1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License version 2 as 9 published by the Free Software Foundation; 10 11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 22 SOFTWARE IS DISCLAIMED. 23 */ 24 25 /* Bluetooth HCI event handling. */ 26 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "hci_request.h" 34 #include "hci_debugfs.h" 35 #include "a2mp.h" 36 #include "amp.h" 37 #include "smp.h" 38 39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 40 "\x00\x00\x00\x00\x00\x00\x00\x00" 41 42 /* Handle HCI Event packets */ 43 44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) 45 { 46 __u8 status = *((__u8 *) skb->data); 47 48 BT_DBG("%s status 0x%2.2x", hdev->name, status); 49 50 if (status) 51 return; 52 53 clear_bit(HCI_INQUIRY, &hdev->flags); 54 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 55 wake_up_bit(&hdev->flags, HCI_INQUIRY); 56 57 hci_dev_lock(hdev); 58 /* Set discovery state to stopped if we're not doing LE active 59 * scanning. 60 */ 61 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 62 hdev->le_scan_type != LE_SCAN_ACTIVE) 63 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 64 hci_dev_unlock(hdev); 65 66 hci_conn_check_pending(hdev); 67 } 68 69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 70 { 71 __u8 status = *((__u8 *) skb->data); 72 73 BT_DBG("%s status 0x%2.2x", hdev->name, status); 74 75 if (status) 76 return; 77 78 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 79 } 80 81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb) 82 { 83 __u8 status = *((__u8 *) skb->data); 84 85 BT_DBG("%s status 0x%2.2x", hdev->name, status); 86 87 if (status) 88 return; 89 90 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 91 92 hci_conn_check_pending(hdev); 93 } 94 95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, 96 struct sk_buff *skb) 97 { 98 BT_DBG("%s", hdev->name); 99 } 100 101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb) 102 { 103 struct hci_rp_role_discovery *rp = (void *) skb->data; 104 struct hci_conn *conn; 105 106 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 107 108 if (rp->status) 109 return; 110 111 hci_dev_lock(hdev); 112 113 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 114 if (conn) 115 conn->role = rp->role; 116 117 hci_dev_unlock(hdev); 118 } 119 120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 121 { 122 struct hci_rp_read_link_policy *rp = (void *) skb->data; 123 struct hci_conn *conn; 124 125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 126 127 if (rp->status) 128 return; 129 130 hci_dev_lock(hdev); 131 132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 133 if (conn) 134 conn->link_policy = __le16_to_cpu(rp->policy); 135 136 hci_dev_unlock(hdev); 137 } 138 139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb) 140 { 141 struct hci_rp_write_link_policy *rp = (void *) skb->data; 142 struct hci_conn *conn; 143 void *sent; 144 145 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 146 147 if (rp->status) 148 return; 149 150 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 151 if (!sent) 152 return; 153 154 hci_dev_lock(hdev); 155 156 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 157 if (conn) 158 conn->link_policy = get_unaligned_le16(sent + 2); 159 160 hci_dev_unlock(hdev); 161 } 162 163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, 164 struct sk_buff *skb) 165 { 166 struct hci_rp_read_def_link_policy *rp = (void *) skb->data; 167 168 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 169 170 if (rp->status) 171 return; 172 173 hdev->link_policy = __le16_to_cpu(rp->policy); 174 } 175 176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, 177 struct sk_buff *skb) 178 { 179 __u8 status = *((__u8 *) skb->data); 180 void *sent; 181 182 BT_DBG("%s status 0x%2.2x", hdev->name, status); 183 184 if (status) 185 return; 186 187 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 188 if (!sent) 189 return; 190 191 hdev->link_policy = get_unaligned_le16(sent); 192 } 193 194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb) 195 { 196 __u8 status = *((__u8 *) skb->data); 197 198 BT_DBG("%s status 0x%2.2x", hdev->name, status); 199 200 clear_bit(HCI_RESET, &hdev->flags); 201 202 if (status) 203 return; 204 205 /* Reset all non-persistent flags */ 206 hci_dev_clear_volatile_flags(hdev); 207 208 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 209 210 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 211 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 212 213 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 214 hdev->adv_data_len = 0; 215 216 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 217 hdev->scan_rsp_data_len = 0; 218 219 hdev->le_scan_type = LE_SCAN_PASSIVE; 220 221 hdev->ssp_debug_mode = 0; 222 223 hci_bdaddr_list_clear(&hdev->le_white_list); 224 } 225 226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev, 227 struct sk_buff *skb) 228 { 229 struct hci_rp_read_stored_link_key *rp = (void *)skb->data; 230 struct hci_cp_read_stored_link_key *sent; 231 232 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 233 234 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 235 if (!sent) 236 return; 237 238 if (!rp->status && sent->read_all == 0x01) { 239 hdev->stored_max_keys = rp->max_keys; 240 hdev->stored_num_keys = rp->num_keys; 241 } 242 } 243 244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev, 245 struct sk_buff *skb) 246 { 247 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data; 248 249 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 250 251 if (rp->status) 252 return; 253 254 if (rp->num_keys <= hdev->stored_num_keys) 255 hdev->stored_num_keys -= rp->num_keys; 256 else 257 hdev->stored_num_keys = 0; 258 } 259 260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb) 261 { 262 __u8 status = *((__u8 *) skb->data); 263 void *sent; 264 265 BT_DBG("%s status 0x%2.2x", hdev->name, status); 266 267 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 268 if (!sent) 269 return; 270 271 hci_dev_lock(hdev); 272 273 if (hci_dev_test_flag(hdev, HCI_MGMT)) 274 mgmt_set_local_name_complete(hdev, sent, status); 275 else if (!status) 276 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 277 278 hci_dev_unlock(hdev); 279 } 280 281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb) 282 { 283 struct hci_rp_read_local_name *rp = (void *) skb->data; 284 285 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 286 287 if (rp->status) 288 return; 289 290 if (hci_dev_test_flag(hdev, HCI_SETUP) || 291 hci_dev_test_flag(hdev, HCI_CONFIG)) 292 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 293 } 294 295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb) 296 { 297 __u8 status = *((__u8 *) skb->data); 298 void *sent; 299 300 BT_DBG("%s status 0x%2.2x", hdev->name, status); 301 302 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 303 if (!sent) 304 return; 305 306 hci_dev_lock(hdev); 307 308 if (!status) { 309 __u8 param = *((__u8 *) sent); 310 311 if (param == AUTH_ENABLED) 312 set_bit(HCI_AUTH, &hdev->flags); 313 else 314 clear_bit(HCI_AUTH, &hdev->flags); 315 } 316 317 if (hci_dev_test_flag(hdev, HCI_MGMT)) 318 mgmt_auth_enable_complete(hdev, status); 319 320 hci_dev_unlock(hdev); 321 } 322 323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb) 324 { 325 __u8 status = *((__u8 *) skb->data); 326 __u8 param; 327 void *sent; 328 329 BT_DBG("%s status 0x%2.2x", hdev->name, status); 330 331 if (status) 332 return; 333 334 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 335 if (!sent) 336 return; 337 338 param = *((__u8 *) sent); 339 340 if (param) 341 set_bit(HCI_ENCRYPT, &hdev->flags); 342 else 343 clear_bit(HCI_ENCRYPT, &hdev->flags); 344 } 345 346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb) 347 { 348 __u8 status = *((__u8 *) skb->data); 349 __u8 param; 350 void *sent; 351 352 BT_DBG("%s status 0x%2.2x", hdev->name, status); 353 354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 355 if (!sent) 356 return; 357 358 param = *((__u8 *) sent); 359 360 hci_dev_lock(hdev); 361 362 if (status) { 363 hdev->discov_timeout = 0; 364 goto done; 365 } 366 367 if (param & SCAN_INQUIRY) 368 set_bit(HCI_ISCAN, &hdev->flags); 369 else 370 clear_bit(HCI_ISCAN, &hdev->flags); 371 372 if (param & SCAN_PAGE) 373 set_bit(HCI_PSCAN, &hdev->flags); 374 else 375 clear_bit(HCI_PSCAN, &hdev->flags); 376 377 done: 378 hci_dev_unlock(hdev); 379 } 380 381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 382 { 383 struct hci_rp_read_class_of_dev *rp = (void *) skb->data; 384 385 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 386 387 if (rp->status) 388 return; 389 390 memcpy(hdev->dev_class, rp->dev_class, 3); 391 392 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name, 393 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]); 394 } 395 396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb) 397 { 398 __u8 status = *((__u8 *) skb->data); 399 void *sent; 400 401 BT_DBG("%s status 0x%2.2x", hdev->name, status); 402 403 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 404 if (!sent) 405 return; 406 407 hci_dev_lock(hdev); 408 409 if (status == 0) 410 memcpy(hdev->dev_class, sent, 3); 411 412 if (hci_dev_test_flag(hdev, HCI_MGMT)) 413 mgmt_set_class_of_dev_complete(hdev, sent, status); 414 415 hci_dev_unlock(hdev); 416 } 417 418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 419 { 420 struct hci_rp_read_voice_setting *rp = (void *) skb->data; 421 __u16 setting; 422 423 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 424 425 if (rp->status) 426 return; 427 428 setting = __le16_to_cpu(rp->voice_setting); 429 430 if (hdev->voice_setting == setting) 431 return; 432 433 hdev->voice_setting = setting; 434 435 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 436 437 if (hdev->notify) 438 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 439 } 440 441 static void hci_cc_write_voice_setting(struct hci_dev *hdev, 442 struct sk_buff *skb) 443 { 444 __u8 status = *((__u8 *) skb->data); 445 __u16 setting; 446 void *sent; 447 448 BT_DBG("%s status 0x%2.2x", hdev->name, status); 449 450 if (status) 451 return; 452 453 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 454 if (!sent) 455 return; 456 457 setting = get_unaligned_le16(sent); 458 459 if (hdev->voice_setting == setting) 460 return; 461 462 hdev->voice_setting = setting; 463 464 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting); 465 466 if (hdev->notify) 467 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 468 } 469 470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev, 471 struct sk_buff *skb) 472 { 473 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data; 474 475 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 476 477 if (rp->status) 478 return; 479 480 hdev->num_iac = rp->num_iac; 481 482 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac); 483 } 484 485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb) 486 { 487 __u8 status = *((__u8 *) skb->data); 488 struct hci_cp_write_ssp_mode *sent; 489 490 BT_DBG("%s status 0x%2.2x", hdev->name, status); 491 492 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 493 if (!sent) 494 return; 495 496 hci_dev_lock(hdev); 497 498 if (!status) { 499 if (sent->mode) 500 hdev->features[1][0] |= LMP_HOST_SSP; 501 else 502 hdev->features[1][0] &= ~LMP_HOST_SSP; 503 } 504 505 if (hci_dev_test_flag(hdev, HCI_MGMT)) 506 mgmt_ssp_enable_complete(hdev, sent->mode, status); 507 else if (!status) { 508 if (sent->mode) 509 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 510 else 511 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 512 } 513 514 hci_dev_unlock(hdev); 515 } 516 517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb) 518 { 519 u8 status = *((u8 *) skb->data); 520 struct hci_cp_write_sc_support *sent; 521 522 BT_DBG("%s status 0x%2.2x", hdev->name, status); 523 524 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 525 if (!sent) 526 return; 527 528 hci_dev_lock(hdev); 529 530 if (!status) { 531 if (sent->support) 532 hdev->features[1][0] |= LMP_HOST_SC; 533 else 534 hdev->features[1][0] &= ~LMP_HOST_SC; 535 } 536 537 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) { 538 if (sent->support) 539 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 540 else 541 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 542 } 543 544 hci_dev_unlock(hdev); 545 } 546 547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb) 548 { 549 struct hci_rp_read_local_version *rp = (void *) skb->data; 550 551 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 552 553 if (rp->status) 554 return; 555 556 if (hci_dev_test_flag(hdev, HCI_SETUP) || 557 hci_dev_test_flag(hdev, HCI_CONFIG)) { 558 hdev->hci_ver = rp->hci_ver; 559 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 560 hdev->lmp_ver = rp->lmp_ver; 561 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 562 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 563 } 564 } 565 566 static void hci_cc_read_local_commands(struct hci_dev *hdev, 567 struct sk_buff *skb) 568 { 569 struct hci_rp_read_local_commands *rp = (void *) skb->data; 570 571 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 572 573 if (rp->status) 574 return; 575 576 if (hci_dev_test_flag(hdev, HCI_SETUP) || 577 hci_dev_test_flag(hdev, HCI_CONFIG)) 578 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 579 } 580 581 static void hci_cc_read_local_features(struct hci_dev *hdev, 582 struct sk_buff *skb) 583 { 584 struct hci_rp_read_local_features *rp = (void *) skb->data; 585 586 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 587 588 if (rp->status) 589 return; 590 591 memcpy(hdev->features, rp->features, 8); 592 593 /* Adjust default settings according to features 594 * supported by device. */ 595 596 if (hdev->features[0][0] & LMP_3SLOT) 597 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 598 599 if (hdev->features[0][0] & LMP_5SLOT) 600 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 601 602 if (hdev->features[0][1] & LMP_HV2) { 603 hdev->pkt_type |= (HCI_HV2); 604 hdev->esco_type |= (ESCO_HV2); 605 } 606 607 if (hdev->features[0][1] & LMP_HV3) { 608 hdev->pkt_type |= (HCI_HV3); 609 hdev->esco_type |= (ESCO_HV3); 610 } 611 612 if (lmp_esco_capable(hdev)) 613 hdev->esco_type |= (ESCO_EV3); 614 615 if (hdev->features[0][4] & LMP_EV4) 616 hdev->esco_type |= (ESCO_EV4); 617 618 if (hdev->features[0][4] & LMP_EV5) 619 hdev->esco_type |= (ESCO_EV5); 620 621 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 622 hdev->esco_type |= (ESCO_2EV3); 623 624 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 625 hdev->esco_type |= (ESCO_3EV3); 626 627 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 628 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 629 } 630 631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 632 struct sk_buff *skb) 633 { 634 struct hci_rp_read_local_ext_features *rp = (void *) skb->data; 635 636 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 637 638 if (rp->status) 639 return; 640 641 if (hdev->max_page < rp->max_page) 642 hdev->max_page = rp->max_page; 643 644 if (rp->page < HCI_MAX_PAGES) 645 memcpy(hdev->features[rp->page], rp->features, 8); 646 } 647 648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 649 struct sk_buff *skb) 650 { 651 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data; 652 653 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 654 655 if (rp->status) 656 return; 657 658 hdev->flow_ctl_mode = rp->mode; 659 } 660 661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 662 { 663 struct hci_rp_read_buffer_size *rp = (void *) skb->data; 664 665 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 666 667 if (rp->status) 668 return; 669 670 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 671 hdev->sco_mtu = rp->sco_mtu; 672 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 673 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 674 675 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 676 hdev->sco_mtu = 64; 677 hdev->sco_pkts = 8; 678 } 679 680 hdev->acl_cnt = hdev->acl_pkts; 681 hdev->sco_cnt = hdev->sco_pkts; 682 683 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 684 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 685 } 686 687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb) 688 { 689 struct hci_rp_read_bd_addr *rp = (void *) skb->data; 690 691 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 692 693 if (rp->status) 694 return; 695 696 if (test_bit(HCI_INIT, &hdev->flags)) 697 bacpy(&hdev->bdaddr, &rp->bdaddr); 698 699 if (hci_dev_test_flag(hdev, HCI_SETUP)) 700 bacpy(&hdev->setup_addr, &rp->bdaddr); 701 } 702 703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev, 704 struct sk_buff *skb) 705 { 706 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data; 707 708 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 709 710 if (rp->status) 711 return; 712 713 if (test_bit(HCI_INIT, &hdev->flags)) { 714 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 715 hdev->page_scan_window = __le16_to_cpu(rp->window); 716 } 717 } 718 719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev, 720 struct sk_buff *skb) 721 { 722 u8 status = *((u8 *) skb->data); 723 struct hci_cp_write_page_scan_activity *sent; 724 725 BT_DBG("%s status 0x%2.2x", hdev->name, status); 726 727 if (status) 728 return; 729 730 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 731 if (!sent) 732 return; 733 734 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 735 hdev->page_scan_window = __le16_to_cpu(sent->window); 736 } 737 738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev, 739 struct sk_buff *skb) 740 { 741 struct hci_rp_read_page_scan_type *rp = (void *) skb->data; 742 743 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 744 745 if (rp->status) 746 return; 747 748 if (test_bit(HCI_INIT, &hdev->flags)) 749 hdev->page_scan_type = rp->type; 750 } 751 752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev, 753 struct sk_buff *skb) 754 { 755 u8 status = *((u8 *) skb->data); 756 u8 *type; 757 758 BT_DBG("%s status 0x%2.2x", hdev->name, status); 759 760 if (status) 761 