xref: /openbmc/linux/net/bluetooth/hci_event.c (revision 155d9c9e)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4    Copyright 2023 NXP
5 
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11 
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25 
26 /* Bluetooth HCI event handling. */
27 
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
39 #include "smp.h"
40 #include "msft.h"
41 #include "eir.h"
42 
43 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
44 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
45 
46 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
47 
48 /* Handle HCI Event packets */
49 
50 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
51 			     u8 ev, size_t len)
52 {
53 	void *data;
54 
55 	data = skb_pull_data(skb, len);
56 	if (!data)
57 		bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
58 
59 	return data;
60 }
61 
62 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
63 			     u16 op, size_t len)
64 {
65 	void *data;
66 
67 	data = skb_pull_data(skb, len);
68 	if (!data)
69 		bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
70 
71 	return data;
72 }
73 
74 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
75 				u8 ev, size_t len)
76 {
77 	void *data;
78 
79 	data = skb_pull_data(skb, len);
80 	if (!data)
81 		bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
82 
83 	return data;
84 }
85 
86 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
87 				struct sk_buff *skb)
88 {
89 	struct hci_ev_status *rp = data;
90 
91 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
92 
93 	/* It is possible that we receive Inquiry Complete event right
94 	 * before we receive Inquiry Cancel Command Complete event, in
95 	 * which case the latter event should have status of Command
96 	 * Disallowed (0x0c). This should not be treated as error, since
97 	 * we actually achieve what Inquiry Cancel wants to achieve,
98 	 * which is to end the last Inquiry session.
99 	 */
100 	if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
101 		bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
102 		rp->status = 0x00;
103 	}
104 
105 	if (rp->status)
106 		return rp->status;
107 
108 	clear_bit(HCI_INQUIRY, &hdev->flags);
109 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
110 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
111 
112 	hci_dev_lock(hdev);
113 	/* Set discovery state to stopped if we're not doing LE active
114 	 * scanning.
115 	 */
116 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
117 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
118 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
119 	hci_dev_unlock(hdev);
120 
121 	hci_conn_check_pending(hdev);
122 
123 	return rp->status;
124 }
125 
126 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
127 			      struct sk_buff *skb)
128 {
129 	struct hci_ev_status *rp = data;
130 
131 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
132 
133 	if (rp->status)
134 		return rp->status;
135 
136 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
137 
138 	return rp->status;
139 }
140 
141 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
142 				   struct sk_buff *skb)
143 {
144 	struct hci_ev_status *rp = data;
145 
146 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
147 
148 	if (rp->status)
149 		return rp->status;
150 
151 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
152 
153 	hci_conn_check_pending(hdev);
154 
155 	return rp->status;
156 }
157 
158 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
159 					struct sk_buff *skb)
160 {
161 	struct hci_ev_status *rp = data;
162 
163 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
164 
165 	return rp->status;
166 }
167 
168 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
169 				struct sk_buff *skb)
170 {
171 	struct hci_rp_role_discovery *rp = data;
172 	struct hci_conn *conn;
173 
174 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
175 
176 	if (rp->status)
177 		return rp->status;
178 
179 	hci_dev_lock(hdev);
180 
181 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
182 	if (conn)
183 		conn->role = rp->role;
184 
185 	hci_dev_unlock(hdev);
186 
187 	return rp->status;
188 }
189 
190 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
191 				  struct sk_buff *skb)
192 {
193 	struct hci_rp_read_link_policy *rp = data;
194 	struct hci_conn *conn;
195 
196 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
197 
198 	if (rp->status)
199 		return rp->status;
200 
201 	hci_dev_lock(hdev);
202 
203 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
204 	if (conn)
205 		conn->link_policy = __le16_to_cpu(rp->policy);
206 
207 	hci_dev_unlock(hdev);
208 
209 	return rp->status;
210 }
211 
212 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
213 				   struct sk_buff *skb)
214 {
215 	struct hci_rp_write_link_policy *rp = data;
216 	struct hci_conn *conn;
217 	void *sent;
218 
219 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
220 
221 	if (rp->status)
222 		return rp->status;
223 
224 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
225 	if (!sent)
226 		return rp->status;
227 
228 	hci_dev_lock(hdev);
229 
230 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
231 	if (conn)
232 		conn->link_policy = get_unaligned_le16(sent + 2);
233 
234 	hci_dev_unlock(hdev);
235 
236 	return rp->status;
237 }
238 
239 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
240 				      struct sk_buff *skb)
241 {
242 	struct hci_rp_read_def_link_policy *rp = data;
243 
244 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
245 
246 	if (rp->status)
247 		return rp->status;
248 
249 	hdev->link_policy = __le16_to_cpu(rp->policy);
250 
251 	return rp->status;
252 }
253 
254 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
255 				       struct sk_buff *skb)
256 {
257 	struct hci_ev_status *rp = data;
258 	void *sent;
259 
260 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
261 
262 	if (rp->status)
263 		return rp->status;
264 
265 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
266 	if (!sent)
267 		return rp->status;
268 
269 	hdev->link_policy = get_unaligned_le16(sent);
270 
271 	return rp->status;
272 }
273 
274 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
275 {
276 	struct hci_ev_status *rp = data;
277 
278 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
279 
280 	clear_bit(HCI_RESET, &hdev->flags);
281 
282 	if (rp->status)
283 		return rp->status;
284 
285 	/* Reset all non-persistent flags */
286 	hci_dev_clear_volatile_flags(hdev);
287 
288 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
289 
290 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
291 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
292 
293 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
294 	hdev->adv_data_len = 0;
295 
296 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
297 	hdev->scan_rsp_data_len = 0;
298 
299 	hdev->le_scan_type = LE_SCAN_PASSIVE;
300 
301 	hdev->ssp_debug_mode = 0;
302 
303 	hci_bdaddr_list_clear(&hdev->le_accept_list);
304 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
305 
306 	return rp->status;
307 }
308 
309 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
310 				      struct sk_buff *skb)
311 {
312 	struct hci_rp_read_stored_link_key *rp = data;
313 	struct hci_cp_read_stored_link_key *sent;
314 
315 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
316 
317 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
318 	if (!sent)
319 		return rp->status;
320 
321 	if (!rp->status && sent->read_all == 0x01) {
322 		hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
323 		hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
324 	}
325 
326 	return rp->status;
327 }
328 
329 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
330 					struct sk_buff *skb)
331 {
332 	struct hci_rp_delete_stored_link_key *rp = data;
333 	u16 num_keys;
334 
335 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
336 
337 	if (rp->status)
338 		return rp->status;
339 
340 	num_keys = le16_to_cpu(rp->num_keys);
341 
342 	if (num_keys <= hdev->stored_num_keys)
343 		hdev->stored_num_keys -= num_keys;
344 	else
345 		hdev->stored_num_keys = 0;
346 
347 	return rp->status;
348 }
349 
350 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
351 				  struct sk_buff *skb)
352 {
353 	struct hci_ev_status *rp = data;
354 	void *sent;
355 
356 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
357 
358 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
359 	if (!sent)
360 		return rp->status;
361 
362 	hci_dev_lock(hdev);
363 
364 	if (hci_dev_test_flag(hdev, HCI_MGMT))
365 		mgmt_set_local_name_complete(hdev, sent, rp->status);
366 	else if (!rp->status)
367 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
368 
369 	hci_dev_unlock(hdev);
370 
371 	return rp->status;
372 }
373 
374 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
375 				 struct sk_buff *skb)
376 {
377 	struct hci_rp_read_local_name *rp = data;
378 
379 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
380 
381 	if (rp->status)
382 		return rp->status;
383 
384 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
385 	    hci_dev_test_flag(hdev, HCI_CONFIG))
386 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
387 
388 	return rp->status;
389 }
390 
391 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
392 				   struct sk_buff *skb)
393 {
394 	struct hci_ev_status *rp = data;
395 	void *sent;
396 
397 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
398 
399 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
400 	if (!sent)
401 		return rp->status;
402 
403 	hci_dev_lock(hdev);
404 
405 	if (!rp->status) {
406 		__u8 param = *((__u8 *) sent);
407 
408 		if (param == AUTH_ENABLED)
409 			set_bit(HCI_AUTH, &hdev->flags);
410 		else
411 			clear_bit(HCI_AUTH, &hdev->flags);
412 	}
413 
414 	if (hci_dev_test_flag(hdev, HCI_MGMT))
415 		mgmt_auth_enable_complete(hdev, rp->status);
416 
417 	hci_dev_unlock(hdev);
418 
419 	return rp->status;
420 }
421 
422 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
423 				    struct sk_buff *skb)
424 {
425 	struct hci_ev_status *rp = data;
426 	__u8 param;
427 	void *sent;
428 
429 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
430 
431 	if (rp->status)
432 		return rp->status;
433 
434 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
435 	if (!sent)
436 		return rp->status;
437 
438 	param = *((__u8 *) sent);
439 
440 	if (param)
441 		set_bit(HCI_ENCRYPT, &hdev->flags);
442 	else
443 		clear_bit(HCI_ENCRYPT, &hdev->flags);
444 
445 	return rp->status;
446 }
447 
448 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
449 				   struct sk_buff *skb)
450 {
451 	struct hci_ev_status *rp = data;
452 	__u8 param;
453 	void *sent;
454 
455 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
456 
457 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
458 	if (!sent)
459 		return rp->status;
460 
461 	param = *((__u8 *) sent);
462 
463 	hci_dev_lock(hdev);
464 
465 	if (rp->status) {
466 		hdev->discov_timeout = 0;
467 		goto done;
468 	}
469 
470 	if (param & SCAN_INQUIRY)
471 		set_bit(HCI_ISCAN, &hdev->flags);
472 	else
473 		clear_bit(HCI_ISCAN, &hdev->flags);
474 
475 	if (param & SCAN_PAGE)
476 		set_bit(HCI_PSCAN, &hdev->flags);
477 	else
478 		clear_bit(HCI_PSCAN, &hdev->flags);
479 
480 done:
481 	hci_dev_unlock(hdev);
482 
483 	return rp->status;
484 }
485 
486 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
487 				  struct sk_buff *skb)
488 {
489 	struct hci_ev_status *rp = data;
490 	struct hci_cp_set_event_filter *cp;
491 	void *sent;
492 
493 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
494 
495 	if (rp->status)
496 		return rp->status;
497 
498 	sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
499 	if (!sent)
500 		return rp->status;
501 
502 	cp = (struct hci_cp_set_event_filter *)sent;
503 
504 	if (cp->flt_type == HCI_FLT_CLEAR_ALL)
505 		hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
506 	else
507 		hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
508 
509 	return rp->status;
510 }
511 
512 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
513 				   struct sk_buff *skb)
514 {
515 	struct hci_rp_read_class_of_dev *rp = data;
516 
517 	if (WARN_ON(!hdev))
518 		return HCI_ERROR_UNSPECIFIED;
519 
520 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
521 
522 	if (rp->status)
523 		return rp->status;
524 
525 	memcpy(hdev->dev_class, rp->dev_class, 3);
526 
527 	bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
528 		   hdev->dev_class[1], hdev->dev_class[0]);
529 
530 	return rp->status;
531 }
532 
533 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
534 				    struct sk_buff *skb)
535 {
536 	struct hci_ev_status *rp = data;
537 	void *sent;
538 
539 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
540 
541 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
542 	if (!sent)
543 		return rp->status;
544 
545 	hci_dev_lock(hdev);
546 
547 	if (!rp->status)
548 		memcpy(hdev->dev_class, sent, 3);
549 
550 	if (hci_dev_test_flag(hdev, HCI_MGMT))
551 		mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
552 
553 	hci_dev_unlock(hdev);
554 
555 	return rp->status;
556 }
557 
558 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
559 				    struct sk_buff *skb)
560 {
561 	struct hci_rp_read_voice_setting *rp = data;
562 	__u16 setting;
563 
564 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
565 
566 	if (rp->status)
567 		return rp->status;
568 
569 	setting = __le16_to_cpu(rp->voice_setting);
570 
571 	if (hdev->voice_setting == setting)
572 		return rp->status;
573 
574 	hdev->voice_setting = setting;
575 
576 	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
577 
578 	if (hdev->notify)
579 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
580 
581 	return rp->status;
582 }
583 
584 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
585 				     struct sk_buff *skb)
586 {
587 	struct hci_ev_status *rp = data;
588 	__u16 setting;
589 	void *sent;
590 
591 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
592 
593 	if (rp->status)
594 		return rp->status;
595 
596 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
597 	if (!sent)
598 		return rp->status;
599 
600 	setting = get_unaligned_le16(sent);
601 
602 	if (hdev->voice_setting == setting)
603 		return rp->status;
604 
605 	hdev->voice_setting = setting;
606 
607 	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
608 
609 	if (hdev->notify)
610 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
611 
612 	return rp->status;
613 }
614 
615 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
616 					struct sk_buff *skb)
617 {
618 	struct hci_rp_read_num_supported_iac *rp = data;
619 
620 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
621 
622 	if (rp->status)
623 		return rp->status;
624 
625 	hdev->num_iac = rp->num_iac;
626 
627 	bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
628 
629 	return rp->status;
630 }
631 
632 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
633 				struct sk_buff *skb)
634 {
635 	struct hci_ev_status *rp = data;
636 	struct hci_cp_write_ssp_mode *sent;
637 
638 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
639 
640 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
641 	if (!sent)
642 		return rp->status;
643 
644 	hci_dev_lock(hdev);
645 
646 	if (!rp->status) {
647 		if (sent->mode)
648 			hdev->features[1][0] |= LMP_HOST_SSP;
649 		else
650 			hdev->features[1][0] &= ~LMP_HOST_SSP;
651 	}
652 
653 	if (!rp->status) {
654 		if (sent->mode)
655 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
656 		else
657 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
658 	}
659 
660 	hci_dev_unlock(hdev);
661 
662 	return rp->status;
663 }
664 
665 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
666 				  struct sk_buff *skb)
667 {
668 	struct hci_ev_status *rp = data;
669 	struct hci_cp_write_sc_support *sent;
670 
671 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
672 
673 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
674 	if (!sent)
675 		return rp->status;
676 
677 	hci_dev_lock(hdev);
678 
679 	if (!rp->status) {
680 		if (sent->support)
681 			hdev->features[1][0] |= LMP_HOST_SC;
682 		else
683 			hdev->features[1][0] &= ~LMP_HOST_SC;
684 	}
685 
686 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
687 		if (sent->support)
688 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
689 		else
690 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
691 	}
692 
693 	hci_dev_unlock(hdev);
694 
695 	return rp->status;
696 }
697 
698 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
699 				    struct sk_buff *skb)
700 {
701 	struct hci_rp_read_local_version *rp = data;
702 
703 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
704 
705 	if (rp->status)
706 		return rp->status;
707 
708 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
709 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
710 		hdev->hci_ver = rp->hci_ver;
711 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
712 		hdev->lmp_ver = rp->lmp_ver;
713 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
714 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
715 	}
716 
717 	return rp->status;
718 }
719 
720 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
721 				   struct sk_buff *skb)
722 {
723 	struct hci_rp_read_enc_key_size *rp = data;
724 	struct hci_conn *conn;
725 	u16 handle;
726 	u8 status = rp->status;
727 
728 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
729 
730 	handle = le16_to_cpu(rp->handle);
731 
732 	hci_dev_lock(hdev);
733 
734 	conn = hci_conn_hash_lookup_handle(hdev, handle);
735 	if (!conn) {
736 		status = 0xFF;
737 		goto done;
738 	}
739 
740 	/* While unexpected, the read_enc_key_size command may fail. The most
741 	 * secure approach is to then assume the key size is 0 to force a
742 	 * disconnection.
743 	 */
744 	if (status) {
745 		bt_dev_err(hdev, "failed to read key size for handle %u",
746 			   handle);
747 		conn->enc_key_size = 0;
748 	} else {
749 		conn->enc_key_size = rp->key_size;
750 		status = 0;
751 
752 		if (conn->enc_key_size < hdev->min_enc_key_size) {
753 			/* As slave role, the conn->state has been set to
754 			 * BT_CONNECTED and l2cap conn req might not be received
755 			 * yet, at this moment the l2cap layer almost does
756 			 * nothing with the non-zero status.
757 			 * So we also clear encrypt related bits, and then the
758 			 * handler of l2cap conn req will get the right secure
759 			 * state at a later time.
760 			 */
761 			status = HCI_ERROR_AUTH_FAILURE;
762 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
763 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
764 		}
765 	}
766 
767 	hci_encrypt_cfm(conn, status);
768 
769 done:
770 	hci_dev_unlock(hdev);
771 
772 	return status;
773 }
774 
775 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
776 				     struct sk_buff *skb)
777 {
778 	struct hci_rp_read_local_commands *rp = data;
779 
780 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
781 
782 	if (rp->status)
783 		return rp->status;
784 
785 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
786 	    hci_dev_test_flag(hdev, HCI_CONFIG))
787 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
788 
789 	return rp->status;
790 }
791 
792 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
793 					   struct sk_buff *skb)
794 {
795 	struct hci_rp_read_auth_payload_to *rp = data;
796 	struct hci_conn *conn;
797 
798 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
799 
800 	if (rp->status)
801 		return rp->status;
802 
803 	hci_dev_lock(hdev);
804 
805 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
806 	if (conn)
807 		conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
808 
809 	hci_dev_unlock(hdev);
810 
811 	return rp->status;
812 }
813 
814 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
815 					    struct sk_buff *skb)
816 {
817 	struct hci_rp_write_auth_payload_to *rp = data;
818 	struct hci_conn *conn;
819 	void *sent;
820 
821 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
822 
823 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
824 	if (!sent)
825 		return rp->status;
826 
827 	hci_dev_lock(hdev);
828 
829 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
830 	if (!conn) {
831 		rp->status = 0xff;
832 		goto unlock;
833 	}
834 
835 	if (!rp->status)
836 		conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
837 
838 unlock:
839 	hci_dev_unlock(hdev);
840 
841 	return rp->status;
842 }
843 
844 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
845 				     struct sk_buff *skb)
846 {
847 	struct hci_rp_read_local_features *rp = data;
848 
849 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
850 
851 	if (rp->status)
852 		return rp->status;
853 
854 	memcpy(hdev->features, rp->features, 8);
855 
856 	/* Adjust default settings according to features
857 	 * supported by device. */
858 
859 	if (hdev->features[0][0] & LMP_3SLOT)
860 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
861 
862 	if (hdev->features[0][0] & LMP_5SLOT)
863 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
864 
865 	if (hdev->features[0][1] & LMP_HV2) {
866 		hdev->pkt_type  |= (HCI_HV2);
867 		hdev->esco_type |= (ESCO_HV2);
868 	}
869 
870 	if (hdev->features[0][1] & LMP_HV3) {
871 		hdev->pkt_type  |= (HCI_HV3);
872 		hdev->esco_type |= (ESCO_HV3);
873 	}
874 
875 	if (lmp_esco_capable(hdev))
876 		hdev->esco_type |= (ESCO_EV3);
877 
878 	if (hdev->features[0][4] & LMP_EV4)
879 		hdev->esco_type |= (ESCO_EV4);
880 
881 	if (hdev->features[0][4] & LMP_EV5)
882 		hdev->esco_type |= (ESCO_EV5);
883 
884 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
885 		hdev->esco_type |= (ESCO_2EV3);
886 
887 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
888 		hdev->esco_type |= (ESCO_3EV3);
889 
890 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
891 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
892 
893 	return rp->status;
894 }
895 
896 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
897 					 struct sk_buff *skb)
898 {
899 	struct hci_rp_read_local_ext_features *rp = data;
900 
901 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
902 
903 	if (rp->status)
904 		return rp->status;
905 
906 	if (hdev->max_page < rp->max_page) {
907 		if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
908 			     &hdev->quirks))
909 			bt_dev_warn(hdev, "broken local ext features page 2");
910 		else
911 			hdev->max_page = rp->max_page;
912 	}
913 
914 	if (rp->page < HCI_MAX_PAGES)
915 		memcpy(hdev->features[rp->page], rp->features, 8);
916 
917 	return rp->status;
918 }
919 
920 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
921 				  struct sk_buff *skb)
922 {
923 	struct hci_rp_read_buffer_size *rp = data;
924 
925 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
926 
927 	if (rp->status)
928 		return rp->status;
929 
930 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
931 	hdev->sco_mtu  = rp->sco_mtu;
932 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
933 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
934 
935 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
936 		hdev->sco_mtu  = 64;
937 		hdev->sco_pkts = 8;
938 	}
939 
940 	hdev->acl_cnt = hdev->acl_pkts;
941 	hdev->sco_cnt = hdev->sco_pkts;
942 
943 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
944 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
945 
946 	if (!hdev->acl_mtu || !hdev->acl_pkts)
947 		return HCI_ERROR_INVALID_PARAMETERS;
948 
949 	return rp->status;
950 }
951 
952 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
953 			      struct sk_buff *skb)
954 {
955 	struct hci_rp_read_bd_addr *rp = data;
956 
957 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
958 
959 	if (rp->status)
960 		return rp->status;
961 
962 	if (test_bit(HCI_INIT, &hdev->flags))
963 		bacpy(&hdev->bdaddr, &rp->bdaddr);
964 
965 	if (hci_dev_test_flag(hdev, HCI_SETUP))
966 		bacpy(&hdev->setup_addr, &rp->bdaddr);
967 
968 	return rp->status;
969 }
970 
971 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
972 					 struct sk_buff *skb)
973 {
974 	struct hci_rp_read_local_pairing_opts *rp = data;
975 
976 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
977 
978 	if (rp->status)
979 		return rp->status;
980 
981 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
982 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
983 		hdev->pairing_opts = rp->pairing_opts;
984 		hdev->max_enc_key_size = rp->max_key_size;
985 	}
986 
987 	return rp->status;
988 }
989 
990 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
991 					 struct sk_buff *skb)
992 {
993 	struct hci_rp_read_page_scan_activity *rp = data;
994 
995 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
996 
997 	if (rp->status)
998 		return rp->status;
999 
1000 	if (test_bit(HCI_INIT, &hdev->flags)) {
1001 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1002 		hdev->page_scan_window = __le16_to_cpu(rp->window);
1003 	}
1004 
1005 	return rp->status;
1006 }
1007 
1008 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1009 					  struct sk_buff *skb)
1010 {
1011 	struct hci_ev_status *rp = data;
1012 	struct hci_cp_write_page_scan_activity *sent;
1013 
1014 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1015 
1016 	if (rp->status)
1017 		return rp->status;
1018 
1019 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1020 	if (!sent)
1021 		return rp->status;
1022 
1023 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1024 	hdev->page_scan_window = __le16_to_cpu(sent->window);
1025 
1026 	return rp->status;
1027 }
1028 
1029 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1030 				     struct sk_buff *skb)
1031 {
1032 	struct hci_rp_read_page_scan_type *rp = data;
1033 
1034 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1035 
1036 	if (rp->status)
1037 		return rp->status;
1038 
1039 	if (test_bit(HCI_INIT, &hdev->flags))
1040 		hdev->page_scan_type = rp->type;
1041 
1042 	return rp->status;
1043 }
1044 
1045 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1046 				      struct sk_buff *skb)
1047 {
1048 	struct hci_ev_status *rp = data;
1049 	u8 *type;
1050 
1051 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1052 
1053 	if (rp->status)
1054 		return rp->status;
1055 
1056 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1057 	if (type)
1058 		hdev->page_scan_type = *type;
1059 
1060 	return rp->status;
1061 }
1062 
1063 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1064 			    struct sk_buff *skb)
1065 {
1066 	struct hci_rp_read_clock *rp = data;
1067 	struct hci_cp_read_clock *cp;
1068 	struct hci_conn *conn;
1069 
1070 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1071 
1072 	if (rp->status)
1073 		return rp->status;
1074 
1075 	hci_dev_lock(hdev);
1076 
1077 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1078 	if (!cp)
1079 		goto unlock;
1080 
1081 	if (cp->which == 0x00) {
1082 		hdev->clock = le32_to_cpu(rp->clock);
1083 		goto unlock;
1084 	}
1085 
1086 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1087 	if (conn) {
1088 		conn->clock = le32_to_cpu(rp->clock);
1089 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1090 	}
1091 
1092 unlock:
1093 	hci_dev_unlock(hdev);
1094 	return rp->status;
1095 }
1096 
1097 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1098 				       struct sk_buff *skb)
1099 {
1100 	struct hci_rp_read_inq_rsp_tx_power *rp = data;
1101 
1102 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1103 
1104 	if (rp->status)
1105 		return rp->status;
1106 
1107 	hdev->inq_tx_power = rp->tx_power;
1108 
1109 	return rp->status;
1110 }
1111 
1112 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1113 					     struct sk_buff *skb)
1114 {
1115 	struct hci_rp_read_def_err_data_reporting *rp = data;
1116 
1117 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1118 
1119 	if (rp->status)
1120 		return rp->status;
1121 
1122 	hdev->err_data_reporting = rp->err_data_reporting;
1123 
1124 	return rp->status;
1125 }
1126 
1127 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1128 					      struct sk_buff *skb)
1129 {
1130 	struct hci_ev_status *rp = data;
1131 	struct hci_cp_write_def_err_data_reporting *cp;
1132 
1133 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1134 
1135 	if (rp->status)
1136 		return rp->status;
1137 
1138 	cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1139 	if (!cp)
1140 		return rp->status;
1141 
1142 	hdev->err_data_reporting = cp->err_data_reporting;
1143 
1144 	return rp->status;
1145 }
1146 
1147 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1148 				struct sk_buff *skb)
1149 {
1150 	struct hci_rp_pin_code_reply *rp = data;
1151 	struct hci_cp_pin_code_reply *cp;
1152 	struct hci_conn *conn;
1153 
1154 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1155 
1156 	hci_dev_lock(hdev);
1157 
1158 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1159 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1160 
1161 	if (rp->status)
1162 		goto unlock;
1163 
1164 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1165 	if (!cp)
1166 		goto unlock;
1167 
1168 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1169 	if (conn)
1170 		conn->pin_length = cp->pin_len;
1171 
1172 unlock:
1173 	hci_dev_unlock(hdev);
1174 	return rp->status;
1175 }
1176 
1177 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1178 				    struct sk_buff *skb)
1179 {
1180 	struct hci_rp_pin_code_neg_reply *rp = data;
1181 
1182 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1183 
1184 	hci_dev_lock(hdev);
1185 
1186 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1187 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1188 						 rp->status);
1189 
1190 	hci_dev_unlock(hdev);
1191 
1192 	return rp->status;
1193 }
1194 
1195 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1196 				     struct sk_buff *skb)
1197 {
1198 	struct hci_rp_le_read_buffer_size *rp = data;
1199 
1200 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1201 
1202 	if (rp->status)
1203 		return rp->status;
1204 
1205 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1206 	hdev->le_pkts = rp->le_max_pkt;
1207 
1208 	hdev->le_cnt = hdev->le_pkts;
1209 
1210 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1211 
1212 	if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
1213 		return HCI_ERROR_INVALID_PARAMETERS;
1214 
1215 	return rp->status;
1216 }
1217 
1218 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1219 					struct sk_buff *skb)
1220 {
1221 	struct hci_rp_le_read_local_features *rp = data;
1222 
1223 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1224 
1225 	if (rp->status)
1226 		return rp->status;
1227 
1228 	memcpy(hdev->le_features, rp->features, 8);
1229 
1230 	return rp->status;
1231 }
1232 
1233 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1234 				      struct sk_buff *skb)
1235 {
1236 	struct hci_rp_le_read_adv_tx_power *rp = data;
1237 
1238 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1239 
1240 	if (rp->status)
1241 		return rp->status;
1242 
1243 	hdev->adv_tx_power = rp->tx_power;
1244 
1245 	return rp->status;
1246 }
1247 
1248 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1249 				    struct sk_buff *skb)
1250 {
1251 	struct hci_rp_user_confirm_reply *rp = data;
1252 
1253 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1254 
1255 	hci_dev_lock(hdev);
1256 
1257 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1258 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1259 						 rp->status);
1260 
1261 	hci_dev_unlock(hdev);
1262 
1263 	return rp->status;
1264 }
1265 
1266 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1267 					struct sk_buff *skb)
1268 {
1269 	struct hci_rp_user_confirm_reply *rp = data;
1270 
1271 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1272 
1273 	hci_dev_lock(hdev);
1274 
1275 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1276 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1277 						     ACL_LINK, 0, rp->status);
1278 
1279 	hci_dev_unlock(hdev);
1280 
1281 	return rp->status;
1282 }
1283 
1284 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1285 				    struct sk_buff *skb)
1286 {
1287 	struct hci_rp_user_confirm_reply *rp = data;
1288 
1289 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1290 
1291 	hci_dev_lock(hdev);
1292 
1293 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1294 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1295 						 0, rp->status);
1296 
1297 	hci_dev_unlock(hdev);
1298 
1299 	return rp->status;
1300 }
1301 
1302 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1303 					struct sk_buff *skb)
1304 {
1305 	struct hci_rp_user_confirm_reply *rp = data;
1306 
1307 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1308 
1309 	hci_dev_lock(hdev);
1310 
1311 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1312 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1313 						     ACL_LINK, 0, rp->status);
1314 
1315 	hci_dev_unlock(hdev);
1316 
1317 	return rp->status;
1318 }
1319 
1320 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1321 				     struct sk_buff *skb)
1322 {
1323 	struct hci_rp_read_local_oob_data *rp = data;
1324 
1325 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1326 
1327 	return rp->status;
1328 }
1329 
1330 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1331 					 struct sk_buff *skb)
1332 {
1333 	struct hci_rp_read_local_oob_ext_data *rp = data;
1334 
1335 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1336 
1337 	return rp->status;
1338 }
1339 
1340 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1341 				    struct sk_buff *skb)
1342 {
1343 	struct hci_ev_status *rp = data;
1344 	bdaddr_t *sent;
1345 
1346 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1347 
1348 	if (rp->status)
1349 		return rp->status;
1350 
1351 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1352 	if (!sent)
1353 		return rp->status;
1354 
1355 	hci_dev_lock(hdev);
1356 
1357 	bacpy(&hdev->random_addr, sent);
1358 
1359 	if (!bacmp(&hdev->rpa, sent)) {
1360 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1361 		queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1362 				   secs_to_jiffies(hdev->rpa_timeout));
1363 	}
1364 
1365 	hci_dev_unlock(hdev);
1366 
1367 	return rp->status;
1368 }
1369 
1370 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1371 				    struct sk_buff *skb)
1372 {
1373 	struct hci_ev_status *rp = data;
1374 	struct hci_cp_le_set_default_phy *cp;
1375 
1376 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1377 
1378 	if (rp->status)
1379 		return rp->status;
1380 
1381 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1382 	if (!cp)
1383 		return rp->status;
1384 
1385 	hci_dev_lock(hdev);
1386 
1387 	hdev->le_tx_def_phys = cp->tx_phys;
1388 	hdev->le_rx_def_phys = cp->rx_phys;
1389 
1390 	hci_dev_unlock(hdev);
1391 
1392 	return rp->status;
1393 }
1394 
1395 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1396 					    struct sk_buff *skb)
1397 {
1398 	struct hci_ev_status *rp = data;
1399 	struct hci_cp_le_set_adv_set_rand_addr *cp;
1400 	struct adv_info *adv;
1401 
1402 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1403 
1404 	if (rp->status)
1405 		return rp->status;
1406 
1407 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1408 	/* Update only in case the adv instance since handle 0x00 shall be using
1409 	 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1410 	 * non-extended adverting.
