci_dev_unlock(hdev);
1786}
1787
1788static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1789{
1790 struct hci_cp_setup_sync_conn *cp;
1791 struct hci_conn *acl, *sco;
1792 __u16 handle;
1793
1794 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1795
1796 if (!status)
1797 return;
1798
1799 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1800 if (!cp)
1801 return;
1802
1803 handle = __le16_to_cpu(cp->handle);
1804
1805 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1806
1807 hci_dev_lock(hdev);
1808
1809 acl = hci_conn_hash_lookup_handle(hdev, handle);
1810 if (acl) {
1811 sco = acl->link;
1812 if (sco) {
1813 sco->state = BT_CLOSED;
1814
1815 hci_connect_cfm(sco, status);
1816 hci_conn_del(sco);
1817 }
1818 }
1819
1820 hci_dev_unlock(hdev);
1821}
1822
1823static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1824{
1825 struct hci_cp_sniff_mode *cp;
1826 struct hci_conn *conn;
1827
1828 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1829
1830 if (!status)
1831 return;
1832
1833 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1834 if (!cp)
1835 return;
1836
1837 hci_dev_lock(hdev);
1838
1839 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1840 if (conn) {
1841 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1842
1843 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1844 hci_sco_setup(conn, status);
1845 }
1846
1847 hci_dev_unlock(hdev);
1848}
1849
1850static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1851{
1852 struct hci_cp_exit_sniff_mode *cp;
1853 struct hci_conn *conn;
1854
1855 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1856
1857 if (!status)
1858 return;
1859
1860 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1861 if (!cp)
1862 return;
1863
1864 hci_dev_lock(hdev);
1865
1866 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1867 if (conn) {
1868 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1869
1870 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1871 hci_sco_setup(conn, status);
1872 }
1873
1874 hci_dev_unlock(hdev);
1875}
1876
1877static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1878{
1879 struct hci_cp_disconnect *cp;
1880 struct hci_conn *conn;
1881
1882 if (!status)
1883 return;
1884
1885 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1886 if (!cp)
1887 return;
1888
1889 hci_dev_lock(hdev);
1890
1891 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 if (conn)
1893 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1894 conn->dst_type, status);
1895
1896 hci_dev_unlock(hdev);
1897}
1898
1899static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1900{
1901 struct hci_cp_le_create_conn *cp;
1902 struct hci_conn *conn;
1903
1904 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1905
1906 /* All connection failure handling is taken care of by the
1907 * hci_le_conn_failed function which is triggered by the HCI
1908 * request completion callbacks used for connecting.
1909 */
1910 if (status)
1911 return;
1912
1913 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1914 if (!cp)
1915 return;
1916
1917 hci_dev_lock(hdev);
1918
1919 conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1920 cp->peer_addr_type);
1921 if (!conn)
1922 goto unlock;
1923
1924 /* Store the initiator and responder address information which
1925 * is needed for SMP. These values will not change during the
1926 * lifetime of the connection.
1927 */
1928 conn->init_addr_type = cp->own_address_type;
1929 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1930 bacpy(&conn->init_addr, &hdev->random_addr);
1931 else
1932 bacpy(&conn->init_addr, &hdev->bdaddr);
1933
1934 conn->resp_addr_type = cp->peer_addr_type;
1935 bacpy(&conn->resp_addr, &cp->peer_addr);
1936
1937 /* We don't want the connection attempt to stick around
1938 * indefinitely since LE doesn't have a page timeout concept
1939 * like BR/EDR. Set a timer for any connection that doesn't use
1940 * the white list for connecting.
1941 */
1942 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1943 queue_delayed_work(conn->hdev->workqueue,
1944 &conn->le_conn_timeout,
1945 conn->conn_timeout);
1946
1947unlock:
1948 hci_dev_unlock(hdev);
1949}
1950
1951static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1952{
1953 struct hci_cp_le_read_remote_features *cp;
1954 struct hci_conn *conn;
1955
1956 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1957
1958 if (!status)
1959 return;
1960
1961 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1962 if (!cp)
1963 return;
1964
1965 hci_dev_lock(hdev);
1966
1967 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1968 if (conn) {
1969 if (conn->state == BT_CONFIG) {
1970 hci_connect_cfm(conn, status);
1971 hci_conn_drop(conn);
1972 }
1973 }
1974
1975 hci_dev_unlock(hdev);
1976}
1977
1978static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1979{
1980 struct hci_cp_le_start_enc *cp;
1981 struct hci_conn *conn;
1982
1983 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1984
1985 if (!status)
1986 return;
1987
1988 hci_dev_lock(hdev);
1989
1990 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1991 if (!cp)
1992 goto unlock;
1993
1994 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1995 if (!conn)
1996 goto unlock;
1997
1998 if (conn->state != BT_CONNECTED)
1999 goto unlock;
2000
2001 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2002 hci_conn_drop(conn);
2003
2004unlock:
2005 hci_dev_unlock(hdev);
2006}
2007
2008static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2009{
2010 struct hci_cp_switch_role *cp;
2011 struct hci_conn *conn;
2012
2013 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2014
2015 if (!status)
2016 return;
2017
2018 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2019 if (!cp)
2020 return;
2021
2022 hci_dev_lock(hdev);
2023
2024 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2025 if (conn)
2026 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2027
2028 hci_dev_unlock(hdev);
2029}
2030
2031static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2032{
2033 __u8 status = *((__u8 *) skb->data);
2034 struct discovery_state *discov = &hdev->discovery;
2035 struct inquiry_entry *e;
2036
2037 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2038
2039 hci_conn_check_pending(hdev);
2040
2041 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2042 return;
2043
2044 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2045 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2046
2047 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2048 return;
2049
2050 hci_dev_lock(hdev);
2051
2052 if (discov->state != DISCOVERY_FINDING)
2053 goto unlock;
2054
2055 if (list_empty(&discov->resolve)) {
2056 /* When BR/EDR inquiry is active and no LE scanning is in
2057 * progress, then change discovery state to indicate completion.
2058 *
2059 * When running LE scanning and BR/EDR inquiry simultaneously
2060 * and the LE scan already finished, then change the discovery
2061 * state to indicate completion.
2062 */
2063 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2064 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2065 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2066 goto unlock;
2067 }
2068
2069 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2070 if (e && hci_resolve_name(hdev, e) == 0) {
2071 e->name_state = NAME_PENDING;
2072 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2073 } else {
2074 /* When BR/EDR inquiry is active and no LE scanning is in
2075 * progress, then change discovery state to indicate completion.
2076 *
2077 * When running LE scanning and BR/EDR inquiry simultaneously
2078 * and the LE scan already finished, then change the discovery
2079 * state to indicate completion.
2080 */
2081 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2082 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2083 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2084 }
2085
2086unlock:
2087 hci_dev_unlock(hdev);
2088}
2089
2090static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2091{
2092 struct inquiry_data data;
2093 struct inquiry_info *info = (void *) (skb->data + 1);
2094 int num_rsp = *((__u8 *) skb->data);
2095
2096 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2097
2098 if (!num_rsp)
2099 return;
2100
2101 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2102 return;
2103
2104 hci_dev_lock(hdev);
2105
2106 for (; num_rsp; num_rsp--, info++) {
2107 u32 flags;
2108
2109 bacpy(&data.bdaddr, &info->bdaddr);
2110 data.pscan_rep_mode = info->pscan_rep_mode;
2111 data.pscan_period_mode = info->pscan_period_mode;
2112 data.pscan_mode = info->pscan_mode;
2113 memcpy(data.dev_class, info->dev_class, 3);
2114 data.clock_offset = info->clock_offset;
2115 data.rssi = HCI_RSSI_INVALID;
2116 data.ssp_mode = 0x00;
2117
2118 flags = hci_inquiry_cache_update(hdev, &data, false);
2119
2120 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2121 info->dev_class, HCI_RSSI_INVALID,
2122 flags, NULL, 0, NULL, 0);
2123 }
2124
2125 hci_dev_unlock(hdev);
2126}
2127
2128static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2129{
2130 struct hci_ev_conn_complete *ev = (void *) skb->data;
2131 struct hci_conn *conn;
2132
2133 BT_DBG("%s", hdev->name);
2134
2135 hci_dev_lock(hdev);
2136
2137 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2138 if (!conn) {
2139 if (ev->link_type != SCO_LINK)
2140 goto unlock;
2141
2142 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2143 if (!conn)
2144 goto unlock;
2145
2146 conn->type = SCO_LINK;
2147 }
2148
2149 if (!ev->status) {
2150 conn->handle = __le16_to_cpu(ev->handle);
2151
2152 if (conn->type == ACL_LINK) {
2153 conn->state = BT_CONFIG;
2154 hci_conn_hold(conn);
2155
2156 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2157 !hci_find_link_key(hdev, &ev->bdaddr))
2158 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2159 else
2160 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2161 } else
2162 conn->state = BT_CONNECTED;
2163
2164 hci_debugfs_create_conn(conn);
2165 hci_conn_add_sysfs(conn);
2166
2167 if (test_bit(HCI_AUTH, &hdev->flags))
2168 set_bit(HCI_CONN_AUTH, &conn->flags);
2169
2170 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2171 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2172
2173 /* Get remote features */
2174 if (conn->type == ACL_LINK) {
2175 struct hci_cp_read_remote_features cp;
2176 cp.handle = ev->handle;
2177 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2178 sizeof(cp), &cp);
2179
2180 hci_req_update_scan(hdev);
2181 }
2182
2183 /* Set packet type for incoming connection */
2184 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2185 struct hci_cp_change_conn_ptype cp;
2186 cp.handle = ev->handle;
2187 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2188 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2189 &cp);
2190 }
2191 } else {
2192 conn->state = BT_CLOSED;
2193 if (conn->type == ACL_LINK)
2194 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2195 conn->dst_type, ev->status);
2196 }
2197
2198 if (conn->type == ACL_LINK)
2199 hci_sco_setup(conn, ev->status);
2200
2201 if (ev->status) {
2202 hci_connect_cfm(conn, ev->status);
2203 hci_conn_del(conn);
2204 } else if (ev->link_type != ACL_LINK)
2205 hci_connect_cfm(conn, ev->status);
2206
2207unlock:
2208 hci_dev_unlock(hdev);
2209
2210 hci_conn_check_pending(hdev);
2211}
2212
2213static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2214{
2215 struct hci_cp_reject_conn_req cp;
2216
2217 bacpy(&cp.bdaddr, bdaddr);
2218 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2219 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2220}
2221
2222static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2223{
2224 struct hci_ev_conn_request *ev = (void *) skb->data;
2225 int mask = hdev->link_mode;
2226 struct inquiry_entry *ie;
2227 struct hci_conn *conn;
2228 __u8 flags = 0;
2229
2230 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2231 ev->link_type);
2232
2233 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2234 &flags);
2235
2236 if (!(mask & HCI_LM_ACCEPT)) {
2237 hci_reject_conn(hdev, &ev->bdaddr);
2238 return;
2239 }
2240
2241 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2242 BDADDR_BREDR)) {
2243 hci_reject_conn(hdev, &ev->bdaddr);
2244 return;
2245 }
2246
2247 /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2248 * connection. These features are only touched through mgmt so
2249 * only do the checks if HCI_MGMT is set.
