1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023-2024 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI event handling. */ 27 28 #include <linux/unaligned.h> 29 #include <linux/crypto.h> 30 #include <crypto/algapi.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "hci_debugfs.h" 37 #include "hci_codec.h" 38 #include "smp.h" 39 #include "msft.h" 40 #include "eir.h" 41 42 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 43 "\x00\x00\x00\x00\x00\x00\x00\x00" 44 45 /* Handle HCI Event packets */ 46 47 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 48 u8 ev, size_t len) 49 { 50 void *data; 51 52 data = skb_pull_data(skb, len); 53 if (!data) 54 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev); 55 56 return data; 57 } 58 59 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 60 u16 op, size_t len) 61 { 62 void *data; 63 64 data = skb_pull_data(skb, len); 65 if (!data) 66 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op); 67 68 return data; 69 } 70 71 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 72 u8 ev, size_t len) 73 { 74 void *data; 75 76 data = skb_pull_data(skb, len); 77 if (!data) 78 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev); 79 80 return data; 81 } 82 83 static void hci_store_wake_reason(struct hci_dev *hdev, 84 const bdaddr_t *bdaddr, u8 addr_type) 85 __must_hold(&hdev->lock); 86 87 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data, 88 struct sk_buff *skb) 89 { 90 struct hci_ev_status *rp = data; 91 92 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 93 94 /* It is possible that we receive Inquiry Complete event right 95 * before we receive Inquiry Cancel Command Complete event, in 96 * which case the latter event should have status of Command 97 * Disallowed. This should not be treated as error, since 98 * we actually achieve what Inquiry Cancel wants to achieve, 99 * which is to end the last Inquiry session. 100 */ 101 if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) { 102 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 103 rp->status = 0x00; 104 } 105 106 if (rp->status) 107 return rp->status; 108 109 clear_bit(HCI_INQUIRY, &hdev->flags); 110 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 111 wake_up_bit(&hdev->flags, HCI_INQUIRY); 112 113 hci_dev_lock(hdev); 114 /* Set discovery state to stopped if we're not doing LE active 115 * scanning. 116 */ 117 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 118 hdev->le_scan_type != LE_SCAN_ACTIVE) 119 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 120 hci_dev_unlock(hdev); 121 122 return rp->status; 123 } 124 125 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data, 126 struct sk_buff *skb) 127 { 128 struct hci_ev_status *rp = data; 129 130 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 131 132 if (rp->status) 133 return rp->status; 134 135 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 136 137 return rp->status; 138 } 139 140 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data, 141 struct sk_buff *skb) 142 { 143 struct hci_ev_status *rp = data; 144 145 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 146 147 if (rp->status) 148 return rp->status; 149 150 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 151 152 return rp->status; 153 } 154 155 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data, 156 struct sk_buff *skb) 157 { 158 struct hci_rp_remote_name_req_cancel *rp = data; 159 160 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 161 162 return rp->status; 163 } 164 165 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data, 166 struct sk_buff *skb) 167 { 168 struct hci_rp_role_discovery *rp = data; 169 struct hci_conn *conn; 170 171 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 172 173 if (rp->status) 174 return rp->status; 175 176 hci_dev_lock(hdev); 177 178 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 179 if (conn) 180 conn->role = rp->role; 181 182 hci_dev_unlock(hdev); 183 184 return rp->status; 185 } 186 187 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data, 188 struct sk_buff *skb) 189 { 190 struct hci_rp_read_link_policy *rp = data; 191 struct hci_conn *conn; 192 193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 194 195 if (rp->status) 196 return rp->status; 197 198 hci_dev_lock(hdev); 199 200 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 201 if (conn) 202 conn->link_policy = __le16_to_cpu(rp->policy); 203 204 hci_dev_unlock(hdev); 205 206 return rp->status; 207 } 208 209 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data, 210 struct sk_buff *skb) 211 { 212 struct hci_rp_write_link_policy *rp = data; 213 struct hci_conn *conn; 214 void *sent; 215 216 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 217 218 if (rp->status) 219 return rp->status; 220 221 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 222 if (!sent) 223 return rp->status; 224 225 hci_dev_lock(hdev); 226 227 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 228 if (conn) 229 conn->link_policy = get_unaligned_le16(sent + 2); 230 231 hci_dev_unlock(hdev); 232 233 return rp->status; 234 } 235 236 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data, 237 struct sk_buff *skb) 238 { 239 struct hci_rp_read_def_link_policy *rp = data; 240 241 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 242 243 if (rp->status) 244 return rp->status; 245 246 hdev->link_policy = __le16_to_cpu(rp->policy); 247 248 return rp->status; 249 } 250 251 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data, 252 struct sk_buff *skb) 253 { 254 struct hci_ev_status *rp = data; 255 void *sent; 256 257 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 258 259 if (rp->status) 260 return rp->status; 261 262 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 263 if (!sent) 264 return rp->status; 265 266 hdev->link_policy = get_unaligned_le16(sent); 267 268 return rp->status; 269 } 270 271 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb) 272 { 273 struct hci_ev_status *rp = data; 274 275 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 276 277 clear_bit(HCI_RESET, &hdev->flags); 278 279 if (rp->status) 280 return rp->status; 281 282 /* Reset all non-persistent flags */ 283 hci_dev_clear_volatile_flags(hdev); 284 285 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 286 287 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 288 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 289 290 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 291 hdev->adv_data_len = 0; 292 293 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 294 hdev->scan_rsp_data_len = 0; 295 296 hdev->le_scan_type = LE_SCAN_PASSIVE; 297 298 hdev->ssp_debug_mode = 0; 299 300 hci_bdaddr_list_clear(&hdev->le_accept_list); 301 hci_bdaddr_list_clear(&hdev->le_resolv_list); 302 303 return rp->status; 304 } 305 306 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data, 307 struct sk_buff *skb) 308 { 309 struct hci_rp_read_stored_link_key *rp = data; 310 struct hci_cp_read_stored_link_key *sent; 311 312 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 313 314 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 315 if (!sent) 316 return rp->status; 317 318 if (!rp->status && sent->read_all == 0x01) { 319 hdev->stored_max_keys = le16_to_cpu(rp->max_keys); 320 hdev->stored_num_keys = le16_to_cpu(rp->num_keys); 321 } 322 323 return rp->status; 324 } 325 326 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data, 327 struct sk_buff *skb) 328 { 329 struct hci_rp_delete_stored_link_key *rp = data; 330 u16 num_keys; 331 332 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 333 334 if (rp->status) 335 return rp->status; 336 337 num_keys = le16_to_cpu(rp->num_keys); 338 339 if (num_keys <= hdev->stored_num_keys) 340 hdev->stored_num_keys -= num_keys; 341 else 342 hdev->stored_num_keys = 0; 343 344 return rp->status; 345 } 346 347 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data, 348 struct sk_buff *skb) 349 { 350 struct hci_ev_status *rp = data; 351 void *sent; 352 353 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 354 355 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 356 if (!sent) 357 return rp->status; 358 359 hci_dev_lock(hdev); 360 361 if (hci_dev_test_flag(hdev, HCI_MGMT)) 362 mgmt_set_local_name_complete(hdev, sent, rp->status); 363 else if (!rp->status) 364 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 365 366 hci_dev_unlock(hdev); 367 368 return rp->status; 369 } 370 371 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data, 372 struct sk_buff *skb) 373 { 374 struct hci_rp_read_local_name *rp = data; 375 376 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 377 378 if (rp->status) 379 return rp->status; 380 381 if (hci_dev_test_flag(hdev, HCI_SETUP) || 382 hci_dev_test_flag(hdev, HCI_CONFIG)) 383 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 384 385 return rp->status; 386 } 387 388 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data, 389 struct sk_buff *skb) 390 { 391 struct hci_ev_status *rp = data; 392 void *sent; 393 394 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 395 396 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 397 if (!sent) 398 return rp->status; 399 400 hci_dev_lock(hdev); 401 402 if (!rp->status) { 403 __u8 param = *((__u8 *) sent); 404 405 if (param == AUTH_ENABLED) 406 set_bit(HCI_AUTH, &hdev->flags); 407 else 408 clear_bit(HCI_AUTH, &hdev->flags); 409 } 410 411 if (hci_dev_test_flag(hdev, HCI_MGMT)) 412 mgmt_auth_enable_complete(hdev, rp->status); 413 414 hci_dev_unlock(hdev); 415 416 return rp->status; 417 } 418 419 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data, 420 struct sk_buff *skb) 421 { 422 struct hci_ev_status *rp = data; 423 __u8 param; 424 void *sent; 425 426 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 427 428 if (rp->status) 429 return rp->status; 430 431 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 432 if (!sent) 433 return rp->status; 434 435 param = *((__u8 *) sent); 436 437 if (param) 438 set_bit(HCI_ENCRYPT, &hdev->flags); 439 else 440 clear_bit(HCI_ENCRYPT, &hdev->flags); 441 442 return rp->status; 443 } 444 445 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data, 446 struct sk_buff *skb) 447 { 448 struct hci_ev_status *rp = data; 449 __u8 param; 450 void *sent; 451 452 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 453 454 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 455 if (!sent) 456 return rp->status; 457 458 param = *((__u8 *) sent); 459 460 hci_dev_lock(hdev); 461 462 if (rp->status) { 463 hdev->discov_timeout = 0; 464 goto done; 465 } 466 467 if (param & SCAN_INQUIRY) 468 set_bit(HCI_ISCAN, &hdev->flags); 469 else 470 clear_bit(HCI_ISCAN, &hdev->flags); 471 472 if (param & SCAN_PAGE) 473 set_bit(HCI_PSCAN, &hdev->flags); 474 else 475 clear_bit(HCI_PSCAN, &hdev->flags); 476 477 done: 478 hci_dev_unlock(hdev); 479 480 return rp->status; 481 } 482 483 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data, 484 struct sk_buff *skb) 485 { 486 struct hci_ev_status *rp = data; 487 struct hci_cp_set_event_filter *cp; 488 void *sent; 489 490 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 491 492 if (rp->status) 493 return rp->status; 494 495 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT); 496 if (!sent) 497 return rp->status; 498 499 cp = (struct hci_cp_set_event_filter *)sent; 500 501 if (cp->flt_type == HCI_FLT_CLEAR_ALL) 502 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 503 else 504 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 505 506 return rp->status; 507 } 508 509 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, 510 struct sk_buff *skb) 511 { 512 struct hci_rp_read_class_of_dev *rp = data; 513 514 if (WARN_ON(!hdev)) 515 return HCI_ERROR_UNSPECIFIED; 516 517 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 518 519 if (rp->status) 520 return rp->status; 521 522 memcpy(hdev->dev_class, rp->dev_class, 3); 523 524 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2], 525 hdev->dev_class[1], hdev->dev_class[0]); 526 527 return rp->status; 528 } 529 530 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data, 531 struct sk_buff *skb) 532 { 533 struct hci_ev_status *rp = data; 534 void *sent; 535 536 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 537 538 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 539 if (!sent) 540 return rp->status; 541 542 hci_dev_lock(hdev); 543 544 if (!rp->status) 545 memcpy(hdev->dev_class, sent, 3); 546 547 if (hci_dev_test_flag(hdev, HCI_MGMT)) 548 mgmt_set_class_of_dev_complete(hdev, sent, rp->status); 549 550 hci_dev_unlock(hdev); 551 552 return rp->status; 553 } 554 555 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data, 556 struct sk_buff *skb) 557 { 558 struct hci_rp_read_voice_setting *rp = data; 559 __u16 setting; 560 561 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 562 563 if (rp->status) 564 return rp->status; 565 566 setting = __le16_to_cpu(rp->voice_setting); 567 568 if (hdev->voice_setting == setting) 569 return rp->status; 570 571 hdev->voice_setting = setting; 572 573 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 574 575 if (hdev->notify) 576 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 577 578 return rp->status; 579 } 580 581 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data, 582 struct sk_buff *skb) 583 { 584 struct hci_ev_status *rp = data; 585 __u16 setting; 586 void *sent; 587 588 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 589 590 if (rp->status) 591 return rp->status; 592 593 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 594 if (!sent) 595 return rp->status; 596 597 setting = get_unaligned_le16(sent); 598 599 if (hdev->voice_setting == setting) 600 return rp->status; 601 602 hdev->voice_setting = setting; 603 604 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 605 606 if (hdev->notify) 607 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 608 609 return rp->status; 610 } 611 612 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data, 613 struct sk_buff *skb) 614 { 615 struct hci_rp_read_num_supported_iac *rp = data; 616 617 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 618 619 if (rp->status) 620 return rp->status; 621 622 hdev->num_iac = rp->num_iac; 623 624 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac); 625 626 return rp->status; 627 } 628 629 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data, 630 struct sk_buff *skb) 631 { 632 struct hci_ev_status *rp = data; 633 struct hci_cp_write_ssp_mode *sent; 634 635 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 636 637 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 638 if (!sent) 639 return rp->status; 640 641 hci_dev_lock(hdev); 642 643 if (!rp->status) { 644 if (sent->mode) 645 hdev->features[1][0] |= LMP_HOST_SSP; 646 else 647 hdev->features[1][0] &= ~LMP_HOST_SSP; 648 } 649 650 if (!rp->status) { 651 if (sent->mode) 652 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 653 else 654 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 655 } 656 657 hci_dev_unlock(hdev); 658 659 return rp->status; 660 } 661 662 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data, 663 struct sk_buff *skb) 664 { 665 struct hci_ev_status *rp = data; 666 struct hci_cp_write_sc_support *sent; 667 668 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 669 670 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 671 if (!sent) 672 return rp->status; 673 674 hci_dev_lock(hdev); 675 676 if (!rp->status) { 677 if (sent->support) 678 hdev->features[1][0] |= LMP_HOST_SC; 679 else 680 hdev->features[1][0] &= ~LMP_HOST_SC; 681 } 682 683 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) { 684 if (sent->support) 685 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 686 else 687 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 688 } 689 690 hci_dev_unlock(hdev); 691 692 return rp->status; 693 } 694 695 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data, 696 struct sk_buff *skb) 697 { 698 struct hci_rp_read_local_version *rp = data; 699 700 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 701 702 if (rp->status) 703 return rp->status; 704 705 if (hci_dev_test_flag(hdev, HCI_SETUP) || 706 hci_dev_test_flag(hdev, HCI_CONFIG)) { 707 hdev->hci_ver = rp->hci_ver; 708 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 709 hdev->lmp_ver = rp->lmp_ver; 710 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 711 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 712 } 713 714 return rp->status; 715 } 716 717 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data, 718 struct sk_buff *skb) 719 { 720 struct hci_rp_read_enc_key_size *rp = data; 721 struct hci_conn *conn; 722 u16 handle; 723 u8 status = rp->status; 724 725 bt_dev_dbg(hdev, "status 0x%2.2x", status); 726 727 handle = le16_to_cpu(rp->handle); 728 729 hci_dev_lock(hdev); 730 731 conn = hci_conn_hash_lookup_handle(hdev, handle); 732 if (!conn) { 733 status = 0xFF; 734 goto done; 735 } 736 737 /* While unexpected, the read_enc_key_size command may fail. The most 738 * secure approach is to then assume the key size is 0 to force a 739 * disconnection. 740 */ 741 if (status) { 742 bt_dev_err(hdev, "failed to read key size for handle %u", 743 handle); 744 conn->enc_key_size = 0; 745 } else { 746 u8 *key_enc_size = hci_conn_key_enc_size(conn); 747 748 conn->enc_key_size = rp->key_size; 749 status = 0; 750 751 /* Attempt to check if the key size is too small or if it has 752 * been downgraded from the last time it was stored as part of 753 * the link_key. 754 */ 755 if (conn->enc_key_size < hdev->min_enc_key_size || 756 (key_enc_size && conn->enc_key_size < *key_enc_size)) { 757 /* As slave role, the conn->state has been set to 758 * BT_CONNECTED and l2cap conn req might not be received 759 * yet, at this moment the l2cap layer almost does 760 * nothing with the non-zero status. 761 * So we also clear encrypt related bits, and then the 762 * handler of l2cap conn req will get the right secure 763 * state at a later time. 764 */ 765 status = HCI_ERROR_AUTH_FAILURE; 766 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 767 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 768 } 769 770 /* Update the key encryption size with the connection one */ 771 if (key_enc_size && *key_enc_size != conn->enc_key_size) 772 *key_enc_size = conn->enc_key_size; 773 } 774 775 hci_encrypt_cfm(conn, status); 776 777 done: 778 hci_dev_unlock(hdev); 779 780 return status; 781 } 782 783 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data, 784 struct sk_buff *skb) 785 { 786 struct hci_rp_read_local_commands *rp = data; 787 788 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 789 790 if (rp->status) 791 return rp->status; 792 793 if (hci_dev_test_flag(hdev, HCI_SETUP) || 794 hci_dev_test_flag(hdev, HCI_CONFIG)) 795 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 796 797 return rp->status; 798 } 799 800 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data, 801 struct sk_buff *skb) 802 { 803 struct hci_rp_read_auth_payload_to *rp = data; 804 struct hci_conn *conn; 805 806 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 807 808 if (rp->status) 809 return rp->status; 810 811 hci_dev_lock(hdev); 812 813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 814 if (conn) 815 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 816 817 hci_dev_unlock(hdev); 818 819 return rp->status; 820 } 821 822 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data, 823 struct sk_buff *skb) 824 { 825 struct hci_rp_write_auth_payload_to *rp = data; 826 struct hci_conn *conn; 827 void *sent; 828 829 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 830 831 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 832 if (!sent) 833 return rp->status; 834 835 hci_dev_lock(hdev); 836 837 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 838 if (!conn) { 839 rp->status = 0xff; 840 goto unlock; 841 } 842 843 if (!rp->status) 844 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 845 846 unlock: 847 hci_dev_unlock(hdev); 848 849 return rp->status; 850 } 851 852 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data, 853 struct sk_buff *skb) 854 { 855 struct hci_rp_read_local_features *rp = data; 856 857 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 858 859 if (rp->status) 860 return rp->status; 861 862 memcpy(hdev->features, rp->features, 8); 863 864 /* Adjust default settings according to features 865 * supported by device. */ 866 867 if (hdev->features[0][0] & LMP_3SLOT) 868 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 869 870 if (hdev->features[0][0] & LMP_5SLOT) 871 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 872 873 if (hdev->features[0][1] & LMP_HV2) { 874 hdev->pkt_type |= (HCI_HV2); 875 hdev->esco_type |= (ESCO_HV2); 876 } 877 878 if (hdev->features[0][1] & LMP_HV3) { 879 hdev->pkt_type |= (HCI_HV3); 880 hdev->esco_type |= (ESCO_HV3); 881 } 882 883 if (lmp_esco_capable(hdev)) 884 hdev->esco_type |= (ESCO_EV3); 885 886 if (hdev->features[0][4] & LMP_EV4) 887 hdev->esco_type |= (ESCO_EV4); 888 889 if (hdev->features[0][4] & LMP_EV5) 890 hdev->esco_type |= (ESCO_EV5); 891 892 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 893 hdev->esco_type |= (ESCO_2EV3); 894 895 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 896 hdev->esco_type |= (ESCO_3EV3); 897 898 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 899 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 900 901 return rp->status; 902 } 903 904 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, 905 struct sk_buff *skb) 906 { 907 struct hci_rp_read_local_ext_features *rp = data; 908 909 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 910 911 if (rp->status) 912 return rp->status; 913 914 if (hdev->max_page < rp->max_page) { 915 if (hci_test_quirk(hdev, 916 HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2)) 917 bt_dev_warn(hdev, "broken local ext features page 2"); 918 else 919 hdev->max_page = rp->max_page; 920 } 921 922 if (rp->page < HCI_MAX_PAGES) 923 memcpy(hdev->features[rp->page], rp->features, 8); 924 925 return rp->status; 926 } 927 928 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, 929 struct sk_buff *skb) 930 { 931 struct hci_rp_read_buffer_size *rp = data; 932 933 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 934 935 if (rp->status) 936 return rp->status; 937 938 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 939 hdev->sco_mtu = rp->sco_mtu; 940 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 941 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 942 943 if (hci_test_quirk(hdev, HCI_QUIRK_FIXUP_BUFFER_SIZE)) { 944 hdev->sco_mtu = 64; 945 hdev->sco_pkts = 8; 946 } 947 948 if (!read_voice_setting_capable(hdev)) 949 hdev->sco_pkts = 0; 950 951 hdev->acl_cnt = hdev->acl_pkts; 952 hdev->sco_cnt = hdev->sco_pkts; 953 954 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 955 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 956 957 if (!hdev->acl_mtu || !hdev->acl_pkts) 958 return HCI_ERROR_INVALID_PARAMETERS; 959 960 return rp->status; 961 } 962 963 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data, 964 struct sk_buff *skb) 965 { 966 struct hci_rp_read_bd_addr *rp = data; 967 968 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 969 970 if (rp->status) 971 return rp->status; 972 973 if (test_bit(HCI_INIT, &hdev->flags)) 974 bacpy(&hdev->bdaddr, &rp->bdaddr); 975 976 if (hci_dev_test_flag(hdev, HCI_SETUP)) 977 bacpy(&hdev->setup_addr, &rp->bdaddr); 978 979 return rp->status; 980 } 981 982 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data, 983 struct sk_buff *skb) 984 { 985 struct hci_rp_read_local_pairing_opts *rp = data; 986 987 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 988 989 if (rp->status) 990 return rp->status; 991 992 if (hci_dev_test_flag(hdev, HCI_SETUP) || 993 hci_dev_test_flag(hdev, HCI_CONFIG)) { 994 hdev->pairing_opts = rp->pairing_opts; 995 hdev->max_enc_key_size = rp->max_key_size; 996 } 997 998 return rp->status; 999 } 1000 1001 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data, 1002 struct sk_buff *skb) 1003 { 1004 struct hci_rp_read_page_scan_activity *rp = data; 1005 1006 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1007 1008 if (rp->status) 1009 return rp->status; 1010 1011 if (test_bit(HCI_INIT, &hdev->flags)) { 1012 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 1013 hdev->page_scan_window = __le16_to_cpu(rp->window); 1014 } 1015 1016 return rp->status; 1017 } 1018 1019 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data, 1020 struct sk_buff *skb) 1021 { 1022 struct hci_ev_status *rp = data; 1023 struct hci_cp_write_page_scan_activity *sent; 1024 1025 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1026 1027 if (rp->status) 1028 return rp->status; 1029 1030 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 1031 if (!sent) 1032 return rp->status; 1033 1034 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 1035 hdev->page_scan_window = __le16_to_cpu(sent->window); 1036 1037 return rp->status; 1038 } 1039 1040 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data, 1041 struct sk_buff *skb) 1042 { 1043 struct hci_rp_read_page_scan_type *rp = data; 1044 1045 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1046 1047 if (rp->status) 1048 return rp->status; 1049 1050 if (test_bit(HCI_INIT, &hdev->flags)) 1051 hdev->page_scan_type = rp->type; 1052 1053 return rp->status; 1054 } 1055 1056 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data, 1057 struct sk_buff *skb) 1058 { 1059 struct hci_ev_status *rp = data; 1060 u8 *type; 1061 1062 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1063 1064 if (rp->status) 1065 return rp->status; 1066 1067 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 1068 if (type) 1069 hdev->page_scan_type = *type; 1070 1071 return rp->status; 1072 } 1073 1074 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, 1075 struct sk_buff *skb) 1076 { 1077 struct hci_rp_read_clock *rp = data; 1078 struct hci_cp_read_clock *cp; 1079 struct hci_conn *conn; 1080 1081 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1082 1083 if (rp->status) 1084 return rp->status; 1085 1086 hci_dev_lock(hdev); 1087 1088 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 1089 if (!cp) 1090 goto unlock; 1091 1092 if (cp->which == 0x00) { 1093 hdev->clock = le32_to_cpu(rp->clock); 1094 goto unlock; 1095 } 1096 1097 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1098 if (conn) { 1099 conn->clock = le32_to_cpu(rp->clock); 1100 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 1101 } 1102 1103 unlock: 1104 hci_dev_unlock(hdev); 1105 return rp->status; 1106 } 1107 1108 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data, 1109 struct sk_buff *skb) 1110 { 1111 struct hci_rp_read_inq_rsp_tx_power *rp = data; 1112 1113 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1114 1115 if (rp->status) 1116 return rp->status; 1117 1118 hdev->inq_tx_power = rp->tx_power; 1119 1120 return rp->status; 1121 } 1122 1123 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data, 1124 struct sk_buff *skb) 1125 { 1126 struct hci_rp_read_def_err_data_reporting *rp = data; 1127 1128 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1129 1130 if (rp->status) 1131 return rp->status; 1132 1133 hdev->err_data_reporting = rp->err_data_reporting; 1134 1135 return rp->status; 1136 } 1137 1138 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data, 1139 struct sk_buff *skb) 1140 { 1141 struct hci_ev_status *rp = data; 1142 struct hci_cp_write_def_err_data_reporting *cp; 1143 1144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1145 1146 if (rp->status) 1147 return rp->status; 1148 1149 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 1150 if (!cp) 1151 return rp->status; 1152 1153 hdev->err_data_reporting = cp->err_data_reporting; 1154 1155 return rp->status; 1156 } 1157 1158 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data, 1159 struct sk_buff *skb) 1160 { 1161 struct hci_rp_pin_code_reply *rp = data; 1162 struct hci_cp_pin_code_reply *cp; 1163 struct hci_conn *conn; 1164 1165 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1166 1167 