1411 	 */
1412 	if (!cp || !cp->handle)
1413 		return rp->status;
1414 
1415 	hci_dev_lock(hdev);
1416 
1417 	adv = hci_find_adv_instance(hdev, cp->handle);
1418 	if (adv) {
1419 		bacpy(&adv->random_addr, &cp->bdaddr);
1420 		if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1421 			adv->rpa_expired = false;
1422 			queue_delayed_work(hdev->workqueue,
1423 					   &adv->rpa_expired_cb,
1424 					   secs_to_jiffies(hdev->rpa_timeout));
1425 		}
1426 	}
1427 
1428 	hci_dev_unlock(hdev);
1429 
1430 	return rp->status;
1431 }
1432 
1433 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1434 				   struct sk_buff *skb)
1435 {
1436 	struct hci_ev_status *rp = data;
1437 	u8 *instance;
1438 	int err;
1439 
1440 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1441 
1442 	if (rp->status)
1443 		return rp->status;
1444 
1445 	instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1446 	if (!instance)
1447 		return rp->status;
1448 
1449 	hci_dev_lock(hdev);
1450 
1451 	err = hci_remove_adv_instance(hdev, *instance);
1452 	if (!err)
1453 		mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1454 					 *instance);
1455 
1456 	hci_dev_unlock(hdev);
1457 
1458 	return rp->status;
1459 }
1460 
1461 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1462 				   struct sk_buff *skb)
1463 {
1464 	struct hci_ev_status *rp = data;
1465 	struct adv_info *adv, *n;
1466 	int err;
1467 
1468 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1469 
1470 	if (rp->status)
1471 		return rp->status;
1472 
1473 	if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1474 		return rp->status;
1475 
1476 	hci_dev_lock(hdev);
1477 
1478 	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1479 		u8 instance = adv->instance;
1480 
1481 		err = hci_remove_adv_instance(hdev, instance);
1482 		if (!err)
1483 			mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1484 						 hdev, instance);
1485 	}
1486 
1487 	hci_dev_unlock(hdev);
1488 
1489 	return rp->status;
1490 }
1491 
1492 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1493 					struct sk_buff *skb)
1494 {
1495 	struct hci_rp_le_read_transmit_power *rp = data;
1496 
1497 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1498 
1499 	if (rp->status)
1500 		return rp->status;
1501 
1502 	hdev->min_le_tx_power = rp->min_le_tx_power;
1503 	hdev->max_le_tx_power = rp->max_le_tx_power;
1504 
1505 	return rp->status;
1506 }
1507 
1508 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1509 				     struct sk_buff *skb)
1510 {
1511 	struct hci_ev_status *rp = data;
1512 	struct hci_cp_le_set_privacy_mode *cp;
1513 	struct hci_conn_params *params;
1514 
1515 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1516 
1517 	if (rp->status)
1518 		return rp->status;
1519 
1520 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1521 	if (!cp)
1522 		return rp->status;
1523 
1524 	hci_dev_lock(hdev);
1525 
1526 	params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1527 	if (params)
1528 		WRITE_ONCE(params->privacy_mode, cp->mode);
1529 
1530 	hci_dev_unlock(hdev);
1531 
1532 	return rp->status;
1533 }
1534 
1535 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1536 				   struct sk_buff *skb)
1537 {
1538 	struct hci_ev_status *rp = data;
1539 	__u8 *sent;
1540 
1541 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1542 
1543 	if (rp->status)
1544 		return rp->status;
1545 
1546 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1547 	if (!sent)
1548 		return rp->status;
1549 
1550 	hci_dev_lock(hdev);
1551 
1552 	/* If we're doing connection initiation as peripheral. Set a
1553 	 * timeout in case something goes wrong.
1554 	 */
1555 	if (*sent) {
1556 		struct hci_conn *conn;
1557 
1558 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1559 
1560 		conn = hci_lookup_le_connect(hdev);
1561 		if (conn)
1562 			queue_delayed_work(hdev->workqueue,
1563 					   &conn->le_conn_timeout,
1564 					   conn->conn_timeout);
1565 	} else {
1566 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1567 	}
1568 
1569 	hci_dev_unlock(hdev);
1570 
1571 	return rp->status;
1572 }
1573 
1574 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1575 				       struct sk_buff *skb)
1576 {
1577 	struct hci_cp_le_set_ext_adv_enable *cp;
1578 	struct hci_cp_ext_adv_set *set;
1579 	struct adv_info *adv = NULL, *n;
1580 	struct hci_ev_status *rp = data;
1581 
1582 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1583 
1584 	if (rp->status)
1585 		return rp->status;
1586 
1587 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1588 	if (!cp)
1589 		return rp->status;
1590 
1591 	set = (void *)cp->data;
1592 
1593 	hci_dev_lock(hdev);
1594 
1595 	if (cp->num_of_sets)
1596 		adv = hci_find_adv_instance(hdev, set->handle);
1597 
1598 	if (cp->enable) {
1599 		struct hci_conn *conn;
1600 
1601 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1602 
1603 		if (adv && !adv->periodic)
1604 			adv->enabled = true;
1605 
1606 		conn = hci_lookup_le_connect(hdev);
1607 		if (conn)
1608 			queue_delayed_work(hdev->workqueue,
1609 					   &conn->le_conn_timeout,
1610 					   conn->conn_timeout);
1611 	} else {
1612 		if (cp->num_of_sets) {
1613 			if (adv)
1614 				adv->enabled = false;
1615 
1616 			/* If just one instance was disabled check if there are
1617 			 * any other instance enabled before clearing HCI_LE_ADV
1618 			 */
1619 			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1620 						 list) {
1621 				if (adv->enabled)
1622 					goto unlock;
1623 			}
1624 		} else {
1625 			/* All instances shall be considered disabled */
1626 			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1627 						 list)
1628 				adv->enabled = false;
1629 		}
1630 
1631 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1632 	}
1633 
1634 unlock:
1635 	hci_dev_unlock(hdev);
1636 	return rp->status;
1637 }
1638 
1639 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1640 				   struct sk_buff *skb)
1641 {
1642 	struct hci_cp_le_set_scan_param *cp;
1643 	struct hci_ev_status *rp = data;
1644 
1645 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1646 
1647 	if (rp->status)
1648 		return rp->status;
1649 
1650 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1651 	if (!cp)
1652 		return rp->status;
1653 
1654 	hci_dev_lock(hdev);
1655 
1656 	hdev->le_scan_type = cp->type;
1657 
1658 	hci_dev_unlock(hdev);
1659 
1660 	return rp->status;
1661 }
1662 
1663 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1664 				       struct sk_buff *skb)
1665 {
1666 	struct hci_cp_le_set_ext_scan_params *cp;
1667 	struct hci_ev_status *rp = data;
1668 	struct hci_cp_le_scan_phy_params *phy_param;
1669 
1670 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1671 
1672 	if (rp->status)
1673 		return rp->status;
1674 
1675 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1676 	if (!cp)
1677 		return rp->status;
1678 
1679 	phy_param = (void *)cp->data;
1680 
1681 	hci_dev_lock(hdev);
1682 
1683 	hdev->le_scan_type = phy_param->type;
1684 
1685 	hci_dev_unlock(hdev);
1686 
1687 	return rp->status;
1688 }
1689 
1690 static bool has_pending_adv_report(struct hci_dev *hdev)
1691 {
1692 	struct discovery_state *d = &hdev->discovery;
1693 
1694 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1695 }
1696 
1697 static void clear_pending_adv_report(struct hci_dev *hdev)
1698 {
1699 	struct discovery_state *d = &hdev->discovery;
1700 
1701 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1702 	d->last_adv_data_len = 0;
1703 }
1704 
1705 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1706 				     u8 bdaddr_type, s8 rssi, u32 flags,
1707 				     u8 *data, u8 len)
1708 {
1709 	struct discovery_state *d = &hdev->discovery;
1710 
1711 	if (len > max_adv_len(hdev))
1712 		return;
1713 
1714 	bacpy(&d->last_adv_addr, bdaddr);
1715 	d->last_adv_addr_type = bdaddr_type;
1716 	d->last_adv_rssi = rssi;
1717 	d->last_adv_flags = flags;
1718 	memcpy(d->last_adv_data, data, len);
1719 	d->last_adv_data_len = len;
1720 }
1721 
1722 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1723 {
1724 	hci_dev_lock(hdev);
1725 
1726 	switch (enable) {
1727 	case LE_SCAN_ENABLE:
1728 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1729 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1730 			clear_pending_adv_report(hdev);
1731 		if (hci_dev_test_flag(hdev, HCI_MESH))
1732 			hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1733 		break;
1734 
1735 	case LE_SCAN_DISABLE:
1736 		/* We do this here instead of when setting DISCOVERY_STOPPED
1737 		 * since the latter would potentially require waiting for
1738 		 * inquiry to stop too.
1739 		 */
1740 		if (has_pending_adv_report(hdev)) {
1741 			struct discovery_state *d = &hdev->discovery;
1742 
1743 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1744 					  d->last_adv_addr_type, NULL,
1745 					  d->last_adv_rssi, d->last_adv_flags,
1746 					  d->last_adv_data,
1747 					  d->last_adv_data_len, NULL, 0, 0);
1748 		}
1749 
1750 		/* Cancel this timer so that we don't try to disable scanning
1751 		 * when it's already disabled.
1752 		 */
1753 		cancel_delayed_work(&hdev->le_scan_disable);
1754 
1755 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1756 
1757 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1758 		 * interrupted scanning due to a connect request. Mark
1759 		 * therefore discovery as stopped.
1760 		 */
1761 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1762 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1763 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1764 			 hdev->discovery.state == DISCOVERY_FINDING)
1765 			queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1766 
1767 		break;
1768 
1769 	default:
1770 		bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1771 			   enable);
1772 		break;
1773 	}
1774 
1775 	hci_dev_unlock(hdev);
1776 }
1777 
1778 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1779 				    struct sk_buff *skb)
1780 {
1781 	struct hci_cp_le_set_scan_enable *cp;
1782 	struct hci_ev_status *rp = data;
1783 
1784 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1785 
1786 	if (rp->status)
1787 		return rp->status;
1788 
1789 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1790 	if (!cp)
1791 		return rp->status;
1792 
1793 	le_set_scan_enable_complete(hdev, cp->enable);
1794 
1795 	return rp->status;
1796 }
1797 
1798 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1799 					struct sk_buff *skb)
1800 {
1801 	struct hci_cp_le_set_ext_scan_enable *cp;
1802 	struct hci_ev_status *rp = data;
1803 
1804 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1805 
1806 	if (rp->status)
1807 		return rp->status;
1808 
1809 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1810 	if (!cp)
1811 		return rp->status;
1812 
1813 	le_set_scan_enable_complete(hdev, cp->enable);
1814 
1815 	return rp->status;
1816 }
1817 
1818 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1819 				      struct sk_buff *skb)
1820 {
1821 	struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1822 
1823 	bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1824 		   rp->num_of_sets);
1825 
1826 	if (rp->status)
1827 		return rp->status;
1828 
1829 	hdev->le_num_of_adv_sets = rp->num_of_sets;
1830 
1831 	return rp->status;
1832 }
1833 
1834 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1835 					  struct sk_buff *skb)
1836 {
1837 	struct hci_rp_le_read_accept_list_size *rp = data;
1838 
1839 	bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1840 
1841 	if (rp->status)
1842 		return rp->status;
1843 
1844 	hdev->le_accept_list_size = rp->size;
1845 
1846 	return rp->status;
1847 }
1848 
1849 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1850 				      struct sk_buff *skb)
1851 {
1852 	struct hci_ev_status *rp = data;
1853 
1854 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1855 
1856 	if (rp->status)
1857 		return rp->status;
1858 
1859 	hci_dev_lock(hdev);
1860 	hci_bdaddr_list_clear(&hdev->le_accept_list);
1861 	hci_dev_unlock(hdev);
1862 
1863 	return rp->status;
1864 }
1865 
1866 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1867 				       struct sk_buff *skb)
1868 {
1869 	struct hci_cp_le_add_to_accept_list *sent;
1870 	struct hci_ev_status *rp = data;
1871 
1872 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1873 
1874 	if (rp->status)
1875 		return rp->status;
1876 
1877 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1878 	if (!sent)
1879 		return rp->status;
1880 
1881 	hci_dev_lock(hdev);
1882 	hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1883 			    sent->bdaddr_type);
1884 	hci_dev_unlock(hdev);
1885 
1886 	return rp->status;
1887 }
1888 
1889 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1890 					 struct sk_buff *skb)
1891 {
1892 	struct hci_cp_le_del_from_accept_list *sent;
1893 	struct hci_ev_status *rp = data;
1894 
1895 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1896 
1897 	if (rp->status)
1898 		return rp->status;
1899 
1900 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1901 	if (!sent)
1902 		return rp->status;
1903 
1904 	hci_dev_lock(hdev);
1905 	hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1906 			    sent->bdaddr_type);
1907 	hci_dev_unlock(hdev);
1908 
1909 	return rp->status;
1910 }
1911 
1912 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1913 					  struct sk_buff *skb)
1914 {
1915 	struct hci_rp_le_read_supported_states *rp = data;
1916 
1917 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1918 
1919 	if (rp->status)
1920 		return rp->status;
1921 
1922 	memcpy(hdev->le_states, rp->le_states, 8);
1923 
1924 	return rp->status;
1925 }
1926 
1927 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1928 				      struct sk_buff *skb)
1929 {
1930 	struct hci_rp_le_read_def_data_len *rp = data;
1931 
1932 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1933 
1934 	if (rp->status)
1935 		return rp->status;
1936 
1937 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1938 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1939 
1940 	return rp->status;
1941 }
1942 
1943 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1944 				       struct sk_buff *skb)
1945 {
1946 	struct hci_cp_le_write_def_data_len *sent;
1947 	struct hci_ev_status *rp = data;
1948 
1949 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1950 
1951 	if (rp->status)
1952 		return rp->status;
1953 
1954 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1955 	if (!sent)
1956 		return rp->status;
1957 
1958 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1959 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1960 
1961 	return rp->status;
1962 }
1963 
1964 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
1965 				       struct sk_buff *skb)
1966 {
1967 	struct hci_cp_le_add_to_resolv_list *sent;
1968 	struct hci_ev_status *rp = data;
1969 
1970 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1971 
1972 	if (rp->status)
1973 		return rp->status;
1974 
1975 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1976 	if (!sent)
1977 		return rp->status;
1978 
1979 	hci_dev_lock(hdev);
1980 	hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1981 				sent->bdaddr_type, sent->peer_irk,
1982 				sent->local_irk);
1983 	hci_dev_unlock(hdev);
1984 
1985 	return rp->status;
1986 }
1987 
1988 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
1989 					 struct sk_buff *skb)
1990 {
1991 	struct hci_cp_le_del_from_resolv_list *sent;
1992 	struct hci_ev_status *rp = data;
1993 
1994 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1995 
1996 	if (rp->status)
1997 		return rp->status;
1998 
1999 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2000 	if (!sent)
2001 		return rp->status;
2002 
2003 	hci_dev_lock(hdev);
2004 	hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2005 			    sent->bdaddr_type);
2006 	hci_dev_unlock(hdev);
2007 
2008 	return rp->status;
2009 }
2010 
2011 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2012 				      struct sk_buff *skb)
2013 {
2014 	struct hci_ev_status *rp = data;
2015 
2016 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2017 
2018 	if (rp->status)
2019 		return rp->status;
2020 
2021 	hci_dev_lock(hdev);
2022 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
2023 	hci_dev_unlock(hdev);
2024 
2025 	return rp->status;
2026 }
2027 
2028 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2029 					  struct sk_buff *skb)
2030 {
2031 	struct hci_rp_le_read_resolv_list_size *rp = data;
2032 
2033 	bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2034 
2035 	if (rp->status)
2036 		return rp->status;
2037 
2038 	hdev->le_resolv_list_size = rp->size;
2039 
2040 	return rp->status;
2041 }
2042 
2043 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2044 					       struct sk_buff *skb)
2045 {
2046 	struct hci_ev_status *rp = data;
2047 	__u8 *sent;
2048 
2049 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2050 
2051 	if (rp->status)
2052 		return rp->status;
2053 
2054 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2055 	if (!sent)
2056 		return rp->status;
2057 
2058 	hci_dev_lock(hdev);
2059 
2060 	if (*sent)
2061 		hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2062 	else
2063 		hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2064 
2065 	hci_dev_unlock(hdev);
2066 
2067 	return rp->status;
2068 }
2069 
2070 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2071 				      struct sk_buff *skb)
2072 {
2073 	struct hci_rp_le_read_max_data_len *rp = data;
2074 
2075 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2076 
2077 	if (rp->status)
2078 		return rp->status;
2079 
2080 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2081 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2082 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2083 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2084 
2085 	return rp->status;
2086 }
2087 
2088 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2089 					 struct sk_buff *skb)
2090 {
2091 	struct hci_cp_write_le_host_supported *sent;
2092 	struct hci_ev_status *rp = data;
2093 
2094 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2095 
2096 	if (rp->status)
2097 		return rp->status;
2098 
2099 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2100 	if (!sent)
2101 		return rp->status;
2102 
2103 	hci_dev_lock(hdev);
2104 
2105 	if (sent->le) {
2106 		hdev->features[1][0] |= LMP_HOST_LE;
2107 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2108 	} else {
2109 		hdev->features[1][0] &= ~LMP_HOST_LE;
2110 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2111 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2112 	}
2113 
2114 	if (sent->simul)
2115 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2116 	else
2117 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2118 
2119 	hci_dev_unlock(hdev);
2120 
2121 	return rp->status;
2122 }
2123 
2124 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2125 			       struct sk_buff *skb)
2126 {
2127 	struct hci_cp_le_set_adv_param *cp;
2128 	struct hci_ev_status *rp = data;
2129 
2130 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2131 
2132 	if (rp->status)
2133 		return rp->status;
2134 
2135 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2136 	if (!cp)
2137 		return rp->status;
2138 
2139 	hci_dev_lock(hdev);
2140 	hdev->adv_addr_type = cp->own_address_type;
2141 	hci_dev_unlock(hdev);
2142 
2143 	return rp->status;
2144 }
2145 
2146 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2147 				   struct sk_buff *skb)
2148 {
2149 	struct hci_rp_le_set_ext_adv_params *rp = data;
2150 	struct hci_cp_le_set_ext_adv_params *cp;
2151 	struct adv_info *adv_instance;
2152 
2153 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2154 
2155 	if (rp->status)
2156 		return rp->status;
2157 
2158 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2159 	if (!cp)
2160 		return rp->status;
2161 
2162 	hci_dev_lock(hdev);
2163 	hdev->adv_addr_type = cp->own_addr_type;
2164 	if (!cp->handle) {
2165 		/* Store in hdev for instance 0 */
2166 		hdev->adv_tx_power = rp->tx_power;
2167 	} else {
2168 		adv_instance = hci_find_adv_instance(hdev, cp->handle);
2169 		if (adv_instance)
2170 			adv_instance->tx_power = rp->tx_power;
2171 	}
2172 	/* Update adv data as tx power is known now */
2173 	hci_update_adv_data(hdev, cp->handle);
2174 
2175 	hci_dev_unlock(hdev);
2176 
2177 	return rp->status;
2178 }
2179 
2180 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2181 			   struct sk_buff *skb)
2182 {
2183 	struct hci_rp_read_rssi *rp = data;
2184 	struct hci_conn *conn;
2185 
2186 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2187 
2188 	if (rp->status)
2189 		return rp->status;
2190 
2191 	hci_dev_lock(hdev);
2192 
2193 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2194 	if (conn)
2195 		conn->rssi = rp->rssi;
2196 
2197 	hci_dev_unlock(hdev);
2198 
2199 	return rp->status;
2200 }
2201 
2202 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2203 			       struct sk_buff *skb)
2204 {
2205 	struct hci_cp_read_tx_power *sent;
2206 	struct hci_rp_read_tx_power *rp = data;
2207 	struct hci_conn *conn;
2208 
2209 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2210 
2211 	if (rp->status)
2212 		return rp->status;
2213 
2214 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2215 	if (!sent)
2216 		return rp->status;
2217 
2218 	hci_dev_lock(hdev);
2219 
2220 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2221 	if (!conn)
2222 		goto unlock;
2223 
2224 	switch (sent->type) {
2225 	case 0x00:
2226 		conn->tx_power = rp->tx_power;
2227 		break;
2228 	case 0x01:
2229 		conn->max_tx_power = rp->tx_power;
2230 		break;
2231 	}
2232 
2233 unlock:
2234 	hci_dev_unlock(hdev);
2235 	return rp->status;
2236 }
2237 
2238 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2239 				      struct sk_buff *skb)
2240 {
2241 	struct hci_ev_status *rp = data;
2242 	u8 *mode;
2243 
2244 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2245 
2246 	if (rp->status)
2247 		return rp->status;
2248 
2249 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2250 	if (mode)
2251 		hdev->ssp_debug_mode = *mode;
2252 
2253 	return rp->status;
2254 }
2255 
2256 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2257 {
2258 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2259 
2260 	if (status) {
2261 		hci_conn_check_pending(hdev);
2262 		return;
2263 	}
2264 
2265 	if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2266 		set_bit(HCI_INQUIRY, &hdev->flags);
2267 }
2268 
2269 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2270 {
2271 	struct hci_cp_create_conn *cp;
2272 	struct hci_conn *conn;
2273 
2274 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2275 
2276 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2277 	if (!cp)
2278 		return;
2279 
2280 	hci_dev_lock(hdev);
2281 
2282 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2283 
2284 	bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2285 
2286 	if (status) {
2287 		if (conn && conn->state == BT_CONNECT) {
2288 			if (status != 0x0c || conn->attempt > 2) {
2289 				conn->state = BT_CLOSED;
2290 				hci_connect_cfm(conn, status);
2291 				hci_conn_del(conn);
2292 			} else
2293 				conn->state = BT_CONNECT2;
2294 		}
2295 	} else {
2296 		if (!conn) {
2297 			conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2298 						  HCI_ROLE_MASTER);
2299 			if (IS_ERR(conn))
2300 				bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
2301 		}
2302 	}
2303 
2304 	hci_dev_unlock(hdev);
2305 }
2306 
2307 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2308 {
2309 	struct hci_cp_add_sco *cp;
2310 	struct hci_conn *acl;
2311 	struct hci_link *link;
2312 	__u16 handle;
2313 
2314 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2315 
2316 	if (!status)
2317 		return;
2318 
2319 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2320 	if (!cp)
2321 		return;
2322 
2323 	handle = __le16_to_cpu(cp->handle);
2324 
2325 	bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2326 
2327 	hci_dev_lock(hdev);
2328 
2329 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2330 	if (acl) {
2331 		link = list_first_entry_or_null(&acl->link_list,
2332 						struct hci_link, list);
2333 		if (link && link->conn) {
2334 			link->conn->state = BT_CLOSED;
2335 
2336 			hci_connect_cfm(link->conn, status);
2337 			hci_conn_del(link->conn);
2338 		}
2339 	}
2340 
2341 	hci_dev_unlock(hdev);
2342 }
2343 
2344 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2345 {
2346 	struct hci_cp_auth_requested *cp;
2347 	struct hci_conn *conn;
2348 
2349 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2350 
2351 	if (!status)
2352 		return;
2353 
2354 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2355 	if (!cp)
2356 		return;
2357 
2358 	hci_dev_lock(hdev);
2359 
2360 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2361 	if (conn) {
2362 		if (conn->state == BT_CONFIG) {
2363 			hci_connect_cfm(conn, status);
2364 			hci_conn_drop(conn);
2365 		}
2366 	}
2367 
2368 	hci_dev_unlock(hdev);
2369 }
2370 
2371 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2372 {
2373 	struct hci_cp_set_conn_encrypt *cp;
2374 	struct hci_conn *conn;
2375 
2376 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2377 
2378 	if (!status)
2379 		return;
2380 
2381 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2382 	if (!cp)
2383 		return;
2384 
2385 	hci_dev_lock(hdev);
2386 
2387 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2388 	if (conn) {
2389 		if (conn->state == BT_CONFIG) {
2390 			hci_connect_cfm(conn, status);
2391 			hci_conn_drop(conn);
2392 		}
2393 	}
2394 
2395 	hci_dev_unlock(hdev);
2396 }
2397 
2398 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2399 				    struct hci_conn *conn)
2400 {
2401 	if (conn->state != BT_CONFIG || !conn->out)
2402 		return 0;
2403 
2404 	if (conn->pending_sec_level == BT_SECURITY_SDP)
2405 		return 0;
2406 
2407 	/* Only request authentication for SSP connections or non-SSP
2408 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
2409 	 * is requested.