return; 762 763 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 764 if (type) 765 hdev->page_scan_type = *type; 766 } 767 768 static void hci_cc_read_data_block_size(struct hci_dev *hdev, 769 struct sk_buff *skb) 770 { 771 struct hci_rp_read_data_block_size *rp = (void *) skb->data; 772 773 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 774 775 if (rp->status) 776 return; 777 778 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 779 hdev->block_len = __le16_to_cpu(rp->block_len); 780 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 781 782 hdev->block_cnt = hdev->num_blocks; 783 784 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 785 hdev->block_cnt, hdev->block_len); 786 } 787 788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb) 789 { 790 struct hci_rp_read_clock *rp = (void *) skb->data; 791 struct hci_cp_read_clock *cp; 792 struct hci_conn *conn; 793 794 BT_DBG("%s", hdev->name); 795 796 if (skb->len < sizeof(*rp)) 797 return; 798 799 if (rp->status) 800 return; 801 802 hci_dev_lock(hdev); 803 804 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 805 if (!cp) 806 goto unlock; 807 808 if (cp->which == 0x00) { 809 hdev->clock = le32_to_cpu(rp->clock); 810 goto unlock; 811 } 812 813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 814 if (conn) { 815 conn->clock = le32_to_cpu(rp->clock); 816 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 817 } 818 819 unlock: 820 hci_dev_unlock(hdev); 821 } 822 823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev, 824 struct sk_buff *skb) 825 { 826 struct hci_rp_read_local_amp_info *rp = (void *) skb->data; 827 828 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 829 830 if (rp->status) 831 return; 832 833 hdev->amp_status = rp->amp_status; 834 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 835 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 836 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 837 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 838 hdev->amp_type = rp->amp_type; 839 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 840 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 841 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 842 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 843 } 844 845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, 846 struct sk_buff *skb) 847 { 848 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data; 849 850 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 851 852 if (rp->status) 853 return; 854 855 hdev->inq_tx_power = rp->tx_power; 856 } 857 858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb) 859 { 860 struct hci_rp_pin_code_reply *rp = (void *) skb->data; 861 struct hci_cp_pin_code_reply *cp; 862 struct hci_conn *conn; 863 864 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 865 866 hci_dev_lock(hdev); 867 868 if (hci_dev_test_flag(hdev, HCI_MGMT)) 869 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 870 871 if (rp->status) 872 goto unlock; 873 874 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 875 if (!cp) 876 goto unlock; 877 878 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 879 if (conn) 880 conn->pin_length = cp->pin_len; 881 882 unlock: 883 hci_dev_unlock(hdev); 884 } 885 886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb) 887 { 888 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data; 889 890 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 891 892 hci_dev_lock(hdev); 893 894 if (hci_dev_test_flag(hdev, HCI_MGMT)) 895 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 896 rp->status); 897 898 hci_dev_unlock(hdev); 899 } 900 901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev, 902 struct sk_buff *skb) 903 { 904 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data; 905 906 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 907 908 if (rp->status) 909 return; 910 911 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 912 hdev->le_pkts = rp->le_max_pkt; 913 914 hdev->le_cnt = hdev->le_pkts; 915 916 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 917 } 918 919 static void hci_cc_le_read_local_features(struct hci_dev *hdev, 920 struct sk_buff *skb) 921 { 922 struct hci_rp_le_read_local_features *rp = (void *) skb->data; 923 924 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 925 926 if (rp->status) 927 return; 928 929 memcpy(hdev->le_features, rp->features, 8); 930 } 931 932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, 933 struct sk_buff *skb) 934 { 935 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data; 936 937 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 938 939 if (rp->status) 940 return; 941 942 hdev->adv_tx_power = rp->tx_power; 943 } 944 945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb) 946 { 947 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 948 949 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 950 951 hci_dev_lock(hdev); 952 953 if (hci_dev_test_flag(hdev, HCI_MGMT)) 954 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 955 rp->status); 956 957 hci_dev_unlock(hdev); 958 } 959 960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, 961 struct sk_buff *skb) 962 { 963 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 964 965 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 966 967 hci_dev_lock(hdev); 968 969 if (hci_dev_test_flag(hdev, HCI_MGMT)) 970 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 971 ACL_LINK, 0, rp->status); 972 973 hci_dev_unlock(hdev); 974 } 975 976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb) 977 { 978 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 979 980 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 981 982 hci_dev_lock(hdev); 983 984 if (hci_dev_test_flag(hdev, HCI_MGMT)) 985 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 986 0, rp->status); 987 988 hci_dev_unlock(hdev); 989 } 990 991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, 992 struct sk_buff *skb) 993 { 994 struct hci_rp_user_confirm_reply *rp = (void *) skb->data; 995 996 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 997 998 hci_dev_lock(hdev); 999 1000 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1001 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1002 ACL_LINK, 0, rp->status); 1003 1004 hci_dev_unlock(hdev); 1005 } 1006 1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev, 1008 struct sk_buff *skb) 1009 { 1010 struct hci_rp_read_local_oob_data *rp = (void *) skb->data; 1011 1012 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1013 } 1014 1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, 1016 struct sk_buff *skb) 1017 { 1018 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data; 1019 1020 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1021 } 1022 1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb) 1024 { 1025 __u8 status = *((__u8 *) skb->data); 1026 bdaddr_t *sent; 1027 1028 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1029 1030 if (status) 1031 return; 1032 1033 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1034 if (!sent) 1035 return; 1036 1037 hci_dev_lock(hdev); 1038 1039 bacpy(&hdev->random_addr, sent); 1040 1041 hci_dev_unlock(hdev); 1042 } 1043 1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb) 1045 { 1046 __u8 *sent, status = *((__u8 *) skb->data); 1047 1048 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1049 1050 if (status) 1051 return; 1052 1053 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1054 if (!sent) 1055 return; 1056 1057 hci_dev_lock(hdev); 1058 1059 /* If we're doing connection initiation as peripheral. Set a 1060 * timeout in case something goes wrong. 1061 */ 1062 if (*sent) { 1063 struct hci_conn *conn; 1064 1065 hci_dev_set_flag(hdev, HCI_LE_ADV); 1066 1067 conn = hci_lookup_le_connect(hdev); 1068 if (conn) 1069 queue_delayed_work(hdev->workqueue, 1070 &conn->le_conn_timeout, 1071 conn->conn_timeout); 1072 } else { 1073 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1074 } 1075 1076 hci_dev_unlock(hdev); 1077 } 1078 1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb) 1080 { 1081 struct hci_cp_le_set_scan_param *cp; 1082 __u8 status = *((__u8 *) skb->data); 1083 1084 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1085 1086 if (status) 1087 return; 1088 1089 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1090 if (!cp) 1091 return; 1092 1093 hci_dev_lock(hdev); 1094 1095 hdev->le_scan_type = cp->type; 1096 1097 hci_dev_unlock(hdev); 1098 } 1099 1100 static bool has_pending_adv_report(struct hci_dev *hdev) 1101 { 1102 struct discovery_state *d = &hdev->discovery; 1103 1104 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1105 } 1106 1107 static void clear_pending_adv_report(struct hci_dev *hdev) 1108 { 1109 struct discovery_state *d = &hdev->discovery; 1110 1111 bacpy(&d->last_adv_addr, BDADDR_ANY); 1112 d->last_adv_data_len = 0; 1113 } 1114 1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1116 u8 bdaddr_type, s8 rssi, u32 flags, 1117 u8 *data, u8 len) 1118 { 1119 struct discovery_state *d = &hdev->discovery; 1120 1121 bacpy(&d->last_adv_addr, bdaddr); 1122 d->last_adv_addr_type = bdaddr_type; 1123 d->last_adv_rssi = rssi; 1124 d->last_adv_flags = flags; 1125 memcpy(d->last_adv_data, data, len); 1126 d->last_adv_data_len = len; 1127 } 1128 1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev, 1130 struct sk_buff *skb) 1131 { 1132 struct hci_cp_le_set_scan_enable *cp; 1133 __u8 status = *((__u8 *) skb->data); 1134 1135 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1136 1137 if (status) 1138 return; 1139 1140 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1141 if (!cp) 1142 return; 1143 1144 hci_dev_lock(hdev); 1145 1146 switch (cp->enable) { 1147 case LE_SCAN_ENABLE: 1148 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1149 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1150 clear_pending_adv_report(hdev); 1151 break; 1152 1153 case LE_SCAN_DISABLE: 1154 /* We do this here instead of when setting DISCOVERY_STOPPED 1155 * since the latter would potentially require waiting for 1156 * inquiry to stop too. 1157 */ 1158 if (has_pending_adv_report(hdev)) { 1159 struct discovery_state *d = &hdev->discovery; 1160 1161 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1162 d->last_adv_addr_type, NULL, 1163 d->last_adv_rssi, d->last_adv_flags, 1164 d->last_adv_data, 1165 d->last_adv_data_len, NULL, 0); 1166 } 1167 1168 /* Cancel this timer so that we don't try to disable scanning 1169 * when it's already disabled. 1170 */ 1171 cancel_delayed_work(&hdev->le_scan_disable); 1172 1173 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1174 1175 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1176 * interrupted scanning due to a connect request. Mark 1177 * therefore discovery as stopped. If this was not 1178 * because of a connect request advertising might have 1179 * been disabled because of active scanning, so 1180 * re-enable it again if necessary. 1181 */ 1182 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1183 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1184 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1185 hdev->discovery.state == DISCOVERY_FINDING) 1186 mgmt_reenable_advertising(hdev); 1187 1188 break; 1189 1190 default: 1191 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable); 1192 break; 1193 } 1194 1195 hci_dev_unlock(hdev); 1196 } 1197 1198 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev, 1199 struct sk_buff *skb) 1200 { 1201 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data; 1202 1203 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size); 1204 1205 if (rp->status) 1206 return; 1207 1208 hdev->le_white_list_size = rp->size; 1209 } 1210 1211 static void hci_cc_le_clear_white_list(struct hci_dev *hdev, 1212 struct sk_buff *skb) 1213 { 1214 __u8 status = *((__u8 *) skb->data); 1215 1216 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1217 1218 if (status) 1219 return; 1220 1221 hci_bdaddr_list_clear(&hdev->le_white_list); 1222 } 1223 1224 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev, 1225 struct sk_buff *skb) 1226 { 1227 struct hci_cp_le_add_to_white_list *sent; 1228 __u8 status = *((__u8 *) skb->data); 1229 1230 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1231 1232 if (status) 1233 return; 1234 1235 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST); 1236 if (!sent) 1237 return; 1238 1239 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr, 1240 sent->bdaddr_type); 1241 } 1242 1243 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev, 1244 struct sk_buff *skb) 1245 { 1246 struct hci_cp_le_del_from_white_list *sent; 1247 __u8 status = *((__u8 *) skb->data); 1248 1249 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1250 1251 if (status) 1252 return; 1253 1254 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST); 1255 if (!sent) 1256 return; 1257 1258 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr, 1259 sent->bdaddr_type); 1260 } 1261 1262 static void hci_cc_le_read_supported_states(struct hci_dev *hdev, 1263 struct sk_buff *skb) 1264 { 1265 struct hci_rp_le_read_supported_states *rp = (void *) skb->data; 1266 1267 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1268 1269 if (rp->status) 1270 return; 1271 1272 memcpy(hdev->le_states, rp->le_states, 8); 1273 } 1274 1275 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev, 1276 struct sk_buff *skb) 1277 { 1278 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data; 1279 1280 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1281 1282 if (rp->status) 1283 return; 1284 1285 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1286 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1287 } 1288 1289 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev, 1290 struct sk_buff *skb) 1291 { 1292 struct hci_cp_le_write_def_data_len *sent; 1293 __u8 status = *((__u8 *) skb->data); 1294 1295 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1296 1297 if (status) 1298 return; 1299 1300 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1301 if (!sent) 1302 return; 1303 1304 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1305 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1306 } 1307 1308 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev, 1309 struct sk_buff *skb) 1310 { 1311 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data; 1312 1313 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1314 1315 if (rp->status) 1316 return; 1317 1318 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 1319 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 1320 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 1321 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 1322 } 1323 1324 static void hci_cc_write_le_host_supported(struct hci_dev *hdev, 1325 struct sk_buff *skb) 1326 { 1327 struct hci_cp_write_le_host_supported *sent; 1328 __u8 status = *((__u8 *) skb->data); 1329 1330 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1331 1332 if (status) 1333 return; 1334 1335 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 1336 if (!sent) 1337 return; 1338 1339 hci_dev_lock(hdev); 1340 1341 if (sent->le) { 1342 hdev->features[1][0] |= LMP_HOST_LE; 1343 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 1344 } else { 1345 hdev->features[1][0] &= ~LMP_HOST_LE; 1346 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 1347 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 1348 } 1349 1350 if (sent->simul) 1351 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 1352 else 1353 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 1354 1355 hci_dev_unlock(hdev); 1356 } 1357 1358 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb) 1359 { 1360 struct hci_cp_le_set_adv_param *cp; 1361 u8 status = *((u8 *) skb->data); 1362 1363 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1364 1365 if (status) 1366 return; 1367 1368 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 1369 if (!cp) 1370 return; 1371 1372 hci_dev_lock(hdev); 1373 hdev->adv_addr_type = cp->own_address_type; 1374 hci_dev_unlock(hdev); 1375 } 1376 1377 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb) 1378 { 1379 struct hci_rp_read_rssi *rp = (void *) skb->data; 1380 struct hci_conn *conn; 1381 1382 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1383 1384 if (rp->status) 1385 return; 1386 1387 hci_dev_lock(hdev); 1388 1389 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1390 if (conn) 1391 conn->rssi = rp->rssi; 1392 1393 hci_dev_unlock(hdev); 1394 } 1395 1396 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb) 1397 { 1398 struct hci_cp_read_tx_power *sent; 1399 struct hci_rp_read_tx_power *rp = (void *) skb->data; 1400 struct hci_conn *conn; 1401 1402 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1403 1404 if (rp->status) 1405 return; 1406 1407 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 1408 if (!sent) 1409 return; 1410 1411 hci_dev_lock(hdev); 1412 1413 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1414 if (!conn) 1415 goto unlock; 1416 1417 switch (sent->type) { 1418 case 0x00: 1419 conn->tx_power = rp->tx_power; 1420 break; 1421 case 0x01: 1422 conn->max_tx_power = rp->tx_power; 1423 break; 1424 } 1425 1426 unlock: 1427 hci_dev_unlock(hdev); 1428 } 1429 1430 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb) 1431 { 1432 u8 status = *((u8 *) skb->data); 1433 u8 *mode; 1434 1435 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1436 1437 if (status) 1438 return; 1439 1440 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 1441 if (mode) 1442 hdev->ssp_debug_mode = *mode; 1443 } 1444 1445 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 1446 { 1447 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1448 1449 if (status) { 1450 hci_conn_check_pending(hdev); 1451 return; 1452 } 1453 1454 set_bit(HCI_INQUIRY, &hdev->flags); 1455 } 1456 1457 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 1458 { 1459 struct hci_cp_create_conn *cp; 1460 struct hci_conn *conn; 1461 1462 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1463 1464 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 