2250 */
2251 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2252 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2253 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2254 BDADDR_BREDR)) {
2255 hci_reject_conn(hdev, &ev->bdaddr);
2256 return;
2257 }
2258
2259 /* Connection accepted */
2260
2261 hci_dev_lock(hdev);
2262
2263 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2264 if (ie)
2265 memcpy(ie->data.dev_class, ev->dev_class, 3);
2266
2267 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2268 &ev->bdaddr);
2269 if (!conn) {
2270 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2271 HCI_ROLE_SLAVE);
2272 if (!conn) {
2273 bt_dev_err(hdev, "no memory for new connection");
2274 hci_dev_unlock(hdev);
2275 return;
2276 }
2277 }
2278
2279 memcpy(conn->dev_class, ev->dev_class, 3);
2280
2281 hci_dev_unlock(hdev);
2282
2283 if (ev->link_type == ACL_LINK ||
2284 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2285 struct hci_cp_accept_conn_req cp;
2286 conn->state = BT_CONNECT;
2287
2288 bacpy(&cp.bdaddr, &ev->bdaddr);
2289
2290 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2291 cp.role = 0x00; /* Become master */
2292 else
2293 cp.role = 0x01; /* Remain slave */
2294
2295 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2296 } else if (!(flags & HCI_PROTO_DEFER)) {
2297 struct hci_cp_accept_sync_conn_req cp;
2298 conn->state = BT_CONNECT;
2299
2300 bacpy(&cp.bdaddr, &ev->bdaddr);
2301 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2302
2303 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2304 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2305 cp.max_latency = cpu_to_le16(0xffff);
2306 cp.content_format = cpu_to_le16(hdev->voice_setting);
2307 cp.retrans_effort = 0xff;
2308
2309 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2310 &cp);
2311 } else {
2312 conn->state = BT_CONNECT2;
2313 hci_connect_cfm(conn, 0);
2314 }
2315}
2316
2317static u8 hci_to_mgmt_reason(u8 err)
2318{
2319 switch (err) {
2320 case HCI_ERROR_CONNECTION_TIMEOUT:
2321 return MGMT_DEV_DISCONN_TIMEOUT;
2322 case HCI_ERROR_REMOTE_USER_TERM:
2323 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2324 case HCI_ERROR_REMOTE_POWER_OFF:
2325 return MGMT_DEV_DISCONN_REMOTE;
2326 case HCI_ERROR_LOCAL_HOST_TERM:
2327 return MGMT_DEV_DISCONN_LOCAL_HOST;
2328 default:
2329 return MGMT_DEV_DISCONN_UNKNOWN;
2330 }
2331}
2332
2333static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2334{
2335 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2336 u8 reason;
2337 struct hci_conn_params *params;
2338 struct hci_conn *conn;
2339 bool mgmt_connected;
2340 u8 type;
2341
2342 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2343
2344 hci_dev_lock(hdev);
2345
2346 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2347 if (!conn)
2348 goto unlock;
2349
2350 if (ev->status) {
2351 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2352 conn->dst_type, ev->status);
2353 goto unlock;
2354 }
2355
2356 conn->state = BT_CLOSED;
2357
2358 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2359
2360 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2361 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2362 else
2363 reason = hci_to_mgmt_reason(ev->reason);
2364
2365 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2366 reason, mgmt_connected);
2367
2368 if (conn->type == ACL_LINK) {
2369 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2370 hci_remove_link_key(hdev, &conn->dst);
2371
2372 hci_req_update_scan(hdev);
2373 }
2374
2375 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2376 if (params) {
2377 switch (params->auto_connect) {
2378 case HCI_AUTO_CONN_LINK_LOSS:
2379 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2380 break;
2381 /* Fall through */
2382
2383 case HCI_AUTO_CONN_DIRECT:
2384 case HCI_AUTO_CONN_ALWAYS:
2385 list_del_init(¶ms->action);
2386 list_add(¶ms->action, &hdev->pend_le_conns);
2387 hci_update_background_scan(hdev);
2388 break;
2389
2390 default:
2391 break;
2392 }
2393 }
2394
2395 type = conn->type;
2396
2397 hci_disconn_cfm(conn, ev->reason);
2398 hci_conn_del(conn);
2399
2400 /* Re-enable advertising if necessary, since it might
2401 * have been disabled by the connection. From the
2402 * HCI_LE_Set_Advertise_Enable command description in
2403 * the core specification (v4.0):
2404 * "The Controller shall continue advertising until the Host
2405 * issues an LE_Set_Advertise_Enable command with
2406 * Advertising_Enable set to 0x00 (Advertising is disabled)
2407 * or until a connection is created or until the Advertising
2408 * is timed out due to Directed Advertising."
2409 */
2410 if (type == LE_LINK)
2411 hci_req_reenable_advertising(hdev);
2412
2413unlock:
2414 hci_dev_unlock(hdev);
2415}
2416
2417static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2418{
2419 struct hci_ev_auth_complete *ev = (void *) skb->data;
2420 struct hci_conn *conn;
2421
2422 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2423
2424 hci_dev_lock(hdev);
2425
2426 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2427 if (!conn)
2428 goto unlock;
2429
2430 if (!ev->status) {
2431 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2432
2433 if (!hci_conn_ssp_enabled(conn) &&
2434 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2435 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2436 } else {
2437 set_bit(HCI_CONN_AUTH, &conn->flags);
2438 conn->sec_level = conn->pending_sec_level;
2439 }
2440 } else {
2441 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2442 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2443
2444 mgmt_auth_failed(conn, ev->status);
2445 }
2446
2447 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2448 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2449
2450 if (conn->state == BT_CONFIG) {
2451 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2452 struct hci_cp_set_conn_encrypt cp;
2453 cp.handle = ev->handle;
2454 cp.encrypt = 0x01;
2455 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2456 &cp);
2457 } else {
2458 conn->state = BT_CONNECTED;
2459 hci_connect_cfm(conn, ev->status);
2460 hci_conn_drop(conn);
2461 }
2462 } else {
2463 hci_auth_cfm(conn, ev->status);
2464
2465 hci_conn_hold(conn);
2466 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2467 hci_conn_drop(conn);
2468 }
2469
2470 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2471 if (!ev->status) {
2472 struct hci_cp_set_conn_encrypt cp;
2473 cp.handle = ev->handle;
2474 cp.encrypt = 0x01;
2475 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2476 &cp);
2477 } else {
2478 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2479 hci_encrypt_cfm(conn, ev->status, 0x00);
2480 }
2481 }
2482
2483unlock:
2484 hci_dev_unlock(hdev);
2485}
2486
2487static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2488{
2489 struct hci_ev_remote_name *ev = (void *) skb->data;
2490 struct hci_conn *conn;
2491
2492 BT_DBG("%s", hdev->name);
2493
2494 hci_conn_check_pending(hdev);
2495
2496 hci_dev_lock(hdev);
2497
2498 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2499
2500 if (!hci_dev_test_flag(hdev, HCI_MGMT))
2501 goto check_auth;
2502
2503 if (ev->status == 0)
2504 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2505 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2506 else
2507 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2508
2509check_auth:
2510 if (!conn)
2511 goto unlock;
2512
2513 if (!hci_outgoing_auth_needed(hdev, conn))
2514 goto unlock;
2515
2516 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2517 struct hci_cp_auth_requested cp;
2518
2519 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2520
2521 cp.handle = __cpu_to_le16(conn->handle);
2522 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2523 }
2524
2525unlock:
2526 hci_dev_unlock(hdev);
2527}
2528
2529static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2530 u16 opcode, struct sk_buff *skb)
2531{
2532 const struct hci_rp_read_enc_key_size *rp;
2533 struct hci_conn *conn;
2534 u16 handle;
2535
2536 BT_DBG("%s status 0x%02x", hdev->name, status);
2537
2538 if (!skb || skb->len < sizeof(*rp)) {
2539 bt_dev_err(hdev, "invalid read key size response");
2540 return;
2541 }
2542
2543 rp = (void *)skb->data;
2544 handle = le16_to_cpu(rp->handle);
2545
2546 hci_dev_lock(hdev);
2547
2548 conn = hci_conn_hash_lookup_handle(hdev, handle);
2549 if (!conn)
2550 goto unlock;
2551
2552 /* If we fail to read the encryption key size, assume maximum
2553 * (which is the same we do also when this HCI command isn't
2554 * supported.
2555 */
2556 if (rp->status) {
2557 bt_dev_err(hdev, "failed to read key size for handle %u",
2558 handle);
2559 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2560 } else {
2561 conn->enc_key_size = rp->key_size;
2562 }
2563
2564 if (conn->state == BT_CONFIG) {
2565 conn->state = BT_CONNECTED;
2566 hci_connect_cfm(conn, 0);
2567 hci_conn_drop(conn);
2568 } else {
2569 u8 encrypt;
2570
2571 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2572 encrypt = 0x00;
2573 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2574 encrypt = 0x02;
2575 else
2576 encrypt = 0x01;
2577
2578 hci_encrypt_cfm(conn, 0, encrypt);
2579 }
2580
2581unlock:
2582 hci_dev_unlock(hdev);
2583}
2584
2585static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2586{
2587 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2588 struct hci_conn *conn;
2589
2590 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2591
2592 hci_dev_lock(hdev);
2593
2594 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2595 if (!conn)
2596 goto unlock;
2597
2598 if (!ev->status) {
2599 if (ev->encrypt) {
2600 /* Encryption implies authentication */
2601 set_bit(HCI_CONN_AUTH, &conn->flags);
2602 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 conn->sec_level = conn->pending_sec_level;
2604
2605 /* P-256 authentication key implies FIPS */
2606 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2607 set_bit(HCI_CONN_FIPS, &conn->flags);
2608
2609 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2610 conn->type == LE_LINK)
2611 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2612 } else {
2613 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2614 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2615 }
2616 }
2617
2618 /* We should disregard the current RPA and generate a new one
2619 * whenever the encryption procedure fails.
2620 */
2621 if (ev->status && conn->type == LE_LINK)
2622 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2623
2624 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2625
2626 if (ev->status && conn->state == BT_CONNECTED) {
2627 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2628 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2629
2630 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2631 hci_conn_drop(conn);
2632 goto unlock;
2633 }
2634
2635 /* In Secure Connections Only mode, do not allow any connections
2636 * that are not encrypted with AES-CCM using a P-256 authenticated
2637 * combination key.
2638 */
2639 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2640 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2641 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2642 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2643 hci_conn_drop(conn);
2644 goto unlock;
2645 }
2646
2647 /* Try reading the encryption key size for encrypted ACL links */
2648 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2649 struct hci_cp_read_enc_key_size cp;
2650 struct hci_request req;
2651
2652 /* Only send HCI_Read_Encryption_Key_Size if the
2653 * controller really supports it. If it doesn't, assume
2654 * the default size (16).
