1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 BlueZ - Bluetooth protocol stack for Linux 4 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 5 Copyright 2023-2024 NXP 6 7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 /* Bluetooth HCI event handling. 
*/

#include <linux/unaligned.h>
#include <linux/crypto.h>
#include <crypto/algapi.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/mgmt.h>

#include "hci_debugfs.h"
#include "hci_codec.h"
#include "smp.h"
#include "msft.h"
#include "eir.h"

/* 16 zero bytes; used to recognise an all-zero (i.e. absent/invalid) key. */
#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
		 "\x00\x00\x00\x00\x00\x00\x00\x00"

/* Handle HCI Event packets
 *
 * Everything below this point parses data that arrived from the
 * controller (or, over a transport such as USB/UART, from whatever is
 * on the other end of it).  Payload lengths are therefore never
 * trusted: each handler obtains its parameter struct through one of the
 * hci_*_skb_pull() helpers, which return NULL when the skb is shorter
 * than the struct the handler expects.  Callers must check for NULL
 * before dereferencing.
 *
 * The hci_cc_*() helpers handle Command Complete events.  They return
 * the HCI status byte of the command (0x00 = success); a non-zero value
 * is propagated to the command's completion callback.  When a handler
 * needs to know what the host originally asked for it reads the
 * parameters of the outstanding command via hci_sent_cmd_data(), which
 * returns NULL if no such command is pending.
 */

/* Pull @len bytes of event parameters from @skb.
 *
 * Returns a pointer to the parameters, or NULL (after logging a
 * "Malformed Event" error for event code @ev) when the skb does not
 * hold @len bytes.
 */
static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
			     u8 ev, size_t len)
{
	void *data;

	data = skb_pull_data(skb, len);
	if (!data)
		bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);

	return data;
}

/* Same as hci_ev_skb_pull() but for Command Complete return parameters;
 * @op is the opcode being completed and is only used for the log line.
 */
static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
			     u16 op, size_t len)
{
	void *data;

	data = skb_pull_data(skb, len);
	if (!data)
		bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);

	return data;
}

/* Same as hci_ev_skb_pull() but for LE Meta Event sub-events (@ev is the
 * sub-event code).
 */
static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
				u8 ev, size_t len)
{
	void *data;

	data = skb_pull_data(skb, len);
	if (!data)
		bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);

	return data;
}

/* Defined later in this file; must be called with hdev->lock held. */
static void hci_store_wake_reason(struct hci_dev *hdev,
				  const bdaddr_t *bdaddr, u8 addr_type)
	__must_hold(&hdev->lock);

/* Command Complete for HCI_Inquiry_Cancel. */
static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	/* It is possible that we receive Inquiry Complete event right
	 * before we receive Inquiry Cancel Command Complete event, in
	 * which case the latter event should have status of Command
	 * Disallowed. This should not be treated as error, since
	 * we actually achieve what Inquiry Cancel wants to achieve,
	 * which is to end the last Inquiry session.
	 *
	 * The override is deliberately narrow: only Command Disallowed
	 * is forgiven, and only if HCI_INQUIRY has already been cleared
	 * (i.e. the inquiry really is over).  Any other failure is
	 * propagated unchanged.
	 */
	if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) {
		bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
		rp->status = 0x00;
	}

	if (rp->status)
		return rp->status;

	clear_bit(HCI_INQUIRY, &hdev->flags);
	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
	wake_up_bit(&hdev->flags, HCI_INQUIRY);

	hci_dev_lock(hdev);
	/* Set discovery state to stopped if we're not doing LE active
	 * scanning.
	 */
	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
	    hdev->le_scan_type != LE_SCAN_ACTIVE)
		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Periodic_Inquiry_Mode: on success, record that
 * the controller is now in periodic inquiry mode.
 */
static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
			      struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);

	return rp->status;
}

/* Command Complete for HCI_Exit_Periodic_Inquiry_Mode: inverse of
 * hci_cc_periodic_inq().
 */
static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);

	return rp->status;
}

/* Command Complete for HCI_Remote_Name_Request_Cancel: nothing to update
 * on the host side, just report the status.
 */
static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_rp_remote_name_req_cancel *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	return rp->status;
}

/* Command Complete for HCI_Role_Discovery: cache the reported role
 * (central/peripheral) on the matching connection, if it still exists.
 */
static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_rp_role_discovery *rp = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hci_dev_lock(hdev);

	/* The handle is controller-supplied; an unknown handle simply
	 * finds no connection and is ignored.
	 */
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
	if (conn)
		conn->role = rp->role;

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Link_Policy_Settings: cache the policy
 * on the matching connection.
 */
static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_rp_read_link_policy *rp = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
	if (conn)
		conn->link_policy = __le16_to_cpu(rp->policy);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Write_Link_Policy_Settings.  The new policy is
 * not echoed back by the controller, so it is taken from the parameters
 * of the command we sent.
 */
static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_rp_write_link_policy *rp = data;
	struct hci_conn *conn;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
	/* sent + 2 skips the 2-byte connection handle that precedes the
	 * policy in the command parameters (presumably matching the
	 * handle/policy layout of the read reply above); the parameter
	 * buffer is packed, hence the unaligned read.
	 */
	if (conn)
		conn->link_policy = get_unaligned_le16(sent + 2);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Default_Link_Policy_Settings. */
static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
				      struct sk_buff *skb)
{
	struct hci_rp_read_def_link_policy *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->link_policy = __le16_to_cpu(rp->policy);

	return rp->status;
}

/* Command Complete for HCI_Write_Default_Link_Policy_Settings: the
 * policy written is recovered from the sent command parameters.
 */
static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
				       struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
	if (!sent)
		return rp->status;

	hdev->link_policy = get_unaligned_le16(sent);

	return rp->status;
}

/* Command Complete for HCI_Reset.
 *
 * HCI_RESET is cleared regardless of the outcome so that a failed reset
 * does not leave the device stuck with the flag set.  On success the
 * host-side mirrors of controller state are reset to match what a
 * freshly reset controller has: volatile flags, discovery state,
 * advertising/scan-response data, TX power values, and the LE accept and
 * resolving lists (both of which the controller empties on reset; the
 * host copies must not claim entries the controller no longer has).
 */
static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	clear_bit(HCI_RESET, &hdev->flags);

	if (rp->status)
		return rp->status;

	/* Reset all non-persistent flags */
	hci_dev_clear_volatile_flags(hdev);

	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);

	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
	hdev->adv_tx_power = HCI_TX_POWER_INVALID;

	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
	hdev->adv_data_len = 0;

	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
	hdev->scan_rsp_data_len = 0;

	hdev->le_scan_type = LE_SCAN_PASSIVE;

	/* Debug-mode SSP keys are never persistent; a reset ends it. */
	hdev->ssp_debug_mode = 0;

	hci_bdaddr_list_clear(&hdev->le_accept_list);
	hci_bdaddr_list_clear(&hdev->le_resolv_list);

	return rp->status;
}

/* Command Complete for HCI_Read_Stored_Link_Key.
 *
 * Only the "read all" variant (sent->read_all == 0x01) reports totals
 * that are meaningful for the whole controller, so only that case
 * updates the cached max/num key counts.
 */
static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
				      struct sk_buff *skb)
{
	struct hci_rp_read_stored_link_key *rp = data;
	struct hci_cp_read_stored_link_key *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
	if (!sent)
		return rp->status;

	if (!rp->status && sent->read_all == 0x01) {
		hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
		hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
	}

	return rp->status;
}

/* Command Complete for HCI_Delete_Stored_Link_Key: decrement the cached
 * count by the number the controller says it deleted.
 */
static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_rp_delete_stored_link_key *rp = data;
	u16 num_keys;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	num_keys = le16_to_cpu(rp->num_keys);

	/* The controller's count is not trusted blindly: clamp at zero
	 * rather than letting the unsigned counter wrap around.
	 */
	if (num_keys <= hdev->stored_num_keys)
		hdev->stored_num_keys -= num_keys;
	else
		hdev->stored_num_keys = 0;

	return rp->status;
}

/* Command Complete for HCI_Write_Local_Name.
 *
 * With the management interface active the result is reported to mgmt
 * (success or failure) and mgmt owns the name state; otherwise the name
 * is copied from the sent command on success.  The name buffer is a
 * fixed HCI_MAX_NAME_LENGTH bytes, not a C string.
 */
static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_set_local_name_complete(hdev, sent, rp->status);
	else if (!rp->status)
		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_Name.  The controller's name is
 * only adopted while the device is being set up or configured, so a
 * name already chosen by user space is not overwritten later.
 */
static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
				 struct sk_buff *skb)
{
	struct hci_rp_read_local_name *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
	    hci_dev_test_flag(hdev, HCI_CONFIG))
		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);

	return rp->status;
}

/* Command Complete for HCI_Write_Authentication_Enable.
 *
 * HCI_AUTH tracks whether the controller requires authentication for all
 * connections; it is updated only on success, from the parameter we
 * sent.  mgmt is told the outcome either way.
 */
static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	if (!rp->status) {
		__u8 param = *((__u8 *) sent);

		if (param == AUTH_ENABLED)
			set_bit(HCI_AUTH, &hdev->flags);
		else
			clear_bit(HCI_AUTH, &hdev->flags);
	}

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_auth_enable_complete(hdev, rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Write_Encryption_Mode: mirror the requested
 * mode into HCI_ENCRYPT on success (any non-zero mode counts as on).
 */
static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	__u8 param;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
	if (!sent)
		return rp->status;

	param = *((__u8 *) sent);

	if (param)
		set_bit(HCI_ENCRYPT, &hdev->flags);
	else
		clear_bit(HCI_ENCRYPT, &hdev->flags);

	return rp->status;
}

/* Command Complete for HCI_Write_Scan_Enable.
 *
 * On failure the discoverable timeout is cleared (there is no
 * discoverable window to time out).  On success HCI_ISCAN/HCI_PSCAN are
 * set from the SCAN_INQUIRY/SCAN_PAGE bits of the parameter we sent.
 */
static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	__u8 param;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
	if (!sent)
		return rp->status;

	param = *((__u8 *) sent);

	hci_dev_lock(hdev);

	if (rp->status) {
		hdev->discov_timeout = 0;
		goto done;
	}

	if (param & SCAN_INQUIRY)
		set_bit(HCI_ISCAN, &hdev->flags);
	else
		clear_bit(HCI_ISCAN, &hdev->flags);

	if (param & SCAN_PAGE)
		set_bit(HCI_PSCAN, &hdev->flags);
	else
		clear_bit(HCI_PSCAN, &hdev->flags);

done:
	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Set_Event_Filter: track whether any filter
 * other than "clear all" is installed in the controller.
 */
static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_set_event_filter *cp;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
	if (!sent)
		return rp->status;

	cp = (struct hci_cp_set_event_filter *)sent;

	if (cp->flt_type == HCI_FLT_CLEAR_ALL)
		hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
	else
		hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);

	return rp->status;
}

/* Command Complete for HCI_Read_Class_of_Device: cache the 3-byte class. */
static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_rp_read_class_of_dev *rp = data;

	if (WARN_ON(!hdev))
		return HCI_ERROR_UNSPECIFIED;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	memcpy(hdev->dev_class, rp->dev_class, 3);

	/* Class of Device is little-endian on the wire; print MSB first. */
	bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
		   hdev->dev_class[1], hdev->dev_class[0]);

	return rp->status;
}

/* Command Complete for HCI_Write_Class_of_Device: adopt the class we sent
 * on success and notify mgmt of the outcome either way.
 */
static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	if (!rp->status)
		memcpy(hdev->dev_class, sent, 3);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_set_class_of_dev_complete(hdev, sent, rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Voice_Setting: cache the setting and, if
 * it changed, tell the driver through the notify hook (used for SCO
 * audio routing).
 */
static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_rp_read_voice_setting *rp = data;
	__u16 setting;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	setting = __le16_to_cpu(rp->voice_setting);

	if (hdev->voice_setting == setting)
		return rp->status;

	hdev->voice_setting = setting;

	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);

	if (hdev->notify)
		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);

	return rp->status;
}

/* Command Complete for HCI_Write_Voice_Setting: same bookkeeping as the
 * read variant, with the value taken from the sent command.
 */
static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	__u16 setting;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
	if (!sent)
		return rp->status;

	setting = get_unaligned_le16(sent);

	if (hdev->voice_setting == setting)
		return rp->status;

	hdev->voice_setting = setting;

	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);

	if (hdev->notify)
		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);

	return rp->status;
}

/* Command Complete for HCI_Read_Number_Of_Supported_IAC. */
static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_rp_read_num_supported_iac *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->num_iac = rp->num_iac;

	bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);

	return rp->status;
}

/* Command Complete for HCI_Write_Simple_Pairing_Mode.
 *
 * Secure Simple Pairing is a security-relevant setting: both the host
 * feature bit (LMP_HOST_SSP in features page 1, which is what gets
 * advertised to peers) and the HCI_SSP_ENABLED flag are updated, and
 * only after the controller confirmed success.
 */
static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_write_ssp_mode *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	if (!rp->status) {
		if (sent->mode)
			hdev->features[1][0] |= LMP_HOST_SSP;
		else
			hdev->features[1][0] &= ~LMP_HOST_SSP;
	}

	if (!rp->status) {
		if (sent->mode)
			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
		else
			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
	}

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Write_Secure_Connections_Host_Support.
 *
 * The host feature bit is always kept in sync on success.  The
 * HCI_SC_ENABLED flag, however, is only touched here when mgmt is not
 * in control; with HCI_MGMT set, mgmt owns that flag.
 */
static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_write_sc_support *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	if (!rp->status) {
		if (sent->support)
			hdev->features[1][0] |= LMP_HOST_SC;
		else
			hdev->features[1][0] &= ~LMP_HOST_SC;
	}

	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
		if (sent->support)
			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
		else
			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
	}

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_Version_Information: version data
 * is only recorded during setup/config, like the local name.
 */
static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_rp_read_local_version *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
		hdev->hci_ver = rp->hci_ver;
		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
		hdev->lmp_ver = rp->lmp_ver;
		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
	}

	return rp->status;
}

/* Command Complete for HCI_Read_Encryption_Key_Size.
 *
 * This is the host-side defence against encryption key-size downgrade
 * (the negotiated size is chosen by the controllers and an attacker in
 * the middle may try to force it down).  The reported size is accepted
 * only if it is at least hdev->min_enc_key_size and not smaller than the
 * size recorded with the stored link key from a previous pairing.
 * Otherwise, or if the read failed, the link is treated as not properly
 * encrypted: the failure case records a key size of 0 and the downgrade
 * case reports HCI_ERROR_AUTH_FAILURE and clears the encryption bits on
 * the connection.  hci_encrypt_cfm() then acts on the resulting status.
 *
 * Returns the HCI status, 0xFF if the handle is unknown, or
 * HCI_ERROR_AUTH_FAILURE on a rejected key size.
 */
static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_rp_read_enc_key_size *rp = data;
	struct hci_conn *conn;
	u16 handle;
	u8 status = rp->status;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	handle = le16_to_cpu(rp->handle);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, handle);
	if (!conn) {
		status = 0xFF;
		goto done;
	}

	/* While unexpected, the read_enc_key_size command may fail. The most
	 * secure approach is to then assume the key size is 0 to force a
	 * disconnection.
	 */
	if (status) {
		bt_dev_err(hdev, "failed to read key size for handle %u",
			   handle);
		conn->enc_key_size = 0;
	} else {
		/* Key size remembered with the link key, if any; NULL when
		 * there is no stored key for this connection.
		 */
		u8 *key_enc_size = hci_conn_key_enc_size(conn);

		conn->enc_key_size = rp->key_size;
		status = 0;

		/* Attempt to check if the key size is too small or if it has
		 * been downgraded from the last time it was stored as part of
		 * the link_key.
		 */
		if (conn->enc_key_size < hdev->min_enc_key_size ||
		    (key_enc_size && conn->enc_key_size < *key_enc_size)) {
			/* As slave role, the conn->state has been set to
			 * BT_CONNECTED and l2cap conn req might not be received
			 * yet, at this moment the l2cap layer almost does
			 * nothing with the non-zero status.
			 * So we also clear encrypt related bits, and then the
			 * handler of l2cap conn req will get the right secure
			 * state at a later time.
			 */
			status = HCI_ERROR_AUTH_FAILURE;
			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
		}

		/* Update the key encryption size with the connection one.
		 * This also runs in the rejected case above, so the stored
		 * size follows what the controller reported; the downgrade
		 * check only ever compares against the previously stored
		 * value, not against a fixed baseline.
		 */
		if (key_enc_size && *key_enc_size != conn->enc_key_size)
			*key_enc_size = conn->enc_key_size;
	}

	hci_encrypt_cfm(conn, status);

done:
	hci_dev_unlock(hdev);

	return status;
}

/* Command Complete for HCI_Read_Local_Supported_Commands: the supported
 * command bitmap is captured only during setup/config.
 */
static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_rp_read_local_commands *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
	    hci_dev_test_flag(hdev, HCI_CONFIG))
		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));

	return rp->status;
}

/* Command Complete for HCI_Read_Authenticated_Payload_Timeout: cache the
 * timeout on the matching connection.
 */
static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
					   struct sk_buff *skb)
{
	struct hci_rp_read_auth_payload_to *rp = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
	if (conn)
		conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Write_Authenticated_Payload_Timeout.
 *
 * Unlike most handlers here an unknown handle is reported as an error
 * (status 0xff) rather than ignored.  On success the timeout is taken
 * from the sent command, skipping its 2-byte handle.
 */
static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
					    struct sk_buff *skb)
{
	struct hci_rp_write_auth_payload_to *rp = data;
	struct hci_conn *conn;
	void *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
	if (!conn) {
		rp->status = 0xff;
		goto unlock;
	}

	if (!rp->status)
		conn->auth_payload_timeout = get_unaligned_le16(sent + 2);

unlock:
	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_Supported_Features.
 *
 * Copies feature page 0 and derives the ACL/SCO/eSCO packet types the
 * host may use from the advertised LMP features.
 */
static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_rp_read_local_features *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	memcpy(hdev->features, rp->features, 8);

	/* Adjust default settings according to features
	 * supported by device.
	 */

	if (hdev->features[0][0] & LMP_3SLOT)
		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);

	if (hdev->features[0][0] & LMP_5SLOT)
		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);

	if (hdev->features[0][1] & LMP_HV2) {
		hdev->pkt_type |= (HCI_HV2);
		hdev->esco_type |= (ESCO_HV2);
	}

	if (hdev->features[0][1] & LMP_HV3) {
		hdev->pkt_type |= (HCI_HV3);
		hdev->esco_type |= (ESCO_HV3);
	}

	if (lmp_esco_capable(hdev))
		hdev->esco_type |= (ESCO_EV3);

	if (hdev->features[0][4] & LMP_EV4)
		hdev->esco_type |= (ESCO_EV4);

	if (hdev->features[0][4] & LMP_EV5)
		hdev->esco_type |= (ESCO_EV5);

	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
		hdev->esco_type |= (ESCO_2EV3);

	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
		hdev->esco_type |= (ESCO_3EV3);

	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_Extended_Features.
 *
 * Both rp->max_page and rp->page come from the controller.  The page
 * index is bounds-checked against HCI_MAX_PAGES before being used to
 * index hdev->features, so a bogus page number cannot write outside the
 * array.  Controllers with the BROKEN_LOCAL_EXT_FEATURES_PAGE_2 quirk
 * report a max_page they cannot actually serve; their value is logged
 * and ignored.
 */
static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_rp_read_local_ext_features *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (hdev->max_page < rp->max_page) {
		if (hci_test_quirk(hdev,
				   HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2))
			bt_dev_warn(hdev, "broken local ext features page 2");
		else
			hdev->max_page = rp->max_page;
	}

	if (rp->page < HCI_MAX_PAGES)
		memcpy(hdev->features[rp->page], rp->features, 8);

	return rp->status;
}

/* Command Complete for HCI_Read_Buffer_Size.
 *
 * Records the controller's ACL/SCO MTUs and packet counts and primes the
 * flow-control credit counters from them.  A controller reporting a zero
 * ACL MTU or zero ACL packets is unusable (no ACL data could ever be
 * sent), so that is rejected with HCI_ERROR_INVALID_PARAMETERS rather
 * than accepted silently.
 */
static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_rp_read_buffer_size *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
	hdev->sco_mtu = rp->sco_mtu;
	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);

	/* Some controllers report bogus SCO buffer sizes; override them. */
	if (hci_test_quirk(hdev, HCI_QUIRK_FIXUP_BUFFER_SIZE)) {
		hdev->sco_mtu = 64;
		hdev->sco_pkts = 8;
	}

	/* Without voice-setting support there is no usable SCO path. */
	if (!read_voice_setting_capable(hdev))
		hdev->sco_pkts = 0;

	hdev->acl_cnt = hdev->acl_pkts;
	hdev->sco_cnt = hdev->sco_pkts;

	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);

	if (!hdev->acl_mtu || !hdev->acl_pkts)
		return HCI_ERROR_INVALID_PARAMETERS;

	return rp->status;
}

/* Command Complete for HCI_Read_BD_ADDR.
 *
 * The public address is adopted only while HCI_INIT is set, so a later
 * (unexpected) reply cannot change the device identity underneath a
 * running stack.  During setup the address is also saved separately as
 * setup_addr.
 */
static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
			      struct sk_buff *skb)
{
	struct hci_rp_read_bd_addr *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (test_bit(HCI_INIT, &hdev->flags))
		bacpy(&hdev->bdaddr, &rp->bdaddr);

	if (hci_dev_test_flag(hdev, HCI_SETUP))
		bacpy(&hdev->setup_addr, &rp->bdaddr);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_Simple_Pairing_Options: records the
 * pairing options and the maximum encryption key size the controller
 * supports, during setup/config only.
 */
static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_rp_read_local_pairing_opts *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
		hdev->pairing_opts = rp->pairing_opts;
		hdev->max_enc_key_size = rp->max_key_size;
	}

	return rp->status;
}

/* Command Complete for HCI_Read_Page_Scan_Activity: cached during init. */
static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_rp_read_page_scan_activity *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (test_bit(HCI_INIT, &hdev->flags)) {
		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
		hdev->page_scan_window = __le16_to_cpu(rp->window);
	}

	return rp->status;
}

/* Command Complete for HCI_Write_Page_Scan_Activity: adopt the values we
 * sent on success.
 */
static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
					  struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_write_page_scan_activity *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
	if (!sent)
		return rp->status;

	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
	hdev->page_scan_window = __le16_to_cpu(sent->window);

	return rp->status;
}

/* Command Complete for HCI_Read_Page_Scan_Type: cached during init. */
static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_rp_read_page_scan_type *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (test_bit(HCI_INIT, &hdev->flags))
		hdev->page_scan_type = rp->type;

	return rp->status;
}

/* Command Complete for HCI_Write_Page_Scan_Type: the single parameter
 * byte we sent becomes the cached type.
 */
static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
				      struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	u8 *type;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
	if (type)
		hdev->page_scan_type = *type;

	return rp->status;
}

/* Command Complete for HCI_Read_Clock.
 *
 * cp->which selects what was asked for: 0x00 is the local controller
 * clock (stored on hdev), anything else the piconet clock of the
 * connection identified by rp->handle (stored on the connection together
 * with its accuracy).
 */
static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
			    struct sk_buff *skb)
{
	struct hci_rp_read_clock *rp = data;
	struct hci_cp_read_clock *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hci_dev_lock(hdev);

	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
	if (!cp)
		goto unlock;

	if (cp->which == 0x00) {
		hdev->clock = le32_to_cpu(rp->clock);
		goto unlock;
	}

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
	if (conn) {
		conn->clock = le32_to_cpu(rp->clock);
		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
	}

unlock:
	hci_dev_unlock(hdev);
	return rp->status;
}

/* Command Complete for HCI_Read_Inquiry_Response_Transmit_Power_Level. */
static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
				       struct sk_buff *skb)
{
	struct hci_rp_read_inq_rsp_tx_power *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->inq_tx_power = rp->tx_power;

	return rp->status;
}

/* Command Complete for HCI_Read_Default_Erroneous_Data_Reporting. */
static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
					     struct sk_buff *skb)
{
	struct hci_rp_read_def_err_data_reporting *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->err_data_reporting = rp->err_data_reporting;

	return rp->status;
}

/* Command Complete for HCI_Write_Default_Erroneous_Data_Reporting: adopt
 * the value we sent on success.
 */
static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
					      struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_write_def_err_data_reporting *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
	if (!cp)
		return rp->status;

	hdev->err_data_reporting = cp->err_data_reporting;

	return rp->status;
}

/* Command Complete for HCI_PIN_Code_Request_Reply.
 *
 * mgmt is told the outcome (with the peer address from the reply).  On
 * success the PIN length from the command we sent is recorded on the
 * ACL connection to that peer; the connection is looked up by the
 * address we sent, not the one echoed back.
 */
static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_rp_pin_code_reply *rp = data;
	struct hci_cp_pin_code_reply *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);

	if (rp->status)
		goto unlock;

	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
	if (!cp)
		goto unlock;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
	if (conn)
		conn->pin_length = cp->pin_len;

unlock:
	hci_dev_unlock(hdev);
	return rp->status;
}

/* Command Complete for HCI_PIN_Code_Request_Negative_Reply: only mgmt
 * needs to hear about it.
 */
static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_rp_pin_code_neg_reply *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
						 rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_LE_Read_Buffer_Size.
 *
 * An LE MTU of 0 is accepted as-is (presumably meaning the controller
 * has no dedicated LE buffers and the ACL ones are shared; the fallback,
 * if any, lives elsewhere).  A non-zero MTU below HCI_MIN_LE_MTU is
 * rejected with HCI_ERROR_INVALID_PARAMETERS, since LE data could not be
 * carried in it.
 */
static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_rp_le_read_buffer_size *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
	hdev->le_pkts = rp->le_max_pkt;

	hdev->le_cnt = hdev->le_pkts;

	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);

	if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
		return HCI_ERROR_INVALID_PARAMETERS;

	return rp->status;
}

/* Command Complete for HCI_LE_Read_Local_Supported_Features. */
static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_rp_le_read_local_features *rp = data;

	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);

	if (rp->status)
		return rp->status;

	memcpy(hdev->le_features, rp->features, 8);

	return rp->status;
}

/* Command Complete for HCI_LE_Read_Advertising_Channel_Tx_Power. */
static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
				      struct sk_buff *skb)
{
	struct hci_rp_le_read_adv_tx_power *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	hdev->adv_tx_power = rp->tx_power;

	return rp->status;
}

/* Command Complete for HCI_User_Confirmation_Request_Reply: forward the
 * outcome to mgmt (BR/EDR link, public address type).
 */
static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_rp_user_confirm_reply *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
						 rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_User_Confirmation_Request_Negative_Reply. */
static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_rp_user_confirm_reply *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
						     ACL_LINK, 0, rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_User_Passkey_Request_Reply.  The return
 * parameters have the same layout as the confirm reply, hence the
 * shared struct.
 */
static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_rp_user_confirm_reply *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
						 0, rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_User_Passkey_Request_Negative_Reply. */
static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_rp_user_confirm_reply *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	hci_dev_lock(hdev);

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
						     ACL_LINK, 0, rp->status);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_OOB_Data.  The hash/randomizer are
 * consumed by the command's completion callback, not here.
 */
static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_rp_read_local_oob_data *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	return rp->status;
}

/* Command Complete for HCI_Read_Local_OOB_Extended_Data (P-192 and P-256
 * values); handled by the completion callback like the non-extended one.
 */
static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_rp_read_local_oob_ext_data *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	return rp->status;
}

/* Command Complete for HCI_LE_Set_Random_Address.
 *
 * Records the random address the controller now uses.  If that address
 * is the current resolvable private address (RPA), the RPA is marked as
 * fresh and the rpa_expired timer is re-armed for hdev->rpa_timeout
 * seconds, so that the address is rotated again on schedule; this is
 * what bounds how long a passive observer can track the device by its
 * address.
 */
static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	bdaddr_t *sent;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
	if (!sent)
		return rp->status;

	hci_dev_lock(hdev);

	bacpy(&hdev->random_addr, sent);

	if (!bacmp(&hdev->rpa, sent)) {
		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
		queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
				   secs_to_jiffies(hdev->rpa_timeout));
	}

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_LE_Set_Default_PHY: cache the TX/RX PHY
 * preferences we sent.
 */
static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_le_set_default_phy *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
	if (!cp)
		return rp->status;

	hci_dev_lock(hdev);

	hdev->le_tx_def_phys = cp->tx_phys;
	hdev->le_rx_def_phys = cp->rx_phys;

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_LE_Set_Advertising_Set_Random_Address.
 *
 * Per-advertising-set counterpart of hci_cc_le_set_random_addr(): the
 * address is recorded on the advertising instance and, if it is the
 * current RPA, that instance's own expiry timer is re-armed.
 */
static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
					    struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_le_set_adv_set_rand_addr *cp;
	struct adv_info *adv;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
	/* Update only in case the adv instance since handle 0x00 shall be using
	 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
	 * non-extended adverting.
	 */
	if (!cp || !cp->handle)
		return rp->status;

	hci_dev_lock(hdev);

	adv = hci_find_adv_instance(hdev, cp->handle);
	if (adv) {
		bacpy(&adv->random_addr, &cp->bdaddr);
		if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
			adv->rpa_expired = false;
			queue_delayed_work(hdev->workqueue,
					   &adv->rpa_expired_cb,
					   secs_to_jiffies(hdev->rpa_timeout));
		}
	}

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_LE_Remove_Advertising_Set: drop the host-side
 * instance and, if that succeeded, notify mgmt on behalf of the socket
 * that issued the command.
 */
static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	u8 *instance;
	int err;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
	if (!instance)
		return rp->status;

	hci_dev_lock(hdev);

	err = hci_remove_adv_instance(hdev, *instance);
	if (!err)
		mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
					 *instance);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* Command Complete for HCI_LE_Clear_Advertising_Sets: remove every
 * host-side advertising instance (body continues past this excerpt).
 */
static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct adv_info *adv, *n;
	int err;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
		return rp->status;

	hci_dev_lock(hdev);

	list_for_each_entry_safe(adv, n,
&hdev->adv_instances, list) { 1487 u8 instance = adv->instance; 1488 1489 err = hci_remove_adv_instance(hdev, instance); 1490 if (!err) 1491 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1492 hdev, instance); 1493 } 1494 1495 hci_dev_unlock(hdev); 1496 1497 return rp->status; 1498 } 1499 1500 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data, 1501 struct sk_buff *skb) 1502 { 1503 struct hci_rp_le_read_transmit_power *rp = data; 1504 1505 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1506 1507 if (rp->status) 1508 return rp->status; 1509 1510 hdev->min_le_tx_power = rp->min_le_tx_power; 1511 hdev->max_le_tx_power = rp->max_le_tx_power; 1512 1513 return rp->status; 1514 } 1515 1516 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, 1517 struct sk_buff *skb) 1518 { 1519 struct hci_ev_status *rp = data; 1520 struct hci_cp_le_set_privacy_mode *cp; 1521 struct hci_conn_params *params; 1522 1523 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1524 1525 if (rp->status) 1526 return rp->status; 1527 1528 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE); 1529 if (!cp) 1530 return rp->status; 1531 1532 hci_dev_lock(hdev); 1533 1534 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); 1535 if (params) 1536 WRITE_ONCE(params->privacy_mode, cp->mode); 1537 1538 hci_dev_unlock(hdev); 1539 1540 return rp->status; 1541 } 1542 1543 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data, 1544 struct sk_buff *skb) 1545 { 1546 struct hci_ev_status *rp = data; 1547 __u8 *sent; 1548 1549 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1550 1551 if (rp->status) 1552 return rp->status; 1553 1554 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1555 if (!sent) 1556 return rp->status; 1557 1558 hci_dev_lock(hdev); 1559 1560 /* If we're doing connection initiation as peripheral. Set a 1561 * timeout in case something goes wrong. 
1562 */ 1563 if (*sent) { 1564 struct hci_conn *conn; 1565 1566 hci_dev_set_flag(hdev, HCI_LE_ADV); 1567 1568 conn = hci_lookup_le_connect(hdev); 1569 if (conn) 1570 queue_delayed_work(hdev->workqueue, 1571 &conn->le_conn_timeout, 1572 conn->conn_timeout); 1573 } else { 1574 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1575 } 1576 1577 hci_dev_unlock(hdev); 1578 1579 return rp->status; 1580 } 1581 1582 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, 1583 struct sk_buff *skb) 1584 { 1585 struct hci_cp_le_set_ext_adv_enable *cp; 1586 struct hci_cp_ext_adv_set *set; 1587 struct adv_info *adv = NULL, *n; 1588 struct hci_ev_status *rp = data; 1589 1590 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1591 1592 if (rp->status) 1593 return rp->status; 1594 1595 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1596 if (!cp) 1597 return rp->status; 1598 1599 set = (void *)cp->data; 1600 1601 hci_dev_lock(hdev); 1602 1603 if (cp->num_of_sets) 1604 adv = hci_find_adv_instance(hdev, set->handle); 1605 1606 if (cp->enable) { 1607 struct hci_conn *conn; 1608 1609 hci_dev_set_flag(hdev, HCI_LE_ADV); 1610 1611 if (adv) 1612 adv->enabled = true; 1613 else if (!set->handle) 1614 hci_dev_set_flag(hdev, HCI_LE_ADV_0); 1615 1616 conn = hci_lookup_le_connect(hdev); 1617 if (conn) 1618 queue_delayed_work(hdev->workqueue, 1619 &conn->le_conn_timeout, 1620 conn->conn_timeout); 1621 } else { 1622 if (cp->num_of_sets) { 1623 if (adv) 1624 adv->enabled = false; 1625 else if (!set->handle) 1626 hci_dev_clear_flag(hdev, HCI_LE_ADV_0); 1627 1628 /* If just one instance was disabled check if there are 1629 * any other instance enabled before clearing HCI_LE_ADV 1630 */ 1631 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1632 list) { 1633 if (adv->enabled) 1634 goto unlock; 1635 } 1636 } else { 1637 /* All instances shall be considered disabled */ 1638 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1639 list) 1640 adv->enabled = false; 1641 } 1642 1643 
hci_dev_clear_flag(hdev, HCI_LE_ADV); 1644 } 1645 1646 unlock: 1647 hci_dev_unlock(hdev); 1648 return rp->status; 1649 } 1650 1651 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data, 1652 struct sk_buff *skb) 1653 { 1654 struct hci_cp_le_set_scan_param *cp; 1655 struct hci_ev_status *rp = data; 1656 1657 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1658 1659 if (rp->status) 1660 return rp->status; 1661 1662 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1663 if (!cp) 1664 return rp->status; 1665 1666 hci_dev_lock(hdev); 1667 1668 hdev->le_scan_type = cp->type; 1669 1670 hci_dev_unlock(hdev); 1671 1672 return rp->status; 1673 } 1674 1675 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data, 1676 struct sk_buff *skb) 1677 { 1678 struct hci_cp_le_set_ext_scan_params *cp; 1679 struct hci_ev_status *rp = data; 1680 struct hci_cp_le_scan_phy_params *phy_param; 1681 1682 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1683 1684 if (rp->status) 1685 return rp->status; 1686 1687 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1688 if (!cp) 1689 return rp->status; 1690 1691 phy_param = (void *)cp->data; 1692 1693 hci_dev_lock(hdev); 1694 1695 hdev->le_scan_type = phy_param->type; 1696 1697 hci_dev_unlock(hdev); 1698 1699 return rp->status; 1700 } 1701 1702 static bool has_pending_adv_report(struct hci_dev *hdev) 1703 { 1704 struct discovery_state *d = &hdev->discovery; 1705 1706 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1707 } 1708 1709 static void clear_pending_adv_report(struct hci_dev *hdev) 1710 { 1711 struct discovery_state *d = &hdev->discovery; 1712 1713 bacpy(&d->last_adv_addr, BDADDR_ANY); 1714 d->last_adv_data_len = 0; 1715 } 1716 1717 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1718 u8 bdaddr_type, s8 rssi, u32 flags, 1719 u8 *data, u8 len) 1720 { 1721 struct discovery_state *d = &hdev->discovery; 1722 1723 if (len > max_adv_len(hdev)) 1724 return; 1725 1726 
bacpy(&d->last_adv_addr, bdaddr); 1727 d->last_adv_addr_type = bdaddr_type; 1728 d->last_adv_rssi = rssi; 1729 d->last_adv_flags = flags; 1730 memcpy(d->last_adv_data, data, len); 1731 d->last_adv_data_len = len; 1732 } 1733 1734 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1735 { 1736 hci_dev_lock(hdev); 1737 1738 switch (enable) { 1739 case LE_SCAN_ENABLE: 1740 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1741 if (hdev->le_scan_type == LE_SCAN_ACTIVE) { 1742 clear_pending_adv_report(hdev); 1743 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 1744 } 1745 break; 1746 1747 case LE_SCAN_DISABLE: 1748 /* We do this here instead of when setting DISCOVERY_STOPPED 1749 * since the latter would potentially require waiting for 1750 * inquiry to stop too. 1751 */ 1752 if (has_pending_adv_report(hdev)) { 1753 struct discovery_state *d = &hdev->discovery; 1754 1755 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1756 d->last_adv_addr_type, NULL, 1757 d->last_adv_rssi, d->last_adv_flags, 1758 d->last_adv_data, 1759 d->last_adv_data_len, NULL, 0, 0); 1760 } 1761 1762 /* Cancel this timer so that we don't try to disable scanning 1763 * when it's already disabled. 1764 */ 1765 cancel_delayed_work(&hdev->le_scan_disable); 1766 1767 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1768 1769 if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED && 1770 hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY) && 1771 !test_bit(HCI_INQUIRY, &hdev->flags) && 1772 hdev->discovery.state == DISCOVERY_FINDING) { 1773 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1774 } 1775 1776 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1777 * interrupted scanning due to a connect request. Mark 1778 * therefore discovery as stopped. 
1779 */ 1780 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1781 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1782 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1783 hdev->discovery.state == DISCOVERY_FINDING) 1784 queue_work(hdev->workqueue, &hdev->reenable_adv_work); 1785 1786 break; 1787 1788 default: 1789 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1790 enable); 1791 break; 1792 } 1793 1794 hci_dev_unlock(hdev); 1795 } 1796 1797 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data, 1798 struct sk_buff *skb) 1799 { 1800 struct hci_cp_le_set_scan_enable *cp; 1801 struct hci_ev_status *rp = data; 1802 1803 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1804 1805 if (rp->status) 1806 return rp->status; 1807 1808 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1809 if (!cp) 1810 return rp->status; 1811 1812 le_set_scan_enable_complete(hdev, cp->enable); 1813 1814 return rp->status; 1815 } 1816 1817 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data, 1818 struct sk_buff *skb) 1819 { 1820 struct hci_cp_le_set_ext_scan_enable *cp; 1821 struct hci_ev_status *rp = data; 1822 1823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1824 1825 if (rp->status) 1826 return rp->status; 1827 1828 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1829 if (!cp) 1830 return rp->status; 1831 1832 le_set_scan_enable_complete(hdev, cp->enable); 1833 1834 return rp->status; 1835 } 1836 1837 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data, 1838 struct sk_buff *skb) 1839 { 1840 struct hci_rp_le_read_num_supported_adv_sets *rp = data; 1841 1842 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status, 1843 rp->num_of_sets); 1844 1845 if (rp->status) 1846 return rp->status; 1847 1848 hdev->le_num_of_adv_sets = rp->num_of_sets; 1849 1850 return rp->status; 1851 } 1852 1853 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data, 1854 struct 
sk_buff *skb) 1855 { 1856 struct hci_rp_le_read_accept_list_size *rp = data; 1857 1858 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 1859 1860 if (rp->status) 1861 return rp->status; 1862 1863 hdev->le_accept_list_size = rp->size; 1864 1865 return rp->status; 1866 } 1867 1868 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data, 1869 struct sk_buff *skb) 1870 { 1871 struct hci_ev_status *rp = data; 1872 1873 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1874 1875 if (rp->status) 1876 return rp->status; 1877 1878 hci_dev_lock(hdev); 1879 hci_bdaddr_list_clear(&hdev->le_accept_list); 1880 hci_dev_unlock(hdev); 1881 1882 return rp->status; 1883 } 1884 1885 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data, 1886 struct sk_buff *skb) 1887 { 1888 struct hci_cp_le_add_to_accept_list *sent; 1889 struct hci_ev_status *rp = data; 1890 1891 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1892 1893 if (rp->status) 1894 return rp->status; 1895 1896 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1897 if (!sent) 1898 return rp->status; 1899 1900 hci_dev_lock(hdev); 1901 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1902 sent->bdaddr_type); 1903 hci_dev_unlock(hdev); 1904 1905 return rp->status; 1906 } 1907 1908 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data, 1909 struct sk_buff *skb) 1910 { 1911 struct hci_cp_le_del_from_accept_list *sent; 1912 struct hci_ev_status *rp = data; 1913 1914 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1915 1916 if (rp->status) 1917 return rp->status; 1918 1919 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1920 if (!sent) 1921 return rp->status; 1922 1923 hci_dev_lock(hdev); 1924 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1925 sent->bdaddr_type); 1926 hci_dev_unlock(hdev); 1927 1928 return rp->status; 1929 } 1930 1931 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data, 1932 
struct sk_buff *skb) 1933 { 1934 struct hci_rp_le_read_supported_states *rp = data; 1935 1936 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1937 1938 if (rp->status) 1939 return rp->status; 1940 1941 memcpy(hdev->le_states, rp->le_states, 8); 1942 1943 return rp->status; 1944 } 1945 1946 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data, 1947 struct sk_buff *skb) 1948 { 1949 struct hci_rp_le_read_def_data_len *rp = data; 1950 1951 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1952 1953 if (rp->status) 1954 return rp->status; 1955 1956 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1957 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1958 1959 return rp->status; 1960 } 1961 1962 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data, 1963 struct sk_buff *skb) 1964 { 1965 struct hci_cp_le_write_def_data_len *sent; 1966 struct hci_ev_status *rp = data; 1967 1968 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1969 1970 if (rp->status) 1971 return rp->status; 1972 1973 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1974 if (!sent) 1975 return rp->status; 1976 1977 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1978 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1979 1980 return rp->status; 1981 } 1982 1983 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data, 1984 struct sk_buff *skb) 1985 { 1986 struct hci_cp_le_add_to_resolv_list *sent; 1987 struct hci_ev_status *rp = data; 1988 1989 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1990 1991 if (rp->status) 1992 return rp->status; 1993 1994 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1995 if (!sent) 1996 return rp->status; 1997 1998 hci_dev_lock(hdev); 1999 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2000 sent->bdaddr_type, sent->peer_irk, 2001 sent->local_irk); 2002 hci_dev_unlock(hdev); 2003 2004 return rp->status; 2005 } 2006 2007 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, 
void *data, 2008 struct sk_buff *skb) 2009 { 2010 struct hci_cp_le_del_from_resolv_list *sent; 2011 struct hci_ev_status *rp = data; 2012 2013 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2014 2015 if (rp->status) 2016 return rp->status; 2017 2018 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 2019 if (!sent) 2020 return rp->status; 2021 2022 hci_dev_lock(hdev); 2023 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2024 sent->bdaddr_type); 2025 hci_dev_unlock(hdev); 2026 2027 return rp->status; 2028 } 2029 2030 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data, 2031 struct sk_buff *skb) 2032 { 2033 struct hci_ev_status *rp = data; 2034 2035 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2036 2037 if (rp->status) 2038 return rp->status; 2039 2040 hci_dev_lock(hdev); 2041 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2042 hci_dev_unlock(hdev); 2043 2044 return rp->status; 2045 } 2046 2047 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data, 2048 struct sk_buff *skb) 2049 { 2050 struct hci_rp_le_read_resolv_list_size *rp = data; 2051 2052 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 2053 2054 if (rp->status) 2055 return rp->status; 2056 2057 hdev->le_resolv_list_size = rp->size; 2058 2059 return rp->status; 2060 } 2061 2062 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data, 2063 struct sk_buff *skb) 2064 { 2065 struct hci_ev_status *rp = data; 2066 __u8 *sent; 2067 2068 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2069 2070 if (rp->status) 2071 return rp->status; 2072 2073 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 2074 if (!sent) 2075 return rp->status; 2076 2077 hci_dev_lock(hdev); 2078 2079 if (*sent) 2080 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 2081 else 2082 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 2083 2084 hci_dev_unlock(hdev); 2085 2086 return rp->status; 2087 } 2088 2089 static u8 
hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data, 2090 struct sk_buff *skb) 2091 { 2092 struct hci_rp_le_read_max_data_len *rp = data; 2093 2094 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2095 2096 if (rp->status) 2097 return rp->status; 2098 2099 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 2100 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 2101 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 2102 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 2103 2104 return rp->status; 2105 } 2106 2107 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data, 2108 struct sk_buff *skb) 2109 { 2110 struct hci_cp_write_le_host_supported *sent; 2111 struct hci_ev_status *rp = data; 2112 2113 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2114 2115 if (rp->status) 2116 return rp->status; 2117 2118 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 2119 if (!sent) 2120 return rp->status; 2121 2122 hci_dev_lock(hdev); 2123 2124 if (sent->le) { 2125 hdev->features[1][0] |= LMP_HOST_LE; 2126 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 2127 } else { 2128 hdev->features[1][0] &= ~LMP_HOST_LE; 2129 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 2130 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 2131 } 2132 2133 if (sent->simul) 2134 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 2135 else 2136 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 2137 2138 hci_dev_unlock(hdev); 2139 2140 return rp->status; 2141 } 2142 2143 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, 2144 struct sk_buff *skb) 2145 { 2146 struct hci_cp_le_set_adv_param *cp; 2147 struct hci_ev_status *rp = data; 2148 2149 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2150 2151 if (rp->status) 2152 return rp->status; 2153 2154 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 2155 if (!cp) 2156 return rp->status; 2157 2158 hci_dev_lock(hdev); 2159 hdev->adv_addr_type = cp->own_address_type; 2160 hci_dev_unlock(hdev); 2161 2162 return rp->status; 2163 } 2164 2165 static u8 
hci_cc_read_rssi(struct hci_dev *hdev, void *data, 2166 struct sk_buff *skb) 2167 { 2168 struct hci_rp_read_rssi *rp = data; 2169 struct hci_conn *conn; 2170 2171 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2172 2173 if (rp->status) 2174 return rp->status; 2175 2176 hci_dev_lock(hdev); 2177 2178 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2179 if (conn) 2180 conn->rssi = rp->rssi; 2181 2182 hci_dev_unlock(hdev); 2183 2184 return rp->status; 2185 } 2186 2187 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data, 2188 struct sk_buff *skb) 2189 { 2190 struct hci_cp_read_tx_power *sent; 2191 struct hci_rp_read_tx_power *rp = data; 2192 struct hci_conn *conn; 2193 2194 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2195 2196 if (rp->status) 2197 return rp->status; 2198 2199 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 2200 if (!sent) 2201 return rp->status; 2202 2203 hci_dev_lock(hdev); 2204 2205 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2206 if (!conn) 2207 goto unlock; 2208 2209 switch (sent->type) { 2210 case 0x00: 2211 conn->tx_power = rp->tx_power; 2212 break; 2213 case 0x01: 2214 conn->max_tx_power = rp->tx_power; 2215 break; 2216 } 2217 2218 unlock: 2219 hci_dev_unlock(hdev); 2220 return rp->status; 2221 } 2222 2223 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data, 2224 struct sk_buff *skb) 2225 { 2226 struct hci_ev_status *rp = data; 2227 u8 *mode; 2228 2229 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2230 2231 if (rp->status) 2232 return rp->status; 2233 2234 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 2235 if (mode) 2236 hdev->ssp_debug_mode = *mode; 2237 2238 return rp->status; 2239 } 2240 2241 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 2242 { 2243 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2244 2245 if (status) 2246 return; 2247 2248 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY)) 2249 set_bit(HCI_INQUIRY, &hdev->flags); 
2250 } 2251 2252 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 2253 { 2254 struct hci_cp_create_conn *cp; 2255 struct hci_conn *conn; 2256 2257 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2258 2259 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 2260 if (!cp) 2261 return; 2262 2263 hci_dev_lock(hdev); 2264 2265 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2266 2267 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn); 2268 2269 if (status) { 2270 if (conn && conn->state == BT_CONNECT) { 2271 conn->state = BT_CLOSED; 2272 hci_connect_cfm(conn, status); 2273 hci_conn_del(conn); 2274 } 2275 } else { 2276 if (!conn) { 2277 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr, 2278 0, HCI_ROLE_MASTER); 2279 if (IS_ERR(conn)) 2280 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 2281 } 2282 } 2283 2284 hci_dev_unlock(hdev); 2285 } 2286 2287 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2288 { 2289 struct hci_cp_add_sco *cp; 2290 struct hci_conn *acl; 2291 struct hci_link *link; 2292 __u16 handle; 2293 2294 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2295 2296 if (!status) 2297 return; 2298 2299 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2300 if (!cp) 2301 return; 2302 2303 handle = __le16_to_cpu(cp->handle); 2304 2305 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2306 2307 hci_dev_lock(hdev); 2308 2309 acl = hci_conn_hash_lookup_handle(hdev, handle); 2310 if (acl) { 2311 link = list_first_entry_or_null(&acl->link_list, 2312 struct hci_link, list); 2313 if (link && link->conn) { 2314 link->conn->state = BT_CLOSED; 2315 2316 hci_connect_cfm(link->conn, status); 2317 hci_conn_del(link->conn); 2318 } 2319 } 2320 2321 hci_dev_unlock(hdev); 2322 } 2323 2324 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2325 { 2326 struct hci_cp_auth_requested *cp; 2327 struct hci_conn *conn; 2328 2329 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2330 2331 if (!status) 2332 return; 2333 2334 cp = 
hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2335 if (!cp) 2336 return; 2337 2338 hci_dev_lock(hdev); 2339 2340 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2341 if (conn) { 2342 if (conn->state == BT_CONFIG) { 2343 hci_connect_cfm(conn, status); 2344 hci_conn_drop(conn); 2345 } 2346 } 2347 2348 hci_dev_unlock(hdev); 2349 } 2350 2351 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2352 { 2353 struct hci_cp_set_conn_encrypt *cp; 2354 struct hci_conn *conn; 2355 2356 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2357 2358 if (!status) 2359 return; 2360 2361 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2362 if (!cp) 2363 return; 2364 2365 hci_dev_lock(hdev); 2366 2367 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2368 if (conn) { 2369 if (conn->state == BT_CONFIG) { 2370 hci_connect_cfm(conn, status); 2371 hci_conn_drop(conn); 2372 } 2373 } 2374 2375 hci_dev_unlock(hdev); 2376 } 2377 2378 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2379 struct hci_conn *conn) 2380 { 2381 if (conn->state != BT_CONFIG || !conn->out) 2382 return 0; 2383 2384 if (conn->pending_sec_level == BT_SECURITY_SDP) 2385 return 0; 2386 2387 /* Only request authentication for SSP connections or non-SSP 2388 * devices with sec_level MEDIUM or HIGH or if MITM protection 2389 * is requested. 
2390 */ 2391 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2392 conn->pending_sec_level != BT_SECURITY_FIPS && 2393 conn->pending_sec_level != BT_SECURITY_HIGH && 2394 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2395 return 0; 2396 2397 return 1; 2398 } 2399 2400 static int hci_resolve_name(struct hci_dev *hdev, 2401 struct inquiry_entry *e) 2402 { 2403 struct hci_cp_remote_name_req cp; 2404 2405 memset(&cp, 0, sizeof(cp)); 2406 2407 bacpy(&cp.bdaddr, &e->data.bdaddr); 2408 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2409 cp.pscan_mode = e->data.pscan_mode; 2410 cp.clock_offset = e->data.clock_offset; 2411 2412 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2413 } 2414 2415 static bool hci_resolve_next_name(struct hci_dev *hdev) 2416 { 2417 struct discovery_state *discov = &hdev->discovery; 2418 struct inquiry_entry *e; 2419 2420 if (list_empty(&discov->resolve)) 2421 return false; 2422 2423 /* We should stop if we already spent too much time resolving names. */ 2424 if (time_after(jiffies, discov->name_resolve_timeout)) { 2425 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2426 return false; 2427 } 2428 2429 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2430 if (!e) 2431 return false; 2432 2433 if (hci_resolve_name(hdev, e) == 0) { 2434 e->name_state = NAME_PENDING; 2435 return true; 2436 } 2437 2438 return false; 2439 } 2440 2441 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2442 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2443 { 2444 struct discovery_state *discov = &hdev->discovery; 2445 struct inquiry_entry *e; 2446 2447 /* Update the mgmt connected state if necessary. Be careful with 2448 * conn objects that exist but are not (yet) connected however. 2449 * Only those in BT_CONFIG or BT_CONNECTED states can be 2450 * considered connected. 
2451 */ 2452 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) 2453 mgmt_device_connected(hdev, conn, name, name_len); 2454 2455 if (discov->state == DISCOVERY_STOPPED) 2456 return; 2457 2458 if (discov->state == DISCOVERY_STOPPING) 2459 goto discov_complete; 2460 2461 if (discov->state != DISCOVERY_RESOLVING) 2462 return; 2463 2464 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2465 /* If the device was not found in a list of found devices names of which 2466 * are pending. there is no need to continue resolving a next name as it 2467 * will be done upon receiving another Remote Name Request Complete 2468 * Event */ 2469 if (!e) 2470 return; 2471 2472 list_del(&e->list); 2473 2474 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2475 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2476 name, name_len); 2477 2478 if (hci_resolve_next_name(hdev)) 2479 return; 2480 2481 discov_complete: 2482 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2483 } 2484 2485 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2486 { 2487 struct hci_cp_remote_name_req *cp; 2488 struct hci_conn *conn; 2489 2490 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2491 2492 /* If successful wait for the name req complete event before 2493 * checking for the need to do authentication */ 2494 if (!status) 2495 return; 2496 2497 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2498 if (!cp) 2499 return; 2500 2501 hci_dev_lock(hdev); 2502 2503 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2504 2505 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2506 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2507 2508 if (!conn) 2509 goto unlock; 2510 2511 if (!hci_outgoing_auth_needed(hdev, conn)) 2512 goto unlock; 2513 2514 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2515 struct hci_cp_auth_requested auth_cp; 2516 2517 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2518 2519 auth_cp.handle = 
__cpu_to_le16(conn->handle); 2520 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2521 sizeof(auth_cp), &auth_cp); 2522 } 2523 2524 unlock: 2525 hci_dev_unlock(hdev); 2526 } 2527 2528 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2529 { 2530 struct hci_cp_read_remote_features *cp; 2531 struct hci_conn *conn; 2532 2533 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2534 2535 if (!status) 2536 return; 2537 2538 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2539 if (!cp) 2540 return; 2541 2542 hci_dev_lock(hdev); 2543 2544 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2545 if (conn) { 2546 if (conn->state == BT_CONFIG) { 2547 hci_connect_cfm(conn, status); 2548 hci_conn_drop(conn); 2549 } 2550 } 2551 2552 hci_dev_unlock(hdev); 2553 } 2554 2555 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2556 { 2557 struct hci_cp_read_remote_ext_features *cp; 2558 struct hci_conn *conn; 2559 2560 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2561 2562 if (!status) 2563 return; 2564 2565 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2566 if (!cp) 2567 return; 2568 2569 hci_dev_lock(hdev); 2570 2571 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2572 if (conn) { 2573 if (conn->state == BT_CONFIG) { 2574 hci_connect_cfm(conn, status); 2575 hci_conn_drop(conn); 2576 } 2577 } 2578 2579 hci_dev_unlock(hdev); 2580 } 2581 2582 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle, 2583 __u8 status) 2584 { 2585 struct hci_conn *acl; 2586 struct hci_link *link; 2587 2588 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status); 2589 2590 hci_dev_lock(hdev); 2591 2592 acl = hci_conn_hash_lookup_handle(hdev, handle); 2593 if (acl) { 2594 link = list_first_entry_or_null(&acl->link_list, 2595 struct hci_link, list); 2596 if (link && link->conn) { 2597 link->conn->state = BT_CLOSED; 2598 2599 hci_connect_cfm(link->conn, status); 2600 
hci_conn_del(link->conn);
		}
	}

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_SETUP_SYNC_CONN.
 *
 * A zero status means the controller accepted the request and the result
 * arrives in a later Synchronous Connection Complete event. On failure
 * the pending SCO/eSCO connection is torn down through
 * hci_setup_sync_conn_status() using the ACL handle from the sent command.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
{
	struct hci_cp_setup_sync_conn *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
	if (!cp)
		return;

	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
}

/* Command Status handler for HCI_OP_ENHANCED_SETUP_SYNC_CONN.
 *
 * Same failure handling as hci_cs_setup_sync_conn(), only the command
 * parameter struct differs.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
{
	struct hci_cp_enhanced_setup_sync_conn *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
	if (!cp)
		return;

	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
}

/* Command Status handler for HCI_OP_SNIFF_MODE.
 *
 * On a failure status the mode-change is no longer pending. If a SCO
 * setup was waiting for the mode change (HCI_CONN_SCO_SETUP_PEND) it is
 * resumed now with the failure status so it can report the error rather
 * than hang.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
{
	struct hci_cp_sniff_mode *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (conn) {
		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);

		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
			hci_sco_setup(conn, status);
	}

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_EXIT_SNIFF_MODE.
 *
 * Identical to hci_cs_sniff_mode() apart from the opcode: clears the
 * pending mode change and resumes a waiting SCO setup with the failure
 * status.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
{
	struct hci_cp_exit_sniff_mode *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
if (conn) {
		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);

		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
			hci_sco_setup(conn, status);
	}

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_DISCONNECT.
 *
 * Normally a zero status is ignored and the connection is cleaned up when
 * HCI_EV_DISCONN_COMPLETE arrives. Two situations are handled here
 * instead:
 *
 *  - the command failed with anything other than
 *    HCI_ERROR_UNKNOWN_CONN_ID: mgmt is told the disconnect failed, a
 *    peripheral-role LE link re-enables advertising, sockets are informed
 *    and the hci_conn is deleted;
 *  - the command was sent while suspended (hdev->suspended), or failed
 *    with HCI_ERROR_UNKNOWN_CONN_ID: the connection is treated as gone
 *    right now, using cp->reason as the disconnect reason, since the
 *    Disconnection Complete event may never arrive.
 *
 * Runs under hdev->lock from hci_dev_lock() until the unlock label.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_disconnect *cp;
	struct hci_conn_params *params;
	struct hci_conn *conn;
	bool mgmt_conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	/* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
	 * otherwise cleanup the connection immediately.
	 */
	if (!status && !hdev->suspended)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (!conn)
		goto unlock;

	/* HCI_ERROR_UNKNOWN_CONN_ID is not treated as a failure: the
	 * controller no longer knows the handle, so the link is simply gone
	 * and falls through to the regular cleanup below.
	 */
	if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) {
		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
				       conn->dst_type, status);

		if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
			hdev->cur_adv_instance = conn->adv_instance;
			hci_enable_advertising(hdev);
		}

		/* Inform sockets conn is gone before we delete it */
		hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);

		goto done;
	}

	/* During suspend, mark connection as closed immediately
	 * since we might not receive HCI_EV_DISCONN_COMPLETE
	 */
	if (hdev->suspended)
		conn->state = BT_CLOSED;

	mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);

	/* A link key flagged for flushing is removed together with the ACL
	 * link it belonged to.
	 */
	if (conn->type == ACL_LINK) {
		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
			hci_remove_link_key(hdev, &conn->dst);
	}

	/* Re-arm auto-connection for devices configured for it; for
	 * HCI_AUTO_CONN_LINK_LOSS only when the reason we sent was a
	 * connection timeout.
	 */
	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
	if (params) {
		switch (params->auto_connect) {
		case HCI_AUTO_CONN_LINK_LOSS:
			if (cp->reason !=
HCI_ERROR_CONNECTION_TIMEOUT)
				break;
			fallthrough;

		case HCI_AUTO_CONN_DIRECT:
		case HCI_AUTO_CONN_ALWAYS:
			hci_pend_le_list_del_init(params);
			hci_pend_le_list_add(params, &hdev->pend_le_conns);
			break;

		default:
			break;
		}
	}

	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
				 cp->reason, mgmt_conn);

	hci_disconn_cfm(conn, cp->reason);

done:
	/* If the disconnection failed for any reason, the upper layer
	 * does not retry to disconnect in current implementation.
	 * Hence, we need to do some basic cleanup here and re-enable
	 * advertising if necessary.
	 */
	hci_conn_del(conn);
unlock:
	hci_dev_unlock(hdev);
}

/* Normalise an LE address type reported by the controller.
 *
 * ADDR_LE_DEV_PUBLIC_RESOLVED and ADDR_LE_DEV_RANDOM_RESOLVED are mapped
 * to ADDR_LE_DEV_PUBLIC and ADDR_LE_DEV_RANDOM respectively; any other
 * value is returned unchanged.
 *
 * @hdev: controller (unused in the body, kept for the caller's
 *        convenience)
 * @type: address type as found in the event or command
 * @resolved: optional out-parameter; set to true when @type was one of
 *            the two "resolved" types, false otherwise. May be NULL.
 *
 * Return: the base address type.
 */
static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
{
	/* When using controller based address resolution, then the new
	 * address types 0x02 and 0x03 are used. These types need to be
	 * converted back into either public address or random address type
	 */
	switch (type) {
	case ADDR_LE_DEV_PUBLIC_RESOLVED:
		if (resolved)
			*resolved = true;
		return ADDR_LE_DEV_PUBLIC;
	case ADDR_LE_DEV_RANDOM_RESOLVED:
		if (resolved)
			*resolved = true;
		return ADDR_LE_DEV_RANDOM;
	}

	if (resolved)
		*resolved = false;
	return type;
}

/* Record the address pair used to create an LE connection.
 *
 * Shared by the Command Status handlers of LE_Create_Connection and
 * LE_Extended_Create_Connection. The connection is looked up by peer
 * address; if it does not exist nothing is stored. The initiator side is
 * our own address (random_addr when the own address type resolves to
 * ADDR_LE_DEV_RANDOM, bdaddr otherwise), the responder side is the peer.
 * SMP relies on these values, which is why they are captured as soon as
 * the command is accepted.
 *
 * @hdev: controller the command was issued on
 * @peer_addr: peer address from the sent command
 * @peer_addr_type: peer address type from the sent command
 * @own_address_type: our address type from the sent command; resolved
 *                    variants are normalised via ev_bdaddr_type()
 * @filter_policy: passed by the callers but not used in this body
 *
 * Must be called with hdev->lock held (both callers take it).
 */
static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
			      u8 peer_addr_type, u8 own_address_type,
			      u8 filter_policy)
{
	struct hci_conn *conn;

	conn = hci_conn_hash_lookup_le(hdev, peer_addr,
				       peer_addr_type);
	if (!conn)
		return;

	own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);

	/* Store the initiator and responder address information which
	 * is needed for SMP. These values will not change during the
	 * lifetime of the connection.
*/
	conn->init_addr_type = own_address_type;
	if (own_address_type == ADDR_LE_DEV_RANDOM)
		bacpy(&conn->init_addr, &hdev->random_addr);
	else
		bacpy(&conn->init_addr, &hdev->bdaddr);

	conn->resp_addr_type = peer_addr_type;
	bacpy(&conn->resp_addr, peer_addr);
}

/* Command Status handler for HCI_OP_LE_CREATE_CONN.
 *
 * Only the success path is handled here: the initiator/responder
 * addresses from the sent command are stored on the hci_conn for SMP.
 * Failures are left to hci_conn_failed() via the request completion
 * callbacks, as the inline comment explains.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_create_conn *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	/* All connection failure handling is taken care of by the
	 * hci_conn_failed function which is triggered by the HCI
	 * request completion callbacks used for connecting.
	 */
	if (status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
			  cp->own_address_type, cp->filter_policy);

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_LE_EXT_CREATE_CONN.
 *
 * Same as hci_cs_le_create_conn() for the extended command; note the
 * parameter struct names the own address type field own_addr_type.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_ext_create_conn *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	/* All connection failure handling is taken care of by the
	 * hci_conn_failed function which is triggered by the HCI
	 * request completion callbacks used for connecting.
*/
	if (status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
			  cp->own_addr_type, cp->filter_policy);

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_LE_SET_PHY.
 *
 * On success the TX/RX PHY preferences from the sent command are recorded
 * on the connection as its defaults. Failures are ignored.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_le_set_phy(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_set_phy *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PHY);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (conn) {
		conn->le_tx_def_phys = cp->tx_phys;
		conn->le_rx_def_phys = cp->rx_phys;
	}

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_LE_READ_REMOTE_FEATURES.
 *
 * On a failure status a connection still in BT_CONFIG is told via
 * hci_connect_cfm(). Unlike the BR/EDR counterpart
 * hci_cs_read_remote_features() there is no hci_conn_drop() here;
 * presumably the LE setup path holds no extra reference at this point --
 * confirm against the LE connect path before relying on that.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_read_remote_features *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (conn && conn->state == BT_CONFIG)
		hci_connect_cfm(conn, status);

	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_LE_START_ENC.
 *
 * If the controller refuses to start encryption on an established LE
 * link, the link cannot be trusted any further: it is disconnected with
 * HCI_ERROR_AUTH_FAILURE and the reference taken for the encryption
 * attempt is dropped. Connections not in BT_CONNECTED are left alone.
 *
 * Note that hdev->lock is taken before hci_sent_cmd_data() here, unlike
 * most of the other hci_cs_* handlers.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_start_enc *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	hci_dev_lock(hdev);

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
	if (!cp)
		goto unlock;

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (!conn)
		goto unlock;

	if (conn->state != BT_CONNECTED)
		goto
unlock;

	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
	hci_conn_drop(conn);

unlock:
	hci_dev_unlock(hdev);
}

/* Command Status handler for HCI_OP_SWITCH_ROLE.
 *
 * On failure the role switch is no longer pending, so
 * HCI_CONN_RSWITCH_PEND is cleared on the ACL connection identified by
 * the bdaddr in the sent command. A zero status is ignored; the result
 * is reported by the Role Change event.
 *
 * @hdev: controller the command was issued on
 * @status: HCI status byte carried by the Command Status event
 */
static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_switch_role *cp;
	struct hci_conn *conn;

	BT_DBG("%s status 0x%2.2x", hdev->name, status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
	if (conn)
		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);

	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_INQUIRY_COMPLETE.
 *
 * Clears HCI_INQUIRY and wakes anyone waiting on that bit. When mgmt
 * drives discovery and the state is DISCOVERY_FINDING, the next step is
 * chosen: if names remain to be resolved, start resolving the first
 * NAME_NEEDED entry and move to DISCOVERY_RESOLVING (with a deadline of
 * NAME_RESOLVE_DURATION); otherwise discovery is marked stopped, unless
 * an LE scan is still running on a controller with
 * HCI_QUIRK_SIMULTANEOUS_DISCOVERY, in which case the LE side will finish
 * it.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_status
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_ev_status *ev = data;
	struct discovery_state *discov = &hdev->discovery;
	struct inquiry_entry *e;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
		return;

	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
	wake_up_bit(&hdev->flags, HCI_INQUIRY);

	if (!hci_dev_test_flag(hdev, HCI_MGMT))
		return;

	hci_dev_lock(hdev);

	if (discov->state != DISCOVERY_FINDING)
		goto unlock;

	if (list_empty(&discov->resolve)) {
		/* When BR/EDR inquiry is active and no LE scanning is in
		 * progress, then change discovery state to indicate completion.
		 *
		 * When running LE scanning and BR/EDR inquiry simultaneously
		 * and the LE scan already finished, then change the discovery
		 * state to indicate completion.
*/
		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
		    !hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY))
			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
		goto unlock;
	}

	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
	if (e && hci_resolve_name(hdev, e) == 0) {
		e->name_state = NAME_PENDING;
		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
		discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
	} else {
		/* When BR/EDR inquiry is active and no LE scanning is in
		 * progress, then change discovery state to indicate completion.
		 *
		 * When running LE scanning and BR/EDR inquiry simultaneously
		 * and the LE scan already finished, then change the discovery
		 * state to indicate completion.
		 */
		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
		    !hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY))
			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_INQUIRY_RESULT (the basic, RSSI-less variant).
 *
 * The event is a counted array of struct inquiry_info; the payload length
 * is validated against ev->num with flex_array_size() before any entry is
 * touched, so a short event from the controller is rejected rather than
 * read past the skb. Results during a periodic inquiry are ignored. Each
 * entry updates the inquiry cache and is reported to mgmt with
 * HCI_RSSI_INVALID, since this event format carries no RSSI.
 *
 * @hdev: controller the event came from
 * @edata: event payload, a struct hci_ev_inquiry_result
 * @skb: the event skb; used for the length check
 */
static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
				   struct sk_buff *skb)
{
	struct hci_ev_inquiry_result *ev = edata;
	struct inquiry_data data;
	int i;

	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
			     flex_array_size(ev, info, ev->num)))
		return;

	bt_dev_dbg(hdev, "num %d", ev->num);

	if (!ev->num)
		return;

	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
		return;

	hci_dev_lock(hdev);

	for (i = 0; i < ev->num; i++) {
		struct inquiry_info *info = &ev->info[i];
		u32 flags;

		bacpy(&data.bdaddr, &info->bdaddr);
		data.pscan_rep_mode = info->pscan_rep_mode;
		data.pscan_period_mode = info->pscan_period_mode;
		data.pscan_mode = info->pscan_mode;
		memcpy(data.dev_class, info->dev_class, 3);
		data.clock_offset = info->clock_offset;
		data.rssi = HCI_RSSI_INVALID;
		data.ssp_mode =
0x00;

		flags = hci_inquiry_cache_update(hdev, &data, false);

		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
				  info->dev_class, HCI_RSSI_INVALID,
				  flags, NULL, 0, NULL, 0, 0);
	}

	hci_dev_unlock(hdev);
}

/* Ask the controller for the encryption key size of @conn.
 *
 * Controllers that cannot report the key size (read_key_size_capable()
 * false) get conn->enc_key_size set to HCI_LINK_KEY_SIZE and
 * -EOPNOTSUPP back; callers then proceed without a measured value, so the
 * minimum-key-size enforcement elsewhere is only as good as that
 * assumption on such hardware. Otherwise a provisional enc_key_size is
 * installed -- the size already associated with the key when known, else
 * hdev->min_enc_key_size -- and HCI_OP_READ_ENC_KEY_SIZE is sent; the
 * real value arrives in the Command Complete.
 *
 * @hdev: controller owning @conn
 * @conn: connection whose key size is wanted; enc_key_size is updated
 *
 * Return: -EOPNOTSUPP when the controller cannot report key sizes,
 *         otherwise the result of hci_send_cmd().
 */
static int hci_read_enc_key_size(struct hci_dev *hdev, struct hci_conn *conn)
{
	struct hci_cp_read_enc_key_size cp;
	u8 *key_enc_size = hci_conn_key_enc_size(conn);

	if (!read_key_size_capable(hdev)) {
		conn->enc_key_size = HCI_LINK_KEY_SIZE;
		return -EOPNOTSUPP;
	}

	bt_dev_dbg(hdev, "hcon %p", conn);

	memset(&cp, 0, sizeof(cp));
	cp.handle = cpu_to_le16(conn->handle);

	/* If the key enc_size is already known, use it as conn->enc_key_size,
	 * otherwise use hdev->min_enc_key_size so the likes of
	 * l2cap_check_enc_key_size don't fail while waiting for
	 * HCI_OP_READ_ENC_KEY_SIZE response.
	 */
	if (key_enc_size && *key_enc_size)
		conn->enc_key_size = *key_enc_size;
	else
		conn->enc_key_size = hdev->min_enc_key_size;

	return hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
}

/* Handler for HCI_EV_CONN_COMPLETE (BR/EDR ACL and SCO links).
 *
 * Locates or creates the hci_conn for the reported bdaddr, refuses to
 * process the event twice for one connection (the handle must still be
 * unset), then on success assigns the handle, moves the connection to
 * BT_CONFIG (ACL) or BT_CONNECTED (SCO/eSCO), registers it with debugfs
 * and sysfs, mirrors the device-wide HCI_AUTH/HCI_ENCRYPT flags onto it,
 * handles the case where the link came up already encrypted, requests
 * remote features for ACL links and fixes the packet type for incoming
 * connections on pre-2.0 controllers. A failure status, either from the
 * event or from hci_conn_set_handle(), ends in hci_conn_failed().
 *
 * Runs under hdev->lock for its whole body.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_conn_complete
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_conn_complete *ev = data;
	struct hci_conn *conn;
	u8 status = ev->status;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	hci_dev_lock(hdev);
	hci_store_wake_reason(hdev, &ev->bdaddr, BDADDR_BREDR);

	/* Check for existing connection:
	 *
	 * 1. If it doesn't exist then it must be receiver/slave role.
	 * 2. If it does exist confirm that it is connecting/BT_CONNECT in case
	 * of initiator/master role since there could be a collision where
	 * either side is attempting to connect or something like a fuzzing
	 * testing is trying to play tricks to destroy the hcon object before
	 * it even attempts to connect (e.g. hcon->state == BT_OPEN).
	 */
	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
	if (!conn ||
	    (conn->role == HCI_ROLE_MASTER && conn->state != BT_CONNECT)) {
		/* In case of error status and there is no connection pending
		 * just unlock as there is nothing to cleanup.
		 */
		if (ev->status)
			goto unlock;

		/* Connection may not exist if auto-connected. Check the bredr
		 * allowlist to see if this device is allowed to auto connect.
		 * If link is an ACL type, create a connection class
		 * automatically.
		 *
		 * Auto-connect will only occur if the event filter is
		 * programmed with a given address. Right now, event filter is
		 * only used during suspend.
		 */
		if (ev->link_type == ACL_LINK &&
		    hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
						      &ev->bdaddr,
						      BDADDR_BREDR)) {
			conn = hci_conn_add_unset(hdev, ev->link_type,
						  &ev->bdaddr, 0,
						  HCI_ROLE_SLAVE);
			if (IS_ERR(conn)) {
				bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
				goto unlock;
			}
		} else {
			/* A SCO completion may match a connection we set up
			 * as eSCO; retag it rather than reject it.
			 */
			if (ev->link_type != SCO_LINK)
				goto unlock;

			conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
						       &ev->bdaddr);
			if (!conn)
				goto unlock;

			conn->type = SCO_LINK;
		}
	}

	/* The HCI_Connection_Complete event is only sent once per connection.
	 * Processing it more than once per connection can corrupt kernel memory.
	 *
	 * As the connection handle is set here for the first time, it indicates
	 * whether the connection is already set up.
	 */
	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
		goto unlock;
	}

	if (!status) {
		/* hci_conn_set_handle() can reject the handle; its return
		 * value replaces status so the failure path below runs.
		 */
		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
		if (status)
			goto done;

		if (conn->type == ACL_LINK) {
			conn->state = BT_CONFIG;
			hci_conn_hold(conn);

			/* Incoming, non-SSP link with no stored key: give
			 * legacy pairing its longer timeout.
			 */
			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
			    !hci_find_link_key(hdev, &ev->bdaddr))
				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
			else
				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
		} else
			conn->state = BT_CONNECTED;

		hci_debugfs_create_conn(conn);
		hci_conn_add_sysfs(conn);

		if (test_bit(HCI_AUTH, &hdev->flags))
			set_bit(HCI_CONN_AUTH, &conn->flags);

		if (test_bit(HCI_ENCRYPT, &hdev->flags))
			set_bit(HCI_CONN_ENCRYPT, &conn->flags);

		/* "Link key request" completed ahead of "connect request" completes */
		if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
		    ev->link_type == ACL_LINK) {
			struct link_key *key;

			key = hci_find_link_key(hdev, &ev->bdaddr);
			if (key) {
				set_bit(HCI_CONN_ENCRYPT, &conn->flags);
				/* Return value deliberately ignored: on
				 * -EOPNOTSUPP enc_key_size has already been
				 * set to HCI_LINK_KEY_SIZE, otherwise the
				 * Command Complete will fill it in.
				 */
				hci_read_enc_key_size(hdev, conn);
				hci_encrypt_cfm(conn, ev->status);
			}
		}

		/* Get remote features */
		if (conn->type == ACL_LINK) {
			struct hci_cp_read_remote_features cp;
			cp.handle = ev->handle;
			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
				     sizeof(cp), &cp);

			hci_update_scan(hdev);
		}

		/* Set packet type for incoming connection */
		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
			struct hci_cp_change_conn_ptype cp;
			cp.handle = ev->handle;
			cp.pkt_type = cpu_to_le16(conn->pkt_type);
			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
				     &cp);
		}
	}

	if (conn->type == ACL_LINK)
		hci_sco_setup(conn, ev->status);

done:
	if (status) {
		hci_conn_failed(conn, status);
	} else if (ev->link_type == SCO_LINK) {
		/* Only CVSD needs the driver notified; other air modes fall
		 * out of the switch without action.
		 */
		switch (conn->setting & SCO_AIRMODE_MASK) {
		case SCO_AIRMODE_CVSD:
			if (hdev->notify)
				hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
			break;
		}

		hci_connect_cfm(conn, status);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* Reject an incoming connection request from @bdaddr.
 *
 * Always uses HCI_ERROR_REJ_BAD_ADDR as the reason, whatever the actual
 * cause of the rejection was.
 *
 * @hdev: controller to send the command on
 * @bdaddr: address of the requesting device
 */
static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
{
	struct hci_cp_reject_conn_req cp;

	bacpy(&cp.bdaddr, bdaddr);
	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
}

/* Handler for HCI_EV_CONN_REQUEST (incoming BR/EDR connection).
 *
 * Decides whether to accept the request. A request from our own bdaddr
 * is rejected outright (CVE-2020-26555 mitigation), then the protocol
 * layer is consulted via hci_proto_connect_ind(); the reject list and,
 * when mgmt is in control, the HCI_CONNECTABLE flag / accept list are
 * checked next. Accepted requests get an hci_conn (created if needed)
 * and either an Accept_Connection_Request, an
 * Accept_Synchronous_Connection_Request, or -- when the protocol asked to
 * defer -- a BT_CONNECT2 state with hci_connect_cfm(), leaving the
 * decision to the upper layer.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_conn_request
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
				 struct sk_buff *skb)
{
	struct hci_ev_conn_request *ev = data;
	int mask = hdev->link_mode;
	struct inquiry_entry *ie;
	struct hci_conn *conn;
	__u8 flags = 0;

	bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);

	hci_dev_lock(hdev);
	hci_store_wake_reason(hdev, &ev->bdaddr, BDADDR_BREDR);
	hci_dev_unlock(hdev);

	/* Reject incoming connection from device with same BD ADDR against
	 * CVE-2020-26555
	 *
	 * The "hdev &&" test is redundant: hdev has already been
	 * dereferenced above (link_mode, hci_dev_lock), so it is never NULL
	 * here.
	 */
	if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
			   &ev->bdaddr);
		hci_reject_conn(hdev, &ev->bdaddr);
		return;
	}

	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
				      &flags);

	if (!(mask & HCI_LM_ACCEPT)) {
		hci_reject_conn(hdev, &ev->bdaddr);
		return;
	}

	hci_dev_lock(hdev);

	if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
				   BDADDR_BREDR)) {
		hci_reject_conn(hdev, &ev->bdaddr);
		goto unlock;
	}

	/* Require HCI_CONNECTABLE or an accept list entry to accept the
	 * connection. These features are only touched through mgmt so
	 * only do the checks if HCI_MGMT is set.
*/
	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
	    !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
					       BDADDR_BREDR)) {
		hci_reject_conn(hdev, &ev->bdaddr);
		goto unlock;
	}

	/* Connection accepted */

	/* Refresh the cached class of device for this peer, if we have an
	 * inquiry entry for it.
	 */
	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
	if (ie)
		memcpy(ie->data.dev_class, ev->dev_class, 3);

	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
				       &ev->bdaddr);
	if (!conn) {
		conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr, 0,
					  HCI_ROLE_SLAVE);
		if (IS_ERR(conn)) {
			bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
			goto unlock;
		}
	}

	memcpy(conn->dev_class, ev->dev_class, 3);

	/* ACL requests, and SCO requests on controllers without eSCO when
	 * the protocol did not defer, are accepted with the plain command.
	 */
	if (ev->link_type == ACL_LINK ||
	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
		struct hci_cp_accept_conn_req cp;
		conn->state = BT_CONNECT;

		bacpy(&cp.bdaddr, &ev->bdaddr);

		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
			cp.role = 0x00; /* Become central */
		else
			cp.role = 0x01; /* Remain peripheral */

		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
	} else if (!(flags & HCI_PROTO_DEFER)) {
		struct hci_cp_accept_sync_conn_req cp;
		conn->state = BT_CONNECT;

		bacpy(&cp.bdaddr, &ev->bdaddr);
		cp.pkt_type = cpu_to_le16(conn->pkt_type);

		/* Fixed 8 kB/s bandwidth, no latency limit, best-effort
		 * retransmission; voice format comes from the controller
		 * setting.
		 */
		cp.tx_bandwidth = cpu_to_le32(0x00001f40);
		cp.rx_bandwidth = cpu_to_le32(0x00001f40);
		cp.max_latency = cpu_to_le16(0xffff);
		cp.content_format = cpu_to_le16(hdev->voice_setting);
		cp.retrans_effort = 0xff;

		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
			     &cp);
	} else {
		/* Upper layer asked to decide itself; hand it the
		 * connection in BT_CONNECT2.
		 */
		conn->state = BT_CONNECT2;
		hci_connect_cfm(conn, 0);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* Map an HCI disconnect reason to the mgmt disconnect reason reported to
 * user space.
 *
 * @err: HCI error code from the Disconnection Complete event
 *
 * Return: MGMT_DEV_DISCONN_TIMEOUT for a connection timeout,
 *         MGMT_DEV_DISCONN_REMOTE for the three remote-initiated codes,
 *         MGMT_DEV_DISCONN_LOCAL_HOST for a local termination and
 *         MGMT_DEV_DISCONN_UNKNOWN for anything else.
 */
static u8 hci_to_mgmt_reason(u8 err)
{
	switch (err) {
	case HCI_ERROR_CONNECTION_TIMEOUT:
		return MGMT_DEV_DISCONN_TIMEOUT;
	case HCI_ERROR_REMOTE_USER_TERM:
	case HCI_ERROR_REMOTE_LOW_RESOURCES:
	case HCI_ERROR_REMOTE_POWER_OFF:
		return MGMT_DEV_DISCONN_REMOTE;
	case HCI_ERROR_LOCAL_HOST_TERM:
		return MGMT_DEV_DISCONN_LOCAL_HOST;
	default:
		return MGMT_DEV_DISCONN_UNKNOWN;
	}
}

/* Handler for HCI_EV_DISCONN_COMPLETE.
 *
 * On a failure status mgmt is told the disconnect failed and the
 * connection is left in place. Otherwise the connection is marked
 * BT_CLOSED and torn down: mgmt gets a device-disconnected event (with
 * MGMT_DEV_DISCONN_AUTH_FAILURE taking precedence over the mapped HCI
 * reason when HCI_CONN_AUTH_FAILURE is set), a flagged link key is
 * removed for ACL links, auto-connectable LE peers are put back on the
 * pending-connection list and passive scanning is updated, sockets are
 * informed, a peripheral-role LE link re-enables advertising, and the
 * hci_conn is deleted.
 *
 * Runs under hdev->lock for its whole body.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_disconn_complete
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_ev_disconn_complete *ev = data;
	u8 reason;
	struct hci_conn_params *params;
	struct hci_conn *conn;
	bool mgmt_connected;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (!conn)
		goto unlock;

	if (ev->status) {
		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
				       conn->dst_type, ev->status);
		goto unlock;
	}

	conn->state = BT_CLOSED;

	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);

	/* An earlier authentication failure on this link is reported in
	 * preference to the controller's own reason code.
	 */
	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
	else
		reason = hci_to_mgmt_reason(ev->reason);

	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
				 reason, mgmt_connected);

	if (conn->type == ACL_LINK) {
		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
			hci_remove_link_key(hdev, &conn->dst);

		hci_update_scan(hdev);
	}

	/* Re-enable passive scanning if disconnected device is marked
	 * as auto-connectable.
	 */
	if (conn->type == LE_LINK) {
		params = hci_conn_params_lookup(hdev, &conn->dst,
						conn->dst_type);
		if (params) {
			switch (params->auto_connect) {
			case HCI_AUTO_CONN_LINK_LOSS:
				/* Link-loss reconnect only applies to an
				 * actual supervision timeout.
				 */
				if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
					break;
				fallthrough;

			case HCI_AUTO_CONN_DIRECT:
			case HCI_AUTO_CONN_ALWAYS:
				hci_pend_le_list_del_init(params);
				hci_pend_le_list_add(params,
						     &hdev->pend_le_conns);
				hci_update_passive_scan(hdev);
				break;

			default:
				break;
			}
		}
	}

	hci_disconn_cfm(conn, ev->reason);

	/* Re-enable advertising if necessary, since it might
	 * have been disabled by the connection. From the
	 * HCI_LE_Set_Advertise_Enable command description in
	 * the core specification (v4.0):
	 * "The Controller shall continue advertising until the Host
	 * issues an LE_Set_Advertise_Enable command with
	 * Advertising_Enable set to 0x00 (Advertising is disabled)
	 * or until a connection is created or until the Advertising
	 * is timed out due to Directed Advertising."
	 */
	if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
		hdev->cur_adv_instance = conn->adv_instance;
		hci_enable_advertising(hdev);
	}

	hci_conn_del(conn);

unlock:
	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_AUTH_COMPLETE (BR/EDR authentication).
 *
 * On success HCI_CONN_AUTH is set, any previous auth failure is cleared
 * and the pending security level becomes the effective one. On failure
 * mgmt is notified; HCI_ERROR_PIN_OR_KEY_MISSING additionally sets
 * HCI_CONN_AUTH_FAILURE so the eventual disconnect is reported as an
 * authentication failure. HCI_CONN_AUTH_PEND is cleared either way.
 *
 * What happens next depends on the connection state: a link still in
 * BT_CONFIG with SSP enabled proceeds to encryption, otherwise it is
 * declared connected (hci_connect_cfm with the status) and its
 * config-phase reference dropped; an established link gets hci_auth_cfm()
 * and its idle timeout reset to HCI_DISCONN_TIMEOUT. Finally, if
 * encryption was queued behind this authentication
 * (HCI_CONN_ENCRYPT_PEND) it is started on success or reported failed.
 *
 * Runs under hdev->lock for its whole body.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_auth_complete
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_auth_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (!conn)
		goto unlock;

	if (!ev->status) {
		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
		set_bit(HCI_CONN_AUTH, &conn->flags);
		conn->sec_level = conn->pending_sec_level;
	} else {
		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);

		mgmt_auth_failed(conn, ev->status);
	}

	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);

	if (conn->state == BT_CONFIG) {
		if (!ev->status && hci_conn_ssp_enabled(conn)) {
			struct hci_cp_set_conn_encrypt cp;
			cp.handle = ev->handle;
			cp.encrypt = 0x01;
			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
				     &cp);
		} else {
			conn->state = BT_CONNECTED;
			hci_connect_cfm(conn, ev->status);
			hci_conn_drop(conn);
		}
	} else {
		hci_auth_cfm(conn, ev->status);

		/* hold/drop pair around the timeout update re-arms the
		 * disconnect timer with the new value.
		 */
		hci_conn_hold(conn);
		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
		hci_conn_drop(conn);
	}

	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
		if (!ev->status) {
			struct hci_cp_set_conn_encrypt cp;
			cp.handle = ev->handle;
			cp.encrypt = 0x01;
			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
				     &cp);
		} else {
			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
			hci_encrypt_cfm(conn, ev->status);
		}
	}

unlock:
	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_REMOTE_NAME (Remote Name Request Complete).
 *
 * With mgmt in control the name (bounded by HCI_MAX_NAME_LENGTH via
 * strnlen(), so an unterminated name from the controller cannot be
 * over-read) is fed to hci_check_pending_name(); a failure status passes
 * a NULL name instead. Independently of mgmt, if the ACL connection
 * still needs outgoing authentication it is started here, guarded by
 * HCI_CONN_AUTH_PEND so Authentication_Requested is only sent once.
 * Note hci_check_pending_name() is called even when conn is NULL.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_remote_name
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_ev_remote_name *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);

	if (!hci_dev_test_flag(hdev, HCI_MGMT))
		goto check_auth;

	if (ev->status == 0)
		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
	else
		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);

check_auth:
	if (!conn)
		goto unlock;

	if (!hci_outgoing_auth_needed(hdev, conn))
		goto unlock;

	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
		struct hci_cp_auth_requested cp;

		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);

		cp.handle = __cpu_to_le16(conn->handle);
		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_ENCRYPT_CHANGE.
 *
 * Updates the connection's security flags from the event: encryption on
 * implies authentication, a P-256 authenticated key implies FIPS, and
 * AES-CCM is recorded for LE links and for BR/EDR links reporting
 * encrypt mode 0x02. Encryption off clears HCI_CONN_ENCRYPT and
 * HCI_CONN_AES_CCM. A failed encryption on an LE link also expires the
 * current RPA.
 *
 * Security enforcement happens after the flag update: if the link no
 * longer satisfies its required security mode (hci_conn_check_link_mode),
 * ev->status is overwritten with HCI_ERROR_AUTH_FAILURE, so an
 * established link that fails the check -- or that reported a failure --
 * is notified and then disconnected with HCI_ERROR_AUTH_FAILURE rather
 * than left up. On a successful BR/EDR encryption the key size is read
 * before anyone is told (hci_read_enc_key_size); if that request could
 * not be sent the notification is delivered immediately instead,
 * otherwise it is presumably delivered when the key-size response
 * arrives -- confirm against the Command Complete handler. Finally the
 * authenticated payload timeout is programmed for AES-CCM links on
 * controllers that support LE/LMP ping, unless a quirk disables it.
 *
 * Runs under hdev->lock for its whole body.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_encrypt_change; ev->status may
 *        be rewritten by this handler
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_encrypt_change *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (!conn)
		goto unlock;

	if (!ev->status) {
		if (ev->encrypt) {
			/* Encryption implies authentication */
			set_bit(HCI_CONN_AUTH, &conn->flags);
			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
			conn->sec_level = conn->pending_sec_level;

			/* P-256 authentication key implies FIPS */
			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
				set_bit(HCI_CONN_FIPS, &conn->flags);

			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
			    conn->type == LE_LINK)
				set_bit(HCI_CONN_AES_CCM, &conn->flags);
		} else {
			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
		}
	}

	/* We should disregard the current RPA and generate a new one
	 * whenever the encryption procedure fails.
	 */
	if (ev->status && conn->type == LE_LINK) {
		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
		hci_adv_instances_set_rpa_expired(hdev, true);
	}

	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);

	/* Check link security requirements are met */
	if (!hci_conn_check_link_mode(conn))
		ev->status = HCI_ERROR_AUTH_FAILURE;

	if (ev->status && conn->state == BT_CONNECTED) {
		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);

		/* Notify upper layers so they can cleanup before
		 * disconnecting.
		 */
		hci_encrypt_cfm(conn, ev->status);
		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
		hci_conn_drop(conn);
		goto unlock;
	}

	/* Try reading the encryption key size for encrypted ACL links */
	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
		if (hci_read_enc_key_size(hdev, conn))
			goto notify;

		goto unlock;
	}

	/* We skip the WRITE_AUTH_PAYLOAD_TIMEOUT for ATS2851 based controllers
	 * to avoid unexpected SMP command errors when pairing.
	 */
	if (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT))
		goto notify;

	/* Set the default Authenticated Payload Timeout after
	 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
	 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
	 * sent when the link is active and Encryption is enabled, the conn
	 * type can be either LE or ACL and controller must support LMP Ping.
	 * Ensure for AES-CCM encryption as well.
	 */
	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
	    test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
	    ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
	     (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
		struct hci_cp_write_auth_payload_to cp;

		cp.handle = cpu_to_le16(conn->handle);
		cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
		if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
				 sizeof(cp), &cp))
			bt_dev_err(hdev, "write auth payload timeout failed");
	}

notify:
	hci_encrypt_cfm(conn, ev->status);

unlock:
	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_CHANGE_LINK_KEY_COMPLETE.
 *
 * On success the link is flagged HCI_CONN_SECURE. Whatever the status,
 * the pending-authentication flag is cleared and upper layers get
 * hci_key_change_cfm() with the status. Nothing is done for an unknown
 * handle.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_change_link_key_complete
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
					     struct sk_buff *skb)
{
	struct hci_ev_change_link_key_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (conn) {
		if (!ev->status)
			set_bit(HCI_CONN_SECURE, &conn->flags);

		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);

		hci_key_change_cfm(conn, ev->status);
	}

	hci_dev_unlock(hdev);
}

/* Handler for HCI_EV_REMOTE_FEATURES (page 0 of the remote LMP
 * features).
 *
 * On success the 8 feature bytes are copied into conn->features[0]. For
 * a connection still in BT_CONFIG the setup continues: if both sides
 * support extended features, page 1 is requested and the rest waits for
 * that reply; otherwise a remote name request is issued (or, on failure,
 * mgmt is told the device connected without a name) and, when no
 * outgoing authentication is required, the link is declared connected
 * and its config-phase reference dropped.
 *
 * @hdev: controller the event came from
 * @data: event payload, a struct hci_ev_remote_features
 * @skb: the event skb (unused here beyond @data)
 */
static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_remote_features *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (!conn)
		goto unlock;

	if (!ev->status)
		memcpy(conn->features[0], ev->features, 8);

	if (conn->state != BT_CONFIG)
		goto unlock;

	if (!ev->status && lmp_ext_feat_capable(hdev) &&
	    lmp_ext_feat_capable(conn)) {
		struct hci_cp_read_remote_ext_features cp;
		cp.handle = ev->handle;
		cp.page = 0x01;
hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3748 sizeof(cp), &cp); 3749 goto unlock; 3750 } 3751 3752 if (!ev->status) { 3753 struct hci_cp_remote_name_req cp; 3754 memset(&cp, 0, sizeof(cp)); 3755 bacpy(&cp.bdaddr, &conn->dst); 3756 cp.pscan_rep_mode = 0x02; 3757 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3758 } else { 3759 mgmt_device_connected(hdev, conn, NULL, 0); 3760 } 3761 3762 if (!hci_outgoing_auth_needed(hdev, conn)) { 3763 conn->state = BT_CONNECTED; 3764 hci_connect_cfm(conn, ev->status); 3765 hci_conn_drop(conn); 3766 } 3767 3768 unlock: 3769 hci_dev_unlock(hdev); 3770 } 3771 3772 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3773 { 3774 cancel_delayed_work(&hdev->cmd_timer); 3775 3776 rcu_read_lock(); 3777 if (!test_bit(HCI_RESET, &hdev->flags)) { 3778 if (ncmd) { 3779 cancel_delayed_work(&hdev->ncmd_timer); 3780 atomic_set(&hdev->cmd_cnt, 1); 3781 } else { 3782 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 3783 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer, 3784 HCI_NCMD_TIMEOUT); 3785 } 3786 } 3787 rcu_read_unlock(); 3788 } 3789 3790 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data, 3791 struct sk_buff *skb) 3792 { 3793 struct hci_rp_le_read_buffer_size_v2 *rp = data; 3794 3795 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3796 3797 if (rp->status) 3798 return rp->status; 3799 3800 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu); 3801 hdev->le_pkts = rp->acl_max_pkt; 3802 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu); 3803 hdev->iso_pkts = rp->iso_max_pkt; 3804 3805 hdev->le_cnt = hdev->le_pkts; 3806 hdev->iso_cnt = hdev->iso_pkts; 3807 3808 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu, 3809 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts); 3810 3811 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 3812 return HCI_ERROR_INVALID_PARAMETERS; 3813 3814 return rp->status; 3815 } 3816 3817 static void hci_unbound_cis_failed(struct hci_dev *hdev, 
u8 cig, u8 status)
{
	struct hci_conn *conn, *tmp;

	lockdep_assert_held(&hdev->lock);

	/* Only CIS connections of this CIG are considered; BT_OPEN ones and
	 * those that already own a handle are left untouched.
	 */
	list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
		if (conn->type != CIS_LINK ||
		    conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
			continue;

		if (HCI_CONN_HANDLE_UNSET(conn->handle))
			hci_conn_failed(conn, status);
	}
}

/* LE Set CIG Parameters Command Complete.
 *
 * The reply is cross-checked against the command that was sent (same CIG id,
 * one handle per requested CIS); a mismatch, or no sent command at all, is
 * treated as HCI_ERROR_UNSPECIFIED inside this handler. On failure only the
 * still-unbound CIS of that CIG are failed. On success each returned handle
 * is assigned to the matching CIS connection in BT_BOUND or BT_CONNECT
 * state, and LE Create CIS is kicked if any of them were already connecting.
 *
 * Returns rp->status as received rather than the locally derived status, so
 * a reply rejected by the consistency check still reports success upwards.
 *
 * NOTE(review): the length of rp->handle[] is validated only against
 * cp->num_cis. hci_cc_func() guarantees skb->len >= sizeof(*rp), but nothing
 * here checks that num_handles entries actually fit in the received payload.
 */
static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_rp_le_set_cig_params *rp = data;
	struct hci_cp_le_set_cig_params *cp;
	struct hci_conn *conn;
	u8 status = rp->status;
	bool pending = false;
	int i;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
	if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
			    rp->cig_id != cp->cig_id)) {
		bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
		status = HCI_ERROR_UNSPECIFIED;
	}

	hci_dev_lock(hdev);

	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
	 *
	 * If the Status return parameter is non-zero, then the state of the CIG
	 * and its CIS configurations shall not be changed by the command. If
	 * the CIG did not already exist, it shall not be created.
	 */
	if (status) {
		/* Keep current configuration, fail only the unbound CIS */
		hci_unbound_cis_failed(hdev, rp->cig_id, status);
		goto unlock;
	}

	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
	 *
	 * If the Status return parameter is zero, then the Controller shall
	 * set the Connection_Handle arrayed return parameter to the connection
	 * handle(s) corresponding to the CIS configurations specified in
	 * the CIS_IDs command parameter, in the same order.
	 */
	/* status == 0 here implies cp != NULL and num_handles == num_cis,
	 * so cp->cis[i] is in range for every i below.
	 */
	for (i = 0; i < rp->num_handles; ++i) {
		conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
						cp->cis[i].cis_id);
		if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
			continue;

		if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
			continue;

		if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
			continue;

		if (conn->state == BT_CONNECT)
			pending = true;
	}

unlock:
	if (pending)
		hci_le_create_cis_pending(hdev);

	hci_dev_unlock(hdev);

	return rp->status;
}

/* LE Setup ISO Data Path Command Complete.
 *
 * Looks up the connection named in the sent command. On failure it is
 * confirmed with the error and deleted. On success the connection is
 * confirmed depending on the data-path direction from the command: for the
 * input path (0x00) only when the QoS is output-only, for the output path
 * (0x01) unconditionally, plus a mgmt "device connected" notification when
 * the connection is a BIG sync. Any other direction value falls through the
 * switch without action. Always returns rp->status.
 */
static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_rp_le_setup_iso_path *rp = data;
	struct hci_cp_le_setup_iso_path *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
	if (!cp)
		return rp->status;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (!conn)
		goto unlock;

	if (rp->status) {
		hci_connect_cfm(conn, rp->status);
		hci_conn_del(conn);
		goto unlock;
	}

	switch (cp->direction) {
	/* Input (Host to Controller) */
	case 0x00:
		/* Only confirm connection if output only */
		if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
			hci_connect_cfm(conn, rp->status);
		break;
	/* Output (Controller to Host) */
	case 0x01:
		/* Confirm connection since conn->iso_qos is always configured
		 * last.
		 */
		hci_connect_cfm(conn, rp->status);

		/* Notify device connected in case it is a BIG Sync */
		if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
			mgmt_device_connected(hdev, conn, NULL, 0);

		break;
	}

unlock:
	hci_dev_unlock(hdev);
	return rp->status;
}

/* LE Read All Local Supported Features Command Complete.
 *
 * Copies the 248-byte feature mask into hdev->le_features on success.
 * NOTE(review): 248 is a bare constant; sizeof(rp->features) would tie the
 * copy to the struct definition (assuming features is declared as an array).
 */
static u8 hci_cc_le_read_all_local_features(struct hci_dev *hdev, void *data,
					    struct sk_buff *skb)
{
	struct hci_rp_le_read_all_local_features *rp = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	memcpy(hdev->le_features, rp->features, 248);

	return rp->status;
}

/* LE Create BIG Command Status: only logged, no bookkeeping is done here. */
static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
{
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
}

/* LE Read All Remote Features Command Status.
 *
 * Only a failed status is acted on: the connection from the sent command, if
 * it is still in BT_CONFIG, is confirmed with the error (presumably because
 * no completion event will follow).
 */
static void hci_cs_le_read_all_remote_features(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_read_remote_features *cp;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_ALL_REMOTE_FEATURES);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
	if (conn && conn->state == BT_CONFIG)
		hci_connect_cfm(conn, status);

	hci_dev_unlock(hdev);
}

/* LE Set Periodic Advertising Parameters Command Complete.
 *
 * Currently only checks that the sent command is still available; updating
 * connection state is an open TODO. Always returns rp->status.
 */
static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_le_set_per_adv_params *cp;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
	if (!cp)
		return rp->status;

	/* TODO: set the conn state */
	return rp->status;
}

/* LE Set Periodic Advertising Enable Command Complete; body follows below. */
static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void
*data,
					   struct sk_buff *skb)
{
	struct hci_ev_status *rp = data;
	struct hci_cp_le_set_per_adv_enable *cp;
	struct adv_info *adv = NULL, *n;
	u8 per_adv_cnt = 0;

	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);

	if (rp->status)
		return rp->status;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
	if (!cp)
		return rp->status;

	hci_dev_lock(hdev);

	/* May be NULL; the flag handling below does not depend on it. */
	adv = hci_find_adv_instance(hdev, cp->handle);

	if (cp->enable) {
		hci_dev_set_flag(hdev, HCI_LE_PER_ADV);

		if (adv)
			adv->periodic_enabled = true;
	} else {
		if (adv)
			adv->periodic_enabled = false;

		/* If just one instance was disabled check if there are
		 * any other instance enabled before clearing HCI_LE_PER_ADV.
		 * The current periodic adv instance will be marked as
		 * disabled once extended advertising is also disabled.
		 */
		/* `adv` is reused as the loop cursor from here on and no
		 * longer refers to the instance for cp->handle.
		 */
		list_for_each_entry_safe(adv, n, &hdev->adv_instances,
					 list) {
			if (adv->periodic && adv->enabled)
				per_adv_cnt++;
		}

		if (per_adv_cnt > 1)
			goto unlock;

		hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
	}

unlock:
	hci_dev_unlock(hdev);

	return rp->status;
}

/* Entry of hci_cc_table: a Command Complete opcode, its handler and the
 * acceptable payload length range. hci_cc_func() rejects replies shorter
 * than _min and only warns about replies longer than _max.
 */
#define HCI_CC_VL(_op, _func, _min, _max) \
{ \
	.op = _op, \
	.func = _func, \
	.min_len = _min, \
	.max_len = _max, \
}

/* Fixed-size reply: min_len == max_len. */
#define HCI_CC(_op, _func, _len) \
	HCI_CC_VL(_op, _func, _len, _len)

/* Reply that carries nothing but the status byte. */
#define HCI_CC_STATUS(_op, _func) \
	HCI_CC(_op, _func, sizeof(struct hci_ev_status))

/* Opcode -> Command Complete handler table, searched linearly by
 * hci_cmd_complete_evt(). Each func receives the already-pulled reply in
 * @data and the skb positioned after min_len bytes, and returns the status
 * to report for the command.
 */
static const struct hci_cc {
	u16 op;
	u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
	u16 min_len;
	u16 max_len;
} hci_cc_table[] = {
	HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
	HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
	HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4087 HCI_CC(HCI_OP_REMOTE_NAME_REQ_CANCEL, hci_cc_remote_name_req_cancel, 4088 sizeof(struct hci_rp_remote_name_req_cancel)), 4089 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery, 4090 sizeof(struct hci_rp_role_discovery)), 4091 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy, 4092 sizeof(struct hci_rp_read_link_policy)), 4093 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy, 4094 sizeof(struct hci_rp_write_link_policy)), 4095 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy, 4096 sizeof(struct hci_rp_read_def_link_policy)), 4097 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY, 4098 hci_cc_write_def_link_policy), 4099 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset), 4100 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key, 4101 sizeof(struct hci_rp_read_stored_link_key)), 4102 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key, 4103 sizeof(struct hci_rp_delete_stored_link_key)), 4104 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name), 4105 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name, 4106 sizeof(struct hci_rp_read_local_name)), 4107 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable), 4108 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode), 4109 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable), 4110 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter), 4111 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev, 4112 sizeof(struct hci_rp_read_class_of_dev)), 4113 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev), 4114 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting, 4115 sizeof(struct hci_rp_read_voice_setting)), 4116 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting), 4117 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac, 4118 sizeof(struct hci_rp_read_num_supported_iac)), 4119 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode), 4120 
HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support), 4121 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout, 4122 sizeof(struct hci_rp_read_auth_payload_to)), 4123 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout, 4124 sizeof(struct hci_rp_write_auth_payload_to)), 4125 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version, 4126 sizeof(struct hci_rp_read_local_version)), 4127 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands, 4128 sizeof(struct hci_rp_read_local_commands)), 4129 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features, 4130 sizeof(struct hci_rp_read_local_features)), 4131 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features, 4132 sizeof(struct hci_rp_read_local_ext_features)), 4133 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size, 4134 sizeof(struct hci_rp_read_buffer_size)), 4135 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr, 4136 sizeof(struct hci_rp_read_bd_addr)), 4137 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts, 4138 sizeof(struct hci_rp_read_local_pairing_opts)), 4139 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity, 4140 sizeof(struct hci_rp_read_page_scan_activity)), 4141 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, 4142 hci_cc_write_page_scan_activity), 4143 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, 4144 sizeof(struct hci_rp_read_page_scan_type)), 4145 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), 4146 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, 4147 sizeof(struct hci_rp_read_clock)), 4148 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, 4149 sizeof(struct hci_rp_read_enc_key_size)), 4150 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power, 4151 sizeof(struct hci_rp_read_inq_rsp_tx_power)), 4152 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING, 4153 hci_cc_read_def_err_data_reporting, 4154 sizeof(struct 
hci_rp_read_def_err_data_reporting)), 4155 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING, 4156 hci_cc_write_def_err_data_reporting), 4157 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply, 4158 sizeof(struct hci_rp_pin_code_reply)), 4159 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply, 4160 sizeof(struct hci_rp_pin_code_neg_reply)), 4161 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data, 4162 sizeof(struct hci_rp_read_local_oob_data)), 4163 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data, 4164 sizeof(struct hci_rp_read_local_oob_ext_data)), 4165 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size, 4166 sizeof(struct hci_rp_le_read_buffer_size)), 4167 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features, 4168 sizeof(struct hci_rp_le_read_local_features)), 4169 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power, 4170 sizeof(struct hci_rp_le_read_adv_tx_power)), 4171 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply, 4172 sizeof(struct hci_rp_user_confirm_reply)), 4173 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply, 4174 sizeof(struct hci_rp_user_confirm_reply)), 4175 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply, 4176 sizeof(struct hci_rp_user_confirm_reply)), 4177 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply, 4178 sizeof(struct hci_rp_user_confirm_reply)), 4179 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr), 4180 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable), 4181 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param), 4182 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable), 4183 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE, 4184 hci_cc_le_read_accept_list_size, 4185 sizeof(struct hci_rp_le_read_accept_list_size)), 4186 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list), 4187 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST, 4188 
hci_cc_le_add_to_accept_list), 4189 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST, 4190 hci_cc_le_del_from_accept_list), 4191 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states, 4192 sizeof(struct hci_rp_le_read_supported_states)), 4193 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len, 4194 sizeof(struct hci_rp_le_read_def_data_len)), 4195 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN, 4196 hci_cc_le_write_def_data_len), 4197 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST, 4198 hci_cc_le_add_to_resolv_list), 4199 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST, 4200 hci_cc_le_del_from_resolv_list), 4201 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST, 4202 hci_cc_le_clear_resolv_list), 4203 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size, 4204 sizeof(struct hci_rp_le_read_resolv_list_size)), 4205 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 4206 hci_cc_le_set_addr_resolution_enable), 4207 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len, 4208 sizeof(struct hci_rp_le_read_max_data_len)), 4209 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED, 4210 hci_cc_write_le_host_supported), 4211 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param), 4212 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi, 4213 sizeof(struct hci_rp_read_rssi)), 4214 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power, 4215 sizeof(struct hci_rp_read_tx_power)), 4216 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode), 4217 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS, 4218 hci_cc_le_set_ext_scan_param), 4219 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE, 4220 hci_cc_le_set_ext_scan_enable), 4221 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy), 4222 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, 4223 hci_cc_le_read_num_adv_sets, 4224 sizeof(struct hci_rp_le_read_num_supported_adv_sets)), 4225 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, 4226 hci_cc_le_set_ext_adv_enable), 4227 
HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
		      hci_cc_le_set_adv_set_random_addr),
	HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
		      hci_cc_le_set_per_adv_enable),
	HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
	       sizeof(struct hci_rp_le_read_transmit_power)),
	HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
	       sizeof(struct hci_rp_le_read_buffer_size_v2)),
	/* Variable length: the reply carries one handle per CIS after the
	 * fixed header, so only the header size is enforced.
	 */
	HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
		  sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
	HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
	       sizeof(struct hci_rp_le_setup_iso_path)),
	HCI_CC(HCI_OP_LE_READ_ALL_LOCAL_FEATURES,
	       hci_cc_le_read_all_local_features,
	       sizeof(struct hci_rp_le_read_all_local_features)),
};

/* Dispatch one Command Complete reply to its hci_cc_table entry.
 *
 * A payload shorter than @cc->min_len is rejected with HCI_ERROR_UNSPECIFIED
 * and the handler is not called. A payload longer than @cc->max_len only
 * produces a warning: min_len bytes are pulled and passed to the callback,
 * which may examine whatever remains in the skb itself. Returns the status
 * produced by the handler.
 */
static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
		      struct sk_buff *skb)
{
	void *data;

	if (skb->len < cc->min_len) {
		bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
			   cc->op, skb->len, cc->min_len);
		return HCI_ERROR_UNSPECIFIED;
	}

	/* Just warn if the length is over max_len size it still be possible to
	 * partially parse the cc so leave to callback to decide if that is
	 * acceptable.
	 */
	if (skb->len > cc->max_len)
		bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
			    cc->op, skb->len, cc->max_len);

	data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
	if (!data)
		return HCI_ERROR_UNSPECIFIED;

	return cc->func(hdev, data, skb);
}

/* HCI Command Complete event.
 *
 * @opcode and @status are out-parameters. The status comes from the matching
 * hci_cc_table handler or, for an opcode not in the table, from the first
 * payload byte (vendor commands are assumed to follow that convention).
 * Afterwards the command credit/timers are refreshed, the pending request
 * (if any) is completed through @req_complete/@req_complete_skb, and the
 * command work is kicked when credits and queued commands exist.
 *
 * NOTE(review): the "unknown opcode with no status" path returns before
 * handle_cmd_cnt_and_timer(), so the command timer stays armed and no credit
 * is restored in that case.
 */
static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
				 struct sk_buff *skb, u16 *opcode, u8 *status,
				 hci_req_complete_t *req_complete,
				 hci_req_complete_skb_t *req_complete_skb)
{
	struct hci_ev_cmd_complete *ev = data;
	int i;

	*opcode = __le16_to_cpu(ev->opcode);

	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);

	for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
		if (hci_cc_table[i].op == *opcode) {
			*status = hci_cc_func(hdev, &hci_cc_table[i], skb);
			break;
		}
	}

	if (i == ARRAY_SIZE(hci_cc_table)) {
		if (!skb->len) {
			bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status",
				   *opcode);
			*status = HCI_ERROR_UNSPECIFIED;
			return;
		}

		/* Unknown opcode, assume byte 0 contains the status, so
		 * that e.g. __hci_cmd_sync() properly returns errors
		 * for vendor specific commands send by HCI drivers.
		 * If a vendor doesn't actually follow this convention we may
		 * need to introduce a vendor CC table in order to properly set
		 * the status.
		 */
		*status = skb->data[0];
	}

	handle_cmd_cnt_and_timer(hdev, ev->ncmd);

	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
			     req_complete_skb);

	/* HCI_CMD_PENDING still set after completion presumably means this
	 * event did not match the command the core is waiting on; do not
	 * push the next queued command in that case.
	 */
	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
		bt_dev_err(hdev,
			   "unexpected event for opcode 0x%4.4x", *opcode);
		return;
	}

	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
		queue_work(hdev->workqueue, &hdev->cmd_work);
}

/* LE Create CIS Command Status.
 *
 * Only a failed status is handled: every CIS handle listed in the sent
 * command is looked up, moved to BT_CLOSED, confirmed with the error and
 * deleted. cp->num_cis is zeroed afterwards (presumably so the same sent
 * command data is not acted on again), and LE Create CIS is kicked once more
 * if any of those connections still had HCI_CONN_CREATE_CIS set.
 */
static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
{
	struct hci_cp_le_create_cis *cp;
	bool pending = false;
	int i;

	bt_dev_dbg(hdev, "status 0x%2.2x", status);

	if (!status)
		return;

	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
	if (!cp)
		return;

	hci_dev_lock(hdev);

	/* Remove connection if command failed */
	for (i = 0; i < cp->num_cis; i++) {
		struct hci_conn *conn;
		u16 handle;

		handle = __le16_to_cpu(cp->cis[i].cis_handle);

		conn = hci_conn_hash_lookup_handle(hdev, handle);
		if (conn) {
			if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
					       &conn->flags))
				pending = true;
			conn->state = BT_CLOSED;
			hci_connect_cfm(conn, status);
			hci_conn_del(conn);
		}
	}
	cp->num_cis = 0;

	if (pending)
		hci_le_create_cis_pending(hdev);

	hci_dev_unlock(hdev);
}

/* Entry of hci_cs_table: a Command Status opcode and its handler. */
#define HCI_CS(_op, _func) \
{ \
	.op = _op, \
	.func = _func, \
}

/* Opcode -> Command Status handler table, searched linearly by
 * hci_cmd_status_evt(). Handlers receive only the event status.
 */
static const struct hci_cs {
	u16 op;
	void (*func)(struct hci_dev *hdev, __u8 status);
} hci_cs_table[] = {
	HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
	HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
	HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
	HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
	HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
	HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
	HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
	HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
	       hci_cs_read_remote_ext_features),
	HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
	HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
	       hci_cs_enhanced_setup_sync_conn),
	HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
	HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
	HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
	HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
	HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
	HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
	HCI_CS(HCI_OP_LE_SET_PHY, hci_cs_le_set_phy),
	HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
	HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
	HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
	HCI_CS(HCI_OP_LE_READ_ALL_REMOTE_FEATURES,
	       hci_cs_le_read_all_remote_features),
};

/* HCI Command Status event.
 *
 * Counterpart of hci_cmd_complete_evt() for commands that answer with
 * Command Status. @opcode/@status are out-parameters taken straight from the
 * event. The opcode-specific hci_cs_table handler runs first (unknown
 * opcodes are silently skipped), then command credits/timers are refreshed.
 * The pending request is completed only when the status is an error, or
 * when the request is not waiting for a specific follow-up event, since
 * such commands never produce a Command Complete.
 */
static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
			       struct sk_buff *skb, u16 *opcode, u8 *status,
			       hci_req_complete_t *req_complete,
			       hci_req_complete_skb_t *req_complete_skb)
{
	struct hci_ev_cmd_status *ev = data;
	int i;

	*opcode = __le16_to_cpu(ev->opcode);
	*status = ev->status;

	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);

	for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
		if (hci_cs_table[i].op == *opcode) {
			hci_cs_table[i].func(hdev, ev->status);
			break;
		}
	}

	handle_cmd_cnt_and_timer(hdev, ev->ncmd);

	/* Indicate request completion if the command failed. Also, if
	 * we're not waiting for a special event and we get a success
	 * command status we should try to flag the request as completed
	 * (since for this kind of commands there will not be a command
	 * complete event).
	 */
	if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
				     req_complete_skb);
		if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
			bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
				   *opcode);
			return;
		}
	}

	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
		queue_work(hdev->workqueue, &hdev->cmd_work);
}

/* HCI Hardware Error event.
 *
 * Records the controller's error code in hdev->hw_error_code and queues the
 * error_reset work on req_workqueue; nothing else is done in event context.
 */
static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_hardware_error *ev = data;

	bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);

	hdev->hw_error_code = ev->code;

	queue_work(hdev->req_workqueue, &hdev->error_reset);
}

/* Role Change event.
 *
 * On success the new role is stored on the ACL connection. Regardless of
 * status the pending role-switch bit is cleared and hci_role_switch_cfm()
 * is called with the status and the role reported by the controller.
 */
static void hci_role_change_evt(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_ev_role_change *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (conn) {
		if (!ev->status)
			conn->role = ev->role;

		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);

		hci_role_switch_cfm(conn, ev->status, ev->role);
	}

	hci_dev_unlock(hdev);
}

/* Number Of Completed Packets event.
 *
 * The variable-length handles[] array is pulled (and thus length-checked)
 * based on ev->num before it is read. For each entry the connection's
 * outstanding counter is decremented, clamped at zero with a warning if the
 * controller reports more completions than were sent; @count packets are
 * dequeued from the connection's TX queue; and the device-level credit for
 * the link type is replenished, capped at the advertised buffer count. LE
 * links fall back to the ACL pool when the controller reported no LE
 * buffers. tx_work is queued at the end so the freed credits get used.
 *
 * NOTE(review): the inner `unsigned int i` shadows the outer `int i`. It is
 * correct as written, because the inner declaration is scoped to the loop
 * body and the outer for-increment lives outside it, but it is easy to
 * misread.
 */
static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_num_comp_pkts *ev = data;
	int i;

	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
			     flex_array_size(ev, handles, ev->num)))
		return;

	bt_dev_dbg(hdev, "num %d", ev->num);

	hci_dev_lock(hdev);

	for (i = 0; i < ev->num; i++) {
		struct hci_comp_pkts_info *info = &ev->handles[i];
		struct hci_conn *conn;
		__u16 handle, count;
		unsigned int i;

		handle = __le16_to_cpu(info->handle);
		count = __le16_to_cpu(info->count);

		conn = hci_conn_hash_lookup_handle(hdev, handle);
		if (!conn)
			continue;

		/* Check if there is really enough packets outstanding before
		 * attempting to decrease the sent counter otherwise it could
		 * underflow..
		 */
		if (conn->sent >= count) {
			conn->sent -= count;
		} else {
			bt_dev_warn(hdev, "hcon %p sent %u < count %u",
				    conn, conn->sent, count);
			conn->sent = 0;
		}

		/* count is controller-supplied and this loop runs count times
		 * even when conn->sent was smaller; assumes
		 * hci_conn_tx_dequeue() tolerates an empty queue - TODO confirm.
		 */
		for (i = 0; i < count; ++i)
			hci_conn_tx_dequeue(conn);

		switch (conn->type) {
		case ACL_LINK:
			hdev->acl_cnt += count;
			if (hdev->acl_cnt > hdev->acl_pkts)
				hdev->acl_cnt = hdev->acl_pkts;
			break;

		case LE_LINK:
			if (hdev->le_pkts) {
				hdev->le_cnt += count;
				if (hdev->le_cnt > hdev->le_pkts)
					hdev->le_cnt = hdev->le_pkts;
			} else {
				hdev->acl_cnt += count;
				if (hdev->acl_cnt > hdev->acl_pkts)
					hdev->acl_cnt = hdev->acl_pkts;
			}
			break;

		case SCO_LINK:
		case ESCO_LINK:
			hdev->sco_cnt += count;
			if (hdev->sco_cnt > hdev->sco_pkts)
				hdev->sco_cnt = hdev->sco_pkts;

			break;

		case CIS_LINK:
		case BIS_LINK:
		case PA_LINK:
			hdev->iso_cnt += count;
			if (hdev->iso_cnt > hdev->iso_pkts)
				hdev->iso_cnt = hdev->iso_pkts;
			break;

		default:
			bt_dev_err(hdev, "unknown type %d conn %p",
				   conn->type, conn);
			break;
		}
	}

	queue_work(hdev->workqueue, &hdev->tx_work);

	hci_dev_unlock(hdev);
}

/* Mode Change event (active/hold/sniff).
 *
 * Stores the new mode on the connection. When HCI_CONN_MODE_CHANGE_PEND was
 * not set (presumably a change the host did not ask for) the
 * HCI_CONN_POWER_SAVE bit is adjusted, and a pending SCO setup is resumed.
 * Body continues below.
 */
static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
				struct sk_buff *skb)
{
	struct hci_ev_mode_change *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (conn) {
		conn->mode = ev->mode;

		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
&conn->flags)) { 4587 if (conn->mode == HCI_CM_ACTIVE) 4588 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4589 else 4590 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4591 } 4592 4593 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4594 hci_sco_setup(conn, ev->status); 4595 } 4596 4597 hci_dev_unlock(hdev); 4598 } 4599 4600 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data, 4601 struct sk_buff *skb) 4602 { 4603 struct hci_ev_pin_code_req *ev = data; 4604 struct hci_conn *conn; 4605 4606 bt_dev_dbg(hdev, ""); 4607 4608 hci_dev_lock(hdev); 4609 4610 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4611 if (!conn) 4612 goto unlock; 4613 4614 if (conn->state == BT_CONNECTED) { 4615 hci_conn_hold(conn); 4616 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4617 hci_conn_drop(conn); 4618 } 4619 4620 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4621 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4622 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4623 sizeof(ev->bdaddr), &ev->bdaddr); 4624 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4625 u8 secure; 4626 4627 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4628 secure = 1; 4629 else 4630 secure = 0; 4631 4632 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4633 } 4634 4635 unlock: 4636 hci_dev_unlock(hdev); 4637 } 4638 4639 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4640 { 4641 if (key_type == HCI_LK_CHANGED_COMBINATION) 4642 return; 4643 4644 conn->pin_length = pin_len; 4645 conn->key_type = key_type; 4646 4647 switch (key_type) { 4648 case HCI_LK_LOCAL_UNIT: 4649 case HCI_LK_REMOTE_UNIT: 4650 case HCI_LK_DEBUG_COMBINATION: 4651 return; 4652 case HCI_LK_COMBINATION: 4653 if (pin_len == 16) 4654 conn->pending_sec_level = BT_SECURITY_HIGH; 4655 else 4656 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4657 break; 4658 case HCI_LK_UNAUTH_COMBINATION_P192: 4659 case HCI_LK_UNAUTH_COMBINATION_P256: 4660 conn->pending_sec_level = BT_SECURITY_MEDIUM; 
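/* conn_set_key() continues from the previous line: remaining key types */
		break;
	case HCI_LK_AUTH_COMBINATION_P192:
		/* Authenticated (MITM protected) legacy SSP key */
		conn->pending_sec_level = BT_SECURITY_HIGH;
		break;
	case HCI_LK_AUTH_COMBINATION_P256:
		/* Authenticated Secure Connections key; the only key type
		 * mapped to BT_SECURITY_FIPS here.
		 */
		conn->pending_sec_level = BT_SECURITY_FIPS;
		break;
	}
}

/* HCI_Link_Key_Request: the controller asks whether a link key is stored
 * for ev->bdaddr. The key is handed back only if it is strong enough for
 * what the connection is asking for; otherwise a negative reply tells the
 * controller that no usable key is available.
 *
 * Only handled when the device is under mgmt control (HCI_MGMT). The
 * lookup and the reply run with hdev->lock held; both exits release it.
 */
static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_ev_link_key_req *ev = data;
	struct hci_cp_link_key_reply cp;
	struct hci_conn *conn;
	struct link_key *key;

	bt_dev_dbg(hdev, "");

	if (!hci_dev_test_flag(hdev, HCI_MGMT))
		return;

	hci_dev_lock(hdev);

	key = hci_find_link_key(hdev, &ev->bdaddr);
	if (!key) {
		bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
		goto not_found;
	}

	bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (conn) {
		/* The key being offered is a stored one, not freshly created */
		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);

		/* A key created without MITM protection must not satisfy a
		 * link whose local auth_type requires MITM (bit 0). 0xff
		 * appears to mean the auth requirement is not known yet
		 * (compare the remote_auth handling further down this file).
		 */
		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
			bt_dev_dbg(hdev, "ignoring unauthenticated key");
			goto not_found;
		}

		/* A legacy combination key derived from a PIN shorter than
		 * 16 digits is not accepted for HIGH or FIPS security; this
		 * mirrors the pin_len == 16 rule in conn_set_key().
		 */
		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
			bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
			goto not_found;
		}

		conn_set_key(conn, key->type, key->pin_len);
	}

	bacpy(&cp.bdaddr, &ev->bdaddr);
	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);

	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);

	hci_dev_unlock(hdev);

	return;

not_found:
	/* The negative reply carries only the address; size it from the
	 * field rather than a bare 6, as the other bdaddr-only replies in
	 * this file do (e.g. HCI_OP_PIN_CODE_NEG_REPLY).
	 */
	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, sizeof(ev->bdaddr),
		     &ev->bdaddr);
	hci_dev_unlock(hdev);
}

/* HCI_Link_Key_Notification: the controller reports a link key that was
 * just created or changed for ev->bdaddr. The key type is recorded on the
 * connection, the key is added to the key store and announced to user
 * space through mgmt, which also decides whether it is kept persistently.
 */
static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_link_key_notify *ev = data;
	struct hci_conn *conn;
	struct link_key *key;
	bool persistent;
	u8 pin_len = 0;

	bt_dev_dbg(hdev, "");

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (!conn)
		goto unlock;

	/* Ignore NULL link key against CVE-2020-26555 */
	/* An all-zero key is never accepted: the link is torn down with an
	 * authentication failure instead of being treated as paired. The
	 * compare uses crypto_memneq so its timing does not depend on the
	 * key bytes.
	 */
	if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
		bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
			   &ev->bdaddr);
		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
		hci_conn_drop(conn);
		goto unlock;
	}

	/* Hold/drop around the assignment so the new idle timeout takes
	 * effect (presumably re-armed by hci_conn_drop — verify there).
	 */
	hci_conn_hold(conn);
	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
	hci_conn_drop(conn);

	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
	conn_set_key(conn, ev->key_type, conn->pin_length);

	if (!hci_dev_test_flag(hdev, HCI_MGMT))
		goto unlock;

	/* NOTE(review): pin_len is always 0 here, so the stored key does not
	 * carry the conn->pin_length that conn_set_key() used above. For
	 * HCI_LK_COMBINATION keys, hci_link_key_request_evt() later treats
	 * pin_len < 16 as too weak for HIGH/FIPS security — confirm this is
	 * intended.
	 */
	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
			       ev->key_type, pin_len, &persistent);
	if (!key)
		goto unlock;

	/* Update connection information since adding the key will have
	 * fixed up the type in the case of changed combination keys.
	 */
	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
		conn_set_key(conn, key->type, key->pin_len);

	mgmt_new_link_key(hdev, key, persistent);

	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
	 * is set. If it's not set simply remove the key from the kernel
	 * list (we've still notified user space about it but with
	 * store_hint being 0).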
4782 */ 4783 if (key->type == HCI_LK_DEBUG_COMBINATION && 4784 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4785 list_del_rcu(&key->list); 4786 kfree_rcu(key, rcu); 4787 goto unlock; 4788 } 4789 4790 if (persistent) 4791 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4792 else 4793 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4794 4795 unlock: 4796 hci_dev_unlock(hdev); 4797 } 4798 4799 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data, 4800 struct sk_buff *skb) 4801 { 4802 struct hci_ev_clock_offset *ev = data; 4803 struct hci_conn *conn; 4804 4805 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4806 4807 hci_dev_lock(hdev); 4808 4809 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4810 if (conn && !ev->status) { 4811 struct inquiry_entry *ie; 4812 4813 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4814 if (ie) { 4815 ie->data.clock_offset = ev->clock_offset; 4816 ie->timestamp = jiffies; 4817 } 4818 } 4819 4820 hci_dev_unlock(hdev); 4821 } 4822 4823 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data, 4824 struct sk_buff *skb) 4825 { 4826 struct hci_ev_pkt_type_change *ev = data; 4827 struct hci_conn *conn; 4828 4829 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4830 4831 hci_dev_lock(hdev); 4832 4833 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4834 if (conn && !ev->status) 4835 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4836 4837 hci_dev_unlock(hdev); 4838 } 4839 4840 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data, 4841 struct sk_buff *skb) 4842 { 4843 struct hci_ev_pscan_rep_mode *ev = data; 4844 struct inquiry_entry *ie; 4845 4846 bt_dev_dbg(hdev, ""); 4847 4848 hci_dev_lock(hdev); 4849 4850 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4851 if (ie) { 4852 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4853 ie->timestamp = jiffies; 4854 } 4855 4856 hci_dev_unlock(hdev); 4857 } 4858 4859 static void hci_inquiry_result_with_rssi_evt(struct hci_dev 
*hdev, void *edata, 4860 struct sk_buff *skb) 4861 { 4862 struct hci_ev_inquiry_result_rssi *ev = edata; 4863 struct inquiry_data data; 4864 int i; 4865 4866 bt_dev_dbg(hdev, "num_rsp %d", ev->num); 4867 4868 if (!ev->num) 4869 return; 4870 4871 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4872 return; 4873 4874 hci_dev_lock(hdev); 4875 4876 if (skb->len == array_size(ev->num, 4877 sizeof(struct inquiry_info_rssi_pscan))) { 4878 struct inquiry_info_rssi_pscan *info; 4879 4880 for (i = 0; i < ev->num; i++) { 4881 u32 flags; 4882 4883 info = hci_ev_skb_pull(hdev, skb, 4884 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4885 sizeof(*info)); 4886 if (!info) { 4887 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4888 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4889 goto unlock; 4890 } 4891 4892 bacpy(&data.bdaddr, &info->bdaddr); 4893 data.pscan_rep_mode = info->pscan_rep_mode; 4894 data.pscan_period_mode = info->pscan_period_mode; 4895 data.pscan_mode = info->pscan_mode; 4896 memcpy(data.dev_class, info->dev_class, 3); 4897 data.clock_offset = info->clock_offset; 4898 data.rssi = info->rssi; 4899 data.ssp_mode = 0x00; 4900 4901 flags = hci_inquiry_cache_update(hdev, &data, false); 4902 4903 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4904 info->dev_class, info->rssi, 4905 flags, NULL, 0, NULL, 0, 0); 4906 } 4907 } else if (skb->len == array_size(ev->num, 4908 sizeof(struct inquiry_info_rssi))) { 4909 struct inquiry_info_rssi *info; 4910 4911 for (i = 0; i < ev->num; i++) { 4912 u32 flags; 4913 4914 info = hci_ev_skb_pull(hdev, skb, 4915 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4916 sizeof(*info)); 4917 if (!info) { 4918 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4919 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4920 goto unlock; 4921 } 4922 4923 bacpy(&data.bdaddr, &info->bdaddr); 4924 data.pscan_rep_mode = info->pscan_rep_mode; 4925 data.pscan_period_mode = info->pscan_period_mode; 4926 data.pscan_mode = 0x00; 4927 memcpy(data.dev_class, info->dev_class, 3); 4928 data.clock_offset = 
info->clock_offset; 4929 data.rssi = info->rssi; 4930 data.ssp_mode = 0x00; 4931 4932 flags = hci_inquiry_cache_update(hdev, &data, false); 4933 4934 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4935 info->dev_class, info->rssi, 4936 flags, NULL, 0, NULL, 0, 0); 4937 } 4938 } else { 4939 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4940 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4941 } 4942 unlock: 4943 hci_dev_unlock(hdev); 4944 } 4945 4946 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data, 4947 struct sk_buff *skb) 4948 { 4949 struct hci_ev_remote_ext_features *ev = data; 4950 struct hci_conn *conn; 4951 4952 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4953 4954 hci_dev_lock(hdev); 4955 4956 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4957 if (!conn) 4958 goto unlock; 4959 4960 if (ev->page < HCI_MAX_PAGES) 4961 memcpy(conn->features[ev->page], ev->features, 8); 4962 4963 if (!ev->status && ev->page == 0x01) { 4964 struct inquiry_entry *ie; 4965 4966 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4967 if (ie) 4968 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4969 4970 if (ev->features[0] & LMP_HOST_SSP) { 4971 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4972 } else { 4973 /* It is mandatory by the Bluetooth specification that 4974 * Extended Inquiry Results are only used when Secure 4975 * Simple Pairing is enabled, but some devices violate 4976 * this. 
4977 * 4978 * To make these devices work, the internal SSP 4979 * enabled flag needs to be cleared if the remote host 4980 * features do not indicate SSP support */ 4981 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4982 } 4983 4984 if (ev->features[0] & LMP_HOST_SC) 4985 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4986 } 4987 4988 if (conn->state != BT_CONFIG) 4989 goto unlock; 4990 4991 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4992 struct hci_cp_remote_name_req cp; 4993 memset(&cp, 0, sizeof(cp)); 4994 bacpy(&cp.bdaddr, &conn->dst); 4995 cp.pscan_rep_mode = 0x02; 4996 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4997 } else { 4998 mgmt_device_connected(hdev, conn, NULL, 0); 4999 } 5000 5001 if (!hci_outgoing_auth_needed(hdev, conn)) { 5002 conn->state = BT_CONNECTED; 5003 hci_connect_cfm(conn, ev->status); 5004 hci_conn_drop(conn); 5005 } 5006 5007 unlock: 5008 hci_dev_unlock(hdev); 5009 } 5010 5011 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, 5012 struct sk_buff *skb) 5013 { 5014 struct hci_ev_sync_conn_complete *ev = data; 5015 struct hci_conn *conn; 5016 u8 status = ev->status; 5017 5018 switch (ev->link_type) { 5019 case SCO_LINK: 5020 case ESCO_LINK: 5021 break; 5022 default: 5023 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type 5024 * for HCI_Synchronous_Connection_Complete is limited to 5025 * either SCO or eSCO 5026 */ 5027 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type"); 5028 return; 5029 } 5030 5031 bt_dev_dbg(hdev, "status 0x%2.2x", status); 5032 5033 hci_dev_lock(hdev); 5034 hci_store_wake_reason(hdev, &ev->bdaddr, BDADDR_BREDR); 5035 5036 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 5037 if (!conn) { 5038 if (ev->link_type == ESCO_LINK) 5039 goto unlock; 5040 5041 /* When the link type in the event indicates SCO connection 5042 * and lookup of the connection object fails, then check 5043 * if an eSCO connection object 
exists. 5044 * 5045 * The core limits the synchronous connections to either 5046 * SCO or eSCO. The eSCO connection is preferred and tried 5047 * to be setup first and until successfully established, 5048 * the link type will be hinted as eSCO. 5049 */ 5050 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 5051 if (!conn) 5052 goto unlock; 5053 } 5054 5055 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. 5056 * Processing it more than once per connection can corrupt kernel memory. 5057 * 5058 * As the connection handle is set here for the first time, it indicates 5059 * whether the connection is already set up. 5060 */ 5061 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5062 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection"); 5063 goto unlock; 5064 } 5065 5066 switch (status) { 5067 case 0x00: 5068 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 5069 if (status) { 5070 conn->state = BT_CLOSED; 5071 break; 5072 } 5073 5074 conn->state = BT_CONNECTED; 5075 conn->type = ev->link_type; 5076 5077 hci_debugfs_create_conn(conn); 5078 hci_conn_add_sysfs(conn); 5079 break; 5080 5081 case 0x10: /* Connection Accept Timeout */ 5082 case 0x0d: /* Connection Rejected due to Limited Resources */ 5083 case 0x11: /* Unsupported Feature or Parameter Value */ 5084 case 0x1c: /* SCO interval rejected */ 5085 case 0x1a: /* Unsupported Remote Feature */ 5086 case 0x1e: /* Invalid LMP Parameters */ 5087 case 0x1f: /* Unspecified error */ 5088 case 0x20: /* Unsupported LMP Parameter value */ 5089 if (conn->out) { 5090 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 5091 (hdev->esco_type & EDR_ESCO_MASK); 5092 if (hci_setup_sync(conn, conn->parent->handle)) 5093 goto unlock; 5094 } 5095 fallthrough; 5096 5097 default: 5098 conn->state = BT_CLOSED; 5099 break; 5100 } 5101 5102 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 5103 /* Notify only in case of SCO over HCI transport 
data path which 5104 * is zero and non-zero value shall be non-HCI transport data path 5105 */ 5106 if (conn->codec.data_path == 0 && hdev->notify) { 5107 switch (ev->air_mode) { 5108 case 0x02: 5109 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 5110 break; 5111 case 0x03: 5112 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 5113 break; 5114 } 5115 } 5116 5117 hci_connect_cfm(conn, status); 5118 if (status) 5119 hci_conn_del(conn); 5120 5121 unlock: 5122 hci_dev_unlock(hdev); 5123 } 5124 5125 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 5126 { 5127 size_t parsed = 0; 5128 5129 while (parsed < eir_len) { 5130 u8 field_len = eir[0]; 5131 5132 if (field_len == 0) 5133 return parsed; 5134 5135 parsed += field_len + 1; 5136 eir += field_len + 1; 5137 } 5138 5139 return eir_len; 5140 } 5141 5142 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata, 5143 struct sk_buff *skb) 5144 { 5145 struct hci_ev_ext_inquiry_result *ev = edata; 5146 struct inquiry_data data; 5147 size_t eir_len; 5148 int i; 5149 5150 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT, 5151 flex_array_size(ev, info, ev->num))) 5152 return; 5153 5154 bt_dev_dbg(hdev, "num %d", ev->num); 5155 5156 if (!ev->num) 5157 return; 5158 5159 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 5160 return; 5161 5162 hci_dev_lock(hdev); 5163 5164 for (i = 0; i < ev->num; i++) { 5165 struct extended_inquiry_info *info = &ev->info[i]; 5166 u32 flags; 5167 bool name_known; 5168 5169 bacpy(&data.bdaddr, &info->bdaddr); 5170 data.pscan_rep_mode = info->pscan_rep_mode; 5171 data.pscan_period_mode = info->pscan_period_mode; 5172 data.pscan_mode = 0x00; 5173 memcpy(data.dev_class, info->dev_class, 3); 5174 data.clock_offset = info->clock_offset; 5175 data.rssi = info->rssi; 5176 data.ssp_mode = 0x01; 5177 5178 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5179 name_known = eir_get_data(info->data, 5180 sizeof(info->data), 5181 EIR_NAME_COMPLETE, NULL); 5182 else 5183 name_known 
= true; 5184 5185 flags = hci_inquiry_cache_update(hdev, &data, name_known); 5186 5187 eir_len = eir_get_length(info->data, sizeof(info->data)); 5188 5189 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 5190 info->dev_class, info->rssi, 5191 flags, info->data, eir_len, NULL, 0, 0); 5192 } 5193 5194 hci_dev_unlock(hdev); 5195 } 5196 5197 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, 5198 struct sk_buff *skb) 5199 { 5200 struct hci_ev_key_refresh_complete *ev = data; 5201 struct hci_conn *conn; 5202 5203 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status, 5204 __le16_to_cpu(ev->handle)); 5205 5206 hci_dev_lock(hdev); 5207 5208 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5209 if (!conn) 5210 goto unlock; 5211 5212 /* For BR/EDR the necessary steps are taken through the 5213 * auth_complete event. 5214 */ 5215 if (conn->type != LE_LINK) 5216 goto unlock; 5217 5218 if (!ev->status) 5219 conn->sec_level = conn->pending_sec_level; 5220 5221 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 5222 5223 if (ev->status && conn->state == BT_CONNECTED) { 5224 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 5225 hci_conn_drop(conn); 5226 goto unlock; 5227 } 5228 5229 if (conn->state == BT_CONFIG) { 5230 if (!ev->status) 5231 conn->state = BT_CONNECTED; 5232 5233 hci_connect_cfm(conn, ev->status); 5234 hci_conn_drop(conn); 5235 } else { 5236 hci_auth_cfm(conn, ev->status); 5237 5238 hci_conn_hold(conn); 5239 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 5240 hci_conn_drop(conn); 5241 } 5242 5243 unlock: 5244 hci_dev_unlock(hdev); 5245 } 5246 5247 static u8 hci_get_auth_req(struct hci_conn *conn) 5248 { 5249 /* If remote requests no-bonding follow that lead */ 5250 if (conn->remote_auth == HCI_AT_NO_BONDING || 5251 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 5252 return conn->remote_auth | (conn->auth_type & 0x01); 5253 5254 /* If both remote and local have enough IO capabilities, require 5255 * MITM protection 5256 */ 
5257 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 5258 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 5259 return conn->remote_auth | 0x01; 5260 5261 /* No MITM protection possible so ignore remote requirement */ 5262 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 5263 } 5264 5265 static u8 bredr_oob_data_present(struct hci_conn *conn) 5266 { 5267 struct hci_dev *hdev = conn->hdev; 5268 struct oob_data *data; 5269 5270 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 5271 if (!data) 5272 return 0x00; 5273 5274 if (bredr_sc_enabled(hdev)) { 5275 /* When Secure Connections is enabled, then just 5276 * return the present value stored with the OOB 5277 * data. The stored value contains the right present 5278 * information. However it can only be trusted when 5279 * not in Secure Connection Only mode. 5280 */ 5281 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 5282 return data->present; 5283 5284 /* When Secure Connections Only mode is enabled, then 5285 * the P-256 values are required. If they are not 5286 * available, then do not declare that OOB data is 5287 * present. 5288 */ 5289 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) || 5290 !crypto_memneq(data->hash256, ZERO_KEY, 16)) 5291 return 0x00; 5292 5293 return 0x02; 5294 } 5295 5296 /* When Secure Connections is not enabled or actually 5297 * not supported by the hardware, then check that if 5298 * P-192 data values are present. 
5299 */ 5300 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) || 5301 !crypto_memneq(data->hash192, ZERO_KEY, 16)) 5302 return 0x00; 5303 5304 return 0x01; 5305 } 5306 5307 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data, 5308 struct sk_buff *skb) 5309 { 5310 struct hci_ev_io_capa_request *ev = data; 5311 struct hci_conn *conn; 5312 5313 bt_dev_dbg(hdev, ""); 5314 5315 hci_dev_lock(hdev); 5316 5317 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5318 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) 5319 goto unlock; 5320 5321 /* Assume remote supports SSP since it has triggered this event */ 5322 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 5323 5324 hci_conn_hold(conn); 5325 5326 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5327 goto unlock; 5328 5329 /* Allow pairing if we're pairable, the initiators of the 5330 * pairing or if the remote is not requesting bonding. 5331 */ 5332 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 5333 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 5334 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 5335 struct hci_cp_io_capability_reply cp; 5336 5337 bacpy(&cp.bdaddr, &ev->bdaddr); 5338 /* Change the IO capability from KeyboardDisplay 5339 * to DisplayYesNo as it is not supported by BT spec. */ 5340 cp.capability = (conn->io_capability == 0x04) ? 5341 HCI_IO_DISPLAY_YESNO : conn->io_capability; 5342 5343 /* If we are initiators, there is no remote information yet */ 5344 if (conn->remote_auth == 0xff) { 5345 /* Request MITM protection if our IO caps allow it 5346 * except for the no-bonding case. 5347 */ 5348 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5349 conn->auth_type != HCI_AT_NO_BONDING) 5350 conn->auth_type |= 0x01; 5351 } else { 5352 conn->auth_type = hci_get_auth_req(conn); 5353 } 5354 5355 /* If we're not bondable, force one of the non-bondable 5356 * authentication requirement values. 
5357 */ 5358 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 5359 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 5360 5361 cp.authentication = conn->auth_type; 5362 cp.oob_data = bredr_oob_data_present(conn); 5363 5364 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 5365 sizeof(cp), &cp); 5366 } else { 5367 struct hci_cp_io_capability_neg_reply cp; 5368 5369 bacpy(&cp.bdaddr, &ev->bdaddr); 5370 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 5371 5372 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 5373 sizeof(cp), &cp); 5374 } 5375 5376 unlock: 5377 hci_dev_unlock(hdev); 5378 } 5379 5380 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data, 5381 struct sk_buff *skb) 5382 { 5383 struct hci_ev_io_capa_reply *ev = data; 5384 struct hci_conn *conn; 5385 5386 bt_dev_dbg(hdev, ""); 5387 5388 hci_dev_lock(hdev); 5389 5390 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5391 if (!conn) 5392 goto unlock; 5393 5394 conn->remote_cap = ev->capability; 5395 conn->remote_auth = ev->authentication; 5396 5397 unlock: 5398 hci_dev_unlock(hdev); 5399 } 5400 5401 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data, 5402 struct sk_buff *skb) 5403 { 5404 struct hci_ev_user_confirm_req *ev = data; 5405 int loc_mitm, rem_mitm, confirm_hint = 0; 5406 struct hci_conn *conn; 5407 5408 bt_dev_dbg(hdev, ""); 5409 5410 hci_dev_lock(hdev); 5411 5412 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5413 goto unlock; 5414 5415 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5416 if (!conn) 5417 goto unlock; 5418 5419 loc_mitm = (conn->auth_type & 0x01); 5420 rem_mitm = (conn->remote_auth & 0x01); 5421 5422 /* If we require MITM but the remote device can't provide that 5423 * (it has NoInputNoOutput) then reject the confirmation 5424 * request. We check the security level here since it doesn't 5425 * necessarily match conn->auth_type. 
5426 */ 5427 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5428 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5429 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM"); 5430 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5431 sizeof(ev->bdaddr), &ev->bdaddr); 5432 goto unlock; 5433 } 5434 5435 /* If no side requires MITM protection; use JUST_CFM method */ 5436 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5437 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5438 5439 /* If we're not the initiator of request authorization and the 5440 * local IO capability is not NoInputNoOutput, use JUST_WORKS 5441 * method (mgmt_user_confirm with confirm_hint set to 1). 5442 */ 5443 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5444 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) { 5445 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor"); 5446 confirm_hint = 1; 5447 goto confirm; 5448 } 5449 5450 /* If there already exists link key in local host, leave the 5451 * decision to user space since the remote device could be 5452 * legitimate or malicious. 
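*/
		if (hci_find_link_key(hdev, &ev->bdaddr)) {
			bt_dev_dbg(hdev, "Local host already has link key");
			confirm_hint = 1;
			goto confirm;
		}

		BT_DBG("Auto-accept of user confirmation with %ums delay",
		       hdev->auto_accept_delay);

		/* Neither side needs MITM and no key exists yet: accept
		 * without involving user space, either after the configured
		 * delay through auto_accept_work or immediately.
		 */
		if (hdev->auto_accept_delay > 0) {
			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
			queue_delayed_work(conn->hdev->workqueue,
					   &conn->auto_accept_work, delay);
			goto unlock;
		}

		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
			     sizeof(ev->bdaddr), &ev->bdaddr);
		goto unlock;
	}

confirm:
	/* Let user space decide; confirm_hint tells it whether a plain
	 * accept/reject prompt is enough or the passkey must be compared.
	 */
	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
				  le32_to_cpu(ev->passkey), confirm_hint);

unlock:
	hci_dev_unlock(hdev);
}

/* HCI_User_Passkey_Request: user space must supply the passkey. No
 * connection state is touched, so hdev->lock is not taken.
 */
static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_ev_user_passkey_req *ev = data;

	bt_dev_dbg(hdev, "");

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
}

/* HCI_User_Passkey_Notification: store the passkey to be displayed, reset
 * the entered-digit counter and pass both on to user space.
 */
static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
					struct sk_buff *skb)
{
	struct hci_ev_user_passkey_notify *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "");

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (!conn)
		goto unlock;

	conn->passkey_notify = __le32_to_cpu(ev->passkey);
	conn->passkey_entered = 0;

	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
					 conn->dst_type, conn->passkey_notify,
					 conn->passkey_entered);

unlock:
	hci_dev_unlock(hdev);
}

/* HCI_Keypress_Notification: track how many passkey digits the remote
 * side has entered so user space can show progress. The counter is driven
 * entirely by remote-originated events, so it is kept within sane bounds.
 */
static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_keypress_notify *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "");

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (!conn)
		goto unlock;

	switch (ev->type) {
	case HCI_KEYPRESS_STARTED:
		conn->passkey_entered = 0;
		goto unlock;

	case HCI_KEYPRESS_ENTERED:
		conn->passkey_entered++;
		break;

	case HCI_KEYPRESS_ERASED:
		/* An erase with nothing entered is a protocol anomaly; do
		 * not let the counter wrap (its width is not visible here)
		 * and report a bogus count to user space.
		 */
		if (conn->passkey_entered)
			conn->passkey_entered--;
		break;

	case HCI_KEYPRESS_CLEARED:
		conn->passkey_entered = 0;
		break;

	case HCI_KEYPRESS_COMPLETED:
		goto unlock;
	}

	/* Unknown keypress types fall out of the switch unchanged and are
	 * still reported with the current count.
	 */
	if (hci_dev_test_flag(hdev, HCI_MGMT))
		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
					 conn->dst_type, conn->passkey_notify,
					 conn->passkey_entered);

unlock:
	hci_dev_unlock(hdev);
}

/* HCI_Simple_Pairing_Complete: the SSP procedure finished for ev->bdaddr.
 * The remote auth requirement is reset and, when we were not the initiator,
 * a failure is reported to user space.
 */
static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_ev_simple_pair_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "");

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (!conn || !hci_conn_ssp_enabled(conn))
		goto unlock;

	/* Reset the authentication requirement to unknown */
	conn->remote_auth = 0xff;

	/* To avoid duplicate auth_failed events to user space we check
	 * the HCI_CONN_AUTH_PEND flag which will be set if we
	 * initiated the authentication.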
A traditional auth_complete 5584 * event gets always produced as initiator and is also mapped to 5585 * the mgmt_auth_failed event */ 5586 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5587 mgmt_auth_failed(conn, ev->status); 5588 5589 hci_conn_drop(conn); 5590 5591 unlock: 5592 hci_dev_unlock(hdev); 5593 } 5594 5595 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data, 5596 struct sk_buff *skb) 5597 { 5598 struct hci_ev_remote_host_features *ev = data; 5599 struct inquiry_entry *ie; 5600 struct hci_conn *conn; 5601 5602 bt_dev_dbg(hdev, ""); 5603 5604 hci_dev_lock(hdev); 5605 5606 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5607 if (conn) 5608 memcpy(conn->features[1], ev->features, 8); 5609 5610 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5611 if (ie) 5612 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5613 5614 hci_dev_unlock(hdev); 5615 } 5616 5617 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata, 5618 struct sk_buff *skb) 5619 { 5620 struct hci_ev_remote_oob_data_request *ev = edata; 5621 struct oob_data *data; 5622 5623 bt_dev_dbg(hdev, ""); 5624 5625 hci_dev_lock(hdev); 5626 5627 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5628 goto unlock; 5629 5630 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5631 if (!data) { 5632 struct hci_cp_remote_oob_data_neg_reply cp; 5633 5634 bacpy(&cp.bdaddr, &ev->bdaddr); 5635 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5636 sizeof(cp), &cp); 5637 goto unlock; 5638 } 5639 5640 if (bredr_sc_enabled(hdev)) { 5641 struct hci_cp_remote_oob_ext_data_reply cp; 5642 5643 bacpy(&cp.bdaddr, &ev->bdaddr); 5644 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5645 memset(cp.hash192, 0, sizeof(cp.hash192)); 5646 memset(cp.rand192, 0, sizeof(cp.rand192)); 5647 } else { 5648 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5649 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5650 } 5651 memcpy(cp.hash256, 
data->hash256, sizeof(cp.hash256)); 5652 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5653 5654 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5655 sizeof(cp), &cp); 5656 } else { 5657 struct hci_cp_remote_oob_data_reply cp; 5658 5659 bacpy(&cp.bdaddr, &ev->bdaddr); 5660 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5661 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5662 5663 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5664 sizeof(cp), &cp); 5665 } 5666 5667 unlock: 5668 hci_dev_unlock(hdev); 5669 } 5670 5671 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5672 u8 bdaddr_type, bdaddr_t *local_rpa) 5673 { 5674 if (conn->out) { 5675 conn->dst_type = bdaddr_type; 5676 conn->resp_addr_type = bdaddr_type; 5677 bacpy(&conn->resp_addr, bdaddr); 5678 5679 /* Check if the controller has set a Local RPA then it must be 5680 * used instead or hdev->rpa. 5681 */ 5682 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5683 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5684 bacpy(&conn->init_addr, local_rpa); 5685 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5686 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5687 bacpy(&conn->init_addr, &conn->hdev->rpa); 5688 } else { 5689 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5690 &conn->init_addr_type); 5691 } 5692 } else { 5693 conn->resp_addr_type = conn->hdev->adv_addr_type; 5694 /* Check if the controller has set a Local RPA then it must be 5695 * used instead or hdev->rpa. 5696 */ 5697 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5698 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5699 bacpy(&conn->resp_addr, local_rpa); 5700 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5701 /* In case of ext adv, resp_addr will be updated in 5702 * Adv Terminated event. 
*/
			if (!ext_adv_capable(conn->hdev))
				bacpy(&conn->resp_addr,
				      &conn->hdev->random_addr);
		} else {
			bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
		}

		conn->init_addr_type = bdaddr_type;
		bacpy(&conn->init_addr, bdaddr);

		/* For incoming connections, set the default minimum
		 * and maximum connection interval. They will be used
		 * to check if the parameters are in range and if not
		 * trigger the connection update procedure.
		 */
		conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
		conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
	}
}

/* Common handler behind the legacy and the enhanced LE Connection Complete
 * events.
 *
 * Runs under hdev->lock. It clears HCI_LE_ADV, looks up (or creates) the
 * hci_conn for @bdaddr in @role, refuses a second Connection Complete for a
 * connection that already carries a handle, resolves @bdaddr to its identity
 * address through the stored IRK and, when @status is 0 and the handle can be
 * set, records @interval/@latency/@supervision_timeout and kicks off the
 * remote-features read. @local_rpa is NULL for the legacy event and is only
 * passed through to le_conn_update_addr(). Every exit path goes through the
 * unlock label, so hci_update_passive_scan() always runs before the lock is
 * released.
 */
static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
				 bdaddr_t *bdaddr, u8 bdaddr_type,
				 bdaddr_t *local_rpa, u8 role, u16 handle,
				 u16 interval, u16 latency,
				 u16 supervision_timeout)
{
	struct hci_conn_params *params;
	struct hci_conn *conn;
	struct smp_irk *irk;
	u8 addr_type;
	int err;

	hci_dev_lock(hdev);
	hci_store_wake_reason(hdev, bdaddr, bdaddr_type);

	/* All controllers implicitly stop advertising in the event of a
	 * connection, so ensure that the state bit is cleared.
	 */
	hci_dev_clear_flag(hdev, HCI_LE_ADV);

	/* Check for existing connection:
	 *
	 * 1. If it doesn't exist then use the role to create a new object.
	 * 2. If it does exist confirm that it is connecting/BT_CONNECT in case
	 * of initiator/master role since there could be a collision where
	 * either side is attempting to connect or something like a fuzzing
	 * testing is trying to play tricks to destroy the hcon object before
	 * it even attempts to connect (e.g. hcon->state == BT_OPEN).
	 */
	conn = hci_conn_hash_lookup_role(hdev, LE_LINK, role, bdaddr);
	if (!conn ||
	    (conn->role == HCI_ROLE_MASTER && conn->state != BT_CONNECT)) {
		/* In case of error status and there is no connection pending
		 * just unlock as there is nothing to cleanup.
		 */
		if (status)
			goto unlock;

		conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, bdaddr_type,
					  role);
		if (IS_ERR(conn)) {
			bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
			goto unlock;
		}

		/* If we didn't have a hci_conn object previously
		 * but we're in central role this must be something
		 * initiated using an accept list. Since accept list based
		 * connections are not "first class citizens" we don't
		 * have full tracking of them. Therefore, we go ahead
		 * with a "best effort" approach of determining the
		 * initiator address based on the HCI_PRIVACY flag.
		 */
		if (conn->out) {
			conn->resp_addr_type = bdaddr_type;
			bacpy(&conn->resp_addr, bdaddr);
			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
				bacpy(&conn->init_addr, &hdev->rpa);
			} else {
				hci_copy_identity_address(hdev,
							  &conn->init_addr,
							  &conn->init_addr_type);
			}
		}
	} else {
		/* A pending outgoing attempt completed: stop its timeout. */
		cancel_delayed_work(&conn->le_conn_timeout);
	}

	/* The HCI_LE_Connection_Complete event is only sent once per connection.
	 * Processing it more than once per connection can corrupt kernel memory.
	 *
	 * As the connection handle is set here for the first time, it indicates
	 * whether the connection is already set up.
	 */
	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
		goto unlock;
	}

	le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);

	/* Lookup the identity address from the stored connection
	 * address and address type.
	 *
	 * When establishing connections to an identity address, the
	 * connection procedure will store the resolvable random
	 * address first. Now if it can be converted back into the
	 * identity address, start using the identity address from
	 * now on.
	 */
	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
	if (irk) {
		bacpy(&conn->dst, &irk->bdaddr);
		conn->dst_type = irk->addr_type;
	}

	conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);

	/* All connection failure handling is taken care of by the
	 * hci_conn_failed function which is triggered by the HCI
	 * request completion callbacks used for connecting.
	 */
	if (status || hci_conn_set_handle(conn, handle))
		goto unlock;

	/* Drop the connection if it has been aborted */
	if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
		hci_conn_drop(conn);
		goto unlock;
	}

	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
		addr_type = BDADDR_LE_PUBLIC;
	else
		addr_type = BDADDR_LE_RANDOM;

	/* Drop the connection if the device is blocked */
	if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
		hci_conn_drop(conn);
		goto unlock;
	}

	mgmt_device_connected(hdev, conn, NULL, 0);

	conn->sec_level = BT_SECURITY_LOW;
	conn->state = BT_CONFIG;

	/* Store current advertising instance as connection advertising instance
	 * when software rotation is in use so it can be re-enabled when
	 * disconnected.
	 */
	if (!ext_adv_capable(hdev))
		conn->adv_instance = hdev->cur_adv_instance;

	conn->le_conn_interval = interval;
	conn->le_conn_latency = latency;
	conn->le_supv_timeout = supervision_timeout;

	hci_debugfs_create_conn(conn);
	hci_conn_add_sysfs(conn);

	/* If the remote-features read cannot be started, the connection is
	 * declared up right away instead of waiting for that event.
	 */
	err = hci_le_read_remote_features(conn);
	if (err) {
		conn->state = BT_CONNECTED;
		hci_connect_cfm(conn, status);
	}

	/* The pending-connection entry that triggered this connect (if any)
	 * is done: drop the reference it held on the hci_conn.
	 */
	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
					   conn->dst_type);
	if (params) {
		hci_pend_le_list_del_init(params);
		if (params->conn) {
			hci_conn_drop(params->conn);
			hci_conn_put(params->conn);
			params->conn = NULL;
		}
	}

unlock:
	hci_update_passive_scan(hdev);
	hci_dev_unlock(hdev);
}

/* LE Connection Complete (legacy form): no local RPA field, so NULL is
 * forwarded for it.
 */
static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_ev_le_conn_complete *ev = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
			     NULL, ev->role, le16_to_cpu(ev->handle),
			     le16_to_cpu(ev->interval),
			     le16_to_cpu(ev->latency),
			     le16_to_cpu(ev->supervision_timeout));
}

/* LE Enhanced Connection Complete: same as the legacy event plus the local
 * RPA used by the controller.
 */
static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_ev_le_enh_conn_complete *ev = data;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
			     &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
			     le16_to_cpu(ev->interval),
			     le16_to_cpu(ev->latency),
			     le16_to_cpu(ev->supervision_timeout));
}

/* LE Periodic Advertising Sync Lost: tear down the PA sync hci_conn that
 * carries the lost sync handle, if one exists.
 */
static void hci_le_pa_sync_lost_evt(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_ev_le_pa_sync_lost *ev = data;
	u16 handle = le16_to_cpu(ev->handle);
	struct hci_conn *conn;

bt_dev_dbg(hdev, "sync handle 0x%4.4x", handle);

	hci_dev_lock(hdev);

	/* Delete the pa sync connection */
	conn = hci_conn_hash_lookup_pa_sync_handle(hdev, handle);
	if (conn) {
		clear_bit(HCI_CONN_BIG_SYNC, &conn->flags);
		clear_bit(HCI_CONN_PA_SYNC, &conn->flags);
		hci_disconn_cfm(conn, HCI_ERROR_REMOTE_USER_TERM);
		hci_conn_del(conn);
	}

	hci_dev_unlock(hdev);
}

/* LE Advertising Set Terminated.
 *
 * A status of HCI_ERROR_CANCELLED_BY_HOST is dropped (see the comment in the
 * body). Any other non-zero status removes the advertising instance and, once
 * no instance is left enabled, clears HCI_LE_ADV. A zero status marks the
 * instance disabled and, if the connection named by conn_handle exists,
 * records the instance on it and fills in resp_addr for the random
 * own-address case so both can be restored after disconnection.
 */
static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
				    struct sk_buff *skb)
{
	struct hci_evt_le_ext_adv_set_term *ev = data;
	struct hci_conn *conn;
	struct adv_info *adv, *n;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	/* The Bluetooth Core 5.3 specification clearly states that this event
	 * shall not be sent when the Host disables the advertising set. So in
	 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
	 *
	 * When the Host disables an advertising set, all cleanup is done via
	 * its command callback and not needed to be duplicated here.
	 */
	if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
		bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
		return;
	}

	hci_dev_lock(hdev);

	adv = hci_find_adv_instance(hdev, ev->handle);

	if (ev->status) {
		if (!adv)
			goto unlock;

		/* Remove advertising as it has been terminated */
		hci_remove_adv_instance(hdev, ev->handle);
		mgmt_advertising_removed(NULL, hdev, ev->handle);

		/* Safe iteration: 'adv' is reused as the cursor here and the
		 * instance for ev->handle was just removed from the list.
		 */
		list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
			if (adv->enabled)
				goto unlock;
		}

		/* We are no longer advertising, clear HCI_LE_ADV */
		hci_dev_clear_flag(hdev, HCI_LE_ADV);
		goto unlock;
	}

	if (adv)
		adv->enabled = false;

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
	if (conn) {
		/* Store handle in the connection so the correct advertising
		 * instance can be re-enabled when disconnected.
		 */
		conn->adv_instance = ev->handle;

		/* Only fill in resp_addr when the own address type is random
		 * and nothing has been recorded for it yet.
		 */
		if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
		    bacmp(&conn->resp_addr, BDADDR_ANY))
			goto unlock;

		/* Handle 0 is the legacy/default set: it uses hdev->random_addr. */
		if (!ev->handle) {
			bacpy(&conn->resp_addr, &hdev->random_addr);
			goto unlock;
		}

		if (adv)
			bacpy(&conn->resp_addr, &adv->random_addr);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* Send LE Periodic Advertising Terminate Sync for @handle, which is passed
 * already in little-endian wire order. Returns hci_send_cmd()'s result.
 */
static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
{
	struct hci_cp_le_pa_term_sync cp;

	memset(&cp, 0, sizeof(cp));
	cp.handle = handle;

	return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
}

/* LE Periodic Advertising Sync Transfer Received.
 *
 * Mirrors hci_le_pa_sync_established_evt(): the pending create-PA-sync
 * hci_conn gets the new sync handle, the ISO layer is asked whether to
 * accept; when it declines the sync is terminated, when it defers a
 * placeholder PA_LINK hci_conn is added to carry the sync and a failed
 * status is reported through hci_connect_cfm().
 *
 * NOTE(review): unlike hci_le_pa_sync_established_evt(), HCI_CONN_CREATE_PA_SYNC
 * is not cleared on 'conn' here - confirm whether that is intentional.
 */
static void hci_le_past_received_evt(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_ev_le_past_received *ev = data;
	int mask = hdev->link_mode;
	__u8 flags = 0;
	struct hci_conn *pa_sync, *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);
	hci_store_wake_reason(hdev, &ev->bdaddr, ev->bdaddr_type);

	hci_dev_clear_flag(hdev, HCI_PA_SYNC);

	conn = hci_conn_hash_lookup_create_pa_sync(hdev);
	if (!conn) {
		bt_dev_err(hdev,
			   "Unable to find connection for dst %pMR sid 0x%2.2x",
			   &ev->bdaddr, ev->sid);
		goto unlock;
	}

	conn->sync_handle = le16_to_cpu(ev->sync_handle);
	conn->sid = HCI_SID_INVALID;

	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, PA_LINK,
				      &flags);
	if (!(mask & HCI_LM_ACCEPT)) {
		/* Best effort: the send result is not checked here. */
		hci_le_pa_term_sync(hdev, ev->sync_handle);
		goto unlock;
	}

	if (!(flags & HCI_PROTO_DEFER))
		goto unlock;

	/* Add connection to indicate PA sync event */
	pa_sync = hci_conn_add_unset(hdev, PA_LINK, BDADDR_ANY, 0,
				     HCI_ROLE_SLAVE);

	if (IS_ERR(pa_sync))
		goto unlock;

	pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);

	if (ev->status) {
		set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);

		/* Notify iso layer */
		hci_connect_cfm(pa_sync, ev->status);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* LE Connection Update Complete: on success, copy the negotiated interval,
 * latency and supervision timeout onto the matching hci_conn. Error statuses
 * are only logged.
 */
static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
					    struct sk_buff *skb)
{
	struct hci_ev_le_conn_update_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	if (ev->status)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (conn) {
		conn->le_conn_interval = le16_to_cpu(ev->interval);
		conn->le_conn_latency = le16_to_cpu(ev->latency);
		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
	}

	hci_dev_unlock(hdev);
}

/* This function requires the caller holds hdev->lock.
 *
 * Decide whether an advertising report for @addr should start an outgoing
 * LE connection: the report must be connectable, the device must not be on
 * the reject list, the controller must not be suspended or blocked by an
 * existing peripheral-role link, and an entry in hdev->pend_le_conns must
 * allow it (explicit connect, HCI_AUTO_CONN_DIRECT or HCI_AUTO_CONN_ALWAYS).
 * Returns the hci_conn from hci_connect_le() or NULL.
 */
static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
					      bdaddr_t *addr,
					      u8 addr_type,
bool addr_resolved,
					      u8 adv_type, u8 phy, u8 sec_phy)
{
	struct hci_conn *conn;
	struct hci_conn_params *params;

	/* If the event is not connectable don't proceed further */
	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
		return NULL;

	/* Ignore if the device is blocked or hdev is suspended */
	if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
	    hdev->suspended)
		return NULL;

	/* Most controller will fail if we try to create new connections
	 * while we have an existing one in peripheral role.
	 *
	 * le_states[3] bit 0x10 is read straight from the controller's LE
	 * supported-states table; presumably the state combination that
	 * allows this - confirm against the core spec table.
	 */
	if (hdev->conn_hash.le_num_peripheral > 0 &&
	    (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_LE_STATES) ||
	     !(hdev->le_states[3] & 0x10)))
		return NULL;

	/* If we're not connectable only connect devices that we have in
	 * our pend_le_conns list.
	 */
	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
					   addr_type);
	if (!params)
		return NULL;

	if (!params->explicit_connect) {
		switch (params->auto_connect) {
		case HCI_AUTO_CONN_DIRECT:
			/* Only devices advertising with ADV_DIRECT_IND are
			 * triggering a connection attempt. This is allowing
			 * incoming connections from peripheral devices.
			 */
			if (adv_type != LE_ADV_DIRECT_IND)
				return NULL;
			break;
		case HCI_AUTO_CONN_ALWAYS:
			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
			 * are triggering a connection attempt. This means
			 * that incoming connections from peripheral device are
			 * accepted and also outgoing connections to peripheral
			 * devices are established when found.
			 */
			break;
		default:
			return NULL;
		}
	}

	conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
			      BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
			      HCI_ROLE_MASTER, phy, sec_phy);
	if (!IS_ERR(conn)) {
		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
		 * by higher layer that tried to connect, if no then
		 * store the pointer since we don't really have any
		 * other owner of the object besides the params that
		 * triggered it. This way we can abort the connection if
		 * the parameters get removed and keep the reference
		 * count consistent once the connection is established.
		 */

		if (!params->explicit_connect)
			params->conn = hci_conn_get(conn);

		return conn;
	}

	switch (PTR_ERR(conn)) {
	case -EBUSY:
		/* If hci_connect() returns -EBUSY it means there is already
		 * an LE connection attempt going on. Since controllers don't
		 * support more than one connection attempt at the time, we
		 * don't consider this an error case.
		 */
		break;
	default:
		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
		return NULL;
	}

	return NULL;
}

/* Process one advertising / scan-response report whose bytes have already
 * been pulled from the event skb by the caller.
 *
 * @data/@len may be NULL/0 (direct advertising reports carry no data). @len
 * is bounded by max_adv_len() and then re-derived by walking the AD
 * structures, so trailing padding or a bogus length from the remote is never
 * forwarded; the copy into conn->le_adv_data is guarded by the same bound.
 * @direct_addr, when present and local privacy is on, must be an RPA that
 * matches the local IRK or the report is dropped. @ctl_time is accepted but
 * not referenced in this body. Callers hold hdev->lock around the call.
 */
static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
			       u8 bdaddr_type, bdaddr_t *direct_addr,
			       u8 direct_addr_type, u8 phy, u8 sec_phy, s8 rssi,
			       u8 *data, u8 len, bool ext_adv, bool ctl_time,
			       u64 instant)
{
	struct discovery_state *d = &hdev->discovery;
	struct smp_irk *irk;
	struct hci_conn *conn;
	bool match, bdaddr_resolved;
	u32 flags;
	u8 *ptr;

	switch (type) {
	case LE_ADV_IND:
	case LE_ADV_DIRECT_IND:
	case LE_ADV_SCAN_IND:
	case LE_ADV_NONCONN_IND:
	case LE_ADV_SCAN_RSP:
		break;
	default:
		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
				       "type: 0x%02x", type);
		return;
	}

	if (len > max_adv_len(hdev)) {
		bt_dev_err_ratelimited(hdev,
				       "adv larger than maximum supported");
		return;
	}

	/* Find the end of the data in case the report contains padded zero
	 * bytes at the end causing an invalid length value.
	 *
	 * When data is NULL, len is 0 so there is no need for extra ptr
	 * check as 'ptr < data + 0' is already false in such case.
	 *
	 * Each AD structure is <length byte><length bytes of payload>; the
	 * walk stops at a zero length byte or at a structure that would run
	 * past @len.
	 */
	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
		if (ptr + 1 + *ptr > data + len)
			break;
	}

	/* Adjust for actual length. This handles the case when remote
	 * device is advertising with incorrect data length.
	 */
	len = ptr - data;

	/* If the direct address is present, then this report is from
	 * a LE Direct Advertising Report event. In that case it is
	 * important to see if the address is matching the local
	 * controller address.
	 *
	 * If local privacy is not enable the controller shall not be
	 * generating such event since according to its documentation it is only
	 * valid for filter_policy 0x02 and 0x03, but the fact that it did
	 * generate LE Direct Advertising Report means it is probably broken and
	 * won't generate any other event which can potentially break
	 * auto-connect logic so in case local privacy is not enable this
	 * ignores the direct_addr so it works as a regular report.
	 */
	if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr &&
	    hci_dev_test_flag(hdev, HCI_PRIVACY)) {
		direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
						  &bdaddr_resolved);

		/* Only resolvable random addresses are valid for these
		 * kind of reports and others can be ignored.
		 */
		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
			return;

		/* If the local IRK of the controller does not match
		 * with the resolvable random address provided, then
		 * this report can be ignored.
		 */
		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
			return;
	}

	/* Check if we need to convert to identity address */
	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
	if (irk) {
		bdaddr = &irk->bdaddr;
		bdaddr_type = irk->addr_type;
	}

	/* Overwrites any bdaddr_resolved value set for direct_addr above. */
	bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);

	/* Check if we have been requested to connect to this device.
	 *
	 * direct_addr is set only for directed advertising reports (it is NULL
	 * for advertising reports) and is already verified to be RPA above.
	 */
	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
				     type, phy, sec_phy);
	if (!ext_adv && conn && type == LE_ADV_IND &&
	    len <= max_adv_len(hdev)) {
		/* Store report for later inclusion by
		 * mgmt_device_connected
		 */
		memcpy(conn->le_adv_data, data, len);
		conn->le_adv_data_len = len;
	}

	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
	else
		flags = 0;

	/* All scan results should be sent up for Mesh systems */
	if (hci_dev_test_flag(hdev, HCI_MESH)) {
		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
				  rssi, flags, data, len, NULL, 0, instant);
		return;
	}

	/* Passive scanning shouldn't trigger any device found events,
	 * except for devices marked as CONN_REPORT for which we do send
	 * device found events, or advertisement monitoring requested.
	 */
	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
		if (type == LE_ADV_DIRECT_IND)
			return;

		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
					       bdaddr, bdaddr_type) &&
		    idr_is_empty(&hdev->adv_monitors_idr))
			return;

		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
				  rssi, flags, data, len, NULL, 0, 0);
		return;
	}

	/* When receiving a scan response, then there is no way to
	 * know if the remote device is connectable or not. However
	 * since scan responses are merged with a previously seen
	 * advertising report, the flags field from that report
	 * will be used.
	 *
	 * In the unlikely case that a controller just sends a scan
	 * response event that doesn't match the pending report, then
	 * it is marked as a standalone SCAN_RSP.
	 */
	if (type == LE_ADV_SCAN_RSP)
		flags = MGMT_DEV_FOUND_SCAN_RSP;

	/* If there's nothing pending either store the data from this
	 * event or send an immediate device found event if the data
	 * should not be stored for later.
	 */
	if (!has_pending_adv_report(hdev)) {
		/* If the report will trigger a SCAN_REQ store it for
		 * later merging.
		 */
		if (!ext_adv && (type == LE_ADV_IND ||
				 type == LE_ADV_SCAN_IND)) {
			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
						 rssi, flags, data, len);
			return;
		}

		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
				  rssi, flags, data, len, NULL, 0, 0);
		return;
	}

	/* Check if the pending report is for the same device as the new one */
	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
		 bdaddr_type == d->last_adv_addr_type);

	/* If the pending data doesn't match this report or this isn't a
	 * scan response (e.g. we got a duplicate ADV_IND) then force
	 * sending of the pending data.
	 */
	if (type != LE_ADV_SCAN_RSP || !match) {
		/* Send out whatever is in the cache, but skip duplicates */
		if (!match)
			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
					  d->last_adv_addr_type, NULL,
					  d->last_adv_rssi, d->last_adv_flags,
					  d->last_adv_data,
					  d->last_adv_data_len, NULL, 0, 0);

		/* If the new report will trigger a SCAN_REQ store it for
		 * later merging.
		 */
		if (!ext_adv && (type == LE_ADV_IND ||
				 type == LE_ADV_SCAN_IND)) {
			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
						 rssi, flags, data, len);
			return;
		}

		/* The advertising reports cannot be merged, so clear
		 * the pending report and send out a device found event.
		 */
		clear_pending_adv_report(hdev);
		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
				  rssi, flags, data, len, NULL, 0, 0);
		return;
	}

	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
	 * the new event is a SCAN_RSP. We can therefore proceed with
	 * sending a merged device found event.
	 */
	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
			  d->last_adv_data, d->last_adv_data_len, data, len, 0);
	clear_pending_adv_report(hdev);
}

/* LE Advertising Report (legacy). Each entry is pulled from the skb in two
 * steps - the fixed header, then length + 1 bytes - because the RSSI byte
 * trails the advertising data (read as info->data[info->length]). A short
 * skb stops the loop; an entry longer than max_adv_len() is dropped.
 */
static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_le_advertising_report *ev = data;
	u64 instant = jiffies;

	if (!ev->num)
		return;

	hci_dev_lock(hdev);

	while (ev->num--) {
		struct hci_ev_le_advertising_info *info;
		s8 rssi;

		info = hci_le_ev_skb_pull(hdev, skb,
					  HCI_EV_LE_ADVERTISING_REPORT,
					  sizeof(*info));
		if (!info)
			break;

		/* +1 covers the RSSI byte that follows the data. */
		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
					info->length + 1))
			break;

		hci_store_wake_reason(hdev, &info->bdaddr, info->bdaddr_type);

		if (info->length <= max_adv_len(hdev)) {
			rssi = info->data[info->length];
			process_adv_report(hdev, info->type, &info->bdaddr,
					   info->bdaddr_type, NULL, 0,
					   HCI_ADV_PHY_1M, 0, rssi,
					   info->data, info->length, false,
					   false, instant);
		} else {
			bt_dev_err(hdev, "Dropping invalid advertising data");
		}
	}

	hci_dev_unlock(hdev);
}

/* Map an extended advertising event type (already masked with
 * LE_EXT_ADV_EVT_TYPE_MASK by the caller) to the legacy LE_ADV_* type.
 * Returns LE_ADV_INVALID, after a rate-limited error, for combinations that
 * are not recognised.
 */
static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
{
	u16 pdu_type = evt_type & ~LE_EXT_ADV_DATA_STATUS_MASK;

	if (!pdu_type)
		return LE_ADV_NONCONN_IND;

	if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
		switch (evt_type) {
		case LE_LEGACY_ADV_IND:
			return LE_ADV_IND;
		case
LE_LEGACY_ADV_DIRECT_IND:
			return LE_ADV_DIRECT_IND;
		case LE_LEGACY_ADV_SCAN_IND:
			return LE_ADV_SCAN_IND;
		case LE_LEGACY_NONCONN_IND:
			return LE_ADV_NONCONN_IND;
		case LE_LEGACY_SCAN_RSP_ADV:
		case LE_LEGACY_SCAN_RSP_ADV_SCAN:
			return LE_ADV_SCAN_RSP;
		}

		goto invalid;
	}

	if (evt_type & LE_EXT_ADV_CONN_IND) {
		if (evt_type & LE_EXT_ADV_DIRECT_IND)
			return LE_ADV_DIRECT_IND;

		return LE_ADV_IND;
	}

	if (evt_type & LE_EXT_ADV_SCAN_RSP)
		return LE_ADV_SCAN_RSP;

	if (evt_type & LE_EXT_ADV_SCAN_IND)
		return LE_ADV_SCAN_IND;

	if (evt_type & LE_EXT_ADV_DIRECT_IND)
		return LE_ADV_NONCONN_IND;

invalid:
	bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
			       evt_type);

	return LE_ADV_INVALID;
}

/* LE Extended Advertising Report. Each entry is pulled as its fixed header
 * followed by info->length data bytes (the RSSI is a header field here, so
 * no trailing byte is needed). A short skb stops the loop. The PHY fixup
 * quirk and the pending PA-sync SID update run for every entry; only entries
 * whose type maps to a legacy type are handed to process_adv_report().
 */
static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
				      struct sk_buff *skb)
{
	struct hci_ev_le_ext_adv_report *ev = data;
	u64 instant = jiffies;

	if (!ev->num)
		return;

	hci_dev_lock(hdev);

	while (ev->num--) {
		struct hci_ev_le_ext_adv_info *info;
		u8 legacy_evt_type;
		u16 evt_type;

		info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
					  sizeof(*info));
		if (!info)
			break;

		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
					info->length))
			break;

		hci_store_wake_reason(hdev, &info->bdaddr, info->bdaddr_type);

		evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
		legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);

		/* Some controllers set bits above the PHY value; keep the low
		 * five bits only when the quirk says so.
		 */
		if (hci_test_quirk(hdev,
				   HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY)) {
			info->primary_phy &= 0x1f;
			info->secondary_phy &= 0x1f;
		}

		/* Check if PA Sync is pending and if the hci_conn SID has not
		 * been set update it.
		 */
		if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) {
			struct hci_conn *conn;

			conn = hci_conn_hash_lookup_create_pa_sync(hdev);
			if (conn && conn->sid == HCI_SID_INVALID)
				conn->sid = info->sid;
		}

		if (legacy_evt_type != LE_ADV_INVALID) {
			process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
					   info->bdaddr_type, NULL, 0,
					   info->primary_phy,
					   info->secondary_phy,
					   info->rssi, info->data, info->length,
					   !(evt_type & LE_EXT_ADV_LEGACY_PDU),
					   false, instant);
		}
	}

	hci_dev_unlock(hdev);
}

/* LE Periodic Advertising Sync Established.
 *
 * Completes the pending create-PA-sync hci_conn: clears
 * HCI_CONN_CREATE_PA_SYNC, records the sync handle and asks the ISO layer
 * whether to accept. If it declines, the sync is terminated; if it defers, a
 * placeholder PA_LINK hci_conn is added to carry the sync and a non-zero
 * status is reported to it through hci_connect_cfm().
 */
static void hci_le_pa_sync_established_evt(struct hci_dev *hdev, void *data,
					   struct sk_buff *skb)
{
	struct hci_ev_le_pa_sync_established *ev = data;
	int mask = hdev->link_mode;
	__u8 flags = 0;
	struct hci_conn *pa_sync, *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);
	hci_store_wake_reason(hdev, &ev->bdaddr, ev->bdaddr_type);

	hci_dev_clear_flag(hdev, HCI_PA_SYNC);

	conn = hci_conn_hash_lookup_create_pa_sync(hdev);
	if (!conn) {
		bt_dev_err(hdev,
			   "Unable to find connection for dst %pMR sid 0x%2.2x",
			   &ev->bdaddr, ev->sid);
		goto unlock;
	}

	clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags);

	conn->sync_handle = le16_to_cpu(ev->handle);
	conn->sid = HCI_SID_INVALID;

	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, PA_LINK,
				      &flags);
	if (!(mask & HCI_LM_ACCEPT)) {
		/* Best effort: the send result is not checked here. */
		hci_le_pa_term_sync(hdev, ev->handle);
		goto unlock;
	}

	if (!(flags & HCI_PROTO_DEFER))
		goto unlock;

	/* Add connection to indicate PA sync event */
	pa_sync = hci_conn_add_unset(hdev, PA_LINK, BDADDR_ANY, 0,
				     HCI_ROLE_SLAVE);

	if (IS_ERR(pa_sync))
		goto unlock;

	pa_sync->sync_handle = le16_to_cpu(ev->handle);

	if (ev->status) {
		set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);

		/* Notify iso layer */
		hci_connect_cfm(pa_sync, ev->status);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* LE Periodic Advertising Report. Once the ISO layer accepts (deferred) and
 * a complete report arrives for a known PA sync hci_conn, HCI_CONN_PA_SYNC
 * is set exactly once and both the ISO and the MGMT layer are told the sync
 * is connected. Later complete reports are no-ops because of the
 * test_and_set_bit().
 */
static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
				      struct sk_buff *skb)
{
	struct hci_ev_le_per_adv_report *ev = data;
	int mask = hdev->link_mode;
	__u8 flags = 0;
	struct hci_conn *pa_sync;

	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));

	hci_dev_lock(hdev);

	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, PA_LINK, &flags);
	if (!(mask & HCI_LM_ACCEPT))
		goto unlock;

	if (!(flags & HCI_PROTO_DEFER))
		goto unlock;

	pa_sync = hci_conn_hash_lookup_pa_sync_handle
			(hdev,
			le16_to_cpu(ev->sync_handle));

	if (!pa_sync)
		goto unlock;

	if (ev->data_status == LE_PA_DATA_COMPLETE &&
	    !test_and_set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags)) {
		/* Notify iso layer */
		hci_connect_cfm(pa_sync, 0);

		/* Notify MGMT layer */
		mgmt_device_connected(hdev, pa_sync, NULL, 0);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* LE Read Remote Features Complete. On success the 8 feature bytes are
 * stored on the hci_conn and the default TX/RX PHY masks are trimmed to what
 * the remote supports. A connection still in BT_CONFIG is then moved to
 * BT_CONNECTED and hci_connect_cfm() is called with the (possibly
 * downgraded-to-success) status.
 */
static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
					    struct sk_buff *skb)
{
	struct hci_ev_le_remote_feat_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (conn) {
		if (!ev->status) {
			memcpy(conn->le_features, ev->features, 8);

			/* Update supported PHYs */
			if (!(conn->le_features[1] & HCI_LE_PHY_2M)) {
				conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_2M;
				conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_2M;
			}

			if (!(conn->le_features[1] & HCI_LE_PHY_CODED)) {
				conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_CODED;
				conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_CODED;
			}
		}

		if
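(conn->state == BT_CONFIG) {
			__u8 status;

			/* If the local controller supports peripheral-initiated
			 * features exchange, but the remote controller does
			 * not, then it is possible that the error code 0x1a
			 * for unsupported remote feature gets returned.
			 *
			 * In this specific case, allow the connection to
			 * transition into connected state and mark it as
			 * successful.
			 */
			if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE &&
			    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
				status = 0x00;
			else
				status = ev->status;

			conn->state = BT_CONNECTED;
			hci_connect_cfm(conn, status);
		}
	}

	hci_dev_unlock(hdev);
}

/* LE Long Term Key Request.
 *
 * Answers the controller's request to encrypt the link identified by
 * ev->handle. The key is looked up by the connection's destination address,
 * type and role, and is only handed over when the EDiv/Rand supplied by the
 * remote match the stored key (both must be zero for an SC key). Any lookup
 * or check failure results in HCI_OP_LE_LTK_NEG_REPLY so the link is never
 * encrypted with a key that does not belong to this peer. A short-term key
 * (SMP_STK) is single-use and is removed from the key list once replied.
 */
static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
				   struct sk_buff *skb)
{
	struct hci_ev_le_ltk_req *ev = data;
	struct hci_cp_le_ltk_reply cp;
	struct hci_cp_le_ltk_neg_reply neg;
	struct hci_conn *conn;
	struct smp_ltk *ltk;

	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (conn == NULL)
		goto not_found;

	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
	if (!ltk)
		goto not_found;

	if (smp_ltk_is_sc(ltk)) {
		/* With SC both EDiv and Rand are set to zero */
		if (ev->ediv || ev->rand)
			goto not_found;
	} else {
		/* For non-SC keys check that EDiv and Rand match */
		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
			goto not_found;
	}

	/* Copy enc_size key bytes and zero the remainder of the 16-byte
	 * field.
	 *
	 * NOTE(review): this pair relies on ltk->enc_size <= sizeof(cp.ltk);
	 * that bound is enforced where the key is created (SMP/mgmt), not
	 * here - confirm.
	 */
	memcpy(cp.ltk, ltk->val, ltk->enc_size);
	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
	cp.handle = cpu_to_le16(conn->handle);

	conn->pending_sec_level = smp_ltk_sec_level(ltk);

	conn->enc_key_size = ltk->enc_size;

	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);

	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
	 * temporary key used to encrypt a connection following
	 * pairing. It is used during the Encrypted Session Setup to
	 * distribute the keys. Later, security can be re-established
	 * using a distributed LTK.
	 */
	if (ltk->type == SMP_STK) {
		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
		/* Restored from the HTML-mangled "<k->list" in the listing. */
		list_del_rcu(&ltk->list);
		kfree_rcu(ltk, rcu);
	} else {
		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
	}

	hci_dev_unlock(hdev);

	return;

not_found:
	neg.handle = ev->handle;
	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
	hci_dev_unlock(hdev);
}

/* Reject a remote connection-parameter request for @handle (host byte
 * order) with HCI error @reason.
 */
static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
				      u8 reason)
{
	struct hci_cp_le_conn_param_req_neg_reply cp;

	cp.handle = cpu_to_le16(handle);
	cp.reason = reason;

	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
		     &cp);
}

/* LE Remote Connection Parameter Request.
 *
 * The remote's proposal is validated before it is echoed back in the reply:
 * the connection must exist and be BT_CONNECTED, the proposed maximum
 * interval may not exceed the connection's le_conn_max_interval, and
 * hci_check_conn_params() must accept the full set. Anything else gets a
 * negative reply. In central role the accepted values are also stored on
 * the matching hci_conn_params and reported via mgmt_new_conn_param().
 */
static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
					     struct sk_buff *skb)
{
	struct hci_ev_le_remote_conn_param_req *ev = data;
	struct hci_cp_le_conn_param_req_reply cp;
	struct hci_conn *hcon;
	u16 handle, min, max, latency, timeout;

	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));

	handle = le16_to_cpu(ev->handle);
	min = le16_to_cpu(ev->interval_min);
	max = le16_to_cpu(ev->interval_max);
	latency = le16_to_cpu(ev->latency);
	timeout = le16_to_cpu(ev->timeout);

	hci_dev_lock(hdev);

	hcon = hci_conn_hash_lookup_handle(hdev, handle);
	if (!hcon || hcon->state != BT_CONNECTED) {
		send_conn_param_neg_reply(hdev, handle,
					  HCI_ERROR_UNKNOWN_CONN_ID);
		goto unlock;
	}

	if (max > hcon->le_conn_max_interval) {
		send_conn_param_neg_reply(hdev, handle,
					  HCI_ERROR_INVALID_LL_PARAMS);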
goto unlock;
	}

	if (hci_check_conn_params(min, max, latency, timeout)) {
		send_conn_param_neg_reply(hdev, handle,
					  HCI_ERROR_INVALID_LL_PARAMS);
		goto unlock;
	}

	/* Only the central persists the new parameters and informs mgmt. */
	if (hcon->role == HCI_ROLE_MASTER) {
		struct hci_conn_params *params;
		u8 store_hint;

		params = hci_conn_params_lookup(hdev, &hcon->dst,
						hcon->dst_type);
		if (params) {
			params->conn_min_interval = min;
			params->conn_max_interval = max;
			params->conn_latency = latency;
			params->supervision_timeout = timeout;
			store_hint = 0x01;
		} else {
			store_hint = 0x00;
		}

		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
				    store_hint, min, max, latency, timeout);
	}

	/* Echo the (validated) values back in wire order; CE lengths are not
	 * constrained.
	 */
	cp.handle = ev->handle;
	cp.interval_min = ev->interval_min;
	cp.interval_max = ev->interval_max;
	cp.latency = ev->latency;
	cp.timeout = ev->timeout;
	cp.min_ce_len = 0;
	cp.max_ce_len = 0;

	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);

unlock:
	hci_dev_unlock(hdev);
}

/* LE Direct Advertising Report. The whole info[] array is pulled from the
 * skb up front (sized by ev->num), so a truncated event is rejected before
 * any entry is read. Entries carry no advertising data, hence NULL/0 are
 * passed to process_adv_report() along with the direct (target) address.
 */
static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
					 struct sk_buff *skb)
{
	struct hci_ev_le_direct_adv_report *ev = data;
	u64 instant = jiffies;
	int i;

	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
				flex_array_size(ev, info, ev->num)))
		return;

	if (!ev->num)
		return;

	hci_dev_lock(hdev);

	for (i = 0; i < ev->num; i++) {
		struct hci_ev_le_direct_adv_info *info = &ev->info[i];

		hci_store_wake_reason(hdev, &info->bdaddr, info->bdaddr_type);

		process_adv_report(hdev, info->type, &info->bdaddr,
				   info->bdaddr_type, &info->direct_addr,
				   info->direct_addr_type, HCI_ADV_PHY_1M, 0,
				   info->rssi, NULL, 0, false, false, instant);
	}

	hci_dev_unlock(hdev);
}

/* LE PHY Update Complete: on success, record the new TX/RX PHY on the
 * matching hci_conn. Error statuses are only logged.
 */
static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
				  struct sk_buff *skb)
{
	struct hci_ev_le_phy_update_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	if (ev->status)
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (!conn)
		goto unlock;

	conn->le_tx_phy = ev->tx_phy;
	conn->le_rx_phy = ev->rx_phy;

unlock:
	hci_dev_unlock(hdev);
}

/* Convert LE PHY to QoS PHYs.
 *
 * @phy is the 1-based PHY value reported by the controller (1 = 1M,
 * 2 = 2M, 3 = Coded); any other value maps to 0.
 */
static u8 le_phy_qos(u8 phy)
{
	switch (phy) {
	case 0x01:
		return HCI_LE_SET_PHY_1M;
	case 0x02:
		return HCI_LE_SET_PHY_2M;
	case 0x03:
		return HCI_LE_SET_PHY_CODED;
	}

	return 0;
}

static void hci_le_cis_established_evt(struct hci_dev *hdev, void *data,
				       struct sk_buff *skb)
{
	struct hci_evt_le_cis_established *ev = data;
	struct hci_conn *conn;
	struct bt_iso_qos *qos;
	bool pending = false;
	u16 handle = __le16_to_cpu(ev->handle);
	u32 c_sdu_interval, p_sdu_interval;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, handle);
	if (!conn) {
		bt_dev_err(hdev,
			   "Unable to find connection with handle 0x%4.4x",
			   handle);
		goto unlock;
	}

	if (conn->type != CIS_LINK) {
		bt_dev_err(hdev,
			   "Invalid connection link type handle 0x%4.4x",
			   handle);
		goto unlock;
	}

	qos = &conn->iso_qos;

	pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);

	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G
	 * page 3075:
	 * Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) ×
	 * ISO_Interval + SDU_Interval_C_To_P
	 * ...
	 * SDU_Interval = (CIG_Sync_Delay + (FT) x ISO_Interval) -
	 * Transport_Latency
	 */
	c_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
			  (ev->c_ft * le16_to_cpu(ev->interval) * 1250)) -
			 get_unaligned_le24(ev->c_latency);
	p_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
			  (ev->p_ft * le16_to_cpu(ev->interval) * 1250)) -
			 get_unaligned_le24(ev->p_latency);

	switch (conn->role) {
	case HCI_ROLE_SLAVE:
		qos->ucast.in.interval = c_sdu_interval;
		qos->ucast.out.interval = p_sdu_interval;
		/* Convert Transport Latency (us) to Latency (msec) */
		qos->ucast.in.latency =
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
					  1000);
		qos->ucast.out.latency =
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
					  1000);
		qos->ucast.in.sdu = ev->c_bn ? le16_to_cpu(ev->c_mtu) : 0;
		qos->ucast.out.sdu = ev->p_bn ? le16_to_cpu(ev->p_mtu) : 0;
		qos->ucast.in.phys = le_phy_qos(ev->c_phy);
		qos->ucast.out.phys = le_phy_qos(ev->p_phy);
		break;
	case HCI_ROLE_MASTER:
		qos->ucast.in.interval = p_sdu_interval;
		qos->ucast.out.interval = c_sdu_interval;
		/* Convert Transport Latency (us) to Latency (msec) */
		qos->ucast.out.latency =
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
					  1000);
		qos->ucast.in.latency =
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
					  1000);
		qos->ucast.out.sdu = ev->c_bn ? le16_to_cpu(ev->c_mtu) : 0;
		qos->ucast.in.sdu = ev->p_bn ?
le16_to_cpu(ev->p_mtu) : 0; 6998 qos->ucast.out.phys = le_phy_qos(ev->c_phy); 6999 qos->ucast.in.phys = le_phy_qos(ev->p_phy); 7000 break; 7001 } 7002 7003 if (!ev->status) { 7004 conn->state = BT_CONNECTED; 7005 hci_debugfs_create_conn(conn); 7006 hci_conn_add_sysfs(conn); 7007 hci_iso_setup_path(conn); 7008 goto unlock; 7009 } 7010 7011 conn->state = BT_CLOSED; 7012 hci_connect_cfm(conn, ev->status); 7013 hci_conn_del(conn); 7014 7015 unlock: 7016 if (pending) 7017 hci_le_create_cis_pending(hdev); 7018 7019 hci_dev_unlock(hdev); 7020 } 7021 7022 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle) 7023 { 7024 struct hci_cp_le_reject_cis cp; 7025 7026 memset(&cp, 0, sizeof(cp)); 7027 cp.handle = handle; 7028 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 7029 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); 7030 } 7031 7032 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle) 7033 { 7034 struct hci_cp_le_accept_cis cp; 7035 7036 memset(&cp, 0, sizeof(cp)); 7037 cp.handle = handle; 7038 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 7039 } 7040 7041 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, 7042 struct sk_buff *skb) 7043 { 7044 struct hci_evt_le_cis_req *ev = data; 7045 u16 acl_handle, cis_handle; 7046 struct hci_conn *acl, *cis; 7047 int mask; 7048 __u8 flags = 0; 7049 7050 acl_handle = __le16_to_cpu(ev->acl_handle); 7051 cis_handle = __le16_to_cpu(ev->cis_handle); 7052 7053 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x", 7054 acl_handle, cis_handle, ev->cig_id, ev->cis_id); 7055 7056 hci_dev_lock(hdev); 7057 7058 acl = hci_conn_hash_lookup_handle(hdev, acl_handle); 7059 if (!acl) 7060 goto unlock; 7061 7062 mask = hci_proto_connect_ind(hdev, &acl->dst, CIS_LINK, &flags); 7063 if (!(mask & HCI_LM_ACCEPT)) { 7064 hci_le_reject_cis(hdev, ev->cis_handle); 7065 goto unlock; 7066 } 7067 7068 cis = hci_conn_hash_lookup_handle(hdev, cis_handle); 7069 if (!cis) { 7070 cis = 
hci_conn_add(hdev, CIS_LINK, &acl->dst, acl->dst_type,
				   HCI_ROLE_SLAVE, cis_handle);
		if (IS_ERR(cis)) {
			hci_le_reject_cis(hdev, ev->cis_handle);
			goto unlock;
		}
	}

	cis->iso_qos.ucast.cig = ev->cig_id;
	cis->iso_qos.ucast.cis = ev->cis_id;

	if (!(flags & HCI_PROTO_DEFER)) {
		hci_le_accept_cis(hdev, ev->cis_handle);
	} else {
		cis->state = BT_CONNECT2;
		hci_connect_cfm(cis, 0);
	}

unlock:
	hci_dev_unlock(hdev);
}

/* hci_cmd_sync callback: terminate the BIG whose handle was packed into
 * @data with UINT_PTR(), reporting HCI_ERROR_LOCAL_HOST_TERM.
 */
static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
{
	u8 handle = PTR_UINT(data);

	return hci_le_terminate_big_sync(hdev, handle,
					 HCI_ERROR_LOCAL_HOST_TERM);
}

/* LE Create BIG Complete (subevent 0x1b).
 *
 * Hands the reported BIS handles to the connections bound to BIG
 * ev->handle, in hash-lookup order.  bis_handle[] is pulled sized by
 * ev->num_bis before anything is read, and the "num_bis <= i" check keeps
 * the index inside that array.  Any failure rewrites ev->status so the BIG
 * is terminated after the loop.
 */
static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
					   struct sk_buff *skb)
{
	struct hci_evt_le_create_big_complete *ev = data;
	struct hci_conn *conn;
	__u8 i = 0;

	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);

	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
				flex_array_size(ev, bis_handle, ev->num_bis)))
		return;

	hci_dev_lock(hdev);

	/* Connect all BISes that are bound to the BIG.  Every iteration
	 * either deletes conn or moves it out of BT_BOUND, so the lookup
	 * eventually returns NULL.
	 */
	while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle,
						      BT_BOUND,
						      HCI_ROLE_MASTER))) {
		if (ev->status) {
			hci_connect_cfm(conn, ev->status);
			hci_conn_del(conn);
			continue;
		}

		/* More bound BISes than handles reported by the controller. */
		if (ev->num_bis <= i) {
			bt_dev_err(hdev,
				   "Not enough BIS handles for BIG 0x%2.2x",
				   ev->handle);
			ev->status = HCI_ERROR_UNSPECIFIED;
			hci_connect_cfm(conn, ev->status);
			hci_conn_del(conn);
			continue;
		}

		if (hci_conn_set_handle(conn,
					__le16_to_cpu(ev->bis_handle[i++]))) {
			bt_dev_err(hdev,
				   "Failed to set BIS handle for BIG 0x%2.2x",
				   ev->handle);
			/* Force error so BIG gets terminated as not all BIS
			 * could be connected.
			 */
			ev->status = HCI_ERROR_UNSPECIFIED;
			hci_connect_cfm(conn, ev->status);
			hci_conn_del(conn);
			continue;
		}

		conn->state = BT_CONNECTED;
		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
		hci_debugfs_create_conn(conn);
		hci_conn_add_sysfs(conn);
		hci_iso_setup_path(conn);
	}

	/* If there is an unexpected error or if no BISes have been connected
	 * for the BIG, terminate it.
	 */
	if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
		/* If no BISes have been connected for the BIG,
		 * terminate. This is in case all bound connections
		 * have been closed before the BIG creation
		 * has completed.
		 */
		hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
				   UINT_PTR(ev->handle), NULL);

	hci_dev_unlock(hdev);
}

/* LE BIG Sync Established (subevent 0x1d).
 *
 * Finds the conn with a pending BIG sync for ev->handle, then for every
 * reported BIS handle looks up or creates a peripheral BIS conn (handles
 * above HCI_CONN_HANDLE_MAX are skipped rather than added), fills in the
 * broadcast QoS and, on success, completes it.  When the sync failed, each
 * BIS is notified only after all of them have been added.
 *
 * NOTE(review): 0x42 below is an unnamed HCI status code; it should be
 * documented or given a named constant.
 */
static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
					    struct sk_buff *skb)
{
	struct hci_evt_le_big_sync_established *ev = data;
	struct hci_conn *bis, *conn;
	int i;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	/* Pull the bis[] array sized by ev->num_bis before trusting it. */
	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABLISHED,
				flex_array_size(ev, bis, ev->num_bis)))
		return;

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_big_sync_pend(hdev, ev->handle,
						  ev->num_bis);
	if (!conn) {
		bt_dev_err(hdev,
			   "Unable to find connection for big 0x%2.2x",
			   ev->handle);
		goto unlock;
	}

	clear_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags);

	conn->num_bis = 0;
	memset(conn->bis, 0, sizeof(conn->bis));

	for (i = 0; i < ev->num_bis; i++) {
		u16 handle = le16_to_cpu(ev->bis[i]);
		__le32 interval;

		bis = hci_conn_hash_lookup_handle(hdev, handle);
		if (!bis) {
			if (handle > HCI_CONN_HANDLE_MAX) {
				bt_dev_dbg(hdev, "ignore too large handle %u", handle);
				continue;
			}
			bis = hci_conn_add(hdev, BIS_LINK, BDADDR_ANY, 0,
					   HCI_ROLE_SLAVE, handle);
			if (IS_ERR(bis))
				continue;
		}

		if (ev->status != 0x42)
			/* Mark PA sync as established */
			set_bit(HCI_CONN_PA_SYNC, &bis->flags);

		bis->sync_handle = conn->sync_handle;
		bis->iso_qos.bcast.big = ev->handle;
		/* Widen the little-endian latency field into a __le32;
		 * assumes sizeof(ev->latency) <= sizeof(interval) — TODO
		 * confirm against the event struct.
		 */
		memset(&interval, 0, sizeof(interval));
		memcpy(&interval, ev->latency, sizeof(ev->latency));
		bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
		/* Convert ISO Interval (1.25 ms slots) to latency (ms) */
		bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
		bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);

		if (!ev->status) {
			bis->state = BT_CONNECTED;
			set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
			hci_debugfs_create_conn(bis);
			hci_conn_add_sysfs(bis);
			hci_iso_setup_path(bis);
		}
	}

	/* In case BIG sync failed, notify each failed connection to
	 * the user after all hci connections have been added
	 */
	if (ev->status)
		for (i = 0; i < ev->num_bis; i++) {
			u16 handle = le16_to_cpu(ev->bis[i]);

			bis = hci_conn_hash_lookup_handle(hdev, handle);
			if (!bis)
				continue;

			set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
			hci_connect_cfm(bis, ev->status);
		}

unlock:
	hci_dev_unlock(hdev);
}

/* LE BIG Sync Lost (subevent 0x1e).
 *
 * Tears down every BT_CONNECTED peripheral BIS of BIG ev->handle.  The
 * mgmt disconnect notification is sent once, for the first BIS found.
 */
static void hci_le_big_sync_lost_evt(struct hci_dev *hdev, void *data,
				     struct sk_buff *skb)
{
	struct hci_evt_le_big_sync_lost *ev = data;
	struct hci_conn *bis;
	bool mgmt_conn = false;

	bt_dev_dbg(hdev, "big handle 0x%2.2x", ev->handle);

	hci_dev_lock(hdev);

	/* Delete each bis connection */
	while ((bis = hci_conn_hash_lookup_big_state(hdev, ev->handle,
						     BT_CONNECTED,
						     HCI_ROLE_SLAVE))) {
		if (!mgmt_conn) {
			mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED,
						       &bis->flags);
			mgmt_device_disconnected(hdev, &bis->dst, bis->type,
						 bis->dst_type, ev->reason,
						 mgmt_conn);
		}

		clear_bit(HCI_CONN_BIG_SYNC, &bis->flags);
		hci_disconn_cfm(bis, ev->reason);
		hci_conn_del(bis);
	}

	hci_dev_unlock(hdev);
}

/* LE BIGInfo Advertising Report (subevent 0x22).
 *
 * Only acted upon when the ISO protocol accepts BIS links *and* asked to
 * defer; in that case the PA-sync conn matching sync_handle gets the
 * reported encryption flag and the ISO layer is notified.
 */
static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
					   struct sk_buff *skb)
{
	struct hci_evt_le_big_info_adv_report *ev = data;
	int mask = hdev->link_mode;
	__u8 flags = 0;
	struct hci_conn *pa_sync;

	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));

	hci_dev_lock(hdev);

	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, BIS_LINK, &flags);
	if (!(mask & HCI_LM_ACCEPT))
		goto unlock;

	if (!(flags & HCI_PROTO_DEFER))
		goto unlock;

	pa_sync = hci_conn_hash_lookup_pa_sync_handle
			(hdev,
			le16_to_cpu(ev->sync_handle));

	if (!pa_sync)
		goto unlock;

	pa_sync->iso_qos.bcast.encryption = ev->encryption;

	/* Notify iso layer */
	hci_connect_cfm(pa_sync, 0);

unlock:
	hci_dev_unlock(hdev);
}

/* LE Read All Remote Features Complete (subevent 0x2b).
 *
 * On success copies the remote feature pages into conn->le_features and
 * clears the default PHYs the remote does not support; then, if the conn
 * is still in BT_CONFIG, completes it (see the peripheral-features special
 * case below).
 *
 * NOTE(review): the literal 248 must equal both sizeof(ev->features) and
 * sizeof(conn->le_features); use sizeof() once that is confirmed so the
 * copy cannot silently overrun if either struct changes.
 */
static void hci_le_read_all_remote_features_evt(struct hci_dev *hdev,
						void *data, struct sk_buff *skb)
{
	struct hci_evt_le_read_all_remote_features_complete *ev = data;
	struct hci_conn *conn;

	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
	if (!conn)
		goto unlock;

	if (!ev->status) {
		memcpy(conn->le_features, ev->features, 248);

		/* Update supported PHYs */
		if (!(conn->le_features[1] & HCI_LE_PHY_2M)) {
			conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_2M;
			conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_2M;
		}

		if (!(conn->le_features[1] & HCI_LE_PHY_CODED)) {
			conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_CODED;
			conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_CODED;
		}
	}

	if
(conn->state == BT_CONFIG) {
		__u8 status;

		/* If the local controller supports peripheral-initiated
		 * features exchange, but the remote controller does
		 * not, then it is possible that the error code 0x1a
		 * for unsupported remote feature gets returned.
		 *
		 * In this specific case, allow the connection to
		 * transition into connected state and mark it as
		 * successful.
		 */
		if (!conn->out &&
		    ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE &&
		    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
			status = 0x00;
		else
			status = ev->status;

		conn->state = BT_CONNECTED;
		hci_connect_cfm(conn, status);
	}

unlock:
	hci_dev_unlock(hdev);
}

#define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
[_op] = { \
	.func = _func, \
	.min_len = _min_len, \
	.max_len = _max_len, \
}

#define HCI_LE_EV(_op, _func, _len) \
	HCI_LE_EV_VL(_op, _func, _len, _len)

#define HCI_LE_EV_STATUS(_op, _func) \
	HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))

/* Entries in this table are indexed by the subevent opcode they handle, so
 * using the macros above is recommended: they place each entry at its
 * proper index with designated initializers, and subevents without a
 * callback can simply be omitted (their slot stays zeroed, i.e. no func).
 *
 * min_len is the fixed part of the subevent that hci_le_meta_evt pulls
 * before calling func; handlers with a trailing flexible array use
 * HCI_LE_EV_VL with max_len = HCI_MAX_EVENT_SIZE and pull the rest
 * themselves.
 */
static const struct hci_le_ev {
	void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
	u16  min_len;
	u16  max_len;
} hci_le_ev_table[U8_MAX + 1] = {
	/* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
	HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
		  sizeof(struct hci_ev_le_conn_complete)),
	/* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
	HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
		     sizeof(struct hci_ev_le_advertising_report),
		     HCI_MAX_EVENT_SIZE),
	/* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
	HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
		  hci_le_conn_update_complete_evt,
		  sizeof(struct hci_ev_le_conn_update_complete)),
	/* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
	HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
		  hci_le_remote_feat_complete_evt,
		  sizeof(struct hci_ev_le_remote_feat_complete)),
	/* [0x05 = HCI_EV_LE_LTK_REQ] */
	HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
		  sizeof(struct hci_ev_le_ltk_req)),
	/* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
	HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
		  hci_le_remote_conn_param_req_evt,
		  sizeof(struct hci_ev_le_remote_conn_param_req)),
	/* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
	HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
		  hci_le_enh_conn_complete_evt,
		  sizeof(struct hci_ev_le_enh_conn_complete)),
	/* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
	HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
		     sizeof(struct hci_ev_le_direct_adv_report),
		     HCI_MAX_EVENT_SIZE),
	/* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
	HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
		  sizeof(struct hci_ev_le_phy_update_complete)),
	/* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
	HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
		     sizeof(struct hci_ev_le_ext_adv_report),
		     HCI_MAX_EVENT_SIZE),
	/* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
	HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
		  hci_le_pa_sync_established_evt,
		  sizeof(struct hci_ev_le_pa_sync_established)),
	/* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
	HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
		     hci_le_per_adv_report_evt,
		     sizeof(struct hci_ev_le_per_adv_report),
		     HCI_MAX_EVENT_SIZE),
	/* [0x10 = HCI_EV_LE_PA_SYNC_LOST] */
	HCI_LE_EV(HCI_EV_LE_PA_SYNC_LOST, hci_le_pa_sync_lost_evt,
		  sizeof(struct hci_ev_le_pa_sync_lost)),
	/* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
	HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
		  sizeof(struct hci_evt_le_ext_adv_set_term)),
	/* [0x18 = HCI_EV_LE_PAST_RECEIVED] */
	HCI_LE_EV(HCI_EV_LE_PAST_RECEIVED,
		  hci_le_past_received_evt,
		  sizeof(struct hci_ev_le_past_received)),
	/* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
	HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_established_evt,
		  sizeof(struct hci_evt_le_cis_established)),
	/* [0x1a = HCI_EVT_LE_CIS_REQ] */
	HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
		  sizeof(struct hci_evt_le_cis_req)),
	/* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
	HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
		     hci_le_create_big_complete_evt,
		     sizeof(struct hci_evt_le_create_big_complete),
		     HCI_MAX_EVENT_SIZE),
	/* [0x1d = HCI_EVT_LE_BIG_SYNC_ESTABLISHED] */
	HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABLISHED,
		     hci_le_big_sync_established_evt,
		     sizeof(struct hci_evt_le_big_sync_established),
		     HCI_MAX_EVENT_SIZE),
	/* [0x1e = HCI_EVT_LE_BIG_SYNC_LOST] */
	HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_LOST,
		     hci_le_big_sync_lost_evt,
		     sizeof(struct hci_evt_le_big_sync_lost),
		     HCI_MAX_EVENT_SIZE),
	/* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
	HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
		     hci_le_big_info_adv_report_evt,
		     sizeof(struct hci_evt_le_big_info_adv_report),
		     HCI_MAX_EVENT_SIZE),
	/* [0x2b = HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE] */
	HCI_LE_EV_VL(HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE,
		     hci_le_read_all_remote_features_evt,
		     sizeof(struct
			    hci_evt_le_read_all_remote_features_complete),
		     HCI_MAX_EVENT_SIZE),
};

/* LE Meta event (0x3e) dispatcher.
 *
 * First completes a pending request whose command is in the LE OGF (0x08)
 * or is a NOP and whose expected event equals this subevent.  Then looks
 * the subevent up in hci_le_ev_table — ev->subevent is a u8, so the index
 * is always inside the U8_MAX + 1 entries — validates skb->len against the
 * entry's min_len/max_len, pulls the fixed part and calls the handler.
 */
static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
			    struct sk_buff *skb, u16 *opcode, u8 *status,
			    hci_req_complete_t *req_complete,
			    hci_req_complete_skb_t *req_complete_skb)
{
	struct hci_ev_le_meta *ev = data;
	const struct hci_le_ev *subev;

	bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);

	/* Only match event if command OGF is for LE */
	if (hdev->req_skb &&
	    (hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 ||
	     hci_skb_opcode(hdev->req_skb) == HCI_OP_NOP) &&
	    hci_skb_event(hdev->req_skb) == ev->subevent) {
		*opcode = hci_skb_opcode(hdev->req_skb);
		hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
				     req_complete_skb);
	}

	subev = &hci_le_ev_table[ev->subevent];
	if (!subev->func)
		return;

	/* Too short is a hard error: the handler would read past the data. */
	if (skb->len < subev->min_len) {
		bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
			   ev->subevent, skb->len, subev->min_len);
		return;
	}

	/* Only warn if the length exceeds max_len: it may still be possible
	 * to partially parse the event, so leave it to the callback to
	 * decide whether that is acceptable.
	 */
	if (skb->len > subev->max_len)
		bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
			    ev->subevent, skb->len, subev->max_len);
	data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
	if (!data)
		return;

	subev->func(hdev, data, skb);
}

/* Check whether @skb — the pristine copy of the received event — is what
 * a completed request was waiting for: when @event is non-zero, an event
 * of that type; otherwise a Command Complete for @opcode.
 *
 * Returns false for a NULL skb, a truncated header, a Command Status
 * (which carries no return parameters), a non-Command-Complete event, or
 * an opcode mismatch.  The event header (and the Command Complete header)
 * are pulled off @skb as a side effect, leaving only the return parameters.
 */
static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
				 u8 event, struct sk_buff *skb)
{
	struct hci_ev_cmd_complete *ev;
	struct hci_event_hdr *hdr;

	if (!skb)
		return false;

	hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
	if (!hdr)
		return false;

	if (event) {
		if (hdr->evt != event)
			return false;
		return true;
	}

	/* Check if request ended in Command Status - no way to retrieve
	 * any extra parameters in this case.
	 */
	if (hdr->evt == HCI_EV_CMD_STATUS)
		return false;

	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
			   hdr->evt);
		return false;
	}

	ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
	if (!ev)
		return false;

	if (opcode != __le16_to_cpu(ev->opcode)) {
		/* NOTE(review): opcodes are 16-bit; 0x%4.4x would match the
		 * formatting used by the other opcode messages in this file.
		 */
		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
		       __le16_to_cpu(ev->opcode));
		return false;
	}

	return true;
}

/* Record why the controller woke us.
 *
 * Only the first event seen while hdev->suspended is recorded (later calls
 * return early once hdev->wake_reason is set).  A NULL @bdaddr marks the
 * wake as unexpected; otherwise it is attributed to the remote address
 * @bdaddr/@addr_type.  Caller must hold hdev->lock.
 */
static void hci_store_wake_reason(struct hci_dev *hdev,
				  const bdaddr_t *bdaddr, u8 addr_type)
	__must_hold(&hdev->lock)
{
	lockdep_assert_held(&hdev->lock);

	/* If we are currently suspended and this is the first BT event seen,
	 * save the wake reason associated with the event.
	 */
	if (!hdev->suspended || hdev->wake_reason)
		return;

	if (!bdaddr) {
		hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
		return;
	}

	/* Default to remote wake. Values for wake_reason are documented in the
	 * Bluez mgmt api docs.
*/
	hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
	bacpy(&hdev->wake_addr, bdaddr);
	hdev->wake_addr_type = addr_type;
}

#define HCI_EV_VL(_op, _func, _min_len, _max_len) \
[_op] = { \
	.req = false, \
	.func = _func, \
	.min_len = _min_len, \
	.max_len = _max_len, \
}

#define HCI_EV(_op, _func, _len) \
	HCI_EV_VL(_op, _func, _len, _len)

#define HCI_EV_STATUS(_op, _func) \
	HCI_EV(_op, _func, sizeof(struct hci_ev_status))

#define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
[_op] = { \
	.req = true, \
	.func_req = _func, \
	.min_len = _min_len, \
	.max_len = _max_len, \
}

#define HCI_EV_REQ(_op, _func, _len) \
	HCI_EV_REQ_VL(_op, _func, _len, _len)

/* Entries in this table are indexed by the event opcode they handle, so
 * using the macros above is recommended: they place each entry at its
 * proper index with designated initializers, and events without a callback
 * simply have no entry (their slot stays zeroed, i.e. no func).
 *
 * .req selects which member of the union is valid: HCI_EV_REQ* entries
 * take the request-completion arguments, HCI_EV* entries do not.
 */
static const struct hci_ev {
	bool req;
	union {
		void (*func)(struct hci_dev *hdev, void *data,
			     struct sk_buff *skb);
		void (*func_req)(struct hci_dev *hdev, void *data,
				 struct sk_buff *skb, u16 *opcode, u8 *status,
				 hci_req_complete_t *req_complete,
				 hci_req_complete_skb_t *req_complete_skb);
	};
	u16  min_len;
	u16  max_len;
} hci_ev_table[U8_MAX + 1] = {
	/* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
	HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
	/* [0x02 = HCI_EV_INQUIRY_RESULT] */
	HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
		  sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
	/* [0x03 = HCI_EV_CONN_COMPLETE] */
	HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
	       sizeof(struct hci_ev_conn_complete)),
	/* [0x04 = HCI_EV_CONN_REQUEST] */
	HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
	       sizeof(struct hci_ev_conn_request)),
	/* [0x05 = HCI_EV_DISCONN_COMPLETE] */
	HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
	       sizeof(struct hci_ev_disconn_complete)),
	/* [0x06 = HCI_EV_AUTH_COMPLETE] */
	HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
	       sizeof(struct hci_ev_auth_complete)),
	/* [0x07 = HCI_EV_REMOTE_NAME] */
	HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
	       sizeof(struct hci_ev_remote_name)),
	/* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
	HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
	       sizeof(struct hci_ev_encrypt_change)),
	/* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
	HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
	       hci_change_link_key_complete_evt,
	       sizeof(struct hci_ev_change_link_key_complete)),
	/* [0x0b = HCI_EV_REMOTE_FEATURES] */
	HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
	       sizeof(struct hci_ev_remote_features)),
	/* [0x0e = HCI_EV_CMD_COMPLETE] */
	HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
		      sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
	/* [0x0f = HCI_EV_CMD_STATUS] */
	HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
		   sizeof(struct hci_ev_cmd_status)),
	/* [0x10 = HCI_EV_HARDWARE_ERROR] */
	HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
	       sizeof(struct hci_ev_hardware_error)),
	/* [0x12 = HCI_EV_ROLE_CHANGE] */
	HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
	       sizeof(struct hci_ev_role_change)),
	/* [0x13 = HCI_EV_NUM_COMP_PKTS] */
	HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
		  sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
	/* [0x14 = HCI_EV_MODE_CHANGE] */
	HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
	       sizeof(struct hci_ev_mode_change)),
	/* [0x16 = HCI_EV_PIN_CODE_REQ] */
	HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
	       sizeof(struct hci_ev_pin_code_req)),
	/* [0x17 = HCI_EV_LINK_KEY_REQ] */
	HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
	       sizeof(struct hci_ev_link_key_req)),
	/* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
	HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
	       sizeof(struct hci_ev_link_key_notify)),
	/* [0x1c = HCI_EV_CLOCK_OFFSET] */
	HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
	       sizeof(struct hci_ev_clock_offset)),
	/* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
	HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
	       sizeof(struct hci_ev_pkt_type_change)),
	/* [0x20 = HCI_EV_PSCAN_REP_MODE] */
	HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
	       sizeof(struct hci_ev_pscan_rep_mode)),
	/* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
	HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
		  hci_inquiry_result_with_rssi_evt,
		  sizeof(struct hci_ev_inquiry_result_rssi),
		  HCI_MAX_EVENT_SIZE),
	/* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
	HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
	       sizeof(struct hci_ev_remote_ext_features)),
	/* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
	HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
	       sizeof(struct hci_ev_sync_conn_complete)),
	/* [0x2f = HCI_EV_EXTENDED_INQUIRY_RESULT] */
	HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
		  hci_extended_inquiry_result_evt,
		  sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
	/* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
	HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
	       sizeof(struct hci_ev_key_refresh_complete)),
	/* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
	HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
	       sizeof(struct hci_ev_io_capa_request)),
	/* [0x32 = HCI_EV_IO_CAPA_REPLY] */
	HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
	       sizeof(struct hci_ev_io_capa_reply)),
	/* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
	HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
	       sizeof(struct hci_ev_user_confirm_req)),
	/* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
	HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
	       sizeof(struct hci_ev_user_passkey_req)),
	/* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
	HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
	       sizeof(struct hci_ev_remote_oob_data_request)),
	/* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
	HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
	       sizeof(struct hci_ev_simple_pair_complete)),
	/* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
	HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
	       sizeof(struct hci_ev_user_passkey_notify)),
	/* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
	HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
	       sizeof(struct hci_ev_keypress_notify)),
	/* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
	HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
	       sizeof(struct hci_ev_remote_host_features)),
	/* [0x3e = HCI_EV_LE_META] */
	HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
		      sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
	/* [0xff = HCI_EV_VENDOR] */
	HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
};

/* Dispatch one HCI event through hci_ev_table.
 *
 * @event is a u8, so the table index is always within U8_MAX + 1.  A
 * payload shorter than the entry's min_len is dropped with an error; one
 * longer than max_len only triggers a rate-limited warning (see comment
 * below).  The fixed part (min_len) is pulled before the handler runs, and
 * the request-completion arguments are forwarded only to .req entries.
 */
static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
			   u16 *opcode, u8 *status,
			   hci_req_complete_t *req_complete,
			   hci_req_complete_skb_t *req_complete_skb)
{
	const struct hci_ev *ev = &hci_ev_table[event];
	void *data;

	if (!ev->func)
		return;

	if (skb->len < ev->min_len) {
		bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
			   event, skb->len, ev->min_len);
		return;
	}

	/* Only warn if the length exceeds max_len: it may still be possible
	 * to partially parse the event, so leave it to the callback to
	 * decide whether that is acceptable.
	 */
	if (skb->len > ev->max_len)
		bt_dev_warn_ratelimited(hdev,
					"unexpected event 0x%2.2x length: %u > %u",
					event, skb->len, ev->max_len);

	data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
	if (!data)
		return;

	if (ev->req)
		ev->func_req(hdev, data, skb, opcode, status, req_complete,
			     req_complete_skb);
	else
		ev->func(hdev, data, skb);
}

/* Entry point for a received HCI event packet.  Consumes @skb.
 *
 * Validates that at least the event header is present before reading it,
 * keeps a clone of the packet in hdev->recv_event, completes a pending
 * non-LE request whose expected event matches, dispatches the event, and
 * finally runs the request completion callbacks.  A pristine clone
 * (orig_skb) is handed to req_complete_skb because the handlers may
 * skb_pull() the original; orig_skb is still freed here afterwards.
 */
void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_event_hdr *hdr = (void *) skb->data;
	hci_req_complete_t req_complete = NULL;
	hci_req_complete_skb_t req_complete_skb = NULL;
	struct sk_buff *orig_skb = NULL;
	u8 status = 0, event, req_evt = 0;
	u16 opcode = HCI_OP_NOP;

	/* hdr is only dereferenced once the header is known to be present. */
	if (skb->len < sizeof(*hdr)) {
		bt_dev_err(hdev, "Malformed HCI Event");
		goto done;
	}

	hci_dev_lock(hdev);
	kfree_skb(hdev->recv_event);
	hdev->recv_event = skb_clone(skb, GFP_KERNEL);
	hci_dev_unlock(hdev);

	event = hdr->evt;
	if (!event) {
		bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
			    event);
		goto done;
	}

	/* Only match event if command OGF is not for LE */
	if (hdev->req_skb &&
	    hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
	    hci_skb_event(hdev->req_skb) == event) {
		hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
				     status, &req_complete, &req_complete_skb);
		req_evt = event;
	}

	/* If it looks like we might end up having to call
	 * req_complete_skb, store a pristine copy of the skb since the
	 * various handlers may modify the original one through
	 * skb_pull() calls, etc.
	 */
	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
	    event == HCI_EV_CMD_COMPLETE)
		orig_skb = skb_clone(skb, GFP_KERNEL);

	skb_pull(skb, HCI_EVENT_HDR_SIZE);

	bt_dev_dbg(hdev, "event 0x%2.2x", event);

	hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
		       &req_complete_skb);

	/* Any event while suspended that no handler attributed to a remote
	 * address is recorded as an unexpected wake.
	 */
	hci_dev_lock(hdev);
	hci_store_wake_reason(hdev, NULL, 0);
	hci_dev_unlock(hdev);

	if (req_complete) {
		req_complete(hdev, status, opcode);
	} else if (req_complete_skb) {
		/* A NULL orig_skb (clone failure) makes this return false,
		 * so the callback then sees NULL rather than a wrong skb.
		 */
		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
			kfree_skb(orig_skb);
			orig_skb = NULL;
		}
		req_complete_skb(hdev, status, opcode, orig_skb);
	}

done:
	kfree_skb(orig_skb);
	kfree_skb(skb);
	hdev->stat.evt_rx++;
}