1465 if (!cp) 1466 return; 1467 1468 hci_dev_lock(hdev); 1469 1470 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1471 1472 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn); 1473 1474 if (status) { 1475 if (conn && conn->state == BT_CONNECT) { 1476 if (status != 0x0c || conn->attempt > 2) { 1477 conn->state = BT_CLOSED; 1478 hci_connect_cfm(conn, status); 1479 hci_conn_del(conn); 1480 } else 1481 conn->state = BT_CONNECT2; 1482 } 1483 } else { 1484 if (!conn) { 1485 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 1486 HCI_ROLE_MASTER); 1487 if (!conn) 1488 BT_ERR("No memory for new connection"); 1489 } 1490 } 1491 1492 hci_dev_unlock(hdev); 1493 } 1494 1495 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 1496 { 1497 struct hci_cp_add_sco *cp; 1498 struct hci_conn *acl, *sco; 1499 __u16 handle; 1500 1501 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1502 1503 if (!status) 1504 return; 1505 1506 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 1507 if (!cp) 1508 return; 1509 1510 handle = __le16_to_cpu(cp->handle); 1511 1512 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1513 1514 hci_dev_lock(hdev); 1515 1516 acl = hci_conn_hash_lookup_handle(hdev, handle); 1517 if (acl) { 1518 sco = acl->link; 1519 if (sco) { 1520 sco->state = BT_CLOSED; 1521 1522 hci_connect_cfm(sco, status); 1523 hci_conn_del(sco); 1524 } 1525 } 1526 1527 hci_dev_unlock(hdev); 1528 } 1529 1530 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 1531 { 1532 struct hci_cp_auth_requested *cp; 1533 struct hci_conn *conn; 1534 1535 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1536 1537 if (!status) 1538 return; 1539 1540 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 1541 if (!cp) 1542 return; 1543 1544 hci_dev_lock(hdev); 1545 1546 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1547 if (conn) { 1548 if (conn->state == BT_CONFIG) { 1549 hci_connect_cfm(conn, status); 1550 hci_conn_drop(conn); 1551 } 1552 } 1553 1554 hci_dev_unlock(hdev); 1555 } 1556 1557 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 1558 { 1559 struct hci_cp_set_conn_encrypt *cp; 1560 struct hci_conn *conn; 1561 1562 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1563 1564 if (!status) 1565 return; 1566 1567 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 1568 if (!cp) 1569 return; 1570 1571 hci_dev_lock(hdev); 1572 1573 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1574 if (conn) { 1575 if (conn->state == BT_CONFIG) { 1576 hci_connect_cfm(conn, status); 1577 hci_conn_drop(conn); 1578 } 1579 } 1580 1581 hci_dev_unlock(hdev); 1582 } 1583 1584 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 1585 struct hci_conn *conn) 1586 { 1587 if (conn->state != BT_CONFIG || !conn->out) 1588 return 0; 1589 1590 if (conn->pending_sec_level == BT_SECURITY_SDP) 1591 return 0; 1592 1593 /* Only request authentication for SSP connections or non-SSP 1594 * devices with sec_level MEDIUM or HIGH or if MITM protection 1595 * is requested. 1596 */ 1597 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 1598 conn->pending_sec_level != BT_SECURITY_FIPS && 1599 conn->pending_sec_level != BT_SECURITY_HIGH && 1600 conn->pending_sec_level != BT_SECURITY_MEDIUM) 1601 return 0; 1602 1603 return 1; 1604 } 1605 1606 static int hci_resolve_name(struct hci_dev *hdev, 1607 struct inquiry_entry *e) 1608 { 1609 struct hci_cp_remote_name_req cp; 1610 1611 memset(&cp, 0, sizeof(cp)); 1612 1613 bacpy(&cp.bdaddr, &e->data.bdaddr); 1614 cp.pscan_rep_mode = e->data.pscan_rep_mode; 1615 cp.pscan_mode = e->data.pscan_mode; 1616 cp.clock_offset = e->data.clock_offset; 1617 1618 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 1619 } 1620 1621 static bool hci_resolve_next_name(struct hci_dev *hdev) 1622 { 1623 struct discovery_state *discov = &hdev->discovery; 1624 struct inquiry_entry *e; 1625 1626 if (list_empty(&discov->resolve)) 1627 return false; 1628 1629 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 1630 if (!e) 1631 return false; 1632 1633 if (hci_resolve_name(hdev, e) == 0) { 1634 e->name_state = NAME_PENDING; 1635 return true; 1636 } 1637 1638 return false; 1639 } 1640 1641 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 1642 bdaddr_t *bdaddr, u8 *name, u8 name_len) 1643 { 1644 struct discovery_state *discov = &hdev->discovery; 1645 struct inquiry_entry *e; 1646 1647 /* Update the mgmt connected state if necessary. Be careful with 1648 * conn objects that exist but are not (yet) connected however. 1649 * Only those in BT_CONFIG or BT_CONNECTED states can be 1650 * considered connected. 1651 */ 1652 if (conn && 1653 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 1654 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 1655 mgmt_device_connected(hdev, conn, 0, name, name_len); 1656 1657 if (discov->state == DISCOVERY_STOPPED) 1658 return; 1659 1660 if (discov->state == DISCOVERY_STOPPING) 1661 goto discov_complete; 1662 1663 if (discov->state != DISCOVERY_RESOLVING) 1664 return; 1665 1666 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 1667 /* If the device was not found in a list of found devices names of which 1668 * are pending. there is no need to continue resolving a next name as it 1669 * will be done upon receiving another Remote Name Request Complete 1670 * Event */ 1671 if (!e) 1672 return; 1673 1674 list_del(&e->list); 1675 if (name) { 1676 e->name_state = NAME_KNOWN; 1677 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, 1678 e->data.rssi, name, name_len); 1679 } else { 1680 e->name_state = NAME_NOT_KNOWN; 1681 } 1682 1683 if (hci_resolve_next_name(hdev)) 1684 return; 1685 1686 discov_complete: 1687 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1688 } 1689 1690 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 1691 { 1692 struct hci_cp_remote_name_req *cp; 1693 struct hci_conn *conn; 1694 1695 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1696 1697 /* If successful wait for the name req complete event before 1698 * checking for the need to do authentication */ 1699 if (!status) 1700 return; 1701 1702 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 1703 if (!cp) 1704 return; 1705 1706 hci_dev_lock(hdev); 1707 1708 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1709 1710 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1711 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 1712 1713 if (!conn) 1714 goto unlock; 1715 1716 if (!hci_outgoing_auth_needed(hdev, conn)) 1717 goto unlock; 1718 1719 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 1720 struct hci_cp_auth_requested auth_cp; 1721 1722 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 1723 1724 auth_cp.handle = __cpu_to_le16(conn->handle); 1725 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 1726 sizeof(auth_cp), &auth_cp); 1727 } 1728 1729 unlock: 1730 hci_dev_unlock(hdev); 1731 } 1732 1733 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 1734 { 1735 struct hci_cp_read_remote_features *cp; 1736 struct hci_conn *conn; 1737 1738 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1739 1740 if (!status) 1741 return; 1742 1743 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 1744 if (!cp) 1745 return; 1746 1747 hci_dev_lock(hdev); 1748 1749 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1750 if (conn) { 1751 if (conn->state == BT_CONFIG) { 1752 hci_connect_cfm(conn, status); 1753 hci_conn_drop(conn); 1754 } 1755 } 1756 1757 hci_dev_unlock(hdev); 1758 } 1759 1760 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 1761 { 1762 struct hci_cp_read_remote_ext_features *cp; 1763 struct hci_conn *conn; 1764 1765 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1766 1767 if (!status) 1768 return; 1769 1770 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 1771 if (!cp) 1772 return; 1773 1774 hci_dev_lock(hdev); 1775 1776 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1777 if (conn) { 1778 if (conn->state == BT_CONFIG) { 1779 hci_connect_cfm(conn, status); 1780 hci_conn_drop(conn); 1781 } 1782 } 1783 1784 hci_dev_unlock(hdev); 1785 } 1786 1787 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 1788 { 1789 struct hci_cp_setup_sync_conn *cp; 1790 struct hci_conn *acl, *sco; 1791 __u16 handle; 1792 1793 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1794 1795 if (!status) 1796 return; 1797 1798 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 1799 if (!cp) 1800 return; 1801 1802 handle = __le16_to_cpu(cp->handle); 1803 1804 BT_DBG("%s handle 0x%4.4x", hdev->name, handle); 1805 1806 hci_dev_lock(hdev); 1807 1808 acl = hci_conn_hash_lookup_handle(hdev, handle); 1809 if (acl) { 1810 sco = acl->link; 1811 if (sco) { 1812 sco->state = BT_CLOSED; 1813 1814 hci_connect_cfm(sco, status); 1815 hci_conn_del(sco); 1816 } 1817 } 1818 1819 hci_dev_unlock(hdev); 1820 } 1821 1822 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 1823 { 1824 struct hci_cp_sniff_mode *cp; 1825 struct hci_conn *conn; 1826 1827 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1828 1829 if (!status) 1830 return; 1831 1832 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 1833 if (!cp) 1834 return; 1835 1836 hci_dev_lock(hdev); 1837 1838 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1839 if (conn) { 1840 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1841 1842 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1843 hci_sco_setup(conn, status); 1844 } 1845 1846 hci_dev_unlock(hdev); 1847 } 1848 1849 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 1850 { 1851 struct hci_cp_exit_sniff_mode *cp; 1852 struct hci_conn *conn; 1853 1854 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1855 1856 if (!status) 1857 return; 1858 1859 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 1860 if (!cp) 1861 return; 1862 1863 hci_dev_lock(hdev); 1864 1865 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1866 if (conn) { 1867 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 1868 1869 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 1870 hci_sco_setup(conn, status); 1871 } 1872 1873 hci_dev_unlock(hdev); 1874 } 1875 1876 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 1877 { 1878 struct hci_cp_disconnect *cp; 1879 struct hci_conn *conn; 1880 1881 if (!status) 1882 return; 1883 1884 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 1885 if (!cp) 1886 return; 1887 1888 hci_dev_lock(hdev); 1889 1890 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1891 if (conn) 1892 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 1893 conn->dst_type, status); 1894 1895 hci_dev_unlock(hdev); 1896 } 1897 1898 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 1899 { 1900 struct hci_cp_le_create_conn *cp; 1901 struct hci_conn *conn; 1902 1903 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1904 1905 /* All connection failure handling is taken care of by the 1906 * hci_le_conn_failed function which is triggered by the HCI 1907 * request completion callbacks used for connecting. 1908 */ 1909 if (status) 1910 return; 1911 1912 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 1913 if (!cp) 1914 return; 1915 1916 hci_dev_lock(hdev); 1917 1918 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr); 1919 if (!conn) 1920 goto unlock; 1921 1922 /* Store the initiator and responder address information which 1923 * is needed for SMP. These values will not change during the 1924 * lifetime of the connection. 1925 */ 1926 conn->init_addr_type = cp->own_address_type; 1927 if (cp->own_address_type == ADDR_LE_DEV_RANDOM) 1928 bacpy(&conn->init_addr, &hdev->random_addr); 1929 else 1930 bacpy(&conn->init_addr, &hdev->bdaddr); 1931 1932 conn->resp_addr_type = cp->peer_addr_type; 1933 bacpy(&conn->resp_addr, &cp->peer_addr); 1934 1935 /* We don't want the connection attempt to stick around 1936 * indefinitely since LE doesn't have a page timeout concept 1937 * like BR/EDR. Set a timer for any connection that doesn't use 1938 * the white list for connecting. 1939 */ 1940 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR) 1941 queue_delayed_work(conn->hdev->workqueue, 1942 &conn->le_conn_timeout, 1943 conn->conn_timeout); 1944 1945 unlock: 1946 hci_dev_unlock(hdev); 1947 } 1948 1949 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 1950 { 1951 struct hci_cp_le_read_remote_features *cp; 1952 struct hci_conn *conn; 1953 1954 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1955 1956 if (!status) 1957 return; 1958 1959 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 1960 if (!cp) 1961 return; 1962 1963 hci_dev_lock(hdev); 1964 1965 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1966 if (conn) { 1967 if (conn->state == BT_CONFIG) { 1968 hci_connect_cfm(conn, status); 1969 hci_conn_drop(conn); 1970 } 1971 } 1972 1973 hci_dev_unlock(hdev); 1974 } 1975 1976 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 1977 { 1978 struct hci_cp_le_start_enc *cp; 1979 struct hci_conn *conn; 1980 1981 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1982 1983 if (!status) 1984 return; 1985 1986 hci_dev_lock(hdev); 1987 1988 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 1989 if (!cp) 1990 goto unlock; 1991 1992 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 1993 if (!conn) 1994 goto unlock; 1995 1996 if (conn->state != BT_CONNECTED) 1997 goto unlock; 1998 1999 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2000 hci_conn_drop(conn); 2001 2002 unlock: 2003 hci_dev_unlock(hdev); 2004 } 2005 2006 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2007 { 2008 struct hci_cp_switch_role *cp; 2009 struct hci_conn *conn; 2010 2011 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2012 2013 if (!status) 2014 return; 2015 2016 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 2017 if (!cp) 2018 return; 2019 2020 hci_dev_lock(hdev); 2021 2022 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2023 if (conn) 2024 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 2025 2026 hci_dev_unlock(hdev); 2027 } 2028 2029 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2030 { 2031 __u8 status = *((__u8 *) skb->data); 2032 struct discovery_state *discov = &hdev->discovery; 2033 struct inquiry_entry *e; 2034 2035 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2036 2037 hci_conn_check_pending(hdev); 2038 2039 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 2040 return; 2041 2042 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 2043 wake_up_bit(&hdev->flags, HCI_INQUIRY); 2044 2045 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2046 return; 2047 2048 hci_dev_lock(hdev); 2049 2050 if (discov->state != DISCOVERY_FINDING) 2051 goto unlock; 2052 2053 if (list_empty(&discov->resolve)) { 2054 /* When BR/EDR inquiry is active and no LE scanning is in 2055 * progress, then change discovery state to indicate completion. 2056 * 2057 * When running LE scanning and BR/EDR inquiry simultaneously 2058 * and the LE scan already finished, then change the discovery 2059 * state to indicate completion. 2060 */ 2061 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2062 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2063 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2064 goto unlock; 2065 } 2066 2067 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2068 if (e && hci_resolve_name(hdev, e) == 0) { 2069 e->name_state = NAME_PENDING; 2070 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 2071 } else { 2072 /* When BR/EDR inquiry is active and no LE scanning is in 2073 * progress, then change discovery state to indicate completion. 2074 * 2075 * When running LE scanning and BR/EDR inquiry simultaneously 2076 * and the LE scan already finished, then change the discovery 2077 * state to indicate completion. 2078 */ 2079 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 2080 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 2081 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2082 } 2083 2084 unlock: 2085 hci_dev_unlock(hdev); 2086 } 2087 2088 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb) 2089 { 2090 struct inquiry_data data; 2091 struct inquiry_info *info = (void *) (skb->data + 1); 2092 int num_rsp = *((__u8 *) skb->data); 2093 2094 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 2095 2096 if (!num_rsp) 2097 return; 2098 2099 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 2100 return; 2101 2102 hci_dev_lock(hdev); 2103 2104 for (; num_rsp; num_rsp--, info++) { 2105 u32 flags; 2106 2107 bacpy(&data.bdaddr, &info->bdaddr); 2108 data.pscan_rep_mode = info->pscan_rep_mode; 2109 data.pscan_period_mode = info->pscan_period_mode; 2110 data.pscan_mode = info->pscan_mode; 2111 memcpy(data.dev_class, info->dev_class, 3); 2112 data.clock_offset = info->clock_offset; 2113 data.rssi = HCI_RSSI_INVALID; 2114 data.ssp_mode = 0x00; 2115 2116 flags = hci_inquiry_cache_update(hdev, &data, false); 2117 2118 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 2119 info->dev_class, HCI_RSSI_INVALID, 2120 flags, NULL, 0, NULL, 0); 2121 } 2122 2123 hci_dev_unlock(hdev); 2124 } 2125 2126 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2127 { 2128 struct hci_ev_conn_complete *ev = (void *) skb->data; 2129 struct hci_conn *conn; 2130 2131 BT_DBG("%s", hdev->name); 2132 2133 hci_dev_lock(hdev); 2134 2135 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 2136 if (!conn) { 2137 if (ev->link_type != SCO_LINK) 2138 goto unlock; 2139 2140 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 2141 if (!conn) 2142 goto unlock; 2143 2144 conn->type = SCO_LINK; 2145 } 2146 2147 if (!ev->status) { 2148 conn->handle = __le16_to_cpu(ev->handle); 2149 2150 if (conn->type == ACL_LINK) { 2151 conn->state = BT_CONFIG; 2152 hci_conn_hold(conn); 2153 2154 if (!conn->out && !hci_conn_ssp_enabled(conn) && 2155 !hci_find_link_key(hdev, &ev->bdaddr)) 2156 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2157 else 2158 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2159 } else 2160 conn->state = BT_CONNECTED; 2161 2162 hci_debugfs_create_conn(conn); 2163 hci_conn_add_sysfs(conn); 2164 2165 if (test_bit(HCI_AUTH, &hdev->flags)) 2166 set_bit(HCI_CONN_AUTH, &conn->flags); 2167 2168 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 2169 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2170 2171 /* Get remote features */ 2172 if (conn->type == ACL_LINK) { 2173 struct hci_cp_read_remote_features cp; 2174 cp.handle = ev->handle; 2175 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 2176 sizeof(cp), &cp); 2177 2178 hci_update_page_scan(hdev); 2179 } 2180 2181 /* Set packet type for incoming connection */ 2182 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 2183 struct hci_cp_change_conn_ptype cp; 2184 cp.handle = ev->handle; 2185 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2186 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 2187 &cp); 2188 } 2189 } else { 2190 conn->state = BT_CLOSED; 2191 if (conn->type == ACL_LINK) 2192 mgmt_connect_failed(hdev, &conn->dst, conn->type, 2193 conn->dst_type, ev->status); 2194 } 2195 2196 if (conn->type == ACL_LINK) 2197 hci_sco_setup(conn, ev->status); 2198 2199 if (ev->status) { 2200 hci_connect_cfm(conn, ev->status); 2201 hci_conn_del(conn); 2202 } else if (ev->link_type != ACL_LINK) 2203 hci_connect_cfm(conn, ev->status); 2204 2205 unlock: 2206 hci_dev_unlock(hdev); 2207 2208 hci_conn_check_pending(hdev); 2209 } 2210 2211 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 2212 { 2213 struct hci_cp_reject_conn_req cp; 2214 2215 bacpy(&cp.bdaddr, bdaddr); 2216 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 2217 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 2218 } 2219 2220 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 2221 { 2222 struct hci_ev_conn_request *ev = (void *) skb->data; 2223 int mask = hdev->link_mode; 2224 struct inquiry_entry *ie; 2225 struct hci_conn *conn; 2226 __u8 flags = 0; 2227 2228 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr, 2229 ev->link_type); 2230 2231 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 2232 &flags); 2233 2234 if (!