1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 #include "msft.h"
39 #include "eir.h"
40
41 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
42 "\x00\x00\x00\x00\x00\x00\x00\x00"
43
44 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
45
46 /* Handle HCI Event packets */
47
hci_ev_skb_pull(struct hci_dev * hdev,struct sk_buff * skb,u8 ev,size_t len)48 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
49 u8 ev, size_t len)
50 {
51 void *data;
52
53 data = skb_pull_data(skb, len);
54 if (!data)
55 bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
56
57 return data;
58 }
59
hci_cc_skb_pull(struct hci_dev * hdev,struct sk_buff * skb,u16 op,size_t len)60 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
61 u16 op, size_t len)
62 {
63 void *data;
64
65 data = skb_pull_data(skb, len);
66 if (!data)
67 bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
68
69 return data;
70 }
71
hci_le_ev_skb_pull(struct hci_dev * hdev,struct sk_buff * skb,u8 ev,size_t len)72 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
73 u8 ev, size_t len)
74 {
75 void *data;
76
77 data = skb_pull_data(skb, len);
78 if (!data)
79 bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
80
81 return data;
82 }
83
hci_cc_inquiry_cancel(struct hci_dev * hdev,void * data,struct sk_buff * skb)84 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
85 struct sk_buff *skb)
86 {
87 struct hci_ev_status *rp = data;
88
89 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
90
91 /* It is possible that we receive Inquiry Complete event right
92 * before we receive Inquiry Cancel Command Complete event, in
93 * which case the latter event should have status of Command
94 * Disallowed (0x0c). This should not be treated as error, since
95 * we actually achieve what Inquiry Cancel wants to achieve,
96 * which is to end the last Inquiry session.
97 */
98 if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
99 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
100 rp->status = 0x00;
101 }
102
103 if (rp->status)
104 return rp->status;
105
106 clear_bit(HCI_INQUIRY, &hdev->flags);
107 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
108 wake_up_bit(&hdev->flags, HCI_INQUIRY);
109
110 hci_dev_lock(hdev);
111 /* Set discovery state to stopped if we're not doing LE active
112 * scanning.
113 */
114 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
115 hdev->le_scan_type != LE_SCAN_ACTIVE)
116 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
117 hci_dev_unlock(hdev);
118
119 hci_conn_check_pending(hdev);
120
121 return rp->status;
122 }
123
hci_cc_periodic_inq(struct hci_dev * hdev,void * data,struct sk_buff * skb)124 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
125 struct sk_buff *skb)
126 {
127 struct hci_ev_status *rp = data;
128
129 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
130
131 if (rp->status)
132 return rp->status;
133
134 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
135
136 return rp->status;
137 }
138
hci_cc_exit_periodic_inq(struct hci_dev * hdev,void * data,struct sk_buff * skb)139 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
140 struct sk_buff *skb)
141 {
142 struct hci_ev_status *rp = data;
143
144 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
145
146 if (rp->status)
147 return rp->status;
148
149 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
150
151 hci_conn_check_pending(hdev);
152
153 return rp->status;
154 }
155
hci_cc_remote_name_req_cancel(struct hci_dev * hdev,void * data,struct sk_buff * skb)156 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
157 struct sk_buff *skb)
158 {
159 struct hci_ev_status *rp = data;
160
161 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
162
163 return rp->status;
164 }
165
hci_cc_role_discovery(struct hci_dev * hdev,void * data,struct sk_buff * skb)166 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
167 struct sk_buff *skb)
168 {
169 struct hci_rp_role_discovery *rp = data;
170 struct hci_conn *conn;
171
172 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
173
174 if (rp->status)
175 return rp->status;
176
177 hci_dev_lock(hdev);
178
179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
180 if (conn)
181 conn->role = rp->role;
182
183 hci_dev_unlock(hdev);
184
185 return rp->status;
186 }
187
hci_cc_read_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)188 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
189 struct sk_buff *skb)
190 {
191 struct hci_rp_read_link_policy *rp = data;
192 struct hci_conn *conn;
193
194 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
195
196 if (rp->status)
197 return rp->status;
198
199 hci_dev_lock(hdev);
200
201 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
202 if (conn)
203 conn->link_policy = __le16_to_cpu(rp->policy);
204
205 hci_dev_unlock(hdev);
206
207 return rp->status;
208 }
209
hci_cc_write_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)210 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
211 struct sk_buff *skb)
212 {
213 struct hci_rp_write_link_policy *rp = data;
214 struct hci_conn *conn;
215 void *sent;
216
217 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
218
219 if (rp->status)
220 return rp->status;
221
222 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
223 if (!sent)
224 return rp->status;
225
226 hci_dev_lock(hdev);
227
228 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
229 if (conn)
230 conn->link_policy = get_unaligned_le16(sent + 2);
231
232 hci_dev_unlock(hdev);
233
234 return rp->status;
235 }
236
hci_cc_read_def_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)237 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
238 struct sk_buff *skb)
239 {
240 struct hci_rp_read_def_link_policy *rp = data;
241
242 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
243
244 if (rp->status)
245 return rp->status;
246
247 hdev->link_policy = __le16_to_cpu(rp->policy);
248
249 return rp->status;
250 }
251
hci_cc_write_def_link_policy(struct hci_dev * hdev,void * data,struct sk_buff * skb)252 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
253 struct sk_buff *skb)
254 {
255 struct hci_ev_status *rp = data;
256 void *sent;
257
258 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
259
260 if (rp->status)
261 return rp->status;
262
263 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
264 if (!sent)
265 return rp->status;
266
267 hdev->link_policy = get_unaligned_le16(sent);
268
269 return rp->status;
270 }
271
hci_cc_reset(struct hci_dev * hdev,void * data,struct sk_buff * skb)272 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
273 {
274 struct hci_ev_status *rp = data;
275
276 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
277
278 clear_bit(HCI_RESET, &hdev->flags);
279
280 if (rp->status)
281 return rp->status;
282
283 /* Reset all non-persistent flags */
284 hci_dev_clear_volatile_flags(hdev);
285
286 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
287
288 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
289 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
290
291 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
292 hdev->adv_data_len = 0;
293
294 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
295 hdev->scan_rsp_data_len = 0;
296
297 hdev->le_scan_type = LE_SCAN_PASSIVE;
298
299 hdev->ssp_debug_mode = 0;
300
301 hci_bdaddr_list_clear(&hdev->le_accept_list);
302 hci_bdaddr_list_clear(&hdev->le_resolv_list);
303
304 return rp->status;
305 }
306
hci_cc_read_stored_link_key(struct hci_dev * hdev,void * data,struct sk_buff * skb)307 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
308 struct sk_buff *skb)
309 {
310 struct hci_rp_read_stored_link_key *rp = data;
311 struct hci_cp_read_stored_link_key *sent;
312
313 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
314
315 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
316 if (!sent)
317 return rp->status;
318
319 if (!rp->status && sent->read_all == 0x01) {
320 hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
321 hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
322 }
323
324 return rp->status;
325 }
326
hci_cc_delete_stored_link_key(struct hci_dev * hdev,void * data,struct sk_buff * skb)327 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
328 struct sk_buff *skb)
329 {
330 struct hci_rp_delete_stored_link_key *rp = data;
331 u16 num_keys;
332
333 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
334
335 if (rp->status)
336 return rp->status;
337
338 num_keys = le16_to_cpu(rp->num_keys);
339
340 if (num_keys <= hdev->stored_num_keys)
341 hdev->stored_num_keys -= num_keys;
342 else
343 hdev->stored_num_keys = 0;
344
345 return rp->status;
346 }
347
hci_cc_write_local_name(struct hci_dev * hdev,void * data,struct sk_buff * skb)348 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
349 struct sk_buff *skb)
350 {
351 struct hci_ev_status *rp = data;
352 void *sent;
353
354 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
355
356 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
357 if (!sent)
358 return rp->status;
359
360 hci_dev_lock(hdev);
361
362 if (hci_dev_test_flag(hdev, HCI_MGMT))
363 mgmt_set_local_name_complete(hdev, sent, rp->status);
364 else if (!rp->status)
365 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
366
367 hci_dev_unlock(hdev);
368
369 return rp->status;
370 }
371
hci_cc_read_local_name(struct hci_dev * hdev,void * data,struct sk_buff * skb)372 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
373 struct sk_buff *skb)
374 {
375 struct hci_rp_read_local_name *rp = data;
376
377 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
378
379 if (rp->status)
380 return rp->status;
381
382 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
383 hci_dev_test_flag(hdev, HCI_CONFIG))
384 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
385
386 return rp->status;
387 }
388
hci_cc_write_auth_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)389 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
390 struct sk_buff *skb)
391 {
392 struct hci_ev_status *rp = data;
393 void *sent;
394
395 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
396
397 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
398 if (!sent)
399 return rp->status;
400
401 hci_dev_lock(hdev);
402
403 if (!rp->status) {
404 __u8 param = *((__u8 *) sent);
405
406 if (param == AUTH_ENABLED)
407 set_bit(HCI_AUTH, &hdev->flags);
408 else
409 clear_bit(HCI_AUTH, &hdev->flags);
410 }
411
412 if (hci_dev_test_flag(hdev, HCI_MGMT))
413 mgmt_auth_enable_complete(hdev, rp->status);
414
415 hci_dev_unlock(hdev);
416
417 return rp->status;
418 }
419
hci_cc_write_encrypt_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)420 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
421 struct sk_buff *skb)
422 {
423 struct hci_ev_status *rp = data;
424 __u8 param;
425 void *sent;
426
427 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
428
429 if (rp->status)
430 return rp->status;
431
432 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
433 if (!sent)
434 return rp->status;
435
436 param = *((__u8 *) sent);
437
438 if (param)
439 set_bit(HCI_ENCRYPT, &hdev->flags);
440 else
441 clear_bit(HCI_ENCRYPT, &hdev->flags);
442
443 return rp->status;
444 }
445
hci_cc_write_scan_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)446 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
447 struct sk_buff *skb)
448 {
449 struct hci_ev_status *rp = data;
450 __u8 param;
451 void *sent;
452
453 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
454
455 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
456 if (!sent)
457 return rp->status;
458
459 param = *((__u8 *) sent);
460
461 hci_dev_lock(hdev);
462
463 if (rp->status) {
464 hdev->discov_timeout = 0;
465 goto done;
466 }
467
468 if (param & SCAN_INQUIRY)
469 set_bit(HCI_ISCAN, &hdev->flags);
470 else
471 clear_bit(HCI_ISCAN, &hdev->flags);
472
473 if (param & SCAN_PAGE)
474 set_bit(HCI_PSCAN, &hdev->flags);
475 else
476 clear_bit(HCI_PSCAN, &hdev->flags);
477
478 done:
479 hci_dev_unlock(hdev);
480
481 return rp->status;
482 }
483
hci_cc_set_event_filter(struct hci_dev * hdev,void * data,struct sk_buff * skb)484 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
485 struct sk_buff *skb)
486 {
487 struct hci_ev_status *rp = data;
488 struct hci_cp_set_event_filter *cp;
489 void *sent;
490
491 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
492
493 if (rp->status)
494 return rp->status;
495
496 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
497 if (!sent)
498 return rp->status;
499
500 cp = (struct hci_cp_set_event_filter *)sent;
501
502 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
503 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
504 else
505 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
506
507 return rp->status;
508 }
509
hci_cc_read_class_of_dev(struct hci_dev * hdev,void * data,struct sk_buff * skb)510 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
511 struct sk_buff *skb)
512 {
513 struct hci_rp_read_class_of_dev *rp = data;
514
515 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
516
517 if (rp->status)
518 return rp->status;
519
520 memcpy(hdev->dev_class, rp->dev_class, 3);
521
522 bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
523 hdev->dev_class[1], hdev->dev_class[0]);
524
525 return rp->status;
526 }
527
hci_cc_write_class_of_dev(struct hci_dev * hdev,void * data,struct sk_buff * skb)528 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
529 struct sk_buff *skb)
530 {
531 struct hci_ev_status *rp = data;
532 void *sent;
533
534 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
535
536 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
537 if (!sent)
538 return rp->status;
539
540 hci_dev_lock(hdev);
541
542 if (!rp->status)
543 memcpy(hdev->dev_class, sent, 3);
544
545 if (hci_dev_test_flag(hdev, HCI_MGMT))
546 mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
547
548 hci_dev_unlock(hdev);
549
550 return rp->status;
551 }
552
hci_cc_read_voice_setting(struct hci_dev * hdev,void * data,struct sk_buff * skb)553 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
554 struct sk_buff *skb)
555 {
556 struct hci_rp_read_voice_setting *rp = data;
557 __u16 setting;
558
559 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
560
561 if (rp->status)
562 return rp->status;
563
564 setting = __le16_to_cpu(rp->voice_setting);
565
566 if (hdev->voice_setting == setting)
567 return rp->status;
568
569 hdev->voice_setting = setting;
570
571 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
572
573 if (hdev->notify)
574 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
575
576 return rp->status;
577 }
578
hci_cc_write_voice_setting(struct hci_dev * hdev,void * data,struct sk_buff * skb)579 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
580 struct sk_buff *skb)
581 {
582 struct hci_ev_status *rp = data;
583 __u16 setting;
584 void *sent;
585
586 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
587
588 if (rp->status)
589 return rp->status;
590
591 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
592 if (!sent)
593 return rp->status;
594
595 setting = get_unaligned_le16(sent);
596
597 if (hdev->voice_setting == setting)
598 return rp->status;
599
600 hdev->voice_setting = setting;
601
602 bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
603
604 if (hdev->notify)
605 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
606
607 return rp->status;
608 }
609
hci_cc_read_num_supported_iac(struct hci_dev * hdev,void * data,struct sk_buff * skb)610 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
611 struct sk_buff *skb)
612 {
613 struct hci_rp_read_num_supported_iac *rp = data;
614
615 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
616
617 if (rp->status)
618 return rp->status;
619
620 hdev->num_iac = rp->num_iac;
621
622 bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
623
624 return rp->status;
625 }
626
hci_cc_write_ssp_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)627 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
628 struct sk_buff *skb)
629 {
630 struct hci_ev_status *rp = data;
631 struct hci_cp_write_ssp_mode *sent;
632
633 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
634
635 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
636 if (!sent)
637 return rp->status;
638
639 hci_dev_lock(hdev);
640
641 if (!rp->status) {
642 if (sent->mode)
643 hdev->features[1][0] |= LMP_HOST_SSP;
644 else
645 hdev->features[1][0] &= ~LMP_HOST_SSP;
646 }
647
648 if (!rp->status) {
649 if (sent->mode)
650 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
651 else
652 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
653 }
654
655 hci_dev_unlock(hdev);
656
657 return rp->status;
658 }
659
hci_cc_write_sc_support(struct hci_dev * hdev,void * data,struct sk_buff * skb)660 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
661 struct sk_buff *skb)
662 {
663 struct hci_ev_status *rp = data;
664 struct hci_cp_write_sc_support *sent;
665
666 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
667
668 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
669 if (!sent)
670 return rp->status;
671
672 hci_dev_lock(hdev);
673
674 if (!rp->status) {
675 if (sent->support)
676 hdev->features[1][0] |= LMP_HOST_SC;
677 else
678 hdev->features[1][0] &= ~LMP_HOST_SC;
679 }
680
681 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
682 if (sent->support)
683 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
684 else
685 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
686 }
687
688 hci_dev_unlock(hdev);
689
690 return rp->status;
691 }
692
hci_cc_read_local_version(struct hci_dev * hdev,void * data,struct sk_buff * skb)693 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
694 struct sk_buff *skb)
695 {
696 struct hci_rp_read_local_version *rp = data;
697
698 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
699
700 if (rp->status)
701 return rp->status;
702
703 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
704 hci_dev_test_flag(hdev, HCI_CONFIG)) {
705 hdev->hci_ver = rp->hci_ver;
706 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
707 hdev->lmp_ver = rp->lmp_ver;
708 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
709 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
710 }
711
712 return rp->status;
713 }
714
hci_cc_read_enc_key_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)715 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
716 struct sk_buff *skb)
717 {
718 struct hci_rp_read_enc_key_size *rp = data;
719 struct hci_conn *conn;
720 u16 handle;
721 u8 status = rp->status;
722
723 bt_dev_dbg(hdev, "status 0x%2.2x", status);
724
725 handle = le16_to_cpu(rp->handle);
726
727 hci_dev_lock(hdev);
728
729 conn = hci_conn_hash_lookup_handle(hdev, handle);
730 if (!conn) {
731 status = 0xFF;
732 goto done;
733 }
734
735 /* While unexpected, the read_enc_key_size command may fail. The most
736 * secure approach is to then assume the key size is 0 to force a
737 * disconnection.
738 */
739 if (status) {
740 bt_dev_err(hdev, "failed to read key size for handle %u",
741 handle);
742 conn->enc_key_size = 0;
743 } else {
744 conn->enc_key_size = rp->key_size;
745 status = 0;
746 }
747
748 hci_encrypt_cfm(conn, 0);
749
750 done:
751 hci_dev_unlock(hdev);
752
753 return status;
754 }
755
hci_cc_read_local_commands(struct hci_dev * hdev,void * data,struct sk_buff * skb)756 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
757 struct sk_buff *skb)
758 {
759 struct hci_rp_read_local_commands *rp = data;
760
761 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
762
763 if (rp->status)
764 return rp->status;
765
766 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
767 hci_dev_test_flag(hdev, HCI_CONFIG))
768 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
769
770 return rp->status;
771 }
772
hci_cc_read_auth_payload_timeout(struct hci_dev * hdev,void * data,struct sk_buff * skb)773 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
774 struct sk_buff *skb)
775 {
776 struct hci_rp_read_auth_payload_to *rp = data;
777 struct hci_conn *conn;
778
779 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
780
781 if (rp->status)
782 return rp->status;
783
784 hci_dev_lock(hdev);
785
786 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
787 if (conn)
788 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
789
790 hci_dev_unlock(hdev);
791
792 return rp->status;
793 }
794
hci_cc_write_auth_payload_timeout(struct hci_dev * hdev,void * data,struct sk_buff * skb)795 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
796 struct sk_buff *skb)
797 {
798 struct hci_rp_write_auth_payload_to *rp = data;
799 struct hci_conn *conn;
800 void *sent;
801
802 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
803
804 if (rp->status)
805 return rp->status;
806
807 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
808 if (!sent)
809 return rp->status;
810
811 hci_dev_lock(hdev);
812
813 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814 if (conn)
815 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
816
817 hci_dev_unlock(hdev);
818
819 return rp->status;
820 }
821
hci_cc_read_local_features(struct hci_dev * hdev,void * data,struct sk_buff * skb)822 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
823 struct sk_buff *skb)
824 {
825 struct hci_rp_read_local_features *rp = data;
826
827 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
828
829 if (rp->status)
830 return rp->status;
831
832 memcpy(hdev->features, rp->features, 8);
833
834 /* Adjust default settings according to features
835 * supported by device. */
836
837 if (hdev->features[0][0] & LMP_3SLOT)
838 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
839
840 if (hdev->features[0][0] & LMP_5SLOT)
841 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
842
843 if (hdev->features[0][1] & LMP_HV2) {
844 hdev->pkt_type |= (HCI_HV2);
845 hdev->esco_type |= (ESCO_HV2);
846 }
847
848 if (hdev->features[0][1] & LMP_HV3) {
849 hdev->pkt_type |= (HCI_HV3);
850 hdev->esco_type |= (ESCO_HV3);
851 }
852
853 if (lmp_esco_capable(hdev))
854 hdev->esco_type |= (ESCO_EV3);
855
856 if (hdev->features[0][4] & LMP_EV4)
857 hdev->esco_type |= (ESCO_EV4);
858
859 if (hdev->features[0][4] & LMP_EV5)
860 hdev->esco_type |= (ESCO_EV5);
861
862 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
863 hdev->esco_type |= (ESCO_2EV3);
864
865 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
866 hdev->esco_type |= (ESCO_3EV3);
867
868 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
869 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
870
871 return rp->status;
872 }
873
hci_cc_read_local_ext_features(struct hci_dev * hdev,void * data,struct sk_buff * skb)874 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
875 struct sk_buff *skb)
876 {
877 struct hci_rp_read_local_ext_features *rp = data;
878
879 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
880
881 if (rp->status)
882 return rp->status;
883
884 if (hdev->max_page < rp->max_page)
885 hdev->max_page = rp->max_page;
886
887 if (rp->page < HCI_MAX_PAGES)
888 memcpy(hdev->features[rp->page], rp->features, 8);
889
890 return rp->status;
891 }
892
hci_cc_read_flow_control_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)893 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
894 struct sk_buff *skb)
895 {
896 struct hci_rp_read_flow_control_mode *rp = data;
897
898 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
899
900 if (rp->status)
901 return rp->status;
902
903 hdev->flow_ctl_mode = rp->mode;
904
905 return rp->status;
906 }
907
hci_cc_read_buffer_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)908 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
909 struct sk_buff *skb)
910 {
911 struct hci_rp_read_buffer_size *rp = data;
912
913 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
914
915 if (rp->status)
916 return rp->status;
917
918 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
919 hdev->sco_mtu = rp->sco_mtu;
920 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
921 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
922
923 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
924 hdev->sco_mtu = 64;
925 hdev->sco_pkts = 8;
926 }
927
928 hdev->acl_cnt = hdev->acl_pkts;
929 hdev->sco_cnt = hdev->sco_pkts;
930
931 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
932 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
933
934 return rp->status;
935 }
936
hci_cc_read_bd_addr(struct hci_dev * hdev,void * data,struct sk_buff * skb)937 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
938 struct sk_buff *skb)
939 {
940 struct hci_rp_read_bd_addr *rp = data;
941
942 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
943
944 if (rp->status)
945 return rp->status;
946
947 if (test_bit(HCI_INIT, &hdev->flags))
948 bacpy(&hdev->bdaddr, &rp->bdaddr);
949
950 if (hci_dev_test_flag(hdev, HCI_SETUP))
951 bacpy(&hdev->setup_addr, &rp->bdaddr);
952
953 return rp->status;
954 }
955
hci_cc_read_local_pairing_opts(struct hci_dev * hdev,void * data,struct sk_buff * skb)956 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
957 struct sk_buff *skb)
958 {
959 struct hci_rp_read_local_pairing_opts *rp = data;
960
961 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
962
963 if (rp->status)
964 return rp->status;
965
966 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
967 hci_dev_test_flag(hdev, HCI_CONFIG)) {
968 hdev->pairing_opts = rp->pairing_opts;
969 hdev->max_enc_key_size = rp->max_key_size;
970 }
971
972 return rp->status;
973 }
974
hci_cc_read_page_scan_activity(struct hci_dev * hdev,void * data,struct sk_buff * skb)975 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
976 struct sk_buff *skb)
977 {
978 struct hci_rp_read_page_scan_activity *rp = data;
979
980 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
981
982 if (rp->status)
983 return rp->status;
984
985 if (test_bit(HCI_INIT, &hdev->flags)) {
986 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
987 hdev->page_scan_window = __le16_to_cpu(rp->window);
988 }
989
990 return rp->status;
991 }
992
hci_cc_write_page_scan_activity(struct hci_dev * hdev,void * data,struct sk_buff * skb)993 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
994 struct sk_buff *skb)
995 {
996 struct hci_ev_status *rp = data;
997 struct hci_cp_write_page_scan_activity *sent;
998
999 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1000
1001 if (rp->status)
1002 return rp->status;
1003
1004 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1005 if (!sent)
1006 return rp->status;
1007
1008 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1009 hdev->page_scan_window = __le16_to_cpu(sent->window);
1010
1011 return rp->status;
1012 }
1013
hci_cc_read_page_scan_type(struct hci_dev * hdev,void * data,struct sk_buff * skb)1014 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1015 struct sk_buff *skb)
1016 {
1017 struct hci_rp_read_page_scan_type *rp = data;
1018
1019 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1020
1021 if (rp->status)
1022 return rp->status;
1023
1024 if (test_bit(HCI_INIT, &hdev->flags))
1025 hdev->page_scan_type = rp->type;
1026
1027 return rp->status;
1028 }
1029
hci_cc_write_page_scan_type(struct hci_dev * hdev,void * data,struct sk_buff * skb)1030 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1031 struct sk_buff *skb)
1032 {
1033 struct hci_ev_status *rp = data;
1034 u8 *type;
1035
1036 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1037
1038 if (rp->status)
1039 return rp->status;
1040
1041 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1042 if (type)
1043 hdev->page_scan_type = *type;
1044
1045 return rp->status;
1046 }
1047
hci_cc_read_data_block_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)1048 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1049 struct sk_buff *skb)
1050 {
1051 struct hci_rp_read_data_block_size *rp = data;
1052
1053 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1054
1055 if (rp->status)
1056 return rp->status;
1057
1058 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1059 hdev->block_len = __le16_to_cpu(rp->block_len);
1060 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1061
1062 hdev->block_cnt = hdev->num_blocks;
1063
1064 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1065 hdev->block_cnt, hdev->block_len);
1066
1067 return rp->status;
1068 }
1069
hci_cc_read_clock(struct hci_dev * hdev,void * data,struct sk_buff * skb)1070 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1071 struct sk_buff *skb)
1072 {
1073 struct hci_rp_read_clock *rp = data;
1074 struct hci_cp_read_clock *cp;
1075 struct hci_conn *conn;
1076
1077 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1078
1079 if (rp->status)
1080 return rp->status;
1081
1082 hci_dev_lock(hdev);
1083
1084 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1085 if (!cp)