2655 */
2656 if (!(hdev->commands[20] & 0x10)) {
2657 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2658 goto notify;
2659 }
2660
2661 hci_req_init(&req, hdev);
2662
2663 cp.handle = cpu_to_le16(conn->handle);
2664 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2665
2666 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2667 bt_dev_err(hdev, "sending read key size failed");
2668 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2669 goto notify;
2670 }
2671
2672 goto unlock;
2673 }
2674
2675notify:
2676 if (conn->state == BT_CONFIG) {
2677 if (!ev->status)
2678 conn->state = BT_CONNECTED;
2679
2680 hci_connect_cfm(conn, ev->status);
2681 hci_conn_drop(conn);
2682 } else
2683 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2684
2685unlock:
2686 hci_dev_unlock(hdev);
2687}
2688
2689static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2690 struct sk_buff *skb)
2691{
2692 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2693 struct hci_conn *conn;
2694
2695 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2696
2697 hci_dev_lock(hdev);
2698
2699 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2700 if (conn) {
2701 if (!ev->status)
2702 set_bit(HCI_CONN_SECURE, &conn->flags);
2703
2704 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2705
2706 hci_key_change_cfm(conn, ev->status);
2707 }
2708
2709 hci_dev_unlock(hdev);
2710}
2711
2712static void hci_remote_features_evt(struct hci_dev *hdev,
2713 struct sk_buff *skb)
2714{
2715 struct hci_ev_remote_features *ev = (void *) skb->data;
2716 struct hci_conn *conn;
2717
2718 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2719
2720 hci_dev_lock(hdev);
2721
2722 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2723 if (!conn)
2724 goto unlock;
2725
2726 if (!ev->status)
2727 memcpy(conn->features[0], ev->features, 8);
2728
2729 if (conn->state != BT_CONFIG)
2730 goto unlock;
2731
2732 if (!ev->status && lmp_ext_feat_capable(hdev) &&
2733 lmp_ext_feat_capable(conn)) {
2734 struct hci_cp_read_remote_ext_features cp;
2735 cp.handle = ev->handle;
2736 cp.page = 0x01;
2737 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2738 sizeof(cp), &cp);
2739 goto unlock;
2740 }
2741
2742 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2743 struct hci_cp_remote_name_req cp;
2744 memset(&cp, 0, sizeof(cp));
2745 bacpy(&cp.bdaddr, &conn->dst);
2746 cp.pscan_rep_mode = 0x02;
2747 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2748 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2749 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2750
2751 if (!hci_outgoing_auth_needed(hdev, conn)) {
2752 conn->state = BT_CONNECTED;
2753 hci_connect_cfm(conn, ev->status);
2754 hci_conn_drop(conn);
2755 }
2756
2757unlock:
2758 hci_dev_unlock(hdev);
2759}
2760
2761static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2762 u16 *opcode, u8 *status,
2763 hci_req_complete_t *req_complete,
2764 hci_req_complete_skb_t *req_complete_skb)
2765{
2766 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2767
2768 *opcode = __le16_to_cpu(ev->opcode);
2769 *status = skb->data[sizeof(*ev)];
2770
2771 skb_pull(skb, sizeof(*ev));
2772
2773 switch (*opcode) {
2774 case HCI_OP_INQUIRY_CANCEL:
2775 hci_cc_inquiry_cancel(hdev, skb);
2776 break;
2777
2778 case HCI_OP_PERIODIC_INQ:
2779 hci_cc_periodic_inq(hdev, skb);
2780 break;
2781
2782 case HCI_OP_EXIT_PERIODIC_INQ:
2783 hci_cc_exit_periodic_inq(hdev, skb);
2784 break;
2785
2786 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2787 hci_cc_remote_name_req_cancel(hdev, skb);
2788 break;
2789
2790 case HCI_OP_ROLE_DISCOVERY:
2791 hci_cc_role_discovery(hdev, skb);
2792 break;
2793
2794 case HCI_OP_READ_LINK_POLICY:
2795 hci_cc_read_link_policy(hdev, skb);
2796 break;
2797
2798 case HCI_OP_WRITE_LINK_POLICY:
2799 hci_cc_write_link_policy(hdev, skb);
2800 break;
2801
2802 case HCI_OP_READ_DEF_LINK_POLICY:
2803 hci_cc_read_def_link_policy(hdev, skb);
2804 break;
2805
2806 case HCI_OP_WRITE_DEF_LINK_POLICY:
2807 hci_cc_write_def_link_policy(hdev, skb);
2808 break;
2809
2810 case HCI_OP_RESET:
2811 hci_cc_reset(hdev, skb);
2812 break;
2813
2814 case HCI_OP_READ_STORED_LINK_KEY:
2815 hci_cc_read_stored_link_key(hdev, skb);
2816 break;
2817
2818 case HCI_OP_DELETE_STORED_LINK_KEY:
2819 hci_cc_delete_stored_link_key(hdev, skb);
2820 break;
2821
2822 case HCI_OP_WRITE_LOCAL_NAME:
2823 hci_cc_write_local_name(hdev, skb);
2824 break;
2825
2826 case HCI_OP_READ_LOCAL_NAME:
2827 hci_cc_read_local_name(hdev, skb);
2828 break;
2829
2830 case HCI_OP_WRITE_AUTH_ENABLE:
2831 hci_cc_write_auth_enable(hdev, skb);
2832 break;
2833
2834 case HCI_OP_WRITE_ENCRYPT_MODE:
2835 hci_cc_write_encrypt_mode(hdev, skb);
2836 break;
2837
2838 case HCI_OP_WRITE_SCAN_ENABLE:
2839 hci_cc_write_scan_enable(hdev, skb);
2840 break;
2841
2842 case HCI_OP_READ_CLASS_OF_DEV:
2843 hci_cc_read_class_of_dev(hdev, skb);
2844 break;
2845
2846 case HCI_OP_WRITE_CLASS_OF_DEV:
2847 hci_cc_write_class_of_dev(hdev, skb);
2848 break;
2849
2850 case HCI_OP_READ_VOICE_SETTING:
2851 hci_cc_read_voice_setting(hdev, skb);
2852 break;
2853
2854 case HCI_OP_WRITE_VOICE_SETTING:
2855 hci_cc_write_voice_setting(hdev, skb);
2856 break;
2857
2858 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2859 hci_cc_read_num_supported_iac(hdev, skb);
2860 break;
2861
2862 case HCI_OP_WRITE_SSP_MODE:
2863 hci_cc_write_ssp_mode(hdev, skb);
2864 break;
2865
2866 case HCI_OP_WRITE_SC_SUPPORT:
2867 hci_cc_write_sc_support(hdev, skb);
2868 break;
2869
2870 case HCI_OP_READ_LOCAL_VERSION:
2871 hci_cc_read_local_version(hdev, skb);
2872 break;
2873
2874 case HCI_OP_READ_LOCAL_COMMANDS:
2875 hci_cc_read_local_commands(hdev, skb);
2876 break;
2877
2878 case HCI_OP_READ_LOCAL_FEATURES:
2879 hci_cc_read_local_features(hdev, skb);
2880 break;
2881
2882 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2883 hci_cc_read_local_ext_features(hdev, skb);
2884 break;
2885
2886 case HCI_OP_READ_BUFFER_SIZE:
2887 hci_cc_read_buffer_size(hdev, skb);
2888 break;
2889
2890 case HCI_OP_READ_BD_ADDR:
2891 hci_cc_read_bd_addr(hdev, skb);
2892 break;
2893
2894 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2895 hci_cc_read_page_scan_activity(hdev, skb);
2896 break;
2897
2898 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2899 hci_cc_write_page_scan_activity(hdev, skb);
2900 break;
2901
2902 case HCI_OP_READ_PAGE_SCAN_TYPE:
2903 hci_cc_read_page_scan_type(hdev, skb);
2904 break;
2905
2906 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2907 hci_cc_write_page_scan_type(hdev, skb);
2908 break;
2909
2910 case HCI_OP_READ_DATA_BLOCK_SIZE:
2911 hci_cc_read_data_block_size(hdev, skb);
2912 break;
2913
2914 case HCI_OP_READ_FLOW_CONTROL_MODE:
2915 hci_cc_read_flow_control_mode(hdev, skb);
2916 break;
2917
2918 case HCI_OP_READ_LOCAL_AMP_INFO:
2919 hci_cc_read_local_amp_info(hdev, skb);
2920 break;
2921
2922 case HCI_OP_READ_CLOCK:
2923 hci_cc_read_clock(hdev, skb);
2924 break;
2925
2926 case HCI_OP_READ_INQ_RSP_TX_POWER:
2927 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2928 break;
2929
2930 case HCI_OP_PIN_CODE_REPLY:
2931 hci_cc_pin_code_reply(hdev, skb);
2932 break;
2933
2934 case HCI_OP_PIN_CODE_NEG_REPLY:
2935 hci_cc_pin_code_neg_reply(hdev, skb);
2936 break;
2937
2938 case HCI_OP_READ_LOCAL_OOB_DATA:
2939 hci_cc_read_local_oob_data(hdev, skb);
2940 break;
2941
2942 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2943 hci_cc_read_local_oob_ext_data(hdev, skb);
2944 break;
2945
2946 case HCI_OP_LE_READ_BUFFER_SIZE:
2947 hci_cc_le_read_buffer_size(hdev, skb);
2948 break;
2949
2950 case HCI_OP_LE_READ_LOCAL_FEATURES:
2951 hci_cc_le_read_local_features(hdev, skb);
2952 break;
2953
2954 case HCI_OP_LE_READ_ADV_TX_POWER:
2955 hci_cc_le_read_adv_tx_power(hdev, skb);
2956 break;
2957
2958 case HCI_OP_USER_CONFIRM_REPLY:
2959 hci_cc_user_confirm_reply(hdev, skb);
2960 break;
2961
2962 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2963 hci_cc_user_confirm_neg_reply(hdev, skb);
2964 break;
2965
2966 case HCI_OP_USER_PASSKEY_REPLY:
2967 hci_cc_user_passkey_reply(hdev, skb);
2968 break;
2969
2970 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2971 hci_cc_user_passkey_neg_reply(hdev, skb);
2972 break;
2973
2974 case HCI_OP_LE_SET_RANDOM_ADDR:
2975 hci_cc_le_set_random_addr(hdev, skb);
2976 break;
2977
2978 case HCI_OP_LE_SET_ADV_ENABLE:
2979 hci_cc_le_set_adv_enable(hdev, skb);
2980 break;
2981
2982 case HCI_OP_LE_SET_SCAN_PARAM:
2983 hci_cc_le_set_scan_param(hdev, skb);
2984 break;
2985
2986 case HCI_OP_LE_SET_SCAN_ENABLE:
2987 hci_cc_le_set_scan_enable(hdev, skb);
2988 break;
2989
2990 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2991 hci_cc_le_read_white_list_size(hdev, skb);
2992 break;
2993
2994 case HCI_OP_LE_CLEAR_WHITE_LIST:
2995 hci_cc_le_clear_white_list(hdev, skb);
2996 break;
2997
2998 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2999 hci_cc_le_add_to_white_list(hdev, skb);
3000 break;
3001
3002 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3003 hci_cc_le_del_from_white_list(hdev, skb);
3004 break;
3005
3006 case HCI_OP_LE_READ_SUPPORTED_STATES:
3007 hci_cc_le_read_supported_states(hdev, skb);
3008 break;
3009
3010 case HCI_OP_LE_READ_DEF_DATA_LEN:
3011 hci_cc_le_read_def_data_len(hdev, skb);
3012 break;
3013
3014 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3015 hci_cc_le_write_def_data_len(hdev, skb);
3016 break;
3017
3018 case HCI_OP_LE_READ_MAX_DATA_LEN:
3019 hci_cc_le_read_max_data_len(hdev, skb);
3020 break;
3021
3022 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3023 hci_cc_write_le_host_supported(hdev, skb);
3024 break;
3025
3026 case HCI_OP_LE_SET_ADV_PARAM:
3027 hci_cc_set_adv_param(hdev, skb);
3028 break;
3029
3030 case HCI_OP_READ_RSSI:
3031 hci_cc_read_rssi(hdev, skb);
3032 break;
3033
3034 case HCI_OP_READ_TX_POWER:
3035 hci_cc_read_tx_power(hdev, skb);
3036 break;
3037
3038 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3039 hci_cc_write_ssp_debug_mode(hdev, skb);
3040 break;
3041
3042 default:
3043 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3044 break;
3045 }
3046
3047 if (*opcode != HCI_OP_NOP)
3048 cancel_delayed_work(&hdev->cmd_timer);
3049
3050 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3051 atomic_set(&hdev->cmd_cnt, 1);
3052
3053 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3054 req_complete_skb);
3055
3056 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3057 queue_work(hdev->workqueue, &hdev->cmd_work);
3058}
3059
3060static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3061 u16 *opcode, u8 *status,
3062 hci_req_complete_t *req_complete,
3063 hci_req_complete_skb_t *req_complete_skb)
3064{
3065 struct hci_ev_cmd_status *ev = (void *) skb->data;
3066
3067 skb_pull(skb, sizeof(*ev));
3068
3069 *opcode = __le16_to_cpu(ev->opcode);
3070 *status = ev->status;
3071
3072 switch (*opcode) {
3073 case HCI_OP_INQUIRY:
3074 hci_cs_inquiry(hdev, ev->status);
3075 break;
3076
3077 case HCI_OP_CREATE_CONN:
3078 hci_cs_create_conn(hdev, ev->status);
3079 break;
3080
3081 case HCI_OP_DISCONNECT:
3082 hci_cs_disconnect(hdev, ev->status);
3083 break;
3084
3085 case HCI_OP_ADD_SCO:
3086 hci_cs_add_sco(hdev, ev->status);
3087 break;
3088
3089 case HCI_OP_AUTH_REQUESTED:
3090 hci_cs_auth_requested(hdev, ev->status);
3091 break;
3092
3093 case HCI_OP_SET_CONN_ENCRYPT:
3094 hci_cs_set_conn_encrypt(hdev, ev->status);
3095 break;
3096
3097 case HCI_OP_REMOTE_NAME_REQ:
3098 hci_cs_remote_name_req(hdev, ev->status);
3099 break;
3100
3101 case HCI_OP_READ_REMOTE_FEATURES:
3102 hci_cs_read_remote_features(hdev, ev->status);
3103 break;
3104
3105 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3106 hci_cs_read_remote_ext_features(hdev, ev->status);
3107 break;
3108
3109 case HCI_OP_SETUP_SYNC_CONN:
3110 hci_cs_setup_sync_conn(hdev, ev->status);
3111 break;
3112
3113 case HCI_OP_SNIFF_MODE:
3114 hci_cs_sniff_mode(hdev, ev->status);
3115 break;
3116
3117 case HCI_OP_EXIT_SNIFF_MODE:
3118 hci_cs_exit_sniff_mode(hdev, ev->status);
3119 break;
3120
3121 case HCI_OP_SWITCH_ROLE:
3122 hci_cs_switch_role(hdev, ev->status);
3123 break;
3124
3125 case HCI_OP_LE_CREATE_CONN:
3126 hci_cs_le_create_conn(hdev, ev->status);
3127 break;
3128
3129 case HCI_OP_LE_READ_REMOTE_FEATURES:
3130 hci_cs_le_read_remote_features(hdev, ev->status);
3131 break;
3132
3133 case HCI_OP_LE_START_ENC:
3134 hci_cs_le_start_enc(hdev, ev->status);
3135 break;
3136
3137 default:
3138 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3139 break;
3140 }
3141
3142 if (*opcode != HCI_OP_NOP)
3143 cancel_delayed_work(&hdev->cmd_timer);
3144
3145 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3146 atomic_set(&hdev->cmd_cnt, 1);
3147
3148 /* Indicate request completion if the command failed. Also, if
3149 * we're not waiting for a special event and we get a success
3150 * command status we should try to flag the request as completed
3151 * (since for this kind of commands there will not be a command
3152 * complete event).