(mask & HCI_LM_ACCEPT)) { 2235 hci_reject_conn(hdev, &ev->bdaddr); 2236 return; 2237 } 2238 2239 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr, 2240 BDADDR_BREDR)) { 2241 hci_reject_conn(hdev, &ev->bdaddr); 2242 return; 2243 } 2244 2245 /* Require HCI_CONNECTABLE or a whitelist entry to accept the 2246 * connection. These features are only touched through mgmt so 2247 * only do the checks if HCI_MGMT is set. 2248 */ 2249 if (hci_dev_test_flag(hdev, HCI_MGMT) && 2250 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 2251 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr, 2252 BDADDR_BREDR)) { 2253 hci_reject_conn(hdev, &ev->bdaddr); 2254 return; 2255 } 2256 2257 /* Connection accepted */ 2258 2259 hci_dev_lock(hdev); 2260 2261 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 2262 if (ie) 2263 memcpy(ie->data.dev_class, ev->dev_class, 3); 2264 2265 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 2266 &ev->bdaddr); 2267 if (!conn) { 2268 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 2269 HCI_ROLE_SLAVE); 2270 if (!conn) { 2271 BT_ERR("No memory for new connection"); 2272 hci_dev_unlock(hdev); 2273 return; 2274 } 2275 } 2276 2277 memcpy(conn->dev_class, ev->dev_class, 3); 2278 2279 hci_dev_unlock(hdev); 2280 2281 if (ev->link_type == ACL_LINK || 2282 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 2283 struct hci_cp_accept_conn_req cp; 2284 conn->state = BT_CONNECT; 2285 2286 bacpy(&cp.bdaddr, &ev->bdaddr); 2287 2288 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 2289 cp.role = 0x00; /* Become master */ 2290 else 2291 cp.role = 0x01; /* Remain slave */ 2292 2293 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 2294 } else if (!(flags & HCI_PROTO_DEFER)) { 2295 struct hci_cp_accept_sync_conn_req cp; 2296 conn->state = BT_CONNECT; 2297 2298 bacpy(&cp.bdaddr, &ev->bdaddr); 2299 cp.pkt_type = cpu_to_le16(conn->pkt_type); 2300 2301 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 2302 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 2303 cp.max_latency = cpu_to_le16(0xffff); 2304 cp.content_format = cpu_to_le16(hdev->voice_setting); 2305 cp.retrans_effort = 0xff; 2306 2307 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 2308 &cp); 2309 } else { 2310 conn->state = BT_CONNECT2; 2311 hci_connect_cfm(conn, 0); 2312 } 2313 } 2314 2315 static u8 hci_to_mgmt_reason(u8 err) 2316 { 2317 switch (err) { 2318 case HCI_ERROR_CONNECTION_TIMEOUT: 2319 return MGMT_DEV_DISCONN_TIMEOUT; 2320 case HCI_ERROR_REMOTE_USER_TERM: 2321 case HCI_ERROR_REMOTE_LOW_RESOURCES: 2322 case HCI_ERROR_REMOTE_POWER_OFF: 2323 return MGMT_DEV_DISCONN_REMOTE; 2324 case HCI_ERROR_LOCAL_HOST_TERM: 2325 return MGMT_DEV_DISCONN_LOCAL_HOST; 2326 default: 2327 return MGMT_DEV_DISCONN_UNKNOWN; 2328 } 2329 } 2330 2331 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2332 { 2333 struct hci_ev_disconn_complete *ev = (void *) skb->data; 2334 u8 reason = hci_to_mgmt_reason(ev->reason); 2335 struct hci_conn_params *params; 2336 struct hci_conn *conn; 2337 bool mgmt_connected; 2338 u8 type; 2339 2340 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2341 2342 hci_dev_lock(hdev); 2343 2344 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2345 if (!conn) 2346 goto unlock; 2347 2348 if (ev->status) { 2349 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2350 conn->dst_type, ev->status); 2351 goto unlock; 2352 } 2353 2354 conn->state = BT_CLOSED; 2355 2356 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2357 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2358 reason, mgmt_connected); 2359 2360 if (conn->type == ACL_LINK) { 2361 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2362 hci_remove_link_key(hdev, &conn->dst); 2363 2364 hci_update_page_scan(hdev); 2365 } 2366 2367 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2368 if (params) { 2369 switch (params->auto_connect) { 2370 case HCI_AUTO_CONN_LINK_LOSS: 2371 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2372 break; 2373 /* Fall through */ 2374 2375 case HCI_AUTO_CONN_DIRECT: 2376 case HCI_AUTO_CONN_ALWAYS: 2377 list_del_init(¶ms->action); 2378 list_add(¶ms->action, &hdev->pend_le_conns); 2379 hci_update_background_scan(hdev); 2380 break; 2381 2382 default: 2383 break; 2384 } 2385 } 2386 2387 type = conn->type; 2388 2389 hci_disconn_cfm(conn, ev->reason); 2390 hci_conn_del(conn); 2391 2392 /* Re-enable advertising if necessary, since it might 2393 * have been disabled by the connection. From the 2394 * HCI_LE_Set_Advertise_Enable command description in 2395 * the core specification (v4.0): 2396 * "The Controller shall continue advertising until the Host 2397 * issues an LE_Set_Advertise_Enable command with 2398 * Advertising_Enable set to 0x00 (Advertising is disabled) 2399 * or until a connection is created or until the Advertising 2400 * is timed out due to Directed Advertising." 2401 */ 2402 if (type == LE_LINK) 2403 mgmt_reenable_advertising(hdev); 2404 2405 unlock: 2406 hci_dev_unlock(hdev); 2407 } 2408 2409 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 2410 { 2411 struct hci_ev_auth_complete *ev = (void *) skb->data; 2412 struct hci_conn *conn; 2413 2414 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2415 2416 hci_dev_lock(hdev); 2417 2418 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2419 if (!conn) 2420 goto unlock; 2421 2422 if (!ev->status) { 2423 if (!hci_conn_ssp_enabled(conn) && 2424 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 2425 BT_INFO("re-auth of legacy device is not possible."); 2426 } else { 2427 set_bit(HCI_CONN_AUTH, &conn->flags); 2428 conn->sec_level = conn->pending_sec_level; 2429 } 2430 } else { 2431 mgmt_auth_failed(conn, ev->status); 2432 } 2433 2434 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2435 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 2436 2437 if (conn->state == BT_CONFIG) { 2438 if (!ev->status && hci_conn_ssp_enabled(conn)) { 2439 struct hci_cp_set_conn_encrypt cp; 2440 cp.handle = ev->handle; 2441 cp.encrypt = 0x01; 2442 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2443 &cp); 2444 } else { 2445 conn->state = BT_CONNECTED; 2446 hci_connect_cfm(conn, ev->status); 2447 hci_conn_drop(conn); 2448 } 2449 } else { 2450 hci_auth_cfm(conn, ev->status); 2451 2452 hci_conn_hold(conn); 2453 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 2454 hci_conn_drop(conn); 2455 } 2456 2457 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 2458 if (!ev->status) { 2459 struct hci_cp_set_conn_encrypt cp; 2460 cp.handle = ev->handle; 2461 cp.encrypt = 0x01; 2462 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 2463 &cp); 2464 } else { 2465 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2466 hci_encrypt_cfm(conn, ev->status, 0x00); 2467 } 2468 } 2469 2470 unlock: 2471 hci_dev_unlock(hdev); 2472 } 2473 2474 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) 2475 { 2476 struct hci_ev_remote_name *ev = (void *) skb->data; 2477 struct hci_conn *conn; 2478 2479 BT_DBG("%s", hdev->name); 2480 2481 hci_conn_check_pending(hdev); 2482 2483 hci_dev_lock(hdev); 2484 2485 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 2486 2487 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 2488 goto check_auth; 2489 2490 if (ev->status == 0) 2491 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 2492 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 2493 else 2494 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 2495 2496 check_auth: 2497 if (!conn) 2498 goto unlock; 2499 2500 if (!hci_outgoing_auth_needed(hdev, conn)) 2501 goto unlock; 2502 2503 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2504 struct hci_cp_auth_requested cp; 2505 2506 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2507 2508 cp.handle = __cpu_to_le16(conn->handle); 2509 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 2510 } 2511 2512 unlock: 2513 hci_dev_unlock(hdev); 2514 } 2515 2516 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status, 2517 u16 opcode, struct sk_buff *skb) 2518 { 2519 const struct hci_rp_read_enc_key_size *rp; 2520 struct hci_conn *conn; 2521 u16 handle; 2522 2523 BT_DBG("%s status 0x%02x", hdev->name, status); 2524 2525 if (!skb || skb->len < sizeof(*rp)) { 2526 BT_ERR("%s invalid HCI Read Encryption Key Size response", 2527 hdev->name); 2528 return; 2529 } 2530 2531 rp = (void *)skb->data; 2532 handle = le16_to_cpu(rp->handle); 2533 2534 hci_dev_lock(hdev); 2535 2536 conn = hci_conn_hash_lookup_handle(hdev, handle); 2537 if (!conn) 2538 goto unlock; 2539 2540 /* If we fail to read the encryption key size, assume maximum 2541 * (which is the same we do also when this HCI command isn't 2542 * supported. 2543 */ 2544 if (rp->status) { 2545 BT_ERR("%s failed to read key size for handle %u", hdev->name, 2546 handle); 2547 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2548 } else { 2549 conn->enc_key_size = rp->key_size; 2550 } 2551 2552 if (conn->state == BT_CONFIG) { 2553 conn->state = BT_CONNECTED; 2554 hci_connect_cfm(conn, 0); 2555 hci_conn_drop(conn); 2556 } else { 2557 u8 encrypt; 2558 2559 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 2560 encrypt = 0x00; 2561 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags)) 2562 encrypt = 0x02; 2563 else 2564 encrypt = 0x01; 2565 2566 hci_encrypt_cfm(conn, 0, encrypt); 2567 } 2568 2569 unlock: 2570 hci_dev_unlock(hdev); 2571 } 2572 2573 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2574 { 2575 struct hci_ev_encrypt_change *ev = (void *) skb->data; 2576 struct hci_conn *conn; 2577 2578 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2579 2580 hci_dev_lock(hdev); 2581 2582 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2583 if (!conn) 2584 goto unlock; 2585 2586 if (!ev->status) { 2587 if (ev->encrypt) { 2588 /* Encryption implies authentication */ 2589 set_bit(HCI_CONN_AUTH, &conn->flags); 2590 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 2591 conn->sec_level = conn->pending_sec_level; 2592 2593 /* P-256 authentication key implies FIPS */ 2594 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 2595 set_bit(HCI_CONN_FIPS, &conn->flags); 2596 2597 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 2598 conn->type == LE_LINK) 2599 set_bit(HCI_CONN_AES_CCM, &conn->flags); 2600 } else { 2601 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 2602 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 2603 } 2604 } 2605 2606 /* We should disregard the current RPA and generate a new one 2607 * whenever the encryption procedure fails. 2608 */ 2609 if (ev->status && conn->type == LE_LINK) 2610 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 2611 2612 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 2613 2614 if (ev->status && conn->state == BT_CONNECTED) { 2615 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2616 hci_conn_drop(conn); 2617 goto unlock; 2618 } 2619 2620 /* In Secure Connections Only mode, do not allow any connections 2621 * that are not encrypted with AES-CCM using a P-256 authenticated 2622 * combination key. 2623 */ 2624 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && 2625 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) || 2626 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) { 2627 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE); 2628 hci_conn_drop(conn); 2629 goto unlock; 2630 } 2631 2632 /* Try reading the encryption key size for encrypted ACL links */ 2633 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 2634 struct hci_cp_read_enc_key_size cp; 2635 struct hci_request req; 2636 2637 /* Only send HCI_Read_Encryption_Key_Size if the 2638 * controller really supports it. If it doesn't, assume 2639 * the default size (16). 2640 */ 2641 if (!(hdev->commands[20] & 0x10)) { 2642 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2643 goto notify; 2644 } 2645 2646 hci_req_init(&req, hdev); 2647 2648 cp.handle = cpu_to_le16(conn->handle); 2649 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp); 2650 2651 if (hci_req_run_skb(&req, read_enc_key_size_complete)) { 2652 BT_ERR("Sending HCI Read Encryption Key Size failed"); 2653 conn->enc_key_size = HCI_LINK_KEY_SIZE; 2654 goto notify; 2655 } 2656 2657 goto unlock; 2658 } 2659 2660 notify: 2661 if (conn->state == BT_CONFIG) { 2662 if (!ev->status) 2663 conn->state = BT_CONNECTED; 2664 2665 hci_connect_cfm(conn, ev->status); 2666 hci_conn_drop(conn); 2667 } else 2668 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2669 2670 unlock: 2671 hci_dev_unlock(hdev); 2672 } 2673 2674 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, 2675 struct sk_buff *skb) 2676 { 2677 struct hci_ev_change_link_key_complete *ev = (void *) skb->data; 2678 struct hci_conn *conn; 2679 2680 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2681 2682 hci_dev_lock(hdev); 2683 2684 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2685 if (conn) { 2686 if (!ev->status) 2687 set_bit(HCI_CONN_SECURE, &conn->flags); 2688 2689 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 2690 2691 hci_key_change_cfm(conn, ev->status); 2692 } 2693 2694 hci_dev_unlock(hdev); 2695 } 2696 2697 static void hci_remote_features_evt(struct hci_dev *hdev, 2698 struct sk_buff *skb) 2699 { 2700 struct hci_ev_remote_features *ev = (void *) skb->data; 2701 struct hci_conn *conn; 2702 2703 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 2704 2705 hci_dev_lock(hdev); 2706 2707 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 2708 if (!conn) 2709 goto unlock; 2710 2711 if (!ev->status) 2712 memcpy(conn->features[0], ev->features, 8); 2713 2714 if (conn->state != BT_CONFIG) 2715 goto unlock; 2716 2717 if (!ev->status && lmp_ext_feat_capable(hdev) && 2718 lmp_ext_feat_capable(conn)) { 2719 struct hci_cp_read_remote_ext_features cp; 2720 cp.handle = ev->handle; 2721 cp.page = 0x01; 2722 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 2723 sizeof(cp), &cp); 2724 goto unlock; 2725 } 2726 2727 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 2728 struct hci_cp_remote_name_req cp; 2729 memset(&cp, 0, sizeof(cp)); 2730 bacpy(&cp.bdaddr, &conn->dst); 2731 cp.pscan_rep_mode = 0x02; 2732 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2733 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2734 mgmt_device_connected(hdev, conn, 0, NULL, 0); 2735 2736 if (!hci_outgoing_auth_needed(hdev, conn)) { 2737 conn->state = BT_CONNECTED; 2738 hci_connect_cfm(conn, ev->status); 2739 hci_conn_drop(conn); 2740 } 2741 2742 unlock: 2743 hci_dev_unlock(hdev); 2744 } 2745 2746 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, 2747 u16 *opcode, u8 *status, 2748 hci_req_complete_t *req_complete, 2749 hci_req_complete_skb_t *req_complete_skb) 2750 { 2751 struct hci_ev_cmd_complete *ev = (void *) skb->data; 2752 2753 *opcode = __le16_to_cpu(ev->opcode); 2754 *status = skb->data[sizeof(*ev)]; 2755 2756 skb_pull(skb, sizeof(*ev)); 2757 2758 switch (*opcode) { 2759 case HCI_OP_INQUIRY_CANCEL: 2760 hci_cc_inquiry_cancel(hdev, skb); 2761 break; 2762 2763 case HCI_OP_PERIODIC_INQ: 2764 hci_cc_periodic_inq(hdev, skb); 2765 break; 2766 2767 case HCI_OP_EXIT_PERIODIC_INQ: 2768 hci_cc_exit_periodic_inq(hdev, skb); 2769 break; 2770 2771 case HCI_OP_REMOTE_NAME_REQ_CANCEL: 2772 hci_cc_remote_name_req_cancel(hdev, skb); 2773 break; 2774 2775 case HCI_OP_ROLE_DISCOVERY: 2776 hci_cc_role_discovery(hdev, skb); 2777 break; 2778 2779 case HCI_OP_READ_LINK_POLICY: 2780 hci_cc_read_link_policy(hdev, skb); 2781 break; 2782 2783 case HCI_OP_WRITE_LINK_POLICY: 2784 hci_cc_write_link_policy(hdev, skb); 2785 break; 2786 2787 case HCI_OP_READ_DEF_LINK_POLICY: 2788 hci_cc_read_def_link_policy(hdev, skb); 2789 break; 2790 2791 case HCI_OP_WRITE_DEF_LINK_POLICY: 2792 hci_cc_write_def_link_policy(hdev, skb); 2793 break; 2794 2795 case HCI_OP_RESET: 2796 hci_cc_reset(hdev, skb); 2797 break; 2798 2799 case HCI_OP_READ_STORED_LINK_KEY: 2800 hci_cc_read_stored_link_key(hdev, skb); 2801 break; 2802 2803 case HCI_OP_DELETE_STORED_LINK_KEY: 2804 hci_cc_delete_stored_link_key(hdev, skb); 2805 break; 2806 2807 case HCI_OP_WRITE_LOCAL_NAME: 2808 hci_cc_write_local_name(hdev, skb); 2809 break; 2810 2811 case HCI_OP_READ_LOCAL_NAME: 2812 hci_cc_read_local_name(hdev, skb); 2813 break; 2814 2815 case HCI_OP_WRITE_AUTH_ENABLE: 2816 hci_cc_write_auth_enable(hdev, skb); 