hci_dev_lock(hdev); 1168 1169 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1170 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 1171 1172 if (rp->status) 1173 goto unlock; 1174 1175 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 1176 if (!cp) 1177 goto unlock; 1178 1179 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1180 if (conn) 1181 conn->pin_length = cp->pin_len; 1182 1183 unlock: 1184 hci_dev_unlock(hdev); 1185 return rp->status; 1186 } 1187 1188 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data, 1189 struct sk_buff *skb) 1190 { 1191 struct hci_rp_pin_code_neg_reply *rp = data; 1192 1193 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1194 1195 hci_dev_lock(hdev); 1196 1197 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1198 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1199 rp->status); 1200 1201 hci_dev_unlock(hdev); 1202 1203 return rp->status; 1204 } 1205 1206 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data, 1207 struct sk_buff *skb) 1208 { 1209 struct hci_rp_le_read_buffer_size *rp = data; 1210 1211 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1212 1213 if (rp->status) 1214 return rp->status; 1215 1216 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1217 hdev->le_pkts = rp->le_max_pkt; 1218 1219 hdev->le_cnt = hdev->le_pkts; 1220 1221 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1222 1223 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 1224 return HCI_ERROR_INVALID_PARAMETERS; 1225 1226 return rp->status; 1227 } 1228 1229 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data, 1230 struct sk_buff *skb) 1231 { 1232 struct hci_rp_le_read_local_features *rp = data; 1233 1234 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1235 1236 if (rp->status) 1237 return rp->status; 1238 1239 memcpy(hdev->le_features, rp->features, 8); 1240 1241 return rp->status; 1242 } 1243 1244 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data, 1245 struct sk_buff *skb) 1246 { 1247 struct hci_rp_le_read_adv_tx_power *rp = data; 1248 1249 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1250 1251 if (rp->status) 1252 return rp->status; 1253 1254 hdev->adv_tx_power = rp->tx_power; 1255 1256 return rp->status; 1257 } 1258 1259 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data, 1260 struct sk_buff *skb) 1261 { 1262 struct hci_rp_user_confirm_reply *rp = data; 1263 1264 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1265 1266 hci_dev_lock(hdev); 1267 1268 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1269 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1270 rp->status); 1271 1272 hci_dev_unlock(hdev); 1273 1274 return rp->status; 1275 } 1276 1277 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data, 1278 struct sk_buff *skb) 1279 { 1280 struct hci_rp_user_confirm_reply *rp = data; 1281 1282 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1283 1284 hci_dev_lock(hdev); 1285 1286 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1287 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1288 ACL_LINK, 0, rp->status); 1289 1290 hci_dev_unlock(hdev); 1291 1292 return rp->status; 1293 } 1294 1295 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data, 1296 struct sk_buff *skb) 1297 { 1298 struct hci_rp_user_confirm_reply *rp = data; 1299 1300 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1301 1302 hci_dev_lock(hdev); 1303 1304 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1305 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1306 0, rp->status); 1307 1308 hci_dev_unlock(hdev); 1309 1310 return rp->status; 1311 } 1312 1313 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data, 1314 struct sk_buff *skb) 1315 { 1316 struct hci_rp_user_confirm_reply *rp = data; 1317 1318 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1319 1320 hci_dev_lock(hdev); 1321 1322 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1323 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1324 ACL_LINK, 0, rp->status); 1325 1326 hci_dev_unlock(hdev); 1327 1328 return rp->status; 1329 } 1330 1331 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data, 1332 struct sk_buff *skb) 1333 { 1334 struct hci_rp_read_local_oob_data *rp = data; 1335 1336 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1337 1338 return rp->status; 1339 } 1340 1341 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data, 1342 struct sk_buff *skb) 1343 { 1344 struct hci_rp_read_local_oob_ext_data *rp = data; 1345 1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1347 1348 return rp->status; 1349 } 1350 1351 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data, 1352 struct sk_buff *skb) 1353 { 1354 struct hci_ev_status *rp = data; 1355 bdaddr_t *sent; 1356 1357 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1358 1359 if (rp->status) 1360 return rp->status; 1361 1362 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1363 if (!sent) 1364 return rp->status; 1365 1366 hci_dev_lock(hdev); 1367 1368 bacpy(&hdev->random_addr, sent); 1369 1370 if (!bacmp(&hdev->rpa, sent)) { 1371 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED); 1372 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, 1373 secs_to_jiffies(hdev->rpa_timeout)); 1374 } 1375 1376 hci_dev_unlock(hdev); 1377 1378 return rp->status; 1379 } 1380 1381 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data, 1382 struct sk_buff *skb) 1383 { 1384 struct hci_ev_status *rp = data; 1385 struct hci_cp_le_set_default_phy *cp; 1386 1387 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1388 1389 if (rp->status) 1390 return rp->status; 1391 1392 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1393 if (!cp) 1394 return rp->status; 1395 1396 hci_dev_lock(hdev); 1397 1398 hdev->le_tx_def_phys = cp->tx_phys; 1399 hdev->le_rx_def_phys = cp->rx_phys; 1400 1401 hci_dev_unlock(hdev); 1402 1403 return rp->status; 1404 } 1405 1406 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data, 1407 struct sk_buff *skb) 1408 { 1409 struct hci_ev_status *rp = data; 1410 struct hci_cp_le_set_adv_set_rand_addr *cp; 1411 struct adv_info *adv; 1412 1413 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1414 1415 if (rp->status) 1416 return rp->status; 1417 1418 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1419 /* Update only in case the adv instance since handle 0x00 shall be using 1420 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and 1421 * non-extended adverting. 1422 */ 1423 if (!cp || !cp->handle) 1424 return rp->status; 1425 1426 hci_dev_lock(hdev); 1427 1428 adv = hci_find_adv_instance(hdev, cp->handle); 1429 if (adv) { 1430 bacpy(&adv->random_addr, &cp->bdaddr); 1431 if (!bacmp(&hdev->rpa, &cp->bdaddr)) { 1432 adv->rpa_expired = false; 1433 queue_delayed_work(hdev->workqueue, 1434 &adv->rpa_expired_cb, 1435 secs_to_jiffies(hdev->rpa_timeout)); 1436 } 1437 } 1438 1439 hci_dev_unlock(hdev); 1440 1441 return rp->status; 1442 } 1443 1444 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data, 1445 struct sk_buff *skb) 1446 { 1447 struct hci_ev_status *rp = data; 1448 u8 *instance; 1449 int err; 1450 1451 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1452 1453 if (rp->status) 1454 return rp->status; 1455 1456 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET); 1457 if (!instance) 1458 return rp->status; 1459 1460 hci_dev_lock(hdev); 1461 1462 err = hci_remove_adv_instance(hdev, *instance); 1463 if (!err) 1464 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev, 1465 *instance); 1466 1467 hci_dev_unlock(hdev); 1468 1469 return rp->status; 1470 } 1471 1472 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data, 1473 struct sk_buff *skb) 1474 { 1475 struct hci_ev_status *rp = data; 1476 struct adv_info *adv, *n; 1477 int err; 1478 1479 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1480 1481 if (rp->status) 1482 return rp->status; 1483 1484 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS)) 1485 return rp->status; 1486 1487 hci_dev_lock(hdev); 1488 1489 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 1490 u8 instance = adv->instance; 1491 1492 err = hci_remove_adv_instance(hdev, instance); 1493 if (!err) 1494 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1495 hdev, instance); 1496 } 1497 1498 hci_dev_unlock(hdev); 1499 1500 return rp->status; 1501 } 1502 1503 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data, 1504 struct sk_buff *skb) 1505 { 1506 struct hci_rp_le_read_transmit_power *rp = data; 1507 1508 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1509 1510 if (rp->status) 1511 return rp->status; 1512 1513 hdev->min_le_tx_power = rp->min_le_tx_power; 1514 hdev->max_le_tx_power = rp->max_le_tx_power; 1515 1516 return rp->status; 1517 } 1518 1519 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, 1520 struct sk_buff *skb) 1521 { 1522 struct hci_ev_status *rp = data; 1523 struct hci_cp_le_set_privacy_mode *cp; 1524 struct hci_conn_params *params; 1525 1526 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1527 1528 if (rp->status) 1529 return rp->status; 1530 1531 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE); 1532 if (!cp) 1533 return rp->status; 1534 1535 hci_dev_lock(hdev); 1536 1537 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); 1538 if (params) 1539 WRITE_ONCE(params->privacy_mode, cp->mode); 1540 1541 hci_dev_unlock(hdev); 1542 1543 return rp->status; 1544 } 1545 1546 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data, 1547 struct sk_buff *skb) 1548 { 1549 struct hci_ev_status *rp = data; 1550 __u8 *sent; 1551 1552 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1553 1554 if (rp->status) 1555 return rp->status; 1556 1557 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1558 if (!sent) 1559 return rp->status; 1560 1561 hci_dev_lock(hdev); 1562 1563 /* If we're doing connection initiation as peripheral. Set a 1564 * timeout in case something goes wrong. 1565 */ 1566 if (*sent) { 1567 struct hci_conn *conn; 1568 1569 hci_dev_set_flag(hdev, HCI_LE_ADV); 1570 1571 conn = hci_lookup_le_connect(hdev); 1572 if (conn) 1573 queue_delayed_work(hdev->workqueue, 1574 &conn->le_conn_timeout, 1575 conn->conn_timeout); 1576 } else { 1577 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1578 } 1579 1580 hci_dev_unlock(hdev); 1581 1582 return rp->status; 1583 } 1584 1585 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, 1586 struct sk_buff *skb) 1587 { 1588 struct hci_cp_le_set_ext_adv_enable *cp; 1589 struct hci_cp_ext_adv_set *set; 1590 struct adv_info *adv = NULL, *n; 1591 struct hci_ev_status *rp = data; 1592 1593 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1594 1595 if (rp->status) 1596 return rp->status; 1597 1598 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1599 if (!cp) 1600 return rp->status; 1601 1602 set = (void *)cp->data; 1603 1604 hci_dev_lock(hdev); 1605 1606 if (cp->num_of_sets) 1607 adv = hci_find_adv_instance(hdev, set->handle); 1608 1609 if (cp->enable) { 1610 struct hci_conn *conn; 1611 1612 hci_dev_set_flag(hdev, HCI_LE_ADV); 1613 1614 if (adv) 1615 adv->enabled = true; 1616 else if (!set->handle) 1617 hci_dev_set_flag(hdev, HCI_LE_ADV_0); 1618 1619 conn = hci_lookup_le_connect(hdev); 1620 if (conn) 1621 queue_delayed_work(hdev->workqueue, 1622 &conn->le_conn_timeout, 1623 conn->conn_timeout); 1624 } else { 1625 if (cp->num_of_sets) { 1626 if (adv) 1627 adv->enabled = false; 1628 else if (!set->handle) 1629 hci_dev_clear_flag(hdev, HCI_LE_ADV_0); 1630 1631 /* If just one instance was disabled check if there are 1632 * any other instance enabled before clearing HCI_LE_ADV 1633 */ 1634 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1635 list) { 1636 if (adv->enabled) 1637 goto unlock; 1638 } 1639 } else { 1640 /* All instances shall be considered disabled */ 1641 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1642 list) 1643 adv->enabled = false; 1644 } 1645 1646 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1647 } 1648 1649 unlock: 1650 hci_dev_unlock(hdev); 1651 return rp->status; 1652 } 1653 1654 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data, 1655 struct sk_buff *skb) 1656 { 1657 struct hci_cp_le_set_scan_param *cp; 1658 struct hci_ev_status *rp = data; 1659 1660 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1661 1662 if (rp->status) 1663 return rp->status; 1664 1665 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1666 if (!cp) 1667 return rp->status; 1668 1669 hci_dev_lock(hdev); 1670 1671 hdev->le_scan_type = cp->type; 1672 1673 hci_dev_unlock(hdev); 1674 1675 return rp->status; 1676 } 1677 1678 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data, 1679 struct sk_buff *skb) 1680 { 1681 struct hci_cp_le_set_ext_scan_params *cp; 1682 struct hci_ev_status *rp = data; 1683 struct hci_cp_le_scan_phy_params *phy_param; 1684 1685 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1686 1687 if (rp->status) 1688 return rp->status; 1689 1690 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1691 if (!cp) 1692 return rp->status; 1693 1694 phy_param = (void *)cp->data; 1695 1696 hci_dev_lock(hdev); 1697 1698 hdev->le_scan_type = phy_param->type; 1699 1700 hci_dev_unlock(hdev); 1701 1702 return rp->status; 1703 } 1704 1705 static bool has_pending_adv_report(struct hci_dev *hdev) 1706 { 1707 struct discovery_state *d = &hdev->discovery; 1708 1709 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1710 } 1711 1712 static void clear_pending_adv_report(struct hci_dev *hdev) 1713 { 1714 struct discovery_state *d = &hdev->discovery; 1715 1716 bacpy(&d->last_adv_addr, BDADDR_ANY); 1717 d->last_adv_data_len = 0; 1718 } 1719 1720 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1721 u8 bdaddr_type, s8 rssi, u32 flags, 1722 u8 *data, u8 len) 1723 { 1724 struct discovery_state *d = &hdev->discovery; 1725 1726 if (len > max_adv_len(hdev)) 1727 return; 1728 1729 bacpy(&d->last_adv_addr, bdaddr); 1730 d->last_adv_addr_type = bdaddr_type; 1731 d->last_adv_rssi = rssi; 1732 d->last_adv_flags = flags; 1733 memcpy(d->last_adv_data, data, len); 1734 d->last_adv_data_len = len; 1735 } 1736 1737 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1738 { 1739 hci_dev_lock(hdev); 1740 1741 switch (enable) { 1742 case LE_SCAN_ENABLE: 1743 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1744 if (hdev->le_scan_type == LE_SCAN_ACTIVE) { 1745 clear_pending_adv_report(hdev); 1746 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 1747 } 1748 break; 1749 1750 case LE_SCAN_DISABLE: 1751 /* We do this here instead of when setting DISCOVERY_STOPPED 1752 * since the latter would potentially require waiting for 1753 * inquiry to stop too. 1754 */ 1755 if (has_pending_adv_report(hdev)) { 1756 struct discovery_state *d = &hdev->discovery; 1757 1758 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1759 d->last_adv_addr_type, NULL, 1760 d->last_adv_rssi, d->last_adv_flags, 1761 d->last_adv_data, 1762 d->last_adv_data_len, NULL, 0, 0); 1763 } 1764 1765 /* Cancel this timer so that we don't try to disable scanning 1766 * when it's already disabled. 1767 */ 1768 cancel_delayed_work(&hdev->le_scan_disable); 1769 1770 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1771 1772 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1773 * interrupted scanning due to a connect request. Mark 1774 * therefore discovery as stopped. 1775 */ 1776 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1777 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1778 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1779 hdev->discovery.state == DISCOVERY_FINDING) 1780 queue_work(hdev->workqueue, &hdev->reenable_adv_work); 1781 1782 break; 1783 1784 default: 1785 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1786 enable); 1787 break; 1788 } 1789 1790 hci_dev_unlock(hdev); 1791 } 1792 1793 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data, 1794 struct sk_buff *skb) 1795 { 1796 struct hci_cp_le_set_scan_enable *cp; 1797 struct hci_ev_status *rp = data; 1798 1799 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1800 1801 if (rp->status) 1802 return rp->status; 1803 1804 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1805 if (!cp) 1806 return rp->status; 1807 1808 le_set_scan_enable_complete(hdev, cp->enable); 1809 1810 return rp->status; 1811 } 1812 1813 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data, 1814 struct sk_buff *skb) 1815 { 1816 struct hci_cp_le_set_ext_scan_enable *cp; 1817 struct hci_ev_status *rp = data; 1818 1819 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1820 1821 if (rp->status) 1822 return rp->status; 1823 1824 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1825 if (!cp) 1826 return rp->status; 1827 1828 le_set_scan_enable_complete(hdev, cp->enable); 1829 1830 return rp->status; 1831 } 1832 1833 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data, 1834 struct sk_buff *skb) 1835 { 1836 struct hci_rp_le_read_num_supported_adv_sets *rp = data; 1837 1838 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status, 1839 rp->num_of_sets); 1840 1841 if (rp->status) 1842 return rp->status; 1843 1844 hdev->le_num_of_adv_sets = rp->num_of_sets; 1845 1846 return rp->status; 1847 } 1848 1849 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data, 1850 struct sk_buff *skb) 1851 { 1852 struct hci_rp_le_read_accept_list_size *rp = data; 1853 1854 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 1855 1856 if (rp->status) 1857 return rp->status; 1858 1859 hdev->le_accept_list_size = rp->size; 1860 1861 return rp->status; 1862 } 1863 1864 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data, 1865 struct sk_buff *skb) 1866 { 1867 struct hci_ev_status *rp = data; 1868 1869 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1870 1871 if (rp->status) 1872 return rp->status; 1873 1874 hci_dev_lock(hdev); 1875 hci_bdaddr_list_clear(&hdev->le_accept_list); 1876 hci_dev_unlock(hdev); 1877 1878 return rp->status; 1879 } 1880 1881 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data, 1882 struct sk_buff *skb) 1883 { 1884 struct hci_cp_le_add_to_accept_list *sent; 1885 struct hci_ev_status *rp = data; 1886 1887 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1888 1889 if (rp->status) 1890 return rp->status; 1891 1892 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1893 if (!sent) 1894 return rp->status; 1895 1896 hci_dev_lock(hdev); 1897 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1898 sent->bdaddr_type); 1899 hci_dev_unlock(hdev); 1900 1901 return rp->status; 1902 } 1903 1904 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data, 1905 struct sk_buff *skb) 1906 { 1907 struct hci_cp_le_del_from_accept_list *sent; 1908 struct hci_ev_status *rp = data; 1909 1910 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1911 1912 if (rp->status) 1913 return rp->status; 1914 1915 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1916 if (!sent) 1917 return rp->status; 1918 1919 hci_dev_lock(hdev); 1920 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1921 sent->bdaddr_type); 1922 hci_dev_unlock(hdev); 1923 1924 return rp->status; 1925 } 1926 1927 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data, 1928 struct sk_buff *skb) 1929 { 1930 struct hci_rp_le_read_supported_states *rp = data; 1931 1932 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1933 1934 if (rp->status) 1935 return rp->status; 1936 1937 memcpy(hdev->le_states, rp->le_states, 8); 1938 1939 return rp->status; 1940 } 1941 1942 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data, 1943 struct sk_buff *skb) 1944 { 1945 struct hci_rp_le_read_def_data_len *rp = data; 1946 1947 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1948 1949 if (rp->status) 1950 return rp->status; 1951 1952 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1953 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1954 1955 return rp->status; 1956 } 1957 1958 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data, 1959 struct sk_buff *skb) 1960 { 1961 struct hci_cp_le_write_def_data_len *sent; 1962 struct hci_ev_status *rp = data; 1963 1964 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1965 1966 if (rp->status) 1967 return rp->status; 1968 1969 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1970 if (!sent) 1971 return rp->status; 1972 1973 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1974 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1975 1976 return rp->status; 1977 } 1978 1979 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data, 1980 struct sk_buff *skb) 1981 { 1982 struct hci_cp_le_add_to_resolv_list *sent; 1983 struct hci_ev_status *rp = data; 1984 1985 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1986 1987 if (rp->status) 1988 return rp->status; 1989 1990 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 1991 if (!sent) 1992 return rp->status; 1993 1994 hci_dev_lock(hdev); 1995 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 1996 sent->bdaddr_type, sent->peer_irk, 1997 sent->local_irk); 1998 hci_dev_unlock(hdev); 1999 2000 return rp->status; 2001 } 2002 2003 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data, 2004 struct sk_buff *skb) 2005 { 2006 struct hci_cp_le_del_from_resolv_list *sent; 2007 struct hci_ev_status *rp = data; 2008 2009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2010 2011 if (rp->status) 2012 return rp->status; 2013 2014 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 2015 if (!sent) 2016 return rp->status; 2017 2018 hci_dev_lock(hdev); 2019 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2020 sent->bdaddr_type); 2021 hci_dev_unlock(hdev); 2022 2023 return rp->status; 2024 } 2025 2026 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data, 2027 struct sk_buff *skb) 2028 { 2029 struct hci_ev_status *rp = data; 2030 2031 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2032 2033 if (rp->status) 2034 return rp->status; 2035 2036 hci_dev_lock(hdev); 2037 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2038 hci_dev_unlock(hdev); 2039 2040 return rp->status; 2041 } 2042 2043 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data, 2044 struct sk_buff *skb) 2045 { 2046 struct hci_rp_le_read_resolv_list_size *rp = data; 2047 2048 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 2049 2050 if (rp->status) 2051 return rp->status; 2052 2053 hdev->le_resolv_list_size = rp->size; 2054 2055 return rp->status; 2056 } 2057 2058 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data, 2059 struct sk_buff *skb) 2060 { 2061 struct hci_ev_status *rp = data; 2062 __u8 *sent; 2063 2064 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2065 2066 if (rp->status) 2067 return rp->status; 2068 2069 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 2070 if (!sent) 2071 return rp->status; 2072 2073 hci_dev_lock(hdev); 2074 2075 if (*sent) 2076 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 2077 else 2078 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 2079 2080 hci_dev_unlock(hdev); 2081 2082 return rp->status; 2083 } 2084 2085 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data, 2086 struct sk_buff *skb) 2087 { 2088 struct hci_rp_le_read_max_data_len *rp = data; 2089 2090 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2091 2092 if (rp->status) 2093 return rp->status; 2094 2095 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 2096 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 2097 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 2098 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 2099 2100 return rp->status; 2101 } 2102 2103 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data, 2104 struct sk_buff *skb) 2105 { 2106 struct hci_cp_write_le_host_supported *sent; 2107 struct hci_ev_status *rp = data; 2108 2109 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2110 2111 if (rp->status) 2112 return rp->status; 2113 2114 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 2115 if (!sent) 2116 return rp->status; 2117 2118 hci_dev_lock(hdev); 2119 2120 if (sent->le) { 2121 hdev->features[1][0] |= LMP_HOST_LE; 2122 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 2123 } else { 2124 hdev->features[1][0] &= ~LMP_HOST_LE; 2125 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 2126 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 2127 } 2128 2129 if (sent->simul) 2130 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 2131 else 2132 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 2133 2134 hci_dev_unlock(hdev); 2135 2136 return rp->status; 2137 } 2138 2139 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, 2140 struct sk_buff *skb) 2141 { 2142 struct hci_cp_le_set_adv_param *cp; 2143 struct hci_ev_status *rp = data; 2144 2145 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2146 2147 if (rp->status) 2148 return rp->status; 2149 2150 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 2151 if (!cp) 2152 return rp->status; 2153 2154 hci_dev_lock(hdev); 2155 hdev->adv_addr_type = cp->own_address_type; 2156 hci_dev_unlock(hdev); 2157 2158 return rp->status; 2159 } 2160 2161 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, 2162 struct sk_buff *skb) 2163 { 2164 struct hci_rp_read_rssi *rp = data; 2165 struct hci_conn *conn; 2166 2167 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2168 2169 if (rp->status) 2170 return rp->status; 2171 2172 hci_dev_lock(hdev); 2173 2174 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2175 if (conn) 2176 conn->rssi = rp->rssi; 2177 2178 hci_dev_unlock(hdev); 2179 2180 return rp->status; 2181 } 2182 2183 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data, 2184 struct sk_buff *skb) 2185 { 2186 struct hci_cp_read_tx_power *sent; 2187 struct hci_rp_read_tx_power *rp = data; 2188 struct hci_conn *conn; 2189 2190 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2191 2192 if (rp->status) 2193 return rp->status; 2194 2195 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 2196 if (!sent) 2197 return rp->status; 2198 2199 hci_dev_lock(hdev); 2200 2201 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2202 if (!conn) 2203 goto unlock; 2204 2205 switch (sent->type) { 2206 case 0x00: 2207 conn->tx_power = rp->tx_power; 2208 break; 2209 case 0x01: 2210 conn->max_tx_power = rp->tx_power; 2211 break; 2212 } 2213 2214 unlock: 2215 hci_dev_unlock(hdev); 2216 return rp->status; 2217 } 2218 2219 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data, 2220 struct sk_buff *skb) 2221 { 2222 struct hci_ev_status *rp = data; 2223 u8 *mode; 2224 2225 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2226 2227 if (rp->status) 2228 return rp->status; 2229 2230 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 2231 if (mode) 2232 hdev->ssp_debug_mode = *mode; 2233 2234 return rp->status; 2235 } 2236 2237 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 2238 { 2239 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2240 2241 if (status) 2242 return; 2243 2244 if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY)) 2245 set_bit(HCI_INQUIRY, &hdev->flags); 2246 } 2247 2248 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 2249 { 2250 struct hci_cp_create_conn *cp; 2251 struct hci_conn *conn; 2252 2253 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2254 2255 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 2256 if (!cp) 2257 return; 2258 2259 hci_dev_lock(hdev); 2260 2261 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2262 2263 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn); 2264 2265 if (status) { 2266 if (conn && conn->state == BT_CONNECT) { 2267 conn->state = BT_CLOSED; 2268 hci_connect_cfm(conn, status); 2269 hci_conn_del(conn); 2270 } 2271 } else { 2272 if (!conn) { 2273 conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr, 2274 0, HCI_ROLE_MASTER); 2275 if (IS_ERR(conn)) 2276 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 2277 } 2278 } 2279 2280 hci_dev_unlock(hdev); 2281 } 2282 2283 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2284 { 2285 struct hci_cp_add_sco *cp; 2286 struct hci_conn *acl; 2287 struct hci_link *link; 2288 __u16 handle; 2289 2290 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2291 2292 if (!status) 2293 return; 2294 2295 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2296 if (!cp) 2297 return; 2298 2299 handle = __le16_to_cpu(cp->handle); 2300 2301 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2302 2303 hci_dev_lock(hdev); 2304 2305 acl = hci_conn_hash_lookup_handle(hdev, handle); 2306 if (acl) { 2307 link = list_first_entry_or_null(&acl->link_list, 2308 struct hci_link, list); 2309 if (link && link->conn) { 2310 link->conn->state = BT_CLOSED; 2311 2312 hci_connect_cfm(link->conn, status); 2313 hci_conn_del(link->conn); 2314 } 2315 } 2316 2317 hci_dev_unlock(hdev); 2318 } 2319 2320 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2321 { 2322 struct hci_cp_auth_requested *cp; 2323 struct hci_conn *conn; 2324 2325 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2326 2327 if (!status) 2328 return; 2329 2330 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2331 if (!cp) 2332 return; 2333 2334 hci_dev_lock(hdev); 2335 2336 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2337 if (conn) { 2338 if (conn->state == BT_CONFIG) { 2339 hci_connect_cfm(conn, status); 2340 hci_conn_drop(conn); 2341 } 2342 } 2343 2344 hci_dev_unlock(hdev); 2345 } 2346 2347 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2348 { 2349 struct hci_cp_set_conn_encrypt *cp; 2350 struct hci_conn *conn; 2351 2352 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2353 2354 if (!status) 2355 return; 2356 2357 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2358 if (!cp) 2359 return; 2360 2361 hci_dev_lock(hdev); 2362 2363 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2364 if (conn) { 2365 if (conn->state == BT_CONFIG) { 2366 hci_connect_cfm(conn, status); 2367 hci_conn_drop(conn); 2368 } 2369 } 2370 2371 hci_dev_unlock(hdev); 2372 } 2373 2374 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2375 struct hci_conn *conn) 2376 { 2377 if (conn->state != BT_CONFIG || !conn->out) 2378 return 0; 2379 2380 if (conn->pending_sec_level == BT_SECURITY_SDP) 2381 return 0; 2382 2383 /* Only request authentication for SSP connections or non-SSP 2384 * devices with sec_level MEDIUM or HIGH or if MITM protection 2385 * is requested. 