3153 */
3154 if (ev->status ||
3155 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3156 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3157 req_complete_skb);
3158
3159 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3160 queue_work(hdev->workqueue, &hdev->cmd_work);
3161}
3162
3163static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3164{
3165 struct hci_ev_hardware_error *ev = (void *) skb->data;
3166
3167 hdev->hw_error_code = ev->code;
3168
3169 queue_work(hdev->req_workqueue, &hdev->error_reset);
3170}
3171
3172static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3173{
3174 struct hci_ev_role_change *ev = (void *) skb->data;
3175 struct hci_conn *conn;
3176
3177 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3178
3179 hci_dev_lock(hdev);
3180
3181 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3182 if (conn) {
3183 if (!ev->status)
3184 conn->role = ev->role;
3185
3186 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3187
3188 hci_role_switch_cfm(conn, ev->status, ev->role);
3189 }
3190
3191 hci_dev_unlock(hdev);
3192}
3193
3194static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3195{
3196 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3197 int i;
3198
3199 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3200 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3201 return;
3202 }
3203
3204 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3205 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3206 BT_DBG("%s bad parameters", hdev->name);
3207 return;
3208 }
3209
3210 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3211
3212 for (i = 0; i < ev->num_hndl; i++) {
3213 struct hci_comp_pkts_info *info = &ev->handles[i];
3214 struct hci_conn *conn;
3215 __u16 handle, count;
3216
3217 handle = __le16_to_cpu(info->handle);
3218 count = __le16_to_cpu(info->count);
3219
3220 conn = hci_conn_hash_lookup_handle(hdev, handle);
3221 if (!conn)
3222 continue;
3223
3224 conn->sent -= count;
3225
3226 switch (conn->type) {
3227 case ACL_LINK:
3228 hdev->acl_cnt += count;
3229 if (hdev->acl_cnt > hdev->acl_pkts)
3230 hdev->acl_cnt = hdev->acl_pkts;
3231 break;
3232
3233 case LE_LINK:
3234 if (hdev->le_pkts) {
3235 hdev->le_cnt += count;
3236 if (hdev->le_cnt > hdev->le_pkts)
3237 hdev->le_cnt = hdev->le_pkts;
3238 } else {
3239 hdev->acl_cnt += count;
3240 if (hdev->acl_cnt > hdev->acl_pkts)
3241 hdev->acl_cnt = hdev->acl_pkts;
3242 }
3243 break;
3244
3245 case SCO_LINK:
3246 hdev->sco_cnt += count;
3247 if (hdev->sco_cnt > hdev->sco_pkts)
3248 hdev->sco_cnt = hdev->sco_pkts;
3249 break;
3250
3251 default:
3252 bt_dev_err(hdev, "unknown type %d conn %p",
3253 conn->type, conn);
3254 break;
3255 }
3256 }
3257
3258 queue_work(hdev->workqueue, &hdev->tx_work);
3259}
3260
3261static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3262 __u16 handle)
3263{
3264 struct hci_chan *chan;
3265
3266 switch (hdev->dev_type) {
3267 case HCI_PRIMARY:
3268 return hci_conn_hash_lookup_handle(hdev, handle);
3269 case HCI_AMP:
3270 chan = hci_chan_lookup_handle(hdev, handle);
3271 if (chan)
3272 return chan->conn;
3273 break;
3274 default:
3275 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3276 break;
3277 }
3278
3279 return NULL;
3280}
3281
3282static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3283{
3284 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3285 int i;
3286
3287 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3288 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3289 return;
3290 }
3291
3292 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3293 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3294 BT_DBG("%s bad parameters", hdev->name);
3295 return;
3296 }
3297
3298 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3299 ev->num_hndl);
3300
3301 for (i = 0; i < ev->num_hndl; i++) {
3302 struct hci_comp_blocks_info *info = &ev->handles[i];
3303 struct hci_conn *conn = NULL;
3304 __u16 handle, block_count;
3305
3306 handle = __le16_to_cpu(info->handle);
3307 block_count = __le16_to_cpu(info->blocks);
3308
3309 conn = __hci_conn_lookup_handle(hdev, handle);
3310 if (!conn)
3311 continue;
3312
3313 conn->sent -= block_count;
3314
3315 switch (conn->type) {
3316 case ACL_LINK:
3317 case AMP_LINK:
3318 hdev->block_cnt += block_count;
3319 if (hdev->block_cnt > hdev->num_blocks)
3320 hdev->block_cnt = hdev->num_blocks;
3321 break;
3322
3323 default:
3324 bt_dev_err(hdev, "unknown type %d conn %p",
3325 conn->type, conn);
3326 break;
3327 }
3328 }
3329
3330 queue_work(hdev->workqueue, &hdev->tx_work);
3331}
3332
3333static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3334{
3335 struct hci_ev_mode_change *ev = (void *) skb->data;
3336 struct hci_conn *conn;
3337
3338 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3339
3340 hci_dev_lock(hdev);
3341
3342 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3343 if (conn) {
3344 conn->mode = ev->mode;
3345
3346 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3347 &conn->flags)) {
3348 if (conn->mode == HCI_CM_ACTIVE)
3349 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3350 else
3351 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3352 }
3353
3354 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3355 hci_sco_setup(conn, ev->status);
3356 }
3357
3358 hci_dev_unlock(hdev);
3359}
3360
3361static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3362{
3363 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3364 struct hci_conn *conn;
3365
3366 BT_DBG("%s", hdev->name);
3367
3368 hci_dev_lock(hdev);
3369
3370 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3371 if (!conn)
3372 goto unlock;
3373
3374 if (conn->state == BT_CONNECTED) {
3375 hci_conn_hold(conn);
3376 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3377 hci_conn_drop(conn);
3378 }
3379
3380 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3381 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3382 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3383 sizeof(ev->bdaddr), &ev->bdaddr);
3384 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3385 u8 secure;
3386
3387 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3388 secure = 1;
3389 else
3390 secure = 0;
3391
3392 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3393 }
3394
3395unlock:
3396 hci_dev_unlock(hdev);
3397}
3398
3399static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3400{
3401 if (key_type == HCI_LK_CHANGED_COMBINATION)
3402 return;
3403
3404 conn->pin_length = pin_len;
3405 conn->key_type = key_type;
3406
3407 switch (key_type) {
3408 case HCI_LK_LOCAL_UNIT:
3409 case HCI_LK_REMOTE_UNIT:
3410 case HCI_LK_DEBUG_COMBINATION:
3411 return;
3412 case HCI_LK_COMBINATION:
3413 if (pin_len == 16)
3414 conn->pending_sec_level = BT_SECURITY_HIGH;
3415 else
3416 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3417 break;
3418 case HCI_LK_UNAUTH_COMBINATION_P192:
3419 case HCI_LK_UNAUTH_COMBINATION_P256:
3420 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3421 break;
3422 case HCI_LK_AUTH_COMBINATION_P192:
3423 conn->pending_sec_level = BT_SECURITY_HIGH;
3424 break;
3425 case HCI_LK_AUTH_COMBINATION_P256:
3426 conn->pending_sec_level = BT_SECURITY_FIPS;
3427 break;
3428 }
3429}
3430
3431static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3432{
3433 struct hci_ev_link_key_req *ev = (void *) skb->data;
3434 struct hci_cp_link_key_reply cp;
3435 struct hci_conn *conn;
3436 struct link_key *key;
3437
3438 BT_DBG("%s", hdev->name);
3439
3440 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3441 return;
3442
3443 hci_dev_lock(hdev);
3444
3445 key = hci_find_link_key(hdev, &ev->bdaddr);
3446 if (!key) {
3447 BT_DBG("%s link key not found for %pMR", hdev->name,
3448 &ev->bdaddr);
3449 goto not_found;
3450 }
3451
3452 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3453 &ev->bdaddr);
3454
3455 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3456 if (conn) {
3457 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3458
3459 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3460 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3461 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3462 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3463 goto not_found;
3464 }
3465
3466 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3467 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3468 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3469 BT_DBG("%s ignoring key unauthenticated for high security",
3470 hdev->name);
3471 goto not_found;
3472 }
3473
3474 conn_set_key(conn, key->type, key->pin_len);
3475 }
3476
3477 bacpy(&cp.bdaddr, &ev->bdaddr);
3478 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3479
3480 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3481
3482 hci_dev_unlock(hdev);
3483
3484 return;
3485
3486not_found:
3487 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3488 hci_dev_unlock(hdev);
3489}
3490
3491static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3492{
3493 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3494 struct hci_conn *conn;
3495 struct link_key *key;
3496 bool persistent;
3497 u8 pin_len = 0;
3498
3499 BT_DBG("%s", hdev->name);
3500
3501 hci_dev_lock(hdev);
3502
3503 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3504 if (!conn)
3505 goto unlock;
3506
3507 hci_conn_hold(conn);
3508 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3509 hci_conn_drop(conn);
3510
3511 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3512 conn_set_key(conn, ev->key_type, conn->pin_length);
3513
3514 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3515 goto unlock;
3516
3517 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3518 ev->key_type, pin_len, &persistent);
3519 if (!key)
3520 goto unlock;
3521
3522 /* Update connection information since adding the key will have
3523 * fixed up the type in the case of changed combination keys.
3524 */
3525 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3526 conn_set_key(conn, key->type, key->pin_len);
3527
3528 mgmt_new_link_key(hdev, key, persistent);
3529
3530 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3531 * is set. If it's not set simply remove the key from the kernel
3532 * list (we've still notified user space about it but with
3533 * store_hint being 0).
3534 */
3535 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3536 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3537 list_del_rcu(&key->list);
3538 kfree_rcu(key, rcu);
3539 goto unlock;
3540 }
3541
3542 if (persistent)
3543 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3544 else
3545 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3546
3547unlock:
3548 hci_dev_unlock(hdev);
3549}
3550
3551static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3552{
3553 struct hci_ev_clock_offset *ev = (void *) skb->data;
3554 struct hci_conn *conn;
3555
3556 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3557
3558 hci_dev_lock(hdev);
3559
3560 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3561 if (conn && !ev->status) {
3562 struct inquiry_entry *ie;
3563
3564 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3565 if (ie) {
3566 ie->data.clock_offset = ev->clock_offset;
3567 ie->timestamp = jiffies;
3568 }
3569 }
3570
3571 hci_dev_unlock(hdev);
3572}
3573
3574static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3575{
3576 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3577 struct hci_conn *conn;
3578
3579 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3580
3581 hci_dev_lock(hdev);
3582
3583 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3584 if (conn && !ev->status)
3585 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3586
3587 hci_dev_unlock(hdev);
3588}
3589
3590static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3591{
3592 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3593 struct inquiry_entry *ie;
3594
3595 BT_DBG("%s", hdev->name);
3596
3597 hci_dev_lock(hdev);
3598
3599 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3600 if (ie) {
3601 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3602 ie->timestamp = jiffies;
3603 }
3604
3605 hci_dev_unlock(hdev);
3606}
3607
3608static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3609 struct sk_buff *skb)
3610{
3611 struct inquiry_data data;
3612 int num_rsp = *((__u8 *) skb->data);
3613
3614 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3615
3616 if (!num_rsp)
3617 return;
3618
3619 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3620 return;
3621
3622 hci_dev_lock(hdev);
3623
3624 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3625 struct inquiry_info_with_rssi_and_pscan_mode *info;
3626 info = (void *) (skb->data + 1);
3627
3628 for (; num_rsp; num_rsp--, info++) {
3629 u32 flags;
3630
3631 bacpy(&data.bdaddr, &info->bdaddr);
3632 data.pscan_rep_mode = info->pscan_rep_mode;
3633 data.pscan_period_mode = info->pscan_period_mode;
3634 data.pscan_mode = info->pscan_mode;
3635 memcpy(data.dev_class, info->dev_class, 3);
3636 data.clock_offset = info->clock_offset;
3637 data.rssi = info->rssi;
3638 data.ssp_mode = 0x00;
3639
3640 flags = hci_inquiry_cache_update(hdev, &data, false);
3641
3642 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3643 info->dev_class, info->rssi,
3644 flags, NULL, 0, NULL, 0);
3645 }
3646 } else {
3647 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3648
3649 for (; num_rsp; num_rsp--, info++) {
3650 u32 flags;
3651
3652 bacpy(&data.bdaddr, &info->bdaddr);
3653 data.pscan_rep_mode = info->pscan_rep_mode;
3654 data.pscan_period_mode = info->pscan_period_mode;
3655 data.pscan_mode = 0x00;
3656 memcpy(data.dev_class, info->dev_class, 3);
3657 data.clock_offset = info->clock_offset;
3658 data.rssi = info->rssi;
3659 data.ssp_mode = 0x00;
3660
3661 flags = hci_inquiry_cache_update(hdev, &data, false);
3662
3663 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3664 info->dev_class, info->rssi,
3665 flags, NULL, 0, NULL, 0);
3666 }
3667 }
3668
3669 hci_dev_unlock(hdev);
3670}
3671
3672static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3673 struct sk_buff *skb)
3674{
3675 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3676 struct hci_conn *conn;
3677
3678 BT_DBG("%s", hdev->name);
3679
3680 hci_dev_lock(hdev);
3681
3682 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3683 if (!conn)
3684 goto unlock;
3685
3686 if (ev->page < HCI_MAX_PAGES)
3687 memcpy(conn->features[ev->page], ev->features, 8);
3688
3689 if (!ev->status && ev->page == 0x01) {
3690 struct inquiry_entry *ie;
3691
3692 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3693 if (ie)
3694 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3695
3696 if (ev->features[0] & LMP_HOST_SSP) {
3697 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3698 } else {
3699 /* It is mandatory by the Bluetooth specification that
3700 * Extended Inquiry Results are only used when Secure
3701 * Simple Pairing is enabled, but some devices violate
3702 * this.
