1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved. 4 Copyright 2023 NXP 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI event handling. */ 27 28 #include <asm/unaligned.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/mgmt.h> 33 34 #include "hci_request.h" 35 #include "hci_debugfs.h" 36 #include "a2mp.h" 37 #include "amp.h" 38 #include "smp.h" 39 #include "msft.h" 40 #include "eir.h" 41 42 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \ 43 "\x00\x00\x00\x00\x00\x00\x00\x00" 44 45 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000) 46 47 /* Handle HCI Event packets */ 48 49 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 50 u8 ev, size_t len) 51 { 52 void *data; 53 54 data = skb_pull_data(skb, len); 55 if (!data) 56 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev); 57 58 return data; 59 } 60 61 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 62 u16 op, size_t len) 63 { 64 void *data; 65 66 data = skb_pull_data(skb, len); 67 if (!data) 68 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op); 69 70 return data; 71 } 72 73 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb, 74 u8 ev, size_t len) 75 { 76 void *data; 77 78 data = skb_pull_data(skb, len); 79 if (!data) 80 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev); 81 82 return data; 83 } 84 85 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data, 86 struct sk_buff *skb) 87 { 88 struct hci_ev_status *rp = data; 89 90 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 91 92 /* It is possible that we receive Inquiry Complete event right 93 * before we receive Inquiry Cancel Command Complete event, in 94 * which case the latter event should have status of Command 95 * Disallowed (0x0c). This should not be treated as error, since 96 * we actually achieve what Inquiry Cancel wants to achieve, 97 * which is to end the last Inquiry session. 98 */ 99 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { 100 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); 101 rp->status = 0x00; 102 } 103 104 if (rp->status) 105 return rp->status; 106 107 clear_bit(HCI_INQUIRY, &hdev->flags); 108 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 109 wake_up_bit(&hdev->flags, HCI_INQUIRY); 110 111 hci_dev_lock(hdev); 112 /* Set discovery state to stopped if we're not doing LE active 113 * scanning. 114 */ 115 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 116 hdev->le_scan_type != LE_SCAN_ACTIVE) 117 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 118 hci_dev_unlock(hdev); 119 120 hci_conn_check_pending(hdev); 121 122 return rp->status; 123 } 124 125 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data, 126 struct sk_buff *skb) 127 { 128 struct hci_ev_status *rp = data; 129 130 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 131 132 if (rp->status) 133 return rp->status; 134 135 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ); 136 137 return rp->status; 138 } 139 140 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data, 141 struct sk_buff *skb) 142 { 143 struct hci_ev_status *rp = data; 144 145 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 146 147 if (rp->status) 148 return rp->status; 149 150 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ); 151 152 hci_conn_check_pending(hdev); 153 154 return rp->status; 155 } 156 157 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data, 158 struct sk_buff *skb) 159 { 160 struct hci_ev_status *rp = data; 161 162 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 163 164 return rp->status; 165 } 166 167 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data, 168 struct sk_buff *skb) 169 { 170 struct hci_rp_role_discovery *rp = data; 171 struct hci_conn *conn; 172 173 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 174 175 if (rp->status) 176 return rp->status; 177 178 hci_dev_lock(hdev); 179 180 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 181 if (conn) 182 conn->role = rp->role; 183 184 hci_dev_unlock(hdev); 185 186 return rp->status; 187 } 188 189 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data, 190 struct sk_buff *skb) 191 { 192 struct hci_rp_read_link_policy *rp = data; 193 struct hci_conn *conn; 194 195 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 196 197 if (rp->status) 198 return rp->status; 199 200 hci_dev_lock(hdev); 201 202 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 203 if (conn) 204 conn->link_policy = __le16_to_cpu(rp->policy); 205 206 hci_dev_unlock(hdev); 207 208 return rp->status; 209 } 210 211 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data, 212 struct sk_buff *skb) 213 { 214 struct hci_rp_write_link_policy *rp = data; 215 struct hci_conn *conn; 216 void *sent; 217 218 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 219 220 if (rp->status) 221 return rp->status; 222 223 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY); 224 if (!sent) 225 return rp->status; 226 227 hci_dev_lock(hdev); 228 229 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 230 if (conn) 231 conn->link_policy = get_unaligned_le16(sent + 2); 232 233 hci_dev_unlock(hdev); 234 235 return rp->status; 236 } 237 238 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data, 239 struct sk_buff *skb) 240 { 241 struct hci_rp_read_def_link_policy *rp = data; 242 243 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 244 245 if (rp->status) 246 return rp->status; 247 248 hdev->link_policy = __le16_to_cpu(rp->policy); 249 250 return rp->status; 251 } 252 253 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data, 254 struct sk_buff *skb) 255 { 256 struct hci_ev_status *rp = data; 257 void *sent; 258 259 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 260 261 if (rp->status) 262 return rp->status; 263 264 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY); 265 if (!sent) 266 return rp->status; 267 268 hdev->link_policy = get_unaligned_le16(sent); 269 270 return rp->status; 271 } 272 273 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb) 274 { 275 struct hci_ev_status *rp = data; 276 277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 278 279 clear_bit(HCI_RESET, &hdev->flags); 280 281 if (rp->status) 282 return rp->status; 283 284 /* Reset all non-persistent flags */ 285 hci_dev_clear_volatile_flags(hdev); 286 287 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 288 289 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 290 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 291 292 memset(hdev->adv_data, 0, sizeof(hdev->adv_data)); 293 hdev->adv_data_len = 0; 294 295 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data)); 296 hdev->scan_rsp_data_len = 0; 297 298 hdev->le_scan_type = LE_SCAN_PASSIVE; 299 300 hdev->ssp_debug_mode = 0; 301 302 hci_bdaddr_list_clear(&hdev->le_accept_list); 303 hci_bdaddr_list_clear(&hdev->le_resolv_list); 304 305 return rp->status; 306 } 307 308 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data, 309 struct sk_buff *skb) 310 { 311 struct hci_rp_read_stored_link_key *rp = data; 312 struct hci_cp_read_stored_link_key *sent; 313 314 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 315 316 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY); 317 if (!sent) 318 return rp->status; 319 320 if (!rp->status && sent->read_all == 0x01) { 321 hdev->stored_max_keys = le16_to_cpu(rp->max_keys); 322 hdev->stored_num_keys = le16_to_cpu(rp->num_keys); 323 } 324 325 return rp->status; 326 } 327 328 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data, 329 struct sk_buff *skb) 330 { 331 struct hci_rp_delete_stored_link_key *rp = data; 332 u16 num_keys; 333 334 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 335 336 if (rp->status) 337 return rp->status; 338 339 num_keys = le16_to_cpu(rp->num_keys); 340 341 if (num_keys <= hdev->stored_num_keys) 342 hdev->stored_num_keys -= num_keys; 343 else 344 hdev->stored_num_keys = 0; 345 346 return rp->status; 347 } 348 349 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data, 350 struct sk_buff *skb) 351 { 352 struct hci_ev_status *rp = data; 353 void *sent; 354 355 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 356 357 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME); 358 if (!sent) 359 return rp->status; 360 361 hci_dev_lock(hdev); 362 363 if (hci_dev_test_flag(hdev, HCI_MGMT)) 364 mgmt_set_local_name_complete(hdev, sent, rp->status); 365 else if (!rp->status) 366 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH); 367 368 hci_dev_unlock(hdev); 369 370 return rp->status; 371 } 372 373 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data, 374 struct sk_buff *skb) 375 { 376 struct hci_rp_read_local_name *rp = data; 377 378 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 379 380 if (rp->status) 381 return rp->status; 382 383 if (hci_dev_test_flag(hdev, HCI_SETUP) || 384 hci_dev_test_flag(hdev, HCI_CONFIG)) 385 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH); 386 387 return rp->status; 388 } 389 390 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data, 391 struct sk_buff *skb) 392 { 393 struct hci_ev_status *rp = data; 394 void *sent; 395 396 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 397 398 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE); 399 if (!sent) 400 return rp->status; 401 402 hci_dev_lock(hdev); 403 404 if (!rp->status) { 405 __u8 param = *((__u8 *) sent); 406 407 if (param == AUTH_ENABLED) 408 set_bit(HCI_AUTH, &hdev->flags); 409 else 410 clear_bit(HCI_AUTH, &hdev->flags); 411 } 412 413 if (hci_dev_test_flag(hdev, HCI_MGMT)) 414 mgmt_auth_enable_complete(hdev, rp->status); 415 416 hci_dev_unlock(hdev); 417 418 return rp->status; 419 } 420 421 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data, 422 struct sk_buff *skb) 423 { 424 struct hci_ev_status *rp = data; 425 __u8 param; 426 void *sent; 427 428 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 429 430 if (rp->status) 431 return rp->status; 432 433 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE); 434 if (!sent) 435 return rp->status; 436 437 param = *((__u8 *) sent); 438 439 if (param) 440 set_bit(HCI_ENCRYPT, &hdev->flags); 441 else 442 clear_bit(HCI_ENCRYPT, &hdev->flags); 443 444 return rp->status; 445 } 446 447 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data, 448 struct sk_buff *skb) 449 { 450 struct hci_ev_status *rp = data; 451 __u8 param; 452 void *sent; 453 454 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 455 456 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE); 457 if (!sent) 458 return rp->status; 459 460 param = *((__u8 *) sent); 461 462 hci_dev_lock(hdev); 463 464 if (rp->status) { 465 hdev->discov_timeout = 0; 466 goto done; 467 } 468 469 if (param & SCAN_INQUIRY) 470 set_bit(HCI_ISCAN, &hdev->flags); 471 else 472 clear_bit(HCI_ISCAN, &hdev->flags); 473 474 if (param & SCAN_PAGE) 475 set_bit(HCI_PSCAN, &hdev->flags); 476 else 477 clear_bit(HCI_PSCAN, &hdev->flags); 478 479 done: 480 hci_dev_unlock(hdev); 481 482 return rp->status; 483 } 484 485 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data, 486 struct sk_buff *skb) 487 { 488 struct hci_ev_status *rp = data; 489 struct hci_cp_set_event_filter *cp; 490 void *sent; 491 492 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 493 494 if (rp->status) 495 return rp->status; 496 497 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT); 498 if (!sent) 499 return rp->status; 500 501 cp = (struct hci_cp_set_event_filter *)sent; 502 503 if (cp->flt_type == HCI_FLT_CLEAR_ALL) 504 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 505 else 506 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED); 507 508 return rp->status; 509 } 510 511 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data, 512 struct sk_buff *skb) 513 { 514 struct hci_rp_read_class_of_dev *rp = data; 515 516 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 517 518 if (rp->status) 519 return rp->status; 520 521 memcpy(hdev->dev_class, rp->dev_class, 3); 522 523 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2], 524 hdev->dev_class[1], hdev->dev_class[0]); 525 526 return rp->status; 527 } 528 529 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data, 530 struct sk_buff *skb) 531 { 532 struct hci_ev_status *rp = data; 533 void *sent; 534 535 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 536 537 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV); 538 if (!sent) 539 return rp->status; 540 541 hci_dev_lock(hdev); 542 543 if (!rp->status) 544 memcpy(hdev->dev_class, sent, 3); 545 546 if (hci_dev_test_flag(hdev, HCI_MGMT)) 547 mgmt_set_class_of_dev_complete(hdev, sent, rp->status); 548 549 hci_dev_unlock(hdev); 550 551 return rp->status; 552 } 553 554 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data, 555 struct sk_buff *skb) 556 { 557 struct hci_rp_read_voice_setting *rp = data; 558 __u16 setting; 559 560 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 561 562 if (rp->status) 563 return rp->status; 564 565 setting = __le16_to_cpu(rp->voice_setting); 566 567 if (hdev->voice_setting == setting) 568 return rp->status; 569 570 hdev->voice_setting = setting; 571 572 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 573 574 if (hdev->notify) 575 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 576 577 return rp->status; 578 } 579 580 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data, 581 struct sk_buff *skb) 582 { 583 struct hci_ev_status *rp = data; 584 __u16 setting; 585 void *sent; 586 587 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 588 589 if (rp->status) 590 return rp->status; 591 592 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING); 593 if (!sent) 594 return rp->status; 595 596 setting = get_unaligned_le16(sent); 597 598 if (hdev->voice_setting == setting) 599 return rp->status; 600 601 hdev->voice_setting = setting; 602 603 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting); 604 605 if (hdev->notify) 606 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 607 608 return rp->status; 609 } 610 611 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data, 612 struct sk_buff *skb) 613 { 614 struct hci_rp_read_num_supported_iac *rp = data; 615 616 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 617 618 if (rp->status) 619 return rp->status; 620 621 hdev->num_iac = rp->num_iac; 622 623 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac); 624 625 return rp->status; 626 } 627 628 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data, 629 struct sk_buff *skb) 630 { 631 struct hci_ev_status *rp = data; 632 struct hci_cp_write_ssp_mode *sent; 633 634 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 635 636 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE); 637 if (!sent) 638 return rp->status; 639 640 hci_dev_lock(hdev); 641 642 if (!rp->status) { 643 if (sent->mode) 644 hdev->features[1][0] |= LMP_HOST_SSP; 645 else 646 hdev->features[1][0] &= ~LMP_HOST_SSP; 647 } 648 649 if (!rp->status) { 650 if (sent->mode) 651 hci_dev_set_flag(hdev, HCI_SSP_ENABLED); 652 else 653 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); 654 } 655 656 hci_dev_unlock(hdev); 657 658 return rp->status; 659 } 660 661 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data, 662 struct sk_buff *skb) 663 { 664 struct hci_ev_status *rp = data; 665 struct hci_cp_write_sc_support *sent; 666 667 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 668 669 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT); 670 if (!sent) 671 return rp->status; 672 673 hci_dev_lock(hdev); 674 675 if (!rp->status) { 676 if (sent->support) 677 hdev->features[1][0] |= LMP_HOST_SC; 678 else 679 hdev->features[1][0] &= ~LMP_HOST_SC; 680 } 681 682 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) { 683 if (sent->support) 684 hci_dev_set_flag(hdev, HCI_SC_ENABLED); 685 else 686 hci_dev_clear_flag(hdev, HCI_SC_ENABLED); 687 } 688 689 hci_dev_unlock(hdev); 690 691 return rp->status; 692 } 693 694 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data, 695 struct sk_buff *skb) 696 { 697 struct hci_rp_read_local_version *rp = data; 698 699 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 700 701 if (rp->status) 702 return rp->status; 703 704 if (hci_dev_test_flag(hdev, HCI_SETUP) || 705 hci_dev_test_flag(hdev, HCI_CONFIG)) { 706 hdev->hci_ver = rp->hci_ver; 707 hdev->hci_rev = __le16_to_cpu(rp->hci_rev); 708 hdev->lmp_ver = rp->lmp_ver; 709 hdev->manufacturer = __le16_to_cpu(rp->manufacturer); 710 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver); 711 } 712 713 return rp->status; 714 } 715 716 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data, 717 struct sk_buff *skb) 718 { 719 struct hci_rp_read_enc_key_size *rp = data; 720 struct hci_conn *conn; 721 u16 handle; 722 u8 status = rp->status; 723 724 bt_dev_dbg(hdev, "status 0x%2.2x", status); 725 726 handle = le16_to_cpu(rp->handle); 727 728 hci_dev_lock(hdev); 729 730 conn = hci_conn_hash_lookup_handle(hdev, handle); 731 if (!conn) { 732 status = 0xFF; 733 goto done; 734 } 735 736 /* While unexpected, the read_enc_key_size command may fail. The most 737 * secure approach is to then assume the key size is 0 to force a 738 * disconnection. 739 */ 740 if (status) { 741 bt_dev_err(hdev, "failed to read key size for handle %u", 742 handle); 743 conn->enc_key_size = 0; 744 } else { 745 conn->enc_key_size = rp->key_size; 746 status = 0; 747 } 748 749 hci_encrypt_cfm(conn, 0); 750 751 done: 752 hci_dev_unlock(hdev); 753 754 return status; 755 } 756 757 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data, 758 struct sk_buff *skb) 759 { 760 struct hci_rp_read_local_commands *rp = data; 761 762 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 763 764 if (rp->status) 765 return rp->status; 766 767 if (hci_dev_test_flag(hdev, HCI_SETUP) || 768 hci_dev_test_flag(hdev, HCI_CONFIG)) 769 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands)); 770 771 return rp->status; 772 } 773 774 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data, 775 struct sk_buff *skb) 776 { 777 struct hci_rp_read_auth_payload_to *rp = data; 778 struct hci_conn *conn; 779 780 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 781 782 if (rp->status) 783 return rp->status; 784 785 hci_dev_lock(hdev); 786 787 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 788 if (conn) 789 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout); 790 791 hci_dev_unlock(hdev); 792 793 return rp->status; 794 } 795 796 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data, 797 struct sk_buff *skb) 798 { 799 struct hci_rp_write_auth_payload_to *rp = data; 800 struct hci_conn *conn; 801 void *sent; 802 803 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 804 805 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO); 806 if (!sent) 807 return rp->status; 808 809 hci_dev_lock(hdev); 810 811 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 812 if (!conn) { 813 rp->status = 0xff; 814 goto unlock; 815 } 816 817 if (!rp->status) 818 conn->auth_payload_timeout = get_unaligned_le16(sent + 2); 819 820 hci_encrypt_cfm(conn, 0); 821 822 unlock: 823 hci_dev_unlock(hdev); 824 825 return rp->status; 826 } 827 828 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data, 829 struct sk_buff *skb) 830 { 831 struct hci_rp_read_local_features *rp = data; 832 833 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 834 835 if (rp->status) 836 return rp->status; 837 838 memcpy(hdev->features, rp->features, 8); 839 840 /* Adjust default settings according to features 841 * supported by device. */ 842 843 if (hdev->features[0][0] & LMP_3SLOT) 844 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 845 846 if (hdev->features[0][0] & LMP_5SLOT) 847 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 848 849 if (hdev->features[0][1] & LMP_HV2) { 850 hdev->pkt_type |= (HCI_HV2); 851 hdev->esco_type |= (ESCO_HV2); 852 } 853 854 if (hdev->features[0][1] & LMP_HV3) { 855 hdev->pkt_type |= (HCI_HV3); 856 hdev->esco_type |= (ESCO_HV3); 857 } 858 859 if (lmp_esco_capable(hdev)) 860 hdev->esco_type |= (ESCO_EV3); 861 862 if (hdev->features[0][4] & LMP_EV4) 863 hdev->esco_type |= (ESCO_EV4); 864 865 if (hdev->features[0][4] & LMP_EV5) 866 hdev->esco_type |= (ESCO_EV5); 867 868 if (hdev->features[0][5] & LMP_EDR_ESCO_2M) 869 hdev->esco_type |= (ESCO_2EV3); 870 871 if (hdev->features[0][5] & LMP_EDR_ESCO_3M) 872 hdev->esco_type |= (ESCO_3EV3); 873 874 if (hdev->features[0][5] & LMP_EDR_3S_ESCO) 875 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 876 877 return rp->status; 878 } 879 880 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data, 881 struct sk_buff *skb) 882 { 883 struct hci_rp_read_local_ext_features *rp = data; 884 885 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 886 887 if (rp->status) 888 return rp->status; 889 890 if (hdev->max_page < rp->max_page) { 891 if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2, 892 &hdev->quirks)) 893 bt_dev_warn(hdev, "broken local ext features page 2"); 894 else 895 hdev->max_page = rp->max_page; 896 } 897 898 if (rp->page < HCI_MAX_PAGES) 899 memcpy(hdev->features[rp->page], rp->features, 8); 900 901 return rp->status; 902 } 903 904 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data, 905 struct sk_buff *skb) 906 { 907 struct hci_rp_read_flow_control_mode *rp = data; 908 909 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 910 911 if (rp->status) 912 return rp->status; 913 914 hdev->flow_ctl_mode = rp->mode; 915 916 return rp->status; 917 } 918 919 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, 920 struct sk_buff *skb) 921 { 922 struct hci_rp_read_buffer_size *rp = data; 923 924 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 925 926 if (rp->status) 927 return rp->status; 928 929 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu); 930 hdev->sco_mtu = rp->sco_mtu; 931 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt); 932 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt); 933 934 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) { 935 hdev->sco_mtu = 64; 936 hdev->sco_pkts = 8; 937 } 938 939 hdev->acl_cnt = hdev->acl_pkts; 940 hdev->sco_cnt = hdev->sco_pkts; 941 942 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu, 943 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts); 944 945 return rp->status; 946 } 947 948 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data, 949 struct sk_buff *skb) 950 { 951 struct hci_rp_read_bd_addr *rp = data; 952 953 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 954 955 if (rp->status) 956 return rp->status; 957 958 if (test_bit(HCI_INIT, &hdev->flags)) 959 bacpy(&hdev->bdaddr, &rp->bdaddr); 960 961 if (hci_dev_test_flag(hdev, HCI_SETUP)) 962 bacpy(&hdev->setup_addr, &rp->bdaddr); 963 964 return rp->status; 965 } 966 967 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data, 968 struct sk_buff *skb) 969 { 970 struct hci_rp_read_local_pairing_opts *rp = data; 971 972 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 973 974 if (rp->status) 975 return rp->status; 976 977 if (hci_dev_test_flag(hdev, HCI_SETUP) || 978 hci_dev_test_flag(hdev, HCI_CONFIG)) { 979 hdev->pairing_opts = rp->pairing_opts; 980 hdev->max_enc_key_size = rp->max_key_size; 981 } 982 983 return rp->status; 984 } 985 986 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data, 987 struct sk_buff *skb) 988 { 989 struct hci_rp_read_page_scan_activity *rp = data; 990 991 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 992 993 if (rp->status) 994 return rp->status; 995 996 if (test_bit(HCI_INIT, &hdev->flags)) { 997 hdev->page_scan_interval = __le16_to_cpu(rp->interval); 998 hdev->page_scan_window = __le16_to_cpu(rp->window); 999 } 1000 1001 return rp->status; 1002 } 1003 1004 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data, 1005 struct sk_buff *skb) 1006 { 1007 struct hci_ev_status *rp = data; 1008 struct hci_cp_write_page_scan_activity *sent; 1009 1010 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1011 1012 if (rp->status) 1013 return rp->status; 1014 1015 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY); 1016 if (!sent) 1017 return rp->status; 1018 1019 hdev->page_scan_interval = __le16_to_cpu(sent->interval); 1020 hdev->page_scan_window = __le16_to_cpu(sent->window); 1021 1022 return rp->status; 1023 } 1024 1025 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data, 1026 struct sk_buff *skb) 1027 { 1028 struct hci_rp_read_page_scan_type *rp = data; 1029 1030 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1031 1032 if (rp->status) 1033 return rp->status; 1034 1035 if (test_bit(HCI_INIT, &hdev->flags)) 1036 hdev->page_scan_type = rp->type; 1037 1038 return rp->status; 1039 } 1040 1041 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data, 1042 struct sk_buff *skb) 1043 { 1044 struct hci_ev_status *rp = data; 1045 u8 *type; 1046 1047 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1048 1049 if (rp->status) 1050 return rp->status; 1051 1052 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE); 1053 if (type) 1054 hdev->page_scan_type = *type; 1055 1056 return rp->status; 1057 } 1058 1059 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data, 1060 struct sk_buff *skb) 1061 { 1062 struct hci_rp_read_data_block_size *rp = data; 1063 1064 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1065 1066 if (rp->status) 1067 return rp->status; 1068 1069 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len); 1070 hdev->block_len = __le16_to_cpu(rp->block_len); 1071 hdev->num_blocks = __le16_to_cpu(rp->num_blocks); 1072 1073 hdev->block_cnt = hdev->num_blocks; 1074 1075 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu, 1076 hdev->block_cnt, hdev->block_len); 1077 1078 return rp->status; 1079 } 1080 1081 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data, 1082 struct sk_buff *skb) 1083 { 1084 struct hci_rp_read_clock *rp = data; 1085 struct hci_cp_read_clock *cp; 1086 struct hci_conn *conn; 1087 1088 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1089 1090 if (rp->status) 1091 return rp->status; 1092 1093 hci_dev_lock(hdev); 1094 1095 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK); 1096 if (!cp) 1097 goto unlock; 1098 1099 if (cp->which == 0x00) { 1100 hdev->clock = le32_to_cpu(rp->clock); 1101 goto unlock; 1102 } 1103 1104 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 1105 if (conn) { 1106 conn->clock = le32_to_cpu(rp->clock); 1107 conn->clock_accuracy = le16_to_cpu(rp->accuracy); 1108 } 1109 1110 unlock: 1111 hci_dev_unlock(hdev); 1112 return rp->status; 1113 } 1114 1115 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data, 1116 struct sk_buff *skb) 1117 { 1118 struct hci_rp_read_local_amp_info *rp = data; 1119 1120 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1121 1122 if (rp->status) 1123 return rp->status; 1124 1125 hdev->amp_status = rp->amp_status; 1126 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw); 1127 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw); 1128 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency); 1129 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu); 1130 hdev->amp_type = rp->amp_type; 1131 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap); 1132 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size); 1133 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to); 1134 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to); 1135 1136 return rp->status; 1137 } 1138 1139 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data, 1140 struct sk_buff *skb) 1141 { 1142 struct hci_rp_read_inq_rsp_tx_power *rp = data; 1143 1144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1145 1146 if (rp->status) 1147 return rp->status; 1148 1149 