2386 */ 2387 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2388 conn->pending_sec_level != BT_SECURITY_FIPS && 2389 conn->pending_sec_level != BT_SECURITY_HIGH && 2390 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2391 return 0; 2392 2393 return 1; 2394 } 2395 2396 static int hci_resolve_name(struct hci_dev *hdev, 2397 struct inquiry_entry *e) 2398 { 2399 struct hci_cp_remote_name_req cp; 2400 2401 memset(&cp, 0, sizeof(cp)); 2402 2403 bacpy(&cp.bdaddr, &e->data.bdaddr); 2404 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2405 cp.pscan_mode = e->data.pscan_mode; 2406 cp.clock_offset = e->data.clock_offset; 2407 2408 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2409 } 2410 2411 static bool hci_resolve_next_name(struct hci_dev *hdev) 2412 { 2413 struct discovery_state *discov = &hdev->discovery; 2414 struct inquiry_entry *e; 2415 2416 if (list_empty(&discov->resolve)) 2417 return false; 2418 2419 /* We should stop if we already spent too much time resolving names. */ 2420 if (time_after(jiffies, discov->name_resolve_timeout)) { 2421 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2422 return false; 2423 } 2424 2425 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2426 if (!e) 2427 return false; 2428 2429 if (hci_resolve_name(hdev, e) == 0) { 2430 e->name_state = NAME_PENDING; 2431 return true; 2432 } 2433 2434 return false; 2435 } 2436 2437 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2438 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2439 { 2440 struct discovery_state *discov = &hdev->discovery; 2441 struct inquiry_entry *e; 2442 2443 /* Update the mgmt connected state if necessary. Be careful with 2444 * conn objects that exist but are not (yet) connected however. 2445 * Only those in BT_CONFIG or BT_CONNECTED states can be 2446 * considered connected. 2447 */ 2448 if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED)) 2449 mgmt_device_connected(hdev, conn, name, name_len); 2450 2451 if (discov->state == DISCOVERY_STOPPED) 2452 return; 2453 2454 if (discov->state == DISCOVERY_STOPPING) 2455 goto discov_complete; 2456 2457 if (discov->state != DISCOVERY_RESOLVING) 2458 return; 2459 2460 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2461 /* If the device was not found in a list of found devices names of which 2462 * are pending. there is no need to continue resolving a next name as it 2463 * will be done upon receiving another Remote Name Request Complete 2464 * Event */ 2465 if (!e) 2466 return; 2467 2468 list_del(&e->list); 2469 2470 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2471 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2472 name, name_len); 2473 2474 if (hci_resolve_next_name(hdev)) 2475 return; 2476 2477 discov_complete: 2478 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2479 } 2480 2481 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2482 { 2483 struct hci_cp_remote_name_req *cp; 2484 struct hci_conn *conn; 2485 2486 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2487 2488 /* If successful wait for the name req complete event before 2489 * checking for the need to do authentication */ 2490 if (!status) 2491 return; 2492 2493 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2494 if (!cp) 2495 return; 2496 2497 hci_dev_lock(hdev); 2498 2499 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2500 2501 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2502 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2503 2504 if (!conn) 2505 goto unlock; 2506 2507 if (!hci_outgoing_auth_needed(hdev, conn)) 2508 goto unlock; 2509 2510 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2511 struct hci_cp_auth_requested auth_cp; 2512 2513 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2514 2515 auth_cp.handle = __cpu_to_le16(conn->handle); 2516 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2517 sizeof(auth_cp), &auth_cp); 2518 } 2519 2520 unlock: 2521 hci_dev_unlock(hdev); 2522 } 2523 2524 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2525 { 2526 struct hci_cp_read_remote_features *cp; 2527 struct hci_conn *conn; 2528 2529 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2530 2531 if (!status) 2532 return; 2533 2534 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2535 if (!cp) 2536 return; 2537 2538 hci_dev_lock(hdev); 2539 2540 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2541 if (conn) { 2542 if (conn->state == BT_CONFIG) { 2543 hci_connect_cfm(conn, status); 2544 hci_conn_drop(conn); 2545 } 2546 } 2547 2548 hci_dev_unlock(hdev); 2549 } 2550 2551 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2552 { 2553 struct hci_cp_read_remote_ext_features *cp; 2554 struct hci_conn *conn; 2555 2556 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2557 2558 if (!status) 2559 return; 2560 2561 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2562 if (!cp) 2563 return; 2564 2565 hci_dev_lock(hdev); 2566 2567 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2568 if (conn) { 2569 if (conn->state == BT_CONFIG) { 2570 hci_connect_cfm(conn, status); 2571 hci_conn_drop(conn); 2572 } 2573 } 2574 2575 hci_dev_unlock(hdev); 2576 } 2577 2578 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle, 2579 __u8 status) 2580 { 2581 struct hci_conn *acl; 2582 struct hci_link *link; 2583 2584 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status); 2585 2586 hci_dev_lock(hdev); 2587 2588 acl = hci_conn_hash_lookup_handle(hdev, handle); 2589 if (acl) { 2590 link = list_first_entry_or_null(&acl->link_list, 2591 struct hci_link, list); 2592 if (link && link->conn) { 2593 link->conn->state = BT_CLOSED; 2594 2595 hci_connect_cfm(link->conn, status); 2596 hci_conn_del(link->conn); 2597 } 2598 } 2599 2600 hci_dev_unlock(hdev); 2601 } 2602 2603 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2604 { 2605 struct hci_cp_setup_sync_conn *cp; 2606 2607 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2608 2609 if (!status) 2610 return; 2611 2612 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2613 if (!cp) 2614 return; 2615 2616 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2617 } 2618 2619 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2620 { 2621 struct hci_cp_enhanced_setup_sync_conn *cp; 2622 2623 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2624 2625 if (!status) 2626 return; 2627 2628 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN); 2629 if (!cp) 2630 return; 2631 2632 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2633 } 2634 2635 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2636 { 2637 struct hci_cp_sniff_mode *cp; 2638 struct hci_conn *conn; 2639 2640 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2641 2642 if (!status) 2643 return; 2644 2645 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2646 if (!cp) 2647 return; 2648 2649 hci_dev_lock(hdev); 2650 2651 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2652 if (conn) { 2653 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2654 2655 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2656 hci_sco_setup(conn, status); 2657 } 2658 2659 hci_dev_unlock(hdev); 2660 } 2661 2662 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2663 { 2664 struct hci_cp_exit_sniff_mode *cp; 2665 struct hci_conn *conn; 2666 2667 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2668 2669 if (!status) 2670 return; 2671 2672 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2673 if (!cp) 2674 return; 2675 2676 hci_dev_lock(hdev); 2677 2678 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2679 if (conn) { 2680 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2681 2682 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2683 hci_sco_setup(conn, status); 2684 } 2685 2686 hci_dev_unlock(hdev); 2687 } 2688 2689 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2690 { 2691 struct hci_cp_disconnect *cp; 2692 struct hci_conn_params *params; 2693 struct hci_conn *conn; 2694 bool mgmt_conn; 2695 2696 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2697 2698 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended 2699 * otherwise cleanup the connection immediately. 2700 */ 2701 if (!status && !hdev->suspended) 2702 return; 2703 2704 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2705 if (!cp) 2706 return; 2707 2708 hci_dev_lock(hdev); 2709 2710 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2711 if (!conn) 2712 goto unlock; 2713 2714 if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) { 2715 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2716 conn->dst_type, status); 2717 2718 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 2719 hdev->cur_adv_instance = conn->adv_instance; 2720 hci_enable_advertising(hdev); 2721 } 2722 2723 /* Inform sockets conn is gone before we delete it */ 2724 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); 2725 2726 goto done; 2727 } 2728 2729 /* During suspend, mark connection as closed immediately 2730 * since we might not receive HCI_EV_DISCONN_COMPLETE 2731 */ 2732 if (hdev->suspended) 2733 conn->state = BT_CLOSED; 2734 2735 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2736 2737 if (conn->type == ACL_LINK) { 2738 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2739 hci_remove_link_key(hdev, &conn->dst); 2740 } 2741 2742 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2743 if (params) { 2744 switch (params->auto_connect) { 2745 case HCI_AUTO_CONN_LINK_LOSS: 2746 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2747 break; 2748 fallthrough; 2749 2750 case HCI_AUTO_CONN_DIRECT: 2751 case HCI_AUTO_CONN_ALWAYS: 2752 hci_pend_le_list_del_init(params); 2753 hci_pend_le_list_add(params, &hdev->pend_le_conns); 2754 break; 2755 2756 default: 2757 break; 2758 } 2759 } 2760 2761 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2762 cp->reason, mgmt_conn); 2763 2764 hci_disconn_cfm(conn, cp->reason); 2765 2766 done: 2767 /* If the disconnection failed for any reason, the upper layer 2768 * does not retry to disconnect in current implementation. 2769 * Hence, we need to do some basic cleanup here and re-enable 2770 * advertising if necessary. 2771 */ 2772 hci_conn_del(conn); 2773 unlock: 2774 hci_dev_unlock(hdev); 2775 } 2776 2777 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved) 2778 { 2779 /* When using controller based address resolution, then the new 2780 * address types 0x02 and 0x03 are used. These types need to be 2781 * converted back into either public address or random address type 2782 */ 2783 switch (type) { 2784 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2785 if (resolved) 2786 *resolved = true; 2787 return ADDR_LE_DEV_PUBLIC; 2788 case ADDR_LE_DEV_RANDOM_RESOLVED: 2789 if (resolved) 2790 *resolved = true; 2791 return ADDR_LE_DEV_RANDOM; 2792 } 2793 2794 if (resolved) 2795 *resolved = false; 2796 return type; 2797 } 2798 2799 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2800 u8 peer_addr_type, u8 own_address_type, 2801 u8 filter_policy) 2802 { 2803 struct hci_conn *conn; 2804 2805 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2806 peer_addr_type); 2807 if (!conn) 2808 return; 2809 2810 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL); 2811 2812 /* Store the initiator and responder address information which 2813 * is needed for SMP. These values will not change during the 2814 * lifetime of the connection. 2815 */ 2816 conn->init_addr_type = own_address_type; 2817 if (own_address_type == ADDR_LE_DEV_RANDOM) 2818 bacpy(&conn->init_addr, &hdev->random_addr); 2819 else 2820 bacpy(&conn->init_addr, &hdev->bdaddr); 2821 2822 conn->resp_addr_type = peer_addr_type; 2823 bacpy(&conn->resp_addr, peer_addr); 2824 } 2825 2826 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2827 { 2828 struct hci_cp_le_create_conn *cp; 2829 2830 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2831 2832 /* All connection failure handling is taken care of by the 2833 * hci_conn_failed function which is triggered by the HCI 2834 * request completion callbacks used for connecting. 2835 */ 2836 if (status) 2837 return; 2838 2839 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2840 if (!cp) 2841 return; 2842 2843 hci_dev_lock(hdev); 2844 2845 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2846 cp->own_address_type, cp->filter_policy); 2847 2848 hci_dev_unlock(hdev); 2849 } 2850 2851 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2852 { 2853 struct hci_cp_le_ext_create_conn *cp; 2854 2855 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2856 2857 /* All connection failure handling is taken care of by the 2858 * hci_conn_failed function which is triggered by the HCI 2859 * request completion callbacks used for connecting. 2860 */ 2861 if (status) 2862 return; 2863 2864 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2865 if (!cp) 2866 return; 2867 2868 hci_dev_lock(hdev); 2869 2870 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2871 cp->own_addr_type, cp->filter_policy); 2872 2873 hci_dev_unlock(hdev); 2874 } 2875 2876 static void hci_cs_le_set_phy(struct hci_dev *hdev, u8 status) 2877 { 2878 struct hci_cp_le_set_phy *cp; 2879 struct hci_conn *conn; 2880 2881 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2882 2883 if (status) 2884 return; 2885 2886 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PHY); 2887 if (!cp) 2888 return; 2889 2890 hci_dev_lock(hdev); 2891 2892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2893 if (conn) { 2894 conn->le_tx_def_phys = cp->tx_phys; 2895 conn->le_rx_def_phys = cp->rx_phys; 2896 } 2897 2898 hci_dev_unlock(hdev); 2899 } 2900 2901 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2902 { 2903 struct hci_cp_le_read_remote_features *cp; 2904 struct hci_conn *conn; 2905 2906 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2907 2908 if (!status) 2909 return; 2910 2911 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2912 if (!cp) 2913 return; 2914 2915 hci_dev_lock(hdev); 2916 2917 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2918 if (conn && conn->state == BT_CONFIG) 2919 hci_connect_cfm(conn, status); 2920 2921 hci_dev_unlock(hdev); 2922 } 2923 2924 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2925 { 2926 struct hci_cp_le_start_enc *cp; 2927 struct hci_conn *conn; 2928 2929 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2930 2931 if (!status) 2932 return; 2933 2934 hci_dev_lock(hdev); 2935 2936 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2937 if (!cp) 2938 goto unlock; 2939 2940 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2941 if (!conn) 2942 goto unlock; 2943 2944 if (conn->state != BT_CONNECTED) 2945 goto unlock; 2946 2947 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2948 hci_conn_drop(conn); 2949 2950 unlock: 2951 hci_dev_unlock(hdev); 2952 } 2953 2954 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2955 { 2956 struct hci_cp_switch_role *cp; 2957 struct hci_conn *conn; 2958 2959 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2960 2961 if (!status) 2962 return; 2963 2964 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2965 if (!cp) 2966 return; 2967 2968 hci_dev_lock(hdev); 2969 2970 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2971 if (conn) 2972 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2973 2974 hci_dev_unlock(hdev); 2975 } 2976 2977 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data, 2978 struct sk_buff *skb) 2979 { 2980 struct hci_ev_status *ev = data; 2981 struct discovery_state *discov = &hdev->discovery; 2982 struct inquiry_entry *e; 2983 2984 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 2985 2986 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2987 return; 2988 2989 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2990 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2991 2992 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2993 return; 2994 2995 hci_dev_lock(hdev); 2996 2997 if (discov->state != DISCOVERY_FINDING) 2998 goto unlock; 2999 3000 if (list_empty(&discov->resolve)) { 3001 /* When BR/EDR inquiry is active and no LE scanning is in 3002 * progress, then change discovery state to indicate completion. 3003 * 3004 * When running LE scanning and BR/EDR inquiry simultaneously 3005 * and the LE scan already finished, then change the discovery 3006 * state to indicate completion. 3007 */ 3008 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3009 !hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) 3010 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3011 goto unlock; 3012 } 3013 3014 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 3015 if (e && hci_resolve_name(hdev, e) == 0) { 3016 e->name_state = NAME_PENDING; 3017 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 3018 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION; 3019 } else { 3020 /* When BR/EDR inquiry is active and no LE scanning is in 3021 * progress, then change discovery state to indicate completion. 3022 * 3023 * When running LE scanning and BR/EDR inquiry simultaneously 3024 * and the LE scan already finished, then change the discovery 3025 * state to indicate completion. 3026 */ 3027 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3028 !hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) 3029 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3030 } 3031 3032 unlock: 3033 hci_dev_unlock(hdev); 3034 } 3035 3036 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata, 3037 struct sk_buff *skb) 3038 { 3039 struct hci_ev_inquiry_result *ev = edata; 3040 struct inquiry_data data; 3041 int i; 3042 3043 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT, 3044 flex_array_size(ev, info, ev->num))) 3045 return; 3046 3047 bt_dev_dbg(hdev, "num %d", ev->num); 3048 3049 if (!ev->num) 3050 return; 3051 3052 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3053 return; 3054 3055 hci_dev_lock(hdev); 3056 3057 for (i = 0; i < ev->num; i++) { 3058 struct inquiry_info *info = &ev->info[i]; 3059 u32 flags; 3060 3061 bacpy(&data.bdaddr, &info->bdaddr); 3062 data.pscan_rep_mode = info->pscan_rep_mode; 3063 data.pscan_period_mode = info->pscan_period_mode; 3064 data.pscan_mode = info->pscan_mode; 3065 memcpy(data.dev_class, info->dev_class, 3); 3066 data.clock_offset = info->clock_offset; 3067 data.rssi = HCI_RSSI_INVALID; 3068 data.ssp_mode = 0x00; 3069 3070 flags = hci_inquiry_cache_update(hdev, &data, false); 3071 3072 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3073 info->dev_class, HCI_RSSI_INVALID, 3074 flags, NULL, 0, NULL, 0, 0); 3075 } 3076 3077 hci_dev_unlock(hdev); 3078 } 3079 3080 static int hci_read_enc_key_size(struct hci_dev *hdev, struct hci_conn *conn) 3081 { 3082 struct hci_cp_read_enc_key_size cp; 3083 u8 *key_enc_size = hci_conn_key_enc_size(conn); 3084 3085 if (!read_key_size_capable(hdev)) { 3086 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3087 return -EOPNOTSUPP; 3088 } 3089 3090 bt_dev_dbg(hdev, "hcon %p", conn); 3091 3092 memset(&cp, 0, sizeof(cp)); 3093 cp.handle = cpu_to_le16(conn->handle); 3094 3095 /* If the key enc_size is already known, use it as conn->enc_key_size, 3096 * otherwise use hdev->min_enc_key_size so the likes of 3097 * l2cap_check_enc_key_size don't fail while waiting for 3098 * HCI_OP_READ_ENC_KEY_SIZE response. 3099 */ 3100 if (key_enc_size && *key_enc_size) 3101 conn->enc_key_size = *key_enc_size; 3102 else 3103 conn->enc_key_size = hdev->min_enc_key_size; 3104 3105 return hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 3106 } 3107 3108 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3109 struct sk_buff *skb) 3110 { 3111 struct hci_ev_conn_complete *ev = data; 3112 struct hci_conn *conn; 3113 u8 status = ev->status; 3114 3115 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3116 3117 hci_dev_lock(hdev); 3118 hci_store_wake_reason(hdev, &ev->bdaddr, BDADDR_BREDR); 3119 3120 /* Check for existing connection: 3121 * 3122 * 1. If it doesn't exist then it must be receiver/slave role. 3123 * 2. If it does exist confirm that it is connecting/BT_CONNECT in case 3124 * of initiator/master role since there could be a collision where 3125 * either side is attempting to connect or something like a fuzzing 3126 * testing is trying to play tricks to destroy the hcon object before 3127 * it even attempts to connect (e.g. hcon->state == BT_OPEN). 3128 */ 3129 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3130 if (!conn || 3131 (conn->role == HCI_ROLE_MASTER && conn->state != BT_CONNECT)) { 3132 /* In case of error status and there is no connection pending 3133 * just unlock as there is nothing to cleanup. 3134 */ 3135 if (ev->status) 3136 goto unlock; 3137 3138 /* Connection may not exist if auto-connected. Check the bredr 3139 * allowlist to see if this device is allowed to auto connect. 3140 * If link is an ACL type, create a connection class 3141 * automatically. 3142 * 3143 * Auto-connect will only occur if the event filter is 3144 * programmed with a given address. Right now, event filter is 3145 * only used during suspend. 3146 */ 3147 if (ev->link_type == ACL_LINK && 3148 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3149 &ev->bdaddr, 3150 BDADDR_BREDR)) { 3151 conn = hci_conn_add_unset(hdev, ev->link_type, 3152 &ev->bdaddr, 0, 3153 HCI_ROLE_SLAVE); 3154 if (IS_ERR(conn)) { 3155 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 3156 goto unlock; 3157 } 3158 } else { 3159 if (ev->link_type != SCO_LINK) 3160 goto unlock; 3161 3162 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3163 &ev->bdaddr); 3164 if (!conn) 3165 goto unlock; 3166 3167 conn->type = SCO_LINK; 3168 } 3169 } 3170 3171 /* The HCI_Connection_Complete event is only sent once per connection. 3172 * Processing it more than once per connection can corrupt kernel memory. 3173 * 3174 * As the connection handle is set here for the first time, it indicates 3175 * whether the connection is already set up. 3176 */ 3177 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 3178 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3179 goto unlock; 3180 } 3181 3182 if (!status) { 3183 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 3184 if (status) 3185 goto done; 3186 3187 if (conn->type == ACL_LINK) { 3188 conn->state = BT_CONFIG; 3189 hci_conn_hold(conn); 3190 3191 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3192 !hci_find_link_key(hdev, &ev->bdaddr)) 3193 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3194 else 3195 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3196 } else 3197 conn->state = BT_CONNECTED; 3198 3199 hci_debugfs_create_conn(conn); 3200 hci_conn_add_sysfs(conn); 3201 3202 if (test_bit(HCI_AUTH, &hdev->flags)) 3203 set_bit(HCI_CONN_AUTH, &conn->flags); 3204 3205 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3206 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3207 3208 /* "Link key request" completed ahead of "connect request" completes */ 3209 if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3210 ev->link_type == ACL_LINK) { 3211 struct link_key *key; 3212 3213 key = hci_find_link_key(hdev, &ev->bdaddr); 3214 if (key) { 3215 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3216 hci_read_enc_key_size(hdev, conn); 3217 hci_encrypt_cfm(conn, ev->status); 3218 } 3219 } 3220 3221 /* Get remote features */ 3222 if (conn->type == ACL_LINK) { 3223 struct hci_cp_read_remote_features cp; 3224 cp.handle = ev->handle; 3225 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3226 sizeof(cp), &cp); 3227 3228 hci_update_scan(hdev); 3229 } 3230 3231 /* Set packet type for incoming connection */ 3232 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3233 struct hci_cp_change_conn_ptype cp; 3234 cp.handle = ev->handle; 3235 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3236 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3237 &cp); 3238 } 3239 } 3240 3241 if (conn->type == ACL_LINK) 3242 hci_sco_setup(conn, ev->status); 3243 3244 done: 3245 if (status) { 3246 hci_conn_failed(conn, status); 3247 } else if (ev->link_type == SCO_LINK) { 3248 switch (conn->setting & SCO_AIRMODE_MASK) { 3249 case SCO_AIRMODE_CVSD: 3250 if (hdev->notify) 3251 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3252 break; 3253 } 3254 3255 hci_connect_cfm(conn, status); 3256 } 3257 3258 unlock: 3259 hci_dev_unlock(hdev); 3260 } 3261 3262 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 3263 { 3264 struct hci_cp_reject_conn_req cp; 3265 3266 bacpy(&cp.bdaddr, bdaddr); 3267 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 3268 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 3269 } 3270 3271 static void hci_conn_request_evt(struct hci_dev *hdev, void *data, 3272 struct sk_buff *skb) 3273 { 3274 struct hci_ev_conn_request *ev = data; 3275 int mask = hdev->link_mode; 3276 struct inquiry_entry *ie; 3277 struct hci_conn *conn; 3278 __u8 flags = 0; 3279 3280 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type); 3281 3282 hci_dev_lock(hdev); 3283 hci_store_wake_reason(hdev, &ev->bdaddr, BDADDR_BREDR); 3284 hci_dev_unlock(hdev); 3285 3286 /* Reject incoming connection from device with same BD ADDR against 3287 * CVE-2020-26555 3288 */ 3289 if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) { 3290 bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n", 3291 &ev->bdaddr); 3292 hci_reject_conn(hdev, &ev->bdaddr); 3293 return; 3294 } 3295 3296 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 3297 &flags); 3298 3299 if (!