2410 	 */
2411 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2412 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
2413 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
2414 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
2415 		return 0;
2416 
2417 	return 1;
2418 }
2419 
2420 static int hci_resolve_name(struct hci_dev *hdev,
2421 				   struct inquiry_entry *e)
2422 {
2423 	struct hci_cp_remote_name_req cp;
2424 
2425 	memset(&cp, 0, sizeof(cp));
2426 
2427 	bacpy(&cp.bdaddr, &e->data.bdaddr);
2428 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
2429 	cp.pscan_mode = e->data.pscan_mode;
2430 	cp.clock_offset = e->data.clock_offset;
2431 
2432 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2433 }
2434 
2435 static bool hci_resolve_next_name(struct hci_dev *hdev)
2436 {
2437 	struct discovery_state *discov = &hdev->discovery;
2438 	struct inquiry_entry *e;
2439 
2440 	if (list_empty(&discov->resolve))
2441 		return false;
2442 
2443 	/* We should stop if we already spent too much time resolving names. */
2444 	if (time_after(jiffies, discov->name_resolve_timeout)) {
2445 		bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2446 		return false;
2447 	}
2448 
2449 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2450 	if (!e)
2451 		return false;
2452 
2453 	if (hci_resolve_name(hdev, e) == 0) {
2454 		e->name_state = NAME_PENDING;
2455 		return true;
2456 	}
2457 
2458 	return false;
2459 }
2460 
2461 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2462 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
2463 {
2464 	struct discovery_state *discov = &hdev->discovery;
2465 	struct inquiry_entry *e;
2466 
2467 	/* Update the mgmt connected state if necessary. Be careful with
2468 	 * conn objects that exist but are not (yet) connected however.
2469 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
2470 	 * considered connected.
2471 	 */
2472 	if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED))
2473 		mgmt_device_connected(hdev, conn, name, name_len);
2474 
2475 	if (discov->state == DISCOVERY_STOPPED)
2476 		return;
2477 
2478 	if (discov->state == DISCOVERY_STOPPING)
2479 		goto discov_complete;
2480 
2481 	if (discov->state != DISCOVERY_RESOLVING)
2482 		return;
2483 
2484 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2485 	/* If the device was not found in a list of found devices names of which
2486 	 * are pending. there is no need to continue resolving a next name as it
2487 	 * will be done upon receiving another Remote Name Request Complete
2488 	 * Event */
2489 	if (!e)
2490 		return;
2491 
2492 	list_del(&e->list);
2493 
2494 	e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2495 	mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2496 			 name, name_len);
2497 
2498 	if (hci_resolve_next_name(hdev))
2499 		return;
2500 
2501 discov_complete:
2502 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2503 }
2504 
2505 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2506 {
2507 	struct hci_cp_remote_name_req *cp;
2508 	struct hci_conn *conn;
2509 
2510 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2511 
2512 	/* If successful wait for the name req complete event before
2513 	 * checking for the need to do authentication */
2514 	if (!status)
2515 		return;
2516 
2517 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2518 	if (!cp)
2519 		return;
2520 
2521 	hci_dev_lock(hdev);
2522 
2523 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2524 
2525 	if (hci_dev_test_flag(hdev, HCI_MGMT))
2526 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2527 
2528 	if (!conn)
2529 		goto unlock;
2530 
2531 	if (!hci_outgoing_auth_needed(hdev, conn))
2532 		goto unlock;
2533 
2534 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2535 		struct hci_cp_auth_requested auth_cp;
2536 
2537 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2538 
2539 		auth_cp.handle = __cpu_to_le16(conn->handle);
2540 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2541 			     sizeof(auth_cp), &auth_cp);
2542 	}
2543 
2544 unlock:
2545 	hci_dev_unlock(hdev);
2546 }
2547 
2548 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2549 {
2550 	struct hci_cp_read_remote_features *cp;
2551 	struct hci_conn *conn;
2552 
2553 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2554 
2555 	if (!status)
2556 		return;
2557 
2558 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2559 	if (!cp)
2560 		return;
2561 
2562 	hci_dev_lock(hdev);
2563 
2564 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2565 	if (conn) {
2566 		if (conn->state == BT_CONFIG) {
2567 			hci_connect_cfm(conn, status);
2568 			hci_conn_drop(conn);
2569 		}
2570 	}
2571 
2572 	hci_dev_unlock(hdev);
2573 }
2574 
2575 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2576 {
2577 	struct hci_cp_read_remote_ext_features *cp;
2578 	struct hci_conn *conn;
2579 
2580 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2581 
2582 	if (!status)
2583 		return;
2584 
2585 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2586 	if (!cp)
2587 		return;
2588 
2589 	hci_dev_lock(hdev);
2590 
2591 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2592 	if (conn) {
2593 		if (conn->state == BT_CONFIG) {
2594 			hci_connect_cfm(conn, status);
2595 			hci_conn_drop(conn);
2596 		}
2597 	}
2598 
2599 	hci_dev_unlock(hdev);
2600 }
2601 
2602 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2603 				       __u8 status)
2604 {
2605 	struct hci_conn *acl;
2606 	struct hci_link *link;
2607 
2608 	bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2609 
2610 	hci_dev_lock(hdev);
2611 
2612 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2613 	if (acl) {
2614 		link = list_first_entry_or_null(&acl->link_list,
2615 						struct hci_link, list);
2616 		if (link && link->conn) {
2617 			link->conn->state = BT_CLOSED;
2618 
2619 			hci_connect_cfm(link->conn, status);
2620 			hci_conn_del(link->conn);
2621 		}
2622 	}
2623 
2624 	hci_dev_unlock(hdev);
2625 }
2626 
2627 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2628 {
2629 	struct hci_cp_setup_sync_conn *cp;
2630 
2631 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2632 
2633 	if (!status)
2634 		return;
2635 
2636 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2637 	if (!cp)
2638 		return;
2639 
2640 	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2641 }
2642 
2643 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2644 {
2645 	struct hci_cp_enhanced_setup_sync_conn *cp;
2646 
2647 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2648 
2649 	if (!status)
2650 		return;
2651 
2652 	cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2653 	if (!cp)
2654 		return;
2655 
2656 	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2657 }
2658 
2659 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2660 {
2661 	struct hci_cp_sniff_mode *cp;
2662 	struct hci_conn *conn;
2663 
2664 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2665 
2666 	if (!status)
2667 		return;
2668 
2669 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2670 	if (!cp)
2671 		return;
2672 
2673 	hci_dev_lock(hdev);
2674 
2675 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2676 	if (conn) {
2677 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2678 
2679 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2680 			hci_sco_setup(conn, status);
2681 	}
2682 
2683 	hci_dev_unlock(hdev);
2684 }
2685 
2686 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2687 {
2688 	struct hci_cp_exit_sniff_mode *cp;
2689 	struct hci_conn *conn;
2690 
2691 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2692 
2693 	if (!status)
2694 		return;
2695 
2696 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2697 	if (!cp)
2698 		return;
2699 
2700 	hci_dev_lock(hdev);
2701 
2702 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2703 	if (conn) {
2704 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2705 
2706 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2707 			hci_sco_setup(conn, status);
2708 	}
2709 
2710 	hci_dev_unlock(hdev);
2711 }
2712 
2713 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2714 {
2715 	struct hci_cp_disconnect *cp;
2716 	struct hci_conn_params *params;
2717 	struct hci_conn *conn;
2718 	bool mgmt_conn;
2719 
2720 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2721 
2722 	/* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2723 	 * otherwise cleanup the connection immediately.
2724 	 */
2725 	if (!status && !hdev->suspended)
2726 		return;
2727 
2728 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2729 	if (!cp)
2730 		return;
2731 
2732 	hci_dev_lock(hdev);
2733 
2734 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2735 	if (!conn)
2736 		goto unlock;
2737 
2738 	if (status) {
2739 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2740 				       conn->dst_type, status);
2741 
2742 		if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2743 			hdev->cur_adv_instance = conn->adv_instance;
2744 			hci_enable_advertising(hdev);
2745 		}
2746 
2747 		/* Inform sockets conn is gone before we delete it */
2748 		hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2749 
2750 		goto done;
2751 	}
2752 
2753 	mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2754 
2755 	if (conn->type == ACL_LINK) {
2756 		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2757 			hci_remove_link_key(hdev, &conn->dst);
2758 	}
2759 
2760 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2761 	if (params) {
2762 		switch (params->auto_connect) {
2763 		case HCI_AUTO_CONN_LINK_LOSS:
2764 			if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2765 				break;
2766 			fallthrough;
2767 
2768 		case HCI_AUTO_CONN_DIRECT:
2769 		case HCI_AUTO_CONN_ALWAYS:
2770 			hci_pend_le_list_del_init(params);
2771 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
2772 			break;
2773 
2774 		default:
2775 			break;
2776 		}
2777 	}
2778 
2779 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2780 				 cp->reason, mgmt_conn);
2781 
2782 	hci_disconn_cfm(conn, cp->reason);
2783 
2784 done:
2785 	/* If the disconnection failed for any reason, the upper layer
2786 	 * does not retry to disconnect in current implementation.
2787 	 * Hence, we need to do some basic cleanup here and re-enable
2788 	 * advertising if necessary.
2789 	 */
2790 	hci_conn_del(conn);
2791 unlock:
2792 	hci_dev_unlock(hdev);
2793 }
2794 
2795 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2796 {
2797 	/* When using controller based address resolution, then the new
2798 	 * address types 0x02 and 0x03 are used. These types need to be
2799 	 * converted back into either public address or random address type
2800 	 */
2801 	switch (type) {
2802 	case ADDR_LE_DEV_PUBLIC_RESOLVED:
2803 		if (resolved)
2804 			*resolved = true;
2805 		return ADDR_LE_DEV_PUBLIC;
2806 	case ADDR_LE_DEV_RANDOM_RESOLVED:
2807 		if (resolved)
2808 			*resolved = true;
2809 		return ADDR_LE_DEV_RANDOM;
2810 	}
2811 
2812 	if (resolved)
2813 		*resolved = false;
2814 	return type;
2815 }
2816 
2817 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2818 			      u8 peer_addr_type, u8 own_address_type,
2819 			      u8 filter_policy)
2820 {
2821 	struct hci_conn *conn;
2822 
2823 	conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2824 				       peer_addr_type);
2825 	if (!conn)
2826 		return;
2827 
2828 	own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2829 
2830 	/* Store the initiator and responder address information which
2831 	 * is needed for SMP. These values will not change during the
2832 	 * lifetime of the connection.
2833 	 */
2834 	conn->init_addr_type = own_address_type;
2835 	if (own_address_type == ADDR_LE_DEV_RANDOM)
2836 		bacpy(&conn->init_addr, &hdev->random_addr);
2837 	else
2838 		bacpy(&conn->init_addr, &hdev->bdaddr);
2839 
2840 	conn->resp_addr_type = peer_addr_type;
2841 	bacpy(&conn->resp_addr, peer_addr);
2842 }
2843 
2844 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2845 {
2846 	struct hci_cp_le_create_conn *cp;
2847 
2848 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2849 
2850 	/* All connection failure handling is taken care of by the
2851 	 * hci_conn_failed function which is triggered by the HCI
2852 	 * request completion callbacks used for connecting.
2853 	 */
2854 	if (status)
2855 		return;
2856 
2857 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2858 	if (!cp)
2859 		return;
2860 
2861 	hci_dev_lock(hdev);
2862 
2863 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2864 			  cp->own_address_type, cp->filter_policy);
2865 
2866 	hci_dev_unlock(hdev);
2867 }
2868 
2869 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2870 {
2871 	struct hci_cp_le_ext_create_conn *cp;
2872 
2873 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2874 
2875 	/* All connection failure handling is taken care of by the
2876 	 * hci_conn_failed function which is triggered by the HCI
2877 	 * request completion callbacks used for connecting.
2878 	 */
2879 	if (status)
2880 		return;
2881 
2882 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2883 	if (!cp)
2884 		return;
2885 
2886 	hci_dev_lock(hdev);
2887 
2888 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2889 			  cp->own_addr_type, cp->filter_policy);
2890 
2891 	hci_dev_unlock(hdev);
2892 }
2893 
2894 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2895 {
2896 	struct hci_cp_le_read_remote_features *cp;
2897 	struct hci_conn *conn;
2898 
2899 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2900 
2901 	if (!status)
2902 		return;
2903 
2904 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2905 	if (!cp)
2906 		return;
2907 
2908 	hci_dev_lock(hdev);
2909 
2910 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2911 	if (conn) {
2912 		if (conn->state == BT_CONFIG) {
2913 			hci_connect_cfm(conn, status);
2914 			hci_conn_drop(conn);
2915 		}
2916 	}
2917 
2918 	hci_dev_unlock(hdev);
2919 }
2920 
2921 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2922 {
2923 	struct hci_cp_le_start_enc *cp;
2924 	struct hci_conn *conn;
2925 
2926 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2927 
2928 	if (!status)
2929 		return;
2930 
2931 	hci_dev_lock(hdev);
2932 
2933 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2934 	if (!cp)
2935 		goto unlock;
2936 
2937 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2938 	if (!conn)
2939 		goto unlock;
2940 
2941 	if (conn->state != BT_CONNECTED)
2942 		goto unlock;
2943 
2944 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2945 	hci_conn_drop(conn);
2946 
2947 unlock:
2948 	hci_dev_unlock(hdev);
2949 }
2950 
2951 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2952 {
2953 	struct hci_cp_switch_role *cp;
2954 	struct hci_conn *conn;
2955 
2956 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2957 
2958 	if (!status)
2959 		return;
2960 
2961 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2962 	if (!cp)
2963 		return;
2964 
2965 	hci_dev_lock(hdev);
2966 
2967 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2968 	if (conn)
2969 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2970 
2971 	hci_dev_unlock(hdev);
2972 }
2973 
2974 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
2975 				     struct sk_buff *skb)
2976 {
2977 	struct hci_ev_status *ev = data;
2978 	struct discovery_state *discov = &hdev->discovery;
2979 	struct inquiry_entry *e;
2980 
2981 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
2982 
2983 	hci_conn_check_pending(hdev);
2984 
2985 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2986 		return;
2987 
2988 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2989 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2990 
2991 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2992 		return;
2993 
2994 	hci_dev_lock(hdev);
2995 
2996 	if (discov->state != DISCOVERY_FINDING)
2997 		goto unlock;
2998 
2999 	if (list_empty(&discov->resolve)) {
3000 		/* When BR/EDR inquiry is active and no LE scanning is in
3001 		 * progress, then change discovery state to indicate completion.
3002 		 *
3003 		 * When running LE scanning and BR/EDR inquiry simultaneously
3004 		 * and the LE scan already finished, then change the discovery
3005 		 * state to indicate completion.
3006 		 */
3007 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3008 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3009 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3010 		goto unlock;
3011 	}
3012 
3013 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3014 	if (e && hci_resolve_name(hdev, e) == 0) {
3015 		e->name_state = NAME_PENDING;
3016 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3017 		discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3018 	} else {
3019 		/* When BR/EDR inquiry is active and no LE scanning is in
3020 		 * progress, then change discovery state to indicate completion.
3021 		 *
3022 		 * When running LE scanning and BR/EDR inquiry simultaneously
3023 		 * and the LE scan already finished, then change the discovery
3024 		 * state to indicate completion.
3025 		 */
3026 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3027 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3028 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3029 	}
3030 
3031 unlock:
3032 	hci_dev_unlock(hdev);
3033 }
3034 
3035 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3036 				   struct sk_buff *skb)
3037 {
3038 	struct hci_ev_inquiry_result *ev = edata;
3039 	struct inquiry_data data;
3040 	int i;
3041 
3042 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3043 			     flex_array_size(ev, info, ev->num)))
3044 		return;
3045 
3046 	bt_dev_dbg(hdev, "num %d", ev->num);
3047 
3048 	if (!ev->num)
3049 		return;
3050 
3051 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3052 		return;
3053 
3054 	hci_dev_lock(hdev);
3055 
3056 	for (i = 0; i < ev->num; i++) {
3057 		struct inquiry_info *info = &ev->info[i];
3058 		u32 flags;
3059 
3060 		bacpy(&data.bdaddr, &info->bdaddr);
3061 		data.pscan_rep_mode	= info->pscan_rep_mode;
3062 		data.pscan_period_mode	= info->pscan_period_mode;
3063 		data.pscan_mode		= info->pscan_mode;
3064 		memcpy(data.dev_class, info->dev_class, 3);
3065 		data.clock_offset	= info->clock_offset;
3066 		data.rssi		= HCI_RSSI_INVALID;
3067 		data.ssp_mode		= 0x00;
3068 
3069 		flags = hci_inquiry_cache_update(hdev, &data, false);
3070 
3071 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3072 				  info->dev_class, HCI_RSSI_INVALID,
3073 				  flags, NULL, 0, NULL, 0, 0);
3074 	}
3075 
3076 	hci_dev_unlock(hdev);
3077 }
3078 
3079 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3080 				  struct sk_buff *skb)
3081 {
3082 	struct hci_ev_conn_complete *ev = data;
3083 	struct hci_conn *conn;
3084 	u8 status = ev->status;
3085 
3086 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
3087 
3088 	hci_dev_lock(hdev);
3089 
3090 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3091 	if (!conn) {
3092 		/* In case of error status and there is no connection pending
3093 		 * just unlock as there is nothing to cleanup.
3094 		 */
3095 		if (ev->status)
3096 			goto unlock;
3097 
3098 		/* Connection may not exist if auto-connected. Check the bredr
3099 		 * allowlist to see if this device is allowed to auto connect.
3100 		 * If link is an ACL type, create a connection class
3101 		 * automatically.
3102 		 *
3103 		 * Auto-connect will only occur if the event filter is
3104 		 * programmed with a given address. Right now, event filter is
3105 		 * only used during suspend.
3106 		 */
3107 		if (ev->link_type == ACL_LINK &&
3108 		    hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3109 						      &ev->bdaddr,
3110 						      BDADDR_BREDR)) {
3111 			conn = hci_conn_add_unset(hdev, ev->link_type,
3112 						  &ev->bdaddr, HCI_ROLE_SLAVE);
3113 			if (IS_ERR(conn)) {
3114 				bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3115 				goto unlock;
3116 			}
3117 		} else {
3118 			if (ev->link_type != SCO_LINK)
3119 				goto unlock;
3120 
3121 			conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3122 						       &ev->bdaddr);
3123 			if (!conn)
3124 				goto unlock;
3125 
3126 			conn->type = SCO_LINK;
3127 		}
3128 	}
3129 
3130 	/* The HCI_Connection_Complete event is only sent once per connection.
3131 	 * Processing it more than once per connection can corrupt kernel memory.
3132 	 *
3133 	 * As the connection handle is set here for the first time, it indicates
3134 	 * whether the connection is already set up.
3135 	 */
3136 	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3137 		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3138 		goto unlock;
3139 	}
3140 
3141 	if (!status) {
3142 		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3143 		if (status)
3144 			goto done;
3145 
3146 		if (conn->type == ACL_LINK) {
3147 			conn->state = BT_CONFIG;
3148 			hci_conn_hold(conn);
3149 
3150 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3151 			    !hci_find_link_key(hdev, &ev->bdaddr))
3152 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3153 			else
3154 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3155 		} else
3156 			conn->state = BT_CONNECTED;
3157 
3158 		hci_debugfs_create_conn(conn);
3159 		hci_conn_add_sysfs(conn);
3160 
3161 		if (test_bit(HCI_AUTH, &hdev->flags))
3162 			set_bit(HCI_CONN_AUTH, &conn->flags);
3163 
3164 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
3165 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3166 
3167 		/* "Link key request" completed ahead of "connect request" completes */
3168 		if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3169 		    ev->link_type == ACL_LINK) {
3170 			struct link_key *key;
3171 			struct hci_cp_read_enc_key_size cp;
3172 
3173 			key = hci_find_link_key(hdev, &ev->bdaddr);
3174 			if (key) {
3175 				set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3176 
3177 				if (!read_key_size_capable(hdev)) {
3178 					conn->enc_key_size = HCI_LINK_KEY_SIZE;
3179 				} else {
3180 					cp.handle = cpu_to_le16(conn->handle);
3181 					if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3182 							 sizeof(cp), &cp)) {
3183 						bt_dev_err(hdev, "sending read key size failed");
3184 						conn->enc_key_size = HCI_LINK_KEY_SIZE;
3185 					}
3186 				}
3187 
3188 				hci_encrypt_cfm(conn, ev->status);
3189 			}
3190 		}
3191 
3192 		/* Get remote features */
3193 		if (conn->type == ACL_LINK) {
3194 			struct hci_cp_read_remote_features cp;
3195 			cp.handle = ev->handle;
3196 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3197 				     sizeof(cp), &cp);
3198 
3199 			hci_update_scan(hdev);
3200 		}
3201 
3202 		/* Set packet type for incoming connection */
3203 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3204 			struct hci_cp_change_conn_ptype cp;
3205 			cp.handle = ev->handle;
3206 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
3207 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3208 				     &cp);
3209 		}
3210 	}
3211 
3212 	if (conn->type == ACL_LINK)
3213 		hci_sco_setup(conn, ev->status);
3214 
3215 done:
3216 	if (status) {
3217 		hci_conn_failed(conn, status);
3218 	} else if (ev->link_type == SCO_LINK) {
3219 		switch (conn->setting & SCO_AIRMODE_MASK) {
3220 		case SCO_AIRMODE_CVSD:
3221 			if (hdev->notify)
3222 				hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3223 			break;
3224 		}
3225 
3226 		hci_connect_cfm(conn, status);
3227 	}
3228 
3229 unlock:
3230 	hci_dev_unlock(hdev);
3231 
3232 	hci_conn_check_pending(hdev);
3233 }
3234 
3235 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3236 {
3237 	struct hci_cp_reject_conn_req cp;
3238 
3239 	bacpy(&cp.bdaddr, bdaddr);
3240 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3241 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3242 }
3243 
3244 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3245 				 struct sk_buff *skb)
3246 {
3247 	struct hci_ev_conn_request *ev = data;
3248 	int mask = hdev->link_mode;
3249 	struct inquiry_entry *ie;
3250 	struct hci_conn *conn;
3251 	__u8 flags = 0;
3252 
3253 	bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3254 
3255 	/* Reject incoming connection from device with same BD ADDR against
3256 	 * CVE-2020-26555
3257 	 */
3258 	if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3259 		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3260 			   &ev->bdaddr);
3261 		hci_reject_conn(hdev, &ev->bdaddr);
3262 		return;
3263 	}
3264 
3265 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3266 				      &flags);
3267 
3268 	if (!(mask & HCI_LM_ACCEPT)) {
3269 		hci_reject_conn(hdev, &ev->bdaddr);
3270 		return;
3271 	}
3272 
3273 	hci_dev_lock(hdev);
3274 
3275 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3276 				   BDADDR_BREDR)) {
3277 		hci_reject_conn(hdev, &ev->bdaddr);
3278 		goto unlock;
3279 	}
3280 
3281 	/* Require HCI_CONNECTABLE or an accept list entry to accept the
3282 	 * connection. These features are only touched through mgmt so
3283 	 * only do the checks if HCI_MGMT is set.