hdev->inq_tx_power = rp->tx_power; 1150 1151 return rp->status; 1152 } 1153 1154 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data, 1155 struct sk_buff *skb) 1156 { 1157 struct hci_rp_read_def_err_data_reporting *rp = data; 1158 1159 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1160 1161 if (rp->status) 1162 return rp->status; 1163 1164 hdev->err_data_reporting = rp->err_data_reporting; 1165 1166 return rp->status; 1167 } 1168 1169 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data, 1170 struct sk_buff *skb) 1171 { 1172 struct hci_ev_status *rp = data; 1173 struct hci_cp_write_def_err_data_reporting *cp; 1174 1175 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1176 1177 if (rp->status) 1178 return rp->status; 1179 1180 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING); 1181 if (!cp) 1182 return rp->status; 1183 1184 hdev->err_data_reporting = cp->err_data_reporting; 1185 1186 return rp->status; 1187 } 1188 1189 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data, 1190 struct sk_buff *skb) 1191 { 1192 struct hci_rp_pin_code_reply *rp = data; 1193 struct hci_cp_pin_code_reply *cp; 1194 struct hci_conn *conn; 1195 1196 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1197 1198 hci_dev_lock(hdev); 1199 1200 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1201 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status); 1202 1203 if (rp->status) 1204 goto unlock; 1205 1206 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY); 1207 if (!cp) 1208 goto unlock; 1209 1210 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 1211 if (conn) 1212 conn->pin_length = cp->pin_len; 1213 1214 unlock: 1215 hci_dev_unlock(hdev); 1216 return rp->status; 1217 } 1218 1219 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data, 1220 struct sk_buff *skb) 1221 { 1222 struct hci_rp_pin_code_neg_reply *rp = data; 1223 1224 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1225 1226 hci_dev_lock(hdev); 1227 1228 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1229 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr, 1230 rp->status); 1231 1232 hci_dev_unlock(hdev); 1233 1234 return rp->status; 1235 } 1236 1237 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data, 1238 struct sk_buff *skb) 1239 { 1240 struct hci_rp_le_read_buffer_size *rp = data; 1241 1242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1243 1244 if (rp->status) 1245 return rp->status; 1246 1247 hdev->le_mtu = __le16_to_cpu(rp->le_mtu); 1248 hdev->le_pkts = rp->le_max_pkt; 1249 1250 hdev->le_cnt = hdev->le_pkts; 1251 1252 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts); 1253 1254 return rp->status; 1255 } 1256 1257 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data, 1258 struct sk_buff *skb) 1259 { 1260 struct hci_rp_le_read_local_features *rp = data; 1261 1262 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status); 1263 1264 if (rp->status) 1265 return rp->status; 1266 1267 memcpy(hdev->le_features, rp->features, 8); 1268 1269 return rp->status; 1270 } 1271 1272 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data, 1273 struct sk_buff *skb) 1274 { 1275 struct hci_rp_le_read_adv_tx_power *rp = data; 1276 1277 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1278 1279 if (rp->status) 1280 return rp->status; 1281 1282 hdev->adv_tx_power = rp->tx_power; 1283 1284 return rp->status; 1285 } 1286 1287 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data, 1288 struct sk_buff *skb) 1289 { 1290 struct hci_rp_user_confirm_reply *rp = data; 1291 1292 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1293 1294 hci_dev_lock(hdev); 1295 1296 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1297 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0, 1298 rp->status); 1299 1300 hci_dev_unlock(hdev); 1301 1302 return rp->status; 1303 } 1304 1305 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data, 1306 struct sk_buff *skb) 1307 { 1308 struct hci_rp_user_confirm_reply *rp = data; 1309 1310 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1311 1312 hci_dev_lock(hdev); 1313 1314 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1315 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr, 1316 ACL_LINK, 0, rp->status); 1317 1318 hci_dev_unlock(hdev); 1319 1320 return rp->status; 1321 } 1322 1323 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data, 1324 struct sk_buff *skb) 1325 { 1326 struct hci_rp_user_confirm_reply *rp = data; 1327 1328 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1329 1330 hci_dev_lock(hdev); 1331 1332 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1333 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 1334 0, rp->status); 1335 1336 hci_dev_unlock(hdev); 1337 1338 return rp->status; 1339 } 1340 1341 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data, 1342 struct sk_buff *skb) 1343 { 1344 struct hci_rp_user_confirm_reply *rp = data; 1345 1346 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1347 1348 hci_dev_lock(hdev); 1349 1350 if (hci_dev_test_flag(hdev, HCI_MGMT)) 1351 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr, 1352 ACL_LINK, 0, rp->status); 1353 1354 hci_dev_unlock(hdev); 1355 1356 return rp->status; 1357 } 1358 1359 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data, 1360 struct sk_buff *skb) 1361 { 1362 struct hci_rp_read_local_oob_data *rp = data; 1363 1364 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1365 1366 return rp->status; 1367 } 1368 1369 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data, 1370 struct sk_buff *skb) 1371 { 1372 struct hci_rp_read_local_oob_ext_data *rp = data; 1373 1374 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1375 1376 return rp->status; 1377 } 1378 1379 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data, 1380 struct sk_buff *skb) 1381 { 1382 struct hci_ev_status *rp = data; 1383 bdaddr_t *sent; 1384 1385 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1386 1387 if (rp->status) 1388 return rp->status; 1389 1390 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR); 1391 if (!sent) 1392 return rp->status; 1393 1394 hci_dev_lock(hdev); 1395 1396 bacpy(&hdev->random_addr, sent); 1397 1398 if (!bacmp(&hdev->rpa, sent)) { 1399 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED); 1400 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, 1401 secs_to_jiffies(hdev->rpa_timeout)); 1402 } 1403 1404 hci_dev_unlock(hdev); 1405 1406 return rp->status; 1407 } 1408 1409 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data, 1410 struct sk_buff *skb) 1411 { 1412 struct hci_ev_status *rp = data; 1413 struct hci_cp_le_set_default_phy *cp; 1414 1415 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1416 1417 if (rp->status) 1418 return rp->status; 1419 1420 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY); 1421 if (!cp) 1422 return rp->status; 1423 1424 hci_dev_lock(hdev); 1425 1426 hdev->le_tx_def_phys = cp->tx_phys; 1427 hdev->le_rx_def_phys = cp->rx_phys; 1428 1429 hci_dev_unlock(hdev); 1430 1431 return rp->status; 1432 } 1433 1434 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data, 1435 struct sk_buff *skb) 1436 { 1437 struct hci_ev_status *rp = data; 1438 struct hci_cp_le_set_adv_set_rand_addr *cp; 1439 struct adv_info *adv; 1440 1441 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1442 1443 if (rp->status) 1444 return rp->status; 1445 1446 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR); 1447 /* Update only in case the adv instance since handle 0x00 shall be using 1448 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and 1449 * non-extended adverting. 1450 */ 1451 if (!cp || !cp->handle) 1452 return rp->status; 1453 1454 hci_dev_lock(hdev); 1455 1456 adv = hci_find_adv_instance(hdev, cp->handle); 1457 if (adv) { 1458 bacpy(&adv->random_addr, &cp->bdaddr); 1459 if (!bacmp(&hdev->rpa, &cp->bdaddr)) { 1460 adv->rpa_expired = false; 1461 queue_delayed_work(hdev->workqueue, 1462 &adv->rpa_expired_cb, 1463 secs_to_jiffies(hdev->rpa_timeout)); 1464 } 1465 } 1466 1467 hci_dev_unlock(hdev); 1468 1469 return rp->status; 1470 } 1471 1472 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data, 1473 struct sk_buff *skb) 1474 { 1475 struct hci_ev_status *rp = data; 1476 u8 *instance; 1477 int err; 1478 1479 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1480 1481 if (rp->status) 1482 return rp->status; 1483 1484 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET); 1485 if (!instance) 1486 return rp->status; 1487 1488 hci_dev_lock(hdev); 1489 1490 err = hci_remove_adv_instance(hdev, *instance); 1491 if (!err) 1492 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev, 1493 *instance); 1494 1495 hci_dev_unlock(hdev); 1496 1497 return rp->status; 1498 } 1499 1500 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data, 1501 struct sk_buff *skb) 1502 { 1503 struct hci_ev_status *rp = data; 1504 struct adv_info *adv, *n; 1505 int err; 1506 1507 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1508 1509 if (rp->status) 1510 return rp->status; 1511 1512 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS)) 1513 return rp->status; 1514 1515 hci_dev_lock(hdev); 1516 1517 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 1518 u8 instance = adv->instance; 1519 1520 err = hci_remove_adv_instance(hdev, instance); 1521 if (!err) 1522 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), 1523 hdev, instance); 1524 } 1525 1526 hci_dev_unlock(hdev); 1527 1528 return rp->status; 1529 } 1530 1531 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data, 1532 struct sk_buff *skb) 1533 { 1534 struct hci_rp_le_read_transmit_power *rp = data; 1535 1536 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1537 1538 if (rp->status) 1539 return rp->status; 1540 1541 hdev->min_le_tx_power = rp->min_le_tx_power; 1542 hdev->max_le_tx_power = rp->max_le_tx_power; 1543 1544 return rp->status; 1545 } 1546 1547 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, 1548 struct sk_buff *skb) 1549 { 1550 struct hci_ev_status *rp = data; 1551 struct hci_cp_le_set_privacy_mode *cp; 1552 struct hci_conn_params *params; 1553 1554 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1555 1556 if (rp->status) 1557 return rp->status; 1558 1559 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE); 1560 if (!cp) 1561 return rp->status; 1562 1563 hci_dev_lock(hdev); 1564 1565 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); 1566 if (params) 1567 WRITE_ONCE(params->privacy_mode, cp->mode); 1568 1569 hci_dev_unlock(hdev); 1570 1571 return rp->status; 1572 } 1573 1574 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data, 1575 struct sk_buff *skb) 1576 { 1577 struct hci_ev_status *rp = data; 1578 __u8 *sent; 1579 1580 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1581 1582 if (rp->status) 1583 return rp->status; 1584 1585 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE); 1586 if (!sent) 1587 return rp->status; 1588 1589 hci_dev_lock(hdev); 1590 1591 /* If we're doing connection initiation as peripheral. Set a 1592 * timeout in case something goes wrong. 1593 */ 1594 if (*sent) { 1595 struct hci_conn *conn; 1596 1597 hci_dev_set_flag(hdev, HCI_LE_ADV); 1598 1599 conn = hci_lookup_le_connect(hdev); 1600 if (conn) 1601 queue_delayed_work(hdev->workqueue, 1602 &conn->le_conn_timeout, 1603 conn->conn_timeout); 1604 } else { 1605 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1606 } 1607 1608 hci_dev_unlock(hdev); 1609 1610 return rp->status; 1611 } 1612 1613 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, 1614 struct sk_buff *skb) 1615 { 1616 struct hci_cp_le_set_ext_adv_enable *cp; 1617 struct hci_cp_ext_adv_set *set; 1618 struct adv_info *adv = NULL, *n; 1619 struct hci_ev_status *rp = data; 1620 1621 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1622 1623 if (rp->status) 1624 return rp->status; 1625 1626 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE); 1627 if (!cp) 1628 return rp->status; 1629 1630 set = (void *)cp->data; 1631 1632 hci_dev_lock(hdev); 1633 1634 if (cp->num_of_sets) 1635 adv = hci_find_adv_instance(hdev, set->handle); 1636 1637 if (cp->enable) { 1638 struct hci_conn *conn; 1639 1640 hci_dev_set_flag(hdev, HCI_LE_ADV); 1641 1642 if (adv && !adv->periodic) 1643 adv->enabled = true; 1644 1645 conn = hci_lookup_le_connect(hdev); 1646 if (conn) 1647 queue_delayed_work(hdev->workqueue, 1648 &conn->le_conn_timeout, 1649 conn->conn_timeout); 1650 } else { 1651 if (cp->num_of_sets) { 1652 if (adv) 1653 adv->enabled = false; 1654 1655 /* If just one instance was disabled check if there are 1656 * any other instance enabled before clearing HCI_LE_ADV 1657 */ 1658 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1659 list) { 1660 if (adv->enabled) 1661 goto unlock; 1662 } 1663 } else { 1664 /* All instances shall be considered disabled */ 1665 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 1666 list) 1667 adv->enabled = false; 1668 } 1669 1670 hci_dev_clear_flag(hdev, HCI_LE_ADV); 1671 } 1672 1673 unlock: 1674 hci_dev_unlock(hdev); 1675 return rp->status; 1676 } 1677 1678 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data, 1679 struct sk_buff *skb) 1680 { 1681 struct hci_cp_le_set_scan_param *cp; 1682 struct hci_ev_status *rp = data; 1683 1684 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1685 1686 if (rp->status) 1687 return rp->status; 1688 1689 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM); 1690 if (!cp) 1691 return rp->status; 1692 1693 hci_dev_lock(hdev); 1694 1695 hdev->le_scan_type = cp->type; 1696 1697 hci_dev_unlock(hdev); 1698 1699 return rp->status; 1700 } 1701 1702 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data, 1703 struct sk_buff *skb) 1704 { 1705 struct hci_cp_le_set_ext_scan_params *cp; 1706 struct hci_ev_status *rp = data; 1707 struct hci_cp_le_scan_phy_params *phy_param; 1708 1709 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1710 1711 if (rp->status) 1712 return rp->status; 1713 1714 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS); 1715 if (!cp) 1716 return rp->status; 1717 1718 phy_param = (void *)cp->data; 1719 1720 hci_dev_lock(hdev); 1721 1722 hdev->le_scan_type = phy_param->type; 1723 1724 hci_dev_unlock(hdev); 1725 1726 return rp->status; 1727 } 1728 1729 static bool has_pending_adv_report(struct hci_dev *hdev) 1730 { 1731 struct discovery_state *d = &hdev->discovery; 1732 1733 return bacmp(&d->last_adv_addr, BDADDR_ANY); 1734 } 1735 1736 static void clear_pending_adv_report(struct hci_dev *hdev) 1737 { 1738 struct discovery_state *d = &hdev->discovery; 1739 1740 bacpy(&d->last_adv_addr, BDADDR_ANY); 1741 d->last_adv_data_len = 0; 1742 } 1743 1744 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr, 1745 u8 bdaddr_type, s8 rssi, u32 flags, 1746 u8 *data, u8 len) 1747 { 1748 struct discovery_state *d = &hdev->discovery; 1749 1750 if (len > max_adv_len(hdev)) 1751 return; 1752 1753 bacpy(&d->last_adv_addr, bdaddr); 1754 d->last_adv_addr_type = bdaddr_type; 1755 d->last_adv_rssi = rssi; 1756 d->last_adv_flags = flags; 1757 memcpy(d->last_adv_data, data, len); 1758 d->last_adv_data_len = len; 1759 } 1760 1761 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable) 1762 { 1763 hci_dev_lock(hdev); 1764 1765 switch (enable) { 1766 case LE_SCAN_ENABLE: 1767 hci_dev_set_flag(hdev, HCI_LE_SCAN); 1768 if (hdev->le_scan_type == LE_SCAN_ACTIVE) 1769 clear_pending_adv_report(hdev); 1770 if (hci_dev_test_flag(hdev, HCI_MESH)) 1771 hci_discovery_set_state(hdev, DISCOVERY_FINDING); 1772 break; 1773 1774 case LE_SCAN_DISABLE: 1775 /* We do this here instead of when setting DISCOVERY_STOPPED 1776 * since the latter would potentially require waiting for 1777 * inquiry to stop too. 1778 */ 1779 if (has_pending_adv_report(hdev)) { 1780 struct discovery_state *d = &hdev->discovery; 1781 1782 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 1783 d->last_adv_addr_type, NULL, 1784 d->last_adv_rssi, d->last_adv_flags, 1785 d->last_adv_data, 1786 d->last_adv_data_len, NULL, 0, 0); 1787 } 1788 1789 /* Cancel this timer so that we don't try to disable scanning 1790 * when it's already disabled. 1791 */ 1792 cancel_delayed_work(&hdev->le_scan_disable); 1793 1794 hci_dev_clear_flag(hdev, HCI_LE_SCAN); 1795 1796 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we 1797 * interrupted scanning due to a connect request. Mark 1798 * therefore discovery as stopped. 1799 */ 1800 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED)) 1801 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 1802 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) && 1803 hdev->discovery.state == DISCOVERY_FINDING) 1804 queue_work(hdev->workqueue, &hdev->reenable_adv_work); 1805 1806 break; 1807 1808 default: 1809 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d", 1810 enable); 1811 break; 1812 } 1813 1814 hci_dev_unlock(hdev); 1815 } 1816 1817 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data, 1818 struct sk_buff *skb) 1819 { 1820 struct hci_cp_le_set_scan_enable *cp; 1821 struct hci_ev_status *rp = data; 1822 1823 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1824 1825 if (rp->status) 1826 return rp->status; 1827 1828 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE); 1829 if (!cp) 1830 return rp->status; 1831 1832 le_set_scan_enable_complete(hdev, cp->enable); 1833 1834 return rp->status; 1835 } 1836 1837 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data, 1838 struct sk_buff *skb) 1839 { 1840 struct hci_cp_le_set_ext_scan_enable *cp; 1841 struct hci_ev_status *rp = data; 1842 1843 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1844 1845 if (rp->status) 1846 return rp->status; 1847 1848 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE); 1849 if (!cp) 1850 return rp->status; 1851 1852 le_set_scan_enable_complete(hdev, cp->enable); 1853 1854 return rp->status; 1855 } 1856 1857 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data, 1858 struct sk_buff *skb) 1859 { 1860 struct hci_rp_le_read_num_supported_adv_sets *rp = data; 1861 1862 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status, 1863 rp->num_of_sets); 1864 1865 if (rp->status) 1866 return rp->status; 1867 1868 hdev->le_num_of_adv_sets = rp->num_of_sets; 1869 1870 return rp->status; 1871 } 1872 1873 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data, 1874 struct sk_buff *skb) 1875 { 1876 struct hci_rp_le_read_accept_list_size *rp = data; 1877 1878 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 1879 1880 if (rp->status) 1881 return rp->status; 1882 1883 hdev->le_accept_list_size = rp->size; 1884 1885 return rp->status; 1886 } 1887 1888 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data, 1889 struct sk_buff *skb) 1890 { 1891 struct hci_ev_status *rp = data; 1892 1893 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1894 1895 if (rp->status) 1896 return rp->status; 1897 1898 hci_dev_lock(hdev); 1899 hci_bdaddr_list_clear(&hdev->le_accept_list); 1900 hci_dev_unlock(hdev); 1901 1902 return rp->status; 1903 } 1904 1905 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data, 1906 struct sk_buff *skb) 1907 { 1908 struct hci_cp_le_add_to_accept_list *sent; 1909 struct hci_ev_status *rp = data; 1910 1911 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1912 1913 if (rp->status) 1914 return rp->status; 1915 1916 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST); 1917 if (!sent) 1918 return rp->status; 1919 1920 hci_dev_lock(hdev); 1921 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr, 1922 sent->bdaddr_type); 1923 hci_dev_unlock(hdev); 1924 1925 return rp->status; 1926 } 1927 1928 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data, 1929 struct sk_buff *skb) 1930 { 1931 struct hci_cp_le_del_from_accept_list *sent; 1932 struct hci_ev_status *rp = data; 1933 1934 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1935 1936 if (rp->status) 1937 return rp->status; 1938 1939 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST); 1940 if (!sent) 1941 return rp->status; 1942 1943 hci_dev_lock(hdev); 1944 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr, 1945 sent->bdaddr_type); 1946 hci_dev_unlock(hdev); 1947 1948 return rp->status; 1949 } 1950 1951 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data, 1952 struct sk_buff *skb) 1953 { 1954 struct hci_rp_le_read_supported_states *rp = data; 1955 1956 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1957 1958 if (rp->status) 1959 return rp->status; 1960 1961 memcpy(hdev->le_states, rp->le_states, 8); 1962 1963 return rp->status; 1964 } 1965 1966 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data, 1967 struct sk_buff *skb) 1968 { 1969 struct hci_rp_le_read_def_data_len *rp = data; 1970 1971 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1972 1973 if (rp->status) 1974 return rp->status; 1975 1976 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len); 1977 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time); 1978 1979 return rp->status; 1980 } 1981 1982 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data, 1983 struct sk_buff *skb) 1984 { 1985 struct hci_cp_le_write_def_data_len *sent; 1986 struct hci_ev_status *rp = data; 1987 1988 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 1989 1990 if (rp->status) 1991 return rp->status; 1992 1993 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN); 1994 if (!sent) 1995 return rp->status; 1996 1997 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len); 1998 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time); 1999 2000 return rp->status; 2001 } 2002 2003 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data, 2004 struct sk_buff *skb) 2005 { 2006 struct hci_cp_le_add_to_resolv_list *sent; 2007 struct hci_ev_status *rp = data; 2008 2009 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2010 2011 if (rp->status) 2012 return rp->status; 2013 2014 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST); 2015 if (!sent) 2016 return rp->status; 2017 2018 hci_dev_lock(hdev); 2019 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2020 sent->bdaddr_type, sent->peer_irk, 2021 sent->local_irk); 2022 hci_dev_unlock(hdev); 2023 2024 return rp->status; 2025 } 2026 2027 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data, 2028 struct sk_buff *skb) 2029 { 2030 struct hci_cp_le_del_from_resolv_list *sent; 2031 struct hci_ev_status *rp = data; 2032 2033 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2034 2035 if (rp->status) 2036 return rp->status; 2037 2038 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST); 2039 if (!sent) 2040 return rp->status; 2041 2042 hci_dev_lock(hdev); 2043 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr, 2044 sent->bdaddr_type); 2045 hci_dev_unlock(hdev); 2046 2047 return rp->status; 2048 } 2049 2050 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data, 2051 struct sk_buff *skb) 2052 { 2053 struct hci_ev_status *rp = data; 2054 2055 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2056 2057 if (rp->status) 2058 return rp->status; 2059 2060 hci_dev_lock(hdev); 2061 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2062 hci_dev_unlock(hdev); 2063 2064 return rp->status; 2065 } 2066 2067 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data, 2068 struct sk_buff *skb) 2069 { 2070 struct hci_rp_le_read_resolv_list_size *rp = data; 2071 2072 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size); 2073 2074 if (rp->status) 2075 return rp->status; 2076 2077 hdev->le_resolv_list_size = rp->size; 2078 2079 return rp->status; 2080 } 2081 2082 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data, 2083 struct sk_buff *skb) 2084 { 2085 struct hci_ev_status *rp = data; 2086 __u8 *sent; 2087 2088 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2089 2090 if (rp->status) 2091 return rp->status; 2092 2093 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE); 2094 if (!sent) 2095 return rp->status; 2096 2097 hci_dev_lock(hdev); 2098 2099 if (*sent) 2100 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION); 2101 else 2102 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION); 2103 2104 hci_dev_unlock(hdev); 2105 2106 return rp->status; 2107 } 2108 2109 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data, 2110 struct sk_buff *skb) 2111 { 2112 struct hci_rp_le_read_max_data_len *rp = data; 2113 2114 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2115 2116 if (rp->status) 2117 return rp->status; 2118 2119 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len); 2120 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time); 2121 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len); 2122 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time); 2123 2124 return rp->status; 2125 } 2126 2127 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data, 2128 struct sk_buff *skb) 2129 { 2130 struct hci_cp_write_le_host_supported *sent; 2131 struct hci_ev_status *rp = data; 2132 2133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2134 2135 if (rp->status) 2136 return rp->status; 2137 2138 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED); 2139 if (!sent) 2140 return rp->status; 2141 2142 hci_dev_lock(hdev); 2143 2144 if (sent->le) { 2145 hdev->features[1][0] |= LMP_HOST_LE; 2146 hci_dev_set_flag(hdev, HCI_LE_ENABLED); 2147 } else { 2148 hdev->features[1][0] &= ~LMP_HOST_LE; 2149 hci_dev_clear_flag(hdev, HCI_LE_ENABLED); 2150 hci_dev_clear_flag(hdev, HCI_ADVERTISING); 2151 } 2152 2153 if (sent->simul) 2154 hdev->features[1][0] |= LMP_HOST_LE_BREDR; 2155 else 2156 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR; 2157 2158 hci_dev_unlock(hdev); 2159 2160 return rp->status; 2161 } 2162 2163 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, 2164 struct sk_buff *skb) 2165 { 2166 struct hci_cp_le_set_adv_param *cp; 2167 struct hci_ev_status *rp = data; 2168 2169 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2170 2171 if (rp->status) 2172 return rp->status; 2173 2174 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM); 2175 if (!cp) 2176 return rp->status; 2177 2178 hci_dev_lock(hdev); 2179 hdev->adv_addr_type = cp->own_address_type; 2180 hci_dev_unlock(hdev); 2181 2182 return rp->status; 2183 } 2184 2185 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, 2186 struct sk_buff *skb) 2187 { 2188 struct hci_rp_le_set_ext_adv_params *rp = data; 2189 struct hci_cp_le_set_ext_adv_params *cp; 2190 struct adv_info *adv_instance; 2191 2192 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2193 2194 if (rp->status) 2195 return rp->status; 2196 2197 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); 2198 if (!cp) 2199 return rp->status; 2200 2201 hci_dev_lock(hdev); 2202 hdev->adv_addr_type = cp->own_addr_type; 2203 if (!cp->handle) { 2204 /* Store in hdev for instance 0 */ 2205 hdev->adv_tx_power = rp->tx_power; 2206 } else { 2207 adv_instance = hci_find_adv_instance(hdev, cp->handle); 2208 if (adv_instance) 2209 adv_instance->tx_power = rp->tx_power; 2210 } 2211 /* Update adv data as tx power is known now */ 2212 hci_update_adv_data(hdev, cp->handle); 2213 2214 hci_dev_unlock(hdev); 2215 2216 return rp->status; 2217 } 2218 2219 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, 2220 struct sk_buff *skb) 2221 { 2222 struct hci_rp_read_rssi *rp = data; 2223 struct hci_conn *conn; 2224 2225 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2226 2227 if (rp->status) 2228 return rp->status; 2229 2230 hci_dev_lock(hdev); 2231 2232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2233 if (conn) 2234 conn->rssi = rp->rssi; 2235 2236 hci_dev_unlock(hdev); 2237 2238 return rp->status; 2239 } 2240 2241 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data, 2242 struct sk_buff *skb) 2243 { 2244 struct hci_cp_read_tx_power *sent; 2245 struct hci_rp_read_tx_power *rp = data; 2246 struct hci_conn *conn; 2247 2248 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2249 2250 if (rp->status) 2251 return rp->status; 2252 2253 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER); 2254 if (!sent) 2255 return rp->status; 2256 2257 hci_dev_lock(hdev); 2258 2259 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle)); 2260 if (!conn) 2261 goto unlock; 2262 2263 switch (sent->type) { 2264 case 0x00: 2265 conn->tx_power = rp->tx_power; 2266 break; 2267 case 0x01: 2268 conn->max_tx_power = rp->tx_power; 2269 break; 2270 } 2271 2272 unlock: 2273 hci_dev_unlock(hdev); 2274 return rp->status; 2275 } 2276 2277 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data, 2278 struct sk_buff *skb) 2279 { 2280 struct hci_ev_status *rp = data; 2281 u8 *mode; 2282 2283 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 2284 2285 if (rp->status) 2286 return rp->status; 2287 2288 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE); 2289 if (mode) 2290 hdev->ssp_debug_mode = *mode; 2291 2292 return rp->status; 2293 } 2294 2295 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status) 2296 { 2297 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2298 2299 if (status) { 2300 hci_conn_check_pending(hdev); 2301 return; 2302 } 2303 2304 set_bit(HCI_INQUIRY, &hdev->flags); 2305 } 2306 2307 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) 2308 { 2309 struct hci_cp_create_conn *cp; 2310 struct hci_conn *conn; 2311 2312 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2313 2314 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN); 2315 if (!cp) 2316 return; 2317 2318 hci_dev_lock(hdev); 2319 2320 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2321 2322 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn); 2323 2324 if (status) { 2325 if (conn && conn->state == BT_CONNECT) { 2326 if (status != 0x0c || conn->attempt > 2) { 2327 conn->state = BT_CLOSED; 2328 hci_connect_cfm(conn, status); 2329 hci_conn_del(conn); 2330 } else 2331 conn->state = BT_CONNECT2; 2332 } 2333 } else { 2334 if (!conn) { 2335 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr, 2336 HCI_ROLE_MASTER); 2337 if (!conn) 2338 bt_dev_err(hdev, "no memory for new connection"); 2339 } 2340 } 2341 2342 hci_dev_unlock(hdev); 2343 } 2344 2345 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status) 2346 { 2347 struct hci_cp_add_sco *cp; 2348 struct hci_conn *acl; 2349 struct hci_link *link; 2350 __u16 handle; 2351 2352 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2353 2354 if (!status) 2355 return; 2356 2357 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO); 2358 if (!cp) 2359 return; 2360 2361 handle = __le16_to_cpu(cp->handle); 2362 2363 bt_dev_dbg(hdev, "handle 0x%4.4x", handle); 2364 2365 hci_dev_lock(hdev); 2366 2367 acl = hci_conn_hash_lookup_handle(hdev, handle); 2368 if (acl) { 2369 link = list_first_entry_or_null(&acl->link_list, 2370 struct hci_link, list); 2371 if (link && link->conn) { 2372 link->conn->state = BT_CLOSED; 2373 2374 hci_connect_cfm(link->conn, status); 2375 hci_conn_del(link->conn); 2376 } 2377 } 2378 2379 hci_dev_unlock(hdev); 2380 } 2381 2382 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status) 2383 { 2384 struct hci_cp_auth_requested *cp; 2385 struct hci_conn *conn; 2386 2387 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2388 2389 if (!status) 2390 return; 2391 2392 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED); 2393 if (!cp) 2394 return; 2395 2396 hci_dev_lock(hdev); 2397 2398 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2399 if (conn) { 2400 if (conn->state == BT_CONFIG) { 2401 hci_connect_cfm(conn, status); 2402 hci_conn_drop(conn); 2403 } 2404 } 2405 2406 hci_dev_unlock(hdev); 2407 } 2408 2409 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status) 2410 { 2411 struct hci_cp_set_conn_encrypt *cp; 2412 struct hci_conn *conn; 2413 2414 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2415 2416 if (!status) 2417 return; 2418 2419 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT); 2420 if (!cp) 2421 return; 2422 2423 hci_dev_lock(hdev); 2424 2425 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2426 if (conn) { 2427 if (conn->state == BT_CONFIG) { 2428 hci_connect_cfm(conn, status); 2429 hci_conn_drop(conn); 2430 } 2431 } 2432 2433 hci_dev_unlock(hdev); 2434 } 2435 2436 static int hci_outgoing_auth_needed(struct hci_dev *hdev, 2437 struct hci_conn *conn) 2438 { 2439 if (conn->state != BT_CONFIG || !conn->out) 2440 return 0; 2441 2442 if (conn->pending_sec_level == BT_SECURITY_SDP) 2443 return 0; 2444 2445 /* Only request authentication for SSP connections or non-SSP 2446 * devices with sec_level MEDIUM or HIGH or if MITM protection 2447 * is requested. 2448 */ 2449 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) && 2450 conn->pending_sec_level != BT_SECURITY_FIPS && 2451 conn->pending_sec_level != BT_SECURITY_HIGH && 2452 conn->pending_sec_level != BT_SECURITY_MEDIUM) 2453 return 0; 2454 2455 return 1; 2456 } 2457 2458 static int hci_resolve_name(struct hci_dev *hdev, 2459 struct inquiry_entry *e) 2460 { 2461 struct hci_cp_remote_name_req cp; 2462 2463 memset(&cp, 0, sizeof(cp)); 2464 2465 bacpy(&cp.bdaddr, &e->data.bdaddr); 2466 cp.pscan_rep_mode = e->data.pscan_rep_mode; 2467 cp.pscan_mode = e->data.pscan_mode; 2468 cp.clock_offset = e->data.clock_offset; 2469 2470 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 2471 } 2472 2473 static bool hci_resolve_next_name(struct hci_dev *hdev) 2474 { 2475 struct discovery_state *discov = &hdev->discovery; 2476 struct inquiry_entry *e; 2477 2478 if (list_empty(&discov->resolve)) 2479 return false; 2480 2481 /* We should stop if we already spent too much time resolving names. */ 2482 if (time_after(jiffies, discov->name_resolve_timeout)) { 2483 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long."); 2484 return false; 2485 } 2486 2487 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 2488 if (!e) 2489 return false; 2490 2491 if (hci_resolve_name(hdev, e) == 0) { 2492 e->name_state = NAME_PENDING; 2493 return true; 2494 } 2495 2496 return false; 2497 } 2498 2499 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn, 2500 bdaddr_t *bdaddr, u8 *name, u8 name_len) 2501 { 2502 struct discovery_state *discov = &hdev->discovery; 2503 struct inquiry_entry *e; 2504 2505 /* Update the mgmt connected state if necessary. Be careful with 2506 * conn objects that exist but are not (yet) connected however. 2507 * Only those in BT_CONFIG or BT_CONNECTED states can be 2508 * considered connected. 2509 */ 2510 if (conn && 2511 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) && 2512 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 2513 mgmt_device_connected(hdev, conn, name, name_len); 2514 2515 if (discov->state == DISCOVERY_STOPPED) 2516 return; 2517 2518 if (discov->state == DISCOVERY_STOPPING) 2519 goto discov_complete; 2520 2521 if (discov->state != DISCOVERY_RESOLVING) 2522 return; 2523 2524 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING); 2525 /* If the device was not found in a list of found devices names of which 2526 * are pending. there is no need to continue resolving a next name as it 2527 * will be done upon receiving another Remote Name Request Complete 2528 * Event */ 2529 if (!e) 2530 return; 2531 2532 list_del(&e->list); 2533 2534 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN; 2535 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi, 2536 name, name_len); 2537 2538 if (hci_resolve_next_name(hdev)) 2539 return; 2540 2541 discov_complete: 2542 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 2543 } 2544 2545 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status) 2546 { 2547 struct hci_cp_remote_name_req *cp; 2548 struct hci_conn *conn; 2549 2550 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2551 2552 /* If successful wait for the name req complete event before 2553 * checking for the need to do authentication */ 2554 if (!status) 2555 return; 2556 2557 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ); 2558 if (!cp) 2559 return; 2560 2561 hci_dev_lock(hdev); 2562 2563 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 2564 2565 if (hci_dev_test_flag(hdev, HCI_MGMT)) 2566 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0); 2567 2568 if (!conn) 2569 goto unlock; 2570 2571 if (!hci_outgoing_auth_needed(hdev, conn)) 2572 goto unlock; 2573 2574 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 2575 struct hci_cp_auth_requested auth_cp; 2576 2577 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 2578 2579 auth_cp.handle = __cpu_to_le16(conn->handle); 2580 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, 2581 sizeof(auth_cp), &auth_cp); 2582 } 2583 2584 unlock: 2585 hci_dev_unlock(hdev); 2586 } 2587 2588 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status) 2589 { 2590 struct hci_cp_read_remote_features *cp; 2591 struct hci_conn *conn; 2592 2593 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2594 2595 if (!status) 2596 return; 2597 2598 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES); 2599 if (!cp) 2600 return; 2601 2602 hci_dev_lock(hdev); 2603 2604 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2605 if (conn) { 2606 if (conn->state == BT_CONFIG) { 2607 hci_connect_cfm(conn, status); 2608 hci_conn_drop(conn); 2609 } 2610 } 2611 2612 hci_dev_unlock(hdev); 2613 } 2614 2615 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status) 2616 { 2617 struct hci_cp_read_remote_ext_features *cp; 2618 struct hci_conn *conn; 2619 2620 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2621 2622 if (!status) 2623 return; 2624 2625 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES); 2626 if (!cp) 2627 return; 2628 2629 hci_dev_lock(hdev); 2630 2631 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2632 if (conn) { 2633 if (conn->state == BT_CONFIG) { 2634 hci_connect_cfm(conn, status); 2635 hci_conn_drop(conn); 2636 } 2637 } 2638 2639 hci_dev_unlock(hdev); 2640 } 2641 2642 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle, 2643 __u8 status) 2644 { 2645 struct hci_conn *acl; 2646 struct hci_link *link; 2647 2648 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status); 2649 2650 hci_dev_lock(hdev); 2651 2652 acl = hci_conn_hash_lookup_handle(hdev, handle); 2653 if (acl) { 2654 link = list_first_entry_or_null(&acl->link_list, 2655 struct hci_link, list); 2656 if (link && link->conn) { 2657 link->conn->state = BT_CLOSED; 2658 2659 hci_connect_cfm(link->conn, status); 2660 hci_conn_del(link->conn); 2661 } 2662 } 2663 2664 hci_dev_unlock(hdev); 2665 } 2666 2667 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2668 { 2669 struct hci_cp_setup_sync_conn *cp; 2670 2671 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2672 2673 if (!status) 2674 return; 2675 2676 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN); 2677 if (!cp) 2678 return; 2679 2680 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2681 } 2682 2683 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status) 2684 { 2685 struct hci_cp_enhanced_setup_sync_conn *cp; 2686 2687 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2688 2689 if (!status) 2690 return; 2691 2692 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN); 2693 if (!cp) 2694 return; 2695 2696 hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status); 2697 } 2698 2699 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status) 2700 { 2701 struct hci_cp_sniff_mode *cp; 2702 struct hci_conn *conn; 2703 2704 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2705 2706 if (!status) 2707 return; 2708 2709 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE); 2710 if (!cp) 2711 return; 2712 2713 hci_dev_lock(hdev); 2714 2715 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2716 if (conn) { 2717 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2718 2719 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2720 hci_sco_setup(conn, status); 2721 } 2722 2723 hci_dev_unlock(hdev); 2724 } 2725 2726 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status) 2727 { 2728 struct hci_cp_exit_sniff_mode *cp; 2729 struct hci_conn *conn; 2730 2731 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2732 2733 if (!status) 2734 return; 2735 2736 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE); 2737 if (!cp) 2738 return; 2739 2740 hci_dev_lock(hdev); 2741 2742 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2743 if (conn) { 2744 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags); 2745 2746 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 2747 hci_sco_setup(conn, status); 2748 } 2749 2750 hci_dev_unlock(hdev); 2751 } 2752 2753 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) 2754 { 2755 struct hci_cp_disconnect *cp; 2756 struct hci_conn_params *params; 2757 struct hci_conn *conn; 2758 bool mgmt_conn; 2759 2760 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2761 2762 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended 2763 * otherwise cleanup the connection immediately. 2764 */ 2765 if (!status && !hdev->suspended) 2766 return; 2767 2768 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT); 2769 if (!cp) 2770 return; 2771 2772 hci_dev_lock(hdev); 2773 2774 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2775 if (!conn) 2776 goto unlock; 2777 2778 if (status) { 2779 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 2780 conn->dst_type, status); 2781 2782 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 2783 hdev->cur_adv_instance = conn->adv_instance; 2784 hci_enable_advertising(hdev); 2785 } 2786 2787 /* Inform sockets conn is gone before we delete it */ 2788 hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); 2789 2790 goto done; 2791 } 2792 2793 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 2794 2795 if (conn->type == ACL_LINK) { 2796 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 2797 hci_remove_link_key(hdev, &conn->dst); 2798 } 2799 2800 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 2801 if (params) { 2802 switch (params->auto_connect) { 2803 case HCI_AUTO_CONN_LINK_LOSS: 2804 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT) 2805 break; 2806 fallthrough; 2807 2808 case HCI_AUTO_CONN_DIRECT: 2809 case HCI_AUTO_CONN_ALWAYS: 2810 hci_pend_le_list_del_init(params); 2811 hci_pend_le_list_add(params, &hdev->pend_le_conns); 2812 break; 2813 2814 default: 2815 break; 2816 } 2817 } 2818 2819 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 2820 cp->reason, mgmt_conn); 2821 2822 hci_disconn_cfm(conn, cp->reason); 2823 2824 done: 2825 /* If the disconnection failed for any reason, the upper layer 2826 * does not retry to disconnect in current implementation. 2827 * Hence, we need to do some basic cleanup here and re-enable 2828 * advertising if necessary. 2829 */ 2830 hci_conn_del(conn); 2831 unlock: 2832 hci_dev_unlock(hdev); 2833 } 2834 2835 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved) 2836 { 2837 /* When using controller based address resolution, then the new 2838 * address types 0x02 and 0x03 are used. These types need to be 2839 * converted back into either public address or random address type 2840 */ 2841 switch (type) { 2842 case ADDR_LE_DEV_PUBLIC_RESOLVED: 2843 if (resolved) 2844 *resolved = true; 2845 return ADDR_LE_DEV_PUBLIC; 2846 case ADDR_LE_DEV_RANDOM_RESOLVED: 2847 if (resolved) 2848 *resolved = true; 2849 return ADDR_LE_DEV_RANDOM; 2850 } 2851 2852 if (resolved) 2853 *resolved = false; 2854 return type; 2855 } 2856 2857 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr, 2858 u8 peer_addr_type, u8 own_address_type, 2859 u8 filter_policy) 2860 { 2861 struct hci_conn *conn; 2862 2863 conn = hci_conn_hash_lookup_le(hdev, peer_addr, 2864 peer_addr_type); 2865 if (!conn) 2866 return; 2867 2868 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL); 2869 2870 /* Store the initiator and responder address information which 2871 * is needed for SMP. These values will not change during the 2872 * lifetime of the connection. 2873 */ 2874 conn->init_addr_type = own_address_type; 2875 if (own_address_type == ADDR_LE_DEV_RANDOM) 2876 bacpy(&conn->init_addr, &hdev->random_addr); 2877 else 2878 bacpy(&conn->init_addr, &hdev->bdaddr); 2879 2880 conn->resp_addr_type = peer_addr_type; 2881 bacpy(&conn->resp_addr, peer_addr); 2882 } 2883 2884 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status) 2885 { 2886 struct hci_cp_le_create_conn *cp; 2887 2888 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2889 2890 /* All connection failure handling is taken care of by the 2891 * hci_conn_failed function which is triggered by the HCI 2892 * request completion callbacks used for connecting. 2893 */ 2894 if (status) 2895 return; 2896 2897 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN); 2898 if (!cp) 2899 return; 2900 2901 hci_dev_lock(hdev); 2902 2903 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2904 cp->own_address_type, cp->filter_policy); 2905 2906 hci_dev_unlock(hdev); 2907 } 2908 2909 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status) 2910 { 2911 struct hci_cp_le_ext_create_conn *cp; 2912 2913 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2914 2915 /* All connection failure handling is taken care of by the 2916 * hci_conn_failed function which is triggered by the HCI 2917 * request completion callbacks used for connecting. 2918 */ 2919 if (status) 2920 return; 2921 2922 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN); 2923 if (!cp) 2924 return; 2925 2926 hci_dev_lock(hdev); 2927 2928 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type, 2929 cp->own_addr_type, cp->filter_policy); 2930 2931 hci_dev_unlock(hdev); 2932 } 2933 2934 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status) 2935 { 2936 struct hci_cp_le_read_remote_features *cp; 2937 struct hci_conn *conn; 2938 2939 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2940 2941 if (!status) 2942 return; 2943 2944 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES); 2945 if (!cp) 2946 return; 2947 2948 hci_dev_lock(hdev); 2949 2950 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2951 if (conn) { 2952 if (conn->state == BT_CONFIG) { 2953 hci_connect_cfm(conn, status); 2954 hci_conn_drop(conn); 2955 } 2956 } 2957 2958 hci_dev_unlock(hdev); 2959 } 2960 2961 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status) 2962 { 2963 struct hci_cp_le_start_enc *cp; 2964 struct hci_conn *conn; 2965 2966 bt_dev_dbg(hdev, "status 0x%2.2x", status); 2967 2968 if (!status) 2969 return; 2970 2971 hci_dev_lock(hdev); 2972 2973 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC); 2974 if (!cp) 2975 goto unlock; 2976 2977 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 2978 if (!conn) 2979 goto unlock; 2980 2981 if (conn->state != BT_CONNECTED) 2982 goto unlock; 2983 2984 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2985 hci_conn_drop(conn); 2986 2987 unlock: 2988 hci_dev_unlock(hdev); 2989 } 2990 2991 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status) 2992 { 2993 struct hci_cp_switch_role *cp; 2994 struct hci_conn *conn; 2995 2996 BT_DBG("%s status 0x%2.2x", hdev->name, status); 2997 2998 if (!status) 2999 return; 3000 3001 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE); 3002 if (!cp) 3003 return; 3004 3005 hci_dev_lock(hdev); 3006 3007 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr); 3008 if (conn) 3009 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 3010 3011 hci_dev_unlock(hdev); 3012 } 3013 3014 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data, 3015 struct sk_buff *skb) 3016 { 3017 struct hci_ev_status *ev = data; 3018 struct discovery_state *discov = &hdev->discovery; 3019 struct inquiry_entry *e; 3020 3021 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3022 3023 hci_conn_check_pending(hdev); 3024 3025 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 3026 return; 3027 3028 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */ 3029 wake_up_bit(&hdev->flags, HCI_INQUIRY); 3030 3031 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3032 return; 3033 3034 hci_dev_lock(hdev); 3035 3036 if (discov->state != DISCOVERY_FINDING) 3037 goto unlock; 3038 3039 if (list_empty(&discov->resolve)) { 3040 /* When BR/EDR inquiry is active and no LE scanning is in 3041 * progress, then change discovery state to indicate completion. 3042 * 3043 * When running LE scanning and BR/EDR inquiry simultaneously 3044 * and the LE scan already finished, then change the discovery 3045 * state to indicate completion. 3046 */ 3047 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3048 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3049 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3050 goto unlock; 3051 } 3052 3053 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED); 3054 if (e && hci_resolve_name(hdev, e) == 0) { 3055 e->name_state = NAME_PENDING; 3056 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING); 3057 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION; 3058 } else { 3059 /* When BR/EDR inquiry is active and no LE scanning is in 3060 * progress, then change discovery state to indicate completion. 3061 * 3062 * When running LE scanning and BR/EDR inquiry simultaneously 3063 * and the LE scan already finished, then change the discovery 3064 * state to indicate completion. 3065 */ 3066 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) || 3067 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks)) 3068 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 3069 } 3070 3071 unlock: 3072 hci_dev_unlock(hdev); 3073 } 3074 3075 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata, 3076 struct sk_buff *skb) 3077 { 3078 struct hci_ev_inquiry_result *ev = edata; 3079 struct inquiry_data data; 3080 int i; 3081 3082 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT, 3083 flex_array_size(ev, info, ev->num))) 3084 return; 3085 3086 bt_dev_dbg(hdev, "num %d", ev->num); 3087 3088 if (!ev->num) 3089 return; 3090 3091 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 3092 return; 3093 3094 hci_dev_lock(hdev); 3095 3096 for (i = 0; i < ev->num; i++) { 3097 struct inquiry_info *info = &ev->info[i]; 3098 u32 flags; 3099 3100 bacpy(&data.bdaddr, &info->bdaddr); 3101 data.pscan_rep_mode = info->pscan_rep_mode; 3102 data.pscan_period_mode = info->pscan_period_mode; 3103 data.pscan_mode = info->pscan_mode; 3104 memcpy(data.dev_class, info->dev_class, 3); 3105 data.clock_offset = info->clock_offset; 3106 data.rssi = HCI_RSSI_INVALID; 3107 data.ssp_mode = 0x00; 3108 3109 flags = hci_inquiry_cache_update(hdev, &data, false); 3110 3111 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 3112 info->dev_class, HCI_RSSI_INVALID, 3113 flags, NULL, 0, NULL, 0, 0); 3114 } 3115 3116 hci_dev_unlock(hdev); 3117 } 3118 3119 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data, 3120 struct sk_buff *skb) 3121 { 3122 struct hci_ev_conn_complete *ev = data; 3123 struct hci_conn *conn; 3124 u8 status = ev->status; 3125 3126 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3127 3128 hci_dev_lock(hdev); 3129 3130 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 3131 if (!conn) { 3132 /* In case of error status and there is no connection pending 3133 * just unlock as there is nothing to cleanup. 3134 */ 3135 if (ev->status) 3136 goto unlock; 3137 3138 /* Connection may not exist if auto-connected. Check the bredr 3139 * allowlist to see if this device is allowed to auto connect. 3140 * If link is an ACL type, create a connection class 3141 * automatically. 3142 * 3143 * Auto-connect will only occur if the event filter is 3144 * programmed with a given address. Right now, event filter is 3145 * only used during suspend. 3146 */ 3147 if (ev->link_type == ACL_LINK && 3148 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, 3149 &ev->bdaddr, 3150 BDADDR_BREDR)) { 3151 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 3152 HCI_ROLE_SLAVE); 3153 if (!conn) { 3154 bt_dev_err(hdev, "no memory for new conn"); 3155 goto unlock; 3156 } 3157 } else { 3158 if (ev->link_type != SCO_LINK) 3159 goto unlock; 3160 3161 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, 3162 &ev->bdaddr); 3163 if (!conn) 3164 goto unlock; 3165 3166 conn->type = SCO_LINK; 3167 } 3168 } 3169 3170 /* The HCI_Connection_Complete event is only sent once per connection. 3171 * Processing it more than once per connection can corrupt kernel memory. 3172 * 3173 * As the connection handle is set here for the first time, it indicates 3174 * whether the connection is already set up. 3175 */ 3176 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 3177 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 3178 goto unlock; 3179 } 3180 3181 if (!status) { 3182 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 3183 if (status) 3184 goto done; 3185 3186 if (conn->type == ACL_LINK) { 3187 conn->state = BT_CONFIG; 3188 hci_conn_hold(conn); 3189 3190 if (!conn->out && !hci_conn_ssp_enabled(conn) && 3191 !hci_find_link_key(hdev, &ev->bdaddr)) 3192 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 3193 else 3194 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3195 } else 3196 conn->state = BT_CONNECTED; 3197 3198 hci_debugfs_create_conn(conn); 3199 hci_conn_add_sysfs(conn); 3200 3201 if (test_bit(HCI_AUTH, &hdev->flags)) 3202 set_bit(HCI_CONN_AUTH, &conn->flags); 3203 3204 if (test_bit(HCI_ENCRYPT, &hdev->flags)) 3205 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3206 3207 /* Get remote features */ 3208 if (conn->type == ACL_LINK) { 3209 struct hci_cp_read_remote_features cp; 3210 cp.handle = ev->handle; 3211 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES, 3212 sizeof(cp), &cp); 3213 3214 hci_update_scan(hdev); 3215 } 3216 3217 /* Set packet type for incoming connection */ 3218 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) { 3219 struct hci_cp_change_conn_ptype cp; 3220 cp.handle = ev->handle; 3221 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3222 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp), 3223 &cp); 3224 } 3225 } 3226 3227 if (conn->type == ACL_LINK) 3228 hci_sco_setup(conn, ev->status); 3229 3230 done: 3231 if (status) { 3232 hci_conn_failed(conn, status); 3233 } else if (ev->link_type == SCO_LINK) { 3234 switch (conn->setting & SCO_AIRMODE_MASK) { 3235 case SCO_AIRMODE_CVSD: 3236 if (hdev->notify) 3237 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 3238 break; 3239 } 3240 3241 hci_connect_cfm(conn, status); 3242 } 3243 3244 unlock: 3245 hci_dev_unlock(hdev); 3246 3247 hci_conn_check_pending(hdev); 3248 } 3249 3250 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr) 3251 { 3252 struct hci_cp_reject_conn_req cp; 3253 3254 bacpy(&cp.bdaddr, bdaddr); 3255 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 3256 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp); 3257 } 3258 3259 static void hci_conn_request_evt(struct hci_dev *hdev, void *data, 3260 struct sk_buff *skb) 3261 { 3262 struct hci_ev_conn_request *ev = data; 3263 int mask = hdev->link_mode; 3264 struct inquiry_entry *ie; 3265 struct hci_conn *conn; 3266 __u8 flags = 0; 3267 3268 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type); 3269 3270 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type, 3271 &flags); 3272 3273 if (!