2817 break; 2818 2819 case HCI_OP_WRITE_ENCRYPT_MODE: 2820 hci_cc_write_encrypt_mode(hdev, skb); 2821 break; 2822 2823 case HCI_OP_WRITE_SCAN_ENABLE: 2824 hci_cc_write_scan_enable(hdev, skb); 2825 break; 2826 2827 case HCI_OP_READ_CLASS_OF_DEV: 2828 hci_cc_read_class_of_dev(hdev, skb); 2829 break; 2830 2831 case HCI_OP_WRITE_CLASS_OF_DEV: 2832 hci_cc_write_class_of_dev(hdev, skb); 2833 break; 2834 2835 case HCI_OP_READ_VOICE_SETTING: 2836 hci_cc_read_voice_setting(hdev, skb); 2837 break; 2838 2839 case HCI_OP_WRITE_VOICE_SETTING: 2840 hci_cc_write_voice_setting(hdev, skb); 2841 break; 2842 2843 case HCI_OP_READ_NUM_SUPPORTED_IAC: 2844 hci_cc_read_num_supported_iac(hdev, skb); 2845 break; 2846 2847 case HCI_OP_WRITE_SSP_MODE: 2848 hci_cc_write_ssp_mode(hdev, skb); 2849 break; 2850 2851 case HCI_OP_WRITE_SC_SUPPORT: 2852 hci_cc_write_sc_support(hdev, skb); 2853 break; 2854 2855 case HCI_OP_READ_LOCAL_VERSION: 2856 hci_cc_read_local_version(hdev, skb); 2857 break; 2858 2859 case HCI_OP_READ_LOCAL_COMMANDS: 2860 hci_cc_read_local_commands(hdev, skb); 2861 break; 2862 2863 case HCI_OP_READ_LOCAL_FEATURES: 2864 hci_cc_read_local_features(hdev, skb); 2865 break; 2866 2867 case HCI_OP_READ_LOCAL_EXT_FEATURES: 2868 hci_cc_read_local_ext_features(hdev, skb); 2869 break; 2870 2871 case HCI_OP_READ_BUFFER_SIZE: 2872 hci_cc_read_buffer_size(hdev, skb); 2873 break; 2874 2875 case HCI_OP_READ_BD_ADDR: 2876 hci_cc_read_bd_addr(hdev, skb); 2877 break; 2878 2879 case HCI_OP_READ_PAGE_SCAN_ACTIVITY: 2880 hci_cc_read_page_scan_activity(hdev, skb); 2881 break; 2882 2883 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY: 2884 hci_cc_write_page_scan_activity(hdev, skb); 2885 break; 2886 2887 case HCI_OP_READ_PAGE_SCAN_TYPE: 2888 hci_cc_read_page_scan_type(hdev, skb); 2889 break; 2890 2891 case HCI_OP_WRITE_PAGE_SCAN_TYPE: 2892 hci_cc_write_page_scan_type(hdev, skb); 2893 break; 2894 2895 case HCI_OP_READ_DATA_BLOCK_SIZE: 2896 hci_cc_read_data_block_size(hdev, skb); 2897 break; 2898 2899 case HCI_OP_READ_FLOW_CONTROL_MODE: 2900 hci_cc_read_flow_control_mode(hdev, skb); 2901 break; 2902 2903 case HCI_OP_READ_LOCAL_AMP_INFO: 2904 hci_cc_read_local_amp_info(hdev, skb); 2905 break; 2906 2907 case HCI_OP_READ_CLOCK: 2908 hci_cc_read_clock(hdev, skb); 2909 break; 2910 2911 case HCI_OP_READ_INQ_RSP_TX_POWER: 2912 hci_cc_read_inq_rsp_tx_power(hdev, skb); 2913 break; 2914 2915 case HCI_OP_PIN_CODE_REPLY: 2916 hci_cc_pin_code_reply(hdev, skb); 2917 break; 2918 2919 case HCI_OP_PIN_CODE_NEG_REPLY: 2920 hci_cc_pin_code_neg_reply(hdev, skb); 2921 break; 2922 2923 case HCI_OP_READ_LOCAL_OOB_DATA: 2924 hci_cc_read_local_oob_data(hdev, skb); 2925 break; 2926 2927 case HCI_OP_READ_LOCAL_OOB_EXT_DATA: 2928 hci_cc_read_local_oob_ext_data(hdev, skb); 2929 break; 2930 2931 case HCI_OP_LE_READ_BUFFER_SIZE: 2932 hci_cc_le_read_buffer_size(hdev, skb); 2933 break; 2934 2935 case HCI_OP_LE_READ_LOCAL_FEATURES: 2936 hci_cc_le_read_local_features(hdev, skb); 2937 break; 2938 2939 case HCI_OP_LE_READ_ADV_TX_POWER: 2940 hci_cc_le_read_adv_tx_power(hdev, skb); 2941 break; 2942 2943 case HCI_OP_USER_CONFIRM_REPLY: 2944 hci_cc_user_confirm_reply(hdev, skb); 2945 break; 2946 2947 case HCI_OP_USER_CONFIRM_NEG_REPLY: 2948 hci_cc_user_confirm_neg_reply(hdev, skb); 2949 break; 2950 2951 case HCI_OP_USER_PASSKEY_REPLY: 2952 hci_cc_user_passkey_reply(hdev, skb); 2953 break; 2954 2955 case HCI_OP_USER_PASSKEY_NEG_REPLY: 2956 hci_cc_user_passkey_neg_reply(hdev, skb); 2957 break; 2958 2959 case HCI_OP_LE_SET_RANDOM_ADDR: 2960 hci_cc_le_set_random_addr(hdev, skb); 2961 break; 2962 2963 case HCI_OP_LE_SET_ADV_ENABLE: 2964 hci_cc_le_set_adv_enable(hdev, skb); 2965 break; 2966 2967 case HCI_OP_LE_SET_SCAN_PARAM: 2968 hci_cc_le_set_scan_param(hdev, skb); 2969 break; 2970 2971 case HCI_OP_LE_SET_SCAN_ENABLE: 2972 hci_cc_le_set_scan_enable(hdev, skb); 2973 break; 2974 2975 case HCI_OP_LE_READ_WHITE_LIST_SIZE: 2976 hci_cc_le_read_white_list_size(hdev, skb); 2977 break; 2978 2979 case HCI_OP_LE_CLEAR_WHITE_LIST: 2980 hci_cc_le_clear_white_list(hdev, skb); 2981 break; 2982 2983 case HCI_OP_LE_ADD_TO_WHITE_LIST: 2984 hci_cc_le_add_to_white_list(hdev, skb); 2985 break; 2986 2987 case HCI_OP_LE_DEL_FROM_WHITE_LIST: 2988 hci_cc_le_del_from_white_list(hdev, skb); 2989 break; 2990 2991 case HCI_OP_LE_READ_SUPPORTED_STATES: 2992 hci_cc_le_read_supported_states(hdev, skb); 2993 break; 2994 2995 case HCI_OP_LE_READ_DEF_DATA_LEN: 2996 hci_cc_le_read_def_data_len(hdev, skb); 2997 break; 2998 2999 case HCI_OP_LE_WRITE_DEF_DATA_LEN: 3000 hci_cc_le_write_def_data_len(hdev, skb); 3001 break; 3002 3003 case HCI_OP_LE_READ_MAX_DATA_LEN: 3004 hci_cc_le_read_max_data_len(hdev, skb); 3005 break; 3006 3007 case HCI_OP_WRITE_LE_HOST_SUPPORTED: 3008 hci_cc_write_le_host_supported(hdev, skb); 3009 break; 3010 3011 case HCI_OP_LE_SET_ADV_PARAM: 3012 hci_cc_set_adv_param(hdev, skb); 3013 break; 3014 3015 case HCI_OP_READ_RSSI: 3016 hci_cc_read_rssi(hdev, skb); 3017 break; 3018 3019 case HCI_OP_READ_TX_POWER: 3020 hci_cc_read_tx_power(hdev, skb); 3021 break; 3022 3023 case HCI_OP_WRITE_SSP_DEBUG_MODE: 3024 hci_cc_write_ssp_debug_mode(hdev, skb); 3025 break; 3026 3027 default: 3028 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3029 break; 3030 } 3031 3032 if (*opcode != HCI_OP_NOP) 3033 cancel_delayed_work(&hdev->cmd_timer); 3034 3035 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3036 atomic_set(&hdev->cmd_cnt, 1); 3037 3038 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 3039 req_complete_skb); 3040 3041 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3042 queue_work(hdev->workqueue, &hdev->cmd_work); 3043 } 3044 3045 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb, 3046 u16 *opcode, u8 *status, 3047 hci_req_complete_t *req_complete, 3048 hci_req_complete_skb_t *req_complete_skb) 3049 { 3050 struct hci_ev_cmd_status *ev = (void *) skb->data; 3051 3052 skb_pull(skb, sizeof(*ev)); 3053 3054 *opcode = __le16_to_cpu(ev->opcode); 3055 *status = ev->status; 3056 3057 switch (*opcode) { 3058 case HCI_OP_INQUIRY: 3059 hci_cs_inquiry(hdev, ev->status); 3060 break; 3061 3062 case HCI_OP_CREATE_CONN: 3063 hci_cs_create_conn(hdev, ev->status); 3064 break; 3065 3066 case HCI_OP_DISCONNECT: 3067 hci_cs_disconnect(hdev, ev->status); 3068 break; 3069 3070 case HCI_OP_ADD_SCO: 3071 hci_cs_add_sco(hdev, ev->status); 3072 break; 3073 3074 case HCI_OP_AUTH_REQUESTED: 3075 hci_cs_auth_requested(hdev, ev->status); 3076 break; 3077 3078 case HCI_OP_SET_CONN_ENCRYPT: 3079 hci_cs_set_conn_encrypt(hdev, ev->status); 3080 break; 3081 3082 case HCI_OP_REMOTE_NAME_REQ: 3083 hci_cs_remote_name_req(hdev, ev->status); 3084 break; 3085 3086 case HCI_OP_READ_REMOTE_FEATURES: 3087 hci_cs_read_remote_features(hdev, ev->status); 3088 break; 3089 3090 case HCI_OP_READ_REMOTE_EXT_FEATURES: 3091 hci_cs_read_remote_ext_features(hdev, ev->status); 3092 break; 3093 3094 case HCI_OP_SETUP_SYNC_CONN: 3095 hci_cs_setup_sync_conn(hdev, ev->status); 3096 break; 3097 3098 case HCI_OP_SNIFF_MODE: 3099 hci_cs_sniff_mode(hdev, ev->status); 3100 break; 3101 3102 case HCI_OP_EXIT_SNIFF_MODE: 3103 hci_cs_exit_sniff_mode(hdev, ev->status); 3104 break; 3105 3106 case HCI_OP_SWITCH_ROLE: 3107 hci_cs_switch_role(hdev, ev->status); 3108 break; 3109 3110 case HCI_OP_LE_CREATE_CONN: 3111 hci_cs_le_create_conn(hdev, ev->status); 3112 break; 3113 3114 case HCI_OP_LE_READ_REMOTE_FEATURES: 3115 hci_cs_le_read_remote_features(hdev, ev->status); 3116 break; 3117 3118 case HCI_OP_LE_START_ENC: 3119 hci_cs_le_start_enc(hdev, ev->status); 3120 break; 3121 3122 default: 3123 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode); 3124 break; 3125 } 3126 3127 if (*opcode != HCI_OP_NOP) 3128 cancel_delayed_work(&hdev->cmd_timer); 3129 3130 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) 3131 atomic_set(&hdev->cmd_cnt, 1); 3132 3133 /* Indicate request completion if the command failed. Also, if 3134 * we're not waiting for a special event and we get a success 3135 * command status we should try to flag the request as completed 3136 * (since for this kind of commands there will not be a command 3137 * complete event). 3138 */ 3139 if (ev->status || 3140 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event)) 3141 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 3142 req_complete_skb); 3143 3144 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 3145 queue_work(hdev->workqueue, &hdev->cmd_work); 3146 } 3147 3148 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb) 3149 { 3150 struct hci_ev_hardware_error *ev = (void *) skb->data; 3151 3152 hdev->hw_error_code = ev->code; 3153 3154 queue_work(hdev->req_workqueue, &hdev->error_reset); 3155 } 3156 3157 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3158 { 3159 struct hci_ev_role_change *ev = (void *) skb->data; 3160 struct hci_conn *conn; 3161 3162 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3163 3164 hci_dev_lock(hdev); 3165 3166 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3167 if (conn) { 3168 if (!ev->status) 3169 conn->role = ev->role; 3170 3171 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3172 3173 hci_role_switch_cfm(conn, ev->status, ev->role); 3174 } 3175 3176 hci_dev_unlock(hdev); 3177 } 3178 3179 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 3180 { 3181 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 3182 int i; 3183 3184 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 3185 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode); 3186 return; 3187 } 3188 3189 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 3190 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) { 3191 BT_DBG("%s bad parameters", hdev->name); 3192 return; 3193 } 3194 3195 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 3196 3197 for (i = 0; i < ev->num_hndl; i++) { 3198 struct hci_comp_pkts_info *info = &ev->handles[i]; 3199 struct hci_conn *conn; 3200 __u16 handle, count; 3201 3202 handle = __le16_to_cpu(info->handle); 3203 count = __le16_to_cpu(info->count); 3204 3205 conn = hci_conn_hash_lookup_handle(hdev, handle); 3206 if (!conn) 3207 continue; 3208 3209 conn->sent -= count; 3210 3211 switch (conn->type) { 3212 case ACL_LINK: 3213 hdev->acl_cnt += count; 3214 if (hdev->acl_cnt > hdev->acl_pkts) 3215 hdev->acl_cnt = hdev->acl_pkts; 3216 break; 3217 3218 case LE_LINK: 3219 if (hdev->le_pkts) { 3220 hdev->le_cnt += count; 3221 if (hdev->le_cnt > hdev->le_pkts) 3222 hdev->le_cnt = hdev->le_pkts; 3223 } else { 3224 hdev->acl_cnt += count; 3225 if (hdev->acl_cnt > hdev->acl_pkts) 3226 hdev->acl_cnt = hdev->acl_pkts; 3227 } 3228 break; 3229 3230 case SCO_LINK: 3231 hdev->sco_cnt += count; 3232 if (hdev->sco_cnt > hdev->sco_pkts) 3233 hdev->sco_cnt = hdev->sco_pkts; 3234 break; 3235 3236 default: 3237 BT_ERR("Unknown type %d conn %p", conn->type, conn); 3238 break; 3239 } 3240 } 3241 3242 queue_work(hdev->workqueue, &hdev->tx_work); 3243 } 3244 3245 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 3246 __u16 handle) 3247 { 3248 struct hci_chan *chan; 3249 3250 switch (hdev->dev_type) { 3251 case HCI_BREDR: 3252 return hci_conn_hash_lookup_handle(hdev, handle); 3253 case HCI_AMP: 3254 chan = hci_chan_lookup_handle(hdev, handle); 3255 if (chan) 3256 return chan->conn; 3257 break; 3258 default: 3259 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type); 3260 break; 3261 } 3262 3263 return NULL; 3264 } 3265 3266 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb) 3267 { 3268 struct hci_ev_num_comp_blocks *ev = (void *) skb->data; 3269 int i; 3270 3271 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 3272 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode); 3273 return; 3274 } 3275 3276 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) + 3277 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) { 3278 BT_DBG("%s bad parameters", hdev->name); 3279 return; 3280 } 3281 3282 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks, 3283 ev->num_hndl); 3284 3285 for (i = 0; i < ev->num_hndl; i++) { 3286 struct hci_comp_blocks_info *info = &ev->handles[i]; 3287 struct hci_conn *conn = NULL; 3288 __u16 handle, block_count; 3289 3290 handle = __le16_to_cpu(info->handle); 3291 block_count = __le16_to_cpu(info->blocks); 3292 3293 conn = __hci_conn_lookup_handle(hdev, handle); 3294 if (!conn) 3295 continue; 3296 3297 conn->sent -= block_count; 3298 3299 switch (conn->type) { 3300 case ACL_LINK: 3301 case AMP_LINK: 3302 hdev->block_cnt += block_count; 3303 if (hdev->block_cnt > hdev->num_blocks) 3304 hdev->block_cnt = hdev->num_blocks; 3305 break; 3306 3307 default: 3308 BT_ERR("Unknown type %d conn %p", conn->type, conn); 3309 break; 3310 } 3311 } 3312 3313 queue_work(hdev->workqueue, &hdev->tx_work); 3314 } 3315 3316 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3317 { 3318 struct hci_ev_mode_change *ev = (void *) skb->data; 3319 struct hci_conn *conn; 3320 3321 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3322 3323 hci_dev_lock(hdev); 3324 3325 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3326 if (conn) { 3327 conn->mode = ev->mode; 3328 3329 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 3330 &conn->flags)) { 3331 if (conn->mode == HCI_CM_ACTIVE) 3332 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3333 else 3334 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 3335 } 3336 3337 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 3338 hci_sco_setup(conn, ev->status); 3339 } 3340 3341 hci_dev_unlock(hdev); 3342 } 3343 3344 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3345 { 3346 struct hci_ev_pin_code_req *ev = (void *) skb->data; 3347 struct hci_conn *conn; 3348 3349 BT_DBG("%s", hdev->name); 3350 3351 hci_dev_lock(hdev); 3352 3353 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3354 if (!conn) 3355 goto unlock; 3356 3357 if (conn->state == BT_CONNECTED) { 3358 hci_conn_hold(conn); 3359 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3360 hci_conn_drop(conn); 3361 } 3362 3363 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 3364 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 3365 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 3366 sizeof(ev->bdaddr), &ev->bdaddr); 3367 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 3368 u8 secure; 3369 3370 if (conn->pending_sec_level == BT_SECURITY_HIGH) 3371 secure = 1; 3372 else 3373 secure = 0; 3374 3375 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 3376 } 3377 3378 unlock: 3379 hci_dev_unlock(hdev); 3380 } 3381 3382 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 3383 { 3384 if (key_type == HCI_LK_CHANGED_COMBINATION) 3385 return; 3386 3387 conn->pin_length = pin_len; 3388 conn->key_type = key_type; 3389 3390 switch (key_type) { 3391 case HCI_LK_LOCAL_UNIT: 3392 case HCI_LK_REMOTE_UNIT: 3393 case HCI_LK_DEBUG_COMBINATION: 3394 return; 3395 case HCI_LK_COMBINATION: 3396 if (pin_len == 16) 3397 conn->pending_sec_level = BT_SECURITY_HIGH; 3398 else 3399 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3400 break; 3401 case HCI_LK_UNAUTH_COMBINATION_P192: 3402 case HCI_LK_UNAUTH_COMBINATION_P256: 3403 conn->pending_sec_level = BT_SECURITY_MEDIUM; 3404 break; 3405 case HCI_LK_AUTH_COMBINATION_P192: 3406 conn->pending_sec_level = BT_SECURITY_HIGH; 3407 break; 3408 case HCI_LK_AUTH_COMBINATION_P256: 3409 conn->pending_sec_level = BT_SECURITY_FIPS; 3410 break; 3411 } 3412 } 3413 3414 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3415 { 3416 struct hci_ev_link_key_req *ev = (void *) skb->data; 3417 struct hci_cp_link_key_reply cp; 3418 struct hci_conn *conn; 3419 struct link_key *key; 3420 3421 BT_DBG("%s", hdev->name); 3422 3423 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3424 return; 3425 3426 hci_dev_lock(hdev); 3427 3428 key = hci_find_link_key(hdev, &ev->bdaddr); 3429 if (!key) { 3430 BT_DBG("%s link key not found for %pMR", hdev->name, 3431 &ev->bdaddr); 3432 goto not_found; 3433 } 3434 3435 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type, 3436 &ev->bdaddr); 3437 3438 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3439 if (conn) { 3440 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3441 3442 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 3443 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 3444 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 3445 BT_DBG("%s ignoring unauthenticated key", hdev->name); 3446 goto not_found; 3447 } 3448 3449 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 3450 (conn->pending_sec_level == BT_SECURITY_HIGH || 3451 conn->pending_sec_level == BT_SECURITY_FIPS)) { 3452 BT_DBG("%s ignoring key unauthenticated for high security", 3453 hdev->name); 3454 goto not_found; 3455 } 3456 3457 conn_set_key(conn, key->type, key->pin_len); 3458 } 3459 3460 bacpy(&cp.bdaddr, &ev->bdaddr); 3461 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 3462 3463 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 3464 3465 hci_dev_unlock(hdev); 3466 3467 return; 3468 3469 not_found: 3470 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 3471 hci_dev_unlock(hdev); 3472 } 3473 3474 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 3475 { 3476 struct hci_ev_link_key_notify *ev = (void *) skb->data; 3477 struct hci_conn *conn; 3478 struct link_key *key; 3479 bool persistent; 3480 u8 pin_len = 0; 3481 3482 BT_DBG("%s", hdev->name); 3483 3484 hci_dev_lock(hdev); 3485 3486 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3487 if (!conn) 3488 goto unlock; 3489 3490 hci_conn_hold(conn); 3491 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3492 hci_conn_drop(conn); 3493 3494 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 3495 conn_set_key(conn, ev->key_type, conn->pin_length); 3496 3497 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3498 goto unlock; 3499 3500 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 3501 ev->key_type, pin_len, &persistent); 3502 if (!key) 3503 goto unlock; 3504 3505 /* Update connection information since adding the key will have 3506 * fixed up the type in the case of changed combination keys. 3507 */ 3508 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 3509 conn_set_key(conn, key->type, key->pin_len); 3510 3511 mgmt_new_link_key(hdev, key, persistent); 3512 3513 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 3514 * is set. If it's not set simply remove the key from the kernel 3515 * list (we've still notified user space about it but with 3516 * store_hint being 0). 