1086 goto unlock;
1087
1088 if (cp->which == 0x00) {
1089 hdev->clock = le32_to_cpu(rp->clock);
1090 goto unlock;
1091 }
1092
1093 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1094 if (conn) {
1095 conn->clock = le32_to_cpu(rp->clock);
1096 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1097 }
1098
1099 unlock:
1100 hci_dev_unlock(hdev);
1101 return rp->status;
1102 }
1103
hci_cc_read_local_amp_info(struct hci_dev * hdev,void * data,struct sk_buff * skb)1104 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1105 struct sk_buff *skb)
1106 {
1107 struct hci_rp_read_local_amp_info *rp = data;
1108
1109 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1110
1111 if (rp->status)
1112 return rp->status;
1113
1114 hdev->amp_status = rp->amp_status;
1115 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1116 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1117 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1118 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1119 hdev->amp_type = rp->amp_type;
1120 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1121 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1122 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1123 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1124
1125 return rp->status;
1126 }
1127
hci_cc_read_inq_rsp_tx_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)1128 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1129 struct sk_buff *skb)
1130 {
1131 struct hci_rp_read_inq_rsp_tx_power *rp = data;
1132
1133 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1134
1135 if (rp->status)
1136 return rp->status;
1137
1138 hdev->inq_tx_power = rp->tx_power;
1139
1140 return rp->status;
1141 }
1142
hci_cc_read_def_err_data_reporting(struct hci_dev * hdev,void * data,struct sk_buff * skb)1143 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1144 struct sk_buff *skb)
1145 {
1146 struct hci_rp_read_def_err_data_reporting *rp = data;
1147
1148 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1149
1150 if (rp->status)
1151 return rp->status;
1152
1153 hdev->err_data_reporting = rp->err_data_reporting;
1154
1155 return rp->status;
1156 }
1157
hci_cc_write_def_err_data_reporting(struct hci_dev * hdev,void * data,struct sk_buff * skb)1158 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1159 struct sk_buff *skb)
1160 {
1161 struct hci_ev_status *rp = data;
1162 struct hci_cp_write_def_err_data_reporting *cp;
1163
1164 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1165
1166 if (rp->status)
1167 return rp->status;
1168
1169 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1170 if (!cp)
1171 return rp->status;
1172
1173 hdev->err_data_reporting = cp->err_data_reporting;
1174
1175 return rp->status;
1176 }
1177
hci_cc_pin_code_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1178 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1179 struct sk_buff *skb)
1180 {
1181 struct hci_rp_pin_code_reply *rp = data;
1182 struct hci_cp_pin_code_reply *cp;
1183 struct hci_conn *conn;
1184
1185 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1186
1187 hci_dev_lock(hdev);
1188
1189 if (hci_dev_test_flag(hdev, HCI_MGMT))
1190 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1191
1192 if (rp->status)
1193 goto unlock;
1194
1195 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1196 if (!cp)
1197 goto unlock;
1198
1199 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1200 if (conn)
1201 conn->pin_length = cp->pin_len;
1202
1203 unlock:
1204 hci_dev_unlock(hdev);
1205 return rp->status;
1206 }
1207
hci_cc_pin_code_neg_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1208 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1209 struct sk_buff *skb)
1210 {
1211 struct hci_rp_pin_code_neg_reply *rp = data;
1212
1213 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1214
1215 hci_dev_lock(hdev);
1216
1217 if (hci_dev_test_flag(hdev, HCI_MGMT))
1218 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1219 rp->status);
1220
1221 hci_dev_unlock(hdev);
1222
1223 return rp->status;
1224 }
1225
hci_cc_le_read_buffer_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)1226 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1227 struct sk_buff *skb)
1228 {
1229 struct hci_rp_le_read_buffer_size *rp = data;
1230
1231 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1232
1233 if (rp->status)
1234 return rp->status;
1235
1236 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1237 hdev->le_pkts = rp->le_max_pkt;
1238
1239 hdev->le_cnt = hdev->le_pkts;
1240
1241 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1242
1243 return rp->status;
1244 }
1245
hci_cc_le_read_local_features(struct hci_dev * hdev,void * data,struct sk_buff * skb)1246 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1247 struct sk_buff *skb)
1248 {
1249 struct hci_rp_le_read_local_features *rp = data;
1250
1251 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1252
1253 if (rp->status)
1254 return rp->status;
1255
1256 memcpy(hdev->le_features, rp->features, 8);
1257
1258 return rp->status;
1259 }
1260
hci_cc_le_read_adv_tx_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)1261 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1262 struct sk_buff *skb)
1263 {
1264 struct hci_rp_le_read_adv_tx_power *rp = data;
1265
1266 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1267
1268 if (rp->status)
1269 return rp->status;
1270
1271 hdev->adv_tx_power = rp->tx_power;
1272
1273 return rp->status;
1274 }
1275
hci_cc_user_confirm_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1276 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1277 struct sk_buff *skb)
1278 {
1279 struct hci_rp_user_confirm_reply *rp = data;
1280
1281 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1282
1283 hci_dev_lock(hdev);
1284
1285 if (hci_dev_test_flag(hdev, HCI_MGMT))
1286 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1287 rp->status);
1288
1289 hci_dev_unlock(hdev);
1290
1291 return rp->status;
1292 }
1293
hci_cc_user_confirm_neg_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1294 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1295 struct sk_buff *skb)
1296 {
1297 struct hci_rp_user_confirm_reply *rp = data;
1298
1299 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1300
1301 hci_dev_lock(hdev);
1302
1303 if (hci_dev_test_flag(hdev, HCI_MGMT))
1304 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1305 ACL_LINK, 0, rp->status);
1306
1307 hci_dev_unlock(hdev);
1308
1309 return rp->status;
1310 }
1311
hci_cc_user_passkey_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1312 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1313 struct sk_buff *skb)
1314 {
1315 struct hci_rp_user_confirm_reply *rp = data;
1316
1317 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1318
1319 hci_dev_lock(hdev);
1320
1321 if (hci_dev_test_flag(hdev, HCI_MGMT))
1322 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1323 0, rp->status);
1324
1325 hci_dev_unlock(hdev);
1326
1327 return rp->status;
1328 }
1329
hci_cc_user_passkey_neg_reply(struct hci_dev * hdev,void * data,struct sk_buff * skb)1330 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1331 struct sk_buff *skb)
1332 {
1333 struct hci_rp_user_confirm_reply *rp = data;
1334
1335 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1336
1337 hci_dev_lock(hdev);
1338
1339 if (hci_dev_test_flag(hdev, HCI_MGMT))
1340 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1341 ACL_LINK, 0, rp->status);
1342
1343 hci_dev_unlock(hdev);
1344
1345 return rp->status;
1346 }
1347
hci_cc_read_local_oob_data(struct hci_dev * hdev,void * data,struct sk_buff * skb)1348 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1349 struct sk_buff *skb)
1350 {
1351 struct hci_rp_read_local_oob_data *rp = data;
1352
1353 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1354
1355 return rp->status;
1356 }
1357
hci_cc_read_local_oob_ext_data(struct hci_dev * hdev,void * data,struct sk_buff * skb)1358 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1359 struct sk_buff *skb)
1360 {
1361 struct hci_rp_read_local_oob_ext_data *rp = data;
1362
1363 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1364
1365 return rp->status;
1366 }
1367
hci_cc_le_set_random_addr(struct hci_dev * hdev,void * data,struct sk_buff * skb)1368 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1369 struct sk_buff *skb)
1370 {
1371 struct hci_ev_status *rp = data;
1372 bdaddr_t *sent;
1373
1374 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1375
1376 if (rp->status)
1377 return rp->status;
1378
1379 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1380 if (!sent)
1381 return rp->status;
1382
1383 hci_dev_lock(hdev);
1384
1385 bacpy(&hdev->random_addr, sent);
1386
1387 if (!bacmp(&hdev->rpa, sent)) {
1388 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1389 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1390 secs_to_jiffies(hdev->rpa_timeout));
1391 }
1392
1393 hci_dev_unlock(hdev);
1394
1395 return rp->status;
1396 }
1397
hci_cc_le_set_default_phy(struct hci_dev * hdev,void * data,struct sk_buff * skb)1398 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1399 struct sk_buff *skb)
1400 {
1401 struct hci_ev_status *rp = data;
1402 struct hci_cp_le_set_default_phy *cp;
1403
1404 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1405
1406 if (rp->status)
1407 return rp->status;
1408
1409 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1410 if (!cp)
1411 return rp->status;
1412
1413 hci_dev_lock(hdev);
1414
1415 hdev->le_tx_def_phys = cp->tx_phys;
1416 hdev->le_rx_def_phys = cp->rx_phys;
1417
1418 hci_dev_unlock(hdev);
1419
1420 return rp->status;
1421 }
1422
hci_cc_le_set_adv_set_random_addr(struct hci_dev * hdev,void * data,struct sk_buff * skb)1423 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1424 struct sk_buff *skb)
1425 {
1426 struct hci_ev_status *rp = data;
1427 struct hci_cp_le_set_adv_set_rand_addr *cp;
1428 struct adv_info *adv;
1429
1430 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1431
1432 if (rp->status)
1433 return rp->status;
1434
1435 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1436 /* Update only in case the adv instance since handle 0x00 shall be using
1437 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1438 * non-extended adverting.
1439 */
1440 if (!cp || !cp->handle)
1441 return rp->status;
1442
1443 hci_dev_lock(hdev);
1444
1445 adv = hci_find_adv_instance(hdev, cp->handle);
1446 if (adv) {
1447 bacpy(&adv->random_addr, &cp->bdaddr);
1448 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1449 adv->rpa_expired = false;
1450 queue_delayed_work(hdev->workqueue,
1451 &adv->rpa_expired_cb,
1452 secs_to_jiffies(hdev->rpa_timeout));
1453 }
1454 }
1455
1456 hci_dev_unlock(hdev);
1457
1458 return rp->status;
1459 }
1460
hci_cc_le_remove_adv_set(struct hci_dev * hdev,void * data,struct sk_buff * skb)1461 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1462 struct sk_buff *skb)
1463 {
1464 struct hci_ev_status *rp = data;
1465 u8 *instance;
1466 int err;
1467
1468 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1469
1470 if (rp->status)
1471 return rp->status;
1472
1473 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1474 if (!instance)
1475 return rp->status;
1476
1477 hci_dev_lock(hdev);
1478
1479 err = hci_remove_adv_instance(hdev, *instance);
1480 if (!err)
1481 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1482 *instance);
1483
1484 hci_dev_unlock(hdev);
1485
1486 return rp->status;
1487 }
1488
hci_cc_le_clear_adv_sets(struct hci_dev * hdev,void * data,struct sk_buff * skb)1489 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1490 struct sk_buff *skb)
1491 {
1492 struct hci_ev_status *rp = data;
1493 struct adv_info *adv, *n;
1494 int err;
1495
1496 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1497
1498 if (rp->status)
1499 return rp->status;
1500
1501 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1502 return rp->status;
1503
1504 hci_dev_lock(hdev);
1505
1506 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1507 u8 instance = adv->instance;
1508
1509 err = hci_remove_adv_instance(hdev, instance);
1510 if (!err)
1511 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1512 hdev, instance);
1513 }
1514
1515 hci_dev_unlock(hdev);
1516
1517 return rp->status;
1518 }
1519
hci_cc_le_read_transmit_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)1520 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1521 struct sk_buff *skb)
1522 {
1523 struct hci_rp_le_read_transmit_power *rp = data;
1524
1525 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1526
1527 if (rp->status)
1528 return rp->status;
1529
1530 hdev->min_le_tx_power = rp->min_le_tx_power;
1531 hdev->max_le_tx_power = rp->max_le_tx_power;
1532
1533 return rp->status;
1534 }
1535
hci_cc_le_set_privacy_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)1536 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1537 struct sk_buff *skb)
1538 {
1539 struct hci_ev_status *rp = data;
1540 struct hci_cp_le_set_privacy_mode *cp;
1541 struct hci_conn_params *params;
1542
1543 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1544
1545 if (rp->status)
1546 return rp->status;
1547
1548 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1549 if (!cp)
1550 return rp->status;
1551
1552 hci_dev_lock(hdev);
1553
1554 params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1555 if (params)
1556 params->privacy_mode = cp->mode;
1557
1558 hci_dev_unlock(hdev);
1559
1560 return rp->status;
1561 }
1562
hci_cc_le_set_adv_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1563 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1564 struct sk_buff *skb)
1565 {
1566 struct hci_ev_status *rp = data;
1567 __u8 *sent;
1568
1569 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1570
1571 if (rp->status)
1572 return rp->status;
1573
1574 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1575 if (!sent)
1576 return rp->status;
1577
1578 hci_dev_lock(hdev);
1579
1580 /* If we're doing connection initiation as peripheral. Set a
1581 * timeout in case something goes wrong.
1582 */
1583 if (*sent) {
1584 struct hci_conn *conn;
1585
1586 hci_dev_set_flag(hdev, HCI_LE_ADV);
1587
1588 conn = hci_lookup_le_connect(hdev);
1589 if (conn)
1590 queue_delayed_work(hdev->workqueue,
1591 &conn->le_conn_timeout,
1592 conn->conn_timeout);
1593 } else {
1594 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1595 }
1596
1597 hci_dev_unlock(hdev);
1598
1599 return rp->status;
1600 }
1601
hci_cc_le_set_ext_adv_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1602 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1603 struct sk_buff *skb)
1604 {
1605 struct hci_cp_le_set_ext_adv_enable *cp;
1606 struct hci_cp_ext_adv_set *set;
1607 struct adv_info *adv = NULL, *n;
1608 struct hci_ev_status *rp = data;
1609
1610 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1611
1612 if (rp->status)
1613 return rp->status;
1614
1615 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1616 if (!cp)
1617 return rp->status;
1618
1619 set = (void *)cp->data;
1620
1621 hci_dev_lock(hdev);
1622
1623 if (cp->num_of_sets)
1624 adv = hci_find_adv_instance(hdev, set->handle);
1625
1626 if (cp->enable) {
1627 struct hci_conn *conn;
1628
1629 hci_dev_set_flag(hdev, HCI_LE_ADV);
1630
1631 if (adv)
1632 adv->enabled = true;
1633
1634 conn = hci_lookup_le_connect(hdev);
1635 if (conn)
1636 queue_delayed_work(hdev->workqueue,
1637 &conn->le_conn_timeout,
1638 conn->conn_timeout);
1639 } else {
1640 if (cp->num_of_sets) {
1641 if (adv)
1642 adv->enabled = false;
1643
1644 /* If just one instance was disabled check if there are
1645 * any other instance enabled before clearing HCI_LE_ADV
1646 */
1647 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1648 list) {
1649 if (adv->enabled)
1650 goto unlock;
1651 }
1652 } else {
1653 /* All instances shall be considered disabled */
1654 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1655 list)
1656 adv->enabled = false;
1657 }
1658
1659 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1660 }
1661
1662 unlock:
1663 hci_dev_unlock(hdev);
1664 return rp->status;
1665 }
1666
hci_cc_le_set_scan_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)1667 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1668 struct sk_buff *skb)
1669 {
1670 struct hci_cp_le_set_scan_param *cp;
1671 struct hci_ev_status *rp = data;
1672
1673 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1674
1675 if (rp->status)
1676 return rp->status;
1677
1678 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1679 if (!cp)
1680 return rp->status;
1681
1682 hci_dev_lock(hdev);
1683
1684 hdev->le_scan_type = cp->type;
1685
1686 hci_dev_unlock(hdev);
1687
1688 return rp->status;
1689 }
1690
hci_cc_le_set_ext_scan_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)1691 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1692 struct sk_buff *skb)
1693 {
1694 struct hci_cp_le_set_ext_scan_params *cp;
1695 struct hci_ev_status *rp = data;
1696 struct hci_cp_le_scan_phy_params *phy_param;
1697
1698 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1699
1700 if (rp->status)
1701 return rp->status;
1702
1703 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1704 if (!cp)
1705 return rp->status;
1706
1707 phy_param = (void *)cp->data;
1708
1709 hci_dev_lock(hdev);
1710
1711 hdev->le_scan_type = phy_param->type;
1712
1713 hci_dev_unlock(hdev);
1714
1715 return rp->status;
1716 }
1717
has_pending_adv_report(struct hci_dev * hdev)1718 static bool has_pending_adv_report(struct hci_dev *hdev)
1719 {
1720 struct discovery_state *d = &hdev->discovery;
1721
1722 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1723 }
1724
clear_pending_adv_report(struct hci_dev * hdev)1725 static void clear_pending_adv_report(struct hci_dev *hdev)
1726 {
1727 struct discovery_state *d = &hdev->discovery;
1728
1729 bacpy(&d->last_adv_addr, BDADDR_ANY);
1730 d->last_adv_data_len = 0;
1731 }
1732
store_pending_adv_report(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 bdaddr_type,s8 rssi,u32 flags,u8 * data,u8 len)1733 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1734 u8 bdaddr_type, s8 rssi, u32 flags,
1735 u8 *data, u8 len)
1736 {
1737 struct discovery_state *d = &hdev->discovery;
1738
1739 if (len > HCI_MAX_AD_LENGTH)
1740 return;
1741
1742 bacpy(&d->last_adv_addr, bdaddr);
1743 d->last_adv_addr_type = bdaddr_type;
1744 d->last_adv_rssi = rssi;
1745 d->last_adv_flags = flags;
1746 memcpy(d->last_adv_data, data, len);
1747 d->last_adv_data_len = len;
1748 }
1749
le_set_scan_enable_complete(struct hci_dev * hdev,u8 enable)1750 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1751 {
1752 hci_dev_lock(hdev);
1753
1754 switch (enable) {
1755 case LE_SCAN_ENABLE:
1756 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1757 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1758 clear_pending_adv_report(hdev);
1759 if (hci_dev_test_flag(hdev, HCI_MESH))
1760 hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1761 break;
1762
1763 case LE_SCAN_DISABLE:
1764 /* We do this here instead of when setting DISCOVERY_STOPPED
1765 * since the latter would potentially require waiting for
1766 * inquiry to stop too.
1767 */
1768 if (has_pending_adv_report(hdev)) {
1769 struct discovery_state *d = &hdev->discovery;
1770
1771 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1772 d->last_adv_addr_type, NULL,
1773 d->last_adv_rssi, d->last_adv_flags,
1774 d->last_adv_data,
1775 d->last_adv_data_len, NULL, 0, 0);
1776 }
1777
1778 /* Cancel this timer so that we don't try to disable scanning
1779 * when it's already disabled.
1780 */
1781 cancel_delayed_work(&hdev->le_scan_disable);
1782
1783 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1784
1785 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1786 * interrupted scanning due to a connect request. Mark
1787 * therefore discovery as stopped.
1788 */
1789 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1790 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1791 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1792 hdev->discovery.state == DISCOVERY_FINDING)
1793 queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1794
1795 break;
1796
1797 default:
1798 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1799 enable);
1800 break;
1801 }
1802
1803 hci_dev_unlock(hdev);
1804 }
1805
hci_cc_le_set_scan_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1806 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1807 struct sk_buff *skb)
1808 {
1809 struct hci_cp_le_set_scan_enable *cp;
1810 struct hci_ev_status *rp = data;
1811
1812 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1813
1814 if (rp->status)
1815 return rp->status;
1816
1817 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1818 if (!cp)
1819 return rp->status;
1820
1821 le_set_scan_enable_complete(hdev, cp->enable);
1822
1823 return rp->status;
1824 }
1825
hci_cc_le_set_ext_scan_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)1826 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1827 struct sk_buff *skb)
1828 {
1829 struct hci_cp_le_set_ext_scan_enable *cp;
1830 struct hci_ev_status *rp = data;
1831
1832 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1833
1834 if (rp->status)
1835 return rp->status;
1836
1837 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1838 if (!cp)
1839 return rp->status;
1840
1841 le_set_scan_enable_complete(hdev, cp->enable);
1842
1843 return rp->status;
1844 }
1845
hci_cc_le_read_num_adv_sets(struct hci_dev * hdev,void * data,struct sk_buff * skb)1846 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1847 struct sk_buff *skb)
1848 {
1849 struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1850
1851 bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1852 rp->num_of_sets);
1853
1854 if (rp->status)
1855 return rp->status;
1856
1857 hdev->le_num_of_adv_sets = rp->num_of_sets;
1858
1859 return rp->status;
1860 }
1861
hci_cc_le_read_accept_list_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)1862 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1863 struct sk_buff *skb)
1864 {
1865 struct hci_rp_le_read_accept_list_size *rp = data;
1866
1867 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1868
1869 if (rp->status)
1870 return rp->status;
1871
1872 hdev->le_accept_list_size = rp->size;
1873
1874 return rp->status;
1875 }
1876
hci_cc_le_clear_accept_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1877 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1878 struct sk_buff *skb)
1879 {
1880 struct hci_ev_status *rp = data;
1881
1882 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1883
1884 if (rp->status)
1885 return rp->status;
1886
1887 hci_dev_lock(hdev);
1888 hci_bdaddr_list_clear(&hdev->le_accept_list);
1889 hci_dev_unlock(hdev);
1890
1891 return rp->status;
1892 }
1893
hci_cc_le_add_to_accept_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1894 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1895 struct sk_buff *skb)
1896 {
1897 struct hci_cp_le_add_to_accept_list *sent;
1898 struct hci_ev_status *rp = data;
1899
1900 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1901
1902 if (rp->status)
1903 return rp->status;
1904
1905 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1906 if (!sent)
1907 return rp->status;
1908
1909 hci_dev_lock(hdev);
1910 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1911 sent->bdaddr_type);
1912 hci_dev_unlock(hdev);
1913
1914 return rp->status;
1915 }
1916
hci_cc_le_del_from_accept_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1917 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1918 struct sk_buff *skb)
1919 {
1920 struct hci_cp_le_del_from_accept_list *sent;
1921 struct hci_ev_status *rp = data;
1922
1923 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1924
1925 if (rp->status)
1926 return rp->status;
1927
1928 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1929 if (!sent)
1930 return rp->status;
1931
1932 hci_dev_lock(hdev);
1933 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1934 sent->bdaddr_type);
1935 hci_dev_unlock(hdev);
1936
1937 return rp->status;
1938 }
1939
hci_cc_le_read_supported_states(struct hci_dev * hdev,void * data,struct sk_buff * skb)1940 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1941 struct sk_buff *skb)
1942 {
1943 struct hci_rp_le_read_supported_states *rp = data;
1944
1945 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1946
1947 if (rp->status)
1948 return rp->status;
1949
1950 memcpy(hdev->le_states, rp->le_states, 8);
1951
1952 return rp->status;
1953 }
1954
hci_cc_le_read_def_data_len(struct hci_dev * hdev,void * data,struct sk_buff * skb)1955 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1956 struct sk_buff *skb)
1957 {
1958 struct hci_rp_le_read_def_data_len *rp = data;
1959
1960 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1961
1962 if (rp->status)
1963 return rp->status;
1964
1965 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1966 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1967
1968 return rp->status;
1969 }
1970
hci_cc_le_write_def_data_len(struct hci_dev * hdev,void * data,struct sk_buff * skb)1971 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1972 struct sk_buff *skb)
1973 {
1974 struct hci_cp_le_write_def_data_len *sent;
1975 struct hci_ev_status *rp = data;
1976
1977 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1978
1979 if (rp->status)
1980 return rp->status;
1981
1982 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1983 if (!sent)
1984 return rp->status;
1985
1986 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1987 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1988
1989 return rp->status;
1990 }
1991
hci_cc_le_add_to_resolv_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)1992 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
1993 struct sk_buff *skb)
1994 {
1995 struct hci_cp_le_add_to_resolv_list *sent;
1996 struct hci_ev_status *rp = data;
1997
1998 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1999
2000 if (rp->status)
2001 return rp->status;
2002
2003 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2004 if (!sent)
2005 return rp->status;
2006
2007 hci_dev_lock(hdev);
2008 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2009 sent->bdaddr_type, sent->peer_irk,
2010 sent->local_irk);
2011 hci_dev_unlock(hdev);
2012
2013 return rp->status;
2014 }
2015
hci_cc_le_del_from_resolv_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)2016 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2017 struct sk_buff *skb)
2018 {
2019 struct hci_cp_le_del_from_resolv_list *sent;
2020 struct hci_ev_status *rp = data;
2021
2022 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2023
2024 if (rp->status)
2025 return rp->status;
2026
2027 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2028 if (!sent)
2029 return rp->status;
2030
2031 hci_dev_lock(hdev);
2032 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2033 sent->bdaddr_type);
2034 hci_dev_unlock(hdev);
2035
2036 return rp->status;
2037 }
2038
hci_cc_le_clear_resolv_list(struct hci_dev * hdev,void * data,struct sk_buff * skb)2039 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2040 struct sk_buff *skb)
2041 {
2042 struct hci_ev_status *rp = data;
2043
2044 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2045
2046 if (rp->status)
2047 return rp->status;
2048
2049 hci_dev_lock(hdev);
2050 hci_bdaddr_list_clear(&hdev->le_resolv_list);
2051 hci_dev_unlock(hdev);
2052
2053 return rp->status;
2054 }
2055
hci_cc_le_read_resolv_list_size(struct hci_dev * hdev,void * data,struct sk_buff * skb)2056 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2057 struct sk_buff *skb)
2058 {
2059 struct hci_rp_le_read_resolv_list_size *rp = data;
2060
2061 bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2062
2063 if (rp->status)
2064 return rp->status;
2065
2066 hdev->le_resolv_list_size = rp->size;
2067
2068 return rp->status;
2069 }
2070
hci_cc_le_set_addr_resolution_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)2071 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2072 struct sk_buff *skb)
2073 {
2074 struct hci_ev_status *rp = data;
2075 __u8 *sent;
2076
2077 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2078
2079 if (rp->status)
2080 return rp->status;
2081
2082 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2083 if (!sent)
2084 return rp->status;
2085
2086 hci_dev_lock(hdev);
2087
2088 if (*sent)
2089 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2090 else
2091 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2092
2093 hci_dev_unlock(hdev);
2094
2095 return rp->status;
2096 }
2097
hci_cc_le_read_max_data_len(struct hci_dev * hdev,void * data,struct sk_buff * skb)2098 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2099 struct sk_buff *skb)
2100 {
