1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "a2mp.h" 34 #include "amp.h" 35 36 /* Handle HCI Event packets */ 37 38 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 39 { 40 __u8 status = *((__u8 *) skb->data); 41 42 BT_DBG("%s status 0x%2.2x", hdev->name, status); 43 44 if (status) 45 return; 46 47 clear_bit(HCI_INQUIRY, &hdev->flags); 48 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 49 wake_up_bit(&hdev->flags, HCI_INQUIRY); 50 51 hci_conn_check_pending(hdev); 52 } 53 54 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 55 { 56 __u8 status = *((__u8 *) skb->data); 57 58 BT_DBG("%s status 0x%2.2x", hdev->name, status); 59 60 if (status) 61 return; 62 63 set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags); 64 } 65 66 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 67 { 68 __u8 status = *((__u8 *) skb->data); 69 70 BT_DBG("%s status 0x%2.2x", hdev->name, status); 71 72 if (status) 73 return; 74 75 clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags); 76 77 hci_conn_check_pending(hdev); 78 } 79 80 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 81 struct sk_buff *skb) 82 { 83 BT_DBG("%s", hdev->name); 84 } 85 86 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 87 { 88 struct hci_rp_role_discovery *rp = (void *) skb->data; 89 struct hci_conn *conn; 90 91 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 92 93 if (rp->status) 94 return; 95 96 hci_dev_lock(hdev); 97 98 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 99 if (conn) { 100 if (rp->role) 101 conn->link_mode &= ~HCI_LM_MASTER; 102 else 103 conn->link_mode |= HCI_LM_MASTER; 104 } 105 106 hci_dev_unlock(hdev); 107 } 108 109 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 110 { 111 struct hci_rp_read_link_policy *rp = (void *) skb->data; 112 struct hci_conn *conn; 113 114 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 115 116 if (rp->status) 117 return; 118 119 hci_dev_lock(hdev); 120 121 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 122 if (conn) 123 conn->link_policy = __le16_to_cpu(rp->policy); 124 125 hci_dev_unlock(hdev); 126 } 127 128 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 129 { 130 struct hci_rp_write_link_policy *rp = (void *) skb->data; 131 struct hci_conn *conn; 132 void *sent; 133 134 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 135 136 if (rp->status) 137 return; 138 139 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 140 if (!sent) 141 return; 142 143 hci_dev_lock(hdev); 144 145 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 146 if (conn) 147 conn->link_policy = get_unaligned_le16(sent + 2); 148 149 hci_dev_unlock(hdev); 150 } 151 152 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 153 struct sk_buff *skb) 154 { 155 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 156 157 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 158 159 if (rp->status) 160 return; 161 162 hdev->link_policy = __le16_to_cpu(rp->policy); 163 } 164 165 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 166 struct sk_buff *skb) 167 { 168 __u8 status = *((__u8 *) skb->data); 169 void *sent; 170 171 BT_DBG("%s status 0x%2.2x", hdev->name, status); 172 173 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 174 if (!sent) 175 return; 176 177 if (!status) 178 hdev->link_policy = get_unaligned_le16(sent); 179 } 180 181 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 182 { 183 __u8 status = *((__u8 *) skb->data); 184 185 BT_DBG("%s status 0x%2.2x", hdev->name, status); 186 187 clear_bit(HCI_RESET, &hdev->flags); 188 189 /* Reset all non-persistent flags */ 190 hdev->dev_flags &= ~HCI_PERSISTENT_MASK; 191 192 hdev->discovery.state = DISCOVERY_STOPPED; 193 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 194 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 195 196 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 197 hdev->adv_data_len = 0; 198 199 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 200 hdev->scan_rsp_data_len = 0; 201 202 hdev->le_scan_type = LE_SCAN_PASSIVE; 203 204 hdev->ssp_debug_mode = 0; 205 } 206 207 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 208 { 209 __u8 status = *((__u8 *) skb->data); 210 void *sent; 211 212 BT_DBG("%s status 0x%2.2x", hdev->name, status); 213 214 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 215 if (!sent) 216 return; 217 218 hci_dev_lock(hdev); 219 220 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 221 mgmt_set_local_name_complete(hdev, sent, status); 222 else if (!status) 223 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 224 225 hci_dev_unlock(hdev); 226 } 227 228 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 229 { 230 struct hci_rp_read_local_name *rp = (void *) skb->data; 231 232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 233 234 if (rp->status) 235 return; 236 237 if (test_bit(HCI_SETUP, &hdev->dev_flags)) 238 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 239 } 240 241 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 242 { 243 __u8 status = *((__u8 *) skb->data); 244 void *sent; 245 246 BT_DBG("%s status 0x%2.2x", hdev->name, status); 247 248 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 249 if (!sent) 250 return; 251 252 if (!status) { 253 __u8 param = *((__u8 *) sent); 254 255 if (param == AUTH_ENABLED) 256 set_bit(HCI_AUTH, &hdev->flags); 257 else 258 clear_bit(HCI_AUTH, &hdev->flags); 259 } 260 261 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 262 mgmt_auth_enable_complete(hdev, status); 263 } 264 265 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 266 { 267 __u8 status = *((__u8 *) skb->data); 268 void *sent; 269 270 BT_DBG("%s status 0x%2.2x", hdev->name, status); 271 272 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 273 if (!sent) 274 return; 275 276 if (!status) { 277 __u8 param = *((__u8 *) sent); 278 279 if (param) 280 set_bit(HCI_ENCRYPT, &hdev->flags); 281 else 282 clear_bit(HCI_ENCRYPT, &hdev->flags); 283 } 284 } 285 286 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 287 { 288 __u8 param, status = *((__u8 *) skb->data); 289 int old_pscan, old_iscan; 290 void *sent; 291 292 BT_DBG("%s status 0x%2.2x", hdev->name, status); 293 294 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 295 if (!sent) 296 return; 297 298 param = *((__u8 *) sent); 299 300 hci_dev_lock(hdev); 301 302 if (status) { 303 mgmt_write_scan_failed(hdev, param, status); 304 hdev->discov_timeout = 0; 305 goto done; 306 } 307 308 /* We need to ensure that we set this back on if someone changed 309 * the scan mode through a raw HCI socket. 310 */ 311 set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags); 312 313 old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags); 314 old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags); 315 316 if (param & SCAN_INQUIRY) { 317 set_bit(HCI_ISCAN, &hdev->flags); 318 if (!old_iscan) 319 mgmt_discoverable(hdev, 1); 320 } else if (old_iscan) 321 mgmt_discoverable(hdev, 0); 322 323 if (param & SCAN_PAGE) { 324 set_bit(HCI_PSCAN, &hdev->flags); 325 if (!old_pscan) 326 mgmt_connectable(hdev, 1); 327 } else if (old_pscan) 328 mgmt_connectable(hdev, 0); 329 330 done: 331 hci_dev_unlock(hdev); 332 } 333 334 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 335 { 336 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 337 338 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 339 340 if (rp->status) 341 return; 342 343 memcpy(hdev->dev_class, rp->dev_class, 3); 344 345 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 346 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 347 } 348 349 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 350 { 351 __u8 status = *((__u8 *) skb->data); 352 void *sent; 353 354 BT_DBG("%s status 0x%2.2x", hdev->name, status); 355 356 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 357 if (!sent) 358 return; 359 360 hci_dev_lock(hdev); 361 362 if (status == 0) 363 memcpy(hdev->dev_class, sent, 3); 364 365 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 366 mgmt_set_class_of_dev_complete(hdev, sent, status); 367 368 hci_dev_unlock(hdev); 369 } 370 371 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 372 { 373 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 374 __u16 setting; 375 376 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 377 378 if (rp->status) 379 return; 380 381 setting = __le16_to_cpu(rp->voice_setting); 382 383 if (hdev->voice_setting == setting) 384 return; 385 386 hdev->voice_setting = setting; 387 388 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 389 390 if (hdev->notify) 391 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 392 } 393 394 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 395 struct sk_buff *skb) 396 { 397 __u8 status = *((__u8 *) skb->data); 398 __u16 setting; 399 void *sent; 400 401 BT_DBG("%s status 0x%2.2x", hdev->name, status); 402 403 if (status) 404 return; 405 406 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 407 if (!sent) 408 return; 409 410 setting = get_unaligned_le16(sent); 411 412 if (hdev->voice_setting == setting) 413 return; 414 415 hdev->voice_setting = setting; 416 417 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 418 419 if (hdev->notify) 420 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 421 } 422 423 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 424 struct sk_buff *skb) 425 { 426 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 427 428 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 429 430 if (rp->status) 431 return; 432 433 hdev->num_iac = rp->num_iac; 434 435 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 436 } 437 438 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 439 { 440 __u8 status = *((__u8 *) skb->data); 441 struct hci_cp_write_ssp_mode *sent; 442 443 BT_DBG("%s status 0x%2.2x", hdev->name, status); 444 445 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 446 if (!sent) 447 return; 448 449 if (!status) { 450 if (sent->mode) 451 hdev->features[1][0] |= LMP_HOST_SSP; 452 else 453 hdev->features[1][0] &= ~LMP_HOST_SSP; 454 } 455 456 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 457 mgmt_ssp_enable_complete(hdev, sent->mode, status); 458 else if (!status) { 459 if (sent->mode) 460 set_bit(HCI_SSP_ENABLED, &hdev->dev_flags); 461 else 462 clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags); 463 } 464 } 465 466 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 467 { 468 u8 status = *((u8 *) skb->data); 469 struct hci_cp_write_sc_support *sent; 470 471 BT_DBG("%s status 0x%2.2x", hdev->name, status); 472 473 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 474 if (!sent) 475 return; 476 477 if (!status) { 478 if (sent->support) 479 hdev->features[1][0] |= LMP_HOST_SC; 480 else 481 hdev->features[1][0] &= ~LMP_HOST_SC; 482 } 483 484 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 485 mgmt_sc_enable_complete(hdev, sent->support, status); 486 else if (!status) { 487 if (sent->support) 488 set_bit(HCI_SC_ENABLED, &hdev->dev_flags); 489 else 490 clear_bit(HCI_SC_ENABLED, &hdev->dev_flags); 491 } 492 } 493 494 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 495 { 496 struct hci_rp_read_local_version *rp = (void *) skb->data; 497 498 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 499 500 if (rp->status) 501 return; 502 503 if (test_bit(HCI_SETUP, &hdev->dev_flags)) { 504 hdev->hci_ver = rp->hci_ver; 505 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 506 hdev->lmp_ver = rp->lmp_ver; 507 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 508 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 509 } 510 } 511 512 static void hci_cc_read_local_commands(struct hci_dev *hdev, 513 struct sk_buff *skb) 514 { 515 struct hci_rp_read_local_commands *rp = (void *) skb->data; 516 517 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 518 519 if (rp->status) 520 return; 521 522 if (test_bit(HCI_SETUP, &hdev->dev_flags)) 523 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 524 } 525 526 static void hci_cc_read_local_features(struct hci_dev *hdev, 527 struct sk_buff *skb) 528 { 529 struct hci_rp_read_local_features *rp = (void *) skb->data; 530 531 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 532 533 if (rp->status) 534 return; 535 536 memcpy(hdev->features, rp->features, 8); 537 538 /* Adjust default settings according to features 539 * supported by device. */ 540 541 if (hdev->features[0][0] & LMP_3SLOT) 542 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 543 544 if (hdev->features[0][0] & LMP_5SLOT) 545 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 546 547 if (hdev->features[0][1] & LMP_HV2) { 548 hdev->pkt_type |= (HCI_HV2); 549 hdev->esco_type |= (ESCO_HV2); 550 } 551 552 if (hdev->features[0][1] & LMP_HV3) { 553 hdev->pkt_type |= (HCI_HV3); 554 hdev->esco_type |= (ESCO_HV3); 555 } 556 557 if (lmp_esco_capable(hdev)) 558 hdev->esco_type |= (ESCO_EV3); 559 560 if (hdev->features[0][4] & LMP_EV4) 561 hdev->esco_type |= (ESCO_EV4); 562 563 if (hdev->features[0][4] & LMP_EV5) 564 hdev->esco_type |= (ESCO_EV5); 565 566 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 567 hdev->esco_type |= (ESCO_2EV3); 568 569 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 570 hdev->esco_type |= (ESCO_3EV3); 571 572 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 573 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 574 } 575 576 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 577 struct sk_buff *skb) 578 { 579 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 580 581 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 582 583 if (rp->status) 584 return; 585 586 if (hdev->max_page < rp->max_page) 587 hdev->max_page = rp->max_page; 588 589 if (rp->page < HCI_MAX_PAGES) 590 memcpy(hdev->features[rp->page], rp->features, 8); 591 } 592 593 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 594 struct sk_buff *skb) 595 { 596 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 597 598 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 599 600 if (!rp->status) 601 hdev->flow_ctl_mode = rp->mode; 602 } 603 604 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 605 { 606 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 607 608 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 609 610 if (rp->status) 611 return; 612 613 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 614 hdev->sco_mtu = rp->sco_mtu; 615 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 616 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 617 618 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 619 hdev->sco_mtu = 64; 620 hdev->sco_pkts = 8; 621 } 622 623 hdev->acl_cnt = hdev->acl_pkts; 624 hdev->sco_cnt = hdev->sco_pkts; 625 626 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 