(mask & HCI_LM_ACCEPT)) { 3274 hci_reject_conn(hdev, &ev->bdaddr); 3275 return; 3276 } 3277 3278 hci_dev_lock(hdev); 3279 3280 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr, 3281 BDADDR_BREDR)) { 3282 hci_reject_conn(hdev, &ev->bdaddr); 3283 goto unlock; 3284 } 3285 3286 /* Require HCI_CONNECTABLE or an accept list entry to accept the 3287 * connection. These features are only touched through mgmt so 3288 * only do the checks if HCI_MGMT is set. 3289 */ 3290 if (hci_dev_test_flag(hdev, HCI_MGMT) && 3291 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) && 3292 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr, 3293 BDADDR_BREDR)) { 3294 hci_reject_conn(hdev, &ev->bdaddr); 3295 goto unlock; 3296 } 3297 3298 /* Connection accepted */ 3299 3300 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3301 if (ie) 3302 memcpy(ie->data.dev_class, ev->dev_class, 3); 3303 3304 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, 3305 &ev->bdaddr); 3306 if (!conn) { 3307 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr, 3308 HCI_ROLE_SLAVE); 3309 if (!conn) { 3310 bt_dev_err(hdev, "no memory for new connection"); 3311 goto unlock; 3312 } 3313 } 3314 3315 memcpy(conn->dev_class, ev->dev_class, 3); 3316 3317 hci_dev_unlock(hdev); 3318 3319 if (ev->link_type == ACL_LINK || 3320 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) { 3321 struct hci_cp_accept_conn_req cp; 3322 conn->state = BT_CONNECT; 3323 3324 bacpy(&cp.bdaddr, &ev->bdaddr); 3325 3326 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER)) 3327 cp.role = 0x00; /* Become central */ 3328 else 3329 cp.role = 0x01; /* Remain peripheral */ 3330 3331 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp); 3332 } else if (!(flags & HCI_PROTO_DEFER)) { 3333 struct hci_cp_accept_sync_conn_req cp; 3334 conn->state = BT_CONNECT; 3335 3336 bacpy(&cp.bdaddr, &ev->bdaddr); 3337 cp.pkt_type = cpu_to_le16(conn->pkt_type); 3338 3339 cp.tx_bandwidth = cpu_to_le32(0x00001f40); 3340 cp.rx_bandwidth = cpu_to_le32(0x00001f40); 3341 cp.max_latency = cpu_to_le16(0xffff); 3342 cp.content_format = cpu_to_le16(hdev->voice_setting); 3343 cp.retrans_effort = 0xff; 3344 3345 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp), 3346 &cp); 3347 } else { 3348 conn->state = BT_CONNECT2; 3349 hci_connect_cfm(conn, 0); 3350 } 3351 3352 return; 3353 unlock: 3354 hci_dev_unlock(hdev); 3355 } 3356 3357 static u8 hci_to_mgmt_reason(u8 err) 3358 { 3359 switch (err) { 3360 case HCI_ERROR_CONNECTION_TIMEOUT: 3361 return MGMT_DEV_DISCONN_TIMEOUT; 3362 case HCI_ERROR_REMOTE_USER_TERM: 3363 case HCI_ERROR_REMOTE_LOW_RESOURCES: 3364 case HCI_ERROR_REMOTE_POWER_OFF: 3365 return MGMT_DEV_DISCONN_REMOTE; 3366 case HCI_ERROR_LOCAL_HOST_TERM: 3367 return MGMT_DEV_DISCONN_LOCAL_HOST; 3368 default: 3369 return MGMT_DEV_DISCONN_UNKNOWN; 3370 } 3371 } 3372 3373 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, 3374 struct sk_buff *skb) 3375 { 3376 struct hci_ev_disconn_complete *ev = data; 3377 u8 reason; 3378 struct hci_conn_params *params; 3379 struct hci_conn *conn; 3380 bool mgmt_connected; 3381 3382 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3383 3384 hci_dev_lock(hdev); 3385 3386 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3387 if (!conn) 3388 goto unlock; 3389 3390 if (ev->status) { 3391 mgmt_disconnect_failed(hdev, &conn->dst, conn->type, 3392 conn->dst_type, ev->status); 3393 goto unlock; 3394 } 3395 3396 conn->state = BT_CLOSED; 3397 3398 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags); 3399 3400 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags)) 3401 reason = MGMT_DEV_DISCONN_AUTH_FAILURE; 3402 else 3403 reason = hci_to_mgmt_reason(ev->reason); 3404 3405 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type, 3406 reason, mgmt_connected); 3407 3408 if (conn->type == ACL_LINK) { 3409 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags)) 3410 hci_remove_link_key(hdev, &conn->dst); 3411 3412 hci_update_scan(hdev); 3413 } 3414 3415 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type); 3416 if (params) { 3417 switch (params->auto_connect) { 3418 case HCI_AUTO_CONN_LINK_LOSS: 3419 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT) 3420 break; 3421 fallthrough; 3422 3423 case HCI_AUTO_CONN_DIRECT: 3424 case HCI_AUTO_CONN_ALWAYS: 3425 hci_pend_le_list_del_init(params); 3426 hci_pend_le_list_add(params, &hdev->pend_le_conns); 3427 hci_update_passive_scan(hdev); 3428 break; 3429 3430 default: 3431 break; 3432 } 3433 } 3434 3435 hci_disconn_cfm(conn, ev->reason); 3436 3437 /* Re-enable advertising if necessary, since it might 3438 * have been disabled by the connection. From the 3439 * HCI_LE_Set_Advertise_Enable command description in 3440 * the core specification (v4.0): 3441 * "The Controller shall continue advertising until the Host 3442 * issues an LE_Set_Advertise_Enable command with 3443 * Advertising_Enable set to 0x00 (Advertising is disabled) 3444 * or until a connection is created or until the Advertising 3445 * is timed out due to Directed Advertising." 3446 */ 3447 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) { 3448 hdev->cur_adv_instance = conn->adv_instance; 3449 hci_enable_advertising(hdev); 3450 } 3451 3452 hci_conn_del(conn); 3453 3454 unlock: 3455 hci_dev_unlock(hdev); 3456 } 3457 3458 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data, 3459 struct sk_buff *skb) 3460 { 3461 struct hci_ev_auth_complete *ev = data; 3462 struct hci_conn *conn; 3463 3464 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3465 3466 hci_dev_lock(hdev); 3467 3468 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3469 if (!conn) 3470 goto unlock; 3471 3472 if (!ev->status) { 3473 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3474 3475 if (!hci_conn_ssp_enabled(conn) && 3476 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) { 3477 bt_dev_info(hdev, "re-auth of legacy device is not possible."); 3478 } else { 3479 set_bit(HCI_CONN_AUTH, &conn->flags); 3480 conn->sec_level = conn->pending_sec_level; 3481 } 3482 } else { 3483 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3484 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3485 3486 mgmt_auth_failed(conn, ev->status); 3487 } 3488 3489 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3490 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags); 3491 3492 if (conn->state == BT_CONFIG) { 3493 if (!ev->status && hci_conn_ssp_enabled(conn)) { 3494 struct hci_cp_set_conn_encrypt cp; 3495 cp.handle = ev->handle; 3496 cp.encrypt = 0x01; 3497 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3498 &cp); 3499 } else { 3500 conn->state = BT_CONNECTED; 3501 hci_connect_cfm(conn, ev->status); 3502 hci_conn_drop(conn); 3503 } 3504 } else { 3505 hci_auth_cfm(conn, ev->status); 3506 3507 hci_conn_hold(conn); 3508 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3509 hci_conn_drop(conn); 3510 } 3511 3512 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 3513 if (!ev->status) { 3514 struct hci_cp_set_conn_encrypt cp; 3515 cp.handle = ev->handle; 3516 cp.encrypt = 0x01; 3517 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp), 3518 &cp); 3519 } else { 3520 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3521 hci_encrypt_cfm(conn, ev->status); 3522 } 3523 } 3524 3525 unlock: 3526 hci_dev_unlock(hdev); 3527 } 3528 3529 static void hci_remote_name_evt(struct hci_dev *hdev, void *data, 3530 struct sk_buff *skb) 3531 { 3532 struct hci_ev_remote_name *ev = data; 3533 struct hci_conn *conn; 3534 3535 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3536 3537 hci_conn_check_pending(hdev); 3538 3539 hci_dev_lock(hdev); 3540 3541 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 3542 3543 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 3544 goto check_auth; 3545 3546 if (ev->status == 0) 3547 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name, 3548 strnlen(ev->name, HCI_MAX_NAME_LENGTH)); 3549 else 3550 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0); 3551 3552 check_auth: 3553 if (!conn) 3554 goto unlock; 3555 3556 if (!hci_outgoing_auth_needed(hdev, conn)) 3557 goto unlock; 3558 3559 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) { 3560 struct hci_cp_auth_requested cp; 3561 3562 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags); 3563 3564 cp.handle = __cpu_to_le16(conn->handle); 3565 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp); 3566 } 3567 3568 unlock: 3569 hci_dev_unlock(hdev); 3570 } 3571 3572 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data, 3573 struct sk_buff *skb) 3574 { 3575 struct hci_ev_encrypt_change *ev = data; 3576 struct hci_conn *conn; 3577 3578 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3579 3580 hci_dev_lock(hdev); 3581 3582 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3583 if (!conn) 3584 goto unlock; 3585 3586 if (!ev->status) { 3587 if (ev->encrypt) { 3588 /* Encryption implies authentication */ 3589 set_bit(HCI_CONN_AUTH, &conn->flags); 3590 set_bit(HCI_CONN_ENCRYPT, &conn->flags); 3591 conn->sec_level = conn->pending_sec_level; 3592 3593 /* P-256 authentication key implies FIPS */ 3594 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256) 3595 set_bit(HCI_CONN_FIPS, &conn->flags); 3596 3597 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) || 3598 conn->type == LE_LINK) 3599 set_bit(HCI_CONN_AES_CCM, &conn->flags); 3600 } else { 3601 clear_bit(HCI_CONN_ENCRYPT, &conn->flags); 3602 clear_bit(HCI_CONN_AES_CCM, &conn->flags); 3603 } 3604 } 3605 3606 /* We should disregard the current RPA and generate a new one 3607 * whenever the encryption procedure fails. 3608 */ 3609 if (ev->status && conn->type == LE_LINK) { 3610 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED); 3611 hci_adv_instances_set_rpa_expired(hdev, true); 3612 } 3613 3614 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 3615 3616 /* Check link security requirements are met */ 3617 if (!hci_conn_check_link_mode(conn)) 3618 ev->status = HCI_ERROR_AUTH_FAILURE; 3619 3620 if (ev->status && conn->state == BT_CONNECTED) { 3621 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING) 3622 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags); 3623 3624 /* Notify upper layers so they can cleanup before 3625 * disconnecting. 3626 */ 3627 hci_encrypt_cfm(conn, ev->status); 3628 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3629 hci_conn_drop(conn); 3630 goto unlock; 3631 } 3632 3633 /* Try reading the encryption key size for encrypted ACL links */ 3634 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) { 3635 struct hci_cp_read_enc_key_size cp; 3636 3637 /* Only send HCI_Read_Encryption_Key_Size if the 3638 * controller really supports it. If it doesn't, assume 3639 * the default size (16). 3640 */ 3641 if (!(hdev->commands[20] & 0x10)) { 3642 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3643 goto notify; 3644 } 3645 3646 cp.handle = cpu_to_le16(conn->handle); 3647 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, 3648 sizeof(cp), &cp)) { 3649 bt_dev_err(hdev, "sending read key size failed"); 3650 conn->enc_key_size = HCI_LINK_KEY_SIZE; 3651 goto notify; 3652 } 3653 3654 goto unlock; 3655 } 3656 3657 /* Set the default Authenticated Payload Timeout after 3658 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B 3659 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be 3660 * sent when the link is active and Encryption is enabled, the conn 3661 * type can be either LE or ACL and controller must support LMP Ping. 3662 * Ensure for AES-CCM encryption as well. 3663 */ 3664 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && 3665 test_bit(HCI_CONN_AES_CCM, &conn->flags) && 3666 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) || 3667 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) { 3668 struct hci_cp_write_auth_payload_to cp; 3669 3670 cp.handle = cpu_to_le16(conn->handle); 3671 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout); 3672 if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO, 3673 sizeof(cp), &cp)) { 3674 bt_dev_err(hdev, "write auth payload timeout failed"); 3675 goto notify; 3676 } 3677 3678 goto unlock; 3679 } 3680 3681 notify: 3682 hci_encrypt_cfm(conn, ev->status); 3683 3684 unlock: 3685 hci_dev_unlock(hdev); 3686 } 3687 3688 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data, 3689 struct sk_buff *skb) 3690 { 3691 struct hci_ev_change_link_key_complete *ev = data; 3692 struct hci_conn *conn; 3693 3694 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3695 3696 hci_dev_lock(hdev); 3697 3698 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3699 if (conn) { 3700 if (!ev->status) 3701 set_bit(HCI_CONN_SECURE, &conn->flags); 3702 3703 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags); 3704 3705 hci_key_change_cfm(conn, ev->status); 3706 } 3707 3708 hci_dev_unlock(hdev); 3709 } 3710 3711 static void hci_remote_features_evt(struct hci_dev *hdev, void *data, 3712 struct sk_buff *skb) 3713 { 3714 struct hci_ev_remote_features *ev = data; 3715 struct hci_conn *conn; 3716 3717 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 3718 3719 hci_dev_lock(hdev); 3720 3721 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 3722 if (!conn) 3723 goto unlock; 3724 3725 if (!ev->status) 3726 memcpy(conn->features[0], ev->features, 8); 3727 3728 if (conn->state != BT_CONFIG) 3729 goto unlock; 3730 3731 if (!ev->status && lmp_ext_feat_capable(hdev) && 3732 lmp_ext_feat_capable(conn)) { 3733 struct hci_cp_read_remote_ext_features cp; 3734 cp.handle = ev->handle; 3735 cp.page = 0x01; 3736 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES, 3737 sizeof(cp), &cp); 3738 goto unlock; 3739 } 3740 3741 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 3742 struct hci_cp_remote_name_req cp; 3743 memset(&cp, 0, sizeof(cp)); 3744 bacpy(&cp.bdaddr, &conn->dst); 3745 cp.pscan_rep_mode = 0x02; 3746 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 3747 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 3748 mgmt_device_connected(hdev, conn, NULL, 0); 3749 3750 if (!hci_outgoing_auth_needed(hdev, conn)) { 3751 conn->state = BT_CONNECTED; 3752 hci_connect_cfm(conn, ev->status); 3753 hci_conn_drop(conn); 3754 } 3755 3756 unlock: 3757 hci_dev_unlock(hdev); 3758 } 3759 3760 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd) 3761 { 3762 cancel_delayed_work(&hdev->cmd_timer); 3763 3764 rcu_read_lock(); 3765 if (!test_bit(HCI_RESET, &hdev->flags)) { 3766 if (ncmd) { 3767 cancel_delayed_work(&hdev->ncmd_timer); 3768 atomic_set(&hdev->cmd_cnt, 1); 3769 } else { 3770 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 3771 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer, 3772 HCI_NCMD_TIMEOUT); 3773 } 3774 } 3775 rcu_read_unlock(); 3776 } 3777 3778 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data, 3779 struct sk_buff *skb) 3780 { 3781 struct hci_rp_le_read_buffer_size_v2 *rp = data; 3782 3783 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3784 3785 if (rp->status) 3786 return rp->status; 3787 3788 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu); 3789 hdev->le_pkts = rp->acl_max_pkt; 3790 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu); 3791 hdev->iso_pkts = rp->iso_max_pkt; 3792 3793 hdev->le_cnt = hdev->le_pkts; 3794 hdev->iso_cnt = hdev->iso_pkts; 3795 3796 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu, 3797 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts); 3798 3799 return rp->status; 3800 } 3801 3802 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status) 3803 { 3804 struct hci_conn *conn, *tmp; 3805 3806 lockdep_assert_held(&hdev->lock); 3807 3808 list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) { 3809 if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) || 3810 conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig) 3811 continue; 3812 3813 if (HCI_CONN_HANDLE_UNSET(conn->handle)) 3814 hci_conn_failed(conn, status); 3815 } 3816 } 3817 3818 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data, 3819 struct sk_buff *skb) 3820 { 3821 struct hci_rp_le_set_cig_params *rp = data; 3822 struct hci_cp_le_set_cig_params *cp; 3823 struct hci_conn *conn; 3824 u8 status = rp->status; 3825 bool pending = false; 3826 int i; 3827 3828 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3829 3830 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS); 3831 if (!rp->status && (!cp || rp->num_handles != cp->num_cis || 3832 rp->cig_id != cp->cig_id)) { 3833 bt_dev_err(hdev, "unexpected Set CIG Parameters response data"); 3834 status = HCI_ERROR_UNSPECIFIED; 3835 } 3836 3837 hci_dev_lock(hdev); 3838 3839 /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554 3840 * 3841 * If the Status return parameter is non-zero, then the state of the CIG 3842 * and its CIS configurations shall not be changed by the command. If 3843 * the CIG did not already exist, it shall not be created. 3844 */ 3845 if (status) { 3846 /* Keep current configuration, fail only the unbound CIS */ 3847 hci_unbound_cis_failed(hdev, rp->cig_id, status); 3848 goto unlock; 3849 } 3850 3851 /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553 3852 * 3853 * If the Status return parameter is zero, then the Controller shall 3854 * set the Connection_Handle arrayed return parameter to the connection 3855 * handle(s) corresponding to the CIS configurations specified in 3856 * the CIS_IDs command parameter, in the same order. 3857 */ 3858 for (i = 0; i < rp->num_handles; ++i) { 3859 conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id, 3860 cp->cis[i].cis_id); 3861 if (!conn || !bacmp(&conn->dst, BDADDR_ANY)) 3862 continue; 3863 3864 if (conn->state != BT_BOUND && conn->state != BT_CONNECT) 3865 continue; 3866 3867 if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i]))) 3868 continue; 3869 3870 if (conn->state == BT_CONNECT) 3871 pending = true; 3872 } 3873 3874 unlock: 3875 if (pending) 3876 hci_le_create_cis_pending(hdev); 3877 3878 hci_dev_unlock(hdev); 3879 3880 return rp->status; 3881 } 3882 3883 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data, 3884 struct sk_buff *skb) 3885 { 3886 struct hci_rp_le_setup_iso_path *rp = data; 3887 struct hci_cp_le_setup_iso_path *cp; 3888 struct hci_conn *conn; 3889 3890 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3891 3892 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH); 3893 if (!cp) 3894 return rp->status; 3895 3896 hci_dev_lock(hdev); 3897 3898 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle)); 3899 if (!conn) 3900 goto unlock; 3901 3902 if (rp->status) { 3903 hci_connect_cfm(conn, rp->status); 3904 hci_conn_del(conn); 3905 goto unlock; 3906 } 3907 3908 switch (cp->direction) { 3909 /* Input (Host to Controller) */ 3910 case 0x00: 3911 /* Only confirm connection if output only */ 3912 if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu) 3913 hci_connect_cfm(conn, rp->status); 3914 break; 3915 /* Output (Controller to Host) */ 3916 case 0x01: 3917 /* Confirm connection since conn->iso_qos is always configured 3918 * last. 3919 */ 3920 hci_connect_cfm(conn, rp->status); 3921 break; 3922 } 3923 3924 unlock: 3925 hci_dev_unlock(hdev); 3926 return rp->status; 3927 } 3928 3929 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status) 3930 { 3931 bt_dev_dbg(hdev, "status 0x%2.2x", status); 3932 } 3933 3934 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data, 3935 struct sk_buff *skb) 3936 { 3937 struct hci_ev_status *rp = data; 3938 struct hci_cp_le_set_per_adv_params *cp; 3939 3940 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3941 3942 if (rp->status) 3943 return rp->status; 3944 3945 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS); 3946 if (!cp) 3947 return rp->status; 3948 3949 /* TODO: set the conn state */ 3950 return rp->status; 3951 } 3952 3953 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, 3954 struct sk_buff *skb) 3955 { 3956 struct hci_ev_status *rp = data; 3957 struct hci_cp_le_set_per_adv_enable *cp; 3958 struct adv_info *adv = NULL, *n; 3959 u8 per_adv_cnt = 0; 3960 3961 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); 3962 3963 if (rp->status) 3964 return rp->status; 3965 3966 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE); 3967 if (!cp) 3968 return rp->status; 3969 3970 hci_dev_lock(hdev); 3971 3972 adv = hci_find_adv_instance(hdev, cp->handle); 3973 3974 if (cp->enable) { 3975 hci_dev_set_flag(hdev, HCI_LE_PER_ADV); 3976 3977 if (adv) 3978 adv->enabled = true; 3979 } else { 3980 /* If just one instance was disabled check if there are 3981 * any other instance enabled before clearing HCI_LE_PER_ADV. 3982 * The current periodic adv instance will be marked as 3983 * disabled once extended advertising is also disabled. 3984 */ 3985 list_for_each_entry_safe(adv, n, &hdev->adv_instances, 3986 list) { 3987 if (adv->periodic && adv->enabled) 3988 per_adv_cnt++; 3989 } 3990 3991 if (per_adv_cnt > 1) 3992 goto unlock; 3993 3994 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV); 3995 } 3996 3997 unlock: 3998 hci_dev_unlock(hdev); 3999 4000 return rp->status; 4001 } 4002 4003 #define HCI_CC_VL(_op, _func, _min, _max) \ 4004 { \ 4005 .op = _op, \ 4006 .func = _func, \ 4007 .min_len = _min, \ 4008 .max_len = _max, \ 4009 } 4010 4011 #define HCI_CC(_op, _func, _len) \ 4012 HCI_CC_VL(_op, _func, _len, _len) 4013 4014 #define HCI_CC_STATUS(_op, _func) \ 4015 HCI_CC(_op, _func, sizeof(struct hci_ev_status)) 4016 4017 static const struct hci_cc { 4018 u16 op; 4019 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 4020 u16 min_len; 4021 u16 max_len; 4022 } hci_cc_table[] = { 4023 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel), 4024 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq), 4025 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq), 4026 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL, 4027 hci_cc_remote_name_req_cancel), 4028 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery, 4029 sizeof(struct hci_rp_role_discovery)), 4030 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy, 4031 sizeof(struct hci_rp_read_link_policy)), 4032 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy, 4033 sizeof(struct hci_rp_write_link_policy)), 4034 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy, 4035 sizeof(struct hci_rp_read_def_link_policy)), 4036 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY, 4037 hci_cc_write_def_link_policy), 4038 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset), 4039 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key, 4040 sizeof(struct hci_rp_read_stored_link_key)), 4041 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key, 4042 sizeof(struct hci_rp_delete_stored_link_key)), 4043 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name), 4044 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name, 4045 sizeof(struct hci_rp_read_local_name)), 4046 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable), 4047 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode), 4048 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable), 4049 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter), 4050 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev, 4051 sizeof(struct hci_rp_read_class_of_dev)), 4052 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev), 4053 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting, 4054 sizeof(struct hci_rp_read_voice_setting)), 4055 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting), 4056 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac, 4057 sizeof(struct hci_rp_read_num_supported_iac)), 4058 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode), 4059 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support), 4060 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout, 4061 sizeof(struct hci_rp_read_auth_payload_to)), 4062 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout, 4063 sizeof(struct hci_rp_write_auth_payload_to)), 4064 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version, 4065 sizeof(struct hci_rp_read_local_version)), 4066 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands, 4067 sizeof(struct hci_rp_read_local_commands)), 4068 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features, 4069 sizeof(struct hci_rp_read_local_features)), 4070 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features, 4071 sizeof(struct hci_rp_read_local_ext_features)), 4072 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size, 4073 sizeof(struct hci_rp_read_buffer_size)), 4074 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr, 4075 sizeof(struct hci_rp_read_bd_addr)), 4076 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts, 4077 sizeof(struct hci_rp_read_local_pairing_opts)), 4078 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity, 4079 sizeof(struct hci_rp_read_page_scan_activity)), 4080 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, 4081 hci_cc_write_page_scan_activity), 4082 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type, 4083 sizeof(struct hci_rp_read_page_scan_type)), 4084 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type), 4085 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size, 4086 sizeof(struct hci_rp_read_data_block_size)), 4087 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode, 4088 sizeof(struct hci_rp_read_flow_control_mode)), 4089 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info, 4090 sizeof(struct hci_rp_read_local_amp_info)), 4091 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock, 4092 sizeof(struct hci_rp_read_clock)), 4093 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size, 4094 sizeof(struct hci_rp_read_enc_key_size)), 4095 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power, 4096 sizeof(struct hci_rp_read_inq_rsp_tx_power)), 4097 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING, 4098 hci_cc_read_def_err_data_reporting, 4099 sizeof(struct hci_rp_read_def_err_data_reporting)), 4100 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING, 4101 hci_cc_write_def_err_data_reporting), 4102 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply, 4103 sizeof(struct hci_rp_pin_code_reply)), 4104 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply, 4105 sizeof(struct hci_rp_pin_code_neg_reply)), 4106 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data, 4107 sizeof(struct hci_rp_read_local_oob_data)), 4108 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data, 4109 sizeof(struct hci_rp_read_local_oob_ext_data)), 4110 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size, 4111 sizeof(struct hci_rp_le_read_buffer_size)), 4112 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features, 4113 sizeof(struct hci_rp_le_read_local_features)), 4114 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power, 4115 sizeof(struct hci_rp_le_read_adv_tx_power)), 4116 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply, 4117 sizeof(struct hci_rp_user_confirm_reply)), 4118 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply, 4119 sizeof(struct hci_rp_user_confirm_reply)), 4120 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply, 4121 sizeof(struct hci_rp_user_confirm_reply)), 4122 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply, 4123 sizeof(struct hci_rp_user_confirm_reply)), 4124 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr), 4125 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable), 4126 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param), 4127 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable), 4128 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE, 4129 hci_cc_le_read_accept_list_size, 4130 sizeof(struct hci_rp_le_read_accept_list_size)), 4131 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list), 4132 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST, 4133 hci_cc_le_add_to_accept_list), 4134 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST, 4135 hci_cc_le_del_from_accept_list), 4136 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states, 4137 sizeof(struct hci_rp_le_read_supported_states)), 4138 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len, 4139 sizeof(struct hci_rp_le_read_def_data_len)), 4140 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN, 4141 hci_cc_le_write_def_data_len), 4142 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST, 4143 hci_cc_le_add_to_resolv_list), 4144 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST, 4145 hci_cc_le_del_from_resolv_list), 4146 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST, 4147 hci_cc_le_clear_resolv_list), 4148 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size, 4149 sizeof(struct hci_rp_le_read_resolv_list_size)), 4150 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE, 4151 hci_cc_le_set_addr_resolution_enable), 4152 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len, 4153 sizeof(struct hci_rp_le_read_max_data_len)), 4154 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED, 4155 hci_cc_write_le_host_supported), 4156 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param), 4157 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi, 4158 sizeof(struct hci_rp_read_rssi)), 4159 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power, 4160 sizeof(struct hci_rp_read_tx_power)), 4161 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode), 4162 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS, 4163 hci_cc_le_set_ext_scan_param), 4164 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE, 4165 hci_cc_le_set_ext_scan_enable), 4166 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy), 4167 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, 4168 hci_cc_le_read_num_adv_sets, 4169 sizeof(struct hci_rp_le_read_num_supported_adv_sets)), 4170 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, 4171 sizeof(struct hci_rp_le_set_ext_adv_params)), 4172 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, 4173 hci_cc_le_set_ext_adv_enable), 4174 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, 4175 hci_cc_le_set_adv_set_random_addr), 4176 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set), 4177 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets), 4178 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param), 4179 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE, 4180 hci_cc_le_set_per_adv_enable), 4181 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power, 4182 sizeof(struct hci_rp_le_read_transmit_power)), 4183 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode), 4184 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2, 4185 sizeof(struct hci_rp_le_read_buffer_size_v2)), 4186 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params, 4187 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE), 4188 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path, 4189 sizeof(struct hci_rp_le_setup_iso_path)), 4190 }; 4191 4192 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc, 4193 struct sk_buff *skb) 4194 { 4195 void *data; 4196 4197 if (skb->len < cc->min_len) { 4198 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u", 4199 cc->op, skb->len, cc->min_len); 4200 return HCI_ERROR_UNSPECIFIED; 4201 } 4202 4203 /* Just warn if the length is over max_len size it still be possible to 4204 * partially parse the cc so leave to callback to decide if that is 4205 * acceptable. 