2101 struct hci_rp_le_read_max_data_len *rp = data;
2102
2103 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2104
2105 if (rp->status)
2106 return rp->status;
2107
2108 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2109 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2110 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2111 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2112
2113 return rp->status;
2114 }
2115
hci_cc_write_le_host_supported(struct hci_dev * hdev,void * data,struct sk_buff * skb)2116 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2117 struct sk_buff *skb)
2118 {
2119 struct hci_cp_write_le_host_supported *sent;
2120 struct hci_ev_status *rp = data;
2121
2122 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2123
2124 if (rp->status)
2125 return rp->status;
2126
2127 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2128 if (!sent)
2129 return rp->status;
2130
2131 hci_dev_lock(hdev);
2132
2133 if (sent->le) {
2134 hdev->features[1][0] |= LMP_HOST_LE;
2135 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2136 } else {
2137 hdev->features[1][0] &= ~LMP_HOST_LE;
2138 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2139 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2140 }
2141
2142 if (sent->simul)
2143 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2144 else
2145 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2146
2147 hci_dev_unlock(hdev);
2148
2149 return rp->status;
2150 }
2151
hci_cc_set_adv_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)2152 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2153 struct sk_buff *skb)
2154 {
2155 struct hci_cp_le_set_adv_param *cp;
2156 struct hci_ev_status *rp = data;
2157
2158 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2159
2160 if (rp->status)
2161 return rp->status;
2162
2163 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2164 if (!cp)
2165 return rp->status;
2166
2167 hci_dev_lock(hdev);
2168 hdev->adv_addr_type = cp->own_address_type;
2169 hci_dev_unlock(hdev);
2170
2171 return rp->status;
2172 }
2173
hci_cc_set_ext_adv_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)2174 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2175 struct sk_buff *skb)
2176 {
2177 struct hci_rp_le_set_ext_adv_params *rp = data;
2178 struct hci_cp_le_set_ext_adv_params *cp;
2179 struct adv_info *adv_instance;
2180
2181 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2182
2183 if (rp->status)
2184 return rp->status;
2185
2186 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2187 if (!cp)
2188 return rp->status;
2189
2190 hci_dev_lock(hdev);
2191 hdev->adv_addr_type = cp->own_addr_type;
2192 if (!cp->handle) {
2193 /* Store in hdev for instance 0 */
2194 hdev->adv_tx_power = rp->tx_power;
2195 } else {
2196 adv_instance = hci_find_adv_instance(hdev, cp->handle);
2197 if (adv_instance)
2198 adv_instance->tx_power = rp->tx_power;
2199 }
2200 /* Update adv data as tx power is known now */
2201 hci_update_adv_data(hdev, cp->handle);
2202
2203 hci_dev_unlock(hdev);
2204
2205 return rp->status;
2206 }
2207
hci_cc_read_rssi(struct hci_dev * hdev,void * data,struct sk_buff * skb)2208 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2209 struct sk_buff *skb)
2210 {
2211 struct hci_rp_read_rssi *rp = data;
2212 struct hci_conn *conn;
2213
2214 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2215
2216 if (rp->status)
2217 return rp->status;
2218
2219 hci_dev_lock(hdev);
2220
2221 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2222 if (conn)
2223 conn->rssi = rp->rssi;
2224
2225 hci_dev_unlock(hdev);
2226
2227 return rp->status;
2228 }
2229
hci_cc_read_tx_power(struct hci_dev * hdev,void * data,struct sk_buff * skb)2230 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2231 struct sk_buff *skb)
2232 {
2233 struct hci_cp_read_tx_power *sent;
2234 struct hci_rp_read_tx_power *rp = data;
2235 struct hci_conn *conn;
2236
2237 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2238
2239 if (rp->status)
2240 return rp->status;
2241
2242 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2243 if (!sent)
2244 return rp->status;
2245
2246 hci_dev_lock(hdev);
2247
2248 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2249 if (!conn)
2250 goto unlock;
2251
2252 switch (sent->type) {
2253 case 0x00:
2254 conn->tx_power = rp->tx_power;
2255 break;
2256 case 0x01:
2257 conn->max_tx_power = rp->tx_power;
2258 break;
2259 }
2260
2261 unlock:
2262 hci_dev_unlock(hdev);
2263 return rp->status;
2264 }
2265
hci_cc_write_ssp_debug_mode(struct hci_dev * hdev,void * data,struct sk_buff * skb)2266 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2267 struct sk_buff *skb)
2268 {
2269 struct hci_ev_status *rp = data;
2270 u8 *mode;
2271
2272 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2273
2274 if (rp->status)
2275 return rp->status;
2276
2277 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2278 if (mode)
2279 hdev->ssp_debug_mode = *mode;
2280
2281 return rp->status;
2282 }
2283
hci_cs_inquiry(struct hci_dev * hdev,__u8 status)2284 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2285 {
2286 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2287
2288 if (status) {
2289 hci_conn_check_pending(hdev);
2290 return;
2291 }
2292
2293 set_bit(HCI_INQUIRY, &hdev->flags);
2294 }
2295
hci_cs_create_conn(struct hci_dev * hdev,__u8 status)2296 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2297 {
2298 struct hci_cp_create_conn *cp;
2299 struct hci_conn *conn;
2300
2301 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2302
2303 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2304 if (!cp)
2305 return;
2306
2307 hci_dev_lock(hdev);
2308
2309 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2310
2311 bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2312
2313 if (status) {
2314 if (conn && conn->state == BT_CONNECT) {
2315 if (status != 0x0c || conn->attempt > 2) {
2316 conn->state = BT_CLOSED;
2317 hci_connect_cfm(conn, status);
2318 hci_conn_del(conn);
2319 } else
2320 conn->state = BT_CONNECT2;
2321 }
2322 } else {
2323 if (!conn) {
2324 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
2325 HCI_ROLE_MASTER);
2326 if (!conn)
2327 bt_dev_err(hdev, "no memory for new connection");
2328 }
2329 }
2330
2331 hci_dev_unlock(hdev);
2332 }
2333
hci_cs_add_sco(struct hci_dev * hdev,__u8 status)2334 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2335 {
2336 struct hci_cp_add_sco *cp;
2337 struct hci_conn *acl, *sco;
2338 __u16 handle;
2339
2340 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2341
2342 if (!status)
2343 return;
2344
2345 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2346 if (!cp)
2347 return;
2348
2349 handle = __le16_to_cpu(cp->handle);
2350
2351 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2352
2353 hci_dev_lock(hdev);
2354
2355 acl = hci_conn_hash_lookup_handle(hdev, handle);
2356 if (acl) {
2357 sco = acl->link;
2358 if (sco) {
2359 sco->state = BT_CLOSED;
2360
2361 hci_connect_cfm(sco, status);
2362 hci_conn_del(sco);
2363 }
2364 }
2365
2366 hci_dev_unlock(hdev);
2367 }
2368
hci_cs_auth_requested(struct hci_dev * hdev,__u8 status)2369 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2370 {
2371 struct hci_cp_auth_requested *cp;
2372 struct hci_conn *conn;
2373
2374 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2375
2376 if (!status)
2377 return;
2378
2379 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2380 if (!cp)
2381 return;
2382
2383 hci_dev_lock(hdev);
2384
2385 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2386 if (conn) {
2387 if (conn->state == BT_CONFIG) {
2388 hci_connect_cfm(conn, status);
2389 hci_conn_drop(conn);
2390 }
2391 }
2392
2393 hci_dev_unlock(hdev);
2394 }
2395
hci_cs_set_conn_encrypt(struct hci_dev * hdev,__u8 status)2396 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2397 {
2398 struct hci_cp_set_conn_encrypt *cp;
2399 struct hci_conn *conn;
2400
2401 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2402
2403 if (!status)
2404 return;
2405
2406 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2407 if (!cp)
2408 return;
2409
2410 hci_dev_lock(hdev);
2411
2412 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2413 if (conn) {
2414 if (conn->state == BT_CONFIG) {
2415 hci_connect_cfm(conn, status);
2416 hci_conn_drop(conn);
2417 }
2418 }
2419
2420 hci_dev_unlock(hdev);
2421 }
2422
hci_outgoing_auth_needed(struct hci_dev * hdev,struct hci_conn * conn)2423 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2424 struct hci_conn *conn)
2425 {
2426 if (conn->state != BT_CONFIG || !conn->out)
2427 return 0;
2428
2429 if (conn->pending_sec_level == BT_SECURITY_SDP)
2430 return 0;
2431
2432 /* Only request authentication for SSP connections or non-SSP
2433 * devices with sec_level MEDIUM or HIGH or if MITM protection
2434 * is requested.
2435 */
2436 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2437 conn->pending_sec_level != BT_SECURITY_FIPS &&
2438 conn->pending_sec_level != BT_SECURITY_HIGH &&
2439 conn->pending_sec_level != BT_SECURITY_MEDIUM)
2440 return 0;
2441
2442 return 1;
2443 }
2444
hci_resolve_name(struct hci_dev * hdev,struct inquiry_entry * e)2445 static int hci_resolve_name(struct hci_dev *hdev,
2446 struct inquiry_entry *e)
2447 {
2448 struct hci_cp_remote_name_req cp;
2449
2450 memset(&cp, 0, sizeof(cp));
2451
2452 bacpy(&cp.bdaddr, &e->data.bdaddr);
2453 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2454 cp.pscan_mode = e->data.pscan_mode;
2455 cp.clock_offset = e->data.clock_offset;
2456
2457 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2458 }
2459
hci_resolve_next_name(struct hci_dev * hdev)2460 static bool hci_resolve_next_name(struct hci_dev *hdev)
2461 {
2462 struct discovery_state *discov = &hdev->discovery;
2463 struct inquiry_entry *e;
2464
2465 if (list_empty(&discov->resolve))
2466 return false;
2467
2468 /* We should stop if we already spent too much time resolving names. */
2469 if (time_after(jiffies, discov->name_resolve_timeout)) {
2470 bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2471 return false;
2472 }
2473
2474 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2475 if (!e)
2476 return false;
2477
2478 if (hci_resolve_name(hdev, e) == 0) {
2479 e->name_state = NAME_PENDING;
2480 return true;
2481 }
2482
2483 return false;
2484 }
2485
hci_check_pending_name(struct hci_dev * hdev,struct hci_conn * conn,bdaddr_t * bdaddr,u8 * name,u8 name_len)2486 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2487 bdaddr_t *bdaddr, u8 *name, u8 name_len)
2488 {
2489 struct discovery_state *discov = &hdev->discovery;
2490 struct inquiry_entry *e;
2491
2492 /* Update the mgmt connected state if necessary. Be careful with
2493 * conn objects that exist but are not (yet) connected however.
2494 * Only those in BT_CONFIG or BT_CONNECTED states can be
2495 * considered connected.
2496 */
2497 if (conn &&
2498 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2499 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2500 mgmt_device_connected(hdev, conn, name, name_len);
2501
2502 if (discov->state == DISCOVERY_STOPPED)
2503 return;
2504
2505 if (discov->state == DISCOVERY_STOPPING)
2506 goto discov_complete;
2507
2508 if (discov->state != DISCOVERY_RESOLVING)
2509 return;
2510
2511 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2512 /* If the device was not found in a list of found devices names of which
2513 * are pending. there is no need to continue resolving a next name as it
2514 * will be done upon receiving another Remote Name Request Complete
2515 * Event */
2516 if (!e)
2517 return;
2518
2519 list_del(&e->list);
2520
2521 e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2522 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2523 name, name_len);
2524
2525 if (hci_resolve_next_name(hdev))
2526 return;
2527
2528 discov_complete:
2529 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2530 }
2531
hci_cs_remote_name_req(struct hci_dev * hdev,__u8 status)2532 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2533 {
2534 struct hci_cp_remote_name_req *cp;
2535 struct hci_conn *conn;
2536
2537 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2538
2539 /* If successful wait for the name req complete event before
2540 * checking for the need to do authentication */
2541 if (!status)
2542 return;
2543
2544 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2545 if (!cp)
2546 return;
2547
2548 hci_dev_lock(hdev);
2549
2550 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2551
2552 if (hci_dev_test_flag(hdev, HCI_MGMT))
2553 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2554
2555 if (!conn)
2556 goto unlock;
2557
2558 if (!hci_outgoing_auth_needed(hdev, conn))
2559 goto unlock;
2560
2561 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2562 struct hci_cp_auth_requested auth_cp;
2563
2564 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2565
2566 auth_cp.handle = __cpu_to_le16(conn->handle);
2567 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2568 sizeof(auth_cp), &auth_cp);
2569 }
2570
2571 unlock:
2572 hci_dev_unlock(hdev);
2573 }
2574
hci_cs_read_remote_features(struct hci_dev * hdev,__u8 status)2575 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2576 {
2577 struct hci_cp_read_remote_features *cp;
2578 struct hci_conn *conn;
2579
2580 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2581
2582 if (!status)
2583 return;
2584
2585 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2586 if (!cp)
2587 return;
2588
2589 hci_dev_lock(hdev);
2590
2591 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2592 if (conn) {
2593 if (conn->state == BT_CONFIG) {
2594 hci_connect_cfm(conn, status);
2595 hci_conn_drop(conn);
2596 }
2597 }
2598
2599 hci_dev_unlock(hdev);
2600 }
2601
hci_cs_read_remote_ext_features(struct hci_dev * hdev,__u8 status)2602 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2603 {
2604 struct hci_cp_read_remote_ext_features *cp;
2605 struct hci_conn *conn;
2606
2607 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2608
2609 if (!status)
2610 return;
2611
2612 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2613 if (!cp)
2614 return;
2615
2616 hci_dev_lock(hdev);
2617
2618 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2619 if (conn) {
2620 if (conn->state == BT_CONFIG) {
2621 hci_connect_cfm(conn, status);
2622 hci_conn_drop(conn);
2623 }
2624 }
2625
2626 hci_dev_unlock(hdev);
2627 }
2628
hci_cs_setup_sync_conn(struct hci_dev * hdev,__u8 status)2629 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2630 {
2631 struct hci_cp_setup_sync_conn *cp;
2632 struct hci_conn *acl, *sco;
2633 __u16 handle;
2634
2635 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2636
2637 if (!status)
2638 return;
2639
2640 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2641 if (!cp)
2642 return;
2643
2644 handle = __le16_to_cpu(cp->handle);
2645
2646 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2647
2648 hci_dev_lock(hdev);
2649
2650 acl = hci_conn_hash_lookup_handle(hdev, handle);
2651 if (acl) {
2652 sco = acl->link;
2653 if (sco) {
2654 sco->state = BT_CLOSED;
2655
2656 hci_connect_cfm(sco, status);
2657 hci_conn_del(sco);
2658 }
2659 }
2660
2661 hci_dev_unlock(hdev);
2662 }
2663
hci_cs_enhanced_setup_sync_conn(struct hci_dev * hdev,__u8 status)2664 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2665 {
2666 struct hci_cp_enhanced_setup_sync_conn *cp;
2667 struct hci_conn *acl, *sco;
2668 __u16 handle;
2669
2670 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2671
2672 if (!status)
2673 return;
2674
2675 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2676 if (!cp)
2677 return;
2678
2679 handle = __le16_to_cpu(cp->handle);
2680
2681 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2682
2683 hci_dev_lock(hdev);
2684
2685 acl = hci_conn_hash_lookup_handle(hdev, handle);
2686 if (acl) {
2687 sco = acl->link;
2688 if (sco) {
2689 sco->state = BT_CLOSED;
2690
2691 hci_connect_cfm(sco, status);
2692 hci_conn_del(sco);
2693 }
2694 }
2695
2696 hci_dev_unlock(hdev);
2697 }
2698
hci_cs_sniff_mode(struct hci_dev * hdev,__u8 status)2699 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2700 {
2701 struct hci_cp_sniff_mode *cp;
2702 struct hci_conn *conn;
2703
2704 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2705
2706 if (!status)
2707 return;
2708
2709 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2710 if (!cp)
2711 return;
2712
2713 hci_dev_lock(hdev);
2714
2715 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2716 if (conn) {
2717 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2718
2719 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2720 hci_sco_setup(conn, status);
2721 }
2722
2723 hci_dev_unlock(hdev);
2724 }
2725
hci_cs_exit_sniff_mode(struct hci_dev * hdev,__u8 status)2726 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2727 {
2728 struct hci_cp_exit_sniff_mode *cp;
2729 struct hci_conn *conn;
2730
2731 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2732
2733 if (!status)
2734 return;
2735
2736 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2737 if (!cp)
2738 return;
2739
2740 hci_dev_lock(hdev);
2741
2742 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2743 if (conn) {
2744 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2745
2746 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2747 hci_sco_setup(conn, status);
2748 }
2749
2750 hci_dev_unlock(hdev);
2751 }
2752
hci_cs_disconnect(struct hci_dev * hdev,u8 status)2753 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2754 {
2755 struct hci_cp_disconnect *cp;
2756 struct hci_conn_params *params;
2757 struct hci_conn *conn;
2758 bool mgmt_conn;
2759
2760 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2761
2762 /* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2763 * otherwise cleanup the connection immediately.
2764 */
2765 if (!status && !hdev->suspended)
2766 return;
2767
2768 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2769 if (!cp)
2770 return;
2771
2772 hci_dev_lock(hdev);
2773
2774 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2775 if (!conn)
2776 goto unlock;
2777
2778 if (status) {
2779 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2780 conn->dst_type, status);
2781
2782 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2783 hdev->cur_adv_instance = conn->adv_instance;
2784 hci_enable_advertising(hdev);
2785 }
2786
2787 goto done;
2788 }
2789
2790 mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2791
2792 if (conn->type == ACL_LINK) {
2793 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2794 hci_remove_link_key(hdev, &conn->dst);
2795 }
2796
2797 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2798 if (params) {
2799 switch (params->auto_connect) {
2800 case HCI_AUTO_CONN_LINK_LOSS:
2801 if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2802 break;
2803 fallthrough;
2804
2805 case HCI_AUTO_CONN_DIRECT:
2806 case HCI_AUTO_CONN_ALWAYS:
2807 list_del_init(¶ms->action);
2808 list_add(¶ms->action, &hdev->pend_le_conns);
2809 break;
2810
2811 default:
2812 break;
2813 }
2814 }
2815
2816 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2817 cp->reason, mgmt_conn);
2818
2819 hci_disconn_cfm(conn, cp->reason);
2820
2821 done:
2822 /* If the disconnection failed for any reason, the upper layer
2823 * does not retry to disconnect in current implementation.
2824 * Hence, we need to do some basic cleanup here and re-enable
2825 * advertising if necessary.
2826 */
2827 hci_conn_del(conn);
2828 unlock:
2829 hci_dev_unlock(hdev);
2830 }
2831
ev_bdaddr_type(struct hci_dev * hdev,u8 type,bool * resolved)2832 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2833 {
2834 /* When using controller based address resolution, then the new
2835 * address types 0x02 and 0x03 are used. These types need to be
2836 * converted back into either public address or random address type
2837 */
2838 switch (type) {
2839 case ADDR_LE_DEV_PUBLIC_RESOLVED:
2840 if (resolved)
2841 *resolved = true;
2842 return ADDR_LE_DEV_PUBLIC;
2843 case ADDR_LE_DEV_RANDOM_RESOLVED:
2844 if (resolved)
2845 *resolved = true;
2846 return ADDR_LE_DEV_RANDOM;
2847 }
2848
2849 if (resolved)
2850 *resolved = false;
2851 return type;
2852 }
2853
cs_le_create_conn(struct hci_dev * hdev,bdaddr_t * peer_addr,u8 peer_addr_type,u8 own_address_type,u8 filter_policy)2854 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2855 u8 peer_addr_type, u8 own_address_type,
2856 u8 filter_policy)
2857 {
2858 struct hci_conn *conn;
2859
2860 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2861 peer_addr_type);
2862 if (!conn)
2863 return;
2864
2865 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2866
2867 /* Store the initiator and responder address information which
2868 * is needed for SMP. These values will not change during the
2869 * lifetime of the connection.
2870 */
2871 conn->init_addr_type = own_address_type;
2872 if (own_address_type == ADDR_LE_DEV_RANDOM)
2873 bacpy(&conn->init_addr, &hdev->random_addr);
2874 else
2875 bacpy(&conn->init_addr, &hdev->bdaddr);
2876
2877 conn->resp_addr_type = peer_addr_type;
2878 bacpy(&conn->resp_addr, peer_addr);
2879
2880 /* We don't want the connection attempt to stick around
2881 * indefinitely since LE doesn't have a page timeout concept
2882 * like BR/EDR. Set a timer for any connection that doesn't use
2883 * the accept list for connecting.
2884 */
2885 if (filter_policy == HCI_LE_USE_PEER_ADDR)
2886 queue_delayed_work(conn->hdev->workqueue,
2887 &conn->le_conn_timeout,
2888 conn->conn_timeout);
2889 }
2890
hci_cs_le_create_conn(struct hci_dev * hdev,u8 status)2891 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2892 {
2893 struct hci_cp_le_create_conn *cp;
2894
2895 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2896
2897 /* All connection failure handling is taken care of by the
2898 * hci_conn_failed function which is triggered by the HCI
2899 * request completion callbacks used for connecting.
2900 */
2901 if (status)
2902 return;
2903
2904 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2905 if (!cp)
2906 return;
2907
2908 hci_dev_lock(hdev);
2909
2910 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2911 cp->own_address_type, cp->filter_policy);
2912
2913 hci_dev_unlock(hdev);
2914 }
2915
hci_cs_le_ext_create_conn(struct hci_dev * hdev,u8 status)2916 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2917 {
2918 struct hci_cp_le_ext_create_conn *cp;
2919
2920 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2921
2922 /* All connection failure handling is taken care of by the
2923 * hci_conn_failed function which is triggered by the HCI
2924 * request completion callbacks used for connecting.
2925 */
2926 if (status)
2927 return;
2928
2929 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2930 if (!cp)
2931 return;
2932
2933 hci_dev_lock(hdev);
2934
2935 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2936 cp->own_addr_type, cp->filter_policy);
2937
2938 hci_dev_unlock(hdev);
2939 }
2940
hci_cs_le_read_remote_features(struct hci_dev * hdev,u8 status)2941 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2942 {
2943 struct hci_cp_le_read_remote_features *cp;
2944 struct hci_conn *conn;
2945
2946 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2947
2948 if (!status)
2949 return;
2950
2951 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2952 if (!cp)
2953 return;
2954
2955 hci_dev_lock(hdev);
2956
2957 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2958 if (conn) {
2959 if (conn->state == BT_CONFIG) {
2960 hci_connect_cfm(conn, status);
2961 hci_conn_drop(conn);
2962 }
2963 }
2964
2965 hci_dev_unlock(hdev);
2966 }
2967
hci_cs_le_start_enc(struct hci_dev * hdev,u8 status)2968 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2969 {
2970 struct hci_cp_le_start_enc *cp;
2971 struct hci_conn *conn;
2972
2973 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2974
2975 if (!status)
2976 return;
2977
2978 hci_dev_lock(hdev);
2979
2980 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2981 if (!cp)
2982 goto unlock;
2983
2984 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2985 if (!conn)
2986 goto unlock;
2987
2988 if (conn->state != BT_CONNECTED)
2989 goto unlock;
2990
2991 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2992 hci_conn_drop(conn);
2993
2994 unlock:
2995 hci_dev_unlock(hdev);
2996 }
2997
hci_cs_switch_role(struct hci_dev * hdev,u8 status)2998 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2999 {
3000 struct hci_cp_switch_role *cp;
3001 struct hci_conn *conn;
3002
3003 BT_DBG("%s status 0x%2.2x", hdev->name, status);
3004
3005 if (!status)
3006 return;
3007
3008 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3009 if (!cp)
3010 return;
3011
3012 hci_dev_lock(hdev);
3013
3014 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3015 if (conn)
3016 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3017
3018 hci_dev_unlock(hdev);
3019 }
3020
hci_inquiry_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3021 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3022 struct sk_buff *skb)
3023 {
3024 struct hci_ev_status *ev = data;
3025 struct discovery_state *discov = &hdev->discovery;
3026 struct inquiry_entry *e;
3027
3028 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3029
3030 hci_conn_check_pending(hdev);
3031
3032 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3033 return;
3034
3035 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3036 wake_up_bit(&hdev->flags, HCI_INQUIRY);
3037
3038 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3039 return;
3040
3041 hci_dev_lock(hdev);
3042
3043 if (discov->state != DISCOVERY_FINDING)
3044 goto unlock;
3045
3046 if (list_empty(&discov->resolve)) {
3047 /* When BR/EDR inquiry is active and no LE scanning is in
3048 * progress, then change discovery state to indicate completion.
3049 *
3050 * When running LE scanning and BR/EDR inquiry simultaneously
3051 * and the LE scan already finished, then change the discovery
3052 * state to indicate completion.
3053 */
3054 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3055 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3056 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3057 goto unlock;
3058 }
3059
3060 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3061 if (e && hci_resolve_name(hdev, e) == 0) {
3062 e->name_state = NAME_PENDING;
3063 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3064 discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3065 } else {
3066 /* When BR/EDR inquiry is active and no LE scanning is in
3067 * progress, then change discovery state to indicate completion.
3068 *
3069 * When running LE scanning and BR/EDR inquiry simultaneously
3070 * and the LE scan already finished, then change the discovery
3071 * state to indicate completion.
3072 */
3073 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3074 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3075 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3076 }
3077
3078 unlock:
3079 hci_dev_unlock(hdev);
3080 }
3081
hci_inquiry_result_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)3082 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3083 struct sk_buff *skb)
3084 {
3085 struct hci_ev_inquiry_result *ev = edata;
3086 struct inquiry_data data;
3087 int i;
3088
3089 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3090 flex_array_size(ev, info, ev->num)))
3091 return;
3092
3093 bt_dev_dbg(hdev, "num %d", ev->num);
3094
3095 if (!ev->num)
3096 return;
3097
3098 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3099 return;
3100
3101 hci_dev_lock(hdev);
3102
3103 for (i = 0; i < ev->num; i++) {
3104 struct inquiry_info *info = &ev->info[i];
3105 u32 flags;
3106
3107 bacpy(&data.bdaddr, &info->bdaddr);
3108 data.pscan_rep_mode = info->pscan_rep_mode;
3109 data.pscan_period_mode = info->pscan_period_mode;
3110 data.pscan_mode = info->pscan_mode;
3111 memcpy(data.dev_class, info->dev_class, 3);
3112 data.clock_offset = info->clock_offset;
3113 data.rssi = HCI_RSSI_INVALID;
3114 data.ssp_mode = 0x00;
3115
3116 flags = hci_inquiry_cache_update(hdev, &data, false);
3117
3118 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3119 info->dev_class, HCI_RSSI_INVALID,
3120 flags, NULL, 0, NULL, 0, 0);
3121 }
3122
3123 hci_dev_unlock(hdev);
3124 }
3125
hci_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3126 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3127 struct sk_buff *skb)
3128 {
3129 struct hci_ev_conn_complete *ev = data;
3130 struct hci_conn *conn;
3131 u8 status = ev->status;
3132
3133 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3134
3135 hci_dev_lock(hdev);
3136
3137 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3138 if (!conn) {
3139 /* In case of error status and there is no connection pending
3140 * just unlock as there is nothing to cleanup.