627 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 628 } 629 630 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 631 { 632 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 633 634 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 635 636 if (!rp->status) 637 bacpy(&hdev->bdaddr, &rp->bdaddr); 638 } 639 640 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 641 struct sk_buff *skb) 642 { 643 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 644 645 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 646 647 if (test_bit(HCI_INIT, &hdev->flags) && !rp->status) { 648 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 649 hdev->page_scan_window = __le16_to_cpu(rp->window); 650 } 651 } 652 653 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 654 struct sk_buff *skb) 655 { 656 u8 status = *((u8 *) skb->data); 657 struct hci_cp_write_page_scan_activity *sent; 658 659 BT_DBG("%s status 0x%2.2x", hdev->name, status); 660 661 if (status) 662 return; 663 664 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 665 if (!sent) 666 return; 667 668 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 669 hdev->page_scan_window = __le16_to_cpu(sent->window); 670 } 671 672 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 673 struct sk_buff *skb) 674 { 675 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 676 677 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 678 679 if (test_bit(HCI_INIT, &hdev->flags) && !rp->status) 680 hdev->page_scan_type = rp->type; 681 } 682 683 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 684 struct sk_buff *skb) 685 { 686 u8 status = *((u8 *) skb->data); 687 u8 *type; 688 689 BT_DBG("%s status 0x%2.2x", hdev->name, status); 690 691 if (status) 692 return; 693 694 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 695 if (type) 696 hdev->page_scan_type = *type; 697 } 698 699 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 700 struct sk_buff *skb) 701 { 702 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 703 704 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 705 706 if (rp->status) 707 return; 708 709 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 710 hdev->block_len = __le16_to_cpu(rp->block_len); 711 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 712 713 hdev->block_cnt = hdev->num_blocks; 714 715 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 716 hdev->block_cnt, hdev->block_len); 717 } 718 719 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 720 struct sk_buff *skb) 721 { 722 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 723 724 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 725 726 if (rp->status) 727 goto a2mp_rsp; 728 729 hdev->amp_status = rp->amp_status; 730 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 731 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 732 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 733 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 734 hdev->amp_type = rp->amp_type; 735 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 736 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 737 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 738 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 739 740 a2mp_rsp: 741 a2mp_send_getinfo_rsp(hdev); 742 } 743 744 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev, 745 struct sk_buff *skb) 746 { 747 struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data; 748 struct amp_assoc *assoc = &hdev->loc_assoc; 749 size_t rem_len, frag_len; 750 751 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 752 753 if (rp->status) 754 goto a2mp_rsp; 755 756 frag_len = skb->len - sizeof(*rp); 757 rem_len = __le16_to_cpu(rp->rem_len); 758 759 if (rem_len > frag_len) { 760 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len); 761 762 memcpy(assoc->data + assoc->offset, rp->frag, frag_len); 763 assoc->offset += frag_len; 764 765 /* Read other fragments */ 766 amp_read_loc_assoc_frag(hdev, rp->phy_handle); 767 768 return; 769 } 770 771 memcpy(assoc->data + assoc->offset, rp->frag, rem_len); 772 assoc->len = assoc->offset + rem_len; 773 assoc->offset = 0; 774 775 a2mp_rsp: 776 /* Send A2MP Rsp when all fragments are received */ 777 a2mp_send_getampassoc_rsp(hdev, rp->status); 778 a2mp_send_create_phy_link_req(hdev, rp->status); 779 } 780 781 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 782 struct sk_buff *skb) 783 { 784 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 785 786 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 787 788 if (!rp->status) 789 hdev->inq_tx_power = rp->tx_power; 790 } 791 792 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 793 { 794 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 795 struct hci_cp_pin_code_reply *cp; 796 struct hci_conn *conn; 797 798 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 799 800 hci_dev_lock(hdev); 801 802 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 803 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 804 805 if (rp->status) 806 goto unlock; 807 808 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 809 if (!cp) 810 goto unlock; 811 812 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 813 if (conn) 814 conn->pin_length = cp->pin_len; 815 816 unlock: 817 hci_dev_unlock(hdev); 818 } 819 820 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 821 { 822 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 823 824 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 825 826 hci_dev_lock(hdev); 827 828 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 829 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 830 rp->status); 831 832 hci_dev_unlock(hdev); 833 } 834 835 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 836 struct sk_buff *skb) 837 { 838 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 839 840 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 841 842 if (rp->status) 843 return; 844 845 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 846 hdev->le_pkts = rp->le_max_pkt; 847 848 hdev->le_cnt = hdev->le_pkts; 849 850 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 851 } 852 853 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 854 struct sk_buff *skb) 855 { 856 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 857 858 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 859 860 if (!rp->status) 861 memcpy(hdev->le_features, rp->features, 8); 862 } 863 864 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 865 struct sk_buff *skb) 866 { 867 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 868 869 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 870 871 if (!rp->status) 872 hdev->adv_tx_power = rp->tx_power; 873 } 874 875 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 876 { 877 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 878 879 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 880 881 hci_dev_lock(hdev); 882 883 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 884 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 885 rp->status); 886 887 hci_dev_unlock(hdev); 888 } 889 890 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 891 struct sk_buff *skb) 892 { 893 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 894 895 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 896 897 hci_dev_lock(hdev); 898 899 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 900 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 901 ACL_LINK, 0, rp->status); 902 903 hci_dev_unlock(hdev); 904 } 905 906 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 907 { 908 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 909 910 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 911 912 hci_dev_lock(hdev); 913 914 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 915 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 916 0, rp->status); 917 918 hci_dev_unlock(hdev); 919 } 920 921 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 922 struct sk_buff *skb) 923 { 924 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 925 926 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 927 928 hci_dev_lock(hdev); 929 930 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 931 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 932 ACL_LINK, 0, rp->status); 933 934 hci_dev_unlock(hdev); 935 } 936 937 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 938 struct sk_buff *skb) 939 { 940 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 941 942 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 943 944 hci_dev_lock(hdev); 945 mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer, 946 NULL, NULL, rp->status); 947 hci_dev_unlock(hdev); 948 } 949 950 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 951 struct sk_buff *skb) 952 { 953 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 954 955 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 956 957 hci_dev_lock(hdev); 958 mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192, 959 rp->hash256, rp->randomizer256, 960 rp->status); 961 hci_dev_unlock(hdev); 962 } 963 964 965 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 966 { 967 __u8 status = *((__u8 *) skb->data); 968 bdaddr_t *sent; 969 970 BT_DBG("%s status 0x%2.2x", hdev->name, status); 971 972 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 973 if (!sent) 974 return; 975 976 hci_dev_lock(hdev); 977 978 if (!status) 979 bacpy(&hdev->random_addr, sent); 980 981 hci_dev_unlock(hdev); 982 } 983 984 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 985 { 986 __u8 *sent, status = *((__u8 *) skb->data); 987 988 BT_DBG("%s status 0x%2.2x", hdev->name, status); 989 990 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 991 if (!sent) 992 return; 993 994 if (status) 995 return; 996 997 hci_dev_lock(hdev); 998 999 /* If we're doing connection initation as peripheral. Set a 1000 * timeout in case something goes wrong. 1001 */ 1002 if (*sent) { 1003 struct hci_conn *conn; 1004 1005 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 1006 if (conn) 1007 queue_delayed_work(hdev->workqueue, 1008 &conn->le_conn_timeout, 1009 HCI_LE_CONN_TIMEOUT); 1010 } 1011 1012 mgmt_advertising(hdev, *sent); 1013 1014 hci_dev_unlock(hdev); 1015 } 1016 1017 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1018 { 1019 struct hci_cp_le_set_scan_param *cp; 1020 __u8 status = *((__u8 *) skb->data); 1021 1022 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1023 1024 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1025 if (!cp) 1026 return; 1027 1028 hci_dev_lock(hdev); 1029 1030 if (!status) 1031 hdev->le_scan_type = cp->type; 1032 1033 hci_dev_unlock(hdev); 1034 } 1035 1036 static bool has_pending_adv_report(struct hci_dev *hdev) 1037 { 1038 struct discovery_state *d = &hdev->discovery; 1039 1040 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1041 } 1042 1043 static void clear_pending_adv_report(struct hci_dev *hdev) 1044 { 1045 struct discovery_state *d = &hdev->discovery; 1046 1047 bacpy(&d->last_adv_addr, BDADDR_ANY); 1048 d->last_adv_data_len = 0; 1049 } 1050 1051 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1052 u8 bdaddr_type, s8 rssi, u8 *data, u8 len) 1053 { 1054 struct discovery_state *d = &hdev->discovery; 1055 1056 bacpy(&d->last_adv_addr, bdaddr); 1057 d->last_adv_addr_type = bdaddr_type; 1058 d->last_adv_rssi = rssi; 1059 memcpy(d->last_adv_data, data, len); 1060 d->last_adv_data_len = len; 1061 } 1062 1063 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1064 struct sk_buff *skb) 1065 { 1066 struct hci_cp_le_set_scan_enable *cp; 1067 __u8 status = *((__u8 *) skb->data); 1068 1069 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1070 1071 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1072 if (!cp) 1073 return; 1074 1075 if (status) 1076 return; 1077 1078 switch (cp->enable) { 1079 case LE_SCAN_ENABLE: 1080 set_bit(HCI_LE_SCAN, &hdev->dev_flags); 1081 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1082 clear_pending_adv_report(hdev); 1083 break; 1084 1085 case LE_SCAN_DISABLE: 1086 /* We do this here instead of when setting DISCOVERY_STOPPED 1087 * since the latter would potentially require waiting for 1088 * inquiry to stop too. 1089 */ 1090 if (has_pending_adv_report(hdev)) { 1091 struct discovery_state *d = &hdev->discovery; 1092 1093 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1094 d->last_adv_addr_type, NULL, 1095 d->last_adv_rssi, 0, 1, 1096 d->last_adv_data, 1097 d->last_adv_data_len, NULL, 0); 1098 } 1099 1100 /* Cancel this timer so that we don't try to disable scanning 1101 * when it's already disabled. 1102 */ 1103 cancel_delayed_work(&hdev->le_scan_disable); 1104 1105 clear_bit(HCI_LE_SCAN, &hdev->dev_flags); 1106 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1107 * interrupted scanning due to a connect request. Mark 1108 * therefore discovery as stopped. 