3284 	 */
3285 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3286 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3287 	    !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3288 					       BDADDR_BREDR)) {
3289 		hci_reject_conn(hdev, &ev->bdaddr);
3290 		goto unlock;
3291 	}
3292 
3293 	/* Connection accepted */
3294 
3295 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3296 	if (ie)
3297 		memcpy(ie->data.dev_class, ev->dev_class, 3);
3298 
3299 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3300 			&ev->bdaddr);
3301 	if (!conn) {
3302 		conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3303 					  HCI_ROLE_SLAVE);
3304 		if (IS_ERR(conn)) {
3305 			bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3306 			goto unlock;
3307 		}
3308 	}
3309 
3310 	memcpy(conn->dev_class, ev->dev_class, 3);
3311 
3312 	hci_dev_unlock(hdev);
3313 
3314 	if (ev->link_type == ACL_LINK ||
3315 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3316 		struct hci_cp_accept_conn_req cp;
3317 		conn->state = BT_CONNECT;
3318 
3319 		bacpy(&cp.bdaddr, &ev->bdaddr);
3320 
3321 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3322 			cp.role = 0x00; /* Become central */
3323 		else
3324 			cp.role = 0x01; /* Remain peripheral */
3325 
3326 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3327 	} else if (!(flags & HCI_PROTO_DEFER)) {
3328 		struct hci_cp_accept_sync_conn_req cp;
3329 		conn->state = BT_CONNECT;
3330 
3331 		bacpy(&cp.bdaddr, &ev->bdaddr);
3332 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
3333 
3334 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
3335 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
3336 		cp.max_latency    = cpu_to_le16(0xffff);
3337 		cp.content_format = cpu_to_le16(hdev->voice_setting);
3338 		cp.retrans_effort = 0xff;
3339 
3340 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3341 			     &cp);
3342 	} else {
3343 		conn->state = BT_CONNECT2;
3344 		hci_connect_cfm(conn, 0);
3345 	}
3346 
3347 	return;
3348 unlock:
3349 	hci_dev_unlock(hdev);
3350 }
3351 
3352 static u8 hci_to_mgmt_reason(u8 err)
3353 {
3354 	switch (err) {
3355 	case HCI_ERROR_CONNECTION_TIMEOUT:
3356 		return MGMT_DEV_DISCONN_TIMEOUT;
3357 	case HCI_ERROR_REMOTE_USER_TERM:
3358 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
3359 	case HCI_ERROR_REMOTE_POWER_OFF:
3360 		return MGMT_DEV_DISCONN_REMOTE;
3361 	case HCI_ERROR_LOCAL_HOST_TERM:
3362 		return MGMT_DEV_DISCONN_LOCAL_HOST;
3363 	default:
3364 		return MGMT_DEV_DISCONN_UNKNOWN;
3365 	}
3366 }
3367 
3368 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3369 				     struct sk_buff *skb)
3370 {
3371 	struct hci_ev_disconn_complete *ev = data;
3372 	u8 reason;
3373 	struct hci_conn_params *params;
3374 	struct hci_conn *conn;
3375 	bool mgmt_connected;
3376 
3377 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3378 
3379 	hci_dev_lock(hdev);
3380 
3381 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3382 	if (!conn)
3383 		goto unlock;
3384 
3385 	if (ev->status) {
3386 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3387 				       conn->dst_type, ev->status);
3388 		goto unlock;
3389 	}
3390 
3391 	conn->state = BT_CLOSED;
3392 
3393 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3394 
3395 	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3396 		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3397 	else
3398 		reason = hci_to_mgmt_reason(ev->reason);
3399 
3400 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3401 				reason, mgmt_connected);
3402 
3403 	if (conn->type == ACL_LINK) {
3404 		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3405 			hci_remove_link_key(hdev, &conn->dst);
3406 
3407 		hci_update_scan(hdev);
3408 	}
3409 
3410 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3411 	if (params) {
3412 		switch (params->auto_connect) {
3413 		case HCI_AUTO_CONN_LINK_LOSS:
3414 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3415 				break;
3416 			fallthrough;
3417 
3418 		case HCI_AUTO_CONN_DIRECT:
3419 		case HCI_AUTO_CONN_ALWAYS:
3420 			hci_pend_le_list_del_init(params);
3421 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
3422 			hci_update_passive_scan(hdev);
3423 			break;
3424 
3425 		default:
3426 			break;
3427 		}
3428 	}
3429 
3430 	hci_disconn_cfm(conn, ev->reason);
3431 
3432 	/* Re-enable advertising if necessary, since it might
3433 	 * have been disabled by the connection. From the
3434 	 * HCI_LE_Set_Advertise_Enable command description in
3435 	 * the core specification (v4.0):
3436 	 * "The Controller shall continue advertising until the Host
3437 	 * issues an LE_Set_Advertise_Enable command with
3438 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
3439 	 * or until a connection is created or until the Advertising
3440 	 * is timed out due to Directed Advertising."
3441 	 */
3442 	if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3443 		hdev->cur_adv_instance = conn->adv_instance;
3444 		hci_enable_advertising(hdev);
3445 	}
3446 
3447 	hci_conn_del(conn);
3448 
3449 unlock:
3450 	hci_dev_unlock(hdev);
3451 }
3452 
3453 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3454 				  struct sk_buff *skb)
3455 {
3456 	struct hci_ev_auth_complete *ev = data;
3457 	struct hci_conn *conn;
3458 
3459 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3460 
3461 	hci_dev_lock(hdev);
3462 
3463 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3464 	if (!conn)
3465 		goto unlock;
3466 
3467 	if (!ev->status) {
3468 		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3469 		set_bit(HCI_CONN_AUTH, &conn->flags);
3470 		conn->sec_level = conn->pending_sec_level;
3471 	} else {
3472 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3473 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3474 
3475 		mgmt_auth_failed(conn, ev->status);
3476 	}
3477 
3478 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3479 
3480 	if (conn->state == BT_CONFIG) {
3481 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
3482 			struct hci_cp_set_conn_encrypt cp;
3483 			cp.handle  = ev->handle;
3484 			cp.encrypt = 0x01;
3485 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3486 				     &cp);
3487 		} else {
3488 			conn->state = BT_CONNECTED;
3489 			hci_connect_cfm(conn, ev->status);
3490 			hci_conn_drop(conn);
3491 		}
3492 	} else {
3493 		hci_auth_cfm(conn, ev->status);
3494 
3495 		hci_conn_hold(conn);
3496 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3497 		hci_conn_drop(conn);
3498 	}
3499 
3500 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3501 		if (!ev->status) {
3502 			struct hci_cp_set_conn_encrypt cp;
3503 			cp.handle  = ev->handle;
3504 			cp.encrypt = 0x01;
3505 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3506 				     &cp);
3507 		} else {
3508 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3509 			hci_encrypt_cfm(conn, ev->status);
3510 		}
3511 	}
3512 
3513 unlock:
3514 	hci_dev_unlock(hdev);
3515 }
3516 
3517 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3518 				struct sk_buff *skb)
3519 {
3520 	struct hci_ev_remote_name *ev = data;
3521 	struct hci_conn *conn;
3522 
3523 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3524 
3525 	hci_dev_lock(hdev);
3526 
3527 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3528 
3529 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3530 		goto check_auth;
3531 
3532 	if (ev->status == 0)
3533 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3534 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3535 	else
3536 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3537 
3538 check_auth:
3539 	if (!conn)
3540 		goto unlock;
3541 
3542 	if (!hci_outgoing_auth_needed(hdev, conn))
3543 		goto unlock;
3544 
3545 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3546 		struct hci_cp_auth_requested cp;
3547 
3548 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3549 
3550 		cp.handle = __cpu_to_le16(conn->handle);
3551 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3552 	}
3553 
3554 unlock:
3555 	hci_dev_unlock(hdev);
3556 }
3557 
3558 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3559 				   struct sk_buff *skb)
3560 {
3561 	struct hci_ev_encrypt_change *ev = data;
3562 	struct hci_conn *conn;
3563 
3564 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3565 
3566 	hci_dev_lock(hdev);
3567 
3568 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3569 	if (!conn)
3570 		goto unlock;
3571 
3572 	if (!ev->status) {
3573 		if (ev->encrypt) {
3574 			/* Encryption implies authentication */
3575 			set_bit(HCI_CONN_AUTH, &conn->flags);
3576 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3577 			conn->sec_level = conn->pending_sec_level;
3578 
3579 			/* P-256 authentication key implies FIPS */
3580 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3581 				set_bit(HCI_CONN_FIPS, &conn->flags);
3582 
3583 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3584 			    conn->type == LE_LINK)
3585 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
3586 		} else {
3587 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3588 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3589 		}
3590 	}
3591 
3592 	/* We should disregard the current RPA and generate a new one
3593 	 * whenever the encryption procedure fails.
3594 	 */
3595 	if (ev->status && conn->type == LE_LINK) {
3596 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3597 		hci_adv_instances_set_rpa_expired(hdev, true);
3598 	}
3599 
3600 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3601 
3602 	/* Check link security requirements are met */
3603 	if (!hci_conn_check_link_mode(conn))
3604 		ev->status = HCI_ERROR_AUTH_FAILURE;
3605 
3606 	if (ev->status && conn->state == BT_CONNECTED) {
3607 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3608 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3609 
3610 		/* Notify upper layers so they can cleanup before
3611 		 * disconnecting.
3612 		 */
3613 		hci_encrypt_cfm(conn, ev->status);
3614 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3615 		hci_conn_drop(conn);
3616 		goto unlock;
3617 	}
3618 
3619 	/* Try reading the encryption key size for encrypted ACL links */
3620 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3621 		struct hci_cp_read_enc_key_size cp;
3622 
3623 		/* Only send HCI_Read_Encryption_Key_Size if the
3624 		 * controller really supports it. If it doesn't, assume
3625 		 * the default size (16).
3626 		 */
3627 		if (!read_key_size_capable(hdev)) {
3628 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
3629 			goto notify;
3630 		}
3631 
3632 		cp.handle = cpu_to_le16(conn->handle);
3633 		if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3634 				 sizeof(cp), &cp)) {
3635 			bt_dev_err(hdev, "sending read key size failed");
3636 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
3637 			goto notify;
3638 		}
3639 
3640 		goto unlock;
3641 	}
3642 
3643 	/* Set the default Authenticated Payload Timeout after
3644 	 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3645 	 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3646 	 * sent when the link is active and Encryption is enabled, the conn
3647 	 * type can be either LE or ACL and controller must support LMP Ping.
3648 	 * Ensure for AES-CCM encryption as well.
3649 	 */
3650 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3651 	    test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3652 	    ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3653 	     (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3654 		struct hci_cp_write_auth_payload_to cp;
3655 
3656 		cp.handle = cpu_to_le16(conn->handle);
3657 		cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3658 		if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3659 				 sizeof(cp), &cp))
3660 			bt_dev_err(hdev, "write auth payload timeout failed");
3661 	}
3662 
3663 notify:
3664 	hci_encrypt_cfm(conn, ev->status);
3665 
3666 unlock:
3667 	hci_dev_unlock(hdev);
3668 }
3669 
3670 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3671 					     struct sk_buff *skb)
3672 {
3673 	struct hci_ev_change_link_key_complete *ev = data;
3674 	struct hci_conn *conn;
3675 
3676 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3677 
3678 	hci_dev_lock(hdev);
3679 
3680 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3681 	if (conn) {
3682 		if (!ev->status)
3683 			set_bit(HCI_CONN_SECURE, &conn->flags);
3684 
3685 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3686 
3687 		hci_key_change_cfm(conn, ev->status);
3688 	}
3689 
3690 	hci_dev_unlock(hdev);
3691 }
3692 
3693 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3694 				    struct sk_buff *skb)
3695 {
3696 	struct hci_ev_remote_features *ev = data;
3697 	struct hci_conn *conn;
3698 
3699 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3700 
3701 	hci_dev_lock(hdev);
3702 
3703 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3704 	if (!conn)
3705 		goto unlock;
3706 
3707 	if (!ev->status)
3708 		memcpy(conn->features[0], ev->features, 8);
3709 
3710 	if (conn->state != BT_CONFIG)
3711 		goto unlock;
3712 
3713 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
3714 	    lmp_ext_feat_capable(conn)) {
3715 		struct hci_cp_read_remote_ext_features cp;
3716 		cp.handle = ev->handle;
3717 		cp.page = 0x01;
3718 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3719 			     sizeof(cp), &cp);
3720 		goto unlock;
3721 	}
3722 
3723 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3724 		struct hci_cp_remote_name_req cp;
3725 		memset(&cp, 0, sizeof(cp));
3726 		bacpy(&cp.bdaddr, &conn->dst);
3727 		cp.pscan_rep_mode = 0x02;
3728 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3729 	} else {
3730 		mgmt_device_connected(hdev, conn, NULL, 0);
3731 	}
3732 
3733 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3734 		conn->state = BT_CONNECTED;
3735 		hci_connect_cfm(conn, ev->status);
3736 		hci_conn_drop(conn);
3737 	}
3738 
3739 unlock:
3740 	hci_dev_unlock(hdev);
3741 }
3742 
3743 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3744 {
3745 	cancel_delayed_work(&hdev->cmd_timer);
3746 
3747 	rcu_read_lock();
3748 	if (!test_bit(HCI_RESET, &hdev->flags)) {
3749 		if (ncmd) {
3750 			cancel_delayed_work(&hdev->ncmd_timer);
3751 			atomic_set(&hdev->cmd_cnt, 1);
3752 		} else {
3753 			if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3754 				queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3755 						   HCI_NCMD_TIMEOUT);
3756 		}
3757 	}
3758 	rcu_read_unlock();
3759 }
3760 
3761 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3762 					struct sk_buff *skb)
3763 {
3764 	struct hci_rp_le_read_buffer_size_v2 *rp = data;
3765 
3766 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3767 
3768 	if (rp->status)
3769 		return rp->status;
3770 
3771 	hdev->le_mtu   = __le16_to_cpu(rp->acl_mtu);
3772 	hdev->le_pkts  = rp->acl_max_pkt;
3773 	hdev->iso_mtu  = __le16_to_cpu(rp->iso_mtu);
3774 	hdev->iso_pkts = rp->iso_max_pkt;
3775 
3776 	hdev->le_cnt  = hdev->le_pkts;
3777 	hdev->iso_cnt = hdev->iso_pkts;
3778 
3779 	BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3780 	       hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3781 
3782 	if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
3783 		return HCI_ERROR_INVALID_PARAMETERS;
3784 
3785 	return rp->status;
3786 }
3787 
3788 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3789 {
3790 	struct hci_conn *conn, *tmp;
3791 
3792 	lockdep_assert_held(&hdev->lock);
3793 
3794 	list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3795 		if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3796 		    conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3797 			continue;
3798 
3799 		if (HCI_CONN_HANDLE_UNSET(conn->handle))
3800 			hci_conn_failed(conn, status);
3801 	}
3802 }
3803 
3804 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3805 				   struct sk_buff *skb)
3806 {
3807 	struct hci_rp_le_set_cig_params *rp = data;
3808 	struct hci_cp_le_set_cig_params *cp;
3809 	struct hci_conn *conn;
3810 	u8 status = rp->status;
3811 	bool pending = false;
3812 	int i;
3813 
3814 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3815 
3816 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3817 	if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3818 			    rp->cig_id != cp->cig_id)) {
3819 		bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3820 		status = HCI_ERROR_UNSPECIFIED;
3821 	}
3822 
3823 	hci_dev_lock(hdev);
3824 
3825 	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3826 	 *
3827 	 * If the Status return parameter is non-zero, then the state of the CIG
3828 	 * and its CIS configurations shall not be changed by the command. If
3829 	 * the CIG did not already exist, it shall not be created.
3830 	 */
3831 	if (status) {
3832 		/* Keep current configuration, fail only the unbound CIS */
3833 		hci_unbound_cis_failed(hdev, rp->cig_id, status);
3834 		goto unlock;
3835 	}
3836 
3837 	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3838 	 *
3839 	 * If the Status return parameter is zero, then the Controller shall
3840 	 * set the Connection_Handle arrayed return parameter to the connection
3841 	 * handle(s) corresponding to the CIS configurations specified in
3842 	 * the CIS_IDs command parameter, in the same order.
3843 	 */
3844 	for (i = 0; i < rp->num_handles; ++i) {
3845 		conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3846 						cp->cis[i].cis_id);
3847 		if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3848 			continue;
3849 
3850 		if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3851 			continue;
3852 
3853 		if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3854 			continue;
3855 
3856 		if (conn->state == BT_CONNECT)
3857 			pending = true;
3858 	}
3859 
3860 unlock:
3861 	if (pending)
3862 		hci_le_create_cis_pending(hdev);
3863 
3864 	hci_dev_unlock(hdev);
3865 
3866 	return rp->status;
3867 }
3868 
3869 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3870 				   struct sk_buff *skb)
3871 {
3872 	struct hci_rp_le_setup_iso_path *rp = data;
3873 	struct hci_cp_le_setup_iso_path *cp;
3874 	struct hci_conn *conn;
3875 
3876 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3877 
3878 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3879 	if (!cp)
3880 		return rp->status;
3881 
3882 	hci_dev_lock(hdev);
3883 
3884 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3885 	if (!conn)
3886 		goto unlock;
3887 
3888 	if (rp->status) {
3889 		hci_connect_cfm(conn, rp->status);
3890 		hci_conn_del(conn);
3891 		goto unlock;
3892 	}
3893 
3894 	switch (cp->direction) {
3895 	/* Input (Host to Controller) */
3896 	case 0x00:
3897 		/* Only confirm connection if output only */
3898 		if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3899 			hci_connect_cfm(conn, rp->status);
3900 		break;
3901 	/* Output (Controller to Host) */
3902 	case 0x01:
3903 		/* Confirm connection since conn->iso_qos is always configured
3904 		 * last.
3905 		 */
3906 		hci_connect_cfm(conn, rp->status);
3907 
3908 		/* Notify device connected in case it is a BIG Sync */
3909 		if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
3910 			mgmt_device_connected(hdev, conn, NULL, 0);
3911 
3912 		break;
3913 	}
3914 
3915 unlock:
3916 	hci_dev_unlock(hdev);
3917 	return rp->status;
3918 }
3919 
3920 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3921 {
3922 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
3923 }
3924 
3925 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3926 				   struct sk_buff *skb)
3927 {
3928 	struct hci_ev_status *rp = data;
3929 	struct hci_cp_le_set_per_adv_params *cp;
3930 
3931 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3932 
3933 	if (rp->status)
3934 		return rp->status;
3935 
3936 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3937 	if (!cp)
3938 		return rp->status;
3939 
3940 	/* TODO: set the conn state */
3941 	return rp->status;
3942 }
3943 
3944 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3945 				       struct sk_buff *skb)
3946 {
3947 	struct hci_ev_status *rp = data;
3948 	struct hci_cp_le_set_per_adv_enable *cp;
3949 	struct adv_info *adv = NULL, *n;
3950 	u8 per_adv_cnt = 0;
3951 
3952 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3953 
3954 	if (rp->status)
3955 		return rp->status;
3956 
3957 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3958 	if (!cp)
3959 		return rp->status;
3960 
3961 	hci_dev_lock(hdev);
3962 
3963 	adv = hci_find_adv_instance(hdev, cp->handle);
3964 
3965 	if (cp->enable) {
3966 		hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
3967 
3968 		if (adv)
3969 			adv->enabled = true;
3970 	} else {
3971 		/* If just one instance was disabled check if there are
3972 		 * any other instance enabled before clearing HCI_LE_PER_ADV.
3973 		 * The current periodic adv instance will be marked as
3974 		 * disabled once extended advertising is also disabled.
3975 		 */
3976 		list_for_each_entry_safe(adv, n, &hdev->adv_instances,
3977 					 list) {
3978 			if (adv->periodic && adv->enabled)
3979 				per_adv_cnt++;
3980 		}
3981 
3982 		if (per_adv_cnt > 1)
3983 			goto unlock;
3984 
3985 		hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
3986 	}
3987 
3988 unlock:
3989 	hci_dev_unlock(hdev);
3990 
3991 	return rp->status;
3992 }
3993 
3994 #define HCI_CC_VL(_op, _func, _min, _max) \
3995 { \
3996 	.op = _op, \
3997 	.func = _func, \
3998 	.min_len = _min, \
3999 	.max_len = _max, \
4000 }
4001 
4002 #define HCI_CC(_op, _func, _len) \
4003 	HCI_CC_VL(_op, _func, _len, _len)
4004 
4005 #define HCI_CC_STATUS(_op, _func) \
4006 	HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4007 
4008 static const struct hci_cc {
4009 	u16  op;
4010 	u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4011 	u16  min_len;
4012 	u16  max_len;
4013 } hci_cc_table[] = {
4014 	HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4015 	HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4016 	HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4017 	HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4018 		      hci_cc_remote_name_req_cancel),
4019 	HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4020 	       sizeof(struct hci_rp_role_discovery)),
4021 	HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4022 	       sizeof(struct hci_rp_read_link_policy)),
4023 	HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4024 	       sizeof(struct hci_rp_write_link_policy)),
4025 	HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4026 	       sizeof(struct hci_rp_read_def_link_policy)),
4027 	HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4028 		      hci_cc_write_def_link_policy),
4029 	HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4030 	HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4031 	       sizeof(struct hci_rp_read_stored_link_key)),
4032 	HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4033 	       sizeof(struct hci_rp_delete_stored_link_key)),
4034 	HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4035 	HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4036 	       sizeof(struct hci_rp_read_local_name)),
4037 	HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4038 	HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4039 	HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4040 	HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4041 	HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4042 	       sizeof(struct hci_rp_read_class_of_dev)),
4043 	HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4044 	HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4045 	       sizeof(struct hci_rp_read_voice_setting)),
4046 	HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4047 	HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4048 	       sizeof(struct hci_rp_read_num_supported_iac)),
4049 	HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4050 	HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4051 	HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4052 	       sizeof(struct hci_rp_read_auth_payload_to)),
4053 	HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4054 	       sizeof(struct hci_rp_write_auth_payload_to)),
4055 	HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4056 	       sizeof(struct hci_rp_read_local_version)),
4057 	HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4058 	       sizeof(struct hci_rp_read_local_commands)),
4059 	HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4060 	       sizeof(struct hci_rp_read_local_features)),
4061 	HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4062 	       sizeof(struct hci_rp_read_local_ext_features)),
4063 	HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4064 	       sizeof(struct hci_rp_read_buffer_size)),
4065 	HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4066 	       sizeof(struct hci_rp_read_bd_addr)),
4067 	HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4068 	       sizeof(struct hci_rp_read_local_pairing_opts)),
4069 	HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4070 	       sizeof(struct hci_rp_read_page_scan_activity)),
4071 	HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4072 		      hci_cc_write_page_scan_activity),
4073 	HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4074 	       sizeof(struct hci_rp_read_page_scan_type)),
4075 	HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4076 	HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4077 	       sizeof(struct hci_rp_read_clock)),
4078 	HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4079 	       sizeof(struct hci_rp_read_enc_key_size)),
4080 	HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4081 	       sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4082 	HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4083 	       hci_cc_read_def_err_data_reporting,
4084 	       sizeof(struct hci_rp_read_def_err_data_reporting)),
4085 	HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4086 		      hci_cc_write_def_err_data_reporting),
4087 	HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4088 	       sizeof(struct hci_rp_pin_code_reply)),
4089 	HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4090 	       sizeof(struct hci_rp_pin_code_neg_reply)),
4091 	HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4092 	       sizeof(struct hci_rp_read_local_oob_data)),
4093 	HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4094 	       sizeof(struct hci_rp_read_local_oob_ext_data)),
4095 	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4096 	       sizeof(struct hci_rp_le_read_buffer_size)),
4097 	HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4098 	       sizeof(struct hci_rp_le_read_local_features)),
4099 	HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4100 	       sizeof(struct hci_rp_le_read_adv_tx_power)),
4101 	HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4102 	       sizeof(struct hci_rp_user_confirm_reply)),
4103 	HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4104 	       sizeof(struct hci_rp_user_confirm_reply)),
4105 	HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4106 	       sizeof(struct hci_rp_user_confirm_reply)),
4107 	HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4108 	       sizeof(struct hci_rp_user_confirm_reply)),
4109 	HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4110 	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4111 	HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4112 	HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4113 	HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4114 	       hci_cc_le_read_accept_list_size,
4115 	       sizeof(struct hci_rp_le_read_accept_list_size)),
4116 	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4117 	HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4118 		      hci_cc_le_add_to_accept_list),
4119 	HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4120 		      hci_cc_le_del_from_accept_list),
4121 	HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4122 	       sizeof(struct hci_rp_le_read_supported_states)),
4123 	HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4124 	       sizeof(struct hci_rp_le_read_def_data_len)),
4125 	HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4126 		      hci_cc_le_write_def_data_len),
4127 	HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4128 		      hci_cc_le_add_to_resolv_list),
4129 	HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4130 		      hci_cc_le_del_from_resolv_list),
4131 	HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4132 		      hci_cc_le_clear_resolv_list),
4133 	HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4134 	       sizeof(struct hci_rp_le_read_resolv_list_size)),
4135 	HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4136 		      hci_cc_le_set_addr_resolution_enable),
4137 	HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4138 	       sizeof(struct hci_rp_le_read_max_data_len)),
4139 	HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4140 		      hci_cc_write_le_host_supported),
4141 	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4142 	HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4143 	       sizeof(struct hci_rp_read_rssi)),
4144 	HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4145 	       sizeof(struct hci_rp_read_tx_power)),
4146 	HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4147 	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4148 		      hci_cc_le_set_ext_scan_param),
4149 	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4150 		      hci_cc_le_set_ext_scan_enable),
4151 	HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4152 	HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4153 	       hci_cc_le_read_num_adv_sets,
4154 	       sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4155 	HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4156 	       sizeof(struct hci_rp_le_set_ext_adv_params)),
4157 	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4158 		      hci_cc_le_set_ext_adv_enable),
4159 	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4160 		      hci_cc_le_set_adv_set_random_addr),
4161 	HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4162 	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4163 	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4164 	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4165 		      hci_cc_le_set_per_adv_enable),
4166 	HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4167 	       sizeof(struct hci_rp_le_read_transmit_power)),
4168 	HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4169 	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4170 	       sizeof(struct hci_rp_le_read_buffer_size_v2)),
4171 	HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4172 		  sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4173 	HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4174 	       sizeof(struct hci_rp_le_setup_iso_path)),
4175 };
4176 
4177 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4178 		      struct sk_buff *skb)
4179 {
4180 	void *data;
4181 
4182 	if (skb->len < cc->min_len) {
4183 		bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4184 			   cc->op, skb->len, cc->min_len);
4185 		return HCI_ERROR_UNSPECIFIED;
4186 	}
4187 
4188 	/* Just warn if the length is over max_len size it still be possible to
4189 	 * partially parse the cc so leave to callback to decide if that is
4190 	 * acceptable.