3703 *
3704 * To make these devices work, the internal SSP
3705 * enabled flag needs to be cleared if the remote host
3706 * features do not indicate SSP support */
3707 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3708 }
3709
3710 if (ev->features[0] & LMP_HOST_SC)
3711 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3712 }
3713
3714 if (conn->state != BT_CONFIG)
3715 goto unlock;
3716
3717 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3718 struct hci_cp_remote_name_req cp;
3719 memset(&cp, 0, sizeof(cp));
3720 bacpy(&cp.bdaddr, &conn->dst);
3721 cp.pscan_rep_mode = 0x02;
3722 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3723 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3724 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3725
3726 if (!hci_outgoing_auth_needed(hdev, conn)) {
3727 conn->state = BT_CONNECTED;
3728 hci_connect_cfm(conn, ev->status);
3729 hci_conn_drop(conn);
3730 }
3731
3732unlock:
3733 hci_dev_unlock(hdev);
3734}
3735
3736static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3737 struct sk_buff *skb)
3738{
3739 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3740 struct hci_conn *conn;
3741
3742 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3743
3744 hci_dev_lock(hdev);
3745
3746 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3747 if (!conn) {
3748 if (ev->link_type == ESCO_LINK)
3749 goto unlock;
3750
3751 /* When the link type in the event indicates SCO connection
3752 * and lookup of the connection object fails, then check
3753 * if an eSCO connection object exists.
3754 *
3755 * The core limits the synchronous connections to either
3756 * SCO or eSCO. The eSCO connection is preferred and tried
3757 * to be setup first and until successfully established,
3758 * the link type will be hinted as eSCO.
3759 */
3760 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3761 if (!conn)
3762 goto unlock;
3763 }
3764
3765 switch (ev->status) {
3766 case 0x00:
3767 conn->handle = __le16_to_cpu(ev->handle);
3768 conn->state = BT_CONNECTED;
3769 conn->type = ev->link_type;
3770
3771 hci_debugfs_create_conn(conn);
3772 hci_conn_add_sysfs(conn);
3773 break;
3774
3775 case 0x10: /* Connection Accept Timeout */
3776 case 0x0d: /* Connection Rejected due to Limited Resources */
3777 case 0x11: /* Unsupported Feature or Parameter Value */
3778 case 0x1c: /* SCO interval rejected */
3779 case 0x1a: /* Unsupported Remote Feature */
3780 case 0x1f: /* Unspecified error */
3781 case 0x20: /* Unsupported LMP Parameter value */
3782 if (conn->out) {
3783 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3784 (hdev->esco_type & EDR_ESCO_MASK);
3785 if (hci_setup_sync(conn, conn->link->handle))
3786 goto unlock;
3787 }
3788 /* fall through */
3789
3790 default:
3791 conn->state = BT_CLOSED;
3792 break;
3793 }
3794
3795 hci_connect_cfm(conn, ev->status);
3796 if (ev->status)
3797 hci_conn_del(conn);
3798
3799unlock:
3800 hci_dev_unlock(hdev);
3801}
3802
3803static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3804{
3805 size_t parsed = 0;
3806
3807 while (parsed < eir_len) {
3808 u8 field_len = eir[0];
3809
3810 if (field_len == 0)
3811 return parsed;
3812
3813 parsed += field_len + 1;
3814 eir += field_len + 1;
3815 }
3816
3817 return eir_len;
3818}
3819
3820static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3821 struct sk_buff *skb)
3822{
3823 struct inquiry_data data;
3824 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3825 int num_rsp = *((__u8 *) skb->data);
3826 size_t eir_len;
3827
3828 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3829
3830 if (!num_rsp)
3831 return;
3832
3833 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3834 return;
3835
3836 hci_dev_lock(hdev);
3837
3838 for (; num_rsp; num_rsp--, info++) {
3839 u32 flags;
3840 bool name_known;
3841
3842 bacpy(&data.bdaddr, &info->bdaddr);
3843 data.pscan_rep_mode = info->pscan_rep_mode;
3844 data.pscan_period_mode = info->pscan_period_mode;
3845 data.pscan_mode = 0x00;
3846 memcpy(data.dev_class, info->dev_class, 3);
3847 data.clock_offset = info->clock_offset;
3848 data.rssi = info->rssi;
3849 data.ssp_mode = 0x01;
3850
3851 if (hci_dev_test_flag(hdev, HCI_MGMT))
3852 name_known = eir_get_data(info->data,
3853 sizeof(info->data),
3854 EIR_NAME_COMPLETE, NULL);
3855 else
3856 name_known = true;
3857
3858 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3859
3860 eir_len = eir_get_length(info->data, sizeof(info->data));
3861
3862 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3863 info->dev_class, info->rssi,
3864 flags, info->data, eir_len, NULL, 0);
3865 }
3866
3867 hci_dev_unlock(hdev);
3868}
3869
3870static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3871 struct sk_buff *skb)
3872{
3873 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3874 struct hci_conn *conn;
3875
3876 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3877 __le16_to_cpu(ev->handle));
3878
3879 hci_dev_lock(hdev);
3880
3881 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3882 if (!conn)
3883 goto unlock;
3884
3885 /* For BR/EDR the necessary steps are taken through the
3886 * auth_complete event.
3887 */
3888 if (conn->type != LE_LINK)
3889 goto unlock;
3890
3891 if (!ev->status)
3892 conn->sec_level = conn->pending_sec_level;
3893
3894 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3895
3896 if (ev->status && conn->state == BT_CONNECTED) {
3897 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3898 hci_conn_drop(conn);
3899 goto unlock;
3900 }
3901
3902 if (conn->state == BT_CONFIG) {
3903 if (!ev->status)
3904 conn->state = BT_CONNECTED;
3905
3906 hci_connect_cfm(conn, ev->status);
3907 hci_conn_drop(conn);
3908 } else {
3909 hci_auth_cfm(conn, ev->status);
3910
3911 hci_conn_hold(conn);
3912 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3913 hci_conn_drop(conn);
3914 }
3915
3916unlock:
3917 hci_dev_unlock(hdev);
3918}
3919
3920static u8 hci_get_auth_req(struct hci_conn *conn)
3921{
3922 /* If remote requests no-bonding follow that lead */
3923 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3924 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3925 return conn->remote_auth | (conn->auth_type & 0x01);
3926
3927 /* If both remote and local have enough IO capabilities, require
3928 * MITM protection
3929 */
3930 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3931 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3932 return conn->remote_auth | 0x01;
3933
3934 /* No MITM protection possible so ignore remote requirement */
3935 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3936}
3937
3938static u8 bredr_oob_data_present(struct hci_conn *conn)
3939{
3940 struct hci_dev *hdev = conn->hdev;
3941 struct oob_data *data;
3942
3943 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3944 if (!data)
3945 return 0x00;
3946
3947 if (bredr_sc_enabled(hdev)) {
3948 /* When Secure Connections is enabled, then just
3949 * return the present value stored with the OOB
3950 * data. The stored value contains the right present
3951 * information. However it can only be trusted when
3952 * not in Secure Connection Only mode.
3953 */
3954 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3955 return data->present;
3956
3957 /* When Secure Connections Only mode is enabled, then
3958 * the P-256 values are required. If they are not
3959 * available, then do not declare that OOB data is
3960 * present.
3961 */
3962 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3963 !memcmp(data->hash256, ZERO_KEY, 16))
3964 return 0x00;
3965
3966 return 0x02;
3967 }
3968
3969 /* When Secure Connections is not enabled or actually
3970 * not supported by the hardware, then check that if
3971 * P-192 data values are present.
3972 */
3973 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3974 !memcmp(data->hash192, ZERO_KEY, 16))
3975 return 0x00;
3976
3977 return 0x01;
3978}
3979
3980static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3981{
3982 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3983 struct hci_conn *conn;
3984
3985 BT_DBG("%s", hdev->name);
3986
3987 hci_dev_lock(hdev);
3988
3989 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3990 if (!conn)
3991 goto unlock;
3992
3993 hci_conn_hold(conn);
3994
3995 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3996 goto unlock;
3997
3998 /* Allow pairing if we're pairable, the initiators of the
3999 * pairing or if the remote is not requesting bonding.
4000 */
4001 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4002 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4003 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4004 struct hci_cp_io_capability_reply cp;
4005
4006 bacpy(&cp.bdaddr, &ev->bdaddr);
4007 /* Change the IO capability from KeyboardDisplay
4008 * to DisplayYesNo as it is not supported by BT spec. */
4009 cp.capability = (conn->io_capability == 0x04) ?
4010 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4011
4012 /* If we are initiators, there is no remote information yet */
4013 if (conn->remote_auth == 0xff) {
4014 /* Request MITM protection if our IO caps allow it
4015 * except for the no-bonding case.
4016 */
4017 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4018 conn->auth_type != HCI_AT_NO_BONDING)
4019 conn->auth_type |= 0x01;
4020 } else {
4021 conn->auth_type = hci_get_auth_req(conn);
4022 }
4023
4024 /* If we're not bondable, force one of the non-bondable
4025 * authentication requirement values.
4026 */
4027 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4028 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4029
4030 cp.authentication = conn->auth_type;
4031 cp.oob_data = bredr_oob_data_present(conn);
4032
4033 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4034 sizeof(cp), &cp);
4035 } else {
4036 struct hci_cp_io_capability_neg_reply cp;
4037
4038 bacpy(&cp.bdaddr, &ev->bdaddr);
4039 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4040
4041 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4042 sizeof(cp), &cp);
4043 }
4044
4045unlock:
4046 hci_dev_unlock(hdev);
4047}
4048
4049static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4050{
4051 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4052 struct hci_conn *conn;
4053
4054 BT_DBG("%s", hdev->name);
4055
4056 hci_dev_lock(hdev);
4057
4058 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4059 if (!conn)
4060 goto unlock;
4061
4062 conn->remote_cap = ev->capability;
4063 conn->remote_auth = ev->authentication;
4064
4065unlock:
4066 hci_dev_unlock(hdev);
4067}
4068
4069static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4070 struct sk_buff *skb)
4071{
4072 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4073 int loc_mitm, rem_mitm, confirm_hint = 0;
4074 struct hci_conn *conn;
4075
4076 BT_DBG("%s", hdev->name);
4077
4078 hci_dev_lock(hdev);
4079
4080 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4081 goto unlock;
4082
4083 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4084 if (!conn)
4085 goto unlock;
4086
4087 loc_mitm = (conn->auth_type & 0x01);
4088 rem_mitm = (conn->remote_auth & 0x01);
4089
4090 /* If we require MITM but the remote device can't provide that
4091 * (it has NoInputNoOutput) then reject the confirmation
4092 * request. We check the security level here since it doesn't
4093 * necessarily match conn->auth_type.
