projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'drm/tegra/for-3.19-rc1-fixes' of git://people.freedesktop.org/~tagr/linux...
[deliverable/linux.git] / net / bluetooth / hci_event.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22 SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "a2mp.h"
34 #include "amp.h"
35 #include "smp.h"
36
37 /* Handle HCI Event packets */
38
39 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
40 {
41 __u8 status = *((__u8 *) skb->data);
42
43 BT_DBG("%s status 0x%2.2x", hdev->name, status);
44
45 if (status)
46 return;
47
48 clear_bit(HCI_INQUIRY, &hdev->flags);
49 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
50 wake_up_bit(&hdev->flags, HCI_INQUIRY);
51
52 hci_dev_lock(hdev);
53 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
54 hci_dev_unlock(hdev);
55
56 hci_conn_check_pending(hdev);
57 }
58
59 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
60 {
61 __u8 status = *((__u8 *) skb->data);
62
63 BT_DBG("%s status 0x%2.2x", hdev->name, status);
64
65 if (status)
66 return;
67
68 set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
69 }
70
71 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
72 {
73 __u8 status = *((__u8 *) skb->data);
74
75 BT_DBG("%s status 0x%2.2x", hdev->name, status);
76
77 if (status)
78 return;
79
80 clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
81
82 hci_conn_check_pending(hdev);
83 }
84
85 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
86 struct sk_buff *skb)
87 {
88 BT_DBG("%s", hdev->name);
89 }
90
91 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
92 {
93 struct hci_rp_role_discovery *rp = (void *) skb->data;
94 struct hci_conn *conn;
95
96 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
97
98 if (rp->status)
99 return;
100
101 hci_dev_lock(hdev);
102
103 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
104 if (conn)
105 conn->role = rp->role;
106
107 hci_dev_unlock(hdev);
108 }
109
110 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
111 {
112 struct hci_rp_read_link_policy *rp = (void *) skb->data;
113 struct hci_conn *conn;
114
115 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
116
117 if (rp->status)
118 return;
119
120 hci_dev_lock(hdev);
121
122 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
123 if (conn)
124 conn->link_policy = __le16_to_cpu(rp->policy);
125
126 hci_dev_unlock(hdev);
127 }
128
129 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
130 {
131 struct hci_rp_write_link_policy *rp = (void *) skb->data;
132 struct hci_conn *conn;
133 void *sent;
134
135 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
136
137 if (rp->status)
138 return;
139
140 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
141 if (!sent)
142 return;
143
144 hci_dev_lock(hdev);
145
146 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
147 if (conn)
148 conn->link_policy = get_unaligned_le16(sent + 2);
149
150 hci_dev_unlock(hdev);
151 }
152
153 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
154 struct sk_buff *skb)
155 {
156 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
157
158 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
159
160 if (rp->status)
161 return;
162
163 hdev->link_policy = __le16_to_cpu(rp->policy);
164 }
165
166 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
167 struct sk_buff *skb)
168 {
169 __u8 status = *((__u8 *) skb->data);
170 void *sent;
171
172 BT_DBG("%s status 0x%2.2x", hdev->name, status);
173
174 if (status)
175 return;
176
177 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
178 if (!sent)
179 return;
180
181 hdev->link_policy = get_unaligned_le16(sent);
182 }
183
184 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
185 {
186 __u8 status = *((__u8 *) skb->data);
187
188 BT_DBG("%s status 0x%2.2x", hdev->name, status);
189
190 clear_bit(HCI_RESET, &hdev->flags);
191
192 if (status)
193 return;
194
195 /* Reset all non-persistent flags */
196 hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
197
198 hdev->discovery.state = DISCOVERY_STOPPED;
199 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
200 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
201
202 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
203 hdev->adv_data_len = 0;
204
205 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
206 hdev->scan_rsp_data_len = 0;
207
208 hdev->le_scan_type = LE_SCAN_PASSIVE;
209
210 hdev->ssp_debug_mode = 0;
211
212 hci_bdaddr_list_clear(&hdev->le_white_list);
213 }
214
215 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
216 {
217 __u8 status = *((__u8 *) skb->data);
218 void *sent;
219
220 BT_DBG("%s status 0x%2.2x", hdev->name, status);
221
222 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
223 if (!sent)
224 return;
225
226 hci_dev_lock(hdev);
227
228 if (test_bit(HCI_MGMT, &hdev->dev_flags))
229 mgmt_set_local_name_complete(hdev, sent, status);
230 else if (!status)
231 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
232
233 hci_dev_unlock(hdev);
234 }
235
236 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
237 {
238 struct hci_rp_read_local_name *rp = (void *) skb->data;
239
240 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
241
242 if (rp->status)
243 return;
244
245 if (test_bit(HCI_SETUP, &hdev->dev_flags))
246 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
247 }
248
249 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
250 {
251 __u8 status = *((__u8 *) skb->data);
252 void *sent;
253
254 BT_DBG("%s status 0x%2.2x", hdev->name, status);
255
256 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
257 if (!sent)
258 return;
259
260 hci_dev_lock(hdev);
261
262 if (!status) {
263 __u8 param = *((__u8 *) sent);
264
265 if (param == AUTH_ENABLED)
266 set_bit(HCI_AUTH, &hdev->flags);
267 else
268 clear_bit(HCI_AUTH, &hdev->flags);
269 }
270
271 if (test_bit(HCI_MGMT, &hdev->dev_flags))
272 mgmt_auth_enable_complete(hdev, status);
273
274 hci_dev_unlock(hdev);
275 }
276
277 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
278 {
279 __u8 status = *((__u8 *) skb->data);
280 __u8 param;
281 void *sent;
282
283 BT_DBG("%s status 0x%2.2x", hdev->name, status);
284
285 if (status)
286 return;
287
288 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
289 if (!sent)
290 return;
291
292 param = *((__u8 *) sent);
293
294 if (param)
295 set_bit(HCI_ENCRYPT, &hdev->flags);
296 else
297 clear_bit(HCI_ENCRYPT, &hdev->flags);
298 }
299
300 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
301 {
302 __u8 status = *((__u8 *) skb->data);
303 __u8 param;
304 void *sent;
305
306 BT_DBG("%s status 0x%2.2x", hdev->name, status);
307
308 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
309 if (!sent)
310 return;
311
312 param = *((__u8 *) sent);
313
314 hci_dev_lock(hdev);
315
316 if (status) {
317 hdev->discov_timeout = 0;
318 goto done;
319 }
320
321 if (param & SCAN_INQUIRY)
322 set_bit(HCI_ISCAN, &hdev->flags);
323 else
324 clear_bit(HCI_ISCAN, &hdev->flags);
325
326 if (param & SCAN_PAGE)
327 set_bit(HCI_PSCAN, &hdev->flags);
328 else
329 clear_bit(HCI_PSCAN, &hdev->flags);
330
331 done:
332 hci_dev_unlock(hdev);
333 }
334
335 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
336 {
337 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
338
339 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
340
341 if (rp->status)
342 return;
343
344 memcpy(hdev->dev_class, rp->dev_class, 3);
345
346 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
347 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
348 }
349
350 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
351 {
352 __u8 status = *((__u8 *) skb->data);
353 void *sent;
354
355 BT_DBG("%s status 0x%2.2x", hdev->name, status);
356
357 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
358 if (!sent)
359 return;
360
361 hci_dev_lock(hdev);
362
363 if (status == 0)
364 memcpy(hdev->dev_class, sent, 3);
365
366 if (test_bit(HCI_MGMT, &hdev->dev_flags))
367 mgmt_set_class_of_dev_complete(hdev, sent, status);
368
369 hci_dev_unlock(hdev);
370 }
371
372 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
373 {
374 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
375 __u16 setting;
376
377 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
378
379 if (rp->status)
380 return;
381
382 setting = __le16_to_cpu(rp->voice_setting);
383
384 if (hdev->voice_setting == setting)
385 return;
386
387 hdev->voice_setting = setting;
388
389 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
390
391 if (hdev->notify)
392 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
393 }
394
395 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
396 struct sk_buff *skb)
397 {
398 __u8 status = *((__u8 *) skb->data);
399 __u16 setting;
400 void *sent;
401
402 BT_DBG("%s status 0x%2.2x", hdev->name, status);
403
404 if (status)
405 return;
406
407 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
408 if (!sent)
409 return;
410
411 setting = get_unaligned_le16(sent);
412
413 if (hdev->voice_setting == setting)
414 return;
415
416 hdev->voice_setting = setting;
417
418 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
419
420 if (hdev->notify)
421 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
422 }
423
424 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
425 struct sk_buff *skb)
426 {
427 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
428
429 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
430
431 if (rp->status)
432 return;
433
434 hdev->num_iac = rp->num_iac;
435
436 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
437 }
438
439 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
440 {
441 __u8 status = *((__u8 *) skb->data);
442 struct hci_cp_write_ssp_mode *sent;
443
444 BT_DBG("%s status 0x%2.2x", hdev->name, status);
445
446 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
447 if (!sent)
448 return;
449
450 hci_dev_lock(hdev);
451
452 if (!status) {
453 if (sent->mode)
454 hdev->features[1][0] |= LMP_HOST_SSP;
455 else
456 hdev->features[1][0] &= ~LMP_HOST_SSP;
457 }
458
459 if (test_bit(HCI_MGMT, &hdev->dev_flags))
460 mgmt_ssp_enable_complete(hdev, sent->mode, status);
461 else if (!status) {
462 if (sent->mode)
463 set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
464 else
465 clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
466 }
467
468 hci_dev_unlock(hdev);
469 }
470
471 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
472 {
473 u8 status = *((u8 *) skb->data);
474 struct hci_cp_write_sc_support *sent;
475
476 BT_DBG("%s status 0x%2.2x", hdev->name, status);
477
478 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
479 if (!sent)
480 return;
481
482 hci_dev_lock(hdev);
483
484 if (!status) {
485 if (sent->support)
486 hdev->features[1][0] |= LMP_HOST_SC;
487 else
488 hdev->features[1][0] &= ~LMP_HOST_SC;
489 }
490
491 if (test_bit(HCI_MGMT, &hdev->dev_flags))
492 mgmt_sc_enable_complete(hdev, sent->support, status);
493 else if (!status) {
494 if (sent->support)
495 set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
496 else
497 clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
498 }
499
500 hci_dev_unlock(hdev);
501 }
502
503 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
504 {
505 struct hci_rp_read_local_version *rp = (void *) skb->data;
506
507 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
508
509 if (rp->status)
510 return;
511
512 if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
513 hdev->hci_ver = rp->hci_ver;
514 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
515 hdev->lmp_ver = rp->lmp_ver;
516 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
517 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
518 }
519 }
520
521 static void hci_cc_read_local_commands(struct hci_dev *hdev,
522 struct sk_buff *skb)
523 {
524 struct hci_rp_read_local_commands *rp = (void *) skb->data;
525
526 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
527
528 if (rp->status)
529 return;
530
531 if (test_bit(HCI_SETUP, &hdev->dev_flags))
532 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
533 }
534
535 static void hci_cc_read_local_features(struct hci_dev *hdev,
536 struct sk_buff *skb)
537 {
538 struct hci_rp_read_local_features *rp = (void *) skb->data;
539
540 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
541
542 if (rp->status)
543 return;
544
545 memcpy(hdev->features, rp->features, 8);
546
547 /* Adjust default settings according to features
548 * supported by device. */
549
550 if (hdev->features[0][0] & LMP_3SLOT)
551 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
552
553 if (hdev->features[0][0] & LMP_5SLOT)
554 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
555
556 if (hdev->features[0][1] & LMP_HV2) {
557 hdev->pkt_type |= (HCI_HV2);
558 hdev->esco_type |= (ESCO_HV2);
559 }
560
561 if (hdev->features[0][1] & LMP_HV3) {
562 hdev->pkt_type |= (HCI_HV3);
563 hdev->esco_type |= (ESCO_HV3);
564 }
565
566 if (lmp_esco_capable(hdev))
567 hdev->esco_type |= (ESCO_EV3);
568
569 if (hdev->features[0][4] & LMP_EV4)
570 hdev->esco_type |= (ESCO_EV4);
571
572 if (hdev->features[0][4] & LMP_EV5)
573 hdev->esco_type |= (ESCO_EV5);
574
575 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
576 hdev->esco_type |= (ESCO_2EV3);
577
578 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
579 hdev->esco_type |= (ESCO_3EV3);
580
581 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
582 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
583 }
584
585 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
586 struct sk_buff *skb)
587 {
588 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
589
590 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
591
592 if (rp->status)
593 return;
594
595 if (hdev->max_page < rp->max_page)
596 hdev->max_page = rp->max_page;
597
598 if (rp->page < HCI_MAX_PAGES)
599 memcpy(hdev->features[rp->page], rp->features, 8);
600 }
601
602 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
603 struct sk_buff *skb)
604 {
605 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
606
607 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
608
609 if (rp->status)
610 return;
611
612 hdev->flow_ctl_mode = rp->mode;
613 }
614
615 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
616 {
617 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
618
619 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
620
621 if (rp->status)
622 return;
623
624 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
625 hdev->sco_mtu = rp->sco_mtu;
626 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
627 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
628
629 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
630 hdev->sco_mtu = 64;
631 hdev->sco_pkts = 8;
632 }
633
634 hdev->acl_cnt = hdev->acl_pkts;
635 hdev->sco_cnt = hdev->sco_pkts;
636
637 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
638 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
639 }
640
641 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
642 {
643 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
644
645 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
646
647 if (rp->status)
648 return;
649
650 if (test_bit(HCI_INIT, &hdev->flags))
651 bacpy(&hdev->bdaddr, &rp->bdaddr);
652
653 if (test_bit(HCI_SETUP, &hdev->dev_flags))
654 bacpy(&hdev->setup_addr, &rp->bdaddr);
655 }
656
657 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
658 struct sk_buff *skb)
659 {
660 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
661
662 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
663
664 if (rp->status)
665 return;
666
667 if (test_bit(HCI_INIT, &hdev->flags)) {
668 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
669 hdev->page_scan_window = __le16_to_cpu(rp->window);
670 }
671 }
672
673 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
674 struct sk_buff *skb)
675 {
676 u8 status = *((u8 *) skb->data);
677 struct hci_cp_write_page_scan_activity *sent;
678
679 BT_DBG("%s status 0x%2.2x", hdev->name, status);
680
681 if (status)
682 return;
683
684 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
685 if (!sent)
686 return;
687
688 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
689 hdev->page_scan_window = __le16_to_cpu(sent->window);
690 }
691
692 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
693 struct sk_buff *skb)
694 {
695 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
696
697 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
698
699 if (rp->status)
700 return;
701
702 if (test_bit(HCI_INIT, &hdev->flags))
703 hdev->page_scan_type = rp->type;
704 }
705
706 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
707 struct sk_buff *skb)
708 {
709 u8 status = *((u8 *) skb->data);
710 u8 *type;
711
712 BT_DBG("%s status 0x%2.2x", hdev->name, status);
713
714 if (status)
715 return;
716
717 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
718 if (type)
719 hdev->page_scan_type = *type;
720 }
721
722 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
723 struct sk_buff *skb)
724 {
725 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
726
727 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
728
729 if (rp->status)
730 return;
731
732 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
733 hdev->block_len = __le16_to_cpu(rp->block_len);
734 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
735
736 hdev->block_cnt = hdev->num_blocks;
737
738 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
739 hdev->block_cnt, hdev->block_len);
740 }
741
742 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
743 {
744 struct hci_rp_read_clock *rp = (void *) skb->data;
745 struct hci_cp_read_clock *cp;
746 struct hci_conn *conn;
747
748 BT_DBG("%s", hdev->name);
749
750 if (skb->len < sizeof(*rp))
751 return;
752
753 if (rp->status)
754 return;
755
756 hci_dev_lock(hdev);
757
758 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
759 if (!cp)
760 goto unlock;
761
762 if (cp->which == 0x00) {
763 hdev->clock = le32_to_cpu(rp->clock);
764 goto unlock;
765 }
766
767 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
768 if (conn) {
769 conn->clock = le32_to_cpu(rp->clock);
770 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
771 }
772
773 unlock:
774 hci_dev_unlock(hdev);
775 }
776
777 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
778 struct sk_buff *skb)
779 {
780 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
781
782 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
783
784 if (rp->status)
785 goto a2mp_rsp;
786
787 hdev->amp_status = rp->amp_status;
788 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
789 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
790 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
791 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
792 hdev->amp_type = rp->amp_type;
793 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
794 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