1109 */ 1110 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED, 1111 &hdev->dev_flags)) 1112 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1113 break; 1114 1115 default: 1116 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable); 1117 break; 1118 } 1119 } 1120 1121 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1122 struct sk_buff *skb) 1123 { 1124 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1125 1126 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1127 1128 if (!rp->status) 1129 hdev->le_white_list_size = rp->size; 1130 } 1131 1132 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1133 struct sk_buff *skb) 1134 { 1135 __u8 status = *((__u8 *) skb->data); 1136 1137 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1138 1139 if (!status) 1140 hci_white_list_clear(hdev); 1141 } 1142 1143 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1144 struct sk_buff *skb) 1145 { 1146 struct hci_cp_le_add_to_white_list *sent; 1147 __u8 status = *((__u8 *) skb->data); 1148 1149 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1150 1151 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1152 if (!sent) 1153 return; 1154 1155 if (!status) 1156 hci_white_list_add(hdev, &sent->bdaddr, sent->bdaddr_type); 1157 } 1158 1159 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1160 struct sk_buff *skb) 1161 { 1162 struct hci_cp_le_del_from_white_list *sent; 1163 __u8 status = *((__u8 *) skb->data); 1164 1165 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1166 1167 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1168 if (!sent) 1169 return; 1170 1171 if (!status) 1172 hci_white_list_del(hdev, &sent->bdaddr, sent->bdaddr_type); 1173 } 1174 1175 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1176 struct sk_buff *skb) 1177 { 1178 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1179 1180 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1181 1182 if (!rp->status) 1183 memcpy(hdev->le_states, rp->le_states, 8); 1184 } 1185 1186 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1187 struct sk_buff *skb) 1188 { 1189 struct hci_cp_write_le_host_supported *sent; 1190 __u8 status = *((__u8 *) skb->data); 1191 1192 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1193 1194 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1195 if (!sent) 1196 return; 1197 1198 if (!status) { 1199 if (sent->le) { 1200 hdev->features[1][0] |= LMP_HOST_LE; 1201 set_bit(HCI_LE_ENABLED, &hdev->dev_flags); 1202 } else { 1203 hdev->features[1][0] &= ~LMP_HOST_LE; 1204 clear_bit(HCI_LE_ENABLED, &hdev->dev_flags); 1205 clear_bit(HCI_ADVERTISING, &hdev->dev_flags); 1206 } 1207 1208 if (sent->simul) 1209 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1210 else 1211 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1212 } 1213 } 1214 1215 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1216 { 1217 struct hci_cp_le_set_adv_param *cp; 1218 u8 status = *((u8 *) skb->data); 1219 1220 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1221 1222 if (status) 1223 return; 1224 1225 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1226 if (!cp) 1227 return; 1228 1229 hci_dev_lock(hdev); 1230 hdev->adv_addr_type = cp->own_address_type; 1231 hci_dev_unlock(hdev); 1232 } 1233 1234 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev, 1235 struct sk_buff *skb) 1236 { 1237 struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data; 1238 1239 BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x", 1240 hdev->name, rp->status, rp->phy_handle); 1241 1242 if (rp->status) 1243 return; 1244 1245 amp_write_rem_assoc_continue(hdev, rp->phy_handle); 1246 } 1247 1248 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1249 { 1250 struct hci_rp_read_rssi *rp = (void *) skb->data; 1251 struct hci_conn *conn; 1252 1253 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1254 1255 if (rp->status) 1256 return; 1257 1258 hci_dev_lock(hdev); 1259 1260 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1261 if (conn) 1262 conn->rssi = rp->rssi; 1263 1264 hci_dev_unlock(hdev); 1265 } 1266 1267 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1268 { 1269 struct hci_cp_read_tx_power *sent; 1270 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1271 struct hci_conn *conn; 1272 1273 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1274 1275 if (rp->status) 1276 return; 1277 1278 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1279 if (!sent) 1280 return; 1281 1282 hci_dev_lock(hdev); 1283 1284 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1285 if (!conn) 1286 goto unlock; 1287 1288 switch (sent->type) { 1289 case 0x00: 1290 conn->tx_power = rp->tx_power; 1291 break; 1292 case 0x01: 1293 conn->max_tx_power = rp->tx_power; 1294 break; 1295 } 1296 1297 unlock: 1298 hci_dev_unlock(hdev); 1299 } 1300 1301 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1302 { 1303 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1304 1305 if (status) { 1306 hci_conn_check_pending(hdev); 1307 return; 1308 } 1309 1310 set_bit(HCI_INQUIRY, &hdev->flags); 1311 } 1312 1313 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1314 { 1315 struct hci_cp_create_conn *cp; 1316 struct hci_conn *conn; 1317 1318 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1319 1320 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1321 if (!cp) 1322 return; 1323 1324 hci_dev_lock(hdev); 1325 1326 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1327 1328 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1329 1330 if (status) { 1331 if (conn && conn->state == BT_CONNECT) { 1332 if (status != 0x0c || conn->attempt > 2) { 1333 conn->state = BT_CLOSED; 1334 hci_proto_connect_cfm(conn, status); 1335 hci_conn_del(conn); 1336 } else 1337 conn->state = BT_CONNECT2; 1338 } 1339 } else { 1340 if (!conn) { 1341 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr); 1342 if (conn) { 1343 conn->out = true; 1344 conn->link_mode |= HCI_LM_MASTER; 1345 } else 1346 BT_ERR("No memory for new connection"); 1347 } 1348 } 1349 1350 hci_dev_unlock(hdev); 1351 } 1352 1353 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1354 { 1355 struct hci_cp_add_sco *cp; 1356 struct hci_conn *acl, *sco; 1357 __u16 handle; 1358 1359 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1360 1361 if (!status) 1362 return; 1363 1364 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1365 if (!cp) 1366 return; 1367 1368 handle = __le16_to_cpu(cp->handle); 1369 1370 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1371 1372 hci_dev_lock(hdev); 1373 1374 acl = hci_conn_hash_lookup_handle(hdev, handle); 1375 if (acl) { 1376 sco = acl->link; 1377 if (sco) { 1378 sco->state = BT_CLOSED; 1379 1380 hci_proto_connect_cfm(sco, status); 1381 hci_conn_del(sco); 1382 } 1383 } 1384 1385 hci_dev_unlock(hdev); 1386 } 1387 1388 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1389 { 1390 struct hci_cp_auth_requested *cp; 1391 struct hci_conn *conn; 1392 1393 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1394 1395 if (!status) 1396 return; 1397 1398 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1399 if (!cp) 1400 return; 1401 1402 hci_dev_lock(hdev); 1403 1404 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1405 if (conn) { 1406 if (conn->state == BT_CONFIG) { 1407 hci_proto_connect_cfm(conn, status); 1408 hci_conn_drop(conn); 1409 } 1410 } 1411 1412 hci_dev_unlock(hdev); 1413 } 1414 1415 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1416 { 1417 struct hci_cp_set_conn_encrypt *cp; 1418 struct hci_conn *conn; 1419 1420 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1421 1422 if (!status) 1423 return; 1424 1425 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1426 if (!cp) 1427 return; 1428 1429 hci_dev_lock(hdev); 1430 1431 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1432 if (conn) { 1433 if (conn->state == BT_CONFIG) { 1434 hci_proto_connect_cfm(conn, status); 1435 hci_conn_drop(conn); 1436 } 1437 } 1438 1439 hci_dev_unlock(hdev); 1440 } 1441 1442 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1443 struct hci_conn *conn) 1444 { 1445 if (conn->state != BT_CONFIG || !conn->out) 1446 return 0; 1447 1448 if (conn->pending_sec_level == BT_SECURITY_SDP) 1449 return 0; 1450 1451 /* Only request authentication for SSP connections or non-SSP 1452 * devices with sec_level MEDIUM or HIGH or if MITM protection 1453 * is requested. 1454 */ 1455 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1456 conn->pending_sec_level != BT_SECURITY_FIPS && 1457 conn->pending_sec_level != BT_SECURITY_HIGH && 1458 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1459 return 0; 1460 1461 return 1; 1462 } 1463 1464 static int hci_resolve_name(struct hci_dev *hdev, 1465 struct inquiry_entry *e) 1466 { 1467 struct hci_cp_remote_name_req cp; 1468 1469 memset(&cp, 0, sizeof(cp)); 1470 1471 bacpy(&cp.bdaddr, &e->data.bdaddr); 1472 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1473 cp.pscan_mode = e->data.pscan_mode; 1474 cp.clock_offset = e->data.clock_offset; 1475 1476 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 1477 } 1478 1479 static bool hci_resolve_next_name(struct hci_dev *hdev) 1480 { 1481 struct discovery_state *discov = &hdev->discovery; 1482 struct inquiry_entry *e; 1483 1484 if (list_empty(&discov->resolve)) 1485 return false; 1486 1487 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1488 if (!e) 1489 return false; 1490 1491 if (hci_resolve_name(hdev, e) == 0) { 1492 e->name_state = NAME_PENDING; 1493 return true; 1494 } 1495 1496 return false; 1497 } 1498 1499 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 1500 bdaddr_t *bdaddr, u8 *name, u8 name_len) 1501 { 1502 struct discovery_state *discov = &hdev->discovery; 1503 struct inquiry_entry *e; 1504 1505 if (conn && !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1506 mgmt_device_connected(hdev, bdaddr, ACL_LINK, 0x00, 0, name, 1507 name_len, conn->dev_class); 1508 1509 if (discov->state == DISCOVERY_STOPPED) 1510 return; 1511 1512 if (discov->state == DISCOVERY_STOPPING) 1513 goto discov_complete; 1514 1515 if (discov->state != DISCOVERY_RESOLVING) 1516 return; 1517 1518 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 1519 /* If the device was not found in a list of found devices names of which 1520 * are pending. there is no need to continue resolving a next name as it 1521 * will be done upon receiving another Remote Name Request Complete 1522 * Event */ 1523 if (!e) 1524 return; 1525 1526 list_del(&e->list); 1527 if (name) { 1528 e->name_state = NAME_KNOWN; 1529 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 1530 e->data.rssi, name, name_len); 1531 } else { 1532 e->name_state = NAME_NOT_KNOWN; 1533 } 1534 1535 if (hci_resolve_next_name(hdev)) 1536 return; 1537 1538 discov_complete: 1539 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1540 } 1541 1542 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 1543 { 1544 struct hci_cp_remote_name_req *cp; 1545 struct hci_conn *conn; 1546 1547 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1548 1549 /* If successful wait for the name req complete event before 1550 * checking for the need to do authentication */ 1551 if (!status) 1552 return; 1553 1554 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 1555 if (!cp) 1556 return; 1557 1558 hci_dev_lock(hdev); 1559 1560 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1561 1562 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 1563 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 1564 1565 if (!conn) 1566 goto unlock; 1567 1568 if (!hci_outgoing_auth_needed(hdev, conn)) 1569 goto unlock; 1570 1571 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 1572 struct hci_cp_auth_requested auth_cp; 1573 1574 auth_cp.handle = __cpu_to_le16(conn->handle); 1575 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 1576 sizeof(auth_cp), &auth_cp); 1577 } 1578 1579 unlock: 1580 hci_dev_unlock(hdev); 1581 } 1582 1583 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 1584 { 1585 struct hci_cp_read_remote_features *cp; 1586 struct hci_conn *conn; 1587 1588 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1589 1590 if (!status) 1591 return; 1592 1593 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 1594 if (!cp) 1595 return; 1596 1597 hci_dev_lock(hdev); 1598 1599 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1600 if (conn) { 1601 if (conn->state == BT_CONFIG) { 1602 hci_proto_connect_cfm(conn, status); 1603 hci_conn_drop(conn); 1604 } 1605 } 1606 1607 hci_dev_unlock(hdev); 1608 } 1609 1610 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 1611 { 1612 struct hci_cp_read_remote_ext_features *cp; 1613 struct hci_conn *conn; 1614 1615 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1616 1617 if (!status) 1618 return; 1619 1620 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 1621 if (!cp) 1622 return; 1623 1624 hci_dev_lock(hdev); 1625 1626 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1627 if (conn) { 1628 if (conn->state == BT_CONFIG) { 1629 hci_proto_connect_cfm(conn, status); 1630 hci_conn_drop(conn); 1631 } 1632 } 1633 1634 hci_dev_unlock(hdev); 1635 } 1636 1637 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 1638 { 1639 struct hci_cp_setup_sync_conn *cp; 1640 struct hci_conn *acl, *sco; 1641 __u16 handle; 1642 1643 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1644 1645 if (!status) 1646 return; 1647 1648 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 1649 if (!cp) 1650 return; 1651 1652 handle = __le16_to_cpu(cp->handle); 1653 1654 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1655 1656 hci_dev_lock(hdev); 1657 1658 acl = hci_conn_hash_lookup_handle(hdev, handle); 1659 if (acl) { 1660 sco = acl->link; 1661 if (sco) { 1662 sco->state = BT_CLOSED; 1663 1664 hci_proto_connect_cfm(sco, status); 1665 hci_conn_del(sco); 1666 } 1667 } 1668 1669 hci_dev_unlock(hdev); 1670 } 1671 1672 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 1673 { 1674 struct hci_cp_sniff_mode *cp; 1675 struct hci_conn *conn; 1676 1677 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1678 1679 if (!status) 1680 return; 1681 1682 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 1683 if (!cp) 1684 return; 1685 1686 hci_dev_lock(hdev); 1687 1688 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1689 if (conn) { 1690 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1691 1692 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1693 hci_sco_setup(conn, status); 1694 } 1695 1696 hci_dev_unlock(hdev); 1697 } 1698 1699 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 1700 { 1701 struct hci_cp_exit_sniff_mode *cp; 1702 struct hci_conn *conn; 1703 1704 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1705 1706 if (!status) 1707 return; 1708 1709 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 1710 if (!cp) 1711 return; 1712 1713 hci_dev_lock(hdev); 1714 1715 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1716 if (conn) { 1717 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1718 1719 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1720 hci_sco_setup(conn, status); 1721 } 1722 1723 hci_dev_unlock(hdev); 1724 } 1725 1726 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 1727 { 1728 struct hci_cp_disconnect *cp; 1729 struct hci_conn *conn; 1730 1731 if (!status) 1732 return; 1733 1734 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 1735 if (!cp) 1736 return; 1737 1738 hci_dev_lock(hdev); 1739 1740 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1741 if (conn) 1742 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 1743 conn->dst_type, status); 1744 1745 hci_dev_unlock(hdev); 1746 } 1747 1748 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status) 1749 { 1750 struct hci_cp_create_phy_link *cp; 1751 1752 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1753 1754 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK); 1755 if (!cp) 1756 return; 1757 1758 hci_dev_lock(hdev); 1759 1760 if (status) { 1761 struct hci_conn *hcon; 1762 1763 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle); 1764 if (hcon) 1765 hci_conn_del(hcon); 1766 } else { 1767 amp_write_remote_assoc(hdev, cp->phy_handle); 1768 } 1769 1770 hci_dev_unlock(hdev); 1771 } 1772 1773 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status) 1774 { 1775 struct hci_cp_accept_phy_link *cp; 1776 1777 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1778 1779 if (status) 1780 return; 1781 1782 cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK); 1783 if (!cp) 1784 return; 1785 1786 amp_write_remote_assoc(hdev, cp->phy_handle); 1787 } 1788 1789 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 1790 { 1791 struct hci_cp_le_create_conn *cp; 1792 struct hci_conn *conn; 1793 1794 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1795 1796 /* All connection failure handling is taken care of by the 1797 * hci_le_conn_failed function which is triggered by the HCI 1798 * request completion callbacks used for connecting. 