4094 */
4095 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4096 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4097 BT_DBG("Rejecting request: remote device can't provide MITM");
4098 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4099 sizeof(ev->bdaddr), &ev->bdaddr);
4100 goto unlock;
4101 }
4102
4103 /* If no side requires MITM protection; auto-accept */
4104 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4105 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4106
4107 /* If we're not the initiators request authorization to
4108 * proceed from user space (mgmt_user_confirm with
4109 * confirm_hint set to 1). The exception is if neither
4110 * side had MITM or if the local IO capability is
4111 * NoInputNoOutput, in which case we do auto-accept
4112 */
4113 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4114 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4115 (loc_mitm || rem_mitm)) {
4116 BT_DBG("Confirming auto-accept as acceptor");
4117 confirm_hint = 1;
4118 goto confirm;
4119 }
4120
4121 BT_DBG("Auto-accept of user confirmation with %ums delay",
4122 hdev->auto_accept_delay);
4123
4124 if (hdev->auto_accept_delay > 0) {
4125 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4126 queue_delayed_work(conn->hdev->workqueue,
4127 &conn->auto_accept_work, delay);
4128 goto unlock;
4129 }
4130
4131 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4132 sizeof(ev->bdaddr), &ev->bdaddr);
4133 goto unlock;
4134 }
4135
4136confirm:
4137 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4138 le32_to_cpu(ev->passkey), confirm_hint);
4139
4140unlock:
4141 hci_dev_unlock(hdev);
4142}
4143
4144static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4145 struct sk_buff *skb)
4146{
4147 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4148
4149 BT_DBG("%s", hdev->name);
4150
4151 if (hci_dev_test_flag(hdev, HCI_MGMT))
4152 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4153}
4154
4155static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4156 struct sk_buff *skb)
4157{
4158 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4159 struct hci_conn *conn;
4160
4161 BT_DBG("%s", hdev->name);
4162
4163 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4164 if (!conn)
4165 return;
4166
4167 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4168 conn->passkey_entered = 0;
4169
4170 if (hci_dev_test_flag(hdev, HCI_MGMT))
4171 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4172 conn->dst_type, conn->passkey_notify,
4173 conn->passkey_entered);
4174}
4175
4176static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4177{
4178 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4179 struct hci_conn *conn;
4180
4181 BT_DBG("%s", hdev->name);
4182
4183 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4184 if (!conn)
4185 return;
4186
4187 switch (ev->type) {
4188 case HCI_KEYPRESS_STARTED:
4189 conn->passkey_entered = 0;
4190 return;
4191
4192 case HCI_KEYPRESS_ENTERED:
4193 conn->passkey_entered++;
4194 break;
4195
4196 case HCI_KEYPRESS_ERASED:
4197 conn->passkey_entered--;
4198 break;
4199
4200 case HCI_KEYPRESS_CLEARED:
4201 conn->passkey_entered = 0;
4202 break;
4203
4204 case HCI_KEYPRESS_COMPLETED:
4205 return;
4206 }
4207
4208 if (hci_dev_test_flag(hdev, HCI_MGMT))
4209 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4210 conn->dst_type, conn->passkey_notify,
4211 conn->passkey_entered);
4212}
4213
4214static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4215 struct sk_buff *skb)
4216{
4217 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4218 struct hci_conn *conn;
4219
4220 BT_DBG("%s", hdev->name);
4221
4222 hci_dev_lock(hdev);
4223
4224 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4225 if (!conn)
4226 goto unlock;
4227
4228 /* Reset the authentication requirement to unknown */
4229 conn->remote_auth = 0xff;
4230
4231 /* To avoid duplicate auth_failed events to user space we check
4232 * the HCI_CONN_AUTH_PEND flag which will be set if we
4233 * initiated the authentication. A traditional auth_complete
4234 * event gets always produced as initiator and is also mapped to
4235 * the mgmt_auth_failed event */
4236 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4237 mgmt_auth_failed(conn, ev->status);
4238
4239 hci_conn_drop(conn);
4240
4241unlock:
4242 hci_dev_unlock(hdev);
4243}
4244
4245static void hci_remote_host_features_evt(struct hci_dev *hdev,
4246 struct sk_buff *skb)
4247{
4248 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4249 struct inquiry_entry *ie;
4250 struct hci_conn *conn;
4251
4252 BT_DBG("%s", hdev->name);
4253
4254 hci_dev_lock(hdev);
4255
4256 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4257 if (conn)
4258 memcpy(conn->features[1], ev->features, 8);
4259
4260 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4261 if (ie)
4262 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4263
4264 hci_dev_unlock(hdev);
4265}
4266
4267static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4268 struct sk_buff *skb)
4269{
4270 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4271 struct oob_data *data;
4272
4273 BT_DBG("%s", hdev->name);
4274
4275 hci_dev_lock(hdev);
4276
4277 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4278 goto unlock;
4279
4280 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4281 if (!data) {
4282 struct hci_cp_remote_oob_data_neg_reply cp;
4283
4284 bacpy(&cp.bdaddr, &ev->bdaddr);
4285 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4286 sizeof(cp), &cp);
4287 goto unlock;
4288 }
4289
4290 if (bredr_sc_enabled(hdev)) {
4291 struct hci_cp_remote_oob_ext_data_reply cp;
4292
4293 bacpy(&cp.bdaddr, &ev->bdaddr);
4294 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4295 memset(cp.hash192, 0, sizeof(cp.hash192));
4296 memset(cp.rand192, 0, sizeof(cp.rand192));
4297 } else {
4298 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4299 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4300 }
4301 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4302 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4303
4304 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4305 sizeof(cp), &cp);
4306 } else {
4307 struct hci_cp_remote_oob_data_reply cp;
4308
4309 bacpy(&cp.bdaddr, &ev->bdaddr);
4310 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4311 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4312
4313 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4314 sizeof(cp), &cp);
4315 }
4316
4317unlock:
4318 hci_dev_unlock(hdev);
4319}
4320
4321#if IS_ENABLED(CONFIG_BT_HS)
4322static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4323{
4324 struct hci_ev_channel_selected *ev = (void *)skb->data;
4325 struct hci_conn *hcon;
4326
4327 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4328
4329 skb_pull(skb, sizeof(*ev));
4330
4331 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4332 if (!hcon)
4333 return;
4334
4335 amp_read_loc_assoc_final_data(hdev, hcon);
4336}
4337
4338static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4339 struct sk_buff *skb)
4340{
4341 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4342 struct hci_conn *hcon, *bredr_hcon;
4343
4344 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4345 ev->status);
4346
4347 hci_dev_lock(hdev);
4348
4349 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4350 if (!hcon) {
4351 hci_dev_unlock(hdev);
4352 return;
4353 }
4354
4355 if (ev->status) {
4356 hci_conn_del(hcon);
4357 hci_dev_unlock(hdev);
4358 return;
4359 }
4360
4361 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4362
4363 hcon->state = BT_CONNECTED;
4364 bacpy(&hcon->dst, &bredr_hcon->dst);
4365
4366 hci_conn_hold(hcon);
4367 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4368 hci_conn_drop(hcon);
4369
4370 hci_debugfs_create_conn(hcon);
4371 hci_conn_add_sysfs(hcon);
4372
4373 amp_physical_cfm(bredr_hcon, hcon);
4374
4375 hci_dev_unlock(hdev);
4376}
4377
4378static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4379{
4380 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4381 struct hci_conn *hcon;
4382 struct hci_chan *hchan;
4383 struct amp_mgr *mgr;
4384
4385 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4386 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4387 ev->status);
4388
4389 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4390 if (!hcon)
4391 return;
4392
4393 /* Create AMP hchan */
4394 hchan = hci_chan_create(hcon);
4395 if (!hchan)
4396 return;
4397
4398 hchan->handle = le16_to_cpu(ev->handle);
4399
4400 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4401
4402 mgr = hcon->amp_mgr;
4403 if (mgr && mgr->bredr_chan) {
4404 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4405
4406 l2cap_chan_lock(bredr_chan);
4407
4408 bredr_chan->conn->mtu = hdev->block_mtu;
4409 l2cap_logical_cfm(bredr_chan, hchan, 0);
4410 hci_conn_hold(hcon);
4411
4412 l2cap_chan_unlock(bredr_chan);
4413 }
4414}
4415
4416static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4417 struct sk_buff *skb)
4418{
4419 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4420 struct hci_chan *hchan;
4421
4422 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4423 le16_to_cpu(ev->handle), ev->status);
4424
4425 if (ev->status)
4426 return;
4427
4428 hci_dev_lock(hdev);
4429
4430 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4431 if (!hchan)
4432 goto unlock;
4433
4434 amp_destroy_logical_link(hchan, ev->reason);
4435
4436unlock:
4437 hci_dev_unlock(hdev);
4438}
4439
4440static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4441 struct sk_buff *skb)
4442{
4443 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4444 struct hci_conn *hcon;
4445
4446 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4447
4448 if (ev->status)
4449 return;
4450
4451 hci_dev_lock(hdev);
4452
4453 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4454 if (hcon) {
4455 hcon->state = BT_CLOSED;
4456 hci_conn_del(hcon);
4457 }
4458
4459 hci_dev_unlock(hdev);
4460}
4461#endif
4462
4463static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4464{
4465 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4466 struct hci_conn_params *params;
4467 struct hci_conn *conn;
4468 struct smp_irk *irk;
4469 u8 addr_type;
4470
4471 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4472
4473 hci_dev_lock(hdev);
4474
4475 /* All controllers implicitly stop advertising in the event of a
4476 * connection, so ensure that the state bit is cleared.
4477 */
4478 hci_dev_clear_flag(hdev, HCI_LE_ADV);
4479
4480 conn = hci_lookup_le_connect(hdev);
4481 if (!conn) {
4482 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4483 if (!conn) {
4484 bt_dev_err(hdev, "no memory for new connection");
4485 goto unlock;
4486 }
4487
4488 conn->dst_type = ev->bdaddr_type;
4489
4490 /* If we didn't have a hci_conn object previously
4491 * but we're in master role this must be something
4492 * initiated using a white list. Since white list based
4493 * connections are not "first class citizens" we don't
4494 * have full tracking of them. Therefore, we go ahead
4495 * with a "best effort" approach of determining the
4496 * initiator address based on the HCI_PRIVACY flag.
4497 */
4498 if (conn->out) {
4499 conn->resp_addr_type = ev->bdaddr_type;
4500 bacpy(&conn->resp_addr, &ev->bdaddr);
4501 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4502 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4503 bacpy(&conn->init_addr, &hdev->rpa);
4504 } else {
4505 hci_copy_identity_address(hdev,
4506 &conn->init_addr,
4507 &conn->init_addr_type);
4508 }
4509 }
4510 } else {
4511 cancel_delayed_work(&conn->le_conn_timeout);
4512 }
4513
4514 if (!conn->out) {
4515 /* Set the responder (our side) address type based on
4516 * the advertising address type.
4517 */
4518 conn->resp_addr_type = hdev->adv_addr_type;
4519 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4520 bacpy(&conn->resp_addr, &hdev->random_addr);
4521 else
4522 bacpy(&conn->resp_addr, &hdev->bdaddr);
4523
4524 conn->init_addr_type = ev->bdaddr_type;
4525 bacpy(&conn->init_addr, &ev->bdaddr);
4526
4527 /* For incoming connections, set the default minimum
4528 * and maximum connection interval. They will be used
4529 * to check if the parameters are in range and if not
4530 * trigger the connection update procedure.
4531 */
4532 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4533 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4534 }
4535
4536 /* Lookup the identity address from the stored connection
4537 * address and address type.
4538 *
4539 * When establishing connections to an identity address, the
4540 * connection procedure will store the resolvable random
4541 * address first. Now if it can be converted back into the
4542 * identity address, start using the identity address from
4543 * now on.
4544 */
4545 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4546 if (irk) {
4547 bacpy(&conn->dst, &irk->bdaddr);
4548 conn->dst_type = irk->addr_type;
4549 }
4550
4551 if (ev->status) {
4552 hci_le_conn_failed(conn, ev->status);
4553 goto unlock;
4554 }
4555
4556 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4557 addr_type = BDADDR_LE_PUBLIC;
4558 else
4559 addr_type = BDADDR_LE_RANDOM;
4560
4561 /* Drop the connection if the device is blocked */
4562 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4563 hci_conn_drop(conn);
4564 goto unlock;
4565 }
4566
4567 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4568 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4569
4570 conn->sec_level = BT_SECURITY_LOW;
4571 conn->handle = __le16_to_cpu(ev->handle);
4572 conn->state = BT_CONFIG;
4573
4574 conn->le_conn_interval = le16_to_cpu(ev->interval);
4575 conn->le_conn_latency = le16_to_cpu(ev->latency);
4576 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4577
4578 hci_debugfs_create_conn(conn);
4579 hci_conn_add_sysfs(conn);
4580
4581 if (!ev->status) {
4582 /* The remote features procedure is defined for master
4583 * role only. So only in case of an initiated connection
4584 * request the remote features.
4585 *
4586 * If the local controller supports slave-initiated features
4587 * exchange, then requesting the remote features in slave
4588 * role is possible. Otherwise just transition into the
4589 * connected state without requesting the remote features.