795 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
796 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
797
798 a2mp_rsp:
799 a2mp_send_getinfo_rsp(hdev);
800 }
801
802 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
803 struct sk_buff *skb)
804 {
805 struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
806 struct amp_assoc *assoc = &hdev->loc_assoc;
807 size_t rem_len, frag_len;
808
809 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
810
811 if (rp->status)
812 goto a2mp_rsp;
813
814 frag_len = skb->len - sizeof(*rp);
815 rem_len = __le16_to_cpu(rp->rem_len);
816
817 if (rem_len > frag_len) {
818 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
819
820 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
821 assoc->offset += frag_len;
822
823 /* Read other fragments */
824 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
825
826 return;
827 }
828
829 memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
830 assoc->len = assoc->offset + rem_len;
831 assoc->offset = 0;
832
833 a2mp_rsp:
834 /* Send A2MP Rsp when all fragments are received */
835 a2mp_send_getampassoc_rsp(hdev, rp->status);
836 a2mp_send_create_phy_link_req(hdev, rp->status);
837 }
838
839 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
840 struct sk_buff *skb)
841 {
842 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
843
844 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
845
846 if (rp->status)
847 return;
848
849 hdev->inq_tx_power = rp->tx_power;
850 }
851
852 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
853 {
854 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
855 struct hci_cp_pin_code_reply *cp;
856 struct hci_conn *conn;
857
858 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
859
860 hci_dev_lock(hdev);
861
862 if (test_bit(HCI_MGMT, &hdev->dev_flags))
863 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
864
865 if (rp->status)
866 goto unlock;
867
868 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
869 if (!cp)
870 goto unlock;
871
872 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
873 if (conn)
874 conn->pin_length = cp->pin_len;
875
876 unlock:
877 hci_dev_unlock(hdev);
878 }
879
880 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
881 {
882 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
883
884 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
885
886 hci_dev_lock(hdev);
887
888 if (test_bit(HCI_MGMT, &hdev->dev_flags))
889 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
890 rp->status);
891
892 hci_dev_unlock(hdev);
893 }
894
895 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
896 struct sk_buff *skb)
897 {
898 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
899
900 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
901
902 if (rp->status)
903 return;
904
905 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
906 hdev->le_pkts = rp->le_max_pkt;
907
908 hdev->le_cnt = hdev->le_pkts;
909
910 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
911 }
912
913 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
914 struct sk_buff *skb)
915 {
916 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
917
918 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
919
920 if (rp->status)
921 return;
922
923 memcpy(hdev->le_features, rp->features, 8);
924 }
925
926 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
927 struct sk_buff *skb)
928 {
929 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
930
931 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
932
933 if (rp->status)
934 return;
935
936 hdev->adv_tx_power = rp->tx_power;
937 }
938
939 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
940 {
941 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
942
943 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
944
945 hci_dev_lock(hdev);
946
947 if (test_bit(HCI_MGMT, &hdev->dev_flags))
948 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
949 rp->status);
950
951 hci_dev_unlock(hdev);
952 }
953
954 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
955 struct sk_buff *skb)
956 {
957 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
958
959 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
960
961 hci_dev_lock(hdev);
962
963 if (test_bit(HCI_MGMT, &hdev->dev_flags))
964 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
965 ACL_LINK, 0, rp->status);
966
967 hci_dev_unlock(hdev);
968 }
969
970 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
971 {
972 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
973
974 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
975
976 hci_dev_lock(hdev);
977
978 if (test_bit(HCI_MGMT, &hdev->dev_flags))
979 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
980 0, rp->status);
981
982 hci_dev_unlock(hdev);
983 }
984
985 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
986 struct sk_buff *skb)
987 {
988 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
989
990 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
991
992 hci_dev_lock(hdev);
993
994 if (test_bit(HCI_MGMT, &hdev->dev_flags))
995 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
996 ACL_LINK, 0, rp->status);
997
998 hci_dev_unlock(hdev);
999 }
1000
1001 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1002 struct sk_buff *skb)
1003 {
1004 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1005
1006 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1007
1008 hci_dev_lock(hdev);
1009 mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->rand, NULL, NULL,
1010 rp->status);
1011 hci_dev_unlock(hdev);
1012 }
1013
1014 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1015 struct sk_buff *skb)
1016 {
1017 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1018
1019 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1020
1021 hci_dev_lock(hdev);
1022 mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->rand192,
1023 rp->hash256, rp->rand256,
1024 rp->status);
1025 hci_dev_unlock(hdev);
1026 }
1027
1028
1029 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1030 {
1031 __u8 status = *((__u8 *) skb->data);
1032 bdaddr_t *sent;
1033
1034 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1035
1036 if (status)
1037 return;
1038
1039 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1040 if (!sent)
1041 return;
1042
1043 hci_dev_lock(hdev);
1044
1045 bacpy(&hdev->random_addr, sent);
1046
1047 hci_dev_unlock(hdev);
1048 }
1049
1050 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1051 {
1052 __u8 *sent, status = *((__u8 *) skb->data);
1053
1054 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1055
1056 if (status)
1057 return;
1058
1059 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1060 if (!sent)
1061 return;
1062
1063 hci_dev_lock(hdev);
1064
1065 /* If we're doing connection initiation as peripheral. Set a
1066 * timeout in case something goes wrong.
1067 */
1068 if (*sent) {
1069 struct hci_conn *conn;
1070
1071 set_bit(HCI_LE_ADV, &hdev->dev_flags);
1072
1073 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1074 if (conn)
1075 queue_delayed_work(hdev->workqueue,
1076 &conn->le_conn_timeout,
1077 conn->conn_timeout);
1078 } else {
1079 clear_bit(HCI_LE_ADV, &hdev->dev_flags);
1080 }
1081
1082 hci_dev_unlock(hdev);
1083 }
1084
1085 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1086 {
1087 struct hci_cp_le_set_scan_param *cp;
1088 __u8 status = *((__u8 *) skb->data);
1089
1090 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1091
1092 if (status)
1093 return;
1094
1095 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1096 if (!cp)
1097 return;
1098
1099 hci_dev_lock(hdev);
1100
1101 hdev->le_scan_type = cp->type;
1102
1103 hci_dev_unlock(hdev);
1104 }
1105
1106 static bool has_pending_adv_report(struct hci_dev *hdev)
1107 {
1108 struct discovery_state *d = &hdev->discovery;
1109
1110 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1111 }
1112
1113 static void clear_pending_adv_report(struct hci_dev *hdev)
1114 {
1115 struct discovery_state *d = &hdev->discovery;
1116
1117 bacpy(&d->last_adv_addr, BDADDR_ANY);
1118 d->last_adv_data_len = 0;
1119 }
1120
1121 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1122 u8 bdaddr_type, s8 rssi, u32 flags,
1123 u8 *data, u8 len)
1124 {
1125 struct discovery_state *d = &hdev->discovery;
1126
1127 bacpy(&d->last_adv_addr, bdaddr);
1128 d->last_adv_addr_type = bdaddr_type;
1129 d->last_adv_rssi = rssi;
1130 d->last_adv_flags = flags;
1131 memcpy(d->last_adv_data, data, len);
1132 d->last_adv_data_len = len;
1133 }
1134
1135 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1136 struct sk_buff *skb)
1137 {
1138 struct hci_cp_le_set_scan_enable *cp;
1139 __u8 status = *((__u8 *) skb->data);
1140
1141 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1142
1143 if (status)
1144 return;
1145
1146 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1147 if (!cp)
1148 return;
1149
1150 hci_dev_lock(hdev);
1151
1152 switch (cp->enable) {
1153 case LE_SCAN_ENABLE:
1154 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1155 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1156 clear_pending_adv_report(hdev);
1157 break;
1158
1159 case LE_SCAN_DISABLE:
1160 /* We do this here instead of when setting DISCOVERY_STOPPED
1161 * since the latter would potentially require waiting for
1162 * inquiry to stop too.
1163 */
1164 if (has_pending_adv_report(hdev)) {
1165 struct discovery_state *d = &hdev->discovery;
1166
1167 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1168 d->last_adv_addr_type, NULL,
1169 d->last_adv_rssi, d->last_adv_flags,
1170 d->last_adv_data,
1171 d->last_adv_data_len, NULL, 0);
1172 }
1173
1174 /* Cancel this timer so that we don't try to disable scanning
1175 * when it's already disabled.
1176 */
1177 cancel_delayed_work(&hdev->le_scan_disable);
1178
1179 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1180
1181 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1182 * interrupted scanning due to a connect request. Mark
1183 * therefore discovery as stopped. If this was not
1184 * because of a connect request advertising might have
1185 * been disabled because of active scanning, so
1186 * re-enable it again if necessary.
1187 */
1188 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1189 &hdev->dev_flags))
1190 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1191 else if (!test_bit(HCI_LE_ADV, &hdev->dev_flags) &&
1192 hdev->discovery.state == DISCOVERY_FINDING)
1193 mgmt_reenable_advertising(hdev);
1194
1195 break;
1196
1197 default:
1198 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1199 break;
1200 }
1201
1202 hci_dev_unlock(hdev);
1203 }
1204
1205 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1206 struct sk_buff *skb)
1207 {
1208 struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1209
1210 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1211
1212 if (rp->status)
1213 return;
1214
1215 hdev->le_white_list_size = rp->size;
1216 }
1217
1218 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1219 struct sk_buff *skb)
1220 {
1221 __u8 status = *((__u8 *) skb->data);
1222
1223 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1224
1225 if (status)
1226 return;
1227
1228 hci_bdaddr_list_clear(&hdev->le_white_list);
1229 }
1230
1231 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1232 struct sk_buff *skb)
1233 {
1234 struct hci_cp_le_add_to_white_list *sent;
1235 __u8 status = *((__u8 *) skb->data);
1236
1237 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1238
1239 if (status)
1240 return;
1241
1242 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1243 if (!sent)
1244 return;
1245
1246 hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1247 sent->bdaddr_type);
1248 }
1249
1250 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1251 struct sk_buff *skb)
1252 {
1253 struct hci_cp_le_del_from_white_list *sent;
1254 __u8 status = *((__u8 *) skb->data);
1255
1256 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1257
1258 if (status)
1259 return;
1260
1261 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1262 if (!sent)
1263 return;
1264
1265 hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1266 sent->bdaddr_type);
1267 }
1268
1269 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1270 struct sk_buff *skb)
1271 {
1272 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1273
1274 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1275
1276 if (rp->status)
1277 return;
1278
1279 memcpy(hdev->le_states, rp->le_states, 8);
1280 }
1281
1282 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1283 struct sk_buff *skb)
1284 {
1285 struct hci_cp_write_le_host_supported *sent;
1286 __u8 status = *((__u8 *) skb->data);
1287
1288 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1289
1290 if (status)
1291 return;
1292
1293 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1294 if (!sent)
1295 return;
1296
1297 hci_dev_lock(hdev);
1298
1299 if (sent->le) {
1300 hdev->features[1][0] |= LMP_HOST_LE;
1301 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1302 } else {
1303 hdev->features[1][0] &= ~LMP_HOST_LE;
1304 clear_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1305 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1306 }
1307
1308 if (sent->simul)
1309 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1310 else
1311 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1312
1313 hci_dev_unlock(hdev);
1314 }
1315
1316 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1317 {
1318 struct hci_cp_le_set_adv_param *cp;
1319 u8 status = *((u8 *) skb->data);
1320
1321 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1322
1323 if (status)
1324 return;
1325
1326 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1327 if (!cp)
1328 return;
1329
1330 hci_dev_lock(hdev);
1331 hdev->adv_addr_type = cp->own_address_type;
1332 hci_dev_unlock(hdev);
1333 }
1334
1335 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1336 struct sk_buff *skb)
1337 {
1338 struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1339
1340 BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1341 hdev->name, rp->status, rp->phy_handle);
1342
1343 if (rp->status)
1344 return;
1345
1346 amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1347 }
1348
1349 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1350 {
1351 struct hci_rp_read_rssi *rp = (void *) skb->data;
1352 struct hci_conn *conn;
1353
1354 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1355
1356 if (rp->status)
1357 return;
1358
1359 hci_dev_lock(hdev);
1360
1361 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1362 if (conn)
1363 conn->rssi = rp->rssi;
1364
1365 hci_dev_unlock(hdev);
1366 }
1367
1368 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1369 {
1370 struct hci_cp_read_tx_power *sent;
1371 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1372 struct hci_conn *conn;
1373
1374 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1375
1376 if (rp->status)
1377 return;
1378
1379 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1380 if (!sent)
1381 return;
1382
1383 hci_dev_lock(hdev);
1384
1385 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1386 if (!conn)
1387 goto unlock;
1388
1389 switch (sent->type) {
1390 case 0x00:
1391 conn->tx_power = rp->tx_power;
1392 break;
1393 case 0x01:
1394 conn->max_tx_power = rp->tx_power;
1395 break;
1396 }
1397
1398 unlock:
1399 hci_dev_unlock(hdev);
1400 }
1401
1402 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1403 {
1404 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1405
1406 if (status) {
1407 hci_conn_check_pending(hdev);
1408 return;
1409 }
1410
1411 set_bit(HCI_INQUIRY, &hdev->flags);
1412 }
1413
1414 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1415 {
1416 struct hci_cp_create_conn *cp;
1417 struct hci_conn *conn;
1418
1419 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1420
1421 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1422 if (!cp)
1423 return;
1424
1425 hci_dev_lock(hdev);
1426
1427 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1428
1429 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1430
1431 if (status) {
1432 if (conn && conn->state == BT_CONNECT) {
1433 if (status != 0x0c || conn->attempt > 2) {
1434 conn->state = BT_CLOSED;
1435 hci_proto_connect_cfm(conn, status);
1436 hci_conn_del(conn);
1437 } else
1438 conn->state = BT_CONNECT2;
1439 }
1440 } else {
1441 if (!conn) {
1442 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1443 HCI_ROLE_MASTER);
1444 if (!conn)
1445 BT_ERR("No memory for new connection");
1446 }
1447 }
1448
1449 hci_dev_unlock(hdev);
1450 }
1451
1452 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1453 {
1454 struct hci_cp_add_sco *cp;
1455 struct hci_conn *acl, *sco;
1456 __u16 handle;
1457
1458 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1459
1460 if (!status)
1461 return;
1462
1463 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1464 if (!cp)
1465 return;
1466
1467 handle = __le16_to_cpu(cp->handle);
1468
1469 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1470
1471 hci_dev_lock(hdev);
1472
1473 acl = hci_conn_hash_lookup_handle(hdev, handle);
1474 if (acl) {
1475 sco = acl->link;
1476 if (sco) {
1477 sco->state = BT_CLOSED;
1478
1479 hci_proto_connect_cfm(sco, status);
1480 hci_conn_del(sco);
1481 }
1482 }
1483
1484 hci_dev_unlock(hdev);
1485 }
1486
1487 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1488 {
1489 struct hci_cp_auth_requested *cp;
1490 struct hci_conn *conn;
1491
1492 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1493
1494 if (!status)
1495 return;
1496
1497 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1498 if (!cp)
1499 return;
1500
1501 hci_dev_lock(hdev);
1502
1503 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1504 if (conn) {
1505 if (conn->state == BT_CONFIG) {
1506 hci_proto_connect_cfm(conn, status);
1507 hci_conn_drop(conn);
1508 }
1509 }
1510
1511 hci_dev_unlock(hdev);
1512 }
1513
1514 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1515 {
1516 struct hci_cp_set_conn_encrypt *cp;
1517 struct hci_conn *conn;
1518
1519 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1520
1521 if (!status)
1522 return;
1523
1524 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1525 if (!cp)
1526 return;
1527
1528 hci_dev_lock(hdev);
1529
1530 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1531 if (conn) {
1532 if (conn->state == BT_CONFIG) {
1533 hci_proto_connect_cfm(conn, status);
1534 hci_conn_drop(conn);
1535 }
1536 }
1537
1538 hci_dev_unlock(hdev);
1539 }
1540
1541 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1542 struct hci_conn *conn)
1543 {
1544 if (conn->state != BT_CONFIG || !conn->out)
1545 return 0;
1546
1547 if (conn->pending_sec_level == BT_SECURITY_SDP)
1548 return 0;
1549
1550 /* Only request authentication for SSP connections or non-SSP
1551 * devices with sec_level MEDIUM or HIGH or if MITM protection
1552 * is requested.