3517 */ 3518 if (key->type == HCI_LK_DEBUG_COMBINATION && 3519 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 3520 list_del_rcu(&key->list); 3521 kfree_rcu(key, rcu); 3522 goto unlock; 3523 } 3524 3525 if (persistent) 3526 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3527 else 3528 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 3529 3530 unlock: 3531 hci_dev_unlock(hdev); 3532 } 3533 3534 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb) 3535 { 3536 struct hci_ev_clock_offset *ev = (void *) skb->data; 3537 struct hci_conn *conn; 3538 3539 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3540 3541 hci_dev_lock(hdev); 3542 3543 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3544 if (conn && !ev->status) { 3545 struct inquiry_entry *ie; 3546 3547 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3548 if (ie) { 3549 ie->data.clock_offset = ev->clock_offset; 3550 ie->timestamp = jiffies; 3551 } 3552 } 3553 3554 hci_dev_unlock(hdev); 3555 } 3556 3557 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 3558 { 3559 struct hci_ev_pkt_type_change *ev = (void *) skb->data; 3560 struct hci_conn *conn; 3561 3562 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3563 3564 hci_dev_lock(hdev); 3565 3566 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3567 if (conn && !ev->status) 3568 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 3569 3570 hci_dev_unlock(hdev); 3571 } 3572 3573 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb) 3574 { 3575 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data; 3576 struct inquiry_entry *ie; 3577 3578 BT_DBG("%s", hdev->name); 3579 3580 hci_dev_lock(hdev); 3581 3582 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3583 if (ie) { 3584 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 3585 ie->timestamp = jiffies; 3586 } 3587 3588 hci_dev_unlock(hdev); 3589 } 3590 3591 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, 3592 struct sk_buff *skb) 3593 { 3594 struct inquiry_data data; 3595 int num_rsp = *((__u8 *) skb->data); 3596 3597 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3598 3599 if (!num_rsp) 3600 return; 3601 3602 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3603 return; 3604 3605 hci_dev_lock(hdev); 3606 3607 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) { 3608 struct inquiry_info_with_rssi_and_pscan_mode *info; 3609 info = (void *) (skb->data + 1); 3610 3611 for (; num_rsp; num_rsp--, info++) { 3612 u32 flags; 3613 3614 bacpy(&data.bdaddr, &info->bdaddr); 3615 data.pscan_rep_mode = info->pscan_rep_mode; 3616 data.pscan_period_mode = info->pscan_period_mode; 3617 data.pscan_mode = info->pscan_mode; 3618 memcpy(data.dev_class, info->dev_class, 3); 3619 data.clock_offset = info->clock_offset; 3620 data.rssi = info->rssi; 3621 data.ssp_mode = 0x00; 3622 3623 flags = hci_inquiry_cache_update(hdev, &data, false); 3624 3625 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3626 info->dev_class, info->rssi, 3627 flags, NULL, 0, NULL, 0); 3628 } 3629 } else { 3630 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1); 3631 3632 for (; num_rsp; num_rsp--, info++) { 3633 u32 flags; 3634 3635 bacpy(&data.bdaddr, &info->bdaddr); 3636 data.pscan_rep_mode = info->pscan_rep_mode; 3637 data.pscan_period_mode = info->pscan_period_mode; 3638 data.pscan_mode = 0x00; 3639 memcpy(data.dev_class, info->dev_class, 3); 3640 data.clock_offset = info->clock_offset; 3641 data.rssi = info->rssi; 3642 data.ssp_mode = 0x00; 3643 3644 flags = hci_inquiry_cache_update(hdev, &data, false); 3645 3646 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3647 info->dev_class, info->rssi, 3648 flags, NULL, 0, NULL, 0); 3649 } 3650 } 3651 3652 hci_dev_unlock(hdev); 3653 } 3654 3655 static void hci_remote_ext_features_evt(struct hci_dev *hdev, 3656 struct sk_buff *skb) 3657 { 3658 struct hci_ev_remote_ext_features *ev = (void *) skb->data; 3659 struct hci_conn *conn; 3660 3661 BT_DBG("%s", hdev->name); 3662 3663 hci_dev_lock(hdev); 3664 3665 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3666 if (!conn) 3667 goto unlock; 3668 3669 if (ev->page < HCI_MAX_PAGES) 3670 memcpy(conn->features[ev->page], ev->features, 8); 3671 3672 if (!ev->status && ev->page == 0x01) { 3673 struct inquiry_entry *ie; 3674 3675 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 3676 if (ie) 3677 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3678 3679 if (ev->features[0] & LMP_HOST_SSP) { 3680 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3681 } else { 3682 /* It is mandatory by the Bluetooth specification that 3683 * Extended Inquiry Results are only used when Secure 3684 * Simple Pairing is enabled, but some devices violate 3685 * this. 3686 * 3687 * To make these devices work, the internal SSP 3688 * enabled flag needs to be cleared if the remote host 3689 * features do not indicate SSP support */ 3690 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 3691 } 3692 3693 if (ev->features[0] & LMP_HOST_SC) 3694 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 3695 } 3696 3697 if (conn->state != BT_CONFIG) 3698 goto unlock; 3699 3700 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3701 struct hci_cp_remote_name_req cp; 3702 memset(&cp, 0, sizeof(cp)); 3703 bacpy(&cp.bdaddr, &conn->dst); 3704 cp.pscan_rep_mode = 0x02; 3705 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3706 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3707 mgmt_device_connected(hdev, conn, 0, NULL, 0); 3708 3709 if (!hci_outgoing_auth_needed(hdev, conn)) { 3710 conn->state = BT_CONNECTED; 3711 hci_connect_cfm(conn, ev->status); 3712 hci_conn_drop(conn); 3713 } 3714 3715 unlock: 3716 hci_dev_unlock(hdev); 3717 } 3718 3719 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, 3720 struct sk_buff *skb) 3721 { 3722 struct hci_ev_sync_conn_complete *ev = (void *) skb->data; 3723 struct hci_conn *conn; 3724 3725 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 3726 3727 hci_dev_lock(hdev); 3728 3729 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3730 if (!conn) { 3731 if (ev->link_type == ESCO_LINK) 3732 goto unlock; 3733 3734 /* When the link type in the event indicates SCO connection 3735 * and lookup of the connection object fails, then check 3736 * if an eSCO connection object exists. 3737 * 3738 * The core limits the synchronous connections to either 3739 * SCO or eSCO. The eSCO connection is preferred and tried 3740 * to be setup first and until successfully established, 3741 * the link type will be hinted as eSCO. 3742 */ 3743 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 3744 if (!conn) 3745 goto unlock; 3746 } 3747 3748 switch (ev->status) { 3749 case 0x00: 3750 conn->handle = __le16_to_cpu(ev->handle); 3751 conn->state = BT_CONNECTED; 3752 conn->type = ev->link_type; 3753 3754 hci_debugfs_create_conn(conn); 3755 hci_conn_add_sysfs(conn); 3756 break; 3757 3758 case 0x10: /* Connection Accept Timeout */ 3759 case 0x0d: /* Connection Rejected due to Limited Resources */ 3760 case 0x11: /* Unsupported Feature or Parameter Value */ 3761 case 0x1c: /* SCO interval rejected */ 3762 case 0x1a: /* Unsupported Remote Feature */ 3763 case 0x1f: /* Unspecified error */ 3764 case 0x20: /* Unsupported LMP Parameter value */ 3765 if (conn->out) { 3766 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 3767 (hdev->esco_type & EDR_ESCO_MASK); 3768 if (hci_setup_sync(conn, conn->link->handle)) 3769 goto unlock; 3770 } 3771 /* fall through */ 3772 3773 default: 3774 conn->state = BT_CLOSED; 3775 break; 3776 } 3777 3778 hci_connect_cfm(conn, ev->status); 3779 if (ev->status) 3780 hci_conn_del(conn); 3781 3782 unlock: 3783 hci_dev_unlock(hdev); 3784 } 3785 3786 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 3787 { 3788 size_t parsed = 0; 3789 3790 while (parsed < eir_len) { 3791 u8 field_len = eir[0]; 3792 3793 if (field_len == 0) 3794 return parsed; 3795 3796 parsed += field_len + 1; 3797 eir += field_len + 1; 3798 } 3799 3800 return eir_len; 3801 } 3802 3803 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, 3804 struct sk_buff *skb) 3805 { 3806 struct inquiry_data data; 3807 struct extended_inquiry_info *info = (void *) (skb->data + 1); 3808 int num_rsp = *((__u8 *) skb->data); 3809 size_t eir_len; 3810 3811 BT_DBG("%s num_rsp %d", hdev->name, num_rsp); 3812 3813 if (!num_rsp) 3814 return; 3815 3816 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3817 return; 3818 3819 hci_dev_lock(hdev); 3820 3821 for (; num_rsp; num_rsp--, info++) { 3822 u32 flags; 3823 bool name_known; 3824 3825 bacpy(&data.bdaddr, &info->bdaddr); 3826 data.pscan_rep_mode = info->pscan_rep_mode; 3827 data.pscan_period_mode = info->pscan_period_mode; 3828 data.pscan_mode = 0x00; 3829 memcpy(data.dev_class, info->dev_class, 3); 3830 data.clock_offset = info->clock_offset; 3831 data.rssi = info->rssi; 3832 data.ssp_mode = 0x01; 3833 3834 if (hci_dev_test_flag(hdev, HCI_MGMT)) 3835 name_known = eir_has_data_type(info->data, 3836 sizeof(info->data), 3837 EIR_NAME_COMPLETE); 3838 else 3839 name_known = true; 3840 3841 flags = hci_inquiry_cache_update(hdev, &data, name_known); 3842 3843 eir_len = eir_get_length(info->data, sizeof(info->data)); 3844 3845 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3846 info->dev_class, info->rssi, 3847 flags, info->data, eir_len, NULL, 0); 3848 } 3849 3850 hci_dev_unlock(hdev); 3851 } 3852 3853 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, 3854 struct sk_buff *skb) 3855 { 3856 struct hci_ev_key_refresh_complete *ev = (void *) skb->data; 3857 struct hci_conn *conn; 3858 3859 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status, 3860 __le16_to_cpu(ev->handle)); 3861 3862 hci_dev_lock(hdev); 3863 3864 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3865 if (!conn) 3866 goto unlock; 3867 3868 /* For BR/EDR the necessary steps are taken through the 3869 * auth_complete event. 3870 */ 3871 if (conn->type != LE_LINK) 3872 goto unlock; 3873 3874 if (!ev->status) 3875 conn->sec_level = conn->pending_sec_level; 3876 3877 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3878 3879 if (ev->status && conn->state == BT_CONNECTED) { 3880 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3881 hci_conn_drop(conn); 3882 goto unlock; 3883 } 3884 3885 if (conn->state == BT_CONFIG) { 3886 if (!ev->status) 3887 conn->state = BT_CONNECTED; 3888 3889 hci_connect_cfm(conn, ev->status); 3890 hci_conn_drop(conn); 3891 } else { 3892 hci_auth_cfm(conn, ev->status); 3893 3894 hci_conn_hold(conn); 3895 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3896 hci_conn_drop(conn); 3897 } 3898 3899 unlock: 3900 hci_dev_unlock(hdev); 3901 } 3902 3903 static u8 hci_get_auth_req(struct hci_conn *conn) 3904 { 3905 /* If remote requests no-bonding follow that lead */ 3906 if (conn->remote_auth == HCI_AT_NO_BONDING || 3907 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 3908 return conn->remote_auth | (conn->auth_type & 0x01); 3909 3910 /* If both remote and local have enough IO capabilities, require 3911 * MITM protection 3912 */ 3913 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 3914 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 3915 return conn->remote_auth | 0x01; 3916 3917 /* No MITM protection possible so ignore remote requirement */ 3918 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 3919 } 3920 3921 static u8 bredr_oob_data_present(struct hci_conn *conn) 3922 { 3923 struct hci_dev *hdev = conn->hdev; 3924 struct oob_data *data; 3925 3926 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 3927 if (!data) 3928 return 0x00; 3929 3930 if (bredr_sc_enabled(hdev)) { 3931 /* When Secure Connections is enabled, then just 3932 * return the present value stored with the OOB 3933 * data. The stored value contains the right present 3934 * information. However it can only be trusted when 3935 * not in Secure Connection Only mode. 3936 */ 3937 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 3938 return data->present; 3939 3940 /* When Secure Connections Only mode is enabled, then 3941 * the P-256 values are required. If they are not 3942 * available, then do not declare that OOB data is 3943 * present. 3944 */ 3945 if (!memcmp(data->rand256, ZERO_KEY, 16) || 3946 !memcmp(data->hash256, ZERO_KEY, 16)) 3947 return 0x00; 3948 3949 return 0x02; 3950 } 3951 3952 /* When Secure Connections is not enabled or actually 3953 * not supported by the hardware, then check that if 3954 * P-192 data values are present. 3955 */ 3956 if (!memcmp(data->rand192, ZERO_KEY, 16) || 3957 !memcmp(data->hash192, ZERO_KEY, 16)) 3958 return 0x00; 3959 3960 return 0x01; 3961 } 3962 3963 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 3964 { 3965 struct hci_ev_io_capa_request *ev = (void *) skb->data; 3966 struct hci_conn *conn; 3967 3968 BT_DBG("%s", hdev->name); 3969 3970 hci_dev_lock(hdev); 3971 3972 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3973 if (!conn) 3974 goto unlock; 3975 3976 hci_conn_hold(conn); 3977 3978 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3979 goto unlock; 3980 3981 /* Allow pairing if we're pairable, the initiators of the 3982 * pairing or if the remote is not requesting bonding. 3983 */ 3984 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 3985 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 3986 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 3987 struct hci_cp_io_capability_reply cp; 3988 3989 bacpy(&cp.bdaddr, &ev->bdaddr); 3990 /* Change the IO capability from KeyboardDisplay 3991 * to DisplayYesNo as it is not supported by BT spec. */ 3992 cp.capability = (conn->io_capability == 0x04) ? 3993 HCI_IO_DISPLAY_YESNO : conn->io_capability; 3994 3995 /* If we are initiators, there is no remote information yet */ 3996 if (conn->remote_auth == 0xff) { 3997 /* Request MITM protection if our IO caps allow it 3998 * except for the no-bonding case. 3999 */ 4000 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4001 conn->auth_type != HCI_AT_NO_BONDING) 4002 conn->auth_type |= 0x01; 4003 } else { 4004 conn->auth_type = hci_get_auth_req(conn); 4005 } 4006 4007 /* If we're not bondable, force one of the non-bondable 4008 * authentication requirement values. 4009 */ 4010 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 4011 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 4012 4013 cp.authentication = conn->auth_type; 4014 cp.oob_data = bredr_oob_data_present(conn); 4015 4016 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 4017 sizeof(cp), &cp); 4018 } else { 4019 struct hci_cp_io_capability_neg_reply cp; 4020 4021 bacpy(&cp.bdaddr, &ev->bdaddr); 4022 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 4023 4024 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 4025 sizeof(cp), &cp); 4026 } 4027 4028 unlock: 4029 hci_dev_unlock(hdev); 4030 } 4031 4032 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb) 4033 { 4034 struct hci_ev_io_capa_reply *ev = (void *) skb->data; 4035 struct hci_conn *conn; 4036 4037 BT_DBG("%s", hdev->name); 4038 4039 hci_dev_lock(hdev); 4040 4041 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4042 if (!conn) 4043 goto unlock; 4044 4045 conn->remote_cap = ev->capability; 4046 conn->remote_auth = ev->authentication; 4047 4048 unlock: 4049 hci_dev_unlock(hdev); 4050 } 4051 4052 static void hci_user_confirm_request_evt(struct hci_dev *hdev, 4053 struct sk_buff *skb) 4054 { 4055 struct hci_ev_user_confirm_req *ev = (void *) skb->data; 4056 int loc_mitm, rem_mitm, confirm_hint = 0; 4057 struct hci_conn *conn; 4058 4059 BT_DBG("%s", hdev->name); 4060 4061 hci_dev_lock(hdev); 4062 4063 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4064 goto unlock; 4065 4066 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4067 if (!conn) 4068 goto unlock; 4069 4070 loc_mitm = (conn->auth_type & 0x01); 4071 rem_mitm = (conn->remote_auth & 0x01); 4072 4073 /* If we require MITM but the remote device can't provide that 4074 * (it has NoInputNoOutput) then reject the confirmation 4075 * request. We check the security level here since it doesn't 4076 * necessarily match conn->auth_type. 4077 */ 4078 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 4079 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 4080 BT_DBG("Rejecting request: remote device can't provide MITM"); 4081 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 4082 sizeof(ev->bdaddr), &ev->bdaddr); 4083 goto unlock; 4084 } 4085 4086 /* If no side requires MITM protection; auto-accept */ 4087 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 4088 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 4089 4090 /* If we're not the initiators request authorization to 4091 * proceed from user space (mgmt_user_confirm with 4092 * confirm_hint set to 1). The exception is if neither 4093 * side had MITM or if the local IO capability is 4094 * NoInputNoOutput, in which case we do auto-accept 4095 */ 4096 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 4097 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 4098 (loc_mitm || rem_mitm)) { 4099 BT_DBG("Confirming auto-accept as acceptor"); 4100 confirm_hint = 1; 4101 goto confirm; 4102 } 4103 4104 BT_DBG("Auto-accept of user confirmation with %ums delay", 4105 hdev->auto_accept_delay); 4106 4107 if (hdev->auto_accept_delay > 0) { 4108 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 4109 queue_delayed_work(conn->hdev->workqueue, 4110 &conn->auto_accept_work, delay); 4111 goto unlock; 4112 } 4113 4114 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 4115 sizeof(ev->bdaddr), &ev->bdaddr); 4116 goto unlock; 4117 } 4118 4119 confirm: 4120 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 4121 le32_to_cpu(ev->passkey), confirm_hint); 4122 4123 unlock: 4124 hci_dev_unlock(hdev); 4125 } 4126 4127 static void hci_user_passkey_request_evt(struct hci_dev *hdev, 4128 struct sk_buff *skb) 4129 { 