4590 */
4591 if (conn->out ||
4592 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4593 struct hci_cp_le_read_remote_features cp;
4594
4595 cp.handle = __cpu_to_le16(conn->handle);
4596
4597 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4598 sizeof(cp), &cp);
4599
4600 hci_conn_hold(conn);
4601 } else {
4602 conn->state = BT_CONNECTED;
4603 hci_connect_cfm(conn, ev->status);
4604 }
4605 } else {
4606 hci_connect_cfm(conn, ev->status);
4607 }
4608
4609 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4610 conn->dst_type);
4611 if (params) {
4612 list_del_init(¶ms->action);
4613 if (params->conn) {
4614 hci_conn_drop(params->conn);
4615 hci_conn_put(params->conn);
4616 params->conn = NULL;
4617 }
4618 }
4619
4620unlock:
4621 hci_update_background_scan(hdev);
4622 hci_dev_unlock(hdev);
4623}
4624
4625static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4626 struct sk_buff *skb)
4627{
4628 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4629 struct hci_conn *conn;
4630
4631 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4632
4633 if (ev->status)
4634 return;
4635
4636 hci_dev_lock(hdev);
4637
4638 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4639 if (conn) {
4640 conn->le_conn_interval = le16_to_cpu(ev->interval);
4641 conn->le_conn_latency = le16_to_cpu(ev->latency);
4642 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4643 }
4644
4645 hci_dev_unlock(hdev);
4646}
4647
4648/* This function requires the caller holds hdev->lock */
4649static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4650 bdaddr_t *addr,
4651 u8 addr_type, u8 adv_type,
4652 bdaddr_t *direct_rpa)
4653{
4654 struct hci_conn *conn;
4655 struct hci_conn_params *params;
4656
4657 /* If the event is not connectable don't proceed further */
4658 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4659 return NULL;
4660
4661 /* Ignore if the device is blocked */
4662 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4663 return NULL;
4664
4665 /* Most controller will fail if we try to create new connections
4666 * while we have an existing one in slave role.
4667 */
4668 if (hdev->conn_hash.le_num_slave > 0)
4669 return NULL;
4670
4671 /* If we're not connectable only connect devices that we have in
4672 * our pend_le_conns list.
4673 */
4674 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4675 addr_type);
4676 if (!params)
4677 return NULL;
4678
4679 if (!params->explicit_connect) {
4680 switch (params->auto_connect) {
4681 case HCI_AUTO_CONN_DIRECT:
4682 /* Only devices advertising with ADV_DIRECT_IND are
4683 * triggering a connection attempt. This is allowing
4684 * incoming connections from slave devices.
4685 */
4686 if (adv_type != LE_ADV_DIRECT_IND)
4687 return NULL;
4688 break;
4689 case HCI_AUTO_CONN_ALWAYS:
4690 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4691 * are triggering a connection attempt. This means
4692 * that incoming connectioms from slave device are
4693 * accepted and also outgoing connections to slave
4694 * devices are established when found.
4695 */
4696 break;
4697 default:
4698 return NULL;
4699 }
4700 }
4701
4702 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4703 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
4704 direct_rpa);
4705 if (!IS_ERR(conn)) {
4706 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4707 * by higher layer that tried to connect, if no then
4708 * store the pointer since we don't really have any
4709 * other owner of the object besides the params that
4710 * triggered it. This way we can abort the connection if
4711 * the parameters get removed and keep the reference
4712 * count consistent once the connection is established.
4713 */
4714
4715 if (!params->explicit_connect)
4716 params->conn = hci_conn_get(conn);
4717
4718 return conn;
4719 }
4720
4721 switch (PTR_ERR(conn)) {
4722 case -EBUSY:
4723 /* If hci_connect() returns -EBUSY it means there is already
4724 * an LE connection attempt going on. Since controllers don't
4725 * support more than one connection attempt at the time, we
4726 * don't consider this an error case.
4727 */
4728 break;
4729 default:
4730 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4731 return NULL;
4732 }
4733
4734 return NULL;
4735}
4736
4737static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4738 u8 bdaddr_type, bdaddr_t *direct_addr,
4739 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4740{
4741 struct discovery_state *d = &hdev->discovery;
4742 struct smp_irk *irk;
4743 struct hci_conn *conn;
4744 bool match;
4745 u32 flags;
4746 u8 *ptr, real_len;
4747
4748 switch (type) {
4749 case LE_ADV_IND:
4750 case LE_ADV_DIRECT_IND:
4751 case LE_ADV_SCAN_IND:
4752 case LE_ADV_NONCONN_IND:
4753 case LE_ADV_SCAN_RSP:
4754 break;
4755 default:
4756 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
4757 "type: 0x%02x", type);
4758 return;
4759 }
4760
4761 /* Find the end of the data in case the report contains padded zero
4762 * bytes at the end causing an invalid length value.
4763 *
4764 * When data is NULL, len is 0 so there is no need for extra ptr
4765 * check as 'ptr < data + 0' is already false in such case.
4766 */
4767 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4768 if (ptr + 1 + *ptr > data + len)
4769 break;
4770 }
4771
4772 real_len = ptr - data;
4773
4774 /* Adjust for actual length */
4775 if (len != real_len) {
4776 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
4777 len = real_len;
4778 }
4779
4780 /* If the direct address is present, then this report is from
4781 * a LE Direct Advertising Report event. In that case it is
4782 * important to see if the address is matching the local
4783 * controller address.
4784 */
4785 if (direct_addr) {
4786 /* Only resolvable random addresses are valid for these
4787 * kind of reports and others can be ignored.
4788 */
4789 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4790 return;
4791
4792 /* If the controller is not using resolvable random
4793 * addresses, then this report can be ignored.
4794 */
4795 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4796 return;
4797
4798 /* If the local IRK of the controller does not match
4799 * with the resolvable random address provided, then
4800 * this report can be ignored.
4801 */
4802 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4803 return;
4804 }
4805
4806 /* Check if we need to convert to identity address */
4807 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4808 if (irk) {
4809 bdaddr = &irk->bdaddr;
4810 bdaddr_type = irk->addr_type;
4811 }
4812
4813 /* Check if we have been requested to connect to this device.
4814 *
4815 * direct_addr is set only for directed advertising reports (it is NULL
4816 * for advertising reports) and is already verified to be RPA above.
4817 */
4818 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
4819 direct_addr);
4820 if (conn && type == LE_ADV_IND) {
4821 /* Store report for later inclusion by
4822 * mgmt_device_connected
4823 */
4824 memcpy(conn->le_adv_data, data, len);
4825 conn->le_adv_data_len = len;
4826 }
4827
4828 /* Passive scanning shouldn't trigger any device found events,
4829 * except for devices marked as CONN_REPORT for which we do send
4830 * device found events.
4831 */
4832 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4833 if (type == LE_ADV_DIRECT_IND)
4834 return;
4835
4836 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4837 bdaddr, bdaddr_type))
4838 return;
4839
4840 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4841 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4842 else
4843 flags = 0;
4844 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4845 rssi, flags, data, len, NULL, 0);
4846 return;
4847 }
4848
4849 /* When receiving non-connectable or scannable undirected
4850 * advertising reports, this means that the remote device is
4851 * not connectable and then clearly indicate this in the
4852 * device found event.
4853 *
4854 * When receiving a scan response, then there is no way to
4855 * know if the remote device is connectable or not. However
4856 * since scan responses are merged with a previously seen
4857 * advertising report, the flags field from that report
4858 * will be used.
4859 *
4860 * In the really unlikely case that a controller get confused
4861 * and just sends a scan response event, then it is marked as
4862 * not connectable as well.
4863 */
4864 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4865 type == LE_ADV_SCAN_RSP)
4866 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4867 else
4868 flags = 0;
4869
4870 /* If there's nothing pending either store the data from this
4871 * event or send an immediate device found event if the data
4872 * should not be stored for later.
4873 */
4874 if (!has_pending_adv_report(hdev)) {
4875 /* If the report will trigger a SCAN_REQ store it for
4876 * later merging.
4877 */
4878 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4879 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4880 rssi, flags, data, len);
4881 return;
4882 }
4883
4884 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885 rssi, flags, data, len, NULL, 0);
4886 return;
4887 }
4888
4889 /* Check if the pending report is for the same device as the new one */
4890 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4891 bdaddr_type == d->last_adv_addr_type);
4892
4893 /* If the pending data doesn't match this report or this isn't a
4894 * scan response (e.g. we got a duplicate ADV_IND) then force
4895 * sending of the pending data.
4896 */
4897 if (type != LE_ADV_SCAN_RSP || !match) {
4898 /* Send out whatever is in the cache, but skip duplicates */
4899 if (!match)
4900 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4901 d->last_adv_addr_type, NULL,
4902 d->last_adv_rssi, d->last_adv_flags,
4903 d->last_adv_data,
4904 d->last_adv_data_len, NULL, 0);
4905
4906 /* If the new report will trigger a SCAN_REQ store it for
4907 * later merging.
4908 */
4909 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4910 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4911 rssi, flags, data, len);
4912 return;
4913 }
4914
4915 /* The advertising reports cannot be merged, so clear
4916 * the pending report and send out a device found event.
4917 */
4918 clear_pending_adv_report(hdev);
4919 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4920 rssi, flags, data, len, NULL, 0);
4921 return;
4922 }
4923
4924 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4925 * the new event is a SCAN_RSP. We can therefore proceed with
4926 * sending a merged device found event.
4927 */
4928 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4929 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4930 d->last_adv_data, d->last_adv_data_len, data, len);
4931 clear_pending_adv_report(hdev);
4932}
4933
4934static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4935{
4936 u8 num_reports = skb->data[0];
4937 void *ptr = &skb->data[1];
4938
4939 hci_dev_lock(hdev);
4940
4941 while (num_reports--) {
4942 struct hci_ev_le_advertising_info *ev = ptr;
4943 s8 rssi;
4944
4945 rssi = ev->data[ev->length];
4946 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4947 ev->bdaddr_type, NULL, 0, rssi,
4948 ev->data, ev->length);
4949
4950 ptr += sizeof(*ev) + ev->length + 1;
4951 }
4952
4953 hci_dev_unlock(hdev);
4954}
4955
4956static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4957 struct sk_buff *skb)
4958{
4959 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4960 struct hci_conn *conn;
4961
4962 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4963
4964 hci_dev_lock(hdev);
4965
4966 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4967 if (conn) {
4968 if (!ev->status)
4969 memcpy(conn->features[0], ev->features, 8);
4970
4971 if (conn->state == BT_CONFIG) {
4972 __u8 status;
4973
4974 /* If the local controller supports slave-initiated
4975 * features exchange, but the remote controller does
4976 * not, then it is possible that the error code 0x1a
4977 * for unsupported remote feature gets returned.
4978 *
4979 * In this specific case, allow the connection to
4980 * transition into connected state and mark it as
4981 * successful.
4982 */
4983 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4984 !conn->out && ev->status == 0x1a)
4985 status = 0x00;
4986 else
4987 status = ev->status;
4988
4989 conn->state = BT_CONNECTED;
4990 hci_connect_cfm(conn, status);
4991 hci_conn_drop(conn);
4992 }
4993 }
4994
4995 hci_dev_unlock(hdev);
4996}
4997
4998static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4999{
5000 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5001 struct hci_cp_le_ltk_reply cp;
5002 struct hci_cp_le_ltk_neg_reply neg;
5003 struct hci_conn *conn;
5004 struct smp_ltk *ltk;
5005
5006 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5007
5008 hci_dev_lock(hdev);
5009
5010 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5011 if (conn == NULL)
5012 goto not_found;
5013
5014 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5015 if (!ltk)
5016 goto not_found;
5017
5018 if (smp_ltk_is_sc(ltk)) {
5019 /* With SC both EDiv and Rand are set to zero */
5020 if (ev->ediv || ev->rand)
5021 goto not_found;
5022 } else {
5023 /* For non-SC keys check that EDiv and Rand match */
5024 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5025 goto not_found;
5026 }
5027
5028 memcpy(cp.ltk, ltk->val, ltk->enc_size);
5029 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5030 cp.handle = cpu_to_le16(conn->handle);
5031
5032 conn->pending_sec_level = smp_ltk_sec_level(ltk);
5033
5034 conn->enc_key_size = ltk->enc_size;
5035
5036 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5037
5038 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5039 * temporary key used to encrypt a connection following
5040 * pairing. It is used during the Encrypted Session Setup to
5041 * distribute the keys. Later, security can be re-established
5042 * using a distributed LTK.