4206 */ 4207 if (skb->len > cc->max_len) 4208 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u", 4209 cc->op, skb->len, cc->max_len); 4210 4211 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len); 4212 if (!data) 4213 return HCI_ERROR_UNSPECIFIED; 4214 4215 return cc->func(hdev, data, skb); 4216 } 4217 4218 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data, 4219 struct sk_buff *skb, u16 *opcode, u8 *status, 4220 hci_req_complete_t *req_complete, 4221 hci_req_complete_skb_t *req_complete_skb) 4222 { 4223 struct hci_ev_cmd_complete *ev = data; 4224 int i; 4225 4226 *opcode = __le16_to_cpu(ev->opcode); 4227 4228 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4229 4230 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) { 4231 if (hci_cc_table[i].op == *opcode) { 4232 *status = hci_cc_func(hdev, &hci_cc_table[i], skb); 4233 break; 4234 } 4235 } 4236 4237 if (i == ARRAY_SIZE(hci_cc_table)) { 4238 /* Unknown opcode, assume byte 0 contains the status, so 4239 * that e.g. __hci_cmd_sync() properly returns errors 4240 * for vendor specific commands send by HCI drivers. 4241 * If a vendor doesn't actually follow this convention we may 4242 * need to introduce a vendor CC table in order to properly set 4243 * the status. 4244 */ 4245 *status = skb->data[0]; 4246 } 4247 4248 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4249 4250 hci_req_cmd_complete(hdev, *opcode, *status, req_complete, 4251 req_complete_skb); 4252 4253 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4254 bt_dev_err(hdev, 4255 "unexpected event for opcode 0x%4.4x", *opcode); 4256 return; 4257 } 4258 4259 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4260 queue_work(hdev->workqueue, &hdev->cmd_work); 4261 } 4262 4263 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status) 4264 { 4265 struct hci_cp_le_create_cis *cp; 4266 bool pending = false; 4267 int i; 4268 4269 bt_dev_dbg(hdev, "status 0x%2.2x", status); 4270 4271 if (!status) 4272 return; 4273 4274 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS); 4275 if (!cp) 4276 return; 4277 4278 hci_dev_lock(hdev); 4279 4280 /* Remove connection if command failed */ 4281 for (i = 0; cp->num_cis; cp->num_cis--, i++) { 4282 struct hci_conn *conn; 4283 u16 handle; 4284 4285 handle = __le16_to_cpu(cp->cis[i].cis_handle); 4286 4287 conn = hci_conn_hash_lookup_handle(hdev, handle); 4288 if (conn) { 4289 if (test_and_clear_bit(HCI_CONN_CREATE_CIS, 4290 &conn->flags)) 4291 pending = true; 4292 conn->state = BT_CLOSED; 4293 hci_connect_cfm(conn, status); 4294 hci_conn_del(conn); 4295 } 4296 } 4297 4298 if (pending) 4299 hci_le_create_cis_pending(hdev); 4300 4301 hci_dev_unlock(hdev); 4302 } 4303 4304 #define HCI_CS(_op, _func) \ 4305 { \ 4306 .op = _op, \ 4307 .func = _func, \ 4308 } 4309 4310 static const struct hci_cs { 4311 u16 op; 4312 void (*func)(struct hci_dev *hdev, __u8 status); 4313 } hci_cs_table[] = { 4314 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry), 4315 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn), 4316 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect), 4317 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco), 4318 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested), 4319 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt), 4320 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req), 4321 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features), 4322 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES, 4323 hci_cs_read_remote_ext_features), 4324 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn), 4325 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN, 4326 hci_cs_enhanced_setup_sync_conn), 4327 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode), 4328 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode), 4329 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role), 4330 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn), 4331 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features), 4332 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc), 4333 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn), 4334 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis), 4335 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big), 4336 }; 4337 4338 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data, 4339 struct sk_buff *skb, u16 *opcode, u8 *status, 4340 hci_req_complete_t *req_complete, 4341 hci_req_complete_skb_t *req_complete_skb) 4342 { 4343 struct hci_ev_cmd_status *ev = data; 4344 int i; 4345 4346 *opcode = __le16_to_cpu(ev->opcode); 4347 *status = ev->status; 4348 4349 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode); 4350 4351 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) { 4352 if (hci_cs_table[i].op == *opcode) { 4353 hci_cs_table[i].func(hdev, ev->status); 4354 break; 4355 } 4356 } 4357 4358 handle_cmd_cnt_and_timer(hdev, ev->ncmd); 4359 4360 /* Indicate request completion if the command failed. Also, if 4361 * we're not waiting for a special event and we get a success 4362 * command status we should try to flag the request as completed 4363 * (since for this kind of commands there will not be a command 4364 * complete event). 4365 */ 4366 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) { 4367 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete, 4368 req_complete_skb); 4369 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) { 4370 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x", 4371 *opcode); 4372 return; 4373 } 4374 } 4375 4376 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q)) 4377 queue_work(hdev->workqueue, &hdev->cmd_work); 4378 } 4379 4380 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data, 4381 struct sk_buff *skb) 4382 { 4383 struct hci_ev_hardware_error *ev = data; 4384 4385 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code); 4386 4387 hdev->hw_error_code = ev->code; 4388 4389 queue_work(hdev->req_workqueue, &hdev->error_reset); 4390 } 4391 4392 static void hci_role_change_evt(struct hci_dev *hdev, void *data, 4393 struct sk_buff *skb) 4394 { 4395 struct hci_ev_role_change *ev = data; 4396 struct hci_conn *conn; 4397 4398 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4399 4400 hci_dev_lock(hdev); 4401 4402 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4403 if (conn) { 4404 if (!ev->status) 4405 conn->role = ev->role; 4406 4407 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags); 4408 4409 hci_role_switch_cfm(conn, ev->status, ev->role); 4410 } 4411 4412 hci_dev_unlock(hdev); 4413 } 4414 4415 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data, 4416 struct sk_buff *skb) 4417 { 4418 struct hci_ev_num_comp_pkts *ev = data; 4419 int i; 4420 4421 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, 4422 flex_array_size(ev, handles, ev->num))) 4423 return; 4424 4425 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { 4426 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); 4427 return; 4428 } 4429 4430 bt_dev_dbg(hdev, "num %d", ev->num); 4431 4432 for (i = 0; i < ev->num; i++) { 4433 struct hci_comp_pkts_info *info = &ev->handles[i]; 4434 struct hci_conn *conn; 4435 __u16 handle, count; 4436 4437 handle = __le16_to_cpu(info->handle); 4438 count = __le16_to_cpu(info->count); 4439 4440 conn = hci_conn_hash_lookup_handle(hdev, handle); 4441 if (!conn) 4442 continue; 4443 4444 conn->sent -= count; 4445 4446 switch (conn->type) { 4447 case ACL_LINK: 4448 hdev->acl_cnt += count; 4449 if (hdev->acl_cnt > hdev->acl_pkts) 4450 hdev->acl_cnt = hdev->acl_pkts; 4451 break; 4452 4453 case LE_LINK: 4454 if (hdev->le_pkts) { 4455 hdev->le_cnt += count; 4456 if (hdev->le_cnt > hdev->le_pkts) 4457 hdev->le_cnt = hdev->le_pkts; 4458 } else { 4459 hdev->acl_cnt += count; 4460 if (hdev->acl_cnt > hdev->acl_pkts) 4461 hdev->acl_cnt = hdev->acl_pkts; 4462 } 4463 break; 4464 4465 case SCO_LINK: 4466 hdev->sco_cnt += count; 4467 if (hdev->sco_cnt > hdev->sco_pkts) 4468 hdev->sco_cnt = hdev->sco_pkts; 4469 break; 4470 4471 case ISO_LINK: 4472 if (hdev->iso_pkts) { 4473 hdev->iso_cnt += count; 4474 if (hdev->iso_cnt > hdev->iso_pkts) 4475 hdev->iso_cnt = hdev->iso_pkts; 4476 } else if (hdev->le_pkts) { 4477 hdev->le_cnt += count; 4478 if (hdev->le_cnt > hdev->le_pkts) 4479 hdev->le_cnt = hdev->le_pkts; 4480 } else { 4481 hdev->acl_cnt += count; 4482 if (hdev->acl_cnt > hdev->acl_pkts) 4483 hdev->acl_cnt = hdev->acl_pkts; 4484 } 4485 break; 4486 4487 default: 4488 bt_dev_err(hdev, "unknown type %d conn %p", 4489 conn->type, conn); 4490 break; 4491 } 4492 } 4493 4494 queue_work(hdev->workqueue, &hdev->tx_work); 4495 } 4496 4497 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev, 4498 __u16 handle) 4499 { 4500 struct hci_chan *chan; 4501 4502 switch (hdev->dev_type) { 4503 case HCI_PRIMARY: 4504 return hci_conn_hash_lookup_handle(hdev, handle); 4505 case HCI_AMP: 4506 chan = hci_chan_lookup_handle(hdev, handle); 4507 if (chan) 4508 return chan->conn; 4509 break; 4510 default: 4511 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type); 4512 break; 4513 } 4514 4515 return NULL; 4516 } 4517 4518 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data, 4519 struct sk_buff *skb) 4520 { 4521 struct hci_ev_num_comp_blocks *ev = data; 4522 int i; 4523 4524 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS, 4525 flex_array_size(ev, handles, ev->num_hndl))) 4526 return; 4527 4528 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) { 4529 bt_dev_err(hdev, "wrong event for mode %d", 4530 hdev->flow_ctl_mode); 4531 return; 4532 } 4533 4534 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks, 4535 ev->num_hndl); 4536 4537 for (i = 0; i < ev->num_hndl; i++) { 4538 struct hci_comp_blocks_info *info = &ev->handles[i]; 4539 struct hci_conn *conn = NULL; 4540 __u16 handle, block_count; 4541 4542 handle = __le16_to_cpu(info->handle); 4543 block_count = __le16_to_cpu(info->blocks); 4544 4545 conn = __hci_conn_lookup_handle(hdev, handle); 4546 if (!conn) 4547 continue; 4548 4549 conn->sent -= block_count; 4550 4551 switch (conn->type) { 4552 case ACL_LINK: 4553 case AMP_LINK: 4554 hdev->block_cnt += block_count; 4555 if (hdev->block_cnt > hdev->num_blocks) 4556 hdev->block_cnt = hdev->num_blocks; 4557 break; 4558 4559 default: 4560 bt_dev_err(hdev, "unknown type %d conn %p", 4561 conn->type, conn); 4562 break; 4563 } 4564 } 4565 4566 queue_work(hdev->workqueue, &hdev->tx_work); 4567 } 4568 4569 static void hci_mode_change_evt(struct hci_dev *hdev, void *data, 4570 struct sk_buff *skb) 4571 { 4572 struct hci_ev_mode_change *ev = data; 4573 struct hci_conn *conn; 4574 4575 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4576 4577 hci_dev_lock(hdev); 4578 4579 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4580 if (conn) { 4581 conn->mode = ev->mode; 4582 4583 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, 4584 &conn->flags)) { 4585 if (conn->mode == HCI_CM_ACTIVE) 4586 set_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4587 else 4588 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags); 4589 } 4590 4591 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags)) 4592 hci_sco_setup(conn, ev->status); 4593 } 4594 4595 hci_dev_unlock(hdev); 4596 } 4597 4598 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data, 4599 struct sk_buff *skb) 4600 { 4601 struct hci_ev_pin_code_req *ev = data; 4602 struct hci_conn *conn; 4603 4604 bt_dev_dbg(hdev, ""); 4605 4606 hci_dev_lock(hdev); 4607 4608 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4609 if (!conn) 4610 goto unlock; 4611 4612 if (conn->state == BT_CONNECTED) { 4613 hci_conn_hold(conn); 4614 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 4615 hci_conn_drop(conn); 4616 } 4617 4618 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 4619 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) { 4620 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, 4621 sizeof(ev->bdaddr), &ev->bdaddr); 4622 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) { 4623 u8 secure; 4624 4625 if (conn->pending_sec_level == BT_SECURITY_HIGH) 4626 secure = 1; 4627 else 4628 secure = 0; 4629 4630 mgmt_pin_code_request(hdev, &ev->bdaddr, secure); 4631 } 4632 4633 unlock: 4634 hci_dev_unlock(hdev); 4635 } 4636 4637 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len) 4638 { 4639 if (key_type == HCI_LK_CHANGED_COMBINATION) 4640 return; 4641 4642 conn->pin_length = pin_len; 4643 conn->key_type = key_type; 4644 4645 switch (key_type) { 4646 case HCI_LK_LOCAL_UNIT: 4647 case HCI_LK_REMOTE_UNIT: 4648 case HCI_LK_DEBUG_COMBINATION: 4649 return; 4650 case HCI_LK_COMBINATION: 4651 if (pin_len == 16) 4652 conn->pending_sec_level = BT_SECURITY_HIGH; 4653 else 4654 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4655 break; 4656 case HCI_LK_UNAUTH_COMBINATION_P192: 4657 case HCI_LK_UNAUTH_COMBINATION_P256: 4658 conn->pending_sec_level = BT_SECURITY_MEDIUM; 4659 break; 4660 case HCI_LK_AUTH_COMBINATION_P192: 4661 conn->pending_sec_level = BT_SECURITY_HIGH; 4662 break; 4663 case HCI_LK_AUTH_COMBINATION_P256: 4664 conn->pending_sec_level = BT_SECURITY_FIPS; 4665 break; 4666 } 4667 } 4668 4669 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data, 4670 struct sk_buff *skb) 4671 { 4672 struct hci_ev_link_key_req *ev = data; 4673 struct hci_cp_link_key_reply cp; 4674 struct hci_conn *conn; 4675 struct link_key *key; 4676 4677 bt_dev_dbg(hdev, ""); 4678 4679 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4680 return; 4681 4682 hci_dev_lock(hdev); 4683 4684 key = hci_find_link_key(hdev, &ev->bdaddr); 4685 if (!key) { 4686 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr); 4687 goto not_found; 4688 } 4689 4690 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr); 4691 4692 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4693 if (conn) { 4694 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4695 4696 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 || 4697 key->type == HCI_LK_UNAUTH_COMBINATION_P256) && 4698 conn->auth_type != 0xff && (conn->auth_type & 0x01)) { 4699 bt_dev_dbg(hdev, "ignoring unauthenticated key"); 4700 goto not_found; 4701 } 4702 4703 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 && 4704 (conn->pending_sec_level == BT_SECURITY_HIGH || 4705 conn->pending_sec_level == BT_SECURITY_FIPS)) { 4706 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security"); 4707 goto not_found; 4708 } 4709 4710 conn_set_key(conn, key->type, key->pin_len); 4711 } 4712 4713 bacpy(&cp.bdaddr, &ev->bdaddr); 4714 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE); 4715 4716 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp); 4717 4718 hci_dev_unlock(hdev); 4719 4720 return; 4721 4722 not_found: 4723 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr); 4724 hci_dev_unlock(hdev); 4725 } 4726 4727 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data, 4728 struct sk_buff *skb) 4729 { 4730 struct hci_ev_link_key_notify *ev = data; 4731 struct hci_conn *conn; 4732 struct link_key *key; 4733 bool persistent; 4734 u8 pin_len = 0; 4735 4736 bt_dev_dbg(hdev, ""); 4737 4738 hci_dev_lock(hdev); 4739 4740 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 4741 if (!conn) 4742 goto unlock; 4743 4744 hci_conn_hold(conn); 4745 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 4746 hci_conn_drop(conn); 4747 4748 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags); 4749 conn_set_key(conn, ev->key_type, conn->pin_length); 4750 4751 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 4752 goto unlock; 4753 4754 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key, 4755 ev->key_type, pin_len, &persistent); 4756 if (!key) 4757 goto unlock; 4758 4759 /* Update connection information since adding the key will have 4760 * fixed up the type in the case of changed combination keys. 4761 */ 4762 if (ev->key_type == HCI_LK_CHANGED_COMBINATION) 4763 conn_set_key(conn, key->type, key->pin_len); 4764 4765 mgmt_new_link_key(hdev, key, persistent); 4766 4767 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag 4768 * is set. If it's not set simply remove the key from the kernel 4769 * list (we've still notified user space about it but with 4770 * store_hint being 0). 4771 */ 4772 if (key->type == HCI_LK_DEBUG_COMBINATION && 4773 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) { 4774 list_del_rcu(&key->list); 4775 kfree_rcu(key, rcu); 4776 goto unlock; 4777 } 4778 4779 if (persistent) 4780 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4781 else 4782 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags); 4783 4784 unlock: 4785 hci_dev_unlock(hdev); 4786 } 4787 4788 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data, 4789 struct sk_buff *skb) 4790 { 4791 struct hci_ev_clock_offset *ev = data; 4792 struct hci_conn *conn; 4793 4794 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4795 4796 hci_dev_lock(hdev); 4797 4798 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4799 if (conn && !ev->status) { 4800 struct inquiry_entry *ie; 4801 4802 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4803 if (ie) { 4804 ie->data.clock_offset = ev->clock_offset; 4805 ie->timestamp = jiffies; 4806 } 4807 } 4808 4809 hci_dev_unlock(hdev); 4810 } 4811 4812 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data, 4813 struct sk_buff *skb) 4814 { 4815 struct hci_ev_pkt_type_change *ev = data; 4816 struct hci_conn *conn; 4817 4818 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4819 4820 hci_dev_lock(hdev); 4821 4822 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4823 if (conn && !ev->status) 4824 conn->pkt_type = __le16_to_cpu(ev->pkt_type); 4825 4826 hci_dev_unlock(hdev); 4827 } 4828 4829 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data, 4830 struct sk_buff *skb) 4831 { 4832 struct hci_ev_pscan_rep_mode *ev = data; 4833 struct inquiry_entry *ie; 4834 4835 bt_dev_dbg(hdev, ""); 4836 4837 hci_dev_lock(hdev); 4838 4839 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 4840 if (ie) { 4841 ie->data.pscan_rep_mode = ev->pscan_rep_mode; 4842 ie->timestamp = jiffies; 4843 } 4844 4845 hci_dev_unlock(hdev); 4846 } 4847 4848 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata, 4849 struct sk_buff *skb) 4850 { 4851 struct hci_ev_inquiry_result_rssi *ev = edata; 4852 struct inquiry_data data; 4853 int i; 4854 4855 bt_dev_dbg(hdev, "num_rsp %d", ev->num); 4856 4857 if (!ev->num) 4858 return; 4859 4860 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 4861 return; 4862 4863 hci_dev_lock(hdev); 4864 4865 if (skb->len == array_size(ev->num, 4866 sizeof(struct inquiry_info_rssi_pscan))) { 4867 struct inquiry_info_rssi_pscan *info; 4868 4869 for (i = 0; i < ev->num; i++) { 4870 u32 flags; 4871 4872 info = hci_ev_skb_pull(hdev, skb, 4873 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4874 sizeof(*info)); 4875 if (!info) { 4876 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4877 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4878 goto unlock; 4879 } 4880 4881 bacpy(&data.bdaddr, &info->bdaddr); 4882 data.pscan_rep_mode = info->pscan_rep_mode; 4883 data.pscan_period_mode = info->pscan_period_mode; 4884 data.pscan_mode = info->pscan_mode; 4885 memcpy(data.dev_class, info->dev_class, 3); 4886 data.clock_offset = info->clock_offset; 4887 data.rssi = info->rssi; 4888 data.ssp_mode = 0x00; 4889 4890 flags = hci_inquiry_cache_update(hdev, &data, false); 4891 4892 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4893 info->dev_class, info->rssi, 4894 flags, NULL, 0, NULL, 0, 0); 4895 } 4896 } else if (skb->len == array_size(ev->num, 4897 sizeof(struct inquiry_info_rssi))) { 4898 struct inquiry_info_rssi *info; 4899 4900 for (i = 0; i < ev->num; i++) { 4901 u32 flags; 4902 4903 info = hci_ev_skb_pull(hdev, skb, 4904 HCI_EV_INQUIRY_RESULT_WITH_RSSI, 4905 sizeof(*info)); 4906 if (!info) { 4907 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4908 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4909 goto unlock; 4910 } 4911 4912 bacpy(&data.bdaddr, &info->bdaddr); 4913 data.pscan_rep_mode = info->pscan_rep_mode; 4914 data.pscan_period_mode = info->pscan_period_mode; 4915 data.pscan_mode = 0x00; 4916 memcpy(data.dev_class, info->dev_class, 3); 4917 data.clock_offset = info->clock_offset; 4918 data.rssi = info->rssi; 4919 data.ssp_mode = 0x00; 4920 4921 flags = hci_inquiry_cache_update(hdev, &data, false); 4922 4923 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 4924 info->dev_class, info->rssi, 4925 flags, NULL, 0, NULL, 0, 0); 4926 } 4927 } else { 4928 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x", 4929 HCI_EV_INQUIRY_RESULT_WITH_RSSI); 4930 } 4931 unlock: 4932 hci_dev_unlock(hdev); 4933 } 4934 4935 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data, 4936 struct sk_buff *skb) 4937 { 4938 struct hci_ev_remote_ext_features *ev = data; 4939 struct hci_conn *conn; 4940 4941 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 4942 4943 hci_dev_lock(hdev); 4944 4945 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 4946 if (!conn) 4947 goto unlock; 4948 4949 if (ev->page < HCI_MAX_PAGES) 4950 memcpy(conn->features[ev->page], ev->features, 8); 4951 4952 if (!ev->status && ev->page == 0x01) { 4953 struct inquiry_entry *ie; 4954 4955 ie = hci_inquiry_cache_lookup(hdev, &conn->dst); 4956 if (ie) 4957 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 4958 4959 if (ev->features[0] & LMP_HOST_SSP) { 4960 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4961 } else { 4962 /* It is mandatory by the Bluetooth specification that 4963 * Extended Inquiry Results are only used when Secure 4964 * Simple Pairing is enabled, but some devices violate 4965 * this. 4966 * 4967 * To make these devices work, the internal SSP 4968 * enabled flag needs to be cleared if the remote host 4969 * features do not indicate SSP support */ 4970 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 4971 } 4972 4973 if (ev->features[0] & LMP_HOST_SC) 4974 set_bit(HCI_CONN_SC_ENABLED, &conn->flags); 4975 } 4976 4977 if (conn->state != BT_CONFIG) 4978 goto unlock; 4979 4980 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) { 4981 struct hci_cp_remote_name_req cp; 4982 memset(&cp, 0, sizeof(cp)); 4983 bacpy(&cp.bdaddr, &conn->dst); 4984 cp.pscan_rep_mode = 0x02; 4985 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp); 4986 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 4987 mgmt_device_connected(hdev, conn, NULL, 0); 4988 4989 if (!hci_outgoing_auth_needed(hdev, conn)) { 4990 conn->state = BT_CONNECTED; 4991 hci_connect_cfm(conn, ev->status); 4992 hci_conn_drop(conn); 4993 } 4994 4995 unlock: 4996 hci_dev_unlock(hdev); 4997 } 4998 4999 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data, 5000 struct sk_buff *skb) 5001 { 5002 struct hci_ev_sync_conn_complete *ev = data; 5003 struct hci_conn *conn; 5004 u8 status = ev->status; 5005 5006 switch (ev->link_type) { 5007 case SCO_LINK: 5008 case ESCO_LINK: 5009 break; 5010 default: 5011 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type 5012 * for HCI_Synchronous_Connection_Complete is limited to 5013 * either SCO or eSCO 5014 */ 5015 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type"); 5016 return; 5017 } 5018 5019 bt_dev_dbg(hdev, "status 0x%2.2x", status); 5020 5021 hci_dev_lock(hdev); 5022 5023 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr); 5024 if (!conn) { 5025 if (ev->link_type == ESCO_LINK) 5026 goto unlock; 5027 5028 /* When the link type in the event indicates SCO connection 5029 * and lookup of the connection object fails, then check 5030 * if an eSCO connection object exists. 5031 * 5032 * The core limits the synchronous connections to either 5033 * SCO or eSCO. The eSCO connection is preferred and tried 5034 * to be setup first and until successfully established, 5035 * the link type will be hinted as eSCO. 5036 */ 5037 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr); 5038 if (!conn) 5039 goto unlock; 5040 } 5041 5042 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection. 5043 * Processing it more than once per connection can corrupt kernel memory. 