(mask & HCI_LM_ACCEPT)) { 3300 hci_reject_conn(hdev, &ev->bdaddr); 3301 return; 3302 } 3303 3304 hci_dev_lock(hdev); 3305 3306 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, 3307 BDADDR_BREDR)) { 3308 hci_reject_conn(hdev, &ev->bdaddr); 3309 goto unlock; 3310 } 3311 3312 /* Require HCI_CONNECTABLE or an accept list entry to accept the 3313 * connection. These features are only touched through mgmt so 3314 * only do the checks if HCI_MGMT is set. 3315 */ 3316 if (hci_dev_test_flag(hdev, HCI_MGMT) && 3317 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 3318 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, 3319 BDADDR_BREDR)) { 3320 hci_reject_conn(hdev, &ev->bdaddr); 3321 goto unlock; 3322 } 3323 3324 /* Connection accepted */ 3325 3326 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3327 if (ie) 3328 memcpy(ie->data.dev_class, ev->dev_class, 3); 3329 3330 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 3331 &ev->bdaddr); 3332 if (!conn) { 3333 conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr, 0, 3334 HCI_ROLE_SLAVE); 3335 if (IS_ERR(conn)) { 3336 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 3337 goto unlock; 3338 } 3339 } 3340 3341 memcpy(conn->dev_class, ev->dev_class, 3); 3342 3343 if (ev->link_type == ACL_LINK || 3344 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 3345 struct hci_cp_accept_conn_req cp; 3346 conn->state = BT_CONNECT; 3347 3348 bacpy(&cp.bdaddr, &ev->bdaddr); 3349 3350 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 3351 cp.role = 0x00; /* Become central */ 3352 else 3353 cp.role = 0x01; /* Remain peripheral */ 3354 3355 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 3356 } else if (!(flags & HCI_PROTO_DEFER)) { 3357 struct hci_cp_accept_sync_conn_req cp; 3358 conn->state = BT_CONNECT; 3359 3360 bacpy(&cp.bdaddr, &ev->bdaddr); 3361 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3362 3363 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 3364 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 3365 cp.max_latency = cpu_to_le16(0xffff); 3366 cp.content_format = cpu_to_le16(hdev->voice_setting); 3367 cp.retrans_effort = 0xff; 3368 3369 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 3370 &cp); 3371 } else { 3372 conn->state = BT_CONNECT2; 3373 hci_connect_cfm(conn, 0); 3374 } 3375 3376 unlock: 3377 hci_dev_unlock(hdev); 3378 } 3379 3380 static u8 hci_to_mgmt_reason(u8 err) 3381 { 3382 switch (err) { 3383 case HCI_ERROR_CONNECTION_TIMEOUT: 3384 return MGMT_DEV_DISCONN_TIMEOUT; 3385 case HCI_ERROR_REMOTE_USER_TERM: 3386 case HCI_ERROR_REMOTE_LOW_RESOURCES: 3387 case HCI_ERROR_REMOTE_POWER_OFF: 3388 return MGMT_DEV_DISCONN_REMOTE; 3389 case HCI_ERROR_LOCAL_HOST_TERM: 3390 return MGMT_DEV_DISCONN_LOCAL_HOST; 3391 default: 3392 return MGMT_DEV_DISCONN_UNKNOWN; 3393 } 3394 } 3395 3396 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, 3397 struct sk_buff *skb) 3398 { 3399 struct hci_ev_disconn_complete *ev = data; 3400 u8 reason; 3401 struct hci_conn_params *params; 3402 struct hci_conn *conn; 3403 bool mgmt_connected; 3404 3405 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3406 3407 hci_dev_lock(hdev); 3408 3409 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3410 if (!conn) 3411 goto unlock; 3412 3413 if (ev->status) { 3414 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 3415 conn->dst_type, ev->status); 3416 goto unlock; 3417 } 3418 3419 conn->state = BT_CLOSED; 3420 3421 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 3422 3423 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 3424 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 3425 else 3426 reason = hci_to_mgmt_reason(ev->reason); 3427 3428 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 3429 reason, mgmt_connected); 3430 3431 if (conn->type == ACL_LINK) { 3432 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 3433 hci_remove_link_key(hdev, &conn->dst); 3434 3435 hci_update_scan(hdev); 3436 } 3437 3438 /* Re-enable passive scanning if disconnected device is marked 3439 * as auto-connectable. 3440 */ 3441 if (conn->type == LE_LINK) { 3442 params = hci_conn_params_lookup(hdev, &conn->dst, 3443 conn->dst_type); 3444 if (params) { 3445 switch (params->auto_connect) { 3446 case HCI_AUTO_CONN_LINK_LOSS: 3447 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 3448 break; 3449 fallthrough; 3450 3451 case HCI_AUTO_CONN_DIRECT: 3452 case HCI_AUTO_CONN_ALWAYS: 3453 hci_pend_le_list_del_init(params); 3454 hci_pend_le_list_add(params, 3455 &hdev->pend_le_conns); 3456 hci_update_passive_scan(hdev); 3457 break; 3458 3459 default: 3460 break; 3461 } 3462 } 3463 } 3464 3465 hci_disconn_cfm(conn, ev->reason); 3466 3467 /* Re-enable advertising if necessary, since it might 3468 * have been disabled by the connection. From the 3469 * HCI_LE_Set_Advertise_Enable command description in 3470 * the core specification (v4.0): 3471 * "The Controller shall continue advertising until the Host 3472 * issues an LE_Set_Advertise_Enable command with 3473 * Advertising_Enable set to 0x00 (Advertising is disabled) 3474 * or until a connection is created or until the Advertising 3475 * is timed out due to Directed Advertising." 3476 */ 3477 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 3478 hdev->cur_adv_instance = conn->adv_instance; 3479 hci_enable_advertising(hdev); 3480 } 3481 3482 hci_conn_del(conn); 3483 3484 unlock: 3485 hci_dev_unlock(hdev); 3486 } 3487 3488 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data, 3489 struct sk_buff *skb) 3490 { 3491 struct hci_ev_auth_complete *ev = data; 3492 struct hci_conn *conn; 3493 3494 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3495 3496 hci_dev_lock(hdev); 3497 3498 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3499 if (!conn) 3500 goto unlock; 3501 3502 if (!ev->status) { 3503 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3504 set_bit(HCI_CONN_AUTH, &conn->flags); 3505 conn->sec_level = conn->pending_sec_level; 3506 } else { 3507 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3508 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3509 3510 mgmt_auth_failed(conn, ev->status); 3511 } 3512 3513 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3514 3515 if (conn->state == BT_CONFIG) { 3516 if (!ev->status && hci_conn_ssp_enabled(conn)) { 3517 struct hci_cp_set_conn_encrypt cp; 3518 cp.handle = ev->handle; 3519 cp.encrypt = 0x01; 3520 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3521 &cp); 3522 } else { 3523 conn->state = BT_CONNECTED; 3524 hci_connect_cfm(conn, ev->status); 3525 hci_conn_drop(conn); 3526 } 3527 } else { 3528 hci_auth_cfm(conn, ev->status); 3529 3530 hci_conn_hold(conn); 3531 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3532 hci_conn_drop(conn); 3533 } 3534 3535 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 3536 if (!ev->status) { 3537 struct hci_cp_set_conn_encrypt cp; 3538 cp.handle = ev->handle; 3539 cp.encrypt = 0x01; 3540 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3541 &cp); 3542 } else { 3543 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3544 hci_encrypt_cfm(conn, ev->status); 3545 } 3546 } 3547 3548 unlock: 3549 hci_dev_unlock(hdev); 3550 } 3551 3552 static void hci_remote_name_evt(struct hci_dev *hdev, void *data, 3553 struct sk_buff *skb) 3554 { 3555 struct hci_ev_remote_name *ev = data; 3556 struct hci_conn *conn; 3557 3558 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3559 3560 hci_dev_lock(hdev); 3561 3562 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3563 3564 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3565 goto check_auth; 3566 3567 if (ev->status == 0) 3568 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 3569 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 3570 else 3571 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 3572 3573 check_auth: 3574 if (!conn) 3575 goto unlock; 3576 3577 if (!hci_outgoing_auth_needed(hdev, conn)) 3578 goto unlock; 3579 3580 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3581 struct hci_cp_auth_requested cp; 3582 3583 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 3584 3585 cp.handle = __cpu_to_le16(conn->handle); 3586 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3587 } 3588 3589 unlock: 3590 hci_dev_unlock(hdev); 3591 } 3592 3593 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, 3594 struct sk_buff *skb) 3595 { 3596 struct hci_ev_encrypt_change *ev = data; 3597 struct hci_conn *conn; 3598 3599 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3600 3601 hci_dev_lock(hdev); 3602 3603 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3604 if (!conn) 3605 goto unlock; 3606 3607 if (!ev->status) { 3608 if (ev->encrypt) { 3609 /* Encryption implies authentication */ 3610 set_bit(HCI_CONN_AUTH, &conn->flags); 3611 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3612 conn->sec_level = conn->pending_sec_level; 3613 3614 /* P-256 authentication key implies FIPS */ 3615 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3616 set_bit(HCI_CONN_FIPS, &conn->flags); 3617 3618 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3619 conn->type == LE_LINK) 3620 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3621 } else { 3622 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3623 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3624 } 3625 } 3626 3627 /* We should disregard the current RPA and generate a new one 3628 * whenever the encryption procedure fails. 3629 */ 3630 if (ev->status && conn->type == LE_LINK) { 3631 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3632 hci_adv_instances_set_rpa_expired(hdev, true); 3633 } 3634 3635 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3636 3637 /* Check link security requirements are met */ 3638 if (!hci_conn_check_link_mode(conn)) 3639 ev->status = HCI_ERROR_AUTH_FAILURE; 3640 3641 if (ev->status && conn->state == BT_CONNECTED) { 3642 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3643 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3644 3645 /* Notify upper layers so they can cleanup before 3646 * disconnecting. 3647 */ 3648 hci_encrypt_cfm(conn, ev->status); 3649 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3650 hci_conn_drop(conn); 3651 goto unlock; 3652 } 3653 3654 /* Try reading the encryption key size for encrypted ACL links */ 3655 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3656 if (hci_read_enc_key_size(hdev, conn)) 3657 goto notify; 3658 3659 goto unlock; 3660 } 3661 3662 /* We skip the WRITE_AUTH_PAYLOAD_TIMEOUT for ATS2851 based controllers 3663 * to avoid unexpected SMP command errors when pairing. 3664 */ 3665 if (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT)) 3666 goto notify; 3667 3668 /* Set the default Authenticated Payload Timeout after 3669 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3670 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3671 * sent when the link is active and Encryption is enabled, the conn 3672 * type can be either LE or ACL and controller must support LMP Ping. 3673 * Ensure for AES-CCM encryption as well. 3674 */ 3675 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3676 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3677 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3678 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3679 struct hci_cp_write_auth_payload_to cp; 3680 3681 cp.handle = cpu_to_le16(conn->handle); 3682 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3683 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3684 sizeof(cp), &cp)) 3685 bt_dev_err(hdev, "write auth payload timeout failed"); 3686 } 3687 3688 notify: 3689 hci_encrypt_cfm(conn, ev->status); 3690 3691 unlock: 3692 hci_dev_unlock(hdev); 3693 } 3694 3695 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data, 3696 struct sk_buff *skb) 3697 { 3698 struct hci_ev_change_link_key_complete *ev = data; 3699 struct hci_conn *conn; 3700 3701 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3702 3703 hci_dev_lock(hdev); 3704 3705 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3706 if (conn) { 3707 if (!ev->status) 3708 set_bit(HCI_CONN_SECURE, &conn->flags); 3709 3710 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3711 3712 hci_key_change_cfm(conn, ev->status); 3713 } 3714 3715 hci_dev_unlock(hdev); 3716 } 3717 3718 static void hci_remote_features_evt(struct hci_dev *hdev, void *data, 3719 struct sk_buff *skb) 3720 { 3721 struct hci_ev_remote_features *ev = data; 3722 struct hci_conn *conn; 3723 3724 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3725 3726 hci_dev_lock(hdev); 3727 3728 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3729 if (!conn) 3730 goto unlock; 3731 3732 if (!ev->status) 3733 memcpy(conn->features[0], ev->features, 8); 3734 3735 if (conn->state != BT_CONFIG) 3736 goto unlock; 3737 3738 if (!ev->status && lmp_ext_feat_capable(hdev) && 3739 lmp_ext_feat_capable(conn)) { 3740 struct hci_cp_read_remote_ext_features cp; 3741 cp.handle = ev->handle; 3742 cp.page = 0x01; 3743 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3744 sizeof(cp), &cp); 3745 goto unlock; 3746 } 3747 3748 if (!ev->status) { 3749 struct hci_cp_remote_name_req cp; 3750 memset(&cp, 0, sizeof(cp)); 3751 bacpy(&cp.bdaddr, &conn->dst); 3752 cp.pscan_rep_mode = 0x02; 3753 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3754 } else { 3755 mgmt_device_connected(hdev, conn, NULL, 0); 3756 } 3757 3758 if (!hci_outgoing_auth_needed(hdev, conn)) { 3759 conn->state = BT_CONNECTED; 3760 hci_connect_cfm(conn, ev->status); 3761 hci_conn_drop(conn); 3762 } 3763 3764 unlock: 3765 hci_dev_unlock(hdev); 3766 } 3767 3768 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3769 { 3770 cancel_delayed_work(&hdev->cmd_timer); 3771 3772 rcu_read_lock(); 3773 if (!test_bit(HCI_RESET, &hdev->flags)) { 3774 if (ncmd) { 3775 cancel_delayed_work(&hdev->ncmd_timer); 3776 atomic_set(&hdev->cmd_cnt, 1); 3777 } else { 3778 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 3779 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer, 3780 HCI_NCMD_TIMEOUT); 3781 } 3782 } 3783 rcu_read_unlock(); 3784 } 3785 3786 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data, 3787 struct sk_buff *skb) 3788 { 3789 struct hci_rp_le_read_buffer_size_v2 *rp = data; 3790 3791 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3792 3793 if (rp->status) 3794 return rp->status; 3795 3796 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu); 3797 hdev->le_pkts = rp->acl_max_pkt; 3798 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu); 3799 hdev->iso_pkts = rp->iso_max_pkt; 3800 3801 hdev->le_cnt = hdev->le_pkts; 3802 hdev->iso_cnt = hdev->iso_pkts; 3803 3804 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu, 3805 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts); 3806 3807 if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU) 3808 return HCI_ERROR_INVALID_PARAMETERS; 3809 3810 return rp->status; 3811 } 3812 3813 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status) 3814 { 3815 struct hci_conn *conn, *tmp; 3816 3817 lockdep_assert_held(&hdev->lock); 3818 3819 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) { 3820 if (conn->type != CIS_LINK || 3821 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig) 3822 continue; 3823 3824 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 3825 hci_conn_failed(conn, status); 3826 } 3827 } 3828 3829 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data, 3830 struct sk_buff *skb) 3831 { 3832 struct hci_rp_le_set_cig_params *rp = data; 3833 struct hci_cp_le_set_cig_params *cp; 3834 struct hci_conn *conn; 3835 u8 status = rp->status; 3836 bool pending = false; 3837 int i; 3838 3839 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3840 3841 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS); 3842 if (!rp->status && (!cp || rp->num_handles != cp->num_cis || 3843 rp->cig_id != cp->cig_id)) { 3844 bt_dev_err(hdev, "unexpected Set CIG Parameters response data"); 3845 status = HCI_ERROR_UNSPECIFIED; 3846 } 3847 3848 hci_dev_lock(hdev); 3849 3850 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554 3851 * 3852 * If the Status return parameter is non-zero, then the state of the CIG 3853 * and its CIS configurations shall not be changed by the command. If 3854 * the CIG did not already exist, it shall not be created. 3855 */ 3856 if (status) { 3857 /* Keep current configuration, fail only the unbound CIS */ 3858 hci_unbound_cis_failed(hdev, rp->cig_id, status); 3859 goto unlock; 3860 } 3861 3862 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553 3863 * 3864 * If the Status return parameter is zero, then the Controller shall 3865 * set the Connection_Handle arrayed return parameter to the connection 3866 * handle(s) corresponding to the CIS configurations specified in 3867 * the CIS_IDs command parameter, in the same order. 3868 */ 3869 for (i = 0; i < rp->num_handles; ++i) { 3870 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id, 3871 cp->cis[i].cis_id); 3872 if (!conn || !bacmp(&conn->dst, BDADDR_ANY)) 3873 continue; 3874 3875 if (conn->state != BT_BOUND && conn->state != BT_CONNECT) 3876 continue; 3877 3878 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i]))) 3879 continue; 3880 3881 if (conn->state == BT_CONNECT) 3882 pending = true; 3883 } 3884 3885 unlock: 3886 if (pending) 3887 hci_le_create_cis_pending(hdev); 3888 3889 hci_dev_unlock(hdev); 3890 3891 return rp->status; 3892 } 3893 3894 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data, 3895 struct sk_buff *skb) 3896 { 3897 struct hci_rp_le_setup_iso_path *rp = data; 3898 struct hci_cp_le_setup_iso_path *cp; 3899 struct hci_conn *conn; 3900 3901 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3902 3903 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH); 3904 if (!cp) 3905 return rp->status; 3906 3907 hci_dev_lock(hdev); 3908 3909 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 3910 if (!conn) 3911 goto unlock; 3912 3913 if (rp->status) { 3914 hci_connect_cfm(conn, rp->status); 3915 hci_conn_del(conn); 3916 goto unlock; 3917 } 3918 3919 switch (cp->direction) { 3920 /* Input (Host to Controller) */ 3921 case 0x00: 3922 /* Only confirm connection if output only */ 3923 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu) 3924 hci_connect_cfm(conn, rp->status); 3925 break; 3926 /* Output (Controller to Host) */ 3927 case 0x01: 3928 /* Confirm connection since conn->iso_qos is always configured 3929 * last. 3930 */ 3931 hci_connect_cfm(conn, rp->status); 3932 3933 /* Notify device connected in case it is a BIG Sync */ 3934 if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags)) 3935 mgmt_device_connected(hdev, conn, NULL, 0); 3936 3937 break; 3938 } 3939 3940 unlock: 3941 hci_dev_unlock(hdev); 3942 return rp->status; 3943 } 3944 3945 static u8 hci_cc_le_read_all_local_features(struct hci_dev *hdev, void *data, 3946 struct sk_buff *skb) 3947 { 3948 struct hci_rp_le_read_all_local_features *rp = data; 3949 3950 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3951 3952 if (rp->status) 3953 return rp->status; 3954 3955 memcpy(hdev->le_features, rp->features, 248); 3956 3957 return rp->status; 3958 } 3959 3960 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status) 3961 { 3962 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3963 } 3964 3965 static void hci_cs_le_read_all_remote_features(struct hci_dev *hdev, u8 status) 3966 { 3967 struct hci_cp_le_read_remote_features *cp; 3968 struct hci_conn *conn; 3969 3970 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3971 3972 if (!status) 3973 return; 3974 3975 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_ALL_REMOTE_FEATURES); 3976 if (!cp) 3977 return; 3978 3979 hci_dev_lock(hdev); 3980 3981 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 3982 if (conn && conn->state == BT_CONFIG) 3983 hci_connect_cfm(conn, status); 3984 3985 hci_dev_unlock(hdev); 3986 } 3987 3988 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data, 3989 struct sk_buff *skb) 3990 { 3991 struct hci_ev_status *rp = data; 3992 struct hci_cp_le_set_per_adv_params *cp; 3993 3994 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3995 3996 if (rp->status) 3997 return rp->status; 3998 3999 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS); 4000 if (!cp) 4001 return rp->status; 4002 4003 /* TODO: set the conn state */ 4004 return rp->status; 4005 } 4006 4007 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, 4008 struct sk_buff *skb) 4009 { 4010 struct hci_ev_status *rp = data; 4011 struct hci_cp_le_set_per_adv_enable *cp; 4012 struct adv_info *adv = NULL, *n; 4013 u8 per_adv_cnt = 0; 4014 4015 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 4016 4017 if (rp->status) 4018 return rp->status; 4019 4020 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE); 4021 if (!cp) 4022 return rp->status; 4023 4024 hci_dev_lock(hdev); 4025 4026 adv = hci_find_adv_instance(hdev, cp->handle); 4027 4028 if (cp->enable) { 4029 hci_dev_set_flag(hdev, HCI_LE_PER_ADV); 4030 4031 if (adv) 4032 adv->periodic_enabled = true; 4033 } else { 4034 if (adv) 4035 adv->periodic_enabled = false; 4036 4037 /* If just one instance was disabled check if there are 4038 * any other instance enabled before clearing HCI_LE_PER_ADV. 4039 * The current periodic adv instance will be marked as 4040 * disabled once extended advertising is also disabled. 4041 */ 4042 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 4043 list) { 4044 if (adv->periodic && adv->enabled) 4045 per_adv_cnt++; 4046 } 4047 4048 if (per_adv_cnt > 1) 4049 goto unlock; 4050 4051 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV); 4052 } 4053 4054 unlock: 4055 hci_dev_unlock(hdev); 4056 4057 return rp->status; 4058 } 4059 4060 #define HCI_CC_VL(_op, _func, _min, _max) \ 4061 { \ 4062 .op = _op, \ 4063 .func = _func, \ 4064 .min_len = _min, \ 4065 .max_len = _max, \ 4066 } 4067 4068 #define HCI_CC(_op, _func, _len) \ 4069 HCI_CC_VL(_op, _func, _len, _len) 4070 4071 #define HCI_CC_STATUS(_op, _func) \ 4072 HCI_CC(_op, _func, sizeof(struct hci_ev_status)) 4073 4074 static const struct hci_cc { 4075 u16 op; 4076 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 4077 u16 min_len; 4078 u16 max_len; 4079 } hci_cc_table[] = { 4080 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel), 4081 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq), 4082 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq), 4083 HCI_CC(HCI_OP_REMOTE_NAME_REQ_CANCEL, hci_cc_remote_name_req_cancel, 4084 sizeof(struct hci_rp_remote_name_req_cancel)), 4085 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery, 4086 sizeof(struct hci_rp_role_discovery)), 4087 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy, 4088 sizeof(struct hci_rp_read_link_policy)), 4089 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy, 4090 sizeof(struct hci_rp_write_link_policy)), 4091 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy, 4092 sizeof(struct hci_rp_read_def_link_policy)), 4093 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY, 4094 hci_cc_write_def_link_policy), 4095 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset), 4096 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key, 4097 sizeof(struct hci_rp_read_stored_link_key)), 4098 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key, 4099 sizeof(struct hci_rp_delete_stored_link_key)), 4100 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name), 4101 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name, 4102 sizeof(struct hci_rp_read_local_name)), 4103 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable), 4104 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode), 4105 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable), 4106 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter), 4107 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev, 4108 sizeof(struct hci_rp_read_class_of_dev)), 4109 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev), 4110 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting, 4111 sizeof(struct hci_rp_read_voice_setting)), 4112 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting), 4113 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac, 4114 sizeof(struct hci_rp_read_num_supported_iac)), 4115 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode), 4116 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support), 4117 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout, 4118 sizeof(struct hci_rp_read_auth_payload_to)), 4119 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout, 4120 sizeof(struct hci_rp_write_auth_payload_to)), 4121 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version, 4122 sizeof(struct hci_rp_read_local_version)), 4123 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands, 4124 sizeof(struct hci_rp_read_local_commands)), 4125 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features, 4126 sizeof(struct hci_rp_read_local_features)), 4127 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features, 4128 sizeof(struct hci_rp_read_local_ext_features)), 4129 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size, 4130 sizeof(struct hci_rp_read_buffer_size)), 4131 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr, 4132 sizeof(struct hci_rp_read_bd_addr)), 4133 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts, 4134 sizeof(struct hci_rp_read_local_pairing_opts)), 4135 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity, 4136 sizeof(struct hci_rp_read_page_scan_activity)), 4137 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, 4138 hci_cc_write_page_scan_activity), 4139 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, 4140 sizeof(struct hci_rp_read_page_scan_type)), 4141 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), 4142 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, 4143 sizeof(struct hci_rp_read_clock)), 4144 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, 4145 sizeof(struct hci_rp_read_enc_key_size)), 4146 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power, 4147 sizeof(struct hci_rp_read_inq_rsp_tx_power)), 4148 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING, 4149 hci_cc_read_def_err_data_reporting, 4150 sizeof(struct hci_rp_read_def_err_data_reporting)), 4151 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING, 4152 hci_cc_write_def_err_data_reporting), 4153 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply, 4154 sizeof(struct hci_rp_pin_code_reply)), 4155 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply, 4156 sizeof(struct hci_rp_pin_code_neg_reply)), 4157 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data, 4158 sizeof(struct hci_rp_read_local_oob_data)), 4159 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data, 4160 sizeof(struct hci_rp_read_local_oob_ext_data)), 4161 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size, 4162 sizeof(struct hci_rp_le_read_buffer_size)), 4163 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features, 4164 sizeof(struct hci_rp_le_read_local_features)), 4165 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power, 4166 sizeof(struct hci_rp_le_read_adv_tx_power)), 4167 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply, 4168 sizeof(struct hci_rp_user_confirm_reply)), 4169 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply, 4170 sizeof(struct hci_rp_user_confirm_reply)), 4171 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply, 4172 sizeof(struct hci_rp_user_confirm_reply)), 4173 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply, 4174 sizeof(struct hci_rp_user_confirm_reply)), 4175 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr), 4176 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable), 4177 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param), 4178 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable), 4179 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE, 4180 hci_cc_le_read_accept_list_size, 4181 sizeof(struct hci_rp_le_read_accept_list_size)), 4182 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list), 4183 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST, 4184 hci_cc_le_add_to_accept_list), 4185 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST, 4186 hci_cc_le_del_from_accept_list), 4187 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states, 4188 sizeof(struct hci_rp_le_read_supported_states)), 4189 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len, 4190 sizeof(struct hci_rp_le_read_def_data_len)), 4191 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN, 4192 hci_cc_le_write_def_data_len), 4193 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST, 4194 hci_cc_le_add_to_resolv_list), 4195 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST, 4196 hci_cc_le_del_from_resolv_list), 4197 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST, 4198 hci_cc_le_clear_resolv_list), 4199 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size, 4200 sizeof(struct hci_rp_le_read_resolv_list_size)), 4201 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 4202 hci_cc_le_set_addr_resolution_enable), 4203 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len, 4204 sizeof(struct hci_rp_le_read_max_data_len)), 4205 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED, 4206 hci_cc_write_le_host_supported), 4207 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param), 4208 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi, 4209 sizeof(struct hci_rp_read_rssi)), 4210 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power, 4211 sizeof(struct hci_rp_read_tx_power)), 4212 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode), 4213 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS, 4214 hci_cc_le_set_ext_scan_param), 4215 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE, 4216 hci_cc_le_set_ext_scan_enable), 4217 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy), 4218 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, 4219 hci_cc_le_read_num_adv_sets, 4220 sizeof(struct hci_rp_le_read_num_supported_adv_sets)), 4221 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, 4222 hci_cc_le_set_ext_adv_enable), 4223 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, 4224 hci_cc_le_set_adv_set_random_addr), 4225 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set), 4226 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets), 4227 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param), 4228 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE, 4229 hci_cc_le_set_per_adv_enable), 4230 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power, 4231 sizeof(struct hci_rp_le_read_transmit_power)), 4232 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode), 4233 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2, 4234 sizeof(struct hci_rp_le_read_buffer_size_v2)), 4235 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params, 4236 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE), 4237 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path, 4238 sizeof(struct hci_rp_le_setup_iso_path)), 4239 HCI_CC(HCI_OP_LE_READ_ALL_LOCAL_FEATURES, 4240 hci_cc_le_read_all_local_features, 4241 sizeof(struct hci_rp_le_read_all_local_features)), 4242 }; 4243 4244 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc, 4245 struct sk_buff *skb) 4246 { 4247 void *data; 4248 4249 if (skb->len < cc->min_len) { 4250 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u", 4251 cc->op, skb->len, cc->min_len); 4252 return HCI_ERROR_UNSPECIFIED; 4253 } 4254 4255 /* Just warn if the length is over max_len size it still be possible to 4256 * partially parse the cc so leave to callback to decide if that is 4257 * acceptable. 