3141 */
3142 if (ev->status)
3143 goto unlock;
3144
3145 /* Connection may not exist if auto-connected. Check the bredr
3146 * allowlist to see if this device is allowed to auto connect.
3147 * If link is an ACL type, create a connection class
3148 * automatically.
3149 *
3150 * Auto-connect will only occur if the event filter is
3151 * programmed with a given address. Right now, event filter is
3152 * only used during suspend.
3153 */
3154 if (ev->link_type == ACL_LINK &&
3155 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3156 &ev->bdaddr,
3157 BDADDR_BREDR)) {
3158 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3159 HCI_ROLE_SLAVE);
3160 if (!conn) {
3161 bt_dev_err(hdev, "no memory for new conn");
3162 goto unlock;
3163 }
3164 } else {
3165 if (ev->link_type != SCO_LINK)
3166 goto unlock;
3167
3168 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3169 &ev->bdaddr);
3170 if (!conn)
3171 goto unlock;
3172
3173 conn->type = SCO_LINK;
3174 }
3175 }
3176
3177 /* The HCI_Connection_Complete event is only sent once per connection.
3178 * Processing it more than once per connection can corrupt kernel memory.
3179 *
3180 * As the connection handle is set here for the first time, it indicates
3181 * whether the connection is already set up.
3182 */
3183 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
3184 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3185 goto unlock;
3186 }
3187
3188 if (!status) {
3189 conn->handle = __le16_to_cpu(ev->handle);
3190 if (conn->handle > HCI_CONN_HANDLE_MAX) {
3191 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
3192 conn->handle, HCI_CONN_HANDLE_MAX);
3193 status = HCI_ERROR_INVALID_PARAMETERS;
3194 goto done;
3195 }
3196
3197 if (conn->type == ACL_LINK) {
3198 conn->state = BT_CONFIG;
3199 hci_conn_hold(conn);
3200
3201 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3202 !hci_find_link_key(hdev, &ev->bdaddr))
3203 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3204 else
3205 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3206 } else
3207 conn->state = BT_CONNECTED;
3208
3209 hci_debugfs_create_conn(conn);
3210 hci_conn_add_sysfs(conn);
3211
3212 if (test_bit(HCI_AUTH, &hdev->flags))
3213 set_bit(HCI_CONN_AUTH, &conn->flags);
3214
3215 if (test_bit(HCI_ENCRYPT, &hdev->flags))
3216 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3217
3218 /* Get remote features */
3219 if (conn->type == ACL_LINK) {
3220 struct hci_cp_read_remote_features cp;
3221 cp.handle = ev->handle;
3222 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3223 sizeof(cp), &cp);
3224
3225 hci_update_scan(hdev);
3226 }
3227
3228 /* Set packet type for incoming connection */
3229 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3230 struct hci_cp_change_conn_ptype cp;
3231 cp.handle = ev->handle;
3232 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3233 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3234 &cp);
3235 }
3236 }
3237
3238 if (conn->type == ACL_LINK)
3239 hci_sco_setup(conn, ev->status);
3240
3241 done:
3242 if (status) {
3243 hci_conn_failed(conn, status);
3244 } else if (ev->link_type == SCO_LINK) {
3245 switch (conn->setting & SCO_AIRMODE_MASK) {
3246 case SCO_AIRMODE_CVSD:
3247 if (hdev->notify)
3248 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3249 break;
3250 }
3251
3252 hci_connect_cfm(conn, status);
3253 }
3254
3255 unlock:
3256 hci_dev_unlock(hdev);
3257
3258 hci_conn_check_pending(hdev);
3259 }
3260
hci_reject_conn(struct hci_dev * hdev,bdaddr_t * bdaddr)3261 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3262 {
3263 struct hci_cp_reject_conn_req cp;
3264
3265 bacpy(&cp.bdaddr, bdaddr);
3266 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3267 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3268 }
3269
hci_conn_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3270 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3271 struct sk_buff *skb)
3272 {
3273 struct hci_ev_conn_request *ev = data;
3274 int mask = hdev->link_mode;
3275 struct inquiry_entry *ie;
3276 struct hci_conn *conn;
3277 __u8 flags = 0;
3278
3279 bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3280
3281 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3282 &flags);
3283
3284 if (!(mask & HCI_LM_ACCEPT)) {
3285 hci_reject_conn(hdev, &ev->bdaddr);
3286 return;
3287 }
3288
3289 hci_dev_lock(hdev);
3290
3291 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3292 BDADDR_BREDR)) {
3293 hci_reject_conn(hdev, &ev->bdaddr);
3294 goto unlock;
3295 }
3296
3297 /* Require HCI_CONNECTABLE or an accept list entry to accept the
3298 * connection. These features are only touched through mgmt so
3299 * only do the checks if HCI_MGMT is set.
3300 */
3301 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3302 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3303 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3304 BDADDR_BREDR)) {
3305 hci_reject_conn(hdev, &ev->bdaddr);
3306 goto unlock;
3307 }
3308
3309 /* Connection accepted */
3310
3311 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3312 if (ie)
3313 memcpy(ie->data.dev_class, ev->dev_class, 3);
3314
3315 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3316 &ev->bdaddr);
3317 if (!conn) {
3318 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
3319 HCI_ROLE_SLAVE);
3320 if (!conn) {
3321 bt_dev_err(hdev, "no memory for new connection");
3322 goto unlock;
3323 }
3324 }
3325
3326 memcpy(conn->dev_class, ev->dev_class, 3);
3327
3328 hci_dev_unlock(hdev);
3329
3330 if (ev->link_type == ACL_LINK ||
3331 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3332 struct hci_cp_accept_conn_req cp;
3333 conn->state = BT_CONNECT;
3334
3335 bacpy(&cp.bdaddr, &ev->bdaddr);
3336
3337 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3338 cp.role = 0x00; /* Become central */
3339 else
3340 cp.role = 0x01; /* Remain peripheral */
3341
3342 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3343 } else if (!(flags & HCI_PROTO_DEFER)) {
3344 struct hci_cp_accept_sync_conn_req cp;
3345 conn->state = BT_CONNECT;
3346
3347 bacpy(&cp.bdaddr, &ev->bdaddr);
3348 cp.pkt_type = cpu_to_le16(conn->pkt_type);
3349
3350 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
3351 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
3352 cp.max_latency = cpu_to_le16(0xffff);
3353 cp.content_format = cpu_to_le16(hdev->voice_setting);
3354 cp.retrans_effort = 0xff;
3355
3356 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3357 &cp);
3358 } else {
3359 conn->state = BT_CONNECT2;
3360 hci_connect_cfm(conn, 0);
3361 }
3362
3363 return;
3364 unlock:
3365 hci_dev_unlock(hdev);
3366 }
3367
hci_to_mgmt_reason(u8 err)3368 static u8 hci_to_mgmt_reason(u8 err)
3369 {
3370 switch (err) {
3371 case HCI_ERROR_CONNECTION_TIMEOUT:
3372 return MGMT_DEV_DISCONN_TIMEOUT;
3373 case HCI_ERROR_REMOTE_USER_TERM:
3374 case HCI_ERROR_REMOTE_LOW_RESOURCES:
3375 case HCI_ERROR_REMOTE_POWER_OFF:
3376 return MGMT_DEV_DISCONN_REMOTE;
3377 case HCI_ERROR_LOCAL_HOST_TERM:
3378 return MGMT_DEV_DISCONN_LOCAL_HOST;
3379 default:
3380 return MGMT_DEV_DISCONN_UNKNOWN;
3381 }
3382 }
3383
hci_disconn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3384 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3385 struct sk_buff *skb)
3386 {
3387 struct hci_ev_disconn_complete *ev = data;
3388 u8 reason;
3389 struct hci_conn_params *params;
3390 struct hci_conn *conn;
3391 bool mgmt_connected;
3392
3393 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3394
3395 hci_dev_lock(hdev);
3396
3397 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3398 if (!conn)
3399 goto unlock;
3400
3401 if (ev->status) {
3402 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3403 conn->dst_type, ev->status);
3404 goto unlock;
3405 }
3406
3407 conn->state = BT_CLOSED;
3408
3409 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3410
3411 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3412 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3413 else
3414 reason = hci_to_mgmt_reason(ev->reason);
3415
3416 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3417 reason, mgmt_connected);
3418
3419 if (conn->type == ACL_LINK) {
3420 if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3421 hci_remove_link_key(hdev, &conn->dst);
3422
3423 hci_update_scan(hdev);
3424 }
3425
3426 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3427 if (params) {
3428 switch (params->auto_connect) {
3429 case HCI_AUTO_CONN_LINK_LOSS:
3430 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3431 break;
3432 fallthrough;
3433
3434 case HCI_AUTO_CONN_DIRECT:
3435 case HCI_AUTO_CONN_ALWAYS:
3436 list_del_init(¶ms->action);
3437 list_add(¶ms->action, &hdev->pend_le_conns);
3438 hci_update_passive_scan(hdev);
3439 break;
3440
3441 default:
3442 break;
3443 }
3444 }
3445
3446 hci_disconn_cfm(conn, ev->reason);
3447
3448 /* Re-enable advertising if necessary, since it might
3449 * have been disabled by the connection. From the
3450 * HCI_LE_Set_Advertise_Enable command description in
3451 * the core specification (v4.0):
3452 * "The Controller shall continue advertising until the Host
3453 * issues an LE_Set_Advertise_Enable command with
3454 * Advertising_Enable set to 0x00 (Advertising is disabled)
3455 * or until a connection is created or until the Advertising
3456 * is timed out due to Directed Advertising."
3457 */
3458 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3459 hdev->cur_adv_instance = conn->adv_instance;
3460 hci_enable_advertising(hdev);
3461 }
3462
3463 hci_conn_del(conn);
3464
3465 unlock:
3466 hci_dev_unlock(hdev);
3467 }
3468
hci_auth_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3469 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3470 struct sk_buff *skb)
3471 {
3472 struct hci_ev_auth_complete *ev = data;
3473 struct hci_conn *conn;
3474
3475 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3476
3477 hci_dev_lock(hdev);
3478
3479 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3480 if (!conn)
3481 goto unlock;
3482
3483 if (!ev->status) {
3484 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3485
3486 if (!hci_conn_ssp_enabled(conn) &&
3487 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
3488 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
3489 } else {
3490 set_bit(HCI_CONN_AUTH, &conn->flags);
3491 conn->sec_level = conn->pending_sec_level;
3492 }
3493 } else {
3494 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3495 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3496
3497 mgmt_auth_failed(conn, ev->status);
3498 }
3499
3500 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3501 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3502
3503 if (conn->state == BT_CONFIG) {
3504 if (!ev->status && hci_conn_ssp_enabled(conn)) {
3505 struct hci_cp_set_conn_encrypt cp;
3506 cp.handle = ev->handle;
3507 cp.encrypt = 0x01;
3508 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3509 &cp);
3510 } else {
3511 conn->state = BT_CONNECTED;
3512 hci_connect_cfm(conn, ev->status);
3513 hci_conn_drop(conn);
3514 }
3515 } else {
3516 hci_auth_cfm(conn, ev->status);
3517
3518 hci_conn_hold(conn);
3519 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3520 hci_conn_drop(conn);
3521 }
3522
3523 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3524 if (!ev->status) {
3525 struct hci_cp_set_conn_encrypt cp;
3526 cp.handle = ev->handle;
3527 cp.encrypt = 0x01;
3528 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3529 &cp);
3530 } else {
3531 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3532 hci_encrypt_cfm(conn, ev->status);
3533 }
3534 }
3535
3536 unlock:
3537 hci_dev_unlock(hdev);
3538 }
3539
hci_remote_name_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3540 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3541 struct sk_buff *skb)
3542 {
3543 struct hci_ev_remote_name *ev = data;
3544 struct hci_conn *conn;
3545
3546 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3547
3548 hci_conn_check_pending(hdev);
3549
3550 hci_dev_lock(hdev);
3551
3552 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3553
3554 if (!hci_dev_test_flag(hdev, HCI_MGMT))
3555 goto check_auth;
3556
3557 if (ev->status == 0)
3558 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3559 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3560 else
3561 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3562
3563 check_auth:
3564 if (!conn)
3565 goto unlock;
3566
3567 if (!hci_outgoing_auth_needed(hdev, conn))
3568 goto unlock;
3569
3570 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3571 struct hci_cp_auth_requested cp;
3572
3573 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3574
3575 cp.handle = __cpu_to_le16(conn->handle);
3576 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3577 }
3578
3579 unlock:
3580 hci_dev_unlock(hdev);
3581 }
3582
hci_encrypt_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3583 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3584 struct sk_buff *skb)
3585 {
3586 struct hci_ev_encrypt_change *ev = data;
3587 struct hci_conn *conn;
3588
3589 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3590
3591 hci_dev_lock(hdev);
3592
3593 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3594 if (!conn)
3595 goto unlock;
3596
3597 if (!ev->status) {
3598 if (ev->encrypt) {
3599 /* Encryption implies authentication */
3600 set_bit(HCI_CONN_AUTH, &conn->flags);
3601 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3602 conn->sec_level = conn->pending_sec_level;
3603
3604 /* P-256 authentication key implies FIPS */
3605 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3606 set_bit(HCI_CONN_FIPS, &conn->flags);
3607
3608 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3609 conn->type == LE_LINK)
3610 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3611 } else {
3612 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3613 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3614 }
3615 }
3616
3617 /* We should disregard the current RPA and generate a new one
3618 * whenever the encryption procedure fails.
3619 */
3620 if (ev->status && conn->type == LE_LINK) {
3621 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3622 hci_adv_instances_set_rpa_expired(hdev, true);
3623 }
3624
3625 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3626
3627 /* Check link security requirements are met */
3628 if (!hci_conn_check_link_mode(conn))
3629 ev->status = HCI_ERROR_AUTH_FAILURE;
3630
3631 if (ev->status && conn->state == BT_CONNECTED) {
3632 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3633 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3634
3635 /* Notify upper layers so they can cleanup before
3636 * disconnecting.
3637 */
3638 hci_encrypt_cfm(conn, ev->status);
3639 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3640 hci_conn_drop(conn);
3641 goto unlock;
3642 }
3643
3644 /* Try reading the encryption key size for encrypted ACL links */
3645 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3646 struct hci_cp_read_enc_key_size cp;
3647
3648 /* Only send HCI_Read_Encryption_Key_Size if the
3649 * controller really supports it. If it doesn't, assume
3650 * the default size (16).
3651 */
3652 if (!(hdev->commands[20] & 0x10)) {
3653 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3654 goto notify;
3655 }
3656
3657 cp.handle = cpu_to_le16(conn->handle);
3658 if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3659 sizeof(cp), &cp)) {
3660 bt_dev_err(hdev, "sending read key size failed");
3661 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3662 goto notify;
3663 }
3664
3665 goto unlock;
3666 }
3667
3668 /* Set the default Authenticated Payload Timeout after
3669 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3670 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3671 * sent when the link is active and Encryption is enabled, the conn
3672 * type can be either LE or ACL and controller must support LMP Ping.
3673 * Ensure for AES-CCM encryption as well.
3674 */
3675 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3676 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3677 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3678 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3679 struct hci_cp_write_auth_payload_to cp;
3680
3681 cp.handle = cpu_to_le16(conn->handle);
3682 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3683 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3684 sizeof(cp), &cp);
3685 }
3686
3687 notify:
3688 hci_encrypt_cfm(conn, ev->status);
3689
3690 unlock:
3691 hci_dev_unlock(hdev);
3692 }
3693
hci_change_link_key_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3694 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3695 struct sk_buff *skb)
3696 {
3697 struct hci_ev_change_link_key_complete *ev = data;
3698 struct hci_conn *conn;
3699
3700 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3701
3702 hci_dev_lock(hdev);
3703
3704 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3705 if (conn) {
3706 if (!ev->status)
3707 set_bit(HCI_CONN_SECURE, &conn->flags);
3708
3709 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3710
3711 hci_key_change_cfm(conn, ev->status);
3712 }
3713
3714 hci_dev_unlock(hdev);
3715 }
3716
hci_remote_features_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)3717 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3718 struct sk_buff *skb)
3719 {
3720 struct hci_ev_remote_features *ev = data;
3721 struct hci_conn *conn;
3722
3723 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3724
3725 hci_dev_lock(hdev);
3726
3727 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3728 if (!conn)
3729 goto unlock;
3730
3731 if (!ev->status)
3732 memcpy(conn->features[0], ev->features, 8);
3733
3734 if (conn->state != BT_CONFIG)
3735 goto unlock;
3736
3737 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3738 lmp_ext_feat_capable(conn)) {
3739 struct hci_cp_read_remote_ext_features cp;
3740 cp.handle = ev->handle;
3741 cp.page = 0x01;
3742 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3743 sizeof(cp), &cp);
3744 goto unlock;
3745 }
3746
3747 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3748 struct hci_cp_remote_name_req cp;
3749 memset(&cp, 0, sizeof(cp));
3750 bacpy(&cp.bdaddr, &conn->dst);
3751 cp.pscan_rep_mode = 0x02;
3752 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3753 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3754 mgmt_device_connected(hdev, conn, NULL, 0);
3755
3756 if (!hci_outgoing_auth_needed(hdev, conn)) {
3757 conn->state = BT_CONNECTED;
3758 hci_connect_cfm(conn, ev->status);
3759 hci_conn_drop(conn);
3760 }
3761
3762 unlock:
3763 hci_dev_unlock(hdev);
3764 }
3765
handle_cmd_cnt_and_timer(struct hci_dev * hdev,u8 ncmd)3766 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3767 {
3768 cancel_delayed_work(&hdev->cmd_timer);
3769
3770 rcu_read_lock();
3771 if (!test_bit(HCI_RESET, &hdev->flags)) {
3772 if (ncmd) {
3773 cancel_delayed_work(&hdev->ncmd_timer);
3774 atomic_set(&hdev->cmd_cnt, 1);
3775 } else {
3776 if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3777 queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3778 HCI_NCMD_TIMEOUT);
3779 }
3780 }
3781 rcu_read_unlock();
3782 }
3783
hci_cc_le_read_buffer_size_v2(struct hci_dev * hdev,void * data,struct sk_buff * skb)3784 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3785 struct sk_buff *skb)
3786 {
3787 struct hci_rp_le_read_buffer_size_v2 *rp = data;
3788
3789 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3790
3791 if (rp->status)
3792 return rp->status;
3793
3794 hdev->le_mtu = __le16_to_cpu(rp->acl_mtu);
3795 hdev->le_pkts = rp->acl_max_pkt;
3796 hdev->iso_mtu = __le16_to_cpu(rp->iso_mtu);
3797 hdev->iso_pkts = rp->iso_max_pkt;
3798
3799 hdev->le_cnt = hdev->le_pkts;
3800 hdev->iso_cnt = hdev->iso_pkts;
3801
3802 BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3803 hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3804
3805 return rp->status;
3806 }
3807
hci_cc_le_set_cig_params(struct hci_dev * hdev,void * data,struct sk_buff * skb)3808 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3809 struct sk_buff *skb)
3810 {
3811 struct hci_rp_le_set_cig_params *rp = data;
3812 struct hci_conn *conn;
3813 int i = 0;
3814
3815 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3816
3817 hci_dev_lock(hdev);
3818
3819 if (rp->status) {
3820 while ((conn = hci_conn_hash_lookup_cig(hdev, rp->cig_id))) {
3821 conn->state = BT_CLOSED;
3822 hci_connect_cfm(conn, rp->status);
3823 hci_conn_del(conn);
3824 }
3825 goto unlock;
3826 }
3827
3828 rcu_read_lock();
3829
3830 list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
3831 if (conn->type != ISO_LINK || conn->iso_qos.cig != rp->cig_id ||
3832 conn->state == BT_CONNECTED)
3833 continue;
3834
3835 conn->handle = __le16_to_cpu(rp->handle[i++]);
3836
3837 bt_dev_dbg(hdev, "%p handle 0x%4.4x link %p", conn,
3838 conn->handle, conn->link);
3839
3840 /* Create CIS if LE is already connected */
3841 if (conn->link && conn->link->state == BT_CONNECTED) {
3842 rcu_read_unlock();
3843 hci_le_create_cis(conn->link);
3844 rcu_read_lock();
3845 }
3846
3847 if (i == rp->num_handles)
3848 break;
3849 }
3850
3851 rcu_read_unlock();
3852
3853 unlock:
3854 hci_dev_unlock(hdev);
3855
3856 return rp->status;
3857 }
3858
hci_cc_le_setup_iso_path(struct hci_dev * hdev,void * data,struct sk_buff * skb)3859 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3860 struct sk_buff *skb)
3861 {
3862 struct hci_rp_le_setup_iso_path *rp = data;
3863 struct hci_cp_le_setup_iso_path *cp;
3864 struct hci_conn *conn;
3865
3866 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3867
3868 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3869 if (!cp)
3870 return rp->status;
3871
3872 hci_dev_lock(hdev);
3873
3874 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3875 if (!conn)
3876 goto unlock;
3877
3878 if (rp->status) {
3879 hci_connect_cfm(conn, rp->status);
3880 hci_conn_del(conn);
3881 goto unlock;
3882 }
3883
3884 switch (cp->direction) {
3885 /* Input (Host to Controller) */
3886 case 0x00:
3887 /* Only confirm connection if output only */
3888 if (conn->iso_qos.out.sdu && !conn->iso_qos.in.sdu)
3889 hci_connect_cfm(conn, rp->status);
3890 break;
3891 /* Output (Controller to Host) */
3892 case 0x01:
3893 /* Confirm connection since conn->iso_qos is always configured
3894 * last.
3895 */
3896 hci_connect_cfm(conn, rp->status);
3897 break;
3898 }
3899
3900 unlock:
3901 hci_dev_unlock(hdev);
3902 return rp->status;
3903 }
3904
hci_cs_le_create_big(struct hci_dev * hdev,u8 status)3905 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3906 {
3907 bt_dev_dbg(hdev, "status 0x%2.2x", status);
3908 }
3909
hci_cc_set_per_adv_param(struct hci_dev * hdev,void * data,struct sk_buff * skb)3910 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3911 struct sk_buff *skb)
3912 {
3913 struct hci_ev_status *rp = data;
3914 struct hci_cp_le_set_per_adv_params *cp;
3915
3916 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3917
3918 if (rp->status)
3919 return rp->status;
3920
3921 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3922 if (!cp)
3923 return rp->status;
3924
3925 /* TODO: set the conn state */
3926 return rp->status;
3927 }
3928
hci_cc_le_set_per_adv_enable(struct hci_dev * hdev,void * data,struct sk_buff * skb)3929 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3930 struct sk_buff *skb)
3931 {
3932 struct hci_ev_status *rp = data;
3933 __u8 *sent;
3934
3935 bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3936
3937 if (rp->status)
3938 return rp->status;
3939
3940 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3941 if (!sent)
3942 return rp->status;
3943
3944 hci_dev_lock(hdev);
3945
3946 if (*sent)
3947 hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
3948 else
3949 hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
3950
3951 hci_dev_unlock(hdev);
3952
3953 return rp->status;
3954 }
3955
3956 #define HCI_CC_VL(_op, _func, _min, _max) \
3957 { \
3958 .op = _op, \
3959 .func = _func, \
3960 .min_len = _min, \
3961 .max_len = _max, \
3962 }
3963
3964 #define HCI_CC(_op, _func, _len) \
3965 HCI_CC_VL(_op, _func, _len, _len)
3966
3967 #define HCI_CC_STATUS(_op, _func) \
3968 HCI_CC(_op, _func, sizeof(struct hci_ev_status))
3969
3970 static const struct hci_cc {
3971 u16 op;
3972 u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
3973 u16 min_len;
3974 u16 max_len;
3975 } hci_cc_table[] = {
3976 HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
3977 HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
3978 HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
3979 HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
3980 hci_cc_remote_name_req_cancel),
3981 HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
3982 sizeof(struct hci_rp_role_discovery)),
3983 HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
3984 sizeof(struct hci_rp_read_link_policy)),
3985 HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
3986 sizeof(struct hci_rp_write_link_policy)),
3987 HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
3988 sizeof(struct hci_rp_read_def_link_policy)),
3989 HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
3990 hci_cc_write_def_link_policy),
3991 HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
3992 HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
3993 sizeof(struct hci_rp_read_stored_link_key)),
3994 HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
3995 sizeof(struct hci_rp_delete_stored_link_key)),
3996 HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
3997 HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
3998 sizeof(struct hci_rp_read_local_name)),
3999 HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4000 HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4001 HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4002 HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4003 HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4004 sizeof(struct hci_rp_read_class_of_dev)),
4005 HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4006 HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4007 sizeof(struct hci_rp_read_voice_setting)),
4008 HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4009 HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4010 sizeof(struct hci_rp_read_num_supported_iac)),
4011 HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4012 HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4013 HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4014 sizeof(struct hci_rp_read_auth_payload_to)),
4015 HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4016 sizeof(struct hci_rp_write_auth_payload_to)),
4017 HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4018 sizeof(struct hci_rp_read_local_version)),
4019 HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4020 sizeof(struct hci_rp_read_local_commands)),
4021 HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4022 sizeof(struct hci_rp_read_local_features)),
4023 HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4024 sizeof(struct hci_rp_read_local_ext_features)),
4025 HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4026 sizeof(struct hci_rp_read_buffer_size)),
4027 HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4028 sizeof(struct hci_rp_read_bd_addr)),
4029 HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4030 sizeof(struct hci_rp_read_local_pairing_opts)),
4031 HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4032 sizeof(struct hci_rp_read_page_scan_activity)),
4033 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4034 hci_cc_write_page_scan_activity),
4035 HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4036 sizeof(struct hci_rp_read_page_scan_type)),
4037 HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4038 HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4039 sizeof(struct hci_rp_read_data_block_size)),
4040 HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4041 sizeof(struct hci_rp_read_flow_control_mode)),
4042 HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4043 sizeof(struct hci_rp_read_local_amp_info)),
4044 HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4045 sizeof(struct hci_rp_read_clock)),
4046 HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4047 sizeof(struct hci_rp_read_enc_key_size)),
4048 HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4049 sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4050 HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4051 hci_cc_read_def_err_data_reporting,
4052 sizeof(struct hci_rp_read_def_err_data_reporting)),
4053 HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4054 hci_cc_write_def_err_data_reporting),
4055 HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4056 sizeof(struct hci_rp_pin_code_reply)),
4057 HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4058 sizeof(struct hci_rp_pin_code_neg_reply)),
4059 HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4060 sizeof(struct hci_rp_read_local_oob_data)),
4061 HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4062 sizeof(struct hci_rp_read_local_oob_ext_data)),
4063 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4064 sizeof(struct hci_rp_le_read_buffer_size)),
4065 HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4066 sizeof(struct hci_rp_le_read_local_features)),
4067 HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4068 sizeof(struct hci_rp_le_read_adv_tx_power)),
4069 HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4070 sizeof(struct hci_rp_user_confirm_reply)),
4071 HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4072 sizeof(struct hci_rp_user_confirm_reply)),
4073 HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4074 sizeof(struct hci_rp_user_confirm_reply)),
4075 HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4076 sizeof(struct hci_rp_user_confirm_reply)),
4077 HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4078 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4079 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4080 HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4081 HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4082 hci_cc_le_read_accept_list_size,
4083 sizeof(struct hci_rp_le_read_accept_list_size)),
4084 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4085 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4086 hci_cc_le_add_to_accept_list),
4087 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4088 hci_cc_le_del_from_accept_list),
4089 HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4090 sizeof(struct hci_rp_le_read_supported_states)),
4091 HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4092 sizeof(struct hci_rp_le_read_def_data_len)),
4093 HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4094 hci_cc_le_write_def_data_len),
4095 HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4096 hci_cc_le_add_to_resolv_list),
4097 HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4098 hci_cc_le_del_from_resolv_list),
4099 HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4100 hci_cc_le_clear_resolv_list),
4101 HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4102 sizeof(struct hci_rp_le_read_resolv_list_size)),
4103 HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4104 hci_cc_le_set_addr_resolution_enable),
4105 HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4106 sizeof(struct hci_rp_le_read_max_data_len)),
4107 HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4108 hci_cc_write_le_host_supported),
4109 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4110 HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4111 sizeof(struct hci_rp_read_rssi)),
4112 HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4113 sizeof(struct hci_rp_read_tx_power)),
4114 HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4115 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4116 hci_cc_le_set_ext_scan_param),
4117 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4118 hci_cc_le_set_ext_scan_enable),
4119 HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4120 HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4121 hci_cc_le_read_num_adv_sets,
4122 sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4123 HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4124 sizeof(struct hci_rp_le_set_ext_adv_params)),
4125 HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4126 hci_cc_le_set_ext_adv_enable),
4127 HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4128 hci_cc_le_set_adv_set_random_addr),
4129 HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4130 HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4131 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4132 HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4133 hci_cc_le_set_per_adv_enable),
4134 HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4135 sizeof(struct hci_rp_le_read_transmit_power)),
4136 HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4137 HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4138 sizeof(struct hci_rp_le_read_buffer_size_v2)),
4139 HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4140 sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4141 HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4142 sizeof(struct hci_rp_le_setup_iso_path)),
4143 };
4144
hci_cc_func(struct hci_dev * hdev,const struct hci_cc * cc,struct sk_buff * skb)4145 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4146 struct sk_buff *skb)
4147 {
4148 void *data;
4149
4150 if (skb->len < cc->min_len) {
4151 bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4152 cc->op, skb->len, cc->min_len);
4153 return HCI_ERROR_UNSPECIFIED;
4154 }
4155
4156 /* Just warn if the length is over max_len size it still be possible to
4157 * partially parse the cc so leave to callback to decide if that is
4158 * acceptable.