1799 */ 1800 if (status) 1801 return; 1802 1803 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 1804 if (!cp) 1805 return; 1806 1807 hci_dev_lock(hdev); 1808 1809 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr); 1810 if (!conn) 1811 goto unlock; 1812 1813 /* Store the initiator and responder address information which 1814 * is needed for SMP. These values will not change during the 1815 * lifetime of the connection. 1816 */ 1817 conn->init_addr_type = cp->own_address_type; 1818 if (cp->own_address_type == ADDR_LE_DEV_RANDOM) 1819 bacpy(&conn->init_addr, &hdev->random_addr); 1820 else 1821 bacpy(&conn->init_addr, &hdev->bdaddr); 1822 1823 conn->resp_addr_type = cp->peer_addr_type; 1824 bacpy(&conn->resp_addr, &cp->peer_addr); 1825 1826 /* We don't want the connection attempt to stick around 1827 * indefinitely since LE doesn't have a page timeout concept 1828 * like BR/EDR. Set a timer for any connection that doesn't use 1829 * the white list for connecting. 1830 */ 1831 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR) 1832 queue_delayed_work(conn->hdev->workqueue, 1833 &conn->le_conn_timeout, 1834 HCI_LE_CONN_TIMEOUT); 1835 1836 unlock: 1837 hci_dev_unlock(hdev); 1838 } 1839 1840 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 1841 { 1842 struct hci_cp_le_start_enc *cp; 1843 struct hci_conn *conn; 1844 1845 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1846 1847 if (!status) 1848 return; 1849 1850 hci_dev_lock(hdev); 1851 1852 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 1853 if (!cp) 1854 goto unlock; 1855 1856 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1857 if (!conn) 1858 goto unlock; 1859 1860 if (conn->state != BT_CONNECTED) 1861 goto unlock; 1862 1863 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 1864 hci_conn_drop(conn); 1865 1866 unlock: 1867 hci_dev_unlock(hdev); 1868 } 1869 1870 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1871 { 1872 __u8 status = *((__u8 *) skb->data); 1873 struct discovery_state *discov = &hdev->discovery; 1874 struct inquiry_entry *e; 1875 1876 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1877 1878 hci_conn_check_pending(hdev); 1879 1880 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 1881 return; 1882 1883 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 1884 wake_up_bit(&hdev->flags, HCI_INQUIRY); 1885 1886 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 1887 return; 1888 1889 hci_dev_lock(hdev); 1890 1891 if (discov->state != DISCOVERY_FINDING) 1892 goto unlock; 1893 1894 if (list_empty(&discov->resolve)) { 1895 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1896 goto unlock; 1897 } 1898 1899 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1900 if (e && hci_resolve_name(hdev, e) == 0) { 1901 e->name_state = NAME_PENDING; 1902 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 1903 } else { 1904 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1905 } 1906 1907 unlock: 1908 hci_dev_unlock(hdev); 1909 } 1910 1911 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 1912 { 1913 struct inquiry_data data; 1914 struct inquiry_info *info = (void *) (skb->data + 1); 1915 int num_rsp = *((__u8 *) skb->data); 1916 1917 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 1918 1919 if (!num_rsp) 1920 return; 1921 1922 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) 1923 return; 1924 1925 hci_dev_lock(hdev); 1926 1927 for (; num_rsp; num_rsp--, info++) { 1928 bool name_known, ssp; 1929 1930 bacpy(&data.bdaddr, &info->bdaddr); 1931 data.pscan_rep_mode = info->pscan_rep_mode; 1932 data.pscan_period_mode = info->pscan_period_mode; 1933 data.pscan_mode = info->pscan_mode; 1934 memcpy(data.dev_class, info->dev_class, 3); 1935 data.clock_offset = info->clock_offset; 1936 data.rssi = 0x00; 1937 data.ssp_mode = 0x00; 1938 1939 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp); 1940 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 1941 info->dev_class, 0, !name_known, ssp, NULL, 1942 0, NULL, 0); 1943 } 1944 1945 hci_dev_unlock(hdev); 1946 } 1947 1948 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 1949 { 1950 struct hci_ev_conn_complete *ev = (void *) skb->data; 1951 struct hci_conn *conn; 1952 1953 BT_DBG("%s", hdev->name); 1954 1955 hci_dev_lock(hdev); 1956 1957 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 1958 if (!conn) { 1959 if (ev->link_type != SCO_LINK) 1960 goto unlock; 1961 1962 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 1963 if (!conn) 1964 goto unlock; 1965 1966 conn->type = SCO_LINK; 1967 } 1968 1969 if (!ev->status) { 1970 conn->handle = __le16_to_cpu(ev->handle); 1971 1972 if (conn->type == ACL_LINK) { 1973 conn->state = BT_CONFIG; 1974 hci_conn_hold(conn); 1975 1976 if (!conn->out && !hci_conn_ssp_enabled(conn) && 1977 !hci_find_link_key(hdev, &ev->bdaddr)) 1978 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 1979 else 1980 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 1981 } else 1982 conn->state = BT_CONNECTED; 1983 1984 hci_conn_add_sysfs(conn); 1985 1986 if (test_bit(HCI_AUTH, &hdev->flags)) 1987 conn->link_mode |= HCI_LM_AUTH; 1988 1989 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 1990 conn->link_mode |= HCI_LM_ENCRYPT; 1991 1992 /* Get remote features */ 1993 if (conn->type == ACL_LINK) { 1994 struct hci_cp_read_remote_features cp; 1995 cp.handle = ev->handle; 1996 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 1997 sizeof(cp), &cp); 1998 } 1999 2000 /* Set packet type for incoming connection */ 2001 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2002 struct hci_cp_change_conn_ptype cp; 2003 cp.handle = ev->handle; 2004 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2005 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2006 &cp); 2007 } 2008 } else { 2009 conn->state = BT_CLOSED; 2010 if (conn->type == ACL_LINK) 2011 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2012 conn->dst_type, ev->status); 2013 } 2014 2015 if (conn->type == ACL_LINK) 2016 hci_sco_setup(conn, ev->status); 2017 2018 if (ev->status) { 2019 hci_proto_connect_cfm(conn, ev->status); 2020 hci_conn_del(conn); 2021 } else if (ev->link_type != ACL_LINK) 2022 hci_proto_connect_cfm(conn, ev->status); 2023 2024 unlock: 2025 hci_dev_unlock(hdev); 2026 2027 hci_conn_check_pending(hdev); 2028 } 2029 2030 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2031 { 2032 struct hci_ev_conn_request *ev = (void *) skb->data; 2033 int mask = hdev->link_mode; 2034 __u8 flags = 0; 2035 2036 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2037 ev->link_type); 2038 2039 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2040 &flags); 2041 2042 if ((mask & HCI_LM_ACCEPT) && 2043 !hci_blacklist_lookup(hdev, &ev->bdaddr, BDADDR_BREDR)) { 2044 /* Connection accepted */ 2045 struct inquiry_entry *ie; 2046 struct hci_conn *conn; 2047 2048 hci_dev_lock(hdev); 2049 2050 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2051 if (ie) 2052 memcpy(ie->data.dev_class, ev->dev_class, 3); 2053 2054 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2055 &ev->bdaddr); 2056 if (!conn) { 2057 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr); 2058 if (!conn) { 2059 BT_ERR("No memory for new connection"); 2060 hci_dev_unlock(hdev); 2061 return; 2062 } 2063 } 2064 2065 memcpy(conn->dev_class, ev->dev_class, 3); 2066 2067 hci_dev_unlock(hdev); 2068 2069 if (ev->link_type == ACL_LINK || 2070 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2071 struct hci_cp_accept_conn_req cp; 2072 conn->state = BT_CONNECT; 2073 2074 bacpy(&cp.bdaddr, &ev->bdaddr); 2075 2076 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2077 cp.role = 0x00; /* Become master */ 2078 else 2079 cp.role = 0x01; /* Remain slave */ 2080 2081 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), 2082 &cp); 2083 } else if (!(flags & HCI_PROTO_DEFER)) { 2084 struct hci_cp_accept_sync_conn_req cp; 2085 conn->state = BT_CONNECT; 2086 2087 bacpy(&cp.bdaddr, &ev->bdaddr); 2088 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2089 2090 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2091 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2092 cp.max_latency = cpu_to_le16(0xffff); 2093 cp.content_format = cpu_to_le16(hdev->voice_setting); 2094 cp.retrans_effort = 0xff; 2095 2096 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, 2097 sizeof(cp), &cp); 2098 } else { 2099 conn->state = BT_CONNECT2; 2100 hci_proto_connect_cfm(conn, 0); 2101 } 2102 } else { 2103 /* Connection rejected */ 2104 struct hci_cp_reject_conn_req cp; 2105 2106 bacpy(&cp.bdaddr, &ev->bdaddr); 2107 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2108 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2109 } 2110 } 2111 2112 static u8 hci_to_mgmt_reason(u8 err) 2113 { 2114 switch (err) { 2115 case HCI_ERROR_CONNECTION_TIMEOUT: 2116 return MGMT_DEV_DISCONN_TIMEOUT; 2117 case HCI_ERROR_REMOTE_USER_TERM: 2118 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2119 case HCI_ERROR_REMOTE_POWER_OFF: 2120 return MGMT_DEV_DISCONN_REMOTE; 2121 case HCI_ERROR_LOCAL_HOST_TERM: 2122 return MGMT_DEV_DISCONN_LOCAL_HOST; 2123 default: 2124 return MGMT_DEV_DISCONN_UNKNOWN; 2125 } 2126 } 2127 2128 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2129 { 2130 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2131 u8 reason = hci_to_mgmt_reason(ev->reason); 2132 struct hci_conn_params *params; 2133 struct hci_conn *conn; 2134 bool mgmt_connected; 2135 u8 type; 2136 2137 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2138 2139 hci_dev_lock(hdev); 2140 2141 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2142 if (!conn) 2143 goto unlock; 2144 2145 if (ev->status) { 2146 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2147 conn->dst_type, ev->status); 2148 goto unlock; 2149 } 2150 2151 conn->state = BT_CLOSED; 2152 2153 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2154 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2155 reason, mgmt_connected); 2156 2157 if (conn->type == ACL_LINK && conn->flush_key) 2158 hci_remove_link_key(hdev, &conn->dst); 2159 2160 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2161 if (params) { 2162 switch (params->auto_connect) { 2163 case HCI_AUTO_CONN_LINK_LOSS: 2164 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2165 break; 2166 /* Fall through */ 2167 2168 case HCI_AUTO_CONN_ALWAYS: 2169 hci_pend_le_conn_add(hdev, &conn->dst, conn->dst_type); 2170 break; 2171 2172 default: 2173 break; 2174 } 2175 } 2176 2177 type = conn->type; 2178 2179 hci_proto_disconn_cfm(conn, ev->reason); 2180 hci_conn_del(conn); 2181 2182 /* Re-enable advertising if necessary, since it might 2183 * have been disabled by the connection. From the 2184 * HCI_LE_Set_Advertise_Enable command description in 2185 * the core specification (v4.0): 2186 * "The Controller shall continue advertising until the Host 2187 * issues an LE_Set_Advertise_Enable command with 2188 * Advertising_Enable set to 0x00 (Advertising is disabled) 2189 * or until a connection is created or until the Advertising 2190 * is timed out due to Directed Advertising." 2191 */ 2192 if (type == LE_LINK) 2193 mgmt_reenable_advertising(hdev); 2194 2195 unlock: 2196 hci_dev_unlock(hdev); 2197 } 2198 2199 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2200 { 2201 struct hci_ev_auth_complete *ev = (void *) skb->data; 2202 struct hci_conn *conn; 2203 2204 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2205 2206 hci_dev_lock(hdev); 2207 2208 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2209 if (!conn) 2210 goto unlock; 2211 2212 if (!ev->status) { 2213 if (!hci_conn_ssp_enabled(conn) && 2214 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2215 BT_INFO("re-auth of legacy device is not possible."); 2216 } else { 2217 conn->link_mode |= HCI_LM_AUTH; 2218 conn->sec_level = conn->pending_sec_level; 2219 } 2220 } else { 2221 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type, 2222 ev->status); 2223 } 2224 2225 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2226 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2227 2228 if (conn->state == BT_CONFIG) { 2229 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2230 struct hci_cp_set_conn_encrypt cp; 2231 cp.handle = ev->handle; 2232 cp.encrypt = 0x01; 2233 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2234 &cp); 2235 } else { 2236 conn->state = BT_CONNECTED; 2237 hci_proto_connect_cfm(conn, ev->status); 2238 hci_conn_drop(conn); 2239 } 2240 } else { 2241 hci_auth_cfm(conn, ev->status); 2242 2243 hci_conn_hold(conn); 2244 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2245 hci_conn_drop(conn); 2246 } 2247 2248 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2249 if (!ev->status) { 2250 struct hci_cp_set_conn_encrypt cp; 2251 cp.handle = ev->handle; 2252 cp.encrypt = 0x01; 2253 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2254 &cp); 2255 } else { 2256 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2257 hci_encrypt_cfm(conn, ev->status, 0x00); 2258 } 2259 } 2260 2261 unlock: 2262 hci_dev_unlock(hdev); 2263 } 2264 2265 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2266 { 2267 struct hci_ev_remote_name *ev = (void *) skb->data; 2268 struct hci_conn *conn; 2269 2270 BT_DBG("%s", hdev->name); 2271 2272 hci_conn_check_pending(hdev); 2273 2274 hci_dev_lock(hdev); 2275 2276 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2277 2278 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 2279 goto check_auth; 2280 2281 if (ev->status == 0) 2282 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2283 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2284 else 2285 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2286 2287 check_auth: 2288 if (!conn) 2289 goto unlock; 2290 2291 if (!hci_outgoing_auth_needed(hdev, conn)) 2292 goto unlock; 2293 2294 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2295 struct hci_cp_auth_requested cp; 2296 cp.handle = __cpu_to_le16(conn->handle); 2297 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2298 } 2299 2300 unlock: 2301 hci_dev_unlock(hdev); 2302 } 2303 2304 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2305 { 2306 struct hci_ev_encrypt_change *ev = (void *) skb->data; 2307 struct hci_conn *conn; 2308 2309 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2310 2311 hci_dev_lock(hdev); 2312 2313 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2314 