1553 */
1554 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1555 conn->pending_sec_level != BT_SECURITY_FIPS &&
1556 conn->pending_sec_level != BT_SECURITY_HIGH &&
1557 conn->pending_sec_level != BT_SECURITY_MEDIUM)
1558 return 0;
1559
1560 return 1;
1561 }
1562
1563 static int hci_resolve_name(struct hci_dev *hdev,
1564 struct inquiry_entry *e)
1565 {
1566 struct hci_cp_remote_name_req cp;
1567
1568 memset(&cp, 0, sizeof(cp));
1569
1570 bacpy(&cp.bdaddr, &e->data.bdaddr);
1571 cp.pscan_rep_mode = e->data.pscan_rep_mode;
1572 cp.pscan_mode = e->data.pscan_mode;
1573 cp.clock_offset = e->data.clock_offset;
1574
1575 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1576 }
1577
1578 static bool hci_resolve_next_name(struct hci_dev *hdev)
1579 {
1580 struct discovery_state *discov = &hdev->discovery;
1581 struct inquiry_entry *e;
1582
1583 if (list_empty(&discov->resolve))
1584 return false;
1585
1586 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1587 if (!e)
1588 return false;
1589
1590 if (hci_resolve_name(hdev, e) == 0) {
1591 e->name_state = NAME_PENDING;
1592 return true;
1593 }
1594
1595 return false;
1596 }
1597
1598 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1599 bdaddr_t *bdaddr, u8 *name, u8 name_len)
1600 {
1601 struct discovery_state *discov = &hdev->discovery;
1602 struct inquiry_entry *e;
1603
1604 /* Update the mgmt connected state if necessary. Be careful with
1605 * conn objects that exist but are not (yet) connected however.
1606 * Only those in BT_CONFIG or BT_CONNECTED states can be
1607 * considered connected.
1608 */
1609 if (conn &&
1610 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1611 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1612 mgmt_device_connected(hdev, conn, 0, name, name_len);
1613
1614 if (discov->state == DISCOVERY_STOPPED)
1615 return;
1616
1617 if (discov->state == DISCOVERY_STOPPING)
1618 goto discov_complete;
1619
1620 if (discov->state != DISCOVERY_RESOLVING)
1621 return;
1622
1623 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1624 /* If the device was not found in a list of found devices names of which
1625 * are pending. there is no need to continue resolving a next name as it
1626 * will be done upon receiving another Remote Name Request Complete
1627 * Event */
1628 if (!e)
1629 return;
1630
1631 list_del(&e->list);
1632 if (name) {
1633 e->name_state = NAME_KNOWN;
1634 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1635 e->data.rssi, name, name_len);
1636 } else {
1637 e->name_state = NAME_NOT_KNOWN;
1638 }
1639
1640 if (hci_resolve_next_name(hdev))
1641 return;
1642
1643 discov_complete:
1644 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1645 }
1646
1647 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1648 {
1649 struct hci_cp_remote_name_req *cp;
1650 struct hci_conn *conn;
1651
1652 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1653
1654 /* If successful wait for the name req complete event before
1655 * checking for the need to do authentication */
1656 if (!status)
1657 return;
1658
1659 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1660 if (!cp)
1661 return;
1662
1663 hci_dev_lock(hdev);
1664
1665 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1666
1667 if (test_bit(HCI_MGMT, &hdev->dev_flags))
1668 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1669
1670 if (!conn)
1671 goto unlock;
1672
1673 if (!hci_outgoing_auth_needed(hdev, conn))
1674 goto unlock;
1675
1676 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1677 struct hci_cp_auth_requested auth_cp;
1678
1679 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1680
1681 auth_cp.handle = __cpu_to_le16(conn->handle);
1682 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1683 sizeof(auth_cp), &auth_cp);
1684 }
1685
1686 unlock:
1687 hci_dev_unlock(hdev);
1688 }
1689
1690 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1691 {
1692 struct hci_cp_read_remote_features *cp;
1693 struct hci_conn *conn;
1694
1695 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1696
1697 if (!status)
1698 return;
1699
1700 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1701 if (!cp)
1702 return;
1703
1704 hci_dev_lock(hdev);
1705
1706 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1707 if (conn) {
1708 if (conn->state == BT_CONFIG) {
1709 hci_proto_connect_cfm(conn, status);
1710 hci_conn_drop(conn);
1711 }
1712 }
1713
1714 hci_dev_unlock(hdev);
1715 }
1716
1717 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1718 {
1719 struct hci_cp_read_remote_ext_features *cp;
1720 struct hci_conn *conn;
1721
1722 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1723
1724 if (!status)
1725 return;
1726
1727 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1728 if (!cp)
1729 return;
1730
1731 hci_dev_lock(hdev);
1732
1733 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1734 if (conn) {
1735 if (conn->state == BT_CONFIG) {
1736 hci_proto_connect_cfm(conn, status);
1737 hci_conn_drop(conn);
1738 }
1739 }
1740
1741 hci_dev_unlock(hdev);
1742 }
1743
1744 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1745 {
1746 struct hci_cp_setup_sync_conn *cp;
1747 struct hci_conn *acl, *sco;
1748 __u16 handle;
1749
1750 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1751
1752 if (!status)
1753 return;
1754
1755 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1756 if (!cp)
1757 return;
1758
1759 handle = __le16_to_cpu(cp->handle);
1760
1761 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1762
1763 hci_dev_lock(hdev);
1764
1765 acl = hci_conn_hash_lookup_handle(hdev, handle);
1766 if (acl) {
1767 sco = acl->link;
1768 if (sco) {
1769 sco->state = BT_CLOSED;
1770
1771 hci_proto_connect_cfm(sco, status);
1772 hci_conn_del(sco);
1773 }
1774 }
1775
1776 hci_dev_unlock(hdev);
1777 }
1778
1779 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1780 {
1781 struct hci_cp_sniff_mode *cp;
1782 struct hci_conn *conn;
1783
1784 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1785
1786 if (!status)
1787 return;
1788
1789 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1790 if (!cp)
1791 return;
1792
1793 hci_dev_lock(hdev);
1794
1795 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1796 if (conn) {
1797 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1798
1799 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1800 hci_sco_setup(conn, status);
1801 }
1802
1803 hci_dev_unlock(hdev);
1804 }
1805
1806 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1807 {
1808 struct hci_cp_exit_sniff_mode *cp;
1809 struct hci_conn *conn;
1810
1811 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1812
1813 if (!status)
1814 return;
1815
1816 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1817 if (!cp)
1818 return;
1819
1820 hci_dev_lock(hdev);
1821
1822 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1823 if (conn) {
1824 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1825
1826 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1827 hci_sco_setup(conn, status);
1828 }
1829
1830 hci_dev_unlock(hdev);
1831 }
1832
1833 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1834 {
1835 struct hci_cp_disconnect *cp;
1836 struct hci_conn *conn;
1837
1838 if (!status)
1839 return;
1840
1841 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1842 if (!cp)
1843 return;
1844
1845 hci_dev_lock(hdev);
1846
1847 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1848 if (conn)
1849 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1850 conn->dst_type, status);
1851
1852 hci_dev_unlock(hdev);
1853 }
1854
1855 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1856 {
1857 struct hci_cp_create_phy_link *cp;
1858
1859 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1860
1861 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1862 if (!cp)
1863 return;
1864
1865 hci_dev_lock(hdev);
1866
1867 if (status) {
1868 struct hci_conn *hcon;
1869
1870 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1871 if (hcon)
1872 hci_conn_del(hcon);
1873 } else {
1874 amp_write_remote_assoc(hdev, cp->phy_handle);
1875 }
1876
1877 hci_dev_unlock(hdev);
1878 }
1879
1880 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1881 {
1882 struct hci_cp_accept_phy_link *cp;
1883
1884 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1885
1886 if (status)
1887 return;
1888
1889 cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1890 if (!cp)
1891 return;
1892
1893 amp_write_remote_assoc(hdev, cp->phy_handle);
1894 }
1895
1896 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1897 {
1898 struct hci_cp_le_create_conn *cp;
1899 struct hci_conn *conn;
1900
1901 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1902
1903 /* All connection failure handling is taken care of by the
1904 * hci_le_conn_failed function which is triggered by the HCI
1905 * request completion callbacks used for connecting.
1906 */
1907 if (status)
1908 return;
1909
1910 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1911 if (!cp)
1912 return;
1913
1914 hci_dev_lock(hdev);
1915
1916 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1917 if (!conn)
1918 goto unlock;
1919
1920 /* Store the initiator and responder address information which
1921 * is needed for SMP. These values will not change during the
1922 * lifetime of the connection.
1923 */
1924 conn->init_addr_type = cp->own_address_type;
1925 if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1926 bacpy(&conn->init_addr, &hdev->random_addr);
1927 else
1928 bacpy(&conn->init_addr, &hdev->bdaddr);
1929
1930 conn->resp_addr_type = cp->peer_addr_type;
1931 bacpy(&conn->resp_addr, &cp->peer_addr);
1932
1933 /* We don't want the connection attempt to stick around
1934 * indefinitely since LE doesn't have a page timeout concept
1935 * like BR/EDR. Set a timer for any connection that doesn't use
1936 * the white list for connecting.
1937 */
1938 if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1939 queue_delayed_work(conn->hdev->workqueue,
1940 &conn->le_conn_timeout,
1941 conn->conn_timeout);
1942
1943 unlock:
1944 hci_dev_unlock(hdev);
1945 }
1946
1947 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1948 {
1949 struct hci_cp_le_start_enc *cp;
1950 struct hci_conn *conn;
1951
1952 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1953
1954 if (!status)
1955 return;
1956
1957 hci_dev_lock(hdev);
1958
1959 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1960 if (!cp)
1961 goto unlock;
1962
1963 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1964 if (!conn)
1965 goto unlock;
1966
1967 if (conn->state != BT_CONNECTED)
1968 goto unlock;
1969
1970 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1971 hci_conn_drop(conn);
1972
1973 unlock:
1974 hci_dev_unlock(hdev);
1975 }
1976
1977 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
1978 {
1979 struct hci_cp_switch_role *cp;
1980 struct hci_conn *conn;
1981
1982 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1983
1984 if (!status)
1985 return;
1986
1987 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
1988 if (!cp)
1989 return;
1990
1991 hci_dev_lock(hdev);
1992
1993 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1994 if (conn)
1995 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
1996
1997 hci_dev_unlock(hdev);
1998 }
1999
2000 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2001 {
2002 __u8 status = *((__u8 *) skb->data);
2003 struct discovery_state *discov = &hdev->discovery;
2004 struct inquiry_entry *e;
2005
2006 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2007
2008 hci_conn_check_pending(hdev);
2009
2010 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2011 return;
2012
2013 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2014 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2015
2016 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2017 return;
2018
2019 hci_dev_lock(hdev);
2020
2021 if (discov->state != DISCOVERY_FINDING)
2022 goto unlock;
2023
2024 if (list_empty(&discov->resolve)) {
2025 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2026 goto unlock;
2027 }
2028
2029 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2030 if (e && hci_resolve_name(hdev, e) == 0) {
2031 e->name_state = NAME_PENDING;
2032 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2033 } else {
2034 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2035 }
2036
2037 unlock:
2038 hci_dev_unlock(hdev);
2039 }
2040
2041 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2042 {
2043 struct inquiry_data data;
2044 struct inquiry_info *info = (void *) (skb->data + 1);
2045 int num_rsp = *((__u8 *) skb->data);
2046
2047 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2048
2049 if (!num_rsp)
2050 return;
2051
2052 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
2053 return;
2054
2055 hci_dev_lock(hdev);
2056
2057 for (; num_rsp; num_rsp--, info++) {
2058 u32 flags;
2059
2060 bacpy(&data.bdaddr, &info->bdaddr);
2061 data.pscan_rep_mode = info->pscan_rep_mode;
2062 data.pscan_period_mode = info->pscan_period_mode;
2063 data.pscan_mode = info->pscan_mode;
2064 memcpy(data.dev_class, info->dev_class, 3);
2065 data.clock_offset = info->clock_offset;
2066 data.rssi = HCI_RSSI_INVALID;
2067 data.ssp_mode = 0x00;
2068
2069 flags = hci_inquiry_cache_update(hdev, &data, false);
2070
2071 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2072 info->dev_class, HCI_RSSI_INVALID,
2073 flags, NULL, 0, NULL, 0);
2074 }
2075
2076 hci_dev_unlock(hdev);
2077 }
2078
2079 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2080 {
2081 struct hci_ev_conn_complete *ev = (void *) skb->data;
2082 struct hci_conn *conn;
2083
2084 BT_DBG("%s", hdev->name);
2085
2086 hci_dev_lock(hdev);
2087
2088 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2089 if (!conn) {
2090 if (ev->link_type != SCO_LINK)
2091 goto unlock;
2092
2093 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2094 if (!conn)
2095 goto unlock;
2096
2097 conn->type = SCO_LINK;
2098 }
2099
2100 if (!ev->status) {
2101 conn->handle = __le16_to_cpu(ev->handle);
2102
2103 if (conn->type == ACL_LINK) {
2104 conn->state = BT_CONFIG;
2105 hci_conn_hold(conn);
2106
2107 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2108 !hci_find_link_key(hdev, &ev->bdaddr))
2109 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2110 else
2111 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2112 } else
2113 conn->state = BT_CONNECTED;
2114
2115 hci_conn_add_sysfs(conn);
2116
2117 if (test_bit(HCI_AUTH, &hdev->flags))
2118 set_bit(HCI_CONN_AUTH, &conn->flags);
2119
2120 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2121 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2122
2123 /* Get remote features */
2124 if (conn->type == ACL_LINK) {
2125 struct hci_cp_read_remote_features cp;
2126 cp.handle = ev->handle;
2127 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2128 sizeof(cp), &cp);
2129
2130 hci_update_page_scan(hdev, NULL);
2131 }
2132
2133 /* Set packet type for incoming connection */
2134 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2135 struct hci_cp_change_conn_ptype cp;
2136 cp.handle = ev->handle;
2137 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2138 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2139 &cp);
2140 }
2141 } else {
2142 conn->state = BT_CLOSED;
2143 if (conn->type == ACL_LINK)
2144 mgmt_connect_failed(hdev, &conn->dst, conn->type,
2145 conn->dst_type, ev->status);
2146 }
2147
2148 if (conn->type == ACL_LINK)
2149 hci_sco_setup(conn, ev->status);
2150
2151 if (ev->status) {
2152 hci_proto_connect_cfm(conn, ev->status);
2153 hci_conn_del(conn);
2154 } else if (ev->link_type != ACL_LINK)
2155 hci_proto_connect_cfm(conn, ev->status);
2156
2157 unlock:
2158 hci_dev_unlock(hdev);
2159
2160 hci_conn_check_pending(hdev);
2161 }
2162
2163 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2164 {
2165 struct hci_cp_reject_conn_req cp;
2166
2167 bacpy(&cp.bdaddr, bdaddr);
2168 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2169 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2170 }
2171
2172 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2173 {
2174 struct hci_ev_conn_request *ev = (void *) skb->data;
2175 int mask = hdev->link_mode;
2176 struct inquiry_entry *ie;
2177 struct hci_conn *conn;
2178 __u8 flags = 0;
2179
2180 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2181 ev->link_type);
2182
2183 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2184 &flags);
2185
2186 if (!(mask & HCI_LM_ACCEPT)) {
2187 hci_reject_conn(hdev, &ev->bdaddr);
2188 return;
2189 }
2190
2191 if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2192 BDADDR_BREDR)) {
2193 hci_reject_conn(hdev, &ev->bdaddr);
2194 return;
2195 }
2196
2197 if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags) &&
2198 !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2199 BDADDR_BREDR)) {
2200 hci_reject_conn(hdev, &ev->bdaddr);
2201 return;
2202 }
2203
2204 /* Connection accepted */
2205
2206 hci_dev_lock(hdev);
2207
2208 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2209 if (ie)
2210 memcpy(ie->data.dev_class, ev->dev_class, 3);
2211
2212 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2213 &ev->bdaddr);
2214 if (!conn) {
2215 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2216 HCI_ROLE_SLAVE);
2217 if (!conn) {
2218 BT_ERR("No memory for new connection");
2219 hci_dev_unlock(hdev);
2220 return;
2221 }
2222 }
2223
2224 memcpy(conn->dev_class, ev->dev_class, 3);
2225
2226 hci_dev_unlock(hdev);
2227
2228 if (ev->link_type == ACL_LINK ||
2229 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2230 struct hci_cp_accept_conn_req cp;
2231 conn->state = BT_CONNECT;
2232
2233 bacpy(&cp.bdaddr, &ev->bdaddr);
2234
2235 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2236 cp.role = 0x00; /* Become master */
2237 else
2238 cp.role = 0x01; /* Remain slave */
2239
2240 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2241 } else if (!(flags & HCI_PROTO_DEFER)) {
2242 struct hci_cp_accept_sync_conn_req cp;
2243 conn->state = BT_CONNECT;
2244
2245 bacpy(&cp.bdaddr, &ev->bdaddr);
2246 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2247
2248 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2249 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2250 cp.max_latency = cpu_to_le16(0xffff);
2251 cp.content_format = cpu_to_le16(hdev->voice_setting);
2252 cp.retrans_effort = 0xff;
2253
2254 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2255 &cp);
2256 } else {
2257 conn->state = BT_CONNECT2;
2258 hci_proto_connect_cfm(conn, 0);
2259 }
2260 }
2261
2262 static u8 hci_to_mgmt_reason(u8 err)
2263 {
2264 switch (err) {
2265 case HCI_ERROR_CONNECTION_TIMEOUT:
2266 return MGMT_DEV_DISCONN_TIMEOUT;
2267 case HCI_ERROR_REMOTE_USER_TERM:
2268 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2269 case HCI_ERROR_REMOTE_POWER_OFF:
2270 return MGMT_DEV_DISCONN_REMOTE;
2271 case HCI_ERROR_LOCAL_HOST_TERM:
2272 return MGMT_DEV_DISCONN_LOCAL_HOST;
2273 default:
2274 return MGMT_DEV_DISCONN_UNKNOWN;
2275 }
2276 }
2277
2278 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2279 {
2280 struct hci_ev_disconn_complete *ev = (void *) skb->data;
2281 u8 reason = hci_to_mgmt_reason(ev->reason);
2282 struct hci_conn_params *params;
2283 struct hci_conn *conn;
2284 bool mgmt_connected;
2285 u8 type;
2286
2287 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2288
2289 hci_dev_lock(hdev);
2290
2291 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2292 if (!conn)
2293 goto unlock;
2294
2295 if (ev->status) {
2296 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2297 conn->dst_type, ev->status);
2298 goto unlock;
2299 }
2300
2301 conn->state = BT_CLOSED;
2302
2303 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2304 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2305 reason, mgmt_connected);
2306
2307 if (conn->type == ACL_LINK) {
2308 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2309 hci_remove_link_key(hdev, &conn->dst);
2310
2311 hci_update_page_scan(hdev, NULL);
2312 }
2313
2314 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2315 if (params) {
2316 switch (params->auto_connect) {
2317 case HCI_AUTO_CONN_LINK_LOSS:
2318 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2319 break;
2320 /* Fall through */
2321
2322 case HCI_AUTO_CONN_DIRECT:
2323 case HCI_AUTO_CONN_ALWAYS:
2324 list_del_init(&params->action);
2325 list_add(&params->action, &hdev->pend_le_conns);
2326 hci_update_background_scan(hdev);
2327 break;
2328
2329 default:
2330 break;
2331 }
2332 }
2333
2334 type = conn->type;
2335
2336 hci_proto_disconn_cfm(conn, ev->reason);
2337 hci_conn_del(conn);
2338
2339 /* Re-enable advertising if necessary, since it might
2340 * have been disabled by the connection. From the
2341 * HCI_LE_Set_Advertise_Enable command description in
2342 * the core specification (v4.0):
2343 * "The Controller shall continue advertising until the Host
2344 * issues an LE_Set_Advertise_Enable command with
2345 * Advertising_Enable set to 0x00 (Advertising is disabled)
2346 * or until a connection is created or until the Advertising
2347 * is timed out due to Directed Advertising."