4159 */
4160 if (skb->len > cc->max_len)
4161 bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4162 cc->op, skb->len, cc->max_len);
4163
4164 data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4165 if (!data)
4166 return HCI_ERROR_UNSPECIFIED;
4167
4168 return cc->func(hdev, data, skb);
4169 }
4170
hci_cmd_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)4171 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4172 struct sk_buff *skb, u16 *opcode, u8 *status,
4173 hci_req_complete_t *req_complete,
4174 hci_req_complete_skb_t *req_complete_skb)
4175 {
4176 struct hci_ev_cmd_complete *ev = data;
4177 int i;
4178
4179 *opcode = __le16_to_cpu(ev->opcode);
4180
4181 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4182
4183 for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4184 if (hci_cc_table[i].op == *opcode) {
4185 *status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4186 break;
4187 }
4188 }
4189
4190 if (i == ARRAY_SIZE(hci_cc_table)) {
4191 /* Unknown opcode, assume byte 0 contains the status, so
4192 * that e.g. __hci_cmd_sync() properly returns errors
4193 * for vendor specific commands send by HCI drivers.
4194 * If a vendor doesn't actually follow this convention we may
4195 * need to introduce a vendor CC table in order to properly set
4196 * the status.
4197 */
4198 *status = skb->data[0];
4199 }
4200
4201 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4202
4203 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4204 req_complete_skb);
4205
4206 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4207 bt_dev_err(hdev,
4208 "unexpected event for opcode 0x%4.4x", *opcode);
4209 return;
4210 }
4211
4212 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4213 queue_work(hdev->workqueue, &hdev->cmd_work);
4214 }
4215
hci_cs_le_create_cis(struct hci_dev * hdev,u8 status)4216 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4217 {
4218 struct hci_cp_le_create_cis *cp;
4219 int i;
4220
4221 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4222
4223 if (!status)
4224 return;
4225
4226 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4227 if (!cp)
4228 return;
4229
4230 hci_dev_lock(hdev);
4231
4232 /* Remove connection if command failed */
4233 for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4234 struct hci_conn *conn;
4235 u16 handle;
4236
4237 handle = __le16_to_cpu(cp->cis[i].cis_handle);
4238
4239 conn = hci_conn_hash_lookup_handle(hdev, handle);
4240 if (conn) {
4241 conn->state = BT_CLOSED;
4242 hci_connect_cfm(conn, status);
4243 hci_conn_del(conn);
4244 }
4245 }
4246
4247 hci_dev_unlock(hdev);
4248 }
4249
4250 #define HCI_CS(_op, _func) \
4251 { \
4252 .op = _op, \
4253 .func = _func, \
4254 }
4255
4256 static const struct hci_cs {
4257 u16 op;
4258 void (*func)(struct hci_dev *hdev, __u8 status);
4259 } hci_cs_table[] = {
4260 HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4261 HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4262 HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4263 HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4264 HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4265 HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4266 HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4267 HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4268 HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4269 hci_cs_read_remote_ext_features),
4270 HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4271 HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4272 hci_cs_enhanced_setup_sync_conn),
4273 HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4274 HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4275 HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4276 HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4277 HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4278 HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4279 HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4280 HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4281 HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4282 };
4283
hci_cmd_status_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)4284 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4285 struct sk_buff *skb, u16 *opcode, u8 *status,
4286 hci_req_complete_t *req_complete,
4287 hci_req_complete_skb_t *req_complete_skb)
4288 {
4289 struct hci_ev_cmd_status *ev = data;
4290 int i;
4291
4292 *opcode = __le16_to_cpu(ev->opcode);
4293 *status = ev->status;
4294
4295 bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4296
4297 for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4298 if (hci_cs_table[i].op == *opcode) {
4299 hci_cs_table[i].func(hdev, ev->status);
4300 break;
4301 }
4302 }
4303
4304 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4305
4306 /* Indicate request completion if the command failed. Also, if
4307 * we're not waiting for a special event and we get a success
4308 * command status we should try to flag the request as completed
4309 * (since for this kind of commands there will not be a command
4310 * complete event).
4311 */
4312 if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4313 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4314 req_complete_skb);
4315 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4316 bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4317 *opcode);
4318 return;
4319 }
4320 }
4321
4322 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4323 queue_work(hdev->workqueue, &hdev->cmd_work);
4324 }
4325
hci_hardware_error_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4326 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4327 struct sk_buff *skb)
4328 {
4329 struct hci_ev_hardware_error *ev = data;
4330
4331 bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4332
4333 hdev->hw_error_code = ev->code;
4334
4335 queue_work(hdev->req_workqueue, &hdev->error_reset);
4336 }
4337
hci_role_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4338 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4339 struct sk_buff *skb)
4340 {
4341 struct hci_ev_role_change *ev = data;
4342 struct hci_conn *conn;
4343
4344 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4345
4346 hci_dev_lock(hdev);
4347
4348 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4349 if (conn) {
4350 if (!ev->status)
4351 conn->role = ev->role;
4352
4353 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4354
4355 hci_role_switch_cfm(conn, ev->status, ev->role);
4356 }
4357
4358 hci_dev_unlock(hdev);
4359 }
4360
hci_num_comp_pkts_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4361 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4362 struct sk_buff *skb)
4363 {
4364 struct hci_ev_num_comp_pkts *ev = data;
4365 int i;
4366
4367 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4368 flex_array_size(ev, handles, ev->num)))
4369 return;
4370
4371 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4372 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4373 return;
4374 }
4375
4376 bt_dev_dbg(hdev, "num %d", ev->num);
4377
4378 for (i = 0; i < ev->num; i++) {
4379 struct hci_comp_pkts_info *info = &ev->handles[i];
4380 struct hci_conn *conn;
4381 __u16 handle, count;
4382
4383 handle = __le16_to_cpu(info->handle);
4384 count = __le16_to_cpu(info->count);
4385
4386 conn = hci_conn_hash_lookup_handle(hdev, handle);
4387 if (!conn)
4388 continue;
4389
4390 conn->sent -= count;
4391
4392 switch (conn->type) {
4393 case ACL_LINK:
4394 hdev->acl_cnt += count;
4395 if (hdev->acl_cnt > hdev->acl_pkts)
4396 hdev->acl_cnt = hdev->acl_pkts;
4397 break;
4398
4399 case LE_LINK:
4400 if (hdev->le_pkts) {
4401 hdev->le_cnt += count;
4402 if (hdev->le_cnt > hdev->le_pkts)
4403 hdev->le_cnt = hdev->le_pkts;
4404 } else {
4405 hdev->acl_cnt += count;
4406 if (hdev->acl_cnt > hdev->acl_pkts)
4407 hdev->acl_cnt = hdev->acl_pkts;
4408 }
4409 break;
4410
4411 case SCO_LINK:
4412 hdev->sco_cnt += count;
4413 if (hdev->sco_cnt > hdev->sco_pkts)
4414 hdev->sco_cnt = hdev->sco_pkts;
4415 break;
4416
4417 case ISO_LINK:
4418 if (hdev->iso_pkts) {
4419 hdev->iso_cnt += count;
4420 if (hdev->iso_cnt > hdev->iso_pkts)
4421 hdev->iso_cnt = hdev->iso_pkts;
4422 } else if (hdev->le_pkts) {
4423 hdev->le_cnt += count;
4424 if (hdev->le_cnt > hdev->le_pkts)
4425 hdev->le_cnt = hdev->le_pkts;
4426 } else {
4427 hdev->acl_cnt += count;
4428 if (hdev->acl_cnt > hdev->acl_pkts)
4429 hdev->acl_cnt = hdev->acl_pkts;
4430 }
4431 break;
4432
4433 default:
4434 bt_dev_err(hdev, "unknown type %d conn %p",
4435 conn->type, conn);
4436 break;
4437 }
4438 }
4439
4440 queue_work(hdev->workqueue, &hdev->tx_work);
4441 }
4442
__hci_conn_lookup_handle(struct hci_dev * hdev,__u16 handle)4443 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4444 __u16 handle)
4445 {
4446 struct hci_chan *chan;
4447
4448 switch (hdev->dev_type) {
4449 case HCI_PRIMARY:
4450 return hci_conn_hash_lookup_handle(hdev, handle);
4451 case HCI_AMP:
4452 chan = hci_chan_lookup_handle(hdev, handle);
4453 if (chan)
4454 return chan->conn;
4455 break;
4456 default:
4457 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4458 break;
4459 }
4460
4461 return NULL;
4462 }
4463
hci_num_comp_blocks_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4464 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4465 struct sk_buff *skb)
4466 {
4467 struct hci_ev_num_comp_blocks *ev = data;
4468 int i;
4469
4470 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4471 flex_array_size(ev, handles, ev->num_hndl)))
4472 return;
4473
4474 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4475 bt_dev_err(hdev, "wrong event for mode %d",
4476 hdev->flow_ctl_mode);
4477 return;
4478 }
4479
4480 bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4481 ev->num_hndl);
4482
4483 for (i = 0; i < ev->num_hndl; i++) {
4484 struct hci_comp_blocks_info *info = &ev->handles[i];
4485 struct hci_conn *conn = NULL;
4486 __u16 handle, block_count;
4487
4488 handle = __le16_to_cpu(info->handle);
4489 block_count = __le16_to_cpu(info->blocks);
4490
4491 conn = __hci_conn_lookup_handle(hdev, handle);
4492 if (!conn)
4493 continue;
4494
4495 conn->sent -= block_count;
4496
4497 switch (conn->type) {
4498 case ACL_LINK:
4499 case AMP_LINK:
4500 hdev->block_cnt += block_count;
4501 if (hdev->block_cnt > hdev->num_blocks)
4502 hdev->block_cnt = hdev->num_blocks;
4503 break;
4504
4505 default:
4506 bt_dev_err(hdev, "unknown type %d conn %p",
4507 conn->type, conn);
4508 break;
4509 }
4510 }
4511
4512 queue_work(hdev->workqueue, &hdev->tx_work);
4513 }
4514
hci_mode_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4515 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4516 struct sk_buff *skb)
4517 {
4518 struct hci_ev_mode_change *ev = data;
4519 struct hci_conn *conn;
4520
4521 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4522
4523 hci_dev_lock(hdev);
4524
4525 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4526 if (conn) {
4527 conn->mode = ev->mode;
4528
4529 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4530 &conn->flags)) {
4531 if (conn->mode == HCI_CM_ACTIVE)
4532 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4533 else
4534 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4535 }
4536
4537 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4538 hci_sco_setup(conn, ev->status);
4539 }
4540
4541 hci_dev_unlock(hdev);
4542 }
4543
hci_pin_code_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4544 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4545 struct sk_buff *skb)
4546 {
4547 struct hci_ev_pin_code_req *ev = data;
4548 struct hci_conn *conn;
4549
4550 bt_dev_dbg(hdev, "");
4551
4552 hci_dev_lock(hdev);
4553
4554 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4555 if (!conn)
4556 goto unlock;
4557
4558 if (conn->state == BT_CONNECTED) {
4559 hci_conn_hold(conn);
4560 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4561 hci_conn_drop(conn);
4562 }
4563
4564 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4565 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4566 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4567 sizeof(ev->bdaddr), &ev->bdaddr);
4568 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4569 u8 secure;
4570
4571 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4572 secure = 1;
4573 else
4574 secure = 0;
4575
4576 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4577 }
4578
4579 unlock:
4580 hci_dev_unlock(hdev);
4581 }
4582
conn_set_key(struct hci_conn * conn,u8 key_type,u8 pin_len)4583 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4584 {
4585 if (key_type == HCI_LK_CHANGED_COMBINATION)
4586 return;
4587
4588 conn->pin_length = pin_len;
4589 conn->key_type = key_type;
4590
4591 switch (key_type) {
4592 case HCI_LK_LOCAL_UNIT:
4593 case HCI_LK_REMOTE_UNIT:
4594 case HCI_LK_DEBUG_COMBINATION:
4595 return;
4596 case HCI_LK_COMBINATION:
4597 if (pin_len == 16)
4598 conn->pending_sec_level = BT_SECURITY_HIGH;
4599 else
4600 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4601 break;
4602 case HCI_LK_UNAUTH_COMBINATION_P192:
4603 case HCI_LK_UNAUTH_COMBINATION_P256:
4604 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4605 break;
4606 case HCI_LK_AUTH_COMBINATION_P192:
4607 conn->pending_sec_level = BT_SECURITY_HIGH;
4608 break;
4609 case HCI_LK_AUTH_COMBINATION_P256:
4610 conn->pending_sec_level = BT_SECURITY_FIPS;
4611 break;
4612 }
4613 }
4614
hci_link_key_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4615 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4616 struct sk_buff *skb)
4617 {
4618 struct hci_ev_link_key_req *ev = data;
4619 struct hci_cp_link_key_reply cp;
4620 struct hci_conn *conn;
4621 struct link_key *key;
4622
4623 bt_dev_dbg(hdev, "");
4624
4625 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4626 return;
4627
4628 hci_dev_lock(hdev);
4629
4630 key = hci_find_link_key(hdev, &ev->bdaddr);
4631 if (!key) {
4632 bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4633 goto not_found;
4634 }
4635
4636 bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4637
4638 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4639 if (conn) {
4640 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4641
4642 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4643 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4644 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4645 bt_dev_dbg(hdev, "ignoring unauthenticated key");
4646 goto not_found;
4647 }
4648
4649 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4650 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4651 conn->pending_sec_level == BT_SECURITY_FIPS)) {
4652 bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4653 goto not_found;
4654 }
4655
4656 conn_set_key(conn, key->type, key->pin_len);
4657 }
4658
4659 bacpy(&cp.bdaddr, &ev->bdaddr);
4660 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4661
4662 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4663
4664 hci_dev_unlock(hdev);
4665
4666 return;
4667
4668 not_found:
4669 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4670 hci_dev_unlock(hdev);
4671 }
4672
hci_link_key_notify_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4673 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4674 struct sk_buff *skb)
4675 {
4676 struct hci_ev_link_key_notify *ev = data;
4677 struct hci_conn *conn;
4678 struct link_key *key;
4679 bool persistent;
4680 u8 pin_len = 0;
4681
4682 bt_dev_dbg(hdev, "");
4683
4684 hci_dev_lock(hdev);
4685
4686 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4687 if (!conn)
4688 goto unlock;
4689
4690 hci_conn_hold(conn);
4691 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4692 hci_conn_drop(conn);
4693
4694 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4695 conn_set_key(conn, ev->key_type, conn->pin_length);
4696
4697 if (!hci_dev_test_flag(hdev, HCI_MGMT))
4698 goto unlock;
4699
4700 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4701 ev->key_type, pin_len, &persistent);
4702 if (!key)
4703 goto unlock;
4704
4705 /* Update connection information since adding the key will have
4706 * fixed up the type in the case of changed combination keys.
4707 */
4708 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4709 conn_set_key(conn, key->type, key->pin_len);
4710
4711 mgmt_new_link_key(hdev, key, persistent);
4712
4713 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4714 * is set. If it's not set simply remove the key from the kernel
4715 * list (we've still notified user space about it but with
4716 * store_hint being 0).
4717 */
4718 if (key->type == HCI_LK_DEBUG_COMBINATION &&
4719 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4720 list_del_rcu(&key->list);
4721 kfree_rcu(key, rcu);
4722 goto unlock;
4723 }
4724
4725 if (persistent)
4726 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4727 else
4728 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4729
4730 unlock:
4731 hci_dev_unlock(hdev);
4732 }
4733
hci_clock_offset_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4734 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4735 struct sk_buff *skb)
4736 {
4737 struct hci_ev_clock_offset *ev = data;
4738 struct hci_conn *conn;
4739
4740 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4741
4742 hci_dev_lock(hdev);
4743
4744 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4745 if (conn && !ev->status) {
4746 struct inquiry_entry *ie;
4747
4748 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4749 if (ie) {
4750 ie->data.clock_offset = ev->clock_offset;
4751 ie->timestamp = jiffies;
4752 }
4753 }
4754
4755 hci_dev_unlock(hdev);
4756 }
4757
hci_pkt_type_change_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4758 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4759 struct sk_buff *skb)
4760 {
4761 struct hci_ev_pkt_type_change *ev = data;
4762 struct hci_conn *conn;
4763
4764 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4765
4766 hci_dev_lock(hdev);
4767
4768 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4769 if (conn && !ev->status)
4770 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4771
4772 hci_dev_unlock(hdev);
4773 }
4774
hci_pscan_rep_mode_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4775 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4776 struct sk_buff *skb)
4777 {
4778 struct hci_ev_pscan_rep_mode *ev = data;
4779 struct inquiry_entry *ie;
4780
4781 bt_dev_dbg(hdev, "");
4782
4783 hci_dev_lock(hdev);
4784
4785 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4786 if (ie) {
4787 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4788 ie->timestamp = jiffies;
4789 }
4790
4791 hci_dev_unlock(hdev);
4792 }
4793
hci_inquiry_result_with_rssi_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)4794 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4795 struct sk_buff *skb)
4796 {
4797 struct hci_ev_inquiry_result_rssi *ev = edata;
4798 struct inquiry_data data;
4799 int i;
4800
4801 bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4802
4803 if (!ev->num)
4804 return;
4805
4806 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4807 return;
4808
4809 hci_dev_lock(hdev);
4810
4811 if (skb->len == array_size(ev->num,
4812 sizeof(struct inquiry_info_rssi_pscan))) {
4813 struct inquiry_info_rssi_pscan *info;
4814
4815 for (i = 0; i < ev->num; i++) {
4816 u32 flags;
4817
4818 info = hci_ev_skb_pull(hdev, skb,
4819 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4820 sizeof(*info));
4821 if (!info) {
4822 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4823 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4824 goto unlock;
4825 }
4826
4827 bacpy(&data.bdaddr, &info->bdaddr);
4828 data.pscan_rep_mode = info->pscan_rep_mode;
4829 data.pscan_period_mode = info->pscan_period_mode;
4830 data.pscan_mode = info->pscan_mode;
4831 memcpy(data.dev_class, info->dev_class, 3);
4832 data.clock_offset = info->clock_offset;
4833 data.rssi = info->rssi;
4834 data.ssp_mode = 0x00;
4835
4836 flags = hci_inquiry_cache_update(hdev, &data, false);
4837
4838 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4839 info->dev_class, info->rssi,
4840 flags, NULL, 0, NULL, 0, 0);
4841 }
4842 } else if (skb->len == array_size(ev->num,
4843 sizeof(struct inquiry_info_rssi))) {
4844 struct inquiry_info_rssi *info;
4845
4846 for (i = 0; i < ev->num; i++) {
4847 u32 flags;
4848
4849 info = hci_ev_skb_pull(hdev, skb,
4850 HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4851 sizeof(*info));
4852 if (!info) {
4853 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4854 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4855 goto unlock;
4856 }
4857
4858 bacpy(&data.bdaddr, &info->bdaddr);
4859 data.pscan_rep_mode = info->pscan_rep_mode;
4860 data.pscan_period_mode = info->pscan_period_mode;
4861 data.pscan_mode = 0x00;
4862 memcpy(data.dev_class, info->dev_class, 3);
4863 data.clock_offset = info->clock_offset;
4864 data.rssi = info->rssi;
4865 data.ssp_mode = 0x00;
4866
4867 flags = hci_inquiry_cache_update(hdev, &data, false);
4868
4869 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4870 info->dev_class, info->rssi,
4871 flags, NULL, 0, NULL, 0, 0);
4872 }
4873 } else {
4874 bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4875 HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4876 }
4877 unlock:
4878 hci_dev_unlock(hdev);
4879 }
4880
hci_remote_ext_features_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4881 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4882 struct sk_buff *skb)
4883 {
4884 struct hci_ev_remote_ext_features *ev = data;
4885 struct hci_conn *conn;
4886
4887 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4888
4889 hci_dev_lock(hdev);
4890
4891 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4892 if (!conn)
4893 goto unlock;
4894
4895 if (ev->page < HCI_MAX_PAGES)
4896 memcpy(conn->features[ev->page], ev->features, 8);
4897
4898 if (!ev->status && ev->page == 0x01) {
4899 struct inquiry_entry *ie;
4900
4901 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4902 if (ie)
4903 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4904
4905 if (ev->features[0] & LMP_HOST_SSP) {
4906 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4907 } else {
4908 /* It is mandatory by the Bluetooth specification that
4909 * Extended Inquiry Results are only used when Secure
4910 * Simple Pairing is enabled, but some devices violate
4911 * this.
4912 *
4913 * To make these devices work, the internal SSP
4914 * enabled flag needs to be cleared if the remote host
4915 * features do not indicate SSP support */
4916 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4917 }
4918
4919 if (ev->features[0] & LMP_HOST_SC)
4920 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4921 }
4922
4923 if (conn->state != BT_CONFIG)
4924 goto unlock;
4925
4926 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4927 struct hci_cp_remote_name_req cp;
4928 memset(&cp, 0, sizeof(cp));
4929 bacpy(&cp.bdaddr, &conn->dst);
4930 cp.pscan_rep_mode = 0x02;
4931 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4932 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4933 mgmt_device_connected(hdev, conn, NULL, 0);
4934
4935 if (!hci_outgoing_auth_needed(hdev, conn)) {
4936 conn->state = BT_CONNECTED;
4937 hci_connect_cfm(conn, ev->status);
4938 hci_conn_drop(conn);
4939 }
4940
4941 unlock:
4942 hci_dev_unlock(hdev);
4943 }
4944
hci_sync_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)4945 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
4946 struct sk_buff *skb)
4947 {
4948 struct hci_ev_sync_conn_complete *ev = data;
4949 struct hci_conn *conn;
4950 u8 status = ev->status;
4951
4952 switch (ev->link_type) {
4953 case SCO_LINK:
4954 case ESCO_LINK:
4955 break;
4956 default:
4957 /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
4958 * for HCI_Synchronous_Connection_Complete is limited to
4959 * either SCO or eSCO
4960 */
4961 bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
4962 return;
4963 }
4964
4965 bt_dev_dbg(hdev, "status 0x%2.2x", status);
4966
4967 hci_dev_lock(hdev);
4968
4969 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4970 if (!conn) {
4971 if (ev->link_type == ESCO_LINK)
4972 goto unlock;
4973
4974 /* When the link type in the event indicates SCO connection
4975 * and lookup of the connection object fails, then check
4976 * if an eSCO connection object exists.