4258 */ 4259 if (skb->len > cc->max_len) 4260 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u", 4261 cc->op, skb->len, cc->max_len); 4262 4263 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len); 4264 if (!data) 4265 return HCI_ERROR_UNSPECIFIED; 4266 4267 return cc->func(hdev, data, skb); 4268 } 4269 4270 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, 4271 struct sk_buff *skb, u16 *opcode, u8 *status, 4272 hci_req_complete_t *req_complete, 4273 hci_req_complete_skb_t *req_complete_skb) 4274 { 4275 struct hci_ev_cmd_complete *ev = data; 4276 int i; 4277 4278 *opcode = __le16_to_cpu(ev->opcode); 4279 4280 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4281 4282 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) { 4283 if (hci_cc_table[i].op == *opcode) { 4284 *status = hci_cc_func(hdev, &hci_cc_table[i], skb); 4285 break; 4286 } 4287 } 4288 4289 if (i == ARRAY_SIZE(hci_cc_table)) { 4290 if (!skb->len) { 4291 bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status", 4292 *opcode); 4293 *status = HCI_ERROR_UNSPECIFIED; 4294 return; 4295 } 4296 4297 /* Unknown opcode, assume byte 0 contains the status, so 4298 * that e.g. __hci_cmd_sync() properly returns errors 4299 * for vendor specific commands send by HCI drivers. 4300 * If a vendor doesn't actually follow this convention we may 4301 * need to introduce a vendor CC table in order to properly set 4302 * the status. 4303 */ 4304 *status = skb->data[0]; 4305 } 4306 4307 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4308 4309 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 4310 req_complete_skb); 4311 4312 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4313 bt_dev_err(hdev, 4314 "unexpected event for opcode 0x%4.4x", *opcode); 4315 return; 4316 } 4317 4318 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4319 queue_work(hdev->workqueue, &hdev->cmd_work); 4320 } 4321 4322 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) 4323 { 4324 struct hci_cp_le_create_cis *cp; 4325 bool pending = false; 4326 int i; 4327 4328 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4329 4330 if (!status) 4331 return; 4332 4333 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS); 4334 if (!cp) 4335 return; 4336 4337 hci_dev_lock(hdev); 4338 4339 /* Remove connection if command failed */ 4340 for (i = 0; i < cp->num_cis; i++) { 4341 struct hci_conn *conn; 4342 u16 handle; 4343 4344 handle = __le16_to_cpu(cp->cis[i].cis_handle); 4345 4346 conn = hci_conn_hash_lookup_handle(hdev, handle); 4347 if (conn) { 4348 if (test_and_clear_bit(HCI_CONN_CREATE_CIS, 4349 &conn->flags)) 4350 pending = true; 4351 conn->state = BT_CLOSED; 4352 hci_connect_cfm(conn, status); 4353 hci_conn_del(conn); 4354 } 4355 } 4356 cp->num_cis = 0; 4357 4358 if (pending) 4359 hci_le_create_cis_pending(hdev); 4360 4361 hci_dev_unlock(hdev); 4362 } 4363 4364 #define HCI_CS(_op, _func) \ 4365 { \ 4366 .op = _op, \ 4367 .func = _func, \ 4368 } 4369 4370 static const struct hci_cs { 4371 u16 op; 4372 void (*func)(struct hci_dev *hdev, __u8 status); 4373 } hci_cs_table[] = { 4374 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry), 4375 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn), 4376 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect), 4377 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco), 4378 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested), 4379 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt), 4380 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req), 4381 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features), 4382 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES, 4383 hci_cs_read_remote_ext_features), 4384 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn), 4385 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN, 4386 hci_cs_enhanced_setup_sync_conn), 4387 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode), 4388 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode), 4389 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role), 4390 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn), 4391 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features), 4392 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc), 4393 HCI_CS(HCI_OP_LE_SET_PHY, hci_cs_le_set_phy), 4394 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn), 4395 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis), 4396 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big), 4397 HCI_CS(HCI_OP_LE_READ_ALL_REMOTE_FEATURES, 4398 hci_cs_le_read_all_remote_features), 4399 }; 4400 4401 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data, 4402 struct sk_buff *skb, u16 *opcode, u8 *status, 4403 hci_req_complete_t *req_complete, 4404 hci_req_complete_skb_t *req_complete_skb) 4405 { 4406 struct hci_ev_cmd_status *ev = data; 4407 int i; 4408 4409 *opcode = __le16_to_cpu(ev->opcode); 4410 *status = ev->status; 4411 4412 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4413 4414 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) { 4415 if (hci_cs_table[i].op == *opcode) { 4416 hci_cs_table[i].func(hdev, ev->status); 4417 break; 4418 } 4419 } 4420 4421 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4422 4423 /* Indicate request completion if the command failed. Also, if 4424 * we're not waiting for a special event and we get a success 4425 * command status we should try to flag the request as completed 4426 * (since for this kind of commands there will not be a command 4427 * complete event). 4428 */ 4429 if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) { 4430 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 4431 req_complete_skb); 4432 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4433 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x", 4434 *opcode); 4435 return; 4436 } 4437 } 4438 4439 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4440 queue_work(hdev->workqueue, &hdev->cmd_work); 4441 } 4442 4443 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data, 4444 struct sk_buff *skb) 4445 { 4446 struct hci_ev_hardware_error *ev = data; 4447 4448 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code); 4449 4450 hdev->hw_error_code = ev->code; 4451 4452 queue_work(hdev->req_workqueue, &hdev->error_reset); 4453 } 4454 4455 static void hci_role_change_evt(struct hci_dev *hdev, void *data, 4456 struct sk_buff *skb) 4457 { 4458 struct hci_ev_role_change *ev = data; 4459 struct hci_conn *conn; 4460 4461 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4462 4463 hci_dev_lock(hdev); 4464 4465 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4466 if (conn) { 4467 if (!ev->status) 4468 conn->role = ev->role; 4469 4470 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 4471 4472 hci_role_switch_cfm(conn, ev->status, ev->role); 4473 } 4474 4475 hci_dev_unlock(hdev); 4476 } 4477 4478 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, 4479 struct sk_buff *skb) 4480 { 4481 struct hci_ev_num_comp_pkts *ev = data; 4482 int i; 4483 4484 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, 4485 flex_array_size(ev, handles, ev->num))) 4486 return; 4487 4488 bt_dev_dbg(hdev, "num %d", ev->num); 4489 4490 hci_dev_lock(hdev); 4491 4492 for (i = 0; i < ev->num; i++) { 4493 struct hci_comp_pkts_info *info = &ev->handles[i]; 4494 struct hci_conn *conn; 4495 __u16 handle, count; 4496 unsigned int i; 4497 4498 handle = __le16_to_cpu(info->handle); 4499 count = __le16_to_cpu(info->count); 4500 4501 conn = hci_conn_hash_lookup_handle(hdev, handle); 4502 if (!conn) 4503 continue; 4504 4505 /* Check if there is really enough packets outstanding before 4506 * attempting to decrease the sent counter otherwise it could 4507 * underflow.. 4508 */ 4509 if (conn->sent >= count) { 4510 conn->sent -= count; 4511 } else { 4512 bt_dev_warn(hdev, "hcon %p sent %u < count %u", 4513 conn, conn->sent, count); 4514 conn->sent = 0; 4515 } 4516 4517 for (i = 0; i < count; ++i) 4518 hci_conn_tx_dequeue(conn); 4519 4520 switch (conn->type) { 4521 case ACL_LINK: 4522 hdev->acl_cnt += count; 4523 if (hdev->acl_cnt > hdev->acl_pkts) 4524 hdev->acl_cnt = hdev->acl_pkts; 4525 break; 4526 4527 case LE_LINK: 4528 if (hdev->le_pkts) { 4529 hdev->le_cnt += count; 4530 if (hdev->le_cnt > hdev->le_pkts) 4531 hdev->le_cnt = hdev->le_pkts; 4532 } else { 4533 hdev->acl_cnt += count; 4534 if (hdev->acl_cnt > hdev->acl_pkts) 4535 hdev->acl_cnt = hdev->acl_pkts; 4536 } 4537 break; 4538 4539 case SCO_LINK: 4540 case ESCO_LINK: 4541 hdev->sco_cnt += count; 4542 if (hdev->sco_cnt > hdev->sco_pkts) 4543 hdev->sco_cnt = hdev->sco_pkts; 4544 4545 break; 4546 4547 case CIS_LINK: 4548 case BIS_LINK: 4549 case PA_LINK: 4550 hdev->iso_cnt += count; 4551 if (hdev->iso_cnt > hdev->iso_pkts) 4552 hdev->iso_cnt = hdev->iso_pkts; 4553 break; 4554 4555 default: 4556 bt_dev_err(hdev, "unknown type %d conn %p", 4557 conn->type, conn); 4558 break; 4559 } 4560 } 4561 4562 queue_work(hdev->workqueue, &hdev->tx_work); 4563 4564 hci_dev_unlock(hdev); 4565 } 4566 4567 static void hci_mode_change_evt(struct hci_dev *hdev, void *data, 4568 struct sk_buff *skb) 4569 { 4570 struct hci_ev_mode_change *ev = data; 4571 struct hci_conn *conn; 4572 4573 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4574 4575 hci_dev_lock(hdev); 4576 4577 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4578 if (conn) { 4579 conn->mode = ev->mode; 4580 4581 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 4582 &conn->flags)) { 4583 if (conn->mode == HCI_CM_ACTIVE) 4584 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4585 else 4586 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4587 } 4588 4589 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4590 hci_sco_setup(conn, ev->status); 4591 } 4592 4593 hci_dev_unlock(hdev); 4594 } 4595 4596 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data, 4597 struct sk_buff *skb) 4598 { 4599 struct hci_ev_pin_code_req *ev = data; 4600 struct hci_conn *conn; 4601 4602 bt_dev_dbg(hdev, ""); 4603 4604 hci_dev_lock(hdev); 4605 4606 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4607 if (!conn) 4608 goto unlock; 4609 4610 if (conn->state == BT_CONNECTED) { 4611 hci_conn_hold(conn); 4612 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4613 hci_conn_drop(conn); 4614 } 4615 4616 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4617 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4618 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4619 sizeof(ev->bdaddr), &ev->bdaddr); 4620 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4621 u8 secure; 4622 4623 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4624 secure = 1; 4625 else 4626 secure = 0; 4627 4628 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4629 } 4630 4631 unlock: 4632 hci_dev_unlock(hdev); 4633 } 4634 4635 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4636 { 4637 if (key_type == HCI_LK_CHANGED_COMBINATION) 4638 return; 4639 4640 conn->pin_length = pin_len; 4641 conn->key_type = key_type; 4642 4643 switch (key_type) { 4644 case HCI_LK_LOCAL_UNIT: 4645 case HCI_LK_REMOTE_UNIT: 4646 case HCI_LK_DEBUG_COMBINATION: 4647 return; 4648 case HCI_LK_COMBINATION: 4649 if (pin_len == 16) 4650 conn->pending_sec_level = BT_SECURITY_HIGH; 4651 else 4652 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4653 break; 4654 case HCI_LK_UNAUTH_COMBINATION_P192: 4655 case HCI_LK_UNAUTH_COMBINATION_P256: 4656 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4657 break; 4658 case HCI_LK_AUTH_COMBINATION_P192: 4659 conn->pending_sec_level = BT_SECURITY_HIGH; 4660 break; 4661 case HCI_LK_AUTH_COMBINATION_P256: 4662 conn->pending_sec_level = BT_SECURITY_FIPS; 4663 break; 4664 } 4665 } 4666 4667 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data, 4668 struct sk_buff *skb) 4669 { 4670 struct hci_ev_link_key_req *ev = data; 4671 struct hci_cp_link_key_reply cp; 4672 struct hci_conn *conn; 4673 struct link_key *key; 4674 4675 bt_dev_dbg(hdev, ""); 4676 4677 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4678 return; 4679 4680 hci_dev_lock(hdev); 4681 4682 key = hci_find_link_key(hdev, &ev->bdaddr); 4683 if (!key) { 4684 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr); 4685 goto not_found; 4686 } 4687 4688 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr); 4689 4690 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4691 if (conn) { 4692 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4693 4694 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4695 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4696 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4697 bt_dev_dbg(hdev, "ignoring unauthenticated key"); 4698 goto not_found; 4699 } 4700 4701 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4702 (conn->pending_sec_level == BT_SECURITY_HIGH || 4703 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4704 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security"); 4705 goto not_found; 4706 } 4707 4708 conn_set_key(conn, key->type, key->pin_len); 4709 } 4710 4711 bacpy(&cp.bdaddr, &ev->bdaddr); 4712 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4713 4714 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4715 4716 hci_dev_unlock(hdev); 4717 4718 return; 4719 4720 not_found: 4721 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4722 hci_dev_unlock(hdev); 4723 } 4724 4725 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, 4726 struct sk_buff *skb) 4727 { 4728 struct hci_ev_link_key_notify *ev = data; 4729 struct hci_conn *conn; 4730 struct link_key *key; 4731 bool persistent; 4732 u8 pin_len = 0; 4733 4734 bt_dev_dbg(hdev, ""); 4735 4736 hci_dev_lock(hdev); 4737 4738 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4739 if (!conn) 4740 goto unlock; 4741 4742 /* Ignore NULL link key against CVE-2020-26555 */ 4743 if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) { 4744 bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR", 4745 &ev->bdaddr); 4746 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 4747 hci_conn_drop(conn); 4748 goto unlock; 4749 } 4750 4751 hci_conn_hold(conn); 4752 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4753 hci_conn_drop(conn); 4754 4755 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4756 conn_set_key(conn, ev->key_type, conn->pin_length); 4757 4758 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4759 goto unlock; 4760 4761 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4762 ev->key_type, pin_len, &persistent); 4763 if (!key) 4764 goto unlock; 4765 4766 /* Update connection information since adding the key will have 4767 * fixed up the type in the case of changed combination keys. 4768 */ 4769 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4770 conn_set_key(conn, key->type, key->pin_len); 4771 4772 mgmt_new_link_key(hdev, key, persistent); 4773 4774 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4775 * is set. If it's not set simply remove the key from the kernel 4776 * list (we've still notified user space about it but with 4777 * store_hint being 0). 4778 */ 4779 if (key->type == HCI_LK_DEBUG_COMBINATION && 4780 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4781 list_del_rcu(&key->list); 4782 kfree_rcu(key, rcu); 4783 goto unlock; 4784 } 4785 4786 if (persistent) 4787 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4788 else 4789 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4790 4791 unlock: 4792 hci_dev_unlock(hdev); 4793 } 4794 4795 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data, 4796 struct sk_buff *skb) 4797 { 4798 struct hci_ev_clock_offset *ev = data; 4799 struct hci_conn *conn; 4800 4801 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4802 4803 hci_dev_lock(hdev); 4804 4805 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4806 if (conn && !ev->status) { 4807 struct inquiry_entry *ie; 4808 4809 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4810 if (ie) { 4811 ie->data.clock_offset = ev->clock_offset; 4812 ie->timestamp = jiffies; 4813 } 4814 } 4815 4816 hci_dev_unlock(hdev); 4817 } 4818 4819 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data, 4820 struct sk_buff *skb) 4821 { 4822 struct hci_ev_pkt_type_change *ev = data; 4823 struct hci_conn *conn; 4824 4825 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4826 4827 hci_dev_lock(hdev); 4828 4829 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4830 if (conn && !ev->status) 4831 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4832 4833 hci_dev_unlock(hdev); 4834 } 4835 4836 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data, 4837 struct sk_buff *skb) 4838 { 4839 struct hci_ev_pscan_rep_mode *ev = data; 4840 struct inquiry_entry *ie; 4841 4842 bt_dev_dbg(hdev, ""); 4843 4844 hci_dev_lock(hdev); 4845 4846 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4847 if (ie) { 4848 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4849 ie->timestamp = jiffies; 4850 } 4851 4852 hci_dev_unlock(hdev); 4853 } 4854 4855 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata, 4856 struct sk_buff *skb) 4857 { 4858 struct hci_ev_inquiry_result_rssi *ev = edata; 4859 struct inquiry_data data; 4860 int i; 4861 4862 bt_dev_dbg(hdev, "num_rsp %d", ev->num); 4863 4864 if (!ev->num) 4865 return; 4866 4867 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4868 return; 4869 4870 hci_dev_lock(hdev); 4871 4872 if (skb->len == array_size(ev->num, 4873 sizeof(struct inquiry_info_rssi_pscan))) { 4874 struct inquiry_info_rssi_pscan *info; 4875 4876 for (i = 0; i < ev->num; i++) { 4877 u32 flags; 4878 4879 info = hci_ev_skb_pull(hdev, skb, 4880 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4881 sizeof(*info)); 4882 if (!info) { 4883 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4884 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4885 goto unlock; 4886 } 4887 4888 bacpy(&data.bdaddr, &info->bdaddr); 4889 data.pscan_rep_mode = info->pscan_rep_mode; 4890 data.pscan_period_mode = info->pscan_period_mode; 4891 data.pscan_mode = info->pscan_mode; 4892 memcpy(data.dev_class, info->dev_class, 3); 4893 data.clock_offset = info->clock_offset; 4894 data.rssi = info->rssi; 4895 data.ssp_mode = 0x00; 4896 4897 flags = hci_inquiry_cache_update(hdev, &data, false); 4898 4899 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4900 info->dev_class, info->rssi, 4901 flags, NULL, 0, NULL, 0, 0); 4902 } 4903 } else if (skb->len == array_size(ev->num, 4904 sizeof(struct inquiry_info_rssi))) { 4905 struct inquiry_info_rssi *info; 4906 4907 for (i = 0; i < ev->num; i++) { 4908 u32 flags; 4909 4910 info = hci_ev_skb_pull(hdev, skb, 4911 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4912 sizeof(*info)); 4913 if (!info) { 4914 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4915 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4916 goto unlock; 4917 } 4918 4919 bacpy(&data.bdaddr, &info->bdaddr); 4920 data.pscan_rep_mode = info->pscan_rep_mode; 4921 data.pscan_period_mode = info->pscan_period_mode; 4922 data.pscan_mode = 0x00; 4923 memcpy(data.dev_class, info->dev_class, 3); 4924 data.clock_offset = info->clock_offset; 4925 data.rssi = info->rssi; 4926 data.ssp_mode = 0x00; 4927 4928 flags = hci_inquiry_cache_update(hdev, &data, false); 4929 4930 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4931 info->dev_class, info->rssi, 4932 flags, NULL, 0, NULL, 0, 0); 4933 } 4934 } else { 4935 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4936 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4937 } 4938 unlock: 4939 hci_dev_unlock(hdev); 4940 } 4941 4942 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data, 4943 struct sk_buff *skb) 4944 { 4945 struct hci_ev_remote_ext_features *ev = data; 4946 struct hci_conn *conn; 4947 4948 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4949 4950 hci_dev_lock(hdev); 4951 4952 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4953 if (!conn) 4954 goto unlock; 4955 4956 if (ev->page < HCI_MAX_PAGES) 4957 memcpy(conn->features[ev->page], ev->features, 8); 4958 4959 if (!ev->status && ev->page == 0x01) { 4960 struct inquiry_entry *ie; 4961 4962 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4963 if (ie) 4964 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4965 4966 if (ev->features[0] & LMP_HOST_SSP) { 4967 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4968 } else { 4969 /* It is mandatory by the Bluetooth specification that 4970 * Extended Inquiry Results are only used when Secure 4971 * Simple Pairing is enabled, but some devices violate 4972 * this. 4973 * 4974 * To make these devices work, the internal SSP 4975 * enabled flag needs to be cleared if the remote host 4976 * features do not indicate SSP support */ 4977 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4978 } 4979 4980 if (ev->features[0] & LMP_HOST_SC) 4981 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4982 } 4983 4984 if (conn->state != BT_CONFIG) 4985 goto unlock; 4986 4987 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4988 struct hci_cp_remote_name_req cp; 4989 memset(&cp, 0, sizeof(cp)); 4990 bacpy(&cp.bdaddr, &conn->dst); 4991 cp.pscan_rep_mode = 0x02; 4992 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4993 } else { 4994 mgmt_device_connected(hdev, conn, NULL, 0); 4995 } 4996 4997 if (!hci_outgoing_auth_needed(hdev, conn)) { 4998 conn->state = BT_CONNECTED; 4999 hci_connect_cfm(conn, ev->status); 5000 hci_conn_drop(conn); 5001 } 5002 5003 unlock: 5004 hci_dev_unlock(hdev); 5005 } 5006 5007 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, 5008 struct sk_buff *skb) 5009 { 5010 struct hci_ev_sync_conn_complete *ev = data; 5011 struct hci_conn *conn; 5012 u8 status = ev->status; 5013 5014 switch (ev->link_type) { 5015 case SCO_LINK: 5016 case ESCO_LINK: 5017 break; 5018 default: 5019 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type 5020 * for HCI_Synchronous_Connection_Complete is limited to 5021 * either SCO or eSCO 5022 */ 5023 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type"); 5024 return; 5025 } 5026 5027 bt_dev_dbg(hdev, "status 0x%2.2x", status); 5028 5029 hci_dev_lock(hdev); 5030 hci_store_wake_reason(hdev, &ev->bdaddr, BDADDR_BREDR); 5031 5032 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 5033 if (!conn) { 5034 if (ev->link_type == ESCO_LINK) 5035 goto unlock; 5036 5037 /* When the link type in the event indicates SCO connection 5038 * and lookup of the connection object fails, then check 5039 * if an eSCO connection object exists. 5040 * 5041 * The core limits the synchronous connections to either 5042 * SCO or eSCO. The eSCO connection is preferred and tried 5043 * to be setup first and until successfully established, 5044 * the link type will be hinted as eSCO. 5045 */ 5046 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 5047 if (!conn) 5048 goto unlock; 5049 } 5050 5051 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. 5052 * Processing it more than once per connection can corrupt kernel memory. 5053 * 5054 * As the connection handle is set here for the first time, it indicates 5055 * whether the connection is already set up. 5056 */ 5057 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5058 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection"); 5059 goto unlock; 5060 } 5061 5062 switch (status) { 5063 case 0x00: 5064 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 5065 if (status) { 5066 conn->state = BT_CLOSED; 5067 break; 5068 } 5069 5070 conn->state = BT_CONNECTED; 5071 conn->type = ev->link_type; 5072 5073 hci_debugfs_create_conn(conn); 5074 hci_conn_add_sysfs(conn); 5075 break; 5076 5077 case 0x10: /* Connection Accept Timeout */ 5078 case 0x0d: /* Connection Rejected due to Limited Resources */ 5079 case 0x11: /* Unsupported Feature or Parameter Value */ 5080 case 0x1c: /* SCO interval rejected */ 5081 case 0x1a: /* Unsupported Remote Feature */ 5082 case 0x1e: /* Invalid LMP Parameters */ 5083 case 0x1f: /* Unspecified error */ 5084 case 0x20: /* Unsupported LMP Parameter value */ 5085 if (conn->out) { 5086 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 5087 (hdev->esco_type & EDR_ESCO_MASK); 5088 if (hci_setup_sync(conn, conn->parent->handle)) 5089 goto unlock; 5090 } 5091 fallthrough; 5092 5093 default: 5094 conn->state = BT_CLOSED; 5095 break; 5096 } 5097 5098 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 5099 /* Notify only in case of SCO over HCI transport data path which 5100 * is zero and non-zero value shall be non-HCI transport data path 5101 */ 5102 if (conn->codec.data_path == 0 && hdev->notify) { 5103 switch (ev->air_mode) { 5104 case 0x02: 5105 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 5106 break; 5107 case 0x03: 5108 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 5109 break; 5110 } 5111 } 5112 5113 hci_connect_cfm(conn, status); 5114 if (status) 5115 hci_conn_del(conn); 5116 5117 unlock: 5118 hci_dev_unlock(hdev); 5119 } 5120 5121 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 5122 { 5123 size_t parsed = 0; 5124 5125 while (parsed < eir_len) { 5126 u8 field_len = eir[0]; 5127 5128 if (field_len == 0) 5129 return parsed; 5130 5131 parsed += field_len + 1; 5132 eir += field_len + 1; 5133 } 5134 5135 return eir_len; 5136 } 5137 5138 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata, 5139 struct sk_buff *skb) 5140 { 5141 struct hci_ev_ext_inquiry_result *ev = edata; 5142 struct inquiry_data data; 5143 size_t eir_len; 5144 int i; 5145 5146 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT, 5147 flex_array_size(ev, info, ev->num))) 5148 return; 5149 5150 bt_dev_dbg(hdev, "num %d", ev->num); 5151 5152 if (!ev->num) 5153 return; 5154 5155 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 5156 return; 5157 5158 hci_dev_lock(hdev); 5159 5160 for (i = 0; i < ev->num; i++) { 5161 struct extended_inquiry_info *info = &ev->info[i]; 5162 u32 flags; 5163 bool name_known; 5164 5165 bacpy(&data.bdaddr, &info->bdaddr); 5166 data.pscan_rep_mode = info->pscan_rep_mode; 5167 data.pscan_period_mode = info->pscan_period_mode; 5168 data.pscan_mode = 0x00; 5169 memcpy(data.dev_class, info->dev_class, 3); 5170 data.clock_offset = info->clock_offset; 5171 data.rssi = info->rssi; 5172 data.ssp_mode = 0x01; 5173 5174 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5175 name_known = eir_get_data(info->data, 5176 sizeof(info->data), 5177 EIR_NAME_COMPLETE, NULL); 5178 else 5179 name_known = true; 5180 5181 flags = hci_inquiry_cache_update(hdev, &data, name_known); 5182 5183 eir_len = eir_get_length(info->data, sizeof(info->data)); 5184 5185 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 5186 info->dev_class, info->rssi, 5187 flags, info->data, eir_len, NULL, 0, 0); 5188 } 5189 5190 hci_dev_unlock(hdev); 5191 } 5192 5193 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, 5194 struct sk_buff *skb) 5195 { 5196 struct hci_ev_key_refresh_complete *ev = data; 5197 struct hci_conn *conn; 5198 5199 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status, 5200 __le16_to_cpu(ev->handle)); 5201 5202 hci_dev_lock(hdev); 5203 5204 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5205 if (!conn) 5206 goto unlock; 5207 5208 /* For BR/EDR the necessary steps are taken through the 5209 * auth_complete event. 