2348 */
2349 if (type == LE_LINK)
2350 mgmt_reenable_advertising(hdev);
2351
2352 unlock:
2353 hci_dev_unlock(hdev);
2354 }
2355
2356 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2357 {
2358 struct hci_ev_auth_complete *ev = (void *) skb->data;
2359 struct hci_conn *conn;
2360
2361 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2362
2363 hci_dev_lock(hdev);
2364
2365 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2366 if (!conn)
2367 goto unlock;
2368
2369 if (!ev->status) {
2370 if (!hci_conn_ssp_enabled(conn) &&
2371 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2372 BT_INFO("re-auth of legacy device is not possible.");
2373 } else {
2374 set_bit(HCI_CONN_AUTH, &conn->flags);
2375 conn->sec_level = conn->pending_sec_level;
2376 }
2377 } else {
2378 mgmt_auth_failed(conn, ev->status);
2379 }
2380
2381 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2382 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2383
2384 if (conn->state == BT_CONFIG) {
2385 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2386 struct hci_cp_set_conn_encrypt cp;
2387 cp.handle = ev->handle;
2388 cp.encrypt = 0x01;
2389 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2390 &cp);
2391 } else {
2392 conn->state = BT_CONNECTED;
2393 hci_proto_connect_cfm(conn, ev->status);
2394 hci_conn_drop(conn);
2395 }
2396 } else {
2397 hci_auth_cfm(conn, ev->status);
2398
2399 hci_conn_hold(conn);
2400 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2401 hci_conn_drop(conn);
2402 }
2403
2404 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2405 if (!ev->status) {
2406 struct hci_cp_set_conn_encrypt cp;
2407 cp.handle = ev->handle;
2408 cp.encrypt = 0x01;
2409 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2410 &cp);
2411 } else {
2412 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2413 hci_encrypt_cfm(conn, ev->status, 0x00);
2414 }
2415 }
2416
2417 unlock:
2418 hci_dev_unlock(hdev);
2419 }
2420
2421 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2422 {
2423 struct hci_ev_remote_name *ev = (void *) skb->data;
2424 struct hci_conn *conn;
2425
2426 BT_DBG("%s", hdev->name);
2427
2428 hci_conn_check_pending(hdev);
2429
2430 hci_dev_lock(hdev);
2431
2432 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2433
2434 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2435 goto check_auth;
2436
2437 if (ev->status == 0)
2438 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2439 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2440 else
2441 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2442
2443 check_auth:
2444 if (!conn)
2445 goto unlock;
2446
2447 if (!hci_outgoing_auth_needed(hdev, conn))
2448 goto unlock;
2449
2450 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2451 struct hci_cp_auth_requested cp;
2452
2453 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2454
2455 cp.handle = __cpu_to_le16(conn->handle);
2456 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2457 }
2458
2459 unlock:
2460 hci_dev_unlock(hdev);
2461 }
2462
2463 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2464 {
2465 struct hci_ev_encrypt_change *ev = (void *) skb->data;
2466 struct hci_conn *conn;
2467
2468 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2469
2470 hci_dev_lock(hdev);
2471
2472 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2473 if (!conn)
2474 goto unlock;
2475
2476 if (!ev->status) {
2477 if (ev->encrypt) {
2478 /* Encryption implies authentication */
2479 set_bit(HCI_CONN_AUTH, &conn->flags);
2480 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2481 conn->sec_level = conn->pending_sec_level;
2482
2483 /* P-256 authentication key implies FIPS */
2484 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2485 set_bit(HCI_CONN_FIPS, &conn->flags);
2486
2487 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2488 conn->type == LE_LINK)
2489 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2490 } else {
2491 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2492 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2493 }
2494 }
2495
2496 /* We should disregard the current RPA and generate a new one
2497 * whenever the encryption procedure fails.
2498 */
2499 if (ev->status && conn->type == LE_LINK)
2500 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
2501
2502 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2503
2504 if (ev->status && conn->state == BT_CONNECTED) {
2505 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2506 hci_conn_drop(conn);
2507 goto unlock;
2508 }
2509
2510 if (conn->state == BT_CONFIG) {
2511 if (!ev->status)
2512 conn->state = BT_CONNECTED;
2513
2514 /* In Secure Connections Only mode, do not allow any
2515 * connections that are not encrypted with AES-CCM
2516 * using a P-256 authenticated combination key.
2517 */
2518 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) &&
2519 (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2520 conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2521 hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2522 hci_conn_drop(conn);
2523 goto unlock;
2524 }
2525
2526 hci_proto_connect_cfm(conn, ev->status);
2527 hci_conn_drop(conn);
2528 } else
2529 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2530
2531 unlock:
2532 hci_dev_unlock(hdev);
2533 }
2534
2535 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2536 struct sk_buff *skb)
2537 {
2538 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2539 struct hci_conn *conn;
2540
2541 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2542
2543 hci_dev_lock(hdev);
2544
2545 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2546 if (conn) {
2547 if (!ev->status)
2548 set_bit(HCI_CONN_SECURE, &conn->flags);
2549
2550 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2551
2552 hci_key_change_cfm(conn, ev->status);
2553 }
2554
2555 hci_dev_unlock(hdev);
2556 }
2557
2558 static void hci_remote_features_evt(struct hci_dev *hdev,
2559 struct sk_buff *skb)
2560 {
2561 struct hci_ev_remote_features *ev = (void *) skb->data;
2562 struct hci_conn *conn;
2563
2564 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2565
2566 hci_dev_lock(hdev);
2567
2568 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2569 if (!conn)
2570 goto unlock;
2571
2572 if (!ev->status)
2573 memcpy(conn->features[0], ev->features, 8);
2574
2575 if (conn->state != BT_CONFIG)
2576 goto unlock;
2577
2578 if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2579 struct hci_cp_read_remote_ext_features cp;
2580 cp.handle = ev->handle;
2581 cp.page = 0x01;
2582 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2583 sizeof(cp), &cp);
2584 goto unlock;
2585 }
2586
2587 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2588 struct hci_cp_remote_name_req cp;
2589 memset(&cp, 0, sizeof(cp));
2590 bacpy(&cp.bdaddr, &conn->dst);
2591 cp.pscan_rep_mode = 0x02;
2592 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2593 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2594 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2595
2596 if (!hci_outgoing_auth_needed(hdev, conn)) {
2597 conn->state = BT_CONNECTED;
2598 hci_proto_connect_cfm(conn, ev->status);
2599 hci_conn_drop(conn);
2600 }
2601
2602 unlock:
2603 hci_dev_unlock(hdev);
2604 }
2605
2606 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2607 {
2608 struct hci_ev_cmd_complete *ev = (void *) skb->data;
2609 u8 status = skb->data[sizeof(*ev)];
2610 __u16 opcode;
2611
2612 skb_pull(skb, sizeof(*ev));
2613
2614 opcode = __le16_to_cpu(ev->opcode);
2615
2616 switch (opcode) {
2617 case HCI_OP_INQUIRY_CANCEL:
2618 hci_cc_inquiry_cancel(hdev, skb);
2619 break;
2620
2621 case HCI_OP_PERIODIC_INQ:
2622 hci_cc_periodic_inq(hdev, skb);
2623 break;
2624
2625 case HCI_OP_EXIT_PERIODIC_INQ:
2626 hci_cc_exit_periodic_inq(hdev, skb);
2627 break;
2628
2629 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2630 hci_cc_remote_name_req_cancel(hdev, skb);
2631 break;
2632
2633 case HCI_OP_ROLE_DISCOVERY:
2634 hci_cc_role_discovery(hdev, skb);
2635 break;
2636
2637 case HCI_OP_READ_LINK_POLICY:
2638 hci_cc_read_link_policy(hdev, skb);
2639 break;
2640
2641 case HCI_OP_WRITE_LINK_POLICY:
2642 hci_cc_write_link_policy(hdev, skb);
2643 break;
2644
2645 case HCI_OP_READ_DEF_LINK_POLICY:
2646 hci_cc_read_def_link_policy(hdev, skb);
2647 break;
2648
2649 case HCI_OP_WRITE_DEF_LINK_POLICY:
2650 hci_cc_write_def_link_policy(hdev, skb);
2651 break;
2652
2653 case HCI_OP_RESET:
2654 hci_cc_reset(hdev, skb);
2655 break;
2656
2657 case HCI_OP_WRITE_LOCAL_NAME:
2658 hci_cc_write_local_name(hdev, skb);
2659 break;
2660
2661 case HCI_OP_READ_LOCAL_NAME:
2662 hci_cc_read_local_name(hdev, skb);
2663 break;
2664
2665 case HCI_OP_WRITE_AUTH_ENABLE:
2666 hci_cc_write_auth_enable(hdev, skb);
2667 break;
2668
2669 case HCI_OP_WRITE_ENCRYPT_MODE:
2670 hci_cc_write_encrypt_mode(hdev, skb);
2671 break;
2672
2673 case HCI_OP_WRITE_SCAN_ENABLE:
2674 hci_cc_write_scan_enable(hdev, skb);
2675 break;
2676
2677 case HCI_OP_READ_CLASS_OF_DEV:
2678 hci_cc_read_class_of_dev(hdev, skb);
2679 break;
2680
2681 case HCI_OP_WRITE_CLASS_OF_DEV:
2682 hci_cc_write_class_of_dev(hdev, skb);
2683 break;
2684
2685 case HCI_OP_READ_VOICE_SETTING:
2686 hci_cc_read_voice_setting(hdev, skb);
2687 break;
2688
2689 case HCI_OP_WRITE_VOICE_SETTING:
2690 hci_cc_write_voice_setting(hdev, skb);
2691 break;
2692
2693 case HCI_OP_READ_NUM_SUPPORTED_IAC:
2694 hci_cc_read_num_supported_iac(hdev, skb);
2695 break;
2696
2697 case HCI_OP_WRITE_SSP_MODE:
2698 hci_cc_write_ssp_mode(hdev, skb);
2699 break;
2700
2701 case HCI_OP_WRITE_SC_SUPPORT:
2702 hci_cc_write_sc_support(hdev, skb);
2703 break;
2704
2705 case HCI_OP_READ_LOCAL_VERSION:
2706 hci_cc_read_local_version(hdev, skb);
2707 break;
2708
2709 case HCI_OP_READ_LOCAL_COMMANDS:
2710 hci_cc_read_local_commands(hdev, skb);
2711 break;
2712
2713 case HCI_OP_READ_LOCAL_FEATURES:
2714 hci_cc_read_local_features(hdev, skb);
2715 break;
2716
2717 case HCI_OP_READ_LOCAL_EXT_FEATURES:
2718 hci_cc_read_local_ext_features(hdev, skb);
2719 break;
2720
2721 case HCI_OP_READ_BUFFER_SIZE:
2722 hci_cc_read_buffer_size(hdev, skb);
2723 break;
2724
2725 case HCI_OP_READ_BD_ADDR:
2726 hci_cc_read_bd_addr(hdev, skb);
2727 break;
2728
2729 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2730 hci_cc_read_page_scan_activity(hdev, skb);
2731 break;
2732
2733 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2734 hci_cc_write_page_scan_activity(hdev, skb);
2735 break;
2736
2737 case HCI_OP_READ_PAGE_SCAN_TYPE:
2738 hci_cc_read_page_scan_type(hdev, skb);
2739 break;
2740
2741 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2742 hci_cc_write_page_scan_type(hdev, skb);
2743 break;
2744
2745 case HCI_OP_READ_DATA_BLOCK_SIZE:
2746 hci_cc_read_data_block_size(hdev, skb);
2747 break;
2748
2749 case HCI_OP_READ_FLOW_CONTROL_MODE:
2750 hci_cc_read_flow_control_mode(hdev, skb);
2751 break;
2752
2753 case HCI_OP_READ_LOCAL_AMP_INFO:
2754 hci_cc_read_local_amp_info(hdev, skb);
2755 break;
2756
2757 case HCI_OP_READ_CLOCK:
2758 hci_cc_read_clock(hdev, skb);
2759 break;
2760
2761 case HCI_OP_READ_LOCAL_AMP_ASSOC:
2762 hci_cc_read_local_amp_assoc(hdev, skb);
2763 break;
2764
2765 case HCI_OP_READ_INQ_RSP_TX_POWER:
2766 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2767 break;
2768
2769 case HCI_OP_PIN_CODE_REPLY:
2770 hci_cc_pin_code_reply(hdev, skb);
2771 break;
2772
2773 case HCI_OP_PIN_CODE_NEG_REPLY:
2774 hci_cc_pin_code_neg_reply(hdev, skb);
2775 break;
2776
2777 case HCI_OP_READ_LOCAL_OOB_DATA:
2778 hci_cc_read_local_oob_data(hdev, skb);
2779 break;
2780
2781 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2782 hci_cc_read_local_oob_ext_data(hdev, skb);
2783 break;
2784
2785 case HCI_OP_LE_READ_BUFFER_SIZE:
2786 hci_cc_le_read_buffer_size(hdev, skb);
2787 break;
2788
2789 case HCI_OP_LE_READ_LOCAL_FEATURES:
2790 hci_cc_le_read_local_features(hdev, skb);
2791 break;
2792
2793 case HCI_OP_LE_READ_ADV_TX_POWER:
2794 hci_cc_le_read_adv_tx_power(hdev, skb);
2795 break;
2796
2797 case HCI_OP_USER_CONFIRM_REPLY:
2798 hci_cc_user_confirm_reply(hdev, skb);
2799 break;
2800
2801 case HCI_OP_USER_CONFIRM_NEG_REPLY:
2802 hci_cc_user_confirm_neg_reply(hdev, skb);
2803 break;
2804
2805 case HCI_OP_USER_PASSKEY_REPLY:
2806 hci_cc_user_passkey_reply(hdev, skb);
2807 break;
2808
2809 case HCI_OP_USER_PASSKEY_NEG_REPLY:
2810 hci_cc_user_passkey_neg_reply(hdev, skb);
2811 break;
2812
2813 case HCI_OP_LE_SET_RANDOM_ADDR:
2814 hci_cc_le_set_random_addr(hdev, skb);
2815 break;
2816
2817 case HCI_OP_LE_SET_ADV_ENABLE:
2818 hci_cc_le_set_adv_enable(hdev, skb);
2819 break;
2820
2821 case HCI_OP_LE_SET_SCAN_PARAM:
2822 hci_cc_le_set_scan_param(hdev, skb);
2823 break;
2824
2825 case HCI_OP_LE_SET_SCAN_ENABLE:
2826 hci_cc_le_set_scan_enable(hdev, skb);
2827 break;
2828
2829 case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2830 hci_cc_le_read_white_list_size(hdev, skb);
2831 break;
2832
2833 case HCI_OP_LE_CLEAR_WHITE_LIST:
2834 hci_cc_le_clear_white_list(hdev, skb);
2835 break;
2836
2837 case HCI_OP_LE_ADD_TO_WHITE_LIST:
2838 hci_cc_le_add_to_white_list(hdev, skb);
2839 break;