4977 *
4978 * The core limits the synchronous connections to either
4979 * SCO or eSCO. The eSCO connection is preferred and tried
4980 * to be setup first and until successfully established,
4981 * the link type will be hinted as eSCO.
4982 */
4983 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4984 if (!conn)
4985 goto unlock;
4986 }
4987
4988 /* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
4989 * Processing it more than once per connection can corrupt kernel memory.
4990 *
4991 * As the connection handle is set here for the first time, it indicates
4992 * whether the connection is already set up.
4993 */
4994 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
4995 bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
4996 goto unlock;
4997 }
4998
4999 switch (status) {
5000 case 0x00:
5001 conn->handle = __le16_to_cpu(ev->handle);
5002 if (conn->handle > HCI_CONN_HANDLE_MAX) {
5003 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
5004 conn->handle, HCI_CONN_HANDLE_MAX);
5005 status = HCI_ERROR_INVALID_PARAMETERS;
5006 conn->state = BT_CLOSED;
5007 break;
5008 }
5009
5010 conn->state = BT_CONNECTED;
5011 conn->type = ev->link_type;
5012
5013 hci_debugfs_create_conn(conn);
5014 hci_conn_add_sysfs(conn);
5015 break;
5016
5017 case 0x10: /* Connection Accept Timeout */
5018 case 0x0d: /* Connection Rejected due to Limited Resources */
5019 case 0x11: /* Unsupported Feature or Parameter Value */
5020 case 0x1c: /* SCO interval rejected */
5021 case 0x1a: /* Unsupported Remote Feature */
5022 case 0x1e: /* Invalid LMP Parameters */
5023 case 0x1f: /* Unspecified error */
5024 case 0x20: /* Unsupported LMP Parameter value */
5025 if (conn->out) {
5026 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5027 (hdev->esco_type & EDR_ESCO_MASK);
5028 if (hci_setup_sync(conn, conn->link->handle))
5029 goto unlock;
5030 }
5031 fallthrough;
5032
5033 default:
5034 conn->state = BT_CLOSED;
5035 break;
5036 }
5037
5038 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5039 /* Notify only in case of SCO over HCI transport data path which
5040 * is zero and non-zero value shall be non-HCI transport data path
5041 */
5042 if (conn->codec.data_path == 0 && hdev->notify) {
5043 switch (ev->air_mode) {
5044 case 0x02:
5045 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5046 break;
5047 case 0x03:
5048 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5049 break;
5050 }
5051 }
5052
5053 hci_connect_cfm(conn, status);
5054 if (status)
5055 hci_conn_del(conn);
5056
5057 unlock:
5058 hci_dev_unlock(hdev);
5059 }
5060
eir_get_length(u8 * eir,size_t eir_len)5061 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5062 {
5063 size_t parsed = 0;
5064
5065 while (parsed < eir_len) {
5066 u8 field_len = eir[0];
5067
5068 if (field_len == 0)
5069 return parsed;
5070
5071 parsed += field_len + 1;
5072 eir += field_len + 1;
5073 }
5074
5075 return eir_len;
5076 }
5077
hci_extended_inquiry_result_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)5078 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5079 struct sk_buff *skb)
5080 {
5081 struct hci_ev_ext_inquiry_result *ev = edata;
5082 struct inquiry_data data;
5083 size_t eir_len;
5084 int i;
5085
5086 if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5087 flex_array_size(ev, info, ev->num)))
5088 return;
5089
5090 bt_dev_dbg(hdev, "num %d", ev->num);
5091
5092 if (!ev->num)
5093 return;
5094
5095 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5096 return;
5097
5098 hci_dev_lock(hdev);
5099
5100 for (i = 0; i < ev->num; i++) {
5101 struct extended_inquiry_info *info = &ev->info[i];
5102 u32 flags;
5103 bool name_known;
5104
5105 bacpy(&data.bdaddr, &info->bdaddr);
5106 data.pscan_rep_mode = info->pscan_rep_mode;
5107 data.pscan_period_mode = info->pscan_period_mode;
5108 data.pscan_mode = 0x00;
5109 memcpy(data.dev_class, info->dev_class, 3);
5110 data.clock_offset = info->clock_offset;
5111 data.rssi = info->rssi;
5112 data.ssp_mode = 0x01;
5113
5114 if (hci_dev_test_flag(hdev, HCI_MGMT))
5115 name_known = eir_get_data(info->data,
5116 sizeof(info->data),
5117 EIR_NAME_COMPLETE, NULL);
5118 else
5119 name_known = true;
5120
5121 flags = hci_inquiry_cache_update(hdev, &data, name_known);
5122
5123 eir_len = eir_get_length(info->data, sizeof(info->data));
5124
5125 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5126 info->dev_class, info->rssi,
5127 flags, info->data, eir_len, NULL, 0, 0);
5128 }
5129
5130 hci_dev_unlock(hdev);
5131 }
5132
hci_key_refresh_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5133 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5134 struct sk_buff *skb)
5135 {
5136 struct hci_ev_key_refresh_complete *ev = data;
5137 struct hci_conn *conn;
5138
5139 bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5140 __le16_to_cpu(ev->handle));
5141
5142 hci_dev_lock(hdev);
5143
5144 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5145 if (!conn)
5146 goto unlock;
5147
5148 /* For BR/EDR the necessary steps are taken through the
5149 * auth_complete event.
5150 */
5151 if (conn->type != LE_LINK)
5152 goto unlock;
5153
5154 if (!ev->status)
5155 conn->sec_level = conn->pending_sec_level;
5156
5157 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5158
5159 if (ev->status && conn->state == BT_CONNECTED) {
5160 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5161 hci_conn_drop(conn);
5162 goto unlock;
5163 }
5164
5165 if (conn->state == BT_CONFIG) {
5166 if (!ev->status)
5167 conn->state = BT_CONNECTED;
5168
5169 hci_connect_cfm(conn, ev->status);
5170 hci_conn_drop(conn);
5171 } else {
5172 hci_auth_cfm(conn, ev->status);
5173
5174 hci_conn_hold(conn);
5175 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5176 hci_conn_drop(conn);
5177 }
5178
5179 unlock:
5180 hci_dev_unlock(hdev);
5181 }
5182
hci_get_auth_req(struct hci_conn * conn)5183 static u8 hci_get_auth_req(struct hci_conn *conn)
5184 {
5185 /* If remote requests no-bonding follow that lead */
5186 if (conn->remote_auth == HCI_AT_NO_BONDING ||
5187 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5188 return conn->remote_auth | (conn->auth_type & 0x01);
5189
5190 /* If both remote and local have enough IO capabilities, require
5191 * MITM protection
5192 */
5193 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5194 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5195 return conn->remote_auth | 0x01;
5196
5197 /* No MITM protection possible so ignore remote requirement */
5198 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5199 }
5200
bredr_oob_data_present(struct hci_conn * conn)5201 static u8 bredr_oob_data_present(struct hci_conn *conn)
5202 {
5203 struct hci_dev *hdev = conn->hdev;
5204 struct oob_data *data;
5205
5206 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5207 if (!data)
5208 return 0x00;
5209
5210 if (bredr_sc_enabled(hdev)) {
5211 /* When Secure Connections is enabled, then just
5212 * return the present value stored with the OOB
5213 * data. The stored value contains the right present
5214 * information. However it can only be trusted when
5215 * not in Secure Connection Only mode.
5216 */
5217 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5218 return data->present;
5219
5220 /* When Secure Connections Only mode is enabled, then
5221 * the P-256 values are required. If they are not
5222 * available, then do not declare that OOB data is
5223 * present.
5224 */
5225 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
5226 !memcmp(data->hash256, ZERO_KEY, 16))
5227 return 0x00;
5228
5229 return 0x02;
5230 }
5231
5232 /* When Secure Connections is not enabled or actually
5233 * not supported by the hardware, then check that if
5234 * P-192 data values are present.
5235 */
5236 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
5237 !memcmp(data->hash192, ZERO_KEY, 16))
5238 return 0x00;
5239
5240 return 0x01;
5241 }
5242
hci_io_capa_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5243 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5244 struct sk_buff *skb)
5245 {
5246 struct hci_ev_io_capa_request *ev = data;
5247 struct hci_conn *conn;
5248
5249 bt_dev_dbg(hdev, "");
5250
5251 hci_dev_lock(hdev);
5252
5253 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5254 if (!conn)
5255 goto unlock;
5256
5257 hci_conn_hold(conn);
5258
5259 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5260 goto unlock;
5261
5262 /* Allow pairing if we're pairable, the initiators of the
5263 * pairing or if the remote is not requesting bonding.
5264 */
5265 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5266 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5267 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5268 struct hci_cp_io_capability_reply cp;
5269
5270 bacpy(&cp.bdaddr, &ev->bdaddr);
5271 /* Change the IO capability from KeyboardDisplay
5272 * to DisplayYesNo as it is not supported by BT spec. */
5273 cp.capability = (conn->io_capability == 0x04) ?
5274 HCI_IO_DISPLAY_YESNO : conn->io_capability;
5275
5276 /* If we are initiators, there is no remote information yet */
5277 if (conn->remote_auth == 0xff) {
5278 /* Request MITM protection if our IO caps allow it
5279 * except for the no-bonding case.
5280 */
5281 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5282 conn->auth_type != HCI_AT_NO_BONDING)
5283 conn->auth_type |= 0x01;
5284 } else {
5285 conn->auth_type = hci_get_auth_req(conn);
5286 }
5287
5288 /* If we're not bondable, force one of the non-bondable
5289 * authentication requirement values.
5290 */
5291 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5292 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5293
5294 cp.authentication = conn->auth_type;
5295 cp.oob_data = bredr_oob_data_present(conn);
5296
5297 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5298 sizeof(cp), &cp);
5299 } else {
5300 struct hci_cp_io_capability_neg_reply cp;
5301
5302 bacpy(&cp.bdaddr, &ev->bdaddr);
5303 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5304
5305 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5306 sizeof(cp), &cp);
5307 }
5308
5309 unlock:
5310 hci_dev_unlock(hdev);
5311 }
5312
hci_io_capa_reply_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5313 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5314 struct sk_buff *skb)
5315 {
5316 struct hci_ev_io_capa_reply *ev = data;
5317 struct hci_conn *conn;
5318
5319 bt_dev_dbg(hdev, "");
5320
5321 hci_dev_lock(hdev);
5322
5323 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5324 if (!conn)
5325 goto unlock;
5326
5327 conn->remote_cap = ev->capability;
5328 conn->remote_auth = ev->authentication;
5329
5330 unlock:
5331 hci_dev_unlock(hdev);
5332 }
5333
hci_user_confirm_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5334 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5335 struct sk_buff *skb)
5336 {
5337 struct hci_ev_user_confirm_req *ev = data;
5338 int loc_mitm, rem_mitm, confirm_hint = 0;
5339 struct hci_conn *conn;
5340
5341 bt_dev_dbg(hdev, "");
5342
5343 hci_dev_lock(hdev);
5344
5345 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5346 goto unlock;
5347
5348 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5349 if (!conn)
5350 goto unlock;
5351
5352 loc_mitm = (conn->auth_type & 0x01);
5353 rem_mitm = (conn->remote_auth & 0x01);
5354
5355 /* If we require MITM but the remote device can't provide that
5356 * (it has NoInputNoOutput) then reject the confirmation
5357 * request. We check the security level here since it doesn't
5358 * necessarily match conn->auth_type.
5359 */
5360 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5361 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5362 bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5363 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5364 sizeof(ev->bdaddr), &ev->bdaddr);
5365 goto unlock;
5366 }
5367
5368 /* If no side requires MITM protection; auto-accept */
5369 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5370 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5371
5372 /* If we're not the initiators request authorization to
5373 * proceed from user space (mgmt_user_confirm with
5374 * confirm_hint set to 1). The exception is if neither
5375 * side had MITM or if the local IO capability is
5376 * NoInputNoOutput, in which case we do auto-accept
5377 */
5378 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5379 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5380 (loc_mitm || rem_mitm)) {
5381 bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5382 confirm_hint = 1;
5383 goto confirm;
5384 }
5385
5386 /* If there already exists link key in local host, leave the
5387 * decision to user space since the remote device could be
5388 * legitimate or malicious.
5389 */
5390 if (hci_find_link_key(hdev, &ev->bdaddr)) {
5391 bt_dev_dbg(hdev, "Local host already has link key");
5392 confirm_hint = 1;
5393 goto confirm;
5394 }
5395
5396 BT_DBG("Auto-accept of user confirmation with %ums delay",
5397 hdev->auto_accept_delay);
5398
5399 if (hdev->auto_accept_delay > 0) {
5400 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5401 queue_delayed_work(conn->hdev->workqueue,
5402 &conn->auto_accept_work, delay);
5403 goto unlock;
5404 }
5405
5406 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5407 sizeof(ev->bdaddr), &ev->bdaddr);
5408 goto unlock;
5409 }
5410
5411 confirm:
5412 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5413 le32_to_cpu(ev->passkey), confirm_hint);
5414
5415 unlock:
5416 hci_dev_unlock(hdev);
5417 }
5418
hci_user_passkey_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5419 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5420 struct sk_buff *skb)
5421 {
5422 struct hci_ev_user_passkey_req *ev = data;
5423
5424 bt_dev_dbg(hdev, "");
5425
5426 if (hci_dev_test_flag(hdev, HCI_MGMT))
5427 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5428 }
5429
hci_user_passkey_notify_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5430 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5431 struct sk_buff *skb)
5432 {
5433 struct hci_ev_user_passkey_notify *ev = data;
5434 struct hci_conn *conn;
5435
5436 bt_dev_dbg(hdev, "");
5437
5438 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5439 if (!conn)
5440 return;
5441
5442 conn->passkey_notify = __le32_to_cpu(ev->passkey);
5443 conn->passkey_entered = 0;
5444
5445 if (hci_dev_test_flag(hdev, HCI_MGMT))
5446 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5447 conn->dst_type, conn->passkey_notify,
5448 conn->passkey_entered);
5449 }
5450
hci_keypress_notify_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5451 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5452 struct sk_buff *skb)
5453 {
5454 struct hci_ev_keypress_notify *ev = data;
5455 struct hci_conn *conn;
5456
5457 bt_dev_dbg(hdev, "");
5458
5459 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5460 if (!conn)
5461 return;
5462
5463 switch (ev->type) {
5464 case HCI_KEYPRESS_STARTED:
5465 conn->passkey_entered = 0;
5466 return;
5467
5468 case HCI_KEYPRESS_ENTERED:
5469 conn->passkey_entered++;
5470 break;
5471
5472 case HCI_KEYPRESS_ERASED:
5473 conn->passkey_entered--;
5474 break;
5475
5476 case HCI_KEYPRESS_CLEARED:
5477 conn->passkey_entered = 0;
5478 break;
5479
5480 case HCI_KEYPRESS_COMPLETED:
5481 return;
5482 }
5483
5484 if (hci_dev_test_flag(hdev, HCI_MGMT))
5485 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5486 conn->dst_type, conn->passkey_notify,
5487 conn->passkey_entered);
5488 }
5489
hci_simple_pair_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5490 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5491 struct sk_buff *skb)
5492 {
5493 struct hci_ev_simple_pair_complete *ev = data;
5494 struct hci_conn *conn;
5495
5496 bt_dev_dbg(hdev, "");
5497
5498 hci_dev_lock(hdev);
5499
5500 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5501 if (!conn)
5502 goto unlock;
5503
5504 /* Reset the authentication requirement to unknown */
5505 conn->remote_auth = 0xff;
5506
5507 /* To avoid duplicate auth_failed events to user space we check
5508 * the HCI_CONN_AUTH_PEND flag which will be set if we
5509 * initiated the authentication. A traditional auth_complete
5510 * event gets always produced as initiator and is also mapped to
5511 * the mgmt_auth_failed event */
5512 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5513 mgmt_auth_failed(conn, ev->status);
5514
5515 hci_conn_drop(conn);
5516
5517 unlock:
5518 hci_dev_unlock(hdev);
5519 }
5520
hci_remote_host_features_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5521 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5522 struct sk_buff *skb)
5523 {
5524 struct hci_ev_remote_host_features *ev = data;
5525 struct inquiry_entry *ie;
5526 struct hci_conn *conn;
5527
5528 bt_dev_dbg(hdev, "");
5529
5530 hci_dev_lock(hdev);
5531
5532 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5533 if (conn)
5534 memcpy(conn->features[1], ev->features, 8);
5535
5536 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5537 if (ie)
5538 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5539
5540 hci_dev_unlock(hdev);
5541 }
5542
hci_remote_oob_data_request_evt(struct hci_dev * hdev,void * edata,struct sk_buff * skb)5543 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5544 struct sk_buff *skb)
5545 {
5546 struct hci_ev_remote_oob_data_request *ev = edata;
5547 struct oob_data *data;
5548
5549 bt_dev_dbg(hdev, "");
5550
5551 hci_dev_lock(hdev);
5552
5553 if (!hci_dev_test_flag(hdev, HCI_MGMT))
5554 goto unlock;
5555
5556 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5557 if (!data) {
5558 struct hci_cp_remote_oob_data_neg_reply cp;
5559
5560 bacpy(&cp.bdaddr, &ev->bdaddr);
5561 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5562 sizeof(cp), &cp);
5563 goto unlock;
5564 }
5565
5566 if (bredr_sc_enabled(hdev)) {
5567 struct hci_cp_remote_oob_ext_data_reply cp;
5568
5569 bacpy(&cp.bdaddr, &ev->bdaddr);
5570 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5571 memset(cp.hash192, 0, sizeof(cp.hash192));
5572 memset(cp.rand192, 0, sizeof(cp.rand192));
5573 } else {
5574 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5575 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5576 }
5577 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5578 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5579
5580 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5581 sizeof(cp), &cp);
5582 } else {
5583 struct hci_cp_remote_oob_data_reply cp;
5584
5585 bacpy(&cp.bdaddr, &ev->bdaddr);
5586 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5587 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5588
5589 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5590 sizeof(cp), &cp);
5591 }
5592
5593 unlock:
5594 hci_dev_unlock(hdev);
5595 }
5596
5597 #if IS_ENABLED(CONFIG_BT_HS)
hci_chan_selected_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5598 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5599 struct sk_buff *skb)
5600 {
5601 struct hci_ev_channel_selected *ev = data;
5602 struct hci_conn *hcon;
5603
5604 bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5605
5606 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5607 if (!hcon)
5608 return;
5609
5610 amp_read_loc_assoc_final_data(hdev, hcon);
5611 }
5612
hci_phy_link_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5613 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5614 struct sk_buff *skb)
5615 {
5616 struct hci_ev_phy_link_complete *ev = data;
5617 struct hci_conn *hcon, *bredr_hcon;
5618
5619 bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5620 ev->status);
5621
5622 hci_dev_lock(hdev);
5623
5624 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5625 if (!hcon)
5626 goto unlock;
5627
5628 if (!hcon->amp_mgr)
5629 goto unlock;
5630
5631 if (ev->status) {
5632 hci_conn_del(hcon);
5633 goto unlock;
5634 }
5635
5636 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5637
5638 hcon->state = BT_CONNECTED;
5639 bacpy(&hcon->dst, &bredr_hcon->dst);
5640
5641 hci_conn_hold(hcon);
5642 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5643 hci_conn_drop(hcon);
5644
5645 hci_debugfs_create_conn(hcon);
5646 hci_conn_add_sysfs(hcon);
5647
5648 amp_physical_cfm(bredr_hcon, hcon);
5649
5650 unlock:
5651 hci_dev_unlock(hdev);
5652 }
5653
hci_loglink_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5654 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5655 struct sk_buff *skb)
5656 {
5657 struct hci_ev_logical_link_complete *ev = data;
5658 struct hci_conn *hcon;
5659 struct hci_chan *hchan;
5660 struct amp_mgr *mgr;
5661
5662 bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5663 le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5664
5665 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5666 if (!hcon)
5667 return;
5668
5669 /* Create AMP hchan */
5670 hchan = hci_chan_create(hcon);
5671 if (!hchan)
5672 return;
5673
5674 hchan->handle = le16_to_cpu(ev->handle);
5675 hchan->amp = true;
5676
5677 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5678
5679 mgr = hcon->amp_mgr;
5680 if (mgr && mgr->bredr_chan) {
5681 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5682
5683 l2cap_chan_lock(bredr_chan);
5684
5685 bredr_chan->conn->mtu = hdev->block_mtu;
5686 l2cap_logical_cfm(bredr_chan, hchan, 0);
5687 hci_conn_hold(hcon);
5688
5689 l2cap_chan_unlock(bredr_chan);
5690 }
5691 }
5692
hci_disconn_loglink_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5693 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5694 struct sk_buff *skb)
5695 {
5696 struct hci_ev_disconn_logical_link_complete *ev = data;
5697 struct hci_chan *hchan;
5698
5699 bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5700 le16_to_cpu(ev->handle), ev->status);
5701
5702 if (ev->status)
5703 return;
5704
5705 hci_dev_lock(hdev);
5706
5707 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5708 if (!hchan || !hchan->amp)
5709 goto unlock;
5710
5711 amp_destroy_logical_link(hchan, ev->reason);
5712
5713 unlock:
5714 hci_dev_unlock(hdev);
5715 }
5716
hci_disconn_phylink_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5717 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5718 struct sk_buff *skb)
5719 {
5720 struct hci_ev_disconn_phy_link_complete *ev = data;
5721 struct hci_conn *hcon;
5722
5723 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5724
5725 if (ev->status)
5726 return;
5727
5728 hci_dev_lock(hdev);
5729
5730 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5731 if (hcon && hcon->type == AMP_LINK) {
5732 hcon->state = BT_CLOSED;
5733 hci_disconn_cfm(hcon, ev->reason);
5734 hci_conn_del(hcon);
5735 }
5736
5737 hci_dev_unlock(hdev);
5738 }
5739 #endif
5740
le_conn_update_addr(struct hci_conn * conn,bdaddr_t * bdaddr,u8 bdaddr_type,bdaddr_t * local_rpa)5741 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5742 u8 bdaddr_type, bdaddr_t *local_rpa)
5743 {
5744 if (conn->out) {
5745 conn->dst_type = bdaddr_type;
5746 conn->resp_addr_type = bdaddr_type;
5747 bacpy(&conn->resp_addr, bdaddr);
5748
5749 /* Check if the controller has set a Local RPA then it must be
5750 * used instead or hdev->rpa.
5751 */
5752 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5753 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5754 bacpy(&conn->init_addr, local_rpa);
5755 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5756 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5757 bacpy(&conn->init_addr, &conn->hdev->rpa);
5758 } else {
5759 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5760 &conn->init_addr_type);
5761 }
5762 } else {
5763 conn->resp_addr_type = conn->hdev->adv_addr_type;
5764 /* Check if the controller has set a Local RPA then it must be
5765 * used instead or hdev->rpa.
5766 */
5767 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5768 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5769 bacpy(&conn->resp_addr, local_rpa);
5770 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5771 /* In case of ext adv, resp_addr will be updated in
5772 * Adv Terminated event.
5773 */
5774 if (!ext_adv_capable(conn->hdev))
5775 bacpy(&conn->resp_addr,
5776 &conn->hdev->random_addr);
5777 } else {
5778 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5779 }
5780
5781 conn->init_addr_type = bdaddr_type;
5782 bacpy(&conn->init_addr, bdaddr);
5783
5784 /* For incoming connections, set the default minimum
5785 * and maximum connection interval. They will be used
5786 * to check if the parameters are in range and if not
5787 * trigger the connection update procedure.
5788 */
5789 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5790 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5791 }
5792 }
5793
le_conn_complete_evt(struct hci_dev * hdev,u8 status,bdaddr_t * bdaddr,u8 bdaddr_type,bdaddr_t * local_rpa,u8 role,u16 handle,u16 interval,u16 latency,u16 supervision_timeout)5794 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5795 bdaddr_t *bdaddr, u8 bdaddr_type,
5796 bdaddr_t *local_rpa, u8 role, u16 handle,
5797 u16 interval, u16 latency,
5798 u16 supervision_timeout)
5799 {
5800 struct hci_conn_params *params;
5801 struct hci_conn *conn;
5802 struct smp_irk *irk;
5803 u8 addr_type;
5804
5805 hci_dev_lock(hdev);
5806
5807 /* All controllers implicitly stop advertising in the event of a
5808 * connection, so ensure that the state bit is cleared.
5809 */
5810 hci_dev_clear_flag(hdev, HCI_LE_ADV);
5811
5812 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5813 if (!conn) {
5814 /* In case of error status and there is no connection pending
5815 * just unlock as there is nothing to cleanup.
5816 */
5817 if (status)
5818 goto unlock;
5819
5820 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5821 if (!conn) {
5822 bt_dev_err(hdev, "no memory for new connection");
5823 goto unlock;
5824 }
5825
5826 conn->dst_type = bdaddr_type;
5827
5828 /* If we didn't have a hci_conn object previously
5829 * but we're in central role this must be something
5830 * initiated using an accept list. Since accept list based
5831 * connections are not "first class citizens" we don't
5832 * have full tracking of them. Therefore, we go ahead
5833 * with a "best effort" approach of determining the
5834 * initiator address based on the HCI_PRIVACY flag.
5835 */
5836 if (conn->out) {
5837 conn->resp_addr_type = bdaddr_type;
5838 bacpy(&conn->resp_addr, bdaddr);
5839 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5840 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5841 bacpy(&conn->init_addr, &hdev->rpa);
5842 } else {
5843 hci_copy_identity_address(hdev,
5844 &conn->init_addr,
5845 &conn->init_addr_type);
5846 }
5847 }
5848 } else {
5849 cancel_delayed_work(&conn->le_conn_timeout);
5850 }
5851
5852 /* The HCI_LE_Connection_Complete event is only sent once per connection.
5853 * Processing it more than once per connection can corrupt kernel memory.
5854 *
5855 * As the connection handle is set here for the first time, it indicates
5856 * whether the connection is already set up.