if (!conn) 2315 goto unlock; 2316 2317 if (!ev->status) { 2318 if (ev->encrypt) { 2319 /* Encryption implies authentication */ 2320 conn->link_mode |= HCI_LM_AUTH; 2321 conn->link_mode |= HCI_LM_ENCRYPT; 2322 conn->sec_level = conn->pending_sec_level; 2323 2324 /* P-256 authentication key implies FIPS */ 2325 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 2326 conn->link_mode |= HCI_LM_FIPS; 2327 2328 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 2329 conn->type == LE_LINK) 2330 set_bit(HCI_CONN_AES_CCM, &conn->flags); 2331 } else { 2332 conn->link_mode &= ~HCI_LM_ENCRYPT; 2333 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 2334 } 2335 } 2336 2337 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2338 2339 if (ev->status && conn->state == BT_CONNECTED) { 2340 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2341 hci_conn_drop(conn); 2342 goto unlock; 2343 } 2344 2345 if (conn->state == BT_CONFIG) { 2346 if (!ev->status) 2347 conn->state = BT_CONNECTED; 2348 2349 /* In Secure Connections Only mode, do not allow any 2350 * connections that are not encrypted with AES-CCM 2351 * using a P-256 authenticated combination key. 2352 */ 2353 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && 2354 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2355 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 2356 hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 2357 hci_conn_drop(conn); 2358 goto unlock; 2359 } 2360 2361 hci_proto_connect_cfm(conn, ev->status); 2362 hci_conn_drop(conn); 2363 } else 2364 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2365 2366 unlock: 2367 hci_dev_unlock(hdev); 2368 } 2369 2370 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 2371 struct sk_buff *skb) 2372 { 2373 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 2374 struct hci_conn *conn; 2375 2376 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2377 2378 hci_dev_lock(hdev); 2379 2380 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2381 if (conn) { 2382 if (!ev->status) 2383 conn->link_mode |= HCI_LM_SECURE; 2384 2385 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2386 2387 hci_key_change_cfm(conn, ev->status); 2388 } 2389 2390 hci_dev_unlock(hdev); 2391 } 2392 2393 static void hci_remote_features_evt(struct hci_dev *hdev, 2394 struct sk_buff *skb) 2395 { 2396 struct hci_ev_remote_features *ev = (void *) skb->data; 2397 struct hci_conn *conn; 2398 2399 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2400 2401 hci_dev_lock(hdev); 2402 2403 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2404 if (!conn) 2405 goto unlock; 2406 2407 if (!ev->status) 2408 memcpy(conn->features[0], ev->features, 8); 2409 2410 if (conn->state != BT_CONFIG) 2411 goto unlock; 2412 2413 if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) { 2414 struct hci_cp_read_remote_ext_features cp; 2415 cp.handle = ev->handle; 2416 cp.page = 0x01; 2417 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 2418 sizeof(cp), &cp); 2419 goto unlock; 2420 } 2421 2422 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 2423 struct hci_cp_remote_name_req cp; 2424 memset(&cp, 0, sizeof(cp)); 2425 bacpy(&cp.bdaddr, &conn->dst); 2426 cp.pscan_rep_mode = 0x02; 2427 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2428 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2429 mgmt_device_connected(hdev, &conn->dst, conn->type, 2430 conn->dst_type, 0, NULL, 0, 2431 conn->dev_class); 2432 2433 if (!hci_outgoing_auth_needed(hdev, conn)) { 2434 conn->state = BT_CONNECTED; 2435 hci_proto_connect_cfm(conn, ev->status); 2436 hci_conn_drop(conn); 2437 } 2438 2439 unlock: 2440 hci_dev_unlock(hdev); 2441 } 2442 2443 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2444 { 2445 struct hci_ev_cmd_complete *ev = (void *) skb->data; 2446 u8 status = skb->data[sizeof(*ev)]; 2447 __u16 opcode; 2448 2449 skb_pull(skb, sizeof(*ev)); 2450 2451 opcode = __le16_to_cpu(ev->opcode); 2452 2453 switch (opcode) { 2454 case HCI_OP_INQUIRY_CANCEL: 2455 hci_cc_inquiry_cancel(hdev, skb); 2456 break; 2457 2458 case HCI_OP_PERIODIC_INQ: 2459 hci_cc_periodic_inq(hdev, skb); 2460 break; 2461 2462 case HCI_OP_EXIT_PERIODIC_INQ: 2463 hci_cc_exit_periodic_inq(hdev, skb); 2464 break; 2465 2466 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 2467 hci_cc_remote_name_req_cancel(hdev, skb); 2468 break; 2469 2470 case HCI_OP_ROLE_DISCOVERY: 2471 hci_cc_role_discovery(hdev, skb); 2472 break; 2473 2474 case HCI_OP_READ_LINK_POLICY: 2475 hci_cc_read_link_policy(hdev, skb); 2476 break; 2477 2478 case HCI_OP_WRITE_LINK_POLICY: 2479 hci_cc_write_link_policy(hdev, skb); 2480 break; 2481 2482 case HCI_OP_READ_DEF_LINK_POLICY: 2483 hci_cc_read_def_link_policy(hdev, skb); 2484 break; 2485 2486 case HCI_OP_WRITE_DEF_LINK_POLICY: 2487 hci_cc_write_def_link_policy(hdev, skb); 2488 break; 2489 2490 case HCI_OP_RESET: 2491 hci_cc_reset(hdev, skb); 2492 break; 2493 2494 case HCI_OP_WRITE_LOCAL_NAME: 2495 hci_cc_write_local_name(hdev, skb); 2496 break; 2497 2498 case HCI_OP_READ_LOCAL_NAME: 2499 hci_cc_read_local_name(hdev, skb); 2500 break; 2501 2502 case HCI_OP_WRITE_AUTH_ENABLE: 2503 hci_cc_write_auth_enable(hdev, skb); 2504 break; 2505 2506 case HCI_OP_WRITE_ENCRYPT_MODE: 2507 hci_cc_write_encrypt_mode(hdev, skb); 2508 break; 2509 2510 case HCI_OP_WRITE_SCAN_ENABLE: 2511 hci_cc_write_scan_enable(hdev, skb); 2512 break; 2513 2514 case HCI_OP_READ_CLASS_OF_DEV: 2515 hci_cc_read_class_of_dev(hdev, skb); 2516 break; 2517 2518 case HCI_OP_WRITE_CLASS_OF_DEV: 2519 hci_cc_write_class_of_dev(hdev, skb); 2520 break; 2521 2522 case HCI_OP_READ_VOICE_SETTING: 2523 hci_cc_read_voice_setting(hdev, skb); 2524 break; 2525 2526 case HCI_OP_WRITE_VOICE_SETTING: 2527 hci_cc_write_voice_setting(hdev, skb); 2528 break; 2529 2530 case HCI_OP_READ_NUM_SUPPORTED_IAC: 2531 hci_cc_read_num_supported_iac(hdev, skb); 2532 break; 2533 2534 case HCI_OP_WRITE_SSP_MODE: 2535 hci_cc_write_ssp_mode(hdev, skb); 2536 break; 2537 2538 case HCI_OP_WRITE_SC_SUPPORT: 2539 hci_cc_write_sc_support(hdev, skb); 2540 break; 2541 2542 case HCI_OP_READ_LOCAL_VERSION: 2543 hci_cc_read_local_version(hdev, skb); 2544 break; 2545 2546 case HCI_OP_READ_LOCAL_COMMANDS: 2547 hci_cc_read_local_commands(hdev, skb); 2548 break; 2549 2550 case HCI_OP_READ_LOCAL_FEATURES: 2551 hci_cc_read_local_features(hdev, skb); 2552 break; 2553 2554 case HCI_OP_READ_LOCAL_EXT_FEATURES: 2555 hci_cc_read_local_ext_features(hdev, skb); 2556 break; 2557 2558 case HCI_OP_READ_BUFFER_SIZE: 2559 hci_cc_read_buffer_size(hdev, skb); 2560 break; 2561 2562 case HCI_OP_READ_BD_ADDR: 2563 hci_cc_read_bd_addr(hdev, skb); 2564 break; 2565 2566 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 2567 hci_cc_read_page_scan_activity(hdev, skb); 2568 break; 2569 2570 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 2571 hci_cc_write_page_scan_activity(hdev, skb); 2572 break; 2573 2574 case HCI_OP_READ_PAGE_SCAN_TYPE: 2575 hci_cc_read_page_scan_type(hdev, skb); 2576 break; 2577 2578 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 2579 hci_cc_write_page_scan_type(hdev, skb); 2580 break; 2581 2582 case HCI_OP_READ_DATA_BLOCK_SIZE: 2583 hci_cc_read_data_block_size(hdev, skb); 2584 break; 2585 2586 case HCI_OP_READ_FLOW_CONTROL_MODE: 2587 hci_cc_read_flow_control_mode(hdev, skb); 2588 break; 2589 2590 case HCI_OP_READ_LOCAL_AMP_INFO: 2591 hci_cc_read_local_amp_info(hdev, skb); 2592 break; 2593 2594 case HCI_OP_READ_LOCAL_AMP_ASSOC: 2595 hci_cc_read_local_amp_assoc(hdev, skb); 2596 break; 2597 2598 case HCI_OP_READ_INQ_RSP_TX_POWER: 2599 hci_cc_read_inq_rsp_tx_power(hdev, skb); 2600 break; 2601 2602 case HCI_OP_PIN_CODE_REPLY: 2603 hci_cc_pin_code_reply(hdev, skb); 2604 break; 2605 2606 case HCI_OP_PIN_CODE_NEG_REPLY: 2607 hci_cc_pin_code_neg_reply(hdev, skb); 2608 break; 2609 2610 case HCI_OP_READ_LOCAL_OOB_DATA: 2611 hci_cc_read_local_oob_data(hdev, skb); 2612 break; 2613 2614 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 2615 hci_cc_read_local_oob_ext_data(hdev, skb); 2616 break; 2617 2618 case HCI_OP_LE_READ_BUFFER_SIZE: 2619 hci_cc_le_read_buffer_size(hdev, skb); 2620 break; 2621 2622 case HCI_OP_LE_READ_LOCAL_FEATURES: 2623 hci_cc_le_read_local_features(hdev, skb); 2624 break; 2625 2626 case HCI_OP_LE_READ_ADV_TX_POWER: 2627 hci_cc_le_read_adv_tx_power(hdev, skb); 2628 break; 2629 2630 case HCI_OP_USER_CONFIRM_REPLY: 2631 hci_cc_user_confirm_reply(hdev, skb); 2632 break; 2633 2634 case HCI_OP_USER_CONFIRM_NEG_REPLY: 2635 hci_cc_user_confirm_neg_reply(hdev, skb); 2636 break; 2637 2638 case HCI_OP_USER_PASSKEY_REPLY: 2639 hci_cc_user_passkey_reply(hdev, skb); 2640 break; 2641 2642 case HCI_OP_USER_PASSKEY_NEG_REPLY: 2643 hci_cc_user_passkey_neg_reply(hdev, skb); 2644 break; 2645 2646 case HCI_OP_LE_SET_RANDOM_ADDR: 2647 hci_cc_le_set_random_addr(hdev, skb); 2648 break; 2649 2650 case HCI_OP_LE_SET_ADV_ENABLE: 2651 hci_cc_le_set_adv_enable(hdev, skb); 2652 break; 2653 2654 case HCI_OP_LE_SET_SCAN_PARAM: 2655 hci_cc_le_set_scan_param(hdev, skb); 2656 break; 2657 2658 case HCI_OP_LE_SET_SCAN_ENABLE: 2659 hci_cc_le_set_scan_enable(hdev, skb); 2660 break; 2661 2662 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 2663 hci_cc_le_read_white_list_size(hdev, skb); 2664 break; 2665 2666 case HCI_OP_LE_CLEAR_WHITE_LIST: 2667 hci_cc_le_clear_white_list(hdev, skb); 2668 break; 2669 2670 case HCI_OP_LE_ADD_TO_WHITE_LIST: 2671 hci_cc_le_add_to_white_list(hdev, skb); 2672 break; 2673 2674 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 2675 hci_cc_le_del_from_white_list(hdev, skb); 2676 break; 2677 2678 case HCI_OP_LE_READ_SUPPORTED_STATES: 2679 hci_cc_le_read_supported_states(hdev, skb); 2680 break; 2681 2682 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 2683 hci_cc_write_le_host_supported(hdev, skb); 2684 break; 2685 2686 case HCI_OP_LE_SET_ADV_PARAM: 2687 hci_cc_set_adv_param(hdev, skb); 2688 break; 2689 2690 case HCI_OP_WRITE_REMOTE_AMP_ASSOC: 2691 hci_cc_write_remote_amp_assoc(hdev, skb); 2692 break; 2693 2694 case HCI_OP_READ_RSSI: 2695 hci_cc_read_rssi(hdev, skb); 2696 break; 2697 2698 case HCI_OP_READ_TX_POWER: 2699 hci_cc_read_tx_power(hdev, skb); 2700 break; 2701 2702 default: 2703 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2704 break; 2705 } 2706 2707 if (opcode != HCI_OP_NOP) 2708 del_timer(&hdev->cmd_timer); 2709 2710 hci_req_cmd_complete(hdev, opcode, status); 2711 2712 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2713 atomic_set(&hdev->cmd_cnt, 1); 2714 if (!skb_queue_empty(&hdev->cmd_q)) 2715 queue_work(hdev->workqueue, &hdev->cmd_work); 2716 } 2717 } 2718 2719 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb) 2720 { 2721 struct hci_ev_cmd_status *ev = (void *) skb->data; 2722 __u16 opcode; 2723 2724 skb_pull(skb, sizeof(*ev)); 2725 2726 opcode = __le16_to_cpu(ev->opcode); 2727 2728 switch (opcode) { 2729 case HCI_OP_INQUIRY: 2730 hci_cs_inquiry(hdev, ev->status); 2731 break; 2732 2733 case HCI_OP_CREATE_CONN: 2734 hci_cs_create_conn(hdev, ev->status); 2735 break; 2736 2737 case HCI_OP_ADD_SCO: 2738 hci_cs_add_sco(hdev, ev->status); 2739 break; 2740 2741 case HCI_OP_AUTH_REQUESTED: 2742 hci_cs_auth_requested(hdev, ev->status); 2743 break; 2744 2745 case HCI_OP_SET_CONN_ENCRYPT: 2746 hci_cs_set_conn_encrypt(hdev, ev->status); 2747 break; 2748 2749 case HCI_OP_REMOTE_NAME_REQ: 2750 hci_cs_remote_name_req(hdev, ev->status); 2751 break; 2752 2753 case HCI_OP_READ_REMOTE_FEATURES: 2754 hci_cs_read_remote_features(hdev, ev->status); 2755 break; 2756 2757 case HCI_OP_READ_REMOTE_EXT_FEATURES: 2758 hci_cs_read_remote_ext_features(hdev, ev->status); 2759 break; 2760 2761 case HCI_OP_SETUP_SYNC_CONN: 2762 hci_cs_setup_sync_conn(hdev, ev->status); 2763 break; 2764 2765 case HCI_OP_SNIFF_MODE: 2766 hci_cs_sniff_mode(hdev, ev->status); 2767 break; 2768 2769 case HCI_OP_EXIT_SNIFF_MODE: 2770 hci_cs_exit_sniff_mode(hdev, ev->status); 2771 break; 2772 2773 case HCI_OP_DISCONNECT: 2774 hci_cs_disconnect(hdev, ev->status); 2775 break; 2776 2777 case HCI_OP_CREATE_PHY_LINK: 2778 hci_cs_create_phylink(hdev, ev->status); 2779 break; 2780 2781 case HCI_OP_ACCEPT_PHY_LINK: 2782 hci_cs_accept_phylink(hdev, ev->status); 2783 break; 2784 2785 case HCI_OP_LE_CREATE_CONN: 2786 hci_cs_le_create_conn(hdev, ev->status); 2787 break; 2788 2789 case HCI_OP_LE_START_ENC: 2790 hci_cs_le_start_enc(hdev, ev->status); 2791 break; 2792 2793 default: 2794 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode); 2795 break; 2796 } 2797 2798 if (opcode != HCI_OP_NOP) 2799 del_timer(&hdev->cmd_timer); 2800 2801 if (ev->status || 2802 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event)) 2803 hci_req_cmd_complete(hdev, opcode, ev->status); 2804 2805 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2806 atomic_set(&hdev->cmd_cnt, 1); 2807 if (!skb_queue_empty(&hdev->cmd_q)) 2808 queue_work(hdev->workqueue, &hdev->cmd_work); 2809 } 2810 } 2811 2812 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2813 { 2814 struct hci_ev_role_change *ev = (void *) skb->data; 2815 struct hci_conn *conn; 2816 2817 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2818 2819 hci_dev_lock(hdev); 2820 2821 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2822 if (conn) { 2823 if (!ev->status) { 2824 if (ev->role) 2825 conn->link_mode &= ~HCI_LM_MASTER; 2826 else 2827 conn->link_mode |= HCI_LM_MASTER; 2828 } 2829 2830 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2831 2832 hci_role_switch_cfm(conn, ev->status, ev->role); 2833 } 2834 2835 hci_dev_unlock(hdev); 2836 } 2837 2838 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 2839 { 2840 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 2841 int i; 2842 2843 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 2844 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode); 2845 return; 2846 } 2847 2848 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 2849 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) { 2850 BT_DBG("%s bad parameters", hdev->name); 2851 return; 2852 } 2853 2854 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 2855 2856 for (i = 0; i < ev->num_hndl; i++) { 2857 struct hci_comp_pkts_info *info = &ev->handles[i]; 2858 struct hci_conn *conn; 2859 __u16 handle, count; 2860 2861 handle = __le16_to_cpu(info->handle); 2862 count = __le16_to_cpu(info->count); 2863 2864 conn = hci_conn_hash_lookup_handle(hdev, handle); 2865 if (!conn) 2866 continue; 2867 2868 conn->sent -= count; 2869 2870 switch (conn->type) { 2871 case ACL_LINK: 2872 hdev->acl_cnt += count; 2873 if (hdev->acl_cnt > hdev->acl_pkts) 2874 hdev->acl_cnt = hdev->acl_pkts; 2875 break; 2876 2877 case LE_LINK: 2878 if (hdev->le_pkts) { 2879 hdev->le_cnt += count; 2880 if (hdev->le_cnt > hdev->le_pkts) 2881 hdev->le_cnt = hdev->le_pkts; 2882 } else { 2883 hdev->acl_cnt += count; 2884 if (hdev->acl_cnt > hdev->acl_pkts) 2885 hdev->acl_cnt = hdev->acl_pkts; 2886 } 2887 break; 2888 2889 case SCO_LINK: 2890 hdev->sco_cnt += count; 2891 if (hdev->sco_cnt > hdev->sco_pkts) 2892 hdev->sco_cnt = hdev->sco_pkts; 2893 break; 2894 2895 default: 2896 BT_ERR("Unknown type %d conn %p", conn->type, conn); 2897 break; 2898 } 2899 } 2900 2901 queue_work(hdev->workqueue, &hdev->tx_work); 2902 } 2903 2904 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 2905 __u16 handle) 2906 { 2907 struct hci_chan *chan; 2908 2909 switch (hdev->dev_type) { 2910 case HCI_BREDR: 2911 return hci_conn_hash_lookup_handle(hdev, handle); 2912 case HCI_AMP: 2913 chan = hci_chan_lookup_handle(hdev, handle); 2914 if (chan) 2915 return chan->conn; 2916 break; 2917 default: 2918 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type); 2919 break; 2920 } 2921 2922 return NULL; 2923 } 2924 2925 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 2926 { 2927 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 2928 int i; 2929 2930 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 2931 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode); 2932 return; 2933 } 2934 2935 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 2936 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) { 2937 BT_DBG("%s bad parameters", hdev->name); 2938 return; 2939 } 2940 2941 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 2942 ev->num_hndl); 2943 2944 for (i = 0; i < ev->num_hndl; i++) { 2945 struct hci_comp_blocks_info *info = &ev->handles[i]; 2946 struct hci_conn *conn = NULL; 2947 __u16 handle, block_count; 2948 2949 handle = __le16_to_cpu(info->handle); 2950 block_count = __le16_to_cpu(info->blocks); 2951 2952 conn = __hci_conn_lookup_handle(hdev, handle); 2953 if (!conn) 2954 continue; 2955 2956 conn->sent -= block_count; 2957 2958 switch (conn->type) { 2959 case ACL_LINK: 2960 case AMP_LINK: 2961 hdev->block_cnt += block_count; 2962 if (hdev->block_cnt > hdev->num_blocks) 2963 hdev->block_cnt = hdev->num_blocks; 2964 break; 2965 2966 default: 2967 BT_ERR("Unknown type %d conn %p", conn->type, conn); 2968 break; 2969 } 2970 } 2971 2972 queue_work(hdev->workqueue, &hdev->tx_work); 2973 } 2974 2975 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2976 { 2977 struct hci_ev_mode_change *ev = (void *) skb->data; 2978 struct hci_conn *conn; 2979 2980 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2981 2982 hci_dev_lock(hdev); 2983 2984 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2985 if (conn) { 2986 conn->mode = ev->mode; 2987 2988 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 2989 &conn->flags)) { 2990 if (conn->mode == HCI_CM_ACTIVE) 2991 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 2992 else 2993 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 2994 } 2995 2996 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2997 hci_sco_setup(conn, ev->status); 2998 } 2999 3000 hci_dev_unlock(hdev); 3001 } 3002 3003 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3004 { 3005 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3006 struct hci_conn *conn; 3007 3008 BT_DBG("%s", hdev->name); 3009 3010 hci_dev_lock(hdev); 3011 3012 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3013 if (!conn) 3014 goto unlock; 3015 3016 if (conn->state == BT_CONNECTED) { 3017 hci_conn_hold(conn); 3018 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3019 hci_conn_drop(conn); 3020 } 3021 3022 if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags)) 3023 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3024 sizeof(ev->bdaddr), &ev->bdaddr); 3025 else if (test_bit(HCI_MGMT, &hdev->dev_flags)) { 3026 u8 secure; 3027 3028 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3029 secure = 1; 3030 else 3031 secure = 0; 3032 3033 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3034 } 3035 3036 unlock: 3037 hci_dev_unlock(hdev); 3038 } 3039 3040 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3041 { 3042 struct hci_ev_link_key_req *ev = (void *) skb->data; 3043 struct hci_cp_link_key_reply cp; 3044 struct hci_conn *conn; 3045 struct link_key *key; 3046 3047 BT_DBG("%s", hdev->name); 3048 3049 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3050 return; 3051 3052 hci_dev_lock(hdev); 3053 3054 key = hci_find_link_key(hdev, &ev->bdaddr); 3055 if (!key) { 3056 BT_DBG("%s link key not found for %pMR", hdev->name, 3057 &ev->bdaddr); 3058 goto not_found; 3059 } 3060 3061 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3062 &ev->bdaddr); 3063 3064 if (!test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) && 3065 key->type == HCI_LK_DEBUG_COMBINATION) { 3066 BT_DBG("%s ignoring debug key", hdev->name); 3067 goto not_found; 3068 } 3069 3070 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3071 if (conn) { 3072 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3073 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3074 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3075 BT_DBG("%s ignoring unauthenticated key", hdev->name); 3076 goto not_found; 3077 } 3078 3079 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3080 (conn->pending_sec_level == BT_SECURITY_HIGH || 3081 conn->pending_sec_level == BT_SECURITY_FIPS)) { 3082 BT_DBG("%s ignoring key unauthenticated for high security", 3083 hdev->name); 3084 goto not_found; 3085 } 3086 3087 conn->key_type = key->type; 3088 conn->pin_length = key->pin_len; 3089 } 3090 3091 bacpy(&cp.bdaddr, &ev->bdaddr); 3092 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 3093 3094 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 3095 3096 hci_dev_unlock(hdev); 3097 3098 return; 3099 3100 not_found: 3101 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 3102 hci_dev_unlock(hdev); 3103 } 3104 3105 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3106 { 3107 struct hci_ev_link_key_notify *ev = (void *) skb->data; 3108 struct hci_conn *conn; 3109 u8 pin_len = 0; 3110 3111 BT_DBG("%s", hdev->name); 3112 3113 hci_dev_lock(hdev); 3114 3115 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3116 if (conn) { 3117 hci_conn_hold(conn); 3118 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3119 pin_len = conn->pin_length; 3120 3121 if (ev->key_type != HCI_LK_CHANGED_COMBINATION) 3122 conn->key_type = ev->key_type; 3123 3124 hci_conn_drop(conn); 3125 } 3126 3127 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3128 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key, 3129 ev->key_type, pin_len); 3130 3131 hci_dev_unlock(hdev); 3132 } 3133 3134 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 3135 { 3136 struct hci_ev_clock_offset *ev = (void *) skb->data; 3137 struct hci_conn *conn; 3138 3139 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3140 3141 hci_dev_lock(hdev); 3142 3143 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3144 if (conn && !ev->status) { 3145 struct inquiry_entry *ie; 3146 3147 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3148 if (ie) { 3149 ie->data.clock_offset = ev->clock_offset; 3150 ie->timestamp = jiffies; 3151 } 3152 } 3153 3154 hci_dev_unlock(hdev); 3155 } 3156 3157 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3158 { 3159 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 3160 struct hci_conn *conn; 3161 3162 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3163 3164 hci_dev_lock(hdev); 3165 3166 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3167 if (conn && !ev->status) 3168 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 3169 3170 hci_dev_unlock(hdev); 3171 } 3172 3173 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 3174 { 3175 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 3176 struct inquiry_entry *ie; 3177 3178 BT_DBG("%s", hdev->name); 3179 3180 hci_dev_lock(hdev); 3181 3182 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3183 if (ie) { 3184 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 3185 ie->timestamp = jiffies; 3186 } 3187 3188 hci_dev_unlock(hdev); 3189 } 3190 3191 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 3192 struct sk_buff *skb) 3193 { 3194 struct inquiry_data data; 3195 int num_rsp = *((__u8 *) skb->data); 3196 bool name_known, ssp; 3197 3198 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3199 3200 if (!num_rsp) 3201 return; 3202 3203 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) 3204 return; 3205 3206 hci_dev_lock(hdev); 3207 3208 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 3209 struct inquiry_info_with_rssi_and_pscan_mode *info; 3210 info = (void *) (skb->data + 1); 3211 3212 for (; num_rsp; num_rsp--, info++) { 3213 bacpy(&data.bdaddr, &info->bdaddr); 3214 data.pscan_rep_mode = info->pscan_rep_mode; 3215 data.pscan_period_mode = info->pscan_period_mode; 3216 data.pscan_mode = info->pscan_mode; 3217 memcpy(data.dev_class, info->dev_class, 3); 3218 data.clock_offset = info->clock_offset; 3219 data.rssi = info->rssi; 3220 data.ssp_mode = 0x00; 3221 3222 name_known = hci_inquiry_cache_update(hdev, &data, 3223 false, &ssp); 3224 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3225 info->dev_class, info->rssi, 3226 !name_known, ssp, NULL, 0, NULL, 0); 3227 } 3228 } else { 3229 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 3230 3231 for (; num_rsp; num_rsp--, info++) { 3232 bacpy(&data.bdaddr, &info->bdaddr); 3233 data.pscan_rep_mode = info->pscan_rep_mode; 3234 data.pscan_period_mode = info->pscan_period_mode; 3235 data.pscan_mode = 0x00; 3236 memcpy(data.dev_class, info->dev_class, 3); 3237 data.clock_offset = info->clock_offset; 3238 data.rssi = info->rssi; 3239 data.ssp_mode = 0x00; 3240 name_known = hci_inquiry_cache_update(hdev, &data, 3241 false, &ssp); 3242 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3243 info->dev_class, info->rssi, 3244 !name_known, ssp, NULL, 0, NULL, 0); 3245 } 3246 } 3247 3248 hci_dev_unlock(hdev); 3249 } 3250 3251 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 3252 struct sk_buff *skb) 3253 { 3254 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 3255 struct hci_conn *conn; 3256 3257 BT_DBG("%s", hdev->name); 3258 3259 hci_dev_lock(hdev); 3260 3261 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3262 if (!conn) 3263 goto unlock; 3264 3265 if (ev->page < HCI_MAX_PAGES) 3266 memcpy(conn->features[ev->page], ev->features, 8); 3267 3268 if (!ev->status && ev->page == 0x01) { 3269 struct inquiry_entry *ie; 3270 3271 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3272 if (ie) 3273 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3274 3275 if (ev->features[0] & LMP_HOST_SSP) { 3276 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3277 } else { 3278 /* It is mandatory by the Bluetooth specification that 3279 * Extended Inquiry Results are only used when Secure 3280 * Simple Pairing is enabled, but some devices violate 3281 * this. 3282 * 3283 * To make these devices work, the internal SSP 3284 * enabled flag needs to be cleared if the remote host 3285 * features do not indicate SSP support */ 3286 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3287 } 3288 3289 if (ev->features[0] & LMP_HOST_SC) 3290 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 3291 } 3292 3293 if (conn->state != BT_CONFIG) 3294 goto unlock; 3295 3296 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3297 struct hci_cp_remote_name_req cp; 3298 memset(&cp, 0, sizeof(cp)); 3299 bacpy(&cp.bdaddr, &conn->dst); 3300 cp.pscan_rep_mode = 0x02; 3301 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3302 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3303 mgmt_device_connected(hdev, &conn->dst, conn->type, 3304 conn->dst_type, 0, NULL, 0, 3305 conn->dev_class); 3306 3307 if (!hci_outgoing_auth_needed(hdev, conn)) { 3308 conn->state = BT_CONNECTED; 3309 hci_proto_connect_cfm(conn, ev->status); 3310 hci_conn_drop(conn); 3311 } 3312 3313 unlock: 3314 hci_dev_unlock(hdev); 3315 } 3316 3317 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 3318 struct sk_buff *skb) 3319 { 3320 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 3321 struct hci_conn *conn; 3322 3323 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3324 3325 hci_dev_lock(hdev); 3326 3327 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3328 if (!conn) { 3329 if (ev->link_type == ESCO_LINK) 3330 goto unlock; 3331 3332 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 3333 if (!conn) 3334 goto unlock; 3335 3336 conn->type = SCO_LINK; 3337 } 3338 3339 switch (ev->status) { 3340 case 0x00: 3341 conn->handle = __le16_to_cpu(ev->handle); 3342 conn->state = BT_CONNECTED; 3343 3344 hci_conn_add_sysfs(conn); 3345 break; 3346 3347 case 0x0d: /* Connection Rejected due to Limited Resources */ 3348 case 0x11: /* Unsupported Feature or Parameter Value */ 3349 case 0x1c: /* SCO interval rejected */ 3350 case 0x1a: /* Unsupported Remote Feature */ 3351 case 0x1f: /* Unspecified error */ 3352 case 0x20: /* Unsupported LMP Parameter value */ 3353 if (conn->out) { 3354 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 3355 (hdev->esco_type & EDR_ESCO_MASK); 3356 if (hci_setup_sync(conn, conn->link->handle)) 3357 goto unlock; 3358 } 3359 /* fall through */ 3360 3361 default: 3362 conn->state = BT_CLOSED; 3363 break; 3364 } 3365 3366 hci_proto_connect_cfm(conn, ev->status); 3367 if (ev->status) 3368 hci_conn_del(conn); 3369 3370 unlock: 3371 hci_dev_unlock(hdev); 3372 } 3373 3374 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 3375 { 3376 size_t parsed = 0; 3377 3378 while (parsed < eir_len) { 3379 u8 field_len = eir[0]; 3380 3381 if (field_len == 0) 3382 return parsed; 3383 3384 parsed += field_len + 1; 3385 eir += field_len + 1; 3386 } 3387 3388 return eir_len; 3389 } 3390 3391 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 3392 struct sk_buff *skb) 3393 { 3394 struct inquiry_data data; 3395 struct extended_inquiry_info *info = (void *) (skb->data + 1); 3396 int num_rsp = *((__u8 *) skb->data); 3397 size_t eir_len; 3398 3399 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3400 3401 if (!num_rsp) 3402 return; 3403 3404 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) 3405 return; 3406 3407 hci_dev_lock(hdev); 3408 3409 for (; num_rsp; num_rsp--, info++) { 3410 bool name_known, ssp; 3411 3412 bacpy(&data.bdaddr, &info->bdaddr); 3413 data.pscan_rep_mode = info->pscan_rep_mode; 3414 data.pscan_period_mode = info->pscan_period_mode; 3415 data.pscan_mode = 0x00; 3416 memcpy(data.dev_class, info->dev_class, 3); 3417 data.clock_offset = info->clock_offset; 3418 data.rssi = info->rssi; 3419 data.ssp_mode = 0x01; 3420 3421 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3422 name_known = eir_has_data_type(info->data, 3423 sizeof(info->data), 3424 EIR_NAME_COMPLETE); 3425 else 3426 name_known = true; 3427 3428 name_known = hci_inquiry_cache_update(hdev, &data, name_known, 3429 &ssp); 3430 eir_len = eir_get_length(info->data, sizeof(info->data)); 3431 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3432 info->dev_class, info->rssi, !name_known, 3433 ssp, info->data, eir_len, NULL, 0); 3434 } 3435 3436 hci_dev_unlock(hdev); 3437 } 3438 3439 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 3440 struct sk_buff *skb) 3441 { 3442 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 3443 struct hci_conn *conn; 3444 3445 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 3446 __le16_to_cpu(ev->handle)); 3447 3448 hci_dev_lock(hdev); 3449 3450 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3451 if (!conn) 3452 goto unlock; 3453 3454 /* For BR/EDR the necessary steps are taken through the 3455 * auth_complete event. 