2840
2841 case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2842 hci_cc_le_del_from_white_list(hdev, skb);
2843 break;
2844
2845 case HCI_OP_LE_READ_SUPPORTED_STATES:
2846 hci_cc_le_read_supported_states(hdev, skb);
2847 break;
2848
2849 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2850 hci_cc_write_le_host_supported(hdev, skb);
2851 break;
2852
2853 case HCI_OP_LE_SET_ADV_PARAM:
2854 hci_cc_set_adv_param(hdev, skb);
2855 break;
2856
2857 case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2858 hci_cc_write_remote_amp_assoc(hdev, skb);
2859 break;
2860
2861 case HCI_OP_READ_RSSI:
2862 hci_cc_read_rssi(hdev, skb);
2863 break;
2864
2865 case HCI_OP_READ_TX_POWER:
2866 hci_cc_read_tx_power(hdev, skb);
2867 break;
2868
2869 default:
2870 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2871 break;
2872 }
2873
2874 if (opcode != HCI_OP_NOP)
2875 cancel_delayed_work(&hdev->cmd_timer);
2876
2877 hci_req_cmd_complete(hdev, opcode, status);
2878
2879 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2880 atomic_set(&hdev->cmd_cnt, 1);
2881 if (!skb_queue_empty(&hdev->cmd_q))
2882 queue_work(hdev->workqueue, &hdev->cmd_work);
2883 }
2884 }
2885
2886 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2887 {
2888 struct hci_ev_cmd_status *ev = (void *) skb->data;
2889 __u16 opcode;
2890
2891 skb_pull(skb, sizeof(*ev));
2892
2893 opcode = __le16_to_cpu(ev->opcode);
2894
2895 switch (opcode) {
2896 case HCI_OP_INQUIRY:
2897 hci_cs_inquiry(hdev, ev->status);
2898 break;
2899
2900 case HCI_OP_CREATE_CONN:
2901 hci_cs_create_conn(hdev, ev->status);
2902 break;
2903
2904 case HCI_OP_DISCONNECT:
2905 hci_cs_disconnect(hdev, ev->status);
2906 break;
2907
2908 case HCI_OP_ADD_SCO:
2909 hci_cs_add_sco(hdev, ev->status);
2910 break;
2911
2912 case HCI_OP_AUTH_REQUESTED:
2913 hci_cs_auth_requested(hdev, ev->status);
2914 break;
2915
2916 case HCI_OP_SET_CONN_ENCRYPT:
2917 hci_cs_set_conn_encrypt(hdev, ev->status);
2918 break;
2919
2920 case HCI_OP_REMOTE_NAME_REQ:
2921 hci_cs_remote_name_req(hdev, ev->status);
2922 break;
2923
2924 case HCI_OP_READ_REMOTE_FEATURES:
2925 hci_cs_read_remote_features(hdev, ev->status);
2926 break;
2927
2928 case HCI_OP_READ_REMOTE_EXT_FEATURES:
2929 hci_cs_read_remote_ext_features(hdev, ev->status);
2930 break;
2931
2932 case HCI_OP_SETUP_SYNC_CONN:
2933 hci_cs_setup_sync_conn(hdev, ev->status);
2934 break;
2935
2936 case HCI_OP_CREATE_PHY_LINK:
2937 hci_cs_create_phylink(hdev, ev->status);
2938 break;
2939
2940 case HCI_OP_ACCEPT_PHY_LINK:
2941 hci_cs_accept_phylink(hdev, ev->status);
2942 break;
2943
2944 case HCI_OP_SNIFF_MODE:
2945 hci_cs_sniff_mode(hdev, ev->status);
2946 break;
2947
2948 case HCI_OP_EXIT_SNIFF_MODE:
2949 hci_cs_exit_sniff_mode(hdev, ev->status);
2950 break;
2951
2952 case HCI_OP_SWITCH_ROLE:
2953 hci_cs_switch_role(hdev, ev->status);
2954 break;
2955
2956 case HCI_OP_LE_CREATE_CONN:
2957 hci_cs_le_create_conn(hdev, ev->status);
2958 break;
2959
2960 case HCI_OP_LE_START_ENC:
2961 hci_cs_le_start_enc(hdev, ev->status);
2962 break;
2963
2964 default:
2965 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2966 break;
2967 }
2968
2969 if (opcode != HCI_OP_NOP)
2970 cancel_delayed_work(&hdev->cmd_timer);
2971
2972 if (ev->status ||
2973 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2974 hci_req_cmd_complete(hdev, opcode, ev->status);
2975
2976 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2977 atomic_set(&hdev->cmd_cnt, 1);
2978 if (!skb_queue_empty(&hdev->cmd_q))
2979 queue_work(hdev->workqueue, &hdev->cmd_work);
2980 }
2981 }
2982
2983 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
2984 {
2985 struct hci_ev_hardware_error *ev = (void *) skb->data;
2986
2987 BT_ERR("%s hardware error 0x%2.2x", hdev->name, ev->code);
2988 }
2989
2990 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2991 {
2992 struct hci_ev_role_change *ev = (void *) skb->data;
2993 struct hci_conn *conn;
2994
2995 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2996
2997 hci_dev_lock(hdev);
2998
2999 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3000 if (conn) {
3001 if (!ev->status)
3002 conn->role = ev->role;
3003
3004 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3005
3006 hci_role_switch_cfm(conn, ev->status, ev->role);
3007 }
3008
3009 hci_dev_unlock(hdev);
3010 }
3011
3012 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3013 {
3014 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3015 int i;
3016
3017 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3018 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3019 return;
3020 }
3021
3022 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3023 ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3024 BT_DBG("%s bad parameters", hdev->name);
3025 return;
3026 }
3027
3028 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3029
3030 for (i = 0; i < ev->num_hndl; i++) {
3031 struct hci_comp_pkts_info *info = &ev->handles[i];
3032 struct hci_conn *conn;
3033 __u16 handle, count;
3034
3035 handle = __le16_to_cpu(info->handle);
3036 count = __le16_to_cpu(info->count);
3037
3038 conn = hci_conn_hash_lookup_handle(hdev, handle);
3039 if (!conn)
3040 continue;
3041
3042 conn->sent -= count;
3043
3044 switch (conn->type) {
3045 case ACL_LINK:
3046 hdev->acl_cnt += count;
3047 if (hdev->acl_cnt > hdev->acl_pkts)
3048 hdev->acl_cnt = hdev->acl_pkts;
3049 break;
3050
3051 case LE_LINK:
3052 if (hdev->le_pkts) {
3053 hdev->le_cnt += count;
3054 if (hdev->le_cnt > hdev->le_pkts)
3055 hdev->le_cnt = hdev->le_pkts;
3056 } else {
3057 hdev->acl_cnt += count;
3058 if (hdev->acl_cnt > hdev->acl_pkts)
3059 hdev->acl_cnt = hdev->acl_pkts;
3060 }
3061 break;
3062
3063 case SCO_LINK:
3064 hdev->sco_cnt += count;
3065 if (hdev->sco_cnt > hdev->sco_pkts)
3066 hdev->sco_cnt = hdev->sco_pkts;
3067 break;
3068
3069 default:
3070 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3071 break;
3072 }
3073 }
3074
3075 queue_work(hdev->workqueue, &hdev->tx_work);
3076 }
3077
3078 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3079 __u16 handle)
3080 {
3081 struct hci_chan *chan;
3082
3083 switch (hdev->dev_type) {
3084 case HCI_BREDR:
3085 return hci_conn_hash_lookup_handle(hdev, handle);
3086 case HCI_AMP:
3087 chan = hci_chan_lookup_handle(hdev, handle);
3088 if (chan)
3089 return chan->conn;
3090 break;
3091 default:
3092 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3093 break;
3094 }
3095
3096 return NULL;
3097 }
3098
3099 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3100 {
3101 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3102 int i;
3103
3104 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3105 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3106 return;
3107 }
3108
3109 if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3110 ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3111 BT_DBG("%s bad parameters", hdev->name);
3112 return;
3113 }
3114
3115 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3116 ev->num_hndl);
3117
3118 for (i = 0; i < ev->num_hndl; i++) {
3119 struct hci_comp_blocks_info *info = &ev->handles[i];
3120 struct hci_conn *conn = NULL;
3121 __u16 handle, block_count;
3122
3123 handle = __le16_to_cpu(info->handle);
3124 block_count = __le16_to_cpu(info->blocks);
3125
3126 conn = __hci_conn_lookup_handle(hdev, handle);
3127 if (!conn)
3128 continue;
3129
3130 conn->sent -= block_count;
3131
3132 switch (conn->type) {
3133 case ACL_LINK:
3134 case AMP_LINK:
3135 hdev->block_cnt += block_count;
3136 if (hdev->block_cnt > hdev->num_blocks)
3137 hdev->block_cnt = hdev->num_blocks;
3138 break;
3139
3140 default:
3141 BT_ERR("Unknown type %d conn %p", conn->type, conn);
3142 break;
3143 }
3144 }
3145
3146 queue_work(hdev->workqueue, &hdev->tx_work);
3147 }
3148
3149 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3150 {
3151 struct hci_ev_mode_change *ev = (void *) skb->data;
3152 struct hci_conn *conn;
3153
3154 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3155
3156 hci_dev_lock(hdev);
3157
3158 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3159 if (conn) {
3160 conn->mode = ev->mode;
3161
3162 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3163 &conn->flags)) {
3164 if (conn->mode == HCI_CM_ACTIVE)
3165 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3166 else
3167 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3168 }
3169
3170 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3171 hci_sco_setup(conn, ev->status);
3172 }
3173
3174 hci_dev_unlock(hdev);
3175 }
3176
3177 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3178 {
3179 struct hci_ev_pin_code_req *ev = (void *) skb->data;
3180 struct hci_conn *conn;
3181
3182 BT_DBG("%s", hdev->name);
3183
3184 hci_dev_lock(hdev);
3185
3186 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3187 if (!conn)
3188 goto unlock;
3189
3190 if (conn->state == BT_CONNECTED) {
3191 hci_conn_hold(conn);
3192 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3193 hci_conn_drop(conn);
3194 }
3195
3196 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
3197 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3198 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3199 sizeof(ev->bdaddr), &ev->bdaddr);
3200 } else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
3201 u8 secure;
3202
3203 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3204 secure = 1;
3205 else
3206 secure = 0;
3207
3208 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3209 }
3210
3211 unlock:
3212 hci_dev_unlock(hdev);
3213 }
3214
3215 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3216 {
3217 if (key_type == HCI_LK_CHANGED_COMBINATION)
3218 return;
3219
3220 conn->pin_length = pin_len;
3221 conn->key_type = key_type;
3222
3223 switch (key_type) {
3224 case HCI_LK_LOCAL_UNIT:
3225 case HCI_LK_REMOTE_UNIT:
3226 case HCI_LK_DEBUG_COMBINATION:
3227 return;
3228 case HCI_LK_COMBINATION:
3229 if (pin_len == 16)
3230 conn->pending_sec_level = BT_SECURITY_HIGH;
3231 else
3232 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3233 break;
3234 case HCI_LK_UNAUTH_COMBINATION_P192:
3235 case HCI_LK_UNAUTH_COMBINATION_P256:
3236 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3237 break;
3238 case HCI_LK_AUTH_COMBINATION_P192:
3239 conn->pending_sec_level = BT_SECURITY_HIGH;
3240 break;
3241 case HCI_LK_AUTH_COMBINATION_P256:
3242 conn->pending_sec_level = BT_SECURITY_FIPS;
3243 break;
3244 }
3245 }
3246
3247 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3248 {
3249 struct hci_ev_link_key_req *ev = (void *) skb->data;
3250 struct hci_cp_link_key_reply cp;
3251 struct hci_conn *conn;
3252 struct link_key *key;
3253
3254 BT_DBG("%s", hdev->name);
3255
3256 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3257 return;
3258
3259 hci_dev_lock(hdev);
3260
3261 key = hci_find_link_key(hdev, &ev->bdaddr);
3262 if (!key) {
3263 BT_DBG("%s link key not found for %pMR", hdev->name,
3264 &ev->bdaddr);
3265 goto not_found;
3266 }
3267
3268 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3269 &ev->bdaddr);
3270
3271 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3272 if (conn) {
3273 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3274
3275 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3276 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3277 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3278 BT_DBG("%s ignoring unauthenticated key", hdev->name);
3279 goto not_found;
3280 }
3281
3282 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3283 (conn->pending_sec_level == BT_SECURITY_HIGH ||
3284 conn->pending_sec_level == BT_SECURITY_FIPS)) {
3285 BT_DBG("%s ignoring key unauthenticated for high security",
3286 hdev->name);
3287 goto not_found;
3288 }
3289
3290 conn_set_key(conn, key->type, key->pin_len);
3291 }
3292
3293 bacpy(&cp.bdaddr, &ev->bdaddr);
3294 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3295
3296 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3297
3298 hci_dev_unlock(hdev);
3299
3300 return;
3301
3302 not_found:
3303 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3304 hci_dev_unlock(hdev);
3305 }
3306
3307 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3308 {
3309 struct hci_ev_link_key_notify *ev = (void *) skb->data;
3310 struct hci_conn *conn;
3311 struct link_key *key;
3312 bool persistent;
3313 u8 pin_len = 0;
3314
3315 BT_DBG("%s", hdev->name);
3316
3317 hci_dev_lock(hdev);
3318
3319 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3320 if (!conn)
3321 goto unlock;
3322
3323 hci_conn_hold(conn);
3324 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3325 hci_conn_drop(conn);
3326
3327 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3328 conn_set_key(conn, ev->key_type, conn->pin_length);
3329
3330 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3331 goto unlock;
3332
3333 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3334 ev->key_type, pin_len, &persistent);
3335 if (!key)
3336 goto unlock;
3337
3338 /* Update connection information since adding the key will have
3339 * fixed up the type in the case of changed combination keys.