5044 * 5045 * As the connection handle is set here for the first time, it indicates 5046 * whether the connection is already set up. 5047 */ 5048 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5049 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection"); 5050 goto unlock; 5051 } 5052 5053 switch (status) { 5054 case 0x00: 5055 status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle)); 5056 if (status) { 5057 conn->state = BT_CLOSED; 5058 break; 5059 } 5060 5061 conn->state = BT_CONNECTED; 5062 conn->type = ev->link_type; 5063 5064 hci_debugfs_create_conn(conn); 5065 hci_conn_add_sysfs(conn); 5066 break; 5067 5068 case 0x10: /* Connection Accept Timeout */ 5069 case 0x0d: /* Connection Rejected due to Limited Resources */ 5070 case 0x11: /* Unsupported Feature or Parameter Value */ 5071 case 0x1c: /* SCO interval rejected */ 5072 case 0x1a: /* Unsupported Remote Feature */ 5073 case 0x1e: /* Invalid LMP Parameters */ 5074 case 0x1f: /* Unspecified error */ 5075 case 0x20: /* Unsupported LMP Parameter value */ 5076 if (conn->out) { 5077 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) | 5078 (hdev->esco_type & EDR_ESCO_MASK); 5079 if (hci_setup_sync(conn, conn->parent->handle)) 5080 goto unlock; 5081 } 5082 fallthrough; 5083 5084 default: 5085 conn->state = BT_CLOSED; 5086 break; 5087 } 5088 5089 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode); 5090 /* Notify only in case of SCO over HCI transport data path which 5091 * is zero and non-zero value shall be non-HCI transport data path 5092 */ 5093 if (conn->codec.data_path == 0 && hdev->notify) { 5094 switch (ev->air_mode) { 5095 case 0x02: 5096 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD); 5097 break; 5098 case 0x03: 5099 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP); 5100 break; 5101 } 5102 } 5103 5104 hci_connect_cfm(conn, status); 5105 if (status) 5106 hci_conn_del(conn); 5107 5108 unlock: 5109 hci_dev_unlock(hdev); 5110 } 5111 5112 static inline size_t eir_get_length(u8 *eir, size_t eir_len) 5113 { 5114 size_t parsed = 0; 5115 5116 while (parsed < eir_len) { 5117 u8 field_len = eir[0]; 5118 5119 if (field_len == 0) 5120 return parsed; 5121 5122 parsed += field_len + 1; 5123 eir += field_len + 1; 5124 } 5125 5126 return eir_len; 5127 } 5128 5129 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata, 5130 struct sk_buff *skb) 5131 { 5132 struct hci_ev_ext_inquiry_result *ev = edata; 5133 struct inquiry_data data; 5134 size_t eir_len; 5135 int i; 5136 5137 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT, 5138 flex_array_size(ev, info, ev->num))) 5139 return; 5140 5141 bt_dev_dbg(hdev, "num %d", ev->num); 5142 5143 if (!ev->num) 5144 return; 5145 5146 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) 5147 return; 5148 5149 hci_dev_lock(hdev); 5150 5151 for (i = 0; i < ev->num; i++) { 5152 struct extended_inquiry_info *info = &ev->info[i]; 5153 u32 flags; 5154 bool name_known; 5155 5156 bacpy(&data.bdaddr, &info->bdaddr); 5157 data.pscan_rep_mode = info->pscan_rep_mode; 5158 data.pscan_period_mode = info->pscan_period_mode; 5159 data.pscan_mode = 0x00; 5160 memcpy(data.dev_class, info->dev_class, 3); 5161 data.clock_offset = info->clock_offset; 5162 data.rssi = info->rssi; 5163 data.ssp_mode = 0x01; 5164 5165 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5166 name_known = eir_get_data(info->data, 5167 sizeof(info->data), 5168 EIR_NAME_COMPLETE, NULL); 5169 else 5170 name_known = true; 5171 5172 flags = hci_inquiry_cache_update(hdev, &data, name_known); 5173 5174 eir_len = eir_get_length(info->data, sizeof(info->data)); 5175 5176 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00, 5177 info->dev_class, info->rssi, 5178 flags, info->data, eir_len, NULL, 0, 0); 5179 } 5180 5181 hci_dev_unlock(hdev); 5182 } 5183 5184 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data, 5185 struct sk_buff *skb) 5186 { 5187 struct hci_ev_key_refresh_complete *ev = data; 5188 struct hci_conn *conn; 5189 5190 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status, 5191 __le16_to_cpu(ev->handle)); 5192 5193 hci_dev_lock(hdev); 5194 5195 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 5196 if (!conn) 5197 goto unlock; 5198 5199 /* For BR/EDR the necessary steps are taken through the 5200 * auth_complete event. 5201 */ 5202 if (conn->type != LE_LINK) 5203 goto unlock; 5204 5205 if (!ev->status) 5206 conn->sec_level = conn->pending_sec_level; 5207 5208 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags); 5209 5210 if (ev->status && conn->state == BT_CONNECTED) { 5211 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 5212 hci_conn_drop(conn); 5213 goto unlock; 5214 } 5215 5216 if (conn->state == BT_CONFIG) { 5217 if (!ev->status) 5218 conn->state = BT_CONNECTED; 5219 5220 hci_connect_cfm(conn, ev->status); 5221 hci_conn_drop(conn); 5222 } else { 5223 hci_auth_cfm(conn, ev->status); 5224 5225 hci_conn_hold(conn); 5226 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 5227 hci_conn_drop(conn); 5228 } 5229 5230 unlock: 5231 hci_dev_unlock(hdev); 5232 } 5233 5234 static u8 hci_get_auth_req(struct hci_conn *conn) 5235 { 5236 /* If remote requests no-bonding follow that lead */ 5237 if (conn->remote_auth == HCI_AT_NO_BONDING || 5238 conn->remote_auth == HCI_AT_NO_BONDING_MITM) 5239 return conn->remote_auth | (conn->auth_type & 0x01); 5240 5241 /* If both remote and local have enough IO capabilities, require 5242 * MITM protection 5243 */ 5244 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT && 5245 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) 5246 return conn->remote_auth | 0x01; 5247 5248 /* No MITM protection possible so ignore remote requirement */ 5249 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01); 5250 } 5251 5252 static u8 bredr_oob_data_present(struct hci_conn *conn) 5253 { 5254 struct hci_dev *hdev = conn->hdev; 5255 struct oob_data *data; 5256 5257 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR); 5258 if (!data) 5259 return 0x00; 5260 5261 if (bredr_sc_enabled(hdev)) { 5262 /* When Secure Connections is enabled, then just 5263 * return the present value stored with the OOB 5264 * data. The stored value contains the right present 5265 * information. However it can only be trusted when 5266 * not in Secure Connection Only mode. 5267 */ 5268 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY)) 5269 return data->present; 5270 5271 /* When Secure Connections Only mode is enabled, then 5272 * the P-256 values are required. If they are not 5273 * available, then do not declare that OOB data is 5274 * present. 5275 */ 5276 if (!memcmp(data->rand256, ZERO_KEY, 16) || 5277 !memcmp(data->hash256, ZERO_KEY, 16)) 5278 return 0x00; 5279 5280 return 0x02; 5281 } 5282 5283 /* When Secure Connections is not enabled or actually 5284 * not supported by the hardware, then check that if 5285 * P-192 data values are present. 5286 */ 5287 if (!memcmp(data->rand192, ZERO_KEY, 16) || 5288 !memcmp(data->hash192, ZERO_KEY, 16)) 5289 return 0x00; 5290 5291 return 0x01; 5292 } 5293 5294 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data, 5295 struct sk_buff *skb) 5296 { 5297 struct hci_ev_io_capa_request *ev = data; 5298 struct hci_conn *conn; 5299 5300 bt_dev_dbg(hdev, ""); 5301 5302 hci_dev_lock(hdev); 5303 5304 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5305 if (!conn) 5306 goto unlock; 5307 5308 hci_conn_hold(conn); 5309 5310 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5311 goto unlock; 5312 5313 /* Allow pairing if we're pairable, the initiators of the 5314 * pairing or if the remote is not requesting bonding. 5315 */ 5316 if (hci_dev_test_flag(hdev, HCI_BONDABLE) || 5317 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) || 5318 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) { 5319 struct hci_cp_io_capability_reply cp; 5320 5321 bacpy(&cp.bdaddr, &ev->bdaddr); 5322 /* Change the IO capability from KeyboardDisplay 5323 * to DisplayYesNo as it is not supported by BT spec. */ 5324 cp.capability = (conn->io_capability == 0x04) ? 5325 HCI_IO_DISPLAY_YESNO : conn->io_capability; 5326 5327 /* If we are initiators, there is no remote information yet */ 5328 if (conn->remote_auth == 0xff) { 5329 /* Request MITM protection if our IO caps allow it 5330 * except for the no-bonding case. 5331 */ 5332 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5333 conn->auth_type != HCI_AT_NO_BONDING) 5334 conn->auth_type |= 0x01; 5335 } else { 5336 conn->auth_type = hci_get_auth_req(conn); 5337 } 5338 5339 /* If we're not bondable, force one of the non-bondable 5340 * authentication requirement values. 5341 */ 5342 if (!hci_dev_test_flag(hdev, HCI_BONDABLE)) 5343 conn->auth_type &= HCI_AT_NO_BONDING_MITM; 5344 5345 cp.authentication = conn->auth_type; 5346 cp.oob_data = bredr_oob_data_present(conn); 5347 5348 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY, 5349 sizeof(cp), &cp); 5350 } else { 5351 struct hci_cp_io_capability_neg_reply cp; 5352 5353 bacpy(&cp.bdaddr, &ev->bdaddr); 5354 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED; 5355 5356 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY, 5357 sizeof(cp), &cp); 5358 } 5359 5360 unlock: 5361 hci_dev_unlock(hdev); 5362 } 5363 5364 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data, 5365 struct sk_buff *skb) 5366 { 5367 struct hci_ev_io_capa_reply *ev = data; 5368 struct hci_conn *conn; 5369 5370 bt_dev_dbg(hdev, ""); 5371 5372 hci_dev_lock(hdev); 5373 5374 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5375 if (!conn) 5376 goto unlock; 5377 5378 conn->remote_cap = ev->capability; 5379 conn->remote_auth = ev->authentication; 5380 5381 unlock: 5382 hci_dev_unlock(hdev); 5383 } 5384 5385 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data, 5386 struct sk_buff *skb) 5387 { 5388 struct hci_ev_user_confirm_req *ev = data; 5389 int loc_mitm, rem_mitm, confirm_hint = 0; 5390 struct hci_conn *conn; 5391 5392 bt_dev_dbg(hdev, ""); 5393 5394 hci_dev_lock(hdev); 5395 5396 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5397 goto unlock; 5398 5399 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5400 if (!conn) 5401 goto unlock; 5402 5403 loc_mitm = (conn->auth_type & 0x01); 5404 rem_mitm = (conn->remote_auth & 0x01); 5405 5406 /* If we require MITM but the remote device can't provide that 5407 * (it has NoInputNoOutput) then reject the confirmation 5408 * request. We check the security level here since it doesn't 5409 * necessarily match conn->auth_type. 5410 */ 5411 if (conn->pending_sec_level > BT_SECURITY_MEDIUM && 5412 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) { 5413 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM"); 5414 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY, 5415 sizeof(ev->bdaddr), &ev->bdaddr); 5416 goto unlock; 5417 } 5418 5419 /* If no side requires MITM protection; auto-accept */ 5420 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) && 5421 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) { 5422 5423 /* If we're not the initiators request authorization to 5424 * proceed from user space (mgmt_user_confirm with 5425 * confirm_hint set to 1). The exception is if neither 5426 * side had MITM or if the local IO capability is 5427 * NoInputNoOutput, in which case we do auto-accept 5428 */ 5429 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && 5430 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT && 5431 (loc_mitm || rem_mitm)) { 5432 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor"); 5433 confirm_hint = 1; 5434 goto confirm; 5435 } 5436 5437 /* If there already exists link key in local host, leave the 5438 * decision to user space since the remote device could be 5439 * legitimate or malicious. 5440 */ 5441 if (hci_find_link_key(hdev, &ev->bdaddr)) { 5442 bt_dev_dbg(hdev, "Local host already has link key"); 5443 confirm_hint = 1; 5444 goto confirm; 5445 } 5446 5447 BT_DBG("Auto-accept of user confirmation with %ums delay", 5448 hdev->auto_accept_delay); 5449 5450 if (hdev->auto_accept_delay > 0) { 5451 int delay = msecs_to_jiffies(hdev->auto_accept_delay); 5452 queue_delayed_work(conn->hdev->workqueue, 5453 &conn->auto_accept_work, delay); 5454 goto unlock; 5455 } 5456 5457 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, 5458 sizeof(ev->bdaddr), &ev->bdaddr); 5459 goto unlock; 5460 } 5461 5462 confirm: 5463 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, 5464 le32_to_cpu(ev->passkey), confirm_hint); 5465 5466 unlock: 5467 hci_dev_unlock(hdev); 5468 } 5469 5470 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data, 5471 struct sk_buff *skb) 5472 { 5473 struct hci_ev_user_passkey_req *ev = data; 5474 5475 bt_dev_dbg(hdev, ""); 5476 5477 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5478 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0); 5479 } 5480 5481 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data, 5482 struct sk_buff *skb) 5483 { 5484 struct hci_ev_user_passkey_notify *ev = data; 5485 struct hci_conn *conn; 5486 5487 bt_dev_dbg(hdev, ""); 5488 5489 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5490 if (!conn) 5491 return; 5492 5493 conn->passkey_notify = __le32_to_cpu(ev->passkey); 5494 conn->passkey_entered = 0; 5495 5496 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5497 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5498 conn->dst_type, conn->passkey_notify, 5499 conn->passkey_entered); 5500 } 5501 5502 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data, 5503 struct sk_buff *skb) 5504 { 5505 struct hci_ev_keypress_notify *ev = data; 5506 struct hci_conn *conn; 5507 5508 bt_dev_dbg(hdev, ""); 5509 5510 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5511 if (!conn) 5512 return; 5513 5514 switch (ev->type) { 5515 case HCI_KEYPRESS_STARTED: 5516 conn->passkey_entered = 0; 5517 return; 5518 5519 case HCI_KEYPRESS_ENTERED: 5520 conn->passkey_entered++; 5521 break; 5522 5523 case HCI_KEYPRESS_ERASED: 5524 conn->passkey_entered--; 5525 break; 5526 5527 case HCI_KEYPRESS_CLEARED: 5528 conn->passkey_entered = 0; 5529 break; 5530 5531 case HCI_KEYPRESS_COMPLETED: 5532 return; 5533 } 5534 5535 if (hci_dev_test_flag(hdev, HCI_MGMT)) 5536 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type, 5537 conn->dst_type, conn->passkey_notify, 5538 conn->passkey_entered); 5539 } 5540 5541 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data, 5542 struct sk_buff *skb) 5543 { 5544 struct hci_ev_simple_pair_complete *ev = data; 5545 struct hci_conn *conn; 5546 5547 bt_dev_dbg(hdev, ""); 5548 5549 hci_dev_lock(hdev); 5550 5551 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5552 if (!conn) 5553 goto unlock; 5554 5555 /* Reset the authentication requirement to unknown */ 5556 conn->remote_auth = 0xff; 5557 5558 /* To avoid duplicate auth_failed events to user space we check 5559 * the HCI_CONN_AUTH_PEND flag which will be set if we 5560 * initiated the authentication. A traditional auth_complete 5561 * event gets always produced as initiator and is also mapped to 5562 * the mgmt_auth_failed event */ 5563 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status) 5564 mgmt_auth_failed(conn, ev->status); 5565 5566 hci_conn_drop(conn); 5567 5568 unlock: 5569 hci_dev_unlock(hdev); 5570 } 5571 5572 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data, 5573 struct sk_buff *skb) 5574 { 5575 struct hci_ev_remote_host_features *ev = data; 5576 struct inquiry_entry *ie; 5577 struct hci_conn *conn; 5578 5579 bt_dev_dbg(hdev, ""); 5580 5581 hci_dev_lock(hdev); 5582 5583 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); 5584 if (conn) 5585 memcpy(conn->features[1], ev->features, 8); 5586 5587 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 5588 if (ie) 5589 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 5590 5591 hci_dev_unlock(hdev); 5592 } 5593 5594 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata, 5595 struct sk_buff *skb) 5596 { 5597 struct hci_ev_remote_oob_data_request *ev = edata; 5598 struct oob_data *data; 5599 5600 bt_dev_dbg(hdev, ""); 5601 5602 hci_dev_lock(hdev); 5603 5604 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 5605 goto unlock; 5606 5607 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR); 5608 if (!data) { 5609 struct hci_cp_remote_oob_data_neg_reply cp; 5610 5611 bacpy(&cp.bdaddr, &ev->bdaddr); 5612 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, 5613 sizeof(cp), &cp); 5614 goto unlock; 5615 } 5616 5617 if (bredr_sc_enabled(hdev)) { 5618 struct hci_cp_remote_oob_ext_data_reply cp; 5619 5620 bacpy(&cp.bdaddr, &ev->bdaddr); 5621 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 5622 memset(cp.hash192, 0, sizeof(cp.hash192)); 5623 memset(cp.rand192, 0, sizeof(cp.rand192)); 5624 } else { 5625 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192)); 5626 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192)); 5627 } 5628 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256)); 5629 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256)); 5630 5631 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY, 5632 sizeof(cp), &cp); 5633 } else { 5634 struct hci_cp_remote_oob_data_reply cp; 5635 5636 bacpy(&cp.bdaddr, &ev->bdaddr); 5637 memcpy(cp.hash, data->hash192, sizeof(cp.hash)); 5638 memcpy(cp.rand, data->rand192, sizeof(cp.rand)); 5639 5640 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, 5641 sizeof(cp), &cp); 5642 } 5643 5644 unlock: 5645 hci_dev_unlock(hdev); 5646 } 5647 5648 #if IS_ENABLED(CONFIG_BT_HS) 5649 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data, 5650 struct sk_buff *skb) 5651 { 5652 struct hci_ev_channel_selected *ev = data; 5653 struct hci_conn *hcon; 5654 5655 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle); 5656 5657 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5658 if (!hcon) 5659 return; 5660 5661 amp_read_loc_assoc_final_data(hdev, hcon); 5662 } 5663 5664 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data, 5665 struct sk_buff *skb) 5666 { 5667 struct hci_ev_phy_link_complete *ev = data; 5668 struct hci_conn *hcon, *bredr_hcon; 5669 5670 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle, 5671 ev->status); 5672 5673 hci_dev_lock(hdev); 5674 5675 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5676 if (!hcon) 5677 goto unlock; 5678 5679 if (!hcon->amp_mgr) 5680 goto unlock; 5681 5682 if (ev->status) { 5683 hci_conn_del(hcon); 5684 goto unlock; 5685 } 5686 5687 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon; 5688 5689 hcon->state = BT_CONNECTED; 5690 bacpy(&hcon->dst, &bredr_hcon->dst); 5691 5692 hci_conn_hold(hcon); 5693 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 5694 hci_conn_drop(hcon); 5695 5696 hci_debugfs_create_conn(hcon); 5697 hci_conn_add_sysfs(hcon); 5698 5699 amp_physical_cfm(bredr_hcon, hcon); 5700 5701 unlock: 5702 hci_dev_unlock(hdev); 5703 } 5704 5705 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data, 5706 struct sk_buff *skb) 5707 { 5708 struct hci_ev_logical_link_complete *ev = data; 5709 struct hci_conn *hcon; 5710 struct hci_chan *hchan; 5711 struct amp_mgr *mgr; 5712 5713 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x", 5714 le16_to_cpu(ev->handle), ev->phy_handle, ev->status); 5715 5716 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5717 if (!hcon) 5718 return; 5719 5720 /* Create AMP hchan */ 5721 hchan = hci_chan_create(hcon); 5722 if (!hchan) 5723 return; 5724 5725 hchan->handle = le16_to_cpu(ev->handle); 5726 hchan->amp = true; 5727 5728 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); 5729 5730 mgr = hcon->amp_mgr; 5731 if (mgr && mgr->bredr_chan) { 5732 struct l2cap_chan *bredr_chan = mgr->bredr_chan; 5733 5734 l2cap_chan_lock(bredr_chan); 5735 5736 bredr_chan->conn->mtu = hdev->block_mtu; 5737 l2cap_logical_cfm(bredr_chan, hchan, 0); 5738 hci_conn_hold(hcon); 5739 5740 l2cap_chan_unlock(bredr_chan); 5741 } 5742 } 5743 5744 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data, 5745 struct sk_buff *skb) 5746 { 5747 struct hci_ev_disconn_logical_link_complete *ev = data; 5748 struct hci_chan *hchan; 5749 5750 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", 5751 le16_to_cpu(ev->handle), ev->status); 5752 5753 if (ev->status) 5754 return; 5755 5756 hci_dev_lock(hdev); 5757 5758 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); 5759 if (!hchan || !hchan->amp) 5760 goto unlock; 5761 5762 amp_destroy_logical_link(hchan, ev->reason); 5763 5764 unlock: 5765 hci_dev_unlock(hdev); 5766 } 5767 5768 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data, 5769 struct sk_buff *skb) 5770 { 5771 struct hci_ev_disconn_phy_link_complete *ev = data; 5772 struct hci_conn *hcon; 5773 5774 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 5775 5776 if (ev->status) 5777 return; 5778 5779 hci_dev_lock(hdev); 5780 5781 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle); 5782 if (hcon && hcon->type == AMP_LINK) { 5783 hcon->state = BT_CLOSED; 5784 hci_disconn_cfm(hcon, ev->reason); 5785 hci_conn_del(hcon); 5786 } 5787 5788 hci_dev_unlock(hdev); 5789 } 5790 #endif 5791 5792 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr, 5793 u8 bdaddr_type, bdaddr_t *local_rpa) 5794 { 5795 if (conn->out) { 5796 conn->dst_type = bdaddr_type; 5797 conn->resp_addr_type = bdaddr_type; 5798 bacpy(&conn->resp_addr, bdaddr); 5799 5800 /* Check if the controller has set a Local RPA then it must be 5801 * used instead or hdev->rpa. 5802 */ 5803 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5804 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5805 bacpy(&conn->init_addr, local_rpa); 5806 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) { 5807 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5808 bacpy(&conn->init_addr, &conn->hdev->rpa); 5809 } else { 5810 hci_copy_identity_address(conn->hdev, &conn->init_addr, 5811 &conn->init_addr_type); 5812 } 5813 } else { 5814 conn->resp_addr_type = conn->hdev->adv_addr_type; 5815 /* Check if the controller has set a Local RPA then it must be 5816 * used instead or hdev->rpa. 5817 */ 5818 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) { 5819 conn->resp_addr_type = ADDR_LE_DEV_RANDOM; 5820 bacpy(&conn->resp_addr, local_rpa); 5821 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) { 5822 /* In case of ext adv, resp_addr will be updated in 5823 * Adv Terminated event. 5824 */ 5825 if (!ext_adv_capable(conn->hdev)) 5826 bacpy(&conn->resp_addr, 5827 &conn->hdev->random_addr); 5828 } else { 5829 bacpy(&conn->resp_addr, &conn->hdev->bdaddr); 5830 } 5831 5832 conn->init_addr_type = bdaddr_type; 5833 bacpy(&conn->init_addr, bdaddr); 5834 5835 /* For incoming connections, set the default minimum 5836 * and maximum connection interval. They will be used 5837 * to check if the parameters are in range and if not 5838 * trigger the connection update procedure. 5839 */ 5840 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval; 5841 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval; 5842 } 5843 } 5844 5845 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, 5846 bdaddr_t *bdaddr, u8 bdaddr_type, 5847 bdaddr_t *local_rpa, u8 role, u16 handle, 5848 u16 interval, u16 latency, 5849 u16 supervision_timeout) 5850 { 5851 struct hci_conn_params *params; 5852 struct hci_conn *conn; 5853 struct smp_irk *irk; 5854 u8 addr_type; 5855 5856 hci_dev_lock(hdev); 5857 5858 /* All controllers implicitly stop advertising in the event of a 5859 * connection, so ensure that the state bit is cleared. 5860 */ 5861 hci_dev_clear_flag(hdev, HCI_LE_ADV); 5862 5863 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr); 5864 if (!conn) { 5865 /* In case of error status and there is no connection pending 5866 * just unlock as there is nothing to cleanup. 5867 */ 5868 if (status) 5869 goto unlock; 5870 5871 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role); 5872 if (!conn) { 5873 bt_dev_err(hdev, "no memory for new connection"); 5874 goto unlock; 5875 } 5876 5877 conn->dst_type = bdaddr_type; 5878 5879 /* If we didn't have a hci_conn object previously 5880 * but we're in central role this must be something 5881 * initiated using an accept list. Since accept list based 5882 * connections are not "first class citizens" we don't 5883 * have full tracking of them. Therefore, we go ahead 5884 * with a "best effort" approach of determining the 5885 * initiator address based on the HCI_PRIVACY flag. 5886 */ 5887 if (conn->out) { 5888 conn->resp_addr_type = bdaddr_type; 5889 bacpy(&conn->resp_addr, bdaddr); 5890 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) { 5891 conn->init_addr_type = ADDR_LE_DEV_RANDOM; 5892 bacpy(&conn->init_addr, &hdev->rpa); 5893 } else { 5894 hci_copy_identity_address(hdev, 5895 &conn->init_addr, 5896 &conn->init_addr_type); 5897 } 5898 } 5899 } else { 5900 cancel_delayed_work(&conn->le_conn_timeout); 5901 } 5902 5903 /* The HCI_LE_Connection_Complete event is only sent once per connection. 5904 * Processing it more than once per connection can corrupt kernel memory. 5905 * 5906 * As the connection handle is set here for the first time, it indicates 5907 * whether the connection is already set up. 5908 */ 5909 if (!HCI_CONN_HANDLE_UNSET(conn->handle)) { 5910 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection"); 5911 goto unlock; 5912 } 5913 5914 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa); 5915 5916 /* Lookup the identity address from the stored connection 5917 * address and address type. 5918 * 5919 * When establishing connections to an identity address, the 5920 * connection procedure will store the resolvable random 5921 * address first. Now if it can be converted back into the 5922 * identity address, start using the identity address from 5923 * now on. 5924 */ 5925 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type); 5926 if (irk) { 5927 bacpy(&conn->dst, &irk->bdaddr); 5928 conn->dst_type = irk->addr_type; 5929 } 5930 5931 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL); 5932 5933 if (handle > HCI_CONN_HANDLE_MAX) { 5934 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", handle, 5935 HCI_CONN_HANDLE_MAX); 5936 status = HCI_ERROR_INVALID_PARAMETERS; 5937 } 5938 5939 /* All connection failure handling is taken care of by the 5940 * hci_conn_failed function which is triggered by the HCI 5941 * request completion callbacks used for connecting. 5942 */ 5943 if (status) 5944 goto unlock; 5945 5946 /* Drop the connection if it has been aborted */ 5947 if (test_bit(HCI_CONN_CANCEL, &conn->flags)) { 5948 hci_conn_drop(conn); 5949 goto unlock; 5950 } 5951 5952 if (conn->dst_type == ADDR_LE_DEV_PUBLIC) 5953 addr_type = BDADDR_LE_PUBLIC; 5954 else 5955 addr_type = BDADDR_LE_RANDOM; 5956 5957 /* Drop the connection if the device is blocked */ 5958 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) { 5959 hci_conn_drop(conn); 5960 goto unlock; 5961 } 5962 5963 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) 5964 mgmt_device_connected(hdev, conn, NULL, 0); 5965 5966 conn->sec_level = BT_SECURITY_LOW; 5967 conn->handle = handle; 5968 conn->state = BT_CONFIG; 5969 5970 /* Store current advertising instance as connection advertising instance 5971 * when sotfware rotation is in use so it can be re-enabled when 5972 * disconnected. 5973 */ 5974 if (!ext_adv_capable(hdev)) 5975 conn->adv_instance = hdev->cur_adv_instance; 5976 5977 conn->le_conn_interval = interval; 5978 conn->le_conn_latency = latency; 5979 conn->le_supv_timeout = supervision_timeout; 5980 5981 hci_debugfs_create_conn(conn); 5982 hci_conn_add_sysfs(conn); 5983 5984 /* The remote features procedure is defined for central 5985 * role only. So only in case of an initiated connection 5986 * request the remote features. 5987 * 5988 * If the local controller supports peripheral-initiated features 5989 * exchange, then requesting the remote features in peripheral 5990 * role is possible. Otherwise just transition into the 5991 * connected state without requesting the remote features. 