5043 */
5044 if (ltk->type == SMP_STK) {
5045 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5046 list_del_rcu(<k->list);
5047 kfree_rcu(ltk, rcu);
5048 } else {
5049 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5050 }
5051
5052 hci_dev_unlock(hdev);
5053
5054 return;
5055
5056not_found:
5057 neg.handle = ev->handle;
5058 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5059 hci_dev_unlock(hdev);
5060}
5061
5062static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5063 u8 reason)
5064{
5065 struct hci_cp_le_conn_param_req_neg_reply cp;
5066
5067 cp.handle = cpu_to_le16(handle);
5068 cp.reason = reason;
5069
5070 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5071 &cp);
5072}
5073
5074static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5075 struct sk_buff *skb)
5076{
5077 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5078 struct hci_cp_le_conn_param_req_reply cp;
5079 struct hci_conn *hcon;
5080 u16 handle, min, max, latency, timeout;
5081
5082 handle = le16_to_cpu(ev->handle);
5083 min = le16_to_cpu(ev->interval_min);
5084 max = le16_to_cpu(ev->interval_max);
5085 latency = le16_to_cpu(ev->latency);
5086 timeout = le16_to_cpu(ev->timeout);
5087
5088 hcon = hci_conn_hash_lookup_handle(hdev, handle);
5089 if (!hcon || hcon->state != BT_CONNECTED)
5090 return send_conn_param_neg_reply(hdev, handle,
5091 HCI_ERROR_UNKNOWN_CONN_ID);
5092
5093 if (hci_check_conn_params(min, max, latency, timeout))
5094 return send_conn_param_neg_reply(hdev, handle,
5095 HCI_ERROR_INVALID_LL_PARAMS);
5096
5097 if (hcon->role == HCI_ROLE_MASTER) {
5098 struct hci_conn_params *params;
5099 u8 store_hint;
5100
5101 hci_dev_lock(hdev);
5102
5103 params = hci_conn_params_lookup(hdev, &hcon->dst,
5104 hcon->dst_type);
5105 if (params) {
5106 params->conn_min_interval = min;
5107 params->conn_max_interval = max;
5108 params->conn_latency = latency;
5109 params->supervision_timeout = timeout;
5110 store_hint = 0x01;
5111 } else{
5112 store_hint = 0x00;
5113 }
5114
5115 hci_dev_unlock(hdev);
5116
5117 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5118 store_hint, min, max, latency, timeout);
5119 }
5120
5121 cp.handle = ev->handle;
5122 cp.interval_min = ev->interval_min;
5123 cp.interval_max = ev->interval_max;
5124 cp.latency = ev->latency;
5125 cp.timeout = ev->timeout;
5126 cp.min_ce_len = 0;
5127 cp.max_ce_len = 0;
5128
5129 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5130}
5131
5132static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5133 struct sk_buff *skb)
5134{
5135 u8 num_reports = skb->data[0];
5136 void *ptr = &skb->data[1];
5137
5138 hci_dev_lock(hdev);
5139
5140 while (num_reports--) {
5141 struct hci_ev_le_direct_adv_info *ev = ptr;
5142
5143 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5144 ev->bdaddr_type, &ev->direct_addr,
5145 ev->direct_addr_type, ev->rssi, NULL, 0);
5146
5147 ptr += sizeof(*ev);
5148 }
5149
5150 hci_dev_unlock(hdev);
5151}
5152
5153static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5154{
5155 struct hci_ev_le_meta *le_ev = (void *) skb->data;
5156
5157 skb_pull(skb, sizeof(*le_ev));
5158
5159 switch (le_ev->subevent) {
5160 case HCI_EV_LE_CONN_COMPLETE:
5161 hci_le_conn_complete_evt(hdev, skb);
5162 break;
5163
5164 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5165 hci_le_conn_update_complete_evt(hdev, skb);
5166 break;
5167
5168 case HCI_EV_LE_ADVERTISING_REPORT:
5169 hci_le_adv_report_evt(hdev, skb);
5170 break;
5171
5172 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5173 hci_le_remote_feat_complete_evt(hdev, skb);
5174 break;
5175
5176 case HCI_EV_LE_LTK_REQ:
5177 hci_le_ltk_request_evt(hdev, skb);
5178 break;
5179
5180 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5181 hci_le_remote_conn_param_req_evt(hdev, skb);
5182 break;
5183
5184 case HCI_EV_LE_DIRECT_ADV_REPORT:
5185 hci_le_direct_adv_report_evt(hdev, skb);
5186 break;
5187
5188 default:
5189 break;
5190 }
5191}
5192
5193static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5194 u8 event, struct sk_buff *skb)
5195{
5196 struct hci_ev_cmd_complete *ev;
5197 struct hci_event_hdr *hdr;
5198
5199 if (!skb)
5200 return false;
5201
5202 if (skb->len < sizeof(*hdr)) {
5203 bt_dev_err(hdev, "too short HCI event");
5204 return false;
5205 }
5206
5207 hdr = (void *) skb->data;
5208 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5209
5210 if (event) {
5211 if (hdr->evt != event)
5212 return false;
5213 return true;
5214 }
5215
5216 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5217 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5218 hdr->evt);
5219 return false;
5220 }
5221
5222 if (skb->len < sizeof(*ev)) {
5223 bt_dev_err(hdev, "too short cmd_complete event");
5224 return false;
5225 }
5226
5227 ev = (void *) skb->data;
5228 skb_pull(skb, sizeof(*ev));
5229
5230 if (opcode != __le16_to_cpu(ev->opcode)) {
5231 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5232 __le16_to_cpu(ev->opcode));
5233 return false;
5234 }
5235
5236 return true;
5237}
5238
5239void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5240{
5241 struct hci_event_hdr *hdr = (void *) skb->data;
5242 hci_req_complete_t req_complete = NULL;
5243 hci_req_complete_skb_t req_complete_skb = NULL;
5244 struct sk_buff *orig_skb = NULL;
5245 u8 status = 0, event = hdr->evt, req_evt = 0;
5246 u16 opcode = HCI_OP_NOP;
5247
5248 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5249 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5250 opcode = __le16_to_cpu(cmd_hdr->opcode);
5251 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5252 &req_complete_skb);
5253 req_evt = event;
5254 }
5255
5256 /* If it looks like we might end up having to call
5257 * req_complete_skb, store a pristine copy of the skb since the
5258 * various handlers may modify the original one through
5259 * skb_pull() calls, etc.
5260 */
5261 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5262 event == HCI_EV_CMD_COMPLETE)
5263 orig_skb = skb_clone(skb, GFP_KERNEL);
5264
5265 skb_pull(skb, HCI_EVENT_HDR_SIZE);
5266
5267 switch (event) {
5268 case HCI_EV_INQUIRY_COMPLETE:
5269 hci_inquiry_complete_evt(hdev, skb);
5270 break;
5271
5272 case HCI_EV_INQUIRY_RESULT:
5273 hci_inquiry_result_evt(hdev, skb);
5274 break;
5275
5276 case HCI_EV_CONN_COMPLETE:
5277 hci_conn_complete_evt(hdev, skb);
5278 break;
5279
5280 case HCI_EV_CONN_REQUEST:
5281 hci_conn_request_evt(hdev, skb);
5282 break;
5283
5284 case HCI_EV_DISCONN_COMPLETE:
5285 hci_disconn_complete_evt(hdev, skb);
5286 break;
5287
5288 case HCI_EV_AUTH_COMPLETE:
5289 hci_auth_complete_evt(hdev, skb);
5290 break;
5291
5292 case HCI_EV_REMOTE_NAME:
5293 hci_remote_name_evt(hdev, skb);
5294 break;
5295
5296 case HCI_EV_ENCRYPT_CHANGE:
5297 hci_encrypt_change_evt(hdev, skb);
5298 break;
5299
5300 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5301 hci_change_link_key_complete_evt(hdev, skb);
5302 break;
5303
5304 case HCI_EV_REMOTE_FEATURES:
5305 hci_remote_features_evt(hdev, skb);
5306 break;
5307
5308 case HCI_EV_CMD_COMPLETE:
5309 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5310 &req_complete, &req_complete_skb);
5311 break;
5312
5313 case HCI_EV_CMD_STATUS:
5314 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5315 &req_complete_skb);
5316 break;
5317
5318 case HCI_EV_HARDWARE_ERROR:
5319 hci_hardware_error_evt(hdev, skb);
5320 break;
5321
5322 case HCI_EV_ROLE_CHANGE:
5323 hci_role_change_evt(hdev, skb);
5324 break;
5325
5326 case HCI_EV_NUM_COMP_PKTS:
5327 hci_num_comp_pkts_evt(hdev, skb);
5328 break;
5329
5330 case HCI_EV_MODE_CHANGE:
5331 hci_mode_change_evt(hdev, skb);
5332 break;
5333
5334 case HCI_EV_PIN_CODE_REQ:
5335 hci_pin_code_request_evt(hdev, skb);
5336 break;
5337
5338 case HCI_EV_LINK_KEY_REQ:
5339 hci_link_key_request_evt(hdev, skb);
5340 break;
5341
5342 case HCI_EV_LINK_KEY_NOTIFY:
5343 hci_link_key_notify_evt(hdev, skb);
5344 break;
5345
5346 case HCI_EV_CLOCK_OFFSET:
5347 hci_clock_offset_evt(hdev, skb);
5348 break;
5349
5350 case HCI_EV_PKT_TYPE_CHANGE:
5351 hci_pkt_type_change_evt(hdev, skb);
5352 break;
5353
5354 case HCI_EV_PSCAN_REP_MODE:
5355 hci_pscan_rep_mode_evt(hdev, skb);
5356 break;
5357
5358 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5359 hci_inquiry_result_with_rssi_evt(hdev, skb);
5360 break;
5361
5362 case HCI_EV_REMOTE_EXT_FEATURES:
5363 hci_remote_ext_features_evt(hdev, skb);
5364 break;
5365
5366 case HCI_EV_SYNC_CONN_COMPLETE:
5367 hci_sync_conn_complete_evt(hdev, skb);
5368 break;
5369
5370 case HCI_EV_EXTENDED_INQUIRY_RESULT:
5371 hci_extended_inquiry_result_evt(hdev, skb);
5372 break;
5373
5374 case HCI_EV_KEY_REFRESH_COMPLETE:
5375 hci_key_refresh_complete_evt(hdev, skb);
5376 break;
5377
5378 case HCI_EV_IO_CAPA_REQUEST:
5379 hci_io_capa_request_evt(hdev, skb);
5380 break;
5381
5382 case HCI_EV_IO_CAPA_REPLY:
5383 hci_io_capa_reply_evt(hdev, skb);
5384 break;
5385
5386 case HCI_EV_USER_CONFIRM_REQUEST:
5387 hci_user_confirm_request_evt(hdev, skb);
5388 break;
5389
5390 case HCI_EV_USER_PASSKEY_REQUEST:
5391 hci_user_passkey_request_evt(hdev, skb);
5392 break;
5393
5394 case HCI_EV_USER_PASSKEY_NOTIFY:
5395 hci_user_passkey_notify_evt(hdev, skb);
5396 break;
5397
5398 case HCI_EV_KEYPRESS_NOTIFY:
5399 hci_keypress_notify_evt(hdev, skb);
5400 break;
5401
5402 case HCI_EV_SIMPLE_PAIR_COMPLETE:
5403 hci_simple_pair_complete_evt(hdev, skb);
5404 break;
5405
5406 case HCI_EV_REMOTE_HOST_FEATURES:
5407 hci_remote_host_features_evt(hdev, skb);
5408 break;
5409
5410 case HCI_EV_LE_META:
5411 hci_le_meta_evt(hdev, skb);
5412 break;
5413
5414 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5415 hci_remote_oob_data_request_evt(hdev, skb);
5416 break;
5417
5418#if IS_ENABLED(CONFIG_BT_HS)
5419 case HCI_EV_CHANNEL_SELECTED:
5420 hci_chan_selected_evt(hdev, skb);
5421 break;
5422
5423 case HCI_EV_PHY_LINK_COMPLETE:
5424 hci_phy_link_complete_evt(hdev, skb);
5425 break;
5426
5427 case HCI_EV_LOGICAL_LINK_COMPLETE:
5428 hci_loglink_complete_evt(hdev, skb);
5429 break;
5430
5431 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5432 hci_disconn_loglink_complete_evt(hdev, skb);
5433 break;
5434
5435 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5436 hci_disconn_phylink_complete_evt(hdev, skb);
5437 break;
5438#endif
5439
5440 case HCI_EV_NUM_COMP_BLOCKS:
5441 hci_num_comp_blocks_evt(hdev, skb);
5442 break;
5443
5444 default:
5445 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5446 break;
5447 }
5448
5449 if (req_complete) {
5450 req_complete(hdev, status, opcode);
5451 } else if (req_complete_skb) {
5452 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5453 kfree_skb(orig_skb);
5454 orig_skb = NULL;
5455 }
5456 req_complete_skb(hdev, status, opcode, orig_skb);
5457 }
5458
5459 kfree_skb(orig_skb);
5460 kfree_skb(skb);
5461 hdev->stat.evt_rx++;
5462}