4130 struct hci_ev_user_passkey_req *ev = (void *) skb->data; 4131 4132 BT_DBG("%s", hdev->name); 4133 4134 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4135 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 4136 } 4137 4138 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, 4139 struct sk_buff *skb) 4140 { 4141 struct hci_ev_user_passkey_notify *ev = (void *) skb->data; 4142 struct hci_conn *conn; 4143 4144 BT_DBG("%s", hdev->name); 4145 4146 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4147 if (!conn) 4148 return; 4149 4150 conn->passkey_notify = __le32_to_cpu(ev->passkey); 4151 conn->passkey_entered = 0; 4152 4153 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4154 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4155 conn->dst_type, conn->passkey_notify, 4156 conn->passkey_entered); 4157 } 4158 4159 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb) 4160 { 4161 struct hci_ev_keypress_notify *ev = (void *) skb->data; 4162 struct hci_conn *conn; 4163 4164 BT_DBG("%s", hdev->name); 4165 4166 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4167 if (!conn) 4168 return; 4169 4170 switch (ev->type) { 4171 case HCI_KEYPRESS_STARTED: 4172 conn->passkey_entered = 0; 4173 return; 4174 4175 case HCI_KEYPRESS_ENTERED: 4176 conn->passkey_entered++; 4177 break; 4178 4179 case HCI_KEYPRESS_ERASED: 4180 conn->passkey_entered--; 4181 break; 4182 4183 case HCI_KEYPRESS_CLEARED: 4184 conn->passkey_entered = 0; 4185 break; 4186 4187 case HCI_KEYPRESS_COMPLETED: 4188 return; 4189 } 4190 4191 if (hci_dev_test_flag(hdev, HCI_MGMT)) 4192 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 4193 conn->dst_type, conn->passkey_notify, 4194 conn->passkey_entered); 4195 } 4196 4197 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, 4198 struct sk_buff *skb) 4199 { 4200 struct hci_ev_simple_pair_complete *ev = (void *) skb->data; 4201 struct hci_conn *conn; 4202 4203 BT_DBG("%s", hdev->name); 4204 4205 hci_dev_lock(hdev); 4206 4207 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4208 if (!conn) 4209 goto unlock; 4210 4211 /* Reset the authentication requirement to unknown */ 4212 conn->remote_auth = 0xff; 4213 4214 /* To avoid duplicate auth_failed events to user space we check 4215 * the HCI_CONN_AUTH_PEND flag which will be set if we 4216 * initiated the authentication. A traditional auth_complete 4217 * event gets always produced as initiator and is also mapped to 4218 * the mgmt_auth_failed event */ 4219 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 4220 mgmt_auth_failed(conn, ev->status); 4221 4222 hci_conn_drop(conn); 4223 4224 unlock: 4225 hci_dev_unlock(hdev); 4226 } 4227 4228 static void hci_remote_host_features_evt(struct hci_dev *hdev, 4229 struct sk_buff *skb) 4230 { 4231 struct hci_ev_remote_host_features *ev = (void *) skb->data; 4232 struct inquiry_entry *ie; 4233 struct hci_conn *conn; 4234 4235 BT_DBG("%s", hdev->name); 4236 4237 hci_dev_lock(hdev); 4238 4239 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4240 if (conn) 4241 memcpy(conn->features[1], ev->features, 8); 4242 4243 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4244 if (ie) 4245 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4246 4247 hci_dev_unlock(hdev); 4248 } 4249 4250 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, 4251 struct sk_buff *skb) 4252 { 4253 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data; 4254 struct oob_data *data; 4255 4256 BT_DBG("%s", hdev->name); 4257 4258 hci_dev_lock(hdev); 4259 4260 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4261 goto unlock; 4262 4263 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 4264 if (!data) { 4265 struct hci_cp_remote_oob_data_neg_reply cp; 4266 4267 bacpy(&cp.bdaddr, &ev->bdaddr); 4268 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 4269 sizeof(cp), &cp); 4270 goto unlock; 4271 } 4272 4273 if (bredr_sc_enabled(hdev)) { 4274 struct hci_cp_remote_oob_ext_data_reply cp; 4275 4276 bacpy(&cp.bdaddr, &ev->bdaddr); 4277 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 4278 memset(cp.hash192, 0, sizeof(cp.hash192)); 4279 memset(cp.rand192, 0, sizeof(cp.rand192)); 4280 } else { 4281 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 4282 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 4283 } 4284 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 4285 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 4286 4287 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 4288 sizeof(cp), &cp); 4289 } else { 4290 struct hci_cp_remote_oob_data_reply cp; 4291 4292 bacpy(&cp.bdaddr, &ev->bdaddr); 4293 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 4294 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 4295 4296 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 4297 sizeof(cp), &cp); 4298 } 4299 4300 unlock: 4301 hci_dev_unlock(hdev); 4302 } 4303 4304 #if IS_ENABLED(CONFIG_BT_HS) 4305 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb) 4306 { 4307 struct hci_ev_channel_selected *ev = (void *)skb->data; 4308 struct hci_conn *hcon; 4309 4310 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle); 4311 4312 skb_pull(skb, sizeof(*ev)); 4313 4314 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4315 if (!hcon) 4316 return; 4317 4318 amp_read_loc_assoc_final_data(hdev, hcon); 4319 } 4320 4321 static void hci_phy_link_complete_evt(struct hci_dev *hdev, 4322 struct sk_buff *skb) 4323 { 4324 struct hci_ev_phy_link_complete *ev = (void *) skb->data; 4325 struct hci_conn *hcon, *bredr_hcon; 4326 4327 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle, 4328 ev->status); 4329 4330 hci_dev_lock(hdev); 4331 4332 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4333 if (!hcon) { 4334 hci_dev_unlock(hdev); 4335 return; 4336 } 4337 4338 if (ev->status) { 4339 hci_conn_del(hcon); 4340 hci_dev_unlock(hdev); 4341 return; 4342 } 4343 4344 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 4345 4346 hcon->state = BT_CONNECTED; 4347 bacpy(&hcon->dst, &bredr_hcon->dst); 4348 4349 hci_conn_hold(hcon); 4350 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 4351 hci_conn_drop(hcon); 4352 4353 hci_debugfs_create_conn(hcon); 4354 hci_conn_add_sysfs(hcon); 4355 4356 amp_physical_cfm(bredr_hcon, hcon); 4357 4358 hci_dev_unlock(hdev); 4359 } 4360 4361 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4362 { 4363 struct hci_ev_logical_link_complete *ev = (void *) skb->data; 4364 struct hci_conn *hcon; 4365 struct hci_chan *hchan; 4366 struct amp_mgr *mgr; 4367 4368 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 4369 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle, 4370 ev->status); 4371 4372 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4373 if (!hcon) 4374 return; 4375 4376 /* Create AMP hchan */ 4377 hchan = hci_chan_create(hcon); 4378 if (!hchan) 4379 return; 4380 4381 hchan->handle = le16_to_cpu(ev->handle); 4382 4383 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 4384 4385 mgr = hcon->amp_mgr; 4386 if (mgr && mgr->bredr_chan) { 4387 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 4388 4389 l2cap_chan_lock(bredr_chan); 4390 4391 bredr_chan->conn->mtu = hdev->block_mtu; 4392 l2cap_logical_cfm(bredr_chan, hchan, 0); 4393 hci_conn_hold(hcon); 4394 4395 l2cap_chan_unlock(bredr_chan); 4396 } 4397 } 4398 4399 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, 4400 struct sk_buff *skb) 4401 { 4402 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data; 4403 struct hci_chan *hchan; 4404 4405 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name, 4406 le16_to_cpu(ev->handle), ev->status); 4407 4408 if (ev->status) 4409 return; 4410 4411 hci_dev_lock(hdev); 4412 4413 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 4414 if (!hchan) 4415 goto unlock; 4416 4417 amp_destroy_logical_link(hchan, ev->reason); 4418 4419 unlock: 4420 hci_dev_unlock(hdev); 4421 } 4422 4423 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, 4424 struct sk_buff *skb) 4425 { 4426 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data; 4427 struct hci_conn *hcon; 4428 4429 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4430 4431 if (ev->status) 4432 return; 4433 4434 hci_dev_lock(hdev); 4435 4436 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 4437 if (hcon) { 4438 hcon->state = BT_CLOSED; 4439 hci_conn_del(hcon); 4440 } 4441 4442 hci_dev_unlock(hdev); 4443 } 4444 #endif 4445 4446 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) 4447 { 4448 struct hci_ev_le_conn_complete *ev = (void *) skb->data; 4449 struct hci_conn_params *params; 4450 struct hci_conn *conn; 4451 struct smp_irk *irk; 4452 u8 addr_type; 4453 4454 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4455 4456 hci_dev_lock(hdev); 4457 4458 /* All controllers implicitly stop advertising in the event of a 4459 * connection, so ensure that the state bit is cleared. 4460 */ 4461 hci_dev_clear_flag(hdev, HCI_LE_ADV); 4462 4463 conn = hci_lookup_le_connect(hdev); 4464 if (!conn) { 4465 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role); 4466 if (!conn) { 4467 BT_ERR("No memory for new connection"); 4468 goto unlock; 4469 } 4470 4471 conn->dst_type = ev->bdaddr_type; 4472 4473 /* If we didn't have a hci_conn object previously 4474 * but we're in master role this must be something 4475 * initiated using a white list. Since white list based 4476 * connections are not "first class citizens" we don't 4477 * have full tracking of them. Therefore, we go ahead 4478 * with a "best effort" approach of determining the 4479 * initiator address based on the HCI_PRIVACY flag. 4480 */ 4481 if (conn->out) { 4482 conn->resp_addr_type = ev->bdaddr_type; 4483 bacpy(&conn->resp_addr, &ev->bdaddr); 4484 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 4485 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 4486 bacpy(&conn->init_addr, &hdev->rpa); 4487 } else { 4488 hci_copy_identity_address(hdev, 4489 &conn->init_addr, 4490 &conn->init_addr_type); 4491 } 4492 } 4493 } else { 4494 cancel_delayed_work(&conn->le_conn_timeout); 4495 } 4496 4497 if (!conn->out) { 4498 /* Set the responder (our side) address type based on 4499 * the advertising address type. 4500 */ 4501 conn->resp_addr_type = hdev->adv_addr_type; 4502 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) 4503 bacpy(&conn->resp_addr, &hdev->random_addr); 4504 else 4505 bacpy(&conn->resp_addr, &hdev->bdaddr); 4506 4507 conn->init_addr_type = ev->bdaddr_type; 4508 bacpy(&conn->init_addr, &ev->bdaddr); 4509 4510 /* For incoming connections, set the default minimum 4511 * and maximum connection interval. They will be used 4512 * to check if the parameters are in range and if not 4513 * trigger the connection update procedure. 4514 */ 4515 conn->le_conn_min_interval = hdev->le_conn_min_interval; 4516 conn->le_conn_max_interval = hdev->le_conn_max_interval; 4517 } 4518 4519 /* Lookup the identity address from the stored connection 4520 * address and address type. 4521 * 4522 * When establishing connections to an identity address, the 4523 * connection procedure will store the resolvable random 4524 * address first. Now if it can be converted back into the 4525 * identity address, start using the identity address from 4526 * now on. 4527 */ 4528 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 4529 if (irk) { 4530 bacpy(&conn->dst, &irk->bdaddr); 4531 conn->dst_type = irk->addr_type; 4532 } 4533 4534 if (ev->status) { 4535 hci_le_conn_failed(conn, ev->status); 4536 goto unlock; 4537 } 4538 4539 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 4540 addr_type = BDADDR_LE_PUBLIC; 4541 else 4542 addr_type = BDADDR_LE_RANDOM; 4543 4544 /* Drop the connection if the device is blocked */ 4545 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) { 4546 hci_conn_drop(conn); 4547 goto unlock; 4548 } 4549 4550 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4551 mgmt_device_connected(hdev, conn, 0, NULL, 0); 4552 4553 conn->sec_level = BT_SECURITY_LOW; 4554 conn->handle = __le16_to_cpu(ev->handle); 4555 conn->state = BT_CONFIG; 4556 4557 conn->le_conn_interval = le16_to_cpu(ev->interval); 4558 conn->le_conn_latency = le16_to_cpu(ev->latency); 4559 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 4560 4561 hci_debugfs_create_conn(conn); 4562 hci_conn_add_sysfs(conn); 4563 4564 if (!ev->status) { 4565 /* The remote features procedure is defined for master 4566 * role only. So only in case of an initiated connection 4567 * request the remote features. 4568 * 4569 * If the local controller supports slave-initiated features 4570 * exchange, then requesting the remote features in slave 4571 * role is possible. Otherwise just transition into the 4572 * connected state without requesting the remote features. 4573 */ 4574 if (conn->out || 4575 (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) { 4576 struct hci_cp_le_read_remote_features cp; 4577 4578 cp.handle = __cpu_to_le16(conn->handle); 4579 4580 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 4581 sizeof(cp), &cp); 4582 4583 hci_conn_hold(conn); 4584 } else { 4585 conn->state = BT_CONNECTED; 4586 hci_connect_cfm(conn, ev->status); 4587 } 4588 } else { 4589 hci_connect_cfm(conn, ev->status); 4590 } 4591 4592 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 4593 conn->dst_type); 4594 if (params) { 4595 list_del_init(¶ms->action); 4596 if (params->conn) { 4597 hci_conn_drop(params->conn); 4598 hci_conn_put(params->conn); 4599 params->conn = NULL; 4600 } 4601 } 4602 4603 unlock: 4604 hci_update_background_scan(hdev); 4605 hci_dev_unlock(hdev); 4606 } 4607 4608 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, 4609 struct sk_buff *skb) 4610 { 4611 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data; 4612 struct hci_conn *conn; 4613 4614 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4615 4616 if (ev->status) 4617 return; 4618 4619 hci_dev_lock(hdev); 4620 4621 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4622 if (conn) { 4623 conn->le_conn_interval = le16_to_cpu(ev->interval); 4624 conn->le_conn_latency = le16_to_cpu(ev->latency); 4625 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 4626 } 4627 4628 hci_dev_unlock(hdev); 4629 } 4630 4631 /* This function requires the caller holds hdev->lock */ 4632 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 4633 bdaddr_t *addr, 4634 u8 addr_type, u8 adv_type) 4635 { 4636 struct hci_conn *conn; 4637 struct hci_conn_params *params; 4638 4639 /* If the event is not connectable don't proceed further */ 4640 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 4641 return NULL; 4642 4643 /* Ignore if the device is blocked */ 4644 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type)) 4645 return NULL; 4646 4647 /* Most controller will fail if we try to create new connections 4648 * while we have an existing one in slave role. 4649 */ 4650 if (hdev->conn_hash.le_num_slave > 0) 4651 return NULL; 4652 4653 /* If we're not connectable only connect devices that we have in 4654 * our pend_le_conns list. 4655 */ 4656 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 4657 addr_type); 4658 if (!params) 4659 return NULL; 4660 4661 if (!params->explicit_connect) { 4662 switch (params->auto_connect) { 4663 case HCI_AUTO_CONN_DIRECT: 4664 /* Only devices advertising with ADV_DIRECT_IND are 4665 * triggering a connection attempt. This is allowing 4666 * incoming connections from slave devices. 4667 */ 4668 if (adv_type != LE_ADV_DIRECT_IND) 4669 return NULL; 4670 break; 4671 case HCI_AUTO_CONN_ALWAYS: 4672 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 4673 * are triggering a connection attempt. This means 4674 * that incoming connectioms from slave device are 4675 * accepted and also outgoing connections to slave 4676 * devices are established when found. 4677 */ 4678 break; 4679 default: 4680 return NULL; 4681 } 4682 } 4683 4684 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW, 4685 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER); 4686 if (!IS_ERR(conn)) { 4687 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 4688 * by higher layer that tried to connect, if no then 4689 * store the pointer since we don't really have any 4690 * other owner of the object besides the params that 4691 * triggered it. This way we can abort the connection if 4692 * the parameters get removed and keep the reference 4693 * count consistent once the connection is established. 4694 */ 4695 4696 if (!params->explicit_connect) 4697 params->conn = hci_conn_get(conn); 4698 4699 return conn; 4700 } 4701 4702 switch (PTR_ERR(conn)) { 4703 case -EBUSY: 4704 /* If hci_connect() returns -EBUSY it means there is already 4705 * an LE connection attempt going on. Since controllers don't 4706 * support more than one connection attempt at the time, we 4707 * don't consider this an error case. 4708 */ 4709 break; 4710 default: 4711 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 4712 return NULL; 4713 } 4714 4715 return NULL; 4716 } 4717 4718 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 4719 u8 bdaddr_type, bdaddr_t *direct_addr, 4720 u8 direct_addr_type, s8 rssi, u8 *data, u8 len) 4721 { 4722 struct discovery_state *d = &hdev->discovery; 4723 struct smp_irk *irk; 4724 struct hci_conn *conn; 4725 bool match; 4726 u32 flags; 4727 4728 /* If the direct address is present, then this report is from 4729 * a LE Direct Advertising Report event. In that case it is 4730 * important to see if the address is matching the local 4731 * controller address. 4732 */ 4733 if (direct_addr) { 4734 /* Only resolvable random addresses are valid for these 4735 * kind of reports and others can be ignored. 4736 */ 4737 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 4738 return; 4739 4740 /* If the controller is not using resolvable random 4741 * addresses, then this report can be ignored. 4742 */ 4743 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 4744 return; 4745 4746 /* If the local IRK of the controller does not match 4747 * with the resolvable random address provided, then 4748 * this report can be ignored. 