3456 */ 3457 if (conn->type != LE_LINK) 3458 goto unlock; 3459 3460 if (!ev->status) 3461 conn->sec_level = conn->pending_sec_level; 3462 3463 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3464 3465 if (ev->status && conn->state == BT_CONNECTED) { 3466 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3467 hci_conn_drop(conn); 3468 goto unlock; 3469 } 3470 3471 if (conn->state == BT_CONFIG) { 3472 if (!ev->status) 3473 conn->state = BT_CONNECTED; 3474 3475 hci_proto_connect_cfm(conn, ev->status); 3476 hci_conn_drop(conn); 3477 } else { 3478 hci_auth_cfm(conn, ev->status); 3479 3480 hci_conn_hold(conn); 3481 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3482 hci_conn_drop(conn); 3483 } 3484 3485 unlock: 3486 hci_dev_unlock(hdev); 3487 } 3488 3489 static u8 hci_get_auth_req(struct hci_conn *conn) 3490 { 3491 /* If remote requests no-bonding follow that lead */ 3492 if (conn->remote_auth == HCI_AT_NO_BONDING || 3493 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 3494 return conn->remote_auth | (conn->auth_type & 0x01); 3495 3496 /* If both remote and local have enough IO capabilities, require 3497 * MITM protection 3498 */ 3499 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 3500 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 3501 return conn->remote_auth | 0x01; 3502 3503 /* No MITM protection possible so ignore remote requirement */ 3504 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 3505 } 3506 3507 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3508 { 3509 struct hci_ev_io_capa_request *ev = (void *) skb->data; 3510 struct hci_conn *conn; 3511 3512 BT_DBG("%s", hdev->name); 3513 3514 hci_dev_lock(hdev); 3515 3516 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3517 if (!conn) 3518 goto unlock; 3519 3520 hci_conn_hold(conn); 3521 3522 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3523 goto unlock; 3524 3525 if (test_bit(HCI_PAIRABLE, &hdev->dev_flags) || 3526 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 3527 struct hci_cp_io_capability_reply cp; 3528 3529 bacpy(&cp.bdaddr, &ev->bdaddr); 3530 /* Change the IO capability from KeyboardDisplay 3531 * to DisplayYesNo as it is not supported by BT spec. */ 3532 cp.capability = (conn->io_capability == 0x04) ? 3533 HCI_IO_DISPLAY_YESNO : conn->io_capability; 3534 3535 /* If we are initiators, there is no remote information yet */ 3536 if (conn->remote_auth == 0xff) { 3537 cp.authentication = conn->auth_type; 3538 3539 /* Request MITM protection if our IO caps allow it 3540 * except for the no-bonding case 3541 */ 3542 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 3543 cp.authentication != HCI_AT_NO_BONDING) 3544 cp.authentication |= 0x01; 3545 } else { 3546 conn->auth_type = hci_get_auth_req(conn); 3547 cp.authentication = conn->auth_type; 3548 } 3549 3550 if (hci_find_remote_oob_data(hdev, &conn->dst) && 3551 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))) 3552 cp.oob_data = 0x01; 3553 else 3554 cp.oob_data = 0x00; 3555 3556 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 3557 sizeof(cp), &cp); 3558 } else { 3559 struct hci_cp_io_capability_neg_reply cp; 3560 3561 bacpy(&cp.bdaddr, &ev->bdaddr); 3562 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 3563 3564 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 3565 sizeof(cp), &cp); 3566 } 3567 3568 unlock: 3569 hci_dev_unlock(hdev); 3570 } 3571 3572 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 3573 { 3574 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 3575 struct hci_conn *conn; 3576 3577 BT_DBG("%s", hdev->name); 3578 3579 hci_dev_lock(hdev); 3580 3581 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3582 if (!conn) 3583 goto unlock; 3584 3585 conn->remote_cap = ev->capability; 3586 conn->remote_auth = ev->authentication; 3587 if (ev->oob_data) 3588 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags); 3589 3590 unlock: 3591 hci_dev_unlock(hdev); 3592 } 3593 3594 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 3595 struct sk_buff *skb) 3596 { 3597 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 3598 int loc_mitm, rem_mitm, confirm_hint = 0; 3599 struct hci_conn *conn; 3600 3601 BT_DBG("%s", hdev->name); 3602 3603 hci_dev_lock(hdev); 3604 3605 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3606 goto unlock; 3607 3608 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3609 if (!conn) 3610 goto unlock; 3611 3612 loc_mitm = (conn->auth_type & 0x01); 3613 rem_mitm = (conn->remote_auth & 0x01); 3614 3615 /* If we require MITM but the remote device can't provide that 3616 * (it has NoInputNoOutput) then reject the confirmation request 3617 */ 3618 if (loc_mitm && conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 3619 BT_DBG("Rejecting request: remote device can't provide MITM"); 3620 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 3621 sizeof(ev->bdaddr), &ev->bdaddr); 3622 goto unlock; 3623 } 3624 3625 /* If no side requires MITM protection; auto-accept */ 3626 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 3627 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 3628 3629 /* If we're not the initiators request authorization to 3630 * proceed from user space (mgmt_user_confirm with 3631 * confirm_hint set to 1). */ 3632 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3633 BT_DBG("Confirming auto-accept as acceptor"); 3634 confirm_hint = 1; 3635 goto confirm; 3636 } 3637 3638 BT_DBG("Auto-accept of user confirmation with %ums delay", 3639 hdev->auto_accept_delay); 3640 3641 if (hdev->auto_accept_delay > 0) { 3642 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 3643 queue_delayed_work(conn->hdev->workqueue, 3644 &conn->auto_accept_work, delay); 3645 goto unlock; 3646 } 3647 3648 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 3649 sizeof(ev->bdaddr), &ev->bdaddr); 3650 goto unlock; 3651 } 3652 3653 confirm: 3654 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 3655 le32_to_cpu(ev->passkey), confirm_hint); 3656 3657 unlock: 3658 hci_dev_unlock(hdev); 3659 } 3660 3661 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 3662 struct sk_buff *skb) 3663 { 3664 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 3665 3666 BT_DBG("%s", hdev->name); 3667 3668 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3669 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 3670 } 3671 3672 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 3673 struct sk_buff *skb) 3674 { 3675 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 3676 struct hci_conn *conn; 3677 3678 BT_DBG("%s", hdev->name); 3679 3680 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3681 if (!conn) 3682 return; 3683 3684 conn->passkey_notify = __le32_to_cpu(ev->passkey); 3685 conn->passkey_entered = 0; 3686 3687 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3688 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 3689 conn->dst_type, conn->passkey_notify, 3690 conn->passkey_entered); 3691 } 3692 3693 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3694 { 3695 struct hci_ev_keypress_notify *ev = (void *) skb->data; 3696 struct hci_conn *conn; 3697 3698 BT_DBG("%s", hdev->name); 3699 3700 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3701 if (!conn) 3702 return; 3703 3704 switch (ev->type) { 3705 case HCI_KEYPRESS_STARTED: 3706 conn->passkey_entered = 0; 3707 return; 3708 3709 case HCI_KEYPRESS_ENTERED: 3710 conn->passkey_entered++; 3711 break; 3712 3713 case HCI_KEYPRESS_ERASED: 3714 conn->passkey_entered--; 3715 break; 3716 3717 case HCI_KEYPRESS_CLEARED: 3718 conn->passkey_entered = 0; 3719 break; 3720 3721 case HCI_KEYPRESS_COMPLETED: 3722 return; 3723 } 3724 3725 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 3726 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 3727 conn->dst_type, conn->passkey_notify, 3728 conn->passkey_entered); 3729 } 3730 3731 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 3732 struct sk_buff *skb) 3733 { 3734 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 3735 struct hci_conn *conn; 3736 3737 BT_DBG("%s", hdev->name); 3738 3739 hci_dev_lock(hdev); 3740 3741 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3742 if (!conn) 3743 goto unlock; 3744 3745 /* To avoid duplicate auth_failed events to user space we check 3746 * the HCI_CONN_AUTH_PEND flag which will be set if we 3747 * initiated the authentication. A traditional auth_complete 3748 * event gets always produced as initiator and is also mapped to 3749 * the mgmt_auth_failed event */ 3750 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 3751 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type, 3752 ev->status); 3753 3754 hci_conn_drop(conn); 3755 3756 unlock: 3757 hci_dev_unlock(hdev); 3758 } 3759 3760 static void hci_remote_host_features_evt(struct hci_dev *hdev, 3761 struct sk_buff *skb) 3762 { 3763 struct hci_ev_remote_host_features *ev = (void *) skb->data; 3764 struct inquiry_entry *ie; 3765 struct hci_conn *conn; 3766 3767 BT_DBG("%s", hdev->name); 3768 3769 hci_dev_lock(hdev); 3770 3771 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3772 if (conn) 3773 memcpy(conn->features[1], ev->features, 8); 3774 3775 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3776 if (ie) 3777 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3778 3779 hci_dev_unlock(hdev); 3780 } 3781 3782 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 3783 struct sk_buff *skb) 3784 { 3785 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 3786 struct oob_data *data; 3787 3788 BT_DBG("%s", hdev->name); 3789 3790 hci_dev_lock(hdev); 3791 3792 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 3793 goto unlock; 3794 3795 data = hci_find_remote_oob_data(hdev, &ev->bdaddr); 3796 if (data) { 3797 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) { 3798 struct hci_cp_remote_oob_ext_data_reply cp; 3799 3800 bacpy(&cp.bdaddr, &ev->bdaddr); 3801 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 3802 memcpy(cp.randomizer192, data->randomizer192, 3803 sizeof(cp.randomizer192)); 3804 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 3805 memcpy(cp.randomizer256, data->randomizer256, 3806 sizeof(cp.randomizer256)); 3807 3808 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 3809 sizeof(cp), &cp); 3810 } else { 3811 struct hci_cp_remote_oob_data_reply cp; 3812 3813 bacpy(&cp.bdaddr, &ev->bdaddr); 3814 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 3815 memcpy(cp.randomizer, data->randomizer192, 3816 sizeof(cp.randomizer)); 3817 3818 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 3819 sizeof(cp), &cp); 3820 } 3821 } else { 3822 struct hci_cp_remote_oob_data_neg_reply cp; 3823 3824 bacpy(&cp.bdaddr, &ev->bdaddr); 3825 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 3826 sizeof(cp), &cp); 3827 } 3828 3829 unlock: 3830 hci_dev_unlock(hdev); 3831 } 3832 3833 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 3834 struct sk_buff *skb) 3835 { 3836 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 3837 struct hci_conn *hcon, *bredr_hcon; 3838 3839 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 3840 ev->status); 3841 3842 hci_dev_lock(hdev); 3843 3844 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 3845 if (!hcon) { 3846 hci_dev_unlock(hdev); 3847 return; 3848 } 3849 3850 if (ev->status) { 3851 hci_conn_del(hcon); 3852 hci_dev_unlock(hdev); 3853 return; 3854 } 3855 3856 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 3857 3858 hcon->state = BT_CONNECTED; 3859 bacpy(&hcon->dst, &bredr_hcon->dst); 3860 3861 hci_conn_hold(hcon); 3862 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 3863 hci_conn_drop(hcon); 3864 3865 hci_conn_add_sysfs(hcon); 3866 3867 amp_physical_cfm(bredr_hcon, hcon); 3868 3869 hci_dev_unlock(hdev); 3870 } 3871 3872 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 3873 { 3874 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 3875 struct hci_conn *hcon; 3876 struct hci_chan *hchan; 3877 struct amp_mgr *mgr; 3878 3879 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 3880 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 3881 ev->status); 3882 3883 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 3884 if (!hcon) 3885 return; 3886 3887 /* Create AMP hchan */ 3888 hchan = hci_chan_create(hcon); 3889 if (!hchan) 3890 return; 3891 3892 hchan->handle = le16_to_cpu(ev->handle); 3893 3894 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 3895 3896 mgr = hcon->amp_mgr; 3897 if (mgr && mgr->bredr_chan) { 3898 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 3899 3900 l2cap_chan_lock(bredr_chan); 3901 3902 bredr_chan->conn->mtu = hdev->block_mtu; 3903 l2cap_logical_cfm(bredr_chan, hchan, 0); 3904 hci_conn_hold(hcon); 3905 3906 l2cap_chan_unlock(bredr_chan); 3907 } 3908 } 3909 3910 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 3911 struct sk_buff *skb) 3912 { 3913 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 3914 struct hci_chan *hchan; 3915 3916 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 3917 le16_to_cpu(ev->handle), ev->status); 3918 3919 if (ev->status) 3920 return; 3921 3922 hci_dev_lock(hdev); 3923 3924 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 3925 if (!hchan) 3926 goto unlock; 3927 3928 amp_destroy_logical_link(hchan, ev->reason); 3929 3930 unlock: 3931 hci_dev_unlock(hdev); 3932 } 3933 3934 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 3935 struct sk_buff *skb) 3936 { 3937 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 3938 struct hci_conn *hcon; 3939 3940 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3941 3942 if (ev->status) 3943 return; 3944 3945 hci_dev_lock(hdev); 3946 3947 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 3948 if (hcon) { 3949 hcon->state = BT_CLOSED; 3950 hci_conn_del(hcon); 3951 } 3952 3953 hci_dev_unlock(hdev); 3954 } 3955 3956 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 3957 { 3958 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 