4191 	 */
4192 	if (skb->len > cc->max_len)
4193 		bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4194 			    cc->op, skb->len, cc->max_len);
4195 
4196 	data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4197 	if (!data)
4198 		return HCI_ERROR_UNSPECIFIED;
4199 
4200 	return cc->func(hdev, data, skb);
4201 }
4202 
4203 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4204 				 struct sk_buff *skb, u16 *opcode, u8 *status,
4205 				 hci_req_complete_t *req_complete,
4206 				 hci_req_complete_skb_t *req_complete_skb)
4207 {
4208 	struct hci_ev_cmd_complete *ev = data;
4209 	int i;
4210 
4211 	*opcode = __le16_to_cpu(ev->opcode);
4212 
4213 	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4214 
4215 	for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4216 		if (hci_cc_table[i].op == *opcode) {
4217 			*status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4218 			break;
4219 		}
4220 	}
4221 
4222 	if (i == ARRAY_SIZE(hci_cc_table)) {
4223 		/* Unknown opcode, assume byte 0 contains the status, so
4224 		 * that e.g. __hci_cmd_sync() properly returns errors
4225 		 * for vendor specific commands send by HCI drivers.
4226 		 * If a vendor doesn't actually follow this convention we may
4227 		 * need to introduce a vendor CC table in order to properly set
4228 		 * the status.
4229 		 */
4230 		*status = skb->data[0];
4231 	}
4232 
4233 	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4234 
4235 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4236 			     req_complete_skb);
4237 
4238 	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4239 		bt_dev_err(hdev,
4240 			   "unexpected event for opcode 0x%4.4x", *opcode);
4241 		return;
4242 	}
4243 
4244 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4245 		queue_work(hdev->workqueue, &hdev->cmd_work);
4246 }
4247 
4248 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4249 {
4250 	struct hci_cp_le_create_cis *cp;
4251 	bool pending = false;
4252 	int i;
4253 
4254 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
4255 
4256 	if (!status)
4257 		return;
4258 
4259 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4260 	if (!cp)
4261 		return;
4262 
4263 	hci_dev_lock(hdev);
4264 
4265 	/* Remove connection if command failed */
4266 	for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4267 		struct hci_conn *conn;
4268 		u16 handle;
4269 
4270 		handle = __le16_to_cpu(cp->cis[i].cis_handle);
4271 
4272 		conn = hci_conn_hash_lookup_handle(hdev, handle);
4273 		if (conn) {
4274 			if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4275 					       &conn->flags))
4276 				pending = true;
4277 			conn->state = BT_CLOSED;
4278 			hci_connect_cfm(conn, status);
4279 			hci_conn_del(conn);
4280 		}
4281 	}
4282 
4283 	if (pending)
4284 		hci_le_create_cis_pending(hdev);
4285 
4286 	hci_dev_unlock(hdev);
4287 }
4288 
4289 #define HCI_CS(_op, _func) \
4290 { \
4291 	.op = _op, \
4292 	.func = _func, \
4293 }
4294 
4295 static const struct hci_cs {
4296 	u16  op;
4297 	void (*func)(struct hci_dev *hdev, __u8 status);
4298 } hci_cs_table[] = {
4299 	HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4300 	HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4301 	HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4302 	HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4303 	HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4304 	HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4305 	HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4306 	HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4307 	HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4308 	       hci_cs_read_remote_ext_features),
4309 	HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4310 	HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4311 	       hci_cs_enhanced_setup_sync_conn),
4312 	HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4313 	HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4314 	HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4315 	HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4316 	HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4317 	HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4318 	HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4319 	HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4320 	HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4321 };
4322 
4323 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4324 			       struct sk_buff *skb, u16 *opcode, u8 *status,
4325 			       hci_req_complete_t *req_complete,
4326 			       hci_req_complete_skb_t *req_complete_skb)
4327 {
4328 	struct hci_ev_cmd_status *ev = data;
4329 	int i;
4330 
4331 	*opcode = __le16_to_cpu(ev->opcode);
4332 	*status = ev->status;
4333 
4334 	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4335 
4336 	for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4337 		if (hci_cs_table[i].op == *opcode) {
4338 			hci_cs_table[i].func(hdev, ev->status);
4339 			break;
4340 		}
4341 	}
4342 
4343 	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4344 
4345 	/* Indicate request completion if the command failed. Also, if
4346 	 * we're not waiting for a special event and we get a success
4347 	 * command status we should try to flag the request as completed
4348 	 * (since for this kind of commands there will not be a command
4349 	 * complete event).
4350 	 */
4351 	if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
4352 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4353 				     req_complete_skb);
4354 		if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4355 			bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4356 				   *opcode);
4357 			return;
4358 		}
4359 	}
4360 
4361 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4362 		queue_work(hdev->workqueue, &hdev->cmd_work);
4363 }
4364 
4365 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4366 				   struct sk_buff *skb)
4367 {
4368 	struct hci_ev_hardware_error *ev = data;
4369 
4370 	bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4371 
4372 	hdev->hw_error_code = ev->code;
4373 
4374 	queue_work(hdev->req_workqueue, &hdev->error_reset);
4375 }
4376 
4377 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4378 				struct sk_buff *skb)
4379 {
4380 	struct hci_ev_role_change *ev = data;
4381 	struct hci_conn *conn;
4382 
4383 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4384 
4385 	hci_dev_lock(hdev);
4386 
4387 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4388 	if (conn) {
4389 		if (!ev->status)
4390 			conn->role = ev->role;
4391 
4392 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4393 
4394 		hci_role_switch_cfm(conn, ev->status, ev->role);
4395 	}
4396 
4397 	hci_dev_unlock(hdev);
4398 }
4399 
4400 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4401 				  struct sk_buff *skb)
4402 {
4403 	struct hci_ev_num_comp_pkts *ev = data;
4404 	int i;
4405 
4406 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4407 			     flex_array_size(ev, handles, ev->num)))
4408 		return;
4409 
4410 	bt_dev_dbg(hdev, "num %d", ev->num);
4411 
4412 	for (i = 0; i < ev->num; i++) {
4413 		struct hci_comp_pkts_info *info = &ev->handles[i];
4414 		struct hci_conn *conn;
4415 		__u16  handle, count;
4416 
4417 		handle = __le16_to_cpu(info->handle);
4418 		count  = __le16_to_cpu(info->count);
4419 
4420 		conn = hci_conn_hash_lookup_handle(hdev, handle);
4421 		if (!conn)
4422 			continue;
4423 
4424 		conn->sent -= count;
4425 
4426 		switch (conn->type) {
4427 		case ACL_LINK:
4428 			hdev->acl_cnt += count;
4429 			if (hdev->acl_cnt > hdev->acl_pkts)
4430 				hdev->acl_cnt = hdev->acl_pkts;
4431 			break;
4432 
4433 		case LE_LINK:
4434 			if (hdev->le_pkts) {
4435 				hdev->le_cnt += count;
4436 				if (hdev->le_cnt > hdev->le_pkts)
4437 					hdev->le_cnt = hdev->le_pkts;
4438 			} else {
4439 				hdev->acl_cnt += count;
4440 				if (hdev->acl_cnt > hdev->acl_pkts)
4441 					hdev->acl_cnt = hdev->acl_pkts;
4442 			}
4443 			break;
4444 
4445 		case SCO_LINK:
4446 			hdev->sco_cnt += count;
4447 			if (hdev->sco_cnt > hdev->sco_pkts)
4448 				hdev->sco_cnt = hdev->sco_pkts;
4449 			break;
4450 
4451 		case ISO_LINK:
4452 			if (hdev->iso_pkts) {
4453 				hdev->iso_cnt += count;
4454 				if (hdev->iso_cnt > hdev->iso_pkts)
4455 					hdev->iso_cnt = hdev->iso_pkts;
4456 			} else if (hdev->le_pkts) {
4457 				hdev->le_cnt += count;
4458 				if (hdev->le_cnt > hdev->le_pkts)
4459 					hdev->le_cnt = hdev->le_pkts;
4460 			} else {
4461 				hdev->acl_cnt += count;
4462 				if (hdev->acl_cnt > hdev->acl_pkts)
4463 					hdev->acl_cnt = hdev->acl_pkts;
4464 			}
4465 			break;
4466 
4467 		default:
4468 			bt_dev_err(hdev, "unknown type %d conn %p",
4469 				   conn->type, conn);
4470 			break;
4471 		}
4472 	}
4473 
4474 	queue_work(hdev->workqueue, &hdev->tx_work);
4475 }
4476 
4477 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4478 				struct sk_buff *skb)
4479 {
4480 	struct hci_ev_mode_change *ev = data;
4481 	struct hci_conn *conn;
4482 
4483 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4484 
4485 	hci_dev_lock(hdev);
4486 
4487 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4488 	if (conn) {
4489 		conn->mode = ev->mode;
4490 
4491 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4492 					&conn->flags)) {
4493 			if (conn->mode == HCI_CM_ACTIVE)
4494 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4495 			else
4496 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4497 		}
4498 
4499 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4500 			hci_sco_setup(conn, ev->status);
4501 	}
4502 
4503 	hci_dev_unlock(hdev);
4504 }
4505 
4506 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4507 				     struct sk_buff *skb)
4508 {
4509 	struct hci_ev_pin_code_req *ev = data;
4510 	struct hci_conn *conn;
4511 
4512 	bt_dev_dbg(hdev, "");
4513 
4514 	hci_dev_lock(hdev);
4515 
4516 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4517 	if (!conn)
4518 		goto unlock;
4519 
4520 	if (conn->state == BT_CONNECTED) {
4521 		hci_conn_hold(conn);
4522 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4523 		hci_conn_drop(conn);
4524 	}
4525 
4526 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4527 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4528 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4529 			     sizeof(ev->bdaddr), &ev->bdaddr);
4530 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4531 		u8 secure;
4532 
4533 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
4534 			secure = 1;
4535 		else
4536 			secure = 0;
4537 
4538 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4539 	}
4540 
4541 unlock:
4542 	hci_dev_unlock(hdev);
4543 }
4544 
4545 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4546 {
4547 	if (key_type == HCI_LK_CHANGED_COMBINATION)
4548 		return;
4549 
4550 	conn->pin_length = pin_len;
4551 	conn->key_type = key_type;
4552 
4553 	switch (key_type) {
4554 	case HCI_LK_LOCAL_UNIT:
4555 	case HCI_LK_REMOTE_UNIT:
4556 	case HCI_LK_DEBUG_COMBINATION:
4557 		return;
4558 	case HCI_LK_COMBINATION:
4559 		if (pin_len == 16)
4560 			conn->pending_sec_level = BT_SECURITY_HIGH;
4561 		else
4562 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
4563 		break;
4564 	case HCI_LK_UNAUTH_COMBINATION_P192:
4565 	case HCI_LK_UNAUTH_COMBINATION_P256:
4566 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
4567 		break;
4568 	case HCI_LK_AUTH_COMBINATION_P192:
4569 		conn->pending_sec_level = BT_SECURITY_HIGH;
4570 		break;
4571 	case HCI_LK_AUTH_COMBINATION_P256:
4572 		conn->pending_sec_level = BT_SECURITY_FIPS;
4573 		break;
4574 	}
4575 }
4576 
4577 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4578 				     struct sk_buff *skb)
4579 {
4580 	struct hci_ev_link_key_req *ev = data;
4581 	struct hci_cp_link_key_reply cp;
4582 	struct hci_conn *conn;
4583 	struct link_key *key;
4584 
4585 	bt_dev_dbg(hdev, "");
4586 
4587 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4588 		return;
4589 
4590 	hci_dev_lock(hdev);
4591 
4592 	key = hci_find_link_key(hdev, &ev->bdaddr);
4593 	if (!key) {
4594 		bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4595 		goto not_found;
4596 	}
4597 
4598 	bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4599 
4600 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4601 	if (conn) {
4602 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4603 
4604 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4605 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4606 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4607 			bt_dev_dbg(hdev, "ignoring unauthenticated key");
4608 			goto not_found;
4609 		}
4610 
4611 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4612 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
4613 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
4614 			bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4615 			goto not_found;
4616 		}
4617 
4618 		conn_set_key(conn, key->type, key->pin_len);
4619 	}
4620 
4621 	bacpy(&cp.bdaddr, &ev->bdaddr);
4622 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4623 
4624 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4625 
4626 	hci_dev_unlock(hdev);
4627 
4628 	return;
4629 
4630 not_found:
4631 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4632 	hci_dev_unlock(hdev);
4633 }
4634 
4635 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4636 				    struct sk_buff *skb)
4637 {
4638 	struct hci_ev_link_key_notify *ev = data;
4639 	struct hci_conn *conn;
4640 	struct link_key *key;
4641 	bool persistent;
4642 	u8 pin_len = 0;
4643 
4644 	bt_dev_dbg(hdev, "");
4645 
4646 	hci_dev_lock(hdev);
4647 
4648 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4649 	if (!conn)
4650 		goto unlock;
4651 
4652 	/* Ignore NULL link key against CVE-2020-26555 */
4653 	if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4654 		bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4655 			   &ev->bdaddr);
4656 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4657 		hci_conn_drop(conn);
4658 		goto unlock;
4659 	}
4660 
4661 	hci_conn_hold(conn);
4662 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4663 	hci_conn_drop(conn);
4664 
4665 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4666 	conn_set_key(conn, ev->key_type, conn->pin_length);
4667 
4668 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4669 		goto unlock;
4670 
4671 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4672 			        ev->key_type, pin_len, &persistent);
4673 	if (!key)
4674 		goto unlock;
4675 
4676 	/* Update connection information since adding the key will have
4677 	 * fixed up the type in the case of changed combination keys.
4678 	 */
4679 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4680 		conn_set_key(conn, key->type, key->pin_len);
4681 
4682 	mgmt_new_link_key(hdev, key, persistent);
4683 
4684 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4685 	 * is set. If it's not set simply remove the key from the kernel
4686 	 * list (we've still notified user space about it but with
4687 	 * store_hint being 0).
4688 	 */
4689 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
4690 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4691 		list_del_rcu(&key->list);
4692 		kfree_rcu(key, rcu);
4693 		goto unlock;
4694 	}
4695 
4696 	if (persistent)
4697 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4698 	else
4699 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4700 
4701 unlock:
4702 	hci_dev_unlock(hdev);
4703 }
4704 
4705 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4706 				 struct sk_buff *skb)
4707 {
4708 	struct hci_ev_clock_offset *ev = data;
4709 	struct hci_conn *conn;
4710 
4711 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4712 
4713 	hci_dev_lock(hdev);
4714 
4715 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4716 	if (conn && !ev->status) {
4717 		struct inquiry_entry *ie;
4718 
4719 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4720 		if (ie) {
4721 			ie->data.clock_offset = ev->clock_offset;
4722 			ie->timestamp = jiffies;
4723 		}
4724 	}
4725 
4726 	hci_dev_unlock(hdev);
4727 }
4728 
4729 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4730 				    struct sk_buff *skb)
4731 {
4732 	struct hci_ev_pkt_type_change *ev = data;
4733 	struct hci_conn *conn;
4734 
4735 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4736 
4737 	hci_dev_lock(hdev);
4738 
4739 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4740 	if (conn && !ev->status)
4741 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4742 
4743 	hci_dev_unlock(hdev);
4744 }
4745 
4746 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4747 				   struct sk_buff *skb)
4748 {
4749 	struct hci_ev_pscan_rep_mode *ev = data;
4750 	struct inquiry_entry *ie;
4751 
4752 	bt_dev_dbg(hdev, "");
4753 
4754 	hci_dev_lock(hdev);
4755 
4756 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4757 	if (ie) {
4758 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4759 		ie->timestamp = jiffies;
4760 	}
4761 
4762 	hci_dev_unlock(hdev);
4763 }
4764 
4765 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4766 					     struct sk_buff *skb)
4767 {
4768 	struct hci_ev_inquiry_result_rssi *ev = edata;
4769 	struct inquiry_data data;
4770 	int i;
4771 
4772 	bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4773 
4774 	if (!ev->num)
4775 		return;
4776 
4777 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4778 		return;
4779 
4780 	hci_dev_lock(hdev);
4781 
4782 	if (skb->len == array_size(ev->num,
4783 				   sizeof(struct inquiry_info_rssi_pscan))) {
4784 		struct inquiry_info_rssi_pscan *info;
4785 
4786 		for (i = 0; i < ev->num; i++) {
4787 			u32 flags;
4788 
4789 			info = hci_ev_skb_pull(hdev, skb,
4790 					       HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4791 					       sizeof(*info));
4792 			if (!info) {
4793 				bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4794 					   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4795 				goto unlock;
4796 			}
4797 
4798 			bacpy(&data.bdaddr, &info->bdaddr);
4799 			data.pscan_rep_mode	= info->pscan_rep_mode;
4800 			data.pscan_period_mode	= info->pscan_period_mode;
4801 			data.pscan_mode		= info->pscan_mode;
4802 			memcpy(data.dev_class, info->dev_class, 3);
4803 			data.clock_offset	= info->clock_offset;
4804 			data.rssi		= info->rssi;
4805 			data.ssp_mode		= 0x00;
4806 
4807 			flags = hci_inquiry_cache_update(hdev, &data, false);
4808 
4809 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4810 					  info->dev_class, info->rssi,
4811 					  flags, NULL, 0, NULL, 0, 0);
4812 		}
4813 	} else if (skb->len == array_size(ev->num,
4814 					  sizeof(struct inquiry_info_rssi))) {
4815 		struct inquiry_info_rssi *info;
4816 
4817 		for (i = 0; i < ev->num; i++) {
4818 			u32 flags;
4819 
4820 			info = hci_ev_skb_pull(hdev, skb,
4821 					       HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4822 					       sizeof(*info));
4823 			if (!info) {
4824 				bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4825 					   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4826 				goto unlock;
4827 			}
4828 
4829 			bacpy(&data.bdaddr, &info->bdaddr);
4830 			data.pscan_rep_mode	= info->pscan_rep_mode;
4831 			data.pscan_period_mode	= info->pscan_period_mode;
4832 			data.pscan_mode		= 0x00;
4833 			memcpy(data.dev_class, info->dev_class, 3);
4834 			data.clock_offset	= info->clock_offset;
4835 			data.rssi		= info->rssi;
4836 			data.ssp_mode		= 0x00;
4837 
4838 			flags = hci_inquiry_cache_update(hdev, &data, false);
4839 
4840 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4841 					  info->dev_class, info->rssi,
4842 					  flags, NULL, 0, NULL, 0, 0);
4843 		}
4844 	} else {
4845 		bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4846 			   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4847 	}
4848 unlock:
4849 	hci_dev_unlock(hdev);
4850 }
4851 
4852 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4853 					struct sk_buff *skb)
4854 {
4855 	struct hci_ev_remote_ext_features *ev = data;
4856 	struct hci_conn *conn;
4857 
4858 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4859 
4860 	hci_dev_lock(hdev);
4861 
4862 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4863 	if (!conn)
4864 		goto unlock;
4865 
4866 	if (ev->page < HCI_MAX_PAGES)
4867 		memcpy(conn->features[ev->page], ev->features, 8);
4868 
4869 	if (!ev->status && ev->page == 0x01) {
4870 		struct inquiry_entry *ie;
4871 
4872 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4873 		if (ie)
4874 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4875 
4876 		if (ev->features[0] & LMP_HOST_SSP) {
4877 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4878 		} else {
4879 			/* It is mandatory by the Bluetooth specification that
4880 			 * Extended Inquiry Results are only used when Secure
4881 			 * Simple Pairing is enabled, but some devices violate
4882 			 * this.
4883 			 *
4884 			 * To make these devices work, the internal SSP
4885 			 * enabled flag needs to be cleared if the remote host
4886 			 * features do not indicate SSP support */
4887 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4888 		}
4889 
4890 		if (ev->features[0] & LMP_HOST_SC)
4891 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4892 	}
4893 
4894 	if (conn->state != BT_CONFIG)
4895 		goto unlock;
4896 
4897 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4898 		struct hci_cp_remote_name_req cp;
4899 		memset(&cp, 0, sizeof(cp));
4900 		bacpy(&cp.bdaddr, &conn->dst);
4901 		cp.pscan_rep_mode = 0x02;
4902 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4903 	} else {
4904 		mgmt_device_connected(hdev, conn, NULL, 0);
4905 	}
4906 
4907 	if (!hci_outgoing_auth_needed(hdev, conn)) {
4908 		conn->state = BT_CONNECTED;
4909 		hci_connect_cfm(conn, ev->status);
4910 		hci_conn_drop(conn);
4911 	}
4912 
4913 unlock:
4914 	hci_dev_unlock(hdev);
4915 }
4916 
4917 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
4918 				       struct sk_buff *skb)
4919 {
4920 	struct hci_ev_sync_conn_complete *ev = data;
4921 	struct hci_conn *conn;
4922 	u8 status = ev->status;
4923 
4924 	switch (ev->link_type) {
4925 	case SCO_LINK:
4926 	case ESCO_LINK:
4927 		break;
4928 	default:
4929 		/* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
4930 		 * for HCI_Synchronous_Connection_Complete is limited to
4931 		 * either SCO or eSCO
4932 		 */
4933 		bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
4934 		return;
4935 	}
4936 
4937 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
4938 
4939 	hci_dev_lock(hdev);
4940 
4941 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4942 	if (!conn) {
4943 		if (ev->link_type == ESCO_LINK)
4944 			goto unlock;
4945 
4946 		/* When the link type in the event indicates SCO connection
4947 		 * and lookup of the connection object fails, then check
4948 		 * if an eSCO connection object exists.
4949 		 *
4950 		 * The core limits the synchronous connections to either
4951 		 * SCO or eSCO. The eSCO connection is preferred and tried
4952 		 * to be setup first and until successfully established,
4953 		 * the link type will be hinted as eSCO.
4954 		 */
4955 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4956 		if (!conn)
4957 			goto unlock;
4958 	}
4959 
4960 	/* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
4961 	 * Processing it more than once per connection can corrupt kernel memory.
4962 	 *
4963 	 * As the connection handle is set here for the first time, it indicates
4964 	 * whether the connection is already set up.
4965 	 */
4966 	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
4967 		bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
4968 		goto unlock;
4969 	}
4970 
4971 	switch (status) {
4972 	case 0x00:
4973 		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
4974 		if (status) {
4975 			conn->state = BT_CLOSED;
4976 			break;
4977 		}
4978 
4979 		conn->state  = BT_CONNECTED;
4980 		conn->type   = ev->link_type;
4981 
4982 		hci_debugfs_create_conn(conn);
4983 		hci_conn_add_sysfs(conn);
4984 		break;
4985 
4986 	case 0x10:	/* Connection Accept Timeout */
4987 	case 0x0d:	/* Connection Rejected due to Limited Resources */
4988 	case 0x11:	/* Unsupported Feature or Parameter Value */
4989 	case 0x1c:	/* SCO interval rejected */
4990 	case 0x1a:	/* Unsupported Remote Feature */
4991 	case 0x1e:	/* Invalid LMP Parameters */
4992 	case 0x1f:	/* Unspecified error */
4993 	case 0x20:	/* Unsupported LMP Parameter value */
4994 		if (conn->out) {
4995 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4996 					(hdev->esco_type & EDR_ESCO_MASK);
4997 			if (hci_setup_sync(conn, conn->parent->handle))
4998 				goto unlock;
4999 		}
5000 		fallthrough;
5001 
5002 	default:
5003 		conn->state = BT_CLOSED;
5004 		break;
5005 	}
5006 
5007 	bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5008 	/* Notify only in case of SCO over HCI transport data path which
5009 	 * is zero and non-zero value shall be non-HCI transport data path
5010 	 */
5011 	if (conn->codec.data_path == 0 && hdev->notify) {
5012 		switch (ev->air_mode) {
5013 		case 0x02:
5014 			hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5015 			break;
5016 		case 0x03:
5017 			hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5018 			break;
5019 		}
5020 	}
5021 
5022 	hci_connect_cfm(conn, status);
5023 	if (status)
5024 		hci_conn_del(conn);
5025 
5026 unlock:
5027 	hci_dev_unlock(hdev);
5028 }
5029 
5030 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5031 {
5032 	size_t parsed = 0;
5033 
5034 	while (parsed < eir_len) {
5035 		u8 field_len = eir[0];
5036 
5037 		if (field_len == 0)
5038 			return parsed;
5039 
5040 		parsed += field_len + 1;
5041 		eir += field_len + 1;
5042 	}
5043 
5044 	return eir_len;
5045 }
5046 
5047 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5048 					    struct sk_buff *skb)
5049 {
5050 	struct hci_ev_ext_inquiry_result *ev = edata;
5051 	struct inquiry_data data;
5052 	size_t eir_len;
5053 	int i;
5054 
5055 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5056 			     flex_array_size(ev, info, ev->num)))
5057 		return;
5058 
5059 	bt_dev_dbg(hdev, "num %d", ev->num);
5060 
5061 	if (!ev->num)
5062 		return;
5063 
5064 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5065 		return;
5066 
5067 	hci_dev_lock(hdev);
5068 
5069 	for (i = 0; i < ev->num; i++) {
5070 		struct extended_inquiry_info *info = &ev->info[i];
5071 		u32 flags;
5072 		bool name_known;
5073 
5074 		bacpy(&data.bdaddr, &info->bdaddr);
5075 		data.pscan_rep_mode	= info->pscan_rep_mode;
5076 		data.pscan_period_mode	= info->pscan_period_mode;
5077 		data.pscan_mode		= 0x00;
5078 		memcpy(data.dev_class, info->dev_class, 3);
5079 		data.clock_offset	= info->clock_offset;
5080 		data.rssi		= info->rssi;
5081 		data.ssp_mode		= 0x01;
5082 
5083 		if (hci_dev_test_flag(hdev, HCI_MGMT))
5084 			name_known = eir_get_data(info->data,
5085 						  sizeof(info->data),
5086 						  EIR_NAME_COMPLETE, NULL);
5087 		else
5088 			name_known = true;
5089 
5090 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
5091 
5092 		eir_len = eir_get_length(info->data, sizeof(info->data));
5093 
5094 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5095 				  info->dev_class, info->rssi,
5096 				  flags, info->data, eir_len, NULL, 0, 0);
5097 	}
5098 
5099 	hci_dev_unlock(hdev);
5100 }
5101 
5102 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5103 					 struct sk_buff *skb)
5104 {
5105 	struct hci_ev_key_refresh_complete *ev = data;
5106 	struct hci_conn *conn;
5107 
5108 	bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5109 		   __le16_to_cpu(ev->handle));
5110 
5111 	hci_dev_lock(hdev);
5112 
5113 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5114 	if (!conn)
5115 		goto unlock;
5116 
5117 	/* For BR/EDR the necessary steps are taken through the
5118 	 * auth_complete event.