5210 */ 5211 if (conn->type != LE_LINK) 5212 goto unlock; 5213 5214 if (!ev->status) 5215 conn->sec_level = conn->pending_sec_level; 5216 5217 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 5218 5219 if (ev->status && conn->state == BT_CONNECTED) { 5220 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 5221 hci_conn_drop(conn); 5222 goto unlock; 5223 } 5224 5225 if (conn->state == BT_CONFIG) { 5226 if (!ev->status) 5227 conn->state = BT_CONNECTED; 5228 5229 hci_connect_cfm(conn, ev->status); 5230 hci_conn_drop(conn); 5231 } else { 5232 hci_auth_cfm(conn, ev->status); 5233 5234 hci_conn_hold(conn); 5235 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 5236 hci_conn_drop(conn); 5237 } 5238 5239 unlock: 5240 hci_dev_unlock(hdev); 5241 } 5242 5243 static u8 hci_get_auth_req(struct hci_conn *conn) 5244 { 5245 /* If remote requests no-bonding follow that lead */ 5246 if (conn->remote_auth == HCI_AT_NO_BONDING || 5247 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 5248 return conn->remote_auth | (conn->auth_type & 0x01); 5249 5250 /* If both remote and local have enough IO capabilities, require 5251 * MITM protection 5252 */ 5253 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 5254 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 5255 return conn->remote_auth | 0x01; 5256 5257 /* No MITM protection possible so ignore remote requirement */ 5258 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 5259 } 5260 5261 static u8 bredr_oob_data_present(struct hci_conn *conn) 5262 { 5263 struct hci_dev *hdev = conn->hdev; 5264 struct oob_data *data; 5265 5266 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 5267 if (!data) 5268 return 0x00; 5269 5270 if (bredr_sc_enabled(hdev)) { 5271 /* When Secure Connections is enabled, then just 5272 * return the present value stored with the OOB 5273 * data. The stored value contains the right present 5274 * information. However it can only be trusted when 5275 * not in Secure Connection Only mode. 5276 */ 5277 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 5278 return data->present; 5279 5280 /* When Secure Connections Only mode is enabled, then 5281 * the P-256 values are required. If they are not 5282 * available, then do not declare that OOB data is 5283 * present. 5284 */ 5285 if (!crypto_memneq(data->rand256, ZERO_KEY, 16) || 5286 !crypto_memneq(data->hash256, ZERO_KEY, 16)) 5287 return 0x00; 5288 5289 return 0x02; 5290 } 5291 5292 /* When Secure Connections is not enabled or actually 5293 * not supported by the hardware, then check that if 5294 * P-192 data values are present. 5295 */ 5296 if (!crypto_memneq(data->rand192, ZERO_KEY, 16) || 5297 !crypto_memneq(data->hash192, ZERO_KEY, 16)) 5298 return 0x00; 5299 5300 return 0x01; 5301 } 5302 5303 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data, 5304 struct sk_buff *skb) 5305 { 5306 struct hci_ev_io_capa_request *ev = data; 5307 struct hci_conn *conn; 5308 5309 bt_dev_dbg(hdev, ""); 5310 5311 hci_dev_lock(hdev); 5312 5313 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5314 if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) 5315 goto unlock; 5316 5317 /* Assume remote supports SSP since it has triggered this event */ 5318 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 5319 5320 hci_conn_hold(conn); 5321 5322 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5323 goto unlock; 5324 5325 /* Allow pairing if we're pairable, the initiators of the 5326 * pairing or if the remote is not requesting bonding. 5327 */ 5328 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 5329 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 5330 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 5331 struct hci_cp_io_capability_reply cp; 5332 5333 bacpy(&cp.bdaddr, &ev->bdaddr); 5334 /* Change the IO capability from KeyboardDisplay 5335 * to DisplayYesNo as it is not supported by BT spec. */ 5336 cp.capability = (conn->io_capability == 0x04) ? 5337 HCI_IO_DISPLAY_YESNO : conn->io_capability; 5338 5339 /* If we are initiators, there is no remote information yet */ 5340 if (conn->remote_auth == 0xff) { 5341 /* Request MITM protection if our IO caps allow it 5342 * except for the no-bonding case. 5343 */ 5344 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5345 conn->auth_type != HCI_AT_NO_BONDING) 5346 conn->auth_type |= 0x01; 5347 } else { 5348 conn->auth_type = hci_get_auth_req(conn); 5349 } 5350 5351 /* If we're not bondable, force one of the non-bondable 5352 * authentication requirement values. 5353 */ 5354 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 5355 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 5356 5357 cp.authentication = conn->auth_type; 5358 cp.oob_data = bredr_oob_data_present(conn); 5359 5360 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 5361 sizeof(cp), &cp); 5362 } else { 5363 struct hci_cp_io_capability_neg_reply cp; 5364 5365 bacpy(&cp.bdaddr, &ev->bdaddr); 5366 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 5367 5368 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 5369 sizeof(cp), &cp); 5370 } 5371 5372 unlock: 5373 hci_dev_unlock(hdev); 5374 } 5375 5376 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data, 5377 struct sk_buff *skb) 5378 { 5379 struct hci_ev_io_capa_reply *ev = data; 5380 struct hci_conn *conn; 5381 5382 bt_dev_dbg(hdev, ""); 5383 5384 hci_dev_lock(hdev); 5385 5386 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5387 if (!conn) 5388 goto unlock; 5389 5390 conn->remote_cap = ev->capability; 5391 conn->remote_auth = ev->authentication; 5392 5393 unlock: 5394 hci_dev_unlock(hdev); 5395 } 5396 5397 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data, 5398 struct sk_buff *skb) 5399 { 5400 struct hci_ev_user_confirm_req *ev = data; 5401 int loc_mitm, rem_mitm, confirm_hint = 0; 5402 struct hci_conn *conn; 5403 5404 bt_dev_dbg(hdev, ""); 5405 5406 hci_dev_lock(hdev); 5407 5408 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5409 goto unlock; 5410 5411 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5412 if (!conn) 5413 goto unlock; 5414 5415 loc_mitm = (conn->auth_type & 0x01); 5416 rem_mitm = (conn->remote_auth & 0x01); 5417 5418 /* If we require MITM but the remote device can't provide that 5419 * (it has NoInputNoOutput) then reject the confirmation 5420 * request. We check the security level here since it doesn't 5421 * necessarily match conn->auth_type. 5422 */ 5423 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5424 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5425 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM"); 5426 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5427 sizeof(ev->bdaddr), &ev->bdaddr); 5428 goto unlock; 5429 } 5430 5431 /* If no side requires MITM protection; use JUST_CFM method */ 5432 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5433 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5434 5435 /* If we're not the initiator of request authorization and the 5436 * local IO capability is not NoInputNoOutput, use JUST_WORKS 5437 * method (mgmt_user_confirm with confirm_hint set to 1). 5438 */ 5439 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5440 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) { 5441 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor"); 5442 confirm_hint = 1; 5443 goto confirm; 5444 } 5445 5446 /* If there already exists link key in local host, leave the 5447 * decision to user space since the remote device could be 5448 * legitimate or malicious. 5449 */ 5450 if (hci_find_link_key(hdev, &ev->bdaddr)) { 5451 bt_dev_dbg(hdev, "Local host already has link key"); 5452 confirm_hint = 1; 5453 goto confirm; 5454 } 5455 5456 BT_DBG("Auto-accept of user confirmation with %ums delay", 5457 hdev->auto_accept_delay); 5458 5459 if (hdev->auto_accept_delay > 0) { 5460 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 5461 queue_delayed_work(conn->hdev->workqueue, 5462 &conn->auto_accept_work, delay); 5463 goto unlock; 5464 } 5465 5466 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 5467 sizeof(ev->bdaddr), &ev->bdaddr); 5468 goto unlock; 5469 } 5470 5471 confirm: 5472 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 5473 le32_to_cpu(ev->passkey), confirm_hint); 5474 5475 unlock: 5476 hci_dev_unlock(hdev); 5477 } 5478 5479 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data, 5480 struct sk_buff *skb) 5481 { 5482 struct hci_ev_user_passkey_req *ev = data; 5483 5484 bt_dev_dbg(hdev, ""); 5485 5486 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5487 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 5488 } 5489 5490 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data, 5491 struct sk_buff *skb) 5492 { 5493 struct hci_ev_user_passkey_notify *ev = data; 5494 struct hci_conn *conn; 5495 5496 bt_dev_dbg(hdev, ""); 5497 5498 hci_dev_lock(hdev); 5499 5500 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5501 if (!conn) 5502 goto unlock; 5503 5504 conn->passkey_notify = __le32_to_cpu(ev->passkey); 5505 conn->passkey_entered = 0; 5506 5507 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5508 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5509 conn->dst_type, conn->passkey_notify, 5510 conn->passkey_entered); 5511 5512 unlock: 5513 hci_dev_unlock(hdev); 5514 } 5515 5516 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data, 5517 struct sk_buff *skb) 5518 { 5519 struct hci_ev_keypress_notify *ev = data; 5520 struct hci_conn *conn; 5521 5522 bt_dev_dbg(hdev, ""); 5523 5524 hci_dev_lock(hdev); 5525 5526 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5527 if (!conn) 5528 goto unlock; 5529 5530 switch (ev->type) { 5531 case HCI_KEYPRESS_STARTED: 5532 conn->passkey_entered = 0; 5533 goto unlock; 5534 5535 case HCI_KEYPRESS_ENTERED: 5536 conn->passkey_entered++; 5537 break; 5538 5539 case HCI_KEYPRESS_ERASED: 5540 conn->passkey_entered--; 5541 break; 5542 5543 case HCI_KEYPRESS_CLEARED: 5544 conn->passkey_entered = 0; 5545 break; 5546 5547 case HCI_KEYPRESS_COMPLETED: 5548 goto unlock; 5549 } 5550 5551 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5552 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5553 conn->dst_type, conn->passkey_notify, 5554 conn->passkey_entered); 5555 5556 unlock: 5557 hci_dev_unlock(hdev); 5558 } 5559 5560 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data, 5561 struct sk_buff *skb) 5562 { 5563 struct hci_ev_simple_pair_complete *ev = data; 5564 struct hci_conn *conn; 5565 5566 bt_dev_dbg(hdev, ""); 5567 5568 hci_dev_lock(hdev); 5569 5570 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5571 if (!conn || !hci_conn_ssp_enabled(conn)) 5572 goto unlock; 5573 5574 /* Reset the authentication requirement to unknown */ 5575 conn->remote_auth = 0xff; 5576 5577 /* To avoid duplicate auth_failed events to user space we check 5578 * the HCI_CONN_AUTH_PEND flag which will be set if we 5579 * initiated the authentication. A traditional auth_complete 5580 * event gets always produced as initiator and is also mapped to 5581 * the mgmt_auth_failed event */ 5582 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5583 mgmt_auth_failed(conn, ev->status); 5584 5585 hci_conn_drop(conn); 5586 5587 unlock: 5588 hci_dev_unlock(hdev); 5589 } 5590 5591 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data, 5592 struct sk_buff *skb) 5593 { 5594 struct hci_ev_remote_host_features *ev = data; 5595 struct inquiry_entry *ie; 5596 struct hci_conn *conn; 5597 5598 bt_dev_dbg(hdev, ""); 5599 5600 hci_dev_lock(hdev); 5601 5602 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5603 if (conn) 5604 memcpy(conn->features[1], ev->features, 8); 5605 5606 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5607 if (ie) 5608 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5609 5610 hci_dev_unlock(hdev); 5611 } 5612 5613 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata, 5614 struct sk_buff *skb) 5615 { 5616 struct hci_ev_remote_oob_data_request *ev = edata; 5617 struct oob_data *data; 5618 5619 bt_dev_dbg(hdev, ""); 5620 5621 hci_dev_lock(hdev); 5622 5623 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5624 goto unlock; 5625 5626 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5627 if (!data) { 5628 struct hci_cp_remote_oob_data_neg_reply cp; 5629 5630 bacpy(&cp.bdaddr, &ev->bdaddr); 5631 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5632 sizeof(cp), &cp); 5633 goto unlock; 5634 } 5635 5636 if (bredr_sc_enabled(hdev)) { 5637 struct hci_cp_remote_oob_ext_data_reply cp; 5638 5639 bacpy(&cp.bdaddr, &ev->bdaddr); 5640 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5641 memset(cp.hash192, 0, sizeof(cp.hash192)); 5642 memset(cp.rand192, 0, sizeof(cp.rand192)); 5643 } else { 5644 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5645 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5646 } 5647 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 5648 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5649 5650 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5651 sizeof(cp), &cp); 5652 } else { 5653 struct hci_cp_remote_oob_data_reply cp; 5654 5655 bacpy(&cp.bdaddr, &ev->bdaddr); 5656 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5657 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5658 5659 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5660 sizeof(cp), &cp); 5661 } 5662 5663 unlock: 5664 hci_dev_unlock(hdev); 5665 } 5666 5667 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5668 u8 bdaddr_type, bdaddr_t *local_rpa) 5669 { 5670 if (conn->out) { 5671 conn->dst_type = bdaddr_type; 5672 conn->resp_addr_type = bdaddr_type; 5673 bacpy(&conn->resp_addr, bdaddr); 5674 5675 /* Check if the controller has set a Local RPA then it must be 5676 * used instead or hdev->rpa. 5677 */ 5678 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5679 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5680 bacpy(&conn->init_addr, local_rpa); 5681 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5682 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5683 bacpy(&conn->init_addr, &conn->hdev->rpa); 5684 } else { 5685 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5686 &conn->init_addr_type); 5687 } 5688 } else { 5689 conn->resp_addr_type = conn->hdev->adv_addr_type; 5690 /* Check if the controller has set a Local RPA then it must be 5691 * used instead or hdev->rpa. 5692 */ 5693 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5694 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5695 bacpy(&conn->resp_addr, local_rpa); 5696 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5697 /* In case of ext adv, resp_addr will be updated in 5698 * Adv Terminated event. 5699 */ 5700 if (!ext_adv_capable(conn->hdev)) 5701 bacpy(&conn->resp_addr, 5702 &conn->hdev->random_addr); 5703 } else { 5704 bacpy(&conn->resp_addr, &conn->hdev->bdaddr); 5705 } 5706 5707 conn->init_addr_type = bdaddr_type; 5708 bacpy(&conn->init_addr, bdaddr); 5709 5710 /* For incoming connections, set the default minimum 5711 * and maximum connection interval. They will be used 5712 * to check if the parameters are in range and if not 5713 * trigger the connection update procedure. 5714 */ 5715 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval; 5716 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval; 5717 } 5718 } 5719 5720 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5721 bdaddr_t *bdaddr, u8 bdaddr_type, 5722 bdaddr_t *local_rpa, u8 role, u16 handle, 5723 u16 interval, u16 latency, 5724 u16 supervision_timeout) 5725 { 5726 struct hci_conn_params *params; 5727 struct hci_conn *conn; 5728 struct smp_irk *irk; 5729 u8 addr_type; 5730 int err; 5731 5732 hci_dev_lock(hdev); 5733 hci_store_wake_reason(hdev, bdaddr, bdaddr_type); 5734 5735 /* All controllers implicitly stop advertising in the event of a 5736 * connection, so ensure that the state bit is cleared. 5737 */ 5738 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5739 5740 /* Check for existing connection: 5741 * 5742 * 1. If it doesn't exist then use the role to create a new object. 5743 * 2. If it does exist confirm that it is connecting/BT_CONNECT in case 5744 * of initiator/master role since there could be a collision where 5745 * either side is attempting to connect or something like a fuzzing 5746 * testing is trying to play tricks to destroy the hcon object before 5747 * it even attempts to connect (e.g. hcon->state == BT_OPEN). 5748 */ 5749 conn = hci_conn_hash_lookup_role(hdev, LE_LINK, role, bdaddr); 5750 if (!conn || 5751 (conn->role == HCI_ROLE_MASTER && conn->state != BT_CONNECT)) { 5752 /* In case of error status and there is no connection pending 5753 * just unlock as there is nothing to cleanup. 5754 */ 5755 if (status) 5756 goto unlock; 5757 5758 conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, bdaddr_type, 5759 role); 5760 if (IS_ERR(conn)) { 5761 bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn)); 5762 goto unlock; 5763 } 5764 5765 /* If we didn't have a hci_conn object previously 5766 * but we're in central role this must be something 5767 * initiated using an accept list. Since accept list based 5768 * connections are not "first class citizens" we don't 5769 * have full tracking of them. Therefore, we go ahead 5770 * with a "best effort" approach of determining the 5771 * initiator address based on the HCI_PRIVACY flag. 5772 */ 5773 if (conn->out) { 5774 conn->resp_addr_type = bdaddr_type; 5775 bacpy(&conn->resp_addr, bdaddr); 5776 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5777 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5778 bacpy(&conn->init_addr, &hdev->rpa); 5779 } else { 5780 hci_copy_identity_address(hdev, 5781 &conn->init_addr, 5782 &conn->init_addr_type); 5783 } 5784 } 5785 } else { 5786 cancel_delayed_work(&conn->le_conn_timeout); 5787 } 5788 5789 /* The HCI_LE_Connection_Complete event is only sent once per connection. 5790 * Processing it more than once per connection can corrupt kernel memory. 5791 * 5792 * As the connection handle is set here for the first time, it indicates 5793 * whether the connection is already set up. 5794 */ 5795 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5796 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 5797 goto unlock; 5798 } 5799 5800 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa); 5801 5802 /* Lookup the identity address from the stored connection 5803 * address and address type. 5804 * 5805 * When establishing connections to an identity address, the 5806 * connection procedure will store the resolvable random 5807 * address first. Now if it can be converted back into the 5808 * identity address, start using the identity address from 5809 * now on. 5810 */ 5811 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5812 if (irk) { 5813 bacpy(&conn->dst, &irk->bdaddr); 5814 conn->dst_type = irk->addr_type; 5815 } 5816 5817 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL); 5818 5819 /* All connection failure handling is taken care of by the 5820 * hci_conn_failed function which is triggered by the HCI 5821 * request completion callbacks used for connecting. 5822 */ 5823 if (status || hci_conn_set_handle(conn, handle)) 5824 goto unlock; 5825 5826 /* Drop the connection if it has been aborted */ 5827 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) { 5828 hci_conn_drop(conn); 5829 goto unlock; 5830 } 5831 5832 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5833 addr_type = BDADDR_LE_PUBLIC; 5834 else 5835 addr_type = BDADDR_LE_RANDOM; 5836 5837 /* Drop the connection if the device is blocked */ 5838 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) { 5839 hci_conn_drop(conn); 5840 goto unlock; 5841 } 5842 5843 mgmt_device_connected(hdev, conn, NULL, 0); 5844 5845 conn->sec_level = BT_SECURITY_LOW; 5846 conn->state = BT_CONFIG; 5847 5848 /* Store current advertising instance as connection advertising instance 5849 * when software rotation is in use so it can be re-enabled when 5850 * disconnected. 5851 */ 5852 if (!ext_adv_capable(hdev)) 5853 conn->adv_instance = hdev->cur_adv_instance; 5854 5855 conn->le_conn_interval = interval; 5856 conn->le_conn_latency = latency; 5857 conn->le_supv_timeout = supervision_timeout; 5858 5859 hci_debugfs_create_conn(conn); 5860 hci_conn_add_sysfs(conn); 5861 5862 err = hci_le_read_remote_features(conn); 5863 if (err) { 5864 conn->state = BT_CONNECTED; 5865 hci_connect_cfm(conn, status); 5866 } 5867 5868 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 5869 conn->dst_type); 5870 if (params) { 5871 hci_pend_le_list_del_init(params); 5872 if (params->conn) { 5873 hci_conn_drop(params->conn); 5874 hci_conn_put(params->conn); 5875 params->conn = NULL; 5876 } 5877 } 5878 5879 unlock: 5880 hci_update_passive_scan(hdev); 5881 hci_dev_unlock(hdev); 5882 } 5883 5884 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data, 5885 struct sk_buff *skb) 5886 { 5887 struct hci_ev_le_conn_complete *ev = data; 5888 5889 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5890 5891 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5892 NULL, ev->role, le16_to_cpu(ev->handle), 5893 le16_to_cpu(ev->interval), 5894 le16_to_cpu(ev->latency), 5895 le16_to_cpu(ev->supervision_timeout)); 5896 } 5897 5898 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data, 5899 struct sk_buff *skb) 5900 { 5901 struct hci_ev_le_enh_conn_complete *ev = data; 5902 5903 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5904 5905 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 5906 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle), 5907 le16_to_cpu(ev->interval), 5908 le16_to_cpu(ev->latency), 5909 le16_to_cpu(ev->supervision_timeout)); 5910 } 5911 5912 static void hci_le_pa_sync_lost_evt(struct hci_dev *hdev, void *data, 5913 struct sk_buff *skb) 5914 { 5915 struct hci_ev_le_pa_sync_lost *ev = data; 5916 u16 handle = le16_to_cpu(ev->handle); 5917 struct hci_conn *conn; 5918 5919 bt_dev_dbg(hdev, "sync handle 0x%4.4x", handle); 5920 5921 hci_dev_lock(hdev); 5922 5923 /* Delete the pa sync connection */ 5924 conn = hci_conn_hash_lookup_pa_sync_handle(hdev, handle); 5925 if (conn) { 5926 clear_bit(HCI_CONN_BIG_SYNC, &conn->flags); 5927 clear_bit(HCI_CONN_PA_SYNC, &conn->flags); 5928 hci_disconn_cfm(conn, HCI_ERROR_REMOTE_USER_TERM); 5929 hci_conn_del(conn); 5930 } 5931 5932 hci_dev_unlock(hdev); 5933 } 5934 5935 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data, 5936 struct sk_buff *skb) 5937 { 5938 struct hci_evt_le_ext_adv_set_term *ev = data; 5939 struct hci_conn *conn; 5940 struct adv_info *adv, *n; 5941 5942 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5943 5944 /* The Bluetooth Core 5.3 specification clearly states that this event 5945 * shall not be sent when the Host disables the advertising set. So in 5946 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event. 5947 * 5948 * When the Host disables an advertising set, all cleanup is done via 5949 * its command callback and not needed to be duplicated here. 5950 */ 5951 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) { 5952 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event"); 5953 return; 5954 } 5955 5956 hci_dev_lock(hdev); 5957 5958 adv = hci_find_adv_instance(hdev, ev->handle); 5959 5960 if (ev->status) { 5961 if (!adv) 5962 goto unlock; 5963 5964 /* Remove advertising as it has been terminated */ 5965 hci_remove_adv_instance(hdev, ev->handle); 5966 mgmt_advertising_removed(NULL, hdev, ev->handle); 5967 5968 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 5969 if (adv->enabled) 5970 goto unlock; 5971 } 5972 5973 /* We are no longer advertising, clear HCI_LE_ADV */ 5974 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5975 goto unlock; 5976 } 5977 5978 if (adv) 5979 adv->enabled = false; 5980 5981 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 5982 if (conn) { 5983 /* Store handle in the connection so the correct advertising 5984 * instance can be re-enabled when disconnected. 5985 */ 5986 conn->adv_instance = ev->handle; 5987 5988 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM || 5989 bacmp(&conn->resp_addr, BDADDR_ANY)) 5990 goto unlock; 5991 5992 if (!ev->handle) { 5993 bacpy(&conn->resp_addr, &hdev->random_addr); 5994 goto unlock; 5995 } 5996 5997 if (adv) 5998 bacpy(&conn->resp_addr, &adv->random_addr); 5999 } 6000 6001 unlock: 6002 hci_dev_unlock(hdev); 6003 } 6004 6005 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle) 6006 { 6007 struct hci_cp_le_pa_term_sync cp; 6008 6009 memset(&cp, 0, sizeof(cp)); 6010 cp.handle = handle; 6011 6012 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp); 6013 } 6014 6015 static void hci_le_past_received_evt(struct hci_dev *hdev, void *data, 6016 struct sk_buff *skb) 6017 { 6018 struct hci_ev_le_past_received *ev = data; 6019 int mask = hdev->link_mode; 6020 __u8 flags = 0; 6021 struct hci_conn *pa_sync, *conn; 6022 6023 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6024 6025 hci_dev_lock(hdev); 6026 hci_store_wake_reason(hdev, &ev->bdaddr, ev->bdaddr_type); 6027 6028 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6029 6030 conn = hci_conn_hash_lookup_create_pa_sync(hdev); 6031 if (!conn) { 6032 bt_dev_err(hdev, 6033 "Unable to find connection for dst %pMR sid 0x%2.2x", 6034 &ev->bdaddr, ev->sid); 6035 goto unlock; 6036 } 6037 6038 conn->sync_handle = le16_to_cpu(ev->sync_handle); 6039 conn->sid = HCI_SID_INVALID; 6040 6041 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, PA_LINK, 6042 &flags); 6043 if (!(mask & HCI_LM_ACCEPT)) { 6044 hci_le_pa_term_sync(hdev, ev->sync_handle); 6045 goto unlock; 6046 } 6047 6048 if (!