3959 struct hci_conn *conn; 3960 struct smp_irk *irk; 3961 3962 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3963 3964 hci_dev_lock(hdev); 3965 3966 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT); 3967 if (!conn) { 3968 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr); 3969 if (!conn) { 3970 BT_ERR("No memory for new connection"); 3971 goto unlock; 3972 } 3973 3974 conn->dst_type = ev->bdaddr_type; 3975 3976 if (ev->role == LE_CONN_ROLE_MASTER) { 3977 conn->out = true; 3978 conn->link_mode |= HCI_LM_MASTER; 3979 } 3980 3981 /* If we didn't have a hci_conn object previously 3982 * but we're in master role this must be something 3983 * initiated using a white list. Since white list based 3984 * connections are not "first class citizens" we don't 3985 * have full tracking of them. Therefore, we go ahead 3986 * with a "best effort" approach of determining the 3987 * initiator address based on the HCI_PRIVACY flag. 3988 */ 3989 if (conn->out) { 3990 conn->resp_addr_type = ev->bdaddr_type; 3991 bacpy(&conn->resp_addr, &ev->bdaddr); 3992 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) { 3993 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 3994 bacpy(&conn->init_addr, &hdev->rpa); 3995 } else { 3996 hci_copy_identity_address(hdev, 3997 &conn->init_addr, 3998 &conn->init_addr_type); 3999 } 4000 } 4001 } else { 4002 cancel_delayed_work(&conn->le_conn_timeout); 4003 } 4004 4005 if (!conn->out) { 4006 /* Set the responder (our side) address type based on 4007 * the advertising address type. 4008 */ 4009 conn->resp_addr_type = hdev->adv_addr_type; 4010 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) 4011 bacpy(&conn->resp_addr, &hdev->random_addr); 4012 else 4013 bacpy(&conn->resp_addr, &hdev->bdaddr); 4014 4015 conn->init_addr_type = ev->bdaddr_type; 4016 bacpy(&conn->init_addr, &ev->bdaddr); 4017 } 4018 4019 /* Lookup the identity address from the stored connection 4020 * address and address type. 4021 * 4022 * When establishing connections to an identity address, the 4023 * connection procedure will store the resolvable random 4024 * address first. Now if it can be converted back into the 4025 * identity address, start using the identity address from 4026 * now on. 4027 */ 4028 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 4029 if (irk) { 4030 bacpy(&conn->dst, &irk->bdaddr); 4031 conn->dst_type = irk->addr_type; 4032 } 4033 4034 if (ev->status) { 4035 hci_le_conn_failed(conn, ev->status); 4036 goto unlock; 4037 } 4038 4039 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4040 mgmt_device_connected(hdev, &conn->dst, conn->type, 4041 conn->dst_type, 0, NULL, 0, NULL); 4042 4043 conn->sec_level = BT_SECURITY_LOW; 4044 conn->handle = __le16_to_cpu(ev->handle); 4045 conn->state = BT_CONNECTED; 4046 4047 if (test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags)) 4048 set_bit(HCI_CONN_6LOWPAN, &conn->flags); 4049 4050 hci_conn_add_sysfs(conn); 4051 4052 hci_proto_connect_cfm(conn, ev->status); 4053 4054 hci_pend_le_conn_del(hdev, &conn->dst, conn->dst_type); 4055 4056 unlock: 4057 hci_dev_unlock(hdev); 4058 } 4059 4060 /* This function requires the caller holds hdev->lock */ 4061 static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr, 4062 u8 addr_type) 4063 { 4064 struct hci_conn *conn; 4065 struct smp_irk *irk; 4066 4067 /* If this is a resolvable address, we should resolve it and then 4068 * update address and address type variables. 4069 */ 4070 irk = hci_get_irk(hdev, addr, addr_type); 4071 if (irk) { 4072 addr = &irk->bdaddr; 4073 addr_type = irk->addr_type; 4074 } 4075 4076 if (!hci_pend_le_conn_lookup(hdev, addr, addr_type)) 4077 return; 4078 4079 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 4080 HCI_AT_NO_BONDING); 4081 if (!IS_ERR(conn)) 4082 return; 4083 4084 switch (PTR_ERR(conn)) { 4085 case -EBUSY: 4086 /* If hci_connect() returns -EBUSY it means there is already 4087 * an LE connection attempt going on. Since controllers don't 4088 * support more than one connection attempt at the time, we 4089 * don't consider this an error case. 4090 */ 4091 break; 4092 default: 4093 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 4094 } 4095 } 4096 4097 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 4098 u8 bdaddr_type, s8 rssi, u8 *data, u8 len) 4099 { 4100 struct discovery_state *d = &hdev->discovery; 4101 bool match; 4102 4103 /* Passive scanning shouldn't trigger any device found events */ 4104 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 4105 if (type == LE_ADV_IND || type == LE_ADV_DIRECT_IND) 4106 check_pending_le_conn(hdev, bdaddr, bdaddr_type); 4107 return; 4108 } 4109 4110 /* If there's nothing pending either store the data from this 4111 * event or send an immediate device found event if the data 4112 * should not be stored for later. 4113 */ 4114 if (!has_pending_adv_report(hdev)) { 4115 /* If the report will trigger a SCAN_REQ store it for 4116 * later merging. 4117 */ 4118 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4119 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4120 rssi, data, len); 4121 return; 4122 } 4123 4124 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4125 rssi, 0, 1, data, len, NULL, 0); 4126 return; 4127 } 4128 4129 /* Check if the pending report is for the same device as the new one */ 4130 match = (!bacmp(bdaddr, &d->last_adv_addr) && 4131 bdaddr_type == d->last_adv_addr_type); 4132 4133 /* If the pending data doesn't match this report or this isn't a 4134 * scan response (e.g. we got a duplicate ADV_IND) then force 4135 * sending of the pending data. 4136 */ 4137 if (type != LE_ADV_SCAN_RSP || !match) { 4138 /* Send out whatever is in the cache, but skip duplicates */ 4139 if (!match) 4140 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4141 d->last_adv_addr_type, NULL, 4142 d->last_adv_rssi, 0, 1, 4143 d->last_adv_data, 4144 d->last_adv_data_len, NULL, 0); 4145 4146 /* If the new report will trigger a SCAN_REQ store it for 4147 * later merging. 4148 */ 4149 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4150 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4151 rssi, data, len); 4152 return; 4153 } 4154 4155 /* The advertising reports cannot be merged, so clear 4156 * the pending report and send out a device found event. 4157 */ 4158 clear_pending_adv_report(hdev); 4159 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4160 rssi, 0, 1, data, len, NULL, 0); 4161 return; 4162 } 4163 4164 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 4165 * the new event is a SCAN_RSP. We can therefore proceed with 4166 * sending a merged device found event. 4167 */ 4168 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4169 d->last_adv_addr_type, NULL, rssi, 0, 1, data, len, 4170 d->last_adv_data, d->last_adv_data_len); 4171 clear_pending_adv_report(hdev); 4172 } 4173 4174 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 4175 { 4176 u8 num_reports = skb->data[0]; 4177 void *ptr = &skb->data[1]; 4178 4179 hci_dev_lock(hdev); 4180 4181 while (num_reports--) { 4182 struct hci_ev_le_advertising_info *ev = ptr; 4183 s8 rssi; 4184 4185 rssi = ev->data[ev->length]; 4186 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4187 ev->bdaddr_type, rssi, ev->data, ev->length); 4188 4189 ptr += sizeof(*ev) + ev->length + 1; 4190 } 4191 4192 hci_dev_unlock(hdev); 4193 } 4194 4195 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4196 { 4197 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 4198 struct hci_cp_le_ltk_reply cp; 4199 struct hci_cp_le_ltk_neg_reply neg; 4200 struct hci_conn *conn; 4201 struct smp_ltk *ltk; 4202 4203 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 4204 4205 hci_dev_lock(hdev); 4206 4207 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4208 if (conn == NULL) 4209 goto not_found; 4210 4211 ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->out); 4212 if (ltk == NULL) 4213 goto not_found; 4214 4215 memcpy(cp.ltk, ltk->val, sizeof(ltk->val)); 4216 cp.handle = cpu_to_le16(conn->handle); 4217 4218 if (ltk->authenticated) 4219 conn->pending_sec_level = BT_SECURITY_HIGH; 4220 else 4221 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4222 4223 conn->enc_key_size = ltk->enc_size; 4224 4225 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 4226 4227 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 4228 * temporary key used to encrypt a connection following 4229 * pairing. It is used during the Encrypted Session Setup to 4230 * distribute the keys. Later, security can be re-established 4231 * using a distributed LTK. 4232 */ 4233 if (ltk->type == HCI_SMP_STK_SLAVE) { 4234 list_del(<k->list); 4235 kfree(ltk); 4236 } 4237 4238 hci_dev_unlock(hdev); 4239 4240 return; 4241 4242 not_found: 4243 neg.handle = ev->handle; 4244 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 4245 hci_dev_unlock(hdev); 4246 } 4247 4248 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 4249 { 4250 struct hci_ev_le_meta *le_ev = (void *) skb->data; 4251 4252 skb_pull(skb, sizeof(*le_ev)); 4253 4254 switch (le_ev->subevent) { 4255 case HCI_EV_LE_CONN_COMPLETE: 4256 hci_le_conn_complete_evt(hdev, skb); 4257 break; 4258 4259 case HCI_EV_LE_ADVERTISING_REPORT: 4260 hci_le_adv_report_evt(hdev, skb); 4261 break; 4262 4263 case HCI_EV_LE_LTK_REQ: 4264 hci_le_ltk_request_evt(hdev, skb); 4265 break; 4266 4267 default: 4268 break; 4269 } 4270 } 4271 4272 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4273 { 4274 struct hci_ev_channel_selected *ev = (void *) skb->data; 4275 struct hci_conn *hcon; 4276 4277 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4278 4279 skb_pull(skb, sizeof(*ev)); 4280 4281 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4282 if (!hcon) 4283 return; 4284 4285 amp_read_loc_assoc_final_data(hdev, hcon); 4286 } 4287 4288 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 4289 { 4290 struct hci_event_hdr *hdr = (void *) skb->data; 4291 __u8 event = hdr->evt; 4292 4293 hci_dev_lock(hdev); 4294 4295 /* Received events are (currently) only needed when a request is 4296 * ongoing so avoid unnecessary memory allocation. 4297 */ 4298 if (hdev->req_status == HCI_REQ_PEND) { 4299 kfree_skb(hdev->recv_evt); 4300 hdev->recv_evt = skb_clone(skb, GFP_KERNEL); 4301 } 4302 4303 hci_dev_unlock(hdev); 4304 4305 skb_pull(skb, HCI_EVENT_HDR_SIZE); 4306 4307 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) { 4308 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 4309 u16 opcode = __le16_to_cpu(cmd_hdr->opcode); 4310 4311 hci_req_cmd_complete(hdev, opcode, 0); 4312 } 4313 4314 switch (event) { 4315 case HCI_EV_INQUIRY_COMPLETE: 4316 hci_inquiry_complete_evt(hdev, skb); 4317 break; 4318 4319 case HCI_EV_INQUIRY_RESULT: 4320 hci_inquiry_result_evt(hdev, skb); 4321 break; 4322 4323 case HCI_EV_CONN_COMPLETE: 4324 hci_conn_complete_evt(hdev, skb); 4325 break; 4326 4327 case HCI_EV_CONN_REQUEST: 4328 hci_conn_request_evt(hdev, skb); 4329 break; 4330 4331 case HCI_EV_DISCONN_COMPLETE: 4332 hci_disconn_complete_evt(hdev, skb); 4333 break; 4334 4335 case HCI_EV_AUTH_COMPLETE: 4336 hci_auth_complete_evt(hdev, skb); 4337 break; 4338 4339 case HCI_EV_REMOTE_NAME: 4340 hci_remote_name_evt(hdev, skb); 4341 break; 4342 4343 case HCI_EV_ENCRYPT_CHANGE: 4344 hci_encrypt_change_evt(hdev, skb); 4345 break; 4346 4347 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 4348 hci_change_link_key_complete_evt(hdev, skb); 4349 break; 4350 4351 case HCI_EV_REMOTE_FEATURES: 4352 hci_remote_features_evt(hdev, skb); 4353 break; 4354 4355 case HCI_EV_CMD_COMPLETE: 4356 hci_cmd_complete_evt(hdev, skb); 4357 break; 4358 4359 case HCI_EV_CMD_STATUS: 4360 hci_cmd_status_evt(hdev, skb); 4361 break; 4362 4363 case HCI_EV_ROLE_CHANGE: 4364 hci_role_change_evt(hdev, skb); 4365 break; 4366 4367 case HCI_EV_NUM_COMP_PKTS: 4368 hci_num_comp_pkts_evt(hdev, skb); 4369 break; 4370 4371 case HCI_EV_MODE_CHANGE: 4372 hci_mode_change_evt(hdev, skb); 4373 break; 4374 4375 case HCI_EV_PIN_CODE_REQ: 4376 hci_pin_code_request_evt(hdev, skb); 4377 break; 4378 4379 case HCI_EV_LINK_KEY_REQ: 4380 hci_link_key_request_evt(hdev, skb); 4381 break; 4382 4383 case HCI_EV_LINK_KEY_NOTIFY: 4384 hci_link_key_notify_evt(hdev, skb); 4385 break; 4386 4387 case HCI_EV_CLOCK_OFFSET: 4388 hci_clock_offset_evt(hdev, skb); 4389 break; 4390 4391 case HCI_EV_PKT_TYPE_CHANGE: 4392 hci_pkt_type_change_evt(hdev, skb); 4393 break; 4394 4395 case HCI_EV_PSCAN_REP_MODE: 4396 hci_pscan_rep_mode_evt(hdev, skb); 4397 break; 4398 4399 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 4400 hci_inquiry_result_with_rssi_evt(hdev, skb); 4401 break; 4402 4403 case HCI_EV_REMOTE_EXT_FEATURES: 4404 hci_remote_ext_features_evt(hdev, skb); 4405 break; 4406 4407 case HCI_EV_SYNC_CONN_COMPLETE: 4408 hci_sync_conn_complete_evt(hdev, skb); 4409 break; 4410 4411 case HCI_EV_EXTENDED_INQUIRY_RESULT: 4412 hci_extended_inquiry_result_evt(hdev, skb); 4413 break; 4414 4415 case HCI_EV_KEY_REFRESH_COMPLETE: 4416 hci_key_refresh_complete_evt(hdev, skb); 4417 break; 4418 4419 case HCI_EV_IO_CAPA_REQUEST: 4420 hci_io_capa_request_evt(hdev, skb); 4421 break; 4422 4423 case HCI_EV_IO_CAPA_REPLY: 4424 hci_io_capa_reply_evt(hdev, skb); 4425 break; 4426 4427 case HCI_EV_USER_CONFIRM_REQUEST: 4428 hci_user_confirm_request_evt(hdev, skb); 4429 break; 4430 4431 case HCI_EV_USER_PASSKEY_REQUEST: 4432 hci_user_passkey_request_evt(hdev, skb); 4433 break; 4434 4435 case HCI_EV_USER_PASSKEY_NOTIFY: 4436 hci_user_passkey_notify_evt(hdev, skb); 4437 break; 4438 4439 case HCI_EV_KEYPRESS_NOTIFY: 4440 hci_keypress_notify_evt(hdev, skb); 4441 break; 4442 4443 case HCI_EV_SIMPLE_PAIR_COMPLETE: 4444 hci_simple_pair_complete_evt(hdev, skb); 4445 break; 4446 4447 case HCI_EV_REMOTE_HOST_FEATURES: 4448 hci_remote_host_features_evt(hdev, skb); 4449 break; 4450 4451 case HCI_EV_LE_META: 4452 hci_le_meta_evt(hdev, skb); 4453 break; 4454 4455 case HCI_EV_CHANNEL_SELECTED: 4456 hci_chan_selected_evt(hdev, skb); 4457 break; 4458 4459 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 4460 hci_remote_oob_data_request_evt(hdev, skb); 4461 break; 4462 4463 case HCI_EV_PHY_LINK_COMPLETE: 4464 hci_phy_link_complete_evt(hdev, skb); 4465 break; 4466 4467 case HCI_EV_LOGICAL_LINK_COMPLETE: 4468 hci_loglink_complete_evt(hdev, skb); 4469 break; 4470 4471 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 4472 hci_disconn_loglink_complete_evt(hdev, skb); 4473 break; 4474 4475 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 4476 hci_disconn_phylink_complete_evt(hdev, skb); 4477 break; 4478 4479 case HCI_EV_NUM_COMP_BLOCKS: 4480 hci_num_comp_blocks_evt(hdev, skb); 4481 break; 4482 4483 default: 4484 BT_DBG("%s event 0x%2.2x", hdev->name, event); 4485 break; 4486 } 4487 4488 kfree_skb(skb); 4489 hdev->stat.evt_rx++; 4490 } 4491