5119 	 */
5120 	if (conn->type != LE_LINK)
5121 		goto unlock;
5122 
5123 	if (!ev->status)
5124 		conn->sec_level = conn->pending_sec_level;
5125 
5126 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5127 
5128 	if (ev->status && conn->state == BT_CONNECTED) {
5129 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5130 		hci_conn_drop(conn);
5131 		goto unlock;
5132 	}
5133 
5134 	if (conn->state == BT_CONFIG) {
5135 		if (!ev->status)
5136 			conn->state = BT_CONNECTED;
5137 
5138 		hci_connect_cfm(conn, ev->status);
5139 		hci_conn_drop(conn);
5140 	} else {
5141 		hci_auth_cfm(conn, ev->status);
5142 
5143 		hci_conn_hold(conn);
5144 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5145 		hci_conn_drop(conn);
5146 	}
5147 
5148 unlock:
5149 	hci_dev_unlock(hdev);
5150 }
5151 
5152 static u8 hci_get_auth_req(struct hci_conn *conn)
5153 {
5154 	/* If remote requests no-bonding follow that lead */
5155 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
5156 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5157 		return conn->remote_auth | (conn->auth_type & 0x01);
5158 
5159 	/* If both remote and local have enough IO capabilities, require
5160 	 * MITM protection
5161 	 */
5162 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5163 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5164 		return conn->remote_auth | 0x01;
5165 
5166 	/* No MITM protection possible so ignore remote requirement */
5167 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5168 }
5169 
5170 static u8 bredr_oob_data_present(struct hci_conn *conn)
5171 {
5172 	struct hci_dev *hdev = conn->hdev;
5173 	struct oob_data *data;
5174 
5175 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5176 	if (!data)
5177 		return 0x00;
5178 
5179 	if (bredr_sc_enabled(hdev)) {
5180 		/* When Secure Connections is enabled, then just
5181 		 * return the present value stored with the OOB
5182 		 * data. The stored value contains the right present
5183 		 * information. However it can only be trusted when
5184 		 * not in Secure Connection Only mode.
5185 		 */
5186 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5187 			return data->present;
5188 
5189 		/* When Secure Connections Only mode is enabled, then
5190 		 * the P-256 values are required. If they are not
5191 		 * available, then do not declare that OOB data is
5192 		 * present.
5193 		 */
5194 		if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5195 		    !crypto_memneq(data->hash256, ZERO_KEY, 16))
5196 			return 0x00;
5197 
5198 		return 0x02;
5199 	}
5200 
5201 	/* When Secure Connections is not enabled or actually
5202 	 * not supported by the hardware, then check that if
5203 	 * P-192 data values are present.
5204 	 */
5205 	if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5206 	    !crypto_memneq(data->hash192, ZERO_KEY, 16))
5207 		return 0x00;
5208 
5209 	return 0x01;
5210 }
5211 
5212 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5213 				    struct sk_buff *skb)
5214 {
5215 	struct hci_ev_io_capa_request *ev = data;
5216 	struct hci_conn *conn;
5217 
5218 	bt_dev_dbg(hdev, "");
5219 
5220 	hci_dev_lock(hdev);
5221 
5222 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5223 	if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5224 		goto unlock;
5225 
5226 	/* Assume remote supports SSP since it has triggered this event */
5227 	set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5228 
5229 	hci_conn_hold(conn);
5230 
5231 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5232 		goto unlock;
5233 
5234 	/* Allow pairing if we're pairable, the initiators of the
5235 	 * pairing or if the remote is not requesting bonding.
5236 	 */
5237 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5238 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5239 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5240 		struct hci_cp_io_capability_reply cp;
5241 
5242 		bacpy(&cp.bdaddr, &ev->bdaddr);
5243 		/* Change the IO capability from KeyboardDisplay
5244 		 * to DisplayYesNo as it is not supported by BT spec. */
5245 		cp.capability = (conn->io_capability == 0x04) ?
5246 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
5247 
5248 		/* If we are initiators, there is no remote information yet */
5249 		if (conn->remote_auth == 0xff) {
5250 			/* Request MITM protection if our IO caps allow it
5251 			 * except for the no-bonding case.
5252 			 */
5253 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5254 			    conn->auth_type != HCI_AT_NO_BONDING)
5255 				conn->auth_type |= 0x01;
5256 		} else {
5257 			conn->auth_type = hci_get_auth_req(conn);
5258 		}
5259 
5260 		/* If we're not bondable, force one of the non-bondable
5261 		 * authentication requirement values.
5262 		 */
5263 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5264 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5265 
5266 		cp.authentication = conn->auth_type;
5267 		cp.oob_data = bredr_oob_data_present(conn);
5268 
5269 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5270 			     sizeof(cp), &cp);
5271 	} else {
5272 		struct hci_cp_io_capability_neg_reply cp;
5273 
5274 		bacpy(&cp.bdaddr, &ev->bdaddr);
5275 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5276 
5277 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5278 			     sizeof(cp), &cp);
5279 	}
5280 
5281 unlock:
5282 	hci_dev_unlock(hdev);
5283 }
5284 
5285 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5286 				  struct sk_buff *skb)
5287 {
5288 	struct hci_ev_io_capa_reply *ev = data;
5289 	struct hci_conn *conn;
5290 
5291 	bt_dev_dbg(hdev, "");
5292 
5293 	hci_dev_lock(hdev);
5294 
5295 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5296 	if (!conn)
5297 		goto unlock;
5298 
5299 	conn->remote_cap = ev->capability;
5300 	conn->remote_auth = ev->authentication;
5301 
5302 unlock:
5303 	hci_dev_unlock(hdev);
5304 }
5305 
5306 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5307 					 struct sk_buff *skb)
5308 {
5309 	struct hci_ev_user_confirm_req *ev = data;
5310 	int loc_mitm, rem_mitm, confirm_hint = 0;
5311 	struct hci_conn *conn;
5312 
5313 	bt_dev_dbg(hdev, "");
5314 
5315 	hci_dev_lock(hdev);
5316 
5317 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5318 		goto unlock;
5319 
5320 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5321 	if (!conn)
5322 		goto unlock;
5323 
5324 	loc_mitm = (conn->auth_type & 0x01);
5325 	rem_mitm = (conn->remote_auth & 0x01);
5326 
5327 	/* If we require MITM but the remote device can't provide that
5328 	 * (it has NoInputNoOutput) then reject the confirmation
5329 	 * request. We check the security level here since it doesn't
5330 	 * necessarily match conn->auth_type.
5331 	 */
5332 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5333 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5334 		bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5335 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5336 			     sizeof(ev->bdaddr), &ev->bdaddr);
5337 		goto unlock;
5338 	}
5339 
5340 	/* If no side requires MITM protection; auto-accept */
5341 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5342 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5343 
5344 		/* If we're not the initiators request authorization to
5345 		 * proceed from user space (mgmt_user_confirm with
5346 		 * confirm_hint set to 1). The exception is if neither
5347 		 * side had MITM or if the local IO capability is
5348 		 * NoInputNoOutput, in which case we do auto-accept
5349 		 */
5350 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5351 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5352 		    (loc_mitm || rem_mitm)) {
5353 			bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5354 			confirm_hint = 1;
5355 			goto confirm;
5356 		}
5357 
5358 		/* If there already exists link key in local host, leave the
5359 		 * decision to user space since the remote device could be
5360 		 * legitimate or malicious.
5361 		 */
5362 		if (hci_find_link_key(hdev, &ev->bdaddr)) {
5363 			bt_dev_dbg(hdev, "Local host already has link key");
5364 			confirm_hint = 1;
5365 			goto confirm;
5366 		}
5367 
5368 		BT_DBG("Auto-accept of user confirmation with %ums delay",
5369 		       hdev->auto_accept_delay);
5370 
5371 		if (hdev->auto_accept_delay > 0) {
5372 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5373 			queue_delayed_work(conn->hdev->workqueue,
5374 					   &conn->auto_accept_work, delay);
5375 			goto unlock;
5376 		}
5377 
5378 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5379 			     sizeof(ev->bdaddr), &ev->bdaddr);
5380 		goto unlock;
5381 	}
5382 
5383 confirm:
5384 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5385 				  le32_to_cpu(ev->passkey), confirm_hint);
5386 
5387 unlock:
5388 	hci_dev_unlock(hdev);
5389 }
5390 
5391 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5392 					 struct sk_buff *skb)
5393 {
5394 	struct hci_ev_user_passkey_req *ev = data;
5395 
5396 	bt_dev_dbg(hdev, "");
5397 
5398 	if (hci_dev_test_flag(hdev, HCI_MGMT))
5399 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5400 }
5401 
5402 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5403 					struct sk_buff *skb)
5404 {
5405 	struct hci_ev_user_passkey_notify *ev = data;
5406 	struct hci_conn *conn;
5407 
5408 	bt_dev_dbg(hdev, "");
5409 
5410 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5411 	if (!conn)
5412 		return;
5413 
5414 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
5415 	conn->passkey_entered = 0;
5416 
5417 	if (hci_dev_test_flag(hdev, HCI_MGMT))
5418 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5419 					 conn->dst_type, conn->passkey_notify,
5420 					 conn->passkey_entered);
5421 }
5422 
5423 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5424 				    struct sk_buff *skb)
5425 {
5426 	struct hci_ev_keypress_notify *ev = data;
5427 	struct hci_conn *conn;
5428 
5429 	bt_dev_dbg(hdev, "");
5430 
5431 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5432 	if (!conn)
5433 		return;
5434 
5435 	switch (ev->type) {
5436 	case HCI_KEYPRESS_STARTED:
5437 		conn->passkey_entered = 0;
5438 		return;
5439 
5440 	case HCI_KEYPRESS_ENTERED:
5441 		conn->passkey_entered++;
5442 		break;
5443 
5444 	case HCI_KEYPRESS_ERASED:
5445 		conn->passkey_entered--;
5446 		break;
5447 
5448 	case HCI_KEYPRESS_CLEARED:
5449 		conn->passkey_entered = 0;
5450 		break;
5451 
5452 	case HCI_KEYPRESS_COMPLETED:
5453 		return;
5454 	}
5455 
5456 	if (hci_dev_test_flag(hdev, HCI_MGMT))
5457 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5458 					 conn->dst_type, conn->passkey_notify,
5459 					 conn->passkey_entered);
5460 }
5461 
5462 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5463 					 struct sk_buff *skb)
5464 {
5465 	struct hci_ev_simple_pair_complete *ev = data;
5466 	struct hci_conn *conn;
5467 
5468 	bt_dev_dbg(hdev, "");
5469 
5470 	hci_dev_lock(hdev);
5471 
5472 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5473 	if (!conn || !hci_conn_ssp_enabled(conn))
5474 		goto unlock;
5475 
5476 	/* Reset the authentication requirement to unknown */
5477 	conn->remote_auth = 0xff;
5478 
5479 	/* To avoid duplicate auth_failed events to user space we check
5480 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
5481 	 * initiated the authentication. A traditional auth_complete
5482 	 * event gets always produced as initiator and is also mapped to
5483 	 * the mgmt_auth_failed event */
5484 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5485 		mgmt_auth_failed(conn, ev->status);
5486 
5487 	hci_conn_drop(conn);
5488 
5489 unlock:
5490 	hci_dev_unlock(hdev);
5491 }
5492 
5493 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5494 					 struct sk_buff *skb)
5495 {
5496 	struct hci_ev_remote_host_features *ev = data;
5497 	struct inquiry_entry *ie;
5498 	struct hci_conn *conn;
5499 
5500 	bt_dev_dbg(hdev, "");
5501 
5502 	hci_dev_lock(hdev);
5503 
5504 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5505 	if (conn)
5506 		memcpy(conn->features[1], ev->features, 8);
5507 
5508 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5509 	if (ie)
5510 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5511 
5512 	hci_dev_unlock(hdev);
5513 }
5514 
5515 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5516 					    struct sk_buff *skb)
5517 {
5518 	struct hci_ev_remote_oob_data_request *ev = edata;
5519 	struct oob_data *data;
5520 
5521 	bt_dev_dbg(hdev, "");
5522 
5523 	hci_dev_lock(hdev);
5524 
5525 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5526 		goto unlock;
5527 
5528 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5529 	if (!data) {
5530 		struct hci_cp_remote_oob_data_neg_reply cp;
5531 
5532 		bacpy(&cp.bdaddr, &ev->bdaddr);
5533 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5534 			     sizeof(cp), &cp);
5535 		goto unlock;
5536 	}
5537 
5538 	if (bredr_sc_enabled(hdev)) {
5539 		struct hci_cp_remote_oob_ext_data_reply cp;
5540 
5541 		bacpy(&cp.bdaddr, &ev->bdaddr);
5542 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5543 			memset(cp.hash192, 0, sizeof(cp.hash192));
5544 			memset(cp.rand192, 0, sizeof(cp.rand192));
5545 		} else {
5546 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5547 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5548 		}
5549 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5550 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5551 
5552 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5553 			     sizeof(cp), &cp);
5554 	} else {
5555 		struct hci_cp_remote_oob_data_reply cp;
5556 
5557 		bacpy(&cp.bdaddr, &ev->bdaddr);
5558 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5559 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5560 
5561 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5562 			     sizeof(cp), &cp);
5563 	}
5564 
5565 unlock:
5566 	hci_dev_unlock(hdev);
5567 }
5568 
5569 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5570 				u8 bdaddr_type, bdaddr_t *local_rpa)
5571 {
5572 	if (conn->out) {
5573 		conn->dst_type = bdaddr_type;
5574 		conn->resp_addr_type = bdaddr_type;
5575 		bacpy(&conn->resp_addr, bdaddr);
5576 
5577 		/* Check if the controller has set a Local RPA then it must be
5578 		 * used instead or hdev->rpa.
5579 		 */
5580 		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5581 			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5582 			bacpy(&conn->init_addr, local_rpa);
5583 		} else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5584 			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5585 			bacpy(&conn->init_addr, &conn->hdev->rpa);
5586 		} else {
5587 			hci_copy_identity_address(conn->hdev, &conn->init_addr,
5588 						  &conn->init_addr_type);
5589 		}
5590 	} else {
5591 		conn->resp_addr_type = conn->hdev->adv_addr_type;
5592 		/* Check if the controller has set a Local RPA then it must be
5593 		 * used instead or hdev->rpa.
5594 		 */
5595 		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5596 			conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5597 			bacpy(&conn->resp_addr, local_rpa);
5598 		} else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5599 			/* In case of ext adv, resp_addr will be updated in
5600 			 * Adv Terminated event.
5601 			 */
5602 			if (!ext_adv_capable(conn->hdev))
5603 				bacpy(&conn->resp_addr,
5604 				      &conn->hdev->random_addr);
5605 		} else {
5606 			bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5607 		}
5608 
5609 		conn->init_addr_type = bdaddr_type;
5610 		bacpy(&conn->init_addr, bdaddr);
5611 
5612 		/* For incoming connections, set the default minimum
5613 		 * and maximum connection interval. They will be used
5614 		 * to check if the parameters are in range and if not
5615 		 * trigger the connection update procedure.
5616 		 */
5617 		conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5618 		conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5619 	}
5620 }
5621 
5622 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5623 				 bdaddr_t *bdaddr, u8 bdaddr_type,
5624 				 bdaddr_t *local_rpa, u8 role, u16 handle,
5625 				 u16 interval, u16 latency,
5626 				 u16 supervision_timeout)
5627 {
5628 	struct hci_conn_params *params;
5629 	struct hci_conn *conn;
5630 	struct smp_irk *irk;
5631 	u8 addr_type;
5632 
5633 	hci_dev_lock(hdev);
5634 
5635 	/* All controllers implicitly stop advertising in the event of a
5636 	 * connection, so ensure that the state bit is cleared.
5637 	 */
5638 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
5639 
5640 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5641 	if (!conn) {
5642 		/* In case of error status and there is no connection pending
5643 		 * just unlock as there is nothing to cleanup.
5644 		 */
5645 		if (status)
5646 			goto unlock;
5647 
5648 		conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5649 		if (IS_ERR(conn)) {
5650 			bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
5651 			goto unlock;
5652 		}
5653 
5654 		conn->dst_type = bdaddr_type;
5655 
5656 		/* If we didn't have a hci_conn object previously
5657 		 * but we're in central role this must be something
5658 		 * initiated using an accept list. Since accept list based
5659 		 * connections are not "first class citizens" we don't
5660 		 * have full tracking of them. Therefore, we go ahead
5661 		 * with a "best effort" approach of determining the
5662 		 * initiator address based on the HCI_PRIVACY flag.
5663 		 */
5664 		if (conn->out) {
5665 			conn->resp_addr_type = bdaddr_type;
5666 			bacpy(&conn->resp_addr, bdaddr);
5667 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5668 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5669 				bacpy(&conn->init_addr, &hdev->rpa);
5670 			} else {
5671 				hci_copy_identity_address(hdev,
5672 							  &conn->init_addr,
5673 							  &conn->init_addr_type);
5674 			}
5675 		}
5676 	} else {
5677 		cancel_delayed_work(&conn->le_conn_timeout);
5678 	}
5679 
5680 	/* The HCI_LE_Connection_Complete event is only sent once per connection.
5681 	 * Processing it more than once per connection can corrupt kernel memory.
5682 	 *
5683 	 * As the connection handle is set here for the first time, it indicates
5684 	 * whether the connection is already set up.
5685 	 */
5686 	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5687 		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5688 		goto unlock;
5689 	}
5690 
5691 	le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5692 
5693 	/* Lookup the identity address from the stored connection
5694 	 * address and address type.
5695 	 *
5696 	 * When establishing connections to an identity address, the
5697 	 * connection procedure will store the resolvable random
5698 	 * address first. Now if it can be converted back into the
5699 	 * identity address, start using the identity address from
5700 	 * now on.
5701 	 */
5702 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5703 	if (irk) {
5704 		bacpy(&conn->dst, &irk->bdaddr);
5705 		conn->dst_type = irk->addr_type;
5706 	}
5707 
5708 	conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5709 
5710 	/* All connection failure handling is taken care of by the
5711 	 * hci_conn_failed function which is triggered by the HCI
5712 	 * request completion callbacks used for connecting.
5713 	 */
5714 	if (status || hci_conn_set_handle(conn, handle))
5715 		goto unlock;
5716 
5717 	/* Drop the connection if it has been aborted */
5718 	if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5719 		hci_conn_drop(conn);
5720 		goto unlock;
5721 	}
5722 
5723 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5724 		addr_type = BDADDR_LE_PUBLIC;
5725 	else
5726 		addr_type = BDADDR_LE_RANDOM;
5727 
5728 	/* Drop the connection if the device is blocked */
5729 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5730 		hci_conn_drop(conn);
5731 		goto unlock;
5732 	}
5733 
5734 	mgmt_device_connected(hdev, conn, NULL, 0);
5735 
5736 	conn->sec_level = BT_SECURITY_LOW;
5737 	conn->state = BT_CONFIG;
5738 
5739 	/* Store current advertising instance as connection advertising instance
5740 	 * when sotfware rotation is in use so it can be re-enabled when
5741 	 * disconnected.
5742 	 */
5743 	if (!ext_adv_capable(hdev))
5744 		conn->adv_instance = hdev->cur_adv_instance;
5745 
5746 	conn->le_conn_interval = interval;
5747 	conn->le_conn_latency = latency;
5748 	conn->le_supv_timeout = supervision_timeout;
5749 
5750 	hci_debugfs_create_conn(conn);
5751 	hci_conn_add_sysfs(conn);
5752 
5753 	/* The remote features procedure is defined for central
5754 	 * role only. So only in case of an initiated connection
5755 	 * request the remote features.
5756 	 *
5757 	 * If the local controller supports peripheral-initiated features
5758 	 * exchange, then requesting the remote features in peripheral
5759 	 * role is possible. Otherwise just transition into the
5760 	 * connected state without requesting the remote features.
5761 	 */
5762 	if (conn->out ||
5763 	    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5764 		struct hci_cp_le_read_remote_features cp;
5765 
5766 		cp.handle = __cpu_to_le16(conn->handle);
5767 
5768 		hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5769 			     sizeof(cp), &cp);
5770 
5771 		hci_conn_hold(conn);
5772 	} else {
5773 		conn->state = BT_CONNECTED;
5774 		hci_connect_cfm(conn, status);
5775 	}
5776 
5777 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5778 					   conn->dst_type);
5779 	if (params) {
5780 		hci_pend_le_list_del_init(params);
5781 		if (params->conn) {
5782 			hci_conn_drop(params->conn);
5783 			hci_conn_put(params->conn);
5784 			params->conn = NULL;
5785 		}
5786 	}
5787 
5788 unlock:
5789 	hci_update_passive_scan(hdev);
5790 	hci_dev_unlock(hdev);
5791 }
5792 
5793 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5794 				     struct sk_buff *skb)
5795 {
5796 	struct hci_ev_le_conn_complete *ev = data;
5797 
5798 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5799 
5800 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5801 			     NULL, ev->role, le16_to_cpu(ev->handle),
5802 			     le16_to_cpu(ev->interval),
5803 			     le16_to_cpu(ev->latency),
5804 			     le16_to_cpu(ev->supervision_timeout));
5805 }
5806 
5807 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5808 					 struct sk_buff *skb)
5809 {
5810 	struct hci_ev_le_enh_conn_complete *ev = data;
5811 
5812 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5813 
5814 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5815 			     &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5816 			     le16_to_cpu(ev->interval),
5817 			     le16_to_cpu(ev->latency),
5818 			     le16_to_cpu(ev->supervision_timeout));
5819 }
5820 
5821 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5822 				    struct sk_buff *skb)
5823 {
5824 	struct hci_evt_le_ext_adv_set_term *ev = data;
5825 	struct hci_conn *conn;
5826 	struct adv_info *adv, *n;
5827 
5828 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5829 
5830 	/* The Bluetooth Core 5.3 specification clearly states that this event
5831 	 * shall not be sent when the Host disables the advertising set. So in
5832 	 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
5833 	 *
5834 	 * When the Host disables an advertising set, all cleanup is done via
5835 	 * its command callback and not needed to be duplicated here.
5836 	 */
5837 	if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
5838 		bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
5839 		return;
5840 	}
5841 
5842 	hci_dev_lock(hdev);
5843 
5844 	adv = hci_find_adv_instance(hdev, ev->handle);
5845 
5846 	if (ev->status) {
5847 		if (!adv)
5848 			goto unlock;
5849 
5850 		/* Remove advertising as it has been terminated */
5851 		hci_remove_adv_instance(hdev, ev->handle);
5852 		mgmt_advertising_removed(NULL, hdev, ev->handle);
5853 
5854 		list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
5855 			if (adv->enabled)
5856 				goto unlock;
5857 		}
5858 
5859 		/* We are no longer advertising, clear HCI_LE_ADV */
5860 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
5861 		goto unlock;
5862 	}
5863 
5864 	if (adv)
5865 		adv->enabled = false;
5866 
5867 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5868 	if (conn) {
5869 		/* Store handle in the connection so the correct advertising
5870 		 * instance can be re-enabled when disconnected.
5871 		 */
5872 		conn->adv_instance = ev->handle;
5873 
5874 		if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5875 		    bacmp(&conn->resp_addr, BDADDR_ANY))
5876 			goto unlock;
5877 
5878 		if (!ev->handle) {
5879 			bacpy(&conn->resp_addr, &hdev->random_addr);
5880 			goto unlock;
5881 		}
5882 
5883 		if (adv)
5884 			bacpy(&conn->resp_addr, &adv->random_addr);
5885 	}
5886 
5887 unlock:
5888 	hci_dev_unlock(hdev);
5889 }
5890 
5891 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
5892 					    struct sk_buff *skb)
5893 {
5894 	struct hci_ev_le_conn_update_complete *ev = data;
5895 	struct hci_conn *conn;
5896 
5897 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5898 
5899 	if (ev->status)
5900 		return;
5901 
5902 	hci_dev_lock(hdev);
5903 
5904 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5905 	if (conn) {
5906 		conn->le_conn_interval = le16_to_cpu(ev->interval);
5907 		conn->le_conn_latency = le16_to_cpu(ev->latency);
5908 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5909 	}
5910 
5911 	hci_dev_unlock(hdev);
5912 }
5913 
5914 /* This function requires the caller holds hdev->lock */
5915 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5916 					      bdaddr_t *addr,
5917 					      u8 addr_type, bool addr_resolved,
5918 					      u8 adv_type)
5919 {
5920 	struct hci_conn *conn;
5921 	struct hci_conn_params *params;
5922 
5923 	/* If the event is not connectable don't proceed further */
5924 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5925 		return NULL;
5926 
5927 	/* Ignore if the device is blocked or hdev is suspended */
5928 	if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
5929 	    hdev->suspended)
5930 		return NULL;
5931 
5932 	/* Most controller will fail if we try to create new connections
5933 	 * while we have an existing one in peripheral role.