(flags & HCI_PROTO_DEFER)) 6049 goto unlock; 6050 6051 /* Add connection to indicate PA sync event */ 6052 pa_sync = hci_conn_add_unset(hdev, PA_LINK, BDADDR_ANY, 0, 6053 HCI_ROLE_SLAVE); 6054 6055 if (IS_ERR(pa_sync)) 6056 goto unlock; 6057 6058 pa_sync->sync_handle = le16_to_cpu(ev->sync_handle); 6059 6060 if (ev->status) { 6061 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags); 6062 6063 /* Notify iso layer */ 6064 hci_connect_cfm(pa_sync, ev->status); 6065 } 6066 6067 unlock: 6068 hci_dev_unlock(hdev); 6069 } 6070 6071 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data, 6072 struct sk_buff *skb) 6073 { 6074 struct hci_ev_le_conn_update_complete *ev = data; 6075 struct hci_conn *conn; 6076 6077 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6078 6079 if (ev->status) 6080 return; 6081 6082 hci_dev_lock(hdev); 6083 6084 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6085 if (conn) { 6086 conn->le_conn_interval = le16_to_cpu(ev->interval); 6087 conn->le_conn_latency = le16_to_cpu(ev->latency); 6088 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 6089 } 6090 6091 hci_dev_unlock(hdev); 6092 } 6093 6094 /* This function requires the caller holds hdev->lock */ 6095 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 6096 bdaddr_t *addr, 6097 u8 addr_type, bool addr_resolved, 6098 u8 adv_type, u8 phy, u8 sec_phy) 6099 { 6100 struct hci_conn *conn; 6101 struct hci_conn_params *params; 6102 6103 /* If the event is not connectable don't proceed further */ 6104 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 6105 return NULL; 6106 6107 /* Ignore if the device is blocked or hdev is suspended */ 6108 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) || 6109 hdev->suspended) 6110 return NULL; 6111 6112 /* Most controller will fail if we try to create new connections 6113 * while we have an existing one in peripheral role. 6114 */ 6115 if (hdev->conn_hash.le_num_peripheral > 0 && 6116 (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_LE_STATES) || 6117 !(hdev->le_states[3] & 0x10))) 6118 return NULL; 6119 6120 /* If we're not connectable only connect devices that we have in 6121 * our pend_le_conns list. 6122 */ 6123 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 6124 addr_type); 6125 if (!params) 6126 return NULL; 6127 6128 if (!params->explicit_connect) { 6129 switch (params->auto_connect) { 6130 case HCI_AUTO_CONN_DIRECT: 6131 /* Only devices advertising with ADV_DIRECT_IND are 6132 * triggering a connection attempt. This is allowing 6133 * incoming connections from peripheral devices. 6134 */ 6135 if (adv_type != LE_ADV_DIRECT_IND) 6136 return NULL; 6137 break; 6138 case HCI_AUTO_CONN_ALWAYS: 6139 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 6140 * are triggering a connection attempt. This means 6141 * that incoming connections from peripheral device are 6142 * accepted and also outgoing connections to peripheral 6143 * devices are established when found. 6144 */ 6145 break; 6146 default: 6147 return NULL; 6148 } 6149 } 6150 6151 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved, 6152 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout, 6153 HCI_ROLE_MASTER, phy, sec_phy); 6154 if (!IS_ERR(conn)) { 6155 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 6156 * by higher layer that tried to connect, if no then 6157 * store the pointer since we don't really have any 6158 * other owner of the object besides the params that 6159 * triggered it. This way we can abort the connection if 6160 * the parameters get removed and keep the reference 6161 * count consistent once the connection is established. 6162 */ 6163 6164 if (!params->explicit_connect) 6165 params->conn = hci_conn_get(conn); 6166 6167 return conn; 6168 } 6169 6170 switch (PTR_ERR(conn)) { 6171 case -EBUSY: 6172 /* If hci_connect() returns -EBUSY it means there is already 6173 * an LE connection attempt going on. Since controllers don't 6174 * support more than one connection attempt at the time, we 6175 * don't consider this an error case. 6176 */ 6177 break; 6178 default: 6179 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 6180 return NULL; 6181 } 6182 6183 return NULL; 6184 } 6185 6186 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 6187 u8 bdaddr_type, bdaddr_t *direct_addr, 6188 u8 direct_addr_type, u8 phy, u8 sec_phy, s8 rssi, 6189 u8 *data, u8 len, bool ext_adv, bool ctl_time, 6190 u64 instant) 6191 { 6192 struct discovery_state *d = &hdev->discovery; 6193 struct smp_irk *irk; 6194 struct hci_conn *conn; 6195 bool match, bdaddr_resolved; 6196 u32 flags; 6197 u8 *ptr; 6198 6199 switch (type) { 6200 case LE_ADV_IND: 6201 case LE_ADV_DIRECT_IND: 6202 case LE_ADV_SCAN_IND: 6203 case LE_ADV_NONCONN_IND: 6204 case LE_ADV_SCAN_RSP: 6205 break; 6206 default: 6207 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 6208 "type: 0x%02x", type); 6209 return; 6210 } 6211 6212 if (len > max_adv_len(hdev)) { 6213 bt_dev_err_ratelimited(hdev, 6214 "adv larger than maximum supported"); 6215 return; 6216 } 6217 6218 /* Find the end of the data in case the report contains padded zero 6219 * bytes at the end causing an invalid length value. 6220 * 6221 * When data is NULL, len is 0 so there is no need for extra ptr 6222 * check as 'ptr < data + 0' is already false in such case. 6223 */ 6224 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 6225 if (ptr + 1 + *ptr > data + len) 6226 break; 6227 } 6228 6229 /* Adjust for actual length. This handles the case when remote 6230 * device is advertising with incorrect data length. 6231 */ 6232 len = ptr - data; 6233 6234 /* If the direct address is present, then this report is from 6235 * a LE Direct Advertising Report event. In that case it is 6236 * important to see if the address is matching the local 6237 * controller address. 6238 * 6239 * If local privacy is not enable the controller shall not be 6240 * generating such event since according to its documentation it is only 6241 * valid for filter_policy 0x02 and 0x03, but the fact that it did 6242 * generate LE Direct Advertising Report means it is probably broken and 6243 * won't generate any other event which can potentially break 6244 * auto-connect logic so in case local privacy is not enable this 6245 * ignores the direct_addr so it works as a regular report. 6246 */ 6247 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr && 6248 hci_dev_test_flag(hdev, HCI_PRIVACY)) { 6249 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type, 6250 &bdaddr_resolved); 6251 6252 /* Only resolvable random addresses are valid for these 6253 * kind of reports and others can be ignored. 6254 */ 6255 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 6256 return; 6257 6258 /* If the local IRK of the controller does not match 6259 * with the resolvable random address provided, then 6260 * this report can be ignored. 6261 */ 6262 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 6263 return; 6264 } 6265 6266 /* Check if we need to convert to identity address */ 6267 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 6268 if (irk) { 6269 bdaddr = &irk->bdaddr; 6270 bdaddr_type = irk->addr_type; 6271 } 6272 6273 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved); 6274 6275 /* Check if we have been requested to connect to this device. 6276 * 6277 * direct_addr is set only for directed advertising reports (it is NULL 6278 * for advertising reports) and is already verified to be RPA above. 6279 */ 6280 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved, 6281 type, phy, sec_phy); 6282 if (!ext_adv && conn && type == LE_ADV_IND && 6283 len <= max_adv_len(hdev)) { 6284 /* Store report for later inclusion by 6285 * mgmt_device_connected 6286 */ 6287 memcpy(conn->le_adv_data, data, len); 6288 conn->le_adv_data_len = len; 6289 } 6290 6291 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 6292 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 6293 else 6294 flags = 0; 6295 6296 /* All scan results should be sent up for Mesh systems */ 6297 if (hci_dev_test_flag(hdev, HCI_MESH)) { 6298 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6299 rssi, flags, data, len, NULL, 0, instant); 6300 return; 6301 } 6302 6303 /* Passive scanning shouldn't trigger any device found events, 6304 * except for devices marked as CONN_REPORT for which we do send 6305 * device found events, or advertisement monitoring requested. 6306 */ 6307 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 6308 if (type == LE_ADV_DIRECT_IND) 6309 return; 6310 6311 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 6312 bdaddr, bdaddr_type) && 6313 idr_is_empty(&hdev->adv_monitors_idr)) 6314 return; 6315 6316 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6317 rssi, flags, data, len, NULL, 0, 0); 6318 return; 6319 } 6320 6321 /* When receiving a scan response, then there is no way to 6322 * know if the remote device is connectable or not. However 6323 * since scan responses are merged with a previously seen 6324 * advertising report, the flags field from that report 6325 * will be used. 6326 * 6327 * In the unlikely case that a controller just sends a scan 6328 * response event that doesn't match the pending report, then 6329 * it is marked as a standalone SCAN_RSP. 6330 */ 6331 if (type == LE_ADV_SCAN_RSP) 6332 flags = MGMT_DEV_FOUND_SCAN_RSP; 6333 6334 /* If there's nothing pending either store the data from this 6335 * event or send an immediate device found event if the data 6336 * should not be stored for later. 6337 */ 6338 if (!has_pending_adv_report(hdev)) { 6339 /* If the report will trigger a SCAN_REQ store it for 6340 * later merging. 6341 */ 6342 if (!ext_adv && (type == LE_ADV_IND || 6343 type == LE_ADV_SCAN_IND)) { 6344 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6345 rssi, flags, data, len); 6346 return; 6347 } 6348 6349 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6350 rssi, flags, data, len, NULL, 0, 0); 6351 return; 6352 } 6353 6354 /* Check if the pending report is for the same device as the new one */ 6355 match = (!bacmp(bdaddr, &d->last_adv_addr) && 6356 bdaddr_type == d->last_adv_addr_type); 6357 6358 /* If the pending data doesn't match this report or this isn't a 6359 * scan response (e.g. we got a duplicate ADV_IND) then force 6360 * sending of the pending data. 6361 */ 6362 if (type != LE_ADV_SCAN_RSP || !match) { 6363 /* Send out whatever is in the cache, but skip duplicates */ 6364 if (!match) 6365 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6366 d->last_adv_addr_type, NULL, 6367 d->last_adv_rssi, d->last_adv_flags, 6368 d->last_adv_data, 6369 d->last_adv_data_len, NULL, 0, 0); 6370 6371 /* If the new report will trigger a SCAN_REQ store it for 6372 * later merging. 6373 */ 6374 if (!ext_adv && (type == LE_ADV_IND || 6375 type == LE_ADV_SCAN_IND)) { 6376 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6377 rssi, flags, data, len); 6378 return; 6379 } 6380 6381 /* The advertising reports cannot be merged, so clear 6382 * the pending report and send out a device found event. 6383 */ 6384 clear_pending_adv_report(hdev); 6385 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6386 rssi, flags, data, len, NULL, 0, 0); 6387 return; 6388 } 6389 6390 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 6391 * the new event is a SCAN_RSP. We can therefore proceed with 6392 * sending a merged device found event. 6393 */ 6394 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6395 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 6396 d->last_adv_data, d->last_adv_data_len, data, len, 0); 6397 clear_pending_adv_report(hdev); 6398 } 6399 6400 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data, 6401 struct sk_buff *skb) 6402 { 6403 struct hci_ev_le_advertising_report *ev = data; 6404 u64 instant = jiffies; 6405 6406 if (!ev->num) 6407 return; 6408 6409 hci_dev_lock(hdev); 6410 6411 while (ev->num--) { 6412 struct hci_ev_le_advertising_info *info; 6413 s8 rssi; 6414 6415 info = hci_le_ev_skb_pull(hdev, skb, 6416 HCI_EV_LE_ADVERTISING_REPORT, 6417 sizeof(*info)); 6418 if (!info) 6419 break; 6420 6421 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT, 6422 info->length + 1)) 6423 break; 6424 6425 hci_store_wake_reason(hdev, &info->bdaddr, info->bdaddr_type); 6426 6427 if (info->length <= max_adv_len(hdev)) { 6428 rssi = info->data[info->length]; 6429 process_adv_report(hdev, info->type, &info->bdaddr, 6430 info->bdaddr_type, NULL, 0, 6431 HCI_ADV_PHY_1M, 0, rssi, 6432 info->data, info->length, false, 6433 false, instant); 6434 } else { 6435 bt_dev_err(hdev, "Dropping invalid advertising data"); 6436 } 6437 } 6438 6439 hci_dev_unlock(hdev); 6440 } 6441 6442 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 6443 { 6444 u16 pdu_type = evt_type & ~LE_EXT_ADV_DATA_STATUS_MASK; 6445 6446 if (!pdu_type) 6447 return LE_ADV_NONCONN_IND; 6448 6449 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 6450 switch (evt_type) { 6451 case LE_LEGACY_ADV_IND: 6452 return LE_ADV_IND; 6453 case LE_LEGACY_ADV_DIRECT_IND: 6454 return LE_ADV_DIRECT_IND; 6455 case LE_LEGACY_ADV_SCAN_IND: 6456 return LE_ADV_SCAN_IND; 6457 case LE_LEGACY_NONCONN_IND: 6458 return LE_ADV_NONCONN_IND; 6459 case LE_LEGACY_SCAN_RSP_ADV: 6460 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 6461 return LE_ADV_SCAN_RSP; 6462 } 6463 6464 goto invalid; 6465 } 6466 6467 if (evt_type & LE_EXT_ADV_CONN_IND) { 6468 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6469 return LE_ADV_DIRECT_IND; 6470 6471 return LE_ADV_IND; 6472 } 6473 6474 if (evt_type & LE_EXT_ADV_SCAN_RSP) 6475 return LE_ADV_SCAN_RSP; 6476 6477 if (evt_type & LE_EXT_ADV_SCAN_IND) 6478 return LE_ADV_SCAN_IND; 6479 6480 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6481 return LE_ADV_NONCONN_IND; 6482 6483 invalid: 6484 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 6485 evt_type); 6486 6487 return LE_ADV_INVALID; 6488 } 6489 6490 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data, 6491 struct sk_buff *skb) 6492 { 6493 struct hci_ev_le_ext_adv_report *ev = data; 6494 u64 instant = jiffies; 6495 6496 if (!ev->num) 6497 return; 6498 6499 hci_dev_lock(hdev); 6500 6501 while (ev->num--) { 6502 struct hci_ev_le_ext_adv_info *info; 6503 u8 legacy_evt_type; 6504 u16 evt_type; 6505 6506 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6507 sizeof(*info)); 6508 if (!info) 6509 break; 6510 6511 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6512 info->length)) 6513 break; 6514 6515 hci_store_wake_reason(hdev, &info->bdaddr, info->bdaddr_type); 6516 6517 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK; 6518 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 6519 6520 if (hci_test_quirk(hdev, 6521 HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY)) { 6522 info->primary_phy &= 0x1f; 6523 info->secondary_phy &= 0x1f; 6524 } 6525 6526 /* Check if PA Sync is pending and if the hci_conn SID has not 6527 * been set update it. 6528 */ 6529 if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) { 6530 struct hci_conn *conn; 6531 6532 conn = hci_conn_hash_lookup_create_pa_sync(hdev); 6533 if (conn && conn->sid == HCI_SID_INVALID) 6534 conn->sid = info->sid; 6535 } 6536 6537 if (legacy_evt_type != LE_ADV_INVALID) { 6538 process_adv_report(hdev, legacy_evt_type, &info->bdaddr, 6539 info->bdaddr_type, NULL, 0, 6540 info->primary_phy, 6541 info->secondary_phy, 6542 info->rssi, info->data, info->length, 6543 !(evt_type & LE_EXT_ADV_LEGACY_PDU), 6544 false, instant); 6545 } 6546 } 6547 6548 hci_dev_unlock(hdev); 6549 } 6550 6551 static void hci_le_pa_sync_established_evt(struct hci_dev *hdev, void *data, 6552 struct sk_buff *skb) 6553 { 6554 struct hci_ev_le_pa_sync_established *ev = data; 6555 int mask = hdev->link_mode; 6556 __u8 flags = 0; 6557 struct hci_conn *pa_sync, *conn; 6558 6559 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6560 6561 hci_dev_lock(hdev); 6562 hci_store_wake_reason(hdev, &ev->bdaddr, ev->bdaddr_type); 6563 6564 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6565 6566 conn = hci_conn_hash_lookup_create_pa_sync(hdev); 6567 if (!conn) { 6568 bt_dev_err(hdev, 6569 "Unable to find connection for dst %pMR sid 0x%2.2x", 6570 &ev->bdaddr, ev->sid); 6571 goto unlock; 6572 } 6573 6574 clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags); 6575 6576 conn->sync_handle = le16_to_cpu(ev->handle); 6577 conn->sid = HCI_SID_INVALID; 6578 6579 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, PA_LINK, 6580 &flags); 6581 if (!(mask & HCI_LM_ACCEPT)) { 6582 hci_le_pa_term_sync(hdev, ev->handle); 6583 goto unlock; 6584 } 6585 6586 if (!(flags & HCI_PROTO_DEFER)) 6587 goto unlock; 6588 6589 /* Add connection to indicate PA sync event */ 6590 pa_sync = hci_conn_add_unset(hdev, PA_LINK, BDADDR_ANY, 0, 6591 HCI_ROLE_SLAVE); 6592 6593 if (IS_ERR(pa_sync)) 6594 goto unlock; 6595 6596 pa_sync->sync_handle = le16_to_cpu(ev->handle); 6597 6598 if (ev->status) { 6599 set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags); 6600 6601 /* Notify iso layer */ 6602 hci_connect_cfm(pa_sync, ev->status); 6603 } 6604 6605 unlock: 6606 hci_dev_unlock(hdev); 6607 } 6608 6609 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data, 6610 struct sk_buff *skb) 6611 { 6612 struct hci_ev_le_per_adv_report *ev = data; 6613 int mask = hdev->link_mode; 6614 __u8 flags = 0; 6615 struct hci_conn *pa_sync; 6616 6617 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 6618 6619 hci_dev_lock(hdev); 6620 6621 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, PA_LINK, &flags); 6622 if (!(mask & HCI_LM_ACCEPT)) 6623 goto unlock; 6624 6625 if (!(flags & HCI_PROTO_DEFER)) 6626 goto unlock; 6627 6628 pa_sync = hci_conn_hash_lookup_pa_sync_handle 6629 (hdev, 6630 le16_to_cpu(ev->sync_handle)); 6631 6632 if (!pa_sync) 6633 goto unlock; 6634 6635 if (ev->data_status == LE_PA_DATA_COMPLETE && 6636 !test_and_set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags)) { 6637 /* Notify iso layer */ 6638 hci_connect_cfm(pa_sync, 0); 6639 6640 /* Notify MGMT layer */ 6641 mgmt_device_connected(hdev, pa_sync, NULL, 0); 6642 } 6643 6644 unlock: 6645 hci_dev_unlock(hdev); 6646 } 6647 6648 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data, 6649 struct sk_buff *skb) 6650 { 6651 struct hci_ev_le_remote_feat_complete *ev = data; 6652 struct hci_conn *conn; 6653 6654 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6655 6656 hci_dev_lock(hdev); 6657 6658 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6659 if (conn) { 6660 if (!ev->status) { 6661 memcpy(conn->le_features, ev->features, 8); 6662 6663 /* Update supported PHYs */ 6664 if (!(conn->le_features[1] & HCI_LE_PHY_2M)) { 6665 conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_2M; 6666 conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_2M; 6667 } 6668 6669 if (!(conn->le_features[1] & HCI_LE_PHY_CODED)) { 6670 conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_CODED; 6671 conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_CODED; 6672 } 6673 } 6674 6675 if (conn->state == BT_CONFIG) { 6676 __u8 status; 6677 6678 /* If the local controller supports peripheral-initiated 6679 * features exchange, but the remote controller does 6680 * not, then it is possible that the error code 0x1a 6681 * for unsupported remote feature gets returned. 6682 * 6683 * In this specific case, allow the connection to 6684 * transition into connected state and mark it as 6685 * successful. 6686 */ 6687 if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE && 6688 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 6689 status = 0x00; 6690 else 6691 status = ev->status; 6692 6693 conn->state = BT_CONNECTED; 6694 hci_connect_cfm(conn, status); 6695 } 6696 } 6697 6698 hci_dev_unlock(hdev); 6699 } 6700 6701 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data, 6702 struct sk_buff *skb) 6703 { 6704 struct hci_ev_le_ltk_req *ev = data; 6705 struct hci_cp_le_ltk_reply cp; 6706 struct hci_cp_le_ltk_neg_reply neg; 6707 struct hci_conn *conn; 6708 struct smp_ltk *ltk; 6709 6710 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6711 6712 hci_dev_lock(hdev); 6713 6714 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6715 if (conn == NULL) 6716 goto not_found; 6717 6718 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 6719 if (!ltk) 6720 goto not_found; 6721 6722 if (smp_ltk_is_sc(ltk)) { 6723 /* With SC both EDiv and Rand are set to zero */ 6724 if (ev->ediv || ev->rand) 6725 goto not_found; 6726 } else { 6727 /* For non-SC keys check that EDiv and Rand match */ 6728 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 6729 goto not_found; 6730 } 6731 6732 memcpy(cp.ltk, ltk->val, ltk->enc_size); 6733 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 6734 cp.handle = cpu_to_le16(conn->handle); 6735 6736 conn->pending_sec_level = smp_ltk_sec_level(ltk); 6737 6738 conn->enc_key_size = ltk->enc_size; 6739 6740 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 6741 6742 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 6743 * temporary key used to encrypt a connection following 6744 * pairing. It is used during the Encrypted Session Setup to 6745 * distribute the keys. Later, security can be re-established 6746 * using a distributed LTK. 6747 */ 6748 if (ltk->type == SMP_STK) { 6749 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6750 list_del_rcu(<k->list); 6751 kfree_rcu(ltk, rcu); 6752 } else { 6753 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6754 } 6755 6756 hci_dev_unlock(hdev); 6757 6758 return; 6759 6760 not_found: 6761 neg.handle = ev->handle; 6762 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 6763 hci_dev_unlock(hdev); 6764 } 6765 6766 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 6767 u8 reason) 6768 { 6769 struct hci_cp_le_conn_param_req_neg_reply cp; 6770 6771 cp.handle = cpu_to_le16(handle); 6772 cp.reason = reason; 6773 6774 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 6775 &cp); 6776 } 6777 6778 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, 6779 struct sk_buff *skb) 6780 { 6781 struct hci_ev_le_remote_conn_param_req *ev = data; 6782 struct hci_cp_le_conn_param_req_reply cp; 6783 struct hci_conn *hcon; 6784 u16 handle, min, max, latency, timeout; 6785 6786 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6787 6788 handle = le16_to_cpu(ev->handle); 6789 min = le16_to_cpu(ev->interval_min); 6790 max = le16_to_cpu(ev->interval_max); 6791 latency = le16_to_cpu(ev->latency); 6792 timeout = le16_to_cpu(ev->timeout); 6793 6794 hci_dev_lock(hdev); 6795 6796 hcon = hci_conn_hash_lookup_handle(hdev, handle); 6797 if (!hcon || hcon->state != BT_CONNECTED) { 6798 send_conn_param_neg_reply(hdev, handle, 6799 HCI_ERROR_UNKNOWN_CONN_ID); 6800 goto unlock; 6801 } 6802 6803 if (max > hcon->le_conn_max_interval) { 6804 send_conn_param_neg_reply(hdev, handle, 6805 HCI_ERROR_INVALID_LL_PARAMS); 6806 goto unlock; 6807 } 6808 6809 if (hci_check_conn_params(min, max, latency, timeout)) { 6810 send_conn_param_neg_reply(hdev, handle, 6811 HCI_ERROR_INVALID_LL_PARAMS); 6812 goto unlock; 6813 } 6814 6815 if (hcon->role == HCI_ROLE_MASTER) { 6816 struct hci_conn_params *params; 6817 u8 store_hint; 6818 6819 params = hci_conn_params_lookup(hdev, &hcon->dst, 6820 hcon->dst_type); 6821 if (params) { 6822 params->conn_min_interval = min; 6823 params->conn_max_interval = max; 6824 params->conn_latency = latency; 6825 params->supervision_timeout = timeout; 6826 store_hint = 0x01; 6827 } else { 6828 store_hint = 0x00; 6829 } 6830 6831 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 6832 store_hint, min, max, latency, timeout); 6833 } 6834 6835 cp.handle = ev->handle; 6836 cp.interval_min = ev->interval_min; 6837 cp.interval_max = ev->interval_max; 6838 cp.latency = ev->latency; 6839 cp.timeout = ev->timeout; 6840 cp.min_ce_len = 0; 6841 cp.max_ce_len = 0; 6842 6843 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 6844 6845 unlock: 6846 hci_dev_unlock(hdev); 6847 } 6848 6849 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, 6850 struct sk_buff *skb) 6851 { 6852 struct hci_ev_le_direct_adv_report *ev = data; 6853 u64 instant = jiffies; 6854 int i; 6855 6856 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT, 6857 flex_array_size(ev, info, ev->num))) 6858 return; 6859 6860 if (!ev->num) 6861 return; 6862 6863 hci_dev_lock(hdev); 6864 6865 for (i = 0; i < ev->num; i++) { 6866 struct hci_ev_le_direct_adv_info *info = &ev->info[i]; 6867 6868 hci_store_wake_reason(hdev, &info->bdaddr, info->bdaddr_type); 6869 6870 process_adv_report(hdev, info->type, &info->bdaddr, 6871 info->bdaddr_type, &info->direct_addr, 6872 info->direct_addr_type, HCI_ADV_PHY_1M, 0, 6873 info->rssi, NULL, 0, false, false, instant); 6874 } 6875 6876 hci_dev_unlock(hdev); 6877 } 6878 6879 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data, 6880 struct sk_buff *skb) 6881 { 6882 struct hci_ev_le_phy_update_complete *ev = data; 6883 struct hci_conn *conn; 6884 6885 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6886 6887 if (ev->status) 6888 return; 6889 6890 hci_dev_lock(hdev); 6891 6892 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6893 if (!conn) 6894 goto unlock; 6895 6896 conn->le_tx_phy = ev->tx_phy; 6897 conn->le_rx_phy = ev->rx_phy; 6898 6899 unlock: 6900 hci_dev_unlock(hdev); 6901 } 6902 6903 /* Convert LE PHY to QoS PHYs */ 6904 static u8 le_phy_qos(u8 phy) 6905 { 6906 switch (phy) { 6907 case 0x01: 6908 return HCI_LE_SET_PHY_1M; 6909 case 0x02: 6910 return HCI_LE_SET_PHY_2M; 6911 case 0x03: 6912 return HCI_LE_SET_PHY_CODED; 6913 } 6914 6915 return 0; 6916 } 6917 6918 static void hci_le_cis_established_evt(struct hci_dev *hdev, void *data, 6919 struct sk_buff *skb) 6920 { 6921 struct hci_evt_le_cis_established *ev = data; 6922 struct hci_conn *conn; 6923 struct bt_iso_qos *qos; 6924 bool pending = false; 6925 u16 handle = __le16_to_cpu(ev->handle); 6926 u32 c_sdu_interval, p_sdu_interval; 6927 6928 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6929 6930 hci_dev_lock(hdev); 6931 6932 conn = hci_conn_hash_lookup_handle(hdev, handle); 6933 if (!conn) { 6934 bt_dev_err(hdev, 6935 "Unable to find connection with handle 0x%4.4x", 6936 handle); 6937 goto unlock; 6938 } 6939 6940 if (conn->type != CIS_LINK) { 6941 bt_dev_err(hdev, 6942 "Invalid connection link type handle 0x%4.4x", 6943 handle); 6944 goto unlock; 6945 } 6946 6947 qos = &conn->iso_qos; 6948 6949 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags); 6950 6951 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G 6952 * page 3075: 6953 * Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) × 6954 * ISO_Interval + SDU_Interval_C_To_P 6955 * ... 6956 * SDU_Interval = (CIG_Sync_Delay + (FT) x ISO_Interval) - 6957 * Transport_Latency 6958 */ 6959 c_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) + 6960 (ev->c_ft * le16_to_cpu(ev->interval) * 1250)) - 6961 get_unaligned_le24(ev->c_latency); 6962 p_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) + 6963 (ev->p_ft * le16_to_cpu(ev->interval) * 1250)) - 6964 get_unaligned_le24(ev->p_latency); 6965 6966 switch (conn->role) { 6967 case HCI_ROLE_SLAVE: 6968 qos->ucast.in.interval = c_sdu_interval; 6969 qos->ucast.out.interval = p_sdu_interval; 6970 /* Convert Transport Latency (us) to Latency (msec) */ 6971 qos->ucast.in.latency = 6972 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6973 1000); 6974 qos->ucast.out.latency = 6975 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6976 1000); 6977 qos->ucast.in.sdu = ev->c_bn ? le16_to_cpu(ev->c_mtu) : 0; 6978 qos->ucast.out.sdu = ev->p_bn ? le16_to_cpu(ev->p_mtu) : 0; 6979 qos->ucast.in.phys = le_phy_qos(ev->c_phy); 6980 qos->ucast.out.phys = le_phy_qos(ev->p_phy); 6981 break; 6982 case HCI_ROLE_MASTER: 6983 qos->ucast.in.interval = p_sdu_interval; 6984 qos->ucast.out.interval = c_sdu_interval; 6985 /* Convert Transport Latency (us) to Latency (msec) */ 6986 qos->ucast.out.latency = 6987 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6988 1000); 6989 qos->ucast.in.latency = 6990 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6991 1000); 6992 qos->ucast.out.sdu = ev->c_bn ? le16_to_cpu(ev->c_mtu) : 0; 6993 qos->ucast.in.sdu = ev->p_bn ? le16_to_cpu(ev->p_mtu) : 0; 6994 qos->ucast.out.phys = le_phy_qos(ev->c_phy); 6995 qos->ucast.in.phys = le_phy_qos(ev->p_phy); 6996 break; 6997 } 6998 6999 if (!ev->status) { 7000 conn->state = BT_CONNECTED; 7001 hci_debugfs_create_conn(conn); 7002 hci_conn_add_sysfs(conn); 7003 hci_iso_setup_path(conn); 7004 goto unlock; 7005 } 7006 7007 conn->state = BT_CLOSED; 7008 hci_connect_cfm(conn, ev->status); 7009 hci_conn_del(conn); 7010 7011 unlock: 7012 if (pending) 7013 hci_le_create_cis_pending(hdev); 7014 7015 hci_dev_unlock(hdev); 7016 } 7017 7018 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle) 7019 { 7020 struct hci_cp_le_reject_cis cp; 7021 7022 memset(&cp, 0, sizeof(cp)); 7023 cp.handle = handle; 7024 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 7025 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); 7026 } 7027 7028 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle) 7029 { 7030 struct hci_cp_le_accept_cis cp; 7031 7032 memset(&cp, 0, sizeof(cp)); 7033 cp.handle = handle; 7034 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 7035 } 7036 7037 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, 7038 struct sk_buff *skb) 7039 { 7040 struct hci_evt_le_cis_req *ev = data; 7041 u16 acl_handle, cis_handle; 7042 struct hci_conn *acl, *cis; 7043 int mask; 7044 __u8 flags = 0; 7045 7046 acl_handle = __le16_to_cpu(ev->acl_handle); 7047 cis_handle = __le16_to_cpu(ev->cis_handle); 7048 7049 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x", 7050 acl_handle, cis_handle, ev->cig_id, ev->cis_id); 7051 7052 hci_dev_lock(hdev); 7053 7054 acl = hci_conn_hash_lookup_handle(hdev, acl_handle); 7055 if (!acl) 7056 goto unlock; 7057 7058 mask = hci_proto_connect_ind(hdev, &acl->dst, CIS_LINK, &flags); 7059 if (!