5992 */ 5993 if (conn->out || 5994 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) { 5995 struct hci_cp_le_read_remote_features cp; 5996 5997 cp.handle = __cpu_to_le16(conn->handle); 5998 5999 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES, 6000 sizeof(cp), &cp); 6001 6002 hci_conn_hold(conn); 6003 } else { 6004 conn->state = BT_CONNECTED; 6005 hci_connect_cfm(conn, status); 6006 } 6007 6008 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, 6009 conn->dst_type); 6010 if (params) { 6011 hci_pend_le_list_del_init(params); 6012 if (params->conn) { 6013 hci_conn_drop(params->conn); 6014 hci_conn_put(params->conn); 6015 params->conn = NULL; 6016 } 6017 } 6018 6019 unlock: 6020 hci_update_passive_scan(hdev); 6021 hci_dev_unlock(hdev); 6022 } 6023 6024 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data, 6025 struct sk_buff *skb) 6026 { 6027 struct hci_ev_le_conn_complete *ev = data; 6028 6029 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6030 6031 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 6032 NULL, ev->role, le16_to_cpu(ev->handle), 6033 le16_to_cpu(ev->interval), 6034 le16_to_cpu(ev->latency), 6035 le16_to_cpu(ev->supervision_timeout)); 6036 } 6037 6038 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data, 6039 struct sk_buff *skb) 6040 { 6041 struct hci_ev_le_enh_conn_complete *ev = data; 6042 6043 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6044 6045 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type, 6046 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle), 6047 le16_to_cpu(ev->interval), 6048 le16_to_cpu(ev->latency), 6049 le16_to_cpu(ev->supervision_timeout)); 6050 } 6051 6052 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data, 6053 struct sk_buff *skb) 6054 { 6055 struct hci_evt_le_ext_adv_set_term *ev = data; 6056 struct hci_conn *conn; 6057 struct adv_info *adv, *n; 6058 6059 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6060 6061 /* The Bluetooth Core 5.3 specification clearly states that this event 6062 * shall not be sent when the Host disables the advertising set. So in 6063 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event. 6064 * 6065 * When the Host disables an advertising set, all cleanup is done via 6066 * its command callback and not needed to be duplicated here. 6067 */ 6068 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) { 6069 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event"); 6070 return; 6071 } 6072 6073 hci_dev_lock(hdev); 6074 6075 adv = hci_find_adv_instance(hdev, ev->handle); 6076 6077 if (ev->status) { 6078 if (!adv) 6079 goto unlock; 6080 6081 /* Remove advertising as it has been terminated */ 6082 hci_remove_adv_instance(hdev, ev->handle); 6083 mgmt_advertising_removed(NULL, hdev, ev->handle); 6084 6085 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) { 6086 if (adv->enabled) 6087 goto unlock; 6088 } 6089 6090 /* We are no longer advertising, clear HCI_LE_ADV */ 6091 hci_dev_clear_flag(hdev, HCI_LE_ADV); 6092 goto unlock; 6093 } 6094 6095 if (adv) 6096 adv->enabled = false; 6097 6098 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); 6099 if (conn) { 6100 /* Store handle in the connection so the correct advertising 6101 * instance can be re-enabled when disconnected. 6102 */ 6103 conn->adv_instance = ev->handle; 6104 6105 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM || 6106 bacmp(&conn->resp_addr, BDADDR_ANY)) 6107 goto unlock; 6108 6109 if (!ev->handle) { 6110 bacpy(&conn->resp_addr, &hdev->random_addr); 6111 goto unlock; 6112 } 6113 6114 if (adv) 6115 bacpy(&conn->resp_addr, &adv->random_addr); 6116 } 6117 6118 unlock: 6119 hci_dev_unlock(hdev); 6120 } 6121 6122 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data, 6123 struct sk_buff *skb) 6124 { 6125 struct hci_ev_le_conn_update_complete *ev = data; 6126 struct hci_conn *conn; 6127 6128 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6129 6130 if (ev->status) 6131 return; 6132 6133 hci_dev_lock(hdev); 6134 6135 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6136 if (conn) { 6137 conn->le_conn_interval = le16_to_cpu(ev->interval); 6138 conn->le_conn_latency = le16_to_cpu(ev->latency); 6139 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout); 6140 } 6141 6142 hci_dev_unlock(hdev); 6143 } 6144 6145 /* This function requires the caller holds hdev->lock */ 6146 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev, 6147 bdaddr_t *addr, 6148 u8 addr_type, bool addr_resolved, 6149 u8 adv_type) 6150 { 6151 struct hci_conn *conn; 6152 struct hci_conn_params *params; 6153 6154 /* If the event is not connectable don't proceed further */ 6155 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND) 6156 return NULL; 6157 6158 /* Ignore if the device is blocked or hdev is suspended */ 6159 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) || 6160 hdev->suspended) 6161 return NULL; 6162 6163 /* Most controller will fail if we try to create new connections 6164 * while we have an existing one in peripheral role. 6165 */ 6166 if (hdev->conn_hash.le_num_peripheral > 0 && 6167 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) || 6168 !(hdev->le_states[3] & 0x10))) 6169 return NULL; 6170 6171 /* If we're not connectable only connect devices that we have in 6172 * our pend_le_conns list. 6173 */ 6174 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr, 6175 addr_type); 6176 if (!params) 6177 return NULL; 6178 6179 if (!params->explicit_connect) { 6180 switch (params->auto_connect) { 6181 case HCI_AUTO_CONN_DIRECT: 6182 /* Only devices advertising with ADV_DIRECT_IND are 6183 * triggering a connection attempt. This is allowing 6184 * incoming connections from peripheral devices. 6185 */ 6186 if (adv_type != LE_ADV_DIRECT_IND) 6187 return NULL; 6188 break; 6189 case HCI_AUTO_CONN_ALWAYS: 6190 /* Devices advertising with ADV_IND or ADV_DIRECT_IND 6191 * are triggering a connection attempt. This means 6192 * that incoming connections from peripheral device are 6193 * accepted and also outgoing connections to peripheral 6194 * devices are established when found. 6195 */ 6196 break; 6197 default: 6198 return NULL; 6199 } 6200 } 6201 6202 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved, 6203 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout, 6204 HCI_ROLE_MASTER); 6205 if (!IS_ERR(conn)) { 6206 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned 6207 * by higher layer that tried to connect, if no then 6208 * store the pointer since we don't really have any 6209 * other owner of the object besides the params that 6210 * triggered it. This way we can abort the connection if 6211 * the parameters get removed and keep the reference 6212 * count consistent once the connection is established. 6213 */ 6214 6215 if (!params->explicit_connect) 6216 params->conn = hci_conn_get(conn); 6217 6218 return conn; 6219 } 6220 6221 switch (PTR_ERR(conn)) { 6222 case -EBUSY: 6223 /* If hci_connect() returns -EBUSY it means there is already 6224 * an LE connection attempt going on. Since controllers don't 6225 * support more than one connection attempt at the time, we 6226 * don't consider this an error case. 6227 */ 6228 break; 6229 default: 6230 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn)); 6231 return NULL; 6232 } 6233 6234 return NULL; 6235 } 6236 6237 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr, 6238 u8 bdaddr_type, bdaddr_t *direct_addr, 6239 u8 direct_addr_type, s8 rssi, u8 *data, u8 len, 6240 bool ext_adv, bool ctl_time, u64 instant) 6241 { 6242 struct discovery_state *d = &hdev->discovery; 6243 struct smp_irk *irk; 6244 struct hci_conn *conn; 6245 bool match, bdaddr_resolved; 6246 u32 flags; 6247 u8 *ptr; 6248 6249 switch (type) { 6250 case LE_ADV_IND: 6251 case LE_ADV_DIRECT_IND: 6252 case LE_ADV_SCAN_IND: 6253 case LE_ADV_NONCONN_IND: 6254 case LE_ADV_SCAN_RSP: 6255 break; 6256 default: 6257 bt_dev_err_ratelimited(hdev, "unknown advertising packet " 6258 "type: 0x%02x", type); 6259 return; 6260 } 6261 6262 if (len > max_adv_len(hdev)) { 6263 bt_dev_err_ratelimited(hdev, 6264 "adv larger than maximum supported"); 6265 return; 6266 } 6267 6268 /* Find the end of the data in case the report contains padded zero 6269 * bytes at the end causing an invalid length value. 6270 * 6271 * When data is NULL, len is 0 so there is no need for extra ptr 6272 * check as 'ptr < data + 0' is already false in such case. 6273 */ 6274 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) { 6275 if (ptr + 1 + *ptr > data + len) 6276 break; 6277 } 6278 6279 /* Adjust for actual length. This handles the case when remote 6280 * device is advertising with incorrect data length. 6281 */ 6282 len = ptr - data; 6283 6284 /* If the direct address is present, then this report is from 6285 * a LE Direct Advertising Report event. In that case it is 6286 * important to see if the address is matching the local 6287 * controller address. 6288 */ 6289 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) { 6290 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type, 6291 &bdaddr_resolved); 6292 6293 /* Only resolvable random addresses are valid for these 6294 * kind of reports and others can be ignored. 6295 */ 6296 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type)) 6297 return; 6298 6299 /* If the controller is not using resolvable random 6300 * addresses, then this report can be ignored. 6301 */ 6302 if (!hci_dev_test_flag(hdev, HCI_PRIVACY)) 6303 return; 6304 6305 /* If the local IRK of the controller does not match 6306 * with the resolvable random address provided, then 6307 * this report can be ignored. 6308 */ 6309 if (!smp_irk_matches(hdev, hdev->irk, direct_addr)) 6310 return; 6311 } 6312 6313 /* Check if we need to convert to identity address */ 6314 irk = hci_get_irk(hdev, bdaddr, bdaddr_type); 6315 if (irk) { 6316 bdaddr = &irk->bdaddr; 6317 bdaddr_type = irk->addr_type; 6318 } 6319 6320 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved); 6321 6322 /* Check if we have been requested to connect to this device. 6323 * 6324 * direct_addr is set only for directed advertising reports (it is NULL 6325 * for advertising reports) and is already verified to be RPA above. 6326 */ 6327 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved, 6328 type); 6329 if (!ext_adv && conn && type == LE_ADV_IND && 6330 len <= max_adv_len(hdev)) { 6331 /* Store report for later inclusion by 6332 * mgmt_device_connected 6333 */ 6334 memcpy(conn->le_adv_data, data, len); 6335 conn->le_adv_data_len = len; 6336 } 6337 6338 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND) 6339 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE; 6340 else 6341 flags = 0; 6342 6343 /* All scan results should be sent up for Mesh systems */ 6344 if (hci_dev_test_flag(hdev, HCI_MESH)) { 6345 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6346 rssi, flags, data, len, NULL, 0, instant); 6347 return; 6348 } 6349 6350 /* Passive scanning shouldn't trigger any device found events, 6351 * except for devices marked as CONN_REPORT for which we do send 6352 * device found events, or advertisement monitoring requested. 6353 */ 6354 if (hdev->le_scan_type == LE_SCAN_PASSIVE) { 6355 if (type == LE_ADV_DIRECT_IND) 6356 return; 6357 6358 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports, 6359 bdaddr, bdaddr_type) && 6360 idr_is_empty(&hdev->adv_monitors_idr)) 6361 return; 6362 6363 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6364 rssi, flags, data, len, NULL, 0, 0); 6365 return; 6366 } 6367 6368 /* When receiving a scan response, then there is no way to 6369 * know if the remote device is connectable or not. However 6370 * since scan responses are merged with a previously seen 6371 * advertising report, the flags field from that report 6372 * will be used. 6373 * 6374 * In the unlikely case that a controller just sends a scan 6375 * response event that doesn't match the pending report, then 6376 * it is marked as a standalone SCAN_RSP. 6377 */ 6378 if (type == LE_ADV_SCAN_RSP) 6379 flags = MGMT_DEV_FOUND_SCAN_RSP; 6380 6381 /* If there's nothing pending either store the data from this 6382 * event or send an immediate device found event if the data 6383 * should not be stored for later. 6384 */ 6385 if (!ext_adv && !has_pending_adv_report(hdev)) { 6386 /* If the report will trigger a SCAN_REQ store it for 6387 * later merging. 6388 */ 6389 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) { 6390 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6391 rssi, flags, data, len); 6392 return; 6393 } 6394 6395 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6396 rssi, flags, data, len, NULL, 0, 0); 6397 return; 6398 } 6399 6400 /* Check if the pending report is for the same device as the new one */ 6401 match = (!bacmp(bdaddr, &d->last_adv_addr) && 6402 bdaddr_type == d->last_adv_addr_type); 6403 6404 /* If the pending data doesn't match this report or this isn't a 6405 * scan response (e.g. we got a duplicate ADV_IND) then force 6406 * sending of the pending data. 6407 */ 6408 if (type != LE_ADV_SCAN_RSP || !match) { 6409 /* Send out whatever is in the cache, but skip duplicates */ 6410 if (!match) 6411 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6412 d->last_adv_addr_type, NULL, 6413 d->last_adv_rssi, d->last_adv_flags, 6414 d->last_adv_data, 6415 d->last_adv_data_len, NULL, 0, 0); 6416 6417 /* If the new report will trigger a SCAN_REQ store it for 6418 * later merging. 6419 */ 6420 if (!ext_adv && (type == LE_ADV_IND || 6421 type == LE_ADV_SCAN_IND)) { 6422 store_pending_adv_report(hdev, bdaddr, bdaddr_type, 6423 rssi, flags, data, len); 6424 return; 6425 } 6426 6427 /* The advertising reports cannot be merged, so clear 6428 * the pending report and send out a device found event. 6429 */ 6430 clear_pending_adv_report(hdev); 6431 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL, 6432 rssi, flags, data, len, NULL, 0, 0); 6433 return; 6434 } 6435 6436 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and 6437 * the new event is a SCAN_RSP. We can therefore proceed with 6438 * sending a merged device found event. 6439 */ 6440 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK, 6441 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags, 6442 d->last_adv_data, d->last_adv_data_len, data, len, 0); 6443 clear_pending_adv_report(hdev); 6444 } 6445 6446 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data, 6447 struct sk_buff *skb) 6448 { 6449 struct hci_ev_le_advertising_report *ev = data; 6450 u64 instant = jiffies; 6451 6452 if (!ev->num) 6453 return; 6454 6455 hci_dev_lock(hdev); 6456 6457 while (ev->num--) { 6458 struct hci_ev_le_advertising_info *info; 6459 s8 rssi; 6460 6461 info = hci_le_ev_skb_pull(hdev, skb, 6462 HCI_EV_LE_ADVERTISING_REPORT, 6463 sizeof(*info)); 6464 if (!info) 6465 break; 6466 6467 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT, 6468 info->length + 1)) 6469 break; 6470 6471 if (info->length <= max_adv_len(hdev)) { 6472 rssi = info->data[info->length]; 6473 process_adv_report(hdev, info->type, &info->bdaddr, 6474 info->bdaddr_type, NULL, 0, rssi, 6475 info->data, info->length, false, 6476 false, instant); 6477 } else { 6478 bt_dev_err(hdev, "Dropping invalid advertising data"); 6479 } 6480 } 6481 6482 hci_dev_unlock(hdev); 6483 } 6484 6485 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 6486 { 6487 if (evt_type & LE_EXT_ADV_LEGACY_PDU) { 6488 switch (evt_type) { 6489 case LE_LEGACY_ADV_IND: 6490 return LE_ADV_IND; 6491 case LE_LEGACY_ADV_DIRECT_IND: 6492 return LE_ADV_DIRECT_IND; 6493 case LE_LEGACY_ADV_SCAN_IND: 6494 return LE_ADV_SCAN_IND; 6495 case LE_LEGACY_NONCONN_IND: 6496 return LE_ADV_NONCONN_IND; 6497 case LE_LEGACY_SCAN_RSP_ADV: 6498 case LE_LEGACY_SCAN_RSP_ADV_SCAN: 6499 return LE_ADV_SCAN_RSP; 6500 } 6501 6502 goto invalid; 6503 } 6504 6505 if (evt_type & LE_EXT_ADV_CONN_IND) { 6506 if (evt_type & LE_EXT_ADV_DIRECT_IND) 6507 return LE_ADV_DIRECT_IND; 6508 6509 return LE_ADV_IND; 6510 } 6511 6512 if (evt_type & LE_EXT_ADV_SCAN_RSP) 6513 return LE_ADV_SCAN_RSP; 6514 6515 if (evt_type & LE_EXT_ADV_SCAN_IND) 6516 return LE_ADV_SCAN_IND; 6517 6518 if (evt_type == LE_EXT_ADV_NON_CONN_IND || 6519 evt_type & LE_EXT_ADV_DIRECT_IND) 6520 return LE_ADV_NONCONN_IND; 6521 6522 invalid: 6523 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x", 6524 evt_type); 6525 6526 return LE_ADV_INVALID; 6527 } 6528 6529 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data, 6530 struct sk_buff *skb) 6531 { 6532 struct hci_ev_le_ext_adv_report *ev = data; 6533 u64 instant = jiffies; 6534 6535 if (!ev->num) 6536 return; 6537 6538 hci_dev_lock(hdev); 6539 6540 while (ev->num--) { 6541 struct hci_ev_le_ext_adv_info *info; 6542 u8 legacy_evt_type; 6543 u16 evt_type; 6544 6545 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6546 sizeof(*info)); 6547 if (!info) 6548 break; 6549 6550 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT, 6551 info->length)) 6552 break; 6553 6554 evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK; 6555 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); 6556 if (legacy_evt_type != LE_ADV_INVALID) { 6557 process_adv_report(hdev, legacy_evt_type, &info->bdaddr, 6558 info->bdaddr_type, NULL, 0, 6559 info->rssi, info->data, info->length, 6560 !(evt_type & LE_EXT_ADV_LEGACY_PDU), 6561 false, instant); 6562 } 6563 } 6564 6565 hci_dev_unlock(hdev); 6566 } 6567 6568 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle) 6569 { 6570 struct hci_cp_le_pa_term_sync cp; 6571 6572 memset(&cp, 0, sizeof(cp)); 6573 cp.handle = handle; 6574 6575 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp); 6576 } 6577 6578 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data, 6579 struct sk_buff *skb) 6580 { 6581 struct hci_ev_le_pa_sync_established *ev = data; 6582 int mask = hdev->link_mode; 6583 __u8 flags = 0; 6584 struct hci_conn *bis; 6585 6586 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6587 6588 hci_dev_lock(hdev); 6589 6590 hci_dev_clear_flag(hdev, HCI_PA_SYNC); 6591 6592 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags); 6593 if (!(mask & HCI_LM_ACCEPT)) { 6594 hci_le_pa_term_sync(hdev, ev->handle); 6595 goto unlock; 6596 } 6597 6598 if (!(flags & HCI_PROTO_DEFER)) 6599 goto unlock; 6600 6601 /* Add connection to indicate the PA sync event */ 6602 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY, 6603 HCI_ROLE_SLAVE); 6604 6605 if (!bis) 6606 goto unlock; 6607 6608 if (ev->status) 6609 set_bit(HCI_CONN_PA_SYNC_FAILED, &bis->flags); 6610 else 6611 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 6612 6613 /* Notify connection to iso layer */ 6614 hci_connect_cfm(bis, ev->status); 6615 6616 unlock: 6617 hci_dev_unlock(hdev); 6618 } 6619 6620 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data, 6621 struct sk_buff *skb) 6622 { 6623 struct hci_ev_le_per_adv_report *ev = data; 6624 int mask = hdev->link_mode; 6625 __u8 flags = 0; 6626 6627 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 6628 6629 hci_dev_lock(hdev); 6630 6631 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 6632 if (!(mask & HCI_LM_ACCEPT)) 6633 hci_le_pa_term_sync(hdev, ev->sync_handle); 6634 6635 hci_dev_unlock(hdev); 6636 } 6637 6638 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data, 6639 struct sk_buff *skb) 6640 { 6641 struct hci_ev_le_remote_feat_complete *ev = data; 6642 struct hci_conn *conn; 6643 6644 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6645 6646 hci_dev_lock(hdev); 6647 6648 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6649 if (conn) { 6650 if (!ev->status) 6651 memcpy(conn->features[0], ev->features, 8); 6652 6653 if (conn->state == BT_CONFIG) { 6654 __u8 status; 6655 6656 /* If the local controller supports peripheral-initiated 6657 * features exchange, but the remote controller does 6658 * not, then it is possible that the error code 0x1a 6659 * for unsupported remote feature gets returned. 6660 * 6661 * In this specific case, allow the connection to 6662 * transition into connected state and mark it as 6663 * successful. 6664 */ 6665 if (!conn->out && ev->status == 0x1a && 6666 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) 6667 status = 0x00; 6668 else 6669 status = ev->status; 6670 6671 conn->state = BT_CONNECTED; 6672 hci_connect_cfm(conn, status); 6673 hci_conn_drop(conn); 6674 } 6675 } 6676 6677 hci_dev_unlock(hdev); 6678 } 6679 6680 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data, 6681 struct sk_buff *skb) 6682 { 6683 struct hci_ev_le_ltk_req *ev = data; 6684 struct hci_cp_le_ltk_reply cp; 6685 struct hci_cp_le_ltk_neg_reply neg; 6686 struct hci_conn *conn; 6687 struct smp_ltk *ltk; 6688 6689 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6690 6691 hci_dev_lock(hdev); 6692 6693 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6694 if (conn == NULL) 6695 goto not_found; 6696 6697 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role); 6698 if (!ltk) 6699 goto not_found; 6700 6701 if (smp_ltk_is_sc(ltk)) { 6702 /* With SC both EDiv and Rand are set to zero */ 6703 if (ev->ediv || ev->rand) 6704 goto not_found; 6705 } else { 6706 /* For non-SC keys check that EDiv and Rand match */ 6707 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand) 6708 goto not_found; 6709 } 6710 6711 memcpy(cp.ltk, ltk->val, ltk->enc_size); 6712 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size); 6713 cp.handle = cpu_to_le16(conn->handle); 6714 6715 conn->pending_sec_level = smp_ltk_sec_level(ltk); 6716 6717 conn->enc_key_size = ltk->enc_size; 6718 6719 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); 6720 6721 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a 6722 * temporary key used to encrypt a connection following 6723 * pairing. It is used during the Encrypted Session Setup to 6724 * distribute the keys. Later, security can be re-established 6725 * using a distributed LTK. 6726 */ 6727 if (ltk->type == SMP_STK) { 6728 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6729 list_del_rcu(<k->list); 6730 kfree_rcu(ltk, rcu); 6731 } else { 6732 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags); 6733 } 6734 6735 hci_dev_unlock(hdev); 6736 6737 return; 6738 6739 not_found: 6740 neg.handle = ev->handle; 6741 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg); 6742 hci_dev_unlock(hdev); 6743 } 6744 6745 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle, 6746 u8 reason) 6747 { 6748 struct hci_cp_le_conn_param_req_neg_reply cp; 6749 6750 cp.handle = cpu_to_le16(handle); 6751 cp.reason = reason; 6752 6753 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp), 6754 &cp); 6755 } 6756 6757 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, 6758 struct sk_buff *skb) 6759 { 6760 struct hci_ev_le_remote_conn_param_req *ev = data; 6761 struct hci_cp_le_conn_param_req_reply cp; 6762 struct hci_conn *hcon; 6763 u16 handle, min, max, latency, timeout; 6764 6765 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle)); 6766 6767 handle = le16_to_cpu(ev->handle); 6768 min = le16_to_cpu(ev->interval_min); 6769 max = le16_to_cpu(ev->interval_max); 6770 latency = le16_to_cpu(ev->latency); 6771 timeout = le16_to_cpu(ev->timeout); 6772 6773 hcon = hci_conn_hash_lookup_handle(hdev, handle); 6774 if (!hcon || hcon->state != BT_CONNECTED) 6775 return send_conn_param_neg_reply(hdev, handle, 6776 HCI_ERROR_UNKNOWN_CONN_ID); 6777 6778 if (hci_check_conn_params(min, max, latency, timeout)) 6779 return send_conn_param_neg_reply(hdev, handle, 6780 HCI_ERROR_INVALID_LL_PARAMS); 6781 6782 if (hcon->role == HCI_ROLE_MASTER) { 6783 struct hci_conn_params *params; 6784 u8 store_hint; 6785 6786 hci_dev_lock(hdev); 6787 6788 params = hci_conn_params_lookup(hdev, &hcon->dst, 6789 hcon->dst_type); 6790 if (params) { 6791 params->conn_min_interval = min; 6792 params->conn_max_interval = max; 6793 params->conn_latency = latency; 6794 params->supervision_timeout = timeout; 6795 store_hint = 0x01; 6796 } else { 6797 store_hint = 0x00; 6798 } 6799 6800 hci_dev_unlock(hdev); 6801 6802 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, 6803 store_hint, min, max, latency, timeout); 6804 } 6805 6806 cp.handle = ev->handle; 6807 cp.interval_min = ev->interval_min; 6808 cp.interval_max = ev->interval_max; 6809 cp.latency = ev->latency; 6810 cp.timeout = ev->timeout; 6811 cp.min_ce_len = 0; 6812 cp.max_ce_len = 0; 6813 6814 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); 6815 } 6816 6817 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, 6818 struct sk_buff *skb) 6819 { 6820 struct hci_ev_le_direct_adv_report *ev = data; 6821 u64 instant = jiffies; 6822 int i; 6823 6824 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT, 6825 flex_array_size(ev, info, ev->num))) 6826 return; 6827 6828 if (!ev->num) 6829 return; 6830 6831 hci_dev_lock(hdev); 6832 6833 for (i = 0; i < ev->num; i++) { 6834 struct hci_ev_le_direct_adv_info *info = &ev->info[i]; 6835 6836 process_adv_report(hdev, info->type, &info->bdaddr, 6837 info->bdaddr_type, &info->direct_addr, 6838 info->direct_addr_type, info->rssi, NULL, 0, 6839 false, false, instant); 6840 } 6841 6842 hci_dev_unlock(hdev); 6843 } 6844 6845 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data, 6846 struct sk_buff *skb) 6847 { 6848 struct hci_ev_le_phy_update_complete *ev = data; 6849 struct hci_conn *conn; 6850 6851 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6852 6853 if (ev->status) 6854 return; 6855 6856 hci_dev_lock(hdev); 6857 6858 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle)); 6859 if (!conn) 6860 goto unlock; 6861 6862 conn->le_tx_phy = ev->tx_phy; 6863 conn->le_rx_phy = ev->rx_phy; 6864 6865 unlock: 6866 hci_dev_unlock(hdev); 6867 } 6868 6869 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data, 6870 struct sk_buff *skb) 6871 { 6872 struct hci_evt_le_cis_established *ev = data; 6873 struct hci_conn *conn; 6874 struct bt_iso_qos *qos; 6875 bool pending = false; 6876 u16 handle = __le16_to_cpu(ev->handle); 6877 6878 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 6879 6880 hci_dev_lock(hdev); 6881 6882 conn = hci_conn_hash_lookup_handle(hdev, handle); 6883 if (!conn) { 6884 bt_dev_err(hdev, 6885 "Unable to find connection with handle 0x%4.4x", 6886 handle); 6887 goto unlock; 6888 } 6889 6890 if (conn->type != ISO_LINK) { 6891 bt_dev_err(hdev, 6892 "Invalid connection link type handle 0x%4.4x", 6893 handle); 6894 goto unlock; 6895 } 6896 6897 qos = &conn->iso_qos; 6898 6899 pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags); 6900 6901 /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */ 6902 qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250; 6903 qos->ucast.out.interval = qos->ucast.in.interval; 6904 6905 switch (conn->role) { 6906 case HCI_ROLE_SLAVE: 6907 /* Convert Transport Latency (us) to Latency (msec) */ 6908 qos->ucast.in.latency = 6909 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6910 1000); 6911 qos->ucast.out.latency = 6912 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6913 1000); 6914 qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu); 6915 qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu); 6916 qos->ucast.in.phy = ev->c_phy; 6917 qos->ucast.out.phy = ev->p_phy; 6918 break; 6919 case HCI_ROLE_MASTER: 6920 /* Convert Transport Latency (us) to Latency (msec) */ 6921 qos->ucast.out.latency = 6922 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency), 6923 1000); 6924 qos->ucast.in.latency = 6925 DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency), 6926 1000); 6927 qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu); 6928 qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu); 6929 qos->ucast.out.phy = ev->c_phy; 6930 qos->ucast.in.phy = ev->p_phy; 6931 break; 6932 } 6933 6934 if (!ev->status) { 6935 conn->state = BT_CONNECTED; 6936 hci_debugfs_create_conn(conn); 6937 hci_conn_add_sysfs(conn); 6938 hci_iso_setup_path(conn); 6939 goto unlock; 6940 } 6941 6942 conn->state = BT_CLOSED; 6943 hci_connect_cfm(conn, ev->status); 6944 hci_conn_del(conn); 6945 6946 unlock: 6947 if (pending) 6948 hci_le_create_cis_pending(hdev); 6949 6950 hci_dev_unlock(hdev); 6951 } 6952 6953 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle) 6954 { 6955 struct hci_cp_le_reject_cis cp; 6956 6957 memset(&cp, 0, sizeof(cp)); 6958 cp.handle = handle; 6959 cp.reason = HCI_ERROR_REJ_BAD_ADDR; 6960 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp); 6961 } 6962 6963 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle) 6964 { 6965 struct hci_cp_le_accept_cis cp; 6966 6967 memset(&cp, 0, sizeof(cp)); 6968 cp.handle = handle; 6969 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp); 6970 } 6971 6972 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data, 6973 struct sk_buff *skb) 6974 { 6975 struct hci_evt_le_cis_req *ev = data; 6976 u16 acl_handle, cis_handle; 6977 struct hci_conn *acl, *cis; 6978 int mask; 6979 __u8 flags = 0; 6980 6981 acl_handle = __le16_to_cpu(ev->acl_handle); 6982 cis_handle = __le16_to_cpu(ev->cis_handle); 6983 6984 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x", 6985 acl_handle, cis_handle, ev->cig_id, ev->cis_id); 6986 6987 hci_dev_lock(hdev); 6988 6989 acl = hci_conn_hash_lookup_handle(hdev, acl_handle); 6990 if (!acl) 6991 goto unlock; 6992 6993 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags); 6994 if (!