5934 	 */
5935 	if (hdev->conn_hash.le_num_peripheral > 0 &&
5936 	    (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5937 	     !(hdev->le_states[3] & 0x10)))
5938 		return NULL;
5939 
5940 	/* If we're not connectable only connect devices that we have in
5941 	 * our pend_le_conns list.
5942 	 */
5943 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5944 					   addr_type);
5945 	if (!params)
5946 		return NULL;
5947 
5948 	if (!params->explicit_connect) {
5949 		switch (params->auto_connect) {
5950 		case HCI_AUTO_CONN_DIRECT:
5951 			/* Only devices advertising with ADV_DIRECT_IND are
5952 			 * triggering a connection attempt. This is allowing
5953 			 * incoming connections from peripheral devices.
5954 			 */
5955 			if (adv_type != LE_ADV_DIRECT_IND)
5956 				return NULL;
5957 			break;
5958 		case HCI_AUTO_CONN_ALWAYS:
5959 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
5960 			 * are triggering a connection attempt. This means
5961 			 * that incoming connections from peripheral device are
5962 			 * accepted and also outgoing connections to peripheral
5963 			 * devices are established when found.
5964 			 */
5965 			break;
5966 		default:
5967 			return NULL;
5968 		}
5969 	}
5970 
5971 	conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
5972 			      BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
5973 			      HCI_ROLE_MASTER);
5974 	if (!IS_ERR(conn)) {
5975 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5976 		 * by higher layer that tried to connect, if no then
5977 		 * store the pointer since we don't really have any
5978 		 * other owner of the object besides the params that
5979 		 * triggered it. This way we can abort the connection if
5980 		 * the parameters get removed and keep the reference
5981 		 * count consistent once the connection is established.
5982 		 */
5983 
5984 		if (!params->explicit_connect)
5985 			params->conn = hci_conn_get(conn);
5986 
5987 		return conn;
5988 	}
5989 
5990 	switch (PTR_ERR(conn)) {
5991 	case -EBUSY:
5992 		/* If hci_connect() returns -EBUSY it means there is already
5993 		 * an LE connection attempt going on. Since controllers don't
5994 		 * support more than one connection attempt at the time, we
5995 		 * don't consider this an error case.
5996 		 */
5997 		break;
5998 	default:
5999 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6000 		return NULL;
6001 	}
6002 
6003 	return NULL;
6004 }
6005 
6006 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6007 			       u8 bdaddr_type, bdaddr_t *direct_addr,
6008 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6009 			       bool ext_adv, bool ctl_time, u64 instant)
6010 {
6011 	struct discovery_state *d = &hdev->discovery;
6012 	struct smp_irk *irk;
6013 	struct hci_conn *conn;
6014 	bool match, bdaddr_resolved;
6015 	u32 flags;
6016 	u8 *ptr;
6017 
6018 	switch (type) {
6019 	case LE_ADV_IND:
6020 	case LE_ADV_DIRECT_IND:
6021 	case LE_ADV_SCAN_IND:
6022 	case LE_ADV_NONCONN_IND:
6023 	case LE_ADV_SCAN_RSP:
6024 		break;
6025 	default:
6026 		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6027 				       "type: 0x%02x", type);
6028 		return;
6029 	}
6030 
6031 	if (len > max_adv_len(hdev)) {
6032 		bt_dev_err_ratelimited(hdev,
6033 				       "adv larger than maximum supported");
6034 		return;
6035 	}
6036 
6037 	/* Find the end of the data in case the report contains padded zero
6038 	 * bytes at the end causing an invalid length value.
6039 	 *
6040 	 * When data is NULL, len is 0 so there is no need for extra ptr
6041 	 * check as 'ptr < data + 0' is already false in such case.
6042 	 */
6043 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6044 		if (ptr + 1 + *ptr > data + len)
6045 			break;
6046 	}
6047 
6048 	/* Adjust for actual length. This handles the case when remote
6049 	 * device is advertising with incorrect data length.
6050 	 */
6051 	len = ptr - data;
6052 
6053 	/* If the direct address is present, then this report is from
6054 	 * a LE Direct Advertising Report event. In that case it is
6055 	 * important to see if the address is matching the local
6056 	 * controller address.
6057 	 */
6058 	if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6059 		direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6060 						  &bdaddr_resolved);
6061 
6062 		/* Only resolvable random addresses are valid for these
6063 		 * kind of reports and others can be ignored.
6064 		 */
6065 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6066 			return;
6067 
6068 		/* If the controller is not using resolvable random
6069 		 * addresses, then this report can be ignored.
6070 		 */
6071 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6072 			return;
6073 
6074 		/* If the local IRK of the controller does not match
6075 		 * with the resolvable random address provided, then
6076 		 * this report can be ignored.
6077 		 */
6078 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6079 			return;
6080 	}
6081 
6082 	/* Check if we need to convert to identity address */
6083 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6084 	if (irk) {
6085 		bdaddr = &irk->bdaddr;
6086 		bdaddr_type = irk->addr_type;
6087 	}
6088 
6089 	bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6090 
6091 	/* Check if we have been requested to connect to this device.
6092 	 *
6093 	 * direct_addr is set only for directed advertising reports (it is NULL
6094 	 * for advertising reports) and is already verified to be RPA above.
6095 	 */
6096 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6097 				     type);
6098 	if (!ext_adv && conn && type == LE_ADV_IND &&
6099 	    len <= max_adv_len(hdev)) {
6100 		/* Store report for later inclusion by
6101 		 * mgmt_device_connected
6102 		 */
6103 		memcpy(conn->le_adv_data, data, len);
6104 		conn->le_adv_data_len = len;
6105 	}
6106 
6107 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6108 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6109 	else
6110 		flags = 0;
6111 
6112 	/* All scan results should be sent up for Mesh systems */
6113 	if (hci_dev_test_flag(hdev, HCI_MESH)) {
6114 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6115 				  rssi, flags, data, len, NULL, 0, instant);
6116 		return;
6117 	}
6118 
6119 	/* Passive scanning shouldn't trigger any device found events,
6120 	 * except for devices marked as CONN_REPORT for which we do send
6121 	 * device found events, or advertisement monitoring requested.
6122 	 */
6123 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6124 		if (type == LE_ADV_DIRECT_IND)
6125 			return;
6126 
6127 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6128 					       bdaddr, bdaddr_type) &&
6129 		    idr_is_empty(&hdev->adv_monitors_idr))
6130 			return;
6131 
6132 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6133 				  rssi, flags, data, len, NULL, 0, 0);
6134 		return;
6135 	}
6136 
6137 	/* When receiving a scan response, then there is no way to
6138 	 * know if the remote device is connectable or not. However
6139 	 * since scan responses are merged with a previously seen
6140 	 * advertising report, the flags field from that report
6141 	 * will be used.
6142 	 *
6143 	 * In the unlikely case that a controller just sends a scan
6144 	 * response event that doesn't match the pending report, then
6145 	 * it is marked as a standalone SCAN_RSP.
6146 	 */
6147 	if (type == LE_ADV_SCAN_RSP)
6148 		flags = MGMT_DEV_FOUND_SCAN_RSP;
6149 
6150 	/* If there's nothing pending either store the data from this
6151 	 * event or send an immediate device found event if the data
6152 	 * should not be stored for later.
6153 	 */
6154 	if (!ext_adv &&	!has_pending_adv_report(hdev)) {
6155 		/* If the report will trigger a SCAN_REQ store it for
6156 		 * later merging.
6157 		 */
6158 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6159 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6160 						 rssi, flags, data, len);
6161 			return;
6162 		}
6163 
6164 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6165 				  rssi, flags, data, len, NULL, 0, 0);
6166 		return;
6167 	}
6168 
6169 	/* Check if the pending report is for the same device as the new one */
6170 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6171 		 bdaddr_type == d->last_adv_addr_type);
6172 
6173 	/* If the pending data doesn't match this report or this isn't a
6174 	 * scan response (e.g. we got a duplicate ADV_IND) then force
6175 	 * sending of the pending data.
6176 	 */
6177 	if (type != LE_ADV_SCAN_RSP || !match) {
6178 		/* Send out whatever is in the cache, but skip duplicates */
6179 		if (!match)
6180 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6181 					  d->last_adv_addr_type, NULL,
6182 					  d->last_adv_rssi, d->last_adv_flags,
6183 					  d->last_adv_data,
6184 					  d->last_adv_data_len, NULL, 0, 0);
6185 
6186 		/* If the new report will trigger a SCAN_REQ store it for
6187 		 * later merging.
6188 		 */
6189 		if (!ext_adv && (type == LE_ADV_IND ||
6190 				 type == LE_ADV_SCAN_IND)) {
6191 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6192 						 rssi, flags, data, len);
6193 			return;
6194 		}
6195 
6196 		/* The advertising reports cannot be merged, so clear
6197 		 * the pending report and send out a device found event.
6198 		 */
6199 		clear_pending_adv_report(hdev);
6200 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6201 				  rssi, flags, data, len, NULL, 0, 0);
6202 		return;
6203 	}
6204 
6205 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6206 	 * the new event is a SCAN_RSP. We can therefore proceed with
6207 	 * sending a merged device found event.
6208 	 */
6209 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6210 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6211 			  d->last_adv_data, d->last_adv_data_len, data, len, 0);
6212 	clear_pending_adv_report(hdev);
6213 }
6214 
6215 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6216 				  struct sk_buff *skb)
6217 {
6218 	struct hci_ev_le_advertising_report *ev = data;
6219 	u64 instant = jiffies;
6220 
6221 	if (!ev->num)
6222 		return;
6223 
6224 	hci_dev_lock(hdev);
6225 
6226 	while (ev->num--) {
6227 		struct hci_ev_le_advertising_info *info;
6228 		s8 rssi;
6229 
6230 		info = hci_le_ev_skb_pull(hdev, skb,
6231 					  HCI_EV_LE_ADVERTISING_REPORT,
6232 					  sizeof(*info));
6233 		if (!info)
6234 			break;
6235 
6236 		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6237 					info->length + 1))
6238 			break;
6239 
6240 		if (info->length <= max_adv_len(hdev)) {
6241 			rssi = info->data[info->length];
6242 			process_adv_report(hdev, info->type, &info->bdaddr,
6243 					   info->bdaddr_type, NULL, 0, rssi,
6244 					   info->data, info->length, false,
6245 					   false, instant);
6246 		} else {
6247 			bt_dev_err(hdev, "Dropping invalid advertising data");
6248 		}
6249 	}
6250 
6251 	hci_dev_unlock(hdev);
6252 }
6253 
6254 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6255 {
6256 	if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6257 		switch (evt_type) {
6258 		case LE_LEGACY_ADV_IND:
6259 			return LE_ADV_IND;
6260 		case LE_LEGACY_ADV_DIRECT_IND:
6261 			return LE_ADV_DIRECT_IND;
6262 		case LE_LEGACY_ADV_SCAN_IND:
6263 			return LE_ADV_SCAN_IND;
6264 		case LE_LEGACY_NONCONN_IND:
6265 			return LE_ADV_NONCONN_IND;
6266 		case LE_LEGACY_SCAN_RSP_ADV:
6267 		case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6268 			return LE_ADV_SCAN_RSP;
6269 		}
6270 
6271 		goto invalid;
6272 	}
6273 
6274 	if (evt_type & LE_EXT_ADV_CONN_IND) {
6275 		if (evt_type & LE_EXT_ADV_DIRECT_IND)
6276 			return LE_ADV_DIRECT_IND;
6277 
6278 		return LE_ADV_IND;
6279 	}
6280 
6281 	if (evt_type & LE_EXT_ADV_SCAN_RSP)
6282 		return LE_ADV_SCAN_RSP;
6283 
6284 	if (evt_type & LE_EXT_ADV_SCAN_IND)
6285 		return LE_ADV_SCAN_IND;
6286 
6287 	if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6288 	    evt_type & LE_EXT_ADV_DIRECT_IND)
6289 		return LE_ADV_NONCONN_IND;
6290 
6291 invalid:
6292 	bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6293 			       evt_type);
6294 
6295 	return LE_ADV_INVALID;
6296 }
6297 
6298 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6299 				      struct sk_buff *skb)
6300 {
6301 	struct hci_ev_le_ext_adv_report *ev = data;
6302 	u64 instant = jiffies;
6303 
6304 	if (!ev->num)
6305 		return;
6306 
6307 	hci_dev_lock(hdev);
6308 
6309 	while (ev->num--) {
6310 		struct hci_ev_le_ext_adv_info *info;
6311 		u8 legacy_evt_type;
6312 		u16 evt_type;
6313 
6314 		info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6315 					  sizeof(*info));
6316 		if (!info)
6317 			break;
6318 
6319 		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6320 					info->length))
6321 			break;
6322 
6323 		evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6324 		legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6325 		if (legacy_evt_type != LE_ADV_INVALID) {
6326 			process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6327 					   info->bdaddr_type, NULL, 0,
6328 					   info->rssi, info->data, info->length,
6329 					   !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6330 					   false, instant);
6331 		}
6332 	}
6333 
6334 	hci_dev_unlock(hdev);
6335 }
6336 
6337 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6338 {
6339 	struct hci_cp_le_pa_term_sync cp;
6340 
6341 	memset(&cp, 0, sizeof(cp));
6342 	cp.handle = handle;
6343 
6344 	return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6345 }
6346 
6347 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6348 					    struct sk_buff *skb)
6349 {
6350 	struct hci_ev_le_pa_sync_established *ev = data;
6351 	int mask = hdev->link_mode;
6352 	__u8 flags = 0;
6353 	struct hci_conn *pa_sync;
6354 
6355 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6356 
6357 	hci_dev_lock(hdev);
6358 
6359 	hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6360 
6361 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6362 	if (!(mask & HCI_LM_ACCEPT)) {
6363 		hci_le_pa_term_sync(hdev, ev->handle);
6364 		goto unlock;
6365 	}
6366 
6367 	if (!(flags & HCI_PROTO_DEFER))
6368 		goto unlock;
6369 
6370 	if (ev->status) {
6371 		/* Add connection to indicate the failed PA sync event */
6372 		pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6373 					     HCI_ROLE_SLAVE);
6374 
6375 		if (!pa_sync)
6376 			goto unlock;
6377 
6378 		set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6379 
6380 		/* Notify iso layer */
6381 		hci_connect_cfm(pa_sync, ev->status);
6382 	}
6383 
6384 unlock:
6385 	hci_dev_unlock(hdev);
6386 }
6387 
6388 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6389 				      struct sk_buff *skb)
6390 {
6391 	struct hci_ev_le_per_adv_report *ev = data;
6392 	int mask = hdev->link_mode;
6393 	__u8 flags = 0;
6394 
6395 	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6396 
6397 	hci_dev_lock(hdev);
6398 
6399 	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6400 	if (!(mask & HCI_LM_ACCEPT))
6401 		hci_le_pa_term_sync(hdev, ev->sync_handle);
6402 
6403 	hci_dev_unlock(hdev);
6404 }
6405 
6406 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6407 					    struct sk_buff *skb)
6408 {
6409 	struct hci_ev_le_remote_feat_complete *ev = data;
6410 	struct hci_conn *conn;
6411 
6412 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6413 
6414 	hci_dev_lock(hdev);
6415 
6416 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6417 	if (conn) {
6418 		if (!ev->status)
6419 			memcpy(conn->features[0], ev->features, 8);
6420 
6421 		if (conn->state == BT_CONFIG) {
6422 			__u8 status;
6423 
6424 			/* If the local controller supports peripheral-initiated
6425 			 * features exchange, but the remote controller does
6426 			 * not, then it is possible that the error code 0x1a
6427 			 * for unsupported remote feature gets returned.
6428 			 *
6429 			 * In this specific case, allow the connection to
6430 			 * transition into connected state and mark it as
6431 			 * successful.
6432 			 */
6433 			if (!conn->out && ev->status == 0x1a &&
6434 			    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6435 				status = 0x00;
6436 			else
6437 				status = ev->status;
6438 
6439 			conn->state = BT_CONNECTED;
6440 			hci_connect_cfm(conn, status);
6441 			hci_conn_drop(conn);
6442 		}
6443 	}
6444 
6445 	hci_dev_unlock(hdev);
6446 }
6447 
6448 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6449 				   struct sk_buff *skb)
6450 {
6451 	struct hci_ev_le_ltk_req *ev = data;
6452 	struct hci_cp_le_ltk_reply cp;
6453 	struct hci_cp_le_ltk_neg_reply neg;
6454 	struct hci_conn *conn;
6455 	struct smp_ltk *ltk;
6456 
6457 	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6458 
6459 	hci_dev_lock(hdev);
6460 
6461 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6462 	if (conn == NULL)
6463 		goto not_found;
6464 
6465 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6466 	if (!ltk)
6467 		goto not_found;
6468 
6469 	if (smp_ltk_is_sc(ltk)) {
6470 		/* With SC both EDiv and Rand are set to zero */
6471 		if (ev->ediv || ev->rand)
6472 			goto not_found;
6473 	} else {
6474 		/* For non-SC keys check that EDiv and Rand match */
6475 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6476 			goto not_found;
6477 	}
6478 
6479 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
6480 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6481 	cp.handle = cpu_to_le16(conn->handle);
6482 
6483 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
6484 
6485 	conn->enc_key_size = ltk->enc_size;
6486 
6487 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6488 
6489 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6490 	 * temporary key used to encrypt a connection following
6491 	 * pairing. It is used during the Encrypted Session Setup to
6492 	 * distribute the keys. Later, security can be re-established
6493 	 * using a distributed LTK.
6494 	 */
6495 	if (ltk->type == SMP_STK) {
6496 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6497 		list_del_rcu(&ltk->list);
6498 		kfree_rcu(ltk, rcu);
6499 	} else {
6500 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6501 	}
6502 
6503 	hci_dev_unlock(hdev);
6504 
6505 	return;
6506 
6507 not_found:
6508 	neg.handle = ev->handle;
6509 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6510 	hci_dev_unlock(hdev);
6511 }
6512 
6513 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6514 				      u8 reason)
6515 {
6516 	struct hci_cp_le_conn_param_req_neg_reply cp;
6517 
6518 	cp.handle = cpu_to_le16(handle);
6519 	cp.reason = reason;
6520 
6521 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6522 		     &cp);
6523 }
6524 
6525 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6526 					     struct sk_buff *skb)
6527 {
6528 	struct hci_ev_le_remote_conn_param_req *ev = data;
6529 	struct hci_cp_le_conn_param_req_reply cp;
6530 	struct hci_conn *hcon;
6531 	u16 handle, min, max, latency, timeout;
6532 
6533 	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6534 
6535 	handle = le16_to_cpu(ev->handle);
6536 	min = le16_to_cpu(ev->interval_min);
6537 	max = le16_to_cpu(ev->interval_max);
6538 	latency = le16_to_cpu(ev->latency);
6539 	timeout = le16_to_cpu(ev->timeout);
6540 
6541 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
6542 	if (!hcon || hcon->state != BT_CONNECTED)
6543 		return send_conn_param_neg_reply(hdev, handle,
6544 						 HCI_ERROR_UNKNOWN_CONN_ID);
6545 
6546 	if (max > hcon->le_conn_max_interval)
6547 		return send_conn_param_neg_reply(hdev, handle,
6548 						 HCI_ERROR_INVALID_LL_PARAMS);
6549 
6550 	if (hci_check_conn_params(min, max, latency, timeout))
6551 		return send_conn_param_neg_reply(hdev, handle,
6552 						 HCI_ERROR_INVALID_LL_PARAMS);
6553 
6554 	if (hcon->role == HCI_ROLE_MASTER) {
6555 		struct hci_conn_params *params;
6556 		u8 store_hint;
6557 
6558 		hci_dev_lock(hdev);
6559 
6560 		params = hci_conn_params_lookup(hdev, &hcon->dst,
6561 						hcon->dst_type);
6562 		if (params) {
6563 			params->conn_min_interval = min;
6564 			params->conn_max_interval = max;
6565 			params->conn_latency = latency;
6566 			params->supervision_timeout = timeout;
6567 			store_hint = 0x01;
6568 		} else {
6569 			store_hint = 0x00;
6570 		}
6571 
6572 		hci_dev_unlock(hdev);
6573 
6574 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6575 				    store_hint, min, max, latency, timeout);
6576 	}
6577 
6578 	cp.handle = ev->handle;
6579 	cp.interval_min = ev->interval_min;
6580 	cp.interval_max = ev->interval_max;
6581 	cp.latency = ev->latency;
6582 	cp.timeout = ev->timeout;
6583 	cp.min_ce_len = 0;
6584 	cp.max_ce_len = 0;
6585 
6586 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6587 }
6588 
6589 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6590 					 struct sk_buff *skb)
6591 {
6592 	struct hci_ev_le_direct_adv_report *ev = data;
6593 	u64 instant = jiffies;
6594 	int i;
6595 
6596 	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6597 				flex_array_size(ev, info, ev->num)))
6598 		return;
6599 
6600 	if (!ev->num)
6601 		return;
6602 
6603 	hci_dev_lock(hdev);
6604 
6605 	for (i = 0; i < ev->num; i++) {
6606 		struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6607 
6608 		process_adv_report(hdev, info->type, &info->bdaddr,
6609 				   info->bdaddr_type, &info->direct_addr,
6610 				   info->direct_addr_type, info->rssi, NULL, 0,
6611 				   false, false, instant);
6612 	}
6613 
6614 	hci_dev_unlock(hdev);
6615 }
6616 
6617 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6618 				  struct sk_buff *skb)
6619 {
6620 	struct hci_ev_le_phy_update_complete *ev = data;
6621 	struct hci_conn *conn;
6622 
6623 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6624 
6625 	if (ev->status)
6626 		return;
6627 
6628 	hci_dev_lock(hdev);
6629 
6630 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6631 	if (!conn)
6632 		goto unlock;
6633 
6634 	conn->le_tx_phy = ev->tx_phy;
6635 	conn->le_rx_phy = ev->rx_phy;
6636 
6637 unlock:
6638 	hci_dev_unlock(hdev);
6639 }
6640 
6641 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6642 					struct sk_buff *skb)
6643 {
6644 	struct hci_evt_le_cis_established *ev = data;
6645 	struct hci_conn *conn;
6646 	struct bt_iso_qos *qos;
6647 	bool pending = false;
6648 	u16 handle = __le16_to_cpu(ev->handle);
6649 	u32 c_sdu_interval, p_sdu_interval;
6650 
6651 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6652 
6653 	hci_dev_lock(hdev);
6654 
6655 	conn = hci_conn_hash_lookup_handle(hdev, handle);
6656 	if (!conn) {
6657 		bt_dev_err(hdev,
6658 			   "Unable to find connection with handle 0x%4.4x",
6659 			   handle);
6660 		goto unlock;
6661 	}
6662 
6663 	if (conn->type != ISO_LINK) {
6664 		bt_dev_err(hdev,
6665 			   "Invalid connection link type handle 0x%4.4x",
6666 			   handle);
6667 		goto unlock;
6668 	}
6669 
6670 	qos = &conn->iso_qos;
6671 
6672 	pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6673 
6674 	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G
6675 	 * page 3075:
6676 	 * Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) ×
6677 	 * ISO_Interval + SDU_Interval_C_To_P
6678 	 * ...