(mask & HCI_LM_ACCEPT)) { 7060 hci_le_reject_cis(hdev, ev->cis_handle); 7061 goto unlock; 7062 } 7063 7064 cis = hci_conn_hash_lookup_handle(hdev, cis_handle); 7065 if (!cis) { 7066 cis = hci_conn_add(hdev, CIS_LINK, &acl->dst, acl->dst_type, 7067 HCI_ROLE_SLAVE, cis_handle); 7068 if (IS_ERR(cis)) { 7069 hci_le_reject_cis(hdev, ev->cis_handle); 7070 goto unlock; 7071 } 7072 } 7073 7074 cis->iso_qos.ucast.cig = ev->cig_id; 7075 cis->iso_qos.ucast.cis = ev->cis_id; 7076 7077 if (!(flags & HCI_PROTO_DEFER)) { 7078 hci_le_accept_cis(hdev, ev->cis_handle); 7079 } else { 7080 cis->state = BT_CONNECT2; 7081 hci_connect_cfm(cis, 0); 7082 } 7083 7084 unlock: 7085 hci_dev_unlock(hdev); 7086 } 7087 7088 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data) 7089 { 7090 u8 handle = PTR_UINT(data); 7091 7092 return hci_le_terminate_big_sync(hdev, handle, 7093 HCI_ERROR_LOCAL_HOST_TERM); 7094 } 7095 7096 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, 7097 struct sk_buff *skb) 7098 { 7099 struct hci_evt_le_create_big_complete *ev = data; 7100 struct hci_conn *conn; 7101 __u8 i = 0; 7102 7103 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 7104 7105 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE, 7106 flex_array_size(ev, bis_handle, ev->num_bis))) 7107 return; 7108 7109 hci_dev_lock(hdev); 7110 7111 /* Connect all BISes that are bound to the BIG */ 7112 while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle, 7113 BT_BOUND, 7114 HCI_ROLE_MASTER))) { 7115 if (ev->status) { 7116 hci_connect_cfm(conn, ev->status); 7117 hci_conn_del(conn); 7118 continue; 7119 } 7120 7121 if (hci_conn_set_handle(conn, 7122 __le16_to_cpu(ev->bis_handle[i++]))) 7123 continue; 7124 7125 conn->state = BT_CONNECTED; 7126 set_bit(HCI_CONN_BIG_CREATED, &conn->flags); 7127 hci_debugfs_create_conn(conn); 7128 hci_conn_add_sysfs(conn); 7129 hci_iso_setup_path(conn); 7130 } 7131 7132 if (!ev->status && !i) 7133 /* If no BISes have been connected for the BIG, 7134 * terminate. This is in case all bound connections 7135 * have been closed before the BIG creation 7136 * has completed. 7137 */ 7138 hci_cmd_sync_queue(hdev, hci_iso_term_big_sync, 7139 UINT_PTR(ev->handle), NULL); 7140 7141 hci_dev_unlock(hdev); 7142 } 7143 7144 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, 7145 struct sk_buff *skb) 7146 { 7147 struct hci_evt_le_big_sync_established *ev = data; 7148 struct hci_conn *bis, *conn; 7149 int i; 7150 7151 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 7152 7153 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABLISHED, 7154 flex_array_size(ev, bis, ev->num_bis))) 7155 return; 7156 7157 hci_dev_lock(hdev); 7158 7159 conn = hci_conn_hash_lookup_big_sync_pend(hdev, ev->handle, 7160 ev->num_bis); 7161 if (!conn) { 7162 bt_dev_err(hdev, 7163 "Unable to find connection for big 0x%2.2x", 7164 ev->handle); 7165 goto unlock; 7166 } 7167 7168 clear_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags); 7169 7170 conn->num_bis = 0; 7171 memset(conn->bis, 0, sizeof(conn->num_bis)); 7172 7173 for (i = 0; i < ev->num_bis; i++) { 7174 u16 handle = le16_to_cpu(ev->bis[i]); 7175 __le32 interval; 7176 7177 bis = hci_conn_hash_lookup_handle(hdev, handle); 7178 if (!bis) { 7179 if (handle > HCI_CONN_HANDLE_MAX) { 7180 bt_dev_dbg(hdev, "ignore too large handle %u", handle); 7181 continue; 7182 } 7183 bis = hci_conn_add(hdev, BIS_LINK, BDADDR_ANY, 0, 7184 HCI_ROLE_SLAVE, handle); 7185 if (IS_ERR(bis)) 7186 continue; 7187 } 7188 7189 if (ev->status != 0x42) 7190 /* Mark PA sync as established */ 7191 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 7192 7193 bis->sync_handle = conn->sync_handle; 7194 bis->iso_qos.bcast.big = ev->handle; 7195 memset(&interval, 0, sizeof(interval)); 7196 memcpy(&interval, ev->latency, sizeof(ev->latency)); 7197 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval); 7198 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */ 7199 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100; 7200 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); 7201 7202 if (!ev->status) { 7203 bis->state = BT_CONNECTED; 7204 set_bit(HCI_CONN_BIG_SYNC, &bis->flags); 7205 hci_debugfs_create_conn(bis); 7206 hci_conn_add_sysfs(bis); 7207 hci_iso_setup_path(bis); 7208 } 7209 } 7210 7211 /* In case BIG sync failed, notify each failed connection to 7212 * the user after all hci connections have been added 7213 */ 7214 if (ev->status) 7215 for (i = 0; i < ev->num_bis; i++) { 7216 u16 handle = le16_to_cpu(ev->bis[i]); 7217 7218 bis = hci_conn_hash_lookup_handle(hdev, handle); 7219 if (!bis) 7220 continue; 7221 7222 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); 7223 hci_connect_cfm(bis, ev->status); 7224 } 7225 7226 unlock: 7227 hci_dev_unlock(hdev); 7228 } 7229 7230 static void hci_le_big_sync_lost_evt(struct hci_dev *hdev, void *data, 7231 struct sk_buff *skb) 7232 { 7233 struct hci_evt_le_big_sync_lost *ev = data; 7234 struct hci_conn *bis; 7235 bool mgmt_conn = false; 7236 7237 bt_dev_dbg(hdev, "big handle 0x%2.2x", ev->handle); 7238 7239 hci_dev_lock(hdev); 7240 7241 /* Delete each bis connection */ 7242 while ((bis = hci_conn_hash_lookup_big_state(hdev, ev->handle, 7243 BT_CONNECTED, 7244 HCI_ROLE_SLAVE))) { 7245 if (!mgmt_conn) { 7246 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, 7247 &bis->flags); 7248 mgmt_device_disconnected(hdev, &bis->dst, bis->type, 7249 bis->dst_type, ev->reason, 7250 mgmt_conn); 7251 } 7252 7253 clear_bit(HCI_CONN_BIG_SYNC, &bis->flags); 7254 hci_disconn_cfm(bis, ev->reason); 7255 hci_conn_del(bis); 7256 } 7257 7258 hci_dev_unlock(hdev); 7259 } 7260 7261 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data, 7262 struct sk_buff *skb) 7263 { 7264 struct hci_evt_le_big_info_adv_report *ev = data; 7265 int mask = hdev->link_mode; 7266 __u8 flags = 0; 7267 struct hci_conn *pa_sync; 7268 7269 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 7270 7271 hci_dev_lock(hdev); 7272 7273 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, BIS_LINK, &flags); 7274 if (!(mask & HCI_LM_ACCEPT)) 7275 goto unlock; 7276 7277 if (!(flags & HCI_PROTO_DEFER)) 7278 goto unlock; 7279 7280 pa_sync = hci_conn_hash_lookup_pa_sync_handle 7281 (hdev, 7282 le16_to_cpu(ev->sync_handle)); 7283 7284 if (!pa_sync) 7285 goto unlock; 7286 7287 pa_sync->iso_qos.bcast.encryption = ev->encryption; 7288 7289 /* Notify iso layer */ 7290 hci_connect_cfm(pa_sync, 0); 7291 7292 unlock: 7293 hci_dev_unlock(hdev); 7294 } 7295 7296 static void hci_le_read_all_remote_features_evt(struct hci_dev *hdev, 7297 void *data, struct sk_buff *skb) 7298 { 7299 struct hci_evt_le_read_all_remote_features_complete *ev = data; 7300 struct hci_conn *conn; 7301 7302 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 7303 7304 hci_dev_lock(hdev); 7305 7306 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 7307 if (!conn) 7308 goto unlock; 7309 7310 if (!ev->status) { 7311 memcpy(conn->le_features, ev->features, 248); 7312 7313 /* Update supported PHYs */ 7314 if (!(conn->le_features[1] & HCI_LE_PHY_2M)) { 7315 conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_2M; 7316 conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_2M; 7317 } 7318 7319 if (!(conn->le_features[1] & HCI_LE_PHY_CODED)) { 7320 conn->le_tx_def_phys &= ~HCI_LE_SET_PHY_CODED; 7321 conn->le_rx_def_phys &= ~HCI_LE_SET_PHY_CODED; 7322 } 7323 } 7324 7325 if (conn->state == BT_CONFIG) { 7326 __u8 status; 7327 7328 /* If the local controller supports peripheral-initiated 7329 * features exchange, but the remote controller does 7330 * not, then it is possible that the error code 0x1a 7331 * for unsupported remote feature gets returned. 7332 * 7333 * In this specific case, allow the connection to 7334 * transition into connected state and mark it as 7335 * successful. 7336 */ 7337 if (!conn->out && 7338 ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE && 7339 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 7340 status = 0x00; 7341 else 7342 status = ev->status; 7343 7344 conn->state = BT_CONNECTED; 7345 hci_connect_cfm(conn, status); 7346 } 7347 7348 unlock: 7349 hci_dev_unlock(hdev); 7350 } 7351 7352 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \ 7353 [_op] = { \ 7354 .func = _func, \ 7355 .min_len = _min_len, \ 7356 .max_len = _max_len, \ 7357 } 7358 7359 #define HCI_LE_EV(_op, _func, _len) \ 7360 HCI_LE_EV_VL(_op, _func, _len, _len) 7361 7362 #define HCI_LE_EV_STATUS(_op, _func) \ 7363 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status)) 7364 7365 /* Entries in this table shall have their position according to the subevent 7366 * opcode they handle so the use of the macros above is recommend since it does 7367 * attempt to initialize at its proper index using Designated Initializers that 7368 * way events without a callback function can be omitted. 7369 */ 7370 static const struct hci_le_ev { 7371 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 7372 u16 min_len; 7373 u16 max_len; 7374 } hci_le_ev_table[U8_MAX + 1] = { 7375 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */ 7376 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt, 7377 sizeof(struct hci_ev_le_conn_complete)), 7378 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */ 7379 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt, 7380 sizeof(struct hci_ev_le_advertising_report), 7381 HCI_MAX_EVENT_SIZE), 7382 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */ 7383 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE, 7384 hci_le_conn_update_complete_evt, 7385 sizeof(struct hci_ev_le_conn_update_complete)), 7386 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */ 7387 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE, 7388 hci_le_remote_feat_complete_evt, 7389 sizeof(struct hci_ev_le_remote_feat_complete)), 7390 /* [0x05 = HCI_EV_LE_LTK_REQ] */ 7391 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt, 7392 sizeof(struct hci_ev_le_ltk_req)), 7393 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */ 7394 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ, 7395 hci_le_remote_conn_param_req_evt, 7396 sizeof(struct hci_ev_le_remote_conn_param_req)), 7397 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */ 7398 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE, 7399 hci_le_enh_conn_complete_evt, 7400 sizeof(struct hci_ev_le_enh_conn_complete)), 7401 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */ 7402 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt, 7403 sizeof(struct hci_ev_le_direct_adv_report), 7404 HCI_MAX_EVENT_SIZE), 7405 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */ 7406 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt, 7407 sizeof(struct hci_ev_le_phy_update_complete)), 7408 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */ 7409 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt, 7410 sizeof(struct hci_ev_le_ext_adv_report), 7411 HCI_MAX_EVENT_SIZE), 7412 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */ 7413 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED, 7414 hci_le_pa_sync_established_evt, 7415 sizeof(struct hci_ev_le_pa_sync_established)), 7416 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */ 7417 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT, 7418 hci_le_per_adv_report_evt, 7419 sizeof(struct hci_ev_le_per_adv_report), 7420 HCI_MAX_EVENT_SIZE), 7421 /* [0x10 = HCI_EV_LE_PA_SYNC_LOST] */ 7422 HCI_LE_EV(HCI_EV_LE_PA_SYNC_LOST, hci_le_pa_sync_lost_evt, 7423 sizeof(struct hci_ev_le_pa_sync_lost)), 7424 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */ 7425 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt, 7426 sizeof(struct hci_evt_le_ext_adv_set_term)), 7427 /* [0x18 = HCI_EVT_LE_PAST_RECEIVED] */ 7428 HCI_LE_EV(HCI_EV_LE_PAST_RECEIVED, 7429 hci_le_past_received_evt, 7430 sizeof(struct hci_ev_le_past_received)), 7431 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */ 7432 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_established_evt, 7433 sizeof(struct hci_evt_le_cis_established)), 7434 /* [0x1a = HCI_EVT_LE_CIS_REQ] */ 7435 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt, 7436 sizeof(struct hci_evt_le_cis_req)), 7437 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */ 7438 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE, 7439 hci_le_create_big_complete_evt, 7440 sizeof(struct hci_evt_le_create_big_complete), 7441 HCI_MAX_EVENT_SIZE), 7442 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABLISHED] */ 7443 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABLISHED, 7444 hci_le_big_sync_established_evt, 7445 sizeof(struct hci_evt_le_big_sync_established), 7446 HCI_MAX_EVENT_SIZE), 7447 /* [0x1e = HCI_EVT_LE_BIG_SYNC_LOST] */ 7448 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_LOST, 7449 hci_le_big_sync_lost_evt, 7450 sizeof(struct hci_evt_le_big_sync_lost), 7451 HCI_MAX_EVENT_SIZE), 7452 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */ 7453 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT, 7454 hci_le_big_info_adv_report_evt, 7455 sizeof(struct hci_evt_le_big_info_adv_report), 7456 HCI_MAX_EVENT_SIZE), 7457 /* [0x2b = HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE] */ 7458 HCI_LE_EV_VL(HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE, 7459 hci_le_read_all_remote_features_evt, 7460 sizeof(struct 7461 hci_evt_le_read_all_remote_features_complete), 7462 HCI_MAX_EVENT_SIZE), 7463 }; 7464 7465 static void hci_le_meta_evt(struct hci_dev *hdev, void *data, 7466 struct sk_buff *skb, u16 *opcode, u8 *status, 7467 hci_req_complete_t *req_complete, 7468 hci_req_complete_skb_t *req_complete_skb) 7469 { 7470 struct hci_ev_le_meta *ev = data; 7471 const struct hci_le_ev *subev; 7472 7473 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent); 7474 7475 /* Only match event if command OGF is for LE */ 7476 if (hdev->req_skb && 7477 (hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 || 7478 hci_skb_opcode(hdev->req_skb) == HCI_OP_NOP) && 7479 hci_skb_event(hdev->req_skb) == ev->subevent) { 7480 *opcode = hci_skb_opcode(hdev->req_skb); 7481 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete, 7482 req_complete_skb); 7483 } 7484 7485 subev = &hci_le_ev_table[ev->subevent]; 7486 if (!subev->func) 7487 return; 7488 7489 if (skb->len < subev->min_len) { 7490 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u", 7491 ev->subevent, skb->len, subev->min_len); 7492 return; 7493 } 7494 7495 /* Just warn if the length is over max_len size it still be 7496 * possible to partially parse the event so leave to callback to 7497 * decide if that is acceptable. 7498 */ 7499 if (skb->len > subev->max_len) 7500 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u", 7501 ev->subevent, skb->len, subev->max_len); 7502 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len); 7503 if (!data) 7504 return; 7505 7506 subev->func(hdev, data, skb); 7507 } 7508 7509 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 7510 u8 event, struct sk_buff *skb) 7511 { 7512 struct hci_ev_cmd_complete *ev; 7513 struct hci_event_hdr *hdr; 7514 7515 if (!skb) 7516 return false; 7517 7518 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr)); 7519 if (!hdr) 7520 return false; 7521 7522 if (event) { 7523 if (hdr->evt != event) 7524 return false; 7525 return true; 7526 } 7527 7528 /* Check if request ended in Command Status - no way to retrieve 7529 * any extra parameters in this case. 7530 */ 7531 if (hdr->evt == HCI_EV_CMD_STATUS) 7532 return false; 7533 7534 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 7535 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 7536 hdr->evt); 7537 return false; 7538 } 7539 7540 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev)); 7541 if (!ev) 7542 return false; 7543 7544 if (opcode != __le16_to_cpu(ev->opcode)) { 7545 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 7546 __le16_to_cpu(ev->opcode)); 7547 return false; 7548 } 7549 7550 return true; 7551 } 7552 7553 static void hci_store_wake_reason(struct hci_dev *hdev, 7554 const bdaddr_t *bdaddr, u8 addr_type) 7555 __must_hold(&hdev->lock) 7556 { 7557 lockdep_assert_held(&hdev->lock); 7558 7559 /* If we are currently suspended and this is the first BT event seen, 7560 * save the wake reason associated with the event. 7561 */ 7562 if (!hdev->suspended || hdev->wake_reason) 7563 return; 7564 7565 if (!bdaddr) { 7566 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 7567 return; 7568 } 7569 7570 /* Default to remote wake. Values for wake_reason are documented in the 7571 * Bluez mgmt api docs. 7572 */ 7573 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 7574 bacpy(&hdev->wake_addr, bdaddr); 7575 hdev->wake_addr_type = addr_type; 7576 } 7577 7578 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \ 7579 [_op] = { \ 7580 .req = false, \ 7581 .func = _func, \ 7582 .min_len = _min_len, \ 7583 .max_len = _max_len, \ 7584 } 7585 7586 #define HCI_EV(_op, _func, _len) \ 7587 HCI_EV_VL(_op, _func, _len, _len) 7588 7589 #define HCI_EV_STATUS(_op, _func) \ 7590 HCI_EV(_op, _func, sizeof(struct hci_ev_status)) 7591 7592 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \ 7593 [_op] = { \ 7594 .req = true, \ 7595 .func_req = _func, \ 7596 .min_len = _min_len, \ 7597 .max_len = _max_len, \ 7598 } 7599 7600 #define HCI_EV_REQ(_op, _func, _len) \ 7601 HCI_EV_REQ_VL(_op, _func, _len, _len) 7602 7603 /* Entries in this table shall have their position according to the event opcode 7604 * they handle so the use of the macros above is recommend since it does attempt 7605 * to initialize at its proper index using Designated Initializers that way 7606 * events without a callback function don't have entered. 7607 */ 7608 static const struct hci_ev { 7609 bool req; 7610 union { 7611 void (*func)(struct hci_dev *hdev, void *data, 7612 struct sk_buff *skb); 7613 void (*func_req)(struct hci_dev *hdev, void *data, 7614 struct sk_buff *skb, u16 *opcode, u8 *status, 7615 hci_req_complete_t *req_complete, 7616 hci_req_complete_skb_t *req_complete_skb); 7617 }; 7618 u16 min_len; 7619 u16 max_len; 7620 } hci_ev_table[U8_MAX + 1] = { 7621 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */ 7622 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt), 7623 /* [0x02 = HCI_EV_INQUIRY_RESULT] */ 7624 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt, 7625 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE), 7626 /* [0x03 = HCI_EV_CONN_COMPLETE] */ 7627 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt, 7628 sizeof(struct hci_ev_conn_complete)), 7629 /* [0x04 = HCI_EV_CONN_REQUEST] */ 7630 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt, 7631 sizeof(struct hci_ev_conn_request)), 7632 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */ 7633 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt, 7634 sizeof(struct hci_ev_disconn_complete)), 7635 /* [0x06 = HCI_EV_AUTH_COMPLETE] */ 7636 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt, 7637 sizeof(struct hci_ev_auth_complete)), 7638 /* [0x07 = HCI_EV_REMOTE_NAME] */ 7639 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt, 7640 sizeof(struct hci_ev_remote_name)), 7641 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */ 7642 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt, 7643 sizeof(struct hci_ev_encrypt_change)), 7644 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */ 7645 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE, 7646 hci_change_link_key_complete_evt, 7647 sizeof(struct hci_ev_change_link_key_complete)), 7648 /* [0x0b = HCI_EV_REMOTE_FEATURES] */ 7649 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt, 7650 sizeof(struct hci_ev_remote_features)), 7651 /* [0x0e = HCI_EV_CMD_COMPLETE] */ 7652 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt, 7653 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE), 7654 /* [0x0f = HCI_EV_CMD_STATUS] */ 7655 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt, 7656 sizeof(struct hci_ev_cmd_status)), 7657 /* [0x10 = HCI_EV_CMD_STATUS] */ 7658 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt, 7659 sizeof(struct hci_ev_hardware_error)), 7660 /* [0x12 = HCI_EV_ROLE_CHANGE] */ 7661 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt, 7662 sizeof(struct hci_ev_role_change)), 7663 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */ 7664 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt, 7665 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE), 7666 /* [0x14 = HCI_EV_MODE_CHANGE] */ 7667 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt, 7668 sizeof(struct hci_ev_mode_change)), 7669 /* [0x16 = HCI_EV_PIN_CODE_REQ] */ 7670 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt, 7671 sizeof(struct hci_ev_pin_code_req)), 7672 /* [0x17 = HCI_EV_LINK_KEY_REQ] */ 7673 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt, 7674 sizeof(struct hci_ev_link_key_req)), 7675 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */ 7676 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt, 7677 sizeof(struct hci_ev_link_key_notify)), 7678 /* [0x1c = HCI_EV_CLOCK_OFFSET] */ 7679 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt, 7680 sizeof(struct hci_ev_clock_offset)), 7681 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */ 7682 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt, 7683 sizeof(struct hci_ev_pkt_type_change)), 7684 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */ 7685 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt, 7686 sizeof(struct hci_ev_pscan_rep_mode)), 7687 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */ 7688 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI, 7689 hci_inquiry_result_with_rssi_evt, 7690 sizeof(struct hci_ev_inquiry_result_rssi), 7691 HCI_MAX_EVENT_SIZE), 7692 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */ 7693 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt, 7694 sizeof(struct hci_ev_remote_ext_features)), 7695 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */ 7696 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt, 7697 sizeof(struct hci_ev_sync_conn_complete)), 7698 /* [0x2f = HCI_EV_EXTENDED_INQUIRY_RESULT] */ 7699 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT, 7700 hci_extended_inquiry_result_evt, 7701 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE), 7702 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */ 7703 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt, 7704 sizeof(struct hci_ev_key_refresh_complete)), 7705 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */ 7706 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt, 7707 sizeof(struct hci_ev_io_capa_request)), 7708 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */ 7709 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt, 7710 sizeof(struct hci_ev_io_capa_reply)), 7711 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */ 7712 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt, 7713 sizeof(struct hci_ev_user_confirm_req)), 7714 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */ 7715 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt, 7716 sizeof(struct hci_ev_user_passkey_req)), 7717 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */ 7718 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt, 7719 sizeof(struct hci_ev_remote_oob_data_request)), 7720 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */ 7721 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt, 7722 sizeof(struct hci_ev_simple_pair_complete)), 7723 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */ 7724 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt, 7725 sizeof(struct hci_ev_user_passkey_notify)), 7726 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */ 7727 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt, 7728 sizeof(struct hci_ev_keypress_notify)), 7729 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */ 7730 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt, 7731 sizeof(struct hci_ev_remote_host_features)), 7732 /* [0x3e = HCI_EV_LE_META] */ 7733 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt, 7734 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE), 7735 /* [0xff = HCI_EV_VENDOR] */ 7736 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE), 7737 }; 7738 7739 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb, 7740 u16 *opcode, u8 *status, 7741 hci_req_complete_t *req_complete, 7742 hci_req_complete_skb_t *req_complete_skb) 7743 { 7744 const struct hci_ev *ev = &hci_ev_table[event]; 7745 void *data; 7746 7747 if (!ev->func) 7748 return; 7749 7750 if (skb->len < ev->min_len) { 7751 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u", 7752 event, skb->len, ev->min_len); 7753 return; 7754 } 7755 7756 /* Just warn if the length is over max_len size it still be 7757 * possible to partially parse the event so leave to callback to 7758 * decide if that is acceptable. 7759 */ 7760 if (skb->len > ev->max_len) 7761 bt_dev_warn_ratelimited(hdev, 7762 "unexpected event 0x%2.2x length: %u > %u", 7763 event, skb->len, ev->max_len); 7764 7765 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len); 7766 if (!data) 7767 return; 7768 7769 if (ev->req) 7770 ev->func_req(hdev, data, skb, opcode, status, req_complete, 7771 req_complete_skb); 7772 else 7773 ev->func(hdev, data, skb); 7774 } 7775 7776 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 7777 { 7778 struct hci_event_hdr *hdr = (void *) skb->data; 7779 hci_req_complete_t req_complete = NULL; 7780 hci_req_complete_skb_t req_complete_skb = NULL; 7781 struct sk_buff *orig_skb = NULL; 7782 u8 status = 0, event, req_evt = 0; 7783 u16 opcode = HCI_OP_NOP; 7784 7785 if (skb->len < sizeof(*hdr)) { 7786 bt_dev_err(hdev, "Malformed HCI Event"); 7787 goto done; 7788 } 7789 7790 hci_dev_lock(hdev); 7791 kfree_skb(hdev->recv_event); 7792 hdev->recv_event = skb_clone(skb, GFP_KERNEL); 7793 hci_dev_unlock(hdev); 7794 7795 event = hdr->evt; 7796 if (!event) { 7797 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x", 7798 event); 7799 goto done; 7800 } 7801 7802 /* Only match event if command OGF is not for LE */ 7803 if (hdev->req_skb && 7804 hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 && 7805 hci_skb_event(hdev->req_skb) == event) { 7806 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb), 7807 status, &req_complete, &req_complete_skb); 7808 req_evt = event; 7809 } 7810 7811 /* If it looks like we might end up having to call 7812 * req_complete_skb, store a pristine copy of the skb since the 7813 * various handlers may modify the original one through 7814 * skb_pull() calls, etc. 7815 */ 7816 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 7817 event == HCI_EV_CMD_COMPLETE) 7818 orig_skb = skb_clone(skb, GFP_KERNEL); 7819 7820 skb_pull(skb, HCI_EVENT_HDR_SIZE); 7821 7822 bt_dev_dbg(hdev, "event 0x%2.2x", event); 7823 7824 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete, 7825 &req_complete_skb); 7826 7827 hci_dev_lock(hdev); 7828 hci_store_wake_reason(hdev, NULL, 0); 7829 hci_dev_unlock(hdev); 7830 7831 if (req_complete) { 7832 req_complete(hdev, status, opcode); 7833 } else if (req_complete_skb) { 7834 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 7835 kfree_skb(orig_skb); 7836 orig_skb = NULL; 7837 } 7838 req_complete_skb(hdev, status, opcode, orig_skb); 7839 } 7840 7841 done: 7842 kfree_skb(orig_skb); 7843 kfree_skb(skb); 7844 hdev->stat.evt_rx++; 7845 } 7846