3340 */
3341 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3342 conn_set_key(conn, key->type, key->pin_len);
3343
3344 mgmt_new_link_key(hdev, key, persistent);
3345
3346 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3347 * is set. If it's not set simply remove the key from the kernel
3348 * list (we've still notified user space about it but with
3349 * store_hint being 0).
3350 */
3351 if (key->type == HCI_LK_DEBUG_COMBINATION &&
3352 !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) {
3353 list_del_rcu(&key->list);
3354 kfree_rcu(key, rcu);
3355 goto unlock;
3356 }
3357
3358 if (persistent)
3359 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3360 else
3361 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3362
3363 unlock:
3364 hci_dev_unlock(hdev);
3365 }
3366
3367 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3368 {
3369 struct hci_ev_clock_offset *ev = (void *) skb->data;
3370 struct hci_conn *conn;
3371
3372 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3373
3374 hci_dev_lock(hdev);
3375
3376 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3377 if (conn && !ev->status) {
3378 struct inquiry_entry *ie;
3379
3380 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3381 if (ie) {
3382 ie->data.clock_offset = ev->clock_offset;
3383 ie->timestamp = jiffies;
3384 }
3385 }
3386
3387 hci_dev_unlock(hdev);
3388 }
3389
3390 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3391 {
3392 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3393 struct hci_conn *conn;
3394
3395 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3396
3397 hci_dev_lock(hdev);
3398
3399 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3400 if (conn && !ev->status)
3401 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3402
3403 hci_dev_unlock(hdev);
3404 }
3405
3406 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3407 {
3408 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3409 struct inquiry_entry *ie;
3410
3411 BT_DBG("%s", hdev->name);
3412
3413 hci_dev_lock(hdev);
3414
3415 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3416 if (ie) {
3417 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3418 ie->timestamp = jiffies;
3419 }
3420
3421 hci_dev_unlock(hdev);
3422 }
3423
3424 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3425 struct sk_buff *skb)
3426 {
3427 struct inquiry_data data;
3428 int num_rsp = *((__u8 *) skb->data);
3429
3430 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3431
3432 if (!num_rsp)
3433 return;
3434
3435 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3436 return;
3437
3438 hci_dev_lock(hdev);
3439
3440 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3441 struct inquiry_info_with_rssi_and_pscan_mode *info;
3442 info = (void *) (skb->data + 1);
3443
3444 for (; num_rsp; num_rsp--, info++) {
3445 u32 flags;
3446
3447 bacpy(&data.bdaddr, &info->bdaddr);
3448 data.pscan_rep_mode = info->pscan_rep_mode;
3449 data.pscan_period_mode = info->pscan_period_mode;
3450 data.pscan_mode = info->pscan_mode;
3451 memcpy(data.dev_class, info->dev_class, 3);
3452 data.clock_offset = info->clock_offset;
3453 data.rssi = info->rssi;
3454 data.ssp_mode = 0x00;
3455
3456 flags = hci_inquiry_cache_update(hdev, &data, false);
3457
3458 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3459 info->dev_class, info->rssi,
3460 flags, NULL, 0, NULL, 0);
3461 }
3462 } else {
3463 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3464
3465 for (; num_rsp; num_rsp--, info++) {
3466 u32 flags;
3467
3468 bacpy(&data.bdaddr, &info->bdaddr);
3469 data.pscan_rep_mode = info->pscan_rep_mode;
3470 data.pscan_period_mode = info->pscan_period_mode;
3471 data.pscan_mode = 0x00;
3472 memcpy(data.dev_class, info->dev_class, 3);
3473 data.clock_offset = info->clock_offset;
3474 data.rssi = info->rssi;
3475 data.ssp_mode = 0x00;
3476
3477 flags = hci_inquiry_cache_update(hdev, &data, false);
3478
3479 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3480 info->dev_class, info->rssi,
3481 flags, NULL, 0, NULL, 0);
3482 }
3483 }
3484
3485 hci_dev_unlock(hdev);
3486 }
3487
3488 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3489 struct sk_buff *skb)
3490 {
3491 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3492 struct hci_conn *conn;
3493
3494 BT_DBG("%s", hdev->name);
3495
3496 hci_dev_lock(hdev);
3497
3498 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3499 if (!conn)
3500 goto unlock;
3501
3502 if (ev->page < HCI_MAX_PAGES)
3503 memcpy(conn->features[ev->page], ev->features, 8);
3504
3505 if (!ev->status && ev->page == 0x01) {
3506 struct inquiry_entry *ie;
3507
3508 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3509 if (ie)
3510 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3511
3512 if (ev->features[0] & LMP_HOST_SSP) {
3513 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3514 } else {
3515 /* It is mandatory by the Bluetooth specification that
3516 * Extended Inquiry Results are only used when Secure
3517 * Simple Pairing is enabled, but some devices violate
3518 * this.
3519 *
3520 * To make these devices work, the internal SSP
3521 * enabled flag needs to be cleared if the remote host
3522 * features do not indicate SSP support */
3523 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3524 }
3525
3526 if (ev->features[0] & LMP_HOST_SC)
3527 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3528 }
3529
3530 if (conn->state != BT_CONFIG)
3531 goto unlock;
3532
3533 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3534 struct hci_cp_remote_name_req cp;
3535 memset(&cp, 0, sizeof(cp));
3536 bacpy(&cp.bdaddr, &conn->dst);
3537 cp.pscan_rep_mode = 0x02;
3538 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3539 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3540 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3541
3542 if (!hci_outgoing_auth_needed(hdev, conn)) {
3543 conn->state = BT_CONNECTED;
3544 hci_proto_connect_cfm(conn, ev->status);
3545 hci_conn_drop(conn);
3546 }
3547
3548 unlock:
3549 hci_dev_unlock(hdev);
3550 }
3551
3552 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3553 struct sk_buff *skb)
3554 {
3555 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3556 struct hci_conn *conn;
3557
3558 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3559
3560 hci_dev_lock(hdev);
3561
3562 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3563 if (!conn) {
3564 if (ev->link_type == ESCO_LINK)
3565 goto unlock;
3566
3567 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3568 if (!conn)
3569 goto unlock;
3570
3571 conn->type = SCO_LINK;
3572 }
3573
3574 switch (ev->status) {
3575 case 0x00:
3576 conn->handle = __le16_to_cpu(ev->handle);
3577 conn->state = BT_CONNECTED;
3578
3579 hci_conn_add_sysfs(conn);
3580 break;
3581
3582 case 0x10: /* Connection Accept Timeout */
3583 case 0x0d: /* Connection Rejected due to Limited Resources */
3584 case 0x11: /* Unsupported Feature or Parameter Value */
3585 case 0x1c: /* SCO interval rejected */
3586 case 0x1a: /* Unsupported Remote Feature */
3587 case 0x1f: /* Unspecified error */
3588 case 0x20: /* Unsupported LMP Parameter value */
3589 if (conn->out) {
3590 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3591 (hdev->esco_type & EDR_ESCO_MASK);
3592 if (hci_setup_sync(conn, conn->link->handle))
3593 goto unlock;
3594 }
3595 /* fall through */
3596
3597 default:
3598 conn->state = BT_CLOSED;
3599 break;
3600 }
3601
3602 hci_proto_connect_cfm(conn, ev->status);
3603 if (ev->status)
3604 hci_conn_del(conn);
3605
3606 unlock:
3607 hci_dev_unlock(hdev);
3608 }
3609
3610 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3611 {
3612 size_t parsed = 0;
3613
3614 while (parsed < eir_len) {
3615 u8 field_len = eir[0];
3616
3617 if (field_len == 0)
3618 return parsed;
3619
3620 parsed += field_len + 1;
3621 eir += field_len + 1;
3622 }
3623
3624 return eir_len;
3625 }
3626
3627 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3628 struct sk_buff *skb)
3629 {
3630 struct inquiry_data data;
3631 struct extended_inquiry_info *info = (void *) (skb->data + 1);
3632 int num_rsp = *((__u8 *) skb->data);
3633 size_t eir_len;
3634
3635 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3636
3637 if (!num_rsp)
3638 return;
3639
3640 if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3641 return;
3642
3643 hci_dev_lock(hdev);
3644
3645 for (; num_rsp; num_rsp--, info++) {
3646 u32 flags;
3647 bool name_known;
3648
3649 bacpy(&data.bdaddr, &info->bdaddr);
3650 data.pscan_rep_mode = info->pscan_rep_mode;
3651 data.pscan_period_mode = info->pscan_period_mode;
3652 data.pscan_mode = 0x00;
3653 memcpy(data.dev_class, info->dev_class, 3);
3654 data.clock_offset = info->clock_offset;
3655 data.rssi = info->rssi;
3656 data.ssp_mode = 0x01;
3657
3658 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3659 name_known = eir_has_data_type(info->data,
3660 sizeof(info->data),
3661 EIR_NAME_COMPLETE);
3662 else
3663 name_known = true;
3664
3665 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3666
3667 eir_len = eir_get_length(info->data, sizeof(info->data));
3668
3669 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3670 info->dev_class, info->rssi,
3671 flags, info->data, eir_len, NULL, 0);
3672 }
3673
3674 hci_dev_unlock(hdev);
3675 }
3676
3677 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3678 struct sk_buff *skb)
3679 {
3680 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3681 struct hci_conn *conn;
3682
3683 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3684 __le16_to_cpu(ev->handle));
3685
3686 hci_dev_lock(hdev);
3687
3688 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3689 if (!conn)
3690 goto unlock;
3691
3692 /* For BR/EDR the necessary steps are taken through the
3693 * auth_complete event.
3694 */
3695 if (conn->type != LE_LINK)
3696 goto unlock;
3697
3698 if (!ev->status)
3699 conn->sec_level = conn->pending_sec_level;
3700
3701 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3702
3703 if (ev->status && conn->state == BT_CONNECTED) {
3704 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3705 hci_conn_drop(conn);
3706 goto unlock;
3707 }
3708
3709 if (conn->state == BT_CONFIG) {
3710 if (!ev->status)
3711 conn->state = BT_CONNECTED;
3712
3713 hci_proto_connect_cfm(conn, ev->status);
3714 hci_conn_drop(conn);
3715 } else {
3716 hci_auth_cfm(conn, ev->status);
3717
3718 hci_conn_hold(conn);
3719 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3720 hci_conn_drop(conn);
3721 }
3722
3723 unlock:
3724 hci_dev_unlock(hdev);
3725 }
3726
3727 static u8 hci_get_auth_req(struct hci_conn *conn)
3728 {
3729 /* If remote requests no-bonding follow that lead */
3730 if (conn->remote_auth == HCI_AT_NO_BONDING ||
3731 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3732 return conn->remote_auth | (conn->auth_type & 0x01);
3733
3734 /* If both remote and local have enough IO capabilities, require
3735 * MITM protection
3736 */
3737 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3738 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3739 return conn->remote_auth | 0x01;
3740
3741 /* No MITM protection possible so ignore remote requirement */
3742 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3743 }
3744
3745 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3746 {
3747 struct hci_ev_io_capa_request *ev = (void *) skb->data;
3748 struct hci_conn *conn;
3749
3750 BT_DBG("%s", hdev->name);
3751
3752 hci_dev_lock(hdev);
3753
3754 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3755 if (!conn)
3756 goto unlock;
3757
3758 hci_conn_hold(conn);
3759
3760 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3761 goto unlock;
3762
3763 /* Allow pairing if we're pairable, the initiators of the
3764 * pairing or if the remote is not requesting bonding.
3765 */
3766 if (test_bit(HCI_BONDABLE, &hdev->dev_flags) ||
3767 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3768 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3769 struct hci_cp_io_capability_reply cp;
3770
3771 bacpy(&cp.bdaddr, &ev->bdaddr);
3772 /* Change the IO capability from KeyboardDisplay
3773 * to DisplayYesNo as it is not supported by BT spec. */
3774 cp.capability = (conn->io_capability == 0x04) ?
3775 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3776
3777 /* If we are initiators, there is no remote information yet */
3778 if (conn->remote_auth == 0xff) {
3779 /* Request MITM protection if our IO caps allow it
3780 * except for the no-bonding case.
3781 */
3782 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3783 conn->auth_type != HCI_AT_NO_BONDING)
3784 conn->auth_type |= 0x01;
3785 } else {
3786 conn->auth_type = hci_get_auth_req(conn);
3787 }
3788
3789 /* If we're not bondable, force one of the non-bondable
3790 * authentication requirement values.
3791 */
3792 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags))
3793 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
3794
3795 cp.authentication = conn->auth_type;
3796
3797 if (hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR) &&
3798 (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3799 cp.oob_data = 0x01;
3800 else
3801 cp.oob_data = 0x00;
3802
3803 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3804 sizeof(cp), &cp);
3805 } else {
3806 struct hci_cp_io_capability_neg_reply cp;
3807
3808 bacpy(&cp.bdaddr, &ev->bdaddr);
3809 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3810
3811 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3812 sizeof(cp), &cp);
3813 }
3814
3815 unlock:
3816 hci_dev_unlock(hdev);
3817 }
3818
3819 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3820 {
3821 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3822 struct hci_conn *conn;
3823
3824 BT_DBG("%s", hdev->name);
3825
3826 hci_dev_lock(hdev);
3827
3828 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3829 if (!conn)
3830 goto unlock;
3831
3832 conn->remote_cap = ev->capability;
3833 conn->remote_auth = ev->authentication;
3834 if (ev->oob_data)
3835 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3836
3837 unlock:
3838 hci_dev_unlock(hdev);
3839 }
3840
3841 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3842 struct sk_buff *skb)
3843 {
3844 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3845 int loc_mitm, rem_mitm, confirm_hint = 0;
3846 struct hci_conn *conn;
3847
3848 BT_DBG("%s", hdev->name);
3849
3850 hci_dev_lock(hdev);
3851
3852 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3853 goto unlock;
3854
3855 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3856 if (!conn)
3857 goto unlock;
3858
3859 loc_mitm = (conn->auth_type & 0x01);
3860 rem_mitm = (conn->remote_auth & 0x01);
3861
3862 /* If we require MITM but the remote device can't provide that
3863 * (it has NoInputNoOutput) then reject the confirmation
3864 * request. We check the security level here since it doesn't
3865 * necessarily match conn->auth_type.