6679 	 * SDU_Interval = (CIG_Sync_Delay + (FT) x ISO_Interval) -
6680 	 *					Transport_Latency
6681 	 */
6682 	c_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
6683 			 (ev->c_ft * le16_to_cpu(ev->interval) * 1250)) -
6684 			get_unaligned_le24(ev->c_latency);
6685 	p_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
6686 			 (ev->p_ft * le16_to_cpu(ev->interval) * 1250)) -
6687 			get_unaligned_le24(ev->p_latency);
6688 
6689 	switch (conn->role) {
6690 	case HCI_ROLE_SLAVE:
6691 		qos->ucast.in.interval = c_sdu_interval;
6692 		qos->ucast.out.interval = p_sdu_interval;
6693 		/* Convert Transport Latency (us) to Latency (msec) */
6694 		qos->ucast.in.latency =
6695 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6696 					  1000);
6697 		qos->ucast.out.latency =
6698 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6699 					  1000);
6700 		qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6701 		qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6702 		qos->ucast.in.phy = ev->c_phy;
6703 		qos->ucast.out.phy = ev->p_phy;
6704 		break;
6705 	case HCI_ROLE_MASTER:
6706 		qos->ucast.in.interval = p_sdu_interval;
6707 		qos->ucast.out.interval = c_sdu_interval;
6708 		/* Convert Transport Latency (us) to Latency (msec) */
6709 		qos->ucast.out.latency =
6710 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6711 					  1000);
6712 		qos->ucast.in.latency =
6713 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6714 					  1000);
6715 		qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6716 		qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6717 		qos->ucast.out.phy = ev->c_phy;
6718 		qos->ucast.in.phy = ev->p_phy;
6719 		break;
6720 	}
6721 
6722 	if (!ev->status) {
6723 		conn->state = BT_CONNECTED;
6724 		hci_debugfs_create_conn(conn);
6725 		hci_conn_add_sysfs(conn);
6726 		hci_iso_setup_path(conn);
6727 		goto unlock;
6728 	}
6729 
6730 	conn->state = BT_CLOSED;
6731 	hci_connect_cfm(conn, ev->status);
6732 	hci_conn_del(conn);
6733 
6734 unlock:
6735 	if (pending)
6736 		hci_le_create_cis_pending(hdev);
6737 
6738 	hci_dev_unlock(hdev);
6739 }
6740 
6741 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6742 {
6743 	struct hci_cp_le_reject_cis cp;
6744 
6745 	memset(&cp, 0, sizeof(cp));
6746 	cp.handle = handle;
6747 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6748 	hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6749 }
6750 
6751 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6752 {
6753 	struct hci_cp_le_accept_cis cp;
6754 
6755 	memset(&cp, 0, sizeof(cp));
6756 	cp.handle = handle;
6757 	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6758 }
6759 
6760 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6761 			       struct sk_buff *skb)
6762 {
6763 	struct hci_evt_le_cis_req *ev = data;
6764 	u16 acl_handle, cis_handle;
6765 	struct hci_conn *acl, *cis;
6766 	int mask;
6767 	__u8 flags = 0;
6768 
6769 	acl_handle = __le16_to_cpu(ev->acl_handle);
6770 	cis_handle = __le16_to_cpu(ev->cis_handle);
6771 
6772 	bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6773 		   acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6774 
6775 	hci_dev_lock(hdev);
6776 
6777 	acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6778 	if (!acl)
6779 		goto unlock;
6780 
6781 	mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
6782 	if (!(mask & HCI_LM_ACCEPT)) {
6783 		hci_le_reject_cis(hdev, ev->cis_handle);
6784 		goto unlock;
6785 	}
6786 
6787 	cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6788 	if (!cis) {
6789 		cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
6790 				   cis_handle);
6791 		if (IS_ERR(cis)) {
6792 			hci_le_reject_cis(hdev, ev->cis_handle);
6793 			goto unlock;
6794 		}
6795 	}
6796 
6797 	cis->iso_qos.ucast.cig = ev->cig_id;
6798 	cis->iso_qos.ucast.cis = ev->cis_id;
6799 
6800 	if (!(flags & HCI_PROTO_DEFER)) {
6801 		hci_le_accept_cis(hdev, ev->cis_handle);
6802 	} else {
6803 		cis->state = BT_CONNECT2;
6804 		hci_connect_cfm(cis, 0);
6805 	}
6806 
6807 unlock:
6808 	hci_dev_unlock(hdev);
6809 }
6810 
6811 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
6812 {
6813 	u8 handle = PTR_UINT(data);
6814 
6815 	return hci_le_terminate_big_sync(hdev, handle,
6816 					 HCI_ERROR_LOCAL_HOST_TERM);
6817 }
6818 
6819 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
6820 					   struct sk_buff *skb)
6821 {
6822 	struct hci_evt_le_create_big_complete *ev = data;
6823 	struct hci_conn *conn;
6824 	__u8 i = 0;
6825 
6826 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6827 
6828 	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
6829 				flex_array_size(ev, bis_handle, ev->num_bis)))
6830 		return;
6831 
6832 	hci_dev_lock(hdev);
6833 	rcu_read_lock();
6834 
6835 	/* Connect all BISes that are bound to the BIG */
6836 	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6837 		if (bacmp(&conn->dst, BDADDR_ANY) ||
6838 		    conn->type != ISO_LINK ||
6839 		    conn->iso_qos.bcast.big != ev->handle)
6840 			continue;
6841 
6842 		if (hci_conn_set_handle(conn,
6843 					__le16_to_cpu(ev->bis_handle[i++])))
6844 			continue;
6845 
6846 		if (!ev->status) {
6847 			conn->state = BT_CONNECTED;
6848 			set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
6849 			rcu_read_unlock();
6850 			hci_debugfs_create_conn(conn);
6851 			hci_conn_add_sysfs(conn);
6852 			hci_iso_setup_path(conn);
6853 			rcu_read_lock();
6854 			continue;
6855 		}
6856 
6857 		hci_connect_cfm(conn, ev->status);
6858 		rcu_read_unlock();
6859 		hci_conn_del(conn);
6860 		rcu_read_lock();
6861 	}
6862 
6863 	rcu_read_unlock();
6864 
6865 	if (!ev->status && !i)
6866 		/* If no BISes have been connected for the BIG,
6867 		 * terminate. This is in case all bound connections
6868 		 * have been closed before the BIG creation
6869 		 * has completed.
6870 		 */
6871 		hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
6872 				   UINT_PTR(ev->handle), NULL);
6873 
6874 	hci_dev_unlock(hdev);
6875 }
6876 
6877 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
6878 					    struct sk_buff *skb)
6879 {
6880 	struct hci_evt_le_big_sync_estabilished *ev = data;
6881 	struct hci_conn *bis;
6882 	struct hci_conn *pa_sync;
6883 	int i;
6884 
6885 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6886 
6887 	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
6888 				flex_array_size(ev, bis, ev->num_bis)))
6889 		return;
6890 
6891 	hci_dev_lock(hdev);
6892 
6893 	if (!ev->status) {
6894 		pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
6895 		if (pa_sync)
6896 			/* Also mark the BIG sync established event on the
6897 			 * associated PA sync hcon
6898 			 */
6899 			set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
6900 	}
6901 
6902 	for (i = 0; i < ev->num_bis; i++) {
6903 		u16 handle = le16_to_cpu(ev->bis[i]);
6904 		__le32 interval;
6905 
6906 		bis = hci_conn_hash_lookup_handle(hdev, handle);
6907 		if (!bis) {
6908 			if (handle > HCI_CONN_HANDLE_MAX) {
6909 				bt_dev_dbg(hdev, "ignore too large handle %u", handle);
6910 				continue;
6911 			}
6912 			bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
6913 					   HCI_ROLE_SLAVE, handle);
6914 			if (IS_ERR(bis))
6915 				continue;
6916 		}
6917 
6918 		if (ev->status != 0x42)
6919 			/* Mark PA sync as established */
6920 			set_bit(HCI_CONN_PA_SYNC, &bis->flags);
6921 
6922 		bis->iso_qos.bcast.big = ev->handle;
6923 		memset(&interval, 0, sizeof(interval));
6924 		memcpy(&interval, ev->latency, sizeof(ev->latency));
6925 		bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
6926 		/* Convert ISO Interval (1.25 ms slots) to latency (ms) */
6927 		bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
6928 		bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
6929 
6930 		if (!ev->status) {
6931 			set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
6932 			hci_iso_setup_path(bis);
6933 		}
6934 	}
6935 
6936 	/* In case BIG sync failed, notify each failed connection to
6937 	 * the user after all hci connections have been added
6938 	 */
6939 	if (ev->status)
6940 		for (i = 0; i < ev->num_bis; i++) {
6941 			u16 handle = le16_to_cpu(ev->bis[i]);
6942 
6943 			bis = hci_conn_hash_lookup_handle(hdev, handle);
6944 			if (!bis)
6945 				continue;
6946 
6947 			set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
6948 			hci_connect_cfm(bis, ev->status);
6949 		}
6950 
6951 	hci_dev_unlock(hdev);
6952 }
6953 
6954 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
6955 					   struct sk_buff *skb)
6956 {
6957 	struct hci_evt_le_big_info_adv_report *ev = data;
6958 	int mask = hdev->link_mode;
6959 	__u8 flags = 0;
6960 	struct hci_conn *pa_sync;
6961 
6962 	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6963 
6964 	hci_dev_lock(hdev);
6965 
6966 	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6967 	if (!(mask & HCI_LM_ACCEPT)) {
6968 		hci_le_pa_term_sync(hdev, ev->sync_handle);
6969 		goto unlock;
6970 	}
6971 
6972 	if (!(flags & HCI_PROTO_DEFER))
6973 		goto unlock;
6974 
6975 	pa_sync = hci_conn_hash_lookup_pa_sync_handle
6976 			(hdev,
6977 			le16_to_cpu(ev->sync_handle));
6978 
6979 	if (pa_sync)
6980 		goto unlock;
6981 
6982 	/* Add connection to indicate the PA sync event */
6983 	pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6984 				     HCI_ROLE_SLAVE);
6985 
6986 	if (IS_ERR(pa_sync))
6987 		goto unlock;
6988 
6989 	pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
6990 	set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
6991 
6992 	/* Notify iso layer */
6993 	hci_connect_cfm(pa_sync, 0x00);
6994 
6995 	/* Notify MGMT layer */
6996 	mgmt_device_connected(hdev, pa_sync, NULL, 0);
6997 
6998 unlock:
6999 	hci_dev_unlock(hdev);
7000 }
7001 
7002 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7003 [_op] = { \
7004 	.func = _func, \
7005 	.min_len = _min_len, \
7006 	.max_len = _max_len, \
7007 }
7008 
7009 #define HCI_LE_EV(_op, _func, _len) \
7010 	HCI_LE_EV_VL(_op, _func, _len, _len)
7011 
7012 #define HCI_LE_EV_STATUS(_op, _func) \
7013 	HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7014 
7015 /* Entries in this table shall have their position according to the subevent
7016  * opcode they handle so the use of the macros above is recommend since it does
7017  * attempt to initialize at its proper index using Designated Initializers that
7018  * way events without a callback function can be ommited.
7019  */
7020 static const struct hci_le_ev {
7021 	void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7022 	u16  min_len;
7023 	u16  max_len;
7024 } hci_le_ev_table[U8_MAX + 1] = {
7025 	/* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7026 	HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7027 		  sizeof(struct hci_ev_le_conn_complete)),
7028 	/* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7029 	HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7030 		     sizeof(struct hci_ev_le_advertising_report),
7031 		     HCI_MAX_EVENT_SIZE),
7032 	/* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7033 	HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7034 		  hci_le_conn_update_complete_evt,
7035 		  sizeof(struct hci_ev_le_conn_update_complete)),
7036 	/* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7037 	HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7038 		  hci_le_remote_feat_complete_evt,
7039 		  sizeof(struct hci_ev_le_remote_feat_complete)),
7040 	/* [0x05 = HCI_EV_LE_LTK_REQ] */
7041 	HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7042 		  sizeof(struct hci_ev_le_ltk_req)),
7043 	/* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7044 	HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7045 		  hci_le_remote_conn_param_req_evt,
7046 		  sizeof(struct hci_ev_le_remote_conn_param_req)),
7047 	/* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7048 	HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7049 		  hci_le_enh_conn_complete_evt,
7050 		  sizeof(struct hci_ev_le_enh_conn_complete)),
7051 	/* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7052 	HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7053 		     sizeof(struct hci_ev_le_direct_adv_report),
7054 		     HCI_MAX_EVENT_SIZE),
7055 	/* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7056 	HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7057 		  sizeof(struct hci_ev_le_phy_update_complete)),
7058 	/* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7059 	HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7060 		     sizeof(struct hci_ev_le_ext_adv_report),
7061 		     HCI_MAX_EVENT_SIZE),
7062 	/* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7063 	HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7064 		  hci_le_pa_sync_estabilished_evt,
7065 		  sizeof(struct hci_ev_le_pa_sync_established)),
7066 	/* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7067 	HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7068 				 hci_le_per_adv_report_evt,
7069 				 sizeof(struct hci_ev_le_per_adv_report),
7070 				 HCI_MAX_EVENT_SIZE),
7071 	/* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7072 	HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7073 		  sizeof(struct hci_evt_le_ext_adv_set_term)),
7074 	/* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7075 	HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7076 		  sizeof(struct hci_evt_le_cis_established)),
7077 	/* [0x1a = HCI_EVT_LE_CIS_REQ] */
7078 	HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7079 		  sizeof(struct hci_evt_le_cis_req)),
7080 	/* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7081 	HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7082 		     hci_le_create_big_complete_evt,
7083 		     sizeof(struct hci_evt_le_create_big_complete),
7084 		     HCI_MAX_EVENT_SIZE),
7085 	/* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7086 	HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7087 		     hci_le_big_sync_established_evt,
7088 		     sizeof(struct hci_evt_le_big_sync_estabilished),
7089 		     HCI_MAX_EVENT_SIZE),
7090 	/* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7091 	HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7092 		     hci_le_big_info_adv_report_evt,
7093 		     sizeof(struct hci_evt_le_big_info_adv_report),
7094 		     HCI_MAX_EVENT_SIZE),
7095 };
7096 
7097 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7098 			    struct sk_buff *skb, u16 *opcode, u8 *status,
7099 			    hci_req_complete_t *req_complete,
7100 			    hci_req_complete_skb_t *req_complete_skb)
7101 {
7102 	struct hci_ev_le_meta *ev = data;
7103 	const struct hci_le_ev *subev;
7104 
7105 	bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7106 
7107 	/* Only match event if command OGF is for LE */
7108 	if (hdev->req_skb &&
7109 	    hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 &&
7110 	    hci_skb_event(hdev->req_skb) == ev->subevent) {
7111 		*opcode = hci_skb_opcode(hdev->req_skb);
7112 		hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7113 				     req_complete_skb);
7114 	}
7115 
7116 	subev = &hci_le_ev_table[ev->subevent];
7117 	if (!subev->func)
7118 		return;
7119 
7120 	if (skb->len < subev->min_len) {
7121 		bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7122 			   ev->subevent, skb->len, subev->min_len);
7123 		return;
7124 	}
7125 
7126 	/* Just warn if the length is over max_len size it still be
7127 	 * possible to partially parse the event so leave to callback to
7128 	 * decide if that is acceptable.
7129 	 */
7130 	if (skb->len > subev->max_len)
7131 		bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7132 			    ev->subevent, skb->len, subev->max_len);
7133 	data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7134 	if (!data)
7135 		return;
7136 
7137 	subev->func(hdev, data, skb);
7138 }
7139 
7140 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7141 				 u8 event, struct sk_buff *skb)
7142 {
7143 	struct hci_ev_cmd_complete *ev;
7144 	struct hci_event_hdr *hdr;
7145 
7146 	if (!skb)
7147 		return false;
7148 
7149 	hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7150 	if (!hdr)
7151 		return false;
7152 
7153 	if (event) {
7154 		if (hdr->evt != event)
7155 			return false;
7156 		return true;
7157 	}
7158 
7159 	/* Check if request ended in Command Status - no way to retrieve
7160 	 * any extra parameters in this case.
7161 	 */
7162 	if (hdr->evt == HCI_EV_CMD_STATUS)
7163 		return false;
7164 
7165 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7166 		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7167 			   hdr->evt);
7168 		return false;
7169 	}
7170 
7171 	ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7172 	if (!ev)
7173 		return false;
7174 
7175 	if (opcode != __le16_to_cpu(ev->opcode)) {
7176 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7177 		       __le16_to_cpu(ev->opcode));
7178 		return false;
7179 	}
7180 
7181 	return true;
7182 }
7183 
7184 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7185 				  struct sk_buff *skb)
7186 {
7187 	struct hci_ev_le_advertising_info *adv;
7188 	struct hci_ev_le_direct_adv_info *direct_adv;
7189 	struct hci_ev_le_ext_adv_info *ext_adv;
7190 	const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7191 	const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7192 
7193 	hci_dev_lock(hdev);
7194 
7195 	/* If we are currently suspended and this is the first BT event seen,
7196 	 * save the wake reason associated with the event.
7197 	 */
7198 	if (!hdev->suspended || hdev->wake_reason)
7199 		goto unlock;
7200 
7201 	/* Default to remote wake. Values for wake_reason are documented in the
7202 	 * Bluez mgmt api docs.
7203 	 */
7204 	hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7205 
7206 	/* Once configured for remote wakeup, we should only wake up for
7207 	 * reconnections. It's useful to see which device is waking us up so
7208 	 * keep track of the bdaddr of the connection event that woke us up.
7209 	 */
7210 	if (event == HCI_EV_CONN_REQUEST) {
7211 		bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7212 		hdev->wake_addr_type = BDADDR_BREDR;
7213 	} else if (event == HCI_EV_CONN_COMPLETE) {
7214 		bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7215 		hdev->wake_addr_type = BDADDR_BREDR;
7216 	} else if (event == HCI_EV_LE_META) {
7217 		struct hci_ev_le_meta *le_ev = (void *)skb->data;
7218 		u8 subevent = le_ev->subevent;
7219 		u8 *ptr = &skb->data[sizeof(*le_ev)];
7220 		u8 num_reports = *ptr;
7221 
7222 		if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7223 		     subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7224 		     subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7225 		    num_reports) {
7226 			adv = (void *)(ptr + 1);
7227 			direct_adv = (void *)(ptr + 1);
7228 			ext_adv = (void *)(ptr + 1);
7229 
7230 			switch (subevent) {
7231 			case HCI_EV_LE_ADVERTISING_REPORT:
7232 				bacpy(&hdev->wake_addr, &adv->bdaddr);
7233 				hdev->wake_addr_type = adv->bdaddr_type;
7234 				break;
7235 			case HCI_EV_LE_DIRECT_ADV_REPORT:
7236 				bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7237 				hdev->wake_addr_type = direct_adv->bdaddr_type;
7238 				break;
7239 			case HCI_EV_LE_EXT_ADV_REPORT:
7240 				bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7241 				hdev->wake_addr_type = ext_adv->bdaddr_type;
7242 				break;
7243 			}
7244 		}
7245 	} else {
7246 		hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7247 	}
7248 
7249 unlock:
7250 	hci_dev_unlock(hdev);
7251 }
7252 
7253 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7254 [_op] = { \
7255 	.req = false, \
7256 	.func = _func, \
7257 	.min_len = _min_len, \
7258 	.max_len = _max_len, \
7259 }
7260 
7261 #define HCI_EV(_op, _func, _len) \
7262 	HCI_EV_VL(_op, _func, _len, _len)
7263 
7264 #define HCI_EV_STATUS(_op, _func) \
7265 	HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7266 
7267 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7268 [_op] = { \
7269 	.req = true, \
7270 	.func_req = _func, \
7271 	.min_len = _min_len, \
7272 	.max_len = _max_len, \
7273 }
7274 
7275 #define HCI_EV_REQ(_op, _func, _len) \
7276 	HCI_EV_REQ_VL(_op, _func, _len, _len)
7277 
7278 /* Entries in this table shall have their position according to the event opcode
7279  * they handle so the use of the macros above is recommend since it does attempt
7280  * to initialize at its proper index using Designated Initializers that way
7281  * events without a callback function don't have entered.
7282  */
7283 static const struct hci_ev {
7284 	bool req;
7285 	union {
7286 		void (*func)(struct hci_dev *hdev, void *data,
7287 			     struct sk_buff *skb);
7288 		void (*func_req)(struct hci_dev *hdev, void *data,
7289 				 struct sk_buff *skb, u16 *opcode, u8 *status,
7290 				 hci_req_complete_t *req_complete,
7291 				 hci_req_complete_skb_t *req_complete_skb);
7292 	};
7293 	u16  min_len;
7294 	u16  max_len;
7295 } hci_ev_table[U8_MAX + 1] = {
7296 	/* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7297 	HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7298 	/* [0x02 = HCI_EV_INQUIRY_RESULT] */
7299 	HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7300 		  sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7301 	/* [0x03 = HCI_EV_CONN_COMPLETE] */
7302 	HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7303 	       sizeof(struct hci_ev_conn_complete)),
7304 	/* [0x04 = HCI_EV_CONN_REQUEST] */
7305 	HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7306 	       sizeof(struct hci_ev_conn_request)),
7307 	/* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7308 	HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7309 	       sizeof(struct hci_ev_disconn_complete)),
7310 	/* [0x06 = HCI_EV_AUTH_COMPLETE] */
7311 	HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7312 	       sizeof(struct hci_ev_auth_complete)),
7313 	/* [0x07 = HCI_EV_REMOTE_NAME] */
7314 	HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7315 	       sizeof(struct hci_ev_remote_name)),
7316 	/* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7317 	HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7318 	       sizeof(struct hci_ev_encrypt_change)),
7319 	/* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7320 	HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7321 	       hci_change_link_key_complete_evt,
7322 	       sizeof(struct hci_ev_change_link_key_complete)),
7323 	/* [0x0b = HCI_EV_REMOTE_FEATURES] */
7324 	HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7325 	       sizeof(struct hci_ev_remote_features)),
7326 	/* [0x0e = HCI_EV_CMD_COMPLETE] */
7327 	HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7328 		      sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7329 	/* [0x0f = HCI_EV_CMD_STATUS] */
7330 	HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7331 		   sizeof(struct hci_ev_cmd_status)),
7332 	/* [0x10 = HCI_EV_CMD_STATUS] */
7333 	HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7334 	       sizeof(struct hci_ev_hardware_error)),
7335 	/* [0x12 = HCI_EV_ROLE_CHANGE] */
7336 	HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7337 	       sizeof(struct hci_ev_role_change)),
7338 	/* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7339 	HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7340 		  sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7341 	/* [0x14 = HCI_EV_MODE_CHANGE] */
7342 	HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7343 	       sizeof(struct hci_ev_mode_change)),
7344 	/* [0x16 = HCI_EV_PIN_CODE_REQ] */
7345 	HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7346 	       sizeof(struct hci_ev_pin_code_req)),
7347 	/* [0x17 = HCI_EV_LINK_KEY_REQ] */
7348 	HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7349 	       sizeof(struct hci_ev_link_key_req)),
7350 	/* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7351 	HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7352 	       sizeof(struct hci_ev_link_key_notify)),
7353 	/* [0x1c = HCI_EV_CLOCK_OFFSET] */
7354 	HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7355 	       sizeof(struct hci_ev_clock_offset)),
7356 	/* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7357 	HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7358 	       sizeof(struct hci_ev_pkt_type_change)),
7359 	/* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7360 	HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7361 	       sizeof(struct hci_ev_pscan_rep_mode)),
7362 	/* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7363 	HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7364 		  hci_inquiry_result_with_rssi_evt,
7365 		  sizeof(struct hci_ev_inquiry_result_rssi),
7366 		  HCI_MAX_EVENT_SIZE),
7367 	/* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7368 	HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7369 	       sizeof(struct hci_ev_remote_ext_features)),
7370 	/* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7371 	HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7372 	       sizeof(struct hci_ev_sync_conn_complete)),
7373 	/* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7374 	HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7375 		  hci_extended_inquiry_result_evt,
7376 		  sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7377 	/* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7378 	HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7379 	       sizeof(struct hci_ev_key_refresh_complete)),
7380 	/* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7381 	HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7382 	       sizeof(struct hci_ev_io_capa_request)),
7383 	/* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7384 	HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7385 	       sizeof(struct hci_ev_io_capa_reply)),
7386 	/* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7387 	HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7388 	       sizeof(struct hci_ev_user_confirm_req)),
7389 	/* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7390 	HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7391 	       sizeof(struct hci_ev_user_passkey_req)),
7392 	/* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7393 	HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7394 	       sizeof(struct hci_ev_remote_oob_data_request)),
7395 	/* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7396 	HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7397 	       sizeof(struct hci_ev_simple_pair_complete)),
7398 	/* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7399 	HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7400 	       sizeof(struct hci_ev_user_passkey_notify)),
7401 	/* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7402 	HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7403 	       sizeof(struct hci_ev_keypress_notify)),
7404 	/* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7405 	HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7406 	       sizeof(struct hci_ev_remote_host_features)),
7407 	/* [0x3e = HCI_EV_LE_META] */
7408 	HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7409 		      sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7410 	/* [0xff = HCI_EV_VENDOR] */
7411 	HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7412 };
7413 
7414 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7415 			   u16 *opcode, u8 *status,
7416 			   hci_req_complete_t *req_complete,
7417 			   hci_req_complete_skb_t *req_complete_skb)
7418 {
7419 	const struct hci_ev *ev = &hci_ev_table[event];
7420 	void *data;
7421 
7422 	if (!ev->func)
7423 		return;
7424 
7425 	if (skb->len < ev->min_len) {
7426 		bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7427 			   event, skb->len, ev->min_len);
7428 		return;
7429 	}
7430 
7431 	/* Just warn if the length is over max_len size it still be
7432 	 * possible to partially parse the event so leave to callback to
7433 	 * decide if that is acceptable.
7434 	 */
7435 	if (skb->len > ev->max_len)
7436 		bt_dev_warn_ratelimited(hdev,
7437 					"unexpected event 0x%2.2x length: %u > %u",
7438 					event, skb->len, ev->max_len);
7439 
7440 	data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7441 	if (!data)
7442 		return;
7443 
7444 	if (ev->req)
7445 		ev->func_req(hdev, data, skb, opcode, status, req_complete,
7446 			     req_complete_skb);
7447 	else
7448 		ev->func(hdev, data, skb);
7449 }
7450 
7451 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7452 {
7453 	struct hci_event_hdr *hdr = (void *) skb->data;
7454 	hci_req_complete_t req_complete = NULL;
7455 	hci_req_complete_skb_t req_complete_skb = NULL;
7456 	struct sk_buff *orig_skb = NULL;
7457 	u8 status = 0, event, req_evt = 0;
7458 	u16 opcode = HCI_OP_NOP;
7459 
7460 	if (skb->len < sizeof(*hdr)) {
7461 		bt_dev_err(hdev, "Malformed HCI Event");
7462 		goto done;
7463 	}
7464 
7465 	kfree_skb(hdev->recv_event);
7466 	hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7467 
7468 	event = hdr->evt;
7469 	if (!event) {
7470 		bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7471 			    event);
7472 		goto done;
7473 	}
7474 
7475 	/* Only match event if command OGF is not for LE */
7476 	if (hdev->req_skb &&
7477 	    hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
7478 	    hci_skb_event(hdev->req_skb) == event) {
7479 		hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
7480 				     status, &req_complete, &req_complete_skb);
7481 		req_evt = event;
7482 	}
7483 
7484 	/* If it looks like we might end up having to call
7485 	 * req_complete_skb, store a pristine copy of the skb since the
7486 	 * various handlers may modify the original one through
7487 	 * skb_pull() calls, etc.
7488 	 */
7489 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7490 	    event == HCI_EV_CMD_COMPLETE)
7491 		orig_skb = skb_clone(skb, GFP_KERNEL);
7492 
7493 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
7494 
7495 	/* Store wake reason if we're suspended */
7496 	hci_store_wake_reason(hdev, event, skb);
7497 
7498 	bt_dev_dbg(hdev, "event 0x%2.2x", event);
7499 
7500 	hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7501 		       &req_complete_skb);
7502 
7503 	if (req_complete) {
7504 		req_complete(hdev, status, opcode);
7505 	} else if (req_complete_skb) {
7506 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7507 			kfree_skb(orig_skb);
7508 			orig_skb = NULL;
7509 		}
7510 		req_complete_skb(hdev, status, opcode, orig_skb);
7511 	}
7512 
7513 done:
7514 	kfree_skb(orig_skb);
7515 	kfree_skb(skb);
7516 	hdev->stat.evt_rx++;
7517 }
7518