5857 */
5858 if (conn->handle != HCI_CONN_HANDLE_UNSET) {
5859 bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5860 goto unlock;
5861 }
5862
5863 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5864
5865 /* Lookup the identity address from the stored connection
5866 * address and address type.
5867 *
5868 * When establishing connections to an identity address, the
5869 * connection procedure will store the resolvable random
5870 * address first. Now if it can be converted back into the
5871 * identity address, start using the identity address from
5872 * now on.
5873 */
5874 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5875 if (irk) {
5876 bacpy(&conn->dst, &irk->bdaddr);
5877 conn->dst_type = irk->addr_type;
5878 }
5879
5880 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5881
5882 if (handle > HCI_CONN_HANDLE_MAX) {
5883 bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x", handle,
5884 HCI_CONN_HANDLE_MAX);
5885 status = HCI_ERROR_INVALID_PARAMETERS;
5886 }
5887
5888 /* All connection failure handling is taken care of by the
5889 * hci_conn_failed function which is triggered by the HCI
5890 * request completion callbacks used for connecting.
5891 */
5892 if (status)
5893 goto unlock;
5894
5895 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5896 addr_type = BDADDR_LE_PUBLIC;
5897 else
5898 addr_type = BDADDR_LE_RANDOM;
5899
5900 /* Drop the connection if the device is blocked */
5901 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5902 hci_conn_drop(conn);
5903 goto unlock;
5904 }
5905
5906 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5907 mgmt_device_connected(hdev, conn, NULL, 0);
5908
5909 conn->sec_level = BT_SECURITY_LOW;
5910 conn->handle = handle;
5911 conn->state = BT_CONFIG;
5912
5913 /* Store current advertising instance as connection advertising instance
5914 * when sotfware rotation is in use so it can be re-enabled when
5915 * disconnected.
5916 */
5917 if (!ext_adv_capable(hdev))
5918 conn->adv_instance = hdev->cur_adv_instance;
5919
5920 conn->le_conn_interval = interval;
5921 conn->le_conn_latency = latency;
5922 conn->le_supv_timeout = supervision_timeout;
5923
5924 hci_debugfs_create_conn(conn);
5925 hci_conn_add_sysfs(conn);
5926
5927 /* The remote features procedure is defined for central
5928 * role only. So only in case of an initiated connection
5929 * request the remote features.
5930 *
5931 * If the local controller supports peripheral-initiated features
5932 * exchange, then requesting the remote features in peripheral
5933 * role is possible. Otherwise just transition into the
5934 * connected state without requesting the remote features.
5935 */
5936 if (conn->out ||
5937 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5938 struct hci_cp_le_read_remote_features cp;
5939
5940 cp.handle = __cpu_to_le16(conn->handle);
5941
5942 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5943 sizeof(cp), &cp);
5944
5945 hci_conn_hold(conn);
5946 } else {
5947 conn->state = BT_CONNECTED;
5948 hci_connect_cfm(conn, status);
5949 }
5950
5951 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5952 conn->dst_type);
5953 if (params) {
5954 list_del_init(¶ms->action);
5955 if (params->conn) {
5956 hci_conn_drop(params->conn);
5957 hci_conn_put(params->conn);
5958 params->conn = NULL;
5959 }
5960 }
5961
5962 unlock:
5963 hci_update_passive_scan(hdev);
5964 hci_dev_unlock(hdev);
5965 }
5966
hci_le_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5967 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5968 struct sk_buff *skb)
5969 {
5970 struct hci_ev_le_conn_complete *ev = data;
5971
5972 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5973
5974 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5975 NULL, ev->role, le16_to_cpu(ev->handle),
5976 le16_to_cpu(ev->interval),
5977 le16_to_cpu(ev->latency),
5978 le16_to_cpu(ev->supervision_timeout));
5979 }
5980
hci_le_enh_conn_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5981 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5982 struct sk_buff *skb)
5983 {
5984 struct hci_ev_le_enh_conn_complete *ev = data;
5985
5986 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5987
5988 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5989 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5990 le16_to_cpu(ev->interval),
5991 le16_to_cpu(ev->latency),
5992 le16_to_cpu(ev->supervision_timeout));
5993 }
5994
hci_le_ext_adv_term_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)5995 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5996 struct sk_buff *skb)
5997 {
5998 struct hci_evt_le_ext_adv_set_term *ev = data;
5999 struct hci_conn *conn;
6000 struct adv_info *adv, *n;
6001
6002 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6003
6004 /* The Bluetooth Core 5.3 specification clearly states that this event
6005 * shall not be sent when the Host disables the advertising set. So in
6006 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6007 *
6008 * When the Host disables an advertising set, all cleanup is done via
6009 * its command callback and not needed to be duplicated here.
6010 */
6011 if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6012 bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6013 return;
6014 }
6015
6016 hci_dev_lock(hdev);
6017
6018 adv = hci_find_adv_instance(hdev, ev->handle);
6019
6020 if (ev->status) {
6021 if (!adv)
6022 goto unlock;
6023
6024 /* Remove advertising as it has been terminated */
6025 hci_remove_adv_instance(hdev, ev->handle);
6026 mgmt_advertising_removed(NULL, hdev, ev->handle);
6027
6028 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6029 if (adv->enabled)
6030 goto unlock;
6031 }
6032
6033 /* We are no longer advertising, clear HCI_LE_ADV */
6034 hci_dev_clear_flag(hdev, HCI_LE_ADV);
6035 goto unlock;
6036 }
6037
6038 if (adv)
6039 adv->enabled = false;
6040
6041 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6042 if (conn) {
6043 /* Store handle in the connection so the correct advertising
6044 * instance can be re-enabled when disconnected.
6045 */
6046 conn->adv_instance = ev->handle;
6047
6048 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6049 bacmp(&conn->resp_addr, BDADDR_ANY))
6050 goto unlock;
6051
6052 if (!ev->handle) {
6053 bacpy(&conn->resp_addr, &hdev->random_addr);
6054 goto unlock;
6055 }
6056
6057 if (adv)
6058 bacpy(&conn->resp_addr, &adv->random_addr);
6059 }
6060
6061 unlock:
6062 hci_dev_unlock(hdev);
6063 }
6064
hci_le_conn_update_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6065 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6066 struct sk_buff *skb)
6067 {
6068 struct hci_ev_le_conn_update_complete *ev = data;
6069 struct hci_conn *conn;
6070
6071 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6072
6073 if (ev->status)
6074 return;
6075
6076 hci_dev_lock(hdev);
6077
6078 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6079 if (conn) {
6080 conn->le_conn_interval = le16_to_cpu(ev->interval);
6081 conn->le_conn_latency = le16_to_cpu(ev->latency);
6082 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6083 }
6084
6085 hci_dev_unlock(hdev);
6086 }
6087
6088 /* This function requires the caller holds hdev->lock */
check_pending_le_conn(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type,bool addr_resolved,u8 adv_type)6089 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6090 bdaddr_t *addr,
6091 u8 addr_type, bool addr_resolved,
6092 u8 adv_type)
6093 {
6094 struct hci_conn *conn;
6095 struct hci_conn_params *params;
6096
6097 /* If the event is not connectable don't proceed further */
6098 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6099 return NULL;
6100
6101 /* Ignore if the device is blocked or hdev is suspended */
6102 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6103 hdev->suspended)
6104 return NULL;
6105
6106 /* Most controller will fail if we try to create new connections
6107 * while we have an existing one in peripheral role.
6108 */
6109 if (hdev->conn_hash.le_num_peripheral > 0 &&
6110 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6111 !(hdev->le_states[3] & 0x10)))
6112 return NULL;
6113
6114 /* If we're not connectable only connect devices that we have in
6115 * our pend_le_conns list.
6116 */
6117 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6118 addr_type);
6119 if (!params)
6120 return NULL;
6121
6122 if (!params->explicit_connect) {
6123 switch (params->auto_connect) {
6124 case HCI_AUTO_CONN_DIRECT:
6125 /* Only devices advertising with ADV_DIRECT_IND are
6126 * triggering a connection attempt. This is allowing
6127 * incoming connections from peripheral devices.
6128 */
6129 if (adv_type != LE_ADV_DIRECT_IND)
6130 return NULL;
6131 break;
6132 case HCI_AUTO_CONN_ALWAYS:
6133 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
6134 * are triggering a connection attempt. This means
6135 * that incoming connections from peripheral device are
6136 * accepted and also outgoing connections to peripheral
6137 * devices are established when found.
6138 */
6139 break;
6140 default:
6141 return NULL;
6142 }
6143 }
6144
6145 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6146 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6147 HCI_ROLE_MASTER);
6148 if (!IS_ERR(conn)) {
6149 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6150 * by higher layer that tried to connect, if no then
6151 * store the pointer since we don't really have any
6152 * other owner of the object besides the params that
6153 * triggered it. This way we can abort the connection if
6154 * the parameters get removed and keep the reference
6155 * count consistent once the connection is established.
6156 */
6157
6158 if (!params->explicit_connect)
6159 params->conn = hci_conn_get(conn);
6160
6161 return conn;
6162 }
6163
6164 switch (PTR_ERR(conn)) {
6165 case -EBUSY:
6166 /* If hci_connect() returns -EBUSY it means there is already
6167 * an LE connection attempt going on. Since controllers don't
6168 * support more than one connection attempt at the time, we
6169 * don't consider this an error case.
6170 */
6171 break;
6172 default:
6173 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6174 return NULL;
6175 }
6176
6177 return NULL;
6178 }
6179
process_adv_report(struct hci_dev * hdev,u8 type,bdaddr_t * bdaddr,u8 bdaddr_type,bdaddr_t * direct_addr,u8 direct_addr_type,s8 rssi,u8 * data,u8 len,bool ext_adv,bool ctl_time,u64 instant)6180 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6181 u8 bdaddr_type, bdaddr_t *direct_addr,
6182 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6183 bool ext_adv, bool ctl_time, u64 instant)
6184 {
6185 struct discovery_state *d = &hdev->discovery;
6186 struct smp_irk *irk;
6187 struct hci_conn *conn;
6188 bool match, bdaddr_resolved;
6189 u32 flags;
6190 u8 *ptr;
6191
6192 switch (type) {
6193 case LE_ADV_IND:
6194 case LE_ADV_DIRECT_IND:
6195 case LE_ADV_SCAN_IND:
6196 case LE_ADV_NONCONN_IND:
6197 case LE_ADV_SCAN_RSP:
6198 break;
6199 default:
6200 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6201 "type: 0x%02x", type);
6202 return;
6203 }
6204
6205 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
6206 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
6207 return;
6208 }
6209
6210 /* Find the end of the data in case the report contains padded zero
6211 * bytes at the end causing an invalid length value.
6212 *
6213 * When data is NULL, len is 0 so there is no need for extra ptr
6214 * check as 'ptr < data + 0' is already false in such case.
6215 */
6216 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6217 if (ptr + 1 + *ptr > data + len)
6218 break;
6219 }
6220
6221 /* Adjust for actual length. This handles the case when remote
6222 * device is advertising with incorrect data length.
6223 */
6224 len = ptr - data;
6225
6226 /* If the direct address is present, then this report is from
6227 * a LE Direct Advertising Report event. In that case it is
6228 * important to see if the address is matching the local
6229 * controller address.
6230 */
6231 if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6232 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6233 &bdaddr_resolved);
6234
6235 /* Only resolvable random addresses are valid for these
6236 * kind of reports and others can be ignored.
6237 */
6238 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6239 return;
6240
6241 /* If the controller is not using resolvable random
6242 * addresses, then this report can be ignored.
6243 */
6244 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6245 return;
6246
6247 /* If the local IRK of the controller does not match
6248 * with the resolvable random address provided, then
6249 * this report can be ignored.
6250 */
6251 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6252 return;
6253 }
6254
6255 /* Check if we need to convert to identity address */
6256 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6257 if (irk) {
6258 bdaddr = &irk->bdaddr;
6259 bdaddr_type = irk->addr_type;
6260 }
6261
6262 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6263
6264 /* Check if we have been requested to connect to this device.
6265 *
6266 * direct_addr is set only for directed advertising reports (it is NULL
6267 * for advertising reports) and is already verified to be RPA above.
6268 */
6269 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6270 type);
6271 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
6272 /* Store report for later inclusion by
6273 * mgmt_device_connected
6274 */
6275 memcpy(conn->le_adv_data, data, len);
6276 conn->le_adv_data_len = len;
6277 }
6278
6279 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6280 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6281 else
6282 flags = 0;
6283
6284 /* All scan results should be sent up for Mesh systems */
6285 if (hci_dev_test_flag(hdev, HCI_MESH)) {
6286 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6287 rssi, flags, data, len, NULL, 0, instant);
6288 return;
6289 }
6290
6291 /* Passive scanning shouldn't trigger any device found events,
6292 * except for devices marked as CONN_REPORT for which we do send
6293 * device found events, or advertisement monitoring requested.
6294 */
6295 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6296 if (type == LE_ADV_DIRECT_IND)
6297 return;
6298
6299 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6300 bdaddr, bdaddr_type) &&
6301 idr_is_empty(&hdev->adv_monitors_idr))
6302 return;
6303
6304 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6305 rssi, flags, data, len, NULL, 0, 0);
6306 return;
6307 }
6308
6309 /* When receiving non-connectable or scannable undirected
6310 * advertising reports, this means that the remote device is
6311 * not connectable and then clearly indicate this in the
6312 * device found event.
6313 *
6314 * When receiving a scan response, then there is no way to
6315 * know if the remote device is connectable or not. However
6316 * since scan responses are merged with a previously seen
6317 * advertising report, the flags field from that report
6318 * will be used.
6319 *
6320 * In the really unlikely case that a controller get confused
6321 * and just sends a scan response event, then it is marked as
6322 * not connectable as well.
6323 */
6324 if (type == LE_ADV_SCAN_RSP)
6325 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6326
6327 /* If there's nothing pending either store the data from this
6328 * event or send an immediate device found event if the data
6329 * should not be stored for later.
6330 */
6331 if (!ext_adv && !has_pending_adv_report(hdev)) {
6332 /* If the report will trigger a SCAN_REQ store it for
6333 * later merging.
6334 */
6335 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6336 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6337 rssi, flags, data, len);
6338 return;
6339 }
6340
6341 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6342 rssi, flags, data, len, NULL, 0, 0);
6343 return;
6344 }
6345
6346 /* Check if the pending report is for the same device as the new one */
6347 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6348 bdaddr_type == d->last_adv_addr_type);
6349
6350 /* If the pending data doesn't match this report or this isn't a
6351 * scan response (e.g. we got a duplicate ADV_IND) then force
6352 * sending of the pending data.
6353 */
6354 if (type != LE_ADV_SCAN_RSP || !match) {
6355 /* Send out whatever is in the cache, but skip duplicates */
6356 if (!match)
6357 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6358 d->last_adv_addr_type, NULL,
6359 d->last_adv_rssi, d->last_adv_flags,
6360 d->last_adv_data,
6361 d->last_adv_data_len, NULL, 0, 0);
6362
6363 /* If the new report will trigger a SCAN_REQ store it for
6364 * later merging.
6365 */
6366 if (!ext_adv && (type == LE_ADV_IND ||
6367 type == LE_ADV_SCAN_IND)) {
6368 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6369 rssi, flags, data, len);
6370 return;
6371 }
6372
6373 /* The advertising reports cannot be merged, so clear
6374 * the pending report and send out a device found event.
6375 */
6376 clear_pending_adv_report(hdev);
6377 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6378 rssi, flags, data, len, NULL, 0, 0);
6379 return;
6380 }
6381
6382 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6383 * the new event is a SCAN_RSP. We can therefore proceed with
6384 * sending a merged device found event.
6385 */
6386 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6387 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6388 d->last_adv_data, d->last_adv_data_len, data, len, 0);
6389 clear_pending_adv_report(hdev);
6390 }
6391
hci_le_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6392 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6393 struct sk_buff *skb)
6394 {
6395 struct hci_ev_le_advertising_report *ev = data;
6396 u64 instant = jiffies;
6397
6398 if (!ev->num)
6399 return;
6400
6401 hci_dev_lock(hdev);
6402
6403 while (ev->num--) {
6404 struct hci_ev_le_advertising_info *info;
6405 s8 rssi;
6406
6407 info = hci_le_ev_skb_pull(hdev, skb,
6408 HCI_EV_LE_ADVERTISING_REPORT,
6409 sizeof(*info));
6410 if (!info)
6411 break;
6412
6413 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6414 info->length + 1))
6415 break;
6416
6417 if (info->length <= HCI_MAX_AD_LENGTH) {
6418 rssi = info->data[info->length];
6419 process_adv_report(hdev, info->type, &info->bdaddr,
6420 info->bdaddr_type, NULL, 0, rssi,
6421 info->data, info->length, false,
6422 false, instant);
6423 } else {
6424 bt_dev_err(hdev, "Dropping invalid advertising data");
6425 }
6426 }
6427
6428 hci_dev_unlock(hdev);
6429 }
6430
ext_evt_type_to_legacy(struct hci_dev * hdev,u16 evt_type)6431 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6432 {
6433 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6434 switch (evt_type) {
6435 case LE_LEGACY_ADV_IND:
6436 return LE_ADV_IND;
6437 case LE_LEGACY_ADV_DIRECT_IND:
6438 return LE_ADV_DIRECT_IND;
6439 case LE_LEGACY_ADV_SCAN_IND:
6440 return LE_ADV_SCAN_IND;
6441 case LE_LEGACY_NONCONN_IND:
6442 return LE_ADV_NONCONN_IND;
6443 case LE_LEGACY_SCAN_RSP_ADV:
6444 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6445 return LE_ADV_SCAN_RSP;
6446 }
6447
6448 goto invalid;
6449 }
6450
6451 if (evt_type & LE_EXT_ADV_CONN_IND) {
6452 if (evt_type & LE_EXT_ADV_DIRECT_IND)
6453 return LE_ADV_DIRECT_IND;
6454
6455 return LE_ADV_IND;
6456 }
6457
6458 if (evt_type & LE_EXT_ADV_SCAN_RSP)
6459 return LE_ADV_SCAN_RSP;
6460
6461 if (evt_type & LE_EXT_ADV_SCAN_IND)
6462 return LE_ADV_SCAN_IND;
6463
6464 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6465 evt_type & LE_EXT_ADV_DIRECT_IND)
6466 return LE_ADV_NONCONN_IND;
6467
6468 invalid:
6469 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6470 evt_type);
6471
6472 return LE_ADV_INVALID;
6473 }
6474
hci_le_ext_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6475 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6476 struct sk_buff *skb)
6477 {
6478 struct hci_ev_le_ext_adv_report *ev = data;
6479 u64 instant = jiffies;
6480
6481 if (!ev->num)
6482 return;
6483
6484 hci_dev_lock(hdev);
6485
6486 while (ev->num--) {
6487 struct hci_ev_le_ext_adv_info *info;
6488 u8 legacy_evt_type;
6489 u16 evt_type;
6490
6491 info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6492 sizeof(*info));
6493 if (!info)
6494 break;
6495
6496 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6497 info->length))
6498 break;
6499
6500 evt_type = __le16_to_cpu(info->type);
6501 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6502 if (legacy_evt_type != LE_ADV_INVALID) {
6503 process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6504 info->bdaddr_type, NULL, 0,
6505 info->rssi, info->data, info->length,
6506 !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6507 false, instant);
6508 }
6509 }
6510
6511 hci_dev_unlock(hdev);
6512 }
6513
hci_le_pa_term_sync(struct hci_dev * hdev,__le16 handle)6514 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6515 {
6516 struct hci_cp_le_pa_term_sync cp;
6517
6518 memset(&cp, 0, sizeof(cp));
6519 cp.handle = handle;
6520
6521 return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6522 }
6523
hci_le_pa_sync_estabilished_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6524 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6525 struct sk_buff *skb)
6526 {
6527 struct hci_ev_le_pa_sync_established *ev = data;
6528 int mask = hdev->link_mode;
6529 __u8 flags = 0;
6530
6531 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6532
6533 if (ev->status)
6534 return;
6535
6536 hci_dev_lock(hdev);
6537
6538 hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6539
6540 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6541 if (!(mask & HCI_LM_ACCEPT))
6542 hci_le_pa_term_sync(hdev, ev->handle);
6543
6544 hci_dev_unlock(hdev);
6545 }
6546
hci_le_remote_feat_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6547 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6548 struct sk_buff *skb)
6549 {
6550 struct hci_ev_le_remote_feat_complete *ev = data;
6551 struct hci_conn *conn;
6552
6553 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6554
6555 hci_dev_lock(hdev);
6556
6557 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6558 if (conn) {
6559 if (!ev->status)
6560 memcpy(conn->features[0], ev->features, 8);
6561
6562 if (conn->state == BT_CONFIG) {
6563 __u8 status;
6564
6565 /* If the local controller supports peripheral-initiated
6566 * features exchange, but the remote controller does
6567 * not, then it is possible that the error code 0x1a
6568 * for unsupported remote feature gets returned.
6569 *
6570 * In this specific case, allow the connection to
6571 * transition into connected state and mark it as
6572 * successful.
6573 */
6574 if (!conn->out && ev->status == 0x1a &&
6575 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6576 status = 0x00;
6577 else
6578 status = ev->status;
6579
6580 conn->state = BT_CONNECTED;
6581 hci_connect_cfm(conn, status);
6582 hci_conn_drop(conn);
6583 }
6584 }
6585
6586 hci_dev_unlock(hdev);
6587 }
6588
hci_le_ltk_request_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6589 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6590 struct sk_buff *skb)
6591 {
6592 struct hci_ev_le_ltk_req *ev = data;
6593 struct hci_cp_le_ltk_reply cp;
6594 struct hci_cp_le_ltk_neg_reply neg;
6595 struct hci_conn *conn;
6596 struct smp_ltk *ltk;
6597
6598 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6599
6600 hci_dev_lock(hdev);
6601
6602 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6603 if (conn == NULL)
6604 goto not_found;
6605
6606 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6607 if (!ltk)
6608 goto not_found;
6609
6610 if (smp_ltk_is_sc(ltk)) {
6611 /* With SC both EDiv and Rand are set to zero */
6612 if (ev->ediv || ev->rand)
6613 goto not_found;
6614 } else {
6615 /* For non-SC keys check that EDiv and Rand match */
6616 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6617 goto not_found;
6618 }
6619
6620 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6621 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6622 cp.handle = cpu_to_le16(conn->handle);
6623
6624 conn->pending_sec_level = smp_ltk_sec_level(ltk);
6625
6626 conn->enc_key_size = ltk->enc_size;
6627
6628 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6629
6630 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6631 * temporary key used to encrypt a connection following
6632 * pairing. It is used during the Encrypted Session Setup to
6633 * distribute the keys. Later, security can be re-established
6634 * using a distributed LTK.