3866 */
3867 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
3868 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3869 BT_DBG("Rejecting request: remote device can't provide MITM");
3870 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3871 sizeof(ev->bdaddr), &ev->bdaddr);
3872 goto unlock;
3873 }
3874
3875 /* If no side requires MITM protection; auto-accept */
3876 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
3877 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
3878
3879 /* If we're not the initiators request authorization to
3880 * proceed from user space (mgmt_user_confirm with
3881 * confirm_hint set to 1). The exception is if neither
3882 * side had MITM or if the local IO capability is
3883 * NoInputNoOutput, in which case we do auto-accept
3884 */
3885 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
3886 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3887 (loc_mitm || rem_mitm)) {
3888 BT_DBG("Confirming auto-accept as acceptor");
3889 confirm_hint = 1;
3890 goto confirm;
3891 }
3892
3893 BT_DBG("Auto-accept of user confirmation with %ums delay",
3894 hdev->auto_accept_delay);
3895
3896 if (hdev->auto_accept_delay > 0) {
3897 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
3898 queue_delayed_work(conn->hdev->workqueue,
3899 &conn->auto_accept_work, delay);
3900 goto unlock;
3901 }
3902
3903 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
3904 sizeof(ev->bdaddr), &ev->bdaddr);
3905 goto unlock;
3906 }
3907
3908 confirm:
3909 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
3910 le32_to_cpu(ev->passkey), confirm_hint);
3911
3912 unlock:
3913 hci_dev_unlock(hdev);
3914 }
3915
3916 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
3917 struct sk_buff *skb)
3918 {
3919 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
3920
3921 BT_DBG("%s", hdev->name);
3922
3923 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3924 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
3925 }
3926
3927 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
3928 struct sk_buff *skb)
3929 {
3930 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
3931 struct hci_conn *conn;
3932
3933 BT_DBG("%s", hdev->name);
3934
3935 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3936 if (!conn)
3937 return;
3938
3939 conn->passkey_notify = __le32_to_cpu(ev->passkey);
3940 conn->passkey_entered = 0;
3941
3942 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3943 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3944 conn->dst_type, conn->passkey_notify,
3945 conn->passkey_entered);
3946 }
3947
3948 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3949 {
3950 struct hci_ev_keypress_notify *ev = (void *) skb->data;
3951 struct hci_conn *conn;
3952
3953 BT_DBG("%s", hdev->name);
3954
3955 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3956 if (!conn)
3957 return;
3958
3959 switch (ev->type) {
3960 case HCI_KEYPRESS_STARTED:
3961 conn->passkey_entered = 0;
3962 return;
3963
3964 case HCI_KEYPRESS_ENTERED:
3965 conn->passkey_entered++;
3966 break;
3967
3968 case HCI_KEYPRESS_ERASED:
3969 conn->passkey_entered--;
3970 break;
3971
3972 case HCI_KEYPRESS_CLEARED:
3973 conn->passkey_entered = 0;
3974 break;
3975
3976 case HCI_KEYPRESS_COMPLETED:
3977 return;
3978 }
3979
3980 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3981 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3982 conn->dst_type, conn->passkey_notify,
3983 conn->passkey_entered);
3984 }
3985
3986 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3987 struct sk_buff *skb)
3988 {
3989 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
3990 struct hci_conn *conn;
3991
3992 BT_DBG("%s", hdev->name);
3993
3994 hci_dev_lock(hdev);
3995
3996 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3997 if (!conn)
3998 goto unlock;
3999
4000 /* Reset the authentication requirement to unknown */
4001 conn->remote_auth = 0xff;
4002
4003 /* To avoid duplicate auth_failed events to user space we check
4004 * the HCI_CONN_AUTH_PEND flag which will be set if we
4005 * initiated the authentication. A traditional auth_complete
4006 * event gets always produced as initiator and is also mapped to
4007 * the mgmt_auth_failed event */
4008 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4009 mgmt_auth_failed(conn, ev->status);
4010
4011 hci_conn_drop(conn);
4012
4013 unlock:
4014 hci_dev_unlock(hdev);
4015 }
4016
4017 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4018 struct sk_buff *skb)
4019 {
4020 struct hci_ev_remote_host_features *ev = (void *) skb->data;
4021 struct inquiry_entry *ie;
4022 struct hci_conn *conn;
4023
4024 BT_DBG("%s", hdev->name);
4025
4026 hci_dev_lock(hdev);
4027
4028 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4029 if (conn)
4030 memcpy(conn->features[1], ev->features, 8);
4031
4032 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4033 if (ie)
4034 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4035
4036 hci_dev_unlock(hdev);
4037 }
4038
4039 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4040 struct sk_buff *skb)
4041 {
4042 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4043 struct oob_data *data;
4044
4045 BT_DBG("%s", hdev->name);
4046
4047 hci_dev_lock(hdev);
4048
4049 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
4050 goto unlock;
4051
4052 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4053 if (data) {
4054 if (bredr_sc_enabled(hdev)) {
4055 struct hci_cp_remote_oob_ext_data_reply cp;
4056
4057 bacpy(&cp.bdaddr, &ev->bdaddr);
4058 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4059 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4060 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4061 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4062
4063 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4064 sizeof(cp), &cp);
4065 } else {
4066 struct hci_cp_remote_oob_data_reply cp;
4067
4068 bacpy(&cp.bdaddr, &ev->bdaddr);
4069 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4070 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4071
4072 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4073 sizeof(cp), &cp);
4074 }
4075 } else {
4076 struct hci_cp_remote_oob_data_neg_reply cp;
4077
4078 bacpy(&cp.bdaddr, &ev->bdaddr);
4079 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4080 sizeof(cp), &cp);
4081 }
4082
4083 unlock:
4084 hci_dev_unlock(hdev);
4085 }
4086
4087 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4088 struct sk_buff *skb)
4089 {
4090 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4091 struct hci_conn *hcon, *bredr_hcon;
4092
4093 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4094 ev->status);
4095
4096 hci_dev_lock(hdev);
4097
4098 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4099 if (!hcon) {
4100 hci_dev_unlock(hdev);
4101 return;
4102 }
4103
4104 if (ev->status) {
4105 hci_conn_del(hcon);
4106 hci_dev_unlock(hdev);
4107 return;
4108 }
4109
4110 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4111
4112 hcon->state = BT_CONNECTED;
4113 bacpy(&hcon->dst, &bredr_hcon->dst);
4114
4115 hci_conn_hold(hcon);
4116 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4117 hci_conn_drop(hcon);
4118
4119 hci_conn_add_sysfs(hcon);
4120
4121 amp_physical_cfm(bredr_hcon, hcon);
4122
4123 hci_dev_unlock(hdev);
4124 }
4125
4126 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4127 {
4128 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4129 struct hci_conn *hcon;
4130 struct hci_chan *hchan;
4131 struct amp_mgr *mgr;
4132
4133 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4134 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4135 ev->status);
4136
4137 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4138 if (!hcon)
4139 return;
4140
4141 /* Create AMP hchan */
4142 hchan = hci_chan_create(hcon);
4143 if (!hchan)
4144 return;
4145
4146 hchan->handle = le16_to_cpu(ev->handle);
4147
4148 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4149
4150 mgr = hcon->amp_mgr;
4151 if (mgr && mgr->bredr_chan) {
4152 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4153
4154 l2cap_chan_lock(bredr_chan);
4155
4156 bredr_chan->conn->mtu = hdev->block_mtu;
4157 l2cap_logical_cfm(bredr_chan, hchan, 0);
4158 hci_conn_hold(hcon);
4159
4160 l2cap_chan_unlock(bredr_chan);
4161 }
4162 }
4163
4164 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4165 struct sk_buff *skb)
4166 {
4167 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4168 struct hci_chan *hchan;
4169
4170 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4171 le16_to_cpu(ev->handle), ev->status);
4172
4173 if (ev->status)
4174 return;
4175
4176 hci_dev_lock(hdev);
4177
4178 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4179 if (!hchan)
4180 goto unlock;
4181
4182 amp_destroy_logical_link(hchan, ev->reason);
4183
4184 unlock:
4185 hci_dev_unlock(hdev);
4186 }
4187
4188 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4189 struct sk_buff *skb)
4190 {
4191 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4192 struct hci_conn *hcon;
4193
4194 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4195
4196 if (ev->status)
4197 return;
4198
4199 hci_dev_lock(hdev);
4200
4201 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4202 if (hcon) {
4203 hcon->state = BT_CLOSED;
4204 hci_conn_del(hcon);
4205 }
4206
4207 hci_dev_unlock(hdev);
4208 }
4209
4210 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4211 {
4212 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4213 struct hci_conn_params *params;
4214 struct hci_conn *conn;
4215 struct smp_irk *irk;
4216 u8 addr_type;
4217
4218 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4219
4220 hci_dev_lock(hdev);
4221
4222 /* All controllers implicitly stop advertising in the event of a
4223 * connection, so ensure that the state bit is cleared.
4224 */
4225 clear_bit(HCI_LE_ADV, &hdev->dev_flags);
4226
4227 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
4228 if (!conn) {
4229 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4230 if (!conn) {
4231 BT_ERR("No memory for new connection");
4232 goto unlock;
4233 }
4234
4235 conn->dst_type = ev->bdaddr_type;
4236
4237 /* If we didn't have a hci_conn object previously
4238 * but we're in master role this must be something
4239 * initiated using a white list. Since white list based
4240 * connections are not "first class citizens" we don't
4241 * have full tracking of them. Therefore, we go ahead
4242 * with a "best effort" approach of determining the
4243 * initiator address based on the HCI_PRIVACY flag.
4244 */
4245 if (conn->out) {
4246 conn->resp_addr_type = ev->bdaddr_type;
4247 bacpy(&conn->resp_addr, &ev->bdaddr);
4248 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
4249 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4250 bacpy(&conn->init_addr, &hdev->rpa);
4251 } else {
4252 hci_copy_identity_address(hdev,
4253 &conn->init_addr,
4254 &conn->init_addr_type);
4255 }
4256 }
4257 } else {
4258 cancel_delayed_work(&conn->le_conn_timeout);
4259 }
4260
4261 if (!conn->out) {
4262 /* Set the responder (our side) address type based on
4263 * the advertising address type.
4264 */
4265 conn->resp_addr_type = hdev->adv_addr_type;
4266 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4267 bacpy(&conn->resp_addr, &hdev->random_addr);
4268 else
4269 bacpy(&conn->resp_addr, &hdev->bdaddr);
4270
4271 conn->init_addr_type = ev->bdaddr_type;
4272 bacpy(&conn->init_addr, &ev->bdaddr);
4273
4274 /* For incoming connections, set the default minimum
4275 * and maximum connection interval. They will be used
4276 * to check if the parameters are in range and if not
4277 * trigger the connection update procedure.
4278 */
4279 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4280 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4281 }
4282
4283 /* Lookup the identity address from the stored connection
4284 * address and address type.
4285 *
4286 * When establishing connections to an identity address, the
4287 * connection procedure will store the resolvable random
4288 * address first. Now if it can be converted back into the
4289 * identity address, start using the identity address from
4290 * now on.
4291 */
4292 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4293 if (irk) {
4294 bacpy(&conn->dst, &irk->bdaddr);
4295 conn->dst_type = irk->addr_type;
4296 }
4297
4298 if (ev->status) {
4299 hci_le_conn_failed(conn, ev->status);
4300 goto unlock;
4301 }
4302
4303 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4304 addr_type = BDADDR_LE_PUBLIC;
4305 else
4306 addr_type = BDADDR_LE_RANDOM;
4307
4308 /* Drop the connection if the device is blocked */
4309 if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4310 hci_conn_drop(conn);
4311 goto unlock;
4312 }
4313
4314 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4315 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4316
4317 conn->sec_level = BT_SECURITY_LOW;
4318 conn->handle = __le16_to_cpu(ev->handle);
4319 conn->state = BT_CONNECTED;
4320
4321 conn->le_conn_interval = le16_to_cpu(ev->interval);
4322 conn->le_conn_latency = le16_to_cpu(ev->latency);
4323 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4324
4325 hci_conn_add_sysfs(conn);
4326
4327 hci_proto_connect_cfm(conn, ev->status);
4328
4329 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4330 conn->dst_type);
4331 if (params) {
4332 list_del_init(&params->action);
4333 if (params->conn) {
4334 hci_conn_drop(params->conn);
4335 hci_conn_put(params->conn);
4336 params->conn = NULL;
4337 }
4338 }
4339
4340 unlock:
4341 hci_update_background_scan(hdev);
4342 hci_dev_unlock(hdev);
4343 }
4344
4345 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4346 struct sk_buff *skb)
4347 {
4348 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4349 struct hci_conn *conn;
4350
4351 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4352
4353 if (ev->status)
4354 return;
4355
4356 hci_dev_lock(hdev);
4357
4358 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4359 if (conn) {
4360 conn->le_conn_interval = le16_to_cpu(ev->interval);
4361 conn->le_conn_latency = le16_to_cpu(ev->latency);
4362 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4363 }
4364
4365 hci_dev_unlock(hdev);
4366 }
4367
4368 /* This function requires the caller holds hdev->lock */
4369 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4370 bdaddr_t *addr,
4371 u8 addr_type, u8 adv_type)
4372 {
4373 struct hci_conn *conn;
4374 struct hci_conn_params *params;
4375
4376 /* If the event is not connectable don't proceed further */
4377 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4378 return NULL;
4379
4380 /* Ignore if the device is blocked */
4381 if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4382 return NULL;
4383
4384 /* Most controller will fail if we try to create new connections
4385 * while we have an existing one in slave role.
4386 */
4387 if (hdev->conn_hash.le_num_slave > 0)
4388 return NULL;
4389
4390 /* If we're not connectable only connect devices that we have in
4391 * our pend_le_conns list.
4392 */
4393 params = hci_pend_le_action_lookup(&hdev->pend_le_conns,
4394 addr, addr_type);
4395 if (!params)
4396 return NULL;
4397
4398 switch (params->auto_connect) {
4399 case HCI_AUTO_CONN_DIRECT:
4400 /* Only devices advertising with ADV_DIRECT_IND are
4401 * triggering a connection attempt. This is allowing
4402 * incoming connections from slave devices.
4403 */
4404 if (adv_type != LE_ADV_DIRECT_IND)
4405 return NULL;
4406 break;
4407 case HCI_AUTO_CONN_ALWAYS:
4408 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4409 * are triggering a connection attempt. This means
4410 * that incoming connectioms from slave device are
4411 * accepted and also outgoing connections to slave
4412 * devices are established when found.
4413 */
4414 break;
4415 default:
4416 return NULL;
4417 }
4418
4419 conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4420 HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4421 if (!IS_ERR(conn)) {
4422 /* Store the pointer since we don't really have any
4423 * other owner of the object besides the params that
4424 * triggered it. This way we can abort the connection if
4425 * the parameters get removed and keep the reference
4426 * count consistent once the connection is established.
4427 */
4428 params->conn = hci_conn_get(conn);
4429 return conn;
4430 }
4431
4432 switch (PTR_ERR(conn)) {
4433 case -EBUSY:
4434 /* If hci_connect() returns -EBUSY it means there is already
4435 * an LE connection attempt going on. Since controllers don't
4436 * support more than one connection attempt at the time, we
4437 * don't consider this an error case.
4438 */
4439 break;
4440 default:
4441 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4442 return NULL;
4443 }
4444
4445 return NULL;
4446 }
4447
4448 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4449 u8 bdaddr_type, bdaddr_t *direct_addr,
4450 u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4451 {
4452 struct discovery_state *d = &hdev->discovery;
4453 struct smp_irk *irk;
4454 struct hci_conn *conn;
4455 bool match;
4456 u32 flags;
4457
4458 /* If the direct address is present, then this report is from
4459 * a LE Direct Advertising Report event. In that case it is
4460 * important to see if the address is matching the local
4461 * controller address.
4462 */
4463 if (direct_addr) {
4464 /* Only resolvable random addresses are valid for these
4465 * kind of reports and others can be ignored.
4466 */
4467 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4468 return;
4469
4470 /* If the controller is not using resolvable random
4471 * addresses, then this report can be ignored.
4472 */
4473 if (!test_bit(HCI_PRIVACY, &hdev->dev_flags))
4474 return;
4475
4476 /* If the local IRK of the controller does not match
4477 * with the resolvable random address provided, then
4478 * this report can be ignored.
4479 */
4480 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4481 return;
4482 }
4483
4484 /* Check if we need to convert to identity address */
4485 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4486 if (irk) {
4487 bdaddr = &irk->bdaddr;
4488 bdaddr_type = irk->addr_type;
4489 }
4490
4491 /* Check if we have been requested to connect to this device */
4492 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4493 if (conn && type == LE_ADV_IND) {
4494 /* Store report for later inclusion by
4495 * mgmt_device_connected
4496 */
4497 memcpy(conn->le_adv_data, data, len);
4498 conn->le_adv_data_len = len;
4499 }
4500
4501 /* Passive scanning shouldn't trigger any device found events,
4502 * except for devices marked as CONN_REPORT for which we do send
4503 * device found events.