4749 */ 4750 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 4751 return; 4752 } 4753 4754 /* Check if we need to convert to identity address */ 4755 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 4756 if (irk) { 4757 bdaddr = &irk->bdaddr; 4758 bdaddr_type = irk->addr_type; 4759 } 4760 4761 /* Check if we have been requested to connect to this device */ 4762 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type); 4763 if (conn && type == LE_ADV_IND) { 4764 /* Store report for later inclusion by 4765 * mgmt_device_connected 4766 */ 4767 memcpy(conn->le_adv_data, data, len); 4768 conn->le_adv_data_len = len; 4769 } 4770 4771 /* Passive scanning shouldn't trigger any device found events, 4772 * except for devices marked as CONN_REPORT for which we do send 4773 * device found events. 4774 */ 4775 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 4776 if (type == LE_ADV_DIRECT_IND) 4777 return; 4778 4779 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 4780 bdaddr, bdaddr_type)) 4781 return; 4782 4783 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 4784 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 4785 else 4786 flags = 0; 4787 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4788 rssi, flags, data, len, NULL, 0); 4789 return; 4790 } 4791 4792 /* When receiving non-connectable or scannable undirected 4793 * advertising reports, this means that the remote device is 4794 * not connectable and then clearly indicate this in the 4795 * device found event. 4796 * 4797 * When receiving a scan response, then there is no way to 4798 * know if the remote device is connectable or not. However 4799 * since scan responses are merged with a previously seen 4800 * advertising report, the flags field from that report 4801 * will be used. 4802 * 4803 * In the really unlikely case that a controller get confused 4804 * and just sends a scan response event, then it is marked as 4805 * not connectable as well. 4806 */ 4807 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND || 4808 type == LE_ADV_SCAN_RSP) 4809 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 4810 else 4811 flags = 0; 4812 4813 /* If there's nothing pending either store the data from this 4814 * event or send an immediate device found event if the data 4815 * should not be stored for later. 4816 */ 4817 if (!has_pending_adv_report(hdev)) { 4818 /* If the report will trigger a SCAN_REQ store it for 4819 * later merging. 4820 */ 4821 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4822 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4823 rssi, flags, data, len); 4824 return; 4825 } 4826 4827 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4828 rssi, flags, data, len, NULL, 0); 4829 return; 4830 } 4831 4832 /* Check if the pending report is for the same device as the new one */ 4833 match = (!bacmp(bdaddr, &d->last_adv_addr) && 4834 bdaddr_type == d->last_adv_addr_type); 4835 4836 /* If the pending data doesn't match this report or this isn't a 4837 * scan response (e.g. we got a duplicate ADV_IND) then force 4838 * sending of the pending data. 4839 */ 4840 if (type != LE_ADV_SCAN_RSP || !match) { 4841 /* Send out whatever is in the cache, but skip duplicates */ 4842 if (!match) 4843 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4844 d->last_adv_addr_type, NULL, 4845 d->last_adv_rssi, d->last_adv_flags, 4846 d->last_adv_data, 4847 d->last_adv_data_len, NULL, 0); 4848 4849 /* If the new report will trigger a SCAN_REQ store it for 4850 * later merging. 4851 */ 4852 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 4853 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 4854 rssi, flags, data, len); 4855 return; 4856 } 4857 4858 /* The advertising reports cannot be merged, so clear 4859 * the pending report and send out a device found event. 4860 */ 4861 clear_pending_adv_report(hdev); 4862 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 4863 rssi, flags, data, len, NULL, 0); 4864 return; 4865 } 4866 4867 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 4868 * the new event is a SCAN_RSP. We can therefore proceed with 4869 * sending a merged device found event. 4870 */ 4871 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 4872 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 4873 d->last_adv_data, d->last_adv_data_len, data, len); 4874 clear_pending_adv_report(hdev); 4875 } 4876 4877 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 4878 { 4879 u8 num_reports = skb->data[0]; 4880 void *ptr = &skb->data[1]; 4881 4882 hci_dev_lock(hdev); 4883 4884 while (num_reports--) { 4885 struct hci_ev_le_advertising_info *ev = ptr; 4886 s8 rssi; 4887 4888 rssi = ev->data[ev->length]; 4889 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 4890 ev->bdaddr_type, NULL, 0, rssi, 4891 ev->data, ev->length); 4892 4893 ptr += sizeof(*ev) + ev->length + 1; 4894 } 4895 4896 hci_dev_unlock(hdev); 4897 } 4898 4899 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, 4900 struct sk_buff *skb) 4901 { 4902 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data; 4903 struct hci_conn *conn; 4904 4905 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 4906 4907 hci_dev_lock(hdev); 4908 4909 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4910 if (conn) { 4911 if (!ev->status) 4912 memcpy(conn->features[0], ev->features, 8); 4913 4914 if (conn->state == BT_CONFIG) { 4915 __u8 status; 4916 4917 /* If the local controller supports slave-initiated 4918 * features exchange, but the remote controller does 4919 * not, then it is possible that the error code 0x1a 4920 * for unsupported remote feature gets returned. 4921 * 4922 * In this specific case, allow the connection to 4923 * transition into connected state and mark it as 4924 * successful. 4925 */ 4926 if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) && 4927 !conn->out && ev->status == 0x1a) 4928 status = 0x00; 4929 else 4930 status = ev->status; 4931 4932 conn->state = BT_CONNECTED; 4933 hci_connect_cfm(conn, status); 4934 hci_conn_drop(conn); 4935 } 4936 } 4937 4938 hci_dev_unlock(hdev); 4939 } 4940 4941 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 4942 { 4943 struct hci_ev_le_ltk_req *ev = (void *) skb->data; 4944 struct hci_cp_le_ltk_reply cp; 4945 struct hci_cp_le_ltk_neg_reply neg; 4946 struct hci_conn *conn; 4947 struct smp_ltk *ltk; 4948 4949 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle)); 4950 4951 hci_dev_lock(hdev); 4952 4953 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4954 if (conn == NULL) 4955 goto not_found; 4956 4957 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 4958 if (!ltk) 4959 goto not_found; 4960 4961 if (smp_ltk_is_sc(ltk)) { 4962 /* With SC both EDiv and Rand are set to zero */ 4963 if (ev->ediv || ev->rand) 4964 goto not_found; 4965 } else { 4966 /* For non-SC keys check that EDiv and Rand match */ 4967 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 4968 goto not_found; 4969 } 4970 4971 memcpy(cp.ltk, ltk->val, ltk->enc_size); 4972 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 4973 cp.handle = cpu_to_le16(conn->handle); 4974 4975 conn->pending_sec_level = smp_ltk_sec_level(ltk); 4976 4977 conn->enc_key_size = ltk->enc_size; 4978 4979 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 4980 4981 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 4982 * temporary key used to encrypt a connection following 4983 * pairing. It is used during the Encrypted Session Setup to 4984 * distribute the keys. Later, security can be re-established 4985 * using a distributed LTK. 4986 */ 4987 if (ltk->type == SMP_STK) { 4988 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 4989 list_del_rcu(<k->list); 4990 kfree_rcu(ltk, rcu); 4991 } else { 4992 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 4993 } 4994 4995 hci_dev_unlock(hdev); 4996 4997 return; 4998 4999 not_found: 5000 neg.handle = ev->handle; 5001 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 5002 hci_dev_unlock(hdev); 5003 } 5004 5005 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 5006 u8 reason) 5007 { 5008 struct hci_cp_le_conn_param_req_neg_reply cp; 5009 5010 cp.handle = cpu_to_le16(handle); 5011 cp.reason = reason; 5012 5013 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 5014 &cp); 5015 } 5016 5017 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, 5018 struct sk_buff *skb) 5019 { 5020 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data; 5021 struct hci_cp_le_conn_param_req_reply cp; 5022 struct hci_conn *hcon; 5023 u16 handle, min, max, latency, timeout; 5024 5025 handle = le16_to_cpu(ev->handle); 5026 min = le16_to_cpu(ev->interval_min); 5027 max = le16_to_cpu(ev->interval_max); 5028 latency = le16_to_cpu(ev->latency); 5029 timeout = le16_to_cpu(ev->timeout); 5030 5031 hcon = hci_conn_hash_lookup_handle(hdev, handle); 5032 if (!hcon || hcon->state != BT_CONNECTED) 5033 return send_conn_param_neg_reply(hdev, handle, 5034 HCI_ERROR_UNKNOWN_CONN_ID); 5035 5036 if (hci_check_conn_params(min, max, latency, timeout)) 5037 return send_conn_param_neg_reply(hdev, handle, 5038 HCI_ERROR_INVALID_LL_PARAMS); 5039 5040 if (hcon->role == HCI_ROLE_MASTER) { 5041 struct hci_conn_params *params; 5042 u8 store_hint; 5043 5044 hci_dev_lock(hdev); 5045 5046 params = hci_conn_params_lookup(hdev, &hcon->dst, 5047 hcon->dst_type); 5048 if (params) { 5049 params->conn_min_interval = min; 5050 params->conn_max_interval = max; 5051 params->conn_latency = latency; 5052 params->supervision_timeout = timeout; 5053 store_hint = 0x01; 5054 } else{ 5055 store_hint = 0x00; 5056 } 5057 5058 hci_dev_unlock(hdev); 5059 5060 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 5061 store_hint, min, max, latency, timeout); 5062 } 5063 5064 cp.handle = ev->handle; 5065 cp.interval_min = ev->interval_min; 5066 cp.interval_max = ev->interval_max; 5067 cp.latency = ev->latency; 5068 cp.timeout = ev->timeout; 5069 cp.min_ce_len = 0; 5070 cp.max_ce_len = 0; 5071 5072 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 5073 } 5074 5075 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, 5076 struct sk_buff *skb) 5077 { 5078 u8 num_reports = skb->data[0]; 5079 void *ptr = &skb->data[1]; 5080 5081 hci_dev_lock(hdev); 5082 5083 while (num_reports--) { 5084 struct hci_ev_le_direct_adv_info *ev = ptr; 5085 5086 process_adv_report(hdev, ev->evt_type, &ev->bdaddr, 5087 ev->bdaddr_type, &ev->direct_addr, 5088 ev->direct_addr_type, ev->rssi, NULL, 0); 5089 5090 ptr += sizeof(*ev); 5091 } 5092 5093 hci_dev_unlock(hdev); 5094 } 5095 5096 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb) 5097 { 5098 struct hci_ev_le_meta *le_ev = (void *) skb->data; 5099 5100 skb_pull(skb, sizeof(*le_ev)); 5101 5102 switch (le_ev->subevent) { 5103 case HCI_EV_LE_CONN_COMPLETE: 5104 hci_le_conn_complete_evt(hdev, skb); 5105 break; 5106 5107 case HCI_EV_LE_CONN_UPDATE_COMPLETE: 5108 hci_le_conn_update_complete_evt(hdev, skb); 5109 break; 5110 5111 case HCI_EV_LE_ADVERTISING_REPORT: 5112 hci_le_adv_report_evt(hdev, skb); 5113 break; 5114 5115 case HCI_EV_LE_REMOTE_FEAT_COMPLETE: 5116 hci_le_remote_feat_complete_evt(hdev, skb); 5117 break; 5118 5119 case HCI_EV_LE_LTK_REQ: 5120 hci_le_ltk_request_evt(hdev, skb); 5121 break; 5122 5123 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ: 5124 hci_le_remote_conn_param_req_evt(hdev, skb); 5125 break; 5126 5127 case HCI_EV_LE_DIRECT_ADV_REPORT: 5128 hci_le_direct_adv_report_evt(hdev, skb); 5129 break; 5130 5131 default: 5132 break; 5133 } 5134 } 5135 5136 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 5137 u8 event, struct sk_buff *skb) 5138 { 5139 struct hci_ev_cmd_complete *ev; 5140 struct hci_event_hdr *hdr; 5141 5142 if (!skb) 5143 return false; 5144 5145 if (skb->len < sizeof(*hdr)) { 5146 BT_ERR("Too short HCI event"); 5147 return false; 5148 } 5149 5150 hdr = (void *) skb->data; 5151 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5152 5153 if (event) { 5154 if (hdr->evt != event) 5155 return false; 5156 return true; 5157 } 5158 5159 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 5160 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt); 5161 return false; 5162 } 5163 5164 if (skb->len < sizeof(*ev)) { 5165 BT_ERR("Too short cmd_complete event"); 5166 return false; 5167 } 5168 5169 ev = (void *) skb->data; 5170 skb_pull(skb, sizeof(*ev)); 5171 5172 if (opcode != __le16_to_cpu(ev->opcode)) { 5173 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 5174 __le16_to_cpu(ev->opcode)); 5175 return false; 5176 } 5177 5178 return true; 5179 } 5180 5181 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 5182 { 5183 struct hci_event_hdr *hdr = (void *) skb->data; 5184 hci_req_complete_t req_complete = NULL; 5185 hci_req_complete_skb_t req_complete_skb = NULL; 5186 struct sk_buff *orig_skb = NULL; 5187 u8 status = 0, event = hdr->evt, req_evt = 0; 5188 u16 opcode = HCI_OP_NOP; 5189 5190 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) { 5191 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; 5192 opcode = __le16_to_cpu(cmd_hdr->opcode); 5193 hci_req_cmd_complete(hdev, opcode, status, &req_complete, 5194 &req_complete_skb); 5195 req_evt = event; 5196 } 5197 5198 /* If it looks like we might end up having to call 5199 * req_complete_skb, store a pristine copy of the skb since the 5200 * various handlers may modify the original one through 5201 * skb_pull() calls, etc. 5202 */ 5203 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 5204 event == HCI_EV_CMD_COMPLETE) 5205 orig_skb = skb_clone(skb, GFP_KERNEL); 5206 5207 skb_pull(skb, HCI_EVENT_HDR_SIZE); 5208 5209 switch (event) { 5210 case HCI_EV_INQUIRY_COMPLETE: 5211 hci_inquiry_complete_evt(hdev, skb); 5212 break; 5213 5214 case HCI_EV_INQUIRY_RESULT: 5215 hci_inquiry_result_evt(hdev, skb); 5216 break; 5217 5218 case HCI_EV_CONN_COMPLETE: 5219 hci_conn_complete_evt(hdev, skb); 5220 break; 5221 5222 case HCI_EV_CONN_REQUEST: 5223 hci_conn_request_evt(hdev, skb); 5224 break; 5225 5226 case HCI_EV_DISCONN_COMPLETE: 5227 hci_disconn_complete_evt(hdev, skb); 5228 break; 5229 5230 case HCI_EV_AUTH_COMPLETE: 5231 hci_auth_complete_evt(hdev, skb); 5232 break; 5233 5234 case HCI_EV_REMOTE_NAME: 5235 hci_remote_name_evt(hdev, skb); 5236 break; 5237 5238 case HCI_EV_ENCRYPT_CHANGE: 5239 hci_encrypt_change_evt(hdev, skb); 5240 break; 5241 5242 case HCI_EV_CHANGE_LINK_KEY_COMPLETE: 5243 hci_change_link_key_complete_evt(hdev, skb); 5244 break; 5245 5246 case HCI_EV_REMOTE_FEATURES: 5247 hci_remote_features_evt(hdev, skb); 5248 break; 5249 5250 case HCI_EV_CMD_COMPLETE: 5251 hci_cmd_complete_evt(hdev, skb, &opcode, &status, 5252 &req_complete, &req_complete_skb); 5253 break; 5254 5255 case HCI_EV_CMD_STATUS: 5256 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete, 5257 &req_complete_skb); 5258 break; 5259 5260 case HCI_EV_HARDWARE_ERROR: 5261 hci_hardware_error_evt(hdev, skb); 5262 break; 5263 5264 case HCI_EV_ROLE_CHANGE: 5265 hci_role_change_evt(hdev, skb); 5266 break; 5267 5268 case HCI_EV_NUM_COMP_PKTS: 5269 hci_num_comp_pkts_evt(hdev, skb); 5270 break; 5271 5272 case HCI_EV_MODE_CHANGE: 5273 hci_mode_change_evt(hdev, skb); 5274 break; 5275 5276 case HCI_EV_PIN_CODE_REQ: 5277 hci_pin_code_request_evt(hdev, skb); 5278 break; 5279 5280 case HCI_EV_LINK_KEY_REQ: 5281 hci_link_key_request_evt(hdev, skb); 5282 break; 5283 5284 case HCI_EV_LINK_KEY_NOTIFY: 5285 hci_link_key_notify_evt(hdev, skb); 5286 break; 5287 5288 case HCI_EV_CLOCK_OFFSET: 5289 hci_clock_offset_evt(hdev, skb); 5290 break; 5291 5292 case HCI_EV_PKT_TYPE_CHANGE: 5293 hci_pkt_type_change_evt(hdev, skb); 5294 break; 5295 5296 case HCI_EV_PSCAN_REP_MODE: 5297 hci_pscan_rep_mode_evt(hdev, skb); 5298 break; 5299 5300 case HCI_EV_INQUIRY_RESULT_WITH_RSSI: 5301 hci_inquiry_result_with_rssi_evt(hdev, skb); 5302 break; 5303 5304 case HCI_EV_REMOTE_EXT_FEATURES: 5305 hci_remote_ext_features_evt(hdev, skb); 5306 break; 5307 5308 case HCI_EV_SYNC_CONN_COMPLETE: 5309 hci_sync_conn_complete_evt(hdev, skb); 5310 break; 5311 5312 case HCI_EV_EXTENDED_INQUIRY_RESULT: 5313 hci_extended_inquiry_result_evt(hdev, skb); 5314 break; 5315 5316 case HCI_EV_KEY_REFRESH_COMPLETE: 5317 hci_key_refresh_complete_evt(hdev, skb); 5318 break; 5319 5320 case HCI_EV_IO_CAPA_REQUEST: 5321 hci_io_capa_request_evt(hdev, skb); 5322 break; 5323 5324 case HCI_EV_IO_CAPA_REPLY: 5325 hci_io_capa_reply_evt(hdev, skb); 5326 break; 5327 5328 case HCI_EV_USER_CONFIRM_REQUEST: 5329 hci_user_confirm_request_evt(hdev, skb); 5330 break; 5331 5332 case HCI_EV_USER_PASSKEY_REQUEST: 5333 hci_user_passkey_request_evt(hdev, skb); 5334 break; 5335 5336 case HCI_EV_USER_PASSKEY_NOTIFY: 5337 hci_user_passkey_notify_evt(hdev, skb); 5338 break; 5339 5340 case HCI_EV_KEYPRESS_NOTIFY: 5341 hci_keypress_notify_evt(hdev, skb); 5342 break; 5343 5344 case HCI_EV_SIMPLE_PAIR_COMPLETE: 5345 hci_simple_pair_complete_evt(hdev, skb); 5346 break; 5347 5348 case HCI_EV_REMOTE_HOST_FEATURES: 5349 hci_remote_host_features_evt(hdev, skb); 5350 break; 5351 5352 case HCI_EV_LE_META: 5353 hci_le_meta_evt(hdev, skb); 5354 break; 5355 5356 case HCI_EV_REMOTE_OOB_DATA_REQUEST: 5357 hci_remote_oob_data_request_evt(hdev, skb); 5358 break; 5359 5360 #if IS_ENABLED(CONFIG_BT_HS) 5361 case HCI_EV_CHANNEL_SELECTED: 5362 hci_chan_selected_evt(hdev, skb); 5363 break; 5364 5365 case HCI_EV_PHY_LINK_COMPLETE: 5366 hci_phy_link_complete_evt(hdev, skb); 5367 break; 5368 5369 case HCI_EV_LOGICAL_LINK_COMPLETE: 5370 hci_loglink_complete_evt(hdev, skb); 5371 break; 5372 5373 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE: 5374 hci_disconn_loglink_complete_evt(hdev, skb); 5375 break; 5376 5377 case HCI_EV_DISCONN_PHY_LINK_COMPLETE: 5378 hci_disconn_phylink_complete_evt(hdev, skb); 5379 break; 5380 #endif 5381 5382 case HCI_EV_NUM_COMP_BLOCKS: 5383 hci_num_comp_blocks_evt(hdev, skb); 5384 break; 5385 5386 default: 5387 BT_DBG("%s event 0x%2.2x", hdev->name, event); 5388 break; 5389 } 5390 5391 if (req_complete) { 5392 req_complete(hdev, status, opcode); 5393 } else if (req_complete_skb) { 5394 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 5395 kfree_skb(orig_skb); 5396 orig_skb = NULL; 5397 } 5398 req_complete_skb(hdev, status, opcode, orig_skb); 5399 } 5400 5401 kfree_skb(orig_skb); 5402 kfree_skb(skb); 5403 hdev->stat.evt_rx++; 5404 } 5405