6635 */
6636 if (ltk->type == SMP_STK) {
6637 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6638 list_del_rcu(<k->list);
6639 kfree_rcu(ltk, rcu);
6640 } else {
6641 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6642 }
6643
6644 hci_dev_unlock(hdev);
6645
6646 return;
6647
6648 not_found:
6649 neg.handle = ev->handle;
6650 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6651 hci_dev_unlock(hdev);
6652 }
6653
send_conn_param_neg_reply(struct hci_dev * hdev,u16 handle,u8 reason)6654 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6655 u8 reason)
6656 {
6657 struct hci_cp_le_conn_param_req_neg_reply cp;
6658
6659 cp.handle = cpu_to_le16(handle);
6660 cp.reason = reason;
6661
6662 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6663 &cp);
6664 }
6665
hci_le_remote_conn_param_req_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6666 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6667 struct sk_buff *skb)
6668 {
6669 struct hci_ev_le_remote_conn_param_req *ev = data;
6670 struct hci_cp_le_conn_param_req_reply cp;
6671 struct hci_conn *hcon;
6672 u16 handle, min, max, latency, timeout;
6673
6674 bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6675
6676 handle = le16_to_cpu(ev->handle);
6677 min = le16_to_cpu(ev->interval_min);
6678 max = le16_to_cpu(ev->interval_max);
6679 latency = le16_to_cpu(ev->latency);
6680 timeout = le16_to_cpu(ev->timeout);
6681
6682 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6683 if (!hcon || hcon->state != BT_CONNECTED)
6684 return send_conn_param_neg_reply(hdev, handle,
6685 HCI_ERROR_UNKNOWN_CONN_ID);
6686
6687 if (hci_check_conn_params(min, max, latency, timeout))
6688 return send_conn_param_neg_reply(hdev, handle,
6689 HCI_ERROR_INVALID_LL_PARAMS);
6690
6691 if (hcon->role == HCI_ROLE_MASTER) {
6692 struct hci_conn_params *params;
6693 u8 store_hint;
6694
6695 hci_dev_lock(hdev);
6696
6697 params = hci_conn_params_lookup(hdev, &hcon->dst,
6698 hcon->dst_type);
6699 if (params) {
6700 params->conn_min_interval = min;
6701 params->conn_max_interval = max;
6702 params->conn_latency = latency;
6703 params->supervision_timeout = timeout;
6704 store_hint = 0x01;
6705 } else {
6706 store_hint = 0x00;
6707 }
6708
6709 hci_dev_unlock(hdev);
6710
6711 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6712 store_hint, min, max, latency, timeout);
6713 }
6714
6715 cp.handle = ev->handle;
6716 cp.interval_min = ev->interval_min;
6717 cp.interval_max = ev->interval_max;
6718 cp.latency = ev->latency;
6719 cp.timeout = ev->timeout;
6720 cp.min_ce_len = 0;
6721 cp.max_ce_len = 0;
6722
6723 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6724 }
6725
hci_le_direct_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6726 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6727 struct sk_buff *skb)
6728 {
6729 struct hci_ev_le_direct_adv_report *ev = data;
6730 u64 instant = jiffies;
6731 int i;
6732
6733 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6734 flex_array_size(ev, info, ev->num)))
6735 return;
6736
6737 if (!ev->num)
6738 return;
6739
6740 hci_dev_lock(hdev);
6741
6742 for (i = 0; i < ev->num; i++) {
6743 struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6744
6745 process_adv_report(hdev, info->type, &info->bdaddr,
6746 info->bdaddr_type, &info->direct_addr,
6747 info->direct_addr_type, info->rssi, NULL, 0,
6748 false, false, instant);
6749 }
6750
6751 hci_dev_unlock(hdev);
6752 }
6753
hci_le_phy_update_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6754 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6755 struct sk_buff *skb)
6756 {
6757 struct hci_ev_le_phy_update_complete *ev = data;
6758 struct hci_conn *conn;
6759
6760 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6761
6762 if (ev->status)
6763 return;
6764
6765 hci_dev_lock(hdev);
6766
6767 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6768 if (!conn)
6769 goto unlock;
6770
6771 conn->le_tx_phy = ev->tx_phy;
6772 conn->le_rx_phy = ev->rx_phy;
6773
6774 unlock:
6775 hci_dev_unlock(hdev);
6776 }
6777
hci_le_cis_estabilished_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6778 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6779 struct sk_buff *skb)
6780 {
6781 struct hci_evt_le_cis_established *ev = data;
6782 struct hci_conn *conn;
6783 u16 handle = __le16_to_cpu(ev->handle);
6784
6785 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6786
6787 hci_dev_lock(hdev);
6788
6789 conn = hci_conn_hash_lookup_handle(hdev, handle);
6790 if (!conn) {
6791 bt_dev_err(hdev,
6792 "Unable to find connection with handle 0x%4.4x",
6793 handle);
6794 goto unlock;
6795 }
6796
6797 if (conn->type != ISO_LINK) {
6798 bt_dev_err(hdev,
6799 "Invalid connection link type handle 0x%4.4x",
6800 handle);
6801 goto unlock;
6802 }
6803
6804 if (conn->role == HCI_ROLE_SLAVE) {
6805 __le32 interval;
6806
6807 memset(&interval, 0, sizeof(interval));
6808
6809 memcpy(&interval, ev->c_latency, sizeof(ev->c_latency));
6810 conn->iso_qos.in.interval = le32_to_cpu(interval);
6811 memcpy(&interval, ev->p_latency, sizeof(ev->p_latency));
6812 conn->iso_qos.out.interval = le32_to_cpu(interval);
6813 conn->iso_qos.in.latency = le16_to_cpu(ev->interval);
6814 conn->iso_qos.out.latency = le16_to_cpu(ev->interval);
6815 conn->iso_qos.in.sdu = le16_to_cpu(ev->c_mtu);
6816 conn->iso_qos.out.sdu = le16_to_cpu(ev->p_mtu);
6817 conn->iso_qos.in.phy = ev->c_phy;
6818 conn->iso_qos.out.phy = ev->p_phy;
6819 }
6820
6821 if (!ev->status) {
6822 conn->state = BT_CONNECTED;
6823 hci_debugfs_create_conn(conn);
6824 hci_conn_add_sysfs(conn);
6825 hci_iso_setup_path(conn);
6826 goto unlock;
6827 }
6828
6829 hci_connect_cfm(conn, ev->status);
6830 hci_conn_del(conn);
6831
6832 unlock:
6833 hci_dev_unlock(hdev);
6834 }
6835
hci_le_reject_cis(struct hci_dev * hdev,__le16 handle)6836 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6837 {
6838 struct hci_cp_le_reject_cis cp;
6839
6840 memset(&cp, 0, sizeof(cp));
6841 cp.handle = handle;
6842 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6843 hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6844 }
6845
hci_le_accept_cis(struct hci_dev * hdev,__le16 handle)6846 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6847 {
6848 struct hci_cp_le_accept_cis cp;
6849
6850 memset(&cp, 0, sizeof(cp));
6851 cp.handle = handle;
6852 hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6853 }
6854
hci_le_cis_req_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6855 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6856 struct sk_buff *skb)
6857 {
6858 struct hci_evt_le_cis_req *ev = data;
6859 u16 acl_handle, cis_handle;
6860 struct hci_conn *acl, *cis;
6861 int mask;
6862 __u8 flags = 0;
6863
6864 acl_handle = __le16_to_cpu(ev->acl_handle);
6865 cis_handle = __le16_to_cpu(ev->cis_handle);
6866
6867 bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6868 acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6869
6870 hci_dev_lock(hdev);
6871
6872 acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6873 if (!acl)
6874 goto unlock;
6875
6876 mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
6877 if (!(mask & HCI_LM_ACCEPT)) {
6878 hci_le_reject_cis(hdev, ev->cis_handle);
6879 goto unlock;
6880 }
6881
6882 cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6883 if (!cis) {
6884 cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE);
6885 if (!cis) {
6886 hci_le_reject_cis(hdev, ev->cis_handle);
6887 goto unlock;
6888 }
6889 cis->handle = cis_handle;
6890 }
6891
6892 cis->iso_qos.cig = ev->cig_id;
6893 cis->iso_qos.cis = ev->cis_id;
6894
6895 if (!(flags & HCI_PROTO_DEFER)) {
6896 hci_le_accept_cis(hdev, ev->cis_handle);
6897 } else {
6898 cis->state = BT_CONNECT2;
6899 hci_connect_cfm(cis, 0);
6900 }
6901
6902 unlock:
6903 hci_dev_unlock(hdev);
6904 }
6905
hci_le_create_big_complete_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6906 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
6907 struct sk_buff *skb)
6908 {
6909 struct hci_evt_le_create_big_complete *ev = data;
6910 struct hci_conn *conn;
6911
6912 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6913
6914 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
6915 flex_array_size(ev, bis_handle, ev->num_bis)))
6916 return;
6917
6918 hci_dev_lock(hdev);
6919
6920 conn = hci_conn_hash_lookup_big(hdev, ev->handle);
6921 if (!conn)
6922 goto unlock;
6923
6924 if (conn->type != ISO_LINK) {
6925 bt_dev_err(hdev,
6926 "Invalid connection link type handle 0x%2.2x",
6927 ev->handle);
6928 goto unlock;
6929 }
6930
6931 if (ev->num_bis)
6932 conn->handle = __le16_to_cpu(ev->bis_handle[0]);
6933
6934 if (!ev->status) {
6935 conn->state = BT_CONNECTED;
6936 hci_debugfs_create_conn(conn);
6937 hci_conn_add_sysfs(conn);
6938 hci_iso_setup_path(conn);
6939 goto unlock;
6940 }
6941
6942 hci_connect_cfm(conn, ev->status);
6943 hci_conn_del(conn);
6944
6945 unlock:
6946 hci_dev_unlock(hdev);
6947 }
6948
hci_le_big_sync_established_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6949 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
6950 struct sk_buff *skb)
6951 {
6952 struct hci_evt_le_big_sync_estabilished *ev = data;
6953 struct hci_conn *bis;
6954 int i;
6955
6956 bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6957
6958 if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
6959 flex_array_size(ev, bis, ev->num_bis)))
6960 return;
6961
6962 if (ev->status)
6963 return;
6964
6965 hci_dev_lock(hdev);
6966
6967 for (i = 0; i < ev->num_bis; i++) {
6968 u16 handle = le16_to_cpu(ev->bis[i]);
6969 __le32 interval;
6970
6971 bis = hci_conn_hash_lookup_handle(hdev, handle);
6972 if (!bis) {
6973 bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
6974 HCI_ROLE_SLAVE);
6975 if (!bis)
6976 continue;
6977 bis->handle = handle;
6978 }
6979
6980 bis->iso_qos.big = ev->handle;
6981 memset(&interval, 0, sizeof(interval));
6982 memcpy(&interval, ev->latency, sizeof(ev->latency));
6983 bis->iso_qos.in.interval = le32_to_cpu(interval);
6984 /* Convert ISO Interval (1.25 ms slots) to latency (ms) */
6985 bis->iso_qos.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
6986 bis->iso_qos.in.sdu = le16_to_cpu(ev->max_pdu);
6987
6988 hci_connect_cfm(bis, ev->status);
6989 }
6990
6991 hci_dev_unlock(hdev);
6992 }
6993
hci_le_big_info_adv_report_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb)6994 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
6995 struct sk_buff *skb)
6996 {
6997 struct hci_evt_le_big_info_adv_report *ev = data;
6998 int mask = hdev->link_mode;
6999 __u8 flags = 0;
7000
7001 bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7002
7003 hci_dev_lock(hdev);
7004
7005 mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7006 if (!(mask & HCI_LM_ACCEPT))
7007 hci_le_pa_term_sync(hdev, ev->sync_handle);
7008
7009 hci_dev_unlock(hdev);
7010 }
7011
7012 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7013 [_op] = { \
7014 .func = _func, \
7015 .min_len = _min_len, \
7016 .max_len = _max_len, \
7017 }
7018
7019 #define HCI_LE_EV(_op, _func, _len) \
7020 HCI_LE_EV_VL(_op, _func, _len, _len)
7021
7022 #define HCI_LE_EV_STATUS(_op, _func) \
7023 HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7024
7025 /* Entries in this table shall have their position according to the subevent
7026 * opcode they handle so the use of the macros above is recommend since it does
7027 * attempt to initialize at its proper index using Designated Initializers that
7028 * way events without a callback function can be ommited.
7029 */
7030 static const struct hci_le_ev {
7031 void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7032 u16 min_len;
7033 u16 max_len;
7034 } hci_le_ev_table[U8_MAX + 1] = {
7035 /* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7036 HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7037 sizeof(struct hci_ev_le_conn_complete)),
7038 /* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7039 HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7040 sizeof(struct hci_ev_le_advertising_report),
7041 HCI_MAX_EVENT_SIZE),
7042 /* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7043 HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7044 hci_le_conn_update_complete_evt,
7045 sizeof(struct hci_ev_le_conn_update_complete)),
7046 /* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7047 HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7048 hci_le_remote_feat_complete_evt,
7049 sizeof(struct hci_ev_le_remote_feat_complete)),
7050 /* [0x05 = HCI_EV_LE_LTK_REQ] */
7051 HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7052 sizeof(struct hci_ev_le_ltk_req)),
7053 /* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7054 HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7055 hci_le_remote_conn_param_req_evt,
7056 sizeof(struct hci_ev_le_remote_conn_param_req)),
7057 /* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7058 HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7059 hci_le_enh_conn_complete_evt,
7060 sizeof(struct hci_ev_le_enh_conn_complete)),
7061 /* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7062 HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7063 sizeof(struct hci_ev_le_direct_adv_report),
7064 HCI_MAX_EVENT_SIZE),
7065 /* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7066 HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7067 sizeof(struct hci_ev_le_phy_update_complete)),
7068 /* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7069 HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7070 sizeof(struct hci_ev_le_ext_adv_report),
7071 HCI_MAX_EVENT_SIZE),
7072 /* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7073 HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7074 hci_le_pa_sync_estabilished_evt,
7075 sizeof(struct hci_ev_le_pa_sync_established)),
7076 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7077 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7078 sizeof(struct hci_evt_le_ext_adv_set_term)),
7079 /* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7080 HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7081 sizeof(struct hci_evt_le_cis_established)),
7082 /* [0x1a = HCI_EVT_LE_CIS_REQ] */
7083 HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7084 sizeof(struct hci_evt_le_cis_req)),
7085 /* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7086 HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7087 hci_le_create_big_complete_evt,
7088 sizeof(struct hci_evt_le_create_big_complete),
7089 HCI_MAX_EVENT_SIZE),
7090 /* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7091 HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7092 hci_le_big_sync_established_evt,
7093 sizeof(struct hci_evt_le_big_sync_estabilished),
7094 HCI_MAX_EVENT_SIZE),
7095 /* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7096 HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7097 hci_le_big_info_adv_report_evt,
7098 sizeof(struct hci_evt_le_big_info_adv_report),
7099 HCI_MAX_EVENT_SIZE),
7100 };
7101
hci_le_meta_evt(struct hci_dev * hdev,void * data,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)7102 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7103 struct sk_buff *skb, u16 *opcode, u8 *status,
7104 hci_req_complete_t *req_complete,
7105 hci_req_complete_skb_t *req_complete_skb)
7106 {
7107 struct hci_ev_le_meta *ev = data;
7108 const struct hci_le_ev *subev;
7109
7110 bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7111
7112 /* Only match event if command OGF is for LE */
7113 if (hdev->sent_cmd &&
7114 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7115 hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7116 *opcode = hci_skb_opcode(hdev->sent_cmd);
7117 hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7118 req_complete_skb);
7119 }
7120
7121 subev = &hci_le_ev_table[ev->subevent];
7122 if (!subev->func)
7123 return;
7124
7125 if (skb->len < subev->min_len) {
7126 bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7127 ev->subevent, skb->len, subev->min_len);
7128 return;
7129 }
7130
7131 /* Just warn if the length is over max_len size it still be
7132 * possible to partially parse the event so leave to callback to
7133 * decide if that is acceptable.
7134 */
7135 if (skb->len > subev->max_len)
7136 bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7137 ev->subevent, skb->len, subev->max_len);
7138 data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7139 if (!data)
7140 return;
7141
7142 subev->func(hdev, data, skb);
7143 }
7144
hci_get_cmd_complete(struct hci_dev * hdev,u16 opcode,u8 event,struct sk_buff * skb)7145 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7146 u8 event, struct sk_buff *skb)
7147 {
7148 struct hci_ev_cmd_complete *ev;
7149 struct hci_event_hdr *hdr;
7150
7151 if (!skb)
7152 return false;
7153
7154 hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7155 if (!hdr)
7156 return false;
7157
7158 if (event) {
7159 if (hdr->evt != event)
7160 return false;
7161 return true;
7162 }
7163
7164 /* Check if request ended in Command Status - no way to retrieve
7165 * any extra parameters in this case.
7166 */
7167 if (hdr->evt == HCI_EV_CMD_STATUS)
7168 return false;
7169
7170 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7171 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7172 hdr->evt);
7173 return false;
7174 }
7175
7176 ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7177 if (!ev)
7178 return false;
7179
7180 if (opcode != __le16_to_cpu(ev->opcode)) {
7181 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7182 __le16_to_cpu(ev->opcode));
7183 return false;
7184 }
7185
7186 return true;
7187 }
7188
hci_store_wake_reason(struct hci_dev * hdev,u8 event,struct sk_buff * skb)7189 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7190 struct sk_buff *skb)
7191 {
7192 struct hci_ev_le_advertising_info *adv;
7193 struct hci_ev_le_direct_adv_info *direct_adv;
7194 struct hci_ev_le_ext_adv_info *ext_adv;
7195 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7196 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7197
7198 hci_dev_lock(hdev);
7199
7200 /* If we are currently suspended and this is the first BT event seen,
7201 * save the wake reason associated with the event.
7202 */
7203 if (!hdev->suspended || hdev->wake_reason)
7204 goto unlock;
7205
7206 /* Default to remote wake. Values for wake_reason are documented in the
7207 * Bluez mgmt api docs.
7208 */
7209 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7210
7211 /* Once configured for remote wakeup, we should only wake up for
7212 * reconnections. It's useful to see which device is waking us up so
7213 * keep track of the bdaddr of the connection event that woke us up.
7214 */
7215 if (event == HCI_EV_CONN_REQUEST) {
7216 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7217 hdev->wake_addr_type = BDADDR_BREDR;
7218 } else if (event == HCI_EV_CONN_COMPLETE) {
7219 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7220 hdev->wake_addr_type = BDADDR_BREDR;
7221 } else if (event == HCI_EV_LE_META) {
7222 struct hci_ev_le_meta *le_ev = (void *)skb->data;
7223 u8 subevent = le_ev->subevent;
7224 u8 *ptr = &skb->data[sizeof(*le_ev)];
7225 u8 num_reports = *ptr;
7226
7227 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7228 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7229 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7230 num_reports) {
7231 adv = (void *)(ptr + 1);
7232 direct_adv = (void *)(ptr + 1);
7233 ext_adv = (void *)(ptr + 1);
7234
7235 switch (subevent) {
7236 case HCI_EV_LE_ADVERTISING_REPORT:
7237 bacpy(&hdev->wake_addr, &adv->bdaddr);
7238 hdev->wake_addr_type = adv->bdaddr_type;
7239 break;
7240 case HCI_EV_LE_DIRECT_ADV_REPORT:
7241 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7242 hdev->wake_addr_type = direct_adv->bdaddr_type;
7243 break;
7244 case HCI_EV_LE_EXT_ADV_REPORT:
7245 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7246 hdev->wake_addr_type = ext_adv->bdaddr_type;
7247 break;
7248 }
7249 }
7250 } else {
7251 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7252 }
7253
7254 unlock:
7255 hci_dev_unlock(hdev);
7256 }
7257
7258 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7259 [_op] = { \
7260 .req = false, \
7261 .func = _func, \
7262 .min_len = _min_len, \
7263 .max_len = _max_len, \
7264 }
7265
7266 #define HCI_EV(_op, _func, _len) \
7267 HCI_EV_VL(_op, _func, _len, _len)
7268
7269 #define HCI_EV_STATUS(_op, _func) \
7270 HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7271
7272 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7273 [_op] = { \
7274 .req = true, \
7275 .func_req = _func, \
7276 .min_len = _min_len, \
7277 .max_len = _max_len, \
7278 }
7279
7280 #define HCI_EV_REQ(_op, _func, _len) \
7281 HCI_EV_REQ_VL(_op, _func, _len, _len)
7282
7283 /* Entries in this table shall have their position according to the event opcode
7284 * they handle so the use of the macros above is recommend since it does attempt
7285 * to initialize at its proper index using Designated Initializers that way
7286 * events without a callback function don't have entered.
7287 */
7288 static const struct hci_ev {
7289 bool req;
7290 union {
7291 void (*func)(struct hci_dev *hdev, void *data,
7292 struct sk_buff *skb);
7293 void (*func_req)(struct hci_dev *hdev, void *data,
7294 struct sk_buff *skb, u16 *opcode, u8 *status,
7295 hci_req_complete_t *req_complete,
7296 hci_req_complete_skb_t *req_complete_skb);
7297 };
7298 u16 min_len;
7299 u16 max_len;
7300 } hci_ev_table[U8_MAX + 1] = {
7301 /* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7302 HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7303 /* [0x02 = HCI_EV_INQUIRY_RESULT] */
7304 HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7305 sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7306 /* [0x03 = HCI_EV_CONN_COMPLETE] */
7307 HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7308 sizeof(struct hci_ev_conn_complete)),
7309 /* [0x04 = HCI_EV_CONN_REQUEST] */
7310 HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7311 sizeof(struct hci_ev_conn_request)),
7312 /* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7313 HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7314 sizeof(struct hci_ev_disconn_complete)),
7315 /* [0x06 = HCI_EV_AUTH_COMPLETE] */
7316 HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7317 sizeof(struct hci_ev_auth_complete)),
7318 /* [0x07 = HCI_EV_REMOTE_NAME] */
7319 HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7320 sizeof(struct hci_ev_remote_name)),
7321 /* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7322 HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7323 sizeof(struct hci_ev_encrypt_change)),
7324 /* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7325 HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7326 hci_change_link_key_complete_evt,
7327 sizeof(struct hci_ev_change_link_key_complete)),
7328 /* [0x0b = HCI_EV_REMOTE_FEATURES] */
7329 HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7330 sizeof(struct hci_ev_remote_features)),
7331 /* [0x0e = HCI_EV_CMD_COMPLETE] */
7332 HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7333 sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7334 /* [0x0f = HCI_EV_CMD_STATUS] */
7335 HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7336 sizeof(struct hci_ev_cmd_status)),
7337 /* [0x10 = HCI_EV_CMD_STATUS] */
7338 HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7339 sizeof(struct hci_ev_hardware_error)),
7340 /* [0x12 = HCI_EV_ROLE_CHANGE] */
7341 HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7342 sizeof(struct hci_ev_role_change)),
7343 /* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7344 HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7345 sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7346 /* [0x14 = HCI_EV_MODE_CHANGE] */
7347 HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7348 sizeof(struct hci_ev_mode_change)),
7349 /* [0x16 = HCI_EV_PIN_CODE_REQ] */
7350 HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7351 sizeof(struct hci_ev_pin_code_req)),
7352 /* [0x17 = HCI_EV_LINK_KEY_REQ] */
7353 HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7354 sizeof(struct hci_ev_link_key_req)),
7355 /* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7356 HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7357 sizeof(struct hci_ev_link_key_notify)),
7358 /* [0x1c = HCI_EV_CLOCK_OFFSET] */
7359 HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7360 sizeof(struct hci_ev_clock_offset)),
7361 /* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7362 HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7363 sizeof(struct hci_ev_pkt_type_change)),
7364 /* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7365 HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7366 sizeof(struct hci_ev_pscan_rep_mode)),
7367 /* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7368 HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7369 hci_inquiry_result_with_rssi_evt,
7370 sizeof(struct hci_ev_inquiry_result_rssi),
7371 HCI_MAX_EVENT_SIZE),
7372 /* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7373 HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7374 sizeof(struct hci_ev_remote_ext_features)),
7375 /* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7376 HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7377 sizeof(struct hci_ev_sync_conn_complete)),
7378 /* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7379 HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7380 hci_extended_inquiry_result_evt,
7381 sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7382 /* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7383 HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7384 sizeof(struct hci_ev_key_refresh_complete)),
7385 /* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7386 HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7387 sizeof(struct hci_ev_io_capa_request)),
7388 /* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7389 HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7390 sizeof(struct hci_ev_io_capa_reply)),
7391 /* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7392 HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7393 sizeof(struct hci_ev_user_confirm_req)),
7394 /* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7395 HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7396 sizeof(struct hci_ev_user_passkey_req)),
7397 /* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7398 HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7399 sizeof(struct hci_ev_remote_oob_data_request)),
7400 /* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7401 HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7402 sizeof(struct hci_ev_simple_pair_complete)),
7403 /* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7404 HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7405 sizeof(struct hci_ev_user_passkey_notify)),
7406 /* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7407 HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7408 sizeof(struct hci_ev_keypress_notify)),
7409 /* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7410 HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7411 sizeof(struct hci_ev_remote_host_features)),
7412 /* [0x3e = HCI_EV_LE_META] */
7413 HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7414 sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7415 #if IS_ENABLED(CONFIG_BT_HS)
7416 /* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7417 HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7418 sizeof(struct hci_ev_phy_link_complete)),
7419 /* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7420 HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7421 sizeof(struct hci_ev_channel_selected)),
7422 /* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7423 HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7424 hci_disconn_loglink_complete_evt,
7425 sizeof(struct hci_ev_disconn_logical_link_complete)),
7426 /* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7427 HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7428 sizeof(struct hci_ev_logical_link_complete)),
7429 /* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7430 HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7431 hci_disconn_phylink_complete_evt,
7432 sizeof(struct hci_ev_disconn_phy_link_complete)),
7433 #endif
7434 /* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7435 HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7436 sizeof(struct hci_ev_num_comp_blocks)),
7437 /* [0xff = HCI_EV_VENDOR] */
7438 HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7439 };
7440
hci_event_func(struct hci_dev * hdev,u8 event,struct sk_buff * skb,u16 * opcode,u8 * status,hci_req_complete_t * req_complete,hci_req_complete_skb_t * req_complete_skb)7441 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7442 u16 *opcode, u8 *status,
7443 hci_req_complete_t *req_complete,
7444 hci_req_complete_skb_t *req_complete_skb)
7445 {
7446 const struct hci_ev *ev = &hci_ev_table[event];
7447 void *data;
7448
7449 if (!ev->func)
7450 return;
7451
7452 if (skb->len < ev->min_len) {
7453 bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7454 event, skb->len, ev->min_len);
7455 return;
7456 }
7457
7458 /* Just warn if the length is over max_len size it still be
7459 * possible to partially parse the event so leave to callback to
7460 * decide if that is acceptable.
7461 */
7462 if (skb->len > ev->max_len)
7463 bt_dev_warn_ratelimited(hdev,
7464 "unexpected event 0x%2.2x length: %u > %u",
7465 event, skb->len, ev->max_len);
7466
7467 data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7468 if (!data)
7469 return;
7470
7471 if (ev->req)
7472 ev->func_req(hdev, data, skb, opcode, status, req_complete,
7473 req_complete_skb);
7474 else
7475 ev->func(hdev, data, skb);
7476 }
7477
hci_event_packet(struct hci_dev * hdev,struct sk_buff * skb)7478 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7479 {
7480 struct hci_event_hdr *hdr = (void *) skb->data;
7481 hci_req_complete_t req_complete = NULL;
7482 hci_req_complete_skb_t req_complete_skb = NULL;
7483 struct sk_buff *orig_skb = NULL;
7484 u8 status = 0, event, req_evt = 0;
7485 u16 opcode = HCI_OP_NOP;
7486
7487 if (skb->len < sizeof(*hdr)) {
7488 bt_dev_err(hdev, "Malformed HCI Event");
7489 goto done;
7490 }
7491
7492 kfree_skb(hdev->recv_event);
7493 hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7494
7495 event = hdr->evt;
7496 if (!event) {
7497 bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7498 event);
7499 goto done;
7500 }
7501
7502 /* Only match event if command OGF is not for LE */
7503 if (hdev->sent_cmd &&
7504 hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7505 hci_skb_event(hdev->sent_cmd) == event) {
7506 hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7507 status, &req_complete, &req_complete_skb);
7508 req_evt = event;
7509 }
7510
7511 /* If it looks like we might end up having to call
7512 * req_complete_skb, store a pristine copy of the skb since the
7513 * various handlers may modify the original one through
7514 * skb_pull() calls, etc.
7515 */
7516 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7517 event == HCI_EV_CMD_COMPLETE)
7518 orig_skb = skb_clone(skb, GFP_KERNEL);
7519
7520 skb_pull(skb, HCI_EVENT_HDR_SIZE);
7521
7522 /* Store wake reason if we're suspended */
7523 hci_store_wake_reason(hdev, event, skb);
7524
7525 bt_dev_dbg(hdev, "event 0x%2.2x", event);
7526
7527 hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7528 &req_complete_skb);
7529
7530 if (req_complete) {
7531 req_complete(hdev, status, opcode);
7532 } else if (req_complete_skb) {
7533 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7534 kfree_skb(orig_skb);
7535 orig_skb = NULL;
7536 }
7537 req_complete_skb(hdev, status, opcode, orig_skb);
7538 }
7539
7540 done:
7541 kfree_skb(orig_skb);
7542 kfree_skb(skb);
7543 hdev->stat.evt_rx++;
7544 }
7545