4504 */
4505 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4506 if (type == LE_ADV_DIRECT_IND)
4507 return;
4508
4509 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4510 bdaddr, bdaddr_type))
4511 return;
4512
4513 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4514 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4515 else
4516 flags = 0;
4517 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4518 rssi, flags, data, len, NULL, 0);
4519 return;
4520 }
4521
4522 /* When receiving non-connectable or scannable undirected
4523 * advertising reports, this means that the remote device is
4524 * not connectable and then clearly indicate this in the
4525 * device found event.
4526 *
4527 * When receiving a scan response, then there is no way to
4528 * know if the remote device is connectable or not. However
4529 * since scan responses are merged with a previously seen
4530 * advertising report, the flags field from that report
4531 * will be used.
4532 *
4533 * In the really unlikely case that a controller get confused
4534 * and just sends a scan response event, then it is marked as
4535 * not connectable as well.
4536 */
4537 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4538 type == LE_ADV_SCAN_RSP)
4539 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4540 else
4541 flags = 0;
4542
4543 /* If there's nothing pending either store the data from this
4544 * event or send an immediate device found event if the data
4545 * should not be stored for later.
4546 */
4547 if (!has_pending_adv_report(hdev)) {
4548 /* If the report will trigger a SCAN_REQ store it for
4549 * later merging.
4550 */
4551 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4552 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4553 rssi, flags, data, len);
4554 return;
4555 }
4556
4557 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4558 rssi, flags, data, len, NULL, 0);
4559 return;
4560 }
4561
4562 /* Check if the pending report is for the same device as the new one */
4563 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4564 bdaddr_type == d->last_adv_addr_type);
4565
4566 /* If the pending data doesn't match this report or this isn't a
4567 * scan response (e.g. we got a duplicate ADV_IND) then force
4568 * sending of the pending data.
4569 */
4570 if (type != LE_ADV_SCAN_RSP || !match) {
4571 /* Send out whatever is in the cache, but skip duplicates */
4572 if (!match)
4573 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4574 d->last_adv_addr_type, NULL,
4575 d->last_adv_rssi, d->last_adv_flags,
4576 d->last_adv_data,
4577 d->last_adv_data_len, NULL, 0);
4578
4579 /* If the new report will trigger a SCAN_REQ store it for
4580 * later merging.
4581 */
4582 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4583 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4584 rssi, flags, data, len);
4585 return;
4586 }
4587
4588 /* The advertising reports cannot be merged, so clear
4589 * the pending report and send out a device found event.
4590 */
4591 clear_pending_adv_report(hdev);
4592 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4593 rssi, flags, data, len, NULL, 0);
4594 return;
4595 }
4596
4597 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4598 * the new event is a SCAN_RSP. We can therefore proceed with
4599 * sending a merged device found event.
4600 */
4601 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4602 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4603 d->last_adv_data, d->last_adv_data_len, data, len);
4604 clear_pending_adv_report(hdev);
4605 }
4606
4607 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4608 {
4609 u8 num_reports = skb->data[0];
4610 void *ptr = &skb->data[1];
4611
4612 hci_dev_lock(hdev);
4613
4614 while (num_reports--) {
4615 struct hci_ev_le_advertising_info *ev = ptr;
4616 s8 rssi;
4617
4618 rssi = ev->data[ev->length];
4619 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4620 ev->bdaddr_type, NULL, 0, rssi,
4621 ev->data, ev->length);
4622
4623 ptr += sizeof(*ev) + ev->length + 1;
4624 }
4625
4626 hci_dev_unlock(hdev);
4627 }
4628
4629 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4630 {
4631 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4632 struct hci_cp_le_ltk_reply cp;
4633 struct hci_cp_le_ltk_neg_reply neg;
4634 struct hci_conn *conn;
4635 struct smp_ltk *ltk;
4636
4637 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4638
4639 hci_dev_lock(hdev);
4640
4641 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4642 if (conn == NULL)
4643 goto not_found;
4644
4645 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4646 if (!ltk)
4647 goto not_found;
4648
4649 if (smp_ltk_is_sc(ltk)) {
4650 /* With SC both EDiv and Rand are set to zero */
4651 if (ev->ediv || ev->rand)
4652 goto not_found;
4653 } else {
4654 /* For non-SC keys check that EDiv and Rand match */
4655 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4656 goto not_found;
4657 }
4658
4659 memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4660 cp.handle = cpu_to_le16(conn->handle);
4661
4662 conn->pending_sec_level = smp_ltk_sec_level(ltk);
4663
4664 conn->enc_key_size = ltk->enc_size;
4665
4666 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4667
4668 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4669 * temporary key used to encrypt a connection following
4670 * pairing. It is used during the Encrypted Session Setup to
4671 * distribute the keys. Later, security can be re-established
4672 * using a distributed LTK.
4673 */
4674 if (ltk->type == SMP_STK) {
4675 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4676 list_del_rcu(&ltk->list);
4677 kfree_rcu(ltk, rcu);
4678 } else {
4679 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4680 }
4681
4682 hci_dev_unlock(hdev);
4683
4684 return;
4685
4686 not_found:
4687 neg.handle = ev->handle;
4688 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4689 hci_dev_unlock(hdev);
4690 }
4691
4692 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
4693 u8 reason)
4694 {
4695 struct hci_cp_le_conn_param_req_neg_reply cp;
4696
4697 cp.handle = cpu_to_le16(handle);
4698 cp.reason = reason;
4699
4700 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
4701 &cp);
4702 }
4703
4704 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4705 struct sk_buff *skb)
4706 {
4707 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
4708 struct hci_cp_le_conn_param_req_reply cp;
4709 struct hci_conn *hcon;
4710 u16 handle, min, max, latency, timeout;
4711
4712 handle = le16_to_cpu(ev->handle);
4713 min = le16_to_cpu(ev->interval_min);
4714 max = le16_to_cpu(ev->interval_max);
4715 latency = le16_to_cpu(ev->latency);
4716 timeout = le16_to_cpu(ev->timeout);
4717
4718 hcon = hci_conn_hash_lookup_handle(hdev, handle);
4719 if (!hcon || hcon->state != BT_CONNECTED)
4720 return send_conn_param_neg_reply(hdev, handle,
4721 HCI_ERROR_UNKNOWN_CONN_ID);
4722
4723 if (hci_check_conn_params(min, max, latency, timeout))
4724 return send_conn_param_neg_reply(hdev, handle,
4725 HCI_ERROR_INVALID_LL_PARAMS);
4726
4727 if (hcon->role == HCI_ROLE_MASTER) {
4728 struct hci_conn_params *params;
4729 u8 store_hint;
4730
4731 hci_dev_lock(hdev);
4732
4733 params = hci_conn_params_lookup(hdev, &hcon->dst,
4734 hcon->dst_type);
4735 if (params) {
4736 params->conn_min_interval = min;
4737 params->conn_max_interval = max;
4738 params->conn_latency = latency;
4739 params->supervision_timeout = timeout;
4740 store_hint = 0x01;
4741 } else{
4742 store_hint = 0x00;
4743 }
4744
4745 hci_dev_unlock(hdev);
4746
4747 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
4748 store_hint, min, max, latency, timeout);
4749 }
4750
4751 cp.handle = ev->handle;
4752 cp.interval_min = ev->interval_min;
4753 cp.interval_max = ev->interval_max;
4754 cp.latency = ev->latency;
4755 cp.timeout = ev->timeout;
4756 cp.min_ce_len = 0;
4757 cp.max_ce_len = 0;
4758
4759 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
4760 }
4761
4762 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
4763 struct sk_buff *skb)
4764 {
4765 u8 num_reports = skb->data[0];
4766 void *ptr = &skb->data[1];
4767
4768 hci_dev_lock(hdev);
4769
4770 while (num_reports--) {
4771 struct hci_ev_le_direct_adv_info *ev = ptr;
4772
4773 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4774 ev->bdaddr_type, &ev->direct_addr,
4775 ev->direct_addr_type, ev->rssi, NULL, 0);
4776
4777 ptr += sizeof(*ev);
4778 }
4779
4780 hci_dev_unlock(hdev);
4781 }
4782
4783 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4784 {
4785 struct hci_ev_le_meta *le_ev = (void *) skb->data;
4786
4787 skb_pull(skb, sizeof(*le_ev));
4788
4789 switch (le_ev->subevent) {
4790 case HCI_EV_LE_CONN_COMPLETE:
4791 hci_le_conn_complete_evt(hdev, skb);
4792 break;
4793
4794 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
4795 hci_le_conn_update_complete_evt(hdev, skb);
4796 break;
4797
4798 case HCI_EV_LE_ADVERTISING_REPORT:
4799 hci_le_adv_report_evt(hdev, skb);
4800 break;
4801
4802 case HCI_EV_LE_LTK_REQ:
4803 hci_le_ltk_request_evt(hdev, skb);
4804 break;
4805
4806 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
4807 hci_le_remote_conn_param_req_evt(hdev, skb);
4808 break;
4809
4810 case HCI_EV_LE_DIRECT_ADV_REPORT:
4811 hci_le_direct_adv_report_evt(hdev, skb);
4812 break;
4813
4814 default:
4815 break;
4816 }
4817 }
4818
4819 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4820 {
4821 struct hci_ev_channel_selected *ev = (void *) skb->data;
4822 struct hci_conn *hcon;
4823
4824 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4825
4826 skb_pull(skb, sizeof(*ev));
4827
4828 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4829 if (!hcon)
4830 return;
4831
4832 amp_read_loc_assoc_final_data(hdev, hcon);
4833 }
4834
4835 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
4836 {
4837 struct hci_event_hdr *hdr = (void *) skb->data;
4838 __u8 event = hdr->evt;
4839
4840 hci_dev_lock(hdev);
4841
4842 /* Received events are (currently) only needed when a request is
4843 * ongoing so avoid unnecessary memory allocation.
4844 */
4845 if (hci_req_pending(hdev)) {
4846 kfree_skb(hdev->recv_evt);
4847 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
4848 }
4849
4850 hci_dev_unlock(hdev);
4851
4852 skb_pull(skb, HCI_EVENT_HDR_SIZE);
4853
4854 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
4855 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
4856 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
4857
4858 hci_req_cmd_complete(hdev, opcode, 0);
4859 }
4860
4861 switch (event) {
4862 case HCI_EV_INQUIRY_COMPLETE:
4863 hci_inquiry_complete_evt(hdev, skb);
4864 break;
4865
4866 case HCI_EV_INQUIRY_RESULT:
4867 hci_inquiry_result_evt(hdev, skb);
4868 break;
4869
4870 case HCI_EV_CONN_COMPLETE:
4871 hci_conn_complete_evt(hdev, skb);
4872 break;
4873
4874 case HCI_EV_CONN_REQUEST:
4875 hci_conn_request_evt(hdev, skb);
4876 break;
4877
4878 case HCI_EV_DISCONN_COMPLETE:
4879 hci_disconn_complete_evt(hdev, skb);
4880 break;
4881
4882 case HCI_EV_AUTH_COMPLETE:
4883 hci_auth_complete_evt(hdev, skb);
4884 break;
4885
4886 case HCI_EV_REMOTE_NAME:
4887 hci_remote_name_evt(hdev, skb);
4888 break;
4889
4890 case HCI_EV_ENCRYPT_CHANGE:
4891 hci_encrypt_change_evt(hdev, skb);
4892 break;
4893
4894 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
4895 hci_change_link_key_complete_evt(hdev, skb);
4896 break;
4897
4898 case HCI_EV_REMOTE_FEATURES:
4899 hci_remote_features_evt(hdev, skb);
4900 break;
4901
4902 case HCI_EV_CMD_COMPLETE:
4903 hci_cmd_complete_evt(hdev, skb);
4904 break;
4905
4906 case HCI_EV_CMD_STATUS:
4907 hci_cmd_status_evt(hdev, skb);
4908 break;
4909
4910 case HCI_EV_HARDWARE_ERROR:
4911 hci_hardware_error_evt(hdev, skb);
4912 break;
4913
4914 case HCI_EV_ROLE_CHANGE:
4915 hci_role_change_evt(hdev, skb);
4916 break;
4917
4918 case HCI_EV_NUM_COMP_PKTS:
4919 hci_num_comp_pkts_evt(hdev, skb);
4920 break;
4921
4922 case HCI_EV_MODE_CHANGE:
4923 hci_mode_change_evt(hdev, skb);
4924 break;
4925
4926 case HCI_EV_PIN_CODE_REQ:
4927 hci_pin_code_request_evt(hdev, skb);
4928 break;
4929
4930 case HCI_EV_LINK_KEY_REQ:
4931 hci_link_key_request_evt(hdev, skb);
4932 break;
4933
4934 case HCI_EV_LINK_KEY_NOTIFY:
4935 hci_link_key_notify_evt(hdev, skb);
4936 break;
4937
4938 case HCI_EV_CLOCK_OFFSET:
4939 hci_clock_offset_evt(hdev, skb);
4940 break;
4941
4942 case HCI_EV_PKT_TYPE_CHANGE:
4943 hci_pkt_type_change_evt(hdev, skb);
4944 break;
4945
4946 case HCI_EV_PSCAN_REP_MODE:
4947 hci_pscan_rep_mode_evt(hdev, skb);
4948 break;
4949
4950 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
4951 hci_inquiry_result_with_rssi_evt(hdev, skb);
4952 break;
4953
4954 case HCI_EV_REMOTE_EXT_FEATURES:
4955 hci_remote_ext_features_evt(hdev, skb);
4956 break;
4957
4958 case HCI_EV_SYNC_CONN_COMPLETE:
4959 hci_sync_conn_complete_evt(hdev, skb);
4960 break;
4961
4962 case HCI_EV_EXTENDED_INQUIRY_RESULT:
4963 hci_extended_inquiry_result_evt(hdev, skb);
4964 break;
4965
4966 case HCI_EV_KEY_REFRESH_COMPLETE:
4967 hci_key_refresh_complete_evt(hdev, skb);
4968 break;
4969
4970 case HCI_EV_IO_CAPA_REQUEST:
4971 hci_io_capa_request_evt(hdev, skb);
4972 break;
4973
4974 case HCI_EV_IO_CAPA_REPLY:
4975 hci_io_capa_reply_evt(hdev, skb);
4976 break;
4977
4978 case HCI_EV_USER_CONFIRM_REQUEST:
4979 hci_user_confirm_request_evt(hdev, skb);
4980 break;
4981
4982 case HCI_EV_USER_PASSKEY_REQUEST:
4983 hci_user_passkey_request_evt(hdev, skb);
4984 break;
4985
4986 case HCI_EV_USER_PASSKEY_NOTIFY:
4987 hci_user_passkey_notify_evt(hdev, skb);
4988 break;
4989
4990 case HCI_EV_KEYPRESS_NOTIFY:
4991 hci_keypress_notify_evt(hdev, skb);
4992 break;
4993
4994 case HCI_EV_SIMPLE_PAIR_COMPLETE:
4995 hci_simple_pair_complete_evt(hdev, skb);
4996 break;
4997
4998 case HCI_EV_REMOTE_HOST_FEATURES:
4999 hci_remote_host_features_evt(hdev, skb);
5000 break;
5001
5002 case HCI_EV_LE_META:
5003 hci_le_meta_evt(hdev, skb);
5004 break;
5005
5006 case HCI_EV_CHANNEL_SELECTED:
5007 hci_chan_selected_evt(hdev, skb);
5008 break;
5009
5010 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5011 hci_remote_oob_data_request_evt(hdev, skb);
5012 break;
5013
5014 case HCI_EV_PHY_LINK_COMPLETE:
5015 hci_phy_link_complete_evt(hdev, skb);
5016 break;
5017
5018 case HCI_EV_LOGICAL_LINK_COMPLETE:
5019 hci_loglink_complete_evt(hdev, skb);
5020 break;
5021
5022 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5023 hci_disconn_loglink_complete_evt(hdev, skb);
5024 break;
5025
5026 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5027 hci_disconn_phylink_complete_evt(hdev, skb);
5028 break;
5029
5030 case HCI_EV_NUM_COMP_BLOCKS:
5031 hci_num_comp_blocks_evt(hdev, skb);
5032 break;
5033
5034 default:
5035 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5036 break;
5037 }
5038
5039 kfree_skb(skb);
5040 hdev->stat.evt_rx++;
5041 }
Linux kernel - Deliverables
This page took 0.126263 seconds and 6 git commands to generate.