(mask & HCI_LM_ACCEPT)) { 6995 hci_le_reject_cis(hdev, ev->cis_handle); 6996 goto unlock; 6997 } 6998 6999 cis = hci_conn_hash_lookup_handle(hdev, cis_handle); 7000 if (!cis) { 7001 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE); 7002 if (!cis) { 7003 hci_le_reject_cis(hdev, ev->cis_handle); 7004 goto unlock; 7005 } 7006 cis->handle = cis_handle; 7007 } 7008 7009 cis->iso_qos.ucast.cig = ev->cig_id; 7010 cis->iso_qos.ucast.cis = ev->cis_id; 7011 7012 if (!(flags & HCI_PROTO_DEFER)) { 7013 hci_le_accept_cis(hdev, ev->cis_handle); 7014 } else { 7015 cis->state = BT_CONNECT2; 7016 hci_connect_cfm(cis, 0); 7017 } 7018 7019 unlock: 7020 hci_dev_unlock(hdev); 7021 } 7022 7023 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, 7024 struct sk_buff *skb) 7025 { 7026 struct hci_evt_le_create_big_complete *ev = data; 7027 struct hci_conn *conn; 7028 __u8 i = 0; 7029 7030 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); 7031 7032 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE, 7033 flex_array_size(ev, bis_handle, ev->num_bis))) 7034 return; 7035 7036 hci_dev_lock(hdev); 7037 rcu_read_lock(); 7038 7039 /* Connect all BISes that are bound to the BIG */ 7040 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) { 7041 if (bacmp(&conn->dst, BDADDR_ANY) || 7042 conn->type != ISO_LINK || 7043 conn->iso_qos.bcast.big != ev->handle) 7044 continue; 7045 7046 if (hci_conn_set_handle(conn, 7047 __le16_to_cpu(ev->bis_handle[i++]))) 7048 continue; 7049 7050 if (!ev->status) { 7051 conn->state = BT_CONNECTED; 7052 set_bit(HCI_CONN_BIG_CREATED, &conn->flags); 7053 rcu_read_unlock(); 7054 hci_debugfs_create_conn(conn); 7055 hci_conn_add_sysfs(conn); 7056 hci_iso_setup_path(conn); 7057 rcu_read_lock(); 7058 continue; 7059 } 7060 7061 hci_connect_cfm(conn, ev->status); 7062 rcu_read_unlock(); 7063 hci_conn_del(conn); 7064 rcu_read_lock(); 7065 } 7066 7067 if (!ev->status && !i) 7068 /* If no BISes have been connected for the BIG, 7069 * terminate. This is in case all bound connections 7070 * have been closed before the BIG creation 7071 * has completed. 7072 */ 7073 hci_le_terminate_big_sync(hdev, ev->handle, 7074 HCI_ERROR_LOCAL_HOST_TERM); 7075 7076 rcu_read_unlock(); 7077 hci_dev_unlock(hdev); 7078 } 7079 7080 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, 7081 struct sk_buff *skb) 7082 { 7083 struct hci_evt_le_big_sync_estabilished *ev = data; 7084 struct hci_conn *bis; 7085 struct hci_conn *pa_sync; 7086 int i; 7087 7088 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status); 7089 7090 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 7091 flex_array_size(ev, bis, ev->num_bis))) 7092 return; 7093 7094 hci_dev_lock(hdev); 7095 7096 if (!ev->status) { 7097 pa_sync = hci_conn_hash_lookup_pa_sync(hdev, ev->handle); 7098 if (pa_sync) 7099 /* Also mark the BIG sync established event on the 7100 * associated PA sync hcon 7101 */ 7102 set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags); 7103 } 7104 7105 for (i = 0; i < ev->num_bis; i++) { 7106 u16 handle = le16_to_cpu(ev->bis[i]); 7107 __le32 interval; 7108 7109 bis = hci_conn_hash_lookup_handle(hdev, handle); 7110 if (!bis) { 7111 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY, 7112 HCI_ROLE_SLAVE); 7113 if (!bis) 7114 continue; 7115 bis->handle = handle; 7116 } 7117 7118 if (ev->status != 0x42) 7119 /* Mark PA sync as established */ 7120 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 7121 7122 bis->iso_qos.bcast.big = ev->handle; 7123 memset(&interval, 0, sizeof(interval)); 7124 memcpy(&interval, ev->latency, sizeof(ev->latency)); 7125 bis->iso_qos.bcast.in.interval = le32_to_cpu(interval); 7126 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */ 7127 bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100; 7128 bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu); 7129 7130 if (!ev->status) { 7131 set_bit(HCI_CONN_BIG_SYNC, &bis->flags); 7132 hci_iso_setup_path(bis); 7133 } 7134 } 7135 7136 /* In case BIG sync failed, notify each failed connection to 7137 * the user after all hci connections have been added 7138 */ 7139 if (ev->status) 7140 for (i = 0; i < ev->num_bis; i++) { 7141 u16 handle = le16_to_cpu(ev->bis[i]); 7142 7143 bis = hci_conn_hash_lookup_handle(hdev, handle); 7144 7145 set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags); 7146 hci_connect_cfm(bis, ev->status); 7147 } 7148 7149 hci_dev_unlock(hdev); 7150 } 7151 7152 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data, 7153 struct sk_buff *skb) 7154 { 7155 struct hci_evt_le_big_info_adv_report *ev = data; 7156 int mask = hdev->link_mode; 7157 __u8 flags = 0; 7158 7159 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle)); 7160 7161 hci_dev_lock(hdev); 7162 7163 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags); 7164 if (!(mask & HCI_LM_ACCEPT)) 7165 hci_le_pa_term_sync(hdev, ev->sync_handle); 7166 7167 hci_dev_unlock(hdev); 7168 } 7169 7170 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \ 7171 [_op] = { \ 7172 .func = _func, \ 7173 .min_len = _min_len, \ 7174 .max_len = _max_len, \ 7175 } 7176 7177 #define HCI_LE_EV(_op, _func, _len) \ 7178 HCI_LE_EV_VL(_op, _func, _len, _len) 7179 7180 #define HCI_LE_EV_STATUS(_op, _func) \ 7181 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status)) 7182 7183 /* Entries in this table shall have their position according to the subevent 7184 * opcode they handle so the use of the macros above is recommend since it does 7185 * attempt to initialize at its proper index using Designated Initializers that 7186 * way events without a callback function can be ommited. 7187 */ 7188 static const struct hci_le_ev { 7189 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb); 7190 u16 min_len; 7191 u16 max_len; 7192 } hci_le_ev_table[U8_MAX + 1] = { 7193 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */ 7194 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt, 7195 sizeof(struct hci_ev_le_conn_complete)), 7196 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */ 7197 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt, 7198 sizeof(struct hci_ev_le_advertising_report), 7199 HCI_MAX_EVENT_SIZE), 7200 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */ 7201 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE, 7202 hci_le_conn_update_complete_evt, 7203 sizeof(struct hci_ev_le_conn_update_complete)), 7204 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */ 7205 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE, 7206 hci_le_remote_feat_complete_evt, 7207 sizeof(struct hci_ev_le_remote_feat_complete)), 7208 /* [0x05 = HCI_EV_LE_LTK_REQ] */ 7209 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt, 7210 sizeof(struct hci_ev_le_ltk_req)), 7211 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */ 7212 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ, 7213 hci_le_remote_conn_param_req_evt, 7214 sizeof(struct hci_ev_le_remote_conn_param_req)), 7215 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */ 7216 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE, 7217 hci_le_enh_conn_complete_evt, 7218 sizeof(struct hci_ev_le_enh_conn_complete)), 7219 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */ 7220 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt, 7221 sizeof(struct hci_ev_le_direct_adv_report), 7222 HCI_MAX_EVENT_SIZE), 7223 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */ 7224 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt, 7225 sizeof(struct hci_ev_le_phy_update_complete)), 7226 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */ 7227 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt, 7228 sizeof(struct hci_ev_le_ext_adv_report), 7229 HCI_MAX_EVENT_SIZE), 7230 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */ 7231 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED, 7232 hci_le_pa_sync_estabilished_evt, 7233 sizeof(struct hci_ev_le_pa_sync_established)), 7234 /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */ 7235 HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT, 7236 hci_le_per_adv_report_evt, 7237 sizeof(struct hci_ev_le_per_adv_report), 7238 HCI_MAX_EVENT_SIZE), 7239 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */ 7240 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt, 7241 sizeof(struct hci_evt_le_ext_adv_set_term)), 7242 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */ 7243 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt, 7244 sizeof(struct hci_evt_le_cis_established)), 7245 /* [0x1a = HCI_EVT_LE_CIS_REQ] */ 7246 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt, 7247 sizeof(struct hci_evt_le_cis_req)), 7248 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */ 7249 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE, 7250 hci_le_create_big_complete_evt, 7251 sizeof(struct hci_evt_le_create_big_complete), 7252 HCI_MAX_EVENT_SIZE), 7253 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */ 7254 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED, 7255 hci_le_big_sync_established_evt, 7256 sizeof(struct hci_evt_le_big_sync_estabilished), 7257 HCI_MAX_EVENT_SIZE), 7258 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */ 7259 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT, 7260 hci_le_big_info_adv_report_evt, 7261 sizeof(struct hci_evt_le_big_info_adv_report), 7262 HCI_MAX_EVENT_SIZE), 7263 }; 7264 7265 static void hci_le_meta_evt(struct hci_dev *hdev, void *data, 7266 struct sk_buff *skb, u16 *opcode, u8 *status, 7267 hci_req_complete_t *req_complete, 7268 hci_req_complete_skb_t *req_complete_skb) 7269 { 7270 struct hci_ev_le_meta *ev = data; 7271 const struct hci_le_ev *subev; 7272 7273 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent); 7274 7275 /* Only match event if command OGF is for LE */ 7276 if (hdev->sent_cmd && 7277 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 && 7278 hci_skb_event(hdev->sent_cmd) == ev->subevent) { 7279 *opcode = hci_skb_opcode(hdev->sent_cmd); 7280 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete, 7281 req_complete_skb); 7282 } 7283 7284 subev = &hci_le_ev_table[ev->subevent]; 7285 if (!subev->func) 7286 return; 7287 7288 if (skb->len < subev->min_len) { 7289 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u", 7290 ev->subevent, skb->len, subev->min_len); 7291 return; 7292 } 7293 7294 /* Just warn if the length is over max_len size it still be 7295 * possible to partially parse the event so leave to callback to 7296 * decide if that is acceptable. 7297 */ 7298 if (skb->len > subev->max_len) 7299 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u", 7300 ev->subevent, skb->len, subev->max_len); 7301 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len); 7302 if (!data) 7303 return; 7304 7305 subev->func(hdev, data, skb); 7306 } 7307 7308 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, 7309 u8 event, struct sk_buff *skb) 7310 { 7311 struct hci_ev_cmd_complete *ev; 7312 struct hci_event_hdr *hdr; 7313 7314 if (!skb) 7315 return false; 7316 7317 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr)); 7318 if (!hdr) 7319 return false; 7320 7321 if (event) { 7322 if (hdr->evt != event) 7323 return false; 7324 return true; 7325 } 7326 7327 /* Check if request ended in Command Status - no way to retrieve 7328 * any extra parameters in this case. 7329 */ 7330 if (hdr->evt == HCI_EV_CMD_STATUS) 7331 return false; 7332 7333 if (hdr->evt != HCI_EV_CMD_COMPLETE) { 7334 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)", 7335 hdr->evt); 7336 return false; 7337 } 7338 7339 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev)); 7340 if (!ev) 7341 return false; 7342 7343 if (opcode != __le16_to_cpu(ev->opcode)) { 7344 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode, 7345 __le16_to_cpu(ev->opcode)); 7346 return false; 7347 } 7348 7349 return true; 7350 } 7351 7352 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 7353 struct sk_buff *skb) 7354 { 7355 struct hci_ev_le_advertising_info *adv; 7356 struct hci_ev_le_direct_adv_info *direct_adv; 7357 struct hci_ev_le_ext_adv_info *ext_adv; 7358 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; 7359 const struct hci_ev_conn_request *conn_request = (void *)skb->data; 7360 7361 hci_dev_lock(hdev); 7362 7363 /* If we are currently suspended and this is the first BT event seen, 7364 * save the wake reason associated with the event. 7365 */ 7366 if (!hdev->suspended || hdev->wake_reason) 7367 goto unlock; 7368 7369 /* Default to remote wake. Values for wake_reason are documented in the 7370 * Bluez mgmt api docs. 7371 */ 7372 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE; 7373 7374 /* Once configured for remote wakeup, we should only wake up for 7375 * reconnections. It's useful to see which device is waking us up so 7376 * keep track of the bdaddr of the connection event that woke us up. 7377 */ 7378 if (event == HCI_EV_CONN_REQUEST) { 7379 bacpy(&hdev->wake_addr, &conn_complete->bdaddr); 7380 hdev->wake_addr_type = BDADDR_BREDR; 7381 } else if (event == HCI_EV_CONN_COMPLETE) { 7382 bacpy(&hdev->wake_addr, &conn_request->bdaddr); 7383 hdev->wake_addr_type = BDADDR_BREDR; 7384 } else if (event == HCI_EV_LE_META) { 7385 struct hci_ev_le_meta *le_ev = (void *)skb->data; 7386 u8 subevent = le_ev->subevent; 7387 u8 *ptr = &skb->data[sizeof(*le_ev)]; 7388 u8 num_reports = *ptr; 7389 7390 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT || 7391 subevent == HCI_EV_LE_DIRECT_ADV_REPORT || 7392 subevent == HCI_EV_LE_EXT_ADV_REPORT) && 7393 num_reports) { 7394 adv = (void *)(ptr + 1); 7395 direct_adv = (void *)(ptr + 1); 7396 ext_adv = (void *)(ptr + 1); 7397 7398 switch (subevent) { 7399 case HCI_EV_LE_ADVERTISING_REPORT: 7400 bacpy(&hdev->wake_addr, &adv->bdaddr); 7401 hdev->wake_addr_type = adv->bdaddr_type; 7402 break; 7403 case HCI_EV_LE_DIRECT_ADV_REPORT: 7404 bacpy(&hdev->wake_addr, &direct_adv->bdaddr); 7405 hdev->wake_addr_type = direct_adv->bdaddr_type; 7406 break; 7407 case HCI_EV_LE_EXT_ADV_REPORT: 7408 bacpy(&hdev->wake_addr, &ext_adv->bdaddr); 7409 hdev->wake_addr_type = ext_adv->bdaddr_type; 7410 break; 7411 } 7412 } 7413 } else { 7414 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED; 7415 } 7416 7417 unlock: 7418 hci_dev_unlock(hdev); 7419 } 7420 7421 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \ 7422 [_op] = { \ 7423 .req = false, \ 7424 .func = _func, \ 7425 .min_len = _min_len, \ 7426 .max_len = _max_len, \ 7427 } 7428 7429 #define HCI_EV(_op, _func, _len) \ 7430 HCI_EV_VL(_op, _func, _len, _len) 7431 7432 #define HCI_EV_STATUS(_op, _func) \ 7433 HCI_EV(_op, _func, sizeof(struct hci_ev_status)) 7434 7435 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \ 7436 [_op] = { \ 7437 .req = true, \ 7438 .func_req = _func, \ 7439 .min_len = _min_len, \ 7440 .max_len = _max_len, \ 7441 } 7442 7443 #define HCI_EV_REQ(_op, _func, _len) \ 7444 HCI_EV_REQ_VL(_op, _func, _len, _len) 7445 7446 /* Entries in this table shall have their position according to the event opcode 7447 * they handle so the use of the macros above is recommend since it does attempt 7448 * to initialize at its proper index using Designated Initializers that way 7449 * events without a callback function don't have entered. 7450 */ 7451 static const struct hci_ev { 7452 bool req; 7453 union { 7454 void (*func)(struct hci_dev *hdev, void *data, 7455 struct sk_buff *skb); 7456 void (*func_req)(struct hci_dev *hdev, void *data, 7457 struct sk_buff *skb, u16 *opcode, u8 *status, 7458 hci_req_complete_t *req_complete, 7459 hci_req_complete_skb_t *req_complete_skb); 7460 }; 7461 u16 min_len; 7462 u16 max_len; 7463 } hci_ev_table[U8_MAX + 1] = { 7464 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */ 7465 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt), 7466 /* [0x02 = HCI_EV_INQUIRY_RESULT] */ 7467 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt, 7468 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE), 7469 /* [0x03 = HCI_EV_CONN_COMPLETE] */ 7470 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt, 7471 sizeof(struct hci_ev_conn_complete)), 7472 /* [0x04 = HCI_EV_CONN_REQUEST] */ 7473 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt, 7474 sizeof(struct hci_ev_conn_request)), 7475 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */ 7476 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt, 7477 sizeof(struct hci_ev_disconn_complete)), 7478 /* [0x06 = HCI_EV_AUTH_COMPLETE] */ 7479 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt, 7480 sizeof(struct hci_ev_auth_complete)), 7481 /* [0x07 = HCI_EV_REMOTE_NAME] */ 7482 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt, 7483 sizeof(struct hci_ev_remote_name)), 7484 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */ 7485 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt, 7486 sizeof(struct hci_ev_encrypt_change)), 7487 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */ 7488 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE, 7489 hci_change_link_key_complete_evt, 7490 sizeof(struct hci_ev_change_link_key_complete)), 7491 /* [0x0b = HCI_EV_REMOTE_FEATURES] */ 7492 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt, 7493 sizeof(struct hci_ev_remote_features)), 7494 /* [0x0e = HCI_EV_CMD_COMPLETE] */ 7495 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt, 7496 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE), 7497 /* [0x0f = HCI_EV_CMD_STATUS] */ 7498 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt, 7499 sizeof(struct hci_ev_cmd_status)), 7500 /* [0x10 = HCI_EV_CMD_STATUS] */ 7501 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt, 7502 sizeof(struct hci_ev_hardware_error)), 7503 /* [0x12 = HCI_EV_ROLE_CHANGE] */ 7504 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt, 7505 sizeof(struct hci_ev_role_change)), 7506 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */ 7507 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt, 7508 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE), 7509 /* [0x14 = HCI_EV_MODE_CHANGE] */ 7510 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt, 7511 sizeof(struct hci_ev_mode_change)), 7512 /* [0x16 = HCI_EV_PIN_CODE_REQ] */ 7513 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt, 7514 sizeof(struct hci_ev_pin_code_req)), 7515 /* [0x17 = HCI_EV_LINK_KEY_REQ] */ 7516 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt, 7517 sizeof(struct hci_ev_link_key_req)), 7518 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */ 7519 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt, 7520 sizeof(struct hci_ev_link_key_notify)), 7521 /* [0x1c = HCI_EV_CLOCK_OFFSET] */ 7522 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt, 7523 sizeof(struct hci_ev_clock_offset)), 7524 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */ 7525 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt, 7526 sizeof(struct hci_ev_pkt_type_change)), 7527 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */ 7528 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt, 7529 sizeof(struct hci_ev_pscan_rep_mode)), 7530 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */ 7531 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI, 7532 hci_inquiry_result_with_rssi_evt, 7533 sizeof(struct hci_ev_inquiry_result_rssi), 7534 HCI_MAX_EVENT_SIZE), 7535 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */ 7536 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt, 7537 sizeof(struct hci_ev_remote_ext_features)), 7538 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */ 7539 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt, 7540 sizeof(struct hci_ev_sync_conn_complete)), 7541 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */ 7542 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT, 7543 hci_extended_inquiry_result_evt, 7544 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE), 7545 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */ 7546 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt, 7547 sizeof(struct hci_ev_key_refresh_complete)), 7548 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */ 7549 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt, 7550 sizeof(struct hci_ev_io_capa_request)), 7551 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */ 7552 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt, 7553 sizeof(struct hci_ev_io_capa_reply)), 7554 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */ 7555 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt, 7556 sizeof(struct hci_ev_user_confirm_req)), 7557 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */ 7558 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt, 7559 sizeof(struct hci_ev_user_passkey_req)), 7560 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */ 7561 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt, 7562 sizeof(struct hci_ev_remote_oob_data_request)), 7563 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */ 7564 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt, 7565 sizeof(struct hci_ev_simple_pair_complete)), 7566 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */ 7567 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt, 7568 sizeof(struct hci_ev_user_passkey_notify)), 7569 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */ 7570 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt, 7571 sizeof(struct hci_ev_keypress_notify)), 7572 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */ 7573 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt, 7574 sizeof(struct hci_ev_remote_host_features)), 7575 /* [0x3e = HCI_EV_LE_META] */ 7576 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt, 7577 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE), 7578 #if IS_ENABLED(CONFIG_BT_HS) 7579 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */ 7580 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt, 7581 sizeof(struct hci_ev_phy_link_complete)), 7582 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */ 7583 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt, 7584 sizeof(struct hci_ev_channel_selected)), 7585 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */ 7586 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE, 7587 hci_disconn_loglink_complete_evt, 7588 sizeof(struct hci_ev_disconn_logical_link_complete)), 7589 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */ 7590 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt, 7591 sizeof(struct hci_ev_logical_link_complete)), 7592 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */ 7593 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE, 7594 hci_disconn_phylink_complete_evt, 7595 sizeof(struct hci_ev_disconn_phy_link_complete)), 7596 #endif 7597 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */ 7598 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt, 7599 sizeof(struct hci_ev_num_comp_blocks)), 7600 /* [0xff = HCI_EV_VENDOR] */ 7601 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE), 7602 }; 7603 7604 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb, 7605 u16 *opcode, u8 *status, 7606 hci_req_complete_t *req_complete, 7607 hci_req_complete_skb_t *req_complete_skb) 7608 { 7609 const struct hci_ev *ev = &hci_ev_table[event]; 7610 void *data; 7611 7612 if (!ev->func) 7613 return; 7614 7615 if (skb->len < ev->min_len) { 7616 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u", 7617 event, skb->len, ev->min_len); 7618 return; 7619 } 7620 7621 /* Just warn if the length is over max_len size it still be 7622 * possible to partially parse the event so leave to callback to 7623 * decide if that is acceptable. 7624 */ 7625 if (skb->len > ev->max_len) 7626 bt_dev_warn_ratelimited(hdev, 7627 "unexpected event 0x%2.2x length: %u > %u", 7628 event, skb->len, ev->max_len); 7629 7630 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len); 7631 if (!data) 7632 return; 7633 7634 if (ev->req) 7635 ev->func_req(hdev, data, skb, opcode, status, req_complete, 7636 req_complete_skb); 7637 else 7638 ev->func(hdev, data, skb); 7639 } 7640 7641 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) 7642 { 7643 struct hci_event_hdr *hdr = (void *) skb->data; 7644 hci_req_complete_t req_complete = NULL; 7645 hci_req_complete_skb_t req_complete_skb = NULL; 7646 struct sk_buff *orig_skb = NULL; 7647 u8 status = 0, event, req_evt = 0; 7648 u16 opcode = HCI_OP_NOP; 7649 7650 if (skb->len < sizeof(*hdr)) { 7651 bt_dev_err(hdev, "Malformed HCI Event"); 7652 goto done; 7653 } 7654 7655 kfree_skb(hdev->recv_event); 7656 hdev->recv_event = skb_clone(skb, GFP_KERNEL); 7657 7658 event = hdr->evt; 7659 if (!event) { 7660 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x", 7661 event); 7662 goto done; 7663 } 7664 7665 /* Only match event if command OGF is not for LE */ 7666 if (hdev->sent_cmd && 7667 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 && 7668 hci_skb_event(hdev->sent_cmd) == event) { 7669 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd), 7670 status, &req_complete, &req_complete_skb); 7671 req_evt = event; 7672 } 7673 7674 /* If it looks like we might end up having to call 7675 * req_complete_skb, store a pristine copy of the skb since the 7676 * various handlers may modify the original one through 7677 * skb_pull() calls, etc. 7678 */ 7679 if (req_complete_skb || event == HCI_EV_CMD_STATUS || 7680 event == HCI_EV_CMD_COMPLETE) 7681 orig_skb = skb_clone(skb, GFP_KERNEL); 7682 7683 skb_pull(skb, HCI_EVENT_HDR_SIZE); 7684 7685 /* Store wake reason if we're suspended */ 7686 hci_store_wake_reason(hdev, event, skb); 7687 7688 bt_dev_dbg(hdev, "event 0x%2.2x", event); 7689 7690 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete, 7691 &req_complete_skb); 7692 7693 if (req_complete) { 7694 req_complete(hdev, status, opcode); 7695 } else if (req_complete_skb) { 7696 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) { 7697 kfree_skb(orig_skb); 7698 orig_skb = NULL; 7699 } 7700 req_complete_skb(hdev, status, opcode, orig_skb); 7701 } 7702 7703 done: 7704 kfree_skb(orig_skb); 7705 kfree_skb(skb); 7706 hdev->stat.evt_rx++; 7707 } 7708